AWS re:Inforce 2023 - Scaling compliance with AWS Control Tower (GRC301)

Organizations have to satisfy multiple security requirements and control frameworks such as NIST 800-53 or PCI DSS to avoid punitive actions from regulators and stakeholders. Developing controls and understanding the relationships with AWS services and solutions can be time-consuming and complicated. In this session, learn how to use comprehensive controls and other capabilities in your AWS Control Tower environment to meet your compliance requirements and objectives.

Learn more about AWS re:Inforce at https://go.aws/42zqk7C.



Content

2.01 -> - Good afternoon and welcome to GRC301.
6 -> I'm Chad Lorenc, I'm with AWS Professional Services.
10.38 -> Go ahead and check your headsets,
11.88 -> make sure you've got the blue ones,
13.41 -> and that you can hear everything.
14.73 -> If you have any technical problems,
16.17 -> raise your hand and someone will come around and help you.
19.62 -> I'm Chad Lorenc,
20.52 -> I'm a Practice Manager with AWS,
23.67 -> working in professional services directly with customers,
26.46 -> helping them enable their security and compliance.
30.6 -> This is Krista Gorman,
31.74 -> she's with the Control Tower Team as a lead,
34.5 -> and one of the services
35.67 -> that we're gonna be focusing on today.
38.25 -> And we just wanna start out by saying,
40.11 -> we know as compliance and audit people,
43.38 -> that you're under a lot of pressure
44.91 -> to validate against a complex, ever-changing
47.7 -> landscape of requirements.
50.25 -> We also understand that cloud is another set of complexity
53.61 -> for you to deal with in an already hard job.
57.51 -> And we want to tell you, we will show you a way,
59.88 -> not only to leverage the power of the cloud
61.92 -> to meet your compliance requirements,
64.29 -> but to help drive business value.
68.01 -> And so with that, let's go ahead and get started.
71.88 -> So first we're gonna talk about compliance maturity.
75.18 -> Gonna give you a couple benchmarks to measure you against,
78.03 -> as you look at where you are on your compliance maturity.
81.24 -> We're gonna then introduce Control Tower,
83.88 -> and some of our other AWS services,
85.8 -> and how they changed the game for compliance.
88.44 -> And last of all,
89.273 -> we're gonna give you some real practical actions
91.74 -> that you can take
92.573 -> to begin to move your program forward immediately.
97.71 -> So let's start with compliance maturity.
100.05 -> To begin our compliance maturity though,
102.21 -> we have to talk about what is kind of the status quo.
105.15 -> I walk into a lot of customers
106.86 -> and my first question is often,
108.517 -> "Show me where your compliance program is
110.52 -> and what kind of automation you've put in."
112.92 -> And I tend to get the same answer.
116.16 -> The status quo tends to start out
118.2 -> with this giant spreadsheet, right?
120.51 -> It's this complex control spreadsheet.
122.91 -> Defines all your controls
124.38 -> against all the requirements you have to meet,
127.53 -> how you're gonna measure it, who's gonna do it.
129.96 -> It's kind of the master document, right?
132.78 -> And then this is usually the first place
134.82 -> we see a little bit of automation.
136.14 -> There's some kind of email driven timing.
138.06 -> Maybe you've integrated it with a help desk system
140.52 -> or some other ticketing system.
142.44 -> And it kind of tells people when to start,
144.63 -> where to put their data, and when they have to complete it.
148.14 -> And then last of all, there's actually the workers, right?
150.9 -> The heavy lifting, the manual attestation
153.36 -> that people have to do.
155.01 -> And so these are kind of the three components
156.99 -> we see in the audit programs.
158.61 -> When we see this, yeah, there's some credit there.
160.89 -> You've done some automation, right?
162.69 -> I think some of the early phases was figuring out,
165.3 -> hey, let's define our controls, measure once,
167.82 -> and apply it across many programs with that tracking.
170.79 -> There was implementing the email nags, right?
173.82 -> And making sure everybody's on timing
175.44 -> and alerting when those are...
176.49 -> But it's really just the beginning phases
178.71 -> of what you can do with automation and compliance.
182.82 -> So my first question to you is,
186.15 -> what is your biggest challenge
187.5 -> when it comes to regulatory compliance in the cloud?
190.08 -> So if you have a chance to pull out your phone,
192.12 -> we're actually gonna do a live polling question here.
194.76 -> I encourage you guys to scan that,
197.01 -> and we really want to gauge this presentation
199.77 -> to where you're at.
200.61 -> So help us understand what is your challenge?
203.34 -> Is it about meeting specific requirements?
206.19 -> Is it more about limited budget and tools,
209.43 -> or are you struggling with internal expertise and turnover?
213.24 -> Or last might be a confusion
215.67 -> on how to apply those standards to the cloud.
218.76 -> Pick the one that's most relevant,
220.23 -> these may all feel relevant,
221.67 -> or none of them makes you feel relevant,
223.14 -> but pick the one that's the most relevant to you.
229.32 -> So throughout this presentation,
231.96 -> I'm gonna be throwing up these QR codes.
233.82 -> So expect that.
235.175 -> As an auditor, I understand when I throw out stats,
238.62 -> you're gonna want to audit me
239.453 -> and make sure I'm telling you the truth.
240.99 -> So you can scan codes throughout the presentation
243.12 -> to validate some of my stats.
244.8 -> But let's go ahead and move to the polling,
246.99 -> and see where our answers came up.
250.17 -> Confusion on how to define and apply regulatory requirements
253.17 -> within AWS, significantly the highest one.
257.55 -> And then we have some balance here between tools
260.43 -> and internal expertise.
262.71 -> So I appreciate that, thank you.
263.97 -> We'll go ahead and go back to the slides now.
267.87 -> So let's break this down a little bit,
269.88 -> with the thought of that,
271.38 -> we're all struggling with some of this cost.
275.49 -> So the first thing we wanna do is,
276.99 -> we wanna break down those sections.
278.13 -> We're gonna start with that spreadsheet.
281.4 -> The question you need to be asking with this spreadsheet is,
284.76 -> how accurate is this really for my compliance program?
287.76 -> How consistent?
288.99 -> Am I introducing errors?
291.18 -> And I'm gonna give you some external resources that says,
293.377 -> "Yeah, we're introducing errors,
295.08 -> but also help us understand where we're introducing errors,
297.33 -> because that is an opportunity for some of your automation."
303.15 -> 27% of failed controls are due to competency in the staff,
309.06 -> specifically in the compliance staff.
310.47 -> So that's some of that, understanding the regulations
313.05 -> and how to apply them.
314.13 -> That's knowing how to define the measurement
316.35 -> so that the people in the field can measure.
319.29 -> 33% is due to control failures,
322.77 -> often due to measurement, right?
325.44 -> This is where you're pushing it out to those attesters.
329.19 -> Often, your quality of your audit
331.05 -> is based on the quality of that person in the field, right?
333.87 -> And when you have turnover,
335.37 -> you lose some of that knowledge.
337.17 -> And this comes from a Deloitte 2019 survey.
341.46 -> So first of all, we have errors in our current status quo.
345.27 -> The next thing is how much money per audit.
347.73 -> Every time you fire off that email chain process,
351.78 -> how much money is that costing your business?
354.51 -> Now this may not surprise you if you're in finance,
356.91 -> but it's a huge number.
358.59 -> Four to 10% of your revenue goes to compliance
362.99 -> in the financial services industry.
365.43 -> Now, some of you may be saying,
366.367 -> "Oh, thank goodness, I'm not in financial services.
368.37 -> I'm in something simple like manufacturing."
371.46 -> Interesting enough,
372.42 -> also from the National Association of Manufacturers,
375.66 -> is their measurement that it's between $10,000
378.736 -> and $30,000 per employee,
381.57 -> per year for compliance.
383.19 -> With the higher end of that
384.84 -> being for the smaller the manufacturer,
386.94 -> the greater the burden per employee.
389.13 -> So it doesn't really matter if you're finance
392.58 -> or you're manufacturing,
393.75 -> if you have lots of compliance requirements or a few,
396.6 -> it is a cost to your business
398.55 -> that you have to consider every time
399.87 -> you fire off that audit process.
403.98 -> Last of all, I wanna talk about how much time.
406.95 -> This is how much time those people
408.72 -> in the field actually spend
410.07 -> trying to measure against those spreadsheet controls
413.82 -> that you've defined,
415.44 -> 40% of our cost is actually pushed out on the business.
419.25 -> Those are your IT and business experts
421.89 -> that are doing that control gathering for you.
425.37 -> So we can see,
427.32 -> we definitely have an equation here
429.09 -> that is not adding up very well for us from the cost
431.49 -> and impact to our business,
433.02 -> as far as how compliance is impacting
435.84 -> the businesses we're working in.
439.59 -> So the question is, what does the future look like?
442.14 -> And to talk about the future,
443.52 -> we kind of have to wrap our minds
444.66 -> around a couple concepts, right?
446.13 -> For compliance.
447.63 -> First of all, is the concept of data gravity.
450.48 -> The concept of data gravity is that where your data goes,
454.86 -> your apps are gonna follow.
456.51 -> This is because of a need for increased throughput
459.33 -> and lower latency.
460.83 -> So as compliance, you can look into the future and say,
463.477 -> "Hey, where that data's going?
465.24 -> Those apps and those things that I'm auditing
467.1 -> are gonna follow it."
470.208 -> In a 2002 survey,
471.42 -> they said 60% of all corporate data is already in the cloud.
475.65 -> So we have this data gravity pulling us towards the cloud,
478.5 -> but there's a multiplier effect in play here as well,
481.17 -> and that is emerging technologies.
483.63 -> IoT, natural language processing,
486.75 -> all the things that are happening right now
488.61 -> are drawing us towards cloud technologies,
491.55 -> and are dependent on cloud for scale and functionality.
495.63 -> What that means is not only do we have data moving there,
499.38 -> but you have new technologies,
501.03 -> and new things you're gonna have to audit against.
503.85 -> As an auditor, my favorite is where the data is.
506.28 -> So I'm gonna pick on data warehousing
507.81 -> as the emerging technology.
510.24 -> 90% almost of companies now and in the near future
514.92 -> are gonna use data warehousing.
517.17 -> So that means your company is probably already putting
519.87 -> that data that you're concerned about as an audit,
522.15 -> or concerned about from compliance, into the cloud.
525.93 -> So it's pretty clear from just these two basic facts
529.59 -> that the future of compliance is in the cloud.
533.19 -> So now we have this collision, we have our current state,
536.46 -> and we know our future state is moving to the cloud,
539.28 -> but basically we're getting more complex, more dynamic,
543.39 -> more distributed, more regulated, and more costly.
546.93 -> And this is probably not a surprise to any of you
548.67 -> in the audience, right?
550.08 -> But what we're trying to drive here is,
552.24 -> getting to those business objectives
553.98 -> that we can deliver through compliance.
557.88 -> I think Aaron Klein said it the best.
559.987 -> "We have a legal, regulatory framework
563.07 -> built on the basis of paper, mail, and words,
567.27 -> versus a new world order that is digital, continuous,
571.71 -> and 24/7, and built on bits and bytes.
576.39 -> Somehow we need to square these two worlds."
581.01 -> So what does that look like?
583.95 -> Well, first of all,
584.783 -> we have to go back into that process
586.08 -> and break it down one more step.
587.7 -> We're gonna go back to that spreadsheet.
589.53 -> Most of you have already added this to your programs
592.14 -> where you've found your controls
593.34 -> and you've mapped them across.
594.72 -> If you haven't, if you're new to compliance,
597.57 -> don't start up from scratch.
599.04 -> A lot of people have already put
600.3 -> some really great frameworks out there you can grab,
602.55 -> I put a link to one of them.
604.5 -> But let's blow that up for a minute and take a look.
607.08 -> What that is, is that control is gonna be mapped.
609.99 -> So you're taking your company's control,
611.97 -> you're mapping it to all the standards you're using,
614.67 -> so that you can leverage that measurement across standards.
617.61 -> And then you're also giving the details
619.14 -> of how that control is tested,
621.6 -> as well as who's gonna test the controls.
625.74 -> So how do we break this out?
627.42 -> How do we change this dynamic
630.15 -> where we're living out of a spreadsheet from compliance
632.64 -> and move it into automation?
634.65 -> And so the first thing we're gonna talk about
636.78 -> is Control Tower, AWS Control Tower,
639.57 -> an automated dashboard that continuously updates,
643.02 -> that does this control tracking for you,
645.72 -> but it also defines your controls technically,
649.2 -> versus having a human trying to audit against it.
651.84 -> And you can deploy those controls for measurement
654.39 -> in a point and click way.
656.37 -> That's the first key to really accelerating
659.07 -> some of your audit maturity,
661.14 -> and what we're looking for is,
662.43 -> we're looking and eliminating those errors, right?
664.95 -> So if you're doing defined technical measurement
667.8 -> instead of people, you're now driving down the error,
670.62 -> you're also driving down your staff requirements.
673.56 -> Now you don't have to have that genius,
676.05 -> one guy or one gal out there in the business,
678.81 -> that knows how to measure for your program
680.4 -> and give you accurate results.
683.43 -> One of the things we do as auditors,
686.25 -> is the first time we run into cost and time complexities,
690.42 -> what do we do?
691.41 -> We reduce scope.
693.33 -> So if you could eliminate some of these errors
696.24 -> and time complexities, the first question is,
698.58 -> can I start increasing scope?
700.38 -> And that's gonna be your first measurement to tell you,
703.027 -> "Hey, I'm starting to move that automation maturity needle.
706.62 -> I'm beginning to be able to increase my audit scopes,
709.41 -> instead of consistently decrease them."
711.84 -> And I'm sure you've all been in that position
713.43 -> where you've had to decrease the scope
715.23 -> more than you would want to as an auditor,
717.63 -> or as a compliance officer.
721.35 -> So the next place,
722.52 -> we're gonna go after the heavy lifting right away.
724.17 -> We're gonna jump straight to the attestation.
726.93 -> How do we deal with that, right?
729.03 -> We know that that has a huge impact on the business.
731.61 -> We're gonna talk about how you leverage AWS Audit Manager
735.06 -> to do that data collection and evidence collection.
740.79 -> So that immediately has the impact
744.75 -> of decreasing your cost to audit, right?
747.69 -> Now, you're not pushing that out on the business,
749.61 -> you're not pushing that on a specialist.
751.44 -> You're able to automate that.
753.42 -> What comes with that, right?
754.89 -> We're trying to get some business trade-offs, right?
757.44 -> We're selling this automation program to a board,
760.35 -> to a CIO, to a CTO,
762.51 -> to somebody that we're trying to justify
764.25 -> why we need this money,
765.42 -> why we need this effort for automation.
768.03 -> And the answer is,
769.26 -> this is going to enable you
770.7 -> to do compliance as a service, right?
773.61 -> Now that you can automatically test those controls,
776.22 -> you can automatically push them out.
778.26 -> You can go and say,
779.093 -> "Hey, let me do a pre-audit for you
780.81 -> before an external auditor comes in.
783.39 -> Let me go take a snapshot."
786.57 -> Let me offer this to the business,
788.16 -> if they're trying to get a feel for,
789.577 -> "Hey, we're wanting to move into a new market
791.61 -> that's gonna have this compliance standard.
793.65 -> Compliance team, can you tell me how far away we are?"
796.8 -> Right?
797.633 -> You can begin to get into those conversations early,
800.43 -> where you're gonna have a bigger impact.
803.58 -> The other shift that you want to see,
805.62 -> is instead of having to be a compliance-based program,
809.55 -> shifting to a risk-based program, right?
812.1 -> And now you're gonna start changing the business,
814.17 -> instead of just making sure
815.64 -> that we've got our backside covered,
818.88 -> we're gonna go in and say,
819.757 -> "Hey, let's help drive down risk in the business.
822.21 -> Let's do some targeted audits
823.71 -> where we know there's more risk."
825.87 -> And last of all,
827.31 -> this is where you're gonna finally get that leverage
830.22 -> that you need to be able
831.15 -> to tackle emerging technologies, right?
833.64 -> This agility that it's gonna enable,
836.07 -> you can go and start iterating in your compliance program
839.52 -> where you're saying, "Hey, new technology,
841.8 -> I'm gonna go ahead and throw this automation at it
844.59 -> and see where we score.
845.76 -> I'm going to work with the developers,
847.8 -> as they're playing with this technology,
849.63 -> to play with my compliance,
851.04 -> so that my compliance is in tune
853.05 -> and releases with the operations."
857.67 -> Once you've done that, once you're risk based,
859.86 -> once you can offer it as a service,
861.87 -> and you can pivot quickly to emerging technologies,
864.63 -> you've shifted again into a higher gear
866.79 -> in your compliance automation.
871.02 -> So let's tackle that last piece.
874.08 -> That last piece is that tracking, right?
876.63 -> Where you're trying to do what I call a snapshot audit.
880.17 -> A point-in-time audit.
882.3 -> If you could move away from, "I kick off an audit,
885.03 -> it runs and then I close it down."
886.92 -> You don't have those costs
888.27 -> and those heavy weights now on people,
891.18 -> because of the automation,
892.8 -> you can move using Security Hub to continuous automation.
896.94 -> And what this really looks like,
898.56 -> is you're gonna be able to dynamically "Shift left"
900.72 -> your compliance program.
902.55 -> So one of the great examples with Security Hub,
905.88 -> is if you can enable Security Hub
908.07 -> so that when your developers push code
910.59 -> out to AWS in their dev environment,
913.32 -> in their test environment,
915.247 -> AWS Security Hub can report back,
917.647 -> "Hey, that just knocked you outta compliance
919.61 -> in your test environment."
921.15 -> So now your developer has immediate feedback,
923.797 -> "Oh, that change I made just knocked me outta compliance.
926.31 -> I just exposed an S3 bucket publicly," right?
929.67 -> So that's what you want to do,
930.981 -> is you want to start building, so to speak, that education,
933.93 -> that "Shift left" into even your developer's mindset,
937.98 -> so they immediately know when they've made a change,
940.17 -> it's gonna push you outta compliance.
942.39 -> The other thing is instant audits, right?
945.06 -> Imagine if you're in front of the board
946.77 -> or you're with your CIO and they say,
948.637 -> "Hey, can you tell me?
950.4 -> This group is making me really nervous.
952.23 -> Are we okay?
954.06 -> Are they doing what they need to do?"
956.19 -> You can go back and take a look and say,
958.417 -> "Yeah, I can report to you.
960.15 -> We're hitting 70% of the benchmarks,
961.89 -> we got about 30% to work on.
963.87 -> Looks like that team needs to focus on their IAM,
966.51 -> they got a little outta control over there," right?
968.79 -> Can you imagine being able to provide that immediate feedback
971.67 -> to your superiors about where your compliance program is?
977.25 -> The next thing is real-time deployment and new standards.
979.89 -> We know that in compliance,
981.42 -> we're consistently getting new standards, new expectations,
984.6 -> updated standards.
986.19 -> What if as soon as those came out,
988.05 -> they were populating and you could immediately deploy them?
991.26 -> Not only could you immediately deploy them,
992.88 -> but you could turn around and measure against them,
994.86 -> and provide feedback.
995.767 -> "Hey, that new standard that came out?"
998.43 -> I can look in my compliance program
1000.71 -> and say, "We're about 50% outta compliance.
1004.28 -> It's about half our controls.
1005.57 -> I'm estimating that I need this amount of money,
1007.85 -> and this amount of time from the business,
1009.71 -> in order to catch us up with this next standard," right?
1012.38 -> So you wanna be able to get ahead of your audit
1014.3 -> and be able to predict and project in the future,
1017.6 -> and so your executives don't have those surprises.
1020.03 -> And that's one of the huge things
1021.26 -> that you can enable through this continuous audit.
1025.28 -> When you're able to start predicting the future,
1027.89 -> when you're able to start deploying standards immediately,
1031.85 -> that's when we start seeing that automation
1034.28 -> start hitting the floor, right?
1035.48 -> We're going full speed now.
1037.61 -> We're starting to really dynamically impact the business.
1040.28 -> We're starting to build ourselves as auditors
1042.65 -> and compliance officers,
1044.24 -> as trusted people in the business
1045.77 -> providing our executives feedback.
1048.92 -> But let's get back to some of the real numbers.
1051.11 -> In ProServe, we love to build business objectives.
1053.45 -> In AWS, we love data.
1055.37 -> How do we get back to the real data
1056.96 -> to justify what we're doing?
1059.48 -> Well, fortunately, some of that's
1060.53 -> already been measured for us.
1062.09 -> If you're a company that has less than 50 controls,
1064.58 -> first of all lucky you, but 25% of them were automated,
1069.32 -> that means you would have a 52% cost reduction per audit.
1074.42 -> So that's a pretty drastic impact.
1076.31 -> If you have greater than 50%, or sorry,
1078.71 -> greater than 50 controls, and you're 25% automated,
1082.49 -> still a 27% cost reduction.
1085.4 -> I'm not real good at math, so I did that ahead of time.
1087.5 -> That means a one to 2% cost savings per control you deploy.
1091.64 -> So I want you to think about that
1092.8 -> as we're walking through all this setup,
1095.63 -> is because the technology part of this is easy, right?
1098.45 -> It's selling it and explaining it to the business
1100.31 -> that's hard.
1101.57 -> Every time you see Krista click on one of those controls,
1104.33 -> you should hear the cha-ching, right?
1105.89 -> That's a one to 2% cost savings per control
1108.68 -> that I can communicate to my management.
1112.49 -> So we're gonna take this one step further.
1114.71 -> I know we've already blanked out everything
1116.3 -> with automation here,
1117.71 -> but what if you could move
1118.97 -> to something that was proactive and preventative?
1121.46 -> And we're gonna actually talk about that with Control Tower.
1124.13 -> And let me tell you what that looks like.
1126.02 -> That means being a quality differentiator for your business,
1128.78 -> because you can say, "Hey, I can guarantee my products
1131.39 -> won't leave the door with these compliance risks."
1135.26 -> Imagine what kind of competitive place
1137.6 -> that would put you in the market.
1140.48 -> What if you could be the fastest one to market,
1142.91 -> in part because you've eliminated
1145.46 -> that costly compliance check
1148.46 -> at the end of every product release,
1150.56 -> or at the end of every new product.
1153.47 -> So that's a great place to measure impact by the way,
1157.07 -> how long your compliance takes per release,
1159.86 -> versus if you automated and got that to near real time.
1164.39 -> What does that impact on your business?
1167.3 -> And last, proactive compliance.
1169.43 -> Now the developer pushes that out and says,
1171.327 -> "Nope, sorry developer, you can't do that."
1174.71 -> What that does now is that forces the developer
1176.99 -> to immediately put in the correct controls for compliance.
1182.72 -> I don't think there's anybody in the compliance world
1184.67 -> that hasn't written up a report,
1186.5 -> or gone to the business and said,
1187.857 -> "Hey, this is outta compliance."
1189.23 -> And they say, "Oh my gosh,
1190.55 -> if we only knew about that six months ago.
1192.8 -> It's gonna cost $200,000 to go back and fix that."
1195.53 -> That's what we're trying to get in front of, right?
1197.48 -> Is, can we avoid rework, refactor and waste,
1201.62 -> by getting those compliance in early,
1203.81 -> and being proactive and preventative.
1205.52 -> When you get your program to being proactive
1207.68 -> and preventative, that's kind of the 95% goal.
1211.04 -> You're really getting there,
1212.45 -> and you're gonna set yourself up for success,
1214.73 -> not only earning the trust of your business,
1216.65 -> but beginning to show yourself as an enabler.
1220.46 -> So those business outcomes, reduction in errors,
1223.91 -> reduction in cost, reduction in time, right?
1227.33 -> You should be able to quantify those with your business
1229.67 -> based on those stats I showed you.
1231.8 -> You're gonna be able to increase your scope,
1234.32 -> offer compliance as a service,
1236.48 -> you're gonna be able
1237.313 -> to address new compliance regulations, right?
1239.27 -> We're trying to future proof for that future state
1241.88 -> where we know we're going in the cloud.
1243.59 -> Address new technologies,
1245.6 -> and leverage the cloud to your benefit,
1247.67 -> instead of being another thing you have to figure out.
1252.56 -> So I'm gonna focus again on that one to 2% cost savings
1256.34 -> per control you implement,
1258.32 -> as we start moving towards the next presentation.
1260.93 -> Before we jump into the controls,
1263.6 -> I am gonna set a little stage here of what the scope is.
1266.66 -> This is securing your part of the cloud
1269.03 -> that we're helping you enable.
1270.68 -> If you're concerned about how AWS secures
1272.78 -> our part of the cloud, go ahead and check out Artifact.
1276.17 -> It has those pieces in there for you already.
1279.92 -> We also are limiting our view to the compliance
1283.34 -> in the cloud.
1284.36 -> So if you're doing DevSecOps,
1286.79 -> you probably do have controls
1288.44 -> that you need to embed into your DevSecOps.
1291.17 -> There's a great presentation for that,
1293.48 -> but we're not gonna be focusing on pipelines and DevSecOps.
1297.32 -> Also, if you want a reference architecture,
1299.42 -> if you're kind of like, "Are we doing
1300.53 -> a best practice audit?
1302.09 -> Do we have all the different expected tools for our security
1306.65 -> and compliance teams?"
1308.36 -> We have a great presentation for that.
1309.86 -> It's the Security Reference Architecture.
1312.02 -> I encourage you to check that out too.
1314.3 -> It's really great,
1315.133 -> but that's also not gonna be our focus on architecture.
1317.6 -> We really are gonna focus on how do we deliver,
1320.48 -> starting with Control Tower,
1321.8 -> those controls to enable automation in the cloud.
1325.31 -> And with that, I'm gonna go ahead
1326.57 -> and hand off to my co-speaker Krista.
1329.6 -> - Thanks Chad.
1331.527 -> So before we get started about the AWS impact,
1334.64 -> I'd like to know from you,
1336.14 -> how are you managing your regulatory compliance
1339.2 -> in your organization today?
1341.21 -> Do you have an in-house team?
1344.03 -> Are you primarily using third party tools?
1347.24 -> Are you looking for ideas on how to do this?
1350.3 -> Or do you primarily rely on your cloud provider
1353.57 -> to ensure this compliance?
1379.16 -> Okay, let's go to the results.
1383 -> Okay, predominantly you have an in-house team
1386.99 -> that manages your cloud compliance.
1389 -> So that expertise that Chad was talking about
1391.22 -> is really where you're focusing your need
1394.37 -> and your improvement.
1396.17 -> That's great information, thanks for sharing.
1400.01 -> Here's how Control Tower can help.
1401.6 -> Control Tower is really the best way
1403.79 -> to set up a multi-account environment.
1407.12 -> With Control Tower, you can set up a scalable
1410.69 -> and secure environment
1411.89 -> that's based on AWS best practices.
1415.34 -> So we've developed these best practices
1417.47 -> by talking to thousands of customers,
1419.78 -> and also working with our security teams
1422.24 -> to define the configurations
1423.68 -> that will help you create a foundation to be successful.
1427.43 -> We also have mandatory controls
1429.62 -> that help keep these blueprints in place.
1433.22 -> We also have an automated account creation process
1436.46 -> so that you can provision new accounts
1438.74 -> within this governance framework,
1440.36 -> so that from day one they're compliant.
1443.54 -> And additionally, as Chad mentioned,
1445.46 -> we have a dashboard that helps monitor compliance
1448.91 -> for anything that has changed a compliance status,
1451.67 -> that maybe has gone non-compliant,
1453.71 -> but also gives you a view
1455.48 -> of your overall organizational structure, right?
1458.15 -> So you can see all of the OUs in your accounts,
1462.05 -> and other resources that are associated with those.
1465.53 -> Now, Control Tower is great
1466.73 -> for setting up a brand new environment,
1468.53 -> but you can also extend governance
1470.66 -> into your legacy accounts with Control Tower.
1473.45 -> So this is a change.
1474.74 -> When we first launched, it was only for new environments,
1477.65 -> and over the last two years
1479.27 -> we've enabled this ability to extend that governance
1481.94 -> into your existing accounts.
1486.11 -> So what does this mean?
1487.94 -> So what is the landing zone specifically?
1489.98 -> So the landing zone is the enterprise-wide container
1493.7 -> that holds all of your organizational units, accounts,
1497.75 -> users, and other resources,
1500.12 -> that you want to be subject to compliance regulation.
1503.21 -> And what's great is that the landing zone
1504.68 -> actually scales to fit your business needs.
1509.09 -> We also set up a centralized identity and access logging.
1513.11 -> So with AWS Identity Center,
1515.84 -> you can centrally manage your users
1517.7 -> along with their security credentials,
1519.95 -> really simplifying how you manage access to AWS accounts
1523.82 -> and business applications.
1525.38 -> And you can control all of your IAM
1527.78 -> and identity center access and permissions
1529.94 -> across your accounts with Control Tower.
1534.08 -> I mentioned that we have this account vending machine
1537.56 -> or account factory,
1539.09 -> and really, this is a configurable template, right?
1542.21 -> So that you can either use Control Tower defaults
1545.51 -> that are set up in the account,
1547.16 -> or you can actually customize them
1549.32 -> to be specific to your business needs.
1551.78 -> We also have a set of partner configurations
1555.26 -> that are still aligned with best practices,
1557.21 -> that have additional ideas about what you may want
1560.9 -> in that account template.
1565.31 -> And then lastly,
1566.18 -> we'll talk a lot today about the additional controls.
1568.76 -> So we have the mandatory controls
1570.62 -> that really protect the configurations
1572.81 -> of your environment,
1573.95 -> and what Control Tower sets up and manages on your behalf.
1578.06 -> But we also have a number of optional controls
1580.88 -> that you can layer in,
1582.08 -> to really enhance your security posture.
1585.71 -> And what's great about this is that this is
1587.27 -> something that you manage continuously, right?
1589.85 -> So you might just set up one landing zone, right?
1592.94 -> If you're an Enterprise customer,
1594.11 -> but you can also continually scale
1597.08 -> right with your account structure and nested OU structure,
1601.19 -> in order to make sure that as your business grows,
1604.97 -> you can have your structure follow that as well.
1610.73 -> So under the hood, Control Tower actually orchestrates
1614.21 -> 14 different services.
1616.4 -> Some of these will probably be very familiar to you.
1619.28 -> AWS Organizations, CloudTrail.
1621.92 -> We also have Config and Security Hub,
1624.2 -> as well as CloudFormation,
1625.79 -> that help set up controls on your behalf.
1628.91 -> But really what we're doing with this underlying automation
1632.45 -> is removing this undifferentiated kind of heavy lifting
1636.41 -> of setting up your infrastructure,
1639.02 -> and really removing that burden from your teams
1641.78 -> to the Control Tower managed service product,
1644.51 -> and really helping you accelerate your cloud journey.
1647.9 -> So just a reminder, if you didn't know,
1650.87 -> there isn't an additional charge for Control Tower,
1653.24 -> you only pay for the underlying services that are enabling
1658.61 -> things like control.
1659.63 -> So that when we use Config for detective controls,
1663.59 -> there is an underlying cost for the configuration item
1666.98 -> recording for those checks.
1672.89 -> So let's get into the specifics.
1674.75 -> What happens when you set up a landing zone?
1678.11 -> First, Control Tower creates two organizational units.
1682.34 -> You have your security OU and your sandbox OU,
1687.32 -> as you can see here.
1689.03 -> In your security OU,
1690.56 -> we set up a log archive account,
1692.627 -> and we also set up an audit account.
1695.6 -> In your log archive account,
1697.52 -> this account works as a repository for logs
1701.36 -> of API activities and resource configurations
1704.36 -> from all of the accounts in the landing zone.
1707.39 -> The audit account is restricted,
1710.18 -> it's designed to give security and compliance teams
1713.51 -> read and write access to all of the accounts
1715.64 -> in your landing zone.
1717.26 -> It also contains the AWS Config Aggregator
1720.74 -> that collects configuration
1722.27 -> and compliance data from multiple accounts
1724.85 -> and regions within the organization,
1727.25 -> which allows you to view and query compliance results
1731.15 -> within a single account.
1733.73 -> We also create a native cloud directory
1737.21 -> with Identity Center,
1738.65 -> and apply all of the mandatory controls.
1741.62 -> We also use CloudFormation StackSets,
1744.44 -> in order to set up these resources
1746.45 -> in all of the accounts and all of the regions.
1750.74 -> What happens when you create a new account factory?
1753.35 -> So now we're moving over to the sandbox OU.
1755.75 -> When you create a new account,
1757.43 -> we have that account baseline,
1759.23 -> but what that really means is that we've enabled CloudTrail
1762.56 -> and Config to centralize logging into an S3 bucket
1766.22 -> that's located in that log archive account.
1768.86 -> We've also pre-configured
1770.93 -> Amazon Simple Notification Service or SNS, right?
1776.99 -> SNS topics that other services can subscribe to.
1780.89 -> We've provided federated access via Identity Center,
1784.88 -> and we've also enabled lifecycle events
1788.48 -> which allow you to configure
1790.73 -> any additional custom automations
1793.31 -> as a part of this new account creation.
1796.844 -> So why it's so important really
1799.94 -> to have this foundational best practice architecture
1803.03 -> is because you can scale from this, right?
1805.46 -> We've set up all of the best practice configurations
1808.64 -> so that you know from day one when you create accounts,
1812 -> or when you're trying to really extend governance,
1815.09 -> you have this ready to go.
1818.24 -> So we have three different control types.
1820.43 -> The first is detective, and detective resources
1823.94 -> or detective controls are primarily behind the scenes
1827.36 -> Config rules and Security Hub checks, right?
1830.63 -> So you can detect resources
1832.58 -> that violate your defined security policies,
1835.49 -> and these can either be compliant or non-compliant.
1839.75 -> As a best practice,
1840.8 -> we suggest that you actually run detective controls first
1844.37 -> within your environment,
1845.6 -> before you implement our next types of controls
1849.23 -> such as preventive.
1851.09 -> So preventive controls really disallow any action
1855.23 -> that would lead to violations of your policies, right?
1857.69 -> So these are always compliant, and these are a great tool
1861.44 -> and I think that tool is more of a hammer, right?
1863.24 -> If you always want to make sure that you're compliant
1865.52 -> and you really are blocking actions,
1867.14 -> you can do that with service control policies
1870.65 -> or our preventive controls.
1873.71 -> Now our third type of control are proactive controls.
1877.28 -> Is anyone using proactive controls with Control Tower today?
1882.41 -> A couple? Just a few, okay.
1884.12 -> These are new.
1884.953 -> We launched proactive controls just at re:Invent last year.
1888.89 -> And so these behind the scenes
1891.11 -> are CloudFormation Guard policies
1893.78 -> that are implemented by hooks, right?
1896.39 -> That actually scan resources before they're provisioned,
1899.81 -> blocking provisioning if the resources aren't compliant,
1902.84 -> that means that you are always compliant,
1905.63 -> and that you only get
1907.43 -> to provision approved resources, right?
1913.82 -> Control Tower has over 400 managed controls in our library.
1918.71 -> Did anyone see our feature release announcement yesterday,
1924.26 -> launching 10 new Security Hub controls?
1926.45 -> Anyone?
1927.283 -> One, kind of, maybe? Okay.
1929.45 -> It's new, right?
1930.283 -> We're continuing to add to this library.
1932.66 -> These are managed,
1933.62 -> meaning that we do the threat modeling, right?
1936.23 -> We keep them up-to-date as AWS launches new features,
1940.37 -> and as regulatory requirements change or evolve,
1944.21 -> we'll either modify the control, create a new version,
1947.84 -> or we'll create a net new control
1949.67 -> depending on the change, right?
1951.38 -> So that means that
1952.67 -> you don't necessarily have to pay attention to that anymore,
1954.95 -> we'll manage it on your behalf.
1957.53 -> We cover 39 services
1959.81 -> and we've introduced control objectives,
1963.11 -> and so control objectives
1964.64 -> are really like a very singular intent, right?
1968.18 -> And an example of that would be encryption at rest.
1971.66 -> You can enforce encryption at rest
1973.52 -> for many different services,
1975.23 -> but that intent goes across multiple frameworks, right?
1979.73 -> I've heard from customers where,
1981.86 -> when they're trying to meet a specific framework
1984.2 -> that they actually are applying the same control
1986.48 -> multiple times in order to meet each individual framework.
1989.9 -> By orchestrating
1991.49 -> or kind of mapping these two control objectives,
1995.18 -> you only have to apply that control once,
1997.64 -> and we provide the mappings to those frameworks for you.
2001.39 -> So it's not just NIST or PCI,
2003.97 -> it's actually the specific element
2006.01 -> or specific section of NIST
2008.38 -> that will define where that control is.
2010.6 -> So all of those spreadsheets that Chad was mentioning
2013.63 -> we'll manage that on your behalf too,
2015.52 -> and show you those mappings.
2018.46 -> Now a question for you.
2020.14 -> So I mentioned we have 39 services
2021.94 -> that are under our comprehensive controls coverage today.
2025.36 -> I'd love to know where would you like us to invest more?
2028.75 -> Which of these services are you most concerned about
2032.65 -> providing compliance for?
2061.33 -> Okay, looks like we're ready.
2066.82 -> Okay, databases and S3 are tied.
2071.47 -> That makes sense, actually we hear that a lot.
2074.77 -> And I'll actually be showing a couple of examples
2076.93 -> of our S3 controls today,
2078.82 -> so you can see what we have available.
2083.41 -> Here's an example of some of our additional controls
2085.72 -> that we have.
2086.553 -> We also provide guidance for these controls.
2089.17 -> I think it's difficult even if you have 400 controls,
2092.08 -> to understand or to figure out where should I start?
2095.26 -> Which control objective should I look at?
2097.24 -> Which control should I specifically look at?
2100.09 -> And by adding guidance,
2102.31 -> we can help direct you towards that.
2104.44 -> So for example,
2105.7 -> some of our strongly recommended controls
2107.59 -> are enabling the MFA on the root user
2109.99 -> and disallowing public read access to S3, right?
2114.34 -> So it's a great place to start.
2118.39 -> We also hear from customers, "Okay, that's great.
2121.48 -> You have controls, you have control objectives,
2123.52 -> I have the framework or the architecture,
2125.35 -> how do I actually apply these?"
2127.27 -> And we hear from customers,
2128.95 -> specifically those in highly regulated industry
2131.95 -> in the public sector,
2132.85 -> that they really have some concerns
2134.47 -> around data residency, right?
2136.72 -> So today you can use Control Tower
2139.18 -> to deploy data residency controls,
2141.88 -> and to prevent provisioning of resources
2144.85 -> in unwanted AWS regions,
2146.89 -> by restricting access to AWS APIs
2150.97 -> through service control policies.
2152.62 -> So we have a landing zone level region deny control
2156.76 -> that allows you to both dynamically select
2160.51 -> which regions you want to govern,
2162.49 -> and which regions you'd like to deny.
2165.46 -> This region deny control also is just a great way
2168.97 -> to help contain your overall landing zone.
2172.33 -> So maybe you don't have a specific data residency concern,
2176.08 -> but you want to make sure that you are optimized
2178.15 -> from a cost perspective,
2179.62 -> and don't see engineers creating resources
2182.44 -> in regions you'd really prefer not to be in,
2184.57 -> or don't need to be in.
2187.3 -> We also have additional controls
2189.25 -> in this data residency suite,
2191.59 -> that really helps support additional controls
2196.54 -> for underlying services.
2197.77 -> For example, blocking S3 cross-region policies
2202.12 -> and blocking the creation of internet gateways.
2205.54 -> So this way the content that's hosted on AWS
2209.71 -> for processing or storage,
2211.03 -> can't be transferred outside of your selected regions
2214.21 -> at that infrastructure level.
2216.76 -> So for example,
2217.99 -> a customer in Germany could deny access
2220.96 -> to services outside of regions...
2225.79 -> For example, maybe they're just in Frankfurt
2228.43 -> and they can do so with some of these controls
2231.04 -> with the exception of global services, right?
2237.25 -> Another area that we hear from customers often is,
2240.31 -> really about how can I help enforce encryption at scale?
2244.18 -> And so, overall we provide tools
2246.97 -> that really help you to easily encrypt your data in transit
2250.48 -> and at rest,
2251.313 -> to help make sure that only authorized users
2255.22 -> can have access to it.
2256.93 -> So with Control Tower, we have a landing zone,
2259.81 -> you can customize your landing zone
2261.34 -> to include KMS encryption,
2263.77 -> and we also have two specific encryption control objectives,
2267.19 -> encryption at rest and encryption in transit,
2270.28 -> that have a number of controls
2271.51 -> that help you achieve this, right?
2276.7 -> So how we pull this all together is...
2279.31 -> This is an example, right?
2280.51 -> So if you're trying to enforce encryption at rest for S3,
2284.53 -> you can see that there are three different frameworks
2286.54 -> that it's mapped to.
2287.83 -> You can see that we have a type of control, right?
2291.34 -> For S3 specific encryption and control
2294.37 -> that's detective, preventative and proactive.
2299.11 -> And we also map the relationships
2301.6 -> between these controls, right?
2303.25 -> So you can have a holistic view
2306.25 -> and understand how to employ the most applicable controls
2310.69 -> to your environment.
2314.26 -> Okay, now I'm going to get started
2317.68 -> and actually share a demo with you
2319.45 -> about really that last mapping that I shared, so.
2326.62 -> Move forward to this.
2332.35 -> One more click maybe.
2335.08 -> Here we go.
2336.13 -> Okay, so this is our Control Tower dashboard,
2338.35 -> and you can see that we have a recommended actions bar
2341.8 -> and then also have a summary of your environment,
2345.1 -> of your OUs, accounts, and of the controls that are enabled.
2349.18 -> We also have a view of your non-compliant resources.
2354.67 -> So as we move over into the controls category,
2358.21 -> you can see the three types of mappings that I mentioned.
2361.21 -> So control objectives, right?
2363.1 -> Which as a reminder, is a high-level intent
2366.07 -> that you're trying to achieve,
2367.33 -> that typically requires a group of controls to enable.
2373.15 -> And we have a number of examples.
2374.98 -> So encryption at rest, encryption in transit,
2377.74 -> that I mentioned.
2378.76 -> Also, some of our more popular objectives
2382.39 -> are limiting network access and optimizing costs.
2387.25 -> You can also view these by service, right?
2389.53 -> So maybe you do want to just focus on S3,
2392.26 -> you can do so and search that here,
2394.99 -> or you can go by framework, right?
2397 -> So if you want to see all of the controls
2399.46 -> that are applicable for NIST, you can do so.
2402.94 -> You can also adjust your view
2404.89 -> if you want to see which framework specifically
2408.01 -> that these are applied to,
2408.97 -> if you're in one of the other screens,
2410.74 -> or the severity, or the control owner,
2413.44 -> you can adjust those here.
2419.74 -> So let's go back to the control objective page
2423.76 -> and walk through that encryption for S3 example.
2427.42 -> So if we go to encryption at rest
2429.46 -> and actually search for S3,
2431.38 -> you'll see the controls that pop up
2434.17 -> for this control objective,
2435.82 -> and that service specifically.
2440.02 -> You can see we have a proactive control,
2443.71 -> a detective control, and a preventive control.
2448.84 -> And all of these are related
2450.31 -> to making sure you have server-side encryption, right?
2453.52 -> And then disallowing changes.
2455.05 -> So if you click into the Security Hub backed
2458.59 -> specific detective control,
2460.72 -> you can see we have all of this rich metadata
2463.81 -> that really helps you understand how this control
2466.87 -> can be enabled.
2468.16 -> We have explainers for the behaviors,
2471.4 -> and we also have within the console
2473.59 -> and our documentation, all of the APIs, right?
2476.35 -> So you can enable this via the console or by API.
2481.75 -> You can see the description of the control
2484.45 -> and also that control relationship that I mentioned, right?
2487.54 -> So you can see that we would recommend
2489.88 -> that we also include this inclusive control.
2494.2 -> We have other types of relationships as well,
2496.39 -> but this one is inclusive,
2499.33 -> in order to help you understand that holistic experience.
2506.86 -> You can view which OUs it's already enabled on,
2509.29 -> which in this case it's not enabled on any of my OUs,
2512.41 -> and we'll go forward and actually enable this.
2515.05 -> So since this is the first control
2516.97 -> that we're enabling in this specific OU
2519.88 -> that's powered by Security Hub,
2521.26 -> it's going to kick off the integration of Control Tower
2523.81 -> and Security Hub.
2525.85 -> About 170 of our detective controls
2528.43 -> are based on the Security Hub foundational best practice.
2531.97 -> The difference is that ours are enabled individually,
2535.51 -> versus a full standard,
2537.22 -> and we actually create a Control Tower
2539.35 -> specific managed standard within Security Hub.
2543.79 -> Now you can see that control is being enabled.
2548.53 -> So if we go back down to the relationships
2550.18 -> and try to enable this proactive control,
2556.15 -> you can see that this is a CloudFormation guard rule
2558.64 -> and again, it's proactive.
2560.08 -> So we remind you that this scans ahead of time,
2562.69 -> and we actually are checking to make sure
2566.331 -> that it's enforced by CloudFormation
2569.71 -> create or update operations.
2571.81 -> The hook scans for compliance and either allows
2575.8 -> or passes or fails the implementation.
2581.2 -> You can see actually, within the framework,
2583.72 -> if you click on those IDs,
2584.89 -> it goes to the direct section of the framework
2587.29 -> that's available there,
2588.64 -> and we've already enabled that Security Hub control,
2592.18 -> but we also can look and see the specific artifacts
2596.05 -> that are available for this CloudFormation guard rule.
2599.23 -> And you can see all of the different scenarios
2603.13 -> where this could skip, fail,
2605.17 -> and then eventually pass
2606.88 -> if you were to apply this.
2608.8 -> And we really have tried to add in
2610.84 -> as much documentation as possible,
2612.67 -> so it's very transparent
2614.08 -> about what these controls are doing,
2616.45 -> and how to use them successfully.
2618.31 -> So we have a non-compliant template,
2620.14 -> you can see
2620.973 -> that you are missing your encryption properties here,
2623.17 -> and then you also have a compliant template
2625.51 -> which has the encryption enabled.
2630.31 -> But if we scroll down a little bit more,
2633.37 -> you'll see, if we go back to the relationships
2635.44 -> that there is actually a dependent relationship.
2639.34 -> So before we can apply that proactive control,
2642.16 -> we actually need to apply this preventive control.
2644.86 -> If we were to try to enable that,
2646.51 -> it would actually be blocked.
2648.31 -> This preventive control is a service control policy
2652.42 -> that actually protects that hook mechanism
2655.33 -> that we're enabling, right?
2657.88 -> So if we go forward, and you can actually see the Artifact,
2660.61 -> again, all of these,
2662.14 -> whether it's a guard policy or an SCP
2665.29 -> or a detective control,
2666.37 -> you can see the Artifact within the console
2669.1 -> or the documentation.
2671.23 -> So we can enable this control,
2672.487 -> and you can see it's enabling concurrently, right?
2676.09 -> So you can enable up to 10 controls concurrently, today.
2680.62 -> And we're looking to expand that.
2685.84 -> And now we're able to actually go back.
2688.6 -> We've set up the detective control,
2690.55 -> which is the best practice to do first.
2692.62 -> We've set up the required control,
2694.51 -> which is an SCP, in order to protect the hook,
2698.05 -> and we can actually go through
2699.64 -> and enable that proactive control too.
2701.77 -> So you have this fully kind of comprehensive enablement
2706.18 -> for trying to encrypt data at rest for S3.
2715.9 -> Okay, now I'm gonna switch over
2717.88 -> and actually talk about
2719.17 -> some of those data residency controls,
2720.88 -> specifically the region deny control.
2723.97 -> And so anything with data residency,
2725.83 -> usually there's some region associated with it.
2727.84 -> So we're just going to search region in our control section.
2734.2 -> Scroll down, and this is, as I mentioned,
2736.3 -> our most popular control.
2738.06 -> It is at the landing zone level.
2741.88 -> And you'll be able to see that we actually,
2744.61 -> instead of enabling directly on the OU,
2746.35 -> we'll have to go to the landing zone settings
2747.94 -> to modify this.
2749.92 -> You can see the SCP,
2751.66 -> and you can also see that today this is set up
2755.08 -> so it's showing the regions
2757.12 -> that I have enabled today, right?
2760.03 -> So these will be modified as well as the global exceptions
2763.45 -> to this deny policy.
2766.24 -> So if we go to landing zone settings,
2767.68 -> you can see that we are going to be able
2770.95 -> to view what settings that I have today.
2774.07 -> I have four governed regions, right?
2775.9 -> The region deny control is not enabled,
2779.44 -> and I can go through and actually modify settings
2783.64 -> and the first one that pops up
2785.05 -> is this region deny control.
2788.89 -> You can see an explainer
2790.27 -> and also a couple of reminders
2792.4 -> about what a not governed region is versus a governed.
2795.55 -> So anything essentially that after we enable this control,
2799.39 -> that we select or deselect.
2801.13 -> So anything that's not with a blue check mark today
2804.25 -> will be denied after I apply this control.
2808.72 -> So we'll go through and enable it,
2810.22 -> and a pop-up reminder to go and remove any configurations
2813.64 -> or accounts that you have in the regions
2815.35 -> you're about to deny.
2816.19 -> We don't want to leave them there.
2820.27 -> Move into next,
2822.16 -> and you can see some additional options
2824.44 -> for configuring your landing zone.
2825.91 -> So you can choose to use org trails or account trails,
2829.54 -> you can change your retention settings
2831.76 -> for S3 bucket logging.
2833.62 -> You can also enable KMS encryption if you would like, right?
2839.2 -> And then next we can review all of the settings
2841.81 -> that we change and then actually update the landing zone.
2846.19 -> I'm not gonna update the landing zone right now,
2847.78 -> but essentially that's the process
2850.27 -> for enabling or changing your landing zone settings as well,
2853.99 -> and enabling that region deny control.
2857.29 -> So what we've done so far in this demo
2859.54 -> is we looked through
2860.89 -> all of our different control objectives.
2862.96 -> We've actually applied a suite of controls
2865.9 -> for encryption for S3.
2867.79 -> We've modified our landing zone settings
2869.56 -> to enable that region deny control,
2872.41 -> and we set up that Security Hub integration
2875.5 -> so that we now have the Control Tower
2877.6 -> specific service managed standard within Security Hub,
2881.56 -> and I'll show you what that looks like now.
2884.71 -> So you can see each of the individual detective controls
2888.55 -> that are powered by Security Hub
2890.2 -> would be enabled as a part of the standard,
2892.33 -> and you'll actually be able to see a specific security score
2895.57 -> so that you have your own custom, bespoke standard
2899.59 -> depending on your business needs.
2903.37 -> And now I'll hand it back over to Chad
2905.05 -> to talk about how you can help put this into action.
2912.19 -> - Thank you Krista for that great demo
2914.17 -> and walkthrough of how we can enable some of those controls.
2916.75 -> So let's step back from that
2919 -> and come back to some of those business objectives
2921.34 -> and talk about how we're gonna put this in action.
2924.85 -> So we'll go back to the status quo for a moment
2927.55 -> and really look at that spreadsheet, right?
2929.92 -> Right now you should be churning down that spreadsheet.
2933.28 -> We've got 400 controls with Control Tower
2936.37 -> that you can immediately take off that spreadsheet
2939.52 -> and move to automation at least in your cloud postures.
2943.33 -> So take those quick wins with Control Tower,
2946 -> check off as many as you can.
2948.31 -> After that, take a step back and start measuring, right?
2951.82 -> We're still trying to figure out
2952.93 -> how we're adding business value here
2955.24 -> through some of this automation,
2956.35 -> so look at controls that have high error rate,
2960.16 -> have high dependency on people in the field,
2962.5 -> or have a high cost or time to implement and assess.
2967.63 -> So once you get that,
2969.52 -> you kinda get that balance of,
2971.02 -> what are the heavy lifts for your program.
2973.54 -> Then you want to prioritize it by how easy it is
2976.21 -> to implement that control,
2977.8 -> and so I'm gonna walk you through that coming up here
2980.35 -> on what that looks like as far as levels of complexity,
2984.64 -> adding more controls to those 400 you've got.
2989.08 -> So the Fast Path, right?
2991 -> Similar to Control Tower,
2992.62 -> once you've got Control Tower rolled out
2994.72 -> and you have those 400 that Krista showed you,
2997.69 -> or for some reason you don't have Control Tower,
3000.48 -> you can go straight to AWS Config.
3003.3 -> There is a set of Config managed rules, works very similar,
3007.2 -> it's a library, you could do it in the console.
3012 -> It's kind of point and click, point and shoot.
3015.36 -> It is also updated by AWS,
3017.85 -> so you don't have to do any maintenance
3019.89 -> or management of that.
3020.85 -> So those are also beneficial,
3022.71 -> and now you have the detective
3025.32 -> and then you have some of the proactive controls
3027.33 -> that she talked about,
3028.5 -> that you can fire off directly from this AWS Config.
3031.8 -> So there were 326, last count, in this one.
3035.76 -> So again, you have a chance
3037.32 -> to really look at how do I start picking off
3039.36 -> any of those controls that are left in my spreadsheets,
3042.72 -> especially the ones that are heavy lift or heavy burden.
3046.62 -> And what's left should be, "Hey, we've got five
3050.1 -> or 10 controls that are really unique to our company.
3053.01 -> They are really significant, we want to drive down,
3054.9 -> we want to figure out how to automate."
3057 -> There's a number of ways to build your own custom rules.
3060.72 -> The rule development kit is kind of your best friend.
3064.02 -> However, I really like this walkthrough,
3066.21 -> and this is actually from our Control Tower workshop, right?
3069.39 -> Of how you set up an ID on that,
3072.42 -> you build your rules and you push 'em out to a Lambda.
3075.87 -> Lambda will execute and tell you a pass/fail.
3079.26 -> Once you've validated that,
3081.27 -> you go ahead and move out,
3082.53 -> and push that using your Control Tower
3085.14 -> into your managed accounts via CloudFormation.
3088.11 -> And what'll happen is that automation will then run
3090.69 -> from Config, it'll grab that custom rule,
3093.57 -> pull in the Lambda, do the evaluation,
3095.82 -> push back the results into Config,
3098.28 -> and Config will push that into Security Hub.
3100.89 -> So this is that dev feedback
3102.84 -> we were talking about earlier.
3104.37 -> So now right there in the account,
3106.23 -> that custom rule is evaluated, they see it,
3109.02 -> but also, as we talked about with Control Tower,
3111.72 -> we'll sync that back up to an audit account,
3114.06 -> so there's a central view
3115.95 -> that has all the due diligence around it, right?
3119.94 -> And that way you have the central view
3121.65 -> as well as the DevOps kind of view.
3124.2 -> So that is a very powerful way
3125.88 -> to build the rule development kit,
3127.353 -> it's the place you wanna start.
3129.93 -> The Control Tower workshop
3131.55 -> will take you through this exact flow.
3134.04 -> So if you're interested in how to kind of do this,
3135.71 -> compliance-as-code workflow,
3137.97 -> and build your own things that you can execute on Lambda,
3140.61 -> this is where you want to go.
3142.68 -> And like I said, as you're weighing those,
3144.45 -> these are the ones where there's high value,
3146.28 -> but they're custom to you,
3147.84 -> and you can't find them in those other rule sets.
3151.89 -> This is code, so it is CLI based,
3154.11 -> it won't be the same menu driven either.
3158.58 -> So getting to the last piece,
3160.08 -> attestation part with Audit Manager.
3162.9 -> Wanna spend a little bit of time
3163.92 -> talking about AWS Audit Manager.
3166.11 -> This is your automated audit
3168.69 -> for when you really need that point-in-time collection.
3172.47 -> You can break it out multiple ways.
3174.39 -> You can see this is actually an audit in process.
3177.06 -> The red are the failed controls,
3178.92 -> the green are the passed,
3180.45 -> and the gray are the not yet assessed.
3182.85 -> So it's running through the audit actively
3184.68 -> as we're looking here.
3185.79 -> The output, you can download,
3187.32 -> you can provide to auditors,
3188.58 -> you can evaluate yourself and work through it.
3192.81 -> You can look by control or by evidence.
3194.73 -> So it's really up to how you conduct your audit.
3198.72 -> Did want to talk a little bit about the evidence gathering
3202.59 -> for the audit with Audit Manager, right?
3205.02 -> This is the ideal way to gather evidence.
3208.38 -> You have a point-in-time collection, it's signed,
3212.76 -> it's encrypted.
3214.17 -> So you have a protected evidence file
3217.17 -> that can't be tampered with, that has limited access,
3221.31 -> and then it sends out that alert
3222.9 -> and that data to Audit Manager.
3224.49 -> And we'll send out any alerts through SNS topics.
3227.46 -> So you have secured, encrypted evidence,
3229.86 -> which is another piece we didn't even really talk about.
3232.98 -> You've again taken another step
3235.62 -> towards driving errors outta your process.
3238.08 -> So Audit Manager is a great way to start
3240.33 -> in getting some of that automated attestation.
3244.8 -> So where to start?
3247.32 -> We talked first about Control Tower, right?
3249.45 -> Get familiar with Control Tower.
3251.64 -> Control Tower is the fastest, easiest path.
3254.25 -> It's not the only path, but it is the quickest.
3257.07 -> So take some time to read about Control Tower,
3259.71 -> understand what your organizational setup is,
3263.25 -> and work from there.
3265.08 -> Next, you want to practice these AWS Control Tower, right?
3270.09 -> We're shifting the paradigm
3271.5 -> from the traditional audit thinking,
3273.54 -> where we're just adding one thing a year to,
3276.037 -> "Hey, how do I iterate in my audit program?"
3279.57 -> Part of that is getting comfortable being in the console
3282.15 -> and working through audit.
3283.5 -> These workshops give you a controlled environment
3286.56 -> that you can walk through,
3287.73 -> that you can learn at your own pace,
3288.9 -> and you can kind of experiment with these controls yourself.
3292.47 -> If you're not comfortable doing it yourself, that's okay,
3294.81 -> we also do immersion days.
3296.58 -> Ask your account team about this,
3298.26 -> and they can come in
3299.37 -> and have you do a guided walkthrough of these workshops.
3302.67 -> It's the same workshops at this link.
3304.62 -> You just kind of get a facilitator.
3306.96 -> And especially if you're trying to ramp up a team,
3308.67 -> this might be an opportunity.
3311.76 -> Next, you want to iterate, right?
3313.2 -> There's a lot of opportunities.
3315.12 -> Check out our AWS cloud governance.
3317.85 -> We continuously publish blogs, and ideas,
3320.37 -> and strategies, as well as updates to these platforms,
3324.12 -> so that as we advance those products,
3326.73 -> you immediately see the benefit
3328.23 -> of those in your environment.
3331.29 -> Last of all, once you've done this,
3332.88 -> once you've worked through this process
3334.53 -> and started to iterate, you'll start to figure out,
3336.937 -> "Hey, these things work awesome.
3339.15 -> I've got a gap here,
3340.29 -> I've got a gap there."
3341.7 -> Or, "I'd like to see some of my on-site premise stuff
3344.01 -> feed into this."
3345.27 -> Or, "I wanna pull something in from other clouds."
3347.37 -> We've got great partners,
3349.56 -> so check out our Control Tower partners.
3351.99 -> Once you've kind of got the feel for what you need,
3354.9 -> you'll really be able to engage in a strong way
3357 -> with our partners,
3357.833 -> and get the right partner to engage
3359.07 -> to close any gaps you have.
3362.22 -> With that, I really want to thank all of you
3363.9 -> for coming today.
3365.88 -> I encourage you to go build a compliance DevOps program.
3369.9 -> I'm gonna coin that the CompDevOps program.
3372.45 -> And remember, we're really trying
3373.89 -> to work towards business objectives.
3375.84 -> That reduction in error, reduction in cost,
3378.51 -> reduction in time.
3379.86 -> We want to grow our impact with increased scope
3383.22 -> and compliance as a service.
3385.29 -> And last of all, we wanna future proof our compliance
3387.87 -> so that we can address new regulations,
3390.09 -> we can address new technologies,
3392.16 -> and we can actually beat cloud opponents saying,
3394.987 -> "Hey, it's a lot easier to audit
3397.26 -> if you would move this to the cloud," right?
3399.36 -> That's the paradigm we want to be in as auditors.
3402.27 -> We don't wanna be the old guys,
3404.43 -> we want to be the guys on the front end, right?
3406.41 -> Saying, "Hey, I understand the technology,
3409.11 -> I understand where we're going.
3410.46 -> We wanna move to the cloud because we can do more for you
3413.4 -> as a business if you move your compliance to the cloud."
3418.23 -> When you get to that place,
3419.25 -> you know that you've reached the efficiency
3421.74 -> you're aiming for.
3423.15 -> So I encourage you guys, you're ready, go do this.
3426.36 -> Please take some time to fill out the surveys.
3428.13 -> We take those surveys really seriously here at AWS.
3431.85 -> We appreciate your feedback,
3433.68 -> and I want to encourage you guys
3434.91 -> to go have a good re:Inforce.
3437.153 -> (audience applauds)

Source: https://www.youtube.com/watch?v=m2wjmGvY2pY