AWS re:Invent 2021 - Cloud compliance, assurance, and auditing

In this session, learn how to continuously assess, manage, and maintain compliance for formalized standards such as those required by the Federal Risk and Authorization Management Program (FedRAMP), National Institute of Standards and Technology (NIST), and others. Also, learn about various auditing options, including auditing privileged access across services like Amazon S3 and Amazon DynamoDB. Dive deep into how you can achieve governance and compliance using preventive and detective guardrails and other AWS services.

Learn more about re:Invent 2021 at https://bit.ly/3IvOLtK

ABOUT AWS
Amazon Web Services (AWS) hosts events, both online and in-person, bringing the cloud computing community together to connect, collaborate, and learn from AWS experts.

AWS is the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, become more agile, and innovate faster.

#AWS #AmazonWebServices #CloudComputing


Content

0.32 -> (bright music)
10.65 -> - Hi there, and welcome to
12.05 -> Cloud Compliance, Assurance, and Auditing.
15.01 -> My name is Andres Silva.
16.26 -> I'm a principal specialist solutions architect
18.45 -> here with the Cloud Operations Teams at AWS.
21.35 -> And for this presentation with me I have Kaartik Viswanath
25.23 -> who you'll be meeting later on in the presentation.
28.16 -> He is the lead for the developers of AWS Config.
32.56 -> He leads the development team
34.13 -> and we're very excited to talk to you
36.13 -> about this topic of compliance in the cloud.
39.72 -> Now why is this an important topic
41.98 -> that you should be interested in?
44.81 -> Well, if you want to do any serious business in the cloud,
47.35 -> you will have to meet requirements
48.9 -> for some sort of compliance framework.
51.56 -> Maybe HIPAA, maybe PCS, FedRAMP.
55.49 -> Also running any infrastructure
57.85 -> at scale requires good governance,
60.43 -> requires good security processes.
62.56 -> So there's always gonna be compliance in the conversation
66.9 -> and it is very important to run business in the cloud.
70.37 -> Now what is our goal with this presentation?
72.24 -> What do we want you to take away
73.77 -> from the presentation at the end?
75.62 -> We would like you to understand better
77.71 -> how you can use the different AWS services
80.47 -> and features that we provide to simplify the process
83.75 -> of achieving compliance in cloud environments.
87.21 -> And to do that,
88.23 -> we're gonna walk you through some guidance
91.05 -> and we're gonna do a dive deep into some of our services
94 -> to help you understand that better.
96.09 -> So let's get right to it
98.3 -> and let's get started.
100.07 -> So here's the agenda of the topics that we're gonna cover.
103.08 -> We're gonna talk about what are some of the challenges
105.01 -> that we're learning from customers
106.68 -> when it comes to compliance in the cloud?
109.48 -> Then we're gonna introduce you to a model
111.23 -> that's called the Three Lines Model,
113.18 -> and we're gonna explain what it is
115.04 -> and how it helps you make better sense
116.77 -> of how our services come together to help you.
119.86 -> As we discuss that model,
121.21 -> we're gonna touch on three main topics.
123.53 -> Managing risk, overseeing risk,
125.71 -> and providing assurance of risk management.
129.17 -> Then at the end,
130.003 -> we're gonna review some key takeaways
131.62 -> and things you can do to continue
132.79 -> learning about this important topic.
135.2 -> Now in order to better understand this topic
139.34 -> of compliance on the different services,
141.97 -> I wanna tell you a story
142.941 -> and it's about somebody that we're gonna call Ed, right?
146.99 -> Ed like many of us is learning about cloud compliance.
152.45 -> Ed was just hired as a cybersecurity engineer
155.51 -> for a big organization.
157.77 -> Now Ed brings a lot of experience in cybersecurity,
161.31 -> in compliance, in managing infrastructure.
165.5 -> However he is new to the cloud,
167.77 -> so he's new to learning how cloud operates,
170.15 -> and the different things that he has to keep in mind,
174.39 -> and how to apply what he learns
177.27 -> to now managing his infrastructure
179.66 -> is a new journey that he's taking,
184.17 -> and many of you may feel like this too.
186.89 -> Now he's eager to learn
188.04 -> and explore like many of us also, right?
192.01 -> And also he is responsible now for implementing
195.24 -> compliance strategy at his organization.
198.43 -> So maybe you identify a little bit with that,
201.45 -> maybe some aspects of this character
203.96 -> that I'm sharing with you.
205.932 -> And the first thing we'd like to do
209.467 -> when we're facing a challenge like this
210.99 -> is learn more about the products,
212.53 -> learn more about the challenge.
214.06 -> So that's exactly what Ed does.
215.89 -> He starts talking to some of the different teams,
218.42 -> meeting people, trying to understand
219.89 -> what are the requirements for this new job he has.
223.17 -> He has a big responsibility.
224.86 -> So one of the first things he faces
226.88 -> is as he starts learning about this new challenge
232.3 -> or this new project that he has in front of him,
234.95 -> that there are some challenges
236.62 -> as he talks to some of the operation teams,
238.73 -> as he talks to the developers.
240.67 -> And maybe you've seen these challenges
242.64 -> when it comes to compliance in the cloud.
244.17 -> Let's go over them real quick,
245.45 -> what he finds out very quickly.
246.84 -> One of them is the dynamic landscape of the cloud.
250.23 -> There are so many different services,
252.2 -> managed services that behave in completely different ways.
255.79 -> And for all those,
256.73 -> you have to have compliance
258.43 -> and you need to ensure compliance.
259.577 -> That's a challenge sometimes.
261.69 -> Also the volume, variety, and velocity of resources in AWS
266.75 -> and in the cloud.
267.583 -> Think about an auto-scaling group.
269.67 -> Think about a cluster, an ECS cluster, an EKS cluster.
272.63 -> They are constantly creating
274.36 -> and destroying, terminating resources.
276.95 -> And as that happens at a very fast speed,
280.42 -> you need to ensure compliance, that's another challenge.
284.09 -> The global footprint of where the workloads are running,
288.31 -> now we need to worry about workloads
289.76 -> that are running on the other side of the world
291.67 -> and we need to make sure that we are meeting
293.47 -> certain compliance requirements for that specific region.
298.19 -> That could be a challenge.
300.14 -> The pace of innovation.
301.3 -> We are constantly releasing new services
304.41 -> and organizations in customer environments
308.79 -> wanna use those services,
310.46 -> and you have to make sure that they're compliant
312.12 -> as they start up those new services.
313.45 -> That could be a challenge also.
315.31 -> Familiarity with the cloud.
316.67 -> That's another one that Ed identified pretty quickly, right?
320.38 -> A lot of the engineers and operations teams
323.33 -> that are ramping up don't understand
325.99 -> how cloud computing works and they're learning.
329.58 -> As that happens and they learn,
332.86 -> how do you make sure that what they're doing
335.02 -> fits within the compliance requirements you have?
337.49 -> That could be a challenge also.
339.4 -> And the different compliance and security needs
341.79 -> for different organizations is another thing
343.73 -> that Ed quickly realized.
345.67 -> Some organizations are more concerned
347.64 -> with maybe PCI, where others with HIPAA.
350.94 -> So there's different frameworks
352.42 -> and they don't apply the same way to all organizations,
355.71 -> so that could also be a challenge.
358.5 -> But Ed is very determined, right?
361.93 -> He's not new to learning,
363 -> so he starts digging in.
364.47 -> He starts reading documentation about AWS
368.01 -> and the services we provide.
370.16 -> And then all of a sudden,
371.98 -> there's another challenge that comes up, right?
373.729 -> And he faces what you see on the screen right now.
377.1 -> Which one do I use for compliance?
379.71 -> How do I get going?
380.85 -> There are so many services.
382.23 -> There's AWS Config, there's CloudTrail.
385.15 -> There's Audit Manager, License Manager, Systems Manager.
388.53 -> Which one do I use
390.13 -> and how do I use it?
391.91 -> Maybe you've felt a little bit like Ed
394.41 -> when you started researching about
395.83 -> and learning about our services.
398.65 -> But Ed continues to dig deeper
400.85 -> and he finds some blogs that we've published.
404.99 -> He has an opportunity to attend a session
406.941 -> that we did earlier this year
409.23 -> on cloud compliance and assurance
410.99 -> and he learns about this concept of the Three Lines Model.
416.14 -> Now what is the Three Lines Model?
418.08 -> The Three Lines Model is a standard that is presented
420.31 -> by the Institute of Internal Auditors
422.5 -> and it establishes that for an organization to implement
425.12 -> effective compliance strategy or strong governance,
429.25 -> they need to use what they describe
431.24 -> as the three lines of defense.
433.35 -> And when he starts digging deeper into this concept,
436.37 -> it makes more sense how all of our services fit together.
439.8 -> The first line of defense is where you manage risk.
444.17 -> So this is where you define the controls
447.77 -> that are gonna identify
449.16 -> and mitigate any risks in your infrastructure.
453.19 -> And this is where services like AWS Config,
456.369 -> CloudTrail, Systems Manager, License Manager, Backup,
460.93 -> this is where they operate
462.44 -> and help you define mechanisms to establish those controls,
468.62 -> detect any non-compliant resources,
470.62 -> and even remediate them
471.76 -> or track them for remediation purposes.
474.82 -> The second line of defense establishes that you need
477.49 -> a way to oversee the risk.
479.403 -> What that means is that after you have deployed
482.78 -> all your controls and you're managing risk,
485.17 -> you need to have a place
486.17 -> where you can have a unified view of the risks,
489.7 -> how they're being mitigated,
490.84 -> how they're being assessed
492.55 -> so that you can have a single pane of glass
494.78 -> on your security posture.
496.4 -> And this is where services like Security Hub
498.71 -> and even AWS Config also with some of these features come in
502.48 -> because these services allow you to quickly evaluate
505.21 -> the security posture of all your AWS accounts
507.95 -> in all regions, for all resources
509.94 -> and platforms that you're using,
511.52 -> identify any risks, and possibly mitigate them immediately.
516.1 -> And then the third line of defense
518.17 -> is the line of providing assurance of risk management.
522.54 -> And this is where at some point
525.95 -> an auditor is gonna knock on your door
527.88 -> and is gonna say,
529.147 -> "Well, you are supposed to be PCI compliant
531.45 -> or you are supposed to be HIPAA compliant.
533.41 -> Prove to me that you are indeed managing
536.17 -> and overseeing risk properly."
537.93 -> And that's where a new service that we released
542.62 -> at re:Invent last year called Audit Manager can help.
546.51 -> Even CloudTrail can help there
548.16 -> because these services will help you collect
550.42 -> all the evidence that you need for auditing purposes.
554.5 -> And we'll do a deeper dive
556.09 -> into what each one of these services does.
560.35 -> But the key here is that in order to effectively understand
563.81 -> how all of our services come together,
566.35 -> you have to put it in this framework,
568.94 -> the Three Lines Model,
571 -> and now it all starts making sense.
573.27 -> It all starts falling into the right place.
576.35 -> Now he gets it, right?
578.06 -> But then he says, "Well, how do I get started
581.45 -> with the first line of defense?
582.563 -> What should I do for the first line of defense?"
585.5 -> Well, let's talk a little bit about that.
587.73 -> Let me highlight a few things
589.9 -> that are important to understand
591.12 -> to get you started with managing risk,
593.24 -> that first line of defense.
594.87 -> The first thing is that you should use Control Tower
599.38 -> if at all possible.
600.65 -> Control Tower is the right place to start
603.45 -> because it's going to simplify the implementation,
607.55 -> the definition of all of the security controls
611.24 -> and everything you need to start managing risk.
613.74 -> It's gonna implement the account provisioning.
616.483 -> It's gonna establish guardrails.
618.55 -> It's gonna activate all the logging, auditing.
621.83 -> It's gonna activate Config, all that for you,
624.5 -> and it's gonna give you a headstart into managing risk.
628.74 -> Then after that, what you wanna do
630.73 -> is automate, automate, automate.
633.44 -> And what do I mean by that?
634.62 -> Well, what I mean is if you think back to the example
638.03 -> that I mentioned earlier of the speed
640.08 -> at which cloud resources operate,
642.21 -> it is impossible to try to track things manually, right?
645.29 -> So what you have to do is
646.46 -> as you implement your risk management,
649.08 -> you need to implement controls
650.19 -> that allow you to detect things quickly
652.14 -> and mitigate them if possible.
653.83 -> So you need to take advantage of things
655.19 -> like AWS Config rules and remediation actions
658.46 -> which we're gonna show you more in depth how they work.
661.52 -> As part of that,
662.58 -> you also need to look into compliance as code.
665.72 -> Compliance as code is a mechanism
667.48 -> that will allow you to establish your controls
670.2 -> in a way that is defined by code, that can be reviewed,
674.4 -> that can be passed through a pipeline,
677.16 -> that can evaluate it
678.1 -> and make sure it is what you require, and then deploy.
682.12 -> That's gonna speed up the mechanism of
684.56 -> or the process of implementing your compliance requirements
688.54 -> because compliance is constantly changing.
690.62 -> So you don't wanna have to manually deploy
692.39 -> these controls every single time.
694.7 -> You want an effective way of defining them as code,
698.52 -> reviewing them, and publishing them.
700.84 -> And then the last thing is you wanna keep in mind
703.41 -> that in order to manage risk effectively,
706.19 -> there are two main things.
707.69 -> There are preventive and detective controls.
710.797 -> Let's talk about them now.
714.02 -> Let's talk about preventive and detective controls.
716.6 -> Let's start with preventive controls.
718.84 -> What are preventive controls?
720.26 -> When we talk about preventive controls,
722.43 -> we mean that you establish mechanisms that allow you to,
726.48 -> before things are created as cloud infrastructure,
729.95 -> prevent their creation if they don't fit
733.33 -> or meet the requirements for compliance.
735.58 -> The way you do that
736.62 -> is by implementing three main categories.
739.54 -> The first one is we have features
741.54 -> and services that allow you to manage
743.21 -> or control what things happen in your environment.
748.08 -> And this is where services like AWS Organizations
751.89 -> with features like service control policies come in
754.65 -> because they allow you to define services that you can use,
758.04 -> regions that you cannot use,
760.33 -> specific operations that you cannot do.
762.55 -> So that would prevent a user from doing something
764.94 -> they're not supposed to do.
765.96 -> You can extend that with IAM policies
768.81 -> that get very granular
770.65 -> and specify
773.93 -> what permissions an individual has
776.91 -> to do things in cloud infrastructure.
779.56 -> And then of course,
782.18 -> we already talked about Control Tower
783.72 -> as an important mechanism
785.07 -> on that first category of managing.
787.84 -> Then after that, what you do
789.47 -> is you make sure your provisioning is tidied up, right?
793.04 -> Provisioning is how things are gonna be created.
796.41 -> So you wanna avoid just giving everybody
798.43 -> free rein to the console
799.57 -> and let them do whatever they want.
801.12 -> You wanna use some sort of infrastructure as code mechanism
804.36 -> like CloudFormation or Service Catalog,
806.97 -> or even a lot of our customers use Terraform
809.82 -> and make that the way you provision infrastructure
813.75 -> because that will allow you to establish
816.84 -> processes of reviewing, storing your infrastructure as code
820.81 -> which will in turn allow you to take advantage
822.87 -> of the third category
824.1 -> which is where compliance comes in.
826.45 -> And in here, you can use tools like CloudFormation Guard
829.44 -> or even OPA, which is very popular
831.22 -> with customers that use Terraform,
833.5 -> where you can actually define rules
836.76 -> that implement those controls for compliance.
839.94 -> And then before any CloudFormation template is provisioned,
844.17 -> it gets evaluated against those rules
846.55 -> and then you can stop the provisioning
848.24 -> if it doesn't meet the requirements.
850.96 -> We're not gonna do a deep dive of CloudFormation Guard,
852.98 -> but I wanna show you real quick how it looks.
855.08 -> So in this example that you see on the screen,
857.01 -> this is a CloudFormation Guard rule
859.18 -> that has been implemented or defined for volumes.
862.52 -> So in order for a volume that's defined in CloudFormation
865.41 -> to be allowed to pass,
866.76 -> it needs to meet the requirements that are defined here.
869.01 -> It needs to be encrypted, the size, the volume type.
872.76 -> So you have a lot of flexibility in how you define that.
875.87 -> Now how do you implement this?
877.29 -> This is the way you implement it,
878.44 -> so let me show you a quick diagram.
880.39 -> So you start with a CloudFormation template.
882.68 -> So your development teams
883.74 -> or the people that run operations
885.27 -> would create that CloudFormation template.
887.61 -> But what happens is in order to deploy
889.11 -> that CloudFormation template,
891.18 -> they have to use some sort of CI/CD mechanism.
893.12 -> In this case, we use the example of using CodePipeline.
896.05 -> And with CodePipeline, CodePipeline would kickstart
898.96 -> the process of deploying the template
901.7 -> as soon as it detects a merge
903.45 -> to a specific branch in a repo,
905.35 -> and then it's gonna have a step that is gonna run CodeBuild
909.63 -> to run the CloudFormation Guard tool against the template
914.07 -> with the rules that have been defined for compliance.
917.09 -> Once it's run or executed,
919.81 -> it's gonna say pass or did not pass as you can see here.
924.12 -> What happened, did it pass?
925.14 -> If it did not pass,
927.67 -> then we stop, right?
929.27 -> Nothing happens, an error is generated,
931.95 -> and the user has to go back and figure out why it failed
934.92 -> and fix it before it can be deployed.
937.35 -> Now if it passes,
938.67 -> then it's cleared so that CodeBuild
942.84 -> can pass it to the next step
944.15 -> which will create the resources in the infrastructure.
948.1 -> There we go, so that's how it works, right?
950.76 -> That's how a very simple implementation
952.37 -> of CloudFormation Guard can help
955.14 -> you implement preventive compliance.
959.53 -> Now we also need to talk about detective compliance.
962.44 -> So to do that,
963.273 -> I want to invite Kaartik to talk to us
965.85 -> a little bit about AWS Config
967.98 -> and how you can use it to implement detective controls.
970.66 -> Kaartik, please take it away.
973.51 -> - Thank you, Andres, let's first take a look
976.49 -> at what is AWS Config?
979.07 -> There are three value propositions with AWS Config.
982.05 -> The first is providing you the ability
984.58 -> to track changes to your configuration.
987.93 -> The second is compliance,
990.2 -> providing the ability to track compliance of your resources,
994.79 -> and the third is visualization.
998.67 -> With visualization, you can actually see
1001.73 -> your compliance results, your changes
1004.33 -> to your configuration items, right?
1008.91 -> Across multiple accounts and multiple regions
1011.84 -> in a single pane of glass, right?
1014.1 -> So that's the value with visualization
1016.25 -> and you can also write queries,
1019.42 -> SQL queries to actually get the data.
1021.71 -> What I'll be talking about is the first two items
1025.28 -> which is tracking of your resources,
1027.19 -> as well as compliance.
1028.62 -> And then later in the presentation,
1030.3 -> Andres will walk you through visualization with AWS Config.
1035.31 -> So let's dive in.
1037.56 -> The first primitive with AWS Config is Config recording.
1043.5 -> So anytime you're working with AWS Config,
1046.27 -> you are going to be enabling Config recording, all right?
1049.66 -> What is Config recording?
1051.387 -> Config recording is the service
1053.57 -> by way of which you can track
1055.69 -> changes to your configuration items.
1059.29 -> And anytime you create a resource
1061.95 -> or you update a resource, right?
1063.93 -> We're going to create what's called
1065.63 -> a configuration item, right?
1067.5 -> And we will deliver it to an S3 bucket that you've chosen
1070.96 -> and you will also be able to see a snapshot,
1073.17 -> a timeline view of how
1075.4 -> your configuration resources have been changing.
1079.34 -> Today, with the AWS Config recording,
1081.89 -> we support up to 114 resource types that we track
1086.09 -> that's spanning across 40 different database services
1089.47 -> and we're continuously adding more resource types
1092.53 -> that's integrated with AWS Config.
1095.78 -> You can not only record AWS Config resources,
1100.87 -> but you can also record
1102.34 -> third-party resources using Config recording.
1105.64 -> The way you do that is with a feature
1107.85 -> that we call custom Config resources
1110.85 -> where you can now bring in your resources
1112.84 -> either on-premises or wherever else, right?
1115.28 -> You can bring them into AWS Config
1116.64 -> where you can track these resources
1119.88 -> that reside on-premises or anywhere else.
1124.68 -> You can track them with Config recording, right?
1127.89 -> So that's Config recording which is fundamental for Config.
1133.07 -> The next service that is built on top of Config recording
1136.7 -> is what we call Config rules.
1138.63 -> What are Config rules?
1139.987 -> So Config rules are basically the service
1141.61 -> by way of which we will evaluate
1144.1 -> every single resource for compliance, right?
1149.03 -> One of the things that...
1152.28 -> Actually one of the things that we hear from customers,
1153.253 -> okay, what are Config rules?
1155.08 -> How's this different from managed policies?
1157.829 -> Config rules is, the example I use
1160.567 -> is Config rules is a technical term, right?
1164.36 -> The English word for Config rules is policies, right?
1167.74 -> So you are going to define policies
1169.89 -> that you want your resources to adhere to
1173.19 -> and Config rules is the way we are implementing
1176.45 -> these policies that you want
1178.6 -> your resources to adhere to, right?
1180.96 -> So if you look at Config rules,
1183.29 -> there are two types of Config rules.
1184.99 -> One is managed and the other one is custom, right?
1188.01 -> What I mean by managed rules is today,
1189.931 -> AWS offers over 200 plus Config rules, right?
1193.197 -> Out of the box Config rules that you can deploy.
1196.3 -> Let's take an example.
1198.76 -> Let's say you have a policy where you're saying
1202.22 -> all my data that is stored in my EBS volume
1205.78 -> needs to be encrypted, that's your policy.
1209.54 -> The way you will implement that policy
1212.05 -> is you would deploy a managed rule
1215.13 -> for EBS volume encryption.
1217.7 -> So now anytime an EBS volume is created or updated,
1223.866 -> your Config recording is basically going
1225.79 -> to track that resource, right?
1227.98 -> It's going to generate a configuration item.
1230.89 -> And as soon as that resource
1232.39 -> is either created or updated
1234.79 -> and the resource is tracked,
1236.43 -> Config rules will now process the managed rule
1240.41 -> that you have deployed
1242.25 -> against this resource that was created or updated
1245.36 -> and it's going to check to see hey, is this EBS volume,
1249.1 -> is it set up for always encrypting data
1253.53 -> or not encrypting the data?
1255.14 -> So let's say if your EBS volume was created
1257.5 -> so that all the data that is being stored
1259.59 -> is going to be encrypted, right?
1261.539 -> Now that particular resource is compliant, right?
1265.56 -> Now if the volume was created in such a way
1269.2 -> that the data is not going to be encrypted,
1271.87 -> now that resource is marked as noncompliant.
1276.13 -> With Config rules, we also have the capability
1277.933 -> where you can auto-remediate non-compliant resources, right?
1282.11 -> So obviously when you're having these policies, right?
1286.27 -> Like I said earlier we have 200 plus policies,
1288.55 -> we're not going to be able to cover every single policy
1292.22 -> that you would want deployed, right?
1293.74 -> Which is why we have custom rules.
1296.03 -> So with custom rules,
1297.16 -> you can now write your own Config rules that you want
1301 -> and you deploy that as a Lambda function, right?
1303.89 -> So this way with managed rules and custom rules,
1306.77 -> you can now ensure
1308.21 -> that all your compliance requirements can be met, right?
1312.21 -> So that's something that which AWS is gonna learn, okay.
1314.64 -> So that's what I need to use.
1316.65 -> Now this is as part of deploying the rules, right?
1320.11 -> So now when do I evaluate these rules, right?
1325.61 -> That's the other dimension
1327.69 -> of when do the rules get evaluated?
1330.09 -> So you have two options.
1331.1 -> One is change triggered.
1332.38 -> The second is periodic.
1334.93 -> With change triggered, if you go back to the example
1337.64 -> that I gave you, right?
1338.65 -> That is what we call a change triggered rule.
1341.2 -> As soon as a resource is created or updated,
1344.48 -> we're going to evaluate that resource for compliance
1348.13 -> against the Config rules that you have deployed
1350.28 -> for that particular resource type.
1353.13 -> So this is what we call continuous compliance, right?
1355.877 -> So now as the resources are created or updated,
1358.78 -> you are able to continuously check for compliance.
1361.69 -> You're always up-to-date, right?
1363.5 -> So that's when you deploy a change to that rule.
1367.448 -> There is the other use case where your auditor might come
1370.05 -> and say, "Hey, every 24 hours,
1373.03 -> I want to make sure that I have evidence
1376.9 -> that your resource is compliant."
1380.1 -> So now what we do in that particular case
1382.1 -> is you would deploy a periodic rule
1385.22 -> where you decide the frequency.
1387.6 -> So it could be every 24 hours
1389.39 -> or it could be every 12 hours.
1390.7 -> So at the frequency which you have defined,
1394.33 -> you are now going to execute the Config rule.
1397.54 -> And if no change has been made,
1399.83 -> the previous state will continue.
1401.6 -> So if you were compliant 24 hours back
1403.39 -> and the resource has not changed,
1404.54 -> you continue to remain compliant.
1406.008 -> (claps)
1407.04 -> So that's the value prop with periodic rules, right?
1411.9 -> At specified time intervals,
1413.69 -> you have enough evidence to say
1415.57 -> if your resource is compliant or noncompliant.
1420.611 -> All right, so now that we know Config rules, right?
1424.24 -> So the next part is
1426.75 -> how are other services leveraged and configurable?
1429.57 -> So you can deploy Config rules,
1431.3 -> but what you will also find
1432.73 -> is there are other services in AWS
1435.07 -> that provide compliance-related capability, right?
1439.05 -> They are also built on top of Config rules.
1441.55 -> Let's take the case of Security Hub and Backup, right?
1444.43 -> So Security Hub has this primitive
1448.4 -> called Security Hub controls.
1450.36 -> Behind the scenes, it is nothing but Config rules, right?
1454.22 -> So it's not presented to you as Config rules,
1456.59 -> but it's presented as a Security Hub control
1458.91 -> but it's nothing but a Config rule.
1460.83 -> Similarly with Backup, you have
1462.34 -> these backup audit manager policies, right?
1464.89 -> They are nothing but Config rules behind the scenes, right?
1469.09 -> With Control Tower, right, you have
1470.74 -> these detective guardrails, right?
1473.89 -> Andres has talked about preventive guardrails, right?
1475.55 -> So we also have detective guardrails with Control Tower.
1478.47 -> Again, they are nothing but Config rules.
1481.65 -> So you also have other services
1482.79 -> like Audit Manager and Firewall Manager.
1484.45 -> And again, they are under the cover
1486.25 -> for the compliance evaluations,
1488.75 -> they all use Config rules, right?
1491.65 -> We're talking about conformance packs in a minute.
1493.91 -> One point I want to call out with regards to pricing, right?
1497.65 -> And we've heard multiple customers ask us these questions
1501.18 -> where when you're deploying Security Hub or Backup, right?
1505.07 -> In your pricing bill,
1506.03 -> you would notice a line item for Config recording
1508.26 -> but you would not notice a line item for Config rules, right?
1512.17 -> The reason is the way that gets presented
1514.43 -> is as a Security Hub control
1515.86 -> or a backup policy, right?
1517.34 -> So you would not see a Config rules line item,
1521.4 -> but instead you're seeing the Security Hub control
1523.04 -> or the backup policy has the line item
1525.18 -> as a replacement for Config rules.
1527.45 -> But behind the scenes,
1528.283 -> it's effectively a Config rule, right?
1530.3 -> But for all of these services,
1532.38 -> one of the core features that you have to always be enabling
1536.41 -> is Config recording, right?
1537.77 -> So sometimes if you're wondering, right?
1539.71 -> So hey, why am I being charged for Config recording?
1542.9 -> As you can see, without Config recording,
1545.47 -> we would not be able
1546.64 -> to deliver these compliance evaluations
1549.09 -> because for me to be able to record that resource change,
1552.78 -> I need Config recording in either way.
1554.8 -> So which is why Config rules
1557.22 -> is basically the core for all your compliance evaluations.
1562.33 -> All right, let's dig
1563.163 -> a little bit deeper into conformance packs, right?
1569.84 -> So what is a conformance pack?
1572.091 -> A conformance pack is nothing
1573.59 -> but a collection of rules, right?
1576.78 -> So the idea of conformance pack
1578.62 -> is it's going to simplify your deployment experience.
1584.55 -> So I mentioned conformance packs are a collection of rules.
1586.53 -> So you can have up to 130 Config rules
1588.97 -> in a single conformance pack.
1590.67 -> The real use case is so let's say I want to deploy
1593.9 -> 100 rules in multiple accounts, right?
1596.41 -> So you go to account one, account two, account three.
1598.6 -> So every time you have to ensure
1600.64 -> that you're actually deploying all the 100 rules, right?
1603.5 -> You do not want to have any cause for a human error, right?
1607.84 -> That's where conformance pack comes in handy, right?
1610.28 -> So you do this exercise once
1612.9 -> where you ensure that you have now
1616.86 -> cornered all your 100 rules
1618.17 -> into this single conformance pack.
1620.21 -> From now onwards, you're just dealing with that one entity
1622.88 -> or that primitive of a conformance pack.
1625.41 -> You know that if I go and deploy conformance pack A
1629.14 -> and conformance pack A has
1630.87 -> all the 100 rules that I want,
1632.84 -> then I'm not missing out on Config rules for my account.
1636.8 -> So you can now deploy
1638.13 -> the conformance pack across multiple accounts
1640.22 -> or across an organization, right?
1641.9 -> With one click, you can deploy it across your organization.
1646.94 -> So that's a great value proposition
1649.93 -> with conformance pack where it simplifies your deployment.
1653.1 -> Also, if you're deploying across an AWS organization,
1655.86 -> you can use a delegated admin account
1657.42 -> or the master account
1658.52 -> to actually deploy these conformance packs.
1661.23 -> Another benefit with conformance pack
1663.12 -> is once you deploy the conformance pack, right?
1665.98 -> These rules are immutable rules, right?
1668.89 -> So now you can ensure that I cannot,
1671.73 -> the user or member account
1673.93 -> doesn't accidentally delete one of the rules.
1677.14 -> With the conformance pack today,
1678.5 -> we have more than 50 plus conformance packs
1682.073 -> that you can actually directly deploy.
1684.44 -> The other value out of a conformance pack
1687.03 -> is we also start using conformance pack
1689.01 -> for compliance regimes or operation best practices, right?
1693.35 -> So one of the operational best practices
1695.09 -> we have is in S3, right? So you have an S3 conform,
1697.801 -> S3 operations conformance pack.
1700.24 -> But there are also
1701.073 -> some compliance regimes like HIPAA, right?
1703.55 -> And some of these where they require you
1706.7 -> to have a manual process
1708.46 -> like let's say an auditor has gone
1710.34 -> and verified something, right?
1712.18 -> So we have this category of rules
1713.81 -> that is today available only in a conformance pack
1717.04 -> called process check rules
1719.28 -> where you're not checking for compliance
1722.77 -> of a particular resource,
1724.85 -> but instead you're actually checking if a particular process
1728.02 -> was completed or not, right?
1729.72 -> So then it would just be, hey, the auditor verified this.
1732.91 -> I have the signature,
1733.87 -> so let me go and add this to the conformance pack.
1736.75 -> You can add a process check rule,
1739 -> a generic one which says verified by the auditor.
1741.61 -> And now you just go and say,
1742.63 -> do a put configure and say yep, that is compliant, right?
1746.15 -> So it gives you that ability
1748.56 -> when you're having some compliance regimes
1751.01 -> where there is this,
1753.68 -> there are these other requirements
1755.45 -> that are beyond just verifying the values of the resources,
1761.77 -> if they are compliant or not,
1763 -> but there are these manual checks
1764.32 -> that you have to do, right? So that's the value it gives.
1767 -> The other benefit with conformance pack
1769.2 -> is we launched this feature this year,
1772.06 -> is the ability for you to get the status of the entire pack.
1776.8 -> So let's go back to the example, right?
1778.22 -> If you're already deploying 100 rules, right?
1780.27 -> And now if you want to ensure that, hey,
1782.53 -> is my account compliant
1784.25 -> or are all of these 100 rules compliant?
1785.91 -> You have to do an AND function
1787.9 -> of each and every single rule, right?
1791.04 -> With the conformance pack,
1792.03 -> we actually give you that AND status
1795.34 -> for the conformance packs directly, right?
1797.32 -> So it simplifies the reporting.
1801.33 -> And finally, like I mentioned earlier
1802.56 -> we have more than 50 plus conformance packs
1804.62 -> for operational best practices,
1806.04 -> as well as for various compliance regimes.
1811.57 -> So let's kind of put all of these back together, right?
1813.84 -> So Andres talked about detective controls
1816.197 -> and how Config is used there.
1817.77 -> So we talked in detail about Config rules, right?
1820.22 -> As well as conformance pack
1821.55 -> and how they helped with the detective controls.
1824.637 -> And the same point again is here what we're checking
1828.9 -> is with these rules and conformance packs
1831.3 -> is after the resource has been created,
1834.72 -> we're now checking if that particular resource
1837.57 -> that was created is compliant against the policy
1840.76 -> or the Config rules that we have deployed, right?
1844.03 -> One of the benefits with conformance pack
1846.22 -> as I mentioned earlier is conformance pack,
1848.42 -> we're starting to see a lot of customers
1850.11 -> deploy conformance pack based on different scenarios, right?
1852.77 -> Where hey, I'm running a particular campaign,
1855.33 -> so I want to make sure now I'm deploying it
1857.74 -> for this subset of accounts
1859.37 -> and making sure that I'm now compliant,
1862.1 -> and I've completed my campaign.
1864.21 -> Or we also see for operational best practices,
1866.95 -> as well as compliance regimes.
1870.24 -> Another point which I want to address here
1872.67 -> which comes up quite a bit is if you look
1875.52 -> at Security Hub standards versus conformance packs,
1877.24 -> there is similarity between the two.
1879.12 -> And one of the things that Andres started talking about
1883.02 -> and as you'll see in the rest of the session
1884.52 -> when he talks about various services
1886.25 -> is there are different ways
1889.11 -> in which you can solve the problem, right?
1891.69 -> And there is also a user persona aspect of it, right?
1895.12 -> Depending on what type, what your role is,
1897.73 -> you're going to pick the appropriate feature, right?
1899.73 -> And for us, we take an agnostic stance
1903.97 -> in terms of we're providing you various services
1907.16 -> and you pick the service
1908.87 -> that works for your particular use case, right?
1911.79 -> Security Hub standards versus conformance pack,
1914.1 -> it's very similar where the Security Hub standards
1916.66 -> we provide an open-ended way of,
1918.52 -> today, we provide an open-ended way
1919.93 -> of hey, now for HIPAA,
1921.87 -> you should now go
1923.13 -> and deploy these different controls, right?
1926.199 -> With conformance pack, it starts there, right?
1928.42 -> With conformance packs, we're basically taking
1930.92 -> the same set of rules or controls
1932.853 -> that Security Hub standards have
1934.83 -> and you have a similar set of Config rules
1936.91 -> in a conformance pack,
1938.79 -> but it allows you to go one step further
1940.85 -> where if you were to determine saying
1943.68 -> yeah, this set of rules doesn't work for me
1947.23 -> or it's not applicable for my particular environment,
1950.12 -> so instead I want to add something else, right?
1952.76 -> So with conformance pack,
1953.74 -> you can now, it gives you the flexibility
1955.47 -> to extend beyond what was prescribed, right?
1959.88 -> So the way I think of conformance pack
1962.19 -> is it's a hybrid between an open-ended solution
1965.14 -> and a do-it-yourself where we're giving you,
1967.88 -> you get started, you're not starting at zero.
1969.57 -> Where we give you for HIPAA,
1972.95 -> I'm picking that as an example,
1974.25 -> here are a set of Config rules
1975.44 -> that you need to deploy, right?
1976.693 -> As well as process check rules you need to deploy for HIPAA.
1980.339 -> We're giving you a starting point, right?
1982.61 -> But you don't need to deploy that, right?
1984.763 -> It's just this reference.
1986.46 -> Now you can add or delete to that.
1987.97 -> So that's the difference
1989.22 -> where you're looking for an open-ended way
1992.16 -> and a more managed solution,
1994.49 -> Security Hub standards is your option.
1997.2 -> But if you're looking
1998.033 -> for a do-it-yourself type of solution,
2000.32 -> with a head start, conformance pack
2001.92 -> would be the solution that you would use, right?
2007.37 -> So back to our friend Ed.
2009.67 -> So one thing Ed is going to realize in this journey
2012.03 -> is Config is the core for compliance.
2016.21 -> So I need to ensure that I learn
2018.28 -> more about AWS Config, Config recording, and Config rules,
2023.28 -> as well in remediation and conformance packs
2026.42 -> while I'm coming up with my compliance strategy.
2029.7 -> And then later in the session,
2031.71 -> we'll see Andres talk about visualization
2033.25 -> and where you'll see how Config
2034.6 -> brings all of these aspects together.
2036.98 -> So learning about AWS Config
2039.1 -> is critical for my success here.
2041.96 -> So before we move on,
2044.14 -> I quickly wanted to dive a little bit deeper into AWS Config
2048.5 -> and talk about what were some of the features
2052.29 -> that we launched in the past 12 months, right?
2055.11 -> One feature is we support AWS KMS encryption
2059.77 -> with your S3 buckets.
2061.09 -> So previously, what we would do
2063.26 -> is prior to this feature
2064.76 -> is we would leverage the server-side encryption
2068.2 -> on S3, the AES-256 key, right?
2071.59 -> With this feature launch,
2074.03 -> now you can provide the KMS encryption key as well
2076.76 -> and we would honor that.
2079.51 -> We're continuing to add more managed rules.
2081.26 -> We've launched 34 new rules this year
2083.1 -> and the numbers are only gonna keep increasing.
2084.82 -> We talked about conformance pack, right?
2087.28 -> Where now we have this compliance status
2089.74 -> for a conformance pack,
2091.25 -> as well as the compliance status is available as a CI.
2094.92 -> So now you can see the timeline
2096.41 -> for the conformance pack status as well.
2098.99 -> We've integrated support for conformance pack
2101.42 -> with aggregators as well so you can see
2103.53 -> the conformance pack changes,
2105.79 -> as well as the compliance status
2107.27 -> of your conformance pack on your aggregator.
2110.17 -> On the advanced query,
2112.12 -> so if you're writing these queries
2113.83 -> that you wanna query the data from an aggregator
2115.927 -> and if you're writing complex queries,
2117.96 -> you don't have to keep writing those queries.
2120.26 -> We have this feature called Save Query
2122.74 -> by way of which once you write the query,
2124.16 -> you can now save it so it saves you some time.
2126.29 -> It's more a usability feature.
2127.98 -> And also another usability feature
2129.845 -> which is pretty strongly asked
2132.69 -> by a lot of customers last year
2134.19 -> was pagination support for the results.
2136.635 -> And it was interesting,
2138.23 -> that's a very simple feature,
2140.42 -> but the number of thank you notes that we've gotten
2142.69 -> once we launched this feature
2143.69 -> from customers was very interesting.
2145.43 -> So that's a quick summary of the various features
2148.97 -> that we have with AWS Config compliance in the past year.
2153.63 -> With that, let me hand it over back to Andres
2156.04 -> to walk you through the rest of the session.
2159.96 -> - Right, thank you very much, Kaartik.
2161.47 -> We appreciate all those details about AWS Config.
2165.46 -> There's one more thing I wanted
2166.5 -> to talk to you about regarding AWS Config.
2170.1 -> We recently published a blog
2171.58 -> that I think would be interesting for you to review
2173.59 -> as part of your strategy for managing risk
2176.207 -> and it's a blog that shows how you can use
2178.38 -> custom Config rules with OPA
2181 -> or Open Policy Agent.
2184.69 -> This is an open source platform
2186.11 -> that is very popular with users of container workloads
2190.7 -> because it implements a policy language called Rego
2193.99 -> which makes it very easy to define policies to evaluate
2198.25 -> anything that's expressed in basically JSON format.
2202.29 -> So we have a sample out there.
2204.03 -> You can scan this QR code
2205.37 -> and essentially what we're doing is implementing,
2208.13 -> we're allowing you to define a rule
2210.27 -> to evaluate a resource using Rego
2213.14 -> but then execute it through AWS Config rules
2216.87 -> which is actually pretty cool
2218.16 -> and I'm very excited about.
2219.56 -> So I encourage you to take a look at it as another option
2222.27 -> to simplify how you write your compliance logic.
2226.83 -> You can always also of course use Lambda
2231.63 -> and write your logic in code.
2234.33 -> This is just another option that makes it a lot simpler
2237.32 -> and our goal is just to show you
2238.59 -> all that is possible with custom Config rules.
2242.62 -> Now what I wanna do is I wanna show you a demo
2245.24 -> of how you can use some of the things
2248.39 -> we've discussed with AWS Config,
2250.33 -> with remediation actions, with conformance pack.
2252.71 -> Put it all together so you can deploy
2254.67 -> one control for compliance purposes.
2257.15 -> Let's take a look at the demo piece.
2260.81 -> So let me show you a demo of how you can define a control
2264.75 -> to manage risk in a detective way using AWS Config.
2269.16 -> So the first thing I wanna show you
2270.3 -> is how you deploy that control,
2271.68 -> and I'm here at the AWS Config console
2274.69 -> and I'm gonna go to Rules.
2276.72 -> Now let's imagine that I have to comply
2278.7 -> with HIPAA in my organization.
2281.06 -> And as part of that,
2282.71 -> I'm going to deploy a rule
2287.04 -> that validates that my S3 buckets are encrypted.
2291.17 -> So we have a rule for that
2292.25 -> and all I have to do is click Add Rule,
2295.43 -> and then type here the name
2298.38 -> of the rule that I'm looking for.
2299.7 -> In this case, I'm looking for this specific rule
2301.86 -> which is called S3 Bucket Server-Side Encryption Enabled.
2305.62 -> So I'm gonna type the name of it,
2306.93 -> I'm gonna select it,
2307.847 -> and then I'm just gonna click Next here.
2311.27 -> Now here I have the option of giving it a name
2315.12 -> so I'm just gonna use the same name that is provided there,
2319.681 -> but I'm gonna append it with demo
2320.89 -> just so that I know that's the one that I'm working with.
2324.35 -> The other options that are specified here
2326.87 -> are when it will be evaluated.
2329.85 -> In this case, I am going to select
2333.52 -> that the scope of change is whenever the resource changes
2337.51 -> and it applies to S3 bucket.
2341.06 -> I can also specify a unique S3 bucket
2345.65 -> if I'm interested in only evaluating a specific bucket.
2348.4 -> That's another option that we have.
2350.19 -> So I'm just gonna leave all the default and click Next
2352.77 -> and then I'm gonna go ahead and deploy my rule.
2355.77 -> What's gonna happen is AWS Config is gonna go
2358.2 -> and deploy that rule for me.
2361.53 -> All right, so here's my rule
2365.16 -> that I just deployed,
2366.05 -> the S3 Bucket Server-Side Encryption Enabled Demo.
2369.79 -> I'm gonna click on it
2370.87 -> and then I'm going to see that it has already detected
2374.63 -> a number of resources that are not compliant.
2379.28 -> Now what I can do
2381.04 -> is because this is
2382.39 -> a non-negotiable thing in my organization,
2384.98 -> I can go ahead and deploy a remediation action.
2387.49 -> The way you do that is you go into the rule
2389.64 -> and you select this option here in Actions
2391.74 -> that's called Managed Remediation.
2393.71 -> And as Managed Remediation,
2395.27 -> I can specify an SMS,
2398.61 -> I'm sorry, a Systems Manager document
2403.09 -> that will perform the necessary API actions
2406.62 -> to fix that resource.
2408.21 -> In this case, this console already has suggested for me
2412.45 -> the remediation action that I should use
2414.91 -> which is AWS-EnableS3BucketEncryption.
2417.18 -> So I'm just gonna leave that at the default
2420.12 -> and I must make sure that the resource ID
2422.56 -> is the bucket name that will be used.
2427.1 -> The only other thing that I have to specify here
2430.04 -> is the role that will be used to perform that action.
2436.95 -> So, and that's already been populated for me here,
2441.32 -> so all I have to do now is save the changes.
2446.1 -> And now I have a remediation action
2448.12 -> that I can use for those buckets.
2450.5 -> The way I know this is working now
2452.23 -> is if I select the specific bucket that I wanna fix,
2456.35 -> the Remediation Action button will be enabled.
2459.98 -> Now you can deploy remediation actions
2462.55 -> either in automatic way
2463.76 -> which will mean as soon as the resource is detected,
2466.95 -> it will be fixed
2469.13 -> or they can be deployed in manual mode,
2472.46 -> and this is something that you specify in the definition.
2474.94 -> And then you'll have the option to come into the console
2477.13 -> and decide when you're gonna fix it.
2479.26 -> So that's how you deploy the control
2482.18 -> and the remediation action.
2484.12 -> Now how do you take that to the next level
2486.37 -> and deploy that rule
2487.96 -> and that remediation action as part of a conformance pack?
2490.55 -> Let me show you that real quick.
2492.96 -> So what I have here is my HIPAA conformance pack
2496.34 -> that I have already downloaded the sample,
2498.44 -> I've been working on it,
2499.9 -> and I've been modifying it to fit my specific needs.
2504.96 -> So what I wanna do is I wanna add
2507.96 -> this rule for Server-Side Encryption Enabled
2512.78 -> right here as you can see,
2514.75 -> and I also wanna add the remediation action.
2519.48 -> Now what I have here,
2520.67 -> a conformance pack is essentially a CloudFormation template.
2523.86 -> What I have here is the definition of the rule
2526.17 -> and I have the definition of the remediation action.
2530.31 -> And as you would think
2532.22 -> the rule itself is just the definition of the rule name,
2537.61 -> what resources are gonna apply,
2539.24 -> the same kind of things that we specify
2541.01 -> when we deploy the rule.
2542.23 -> For the remediation action it's very similar.
2545.07 -> We just specify the rule that it applies to
2548.49 -> and we need to make sure that we have the right role
2554.15 -> here with the proper account ID.
2556.49 -> So in my sample here
2558.59 -> and let me scroll and find it,
2561.41 -> I've already added here
2568.52 -> the rule as you can see for Server-Side Encryption Enabled.
2573.52 -> I also have added my remediation action
2577.41 -> and with the proper account ID, the proper role.
2579.97 -> We need to make sure that role exists.
2582.44 -> So now I can just go ahead and save this
2584.97 -> and I can go back to,
2586.64 -> now that I've modified my template,
2589.92 -> I can go back to the conformance packs here in the console,
2595.09 -> and I can click on Deploy conformance packs.
2599.05 -> I can select upload a template
2602.07 -> which is the template that I just worked on.
2604.381 -> And I can either upload it from an S3 bucket,
2608.59 -> but I'm gonna upload it from my local machine.
2610.75 -> I'm gonna choose the file here
2612.93 -> and I am going to select the file that I just updated,
2618.17 -> and I'm gonna click Next.
2620.65 -> And for demo HIPAA
2626.75 -> is what I'm gonna enter for the name just to keep it simple
2630.49 -> and I'm gonna click Next,
2632.93 -> and I click Deploy.
2634.25 -> And as simple as that,
2635.38 -> now you are deploying your brand new conformance pack
2638.68 -> with the remediation action and everything configured.
2642.17 -> Now I've already deployed one here
2644.93 -> so I'll show you how it looks, the exact same one.
2647.72 -> Once it's deployed, the first thing you're gonna see
2650.15 -> is you have an overall compliance status
2652.38 -> for the conformance pack.
2654.08 -> And then as we dig into the specific conformance pack,
2656.84 -> we can see which rules
2659.15 -> that are part of that conformance pack are noncompliant.
2663.43 -> And as we dive deep into these rules,
2667.25 -> so here we have the rule that we just deployed
2671.28 -> and as you can see,
2672.15 -> it has a remediation action associated with it.
2675.47 -> So I can go into this rule
2679.23 -> and the first thing that I wanna mention
2682.32 -> as we go into rules that are deployed by conformance packs,
2686.9 -> is that it warns me that this rule
2689.58 -> was created by a conformance pack,
2691.09 -> so I can't edit the rule.
2692.56 -> This is where the immutability comes in.
2694.88 -> But I also can see
2695.89 -> there is a remediation action associated with it.
2699.24 -> So when I select one of these resources,
2702.27 -> I can go ahead and click Remediate
2704.36 -> and it will start the process of remediating.
2706.63 -> I click Remediate and I refresh.
2711.64 -> It says the action executed successfully.
2714.67 -> And then I refresh again.
2717.42 -> Oh, so it completed.
2718.6 -> The action was executed successfully.
2720.56 -> So now this bucket
2721.91 -> that was before noncompliant has now been fixed.
2726.02 -> So this is how you can deploy a control
2728.66 -> to manage risk using AWS Config,
2731.46 -> deploy a remediation action to automate the process,
2735.38 -> and then make that part of a conformance pack
2737.243 -> that you can deploy
2738.28 -> across multiple accounts and multiple regions.
2743.09 -> Now when we talk about managing risk,
2745.57 -> we also have to talk about
2747.8 -> a couple of other services that are important.
2750.02 -> One of them is Systems Manager
2751.2 -> and I wanna take a minute to talk to you about it
2753.74 -> because it's an important part of managing risk, why?
2756.69 -> Well, there are a few features of Systems Manager
2759.26 -> that are important to managing risk.
2761.26 -> Now Systems Manager as a quick review
2763.21 -> is what we like to call at AWS our operations hub.
2766.183 -> It's a service that does three things very well.
2768.81 -> It first, allows you to group resources
2770.62 -> in a way that's meaningful for your operations.
2772.98 -> It then allows you to visualize
2774.39 -> important data about those resources,
2777.33 -> about the workloads that you're running on those resources.
2779.97 -> And third, it allows you to take action
2782.11 -> to manage those resources.
2783.99 -> So there are some features within
2785.58 -> and Systems Manager has a lot of features,
2787.72 -> but we're gonna focus on a few that are very important,
2790.78 -> one of them for managing risk.
2792.73 -> One of them is Quick Setup
2794.46 -> and Quick Setup is a feature that allows you
2797 -> to perform in a simplified way
2800.94 -> certain configuration actions for services in AWS,
2803.84 -> and one of those is AWS Config.
2805.94 -> So if you had a large environment
2808.45 -> where you needed to deploy AWS Config
2811.131 -> and you were not using Control Tower
2813.09 -> 'cause Control Tower does that automatically for you,
2815.5 -> you could take advantage of Quick Setup
2817.57 -> to deploy the AWS Config recorder
2819.75 -> which essentially activates the recording of resources
2822.9 -> in AWS in a very easy way.
2825.57 -> It also allows you to deploy conformance packs
2827.83 -> in a very easy way
2829.27 -> and deploy them across different accounts
2831.03 -> and across multiple regions.
2833.75 -> So that's why it's so important to the story
2836.61 -> of managing risk and compliance.
2838.78 -> The other one that I wanna call your attention to
2841.22 -> is automation, what is automation?
2843.67 -> Automation is a feature that allows you
2845.15 -> to design repetitive IT workflows
2847.78 -> that you need to perform on AWS infrastructure,
2851.59 -> and this is the engine behind remediation actions
2854.97 -> that we showed you in the demo a minute ago.
2857.16 -> So you can write in automation
2859.93 -> the specific API actions that you wanna execute
2863.21 -> and then you could potentially use
2865.12 -> to fix a resource that is noncompliant.
2867.72 -> In the demo, we showed you the example
2869.12 -> of an S3 bucket that is not encrypted
2871.15 -> and using a Systems Manager automation document
2874.2 -> to call the API that encrypts that bucket.
2877.49 -> So that's why that one is so important.
2879.9 -> Then we have Run Command and State Manager
2882.45 -> which are tools that allow you to extend
2885.75 -> the power of automation all the way down to an EC2 instance.
2889.34 -> So think of a scenario where you have
2891.73 -> a large set of EC2 instances
2893.74 -> and you need to change a setting in them
2895.65 -> to make them compliant.
2897.19 -> Well, that's where Run Command allows you
2898.93 -> to write a very simple document
2901.18 -> that executes the automated steps to do that
2903.88 -> and then you can do it very quickly at scale
2905.63 -> on all those resources.
2907.24 -> When you combine that with Inventory and Patch Management,
2910.45 -> now you can ensure you're assessing all your resources
2913.12 -> and making sure that they are compliant
2915.44 -> with very simple steps.
2916.58 -> Not only in terms of patching,
2918.75 -> but also in terms of the applications that are running,
2921.74 -> maybe network configuration requirements that they need to meet.
2925.43 -> So when we talk about managing risks,
2927.53 -> we need to talk about Systems Manager
2929.08 -> and take advantage of these features.
2932.06 -> Another service that is very important is CloudTrail
2934.87 -> when we discuss managing risk.
2937.12 -> CloudTrail is our managed audit trail platform.
2939.31 -> Essentially it tracks everything that happens
2942.22 -> on an AWS account, records it,
2944.72 -> and then you can review it.
2946.19 -> It creates a trail for every single action
2948.93 -> from logging into the console,
2950.42 -> performing API actions that are done
2952.61 -> through the console, through the API,
2954.359 -> and through the command line, everything is recorded.
2956.9 -> CloudTrail is so important to us
2958.67 -> that when you open up a brand new AWS account,
2960.72 -> it's already enabled by default to track 90 days for you.
2964.49 -> However we do encourage customers to create their own trails
2968.13 -> so that they can keep it longer than 90 days.
2971.18 -> But CloudTrail provides two types of trails
2976.25 -> that you can configure.
2977.083 -> You can configure what we call a management trail
2980.09 -> and a data events trail.
2981.73 -> The management trail is gonna track
2983.39 -> all the operations done in resources
2985.37 -> like creating them and modifying them
2987.4 -> and the data events is gonna track
2989.01 -> operations that happen within a resource.
2991.26 -> Think of an S3 bucket
2994.43 -> and if you wanna track every read operation
2996.68 -> and every delete or write operation on a bucket,
2999.49 -> you can take advantage of data events to do that.
3001.98 -> In fact, many of the compliance frameworks
3004.23 -> that are out there require you to have a mechanism
3007.24 -> to track operations on files
3009.76 -> and an audit trail; the capabilities of data events
3016.47 -> will help you to do specifically that.
3020.06 -> So this is a very important service
3022.44 -> when we're discussing managing risk at scale.
3026.69 -> Now Ed is getting the story, right?
3028.8 -> Remember we're talking about Ed
3030.01 -> and his journey through learning all these things.
3031.61 -> He's learning about managing risk.
3032.593 -> He's learning about Config.
3034.761 -> He's learning about CloudTrail now and Systems Manager.
3037.79 -> He's putting the picture together.
3038.84 -> He has a very good grasp on how to manage risk.
3042.04 -> But now let's talk about the second line of defense
3044.09 -> and he's wondering, "Well, good, perfect,
3046.3 -> but how do I get started with overseeing risk?
3049.68 -> What are some of the options that I have to get started?"
3052.69 -> Let's talk about a couple of them.
3054.15 -> The first one is within AWS Config.
3056.71 -> Yeah, AWS Config is also part of the story
3058.93 -> related to overseeing risk
3060.21 -> because there's a couple of features in AWS Config
3062.51 -> that will help you precisely do that.
3064.45 -> One of them is aggregators.
3066.55 -> Now what do aggregators do?
3068.69 -> Well, an aggregator will help you,
3071.81 -> once you configure it,
3072.98 -> it will take all the data that is being recorded
3076.8 -> across multiple regions and across multiple accounts
3079.6 -> and centralize it into a single place.
3082.48 -> You have the ability of seeing this data
3084.48 -> in the console, in a dashboard.
3086.2 -> It will show you what resources are noncompliant,
3088.2 -> what resources are compliant,
3089.367 -> and will give you information
3090.57 -> about specific resource configuration.
3093.55 -> All that is very valuable to the second line of defense
3096.38 -> which is to have an effective mechanism
3097.98 -> that you use to oversee risk.
3099.97 -> On top of that,
3100.803 -> you can use a feature called Advanced Query
3102.64 -> and Advanced Query allows you to write queries
3106.44 -> using the very familiar SQL syntax
3108.68 -> that will allow you to take advantage of that data
3110.343 -> that is being collected by the aggregator
3112.7 -> and then construct queries that extract specific information
3117.89 -> that you're interested in obtaining
3119.45 -> from the data that we're collecting.
3121.53 -> We provide a number of sample queries
3123.28 -> and you can create your own queries
3124.82 -> and save them also.
3126.59 -> And by combining this,
3128.14 -> you can have a very good set of tools
3130.62 -> that allow you to oversee risk.
3133.09 -> But the other powerful tool that we need to talk about
3135.75 -> when we are discussing the second line of defense
3138.3 -> and overseeing risk is Security Hub.
3141.66 -> Security Hub, once you turn it on
3143.32 -> will give you a comprehensive view
3145 -> of all your security alerts
3147.09 -> and your security posture
3148.12 -> across all your AWS accounts and regions.
3151.35 -> You will have a single place that aggregates,
3154.23 -> organizes, and prioritizes your security alerts,
3157.09 -> all the findings across
3159.17 -> all these different accounts and regions.
3161.32 -> It collects that data from different services.
3164.09 -> It collects the data from CloudTrail.
3166.19 -> It collects the data from AWS Config, from GuardDuty,
3169.29 -> from Inspector, from Amazon Macie, from IAM Access Analyzer.
3174.57 -> All these data funnel into Security Hub.
3177.03 -> It creates these findings.
3178.81 -> It gives you clear alerts.
3180.74 -> It even integrates with partner solutions
3182.61 -> to aggregate data from them also,
3185.52 -> and then you can take actions on those.
3187.82 -> Again, this covers the second line of defense
3190.14 -> that allows you to have a clear overview
3192.84 -> of your security posture across your entire organization.
3197 -> Now we've talked about the first line, the second line.
3200.6 -> Ed is feeling better.
3201.69 -> He has a good grasp on how things work.
3204.34 -> He feels like he can start using some of those services
3207 -> on the first and second line of defense,
3208.86 -> but he knows that at some point
3210.72 -> he's gonna get audited, right?
3212.09 -> So he needs to prepare mentally for that
3214.07 -> and he wants to learn a little bit more
3215.36 -> about how you can get ready for it.
3217.26 -> How do I get ready for my audits, right?
3218.9 -> How do I take care of that third line of defense?
3221.68 -> Let's talk about that
3222.57 -> and let's focus on a service
3224.13 -> that we released at re:Invent last year.
3225.82 -> It's called AWS Audit Manager
3227.99 -> and AWS Audit Manager essentially will help you
3231.03 -> collect all the evidence that you need
3234.47 -> for when an audit comes up.
3236.23 -> Now this is why it's so important to understand
3238.96 -> the foundational services that we discussed
3240.457 -> in the first line of defense,
3241.87 -> the second line of defense,
3243.22 -> things like Config, CloudTrail, Systems Manager,
3245.73 -> because all the data
3247.18 -> and all the evidence is gonna be on those services.
3250.02 -> And what Audit Manager's gonna allow you to do
3252.06 -> is collect that information
3253.85 -> and prepare it for auditors.
3255.48 -> How does it do that?
3256.53 -> The way it does that is by providing you with frameworks.
3259.79 -> Those frameworks are a collection of control sets
3262.51 -> and there's a framework
3263.53 -> for the different types of compliance regimes
3266.81 -> like there will be a framework for PCI,
3268.66 -> another one for HIPAA, and so on and so forth.
3272.33 -> And those frameworks contain that set of control sets.
3276.22 -> Some of those control sets
3278.87 -> have controls that automatically collect information
3281.72 -> by using AWS Config,
3283.59 -> by using Security Hub, by using CloudTrail.
3286.33 -> And there are also manual controls there
3289.25 -> that you need to validate to make sure
3292.19 -> that you have a security guard at the door.
3293.96 -> Maybe that's part of a compliance framework requirement.
3298.7 -> There's no way to validate that automatically.
3300.64 -> Well, at least not yet, right?
3302.04 -> So we provide you with a mechanism in Audit Manager
3305.35 -> to validate that and confirm it.
3307.85 -> Once that's established, that framework can be deployed
3310.92 -> and it creates what's called an assessment.
3312.97 -> That assessment will start collecting
3314.76 -> all that information for you.
3316.26 -> It will make it available.
3317.82 -> It will give you the opportunity to confirm.
3320.6 -> And then as this happens
3322.96 -> and you continue to collect that information,
3324.78 -> the day that you need to report to an auditor
3327.45 -> you just have to click one button
3329.21 -> and we deliver all the documents necessary
3331.84 -> to an S3 bucket in PDF format,
3334.31 -> and you just have to give them to an auditor.
3337.06 -> So Audit Manager simplifies greatly the process
3340.36 -> of collecting all that evidence
3342.01 -> and making it ready for that third line of defense.
3346.63 -> So as you can see,
3349.309 -> if we keep in mind this Three Lines Model,
3353.09 -> it will greatly help us to understand
3355.07 -> how the services come together.
3357.41 -> Now let's talk about some takeaways now,
3360.16 -> things that we want you to take away from this presentation.
3363.97 -> Well, we want you to keep in mind for us
3365.69 -> that Three Lines Model, right?
3367.26 -> How it helps you understand where our different services fit
3370.62 -> and how you can use them to achieve compliance.
3373.37 -> Number two, we want you to understand
3375.5 -> how important Config is
3377.12 -> and how it's the core of the compliance evaluation.
3380.28 -> It was interesting to see how Kaartik explained
3382.42 -> how all these services are related to it
3384.56 -> and how Config is the foundation of it,
3388.96 -> and how they all can work to help you.
3391.83 -> And number three, we want you to think about
3394.4 -> all the wide range of options that we have in compliance.
3396.75 -> We talked about preventive compliance
3399.06 -> with CloudFormation Guard.
3400.71 -> We talked about AWS Config, remediation actions,
3403.86 -> rules, conformance packs, aggregators, advanced query.
3410.29 -> All these are things that are gonna help you.
3412.21 -> On top of that, overseeing risk
3414.52 -> with Security Hub and Audit Manager.
3418 -> All of these tools can help you achieve compliance.
3421.06 -> They give you the flexibility to customize things
3423.9 -> to your specific needs which we feel is very important
3426.6 -> and they work in a very efficient way.
3429.4 -> We want to encourage you
3430.38 -> to continue learning about this topic,
3432.23 -> so I wanna share with you a couple of QR codes here
3434.5 -> that you can scan right now
3437.1 -> that will take you to two repositories
3439.48 -> that we have on GitHub that have samples
3442.93 -> that will help you see how you can
3444.44 -> deploy things like Config, conformance packs.
3447.96 -> How you can implement Security Hub,
3449.42 -> how you can deploy Audit Manager,
3452.44 -> how you can deploy controls in Audit Manager
3455.2 -> that are related to a conformance pack.
3457.65 -> There are a lot of good, interesting samples
3460.33 -> there that are well-documented
3461.96 -> and should get you going to learn
3463.76 -> more about this topic of compliance at scale.
3467.81 -> With that, we wanna thank you
3469.08 -> for listening to our presentation.
3471.02 -> We hope it has helped you to understand
3472.64 -> better how you can achieve compliance in AWS
3478.03 -> and hopefully now you feel better prepared as Ed
3481.13 -> to take on the compliance challenge.
3483.811 -> (bright music)

Source: https://www.youtube.com/watch?v=pdrYGVgb08Y