Amazon - Cloud Computing Audit - Short Version
Agustinus Tobing,
Head of Security Assurance, Indonesia
October 2022
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
1. What is Cloud Computing?
2. AWS Global Infrastructure: Overview of Availability Zones, Regions and Data Centers
3. AWS Security
• Introduction to AWS Security and the Shared Responsibility Model
• Security IN the Cloud, Security OF the Cloud
• Security Automation: Continuous Compliance & Automatic Remediation
Cloud Economics
What is cloud computing?
The on-demand delivery of IT resources over public or private networks with zero up-front costs, no long-term contracts, and pay-as-you-go pricing.
It is similar to how consumers flip a switch to turn on the lights in their home and the power company sends electricity: there is no need to buy, own, and maintain your own power plants (data centers and servers).
Characteristics of the cloud
Types of cloud services
Efficiency: Economics of the Cloud
[Figure: infrastructure cost ($) over time for traditional hardware versus AWS. Key: predicted demand; capital expenditure; insufficient resources (under-provisioned) versus excess resources (over-provisioned). With AWS, autoscaling scales capacity up and down to follow demand.]
AWS Region design
AWS Regions are made up of multiple AZs for high availability, high scalability, and high fault tolerance. Applications and data are replicated in real time and kept consistent across the different AZs.
[Figure: an AWS Region containing several Availability Zones (AZs), each holding one or more data centers, interconnected through transit AZs.]
A Region is a physical location in the world where we have multiple Availability Zones.
Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
Share your security responsibility with AWS
AWS is responsible for security OF the cloud:
• AWS Global Infrastructure: Regions, Availability Zones, Edge locations
• AWS Compliance Program and third-party attestations
• Physical, network, logical access and system security
The customer is responsible for security IN the cloud:
• Customer data
• OS and app patch management
• IAM roles for EC2 and IAM credentials
• Security groups, VPC configuration and subnet configuration
• Web application firewalls
• User authentication
• Encryption at rest and encryption in transit
• Data security controls
You are in full control of privacy.
AWS security services shown on the slide: AWS Identity & Access Management (IAM), AWS Single Sign-On, AWS Organizations, AWS Directory Service, Amazon Cognito, AWS Resource Access Manager, AWS Security Hub, Amazon GuardDuty, Amazon Inspector, Amazon CloudWatch, AWS Config, AWS CloudTrail, VPC Flow Logs, AWS IoT Device Defender, AWS Firewall Manager, AWS Network Firewall, AWS Shield, AWS WAF (web application firewall), Amazon Virtual Private Cloud (VPC), AWS VPN, AWS PrivateLink, AWS Systems Manager, Amazon Macie, AWS Key Management Service (KMS), AWS CloudHSM, AWS Certificate Manager, AWS Secrets Manager, Server-Side Encryption, Amazon Detective, CloudEndure DR, AWS Config Rules, AWS Lambda, AWS Artifact, AWS Audit Manager.
Security Automation - Current Approach to Compliance
Continuous Compliance on AWS
Having visibility into WHO made WHAT change from WHERE in near real time allows financial institutions to DETECT misconfigurations and non-compliance and RESPOND quickly to PREVENT risks from materializing.
AWS Config Rules – Real-time compliance engine: an automatic email is sent to security teams when controls fail, in real time.
Compliance Timeline – Deep Insight for Audit (example rule shown: BNM-RMIT-001 - Encryption)
AWS Config allows you to record and retrieve the compliance status of a resource over time. This allows your risk and compliance teams to determine if a resource has always been compliant or has drifted in and out of compliance with ongoing changes.
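As an added illustration (not code from the deck or from AWS) of how a Config rule yields the compliance timeline described above: a pure-Python model of a custom AWS Config rule that checks S3 default encryption, the kind of control the BNM-RMIT-001 encryption rule represents, together with a timeline builder that exposes drift in and out of compliance. The configuration-item field layout and the sample snapshots are assumptions constructed here.

```python
import json

ACCEPTED_SSE = ("AES256", "aws:kms")  # default-encryption algorithms the rule accepts

def bucket_sse_algorithm(ci):
    # Assumed item shape: supplementaryConfiguration.ServerSideEncryptionConfiguration
    # .rules[].applyServerSideEncryptionByDefault.sseAlgorithm; None when no rule is set.
    sup = ci.get("supplementaryConfiguration") or {}
    for rule in (sup.get("ServerSideEncryptionConfiguration") or {}).get("rules", []):
        algo = (rule.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
        if algo:
            return algo
    return None

def evaluate(ci):
    """Verdict for one configuration item, using the values AWS Config accepts."""
    if ci.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE"  # deleted resources drop out of scope
    if ci.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE"  # this rule only covers buckets
    return "COMPLIANT" if bucket_sse_algorithm(ci) in ACCEPTED_SSE else "NON_COMPLIANT"

def lambda_handler(event, context=None):
    # Entry-point shape of a custom-rule Lambda; a deployed rule would hand this dict
    # to boto3's config.put_evaluations(), returning it instead keeps the example offline.
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    return {"ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": evaluate(ci),
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}

def compliance_timeline(items):
    # Evaluate every captured item in time order and collapse repeats, so each drift
    # into or out of compliance appears once as (capture_time, state).
    timeline = []
    for ci in sorted(items, key=lambda c: c["configurationItemCaptureTime"]):
        state = evaluate(ci)
        if not timeline or timeline[-1][1] != state:
            timeline.append((ci["configurationItemCaptureTime"], state))
    return timeline

def _bucket_item(captured, algo):
    """Constructed snapshot of one bucket; algo=None means default encryption removed."""
    rules = [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": algo}}] if algo else []
    return {"resourceType": "AWS::S3::Bucket", "resourceId": "example-audit-bucket",
            "configurationItemStatus": "OK", "configurationItemCaptureTime": captured,
            "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {"rules": rules}}}

SAMPLE_HISTORY = [_bucket_item("2022-10-01T08:00:00Z", "AES256"),
                  _bucket_item("2022-10-05T14:30:00Z", None),      # drift: encryption removed
                  _bucket_item("2022-10-06T09:15:00Z", "aws:kms")]
```

Running compliance_timeline(SAMPLE_HISTORY) yields three entries, COMPLIANT, NON_COMPLIANT, COMPLIANT, which is exactly the "drifted in and out of compliance" record an auditor would want to see for the bucket.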
Automatic Remediation
Cloud Certifications and Attestations
Examples shown: SEC Rule 17a-4(f), DoD SRG, FERPA, NIST, VPAT / Section 508, FISC, ASIP, HDS.
SOC 2 Scope of Audit
Objective: in-scope controls
Security Organization
• Appropriately assigned roles and responsibilities
• Information security policies
• Formal risk management program to identify, assess, mitigate, report and monitor risks
• Employee training and awareness
Employee User Access
• Access (including administrator accounts) follows the principle of least privilege
• Access is reviewed on a periodic basis
• Timely revocation of access for leavers
Logical Security
• Network devices (e.g. firewalls, routers) are configured correctly to prevent unauthorized access
• Vulnerability assessments are conducted regularly
Secure Data Handling
• Key Management Service (KMS): all requests are logged, keys are rotated on a regular basis, and logical security ensures no single AWS employee can gain access to the keys
Change Management
• AWS applies a systematic approach to managing change to ensure changes to customer-impacting aspects of a service are reviewed, tested and approved
• AWS maintains processes to detect unauthorized changes to its environment and tracks identified issues to resolution
• Customer content is not used in test and development environments
SOC 2 Scope of Audit (cont’d)
Control specified by AWS, test performed by the auditor, and test result:
AWSCA-5.3: Physical access to data centers is reviewed on a quarterly basis by appropriate personnel.
• Inquired of an AWS Security Technical Program Manager to ascertain physical access to data centers was reviewed on a quarterly basis by appropriate personnel. Result: no deviations noted.
• Selected a sample of quarterly data center access reviews for a sample of data centers and inspected the reviews to ascertain the reviews were performed, that access was re-approved by appropriate personnel, and that any requested changes were processed. Result: no deviations noted.
AWSCA-5.4: Closed-circuit television cameras (CCTV) are used to monitor server locations in data centers. Images are retained for 90 days, unless limited by legal or contractual obligations.
• Inquired of an AWS Security Technical Program Manager and Data Center Operations Managers to ascertain physical access points to server locations were monitored by closed-circuit television cameras (CCTV) and that images were retained for 90 days unless limited by legal or contractual obligations. Result: no deviations noted.
• Selected a sample of data centers and observed areas around access points to server locations, to ascertain CCTV cameras were placed to record physical access points to server locations. Result: no deviations noted.
AWS Artifact
• Comprehensive resources: access all of AWS’ auditor-issued reports, certifications, accreditations and other third-party attestations
• On-demand access: https://aws.amazon.com/artifact/
Education programs
https://aws.amazon.com/id/compliance/auditor-learning-path/
What makes the cloud secure?
• Integrated Security and Compliance
• Trusted Security
• Marketplace and Partner Network