
Cloud Computing Audit

Agustinus Tobing,
Head of Security Assurance, Indonesia

October 2022

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
1. What is Cloud Computing?
2. AWS Global Infrastructure: Overview of Availability Zones, Regions and Data Centers
3. AWS Security
• Introduction to AWS Security and the Shared Responsibility Model
• Security IN the Cloud, Security OF the Cloud
• Security Automation: Continuous Compliance & Automatic Remediation
4. AWS Compliance Assurance Program
• Cloud Certifications and Attestations
• SOC Reports
• AWS Artifact, User Guide, and Compliance Center
5. AWS Education Programs

Cloud Economics
What is cloud computing?
The on-demand delivery of IT resources over public or private networks with zero up-front costs, no long-term contracts, and pay-as-you-go pricing.

It is similar to how consumers flip a switch to turn on the lights at home and the power company sends electricity: there is no need to buy, own, and maintain your own power plant. In the cloud case the "power plant" is the data center and the servers in it.

[Slide: "Characteristics of the cloud" and "Types of cloud services"; the panel contents did not survive extraction.]

Efficiency: Economics of the Cloud

[Chart: infrastructure cost ($) against time. Key: predicted demand, actual demand, traditional hardware, AWS. Traditional hardware bought as capital expenditure is stepped, so the organization is either short of resources when actual demand exceeds what was bought, or carrying excess resources when demand falls below it. AWS autoscaling scales up and down to track actual demand.]

AWS Region design

AWS Regions are made up of multiple Availability Zones (AZs) for high availability, high scalability, and high fault tolerance. AZs within a Region are connected by low-latency links, so applications and data can be replicated in real time and kept consistent across AZs; whether a given workload actually is replicated is a design choice made by the customer (or by the managed service the customer picks), not something every resource gets by default.

[Diagram: a Region containing several AZs, each made up of one or more data centers, with transit AZs linking them.]

A Region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
Share your security responsibility with AWS

Customer: responsible for security IN the cloud
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption / integrity / identity)

AWS: responsible for security OF the cloud
• Compute, storage, database, networking
• AWS global infrastructure: Regions, Availability Zones, edge locations

Where the line sits depends on the service: for EC2 the customer operates the guest OS and everything above it, while for managed services AWS also runs the OS and platform layers and the customer's share shrinks to data, identity and configuration. An auditor should map each in-scope workload against the service type it uses rather than against the generic diagram.
Defense-in-depth

Layers of control, from the physical facility inward to the data:
• Physical: AWS Compliance Program; third-party attestations
• Network: VPC configuration; subnet configuration; security groups; web application firewalls
• System security: hardened AMIs; OS and application patch management; IAM roles for EC2
• Logical access: IAM credentials; user authentication; access controls
• Data security: encryption at rest; encryption in transit
You are in full control of privacy

Customers retain full ownership and control of their content:
• Choose an AWS Region, and AWS will not replicate your content elsewhere unless you choose to do so
• Control the format, accuracy and encryption of your content any way you choose
• Control who can access content, its lifecycle and its disposal
• AWS publishes GDPR resources on its website to help you meet your own compliance obligations
AWS security, identity, and compliance solutions

Identity & access management
• AWS Identity & Access Management (IAM)
• AWS Single Sign-On
• AWS Organizations
• AWS Directory Service
• Amazon Cognito
• AWS Resource Access Manager

Detection
• AWS Security Hub
• Amazon GuardDuty
• Amazon Inspector
• Amazon CloudWatch
• AWS Config
• AWS CloudTrail
• VPC Flow Logs
• AWS IoT Device Defender

Infrastructure protection
• AWS Firewall Manager
• AWS Network Firewall
• AWS Shield
• AWS WAF (web application firewall)
• Amazon Virtual Private Cloud (VPC)
• AWS VPN
• AWS PrivateLink
• AWS Systems Manager

Data protection
• Amazon Macie
• AWS Key Management Service (KMS)
• AWS CloudHSM
• AWS Certificate Manager
• AWS Secrets Manager
• Server-Side Encryption

Incident response
• Amazon Detective
• CloudEndure DR
• AWS Config Rules
• AWS Lambda

Compliance
• AWS Artifact
• AWS Audit Manager

Security Automation - Current Approach to Compliance
Continuous Compliance on AWS

Three pillars: unprecedented visibility; near real-time automation; continuous compliance, continuous auditing and continuous monitoring.

Having visibility into WHO made WHAT change from WHERE, in near real time, allows financial institutions to DETECT misconfigurations and non-compliance and RESPOND quickly, PREVENTING risks from materializing.
AWS Config Rules – Real-time compliance engine

Controls are evaluated as configuration changes happen, and an automatic email is sent to the security team when a control fails.
Compliance Timeline – Deep Insight for Audit

[Screenshot: compliance timeline for a rule labelled "BNM-RMIT-001 - Encryption".]

AWS Config allows you to record and retrieve the compliance status of a resource over time. This allows your risk
and compliance teams to determine if a resource always has been compliant or has drifted in and out of compliance
with on-going changes.
Automatic Remediation

When a rule evaluates a resource as non-compliant, AWS Config can trigger a remediation action (for example an AWS Systems Manager Automation document) so the misconfiguration is corrected without waiting for a person to act. The resulting configuration change is recorded on the resource's timeline like any other change, so auditors can see both the drift and the correction, and when it happened.
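The detection, compliance-timeline and remediation pieces described in this section, together with the security-group and encryption-at-rest layers from the defense-in-depth slide, as an added example in Python that is not part of the deck and is not AWS code. It mirrors the shape of an AWS Config custom rule (one function per resource type that returns COMPLIANT or NON_COMPLIANT) without calling any AWS API: the configuration items are constructed by hand, and the key names, resource IDs, rule logic, remediation behaviour and timestamps are assumptions chosen for the demo.

```python
"""Continuous-compliance demo in the style of an AWS Config custom rule.
Added example, not from the deck or from AWS. Nothing here calls an AWS API;
the items below are constructed, and the key names (ipPermissions, ipRanges,
ServerSideEncryptionConfiguration ...) are a simplified assumption."""
import copy

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def _covers_port(perm, port):
    """True if a security-group permission entry reaches TCP `port`."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                       # "-1" means all protocols and ports
        return True
    if proto != "tcp":
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def _open_to_world(perm):
    cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return "0.0.0.0/0" in cidrs or "::/0" in cidrs


def rule_s3_default_encryption(item):
    """Control: an S3 bucket must have default server-side encryption."""
    sse = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    return COMPLIANT if sse else NON_COMPLIANT


def rule_sg_no_world_ssh(item):
    """Control: no security-group rule may expose TCP/22 to 0.0.0.0/0 or ::/0."""
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        if _covers_port(perm, 22) and _open_to_world(perm):
            return NON_COMPLIANT
    return COMPLIANT


RULES = {  # resource type -> rule, the way a Config rule is scoped
    "AWS::S3::Bucket": rule_s3_default_encryption,
    "AWS::EC2::SecurityGroup": rule_sg_no_world_ssh,
}


def evaluate(item):
    """Compliance status of one configuration item."""
    rule = RULES.get(item.get("resourceType"))
    return rule(item) if rule else NOT_APPLICABLE


def compliance_timeline(snapshots):
    """snapshots: [(timestamp, item), ...] for ONE resource, oldest first.
    Returns the status at each snapshot plus every transition, which answers
    the auditor's question: always compliant, or drifted in and out?"""
    statuses = [(ts, evaluate(item)) for ts, item in snapshots]
    transitions = [(ts, prev, cur)
                   for (_, prev), (ts, cur) in zip(statuses, statuses[1:])
                   if prev != cur]
    return statuses, transitions


def remediate(item):
    """Return a corrected copy of a non-compliant item (stand-in for the SSM
    Automation or Lambda action Config would invoke). Input is not mutated."""
    fixed = copy.deepcopy(item)
    rtype = item.get("resourceType")
    if rtype == "AWS::S3::Bucket":
        fixed.setdefault("supplementaryConfiguration", {})["ServerSideEncryptionConfiguration"] = {
            "rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}
    elif rtype == "AWS::EC2::SecurityGroup":
        kept = []
        for perm in fixed.get("configuration", {}).get("ipPermissions", []):
            if _covers_port(perm, 22):      # only touch rules that reach SSH
                perm["ipRanges"] = [r for r in perm.get("ipRanges", []) if r.get("cidrIp") != "0.0.0.0/0"]
                perm["ipv6Ranges"] = [r for r in perm.get("ipv6Ranges", []) if r.get("cidrIpv6") != "::/0"]
                if not (perm["ipRanges"] or perm["ipv6Ranges"] or perm.get("userIdGroupPairs")):
                    continue                # nothing left to match: drop the rule
            kept.append(perm)
        fixed.setdefault("configuration", {})["ipPermissions"] = kept
    return fixed


# Constructed sample data; IDs and timestamps are made up.
SAMPLE_SG_OPEN = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}}
SAMPLE_BUCKET_PLAIN = {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
                       "supplementaryConfiguration": {}}
SAMPLE_BUCKET_ENC = remediate(SAMPLE_BUCKET_PLAIN)
SAMPLE_BUCKET_HISTORY = [               # encrypted, encryption removed, re-applied
    ("2022-10-01T00:00:00Z", SAMPLE_BUCKET_ENC),
    ("2022-10-02T00:00:00Z", SAMPLE_BUCKET_PLAIN),
    ("2022-10-03T00:00:00Z", SAMPLE_BUCKET_ENC)]

if __name__ == "__main__":
    for item in (SAMPLE_SG_OPEN, SAMPLE_BUCKET_PLAIN):
        status = evaluate(item)
        print(item["resourceId"], status)
        if status == NON_COMPLIANT:         # this is where the alert email would fire
            print("  after remediation:", evaluate(remediate(item)))
    for ts, prev, cur in compliance_timeline(SAMPLE_BUCKET_HISTORY)[1]:
        print("drift at", ts, prev, "->", cur)
```

Run directly, it prints the status of each sample item, the status after remediation, and the two drift transitions in the bucket's history. In a real deployment evaluate() would sit inside the Lambda handler that Config invokes and report back with PutEvaluations, and remediate() would be replaced by an SSM Automation document chosen as the rule's remediation action; keeping the rule and the fix as pure functions over the configuration item is what lets you unit-test them before they touch production, and it is also why the 443 rule and the 10.0.0.0/8 range survive remediation untouched, which an auditor will want to see.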
Cloud Certifications and Attestations

• SOC 1, SOC 2, SOC 3
• CJIS
• DoD SRG
• FERPA
• NIST
• SEC Rule 17a-4(f)
• GxP
• MPAA
• G-Cloud
• VPAT / Section 508
• FISC
• ASIP
• HDS
SOC 2 Scope of Audit

Objective and in-scope controls:

Security Organization
• Appropriately assigned roles and responsibilities
• Information security policies
• Formal risk management program to identify, assess, mitigate, report and monitor risks
• Employee training and awareness

Employee User Access
• Access (including administrator accounts) follows the principle of least privilege
• Access is reviewed on a periodic basis
• Timely revocation of access for leavers

Logical Security
• Network devices (e.g. firewalls, routers) are configured correctly to prevent unauthorized access
• Vulnerability assessments are conducted regularly

Secure Data Handling
• Key Management Service (KMS): all requests are logged, keys are rotated on a regular basis, and logical security ensures no single AWS employee can gain access to the keys

Change Management
• AWS applies a systematic approach to managing change to ensure changes to customer-impacting aspects of a service are reviewed, tested and approved
• AWS maintains processes to detect unauthorized changes to its environment and tracks identified issues to resolution
• Customer content is not used in test and development environments
SOC 2 Scope of Audit (cont'd)

Control specified by AWS, AWSCA-3.5:
AWS enables customers to articulate who has access to AWS services and resources (if resource-level permissions are applicable to the service) that they own. AWS prevents customers from accessing AWS resources that are not assigned to them via access permissions. Content is only returned to individuals authorized to access the specified AWS service or resource.

Tests performed by the auditor, with results:
• Inquired of Software Development Managers to ascertain AWS enabled customers to allocate who had access to AWS services and resources that they owned, that customers were prevented from accessing AWS resources that were not assigned to them via access permissions, and that content was only returned to individuals authorized to access the specific AWS service or resource. Result: no deviations noted.
• Inspected the access permissions to ascertain unauthorized individuals were prevented from accessing AWS services or resources (if resource-level permissions were applicable to the service). Result: no deviations noted.
• Observed a user with authorized access permissions attempt to access AWS services and resources, to ascertain that services returned content only to individuals authorized to access the specified AWS service or resource. Result: no deviations noted.
• Observed a user without authorized access permissions attempt to access AWS services and resources, to ascertain that services did not return content to individuals without authorized access to the specified service or resource. Result: no deviations noted.
SOC 2 Scope of Audit (cont'd)

Objective and in-scope controls:

Physical Security and Environmental Protection
• Physical access is reviewed regularly
• Physical access points are monitored by CCTV
• Electronic intrusion detection systems are installed within data server locations to monitor, detect, and automatically alert appropriate personnel of security incidents
• Server locations are secured by dual-authentication electronic access controls
• Fire detection and suppression systems
• Systems to monitor air temperature and humidity levels
• Uninterruptible Power Supply (UPS) to provide backup power in the event of a power failure
• Production media is securely decommissioned and physically destroyed prior to leaving secure zones

Data Integrity, Availability and Redundancy
• Continuous integrity checks of data at rest
• Automated data restoration and object storage redundancy
• AWS provides customers the ability to delete their content; once successfully removed, the data is rendered unreadable

Incident Handling
• Monitoring and alarming are configured by Service Owners to identify and notify operational and management personnel of incidents when early-warning thresholds are crossed on key operational metrics
• Incidents are logged and tracked to resolution
SOC 2 Scope of Audit (cont'd)

Control specified by AWS, AWSCA-5.3:
Physical access to data centers is reviewed on a quarterly basis by appropriate personnel.

Tests performed by the auditor, with results:
• Inquired of an AWS Security Technical Program Manager to ascertain physical access to data centers was reviewed on a quarterly basis by appropriate personnel. Result: no deviations noted.
• Selected a sample of quarterly data center access reviews for a sample of data centers and inspected the reviews to ascertain the reviews were performed, that access was re-approved by appropriate personnel, and that any requested changes were processed. Result: no deviations noted.

Control specified by AWS, AWSCA-5.4:
Closed-circuit television (CCTV) cameras are used to monitor server locations in data centers. Images are retained for 90 days, unless limited by legal or contractual obligations.

Tests performed by the auditor, with results:
• Inquired of an AWS Security Technical Program Manager and Data Center Operations Managers to ascertain physical access points to server locations were monitored by CCTV and that images were retained for 90 days unless limited by legal or contractual obligations. Result: no deviations noted.
• Selected a sample of data centers and observed areas around access points to server locations, to ascertain CCTV cameras were placed to record physical access points to server locations. Result: no deviations noted.
AWS Artifact

AWS Artifact is a central resource for compliance-related information for our customers.
• Comprehensive resources: access all of AWS' auditor-issued reports, certifications, accreditations and other third-party attestations
• On-demand access

https://aws.amazon.com/artifact/
Education programs

Three programs:
• Senior high school (SMA), vocational high school (SMK) and general learners; minors aged 14-17 and adults 18+; self-paced learning; skills and knowledge; 12 career pathways; jobs board
• University and polytechnic students, 18 years and above only; classroom; certification driven; digital completion badge
• Graduate students and professionals, 18 years and above only; classroom and online; certification driven

https://aws.amazon.com/id/compliance/auditor-learning-path/
What makes the cloud secure?
• Integrated security and compliance
• Trusted security marketplace and partner network
• Scale with enhanced visibility and control
• Improved security through automation
• Security innovation at scale
• Protect your privacy and data
Thank You
