AWS Partner Network (APN) Blog
How to Leverage the AWS Cloud Adoption Framework for VMware Cloud on AWS
By Ben Lipman, Sr. Solutions Architect – VMware Cloud on AWS
By Hemant Ahire, Principal Solutions Architect, Migrations and Modernization – AWS
By Jeff Montgomery, Sr. Assurance Consultant – AWS Security Assurance
Since launching in 2017, Amazon Web Services (AWS) customers have had the ability to run native VMware virtual machines (VMs) on AWS global infrastructure using VMware Cloud on AWS.
If you’re already running or planning to use VMware Cloud on AWS, you may have wondered if there are any special security considerations. This post explores how you can apply the AWS Cloud Adoption Framework (AWS CAF) to this architecture, helping you review each objective and apply the relevant capabilities to meet your security and compliance requirements.
VMware Cloud on AWS offers you the same VMware software in the cloud that’s used on-premises today. This allows lift and shift of workloads to AWS rapidly, but also presents a new lens through which to view security, compliance, and governance. Customers who use VMware Cloud on AWS to lift and shift need help applying this framework to the new infrastructure.
AWS CAF groups its capabilities in six perspectives: Business, People, Governance, Platform, Security, and Operations. Each comprises a set of capabilities that functionally-related stakeholders own or manage in the cloud transformation journey.
The CAF security perspective is used to guide you in building security capabilities and adopting best practices for AWS workloads. You can use these capabilities (described below) to evaluate cloud security, compliance, and governance to help achieve confidentiality, integrity, and availability of cloud workloads.
Note that VMware Cloud on AWS requires additional insight to apply both VMware and AWS security and compliance scopes.
Figure 1 – AWS CAF security perspective capabilities.
Customer Perspective
While there are many resources around security best practices and patterns for AWS cloud deployments, VMware Cloud on AWS introduces new aspects to consider; for example, it isn’t integrated into services such as Amazon GuardDuty and Amazon Inspector (agent-less), for example.
VMware Cloud on AWS is a managed service operated by VMware in a managed Virtual Private Cloud (VPC) so you will apply more of a hybrid cloud/on-premises approach to scanning and configuration management. Also, some aspects of security and compliance are the responsibility of VMware such as scanning the managed VPC and securing the underlying service components.
When you migrate to AWS, VMC on AWS allows you to increase velocity and reduce risk by maintaining the same VMware tools and processes as you have in the on-premises datacenter. In highly-regulated industries, the security and compliance aspects are critically important and can increase migration time by introducing additional underlying technologies which require new consideration.
VMware Cloud on AWS integrates with native AWS services. Your security and compliance landscape might include Amazon Inspector, AWS Config, Amazon EventBridge, or a host of services which could aggregate findings into AWS Security Hub. You typically already have solutions on-premises for security and governance, but you must integrate these with AWS Security Hub or operate two distinct systems.
Applying the CAF Security Perspective to VMware Cloud on AWS
The AWS CAF security perspective consists of nine capabilities. Here, you’ll learn how to apply these capabilities in a hybrid landscape of AWS native workloads, VMware Cloud on AWS workloads, and on-premises systems. This holistic approach enables you to migrate and modernize faster with increased confidence in your security posture.
Security Governance
Security governance involves defining and communicating roles and responsibilities. You create policies, processes, and procedures that ensure accountability is clear. Applicable laws and regulations must be applied and continuously updated.
Figure 2 below shows the shared responsibilities between VMware, AWS, and the customer. You are responsible for the configuration of workloads within the software-defined data center (SDDC), VMware firewall rules, and other SDDC configurations.
In the blue section, you can see that VMware is responsible for the SDDC as well as the managed virtual private cloud (VPC) and associated AWS resources. Meanwhile, AWS is responsible for the global infrastructure and foundational services.
Figure 2 – VMware Cloud on AWS Shared Responsibility Model.
New constructs exist, such as the SDDC and the VMware firewalls, which require security and compliance consideration. Some of these configuration areas are managed by VMware but you are able to make changes.
Security Assurance
For security assurance, you monitor, evaluate, and manage security mechanisms while applying continuous improvement, in addition to reviewing cloud vendor reports and compliance attestations to understand controls that are in place. You’re responsible for establishing which compliance frameworks apply and mapping VMware controls to those requirements.
VMware is responsible for providing compliance documentation as well as implementing their respective controls. Visit the VMware Trust Center for more details related to the VMware scope. This can be used in conjunction with AWS Artifact where AWS security and compliance information is found.
Identity and Access Management
With identity and access management (IAM), you can implement a least use privilege design with a central identity provider and multi-factor authentication (MFA).
VMware requires customers to have a valid AWS account prior to provisioning an SDDC which establishes the identity of the customer. The Service Description page provides more information on how VMware secures the Cloud Services Portal (CSP) and supports MFA integration.
You are responsible for managing authentication of virtual machines within the SDDC as well as your identity provider (federation with an existing identity provider is recommended). You can find prescriptive guidance for managing identity and access to VMware Cloud on AWS.
Threat Detection
This capability involves scanning for vulnerabilities and remediation findings which should be correlated from various data sources, and then communicating remediation and resulting state to stakeholders. You are responsible for threat detection for virtual machines within the SDDC, including logging user activity, network activity, and application activity.
For user activity logging, you can leverage Aria Operations for Logs which records administrative activity performed in an SDDC, including CSP and API actions. Network activity logging involves packet capture on the SDDC networks, and SDDC enables port mirroring to observe this traffic.
Additionally, IP Flow Information Export (IPFIX) logs can be sent to a collector for network traffic summarization. Application logs can be forwarded to Amazon CloudWatch using the CloudWatch Logs Agent, and log forwarding can be done by sending copies of logs to a security information event management (SIEM) or other log ingest solution for aggregation and alerting.
VMware is responsible for detection of threats as well as classification, escalation, and remediation for the service offering systems, as described in the Service Description.
Vulnerability Management
The vulnerability management capability involves scanning and patching systems used to deliver the VMware Cloud on AWS service as well as the VMs within the SDDC. You are responsible for scanning and patching workloads within the SDDC, which can be done using AWS Systems Manager.
VMware manages scanning and patching of the SDDC and underlying service components, as described in the Service Lifecycle guide.
Infrastructure Protection
This capability involves leveraging defense-in-depth and providing layers of security, while defining network zones for grouping systems together and implementing traffic inspection and filtering where appropriate. You configure the SDDC firewalls to create access control lists (ACLs) and permit traffic as well as configure routing to establish traffic flow.
Additionally, you manage VPC route tables, security groups, and network access control lists (NACLs) to control traffic flowing from SDDC to your VPCs. Consider a zero-trust approach to securing sensitive systems.
VMware manages the SDDC firewall and router components patching and ensures uptime.
Application Security
This capability describes detecting and addressing vulnerabilities during the software development process, which enhances the security of code pushed into production. You should minimize manual human effort by automating scanning and patching code for security issues.
VMware is responsible for securing the code pertaining to the VMware Cloud on AWs service offering.
Incident Response
Incident response involves incident and problem management and includes following runbooks and acting in a timely manner. You can simulate security events through gameday exercises and continually improve responses, and conduct analysis of incidents after the fact to establish the root cause and learn from findings.
VMware is responsible for incident and problem management (detection, classification, recording, escalation, return to service) pertaining to the VMware Cloud on AWS service offering.
Conclusion
Organizations use VMware Cloud on AWS to simplify and accelerate cloud migration to AWS. This strategy provides operational consistency with your data center, but from a security and compliance lens it’s critical to understand the additional insights that need to be applied to these VMware workloads running on AWS.
In this post, we demonstrated how to evaluate and apply the AWS Cloud Adoption Framework (CAF) security perspective to VMware Cloud on AWS. We also walked through the AWS Shared Responsibility Model and how responsibilities are divided between VMware, AWS, and the customer.
Resources: