Category: Compliance

I am pleased to announce AWS Artifact, a no-cost, self-service audit report and certification retrieval portal in the AWS Management Console that gives AWS customers on-demand access to AWS compliance reports.

To document the current and historical compliance of the AWS infrastructure and services, many AWS customers provide compliance reports—including those for ISO, SOC, and PCI—to their auditors or regulators. You can now sign in to the AWS Management Console on your computer or mobile phone, and pull relevant reports in minutes. You can also give auditors and regulators direct access to one or more AWS compliance reports using AWS Identity and Access Management (IAM) permissions.

AWS Director of Risk and Compliance Chad Woolf spoke about his vision of Artifact: “Naturally, we’re excited to provide customers and their auditors with selection and convenience when assessing the security that AWS provides,” Woolf said. “The release of AWS Artifact sets the stage for AWS to transform the auditing industry, moving auditing from being time-intensive and manual to highly automated and continuous in the cloud.”

You can start downloading the audit reports in the AWS Management Console today. Many of the documents are confidential and require you to accept Amazon’s confidentiality terms and conditions, but after you review and agree to those terms, you will be granted instant access to review documents.  You can also see Getting Started with AWS Artifact for more details.

To learn more about Artifact, see the Artifact home page. See the AWS Cloud Compliance home page for more about AWS Cloud compliance and certifications.

– Sara

Today, the following security and compliance sessions will be presented at AWS re:Invent 2016 in Las Vegas (all times local). See the re:Invent Session Catalog for complete information about every session. You can also download the AWS re:Invent 2016 Event App for the latest updates and information.

If you are not attending re:Invent 2016, keep in mind that all videos of and slide decks from these sessions will be made available next week. We will publish a post on the Security Blog next week that links to all videos and slide decks from security and compliance sessions.

9:00 A.M.

• SAC306-R (The Venetian): [REPEAT] Encryption: It Was the Best of Controls, It Was the Worst of Controls
• SAC311 (The Venetian): Evolving an Enterprise-Level Compliance Framework with Amazon CloudWatch Events and AWS Lambda

9:30 A.M.

• SAC401-R (The Venetian): [REPEAT] 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules

10:30 A.M.

• SAC316-R (The Venetian): [REPEAT] Security Automation: Spend Less Time Securing Your Applications
• SAC322-R (The Venetian): [REPEAT] NEW LAUNCH! AWS Shield—A Managed DDoS Protection Service

11:00 A.M.

• SAC307-R (The Venetian): [REPEAT] The Psychology of Security Automation
• SAC315 (The Venetian): Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?
• SAC317 (The Venetian): IAM Best Practices to Live By

12:30 P.M.

• SAC318 (The Venetian): Life Without SSH: Immutable Infrastructure in Production

– Craig

Today, the following security and compliance sessions will be presented at AWS re:Invent 2016 in Las Vegas (all times local). See the re:Invent Session Catalog for complete information about every session. You can also download the AWS re:Invent 2016 Event App for the latest updates and information.

If you are not attending re:Invent 2016, keep in mind that all videos of and slide decks from these sessions will be made available next week. We will publish a post on the Security Blog next week that links to all videos and slide decks from security and compliance sessions.

11:00 A.M.

• SAC201 (The Venetian): Lessons from a Chief Security Officer: Achieving Continuous Compliance in Elastic Environments
• SAC320 (The Venetian): Deep Dive: Implementing Security and Governance Across a Multi-Account Strategy

11:30 A.M.

• SAC318-R (The Venetian): [REPEAT] Life Without SSH: Immutable Infrastructure in Production

12:30 P.M.

• SAC307 (The Venetian): The Psychology of Security Automation
• SAC312 (The Venetian): Architecting for End-to-End Security in the Enterprise
• SEC301-R (The Venetian): [REPEAT] Audit Your AWS Account Against Industry Best Practices: The CIS AWS Benchmarks

1:00 P.M.

• SAC313 (The Venetian): Enterprise Patterns for Payment Card Industry Data Security Standard (PCI DSS)

2:00 P.M.

• SAC306 (The Venetian): Encryption: It Was the Best of Controls, It Was the Worst of Controls

2:30 P.M.

• SAC314 (The Venetian): GxP Compliance in the Cloud

3:30 P.M.

• SAC401 (The Venetian): 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules

4:00 P.M.

• SAC316 (The Venetian): Security Automation: Spend Less Time Securing Your Applications
• SEC313-R (The Venetian): [REPEAT] Automating Security Event Response, from Idea to Code to Execution

– Craig

Today, the following security and compliance sessions will be presented at AWS re:Invent 2016 in Las Vegas (all times local). See the re:Invent Session Catalog for complete information about every session. You can also download the AWS re:Invent 2016 Event App for the latest updates and information.

If you are not attending re:Invent 2016, keep in mind that all videos of and slide decks from these sessions will be made available next week. We will publish a post on the Security Blog next week that links to all videos and slide decks from security and compliance sessions.

11:00 A.M.

• SAC303 (The Venetian): Become an AWS IAM Policy Ninja in 60 Minutes or Less
• SAC327 (The Venetian): No More Ransomware: How Europol, the Dutch Police, and AWS Are Helping Millions Deal with Cybercrime

2:30 P.M.

• SAC304 (The Venetian): Predictive Security: Using Big Data to Fortify Your Defenses
• SAC310 (The Venetian): Securing Serverless Architectures, and API Filtering at Layer 7
• SAC402 (The Venetian): The AWS Hero’s Journey to Achieving Autonomous, Self-Healing Security

3:30 P.M.

• SAC305 (The Venetian): How AWS Automates Internal Compliance at Massive Scale using AWS Services

5:30 P.M.

• SAC319 (The Venetian): Architecting Security and Governance Across a Multi-Account Strategy

– Craig

Today, AWS launched AWS Organizations: a new way for you to centrally manage all the AWS accounts your organization owns. Now you can arrange your AWS accounts into groups called organizational units (OUs) and apply policies to OUs or directly to accounts. For example, you can organize your accounts by application, environment, team, or any other grouping that makes sense for your business.

Organizations removes the need to manage security policies through separate AWS accounts. Before Organizations, if you had a set of AWS accounts, you had to ensure that users in those AWS accounts had the right level of access to AWS services. You had to either configure security settings on each account individually or write a custom script to iterate through each account. However, any user with administrative permissions in those AWS accounts could have bypassed the defined permissions. Organizations includes the launch of service control policies (SCPs), which give you the ability to configure one policy and have it apply to your entire organization, an OU, or an individual account. In this blog post, I walk through an example of how to use Organizations. (more…)

Today, the following security and compliance sessions will be presented at AWS re:Invent 2016 in Las Vegas. All times are local. See the re:Invent Session Catalog for complete information about every session. You can also download the AWS re:Invent 2016 Event App for the latest updates and information.

If you are not attending re:Invent 2016, keep in mind that all videos of and slide decks from these sessions will be made available next week. We will publish a post on the Security Blog next week that links to all videos and slide decks.

9:30 A.M.

• SAC202 (The Mirage): Workshop: Secure Your Web Application with AWS WAF and Amazon CloudFront

10:00 A.M.

• SAC326 (The Venetian): How Harvard University Improves Scalable Cloud Network Security, Visibility, and Automation

11:00 A.M.

• SAC309 (The Venetian): You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Validation from Adobe
• SEC312 (The Mirage): re:Source Mini Con for Security Services State of the Union

12:30 P.M.

• SEC301 (The Mirage): Audit Your AWS Account Against Industry Best Practices: The CIS AWS Benchmarks
• SEC305 (The Mirage): Scaling Security Resources for Your First 10 Million Customers
• SEC306 (The Mirage): Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery
• SEC308 (The Mirage): Securing Enterprise Big Data Workloads on AWS

1:00 P.M.

• SAC308 (The Venetian): Hackproof Your Cloud: Responding to 2016 Threats

2:00 P.M.

• SAC321 (The Venetian): Cyber Resiliency – Surviving the Breach
• SEC307 (The Mirage): Microservices, Macro Security Needs: How Nike Uses a Multi-Layer, End-to-End Security Approach to Protect Microservice-Based Solutions at Scale
• SEC310 (The Mirage): Mitigating DDoS Attacks on AWS: Five Vectors and Four Use Cases
• SEC314 (The Mirage): Common Considerations for Data Integrity Controls in Healthcare

3:30 P.M.

• SEC302 (The Mirage): Workshop: Adhere to the Principle of Least Privilege by Using AWS Identity and Access Management (IAM) and Amazon Virtual Private Cloud (VPC)
• SEC311 (The Mirage): How to Automate Policy Validation
• SEC313 (The Mirage): Automating Security Event Response, from Idea to Code to Execution
• SEC401 (The Mirage): Automated Formal Reasoning About AWS Systems

5:00 P.M.

• SEC303 (The Mirage): Get the Most from AWS KMS: Architecting Applications for High Security
• SEC304 (The Mirage): Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service
• SEC309 (The Mirage): Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing

– Craig

AWS re:Invent 2016 will  take place November 28 through December 2 in Las Vegas, Nevada, and the following security and compliance sessions will be presented. See the re:Invent Session Catalog for complete information about these sessions.

If you are not attending re:Invent 2016, keep in mind that we will publish a post on the Security Blog the week after re:Invent that links to all videos and slide decks from these sessions. (more…)

Update: This webinar is now available as an on-demand video and slide deck.

As part of the AWS Webinar Series, AWS will present Automating Compliance Defense in the Cloud on Tuesday, September 27. This webinar will start at 9:00 A.M. and end at 10:00 A.M. Pacific Time.

AWS Cloud Compliance Strategist Jodi Scrofani will share best practices around infrastructure design, configuration setup, and monitoring to augment your compliance operating model so that you can easily automate updates and real-time notifications.

You will:

• Learn what a comprehensive governance model looks like.
• Learn why it is important for an organization to automate in its 3 lines of defense—operations, compliance, and internal audit.
• Learn what AWS services you can enable to help take human error out of your compliance functions and demonstrate comprehensive governance of your business.

The webinar is free, but space is limited and registration is required. Register today.

– Craig

In case you missed any AWS Security Blog posts from June, July, and August, they are summarized and linked to below. The posts are shown in reverse chronological order (most recent first), and the subject matter ranges from a tagging limit increase to recording SSH sessions established through a bastion host.

August

August 16: Updated Whitepaper Available: AWS Best Practices for DDoS Resiliency
We recently released the 2016 version of the AWS Best Practices for DDoS Resiliency Whitepaper, which can be helpful if you have public-facing endpoints that might attract unwanted distributed denial of service (DDoS) activity.

August 15: Now Organize Your AWS Resources by Using up to 50 Tags per Resource
Tagging AWS resources simplifies the way you organize and discover resources, allocate costs, and control resource access across services. Many of you have told us that as the number of applications, teams, and projects running on AWS increases, you need more than 10 tags per resource. Based on this feedback, we now support up to 50 tags per resource. You do not need to take additional action—you can begin applying as many as 50 tags per resource today.

August 11: New! Import Your Own Keys into AWS Key Management Service
Today, we are happy to announce the launch of the new import key feature that enables you to import keys from your own key management infrastructure (KMI) into AWS Key Management Service (KMS). After you have exported keys from your existing systems and imported them into KMS, you can use them in all KMS-integrated AWS services and custom applications.

August 2: Customer Update: Amazon Web Services and the EU-US Privacy Shield
Recently, the European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, the European Commission formally adopted it. AWS welcomes this new framework for transatlantic data flow. As the EU-US Privacy Shield replaces Safe Harbor, we understand many of our customers have questions about what this means for them. The security of our customers’ data is our number one priority, so I wanted to take a few moments to explain what this all means.

August 2: How to Remove Single Points of Failure by Using a High-Availability Partition Group in Your AWS CloudHSM Environment
In this post, I will walk you through steps to remove single points of failure in your AWS CloudHSM environment by setting up a high-availability (HA) partition group. Single points of failure occur when a single CloudHSM device fails in a non-HA configuration, which can result in the permanent loss of keys and data. The HA partition group, however, allows for one or more CloudHSM devices to fail, while still keeping your environment operational. (more…)

Recently, the European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, the European Commission formally adopted it. Amazon Web Services (AWS) welcomes this new framework for transatlantic data flow.

As the EU-US Privacy Shield replaces Safe Harbor, we understand many of our customers have questions about what this means for them. The security of our customers’ data is our number one priority, so I wanted to take a few moments to explain what this all means.

The new EU-US Privacy Shield does not impact AWS customers for two reasons. First, customers using AWS have full control of the movement of their data and have always had the choice of the region in which their data is kept. AWS customers choose the AWS region where their data will be stored and can be assured that their data will remain there unless moved by them. Second, for customers who wish to transfer personal data from an AWS region in the European Economic Area (EEA) to one in another part of the world, including the US, AWS customers can do this in compliance with EU data protection law under the terms of the AWS Data Processing Addendum with Model Clauses, which was approved in 2015 by the EU data protection authorities (called the Article 29 Working Party). These options are available to all AWS customers who are processing personal data, whether they are established in, or a global company operating in, the EEA. (more…)