Introduction to AWS GoldBase. A Solution to Automate Security, Compliance, and Governance in AWS

Transcription

1 Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS September 2015

2 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes only. It represents AWS s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS s products or services, each of which is provided as is without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers. Page 2 of 17

3 Contents Abstract 3 Architecting for Compliance in AWS 4 Compliance in the Enterprise 4 Compliance Standards 4 AWS GoldBase in AWS 5 Benefits 5 AWS GoldBase Package 6 AWS GoldBase Delivery 8 Automating Compliance with AWS GoldBase 9 Example Use Case: Tiered Web Application 12 Conclusion 16 Contributors 17 Notes 17 Abstract This document describes the AWS GoldBase offering from Amazon Web Services (AWS) and the benefits it can provide to customers. AWS GoldBase is a joint offering from AWS Risk & Compliance and AWS Professional Services to provide customers with pre-validated, deployable AWS configurations which adhere to specific customer compliance requirements. This solution can streamline and simplify application deployment in AWS. It allows you to automate standardized reference architectures that meet AWS best practices and customer compliance requirements. This approach allows for a repeatable process that you can use to ensure compliant configuration of AWS resources in the cloud while reducing the time needed to approve applications for production use. Page 3 of 17

4 Architecting for Compliance in AWS Compliance in the Enterprise Compliance is a broad term used within technology and business. The simplest definition of comply is to meet specified standards. 1 Ensuring compliance in the enterprise includes adhering to the following standards: Third Party Assurance Frameworks Standards established within the customer organization AWS best practices Within the context of deploying applications on AWS, compliance will incorporate the concepts of secure, available, and scalable technology. Compliance Standards The AWS Shared Responsibility Model 2 puts the final responsibility for system security on the customer. AWS provides many different options and controls for building a highly secure application in the cloud. Customers must be able to ensure their architectures meet the compliance requirements of their organization. Examples of compliance standards that have unique requirements include the following: NIST SP The Special Publication (SP) published by the National Institute of Standards and Technology (NIST) is a catalog of security controls that most U.S. federal agencies must comply with and that are widely used within private-sector enterprises. ICD 503 The security requirements and accreditation of this Intelligence Community Directive (ICD) apply to the intelligence community; it s based on NIST SP security controls. Page 4 of 17

5 FedRAMP 4 The Federal Risk and Authorization Program (FedRAMP) is a U.S. Government program for ensuring standards in security assessment, authorization, and continuous monitoring. DoD Cloud Security Model (CSM) 5 Standards for cloud computing issued by the Defense Information Systems Agency (DISA) and documented in the U.S. Department of Defense (DoD) Security Requirements Guide (SRG). HIPAA 6 The Health Insurance Portability and Accountability Act (HIPAA) standards must be followed by any organization processing or storing Protected Health Information (PHI). ISO International Organization for Standardization (ISO) is a widely adopted global security standard that outlines the requirements for information security management systems. CJIS Security Policy 8 Criminal Justice Information Services (CJIS) security policies are guidelines for state, local, and federal law enforcement agencies that follow the NIST SP standards. PCI DSS 9 Payment Card Industry (PCI) Data Security Standard (DSS) are standards for merchants who process credit card payments that require strict security standards to protect cardholder data. AWS GoldBase in AWS In AWS, AWS GoldBase is a packaged solution to help customers streamline, automate, and implement the entire process of application deployment on AWS from initial design to operational readiness. AWS GoldBase incorporates the expertise of AWS solutions architects that is required to build a secure and reliable architecture in an easy-to-implement package that automates the process. Benefits Security controls compliance Reduced time to production deployment Transparency and support for continuous monitoring Page 5 of 17

6 Ease of deployment through automation Decreased level of effort in architectural decisions Standardization based on best practices AWS GoldBase Package The AWS GoldBase package includes the following four items for customer use: Security Controls Implementation Matrix Architecture diagrams AWS CloudFormation templates User Guide with deployment instructions Security Controls Implementation Matrix The AWS GoldBase package includes an Excel formatted security controls implementation matrix that maps features and resources to specific controls based on the required compliance standard of a customer. Security and risk evaluators use this document as a reference that makes accrediting a system easier when it is deployed in AWS. The matrix describes which controls a reference architecture meets and reduces the number of total security controls for which the application owner is ultimately responsible. Figure 1: Snippet of a section of the matrix that describes how a reference architecture applies to sections of the NIST SP controls Page 6 of 17

7 Architectural Diagrams Architectural diagrams in PowerPoint or Visio are included with the package. These diagrams illustrate and document the design of the use case. They provide a visual reference that demonstrates the components deployed by the AWS CloudFormation templates. This accompanies the description of security features implemented by the AWS GoldBase templates. Figure 2: Sample architectural diagrams showing base AWS components deployed by the templates AWS CloudFormation Templates The AWS GoldBase AWS CloudFormation templates allow for a fully automated deployment of a compliant architecture. The default AWS CloudFormation package consists of four JSON template files (AWS CloudFormation stacks): Page 7 of 17

8 Figure 3: AWS CloudFormation stacks An additional template file, main.json, is the entry point from which the set of stacks are launched. This design provides modularity, which enables the ability to deploy a subset of resources if needed. The design facilitates reusability of templates for multiple use cases. A AWS GoldBase use case package consists of a main.json along with all required nested stacks. User Guide with Deployment Instructions The AWS GoldBase package includes a user guide that provides step-by-step instructions on how to deploy an application in AWS using the AWS CloudFormation templates. The user guide also contains information on how to customize the package to meet customer requirements. AWS GoldBase Delivery Existing AWS GoldBase packages can be provided directly to customers and used as a starting point. The AWS GoldBase packages can be customized to meet the deployment needs of specific applications. The existing AWS CloudFormation Page 8 of 17

9 templates and related documentation can be updated to match specific use cases within the customer organization. Custom Built Packages The AWS GoldBase package can be offered as a customized deliverable to customers working with AWS Professional Services or a qualified Amazon Partner Network (APN) partner. AWS or partner resources can work with the customers to accomplish all the following necessary steps for providing a complete working solution: 1. Identifying common use cases along with security and compliance requirements. 2. Designing a base architecture based on one or more common use cases. 3. Building an automated solution using AWS CloudFormation templates, documentation, security controls matrix, and related artifacts. 4. Validating and testing the AWS GoldBase package. Automating Compliance with AWS GoldBase AWS provides customers with the capability to develop and manage infrastructure as code. The AWS GoldBase solution automates the deployment of compliant architectures. It can be used in conjunction with other services and solutions to deliver a truly automated infrastructure that meets the compliance and governance requirements of the customer organization. Multiple Layers of Compliance The AWS GoldBase package provides for the ability to customize levels of automation beyond AWS resources. The following additional layers of compliance can be integrated with AWS GoldBase: Custom AMIs The AWS GoldBase package provides the capability to enforce the use of pre-built golden baseline AMIs when deploying applications. Custom Page 9 of 17

10 Amazon Machine Images (AMIs) can be centrally managed and updated based on compliance requirements related to Configuration Management (CM). Configuration Management EC2 instances deployed by the Trusted Architect templates can be bootstrapped to automatically integrate with centrally managed Configuration Management (CM) solutions such as Chef, Puppet, or Ansible which can apply hardening scripts upon deployment and ensure a consistent instance-level configuration which meets compliance requirements. Containerization Containers allow one or more applications to run independently on a single instance within an isolated user space. Securityhardened containers used by the Amazon EC2 Container Service (Amazon ECS) or Docker can be deployed using the Trusted Architect template package through additional customization at the instance level. Continuous Monitoring Trusted Architect can automate and enforce the use of features such as AWS CloudTrail, Amazon CloudWatch, and centralized logging of applications to Amazon S3 buckets. It can also ensure instances are using the Host Based Security System (HBSS) and application VPCs are accessible via peering to centrally managed security VPCs for additional monitoring capabilities. AWS GoldBase and AWS Service Catalog The AWS Service Catalog allows administrators to create and manage approved catalogs of resources that end users can access via a personalized portal. 10 AWS Service Catalog allows the creation of portfolios of one or more products that AWS end users and workload owners can launch. The AWS GoldBase template package can be delivered to workload owners and application developers as an AWS Service Catalog product. Product Each template package, based on a use case, can be a product in the form of a single AWS CloudFormation template which can include additional nested templates to deploy and automate the configuration of an AWS architecture or application. Page 10 of 17

11 Portfolios A portfolio consists of one or more products, which can have common tags and constraints applied. Portfolios can include products for different types of use cases and can be organized by compliance type. Permissions End users and workload owners specified in the AWS Identity and Access Management (IAM) service can be given permission to access portfolios based on the level of access that they need and what they need to deploy. Constraints Constraints are granular controls applied at a portfolio or product level that restrict the ways that resources can be deployed. Constraints can be used to allow templates to deploy all resources at an administrator level of access while limiting permissions to certain resources for workload owners. Tags Tagging can be enforced at the portfolio or product level, by providing custom tags for controlling access to resources or for cost allocation. Benefits of using AWS GoldBase with AWS Service Catalog include the following: A complete storefront capability for delivering applications to end users and workload owners Ease of use in deployment and management of AWS Service Catalog products Enforcement of existing separation of duties and access controls which adhere to the customer s governance model Standardization in design of AWS Service Catalog products Simplification of developing and updating AWS Service Catalog products Continuous Integration/Continuous Delivery (CI/CD) capabilities of AWS Service Catalog products that meet compliance and best practices AWS GoldBase and DevOps DevOps incorporates principles, practices, and methods that allow integration between software development and IT operations. 11 Tools and methods for automation, continuous delivery, monitoring, and security are key to developing DevOps practices. AWS GoldBase provides a use case package for both Page 11 of 17

12 infrastructure and application components that can be developed, deployed, and managed with the same DevOps principles as any software application. Example: AWS GoldBase Lifecycle Using AWS Service Catalog The example in Figure 4 illustrates the concept of CI/CD in a centralized governance model using AWS Service Catalog and AWS GoldBase. The workload owners use the AWS Service Catalog portal as a storefront to deploy complete workloads. AWS Service Catalog products are AWS GoldBase template packages that are managed by a central provisioning team. Figure 4: CI/CD using AWS Service Catalog and AWS GoldBase AWS GoldBase is managed using a source code repository such as Git or AWS CodeCommit while integration is handled by a continuous integration (CI) server, such as Jenkins. A new commit triggers an automated build of the architecture and/or application in a test account that can be fully validated for compliance and security before being pushed as an update to the AWS Service Catalog product. Example Use Case: Tiered Web Application In the example in Figure 5, a AWS GoldBase package has been designed for the reusable deployment of a three-tier web application. In this simple use case, the Page 12 of 17

13 application consists of Amazon Virtual Private Cloud VPCs for both production and management use. Instances are placed in separate private and public subnets depending on where they will be accessed. An Internet gateway allows application end users access to the web instances from the Internet. The management VPC is strictly for developer and administrator use and is accessed through the customer network via a virtual private network (VPN) gateway. Deployment Figure 5: Example three-tier web application AWS CloudFormation templates provide automation. For configuration at the Amazon Elastic Compute Cloud (EC2) level, specify user data in the templates to bootstrap additional application configuration. In this example, Amazon EC2 configuration takes place by simply using user data scripts. Alternatively, instances can be bootstrapped to pull configuration from another source, such as a Chef server. Deployment of the entire package follows an organized sequence automatically by how the CloudFormation templates are structured. Deployment of this sample package follows these steps: 1. IAM users, roles, groups, and policies are created; CloudTrail and logging to an Amazon S3 bucket are enabled. 2. Amazon VPC architecture is deployed complete with subnets, gateways, NACLs, route tables, and NAT instances. Page 13 of 17

14 3. Security groups, Amazon S3 buckets, and Elastic Load Balancing (ELB) load balancers are created. 4. EC2 instances and an Amazon Relational Database Service (RDS) database are deployed. a. EC2 instances are launched using user-specified Amazon Machine Images (AMIs). b. An Amazon RDS database is created with user-specified size, type, and capacity. c. User data scripts install the latest version and configuration of software on EC2 instances. d. App instances are configured to connect to the Amazon RDS database. Deployment Options Workload owners can use parameters to customize the architecture on deployment based on their specific application requirements. The templates are designed so that different applications with similar architectures can be deployed using the same package. Page 14 of 17

15 Parameter Description Conditional createvpcmanagement Option to specify whether or not to create Management VPC If true, creates Management VPC. createvpcdevelopment Option to specify whether or not to create Development VPC If true, creates Development VPC. Stack1URL S3 URL of Stack1 template If blank, existing IAM/security config already deployed. Stack2URL S3 URL of Stack2 template If blank, VPC networking already deployed. Stack3URL S3 URL of Stack3 template If blank, does not deploy Stack3 resources. Stack4URL S3 URL of Stack4 template If blank, does not deploy any instancelevel resources. Example of parameter-specified deployment options Compliance with Third Party Assurance Frameworks In this example, the customer must comply with the NIST SP control set. The controls provide requirements that must be met from the system (application) level or from the use of common services. The following is an example control from the Boundary Protection NIST control family: SC-07(2) BOUNDARY PROTECTION (2) The information system prevents public access into the organization s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices. Page 15 of 17

16 The documentation included with this automation package provides the following description, including the names of AWS CloudFormation resources, of how this control works at the AWS architecture level: ROUTE TABLES (rtbproductionpublic, rtbmanagement) and security groups limit public traffic to the public subnet and private traffic to the private subnet. Conclusion Developing an automated solution for compliance can reduce the cost, time, and effort to deploy applications in AWS while minimizing risk and simplifying architectural design. AWS GoldBase provides enterprise customers with an easyto-use, customized solution that alleviates the challenges of architecting for the cloud while reducing the level of effort normally required to build such a solution from scratch. Page 16 of 17

17 Contributors The following individuals contributed to this document: Mike Dixon, Consultant, AWS Public Sector Lou Vecchioni, Senior Consultant, AWS Public Sector, Pro Serve Brett Miller, Senior Consultant, AWS Public Sector, Pro Serve Notes mapping_ pdf Page 17 of 17