
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.

GRC231-R1

Let's talk: Assessing AWS with Cloud Audit Academy

Speakers
• Paul Hong, Manager, Security Assurance, AWS
• Karthik Amrutesh, Senior Manager, Security Assurance, AWS
• Joe Witles, Director of Compliance, VMware

Expectations and assumptions

1. Geared toward those seeking compliance in regulated industries
2. Use cases may be industry-/region-specific, but applicability is agnostic
3. Cloud Audit Academy content presented serves as a preview only
4. This session is meant to be interactive
Agenda

• Overview
 Cloud compliance/audit challenges
 AWS shared responsibility model (AWS and VMware perspectives)
• Cloud Audit Academy
 Program overview
 Example module (AU and IR)
 How to sign up
• Q&A

Cloud compliance/audit challenges

1. Control framework language and requirements are catered towards on-premises environments
2. Governance, risk, and compliance teams are uncertain how AWS can help them meet their compliance requirements (security and compliance of and in the cloud)
3. Shared responsibility model is often not fully understood and can vary service to service
Shared responsibility model: Overview

Security of the cloud: AWS perspective
Inherit global security and compliance controls

• SOC 1, SOC 2, SOC 3
• CCCS
• PIPEDA
• CJIS
• FERPA
• SEC Rule 17a-4(f)
• VPAT / Section 508
• GxP
• MPAA
• FISC
• G-Cloud
Security in the cloud: Customer (VMware) perspective
VMware approach

• People: Education
• Process: Automation
• Technology: Platform (engineering)
Shared responsibility model: VMware perspective

• Customer (~20%–45% of security controls; controls inherited by the customer)
 Customer data
 Applications
 Customer configurations
• VMware service (~25%–30% of security controls; controls evaluated during service onboarding)
 Application security
 Application auditing
 Application change management
 SAML support
• VGS control plane and management plane (~50%–55% of security controls; inheritance through VGS FedRAMP authorization)
 Control plane: configuration management, audit & accountability, access control
 Management plane: identity & access management, lifecycle management, vulnerability management
• IaaS provider (~20% of security controls; inheritance through IaaS FedRAMP authorization)
 Physical infrastructure: physical & environmental, media protection, maintenance
Cloud Audit Academy

Cloud Audit Academy (CAA) overview

• The Cloud Audit Academy educates customers on cloud-specific verification techniques in the cloud through interactive learning
• Three versions
 101 – foundational (cloud agnostic)
 201 – AWS-specific (industry agnostic)
 301 – AWS and industry-/framework-specific (NIST)
Course modules (example)

01 Introduction to Federal and DoD Workloads in AWS
02 Access Control and Identification and Authentication
03 Audit and Accountability and Incident Response
04 Risk Assessment and Security Assessment
05 System and Communications Protection
06 Configuration Management and Maintenance
03 – Audit and accountability and incident response
REQUIREMENT 3.6.1 – INCIDENT RESPONSE PLANNING

• NIST requirements/controls
• Application to AWS
• Test plan
• Best practices

NIST SP 800-171 security requirement
STEP 1

3.6.1 – Establish operational incident-handling capability

Requirement
 Development of a comprehensive incident response plan (IRP)
 Preparation
 Detection
 Analysis
 Containment
 Recovery
 User response activities
Application to AWS: Relevant services
STEP 2

Logging/monitoring
 AWS CloudTrail
 Amazon GuardDuty
 AWS Config

Alerting/aggregation
 Amazon CloudWatch
 AWS Security Hub
 Amazon SNS
Test plan
STEP 3

Requirement 3.6.1
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities

Example test plan
1. Obtain and inspect customer IRP
2. Confirm IRP review evidence
3. Understand customer's architecture and usage of AWS services
4. Validate AWS configurations
Auditor best practices
STEP 4

Check that the customer does the following:

1. Formalizes IRP and periodically reviews/updates
2. Appropriately configures AWS services in IRP
 Example: Configures log retention on AWS CloudTrail, Amazon CloudWatch, and Amazon S3
 Example: Enables logging on services to be backed up to Amazon S3
 Example: Enables compliance check rules with AWS Config
 Example: Aggregates findings in AWS Security Hub
3. Integrates AWS services for end-to-end incident response
4. Integrates on-premises environment with AWS environment
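The following is an added example, not part of the Cloud Audit Academy material or of these slides. It shows one way an auditor could carry out test plan step 4 ("Validate AWS configurations") against the configuration points listed under best practice 2: it takes AWS CLI-style evidence (the shapes of `describe-trails`, `describe-log-groups`, the Config recorder status and rule list, and `describe-hub`) and reports pass/fail per check. The evidence values, account ID, bucket and log group names, and the 365-day minimum retention are all constructed assumptions; the code has no AWS dependency, so it runs offline on exported JSON.

```python
"""Validate AWS logging/monitoring evidence for an incident response audit.

Added example, not part of Cloud Audit Academy. It checks AWS CLI-style
output (constructed below; every value is made up) against the points on the
'Auditor best practices' slide: CloudTrail delivered to S3 with CloudWatch
Logs retention, AWS Config recording with rules deployed, and Security Hub
enabled so findings are aggregated.
"""
from dataclasses import dataclass

# Assumed organisational retention policy for audit logs, in days.
# NIST SP 800-171 leaves the period organisation-defined; 365 is a placeholder.
MIN_RETENTION_DAYS = 365


@dataclass(frozen=True)
class Finding:
    check: str
    passed: bool
    detail: str


# Constructed evidence shaped like the JSON returned by:
#   aws cloudtrail describe-trails
#   aws logs describe-log-groups
#   aws configservice describe-configuration-recorder-status
#   aws configservice describe-config-rules
#   aws securityhub describe-hub  (None here stands in for the error the API
#                                  returns when Security Hub is not enabled)
SAMPLE_EVIDENCE = {
    "trails": [
        {
            "Name": "org-trail",
            "S3BucketName": "example-audit-log-bucket",
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:trail-logs:*",
        }
    ],
    "log_groups": [
        {"logGroupName": "trail-logs", "retentionInDays": 400},
        {"logGroupName": "app-logs", "retentionInDays": 30},
        {"logGroupName": "lambda-logs"},  # no retentionInDays: never expires, no policy set
    ],
    "recorder_status": [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}],
    "config_rules": [{"ConfigRuleName": "cloudtrail-enabled"}, {"ConfigRuleName": "s3-bucket-logging-enabled"}],
    "security_hub": None,
}


def check_cloudtrail(trails):
    """Pass if at least one multi-region trail delivers to S3, validates log
    file integrity, and streams to a CloudWatch Logs group."""
    for t in trails:
        if all(t.get(k) for k in ("S3BucketName", "IsMultiRegionTrail",
                                  "LogFileValidationEnabled", "CloudWatchLogsLogGroupArn")):
            return Finding("cloudtrail", True, f"trail {t['Name']} meets all criteria")
    return Finding("cloudtrail", False, "no multi-region trail with S3 delivery, log validation and CloudWatch Logs")


def check_log_retention(log_groups, min_days=MIN_RETENTION_DAYS):
    """Every log group needs an explicit retention of at least min_days.
    A missing retentionInDays means 'never expire': nothing is lost, but no
    retention policy is configured, so it is flagged for auditor follow-up."""
    weak = [g["logGroupName"] for g in log_groups
            if g.get("retentionInDays") is None or g["retentionInDays"] < min_days]
    if weak:
        return Finding("log_retention", False, f"retention below policy or unset: {', '.join(weak)}")
    return Finding("log_retention", True, f"all {len(log_groups)} log groups retain >= {min_days} days")


def check_config(recorder_status, config_rules):
    """Pass only if a recorder is actively recording and at least one rule exists."""
    recording = any(r.get("recording") and r.get("lastStatus") == "SUCCESS" for r in recorder_status)
    if not recording:
        return Finding("aws_config", False, "no AWS Config recorder is recording successfully")
    if not config_rules:
        return Finding("aws_config", False, "recorder active but no compliance rules deployed")
    return Finding("aws_config", True, f"recorder active, {len(config_rules)} rules deployed")


def check_security_hub(hub):
    """describe-hub returns a HubArn only when Security Hub is enabled."""
    if hub and hub.get("HubArn"):
        return Finding("security_hub", True, f"enabled: {hub['HubArn']}")
    return Finding("security_hub", False, "Security Hub not enabled; findings are not aggregated")


def assess(evidence):
    """Run every check and return the findings in a fixed order."""
    return [
        check_cloudtrail(evidence["trails"]),
        check_log_retention(evidence["log_groups"]),
        check_config(evidence["recorder_status"], evidence["config_rules"]),
        check_security_hub(evidence["security_hub"]),
    ]


if __name__ == "__main__":
    for f in assess(SAMPLE_EVIDENCE):
        print(f"[{'PASS' if f.passed else 'FAIL'}] {f.check}: {f.detail}")
```

On the constructed evidence the CloudTrail and AWS Config checks pass while log retention (two groups below or without a policy) and Security Hub (not enabled) fail, which is the kind of finding an auditor would take back to steps 1 and 2 of the test plan to compare against what the IRP claims. Replace `SAMPLE_EVIDENCE` with the exported output of the listed CLI commands to run it against real evidence.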
Interactive walkthrough (AWS Skill Builder)
1. Register for AWS Skill Builder by navigating to https://explore.skillbuilder.aws and selecting Sign in in the upper-right corner
2. Follow the steps to either create a new account or sign in with an existing account, selecting the option applicable to you
3. Once your account is created, you can access the interactive walkthrough exercises referenced during the course: https://explore.skillbuilder.aws/learn/course/internal/view/elearning/14755/cloud-audit-academy-fdw-interactive-modules
Cloud Audit Academy: How to sign up

aws.amazon.com/compliance/auditor-learning-path

Questions?
Thank you!
Please complete the session survey in the mobile app

• Paul Hong – paulhong@amazon.com
• Karthik Amrutesh – amrutek@amazon.com
• Joe Witles – jwitles@vmware.com