AWS Network And Infrastructure Security - Deloitte


AWS network and infrastructure security
Fundamentals for a solid foundation

A challenge

As leaders learn how the cloud can present their organizations with growth opportunities and dramatically transform their business in terms of cost efficiency, effectiveness, and agility, they sometimes underestimate the challenges that come from small differences between traditional on-premises computing paradigms and the new considerations that are specific to the cloud.

A common misstep is to replicate the existing traditional network and infrastructure security designs during a “lift and shift” to the cloud. The organization misses an opportunity to adopt a network and infrastructure architecture for the cloud that enhances the benefits of cloud. An unplanned cloud infrastructure might actually produce worse performance or increase costs over an on-premises infrastructure.

In addition, organizations sometimes mistakenly believe that cloud service providers are responsible for controls that are out of the scope of the cloud provider’s responsibility. This misunderstanding of the shared responsibility model can leave the organization’s cloud infrastructure susceptible to threats. Organizations that haven’t defined a cyber risk strategy, cloud governance model, or begun planning in earnest can easily find themselves in a situation with more complex security challenges, resulting in exposure to compliance and security incidents and eroding the business case for cloud adoption. Taking full advantage of Amazon Web Services (AWS) with a cyber risk strategy that incorporates a well-architected solution can bring significant improvement to network and infrastructure security posture and cost optimization.

A cyber risk strategy should include several components. First, identity and access management (IAM) capabilities and tools are needed to establish permission boundaries to prevent unauthorized changes. Network protection (e.g. intrusion detection, content filtering, etc.) and monitoring tools should be incorporated to protect and record traffic patterns as well as all ingress and egress points. Security monitoring solutions should be integrated to trace events and provide correlation to identify malware, privilege escalation, and other threats. In addition, organizations need expertise to integrate third-party security solutions that work with AWS and are optimized for cost. Finally, it is critical for organizations to implement solutions that leverage serverless computing where possible to take advantage of native AWS services as well as provide automated responses and remediation of threats.

Implementing AWS network and infrastructure security means securing the communication and access to your organization's AWS network traffic, as well as securing and monitoring the AWS services and endpoints through appropriate configuration and integration with marketplace security tools. New operational responsibilities, processes, and techniques are required to be introduced to manage your AWS infrastructure and capabilities previously unavailable with on-premises technology.

“Although CSPs have proven extremely reliable, security failures in the public cloud are relatively common. Virtually all cloud security failures are the result of actions taken by the tenants of those cloud services. Gartner’s advice is to stop obsessing about the security of the cloud, and start obsessing about how to use clouds securely. Reliance on several IaaS providers and hundreds, even thousands, of SaaS providers, represents a complex set of control challenges.” [1]

[1] Gartner, Security of the Cloud Primer for 2019, Feb 7, 2019

Incorporating cloud security into dynamic network and infrastructure

Cloud has dramatically changed how networks and infrastructure as a whole are provisioned, maintained, secured, and monitored. The accessibility and flexibility of cloud reduces much of the friction when deploying infrastructure, which can result in a situation where it becomes easier and appears to be more cost effective for individual business units to deploy their own infrastructure in virtual silos. The reduction in friction comes from the relative ease with which network and infrastructure components can be deployed and managed in the cloud.

Keeping up with a dynamic, ephemeral environment requires special skills, tools, and enhanced processes. For example, auto-scaling and automation using AWS CloudFormation Templates can result in the instantiation of resources such as VPCs (Virtual Private Cloud) and ELBs (Elastic Load Balancer) with auto-provisioned Amazon Elastic Compute Cloud (Amazon EC2) compute resources and IP namespace ranges allocated automatically. Resources can also be deprovisioned automatically. While this dynamic design is a cornerstone of the agility offered by the cloud, it requires new approaches for security and compliance. An underprepared IT department will likely struggle to keep up with the compliance, security, and visibility of the environment and assets. If organizations are not adequately prepared for these challenges, they may face increased cost, overextended infrastructure, strained security staff, and lack of adequate security threat mitigation, visibility, and control. With the right cyber risk strategy and resulting infrastructure design, organizations can understand what security capabilities they should prioritize and enhance in alignment with the overall cloud transformation for network and infrastructure security. Overcoming these challenges can result in opportunities to tailor a framework that can mitigate issues while providing ease of use and scale through automation as the path forward.

Leveraging AWS can reduce the scope of required security (e.g., data center security, hardware) for the organization, but it doesn’t eliminate it. Once an organization has an understanding of what its control requirements are, it can place emphasis on using the capabilities of the cloud not only for technology deployment with DevOps, but for security (DevSecOps).

This shift creates opportunities for automation of security controls, real-time defense of the environment, greater efficiency, and agility by utilizing cloud native services, templates, and scripts to deploy and manage security solutions.

Deloitte’s cyber risk framework for AWS provides the blueprint and accelerators for implementing enhanced cyber risk capabilities in a prioritized approach tailored for AWS and the organization’s cyber risk profile. For example, important design considerations include landing zones with embedded security configurations and establishing VPCs based on data classification and shared services. Deploying shared services for security, monitoring, and administration can improve security while taking advantage of the operational benefits of cloud.

Also, establishing standard “golden” configurations for the infrastructure services such as EC2 is a critical practice in order to realize the benefits of automation and the deployment lifecycle for IaaS. With automation and a configuration-driven approach, the environment can constantly be refreshed with the latest patched golden image vs. patching in place. Opportunities to automate many aspects of traditional security and compliance tasks should be identified during the AWS adoption journey. Once the more routine security and compliance tasks have been automated through features such as AWS CloudFormation and AWS Lambda scripts, security professionals are free to concentrate on other proactive and strategic security activities.

Designing security for your organization's AWS environments requires alignment with the cloud strategy and planning that addresses which controls can be automated. In addition, planning should factor the evolution of automation scripts and security and compliance requirements for modularity. This approach enables flexibility and allows for standardization and re-use for additional AWS environments. This automation should be implemented across the organization’s AWS accounts consistently.

Securing your organization's AWS network and infrastructure

One component of Deloitte’s Cyber framework describes reference security architecture patterns to protect the AWS network and infrastructure. These patterns focus on protecting network traffic, hardening endpoints and devices, and protecting Application Programming Interfaces (APIs) and services. As part of the framework, Deloitte has developed assets specifically aligned to AWS cloud environments that focus on protecting ingress and egress points, segmenting internal traffic, managing IAM to provide access to resources using a least privileged approach, gaining visibility to data assets, monitoring events, and remediating vulnerabilities.

Architecting and securing AWS network and infrastructure services begins with a focus on the data classification for the data that the cloud environment will process, transfer, and store. Multiple standard architectures should be created for environments with different classifications by applying a tailored set of controls and configurations in alignment with the data classification and related regulatory requirements. There are two important design aspects relating to data classification and the network and infrastructure design for AWS environments. First, the classification informs design decisions for addressing specific security requirements such as segmenting the environment into manageable VPCs and subnets to provide segmentation for access, administration, and automation of the security configurations. Second, different data requirements should factor into balancing risk and cost management across different environments and rationalizing costs of regulated and non-regulated workloads. For example, a reduced number of controls are required for a development environment with non-critical data vs. a production environment with confidential data that typically would require additional protection such as compliance with Payment Card Industry (PCI) security standards.

Deloitte’s approach to manage cyber risks associated with network and infrastructure for AWS also enables and supports other cyber domains. Just as a configuration management database (CMDB) supports threat and vulnerability management, predictable network security design aids with managing access controls and security monitoring in a standard manner. Automation is also easier to re-use across environments with standardized network and infrastructure security design.

Network Security

Several AWS services can be configured for securing network communications between the enterprise, AWS VPCs, and applications deployed to AWS accounts. For example, AWS Direct Connect can be used to create a secure private network connection, which can lead to reduced costs for heavy-bandwidth workloads as well as a more consistent network experience. By transferring data directly, companies can reduce their bandwidth commitment to their Internet service provider, as well as transfer data at a reduced rate when moving large amounts of data. AWS Direct Connect also can provide a resilient connection to AWS, by connecting through two different locations and mitigating the risk of a single point of failure. This is one example that illustrates some of the value and case for leveraging additional network protection services for AWS such as AWS Shield, AWS WAF (Web Application Firewall), and AWS PrivateLink to help organizations manage security related to the virtual network. These AWS network protection services and features can be enabled and configured versus having to procure and install appliances and servers.

Configuring and protecting network traffic within the AWS cloud is another important consideration. Through the use of Network Access Control Lists (NACLs), Security Groups, and subnets, traffic can be restricted to only authorized connections and services by using a zero trust model. These control features can provide micro-segmentation of the internal cloud networks and provide layers of security to create a defense-in-depth approach. NACLs can protect the perimeter of VPCs and segment networks with different characteristics and different sensitivity levels across different VPCs. Security Groups can be applied for further granularity by segmenting VPCs into smaller sub-groups for additional layers of protection.

Infrastructure Security

Each AWS service provides a specific set of functions and therefore has a unique set of risks to address that may require tailored security controls applied with the installation of the service. For example, Amazon API Gateway should implement Client-Side SSL Certificates for authentication by the backend to verify application program interface (API) requests, while Amazon Cognito should implement ‘Invite Only’ as a security option to restrict which users can sign up for an account. Each unique AWS service has a variety of security configurations that may be mistakenly overlooked or misconfigured by technical teams. Each AWS service should have the standard security configurations applied as embedded configurations with the deployment script. AWS development teams should incorporate the security controls as part of the deployment script implementation and configuration templates. These security settings should be verified and monitored for compliance on a real-time basis with security monitoring as well. Therefore, the security monitoring use cases should be updated to include monitoring for deviations from the security standard for deployed services.

There should be additional focus for securing organizations' Amazon EC2 configurations in your cloud environment. Enterprise-level “golden” Amazon Machine Images (AMIs) should be created and made available which can be leveraged to deploy secure instances by AWS DevOps teams. The goal should be to continuously improve the security through hardening, vulnerability scanning, and patching of the “golden” AMI. The utilization of a “golden” AMI can facilitate deployment speed in a secure manner and reduce operational overhead. For example, using the cloud’s dynamic nature and services like AWS CodeDeploy, the use of blue-green deployments can be simplified, thus reducing the risk of down time as a by-product of upgrading software. Blue-green deployment is one method to automatically provision new instances of your application while at the same time controlling the routing of load balancer network traffic dynamically to the newly deployed application instances.
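The Network Security and Infrastructure Security passages above call for monitoring deployed services for deviations from the security standard: Security Groups that expose more than the authorized connections, and EC2 instances not launched from the current “golden” AMI. The following is an added example written for this page, not code from Deloitte or AWS. It audits data in the shape of the EC2 describe_security_groups and describe_instances responses; the approved-port list, the golden AMI IDs and the sample records are constructed assumptions.

```python
"""Audit EC2 security groups and instances against a constructed standard.

Added example (not from the Deloitte paper). The dictionary shapes follow the
EC2 describe_security_groups / describe_instances responses, so live data can
be substituted for the constructed sample below.
"""
import ipaddress

# Constructed standard: only these ports may be exposed to non-private address
# space, and only these AMIs count as the organisation's current golden images.
INTERNET_PORTS_ALLOWED = {80, 443}
GOLDEN_AMIS = {"ami-0golden1111111111"}  # placeholder ID, not a real image

PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data in the shape the EC2 API returns.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0001", "ImageId": "ami-0golden1111111111"},
    {"InstanceId": "i-0002", "ImageId": "ami-0stale99999999999"},
]


def is_public(cidr: str) -> bool:
    """True unless the CIDR lies entirely inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(private) for private in PRIVATE_RANGES)


def audit_security_groups(groups):
    """Return (group id, description) for every rule that exposes a port
    outside INTERNET_PORTS_ALLOWED to public address space."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for ip_range in perm.get("IpRanges", []):
                cidr = ip_range["CidrIp"]
                if not is_public(cidr):
                    continue  # internal micro-segmentation rule; not judged here
                proto = perm.get("IpProtocol")
                if proto == "-1":  # "-1" means every protocol and port
                    findings.append((group["GroupId"], f"all ports open to {cidr}"))
                    continue
                low, high = perm["FromPort"], perm["ToPort"]
                if low == -1:  # e.g. ICMP: no port range, whole protocol exposed
                    findings.append((group["GroupId"], f"{proto} (all) open to {cidr}"))
                elif set(range(low, high + 1)) - INTERNET_PORTS_ALLOWED:
                    findings.append((group["GroupId"],
                                     f"{proto} {low}-{high} open to {cidr}"))
    return findings


def audit_instances(instances):
    """Return (instance id, image id) for instances not built from a golden AMI."""
    return [(i["InstanceId"], i["ImageId"])
            for i in instances if i["ImageId"] not in GOLDEN_AMIS]


def run_audit(groups=SAMPLE_SECURITY_GROUPS, instances=SAMPLE_INSTANCES):
    """Combine both checks. For live data pass
    boto3.client("ec2").describe_security_groups()["SecurityGroups"] and the
    Instances lists from describe_instances()["Reservations"]."""
    return {"security_groups": audit_security_groups(groups),
            "instances": audit_instances(instances)}


if __name__ == "__main__":
    for category, items in run_audit().items():
        for identifier, detail in items:
            print(f"[{category}] {identifier}: {detail}")
```

Rules scoped to private CIDRs are deliberately skipped so the audit reports only Internet exposure; a stricter variant would compare each internal rule against the documented segmentation between VPC tiers as well.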

Maturing your organization's AWS network and infrastructure

Creating more mature capabilities includes extending security monitoring to a virtualized cloud infrastructure, managing ephemeral assets, and integrating threat intelligence. It also requires AWS-aware alerts leveraging a variety of services such as AWS CloudTrail, Amazon CloudWatch, Lambda, Amazon GuardDuty and a security information and event management tool (SIEM).

Existing enterprise vulnerability management capabilities should be enhanced and integrated with AWS Systems Manager to augment vulnerability scans of configurations at the application, Operating System (OS), and AWS service layers. For example, vulnerabilities related to containers and other application code should have vulnerability scanning and penetration testing as part of the deployment cycle to identify issues before they are deployed to production. Patching, hardening, and endpoint protection should be integrated with the AWS service environment as well. The assets deployed to AWS should be tracked as part of the environment’s lifecycle. AWS Config and Lambda functions can tag and record assets, creating an inventory or feeding an existing CMDB.

Another important aspect for enabling visibility into assets and the AWS environment is to implement logging and monitoring. The logging, monitoring, and alerting services for capturing VPC flow logs, activity and event logs via CloudWatch and CloudTrail should be integrated with the security monitoring program to provide visibility into inter-network and intra-network communications, providing an opportunity for detection or post-mortem investigation of misconfigured or unauthorized traffic. Additional AWS services such as GuardDuty with its ability to identify anomalous behavior and leverage external threat intelligence sources should be integrated for additional visibility, alerting, and analytics. Furthermore, AWS Security Hub may be enabled as a central mechanism to aggregate security alerts from multiple AWS services and third-party solutions.

These capabilities can be standardized and applied for each cloud deployment and integrated as part of a shared services module.

Incorporating resiliency into AWS network and infrastructure

As cloud computing becomes a more integral part of core business operations, the imperative is to take advantage of the dynamic nature of the cloud and reduce downtime due to disruptions from minutes to seconds. Virtual infrastructure and services in AWS provide opportunities for cost effective and fault tolerant designs in ways that never existed before. Resiliency includes elastic designs for “always on” solutions, new models for contingency planning, recovery, and availability. AWS provides accessible features such as scalable, on-demand APIs that enable companies to create highly available, scalable serverless architectures. Incorporating a network and infrastructure design that leverages multiple availability zones and cross-region failover can provide efficient and rapid recovery and response from the AWS architecture, thereby reducing impacts from unplanned incidents.

In addition, virtual infrastructure can be deployed with automatic and redundant backups with low latency and optimized costs through elasticity and efficient data storage to mitigate disruptions. For example, an organization could use techniques such as cross-region replication of virtual instances and data archiving services like Amazon Simple Storage Service Glacier to enhance recovery from a disaster recovery scenario.

Implement proactive measures for incident response, such as the use of security “trip wires” to accelerate incident identification, and automated orchestration of pre-tested, validated self-healing infrastructure solutions. Create scripts for incident management to rapidly and consistently collect and analyze evidence utilizing tools such as AWS CloudWatch and Lambda to more quickly achieve containment and eradication.
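The logging and monitoring passage above describes integrating VPC flow logs into security monitoring to detect or investigate misconfigured or unauthorized traffic, and the incident response paragraph asks for scripts that consistently analyze such evidence. The following is an added example written for this page, not code from Deloitte or AWS. It parses records in the default (version 2) VPC flow log format and flags accepted connections from outside the VPC to well-known ports that are not on an approved inbound list; the VPC CIDR, the approved port list and the sample records are constructed.

```python
"""Detection over VPC Flow Log records: accepted connections from outside the
VPC to low ports that are not on the approved inbound list.

Added example (not from the Deloitte paper). Parses the default version-2 flow
log record format; VPC_CIDR, APPROVED_INBOUND_PORTS and SAMPLE_LOG are
constructed for illustration.
"""
import ipaddress
from collections import Counter

# Field order of the default version-2 flow log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed VPC range
APPROVED_INBOUND_PORTS = {443}                   # constructed standard

# Constructed sample records: HTTPS (approved), SSH from the Internet (not
# approved), rejected RDP, SSH from inside the VPC, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0abc 203.0.113.5 10.0.1.20 51515 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 203.0.113.9 10.0.1.20 40000 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.1.20 40001 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 10.0.2.8 10.0.1.20 40002 22 6 5 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Parse one record into a dict, or None if it carries no flow data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA / SKIPDATA records hold '-' placeholders
        return None
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def unauthorized_inbound(log_text):
    """Accepted flows from outside the VPC to a well-known port not in the
    approved list. Limiting to ports below 1024 keeps return traffic to
    ephemeral client ports (also logged as inbound flows) out of the results."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src in VPC_CIDR or dst not in VPC_CIDR:
            continue  # internal or outbound flow; a separate check would cover egress
        if rec["dstport"] >= 1024 or rec["dstport"] in APPROVED_INBOUND_PORTS:
            continue
        findings.append(rec)
    return findings


def summarize(findings):
    """Count flows per (source address, destination port) for alert triage."""
    return Counter((f["srcaddr"], f["dstport"]) for f in findings)


if __name__ == "__main__":
    for (src, port), count in summarize(unauthorized_inbound(SAMPLE_LOG)).items():
        print(f"{src} -> port {port}: {count} accepted flow(s)")
```

Because an ACCEPT from outside the VPC to port 22 means the Security Group and NACL both allowed it, each hit is evidence of a rule that deviates from the standard as much as it is a potential intrusion, so the summary is worth routing both to the SIEM and to the team that owns the deployment templates.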

Securing Infrastructure as Code and automating security

AWS provides the ability to implement network, infrastructure, and services as part of the total technology solution. Cloud has now introduced core virtual infrastructure services as additional configuration and coding components rather than physically separated assets in a data center.

Implementing the design of AWS infrastructure services can be accomplished with reusable AWS CloudFormation Templates and configuration modules of the base network architecture and infrastructure service configurations. Composite architectures can be achieved through the combination of containers, scripting, templates, and dynamic inputs. Infrastructure can be rapidly deployed and destroyed through automation and configuration. This is “Infrastructure as Code”. Because the AWS environment can be expressed through code and configuration, the code should follow secure development practices in addition to having security controls embedded as part of the automated code and standard configuration templates.

Secure Development Practices: Secure development practices are a critical control for mitigating cloud security risks related to the Software Development Life Cycle (SDLC) and DevOps processes for “Infrastructure as Code” given there is more code developed related to automation for cloud. The automation code and configuration applies the network and infrastructure changes, which introduces new risks within the SDLC. A higher priority should be placed upon verifying that the security controls for the SDLC and Continuous Integration and Continuous Delivery (CI/CD) processes are in place. For example, it is important to implement access controls for the code repository and tracking privileged users for critical automation code and configuration templates, as well as conducting application security testing and hardening of the development software and tools used. The automation should stop code migration should these controls not be satisfied.

Automating Security: The standard scripts that the DevOps teams use to deploy and manage AWS services and the virtual infrastructure should also apply security controls with each component introduced to the AWS environment by a deployment script. Efforts can be made to include security and audit controls directly into the deployment elements. This proactive approach provides better value and agility instead of trying to secure and audit the infrastructure reactively, after deployment to production. Once the infrastructure has been designed, for example, using AWS CloudFormation templates, Security Groups can be standardized and can be configured for automated deployment. Scripts can include standard information or allow for input to dynamically assign values for constantly changing elements, such as IP addressing. Therefore, the same automation that deploys the resources can deploy the security controls to the environment.

Embedded Security: AWS deployments can be combined and architected with containerization to enable cloud infrastructure for applications with modules that have security already built in for re-use. For example, automated security scanning can be added to the CI/CD process and toolset that builds the container. Implemented in the appropriate manner, these standard containers can enable rapid deployment of infrastructure to support a diverse range of applications and business services with embedded security. This approach allows modules to be combined into portable templates and containers with security built-in.

A variety of compliance and audit controls as well as repetitive security tasks, like scanning, creating backups and generating alerts, can all be automated. For example, the automated detection and remediation of misconfigured resources as well as generating alerts for unauthorized access attempts can be implemented. Features such as AWS Config and AWS CloudFormation related to configuration, combined with the automation with Lambda and CloudWatch, can help manage standard configuration settings and provide active alerts if modifications or misconfiguration are detected. To illustrate this point, AWS Config can record instances where an Amazon Simple Storage Service (Amazon S3) bucket is created, updated or deleted, allowing for visibility on how those events occurred, and Lambda can initiate active alerting where compliance issues are detected.

Prioritize security code enhancements to the DevOps workflow to account for securing code repositories and integrations with AWS and third-party tools to automate control checks within the pipeline before code is deployed to production.
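The paragraph above illustrates automated detection with AWS Config recording S3 bucket changes and Lambda alerting on compliance issues. The following is an added example written for this page, not code from Deloitte or AWS: a Lambda function usable as an AWS Config custom rule that evaluates each S3 bucket configuration item against a constructed standard (all four public access block flags enabled and default encryption configured), reports the verdict back with put_evaluations, and publishes an alert on non-compliance. The supplementaryConfiguration key names follow the AWS::S3::Bucket configuration item as the author understands it, ALERT_TOPIC_ARN is an assumed environment variable, and the two sample configuration items are constructed.

```python
"""AWS Config custom rule (Lambda) flagging S3 buckets that deviate from a
configuration standard, with an alert on non-compliance.

Added example (not from the Deloitte paper). The standard, the sample
configuration items and the ALERT_TOPIC_ARN variable are constructed
assumptions; the supplementaryConfiguration keys follow the AWS::S3::Bucket
configuration item as the author understands it.
"""
import json
import os

PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
             "blockPublicPolicy", "restrictPublicBuckets")


def evaluate_bucket(item):
    """Return (ComplianceType, annotation) for one AWS::S3::Bucket item."""
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "bucket deleted"
    supp = item.get("supplementaryConfiguration") or {}
    problems = []
    pab = supp.get("PublicAccessBlockConfiguration") or {}
    problems += [f"{flag} is off" for flag in PAB_FLAGS if not pab.get(flag)]
    rules = (supp.get("ServerSideEncryptionConfiguration") or {}).get("rules") or []
    if not any((r.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
               for r in rules):
        problems.append("no default encryption")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "bucket meets the standard"


def build_evaluation(item):
    """Shape the verdict as the Evaluation structure put_evaluations expects."""
    compliance, note = evaluate_bucket(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config rejects annotations longer than 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point AWS Config invokes on each recorded configuration change."""
    import boto3  # imported here so the pure functions above run without it
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = build_evaluation(item)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    topic = os.environ.get("ALERT_TOPIC_ARN")  # assumed SNS topic for alerting
    if topic and evaluation["ComplianceType"] == "NON_COMPLIANT":
        boto3.client("sns").publish(
            TopicArn=topic,
            Subject=f"S3 bucket {item['resourceId']} is non-compliant",
            Message=json.dumps(evaluation, default=str))
    return evaluation


# Constructed configuration items, trimmed to the fields used above.
SAMPLE_OPEN_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-open-bucket",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2019-02-07T00:00:00.000Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {
            "blockPublicAcls": True, "ignorePublicAcls": True,
            "blockPublicPolicy": False, "restrictPublicBuckets": False},
    },
}
SAMPLE_HARDENED_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-hardened-bucket",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2019-02-07T00:00:00.000Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS},
        "ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]},
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN_BUCKET, SAMPLE_HARDENED_BUCKET):
        print(build_evaluation(sample))
```

The compliance logic is kept in a pure function so it can be unit-tested in the CI/CD pipeline alongside the templates it guards; the Lambda handler only adds the Config and SNS calls, and the function's execution role needs no more than config:PutEvaluations and sns:Publish on the alert topic.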

Harness the benefits of Infrastructure as Code to secure the cloud

- Provide a highly available infrastructure by taking advantage of the multi-region, multi-availability zone nature of AWS.
- Improve security by automatically deploying, configuring, and monitoring standardized environments.
- Reduce latency and connectivity issues, and optimize costs, by fully utilizing automatic elasticity of the cloud, dynamically expanding and contracting with demand rather than relying on guesses or unreliable predictions.
- Promote business value and market agility by reducing time and investment with the ability to rapidly prototype, fail fast, and accelerate value through more deployments of product iterations.
- Protect against evolving cyber threats and leverage features such as access controls and direct visibility to network and infrastructure services.
- Benefit from AWS native services and features such as VPCs, Security Groups, AWS Shield, and AWS Web Application Firewall.

The strength of the Deloitte / AWS relationship

Our relationship brings together Deloitte’s extensive industry experience in cyber and enterprise risk management with the security-enabled cloud infrastructure of AWS.

[AWS Partner Network designations shown: Premier Consulting Partner; Security Competency; Government Competency; Financial Services Competency; Public Sector Partner; MSP Partner]

In 2006, AWS began offering IT infrastructure services to businesses in the form of web services—now commonly known as cloud computing. Today AWS provides a highly reliable, secure, scalable, low-cost infrastructure that powers hundreds of thousands of businesses in 190 countries around the world, with over a million active customers spread across many industries and geographies.

Deloitte can help organizations adopt AWS securely and establish a security-first cloud strategy. Deloitte is a leading information technology and advisory company. Deloitte is an APN Premier Consulting Partner and an AWS Security Competency Partner (Launch Partner) and was one of the first eight organizations globally to achieve the Security Competency as a launch partner. Deloitte’s vast experience in Cyber Risk, combined with its extensive experience with AWS and Cloud technologies, enables us to provide end-to-end security solutions.

Authors

Aaron Brown
Partner, Cyber Risk Services
AWS Alliance Leader
Deloitte & Touche LLP
aaronbrown@deloitte.com

Mark Campbell
Senior Manager, Cyber Risk Services
Cloud Security Architect & AWS Alliance Manager
Deloitte & Touche LLP
markcampbell@deloitte.com

Ravi Dhaval
Manager, Cyber Risk Services
Cloud & IoT Security Architect
Deloitte & Touche LLP
rdhaval@deloitte.com

Luis Pastor
Senior Consultant, Cyber Risk Services
Cloud Security Architect
Deloitte & Touche LLP
lpastor@deloitte.com

Amazon Web Services
Piyum Zonooz
Global Partner Solution Architect
pzonooz@amazon.com

Contributors

Ashwin Satyanarayan
Consultant, Cyber Risk Services
Deloitte & Touche LLP

LeeAnn Gerosolina
Consultant, Cyber Risk Services
Deloitte & Touche LLP

About Deloitte

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this document. As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright 2019 Deloitte Development LLC. All rights reserved.
