Title: AWS re:Inforce 2024 - A close look at compliance with AWS Cloud Audit Academy (GRC227)
Insights:
- Introduction and Speaker Background: The session is led by Paul Hong, an AWS security assurance manager, who oversees security and compliance for AWS's global infrastructure, including data centers and logical security across various frameworks like NIST, SOC, ISO, and PCI.
- Target Audience: The talk is aimed at professionals in security and compliance roles, dealing with audits, internal assessments, or preparing systems for compliance.
- Cloud Compliance Challenges:
  - Regulatory Knowledge Gap: Regulators often lack in-depth knowledge of cloud security, leading to outdated compliance methods.
  - Uncertainty in Responsibilities: GRC teams may be unclear about their compliance responsibilities versus those of AWS.
  - Shared Responsibility Model: The division of security responsibilities between AWS and customers can vary by service, causing confusion.
- AWS Shared Responsibility Model:
  - Customer Responsibilities: Security in the cloud, including workloads and configurations.
  - AWS Responsibilities: Security of the cloud, including global infrastructure and core services.
- AWS Cloud Audit Academy (CAA):
  - Purpose: Educates customers on using AWS to meet security and compliance needs, offering practical guidance on evidence and automation.
  - Versions:
    - 101: Introductory, cloud-agnostic, self-paced or instructor-led.
    - 201: AWS-specific, deep dive into common frameworks, instructor-led.
    - 301: Industry-specific, detailed training for frameworks like NIST and PCI.
- Example Module (NIST-based):
  - Incident Response Planning: Covers preparation, detection, analysis, containment, recovery, and closure of incidents.
  - Core AWS Services:
    - Logging and Monitoring: AWS CloudTrail, Amazon GuardDuty, AWS Config.
    - Alerting and Aggregation: Amazon CloudWatch, Amazon SNS, AWS Security Hub.
  - Test Plan: Steps to assess compliance, including inspecting incident response plans and ensuring configurations match documented policies.
  - Best Practices: Summarizes key points and provides implementation details for compliance.
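The test plan step "ensuring configurations match documented policies" is the part of the module that can be automated, and the session's AWS Config quote below describes the mechanism: a rules-based evaluation of each resource against managed or custom rules. The following is an added example, not code from the session or from AWS, showing the core of such a check in the shape a custom AWS Config rule produces (one COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE evaluation per resource, with an annotation an auditor can read as evidence). The policy, the configuration items and the resource-type names are constructed and simplified; real AWS Config configuration items carry many more fields, and a deployed rule would additionally hand the results to the AWS Config service rather than return them.

```python
"""Evidence check: do logging and alerting resources match the documented
incident-response baseline?  Added example, not the session's or AWS's code.
Configuration items below are constructed, simplified records modelled on the
shape of AWS Config configuration items.
"""
from dataclasses import dataclass

# Constructed "documented policy": the settings the incident response plan says
# must hold for each resource type it covers.
POLICY = {
    "AWS::CloudTrail::Trail": {"IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    "AWS::GuardDuty::Detector": {"Status": "ENABLED"},
    "AWS::Config::ConfigurationRecorder": {"AllSupported": True, "IncludeGlobalResourceTypes": True},
    "AWS::SecurityHub::Hub": {"Enabled": True},   # constructed type name for illustration
}

# Constructed configuration items (what an evaluator would see for the account).
CONFIG_ITEMS = [
    {"resourceType": "AWS::CloudTrail::Trail", "resourceId": "org-trail",
     "configuration": {"IsMultiRegionTrail": True, "LogFileValidationEnabled": True}},
    {"resourceType": "AWS::CloudTrail::Trail", "resourceId": "dev-trail",
     "configuration": {"IsMultiRegionTrail": False, "LogFileValidationEnabled": True}},
    {"resourceType": "AWS::GuardDuty::Detector", "resourceId": "detector-1",
     "configuration": {"Status": "ENABLED"}},
    {"resourceType": "AWS::Config::ConfigurationRecorder", "resourceId": "default",
     "configuration": {"AllSupported": True, "IncludeGlobalResourceTypes": False}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "unrelated-bucket",
     "configuration": {}},
    # Note: no AWS::SecurityHub::Hub item at all, i.e. the control is absent, not drifted.
]


@dataclass(frozen=True)
class Evaluation:
    resource_type: str
    resource_id: str
    compliance_type: str   # "COMPLIANT", "NON_COMPLIANT" or "NOT_APPLICABLE"
    annotation: str        # human-readable reason, suitable as audit evidence


def evaluate_item(item: dict, policy: dict = POLICY) -> Evaluation:
    """Compare one configuration item against the documented policy."""
    expected = policy.get(item["resourceType"])
    if expected is None:
        # Resource types the policy says nothing about are out of scope, not failures.
        return Evaluation(item["resourceType"], item["resourceId"],
                          "NOT_APPLICABLE", "not covered by documented policy")
    actual = item.get("configuration", {})
    # Every (key, expected value) pair whose actual value differs is recorded as drift.
    drift = {k: (actual.get(k), v) for k, v in expected.items() if actual.get(k) != v}
    if not drift:
        return Evaluation(item["resourceType"], item["resourceId"],
                          "COMPLIANT", "matches documented policy")
    detail = "; ".join(f"{k}={a!r}, expected {e!r}" for k, (a, e) in drift.items())
    return Evaluation(item["resourceType"], item["resourceId"], "NON_COMPLIANT", detail)


def evaluate_all(items: list = CONFIG_ITEMS, policy: dict = POLICY) -> list:
    """One evaluation per configuration item, in input order."""
    return [evaluate_item(i, policy) for i in items]


def noncompliant_ids(items: list = CONFIG_ITEMS, policy: dict = POLICY) -> list:
    """Resource ids that exist but drift from the documented settings."""
    return [e.resource_id for e in evaluate_all(items, policy)
            if e.compliance_type == "NON_COMPLIANT"]


def coverage_gaps(items: list = CONFIG_ITEMS, policy: dict = POLICY) -> list:
    """Policy resource types with no configuration item at all.

    A per-resource rule can never flag these, because there is no resource to
    evaluate; the test plan has to check for missing controls separately.
    """
    present = {i["resourceType"] for i in items}
    return sorted(t for t in policy if t not in present)


if __name__ == "__main__":
    for e in evaluate_all():
        print(f"{e.compliance_type:15} {e.resource_type:38} {e.resource_id}: {e.annotation}")
    print("controls with no resource present:", coverage_gaps())
```

Two points of the design map to the test plan as the summary states it. First, the annotation carries the exact setting and expected value, so the evidence an auditor sees is the comparison itself rather than a bare pass/fail. Second, `coverage_gaps` exists because a per-resource rule only ever evaluates resources that exist: a detector or hub that was never created produces no configuration item, so "nothing non-compliant" is not the same as "everything in the plan is in place".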
Quotes:
- "The goal of Cloud Audit Academy is really to help consolidate that so that we can provide a common solution, or at least a common approach to finding a solution for compliance within AWS."
- "When it comes into the cloud, that's one of the biggest risks is misconfiguration when it is on behalf of the customer to make sure they're configuring it for security and for compliance."
- "Cloud Audit Academy is our training program, again, to help educate our customers on how they can use AWS to meet their security and compliance needs and prove out security."
- "We manage over 143 different audits each year across all regions, industries, countries, regulators, in many, many different forms and fashions."
- "AWS Config... allows for continuous compliance, continuous auditing, and it's a rules-based service that allows you to use AWS-managed rules or your own custom rules to set and configure on your resources within AWS."
- "Everyone wants to know about the services, right, and where to look and how to evidence to make that audit process a little easier, a little smoother."
This document provides a comprehensive overview of the session, highlighting the key points and valuable insights shared by the speaker, along with notable quotes that capture the essence of the discussion.