By Mark Campbell, Managing Director, Cyber Cloud Leader - Deloitte & Touche LLP\nSid Kantroo, Specialist Leader, AWS Cloud Security Architect \u2013 Deloitte & Touche Assurance & Enterprise Risk Services India Private Limited\nDeloitte\u2019s Zero Trust framework\nAs enterprises design security patterns for their cloud environments, they are increasingly looking to incorporate Zero Trust principles to implement security and improve their systems and data availability. This blog will focus on implementing automation to support Zero Trust capabilities on native Amazon Web Services (AWS). Security Automation and Orchestration is a core capability of Deloitte\u2019s Zero Trust Framework (Figure 1). This capability spans across the framework pillars to incorporate integrated security guardrails using automation to enable rapid development in the cloud while incorporating Zero Trust principles.\n AWS\n\nFigure 1 - Deloitte Zero Trust Framework\n\n\nAt a high level, Zero Trust entails removing the assumption of trust from security architecture and authenticating each action, user, and system.\u00a0 Deloitte\u2019s Zero Trust framework revolves around five pillars: Users, Workloads, Data, Networks, and Devices with the horizontals of Telemetry & Analytics and Automation & Orchestration. In the context of AWS, identity & access management (IAM) principles refer to users and their associated roles, groups, and privileges. Workloads are collections of resources such as Amazon ECS\/EKS containers, EC2 instances, or Lambdas. In addition, the Data pillar involves information processed by those workloads that integrate with data services such as Amazon RDS, Amazon S3, Amazon Aurora, Amazon Redshift, or Amazon Dynamo DB. The information processed and generated by those workloads and infrastructure logging in Amazon CloudWatch, Amazon CloudTrail, and Amazon Config, and monitoring with Amazon GuardDuty and AWS Security Hub, comprise the Data pillar. Networks include Amazon VPCs, subnets, security groups, the routes between them, and services such as AWS Network Firewall, AWS PrivateLink, and AWS WAF. Devices, while out of scope for this blog, can include the assets used to access the cloud environments and their associated configurations.\nIngesting data from Telemetry & Analytics horizontal involves building out capabilities for continuous monitoring, automatically responding to incidents, vulnerabilities, and misconfigurations, and leveraging this data to secure the AWS environment proactively.\nDeloitte\u2019s Security Automation and Orchestration is at the core of enabling Zero Trust\nOrganizations use AWS infrastructure to become more agile, simplify their technology stack and rapidly deploy new solutions. These transformational changes are driving the need to evolve their approach to cloud security to keep pace with the scale of DevOps, automation, and an evolving cloud attack surface. The increased proliferation of Continuous Integration\/Continuous Deployment (CI\/CD) and Infrastructure as Code automation mean the scope for security responsibility increases for the organizations. While AWS provides and manages security for their native services, it is up to the organizations to manage their own security controls effectively.\nMeanwhile, Security Operations Center (SOC) teams are tasked to keep pace with the volume of data generated by security controls and technologies to \u00a0have visibility into what\u2019s taking place across AWS accounts. In addition, the SOC should incorporate automation and orchestration to shorten incident response times, standardize processes, and integrate disparate technologies. \u00a0AWS services such as AWS Security Hub, AWS IAM Access Analyzer, Amazon GuardDuty, AWS Firewall Manager provide organizations an opportunity to improve and manage their security posture continuously by analyzing data generated to inform the SOC on potential risks related to the deployment of resources and organizational guardrails. SOC teams can further ingest the information generated by these services to gain visibility within their AWS environments.\nMany organizations are leveraging automation and orchestration to integrate detective, corrective and preventative controls across the landscape:\n1.\u00a0\u00a0\u00a0\u00a0 Detective controls identify the risks related to actions and changes that deviate from defined compliance baselines and enterprise policies.\n2.\u00a0\u00a0\u00a0\u00a0 Corrective controls include measures to mitigate, revert, or remediate risks identified by detective controls\n3.\u00a0\u00a0\u00a0\u00a0 Preventative controls are designed to be implemented alongside the deployment of resources to reduce and manage potential security\u00a0 risks by incorporating security configurations that align with enterprise security policies and help reduce the occurrence of non-compliant actions and security risks.\nSecurity as an enabler for speed and agility of cloud\nOrganizations can take advantage of many opportunities to incorporate security automation for their own governance program to align with their portion of the AWS shared responsibility model. Deploying consistent baseline and preventative controls to each new and existing cloud account and cloud architecture should be a foundational aspect for cloud governance. A critical success factor is to codify cloud security policies and incorporate into the automated process steps across the governance lifecycle to establish secure baselines while updating and improving those guardrails over time. Services such as AWS Control Tower or AWS Service Catalog and configuration features such as AWS Config Rules and Service Control Policies can be used to automate governance.\nAnother success factor is to analyze constant feedback using telemetry from detective controls to prioritize improvements to baseline and preventative controls, shifting security left and addressing issues at the source. Thus, organizations should consider deploying detective and corrective controls such as AWS Security Hub with AWS Foundational Security Best Practices controls enabled to mitigate until baseline and preventive controls can be deployed.\nTo illustrate this end-to-end picture and show how users can get started with automation on AWS, we will go through three scenarios to illustrate the opportunity to use automation to support Zero Trust objectives related to Users, Workloads, Data, and Networks. The information will be used to inform and automate the implementation of baseline and preventative controls:\nScenario 1 - Users: Automated detection and remediation of unintended access with AWS IAM Access Analyzer\n AWS\n\nFigure 2 \u2013 AWS IAM Access Analyzer Findings\n\n\nFor the Users pillar of the Zero Trust Framework, AWS IAM Access Analyzer continuously monitors resources within the same Region in and identifies public or cross-account access. It is a feature that executes analysis each time a new resource is created or a new policy is attached to a resource and generates findings across accounts to identify potential unintended access to resources and data.\nTo help address the identity-related detective controls, Access Analyzer can continuously monitor access control policies for services such as S3, KMS, Lambda, and SQS. For example, Access Analyzer can detect when access is granted for a KMS Customer Master Key (CMK) to a user in an external account. Access Analyzer findings can be integrated with Security Hub for centralized visibility into the permissions of services across AWS accounts.\nOnce AWS Access Analyzer is deployed as an automated detective control \u00a0for visibility to permissions and privileges in an AWS account, automated corrective controls can be deployed to help address and resolve the findings. Implement Lambda \u00a0to ingest findings, analyze them for violations against baseline configuration standards and remediate specific misconfigurations or over-permissive resources. For example, the Lambda function can implement automation with the SOC team\u2019s toolset by passing relevant information via an SNS Topic, CloudWatch log group or automatically calling an API to initiate a remediation workflow. The workflow can orchestrate the remediation actions or the process for granting a security exception.\nWhen it comes time to migrate workloads to production environments, development teams can use Access Analyzer to proactively generate fine-grained permissions that provide only the required access as part of the CI\/CD process rather than generating overly-permissive configurations. Access Analyzer can generate IAM policies based on access activity from CloudTrail. This action makes implementing least privilege permissions easier as the policy will grant only the required permissions for the account, resource, or workload. This process can be applied to develop policies in non-production environments with more coarse-grained permissions and determine the actions and access needed.\nScenario 2 - Workloads and Data: Orchestration of incident response to address anomalous account activity\n AWS\n\nFigure 3 \u2013 Amazon Guard Duty Findings\n\n\nFor the Workloads and Data pillars of the Zero Trust Framework, there are a variety of services that can provide opportunities for automation such as AWS Inspector, AWS IoT Device Defender, and Amazon GuardDuty. Amazon GuardDuty combined with Security Hub can be used to prevent, detect, and remediate anomalous activity. GuardDuty monitors and analyzes data sources such as DNS Logs, VPC Flow Logs, and CloudTrail S3 data event logs. For Workloads, it can generate alerts on suspected compromised EC2 instances based on, for example, an instance that is communicating with a known command and control server. GuardDuty can also help manage security risks related to your data stored in S3 buckets by detecting when objects or buckets are being accessed by unknown or suspicious IP addresses or in an anomalous manner. These findings can be integrated into Security Hub for a centralized view across your AWS accounts. However, organizations should implement automation to proactively initiate remediation actions.\nOnce findings have been aggregated in Security Hub, you can leverage automation to manage, remediate and close a high volume of alerts, saving time and effort to focus on investigations that require a high level of manual effort. You can use Amazon EventBridge to trigger automatic remediation playbooks that leverage AWS Lambda for customized automated remediation playbooks and Step Functions for orchestration. In addition, AWS Security Hub Automated Response and Remediation (SHARR) offers prebuilt playbooks based on Center for Internet Security (CIS) AWS Foundations Benchmark standard, including event rules for automated triggers, runbooks, and Lambda functions for remediation.\u00a0\u00a0\nTo take this further, you can integrate with AWS Step Functions or a third-party Security Orchestration, Automation and Response (SOAR) tool to automate much of the incident response process. For example, AWS GuardDuty may generate a finding that indicates a compromised EC2 instance (e.g., being used for crypto mining). You can automate the steps to remediate the initial threat and leverage orchestration to collect contextual information about the event in order to expediate and optimize incident management steps as time is critical for managing security incidents. More specifically, you can use AWS Lambda to stop the instance automatically, take a snapshot, and update the security group to isolate the instance from certain traffic except the forensics team. You can then use Step Functions and AWS Systems Manager to capture a memory dump of the instance and CloudTrail to collect recently associated logs. Next, you can leverage AWS SNS to send notifications to the required team and proactively provide them with the data collected in the previous step to continue the investigation.\nScenario 3 \u2013 Network: Automate network access control and firewall management\nFor the Networks pillar of the Zero Trust Framework, AWS Firewall Manager provides centralized policy management and visibility for the firewall rules across accounts in AWS Organizations. It allows you to create and enforce a set of policies to protect VPCs when using services such as AWS WAF, AWS Shield Advanced, Security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall.\n AWS\n\nFIgure 4 -- AWS Firewall Manager Policies\n\n\nManually reviewing each account could be a time-consuming and error-prone task. To protect high-risk applications from unintended network access, AWS Firewall Manager enables you to enforce policies across your environments and the ability to automatically remediate firewall rules when they are determined to be over-permissive. For corrective controls, you can choose to have Firewall Manager automatically remediate non-compliant resources or identify the resources that are not compliant with your defined security policies. These findings can be integrated with Security Hub for a central view of\u00a0 AWS findings related to network security risks.\n AWS\n\nFigure 5 \u2013 AWS Firewall Manager findings in AWS Security Hub\n\n\nYou can use this data to continually refine baseline controls and review that permissions associated with applications are appropriate to their risk level. Service Control Policies can enforce network controls at the Organization level, prohibiting resources from being created that violate security policies.\nConclusion\nIn this post, we explored some of the starting points to leverage automation and AWS security services to proactively manage detective, corrective, and preventative security controls across \u00a0your Users, Workloads, Data, and Networks to align with Zero Trust principles. Leveraging automation to integrate detective, corrective and preventative controls across accounts and organizations not only reduces the risk of human error, but incorporates security as an enabler to cloud governance and \u00a0improves cloud security posture and maturity.\nTo read about how these concepts are put into practice in the Deloitte Guardian for AWS managed security service please link to the APN blog below:\nManaging Cybersecurity Risks with the Next Generation of Managed Security Services\nReferences\nhttps:\/\/aws.amazon.com\/blogs\/aws\/identify-unintended-resource-access-with-aws-identity-and-access-management-iam-access-analyzer\/\nhttps:\/\/aws.amazon.com\/blogs\/security\/iam-access-analyzer-makes-it-easier-to-implement-least-privilege-permissions-by-generating-iam-policies-based-on-access-activity\/\nhttps:\/\/aws.amazon.com\/blogs\/security\/how-to-continuously-audit-and-limit-security-groups-with-aws-firewall-manager\/\nThis publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.\u00a0 Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.\nAll product names mentioned in this publication are the trademarks or registered trademarks of their respective owners and are mentioned for identification purposes only. The screen captured and data provided in this publication are for informational purposes only.\u00a0 Deloitte & Touche LLP is not responsible for the functionality or technology related to the Vendor or other systems or technologies as defined in this publication.\u00a0\nAs used in this document, \u201cDeloitte\u201d means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com\/us\/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.\n\u00a0\u00a0\nCopyright \u00a9 2021 Deloitte Development LLC. All rights reserved.