ASD Protected Classification for AWS Sydney

On the 23rd of January, 2019, the Australian Signals Directorate (ASD) and AWS announced that the AWS Sydney Region (ap-southeast-2) was suitable for processing workloads rated at PROTECTED level DLM.

The primary source for this is a little green table on the ASD site that looks like this:

[Image: ASD Protected Cloud Status as at February 2019]

AWS had previously announced on 28 March 2018 that public sector companies could self-assess AWS for PROTECTED-level workloads; now that self-assessment is no longer necessary. However, a guide does exist (as noted by the asterisk in the above table), as there are conditions on doing this.

That guide is available to AWS customers via the NDA-enforcement system of AWS Artifact. The guide shows how to meet the PROTECTED level, and it should come as no surprise that using strong, managed encryption is a key part of this (pun intended).

There are other reasons for Australian customers to look at Artifact, such as agreements around compulsory breach notification, etc. These are specific to regulatory requirements in Australia.

So what services changed to reach PROTECTED?

From what I can tell (and it’s been 4 years since I worked at AWS), none. The guidance that recommends using strong encryption (Key Management Service) appears to date from some time in the past. With 42 services in scope for PROTECTED, it’s a big step up from the previous 6 or so that were covered under self-assessment.

A complete matrix of services in scope can be seen here.

It’s interesting to see just 4 services that have now got an UNCLASSIFIED rating that are not also available under PROTECTED: Route53, Organi[sz]ations, Shield, and Trusted Advisor. If you were using DNS for storing PROTECTED data you’ve probably got something wrong with you, to be honest; while Organi[sz]ations and Trusted Advisor don’t store your information — they configure other services and give you operational recommendations respectively.

UNCLASSIFIED goes world-wide

One thing that I hadn’t noticed, but was told, was that unclassified workloads could now be run in any of the AWS Commercial Regions (i.e., except China). I couldn’t find a reference to this, but it’s worth asking your local AWS team about for your workload.

This would mean that those workloads that were previously running in the Cloud that were not rated PROTECTED can now look again at things like S3 inter-region replication, multi-Region redundancy, and more. Things like VPC Peering between Regions, for distributed fault tolerance, make it just as trivial for VM-based services to communicate across the world.

This is particularly attractive for services that are only available in, for example, US-East-1, or where costs are cheaper (e.g., Storage).

My favourite services for PROTECTED workloads

So back to the long list of protected services: what are my favourite top 10 items to choose from?

  1. IAM
  2. CloudTrail (but my preference is an Organisation CloudTrail these days)
  3. CloudFormation
  4. S3
  5. Lambda
  6. VPC, EC2, EBS, RDS, ELB (ok, that’s 5, but they’re so tightly interrelated)
  7. DirectConnect
  8. CloudWatch & CloudWatch Logs
  9. CloudFront & Lambda@Edge
  10. DynamoDB

So why this lot? Well, I think with just this combination I can probably solve around 95% of all workloads, reducing the TCO and increasing reliability and security posture at the same time.

So the time has come. If you’re in the IT department of any public sector, at Local, State or Federal, you should already be working this out.


If you can’t figure this out, reach out. If you’re needing training, check out Nephology’s Advanced Security & Operations on AWS in-person training course, available throughout Australia (just ask). We’ve had over 10 years’ continuous production use of AWS, with critical workloads.