AWS provides a range of security services and features that AWS customers can use to secure their content and meet their own specific business requirements for security. This presentation focuses on the top 5 ways you can make use of AWS security features to meet your own organization's security and compliance objectives.
Reasons to attend:
Learn about the AWS approach to security and how responsibilities are shared between AWS and our customers.
Learn how to build your own secure virtual private cloud and integrate it with your existing solutions.
Learn how to use AWS services and scale to assist in mitigation against attacks.
Learn best practices for securing your AWS account, your content and your applications.
3. Top 5 Ways to Secure Your Business on the Cloud
Shaun Ray – Enterprise Solutions Architect
4. What we will cover today
1. Understanding shared responsibility for security
2. Building a secure virtual private cloud
3. Using AWS Identity and Access Management
4. Protecting your content on AWS
5. Building secure applications on AWS
7. Security is shared between AWS and Customers
AWS looks after the security OF the platform: the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
Customers are responsible for their security IN the Cloud: Customer Content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Encryption Key Management, Client and Server Encryption, Network Traffic Protection.
8. To summarise:
1. Security is our number one priority
2. Every customer receives the same security
3. We do not have access to your data or guest OS
4. Reduce the scope of your own compliance audits
5. You can focus on securing your own content
9. What we will cover next: 2. Building a secure virtual private cloud
10. Customers can use any AWS region around the world
Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), EU-CENTRAL (Frankfurt), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)
11. Each region offers resilience and high-availability
[Diagram: the regions listed on the previous slide, each made up of multiple Availability Zones]
12. Use edge locations to serve content close to your customers
Edge locations: Dallas (2), St. Louis, Miami, Jacksonville, Los Angeles (2), Palo Alto, Seattle, Ashburn (2), Newark, New York (2), South Bend, San Jose, Dublin, London (2), Amsterdam, Stockholm, Frankfurt, Paris (2), Milan, Singapore (2), Hong Kong (2), Tokyo, Osaka, Chennai, Mumbai, Taipei, Manila, Sydney, Melbourne, Sao Paulo, Rio de Janeiro
13. Build your own resilient, fault tolerant solutions
AWS delivers scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active operations
All AWS facilities are always on
• No need for a “Disaster Recovery Datacenter” when you can have resilience
• Every one managed to the same global standards
AWS has robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP Service Providers
• Resilient network infrastructure
14. Each AWS Region has multiple availability zones
[Diagram: Availability Zone A and Availability Zone B]
15. Your VPC spans every availability zone in the Region
[Diagram: a VPC spanning Availability Zone A and Availability Zone B]
16. Customers control their VPC IP address ranges
[Diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B]
Choose your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space
• The maximum CIDR block you can allocate is /16
• For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses
Select IP addressing strategy
• You can’t change the VPC address space once it’s created
• Think about overlaps with other VPCs or existing corporate networks
• Don’t waste address space, but don’t constrain your growth either
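The addressing rules on this slide can be checked before a VPC is created, since the range cannot be changed afterwards. The following is an added example using only the Python standard library, not code from the deck; the existing networks it checks against are constructed for illustration.

```python
"""Plan a VPC address range: private space, no larger than /16, no
overlap with other VPCs or corporate networks, then carve /24 subnets."""
import ipaddress

# Constructed sample: networks that already exist and must not overlap
EXISTING_NETWORKS = {
    "corporate LAN": "10.1.0.0/16",
    "VPC B": "172.16.0.0/16",
}


def check_vpc_cidr(cidr, existing=EXISTING_NETWORKS):
    """Return a list of problems with the proposed VPC CIDR (empty = OK)."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=False)
    if not net.is_private:
        problems.append(f"{net} is not a private address range")
    # The slide: the largest block you can allocate to a VPC is a /16
    if net.prefixlen < 16:
        problems.append(f"{net} is larger than the /16 maximum")
    for name, other in existing.items():
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{net} overlaps {name} ({other})")
    return problems


def carve_subnets(cidr, count, new_prefix=24):
    """Split the VPC range into `count` subnets of size /new_prefix.

    Raises ValueError if the VPC cannot hold that many subnets, so a
    range that constrains growth is caught at design time.
    """
    net = ipaddress.ip_network(cidr)
    subnets = []
    for sub in net.subnets(new_prefix=new_prefix):
        if len(subnets) == count:
            break
        subnets.append(str(sub))
    if len(subnets) < count:
        raise ValueError(f"{net} holds only {len(subnets)} /{new_prefix} subnets")
    return subnets


def address_count(cidr):
    """Total addresses in the block (the slide's 256*256 for a /16)."""
    return ipaddress.ip_network(cidr).num_addresses


if __name__ == "__main__":
    print(check_vpc_cidr("10.0.0.0/16"))    # no problems
    print(check_vpc_cidr("10.1.0.0/16"))    # overlaps the corporate LAN
    print(check_vpc_cidr("10.0.0.0/8"))     # too large, and overlaps
    print(carve_subnets("10.0.0.0/16", 5))  # five /24 subnets
    print(address_count("10.0.0.0/16"))     # 65536
```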
17. We will concentrate on a single availability zone just now
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A]
18. Segment your VPC address space into multiple subnets
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24 containing EC2, NAT and Web instances]
19. Place your EC2 instances in subnets according to your design
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24 to 10.0.5.0/24 holding NAT, Jump, App, Log and Web EC2 instances]
20. Use VPC security groups to firewall your instances
[Diagram: the same VPC A layout; security group rule on the App instance: “Web servers can connect to app servers on port 8080”]
21. Each instance can be in up to five security groups
[Diagram: the same VPC A layout; rules: “Web servers can connect to app servers on port 8080”, “Allow outbound connections to the log server”]
22. Use separate security groups for applications and management
[Diagram: the same VPC A layout; rules: “Web servers can connect to app servers on port 8080”, “Allow outbound connections to the log server”, “Allow SSH and ICMP from hosts in the Jump Hosts security group”]
23. Security groups are stateful with both ingress and egress rules
[Diagram: the same VPC A layout with NAT, Jump, App, Log and Web instances]
Security groups
• Operate at the instance level
• Support ALLOW rules only
• Are stateful
• Max 50 rules per security group
24. The VPC router will allow any subnet to route to another in the VPC
[Diagram: the same VPC A layout with a Router connecting the subnets]
25. Use Network Access Control Lists to restrict internal VPC traffic
[Diagram: the same VPC A layout with a Router connecting the subnets]
26. Use Network Access Control Lists to restrict internal VPC traffic
[Diagram: the same VPC A layout; NACL rule: “Deny all traffic between the web server subnet and the database server subnet”]
27. Use Network Access Control Lists for defence in depth
[Diagram: the same VPC A layout with a Router connecting the subnets]
NACLs are optional
• Applied at subnet level, stateless and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defence
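The difference between the two firewall layers on slides 23 and 27 is easiest to see by evaluating the same packets against both. This added example (not from the deck) models a stateful, allow-only security group on the App tier and a stateless, ordered NACL on the App subnet; the rules, the 10.0.4.0/24 web subnet and the 10.0.5.0/24 jump subnet follow the deck's diagram, the port numbers are constructed.

```python
from ipaddress import ip_address, ip_network

# Security group on the App tier: ALLOW rules only, per instance, stateful.
# Rule shape: (direction, protocol, service port, peer CIDR)
APP_SG = [("ingress", "tcp", 8080, "10.0.4.0/24")]  # web servers -> app on 8080

# NACL on the App subnet: numbered rules, ALLOW or DENY, stateless, evaluated
# lowest number first; anything unmatched hits the implicit deny at the end.
# Rule shape: (number, direction, action, protocol, (low port, high port), peer CIDR)
APP_NACL = [
    (100, "ingress", "allow", "tcp", (8080, 8080), "10.0.4.0/24"),
    (110, "ingress", "deny", "tcp", (0, 65535), "10.0.4.0/24"),
    (100, "egress", "allow", "tcp", (1024, 65535), "10.0.4.0/24"),  # replies
]


def sg_allows(rules, state, direction, proto, port, peer):
    """Stateful evaluation. `state` holds flows already admitted: a packet
    passes if a rule matches, or if it is the return half of an admitted
    flow, even though the group has no rule for that direction."""
    if (direction, proto, port, peer) in state:
        return True
    for rule_dir, rule_proto, rule_port, cidr in rules:
        if (rule_dir, rule_proto, rule_port) == (direction, proto, port) \
                and ip_address(peer) in ip_network(cidr):
            reverse = "egress" if direction == "ingress" else "ingress"
            state.add((reverse, proto, port, peer))  # remember the flow
            return True
    return False


def nacl_allows(rules, direction, proto, port, peer):
    """Stateless evaluation: every packet, replies included, must match an
    explicit ALLOW before a DENY or the implicit deny at the end."""
    for _, rule_dir, action, rule_proto, (lo, hi), cidr in sorted(rules):
        if rule_dir == direction and rule_proto == proto and lo <= port <= hi \
                and ip_address(peer) in ip_network(cidr):
            return action == "allow"
    return False


def web_to_app_session(web_ip="10.0.4.10", client_port=40000):
    """Walk one HTTP session from a web server through both layers.
    Without the egress NACL rule for ports 1024-65535 the reply would be
    dropped by the NACL even though the security group lets it through."""
    sg_state = set()
    return {
        "sg request": sg_allows(APP_SG, sg_state, "ingress", "tcp", 8080, web_ip),
        "sg reply": sg_allows(APP_SG, sg_state, "egress", "tcp", 8080, web_ip),
        "nacl request": nacl_allows(APP_NACL, "ingress", "tcp", 8080, web_ip),
        "nacl reply": nacl_allows(APP_NACL, "egress", "tcp", client_port, web_ip),
    }


if __name__ == "__main__":
    print(web_to_app_session())                                   # all True
    print(sg_allows(APP_SG, set(), "ingress", "tcp", 22, "10.0.5.10"))  # False
    print(nacl_allows(APP_NACL, "ingress", "tcp", 22, "10.0.4.10"))     # False
```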
28. Use Elastic Load Balancers to distribute traffic between instances
[Diagram: the same VPC A layout with an Elastic Load Balancer in front of two Web instances]
29. Elastic Load Balancers are also placed in security groups
[Diagram: the same VPC A layout with an Elastic Load Balancer in front of a group of Web instances]
30. Your security can scale up and down with your solution
[Diagram: the same VPC A layout with an Elastic Load Balancer and an Auto scaling group of Web instances]
Elastic load balancers
• Instances can automatically be added and removed from the balancing pool using rules
• You can add instances into security groups at launch time
32. Add an Internet Gateway to route Internet traffic from your VPC
[Diagram: the VPC A layout with an Internet Gateway attached to the VPC Router]
33. You choose what subnets can route to the Internet
[Diagram: the VPC A layout with an Internet Gateway attached to the VPC Router]
Internet routing
• Add route tables to subnets to control Internet traffic flows – these become Public subnets
• Internet Gateway routing allows you to allocate a static Elastic IP address or use AWS-managed public IP addresses to your instance
34. NAT instances allow outbound Internet traffic from private subnets
[Diagram: the VPC A layout with a NAT instance in a public subnet and an Internet Gateway attached to the VPC Router]
Internet routing
• Use a NAT instance to provide Internet connectivity for private subnets - required to access AWS update repositories
• This will also allow back-end servers to route to AWS APIs – for example storing logs on S3, or using Dynamo, SQS, SNS and SWS
36. Add a Virtual Private Gateway to route traffic to your premises
[Diagram: the VPC A layout with the VPC Router connected through a Virtual Private Gateway to your premises]
37. You can create multiple IPSEC tunnels to your own VPN endpoints
[Diagram: the VPC A layout; Virtual Private Gateway connected to a Customer Gateway at your premises]
38. You can also connect privately using AWS Direct Connect
[Diagram: the VPC A layout; Direct Connect and the Virtual Private Gateway connected to a Customer Gateway at your premises]
39. You can also create VPNs over Direct Connect if required
[Diagram: the VPC A layout; Direct Connect and the Virtual Private Gateway connected to a Customer Gateway at your premises]
40. You can route VPC Internet connections through your own gateways
[Diagram: the VPC A layout; Direct Connect and the Virtual Private Gateway connected to a Customer Gateway at your premises]
41. You can have both Internet and private connectivity to your VPC
[Diagram: the VPC A layout; Direct Connect and the Virtual Private Gateway to a Customer Gateway at your premises, plus an Internet Gateway and NAT reaching Amazon S3 and DynamoDB]
42. You have full control in designing robust hybrid solutions
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; Public subnet with an Elastic Load Balancer, an Auto scaling group of Web instances and NAT; Private subnet with Master and Failover EC2 instances; VPC Router connected to Direct Connect, a Virtual Private Gateway to your premises, and an Internet Gateway reaching Amazon S3 and DynamoDB]
43. To summarise:
1. Your VPC is private until you decide to make it public
2. Security groups block horizontal as well as vertical traffic
3. You can use your own internet in your DC
4. Protect your instances with NAT and ELB
5. Create hybrid architectures with Direct Connect
44. What we will cover next: 3. Securing and auditing your account
45. Controlling your Root account
• Enable multi-factor authentication to secure your root account for login
• Manage risk by not putting services and instances in your root account
• Enable CloudTrail alerting and logging for auditing changes
• Create roles to assign temporary access to your resources
• Federate users with on-premise sign on solutions to reduce administration
46. Segregate duties between roles with IAM
[Diagram: a Region containing VPC A - 10.0.0.0/16 with two Availability Zones, Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24, a Router, an Internet Gateway to the Internet and a Customer Gateway]
You get to choose who can do what in your AWS environment and from where.
A web server can access S3 to read static images from your private subnet.
Simon can create snapshots for RDS, but cannot restore data from them.
CloudTrail can log all interactions with AWS APIs for your account.
47. Federate AWS IAM with your existing directories
Federate with on-premise directories like Active Directory or another SAML 2.0 compliant identity provider
48. Use AWS CloudTrail to track access to APIs and IAM
Increase your visibility of what happened in your AWS environment – who did what and when, from where.
CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made.
49. AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
• Record changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
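One concrete use of the slide above is pulling the security group and NACL changes out of a CloudTrail log file, with the who, when and from-where the previous slide promises. This is an added example, not the deck's code; the records are constructed to follow the CloudTrail record layout (eventName, eventTime, userIdentity, sourceIPAddress, requestParameters) and the IDs are placeholders, not real resources.

```python
"""Find VPC firewall changes and root-account use in CloudTrail records."""
import json

# Constructed sample log with abridged CloudTrail fields
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-03-10T09:12:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "simon"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"groupId": "sg-EXAMPLE1"}},
    {"eventTime": "2015-03-10T09:13:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "simon"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2015-03-10T22:40:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"networkAclId": "acl-EXAMPLE1"}},
]})

# EC2 API calls that alter the security group and NACL layers
FIREWALL_CHANGES = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}


def who(record):
    """Actor name for IAM users, otherwise the identity type (e.g. Root)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def firewall_changes(log_text, watch=FIREWALL_CHANGES):
    """Return (time, actor, API call, source IP, changed resource) tuples."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventName") not in watch:
            continue
        params = rec.get("requestParameters", {})
        target = params.get("groupId") or params.get("networkAclId") or "?"
        findings.append((rec["eventTime"], who(rec), rec["eventName"],
                         rec.get("sourceIPAddress", "?"), target))
    return findings


def root_activity(log_text):
    """API calls made with the root account, which the deck says to avoid."""
    return [r["eventName"] for r in json.loads(log_text)["Records"]
            if r.get("userIdentity", {}).get("type") == "Root"]


if __name__ == "__main__":
    for finding in firewall_changes(SAMPLE_LOG):
        print(" ".join(finding))
    print("root account used for:", root_activity(SAMPLE_LOG))
```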
50. Monitor everything with CloudWatch logs
Amazon CloudWatch Logs can monitor your system, application and custom log files.
Monitor your web server http log files and use CloudWatch Metrics filters to identify 404 errors and count the number of occurrences within a specified time period.
Alarm when thresholds are reached and automatically generate a ticket for investigation.
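The metric filter and alarm described on this slide can be prototyped offline before it is configured in CloudWatch. The following is an added example, not the deck's code: it parses web server access log lines, counts 404 responses per five-minute window and reports the windows that would trigger an alarm; the log lines are constructed in Apache common log format and the threshold of 3 is an assumption.

```python
"""Count 404 responses per time window and flag windows over a threshold."""
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample access log (common log format)
SAMPLE_LOG = """\
10.0.4.10 - - [10/Mar/2015:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.4.10 - - [10/Mar/2015:13:55:37 +0000] "GET /missing.html HTTP/1.1" 404 209
10.0.4.11 - - [10/Mar/2015:13:55:38 +0000] "GET /old-link HTTP/1.1" 404 209
10.0.4.11 - - [10/Mar/2015:13:55:39 +0000] "GET /favicon.ico HTTP/1.1" 404 209
10.0.4.12 - - [10/Mar/2015:14:02:01 +0000] "GET /about.html HTTP/1.1" 200 1024
10.0.4.12 - - [10/Mar/2015:14:02:05 +0000] "GET /old-page HTTP/1.1" 404 209
garbage line that does not parse
"""


def parse(line):
    """Return (timestamp, status code) or None for lines the filter skips."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), int(m["status"])


def count_status(log_text, status=404, window=timedelta(minutes=5)):
    """Count matching responses per fixed window, like a metric filter
    feeding a CloudWatch metric with a 5-minute period."""
    secs = window.total_seconds()
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, code = parsed
        if code == status:
            # align the timestamp down to the start of its window
            start = datetime.fromtimestamp((ts.timestamp() // secs) * secs,
                                           tz=ts.tzinfo)
            counts[start.isoformat()] += 1
    return dict(counts)


def alarms(counts, threshold=3):
    """Windows whose count reaches the threshold (the alarm state)."""
    return sorted(w for w, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    per_window = count_status(SAMPLE_LOG)
    print(per_window)
    print("alarm for windows:", alarms(per_window))
```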
51. Use AWS Config to audit changes to your environment
53. What we will cover next: 4. Protecting your content on AWS
54. AWS has many different content storage services
Simple Storage Service (S3) for static objects and web hosting
Redshift for data warehousing of large datasets
Relational Database Service (RDS) for hosting managed SQL databases
Elastic Block Store (EBS) for storing workloads on EC2
55. AWS Key Management Service
[Diagram: Customer Master Key(s) held in AWS KMS, with Data Key 1 protecting an Amazon S3 Object, Data Key 2 an Amazon EBS Volume, Data Key 3 an Amazon Redshift Cluster and Data Key 4 a Custom Application]
56. Making use of available Amazon S3 security features
Configure S3 access controls at bucket and object level
• Restrict access and rights as tightly as possible and regularly review access logs
• Use versioning for important files, with MFA required for delete
Use S3 cryptographic features
• Use HTTPS to protect data in transit
• S3 server side encryption
• AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf, or manage those keys using AWS Key Management Service (KMS)
• Use S3 client side encryption
• Encrypt information before sending it to S3
• Build yourself or use the AWS Java SDK
Use MD5 checksums to verify the integrity of objects loaded into S3 over long periods of time
57. Understanding Amazon RedShift security features
Redshift has one-click full disk encryption as standard
• If chosen, backups to S3 are also encrypted
• You can use the AWS CloudHSM to store your keys or supply
keys from AWS Key Management Service (KMS)
You can build end-to-end encryption for your data pipeline
• Use S3 client side encryption to load data into S3
• Pass RedShift the same key and it will decrypt when loading
Configure security groups and consider deploying within VPC
• RedShift loads data from S3 over SSL
• Limit access to those S3 buckets and consider the end-to-end
data load process from source
Use SSL to protect data in transit if querying over the Internet
58. Making the most of Amazon RDS security features
RDS can reduce the security burden of running your databases
• Limit security group access to RDS instances
• Limit RDS management plane access with AWS IAM permissions
Encrypt data in flight
• Oracle Native Network Encryption, SSL for SQL Server, MySQL
and PostgreSQL – especially if the database is accessible from the
Internet
Encrypt data at rest in sensitive table space
• Native RDS via SQL Server and Oracle Transparent Data
Encryption
• Encrypt sensitive information at application level or use a DB proxy
Configure automatic patching of minor updates – let AWS do the heavy
lifting for you within a maintenance window you choose
59. Encrypting EBS volumes on Amazon EC2 instances
Use AWS native encryption, roll your own or use commercial solutions from AWS partners
• AWS EBS native encryption at the click of a mouse. Encryption keys are managed and
visible using AWS Key Management Service
• Use Windows BitLocker or Linux LUKS for encrypted volumes
• SafeNet Protect-V, Trend Secure Cloud, Voltage – some vendors offer boot volume
encryption, including hardware key storage options
Managing encryption keys is critical and difficult!
• How will you manage keys and make sure they are available when required, for example at
instance start-up?
• How will you keep them available and prevent loss? How will you rotate keys on a regular
basis and keep them private?
60. AWS CloudHSM can integrate with on-premise SafeNet HSMs
[Diagram: your HSM at your premises, used by your applications, in SYNC with an H/A PAIR of CloudHSM appliances reached through NAT; EC2 instances use them for volume, object and database encryption and for transaction signing / DRM / apps, protecting EBS, Amazon S3 and Amazon Glacier]
61. What we will cover next: 5. Building secure applications on AWS
62. Block threats to your application
Traditional network intrusion detection and prevention is less relevant now
• Dude, where’s my SPAN port?
• Attackers have moved to layer 7 (HTTP) so we need to follow them there
• You can still build an effective DMZ within the VPC using a wide range of open source or AWS technology partner solutions
Drop bad traffic before it hits your application and databases
• Can be deployed in two-way configuration to implement simple DLP, for example scan outgoing traffic for Credit Card Numbers
• Design for scale and high-availability using ELBs
• Scale fast and wide to cope with huge traffic volumes
• Build a solution designed to cope with volumetric attacks
Let’s build an example in the next slides
63. Building a scalable threat protection layer in your VPC
[Diagram: VPC A - 10.0.0.0/16 across Availability Zone A and Availability Zone B; an Internet Gateway feeds an Elastic Load Balancer in front of Auto scaling groups of WAF instances in Public subnets, which pass traffic to further Elastic Load Balancers in front of Auto scaling groups of Web Application EC2 instances in Private subnets]
64. Use VPC peering to build common security gateways
[Diagram: Internet users / customers reach a WAF Service (HTTP/S) run by the Security Team; it fronts the Web Apps (HTTP/S) run by the Apps and Operations Team over VPC Peering; a Proxy Service (HTTP/S) in the Security Team VPC gives the applications access to Amazon S3 and APIs]
All customer access is routed through WAF web applications.
Provides secure access to APIs from applications.
65. You don’t have to be alone when facing volumetric attacks
66. You can build a solution that can scale and offload attacks
[Diagram: Player one: your VPC, with Auto scaling]
67. You can build a solution that can scale and offload attacks
[Diagram: Player one: your VPC, with Auto scaling]
Vital statistics
You can scale your VPC up to your financial threshold
• You have AWS scale and bandwidth at your disposal
• Auto-scale your application
• Use queues and worker instances to process traffic
• Think how you can shard your databases
68. You can also bring AWS resources to assist you
[Diagram: Player one: your VPC, with Auto scaling; Player two: AWS, with CloudFront, Route 53 and S3]
69. You can also bring AWS resources to assist you
[Diagram: Player two: AWS, with CloudFront, Route 53 and S3]
Vital statistics
AWS provides large-scale Global endpoints
• 52 CloudFront edge locations and growing all the time
• 100% Route53 availability SLA
• 24x7 dedicated teams responding
• Drop malformed requests
• Soaking up load and watching your back
70. Your VPC can use auto-scaling to serve dynamic content
[Diagram: Customers reaching an auto-scaled group of EC2 instances]
71. Serve your static content from S3
[Diagram: Customers reaching EC2 instances in a Region, with static content served from Amazon S3]
S3 is processing more than a million requests/s.
72. Use CloudFront to cache your origin servers
[Diagram: Customers reaching a CloudFront Edge Location, which fronts the EC2 instances and Amazon S3 in the Region]
CloudFront has over 52 global edge locations.
73. CloudFront can also proxy your dynamic content
[Diagram: Customers in several locations reaching CloudFront, which proxies to the EC2 instances and Amazon S3 in the Region]
74. CloudFront will unload volume from your VPC and drop bad requests
[Diagram: Distributed attackers in several locations hitting CloudFront in front of the EC2 instances and Amazon S3 in the Region]
75. Route 53 is a global, resilient DNS to keep your traffic coming
[Diagram: Distributed attackers in several locations; Route53 and CloudFront in front of the EC2 instances and Amazon S3 in the Region]
76. AWS is delivering and defending large-scale endpoints 24x7
[Diagram: Distributed attackers in several locations; Route53 and CloudFront in front of the EC2 instances and Amazon S3 in the Region]
77. You can out-scale your attacker until their resources diminish
[Diagram: Customers in several locations; Route53 and CloudFront in front of the EC2 instances and Amazon S3 in the Region]
78. Route 53 can also load balance traffic across multiple AWS Regions
[Diagram: Route 53 in front of two Regions, SYDNEY and DUBLIN, each with Availability Zone A and Availability Zone B containing NAT and EC2 instances]
79. You can use health-checks to failover Regions or even just VPCs
[Diagram: Route 53 in front of two Regions, SYDNEY and DUBLIN, each with Availability Zone A and Availability Zone B containing NAT and EC2 instances]
80. Amazon Route53 makes DNS easy and reliable
DNS is hard and complex from a security viewpoint
• Route 53 lets AWS take care of the heavy-lifting
• Customers just have to configure DNS entries
• Latency-based routing and app health-checking
• Fall back to static website if main site down
• Round-robin load balance across VPCs / Regions
Security best practices for Route 53
• DNS is a critical service – understand and limit who can access and change Route 53 configurations using AWS IAM
• Use two-factor authentication for those users
• Use new Private DNS features to limit internal domain visibility
81. Amazon CloudFront will deliver your content from the nearest edge
Use CloudFront to increase your solution’s performance and availability
• Cache more than static content – now with more supported HTTP verbs
• Highly reliable global network of edge locations
• Can help absorb volumetric attack and drop bad HTTP requests
Security best practices for CloudFront
• Use private content option to authorise only signed requests
• Use SSL when POSTing sensitive information
• Review logs for attack intelligence – are you being targeted?
• Lock CloudFront to specific S3 origin buckets when possible
• Configure HTTPS only for downloads
82. AWS partners can help you build and implement secure solutions
[Diagram: AWS (Facilities, Physical security, Compute infrastructure, Storage infrastructure, Network infrastructure, Virtualization layer (EC2), Hardened service endpoints, Fine-grained IAM capability) + AWS partner solutions = Your secure AWS solutions]
These products and more are available on the AWS marketplace - WAF, VPN, IPS, AV, API gateways, data encryption, user management.
83. Where you can go for help and further information
Browse and read AWS security whitepapers and good practices
• http://blogs.aws.amazon.com/security
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, including CSA questionnaire response
• Security best practices
• Audit and operational checklists to help you assess security before you go live
• Regularly check Trusted Advisor
Sign up for AWS support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment