
AWS Cloud Security & Compliance Basics Webinar


Data protection is the highest priority for any organisation, so we answer common questions about GDPR, data residency, freedom of information, and privacy. We also address security-related compliance, risk management strategies, and best practices for securing data on AWS.


  1. Cloud Security Webinar: AWS Security & Compliance Basics, June 2019. Tim Rains, Regional Leader, Security & Compliance Business Acceleration, EMEA, WWPS; Enrico Massi, Security Specialist Solutions Architect, EMEA
  2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why is security traditionally so hard? Low degree of automation; lack of visibility.
  3. OR
  4. OR AND
  5. Worldwide Public Sector: AWS customer success stories in the public sector, https://aws.amazon.com/solutions/case-studies/government-education/all-government-education-nonprofit/
  7. AWS Pace of Innovation
  8. Infrastructure
  9. AWS Global Infrastructure: the AWS Cloud spans 66 Availability Zones within 21 geographic Regions around the world, with announced plans for 12 more Availability Zones and four more Regions in Bahrain, Cape Town, Jakarta, and Milan.
  10. Amazon CloudFront & Route 53 Edge Infrastructure: Amazon CloudFront uses a global network of 187 Points of Presence (176 Edge Locations and 11 Regional Edge Caches) in 69 cities across 30 countries.
     • Europe edge locations: Amsterdam, The Netherlands (2); Berlin, Germany (2); Copenhagen, Denmark; Dublin, Ireland; Frankfurt, Germany (8); Helsinki, Finland; London, England (9); Madrid, Spain (2); Manchester, England (2); Marseille, France; Milan, Italy; Munich, Germany (2); Oslo, Norway; Palermo, Italy; Paris, France (5); Prague, Czech Republic; Stockholm, Sweden (3); Vienna, Austria; Warsaw, Poland; Zurich, Switzerland (2)
     • Middle East edge locations: Dubai, United Arab Emirates; Fujairah, United Arab Emirates
     • Africa edge locations: Johannesburg, South Africa; Cape Town, South Africa
  11. Compliance Basics
  12. AWS Compliance Programs: https://aws.amazon.com/compliance/programs/
  13. General Data Protection Regulation: https://aws.amazon.com/compliance/gdpr-center
  14. General Data Protection Regulation (continued): https://aws.amazon.com/compliance/gdpr-center
  15. Self-service Compliance Reports – AWS Artifact
  16. Attestation: shared security assurance, certifications, and external audits.
     • Customer: responsible for obtaining and maintaining certifications and accreditations through internal/external audits (as required) for their end-user system leveraging AWS and vendors.
     • Vendor: responsible for obtaining and maintaining certifications and accreditations through external audits (as required) for their cloud offerings.
     • AWS Security Assurance: responsible for obtaining and maintaining AWS infrastructure certifications and accreditations through external audits.
  17. Security Basics
  18. Shared Responsibility Model (details available at https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf): Infrastructure Services. Examples of infrastructure services: Amazon EC2, Amazon Elastic Block Store (Amazon EBS), Auto Scaling, and Amazon Virtual Private Cloud (Amazon VPC). Here AWS manages the hypervisor and everything below it; the customer manages the guest operating system, applications, data, and the IAM and network (security group) configuration.
  19. Shared Responsibility Model (details available at https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf): Container Services. Examples of container services: Amazon Relational Database Service (Amazon RDS), Amazon Elastic MapReduce (Amazon EMR) and AWS Elastic Beanstalk. AWS manages the operating system and platform; the customer remains responsible for the data, the firewall (security group) rules, and IAM.
  20. Shared Responsibility Model (details available at https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf): Abstracted Services. Examples of abstracted services: Amazon Simple Storage Service (Amazon S3), Amazon Glacier, Amazon DynamoDB, Amazon Simple Queue Service (Amazon SQS), and Amazon Simple Email Service (Amazon SES). AWS manages the platform end to end; the customer manages the data (classification, encryption options) and the IAM policies that protect it.
  21. Adopting AWS you can concentrate on securing your own application, using automation and many built-in security tools designed to meet the most stringent regulations and requirements.
     • Provided by AWS: facilities; physical security; compute infrastructure; storage infrastructure; network infrastructure; virtualization layer (EC2); hardened service endpoints; rich IAM capabilities; extensive set of security services; extensive assurance program.
     • Owned by the customer: network configuration; security groups; OS / network firewalls; operating system security; application security; proper service configuration; AuthN and account management; authorization policies; data security; operational security.
     • AWS + customer + automation = more secure and compliant systems.
  22. Network Segmentation
     • Infrastructure as code
     • VPCs
     • Private and public subnets
     • Security groups and ACLs
     • Every instance is protected by a stateful firewall (its security group)
     • NACL (stateless rules, second level of protection at the network level)
     • Private connectivity to the on-premises environment
     Diagram: multi-dimensional defence in depth, from the outside in: Region, VPC + network ACLs, subnets, security group, EC2 OS firewall; inbound traffic has to pass every layer.
  23. Risk Mitigations – Ubiquitous Encryption. Diagram: AWS KMS with EBS, RDS, Amazon Redshift, S3, Glacier, DynamoDB and EMR around it, alongside AWS CloudTrail and AWS IAM; properties called out: encrypted in transit, encrypted at rest, encrypted in process, fully auditable, fully managed keys, restricted access.
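The "encrypted in transit / encrypted at rest / fully auditable" properties on this slide are enforced on an S3 bucket with a bucket policy. The block below is an added example written for this page, not code from the webinar or from AWS: it builds such a policy for an assumed bucket name and includes a small evaluator, modelling only the three condition operators the policy uses, to show which statement rejects each constructed request.

```python
"""Bucket policy that makes encryption in transit and at rest mandatory for one S3 bucket,
plus a small evaluator for its Deny statements (constructed requests, runs offline)."""
import fnmatch
import json

BUCKET = "example-bucket"   # assumed bucket name


def build_bucket_policy(bucket: str) -> dict:
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Any call over plain HTTP is refused (encryption in transit).
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Uploads asking for anything other than SSE-KMS are refused (encryption at
                # rest with a managed key; every key use is logged to CloudTrail).
                "Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # Uploads that send no encryption header at all are refused. The Null test makes
                # the absent-header case explicit instead of relying on how StringNotEquals
                # treats a missing key; this is the pairing AWS's own S3 docs use.
                "Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _condition_holds(operator: str, key: str, expected: str, ctx: dict) -> bool:
    """Subset of IAM condition semantics, enough for this policy (not a general evaluator)."""
    present = key in ctx
    if operator == "Null":
        return present != (expected == "true")      # "true" matches when the key is absent
    if operator == "Bool":
        return present and str(ctx[key]).lower() == expected.lower()
    if operator == "StringNotEquals":
        return present and ctx[key] != expected     # absent header is caught by the Null statement
    raise ValueError(f"operator not modelled: {operator}")


def explicit_denies(policy: dict, action: str, resource: str, ctx: dict) -> list:
    """Sids of Deny statements matching a request. Any hit blocks the call, whatever Allow
    statements exist elsewhere: an explicit deny always wins in IAM evaluation."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        conds = [(op, k, v) for op, kv in stmt["Condition"].items() for k, v in kv.items()]
        if all(_condition_holds(op, k, v, ctx) for op, k, v in conds):
            hits.append(stmt["Sid"])
    return hits


def evaluate_sample_requests() -> dict:
    """Constructed PutObject/GetObject requests evaluated against the policy."""
    policy = build_bucket_policy(BUCKET)
    obj = f"arn:aws:s3:::{BUCKET}/reports/q2.csv"
    put, get, tls, hdr = "s3:PutObject", "s3:GetObject", "aws:SecureTransport", "s3:x-amz-server-side-encryption"
    return {
        "put_plain_http": explicit_denies(policy, put, obj, {tls: "false"}),
        "put_no_sse":     explicit_denies(policy, put, obj, {tls: "true"}),
        "put_sse_s3":     explicit_denies(policy, put, obj, {tls: "true", hdr: "AES256"}),
        "put_sse_kms":    explicit_denies(policy, put, obj, {tls: "true", hdr: "aws:kms"}),
        "get_https":      explicit_denies(policy, get, obj, {tls: "true"}),
    }


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET), indent=2))
    for name, denied_by in evaluate_sample_requests().items():
        print(f"{name:16s} {'DENIED by ' + ', '.join(denied_by) if denied_by else 'allowed'}")
```

The printed policy is applied with `aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json`. Clients then have to send the `x-amz-server-side-encryption: aws:kms` header (ServerSideEncryption="aws:kms" in the SDKs) on every upload; pairing the policy with SSE-KMS as the bucket's default encryption and a restrictive KMS key policy gives the "restricted access" and "fully managed keys" properties from the slide as well.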
  24. Access a deep set of cloud security tools (icons on the slide, grouped by area):
     • Encryption & Data Protection: server-side encryption, client-side encryption, data encryption key
     • Networking & Infrastructure: security groups, endpoints, VPN gateway, customer gateway, internet gateway, network access control list, route table, flow logs
     • Monitoring & Governance: alarm, rule, automation, inventory, Parameter Store, Patch Manager, Run Command, State Manager, change set, template, checklists
     • Identity & Access Management: AWS Organizations, AWS STS, temporary security credential, long-term security credential, permissions, MFA token, role, federation, SAML, OAuth, OpenID Connect
  25. Using These Building Blocks
  26. AWS architecture (AWS Cloud > AWS Region > VPC)
     • AWS Region: independent geographic areas; the customer chooses the Region; data stays within the Region (AWS does not move customer content out of the Region you select unless you do so yourself)
     • AWS Shield: built-in L3/4 DDoS protection; L7 available as well
     • Web Application Firewall: optional L7 DDoS and application security protection; free with Advanced DDoS protection (AWS Shield Advanced)
     • AWS Virtual Private Cloud (VPC): your private, isolated virtual network in AWS; you have complete control over your virtual network; you can assign an IP address space as large as a /16 CIDR block (65,536 addresses); the VPC CIDR block spans AZs
     • VPN Gateway, AWS Direct Connect / VPN: connectivity with existing data centers
     • Amazon Route 53: public/private DNS server
     • Amazon CloudFront: content distribution network
  27. AWS architecture: two Availability Zones, each with a public subnet, an app subnet and a DB subnet; a network ACL on every subnet and a security group on every tier
     • Availability Zones (AZs): 2 or more AZs for customer use per Region; physically isolated from each other; each AZ is an independent failure zone; connected with low-latency links (< 2 msec)
     • VPC subnets: define a range of IP addresses in your VPC; can be used to create separate network zones; subnets are AZ-specific (they don't span AZs); example CIDR block 10.10.10.0/24 (256 IP addresses, of which AWS reserves the first four and the last one in every subnet, leaving 251 usable)
     • Network Access Control Lists (NACLs): stateless network filters applied to traffic entering and leaving a subnet; rules are evaluated in number order, and return traffic needs its own rule
     • Security groups: stateful virtual firewalls; exist as independent objects and can be attached to different resources; can be cross-referenced (one group's rule can name another group as its source) to create n-tier architectures
     • Route tables: define rules to determine where traffic is directed
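The stateful/stateless distinction on slides 22 and 27 is the thing that most often bites when a network ACL is written to mirror a security group rule for rule. The following is an added example, not from the webinar; the rule sets and the 443/51234 HTTPS flow are constructed. It simulates both evaluation models (ordered first-match with implicit deny for the ACL, unordered allow-only with connection tracking for the security group) on the same exchange.

```python
"""Stateful security groups vs stateless network ACLs, simulated on a constructed web-tier flow."""
from dataclasses import dataclass
from typing import Optional

# Ports a client picks for its side of a TCP connection. A network ACL has no connection
# state, so it must allow this range explicitly in the return direction.
EPHEMERAL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    direction: str                        # "in" = towards the instance, "out" = away from it
    proto: str                            # "tcp" / "udp"
    dst_port: int
    reply_to: Optional["Packet"] = None   # the packet this one answers, if any


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str                 # "tcp", "udp" or "all"
    ports: tuple               # inclusive (low, high)
    action: str = "allow"      # network ACLs also have "deny"; security groups only allow
    number: int = 100          # network ACL rule number; ignored for security groups


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in (pkt.proto, "all")
            and rule.ports[0] <= pkt.dst_port <= rule.ports[1])


def nacl_allows(rules, pkt: Packet) -> bool:
    """Network ACL: rules are evaluated in ascending number, the first match decides, and an
    unmatched packet hits the implicit deny ('*' rule). No connection tracking at all."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _rule_matches(rule, pkt):
            return rule.action == "allow"
    return False


def sg_allows(rules, pkt: Packet) -> bool:
    """Security group: every rule is an allow rule (order irrelevant) and the firewall is
    stateful, so the reply to an allowed packet is allowed without a rule of its own."""
    if pkt.reply_to is not None and sg_allows(rules, pkt.reply_to):
        return True
    return any(_rule_matches(rule, pkt) for rule in rules)


def web_tier_flow():
    """Constructed HTTPS exchange: client port 51234 -> instance port 443, then the reply."""
    request = Packet("in", "tcp", 443)
    reply = Packet("out", "tcp", 51234, reply_to=request)
    return request, reply


def compare_firewalls() -> dict:
    request, reply = web_tier_flow()

    # Security group with a single inbound rule for HTTPS.
    web_sg = [Rule("in", "tcp", (443, 443))]

    # A network ACL that mirrors the security group literally: 443 in, 443 out.
    mirrored_nacl = [Rule("in", "tcp", (443, 443), number=100),
                     Rule("out", "tcp", (443, 443), number=100)]

    # The corrected ACL also allows the ephemeral range outbound for return traffic.
    corrected_nacl = mirrored_nacl + [Rule("out", "tcp", EPHEMERAL_PORTS, number=110)]

    # A lower-numbered deny beats the later allow: ACL order matters, security group order does not.
    deny_first_nacl = [Rule("in", "tcp", (443, 443), "deny", number=50)] + corrected_nacl

    return {
        "sg_request": sg_allows(web_sg, request),
        "sg_reply": sg_allows(web_sg, reply),                            # allowed by state
        "mirrored_nacl_request": nacl_allows(mirrored_nacl, request),
        "mirrored_nacl_reply": nacl_allows(mirrored_nacl, reply),        # dropped: no state, no rule
        "corrected_nacl_reply": nacl_allows(corrected_nacl, reply),
        "explicit_deny_request": nacl_allows(deny_first_nacl, request),  # dropped by rule 50
    }


if __name__ == "__main__":
    for name, allowed in compare_firewalls().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DROP'}")
```

The corrected ACL is what AWS's own VPC documentation recommends: an outbound allow for 1024-65535 for replies to inbound connections, and the matching inbound allow for replies to connections the instances open themselves. The practical consequence is that a NACL is a coarse subnet-level backstop (for example, an explicit deny of a known-bad CIDR), while the per-instance policy belongs in security groups.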
  28. AWS architecture, the same layout populated: in each AZ, web servers in an Auto Scaling group in the public subnet, app servers in an Auto Scaling group in the app subnet, and the database in the DB subnet (primary in AZ A, secondary in AZ B, synchronous replication); network ACLs and security groups on every tier as before; HTTPS between tiers, database encryption, and encryption at rest for the data stores.
  29. Automate with integrated services: Amazon GuardDuty finding → Amazon CloudWatch Events rule → AWS Lambda function = automated threat remediation.
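What this slide's pipeline looks like as code, as an added example rather than anything shipped with the webinar: a Lambda handler that receives a GuardDuty finding from a CloudWatch Events rule and isolates the instance by swapping its security groups for an empty quarantine group. The quarantine group id, the sample finding, the event pattern's severity threshold and the RecordingEC2 stand-in are assumptions made for this example; modify_network_interface_attribute and create_tags are real EC2 API operations, called through boto3 in a real deployment.

```python
"""GuardDuty finding -> CloudWatch Events rule -> Lambda: isolate the affected EC2 instance.
Constructed example: the quarantine group id and the sample finding are assumptions."""
import json

QUARANTINE_SG = "sg-0123456789abcdef0"   # assumed: a security group with no inbound or outbound rules
MIN_SEVERITY = 7.0                        # GuardDuty severities: low 1-3.9, medium 4-6.9, high 7-8.9

# Event pattern of the CloudWatch Events rule that routes findings to this function.
RULE_EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}


def rule_matches(pattern: dict, event: dict) -> bool:
    """Top-level matching as CloudWatch Events does it: every key in the pattern must exist in
    the event and its value must be one of the listed values."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def plan_remediation(event: dict) -> dict:
    """Pure decision logic, kept apart from the AWS calls so it can be tested offline."""
    if not rule_matches(RULE_EVENT_PATTERN, event):
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    base = {"finding": finding["id"], "type": finding["type"]}
    if float(finding.get("severity", 0)) < MIN_SEVERITY:
        return {**base, "action": "ignore", "reason": "below severity threshold"}
    resource = finding.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return {**base, "action": "ignore", "reason": "not an EC2 instance finding"}
    details = resource["instanceDetails"]
    enis = [eni["networkInterfaceId"] for eni in details.get("networkInterfaces", [])]
    current_sgs = sorted({sg["groupId"] for eni in details.get("networkInterfaces", [])
                          for sg in eni.get("securityGroups", [])})
    if current_sgs == [QUARANTINE_SG]:
        return {**base, "action": "ignore", "reason": "already quarantined"}   # retries stay idempotent
    return {**base, "action": "isolate", "instance_id": details["instanceId"],
            "network_interfaces": enis, "previous_security_groups": current_sgs}


def handler(event, context, ec2=None):
    """Lambda entry point. The function's role needs ec2:ModifyNetworkInterfaceAttribute and
    ec2:CreateTags; pass an EC2 client explicitly to run against a stand-in."""
    plan = plan_remediation(event)
    if plan["action"] == "isolate":
        if ec2 is None:
            import boto3   # imported lazily so the decision logic runs without the SDK installed
            ec2 = boto3.client("ec2")
        # Swap every interface's groups for the empty quarantine group: the instance keeps running
        # (memory and disks intact for forensics) but can no longer talk to anything.
        for eni in plan["network_interfaces"]:
            ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[QUARANTINE_SG])
        # Record what was changed so the instance can be examined and later restored.
        ec2.create_tags(Resources=[plan["instance_id"]], Tags=[
            {"Key": "GuardDutyFinding", "Value": plan["finding"]},
            {"Key": "PreviousSecurityGroups", "Value": ",".join(plan["previous_security_groups"])}])
    print(json.dumps(plan))   # ends up in CloudWatch Logs as the audit trail of the automation
    return plan


# Constructed sample event in the shape CloudWatch Events delivers GuardDuty findings. For
# SSHBruteForce, GuardDuty assigns high severity when the instance is the one attacking, which
# is why an automatic quarantine is a reasonable response to it.
SAMPLE_EVENT = {
    "version": "0", "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111122223333", "time": "2019-06-12T10:15:00Z", "region": "eu-west-1",
    "resources": [],
    "detail": {
        "id": "4ab0123456789abcdef0123456789abcd", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8, "accountId": "111122223333", "region": "eu-west-1",
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-0abcdef1234567890",
            "networkInterfaces": [{"networkInterfaceId": "eni-0abc1234def567890",
                                   "securityGroups": [{"groupId": "sg-0aaa111bbb222ccc3",
                                                       "groupName": "web-tier"}]}]}},
        "service": {"action": {"actionType": "NETWORK_CONNECTION"}, "count": 37},
    },
}


class RecordingEC2:
    """Stand-in for boto3's EC2 client that records the calls instead of making them."""
    def __init__(self):
        self.calls = []

    def modify_network_interface_attribute(self, **kwargs):
        self.calls.append(("modify_network_interface_attribute", kwargs))

    def create_tags(self, **kwargs):
        self.calls.append(("create_tags", kwargs))


if __name__ == "__main__":
    fake = RecordingEC2()
    handler(SAMPLE_EVENT, None, ec2=fake)
    for name, kwargs in fake.calls:
        print(name, kwargs)
```

The rule itself is created with the RULE_EVENT_PATTERN above as its event pattern and the function as its target; filtering on severity is done in code here because the pattern only matches exact values at the top level. Keeping plan_remediation free of side effects is what makes the automation safe to iterate on: the decision for any captured finding can be replayed locally before the function is allowed to touch production interfaces.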
  30. Where to Start?
  31. AWS Cloud Adoption Framework, Security Perspective: identity & access management; detective controls; infrastructure protection; incident response; data protection. https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
  32. Largest ecosystem of security partners and solutions: infrastructure security; logging & monitoring; identity & access control; configuration & vulnerability analysis; data protection.
  33. Consulting competency partners with demonstrated expertise: security engineering; governance, risk, & compliance; security operations & automation.
  34. Thank you. https://aws.amazon.com/security/ https://aws.amazon.com/compliance/ https://aws.amazon.com/products/security
