Cloud Security Webinar: AWS Security & Compliance Basics
June 2019
Tim Rains, Regional Leader Security & Compliance Business Acceleration, EMEA, WWPS
Enrico Massi, Security Specialist Solutions Architect, EMEA
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Why is security traditionally so hard?
• Low degree of automation
• Lack of visibility
Worldwide Public Sector
AWS customer success stories in the public sector
https://aws.amazon.com/solutions/case-studies/government-education/all-government-education-nonprofit/
AWS Pace of Innovation
Infrastructure
AWS Global Infrastructure
The AWS Cloud spans 66 Availability Zones within 21 geographic Regions around the world, with announced
plans for 12 more Availability Zones and four more Regions in Bahrain, Cape Town, Jakarta, and Milan
Amazon CloudFront & Route 53 Edge Infrastructure
Amazon CloudFront uses a global network of 187 Points of Presence (176 Edge
Locations and 11 Regional Edge Caches) in 69 cities across 30 countries
Europe
Edge locations: Amsterdam, The Netherlands (2);
Berlin, Germany (2); Copenhagen, Denmark;
Dublin, Ireland; Frankfurt, Germany (8); Helsinki,
Finland; London, England (9); Madrid, Spain (2);
Manchester, England (2); Marseille, France;
Milan, Italy; Munich, Germany (2); Oslo, Norway;
Palermo, Italy; Paris, France (5); Prague, Czech
Republic; Stockholm, Sweden (3); Vienna,
Austria; Warsaw, Poland; Zurich, Switzerland (2)
Middle East
Edge locations: Dubai, United Arab Emirates; Fujairah, United Arab Emirates
Africa
Edge locations: Johannesburg, South Africa;
Cape Town, South Africa
Compliance Basics
AWS Compliance Programs
https://aws.amazon.com/compliance/programs/
General Data Protection Regulation
https://aws.amazon.com/compliance/gdpr-center
Self-service Compliance Reports – AWS Artifact
Attestation: Shared Security Assurance
Certifications and external audits are split across three parties:
Customer: responsible for obtaining and maintaining certifications and accreditations through internal/external audits (as required) for their end-user system leveraging AWS and vendors.
Vendor: responsible for obtaining and maintaining certifications and accreditations through external audits (as required) for their cloud offerings.
AWS Security Assurance: responsible for obtaining and maintaining AWS infrastructure certifications and accreditations through external audits.
Security Basics
Shared Responsibility Model
Details available at: https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
The split of responsibilities depends on the kind of service:
Infrastructure services: AWS secures the facilities and the virtualization layer; the customer controls the operating system and everything above it. Examples: Amazon EC2, Amazon Elastic Block Store (Amazon EBS), Auto Scaling, and Amazon Virtual Private Cloud (Amazon VPC).
Container services: AWS also manages the operating system and the platform; the customer is responsible for the data, for network controls such as firewalls, and for platform-level access management. Examples: Amazon Relational Database Service (Amazon RDS), Amazon Elastic MapReduce (Amazon EMR) and AWS Elastic Beanstalk.
Abstracted services: AWS manages the infrastructure, operating system and platform behind an API endpoint; the customer is responsible for the data it stores there and for who may access it (IAM policies, encryption choices). Examples: Amazon Simple Storage Service (Amazon S3), Amazon Glacier, Amazon DynamoDB, Amazon Simple Queue Service (Amazon SQS), and Amazon Simple Email Service (Amazon SES).
Adopting AWS you can concentrate on securing your own application, using automation and many built-in security tools designed to meet the most stringent regulations and requirements.
AWS provides:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
• Extensive set of security services
• Extensive assurance program
The customer manages:
• Network configuration
• Security groups
• OS / network firewalls
• Operating system security
• Application security
• Proper service configuration
• AuthN and account management
• Authorization policies
• Data security
• Operational security automation
Together these give more secure and compliant systems.
Network Segmentation
• Infrastructure as code
• VPCs
• Private and public subnets
• Security groups and network ACLs
• Every instance is protected by a stateful firewall (its security groups)
• NACLs (stateless rules, a second level of protection at the subnet level)
• Private connectivity to the on-premises environment
Multi-dimensional defence in depth (diagram): inbound traffic enters the Region, is filtered by the VPC's network ACLs at the subnet boundary, then by the instance's security group, then by the OS firewall before it reaches the EC2 instance.
Risk Mitigations: Ubiquitous Encryption
Services shown: AWS CloudTrail, AWS IAM, AWS KMS, EBS, RDS, Amazon Redshift, S3, Glacier, EMR, DynamoDB
• Encrypted in transit
• Encrypted at rest
• Encrypted in process (EMR)
• Fully auditable (CloudTrail)
• Fully managed keys (KMS)
• Restricted access (IAM)
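One concrete way the "encrypted in transit", "encrypted at rest" and "restricted access" properties are enforced on an S3 bucket is a bucket policy that denies plaintext transport and any upload that is not SSE-KMS. The following Python is an added example, not code from the deck or from AWS: it builds that policy and includes a deliberately small evaluator for the three condition operators the policy uses, so you can see which requests it denies. The bucket ARN is a placeholder, and resource matching is skipped because every statement already covers the bucket and its objects.

```python
"""Bucket policy that refuses plaintext transport and non-KMS uploads, with a
small evaluator that shows which requests the policy denies.  Example code;
the bucket ARN is a constructed placeholder."""
import json

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # placeholder


def tls_and_kms_only_policy(bucket_arn=BUCKET_ARN):
    """Three Deny statements: no plaintext HTTP, no non-KMS encryption header
    on uploads, and no upload that omits the header entirely.  The last two are
    both present so that denying an unencrypted upload does not depend on how
    StringNotEquals treats a missing key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, bucket_arn + "/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": bucket_arn + "/*",
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
            {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": bucket_arn + "/*",
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        ],
    }


def _action_matches(pattern, action):
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one condition against the request context.  A key absent from
    the context makes every operator except Null evaluate false (the
    conservative reading; the policy above does not rely on it)."""
    present = key in ctx
    if operator == "Null":
        return present != (expected == "true")   # Null: "true" holds when the key is absent
    if not present:
        return False
    if operator == "Bool":
        return ctx[key].lower() == expected
    if operator == "StringEquals":
        return ctx[key] == expected
    if operator == "StringNotEquals":
        return ctx[key] != expected
    raise ValueError("operator not modelled: " + operator)


def evaluate(policy, action, ctx):
    """Return ("Deny", sid) for the first Deny statement whose action and every
    condition match, else ("NotDenied", None).  NotDenied only means this
    policy does not block the request; an Allow is still needed elsewhere."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        conds = [(op, k, v) for op, kv in st.get("Condition", {}).items() for k, v in kv.items()]
        if all(_condition_holds(op, k, v, ctx) for op, k, v in conds):
            return "Deny", st["Sid"]
    return "NotDenied", None


def check_requests(policy=None):
    """Run four constructed requests through the policy; returns name -> outcome."""
    policy = policy or tls_and_kms_only_policy()
    tls = {"aws:SecureTransport": "true"}
    sse = "s3:x-amz-server-side-encryption"
    return {
        "put_no_header": evaluate(policy, "s3:PutObject", dict(tls)),
        "put_aes256": evaluate(policy, "s3:PutObject", dict(tls, **{sse: "AES256"})),
        "put_kms": evaluate(policy, "s3:PutObject", dict(tls, **{sse: "aws:kms"})),
        "get_plaintext": evaluate(policy, "s3:GetObject", {"aws:SecureTransport": "false"}),
    }


if __name__ == "__main__":
    print(json.dumps(tls_and_kms_only_policy(), indent=2))
    for name, outcome in check_requests().items():
        print(f"{name:14s} -> {outcome}")
```

The evaluator models only Bool, StringEquals, StringNotEquals and Null; real IAM evaluation also applies resource, principal and allow-side logic, so treat it as a reading aid for the policy rather than a policy simulator. Pair the policy with default bucket encryption so objects written by any path that slips past the header check are still encrypted at rest.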
Access a deep set of cloud security tools
Identity & Access Management: AWS Organizations; AWS STS; temporary security credentials; long-term security credentials; permissions; MFA tokens; roles; federation (SAML, OAuth, OpenID Connect)
Encryption & Data Protection: data encryption keys; server-side encryption; client-side encryption
Networking & Infrastructure: security groups; endpoints; VPN gateway; customer gateway; internet gateway; network access control lists; route tables
Monitoring & Governance: alarms; rules; automation; inventory; Parameter Store; Patch Manager; Run Command; State Manager; change sets; templates; security checklists; flow logs
Using These Building Blocks
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS architecture
AWS Region:
• Independent geographic areas
• The customer chooses the Region
• Data stays within the Region you choose unless you move it
AWS Shield:
• Built-in L3/L4 DDoS protection
• L7 protection available as well
Web Application Firewall:
• Optional L7 DDoS and application security protection
• Free with Advanced DDoS protection (AWS Shield Advanced)
Amazon Virtual Private Cloud (VPC):
• Your private, isolated virtual network in AWS
• You have complete control over your virtual network
• You can assign an IP address space as large as a /16 CIDR block (65,536 addresses)
• The VPC CIDR block spans AZs
VPN Gateway, AWS Direct Connect / VPN: connectivity with existing datacenters
Amazon Route 53: public/private DNS service
Amazon CloudFront: content distribution network
AWS architecture (diagram: one VPC in an AWS Region, with Availability Zone A and Availability Zone B; each AZ holds a Public Subnet, an App Subnet and a DB Subnet, each subnet guarded by a network ACL and each tier by a Security Group)
Availability Zones (AZs):
• 2 or more AZs for customer use per Region
• Physically isolated from each other
• Each AZ is an independent failure zone
• Connected with low-latency links (< 2 ms)
VPC Subnets:
• Define a range of IP addresses in your VPC
• Can be used to create separate network zones
• Subnets are AZ-specific (they don't span AZs)
• Example CIDR block: 10.10.10.0/24 (256 IP addresses; AWS reserves the first four and the last address of every subnet)
Network Access Control Lists (NACLs):
• Stateless filters evaluated at the subnet boundary on all traffic entering or leaving the subnet, return traffic included, so replies need their own (ephemeral-port) rules
Security Groups:
• Stateful virtual firewalls
• Exist as independent objects and can be attached to different resources
• Can be cross-referenced (a rule may name another security group as its source) to create n-tier architectures
Route Tables:
• Define rules that determine where traffic is directed
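The stateful/stateless distinction and the security-group cross-referencing called out on the Network Segmentation slide and on this one are easiest to see by pushing the same flows through both rule types. The following Python model is an added example, not code from the deck or from AWS; the IP addresses, ports, group names and rules are constructed for the illustration, and the model covers only the rule semantics (destination-port matching, CIDR or security-group peers, lowest-numbered NACL rule first, implicit deny) rather than the full EC2 feature set.

```python
"""Model of a VPC security group (stateful) and a network ACL (stateless) so the
two rule types can be compared on the same flows.  Example code with
constructed addresses, ports and rules; it is not the EC2 data plane."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int

    def reverse(self):
        """The reply packet of this flow."""
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "-1" for all protocols
    port_from: int          # destination port range, in both directions as in EC2
    port_to: int
    peer: str               # CIDR, or "sg:<name>" (security groups only)
    action: str = "allow"   # NACL rules may also "deny"
    number: int = 0         # NACL rule number; lowest is evaluated first


def _matches(rule, flow, peer_ip, memberships):
    if rule.proto not in ("-1", flow.proto):
        return False
    if rule.proto != "-1" and not rule.port_from <= flow.dst_port <= rule.port_to:
        return False
    if rule.peer.startswith("sg:"):   # cross-reference: the peer ENI must be in that group
        return rule.peer[3:] in memberships.get(peer_ip, set())
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)


class SecurityGroup:
    """Stateful: a flow admitted by a rule is tracked, and its reply is admitted
    without consulting the rules for the opposite direction.  Rules only allow."""
    def __init__(self, name, inbound, outbound):
        self.name, self.inbound, self.outbound = name, inbound, outbound
        self.tracked = set()

    def allows(self, flow, direction, memberships):
        if flow.reverse() in self.tracked:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        peer_ip = flow.src_ip if direction == "in" else flow.dst_ip
        if any(_matches(r, flow, peer_ip, memberships) for r in rules):
            self.tracked.add(flow)
            return True
        return False


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the rules
    for its own direction, lowest number first; no matching rule means deny."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, flow, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer_ip = flow.src_ip if direction == "in" else flow.dst_ip
        for r in rules:
            if _matches(r, flow, peer_ip, {}):
                return r.action == "allow"
        return False


def run_scenarios():
    """Two-tier layout: web tier reachable on 443 from anywhere, app tier on 8080
    only from members of the web security group.  Returns name -> allowed."""
    memberships = {"10.0.1.10": {"web"}, "10.0.2.20": {"app"}}   # ENI address -> groups
    web_sg = SecurityGroup("web", [Rule("tcp", 443, 443, "0.0.0.0/0")],
                           [Rule("-1", 0, 65535, "0.0.0.0/0")])
    app_sg = SecurityGroup("app", [Rule("tcp", 8080, 8080, "sg:web")], [])  # no outbound rules
    deny_all = Rule("-1", 0, 65535, "0.0.0.0/0", "deny", 32767)
    app_nacl = NetworkAcl(
        inbound=[Rule("tcp", 8080, 8080, "10.0.0.0/16", number=100), deny_all],
        outbound=[Rule("tcp", 1024, 65535, "10.0.0.0/16", number=100), deny_all])  # ephemeral ports for replies
    app_nacl_no_ephemeral = NetworkAcl(inbound=app_nacl.inbound, outbound=[deny_all])

    client_to_web = Flow("203.0.113.7", "10.0.1.10", "tcp", 51515, 443)
    web_to_app = Flow("10.0.1.10", "10.0.2.20", "tcp", 40001, 8080)
    internet_to_app = Flow("203.0.113.7", "10.0.2.20", "tcp", 40002, 8080)
    app_reply = web_to_app.reverse()

    return {
        "client_to_web_sg": web_sg.allows(client_to_web, "in", memberships),
        "web_to_app_sg": app_sg.allows(web_to_app, "in", memberships),
        "internet_to_app_sg": app_sg.allows(internet_to_app, "in", memberships),
        "app_reply_sg_stateful": app_sg.allows(app_reply, "out", memberships),
        "web_to_app_nacl": app_nacl.allows(web_to_app, "in"),
        "app_reply_nacl": app_nacl.allows(app_reply, "out"),
        "app_reply_nacl_no_ephemeral": app_nacl_no_ephemeral.allows(app_reply, "out"),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:30s} {'ALLOW' if allowed else 'DROP'}")
```

Two outcomes are the point: the app security group has no outbound rules at all, yet the reply to a tracked request passes, while the NACL without an outbound ephemeral-port rule silently drops the same reply. When you add a NACL to a subnet, pair every inbound allow with an outbound allow on ports 1024-65535 (the range clients actually use depends on their OS), and remember that security groups cannot express deny rules, so blocking a specific source belongs in the NACL.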
AWS architecture (diagram, building on the previous one): in each AZ the Public Subnet holds Web Servers and the App Subnet holds App Servers, each tier in an Auto Scaling group that spans both AZs; the DB Subnets hold a DB Primary in AZ A and a DB Secondary in AZ B with synchronous replication; each subnet keeps its ACL and each tier its Security Group; traffic between tiers is over HTTPS, and the databases and storage use encryption at rest.
Automate with integrated services: automated threat remediation
Amazon GuardDuty emits a finding; a CloudWatch Events rule matches it and invokes an AWS Lambda function that carries out the remediation.
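The pipeline on this slide (GuardDuty finding, matched by a CloudWatch Events rule, handled by Lambda) can be sketched as a handler that isolates the affected instance. This is an added Python example, not AWS's or the presenters' code: the quarantine security-group ID and the sample findings are placeholders, the severity threshold is a design choice (GuardDuty rates 7.0 and above as High), and the handler takes an optional EC2 client so it can run offline against the recording stand-in defined in the block; inside Lambda it falls back to boto3.

```python
"""Lambda handler for a CloudWatch Events rule that matches GuardDuty findings.
For a High-severity finding about an EC2 instance it quarantines the instance
by replacing its security groups with an isolation group.  Example code; the
group ID, the finding IDs and the instance ID are placeholders."""
import os

SEVERITY_THRESHOLD = 7.0  # GuardDuty rates 7.0 and above as High
# Assumed to exist already: a security group with no inbound and no outbound rules.
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-0123456789abcdef0")


def instance_id_of(finding):
    """Instance ID named by the finding, or None when the finding is not about
    an EC2 instance (for example an IAM access-key finding)."""
    resource = finding.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def should_quarantine(finding, threshold=SEVERITY_THRESHOLD):
    return float(finding.get("severity", 0)) >= threshold and instance_id_of(finding) is not None


def quarantine_instance(ec2, instance_id, quarantine_sg):
    """Swap every group on the instance's primary network interface for the
    isolation group, then tag it so responders can see why it went dark."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "quarantine", "Value": "guardduty-auto"}])


def lambda_handler(event, context=None, ec2=None, quarantine_sg=QUARANTINE_SG):
    """Entry point; event["detail"] carries the GuardDuty finding."""
    finding = event.get("detail", {})
    result = {"finding": finding.get("id"), "type": finding.get("type"),
              "instance": instance_id_of(finding)}
    if not should_quarantine(finding):
        result["action"] = "ignored"
        return result
    if ec2 is None:           # running in Lambda; tests inject a stand-in instead
        import boto3
        ec2 = boto3.client("ec2")
    quarantine_instance(ec2, result["instance"], quarantine_sg)
    result["action"] = "quarantined"
    return result


class RecordingEc2:
    """Offline stand-in for boto3's EC2 client: records calls, changes nothing."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))

    def create_tags(self, **kwargs):
        self.calls.append(("create_tags", kwargs))


def sample_event(finding_id, finding_type, severity, resource):
    """Constructed CloudWatch Events envelope around a GuardDuty finding."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": finding_id, "type": finding_type,
                       "severity": severity, "resource": resource}}


EC2_RESOURCE = {"resourceType": "Instance",
                "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}
KEY_RESOURCE = {"resourceType": "AccessKey",
                "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}

HIGH_EC2 = sample_event("finding-1", "Backdoor:EC2/C&CActivity.B!DNS", 8, EC2_RESOURCE)
LOW_EC2 = sample_event("finding-2", "Recon:EC2/PortProbeUnprotectedPort", 2, EC2_RESOURCE)
HIGH_KEY = sample_event("finding-3", "UnauthorizedAccess:IAMUser/MaliciousIPCaller", 8, KEY_RESOURCE)

if __name__ == "__main__":
    ec2 = RecordingEc2()
    for ev in (HIGH_EC2, LOW_EC2, HIGH_KEY):
        print(lambda_handler(ev, ec2=ec2))
    print(ec2.calls)
```

Wire it up with a CloudWatch Events rule whose pattern is `{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}` and a Lambda execution role limited to ec2:ModifyInstanceAttribute and ec2:CreateTags. Two caveats: modify_instance_attribute with Groups only changes the primary network interface, so instances with several ENIs need modify_network_interface_attribute per interface, and isolation destroys nothing, so snapshot the volumes for forensics before anyone terminates the instance.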
Where to Start?
AWS Cloud Adoption Framework, Security Perspective:
• Identity & access management
• Detective controls
• Infrastructure protection
• Incident response
• Data protection
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
Largest ecosystem of security partners and solutions
• Infrastructure security
• Logging & monitoring
• Identity & access control
• Configuration & vulnerability analysis
• Data protection
Consulting competency partners with demonstrated expertise
• Security engineering
• Governance, risk, & compliance
• Security operations & automation
Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security

Contenu connexe

Tendances

Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Amazon Web Services
 
An Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - WebinarAn Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - WebinarAmazon Web Services
 
HSBC and AWS Day - AWS foundations
HSBC and AWS Day - AWS foundationsHSBC and AWS Day - AWS foundations
HSBC and AWS Day - AWS foundationsAmazon Web Services
 
Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsAmazon Web Services
 
Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...
Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...
Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...Amazon Web Services
 
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...Amazon Web Services
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
AWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAmazon Web Services
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018Amazon Web Services
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
 
Cloudwatch: Monitoring your Services with Metrics and Alarms
Cloudwatch: Monitoring your Services with Metrics and AlarmsCloudwatch: Monitoring your Services with Metrics and Alarms
Cloudwatch: Monitoring your Services with Metrics and AlarmsFelipe
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 

Tendances (20)

AWS Technical Essentials Day
AWS Technical Essentials DayAWS Technical Essentials Day
AWS Technical Essentials Day
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
 
An Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - WebinarAn Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - Webinar
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
Deep Dive into AWS SAM
Deep Dive into AWS SAMDeep Dive into AWS SAM
Deep Dive into AWS SAM
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
HSBC and AWS Day - AWS foundations
HSBC and AWS Day - AWS foundationsHSBC and AWS Day - AWS foundations
HSBC and AWS Day - AWS foundations
 
Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS Migrations
 
Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...
Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...
Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...
 
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
 
Securityhub
SecurityhubSecurityhub
Securityhub
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
AWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best Practices
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security Hub
 
Cloudwatch: Monitoring your Services with Metrics and Alarms
Cloudwatch: Monitoring your Services with Metrics and AlarmsCloudwatch: Monitoring your Services with Metrics and Alarms
Cloudwatch: Monitoring your Services with Metrics and Alarms
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 

Similaire à AWS Cloud Security & Compliance Basics Webinar

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduAWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduVladimir Simek
 
AWS Innovate Ottawa: Security & Compliance
AWS Innovate Ottawa: Security & ComplianceAWS Innovate Ottawa: Security & Compliance
AWS Innovate Ottawa: Security & ComplianceAmazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSAmazon Web Services
 
Intro to threat_detection_and_remediation on aws
Intro to threat_detection_and_remediation on awsIntro to threat_detection_and_remediation on aws
Intro to threat_detection_and_remediation on awsBela Sojina MBA, PMP
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWSAmazon Web Services
 
Building a Secured Network environment on AWS
Building a Secured Network environment on AWSBuilding a Secured Network environment on AWS
Building a Secured Network environment on AWSAmazon Web Services
 
Proteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSProteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSAmazon Web Services
 
Pitt Immersion Day Module 5 - security overview
Pitt Immersion Day Module 5 - security overviewPitt Immersion Day Module 5 - security overview
Pitt Immersion Day Module 5 - security overviewEagleDream Technologies
 
Introduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF LoftIntroduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF LoftAmazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSAmazon Web Services
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineAmazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
AWSome Day MODULE 1 - AWS Foundations
AWSome Day MODULE 1 - AWS FoundationsAWSome Day MODULE 1 - AWS Foundations
AWSome Day MODULE 1 - AWS FoundationsAmazon Web Services
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 

Similaire à AWS Cloud Security & Compliance Basics Webinar (20)

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduAWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
 
AWS Innovate Ottawa: Security & Compliance
AWS Innovate Ottawa: Security & ComplianceAWS Innovate Ottawa: Security & Compliance
AWS Innovate Ottawa: Security & Compliance
 
EC2_and_VPC_workshop
EC2_and_VPC_workshopEC2_and_VPC_workshop
EC2_and_VPC_workshop
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWS
 
Intro to threat_detection_and_remediation on aws
Intro to threat_detection_and_remediation on awsIntro to threat_detection_and_remediation on aws
Intro to threat_detection_and_remediation on aws
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWS
 
Building a Secured Network environment on AWS
Building a Secured Network environment on AWSBuilding a Secured Network environment on AWS
Building a Secured Network environment on AWS
 
Proteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSProteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWS
 
Protecting Your Data
Protecting Your DataProtecting Your Data
Protecting Your Data
 
AWS - Security & Compliance
AWS - Security & ComplianceAWS - Security & Compliance
AWS - Security & Compliance
 
Pitt Immersion Day Module 5 - security overview
Pitt Immersion Day Module 5 - security overviewPitt Immersion Day Module 5 - security overview
Pitt Immersion Day Module 5 - security overview
 
Introduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF LoftIntroduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF Loft
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWS
 
AWS_Security_Essentials
AWS_Security_EssentialsAWS_Security_Essentials
AWS_Security_Essentials
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
194325_EdgeatScale_NoNotes.pptx
194325_EdgeatScale_NoNotes.pptx194325_EdgeatScale_NoNotes.pptx
194325_EdgeatScale_NoNotes.pptx
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
AWSome Day MODULE 1 - AWS Foundations
AWSome Day MODULE 1 - AWS FoundationsAWSome Day MODULE 1 - AWS Foundations
AWSome Day MODULE 1 - AWS Foundations
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 

Plus de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 

AWS Cloud Security & Compliance Basics Webinar

  • 12. Compliance Basics
  • 13. AWS Compliance Programs: https://aws.amazon.com/compliance/programs/
  • 14-15. General Data Protection Regulation: https://aws.amazon.com/compliance/gdpr-center
  • 16. Self-service compliance reports: AWS Artifact, the console service that gives on-demand access to AWS's own audit reports (for example SOC and PCI reports and ISO certifications), so that evidence about the AWS side of the shared model can be pulled without a support request.
  • 17. Attestation: shared security assurance through certifications and external audits
    - Customer: responsible for obtaining and maintaining certifications and accreditations, through internal/external audits as required, for their end-user system that leverages AWS and vendors.
    - Vendor: responsible for obtaining and maintaining certifications and accreditations, through external audits as required, for their cloud offerings.
    - AWS Security Assurance: responsible for obtaining and maintaining AWS infrastructure certifications and accreditations through external audits.
  • 18. Security Basics
  • 19. Shared Responsibility Model (details: https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf). Infrastructure services, e.g. Amazon EC2, Amazon Elastic Block Store (Amazon EBS), Auto Scaling and Amazon Virtual Private Cloud (Amazon VPC): AWS operates the facilities, hardware, network and virtualization layer; the customer operates everything from the guest operating system upward (patching and hardening, host firewalls, application code, IAM, network configuration and data).
  • 20. Shared Responsibility Model, container services, e.g. Amazon Relational Database Service (Amazon RDS), Amazon EMR and AWS Elastic Beanstalk: AWS also operates the operating system and the application platform; the customer still owns the data, IAM, network access controls (security groups, subnets) and the service's own configuration, such as encryption and backup settings.
  • 21. Shared Responsibility Model, abstracted services, e.g. Amazon Simple Storage Service (Amazon S3), Amazon Glacier, Amazon DynamoDB, Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Email Service (Amazon SES): AWS operates the whole stack up to the API; the customer is responsible for classifying the data, writing the access policies and choosing server-side or client-side encryption.
  • 22. Adopting AWS you can concentrate on securing your own application, using automation and the many built-in security tools designed to meet the most stringent regulations and requirements.
    - AWS provides: facilities; physical security; compute infrastructure; storage infrastructure; network infrastructure; the virtualization layer (EC2); hardened service endpoints; rich IAM capabilities; an extensive set of security services; an extensive assurance programme.
    - The customer configures: network configuration; security groups; OS / network firewalls; operating system security; application security; proper service configuration; authentication and account management; authorization policies; data security; operational security.
    - AWS's part + the customer's part, driven by automation, = more secure and compliant systems.
  • 23. Network Segmentation
    - Infrastructure as code
    - VPCs
    - Private and public subnets
    - Security groups and network ACLs
    - Every instance is protected by a stateful firewall (its security groups)
    - NACLs: stateless rules, a second level of protection at the subnet level
    - Private connectivity to the on-premises environment
    Diagram: multi-dimensional defence in depth. Inbound traffic crosses, from the outside in, the Region, the VPC with its network ACLs, the subnets, the security group and finally the EC2 operating-system firewall, each layer filtering independently.
  • 24. Risk mitigations: ubiquitous encryption. Data is encrypted in transit, encrypted at rest (EBS, RDS, Amazon Redshift, S3, Glacier, DynamoDB) and, for EMR, encrypted in process; key use is fully auditable through AWS CloudTrail, keys are fully managed by AWS KMS, and access to them is restricted through AWS IAM.
  • 25. Access a deep set of cloud security tools
    - Encryption & data protection: server-side encryption, client-side encryption, data encryption keys
    - Networking & infrastructure: security groups, VPC endpoints, VPN gateway, customer gateway, internet gateway, network access control lists, route tables, flow logs
    - Monitoring & governance: alarms and rules (Amazon CloudWatch); Automation, Inventory, Parameter Store, Patch Manager, Run Command and State Manager (AWS Systems Manager); templates and change sets (AWS CloudFormation); security checklists; AWS Organizations
    - Identity & access management: AWS STS temporary security credentials, long-term security credentials, permissions, MFA tokens, roles, federation (SAML, OAuth, OpenID Connect)
  • 26. Using these building blocks
  • 27. AWS architecture: Region, VPC and the edge
    - AWS Region: independent geographic areas; the customer chooses the Region; data stays within that Region unless the customer moves it.
    - AWS Shield: built-in L3/L4 DDoS protection; L7 protection available as well.
    - Web Application Firewall (AWS WAF): optional L7 DDoS and application security protection; free with the advanced DDoS protection of AWS Shield Advanced.
    - AWS Virtual Private Cloud (VPC): your private, isolated virtual network in AWS; you have complete control over it; you can assign an IP address space as large as a /16 CIDR block (65,536 addresses); the VPC CIDR block spans the Region's Availability Zones.
    - VPN gateway with AWS Direct Connect / VPN: connectivity with existing data centres.
    - Amazon Route 53: public/private DNS.
    - Amazon CloudFront: content distribution network.
  • 28. AWS architecture: Availability Zones, subnets and traffic filtering. Diagram: one VPC spanning Availability Zone A and Availability Zone B, each AZ holding a public subnet, an app subnet and a DB subnet, with a network ACL on every subnet and a security group on every tier.
    - Availability Zones (AZs): 2 or more AZs per Region for customer use; physically isolated from each other; each AZ is an independent failure zone; connected with low-latency links (< 2 ms).
    - VPC subnets: define a range of IP addresses in your VPC; can be used to create separate network zones; subnets are AZ-specific (they don't span AZs); example CIDR block 10.10.10.0/24 (256 addresses, of which AWS reserves the first four and the last in every subnet, so 251 are usable).
    - Network Access Control Lists (NACLs): stateless filters applied to traffic entering and leaving a subnet; because no connection state is kept, return traffic on ephemeral ports must be allowed explicitly in the opposite direction.
    - Security groups: stateful virtual firewalls; exist as independent objects and can be attached to different resources; can be cross-referenced (a rule's source can be another security group rather than a CIDR) to create n-tier architectures.
    - Route tables: define rules that determine where traffic is directed.
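The contrast between the stateless NACL on slide 28 (and the "second level of protection" on slide 23) and the stateful security group is easy to get wrong in practice. The following is an added example, not code from the webinar or from AWS: a small Python model of both evaluation orders. The rule ordering, the implicit deny, the connection tracking and the cross-referenced security group are modelled as AWS documents them; the packet and rule classes, the addresses (RFC 5737 and RFC 1918 ranges) and the group ids `sg-web` / `sg-db` are constructed for illustration, and ICMP, IPv6 and prefix lists are left out.

```python
"""Model of a subnet network ACL (stateless, ordered, implicit deny) next to a
security group (stateful, allow-only, rules may reference another group).
Constructed for illustration; not an AWS library."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order, first match wins
    cidr: str        # source CIDR for an inbound rule, destination CIDR for an outbound one
    port_from: int
    port_to: int
    allow: bool
    protocol: str = "tcp"   # "-1" matches every protocol


@dataclass(frozen=True)
class SgRule:
    port_from: int
    port_to: int
    cidr: Optional[str] = None        # either a CIDR ...
    source_sg: Optional[str] = None   # ... or another security group id
    protocol: str = "tcp"


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def nacl_allows(rules: List[NaclRule], pkt: Packet, inbound: bool) -> bool:
    """Stateless: every packet, a reply included, is judged on its own."""
    peer = pkt.src_ip if inbound else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", pkt.protocol) or not _in_cidr(peer, rule.cidr):
            continue
        if rule.port_from <= pkt.dst_port <= rule.port_to:
            return rule.allow
    return False  # the '*' rule that ends every NACL: deny


class SecurityGroup:
    """Stateful: the reply to a connection that was allowed in is allowed out by state."""

    def __init__(self, inbound: List[SgRule], outbound: List[SgRule],
                 sg_of_ip: Optional[Dict[str, str]] = None):
        self.inbound, self.outbound = inbound, outbound
        self.sg_of_ip = sg_of_ip or {}       # which group each peer address belongs to
        self.conntrack: Set[Tuple[str, int, str, int]] = set()

    def _match(self, rules: List[SgRule], pkt: Packet, peer: str) -> bool:
        for r in rules:
            if r.protocol not in ("-1", pkt.protocol) or not (r.port_from <= pkt.dst_port <= r.port_to):
                continue
            if r.cidr is not None and _in_cidr(peer, r.cidr):
                return True
            if r.source_sg is not None and self.sg_of_ip.get(peer) == r.source_sg:
                return True
        return False  # no deny rules exist: no match means drop

    def allows(self, pkt: Packet, inbound: bool) -> bool:
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.conntrack:
            return True  # reverse direction of a tracked flow
        peer = pkt.src_ip if inbound else pkt.dst_ip
        ok = self._match(self.inbound if inbound else self.outbound, pkt, peer)
        if ok:
            self.conntrack.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return ok


# Constructed scenario: an internet client opens HTTPS to a web server in a public subnet.
REQUEST = Packet("203.0.113.10", 49152, "10.10.10.5", 443)
REPLY = Packet("10.10.10.5", 443, "203.0.113.10", 49152)
NACL_IN = [NaclRule(100, "0.0.0.0/0", 443, 443, allow=True)]
NACL_OUT_BROKEN = [NaclRule(100, "0.0.0.0/0", 443, 443, allow=True)]    # mirrors inbound: wrong
NACL_OUT_FIXED = [NaclRule(100, "0.0.0.0/0", 1024, 65535, allow=True)]  # ephemeral ports for replies


def nacl_round_trip(outbound: List[NaclRule]) -> Tuple[bool, bool]:
    """(request allowed in, reply allowed out) through a subnet NACL."""
    return nacl_allows(NACL_IN, REQUEST, True), nacl_allows(outbound, REPLY, False)


def sg_round_trip() -> Tuple[bool, bool]:
    """Same exchange through a security group that has no outbound rule at all."""
    sg = SecurityGroup(inbound=[SgRule(443, 443, cidr="0.0.0.0/0")], outbound=[])
    return sg.allows(REQUEST, True), sg.allows(REPLY, False)


def tier_check() -> Tuple[bool, bool]:
    """App tier on 8080 accepts only members of the web tier's group (cross-referenced rule)."""
    app_sg = SecurityGroup(inbound=[SgRule(8080, 8080, source_sg="sg-web")], outbound=[],
                           sg_of_ip={"10.10.10.5": "sg-web", "10.10.30.7": "sg-db"})
    from_web = Packet("10.10.10.5", 50000, "10.10.20.9", 8080)
    from_db = Packet("10.10.30.7", 50001, "10.10.20.9", 8080)
    return app_sg.allows(from_web, True), app_sg.allows(from_db, True)
```

`nacl_round_trip(NACL_OUT_BROKEN)` admits the request and drops the reply, which is the classic symptom of an outbound NACL that mirrors the inbound one; `NACL_OUT_FIXED` opens the ephemeral range and the round trip completes. `sg_round_trip()` completes even with an empty outbound rule list because the reply is matched by state, and `tier_check()` shows why cross-referenced rules are preferable to CIDRs between tiers: a host is admitted because of the group it is in, not because of the subnet it happens to sit in.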
  • 29. AWS architecture: a resilient n-tier deployment. Diagram: Auto Scaling groups of web servers in the public subnets and of app servers in the app subnets of both Availability Zones; a primary database in one AZ with a secondary in the other, kept in step by synchronous replication; HTTPS between the tiers; database encryption and encryption at rest for the DB tier; a network ACL on every subnet and a security group per tier.
  • 30. Automate with integrated services: automated threat remediation. Amazon GuardDuty publishes each finding as a CloudWatch Event; a CloudWatch Events rule matches the findings of interest and invokes an AWS Lambda function, which carries out the remediation without a human in the loop.
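Slide 30 names the three pieces but not what the Lambda function does. As an added example, not code from the webinar or from AWS, the following is one such function: it takes a GuardDuty finding delivered by a CloudWatch Events rule and, for High-severity findings about an EC2 instance, swaps the instance's security groups for an empty quarantine group and tags it for the responders. The `modify_instance_attribute` and `create_tags` calls are real boto3 EC2 client methods; everything else is an assumption: the `QUARANTINE_SG` environment variable, the `RecordingEC2` stand-in for the client, the instance and group ids, and the sample finding built by `make_event`, which is constructed to match the shape of a real finding but is not a captured one.

```python
"""Lambda side of the GuardDuty -> CloudWatch Events -> Lambda chain.
Constructed example; the EC2 client is injected so the decision logic runs offline."""
import os
from typing import Any, Dict, List, Optional

HIGH_SEVERITY = 7.0  # GuardDuty severity 7.0 to 8.9 is "High"; lower findings are only logged here


def make_event(finding_type: str, severity: float, instance_id: Optional[str] = None,
               finding_id: str = "00000000000000000000000000000000") -> Dict[str, Any]:
    """Build a CloudWatch Events payload shaped like a GuardDuty finding (constructed data)."""
    resource: Dict[str, Any] = {"resourceType": "Instance" if instance_id else "AccessKey"}
    if instance_id:
        resource["instanceDetails"] = {"instanceId": instance_id}
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": "eu-west-1",
        "detail": {"id": finding_id, "type": finding_type, "severity": severity,
                   "resource": resource},
    }


def extract_finding(event: Dict[str, Any]) -> Dict[str, Any]:
    """Keep only the fields the decision needs; refuse anything that is not a GuardDuty finding."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    resource = detail.get("resource", {})
    return {
        "id": detail["id"],
        "type": detail["type"],
        "severity": float(detail["severity"]),
        "resource_type": resource.get("resourceType"),
        "instance_id": resource.get("instanceDetails", {}).get("instanceId"),
    }


def remediate(event: Dict[str, Any], ec2: Any, quarantine_sg: str) -> Dict[str, Any]:
    """Decide and act; returns a record of what was done, suitable for logging."""
    finding = extract_finding(event)
    if finding["resource_type"] != "Instance" or not finding["instance_id"]:
        return {"action": "skipped", "reason": "not an EC2 instance finding", **finding}
    if finding["severity"] < HIGH_SEVERITY:
        return {"action": "skipped", "reason": "below High severity", **finding}
    iid = finding["instance_id"]
    # Replacing the whole group list with the empty quarantine group blocks new
    # connections; the tags let responders find the instance and the finding it came from.
    ec2.modify_instance_attribute(InstanceId=iid, Groups=[quarantine_sg])
    ec2.create_tags(Resources=[iid], Tags=[
        {"Key": "Quarantined", "Value": "true"},
        {"Key": "GuardDutyFindingId", "Value": finding["id"]},
    ])
    return {"action": "quarantined", "quarantine_sg": quarantine_sg, **finding}


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Real entry point; boto3 is imported here so the module also loads without it."""
    import boto3
    return remediate(event, boto3.client("ec2"), os.environ["QUARANTINE_SG"])


class RecordingEC2:
    """Constructed stand-in for the boto3 EC2 client: records calls instead of making them."""

    def __init__(self) -> None:
        self.calls: List[Any] = []

    def modify_instance_attribute(self, **kwargs: Any) -> None:
        self.calls.append(("modify_instance_attribute", kwargs))

    def create_tags(self, **kwargs: Any) -> None:
        self.calls.append(("create_tags", kwargs))


# Constructed High-severity finding about an instance talking to a C&C domain.
SAMPLE_EVENT = make_event("Backdoor:EC2/C&CActivity.B!DNS", 8.0, "i-0123456789abcdef0")


def demo() -> Dict[str, Any]:
    """Run the sample finding through the handler with the recording client."""
    return remediate(SAMPLE_EVENT, RecordingEC2(), "sg-0quarantine0000000")
```

The matching CloudWatch Events rule pattern is `{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}`; the severity gate is kept in code rather than in the pattern so that Medium and Low findings are still logged. Two caveats a runbook should carry: the Lambda role needs only `ec2:ModifyInstanceAttribute` and `ec2:CreateTags` (least privilege for a function that an attacker could try to trigger with noisy traffic), and swapping security groups is reliable for new connections but whether an already established flow is cut depends on EC2 connection tracking, so a High finding usually also warrants a NACL deny or a snapshot-and-stop step.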
  • 31. Where to start?
  • 32. AWS Cloud Adoption Framework, security perspective: identity & access management, detective controls, infrastructure protection, incident response, data protection. https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf and https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
  • 33. Largest ecosystem of security partners and solutions: infrastructure security; logging & monitoring; identity & access control; configuration & vulnerability analysis; data protection.
  • 34. Consulting competency partners with demonstrated expertise: security engineering; governance, risk & compliance; security operations & automation.
  • 35. Thank you. https://aws.amazon.com/security/ https://aws.amazon.com/compliance/ https://aws.amazon.com/products/security