The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.

1. AWS Government, Education, &
Nonprofits Symposium
Canberra, Australia | May 20, 2014
Security
as
an
enabler
–
improving
security
with
the
AWS
cloud
Stephen Quigg
Principal Security Solutions Architect, Asia Pacific
Amazon Web Services

2. AWS
Region
US-WEST (N. California)
EU-WEST (Ireland)
ASIA PAC (Tokyo)
ASIA PAC
(Singapore)
US-WEST (Oregon)
SOUTH AMERICA (Sao Paulo)
US-EAST (Virginia)
GOV CLOUD
ASIA PAC
(Sydney)
AWS has Regions across the globe – including Sydney

3. You can stay onshore in Australia with AWS
AWS Sydney Region
Multiple availability
zones

4. You can
improve your security
with the AWS cloud

5. AWS
Founda;on
Services
Compute
Storage
Database
Networking
AWS
Global
Infrastructure
Regions
Availability
Zones
Edge
Loca;ons
Client-­‐side
Data
Encryp8on
Server-­‐side
Data
Encryp8on
Network
Traffic
Protec8on
Pla@orm,
Applica8ons,
Iden8ty
&
Access
Management
Opera8ng
System,
Network
&
Firewall
Configura8on
Customer
content
Customers
You can deploy a consistent security model every time
Customers
control their level
of security and
compliance IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

6. You can build everything to be resilient and fault tolerant
AWS
operates
scalable,
fault
tolerant
services
Build
resilient
solu8ons
opera8ng
in
mul8ple
datacenters
AWS
helps
simplify
ac8ve-­‐ac8ve
resilient
solu8ons
All
AWS
facili8es
are
always
on
No
need
for
a
“Disaster
Recovery
Datacenter”
when
you
can
have
resilience
Every
AWS
facility
managed
to
the
same
global
standards
AWS has robust connectivity and bandwidth
Each AZ has multiple, redundant Tier 1 ISP Service Providers
Resilient network infrastructure

7. Everything can have fine-grained network security
AvailabilityZoneA
AvailabilityZoneB
You control your VPC
address range
• Your own private, isolated
section of the AWS cloud
• Every VPC has a private IP
address space you define
• Create your own subnets and
control all internal and
external connectivity
AWS network security
• AWS network will prevent
spoofing and other common
layer 2 attacks
• Every compute instance gets
multiple security groups -
stateful firewalls
• Every subnet gets network
access control lists

8. Create multi-tier architectures every time
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC
2
10.0.5.0/24
Jump
host
10.0.4.0/24
EC
2
App Log
EC
2
Web
Load
balancing

9. Firewall every single compute instance
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC
2
10.0.5.0/24
Jump
10.0.4.0/24
EC
2
App
“Web servers will accept Port 80
from load balancers”
“App servers will
accept Port 8080
from web
servers”
“Allow SSH
access only from
from Jump Hosts”
Log
EC
2
Web
Load
balancing

10. Enable network access control on every subnet
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
EC
2
10.0.5.0/24
Jump
10.0.4.0/24
EC
2
App Log
EC
2
Web
“Deny all traffic between the web
server subnet and the database
server subnet”
Load
balancing

11. Control every Internet connection
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
EC
2
10.0.3.0/24
EC
2
10.0.4.0/24
EC
2
App
EC
2
WebEC
2
WebEC
2
EC
2
Web
Internet Gateway
Control Internet routing
• Create Public subnets and
Private subnets
• Implement DMZ architectures
as per normal best practices
• Allocate static Elastic IP
addresses or use AWS-
managed public IP addresses
Load
balancing

12. Connect in private to your existing datacentres
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
EC
2
10.0.3.0/24
EC
2
10.0.4.0/24
EC
2
App
EC
2
WebEC
2
WebEC
2
EC
2
Web
Use Internet VPNs
or use AWS Direct
Connect
Your premises
Load
balancing

13. You can route to the Internet using your gateway
VPC A - 10.0.0.0/16
AvailabilityZoneA
10.0.1.0/24
10.0.2.0/24
EC
2
10.0.3.0/24
EC
2
10.0.4.0/24
EC
2
App
EC
2
WebEC
2
WebEC
2
EC
2
Web
Use Internet VPNs
or use AWS Direct
Connect
Your premises
Load
balancing

14. Create flexible multi-VPC hybrid environments
Your organisation
Project Teams Marketing
Business Units Reporting
Digital /
Websites
Dev and
Test
Redshift
EMR
Analytics
Internal
Enterprise
Apps
Amazon
S3
Amazon
Glacier
Storage/
Backup

15. Every website can absorb attacks and scale out
Amazon S3
Distributed
attackers
Customers
Customers
Route53
Sydney region
CloudFront
Your VPC
WAFWAF WAFWAF
ELB ELB
ELB ELB
App App App App
Auto
Scaling
Auto
Scaling
Auto
Scaling
Auto
Scaling

16.
Encrypt
your
Elas8c
Block
Store
volumes
any
way
you
like
• Many
free
u8li8es,
plus
Trend,
SafeNet
and
other
partners
offer
high-­‐assurance
solu8ons
Amazon
S3
offers
either
server
or
client-­‐side
encryp8on
• Manage
your
own
keys
or
let
AWS
do
it
for
you
RedshiR
has
one-­‐click
disk
encryp8on
as
standard
• Encrypt
your
data
analy8cs
• You
can
supply
your
own
keys
RDS
supports
transparent
data
encryp8on
(TDE)
• Easily
encrypt
sensi8ve
database
tables
You can encrypt your sensitive information everywhere
DBA

17. Tamper-resistant customer controlled hardware
security modules within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria
EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and
maintain the appliance
• High availability and replication with on-premise HSMs
Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed
databases and natively with AWS Redshift
• Integrate with applications using Java APIs
• Integration with marketplace disk-encryption and SSL
Store your encryption keys securely in CloudHSM

18. Use your own HSMs if you want
Your premises
Applications
Your HSM
NATCloudHSM NATCloudHSM
Volume, object,
database encryption
Signing / DRM /
apps
EC2
SYNC
EBS
S3
Amazon S3
Amazon Glacier

19. You can enforce consistent host security
Launch
instanc
e
EC2
AMI catalogue Running instance Your instance
Hardening
Audit and logging
Vulnerability management
Malware and HIPS
Whitelisting and integrity
User administration
Operating system
Configur
e
instance
You
control
the
configura8on
of
your
servers
Harden operating system and platforms to your own spec
Use host-based protection software
• Apply ASD Top 35 mitigation strategies!
Think about how you will manage administrative users
• Restrict access as much as possible
Build out the rest of your standard security environment
• Connect to your existing services, e.g. SIEM

20. Control access and segregate duties everywhere
Region
Internet
Gateway
Subnet 10.0.1.0/24
Subnet 10.0.2.0/24
VPC A - 10.0.0.0/16
Availability Zone
Availability Zone
Router
Internet
Customer
Gateway
You
get
to
control
who
can
do
what
in
your
AWS
environment
and
from
where
Fine-­‐grained
control
of
your
en8re
cloud
environment
with
two-­‐factor
authen8ca8on
Integrated
with
your
exis8ng
corporate
directory
using
SAML
2.0
AWS account
owner
Network
management
Security
management
Server
management
Storage
management
Build and run

21. Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in
your S3 buckets, no matter how those API calls were
made
Who did what and when and from what IP address
• Support for many AWS services and growing - includes
EC2, EBS, VPC, RDS, IAM and RedShift
• Easily Aggregate all log information
Out of the box integration with log analysis tools from
AWS partners including Splunk, AlertLogic and SumoLogic
Get consistent visibility of logs that you can monitor

22. You get to do all of this in
DEVELOPMENT
TESTING
PRE-PRODUCTION
LIVE

23. Lets hear from an AWS
customer who has done it

24. Bruce Haefele
Chief Architect
Heath Direct Australia
Delivering health services on AWS

25. Who we are and what we do

26. We isolate environments into VPCs
Dev
Int
Test
Staging Prod.
Tools Admin Corp.
Sydney region
HSM
Appliance
External Datacenter
Provider
VPN

27. We isolate components within each VPC
AvailabilityZoneA
EC
2
WebEC
2
API
Port.
App.
IAM
Vuln.
PII
Log
SIEM
Mon.
Sec.
Man.
Enc.
Man.
De-id
Auth.
Sec.
Data
Public Unclassified Sensitive / Health
Web
WAF
API.
Gate.
ESB

28. Services we use in the AWS cloud
Dynamo DB
RDS
Elastic Network
Interface
EBS
Elastic Load
Balancer
Glacier
VPC
Storage Gateway
EC2 Cloud FormationAWS IAMAutoscalingElastic IPs
Route 53
Cloudwatch
S3
Cloudfront VPC VPN

29. Things you should think about
• Start
small
and
experiment
• Rethink
your
approach
to
your
infrastructure
• Data
classifica8on
• What
AWS
services
you
can
use
and
what
you
have
to
build
• Defense
in
depth
• Where
and
how
to
encrypt
• What
to
log,
backup
strategies,
archive
and
retrieval
• How
to
federate
and
integrate
–
levels
of
trust
• Privileged
access
• Compliance
• Vendor
licensing
models
• Financial
management

30. Read AWS security whitepapers, tips and good practices
• http://blogs.aws.amazon.com/security
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, best practices, audit guides and
operational checklists to help you before you go live
• Workshop
solu8ons
with
an
AWS
solu8ons
architect,
including
me!
• Get
free
trials
of
security
from
AWS
Partners
on
the
AWS
marketplace
Sign up for AWS premium support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment
Further info and how to get AWS support

31. THANK YOU
Please give us your feedback by filling out the Feedback Forms
AWS Government, Education, &
Nonprofits Symposium
Canberra, Australia | May 20, 2014

32. AWS Government, Education, &
Nonprofits Symposium
Canberra, Australia | May 20, 2014
Security
as
an
enabler
–
improving
security
with
the
AWS
cloud
Stephen Quigg
Principal Security Solutions Architect, Asia Pacific
Amazon Web Services