AWS Security & Compliance

AWSome Day Warsaw | AWS Security & Compliance

  1. Security and Compliance in AWS, Warsaw. Tomasz Stachlewski, AWS Solutions Architect, stachlew@amazon.pl
  2. Topics to discuss: 1. AWS Shared Responsibility Model; 2. Where is my data? 3. Infrastructure security; 4. Identity and access management; 5. Encryption; 6. Configuration management
  3. Rob Alexander, Capital One's CIO: "The financial service industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers."
  4. Security benefits from the community network effect: partner ecosystem and customer ecosystem. Everyone benefits.
  5. Shared Responsibility. AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure. Customer: Operating System, Application, Security Groups, OS Firewalls, Network Configuration, Account Management. Let AWS do the heavy lifting; focus on what's most valuable to your business.
  6. Shared Responsibility: Infrastructure Services (Amazon EC2, Amazon EBS, Amazon VPC)
  7. How does AWS get security?
  8. AWS Responsibilities: Physical Security of the Data Center. Amazon has been building large-scale data centers for many years. Important attributes: non-descript facilities; robust perimeter controls; strictly controlled physical access; two or more levels of two-factor authentication. Controlled, need-based access. All access is logged and reviewed. Separation of duties: employees with physical access don't have logical privileges.
  9. How does AWS get security? [diagram]
  10. Shared Responsibility: Abstract Services (such as Amazon S3, Amazon DynamoDB, and Amazon Kinesis)
  11. Choose where to store your data! Regions: Ireland, EU-Central (Frankfurt), Sydney, Singapore, Tokyo, Seoul, Beijing, São Paulo, N. Virginia, Oregon, N. California, GovCloud
  12. Be safe! Ireland, Frankfurt: S3 is designed for 99.999999999% durability.
  13. ... never delete it! Amazon Glacier is a low-cost storage service for archival data with long-term retention requirements. Non-overwrite, non-erasable records.
  14. You always have full ownership and control. You can choose to keep all your content onshore in any AWS region of YOUR choice: manage your privacy objectives any way that you want; keep data in your chosen format and move it, or delete it, at any time you choose; no automatic replication of data outside of your chosen AWS Region; customers can encrypt their content any way they choose.
  15. Amazon EC2: Multiple Layers of Security
  16. Or maybe no neighbors? ONLY ME!
  17. AWS Service Health Dashboard
  18. AWS CloudTrail: Who made the API call? When was the API call made? What was the API call? What were the resources that were acted upon in the API call? Where was the API call made from?
  19. AWS CloudTrail: a web service that records AWS API calls for your account and delivers logs. Who? When? What? Where to? Where from? Examples: Bill, 3:27pm, Launch Instance, us-west-2; Alice, 8:19am, Added Bob to admin group, us-east-1; Steve, 2:22pm, Deleted DynamoDB table, eu-west-1
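As an added example (not part of the deck), the following script answers the slide's five questions for each record in a CloudTrail delivery file and surfaces the privilege and destructive changes from the table; the records, watchlist and IP addresses are constructed for illustration, and the watchlist of event names is an assumed starting point, not an AWS recommendation.

```python
import json
from datetime import datetime

# Constructed CloudTrail-style records mirroring the deck's table (not real log data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-11-05T15:27:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "Bill"}},
    {"eventTime": "2014-11-05T08:19:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"},
     "requestParameters": {"groupName": "admin", "userName": "Bob"}},
    {"eventTime": "2014-11-05T14:22:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "awsRegion": "eu-west-1",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "Steve"},
     "requestParameters": {"tableName": "orders"}},
]})

# Assumed watchlist: privilege changes, destructive actions and tampering with the trail itself.
WATCHLIST = {"AddUserToGroup", "AttachUserPolicy", "DeleteTable", "StopLogging"}


def who_when_what_where(record):
    """Answer the slide's five questions for a single CloudTrail record."""
    ident = record.get("userIdentity", {})
    # Prefer the IAM user name; fall back to the ARN or identity type for roles/root.
    who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    what = record["eventName"]
    return {"who": who, "when": when, "what": what,
            "where_to": record["awsRegion"],          # region the call acted on
            "where_from": record["sourceIPAddress"],  # caller's source address
            "resources": record.get("requestParameters", {}),
            "flagged": what in WATCHLIST}


def triage(log_text):
    """Parse one CloudTrail delivery file; return all events, oldest first."""
    records = json.loads(log_text)["Records"]
    return sorted((who_when_what_where(r) for r in records), key=lambda e: e["when"])


def flagged_events(log_text):
    """Only the events a reviewer should look at first."""
    return [e for e in triage(log_text) if e["flagged"]]
```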
  20. CloudWatch Logs: Centralize Your Logs. Send existing system, application, and custom log files to CloudWatch Logs via our agent, and monitor these logs in near real time. This can help you better understand and operate your systems and applications, and you can store your logs using highly durable, low-cost storage for later access.
  21. AWS Config: continuous change recording of changing resources
  22. AWS Config: continuous change recording of changing resources; configuration snapshot (e.g. 2014-11-05) and history
  23. Amazon Virtual Private Cloud (VPC): logical isolation of the Amazon Web Services (AWS) Cloud; complete control of your virtual networking environment
  24. Amazon Virtual Private Cloud (VPC), security control: Security Groups and Network Access Control Lists are native AWS firewalls that control who has access to servers.
  25. Amazon Virtual Private Cloud (VPC) [diagram: servers in the VPC, your data center, the Internet, and a dedicated connection]
  26. Identity and Access Management: Users & Groups; Unique Security Credentials; Temporary Security Credentials; Policies & Permissions; Roles; Multi-factor Authentication
  27. Encryption: protecting data in transit and at rest. Details about encryption can be found in the AWS whitepaper "Securing Data at Rest with Encryption". Encryption in transit: HTTPS, SSL/TLS, VPN/IPsec, SSH. Encryption at rest: object, database, filesystem, disk.
  28. Key Management Infrastructure: managing encryption keys is critical yet difficult! How will you manage keys and make sure they are available when required, for example at instance start-up? How will you keep them available and prevent loss? How will you rotate keys on a regular basis and keep them private?
  29. AWS Key Management Service: managed service to securely create, control, rotate, and use encryption keys. [diagram: Customer Master Key(s) -> Data Key 1, Data Key 2, Data Key 3, Data Key 4 -> Amazon S3 Object, Amazon EBS Volume, Amazon Redshift Cluster]
  30. AWS Key Management Service
  31. AWS Key Management Service
  32. AWS CloudHSM: help meet compliance requirements for data security by using a dedicated Hardware Security Module appliance with AWS. The AWS administrator manages the appliance; you control keys and crypto operations; the appliance sits in your Amazon Virtual Private Cloud. Dedicated, single-tenant hardware device; can be deployed as HA and load balanced. Customer use cases: Oracle TDE; MS SQL Server TDE; setting up SSL connections; Digital Rights Management (DRM); document signing.
  33. Trusted Advisor
  34. Trusted Advisor
  35. AWS Marketplace: over 2600 applications. Categories: Advanced Threat Analytics, Application Security, Identity and Access Mgmt, Encryption & Key Mgmt, Server & Endpoint Protection, Network Security, Vulnerability & Pen Testing
  36. Security is Job Zero. "Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers." Tom Soderstrom, CTO, NASA JPL
  37. Questions? stachlew@amazon.pl