Security and Compliance
AWS Solutions Architect
Topics to discuss
1. AWS Shared Responsibility Model
2. Where is my data?
3. Infrastructure security
4. Identity and access management
6. Configuration management
Capital One's CIO:
"The financial service industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own
Security Benefits from Community Network Effect
Customer ecosystem: everyone benefits
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure
• Shared Responsibility
Let AWS do the heavy lifting
Focus on what’s most valuable to your business
• Operating System
• Security Groups
• OS Firewalls
• Network Configuration
• Account Management
Physical Security of Data Center
• Amazon has been building large-scale data centers for many years.
• Important attributes:
– Nondescript facilities
– Robust perimeter controls
– Strictly controlled physical access
– Two or more levels of two-factor authentication
• Controlled, need-based access.
• All access is logged and reviewed.
• Separation of duties:
– Employees with physical access don’t have logical privileges.
Shared Responsibility: Abstract Services
Such as Amazon S3, Amazon DynamoDB, and Amazon Kinesis
Choose where to store your data!
S3 designed for
… never delete it!
Amazon Glacier is a low-cost storage service for archival data with long-term retention requirements.
You always have full ownership and control
You can choose to keep all your content onshore in any AWS region of YOUR choice:
• Managing your privacy objectives any way that you want
• Keep data in your chosen format and move it, or delete it, at any time you choose
• No automatic replication of data outside of your chosen
• Customers can encrypt their content any way they choose
Web service that records AWS API calls for your account and delivers logs.
• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that were acted upon in the API call?
• Where was the API call made from?

Who?   When?    What?            Where to?   Where from?
Bill   3:27pm   Launch Instance  us-west-2   18.104.22.168
Alice  8:19am   Added Bob to
Steve  2:22pm   Deleted
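The five questions above are exactly the fields a CloudTrail record carries. As an added example (not from the deck, and not AWS code), the following stdlib-only Python script reads a log file in the "Records" delivery format, maps each record onto Who / When / What / Where to / Where from, and then applies two simple detections a defender would run over such logs: calls from outside an allowlisted network, and a list of sensitive API names (IAM membership changes, trail deletion). The sample records, the trusted address range and the sensitive-event list are constructed assumptions mirroring the table, not real log data or a recommended policy.

```python
"""Answer the five CloudTrail questions over a log file and flag risky calls."""
import ipaddress
import json

# Constructed sample in the shape CloudTrail delivers (a JSON object with a
# "Records" array).  The people and values mirror the deck's table but are
# invented; this is not a real log.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-10-08T15:27:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "18.104.22.168",
     "userIdentity": {"type": "IAMUser", "userName": "Bill"},
     "requestParameters": {"instanceType": "t2.micro"}},
    {"eventTime": "2015-10-08T08:19:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "18.104.22.170",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"},
     "requestParameters": {"userName": "Bob", "groupName": "Admins"}},
    {"eventTime": "2015-10-08T14:22:58Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Ops/Steve"},
     "requestParameters": {"name": "audit-trail"}},
]})

# Assumed policy inputs (constructed): where legitimate admin traffic comes
# from, and which calls warrant a look regardless of origin.
TRUSTED_NETWORKS = [ipaddress.ip_network("18.104.22.0/24")]
SENSITIVE_EVENTS = {"AddUserToGroup", "AttachUserPolicy", "PutUserPolicy",
                    "DeleteTrail", "StopLogging", "DeleteBucket"}


def load_records(text):
    """Parse one delivered log file into its list of event records."""
    return json.loads(text)["Records"]


def summarize(rec):
    """Map one record onto Who / When / What / Where to / Where from."""
    ident = rec.get("userIdentity", {})
    # IAM users carry userName; assumed roles carry only an ARN.
    who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    return {
        "who": who,
        "when": rec["eventTime"],
        "what": rec["eventName"],
        "where_to": rec.get("awsRegion", "-"),
        "where_from": rec.get("sourceIPAddress", "-"),
        "params": rec.get("requestParameters", {}),
    }


def _from_trusted_network(source):
    """True if the caller address is inside an allowlisted range.

    For calls AWS makes on your behalf the field holds a service hostname
    rather than an IP; those are not parseable as addresses and are treated
    as trusted here.
    """
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return source.endswith(".amazonaws.com")
    return any(addr in net for net in TRUSTED_NETWORKS)


def findings(records):
    """Return one alert string per rule that a record trips."""
    out = []
    for rec in records:
        s = summarize(rec)
        if s["what"] in SENSITIVE_EVENTS:
            out.append(f"sensitive call: {s['who']} ran {s['what']} at {s['when']} {s['params']}")
        if not _from_trusted_network(s["where_from"]):
            out.append(f"untrusted origin: {s['who']} called {s['what']} from {s['where_from']}")
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for r in recs:
        print(summarize(r))
    for alert in findings(recs):
        print("ALERT", alert)
```

On the constructed sample the script produces three alerts: Alice's group change (sensitive call), and Steve's trail deletion twice, once as a sensitive call and once because it came from outside the trusted range. Pointing `load_records` at a real delivered file works unchanged, since the field names are the ones CloudTrail emits.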
CloudWatch Logs: Centralize Your Logs
• Send existing system, application, and custom log files to CloudWatch Logs via our agent, and monitor these logs in near real-time.
• This can help you better understand and operate your systems and applications, and you can store your logs using highly durable, low-cost storage for later access.
Protecting data in transit and at rest.
Details about encryption can be found in the AWS whitepaper “Securing Data at Rest with Encryption”.
VPN / IPsec
Key Management Infrastructure
Managing encryption keys is critical yet difficult!
• How will you manage keys and make sure they are available when required, for example at
• How will you keep them available and prevent loss? How will you rotate keys on a regular basis and keep them private?
AWS Key Management Service
[Figure: Data Key 1, Data Key 2, Data Key 3, Data Key 4]
Managed service to securely create, control, rotate, and use encryption keys.
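The figure's four data keys hanging off one service illustrate envelope encryption: the service holds a master key that never leaves it, hands out per-object data keys together with a wrapped copy, and rotation only re-wraps those data keys. As an added example (not from the deck and not the KMS implementation), the stdlib-only Python below models that key hierarchy: `MasterKeyService` stands in for KMS, `encrypt_object` stores each ciphertext beside its wrapped data key, and `rotate_and_rewrap` shows why bulk data need not be re-encrypted when the master key rotates. The cipher is an assumed toy (HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) used only so the example runs without third-party packages; KMS uses AES-GCM in hardware.

```python
"""Envelope encryption with a key hierarchy, using only the standard library.

MasterKeyService stands in for KMS: the master key never leaves it, callers
only ever receive data keys (plaintext + wrapped copy).  Each object is
encrypted under its own data key and the wrapped key travels with the
ciphertext.  Rotating the master key re-wraps data keys only.

The cipher is a toy (HMAC-SHA256 in counter mode as keystream, with an
HMAC tag over nonce||ciphertext).  It stands in for AES-GCM purely so the
example runs offline; do not use it for real data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(_subkey(key, b"enc"), nonce, len(body))))


@dataclass
class DataKey:
    plaintext: bytes      # used once to encrypt, then discarded by the caller
    wrapped: bytes        # same key encrypted under the master key
    master_version: int   # which master key version wrapped it


@dataclass
class EnvelopedObject:
    ciphertext: bytes
    wrapped_key: bytes
    master_version: int


class MasterKeyService:
    """Assumed stand-in for KMS: holds master key versions, never returns them."""

    def __init__(self):
        self._versions = {1: os.urandom(32)}
        self._current = 1

    def generate_data_key(self) -> DataKey:
        dk = os.urandom(32)
        return DataKey(dk, _encrypt(self._versions[self._current], dk), self._current)

    def unwrap(self, wrapped: bytes, version: int) -> bytes:
        return _decrypt(self._versions[version], wrapped)

    def rotate(self) -> int:
        self._current += 1
        self._versions[self._current] = os.urandom(32)
        return self._current

    def rewrap(self, wrapped: bytes, version: int):
        """Move a wrapped data key to the current master version (old versions stay readable)."""
        return _encrypt(self._versions[self._current], self.unwrap(wrapped, version)), self._current


def encrypt_object(kms: MasterKeyService, plaintext: bytes) -> EnvelopedObject:
    dk = kms.generate_data_key()
    obj = EnvelopedObject(_encrypt(dk.plaintext, plaintext), dk.wrapped, dk.master_version)
    del dk  # plaintext data key is not stored; only the wrapped copy is kept
    return obj


def decrypt_object(kms: MasterKeyService, obj: EnvelopedObject) -> bytes:
    return _decrypt(kms.unwrap(obj.wrapped_key, obj.master_version), obj.ciphertext)


def verify_object(kms: MasterKeyService, obj: EnvelopedObject) -> bool:
    """True if the stored object still authenticates under its wrapped key."""
    try:
        decrypt_object(kms, obj)
        return True
    except ValueError:
        return False


def rotate_and_rewrap(kms: MasterKeyService, objs: list) -> list:
    """Rotate the master key and re-wrap every data key; ciphertexts are untouched."""
    kms.rotate()
    for o in objs:
        o.wrapped_key, o.master_version = kms.rewrap(o.wrapped_key, o.master_version)
    return objs
```

The design point to notice is the blast radius: compromising one object's data key exposes that object only, the master key is never exported, and a rotation touches a few dozen bytes per object instead of re-reading terabytes.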
[Figure: AWS Administrator – manages the appliance; You – control keys and; Amazon Virtual Private Cloud]
Help meet compliance requirements for data security by using a dedicated Hardware Security Module appliance with AWS.
• Dedicated, single-tenant hardware device
• Can be deployed as HA and load balanced
• Customer use cases:
– Oracle TDE
– MS SQL Server TDE
– Set up SSL connections
– Digital Rights Management (DRM)
– Document signing