2. All lines are muted.
You can ask questions at any time in the Question box.
We will answer some at the end of the session and all via email.
3. Agenda
The Shared Responsibility Model
Taking Advantage of the Shared Model
Using the AWS Security Features
Underlying AWS Infrastructure Security
Your Responsibilities
4. In the cloud, security is a shared responsibility
Infrastructure Security: How do we (AWS) secure our infrastructure?
Services Security: What security options and features are available to you?
Application Security: How can you secure your application, and what is your responsibility?
6-8. Leverage shared security model
Understand your customer & form security stance
External audience: Penetration test requests, Your certifications, Your processes
Internal audience: IAM, Administration, Architecture
Regulated audience: AWS Certifications, AWS White Papers, AWS QSA Process
9-11. Leverage shared security model
Understand your customer & form security stance
Engage with security assessors early in adoption cycle
  Don’t fear assessment – AWS meets high standards (PCI, ISO 27001, SOC 1…)
  As with any infrastructure provider, security assessments take time
  Derive value from architecture reviews early in deployment cycle
Use comprehensive materials and certifications provided by AWS
  http://aws.amazon.com/security/
  Risk and compliance paper
  AWS security processes paper
  NEW! CSA Consensus Assessments Initiative Questionnaire
Build upon features of AWS and implement a ‘security by design’ environment
12-13. Shared responsibility
You (the customer):
  Customer Data
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption & Data Integrity Authentication
  Server-side Encryption (File System and/or Data)
  Network Traffic Protection (Encryption/Integrity/Identity)
Amazon (AWS):
  Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
14. Build upon AWS features
Tiered Access
  IAM: control users and allow AWS to manage credentials in running instances for service access (allocation, rotation)
  APIs vs Instance: provide developer API credentials and control access to SSH keys
  Temporary Credentials
Security Groups
  Instance firewalls: firewall control on instances via Security Groups
VPC
  Network control: create low-level networking constraints for resource access, such as public and private subnets, internet gateways and NATs
  Dedicated Instances
Direct Connect & VPN
  Private connections to VPC: secured access to resources in AWS over software or hardware VPN and dedicated network links
CLIs and APIs
  Instantly audit your entire AWS infrastructure from scriptable APIs – generate an on-demand IT inventory, enabled by the programmatic nature of AWS
Bastion hosts
  Only allow access for management of production resources from a bastion host. Turn off when not needed
15-17. Identity & access management
Account
  Groups (users, protected with multi-factor authentication):
    Administrators: Jim, Bob, Susan, Kevin
    Developers: Brad, Mark
  Roles (AWS system entitlements for applications):
    Applications: Reporting, Console, Tomcat
18. IAM policies
Policy driven
Declarative definition of rights for groups
Policies control access to AWS APIs

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*"
      ],
      "Resource": "*"
    }
  ]
}
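A minimal evaluator for policy documents like the one on this slide, added here as an example; it is not AWS's own evaluation logic (which also handles Condition, Principal, NotAction/NotResource and resource-based policies). It models the three rules that matter when reading such a policy: deny by default, an explicit Deny beats any Allow, and wildcards in Action (matched case-insensitively, as IAM does) and Resource. The second, narrower policy and the bucket name example-app-assets are hypothetical, written to show what the slide's "s3:*" on "*" actually grants; a real policy document should also carry "Version": "2012-10-17".

```python
"""Minimal model of IAM policy evaluation (added example, not AWS code).

Modelled rules: everything is denied unless a statement allows it, an explicit
"Deny" statement overrides any "Allow", and "*" / "?" wildcards are honoured in
Action (matched case-insensitively, as IAM does) and Resource (case-sensitive).
Conditions, Principal, NotAction/NotResource and resource-based policies are
out of scope here.
"""
import fnmatch
import json

# The policy shown on the slide: every action on every resource for seven services.
SLIDE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
               "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*"],
    "Resource": "*"
  }]
}""")

# A least-privilege alternative for the same developers group (hypothetical
# bucket name): object read/write in one bucket, read-only EC2 describes, and an
# explicit Deny on bucket deletion that wins even if another statement allows it.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-assets",
                  "arn:aws:s3:::example-app-assets/*"]},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    patterns = _as_list(patterns)
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one API call."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny ends evaluation
        decision = "Allow"
    return decision


def is_allowed(policy, action, resource):
    return evaluate(policy, action, resource) == "Allow"


def compare(action, resource):
    """Side-by-side decision of both policies for one call."""
    return {"slide": evaluate(SLIDE_POLICY, action, resource),
            "scoped": evaluate(SCOPED_POLICY, action, resource)}
```

Running compare("s3:DeleteBucket", "arn:aws:s3:::example-app-assets") makes the difference concrete: the slide's policy allows it, the scoped one explicitly denies it, and anything outside the listed services (for instance iam:CreateUser) is implicitly denied by both.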
19. IAM Roles
Aids automation
Assign role to EC2 instances
Control access without passing credentials at boot time
Integrated into SDKs
20. Key Management
Decide upon a key management strategy
  Control access to EC2 instances via SSH and embedded public key: e.g. EC2 Key Pair per group of instances, EC2 Key Pair per account
  Can use your existing SSH or AD strategy
Consider SSH key rotation & automation
  Limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances
  Consider bootstrap automation to grant developer access with developer-unique keypairs
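The authorized_keys replacement the slide recommends, as an added example (not code from the deck or from AWS). It swaps one public key for another on a running instance without touching other users' entries, without leaving a moment where sshd could read a half-written or empty file, and with the 0600 mode sshd insists on. The key blobs and the sample file are constructed and are not real keys; a real deployment would run this against ~/.ssh/authorized_keys on each instance from the bootstrap automation.

```python
"""Rotate an SSH public key inside an authorized_keys file (added example).

Replaces every entry for a key whose private half may be exposed with a new
key, leaves other keys alone, and writes atomically (temp file + rename) so
sshd only ever sees the complete old file or the complete new one.
"""
import os
import stat
import tempfile

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")

# Constructed placeholders, not real keys.
OLD_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIOLDconstructedNotARealKey00000000000000"
NEW_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAINEWconstructedNotARealKey00000000000000"
OTHER_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCmarkConstructedNotARealKey"
OLD_KEY = f"ssh-ed25519 {OLD_BLOB} brad@laptop"
NEW_KEY = f"ssh-ed25519 {NEW_BLOB} brad@laptop-2012"
OTHER_KEY = f"ssh-rsa {OTHER_BLOB} mark@desktop"

# Constructed sample file: the old key appears twice, once with sshd options.
SAMPLE = "\n".join([
    "# developers (constructed sample file)",
    'from="10.0.0.0/8" ' + OLD_KEY,
    OTHER_KEY,
    OLD_KEY,
]) + "\n"


def key_identity(line):
    """(type, base64 blob) for one authorized_keys line, skipping any leading
    options such as from="..." and the trailing comment; None for blank or
    comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return (tok, tokens[i + 1])
    return None


def rotate_authorized_keys(path, old_pubkey, new_pubkey):
    """Remove every entry matching old_pubkey and add new_pubkey once.
    Returns (entries_removed, new_key_added)."""
    old_id, new_id = key_identity(old_pubkey), key_identity(new_pubkey)
    if old_id is None or new_id is None:
        raise ValueError("public keys must look like 'type base64 [comment]'")
    try:
        with open(path) as f:
            lines = f.read().splitlines()
    except FileNotFoundError:
        lines = []
    kept, removed = [], 0
    for line in lines:
        if key_identity(line) == old_id:
            removed += 1
        else:
            kept.append(line)
    added = all(key_identity(l) != new_id for l in kept)
    if added:
        kept.append(new_pubkey.strip())
    # Temp file in the same directory, then an atomic rename over the original.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(kept) + ("\n" if kept else ""))
    os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)  # sshd rejects group/world-writable files
    os.replace(tmp, path)
    return removed, added


def list_keys(path):
    with open(path) as f:
        ids = [key_identity(l) for l in f]
    return [k for k in ids if k]


def demo():
    """Rotate the constructed sample in a scratch directory and report the result."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        with open(path, "w") as f:
            f.write(SAMPLE)
        removed, added = rotate_authorized_keys(path, OLD_KEY, NEW_KEY)
        second = rotate_authorized_keys(path, OLD_KEY, NEW_KEY)  # re-running is a no-op
        return {"removed": removed, "added": added, "second": second,
                "keys": list_keys(path),
                "mode": stat.S_IMODE(os.stat(path).st_mode)}
```

Matching on key type and blob rather than on the whole line is what makes the rotation catch entries that were added with different comments or sshd options; the second call returning (0, False) is the property that lets the rotation run from automation without checking first.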
21. Temporary Security Credentials
Containing
Identity for authentication
Access Policy to control permissions
Configurable Expiration (1 – 36 hours)
Supports
AWS Identities (including IAM Users)
Federated Identities (uses the customer’s own system to authenticate)
Scales to millions of users
No need to create an IAM identity for every user
Use Cases
Identity Federation to AWS APIs
Mobile and browser-based applications
Consumer applications with unlimited users
22. Security credentials – the hotel metaphor
AWS Account’s Access Key ID
IAM User
Temporary Security Credentials
23. Security Groups
Control ingress of data by port, IP & Security Group
VPC also supports egress data control
User configurable via API, CLI, GUI
Create “defence in depth”
Diagram (Amazon EC2 Security Group firewall, one group per tier):
  Web Tier: ports 80 and 443 only open to the Internet; all other Internet ports blocked by default
  Application Tier: engineering staff have ssh access to the App Tier, which acts as Bastion
  Database Tier: sync with on-premises database
24. CLI & API
Instantly audit the state of your entire environment using the API
Regular calls via command line or API to determine which web-based infrastructure services are being used at any time
Store and compare over time – track anomalies or non-governed usage
25. Virtual Private Cloud (VPC)
Logically Isolated Environment
Private IP address ranges & subnets
Ingress and Egress Network Access Control
Internet
Elastic IP addresses, NAT and Internet Gateway
Hardware (IPsec) VPN connections and/or Direct Connect
Wizard-based setup
26. EC2 Dedicated Instances
Available within VPC
Instances launched on hardware dedicated to a single customer
Can mix-and-match use of dedicated and non-dedicated instances
27. Bastion Hosts
Server (or servers) used for system management
Access tightly controlled
Management only enabled from these hosts
Stop host when not in use
Access only allowed from specified IP addresses
Diagram (one security group per tier; each rule gives the port and the source group):
  Web Server – Web Security Group: TCP 80,443 from “ELB”; TCP 22 from “Bastion”
  App Server – App Security Group: TCP 8080 from “Web”; TCP 22 from “Bastion”
  DB Server – DB Security Group: TCP 3306 from “App”; TCP 22 from “Bastion”
  Bastion Host – Bastion Security Group: SSH from Admin addresses
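The tiered design on this slide and on the Security Groups slide, modelled as an added example (not AWS code, and not a substitute for testing the real groups). It evaluates rules the way EC2 security groups do: each group denies by default, a rule admits a TCP port range from either a CIDR block or from any instance that is a member of another named group, and there is no deny rule to write. It also does two checks a reviewer wants: which ports are open to the world (what Trusted Advisor's open-port check reports), and how many tiers an attacker must compromise before reaching the database port. The admin range 203.0.113.0/24 and the external address 198.51.100.9 are hypothetical.

```python
"""Model of the slide's tiered security groups (added example, not AWS code).

Simplification: a group-named source only matches rules that name that group;
to test a CIDR rule, pass the caller's IP address instead of its group.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "proto from_port to_port source")  # source: CIDR or group name

ADMIN_CIDR = "203.0.113.0/24"  # hypothetical office address range
ANY = "0.0.0.0/0"

GROUPS = {
    "ELB":     [Rule("tcp", 80, 80, ANY), Rule("tcp", 443, 443, ANY)],
    "Web":     [Rule("tcp", 80, 80, "ELB"), Rule("tcp", 443, 443, "ELB"),
                Rule("tcp", 22, 22, "Bastion")],
    "App":     [Rule("tcp", 8080, 8080, "Web"), Rule("tcp", 22, 22, "Bastion")],
    "DB":      [Rule("tcp", 3306, 3306, "App"), Rule("tcp", 22, 22, "Bastion")],
    "Bastion": [Rule("tcp", 22, 22, ADMIN_CIDR)],
}


def _is_cidr(source):
    try:
        ipaddress.ip_network(source, strict=False)
        return True
    except ValueError:
        return False


def allowed(groups, source, dest_group, port, proto="tcp"):
    """source is an IP address (external host) or a group name (an instance in
    that group). True if an ingress rule on dest_group admits the connection."""
    for rule in groups[dest_group]:
        if rule.proto != proto or not (rule.from_port <= port <= rule.to_port):
            continue
        if _is_cidr(rule.source):
            if _is_cidr(source) and ipaddress.ip_address(source) in \
                    ipaddress.ip_network(rule.source, strict=False):
                return True
        elif rule.source == source:
            return True
    return False


def world_open_ports(groups):
    """(group, port) pairs reachable from 0.0.0.0/0; only ELB should appear here."""
    found = []
    for name, rules in groups.items():
        for r in rules:
            if _is_cidr(r.source) and ipaddress.ip_network(r.source).prefixlen == 0:
                found.extend((name, p) for p in range(r.from_port, r.to_port + 1))
    return sorted(found)


def attack_paths(groups, start_ip, target_group, port):
    """Breadth-first search: a host that can reach any port on a group is assumed
    able to compromise an instance there and then originate traffic as that group.
    Returns the shortest list of groups that must be compromised before
    target_group:port can be reached from start_ip, or None if it never can."""
    ports = {p for rules in groups.values() for r in rules
             for p in range(r.from_port, r.to_port + 1)}
    frontier, seen = [(start_ip, [])], set()
    while frontier:
        src, path = frontier.pop(0)
        if allowed(groups, src, target_group, port):
            return path
        for g in groups:
            if g in seen or g == src:
                continue
            if any(allowed(groups, src, g, p) for p in ports):
                seen.add(g)
                frontier.append((g, path + [g]))
    return None
```

From the Internet the database port is three compromises away (ELB, Web, App); from the admin range it is two (Bastion, then App), which is the cost of letting the bastion reach every tier on 22. Stopping the bastion when it is not in use, as the slide says, removes that second path entirely.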
28. Certifications
Certifications:
  SOC 1 Type 2 (formerly SAS-70)
  ISO 27001
  PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM
  FISMA Moderate Compliant Controls
  HIPAA & ITAR Compliant Architecture
Physical Security:
  Datacenters in nondescript facilities
  Physical access strictly controlled
  Must pass two-factor authentication at least twice for floor access
  Physical access logged and audited
HW, SW, Network:
  Systematic change management
  Phased updates deployment
  Safe storage decommission
  Automated monitoring and self-audit
  Advanced network protection
29. Security standards
ISO 27001
  Achieved 11/2010
  Follows ISO 27002 best practice guidance
  Covers the AWS Information Security Management System (ISMS)
  Includes all Regions
  ISO certifying agent: EY CertifyPoint
PCI DSS Level 1
  Use normally, no special configuration
  Certified services include: EC2, S3, EBS, VPC, RDS, ELB, IAM, underlying physical infrastructure & AWS Management Environment
  Leverage the work of our QSA
  AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA)
  Certified in all Regions
30. Location of data – Your choice
(Diagram: AWS stack – Deployment & Administration; App Services; Compute, Storage, Database, Networking; AWS Global Infrastructure)
Regions
  An independent collection of AWS resources in a defined geography
  A solid foundation for meeting location-dependent privacy and compliance requirements
31. Global infrastructure
Availability Zones
  Designed as independent failure zones
  Physically separated within a typical metropolitan region
32. Global infrastructure
Edge Locations
  To deliver content to end users with lower latency
  A global network of edge locations
  Supports global DNS infrastructure (Route 53) and the CloudFront CDN
33. Shared responsibility
You (the customer):
  Customer Data
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption & Data Integrity Authentication
  Server-side Encryption (File System and/or Data)
  Network Traffic Protection (Encryption/Integrity/Identity)
Amazon (AWS):
  Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
34-37. Ensure good security practice
Encrypt sensitive data both “in-flight” and “at-rest”
  Use SSL/TLS for all AWS API calls & your own application communication
  Use SSL termination with Elastic Load Balancer (ELB) & back-end server authentication
  S3 Server-Side Encryption – free & easy. Can also implement client-side encryption
  Operating-system-level encryption tools available (e.g. TrueCrypt, BitLocker, etc.)
Operate host-based IDS/IPS and regular auditing and monitoring
  Maintain OS-level firewalls for additional monitoring and control
  Install logging tools and log to a separate, central location (e.g. S3)
  Partner solutions available (including Trend Micro, Symantec, Check Point, etc.)
  Extend your current management and logging tools to the AWS environment
Keep operating systems and application libraries patched and up-to-date
  Use automated package update services (e.g. YUM, WSUS, YaST, etc.)
  Apply updates to installed applications, languages, SDKs, etc.
  Easy to do “rolling updates” by creating new AMIs and instantiating a new fleet
  Relational Database Service (RDS) provides automated patch application
Design application to protect against Layer 7 attacks (SQL injection, etc.)
  Design security into your application from the start
  Ensure all entered data is validated and correctly formatted
  Perform API authorization and authentication for API-based applications
  Use partner solutions (e.g. Layer7tech, SafeNet, AiCache, Incapsula, etc.)
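The Layer 7 point above, made concrete as an added example (not code from the deck): the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table so it executes offline, plus the two validation habits the slide asks for, an allowlist for identifiers that cannot be parameterised (a sort column) and a format check on user-supplied names. The users table and its rows are constructed sample data.

```python
"""SQL injection: vulnerable form beside the hardened form (added example).

Uses SQLite in memory so it runs anywhere; the schema and rows are constructed.
"""
import re
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                   [("jim", "admin"), ("brad", "developer"), ("mark", "developer")])
    return db


def find_user_vulnerable(db, name):
    # The untrusted value becomes part of the SQL text, so a quote in it
    # changes the query's structure: "x' OR '1'='1" returns every row.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def find_user_safe(db, name):
    # A bound parameter is sent separately from the statement; whatever the
    # value contains, it is only ever compared against the name column.
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers (table and column names, ORDER BY targets) cannot be bound as
# parameters, so they are checked against a fixed allowlist instead.
SORTABLE = {"name", "role"}


def list_users(db, sort_by="name"):
    if sort_by not in SORTABLE:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return db.execute(f"SELECT name, role FROM users ORDER BY {sort_by}, id").fetchall()


# "Validated and correctly formatted": reject anything that is not a plausible
# login name before it reaches the query layer at all (defence in depth, not a
# replacement for parameters).
VALID_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def is_valid_name(name):
    return VALID_NAME.match(name) is not None
```

The vulnerable function returns all three rows for the payload x' OR '1'='1; the safe one returns none, because no user is literally named that. Validation would have rejected the payload first, but the parameterised query is the control that holds even when validation is missed.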
38. Ensure good security practice
Actively manage your AWS environment to leverage all of the capabilities available
  Perform regular security reviews
  Rotate keys and credentials
  Use AWS Trusted Advisor Security Checks to detect open ports
39. Test and Retest
Penetration Testing
Check to see how secure your application is from external attack
Must obtain authorization first
Partners also provide this service on & from AWS
http://aws.amazon.com/security
40. Where to find more information?
Risk and compliance paper
AWS security processes paper
NEW! CSA Consensus Assessments Initiative Questionnaire
http://aws.amazon.com/security
In this webinar I am going to introduce Amazon Web Services, also known as AWS, and some of the fundamental concepts behind the Amazon Cloud.
Security and operational excellence is the top-most priority. It's priority 0. No exceptions allowed. We understand that security and governance are often the top issues identified when we talk to our customers. Instead of tossing this over the fence, we really advise and highly recommend that our customers invest in a security review early in the process. Get your security folks to talk to our security folks and understand security and compliance. Security is really not on or off. It's a spectrum of options that you can choose from that is right for your application.
Examining AWS, you’ll see that the same security isolations are employed as would be found in a traditional datacenter. These include physical datacentre security, separation of the network, isolation of the server hardware, and isolation of storage. AWS customers have control over their data: they own the data, not us; they can encrypt their data at rest and in motion, just as they would in their own datacenter. Amazon Web Services provides the same, familiar approaches to security that companies have been using for decades. Importantly, it does this while also allowing the flexibility and low cost of cloud computing. There is nothing inherently at odds about providing on-demand infrastructure while also providing the security isolation companies have become accustomed to in their existing, privately-owned environments.

AWS is a secure, durable technology platform with industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, HIPAA, SAS 70 Type II. Our services and data centers have multiple layers of operational and physical security designed to protect the integrity and safety of your data. Visit our Security Center to learn more: http://aws.amazon.com/security/.

Certifications and Accreditations: AWS has successfully completed a SAS70 Type II Audit, and will continue to obtain the appropriate security certifications and accreditations to demonstrate the security of our infrastructure and services. PCI DSS: We finalized our 2011 PCI compliance audit, publishing our extensive Report on Controls (ROC) with an expanded scope. Our new November 30, 2011 PCI Attestation of Compliance, a document from our auditor stating we are compliant with all 12 PCI security standard domains, is available now for customers considering or working on moving PCI systems to AWS. The new Attestation of Compliance document includes some key changes this year: This year we’ve added RDS, ELB, and IAM as in-scope services. The addition of these services is fantastic news for PCI customers since they can now leverage RDS to store cardholder and transaction data, use ELB to manage card transaction traffic, and rely on IAM features as validated control mechanisms that satisfy PCI security standard requirements. Consistent with last year, EC2, S3, EBS, and VPC continue to be in scope.

Physical Security: Amazon has many years of experience in designing, constructing, and operating large scale data centers. AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical barriers to prevent unauthorized access.

Secure Services: Each of the services within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand. Data Privacy: AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and redundancy procedures for services so that customers can gain greater understanding of how their data flows throughout AWS.

“In essence, the security system of AWS’s platform has been added to our existing security systems. We now have a security posture consistent with that of a multi-billion dollar company.” - Jim Warren, CIO, Recovery Accountability and Transparency Board (RATB)