AWS Summit 2011: Application Security Best Practices
     Matt Tavis | Principal Solutions Architect
Application Security Best Practices is a Complex topic!
• Design scalable and fault tolerant applications
   – See Architecting for the Cloud
• Most traditional best practices still apply
• There are ways AWS can help
Built Around the Shared Responsibility Model…

AWS is responsible for:
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure

The customer is responsible for:
• Operating System
• Application
• Security Groups
• OS Firewalls
• Network Configuration
• Account Management
…and AWS Certifications

• AWS Environment
   – SAS70 Type II Audit
   – ISO 27001 Certification
   – Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
   – FedRAMP (FISMA)
• Customers have deployed various compliant applications:
   –   Sarbanes-Oxley (SOX)
   –   HIPAA (healthcare)
   –   FISMA (US Federal Government)
   –   DIACAP MAC III Sensitive IATO
Resources and data are in your control

• Specify what Region and AZ to launch in
• Customize your AMIs
• Create distinct Security Groups for each group of EC2 Instances
   – use rules for controlling access between layers
   – restrict external access to specific IP ranges
• Use AWS Identity & Access Management (IAM)
   – upload your own keys
   – use MultiFactor Authentication (MFA)
• AWS personnel can’t log in to your Instances
Protect your data with encryption

• Encrypt data “in transit” (SSL/TLS)
• Encrypt data “at rest”
   – Encrypt records before writing them to the database
   – Encrypt objects before storing them
   – Consider encrypted file systems for sensitive data
       •   Windows BitLocker
       •   TrueCrypt
       •   dm-crypt
       •   SafeNet
Traditional Network Topologies in VPC

• Create multiple Subnets
   – specify IP Ranges
• Specify Instance private IP Address
• Manage Routing
• Inbound & Outbound filters
   – Security Groups: stateful (replies to an allowed connection are let through automatically)
   – Network Access Control Lists (ACLs): stateless (replies need their own rule, including the client’s ephemeral port range)
• Use NAT Instances
   – Enhance NAT Instances with software VPNs, IDS, logging, etc…
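The stateful/stateless distinction above is where many first VPC designs break: a Network ACL that allows only inbound 80/443 silently drops the server's replies, because each reply is a separate outbound packet whose destination is the client's ephemeral port. The simulation below is an added example, not code from the deck; it models both filters on a single HTTP request/response. The Packet class, the rule-tuple shape and the two constructed ACLs are assumptions for illustration, and the model covers ports and direction only (no CIDRs or protocols). It also ignores that VPC security groups carry outbound rules as well; the statefulness shown is the same either way.

```python
"""Stateful Security Group vs. stateless Network ACL, shown on one HTTP request/response."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    direction: str  # "in" = entering the instance/subnet, "out" = leaving it


def nacl_allows(acl, pkt):
    """Network ACL semantics: separate inbound and outbound rule tables, rules evaluated in
    ascending rule-number order, first match wins, and the trailing '*' rule denies.
    Every packet is judged on its own; the ACL remembers nothing about earlier packets."""
    for _num, port_from, port_to, action in sorted(acl[pkt.direction]):
        if port_from <= pkt.dst_port <= port_to:
            return action == "allow"
    return False


class StatefulSecurityGroup:
    """Security Group semantics: inbound allow rules plus a connection table, so the reply
    to an allowed request is let out without any explicit outbound rule."""

    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.flows = set()  # (client_port, server_port) of connections already allowed in

    def allows(self, pkt):
        if pkt.direction == "in" and pkt.dst_port in self.inbound_ports:
            self.flows.add((pkt.src_port, pkt.dst_port))
            return True
        if pkt.direction == "out" and (pkt.dst_port, pkt.src_port) in self.flows:
            return True
        return False


# Constructed ACLs (assumption): (rule number, port range start, port range end, action)
NACL_NO_EPHEMERAL = {
    "in": [(100, 80, 80, "allow"), (110, 443, 443, "allow")],
    "out": [(100, 80, 80, "allow")],  # looks symmetric, but replies leave on the client's ephemeral port
}
NACL_FIXED = {
    "in": NACL_NO_EPHEMERAL["in"],
    "out": NACL_NO_EPHEMERAL["out"] + [(120, 1024, 65535, "allow")],  # the return-traffic rule
}


def exchange(allows, client_port=50123, server_port=80):
    """One request in, one reply out; returns (request_allowed, reply_allowed)."""
    request = Packet(src_port=client_port, dst_port=server_port, direction="in")
    reply = Packet(src_port=server_port, dst_port=client_port, direction="out")
    request_ok = allows(request)
    reply_ok = allows(reply) if request_ok else False
    return request_ok, reply_ok


def compare():
    return {
        "security_group": exchange(StatefulSecurityGroup({80, 443}).allows),
        "nacl_without_ephemeral_rule": exchange(lambda p: nacl_allows(NACL_NO_EPHEMERAL, p)),
        "nacl_with_ephemeral_rule": exchange(lambda p: nacl_allows(NACL_FIXED, p)),
    }


if __name__ == "__main__":
    for name, (req, rep) in compare().items():
        print(f"{name:30} request {'allowed' if req else 'denied'}, reply {'allowed' if rep else 'denied'}")
```

Running it shows the security group passing both directions, the first ACL passing the request and dropping the reply, and the second ACL passing both once outbound 1024-65535 is allowed. The same first-match ordering is why a low-numbered deny placed in front of a broad allow works as a blocklist entry in a real Network ACL.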
Security best practices still apply

• Secure coding standards
• Perform penetration testing
  – http://aws.amazon.com/security/penetration-testing/
• Antivirus where appropriate
• Intrusion Detection
  – Host-based Intrusion Detection (e.g., OSSEC)
• Log events
• Role-based access control
  – AWS Identity & Access Management
  – LDAP and/or Active Directory for Operating Systems & Applications
AWS Credential and Key Management Tips

• Create limited IAM Users for application needs
• Don’t package a privileged key in the Instance (or its AMI)
• Rotate keys periodically
• One way to pass the application key to an Instance
   – On the Instance
       • a decryption key
       • an IAM User with read-only access to a private S3 Bucket that contains the encrypted key
   – Retrieve the encrypted key from the bucket and then decrypt it
   – Use Bucket Logging to monitor attempts to access the key
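The key-handling recipe above and the earlier "encrypt records before writing them to the database" advice share one mechanism, so the following added example covers both; it is illustration written for this page, not code from the deck or from AWS. The instance holds only a key-encryption key (KEK), a read-only IAM user fetches the wrapped application key from a private bucket whose access log records every attempt, the key is unwrapped in memory, and sensitive fields are sealed before they reach the database (the pattern later productised as KMS envelope encryption). Assumptions: the authenticated cipher is built from HMAC-SHA256 as a stand-in for AES-GCM, which the standard library does not provide; PrivateBucket stands in for S3 GetObject plus Bucket Logging; the IAM user name, object key and record fields are made up.

```python
"""Application key handling: a key-encryption key (KEK) lives on the instance, the wrapped
application key lives in a private, logged bucket, and records are encrypted before the
database ever sees them."""
import hashlib
import hmac
import os
import struct

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Authenticated encryption from HMAC-SHA256 (PRF in counter mode, encrypt-then-MAC).
    Stand-in for AES-GCM, which the standard library lacks; same rule applies: never reuse a nonce."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify the tag BEFORE decrypting anything
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class PrivateBucket:
    """Stand-in for a private S3 bucket with Bucket Logging enabled. Real code calls GetObject with
    the credentials of an IAM user whose only permission is s3:GetObject on this one bucket."""

    def __init__(self, objects, reader):
        self._objects, self._reader, self.access_log = objects, reader, []

    def get(self, principal, key):
        ok = principal == self._reader and key in self._objects
        self.access_log.append((principal, key, "200" if ok else "403"))  # what the bucket log records
        if not ok:
            raise PermissionError(f"{principal} may not read {key}")
        return self._objects[key]

SENSITIVE = ("ssn", "card")             # assumed field names
READER = "iam-user:app-key-reader"      # hypothetical name for the read-only IAM user

def provision(app_key, kek):
    """Off-instance, once: wrap the application key and upload only the wrapped form."""
    return PrivateBucket({"keys/app-key.wrapped": seal(kek, app_key)}, reader=READER)

def load_app_key(bucket, kek):
    """On the instance at start-up: fetch the blob as the read-only user, unwrap it in memory."""
    return unseal(kek, bucket.get(READER, "keys/app-key.wrapped"))

def encrypt_record(app_key, record):
    return {k: seal(app_key, v.encode()).hex() if k in SENSITIVE else v for k, v in record.items()}

def decrypt_record(app_key, row):
    return {k: unseal(app_key, bytes.fromhex(v)).decode() if k in SENSITIVE else v for k, v in row.items()}

def demo():
    kek = os.urandom(32)      # delivered to the instance out of band; never baked into the AMI
    app_key = os.urandom(32)  # the privileged key; exists in plaintext only in process memory
    bucket = provision(app_key, kek)
    key_on_instance = load_app_key(bucket, kek)
    record = {"id": 7, "ssn": "123-45-6789"}
    row = encrypt_record(key_on_instance, record)
    try:
        bucket.get("iam-user:someone-else", "keys/app-key.wrapped")
        unauthorized_denied = False
    except PermissionError:
        unauthorized_denied = True
    try:
        unseal(os.urandom(32), bucket.get(READER, "keys/app-key.wrapped"))
        wrong_kek_rejected = False
    except ValueError:
        wrong_kek_rejected = True
    return {
        "key_roundtrip": key_on_instance == app_key,
        "ssn_hidden_in_db": row["ssn"] != record["ssn"] and row["id"] == 7,
        "record_roundtrip": decrypt_record(key_on_instance, row) == record,
        "unauthorized_denied": unauthorized_denied,
        "unauthorized_logged": bucket.access_log[1] == ("iam-user:someone-else", "keys/app-key.wrapped", "403"),
        "wrong_kek_rejected": wrong_kek_rejected,
    }

if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:22} {'ok' if passed else 'FAILED'}")
```

Two things to keep when moving this to real AWS calls: the bucket-log line with the 403 is the signal to alert on, since nothing legitimate other than the application's reader should ever touch that object; and rotating the application key means re-sealing it under the same KEK and re-uploading, which the instances pick up on their next start without any change to the AMI.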
Extend Your Credentials into AWS

• Often done in VPC
   – easier with static IPs for Domain Controllers
   – use egress control
• Use Read-only Domain Controllers to scale better
• Whitepaper: Using Windows ADFS for Single Sign-On to EC2
  http://media.amazonwebservices.com/EC2_ADFS_howto_2.0.pdf
New Security Opportunities Arise on AWS

Issue                                   Opportunity
Spending too much time troubleshooting  Throw it away and just replace it.
issues?
Found questionable log entries?         Launch an EMR job and find correlating events.
Tired of patching?                      Use a minimal OS and introduce puppet/chef/etc.
                                        Create new AMIs and launch replacements.
High risk site in your datacenter?      Move it to AWS and reduce threat vectors to
                                        other applications.
Security Belongs In Every Layer
Using AWS Account Isolation to Protect Resources

• Environment
   – development, test, integration, performance, production
• Major system
• Line of business / function
• Customer
• Risk level

Consolidated Billing lets you bring it all together under one bill!
Leverage Multiple Layers of Defense

Feature                    Standard EC2              Virtual Private Cloud
Security Groups            Inbound                   Inbound and Outbound
Network ACLs               n/a                       Inbound and Outbound
Operating System           Use as-is                 Use as-is
firewalls
Border firewall            Manual configuration*     NAT Instance
VPN                        Manual configuration*     VPN Gateway
Bastion Host               Enforce via Security      Enforce via Security Groups
                           Groups                    or Network ACLs
IDS                        HIDS*                     HIDS* & NAT Instance

* Third-party tools / solutions
Public EC2 Multi-tier Security Group Approach

[Diagram: three tiers, each with its own Amazon EC2 Security Group acting as the firewall
between tiers]
• Web Tier: ports 80 and 443 only are open to the Internet; all other Internet ports are
  blocked by default
• Application & Bastion Tier: engineering staff have ssh into this tier, and ssh hops from
  here into the other tiers
• Database Tier: syncs with the on-premises database
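The tiering above only holds while every rule keeps pointing at the neighbouring tier's group rather than at the Internet, and groups drift as "temporary" rules accumulate. The audit below is an added example, not anything from the deck: it encodes the intended tiering as a small policy and checks a group inventory against it, flagging ports exposed to the world that the tier is not meant to expose, ssh accepted from anywhere but the bastion, all-protocol rules and wide port ranges. The group names, the inventory shape and the policy dictionary are assumptions for illustration; real input would be built from DescribeSecurityGroups output.

```python
"""Audit a multi-tier Security Group layout against the intended tiering."""

# Constructed inventory (assumption), shaped like a simplified DescribeSecurityGroups result:
# each ingress rule has a protocol, a port range and ONE source (a CIDR or another group).
GROUPS = {
    "sg-web": {"ingress": [
        {"proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from": 22, "to": 22, "group": "sg-bastion"},
    ]},
    "sg-app": {"ingress": [
        {"proto": "tcp", "from": 8080, "to": 8080, "group": "sg-web"},
        {"proto": "tcp", "from": 22, "to": 22, "group": "sg-bastion"},
    ]},
    "sg-db": {"ingress": [
        {"proto": "tcp", "from": 3306, "to": 3306, "group": "sg-app"},
        {"proto": "tcp", "from": 3306, "to": 3306, "cidr": "203.0.113.0/24"},  # on-premises sync
        {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},  # the mistake to catch
    ]},
    "sg-bastion": {"ingress": [
        {"proto": "tcp", "from": 22, "to": 22, "cidr": "198.51.100.0/24"},  # engineering office range
    ]},
}

# The intended layout: which ports each tier may expose to the Internet and who may ssh in
# (a source is either another group's name or a CIDR).
POLICY = {
    "sg-web": {"internet_ports": {80, 443}, "ssh_from": {"sg-bastion"}},
    "sg-app": {"internet_ports": set(), "ssh_from": {"sg-bastion"}},
    "sg-db": {"internet_ports": set(), "ssh_from": {"sg-bastion"}},
    "sg-bastion": {"internet_ports": set(), "ssh_from": {"198.51.100.0/24"}},
}

WORLD = {"0.0.0.0/0", "::/0"}


def audit(groups, policy):
    """Return one finding per rule that violates the tier policy; an empty list means compliant."""
    findings = []
    for name, sg in groups.items():
        pol = policy.get(name)
        if pol is None:
            findings.append(f"{name}: no tier policy defined, review every rule")
            continue
        for rule in sg["ingress"]:
            src = rule.get("group") or rule.get("cidr")
            if rule["proto"] == "-1":  # EC2's "all traffic"
                findings.append(f"{name}: all-protocol rule from {src}")
                continue
            if rule["from"] != rule["to"]:
                findings.append(f"{name}: port range {rule['from']}-{rule['to']} from {src}; open single ports")
            if rule.get("cidr") in WORLD:
                for port in range(rule["from"], rule["to"] + 1):
                    if port not in pol["internet_ports"]:
                        findings.append(f"{name}: port {port} open to the Internet")
            if rule["from"] <= 22 <= rule["to"] and src not in pol["ssh_from"]:
                findings.append(f"{name}: ssh allowed from {src}, expected {sorted(pol['ssh_from'])}")
    return findings


if __name__ == "__main__":
    for finding in audit(GROUPS, POLICY) or ["no findings"]:
        print(finding)
```

On the constructed inventory the only findings are the two produced by the database tier's world-open port 22; remove that rule and the audit is clean. Run something like this from a scheduled job against the live account so that a rule added during an incident does not outlive it.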
You may still need to patch!

• Most traditional tools will work
• Emerging options
   –   puppet (www.puppetlabs.com)
   –   chef (www.opscode.com/chef/)
   –   fabric/cuisine (www.fabfile.org)
   –   capistrano (https://github.com/capistrano/capistrano/wiki)
Monitoring Tools

• CloudWatch (now with console!)
• Application Monitoring
  – Cacti
  – CloudWatch User Metrics
• Instance Monitoring
  – CloudWatch
  – Nagios
     • Nagios CloudWatch plugin
        https://github.com/j3tm0t0/check_cloudwatch
Approaches to Log Management

• Distributed Approach
   – Highly scalable, but not always real-time
   – Instance-based (push to S3)
   – Facebook’s Scribe
• Centralized Approach
   – Real-time, but not highly scalable
   – syslog
   – Windows Event Logging Service
• Analytics
   – Custom EMR jobs
   – Splunk (www.splunk.com)
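The "questionable log entries, launch an EMR job and find correlating events" opportunity from the earlier slide and the "Custom EMR jobs" analytics bullet above come down to a mapper keyed on something shared across log sources and a reducer that reasons about each key. The following is an added example written for this page (not from the deck or from AWS): a Hadoop-streaming style mapper/reducer that joins Apache access-log lines and sshd auth-log lines on source IP and reports hosts that both probed the web tier and hammered ssh. The log lines are constructed, the regexes assume Apache combined format and the standard OpenSSH message wording, and the three-failure threshold is a made-up tuning knob.

```python
"""Hadoop-streaming style mapper/reducer: correlate a host's web probes with its ssh attempts."""
import re
import sys
from collections import defaultdict

# Constructed sample input (not real logs): Apache combined-format access lines and sshd auth lines.
WEB_LOG = """\
203.0.113.7 - - [10/Jun/2011:14:02:11 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "curl/7.21"
198.51.100.23 - - [10/Jun/2011:14:02:13 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2011:14:02:14 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "curl/7.21"
"""
AUTH_LOG = """\
Jun 10 14:03:01 web-1 sshd[2131]: Failed password for invalid user oracle from 203.0.113.7 port 51422 ssh2
Jun 10 14:03:04 web-1 sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 51430 ssh2
Jun 10 14:03:09 web-1 sshd[2140]: Failed password for root from 203.0.113.7 port 51436 ssh2
Jun 10 14:05:40 web-1 sshd[2160]: Accepted publickey for deploy from 198.51.100.23 port 40122 ssh2
"""

WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
SSH_RE = re.compile(r'sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')


def mapper(line):
    """Emit (key, value) pairs keyed by source IP, so the shuffle brings everything one host did together."""
    m = WEB_RE.match(line)
    if m:
        kind = "web_404" if m["status"] == "404" else "web"
        return [(m["ip"], f"{kind}\t{m['req']}")]
    m = SSH_RE.search(line)
    if m:
        return [(m["ip"], f"ssh_{m['result'].lower()}\t{m['user']}")]
    return []  # anything unparsed is dropped here, not in the reducer


def reducer(pairs, ssh_fail_threshold=3):
    """Hadoop delivers mapper output sorted by key; one pass per IP, no state across IPs."""
    by_ip = defaultdict(list)
    for ip, value in sorted(pairs):
        by_ip[ip].append(value.split("\t", 1)[0])  # keep just the event kind
    findings = {}
    for ip, kinds in by_ip.items():
        ssh_failed, web_404 = kinds.count("ssh_failed"), kinds.count("web_404")
        reasons = []
        if ssh_failed >= ssh_fail_threshold:
            reasons.append(f"{ssh_failed} failed ssh logins")
        if ssh_failed and web_404:
            reasons.append(f"{web_404} web probes (404) from the same host")
        if reasons:
            findings[ip] = reasons
    return findings


def run(lines):
    """In-process equivalent of: mapper | sort | reducer."""
    return reducer(pair for line in lines for pair in mapper(line))


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "local"
    if mode == "map":       # streaming mapper, e.g. -mapper "correlate.py map"
        for line in sys.stdin:
            for ip, value in mapper(line.rstrip("\n")):
                print(f"{ip}\t{value}")
    elif mode == "reduce":  # streaming reducer: stdin is the sorted "ip<TAB>value" stream
        for ip, reasons in reducer(l.rstrip("\n").split("\t", 1) for l in sys.stdin).items():
            print(ip, "; ".join(reasons))
    else:
        for ip, reasons in run(WEB_LOG.splitlines() + AUTH_LOG.splitlines()).items():
            print(ip, "; ".join(reasons))
```

Locally, `cat access.log auth.log | python correlate.py map | sort | python correlate.py reduce` exercises the same two stages that an EMR streaming step would run over the logs the instances pushed to S3; the script with no argument runs the embedded sample and reports only 203.0.113.7.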
Example Application

[Diagram: www.example.com is resolved by DNS (Route 53) to an ELB; behind it an
Auto-scaling group Web Tier of Web Servers feeds an SLB, which feeds an Auto-scaling
group App Tier of App Servers running Tomcat, which use RDS. The stack is duplicated
across Availability Zone #1 (RDS Master) and Availability Zone #2 (RDS Slave), with
Availability Zone #n indicated for further expansion; static content is served from S3
through CloudFront.]
Example: Build Security into Every Layer

[Same HA Architecture diagram as the previous slide, annotated with the security
characteristics listed below]

Security Characteristics:
- Route 53 (highly scalable DNS)
- Autoscaling Groups
- Security Groups
- ELB Security Group
- OS Firewalls (on Instances)
- RDS
  - DB Security Groups
  - backup window
  - snapshots
  - multi-AZ
- CloudFront
  - Private Distribution
  - pre-signed URLs
- S3 Bucket Policies
  - private bucket
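The last three characteristics (private CloudFront distribution, pre-signed URLs, private bucket) only work together if the bucket policy grants the distribution's Origin Access Identity, and nobody else, the right to read objects; the pre-signed URL is checked by CloudFront, never by S3, so S3 must refuse direct requests on its own. The policy below is an added example for this page, not from the deck or from AWS documentation. The bucket name and the canonical user ID of the Origin Access Identity are placeholders; the second statement additionally refuses any request that is not made over TLS, which ties back to the "encrypt data in transit" advice.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyTheCloudFrontOriginAccessIdentityMayRead",
      "Effect": "Allow",
      "Principal": {"CanonicalUser": "CANONICAL-USER-ID-OF-THE-ORIGIN-ACCESS-IDENTITY"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-private-content/*"
    },
    {
      "Sid": "RefuseAnyRequestNotOverTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-private-content",
        "arn:aws:s3:::example-private-content/*"
      ],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
```

Check it the way an attacker would: an unsigned GET of the object's S3 URL must return 403, and so must the CloudFront URL without a valid signature; only the pre-signed CloudFront URL, generated with the distribution's trusted-signer key pair (which never touches S3), returns the object. Keep the bucket ACL free of public grants as well, since a public ACL would bypass this policy.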
Thank You!
• More reading:
  – Security Center: http://aws.amazon.com/security

Contenu connexe

Tendances

Build Secure Cloud Solution using F5 BIG-IP on AWS
Build Secure Cloud Solution using F5 BIG-IP on AWSBuild Secure Cloud Solution using F5 BIG-IP on AWS
Build Secure Cloud Solution using F5 BIG-IP on AWS
Lahav Savir
 
SaaS App Development with Windows Cartridge
SaaS App Development with Windows Cartridge SaaS App Development with Windows Cartridge
SaaS App Development with Windows Cartridge
WSO2
 

Tendances (20)

Secure Cloud governance - AWS landing zone
Secure Cloud governance - AWS landing zoneSecure Cloud governance - AWS landing zone
Secure Cloud governance - AWS landing zone
 
Simplify your BCDR strategy with Azure
Simplify your BCDR strategy with AzureSimplify your BCDR strategy with Azure
Simplify your BCDR strategy with Azure
 
Build Secure Cloud Solution using F5 BIG-IP on AWS
Build Secure Cloud Solution using F5 BIG-IP on AWSBuild Secure Cloud Solution using F5 BIG-IP on AWS
Build Secure Cloud Solution using F5 BIG-IP on AWS
 
Azure bastion
Azure bastionAzure bastion
Azure bastion
 
Microsoft SQL Server Dive Deep.pdf
Microsoft SQL Server Dive Deep.pdfMicrosoft SQL Server Dive Deep.pdf
Microsoft SQL Server Dive Deep.pdf
 
Microsoft Azure Traffic Manager
Microsoft Azure Traffic ManagerMicrosoft Azure Traffic Manager
Microsoft Azure Traffic Manager
 
Hybrid IT Approach and Technologies with the AWS Cloud
Hybrid IT Approach and Technologies with the AWS CloudHybrid IT Approach and Technologies with the AWS Cloud
Hybrid IT Approach and Technologies with the AWS Cloud
 
AWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
AWS Canberra WWPS Summit 2013 - AWS Governance and Security OverviewAWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
AWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
 
Brief Security Overview
Brief Security OverviewBrief Security Overview
Brief Security Overview
 
Army's Cyber Defense Operations: Building the Right Solutions for the Data Su...
Army's Cyber Defense Operations: Building the Right Solutions for the Data Su...Army's Cyber Defense Operations: Building the Right Solutions for the Data Su...
Army's Cyber Defense Operations: Building the Right Solutions for the Data Su...
 
Resiilient Architectures on AWS
Resiilient Architectures on AWSResiilient Architectures on AWS
Resiilient Architectures on AWS
 
Hybrid Infrastructure Integration
Hybrid Infrastructure IntegrationHybrid Infrastructure Integration
Hybrid Infrastructure Integration
 
Incident Response in the Cloud | AWS Public Sector Summit 2017
Incident Response in the Cloud | AWS Public Sector Summit 2017Incident Response in the Cloud | AWS Public Sector Summit 2017
Incident Response in the Cloud | AWS Public Sector Summit 2017
 
SaaS App Development with Windows Cartridge
SaaS App Development with Windows Cartridge SaaS App Development with Windows Cartridge
SaaS App Development with Windows Cartridge
 
Cloud inventory analytics Maestro server
Cloud inventory analytics   Maestro serverCloud inventory analytics   Maestro server
Cloud inventory analytics Maestro server
 
AWS Systems Manager
AWS Systems ManagerAWS Systems Manager
AWS Systems Manager
 
Securing your cloud perimeter with azure network security brk3185
Securing your cloud perimeter with azure network security brk3185Securing your cloud perimeter with azure network security brk3185
Securing your cloud perimeter with azure network security brk3185
 
Too Many Tools - How AWS Systems Manager Bridges Operational Models
Too Many Tools - How AWS Systems Manager Bridges Operational ModelsToo Many Tools - How AWS Systems Manager Bridges Operational Models
Too Many Tools - How AWS Systems Manager Bridges Operational Models
 
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
 
Amazon EC2 Systems Manager for Hybrid Cloud Management at Scale
Amazon EC2 Systems Manager for Hybrid Cloud Management at ScaleAmazon EC2 Systems Manager for Hybrid Cloud Management at Scale
Amazon EC2 Systems Manager for Hybrid Cloud Management at Scale
 

En vedette

야탑오피&천안오피#사이트【http://dasom10.net】수원오피
야탑오피&천안오피#사이트【http://dasom10.net】수원오피야탑오피&천안오피#사이트【http://dasom10.net】수원오피
야탑오피&천안오피#사이트【http://dasom10.net】수원오피
dasomygirl
 
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Amazon Web Services
 

En vedette (20)

야탑오피&천안오피#사이트【http://dasom10.net】수원오피
야탑오피&천안오피#사이트【http://dasom10.net】수원오피야탑오피&천안오피#사이트【http://dasom10.net】수원오피
야탑오피&천안오피#사이트【http://dasom10.net】수원오피
 
Understanding AWS Security
 Understanding AWS Security  Understanding AWS Security
Understanding AWS Security
 
Building a Cloud Culture at Yelp (BDT305) | AWS re:Invent 2013
Building a Cloud Culture at Yelp (BDT305) | AWS re:Invent 2013Building a Cloud Culture at Yelp (BDT305) | AWS re:Invent 2013
Building a Cloud Culture at Yelp (BDT305) | AWS re:Invent 2013
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Securing Your Data In The Cloud
Securing Your Data In The CloudSecuring Your Data In The Cloud
Securing Your Data In The Cloud
 
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
 
AWS Enterprise Day | Securing your Web Applications in the Cloud
AWS Enterprise Day | Securing your Web Applications in the CloudAWS Enterprise Day | Securing your Web Applications in the Cloud
AWS Enterprise Day | Securing your Web Applications in the Cloud
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Journey Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSJourney Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWS
 
AWS Deployment Best Practices
AWS Deployment Best PracticesAWS Deployment Best Practices
AWS Deployment Best Practices
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
 
Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices Masterclass
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
(SEC201) How Should We All Think About Security?
(SEC201) How Should We All Think About Security?(SEC201) How Should We All Think About Security?
(SEC201) How Should We All Think About Security?
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWS
 
Security and Compliance in the Cloud
Security and Compliance in the Cloud Security and Compliance in the Cloud
Security and Compliance in the Cloud
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
 

Similaire à AWS Summit 2011: Application Security Best Practices

AWS Summit 2011: Overview of Security and Compliance in the cloud
AWS Summit 2011: Overview of Security and Compliance in the cloudAWS Summit 2011: Overview of Security and Compliance in the cloud
AWS Summit 2011: Overview of Security and Compliance in the cloud
Amazon Web Services
 
Ram chinta hug-20120922-v1
Ram chinta hug-20120922-v1Ram chinta hug-20120922-v1
Ram chinta hug-20120922-v1
Ram Chinta
 
Aws security overview q3 2010 v2
Aws security overview q3 2010 v2Aws security overview q3 2010 v2
Aws security overview q3 2010 v2
ReadMaloney
 
Disaster Recovery with the AWS Cloud
Disaster Recovery with the AWS CloudDisaster Recovery with the AWS Cloud
Disaster Recovery with the AWS Cloud
Amazon Web Services
 

Similaire à AWS Summit 2011: Application Security Best Practices (20)

AWS Summit 2011: Overview of Security and Compliance in the cloud
AWS Summit 2011: Overview of Security and Compliance in the cloudAWS Summit 2011: Overview of Security and Compliance in the cloud
AWS Summit 2011: Overview of Security and Compliance in the cloud
 
Ram chinta hug-20120922-v1
Ram chinta hug-20120922-v1Ram chinta hug-20120922-v1
Ram chinta hug-20120922-v1
 
Amazon Web Services - Elastic Beanstalk
Amazon Web Services - Elastic BeanstalkAmazon Web Services - Elastic Beanstalk
Amazon Web Services - Elastic Beanstalk
 
Architecting for the Cloud: Best Practices
Architecting for the Cloud: Best PracticesArchitecting for the Cloud: Best Practices
Architecting for the Cloud: Best Practices
 
Securing serverless and container services - SDD306 - AWS re:Inforce 2019
Securing serverless and container services - SDD306 - AWS re:Inforce 2019 Securing serverless and container services - SDD306 - AWS re:Inforce 2019
Securing serverless and container services - SDD306 - AWS re:Inforce 2019
 
Aws security overview q3 2010 v2
Aws security overview q3 2010 v2Aws security overview q3 2010 v2
Aws security overview q3 2010 v2
 
Aws Security Overview
Aws Security OverviewAws Security Overview
Aws Security Overview
 
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA PartnersAPN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
 
Web Scale Applications using NeflixOSS Cloud Platform
Web Scale Applications using NeflixOSS Cloud PlatformWeb Scale Applications using NeflixOSS Cloud Platform
Web Scale Applications using NeflixOSS Cloud Platform
 
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh VariaAWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
 
[Jun AWS 201] Technical Workshop
[Jun AWS 201] Technical Workshop[Jun AWS 201] Technical Workshop
[Jun AWS 201] Technical Workshop
 
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
AWS Security Architecture - Overview
AWS Security Architecture - OverviewAWS Security Architecture - Overview
AWS Security Architecture - Overview
 
Cloud Migration, Application Modernization, and Security
Cloud Migration, Application Modernization, and Security Cloud Migration, Application Modernization, and Security
Cloud Migration, Application Modernization, and Security
 
How Netflix’s Tools Can Help Accelerate Your Start-up (SVC202) | AWS re:Inven...
How Netflix’s Tools Can Help Accelerate Your Start-up (SVC202) | AWS re:Inven...How Netflix’s Tools Can Help Accelerate Your Start-up (SVC202) | AWS re:Inven...
How Netflix’s Tools Can Help Accelerate Your Start-up (SVC202) | AWS re:Inven...
 
Disaster Recovery with the AWS Cloud
Disaster Recovery with the AWS CloudDisaster Recovery with the AWS Cloud
Disaster Recovery with the AWS Cloud
 
Svc 202-netflix-open-source
Svc 202-netflix-open-sourceSvc 202-netflix-open-source
Svc 202-netflix-open-source
 
Netflix and Open Source
Netflix and Open SourceNetflix and Open Source
Netflix and Open Source
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
 

Plus de Amazon Web Services

Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Dernier

Dernier (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter

AWS Summit 2011: Application Security Best Practices

  • 1. Application Security Best Practices Matt Tavis | Principal Solutions Architect
  • 2. Application Security Best Practices is a Complex topic! • Design scalable and fault tolerant applications – See Architecting for the Cloud • Most traditional best practices still apply • There are ways AWS can help
  • 3. Built Around the Shared Responsibility Model… AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure. Customer: Operating System, Application, Security Groups, OS Firewalls, Network Configuration, Account Management
  • 4. …and AWS Certifications • AWS Environment – SAS70 Type II Audit – ISO 27001 Certification – Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider – FedRAMP (FISMA) • Customers have deployed various compliant applications: – Sarbanes-Oxley (SOX) – HIPAA (healthcare) – FISMA (US Federal Government) – DIACAP MAC III Sensitive IATO
  • 5. Resources and data are in your control • Specify what Region and AZ to launch in • Customize your AMIs • Create distinct Security Groups for groups of EC2 Instances – use rules for controlling access between layers – restrict external access to specific IP ranges • Use AWS Identity & Access Management (IAM) – upload your own keys – use MultiFactor Authentication (MFA) • AWS personnel can’t log in to your Instances
  • 6. Protect your data with encryption • Encrypt data “in-transit” (SSL/TLS) • Encrypt data “at-rest” – Encrypt records before writing in database – Encrypt objects before storing them – Consider encrypted file systems for sensitive data • Windows Bitlocker • Truecrypt • dm-crypt • SafeNet
  • 7. Traditional Network Topologies in VPC • Create multiple Subnets – specify IP Ranges • Specify Instance private IP Address • Manage Routing • Inbound & Outbound filters – Security Groups: stateful – Network Access Control Lists (ACLs): stateless • Use NAT Instances – Enhance NAT Instances with software VPNs, IDS, logging, etc…
  • 8. Security best practices still apply • Secure coding standards • Perform penetration testing – http://aws.amazon.com/security/penetration-testing/ • Antivirus where appropriate • Intrusion Detection – Host-based Intrusion Detection (e.g., OSSEC) • Log events • Role-based access control – AWS Identity & Access Management – LDAP and/or Active Directory for Operating Systems & Applications
  • 9. AWS Credential and Key Management Tips • Create limited IAM Users for application needs • Don’t package privileged key in Instance • Periodic key rotation • One way to pass the application key to an Instance – On the Instance • Decryption key • IAM User with read-only access to a private S3 Bucket that contains the encrypted key – Retrieve the full key and then decrypt it – Use Bucket Logging to monitor attempts to access the key
  • 10. Extend Your Credentials into AWS • Often done in VPC – easier with static IP for DCs – use egress control • Use Read-only Domain Controllers to scale better • Whitepaper: Using Windows ADFS for Single Sign-On to EC2 http://media.amazonwebservices.com/EC2_ADFS_howto_2.0.pdf
  • 11. New Security Opportunities Arise on AWS (Issue – Opportunity) • Spending too much time troubleshooting issues? – Throw it away and just replace it. • Found questionable log entries? – Launch an EMR job and find correlating events. • Tired of patching? – Use minimal OS and introduce puppet/chef/etc... Create new AMIs and launch replacements. • High risk site in your datacenter? – Move it to AWS and reduce threat vectors to other applications.
  • 12. Security Belongs In Every Layer
  • 13. Using AWS Account Isolation to Protect Resources • Environment – development, test, integration, performance, production • Major system • Line of business / function • Customer • Risk level Consolidated Billing lets you bring it all together under one bill!
  • 14. Leverage Multiple Layers of Defense (Feature: Standard EC2 / Virtual Private Cloud) – Security Groups: Inbound / Inbound and Outbound – Network ACLs: n/a / Inbound and Outbound – Operating System firewalls: Use as-is / Use as-is – Border firewall: Manual configuration* / NAT Instance – VPN: Manual configuration* / VPN Gateway – Bastion Host: Enforce via Security Groups / Enforce via Security Groups or Network ACLs – IDS: HIDS* / HIDS* & NAT Instance (* Third-party tools / solutions)
  • 15. Public EC2 Multi-tier Security Group Approach [diagram: Web Tier, Application & Bastion Tier and Database Tier, each behind the Amazon EC2 Security Group Firewall, with ssh paths between tiers] • Ports 80 and 443 only open to the Internet • Engineering staff have ssh • Sync with on-premises database • All other Internet ports blocked by default
  • 16. You may still need to patch! • Most traditional tools will work • Emerging options – puppet (www.puppetlabs.com) – chef (www.opscode.com/chef/) – fabric/cuisine (www.fabfile.org) – capistrano (https://github.com/capistrano/capistrano/wiki)
  • 17. Monitoring Tools • Cloud Watch (now with console!) • Application Monitoring – Cacti – CloudWatch User Metrics • Instance Monitoring – CloudWatch – Nagios • Nagios CloudWatch plugin https://github.com/j3tm0t0/check_cloudwatch
  • 18. Approaches to Log Management • Distributed Approach – Highly scalable, but not always real-time – Instance-based (push to S3) – Facebook’s Scribe • Centralized Approach – Real-time, but not highly scalable – syslog – Windows Event Logging Service • Analytics – Custom EMR jobs – Splunk (www.splunk.com)
  • 19. Example Application [diagram: www.example.com → DNS (Route 53) → ELB → Auto-scaling group: Web Tier (Web Servers) → SLB → Auto-scaling group: App Tier (App Servers running Tomcat) → RDS (Master / Slave) and S3, with CloudFront in front, spread across Availability Zone #1, Availability Zone #2 … Availability Zone #n]
  • 20. Example: Build Security into Every Layer [same HA Architecture diagram as slide 19] Security Characteristics: – Route 53 (highly scalable DNS) – Autoscaling Groups – Security Groups – ELB Security Group – OS Firewalls (on Instances) – RDS: DB Security Groups, backup window, snapshots, multi-AZ – CloudFront: Private Distribution, pre-signed URLs – S3 Bucket Policies: private bucket
  • 21. Thank You! • More reading: – Security Center: http://aws.amazon.com/security
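As an added example (not from the deck), the stateful-versus-stateless distinction on slide 7 modelled in plain Python: an HTTPS request that a Network ACL allows inbound still needs an outbound rule covering the client's ephemeral port before the reply can leave the subnet, whereas a Security Group ingress rule alone admits the reply. Rule numbers, CIDRs and ports are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class AclRule:
    """One Network ACL entry (constructed model of the AWS semantics)."""
    number: int     # NACLs are evaluated in ascending rule number; first match wins
    action: str     # "allow" or "deny"
    cidr: str       # remote address range the rule matches
    port_from: int  # destination port range: on the instance for inbound rules,
    port_to: int    # on the remote host for outbound rules


def acl_allows(rules: List[AclRule], remote_ip: str, dst_port: int) -> bool:
    """Stateless evaluation: no matching rule means the implicit final deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if ip_address(remote_ip) in ip_network(rule.cidr) and rule.port_from <= dst_port <= rule.port_to:
            return rule.action == "allow"
    return False


def nacl_flow_allowed(inbound, outbound, client_ip, client_port, server_port) -> bool:
    """A TCP exchange crosses the subnet boundary twice; a stateless ACL
    must explicitly allow both the request and the reply."""
    request_ok = acl_allows(inbound, client_ip, server_port)
    reply_ok = acl_allows(outbound, client_ip, client_port)
    return request_ok and reply_ok


def sg_flow_allowed(ingress: List[Tuple[str, int, int]], client_ip: str, server_port: int) -> bool:
    """Security Groups are stateful: once ingress admits the request,
    the reply to the client's ephemeral port is permitted automatically."""
    return any(ip_address(client_ip) in ip_network(cidr) and lo <= server_port <= hi
               for cidr, lo, hi in ingress)


# Constructed rule sets: HTTPS in from anywhere; the outbound side differs.
INBOUND = [AclRule(100, "allow", "0.0.0.0/0", 443, 443)]
OUTBOUND_INCOMPLETE = [AclRule(100, "allow", "0.0.0.0/0", 443, 443)]   # forgets ephemeral ports
OUTBOUND_FIXED = OUTBOUND_INCOMPLETE + [AclRule(110, "allow", "0.0.0.0/0", 1024, 65535)]
WEB_SG_INGRESS = [("0.0.0.0/0", 443, 443)]

if __name__ == "__main__":
    print(nacl_flow_allowed(INBOUND, OUTBOUND_INCOMPLETE, "198.51.100.7", 50123, 443))  # False
    print(nacl_flow_allowed(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 50123, 443))       # True
    print(sg_flow_allowed(WEB_SG_INGRESS, "198.51.100.7", 443))                         # True
```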
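As an added example (not from the deck), an audit of the multi-tier Security Group layout on slide 15 in plain Python: it flags any rule that exposes a port other than 80/443 to the Internet, lets ssh be reached from anywhere but the bastion tier, or lets a back-end tier be reached from anything other than the tier in front of it. The group ids, the 10.10.0.0/16 on-premises range and the 198.51.100.0/24 engineering range are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

INTERNET = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    """One ingress rule: a TCP port reachable from a CIDR or from another group."""
    group: str   # owning security group (constructed ids: sg-web, sg-app, sg-db, sg-bastion)
    port: int
    source: str  # CIDR block or security group id


# Intended model from the slide: only 80/443 face the Internet on the web tier,
# each tier is reachable only from the tier in front of it, ssh only via the bastion.
INTERNET_PORTS: Dict[str, Set[int]] = {"sg-web": {80, 443}}
TIER_SOURCES: Dict[str, Set[str]] = {
    "sg-app": {"sg-web"},
    "sg-db": {"sg-app", "10.10.0.0/16"},  # 10.10.0.0/16: constructed on-premises range for db sync
}


def audit(rules: List[Rule], bastion: str = "sg-bastion") -> List[str]:
    """Return one finding per rule that breaks the tier model; [] means clean."""
    findings = []
    for r in rules:
        if r.port == 22:
            if r.group == bastion and r.source == INTERNET:
                findings.append(f"{r.group}: ssh open to the whole Internet; restrict to a known address range")
            elif r.group != bastion and r.source != bastion:
                findings.append(f"{r.group}: ssh reachable from {r.source}; only {bastion} should reach ssh")
        elif r.source == INTERNET:
            if r.port not in INTERNET_PORTS.get(r.group, set()):
                findings.append(f"{r.group}: port {r.port} open to the Internet")
        elif r.group in TIER_SOURCES and r.source not in TIER_SOURCES[r.group]:
            findings.append(f"{r.group}: port {r.port} reachable from {r.source}, expected {sorted(TIER_SOURCES[r.group])}")
    return findings


# Constructed rule sets: a weak layout beside the one the slide describes.
WEAK = [Rule("sg-web", 80, INTERNET), Rule("sg-web", 443, INTERNET),
        Rule("sg-web", 22, INTERNET), Rule("sg-db", 3306, INTERNET),
        Rule("sg-bastion", 22, INTERNET)]
TIERED = [Rule("sg-web", 80, INTERNET), Rule("sg-web", 443, INTERNET),
          Rule("sg-web", 22, "sg-bastion"), Rule("sg-app", 8080, "sg-web"),
          Rule("sg-app", 22, "sg-bastion"), Rule("sg-db", 3306, "sg-app"),
          Rule("sg-db", 3306, "10.10.0.0/16"), Rule("sg-bastion", 22, "198.51.100.0/24")]

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
    print("tiered layout findings:", audit(TIERED))  # []
```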