AWS and its partners offer a wide range of tools and features to help you meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that can give you full visibility into what is happening in your environment. In this session, you will be introduced to the range of security tools and features that AWS offers, and to the latest security innovations coming from AWS.
6. Security ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
[Diagram labels: Distributed, Embedded]
10. Intro to AWS
11 Regions
30 Availability Zones
53 Edge Locations
Over 1 Million Active Customers
Across 190 Countries
Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.
11. A European view of Cloud
• Regions:
– Dublin (EU-West) – 3 x Availability Zones
• Launched in 2007
– Frankfurt (EU-Central) – 2 x Availability Zones
• Launched in 2014
• Edge Locations:
– Amsterdam, The Netherlands (2), Dublin, Ireland, Frankfurt,
Germany (3), London, England (3), Madrid, Spain, Marseille,
France, Milan, Italy, Paris, France (2), Stockholm, Sweden, and
Warsaw, Poland
• Direct Connect POPs:
– Dublin, London, Frankfurt
12. Data Locality
Customer chooses where to place data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn’t move unless you choose to move it
13. Overview of AWS Services
[Diagram: service layers built on the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations), with Your Applications on top]
Foundation Services:
– Compute: EC2
– Storage: S3, EBS, Glacier, Storage Gateway
– Networking: VPC, Direct Connect, ELB, Route53
– Databases: RDS, ElastiCache, DynamoDB, RedShift
Application Services:
– Content Delivery: CloudFront
– Applications: SES, SNS, SQS, Elastic Transcoder, CloudSearch
– Distributed Computing: SWF, EMR
– Libraries & SDKs
Deployment & Management:
– Monitoring: CloudWatch
– Deployment & Automation: BeanStalk, OpsWorks, CloudFormation, DataPipe
– Identity & Access Management: IAM, Federation
– Web Interface: Console, Billing
– Human Interaction: Mechanical Turk
Enterprise Applications:
– Virtual Desktop: Workspaces
– Document Collaboration: Zocalo
14. How does a customer interact with AWS services?
Common Protocols
• SSH, RDP, HTTP, SSL, SQL, etc.
API Calls (Management Console, SDKs, Unified CLI)
• S3, EC2, RDS
15. API Calls
• Authentication is provided by IAM (Identity and Access Management)
• API calls are secured within a TLS connection
• API calls are made to AWS service endpoints deployed globally
• A full list of endpoints is available here:
– http://docs.aws.amazon.com/general/latest/gr/rande.html
• AWS Unified CLI
– aws ec2 start-instances
– aws ec2 stop-instances
– aws s3 ls
– aws s3 cp <source> <destination>
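The IAM authentication behind every API call (console, SDK or CLI) is AWS Signature Version 4: the client derives a date-, region- and service-scoped key from its secret access key, signs a canonical form of the request with HMAC-SHA256, and AWS recomputes the signature on its side, so a secret never travels on the wire and a modified request fails verification. The Python below is an added example, not code from the deck; it uses the public example credentials and the IAM ListUsers request from the AWS SigV4 documentation and sends nothing over the network.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # The long-term secret is never applied to a request directly; a per-day,
    # per-region, per-service key is derived from it first.
    key = _hmac(("AWS4" + secret).encode("utf-8"), date)
    for scope_part in (region, service, "aws4_request"):
        key = _hmac(key, scope_part)
    return key

def canonical_query(params: dict) -> str:
    # Parameters sorted by name and URI-encoded, as the canonical form requires.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))

def sign_get(access_key, secret, host, path, params, region, service, amz_date):
    """Return the Authorization header value for a signed GET request."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": host, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_request = "\n".join([
        "GET", path, canonical_query(params),
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed_headers,
        hashlib.sha256(b"").hexdigest(),          # GET: hash of the empty body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")

# Public example credentials and the IAM ListUsers request from the AWS SigV4
# documentation; they authorise nothing, and no request is sent here.
EXAMPLE = dict(access_key="AKIDEXAMPLE",
               secret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
               host="iam.amazonaws.com", path="/",
               params={"Action": "ListUsers", "Version": "2010-05-08"},
               region="us-east-1", service="iam", amz_date="20150830T123600Z")
```

Because the date is part of the scope and the x-amz-date header is signed, a captured Authorization header cannot be replayed later or against another service, which is why SigV4 rather than a static API key underpins IAM authentication.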
16. Let's look at how customers traditionally manage IT
17. Core Services (customer view)
[Diagram: every layer is run and secured by the customer: Data Centre (HVAC, UPS, Security), Server, Storage, Networking, Operating System, Platform & Applications Management, Customer Data]
Customer Responsibility:
- Data & Network Protection
- High Availability
- Disaster Recovery
- Backup
- Scalability
- Audit
Cross-cutting controls: Data Encryption, Data Integrity/Backup, Network Protection, Management, Monitoring & Logging
18. AWS Shared Responsibility Model
Let's talk about security within the Cloud and who is responsible for which parts:
Security OF the Cloud vs Security IN the Cloud
19. AWS Shared Responsibility Model: for Infrastructure Services
Managed by AWS:
– AWS Foundation Services: Compute, Storage, Database, Networking
– AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
– AWS IAM, API Endpoint
Managed by Customers:
– Customer content
– Platform & Applications Management
– Operating System, Network & Firewall Configuration
– Customer IAM
– Client-Side Data Encryption & Data Integrity Authentication
– Server-Side Encryption (File System and/or Data)
– Network Traffic Protection (Encryption / Integrity / Identity)
– Optional – Opaque data: 1’s and 0’s (in transit/at rest)
20. Infrastructure Service Example – EC2
• AWS Responsibility:
– Foundational Services – Networking, Compute, Storage
– AWS Global Infrastructure
– AWS IAM
– AWS API Endpoints
• Customer Responsibility:
– Customer Data
– Customer Application/Platform
– Operating System
– Network & Firewall
– Customer IAM
– High Availability, Scaling
– Instance Management
– Data Protection (Transit, Rest, Backup)
21. AWS Shared Responsibility Model: for Container Services
Managed by AWS:
– AWS Foundation Services: Compute, Storage, Database, Networking
– AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
– Operating System, Network Configuration
– Platform & Applications Management
– AWS IAM, API Endpoint
Managed by Customers:
– Customer content
– Firewall Configuration
– Customer IAM
– Client-Side Data Encryption & Data Integrity Authentication
– Network Traffic Protection (Encryption / Integrity / Identity)
– Optional – Opaque data: 1’s and 0’s (in transit/at rest)
22. Infrastructure Service Example – RDS
• AWS Responsibility:
– Foundational Services – Networking, Compute, Storage
– AWS Global Infrastructure
– AWS IAM
– AWS API Endpoints
– Operating System
– Platform / Application
• Customer Responsibility:
– Customer Data
– Firewall (VPC)
– Customer IAM (DB Users, Table Permissions)
– High Availability
– Data Protection (Transit, Rest, Backup)
– Scaling
23. AWS Shared Responsibility Model: for Abstract Services
Managed by AWS:
– AWS Foundation Services: Compute, Storage, Database, Networking
– AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
– Operating System, Network & Firewall Configuration
– Platform & Applications Management
– Data Protection by the Platform: Protection of Data at Rest
– Network Traffic Protection by the Platform: Protection of Data in Transit
– AWS IAM, API Endpoint
Managed by Customers:
– Customer content
– Client-Side Data Encryption & Data Integrity Authentication
– Optional – Opaque Data: 1’s and 0’s (in flight / at rest)
24. Infrastructure Service Example – S3
• AWS Responsibility:
– Foundational Services – Networking, Compute, Storage
– AWS Global Infrastructure
– AWS IAM
– AWS API Endpoints
– Operating System
– Platform / Application
– Data Protection (Rest - SSE, Transit)
– High Availability / Scaling
• Customer Responsibility:
– Customer Data
– Data Protection
25. Shared Responsibility
Summary of Security IN the Cloud (Customer Responsibility)
Infrastructure Services
Applications
Operating System
Container Services Abstract Services
Networking/Firewall
Data
Customer IAM
AWS IAM
Networking/Firewall
Data
AWS IAM
Data
Customer IAM
AWS IAM
27. Security Shared Responsibility Model
AWS is responsible for the security OF the cloud:
– AWS Foundation Services: Compute, Storage, Database, Network
– AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
28. Auditing - Comparison: on-Prem vs on AWS
on AWS
• Start on base of accredited services
• Functionally necessary – high watermark of requirements
• Audits done by third party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance
on-Prem
• Start with bare concrete
• Functionally optional
– (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
29. What this means
• You benefit from an environment built for the most security sensitive organizations
• AWS manages 1,800+ security controls so you don’t have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
30. AWS Assurance Program Updates
SOC:
New services in scope after successful assessment
KMS, Workspace, SES
PCI:
New services in scope after achieving PCI DSS 3.1 certification
KMS, Cloudtrail, Cloudfront
ISO 27017:
International code of practice focusing on Cloud providers
ISO 27018:
International code of practice that focuses on protection of PII in the cloud.
31. [Diagram: customers build their own accreditation, own certifications and own external audits on top of AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)]
• Meet your own security objectives
• Customer scope and effort is reduced
• Better results through focused efforts
• Built on AWS consistent baseline controls
32. Why AWS?
How AWS Security features and services can help our Customers
34. Why Amazon Inspector?
Applications testing is key to moving fast but staying safe
Security assessment is highly manual, resulting in delays or missed security checks
Valuable security subject matter experts spend too much time on routine security assessment
37. Amazon Inspector rulesets
CVE
Network Security Best Practices
Authentication Best Practices
Operating System Best Practices
Application Security Best Practices
PCI DSS 3.0 Readiness
47. AWS Config
Fully managed service which provides:
• An inventory of your AWS resources
• Lets you audit the resource configuration history
• Notifies you of resource configuration changes
• Logs are placed in a customer defined S3 bucket
48. AWS Config Rules features
Flexible rules evaluated continuously and retroactively
Dashboard and reports for common goals
Customizable remediation
API automation
49. AWS Config Rules – example rules
Is CloudTrail enabled?
Are in-use volumes encrypted?
Are resources appropriately tagged?
Is incoming SSH disabled?
Are instances running in the correct VPC?
Are Elastic IPs attached to the correct EC2 instances?
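A Config rule is answered by a function that receives the configuration item Config recorded for a resource and returns a compliance verdict. The Python below is an added example, not code from the deck, showing the evaluation logic for "Is incoming SSH disabled?" on an AWS::EC2::SecurityGroup, in the shape a custom-rule Lambda handler would use; the sample event is constructed, and the boto3 put_evaluations call that would send the verdict back to Config is left out so the code runs offline.

```python
import json

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}

def _covers_ssh(perm: dict) -> bool:
    # A rule reaches SSH if it allows all protocols, or TCP on a range containing 22.
    proto = perm.get("ipProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("fromPort", 0) <= SSH_PORT <= perm.get("toPort", 65535)

def _open_to_world(perm: dict) -> bool:
    # Config emits both the legacy string list (ipRanges) and the object lists.
    cidrs = set(perm.get("ipRanges", []))
    cidrs |= {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)

def evaluate_security_group(item: dict) -> dict:
    """Build the evaluation a custom rule would report back to AWS Config."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    else:
        perms = item.get("configuration", {}).get("ipPermissions", [])
        bad = [p for p in perms if _covers_ssh(p) and _open_to_world(p)]
        compliance = "NON_COMPLIANT" if bad else "COMPLIANT"
        note = (f"{len(bad)} inbound rule(s) allow SSH from anywhere"
                if bad else "no inbound rule allows SSH from anywhere")
    return {"ComplianceResourceType": item.get("resourceType"),
            "ComplianceResourceId": item.get("resourceId"),
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item.get("configurationItemCaptureTime")}

def lambda_handler(event: dict, context=None) -> dict:
    # Config delivers the configuration item inside the JSON-encoded invokingEvent.
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return evaluate_security_group(item)

# Constructed sample event (not captured from a real account): a group that
# allows SSH and HTTPS from 0.0.0.0/0.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2015-10-01T12:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}}})}
```

The same structure (parse the configuration item, inspect one attribute, return a verdict) serves the other example rules on the slide, such as checking the encrypted flag on an AWS::EC2::Volume or the vpcId on an AWS::EC2::Instance.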
51. AWS Config Rules benefits
Continuous monitoring for unexpected changes
Shared compliance across your organization
Simplified management of configuration changes
54. Evolution of security & compliance at AWS
[Diagram: AWS certifications, Customer enabler docs, Customer case studies, Security by Design (SbD); underpinned by AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config]
55. Security by Design - SbD
Security by Design (SbD) is a modern security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.
It is a systematic approach to ensure security; instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process.
Services: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
56. Putting it all together (SbD)
Build your AWS applications using Security by Design
Continuous Compliance through Config Rules
Continuous Compliance through Inspector
Customer Workload
58. New security training
Training: Security Fundamentals on AWS
– Free online course for Security Auditors, Analysts and Management
– 5 modules over 3 hours; progress is saved
Details at aws.amazon.com/training
59. New security training
Training: Security Operations on AWS
– 3 day class for: Security Engineers/Architects, Security Analysts and Auditors
– 11 modules with X Labs
Details at aws.amazon.com/training
64. Getting help - Trusted Advisor
Performs a series of security configuration checks of your AWS environment:
• Open ports
• Unrestricted access
• IAM use
• CloudTrail Logging
• S3 Bucket Permissions
• Multi-factor authentication
• Password Policy
• DB Access Risk
• DNS Records
• Load Balancer configuration