
New AWS Security Solutions to Protect Your Workload

Amazon AWS held the seventh AWS re:Invent, re:Invent 2018, at the end of November 2018 in Las Vegas, USA. With AWS customers, partners, media, industry analysts and AWS employees all taking part, attendance reached a new high of more than 50,000. At the event AWS announced more than 20 cloud solutions, more than half of them focused on cloud AI, machine learning and IoT: additional advanced features for SageMaker, the launch of its first purpose-built machine-learning inference chip, support for further deep machine-learning algorithms, and other solutions covering storage, databases, hybrid cloud and edge-computing IoT. The appearance of DeepRacer, a miniature self-driving RC car with on-board machine learning, not only caught the eye but, through its attention to customer experience, won over users worldwide.

To keep you in step with leading global technology, share the latest trend information, and help solve the problems you encounter in developing machine learning and AIoT, the AWS Taiwan team will hold "AWS re:Invent 2018 Recap Taipei" on Thursday, 31 January 2019, with content carefully selected for the needs of local practitioners and enterprises, presenting AWS's new services and solutions in two tracks, "Technical Innovation" and "AIoT". In addition to Dr. Zhang Xia (張俠), Principal Evangelist for Amazon AWS Greater China, who will share the AWS solutions roadmap, many senior AWS experts will present new solutions including machine learning and deep-learning inference acceleration, fully managed file systems and databases, serverless, containers and security, as well as the latest in big data and analytics, IoT service applications and storage. You are welcome to attend and experience the full range of innovation that AWS's new services can create for you.


  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Security Recap. James Chiang (蔣宗恩), Solution Architect, Amazon Web Services
  2. 239 new security features
  3. Behind the scenes - SecOps on-call. AWS Security Ticket - Port Scanning abuse case created …
  4. Original Amazon EC2 host architecture: a server running management, security, and monitoring; storage; customer instances; network; hypervisor
  5. Amazon EC2 - C3 & C4 instances launched • Improved performance by isolating functions within the hypervisor; moving them away from hardware • Offloaded network processing to dedicated hardware within the system, decoupling from hardware that managed the hypervisor, saving significant CPU time through more efficient network packet processing • Offloaded storage, requiring Amazon EC2 host software to validate, encrypt and route storage requests
  6. 2017: Amazon EC2 C5 instances launched. Nitro system: management, security, and monitoring; storage; network. Server: customer instances on the Nitro hypervisor
  7. Resource-based policies
  8. VPN Connection, Network Load Balancer, Inter-Region VPC Peering, Bring Your Own IP Address
  9. (image only)
  10. AWS Config - Overview: continuous change of resources, recording, history, stream, snapshot (ex. 2018-06-05)
  11. Store the compliance history of AWS resources evaluated by Config rules
  12. Now offers agentless network assessments
  13. Amazon GuardDuty adds three new threat detections: UnauthorizedAccess:EC2/TorClient, UnauthorizedAccess:EC2/TorRelay, CryptoCurrency:EC2/BitcoinTool.B
  14. (image only)
  15. Processes an average of 92.7 million flow log records per second
  16. Amazon GuardDuty = automatic cost savings • Travel company | 44% reduction in GuardDuty spend • Financial services company | 82% reduction • Automotive company | 79% reduction • Social media company | 86% reduction
  17. Introducing: Amazon S3 block public access
  18. Amazon S3 block public access
  19. (image only)
  20. From reactive to proactive. Pace of innovation: 1800+ updates. Meets pace of protection: 239 security updates … through automation
  21. Pattern for automated remediation: Detection, Alerting, Remediation, Countermeasures, Forensics. Inputs: VPC Flow Logs, APIs, team collaboration
  22. Amazon CloudWatch + AWS Lambda + AWS Systems Manager. Event → Systems Manager documents run on the Amazon EC2 instance (ec2-user$ top, ec2-user$ pcap) to collect instance contents; Amazon EBS volume → Amazon EBS snapshot
  23. (image only)
  24. AWS security workflow: Identify, Protect, Detect, Respond, Recover. Investigate, Automate, Archive, Snapshot. Amazon Macie
  25. Problem statement: 1. Compliance - ensure that your AWS infrastructure meets compliance requirements. 2. Multiple formats - dozens of security tools with different data formats. 3. Prioritization - large volume of alerts and the need to prioritize. 4. Visibility - lack of a single pane of glass across security and compliance tools
  26. AWS Security Hub overview
  27. Partner integrations: Firewalls, Vulnerability, SOAR, SIEM, Endpoint, Compliance, MSSP, Other
  28. Partner integration examples - CrowdStrike
  29. Setup and multi-account
  30. Compliance checks
  31. Insights
  32. Response and remediation: Event (event-based) → Rule
  33. (image only)
  34. Customers end up with multi-account challenges. Paradox of choice: too many design decisions. Setup complexity: granular AWS policies across multiple accounts & services. Ongoing management: centrally managing compliance and security of multiple accounts
  35. Multi-Account Recommended Approach. Core accounts: AWS Organizations (account management), Log Archive (security logs), Security (security tools, AWS Config rules), Shared Services (directory, limit monitoring), Network (Direct Connect). Team/group accounts: Dev Sandbox (experiments, learning), Dev (development), Pre-Prod (staging), Prod (production), Team Shared Services (team shared services, data lake). Developer accounts. The diagram also shows the network path, an optional network path, the log flow, and a data center
  36. Introducing AWS Control Tower (preview). Consistent and simple multi-account management. Automated AWS setup: launch an automated landing zone with best-practices blueprints. Policy enforcement: pre-packaged guardrails to enforce policies or detect violations. Dashboard for oversight: continuous visibility into workload compliance with controls
  37. (repeats slide 36)
  38. Key features / benefits (landing zone, guardrails, account setup): automated, secure, and scalable landing zone; multi-account management using AWS Organizations; central logging and multi-account configuration consistency; built-in best practices; multi-account preventive and detective guardrails; curated rules in plain English; easy to use dashboard and notifications; account provisioning wizard
  39. AWS Control Tower - building blocks: account management, guardrail enforcement, landing zone. Built on AWS Security Hub, AWS Landing Zone, AWS Organizations
  40. AWS Control Tower's automated landing zone • AWS Organizations with a master and pre-created accounts for central log archive, cross-account audit, and shared services • Pre-configured directory and single sign-on using AWS SSO (with Active Directory custom option*) • Centralized monitoring and alerts using AWS Config, AWS CloudTrail, and AWS CloudWatch. Control Tower master account. *Active Directory support is a roadmap feature post GA
  41. Account Factory • Account factory for controls on account provisioning • Pre-approved account baselines with VPC options • Pre-approved configuration options • End user configuration and provisioning through AWS Service Catalog • Create/update AWS accounts under organizational units
  42. Account Factory - AWS Service Catalog
  43. AWS Service Catalog: simplifying provisioning. Organizations: curation, compliance, standardization, security. End users: agility, self-service, time to market, speed. Service Catalog enables organizations to deploy and manage AWS infrastructure and applications that reflect the organization's security and operational policies
  44. Service Catalog: simplified provisioning. Service Catalog administrator: Product - IT service or resource; Portfolio - admins create collections of products; Constraint - security, governance and deployment controls. Service Catalog end user: Products list - users see which products they can launch; Provisioned products - users can update or perform service actions
  45. (image only)
  46. Introducing AWS Key Management Service • A service that enables you to provision and use encryption keys to protect your data • Allows you to create, use, and manage encryption keys from within… – Your own applications via AWS SDK – Supported AWS services (S3, EBS, RDS, Redshift) • Available in all commercial regions
  47. How AWS Key Management Service Works. Components: client (customer or AWS service); KMS service endpoint (client AuthN and AuthZ, AWS authorization); KMS crypto module (crypto operations on customer master keys); durable, encrypted key store. 1. Client makes authenticated request of KMS for data key. 2. KMS generates data key. 3. KMS pulls encrypted customer master key from durable storage; decrypts in the KMS crypto module. 4. KMS encrypts data key with named customer master key and returns plaintext data key and encrypted data key. 5. Client uses data key to encrypt data, stores encrypted data key. To decrypt: client submits encrypted data key to KMS for decryption; data key is needed to decrypt data
  48. How AWS Services Integrate with KMS • 2-tiered key hierarchy using envelope encryption • Data keys encrypt customer data • KMS master keys encrypt data keys • Benefits: limits blast radius of compromised resources and their keys; better performance; easier to manage a small number of master keys than billions of resource keys. Diagram: master key(s) in KMS encrypt data keys 1-5, which encrypt an S3 object, an EBS volume, an RDS instance, a Redshift cluster, and your application's data
  49. How does a custom key store work
  50. Thank you! © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
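Slides 17 and 18 introduce S3 block public access but give no detail. As an added example (not code from the deck or from AWS), the following audits a bucket's `PublicAccessBlockConfiguration`, whose four keys are the real S3 setting names, and flags bucket-policy statements of the shape those settings exist to stop. The weak and hardened configurations and the policy document are constructed; the public-statement check is an approximation of S3's own public-policy evaluation.

```python
"""Audit S3 block-public-access settings and a bucket policy for public exposure.
Added example, not AWS code. The four REQUIRED_SETTINGS keys are the real
PublicAccessBlockConfiguration names; all sample data below is constructed."""

# What each block-public-access setting does when it is True.
REQUIRED_SETTINGS = {
    "BlockPublicAcls": "reject new public ACLs on the bucket and its objects",
    "IgnorePublicAcls": "ignore public ACLs that already exist",
    "BlockPublicPolicy": "reject bucket policies that grant public access",
    "RestrictPublicBuckets": "ignore public and cross-account access when the policy is public",
}


def audit_public_access_block(config: dict = None) -> list:
    """Return one finding per setting that is missing or disabled.

    An empty list means all four controls are on, which is the state a bucket
    that never needs anonymous access should be in. A missing configuration
    (config is None) counts as everything being off."""
    findings = []
    config = config or {}
    for key, purpose in REQUIRED_SETTINGS.items():
        if not config.get(key, False):
            findings.append(f"{key} is off: bucket does not {purpose}")
    return findings


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements granted to the anonymous principal.

    Approximation of what BlockPublicPolicy rejects: an Allow whose Principal is
    "*" (or {"AWS": "*"}) with no Condition narrowing who can use it. Real S3
    also treats some conditioned statements as public; this is the simple case."""
    sids = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if stmt.get("Effect") == "Allow" and anonymous and "Condition" not in stmt:
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


# Constructed: a partially configured bucket (only ACL creation blocked) ...
WEAK_CONFIG = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": False,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": False,
}
# ... and the hardened form with every control on.
HARDENED_CONFIG = {key: True for key in REQUIRED_SETTINGS}

# Constructed bucket policy: one anonymous read grant, one account-scoped grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "AccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

if __name__ == "__main__":
    for line in audit_public_access_block(WEAK_CONFIG):
        print(line)
    print("public statements:", public_statements(SAMPLE_POLICY))
    print("hardened findings:", audit_public_access_block(HARDENED_CONFIG))
```

Run against a live account, `config` would be the `PublicAccessBlockConfiguration` dict that `GetPublicAccessBlock` returns and `policy` the parsed `GetBucketPolicy` document; the audit deliberately treats an absent configuration as fully open, since that is how S3 behaves when the block was never set.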
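Slides 13, 21, 22 and 32 sketch the event-driven pattern: a GuardDuty finding arrives as a CloudWatch Events event, a Lambda function turns it into forensics (EBS snapshot, Systems Manager commands on the instance) and remediation. As an added example that is not the deck's or AWS's code, the following plans that response for a constructed finding of the `CryptoCurrency:EC2/BitcoinTool.B` type from slide 13. The event shape follows what CloudWatch Events delivers for GuardDuty findings; the quarantine security group id, the `handler` name and the `DryRunExecutor` (standing in for the boto3 EC2/SSM calls) are assumptions so the example runs offline.

```python
"""Plan an automated response to a GuardDuty finding. Added example, not AWS code.
SAMPLE_EVENT is constructed in the CloudWatch Events shape for GuardDuty findings;
QUARANTINE_SG and DryRunExecutor are placeholders for real account resources."""
import copy
import json

QUARANTINE_SG = "sg-0PLACEHOLDER"  # assumption: a pre-built security group with no inbound/outbound rules
HIGH, MEDIUM = 7.0, 4.0            # GuardDuty severity bands: high 7-8.9, medium 4-6.9, low 1-3.9

# Constructed event: CloudWatch Events wraps the finding in "detail".
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "id": "constructed-finding-id-0001",
        "type": "CryptoCurrency:EC2/BitcoinTool.B",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "title": "EC2 instance i-0123456789abcdef0 is querying a Bitcoin-related domain.",
    },
}


def variant(event: dict, **detail_overrides) -> dict:
    """Copy an event with fields of its 'detail' replaced (for trying other findings)."""
    e = copy.deepcopy(event)
    e["detail"].update(detail_overrides)
    return e


def plan_remediation(event: dict) -> list:
    """Map a finding to an ordered list of (action, params) steps.

    Follows the slide's pattern: detection (the finding) -> alerting -> forensics ->
    remediation. Findings that are not about an EC2 instance, or are below medium
    severity, get an alert and nothing automatic."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    steps = [("alert", {"finding": d["id"], "type": d["type"], "severity": d["severity"]})]
    resource = d.get("resource", {})
    if resource.get("resourceType") != "Instance" or d["severity"] < MEDIUM:
        return steps
    iid = resource["instanceDetails"]["instanceId"]
    # Forensics before isolation: the quarantine group may cut the Systems Manager
    # channel, so preserve the disk and capture volatile state first. The deck's
    # packet capture would run as its own longer-lived document.
    steps.append(("snapshot_volumes", {"instance": iid}))
    steps.append(("run_document", {
        "instance": iid,
        "document": "AWS-RunShellScript",          # real SSM document name
        "commands": ["top -b -n 1", "ss -tunap"],  # volatile state: processes, sockets
    }))
    if d["severity"] >= HIGH:
        steps.append(("isolate", {"instance": iid, "security_group": QUARANTINE_SG}))
        steps.append(("tag", {"instance": iid, "tags": {"guardduty:finding": d["id"]}}))
    return steps


class DryRunExecutor:
    """Stand-in for the code that would call EC2/SSM; records what it would do."""

    def __init__(self):
        self.log = []

    def execute(self, steps: list) -> list:
        for action, params in steps:
            self.log.append(f"{action} {json.dumps(params, sort_keys=True)}")
        return self.log


def handler(event: dict, context=None) -> list:
    """Lambda-style entry point (assumed name); returns the executed action log."""
    return DryRunExecutor().execute(plan_remediation(event))


if __name__ == "__main__":
    for line in handler(SAMPLE_EVENT):
        print(line)
```

The severity gate is the part to tune per account: the slide's "countermeasures" step (isolation) is reserved for high-severity findings here so that a medium-severity detection still produces evidence without interrupting a workload on a possible false positive.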
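Slides 46 to 48 describe the two-tier envelope-encryption hierarchy and the five-step GenerateDataKey flow. As an added example that is not the deck's or AWS's code, the following carries those steps through end to end and shows the "blast radius" point from slide 48: a leaked data key opens exactly one object, and the master key never leaves the key service. `SimulatedKMS` is an assumption standing in for AWS KMS, and the HMAC-SHA256 counter-mode cipher with an HMAC tag is a standard-library stand-in for the AES-GCM a real service would use.

```python
"""Envelope encryption in the shape of slides 47 and 48. Added example, not AWS code.
SimulatedKMS stands in for AWS KMS; the HMAC-based AEAD stands in for AES-GCM."""
import hashlib
import hmac
import os
import secrets


def _subkeys(key: bytes):
    """Derive separate keystream and MAC keys so the two uses never share inputs."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag over nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimulatedKMS:
    """Stand-in for KMS: master keys stay inside; callers only get data keys."""

    def __init__(self):
        self._master_keys = {}

    def create_key(self, key_id: str) -> str:
        self._master_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str):
        """Steps 2-4: make a data key, wrap it under the named master key,
        return both the plaintext and the wrapped form."""
        data_key = secrets.token_bytes(32)
        wrapped = key_id.encode() + b"\x00" + aead_encrypt(self._master_keys[key_id], data_key)
        return data_key, wrapped

    def decrypt(self, wrapped: bytes) -> bytes:
        """Unwrap a data key; the master key id travels in the wrapped blob."""
        key_id, blob = wrapped.split(b"\x00", 1)
        return aead_decrypt(self._master_keys[key_id.decode()], blob)


def encrypt_object(kms: SimulatedKMS, key_id: str, plaintext: bytes) -> dict:
    """Steps 1 and 5: ask for a data key, encrypt, store only the wrapped key."""
    data_key, wrapped = kms.generate_data_key(key_id)
    return {"ciphertext": aead_encrypt(data_key, plaintext), "encrypted_data_key": wrapped}


def decrypt_object(kms: SimulatedKMS, envelope: dict) -> bytes:
    """Decrypt path from slide 47: unwrap the data key via KMS, then the data."""
    return aead_decrypt(kms.decrypt(envelope["encrypted_data_key"]), envelope["ciphertext"])


def demo() -> dict:
    """Exercise the hierarchy on two constructed objects and report what held."""
    kms = SimulatedKMS()
    cmk = kms.create_key("alias/app-master")
    a = encrypt_object(kms, cmk, b"object A: payroll export")
    b = encrypt_object(kms, cmk, b"object B: build logs")
    key_b = kms.decrypt(b["encrypted_data_key"])   # imagine data key B leaked
    try:
        aead_decrypt(key_b, a["ciphertext"]); cross_key_blocked = False
    except ValueError:
        cross_key_blocked = True                   # B's key is useless for A
    tampered = dict(a, ciphertext=bytes([a["ciphertext"][0] ^ 1]) + a["ciphertext"][1:])
    try:
        decrypt_object(kms, tampered); tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"roundtrip_ok": decrypt_object(kms, a) == b"object A: payroll export",
            "distinct_data_keys": a["encrypted_data_key"] != b["encrypted_data_key"],
            "cross_key_blocked": cross_key_blocked, "tamper_detected": tamper_detected}
```

The stored envelope holds ciphertext plus the wrapped data key, never the plaintext key; rotating or disabling the master key therefore governs every object at once, while compromising one object's data key exposes only that object, which is the benefit slide 48 lists.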
