Secure Your Data with Recommended Best Practices Enabled by AWS Security and Governance Services
1. PUBLIC SECTOR SUMMIT
NEW DELHI
2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. PUBLIC SECTOR SUMMIT
Secure Your Cloud with Recommended Best Practices Enabled by AWS Security and Governance Services
Durga Prasad Kakaraparthi
Manager, Solutions Architecture
AISPL
Kaushik Mohanty
Principal BD, AWS Service Catalog and AWS
Control Tower
AWS
3. Agenda
AWS Shared Responsibility Model
AWS Security Best Practices
AWS Service Catalog and AWS Control Tower
Take Action
5. Security is everyone’s job
6. Security and compliance – Shared responsibility
8. Top best practices: Strong identity foundation
Root account should never be used
Consider AWS Organizations
Set account security questions & contacts
Centralize identities
Audit periodically
9. Top best practices: Strong identity foundation
Never store credentials or secrets in code
Enforce MFA on everything
Use IAM roles for users and services
Establish least privileged policies
Use temporary credentials
10. How to: Enforce MFA
User can only assume a role with MFA
[Diagram: IAM user with permissions → MFA token → role with permissions in the AWS Cloud]
http://bit.ly/AWSWALabs
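One way to express the MFA-gated role assumption shown on this slide, as an added example that is not from the deck: a role trust policy that admits callers only when aws:MultiFactorAuthPresent is true, next to the same trust relationship without the condition, plus a small audit check of the kind the "Audit periodically" bullet calls for. The account id is a placeholder and the helper function names are hypothetical.

```python
ACCOUNT_ID = "123456789012"  # placeholder account id, not a real account

# Role trust policy that admits IAM users of the account only when the
# calling session already carries an MFA context (constructed example).
MFA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Same trust relationship without the condition: a long-term access key
# alone is enough to assume the role (constructed weak example).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
    }],
}


def _actions(stmt):
    # IAM accepts a single string or a list; action names are case-insensitive.
    acts = stmt.get("Action", [])
    acts = [acts] if isinstance(acts, str) else list(acts)
    return [a.lower() for a in acts]


def _grants_assume_role(stmt):
    return any(a in ("sts:assumerole", "sts:*", "*") for a in _actions(stmt))


def _requires_mfa(stmt):
    # Only the strict Bool operator enforces MFA. BoolIfExists also matches
    # when the key is absent, which is exactly the long-term-credential case.
    cond = stmt.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def assume_role_requires_mfa(trust_policy):
    """True only if every Allow statement granting sts:AssumeRole requires MFA."""
    grants = [s for s in trust_policy.get("Statement", [])
              if s.get("Effect") == "Allow" and _grants_assume_role(s)]
    return bool(grants) and all(_requires_mfa(s) for s in grants)
```

The user's own identity policy must still allow sts:AssumeRole on the role ARN; the trust policy is what blocks assumption without MFA.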
11. Top best practices: Enable traceability
Consider Amazon GuardDuty
Configure application & infrastructure logging
Centralize using a SIEM
Proactively monitor
Regular reviews of news & best practices
12. How to: Enable traceability
Use AWS CloudFormation!
http://bit.ly/D3T3cT
13. Top best practices: Network protection
Amazon CloudFront + AWS WAF
Amazon VPC and security groups
Private connectivity – VPC peering, VPN, AWS Direct Connect
Service endpoints
Enforce service level permission
14. How to: Network protection
[Diagram: Users → www.example.com → Region / VPC with Instances and Bucket]
WAF Automation: https://amzn.to/2PbHOpz
15. Top best practices: Apply security at all layers
Harden operating systems & defaults
Use anti-malware + intrusion detection
Scan infrastructure
Scan code
Patch vulnerabilities
16. How to: Compute protection
17. How to: Scan vulnerabilities
Scan instances with Amazon Inspector
https://amzn.to/2DT9jyg
Scan code in the pipeline
Dependency Check: http://bit.ly/2SPzUAp
Testing
OWASP Zap: http://bit.ly/2yWwzqN
18. How to: Serverless
• Authorization and authentication – API
• Enforce boundaries – AWS services & network
• Input validation
• Protect sensitive data
19. Top best practices: Automate security best practices
Template infra: AWS CloudFormation/AWS SAM
Automate build and test
AWS Config rules for verification
Automate response to non-compliance
Automate response to events
20. How to: Automate management
Automation
Patch manager
State manager
https://amzn.to/2AaOwSg
https://amzn.to/2DSTLdK
https://amzn.to/2Qihzxm
21. How to: Automate checks
AWS Config Rules
22. Top best practices: Protect data
Encryption mechanisms are enforced
Verify accessibility of data (e.g. Amazon S3 & Amazon EBS)
Consider AWS Certificate Manager (ACM)
Consider tokenization to substitute sensitive data
Data segmentation and isolation
23. How to: Classify your data
• Start classifying data based on sensitivity
• Use resource tags to help define the policy
Amazon Macie: discover, classify, and protect sensitive data in AWS
IAM control: http://bit.ly/IAMctrlTAG
24. How to: Keep people away from data
Dashboards for users
Tools for administrators
25. Top best practices: Incident response
Prepare for different scenarios
Pre-deploy tools using automation
Pre-provision access for response teams
Practice responding through game days
Continuously improve your processes
26. How to: Run incident response game day
1. Schedule a four to eight hour block
2. Find a prize (bribery)
3. Supply junk food and beverages
4. Pick relevant scenarios from: https://amzn.to/2PetNro
5. Create a runbook
6. Practice
7. Have fun
27. How to: Simple run book
Event description
[Attack Type]
[Attack Description]
Data to gather for troubleshooting
[Evaluation of current data]
Steps to troubleshoot and fix
[Contain / impact / recovery / forensics]
Urgency category
[Critical, Important, moderate, informational]
Communications and escalation
28. DevSecOps CI/CD pipelines
[Diagram: CI/CD pipeline with a DevSecOps hook at each stage]
29. Security & Compliance enforced by AWS Management & Governance Services: Overview of AWS Service Catalog & AWS Control Tower
30. Enable agility + governance as you secure your cloud
YOUR AWS RESOURCES ARE GROWING OVER TIME
31. AWS Service Catalog: Provisioning and secure deployment in the cloud
[Diagram: Organizations – Curation, Compliance, Standardization; End users – Agility, Self-service, Time to market; Security + Speed]
AWS Service Catalog enables organizations to deploy and manage AWS infrastructure and applications that reflect the organization’s security and operational policies
32. Key attributes of AWS Service Catalog
[Diagram: Configure → Consume; One-stop shop]
33. AWS Control Tower: Easiest way to set up and govern a multi-account environment on AWS
Automated AWS setup: Automated landing zone with best practice blueprints
Policy enforcement: Prepackaged preventive and detective guardrails
Dashboard for oversight: Continuous visibility into accounts and workloads
34. Key attributes of AWS Control Tower
Account setup: Automated secure and scalable landing zone; Multi-account management using AWS Organizations; Central logging and multi-account configuration consistency
Built-in best practices: Multi-account preventive and detective guardrails; Easy-to-use dashboard and notifications; Curated rules in plain English
[Diagram: Account provisioning wizard, Guardrails, Landing Zone]
35. Take action!
CAF: aws.amazon.com/professional-services/CAF/
W-A: aws.amazon.com/well-architected
W-A Labs: http://bit.ly/AWSWALabs
AWS sec twitter: @AWSSecurityInfo
AWS sec blog: https://aws.amazon.com/blogs/security/
36. Thank you!
Durga Prasad Kakaraparthi
Manager, Solutions Architecture
AWS
Kaushik Mohanty
Principal BD, AWS Service Catalog and AWS
Control Tower
AWS
37. Download our app to enhance your Summit experience
Access the agenda, build your own schedule, provide feedback easily and more
38. Three ways to get started:
• Scan the QR code on the screen or at the back of your attendee badge
• Search “AWS Global Summits” in Apple Store or Google Play
• Visit guidebook.com/app/aws
39. Tap on the featured guide, tap “Download Guide”, then tap “Open”
40. Summit Session Feedback
Take a quick five question survey – let us know how we can improve.
Three ways to take the survey:
• Access the Summit app - session survey tab
• Scan the QR code
• Visit https://amzn.to/summit-session
Ballroom 1 & 2