AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Transparency and Control with
AWS CloudTrail and AWS Config
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Web Services (AWS) platform overview (slide graphic, recovered as a list)
Your Applications
AWS Infrastructure
Foundation Services
• Compute: Amazon EC2, AWS Lambda
• Storage & Content Delivery: Amazon S3, AWS Storage Gateway, Amazon EBS, Amazon Glacier, Amazon CloudFront
• Database: Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift
• Networking: Amazon VPC, AWS Direct Connect, Amazon Route 53
Administration & Security
• AWS Directory Service, AWS Config, AWS Identity and Access Management, AWS Trusted Advisor, AWS CloudTrail, Amazon CloudWatch, AWS CloudHSM
Deployment & Management
• AWS Elastic Beanstalk, AWS OpsWorks, AWS CloudFormation, AWS CodeDeploy
Application Services
• Analytics: Amazon EMR, Amazon Kinesis, AWS Data Pipeline
• Application Services: Amazon SQS, Amazon SWF, Amazon AppStream, Amazon Elastic Transcoder, Amazon SES, Amazon CloudSearch
• Mobile Services: Amazon Mobile Analytics, Amazon Cognito, Amazon SNS
• Enterprise Applications: Amazon WorkDocs, Amazon WorkSpaces, Amazon WorkMail
Agenda
• Talk about AWS [‘CloudTrail’, ‘Config’]
• Ponder AWS [‘CloudTrail’, ‘Config’]
• Contemplate AWS [‘CloudTrail’, ‘Config’]
– Log diving
• Correlation between [‘CloudTrail’, ‘Config’]
• Cross-account, role-based access
TL;DR – These are “complementary services”
AWS CloudTrail (an entity did something)
• Record of API requests and response elements
  – who did what and when, from where
AWS Config (resource changes and status)
• AWS account configuration
  – Configuration item history
  – Configuration item stream
  – Configuration item snapshots
• Optionally, a notification whenever a resource is created, modified, or deleted, with the resulting configuration
AWS CloudTrail
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes:
• The identity of the API caller
• The time of the API call
• The source IP address of the API caller
• The request parameters
• The response elements returned by the AWS service
Use AWS CloudTrail to track access to APIs and IAM
Increase your visibility into what happened in your AWS environment – who did what and when, from where
• CloudTrail records API calls and saves the logs in your Amazon S3 bucket, no matter how those API calls were made
• Who did what and when, and from what IP address
• Receive notification of log file delivery using the Amazon Simple Notification Service (Amazon SNS)
• Rapid integration of AWS services since launch, with more supported services coming soon
• Aggregate log information into a single S3 bucket
• AWS Partner integration with log analysis tools from AlertLogic, Boundary, CloudCheckr, DataDog, Graylog2, LogEntries, Splunk, and SumoLogic
AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources
  – e.g., VPC security groups and NACLs
• Compliance
  – Understand AWS API call history
• Troubleshoot operational issues
  – Quickly identify the most recent changes to your environment
• AWS CloudTrail console API activity history search
  – Look up API activity captured for your AWS account in the last 7 days
  – Filter with an attribute and time range
Now monitor everything with Amazon CloudWatch Logs
Amazon CloudWatch Logs can monitor your system, application, and custom log files from Amazon EC2 instances and other sources, for example:
• Monitor your web server HTTP log files and use CloudWatch metric filters to identify 404 errors and count the number of occurrences within a specified time period
• Use CloudWatch alarms to notify you when the number of 404 errors breaches whatever threshold you decide to set – you could use this to automatically generate a ticket for investigation
AWS Config
AWS Config is a fully managed service that provides an inventory of your AWS resources, lets you audit the resource configuration history, and notifies you of resource configuration changes
AWS Config
[Slide diagram: continuous change recording – changing resources are recorded by AWS Config, which produces a History, a Stream, and a Snapshot (ex. 2015-06-26)]
Relationships
• Bi-directional map of dependencies, automatically assigned
• A change to a resource propagates to create configuration items for related resources
Relationships
Resource | Relationship | Related Resource
CustomerGateway | is attached to | VPN Connection
Elastic IP (EIP) | is attached to | Network Interface
Elastic IP (EIP) | is attached to | Instance
Instance | contains | Network Interface
Instance | is attached to | Elastic IP (EIP)
Instance | is contained in | Route Table
Instance | is associated with | Security Group
Instance | is contained in | Subnet
Instance | is attached to | Volume
Instance | is contained in | Virtual Private Cloud (VPC)
InternetGateway | is attached to | Virtual Private Cloud (VPC)
… | … | …
Configuration item
All configuration attributes for a given resource at a given point in time, captured on every configuration change
Configuration item
Component | Description | Contains
Metadata | Information about this configuration item | Version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5Hash, etc.
Common Attributes | Resource attributes | Resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc.
Relationships | How the resource is related to other resources associated with the account | EBS volume vol-1234567 is attached to an EC2 instance i-a1b2c3d4
Current Configuration | Information returned through a call to the Describe or List API of the resource | e.g., for an EBS volume: state of the DeleteOnTermination flag; type of volume, for example gp2, io1, or standard
Related Events | The AWS CloudTrail events that are related to the current configuration of the resource | AWS CloudTrail event ID
AWS Config use cases
• Security analysis
• Audit compliance
• Change management
• Troubleshooting
• Discovery
Record correlation
AWS CloudTrail Record
{
  "Records": [
    {
      …
      "responseElements": {…},
      "requestID": "27508138-3475-4b6e-9429-88118eb1622b",
      "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
      "eventType": "AwsApiCall",
      "recipientAccountId": "222222222222"
    }
  ]
}
AWS Config Record (its relatedEvents entry carries the CloudTrail eventID)
{
  "fileVersion": "1.0",
  "configurationItems": [
    {
      …
      "relatedEvents": [
        "ac21dd8c-98fe-46f8-9fce-5b77ae607346"
      ],
      "awsAccountId": "222222222222",
      "configurationItemStatus": "ResourceDiscovered",
      …
    }
  ]
}
Log diving
• This is the case of the surprise Elastic IP (bad surprise)
  – What was done?
    • Easy: an EIP was created
  – When was it created?
  – Who created it?
  – Where did it come from?
What
• Starting with AWS Config
  – Search for the origin of "eipalloc-184efb7d"
  – Use the AWS Config console Resource Lookup tool or search the AWS Config log files in Amazon S3
    • AWS Config Partners http://aws.amazon.com/config/partners/
    • Roll a bit of code …
• The EventID leads us to AWS CloudTrail
  – "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
When
• The AWS Config log file contains a timestamp
  – "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z"
• Pivot to the specific AWS CloudTrail log file based on:
  – Timestamp
  – EventID
Who and where (in the CloudTrail log)
{
  "Records": [
    {
      "eventVersion": "1.02",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAJXTPIKQ7QQEXAMPLE:bob-corpbroker",
        "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker",
        "accountId": "222222222222",
        "accessKeyId": "ASIAJOW7BLKIKEXAMPLE",
        …
      },
      "sourceIPAddress": "198.51.100.178",
      "userAgent": "acme-corp-netmgmt-internal/1.2.3.4",
      …
      "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
      …
    }
  ]
}
• ACME corporation uses a federated identity broker that leverages the company’s existing Directory Services and access control systems.
• CloudTrail logs indicate “bob” was issued a token by the broker to use the NetManager role.
  – The RoleSessionName, “bob-corpbroker”, was set by the broker when generating the STS token for “bob” via the AssumeRole API.
• “bob” connected to the EC2 API endpoint from the IP address 198.51.100.178.
• Federated identity broker logs created by ACME corporation contain additional details.
• Now we know the EIP was created by an STS token issued from the corporation.
You have fine-grained control of your AWS environment
AWS Identity and Access Management (AWS IAM) enables you to securely control access to AWS services and resources
• Control who can do what and when, from where
• Fine-grained control of user permissions, resources, and actions
• Add multi-factor authentication
  – Hardware token or smartphone apps
• Test out your new policies using the IAM policy simulator
Segregate duties between roles with IAM
[Slide diagram: a Region containing VPC A (10.0.0.0/16) with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 in two Availability Zones, a Router, an Internet Gateway to the Internet, and a Customer Gateway. The AWS account owner (master) delegates to separate Network management, Security management, Server management, and Storage management roles, which manage and operate the environment.]
You get to choose who can do what in your AWS environment and from where
Federate AWS IAM with your existing directories
Keep control of who can do what on AWS using your existing directory
• AWS IAM now supports SAML 2.0
• Federate with on-premises directories like Active Directory or another SAML 2.0 compliant identity provider
• Use Active Directory users and groups in AWS for authentication and authorization
• For example, a ‘Network Administrators’ AD security group can have access to create and manage on-premises and AWS EC2 instances or Elastic IP addresses
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
(DVO303) Scaling Infrastructure Operations with AWS
 
DevOps You Build It, You Own It!
DevOpsYou Build It, You Own It!DevOpsYou Build It, You Own It!
DevOps You Build It, You Own It!
 
Networking: New Capabilities for Amazon Virtual Private Cloud
Networking: New Capabilities for Amazon Virtual Private CloudNetworking: New Capabilities for Amazon Virtual Private Cloud
Networking: New Capabilities for Amazon Virtual Private Cloud
 
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...
 
02 amazon workspaces aws wwps dc symposium - halachmi - version 1 5
02 amazon workspaces   aws wwps dc symposium - halachmi - version 1 502 amazon workspaces   aws wwps dc symposium - halachmi - version 1 5
02 amazon workspaces aws wwps dc symposium - halachmi - version 1 5
 

Plus de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Dernier

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Dernier (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Transparency and Control with AWS CloudTrail and AWS Config

  • 1. AWS Government, Education, and Nonprofit Symposium | Washington, DC | June 25-26, 2015. Transparency and Control with AWS CloudTrail and AWS Config. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 2. Amazon Web Services (AWS) platform overview (diagram): Your Applications run on AWS Infrastructure, Foundation Services, Deployment & Management and Application Services.
      – Compute: Amazon EC2, AWS Lambda
      – Storage & Content Delivery: Amazon S3, AWS Storage Gateway, Amazon EBS, Amazon Glacier, Amazon CloudFront
      – Database: Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift
      – Networking: Amazon VPC, AWS Direct Connect, Amazon Route 53
      – Administration & Security: AWS Directory Service, AWS Config, AWS Identity and Access Management, AWS Trusted Advisor, AWS CloudTrail, Amazon CloudWatch, AWS CloudHSM
      – Deployment & Management: AWS Elastic Beanstalk, AWS OpsWorks, AWS CloudFormation, AWS CodeDeploy
      – Analytics: Amazon EMR, Amazon Kinesis, AWS Data Pipeline
      – Application Services: Amazon SQS, Amazon SWF, Amazon AppStream, Amazon Elastic Transcoder, Amazon SES, Amazon CloudSearch
      – Mobile Services: Amazon Mobile Analytics, Amazon Cognito, Amazon SNS
      – Enterprise Applications: Amazon WorkDocs, Amazon WorkSpaces, Amazon WorkMail
  • 3. Agenda
      • Talk about AWS [‘CloudTrail’, ‘Config’]
      • Ponder AWS [‘CloudTrail’, ‘Config’]
      • Contemplate AWS [‘CloudTrail’, ‘Config’]
        – Log diving
      • Correlation between [‘CloudTrail’, ‘Config’]
      • Cross-account, role-based access
  • 4. TL;DR – These are “complementary services”
      AWS CloudTrail (an entity did something)
      • Record of API requests and response elements
        – who did what and when, from where
      AWS Config (resource changes and status)
      • AWS account configuration
        – Configuration item history
        – Configuration item stream
        – Configuration item snapshots
      • Optionally, a notification whenever a resource is created, modified, or deleted, with the resulting configuration
  • 5. AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes:
      • The identity of the API caller
      • The time of the API call
      • The source IP address of the API caller
      • The request parameters
      • The response elements returned by the AWS service
  • 6. Use AWS CloudTrail to track access to APIs and IAM. Increase your visibility of what happened in your AWS environment – who did what and when, from where
      • CloudTrail will record access to API calls and save logs in your Amazon S3 bucket, no matter how those API calls were made
      • Who did what and when, and from what IP address
      • Receive notification of log file delivery using the Amazon Simple Notification Service (Amazon SNS)
      • Rapid integration of AWS services since launch, with more supported services coming soon
      • Aggregate log information into a single S3 bucket
      • AWS Partner integration with log analysis tools from AlertLogic, Boundary, CloudCheckr, DataDog, Graylog2, LogEntries, Splunk, and SumoLogic
  • 7. AWS CloudTrail logs can be used for many powerful use cases. CloudTrail can help you achieve many tasks:
      • Security analysis
      • Track changes to AWS resources
        – e.g., VPC security groups and NACLs
      • Compliance
      • Understand AWS API call history
      • Troubleshoot operational issues
        – Quickly identify the most recent changes to your environment
      • AWS CloudTrail console API activity history search
        – Look up API activity captured for your AWS account in the last 7 days
        – Filter with an attribute and time range
  • 8. Now monitor everything with Amazon CloudWatch Logs. Amazon CloudWatch Logs can monitor your system, application, and custom log files from Amazon EC2 instances and other sources, for example:
      • Monitor your web server HTTP log files and use CloudWatch metric filters to identify 404 errors and count the number of occurrences within a specified time period
      • Use CloudWatch alarms to notify you when the number of 404 errors breaches whatever threshold you decide to set – you could use this to automatically generate a ticket for investigation
  • 9. AWS Config is a fully managed service that provides an inventory of your AWS resources, lets you audit the resource configuration history, and notifies you of resource configuration changes
  • 10. AWS Config (diagram): Changing Resources feed Continuous Change Recording into AWS Config, which produces a History, a Stream, and Snapshots (ex. 2015-06-26)
  • 11. Relationships
      • Bi-directional map of dependencies, automatically assigned
      • A change to a resource propagates to create configuration items for related resources
  • 12. Relationships (Resource / Relationship / Related Resource)
      • CustomerGateway: is attached to VPN Connection
      • Elastic IP (EIP): is attached to Network Interface; is attached to Instance
      • Instance: contains Network Interface; is attached to Elastic IP (EIP); is contained in Route Table; is associated with Security Group; is contained in Subnet; is attached to Volume; is contained in Virtual Private Cloud (VPC)
      • InternetGateway: is attached to Virtual Private Cloud (VPC)
      • …
  • 13. Configuration item: all configuration attributes for a given resource at a given point in time, captured on every configuration change
  • 14. Configuration item (Component / Description / Contains)
      • Metadata: information about this configuration item. Contains the version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5Hash, etc.
      • Common Attributes: resource attributes. Contains the resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc.
      • Relationships: how the resource is related to other resources associated with the account. For example, EBS volume vol-1234567 is attached to EC2 instance i-a1b2c3d4
      • Current Configuration: information returned through a call to the Describe or List API of the resource. For example, for an EBS volume, the state of the DeleteOnTermination flag and the type of volume (gp2, io1, or standard)
      • Related Events: the AWS CloudTrail events that are related to the current configuration of the resource. Contains the AWS CloudTrail event ID
  • 15. AWS Config use cases
      • Security analysis
      • Audit compliance
      • Change management
      • Troubleshooting
      • Discovery
  • 16. Record correlation
      AWS CloudTrail Record:
      {
        "Records": [
          {
            …,
            "responseElements": {…},
            "requestID": "27508138-3475-4b6e-9429-88118eb1622b",
            "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
            "eventType": "AwsApiCall",
            "recipientAccountId": "222222222222"
          }
        ]
      }
      AWS Config Record:
      {
        "fileVersion": "1.0",
        "configurationItems": [
          {
            …,
            "relatedEvents": [ "ac21dd8c-98fe-46f8-9fce-5b77ae607346" ],
            "awsAccountId": "222222222222",
            "configurationItemStatus": "ResourceDiscovered",
            …
          }
        ]
      }
  • 18. Log diving
      • This is the case of the surprise Elastic IP (bad surprise)
        – What was done?
          • Easy: an EIP was created
        – When was it created?
        – Who created it?
        – Where did it come from?
  • 19. What
      • Starting with AWS Config
        – Search for the origin of "eipalloc-184efb7d"
        – Utilize the AWS Config console Resource Lookup tool or search the AWS Config log files in Amazon S3
      • AWS Config Partners: http://aws.amazon.com/config/partners/
      • Roll a bit of code …
      • The EventID leads us to AWS CloudTrail
        – "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
  • 20. When
      • The AWS Config log file contains a timestamp
        – "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z"
      • Pivot to the specific AWS CloudTrail log file based on:
        – Timestamp
        – EventID
  • 21. Who and where (in the CloudTrail log)
      {
        "Records": [
          {
            "eventVersion": "1.02",
            "userIdentity": {
              "type": "AssumedRole",
              "principalId": "AROAJXTPIKQ7QQEXAMPLE:bob-corpbroker",
              "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker",
              "accountId": "222222222222",
              "accessKeyId": "ASIAJOW7BLKIKEXAMPLE",
              …
            },
            "sourceIPAddress": "198.51.100.178",
            "userAgent": "acme-corp-netmgmt-internal/1.2.3.4",
            …
            "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
            …
          }
        ]
      }
  • 22. Who and where (in the CloudTrail log)
    (The same CloudTrail record as on slide 21.)
    • ACME corporation uses a federated identity broker that leverages the company’s existing Directory Services and access control systems.
    • CloudTrail logs indicate “bob” was issued a token by the broker to use the NetManager role.
      – The RoleSessionName, “bob-corpbroker”, was set by the broker when generating the STS token for “bob” via the AssumeRole API.
    • “bob” connected to the EC2 API endpoint from the IP address 198.51.100.178.
    • Federated identity broker logs created by ACME corporation contain additional details.
    • Now we know the EIP was created by an STS token issued from the corporation.
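The log-diving pivot of slides 17 to 22 (AWS Config configuration item, its relatedEvents, the matching CloudTrail eventID, then who and where) as an added Python example; this is not code from the presentation or from AWS. Both log files are constructed samples shaped like the real delivery files, the resourceType/resourceId fields on the Config item are assumed from that format, and the IDs are the ones shown on the slides.

```python
import json
from datetime import datetime, timezone

# Constructed AWS Config delivery file, shaped like the real one; the resource
# and event IDs are those shown on the slides.
CONFIG_LOG = json.dumps({"fileVersion": "1.0", "configurationItems": [{
    "resourceType": "AWS::EC2::EIP", "resourceId": "eipalloc-184efb7d",
    "awsAccountId": "222222222222", "configurationItemStatus": "ResourceDiscovered",
    "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z",
    "relatedEvents": ["ac21dd8c-98fe-46f8-9fce-5b77ae607346"]}]})

# Constructed CloudTrail delivery file; the first record is unrelated noise.
CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2015-06-19T16:40:12Z", "eventName": "DescribeAddresses",
     "eventID": "11111111-1111-1111-1111-111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/alice"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2015-06-19T16:44:31Z", "eventName": "AllocateAddress",
     "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker"},
     "sourceIPAddress": "198.51.100.178",
     "userAgent": "acme-corp-netmgmt-internal/1.2.3.4"}]})

def parse_time(stamp):
    """CloudTrail stamps whole seconds, Config adds milliseconds; both end in Z."""
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in stamp else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(stamp.rstrip("Z"), fmt).replace(tzinfo=timezone.utc)

def find_origin(config_json, cloudtrail_json, resource_id):
    """Pivot Config item -> relatedEvents -> CloudTrail eventID; returns who/where
    for the change, or None when the resource or the linked event is absent."""
    items = json.loads(config_json)["configurationItems"]
    item = next((ci for ci in items if ci["resourceId"] == resource_id), None)
    if item is None:
        return None
    captured = parse_time(item["configurationItemCaptureTime"])
    wanted = set(item.get("relatedEvents", []))
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec["eventID"] in wanted:
            gap = captured - parse_time(rec["eventTime"])  # call should precede capture
            return {"eventName": rec["eventName"], "principal": rec["userIdentity"]["arn"],
                    "sourceIPAddress": rec["sourceIPAddress"],
                    "userAgent": rec.get("userAgent"),
                    "secondsBeforeCapture": gap.total_seconds()}
    return None

if __name__ == "__main__":
    print(find_origin(CONFIG_LOG, CLOUDTRAIL_LOG, "eipalloc-184efb7d"))
```

Against real deliveries the same function runs over every file whose timestamp falls near the configurationItemCaptureTime, which is the timestamp pivot slide 20 describes.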
  • 23. AWS Identity and Access Management (AWS IAM) enables you to securely control access to AWS services and resources
    • Control who can do what and when from where
    • Fine-grained control of user permissions, resources, and actions
    • Add multi-factor authentication
      – Hardware token or smartphone apps
    • Test out your new policies using the IAM policy simulator
    You have fine-grained control of your AWS environment
  • 24. Segregate duties between roles with IAM
    [Diagram: VPC A (10.0.0.0/16) in a Region, two Availability Zones with subnets 10.0.1.0/24 and 10.0.2.0/24, a Router, an Internet Gateway to the Internet, and a Customer Gateway]
    You get to choose who can do what in your AWS environment and from where
    • AWS account owner (master)
    • Network management
    • Security management
    • Server management
    • Storage management
    Manage and operate
  • 25. Keep control of who can do what on AWS using your existing directory
    • AWS IAM now supports SAML 2.0
    • Federate with on-premises directories like Active Directory or another SAML 2.0 compliant identity provider
    • Use Active Directory users and groups in AWS for authentication and authorization
    • For example, a ‘Network Administrators’ AD security group can have access to create and manage on-premises and AWS EC2 instances or Elastic IP addresses
    Federate AWS IAM with your existing directories
  • 26. Thank You. This presentation will be loaded to SlideShare the week following the Symposium. http://www.slideshare.net/AmazonWebServices

Editor's notes

  1. When was each launched?
  2. 41 services shown of the 48
  3. When was each launched?
  4. They help you answer 4 of the 5 Ws: who, what, when, where, but not why. We will let you know when the AWS Psychic service launches. Someone always needs to take a call, so now you can split.
  5. CloudTrail covers 4 of the 5 Ws. We are researching mechanisms that use Amazon Machine Learning to investigate the WHY. CloudTrail Processing Library on GitHub. API calls are recorded no matter how they were made: console, SDK, CLI, cross-account, federation. UNSUPPORTED SERVICES: S3, Mobile Analytics, Cognito, WorkMail, EFS, AppStream, Machine Learning, SimpleDB, Import/Export, WAM
  6. Regional service with the option to deliver global service logs to each region – enable global services in one region unless you need duplicate logs
  7. CloudTrail integration with CloudWatch Logs is available in all public regions, with South America (Sao Paulo) coming soon
  8. No setup needed S3 Mobile Analytics Cognito WorkMail EFS AppStream EML
  9. No setup needed
  10. Every change to a resource causes a new configuration item to be created that captures the new configuration of the resource
  11. Security analysis: Am I safe? Audit compliance: Where is the evidence? Change management: What will this change affect? Troubleshooting: What has changed? What did I have before things went sideways? Discovery: What resources exist?
  12. Who is buried in Grant's Tomb? Logs from an EC2:AllocateAddress API action are less verbose than those from EC2:RunInstances. This could easily have been a more complex issue, such as the termination of a critical compute instance.
  13. Segregate duties and responsibilities to a fine-grained level that is probably in excess of what you can do in a physical environment. User A can change firewalls tagged ‘development’ only. User B can snapshot database storage volumes, but cannot access those volumes. All of this can be federated back to the existing enterprise directory; you do not need to set up a new directory within AWS. Your users sign into the existing directory (using existing authentication and MFA solutions), then are granted a temporary role within AWS to perform whatever duty they have been allocated. This role exists for a configurable period of time. One even more awesome feature is that your EC2 instances themselves can have roles within identity and access management, to restrict what AWS APIs the instance can call. Thus, an attacker cannot use an EC2 instance to upload data to S3 if the role assigned to the instance does not include S3 API permissions. AWS IAM also includes full multi-factor authentication for users, using either hardware Gemalto tokens or soft tokens running on all three major phone platforms.
  14. Enterprises segregate important duties to reduce the risk of accidental or malicious changes. AWS allows fine-grained segregation across virtually all aspects of the service. For example, you can segregate: who can change network configuration; who can change firewalls; who can change how the VPC connects to the Internet or back to your corporate premises; who can start and stop servers; who can snapshot and restore storage volumes. AWS IAM offers a programmatic level of control and granularity that would not be possible to implement in traditional on-premises environments.