© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Pre:Invent - Security, Identity, & Compliance
Manage access to AWS centrally for Azure AD users with AWS Single Sign-on
Improve the Security Between AWS Applications and Your Self-Managed Active Directory with Secure LDAP using AWS Managed Microsoft AD
Amazon Cognito now supports account recovery method prioritization
AWS Secrets Manager makes it easier to rotate secrets through CloudFormation, including secrets for Redshift clusters and DocumentDB databases
New partner integrations available for AWS Security Hub
Simplify application configuration with AWS AppConfig
AWS Key Management Service supports asymmetric keys
Simplify permissions management by using employee attributes from your corporate directory for access control
Introducing AWS Managed Rules for AWS WAF
AWS Service Catalog adds High Reliability Architectures to the Getting Started Library
Tag-on Create and Tag-Based IAM for AWS Certificate Manager and Private Certificate Authority
Amazon Elasticsearch Service announces support for encryption at rest and node-to-node encryption in AWS China (Beijing) Region, Operated by Sinnet, and the AWS China (Ningxia) Region, Operated by NWCD
Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations
Amazon Cognito now supports Sign in with Apple
Identify unused IAM roles easily and remove them confidently by using the last used timestamp
Announcing Updates to Amazon EC2 Instance Metadata Service
Amazon GuardDuty Supports Exporting Findings to an Amazon S3 Bucket
New Feature: AWS Single Sign-On support for Azure AD (General Availability)
Security
Create or use existing identities, including Azure AD, and manage access centrally to multiple AWS accounts and business applications, for easy browser, command line, or mobile single sign-on access by employees.
LEARN MORE SEC308: Manage federated user permissions at scale with AWS SSO
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
On-Premises Active Directory Federation Services (ADFS)
[Diagram: on-premises Active Directory federated through ADFS into AWS Account 1, AWS Account 2 and AWS Account 3, with role mapping by Method 1 – URL Attributes or Method 2 – Group Name]
AWS Single Sign-On
[Diagram: on-premises Active Directory reached over a VPN connection into an Amazon VPC; AWS Directory Service (AD Connector or AWS Managed Microsoft AD) serves as the identity source for AWS Single Sign-On, which grants access to AWS Account 1, AWS Account 2 and AWS Account 3]
Azure Single Sign-On
[Diagram: on-premises Active Directory synchronized to Azure AD through Azure AD Connect, using 1. Password hash synchronization or 2. Pass-through Authentication; Azure AD acts as the IDP (identity provider) for AWS App1, AWS App2 and AWS App3 in AWS Account 1, AWS Account 2 and AWS Account 3]
https://docs.microsoft.com/zh-tw/azure/active-directory/saas-apps/amazon-web-service-tutorial
Azure AD as an Identity Source for AWS Single Sign-On
[Diagram: on-premises Active Directory synchronized to Azure AD through Azure AD Connect; Azure AD is the identity source for AWS Single Sign-On, which provides access to the AWS App across AWS Account 1, AWS Account 2 and AWS Account 3]
https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/
Introducing CloudTrail Insights (General Availability)
Management Tools
Identify unusual activity in your AWS accounts
• Save time sifting through logs
• Get ahead of issues before they impact your business

• Unexpected spikes in resource provisioning
• Bursts of IAM management actions
• Gaps in periodic maintenance activity
LEARN MORE MGT420-R: CloudTrail Insights: Identify and Solve Operational Issues
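As an added illustration of the "bursts of IAM management actions" signal named above (example code, not CloudTrail Insights' own algorithm, which AWS does not publish): it counts IAM write calls per hour in constructed CloudTrail-style records and flags an hour that sits far above the mean of the preceding hours. The events, thresholds and timestamps are all assumed.

```python
"""Flag bursts of IAM management actions in CloudTrail-style records.

Added example for the CloudTrail Insights slide; it is not the service's own
algorithm. It counts IAM write (non read-only) API calls per UTC hour and
flags an hour whose count is far above the mean of the preceding hours.
All events below are constructed samples; the action names are real IAM
API names, the timestamps are invented.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean

IAM_SOURCE = "iam.amazonaws.com"


def _ev(time: str, name: str, read_only: bool = False, source: str = IAM_SOURCE) -> dict:
    """Build a minimal CloudTrail-like record (constructed, not captured)."""
    return {"eventTime": time, "eventSource": source,
            "eventName": name, "readOnly": read_only}


# Quiet baseline: a few IAM changes per hour, plus reads and EC2 noise.
SAMPLE_EVENTS = [
    _ev("2019-11-20T09:05:00Z", "ListUsers", read_only=True),
    _ev("2019-11-20T09:10:00Z", "UpdateUser"),
    _ev("2019-11-20T10:15:00Z", "CreateRole"),
    _ev("2019-11-20T11:20:00Z", "AttachRolePolicy"),
    _ev("2019-11-20T11:40:00Z", "PutRolePolicy"),
    _ev("2019-11-20T12:00:00Z", "RunInstances", source="ec2.amazonaws.com"),
    _ev("2019-11-20T12:30:00Z", "GetUser", read_only=True),
    _ev("2019-11-20T13:00:00Z", "ListUsers", read_only=True),
]
# Then a burst: eight privilege-changing calls inside one hour.
SAMPLE_EVENTS += [
    _ev(f"2019-11-20T13:{minute:02d}:00Z", name)
    for minute, name in enumerate([
        "CreateUser", "CreateAccessKey", "AttachUserPolicy", "CreateLoginProfile",
        "PutUserPolicy", "CreateRole", "AttachRolePolicy", "UpdateAssumeRolePolicy",
    ], start=1)
]


def iam_writes_per_hour(events: list) -> Counter:
    """Count IAM management (write) calls per UTC hour.

    Read-only calls and calls to other services are ignored.
    """
    counts: Counter = Counter()
    for ev in events:
        if ev["eventSource"] != IAM_SOURCE or ev.get("readOnly", False):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        hour = ts.replace(minute=0, second=0, microsecond=0, tzinfo=timezone.utc)
        counts[hour] += 1
    return counts


def find_bursts(events: list, baseline_hours: int = 3,
                factor: float = 3.0, min_count: int = 5) -> list:
    """Return (hour_iso, count, baseline) for hours whose IAM write count is
    at least min_count and exceeds factor * mean of the previous
    baseline_hours hours. Hours without IAM writes count as zero, so quiet
    periods lower the baseline instead of being skipped.
    """
    counts = iam_writes_per_hour(events)
    if not counts:
        return []
    start, end = min(counts), max(counts)
    series = []
    hour = start
    while hour <= end:
        series.append((hour, counts.get(hour, 0)))
        hour += timedelta(hours=1)
    bursts = []
    for i in range(baseline_hours, len(series)):
        hour, count = series[i]
        baseline = mean([c for _, c in series[i - baseline_hours:i]])
        if count >= min_count and count > factor * baseline:
            bursts.append((hour.isoformat(), count, baseline))
    return bursts


if __name__ == "__main__":
    for hour_iso, count, baseline in find_bursts(SAMPLE_EVENTS):
        print(f"{hour_iso}: {count} IAM writes (baseline {baseline:.1f}/hour)")
```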
AWS Foundational and Layered Security Services
[Diagram: AWS services arranged under Identify, Protect, Detect, Respond, Recover, Automate and Investigate. Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS IoT Device Defender, KMS, IAM, AWS Single Sign-On, Snapshot Archive, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Organizations, Personal Health Dashboard, Amazon Route 53, AWS Direct Connect, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Step Functions, Amazon Cloud Directory, AWS CloudHSM, AWS Certificate Manager, AWS Control Tower, AWS Service Catalog, AWS Well-Architected Tool, AWS Trusted Advisor, Resource Access Manager, AWS Directory Service, Amazon Cognito, Amazon S3 Glacier, AWS CloudFormation, AWS OpsWorks, Amazon Detective]
Investigations are resource intensive & time consuming
• Collect and combine terabytes of log data
• Transform the data using ETL tools, custom scripting
• Finding the right set of visualization tools to view the data
• Translate investigation questions into queries to help answer questions
Introducing Amazon Detective (Preview)
Security
Quickly analyze, investigate, and identify the root cause of security findings and suspicious activities.
• Automatically distills & organizes data into a graph model
• Easy-to-use visualizations for faster & effective investigation
• Continuously updated as new telemetry becomes available
LEARN MORE SEC312: Introduction to Amazon Detective
How Amazon Detective Works
Amazon Detective – Investigation Example
[Screenshots with callouts: abnormal activity in Sydney region; failed calls spiking and then falling; successful calls ramping up; a finding indicating crypto-mining activity; traffic to Bitcoin-related IPs]
Amazon Detective example use cases
• Incident investigation
• Finding investigation
• Incident scoping
• Indicator search
Example questions: Did this suspicious user agent issue any API calls? Did this IP address from this threat report communicate with any of my instances over the last year?
Introducing AWS IAM Access Analyzer (General Availability)
Security
Continuously ensure that policies provide the intended public and cross-account access to resources, such as Amazon S3 buckets, AWS KMS keys, & AWS Identity and Access Management roles.
• Uses automated reasoning, a form of mathematical logic, to determine all possible access paths allowed by a resource policy
• Analyzes new or updated resource policies to help you understand potential security implications
• Analyzes resource policies for public or cross-account access
LEARN MORE SEC309: Deep Dive into AWS IAM Access Analyzer
AWS Identity and Access Management Access Analyzer (General Availability)
Security
An IAM capability to generate comprehensive findings if your resource policies grant public or cross-account access
• Continuously identify resources with overly broad permissions
• Resolve findings by updating policies to protect your resources from unintended access before it occurs, or archive findings for intended access
• Automated Reasoning evaluates all possible access paths, verified by mathematical proofs. Thousands of policies can be analyzed in a few seconds
How it works
[Diagram: Access Analyzer answers "who has access to what" across IAM Roles, S3 Buckets, Lambda Functions, KMS Keys and SQS Queues]
Benefits of AWS IAM Access Analyzer
• Uses automated reasoning, a form of mathematical logic & inference, to determine all possible access paths allowed by a resource policy
• Continuously monitors and automatically analyzes any new or updated resource policy to help you understand potential security implications
• Analyzes thousands of policies in seconds for public or cross-account access
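An added example of the check the Access Analyzer slides describe, applied to a constructed S3 bucket policy (example code, not Access Analyzer's implementation, which uses automated reasoning over the full policy language): it classifies each Allow statement's Principal as public, cross-account or internal, shows the overly broad "before" policy beside a narrowed "after" policy that yields no findings, and marks an anonymous principal that carries a Condition as needing review rather than reasoning about it. The bucket name and the 12-digit account ids are placeholders.

```python
"""Screen a resource policy's Allow statements for public or cross-account principals.

Added example, not Access Analyzer's implementation: the service reasons over
the whole policy language, while this only inspects the Principal element
(AWS and Service principal types) and treats a Condition on an anonymous
principal as "needs review". The bucket policies are constructed samples;
111122223333 and 999999999999 are placeholder account ids.
"""
import json

OWN_ACCOUNT = "111122223333"  # placeholder: the account that owns the bucket

# Constructed "before" policy with three externally reachable statements.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}},
    ],
})

# Constructed "after" policy: access limited to one role in the owning account,
# plus an explicit Deny (never a finding) for requests without TLS.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def account_of(principal_value: str) -> str:
    """Map one AWS principal string to its account id ('*' for anonymous)."""
    if principal_value == "*":
        return "*"
    if len(principal_value) == 12 and principal_value.isdigit():
        return principal_value  # bare account id form
    parts = principal_value.split(":")
    # arn:partition:iam::ACCOUNT:resource -> the account id is field 4
    if len(parts) >= 6 and parts[2] == "iam":
        return parts[4]
    return "unknown"


def classify_statement(stmt: dict, own_account: str) -> str:
    """Return 'public', 'public-conditional', 'cross-account', 'internal',
    'service' or 'none' for one statement, based on its Principal."""
    if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
        return "none"
    principal = stmt["Principal"]
    if principal == "*":
        accounts = ["*"]
    elif isinstance(principal, dict):
        aws = principal.get("AWS", [])
        accounts = [account_of(p) for p in ([aws] if isinstance(aws, str) else aws)]
        if not accounts:
            return "service" if "Service" in principal else "none"
    else:
        return "none"
    if "*" in accounts:
        # A condition such as aws:PrincipalOrgID may narrow '*'; flag it for
        # review instead of trying to reason about the condition here.
        return "public-conditional" if stmt.get("Condition") else "public"
    if any(acct != own_account for acct in accounts):
        return "cross-account"
    return "internal"


def screen_policy(policy_json: str, own_account: str = OWN_ACCOUNT) -> list:
    """Return findings [{'sid', 'access'}] for statements granting access
    outside own_account; an empty list means no external access was found."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        access = classify_statement(stmt, own_account)
        if access in ("public", "public-conditional", "cross-account"):
            findings.append({"sid": stmt.get("Sid", "<no sid>"), "access": access})
    return findings


if __name__ == "__main__":
    print("before:", screen_policy(WEAK_POLICY))
    print("after: ", screen_policy(FIXED_POLICY))
```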
AWS Access Analyzer for S3 (General Availability)
Security
An S3 capability to generate comprehensive findings if your resource policies grant public or cross-account access
• Continuously identify resources with overly broad permissions across your entire AWS organization
• Resolve findings by updating policies to protect your resources from unintended access before it occurs, or archive findings for intended access
Thank you!
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

What's New in AWS Security Features

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 2. Pre:Invent - Security, Identity, & Compliance
    - Manage access to AWS centrally for Azure AD users with AWS Single Sign-on
    - Improve the Security Between AWS Applications and Your Self-Managed Active Directory with Secure LDAP using AWS Managed Microsoft AD
    - Amazon Cognito now supports account recovery method prioritization
    - AWS Secrets Manager makes it easier to rotate secrets through CloudFormation, including secrets for Redshift clusters and DocumentDB databases
    - New partner integrations available for AWS Security Hub
    - Simplify application configuration with AWS AppConfig
    - AWS Key Management Service supports asymmetric keys
    - Simplify permissions management by using employee attributes from your corporate directory for access control
    - Introducing AWS Managed Rules for AWS WAF
    - AWS Service Catalog adds High Reliability Architectures to the Getting Started Library
    - Tag-on Create and Tag-Based IAM for AWS Certificate Manager and Private Certificate Authority
    - Amazon Elasticsearch Service announces support for encryption at rest and node-to-node encryption in AWS China (Beijing) Region, Operated by Sinnet, and the AWS China (Ningxia) Region, Operated by NWCD
    - Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations
    - Amazon Cognito now supports Sign in with Apple
    - Identify unused IAM roles easily and remove them confidently by using the last used timestamp
    - Announcing Updates to Amazon EC2 Instance Metadata Service
    - Amazon GuardDuty Supports Exporting Findings to an Amazon S3 Bucket
  • 3. New Feature: AWS Single Sign-On support for Azure AD (General Availability, Security)
    Create or use existing identities, including Azure AD, and manage access centrally to multiple AWS accounts and business applications, for easy browser, command line, or mobile single sign-on access by employees.
    Learn more: SEC308: Manage federated user permissions at scale with AWS SSO
  • 4. On-Premises Active Directory Federation Services (ADFS)
    Diagram: on-premises Active Directory -> ADFS -> AWS Account 1, AWS Account 2, AWS Account 3. Method 1 – URL attributes; Method 2 – group name.
  • 5. AWS Single Sign-On
    Diagram: on-premises Active Directory -> VPN connection -> Amazon VPC -> AWS Directory Service (AD Connector, AWS Managed Microsoft AD) -> AWS Single Sign-On -> AWS Account 1, AWS Account 2, AWS Account 3.
  • 6. Azure Single-Sign-On
    Diagram: on-premises Active Directory -> Azure AD Connect (1. password hash synchronization, 2. pass-through authentication) -> Azure AD as IDP (identity provider) -> AWS App1, AWS App2, AWS App3 -> AWS Account 1, AWS Account 2, AWS Account 3.
    Reference: https://docs.microsoft.com/zh-tw/azure/active-directory/saas-apps/amazon-web-service-tutorial
  • 7. Azure AD as an Identity Source for AWS Single Sign-On
    Diagram: on-premises Active Directory -> Azure AD Connect -> Azure AD -> AWS Single Sign-On -> AWS App -> AWS Account 1, AWS Account 2, AWS Account 3.
    Reference: https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/
  • 8. Introducing CloudTrail Insights (Management Tools, General Availability)
    Identify unusual activity in your AWS accounts; save time sifting through logs; get ahead of issues before they impact your business.
    - Unexpected spikes in resource provisioning
    - Bursts of IAM management actions
    - Gaps in periodic maintenance activity
    Learn more: MGT420-R: CloudTrail Insights: Identify and Solve Operational Issues
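The slide lists "bursts of IAM management actions" as one of the signals CloudTrail Insights raises. The following is an added example written for this page (editor's code, not AWS code and not how CloudTrail Insights is implemented) that shows the shape of such a detector: it buckets CloudTrail-style records per minute, keeps only IAM write calls, and reports any minute whose count exceeds a multiple of the trailing median. The event records, the IAM_WRITE_ACTIONS watch-list and the thresholds are constructed assumptions.

```python
"""Minute-level burst detection over CloudTrail-style records.

Added example (editor's code, not part of the deck or of CloudTrail
Insights): it approximates the "bursts of IAM management actions" signal
by comparing each minute's count of IAM write calls against the median of
the preceding minutes. The sample events below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed watch-list of IAM write (management) API names.
IAM_WRITE_ACTIONS = {"CreateUser", "AttachUserPolicy", "CreateAccessKey", "PutUserPolicy"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format


def bucket_by_minute(events, event_source="iam.amazonaws.com", actions=IAM_WRITE_ACTIONS):
    """Count matching management calls per UTC minute.

    Each event is a dict carrying the CloudTrail record fields
    eventTime, eventSource and eventName; read-only calls are ignored.
    """
    counts = Counter()
    for ev in events:
        if ev["eventSource"] != event_source or ev["eventName"] not in actions:
            continue
        t = datetime.strptime(ev["eventTime"], TIME_FMT).replace(tzinfo=timezone.utc)
        counts[t.replace(second=0, microsecond=0)] += 1
    return counts


def find_bursts(counts, baseline_minutes=10, factor=5.0, min_calls=10):
    """Return (minute, count, baseline) for minutes whose count exceeds
    `factor` x the median of the preceding `baseline_minutes` minutes.

    Minutes with no events count as zero in the baseline, and `min_calls`
    is an absolute floor so a jump from 0 to 3 calls is not reported.
    """
    if not counts:
        return []
    first, last = min(counts), max(counts)
    minutes = []
    t = first
    while t <= last:
        minutes.append(t)
        t += timedelta(minutes=1)
    bursts = []
    for i, m in enumerate(minutes):
        if i < baseline_minutes:
            continue  # not enough history yet to form a baseline
        history = [counts.get(x, 0) for x in minutes[i - baseline_minutes:i]]
        base = median(history)
        n = counts.get(m, 0)
        if n >= min_calls and n > factor * max(base, 1):
            bursts.append((m.strftime("%Y-%m-%dT%H:%MZ"), n, base))
    return bursts


def constructed_events():
    """Constructed sample: twelve quiet minutes with two IAM writes each,
    one read-only call, then a minute with forty key/policy operations."""
    start = datetime(2019, 12, 1, 9, 0, tzinfo=timezone.utc)

    def rec(offset, name, source="iam.amazonaws.com"):
        return {"eventTime": (start + offset).strftime(TIME_FMT),
                "eventSource": source, "eventName": name}

    events = [rec(timedelta(minutes=m, seconds=10 * k), "PutUserPolicy")
              for m in range(12) for k in range(2)]
    events.append(rec(timedelta(minutes=5), "ListUsers"))  # read-only, ignored
    events += [rec(timedelta(minutes=12, seconds=k),
                   "CreateAccessKey" if k % 2 else "AttachUserPolicy")
               for k in range(40)]
    return events


if __name__ == "__main__":
    for when, n, base in find_bursts(bucket_by_minute(constructed_events())):
        print(f"{when}: {n} IAM write calls (trailing median {base})")
```

Run stand-alone it prints the single burst minute. The absolute floor (`min_calls`) matters in practice: a median of zero makes any ratio-based rule fire on the first real call, which is why the check compares against `max(base, 1)` and also demands a minimum count.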
  • 11. AWS Foundational and Layered Security Services
    Functions: Identify, Protect, Detect, Respond, Automate, Investigate, Recover.
    Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS IoT Device Defender, KMS, IAM, AWS Single Sign-On, Snapshot, Archive, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Organizations, Personal Health Dashboard, Amazon Route 53, AWS Direct Connect, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Step Functions, Amazon Cloud Directory, AWS CloudHSM, AWS Certificate Manager, AWS Control Tower, AWS Service Catalog, AWS Well-Architected Tool, AWS Trusted Advisor, Resource Access Manager, AWS Directory Service, Amazon Cognito, Amazon S3 Glacier, AWS CloudFormation, AWS OpsWorks, Amazon Detective.
  • 12. Investigations are resource intensive and time consuming
    - Collect and combine terabytes of log data
    - Transform the data using ETL tools and custom scripting
    - Find the right set of visualization tools to view the data
    - Translate investigation questions into queries that help answer them
  • 13. Introducing Amazon Detective (Preview, Security)
    Quickly analyze, investigate, and identify the root cause of security findings and suspicious activities.
    - Automatically distills and organizes data into a graph model
    - Easy-to-use visualizations for faster and more effective investigation
    - Continuously updated as new telemetry becomes available
    Learn more: SEC312: Introduction to Amazon Detective
  • 14. How Amazon Detective works
  • 15. Amazon Detective – Investigation Example: abnormal activity in the Sydney region
  • 16. Amazon Detective – Investigation Example: failed calls spiking and then falling; successful calls ramping up
  • 17. Amazon Detective – Investigation Example: finding indicating crypto-mining activity
  • 18. Amazon Detective – Investigation Example: traffic to Bitcoin-related IPs
  • 19. Amazon Detective example use cases: incident investigation
  • 20. Amazon Detective example use cases: finding investigation
  • 21. Amazon Detective example use cases: incident scoping (incident investigation)
  • 22. Amazon Detective example use cases: indicator search
    - Did this suspicious user agent issue any API calls?
    - Did this IP address from this threat report communicate with any of my instances over the last year?
  • 23. Introducing AWS IAM Access Analyzer (General Availability, Security)
    Continuously ensure that policies provide the intended public and cross-account access to resources, such as Amazon S3 buckets, AWS KMS keys, and AWS Identity and Access Management roles.
    - Uses automated reasoning, a form of mathematical logic, to determine all possible access paths allowed by a resource policy
    - Analyzes new or updated resource policies to help you understand potential security implications
    - Analyzes resource policies for public or cross-account access
    Learn more: SEC309: Deep Dive into AWS IAM Access Analyzer
  • 24. AWS IAM Access Analyzer (General Availability, Security)
    An IAM capability to generate comprehensive findings if your resource policies grant public or cross-account access.
    - Continuously identify resources with overly broad permissions
    - Resolve findings by updating policies to protect your resources from unintended access before it occurs, or archive findings for intended access
    - Automated reasoning evaluates all possible access paths, verified by mathematical proofs; thousands of policies can be analyzed in a few seconds
  • 25. How it works
    Diagram: Access Analyzer answers "who has access to what" for IAM roles, S3 buckets, Lambda functions, KMS keys, and SQS queues.
  • 26. Benefits of AWS IAM Access Analyzer
    - Uses automated reasoning, a form of mathematical logic and inference, to determine all possible access paths allowed by a resource policy
    - Continuously monitors and automatically analyzes any new or updated resource policy to help you understand potential security implications
    - Analyzes thousands of policies in seconds for public or cross-account access
  • 29. Access Analyzer for S3 (General Availability, Security)
    An S3 capability to generate comprehensive findings if your resource policies grant public or cross-account access.
    - Continuously identify resources with overly broad permissions across your entire AWS organization
    - Resolve findings by updating policies to protect your resources from unintended access before it occurs, or archive findings for intended access
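Slides 23 to 29 describe Access Analyzer findings as "public or cross-account access" granted by a resource policy. The block below is an added example written for this page (editor's code, not Access Analyzer's implementation, which reasons over the whole policy language rather than pattern-matching principals): it walks the Allow statements of a bucket policy, classifies each principal as public, cross-account, same-account or service, and emits one finding per outside grant, carrying a `conditional` flag when a Condition block still has to be reviewed. The bucket policy, the account ids 111111111111 and 222222222222, and the bucket name are constructed placeholders; the same Principal grammar is used by KMS key policies and IAM role trust policies, so `analyze_policy()` works for those documents as well.

```python
"""Flag public and cross-account principals in an AWS resource policy.

Added example (editor's code, not Access Analyzer's implementation):
a simplified principal-based classifier that shows what a "public" or
"cross-account" finding is. Account ids and the policy are constructed
placeholders.
"""
import json
import re

# Account id embedded in IAM/STS principal ARNs, e.g. arn:aws:iam::123456789012:role/x
ACCOUNT_IN_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _principals(stmt):
    """Normalise the Principal element to a flat list of principal strings.

    Non-AWS principal types (Service, Federated, CanonicalUser) are prefixed
    with their key so the classifier can tell them apart.
    """
    p = stmt.get("Principal")
    if p is None:
        return []
    if p == "*":
        return ["*"]
    out = []
    for key, val in p.items():
        for v in (val if isinstance(val, list) else [val]):
            out.append(v if key == "AWS" else f"{key}:{v}")
    return out


def classify_principal(principal, own_account):
    """Return 'public', 'cross-account', 'same-account' or 'service'."""
    if principal == "*":
        return "public"
    if ":" in principal and not principal.startswith("arn:"):
        return "service"            # Service:, Federated:, CanonicalUser:
    if principal.isdigit():
        account = principal         # bare account id
    else:
        m = ACCOUNT_IN_ARN.match(principal)
        if not m:
            return "public"         # unrecognised form: treat as worst case
        account = m.group(1)
    return "same-account" if account == own_account else "cross-account"


def analyze_policy(policy, own_account):
    """Return one finding per Allow statement/principal pair that grants
    access from outside `own_account`. Deny statements and same-account or
    service principals produce no finding. `conditional` marks statements
    whose Condition block a reviewer still has to evaluate."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc["Statement"]
    if isinstance(stmts, dict):
        stmts = [stmts]
    findings = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        for principal in _principals(stmt):
            kind = classify_principal(principal, own_account)
            if kind in ("public", "cross-account"):
                findings.append({"sid": stmt.get("Sid"), "principal": principal,
                                 "access": kind, "actions": actions,
                                 "conditional": "Condition" in stmt})
    return findings


# Constructed bucket policy; account ids and bucket name are placeholders.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerList", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/partner-reader"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "InternalWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for f in analyze_policy(SAMPLE_BUCKET_POLICY, "111111111111"):
        flag = " (conditional)" if f["conditional"] else ""
        print(f"{f['sid']}: {f['access']} access for {f['principal']} -> {f['actions']}{flag}")
```

Against the constructed policy the checker reports `PublicRead` (public) and `PartnerList` (cross-account, conditional); the same-account root grant, the S3 logging service principal and the Deny statement are not findings. Unrecognised principal forms are deliberately reported as public, which mirrors the slide's point that a finding is resolved either by tightening the policy or by archiving it once the access is confirmed as intended.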
  • 31. Thank you!