What's New in AWS Security Features
1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Pre:Invent - Security, Identity, & Compliance
Manage access to AWS centrally for Azure AD users with AWS Single Sign-on
Improve the Security Between AWS Applications and Your Self-Managed Active Directory with Secure LDAP using AWS Managed Microsoft AD
Amazon Cognito now supports account recovery method prioritization
AWS Secrets Manager makes it easier to rotate secrets through CloudFormation, including secrets for Redshift clusters and DocumentDB databases
New partner integrations available for AWS Security Hub
Simplify application configuration with AWS AppConfig
AWS Key Management Service supports asymmetric keys
Simplify permissions management by using employee attributes from your corporate directory for access control
Introducing AWS Managed Rules for AWS WAF
AWS Service Catalog adds High Reliability Architectures to the Getting Started Library
Tag-on Create and Tag-Based IAM for AWS Certificate Manager and Private Certificate Authority
Amazon Elasticsearch Service announces support for encryption at rest and node-to-node encryption in AWS China (Beijing) Region, Operated by Sinnet, and the AWS China (Ningxia) Region, Operated by NWCD
Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations
Amazon Cognito now supports Sign in with Apple
Identify unused IAM roles easily and remove them confidently by using the last used timestamp
Announcing Updates to Amazon EC2 Instance Metadata Service
Amazon GuardDuty Supports Exporting Findings to an Amazon S3 Bucket
3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New Feature: AWS Single Sign-On support for Azure AD (General Availability, Security)
Create or use existing identities, including Azure AD, and manage access centrally to multiple AWS accounts and business applications, for easy browser, command line, or mobile single sign-on access by employees.
LEARN MORE: SEC308: Manage federated user permissions at scale with AWS SSO
4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
On-Premises Active Directory Federation Services (ADFS)
(Diagram: on-premises Active Directory federated through ADFS into AWS Account 1, AWS Account 2 and AWS Account 3, with two role-mapping methods: Method 1 – URL Attributes; Method 2 – Group Name.)
5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Single Sign-On with AWS Directory Service
(Diagram: on-premises Active Directory reached over a VPN connection into an Amazon VPC; AWS Directory Service, as AD Connector or AWS Managed Microsoft AD, is the identity source for AWS Single Sign-On, which grants access to AWS Account 1, AWS Account 2 and AWS Account 3.)
6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Azure Single-Sign-On
(Diagram: on-premises Active Directory synchronized to Azure AD through Azure AD Connect using 1. Password hash synchronization or 2. Pass-through Authentication; Azure AD acts as the IDP (identity provider) for AWS App1 / AWS Account 1, AWS App2 / AWS Account 2 and AWS App3 / AWS Account 3, each with its own federation.)
https://docs.microsoft.com/zh-tw/azure/active-directory/saas-apps/amazon-web-service-tutorial
7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Azure AD as an Identity Source for AWS Single Sign-On
(Diagram: on-premises Active Directory synchronized to Azure AD through Azure AD Connect; Azure AD is the identity source for AWS Single Sign-On, which provides access to the AWS App and to AWS Account 1, AWS Account 2 and AWS Account 3.)
https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/
8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introducing CloudTrail Insights (Management Tools, General Availability)
Identify unusual activity in your AWS accounts. Save time sifting through logs. Get ahead of issues before they impact your business.
• Unexpected spikes in resource provisioning
• Bursts of IAM management actions
• Gaps in periodic maintenance activity
LEARN MORE: MGT420-R: CloudTrail Insights: Identify and Solve Operational Issues
11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Foundational and Layered Security Services
(Diagram of services grouped by lifecycle phase: Identify, Protect, Detect, Respond, Recover, Automate, Investigate.)
Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS IoT Device Defender, KMS, IAM, AWS Single Sign-On, Snapshot Archive, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Organizations, Personal Health Dashboard, Amazon Route 53, AWS Direct Connect, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Step Functions, Amazon Cloud Directory, AWS CloudHSM, AWS Certificate Manager, AWS Control Tower, AWS Service Catalog, AWS Well-Architected Tool, AWS Trusted Advisor, Resource Access Manager, AWS Directory Service, Amazon Cognito, Amazon S3 Glacier, AWS CloudFormation, AWS OpsWorks, Amazon Detective.
12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Investigations are resource intensive & time consuming
• Collect and combine terabytes of log data
• Transform the data using ETL tools, custom scripting
• Finding the right set of visualization tools to view the data
• Translate investigation questions into queries to help answer questions
13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introducing AWS Detective (Preview, Security)
Quickly analyze, investigate, and identify the root cause of security findings and suspicious activities.
• Automatically distills & organizes data into a graph model
• Easy to use visualizations for faster & effective investigation
• Continuously updated as new telemetry becomes available
LEARN MORE: SEC312: Introduction to Amazon Detective
14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How Amazon Detective Works
15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Detective – Investigation Example
(Screenshot: abnormal activity in the Sydney region.)
16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Detective – Investigation Example
(Screenshot: failed calls spiking and then falling; successful calls ramping up.)
17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Detective – Investigation Example
(Screenshot: finding indicating crypto-mining activity.)
18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Detective – Investigation Example
(Screenshot: traffic to Bitcoin-related IPs.)
22. Indicator search
Amazon Detective example use cases
• Did this suspicious user agent issue any API calls?
• Did this IP address from this threat report communicate with any of my instances over the last year?
23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introducing AWS IAM Access Analyzer (General Availability, Security)
Continuously ensure that policies provide the intended public and cross-account access to resources, such as Amazon S3 buckets, AWS KMS keys, & AWS Identity and Access Management roles.
• Uses automated reasoning, a form of mathematical logic, to determine all possible access paths allowed by a resource policy
• Analyzes new or updated resource policies to help you understand potential security implications
• Analyzes resource policies for public or cross-account access
LEARN MORE: SEC309: Deep Dive into AWS IAM Access Analyzer
24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM Access Analyzer (AWS Identity and Access Management Access Analyzer, General Availability, Security)
An IAM capability to generate comprehensive findings if your resource policies grant public or cross-account access.
• Continuously identify resources with overly broad permissions
• Resolve findings by updating policies to protect your resources from unintended access before it occurs, or archive findings for intended access
• Automated Reasoning evaluates all possible access paths, verified by mathematical proofs. Thousands of policies can be analyzed in a few seconds
25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How it works
(Diagram: Access Analyzer examines IAM Roles, S3 Buckets, Lambda Functions, KMS Keys and SQS Queues to answer "Who has access to what".)
26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits of AWS IAM Access Analyzer
• Uses automated reasoning, a form of mathematical logic & inference, to determine all possible access paths allowed by a resource policy
• Continuously monitors and automatically analyzes any new or updated resource policy to help you understand potential security implications
• Analyzes thousands of policies in seconds for public or cross-account access
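The public versus cross-account distinction these slides describe, as an added example that is not Access Analyzer's own code: a deliberately simplified checker that reads a constructed S3 bucket policy and labels each Allow statement by the account IDs in its Principal element. It assumes well-formed policy JSON, looks only at AWS principals (Service and Federated principals are ignored) and does not evaluate Condition blocks, which the real service's automated reasoning does.

```python
import json
import re

# Constructed sample S3 bucket policy (not from the deck): same-account,
# cross-account, public and a Deny statement.
OWNER_ACCOUNT = "111111111111"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/public/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/private/*"},
]})

# Matches a bare account ID or an IAM ARN and captures the 12-digit account.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

def principal_accounts(principal):
    """Account IDs named by a Principal element; '*' means anyone (public).
    Only the AWS key is inspected; Service/Federated principals are ignored."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    accounts = set()
    for v in values:
        m = ACCOUNT_RE.match(v)
        accounts.add(m.group(1) if m else v)  # '*' and unknown forms pass through
    return accounts

def analyze_policy(policy_json, owner_account):
    """Classify each Allow statement as public, cross-account or same-account.
    Returns [(statement index, classification, sorted principals)]."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        accounts = principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            kind = "public"
        elif accounts - {owner_account}:
            kind = "cross-account"
        else:
            kind = "same-account"
        findings.append((i, kind, sorted(accounts)))
    return findings
```

A practitioner would archive the same-account finding and review the cross-account and public ones, which is the triage loop the slides describe.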
27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Access Analyzer for S3 (Access Analyzer for S3, General Availability, Security)
An S3 capability to generate comprehensive findings if your resource policies grant public or cross-account access.
• Continuously identify resources with overly broad permissions across your entire AWS organization
• Resolve findings by updating policies to protect your resources from unintended access before it occurs, or archive findings for intended access