
Best Practices for AWS Cloud Security & Cost Optimization

I presented it at the "Pune Cloud Engineers and Architects" Meetup.

Meetup link: https://www.meetup.com/Pune-Cloud-Engineers-and-Architects-AWS/events/247948687/



  1. Copyright © 2016 Talentica Software (I) Pvt Ltd. All rights reserved.
     Best Practices for AWS Cloud Security & Cost Optimization
     Presented by Pulkit Gupta
  2. Agenda
     • What is Cloud Security?
     • AWS Shared Security Model
     • AWS Security Best Practices
     • AWS GuardDuty: intelligent threat detection
     • Automate security checks
     • AWS cost saving and optimization strategies
     • AWS cost analysis tool: Netflix ICE
     • Discussion, Q&A
  3. Cloud Security?
     Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
  4. Cloud security controls
     • Preventive controls strengthen the system against incidents, generally by reducing, if not actually eliminating, vulnerabilities.
     • Detective controls are intended to detect and react appropriately to any incidents that occur.
     • Corrective controls reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident.
  5. AWS Shared Security Model
  7. Shared Security Model for infrastructure services (EC2, EBS, VPC)
  9. Shared Security Model for platform services (RDS, EMR, etc.)
  11. AWS Security Best Practices
  12. Encrypt Everything!!
  13. Encryption options
     • Server-side encryption for most services: S3, EBS, RDS, Redshift, etc.
     • Flexible key management: AWS Key Management Service (KMS), AWS CloudHSM
     • 3rd-party encryption: Trend Micro, SafeNet, Vormetric, HyTrust, Sophos, etc.; see the AWS Marketplace: https://aws.amazon.com/marketplace/
     • Client-side encryption: tricky business, please be careful
  14. Encryption during EBS creation
  15. Encryption during RDS creation
  16. IAM Best Practices
     1. Create users
     2. Apply the principle of least privilege
     3. Factorize permissions with groups
     4. Enable CloudTrail to log all API calls
     5. Use a strong password policy
     6. Rotate security credentials regularly
     7. Enable MFA for privileged users
     8. Use IAM roles to delegate permissions
     9. Delete credentials for the root account
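Item 2 of the IAM list, least privilege, is easiest to enforce when policies are checked mechanically before they are attached. The following linter is an added example written for this page, not code from the talk or from AWS: it walks an IAM policy document and flags the patterns that defeat least privilege (`Action: "*"`, service-wide `service:*`, `Resource: "*"` without a `Condition`, and `NotAction`). The three sample policies are constructed placeholders; the exemption for read-only `Describe`/`List`/`Get` actions on `Resource: "*"` is the example's own design choice, since many of those API calls accept no narrower resource.

```python
"""Lint IAM policy documents for least-privilege violations (added example)."""
from typing import Any, Dict, List

# Constructed sample policies; bucket names are placeholders.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AdminAll", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}
SERVICE_WIDE_POLICY = {
    "Version": "2012-10-17",
    # A single statement may be a dict rather than a list; the linter accepts both.
    "Statement": {"Effect": "Allow", "Action": ["s3:*"],
                  "Resource": "arn:aws:s3:::app-bucket/*"},
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAppBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]},
        {"Sid": "InventoryOnly", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
         "Resource": "*"},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny",
         "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

READ_ONLY_PREFIXES = ("describe", "list", "get")


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars or lists for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    """True for actions such as ec2:DescribeInstances that only read state."""
    verb = action.split(":", 1)[-1].lower()
    return verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy: Dict) -> List[str]:
    """Return one human-readable finding per least-privilege violation."""
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        # Deny statements only ever narrow access; nothing to flag there.
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"statement[{index}]"
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action except those listed")
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        for action in actions:
            if action == "*":
                findings.append(f"{sid}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' grants every call in that service")
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]
        if "*" in resources and not stmt.get("Condition") \
                and not (actions and all(_is_read_only(a) for a in actions)):
            findings.append(f"{sid}: Resource '*' with no Condition on a write-capable statement")
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY),
                      ("service-wide", SERVICE_WIDE_POLICY),
                      ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or "OK")
```

Run it against a policy file before `iam:PutUserPolicy` or as a CI step on your CloudFormation templates; the scoped policy passes, the other two do not.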
  17. Log Everything
  18. Logs? Sure, we got logs!
     • Infrastructure logs: AWS CloudTrail, VPC Flow Logs
     • Service logs: Amazon S3, AWS Elastic Load Balancing, Amazon CloudFront, AWS Lambda, AWS Elastic Beanstalk
     • Instance logs: UNIX / Windows logs, NGINX/Apache/IIS, your own logs
  19. CloudTrail logs
     • Enable CloudTrail in all regions: this takes 10 seconds, and it works for all regions, even those you don't use yet.
     • Encrypt logs: SSE-S3 by default; KMS is supported too.
     • Export logs to CloudWatch Logs: easier to search, and you can trigger alerts on specific events.
     • Centralize logs in a single place: a single bucket, which could be in a dedicated account.
  20. Automate security checks
  21. You can automate on multiple levels
     • Infrastructure / application automation: AWS CloudFormation, AWS OpsWorks
     • DIY automation: AWS CloudTrail > CloudWatch Logs > CloudWatch alerts; API calls > Amazon CloudWatch Events > SNS / Lambda
     • Compliance automation: Amazon Inspector, AWS Config
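Slides 19 and 21 describe the "CloudTrail > CloudWatch Logs > alerts" pipeline without showing what an alert condition looks like. The code below is an added example, not from the talk: it runs three detective-control rules over a CloudTrail log file (root-account use, console login without MFA, and calls that stop or alter the trail itself) and returns findings with a severity. The records are constructed for this example; account id `111122223333`, the user names and the trail name `org-trail` are placeholders.

```python
"""Detection rules over CloudTrail records (added, defender-side example).

Assumes the input is CloudTrail's log-file JSON ({"Records": [...]}) as it
arrives in S3 or CloudWatch Logs. All identities below are constructed.
"""
import json
from typing import Dict, Iterator, List

SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2018-03-01T09:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2018-03-01T09:05:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2018-03-01T09:10:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventVersion": "1.05", "eventTime": "2018-03-01T09:15:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"}},
]})

# CloudTrail API calls that can blind the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def iter_records(log_text: str) -> Iterator[Dict]:
    """Yield the individual event records from one CloudTrail log file."""
    yield from json.loads(log_text).get("Records", [])


def inspect_record(rec: Dict) -> List[Dict]:
    """Apply every rule to one record and return zero or more findings."""
    findings: List[Dict] = []
    ident = rec.get("userIdentity", {})
    name = rec.get("eventName")

    def add(rule: str, severity: str, detail: str) -> None:
        findings.append({"rule": rule, "severity": severity,
                         "actor": ident.get("arn", "unknown"),
                         "time": rec.get("eventTime"), "event": name,
                         "detail": detail})

    # Rule 1: direct use of the root account. "invokedBy" marks calls made on
    # the account's behalf by an AWS service, which are not a person logging in.
    if ident.get("type") == "Root" and "invokedBy" not in ident:
        add("root-account-usage", "high", "root credentials used directly")

    # Rule 2: a successful console login where MFA was not used.
    if (name == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        add("console-login-without-mfa", "medium", "MFAUsed != Yes")

    # Rule 3: someone switching off or reconfiguring the trail.
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        trail = rec.get("requestParameters", {}).get("name", "?")
        add("cloudtrail-tampering", "high", f"{name} on trail {trail}")

    return findings


def scan(log_text: str) -> List[Dict]:
    """Run inspect_record over a whole log file and flatten the findings."""
    return [f for rec in iter_records(log_text) for f in inspect_record(rec)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['rule']}: {f['actor']} {f['event']} "
              f"at {f['time']} ({f['detail']})")
```

The same three conditions map one-to-one onto CloudWatch Logs metric filters once the trail is exported there; rule 1, for instance, is the filter pattern `{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS }` with an alarm on the resulting metric. Keeping the rules in code as well lets you replay archived S3 log files from before the filters existed.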
  22. Amazon Inspector
     • Automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
  23. Amazon Inspector
     • This service lets you check the configuration and the behaviour of EC2 instances.
     • Agent-based
     • Assessments can run from 15 minutes to 24 hours
     • Reports and advice on how to fix issues
     • Can be automated with the AWS API
     • Built-in rule packages
  26. AWS Config
     • AWS service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
  27. AWS Config Rules
     • Config Rules check that AWS resources are compliant.
     • You can use pre-defined rules (MFA on, CloudTrail on, EBS encryption, etc.) or your own rules.
     • Checks can be periodic (every 1, 3, 6, 12 or 24 hours) or triggered by configuration changes.
     • Notifications are sent to SNS, which means you can process them with Lambda functions.
     • Non-compliant instance? Kill it!
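Slide 27 names both halves of the loop: a rule that evaluates a resource, and a Lambda function that reacts to the SNS compliance notification. The code below is an added example, not code from the talk or from AWS. It implements a custom Config rule that marks an EBS volume compliant only when it is encrypted (the "EBS encryption" check from the slide), and a planner that turns a Config `ComplianceChangeNotification` into a remediation decision. It assumes the rule runs in Lambda under a role allowed to call `config:PutEvaluations`, so `boto3` is imported only inside the handler; the configuration items, the SNS message, the rule name `ebs-volume-encrypted` and the resource ids are constructed placeholders.

```python
"""AWS Config custom rule plus an SNS-driven remediation planner (added example)."""
import json
from typing import Dict, Optional

# Constructed configuration items in the shape Config delivers to a custom rule.
ENCRYPTED_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example111",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2018-03-01T10:00:00.000Z",
    "configuration": {"volumeId": "vol-0example111", "encrypted": True},
}
PLAINTEXT_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example222",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2018-03-01T10:00:00.000Z",
    "configuration": {"volumeId": "vol-0example222", "encrypted": False},
}
INSTANCE_ITEM = {
    "resourceType": "AWS::EC2::Instance", "resourceId": "i-0example333",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2018-03-01T10:00:00.000Z",
    "configuration": {"instanceId": "i-0example333"},
}
# Constructed SNS message body of the kind Config publishes on a compliance change.
SNS_NON_COMPLIANT = json.dumps({
    "messageType": "ComplianceChangeNotification",
    "configRuleName": "ebs-volume-encrypted",
    "resourceType": "AWS::EC2::Instance", "resourceId": "i-0example333",
    "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    "oldEvaluationResult": {"complianceType": "COMPLIANT"},
})

DELETED_STATES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def evaluate_volume(item: Dict) -> Dict:
    """Rule logic: an EBS volume is COMPLIANT only when it is encrypted.

    Returns the evaluation dict that config:PutEvaluations expects.
    """
    if item.get("resourceType") != "AWS::EC2::Volume":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    elif item.get("configurationItemStatus") in DELETED_STATES:
        compliance, note = "NOT_APPLICABLE", "resource has been deleted"
    elif item.get("configuration", {}).get("encrypted") is True:
        compliance, note = "COMPLIANT", "volume is encrypted"
    else:
        compliance, note = "NON_COMPLIANT", "volume is not encrypted"
    return {
        "ComplianceResourceType": item.get("resourceType"),
        "ComplianceResourceId": item.get("resourceId"),
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }


def lambda_handler(event: Dict, context) -> Dict:
    """Entry point for the Config custom rule (change-triggered)."""
    invoking = json.loads(event["invokingEvent"])
    evaluation = evaluate_volume(invoking["configurationItem"])
    import boto3  # assumption: available in the Lambda runtime
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def plan_remediation(sns_message: str) -> Optional[Dict]:
    """Decide what to do with a Config compliance-change notification.

    Returns None when nothing needs to happen; otherwise an action record that
    a separate, narrowly-permissioned function carries out (stop the instance,
    or just raise a ticket for resource types with no safe automatic fix).
    """
    msg = json.loads(sns_message)
    if msg.get("messageType") != "ComplianceChangeNotification":
        return None
    if msg.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    action = "stop_instance" if msg.get("resourceType") == "AWS::EC2::Instance" else "open_ticket"
    return {"action": action, "resource_type": msg.get("resourceType"),
            "resource_id": msg.get("resourceId"), "rule": msg.get("configRuleName")}


if __name__ == "__main__":
    for item in (ENCRYPTED_VOLUME, PLAINTEXT_VOLUME, INSTANCE_ITEM):
        print(item["resourceId"], evaluate_volume(item)["ComplianceType"])
    print(plan_remediation(SNS_NON_COMPLIANT))
```

Stopping rather than terminating keeps the disk for forensics, which matters when the non-compliance is itself the first sign of an incident; the planner also ignores COMPLIANT transitions so a resource that was fixed by hand is not acted on twice.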
  28. AWS Trusted Advisor
     • AWS online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment.
  29. Trusted Advisor
  31. AWS Trusted Advisor
  32. AWS GuardDuty
     • Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behaviour and protects entire AWS accounts and workloads.
     • Latest service from AWS, launched at re:Invent, Nov. 2017.
     • It can be enabled with a few clicks in the AWS Management Console, after which GuardDuty can immediately begin analysing billions of events across your AWS accounts for signs of risk.
     • When it has found something, GuardDuty gives that finding a severity rating of low, medium, or high, and customers can link those alerts into existing monitoring systems such as Splunk or PagerDuty.
  33. AWS GuardDuty
     • It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise.
     • GuardDuty also detects potentially compromised instances or reconnaissance by attackers.
     • GuardDuty runs on AWS's own infrastructure, which means customers don't have to pay for compute instances to run it, although it's not free.
     • When you enable GuardDuty for the first time, your AWS account is automatically enrolled in a 30-day GuardDuty free trial.
  34. How GuardDuty works
  35. Benefits
     • Intelligent threat detection
     • Centralized threat detection across all of your AWS accounts
     • Strengthens security through automation
     • Pricing: https://aws.amazon.com/guardduty/pricing/ – Amazon GuardDuty is priced on two dimensions: the quantity of AWS CloudTrail events analyzed (per 1,000,000 events) and the volume of Amazon VPC Flow Log and DNS log data analyzed (per GB).
  36. AWS GuardDuty
  37. AWS accounts: one or many?
     Use a single AWS account when:
     • You only need simple controls on who does what
     • You don't need to isolate projects or teams
     • You don't need to track costs separately
     Use multiple accounts when:
     • You need total isolation between projects or teams
     • You need total isolation for some of your data (such as CloudTrail logs)
     • You want to keep track of costs separately (you can still get a single bill with Consolidated Billing)
  38. Please promise me this!!!
     • Never share credentials across users / applications
     • Never store credentials in source code (they'll end up on GitHub)
     • Never store credentials on EC2 instances
     • (Almost) never work with the root account
     • Use MFA for privileged accounts
     • Enable CloudTrail in all regions
     • Encrypt everything
     • Automate security checks and alarms
  39. Best Practices for AWS Cost Optimization
  40. Who is responsible for cost control??
  42. If you don't measure it, you can't improve it.
  45. Cost Optimization
  48. Knowing your usage
  49. Pillar 2: Increase Elasticity
  54. Auto scaling options
  56. Pillar 3: Right Pricing Model
  69. Use appropriately sized EBS volumes
  73. Tools that measure and monitor AWS usage and spending
     • ICE
     • Cloudyn
     • Cloudability
     • Newvem
     • CloudCheckr
     • Cloud Vertical
  74. Netflix ICE
     • A cost analysis tool that measures and monitors AWS usage and spending.
     • Ice is a Grails project. It consists of three parts: processor, reader and UI. The processor turns the Amazon detailed billing file into data readable by the reader.
     • The reader reads data generated by the processor and serves it to the UI. The UI queries the reader and renders interactive graphs and tables in the browser.
  75. Netflix ICE
     • Ice communicates with AWS Programmatic Billing Access and maintains knowledge of the following key AWS entity categories:
     • Accounts
     • Regions
     • Services (e.g. EC2, S3, EBS)
     • Usage types (e.g. EC2 - m1.xlarge)
     • Cost and usage categories (On-Demand, Reserved, etc.)
     The UI allows you to filter directly on the above categories to custom-tailor your view.
  76. Installing ICE
     • Installation of ICE: https://github.com/Teevity/ice
     • Ice Docker image: a community image is available for deploying Ice via Docker: https://github.com/jonbrouse/docker-ice
     • Ice cookbook: a community cookbook is available for deploying Ice via Chef: https://github.com/mdsol/ice_cookbook
  77. Detail page grouped by product
  78. Reservation page grouped by on-demand, unused, reserved and upfront costs
  79. Questions??
  80. Thank You
     Presented by Pulkit Gupta
     pulkitgupta378@gmail.com
     https://github.com/pulkitgupta378
     https://twitter.com/pulkitgupta378
     https://www.linkedin.com/in/pulkit-gupta-55095224/
