AWS Summit 2014 Melbourne - Breakout 3
The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.
Presenter: Stephen Quigg, Solutions Architect, APAC, Amazon Web Services
2. Our customers have different viewpoints on security
PR: Keep out of the news!
CEO: Protect shareholder value
CI(S)O: Preserve the confidentiality, integrity and availability of data
3. Security is always our number one priority at AWS
People & procedures, network security, physical security, platform security
Comprehensive Security Capabilities to Support Virtually Any Workload
21. You are making API calls... on a growing set of services... CloudTrail is continuously recording API calls... and delivering log files to you
22. Security analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track changes to AWS resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot operational issues: Quickly identify the most recent changes made to resources in your environment.
Compliance and audit aid: Easier to demonstrate compliance with internal policies and regulatory standards.
23. ‣ CloudTrail records API calls and delivers a log file to your S3 bucket.
‣ Typically, delivers an event within 15 minutes of the API call.
‣ Log files are delivered approximately every 5 minutes.
‣ Multiple partners offer integrated solutions to analyze log files, including Splunk, SumoLogic and Loggly
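Slides 22 and 23 describe CloudTrail delivering gzipped JSON files of API calls to S3 and using them to track who changed which resources. The following is an added example, not code from the deck or from AWS: it builds a constructed CloudTrail-shaped log file in memory (the record field names follow the CloudTrail record format; user names, IPs and resource ids are made up), reads it the way a log-analysis job would, lists the successful resource-changing calls with actor, source IP and whether the session was MFA-authenticated, and counts failed calls per user.

```python
import gzip
import json
from collections import Counter

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _rec(time, name, user, ip, mfa, params, error=None):
    """Build one CloudTrail-shaped record (constructed sample data, not a real log)."""
    rec = {
        "eventVersion": "1.01", "eventTime": time, "eventSource": "ec2.amazonaws.com",
        "eventName": name, "awsRegion": "ap-southeast-2", "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user,
                         "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
        "requestParameters": params,
    }
    if error:
        rec["errorCode"] = error
    return rec


# One delivered log file: CloudTrail writes {"Records": [...]} as gzipped JSON to S3.
SAMPLE_FILE = gzip.compress(json.dumps({"Records": [
    _rec("2014-05-14T01:02:03Z", "DescribeInstances", "alice", "203.0.113.10", "true", {}),
    _rec("2014-05-14T01:05:00Z", "AuthorizeSecurityGroupIngress", "alice", "203.0.113.10", "true",
         {"groupId": "sg-11111111",
          "ipPermissions": {"items": [{"fromPort": 22, "toPort": 22,
                                       "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _rec("2014-05-14T01:07:30Z", "DeleteVolume", "bob", "198.51.100.7", "false",
         {"volumeId": "vol-22222222"}),
    _rec("2014-05-14T01:09:00Z", "TerminateInstances", "bob", "198.51.100.7", "false",
         {"instancesSet": {"items": [{"instanceId": "i-33333333"}]}},
         error="Client.UnauthorizedOperation"),
]}).encode())


def load_cloudtrail_file(data):
    """Decompress one delivered log file and return its list of records."""
    return json.loads(gzip.decompress(data).decode())["Records"]


def resource_ids(params):
    """Collect values of keys ending in 'Id' anywhere inside requestParameters."""
    found = []
    if isinstance(params, dict):
        for key, value in params.items():
            if key.endswith("Id") and isinstance(value, str):
                found.append(value)
            else:
                found.extend(resource_ids(value))
    elif isinstance(params, list):
        for item in params:
            found.extend(resource_ids(item))
    return found


def is_change_event(rec):
    """True for successful calls that create, modify or delete something."""
    return (not rec["eventName"].startswith(READ_ONLY_PREFIXES)
            and "errorCode" not in rec)


def summarize_changes(records):
    """Who changed what, when, from where, and whether the session used MFA."""
    out = []
    for rec in records:
        if not is_change_event(rec):
            continue
        ident = rec.get("userIdentity", {})
        mfa = (ident.get("sessionContext", {}).get("attributes", {})
               .get("mfaAuthenticated") == "true")
        out.append({
            "time": rec["eventTime"], "actor": ident.get("userName", ident.get("type")),
            "ip": rec["sourceIPAddress"], "action": rec["eventName"],
            "resources": resource_ids(rec.get("requestParameters", {})), "mfa": mfa,
        })
    return out


def failed_calls_by_actor(records):
    """Count denied/failed calls per user; a burst of these is worth investigating."""
    return Counter(r["userIdentity"].get("userName", "?") for r in records if "errorCode" in r)


if __name__ == "__main__":
    recs = load_cloudtrail_file(SAMPLE_FILE)
    for change in summarize_changes(recs):
        print(change)
    print(failed_calls_by_actor(recs))
```

The read-only prefix list is a simplification; a real pipeline would also treat the CloudTrail `readOnly` flag and the event source, and would key alerts on specific event names (security group and IAM changes first).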
24. Amazon CloudWatch Logs can monitor your system, application and custom log files from Amazon EC2 instances and other sources, for example:
Monitor your web server http log files and use CloudWatch Metrics filters to identify 404 errors and count the number of occurrences within a specified time period
CloudWatch Alarms can then notify you when the number of 404 errors breaches whatever threshold you decide to set – you could use this to automatically generate a ticket for investigation
Now monitor everything with CloudWatch logs
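Slide 24 sketches a metric filter counting 404s per period and an alarm on a threshold. The following added example (not from the deck or from AWS) emulates that pipeline locally so the logic can be checked before it is wired up in CloudWatch: it parses constructed combined-format access-log lines, buckets 404 responses per period, reports the periods in which an alarm configured as "count >= threshold for N consecutive periods" would fire, and tallies 404s per client to seed the investigation ticket. Timestamps, IPs and paths are made up.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed web server access-log lines (Apache/nginx "combined" format).
SAMPLE_LINES = """\
203.0.113.5 - - [14/May/2014:10:00:01 +1000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/May/2014:10:00:07 +1000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2014:10:01:02 +1000] "GET /old/page1.html HTTP/1.1" 404 209 "-" "curl/7.30"
198.51.100.9 - - [14/May/2014:10:01:03 +1000] "GET /old/page2.html HTTP/1.1" 404 209 "-" "curl/7.30"
198.51.100.9 - - [14/May/2014:10:01:04 +1000] "GET /old/page3.html HTTP/1.1" 404 209 "-" "curl/7.30"
198.51.100.9 - - [14/May/2014:10:01:05 +1000] "GET /old/page4.html HTTP/1.1" 404 209 "-" "curl/7.30"
203.0.113.5 - - [14/May/2014:10:02:10 +1000] "GET /about.html HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2014:10:02:11 +1000] "GET /old/page5.html HTTP/1.1" 404 209 "-" "curl/7.30"
198.51.100.9 - - [14/May/2014:10:02:12 +1000] "GET /old/page6.html HTTP/1.1" 404 209 "-" "curl/7.30"
198.51.100.9 - - [14/May/2014:10:02:13 +1000] "GET /old/page7.html HTTP/1.1" 404 209 "-" "curl/7.30"
"""

LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Split one combined-format line into client, timestamp, request and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"client": m["client"],
            "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "request": m["request"], "status": int(m["status"])}


def period_start(ts, period_seconds):
    """Floor an aware timestamp to the start of its aggregation period."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % period_seconds, tz=ts.tzinfo)


def count_404_per_period(lines, period_seconds=60):
    """The metric filter (status == 404) summed per period, as CloudWatch would store it."""
    counts = Counter()
    for line in lines.splitlines():
        entry = parse_line(line)
        if entry and entry["status"] == 404:
            counts[period_start(entry["time"], period_seconds)] += 1
    return counts


def alarm_periods(counts, threshold, evaluation_periods=1, period_seconds=60):
    """Period starts at which an alarm 'count >= threshold for evaluation_periods
    consecutive periods' would be in ALARM. Periods with no data count as zero."""
    if not counts:
        return []
    step = timedelta(seconds=period_seconds)
    current, last = min(counts), max(counts)
    streak, firing = 0, []
    while current <= last:
        streak = streak + 1 if counts.get(current, 0) >= threshold else 0
        if streak >= evaluation_periods:
            firing.append(current)
        current += step
    return firing


def top_404_clients(lines):
    """Which clients produced the 404s; the first thing an investigator will ask."""
    return Counter(e["client"] for e in map(parse_line, lines.splitlines())
                   if e and e["status"] == 404)


if __name__ == "__main__":
    counts = count_404_per_period(SAMPLE_LINES)
    for period in alarm_periods(counts, threshold=3, evaluation_periods=2):
        print("ALARM at", period.isoformat(), "count", counts[period])
    print(top_404_clients(SAMPLE_LINES))
```

With a threshold of 3 over two consecutive one-minute periods, only the 10:02 period fires; a single-period alarm would already fire at 10:01. Tuning those two numbers against real traffic is what keeps the auto-generated tickets useful.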
26. Defense in Depth
Multi level security
• Physical security of the data centers
• Network security
• System security
• Data security
27. AWS Security Delivers More Control & Granularity
Choose what’s right for your business needs
Defense in depth
Rapid scale for security
Automated checks with AWS Trusted Advisor
Fine grained access controls
Server side encryption
Multi-factor authentication
Dedicated instances
Direct connection, Storage Gateway
HSM-based key storage
Services shown: AWS CloudHSM, AWS IAM, Amazon VPC, AWS Direct Connect, AWS Storage Gateway
28. AWS EMPLOYEE ACCESS
‣ Staff vetting
‣ No logical access to customer instances
‣ Control-plane access limited and monitored
Bastion hosts, Least privileged model, Zoned data center access
‣ Access based on strict business needs
‣ Separate PAMS
31. Create your own private, isolated section of the AWS cloud
AWS Virtual Private Cloud
• Provision a logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity
Diagram: VPC spanning Availability Zone A and Availability Zone B
32. Segregate your VPC into subnets to create your architecture
Diagram: Web, App and DB subnets
33. Each subnet has directional network access control lists
Diagram: Web, App and DB subnets with ACL entries Allow and Deny all traffic
34. Each EC2 instance has five stateful security group firewalls
Diagram: Web, App and DB tiers permitting Port 443 between tiers
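Slides 32 to 34 show a Web, App and DB tier where each security group admits traffic only from the tier in front of it, and slide 27 mentions automated checks with Trusted Advisor. The following added example (not from the deck, not AWS code) reviews a constructed set of security group rules: one check lists rules open to the whole Internet on anything but the allowed public ports, the other checks that each inner tier's rules reference only the expected upstream security group. Group ids, ports and the two deliberately weak rules are made up.

```python
import ipaddress

# Constructed three-tier layout: each tier should only admit traffic from the
# tier in front of it. Two rules are deliberately weak so the checks report something.
GROUPS = {
    "sg-web": [
        {"proto": "tcp", "from": 443, "to": 443, "source": "0.0.0.0/0"},
        {"proto": "tcp", "from": 22, "to": 22, "source": "0.0.0.0/0"},       # admin port open to the world
    ],
    "sg-app": [
        {"proto": "tcp", "from": 443, "to": 443, "source": "sg-web"},
    ],
    "sg-db": [
        {"proto": "tcp", "from": 3306, "to": 3306, "source": "sg-app"},
        {"proto": "tcp", "from": 3306, "to": 3306, "source": "10.0.0.0/16"},  # whole VPC, not just App
    ],
}

# Which security group each tier may accept traffic from (None = the public edge).
EXPECTED_CHAIN = {"sg-web": None, "sg-app": "sg-web", "sg-db": "sg-app"}


def is_world(source):
    """True if the rule's source is a CIDR covering the whole address space (v4 or v6)."""
    if source.startswith("sg-"):
        return False
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def unrestricted_rules(groups, allowed_public_ports=(80, 443)):
    """Rules open to 0.0.0.0/0 or ::/0 on any port outside the allow-list,
    the same idea as Trusted Advisor's unrestricted-port check."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            if is_world(rule["source"]):
                ports = set(range(rule["from"], rule["to"] + 1))
                if ports - set(allowed_public_ports):
                    findings.append((name, rule["from"], rule["to"]))
    return findings


def chain_violations(groups, chain):
    """Rules on an inner tier whose source is anything other than the tier in front of it."""
    findings = []
    for name, expected_source in chain.items():
        if expected_source is None:
            continue
        for rule in groups[name]:
            if rule["source"] != expected_source:
                findings.append((name, rule["source"]))
    return findings


if __name__ == "__main__":
    for group, lo, hi in unrestricted_rules(GROUPS):
        print(f"{group}: ports {lo}-{hi} open to the world")
    for group, src in chain_violations(GROUPS, EXPECTED_CHAIN):
        print(f"{group}: unexpected source {src}")
```

Referencing the upstream security group by id rather than by CIDR is what makes the chain hold as Auto Scaling adds and removes instances; a CIDR rule on the DB tier quietly admits every host in that range.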
35. Control which subnets can route to the Internet or on-premise
Diagram: Web subnet PUBLIC; App and DB subnets PRIVATE; REPLICATE ON-PREM
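Slides 31, 32 and 35 describe choosing a private IP range, carving it into per-tier subnets across Availability Zones, and deciding per subnet whether it can route to the Internet or on-premises. The following added example (not from the deck, not AWS code) does that planning with the standard library: it rejects a non-RFC 1918 VPC range, allocates one /24 per (tier, AZ) pair, and classifies a subnet from its route table entries. Route tables and gateway ids are constructed placeholders.

```python
import ipaddress
from itertools import product

# RFC 1918 blocks: the "private IP range" the slide says you choose for the VPC.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_range(cidr):
    """True if the whole CIDR sits inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr)
    return any(block.version == net.version and net.subnet_of(block) for block in RFC1918)


def plan_subnets(vpc_cidr, tiers, azs, new_prefix=24):
    """Carve the VPC range into one subnet per (tier, AZ) pair, allocated in order."""
    if not is_private_range(vpc_cidr):
        raise ValueError(f"{vpc_cidr} is not an RFC 1918 range")
    pool = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {(tier, az): str(next(pool)) for tier, az in product(tiers, azs)}


def classify_routes(routes):
    """routes: list of (destination, target) as in a VPC route table.
    'internet' means the default route points at an Internet gateway (public subnet);
    'on_prem' means some route points at a virtual private gateway (Direct Connect or VPN)."""
    internet = any(dest == "0.0.0.0/0" and target.startswith("igw-") for dest, target in routes)
    on_prem = any(target.startswith("vgw-") for _, target in routes)
    return {"internet": internet, "on_prem": on_prem}


# Constructed route tables for the three tiers of slide 35 (gateway ids are placeholders).
ROUTE_TABLES = {
    "web": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "app": [("10.0.0.0/16", "local")],
    "db":  [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vgw-PLACEHOLDER")],
}

if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["web", "app", "db"], ["ap-southeast-2a", "ap-southeast-2b"])
    for (tier, az), cidr in plan.items():
        print(tier, az, cidr, classify_routes(ROUTE_TABLES[tier]))
```

Only the web subnets get a default route to the Internet gateway; the DB subnets reach the corporate range through the virtual private gateway and nothing else, which is the "replicate on-prem" path of the slide.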
36. You can securely share resources between VPCs
Route traffic between VPCs in private and peer specific subnets between each VPC. Even between AWS accounts.
Diagram: Digital Websites, Big Data Analytics, Enterprise Apps and Common Services VPCs connected with AWS VPC Peering
37. You can connect in private to your existing datacentres
Diagram: YOUR AWS ENVIRONMENT (Digital Websites, Big Data Analytics, Dev and Test, Enterprise Apps) linked to YOUR PREMISES by AWS Direct Connect, and by VPN over the Internet
38. Build solutions that can absorb attacks and scale out
Diagram: Distributed attackers and Customers reach Route53, CloudFront and Amazon S3 in the Sydney region; inside Your VPC, WAF instances sit behind ELBs in front of App instances, each layer in Auto Scaling groups
41. AWS Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, SOUTH AMERICA (Sao Paulo), EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney)
It’s not just having services in a couple of regions
42. You can stay onshore in Australia if you need to
AWS Sydney Region: Multiple availability zones
45. YOU CAN ENCRYPT ALL OF YOUR DATA
CHOOSE WHAT’S RIGHT FOR YOU
Automated – AWS manages encryption
Enabled – user manages encryption using AWS
Client-side – user manages encryption their own way
46. ENCRYPT YOUR SENSITIVE DATA
AWS CLOUDHSM
AMAZON S3 SSE
AMAZON GLACIER
AMAZON REDSHIFT
AMAZON RDS
47. You can store your encryption keys in AWS CloudHSM
Managed and monitored by AWS, but you control the keys
Increase performance for applications that use HSMs for key storage or encryption
Comply with stringent regulatory and contractual requirements for key protection
Diagram: EC2 Instance connected to AWS CloudHSM
50. Control access and segregate duties everywhere
With AWS IAM you get to control who can do what in your AWS environment and from where
Fine-grained control of your AWS cloud with two-factor authentication
Integrated with your existing corporate directory using SAML 2.0 and single sign-on
Diagram: AWS account owner; Network management; Security management; Server management; Storage management
51. AWS IAM: Recent innovations
Securely control access to AWS services and resources
• Delegation
– Roles for Amazon EC2
– Cross-account access
• Powerful integrated permissions
– Resource level permissions: Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation
– Access control policy variables
– Policy Simulator
– Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk
• Federation
– Web Identity Federation
– AD and Shibboleth examples
– Partner integrations
• Strong authentication
– MFA-protected API access
– Password policies
• Enhanced documentation and videos
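Slides 50 and 51 list resource-level permissions, policy variables, the Policy Simulator and MFA-protected API access. The following added example (not from the deck, and not the IAM engine or the Policy Simulator itself) is a small evaluator for IAM-style policy documents that shows how those pieces interact: an explicit Deny always wins, anything not allowed is implicitly denied, `${aws:username}` is substituted into resource ARNs, and the "deny destructive calls unless MFA is present" pattern is expressed with a BoolIfExists condition on aws:MultiFactorAuthPresent so that a request with no MFA key at all (a long-term access key) is also denied. The policies, user names and the 123456789012 account id are constructed; only the Bool, BoolIfExists and StringEquals operators are implemented.

```python
import fnmatch
import re

# Constructed policies: a broad EC2 allow, an S3 allow scoped with the
# ${aws:username} policy variable, and a deny-unless-MFA guard on destructive calls.
POLICIES = [
    {"Statement": [
        {"Sid": "Ec2All", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Sid": "OwnHomePrefix", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::corp-home/${aws:username}/*"},
    ]},
    {"Statement": [
        {"Sid": "DestructiveNeedsMfa", "Effect": "Deny",
         "Action": ["ec2:TerminateInstances", "ec2:StopInstances"], "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ]},
]


def _listify(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern, ctx):
    """Replace ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), pattern)


def _condition_holds(condition, ctx):
    """Evaluate the subset of IAM condition operators used above."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            same = present and str(ctx[key]).lower() == str(expected).lower()
            if operator == "Bool" and not same:
                return False                      # missing key fails a plain Bool
            if operator == "BoolIfExists" and present and not same:
                return False                      # missing key satisfies BoolIfExists
            if operator == "StringEquals" and not same:
                return False
            if operator not in ("Bool", "BoolIfExists", "StringEquals"):
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def _matches(stmt, ctx):
    action_ok = any(fnmatch.fnmatchcase(ctx["action"], a) for a in _listify(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(ctx["resource"], _substitute(r, ctx))
                      for r in _listify(stmt["Resource"]))
    return action_ok and resource_ok and _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, ctx):
    """Return (decision, reason): explicit Deny wins, else Allow if any statement allows,
    else implicit Deny."""
    decision, reason = "Deny", "implicit deny: no statement allows this request"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", f"explicit deny by {stmt.get('Sid', '?')}"
            decision, reason = "Allow", f"allowed by {stmt.get('Sid', '?')}"
    return decision, reason


def request(action, resource, username="alice", mfa=None):
    """Build a request context; mfa=None leaves the key absent, as for a long-term access key."""
    ctx = {"action": action, "resource": resource, "aws:username": username}
    if mfa is not None:
        ctx["aws:MultiFactorAuthPresent"] = mfa
    return ctx


if __name__ == "__main__":
    instance = "arn:aws:ec2:ap-southeast-2:123456789012:instance/i-PLACEHOLDER"
    for mfa in (True, False, None):
        print("terminate, mfa =", mfa, "->", evaluate(POLICIES, request("ec2:TerminateInstances", instance, mfa=mfa)))
    print(evaluate(POLICIES, request("s3:GetObject", "arn:aws:s3:::corp-home/alice/report.txt")))
    print(evaluate(POLICIES, request("s3:GetObject", "arn:aws:s3:::corp-home/bob/report.txt")))
```

The BoolIfExists choice is the point to test: with a plain Bool the Deny would not match a request that carries no MFA key, and an access key used from a script would be allowed to terminate instances.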
53. You get to do all of this in DEVELOPMENT, TESTING and PRODUCTION
54. Expand your skills with AWS
Certification – Exams: Validate your proven technical expertise with the AWS platform. aws.amazon.com/certification
On-Demand Resources – Videos & Labs: Get hands-on practice working with AWS technologies in a live environment. aws.amazon.com/training/self-paced-labs
Instructor-Led Courses – Training Classes: Expand your technical expertise to design, deploy, and operate scalable, efficient applications on AWS. aws.amazon.com/training