The AWS Shared Responsibility Model in Practice
- 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Security, Identity, and Compliance
Patrick McDowell, Amazon Web Services
April 2018
- 2.
Why is security traditionally so hard?
• Lack of visibility
• Low degree of automation
- 3.
Before… Move fast OR Stay secure
- 4.
Now… Move fast AND Stay secure
- 5.
The most sensitive workloads run on AWS
“With AWS, DNAnexus enables enterprises worldwide to perform
genomic analysis and clinical studies in a secure and compliant
environment at a scale not previously possible.”
— Richard Daly, CEO DNAnexus
“The fact that we can rely on the AWS security posture to boost our
own security is really important for our business. AWS does a much
better job at security than we could ever do running a cage in a data
center.”
— Richard Crowley, Director of Operations, Slack
“We determined that security in AWS is superior to our on-premises data
center across several dimensions, including patching,
encryption, auditing and logging, entitlements, and compliance.”
— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)
- 6.
“CIOs and CISOs need to stop obsessing over
unsubstantiated cloud security worries, and instead apply
their imagination and energy to developing new
approaches to cloud control, allowing them to securely,
compliantly, and reliably leverage the benefits of this
increasingly ubiquitous computing model.”
Source: Clouds Are Secure: Are You Using Them Securely?
- 7.
AWS Shared Responsibility Model: for Infrastructure Services
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints (reached by customers through API calls)
Managed by Customers:
• Customer content
• Platform & Applications Management
• Operating System, Network & Firewall Configuration (reached through management protocols)
• Client-Side Data Encryption & Data Integrity Authentication (optional – leaves AWS handling only opaque data: 1’s and 0’s, in transit/at rest)
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
• AWS IAM and Customer IAM
- 8.
Infrastructure Service Example – EC2
RESPONSIBILITIES
AWS:
• Foundation Services — Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
Customers:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)
- 9.
AWS Shared Responsibility Model: for Container Services
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints (reached by customers through API calls)
• Operating System, Network Configuration (reached through management protocols)
• Platform & Applications Management
Managed by Customers:
• Customer content
• Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication (optional – leaves AWS handling only opaque data: 1’s and 0’s, in transit/at rest)
• Network Traffic Protection (Encryption / Integrity / Identity)
• AWS IAM and Customer IAM
- 10.
Container Service Example – RDS
RESPONSIBILITIES
AWS:
• Foundational Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
Customers:
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling
- 11.
AWS Shared Responsibility Model: for Abstract Services
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints (reached by customers through API calls)
• Operating System, Network & Firewall Configuration
• Platform & Applications Management
• Data Protection by the Platform: protection of data at rest
• Network Traffic Protection by the Platform: protection of data in transit
Managed by Customers:
• Customer content
• Client-Side Data Encryption & Data Integrity Authentication (optional – leaves AWS handling only opaque data: 1’s and 0’s, in flight / at rest)
• AWS IAM
- 12.
Abstract Service Example – S3, Lambda
AWS:
• Foundational Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
Customers:
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
- 13.
Summary of Customer Responsibility in the Cloud
Infrastructure Services:
• Data
• Applications
• Operating System
• Networking/Firewall
• Customer IAM
• AWS IAM
Container Services:
• Data
• Firewall
• Customer IAM
• AWS IAM
Abstract Services:
• Data
• AWS IAM
- 14.
Move to AWS: Strengthen your security posture
• Inherit global security and compliance controls
• Highest standards for privacy and data security
• Largest network of security partners and solutions
• Scale with superior visibility and control
• Automate with deeply integrated security services
- 15.
Inherit global security and compliance controls
- 16.
Scale with visibility and control
- 17.
Highest standards for privacy
• Encryption at scale with keys managed by our AWS Key Management Service (KMS), or managing your own encryption keys with CloudHSM using FIPS 140-2 Level 3 validated HSMs
• Meet data residency requirements: choose an AWS Region and AWS will not replicate it elsewhere unless you choose to do so
• Access services and tools that enable you to build compliant infrastructure on top of AWS
• Comply with local data privacy laws by controlling who can access content, its lifecycle, and disposal
- 18.
Automate with integrated services
Automated threat remediation: an Amazon GuardDuty finding is delivered as an Amazon CloudWatch Events event (CloudWatch Event), which triggers an AWS Lambda function (Lambda Function) that carries out the remediation.
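The GuardDuty → CloudWatch Events → Lambda flow on this slide, as an added example that is not part of the deck and not AWS sample code: a Python Lambda handler that reads a GuardDuty finding delivered by a CloudWatch Events rule and, for high-severity EC2 findings only, isolates the affected instance by replacing its security groups with a quarantine group. The event layout, the quarantine group id, the 7.0 severity threshold and the chosen set of finding types are assumptions for this example (the finding type names are real GuardDuty types); `modify_instance_attribute` is the real boto3 EC2 call, and a fake client stands in for it so the script runs without AWS credentials.

```python
import json
import os

try:
    import boto3  # present in the Lambda runtime; optional when run offline
except ImportError:
    boto3 = None

# Hypothetical quarantine security group with no inbound/outbound rules (assumption:
# handed to the function through an environment variable).
QUARANTINE_SG_ID = os.environ.get("QUARANTINE_SG_ID", "sg-0123456789abcdef0")
# GuardDuty severities are numeric; 7.0 and above is "High" (assumption: act only on High).
HIGH_SEVERITY = 7.0
# EC2 finding types this policy isolates automatically (real GuardDuty type names).
ISOLATE_TYPES = {
    "UnauthorizedAccess:EC2/RDPBruteForce",
    "UnauthorizedAccess:EC2/SSHBruteForce",
    "Trojan:EC2/DNSDataExfiltration",
    "CryptoCurrency:EC2/BitcoinTool.B",
}


def plan_remediation(event):
    """Pure decision logic: returns a dict saying what to do, with no side effects."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore", "reason": "not a GuardDuty event"}
    detail = event.get("detail", {})
    ftype = detail.get("type", "")
    severity = float(detail.get("severity", 0))
    resource = detail.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if resource.get("resourceType") != "Instance" or not instance_id:
        # IAM-credential findings and the like: alert a human rather than act blindly.
        return {"action": "notify", "reason": "non-instance resource for %s" % ftype}
    if severity < HIGH_SEVERITY or ftype not in ISOLATE_TYPES:
        return {"action": "notify", "instance_id": instance_id,
                "reason": "%s at severity %.1f is below the auto-isolate policy" % (ftype, severity)}
    return {"action": "isolate", "instance_id": instance_id,
            "finding_type": ftype, "severity": severity}


def apply_remediation(plan, ec2=None):
    """Carries out the plan; `ec2` can be injected (a fake client when testing)."""
    if plan["action"] != "isolate":
        return plan
    if ec2 is None:
        ec2 = boto3.client("ec2")
    # Replacing the instance's security groups with the quarantine group cuts its network
    # access while keeping disk and memory state intact for forensics.
    ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=[QUARANTINE_SG_ID])
    return dict(plan, quarantine_sg=QUARANTINE_SG_ID)


def lambda_handler(event, context, ec2=None):
    """Entry point Lambda invokes with the CloudWatch Events payload."""
    result = apply_remediation(plan_remediation(event), ec2=ec2)
    print(json.dumps(result))  # ends up in CloudWatch Logs as the audit record
    return result


# Constructed sample in the shape CloudWatch Events uses for GuardDuty findings (assumption).
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "region": "us-east-1",
    "detail": {
        "type": "UnauthorizedAccess:EC2/RDPBruteForce",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0abc1234def567890"},
        },
    },
}


class FakeEC2:
    """Stand-in for boto3's EC2 client so the example runs without AWS credentials."""

    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    client = FakeEC2()
    lambda_handler(SAMPLE_EVENT, None, ec2=client)
    print("EC2 calls made:", client.calls)
```

Keeping the decision in `plan_remediation` separate from the AWS call makes the policy unit-testable and reviewable; findings about IAM credentials rather than instances deliberately produce a notify-only result, since the right response there is credential rotation decided by a person, not an automatic network change.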
- 19.
AWS security solutions
Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On
Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
Incident response: AWS Config Rules, AWS Lambda
- 20.
Identity and access management
Define, enforce, and audit user permissions across AWS services, actions and resources.
AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources
AWS Organizations
Policy-based management for multiple AWS accounts
Amazon Cognito
Add user sign-up, sign-in, and access control to your web and mobile apps
AWS Directory Service
Managed Microsoft Active Directory in the AWS Cloud
AWS Single Sign-On
Centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications
- 21.
Detective control
Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
AWS CloudTrail
Enable governance, compliance, and operational/risk auditing of your AWS account
AWS Config
Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting
Amazon CloudWatch
Monitor AWS Cloud resources and your applications on AWS to collect metrics, monitor log files, set alarms, and automatically react to changes
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
VPC Flow Logs
Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs
- 22.
What can GuardDuty detect?
Example sequence of detected activity against an instance: RDP brute force, RAT installed, exfiltration of temporary IAM credentials over DNS, probing the API with the temporary credentials, attempt to compromise the account.
Finding categories:
• Known Malicious IP
• (Potentially) Unusual Ports
• DNS Exfiltration
• RDP Brute Force
• Unusual Traffic Volume
• Connect to Blacklisted Site
• (Potentially) Recon
• Anonymizing Proxy
• Temp credentials used off-instance
• Unusual ISP Caller
• Bitcoin Activity
• Unusual Instance Launch
- 23.
Infrastructure security
Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS.
Amazon EC2 Systems Manager
Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems
AWS Shield
Managed DDoS protection service that safeguards web applications running on AWS
AWS Web Application Firewall (WAF)
Protects your web applications from common web exploits, ensuring availability and security
Amazon Inspector
Automates security assessments to help improve the security and compliance of applications deployed on AWS
Amazon Virtual Private Cloud (VPC)
Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define
- 24.
Data protection
In addition to our automatic data encryption and management services, employ further features for data protection, including data management, data security, and encryption key storage.
AWS Key Management Service (KMS)
Easily create and control the keys used to encrypt your data
AWS CloudHSM
Managed hardware security module (HSM) on the AWS Cloud
Amazon Macie
Machine learning-powered security service to discover, classify, and protect sensitive data
AWS Certificate Manager
Easily provision, manage, and deploy SSL/TLS certificates for use with AWS services
Server Side Encryption
Flexible data encryption options using AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys
- 25.
Incident response
During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.
AWS Config Rules
Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known-good state
AWS Lambda
Use our serverless compute service to run code without provisioning or managing servers so you can scale your programmed, automated response to incidents
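The Config Rules plus Lambda pairing described on this slide, as an added example that is not part of the deck and not AWS sample code: a Lambda-backed custom AWS Config rule that evaluates each AWS::EC2::SecurityGroup configuration item as it changes and reports it NON_COMPLIANT when it admits the administrative ports (22 and 3389, the services GuardDuty sees brute-forced on the earlier slide) from 0.0.0.0/0 or ::/0. The configuration-item field layout and the sample payload are assumptions about the format Config delivers; `put_evaluations` and the compliance type values are the real AWS Config API, and a fake client stands in for it so the script runs offline.

```python
import json

try:
    import boto3  # present in the Lambda runtime; optional when run offline
except ImportError:
    boto3 = None

ADMIN_PORTS = {22, 3389}            # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}    # "open to the Internet" source ranges


def open_admin_ports(configuration):
    """Returns the admin ports a security group exposes to the whole Internet.
    `configuration` is the 'configuration' section of a security-group
    configuration item (field names are an assumption about the Config format)."""
    exposed = set()
    for perm in configuration.get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        if proto == "-1":               # "all traffic": every port is in range
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = perm.get("fromPort"), perm.get("toPort")
        else:
            continue                    # udp/icmp rules cannot expose SSH or RDP
        if lo is None or hi is None:
            continue
        # Source ranges have appeared as plain strings (ipRanges) and as objects
        # (ipv4Ranges/ipv6Ranges); accept both shapes.
        cidrs = set()
        for r in perm.get("ipRanges", []):
            cidrs.add(r if isinstance(r, str) else r.get("cidrIp"))
        cidrs.update(r.get("cidrIp") for r in perm.get("ipv4Ranges", []))
        cidrs.update(r.get("cidrIpv6") for r in perm.get("ipv6Ranges", []))
        if cidrs & ANYWHERE:
            exposed.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    return sorted(exposed)


def evaluate(invoking_event):
    """Pure evaluation: (compliance type, annotation) for one configuration item."""
    item = invoking_event["configurationItem"]
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule evaluates security groups only"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    ports = open_admin_ports(item.get("configuration", {}))
    if ports:
        return "NON_COMPLIANT", "admin ports %s open to 0.0.0.0/0 or ::/0" % ports
    return "COMPLIANT", "no admin ports exposed to the Internet"


def lambda_handler(event, context, config=None):
    """Entry point AWS Config invokes; reports the verdict back with put_evaluations."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate(invoking_event)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],   # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config is None:
        config = boto3.client("config")
    config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed security group: RDP from anywhere (bad), HTTPS from anywhere (fine),
# SSH only from a private range (fine).
OPEN_SG = {
    "groupId": "sg-0fedcba9876543210",
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
    ],
}

# Constructed Config invocation payload (assumption about the exact field layout).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0fedcba9876543210",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2018-04-01T12:00:00.000Z",
            "configuration": OPEN_SG,
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "resultToken": "constructed-token",
}


class FakeConfig:
    """Stand-in for boto3's Config client so the example runs offline."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = FakeConfig()
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None, config=client), indent=2))
```

The rule only reports; the slide's "returning to a known good state" would be a second, separately reviewed function keyed off the NON_COMPLIANT result, so that evaluation and remediation can be granted different IAM permissions.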
- 26.
“I have come to realize that as a relatively small organization, we can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”
— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)
• Looks for fraud, abuse, and insider trading over nearly 6 billion shares traded in U.S. equities markets every day
• Processes approximately 6 terabytes of data and 37 billion records on an average day
• Went from 3–4 weeks for server hardening to 3–4 minutes
• DevOps teams focus on automation and tools to raise the compliance bar and simplify controls
• Achieved incredible levels of assurance for consistency of builds and patching via rebooting with automated deployment scripts