© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved.
AWS and the ASD Essential Eight
John Hildebrandt
Principal Solutions Architect, AWS
Agenda
• ASD Essential Eight
• Security at AWS
• Shared Responsibility Model
• Essential Eight Walkthrough: Patching, Whitelisting, Restrict privilege and MFA, Backup, Application Hardening and Disable Macros
ASD Essential Eight
Strategies to mitigate Cyber Security incidents
The Australian Signals Directorate (ASD) developed prioritised mitigation strategies.
No single strategy is guaranteed to prevent incidents.
The list includes eight mitigation strategies with an 'essential' effectiveness rating, which ASD considers to be the cyber security baseline for all organisations.
https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm
The Essential Eight
To prevent malware running:
• Patch Applications (Top 4)
• Application Whitelisting (Top 4)
• Disable untrusted Microsoft Office macros
• User application hardening
To limit the extent of incidents and recover data:
• Patch operating systems (Top 4)
• Restrict administrative privileges (Top 4)
• Multi-factor authentication
• Daily backup of important data
https://www.asd.gov.au/publications/protect/essential-eight-explained.htm
Security at AWS
Security is Job Zero
Diagram: Network Security, Physical Security, Platform Security, People & Procedures.
AWS Security & Compliance – Every Customer benefits
Diagram: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). AWS is responsible for the security OF the Cloud.
https://www.asd.gov.au/infosec/irap/certified_clouds.htm
Shared Responsibility Model
AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
Customers decide how to implement their own security policies.
Sources of Best Practices
AWS Cloud Adoption Framework (CAF)
How to move to the cloud securely, including the “Core Five Epics”:
• Identity and Access Management
• Detective control
• Infrastructure Security
• Data Protection
• Incident Response
AWS Security Best Practices
Whitepaper with 44 best practices, including:
• Identity and Access Management (10 best practices)
• Logging and Monitoring (4)
• Infrastructure Security (15)
• Data Protection (15)
Center for Internet Security (CIS) Benchmarks
148 detailed recommendations for configuration and auditing, covering:
• “AWS Foundations” with 52 checks aligned to AWS Best Practices
• “AWS Three-Tier Web Architecture” with 96 checks for web applications
Essential Eight walkthrough
Patching
Security In the Cloud
Existing Tools
• Existing Linux
and Windows
tooling.
Leverage AWS
services
• Amazon EC2
SSM Patching
• AWS Elastic
Beanstalk
• Amazon RDS
• Amazon
Redshift
Cloud native
approaches
• Immutable
Infrastructure,
“Image baking”,
AWS
CloudFormation
• Serverless: AWS
Lambda
Introducing Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all of your Windows and Linux workloads, running in Amazon EC2 or on-premises.
Systems Manager capabilities
• Run Command
• State Manager
• Automation
• Inventory
• Patch Manager
• Maintenance Window
• Parameter Store
The slide groups these under three headings: Deploy, Configure, and Administer; Track and Update; and Shared Capabilities.
Patch Manager
• Express custom patch policies as patch baselines, e.g., apply critical patches on day 1 but wait 7 days for non-critical patches
• Perform patching during scheduled maintenance windows
• Built-in patch compliance reporting
• Eliminates manual intervention and reduces time-to-deploy for critical updates and zero-day vulnerabilities
Roll out patches using custom-defined rules and pre-scheduled maintenance windows.
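The day-1 / 7-day policy from the slide, expressed as a patch baseline and evaluated locally, as an added example that is not part of the original deck or an AWS artefact. PATCH_BASELINE follows the CreatePatchBaseline request shape (ApprovalRules / PatchRules / PatchFilterGroup) so it can be fed to `aws ssm create-patch-baseline --cli-input-json`; evaluate_patch() and instance_compliance() are simplified stand-ins for the service's auto-approval and compliance logic, and every patch record is a constructed placeholder.

```python
"""Patch-baseline approval rules modelled on the slide's example policy:
critical patches approved on day 1, non-critical patches after 7 days.
Added illustration, not AWS code: the evaluator below is a simplified local
model of Patch Manager auto-approval, and all patch data is constructed."""
from datetime import date

PATCH_BASELINE = {
    "Name": "essential-eight-windows-baseline",
    "Description": "Critical on day 1, everything else after 7 days",
    "OperatingSystem": "WINDOWS",
    "ApprovalRules": {
        "PatchRules": [
            {
                # Rule 1: critical/security updates rated Critical by MSRC
                "PatchFilterGroup": {"PatchFilters": [
                    {"Key": "CLASSIFICATION",
                     "Values": ["CriticalUpdates", "SecurityUpdates"]},
                    {"Key": "MSRC_SEVERITY", "Values": ["Critical"]},
                ]},
                "ApproveAfterDays": 1,
                "ComplianceLevel": "CRITICAL",
            },
            {
                # Rule 2: the remaining security-relevant updates wait a week
                "PatchFilterGroup": {"PatchFilters": [
                    {"Key": "CLASSIFICATION",
                     "Values": ["CriticalUpdates", "SecurityUpdates", "UpdateRollups"]},
                    {"Key": "MSRC_SEVERITY",
                     "Values": ["Important", "Moderate", "Low", "Unspecified"]},
                ]},
                "ApproveAfterDays": 7,
                "ComplianceLevel": "HIGH",
            },
        ]
    },
    # An explicit reject list always wins over the rules (empty here)
    "RejectedPatches": [],
}

# Compliance levels from least to most severe, for worst-of reporting
LEVEL_ORDER = ["UNSPECIFIED", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def _matches(patch, patch_filters):
    """A patch matches a rule only if it satisfies every filter in the group."""
    return all(patch.get(f["Key"]) in f["Values"] for f in patch_filters)


def evaluate_patch(patch, baseline, today):
    """Classify one patch against the baseline as of `today`.

    Returns (state, compliance_level); state is 'Rejected', 'Approved',
    'Pending' (a rule matched but its waiting period has not elapsed) or
    'NotApplicable' (no rule matched, so the baseline never installs it)."""
    if patch["PATCH_ID"] in baseline["RejectedPatches"]:
        return "Rejected", "UNSPECIFIED"
    for rule in baseline["ApprovalRules"]["PatchRules"]:
        if _matches(patch, rule["PatchFilterGroup"]["PatchFilters"]):
            age_days = (today - patch["ReleaseDate"]).days
            if age_days >= rule["ApproveAfterDays"]:
                return "Approved", rule["ComplianceLevel"]
            return "Pending", rule["ComplianceLevel"]
    return "NotApplicable", "UNSPECIFIED"


def instance_compliance(installed_ids, available_patches, baseline, today):
    """Compliance summary for one instance: any approved patch that is not
    installed makes it NON_COMPLIANT, reported at the worst missing level."""
    missing = []
    for patch in available_patches:
        state, level = evaluate_patch(patch, baseline, today)
        if state == "Approved" and patch["PATCH_ID"] not in installed_ids:
            missing.append((patch["PATCH_ID"], level))
    worst = max((lvl for _, lvl in missing), key=LEVEL_ORDER.index, default=None)
    return {"Status": "NON_COMPLIANT" if missing else "COMPLIANT",
            "Missing": missing, "WorstLevel": worst}


# Constructed sample data: a fixed reference date and placeholder patch ids
TODAY = date(2017, 6, 15)
SAMPLE_PATCHES = [
    {"PATCH_ID": "KB-SAMPLE-1", "CLASSIFICATION": "SecurityUpdates",
     "MSRC_SEVERITY": "Critical", "ReleaseDate": date(2017, 6, 13)},    # 2 days old
    {"PATCH_ID": "KB-SAMPLE-2", "CLASSIFICATION": "SecurityUpdates",
     "MSRC_SEVERITY": "Important", "ReleaseDate": date(2017, 6, 13)},   # 2 days old
    {"PATCH_ID": "KB-SAMPLE-3", "CLASSIFICATION": "SecurityUpdates",
     "MSRC_SEVERITY": "Important", "ReleaseDate": date(2017, 5, 9)},    # 37 days old
    {"PATCH_ID": "KB-SAMPLE-4", "CLASSIFICATION": "Drivers",
     "MSRC_SEVERITY": "Unspecified", "ReleaseDate": date(2017, 1, 1)},  # matches no rule
]

if __name__ == "__main__":
    for p in SAMPLE_PATCHES:
        print(p["PATCH_ID"], *evaluate_patch(p, PATCH_BASELINE, TODAY))
    print(instance_compliance({"KB-SAMPLE-3"}, SAMPLE_PATCHES, PATCH_BASELINE, TODAY))
```

Note that a 'Pending' patch is not counted against compliance yet, so the 7-day wait is also a window in which the compliance report looks clean while the fix is known: keep the wait short for internet-facing hosts.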
Immutable Infrastructure - AMI Build Pipeline
Diagram components: Base AMI, Foundational AMI, Full-Stack AMI, AMI Registry, AMI Builder instances, Developer, Code Repository, CI/CD Pipeline, Configuration Service.
AWS Lambda: Serverless computing
Run code without servers. Pay only for the compute time you consume.
Triggered by events or called from APIs:
• PUT to an Amazon S3 bucket
• Updates to Amazon DynamoDB table
• Call to an Amazon API Gateway endpoint
• Mobile app back-end call
• And many more…
Makes it easy to:
• Perform real-time data processing
• Build scalable back-end services
• Glue and choreograph systems
Application Whitelisting
Security In the Cloud
Existing Tools
• Existing Linux and Windows tooling.
• GPO
• Windows Applauncher
• PowerShell DSC
Leverage AWS services to augment
• AWS Directory Service, SSM Run Command and Automation.
• Amazon EC2 SSM Inventory, SSM State Manager
• AWS Config Rules
• Security Groups
Cloud native approaches
• Immutable Infrastructure, “Image baking”, AWS CloudFormation
• Serverless: AWS Lambda
• Amazon AppStream 2.0
SSM - State Manager
• Example: Configuring firewall and updating anti-malware definitions
• Define new policies using simple JSON-based Documents
• Control how and when a configuration is applied and maintained
• Helps enforce enterprise-wide compliance of configuration policies
Define and maintain a consistent configuration of OS and applications.
SSM - Inventory
• Instance and OS details, network configuration, list of files, installed software and patches
• Collect data from predefined inventory types or write a custom one using a JSON Document
• AWS Config integration enables tracking the history of changes
• Use AWS Config Rules to monitor changes and notify
• Simplifies management scenarios, such as licensing usage tracking and identifying zero-day vulnerabilities
Scalable way of collecting, querying, and auditing detailed software inventory information.
Inventory – System Diagram
Diagram components: SSM Agent on Amazon EC2 Windows instances, Amazon EC2 Linux instances and on-premises instances; AWS SSM Service (State Manager, Amazon EC2 Inventory SSM document, Inventory Store); Amazon EC2 Console and SSM CLI/APIs; AWS Config (Console + CLI/APIs, AWS Config Rules).
Restrict administrative privileges and multi-factor authentication
Security In the Cloud
Existing Tools
• Existing Linux and Windows tooling.
• AD and MFA
• OS controls and best practices at Amazon EC2 OS level.
Leverage AWS services
• AWS API layer
• AWS IAM
• AWS Organisations
• MFA - AWS Console, CLI, and API
• Follow best practices.
• Federation
• Amazon Workspaces
• AWS Directory Services
• Automate validation
• Amazon Inspector
• AWS Config Rules
• AWS IAM
• AWS CloudTrail
Cloud native approaches
• Immutable Infrastructure, “Image baking”, AWS CloudFormation
• Run command
• Serverless approaches
• AWS Service Catalog
• Restrict based on usage
https://aws.amazon.com/iam/details/mfa/
IAM Access Advisor
Amazon Inspector
Detect and remediate security issues early and often.
• Built-in content library: check common security standards & vulnerabilities
• Detailed reports: prioritize potential issues & get remediation recommendations
Daily backup of important data
Security In the Cloud
Existing Tools
• Existing Linux and Windows tooling.
• Amazon EC2, Amazon EBS
• Existing backup tools
• Amazon S3 and Amazon Glacier target support
Leverage AWS services
• Amazon RDS: automated backups and database snapshots (DB Snapshots).
• Amazon Redshift: data continuously backed up to Amazon S3. Stores automated snapshots. Can take your own snapshots at any time.
Cloud native approaches
• Immutable Infrastructure, “Image baking”, AWS CloudFormation
• Reduce server backup sizes
• Amazon S3 versioning, MFA delete.
User application hardening
Disable untrusted Microsoft Office macros
Security In the Cloud
Existing Tools
• Amazon EC2, Amazon Workspaces
• Customers control their own guest operating systems, software and applications.
• Leverage existing tools and processes.
Leverage AWS services
• Leverage SSM
• CIS images
• VPC controls – NACL, Security groups
Cloud native approaches
• Isolate applications and deliver securely.
• A separate Amazon Workspace
• Known set of ports to desktop (or Web access)
• Amazon AppStream 2.0
• Secure application streaming to HTML5 browser.
Summary
ASD Essential Eight provides practical actions for organisations to secure IT environments.
Develop an understanding of the Shared Responsibility Model when leveraging AWS.
Meet Essential 8 in AWS via:
• Existing tools and knowledge
• AWS features and services
• Leveraging Cloud Native concepts
https://d0.awsstatic.com/whitepapers/compliance/Understanding_the_ASDs_Cloud_Computing_Security_for_Tenants_in_the_Context_of_AWS.pdf
Thank you!

Mais conteúdo relacionado

Mais procurados

Quality Testing and Agile at Salesforce
Quality Testing and Agile at Salesforce Quality Testing and Agile at Salesforce
Quality Testing and Agile at Salesforce Salesforce Engineering
 
Microservices architecture overview v2
Microservices architecture overview v2Microservices architecture overview v2
Microservices architecture overview v2Dmitry Skaredov
 
Migrating Legacy Applications to AWS Cloud: Strategies and Challenges
Migrating Legacy Applications to AWS Cloud: Strategies and ChallengesMigrating Legacy Applications to AWS Cloud: Strategies and Challenges
Migrating Legacy Applications to AWS Cloud: Strategies and ChallengesOSSCube
 
How To Run Your Containers on AWS with ECS & Fargate: Collision 2018
How To Run Your Containers on AWS with ECS & Fargate: Collision 2018How To Run Your Containers on AWS with ECS & Fargate: Collision 2018
How To Run Your Containers on AWS with ECS & Fargate: Collision 2018Amazon Web Services
 
Event Driven Architecture: Mistakes, I've made a few...
Event Driven Architecture: Mistakes, I've made a few...Event Driven Architecture: Mistakes, I've made a few...
Event Driven Architecture: Mistakes, I've made a few...confluent
 
엔터프라이즈 클라우드 마이그레이션 준비와 실행. 그리고, 클라우드 운영 모범 사례 공유-최지웅, 오픈소스컨설팅 CTO / 장진환, 스마일샤...
엔터프라이즈 클라우드 마이그레이션 준비와 실행. 그리고, 클라우드 운영 모범 사례 공유-최지웅, 오픈소스컨설팅 CTO / 장진환, 스마일샤...엔터프라이즈 클라우드 마이그레이션 준비와 실행. 그리고, 클라우드 운영 모범 사례 공유-최지웅, 오픈소스컨설팅 CTO / 장진환, 스마일샤...
엔터프라이즈 클라우드 마이그레이션 준비와 실행. 그리고, 클라우드 운영 모범 사례 공유-최지웅, 오픈소스컨설팅 CTO / 장진환, 스마일샤...Amazon Web Services Korea
 
Speed-Up Kafka Delivery with AsyncAPI & Microcks | Hugo Guerrero, Red Hat
Speed-Up Kafka Delivery with AsyncAPI & Microcks | Hugo Guerrero, Red HatSpeed-Up Kafka Delivery with AsyncAPI & Microcks | Hugo Guerrero, Red Hat
Speed-Up Kafka Delivery with AsyncAPI & Microcks | Hugo Guerrero, Red HatHostedbyConfluent
 
SplunkLive! Customer Presentation--ServiceNow
SplunkLive! Customer Presentation--ServiceNowSplunkLive! Customer Presentation--ServiceNow
SplunkLive! Customer Presentation--ServiceNowSplunk
 
BDT201 AWS Data Pipeline - AWS re: Invent 2012
BDT201 AWS Data Pipeline - AWS re: Invent 2012BDT201 AWS Data Pipeline - AWS re: Invent 2012
BDT201 AWS Data Pipeline - AWS re: Invent 2012Amazon Web Services
 
Taking conditional access to the next level
Taking conditional access to the next levelTaking conditional access to the next level
Taking conditional access to the next levelRonny de Jong
 
Multi-cloud integration architecture
Multi-cloud integration architectureMulti-cloud integration architecture
Multi-cloud integration architectureKim Clark
 
AWS Black Belt Techシリーズ Amazon Workspaces
AWS Black Belt Techシリーズ  Amazon WorkspacesAWS Black Belt Techシリーズ  Amazon Workspaces
AWS Black Belt Techシリーズ Amazon WorkspacesAmazon Web Services Japan
 
DevOps Culture
DevOps CultureDevOps Culture
DevOps Culturerouanw
 
Where to Begin? Application Portfolio Migration
Where to Begin? Application Portfolio MigrationWhere to Begin? Application Portfolio Migration
Where to Begin? Application Portfolio MigrationAmazon Web Services
 
Event Driven Architecture
Event Driven ArchitectureEvent Driven Architecture
Event Driven ArchitectureLourens Naudé
 

Mais procurados (20)

Quality Testing and Agile at Salesforce
Quality Testing and Agile at Salesforce Quality Testing and Agile at Salesforce
Quality Testing and Agile at Salesforce
 
AWS Marketplace
AWS MarketplaceAWS Marketplace
AWS Marketplace
 
Microservices architecture overview v2
Microservices architecture overview v2Microservices architecture overview v2
Microservices architecture overview v2
 
Migrating Legacy Applications to AWS Cloud: Strategies and Challenges
Migrating Legacy Applications to AWS Cloud: Strategies and ChallengesMigrating Legacy Applications to AWS Cloud: Strategies and Challenges
Migrating Legacy Applications to AWS Cloud: Strategies and Challenges
 
Cloud Strategy First
 Cloud Strategy First Cloud Strategy First
Cloud Strategy First
 
How To Run Your Containers on AWS with ECS & Fargate: Collision 2018
How To Run Your Containers on AWS with ECS & Fargate: Collision 2018How To Run Your Containers on AWS with ECS & Fargate: Collision 2018
How To Run Your Containers on AWS with ECS & Fargate: Collision 2018
 
AWS Service Catalog
AWS Service CatalogAWS Service Catalog
AWS Service Catalog
 
Intro to AWS Lambda
Intro to AWS Lambda Intro to AWS Lambda
Intro to AWS Lambda
 
20150115 AWS BlackBelt - Amazon VPC (Korea)
20150115 AWS BlackBelt - Amazon VPC (Korea)20150115 AWS BlackBelt - Amazon VPC (Korea)
20150115 AWS BlackBelt - Amazon VPC (Korea)
 
Event Driven Architecture: Mistakes, I've made a few...
Event Driven Architecture: Mistakes, I've made a few...Event Driven Architecture: Mistakes, I've made a few...
Event Driven Architecture: Mistakes, I've made a few...
 
엔터프라이즈 클라우드 마이그레이션 준비와 실행. 그리고, 클라우드 운영 모범 사례 공유-최지웅, 오픈소스컨설팅 CTO / 장진환, 스마일샤...
엔터프라이즈 클라우드 마이그레이션 준비와 실행. 그리고, 클라우드 운영 모범 사례 공유-최지웅, 오픈소스컨설팅 CTO / 장진환, 스마일샤...엔터프라이즈 클라우드 마이그레이션 준비와 실행. 그리고, 클라우드 운영 모범 사례 공유-최지웅, 오픈소스컨설팅 CTO / 장진환, 스마일샤...
엔터프라이즈 클라우드 마이그레이션 준비와 실행. 그리고, 클라우드 운영 모범 사례 공유-최지웅, 오픈소스컨설팅 CTO / 장진환, 스마일샤...
 
Speed-Up Kafka Delivery with AsyncAPI & Microcks | Hugo Guerrero, Red Hat
Speed-Up Kafka Delivery with AsyncAPI & Microcks | Hugo Guerrero, Red HatSpeed-Up Kafka Delivery with AsyncAPI & Microcks | Hugo Guerrero, Red Hat
Speed-Up Kafka Delivery with AsyncAPI & Microcks | Hugo Guerrero, Red Hat
 
SplunkLive! Customer Presentation--ServiceNow
SplunkLive! Customer Presentation--ServiceNowSplunkLive! Customer Presentation--ServiceNow
SplunkLive! Customer Presentation--ServiceNow
 
BDT201 AWS Data Pipeline - AWS re: Invent 2012
BDT201 AWS Data Pipeline - AWS re: Invent 2012BDT201 AWS Data Pipeline - AWS re: Invent 2012
BDT201 AWS Data Pipeline - AWS re: Invent 2012
 
Taking conditional access to the next level
Taking conditional access to the next levelTaking conditional access to the next level
Taking conditional access to the next level
 
Multi-cloud integration architecture
Multi-cloud integration architectureMulti-cloud integration architecture
Multi-cloud integration architecture
 
AWS Black Belt Techシリーズ Amazon Workspaces
AWS Black Belt Techシリーズ  Amazon WorkspacesAWS Black Belt Techシリーズ  Amazon Workspaces
AWS Black Belt Techシリーズ Amazon Workspaces
 
DevOps Culture
DevOps CultureDevOps Culture
DevOps Culture
 
Where to Begin? Application Portfolio Migration
Where to Begin? Application Portfolio MigrationWhere to Begin? Application Portfolio Migration
Where to Begin? Application Portfolio Migration
 
Event Driven Architecture
Event Driven ArchitectureEvent Driven Architecture
Event Driven Architecture
 

Semelhante a AWS and the ASD Essential Eight

Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtHelen Rogers
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at ScaleAmazon Web Services
 
From your First Migration to Mass migrations.
From your First Migration to Mass migrations. From your First Migration to Mass migrations.
From your First Migration to Mass migrations. Amazon Web Services
 
Security and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John HildebrandtSecurity and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John HildebrandtHelen Rogers
 
ENT302 Deep Dive on AWS Management Tools
ENT302 Deep Dive on AWS Management Tools ENT302 Deep Dive on AWS Management Tools
ENT302 Deep Dive on AWS Management Tools Amazon Web Services
 
Security Automation: Spend Less Time Securing Your Applications.
Security Automation: Spend Less Time Securing Your Applications.Security Automation: Spend Less Time Securing Your Applications.
Security Automation: Spend Less Time Securing Your Applications.Amazon Web Services
 
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...Amazon Web Services
 
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017 AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017 Amazon Web Services
 
Getting Started with Windows Workloads on Amazon EC2 - Toronto
 Getting Started with Windows Workloads on Amazon EC2 - Toronto Getting Started with Windows Workloads on Amazon EC2 - Toronto
Getting Started with Windows Workloads on Amazon EC2 - TorontoAmazon Web Services
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationAmazon Web Services
 
Security Best Practices - Transformation Day Public Sector London 2017
Security Best Practices - Transformation Day Public Sector London 2017Security Best Practices - Transformation Day Public Sector London 2017
Security Best Practices - Transformation Day Public Sector London 2017Amazon Web Services
 
Secure Management of Fleet at Scale
Secure Management of Fleet at ScaleSecure Management of Fleet at Scale
Secure Management of Fleet at ScaleAmazon Web Services
 
ENT401 Deep Dive with Amazon EC2 Systems Manager
ENT401 Deep Dive with Amazon EC2 Systems ManagerENT401 Deep Dive with Amazon EC2 Systems Manager
ENT401 Deep Dive with Amazon EC2 Systems ManagerAmazon Web Services
 
Accelerate your Cloud Success with Platform Services
Accelerate your Cloud Success with Platform ServicesAccelerate your Cloud Success with Platform Services
Accelerate your Cloud Success with Platform ServicesAmazon Web Services
 
Uses, considerations, and recommendations for AWS
Uses, considerations, and recommendations for AWSUses, considerations, and recommendations for AWS
Uses, considerations, and recommendations for AWSScalar Decisions
 
re:Invent recap session 2: Being well Architected in the cloud
re:Invent recap session 2: Being well Architected in the cloudre:Invent recap session 2: Being well Architected in the cloud
re:Invent recap session 2: Being well Architected in the cloudAmazon Web Services
 
Sicurezza e Compliance nel Cloud
Sicurezza e Compliance nel CloudSicurezza e Compliance nel Cloud
Sicurezza e Compliance nel CloudAmazon Web Services
 
AWS Fundamentals @Back2School by CloudZone
AWS Fundamentals @Back2School by CloudZoneAWS Fundamentals @Back2School by CloudZone
AWS Fundamentals @Back2School by CloudZoneIdan Tohami
 

Semelhante a AWS and the ASD Essential Eight (20)

Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John Hildebrandt
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at Scale
 
From your First Migration to Mass migrations.
From your First Migration to Mass migrations. From your First Migration to Mass migrations.
From your First Migration to Mass migrations.
 
Security and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John HildebrandtSecurity and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John Hildebrandt
 
ENT302 Deep Dive on AWS Management Tools
ENT302 Deep Dive on AWS Management Tools ENT302 Deep Dive on AWS Management Tools
ENT302 Deep Dive on AWS Management Tools
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Security Automation: Spend Less Time Securing Your Applications.
Security Automation: Spend Less Time Securing Your Applications.Security Automation: Spend Less Time Securing Your Applications.
Security Automation: Spend Less Time Securing Your Applications.
 
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
 
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017 AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
 
Getting Started with Windows Workloads on Amazon EC2 - Toronto
 Getting Started with Windows Workloads on Amazon EC2 - Toronto Getting Started with Windows Workloads on Amazon EC2 - Toronto
Getting Started with Windows Workloads on Amazon EC2 - Toronto
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
 
Security Best Practices - Transformation Day Public Sector London 2017
Security Best Practices - Transformation Day Public Sector London 2017Security Best Practices - Transformation Day Public Sector London 2017
Security Best Practices - Transformation Day Public Sector London 2017
 
Introduction to DevOps on AWS
Introduction to DevOps on AWSIntroduction to DevOps on AWS
Introduction to DevOps on AWS
 
Secure Management of Fleet at Scale
Secure Management of Fleet at ScaleSecure Management of Fleet at Scale
Secure Management of Fleet at Scale
 
ENT401 Deep Dive with Amazon EC2 Systems Manager
ENT401 Deep Dive with Amazon EC2 Systems ManagerENT401 Deep Dive with Amazon EC2 Systems Manager
ENT401 Deep Dive with Amazon EC2 Systems Manager
 
Accelerate your Cloud Success with Platform Services
Accelerate your Cloud Success with Platform ServicesAccelerate your Cloud Success with Platform Services
Accelerate your Cloud Success with Platform Services
 
Uses, considerations, and recommendations for AWS
Uses, considerations, and recommendations for AWSUses, considerations, and recommendations for AWS
Uses, considerations, and recommendations for AWS
 
re:Invent recap session 2: Being well Architected in the cloud
re:Invent recap session 2: Being well Architected in the cloudre:Invent recap session 2: Being well Architected in the cloud
re:Invent recap session 2: Being well Architected in the cloud
 
Sicurezza e Compliance nel Cloud
Sicurezza e Compliance nel CloudSicurezza e Compliance nel Cloud
Sicurezza e Compliance nel Cloud
 
AWS Fundamentals @Back2School by CloudZone
AWS Fundamentals @Back2School by CloudZoneAWS Fundamentals @Back2School by CloudZone
AWS Fundamentals @Back2School by CloudZone
 

Mais de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mais de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...

AWS and the ASD Essential Eight

Shared Responsibility Model
AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the cloud:
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Customer applications & content
Customers decide how to implement their own security policies.

Sources of Best Practices
AWS Cloud Adoption Framework (CAF): how to move to the cloud securely, including the “Core Five Epics”:
• Identity and Access Management
• Detective control
• Infrastructure Security
• Data Protection
• Incident Response
AWS Security Best Practices: whitepaper with 44 best practices, including:
• Identity and Access Management (10 best practices)
• Logging and Monitoring (4)
• Infrastructure Security (15)
• Data Protection (15)
Center for Internet Security (CIS) Benchmarks: 148 detailed recommendations for configuration and auditing, covering:
• “AWS Foundations” with 52 checks aligned to AWS Best Practices
• “AWS Three-Tier Web Architecture” with 96 checks for web applications

Patching
Security in the Cloud
Existing Tools
• Existing Linux and Windows tooling
Leverage AWS services
• Amazon EC2 SSM Patching
• AWS Elastic Beanstalk
• Amazon RDS
• Amazon Redshift
Cloud native approaches
• Immutable Infrastructure, “Image baking”, AWS CloudFormation
• Serverless: AWS Lambda

Introducing Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all of your Windows and Linux workloads, running in Amazon EC2 or on-premises.

Systems Manager capabilities
Deploy, Configure, and Administer: Run Command, State Manager, Automation
Track and Update: Inventory, Patch Manager
Shared Capabilities: Maintenance Window, Parameter Store

Patch Manager
Roll out patches using custom-defined rules and pre-scheduled maintenance windows.
• Express custom patch policies as patch baselines, e.g., apply critical patches on day 1 but wait 7 days for non-critical patches
• Perform patching during scheduled maintenance windows
• Built-in patch compliance reporting
• Eliminates manual intervention and reduces time-to-deploy for critical updates and zero-day vulnerabilities
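The baseline rule this slide describes (critical patches approved straight away, non-critical patches held back for 7 days) can be written down as a Systems Manager patch baseline. The CloudFormation template below is an added example and is not part of the deck; the baseline name, the `example-prod-windows` patch group and the choice of a Windows baseline are assumptions.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the deck): patch baseline that approves critical Windows updates immediately and other security updates after a 7-day soak",
  "Resources": {
    "ExampleWindowsBaseline": {
      "Type": "AWS::SSM::PatchBaseline",
      "Properties": {
        "Name": "example-windows-baseline",
        "Description": "Critical updates on day 0, security updates after 7 days; the name and patch group are assumptions",
        "OperatingSystem": "WINDOWS",
        "PatchGroups": ["example-prod-windows"],
        "ApprovalRules": {
          "PatchRules": [
            {
              "PatchFilterGroup": {
                "PatchFilters": [
                  {"Key": "CLASSIFICATION", "Values": ["CriticalUpdates"]}
                ]
              },
              "ApproveAfterDays": 0,
              "ComplianceLevel": "CRITICAL"
            },
            {
              "PatchFilterGroup": {
                "PatchFilters": [
                  {"Key": "CLASSIFICATION", "Values": ["SecurityUpdates"]}
                ]
              },
              "ApproveAfterDays": 7,
              "ComplianceLevel": "HIGH"
            }
          ]
        }
      }
    }
  }
}
```

Instances opt in by carrying the tag key `Patch Group` with the value `example-prod-windows`; the `AWS-RunPatchBaseline` document, run from a maintenance window, then installs whatever the baseline has approved, and the `ComplianceLevel` of the rule that approved a missing patch is the severity shown in the compliance report. `ApproveAfterDays` counts from the patch's release date, so `0` corresponds to the slide's "day 1". Filters inside one `PatchFilterGroup` are ANDed and values inside one filter are ORed, so a second filter on `MSRC_SEVERITY` would narrow a rule rather than widen it.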
Immutable Infrastructure - AMI Build Pipeline
(Diagram) Components: Base AMI, AMI Registry, AMI Builder instances, Foundational AMI, Full-Stack AMI, Developer, CI/CD Pipeline, Code Repository, Configuration Service

AWS Lambda: Serverless computing
Run code without servers. Pay only for the compute time you consume.
Triggered by events or called from APIs:
• PUT to an Amazon S3 bucket
• Updates to an Amazon DynamoDB table
• Call to an Amazon API Gateway endpoint
• Mobile app back-end call
• And many more…
Makes it easy to:
• Perform real-time data processing
• Build scalable back-end services
• Glue and choreograph systems

Application Whitelisting
Security in the Cloud
Existing Tools
• Existing Linux and Windows tooling
• GPO
• Windows AppLocker
• PowerShell DSC
Leverage AWS services to augment
• AWS Directory Service, SSM Run Command and Automation
• Amazon EC2 SSM Inventory, SSM State Manager
• AWS Config Rules
• Security Groups
Cloud native approaches
• Immutable Infrastructure, “Image baking”, AWS CloudFormation
• Serverless: AWS Lambda
• Amazon AppStream 2.0

SSM - State Manager
Define and maintain a consistent configuration of OS and applications.
• Example: configuring the firewall and updating anti-malware definitions
• Define new policies using simple JSON-based Documents
• Control how and when a configuration is applied and maintained
• Helps enforce enterprise-wide compliance of configuration policies
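The slide's own example, configuring the firewall and updating anti-malware definitions, looks like this as a State Manager association. The CloudFormation template is an added example, not code from the deck: the document and association names, the `tag:Role` target and the daily schedule are assumptions, and the PowerShell lines are the standard Windows Firewall and Microsoft Defender cmdlets.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the deck): State Manager association that keeps the Windows firewall enabled and anti-malware definitions current",
  "Resources": {
    "HardenWindowsDocument": {
      "Type": "AWS::SSM::Document",
      "Properties": {
        "DocumentType": "Command",
        "Content": {
          "schemaVersion": "2.2",
          "description": "Enable all Windows Firewall profiles with inbound blocked by default, then refresh Microsoft Defender signatures",
          "mainSteps": [
            {
              "action": "aws:runPowerShellScript",
              "name": "enableFirewallAndUpdateDefinitions",
              "precondition": {"StringEquals": ["platformType", "Windows"]},
              "inputs": {
                "runCommand": [
                  "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True -DefaultInboundAction Block",
                  "Update-MpSignature",
                  "Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated"
                ]
              }
            }
          ]
        }
      }
    },
    "HardenWindowsAssociation": {
      "Type": "AWS::SSM::Association",
      "Properties": {
        "AssociationName": "example-harden-windows",
        "Name": {"Ref": "HardenWindowsDocument"},
        "ScheduleExpression": "rate(1 day)",
        "Targets": [
          {"Key": "tag:Role", "Values": ["example-windows-app"]}
        ]
      }
    }
  }
}
```

State Manager re-applies the association on the schedule and records each run's success or failure as association compliance, so a firewall profile that was switched off is re-enabled within a day and a failed run is visible in the compliance view. The `precondition` keeps the step from running on Linux targets that happen to share the tag.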
SSM - Inventory
Scalable way of collecting, querying, and auditing detailed software inventory information.
• Instance and OS details, network configuration, list of files, installed software and patches
• Collect data from predefined inventory types or write a custom one using a JSON Document
• AWS Config integration enables tracking the history of changes
• Use AWS Config Rules to monitor changes and notify
• Simplifies management scenarios, such as licensing usage tracking and identifying zero-day vulnerabilities
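Two of the AWS Config managed rules that evaluate SSM Inventory data, as an added example that is not part of the deck: the first marks a managed instance non-compliant when Patch Manager reports it as anything other than COMPLIANT, the second marks it non-compliant when any of the listed applications appears in its inventory. The rule names and the application names in `applicationNames` are constructed placeholders.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the deck): AWS Config managed rules evaluated against SSM Inventory data",
  "Resources": {
    "PatchComplianceRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "example-managed-instance-patch-compliance",
        "Description": "Non-compliant when Patch Manager reports the managed instance as not COMPLIANT",
        "Scope": {
          "ComplianceResourceTypes": ["AWS::SSM::ManagedInstanceInventory"]
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK"
        }
      }
    },
    "ForbiddenSoftwareRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "example-managed-instance-forbidden-software",
        "Description": "Non-compliant when Inventory shows any listed application installed; the names are placeholders",
        "Scope": {
          "ComplianceResourceTypes": ["AWS::SSM::ManagedInstanceInventory"]
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "EC2_MANAGEDINSTANCE_APPLICATIONS_BLACKLISTED"
        },
        "InputParameters": {
          "applicationNames": "Example Unapproved Remote Tool,Example Legacy Agent"
        }
      }
    }
  }
}
```

Both rules only see instances for which Inventory collection is enabled and whose `AWS::SSM::ManagedInstanceInventory` resource type is being recorded by AWS Config; an instance with no inventory data is simply not evaluated, so the inventory association itself is the first thing to check when a fleet looks cleaner than expected.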
Inventory – System Diagram
(Diagram) The SSM Agent on Amazon EC2 Windows instances, Amazon EC2 Linux instances and on-premises instances reports to the AWS SSM Service (State Manager, the Amazon EC2 Inventory SSM document, Inventory Store); inventory is queried through the Amazon EC2 Console and the SSM CLI/APIs, and flows on to AWS Config (AWS Config Console + CLI/APIs).

Restrict administrative privileges and multi-factor authentication
Security in the Cloud
Existing Tools
• Existing Linux and Windows tooling
• AD and MFA
• OS controls and best practices at the Amazon EC2 OS level
Leverage AWS services
• AWS API layer
• AWS IAM
• AWS Organizations
• MFA - AWS Console, CLI, and API
• Follow best practices: Federation, Amazon WorkSpaces, AWS Directory Service
• Automate validation: Amazon Inspector, AWS Config Rules, AWS IAM, AWS CloudTrail
Cloud native approaches
• Immutable Infrastructure, “Image baking”, AWS CloudFormation
• Run Command
• Serverless approaches
• AWS Service Catalog
• Restrict based on usage
https://aws.amazon.com/iam/details/mfa/
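One concrete form of "MFA - AWS Console, CLI, and API": an IAM managed policy that denies every action except MFA self-enrolment until the caller has authenticated with MFA, attached to an administrators group. The CloudFormation template is an added example rather than material from the deck; the group and policy names are assumptions, and the policy follows the pattern AWS documents for this purpose.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the deck): IAM group whose members can do nothing but enrol an MFA device until they sign in with MFA",
  "Resources": {
    "ExampleAdminGroup": {
      "Type": "AWS::IAM::Group",
      "Properties": {"GroupName": "example-admins"}
    },
    "RequireMfaPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "ManagedPolicyName": "example-require-mfa",
        "Description": "Deny all but MFA self-service when the request was not authenticated with MFA",
        "Groups": [{"Ref": "ExampleAdminGroup"}],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowManageOwnMfaDevice",
              "Effect": "Allow",
              "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice"
              ],
              "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
              ]
            },
            {
              "Sid": "DenyEverythingElseWithoutMfa",
              "Effect": "Deny",
              "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken"
              ],
              "Resource": "*",
              "Condition": {
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
              }
            }
          ]
        }
      }
    }
  }
}
```

The condition uses `BoolIfExists` rather than `Bool` on purpose: a request signed with long-term access keys carries no `aws:MultiFactorAuthPresent` key at all, and with plain `Bool` such a request would not match the Deny and would slip past the control. With `BoolIfExists` the missing key counts as a match, so CLI and API users must first call `sts:GetSessionToken` with their MFA code and use the returned session credentials; the Allow statement's user-scoped resources let a new user enrol a device without being able to touch anyone else's.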
Amazon Inspector
Detect and remediate security issues early and often.
• Built-in content library: check common security standards & vulnerabilities
• Detailed reports: prioritise potential issues & get remediation recommendations

Daily backup of important data
Security in the Cloud
Existing Tools
• Existing Linux and Windows tooling
• Amazon EC2, Amazon EBS
• Existing backup tools
• Amazon S3 and Amazon Glacier target support
Leverage AWS services
• Amazon RDS: automated backups and database snapshots (DB Snapshots)
• Amazon Redshift: data continuously backed up to Amazon S3; stores automated snapshots, and you can take your own snapshots at any time
Cloud native approaches
• Immutable Infrastructure, “Image baking”, AWS CloudFormation
• Reduce server backup sizes
• Amazon S3 versioning, MFA delete
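A concrete shape for "Amazon S3 versioning, MFA delete" on a backup target, as an added example not taken from the deck: a versioned bucket whose bucket policy refuses to delete object versions, switch versioning off or change the lifecycle rules unless the caller authenticated with MFA. The 90-day retention of non-current versions is an assumption. S3's native MFA Delete flag cannot be set from CloudFormation (it is enabled through the API by the account root user with an MFA code), so the bucket policy is used here to give the stored versions an equivalent guard.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the deck): versioned backup bucket whose versions and versioning settings cannot be removed without MFA",
  "Resources": {
    "BackupBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "VersioningConfiguration": {"Status": "Enabled"},
        "LifecycleConfiguration": {
          "Rules": [
            {
              "Id": "expire-noncurrent-versions-after-90-days",
              "Status": "Enabled",
              "NoncurrentVersionExpirationInDays": 90
            }
          ]
        }
      }
    },
    "BackupBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {"Ref": "BackupBucket"},
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyVersionRemovalWithoutMfa",
              "Effect": "Deny",
              "Principal": "*",
              "Action": [
                "s3:DeleteObjectVersion",
                "s3:PutBucketVersioning",
                "s3:PutLifecycleConfiguration"
              ],
              "Resource": [
                {"Fn::GetAtt": ["BackupBucket", "Arn"]},
                {"Fn::Sub": "${BackupBucket.Arn}/*"}
              ],
              "Condition": {
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
              }
            }
          ]
        }
      }
    }
  }
}
```

With versioning on, an ordinary `DeleteObject` from a compromised backup agent only adds a delete marker, and the older versions it would need to remove are covered by the Deny, so a restore is still possible; a lifecycle rule bounds how much non-current data is retained, and the policy protects that rule as well so the retention window cannot be shortened without MFA.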
User application hardening / Disable untrusted Microsoft Office macros
Security in the Cloud
Existing Tools
• Amazon EC2, Amazon WorkSpaces
• Customers control their own guest operating systems, software and applications
• Leverage existing tools and processes
Leverage AWS services
• Leverage SSM
• CIS images
• VPC controls – NACL, Security Groups
Cloud native approaches
• Isolate applications and deliver securely
• A separate Amazon WorkSpace
• Known set of ports to the desktop (or web access)
• Amazon AppStream 2.0: secure application streaming to an HTML5 browser

Summary
ASD Essential Eight provides practical actions for organisations to secure IT environments.
Develop an understanding of the Shared Responsibility Model when leveraging AWS.
Meet the Essential Eight in AWS via:
• Existing tools and knowledge
• AWS features and services
• Leveraging Cloud Native concepts
https://d0.awsstatic.com/whitepapers/compliance/Understanding_the_ASDs_Cloud_Computing_Security_for_Tenants_in_the_Context_of_AWS.pdf

Thank you!