AWS and its partners offer a wide range of tools and features to help you meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that can give you full visibility into what is happening in your environment. In this session, you will be introduced to the range of security tools and features that AWS offers, and to the latest security innovations coming from AWS.
5. Security ownership as part of DNA
• Promotes a culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
(Diagram: Distributed, Embedded)
7. AWS can strengthen your security posture
• Get native functionality and tools
• Over 30 global compliance certifications and accreditations
• Leverage security enhancements gleaned from 1 million+ customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
8. Get strong assurance over AWS security controls
AWS formal control environment:
• SOC 1 Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001, 27017, 27018 Certification
• PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• Achieve HIPAA compliance
9. AWS Foundation Services (shared responsibility model diagram)
AWS is responsible for the security OF the cloud:
• Foundation services: compute, storage, database, networking
• AWS global infrastructure: Regions, Availability Zones, edge locations
Customers are responsible for their security IN the cloud, and choose the required level of security:
• Customer content
• Platform, applications, identity and access management
• Operating system, network, and firewall configuration
• Client-side data encryption, server-side data encryption, network traffic protection
14. AWS CloudTrail and Amazon CloudWatch
AWS CloudTrail:
• Enable globally for all AWS Regions
• Encryption and integrity validation
• Archive and forward
Amazon CloudWatch:
• Amazon CloudWatch Logs
• Metrics and filters
• Alarms and notifications
16. Control where your content is stored
• 13 AWS Regions (11 public, China region and GovCloud region)
• Canada, Ohio, UK and another China region planned for 2016 and beyond
• 35 Availability Zones (adding 9 more in 2016 across new AWS Regions)
• 55+ edge locations
(Map legend: Region, Edge location)
17. Amazon Virtual Private Cloud (reference architecture diagram)
• VPC CIDR 10.10.0.0/16 spanning AZ A and AZ B
• Public subnets 10.10.1.0/24 and 10.10.2.0/24; private subnets 10.10.3.0/24, 10.10.4.0/24, 10.10.5.0/24 and 10.10.6.0/24 (one of each pair per AZ)
• Internet Gateway and public Elastic Load Balancing in front of an Auto Scaling web tier; internal Elastic Load Balancing in front of an Auto Scaling application tier
• Data tier: Multi-AZ Amazon RDS (master, standby, snapshots)
• Existing data center reached through a Customer Gateway and Virtual Private Gateway over a VPN connection, and through an AWS Direct Connect network partner location; administrators and corporate users connect from there
18. Security groups (VPC diagram, VPC CIDR 10.1.0.0/16)
• Availability Zone A and Availability Zone B, each with public and private subnets
• Per AZ: ELB in the public subnet, Web and Back end in the private subnets
• sg_ELB_FrontEnd (ELB Security Group)
• sg_Web_Frontend (Web Security Group)
• sg_Backend (Backend Security Group)
20. VPC Flow Logs
• Agentless
• Enable per Elastic Network Interface (ENI), per subnet, or per VPC
• Logged to Amazon CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics and take appropriate actions
Flow log record fields: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject
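Added example (not from the slides or from AWS): a Python parser for the default VPC Flow Log record format with the fields listed above, which turns REJECT records into a per-source metric and raises an alarm when a source outside the VPC CIDR 10.10.0.0/16 (the CIDR from the VPC slide) reaches a threshold of rejected flows against one interface. The log lines, account id, ENI ids and addresses are constructed; NODATA/SKIPDATA records, whose traffic fields are "-", are skipped rather than counted as traffic.

```python
"""Parse VPC Flow Log records and derive a 'rejected flows per source' metric."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# VPC CIDR taken from the VPC slide; anything outside it is 'external' here.
VPC_CIDR = ipaddress.ip_network("10.10.0.0/16")

# Constructed sample records (not real traffic): account id, ENI ids and
# addresses are made up. One record is NODATA, which carries no traffic fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.10.3.25 49152 22 6 4 256 1468227600 1468227660 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.10.3.25 49153 22 6 4 256 1468227600 1468227660 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.10.3.25 49154 3389 6 3 180 1468227600 1468227660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.1.14 10.10.3.25 51000 443 6 20 4000 1468227600 1468227660 ACCEPT OK
2 123456789012 eni-0f9e8d7c - - - - - - - 1468227600 1468227660 - NODATA
2 123456789012 eni-0f9e8d7c 10.10.2.9 10.10.4.40 53422 8080 6 12 1500 1468227600 1468227660 ACCEPT OK
"""


@dataclass(frozen=True)
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str


def parse_flow_log_line(line: str) -> Optional[FlowRecord]:
    """Parse one record; return None for NODATA/SKIPDATA records, whose
    traffic fields are '-' and must not be counted as traffic."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        account_id=rec["account_id"], interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        bytes=int(rec["bytes"]), start=int(rec["start"]), end=int(rec["end"]),
        action=rec["action"],
    )


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse a block of records, dropping blank lines and NODATA/SKIPDATA entries."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_flow_log_line(line)
            if rec is not None:
                records.append(rec)
    return records


def reject_counts(records: Iterable[FlowRecord]) -> Counter:
    """Metric: number of REJECTed flows per (interface, source address)."""
    return Counter((r.interface_id, r.srcaddr)
                   for r in records if r.action == "REJECT")


def external_reject_alarms(records: Iterable[FlowRecord],
                           threshold: int) -> list[tuple[str, str, int]]:
    """Alarm condition: a source outside the VPC CIDR reached `threshold`
    rejected flows against one interface within this batch of records."""
    alarms = []
    for (eni, src), count in reject_counts(records).items():
        if count >= threshold and ipaddress.ip_address(src) not in VPC_CIDR:
            alarms.append((eni, src, count))
    return sorted(alarms)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} traffic records parsed")
    for eni, src, count in external_reject_alarms(recs, threshold=3):
        print(f"ALARM {eni}: {count} rejected flows from external source {src}")
```

In a real deployment the counting happens in a CloudWatch Logs metric filter rather than in code; the point of the parser is that the same fields shown on the slide are what the metric filter pattern matches on, and that the NODATA case must be excluded from any count of packets or bytes.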
24. Cryptographic services
AWS Key Management Service (AWS KMS):
• Deep integration with AWS services
• CloudTrail
• AWS SDK for application encryption
Amazon CloudHSM:
• Dedicated HSM
• Integrate with on-premises HSMs
• Hybrid architectures
26. AWS Config and Config rules
AWS Config:
• Record configuration changes continuously
• Time-series view of resource changes
• Archive and compare
Config rules:
• Enforce best practices
• Automatically roll back unwanted changes
• Trigger additional workflow
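Added example (not from the slides or AWS's own code): a Python AWS Config custom-rule Lambda handler that enforces one best practice, marking a security group NON_COMPLIANT when it exposes an administrative port (22 or 3389 by default) to 0.0.0.0/0 or ::/0. The invocation event, the group id, the capture time, the result token and the rule parameter name blockedPorts are constructed for the example; the evaluation logic is kept apart from the put_evaluations call so it runs without AWS credentials or boto3.

```python
"""AWS Config custom rule (Lambda handler) enforcing one best practice:
no security group may expose an administrative port to the whole internet."""
from __future__ import annotations

import json
from typing import Any, Iterable

# Ports treated as administrative unless the rule parameter "blockedPorts"
# (a comma-separated list; parameter name chosen for this example) overrides them.
DEFAULT_BLOCKED_PORTS = frozenset({22, 3389})
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed invocation event in the shape AWS Config sends to a custom rule
# on a configuration change; the group id, capture time and token are made up.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2016-07-11T10:00:00.000Z",
            "configuration": {
                "groupName": "sg_Web_Frontend",
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                ],
            },
        },
    }),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
    "resultToken": "constructed-result-token",
}


def _cidrs(permission: dict) -> set[str]:
    """Collect the CIDRs of one ingress rule in the shapes AWS Config records
    them: plain strings ("ipRanges") or {"cidrIp"/"cidrIpv6": ...} dicts."""
    found = set()
    for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for entry in permission.get(key) or []:
            if isinstance(entry, str):
                found.add(entry)
            else:
                found.add(entry.get("cidrIp") or entry.get("cidrIpv6"))
    return found


def _covers_port(permission: dict, port: int) -> bool:
    """True if the rule's protocol/port range includes the given TCP port."""
    proto = str(permission.get("ipProtocol", ""))
    if proto == "-1":                 # all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if lo is None or hi is None:      # TCP with no range means every port
        return True
    return int(lo) <= port <= int(hi)


def evaluate_security_group(configuration: dict,
                            blocked_ports: Iterable[int] = DEFAULT_BLOCKED_PORTS) -> tuple[str, str]:
    """Return (ComplianceType, annotation) for one security group's configuration."""
    exposed = sorted({
        port for port in blocked_ports
        for perm in configuration.get("ipPermissions") or []
        if _cidrs(perm) & ANYWHERE and _covers_port(perm, port)
    })
    if exposed:
        return "NON_COMPLIANT", f"ports {exposed} reachable from 0.0.0.0/0 or ::/0"
    return "COMPLIANT", "no administrative port is open to the world"


def build_evaluation(event: dict) -> dict:
    """Turn a Config invocation event into the evaluation to report; this part
    has no AWS dependency, so it can be tested offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    ports = {int(p) for p in params.get("blockedPorts", "").split(",") if p.strip()}
    deleted = item.get("configurationItemStatus", "").startswith("ResourceDeleted")
    if item["resourceType"] != "AWS::EC2::SecurityGroup" or deleted:
        compliance, note = "NOT_APPLICABLE", "not an active security group"
    else:
        compliance, note = evaluate_security_group(
            item.get("configuration") or {}, ports or DEFAULT_BLOCKED_PORTS)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],          # AWS Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: dict, context: Any = None) -> dict:
    """Lambda entry point wired to the Config rule: reports the result to AWS Config."""
    evaluation = build_evaluation(event)
    import boto3  # imported here so the evaluation logic above runs without boto3
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

The "Trigger additional workflow" and "Automatically roll back" items on the slide would hang off the NON_COMPLIANT result, for instance by having a separate process react to the compliance change notification; the rule itself should stay a pure evaluation so that its verdict is reproducible from the recorded configuration item alone.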
34. Evolving the practice of security architecture
Current security architecture practice: security architecture as a separate function can no longer exist
• Static position papers, architecture diagrams, and documents
• UI-dependent consoles and technologies
• Auditing, assurance, and compliance are decoupled, separate processes
35. AWS CloudFormation—infrastructure as code
(Diagram: Template, Stack, AWS CloudFormation)
• Orchestrate changes across AWS services
• Use as foundation to AWS Service Catalog products
• Use with source code repositories to manage infrastructure changes
• JSON-based text file describing infrastructure
• Resources created from a template
• Can be updated
• Updates can be restructured
36. Evolving the practice of security architecture
Evolved security architecture practice: security architecture can now be part of the “maker” team
• Architecture artifacts (design choices, narrative, and so on) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
(Tooling shown: AWS CodeCommit, AWS CodePipeline, Jenkins)
37. Get training in AWS security
• Security Fundamentals on AWS (free online course)
• Security Operations on AWS (three-day class)
Details at aws.amazon.com/training
38. Let's hear how Sage is doing secure continuous delivery with AWS
39. 33 Sage Products and Services in AWS – why?
• Scalability
• Fault tolerant – highly available
• Cost
• Agility
41. CD Pipeline + Security
7/11/16
(Pipeline diagram, visible to all stakeholders)
Stages shown: Source Control (check in); Continuous Integration (create, build, unit test, static analysis, dependency scan); Artifact Management; Configuration Management; Infrastructure as code + Hosting platform; Deployment Automation (deploy); Automated Test; Dynamic Analysis; scan; Labs
Security Check:
• Pass/Fail – changes will proceed no further on failure
• Quality metric – changes will proceed no further if threshold is breached
• Alarm
42. CD Pipeline + Security
(Same pipeline diagram as slide 41)
43. CD Pipeline + Security
(Same pipeline diagram as slide 41, now showing the layers of the machine image built in the pipeline)
Image layers: Latest Amazon AMI → Patch → Harden → Anti-virus → Amazon Tools → Web Container + dependencies → Application specific
44. CD Pipeline + Security
(Same pipeline diagram as slide 41)
Image layers: Latest Amazon Linux AMI → Patch → Harden → Anti-virus → Amazon Tools → Web Container + dependencies → Application specific
The resulting image, AMI_SERV_BUILD, carries the same layers (Patch, Harden, Anti-virus, Amazon Tools, Web Container + dependencies, Application specific)
45. CD Pipeline + Security
(Same diagram as slide 44)
46. AMI_SERV_BUILD promoted through environments
The same AMI_SERV_BUILD image (Patch, Harden, Anti-virus, Amazon Tools, Web Container + dependencies, Application specific) is deployed as three instances in each of QA, Performance Test and Production
47. AMI_SERV_BUILD
(Same diagram as slide 46)
48. Outcomes
• Security patches/mitigations take hours instead of days to apply across the entire fleet
• Frees up the team to work on further improvements
• Non-production environments representative of Live – better confidence in testing