Introduction to AWS Security

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Security, Identity,
and Compliance
An Overview
October 22, 2018
Don Edwards, CISSP, CCNA Security
Sr. Technical Delivery Manager, Managed Services EMEA
Amazon Web Services (AWS)

Why is security traditionally so hard?
Lack of
visibility
Low degree
of automation

ORMove fast Stay secure
Before…

ORANDMove fast Stay secure
Now…

The most sensitive workloads run on AWS
“With AWS, DNAnexus enables enterprises worldwide to perform
genomic analysis and clinical studies in a secure and compliant
environment at a scale not previously possible.”
— Richard Daly, CEO DNAnexus
“The fact that we can rely on the AWS security posture to
boost our own security is really important for our business.
AWS does a much better job at security than we could ever
do running a cage in a data center.”
— Richard Crowley, Director of Operations, Slack
“We determined that security in AWS is superior to our on-premises
data center across several dimensions, including patching,
encryption, auditing and logging, entitlements, and compliance.”
—John Brady, CISO, FINRA (Financial Industry Regulatory Authority)

Automate
with deeply
integrated
security services
Inherit
global
security and
compliance
controls
Highest
standards
for privacy
and data
security
Largest
network
of security
partners and
solutions
Scale with
superior visibility
and control
Move to AWS
Strengthen your security posture

Inherit global security and compliance controls

Scale with visibility and control

Encryption at scale
with keys managed by
our AWS Key Management
Service (KMS) or managing
your own encryption keys
with Cloud HSM using
FIPS 140-2 Level 3
validated HSMs
Meet data
residency
requirements
Choose an AWS Region
and AWS will not replicate
it elsewhere unless you
choose to do so
Access services and tools
that enable you to
build compliant
infrastructure
on top of AWS
Comply with local
data privacy laws
by controlling who
can access content, its
lifecycle, and disposal
Highest standards for privacy
and data security

Automate with integrated services
CloudWatch Events
Amazon
CloudWatch
CloudWatch
Event
Lambda
Lambda Function
AWS Lambda
GuardDuty
Amazon
GuardDuty
Automated threat remediation

Infrastructure
security
Logging
& monitoring
Identity &
access control
Configuration
& vulnerability
analysis
Data
protection
Largest ecosystem
of security partners and solutions
Infrastructure
security

Security
engineering
Governance, risk &
compliance
Security operations
& automation
Consulting competency partners
with demonstrated expertise
Security
engineering

AWS Cloud Adoption Framework
The Cloud Adoption Framework (CAF) helps organizations
understand how cloud adoption transforms the way they work, by
identifying the stakeholders that are critical to cloud adoption and
groups them into 6 Perspectives

CAF Security Perspective
Security Perspective
Directive
Preventative Detective
Responsive

Enterprise Governance for Cloud Adoption
Develop Cloud Governance Program

Review Data Classification

Review Company policies

Review Company policies
Build Security Standards Control Framework

Review Company Policies
Build Security Standards Control Framework
Develop a Cloud Security Strategy
 Get executive buy-in
 Communicate and educate

AWS Security Epics
We identified ten themes, that are treated as Epics in an agile methodology and contain the user
stories including both use cases & abuse cases. Frequent iteration via sprints will lead to increase
maturity whilst retaining flexibility to adapt to business pace and demand.
1st Sprint Example
• Define the account
structure and implement
the core set of best
practices
2nd Sprint Example
• Implement federation
3rd Sprint Example
• Expand account
management to cater for
multiple accounts

AWS Identity & Access
Management (IAM)
AWS Organizations
AWS Cognito
AWS Directory Service
AWS Secrets Manager
AWS Single Sign-On
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
AWS Systems Manager
AWS Shield
AWS WAF – Web
application firewall
AWS Firewall Manager
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
AWS Key Management
Service (KMS)
AWS CloudHSM
Amazon Macie
AWS Certificate Manager
Server-Side Encryption
AWS Config Rules
AWS Lambda
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
AWS security solutions

AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources
AWS Organizations
Policy-based management for multiple AWS accounts
Amazon Cognito
Add user sign-up, sign-in, and access control to your web
and mobile apps
AWS Directory Service
Managed Microsoft Active Directory in the AWS Cloud
AWS Secrets Manager
Easily rotate, manage, and retrieve database credentials, API keys,
and other secrets through their lifecycle
AWS Single Sign-On
Centrally manage single sign-on (SSO) access to multiple AWS
accounts and business applications
Define, enforce, and audit
user permissions across
AWS services, actions
and resources.
Identity & access
management
Identity and access
management

AWS CloudTrail
Enable governance, compliance, and operational/risk auditing of your
AWS account
AWS Config
Record and evaluate configurations of your AWS resources. Enable
compliance auditing, security analysis, resource change tracking, and
troubleshooting
Amazon CloudWatch
Monitor AWS Cloud resources and your applications on AWS to
collect metrics, monitor log files, set alarms, and automatically
react to changes
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect
your AWS accounts and workloads
VPC Flow Logs
Capture information about the IP traffic going to and from network
interfaces in your VPC. Flow log data is stored using Amazon
CloudWatch Logs
Gain the visibility you need
to spot issues before they
impact the business, improve
your security posture, and
reduce the risk profile of
your environment.
Detective
control

AWS Systems Manager
Easily configure and manage Amazon EC2 and on-premises systems to
apply OS patches, create secure system images, and configure secure
operating systems
AWS Shield
Managed DDoS protection service that safeguards web applications
running on AWS
AWS WAF – Web application firewall
Protects your web applications from common web exploits ensuring
availability and security
AWS Firewall Manager
Centrally configure and manage AWS WAF rules across accounts and
applications
Amazon Inspector
Automates security assessments to help improve the security and
compliance of applications deployed on AWS
Amazon Virtual Private Cloud (VPC)
Provision a logically isolated section of AWS where you can launch AWS
resources in a virtual network that you define
Reduce surface area to manage
and increase privacy for and
control of your overall
infrastructure on AWS.
Infrastructure
security

AWS Key Management Service (KMS)
Easily create and control the keys used to encrypt your data
AWS CloudHSM
Managed hardware security module (HSM) on the AWS Cloud
Amazon Macie
Machine learning-powered security service to discover, classify, and
protect sensitive data
AWS Certificate Manager
Easily provision, manage, and deploy SSL/TLS certificates for use
with AWS services
Server-Side Encryption
Flexible data encryption options using AWS service managed keys,
AWS managed keys via AWS KMS, or customer managed keys
In addition to our automatic
data encryption and
management services,
employ more features for
data protection.
(including data management, data
security, and encryption key storage)
Data
protection

AWS Config Rules
Create rules that automatically take action in response to changes in your
environment, such as isolating resources, enriching events with additional
data, or restoring configuration to a known-good state
AWS Lambda
Use our serverless compute service to run code without provisioning or
managing servers so you can scale your programmed, automated
response to incidents
During an incident, containing
the event and returning to a
known good state are important
elements of a response plan.
AWS provides the following
tools to automate aspects of
this best practice.
Incident
response

“I have come to realize that as a relatively small organization, we can be far more secure in the cloud
and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested.
We determined that security in AWS is superior to our on-premises data center across several
dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”
• Looks for fraud, abuse, and insider trading over
nearly 6 billion shares traded in U.S. equities
markets every day
• Processes approximately 6 terabytes of data
and 37 billion records on an average day
• Went from 3–4 weeks for server hardening
to 3–4 minutes
• DevOps teams focus on automation and tools to raise
the compliance bar and simplify controls
• Achieved incredible levels of assurance for
consistencies of builds and patching via rebooting
with automated deployment scripts
—John Brady, CISO FINRA
Financial industry regulatory authority

“Previously all our servers were configured and updated by hand or through limited automation, we didn’t
take full advantage of a configuration management …All our new services are built as stateless docker
containers, allowing us to deploy and scale them easily using Amazon’s ECS.”
“AWS allowed us to scale our business to handle 6 million patients a month and elevate our security
—all while maintaining HIPAA compliance-–as we migrated 100% to cloud in less than 12 months”
• Migrated all-in on AWS in under
12 months, becoming a HIPAA compliant
cloud-first organization
• New York based startup leveraged infrastructure
as code to securely scale to 6 million patients
per month
• Data liberation—use data to innovate and drive
more solutions for patients, reducing patient
wait times from 24 days to 24 hours
• Maintain end to end visibility of patient data
using AWS
Online medical care scheduling

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Humans and Data Don’t Mix
Best Practices to Secure Your Cloud

Things you don’t want to hear from either
a surgeon or a privileged user
• What is that?
• Inventory of systems
and data
• Where did that come from?
• Infrastructure change
management
• Oops, those were old
instructions
• Source control
• Is this important?
• Data classification
• Where should I put this?
• Data segmentation
• Why is that happening?
• System interaction and
data access patterns
• I need more coffee
• Repeatability and scale

Get Humans Away from Your Data

Security Blind Spots
Disparate sources

Lack of rigorDisparate sources

Can’t scaleLack of rigorDisparate sources

Management,
Security, and
Monitoring
Storage
Customer Instances
Network
Hypervisor
Original Amazon EC2 Host Architecture
SERVER

Management,
Security, and
Monitoring
Storage
Customer Instances
Network
Hypervisor
Amazon EC2 C3 Instances
SERVER
NITRO
SYSTEM

Management,
Security, and
Monitoring
Storage
Customer Instances
Network
Hypervisor
SERVER
NITRO
SYSTEM

Management,
Security, and
Monitoring
Storage
Customer Instances
Network
Nitro Hypervisor
SERVER
NITRO
SYSTEM

No Shell Access!
40

COMMIT CHANGES BUILD ARTIFACTS DEPLOY TO TEST ENVIRONMENT
RUN INTEGRATION, SECURITY,
LOAD AND OTHER TESTS
DEPLOY TO
PRODUCTION ENVIRONMENT
MANAGE RUNTIME
SOURCE
CONTROL BUILD PRODUCTION MAINTAIN
CONTINUOUS INTEGRATION CONTINUOUS DELIVERY
Maintaining Runtime Environment
AWS
CodeStar
AWS
CodePipeline
AWS
CodeStar
AWS
CodePipeline
AWS
CodeCommit
AWS
CloudFormation
AWS
Step Functions
AWS
Step Functions
AWS
X-Ray
AWS
CodeDeploy
AWS
Elastic Beanstalk
AWS EC2
Systems Manager
Amazon
GuardDuty
TESTING &
STAGING
AWS
CodeBuild
AWS
CodePipeline

Automate Answering the Tough Questions
• What data do I have in the cloud?
• Where is it located?
• Where does my sensitive data exist?
• What’s sensitive about the data?
• What PII/PHI is possibly exposed?
• How is data being shared and stored?
• How and where is my data accessed?
• How can I classify data in near-real time?
• How do I build workflow remediation for my security and
compliance needs?

AWS CloudTrail
Track user
activity and API
usage
Automation: Log Data Inputs
VPC Flow Logs
IP traffic to/from
network
interfaces in your
VPC
CloudWatch Logs
Monitor apps using
log data, store &
access log files
DNS Logs
Log of DNS
queries in a VPC
when using the
VPC DNS resolver

Amazon
GuardDuty
Intelligent threat detection
and continuous monitoring
to protect your AWS
accounts and workloads
Automation: Machine Learning
Amazon Macie
Machine learning-powered
security service to discover,
classify, & protect sensitive
data

Using NLP and ML together
Understand
your data
Natural Language
Processing (NLP)
Understand data
access
Predictive User
Behavior Analytics
(UBA)

Content Classification with NLP
PII and personal data
Source code
SSL certificates, private keys
iOS and Android app signing keys
Database backups
OAuth and Cloud SaaS API Keys

Use ML and Scaled Services
• Use behavioral
analytics to
baseline normal
behavior patterns
• Contextualize by
value of data being
accessed

Amazon GuardDuty Threat Detection and
Notification

Automation: Triggers
Amazon CloudWatch
Events
Delivers a near real-time stream
of system events that describe
changes in AWS resources
AWS Config Rules
Continuously tracks your
resource configuration changes
and if they violate any of the
conditions in your rules

Automating Remediation
AWS Systems
Manager
Automate patching and
proactively mitigate threats
at the instance level
AWS Lambda
Capture info about the IP
traffic going to and from
network interfaces in your
VPC

• Asynchronously
execute
commands
• No need to
SSH/RDP
• Commands and
output logged
Remediating Threats on Amazon EC2 Instances
Amazon EC2 Systems Manager -
Run Command
EC2 Instances
Lambda
function
AWS Systems
Manager
Amazon
EC2

Tools we use: COEs

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security

Introduction to AWS Security

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Introduction to AWS Security

Semelhante a Introduction to AWS Security (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

Introduction to AWS Security