1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Protecting Your Data
AWS Security Tools and Features
Brad Dispensa | Specialist
2. Why is Enterprise Security Traditionally Hard?
• Lack of visibility
• Low degree of automation
3. Move Fast OR Stay Secure
4. Move Fast AND Stay Secure
5. Making life easier
• Choosing security does not mean giving up on convenience or introducing complexity
6. AWS Security (“Of” & “In”)
7. AWS Shared Responsibility Model
Customer: responsibility for security “IN” the cloud
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption / integrity / identity)
AWS: responsibility for security “OF” the cloud
• Compute, storage, database, networking
• AWS global infrastructure: regions, availability zones, edge locations
8. Security “Of” The Cloud
9. AWS Shared Responsibility Model (same diagram as slide 7)
10. Strengthen your security posture
• Leverage security enhancements from 1M+ customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
• Over 50 global compliance certifications and accreditations
“We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers.”
Rob Alexander - CIO, Capital One
11. The AWS Compliance “Display Cabinet”
Certificates: ISO 27001 Certified; ISO 9001 Certified
Programs: MPAA
12. AWS Global Infrastructure: 18 Regions – 54 Availability Zones
Region & number of Availability Zones:
• AWS GovCloud (3)
• US West: Oregon (3), Northern California (3)
• US East: N. Virginia (6), Ohio (3)
• Canada: Central (2)
• South America: São Paulo (3)
• EU: Ireland (3), Frankfurt (3), London (2)
• Asia Pacific: Singapore (2), Sydney (3), Tokyo (4), Seoul (2), Mumbai (2), Osaka-Local (1)
• China: Beijing (2), Ningxia (2)
New regions coming soon: Hong Kong, Sweden, AWS GovCloud (US-East), Bahrain
13. Global – CloudFront Edge Network
114 edge locations (103 edge locations and 11 Regional Edge Caches) in 56 cities across 24 countries.
14. Security “In” The Cloud
15. AWS Shared Responsibility Model (same diagram as slide 7)
16. Security end-to-end
– Help customers build, deploy and operate secure applications
A secure cloud application rests on shared responsibility and a strong compliance foundation, and is built through:
• Identity & Access Management
• Enable Detective Controls
• Establish Network Security
• Implement Data Protection
• Optimize Change Management
• Automate Security Functions
17. Identity and Access Management
• Identities: developers, solutions architects, testers, software/platform
• Interaction of AWS identities: EC2, ELB, S3, DynamoDB, SQS, SNS etc.
• Building blocks: IAM Users, IAM Groups, IAM Roles, IAM Policies
18. Detective Controls
AWS CloudTrail
• Enable globally for all AWS Regions
• Encryption & integrity validation
• Archive & forward
Amazon CloudWatch
• Amazon CloudWatch Logs
• Metrics & filters
• Alarms & notifications
Amazon Macie
• DLP for S3
• ML anomaly detection
• User behavior
Amazon GuardDuty
• Threat intelligence
• VPC network monitoring
• ML behavioral stateful findings and anomaly detections
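The slide lists CloudTrail feeding CloudWatch Logs metric filters and alarms but does not show what a filter actually catches. The following is an added example, not code from the deck: the same detections written as Python over a handful of constructed CloudTrail records (account ID, ARNs and IP addresses are made up), alongside the metric filter patterns that express them in CloudWatch Logs. Run it over a day of archived CloudTrail records and you get the alarm counts a metric filter would report.

```python
"""Detective controls over CloudTrail events.

Added example for this slide, not code from the deck: the checks a CloudWatch
Logs metric filter would express, written in Python so they can also be run
over archived CloudTrail records. The records are constructed; account ID,
ARNs and IP addresses are made up.
"""
from collections import defaultdict

# Constructed CloudTrail records (a subset of the real record fields).
SAMPLE_EVENTS = [
    {"eventTime": "2017-11-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-11-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-11-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2017-11-01T10:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.22",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2017-11-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.30",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci-runner"}},
]

# The same detections as CloudWatch Logs metric filter patterns (the shape the
# CIS AWS Foundations Benchmark uses); listed for reference, not evaluated here.
METRIC_FILTER_PATTERNS = {
    "root_account_used":
        '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
        '&& $.eventType != "AwsServiceEvent" }',
    "console_login_without_mfa":
        '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    "cloudtrail_tampering":
        '{ ($.eventName = StopLogging) || ($.eventName = DeleteTrail) || ($.eventName = UpdateTrail) }',
    "unauthorized_api_call":
        '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
}


def classify(event):
    """Return the names of the detections that fire for one record."""
    findings = []
    ident = event.get("userIdentity", {})
    name = event.get("eventName", "")
    source = event.get("eventSource", "")
    error = event.get("errorCode", "")
    # Root usage, excluding calls AWS services make on the account's behalf.
    if ident.get("type") == "Root" and "invokedBy" not in ident \
            and event.get("eventType") != "AwsServiceEvent":
        findings.append("root_account_used")
    if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append("console_login_without_mfa")
    if source == "cloudtrail.amazonaws.com" and name in {"StopLogging", "DeleteTrail", "UpdateTrail"}:
        findings.append("cloudtrail_tampering")
    if error.endswith("UnauthorizedOperation") or error.startswith("AccessDenied"):
        findings.append("unauthorized_api_call")
    if source == "s3.amazonaws.com" and name in {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy"}:
        findings.append("s3_bucket_policy_change")
    return findings


def scan(events):
    """Group hits by detection: {name: [(eventTime, principal ARN, source IP), ...]}."""
    hits = defaultdict(list)
    for ev in events:
        for finding in classify(ev):
            hits[finding].append((ev.get("eventTime"),
                                  ev.get("userIdentity", {}).get("arn"),
                                  ev.get("sourceIPAddress")))
    return dict(hits)


def alarm_counts(events, threshold=1):
    """Per-detection counts at or above the threshold, which is what a metric
    filter feeding a CloudWatch alarm (and an SNS notification) reports."""
    return {name: len(v) for name, v in scan(events).items() if len(v) >= threshold}


if __name__ == "__main__":
    for name, hits in sorted(scan(SAMPLE_EVENTS).items()):
        print(name, hits)
```

The root-usage check deliberately ignores records with userIdentity.invokedBy set, otherwise every service action performed on the account's behalf would page someone; the StopLogging detection is the one to wire to an alarm first, since an attacker who can stop the trail blinds every other detection on this slide.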
19. Change Management & Visibility
AWS Config
• Record configuration changes continuously
• Time-series view of resource changes
• Archive & compare
AWS Config Rules
• Enforce best practices
• Automatically roll back unwanted changes
• Trigger additional workflow
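A Config Rule that "enforces best practices" is, under the hood, a Lambda function that receives a configuration item and reports COMPLIANT or NON_COMPLIANT back to Config. The following is an added example (not code from the deck) of such a rule for the question slide 29 asks, "How do I encrypt EBS volumes?": it flags any EBS volume that is not encrypted and, optionally, any volume encrypted with a key other than the one named in the constructed rule parameter RequiredKmsKeyArn. The handler keeps the decision in a pure function so it runs without AWS; the configuration items it is fed are constructed.

```python
"""Custom AWS Config rule: every EBS volume must be encrypted.

Added example (not from the deck). This is the shape of the Lambda function a
custom Config rule invokes; evaluate_volume() is kept pure so it can be tested
without AWS. The configuration items and the rule parameter RequiredKmsKeyArn
are constructed for this example.
"""
import json

DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def evaluate_volume(item, params):
    """Return (compliance type, annotation) for one configuration item."""
    if item.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE", "Resource no longer exists"
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    cfg = item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return "NON_COMPLIANT", "Volume is not encrypted"
    required = params.get("RequiredKmsKeyArn")  # optional, constructed parameter
    if required and cfg.get("kmsKeyId") != required:
        return "NON_COMPLIANT", "Volume is encrypted with a key other than the required CMK"
    return "COMPLIANT", "Volume is encrypted"


def lambda_handler(event, context):
    """Entry point Config invokes; returns the evaluation it would submit."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, note = evaluate_volume(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # In the deployed rule the result is sent back to Config:
    # boto3.client("config").put_evaluations(
    #     Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(resource_id, encrypted, kms_key_id=None, status="OK", params=None):
    """Build a constructed Config invocation event for one volume."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": resource_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2017-11-01T10:00:00.000Z",
        "configuration": {"encrypted": encrypted, "kmsKeyId": kms_key_id},
    }
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": json.dumps(params or {}),
            "resultToken": "constructed-token"}


if __name__ == "__main__":
    print(lambda_handler(make_event("vol-0123", False), None))
```

Two practical notes. The AWS managed rule encrypted-volumes gives you the basic "is it encrypted" check without writing code; a custom rule earns its keep when you also need to pin the CMK. And the rule can only report: EBS encryption cannot be switched on for an existing volume, so remediation means snapshot, copy the snapshot with encryption enabled, create a new volume from the encrypted copy and swap it in.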
20. Data Protection
AWS Key Management Service
• Deep integration with AWS services
• Audit KMS key usage via CloudTrail
• KMS import key (bring your own key material)
• AWS SDK for application encryption
• Security of the keys themselves:
  – Plaintext keys never stored in persistent memory
  – Automatically rotate keys
  – Separation of duties between systems that use master keys and data keys
  – Multi-party control for all maintenance on systems that use master keys
Amazon CloudHSM
• Dedicated HSM
• Integrate with on-premises HSMs
• Hybrid architectures
• FIPS 140-2 validated HSMs
https://amzn.to/2G9zWiY
21. Automated Security Functions
AWS CloudFormation: Template → Stack
• JSON (or YAML) text file describing infrastructure
• Resources created from a template
• Stacks can be updated; updates can be restricted (stack policies)
• Orchestrate changes across AWS services
• Use as the foundation for Service Catalog products
• Use with source code repositories to manage infrastructure changes
22. Network Security
[Diagram] Amazon VPC (CIDR 10.1.0.0/16) spanning Availability Zone A and Availability Zone B. Each AZ has a public subnet (ELB and web tier) and a private subnet (back end). Security groups: sg_ELB_FrontEnd (ELB security group), sg_Web_Frontend (web security group), sg_Backend (backend security group). Connectivity via VPN Gateway and AWS Direct Connect; VPC Flow Logs enabled; AWS WAF and AWS Shield in front of the public tier.
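The diagram shows Flow Logs enabled on the VPC but not what to do with them. As an added example (not code from the deck), here is a small triage over constructed VPC Flow Log records in the default format, using the slide's own CIDR 10.1.0.0/16 to tell internal from external addresses. It pulls out two things the security groups in the diagram are supposed to prevent: an external host probing many ports (all REJECTed, so the groups held) and an ACCEPTed connection from the Internet straight to an admin port (so some group or NACL is too loose). ENI IDs, account ID and addresses are made up.

```python
"""VPC Flow Log triage.

Added example (not from the deck): parses the default flow log record format
and applies two checks against the slide's VPC CIDR 10.1.0.0/16. The records
below are constructed; account ID, ENI IDs and addresses are made up.
"""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.1.0.0/16")   # from the slide
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: one external source sweeping six ports (all rejected), one
# normal HTTPS flow, one external SSH connection that was accepted, one
# internal MySQL flow, and a NODATA record (no traffic captured in the window).
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.1.1.20 51234 21 6 1 60 1509500000 1509500060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.1.1.20 51235 22 6 1 60 1509500000 1509500060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.1.1.20 51236 23 6 1 60 1509500000 1509500060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.1.1.20 51237 25 6 1 60 1509500000 1509500060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.1.1.20 51238 80 6 1 60 1509500000 1509500060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.1.1.20 51239 3389 6 1 60 1509500000 1509500060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.5 10.1.1.20 40000 443 6 20 5120 1509500000 1509500060 ACCEPT OK
2 111122223333 eni-0b2c3d4e 203.0.113.77 10.1.2.30 40001 22 6 10 1200 1509500000 1509500060 ACCEPT OK
2 111122223333 eni-0b2c3d4e 10.1.1.20 10.1.2.30 33000 3306 6 10 1200 1509500000 1509500060 ACCEPT OK
2 111122223333 eni-0b2c3d4e - - - - - - - 1509500000 1509500060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA rows carry no flow fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def find_port_scans(records, min_ports=5):
    """External sources whose REJECTed inbound flows touch many distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and ipaddress.ip_address(r["srcaddr"]) not in VPC_CIDR:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_external_admin_access(records, admin_ports=(22, 3389)):
    """ACCEPTed flows from outside the VPC to an admin port: the security group
    or NACL that allowed them needs reviewing."""
    hits = []
    for r in records:
        if (r["action"] == "ACCEPT" and r["dstport"] in admin_ports
                and ipaddress.ip_address(r["srcaddr"]) not in VPC_CIDR):
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("port scans:", find_port_scans(recs))
    print("external admin access:", find_external_admin_access(recs))
```

Flow logs record metadata only, never payload, and the default format does not say whether a REJECT came from a security group or a NACL; they are for spotting the pattern, after which the security group rules are the thing to fix. In production this runs over the CloudWatch Logs group the flow log delivers to, or as a metric filter on the same fields.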
23. Access a deep set of cloud security tools
Networking
• Virtual Private Cloud: isolated cloud resources
• Web Application Firewall: filter malicious web traffic
• Shield: DDoS protection
• Certificate Manager: provision, manage, and deploy SSL/TLS certificates
Encryption
• Key Management Service: manage creation and control of encryption keys
• CloudHSM: hardware-based key storage
• Server-Side Encryption: flexible data encryption options
Identity & Management
• IAM: manage user access and encryption keys
• SAML Federation: SAML 2.0 support to allow on-prem identity integration
• Directory Service: host and manage Microsoft Active Directory
• Organizations: manage settings for multiple accounts
Compliance
• Service Catalog: create and use standardized products
• Config: track resource inventory and changes
• CloudTrail: track user activity and API usage
• CloudWatch: monitor resources and applications
• Inspector: analyze application security
• Artifact: self-service for AWS’ compliance reports
24. Robust Security for Your Entire Storage Infrastructure
Batches and streams into AWS: Direct Connect, Snowball data transport, 3rd-party connectors, Transfer Acceleration, Storage Gateway, Kinesis Firehose
Storage services:
• File: Amazon EFS
• Block: Amazon EBS (persistent), Amazon EC2 Instance Store (ephemeral)
• Object: Amazon S3, Amazon Glacier
25. Security for AWS Storage Services… High-Level Info…
Amazon S3
  IAM: IAM policy (resource, bucket and user/role policy); ACLs; query-string authentication (pre-signed URLs)
  Encryption: SSE-S3, SSE-C, SSE-KMS; client-side encryption; SSL in transit
  More info: versioning; MFA-Delete; access logs (audit, customer base, S3 bill)
Amazon Glacier
  IAM: IAM policy (vault operations); vault access policies
  Encryption: server-side encryption, AES-256 (block cipher)
  More info: Vault Lock policy (e.g. WORM); CloudTrail integration
Amazon EBS
  IAM: IAM policy (access to EBS volumes)
  Encryption: seamless EBS encryption with KMS (AWS-managed or customer-managed CMKs) for data volumes, boot volumes and snapshots; encryption occurs on the servers hosting the EC2 instances
  More info: redundancy within the same AZ
26. Security for AWS Storage Services… High-Level Info…
AWS Snowball
  IAM: IAM policy
  Encryption: supports server-side encryption with S3-managed keys; AES-GCM with 256-bit keys; SSL encryption in transit
  More info: physically secured (TPM chip)
Amazon EFS
  IAM: IAM policy
  Encryption: seamless encryption at rest using KMS
  More info: security group for the EC2 instances and the EFS mount target (NFS, port 2049)
Amazon EC2 Instance Store
  IAM: IAM policy (EC2 operations)
  Encryption: via Linux libraries and/or 3rd-party tools
  More info: data erased when the instance stops or terminates
27. Demos: DO IT LIVE!
28. How can I make sure S3 is secure?
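The demo is live and leaves nothing on the slide, so here is an added example (not from the deck) of the bucket-policy half of the answer: a policy that refuses any request not made over TLS and any PutObject that does not ask for SSE-KMS, together with a small evaluator for the three condition operators it uses so the policy can be checked against sample requests without an AWS account. The bucket name is constructed. The evaluator models explicit denies only; a request still needs an Allow from IAM or the bucket policy to succeed.

```python
"""Locking down an S3 bucket: TLS-only access and mandatory SSE-KMS.

Added example (not from the deck). BUCKET_POLICY is the usual pair of
explicit-Deny patterns; explicit_deny() evaluates the condition operators the
policy uses so it can be checked against sample requests offline. The bucket
name is constructed. Only explicit denies are modelled: a matching Allow is
still needed for a request to succeed.
"""
import fnmatch

BUCKET = "arn:aws:s3:::example-data-bucket"   # constructed

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Both PutObject statements are needed: StringNotEquals does not match
        # when the header is absent, so the Null check catches that case.
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM-style wildcard match; actions are case-insensitive, resource ARNs are not."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def _condition_holds(operator, key, expected, ctx):
    """One condition key under one operator. A key missing from the request
    context makes Bool/StringEquals/StringNotEquals false; only Null can
    match a missing key."""
    expected = _as_list(expected)
    present = key in ctx
    if operator == "Null":
        return present != (expected[0].lower() == "true")
    if not present:
        return False
    value = ctx[key]
    if operator == "Bool":
        return str(value).lower() == expected[0].lower()
    if operator == "StringEquals":
        return value in expected
    if operator == "StringNotEquals":
        return value not in expected
    raise NotImplementedError(f"operator {operator} not modelled")


def statement_matches(stmt, action, resource, ctx):
    """Action, resource and every condition key must all match."""
    if not _matches(stmt["Action"], action, fold_case=True):
        return False
    if not _matches(stmt["Resource"], resource, fold_case=False):
        return False
    return all(_condition_holds(op, key, expected, ctx)
               for op, keys in stmt.get("Condition", {}).items()
               for key, expected in keys.items())


def explicit_deny(policy, action, resource, ctx):
    """Sid of the first Deny statement matching the request, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and statement_matches(stmt, action, resource, ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    obj = BUCKET + "/reports/q3.csv"
    print(explicit_deny(BUCKET_POLICY, "s3:PutObject", obj, {"aws:SecureTransport": "true"}))
```

Apply the policy with aws s3api put-bucket-policy --bucket example-data-bucket --policy file://policy.json, then add the other items from the S3 row of the storage table: versioning with MFA Delete (aws s3api put-bucket-versioning --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "<device-arn> <code>", which only the account root can enable) and server access logging to a separate bucket. Note that the policy cannot see an object's existing encryption state; it only governs what new uploads must request.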
29. How do I encrypt EBS volumes?
30. How do I protect log files from tampering?
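This demo is the "encryption & integrity validation" item from the CloudTrail list on slide 18. With log file validation enabled, CloudTrail writes an hourly digest file that lists every delivered log file with its SHA-256 hash, and each digest also carries the hash of the previous digest, so the digests form a chain. The following is an added example (not code from the deck) that rebuilds that check offline over a constructed three-hour trail: bucket, account, log contents and digest files are all made up, and the digests are chained the way CloudTrail chains them. It then edits one log file, and finally forges the digest that covers it, to show what each layer of the check catches. The RSA signature CloudTrail stores in each digest object's metadata is not reproduced here; aws cloudtrail validate-logs verifies it against the key from aws cloudtrail get-public-key.

```python
"""Verifying CloudTrail log file integrity offline.

Added example (not from the deck). Rebuilds the hash-chain part of CloudTrail
log file validation: each digest lists its log files' SHA-256 hashes and the
hash of the previous digest. The signature check is not reproduced. Bucket,
account, log contents and digests are constructed.
"""
import gzip
import hashlib
import json

BUCKET = "example-trail-bucket"                 # constructed
PREFIX = "AWSLogs/111122223333/CloudTrail"      # constructed account ID


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def log_file_hash(gz_bytes):
    """hashValue in a digest covers the *uncompressed* log file content."""
    return sha256_hex(gzip.decompress(gz_bytes))


def verify_digest(digest, digests_by_key, log_objects):
    """Check one digest's log file hashes and its link to the previous digest."""
    problems = []
    for entry in digest["logFiles"]:
        body = log_objects.get(entry["s3Object"])
        if body is None:
            problems.append(f"log file missing: {entry['s3Object']}")
        elif log_file_hash(body) != entry["hashValue"]:
            problems.append(f"hash mismatch: {entry['s3Object']}")
    prev_key = digest.get("previousDigestS3Object")
    if prev_key:
        prev = digests_by_key.get(prev_key)
        if prev is None:
            problems.append(f"previous digest missing: {prev_key}")
        elif sha256_hex(prev) != digest["previousDigestHashValue"]:
            problems.append(f"digest chain broken at: {prev_key}")
    return problems


def verify_trail(digest_files, log_objects):
    """digest_files: [(s3 key, uncompressed digest bytes)] in delivery order;
    log_objects: {s3 key: gzipped log bytes}. Returns every problem found."""
    by_key = dict(digest_files)
    problems = []
    for key, raw in digest_files:
        name = key.rsplit("/", 1)[-1]
        problems += [f"{name}: {p}" for p in verify_digest(json.loads(raw), by_key, log_objects)]
    return problems


def build_fixture():
    """Constructed trail: three log files, one digest each, chained in order."""
    logs = {}
    for i, name in enumerate(["ConsoleLogin", "StopLogging", "StartLogging"], 1):
        key = f"{PREFIX}/us-east-1/2017/11/01/log-{i}.json.gz"
        logs[key] = gzip.compress(json.dumps({"Records": [{"eventName": name}]}).encode())
    digest_files, prev_key, prev_raw = [], None, None
    for i, key in enumerate(logs, 1):
        dkey = f"{PREFIX}-Digest/us-east-1/2017/11/01/digest-{i}.json"
        digest = {
            "awsAccountId": "111122223333",
            "digestStartTime": f"2017-11-01T{i - 1:02d}:00:00Z",
            "digestEndTime": f"2017-11-01T{i:02d}:00:00Z",
            "digestS3Bucket": BUCKET, "digestS3Object": dkey,
            "previousDigestS3Bucket": BUCKET if prev_key else None,
            "previousDigestS3Object": prev_key,
            "previousDigestHashValue": sha256_hex(prev_raw) if prev_raw else None,
            "previousDigestHashAlgorithm": "SHA-256" if prev_raw else None,
            "logFiles": [{"s3Bucket": BUCKET, "s3Object": key,
                          "hashValue": log_file_hash(logs[key]), "hashAlgorithm": "SHA-256"}],
        }
        raw = json.dumps(digest, sort_keys=True).encode()
        digest_files.append((dkey, raw))
        prev_key, prev_raw = dkey, raw
    return digest_files, logs


def tamper_demo():
    """Edit log-2, then forge digest-2 to cover it; return both problem lists."""
    digest_files, logs = build_fixture()
    log2 = list(logs)[1]
    logs[log2] = gzip.compress(json.dumps({"Records": []}).encode())
    after_edit = verify_trail(digest_files, logs)          # digest-2 reports the edit
    d2_key, d2_raw = digest_files[1]
    d2 = json.loads(d2_raw)
    d2["logFiles"][0]["hashValue"] = log_file_hash(logs[log2])
    forged = list(digest_files)
    forged[1] = (d2_key, json.dumps(d2, sort_keys=True).encode())
    after_forge = verify_trail(forged, logs)               # digest-3 reports the forgery
    return after_edit, after_forge


if __name__ == "__main__":
    print(verify_trail(*build_fixture()))
    print(tamper_demo())
```

The forgery is caught only because a later digest points at the original digest-2; the newest digest in the bucket has nothing chained after it and is protected solely by its signature, which is why the real tool checks both. The chain also says nothing about log files that were deleted along with their digest, so the "archive & forward" item on slide 18 still matters: deliver the trail to a bucket in a separate account with a restrictive bucket policy and MFA Delete, and run aws cloudtrail validate-logs --trail-arn <arn> --start-time <time> from there.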
31. Automate all the things!!
32. Typical Enterprise Cloud Migration Journey…
Landing Zone
Backup & Recovery
Security (Data, Network)
CI/CD – DevSecOps
Compliance Automation
33. Flexibility and Complexity
• Single VPC or multiple VPCs?
• How many AWS accounts?
• Public or private subnets?
• What type of encryption? Who will manage the keys?
• IAM groups or roles?
• Security groups or NACLs?
• What is the regulatory requirement?
• What's in-scope or out-of-scope?
• How to verify the standards are met?
• Can we use S3 for this?
• Which AWS database?
34. Security by Design – Solution to Automate Security Compliance and Auditing in AWS
Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security controls built in throughout the AWS IT management process.
https://d0.awsstatic.com/whitepapers/compliance/Intro_to_Security_by_Design.pdf
Services used: Identity & Access Management, CloudTrail, CloudWatch, Config Rules, Trusted Advisor, CloudHSM, Key Management Service, Directory Service
35. Security by Design - Design Principles
• Build security in every layer
• Design for failures
• Implement auto-healing
• Think parallel
• Plan for breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat infrastructure as code
  – Modular
  – Versioned
  – Constrained
Develop new risk-mitigation capabilities that go beyond global security frameworks: treat risks, eliminate manual processes, and streamline evidence collection and audit ratification through rigid automation.
36. Trusted Advisor
37. AWS Security Partners
• Infrastructure Security
• Logging & Monitoring
• Identity & Access Control
• Configuration & Vulnerability Analysis
• Data Protection
38. Getting Started: where to learn more about AWS’ security & compliance resources
• Visit our Security and Compliance Hubs: http://aws.amazon.com/security and http://aws.amazon.com/compliance
• Consult the AWS Security & Compliance Quick Reference Guide: https://d0.awsstatic.com/whitepapers/compliance/AWS_Compliance_Quick_Reference.pdf
• Explore the AWS Artifact portal: https://aws.amazon.com/artifact/
• Learn more about our security & compliance accelerators: https://aws.amazon.com/quickstart/
39. Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups Need to Get Started on AWS