© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Protecting Your Data
AWS Security Tools and Features
Brad Dispensa | Specialist
Why is Enterprise Security Traditionally Hard?
• Lack of visibility
• Low degree of automation
Move Fast OR Stay Secure

Move Fast AND Stay Secure
Making life easier
• Choosing security does not mean giving up on convenience or introducing complexity
AWS Security (“Of” & “In”)
AWS Shared Responsibility Model

Customer: responsibility for security “IN” the cloud
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Networking traffic protection (encryption / integrity / identity)

AWS: responsibility for security “OF” the cloud
• Compute, storage, database, networking
• AWS global infrastructure: regions, availability zones, edge locations
Security “Of” The Cloud
Strengthen your security posture
• Leverage security enhancements from 1M+ customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
• Over 50 global compliance certifications and accreditations
“We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers.” Rob Alexander - CIO, Capital One
The AWS Compliance “Display Cabinet”
Certificates: ISO 27001 Certified, ISO 9001 Certified
Programs: MPAA
AWS Global Infrastructure: 18 Regions – 54 Availability Zones
Region & number of Availability Zones:
• US East: N. Virginia (6), Ohio (3)
• US West: Oregon (3), Northern California (3)
• AWS GovCloud (3)
• Canada: Central (2)
• South America: São Paulo (3)
• EU: Ireland (3), Frankfurt (3), London (2)
• Asia Pacific: Singapore (2), Sydney (3), Tokyo (4), Seoul (2), Mumbai (2), Osaka-Local (1)
• China: Beijing (2), Ningxia (2)
New regions coming soon: Hong Kong, Sweden, AWS GovCloud (US-East), Bahrain
Global – CloudFront Edge Network
114 Edge locations (103 edge locations and 11 Regional Edge Caches) in 56 cities across 24 countries.
Security “In” The Cloud
Security end-to-end
– Help customers build/deploy/operate secure applications
Secure Cloud Application, built on Shared Responsibility and a Strong Compliance Foundation:
• Identity & Access Management
• Enable Detective Controls
• Establish Network Security
• Implement Data Protection
• Optimize Change Management
• Automate Security Functions
Identity and Access Management
• Identities: Developers, Solutions Architects, Testers, Software/Platform
• Interaction of AWS Identities: EC2, ELB, S3, DynamoDB, SQS, SNS etc.
IAM Users, IAM Groups, IAM Roles, IAM Policies
Detective Controls
AWS CloudTrail
✓ Enable globally for all AWS Regions
✓ Encryption & integrity validation
✓ Archive & forward
Amazon CloudWatch
✓ Amazon CloudWatch Logs
✓ Metrics & filters
✓ Alarms & notifications
Amazon Macie
✓ DLP for S3
✓ ML anomaly detection
✓ User behavior
Amazon GuardDuty
✓ Threat intelligence
✓ VPC network monitor
✓ ML behavioral stateful findings and anomaly detections
Change Management & Visibility
AWS Config
✓ Record configuration changes continuously
✓ Time-series view of resource changes
✓ Archive & compare
Config Rules
✓ Enforce best practices
✓ Automatically roll back unwanted changes
✓ Trigger additional workflow
Data Protection
AWS Key Management Service
✓ Deep integration with AWS services
✓ Audit KMS key usage via CloudTrail
✓ KMS Import Key
✓ AWS SDK for application encryption
✓ Security of the keys themselves:
– Plaintext keys never stored in persistent memory
– Automatically rotate keys
– Separation of duties between systems that use master keys and data keys
– Multi-party control for all maintenance on systems that use master keys
Amazon CloudHSM
✓ Dedicated HSM
✓ Integrate with on-premises HSMs
✓ Hybrid architectures
FIPS 140-2 validated HSMs: https://amzn.to/2G9zWiY
Automated Security Functions
AWS CloudFormation (Template → Stack)
✓ Orchestrate changes across AWS services
✓ Use as foundation for Service Catalog products
✓ Use with source code repositories to manage infrastructure changes
✓ JSON-based text file describing infrastructure
✓ Resources created from a template
✓ Can be updated
✓ Updates can be restricted
Network Security
Amazon VPC (VPC CIDR 10.1.0.0/16) with Flow Logs, connected via AWS Direct Connect and VPN Gateway
• Availability Zone A: public subnet (ELB, Web) and private subnets (Back end)
• Availability Zone B: public subnet (ELB, Web) and private subnet (Back end)
Security Groups, one per tier:
• sg_ELB_FrontEnd (ELB Security Group)
• sg_Web_Frontend (Web Security Group)
• sg_Backend (Backend Security Group)
AWS WAF, AWS Shield
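Added example (not from the deck): a Python check that parses VPC Flow Log records for the tiering above and flags accepted flows into the back-end tier that did not originate in the web tier, which is how a security group rule wider than sg_Backend is meant to be shows up in the data. The VPC CIDR 10.1.0.0/16 is from the slide; the subnet ranges, account id, interface id and log lines are constructed.

```python
"""Flow Log check for the ELB / Web / Back end tiering on the slide.

Added example, not the deck's code. Parses Amazon VPC Flow Log version-2
records (the documented default field order) and reports ACCEPTed flows into
the back-end tier from any source other than the web tier. The VPC CIDR is
from the slide; subnets, account id, interface id and records are constructed.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.1.0.0/16")
# Constructed tier layout: one web and one back-end subnet per Availability Zone.
WEB_SUBNETS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")]
BACKEND_SUBNETS = [ipaddress.ip_network("10.1.11.0/24"), ipaddress.ip_network("10.1.12.0/24")]

# Field order of the default (version 2) Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_record(line):
    """Return a dict for one record, or None for NODATA/SKIPDATA records,
    whose address and port fields are '-' and carry no flow information."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    rec["srcaddr"] = ipaddress.ip_address(rec["srcaddr"])
    rec["dstaddr"] = ipaddress.ip_address(rec["dstaddr"])
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def in_any(addr, networks):
    return any(addr in net for net in networks)


def classify(rec):
    """Return a finding for an accepted flow into the back-end tier from a
    source outside the web tier, otherwise None. Only flows whose destination
    is the back end are inspected; the reverse direction is the response
    traffic of the same connection."""
    if rec["action"] != "ACCEPT" or not in_any(rec["dstaddr"], BACKEND_SUBNETS):
        return None
    src, dst = rec["srcaddr"], rec["dstaddr"]
    if in_any(src, WEB_SUBNETS):
        return None
    where = "inside the VPC but not in the web tier" if src in VPC_CIDR else "outside the VPC"
    return (f"{rec['interface_id']}: back end {dst}:{rec['dstport']} accepted "
            f"{src} ({where}), proto {rec['protocol']}, {rec['bytes']} bytes")


def scan(lines):
    """Parse every line and return the list of findings."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            finding = classify(rec)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records for one interface in the back-end subnet of AZ A.
SAMPLE_LINES = [
    # web tier to back end: expected
    "2 123456789012 eni-0a1b2c3d 10.1.1.25 10.1.11.40 49152 8080 6 10 840 1519862400 1519862460 ACCEPT OK",
    # response direction of the flow above: ignored
    "2 123456789012 eni-0a1b2c3d 10.1.11.40 10.1.1.25 8080 49152 6 9 1200 1519862400 1519862460 ACCEPT OK",
    # an internet source reached the back end: sg_Backend is wider than intended
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.1.11.40 51000 8080 6 8 600 1519862400 1519862460 ACCEPT OK",
    # a host in another VPC subnet reached the back end over SSH
    "2 123456789012 eni-0a1b2c3d 10.1.5.9 10.1.11.40 40000 22 6 3 200 1519862400 1519862460 ACCEPT OK",
    # already blocked by the security group: no finding
    "2 123456789012 eni-0a1b2c3d 198.51.100.3 10.1.11.40 44444 3306 6 1 60 1519862400 1519862460 REJECT OK",
    # no traffic in the capture window
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1519862400 1519862460 - NODATA",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```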
Access a deep set of cloud security tools
Networking
• Virtual Private Cloud: isolated cloud resources
• Web Application Firewall: filter malicious web traffic
• Shield: DDoS protection
• Certificate Manager: provision, manage, and deploy SSL/TLS certificates
Encryption
• Key Management Service: manage creation and control of encryption keys
• CloudHSM: hardware-based key storage
• Server-Side Encryption: flexible data encryption options
Identity & Management
• IAM: manage user access and encryption keys
• SAML Federation: SAML 2.0 support to allow on-prem identity integration
• Directory Service: host and manage Microsoft Active Directory
• Organizations: manage settings for multiple accounts
Compliance
• Service Catalog: create and use standardized products
• Config: track resource inventory and changes
• CloudTrail: track user activity and API usage
• CloudWatch: monitor resources and applications
• Inspector: analyze application security
• Artifact: self-service for AWS’ compliance reports
Robust Security for Your Entire Storage Infrastructure
• Batches and streams (data transport): Direct Connect, Snowball, 3rd party connectors, Transfer Acceleration, Storage Gateway, Kinesis Firehose
• File: Amazon EFS
• Block: Amazon EBS (persistent), Amazon EC2 instance store (ephemeral)
• Object: Amazon S3, Amazon Glacier
Security for AWS Storage Services… High Level Info…
Amazon S3
– IAM: IAM policy (resource/bucket policy and user/role policy), ACLs, query string auth
– Encryption: SSE-S3, SSE-C, SSE-KMS; client-side encryption; SSL
– More info: versioning; MFA-Delete; access log (audit, customer base, S3 bill)
Amazon Glacier
– IAM: IAM policy (vault operations), vault access policies
– Encryption: server-side encryption, AES-256 (block cipher)
– More info: lock vault policy (e.g. WORM); CloudTrail integration
Amazon EBS
– IAM: IAM policy (access EBS volumes)
– Encryption: seamless EBS encryption (C, KMS) for data volumes and snapshots; encryption occurs on the servers hosting EC2, for data and boot volumes
– More info: redundancy within the same AZ
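Added example (not from the deck): a Python bucket-policy builder and offline audit covering the Amazon S3 controls in the table above (TLS-only access via the bucket policy, SSE-KMS, versioning, MFA-Delete, access logging). The condition keys are real S3/IAM policy keys; the bucket names and bucket descriptions are constructed, and no AWS call is made.

```python
"""Offline audit of an Amazon S3 bucket against the controls on the slide.

Added example, not the deck's code. build_hardening_policy() produces the
bucket policy; audit_bucket() checks a constructed description shaped like
the GetBucket* API responses. Condition keys are real S3/IAM keys; bucket
names and descriptions are constructed.
"""
import json

TLS_KEY = "aws:SecureTransport"
SSE_KEY = "s3:x-amz-server-side-encryption"


def build_hardening_policy(bucket):
    """Bucket policy denying any non-TLS request and any PutObject that does
    not request SSE-KMS. The encryption check needs two statements: one for a
    header naming another algorithm, one for a missing header."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {TLS_KEY: "false"}}},
            {"Sid": "DenyNonKmsPut", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}}},
            {"Sid": "DenyPutWithoutEncryptionHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"Null": {SSE_KEY: "true"}}},
        ],
    }


def policy_has_deny(policy, operator, key):
    """True if some Deny statement conditions on `key` with `operator`."""
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Deny" and key in st.get("Condition", {}).get(operator, {}):
            return True
    return False


def audit_bucket(desc):
    """Return findings; an empty list means every listed control is present."""
    findings = []
    policy = desc.get("Policy") or {}
    if not policy_has_deny(policy, "Bool", TLS_KEY):
        findings.append("bucket policy does not deny non-TLS access")
    if not (policy_has_deny(policy, "StringNotEquals", SSE_KEY)
            and policy_has_deny(policy, "Null", SSE_KEY)):
        findings.append("bucket policy does not force SSE-KMS on PutObject")
    rules = desc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if "aws:kms" not in algorithms:
        findings.append("default encryption is not SSE-KMS")
    versioning = desc.get("Versioning", {})
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA-Delete is not enabled")
    if not desc.get("Logging", {}).get("LoggingEnabled"):
        findings.append("server access logging is not enabled")
    return findings


# Constructed descriptions: one bucket with only versioning, one fully hardened.
WEAK_BUCKET = {"Policy": {}, "Versioning": {"Status": "Enabled"}}
HARDENED_BUCKET = {
    "Policy": build_hardening_policy("example-customer-data"),
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "Logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "s3/"}},
}

if __name__ == "__main__":
    print(json.dumps(build_hardening_policy("example-customer-data"), indent=2))
    for name, desc in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(desc) or ["no findings"])
```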
Security for AWS Storage Services… High Level Info… (continued)
AWS Snowball
– IAM: IAM policy
– Encryption: supports server-side encryption with S3-managed keys; AES-GCM 256-bit keys; SSL encryption
– More info: physically secured (TPM chip)
Amazon EFS
– IAM: IAM policy
– Encryption: seamless encryption using KMS (data at rest)
– More info: security group for EC2 instances; EFS mount (e.g. NFS port 2049)
Amazon EC2 Instance Store
– IAM: IAM policy (EC2 operations)
– Encryption: via Linux libraries and/or 3rd party tools
– More info: data erased when the instance stops or terminates
Demos
DO IT LIVE!
How can I make sure S3 is secure?
How do I encrypt EBS volumes?
How do I protect log files from tampering?
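Added example (not from the deck): the hash-chain half of CloudTrail log file integrity validation, the control behind the Detective Controls slide's "Encryption & Integrity Validation" bullet, in Python. Field names follow the documented digest file format; the account id, bucket, object keys and log contents are constructed, and the SHA256withRSA signature over each digest, which `aws cloudtrail validate-logs` also checks, is not implemented here.

```python
"""Hash-chain validation of CloudTrail log files against their digest files.

Added example, not the deck's code. Each digest file records the SHA-256 of
every log file it covers plus the key and SHA-256 of the previous digest
file, so an altered or deleted log, or a deleted or rewritten digest, breaks
the chain. Field names follow the documented digest format; account id,
bucket, keys and log contents are constructed. The RSA signature over each
digest is not implemented here.
"""
import hashlib
import json

BUCKET = "example-trail-bucket"  # constructed
LOG_PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2018/03/01/"  # constructed
DIGEST_PREFIX = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2018/03/01/"  # constructed


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_digest(log_files, key, prev_key, prev_raw):
    """Serialize one digest file covering {s3_key: log bytes} and linking to
    the previous digest file's key and hash (None for the first in a chain)."""
    digest = {
        "awsAccountId": "111122223333",
        "digestS3Bucket": BUCKET,
        "digestS3Object": key,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": obj, "hashAlgorithm": "SHA-256",
             "hashValue": sha256_hex(content)}
            for obj, content in sorted(log_files.items())
        ],
        "previousDigestS3Bucket": BUCKET if prev_key else None,
        "previousDigestS3Object": prev_key,
        "previousDigestHashAlgorithm": "SHA-256" if prev_key else None,
        "previousDigestHashValue": sha256_hex(prev_raw) if prev_raw else None,
    }
    return json.dumps(digest, sort_keys=True).encode()


def validate_chain(newest_digest_key, objects):
    """Follow previousDigestS3Object links from the newest digest back to the
    start of the chain. `objects` maps S3 keys to stored bytes. Returns a
    list of problems; an empty list means every hash matched."""
    problems = []
    key = newest_digest_key
    while key is not None:
        raw = objects.get(key)
        if raw is None:
            problems.append(f"{key}: digest file missing")
            break
        digest = json.loads(raw)
        for entry in digest["logFiles"]:
            content = objects.get(entry["s3Object"])
            if content is None:
                problems.append(f"{entry['s3Object']}: log file missing")
            elif sha256_hex(content) != entry["hashValue"]:
                problems.append(f"{entry['s3Object']}: log file hash mismatch")
        prev_key = digest["previousDigestS3Object"]
        prev_raw = objects.get(prev_key) if prev_key else None
        if prev_raw is not None and sha256_hex(prev_raw) != digest["previousDigestHashValue"]:
            problems.append(f"{prev_key}: digest hash differs from the value recorded in {key}")
        key = prev_key
    return problems


def build_sample_bucket():
    """Construct two hourly log files and their digests; return the object
    map and the key of the newest digest."""
    objects, prev_key, prev_raw = {}, None, None
    for hour, events in (("00", ["ConsoleLogin", "CreateUser"]), ("01", ["PutBucketPolicy"])):
        log_key = f"{LOG_PREFIX}trail_{hour}.json"
        objects[log_key] = json.dumps({"Records": [{"eventName": e} for e in events]}).encode()
        digest_key = f"{DIGEST_PREFIX}digest_{hour}.json"
        raw = make_digest({log_key: objects[log_key]}, digest_key, prev_key, prev_raw)
        objects[digest_key] = raw
        prev_key, prev_raw = digest_key, raw
    return objects, prev_key


def tamper_scenarios():
    """Run the validator over the intact bucket and three altered copies."""
    objects, newest = build_sample_bucket()
    log0, digest0 = f"{LOG_PREFIX}trail_00.json", f"{DIGEST_PREFIX}digest_00.json"
    scrubbed = dict(objects)  # the CreateUser event removed from hour 00
    scrubbed[log0] = b'{"Records": [{"eventName": "ConsoleLogin"}]}'
    rebased = dict(scrubbed)  # hour 00 digest rewritten to match the scrubbed log
    rebased[digest0] = make_digest({log0: scrubbed[log0]}, digest0, None, None)
    deleted = {k: v for k, v in objects.items() if k != digest0}  # hour 00 digest gone
    return {name: validate_chain(newest, objs)
            for name, objs in (("intact", objects), ("scrubbed", scrubbed),
                               ("rebased", rebased), ("deleted", deleted))}


if __name__ == "__main__":
    for name, problems in tamper_scenarios().items():
        print(f"{name}: {problems or 'chain intact'}")
```

The rebased case shows why the chain alone is not enough for the newest digest, which has no successor recording its hash; validate-logs closes that gap by checking each digest's RSA signature against CloudTrail's published public key.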
Automate all the things!!
Typical Enterprise Cloud Migration Journey…
Landing Zone
Backup & Recovery
Security (Data, Network)
CI/CD – DevSecOps
Compliance Automation
Flexibility and Complexity
• Single VPC or multiple VPCs?
• How many AWS accounts?
• Public or private subnets?
• What type of encryption? Who will manage the keys?
• IAM groups or roles?
• Security groups or NACLs?
• What is the regulatory requirement?
• What's in scope or out of scope?
• How to verify the standards are met?
• Can we use S3 for this?
• Which AWS database?
Security by Design – Solution to Automate Security Compliance and Auditing in AWS
Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.
Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process.
https://d0.awsstatic.com/whitepapers/compliance/Intro_to_Security_by_Design.pdf
Services involved: Identity & Access Management, CloudTrail, CloudWatch, Config Rules, Trusted Advisor, CloudHSM, Key Management Service, Directory Service
Security by Design - Design Principles
• Build security in every layer
• Design for failures
• Implement auto-healing
• Think parallel
• Plan for Breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat Infrastructure as Code
– Modular
– Versioned
– Constrained
Developing new risk-mitigation capabilities that go beyond global security frameworks: treating risks, eliminating manual processes, and optimizing evidence and audit ratification processes through rigid automation.
Trusted Advisor
AWS Security Partners
• Infrastructure Security
• Logging & Monitoring
• Identity & Access Control
• Configuration & Vulnerability Analysis
• Data Protection
Visit our Security and Compliance Hubs
Where to learn more about AWS’ security & compliance resources:
• Consult the AWS Security & Compliance Quick Reference Guide: https://d0.awsstatic.com/whitepapers/compliance/AWS_Compliance_Quick_Reference.pdf
• Explore the AWS Artifact portal: https://aws.amazon.com/artifact/
• Learn more about our security & compliance accelerators: https://aws.amazon.com/quickstart/
• http://aws.amazon.com/security
• http://aws.amazon.com/compliance
Getting Started
Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups Need to Get Started on AWS
More Related Content

What's hot

Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Amazon Web Services
 

What's hot (20)

Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & Compliance
 
Amazon API Gateway
Amazon API GatewayAmazon API Gateway
Amazon API Gateway
 
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Chicago ...
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Chicago ...Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Chicago ...
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Chicago ...
 
Cost Optimisation on AWS
Cost Optimisation on AWSCost Optimisation on AWS
Cost Optimisation on AWS
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
 
Building-a-Data-Lake-on-AWS
Building-a-Data-Lake-on-AWSBuilding-a-Data-Lake-on-AWS
Building-a-Data-Lake-on-AWS
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
 
Build Data Lakes & Analytics on AWS: Patterns & Best Practices
Build Data Lakes & Analytics on AWS: Patterns & Best PracticesBuild Data Lakes & Analytics on AWS: Patterns & Best Practices
Build Data Lakes & Analytics on AWS: Patterns & Best Practices
 
Deep Dive on AWS Single Sign-On - AWS Online Tech Talks
Deep Dive on AWS Single Sign-On - AWS Online Tech TalksDeep Dive on AWS Single Sign-On - AWS Online Tech Talks
Deep Dive on AWS Single Sign-On - AWS Online Tech Talks
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Accelerate Your Cloud Migration Journey.pdf
Accelerate Your Cloud Migration Journey.pdfAccelerate Your Cloud Migration Journey.pdf
Accelerate Your Cloud Migration Journey.pdf
 
Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...
Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...
Introduction to the Well-Architected Framework and Tool - SVC208 - Anaheim AW...
 
Introduction to AWS Glue
Introduction to AWS GlueIntroduction to AWS Glue
Introduction to AWS Glue
 
Visualizing Big Data Insights with Amazon QuickSight
Visualizing Big Data Insights with Amazon QuickSightVisualizing Big Data Insights with Amazon QuickSight
Visualizing Big Data Insights with Amazon QuickSight
 
AWS Architecting In The Cloud
AWS Architecting In The CloudAWS Architecting In The Cloud
AWS Architecting In The Cloud
 
Amazon QuickSight
Amazon QuickSightAmazon QuickSight
Amazon QuickSight
 
Implementing a Data Lake
Implementing a Data LakeImplementing a Data Lake
Implementing a Data Lake
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Visualize your data in Data Lake with AWS Athena and AWS Quicksight Hands-on ...
Visualize your data in Data Lake with AWS Athena and AWS Quicksight Hands-on ...Visualize your data in Data Lake with AWS Athena and AWS Quicksight Hands-on ...
Visualize your data in Data Lake with AWS Athena and AWS Quicksight Hands-on ...
 

Similar to Protecting Your Data- AWS Security Tools and Features

Similar to Protecting Your Data- AWS Security Tools and Features (20)

Introduction: Security & AWS Storage
Introduction: Security & AWS StorageIntroduction: Security & AWS Storage
Introduction: Security & AWS Storage
 
AWS - Security & Compliance
AWS - Security & ComplianceAWS - Security & Compliance
AWS - Security & Compliance
 
Protecting Your Data
Protecting Your DataProtecting Your Data
Protecting Your Data
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Introduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF LoftIntroduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF Loft
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWS
 
AWS - Security & Compliance
AWS - Security & ComplianceAWS - Security & Compliance
AWS - Security & Compliance
 
SEC301 Security @ (Cloud) Scale
SEC301 Security @ (Cloud) ScaleSEC301 Security @ (Cloud) Scale
SEC301 Security @ (Cloud) Scale
 
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
 
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduAWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Introduction to Security and AWS Storage
Introduction to Security and AWS StorageIntroduction to Security and AWS Storage
Introduction to Security and AWS Storage
 
AWS Innovate Ottawa: Security & Compliance
AWS Innovate Ottawa: Security & ComplianceAWS Innovate Ottawa: Security & Compliance
AWS Innovate Ottawa: Security & Compliance
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
 
Security & Compliance in the cloud
Security & Compliance in the cloudSecurity & Compliance in the cloud
Security & Compliance in the cloud
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017
 

More from Amazon Web Services

Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Protecting Your Data- AWS Security Tools and Features

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft Protecting Your Data AWS Security Tools and Features Brad Dispensa | Specialist
  • 2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Why is Enterprise Security Traditionally Hard? Lack of visibility Low degree of automation
  • 3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved OR Move Fast Stay Secure
  • 4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AND Move Fast Stay Secure
  • 5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Making life easier • Choosing security does not mean giving up on convenience or introducing complexity
  • 6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS Security (“Of” & “In”)
  • 7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved CUSTOMER CUSTOMER DATA OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION AWS PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT RESPONSIBILITY FOR SECURITY “IN” THE CLOUD COMPUTE STORAGE DATABASE NETWORKING CLIENT-SIDE DATA ENCRYPTION & DATA INTEGRITY AUTHENTICATION SERVER-SIDE ENCRYPTION (FILE SYSTEM AND / OR DATA) NETWORKING TRAFFIC PROTECTION (ENCRYPTION / INTEGRITY / IDENTITY) RESPONSIBILITY FOR SECURITY “OF” THE CLOUD AWS GLOBAL INFRA- STRUCTURE EDGE LOCATIONS REGIONS AVAILABILITY ZONES AWS Shared Responsibility Model
  • 8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Security “Of” The Cloud
  • 9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved CUSTOMER CUSTOMER DATA OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION AWS PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT RESPONSIBILITY FOR SECURITY “IN” THE CLOUD COMPUTE STORAGE DATABASE NETWORKING CLIENT-SIDE DATA ENCRYPTION & DATA INTEGRITY AUTHENTICATION SERVER-SIDE ENCRYPTION (FILE SYSTEM AND / OR DATA) NETWORKING TRAFFIC PROTECTION (ENCRYPTION / INTEGRITY / IDENTITY) RESPONSIBILITY FOR SECURITY “OF” THE CLOUD AWS GLOBAL INFRA- STRUCTURE EDGE LOCATIONS REGIONS AVAILABILITY ZONES AWS Shared Responsibility Model
  • 10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Strengthen your security posture Leverage security enhancements from 1M+ customer experiences Benefit from AWS industry leading security teams 24/7, 365 days a year Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations Over 50 global compliance certifications and accreditations “We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers.” Rob Alexander - CIO, Capital One
  • 11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved The AWS Compliance “Display Cabinet” Certificates: Programs: ISO 27001 Certified ISO 9001 CertifiedMPAA
  • 12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved 18 Regions – 54 Availability Zones Region & Number of Availability Zones AWS GovCloud (3) EU Ireland (3) US West Frankfurt (3) Oregon (3) London (2) Northern California (3) Asia Pacific US East Singapore (2) N. Virginia (6) Sydney (3) Tokyo (4) Ohio (3) Seoul (2) Mumbai (2) Osaka-local(1) Canada Central (2) China Beijing (2) Ningxia (2) South America São Paulo (3) New regions coming soon Hongkong,Sweden, AWS Gov Cloud (US-East), Bahrain AWS Global Infrastructure
  • 13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved 114 Edge locations (103 edge locations and 11 Regional Edge Caches) in 56 cities across 24 countries. Global – CloudFront Edge Network
  • 14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Security “In” The Cloud
  • 15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved CUSTOMER CUSTOMER DATA OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION AWS PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT RESPONSIBILITY FOR SECURITY “IN” THE CLOUD COMPUTE STORAGE DATABASE NETWORKING CLIENT-SIDE DATA ENCRYPTION & DATA INTEGRITY AUTHENTICATION SERVER-SIDE ENCRYPTION (FILE SYSTEM AND / OR DATA) NETWORKING TRAFFIC PROTECTION (ENCRYPTION / INTEGRITY / IDENTITY) RESPONSIBILITY FOR SECURITY “OF” THE CLOUD AWS GLOBAL INFRA- STRUCTURE EDGE LOCATIONS REGIONS AVAILABILITY ZONES AWS Shared Responsibility Model
  • 16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Security end-to-end – Help customer build/deploy/operate secure applications Secure Cloud Application SHARED RESPONSIBILITY Strong Compliance Foundation Identity & Access Management Enable Detective Controls Establish Network Security Implement Data Protection Optimize Change Management Automate Security Functions
• 17. Identity and Access Management
  – Identities: Developers, Solutions Architects, Testers, Software/Platform
  – Interaction of AWS identities: EC2, ELB, S3, DynamoDB, SQS, SNS etc.
  Building blocks: IAM Users, IAM Groups, IAM Roles, IAM Policies
• 18. Detective Controls
  AWS CloudTrail: enable globally for all AWS Regions; encryption & integrity validation; archive & forward
  Amazon CloudWatch: Amazon CloudWatch Logs; metrics & filters; alarms & notifications
  Amazon Macie: DLP for S3; ML anomaly detection; user behavior
  Amazon GuardDuty: threat intelligence; VPC network monitoring; ML behavioral stateful findings and anomaly detections
• 19. Change Management & Visibility
  AWS Config: record configuration changes continuously; time-series view of resource changes; archive & compare
  AWS Config Rules: enforce best practices; automatically roll back unwanted changes; trigger additional workflow
• 20. Data Protection
  AWS Key Management Service: deep integration with AWS services; audit KMS key usage via CloudTrail; KMS Import Key; AWS SDK for application encryption; security of the keys themselves; plaintext keys never stored in persistent memory; automatically rotate keys; separation of duties between systems that use master keys and data keys; multi-party control for all maintenance on systems that use master keys
  Amazon CloudHSM: dedicated HSM; integrate with on-premises HSMs; hybrid architectures; FIPS 140-2 validated HSMs
  https://amzn.to/2G9zWiY
• 21. Automated Security Functions – AWS CloudFormation
  Template → Stack: JSON-based text file describing infrastructure; resources created from a template; can be updated; updates can be restricted
  Orchestrate changes across AWS services; use as the foundation for Service Catalog products; use with source code repositories to manage infrastructure changes
• 22. Network Security (reference VPC diagram)
  Amazon VPC (CIDR 10.1.0.0/16) spanning Availability Zones A and B, each with a public subnet (ELB, Web tier) and private subnets (Back end)
  Security groups per tier: sg_ELB_FrontEnd (ELB Security Group), sg_Web_Frontend (Web Security Group), sg_Backend (Backend Security Group)
  Connectivity: AWS Direct Connect, VPN Gateway; visibility: VPC Flow Logs; edge protection: AWS WAF, AWS Shield
• 23. Access a deep set of cloud security tools
  Networking: Virtual Private Cloud – isolated cloud resources; Web Application Firewall – filter malicious web traffic; Shield – DDoS protection; Certificate Manager – provision, manage, and deploy SSL/TLS certificates
  Encryption: Key Management Service – manage creation and control of encryption keys; CloudHSM – hardware-based key storage; Server-Side Encryption – flexible data encryption options
  Identity & Management: IAM – manage user access and encryption keys; SAML Federation – SAML 2.0 support to allow on-prem identity integration; Directory Service – host and manage Microsoft Active Directory; Organizations – manage settings for multiple accounts
  Compliance: Service Catalog – create and use standardized products; Config – track resource inventory and changes; CloudTrail – track user activity and API usage; CloudWatch – monitor resources and applications; Inspector – analyze application security; Artifact – self-service for AWS’ compliance reports
• 24. Robust Security for Your Entire Storage Infrastructure
  Data transport (batches and streams): Direct Connect, Snowball, 3rd-party connectors, Transfer Acceleration, Storage Gateway, Kinesis Firehose
  Storage: File – Amazon EFS; Block – Amazon EBS (persistent), Amazon EC2 Instance Store (ephemeral); Object – Amazon S3, Amazon Glacier
• 25. Security for AWS Storage Services… High Level Info…
  Amazon S3 – IAM: IAM policy (resource, bucket and user/role policies), ACLs, query-string auth. Encryption: SSE-S3, SSE-C, SSE-KMS; client-side encryption; SSL. More info: versioning, MFA-Delete, access logs (audit, customer base, S3 bill)
  Amazon Glacier – IAM: IAM policy (vault operations), vault access policies. Encryption: server-side encryption, AES-256 (block cipher). More info: Vault Lock policy (e.g. WORM), CloudTrail integration
  Amazon EBS – IAM: IAM policy (access to EBS volumes). Encryption: seamless EBS encryption (C, KMS) for data volumes, boot volumes and snapshots; encryption occurs on the servers hosting EC2. More info: redundancy within the same AZ
• 26. Security for AWS Storage Services… High Level Info… (continued)
  AWS Snowball – IAM: IAM policy. Encryption: supports server-side encryption with S3-managed keys; AES-GCM 256-bit keys; SSL encryption. More info: physically secured – TPM chip
  Amazon EFS – IAM: IAM policy. Encryption: seamless encryption using KMS (data at rest). More info: security group for the EC2 instances and the EFS mount (e.g. NFS port 2049)
  Amazon Instance Store – IAM: IAM policy (EC2 operations). Encryption: via Linux libraries and/or 3rd-party tools. More info: data erased when the instance stops or terminates
• 27. Demos – DO IT LIVE!
• 28. How can I make sure S3 is secure?
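As an added example (not from the deck), a Python check that scores an S3 bucket against the slide-25 controls: default server-side encryption, versioning and MFA Delete, access logging, and an SSL/TLS-only bucket policy, plus S3 Block Public Access, which goes beyond what the slide lists. It takes the raw responses of boto3's get_bucket_encryption, get_bucket_versioning, get_public_access_block, get_bucket_logging and get_bucket_policy (None where the API reports the feature as not configured); the bucket state below is constructed.

```python
import json

# Assumed input shape: the raw dicts returned by boto3's get_bucket_encryption, get_bucket_versioning,
# get_public_access_block, get_bucket_logging, plus the JSON string from get_bucket_policy()["Policy"];
# None means the API reported the feature as not configured.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def enforces_tls(policy_json):
    """True if a bucket-policy Deny statement rejects requests made with aws:SecureTransport = false."""
    stmts = json.loads(policy_json or "{}").get("Statement", [])
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:  # "Statement" may be one object or a list
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport")).lower() == "false":
            return True
    return False

def assess_bucket(state):
    """Return a list of findings for one bucket (empty list = every checked control is in place)."""
    findings = []
    rules = (state.get("encryption") or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:  # SSE-S3 or SSE-KMS set as the bucket default
        findings.append("no default server-side encryption (enable SSE-S3 or SSE-KMS)")
    ver = state.get("versioning") or {}
    if ver.get("Status") != "Enabled":
        findings.append("versioning disabled")
    if ver.get("MFADelete") != "Enabled":
        findings.append("MFA Delete disabled")
    bpa = (state.get("public_access_block") or {}).get("PublicAccessBlockConfiguration", {})
    findings += [f"Block Public Access flag {f} off" for f in BPA_FLAGS if not bpa.get(f)]
    if "LoggingEnabled" not in (state.get("logging") or {}):
        findings.append("server access logging disabled")
    if not enforces_tls(state.get("policy")):
        findings.append("bucket policy does not deny non-TLS requests")
    return findings

# Constructed sample state (not a real account): versioned, logged and TLS-only, but with no
# default SSE, no MFA Delete and one Block Public Access flag left off.
SAMPLE_STATE = {
    "encryption": None,
    "versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "s3/"}},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
}
```

Running `assess_bucket(SAMPLE_STATE)` against the constructed state reports the missing default SSE, the disabled MFA Delete and the one Block Public Access flag that is off.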
• 29. How do I encrypt EBS volumes?
• 30. How do I protect log files from tampering?
• 31. Automate all the things!!
• 32. Typical Enterprise Cloud Migration Journey… Landing Zone → Backup & Recovery → Security (Data, Network) → CI/CD – DevSecOps → Compliance Automation
• 33. Flexibility and Complexity – the decisions to make: Single VPC or multiple VPCs? How many AWS accounts? Public or private subnets? What type of encryption? Who will manage the keys? IAM groups or roles? Security groups or NACLs? What is the regulatory requirement? What's in scope or out of scope? How to verify the standards are met? Can we use S3 for this? Which AWS database?
• 34. Security by Design – a solution to automate security compliance and auditing in AWS. Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process. https://d0.awsstatic.com/whitepapers/compliance/Intro_to_Security_by_Design.pdf Services involved: Identity & Access Management, CloudTrail, CloudWatch, Config Rules, Trusted Advisor, CloudHSM, Key Management Service, Directory Service
• 35. Security by Design – Design Principles
  – Build security in every layer
  – Design for failures
  – Implement auto-healing
  – Think parallel
  – Plan for breach
  – Don't fear constraints
  – Leverage different storage options
  – Design for cost
  – Treat Infrastructure as Code: modular, versioned, constrained
  Goal: develop new risk-mitigation capabilities that go beyond global security frameworks by treating risks, eliminating manual processes, and optimizing evidence and audit ratification processes through rigid automation.
• 36. Trusted Advisor
• 37. AWS Security Partners: Infrastructure Security; Logging & Monitoring; Identity & Access Control; Configuration & Vulnerability Analysis; Data Protection
• 38. Getting Started – where to learn more about AWS’ security & compliance resources
  Visit our Security and Compliance Hubs: http://aws.amazon.com/security and http://aws.amazon.com/compliance
  Consult the AWS Security & Compliance Quick Reference Guide: https://d0.awsstatic.com/whitepapers/compliance/AWS_Compliance_Quick_Reference.pdf
  Explore the AWS Artifact portal: https://aws.amazon.com/artifact/
  Learn more about our security & compliance accelerators: https://aws.amazon.com/quickstart/
• 39. Pop-up Loft – aws.amazon.com/activate – Everything and Anything Startups Need to Get Started on AWS