© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chris Johnson, Solutions Architect
April, 2018
Security Architectures on AWS
What we’ll cover today …
• Initial considerations before you deploy
• Walk through AWS Shared Responsibility Model
• Practical advice on AWS security controls to deploy
• Practical advice on AWS security audit tooling
But first …
(Initial considerations before you deploy)
Ask yourself some questions:
1. How will your service be accessed (public or private)?
2. What sort of data are you handling?
3. Are there any regulations you need to be compliant with?
4. Are there any compliance assessments you need to plan for?
5. Who will be administering the application?
6. Who needs to audit the platform (internal or external)?
Answers will lead you to where you put your data
(diagram: one region containing Availability Zone A, Availability Zone B and Availability Zone C)
Each region has at least two Availability Zones
Answers will lead you to AWS Artifact (on-demand access to the AWS compliance reports your auditors will ask for)
Answers will lead you to Identity and Access Management
• Integration with AWS Services
• Identity Federation
• Granular Permissions Model
• Multi-factor Authentication
• Identity information for assurance
Ok - so who manages what?
(The AWS Shared Responsibility Model)
Does one model work for all AWS Services? No: the split depends on how much of the stack AWS operates for you, so the model is drawn three times:
• Infrastructure Services
• Container Services
• Abstracted Services
AWS Shared Responsibility Model: for Infrastructure Services
(services where you run and manage the operating system yourself, e.g. Amazon EC2)
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS IAM and the API endpoints that every management call goes through
Managed by the customer:
• Customer content (optionally opaque to AWS: 1’s and 0’s in transit / at rest)
• Platform & applications management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption / integrity / identity)
• Customer IAM: which identities may make which API calls over the management protocols

AWS Shared Responsibility Model: for Container Services
(managed platforms where AWS runs the operating system but you still draw the network boundary, e.g. Amazon RDS or AWS Elastic Beanstalk)
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Operating system and network configuration
• Platform & applications management
• AWS IAM and the API endpoints
Managed by the customer:
• Customer content (optionally opaque to AWS: 1’s and 0’s in transit / at rest)
• Firewall configuration (the security groups around the managed resources)
• Client-side data encryption & data integrity authentication
• Network traffic protection (encryption / integrity / identity)
• Customer IAM: API calls over the management protocols

AWS Shared Responsibility Model: for Abstracted Services
(services consumed purely through an API, e.g. Amazon S3 or Amazon DynamoDB)
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Operating system, network & firewall configuration
• Platform & applications management
• Data protection by the platform (protection of data at rest)
• Network traffic protection by the platform (protection of data in transit)
• AWS IAM and the API endpoints
Managed by the customer:
• Customer content (optionally opaque to AWS: 1’s and 0’s in flight / at rest)
• (Optional) client-side data encryption & data integrity authentication
• IAM policies deciding who may make which API calls
What should I consider for my Application?
(Practical advice on AWS Security Controls to deploy)
Reference architecture used by the next slides (diagram): Amazon Route 53 hosts myapp.com. www.myapp.com resolves to a CloudFront distribution in front of an Application Load Balancer, which fronts an EC2 web app server in Availability Zone #1 (a security group on the ALB and another on the instance; root and data EBS volumes with an EBS snapshot). media.myapp.com is served by CloudFront from an Amazon S3 bucket origin, and access logs go to a separate S3 logs bucket.

1. Route 53
DNS-layer attacks the service is built to absorb:
• Malformed packet requests
• SYN/ACK or UDP floods
• Reflection attacks
• DNS floods
Resilience mechanisms behind that:
• Shuffle sharding (forced data distribution and isolation: each hosted zone is served by its own mix of name servers, so an attack on one customer’s zone does not take another customer down)
• Anycast striping (ability to advertise IP scopes from any/all regions)
2. CloudFront
• Content caching (fewer requests ever reach the origin)
• Origin acceleration
• AWS WAF integration (Layer-7 inspection)
• AWS Shield (standard, automatic) and Shield Advanced integration
3. Application Load Balancer
• Path-based routing
• HTTP/HTTPS listeners only (no arbitrary TCP ports exposed)
• SSL/TLS offload (TLS terminated at the load balancer)
• AWS WAF integration (Layer-7 inspection)
• AWS Shield (standard, automatic) and Shield Advanced integration
4. S3 bucket
• Amazon Macie integration (discovers and classifies sensitive data stored in the bucket)
• Static HTTP web server (static website hosting)
• Origin for CloudFront: lock it down so only the distribution can fetch objects (CloudFront adds a secret custom header to every origin request and the bucket policy requires it)
• The website endpoint has no HTTPS capability; terminate TLS at CloudFront
• Object- and bucket-level logging (S3 server access logs for the bucket, CloudTrail data events for object-level API calls)
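The "custom header" lock-down from the S3 bullets above, worked through as an added example (not code from the deck). Because an S3 website endpoint is a plain-HTTP custom origin, the only request header a bucket policy can test is the Referer (`aws:Referer` condition), so CloudFront is configured to send a secret Referer value as a custom origin header and the bucket policy allows `s3:GetObject` only when it is present. The bucket name, the header value and `demo()` are hypothetical; `cloudfront_custom_headers` returns the `Origin.CustomHeaders` shape of a CloudFront distribution config.

```python
"""Lock an S3 website-endpoint origin to one CloudFront distribution with a
shared-secret Referer header. Added example, not from the slides; names are
hypothetical."""
import hmac
import json
import secrets

BUCKET = "media-myapp-com"   # hypothetical bucket behind media.myapp.com


def new_origin_secret() -> str:
    """Random value CloudFront will inject; rotate it like any other credential."""
    return secrets.token_urlsafe(32)


def cloudfront_custom_headers(origin_secret: str) -> dict:
    """Origin.CustomHeaders fragment of a CloudFront DistributionConfig."""
    return {"Quantity": 1,
            "Items": [{"HeaderName": "Referer", "HeaderValue": origin_secret}]}


def bucket_policy(bucket: str, origin_secret: str) -> str:
    """Anonymous GetObject is allowed only when the request carries the secret
    Referer; every other anonymous call (ListBucket, a direct hit on the REST or
    website endpoint without the header) falls through to the implicit deny."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "GetObjectOnlyViaCloudFrontSecretReferer",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"aws:Referer": origin_secret}},
        }],
    }
    return json.dumps(policy, indent=2)


def origin_allows(request_headers: dict, origin_secret: str) -> bool:
    """The check the origin effectively performs (S3 through the policy above; a
    WAF or ALB listener rule for a custom origin). Header names are matched
    case-insensitively; the value compare is constant-time so response timing
    cannot leak the secret."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    presented = headers.get("referer", "")
    return hmac.compare_digest(presented.encode(), origin_secret.encode())


def demo() -> dict:
    """Three constructed requests against a freshly generated secret."""
    secret = new_origin_secret()
    policy = json.loads(bucket_policy(BUCKET, secret))
    endpoint = f"{BUCKET}.s3-website-eu-west-1.amazonaws.com"
    via_cloudfront = {"Host": endpoint, "Referer": secret}      # distribution -> origin
    direct_hit = {"Host": endpoint}                              # attacker bypassing CloudFront
    forged = {"Host": endpoint, "Referer": "https://www.myapp.com/"}   # guessed Referer
    return {
        "policy_condition_matches_secret":
            policy["Statement"][0]["Condition"]["StringEquals"]["aws:Referer"] == secret,
        "cloudfront_request_allowed": origin_allows(via_cloudfront, secret),
        "direct_request_allowed": origin_allows(direct_hit, secret),
        "forged_browser_referer_allowed": origin_allows(forged, secret),
    }
```

Two caveats worth knowing: the secret travels in clear text between CloudFront and the website endpoint (the slide’s "no HTTPS" point), and anyone who can read the distribution config can read it, so treat it as a credential and rotate it. If you do not need website-hosting features (index documents, redirects), serving the REST endpoint through a CloudFront Origin Access Identity is the stronger lock because it needs no shared secret at all.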
5. VPC controls
• Route table: decides which networks a subnet can be routed to/from
• NACL: stateless; numbered rules evaluated in ascending order, first match wins; applied per subnet [the default NACL allows everything, a custom one denies everything until rules are added]; because it is stateless, return traffic needs its own rule on the ephemeral port range
• Security group: stateful; all rules evaluated, allow rules only; applied per network interface [a new group has no inbound rules, so it is closed until you open something]
• VPC Flow Logs: IP-layer (Layer 3/4) metadata per network interface (5-tuple, bytes, packets, ACCEPT/REJECT), not packet payloads
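The stateless-versus-stateful distinction in the VPC bullets above is the one that bites in practice, so here it is as an added example (not from the deck): a small simulation of NACL and security-group evaluation. Rule sets, addresses and packets are constructed; `https_reply_demo()` shows an HTTPS reply being dropped by a NACL that lacks an ephemeral-port outbound rule while a security group with no outbound rules at all still lets the reply out, and `nacl_order_demo()` shows that a deny rule only takes effect when its number is lower than the matching allow.

```python
"""Stateless NACL vs stateful security group, simulated. Added example, not
from the slides: rule sets, addresses and packets are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst proto sport dport")   # proto: "tcp"/"udp"


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "-1" (all)
    cidr: str               # remote side of the flow
    port_from: int          # destination-port range of the packet under test
    port_to: int
    number: int = 0         # NACL only: evaluation order
    action: str = "allow"   # NACL only: "allow" or "deny"

    def matches(self, pkt, remote_ip):
        return ((self.proto == "-1" or self.proto == pkt.proto)
                and ip_address(remote_ip) in ip_network(self.cidr)
                and self.port_from <= pkt.dport <= self.port_to)


class NetworkAcl:
    """Stateless: each packet, in each direction, is matched against the numbered
    rules in ascending order; first match wins; no match means deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, pkt, remote_ip):
        for rule in rules:
            if rule.matches(pkt, remote_ip):
                return rule.action == "allow"
        return False  # the implicit "*" deny at the end of a custom NACL

    def allows_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt, pkt.src)

    def allows_outbound(self, pkt):
        return self._evaluate(self.outbound, pkt, pkt.dst)


class SecurityGroup:
    """Stateful: all rules are evaluated (allow rules only, any match wins) and
    replies to an accepted flow pass without an explicit rule."""

    def __init__(self, inbound, outbound=None):
        self.inbound = list(inbound)
        # A new group allows all outbound traffic; pass [] to take that away.
        self.outbound = [Rule("-1", "0.0.0.0/0", 0, 65535)] if outbound is None else list(outbound)
        self._flows = set()   # connection-tracking table

    def allows_inbound(self, pkt):
        if any(r.matches(pkt, pkt.src) for r in self.inbound):
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False

    def allows_outbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self._flows:
            return True   # reply to a tracked inbound flow
        return any(r.matches(pkt, pkt.dst) for r in self.outbound)


def https_reply_demo():
    """An internet client connects to the web tier on 443: does the reply get out?"""
    client, web = "203.0.113.10", "10.0.1.25"
    request = Packet(client, web, "tcp", sport=51234, dport=443)
    reply = Packet(web, client, "tcp", sport=443, dport=51234)
    allow_443 = Rule("tcp", "0.0.0.0/0", 443, 443, number=100)
    nacl_no_ephemeral = NetworkAcl([allow_443], [Rule("tcp", "0.0.0.0/0", 443, 443, number=100)])
    nacl_ok = NetworkAcl([allow_443], [Rule("tcp", "0.0.0.0/0", 1024, 65535, number=100)])
    sg = SecurityGroup([Rule("tcp", "0.0.0.0/0", 443, 443)], outbound=[])
    return {
        "nacl_reply_without_ephemeral_rule":
            nacl_no_ephemeral.allows_inbound(request) and nacl_no_ephemeral.allows_outbound(reply),
        "nacl_reply_with_ephemeral_rule":
            nacl_ok.allows_inbound(request) and nacl_ok.allows_outbound(reply),
        "sg_reply_with_no_outbound_rules":
            sg.allows_inbound(request) and sg.allows_outbound(reply),
    }


def nacl_order_demo():
    """A deny rule only bites when its number is lower than the matching allow."""
    request = Packet("198.51.100.7", "10.0.1.25", "tcp", sport=40000, dport=443)
    allow_443 = Rule("tcp", "0.0.0.0/0", 443, 443, number=100)

    def deny(n):
        return Rule("tcp", "198.51.100.0/24", 443, 443, number=n, action="deny")

    return {
        "deny_numbered_below_allow": NetworkAcl([deny(90), allow_443], []).allows_inbound(request),
        "deny_numbered_above_allow": NetworkAcl([deny(110), allow_443], []).allows_inbound(request),
    }
```

The practical reading: put broad, rarely changing allow rules and explicit block-lists (with low rule numbers) in the NACL, remembering the ephemeral-port rule for replies, and do the fine-grained, per-tier allow-listing in security groups, which the slide’s "[Default CLOSED]" refers to.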
6. Amazon Inspector
• Agent-based assessment of the EC2 instances behind the load balancer
• CVE findings / security best practices
• CIS benchmarks / network behavioural monitoring
• AWS Systems Manager integration: Run Command for privileged command execution (no SSH keys or bastion host to protect)
• AWS Systems Manager integration: ship OS and application logs to CloudWatch Logs
How do I ensure it is all working as planned?
(Practical advice on AWS Security audit tooling)
Account structure (diagram): separate Myapp Production, Dev and Sandbox accounts for workloads, a Myapp Audit account that receives everyone’s logs, and a Myapp Billing account. Each workload account delivers CloudTrail and Config data into the CloudTrail bucket and Config bucket owned by the Audit account, where it is queried with Amazon Athena, Amazon ES (Elasticsearch) and visualised with Amazon QuickSight; the workload accounts are GuardDuty members of the Audit account.
Multi-Account View (Audit account):
• CloudTrail (queried with Athena or Elasticsearch)
• Config (Aggregator)
• GuardDuty
• VPC Flow Logs
Local-Account View (each workload account):
• CloudTrail
• Config (incl. Config Rules)
• GuardDuty
• VPC Flow Logs
• Inspector
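What "query CloudTrail with Athena or Elasticsearch" turns into on the detection side, as an added example (not from the deck): a triage pass over CloudTrail records that raises the findings an audit account would want first. The four records in `SAMPLE_LOG` are constructed (account ID, ARNs, IPs and event IDs are placeholders) but keep the real CloudTrail record layout, so `triage()` works unchanged on a decompressed log file from the CloudTrail bucket; the rule names and the `ADMIN_PORTS` set are this example’s own choices.

```python
"""Triage CloudTrail records for a few high-signal events. Added example, not
from the slides; the sample records are constructed."""
import json
from ipaddress import ip_network

SAMPLE_LOG = json.dumps({"Records": [
    {   # console login by the root user without MFA
        "eventVersion": "1.05", "eventID": "evt-0001", "eventTime": "2018-04-02T09:12:44Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.55",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # SSH opened to the whole internet on a web-tier security group
        "eventVersion": "1.05", "eventID": "evt-0002", "eventTime": "2018-04-02T09:15:03Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.55",
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {   # benign noise: a describe call from the web tier's instance role
        "eventVersion": "1.05", "eventID": "evt-0003", "eventTime": "2018-04-02T09:16:10Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/web-app/i-0abc"},
        "sourceIPAddress": "10.0.1.25",
    },
    {   # someone switches the audit trail off
        "eventVersion": "1.05", "eventID": "evt-0004", "eventTime": "2018-04-02T09:20:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.55",
        "requestParameters": {"name": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/myapp-audit"},
    },
]})

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ADMIN_PORTS = {22, 3389}   # this example's choice of "never from the internet" ports


def open_admin_ports(record):
    """(port, cidr) pairs an AuthorizeSecurityGroupIngress call opens from a public range."""
    hits = []
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        low, high = perm.get("fromPort", 0), perm.get("toPort", 65535)   # ipProtocol -1 has no ports
        for rng in perm.get("ipRanges", {}).get("items", []):
            cidr = rng.get("cidrIp")
            if not cidr:
                continue
            public = cidr in ("0.0.0.0/0", "::/0") or not ip_network(cidr, strict=False).is_private
            if public and any(low <= p <= high for p in ADMIN_PORTS):
                hits.append((low if low == high else f"{low}-{high}", cidr))
    return hits


def triage(raw_log):
    """Return (rule, eventID, detail) findings for one CloudTrail log file's records."""
    findings = []
    for rec in json.loads(raw_log)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("arn", "?")
        name, source = rec.get("eventName"), rec.get("eventSource")
        if name == "ConsoleLogin" and rec.get("responseElements", {}).get("ConsoleLogin") == "Success":
            if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(("console-login-without-mfa", rec["eventID"], who))
            if ident.get("type") == "Root":
                findings.append(("root-account-used", rec["eventID"], who))
        elif name == "AuthorizeSecurityGroupIngress":
            group = rec.get("requestParameters", {}).get("groupId", "?")
            for port, cidr in open_admin_ports(rec):
                findings.append(("admin-port-open-to-internet", rec["eventID"],
                                 f"{who} opened {group} port {port} to {cidr}"))
        elif source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", rec["eventID"], f"{who} called {name}"))
    return findings
```

Run against the constructed log, `triage(SAMPLE_LOG)` returns four findings (two for the root login, one for the open SSH rule, one for StopLogging) and nothing for the DescribeInstances noise. The same four conditions are what you would express as Config rules or as saved Athena queries over the audit bucket; keeping the logic in the Audit account matters precisely because the last record shows a workload-account user can stop the trail in their own account but not delete the copy already delivered to a bucket they do not own.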
Shall we have a look at this in action?
(Demo time!)
Thank you, any questions?
