AWS Initiate: Security framework shakedown
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security Framework for the Cloud
Map your journey with AWS best practices
Melissa Ravanini
Solutions Architect
ravanini@amazon.com
Agenda
• Cloud Adoption Framework: security perspective
• AWS Well-Architected Framework: security pillar
AWS shared responsibility model
AWS Cloud Adoption Framework
Define the strategy
Identify the workloads that will move to the cloud
Identify stakeholders
Deliver a security program
Rationalize on top of your security requirements
Define protection and security controls for your data
Document your security architecture
Security cartography
Robust security operations
Deploy the architecture
Automation
Continuous monitoring
Tests and Gamedays
Example of a security journey (weekly sprints, Week 1 through Week 5):
Identity and access control
Controls and detection
Infrastructure security
Data protection
Incident response
What is the AWS Well-Architected Framework?
Pillars
Design principles
Questions
AWS Well-Architected pillars
Security
Reliability
Performance efficiency
Cost optimization
Operational excellence
AWS Trusted Advisor
https://console.aws.amazon.com/trustedadvisor
Best practices: strong identity control
Root access should never be used
Consider AWS Organizations
Implement a password rotation policy
Centralize identities
Audit periodically
Cross-account access
https://docs.aws.amazon.com/pt_br/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
AWS Single Sign-On (SSO)
Free AWS single sign-on (SSO) service to centralize access management for AWS accounts and business applications
Centralize access management across multiple AWS accounts
Easy to enable and use
Use your existing identities
SSO access to SAML applications
Best practices: strong identity control
Never store credentials or passwords in code
Enforce the use of MFA
Use IAM roles for services
Establish least-privilege policies
Use temporary credentials
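The two practices above that can be checked mechanically are least privilege and MFA enforcement. The following is an added example, not code from the deck or from AWS: it lints an IAM policy document for wildcard actions or resources in Allow statements and reports Allow statements that are not conditioned on the aws:MultiFactorAuthPresent key. Both sample policies (the bucket name included) are constructed for illustration.

```python
"""Lint an IAM policy document for two identity practices from the deck:
least privilege (no wildcard actions or resources in Allow statements) and
MFA enforcement (every Allow conditioned on aws:MultiFactorAuthPresent).
Added example; both sample policies are constructed for illustration."""
import json

# Constructed: the kind of policy least privilege rules out.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: read-only access to one bucket, granted only when MFA was used.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-reports-bucket",
            "arn:aws:s3:::example-reports-bucket/*",
        ],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_json):
    """Yield (index, statement) for Allow statements; Deny only narrows access."""
    policy = json.loads(policy_json)
    return [(i, s) for i, s in enumerate(_as_list(policy.get("Statement")))
            if s.get("Effect") == "Allow"]


def lint_least_privilege(policy_json):
    """Return (statement_index, finding) pairs for over-broad Allow statements."""
    findings = []
    for index, statement in _allow_statements(policy_json):
        # NotAction/NotResource in an Allow grants everything that is NOT listed.
        if "NotAction" in statement or "NotResource" in statement:
            findings.append((index, "NotAction/NotResource grants everything not listed"))
        for action in _as_list(statement.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((index, f"wildcard action {action}"))
        for resource in _as_list(statement.get("Resource")):
            if resource == "*":
                findings.append((index, "wildcard resource *"))
    return findings


def _requires_mfa(statement):
    """True if any condition block references aws:MultiFactorAuthPresent."""
    for keys in statement.get("Condition", {}).values():
        if any(k.lower() == "aws:multifactorauthpresent" for k in keys):
            return True
    return False


def allows_without_mfa(policy_json):
    """Indices of Allow statements that do not require MFA."""
    return [i for i, s in _allow_statements(policy_json) if not _requires_mfa(s)]


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_least_privilege(doc), "no-MFA allows:", allows_without_mfa(doc))
```

The MFA check only looks for the condition key; it does not evaluate the operator or value, so a policy that uses the Deny-with-BoolIfExists pattern instead should be reviewed by hand.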
Best practices: enable traceability
Consider Amazon GuardDuty
Configure application and infrastructure logging
Centralize using a SIEM
Monitor proactively
Regularly review new features and best practices
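Traceability pays off when the logs are actually queried for the identity practices listed earlier (no root usage, MFA everywhere, temporary credentials). The following is an added example, not material from the deck: it runs three such checks over CloudTrail records in the JSON shape CloudTrail delivers. The records are constructed (account id, key ids and addresses are placeholders). The long-lived-key check relies on the fact that IAM long-term access keys start with AKIA while STS temporary keys start with ASIA.

```python
"""Detection checks over CloudTrail records: root-account activity, console
logins without MFA, and use of long-lived access keys. Added example with
constructed records; the log shape follows CloudTrail's {"Records": [...]}."""
import json

# Constructed sample log (values are placeholders, not real events).
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2019-05-01T10:00:00Z", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "sourceIPAddress": "198.51.100.10",
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2019-05-01T10:05:00Z", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "198.51.100.11",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2019-05-01T10:10:00Z", "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/session"},
        "sourceIPAddress": "198.51.100.12",
    },
    {
        "eventTime": "2019-05-01T10:15:00Z", "eventName": "ListBuckets",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "accessKeyId": "AKIAEXAMPLE000000002",
                         "arn": "arn:aws:iam::111122223333:user/bob"},
        "sourceIPAddress": "198.51.100.13",
    },
]})


def load_records(log_text):
    """Parse one CloudTrail log file (a JSON object with a Records array)."""
    return json.loads(log_text)["Records"]


def find_root_activity(records):
    """Any event made by the root user: the deck says root should never be used."""
    return [(r["eventTime"], r["eventName"]) for r in records
            if r.get("userIdentity", {}).get("type") == "Root"]


def find_console_logins_without_mfa(records):
    """Successful console logins where CloudTrail reports MFAUsed == No."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if r.get("additionalEventData", {}).get("MFAUsed") == "No":
            hits.append(r["userIdentity"].get("arn"))
    return hits


def long_lived_key_usage(records):
    """Access key ids that are long-term IAM keys (AKIA...) rather than STS keys (ASIA...)."""
    return {r["userIdentity"]["accessKeyId"] for r in records
            if r.get("userIdentity", {}).get("accessKeyId", "").startswith("AKIA")}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("root activity:", find_root_activity(recs))
    print("console logins without MFA:", find_console_logins_without_mfa(recs))
    print("long-lived keys in use:", long_lived_key_usage(recs))
```

In practice the same three functions would run over CloudTrail files pulled from S3 or over events forwarded to a SIEM; the third check is the "credential monitoring" item from the speaker notes, since principals that assume roles show up only with ASIA keys.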
Amazon GuardDuty
https://console.aws.amazon.com/guardduty/
Best practices: network protection
Amazon CloudFront + AWS WAF
Amazon VPC and security groups
Private connectivity: Transit Gateway, VPN, AWS Direct Connect
Service endpoints
Enforce permissions at the service level
How: protection at the network layer
(Diagram: users, www.example.com, region, VPC, instances, bucket; WAF automation)
https://amzn.to/2PbHOpz
Best practices: apply security at every layer
Harden operating systems and change default settings
Use anti-malware + intrusion detection tools
Scan your infrastructure
Scan your code
Install patches for vulnerabilities
How: automate checks
AWS Config and Config Rules
https://console.aws.amazon.com/config
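A Config rule is the place where a network-layer practice from the deck (VPC and security groups) becomes an automated check. The following is an added example, not code from the deck or from AWS: the evaluation logic of a custom Config rule that marks a security group NON_COMPLIANT when any ingress rule permits tcp/22 (or all traffic) from 0.0.0.0/0 or ::/0, plus the wrapper that turns the rule's invoking event into the evaluation record a Lambda would hand to PutEvaluations. It assumes the configurationItem's configuration mirrors the EC2 API in camelCase (ipPermissions, ipRanges/cidrIp, ipv6Ranges/cidrIpv6); the sample events are constructed.

```python
"""Evaluation logic for a custom AWS Config rule: flag security groups whose
ingress allows SSH (tcp/22) from anywhere. Added example, not from the deck.
Assumption: configuration mirrors the EC2 DescribeSecurityGroups shape in
camelCase (ipPermissions, ipRanges/cidrIp, ipv6Ranges/cidrIpv6)."""
import json

OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"
SSH_PORT = 22


def _covers_port(permission, port):
    """True if this ingress permission applies to tcp/<port> (or to all traffic)."""
    proto = permission.get("ipProtocol")
    if proto == "-1":
        return True  # all protocols and ports
    if proto != "tcp":
        return False
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if lo is None or hi is None:
        return True  # no port range given means every port
    return lo <= port <= hi


def _open_to_world(permission):
    """True if any IPv4 or IPv6 range in the permission is the whole internet."""
    v4 = any(r.get("cidrIp") == OPEN_V4 for r in permission.get("ipRanges", []))
    v6 = any(r.get("cidrIpv6") == OPEN_V6 for r in permission.get("ipv6Ranges", []))
    return v4 or v6


def evaluate_security_group(configuration, port=SSH_PORT):
    """Return (compliance_type, annotation) for one security group configuration."""
    for permission in configuration.get("ipPermissions", []):
        if _covers_port(permission, port) and _open_to_world(permission):
            return "NON_COMPLIANT", f"ingress to port {port} allowed from any address"
    return "COMPLIANT", f"no world-open ingress to port {port}"


def build_evaluation(event):
    """Turn a Config rule invoking event into the record passed to PutEvaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed sample configurations (ids are placeholders).
OPEN_SG = {"groupId": "sg-0example1", "ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": [{"cidrIp": OPEN_V4}], "ipv6Ranges": []}]}
LOCKED_SG = {"groupId": "sg-0example2", "ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": [{"cidrIp": OPEN_V4}], "ipv6Ranges": []}]}

# Constructed invoking event in the shape a custom rule Lambda receives.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example1",
    "configurationItemCaptureTime": "2019-05-01T12:00:00.000Z",
    "configuration": OPEN_SG}}), "ruleParameters": "{}"}


if __name__ == "__main__":
    print(evaluate_security_group(OPEN_SG))
    print(evaluate_security_group(LOCKED_SG))
    print(build_evaluation(SAMPLE_EVENT)["ComplianceType"])
```

HTTPS open to the world in LOCKED_SG is intentional and stays COMPLIANT, since the rule is scoped to port 22; a deployed rule would read the port from ruleParameters and report the result with boto3's config.put_evaluations.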
How: automated management
Automation
Patch Manager
State Manager
https://amzn.to/2AaOwSg
https://amzn.to/2DSTLdK
https://amzn.to/2Qihzxm
Editor's notes: If you do not have a security-control checklist, pick one, for example ISO or NIST, or the Center for Internet Security (CIS) Security Controls… Thinking in terms of agile methodology, we have weekly sprints…
IAM: do not forget to talk about federation
Infra: WAF, security groups, route tables, ACLs
Data protection: encryption in transit and at rest
Response plans and procedures: alarms, monitoring, notifications. Credential monitoring -> check whether they are being used. If you are using roles, you are already using temporary credentials via STS (Security Token Service)
GuardDuty: free tier; VPC Flow Logs, DNS logs, CloudTrail logs
CloudWatch Logs and alerts
SIEM: Security Information and Event Management; Marketplace
Inspector; OWASP (open source): Open Web Application Security Project