
AWS November meetup Slides


  1. November 7th 2018, #74. PRESENTS
  2. Sponsors
  3. What's On Tonight: 6:00 pm, 1. PolarSeven, "AWS Secrets Manager", Kishore Pandian. 6:20 pm, 2. Palo Alto Networks, "AI Driven Cloud Security", Craig Dent. 6:40 pm, Break: have some pizza & beer, on us! 7:20 pm, 3. CloudHealth, "Best Practices for Cloud Management", Nick Cannone. 7:40 pm, Networking.
  4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sydney Nov 20 & Melbourne Nov 21, AWS Offices. • AWS TechShift: exclusive event for software companies, independent software vendors (ISVs), application developers and SaaS businesses • Over 14 business & technical sessions: learn how to improve the way you build and deliver software for global success • Guest speakers: TechnologyOne, SafetyCulture, Atlassian • Network, visit AWS booths & have the opportunity to win an Amazon Echo, AWS DeepLens, AWS credits & more. REGISTER TODAY! https://aws.amazon.com/events/techshift/australia/
  5. Presentation 1: Kishore Pandian, Cloud Consultant, "AWS Secrets Manager"
  6. Intro: Kishore Pandian, Cloud Engineer, "AWS Secrets Manager"
  7. Secrets Manager. What is a secret? ● Passwords ● Encryption keys ● SSH keys ● Access key ID and secret access key ● Any data you want to keep secret.
  8. Secrets Manager. Challenges with traditional methods: ● Available solutions are too complex and expensive ● Unreliable rotation leading to outages ● Too many users with unnecessary access to secrets
  9. Secrets Manager. Key features: ● Rotate secrets safely: built in for RDS, extensible with Lambda, versioned for rollback ● Fine-grained IAM policies ● Encrypted by default ● Pay as you go
  10. Secrets Manager. AWS Secrets Manager allows customers to rotate, manage and retrieve database credentials, API keys and other secrets throughout their lifecycle. ● IT admins: store and manage secrets securely and at scale ● Security admins: audit and monitor the use of secrets, and rotate secrets ● Developers: avoid embedding credentials in the application
  11. Secrets Manager
  12. Demo: Store and retrieve an SSH key
  13. Secrets Manager use case: connect to a database from application code. ● The DBA loads application-specific credentials into Secrets Manager ● A DevOps engineer deploys the application with an IAM role ● During bootstrapping, the application retrieves the secret from Secrets Manager and connects to the database
  14. Workflow
  15. Access control: ● IAM policies using resource names ● IAM policies using tags
  16. Access control: IAM using resource name
  17. Access control: IAM using tags
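Slides 15 to 17 only name the two scoping styles. The following is an added example, not code from the slides or from PolarSeven: it builds the two kinds of IAM policy document (one scoped by secret ARN with a name prefix, one scoped by a resource tag via the `secretsmanager:ResourceTag/<key>` condition key) and runs a deliberately simplified local check of which secrets each policy would allow. The account id, region and secret names are constructed placeholders, and `is_allowed` approximates only Allow statements with ARN patterns and a StringEquals tag condition; it is not the real IAM evaluation engine.

```python
"""Added example: resource-name vs. tag-scoped IAM policies for Secrets Manager,
with a simplified local evaluator (stdlib only, no AWS calls)."""
from fnmatch import fnmatchcase
import json

# Constructed sample values (placeholders, not a real account).
ACCOUNT = "123456789012"
REGION = "ap-southeast-2"


def secret_arn(name, suffix="AbCdEf"):
    """Secrets Manager appends a random 6-character suffix to the name in the ARN,
    which is why policies usually match on 'name-*' rather than an exact ARN."""
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{name}-{suffix}"


def resource_name_policy(secret_name):
    """Slide 16 style: read access to a single secret, matched by name prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{secret_name}-*",
        }],
    }


def tag_policy(tag_key, tag_value):
    """Slide 17 style: read access to every secret carrying a given tag.
    secretsmanager:ResourceTag/<key> is the service condition key for resource tags."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
            "Condition": {"StringEquals": {f"secretsmanager:ResourceTag/{tag_key}": tag_value}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, arn, tags=None):
    """Simplified evaluator: True if any Allow statement matches the action and
    resource pattern and every StringEquals tag condition holds. Deny statements
    and other condition operators are not modelled; unknown keys fail closed."""
    tags = tags or {}
    tag_prefix = "secretsmanager:ResourceTag/"
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatchcase(arn, r) for r in _as_list(statement["Resource"])):
            continue
        conditions = statement.get("Condition", {}).get("StringEquals", {})
        satisfied = True
        for key, wanted in conditions.items():
            if not key.startswith(tag_prefix) or tags.get(key[len(tag_prefix):]) != wanted:
                satisfied = False
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    policy = resource_name_policy("prod/app/db")
    print(json.dumps(policy, indent=2))
    print(is_allowed(policy, "secretsmanager:GetSecretValue", secret_arn("prod/app/db")))
```

One caveat worth noticing in the resource-name form: the trailing wildcard needed to cover the random suffix also matches any secret whose name merely starts with `prod/app/db-`, so naming conventions matter as much as the policy itself. The tag form avoids that but depends on who is allowed to tag secrets, so `secretsmanager:TagResource` deserves the same scrutiny.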
  18. Audit using CloudTrail
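Slide 18 shows auditing with CloudTrail, and slide 21 later asks you to monitor use and delete unused secrets. As an added example (not from the slides or PolarSeven), the block below reads a small set of constructed CloudTrail records in the service's JSON layout (`eventName`, `userIdentity`, `requestParameters.secretId`, `sourceIPAddress`), summarises who read which secret, flags `GetSecretValue` calls from principals that are not on an expected-readers list, and lists inventory secrets that were never read. The account id, role names, IP addresses and secret names are all constructed.

```python
"""Added example: auditing Secrets Manager usage from CloudTrail records (stdlib only)."""
import json
from collections import defaultdict

# Constructed CloudTrail records in the delivered JSON layout; values are placeholders.
CLOUDTRAIL_SAMPLE = """{"Records": [
 {"eventTime": "2018-11-07T08:00:01Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "GetSecretValue", "sourceIPAddress": "10.0.1.15",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/AppServerRole/i-0aaa"},
  "requestParameters": {"secretId": "prod/app/db"}},
 {"eventTime": "2018-11-07T08:00:03Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "GetSecretValue", "sourceIPAddress": "10.0.1.16",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/AppServerRole/i-0bbb"},
  "requestParameters": {"secretId": "prod/app/db"}},
 {"eventTime": "2018-11-07T08:05:00Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "GetSecretValue", "sourceIPAddress": "10.0.2.7",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/AppServerRole/i-0ccc"},
  "requestParameters": {"secretId": "prod/web/tls-key"}},
 {"eventTime": "2018-11-07T09:15:42Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"secretId": "prod/app/db"}},
 {"eventTime": "2018-11-07T10:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "PutSecretValue", "sourceIPAddress": "10.0.3.30",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/RotationLambdaRole/rotate"},
  "requestParameters": {"secretId": "prod/app/db"}}
]}"""

# Constructed expectation: which principals are supposed to read each secret.
EXPECTED_READERS = {
    "prod/app/db": {"assumed-role/AppServerRole"},
    "prod/web/tls-key": {"assumed-role/AppServerRole"},
}


def load_records(text):
    return json.loads(text)["Records"]


def principal(record):
    """Collapse the identity ARN to 'assumed-role/<Role>' or 'user/<name>' so that
    every session of the same role aggregates under one key."""
    resource = record["userIdentity"]["arn"].split(":", 5)[5]
    parts = resource.split("/")
    if parts[0] == "assumed-role":
        return "/".join(parts[:2])
    return resource


def _is_read(record):
    return (record["eventSource"] == "secretsmanager.amazonaws.com"
            and record["eventName"] == "GetSecretValue")


def reads_by_secret(records):
    """Map secretId -> sorted principals that called GetSecretValue on it."""
    seen = defaultdict(set)
    for record in records:
        if _is_read(record):
            seen[record["requestParameters"]["secretId"]].add(principal(record))
    return {secret: sorted(who) for secret, who in seen.items()}


def unexpected_reads(records, expected):
    """Every GetSecretValue by a principal not listed for that secret, as
    (secretId, principal, sourceIPAddress, eventTime) tuples in log order."""
    findings = []
    for record in records:
        if not _is_read(record):
            continue
        secret = record["requestParameters"]["secretId"]
        who = principal(record)
        if who not in expected.get(secret, set()):
            findings.append((secret, who, record["sourceIPAddress"], record["eventTime"]))
    return findings


def unused_secrets(records, inventory):
    """Inventory entries with no GetSecretValue in the records (slide 21: delete unused secrets)."""
    used = set(reads_by_secret(records))
    return sorted(secret for secret in inventory if secret not in used)


if __name__ == "__main__":
    recs = load_records(CLOUDTRAIL_SAMPLE)
    print(reads_by_secret(recs))
    print(unexpected_reads(recs, EXPECTED_READERS))
    print(unused_secrets(recs, ["prod/app/db", "prod/web/tls-key", "staging/old/api-key"]))
```

CloudTrail records the call and the caller, never the secret value, so this kind of review is safe to run over exported trails. The `PutSecretValue` from the rotation role is intentionally not flagged here; a fuller review would keep a separate expected list for write and rotation calls.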
  19. Pricing. Per secret per month: ● $0.40 per secret per month. For secrets that are stored for less than a month, the price is prorated (based on the number of hours). Per 10,000 API calls: ● $0.05 per 10,000 API calls.
  20. Pricing, monthly cost example: $6.00 for 15 secrets (2 SSH keys × 1 load balancer + 2 SSH keys × 2 web servers + 2 SSH keys × 2 app servers + 5 database credentials × 1 database) @ $0.40 / secret / month. $0.02 for 4,040 API calls (2 SSH keys/server × 5 servers × 1 API call/day × 30 days + 5 database credentials × 1 database × 24 API calls/day × 30 days + 5 database credentials × 1 database × 7 API calls/week × 4 weeks) @ $0.05 / 10,000 calls. Total: $6.02 per month.
  21. As you get started, things to keep in mind: ● No plain-text secrets ● Unique secrets per region, per environment, per account ● Rotate secrets regularly ● Control permissions ● Monitor and audit use; delete unused secrets ● No charge for versioning of a secret, no charge for default encryption
  22. Contact Us: hello@polarseven.com
  23. Presentation 2: Craig Dent, Consulting Engineer, "AI Driven Cloud Security"
  24. AI Driven Cloud Security for AWS Meetup. Craig Dent, Systems Engineer Specialist
  25. Security in Public Cloud is a Shared Responsibility. © 2018, Palo Alto Networks. All Rights Reserved. The Shared Responsibility Model: the cloud service provider is responsible for security "of" the cloud (hubs, switches, routers, hypervisor, data center); the organization is responsible for security "in" the cloud (resource configurations, users & credentials, networks, hosts & containers, data security).
  26. The Problems We Can Help You Solve. © 2016, Palo Alto Networks. Confidential and Proprietary. Network security: real-time network visibility and incident investigations; suspicious/malicious traffic detection; virtual firewall for in-line protection. Users & credentials: account & access key compromise detection; anomalous insider activity detection; privileged activity monitoring. Configurations / control plane: compliance scanning (CIS, PCI, GDPR, etc.); storage, snapshot & image configuration monitoring; VPC, security group & firewall configuration monitoring; IAM configuration monitoring. Hosts & containers: runtime security; configuration monitoring (for cloud native); vulnerable image detection. Data security: DLP / storage scanning. Overall theme: visibility, detection & response.
  27. Advanced API-Based Offering. Inputs collected via APIs: resource configurations, user activity, network traffic, host activity & vulnerabilities, plus third-party feeds. Pipeline: collection, aggregation & normalization service, then detection (signature based and ML assisted). Outputs: cloud CMDB, compliance reporting, threat detection & response, 3rd-party apps, storage DLP scanning.
  28. Use Cases
  29. UEBA example: A developer accidentally leaks cloud access keys on GitHub. A hacker attempts to log in and steal data from the cloud account. RedLock detects key usage from an unusual location, performing unusual activities. RedLock alerts the SOC team and also provides the full history of all activities associated with this key.
  30. User & Entity Behavior Monitoring (UEBA). Diagram labels: app servers; DB; cloud configuration settings; CSP admins; CI/CD pipeline tools / automation; CSP audit trail logs; RedLock CSP admin baseline (modelling); RedLock alerting and analytics; unusual admin activity / location.
  31. Network monitoring example: A user creates a security group but leaves it open. RedLock discovers it, sees it is associated with a VM running MongoDB, and then determines the database is receiving internet traffic from a known malicious IP address. RedLock automatically moves the database to a private security group to remediate the risk.
  32. Network Monitoring & Analytics. Diagram labels: end users; malicious users; app servers; misconfigured app servers; CSP flow logs; RedLock alerting and analytics.
  33. Configuration Monitoring. Diagram labels: end users; app servers; cloud configuration settings; CI/CD pipeline tools / automation (authorized change); non-CI/CD pipeline user (unauthorized change); RedLock alerting, analytics & remediation.
  34. RedLock Query Language (RQL). RQL examples, each a question with an answer: ● Find all EC2 instances with a public IP address ● Find all DB instances receiving traffic from public IP addresses ● Find suspicious user activities in the last 30 days ● Find VMs with no tags ● Find VPCs with an internet gateway attached ● Find changes done by a non-authorized pipeline user ● Find publicly exposed storage buckets ● Identify application workloads receiving traffic from suspicious IP addresses
  35. Break & Networking: • Refresh your drink • Grab some pizza • Make new contacts • Enter the prize draw!
  36. Presentation 3: Nick Cannone, "Best Practices for Cloud Management"
  37. Best Practices for Cloud Management: Developing a mature Cloud Operations Framework. Nick Cannone
  38. © 2018 CLOUDHEALTH® TECHNOLOGIES INC. The Leader in Multicloud Management: enterprise scale & global presence. Global offices: HQ Boston, MA; San Francisco; Sydney; Amsterdam; London; Tel Aviv; Singapore; Paris. Forrester Cloud Cost Monitoring & Optimization Wave: Leader. VMware + CHT, Forrester Hybrid Cloud Management Wave: Leader / Strong Performer. VMware announces CloudHealth acquisition, Aug. 27, 2018: "We will make CloudHealth the cloud operations platform of choice for the industry." - Pat Gelsinger, CEO VMware. Annual cloud spend managed: $5B+. Daily assets managed: 1.8B. Monthly average savings: 25%+. Daily reports generated: 14K. Customers | Partners: 3,800+ | 150+
  39. Your Business Partner for Customer Success: driving increased value at each stage of your customer's cloud adoption journey. Support business KPIs; increase ROI; facilitate stakeholder collaboration; drive continuous optimization; deliver enterprise-class cloud financial showback; increase predictability & improve TCO.
  40. Stage 1 - Beginning the Journey. © 2017 CLOUDHEALTH® TECHNOLOGIES INC. When initially embarking on the journey of developing mature cloud operations you start with the basics of cost & visibility: • Accurately allocate costs & find unused resources (zombie infrastructure) • Before you can worry about anything else you need to know what you have, where it came from and whether it's actually being used • This could mean tying costs back to a project, a business unit, or the team that spun the resource up
  41. Stage 2 - Establishing Cloud Operations. Now that we know where the resources came from and can allocate costs back, we can look at the next stage, which encompasses two areas: • Cost and visibility: optimize costs & infrastructure • Security compliance: we've addressed misconfiguration of infrastructure; what about security?
  42. Stage 3 - Developing a Framework. Scalability of best practices: • Cost & visibility: giving responsibility back to the teams • Security compliance: different environments/applications have different requirements • Governance: proactive, not reactive
  43. Stage 4 - Mastery of Best Practices. These final stages are typically seen only amongst the most advanced users globally: • Cost & visibility: business-wide strategy • Security compliance: automated remediation • Governance: Cloud Center of Excellence • Service integration: KPIs
  44. © 2017 CLOUDHEALTH® TECHNOLOGIES INC.
  45. Thank you!
  46. Draw Prize. This week's winner is:
  47. Thanks For Coming. Join Us Next Month for our final Meetup of 2018! We will be hosting an open panel night, with speakers from our sponsors, Amazon and more. Be sure to come along! >> Register @ http://www.meetup.com/AWS-Sydney/ <<
