SlideShare uma empresa Scribd logo

Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17

J
John Martinez

This document discusses shared security responsibilities between AWS and customers. It begins with an introduction of the author. It then explains that while AWS manages physical infrastructure and network security, customers are responsible for identity and access management, application security, and compliance. The document provides recommendations for securing IAM, S3, and monitoring for suspicious activity. It emphasizes using services like IAM, CloudTrail, and CloudFormation to automate security best practices.

Tecnologia
1 de 19
Baixar para ler offline
Shared Security Responsibilities in AWS John Martinez, Principal Solutions Architect, Evident.io
The Obligatory “Me” Slide • Principal Solutions Architect at Evident.io • 4+ years AWS and Cloud Experience (but almost all AWS) • Worked in two of the largest AWS environments • Unix & Linux geek • I am NOT a “SECURITY” guy! • Passionate about DevOps, Security and helping people out
Shared Responsibilities???
The minute we gave developers the power to create infrastructure, security became their responsibility, too!
On-Prem Compared to AWS On-Prem! • Physical key(cards) to DC • Firewalls • Network and Power Cables AWS! • API Access Key and Secret • EC2 Security Groups • VPC and EC2 APIs And you still need to allow inbound access to your apps!
The Scary Stuff etc…
Security Responsibilities Where AWS stops and YOU begin Doesn’t have to be scary!
AWS Responsibilities* • Data center access (yes, there’s still data centers back there somewhere!) • Physical infrastructure (servers, storage, network gear and stuff) • Network security • API end-points *Full detail found in the AWS Security Whitepaper (http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf)
AWS Security Services • Identity and Access Management (IAM) • Secure Token Service (STS) - used indirectly via IAM with Roles • EC2 Security Groups • EC2 Keypairs (SSH) • VPC Subnet ACLs • CloudTrail • CloudHSM
The following suggestions are from personal experience, YMMV ⚠️
The Really Long IAM Section.1 AWS provides IAM and STS for you to use, but you have to figure out how to best use them • Enable MFA for root accounts NOW • Then, enable MFA for IAM users next • Enable a password policy for your IAM users • Switch to using Roles for EC2 instances • Limit scope of EC2 Instance Profile policies — only allow what apps need to do, nothing more
The Really Long IAM Section.2 AWS provides IAM and STS for you to use, but you have to figure out how to best use them • Limit the amount of people with “Admin” policies attached to their IAM users • Demand that your 3rd party vendors use cross-account delegation using IAM roles • Protect the shit out of your API Access Keys and Secret Keys (encrypt laptop drives, do not store on EC2 instances, do not put in GitHub repos, etc., etc.) • If you’re an enterprise, consider federating Console access with SAML
Notes on S3 • If you’re not careful, you can inadvertently give people access to your secrets…by making the wrong object public • However, it can be a great place to store and distribute secrets…if protected well and used with features like IAM Roles for EC2 • Configure bucket policies so they are complimentary to IAM policies • Use object versioning and lifecycle rules to archive to Glacier
Complimentary Policy Examples IAM User Policy S3 Bucket Policy
Be Vigilant of Strange Activity • Instances in a region you’re not normally in (t1.micro are especially favorites for testing your reaction) • IAM users you don’t recognize • Weird behavior form your applications • More S3 objects and buckets than you remember or missing objects and buckets • An unexpected increase in your AWS bill
So, What Can I do??? • Use CloudFormation to deploy and maintain the state of your infrastructure (infrastructure *IS* code) • Use SNS to alert you where possible: CloudFormation, AutoScaling • Use CloudTrail to keep an eye on API activity • Maintain blacklists/whitelists on reverse proxies behind ELBs • And if you suspect the worst, involve AWS Support ASAP • Subscribe to Evident.io :-)
Resources ! Evident.io AWS Security Resource Center http://evident.io/aws-security- resource-center ! ! ! AWS Security Blog http://blogs.aws.amazon.com/ security/blog AWS Security Center http://aws.amazon.com/security/
Thank you! john@evident.io @johnmartinez http://www.evident.io/
Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17

Recomendados

Denver AWS Users' Group Meetup - May 2020
Denver AWS Users' Group Meetup - May 2020Denver AWS Users' Group Meetup - May 2020
Denver AWS Users' Group Meetup - May 2020David McDaniel
 
Architecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across Multi AccountsArchitecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across Multi AccountsAmazon Web Services
 
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
CodeMash 2.0.1.5 - Practical iOS App Attack & DefenseCodeMash 2.0.1.5 - Practical iOS App Attack & Defense
CodeMash 2.0.1.5 - Practical iOS App Attack & DefenseSeth Law
 
How to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureHow to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureIIMBNSRCEL
 
Your internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableYour internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableIIMBNSRCEL
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseSeth Law
 
Web security
Web security Web security
Web security Kaushal Bhavsar
 
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Evident.io
 

Recomendados

Denver AWS Users' Group Meetup - May 2020
Denver AWS Users' Group Meetup - May 2020Denver AWS Users' Group Meetup - May 2020
Denver AWS Users' Group Meetup - May 2020David McDaniel
 
Architecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across Multi AccountsArchitecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across Multi AccountsAmazon Web Services
 
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
CodeMash 2.0.1.5 - Practical iOS App Attack & DefenseCodeMash 2.0.1.5 - Practical iOS App Attack & Defense
CodeMash 2.0.1.5 - Practical iOS App Attack & DefenseSeth Law
 
How to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureHow to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureIIMBNSRCEL
 
Your internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableYour internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableIIMBNSRCEL
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseSeth Law
 
Web security
Web security Web security
Web security Kaushal Bhavsar
 
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Evident.io
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityLalitMohanSharma8
 
Implementing the Top 10 AWS Security Best Practices
Implementing the Top 10 AWS Security Best PracticesImplementing the Top 10 AWS Security Best Practices
Implementing the Top 10 AWS Security Best PracticesSebastian Taphanel CISSP-ISSEP
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSShane Peden
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsIn the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsGarth Boyd
 
How to prepare for & respond to security incidents in your AWS environment
How to prepare for & respond to security incidents in your AWS environment How to prepare for & respond to security incidents in your AWS environment
How to prepare for & respond to security incidents in your AWS environmentNathan Case
 
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...Amazon Web Services
 
Comment choisir entre Parse, Heroku et AWS ?
Comment choisir entre Parse, Heroku et AWS ?Comment choisir entre Parse, Heroku et AWS ?
Comment choisir entre Parse, Heroku et AWS ?TheFamily
 
Server’s variations bsw2015
Server’s variations bsw2015Server’s variations bsw2015
Server’s variations bsw2015Laurent Cerveau
 
Aws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailAws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailPawel Rzepa
 
Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Cymmetria
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
ENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New LaunchesENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New LaunchesAmazon Web Services
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and securityErik Paulsson
 
Shared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSShared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSAkshay Mathur
 
(SPOT303) Security Operations at Massive Scale
(SPOT303) Security Operations at Massive Scale(SPOT303) Security Operations at Massive Scale
(SPOT303) Security Operations at Massive ScaleAmazon Web Services
 
Rugged Building Materials and Creating Agility with Security
Rugged Building Materials and Creating Agility with SecurityRugged Building Materials and Creating Agility with Security
Rugged Building Materials and Creating Agility with SecurityDavid Etue
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Amazon Web Services
 
Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Amazon Web Services
 
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...Amazon Web Services
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Mais conteúdo relacionado

Semelhante a Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17

Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityLalitMohanSharma8
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSShane Peden
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsIn the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsGarth Boyd
 
How to prepare for & respond to security incidents in your AWS environment
How to prepare for & respond to security incidents in your AWS environment How to prepare for & respond to security incidents in your AWS environment
How to prepare for & respond to security incidents in your AWS environmentNathan Case
 
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...Amazon Web Services
 
Comment choisir entre Parse, Heroku et AWS ?
Comment choisir entre Parse, Heroku et AWS ?Comment choisir entre Parse, Heroku et AWS ?
Comment choisir entre Parse, Heroku et AWS ?TheFamily
 
Server’s variations bsw2015
Server’s variations bsw2015Server’s variations bsw2015
Server’s variations bsw2015Laurent Cerveau
 
Aws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailAws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailPawel Rzepa
 
Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Cymmetria
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
ENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New LaunchesENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New LaunchesAmazon Web Services
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and securityErik Paulsson
 
Shared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSShared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSAkshay Mathur
 
(SPOT303) Security Operations at Massive Scale
(SPOT303) Security Operations at Massive Scale(SPOT303) Security Operations at Massive Scale
(SPOT303) Security Operations at Massive ScaleAmazon Web Services
 
Rugged Building Materials and Creating Agility with Security
Rugged Building Materials and Creating Agility with SecurityRugged Building Materials and Creating Agility with Security
Rugged Building Materials and Creating Agility with SecurityDavid Etue
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Amazon Web Services
 
Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Amazon Web Services
 
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...Amazon Web Services
 

Semelhante a Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17 (20)

Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Implementing the Top 10 AWS Security Best Practices
Implementing the Top 10 AWS Security Best PracticesImplementing the Top 10 AWS Security Best Practices
Implementing the Top 10 AWS Security Best Practices
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWS
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsIn the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
 
How to prepare for & respond to security incidents in your AWS environment
How to prepare for & respond to security incidents in your AWS environment How to prepare for & respond to security incidents in your AWS environment
How to prepare for & respond to security incidents in your AWS environment
 
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
 
Comment choisir entre Parse, Heroku et AWS ?
Comment choisir entre Parse, Heroku et AWS ?Comment choisir entre Parse, Heroku et AWS ?
Comment choisir entre Parse, Heroku et AWS ?
 
Server’s variations bsw2015
Server’s variations bsw2015Server’s variations bsw2015
Server’s variations bsw2015
 
Aws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailAws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detail
 
Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
ENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New LaunchesENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New Launches
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and security
 
Shared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSShared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWS
 
(SPOT303) Security Operations at Massive Scale
(SPOT303) Security Operations at Massive Scale(SPOT303) Security Operations at Massive Scale
(SPOT303) Security Operations at Massive Scale
 
Rugged Building Materials and Creating Agility with Security
Rugged Building Materials and Creating Agility with SecurityRugged Building Materials and Creating Agility with Security
Rugged Building Materials and Creating Agility with Security
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
 
Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...
 
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
 

Último

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Último (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17

  • 1. Shared Security Responsibilities in AWS John Martinez, Principal Solutions Architect, Evident.io
  • 2. The Obligatory “Me” Slide • Principal Solutions Architect at Evident.io • 4+ years AWS and Cloud Experience (but almost all AWS) • Worked in two of the largest AWS environments • Unix & Linux geek • I am NOT a “SECURITY” guy! • Passionate about DevOps, Security and helping people out
  • 4. The minute we gave developers the power to create infrastructure, security became their responsibility, too!
  • 5. On-Prem Compared to AWS On-Prem! • Physical key(cards) to DC • Firewalls • Network and Power Cables AWS! • API Access Key and Secret • EC2 Security Groups • VPC and EC2 APIs And you still need to allow inbound access to your apps!
  • 7. Security Responsibilities Where AWS stops and YOU begin Doesn’t have to be scary!
  • 8. AWS Responsibilities* • Data center access (yes, there’s still data centers back there somewhere!) • Physical infrastructure (servers, storage, network gear and stuff) • Network security • API end-points *Full detail found in the AWS Security Whitepaper (http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf)
  • 9. AWS Security Services • Identity and Access Management (IAM) • Secure Token Service (STS) - used indirectly via IAM with Roles • EC2 Security Groups • EC2 Keypairs (SSH) • VPC Subnet ACLs • CloudTrail • CloudHSM
  • 10. The following suggestions are from personal experience, YMMV ⚠️
  • 11. The Really Long IAM Section.1 AWS provides IAM and STS for you to use, but you have to figure out how to best use them • Enable MFA for root accounts NOW • Then, enable MFA for IAM users next • Enable a password policy for your IAM users • Switch to using Roles for EC2 instances • Limit scope of EC2 Instance Profile policies — only allow what apps need to do, nothing more
  • 12. The Really Long IAM Section.2 AWS provides IAM and STS for you to use, but you have to figure out how to best use them • Limit the amount of people with “Admin” policies attached to their IAM users • Demand that your 3rd party vendors use cross-account delegation using IAM roles • Protect the shit out of your API Access Keys and Secret Keys (encrypt laptop drives, do not store on EC2 instances, do not put in GitHub repos, etc., etc.) • If you’re an enterprise, consider federating Console access with SAML
  • 13. Notes on S3 • If you’re not careful, you can inadvertently give people access to your secrets…by making the wrong object public • However, it can be a great place to store and distribute secrets…if protected well and used with features like IAM Roles for EC2 • Configure bucket policies so they are complimentary to IAM policies • Use object versioning and lifecycle rules to archive to Glacier
  • 14. Complimentary Policy Examples IAM User Policy S3 Bucket Policy
  • 15. Be Vigilant of Strange Activity • Instances in a region you’re not normally in (t1.micro are especially favorites for testing your reaction) • IAM users you don’t recognize • Weird behavior form your applications • More S3 objects and buckets than you remember or missing objects and buckets • An unexpected increase in your AWS bill
  • 16. So, What Can I do??? • Use CloudFormation to deploy and maintain the state of your infrastructure (infrastructure *IS* code) • Use SNS to alert you where possible: CloudFormation, AutoScaling • Use CloudTrail to keep an eye on API activity • Maintain blacklists/whitelists on reverse proxies behind ELBs • And if you suspect the worst, involve AWS Support ASAP • Subscribe to Evident.io :-)
  • 17. Resources ! Evident.io AWS Security Resource Center http://evident.io/aws-security- resource-center ! ! ! AWS Security Blog http://blogs.aws.amazon.com/ security/blog AWS Security Center http://aws.amazon.com/security/