AWS Webinar CZSK 02: Security in the AWS cloud
- 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nazar Špak, Territory Manager, AWS
Vladimír Šimek, Senior Solutions Architect, AWS
Security in the AWS cloud
- 2.
Housekeeping
• Target audience
• Presentation about 45 minutes
• Slides in English – talk in Czech & Slovak
• Not a legal advisory (GDPR, Compliance)
• Post questions online – response via chat window and email
- 3.
Agenda
• Shared Responsibility Model
• Compliance and GDPR
• Global Infrastructure and Security
• AWS Security Solutions
• Security Best Practices
• Partners presentation – F5 Networks & Alef
• Resources
- 4.
Shared Responsibility Model
- 5.
Familiar Security Model
Validated and driven by customers’ security experts; benefits all customers.
Layers: People & Process, System, Network, Physical
Security is Job Zero
- 6.
Traditional On-Premise Security Model
Customers are responsible for end-to-end security in their on-premise data centers, across every layer of the stack:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
• Foundation Services: Compute, Storage, Database, Networking
• Infrastructure
- 7.
AWS Security Model when using IaaS (e.g. EC2 instances)
Customer’s responsibility:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS takes over responsibility from customers:
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
- 8.
AWS Security Model when using PaaS (managed services)
Layers of the stack (diagram):
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
The diagram splits these between the customer’s responsibility and the part where AWS takes over responsibility from customers.
- 9.
AWS is responsible for:
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure
Customer is responsible for:
• Operating System
• Application
• Security Groups
• OS Firewalls
• Network Configuration
• Account Management
- 10.
How does AWS get security?
• Locations in nondescript, undisclosed facilities
• Segregation of duties: staff with physical access versus staff with logical access
• 24/7 trained security guards
• Physical access is recorded, videoed, stored, reviewed
• Multi-factor authentication for physical access
• And every 90 days…
- 11.
How does AWS get security?
- 12.
Third party access
Subcontractor Access
We proactively inform our customers of any subcontractors who have access to customer-owned data you upload onto AWS, including data that may contain personal data.
Effective date: 15 May 2018
Subcontractors authorized by AWS to access any customer-owned data that you upload onto AWS are the following: None!
At least 30 days before we authorize and permit any new subcontractor to access any customer-owned data, AWS will update this website to inform customers.
https://aws.amazon.com/compliance/third-party-access/
- 13.
Security processes (before/after diagram: “This” / “To This”)
- 14.
AWS Global Infrastructure
Map legend: Region & number of Availability Zones; New Region (coming soon)
- 15.
Prove it!
Accreditations and Certifications
- 16.
Prove what AWS does!
Certifications
Audits & Attestations
• Independent 3rd parties
• Regularly refreshed
• Available to customers
https://aws.amazon.com/compliance/
- 17.
Key AWS Certifications and Assurance Programs
- 18.
Key AWS Certifications and Assurance Programs
- 19.
GDPR
AWS services comply with the General Data Protection Regulation (GDPR), and AWS has in place effective technical and organizational measures for data processors to secure personal data in accordance with the GDPR.
Customers can deploy AWS services as a key part of their GDPR compliance plans, drawing on numerous AWS services, for example:
• Amazon GuardDuty – a security service featuring intelligent threat detection and continuous monitoring
• Amazon Macie – a machine learning tool to assist in discovering and securing personal data stored in Amazon S3
• Amazon Inspector – an automated security assessment service to help keep applications in conformity with security best practices
• AWS Config Rules – a monitoring service that dynamically checks cloud resources for compliance with security rules
More Info: https://aws.amazon.com/compliance/gdpr-center/
- 20.
AWS Security Features & Solutions
- 21.
AWS can be more secure than your existing environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
- 22.
Private Subnets Within Your AWS Virtual Private Cloud (VPC)
- 23.
Virtual Private Cloud (VPC)
- 24.
Built-in Firewalls: You Control Access to Your Instances
- 25.
AWS Multi-Tier Security Groups
• HTTP: ports 80 and 443 only open to the Internet
• SSH/RDP: engineering staff have SSH/RDP access to the bastion host
• All other Internet ports blocked by default
- 26.
Dedicated Connection with Direct Connect
- 27.
Direct Connect (diagram): CORP – Customer Routers – Colocation (DX Location PRG / VIE) – AWS Direct Connect Routers
- 28.
Security has to be visible: Monitoring & Logging
- 29.
AWS CloudTrail records who is accessing APIs
AWS accounts make API calls on a growing set of AWS services around the world (e.g. Amazon EBS); CloudTrail is continuously recording those API calls.
What you do with the records: store/archive, central logging account, troubleshoot, monitor & alarm.
- 30.
AWS CloudTrail log
Who?    When?    What?                       Where to?   Where from?
Bill    3:27pm   Launch Instance             us-west-2   72.21.198.64
Alice   8:19am   Added Bob to admin group    us-east-1   127.0.0.1
Steve   2:22pm   Deleted DynamoDB table      eu-west-1   205.251.233.176
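The five questions on this slide (who, when, what, where to, where from) are also the fields a detection rule reads. As an added example that is not part of the deck, the Python below triages constructed CloudTrail-style records modelled on the three rows: it alarms on the group-membership change and the table deletion and lets the routine instance launch through. The field names (eventName, eventTime, awsRegion, sourceIPAddress, userIdentity, requestParameters) are the real CloudTrail record fields; the sample records and the HIGH_RISK_EVENTS list are assumptions for the example.

```python
import json
from datetime import datetime

# Constructed CloudTrail-style records modelled on the three rows of the slide;
# illustrative data, not a real trail.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-05-15T15:27:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "72.21.198.64",
     "userIdentity": {"type": "IAMUser", "userName": "Bill"},
     "requestParameters": {"instanceType": "t2.micro"}},
    {"eventTime": "2018-05-15T08:19:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "127.0.0.1",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"},
     "requestParameters": {"userName": "Bob", "groupName": "admin"}},
    {"eventTime": "2018-05-15T14:22:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "awsRegion": "eu-west-1",
     "sourceIPAddress": "205.251.233.176",
     "userIdentity": {"type": "IAMUser", "userName": "Steve"},
     "requestParameters": {"tableName": "orders"}},
]})

# API calls that change who can do what, disable logging, or destroy data.
# Assumption: a starting list to alarm on, extended per environment.
HIGH_RISK_EVENTS = {
    "AddUserToGroup", "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
    "CreateAccessKey", "DeleteTrail", "StopLogging", "DeleteTable",
    "DeleteBucket", "AuthorizeSecurityGroupIngress",
}


def load_records(trail_json):
    """CloudTrail delivers log files as {"Records": [...]}; return the list."""
    return json.loads(trail_json)["Records"]


def summarize(event):
    """Reduce one record to the slide's five questions."""
    identity = event.get("userIdentity", {})
    who = identity.get("userName") or identity.get("type", "<unknown>")
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    params = event.get("requestParameters") or {}
    detail = ", ".join(f"{k}={v}" for k, v in sorted(params.items()))
    return {
        "who": who,
        "when": when,
        "what": event["eventName"] + (f" ({detail})" if detail else ""),
        "where_to": event.get("awsRegion", "<none>"),
        "where_from": event.get("sourceIPAddress", "<none>"),
    }


def triage(records):
    """Return [(summary, reasons)] for records that deserve an alarm, oldest first."""
    alerts = []
    for ev in sorted(records, key=lambda e: e["eventTime"]):
        reasons = []
        params = ev.get("requestParameters") or {}
        if ev["eventName"] in HIGH_RISK_EVENTS:
            reasons.append("high-risk API call")
        if ev["eventName"] == "AddUserToGroup" and "admin" in params.get("groupName", "").lower():
            reasons.append("user added to an admin group")
        if ev.get("userIdentity", {}).get("type") == "Root":
            reasons.append("root credentials used")
        if ev.get("errorCode") == "AccessDenied":
            reasons.append("access denied: possible probing or misconfiguration")
        if reasons:
            alerts.append((summarize(ev), reasons))
    return alerts


if __name__ == "__main__":
    for summary, reasons in triage(load_records(SAMPLE_TRAIL)):
        print(f"{summary['who']:6} {summary['when']:%H:%M} {summary['what']:40} "
              f"{summary['where_to']:10} {summary['where_from']:16} <- {'; '.join(reasons)}")
```

In a real deployment the records would come from the CloudTrail bucket in the central logging account the slide mentions, and each alert would feed the monitor & alarm path rather than a print.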
- 31.
AWS CloudWatch
Monitoring services for AWS Resources and AWS-based Applications.
What does it do? / How can you use it?
• Monitor and Store Logs (CloudWatch Logs / CloudWatch Events) – React to application log events and availability
• Set Alarms, react to changes (CloudWatch Alarms) – Automatically scale EC2 instance fleet
• View Graphs and Statistics (CloudWatch Dashboards) – View Operational Status and Identify Issues
• Collect and Track Metrics (CloudWatch Metrics) – Monitor CPU, Memory, Disk I/O, Network, etc.
- 32.
AWS Config
Managed service for tracking AWS inventory and configuration, and configuration change notification.
Sources (diagram): EC2, VPC, EBS and CloudTrail feed AWS Config
Uses: Change Management, Audit Compliance, Security Analysis, Troubleshooting, Discovery
- 33.
AWS Config informs you of policy violations
Compliance guideline – Non-compliance action:
• All storage volumes should be encrypted – Automatically encrypt storage volumes
• Instances must not have unrestricted Internet access on port 22 – Remove port 22 access from any Internet host
• Instances must be tagged with environment type – Notify developer (email, pager, SMS)
Pre-configured rules: https://github.com/awslabs/aws-config-rules
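The three guidelines on this slide, and the multi-tier security group slide's "port 22 only via the bastion" rule, reduce to checks over an inventory snapshot. The Python below is an added example written for this page (it is not code from the deck or from the aws-config-rules repository): it evaluates the three rules over a constructed inventory and pairs each finding with the slide's action. It also covers the cases a naive port-22 check misses: an "all traffic" rule (protocol -1) and an IPv6 ::/0 range. The resource ids and inventory are made up; the field names follow the EC2 describe-volumes / describe-security-groups / describe-instances responses.

```python
# Constructed inventory snapshot; field names follow the EC2 describe-* APIs,
# the resources and ids are made up for this example.
VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
]
SECURITY_GROUPS = [
    # web tier: 80/443 to the world, 22 only from an internal range
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    # SSH open to every IPv4 address
    {"GroupId": "sg-open-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    # "all traffic" rule with the IPv6 any-address range: also exposes port 22
    {"GroupId": "sg-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]
INSTANCES = [
    {"InstanceId": "i-0001", "Tags": [{"Key": "Environment", "Value": "prod"}]},
    {"InstanceId": "i-0002", "Tags": [{"Key": "Name", "Value": "scratch"}]},
]

ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

# The slide's "non-compliance action" column, keyed by rule name.
REMEDIATION = {
    "volumes-encrypted": "automatically encrypt storage volume",
    "no-public-port-22": "remove port 22 access from any Internet host",
    "environment-tag-present": "notify developer (email, pager, SMS)",
}


def ingress_exposes_port(perm, port):
    """True if one IpPermissions entry lets the whole Internet reach TCP `port`."""
    ranges = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    ranges += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    if not any(c in ANY_ADDRESS for c in ranges):
        return False                      # source is restricted: fine
    if perm.get("IpProtocol") == "-1":
        return True                       # all protocols, all ports
    if perm.get("IpProtocol") != "tcp":
        return False                      # udp/icmp rules do not expose SSH
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_volumes_encrypted(volumes):
    return {v["VolumeId"]: v.get("Encrypted", False) for v in volumes}


def rule_no_public_port(groups, port=22):
    return {g["GroupId"]: not any(ingress_exposes_port(p, port) for p in g.get("IpPermissions", []))
            for g in groups}


def rule_required_tag(instances, key="Environment"):
    result = {}
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        result[inst["InstanceId"]] = bool(tags.get(key))
    return result


def evaluate(volumes, groups, instances):
    """Run the three guidelines; returns {rule: [non-compliant resource ids]}."""
    checks = {
        "volumes-encrypted": rule_volumes_encrypted(volumes),
        "no-public-port-22": rule_no_public_port(groups),
        "environment-tag-present": rule_required_tag(instances),
    }
    return {rule: sorted(rid for rid, ok in res.items() if not ok) for rule, res in checks.items()}


def remediation_plan(findings):
    """Pair each non-compliant resource with the slide's action for its rule."""
    return [(rid, rule, REMEDIATION[rule]) for rule, ids in findings.items() for rid in ids]


if __name__ == "__main__":
    for rid, rule, action in remediation_plan(evaluate(VOLUMES, SECURITY_GROUPS, INSTANCES)):
        print(f"{rid:12} NON_COMPLIANT {rule:24} -> {action}")
```

Note that sg-web stays compliant even though it opens 80 and 443 to the Internet: the rule is specific to port 22, which is what the multi-tier design calls for.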
- 34.
Authentication and Authorization
- 35.
Identity and Access Management
Authentication and Authorization
- 36.
Authenticate
1. IAM Username/Password
2. Access Key (+ MFA)
3. Federation
Authorize
• IAM Policies
Access key ID, e.g. AKIAIOSFODNN7EXAMPLE
Secret key, e.g. UtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
- 37.
Top 10 IAM best practices
1. Users – Create individual users
2. Permissions – Grant least privilege
3. Groups – Manage permissions with groups
4. Conditions – Restrict privileged access further with conditions
5. Password – Configure a strong password policy
6. Rotate – Rotate security credentials regularly
7. MFA – Enable MFA for privileged users
8. Sharing – Use IAM roles to share access
9. Roles – Use IAM roles for Amazon EC2 instances
10. Root – Reduce or remove use of root
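Practices 2, 4 and 7 (least privilege, conditions, MFA for privileged users) can be checked mechanically on policy documents before they are attached. The Python below is an added example written for this page, not AWS code: a linter over IAM policy JSON that flags wildcard grants and privileged statements that do not require MFA. The three policies are constructed, and the PRIVILEGED_PREFIXES list is an assumption; the distinction it draws between Bool and BoolIfExists on aws:MultiFactorAuthPresent reflects how IAM evaluates those operators (the key is absent from requests made with long-term access keys, so BoolIfExists lets them through).

```python
import json

# Constructed example policies for this lint (not from the deck or any account).
FULL_ADMIN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Effect": "Allow",
         "Action": ["iam:CreateUser", "iam:AttachUserPolicy"],
         "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})
# Same privileged grant, but BoolIfExists passes when the MFA key is absent from the
# request context (plain long-term access keys), so it does not actually enforce MFA.
WEAK_MFA = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:CreateUser"], "Resource": "*",
                   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}}],
})

# Action prefixes treated as privileged for the MFA check (an assumption; extend as needed).
PRIVILEGED_PREFIXES = ("iam:", "organizations:", "sts:", "kms:")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _enforces_mfa(condition):
    """True only for Bool/aws:MultiFactorAuthPresent=true; BoolIfExists is not enough."""
    for operator, pairs in condition.items():
        if operator == "Bool":
            for key, val in pairs.items():
                if key.lower() == "aws:multifactorauthpresent" and str(val).lower() == "true":
                    return True
    return False


def lint_policy(document):
    """Return [(statement index, finding)] for an IAM policy JSON string."""
    policy = json.loads(document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((idx, "Action '*' grants every API call; list the needed actions"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wide wildcard action; narrow to specific actions"))
        if "*" in actions and "*" in resources:
            findings.append((idx, "full administrative access (Action '*' on Resource '*')"))
        privileged = [a for a in actions if a == "*" or a.startswith(PRIVILEGED_PREFIXES)]
        if privileged and not _enforces_mfa(stmt.get("Condition", {})):
            findings.append((idx, f"privileged actions {privileged} allowed without an MFA condition"))
    return findings


if __name__ == "__main__":
    for name, doc in [("FULL_ADMIN", FULL_ADMIN), ("LEAST_PRIVILEGE", LEAST_PRIVILEGE), ("WEAK_MFA", WEAK_MFA)]:
        print(name, lint_policy(doc) or "OK")
```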
- 38.
Encryption at Rest
- 39.
Options for using encryption in AWS
Client-side encryption
• You encrypt your data before it is submitted to the service
• You supply the encryption keys OR use keys held in your AWS account
Server-side encryption
• AWS encrypts data on your behalf after it is received by the service
• 19 integrated services including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail
- 40.
AWS Key Management Service
Encryption whitepaper:
https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
- 41.
AWS Key Management Service (AWS KMS)
• Managed service that simplifies creation, control, rotation, deletion, and use of encryption keys in your applications
• Integrated with 19 AWS services for server-side encryption
• Integrated with CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
• Available in all commercial regions except China
• Integrated with AWS Identity and Access Management (IAM) console:
- 42.
Bring Your Own Key
• You control how master keys are generated
• You store the master copy of the keys
• You import the key into KMS and set an optional expiration time in the future
• You can use imported keys with all KMS-integrated services
• You can delete and re-import the key at any time to control when AWS can use it to encrypt/decrypt data on your behalf
• Works with standards-based key management infrastructure, including SafeNet Gemalto and Thales e-Security
- 43.
AWS CloudHSM
Encryption whitepaper:
https://d1.awsstatic.com/whitepapers/Security/security-of-aws-cloudhsm-backups.pdf
- 44.
What is an HSM?
• Tamper-proof and tamper-evident (destroys its stored keys if under attack)
• FIPS 140-2 Level 2 certified
• Its primary role is to be a keystore
• Can also be used to timestamp documents
• You can send data to it for encryption / decryption
• Needs to be backed up (ideally to an HSM on customer premises)
• Can (and should) be combined in HA clusters
• Is NOT a key management system
- 45.
AWS CloudHSM
• You receive dedicated access to HSM appliances
• HSMs are located in AWS data centers
• Managed and monitored by AWS
• Only you have access to your keys and operations on the keys
• HSMs are inside your Amazon VPC—isolated from the rest of the network
• Uses Gemalto SafeNet Luna SA HSM appliances
• CloudHSM (and HSMs in general) aren’t for everyone: customers need trained staff and tight operational practice
- 46.
Security Best Practices
- 47.
AWS security best practices
1. Understand the Shared Responsibility Model’s implications for your security processes
2. Understand which AWS services have HA built in and which you have to set up yourself
3. Manage AWS Accounts, IAM Users, Groups and Roles in line with IAM best practices (see IAM section)
4. Use bastion hosts for managing EC2 instances
5. Encrypt your data (at rest & in transit)
6. Secure your OS, Applications & Network
7. Use Logging, Monitoring & Alerting (CloudTrail, CloudWatch, VPC Flow Logs, etc.)
8. Double check which data on S3 you want to make public
9. Don’t keep your Access Key & Secret Key in code you push to public repositories (GitHub, GitLab, Bitbucket, ...)
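Practice 9 is easiest to enforce before the push happens. The Python below is an added example written for this page (not AWS code): a pre-commit style scanner for AWS access key ids and secret keys in a source tree, run here over constructed file contents. The access key id is the documentation example shown on the IAM slide and the secret is the AWS documentation placeholder, not live credentials; the SKIP_DIRS set and the two regular expressions are assumptions about what a repository looks like.

```python
import os
import re

# Constructed sample tree (not from any real repository). The key values are the
# AWS documentation placeholders, not live credentials.
SAMPLE_FILES = {
    "app/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app/main.py": (
        "import boto3\n"
        "session = boto3.Session()  # credentials come from the instance role, not code\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment, never in this repository.\n",
}

# Long-term key ids start with AKIA; temporary (STS) ids start with ASIA.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key is 40 base64-like characters; only flag it next to a tell-tale
# variable name to keep false positives down.
SECRET_KEY = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
SKIP_DIRS = {".git", "node_modules", ".venv"}   # assumption: typical noise directories


def scan_text(path, text):
    """Return findings for one file's contents; secret values are masked in the output."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"file": path, "line": lineno, "kind": "access-key-id",
                             "value": m.group(0)})
        for m in SECRET_KEY.finditer(line):
            secret = m.group(1)
            findings.append({"file": path, "line": lineno, "kind": "secret-access-key",
                             "value": secret[:4] + "*" * (len(secret) - 4)})
    return findings


def scan_files(files):
    """Scan an in-memory {path: text} mapping (used for the constructed sample)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root):
    """Walk a real checkout, skipping VCS and dependency directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['value']}")
    # A non-zero exit status makes this usable as a pre-commit hook.
    sys.exit(1 if results else 0)
```

Run with a directory argument to scan a checkout; without one it scans the constructed sample and exits non-zero because config.py contains both values. A key that has already reached a public repository should be treated as compromised and rotated (practice 6 of the IAM list), whatever the scanner says afterwards.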
- 48.
AWS Trusted Advisor
Leverage Trusted Advisor to analyze your AWS resources for best practices for
availability, cost, performance and security.
- 49.
AWS Security Partners
- 50.
AWS Security Partners
• Infrastructure Security
• Logging & Monitoring
• Identity & Access Control
• Configuration & Vulnerability Analysis
• Data Protection
- 52.
F5 BIG-IP services (diagram): DNS, UAC, WAF, Acceleration, ADC and FW in front of VDI and web apps; users, customers and attackers on the outside
FW
• ICSA Certified
• ACLs
• IP Intelligence
• IP Lists
• DoS Protections
DNS
• Business Continuity
• GSLB
• DNS Security / Services
• DNS Firewall
WAF
• L7 Firewall
• BOT Detection
• Anomaly Detection
• Credential Stuffing
• Client Fingerprinting
• L7 DoS Mitigation
• PCI Compliance
UAC
• Remote Access
• Pre-Authentication
• Multi-factor/SSO/Federation
• End Point Inspection
ADC
• SLB
• Application Awareness
• Full Proxy
• SSL/TLS Offload / Visibility
• Traffic modification
Acceleration
• TCP Optimisation
• Caching/Compression
• End User Experience
• HTTP/2
Platforms: BIG-IP VE, VIPRION – High Performance Services Fabric
Management
• iRules
• iControl
• iCall
• iApps
• SDx
• Cloud
- 70.
Resources
- 71.
AWS Security Center
Comprehensive security portal to provide a variety of security notifications, information and documentation.
Security Whitepapers
• Overview of Security Process
• AWS Risk and Compliance
• AWS Security Best Practices
Security Bulletin
Security Resources
Vulnerability Reporting
Penetration Testing Requests
Report Suspicious Emails
http://aws.amazon.com/security
- 72.
AWS Compliance
List of compliance, assurance programs and resources:
http://aws.amazon.com/compliance/
- 73.
GDPR
AWS GDPR center
http://aws.amazon.com/compliance/gdpr-center/
- 74.
AWS Security Blog
Subscribe to the blog – it’s a great way to stay up-to-date on AWS security and compliance.
Security Resources
Developer Information, Articles and Tutorials, Security Products, and Whitepapers
http://aws.amazon.com/security/security-resources/
http://blogs.aws.amazon.com/security/
- 75.
Thank you for your attention!
nazaspak@amazon.com
vladsim@amazon.com