Building Secure Architectures on AWS



Amazon Web Services (AWS) approaches security using a shared responsibility model with its customers. AWS manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. As part of that model, customers are responsible for building secure applications on top of that infrastructure. This talk provides a complete walkthrough, from a development perspective, from a blank canvas to a secure architecture. No matter the size of your team, you can implement your IT solutions using industry-wide security best practices.



  1. A Walk through the AWS Cloud: Building Secure Architectures on AWS
     Oyvind Roti, Solutions Architect, Amazon Web Services
  2. How customers use AWS
     • Migrate existing apps & data to the cloud
     • Build new apps, sites, services & lines of business
     • Augment on-premises resources with cloud capacity
  3. No up-front capital expense; pay only for what you use; easily scale up and down; improve agility & time-to-market; low cost; deploy self-service infrastructure
  4. AWS Global Infrastructure - Resilience
     • Regions
     • Availability Zones
     • Edge Locations
  5. Foundation Services (built on the AWS Global Infrastructure: Regions, Availability Zones, Edge Locations)
     • Compute: Amazon EC2
     • Storage: Amazon S3, Amazon EBS, Amazon Glacier
     • Database: DynamoDB, Amazon RDS, Amazon Redshift
     • Networking: Route 53, Amazon VPC, AWS Direct Connect
  6. AWS Platform Security (covering the AWS Global Infrastructure and the Foundation Services: Compute, Storage, Database, Networking)
     • SOC 1 (SSAE 16 & ISAE 3402) Type II Audit (was SAS 70)
     • SOC 2 Type 1 Audit, SOC 3 Report
     • ISO 27001 Certification
     • Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
     • FedRAMP (FISMA), ITAR, FIPS 140-2
     • Cloud Security Alliance Questionnaire
     • MPAA (best practices for storage, processing, delivery)
  7. Shared responsibility model
     Amazon:
     • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
     • Foundation Services: Compute, Storage, Database, Networking
     You:
     • Customer Data
     • Client-side Data Encryption & Data Integrity Authentication
     • Server-side Encryption (File System and/or Data)
     • Network Traffic Protection (Encryption/Integrity/Identity)
     • Platform, Applications, Identity & Access Management
     • Operating System, Network & Firewall Configuration
  8. Securing your cloud applications
  9. Resilience and Availability (diagram: DR in SNG, DR in US-WEST)
  10. Network Security Layers
      • Security Groups: inbound traffic must be explicitly specified by protocol, port, and security group
      • VPC adds outbound filters
      • VPC also adds Network Access Control Lists (ACLs): inbound and outbound stateless filters
      • OS Firewall (e.g., iptables) may be implemented:
        • user-controlled security layer
        • granular access control of discrete hosts
        • logging network events
      Diagram: Inbound Traffic -> Amazon Security Groups -> VPC Network ACL -> OS Firewall -> Encrypted File System, Encrypted Swap File
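The slide lists the layers but not the property that trips people up in practice: security groups are stateful (the reply to an admitted connection passes automatically), whereas network ACLs are stateless (the reply needs its own outbound rule, matched in rule-number order, with an implicit deny at the end). The following Python model, an added example that is not part of the original deck and not AWS's own code, walks a request and its reply through both layers in the order AWS applies them and also flags inbound rules open to the whole Internet. Addresses, ports, and the rule sets are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", ...
    dport: int
    direction: str      # "in" (towards the instance) or "out"
    is_reply: bool = False   # return traffic of a connection that was admitted


@dataclass(frozen=True)
class SGRule:
    """Security-group rule: allow only, stateful. Inbound rules are matched
    against the packet's source, outbound rules against its destination."""
    direction: str
    proto: str
    from_port: int
    to_port: int
    cidr: str


@dataclass(frozen=True)
class NaclRule:
    """Network ACL rule: numbered, allow or deny, stateless."""
    number: int
    direction: str
    proto: str
    from_port: int
    to_port: int
    cidr: str
    action: str         # "allow" or "deny"


def _matches(rule, pkt: Packet) -> bool:
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    return (rule.direction == pkt.direction
            and rule.proto in (pkt.proto, "-1")          # "-1" = all protocols
            and rule.from_port <= pkt.dport <= rule.to_port
            and ip_address(peer) in ip_network(rule.cidr))


def sg_allows(rules, pkt: Packet) -> bool:
    # Stateful: a reply to an admitted connection is allowed regardless of the
    # outbound rules, so only new connections are checked against the rules.
    if pkt.is_reply:
        return True
    return any(_matches(r, pkt) for r in rules)


def nacl_allows(rules, pkt: Packet) -> bool:
    # Stateless: every packet, replies included, is matched against the rules
    # in ascending number order; the first match wins; no match means deny.
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, pkt):
            return r.action == "allow"
    return False


def evaluate_connection(sg_rules, nacl_rules, client, server, dport, client_port, proto="tcp"):
    """Report, for the request and for its reply, which layer drops it (if any).
    Inbound: network ACL at the subnet edge, then the security group.
    Outbound: security group first, then the network ACL."""
    request = Packet(client, server, proto, dport, "in")
    reply = Packet(server, client, proto, client_port, "out", is_reply=True)
    inbound_order = (("network ACL", nacl_allows, nacl_rules),
                     ("security group", sg_allows, sg_rules))
    result = {}
    for name, pkt in (("request", request), ("reply", reply)):
        order = inbound_order if pkt.direction == "in" else inbound_order[::-1]
        verdict = "allowed"
        for layer, check, rules in order:
            if not check(rules, pkt):
                verdict = f"dropped by {layer}"
                break
        result[name] = verdict
    return result


def world_open_ports(sg_rules, expected=frozenset({80, 443})):
    """Flag inbound rules open to 0.0.0.0/0 or ::/0 on ports other than the
    ones a public web tier is expected to expose."""
    findings = []
    for r in sg_rules:
        if r.direction == "in" and r.cidr in ("0.0.0.0/0", "::/0"):
            ports = set(range(r.from_port, r.to_port + 1)) - expected
            if ports:
                findings.append((r.proto, min(ports), max(ports)))
    return findings


# Constructed sample rule sets for a public web instance.
SG = [SGRule("in", "tcp", 443, 443, "0.0.0.0/0"),
      SGRule("in", "tcp", 22, 22, "0.0.0.0/0"),      # the kind of rule the audit should flag
      SGRule("out", "-1", 0, 65535, "0.0.0.0/0")]
NACL_BASE = [NaclRule(100, "in", "tcp", 0, 65535, "0.0.0.0/0", "allow")]
# The fix: an outbound rule for the ephemeral port range the client's reply lands on.
NACL_FIXED = NACL_BASE + [NaclRule(100, "out", "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(evaluate_connection(SG, NACL_BASE, "203.0.113.10", "10.0.1.5", 443, 50321))
    print(evaluate_connection(SG, NACL_FIXED, "203.0.113.10", "10.0.1.5", 443, 50321))
    print(evaluate_connection(SG, NACL_FIXED, "203.0.113.10", "10.0.1.5", 8080, 50322))
    print(world_open_ports(SG))
```

With NACL_BASE the HTTPS request reaches the instance but the reply is dropped by the stateless ACL, which is exactly the "it connects but hangs" symptom seen when a subnet ACL is written by analogy with a security group; NACL_FIXED adds the ephemeral-port outbound rule and the connection completes. The request to port 8080 passes the ACL and is dropped by the security group, which is the default-deny behaviour the slide describes.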
  11. AWS Virtual Private Cloud
      • Virtual Private Cloud: an extension of your DC
      • AWS Direct Connect
  12. Identity and Access Management (IAM)
      • Users and Groups within Accounts
      • Unique security credentials:
        • Access keys
        • Login/Password
        • optional MFA device
      • Policies control access to AWS APIs
      • API calls must be signed by either:
        • X.509 certificate
        • secret key
      • Deep integration into some services:
        • S3: policies on objects and buckets
        • SimpleDB: domains
      • AWS Management Console supports User log on
      • Not for Operating Systems or Applications: use LDAP, Active Directory/ADFS, etc.
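"API calls must be signed by the secret key" is the slide's whole statement of the mechanism. The block below, an added example rather than code from the deck or from an AWS SDK, implements AWS Signature Version 4 (the current form of that secret-key signing) with only the Python standard library and runs it over the request from AWS's own published worked example (access key AKIDEXAMPLE, the documented example secret, IAM ListUsers on 2015-08-30). The point worth seeing is what the signature covers: method, path, sorted query string, the selected headers, the date and the payload hash, so any of those changing in transit, or the request being replayed under a different date or scope, produces a different signature. The documented example signature is 5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7.

```python
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload=b""):
    """Build the SigV4 canonical request. Query parameters are sorted by name and
    RFC 3986 encoded; header names are lowercased and sorted, values whitespace-
    trimmed. Only the headers listed in SignedHeaders are protected by the signature."""
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    canon = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(canon)
    ch = "".join(f"{k}:{canon[k]}\n" for k in names)
    signed = ";".join(names)
    creq = "\n".join([method, quote(path, safe="/~"), cq, ch, signed, _sha256_hex(payload)])
    return creq, signed


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # Derived per day/region/service, so a leaked signing key is worth far less
    # than the long-term secret it was derived from.
    k = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_request(access_key, secret, region, service, method, host, path, query,
                 amz_date, extra_headers=None, payload=b""):
    headers = {"host": host, "x-amz-date": amz_date, **(extra_headers or {})}
    creq, signed = canonical_request(method, path, query, headers, payload)
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    sts = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    sig = hmac.new(signing_key(secret, date, region, service),
                   sts.encode("utf-8"), hashlib.sha256).hexdigest()
    auth = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")
    return {"canonical_request": creq, "string_to_sign": sts,
            "signature": sig, "authorization": auth}


# AWS's published worked example (not real credentials): GET ListUsers against IAM.
EXAMPLE = dict(
    access_key="AKIDEXAMPLE",
    secret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    region="us-east-1", service="iam",
    method="GET", host="iam.amazonaws.com", path="/",
    query={"Action": "ListUsers", "Version": "2010-05-08"},
    amz_date="20150830T123600Z",
    extra_headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
)


def sign_documented_example():
    return sign_request(**EXAMPLE)


if __name__ == "__main__":
    r = sign_documented_example()
    print(r["canonical_request"])
    print(r["authorization"])
    # Same credentials, one query parameter changed: the signature no longer matches.
    tampered = sign_request(**{**EXAMPLE, "query": {"Action": "DeleteUser", "Version": "2010-05-08"}})
    print(tampered["signature"] != r["signature"])
```

The secret key never travels with the request; only the derived signature does, and the server recomputes it from its own copy of the secret. This is why leaked access keys are a credential-theft problem rather than an interception problem, and why the MFA device listed on the slide matters for console and STS access that the signature alone does not protect.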
  13. IAM Federation
  14. Amazon S3 Security
      • Access controls at bucket and object level: Read, Write, Full
      • Owner has full control
      • Customer encryption
      • SSL supported
      • Durability 99.999999999%
      • Availability 99.99%
      • Versioning (MFA Delete)
      • Detailed access logging
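Slide 12 says policies control access to AWS APIs and that S3 carries policies on buckets and objects; slide 14 adds that SSL is supported. What neither slide shows is how a request is decided when several policies apply. The block below, an added example and not AWS's own evaluation engine, is a deliberately small model of the IAM decision logic: default deny, an explicit Allow in any applicable policy is required, an explicit Deny in any applicable policy wins, and Condition keys are checked (here aws:SecureTransport, which is how "SSL supported" becomes "SSL required" for a bucket). The two policy documents and the request ARNs are constructed for the example; Principal matching, NotAction/NotResource and the other condition operators are left out.

```python
import fnmatch


def _listify(x):
    return x if isinstance(x, list) else [x]


def _condition_ok(conditions, context) -> bool:
    """Evaluate the Condition block of a statement against request context.
    A key absent from the context does not satisfy Bool or StringEquals."""
    for operator, pairs in conditions.items():
        for key, want in pairs.items():
            have = context.get(key)
            if operator == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif operator == "StringEquals":
                if have is None or str(have) not in [str(w) for w in _listify(want)]:
                    return False
            else:
                raise ValueError(f"condition operator not modelled: {operator}")
    return True


def _statement_applies(stmt, action, resource, context) -> bool:
    # IAM wildcards "*" and "?" are the same as fnmatch's for these names.
    return (any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt["Resource"]))
            and _condition_ok(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context=None) -> str:
    """Return "Allow", "Deny" (explicit) or "Deny (implicit)" for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # an explicit deny ends the evaluation
            allowed = True
    return "Allow" if allowed else "Deny (implicit)"


# Constructed example: identity-based policy attached to an IAM user.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed example: resource-based policy attached to example-bucket.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # refuse every request that did not arrive over TLS
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # private/ stays closed even to principals that hold s3:GetObject
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/private/*",
        },
    ],
}


def decide(action: str, resource: str, secure_transport: bool) -> str:
    context = {"aws:SecureTransport": "true" if secure_transport else "false"}
    return evaluate([IDENTITY_POLICY, BUCKET_POLICY], action, resource, context)


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/public/report.pdf"
    print(decide("s3:GetObject", obj, True))                                  # Allow
    print(decide("s3:GetObject", obj, False))                                 # Deny
    print(decide("s3:GetObject", "arn:aws:s3:::example-bucket/private/keys.txt", True))  # Deny
    print(decide("s3:DeleteObject", obj, True))                               # Deny (implicit)
```

The second and third calls show why the bucket policy belongs alongside the identity policy rather than instead of it: the user holds s3:GetObject, yet the plaintext request and the private/ request are both refused, because a Deny anywhere beats an Allow anywhere. The last call is the default: nothing grants s3:DeleteObject, so it is refused without any Deny statement being needed.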
  15. CloudHSM (new in 2013)
      • Secure key storage: tamper-resistant, customer-controlled hardware security module within your VPC
      • Only you have access to your keys; nobody else does, including the Amazon administrators who manage and maintain the appliance
      • Common Criteria EAL4+, NIST FIPS 140-2
      • Reliable & durable key storage: available in multiple AZs and Regions, or replicate to on-premise HSMs
      http://aws.amazon.com/cloudhsm/
  16. AWS Security and Compliance Centre: http://aws.amazon.com/security
      • Answers to many security & privacy questions
      • Security whitepaper
      • Risk and Compliance whitepaper
      • Security bulletins
      • Customer penetration testing
      • Security best practices
      • More information on:
        • AWS Identity & Access Management (AWS IAM)
        • AWS Multi-Factor Authentication (AWS MFA)
