Building Secure Architectures on AWS

Amazon Web Services (AWS) approaches security using a shared responsibility model with our customers. We manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. As part of that model, our customers are responsible for building secure applications. We will provide a complete walkthrough, from a blank canvas to a secure architecture, from a development perspective. No matter the size of your team, you can implement your IT solutions using industry-wide security best practices.

Presentation Transcript

  • A Walk through the AWS Cloud: Building Secure Architectures on AWS. Oyvind Roti, Solutions Architect, Amazon Web Services
  • How customers use AWS: migrate existing apps & data to the cloud; build new apps, sites, services & lines of business; augment on-premises resources with cloud capacity
  • Benefits: No Up-Front Capital Expense; Pay Only for What You Use; Easily Scale Up and Down; Improve Agility & Time-to-Market; Low Cost; Self-Service Infrastructure; Deploy
  • AWS Global Infrastructure - Resilience: Regions, Availability Zones, Edge Locations (operated by Amazon)
  • Foundation Services (on top of the AWS Global Infrastructure: Regions, Availability Zones, Edge Locations)
    – Compute: Amazon EC2
    – Storage: Amazon S3, Amazon EBS, Amazon Glacier
    – Database: DynamoDB, Amazon RDS, Amazon Redshift
    – Networking: Route 53, Amazon VPC, AWS Direct Connect
  • AWS Platform Security (Amazon's layer: Global Infrastructure and Foundation Services)
    – SOC 1 (SSAE 16 & ISAE 3402) Type II Audit (was SAS70)
    – SOC 2 Type 1 Audit, SOC 3 Report
    – ISO 27001 Certification
    – Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
    – FedRAMP (FISMA), ITAR, FIPS 140-2
    – Cloud Security Alliance Questionnaire
    – MPAA (best practices for storage, processing, delivery)
  • Shared responsibility model
    – Amazon: AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); Foundation Services (Compute, Storage, Database, Networking)
    – You: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity)
  • Securing your cloud applications
  • Resilience and Availability: DR in SNG; DR in US-WEST
  • Network Security Layers
    – Layers in the diagram (outermost first): Inbound Traffic, VPC Network ACL, Amazon Security Groups, OS Firewall, Encrypted Swap File, Encrypted File System
    – Security Groups: inbound traffic must be explicitly specified by protocol, port, and security group
    – VPC adds outbound filters
    – VPC also adds Network Access Control Lists (ACLs): inbound and outbound stateless filters
    – OS Firewall (e.g., iptables) may be implemented: user-controlled security layer; granular access control of discrete hosts; logging of network events
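To make the stateful/stateless distinction on the Network Security Layers slide concrete, here is an added example (not from the deck or from AWS) that models the two VPC filtering layers: security groups as allow-only, stateful rules keyed on protocol, port range and source, and network ACLs as numbered, first-match, stateless allow/deny rules with an implicit final deny. It assumes sources are CIDR ranges only (the slide also allows a security group as source), and the rule sets, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp" or "udp"
    src: str                 # source IP address
    dst_port: int            # destination port on the instance
    is_return: bool = False  # reply to a connection the instance opened

def sg_allows_inbound(rules, pkt):
    """Security group: allow-only rules of (proto, (low, high), cidr);
    stateful, so replies to outbound connections need no inbound rule."""
    if pkt.is_return:
        return True
    return any(proto == pkt.proto and lo <= pkt.dst_port <= hi
               and ip_address(pkt.src) in ip_network(cidr)
               for proto, (lo, hi), cidr in rules)

def nacl_allows_inbound(rules, pkt):
    """Network ACL: (number, proto, (low, high), cidr, action) rules evaluated
    lowest number first, first match wins, implicit deny at the end; stateless,
    so reply traffic to ephemeral ports needs its own allow rule."""
    for _num, proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if (proto in (pkt.proto, "all") and lo <= pkt.dst_port <= hi
                and ip_address(pkt.src) in ip_network(cidr)):
            return action == "allow"
    return False

def inbound_permitted(sg_rules, nacl_rules, pkt):
    """A packet must pass the subnet's NACL and then the instance's security group."""
    return nacl_allows_inbound(nacl_rules, pkt) and sg_allows_inbound(sg_rules, pkt)

# Constructed rule sets for a hypothetical web tier (not from the deck).
SG_RULES = [("tcp", (443, 443), "0.0.0.0/0"),     # HTTPS from anywhere
            ("tcp", (22, 22), "10.0.0.0/8")]       # SSH only from the private range
NACL_RULES = [(90, "tcp", (443, 443), "192.0.2.0/24", "deny"),   # explicit block
              (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
              (110, "tcp", (22, 22), "10.0.0.0/8", "allow"),
              (120, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]  # replies

if __name__ == "__main__":
    for p in (Packet("tcp", "203.0.113.5", 443), Packet("tcp", "203.0.113.5", 22),
              Packet("tcp", "192.0.2.7", 443), Packet("tcp", "198.51.100.9", 51000, True)):
        print(p, "->", inbound_permitted(SG_RULES, NACL_RULES, p))
```

Removing NACL rule 120 shows the stateless failure mode: the security group still admits the reply, but the subnet ACL drops it.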
  • AWS Virtual Private Cloud: Virtual Private Cloud – an extension of your DC (AWS Direct Connect)
  • Identity and Access Management (IAM)
    – Users and Groups within Accounts
    – Unique security credentials: access keys; login/password; optional MFA device
    – Policies control access to AWS APIs
    – API calls must be signed by either an X.509 certificate or a secret key
    – Deep integration into some services: S3 (policies on objects and buckets); SimpleDB (domains)
    – AWS Management Console supports user log-on
    – Not for operating systems or applications: use LDAP, Active Directory/ADFS, etc.
  • IAM Federation
  • Amazon S3 Security
    – Access controls at bucket and object level: Read, Write, Full
    – Owner has full control
    – Customer encryption
    – SSL supported
    – Durability 99.999999999%
    – Availability 99.99%
    – Versioning (MFA Delete)
    – Detailed access logging
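The IAM slide says policies control access to AWS APIs with an optional MFA device, and the S3 slide lists bucket/object access controls, SSL support and MFA Delete. As an added example (not from the deck or any AWS tool), this small policy linter checks a subset of those points over a constructed weak policy and a hardened one: wildcard grants, S3 delete permissions not conditioned on the aws:MultiFactorAuthPresent key, and no Deny statement for requests where aws:SecureTransport is false. It ignores Principal, NotAction and other policy elements, and the bucket name is a placeholder.

```python
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _conditions(stmt):
    """Flatten {"Bool": {"aws:SecureTransport": "false"}} into {key: (op, value)}."""
    out = {}
    for op, kv in stmt.get("Condition", {}).items():
        for key, val in kv.items():
            out[key.lower()] = (op.lower(), str(_as_list(val)[0]).lower())
    return out

def lint_policy(policy):
    """Return (statement index or 'policy', finding) pairs for an IAM or S3 bucket
    policy dict. Checks a subset: wildcard grants, destructive S3 actions not
    gated on MFA, and no Deny statement for requests made without TLS."""
    findings = []
    stmts = _as_list(policy.get("Statement", []))
    if not any(s.get("Effect") == "Deny"
               and _conditions(s).get("aws:securetransport") == ("bool", "false")
               for s in stmts):
        findings.append(("policy", "no-tls-required"))
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(s.get("Action", []))]
        cond = _conditions(s)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard-action"))
        if "*" in _as_list(s.get("Resource", [])):
            findings.append((i, "wildcard-resource"))
        if (any(a in ("*", "s3:*") or a.startswith("s3:delete") for a in actions)
                and cond.get("aws:multifactorauthpresent") != ("bool", "true")):
            findings.append((i, "delete-without-mfa"))
    return findings

# Constructed sample policies for a hypothetical bucket (not from the deck).
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "s3:DeleteObjectVersion",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    print(lint_policy(WEAK), lint_policy(HARDENED))
```

MFA Delete itself is a bucket versioning setting rather than a policy condition; the MFA condition on the delete statement is the policy-side analogue.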
  • CloudHSM (new in 2013)
    – Secure Key Storage: tamper-resistant, customer-controlled hardware security module within your VPC
    – Only you have access to your keys (the Amazon administrators who manage and maintain the appliance do not)
    – Common Criteria EAL4+, NIST FIPS 140-2
    – Reliable & Durable Key Storage: available in multiple AZs and Regions, or replicate to on-premise HSMs
    – http://aws.amazon.com/cloudhsm/
  • AWS Security and Compliance Centre: http://aws.amazon.com/security
    – Answers to many security & privacy questions
    – Security whitepaper
    – Risk and Compliance whitepaper
    – Security bulletins
    – Customer penetration testing
    – Security best practices
    – More information on: AWS Identity & Access Management (AWS IAM); AWS Multi-Factor Authentication (AWS MFA)