SlideShare a Scribd company logo

Architecting for Resiliency

Amazon Web Services
Amazon Web Services

by Andrew Kiggins, Solutions Architect, AWS

Presentations & Public Speaking
1 of 26
© 2016 AWS and affiliates, all rights reserved Security Architecture Loft Architecting For Resiliency Andrew Kiggins Security Solution Architect Aren Sandersen, CTO, FoxPass
© 2016 AWS and affiliates, all rights reserved Goals • Learn how to control access • Learn how AWS services can help implement fault tolerance • Learn how AWS services can reduce security incident blast radius • Understand the security services and features associated with network configuration • Understand how to secure servers and control user access
© 2016 AWS and affiliates, all rights reserved Conditions affecting service availability • Large Scale Events (LSEs) • Disaster recovery • DDoS Attacks • Deployment failures
© 2016 AWS and affiliates, all rights reserved VPCs • Public + Private subnets • IGW • NAT GW virtual private cloud VPC NAT gateway Availability ZoneAvailability ZoneAvailability Zone VPC subnetVPC subnetVPC subnet VPC subnetVPC subnetVPC subnet Internet gateway
© 2016 AWS and affiliates, all rights reserved VPCs • Security Groups – Stateful – Ingress/Egress – Instance specific – Default deny • Network ACLs – Stateless – Inbound/ Outbound – Subnet specific – Default allow virtual private cloud Availability Zone VPC subnetVPC subnet Internet gateway instanceinstance instanceinstance instance security group security groupsecurity group
© 2016 AWS and affiliates, all rights reserved VPC security group HTTP GET TCP(6) Port(80) NTP Buffer Overrun UDP(17) Port(123)
© 2016 AWS and affiliates, all rights reserved Network ACL security group HTTP GET TCP(6) Port(80) HTTP GET TCP(6) Port(80) srcIP=216.246.16.228
© 2016 AWS and affiliates, all rights reserved Obfuscate VPC Amazon Route 53 CloudFront users security group (BuildABeer-SG-1) Public subnet servers Private subnet ELB
© 2016 AWS and affiliates, all rights reserved Layers Of Access Control users Application servers Private subnet security group Public subnet ELB IPS/IDS Private subnet ELB security group WAF Private subnet ELB security group security group ELB
© 2016 AWS and affiliates, all rights reserved Availability Zones • 2 zones good, 3 zones better • Remove AZ dependencies – AZs can and should stand alone
© 2016 AWS and affiliates, all rights reserved Regions (14+) • Regional Isolation – Keys don’t port • Insulate from regional dependency – Reduce centralized resources • Reduce Blast Radius – Don’t interconnect regions – No VPNs – Use protected API endpoint for communication between regions • Disaster recovery
© 2016 AWS and affiliates, all rights reserved Elastic Load Balancer + Application Load Balancers • Cross AZ – Fault tolerance • Auto Scaling – Load/attack resilient • Service isolation Elastic Load Balancing
© 2016 AWS and affiliates, all rights reserved Separation of services Amazon Route 53 CloudFront security group Public subnet servers Private subnet ELB www.foo.commail.foo.com security group Public subnet Mail servers Private subnet ELB security group Public subnet Web servers Private subnet ELB mail.foo.com www.foo.com
© 2016 AWS and affiliates, all rights reserved EC2 Auto-scaling • Create Auto Scaling Groups to span subnets & AZs • Scale up quickly (in jumps) • Scale down slowly (in steps)
© 2016 AWS and affiliates, all rights reserved Introduction • About me • Now: Founder, Foxpass, DevOps security company • Then: Led operations, IT, and security teams for startups over a decade • DevOps/Security consulting
© 2016 AWS and affiliates, all rights reserved Goals • Understand where AWS leaves off and your own security practices must begin, particularly for Linux servers • Learn common threats and how to decrease exposure • Get practical advice on how to configure production access and set IT policies
© 2016 AWS and affiliates, all rights reserved Amazon is easy! • Amazon’s AWS portal makes it extremely simple to bring up servers and get started • Creating firewalls is easy, too – Security groups – Network ACLs in VPCs – WAFs • IAM is extremely granular for portal/api access
© 2016 AWS and affiliates, all rights reserved But more is needed, especially at the machine level • AWS defaults to public-private SSH key on non-root user (ubuntu, ec2-user) which encourages sharing of the private key • Sharing a private key is not a best practice – If an employee leaves, now you have to rotate that key on every server – This is annoying – This is dangerous and can lead to lockouts • AWS defaults to a single user on each Linux machine – Sharing user accounts is (usually) not a best practice • AWS does not give you a bastion host or a VPN – It’s up to you
© 2016 AWS and affiliates, all rights reserved How do I improve this? • Bare minimum: – Update the authorized_keys file for your common user (ubuntu, ec2-user) with the public ssh key(s) of each employee who can log in – Every device should have a separate keypair: ubuntu@staging:~$ cat ~/.ssh/authorized_keys ssh-rsa AAAAB3... 7EFqEu aren@aren-macbook ssh-rsa AAAAB1... 8EcZXy aren@aren-ipad ssh-rsa AAAAB8... HG2AZ6 dave@laptop . . . . . .
© 2016 AWS and affiliates, all rights reserved How do I improve this further? • Get rid of shared user accounts – See who exactly is on a machine – See what they are doing – Assign different permissions to different users • Who can log in • What can they see/do when they log in – Auditable
© 2016 AWS and affiliates, all rights reserved Ok, how? • Add by hand with useradd command – Works fine for one machine, does not scale (user id numbers don’t line up) • Use configuration management like Chef, Puppet, OpsWorks • Use centralized directory server (LDAP) – Run your own – Use a SaaS provider
© 2016 AWS and affiliates, all rights reserved SSH access to production • Don’t keep port 22 open to the world to every host • Instead: – Use a bastion host • Users SSH to the bastion host (jump box) and from there can access another host via the private IP (10.x.x.x) – Use a VPN server • Makes employee laptop a part of the production network • OpenVPN (opensource and Access Server) – Requires special client • Ipsec-based can use built-in client – Foxpass gives one of these away in the marketplace • No matter which you choose, requiring 2-factor for access to your production infrastructure is critical – Google Authenticator – Duo
© 2016 AWS and affiliates, all rights reserved IT security • Easiest way to break into a company is by tricking the employees – Two-factor authentication reduces attack surface and should be required for email accounts • Laptop security – SSH keys should be created with passwords (use ssh-add so you don’t have to re- type the password) – Enforce laptop disk encryption from day 1 – Turn on locking screen savers
© 2016 AWS and affiliates, all rights reserved IT security, continued • Network security – If your office IP is whitelisted into production anywhere, you need to secure your office wireless • Consider not whitelisting it: treat your office like any coffee shop • Whitelists to back-office apps are the worst, many app security holes • Make p/w hard to remember and do not write it on whiteboards (for example) • Rotate the password frequently, especially after an employee leaves – Or set up 802.1x • 802.1x forces the OS to ask a user for his/her name and password before granting access to the WiFi network • Needs a RADIUS server. Run your own or use a SaaS provider
© 2016 AWS and affiliates, all rights reserved Have an employee departure checklist • Servers • VPN • Google Apps account • AWS account • Domain Registrar • DNS
© 2016 AWS and affiliates, all rights reserved Thank you! aren@foxpass.com

Recommended

Real-time Data Processing Using AWS Lambda
Real-time Data Processing Using AWS LambdaReal-time Data Processing Using AWS Lambda
Real-time Data Processing Using AWS LambdaAmazon Web Services
 
Getting Started with Windows Workloads on Amazon EC2
Getting Started with Windows Workloads on Amazon EC2Getting Started with Windows Workloads on Amazon EC2
Getting Started with Windows Workloads on Amazon EC2Amazon Web Services
 
Hack-Proof Your Cloud: Responding to 2016 Threats
Hack-Proof Your Cloud: Responding to 2016 ThreatsHack-Proof Your Cloud: Responding to 2016 Threats
Hack-Proof Your Cloud: Responding to 2016 ThreatsAmazon Web Services
 
Secure Content Delivery with AWS
Secure Content Delivery with AWSSecure Content Delivery with AWS
Secure Content Delivery with AWSAmazon Web Services
 
Getting Started with AWS
Getting Started with AWSGetting Started with AWS
Getting Started with AWSAmazon Web Services
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWSAmazon Web Services
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Kristana Kane
 
AWSome Day Intro
AWSome Day IntroAWSome Day Intro
AWSome Day IntroAmazon Web Services
 

Recommended

Real-time Data Processing Using AWS Lambda
Real-time Data Processing Using AWS LambdaReal-time Data Processing Using AWS Lambda
Real-time Data Processing Using AWS LambdaAmazon Web Services
 
Getting Started with Windows Workloads on Amazon EC2
Getting Started with Windows Workloads on Amazon EC2Getting Started with Windows Workloads on Amazon EC2
Getting Started with Windows Workloads on Amazon EC2Amazon Web Services
 
Hack-Proof Your Cloud: Responding to 2016 Threats
Hack-Proof Your Cloud: Responding to 2016 ThreatsHack-Proof Your Cloud: Responding to 2016 Threats
Hack-Proof Your Cloud: Responding to 2016 ThreatsAmazon Web Services
 
Secure Content Delivery with AWS
Secure Content Delivery with AWSSecure Content Delivery with AWS
Secure Content Delivery with AWSAmazon Web Services
 
Getting Started with AWS
Getting Started with AWSGetting Started with AWS
Getting Started with AWSAmazon Web Services
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWSAmazon Web Services
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Kristana Kane
 
AWSome Day Intro
AWSome Day IntroAWSome Day Intro
AWSome Day IntroAmazon Web Services
 
Protecting your data in aws - Toronto
Protecting your data in aws - TorontoProtecting your data in aws - Toronto
Protecting your data in aws - TorontoAmazon Web Services
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWSAmazon Web Services
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudAmazon Web Services
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Amazon Web Services
 
Advanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftAdvanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftIan Massingham
 
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum EfficiencyDeploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum EfficiencyAmazon Web Services
 
High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS
High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS
High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS Amazon Web Services
 
Getting Started on AWS
Getting Started on AWS Getting Started on AWS
Getting Started on AWS Amazon Web Services
 
NEW LAUNCH! Bringing AWS Lambda to the Edge
NEW LAUNCH! Bringing AWS Lambda to the EdgeNEW LAUNCH! Bringing AWS Lambda to the Edge
NEW LAUNCH! Bringing AWS Lambda to the EdgeAmazon Web Services
 
Intro to Game Development & Operations on AWS
Intro to Game Development & Operations on AWSIntro to Game Development & Operations on AWS
Intro to Game Development & Operations on AWSAmazon Web Services
 
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS SecurityAmazon Web Services
 
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Amazon Web Services
 
Amazon Redshift
Amazon Redshift Amazon Redshift
Amazon Redshift Amazon Web Services
 
Getting Started with Docker on AWS
Getting Started with Docker on AWSGetting Started with Docker on AWS
Getting Started with Docker on AWSKristana Kane
 
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...Amazon Web Services
 
Security @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep DiveSecurity @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep DiveKristana Kane
 
Secure Content Delivery with AWS
Secure Content Delivery with AWSSecure Content Delivery with AWS
Secure Content Delivery with AWSAmazon Web Services
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudAmazon Web Services
 
Introduction to AWS for Android Developers
Introduction to AWS for Android DevelopersIntroduction to AWS for Android Developers
Introduction to AWS for Android DevelopersAmazon Web Services
 
Testing Applications with AWS Device Farm
Testing Applications with AWS Device FarmTesting Applications with AWS Device Farm
Testing Applications with AWS Device FarmAmazon Web Services
 

More Related Content

What's hot

Protecting your data in aws - Toronto
Protecting your data in aws - TorontoProtecting your data in aws - Toronto
Protecting your data in aws - TorontoAmazon Web Services
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudAmazon Web Services
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Amazon Web Services
 
Advanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftAdvanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftIan Massingham
 
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum EfficiencyDeploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum EfficiencyAmazon Web Services
 
High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS
High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS
High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS Amazon Web Services
 
NEW LAUNCH! Bringing AWS Lambda to the Edge
NEW LAUNCH! Bringing AWS Lambda to the EdgeNEW LAUNCH! Bringing AWS Lambda to the Edge
NEW LAUNCH! Bringing AWS Lambda to the EdgeAmazon Web Services
 
Intro to Game Development & Operations on AWS
Intro to Game Development & Operations on AWSIntro to Game Development & Operations on AWS
Intro to Game Development & Operations on AWSAmazon Web Services
 
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS SecurityAmazon Web Services
 
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Amazon Web Services
 
Getting Started with Docker on AWS
Getting Started with Docker on AWSGetting Started with Docker on AWS
Getting Started with Docker on AWSKristana Kane
 
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...Amazon Web Services
 
Security @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep DiveSecurity @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep DiveKristana Kane
 
Secure Content Delivery with AWS
Secure Content Delivery with AWSSecure Content Delivery with AWS
Secure Content Delivery with AWSAmazon Web Services
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudAmazon Web Services
 

What's hot (20)

Protecting your data in aws - Toronto
Protecting your data in aws - TorontoProtecting your data in aws - Toronto
Protecting your data in aws - Toronto
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017
 
Advanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftAdvanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv Loft
 
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum EfficiencyDeploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency
 
High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS
High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS
High Performance MongoDB Clusters with Amazon EBS Provisioned IOPS
 
Getting Started on AWS
Getting Started on AWS Getting Started on AWS
Getting Started on AWS
 
NEW LAUNCH! Bringing AWS Lambda to the Edge
NEW LAUNCH! Bringing AWS Lambda to the EdgeNEW LAUNCH! Bringing AWS Lambda to the Edge
NEW LAUNCH! Bringing AWS Lambda to the Edge
 
Intro to Game Development & Operations on AWS
Intro to Game Development & Operations on AWSIntro to Game Development & Operations on AWS
Intro to Game Development & Operations on AWS
 
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS Security
 
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
 
Amazon Redshift
Amazon Redshift Amazon Redshift
Amazon Redshift
 
Getting Started with Docker on AWS
Getting Started with Docker on AWSGetting Started with Docker on AWS
Getting Started with Docker on AWS
 
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
 
Security @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep DiveSecurity @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep Dive
 
Secure Content Delivery with AWS
Secure Content Delivery with AWSSecure Content Delivery with AWS
Secure Content Delivery with AWS
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
 

Viewers also liked

Introduction to AWS for Android Developers
Introduction to AWS for Android DevelopersIntroduction to AWS for Android Developers
Introduction to AWS for Android DevelopersAmazon Web Services
 
Testing Applications with AWS Device Farm
Testing Applications with AWS Device FarmTesting Applications with AWS Device Farm
Testing Applications with AWS Device FarmAmazon Web Services
 
Monitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar SeriesMonitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar SeriesAmazon Web Services
 
AWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by DesignAWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by DesignAmazon Web Services
 
Getting Started with AWS Mobile Hub
Getting Started with AWS Mobile Hub Getting Started with AWS Mobile Hub
Getting Started with AWS Mobile Hub Amazon Web Services
 
ClearScale: Continuous Automation with Docker on AWS
ClearScale: Continuous Automation with Docker on AWSClearScale: Continuous Automation with Docker on AWS
ClearScale: Continuous Automation with Docker on AWSAmazon Web Services
 
Getting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesAmazon Web Services
 
Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October ...
Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October ...Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October ...
Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October ...Amazon Web Services
 
AWS Enterprise Summit Netherlands - Keynote
AWS Enterprise Summit Netherlands - KeynoteAWS Enterprise Summit Netherlands - Keynote
AWS Enterprise Summit Netherlands - KeynoteAmazon Web Services
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudAmazon Web Services
 
Mobile Web and App Development with AWS
Mobile Web and App Development with AWSMobile Web and App Development with AWS
Mobile Web and App Development with AWSAmazon Web Services
 
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...Amazon Web Services
 
AWS re:Invent 2016: Reinventing Disaster Recovery Leveraging AWS Cloud Infras...
AWS re:Invent 2016: Reinventing Disaster Recovery Leveraging AWS Cloud Infras...AWS re:Invent 2016: Reinventing Disaster Recovery Leveraging AWS Cloud Infras...
AWS re:Invent 2016: Reinventing Disaster Recovery Leveraging AWS Cloud Infras...Amazon Web Services
 
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware TrojanMalware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware TrojanCyphort
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack VectorDigital Bond
 
Enterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesEnterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesQuick Heal Technologies Ltd.
 

Viewers also liked (20)

Introduction to AWS for Android Developers
Introduction to AWS for Android DevelopersIntroduction to AWS for Android Developers
Introduction to AWS for Android Developers
 
Testing Applications with AWS Device Farm
Testing Applications with AWS Device FarmTesting Applications with AWS Device Farm
Testing Applications with AWS Device Farm
 
Monitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar SeriesMonitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar Series
 
AWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by DesignAWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by Design
 
Getting Started with AWS Mobile Hub
Getting Started with AWS Mobile Hub Getting Started with AWS Mobile Hub
Getting Started with AWS Mobile Hub
 
ClearScale: Continuous Automation with Docker on AWS
ClearScale: Continuous Automation with Docker on AWSClearScale: Continuous Automation with Docker on AWS
ClearScale: Continuous Automation with Docker on AWS
 
Getting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar Series
 
Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October ...
Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October ...Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October ...
Automating Compliance Defense in the Cloud - Toronto FSI Symposium - October ...
 
AWS Enterprise Summit Netherlands - Keynote
AWS Enterprise Summit Netherlands - KeynoteAWS Enterprise Summit Netherlands - Keynote
AWS Enterprise Summit Netherlands - Keynote
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
 
Serverless Microservices
Serverless MicroservicesServerless Microservices
Serverless Microservices
 
Mobile Web and App Development with AWS
Mobile Web and App Development with AWSMobile Web and App Development with AWS
Mobile Web and App Development with AWS
 
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
Advanced Approaches to Amazon VPC and Amazon Route 53 | AWS Public Sector Sum...
 
AWS re:Invent 2016: Reinventing Disaster Recovery Leveraging AWS Cloud Infras...
AWS re:Invent 2016: Reinventing Disaster Recovery Leveraging AWS Cloud Infras...AWS re:Invent 2016: Reinventing Disaster Recovery Leveraging AWS Cloud Infras...
AWS re:Invent 2016: Reinventing Disaster Recovery Leveraging AWS Cloud Infras...
 
Introduction to Microservices
Introduction to MicroservicesIntroduction to Microservices
Introduction to Microservices
 
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware TrojanMalware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack Vector
 
Ransomware
RansomwareRansomware
Ransomware
 
Enterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entitiesEnterprise security: ransomware in enterprise and corporate entities
Enterprise security: ransomware in enterprise and corporate entities
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detection
 

Similar to Architecting for Resiliency

Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineAmazon Web Services
 
NET309_Best Practices for Securing an Amazon Virtual Private Cloud
NET309_Best Practices for Securing an Amazon Virtual Private CloudNET309_Best Practices for Securing an Amazon Virtual Private Cloud
NET309_Best Practices for Securing an Amazon Virtual Private CloudAmazon Web Services
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineAmazon Web Services
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Amazon Web Services
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsHackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsAmazon Web Services
 
Hack proof your aws cloud cloudcheckr_040416
Hack proof your aws cloud cloudcheckr_040416Hack proof your aws cloud cloudcheckr_040416
Hack proof your aws cloud cloudcheckr_040416Jarrett Plante
 
Microsoft Azure Hybrid Cloud - Getting Started For Techies
Microsoft Azure Hybrid Cloud - Getting Started For TechiesMicrosoft Azure Hybrid Cloud - Getting Started For Techies
Microsoft Azure Hybrid Cloud - Getting Started For TechiesAidan Finn
 
Making Apache Tomcat Multi-tenant, Elastic and Metered
Making Apache Tomcat Multi-tenant, Elastic and MeteredMaking Apache Tomcat Multi-tenant, Elastic and Metered
Making Apache Tomcat Multi-tenant, Elastic and MeteredPaul Fremantle
 
NET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
NET203_Using Amazon VPC Flow Logs to Do Predictive Security AnalyticsNET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
NET203_Using Amazon VPC Flow Logs to Do Predictive Security AnalyticsAmazon Web Services
 
NET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
NET203_Using Amazon VPC Flow Logs to Do Predictive Security AnalyticsNET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
NET203_Using Amazon VPC Flow Logs to Do Predictive Security AnalyticsAmazon Web Services
 
Hackproof Your Cloud – Responding to 2016 Threats
Hackproof Your Cloud – Responding to 2016 ThreatsHackproof Your Cloud – Responding to 2016 Threats
Hackproof Your Cloud – Responding to 2016 ThreatsAmazon Web Services
 
Architecting-for-the-cloud-Best-Practices
Architecting-for-the-cloud-Best-PracticesArchitecting-for-the-cloud-Best-Practices
Architecting-for-the-cloud-Best-PracticesAmazon Web Services
 
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Amazon Web Services
 
Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...
Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...
Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...Amazon Web Services
 
The Future of SDN in CloudStack by Chiradeep Vittal
The Future of SDN in CloudStack by Chiradeep VittalThe Future of SDN in CloudStack by Chiradeep Vittal
The Future of SDN in CloudStack by Chiradeep Vittalbuildacloud
 
Customer Sharing: Trend Micro - Analytic Engine - A common Big Data computati...
Customer Sharing: Trend Micro - Analytic Engine - A common Big Data computati...Customer Sharing: Trend Micro - Analytic Engine - A common Big Data computati...
Customer Sharing: Trend Micro - Analytic Engine - A common Big Data computati...Amazon Web Services
 
analytic engine - a common big data computation service on the aws
analytic engine - a common big data computation service on the awsanalytic engine - a common big data computation service on the aws
analytic engine - a common big data computation service on the awsScott Miao
 
3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle Cloud3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle CloudSimon Haslam
 

Similar to Architecting for Resiliency (20)

Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
 
NET309_Best Practices for Securing an Amazon Virtual Private Cloud
NET309_Best Practices for Securing an Amazon Virtual Private CloudNET309_Best Practices for Securing an Amazon Virtual Private Cloud
NET309_Best Practices for Securing an Amazon Virtual Private Cloud
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsHackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats
 
Hack proof your aws cloud cloudcheckr_040416
Hack proof your aws cloud cloudcheckr_040416Hack proof your aws cloud cloudcheckr_040416
Hack proof your aws cloud cloudcheckr_040416
 
Microsoft Azure Hybrid Cloud - Getting Started For Techies
Microsoft Azure Hybrid Cloud - Getting Started For TechiesMicrosoft Azure Hybrid Cloud - Getting Started For Techies
Microsoft Azure Hybrid Cloud - Getting Started For Techies
 
Making Apache Tomcat Multi-tenant, Elastic and Metered
Making Apache Tomcat Multi-tenant, Elastic and MeteredMaking Apache Tomcat Multi-tenant, Elastic and Metered
Making Apache Tomcat Multi-tenant, Elastic and Metered
 
NET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
NET203_Using Amazon VPC Flow Logs to Do Predictive Security AnalyticsNET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
NET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
 
NET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
NET203_Using Amazon VPC Flow Logs to Do Predictive Security AnalyticsNET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
NET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
 
Hackproof Your Cloud – Responding to 2016 Threats
Hackproof Your Cloud – Responding to 2016 ThreatsHackproof Your Cloud – Responding to 2016 Threats
Hackproof Your Cloud – Responding to 2016 Threats
 
Architecting-for-the-cloud-Best-Practices
Architecting-for-the-cloud-Best-PracticesArchitecting-for-the-cloud-Best-Practices
Architecting-for-the-cloud-Best-Practices
 
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
 
Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...
Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...
Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...
 
The Future of SDN in CloudStack by Chiradeep Vittal
The Future of SDN in CloudStack by Chiradeep VittalThe Future of SDN in CloudStack by Chiradeep Vittal
The Future of SDN in CloudStack by Chiradeep Vittal
 
Customer Sharing: Trend Micro - Analytic Engine - A common Big Data computati...
Customer Sharing: Trend Micro - Analytic Engine - A common Big Data computati...Customer Sharing: Trend Micro - Analytic Engine - A common Big Data computati...
Customer Sharing: Trend Micro - Analytic Engine - A common Big Data computati...
 
analytic engine - a common big data computation service on the aws
analytic engine - a common big data computation service on the awsanalytic engine - a common big data computation service on the aws
analytic engine - a common big data computation service on the aws
 
3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle Cloud3 Ways to Connect to the Oracle Cloud
3 Ways to Connect to the Oracle Cloud
 
AWS Best Practices
AWS Best PracticesAWS Best Practices
AWS Best Practices
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...NETWAYS
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝soniya singh
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrsaastr
 

Recently uploaded (20)

George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
OSCamp Kubernetes 2024 | A Tester's Guide to CI_CD as an Automated Quality Co...
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
 

Architecting for Resiliency

  • 1. © 2016 AWS and affiliates, all rights reserved Security Architecture Loft Architecting For Resiliency Andrew Kiggins Security Solution Architect Aren Sandersen, CTO, FoxPass
  • 2. © 2016 AWS and affiliates, all rights reserved Goals • Learn how to control access • Learn how AWS services can help implement fault tolerance • Learn how AWS services can reduce security incident blast radius • Understand the security services and features associated with network configuration • Understand how to secure servers and control user access
  • 3. © 2016 AWS and affiliates, all rights reserved Conditions affecting service availability • Large Scale Events (LSEs) • Disaster recovery • DDoS Attacks • Deployment failures
  • 4. © 2016 AWS and affiliates, all rights reserved VPCs • Public + Private subnets • IGW • NAT GW virtual private cloud VPC NAT gateway Availability ZoneAvailability ZoneAvailability Zone VPC subnetVPC subnetVPC subnet VPC subnetVPC subnetVPC subnet Internet gateway
  • 5. © 2016 AWS and affiliates, all rights reserved VPCs • Security Groups – Stateful – Ingress/Egress – Instance specific – Default deny • Network ACLs – Stateless – Inbound/ Outbound – Subnet specific – Default allow virtual private cloud Availability Zone VPC subnetVPC subnet Internet gateway instanceinstance instanceinstance instance security group security groupsecurity group
  • 6. © 2016 AWS and affiliates, all rights reserved VPC security group HTTP GET TCP(6) Port(80) NTP Buffer Overrun UDP(17) Port(123)
  • 7. © 2016 AWS and affiliates, all rights reserved Network ACL security group HTTP GET TCP(6) Port(80) HTTP GET TCP(6) Port(80) srcIP=216.246.16.228
  • 8. © 2016 AWS and affiliates, all rights reserved Obfuscate VPC Amazon Route 53 CloudFront users security group (BuildABeer-SG-1) Public subnet servers Private subnet ELB
  • 9. © 2016 AWS and affiliates, all rights reserved Layers Of Access Control users Application servers Private subnet security group Public subnet ELB IPS/IDS Private subnet ELB security group WAF Private subnet ELB security group security group ELB
  • 10. © 2016 AWS and affiliates, all rights reserved Availability Zones • 2 zones good, 3 zones better • Remove AZ dependencies – AZs can and should stand alone
  • 11. © 2016 AWS and affiliates, all rights reserved Regions (14+) • Regional Isolation – Keys don’t port • Insulate from regional dependency – Reduce centralized resources • Reduce Blast Radius – Don’t interconnect regions – No VPNs – Use protected API endpoint for communication between regions • Disaster recovery
  • 12. © 2016 AWS and affiliates, all rights reserved Elastic Load Balancer + Application Load Balancers • Cross AZ – Fault tolerance • Auto Scaling – Load/attack resilient • Service isolation Elastic Load Balancing
  • 13. © 2016 AWS and affiliates, all rights reserved Separation of services Amazon Route 53 CloudFront security group Public subnet servers Private subnet ELB www.foo.commail.foo.com security group Public subnet Mail servers Private subnet ELB security group Public subnet Web servers Private subnet ELB mail.foo.com www.foo.com
  • 14. © 2016 AWS and affiliates, all rights reserved EC2 Auto-scaling • Create Auto Scaling Groups to span subnets & AZs • Scale up quickly (in jumps) • Scale down slowly (in steps)
  • 15. © 2016 AWS and affiliates, all rights reserved Introduction • About me • Now: Founder, Foxpass, DevOps security company • Then: Led operations, IT, and security teams for startups over a decade • DevOps/Security consulting
  • 16. © 2016 AWS and affiliates, all rights reserved Goals • Understand where AWS leaves off and your own security practices must begin, particularly for Linux servers • Learn common threats and how to decrease exposure • Get practical advice on how to configure production access and set IT policies
  • 17. © 2016 AWS and affiliates, all rights reserved Amazon is easy! • Amazon’s AWS portal makes it extremely simple to bring up servers and get started • Creating firewalls is easy, too – Security groups – Network ACLs in VPCs – WAFs • IAM is extremely granular for portal/api access
  • 18. © 2016 AWS and affiliates, all rights reserved But more is needed, especially at the machine level • AWS defaults to public-private SSH key on non-root user (ubuntu, ec2-user) which encourages sharing of the private key • Sharing a private key is not a best practice – If an employee leaves, now you have to rotate that key on every server – This is annoying – This is dangerous and can lead to lockouts • AWS defaults to a single user on each Linux machine – Sharing user accounts is (usually) not a best practice • AWS does not give you a bastion host or a VPN – It’s up to you
  • 19. © 2016 AWS and affiliates, all rights reserved How do I improve this? • Bare minimum: – Update the authorized_keys file for your common user (ubuntu, ec2-user) with the public ssh key(s) of each employee who can log in – Every device should have a separate keypair: ubuntu@staging:~$ cat ~/.ssh/authorized_keys ssh-rsa AAAAB3... 7EFqEu aren@aren-macbook ssh-rsa AAAAB1... 8EcZXy aren@aren-ipad ssh-rsa AAAAB8... HG2AZ6 dave@laptop . . . . . .
  • 20. © 2016 AWS and affiliates, all rights reserved How do I improve this further? • Get rid of shared user accounts – See who exactly is on a machine – See what they are doing – Assign different permissions to different users • Who can log in • What can they see/do when they log in – Auditable
  • 21. © 2016 AWS and affiliates, all rights reserved Ok, how? • Add by hand with useradd command – Works fine for one machine, does not scale (user id numbers don’t line up) • Use configuration management like Chef, Puppet, OpsWorks • Use centralized directory server (LDAP) – Run your own – Use a SaaS provider
  • 22. © 2016 AWS and affiliates, all rights reserved SSH access to production • Don’t keep port 22 open to the world to every host • Instead: – Use a bastion host • Users SSH to the bastion host (jump box) and from there can access another host via the private IP (10.x.x.x) – Use a VPN server • Makes employee laptop a part of the production network • OpenVPN (opensource and Access Server) – Requires special client • Ipsec-based can use built-in client – Foxpass gives one of these away in the marketplace • No matter which you choose, requiring 2-factor for access to your production infrastructure is critical – Google Authenticator – Duo
  • 23. © 2016 AWS and affiliates, all rights reserved IT security • Easiest way to break into a company is by tricking the employees – Two-factor authentication reduces attack surface and should be required for email accounts • Laptop security – SSH keys should be created with passwords (use ssh-add so you don’t have to re- type the password) – Enforce laptop disk encryption from day 1 – Turn on locking screen savers
  • 24. © 2016 AWS and affiliates, all rights reserved IT security, continued • Network security – If your office IP is whitelisted into production anywhere, you need to secure your office wireless • Consider not whitelisting it: treat your office like any coffee shop • Whitelists to back-office apps are the worst, many app security holes • Make p/w hard to remember and do not write it on whiteboards (for example) • Rotate the password frequently, especially after an employee leaves – Or set up 802.1x • 802.1x forces the OS to ask a user for his/her name and password before granting access to the WiFi network • Needs a RADIUS server. Run your own or use a SaaS provider
  • 25. © 2016 AWS and affiliates, all rights reserved Have an employee departure checklist • Servers • VPN • Google Apps account • AWS account • Domain Registrar • DNS
  • 26. © 2016 AWS and affiliates, all rights reserved Thank you! aren@foxpass.com

Editor's Notes

  1. Control access by CIDR, security group. Why is that important? Auto scaling. Security group live in a VPC, but can span AZs
  2. VPC gets a default Security Group when created but you need to customize it or use multiple We create a security group that only allows TCP traffic to port 80 (knows nothing about HTTP!) By default Security Groups allow nothing in, so we have to poke some holes (e.g. port 80/443) for web traffic) Our HTTP Beer order gets through The NTP Buffer Overrun exploit gets stopped at the gate, as NTP uses port UDP/123 and there’s no access allowed for that sort of traffic NO PORT SCANNING OF MISCONFIGURED HOSTS
  3. The default Network ACLs (stateless) are to ALLOW everything By adding a explicit DENY rule for Klingon.org we block all traffic from that source IP address Klingon.com
  4. Domain resolves to cloudfront not to the origin, but only for web traffic Resolving ftp will give the ELB’s ip addresses allowing it to be attacked.
  5. Non-cacheable content, or non web traffic can benefit from additional layers of security controlling access. There’s A LOT of high quality commercial offerings in the marketplace, Firewalls, IPS/IDS, WAF, UTMs, SIEMs tools. A multi layer strategy is required as there’s no silver bullet
  6. Also scrub out the badness Scale to absorb large attacks ALB can isolate different backend services
  7. Separate out services to ensure that there’s no collateral damage between servers hosting different types of applications (Best Practice, one service, one endpoint) Here our malicious character has failed to find the origin using a DNS request for www.buildabeer.com, so instead he makes a DNS request for mail.buildabeer.com. The applications live on the same servers and as CDNs don’t generally handle mail traffic, the request resolves to the server IP addresses. Slpit out the services t protect cross contamination. 1 application, 1 set of IPs/ELBs. Customerize your security