Security in the AWS Cloud - Steve Riley
  1. Security in the AWS Cloud
     Steve Riley, steriley@amazon.com, @steveriley, @awscloud
     http://stvrly.wordpress.com
  2. Amazon Web Services
     Amazon CloudFront
  3.-8. (image-only slides; no text extracted)
  9. Service layering (diagram): Amazon S3, Amazon SimpleDB, Amazon RDS (multi AZ), Amazon EBS, Amazon RDS (one AZ), Amazon EC2
  10. EC2 isolation layers (diagram, in the order shown):
     - Customer 1, Customer 2, ..., Customer n instances: customer only (SSH, ID/pw, X.509; root/admin control)
     - Customer 1, Customer 2, ..., Customer n virtual interfaces: customer only (inbound flows; default deny)
     - Hypervisor layer
     - Customer 1, Customer 2, ..., Customer n security groups: AWS firewall
     - Physical interfaces: AWS admins only (SSH via bastions; audits reviewed)
  11. (image-only slide; no text extracted)
  12. Three-tier design (diagram):
     - Web tier: HTTP/HTTPS from the Internet
     - Application tier
     - Database tier
     - Management: SSH/RDP from corpnet to all three tiers; from the vendor to the database tier (per the rules on slide 14)
  13. (image-only slide; no text extracted)
  14. Security group rules for the three tiers. CorpNet, Vendor, prot, AppPortRange and DBPortRange stand for site-specific values; the slide writes 22|3389 on one line, but each port is its own rule:
     ec2-authorize WebSG -P tcp -p 80 -s 0.0.0.0/0
     ec2-authorize WebSG -P tcp -p 443 -s 0.0.0.0/0
     ec2-authorize WebSG -P tcp -p 22 -s CorpNet
     ec2-authorize WebSG -P tcp -p 3389 -s CorpNet
     ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
     ec2-authorize AppSG -P tcp -p 22 -s CorpNet
     ec2-authorize AppSG -P tcp -p 3389 -s CorpNet
     ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
     ec2-authorize DBSG -P tcp -p 22 -s CorpNet
     ec2-authorize DBSG -P tcp -p 3389 -s CorpNet
     ec2-authorize DBSG -P tcp -p 22 -s Vendor
     ec2-authorize DBSG -P tcp -p 3389 -s Vendor
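The rules on slide 14 as a runnable default-deny model, so the tiering can be checked rather than read: only the web tier is reachable from the Internet, the application tier is reachable only from instances in WebSG, and the database tier only from instances in AppSG plus management hosts. This is an added example, not code from the deck or an AWS tool; the CIDRs for CorpNet and Vendor, tcp for "prot", and the port ranges are constructed placeholders.

```python
# Added example (not from the deck, not an AWS tool): a default-deny model of
# the slide's three-tier security groups, used to check what each source can reach.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder values for the slide's symbolic names.
CORPNET = "10.0.0.0/8"          # stands in for "CorpNet"
VENDOR = "198.51.100.0/24"      # stands in for "Vendor" (documentation range)
APP_PORTS = (8080, 8080)        # stands in for "AppPortRange"
DB_PORTS = (3306, 3306)         # stands in for "DBPortRange"
PROT = "tcp"                    # stands in for "prot"


@dataclass(frozen=True)
class Rule:
    """One inbound rule: protocol, port range, and a CIDR (-s) or source group (-o)."""
    proto: str
    port_from: int
    port_to: int
    src_cidr: Optional[str] = None
    src_group: Optional[str] = None


def authorize(groups, name, proto, ports, src=None, group=None):
    """Mirror of 'ec2-authorize NAME -P proto -p ports -s src | -o group'."""
    lo, hi = ports if isinstance(ports, tuple) else (ports, ports)
    groups.setdefault(name, []).append(Rule(proto, lo, hi, src, group))


def build_policy():
    """The rules from slide 14 with the placeholders above substituted."""
    g = {}
    authorize(g, "WebSG", "tcp", 80, src="0.0.0.0/0")
    authorize(g, "WebSG", "tcp", 443, src="0.0.0.0/0")
    for port in (22, 3389):
        authorize(g, "WebSG", "tcp", port, src=CORPNET)
    authorize(g, "AppSG", PROT, APP_PORTS, group="WebSG")
    for port in (22, 3389):
        authorize(g, "AppSG", "tcp", port, src=CORPNET)
    authorize(g, "DBSG", PROT, DB_PORTS, group="AppSG")
    for port in (22, 3389):
        authorize(g, "DBSG", "tcp", port, src=CORPNET)
        authorize(g, "DBSG", "tcp", port, src=VENDOR)
    return g


def is_allowed(groups, dst_group, proto, port, src_ip=None, src_group=None):
    """Default deny: the flow is allowed only if some rule on dst_group matches.

    A CIDR rule matches on the sender's IP; a source-group rule matches on the
    group membership of the sending instance (as EC2 does), not on its address.
    """
    for r in groups.get(dst_group, []):
        if r.proto != proto or not (r.port_from <= port <= r.port_to):
            continue
        if (r.src_cidr is not None and src_ip is not None
                and ip_address(src_ip) in ip_network(r.src_cidr)):
            return True
        if r.src_group is not None and src_group == r.src_group:
            return True
    return False


def internet_exposed(groups):
    """Review helper: every (group, port) pair reachable from 0.0.0.0/0, sorted."""
    found = set()
    for name, rules in groups.items():
        for r in rules:
            if r.src_cidr == "0.0.0.0/0":
                for port in range(r.port_from, r.port_to + 1):
                    found.add((name, port))
    return sorted(found)


if __name__ == "__main__":
    policy = build_policy()
    print("Internet-exposed:", internet_exposed(policy))
    print("Internet -> DB 3306:", is_allowed(policy, "DBSG", "tcp", 3306, src_ip="203.0.113.7"))
    print("Web tier -> App port:", is_allowed(policy, "AppSG", "tcp", 8080, src_group="WebSG"))
```

The point of the source-group rules (-o) is visible in the model: an Internet host that somehow learns an application server's address still matches no AppSG rule, because the only non-management rule there is keyed to membership in WebSG, and internet_exposed() is the review step that confirms nothing but ports 80 and 443 on the web tier is open to 0.0.0.0/0.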
  15. Amazon VPC (diagram): your VPC inside the Amazon Web Services cloud, connected to your corporate network
  16.-26. Amazon VPC status
     Currently:
     - EC2 on-demand and reserved
     - EBS
     - CloudWatch
     - Linux/Unix and Windows
     - US-East, EU-West
     Upcoming:
     - >1 AZ, >1 router
     - Outbound Internet
     - Elastic IPs
     - Elastic Load Balancing
     - Autoscaling
     - DevPay
     - Inter-subnet security groups
     (diagram labels: Your VPC; Amazon Web Services Cloud; Your corporate network)
  27.-32. Amazon S3 access control (diagram): permissions Read, Write, Full (two sets shown); "Key" = name of object
  33.-34. (image-only slides; no text extracted)
  35. Compliance:
     - Sarbanes-Oxley Act: ongoing
     - HIPAA: current customer deployments; whitepaper describes the specifics
     - SAS 70 Type II: complete (physical security, access controls, change management, operations)
  36. (image-only slide; no text extracted)
  37. Thank you very much!
     Steve Riley, steriley@amazon.com, @steveriley, @awscloud
     http://stvrly.wordpress.com