AWS Summit 2013 Barcelona
Oct 24 – Barcelona, Spain

AWS CLOUD SECURITY
Bill Shinn, AWS Principal Security Solutions Architect

Slide-by-slide text of the keynote deck:

1. AWS Summit 2013 Barcelona, Oct 24 – Barcelona, Spain. AWS CLOUD SECURITY. Bill Shinn, AWS Principal Security Solutions Architect
2. SECURITY IS UNIVERSAL
3. EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES. CHOOSE WHAT'S RIGHT FOR YOUR BUSINESS
4. AWS GOV CLOUD: ITAR COMPLIANT
5. SECURITY IS VISIBLE
6. CAN YOU MAP YOUR NETWORK? WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
7. AWS API + CLOUDFORMATION: ENVIRONMENT ARCHITECTURE DEFINITION AND CHANGE DETECTION
8. SECURITY IS TRANSPARENT
9. SOC 1, SOC 2, SOC 3, ITAR, FIPS, PCI DSS L1, FedRAMP, ISO 27001, HIPAA
10. SECURITY IS FAMILIAR
11–14. SOC CONTROL OBJECTIVES: 1. SECURITY ORGANIZATION, 2. AMAZON USER ACCESS, 3. LOGICAL SECURITY, 4. SECURE DATA HANDLING, 5. PHYSICAL SECURITY AND ENV. SAFEGUARDS, 6. CHANGE MANAGEMENT, 7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY, 8. INCIDENT HANDLING
15. LEAST PRIVILEGE PRINCIPLE: CONFINE ROLES TO ONLY THE MATERIAL REQUIRED TO DO A SPECIFIC JOB
16. USE AWS IAM (IDENTITY & ACCESS MANAGEMENT)
17. CONTROL WHO CAN DO WHAT IN YOUR AWS ACCOUNT
18. IAM USERS & ROLES
19. ACCESS TO SERVICE APIs
20. NO PASSWORDS
21. USE SEPARATE SETS OF CREDENTIALS
22. ROTATE YOUR AWS SECURITY CREDENTIALS
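The credential rules on the IAM slides (no console passwords, separate credential sets, rotate your credentials) can be checked mechanically against the IAM credential report. The following is an added example and not code from the talk: it parses a constructed report in the column layout of `aws iam get-credential-report` and flags console passwords, missing MFA, stale access keys and users with two active keys; the 90-day rotation window, the account id and the sample users are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `aws iam get-credential-report`
# (a subset of the report's real columns; users, account id and dates are made up).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2012-01-05T10:00:00+00:00,not_supported,2013-10-01T08:00:00+00:00,not_supported,not_supported,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2013-02-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2013-02-01T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2013-09-01T09:00:00+00:00,true,2013-10-20T08:00:00+00:00,2013-09-01T09:00:00+00:00,N/A,true,true,2013-09-15T09:00:00+00:00,true,2013-10-01T09:00:00+00:00
"""

# Reference date for the sample: the day of the talk (assumed for the example).
NOW = datetime(2013, 10, 24, tzinfo=timezone.utc)


def parse_time(value):
    """Report timestamps are ISO 8601; N/A, not_supported and no_information mean 'none'."""
    if value in ("", "N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def audit_credentials(report_csv, now, max_key_age_days=90):
    """Return (user, finding) pairs for rows that break the deck's rules:
    no console passwords, MFA on, keys rotated, only one active key per user."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
        if not is_root and row["password_enabled"] == "true":
            findings.append((user, "console password enabled"))
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
        active = 0
        for slot in ("1", "2"):  # the report has two access-key slots per user
            if row[f"access_key_{slot}_active"] != "true":
                continue
            active += 1
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {slot} older than {max_key_age_days} days"))
        if active > 1:
            findings.append((user, "two active access keys; deactivate the old one"))
    return findings


def audit_sample():
    """Run the audit over the constructed report with the assumed reference date."""
    return audit_credentials(SAMPLE_REPORT, NOW)
```

On a real account, feed the CSV returned by `aws iam get-credential-report` to `audit_credentials` with the current time; the root and two-key checks are the ones most often missed when rotation is done by hand.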
23. SOC CONTROL OBJECTIVES (same list as slides 11–14)
24. YOUR DATA IS YOUR MOST IMPORTANT ASSET
25. …
26. MFA DELETE PROTECTION
27. ENCRYPT YOUR DATA: AMAZON S3 SSE (DATA AT REST), AWS CloudHSM
28. SOC CONTROL OBJECTIVES (same list as slides 11–14)
29. NEED TO KNOW + CCTV, GUARDS, MAN TRAPS, FENCES, ETC…
30. …
31. SOC CONTROL OBJECTIVES (same list as slides 11–14)
32. CHANGES IN PRODUCTION HAVE TO BE AUTHORIZED
33. DEV & TEST ENVIRONMENT (AWS ACCOUNT A) | PRODUCTION ENVIRONMENT (AWS ACCOUNT B)
34. DEPLOYMENT PROCESS HAS TO BE CONSTRAINED
35. SOC CONTROL OBJECTIVES (same list as slides 11–14)
36. CONTINUOUS DELIVERY MODEL
37. CONTINUOUS DEPLOYMENT SESSION, 13:30, START-UP TRACK
38. REDUNDANCY & INTEGRITY CHECKS
39. USE MULTIPLE AZs: AMAZON S3, AMAZON DYNAMODB, AMAZON RDS MULTI-AZ, AMAZON EBS SNAPSHOTS
40. SOC CONTROL OBJECTIVES (same list as slides 11–14)
41. "GAME DAYS": INSERT ARTIFICIAL SECURITY INCIDENTS. MEASURE SPEED OF DETECTION AND EXECUTION.
42. GAME DAYS !! INSERT ARTIFICIAL SECURITY INCIDENTS. MEASURE SPEED OF DETECTION AND EXECUTION.
43. SECURITY IS AUDITABLE
44. VULNERABILITY / PENETRATION TESTING
45. VULNERABILITY / PENETRATION TESTING
46. LOGS: OBTAINED, RETAINED, ANALYZED
47. OBTAIN, RETAIN, ANALYZE YOUR LOGS
48. PROTECT YOUR LOGS WITH IAM. ARCHIVE YOUR LOGS
49. TRUSTED ADVISOR
50. SECURITY IS SHARED
51. NETWORK SECURITY: DDOS
52. NETWORK SECURITY: SSL
53. NETWORK SECURITY: SPOOFING
54. NETWORK SECURITY: PORT SCANNING
55. AMAZON EC2 SECURITY: HOST OS. SSH KEYED LOGINS VIA BASTION HOST. ALL ACCESSES LOGGED AND AUDITED
56. AMAZON EC2 SECURITY: GUEST OS. CUSTOMER CONTROLLED AT ROOT LEVEL. AWS ADMINS CANNOT LOG IN. CUSTOMER-GENERATED KEYPAIRS
57. "If you need to SSH into your instance, improve your deployment process."
58. AMAZON EC2 SECURITY: STATEFUL & STATELESS FIREWALL. MANDATORY INBOUND DEFAULT DENY MODE
59. SECURITY IS UNIVERSAL, VISIBLE, TRANSPARENT, FAMILIAR, AUDITABLE, SHARED
60. AWS.AMAZON.COM/SECURITY, AWS.AMAZON.COM/COMPLIANCE, BLOGS.AWS.AMAZON.COM/SECURITY
61. AWS SECURITY WHITEPAPERS: AUDITING SECURITY CHECKLIST, SECURITY BEST PRACTICES, SECURITY PROCESSES, RISK & COMPLIANCE
62. AWS MARKETPLACE SECURITY SOLUTIONS
63. billshin@amazon.com