AWS Webcast - Security Best Practices on AWS

Amazon Web Services (AWS) delivers a highly scalable cloud computing platform with high availability and reliability, and the flexibility to enable customers to build a wide range of applications. In order to provide end-to-end security and end-to-end privacy, AWS builds services in accordance with security best practices, provides appropriate security features in those services, and documents how to use those features.

In addition, AWS customers must use those features and best practices to architect an appropriately secure application environment. Join this webcast to learn more.

Published in: Technology, Business

AWS Webcast - Security Best Practices on AWS

  1. Security Best Practices on AWS
     Understanding AWS Security, the Shared Responsibility Model, and some security best practices
     © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. Cloud Security is:
  3. Every Customer Has Access to the Same Security Capabilities
     And gets to choose what's right for their business needs
     • Governments
     • Financial Sector
     • Pharmaceuticals
     • Entertainment
     • Start-ups
     • Social Media
     • Home Users
     • Retail
  4. Visible Cloud Security: This, or this?
  5. Auditable Cloud Security
  6. Transparent Cloud Security
     http://aws.amazon.com/compliance/
  7. ISO 27001 Certification
     Covers the AWS Information Security Management System
     Follows ISO 27002 best practice guidance
     Includes all Regions
     Certification in the standard requires:
     • Systematic evaluation of information security risks
     • Evaluation of the impact of company threats and vulnerabilities
     • Design and implementation of comprehensive information security controls
     • Adoption of an overarching management process to ensure that the information security controls meet the information security needs on an ongoing basis
  8. Service Organization Controls (American Institute of Certified Public Accountants reports)
     SOC 1
       What it contains: attests that the AWS internal controls for financial reporting are appropriately designed and operating effectively
       Who uses it: user auditors and users' controller's office. Shared under NDA by AWS.
     SOC 2
       What it contains: expanded evaluation of controls to include the AICPA Trust Services Principles
       Who uses it: management, regulators and others. Shared under NDA by AWS.
     SOC 3
       What it contains: summary of SOC 2; provides the AICPA SysTrust Security Seal
       Who uses it: management, regulators and others. Publicly available.
  9. PCI DSS Level 1 Service Provider
     PCI DSS 2.0 compliant
     Covers core infrastructure and services
     • EC2, EBS, VPC, ELB, Direct Connect, S3, Glacier, RDS, DynamoDB, SimpleDB, EMR, Redshift, CloudHSM, and IAM
     Use services normally, no special configuration
     Leverage the work of our QSA
     AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA)
     • can support forensic investigations
     Certified in all regions
  10. FedRAMP (FISMA) Moderate
     U.S. Civilian Government
     Agency-specific FedRAMP Authority to Operate (ATO)
     FISMA Moderate (NIST 800-53)
     • Much more stringent than other commercial standards
     • 205 high-level controls spanning 18 domains
     • Access Control, Awareness & Training, Audit & Accountability, Security Assessment & Authorization, Configuration Management, Contingency Planning, ID & Authentication, Incident Response, Maintenance, Media Protection, Physical & Environmental Protection, Planning, Personnel Security, Risk Assessment, System & Services Acquisition, System & Communications Protection, System & Information Integrity, Program Management
  11. Shared Assessments SIG
     Standard Information Gathering ("SIG") Questionnaire, shared under NDA
     • www.sharedassessments.org
     Robust, easy-to-use set of questions to gather and assess
     • Information Technology
     • Operating and Security Risks (and corresponding controls)
     Based on referenced industry standards
     • Including, but not limited to, FFIEC, ISO, COBIT and PCI
     Excel format with AWS-provided answers
     Updated periodically to stay current
  12. Additional Initiatives
     U.S. Health Insurance Portability and Accountability Act (HIPAA)
     • AWS enables covered entities and their business associates subject to U.S. HIPAA to leverage the secure AWS environment to process, maintain, and store protected health information, and AWS will sign business associate agreements with such customers.
     Cloud Security Alliance (CSA) Questionnaire
     • Answers in the Risk and Compliance Whitepaper
     Motion Picture Association of America (MPAA)
     • Answers in the Risk and Compliance Whitepaper
     • Best practices for storing, processing and delivering protected media and content
  13. Security & Compliance Control Objectives
     Control Objective 1: Security Organization
     Control Objective 2: Amazon User Access
     Control Objective 3: Logical Security
     Control Objective 4: Secure Data Handling
     Control Objective 5: Physical Security and Environmental Safeguards
     Control Objective 6: Change Management
     Control Objective 7: Data Integrity, Availability and Redundancy
     Control Objective 8: Incident Handling
  14. Security & Compliance Control Objectives (cont'd)
     Control Objective 1: Security Organization
     • Who we are
     • Proper control and access within the organization
     Control Objective 2: Amazon User Access
     • How we vet our staff
     • Minimization of access
  15. Security & Compliance Control Objectives (cont'd)
     Control Objective 3: Logical Security
     • Our staff start with no system access
     • Need-based access grants
     • Rigorous system separation
     • System access grants regularly evaluated and automatically revoked
  16. Security & Compliance Control Objectives (cont'd)
     Control Objective 4: Secure Data Handling
     • Storage media destroyed before being permitted outside our datacenters
     • Media destruction consistent with US Dept. of Defense Directive 5220.22
     Control Objective 5: Physical Security and Environmental Safeguards
     • Keeping our facilities safe
     • Maintaining the physical operating parameters of our datacenters
  17. Security & Compliance Control Objectives (cont'd)
     Control Objective 6: Change Management
     • Continuous operation
     Control Objective 7: Data Integrity, Availability and Redundancy
     • Ensuring your data remains safe, intact, and available
     Control Objective 8: Incident Handling
     • Process and procedures for mitigating and managing potential issues
  18. Shared Responsibility
     AWS:
     • Facilities
     • Physical Security
     • Physical Infrastructure
     • Network Infrastructure
     • Virtualization Infrastructure
     Customer:
     • Choice of Guest OS
     • Application Configuration Options
     • Account Management Flexibility
     • Security Groups
     • Network ACLs
     • Network Configuration Control
  19. You Decide Where Applications and Data Reside
  20. Network Security
  21. Amazon EC2 Security
     Host operating system (AWS controlled)
     • Individual SSH keyed logins via bastion host for AWS admins
     • All accesses logged and audited
     Guest operating system (Customer controlled)
     • AWS admins cannot log in
     • Customer-generated keypairs
     Stateful firewall
     • Mandatory inbound firewall, default deny mode
     • Customer controls configuration via Security Groups
     Signed API calls
     • Require customer's secret AWS key
  22. Diagram: Customer 1 ... Customer n instances run on the hypervisor and attach through virtual interfaces; the firewall enforces each customer's own security groups (Customer 1 security groups, Customer 2 security groups, ..., Customer n security groups) on those virtual interfaces before traffic reaches the physical interfaces.
  23. Tiering Security Groups
  24. Tiering Security Groups
     Firewall rules are dynamically created based on Security Group membership, which effectively creates tiered network architectures.
     "Web" Security Group: TCP 80 from 0.0.0.0/0; TCP 22 from "Mgmt"
     "App" Security Group: TCP 8080 from "Web"; TCP 22 from "Mgmt"
     "DB" Security Group: TCP 3306 from "App"; TCP 22 from "Mgmt"
     "Mgmt" Security Group: TCP 22 from 163.128.25.32/32
     Diagram: HTTP from the Internet reaches the Web Server; a firewall between each tier admits only 8080 from Web to the App Server and only 3306 from App to the DB Server; every tier accepts 22 only from the Bastion Host, which sits in the "Mgmt" group.
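The four groups on this slide, modelled offline as an added example that is not part of the AWS deck. The rules are constructed inline in the shape that `describe-security-groups` returns (GroupId, IpPermissions, IpRanges, UserIdGroupPairs); the group names, ports and the 163.128.25.32/32 management address come from the slide, the sg-... identifiers are made up. `allows` answers whether a given flow gets through a group, and `overexposed` is the exposure check a reviewer would run over an account's real export, the same class of check as the Security Group Rules check listed under Trusted Advisor later in the deck.

```python
"""Tiered security groups from the slide, checked offline.

Added example, not from the AWS deck.  Data is constructed in the
describe-security-groups JSON shape; the sg-... IDs are invented.
"""
import ipaddress

# Constructed data: the four groups from the slide.  Rules that name another
# group (UserIdGroupPairs) are what build the tiers: "App" accepts 8080 only
# from members of "Web", "DB" accepts 3306 only from members of "App".
GROUPS = [
    {"GroupId": "sg-web00001", "GroupName": "Web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-mgmt0001"}]},
    ]},
    {"GroupId": "sg-app00001", "GroupName": "App", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web00001"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-mgmt0001"}]},
    ]},
    {"GroupId": "sg-db000001", "GroupName": "DB", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app00001"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-mgmt0001"}]},
    ]},
    {"GroupId": "sg-mgmt0001", "GroupName": "Mgmt", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "163.128.25.32/32"}], "UserIdGroupPairs": []},
    ]},
]

# Ports this design never exposes to the whole Internet (SSH, MySQL, app tier).
SENSITIVE_PORTS = {22, 3306, 8080}


def _port_match(rule, port):
    """True if a TCP connection to `port` falls inside this rule's port range."""
    if rule["IpProtocol"] == "-1":          # "all traffic" rule: no port fields at all
        return True
    if rule["IpProtocol"] != "tcp":         # only TCP flows are modelled here
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def allows(groups, dst_group, port, src_group=None, src_ip=None):
    """Return True if dst_group admits TCP `port` from the given source.

    The source is either another security group (instance-to-instance
    traffic, matched through UserIdGroupPairs) or a single IP address
    (matched against the CIDR ranges).  Security groups are default-deny,
    so no matching rule means the flow is blocked.
    """
    by_id = {g["GroupId"]: g for g in groups}
    for rule in by_id[dst_group]["IpPermissions"]:
        if not _port_match(rule, port):
            continue
        if src_group and any(p["GroupId"] == src_group
                             for p in rule.get("UserIdGroupPairs", [])):
            return True
        if src_ip and any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["CidrIp"])
                          for r in rule.get("IpRanges", [])):
            return True
    return False


def overexposed(groups):
    """List (group name, port) pairs where a sensitive port is open to 0.0.0.0/0."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            world = any(r["CidrIp"] in ("0.0.0.0/0", "::/0")
                        for r in rule.get("IpRanges", []))
            if not world:
                continue
            for port in sorted(SENSITIVE_PORTS):
                if _port_match(rule, port):
                    findings.append((g["GroupName"], port))
    return findings


if __name__ == "__main__":
    print("DB reachable from App on 3306:", allows(GROUPS, "sg-db000001", 3306, src_group="sg-app00001"))
    print("DB reachable from Web on 3306:", allows(GROUPS, "sg-db000001", 3306, src_group="sg-web00001"))
    print("Overexposed:", overexposed(GROUPS))
```

To run it against a real account, replace `GROUPS` with the `SecurityGroups` list from `aws ec2 describe-security-groups --output json`. Note that the admin address can reach port 22 only on the bastion, not on the Web, App or DB hosts directly, which is the property the "Mgmt" group is there to enforce.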
  25. Amazon VPC Architecture
     Diagram: the customer's isolated AWS resources sit in subnets inside the Amazon Web Services cloud and reach the Internet through a NAT; the customer's network connects via its router either over a secure VPN connection across the Internet or over AWS Direct Connect (dedicated path and bandwidth).
  26. Amazon VPC Network Security Controls
  27. VPC - Dedicated Instances
     Option to ensure physical hosts are not shared with other customers
     $2/hr flat fee per region + small hourly charge
     Can identify specific instances as dedicated
     Optionally configure entire VPC as dedicated
  28. AWS Deployment Models
     Commercial Cloud: logical server and application isolation; granular information access policy.
       Sample workloads: public-facing apps, web sites, dev, test, etc.
     Virtual Private Cloud (VPC): logical server and application isolation; granular information access policy; logical network isolation; physical server isolation.
       Sample workloads: datacenter extension, TIC environment, email, FISMA Low and Moderate
     AWS GovCloud (US): all of the above, plus government-only physical network and facility isolation; ITAR compliant (US persons only).
       Sample workloads: US-persons-compliant and government-specific apps
  29. The Importance of Access Control
     One of customers' top considerations when moving to the cloud: CONTROL
     Why do we want control?
     • Appropriate access to do appropriate actions
     • I want to implement security best practices
     • I want to be at least as secure as on premise
     • I must comply with certain industry-specific security regulations
  30. AWS Identity and Access Management (IAM)
     • Users and Groups within Accounts
     • Unique security credentials
       • Access keys
       • AWS Management Console login/password
       • Enforce password complexity
       • Optional MFA device
     • Policies control access to AWS APIs
     • All API calls must be signed by the secret key
     • Resource-level integration into many services
       • EC2: tags control access to resources
       • S3: policies on objects and buckets
     • Not for operating systems or applications
       • Use LDAP, Active Directory/ADFS, etc.
  31. Authentication Methods
     CLI
     • Access + Secret Keys for REST calls
     • SSH Keys for access to EC2 instances
     API
     • Access + Secret Keys
     • Optional multifactor authentication
     Web UI
     • Username + Password
     • Optional multifactor authentication
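What "signed by the secret key" means for the access-key-plus-secret-key method on these two slides, as an added example that is not part of the AWS deck: a standard-library implementation of AWS Signature Version 4 with a matching verifier. The access key and secret are the placeholder credentials AWS uses in its own documentation (not valid anywhere); the IAM ListUsers request and its timestamp are constructed for the example. The point to take from it is that the secret never travels: the client derives a scoped key from it and sends only an HMAC over a canonical form of the request, and the service recomputes the same HMAC from its own copy.

```python
"""AWS Signature Version 4 request signing and verification.

Added example, not from the AWS deck; implemented from the public SigV4
algorithm with only the standard library.  Credentials are the AWS docs'
placeholder values, the request is constructed.
"""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"

# Placeholder credentials from the AWS docs: never real, never valid.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"

# Constructed request: GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08
REQUEST = {
    "method": "GET",
    "path": "/",
    "query": {"Action": "ListUsers", "Version": "2010-05-08"},
    "headers": {"Host": "iam.amazonaws.com",
                "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
                "X-Amz-Date": "20150830T123600Z"},
    "body": b"",
}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _enc(s: str) -> str:
    # SigV4 URI-encodes everything except the RFC 3986 unreserved characters.
    return quote(s, safe="-_.~")


def canonical_request(req):
    """Task 1: a canonical text form of the request, so client and service hash identical bytes.

    Query keys and header names are sorted, header names lower-cased, header
    values whitespace-collapsed, and the body goes in as its SHA-256.
    Returns (canonical request, signed-headers list).
    """
    query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(req["query"].items()))
    headers = {k.lower(): " ".join(v.split()) for k, v in req["headers"].items()}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    creq = "\n".join([req["method"], quote(req["path"], safe="/-_.~"), query,
                      canonical_headers, signed, _sha256_hex(req["body"])])
    return creq, signed


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Task 3: derive a per-day, per-region, per-service key; the long-term secret itself is never sent."""
    k = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def sign(req, access_key, secret, region, service):
    """Return the Authorization header value for `req`."""
    amz_date = next(v for k, v in req["headers"].items() if k.lower() == "x-amz-date")
    date = amz_date[:8]
    creq, signed = canonical_request(req)
    scope = f"{date}/{region}/{service}/aws4_request"
    # Task 2: the string to sign binds algorithm, timestamp, scope and the request hash.
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")


def verify(req, authorization, secret, region, service):
    """Service side: recompute the signature with its copy of the secret and compare in constant time."""
    access_key = authorization.split("Credential=")[1].split("/")[0]
    expected = sign(req, access_key, secret, region, service)
    return hmac.compare_digest(expected.rsplit("Signature=", 1)[1],
                               authorization.rsplit("Signature=", 1)[1])


if __name__ == "__main__":
    print(sign(REQUEST, ACCESS_KEY, SECRET_KEY, "us-east-1", "iam"))
```

The AWS SigV4 documentation walks through this same ListUsers request with the same placeholder credentials and publishes the intermediate hashes and the final signature, so the output can be compared against it directly. Because the timestamp is part of the string to sign, a captured request can only be replayed within the service's clock-skew window, and any change to the query string, the signed headers or the body produces a different canonical request and fails verification.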
  32. Multi-Factor Authentication (MFA)
     Extra level of security
     Works with
     • AWS root account
     • IAM users
     Multiple form factors
     • Virtual MFA on your phone
     • Hardware MFA key fobs
     No additional cost!
     • Except for the cost of the hardware key fob
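How the IAM slide's two mechanisms, policies that control API access and EC2 tags that control which resources they apply to, combine with the MFA option on this slide, as an added example that is not part of the AWS deck. The policy document is genuine IAM policy syntax (the condition keys `aws:MultiFactorAuthPresent` and `ec2:ResourceTag/<key>` are real); the evaluator alongside it is a deliberately simplified model written for this example, covering only the operators the policy uses, and the "ops" group, account number and instance ID are assumed.

```python
"""IAM policy scoped by resource tag and gated on MFA, with a small evaluator.

Added example, not from the AWS deck.  The policy is real IAM syntax; the
evaluator is a simplified model of IAM's decision order (explicit Deny
beats Allow, no match is an implicit deny) written for this example.
"""
import fnmatch

# Assumed policy for an "ops" group: describe anything, start/stop only
# instances tagged Environment=dev, and do nothing at all without MFA.
OPS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyEverythingWithoutMFA",
         "Effect": "Deny",
         "Action": "*",
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "ReadOnlyEverywhere",
         "Effect": "Allow",
         "Action": "ec2:Describe*",
         "Resource": "*"},
        {"Sid": "StartStopDevInstancesOnly",
         "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "dev"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM's "*" means "any characters"; fnmatch gives the same for these patterns.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Evaluate a Condition block against the request context keys (simplified model)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(wanted).lower():
                    return False
            elif operator == "BoolIfExists":
                # An absent key counts as a match: this is what makes the Deny
                # also catch long-term access keys, which carry no MFA context.
                if actual is not None and str(actual).lower() != str(wanted).lower():
                    return False
            else:
                raise ValueError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, ctx):
    """Return "allow" or "deny" for one API call against one policy."""
    decision = "deny"                      # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"                  # explicit deny wins immediately
        decision = "allow"
    return decision


if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # assumed
    for env, mfa in (("dev", "true"), ("prod", "true"), ("dev", "false")):
        ctx = {"aws:MultiFactorAuthPresent": mfa, "ec2:ResourceTag/Environment": env}
        print(env, "mfa=" + mfa, evaluate(OPS_POLICY, "ec2:StopInstances", inst, ctx))
```

The ordering matters for the MFA statement: because an explicit Deny is evaluated before any Allow, the tag-scoped permission cannot rescue a request made without MFA, and because the operator is `BoolIfExists` rather than `Bool`, a request signed with long-term access keys (where the MFA key is simply absent) is denied as well. The real IAM engine also applies resource policies, permission boundaries and SCPs, which this model leaves out.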
  33. AWS CloudHSM
     Secure Key Storage
     • Dedicated access to tamper-resistant HSM appliances (SafeNet® Luna SA)
     • Designed to comply with Common Criteria EAL4+ and NIST FIPS 140-2
     • You retain full control of your keys and cryptographic operations
     Contractual and Regulatory Compliance
     • Helps comply with the most stringent regulatory and contractual requirements for key protection
     Reliable and Durable Key Storage
     • Available in multiple AZs and Regions
     Simple and Secure Connectivity
     • Connected to your VPC
     • Improved application performance between EC2 and the HSM
  34. Premium Support Trusted Advisor
     Security Checks
     • Security Group Rules (Hosts & Ports)
     • IAM Use
     • S3 Policies
     Fault Tolerance Checks
     • Snapshots
     • Multi-AZ
     • VPN Tunnel Redundancy
  35. Enable Root Account MFA!
     If you don't see it, go to:
     http://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-1
  36. AWS Security, Compliance, & Architecture Resources
     http://aws.amazon.com/security/
     • Security whitepaper
     • Security best practices
     • Security bulletins
     • Customer security testing process
     http://aws.amazon.com/compliance/
     • Risk and compliance whitepaper
     http://aws.amazon.com/architecture/
     • Reference Architectures
     • Whitepapers
     • Webinars
     http://blogs.aws.amazon.com/security/
     • Stay up to date on security and compliance in AWS
     Feedback is always welcome!
  37. Thank You!!!
     awsmax@amazon.com
     Any questions?
