Understanding AWS Security
AWS Summit 2014 Melbourne - Breakout 3

The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.

Presenter: Stephen Quigg, Solutions Architect, APAC, Amazon Web Services

1. Understanding AWS security
Stephen Quigg, Solutions Architect, Amazon Web Services, APAC
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

2. Our customers have different viewpoints on security
•  PR: keep out of the news!
•  CEO: protect shareholder value
•  CI(S)O: preserve the confidentiality, integrity and availability of data

3. Security is always our number one priority at AWS
People & procedures, network security, physical security, platform security: comprehensive security capabilities to support virtually any workload.

4. Security is shared

5. What needs to be done to keep the system safe

6. What we do; what you have to do

7. Every customer has access to the same security capabilities. Choose what's right for your business.

8. AWS security offers more visibility, auditability and control

9. More visibility

10. Can you map your network? What is in your environment right now?

11. Trusted Advisor

12. More auditability

13. Security control objectives
  1. Security organization
  2. Amazon user access
  3. Logical security
  4. Secure data handling
  5. Physical security and environmental safeguards
  6. Change management
  7. Data integrity, availability and redundancy
  8. Incident handling

14. AWS CloudTrail

15. You are making API calls on a growing set of services. CloudTrail is continuously recording those API calls and delivering log files to you.

16. CloudTrail use cases
•  Security analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behaviour patterns.
•  Track changes to AWS resources: track creation, modification and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
•  Troubleshoot operational issues: quickly identify the most recent changes made to resources in your environment.
•  Compliance and audit aid: easier to demonstrate compliance with internal policies and regulatory standards.

17. How CloudTrail delivers
‣  CloudTrail records API calls and delivers a log file to your S3 bucket.
‣  Typically delivers an event within 15 minutes of the API call.
‣  Log files are delivered approximately every 5 minutes.
‣  Multiple partners offer integrated solutions to analyze log files, including Splunk, SumoLogic and Loggly.
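Slides 15 to 17 describe what CloudTrail delivers (a JSON file of API call records in your S3 bucket) and what to do with it (track resource changes, detect user behaviour). The script below is an added example, not from the deck: it scans one such log file for mutating calls per actor and raises alerts for a security group opened to the world, for calls that weaken the trail itself, and for root credential use. The records are constructed to mimic CloudTrail's schema (eventName, eventSource, userIdentity, requestParameters, sourceIPAddress) and are not real log data; fetching and gunzipping the file from S3 is left out.

```python
"""Scan a CloudTrail log file ({"Records": [...]} JSON) for resource changes
and a few high-risk API calls. Added example with constructed records."""
import json
from collections import Counter

# Constructed sample log file in CloudTrail's JSON shape (not real data).
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {
        "eventVersion": "1.02", "eventTime": "2014-05-20T02:15:03Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {
        "eventVersion": "1.02", "eventTime": "2014-05-20T02:16:40Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"instanceType": "m3.medium"},
    },
    {
        "eventVersion": "1.02", "eventTime": "2014-05-20T02:20:11Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root"},
        "requestParameters": {"name": "Default"},
    },
    {
        "eventVersion": "1.02", "eventTime": "2014-05-20T02:21:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": None,
    },
]})

# eventName prefixes that change resources (Describe*/List*/Get* are read-only).
MUTATING_PREFIXES = ("Create", "Run", "Modify", "Authorize", "Revoke", "Delete",
                     "Terminate", "Put", "Attach", "Detach", "Stop", "Start")
# Calls that weaken the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def is_mutating(event_name):
    return event_name.startswith(MUTATING_PREFIXES)


def world_open_ingress(record):
    """True if the call opens a security group to 0.0.0.0/0."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    params = record.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


def analyse(log_file_text):
    """Return (Counter of mutating calls per actor, list of alert strings)."""
    records = json.loads(log_file_text)["Records"]
    changes = Counter()
    alerts = []
    for r in records:
        ident = r.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        name = r["eventName"]
        if is_mutating(name):
            changes[actor] += 1
        if world_open_ingress(r):
            gid = r["requestParameters"]["groupId"]
            alerts.append(f"{r['eventTime']} {actor} opened {gid} to 0.0.0.0/0 "
                          f"from {r['sourceIPAddress']}")
        if name in TRAIL_TAMPERING:
            alerts.append(f"{r['eventTime']} {actor} called {name} (audit trail tampering)")
        if ident.get("type") == "Root":
            alerts.append(f"{r['eventTime']} root credentials used for {name} "
                          f"from {r['sourceIPAddress']}")
    return changes, alerts


if __name__ == "__main__":
    per_actor, found = analyse(SAMPLE_LOG_FILE)
    print("mutating calls per actor:", dict(per_actor))
    for a in found:
        print("ALERT:", a)
```

In production the same loop would run over every file CloudTrail drops into the bucket (roughly every 5 minutes, per slide 17); the prefix-based mutating test is deliberately coarse and is the first thing to refine against the service APIs you actually use.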
18. Now monitor everything with CloudWatch Logs
Amazon CloudWatch Logs can monitor your system, application and custom log files from Amazon EC2 instances and other sources. For example: monitor your web server HTTP log files and use CloudWatch metric filters to identify 404 errors and count the number of occurrences within a specified time period. CloudWatch Alarms can then notify you when the number of 404 errors breaches whatever threshold you decide to set; you could use this to automatically generate a ticket for investigation.
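The 404 example on slide 18 is a metric filter (count matching lines per period) feeding an alarm (compare the count with a threshold). As an added illustration, not from the deck, the code below does the same two steps in plain Python over constructed common-log-format lines, so the windowing and threshold logic can be seen and tested offline. The log lines, the 5-minute window and the threshold are assumptions for the example.

```python
"""Count HTTP 404 responses per fixed time window and flag windows that breach
a threshold: the metric-filter-plus-alarm pattern of CloudWatch Logs, done in
plain Python. Added example with constructed log lines."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Common log format: ... [20/May/2014:02:15:03 +0000] "GET /x HTTP/1.1" 404 209
CLF_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample access log (not real traffic).
SAMPLE_LINES = """\
203.0.113.10 - - [20/May/2014:02:15:03 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.10 - - [20/May/2014:02:15:04 +0000] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.10 - - [20/May/2014:02:15:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
203.0.113.10 - - [20/May/2014:02:15:06 +0000] "GET /.env HTTP/1.1" 404 209
198.51.100.7 - - [20/May/2014:02:16:30 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.7 - - [20/May/2014:02:23:01 +0000] "GET /old-page HTTP/1.1" 404 209
""".splitlines()

WINDOW_MINUTES = 5  # assumed evaluation period, like a CloudWatch alarm period


def parse_line(line):
    """Return (timestamp, status) or None if the line is not in CLF."""
    m = CLF_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, int(m.group("status"))


def window_start(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES-minute window."""
    return ts - timedelta(minutes=ts.minute % WINDOW_MINUTES,
                          seconds=ts.second, microseconds=ts.microsecond)


def count_404s(lines):
    """Metric-filter equivalent: number of 404s keyed by window start."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == 404:
            counts[window_start(parsed[0])] += 1
    return counts


def alarm_windows(counts, threshold):
    """Alarm equivalent: windows whose 404 count reaches the threshold."""
    return sorted(w for w, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    per_window = count_404s(SAMPLE_LINES)
    for w, n in sorted(per_window.items()):
        print(f"{w:%Y-%m-%d %H:%M} 404s={n}")
    for w in alarm_windows(per_window, threshold=3):
        print(f"ALARM: {w:%H:%M} window breached threshold")
```

In CloudWatch Logs itself the first step is a space-delimited filter pattern of the form `[ip, identity, user, timestamp, request, status_code=404, size]` publishing a metric, and the second is an alarm on that metric's Sum over the period; the Python version exists only to make the behaviour at the threshold boundary explicit.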
19. More control

20. Defense in depth: multi-level security
•  Physical security of the data centers
•  Network security
•  System security
•  Data security

21. AWS security delivers more control & granularity
Choose what's right for your business needs:
•  Defense in depth
•  Rapid scale for security
•  Automated checks with AWS Trusted Advisor
•  Fine-grained access controls
•  Server-side encryption
•  Multi-factor authentication
•  Dedicated instances
•  Direct connection, Storage Gateway
•  HSM-based key storage
Services shown: AWS IAM, Amazon VPC, AWS Direct Connect, AWS Storage Gateway, AWS CloudHSM.

22. AWS employee access
‣  Staff vetting
‣  No logical access to customer instances
‣  Control-plane access limited and monitored: bastion hosts, least-privilege model, zoned data center access
‣  Access based on strict business needs
‣  Separate PAMS

23. More control of your network

24. Create your own private, isolated section of the AWS cloud
AWS Virtual Private Cloud (spanning Availability Zones A and B in the diagram):
•  Provision a logically isolated section of the AWS cloud
•  You choose a private IP range for your VPC
•  Segment this into subnets to deploy your compute instances
AWS network security:
•  The AWS network will prevent spoofing and other common layer 2 attacks
•  You cannot sniff anything but your own EC2 host network interface
•  Control all external routing and connectivity

25. Segregate your VPC into subnets to create your architecture: Web, App and DB tiers, each in its own subnet.

26. Each subnet has a network access control list with separate inbound and outbound rules. Network ACLs are stateless, so return traffic has to be allowed explicitly in the other direction; a custom ACL denies all traffic until you add allow rules.

27. Each EC2 instance is protected by stateful security group firewalls (up to five security groups per network interface by default). In the diagram, the flows allowed between tiers are labelled port 443.

28. Control which subnets can route to the Internet or on-premises: the Web subnet is public, the App and DB subnets are private, and the diagram is labelled "replicate on-prem".
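Slides 26 and 27 put a stateless network ACL on each subnet and stateful security groups on each instance. The difference matters most for return traffic: a security group that admits a connection also lets the reply out, while a network ACL needs an explicit outbound rule for the client's ephemeral ports or the handshake silently fails. The simulator below is an added example, not from the deck; it models the DB subnet of the Web/App/DB layout with made-up CIDRs, ports and rule numbers, and shows the broken and the corrected outbound ACL side by side.

```python
"""Simulate a stateless network ACL and a stateful security group for the
App -> DB hop of a three-tier VPC. Added example; CIDRs, ports and rule
numbers are assumptions for illustration."""
import ipaddress

APP_SUBNET = ipaddress.ip_network("10.0.2.0/24")   # assumed App tier CIDR
DB_SUBNET = ipaddress.ip_network("10.0.3.0/24")    # assumed DB tier CIDR
EPHEMERAL = (1024, 65535)  # port range a client picks its source port from


def nacl_evaluate(rules, addr, port):
    """Network ACL semantics: rules tried in ascending rule number, first
    match wins, and anything unmatched is denied (the implicit '*' rule).
    rules: list of (number, cidr, (low_port, high_port), 'allow'|'deny')."""
    for _num, cidr, (lo, hi), action in sorted(rules):
        if ipaddress.ip_address(addr) in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False


class SecurityGroup:
    """Stateful and allow-only: a flow admitted inbound gets its reply out."""

    def __init__(self, inbound_rules):
        self.inbound = inbound_rules  # list of (cidr, dst_port)
        self.flows = set()            # (peer_ip, dst_port) admitted so far

    def inbound_ok(self, src, dst_port):
        for cidr, port in self.inbound:
            if ipaddress.ip_address(src) in ipaddress.ip_network(cidr) and port == dst_port:
                self.flows.add((src, dst_port))   # connection tracking
                return True
        return False

    def reply_ok(self, dst, src_port):
        # No outbound rule needed: the reply is allowed iff it matches a tracked flow.
        return (dst, src_port) in self.flows


def db_request_roundtrip(nacl_in, nacl_out, client_ip, client_port):
    """(request_allowed, reply_allowed) for one MySQL connection from an App
    client into the DB subnet, as seen by the DB subnet's network ACL."""
    request = nacl_evaluate(nacl_in, client_ip, 3306)
    # The reply leaves the DB subnet towards client_ip:client_port, so the
    # outbound ACL is evaluated against the client's ephemeral port.
    reply = request and nacl_evaluate(nacl_out, client_ip, client_port)
    return request, reply


# Inbound ACL on the DB subnet: MySQL from the App subnet only.
DB_NACL_IN = [(100, str(APP_SUBNET), (3306, 3306), "allow")]
# Broken outbound ACL: mirrors the inbound rule and forgets the reply path.
DB_NACL_OUT_BROKEN = [(100, str(APP_SUBNET), (3306, 3306), "allow")]
# Fixed outbound ACL: replies to the App subnet's ephemeral ports.
DB_NACL_OUT_FIXED = [(100, str(APP_SUBNET), EPHEMERAL, "allow")]

if __name__ == "__main__":
    client, port = "10.0.2.15", 49152
    print("broken ACL :", db_request_roundtrip(DB_NACL_IN, DB_NACL_OUT_BROKEN, client, port))
    print("fixed ACL  :", db_request_roundtrip(DB_NACL_IN, DB_NACL_OUT_FIXED, client, port))
    sg = SecurityGroup([(str(APP_SUBNET), 3306)])
    print("security group:", sg.inbound_ok(client, 3306), sg.reply_ok(client, 3306))
```

The same evaluator also shows why rule numbering matters on an ACL: a deny with a lower number than the allow wins for the addresses it covers, which is how you block a single misbehaving App host without touching the security groups.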
29. You can securely share resources between VPCs
AWS VPC peering: route traffic between VPCs in private and peer specific subnets between each VPC, even between AWS accounts. The diagram shows Digital Websites, Big Data Analytics and Enterprise Apps VPCs sharing a Common Services VPC.

30. You can connect in private to your existing datacentres
Your AWS environment (Digital Websites, Big Data Analytics, Dev and Test, Enterprise Apps) connects to your premises over AWS Direct Connect or an Internet VPN.

31. Build solutions that can absorb attacks and scale out
Diagram: customers and distributed attackers both reach Route 53 and CloudFront (with Amazon S3) in front of your VPC in the Sydney region; inside the VPC, WAF instances sit in front of ELBs, each ELB fronting an Auto Scaling group of App instances.

32. More control of your data

33. Your data stays where you put it

34. AWS Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GovCloud, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo). It's not just having services in a couple of regions.

35. You can stay onshore in Australia if you need to: the AWS Sydney Region has multiple Availability Zones.

36. MFA Delete protection (an Amazon S3 versioning option that requires a multi-factor code to delete object versions or change the bucket's versioning state)

37. You can encrypt all of your data. Choose what's right for you:
•  Automated: AWS manages encryption
•  Enabled: user manages encryption using AWS
•  Client-side: user manages encryption their own way

38. Encrypt your sensitive data: AWS CloudHSM, Amazon S3 SSE, Amazon Glacier, Amazon Redshift, Amazon RDS

39. You can store your encryption keys in AWS CloudHSM
•  Managed and monitored by AWS, but you control the keys
•  Increase performance for applications that use HSMs for key storage or encryption
•  Comply with stringent regulatory and contractual requirements for key protection
The diagram shows EC2 instances talking to AWS CloudHSM appliances.

40. Control who can do what with your AWS account

41. Control access and segregate duties everywhere
With AWS IAM you get to control who can do what in your AWS environment and from where. Fine-grained control of your AWS cloud with two-factor authentication. Integrated with your existing corporate directory using SAML 2.0 and single sign-on. The diagram splits duties beneath the AWS account owner into network management, security management, server management and storage management.

42. AWS IAM: recent innovations
Securely control access to AWS services and resources.
•  Delegation
–  Roles for Amazon EC2
–  Cross-account access
•  Powerful integrated permissions
–  Resource-level permissions: Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation
–  Access control policy variables
–  Policy Simulator
–  Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk
•  Federation
–  Web Identity Federation
–  AD and Shibboleth examples
–  Partner integrations
•  Strong authentication
–  MFA-protected API access
–  Password policies
•  Enhanced documentation and videos

43. Protect your logs with IAM; archive your logs to S3 and Glacier
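Slides 41 to 43 say to use IAM to control who can do what and from where, to require MFA for sensitive actions, and to protect the CloudTrail archive. The policy decision that makes this work is that an explicit Deny beats any Allow, so a Deny on deletion conditioned on MFA being absent holds even against an administrator's `s3:*`. As an added example, not from the deck, the code below is a deliberately small evaluator for IAM-style policy documents, enough to check that property on a constructed log-bucket policy. The bucket ARN, the corporate CIDR and the policies are assumptions, the evaluator supports only the `Bool`, `BoolIfExists` and `IpAddress` operators, and it treats a list of policies as one union (real IAM evaluates identity and resource policies by its own rules).

```python
"""Minimal evaluator for IAM-style JSON policies, used to check that a
CloudTrail log bucket can be read by auditors but not deleted without MFA.
Added example: ARNs, CIDRs and policies are constructed for illustration."""
import fnmatch
import ipaddress

LOG_BUCKET = "arn:aws:s3:::example-cloudtrail-logs"  # assumed bucket ARN

AUDITOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Read-only access to the archive, only from the corporate network.
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [LOG_BUCKET, LOG_BUCKET + "/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {   # Deleting log objects is an explicit deny unless MFA was used.
            "Effect": "Deny",
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
            "Resource": LOG_BUCKET + "/*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

# Broad administrator grant on the same bucket (assumed), used to show that
# the Deny above still wins.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [LOG_BUCKET, LOG_BUCKET + "/*"]},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM wildcards '*' and '?', matched case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_ok(cond, ctx):
    """Every operator/key pair in the Condition block must hold."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":            # key must exist and equal the value
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif op == "BoolIfExists":  # a missing key satisfies the condition
                if have is not None and str(have).lower() != str(want).lower():
                    return False
            elif op == "IpAddress":
                if have is None or not any(
                        ipaddress.ip_address(have) in ipaddress.ip_network(c)
                        for c in _as_list(want)):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {op}")
    return True


def evaluate(policies, action, resource, ctx):
    """IAM decision order: explicit Deny beats Allow; no match is an implicit deny."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    obj = LOG_BUCKET + "/AWSLogs/123456789012/CloudTrail/ap-southeast-2/2014/05/20/x.json.gz"
    print(evaluate([AUDITOR_POLICY], "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.5"}))
    print(evaluate([ADMIN_POLICY, AUDITOR_POLICY], "s3:DeleteObject", obj,
                   {"aws:MultiFactorAuthPresent": False}))
```

The `BoolIfExists` operator is the detail worth copying: with plain `Bool`, a caller whose request carries no MFA key at all (for example an access key used from the CLI) would not match the Deny and could delete the archive.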
44. You get to do all of this in development, testing and production

45. Expand your skills with AWS Certification
•  Exams (aws.amazon.com/certification): validate your proven technical expertise with the AWS platform
•  Videos & labs, on-demand resources (aws.amazon.com/training/self-paced-labs): get hands-on practice working with AWS technologies in a live environment
•  Instructor-led courses, training classes (aws.amazon.com/training): expand your technical expertise to design, deploy, and operate scalable, efficient applications on AWS

46. Thank you
Stephen Quigg, Principal Security Solutions Architect – Asia Pacific, Amazon Web Services
