AWS Security: A Practitioner's Perspective

AWS Security:A Practitioner’s Perspective Jason Chan chan@netﬂix.com San Francisco AWS Users Group April 17, 2012

Jason Chan• Cloud Security Architect @ Netﬂix• Previously: • Most recently led security team at VMware • Primarily security consulting at @stake, iSEC Partners• Some presentations at: • http://www.slideshare.net/netﬂix

Agenda• Goals and non-goals• AWS on one slide• Netﬂix in the cloud• AWS security: Overview• AWS security: Gotchas• AWS security: Recommendations• Takeaways

Non-Goals

Non-Goals• Primer on general cloud security issues

Non-Goals• Primer on general cloud security issues• AWS how-to

Non-Goals• Primer on general cloud security issues• AWS how-to• Comprehensive guide to AWS security

Non-Goals• Primer on general cloud security issues• AWS how-to• Comprehensive guide to AWS security• Info on designing for high-availability

AWS Overview

AWS on a Slide

AWS on a Slide “The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure.” - Werner Vogels (AWS CTO) August 25, 2009, ‘All Things

Netﬂix in the Cloud

Outgrowing Data Center http://techblog.netflix.com/2011/02/redesigning-netflix-api.html Netflix API: Growth in Requests

Outgrowing Data Center http://techblog.netflix.com/2011/02/redesigning-netflix-api.html Netflix API: Growth in Requests 37x Growth 1/10 - 1/11

Outgrowing Data Center http://techblog.netflix.com/2011/02/redesigning-netflix-api.html Netflix API: Growth in Requests 37x Growth 1/10 - 1/11Datacenter(Capacity(

Netﬂix Deployed on AWS 2009 2009 2010 2010 2010 2011Content& Logs& Play& WWW& API&& CS& Video& InternaAonal& Masters& S3& DRM& SignEup& Metadata& CS&Lookup& Device& DiagnosAcs& EC2& EMR&Hadoop& CDN&RouAng& Search&& Conﬁg& and&AcAons& Movie& TV&Movie& Customer& S3& Hive& Bookmarks& Choosing& Choosing& Call&Log& Business& Social/ CDN& Intelligence& Logging& RaAngs& Facebook& CS&AnalyAcs& EC2, S3, SQS, SDB,VPC, ELB, EMR, Route53, IAM, SWF, CloudWatch, EBS, SNS, SES

AWS Security Overview Shared ResponsibilityAWS Credentials and IdentiﬁersServices, Actions, and Resources Controlling Network TrafﬁcAWS Security-Related Services

SharedResponsibility

YOU SharedResponsibility

YOU SharedResponsibility AWS

YOU SharedResponsibility AWS http://aws.amazon.com/security/

AWS Credentials and Identiﬁers

AWS Credentials and Identifiers Account Identifiers Account ID 12 digit identifierCanonical User ID Used for S3 permissioning

AWS Credentials and Identifiers Account Identifiers Account ID 12 digit identifier Canonical User ID Used for S3 permissioning Resource IdentifierAmazon Resource Name (ARN) Unique resource identifier: arn:aws:sns:us-east-1:1234567890123456:mytopic

AWS Credentials and Identifiers Account Identifiers Account ID 12 digit identifier Canonical User ID Used for S3 permissioning Resource IdentifierAmazon Resource Name (ARN) Unique resource identifier: arn:aws:sns:us-east-1:1234567890123456:mytopic Sign-In Credentials Main Account E-Mail/PW Console access IAM Account Name/PW Console access MFA Token HW/SW token for additional security

AWS Credentials and Identifiers Account Identifiers Account ID 12 digit identifier Canonical User ID Used for S3 permissioning Resource IdentifierAmazon Resource Name (ARN) Unique resource identifier: arn:aws:sns:us-east-1:1234567890123456:mytopic Sign-In Credentials Main Account E-Mail/PW Console access IAM Account Name/PW Console access MFA Token HW/SW token for additional security Access Credentials Access Keys REST API X.509 Certificates SOAP API, EC2 tools Key Pairs CloudFront, EC2

AWS Credentials and Identifiers Account Identifiers Account ID 12 digit identifier Canonical User ID Used for S3 permissioning Resource Identifier Amazon Resource Name (ARN) Unique resource identifier: arn:aws:sns:us-east-1:1234567890123456:mytopic Sign-In Credentials Main Account E-Mail/PW Console access IAM Account Name/PW Console access MFA Token HW/SW token for additional security Access Credentials Access Keys REST API X.509 Certificates SOAP API, EC2 tools Key Pairs CloudFront, EC2http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html

AWS Services, Actions, and Resources

AWS Services, Actions, and Resources Service Action Resource Get Object, S3 Bucket, Object Delete Bucket Terminate Instances, EC2 Instance, AMI, EBS Volume Associate Address

AWS Services, Actions, and Resources Service Action Resource Get Object, S3 Bucket, Object Delete Bucket Terminate Instances, EC2 Instance, AMI, EBS Volume Associate AddressAWS policies can be applied to actions and resources. Compatibility is service-dependent.

AWS Services, Actions, and Resources Service Action Resource Get Object, S3 Bucket, Object Delete Bucket Terminate Instances, EC2 Instance, AMI, EBS Volume Associate AddressAWS policies can be applied to actions and resources. Compatibility is service-dependent. http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpeciﬁcProducts.html

Policies - Example{ "Statement": [ { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::testbucket/files/*", "Condition": { "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" }, "IpAddress": { "aws:SourceIp": "1.1.1.1" } }, "Principal": { "AWS": [ "123456789012" ] } } ]}

Policies - Example { "Statement": [ { "Action": [Which service? "s3:GetObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::testbucket/files/*", "Condition": { "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" }, "IpAddress": { "aws:SourceIp": "1.1.1.1" } }, "Principal": { "AWS": [ "123456789012" ] } } ] }

Policies - Example { "Statement": [ { "Action": [Which service? "s3:GetObject" Which actions? ], "Effect": "Allow", "Resource": "arn:aws:s3:::testbucket/files/*", "Condition": { "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" }, "IpAddress": { "aws:SourceIp": "1.1.1.1" } }, "Principal": { "AWS": [ "123456789012" ] } } ] }

Policies - Example { "Statement": [ { "Action": [Which service? "s3:GetObject" Which actions? ], "Effect": "Allow", Allow or deny? "Resource": "arn:aws:s3:::testbucket/files/*", "Condition": { "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" }, "IpAddress": { "aws:SourceIp": "1.1.1.1" } }, "Principal": { "AWS": [ "123456789012" ] } } ] }

Policies - Example { "Statement": [ { "Action": [Which service? "s3:GetObject" Which actions? ], "Effect": "Allow", Allow or deny? "Resource": "arn:aws:s3:::testbucket/files/*", Which resource? "Condition": { "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" }, "IpAddress": { "aws:SourceIp": "1.1.1.1" } }, "Principal": { "AWS": [ "123456789012" ] } } ] }

Policies - Example { "Statement": [ { "Action": [Which service? "s3:GetObject" Which actions? ], "Effect": "Allow", Allow or deny? "Resource": "arn:aws:s3:::testbucket/files/*", Which resource? "Condition": { "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" }, "IpAddress": { Any conditions? "aws:SourceIp": "1.1.1.1" (optional) } }, "Principal": { "AWS": [ "123456789012" ] } } ] }

Policies - Example { "Statement": [ { "Action": [Which service? "s3:GetObject" Which actions? ], "Effect": "Allow", Allow or deny? "Resource": "arn:aws:s3:::testbucket/files/*", Which resource? "Condition": { "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" }, "IpAddress": { Any conditions? "aws:SourceIp": "1.1.1.1" (optional) } }, "Principal": { "AWS": [ "123456789012" To whom does the policy apply? ] } } ] }

Policies - Example { "Statement": [ { "Action": [Which service? "s3:GetObject" Which actions? ], "Effect": "Allow", Allow or deny? "Resource": "arn:aws:s3:::testbucket/files/*", Which resource? "Condition": { "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" }, "IpAddress": { Any conditions? "aws:SourceIp": "1.1.1.1" (optional) } }, "Principal": { "AWS": [ "123456789012" To whom does the policy apply? ] } } ] } http://awspolicygen.s3.amazonaws.com/policygen.html

Controlling Network Trafﬁc in AWSApp Server TCP 3306 DB Server

Controlling Network Trafﬁc in AWS App Server TCP 3306 DB Server Cisco Conﬁgurationpermit tcp host 1.1.1.1 host 2.2.2.2 eq 3306

Controlling Network Traffic in AWS App Server TCP 3306 DB Server Cisco Configurationpermit tcp host 1.1.1.1 host 2.2.2.2 eq 3306 AWS Configuration ec2-authorize db -P tcp -p 3306 -s app

Security Groups & ACLs Cross- Dynamic Type Stateful Ingress Egress EC2 VPC Account MembershipEC2 Security Y Y N Y N Y N GroupVPC Security Y Y Y N Y N Y GroupDB Security Y Y N Y Y Y Y GroupVPC Network N Y Y N Y N/A N/A ACL

AWS Security-Related Services• Identity and Access Management (IAM) • Multi-Factor Authentication (MFA) • Security Token Service (STS)• Virtual Private Cloud (VPC)

AWS Security Gotchas AWS Limits IP Addresses in EC2 Elastic Load Balancing Security S3 Policies and Object Ownership AWS Resource Logging Delivering Credentials to Instances

AWS Limits

AWS Limits• “Because the cloud is inﬁnite if your requirements are moderate”

AWS Limits• “Because the cloud is inﬁnite if your requirements are moderate”• Many AWS services have a variety of limits

AWS Limits• “Because the cloud is inﬁnite if your requirements are moderate”• Many AWS services have a variety of limits • Some of which are easily discoverable

AWS Limits• “Because the cloud is inﬁnite if your requirements are moderate”• Many AWS services have a variety of limits • Some of which are easily discoverable• AWS services also have throttling (i.e. max RPS)

AWS Limits• “Because the cloud is inﬁnite if your requirements are moderate”• Many AWS services have a variety of limits • Some of which are easily discoverable• AWS services also have throttling (i.e. max RPS)• Beware of self DoS via automation and autoscaling

AWS Limits• “Because the cloud is inﬁnite if your requirements are moderate”• Many AWS services have a variety of limits • Some of which are easily discoverable• AWS services also have throttling (i.e. max RPS)• Beware of self DoS via automation and autoscaling• NOTE: http://aws.amazon.com/contact-us/ for limit increase requests

AWS Limits• “Because the cloud is inﬁnite if your requirements are moderate”• Many AWS services have a variety of limits • Some of which are easily discoverable• AWS services also have throttling (i.e. max RPS)• Beware of self DoS via automation and autoscaling• NOTE: http://aws.amazon.com/contact-us/ for limit increase requests• NOTE: Track limits and inspect error messages

EC2 IP Addresses

EC2 IP Addresses• Each instance has two IPs - private and public

EC2 IP Addresses• Each instance has two IPs - private and public # ec2-metadata ... local-hostname: ip-10-245-134-152.ec2.internal local-ipv4: 10.245.134.152 ... public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com public-ipv4: 72.44.52.70 ...

EC2 IP Addresses• Name resolution depends on client location

EC2 IP Addresses• Name resolution depends on client location # ec2-metadata -o local-ipv4: 10.245.134.152 # dig +short ec2-72-44-52-70.compute-1.amazonaws.com 10.245.134.152 # dig @8.8.4.4 +short ec2-72-44-52-70.compute-1.amazonaws.com 72.44.52.70

EC2 IP Addresses

EC2 IP Addresses• Both public and private IPs are dynamic

EC2 IP Addresses• Both public and private IPs are dynamic • Elastic IPs can be used for persistent public IPs

EC2 IP Addresses• Both public and private IPs are dynamic • Elastic IPs can be used for persistent public IPs• Within a region, instances use their private IPs

EC2 IP Addresses• Both public and private IPs are dynamic • Elastic IPs can be used for persistent public IPs• Within a region, instances use their private IPs• Across regions & for Internet trafﬁc, the public IP is used

EC2 IP Addresses• Both public and private IPs are dynamic • Elastic IPs can be used for persistent public IPs• Within a region, instances use their private IPs• Across regions & for Internet trafﬁc, the public IP is used• NOTE: Trafﬁc to the public IP/EIP:

EC2 IP Addresses• Both public and private IPs are dynamic • Elastic IPs can be used for persistent public IPs• Within a region, instances use their private IPs• Across regions & for Internet trafﬁc, the public IP is used• NOTE: Trafﬁc to the public IP/EIP: • Incurs regional data transfer costs

EC2 IP Addresses• Both public and private IPs are dynamic • Elastic IPs can be used for persistent public IPs• Within a region, instances use their private IPs• Across regions & for Internet trafﬁc, the public IP is used• NOTE: Trafﬁc to the public IP/EIP: • Incurs regional data transfer costs • Is less performant in-region

EC2 IP Addresses• Both public and private IPs are dynamic • Elastic IPs can be used for persistent public IPs• Within a region, instances use their private IPs• Across regions & for Internet trafﬁc, the public IP is used• NOTE: Trafﬁc to the public IP/EIP: • Incurs regional data transfer costs • Is less performant in-region • Does not preserve source security group info

Elastic Load Balancers• Service availability and trafﬁc balancing across EC2 Internet instances• Stable DNS for publicly- facing services ELB • Alias to the ELB DNS CNAME Instance Instance Instance • SSL termination, session stickiness, etc.

Elastic Load Balancers

Elastic Load Balancers• ELB intercepts and forwards trafﬁc

Elastic Load Balancers• ELB intercepts and forwards trafﬁc• Trafﬁc loses source IP

Elastic Load Balancers• ELB intercepts and forwards trafﬁc• Trafﬁc loses source IP • Client IP is accessible via X-Forwarded For

Elastic Load Balancers• ELB intercepts and forwards traffic• Traffic loses source IP • Client IP is accessible via X-Forwarded For• Backend instances must allow traffic from the ELB

Elastic Load Balancers• ELB intercepts and forwards traffic• Traffic loses source IP • Client IP is accessible via X-Forwarded For• Backend instances must allow traffic from the ELB • Traffic from ELB == Traffic from Internet

Elastic Load Balancers• ELB intercepts and forwards traffic• Traffic loses source IP • Client IP is accessible via X-Forwarded For• Backend instances must allow traffic from the ELB • Traffic from ELB == Traffic from Internet• Without additional (non security group) filtering, ELBs should only be used for public use cases

Elastic Load Balancers• ELB intercepts and forwards traffic• Traffic loses source IP • Client IP is accessible via X-Forwarded For• Backend instances must allow traffic from the ELB • Traffic from ELB == Traffic from Internet• Without additional (non security group) filtering, ELBs should only be used for public use cases• NOTE:VPC ELBs can use security groups for limiting access

S3 Policies and Object Ownership

S3 Policies and Object Ownership• S3 bucket similar to container, object similar to a ﬁle

S3 Policies and Object Ownership• S3 bucket similar to container, object similar to a ﬁle• Access control can be applied via bucket policy, bucket ACL, and object ACLs

S3 Policies and Object Ownership• S3 bucket similar to container, object similar to a ﬁle• Access control can be applied via bucket policy, bucket ACL, and object ACLs• NOTE: Objects only inherit bucket-level permissions if written by bucket owner

S3 Policies and Object Ownership• S3 bucket similar to container, object similar to a ﬁle• Access control can be applied via bucket policy, bucket ACL, and object ACLs• NOTE: Objects only inherit bucket-level permissions if written by bucket owner • Default ACL is “object creator: full control”

S3 Policies and Object Ownership• S3 bucket similar to container, object similar to a ﬁle• Access control can be applied via bucket policy, bucket ACL, and object ACLs• NOTE: Objects only inherit bucket-level permissions if written by bucket owner • Default ACL is “object creator: full control” • Objects written by non bucket owner are inaccessible by bucket owner

S3 Policies and Object Ownership• S3 bucket similar to container, object similar to a ﬁle• Access control can be applied via bucket policy, bucket ACL, and object ACLs• NOTE: Objects only inherit bucket-level permissions if written by bucket owner • Default ACL is “object creator: full control” • Objects written by non bucket owner are inaccessible by bucket owner• Use “x-amz-acl” header on write to ﬁx permissions

AWS Resource Logging

AWS Resource Logging• AWS APIs and resources are publicly (Internet) accessible

AWS Resource Logging• AWS APIs and resources are publicly (Internet) accessible• So, your management interfaces, ﬁle store, databases, etc. are publicly addressable

AWS Resource Logging• AWS APIs and resources are publicly (Internet) accessible• So, your management interfaces, ﬁle store, databases, etc. are publicly addressable• Preventing access is generally possible through policy conﬁguration

AWS Resource Logging• AWS APIs and resources are publicly (Internet) accessible• So, your management interfaces, ﬁle store, databases, etc. are publicly addressable• Preventing access is generally possible through policy conﬁguration• NOTE: AWS provides no capability for logging or auditing resource access

Delivering Credentials to EC2 Instances

Delivering Credentials to EC2 Instances• AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)

Delivering Credentials to EC2 Instances• AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)• Access to resources will generally require credentials

Delivering Credentials to EC2 Instances• AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)• Access to resources will generally require credentials• Secure delivery and storage of credentials becomes difﬁcult with scale and automation

Delivering Credentials to EC2 Instances• AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)• Access to resources will generally require credentials• Secure delivery and storage of credentials becomes difﬁcult with scale and automation• Some ideas:

Delivering Credentials to EC2 Instances• AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)• Access to resources will generally require credentials• Secure delivery and storage of credentials becomes difﬁcult with scale and automation• Some ideas: • http://shlomoswidler.com/2009/08/how-to-keep- your-aws-credentials-on-ec2.html

AWS SecurityRecommendationsSystematic Approach to AWS Security Shared Responsibility AWS Management AWS Security Features and Services Resource Security Operations Security

Systematic Approach to AWS Security

Systematic Approach to AWS Security• Understand shared responsibility model

Systematic Approach to AWS Security• Understand shared responsibility model• Management of AWS

Systematic Approach to AWS Security• Understand shared responsibility model• Management of AWS• AWS security features and services

Systematic Approach to AWS Security• Understand shared responsibility model• Management of AWS• AWS security features and services• AWS resource security

Systematic Approach to AWS Security• Understand shared responsibility model• Management of AWS• AWS security features and services• AWS resource security• Secure AWS operations

Shared Responsibility • Analyze what each side provides in terms of security controls • Understand legal/ contractual aspects • Make plans to bridge any gapshttps://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html

AWS Management

AWS Management• No longer any reason to not use IAM

AWS Management• No longer any reason to not use IAM• Enable:

AWS Management• No longer any reason to not use IAM• Enable: • IAM

AWS Management• No longer any reason to not use IAM• Enable: • IAM • MFA (for account and IAM accounts)

AWS Management• No longer any reason to not use IAM• Enable: • IAM • MFA (for account and IAM accounts)• Create groups and assign permissions appropriate for organizational model

AWS Management• No longer any reason to not use IAM• Enable: • IAM • MFA (for account and IAM accounts)• Create groups and assign permissions appropriate for organizational model• Consider using separate top-level accounts for compartmentalization

AWS Security Features and Services

AWS Security Features and Services• Understand security features, limitations, and options of the features you use

AWS Security Features and Services• Understand security features, limitations, and options of the features you use • S3 - encryption, MFA delete, versioning

AWS Security Features and Services• Understand security features, limitations, and options of the features you use • S3 - encryption, MFA delete, versioning • EC2 - dedicated instances, disabling API termination

AWS Security Features and Services• Understand security features, limitations, and options of the features you use • S3 - encryption, MFA delete, versioning • EC2 - dedicated instances, disabling API termination• Consider VPC based on use cases and requirements

AWS Resource Security

AWS Resource Security• Review access requirements for AWS resources

AWS Resource Security• Review access requirements for AWS resources • S3 buckets, SimpleDB domains, SQS queues

AWS Resource Security• Review access requirements for AWS resources • S3 buckets, SimpleDB domains, SQS queues• Apply resource policies to control access appropriately

AWS Resource Security• Review access requirements for AWS resources • S3 buckets, SimpleDB domains, SQS queues• Apply resource policies to control access appropriately• Use policy conditions to enhance security

AWS Resource Security• Review access requirements for AWS resources • S3 buckets, SimpleDB domains, SQS queues• Apply resource policies to control access appropriately• Use policy conditions to enhance security • SourceIP, CurrentTime, SecureTransport

Secure AWSOperations

Secure AWS Operations• Understand security group/ACL differences

Secure AWS Operations• Understand security group/ACL differences • Design and implement according to architectural requirements

Secure AWS Operations• Understand security group/ACL differences • Design and implement according to architectural requirements• Actively manage and monitor accounts and credentials

OtherRecommendations

Other Recommendations• Tools like boto are useful for security monitoring and analysis

Other Recommendations• Tools like boto are useful for security monitoring and analysis• Keep an eye on:

Other Recommendations• Tools like boto are useful for security monitoring and analysis• Keep an eye on: • http://aws.typepad.com/

Other Recommendations• Tools like boto are useful for security monitoring and analysis• Keep an eye on: • http://aws.typepad.com/ • @jeffbarr

Other Recommendations• Tools like boto are useful for security monitoring and analysis• Keep an eye on: • http://aws.typepad.com/ • @jeffbarr • AWS Endpoints: http://docs.amazonwebservices.com/ general/latest/gr/rande.html

Other Recommendations• Tools like boto are useful for security monitoring and analysis• Keep an eye on: • http://aws.typepad.com/ • @jeffbarr • AWS Endpoints: http://docs.amazonwebservices.com/ general/latest/gr/rande.html • EC2 IP Ranges: https://forums.aws.amazon.com/ forum.jspa?forumID=30

Takeaways

Takeaways• AWS provides an array of services that allow you to construct and operate large scale web services in a self- service, pay as you go model

Takeaways• AWS provides an array of services that allow you to construct and operate large scale web services in a self- service, pay as you go model• The cloud operating model requires you to understand the security responsibilities of both provider and consumer

Takeaways• AWS provides an array of services that allow you to construct and operate large scale web services in a self- service, pay as you go model• The cloud operating model requires you to understand the security responsibilities of both provider and consumer• Understanding AWS’ security features and capabilities and taking a systematic approach to AWS security will help ensure optimized and secure service use

Thanks!Questions? chan@netﬂix.com

Backup Slides

Cloud and Platform Engineering EngineeringTools •  Orchestra*on,.build.and.deployment. CloudSolu0ons •  Monitoring,.consul*ng,.Simian.Army. CORE •  24/7.site.reliability.Pla5ormEngineering •  Core.shared.components.and.libraries. Security •  Applica*on,.engineering,.and.opera*onal. CloudDatabase •  Cassandra,.SDB,.RDS. Engineering CloudPerformance •  Tes*ng,.op*miza*on,.cost. CloudArchitecture •  Overall.design.paFerns.

Netflix PaaS• Supports all AWS • Dynamic and fine-grained regions and availability security zones • Automatic scaling to• Supports multiple AWS thousands of instances accounts • Monitoring for millions of• One-click deployment and metrics load balancing across three datacenters • Base server and client• Cross-region and account • I18n, L10n, geo IP routing data replication and archive http://www.slideshare.net/netflix

Security Monkeyhttp://techblog.netﬂix.com/2011/07/netﬂix-simian-army.html

Security Monkey http://techblog.netﬂix.com/2011/07/netﬂix-simian-army.html• Centralized framework for cloud security monitoring and analysis

Security Monkey http://techblog.netﬂix.com/2011/07/netﬂix-simian-army.html• Centralized framework for cloud security monitoring and analysis• Leverages AWS APIs and common security tools

Security Monkey• Certiﬁcate monitoring• Security group monitoring• Exposed instances/applications• Web application vulnerability scanning• Upcoming: • Policy analysis (ﬁrewall, user, S3, etc.)

References• http://www.slideshare.net/netﬂix• http://techblog.netﬂix.com• https://cloudsecurityalliance.org/

http://bitly.com	12
http://irq.tumblr.com	11
http://www.linkedin.com	4
http://us-w1.rockmelt.com	1
http://tweetedtimes.com	1
http://www.twylah.com	1

AWS Security: A Practitioner's Perspective

by Jason Chan

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 30

Statistics

AWS Security: A Practitioner’s Perspective Presentation Transcript