Cloud Security with Amazon Web Services

Steve Riley, Sr. Technical Program Manager at Amazon Web Services, led this session at the RightScale User Conference 2010 in Santa Clara.

Session Abstract: Moving to the cloud raises lots of questions, mostly about security. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. In this session, we'll discuss common cloud security concerns, show how AWS protects its infrastructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud.

Transcript

  • 1. Security in the AWS Cloud
    Steve Riley, steriley@amazon.com, @steveriley, @awscloud
    http://stvrly.wordpress.com
    http://aws.typepad.com
  • 2. Amazon Web Services: 4 regions
    Amazon CloudFront: 16 edge locations
  • 8. http://status.aws.amazon.com/
  • 11. Amazon S3
    Amazon SimpleDB
    Amazon RDS (multi AZ)
    Amazon EBS
    Amazon RDS (one AZ)
    Amazon EC2
  • 13. DoD 5220.22-M and NIST 800-88
  • 14. Customer 1
    Customer 2
    Customer n

    Customer only
    SSH, ID/pw, X.509
    Root/admin
    Customer 1 virtual interfaces
    Customer 2 virtual interfaces
    Customer n virtual interfaces

    Customer only
    Inbound flows
    Default deny
    Hypervisor layer
    Customer 1 security groups
    Customer 2 security groups
    Customer n security groups

    AWS firewall
    AWS admins only
    SSH via bastions
    Audits reviewed
    Physical interfaces
  • 15. DDoS attacks
    MITM attacks
    IP spoofing
    Packet sniffing
    Port scanning
  • 16. Customer 1
    Customer 2
    Customer n
    Customer only
    SSH, ID/pw, X.509
    Root/admin control
    You

    Customer 1 virtual interfaces
    Customer 2 virtual interfaces
    Customer n virtual interfaces
    Customer only
    Inbound flows
    Default deny
    Hypervisor layer

    Customer 1 security groups
    Customer 2 security groups
    Customer n security groups
    AWS firewall
    AWS
    AWS admins only
    SSH via bastions
    Audits reviewed
    Physical interfaces
  • 17. Web tier
    Application tier
    Database tier
    HTTP/HTTPS from Internet
    SSH/RDP management from corpnet
    SSH/RDP management from corpnet, vendor
    SSH/RDP management from corpnet
  • 18.
  • 19. ec2-authorize WebSG -P tcp -p 80 -s 0.0.0.0/0
    ec2-authorize WebSG -P tcp -p 443 -s 0.0.0.0/0
    ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
    ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
    ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
  • 20. ec2-authorize InspSG -P prot -p port -s 0.0.0.0/0
    . . .
    ec2-authorize WebSG -P tcp -p 80 -o InspSG
    ec2-authorize WebSG -P tcp -p 443 -o InspSG
    ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
    ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
    ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
  • 21. Your VPC
    Amazon Web Services Cloud
    IPsec tunnel mode
    128-bit AES, SHA-1, PFS, BGP
    Your corporate network
  • 22. Currently
    Upcoming
    Your VPC
    Amazon Web Services Cloud
    Your corporate network
  • 34. Things to know
    “Key” = name of object
  • 41. 99.999999999% annual durability
  • 42. Versioning support
    Bucket policies
    Choice of 25 operations on objects, buckets, and bucket sub-resources
  • 43. Know your JSON
  • 44.
  • http://aws.amazon.com/iam/
  • 49. IAM details
    Preview beta includes:
    Amazon EC2, S3, VPC, SQS, SNS, RDS, SimpleDB, Auto Scaling, ELB
    Configured via API calls
    Add users, define groups and hierarchies, set permissions, enable API calls, assign MFAs
    Future:
    User login to console, user management console
    No additional charge
  • 50. http://aws.amazon.com/mfa/
  • 51.
  • 52. *:*
  • 53. Compliance
    HIPAA
    Current customer deployments
    Whitepaper describes the specifics
    SAS 70 type II
    Multiple audits
    Simplified process to get your copy
    FISMA moderate Authority to Operate
    ISO 27001/27002
  • 54. SAS 70 Type II controls
  • 55. aws-security@amazon.com
    https://aws.amazon.com/security/aws-pgp-public-key/
  • 56. http://aws.amazon.com/security/
  • 57. Thank you very much!
    Steve Riley, steriley@amazon.com, @steveriley, @awscloud
    http://stvrly.wordpress.com
    http://aws.typepad.com