Cloud Security with Amazon Web Services
Steve Riley, Sr. Technical Program Manager at Amazon Web Services, led this session at the RightScale User Conference 2010 in Santa Clara.

Session Abstract: Moving to the cloud raises lots of questions, mostly about security. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. In this session, we'll discuss common cloud security concerns, show how AWS protects its infrastructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud.

Published in: Technology
Transcript

  • 1. Security in the AWS Cloud
       Steve Riley, steriley@amazon.com, @steveriley, @awscloud
       http://stvrly.wordpress.com, http://aws.typepad.com
  • 2. Amazon Web Services: 4 regions; Amazon CloudFront: 16 edge locations
  • 3.–7. (image-only slides)
  • 8. http://status.aws.amazon.com/
  • 9.–10. (image-only slides)
  • 11. (diagram) Amazon S3; Amazon SimpleDB; Amazon RDS (multi AZ); Amazon EBS; Amazon RDS (one AZ); Amazon EC2
  • 12. (diagram, no recoverable text)
  • 13. DoD 5220.22-M and NIST 800-88
  • 14. (diagram)
       Customer 1, Customer 2, …, Customer n: customer only; SSH, ID/pw, X.509; root/admin
       Customer 1, 2, …, n virtual interfaces: customer only; inbound flows default deny
       Hypervisor layer: Customer 1, 2, …, n security groups; AWS firewall
       Physical interfaces: AWS admins only; SSH via bastions; audits reviewed
  • 15. DDoS attacks; MITM attacks; IP spoofing; packet sniffing; port scanning
  • 16. (the slide 14 diagram, with "You" and "AWS" labels)
       Customer 1, Customer 2, …, Customer n: customer only; SSH, ID/pw, X.509; root/admin control [You]
       Customer 1, 2, …, n virtual interfaces: customer only; inbound flows default deny
       Hypervisor layer: Customer 1, 2, …, n security groups; AWS firewall [AWS]
       Physical interfaces: AWS admins only; SSH via bastions; audits reviewed
  • 17. Web tier: HTTP/HTTPS from Internet; SSH/RDP management from corpnet
       Application tier: SSH/RDP management from corpnet
       Database tier: SSH/RDP management from corpnet, vendor
  • 18. (image-only slide)
  • 19. ec2-authorize WebSG -P tcp -p 80 -s 0.0.0.0/0
       ec2-authorize WebSG -P tcp -p 443 -s 0.0.0.0/0
       ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
       ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
       ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
       ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
       ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
       ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
  • 20. ec2-authorize InspSG -P prot -p port -s 0.0.0.0/0
       . . .
       ec2-authorize WebSG -P tcp -p 80 -o InspSG
       ec2-authorize WebSG -P tcp -p 443 -o InspSG
       ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
       ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
       ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
       ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
       ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
       ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
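The tiered security-group rules on slides 17 through 20 are easier to reason about as data than as a list of commands, so here is an added example (not from the deck and not an AWS tool) that models them the way the slides describe security groups: inbound flows are denied by default, and each rule admits a protocol and port range from either a CIDR source (the `-s` argument) or from members of another group (the `-o` argument). The group names follow the slides; the CorpNet and Vendor address ranges, the application and database port ranges, and the sample flows are assumptions chosen to fill in the slides' placeholders. The `world_exposed` and `unexpected_exposure` checks are the audit a practitioner would run against such a rule set: only the web tier should ever accept traffic from 0.0.0.0/0.

```python
"""Model of the three-tier security-group design (added example, not AWS code).

Each group is a list of inbound rules; anything not matched is denied,
mirroring the "inbound flows: default deny" point on slide 14.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

CORPNET = "10.10.0.0/16"      # assumption: corporate network (-s CorpNet)
VENDOR = "203.0.113.0/24"     # assumption: vendor range (-s Vendor), TEST-NET-3
APP_PORTS = (8000, 8099)      # assumption: AppPortRange
DB_PORTS = (3306, 3306)       # assumption: DBPortRange


@dataclass(frozen=True)
class Rule:
    proto: str
    port_from: int
    port_to: int
    cidr: Optional[str] = None        # -s: source CIDR
    src_group: Optional[str] = None   # -o: source security group


def tcp(port: int, **src) -> Rule:
    """Single-port TCP rule; src is either cidr=... or src_group=...."""
    return Rule("tcp", port, port, **src)


# The rule set from slide 19, with 22|3389 expanded into two rules each.
GROUPS: Dict[str, List[Rule]] = {
    "WebSG": [tcp(80, cidr="0.0.0.0/0"), tcp(443, cidr="0.0.0.0/0"),
              tcp(22, cidr=CORPNET), tcp(3389, cidr=CORPNET)],
    "AppSG": [Rule("tcp", *APP_PORTS, src_group="WebSG"),
              tcp(22, cidr=CORPNET), tcp(3389, cidr=CORPNET)],
    "DBSG": [Rule("tcp", *DB_PORTS, src_group="AppSG"),
             tcp(22, cidr=CORPNET), tcp(3389, cidr=CORPNET),
             tcp(22, cidr=VENDOR), tcp(3389, cidr=VENDOR)],
}


def allows(group: str, proto: str, port: int, src_ip: Optional[str] = None,
           src_groups: Iterable[str] = ()) -> bool:
    """True if an inbound flow matches some rule of `group`; otherwise denied."""
    src_groups = set(src_groups)
    for r in GROUPS[group]:
        if r.proto != proto or not (r.port_from <= port <= r.port_to):
            continue
        if r.cidr and src_ip is not None and ip_address(src_ip) in ip_network(r.cidr):
            return True
        if r.src_group and r.src_group in src_groups:
            return True
    return False


def world_exposed(group: str) -> List[Tuple[str, int, int]]:
    """Rules of `group` open to 0.0.0.0/0, as (proto, from, to) tuples."""
    return [(r.proto, r.port_from, r.port_to)
            for r in GROUPS[group] if r.cidr == "0.0.0.0/0"]


def unexpected_exposure(allowed: Iterable[str] = ("WebSG",)) -> List[str]:
    """Groups with world-open rules that are not on the allow-list."""
    allowed = set(allowed)
    return sorted(g for g in GROUPS if g not in allowed and world_exposed(g))


if __name__ == "__main__":
    # Constructed sample flows: Internet -> web, web -> app, Internet -> db.
    print("Internet to WebSG:443 ", allows("WebSG", "tcp", 443, "198.51.100.7"))
    print("WebSG to AppSG:8080   ", allows("AppSG", "tcp", 8080, src_groups={"WebSG"}))
    print("Internet to DBSG:3306 ", allows("DBSG", "tcp", 3306, "198.51.100.7"))
    print("Unexpected exposure   ", unexpected_exposure())
```

The design point the slides make is visible in `allows`: the application and database tiers have no CIDR rule for their service ports at all, only a group reference, so even a corpnet address cannot reach the database port directly; it must arrive from an instance in AppSG.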
  • 21. (diagram) Your VPC in the Amazon Web Services cloud, connected to your corporate network: IPsec tunnel mode; 128-bit AES, SHA-1, PFS, BGP
  • 22.–33. Your VPC (diagram: your VPC in the Amazon Web Services cloud, your corporate network)
       Currently: EC2 on-demand and reserved; EBS; CloudWatch; Linux/Unix and Windows; US-East, EU-West
       Upcoming: >1 AZ, >1 router; bidirectional Internet; Elastic IPs; Elastic Load Balancing; Autoscaling; DevPay; inter-subnet security groups; subnet ACLs
  • 34.–43. (Amazon S3)
       Objects: open/download; view permissions; edit permissions
       Buckets: list; upload/delete; view permissions; edit permissions
       Things to know: “Key” = name of object; 99.999999999% annual durability; versioning support
       Bucket policies: choice of 25 operations on objects, buckets, and bucket sub-resources; know your JSON
  • 44.–48. AWS services; resources; source IP; time of day; use of SSL
       http://aws.amazon.com/iam/
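"Know your JSON" and the condition dimensions listed above (source IP, use of SSL) are best seen in an actual policy document, so here is an added example that is not part of the deck and not AWS code. It builds a bucket policy that allows reads only from the corporate range and only over SSL, and adds an explicit deny for any plaintext request, then checks that policy offline with a deliberately simplified evaluator. The evaluator is a constructed model, not AWS's policy engine: it ignores principals, handles only the `IpAddress`, `NotIpAddress` and `Bool` operators, and applies the explicit-deny-wins, then allow, then implicit-deny ordering. The bucket name, account id and corporate range are assumptions; the condition keys `aws:SourceIp` and `aws:SecureTransport` are real ones.

```python
"""Bucket policy with source-IP and SSL conditions, plus a toy evaluator.

Added example; the evaluator models only what this policy needs and is not
a substitute for testing against the real service.
"""
import fnmatch
import json
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List

BUCKET = "example-bucket"        # assumption
CORPNET = "10.10.0.0/16"         # assumption: corporate source range
ACCOUNT = "123456789012"         # assumption: placeholder account id

POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CorpReadOverSsl",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {
                "IpAddress": {"aws:SourceIp": CORPNET},
                "Bool": {"aws:SecureTransport": "true"},
            },
        },
        {
            # Belt and braces: even a later, broader Allow cannot reopen plaintext.
            "Sid": "DenyPlaintext",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def policy_json() -> str:
    """The document as it would be attached to the bucket."""
    return json.dumps(POLICY, indent=2)


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _condition_holds(cond: Dict[str, Dict[str, str]], ctx: Dict[str, str]) -> bool:
    """All operator/key pairs must hold; a missing context key fails the test."""
    for operator, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if operator == "IpAddress":
                if ip_address(have) not in ip_network(want):
                    return False
            elif operator == "NotIpAddress":
                if ip_address(have) in ip_network(want):
                    return False
            elif operator == "Bool":
                if str(have).lower() != str(want).lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             ctx: Dict[str, str]) -> str:
    """Simplified decision: explicit Deny wins, else Allow if matched, else Deny."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/report.txt"   # constructed object ARN
    print(policy_json())
    print("corp, SSL     :", evaluate(POLICY, "s3:GetObject", obj,
          {"aws:SourceIp": "10.10.4.4", "aws:SecureTransport": "true"}))
    print("corp, plain   :", evaluate(POLICY, "s3:GetObject", obj,
          {"aws:SourceIp": "10.10.4.4", "aws:SecureTransport": "false"}))
    print("outside, SSL  :", evaluate(POLICY, "s3:GetObject", obj,
          {"aws:SourceIp": "198.51.100.1", "aws:SecureTransport": "true"}))
```

Two things worth noticing when reading the output: the request from outside the corporate range is denied with no explicit Deny statement involved, because nothing allowed it (the implicit deny); the plaintext request from inside the range is denied even though the Allow statement's IP condition is satisfied, because the explicit Deny matched first.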
  • 49. IAM details
       Preview beta includes: Amazon EC2, S3, VPC, SQS, SNS, RDS, SimpleDB, Auto Scaling, ELB
       Configured via API calls: add users, define groups and hierarchies, set permissions, enable API calls, assign MFAs
       Future: user login to console, user management console
       No additional charge
  • 50. http://aws.amazon.com/mfa/
  • 51. (image-only slide)
  • 52. *:*
  • 53. Compliance
       HIPAA: current customer deployments; whitepaper describes the specifics
       SAS 70 type II: multiple audits; simplified process to get your copy
       FISMA moderate Authority to Operate
       ISO 27001/27002
  • 54. SAS 70 Type II controls
  • 55. aws-security@amazon.com; https://aws.amazon.com/security/aws-pgp-public-key/
  • 56. http://aws.amazon.com/security/
  • 57. Thank you very much!
       Steve Riley, steriley@amazon.com, @steveriley, @awscloud
       http://stvrly.wordpress.com, http://aws.typepad.com