Cloud Security with Amazon Web Services
 


Steve Riley, Sr. Technical Program Manager at Amazon Web Services, led this session at the RightScale User Conference 2010 in Santa Clara.

Session Abstract: Moving to the cloud raises lots of questions, mostly about security. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. In this session, we'll discuss common cloud security concerns, show how AWS protects its infrastructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud.


    Presentation Transcript

    • Security in the AWS Cloud
      Steve Riley, steriley@amazon.com, @steveriley, @awscloud
      http://stvrly.wordpress.com, http://aws.typepad.com
    • Amazon Web Services: 4 regions
      Amazon CloudFront: 16 edge locations
    • http://status.aws.amazon.com/
    • Amazon S3
      Amazon SimpleDB
      Amazon RDS (multi AZ)
      Amazon EBS
      Amazon RDS (one AZ)
      Amazon EC2
    • DoD 5220.22-M and NIST 800-88
    • DDoS attacks
      MITM attacks
      IP spoofing
      Packet sniffing
      Port scanning

    • Customer 1, Customer 2, ... Customer n instances: root/admin control (you)
      Customer only: SSH, ID/pw, X.509

      Customer 1, Customer 2, ... Customer n virtual interfaces: hypervisor layer
      Customer only: security groups per customer, inbound flows default deny

      Physical interfaces: AWS firewall (AWS)
      AWS admins only, SSH via bastions, audits reviewed
    • Web tier: HTTP/HTTPS from Internet; SSH/RDP management from corpnet
      Application tier: SSH/RDP management from corpnet
      Database tier: SSH/RDP management from corpnet, vendor
    • ec2-authorize WebSG -P tcp -p 80 -s 0.0.0.0/0
      ec2-authorize WebSG -P tcp -p 443 -s 0.0.0.0/0
      ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
      ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
      ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
      ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
      ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
      ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
    • ec2-authorize InspSG -P prot -p port -s 0.0.0.0/0
      . . .
      ec2-authorize WebSG -P tcp -p 80 -o InspSG
      ec2-authorize WebSG -P tcp -p 443 -o InspSG
      ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
      ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
      ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
      ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
      ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
      ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
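The two rule sets above rely on a layering that is easy to break with one extra rule. As an added example (not code from the slides or from AWS), the Python below models the ec2-authorize lines as data and lints them for the properties the design depends on: only the web tier is reachable from 0.0.0.0/0, each inner tier accepts traffic only from the security group in front of it, and the management ports (the slide's "22|3389") come only from trusted networks. WebSG, AppSG, DBSG, CorpNet and Vendor are the slide's names; the CIDRs behind CorpNet and Vendor and the App/DB port numbers are constructed stand-ins for its placeholders.

```python
"""Three-tier security-group layering as data, plus a lint over it.

Added example; not AWS code and not from the slides. The CIDRs and the
App/DB port numbers are constructed stand-ins for the slide's placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANYWHERE = "0.0.0.0/0"
MGMT_PORTS = (22, 3389)                       # the slide's "22|3389"
TRUSTED_NETS = {"CorpNet": "10.0.0.0/8",      # constructed
                "Vendor": "198.51.100.0/24"}  # constructed
APP_PORT, DB_PORT = 8080, 3306                # constructed AppPortRange / DBPortRange


@dataclass(frozen=True)
class Rule:
    group: str                        # security group being authorized
    proto: str                        # -P
    from_port: int                    # -p start (equal to to_port for one port)
    to_port: int
    cidr: Optional[str] = None        # -s source CIDR
    src_group: Optional[str] = None   # -o source security group

    def as_command(self) -> str:
        """Render in the ec2-authorize form used on the slide."""
        ports = (str(self.from_port) if self.from_port == self.to_port
                 else f"{self.from_port}-{self.to_port}")
        src = f"-s {self.cidr}" if self.cidr else f"-o {self.src_group}"
        return f"ec2-authorize {self.group} -P {self.proto} -p {ports} {src}"

    def covers_port(self, port: int) -> bool:
        return self.proto == "tcp" and self.from_port <= port <= self.to_port


def mgmt(group: str, net: str) -> List[Rule]:
    """Expand '22|3389 -s <net>' into one rule per management port."""
    return [Rule(group, "tcp", p, p, cidr=TRUSTED_NETS[net]) for p in MGMT_PORTS]


def three_tier_rules() -> List[Rule]:
    """The first rule set on the slide, with placeholders filled in."""
    return [
        Rule("WebSG", "tcp", 80, 80, cidr=ANYWHERE),
        Rule("WebSG", "tcp", 443, 443, cidr=ANYWHERE),
        *mgmt("WebSG", "CorpNet"),
        Rule("AppSG", "tcp", APP_PORT, APP_PORT, src_group="WebSG"),
        *mgmt("AppSG", "CorpNet"),
        Rule("DBSG", "tcp", DB_PORT, DB_PORT, src_group="AppSG"),
        *mgmt("DBSG", "CorpNet"),
        *mgmt("DBSG", "Vendor"),
    ]


def lint(rules: List[Rule],
         internet_facing: Tuple[str, ...] = ("WebSG",),
         tier_chain: Tuple[Tuple[str, str], ...] = (("AppSG", "WebSG"),
                                                   ("DBSG", "AppSG"))) -> List[str]:
    """Return one finding per rule that breaks the layering; empty list means clean."""
    front_of: Dict[str, str] = dict(tier_chain)   # inner group -> the only allowed source group
    trusted = set(TRUSTED_NETS.values())
    findings = []
    for r in rules:
        if r.cidr == ANYWHERE and any(r.covers_port(p) for p in MGMT_PORTS):
            findings.append(f"{r.group}: management port open to the Internet: {r.as_command()}")
        elif r.cidr == ANYWHERE and r.group not in internet_facing:
            findings.append(f"{r.group}: inner tier exposed to the Internet: {r.as_command()}")
        if r.group in front_of:
            if r.src_group and r.src_group != front_of[r.group]:
                findings.append(f"{r.group}: reachable from {r.src_group}, "
                                f"expected only {front_of[r.group]}")
            if r.cidr and r.cidr not in trusted:
                findings.append(f"{r.group}: CIDR source {r.cidr} is not a trusted network")
    return findings


if __name__ == "__main__":
    for rule in three_tier_rules():
        print(rule.as_command())
    print("findings:", lint(three_tier_rules()) or "none")
```

For the inspection variant on the second slide, the same lint applies with `internet_facing=("InspSG",)` and `("WebSG", "InspSG")` prepended to `tier_chain`, so a web-tier rule sourced from anywhere other than the inspection group is reported.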
    • Your VPC (in the Amazon Web Services cloud) connected to your corporate network
      IPsec tunnel mode: 128-bit AES, SHA-1, PFS, BGP
    • Amazon VPC currently
      • EC2 on-demand and reserved
      • EBS
      • CloudWatch
      • Linux/Unix and Windows
      • US-East, EU-West
      Upcoming
      • >1 AZ, >1 router
      • Bidirectional Internet
      • Elastic IPs
      • Elastic Load Balancing
      • Autoscaling
      • DevPay
      • Inter-subnet security groups
      • Subnet ACLs
    • Amazon S3 access control
      Object ACL permissions
      • Open/download
      • View permissions
      • Edit permissions
      Bucket ACL permissions
      • List
      • Upload/delete
      • View permissions
      • Edit permissions
      Things to know
      • “Key” = name of object
      • 99.999999999% annual durability
      • Versioning support
    • Bucket policies
      • Choice of 25 operations on objects, buckets, and bucket sub-resources
      • Know your JSON
      • AWS services
      • Resources
      • Source IP
      • Time of day
      • Use of SSL
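"Know your JSON" is the whole point of bucket policies, so here is the slide's list made concrete. This is an added example, not the speaker's or AWS's code: it builds a bucket policy whose conditions use source IP, a time window and use of SSL, then evaluates constructed requests against it with a deliberately reduced model of policy evaluation (default deny, an explicit Deny beats any Allow). The bucket name, office CIDR and time window are constructed; the condition keys and operators (aws:SourceIp, aws:SecureTransport, aws:CurrentTime, IpAddress, Bool, DateGreaterThan, DateLessThan) are real ones. Because aws:CurrentTime is an absolute timestamp, "time of day" is expressed here as a dated access window.

```python
"""S3 bucket-policy conditions, with a reduced evaluator for constructed requests.

Added example; not AWS code and not from the slides. Bucket name, office CIDR
and the access window are constructed values.
"""
import ipaddress
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Dict, List, Union

BUCKET = "example-bucket"              # constructed
OFFICE_CIDR = "203.0.113.0/24"         # constructed (TEST-NET-3)
WINDOW_START = "2010-06-01T00:00:00Z"  # constructed access window
WINDOW_END = "2010-07-01T00:00:00Z"


def build_policy() -> dict:
    """Allow object reads from the office during the window; deny anything not over SSL."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadFromOfficeDuringWindow", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{BUCKET}/*",
             "Condition": {"IpAddress": {"aws:SourceIp": OFFICE_CIDR},
                           "DateGreaterThan": {"aws:CurrentTime": WINDOW_START},
                           "DateLessThan": {"aws:CurrentTime": WINDOW_END}}},
            {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*",
             "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def policy_json() -> str:
    return json.dumps(build_policy(), indent=2)


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return v if isinstance(v, list) else [v]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(op: str, key: str, expected: str, ctx: Dict[str, str]) -> bool:
    actual = ctx.get(key)
    if actual is None:                 # a missing context key never satisfies a condition
        return False
    if op == "Bool":
        return actual.lower() == expected.lower()
    if op == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if op == "DateGreaterThan":
        return _ts(actual) > _ts(expected)
    if op == "DateLessThan":
        return _ts(actual) < _ts(expected)
    raise ValueError(f"operator not modelled here: {op}")


def _statement_applies(stmt: dict, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, expected, ctx)
               for op, kv in stmt.get("Condition", {}).items()
               for key, expected in kv.items())


def evaluate(policy: dict, request: dict) -> str:
    """'Allow' or 'Deny' for one request: explicit Deny wins, otherwise default Deny."""
    decisions = {s["Effect"] for s in policy["Statement"]
                 if _statement_applies(s, request["action"], request["resource"], request["context"])}
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if "Allow" in decisions else "Deny"


def _req(ip: str, ssl: bool, when: str) -> dict:
    return {"action": "s3:GetObject",
            "resource": f"arn:aws:s3:::{BUCKET}/reports/q2.pdf",
            "context": {"aws:SourceIp": ip,
                        "aws:SecureTransport": "true" if ssl else "false",
                        "aws:CurrentTime": when}}


# Constructed requests, one per condition the policy checks.
SAMPLE_REQUESTS = {
    "office_https_in_window": _req("203.0.113.10", True, "2010-06-15T12:00:00Z"),
    "office_http_in_window": _req("203.0.113.10", False, "2010-06-15T12:00:00Z"),
    "outside_https_in_window": _req("198.51.100.5", True, "2010-06-15T12:00:00Z"),
    "office_https_after_window": _req("203.0.113.10", True, "2010-08-01T12:00:00Z"),
}

if __name__ == "__main__":
    print(policy_json())
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name}: {evaluate(build_policy(), req)}")
```

Only the first request is allowed: plain HTTP hits the explicit Deny, and a foreign source address or a request outside the window simply matches no Allow statement. The evaluator covers only the four operators the policy uses; the real service handles many more and also folds in IAM user policies and ACLs.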
    • http://aws.amazon.com/iam/
    • IAM details
      Preview beta includes:
      Amazon EC2, S3, VPC, SQS, SNS, RDS, SimpleDB, Auto Scaling, ELB
      Configured via API calls
      Add users, define groups and hierarchies, set permissions, enable API calls, assign MFAs
      Future:
      User login to console, user management console
      No additional charge
    • http://aws.amazon.com/mfa/
    • *:*
    • Compliance
      HIPAA: current customer deployments; whitepaper describes the specifics
      SAS 70 Type II: multiple audits; simplified process to get your copy
      FISMA moderate Authority to Operate
      ISO 27001/27002
    • SAS 70 Type II controls
    • aws-security@amazon.com
      https://aws.amazon.com/security/aws-pgp-public-key/
    • http://aws.amazon.com/security/
    • Thank you very much!
      Steve Riley, steriley@amazon.com, @steveriley, @awscloud
      http://stvrly.wordpress.com, http://aws.typepad.com