Cloud Security with Amazon Web Services

Steve Riley, Sr. Technical Program Manager at Amazon Web Services, led this session at the RightScale User Conference 2010 in Santa Clara.

Session Abstract: Moving to the cloud raises lots of questions, mostly about security. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. In this session, we'll discuss common cloud security concerns, show how AWS protects its infrastructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud.


Slide 1. Security in the AWS Cloud
Steve Riley, steriley@amazon.com, @steveriley, @awscloud
http://stvrly.wordpress.com
http://aws.typepad.com

Slide 2. Amazon Web Services: 4 regions
Amazon CloudFront: 16 edge locations

Slide 8. http://status.aws.amazon.com/

Slide 11. (figure) Services shown: Amazon S3, Amazon SimpleDB, Amazon RDS (multi AZ), Amazon EBS, Amazon RDS (one AZ), Amazon EC2
Slide 13. DoD 5220.22-M and NIST 800-88

Slide 14. (diagram) Layers, top to bottom:
Customer 1, Customer 2, ..., Customer n; customer only: SSH, ID/pw, X.509, root/admin
Customer 1 virtual interfaces, Customer 2 virtual interfaces, ..., Customer n virtual interfaces; customer only: inbound flows, default deny
Hypervisor layer
Customer 1 security groups, Customer 2 security groups, ..., Customer n security groups; AWS firewall
Physical interfaces: AWS admins only, SSH via bastions, audits reviewed

Slide 15. DDoS attacks, MITM attacks, IP spoofing, Packet sniffing, Port scanning

Slide 16. (diagram) The same layers as slide 14, with two labels added: "You" beside "Root/admin control" and "AWS" beside "AWS firewall".

Slide 17. (diagram) Three tiers and their allowed inbound traffic:
Web tier: HTTP/HTTPS from Internet; SSH/RDP management from corpnet
Application tier: SSH/RDP management from corpnet
Database tier: SSH/RDP management from corpnet, vendor
Slide 19. Security group rules for the three tiers, in ec2-authorize syntax (-P protocol, -p port or port range, -s source CIDR or named address range, -o source security group). "22|3389" is the slide's shorthand for one rule each for SSH (22) and RDP (3389); prot, AppPortRange and DBPortRange stand for the application's actual protocol and port ranges:

    ec2-authorize WebSG -P tcp -p 80 -s 0.0.0.0/0
    ec2-authorize WebSG -P tcp -p 443 -s 0.0.0.0/0
    ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
    ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
    ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor

Slide 20. The same layout with an inspection group (InspSG) placed in front of the web tier: the Internet reaches only InspSG, and WebSG now accepts HTTP/HTTPS only from instances in InspSG; the remaining rules are unchanged:

    ec2-authorize InspSG -P prot -p port -s 0.0.0.0/0
    . . .
    ec2-authorize WebSG -P tcp -p 80 -o InspSG
    ec2-authorize WebSG -P tcp -p 443 -o InspSG
    ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
    ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
    ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
    ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
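The tiered layout on slides 17 through 20 can be checked before it is deployed by writing the rules down as data and asking which flows a default-deny evaluation lets through. The script below is an added example, not code from the talk or from any AWS tool: it mirrors each ec2-authorize line, treats -s sources as CIDRs and -o sources as security-group references, and then confirms that the Internet cannot reach the application or database tiers, that the web tier cannot bypass the application tier to reach the database, and that putting InspSG in front (slide 20) closes the direct Internet path to WebSG. The group names are the slide's; the address ranges behind CorpNet and Vendor, the AppPortRange/DBPortRange values, and the ports assumed for InspSG are constructed placeholders.

```python
"""Model of the tiered EC2 security-group layout on slides 17-20.

Added example, not code from the talk or from AWS. Group names (WebSG,
AppSG, DBSG, InspSG, CorpNet, Vendor) come from the slides; the CIDRs
behind CorpNet and Vendor and the application/database port ranges are
constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders standing in for the slide's named source ranges.
NAMED_CIDRS = {
    "0.0.0.0/0": ip_network("0.0.0.0/0"),
    "CorpNet": ip_network("10.0.0.0/8"),
    "Vendor": ip_network("203.0.113.0/24"),   # RFC 5737 documentation range
}
APP_PORTS = (8000, 8099)   # assumed stand-in for the slide's AppPortRange
DB_PORTS = (3306, 3306)    # assumed stand-in for the slide's DBPortRange


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp" or "any" (the slide writes "prot")
    ports: tuple    # inclusive (low, high)
    source: str     # a NAMED_CIDRS key (from -s) or a group name (from -o)


def authorize(groups, group, proto, ports, src=None, src_group=None):
    """One `ec2-authorize GROUP -P proto -p ports -s CIDR | -o GROUP` line."""
    groups.setdefault(group, set()).add(Rule(proto, ports, src or src_group))


def allows(groups, dst_group, proto, port, src_ip=None, src_group=None):
    """Default deny: the flow passes only if some rule on dst_group matches.

    src_ip is matched against CIDR rules and src_group against group rules;
    instance-to-instance traffic may carry both, and either kind can match.
    """
    for r in groups.get(dst_group, ()):
        if r.proto not in ("any", proto) or not r.ports[0] <= port <= r.ports[1]:
            continue
        if r.source in NAMED_CIDRS:
            if src_ip is not None and ip_address(src_ip) in NAMED_CIDRS[r.source]:
                return True
        elif src_group is not None and r.source == src_group:
            return True
    return False


def build_slide19():
    """The three-tier rule set as listed on slide 19."""
    g = {}
    authorize(g, "WebSG", "tcp", (80, 80), src="0.0.0.0/0")
    authorize(g, "WebSG", "tcp", (443, 443), src="0.0.0.0/0")
    for p in (22, 3389):                       # the slide's "22|3389" shorthand
        authorize(g, "WebSG", "tcp", (p, p), src="CorpNet")
        authorize(g, "AppSG", "tcp", (p, p), src="CorpNet")
        authorize(g, "DBSG", "tcp", (p, p), src="CorpNet")
        authorize(g, "DBSG", "tcp", (p, p), src="Vendor")
    authorize(g, "AppSG", "any", APP_PORTS, src_group="WebSG")
    authorize(g, "DBSG", "any", DB_PORTS, src_group="AppSG")
    return g


def build_slide20():
    """Slide 20: an inspection group placed in front of the web tier."""
    g = build_slide19()
    # The Internet-facing 80/443 rules move from WebSG to InspSG ...
    g["WebSG"] = {r for r in g["WebSG"] if r.source != "0.0.0.0/0"}
    for p in (80, 443):                        # assumed values for "-P prot -p port"
        authorize(g, "InspSG", "tcp", (p, p), src="0.0.0.0/0")
        # ... and WebSG accepts them only from instances in InspSG.
        authorize(g, "WebSG", "tcp", (p, p), src_group="InspSG")
    return g


def exposure_report(groups):
    """Which groups an arbitrary Internet host (constructed address) can reach."""
    internet = "198.51.100.7"
    return {name: any(allows(groups, name, "tcp", p, src_ip=internet)
                      for p in (22, 80, 443, 3389, DB_PORTS[0]))
            for name in groups}


if __name__ == "__main__":
    for label, g in (("slide 19", build_slide19()), ("slide 20", build_slide20())):
        print(label, exposure_report(g))
```

The point of the model is the -o form: AppSG and DBSG never name an address at all, so adding web servers or moving them to new addresses changes nothing in the lower tiers, and a flow from the web tier straight to the database port is rejected because no DBSG rule names WebSG. The same evaluation shows why slide 20's change matters: once the 0.0.0.0/0 rules are removed from WebSG, an Internet source matches nothing on the web tier and can only reach the inspection group.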
Slide 21. (diagram) Your corporate network connected to Your VPC in the Amazon Web Services Cloud by an IPsec tunnel: tunnel mode, 128-bit AES, SHA-1, PFS, BGP.

Slides 22-33. VPC support
Currently:
- EC2 on-demand and reserved
- EBS
- CloudWatch
- Linux/Unix and Windows
- US-East, EU-West
Upcoming:
- >1 AZ, >1 router
- Bidirectional Internet
- Elastic IPs
- Elastic Load Balancing
- Autoscaling
- DevPay
- Inter-subnet security groups
- Subnet ACLs
(diagram) Your corporate network, Your VPC, Amazon Web Services Cloud
Slides 34-43. Amazon S3
ACL permissions on objects: Open/download, View permissions, Edit permissions
ACL permissions on buckets: List, Upload/delete, View permissions, Edit permissions
Things to know:
- "Key" = name of object
- 99.999999999% annual durability
- Versioning support
Bucket policies:
- Choice of 25 operations on objects, buckets, and bucket sub-resources
- Know your JSON

Slides 44-48. IAM controls: AWS services, Resources, Source IP, Time of day, Use of SSL
http://aws.amazon.com/iam/

Slide 49. IAM details
Preview beta includes: Amazon EC2, S3, VPC, SQS, SNS, RDS, SimpleDB, Auto Scaling, ELB
Configured via API calls: add users, define groups and hierarchies, set permissions, enable API calls, assign MFAs
Future: user login to console, user management console
No additional charge

Slide 50. http://aws.amazon.com/mfa/

Slide 52. *:*

Slide 53. Compliance
- HIPAA: current customer deployments; whitepaper describes the specifics
- SAS 70 Type II: multiple audits; simplified process to get your copy
- FISMA moderate Authority to Operate
- ISO 27001/27002

Slide 54. SAS 70 Type II controls

Slide 55. aws-security@amazon.com
https://aws.amazon.com/security/aws-pgp-public-key/

Slide 56. http://aws.amazon.com/security/

Slide 57. Thank you very much!
Steve Riley, steriley@amazon.com, @steveriley, @awscloud
http://stvrly.wordpress.com
http://aws.typepad.com