7. Security ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
Distributed Embedded
8. Strengthen your security posture
Get native functionality and tools
Over 30 global compliance
certifications and accreditations
Leverage security enhancements gleaned
from 1M+ customer experiences
Benefit from AWS industry leading
security teams 24/7, 365 days a year
Security infrastructure built to
satisfy military, global banks, and other
high-sensitivity organizations
9. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability
Zones
Edge
Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
Security is a shared responsibility
Customers are
responsible for
their security IN
the Cloud
AWS is
responsible for
the security OF
the Cloud
11. AWS Assurance Programs
AWS maintains a formal control environment
• SOC 1 Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001, 27017, 27018 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• Architect for HIPAA compliance
12. AWS Account Relationship
AWS Account
Ownership
AWS Account
Contact
Information
AWS Sales
AWS Solutions Architects
AWS Support
AWS Professional Services
AWS Consulting Partners
18. AWS CloudTrail & CloudWatch
AWS
CloudTrail
Amazon
CloudWatch
ü Enable globally for all AWS Regions
ü Encryption & Integrity Validation
ü Archive & Forward
ü Amazon CloudWatch Logs
ü Metrics & Filters
ü Alarms & Notifications
20. AWS Global Infrastructure
13 AWS Regions
• North America (4)
• Europe (2)
• Asia Pacific (6)
• South America (1)
Each Region has at least 2 Availability Zones
• 35 Availability Zones (AZs)
56 AWS Edge Locations
• North America (21)
• Europe (16)
• Asia Pacific (17)
• South America (2)
Availability
Zone A
Availability
Zone B
Availability
Zone C
21. VPC Public Subnet 10.10.1.0/24
VPC Public Subnet
10.10.2.0/24
VPC CIDR 10.10.0.0/16
VPC Private Subnet 10.10.3.0/24 VPC Private Subnet 10.10.4.0/24
VPC Private Subnet 10.10.5.0/24 VPC Private Subnet 10.10.6.0/24
AZ A AZ B
Public ELB
Internal ELB
RDS
Master
Autoscaling
Web Tier
Autoscaling
Application Tier
Internet
Gateway
RDS
Standby
Snapshots
Multi-AZ RDS
Data Tier
Existing
Datacenter
Virtual
Private
Gateway
Customer
Gateway
VPN Connection
Direct Connect
Network
Partner
Location
Administrators &
Corporate Users
Amazon Virtual Private Cloud
22. Availability Zone A
Private subnet
Public subnet
Private subnet
Availability Zone B
Public subnet
Private subnet
ELB
Web
Back end
VPC CIDR 10.1.0.0/16
ELB
Web
Back end
VPC
sg_ELB_FrontEnd (ELB Security Group)
sg_Web_Frontend (Web Security Group)
Security Groups
sg_Backend (Backend Security Group)
26. VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
AWS
account
Source IP
Destination IP
Source port
Destination port
Interface Protocol Packets
Bytes Start/end time
Accept
or reject
30. Cryptographic Services
Amazon
CloudHSM
ü Deep integration with AWS Services
ü CloudTrail
ü AWS SDK for application encryption
ü Dedicated HSM
ü Integrate with on-premises HSMs
ü Hybrid Architectures
AWS
KMS
32. AWS Config & Config Rules
AWS
Config
Amazon
Config
Rules
ü Record configuration changes
continuously
ü Time-series view of resource
changes
ü Archive & Compare
ü Enforce best practices
ü Automatically roll-back unwanted
changes
ü Trigger additional workflow
45. Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support Dev/Ops Model
• Automatable via API’s
• AWS Context Aware
• Static & Dynamic Telemetry
• Integrated with CI/CD tools
• On-Demand Pricing model
• CVE & CIS Rules Packages
• AWS AppSec Best Practices