SlideShare a Scribd company logo
1 of 14
AWS Shared Security
    Larry Pizette
Dimensions of Shared Responsibility & Control
1. Operation within the Service: The functions the
   customer controls and configurations they choose
   (e.g., in EC2)
2. Security Configurability: The tools AWS gives
   customers to configure their security stance
   (e.g., access policies, security groups)
3. Security Features Which Span Services: Some
   security configuration features are global, others
   service-specific (e.g., IAM)
4. Layered Security Controls: How customers can
   integrate their existing controls into AWS
   (e.g., Active Directory, Drupal user management)
1. Operation within the Service

 Customers may choose the controls they implement
 and specific configurations/operations
 Example: EC2 instances
     Manage root/administrative access to guest OS
     Install software
     Start and stop services
     Manage EC2 key pairs
 Example: Relational Database Service
   Administration of RDBMS but not OS
 Example: DynamoDB
   Fully managed service
   Integrates with IAM
2. Security Configurability
  AWS services provide rich security controls tailored to
  each service – customers choose which to implement
  Example VPC responsibility and control options
   Configure security groups
   Control network ACLs
   Configure network routing
  Example S3 responsibility and control options
   Rich support for IAM policies
   Service specific access controls
   Logging
  Example RDS responsibility and control options
   Configure database security groups
   Database username and password management
3. Security Features Which Span Services

 Some Security Features are global, others service-
 specific. Choosing which is right for your application
 is critical.
 Broader potential impact to other services
   Example: Identity and Access Management can provide
    access to many other services
   Example: EC2 can be used to access many services
    (See EC2 IAM roles)
 Narrower potential impact to other services
   Example: S3 provides a critical and foundational service
    for many other AWS services, but impact of the security
    configuration is limited to the service itself
4. Layered Security Controls
 How customers can integrate their existing controls
 into AWS (typically implemented within EC2
 instances)
 Examples
     Active Directory or ADFS within EC2
     Encrypted file system on Elastic Block Storage (EBS)
     OS-level firewalls (e.g., RHEL, Windows) or IDS systems
     Virtual appliances (e.g., Checkpoint, Sophos, Xceedium)
     Application level security
     Installing X.509 certificates in Web servers
Types of Access Credentials Used on AWS
 Amazon Access Keys (for APIs)
   REST/Query Protocol requests (e.g., Java SDK)
 Usernames and Passwords for interactive scenarios
   Management console
 X.509 Certificates
   SOAP access to some services
 Amazon EC2 Key Pairs
   Access to running EC2 instances
 Amazon CloudFront Key Pairs
   Create signed urls to access private CloudFront content
   Public key, private key, key pair ID
EC2 Security Groups (SGs)
 SGs specify the allowed inbound network traffic by
 port, protocol, and originating IP addresses
 SGs are applied before traffic gets to guest OS
 EC2 instances can be assigned to Security Groups

   Customer 1        Customer 2            …       Customer n


                              Hypervisor

                             Virtual Interfaces
    Customer 1
  Security Groups
                      Customer 2
                    Security Groups        …        Customer n
                                                  Security Groups

                                Firewall
        Physical Interfaces
MySQL RDS Security
 Database Security Group
   Acts like a firewall controlling network access
   DB Security Group to allow access from EC2 Instances
    with specific EC2 Security Group/VPC Security Group
    membership or IP ranges
   Same rules apply to all DB Instances associated with
    DB Security Group
 Keys to Access RDS APIs
   X.509 certificates or AWS Access keys
 Database username and password
S3 Security

 Encryption in-transit
   HTTPS option to protect data in transit
 Encryption at rest
   Server side: AWS AES-256 bit encryption option
   Client side: Encrypt your data before it gets to AWS
 Access control
   Predefined “Canned”
   Custom configured
Amazon Virtual Private Cloud (VPC)

 Create a logically isolated environment in Amazon’s highly scalable
 infrastructure
 Specify your private IP address range into one or more public or private
 subnets
 Control inbound and outbound access to and from individual subnets
 using stateless Network Access Control Lists
 Protect your instances with stateful filters for inbound and outbound
 traffic using Security Groups
 Attach an Elastic IP address to any instance in your VPC so it can be
 reached directly from the Internet
 Bridge your VPC and your onsite IT infrastructure with an industry
 standard encrypted VPN connection
VPC V1
VPC V2
Thank you!

More Related Content

What's hot

Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS Amazon Web Services
 
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...😸 Richard Spindler
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAmazon Web Services
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSAmazon Web Services
 
AWS Shared Responsibility Model - AWS Symposium 2014 - Washington D.C.
AWS Shared Responsibility Model - AWS Symposium 2014 - Washington D.C. AWS Shared Responsibility Model - AWS Symposium 2014 - Washington D.C.
AWS Shared Responsibility Model - AWS Symposium 2014 - Washington D.C. Amazon Web Services
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityLalitMohanSharma8
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWSAmazon Web Services
 
AWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's PerspectiveAWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's PerspectiveJason Chan
 
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYCAWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYCAmazon Web Services
 
AWS - Security and Compliance Overview
AWS - Security and Compliance OverviewAWS - Security and Compliance Overview
AWS - Security and Compliance OverviewRightScale
 
Amazon Web Services: Overview of Security Processes
Amazon Web Services: Overview of Security ProcessesAmazon Web Services: Overview of Security Processes
Amazon Web Services: Overview of Security Processeswhite paper
 
The AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeThe AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeAmazon Web Services
 
Amazon AWS Shared Security Model
Amazon AWS Shared Security Model Amazon AWS Shared Security Model
Amazon AWS Shared Security Model James Mascarenhas
 
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...Amazon Web Services
 

What's hot (20)

Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & Compliance
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWS
 
AWS Shared Responsibility Model - AWS Symposium 2014 - Washington D.C.
AWS Shared Responsibility Model - AWS Symposium 2014 - Washington D.C. AWS Shared Responsibility Model - AWS Symposium 2014 - Washington D.C.
AWS Shared Responsibility Model - AWS Symposium 2014 - Washington D.C.
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWS
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWS
 
AWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's PerspectiveAWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's Perspective
 
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYCAWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
AWS - Security and Compliance Overview
AWS - Security and Compliance OverviewAWS - Security and Compliance Overview
AWS - Security and Compliance Overview
 
Security & Compliance (Part 2)
Security & Compliance (Part 2)Security & Compliance (Part 2)
Security & Compliance (Part 2)
 
Amazon Web Services: Overview of Security Processes
Amazon Web Services: Overview of Security ProcessesAmazon Web Services: Overview of Security Processes
Amazon Web Services: Overview of Security Processes
 
The AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeThe AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in Practice
 
Amazon AWS Shared Security Model
Amazon AWS Shared Security Model Amazon AWS Shared Security Model
Amazon AWS Shared Security Model
 
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...
 
Shared Responsibility Deep Dive
Shared Responsibility Deep DiveShared Responsibility Deep Dive
Shared Responsibility Deep Dive
 

Viewers also liked

Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAmazon Web Services
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
Shared Responsibility In Action
Shared Responsibility In ActionShared Responsibility In Action
Shared Responsibility In ActionMark Nunnikhoven
 
CPN211 My Datacenter Has Walls That Move - AWS re: Invent 2012
CPN211 My Datacenter Has Walls That Move - AWS re: Invent 2012CPN211 My Datacenter Has Walls That Move - AWS re: Invent 2012
CPN211 My Datacenter Has Walls That Move - AWS re: Invent 2012Amazon Web Services
 
AWS Partner Presentation-Sonian-AWS Cloud Storage for the Enterprise 2012
AWS Partner Presentation-Sonian-AWS Cloud Storage for the Enterprise 2012AWS Partner Presentation-Sonian-AWS Cloud Storage for the Enterprise 2012
AWS Partner Presentation-Sonian-AWS Cloud Storage for the Enterprise 2012Amazon Web Services
 
AWS 101 Lunch and Learn Jan 2013
AWS 101 Lunch and Learn Jan 2013AWS 101 Lunch and Learn Jan 2013
AWS 101 Lunch and Learn Jan 2013Amazon Web Services
 
AWS Summit Auckland 2014 | Desktops in the Cloud
 AWS Summit Auckland 2014 | Desktops in the Cloud  AWS Summit Auckland 2014 | Desktops in the Cloud
AWS Summit Auckland 2014 | Desktops in the Cloud Amazon Web Services
 
ARC201 AWS Database Tier Architecture Best Practices - AWS re: Invent 2012
ARC201 AWS Database Tier Architecture Best Practices - AWS re: Invent 2012ARC201 AWS Database Tier Architecture Best Practices - AWS re: Invent 2012
ARC201 AWS Database Tier Architecture Best Practices - AWS re: Invent 2012Amazon Web Services
 
CPN301 The Best Amazon EC2 Features You Never Knew About - AWS re: Invent 2012
CPN301 The Best Amazon EC2 Features You Never Knew About - AWS re: Invent 2012CPN301 The Best Amazon EC2 Features You Never Knew About - AWS re: Invent 2012
CPN301 The Best Amazon EC2 Features You Never Knew About - AWS re: Invent 2012Amazon Web Services
 
AWS Customer Presentation – What's Up Interactive – AWS Cloud Storage for the...
AWS Customer Presentation – What's Up Interactive – AWS Cloud Storage for the...AWS Customer Presentation – What's Up Interactive – AWS Cloud Storage for the...
AWS Customer Presentation – What's Up Interactive – AWS Cloud Storage for the...Amazon Web Services
 
Benchmarking and Performance on AWS - AWS India Summit 2012
Benchmarking and Performance on AWS - AWS India Summit 2012Benchmarking and Performance on AWS - AWS India Summit 2012
Benchmarking and Performance on AWS - AWS India Summit 2012Amazon Web Services
 
Cloud workload protection for obs by seclud it
Cloud workload protection for obs by seclud itCloud workload protection for obs by seclud it
Cloud workload protection for obs by seclud itSecludIT
 
Deployer son propre SOC !
Deployer son propre SOC ! Deployer son propre SOC !
Deployer son propre SOC ! SecludIT
 
The real cost of ignoring network security.
The real cost of ignoring network security.The real cost of ignoring network security.
The real cost of ignoring network security.SecludIT
 
Microservices docker-security
Microservices docker-securityMicroservices docker-security
Microservices docker-securitySergio Loureiro
 
CPN102 Your First Week with Amazon Elastic Compute Cloud - AWS re: Invent …
CPN102 Your First Week with Amazon Elastic Compute Cloud - AWS re: Invent …CPN102 Your First Week with Amazon Elastic Compute Cloud - AWS re: Invent …
CPN102 Your First Week with Amazon Elastic Compute Cloud - AWS re: Invent …Amazon Web Services
 

Viewers also liked (20)

AWS Security
AWS SecurityAWS Security
AWS Security
 
Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices Masterclass
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Shared Responsibility In Action
Shared Responsibility In ActionShared Responsibility In Action
Shared Responsibility In Action
 
Seclud it polesc_sjuly7
Seclud it polesc_sjuly7Seclud it polesc_sjuly7
Seclud it polesc_sjuly7
 
CPN211 My Datacenter Has Walls That Move - AWS re: Invent 2012
CPN211 My Datacenter Has Walls That Move - AWS re: Invent 2012CPN211 My Datacenter Has Walls That Move - AWS re: Invent 2012
CPN211 My Datacenter Has Walls That Move - AWS re: Invent 2012
 
Jz 101 t
Jz 101 tJz 101 t
Jz 101 t
 
AWS Partner Presentation-Sonian-AWS Cloud Storage for the Enterprise 2012
AWS Partner Presentation-Sonian-AWS Cloud Storage for the Enterprise 2012AWS Partner Presentation-Sonian-AWS Cloud Storage for the Enterprise 2012
AWS Partner Presentation-Sonian-AWS Cloud Storage for the Enterprise 2012
 
AWS 101 Lunch and Learn Jan 2013
AWS 101 Lunch and Learn Jan 2013AWS 101 Lunch and Learn Jan 2013
AWS 101 Lunch and Learn Jan 2013
 
AWS Summit Auckland 2014 | Desktops in the Cloud
 AWS Summit Auckland 2014 | Desktops in the Cloud  AWS Summit Auckland 2014 | Desktops in the Cloud
AWS Summit Auckland 2014 | Desktops in the Cloud
 
ARC201 AWS Database Tier Architecture Best Practices - AWS re: Invent 2012
ARC201 AWS Database Tier Architecture Best Practices - AWS re: Invent 2012ARC201 AWS Database Tier Architecture Best Practices - AWS re: Invent 2012
ARC201 AWS Database Tier Architecture Best Practices - AWS re: Invent 2012
 
CPN301 The Best Amazon EC2 Features You Never Knew About - AWS re: Invent 2012
CPN301 The Best Amazon EC2 Features You Never Knew About - AWS re: Invent 2012CPN301 The Best Amazon EC2 Features You Never Knew About - AWS re: Invent 2012
CPN301 The Best Amazon EC2 Features You Never Knew About - AWS re: Invent 2012
 
AWS Customer Presentation – What's Up Interactive – AWS Cloud Storage for the...
AWS Customer Presentation – What's Up Interactive – AWS Cloud Storage for the...AWS Customer Presentation – What's Up Interactive – AWS Cloud Storage for the...
AWS Customer Presentation – What's Up Interactive – AWS Cloud Storage for the...
 
Benchmarking and Performance on AWS - AWS India Summit 2012
Benchmarking and Performance on AWS - AWS India Summit 2012Benchmarking and Performance on AWS - AWS India Summit 2012
Benchmarking and Performance on AWS - AWS India Summit 2012
 
Cloud workload protection for obs by seclud it
Cloud workload protection for obs by seclud itCloud workload protection for obs by seclud it
Cloud workload protection for obs by seclud it
 
Deployer son propre SOC !
Deployer son propre SOC ! Deployer son propre SOC !
Deployer son propre SOC !
 
The real cost of ignoring network security.
The real cost of ignoring network security.The real cost of ignoring network security.
The real cost of ignoring network security.
 
Microservices docker-security
Microservices docker-securityMicroservices docker-security
Microservices docker-security
 
CPN102 Your First Week with Amazon Elastic Compute Cloud - AWS re: Invent …
CPN102 Your First Week with Amazon Elastic Compute Cloud - AWS re: Invent …CPN102 Your First Week with Amazon Elastic Compute Cloud - AWS re: Invent …
CPN102 Your First Week with Amazon Elastic Compute Cloud - AWS re: Invent …
 
Amazon EFS
Amazon EFSAmazon EFS
Amazon EFS
 

Similar to In Depth: AWS Shared Security Model

APN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA PartnersAPN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA PartnersAmazon Web Services
 
Amazon Web Services Federation Integration Governance Workshop with Layer 7
Amazon Web Services Federation Integration Governance Workshop with Layer 7Amazon Web Services Federation Integration Governance Workshop with Layer 7
Amazon Web Services Federation Integration Governance Workshop with Layer 7CA API Management
 
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWSSecurity and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWSAmazon Web Services
 
16h30 aws gru security deck
16h30   aws gru security deck16h30   aws gru security deck
16h30 aws gru security deckinfolive
 
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 AustraliaSecurity and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 AustraliaAmazon Web Services
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesIan Massingham
 
Security Best Practices: AWS AWSome Day Management Track
Security Best Practices: AWS AWSome Day Management TrackSecurity Best Practices: AWS AWSome Day Management Track
Security Best Practices: AWS AWSome Day Management TrackIan Massingham
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriOWASP Delhi
 
Architecting for Greater Security - London Summit Enteprise Track RePlay
Architecting for Greater Security - London Summit Enteprise Track RePlayArchitecting for Greater Security - London Summit Enteprise Track RePlay
Architecting for Greater Security - London Summit Enteprise Track RePlayAmazon Web Services
 
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리Amazon Web Services Korea
 

Similar to In Depth: AWS Shared Security Model (20)

APN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA PartnersAPN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
 
Amazon Web Services Federation Integration Governance Workshop with Layer 7
Amazon Web Services Federation Integration Governance Workshop with Layer 7Amazon Web Services Federation Integration Governance Workshop with Layer 7
Amazon Web Services Federation Integration Governance Workshop with Layer 7
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWSSecurity and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
16h30 aws gru security deck
16h30   aws gru security deck16h30   aws gru security deck
16h30 aws gru security deck
 
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 AustraliaSecurity and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
 
Staying Secure in the Cloud
Staying Secure in the CloudStaying Secure in the Cloud
Staying Secure in the Cloud
 
Security & Compliance (Part 1)
Security & Compliance (Part 1)Security & Compliance (Part 1)
Security & Compliance (Part 1)
 
Intro to AWS Security
Intro to AWS SecurityIntro to AWS Security
Intro to AWS Security
 
Security best practices
Security best practices Security best practices
Security best practices
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Security Best Practices: AWS AWSome Day Management Track
Security Best Practices: AWS AWSome Day Management TrackSecurity Best Practices: AWS AWSome Day Management Track
Security Best Practices: AWS AWSome Day Management Track
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
 
Brief Security Overview
Brief Security OverviewBrief Security Overview
Brief Security Overview
 
Architecting for Greater Security - London Summit Enteprise Track RePlay
Architecting for Greater Security - London Summit Enteprise Track RePlayArchitecting for Greater Security - London Summit Enteprise Track RePlay
Architecting for Greater Security - London Summit Enteprise Track RePlay
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
9 Security Best Practices
9 Security Best Practices9 Security Best Practices
9 Security Best Practices
 
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 

Recently uploaded (20)

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 

In Depth: AWS Shared Security Model

  • 1. AWS Shared Security Larry Pizette
  • 2. Dimensions of Shared Responsibility & Control 1. Operation within the Service: The functions the customer controls and configurations they choose (e.g., in EC2) 2. Security Configurability: The tools AWS gives customers to configure their security stance (e.g., access policies, security groups) 3. Security Features Which Span Services: Some security configuration features are global, others service-specific (e.g., IAM) 4. Layered Security Controls: How customers can integrate their existing controls into AWS (e.g., Active Directory, Drupal user management)
  • 3. 1. Operation within the Service Customers may choose the controls they implement and specific configurations/operations Example: EC2 instances  Manage root/administrative access to guest OS  Install software  Start and stop services  Manage EC2 key pairs Example: Relational Database Service  Administration of RDBMS but not OS Example: DynamoDB  Fully managed service  Integrates with IAM
  • 4. 2. Security Configurability AWS services provide rich security controls tailored to each service – customers choose which to implement Example VPC responsibility and control options  Configure security groups  Control network ACLs  Configure network routing Example S3 responsibility and control options  Rich support for IAM policies  Service specific access controls  Logging Example RDS responsibility and control options  Configure database security groups  Database username and password management
  • 5. 3. Security Features Which Span Services Some Security Features are global, others service- specific. Choosing which is right for your application is critical. Broader potential impact to other services  Example: Identity and Access Management can provide access to many other services  Example: EC2 can be used to access many services (See EC2 IAM roles) Narrower potential impact to other services  Example: S3 provides a critical and foundational service for many other AWS services, but impact of the security configuration is limited to the service itself
  • 6. 4. Layered Security Controls How customers can integrate their existing controls into AWS (typically implemented within EC2 instances) Examples  Active Directory or ADFS within EC2  Encrypted file system on Elastic Block Storage (EBS)  OS-level firewalls (e.g., RHEL, Windows) or IDS systems  Virtual appliances (e.g., Checkpoint, Sophos, Xceedium)  Application level security  Installing X.509 certificates in Web servers
  • 7. Types of Access Credentials Used on AWS Amazon Access Keys (for APIs)  REST/Query Protocol requests (e.g., Java SDK) Usernames and Passwords for interactive scenarios  Management console X.509 Certificates  SOAP access to some services Amazon EC2 Key Pairs  Access to running EC2 instances Amazon CloudFront Key Pairs  Create signed urls to access private CloudFront content  Public key, private key, key pair ID
  • 8. EC2 Security Groups (SGs) SGs specify the allowed inbound network traffic by port, protocol, and originating IP addresses SGs are applied before traffic gets to guest OS EC2 instances can be assigned to Security Groups Customer 1 Customer 2 … Customer n Hypervisor Virtual Interfaces Customer 1 Security Groups Customer 2 Security Groups … Customer n Security Groups Firewall Physical Interfaces
  • 9. MySQL RDS Security Database Security Group  Acts like a firewall controlling network access  DB Security Group to allow access from EC2 Instances with specific EC2 Security Group/VPC Security Group membership or IP ranges  Same rules apply to all DB Instances associated with DB Security Group Keys to Access RDS APIs  X.509 certificates or AWS Access keys Database username and password
  • 10. S3 Security Encryption in-transit  HTTPS option to protect data in transit Encryption at rest  Server side: AWS AES-256 bit encryption option  Client side: Encrypt your data before it gets to AWS Access control  Predefined “Canned”  Custom configured
  • 11. Amazon Virtual Private Cloud (VPC) Create a logically isolated environment in Amazon’s highly scalable infrastructure Specify your private IP address range into one or more public or private subnets Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists Protect your instances with stateful filters for inbound and outbound traffic using Security Groups Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection