
Security in the AWS Cloud - Steve Riley


  1. Security in the AWS Cloud. Steve Riley, steriley@amazon.com, @steveriley, @awscloud, http://stvrly.wordpress.com
  2. Amazon Web Services; Amazon CloudFront
  9. Diagram comparing Amazon S3, Amazon SimpleDB, Amazon RDS (multi AZ), Amazon EBS, Amazon RDS (one AZ) and Amazon EC2 (the "++" ranking markers from the figure are not recoverable)
  10. Isolation layers (diagram, top to bottom):
      Customer 1, Customer 2, ... Customer n instances: customer only; SSH, ID/pw, X.509; root/admin control
      Customer 1, 2, ... n virtual interfaces: customer only; inbound flows default deny
      Hypervisor layer
      Customer 1, 2, ... n security groups: AWS firewall
      Physical interfaces: AWS admins only; SSH via bastions; audits reviewed
  12. Three-tier design (diagram):
      Web tier: HTTP/HTTPS from Internet; SSH/RDP management from corpnet
      Application tier: SSH/RDP management from corpnet
      Database tier: SSH/RDP management from corpnet and vendor
  14. Security group rules for the three tiers, as ec2-authorize commands from the EC2 API tools (-P protocol, -p port or port range, -s source CIDR, -o source security group; "22|3389" stands for one rule for SSH and one for RDP):
      ec2-authorize WebSG -P tcp -p 80 -s 0.0.0.0/0
      ec2-authorize WebSG -P tcp -p 443 -s 0.0.0.0/0
      ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
      ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
      ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
      ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
      ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
      ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
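The three-tier layout of slides 12 and 14 expressed as data, with the check a practitioner wants before applying it. This is an added example, not code from the talk or from AWS: it builds the rules as the IpPermissions structures that boto3's EC2 client method authorize_security_group_ingress() accepts, lints the plan for the two mistakes the slide guards against (SSH/RDP reachable from 0.0.0.0/0, a tier reachable from anything but the tier in front of it), and pushes it through any client exposing that method. The CorpNet and Vendor CIDRs, the application and database port ranges, and the security group IDs are assumed placeholders.

```python
"""Three-tier security-group plan (added example; not code from the talk).

Slide 14's ec2-authorize rules as the IpPermissions structures accepted by
boto3's ec2 client authorize_security_group_ingress(), a lint for the two
mistakes the slide guards against, and a dry-run apply through any client
with that method.  CIDRs, port ranges and group IDs are assumed placeholders.
"""

ANYWHERE = "0.0.0.0/0"
CORPNET = "203.0.113.0/24"  # assumed placeholder (RFC 5737 TEST-NET-3)
VENDOR = "198.51.100.0/24"  # assumed placeholder (RFC 5737 TEST-NET-2)
MGMT_PORTS = (22, 3389)     # SSH and RDP, as on the slide

# The only security group allowed as a *group* source for each tier.
UPSTREAM = {"WebSG": None, "AppSG": "WebSG", "DBSG": "AppSG"}


def cidr_rule(proto, from_port, to_port, cidr):
    """ec2-authorize ... -s CIDR: the source is an address range."""
    return {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": cidr}]}


def group_rule(proto, from_port, to_port, source_group):
    """ec2-authorize ... -o GROUP: the source is whatever runs in another group."""
    return {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
            "UserIdGroupPairs": [{"GroupName": source_group}]}


def mgmt_rules(*cidrs):
    """The '22|3389' shorthand on the slide: one rule per port per source."""
    return [cidr_rule("tcp", p, p, c) for c in cidrs for p in MGMT_PORTS]


def three_tier_plan(app_ports=(8080, 8080), db_ports=(3306, 3306)):
    """Slide 14 as data: {group name: [IpPermissions, ...]}.  Port ranges assumed."""
    return {
        "WebSG": [cidr_rule("tcp", 80, 80, ANYWHERE),
                  cidr_rule("tcp", 443, 443, ANYWHERE)] + mgmt_rules(CORPNET),
        "AppSG": [group_rule("tcp", *app_ports, "WebSG")] + mgmt_rules(CORPNET),
        "DBSG": [group_rule("tcp", *db_ports, "AppSG")] + mgmt_rules(CORPNET, VENDOR),
    }


def lint(plan):
    """Return policy violations as strings; an empty list means the plan is clean."""
    findings = []
    for group, perms in plan.items():
        for p in perms:
            ports = range(p["FromPort"], p["ToPort"] + 1)
            for r in p.get("IpRanges", []):
                if r["CidrIp"] == ANYWHERE and any(m in ports for m in MGMT_PORTS):
                    findings.append(f"{group}: SSH/RDP open to {ANYWHERE}")
                elif r["CidrIp"] == ANYWHERE and group != "WebSG":
                    findings.append(f"{group}: only the web tier faces the Internet")
            for g in p.get("UserIdGroupPairs", []):
                if g["GroupName"] != UPSTREAM[group]:
                    findings.append(f"{group}: group source {g['GroupName']}, "
                                    f"expected {UPSTREAM[group]}")
    return findings


def apply(client, plan, group_ids):
    """Push the plan through an EC2 client (boto3's, or a fake with the same
    method).  Group names are resolved to IDs, which VPC rules require.
    Returns the keyword arguments of each call so a dry run can be inspected."""
    calls = []
    for group, perms in plan.items():
        resolved = []
        for p in perms:
            p = dict(p)
            if "UserIdGroupPairs" in p:
                p["UserIdGroupPairs"] = [{"GroupId": group_ids[g["GroupName"]]}
                                         for g in p["UserIdGroupPairs"]]
            resolved.append(p)
        kwargs = {"GroupId": group_ids[group], "IpPermissions": resolved}
        client.authorize_security_group_ingress(**kwargs)
        calls.append(kwargs)
    return calls


class DryRunClient:
    """Stand-in for boto3.client('ec2') that only records the calls."""
    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


if __name__ == "__main__":
    plan = three_tier_plan()
    print("lint:", lint(plan) or "clean")
    # Constructed IDs; with boto3 you would look them up via describe_security_groups().
    ids = {"WebSG": "sg-0web", "AppSG": "sg-0app", "DBSG": "sg-0db"}
    for call in apply(DryRunClient(), plan, ids):
        print(call["GroupId"], len(call["IpPermissions"]), "rules")
```

Run lint() before apply(): the plan as written passes, and appending a rule such as cidr_rule("tcp", 22, 22, ANYWHERE) to DBSG, or a group rule sourced from WebSG, is reported by name. Passing a real boto3 client instead of DryRunClient issues the same calls against the account.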
  15. Diagram: your VPC inside the Amazon Web Services cloud, connected to your corporate network
  16. Amazon VPC, currently: EC2 on-demand and reserved; EBS; CloudWatch; Linux/Unix and Windows; US-East, EU-West
      Upcoming: more than one AZ and more than one router; outbound Internet; Elastic IPs; Elastic Load Balancing; Autoscaling; DevPay; inter-subnet security groups
      (Diagram: your VPC inside the Amazon Web Services cloud, connected to your corporate network)
  27. Amazon S3 access permissions (diagram): Read, Write, Full; Read, Write, Full. "Key" = name of object
  35. Compliance:
      Sarbanes-Oxley Act: ongoing
      HIPAA: current customer deployments; whitepaper describes the specifics
      SAS 70 Type II: complete; covers physical security, access controls, change management, operations
  37. Thank you very much! Steve Riley, steriley@amazon.com, @steveriley, @awscloud, http://stvrly.wordpress.com
