AWSome Day Online 2020_Module 4: Secure your cloud applications

This module covers how AWS approaches securing the cloud, along with the AWS Shared Responsibility Model, AWS access control and management, AWS security compliance programs, and the resources available to you for understanding AWS Cloud security options.

  1. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Module 4: Secure your cloud applications. Navjot Singh, Technical Trainer, AWS
  2. (no text on this slide)
  3. Security is our top priority: designed for security, constantly monitored, highly automated, highly available, highly accredited
  4. Security of the cloud (AWS responsibility)
     • Hosts, network, software, facilities
     • Protection of the AWS global infrastructure is top priority
     • Availability of third-party audit reports
     Diagram: foundation services (compute, storage, database, network) running on the AWS global infrastructure (Regions, Availability Zones, edge locations)
  5. Security in the cloud (customer responsibility). Considerations:
     • What you should store
     • Which AWS services you should use
     • Which Region to store in
     • In what content format and structure
     • Who has access
     Diagram of the customer layers: customer data; platform, applications, identity and access management; operating system, network and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity)
  6. AWS shared responsibility model
     • Customer, security in the cloud: customer data; platform, applications, identity and access management; operating system, network and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity)
     • AWS, security of the cloud: foundation services (compute, storage, database, network) and the AWS global infrastructure (Regions, Availability Zones, edge locations)
  7. Security, identity, and compliance products: AWS Artifact, AWS Certificate Manager, Amazon Cloud Directory, AWS CloudHSM, Amazon Cognito, AWS Directory Service, AWS Firewall Manager, Amazon GuardDuty, AWS Identity and Access Management, Amazon Inspector, AWS Key Management Service, Amazon Macie, AWS Organizations, AWS Shield, AWS Secrets Manager, AWS Single Sign-On, AWS WAF
  8. Manage authentication and authorization (section title)
  9. AWS Identity and Access Management (IAM): securely control access to AWS resources
     • IAM user: a person or application that interacts with AWS
     • Group: a collection of users with identical permissions
     • Role: temporary privileges that an entity can assume
  10. Authentication: Who are you? Diagram: an IAM user or IAM group authenticates to IAM through the AWS CLI, the AWS SDKs, or the AWS Management Console
  11. Authorization: What can you do? Diagram: IAM policies (for example, full access or read only) attached to an IAM user, group, or role determine what it may do to an Amazon S3 bucket through the AWS CLI
  12. IAM roles
     • IAM users, applications, and services may assume IAM roles
     • A role uses an IAM policy for its permissions
  13. Using roles for temporary security credentials. Diagram: an application on an EC2 instance needs to reach an Amazon S3 bucket
  14. Using roles for temporary security credentials. Diagram: the application and the Amazon S3 bucket, no access yet
  15. Using roles for temporary security credentials. Diagram: an IAM role with an attached IAM policy is created for the bucket access
  16. Using roles for temporary security credentials. Diagram: the EC2 instance assumes the IAM role
  17. Using roles for temporary security credentials. Diagram: the application uses the role's temporary credentials, scoped by the IAM policy, to access the Amazon S3 bucket
  18. (no text on this slide)
  19. Best practices
     • Delete access keys for the AWS account root user
     • Activate multi-factor authentication (MFA)
     • Only give IAM users the permissions they need
     • Use roles for applications
     • Rotate credentials regularly
     • Remove unnecessary users and credentials
     • Monitor activity in your AWS account
  20. Assess your security and compliance (section title)
  21. Challenges of threat assessment: expensive, complex, time-consuming, difficult to track IT changes
  22. What is Amazon Inspector? Automated security assessment as a service
     • Assesses applications for vulnerabilities
     • Produces a detailed list of security findings
     • Leverages security best practices
  23. Amazon Inspector findings (screenshot)
  24. Remediation recommendation (screenshot)
  25. Protect your infrastructure from Distributed Denial of Service (DDoS) attacks (section title)
  26. What is DDoS? (diagram)
  27. DDoS mitigation challenges: manual, degraded performance, limited bandwidth, involves rearchitecting, time-consuming, expensive, complex
  28. What is AWS Shield?
     • A managed DDoS protection service
     • Always-on detection and mitigations
     • Seamless integration and deployment
     • Cost-efficient and customizable protection
  29. AWS Shield Standard and AWS Shield Advanced
     • AWS Shield Standard (included): quick detection, inline attack mitigation
     • AWS Shield Advanced (optional): enhanced detection, advanced attack mitigation, visibility and attack notification, DDoS cost protection, specialized support
  30. AWS security compliance (section title)
  31. Assurance programs (diagram)
  32. How AWS helps customers achieve compliance
     • Sharing information: industry certifications; security and control practices; compliance reports directly under NDA
     • Assurance program: certifications/attestations; laws, regulations, and privacy; alignments/frameworks
  33. (no text on this slide)
  34. Customer responsibility: Review – Design – Identify – Verify
  35. (no text on this slide)
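The following Python is an added example, not part of the deck or AWS code, that reimplements the core of the authorization decision behind slides 11 and 15 to 17: a policy attached to a user, group or role is evaluated with default deny, an explicit Deny overriding any Allow, and wildcard matching on action and resource. The bucket name is constructed; conditions, resource policies, service control policies and permissions boundaries that real IAM also evaluates are omitted.

```python
"""Simplified IAM policy evaluation (added example, not AWS code)."""
from fnmatch import fnmatchcase

# Constructed bucket name for the example; use your own ARN in a real policy.
BUCKET_ARN = "arn:aws:s3:::example-app-data"

# "Read only" from slide 11: list the bucket and read its objects, nothing else.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    ],
}

# "Full access": every S3 action on every bucket, the grant least privilege avoids.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # '*' and '?' are the IAM wildcards; action names compare case-insensitively,
    # resource ARNs compare exactly.
    if case_insensitive:
        value = value.lower()
    return any(fnmatchcase(value, p.lower() if case_insensitive else p)
               for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Return True when `policy` permits `action` on `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny overrides any matching allow
        allowed = True
    return allowed  # no matching statement: default deny


if __name__ == "__main__":
    print(is_allowed(READ_ONLY_POLICY, "s3:PutObject", BUCKET_ARN + "/x"))  # False
```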
