© 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved.
Best Practices for Security at Scale
“Best of the Best” Tips for Security in the Cloud
Phil Rodrigues
Security Solutions Architect
Amazon Web Services
Level 200
Agenda
• Sources of Best Practices
• A Bad Day
• Best of the Best Practices
– Identity and Access Management
– Logging and Monitoring
– Infrastructure Security
– Data Protection
• Click, Script, Commit
• Tools and Automation
Sources of Best Practices

AWS Cloud Adoption Framework (CAF)
How to move to the cloud securely following the Security Perspective. Core Capabilities:
• Identity and Access Management
• Logging and Monitoring (Detect)
• Infrastructure Security
• Data Protection
• Incident Response

AWS Security Best Practices
Whitepaper with 44 best practices, including:
• Identity and Access Management (10 best practices)
• Logging and Monitoring (4)
• Infrastructure Security (15)
• Data Protection (15)

Center for Internet Security (CIS) Benchmarks
148 detailed recommendations for configuration and auditing, covering:
• “AWS Foundations” with 52 checks aligned to AWS Best Practices
• “AWS Three-Tier Web Architecture” with 96 checks for web applications
Each CIS Benchmark recommendation is structured as What, Why, Check, Fix.
A is for “Andy” and B is for “Bill”
Andy follows best practices :-)   Bill does NOT follow best practices :-(
Bill’s Bad Day
[Diagram: a single AWS Account containing an Internet Gateway, a Web Server Instance, an Internal Data Service, and two S3 buckets, “Website Images” and “Data Backup”. A Bad Person reaches in from the Internet; the attack runs through steps 1 to 5 below.]
Bill’s Bad Day: the attack
1. Access the vulnerable web application
2. Pivot to the data service
3. Delete the website image files
4. Change permissions on the data backup
5. Download the data backup
Bill’s Bad Day: what made it possible
1. No web application protection
2. One account
3. No segmentation
4. All permissions granted
5. Sensitive data not encrypted
6. No logging, monitoring, alerting

… now let’s help Andy have a great day! :-)
Best of the Best Practices: Identity and Access Management
(Sources for each practice in this section: AWS Best Practices Paper, CIS Foundations Benchmark, CIS Web-Tier Benchmark)

1) Use multiple AWS accounts to reduce blast radius
AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification. A credential stolen from the web tier in one account cannot reach the backup bucket in another.

2) Use limited roles and grant temporary security credentials
IAM roles and temporary security credentials mean you don't have to manage long-term credentials and IAM users for each entity that requires access to a resource. Temporary credentials expire on their own, so a leaked credential has a short useful life.

3) Federate to an existing identity service
Control access to AWS resources, and manage the authentication and authorisation process, without needing to re-create all your corporate users as IAM users.

[Diagram: Production and Staging AWS accounts, each with its own IAM; IAM roles issue temporary security credentials; users sign in with an MFA token through AWS Directory Service.]
[Diagram, step 1 of Andy’s day: the Web Server Instance and the “Website Images” bucket sit in one AWS Account, the Internal Data Service and the “Data Backup” bucket in a second; access goes through IAM roles, temporary security credentials, an MFA token and AWS Directory Service.]
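The three practices above are easiest to see side by side as policy documents. The block below is an added example in Python, not code from the slides or from AWS: Bill's "everything on everything" policy next to the scoped instance-role policy and MFA-gated trust policy Andy's design calls for, plus a small offline linter that flags the wildcard grants and the missing MFA condition the way a CIS check would. The account ID 111122223333, the bucket name and the role names are placeholders; `assume_with_mfa` calls the real `sts:AssumeRole` API via boto3 and is the one function that needs live credentials.

```python
ACCOUNT = "111122223333"                  # placeholder account ID
IMAGES_BUCKET = "example-website-images"  # placeholder bucket name

# Bill: one IAM user, a long-lived access key, and this inline policy.  Any
# foothold that reaches the key can delete images, reopen the backup bucket
# and download it, because nothing is scoped.
BILL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Andy: the web server runs under an instance role that can only read and
# write objects in the images bucket.  The backup bucket is unreachable from
# the web tier because no statement mentions it.
ANDY_WEB_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{IMAGES_BUCKET}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{IMAGES_BUCKET}"},
    ],
}

# Andy's operator role: assumable only by principals in this account, and
# only when the caller authenticated with MFA.  STS hands back temporary
# credentials that expire, so there is no long-lived key to steal.
ANDY_OPERATOR_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def lint_permissions_policy(policy):
    """Findings for Allow statements that grant more than a scoped role
    should: a wildcard action ('*' or 'service:*') or a wildcard resource."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings


def lint_trust_policy(trust):
    """Findings for role trust policies: an open principal, or an IAM
    principal allowed to assume the role without MFA.  Federated (SAML)
    principals are skipped: enforcing MFA is the identity provider's job."""
    findings = []
    for i, st in enumerate(trust["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or "*" in _as_list(principal.get("AWS", [])):
            findings.append(f"statement {i}: open principal")
        elif "AWS" in principal:
            mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
            if str(mfa).lower() != "true":
                findings.append(f"statement {i}: MFA not required")
    return findings


def assume_with_mfa(role_arn, mfa_serial, token_code, session="andy"):
    """Obtain temporary credentials for the operator role.  Needs boto3 and
    real credentials, so it is not exercised offline."""
    import boto3
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session,
        SerialNumber=mfa_serial, TokenCode=token_code, DurationSeconds=3600)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    for label, doc in [("Bill", BILL_POLICY), ("Andy web role", ANDY_WEB_ROLE_POLICY)]:
        print(label, lint_permissions_policy(doc) or "OK")
    print("Andy operator trust", lint_trust_policy(ANDY_OPERATOR_TRUST_POLICY) or "OK")
```

Run the linter over every customer-managed policy and role trust document exported from an account (`aws iam get-account-authorization-details` returns them all) and the two findings on Bill's policy are exactly failure 4 on the "what made it possible" list.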
Best of the Best Practices: Logging and Monitoring
(Sources for each practice in this section: AWS Best Practices Paper, CIS Foundations Benchmark, CIS Web-Tier Benchmark)

4) Turn on logging in all accounts, for all services, in all regions
The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. CloudWatch collects and tracks metrics and monitors log files. A trail that covers only one region leaves the attacker free to work in the others.

5) Use the AWS platform’s built-in monitoring and alerting features
Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity (CloudWatch Alarms on CloudWatch Logs metric filters over the CloudTrail stream).

6) Use a separate AWS account to fetch and store copies of all logs
Configuring a security account to copy logs to a separate bucket ensures access to information which can be useful in security incident response workflows, and keeps that copy out of reach of anyone who compromises the production account.

[Diagram: a Production account running AWS Config, Amazon CloudWatch and AWS CloudTrail, with CloudWatch Alarms; a separate Security account receiving copies of the logs.]
[Diagram, step 2 of Andy’s day: the two accounts from step 1, now with AWS Config, Amazon CloudWatch and AWS CloudTrail enabled in each.]
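Practice 5 is concrete once you see what the alarms trigger on. The block below is an added example in Python, not code from the slides or from AWS: it replays Bill's bad day as constructed CloudTrail records (field names follow the CloudTrail record format; the ARNs, bucket names, trail name and IP address are placeholders) and runs the kind of detections the CIS AWS Foundations Benchmark section 3 expresses as CloudWatch Logs metric filters, plus one extra rule for the image-deletion burst in step 3. In a real deployment the same conditions are written as metric filters with a CloudWatch Alarm on each; here they run offline over a log file so the logic can be checked.

```python
import json
from collections import Counter

ROOT_ARN = "arn:aws:iam::111122223333:root"                                    # placeholder
WEB_ARN = "arn:aws:sts::111122223333:assumed-role/web-server/i-0abc12345"     # placeholder


def _rec(time, source, name, arn, ident_type, **extra):
    """Build a minimal CloudTrail record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
           "userIdentity": {"type": ident_type, "arn": arn}}
    rec.update(extra)
    return rec


# Bill's bad day as CloudTrail would have recorded it, had logging been on.
SAMPLE_LOG = json.dumps({"Records": [
    # root signs in to the console without MFA
    _rec("2017-05-03T09:00:05Z", "signin.amazonaws.com", "ConsoleLogin", ROOT_ARN, "Root",
         additionalEventData={"MFAUsed": "No"}),
    # step 2: pivot with the web server's credentials; a backdoor user is refused
    _rec("2017-05-03T09:10:12Z", "iam.amazonaws.com", "CreateUser", WEB_ARN, "AssumedRole",
         errorCode="AccessDenied"),
    # step 3: delete the website images (S3 data events must be enabled to see these)
    *[_rec(f"2017-05-03T09:11:{s:02d}Z", "s3.amazonaws.com", "DeleteObject", WEB_ARN, "AssumedRole",
           requestParameters={"bucketName": "example-website-images", "key": f"img{s}.png"})
      for s in (1, 2, 3)],
    # step 4: open up the backup bucket
    _rec("2017-05-03T09:12:41Z", "s3.amazonaws.com", "PutBucketAcl", WEB_ARN, "AssumedRole",
         requestParameters={"bucketName": "example-data-backup"}),
    # step 5: download it; a plain read trips none of the filters below
    _rec("2017-05-03T09:13:02Z", "s3.amazonaws.com", "GetObject", WEB_ARN, "AssumedRole",
         requestParameters={"bucketName": "example-data-backup", "key": "backup.tar"}),
    # cover tracks
    _rec("2017-05-03T09:14:30Z", "cloudtrail.amazonaws.com", "StopLogging", WEB_ARN, "AssumedRole",
         requestParameters={"name": "main-trail"}),
]})

# Event names behind the CIS "S3 bucket policy changes" and "CloudTrail
# configuration changes" filters.
S3_BUCKET_CHANGES = {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy",
                     "PutBucketCors", "DeleteBucketCors", "PutBucketLifecycle",
                     "DeleteBucketLifecycle", "PutBucketReplication", "DeleteBucketReplication"}
TRAIL_CHANGES = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}
DELETE_BURST_THRESHOLD = 3  # constructed threshold for the example


def principal(rec):
    return rec.get("userIdentity", {}).get("arn", "unknown")


def classify(rec):
    """Yield the rule names a single record trips (CIS-style filters)."""
    ident = rec.get("userIdentity", {})
    name = rec.get("eventName", "")
    err = rec.get("errorCode", "")
    if err == "AccessDenied" or err.endswith("UnauthorizedOperation"):
        yield "unauthorized_api_call"
    if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        yield "console_login_without_mfa"
    if ident.get("type") == "Root" and "invokedBy" not in ident:
        yield "root_account_usage"
    if rec.get("eventSource") == "s3.amazonaws.com" and name in S3_BUCKET_CHANGES:
        yield "s3_bucket_policy_change"
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_CHANGES:
        yield "cloudtrail_config_change"


def detect(log_text):
    """Return alerts as (rule, principal ARN, event) tuples in log order, then
    one alert per principal whose DeleteObject count reached the threshold."""
    records = json.loads(log_text)["Records"]
    alerts, deletes = [], Counter()
    for rec in records:
        for rule in classify(rec):
            alerts.append((rule, principal(rec), rec["eventName"]))
        if rec.get("eventName") == "DeleteObject":
            deletes[principal(rec)] += 1
    for who, n in deletes.items():
        if n >= DELETE_BURST_THRESHOLD:
            alerts.append(("object_delete_burst", who, f"DeleteObject x{n}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Note what the last record shows: the `StopLogging` alert only exists because the trail was still running when the call was made. With practice 6 in place the copy already delivered to the security account survives whatever happens to the trail afterwards.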
Best of the Best Practices: Infrastructure Security
(Sources for each practice in this section: AWS Best Practices Paper, CIS Foundations Benchmark, CIS Web-Tier Benchmark)

7) Create a threat prevention layer using AWS edge services
Use the 70 worldwide points of presence in the AWS edge network (Amazon CloudFront, AWS Shield, AWS WAF) to provide scalability, protect from denial of service attacks, and protect from web application attacks.

8) Create network zones with Virtual Private Clouds (VPCs) and security groups
Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy. The web tier should be able to reach the internal data service only on the port it needs, and the data service should accept nothing from the Internet.

9) Manage vulnerabilities through patching and scanning
Test virtual machine images and snapshots for operating system and application vulnerabilities (Amazon Inspector) throughout the build pipeline and into the operational environment.

[Diagram, step 3 of Andy’s day: Amazon CloudFront with AWS Shield and AWS WAF in front of the Internet Gateway; the Web Server Instance and the Internal Data Service each behind their own Security Group; Amazon Inspector assessing the instance; the controls from steps 1 and 2 unchanged.]
Best of the Best Practices: Data Protection
(Sources for each practice in this section: AWS Best Practices Paper, CIS Foundations Benchmark, CIS Web-Tier Benchmark)

10) Encrypt data at rest (with occasional exceptions)
Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public: the public website images are the exception, the data backup is not.

11) Use server-side encryption with provider managed keys
AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use a default master key or select a custom master key; in both cases the key material is held and managed by AWS, and KMS issues the data encryption keys the services use.

12) Encrypt data in transit (with no exceptions)
Encryption of data in transit (SSL / TLS / HTTPS) provides protection from accidental disclosure, verifies the integrity of the data, and can be used to validate the remote connection.

[Diagram: AWS KMS issuing a Data Encryption Key to Amazon S3; SSL / TLS / HTTPS between the Internet, Amazon CloudFront and the Internet Gateway.]
[Diagram, step 4 of Andy’s day: the “Data Backup” bucket encrypted with a KMS Data Encryption Key; everything from steps 1 to 3 still in place.]

Best Practices: Andy’s complete environment
[Diagram: two AWS Accounts; Amazon CloudFront with AWS Shield and AWS WAF at the edge; Internet Gateway; Web Server Instance and Internal Data Service each in their own Security Group; “Website Images” and “Data Backup” buckets, the latter under an AWS KMS Data Encryption Key; IAM with Temporary Security Credentials, an MFA token and AWS Directory Service; AWS Config, Amazon CloudWatch, AWS CloudTrail and Amazon Inspector.]
Now it’s time to move from the WHAT to the HOW

Three Speeds: Crawl, Walk, Run
Three Levels: 8-bit Mario, 16-bit Mario, 64-bit Mario
Three Stages: Zero, Pro, Hero
Three Stages: Click, Script, Commit

Three Stages of Cloud Security Maturity
Stage One “Click”: Manual Best Practices; Static Workloads; Release 1x per month
Stage Two “Script”: Automated Controls; Evolving Workloads; Release 1-10x per month
Stage Three “Commit”: Continuous Security; Agile Workloads; Release 10-100x per month
… DevSecOps?
Tools and Automation

Amazon Inspector
An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.

Amazon CloudWatch Events
A monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.

AWS Config Rules
A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.
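A custom Config rule is where the “Script” stage meets practices 10 and 11. The block below is an added example in Python, not code from the slides or from AWS: the Lambda function behind a custom AWS Config rule that evaluates every AWS::S3::Bucket configuration item, requires default server-side encryption, requires a KMS key when the rule parameter `requireKms` is `"true"`, and treats the buckets named in the `exemptBuckets` parameter as the “occasional exceptions” (the public website images). Both parameter names are this example's own. The event and configuration items are constructed; their shape follows what Config delivers to a custom rule's Lambda, including the assumption that `supplementaryConfiguration.ServerSideEncryptionConfiguration` arrives as a JSON string. Only `lambda_handler` needs boto3 and a live `ResultToken`; everything else runs offline.

```python
import json

DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def _sse_rules(item):
    """Default-encryption rules recorded for the bucket, or [] if none."""
    sse = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    if sse is None:
        return []
    if isinstance(sse, str):  # assumption: Config stores this block JSON-encoded
        sse = json.loads(sse)
    return sse.get("rules", [])


def evaluate_bucket(item, params):
    """Return (ComplianceType, Annotation) for one AWS::S3::Bucket item."""
    name = item["resourceName"]
    if item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE", "bucket deleted"
    exempt = {b.strip() for b in params.get("exemptBuckets", "").split(",") if b.strip()}
    if name in exempt:
        return "COMPLIANT", "exempt: approved exception for public content"
    algorithms = [r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
                  for r in _sse_rules(item)]
    algorithms = [a for a in algorithms if a]
    if not algorithms:
        return "NON_COMPLIANT", "no default server-side encryption"
    if params.get("requireKms", "false").lower() == "true" and "aws:kms" not in algorithms:
        return "NON_COMPLIANT", f"default encryption is {algorithms[0]}, KMS key required"
    return "COMPLIANT", "default encryption: " + ", ".join(algorithms)


def build_evaluation(event):
    """Turn the rule's invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    if item["resourceType"] != "AWS::S3::Bucket":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    else:
        compliance, note = evaluate_bucket(item, params)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def lambda_handler(event, context):
    """Entry point when deployed as the rule's Lambda (needs boto3)."""
    import boto3
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


def _config_event(bucket, sse_rules, params):
    """Constructed sample of the event Config sends for one bucket change."""
    supp = {}
    if sse_rules is not None:
        supp["ServerSideEncryptionConfiguration"] = json.dumps({"rules": sse_rules})
    item = {"resourceType": "AWS::S3::Bucket", "resourceId": bucket, "resourceName": bucket,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2017-05-03T10:00:00.000Z",
            "supplementaryConfiguration": supp}
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps(params),
            "resultToken": "constructed-token", "eventLeftScope": False}


PARAMS = {"requireKms": "true", "exemptBuckets": "example-website-images"}  # placeholders
BACKUP_SSE_S3 = _config_event("example-data-backup",
    [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}], PARAMS)
BACKUP_SSE_KMS = _config_event("example-data-backup",
    [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms",
      "kmsMasterKeyID": "arn:aws:kms:ap-southeast-2:111122223333:key/placeholder"}}], PARAMS)
IMAGES_PUBLIC = _config_event("example-website-images", None, PARAMS)

if __name__ == "__main__":
    for ev in (BACKUP_SSE_S3, BACKUP_SSE_KMS, IMAGES_PUBLIC):
        e = build_evaluation(ev)
        print(e["ComplianceResourceId"], e["ComplianceType"], e["Annotation"])
```

Deploy it as a Config rule with a Lambda trigger scoped to `AWS::S3::Bucket` and the two parameters set; a NON_COMPLIANT result can then be routed through CloudWatch Events to a second Lambda that re-applies the bucket's default encryption, which is the "Commit" stage version of the same control.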
See also AWS re:Invent 2016: “5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules” (SAC401).

Prepare your Umbrella Before it Rains
Resources
AWS Security Best Practices White Paper: http://bit.ly/AWSBest
CIS AWS Security Foundations Benchmark: http://bit.ly/AWSCIS
CIS AWS Three-Tier Web Architecture Benchmark: http://bit.ly/AWSCIS3T
Session recording: https://aws.amazon.com/summits/sydney/on-demand-17/security-cloud/
Thank you!

 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Best Practices for Security at Scale

  • 8. Bill’s Bad Day
    (diagram: Bill’s single AWS account with Internet Gateway, Web Server Instance, Internal Data Service and the S3 buckets “Website Images” and “Data Backup”)
    1 No web application protection
    2 One account
    3 No segmentation
    4 All permissions granted
    5 Sensitive data not encrypted
    6 No logging, monitoring, alerting
    … now let’s help Andy have a great day! :-)
  • 9. Best of the Best Practices: Identity and Access Mgmt
    1) Use multiple AWS accounts to reduce blast radius
       AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification.
    2) Use limited roles and grant temporary security credentials
       IAM roles and temporary security credentials mean you don't always have to manage long-term credentials and IAM users for each entity that requires access to a resource.
    3) Federate to an existing identity service
       Control access to AWS resources, and manage the authentication and authorisation process without needing to re-create all your corporate users as IAM users.
    Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
    (diagram: Production and Staging accounts; Temporary Security Credentials, IAM, IAM Roles, MFA token, AWS Directory Service)
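The "All permissions granted" item on Bill's slide and practices 2 and 3 above are things a reviewer can check mechanically. The following is an added example, not code from the deck or from AWS: a small linter that reports IAM Allow statements granting Action "*" on Resource "*" or a whole service, and a check that a role's trust policy only permits sts:AssumeRole when MFA was used (the aws:MultiFactorAuthPresent condition key). The policy documents are constructed; the bucket name and account id are placeholders.

```python
"""Lint IAM policy documents for the "All permissions granted" anti-pattern.

Added example (not from the deck).  find_overly_permissive() reports Allow
statements that are too broad; assume_role_requires_mfa() checks a role
trust policy for an MFA condition.  Sample policies below are constructed.
"""


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overly_permissive(policy):
    """Return [(statement_index, reason)] for Allow statements that are too broad."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((idx, "NotAction allows everything not listed"))
        if "*" in actions and "*" in resources:
            findings.append((idx, "administrative wildcard: Action '*' on Resource '*'"))
            continue
        service_wide = [a for a in actions if a.endswith(":*")]
        if service_wide:
            findings.append((idx, "full-service wildcard: " + ", ".join(service_wide)))
        if "*" in resources and actions:
            findings.append((idx, "Resource '*': scope to ARNs where the service supports it"))
    return findings


def assume_role_requires_mfa(trust_policy):
    """True if every Allow sts:AssumeRole statement demands aws:MultiFactorAuthPresent."""
    stmts = [s for s in _as_list(trust_policy.get("Statement"))
             if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not stmts:
        return False
    for stmt in stmts:
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            return False
    return True


# Constructed: Bill's policy, the "All permissions granted" pattern from the bad-day slide.
BILL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: full S3 access on every bucket; narrower than Bill's, still too broad.
SERVICE_WIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed: Andy's policy, read-only on one bucket (placeholder bucket name).
ANDY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-website-images/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-website-images"},
    ],
}

# Constructed: trust policy letting a placeholder account assume the role only with MFA.
MFA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

if __name__ == "__main__":
    for name, pol in [("bill", BILL_POLICY), ("service-wide", SERVICE_WIDE_POLICY),
                      ("andy", ANDY_POLICY)]:
        print(name, find_overly_permissive(pol))
    print("trust policy requires MFA:", assume_role_requires_mfa(MFA_TRUST_POLICY))
```

Run against the three constructed policies, Bill's produces one administrative-wildcard finding, the service-wide policy two findings, and Andy's none; the same functions can be pointed at policy documents pulled with the IAM API.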
  • 10. Identity and Access Management, step 1
    (diagram: Andy’s design with separate AWS accounts, IAM, Temporary Security Credentials, an MFA token and AWS Directory Service added around the Web Server Instance, Internal Data Service and the S3 buckets “Website Images” and “Data Backup”)
  • 11. Best of the Best Practices: Logging and Monitoring
    4) Turn on logging in all accounts, for all services, in all regions
       The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing.
    5) Use the AWS platform’s built-in monitoring and alerting features
       CloudWatch collects and tracks metrics and monitors log files. Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity.
    6) Use a separate AWS account to fetch and store copies of all logs
       Configuring a security account to copy logs to a separate bucket ensures access to information which can be useful in security incident response workflows.
    Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
    (diagram: AWS Config, Amazon CloudWatch, AWS CloudTrail and CloudWatch Alarms across a Production account and a Security account)
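Practice 5 asks for alarms on "anomalous or sensitive account activity". As an added example (not from the deck or from AWS), here is the detection logic such an alarm encodes, run offline over constructed CloudTrail records: it flags root account use, console sign-in without MFA, and changes to S3 bucket permissions, which is step 4 of Bill's bad day. The equivalent CloudWatch Logs metric filter pattern for the root-use rule is included for comparison. Account ids and bucket names are placeholders.

```python
"""Flag sensitive account activity in CloudTrail records.

Added example, not the deck's code: the checks a CloudWatch alarm on a
CloudTrail log group would encode, applied to constructed records.
"""

# Bucket-permission API calls worth alerting on.
S3_PERMISSION_EVENTS = {
    "PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy",
    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
}

# The root-use rule expressed as a CloudWatch Logs metric filter pattern, for a
# log group fed by CloudTrail (for comparison; the Python below is what runs here).
ROOT_USE_FILTER_PATTERN = (
    '{ ($.userIdentity.type = "Root") && ($.userIdentity.invokedBy NOT EXISTS) '
    '&& ($.eventType != "AwsServiceEvent") }'
)


def classify(record):
    """Return the list of rule names a single CloudTrail record triggers."""
    hits = []
    identity = record.get("userIdentity", {})
    event_name = record.get("eventName")

    # Root credentials used directly (not via a service acting on the account's behalf).
    if identity.get("type") == "Root" and "invokedBy" not in identity \
            and record.get("eventType") != "AwsServiceEvent":
        hits.append("root-account-use")

    # Successful console sign-in where CloudTrail records that no MFA was used.
    if event_name == "ConsoleLogin" \
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes" \
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success":
        hits.append("console-login-without-mfa")

    # Bucket permission changes (Bill's step 4: "Change permissions to the data backup").
    if record.get("eventSource") == "s3.amazonaws.com" and event_name in S3_PERMISSION_EVENTS:
        bucket = record.get("requestParameters", {}).get("bucketName", "<unknown>")
        hits.append("s3-permission-change:" + bucket)
    return hits


def scan(records):
    """Return [(eventTime, actor, hits)] for every record that triggers a rule."""
    findings = []
    for rec in records:
        hits = classify(rec)
        if hits:
            identity = rec.get("userIdentity", {})
            findings.append((rec.get("eventTime"), identity.get("arn", identity.get("type")), hits))
    return findings


# Constructed CloudTrail records, trimmed to the fields the rules use.
SAMPLE_RECORDS = [
    {   # routine object read by an instance role: no finding
        "eventTime": "2017-04-05T09:00:01Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "eventType": "AwsApiCall",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/WebServerRole/i-0example"},
        "requestParameters": {"bucketName": "example-website-images", "key": "logo.png"},
    },
    {   # root console sign-in without MFA: two findings
        "eventTime": "2017-04-05T09:15:22Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # backup bucket ACL rewritten by an IAM user: one finding
        "eventTime": "2017-04-05T09:16:40Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketAcl", "eventType": "AwsApiCall",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bill"},
        "requestParameters": {"bucketName": "example-data-backup"},
    },
]

if __name__ == "__main__":
    for when, who, hits in scan(SAMPLE_RECORDS):
        print(when, who, ", ".join(hits))
```

The rules deliberately mirror the shape of CloudWatch Logs metric filters so the same logic can be moved into a filter plus alarm once it has been tuned against real trail data; practice 6 (copy the logs to a separate security account) is what guarantees the records are still there to scan after an incident.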
  • 12. Logging and Monitoring, step 2
    (diagram: AWS Config, Amazon CloudWatch and AWS CloudTrail added to Andy’s accounts, alongside IAM, Temporary Security Credentials, the MFA token and AWS Directory Service; S3 buckets “Website Images” and “Database Backup”, Web Server Instance, Internal Data Service)
  • 13. Best of the Best Practices: Infrastructure Security
    7) Create a threat prevention layer using AWS edge services
       Use the 70 worldwide points of presence in the AWS edge network to provide scalability, protect from denial of service attacks, and protect from web application attacks. (AWS WAF, AWS Shield, Amazon CloudFront)
    8) Create network zones with Virtual Private Clouds (VPCs) and security groups
       Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy. (Security Group)
    9) Manage vulnerabilities through patching and scanning
       Test virtual machine images and snapshots for operating system and application vulnerabilities throughout the build pipeline and into the operational environment. (Amazon Inspector)
    Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
  • 14. Infrastructure Security, step 3
    (diagram: AWS WAF, AWS Shield and Amazon CloudFront in front of the Internet Gateway, Security Groups around the Web Server Instance and Internal Data Service, Amazon Inspector, plus the IAM and logging services from the previous steps)
  • 15. Best of the Best Practices: Data Protection
    10) Encrypt data at rest (with occasional exceptions)
        Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public.
    11) Use server-side encryption with provider managed keys
        AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use a default master key or select a custom master key, both managed by AWS. (AWS KMS, Data Encryption Key, Amazon S3)
    12) Encrypt data in transit (with no exceptions)
        Encryption of data in transit provides protection from accidental disclosure, verifies the integrity of the data, and can be used to validate the remote connection. (SSL / TLS / HTTPS at Amazon CloudFront and the Internet Gateway)
    Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
  • 16. Data Protection, step 4
    (diagram: AWS KMS and a Data Encryption Key added to the S3 buckets “Website Images” and “Data Backup”, alongside AWS WAF, AWS Shield, Amazon CloudFront, Amazon Inspector, Security Groups, IAM, Temporary Security Credentials, MFA token, AWS Config, Amazon CloudWatch, AWS CloudTrail and AWS Directory Service)
  • 17. Best Practices
    (diagram: Andy’s complete design with all of the above in place)
  • 18. Now it’s time to move from the WHAT to the HOW
  • 22. Three Levels: 8-bit Mario, 16-bit Mario, 64-bit Mario
  • 26. Three Stages of Cloud Security Maturity
    Stage One “Click”: Manual Best Practices, Static Workloads, Release 1x per month
    Stage Two “Script”: Automated Controls, Evolving Workloads, Release 1-10x per month
    Stage Three “Commit”: Continuous Security, Agile Workloads, Release 10-100x per month … DevSecOps?
  • 27. Tools and Automation
    – Amazon Inspector: An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
    – Amazon CloudWatch Events: A monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.
    – AWS Config Rules: A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.
    See also AWS re:Invent 2016: “5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules” (SAC401)
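Config Rules (slide 27) are how practices 8 (network zones with security groups, slide 13) and 11 (server-side encryption, slide 15) move from "Click" to "Script". The following is an added example, not code from the deck or from AWS: the evaluation logic a custom Config rule's Lambda function would run, checking an S3 bucket for default server-side encryption and a security group for administrative ports (22, 3389) open to the Internet, and returning the result in the shape Config's put_evaluations expects. The configuration items are constructed and modelled on the Config item layout; the nested field names under supplementaryConfiguration and configuration are assumptions, and the rule returns the evaluation instead of calling put_evaluations so it runs offline.

```python
"""Config-rule-style compliance checks for an S3 bucket and a security group.

Added example, not the deck's code.  Configuration items below are constructed;
their nested field names are assumptions modelled on the AWS Config item shape.
"""
import json

ADMIN_PORTS = (22, 3389)
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def evaluate_s3_bucket(item):
    """COMPLIANT when the bucket has default SSE with AWS KMS or AES256."""
    sse = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    if isinstance(sse, str):  # Config stores some supplementary values as JSON text
        sse = json.loads(sse)
    for rule in (sse or {}).get("rules", []):
        algo = rule.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
        if algo in ("aws:kms", "AES256"):
            return "COMPLIANT", "default encryption: " + algo
    return "NON_COMPLIANT", "no default server-side encryption"


def evaluate_security_group(item):
    """NON_COMPLIANT when an ingress rule opens 22 or 3389 to 0.0.0.0/0 or ::/0."""
    exposed = set()
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if not cidrs & WORLD_CIDRS:
            continue
        if perm.get("ipProtocol") == "-1":  # "all traffic" rule covers every port
            exposed.update(ADMIN_PORTS)
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None:
            continue
        exposed.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    if exposed:
        return "NON_COMPLIANT", "ports %s open to the world" % sorted(exposed)
    return "COMPLIANT", "no administrative ports open to the world"


EVALUATORS = {"AWS::S3::Bucket": evaluate_s3_bucket,
              "AWS::EC2::SecurityGroup": evaluate_security_group}


def lambda_handler(event, context=None):
    """Entry point shaped like a Config custom rule; returns one evaluation dict."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluator = EVALUATORS.get(item["resourceType"])
    if evaluator is None:
        compliance, note = "NOT_APPLICABLE", "resource type not covered by this rule"
    else:
        compliance, note = evaluator(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def make_event(item):
    """Wrap a configuration item the way Config delivers it to the rule's Lambda."""
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"})}


# Constructed configuration items (placeholder names and ids).
CAPTURED = "2017-04-05T09:00:00.000Z"
BILL_BACKUP_BUCKET = {"resourceType": "AWS::S3::Bucket", "resourceId": "example-data-backup",
                      "configurationItemCaptureTime": CAPTURED, "supplementaryConfiguration": {}}
ANDY_BACKUP_BUCKET = {"resourceType": "AWS::S3::Bucket", "resourceId": "example-data-backup-kms",
                      "configurationItemCaptureTime": CAPTURED,
                      "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": json.dumps(
                          {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]})}}
OPEN_SSH_GROUP = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example1",
                  "configurationItemCaptureTime": CAPTURED, "configuration": {"ipPermissions": [
                      {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                      {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}
WEB_ONLY_GROUP = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example2",
                  "configurationItemCaptureTime": CAPTURED, "configuration": {"ipPermissions": [
                      {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                      {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "10.0.0.0/16"}]}]}}

if __name__ == "__main__":
    for item in (BILL_BACKUP_BUCKET, ANDY_BACKUP_BUCKET, OPEN_SSH_GROUP, WEB_ONLY_GROUP):
        result = lambda_handler(make_event(item))
        print(result["ComplianceResourceId"], result["ComplianceType"], result["Annotation"])
```

Bill's unencrypted backup bucket and the group with SSH open to the world come back NON_COMPLIANT; Andy's KMS-encrypted bucket and the group that only exposes 443 come back COMPLIANT. Wiring the same handler to a CloudWatch Events rule on the NON_COMPLIANT result is the "Script" stage remediation path the slide describes.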
  • 29. Resources
    – AWS Security Best Practices White Paper: http://bit.ly/AWSBest
    – CIS AWS Security Foundations Benchmark: http://bit.ly/AWSCIS
    – CIS AWS Three-Tier Web Architecture Benchmark: http://bit.ly/AWSCIS3T
    – Session recording: https://aws.amazon.com/summits/sydney/on-demand-17/security-cloud/
  • 30. © 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved. Thank you!