This document provides an overview of security best practices on AWS. It recommends taking a prescriptive approach to understand AWS security practices, build strong compliance foundations, integrate identity and access management, enable detective controls, establish network security, implement data protection, optimize change management, and automate security functions. The document highlights several native AWS security services and how they can help strengthen a customer's security posture.
8. Security ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
• Automates functions to reduce human access to near-zero
(Diagram labels: Distributed, Embedded)
9. Strengthen your security posture
Get native functionality and tools:
• Over 30 global compliance certifications and accreditations
• Leverage security enhancements gleaned from 1M+ customer experiences
• Benefit from AWS industry-leading security teams 24/7
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
11. Compliance programs (list truncated in the extraction): GxP, ISO 13485, AS9100, ISO/TS 16949
(Diagram: AWS Foundation Services: Compute, Storage, Database, Networking. AWS Global Infrastructure: Regions, Availability Zones, Edge Locations. AWS is responsible for the security OF the Cloud.)
Get assurance from independent sources
12. Shared responsibility model (diagram)
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the Cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• EC2 Operating System, Network, & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
Customers control their own security policy
14. AWS Identity and Access Management
IAM Users, IAM Groups, IAM Roles, IAM Policies
• Granular access control for least privilege
• Manage hierarchies of AWS Accounts with AWS Organizations
• Federate with your existing directory services
• Role-based access and segregation of duties
• Achieve just-in-time access using automation
• Create rich mobile applications without giving end-users long-term access keys
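What "granular access control for least privilege" means in practice is visible only when a policy is evaluated against concrete requests. The following is an added example, not code from the deck or from AWS: a small evaluator that reproduces the documented decision order for identity-based IAM policies (explicit Deny wins, then an Allow is required, otherwise implicit deny), run against a constructed broad policy and its least-privilege replacement. The bucket name "app-logs", the object keys and the request list are placeholders; Conditions, Principals and resource-based policies are not modelled.

```python
"""Least-privilege IAM policy evaluation, as an added illustration (not AWS code).

Models the documented decision logic for identity-based policies: an explicit
Deny always wins, otherwise some statement must Allow the request, otherwise the
request is implicitly denied. Action and Resource values may use the IAM
wildcards '*' and '?'. Conditions, Principal, NotAction/NotResource and
resource-based policies are out of scope.
"""
import fnmatch
from typing import Any, Iterable, List


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, candidate: str, fold_case: bool) -> bool:
    # IAM action names are case-insensitive; resource ARNs are compared as written.
    for pattern in _as_list(patterns):
        if fold_case:
            pattern, candidate = pattern.lower(), candidate.lower()
        if fnmatch.fnmatchcase(candidate, pattern):   # '*' and '?' behave as in IAM
            return True
    return False


def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("NotAction/NotResource are not modelled")
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"      # a matching Deny ends evaluation
            allowed = True                 # keep scanning: a later Deny still wins
    return "Allow" if allowed else "ImplicitDeny"


# Constructed policies: the broad grant an application often starts with, and
# the least-privilege replacement. Bucket name "app-logs" is a placeholder.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # read-only, scoped to one bucket and its objects
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"],
        },
        {   # guard rail that holds even if another attached policy is broader
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::app-logs",
        },
    ],
}

REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::app-logs/2017/app.log"),
    ("s3:PutObject", "arn:aws:s3:::app-logs/2017/app.log"),
    ("s3:GetObject", "arn:aws:s3:::payroll/salaries.csv"),
    ("s3:DeleteBucket", "arn:aws:s3:::app-logs"),
]


def compare(requests=REQUESTS):
    """Decision under the broad policy vs. the least-privilege policy, per request."""
    return {req: (evaluate([BROAD_POLICY], *req),
                  evaluate([LEAST_PRIVILEGE_POLICY], *req)) for req in requests}


if __name__ == "__main__":
    for (action, resource), (broad, tight) in compare().items():
        print(f"{action:16} {resource:42} broad={broad:12} least-privilege={tight}")
    # Both policies attached to one principal: the explicit Deny still wins.
    print(evaluate([BROAD_POLICY, LEAST_PRIVILEGE_POLICY],
                   "s3:DeleteBucket", "arn:aws:s3:::app-logs"))
```

The last call is the point of the Deny statement: attaching the broad policy alongside it does not re-open bucket deletion, because a matching Deny ends evaluation regardless of what other statements allow.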
16. AWS CloudTrail and Amazon CloudWatch
AWS CloudTrail:
• Enable a trail globally, for all AWS Regions
• Encryption and integrity validation of log files (delivered log files are SHA-256 hashed and referenced from signed digest files, so tampering with or deletion of a log after delivery can be detected)
• Archive and forward
• Consumed by industry-standard logging and SIEM platforms
Amazon CloudWatch:
• Amazon CloudWatch Logs
• Metrics and filters
• Alarms and notifications
• Trigger automated actions
• Integrate with your existing ticketing systems
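The CloudTrail-to-CloudWatch path on this slide (logs → metric filter → alarm) is worth seeing end to end. The following is an added example, not code from the deck or from AWS: a few constructed records in the shape of CloudTrail log-file entries, two predicates that mirror the CloudWatch Logs filter patterns quoted in their comments (failed console logins, root account usage), and alarm logic that reproduces a Sum statistic per fixed period compared against a threshold. The account ID, user names, IP addresses and thresholds are placeholders.

```python
"""CloudTrail records through CloudWatch-style metric filters and alarms.

Added illustration, not AWS code. SAMPLE_RECORDS is constructed in the shape of
CloudTrail log-file entries; the two predicates mirror the CloudWatch Logs
filter patterns in their comments; alarms() reproduces a Sum statistic over
fixed periods compared against a threshold. IDs and addresses are placeholders.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


def _login(time: str, ok: bool, user: str = "alice", ip: str = "203.0.113.5") -> dict:
    rec = {"eventTime": time, "eventSource": "signin.amazonaws.com",
           "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
           "userIdentity": {"type": "IAMUser", "userName": user},
           "sourceIPAddress": ip,
           "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"}}
    if not ok:
        rec["errorMessage"] = "Failed authentication"
    return rec


SAMPLE_RECORDS = [                                  # constructed sample data
    _login("2017-05-01T10:00:12Z", ok=False),
    _login("2017-05-01T10:01:03Z", ok=False),
    _login("2017-05-01T10:02:40Z", ok=False),
    _login("2017-05-01T10:03:10Z", ok=True),
    {"eventTime": "2017-05-01T10:07:55Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2017-05-01T10:08:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.9"},
]


def failed_console_login(rec: dict) -> bool:
    # Filter pattern: { ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("errorMessage") == "Failed authentication")


def root_account_usage(rec: dict) -> bool:
    # Filter pattern: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #                   && $.eventType != "AwsServiceEvent" }
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


METRIC_FILTERS: Dict[str, Callable[[dict], bool]] = {
    "FailedConsoleLogins": failed_console_login,
    "RootAccountUsage": root_account_usage,
}
THRESHOLDS = {"FailedConsoleLogins": 3, "RootAccountUsage": 1}   # Sum >= threshold fires
PERIOD_SECONDS = 300


def period_start(event_time: str, period_seconds: int = PERIOD_SECONDS) -> int:
    """Epoch second at which the fixed evaluation period containing event_time begins."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ts = int(ts.timestamp())
    return ts - ts % period_seconds


def metric_datapoints(records, period_seconds: int = PERIOD_SECONDS) -> Dict[str, Counter]:
    """{metric name: {period start: count}}, the Sum statistic each filter would emit."""
    points = {name: Counter() for name in METRIC_FILTERS}
    for rec in records:
        for name, predicate in METRIC_FILTERS.items():
            if predicate(rec):
                points[name][period_start(rec["eventTime"], period_seconds)] += 1
    return points


def alarms(records, thresholds=THRESHOLDS,
           period_seconds: int = PERIOD_SECONDS) -> List[Tuple[str, int, int]]:
    """(metric, period start, count) for every period whose Sum reaches its threshold."""
    fired = []
    for name, series in metric_datapoints(records, period_seconds).items():
        for start, count in sorted(series.items()):
            if count >= thresholds.get(name, 1):
                fired.append((name, start, count))
    return fired


if __name__ == "__main__":
    for name, start, count in alarms(SAMPLE_RECORDS):
        print(f"ALARM {name}: {count} matching events in period starting {start}")
```

Three failed logins for one user inside a single five-minute period trip the first alarm; the single root API call trips the second, since any root usage outside service events is worth a ticket. In production the predicates are configured as metric filters on the log group that the trail delivers to, and the alarm action publishes to SNS or a ticketing integration rather than printing.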
18. AWS Global Infrastructure
16 Regions – 42 Availability Zones – 74 Edge Locations
Region & number of Availability Zones:
• US East: N. Virginia (5), Ohio (3)
• US West: Oregon (3), Northern California (3)
• AWS GovCloud (2)
• Canada: Central (2)
• South America: São Paulo (3)
• EU: Ireland (3), Frankfurt (2), London (2)
• Asia Pacific: Singapore (2), Sydney (3), Tokyo (3), Seoul (2), Mumbai (2)
• China: Beijing (2)
• Announced Regions: Paris, Ningxia, Stockholm
(Diagram: Availability Zone A, Availability Zone B, Availability Zone C)
Each region has at least two Availability Zones
19. AWS Regions in Europe
• EU (Ireland) Region: 3 EC2 Availability Zones
• EU (Frankfurt) Region: 2 EC2 Availability Zones
• EU (London) Region: 2 EC2 Availability Zones
• EU (Paris) Region: announced, launching 2017
• EU (Stockholm) Region: announced, launching 2018
AWS Edge Locations for CloudFront CDN and Route 53 DNS: Amsterdam, The Netherlands (2); Berlin, Germany; Dublin, Ireland; Frankfurt, Germany (5); London, England (4); Madrid, Spain; Marseille, France; Milan, Italy; Munich, Germany; Paris, France (2); Prague, Czech Republic; Stockholm, Sweden; Vienna, Austria; Warsaw, Poland; Zurich, Switzerland
20. Customers retain full ownership and control of their content
• Choose an AWS Region and AWS will not replicate your content elsewhere unless you choose to do so
• Control format, accuracy and encryption any way that you choose
• Control who can access content, its lifecycle and disposal
• We publish GDPR resources on our website to help you meet your own compliance obligations
You are in full control of privacy
21. Your own isolated infrastructure with Amazon VPC
(Diagram, as extracted: CIDR blocks 10.10.1.0/24, 10.20.0.0/16, 10.20.1.0/24 and 10.20.30.0/24; Customer Premises connected to the VPC)
Amazon Virtual Private Cloud comes with granular security controls
VPC fully supports IPv6
22. Internet access is always optional
(Diagram: subnets 10.10.1.0/24 and 10.10.2.0/24 in a 10.10.0.0/16 VPC; NAT Gateway with public IP 54.2.0.12; default route 0.0.0.0/0)
Route table:
Destination   Target                 Status
10.10.0.0/16  local                  Active
0.0.0.0/0     NAT-Gateway ID012471   Active
"Everything not destined for my VPC goes to the Internet via the NAT Gateway." Remove the 0.0.0.0/0 entry and the subnet has no path to the Internet at all; with it, the NAT gateway only carries connections initiated from inside the VPC, so the subnet is still not reachable from the Internet.
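The route table above is resolved by longest-prefix match, and "Internet access is always optional" is literally the absence of a 0.0.0.0/0 row. The following is an added example, not code from the deck or from AWS: a lookup function that resolves destinations the way a VPC route table does, run against two constructed tables for the 10.10.0.0/16 VPC on the slide. The target names, the corporate range 172.16.0.0/12 reached through a virtual private gateway, and the IPv6 default route are placeholders added to show the more-specific-route and separate-address-family cases.

```python
"""Route-table lookup as a VPC performs it: longest-prefix match.

Added illustration, not AWS code. The tables are constructed to match the
slide's layout (10.10.0.0/16 VPC, NAT gateway as IPv4 default route); target
names, the 172.16.0.0/12 corporate range and the IPv6 routes are placeholders.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (destination CIDR, target)


def lookup_route(route_table: List[Route], destination: str) -> Optional[str]:
    """Target of the most specific route covering destination, or None if no route."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version != dst.version or dst not in net:
            continue                       # other address family, or not covered
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_target = net, target   # longer prefix wins
    return best_target


def has_internet_egress(route_table: List[Route], version: int = 4) -> bool:
    """True if the table carries a default route for that IP family."""
    default = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    return any(ipaddress.ip_network(cidr) == default for cidr, _ in route_table)


# Slide 22: a private subnet whose non-local traffic leaves through the NAT gateway.
PRIVATE_SUBNET_RT: List[Route] = [
    ("10.10.0.0/16", "local"),
    ("172.16.0.0/12", "vgw-corporate"),        # on-premises via VPN, more specific than default
    ("0.0.0.0/0", "nat-gateway"),
    ("::/0", "egress-only-internet-gateway"),  # IPv6 needs its own default route
]

# Same VPC, a subnet with no default route at all: "Internet access is always optional".
ISOLATED_SUBNET_RT: List[Route] = [
    ("10.10.0.0/16", "local"),
]

if __name__ == "__main__":
    for dest in ("10.10.2.7", "172.20.1.1", "52.95.110.1", "2001:db8::1"):
        print(f"{dest:14} private -> {lookup_route(PRIVATE_SUBNET_RT, dest)!s:30}"
              f"isolated -> {lookup_route(ISOLATED_SUBNET_RT, dest)}")
```

Two details matter for reviews of real tables: a more specific route (here 172.16.0.0/12) silently takes precedence over the default, so a VPN route can steer traffic that was expected to go out through the NAT gateway; and an IPv4 default route does nothing for IPv6, so a dual-stack subnet needs both families checked.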
23. VPC Flow Logs give you network insight
• Agentless
• From full VPC logging to a single NIC
• Logged to Amazon CloudWatch Logs so you can create alarms when metrics are breached
• Create your own network dashboards
Fields captured per record: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject
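The field list above is the default flow-log record format, and the accept/reject column is what most detections hang on. The following is an added example, not code from the deck or from AWS: a parser for that record format plus two detections run over constructed sample lines, one for a source that is being rejected on many distinct ports (a scan), one listing accepted flows that originated outside the VPC. The account ID, interface ID, addresses and the 10.10.0.0/16 VPC range are placeholders.

```python
"""Parse VPC Flow Log records and run two simple detections over them.

Added illustration, not AWS code. SAMPLE_LOG is constructed in the default
flow-log record format (version account-id interface-id srcaddr dstaddr
srcport dstport protocol packets bytes start end action log-status);
account and interface IDs and all addresses are placeholders.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.10.1.25 45123 22 6 1 44 1493632800 1493632830 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.10.1.25 45124 23 6 1 44 1493632801 1493632831 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.10.1.25 45125 80 6 1 44 1493632802 1493632832 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.10.1.25 45126 443 6 1 44 1493632803 1493632833 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.10.1.25 45127 3306 6 1 44 1493632804 1493632834 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.10.1.25 45128 3389 6 1 44 1493632805 1493632835 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.10.1.25 45129 8080 6 1 44 1493632806 1493632836 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.10.1.25 53211 443 6 25 12000 1493632805 1493632860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.1.25 10.10.2.40 40000 3306 6 10 1500 1493632810 1493632870 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.2.40 10.10.1.25 3306 40000 6 8 6200 1493632810 1493632870 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1493632800 1493632860 - NODATA
"""


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """One record as a dict, or None for NODATA/SKIPDATA records (no traffic fields)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, object] = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None                     # traffic fields are '-' in these records
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_record(l) for l in text.splitlines() if l.strip()) if r]


def rejected_port_scans(records, min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources whose REJECTed flows touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def accepted_from_outside(records, vpc_cidr: str = "10.10.0.0/16") -> List[Tuple]:
    """ACCEPTed flows whose source lies outside the VPC: what the outside world reached."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [(r["srcaddr"], r["dstaddr"], r["dstport"], r["bytes"])
            for r in records
            if r["action"] == "ACCEPT" and ipaddress.ip_address(r["srcaddr"]) not in vpc]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("possible scans:", rejected_port_scans(recs))
    print("accepted from outside:", accepted_from_outside(recs))
```

A flow log records each direction of a connection as its own flow, which is why the database round trip appears twice above; detections that count "connections" need to pair them or filter on the server-side port. The same port-distinct-count logic is what a CloudWatch Logs metric filter on `REJECT` plus an alarm approximates, at the cost of losing the per-source grouping.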
24. Block layer 7 attacks with AWS WAF
• Web traffic filtering with custom rules
• Malicious request blocking
• Active monitoring and tuning
25. AWS Shield detects and blocks DDoS
Advanced mitigation techniques:
• Deterministic filtering
• Traffic prioritization based on scoring
• Advanced routing policies
27. Use AWS Cryptographic Services
AWS KMS:
• Deep integration with AWS services
• CloudTrail (every use of a key is logged)
• AWS SDK for application encryption
Amazon CloudHSM:
• Dedicated HSM
• Integrate with on-premises HSMs
• Hybrid architectures
… or you can always use your own
32. AWS CloudFormation – Infrastructure as Code
Template → Stack (AWS CloudFormation)
• Orchestrate changes across AWS services
• Use as the foundation for Service Catalog products
• Use with source code repositories to manage infrastructure changes
• JSON-based text file describing infrastructure (templates can also be written in YAML)
• Resources created from a template can be updated
• Updates can be restricted (a stack policy can deny Update:Replace or Update:Delete on critical resources)
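Because the template is a text file, the security review can happen before anything is created. The following is an added example, not code from the deck or from AWS: two checks a pipeline could run on a template and its stack policy, one flagging security-group ingress rules open to the whole Internet on an administrative port (or on all ports), one confirming that resources marked `DeletionPolicy: Retain` are also shielded from replacement and deletion by the stack policy. TEMPLATE and STACK_POLICY are constructed for the example; the template deliberately contains an SSH rule open to 0.0.0.0/0 so the first check has something to find.

```python
"""Two pre-deployment checks on a CloudFormation template and stack policy.

Added illustration, not AWS or CloudFormation code. TEMPLATE and STACK_POLICY
are constructed: the template is a small JSON-shaped document with a
deliberately over-permissive SSH rule; the stack policy uses the documented
Update:* actions and the LogicalResourceId/<name> resource form.
"""
import fnmatch
from typing import Any, Dict, List, Tuple

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}

TEMPLATE: Dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
    "Resources": {
        "WebSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "VpcId": {"Ref": "VpcId"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "DbSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "database tier, reachable only from the web tier",
                "VpcId": {"Ref": "VpcId"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                     "SourceSecurityGroupId": {"Ref": "WebSecurityGroup"}},
                ],
            },
        },
        "LogBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain"},
    },
}

STACK_POLICY: Dict[str, Any] = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
         "Principal": "*", "Resource": "LogicalResourceId/LogBucket"},
    ]
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def lint_security_groups(template: Dict[str, Any]) -> List[Tuple]:
    """Ingress rules open to the whole Internet on an admin port or on all ports."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in ANYWHERE:
                continue                   # a specific range or a security-group source
            proto = str(rule.get("IpProtocol"))
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            all_ports = proto == "-1" or lo is None or hi is None
            if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append((logical_id, proto, lo, hi, cidr))
    return findings


def protected_by_stack_policy(stack_policy: Dict[str, Any], logical_id: str) -> bool:
    """True if a Deny covers both Update:Replace and Update:Delete for the resource."""
    denied = set()
    target = f"LogicalResourceId/{logical_id}"
    for stmt in _as_list(stack_policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(target, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        for pattern in _as_list(stmt["Action"]):
            denied |= {a for a in ("Update:Modify", "Update:Replace", "Update:Delete")
                       if fnmatch.fnmatchcase(a, pattern)}
    return {"Update:Replace", "Update:Delete"} <= denied


def unprotected_retained_resources(template, stack_policy) -> List[str]:
    """Resources marked DeletionPolicy: Retain that the stack policy does not protect."""
    return sorted(lid for lid, res in template.get("Resources", {}).items()
                  if res.get("DeletionPolicy") == "Retain"
                  and not protected_by_stack_policy(stack_policy, lid))


if __name__ == "__main__":
    print("open admin ports:", lint_security_groups(TEMPLATE))
    print("retained but unprotected:", unprotected_retained_resources(TEMPLATE, STACK_POLICY))
```

The two checks answer different questions: the linter stops a bad configuration from being created, the stack-policy check stops a later update from quietly replacing a resource whose data you meant to keep. `DeletionPolicy: Retain` alone only protects the underlying bucket when the stack or resource is deleted; an update that forces replacement still creates a new bucket and orphans the old one, which is why the stack policy deny is the second half of the control.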
33. Evolving the Practice of Security Architecture
Current Security Architecture Practice:
• Static position papers, architecture diagrams, and documents
• UI-dependent consoles and technologies
• Auditing, assurance, and compliance are decoupled, separate processes
Security architecture should not be a separate function!
34. Evolving the Practice of Security Architecture
Evolved Security Architecture Practice:
• Security becomes a core part of the “maker” team
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
(Tools shown: AWS CodeCommit, AWS CodePipeline, Jenkins)
37. Easy Access To AWS Security Training
Security Fundamentals on AWS
(Free online course)
Security Operations on AWS
(3-day class)
Details at aws.amazon.com/training