
Getting Started with AWS Security


AWS and its partners offer a wide range of tools and features to help you meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that give you full visibility into what is happening in your environment. In this session, you will be introduced to the range of security tools and features that AWS offers, and to the latest security innovations coming from AWS.

Published in: Engineering


  1. Getting Started with AWS Security. Bill Shinn, Principal Security Solutions Architect. April 19th, 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Prescriptive Approach • Understand AWS Security Practice • Build Strong Compliance Foundations • Integrate Identity & Access Management • Enable Detective Controls • Establish Network Security • Implement Data Protection • Optimize Change Management • Automate Security Functions
  3. Understand AWS Security Practice
  4. Why is Enterprise Security Traditionally Hard? • Lack of visibility • Low degree of automation
  5. Move Fast AND Stay Secure
  6. Making life easier: choosing security does not mean giving up on convenience or introducing complexity
  7. Security ownership as part of DNA (distributed, embedded) • Promotes a culture of “everyone is an owner” for security • Makes security a stakeholder in business success • Enables easier and smoother communication
  8. Strengthen your security posture • Get native functionality and tools • Over 30 global compliance certifications and accreditations • Leverage security enhancements gleaned from 1M+ customer experiences • Benefit from AWS industry-leading security teams 24/7, 365 days a year • Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
  9. Case Study: Improved Security While Saving $2 Million (Unified Cost & Security Management from CloudCheckr). Problem statement: security threats and lack of clarity around AWS costs and resources. Business outcomes: improved security posture; greater visibility through change monitoring; saved $2 million. “CloudCheckr gives us total visibility and control over our AWS investment.” Patrick Neville, Manager of Systems Operations. WWW.CLOUDCHECKR.COM
  10. Security is a shared responsibility. AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for their security IN the Cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption, network traffic protection.
  11. Security Training • Security Fundamentals on AWS (free online course) • Security Operations on AWS (3-day class) • Details at
  12. Build Strong Compliance Foundations
  13. AWS Assurance Programs: AWS maintains a formal control environment • SOC 1 Type II • SOC 2 Type II and public SOC 3 report • ISO 27001, 27017, 27018 Certification • Certified PCI DSS Level 1 Service Provider • FedRAMP Authorization • Architect for HIPAA compliance
  14. AWS Account Relationship • AWS Account Ownership • AWS Account Contact Information • AWS Sales • AWS Solutions Architects • AWS Support • AWS Professional Services • AWS Consulting Partners
  15. AWS Trusted Advisor
  16. Integrate Identity & Access Management
  17. AWS Identity & Access Management • IAM Users • IAM Groups • IAM Roles • IAM Policies
  18. Account Governance – New Accounts • AWS Account Credential Management (“Root Account”) • InfoSec’s Cross-Account Roles • Federation • Baseline Requirements • Actions & Conditions • Map Enterprise Roles
  19. Enable Detective Controls
  20. AWS CloudTrail & CloudWatch. AWS CloudTrail: • Enable globally for all AWS Regions • Encryption & Integrity Validation • Archive & Forward. Amazon CloudWatch: • Amazon CloudWatch Logs • Metrics & Filters • Alarms & Notifications
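Slide 20 pairs CloudTrail with CloudWatch Logs metrics, filters and alarms without showing what a filter does to an event. The block below is an added example, not part of the deck or of any AWS sample: it reproduces the metric-filter-plus-alarm pipeline offline on constructed CloudTrail-style records, so the filter expressions (written in comments in CloudWatch Logs filter-pattern syntax) can be reasoned about before they are configured in an account. The record fields used (eventTime, eventName, userIdentity.type, errorMessage) are standard CloudTrail fields; the sample values, filter names and thresholds are assumptions chosen for the example.

```python
"""Added example: CloudWatch Logs metric-filter logic for CloudTrail, run locally.

CloudTrail delivers API events as JSON records; CloudWatch Logs metric filters
turn matching records into metrics, and alarms fire on thresholds. This pure
Python block reproduces that pipeline offline on constructed records.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real events from any account).
SAMPLE_TRAIL = [
    {"eventTime": "2016-04-19T10:00:12Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2016-04-19T10:01:30Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorMessage": "Failed authentication", "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2016-04-19T10:02:05Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorMessage": "Failed authentication", "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2016-04-19T10:03:41Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorMessage": "Failed authentication", "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2016-04-19T10:09:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2016-04-19T10:20:15Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole"}, "sourceIPAddress": "10.0.1.5"},
]

# Each predicate mirrors a CloudWatch Logs metric-filter pattern (shown in the
# comment above it) as a Python function over the parsed JSON record.
FILTERS = {
    # { $.userIdentity.type = "Root" }
    "RootAccountUsage": lambda r: r.get("userIdentity", {}).get("type") == "Root",
    # { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    "ConsoleLoginFailures": lambda r: r.get("eventName") == "ConsoleLogin"
        and r.get("errorMessage") == "Failed authentication",
    # { ($.eventName = StopLogging) || ($.eventName = DeleteTrail) }
    "CloudTrailChanges": lambda r: r.get("eventName") in ("StopLogging", "DeleteTrail"),
}


def period_start(event_time: str, period_seconds: int) -> int:
    """Bucket an ISO-8601 eventTime into a fixed-width evaluation period (epoch seconds)."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - (epoch % period_seconds)


def metric_datapoints(records, filter_name, period_seconds=300) -> dict:
    """Count matching records per period, as a metric filter feeding a metric would."""
    predicate = FILTERS[filter_name]
    counts = Counter()
    for rec in records:
        if predicate(rec):
            counts[period_start(rec["eventTime"], period_seconds)] += 1
    return dict(counts)


def alarm_state(datapoints: dict, threshold: int) -> str:
    """ALARM if any period's sum reaches the threshold (GreaterThanOrEqualToThreshold)."""
    return "ALARM" if any(v >= threshold for v in datapoints.values()) else "OK"


def evaluate_trail(records, thresholds: dict, period_seconds=300) -> dict:
    """Run every filter and return the alarm state per metric name."""
    return {name: alarm_state(metric_datapoints(records, name, period_seconds), th)
            for name, th in thresholds.items()}


if __name__ == "__main__":
    thresholds = {"RootAccountUsage": 1, "ConsoleLoginFailures": 3, "CloudTrailChanges": 1}
    print(json.dumps(evaluate_trail(SAMPLE_TRAIL, thresholds), indent=2))
```

The three failed logins fall in one five-minute period, so a threshold of 3 over a 300-second period raises the alarm while a threshold of 4 does not; in the real service the same tuning is done on the alarm's Period, EvaluationPeriods and Threshold settings.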
  21. Case Study: Locked Up Environment & Regained Control (Unified Cost & Security Management from CloudCheckr), large enterprise chip-maker. Problem statement: wanted to protect their AWS environment and secure 100s of AWS accounts. Business outcomes: proactively discovered vulnerable areas; enabled real-time responsiveness to security issues; empowered improved end user security. But HOW did they do it? By deploying CloudCheckr’s security module capabilities: • Continuous Best Practice Checks • CloudTrail/log intelligence monitoring • Security activity alerting and reporting • Perimeter Assessments. WWW.CLOUDCHECKR.COM
  22. Establish Network Security
  23. AWS Global Footprint • 12 Regions (10 Public, China Region and GovCloud Region) • Canada, Ohio, India, UK and another China Region planned for 2016 and beyond • 32 Availability Zones (adding 11 more in 2016 across new Regions) • 55+ Edge Locations (map legend: Region, Edge location)
  24. Amazon Virtual Private Cloud (reference architecture diagram): VPC CIDR spanning AZ A and AZ B, each with a Public Subnet and Private Subnets; Internet Gateway; Public ELB in front of an Autoscaling Web Tier; Internal ELB in front of an Autoscaling Application Tier; Multi-AZ RDS Data Tier (RDS Master, RDS Standby, Snapshots); Virtual Private Gateway reached from the Existing Datacenter’s Customer Gateway over a VPN Connection and from a Direct Connect Network Partner Location; Administrators & Corporate Users
  25. Security Groups (diagram): VPC CIDR with Availability Zone A and Availability Zone B, each with a public subnet (ELB) and private subnets (Web, Back end). Security groups: sg_ELB_FrontEnd (ELB Security Group), sg_Web_Frontend (Web Security Group), sg_Backend (Backend Security Group)
  26. Security Groups
  27. Security Groups
  28. Security Groups
  29. VPC Flow Logs • Agentless • Enable per ENI, per subnet, or per VPC • Logged to Amazon CloudWatch Logs • Create CloudWatch metrics from log data • Alarm on those metrics. Record fields: AWS account, Interface, Source IP, Destination IP, Source port, Destination port, Protocol, Packets, Bytes, Start/end time, Accept or reject
  30. VPC Flow Logs • Amazon Elasticsearch Service • Amazon CloudWatch Logs subscriptions
  31. VPC Flow Logs – CloudWatch Alarms
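Slides 29 to 31 list the fields of a flow log record and say to build CloudWatch metrics and alarms from them. The following is an added example, not from the deck: it parses records in the default VPC Flow Log format (the slide's fields, space separated, in the order version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), counts REJECT records per source and period the way a metric filter on action=REJECT would, and applies an alarm threshold. The log lines, account id, interface id and threshold are constructed for the example.

```python
"""Added example: parse VPC Flow Log records and derive alarm-style metrics offline.

Records are constructed; NODATA rows (no traffic in the window) use '-' for the
address and counter fields, exactly as the service emits them.
"""
from collections import Counter, defaultdict
from typing import List, NamedTuple, Optional

FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


class FlowRecord(NamedTuple):
    version: int
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str
    log_status: str


# Constructed sample: two accepted HTTPS flows, a burst of rejected probes from
# one address against SSH, RDP, MSSQL and MySQL ports, then a NODATA window.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.20 44312 443 6 10 8400 1461060000 1461060060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.20 44313 443 6 12 9100 1461060000 1461060060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.20 51000 22 6 1 44 1461060000 1461060060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.20 51001 3389 6 1 44 1461060000 1461060060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.20 51002 1433 6 1 44 1461060000 1461060060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.20 51003 3306 6 1 44 1461060060 1461060120 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1461060120 1461060180 - NODATA
"""


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; NODATA/SKIPDATA rows carry no addresses and yield None."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(parts)}")
    if parts[13] != "OK":
        return None
    values = {name: (int(val) if name in INT_FIELDS else val)
              for name, val in zip(FLOW_FIELDS, parts)}
    return FlowRecord(**values)


def parse_log(text: str) -> List[FlowRecord]:
    """Parse every non-empty line, dropping rows without traffic."""
    parsed = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in parsed if r is not None]


def reject_counts(records, period_seconds=300) -> dict:
    """Metric: REJECT records per (srcaddr, period start), like a filter on action=REJECT."""
    counts = Counter()
    for r in records:
        if r.action == "REJECT":
            counts[(r.srcaddr, r.start - r.start % period_seconds)] += 1
    return dict(counts)


def rejected_ports(records) -> dict:
    """Distinct destination ports rejected per source; a wide spread indicates probing."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items()}


def alarm_sources(records, threshold=3, period_seconds=300) -> list:
    """Sources whose REJECT count in any single period reaches the alarm threshold."""
    hits = reject_counts(records, period_seconds)
    return sorted({src for (src, _), n in hits.items() if n >= threshold})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_FLOW_LOG)
    print(f"{len(recs)} records with traffic")
    print("rejected ports per source:", rejected_ports(recs))
    print("sources over threshold:", alarm_sources(recs))
```

In the account itself the equivalent is a metric filter with the pattern `[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]` and a CloudWatch alarm on the resulting metric; the Python above is only a way to check what that filter will count against captured records.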
  32. Implement Data Protection
  33. Cryptographic Services. AWS KMS: • Deep integration with AWS Services • CloudTrail • AWS SDK for application encryption. Amazon CloudHSM: • Dedicated HSM • Integrate with on-premises HSMs • Hybrid Architectures
  34. Optimize Change Management
  35. AWS Config & Config Rules. AWS Config: • Record configuration changes continuously • Time-series view of resource changes • Archive & Compare. Config Rules: • Enforce best practices • Automatically roll back unwanted changes • Trigger additional workflow
  36. AWS Config
  37. AWS Config
  38. AWS Config Rules – Tenancy Enforcement Example
  39. AWS Config Rules – Tenancy Enforcement Example
  40. AWS Config Rules – Tenancy Enforcement Example
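Slides 38 to 40 are screenshots of a tenancy-enforcement Config rule; the rule logic itself is not in the transcript. What follows is an added example written for this page, not the deck's rule: a custom AWS Config rule, in the Lambda handler shape Config invokes (invokingEvent and ruleParameters arrive as JSON strings, and results are reported as evaluations with ComplianceType COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE), that checks the EC2 instance's placement.tenancy against a required value. The only AWS call a deployed rule adds is put_evaluations on the Config client; here it is passed in as an optional callable so the block runs offline. The parameter name requiredTenancy, the instance ids, the token and the event factory are assumptions made for the example.

```python
"""Added example: a custom AWS Config rule that enforces EC2 instance tenancy.

A custom Config rule is a Lambda function that receives the changed resource's
configuration item and reports COMPLIANT or NON_COMPLIANT back to Config.
"""
import json
from typing import Callable, Optional

RESOURCE_TYPE = "AWS::EC2::Instance"


def evaluate_tenancy(config_item: dict, required_tenancy: str) -> dict:
    """Build one Config evaluation for a configuration item."""
    if config_item.get("resourceType") != RESOURCE_TYPE:
        compliance, note = "NOT_APPLICABLE", "rule only applies to EC2 instances"
    elif config_item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "instance was deleted"
    else:
        # EC2 tenancy values are default, dedicated or host; absent means default.
        placement = config_item.get("configuration", {}).get("placement", {})
        tenancy = placement.get("tenancy", "default")
        if tenancy == required_tenancy:
            compliance, note = "COMPLIANT", f"tenancy is {tenancy}"
        else:
            compliance, note = "NON_COMPLIANT", f"tenancy is {tenancy}, required {required_tenancy}"
    return {
        "ComplianceResourceType": config_item.get("resourceType", RESOURCE_TYPE),
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": config_item["configurationItemCaptureTime"],
    }


def lambda_handler(event: dict, context=None, publish: Optional[Callable] = None) -> list:
    """Lambda entry point: parse the Config event, evaluate, optionally publish."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    required = params.get("requiredTenancy", "dedicated")   # assumed parameter name
    evaluations = [evaluate_tenancy(invoking["configurationItem"], required)]
    if publish is not None:
        # In a deployed rule: publish = boto3.client("config").put_evaluations
        publish(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


def make_event(instance_id: str, tenancy: str, required: str = "dedicated",
               status: str = "OK") -> dict:
    """Constructed Config event for local testing (field names follow the Config format)."""
    item = {
        "resourceType": RESOURCE_TYPE,
        "resourceId": instance_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2016-04-19T10:00:00.000Z",
        "configuration": {"placement": {"tenancy": tenancy}},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps({"requiredTenancy": required}),
        "resultToken": "constructed-token",
    }


if __name__ == "__main__":
    for iid, tenancy in (("i-0abc", "dedicated"), ("i-0def", "default")):
        print(iid, lambda_handler(make_event(iid, tenancy))[0]["ComplianceType"])
```

Reporting NOT_APPLICABLE for deleted resources and for other resource types matters in practice: a rule that reports NON_COMPLIANT for a deleted instance keeps the stale finding on the compliance dashboard, and one that raises an exception leaves the resource with no evaluation at all.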
  41. AWS Config Partners
  42. Enterprise Grade Monitoring (Unified Cost & Security Management from CloudCheckr). What cloud users need: • Lack of clarity around AWS costs, resources and security threats • Cross-functional business accountability • AWS cost predictability • Improved security posture • Understand/audit costs in the cloud • Remediation and self-healing of security vulnerabilities • Actionable security and activity alerts • Simplified monitoring of changes in a cloud environment. CloudCheckr provides: • Automated best practice checks covering security, availability, cost and usage • Automation that allows users to receive alerts and delegate remediation to CloudCheckr • Granular visibility to understand, deconstruct, and optimize cloud costs • Comprehensive visibility & control on security, availability, cost and usage with 375+ out-of-the-box best practice policy checks • Automated reports, generated and updated daily, listing all additions, deletions, or modifications over the past 24 hours • Over 100 out-of-the-box alerts with endless customization opportunities. WWW.CLOUDCHECKR.COM
  43. AWS CloudFormation – Infrastructure as Code (Template → Stack) • Orchestrate changes across AWS Services • Use as foundation to Service Catalog products • Use with source code repositories to manage infrastructure changes • JSON-based text file describing infrastructure • Resources created from a template • Can be updated • Updates can be restricted
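Slide 43 makes the point that infrastructure described in a JSON template kept in source control can be reviewed before it is deployed, and slides 25 to 28 show the tiered security group layout (sg_ELB_FrontEnd, sg_Web_Frontend, sg_Backend) that such a review should preserve. The block below is an added example serving both passages; it is not code from the deck or from AWS. It scans the AWS::EC2::SecurityGroup resources of a CloudFormation template for ingress rules open to the whole Internet on anything other than the ports the ELB tier is meant to expose. The template, logical ids (CloudFormation logical ids must be alphanumeric, so the slide's underscored names appear in GroupDescription), VPC id and the set of permitted public ports are constructed for the example.

```python
"""Added example: pre-deployment check of security group ingress in a CloudFormation template.

The tiered pattern from the security group slides is: the ELB group is open
to the Internet on the listening port only, the web group trusts only the ELB
group, and the backend group trusts only the web group. The constructed
template below gets the first two right and breaks the third.
"""
import json

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
PUBLIC_PORTS = {80, 443}          # ports allowed world-open (assumed for the example)

SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "sgELBFrontEnd": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "sg_ELB_FrontEnd (ELB Security Group)", "VpcId": "vpc-12345678",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": ANY_IPV4}]}},
        "sgWebFrontend": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "sg_Web_Frontend (Web Security Group)", "VpcId": "vpc-12345678",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "SourceSecurityGroupId": {"Ref": "sgELBFrontEnd"}}]}},
        "sgBackend": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "sg_Backend (Backend Security Group)", "VpcId": "vpc-12345678",
            "SecurityGroupIngress": [
                # Two mistakes: MySQL and SSH reachable from anywhere.
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIp": ANY_IPV4},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv6": ANY_IPV6},
                # Correct: all traffic from the web tier's group only.
                {"IpProtocol": "-1", "SourceSecurityGroupId": {"Ref": "sgWebFrontend"}}]}},
    },
})


def rule_ports(rule: dict):
    """Port range of a rule; IpProtocol -1 means all protocols and ports, so return None."""
    if str(rule.get("IpProtocol")) == "-1":
        return None
    return int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))


def is_world_open(rule: dict) -> bool:
    """True when the rule's source is every IPv4 or IPv6 address."""
    return rule.get("CidrIp") == ANY_IPV4 or rule.get("CidrIpv6") == ANY_IPV6


def find_open_ingress(template_text: str, public_ports=PUBLIC_PORTS) -> list:
    """Return (logical_id, protocol, from_port, to_port) for each world-open rule
    that is not a single permitted public port."""
    findings = []
    template = json.loads(template_text)
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if not is_world_open(rule):
                continue            # scoped to a CIDR or to another security group
            ports = rule_ports(rule)
            if ports is None:
                findings.append((logical_id, rule.get("IpProtocol"), 0, 65535))
            elif not (ports[0] == ports[1] and ports[0] in public_ports):
                findings.append((logical_id, rule.get("IpProtocol"), ports[0], ports[1]))
    return findings


if __name__ == "__main__":
    for logical_id, proto, lo, hi in find_open_ingress(SAMPLE_TEMPLATE):
        print(f"world-open ingress in {logical_id}: {proto} {lo}-{hi}")
```

Run as a step in the same source control pipeline that submits the template (the AWS CodeCommit and AWS CodePipeline flow on slide 49), a non-empty findings list fails the build before a change set is ever created. A port range such as 80 to 443 is deliberately flagged even though both ends are permitted ports, because the range also opens everything in between.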
  44. Change Sets – Create Change Set
  45. Change Sets
  46. Change Sets
  47. Automate Security Functions
  48. Evolving the Practice of Security Architecture. Current Security Architecture Practice: • Security architecture as a separate function can no longer exist • Static position papers, architecture diagrams & documents • UI-dependent consoles and technologies • Auditing, assurance, and compliance are decoupled, separate processes
  49. Evolving the Practice of Security Architecture. Evolved Security Architecture Practice: • Security architecture can now be part of the ‘maker’ team • Architecture artifacts (design choices, narrative, etc.) committed to common repositories • Complete solutions account for automation • Solution architectures are living audit/compliance artifacts and evidence in a closed loop. Tooling shown: AWS CodeCommit, AWS CodePipeline, Jenkins
  50. AWS Marketplace Security Partners • Infrastructure Security • Logging & Monitoring • Identity & Access Control • Configuration & Vulnerability Analysis • Data Protection
  51. Prescriptive Approach – Get Started! • Understand AWS Security Approach • Build Strong Compliance Foundations • Integrate Identity & Access Management • Enable Detective Controls • Establish Network Security • Implement Data Protection • Optimize Change Management • Automate Security Functions
  52. Thank you!