
Getting started with aws security toronto rs



AWS and its partners offer a wide range of tools and features to help you meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that can give you full visibility into what is happening in your environment. In this session, you will be introduced to the range of security tools and features that AWS offers, and to the latest security innovations coming from AWS.

Published in: Software


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Rahul Sareen, Sr. Consultant, AWS Professional Services. September 28th, 2016. Getting Started with AWS Security
  2. Prescriptive Approach • Understand AWS Security Practice • Build Strong Compliance Foundations • Integrate Identity & Access Management • Enable Detective Controls • Establish Network Security • Implement Data Protection • Optimize Change Management • Automate Security Functions
  3. Understand AWS Security Practice
  4. Why is Enterprise Security Traditionally Hard? • Lack of visibility • Low degree of automation
  5. Move Fast AND Stay Secure
  6. Making life easier: choosing security does not mean giving up on convenience or introducing complexity
  7. Security ownership as part of DNA (distributed, embedded) • Promotes a culture of “everyone is an owner” for security • Makes security a stakeholder in business success • Enables easier and smoother communication
  8. Strengthen your security posture • Get native functionality and tools • Over 30 global compliance certifications and accreditations • Leverage security enhancements gleaned from 1M+ customer experiences • Benefit from AWS industry-leading security teams 24/7, 365 days a year • Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
  9. Security is a shared responsibility. AWS is responsible for security OF the cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for security IN the cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption and network traffic protection.
  10. Security Training • Security Fundamentals on AWS (free online course) • Security Operations on AWS (3-day class) • Details at
  11. Build Strong Compliance Foundations
  12. AWS Assurance Programs: AWS maintains a formal control environment • SOC 1 Type II • SOC 2 Type II and public SOC 3 report • ISO 27001, 27017, 27018 certification • Certified PCI DSS Level 1 Service Provider • FedRAMP authorization • Architect for HIPAA compliance
  13. AWS Account Relationship • AWS account ownership • AWS account contact information • AWS Sales • AWS Solutions Architects • AWS Support • AWS Professional Services • AWS Consulting Partners
  14. AWS Trusted Advisor
  15. Integrate Identity & Access Management
  16. AWS Identity & Access Management • IAM Users • IAM Groups • IAM Roles • IAM Policies
  17. Account Governance – New Accounts • AWS account credential management (“root account”) • InfoSec’s cross-account roles • Federation • Baseline requirements • Actions & conditions • Map enterprise roles
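Slide 17 calls for InfoSec cross-account roles in every new account, with baseline conditions on who may assume them. The audit below is an added example (not code from the deck or from AWS): it reads a role's trust policy (the `AssumeRolePolicyDocument` you would get from `iam:GetRole`) and flags wildcard principals, principals outside an allowlist of trusted account IDs, and `sts:AssumeRole` grants that do not require MFA. The sample policy and account IDs are constructed for the example.

```python
"""Audit an IAM role trust policy for cross-account access (added example)."""
import json

# Constructed trust policy, not from the slide deck: an InfoSec cross-account
# role that should be assumable only from account 111111111111 with MFA.
# The second statement is a deliberate drift: an extra account, no MFA.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
            "Action": "sts:AssumeRole",
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Extract the 12-digit account id from an AWS principal ARN or bare id."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    # arn:partition:service:region:account-id:resource -> index 4 is the account
    return parts[4] if len(parts) >= 5 else principal


def audit_trust_policy(policy_json, trusted_accounts):
    """Return (statement index, finding) tuples for a role trust policy.

    Findings: wildcard principals, principals outside `trusted_accounts`,
    and AssumeRole statements with no aws:MultiFactorAuthPresent condition.
    """
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:  # a bare "*" is also legal here
            aws_principals = [principal]
        for p in aws_principals:
            acct = _account_of(p)
            if acct == "*":
                findings.append((i, "wildcard principal allows any AWS account"))
            elif acct not in trusted_accounts:
                findings.append((i, f"untrusted account {acct}"))
        cond = stmt.get("Condition", {})
        mfa = str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower()
        if mfa != "true":
            findings.append((i, "no MFA condition on sts:AssumeRole"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit_trust_policy(SAMPLE_TRUST_POLICY, {"111111111111"}):
        print(f"Statement[{idx}]: {msg}")
```

Run against the sample, statement 1 is reported twice (untrusted account, no MFA) and statement 0 is clean. For roles assumed by third parties rather than humans, the baseline condition to check would be `sts:ExternalId` instead of MFA; the same function extends to that by inspecting `Condition.StringEquals`.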
  18. Enable Detective Controls
  19. AWS CloudTrail & Amazon CloudWatch • AWS CloudTrail: enable globally for all AWS Regions; encryption & integrity validation; archive & forward • Amazon CloudWatch: CloudWatch Logs; metrics & filters; alarms & notifications
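Slide 19 pairs CloudTrail with CloudWatch Logs metrics and alarms but does not show what a detective control actually looks for. The script below is an added example (not from the deck or from AWS) of the detection logic a practitioner would run over a delivered trail file: it flags root-account activity, console logins without MFA, and API calls that tamper with the trail itself. The records are constructed for the example; a real trail delivers a gzipped JSON object with the same `Records` array.

```python
"""Scan CloudTrail records for high-risk events (added example)."""
import json

# Constructed CloudTrail records, not real account data. Three events: a root
# console login without MFA, an IAM user stopping the trail, and benign noise.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-09-28T14:01:00Z",
     "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2016-09-28T14:05:00Z",
     "eventType": "AwsApiCall", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventVersion": "1.05", "eventTime": "2016-09-28T14:06:00Z",
     "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"}},
]})

# API calls that weaken or remove the audit trail.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}

# The same root-usage check as a CloudWatch Logs metric filter pattern (the
# pattern the CIS AWS Foundations Benchmark uses):
# { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
#   && $.eventType != "AwsServiceEvent" }


def classify(record):
    """Return the list of alert labels raised by one CloudTrail record."""
    alerts = []
    ident = record.get("userIdentity", {})
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent"):
        alerts.append("ROOT_ACTIVITY")
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"):
        alerts.append("CONSOLE_LOGIN_WITHOUT_MFA")
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPERING):
        alerts.append("CLOUDTRAIL_TAMPERING")
    return alerts


def scan_trail(trail_json):
    """Return (eventTime, eventName, alerts) for every record that alerted."""
    hits = []
    for rec in json.loads(trail_json)["Records"]:
        alerts = classify(rec)
        if alerts:
            hits.append((rec["eventTime"], rec["eventName"], alerts))
    return hits


if __name__ == "__main__":
    for when, name, alerts in scan_trail(SAMPLE_TRAIL):
        print(when, name, ",".join(alerts))
```

Each label maps naturally to one CloudWatch Logs metric filter plus an alarm on a non-zero count; the Python form is what you would use for a batch scan of archived trail files in S3, which is the "archive & forward" half of the slide.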
  20. Establish Network Security
  21. AWS Global Footprint • 13 Regions (11 public, China Region and GovCloud Region) • Canada, Ohio, UK and another China Region planned for 2016 and beyond • 32+ Availability Zones (adding more in 2016 across new Regions) • 55+ Edge locations
  22. Amazon Virtual Private Cloud (architecture diagram): a VPC CIDR split into public and private subnets across AZ A and AZ B; a public ELB in front of an Auto Scaling web tier, an internal ELB in front of an Auto Scaling application tier, and a Multi-AZ RDS data tier (master, standby, snapshots); an Internet Gateway for public traffic; a Virtual Private Gateway connected to the existing datacenter’s Customer Gateway over a VPN connection and to a Direct Connect partner location, serving administrators & corporate users
  23. Security Groups (diagram): ELB, web and back-end tiers in public and private subnets across Availability Zones A and B, each tier with its own security group: sg_ELB_FrontEnd (ELB security group), sg_Web_Frontend (web security group), sg_Backend (backend security group)
  24. Security Groups
  25. Security Groups
  26. Security Groups
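Slides 23 to 26 show the tiered security-group design (sg_ELB_FrontEnd, sg_Web_Frontend, sg_Backend) but only as console screenshots. The check below is an added example (not from the deck or from AWS) that encodes the intended tiering as a policy and audits security groups in the shape returned by `ec2:DescribeSecurityGroups`: internet-facing ingress is allowed only on the ELB group's listed ports, and each inner tier may accept traffic only from the tier in front of it. The group data is constructed and contains two deliberate drifts so the output is not empty.

```python
"""Audit tiered security groups against an intended design (added example)."""

INTERNET = {"0.0.0.0/0", "::/0"}

# Constructed DescribeSecurityGroups-style data, not from the deck. Drifts:
# sg_Web_Frontend exposes SSH to the internet, and sg_Backend accepts all
# traffic directly from the ELB group, bypassing the web tier.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "sg_ELB_FrontEnd", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0b2", "GroupName": "sg_Web_Frontend", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0c3", "GroupName": "sg_Backend", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0b2"}]},
        {"IpProtocol": "-1",
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]}]},
]

# Intended tiering from the diagram: only the ELB group faces the internet,
# and each tier accepts traffic only from the tier in front of it.
TIER_POLICY = {
    "sg_ELB_FrontEnd": {"internet_ports": {80, 443}, "source_groups": set()},
    "sg_Web_Frontend": {"internet_ports": set(), "source_groups": {"sg_ELB_FrontEnd"}},
    "sg_Backend": {"internet_ports": set(), "source_groups": {"sg_Web_Frontend"}},
}


def _port_range(perm):
    """Human-readable port range; IpProtocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return "all ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit_security_groups(groups, policy):
    """Return (group name, finding) tuples for rules outside the tier policy."""
    names = {g["GroupId"]: g["GroupName"] for g in groups}
    findings = []
    for g in groups:
        rules = policy.get(g["GroupName"])
        if rules is None:
            findings.append((g["GroupName"], "no tier policy defined for this group"))
            continue
        for perm in g.get("IpPermissions", []):
            ports = _port_range(perm)
            # Internet-facing CIDR rules: only single allowed ports pass.
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if cidr not in INTERNET:
                    continue
                whole_range = (perm.get("IpProtocol") == "-1"
                               or perm.get("FromPort") != perm.get("ToPort"))
                if whole_range or perm.get("FromPort") not in rules["internet_ports"]:
                    findings.append((g["GroupName"], f"internet ingress on {ports}"))
            # Group-referenced rules: source must be the expected upstream tier.
            for pair in perm.get("UserIdGroupPairs", []):
                src = names.get(pair.get("GroupId"), pair.get("GroupId"))
                if src not in rules["source_groups"]:
                    findings.append((g["GroupName"],
                                     f"ingress on {ports} from unexpected group {src}"))
    return findings


if __name__ == "__main__":
    for group, msg in audit_security_groups(SAMPLE_GROUPS, TIER_POLICY):
        print(f"{group}: {msg}")
```

Referencing the upstream security group rather than its subnet CIDR is what makes the tiering hold under Auto Scaling: instances come and go, but the group reference does not change.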
  27. VPC Flow Logs • Agentless • Enable per ENI, per subnet, or per VPC • Logged to Amazon CloudWatch Logs • Create CloudWatch metrics from log data • Alarm on those metrics. Fields captured per flow record: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, accept or reject
  28. VPC Flow Logs • Amazon Elasticsearch Service • Amazon CloudWatch Logs subscriptions
  29. VPC Flow Logs – CloudWatch Alarms
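Slides 27 to 29 list the flow-record fields and say to build metrics and alarms from them, but the alarm logic itself is left to a screenshot. The script below is an added example (not from the deck or from AWS): it parses the space-separated flow-log record format into the fields the slide lists, skips NODATA/SKIPDATA records that carry no flow fields, counts rejected TCP/22 attempts per source address, and raises an alarm once a source crosses a threshold. The log lines are constructed for the example.

```python
"""Parse VPC Flow Logs and alarm on rejected SSH attempts (added example)."""
import collections

# Field order of a flow-log record, matching the fields listed on slide 27.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed flow-log lines, not real traffic: four rejected SSH probes from
# one host across two capture windows, one accepted HTTPS flow, one NODATA record.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0123abcd 198.51.100.7 10.0.1.20 51234 22 6 1 44 1475071200 1475071260 REJECT OK
2 123456789012 eni-0123abcd 198.51.100.7 10.0.1.20 51235 22 6 1 44 1475071200 1475071260 REJECT OK
2 123456789012 eni-0123abcd 198.51.100.7 10.0.1.20 51236 22 6 1 44 1475071200 1475071260 REJECT OK
2 123456789012 eni-0123abcd 203.0.113.5 10.0.1.20 40000 443 6 12 4800 1475071200 1475071260 ACCEPT OK
2 123456789012 eni-0123abcd - - - - - - - 1475071200 1475071260 - NODATA
2 123456789012 eni-0123abcd 198.51.100.7 10.0.1.20 51237 22 6 1 44 1475071260 1475071320 REJECT OK
"""

NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """Return a list of flow records as dicts; malformed and NODATA lines are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a well-formed record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records have '-' in every flow field
        for key in NUMERIC:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ssh_by_source(records):
    """Count REJECTed TCP (protocol 6) flows to port 22, keyed by source address."""
    counts = collections.Counter()
    for rec in records:
        if rec["action"] == "REJECT" and rec["protocol"] == 6 and rec["dstport"] == 22:
            counts[rec["srcaddr"]] += 1
    return counts


def alarm(records, threshold=3):
    """Return the sorted list of source addresses at or above the threshold."""
    return sorted(src for src, n in rejected_ssh_by_source(records).items()
                  if n >= threshold)


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    print(f"{len(flows)} flows, alarming sources: {alarm(flows)}")
```

In CloudWatch Logs the same condition is a space-delimited metric filter, for example `[version, account, eni, source, destination, srcport, destport="22", protocol="6", packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]`, with an alarm on the resulting metric; the Python version is what you would run over flow logs forwarded to Amazon Elasticsearch Service or S3 (slide 28).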
  30. Implement Data Protection
  31. Cryptographic Services • AWS KMS: deep integration with AWS services; CloudTrail; AWS SDK for application encryption • Amazon CloudHSM: dedicated HSM; integrate with on-premises HSMs; hybrid architectures
  32. Optimize Change Management
  33. AWS Config & Config Rules • AWS Config: record configuration changes continuously; time-series view of resource changes; archive & compare • AWS Config Rules: enforce best practices; automatically roll back unwanted changes; trigger additional workflow
  34. AWS Config
  35. AWS Config
  36. AWS Config Rules – Tenancy Enforcement Example
  37. AWS Config Rules – Tenancy Enforcement Example
  38. AWS Config Rules – Tenancy Enforcement Example
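Slides 36 to 38 walk through a tenancy-enforcement Config rule in screenshots. The code below is an added example (not the deck's own rule, nor AWS sample code) of the Lambda function behind such a custom rule: AWS Config invokes it with a configuration-change event, the function compares the instance's placement tenancy against a `requiredTenancy` rule parameter, and reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE back through `PutEvaluations`. The event, resource IDs and result token are constructed; the `config_client` parameter is an assumption added so the logic runs offline.

```python
"""Custom AWS Config rule: enforce EC2 instance tenancy (added example)."""
import json

REQUIRED_PARAM = "requiredTenancy"  # rule parameter name, assumed for this example
DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_tenancy(configuration_item, required_tenancy):
    """Return (compliance type, annotation) for one Config configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    if configuration_item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE", "instance has been deleted"
    config = configuration_item.get("configuration") or {}
    # EC2 reports tenancy under placement; absent means the default shared tenancy.
    tenancy = config.get("placement", {}).get("tenancy", "default")
    if tenancy == required_tenancy:
        return "COMPLIANT", f"tenancy is {tenancy}"
    return "NON_COMPLIANT", f"tenancy is {tenancy}, expected {required_tenancy}"


def build_evaluation(event):
    """Turn a Config change-triggered event into a PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_tenancy(item, params.get(REQUIRED_PARAM, "dedicated"))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point; config_client is injectable for offline testing."""
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    evaluation = build_evaluation(event)
    config_client.put_evaluations(Evaluations=[evaluation],
                                  ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation event, not captured from a real account: a
# default-tenancy instance evaluated by a rule that requires dedicated tenancy.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0abc123",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2016-09-28T14:00:00.000Z",
        "configuration": {"placement": {"tenancy": "default"}},
    }}),
    "ruleParameters": json.dumps({REQUIRED_PARAM: "dedicated"}),
    "resultToken": "constructed-token",
}


if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

The NOT_APPLICABLE branch for deleted resources matters in practice: without it a change-triggered rule keeps a stale NON_COMPLIANT result on a resource that no longer exists. Rolling the instance back or triggering a workflow (slide 33) would hang off the NON_COMPLIANT result, for example via a CloudWatch Events rule on Config compliance changes.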
  39. AWS Config Partners
  40. AWS CloudFormation – Infrastructure as Code • Template: JSON-based text file describing infrastructure • Stack: resources created from a template; can be updated; updates can be restricted • AWS CloudFormation: orchestrate changes across AWS services; use as the foundation for Service Catalog products; use with source code repositories to manage infrastructure changes
  41. Change Sets – Create Change Set
  42. Change Sets
  43. Change Sets
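Slides 40 to 43 introduce change sets as the way to preview a stack update, and note that updates can be restricted. The code below is an added example (not from the deck or from AWS) of the review step a pipeline would run between `create-change-set` and `execute-change-set`: it reads a `DescribeChangeSet` response, flags resources that would be deleted or replaced, and generates a stack policy that denies replace/delete on resources that must never be recreated. The change-set response and resource names are constructed for the example.

```python
"""Review a CloudFormation change set before executing it (added example)."""
import json

# Constructed DescribeChangeSet response, not from a real stack. It mixes a
# harmless addition, an in-place security group modification, an RDS change
# that forces replacement, and the removal of the CloudTrail trail.
SAMPLE_CHANGE_SET = {
    "ChangeSetName": "add-cache-tier",
    "StackName": "prod-web",
    "Status": "CREATE_COMPLETE",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "CacheCluster",
            "ResourceType": "AWS::ElastiCache::CacheCluster"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "WebSecurityGroup",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "Replacement": "False", "Scope": ["Properties"]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "Database",
            "ResourceType": "AWS::RDS::DBInstance",
            "Replacement": "True", "Scope": ["Properties"]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Remove", "LogicalResourceId": "AuditTrail",
            "ResourceType": "AWS::CloudTrail::Trail"}},
    ],
}

# Resource types whose modification should always get a human review
# (an assumed list for this example; tune it to your environment).
PROTECTED_TYPES = {"AWS::RDS::DBInstance", "AWS::CloudTrail::Trail",
                   "AWS::KMS::Key", "AWS::S3::Bucket"}


def risky_changes(change_set, protected_types=PROTECTED_TYPES):
    """Return (logical id, resource type, reason) for changes that need review."""
    risky = []
    for change in change_set.get("Changes", []):
        if change.get("Type") != "Resource":
            continue
        rc = change["ResourceChange"]
        action = rc.get("Action")
        rtype = rc.get("ResourceType")
        lid = rc.get("LogicalResourceId")
        replacement = rc.get("Replacement")
        if action == "Remove":
            risky.append((lid, rtype, "resource will be deleted"))
        elif action == "Modify" and replacement in ("True", "Conditional"):
            risky.append((lid, rtype, f"replacement={replacement}: resource will be recreated"))
        elif rtype in protected_types and action != "Add":
            risky.append((lid, rtype, "protected resource type modified"))
    return risky


def should_execute(change_set):
    """True only when the change set built successfully and nothing needs review."""
    return change_set.get("Status") == "CREATE_COMPLETE" and not risky_changes(change_set)


def stack_policy_for(protected_logical_ids):
    """Stack policy JSON that denies Update:Replace and Update:Delete on the given resources."""
    return json.dumps({"Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
         "Principal": "*",
         "Resource": [f"LogicalResourceId/{lid}" for lid in protected_logical_ids]},
    ]}, indent=2)


if __name__ == "__main__":
    for lid, rtype, reason in risky_changes(SAMPLE_CHANGE_SET):
        print(f"{lid} ({rtype}): {reason}")
    print("execute:", should_execute(SAMPLE_CHANGE_SET))
    print(stack_policy_for(["Database", "AuditTrail"]))
```

In a pipeline the sequence is `aws cloudformation create-change-set`, `describe-change-set` (fed to `risky_changes`), then `execute-change-set` only when `should_execute` is true. The stack policy is the "updates can be restricted" control from slide 40: applied with `set-stack-policy`, it stops even an executed change set from replacing or deleting the listed resources unless an operator overrides it for that update.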
  44. Automate Security Functions
  45. Evolving the Practice of Security Architecture • Security architecture can now be part of the ‘maker’ team • Architecture artifacts (design choices, narrative, etc.) committed to common repositories • Complete solutions account for automation • Solution architectures are living audit/compliance artifacts and evidence in a closed loop • Tooling: AWS CodeCommit, AWS CodePipeline, Jenkins
  46. AWS Marketplace Security Partners • Infrastructure security • Logging & monitoring • Identity & access control • Configuration & vulnerability analysis • Data protection
  47. Prescriptive Approach – Get Started! • Understand AWS Security Approach • Build Strong Compliance Foundations • Integrate Identity & Access Management • Enable Detective Controls • Establish Network Security • Implement Data Protection • Optimize Change Management • Automate Security Functions
  48. Thank you!