
Module 4: Secure your cloud applications - AWSome Day Online Conference 2019


This module covers how AWS approaches securing the cloud, along with the AWS Shared Responsibility Model, AWS Access Control and Management, AWS Security Compliance Programs, and resources available to you in better understanding AWS Cloud security options.


  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Module 4: Secure your cloud applications. Sander Veenstra, Technical Trainer, AWS
  2. Secure your infrastructure
  3. Security is our top priority: designed for security, constantly monitored, highly automated, highly available, highly accredited
  4. Security of the cloud
     • Hosts, network, software, facilities
     • Protection of the AWS global infrastructure is top priority
     • Availability of third-party audit reports
     (Diagram: AWS is responsible for the foundation services (compute, storage, database, network) and the AWS global infrastructure (Regions, Availability Zones, Edge Locations).)
  5. Security in the cloud. Considerations:
     • What you should store
     • Which AWS services you should use
     • Which Region to store in
     • In what content format and structure
     • Who has access
     (Diagram: the customer is responsible for customer data; platform, applications, identity and access management; operating system, network and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity).)
  6. AWS shared responsibility model
     (Diagram combining slides 4 and 5. AWS: security of the cloud, covering the foundation services (compute, storage, database, network) and the AWS global infrastructure (Regions, Availability Zones, Edge Locations). Customer: security in the cloud, covering customer data; platform, applications, identity and access management; operating system, network and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity).)
  7. Security, identity, and compliance products: AWS Artifact, AWS Certificate Manager, Amazon Cloud Directory, AWS CloudHSM, Amazon Cognito, AWS Directory Service, AWS Firewall Manager, Amazon GuardDuty, AWS Identity and Access Management, Amazon Inspector, AWS Key Management Service, Amazon Macie, AWS Organizations, AWS Shield, AWS Secrets Manager, AWS Single Sign-On, AWS WAF
  8. Manage authentication and authorization
  9. AWS Identity and Access Management (IAM): securely control access to AWS resources
     • IAM user: a person or application that interacts with AWS
     • Group: a collection of users with identical permissions
     • Role: temporary privileges that an entity can assume
  10. Authentication: Who are you? IAM users and IAM groups authenticate to IAM through the AWS Management Console, the AWS CLI ($ aws) or the AWS SDKs.
  11. Authorization: What can you do? IAM policies attached to an IAM user, group or role define the permissions, for example full access or read-only access to an Amazon S3 bucket used through the AWS CLI ($ aws).
  12. IAM roles
     • IAM users, applications, and services may assume IAM roles
     • Roles use an IAM policy for permissions
  13–17. Using roles for temporary security credentials (diagram built up over five slides): an application running on an EC2 instance needs to reach an Amazon S3 bucket. An IAM role with an attached IAM policy is created, the instance assumes the role, and the application uses the resulting temporary security credentials to access the bucket.
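Slides 11 to 17 all rest on IAM policy documents: a policy attached to a user, group or role either grants or withholds an action on a resource. The following is an added example, not code from the slide deck or from AWS, that models the core of that evaluation in Python; the policy documents and the bucket name "example-bucket" are constructed.

```python
"""Simplified model of IAM identity-policy evaluation (added example).
Teaching model, not the AWS evaluator: explicit Deny beats explicit Allow,
anything unmatched is implicitly denied, and '*' / '?' wildcards apply to
Action and Resource. NotAction, Condition and resource policies are out of scope."""
from fnmatch import fnmatchcase

# Constructed policies; "example-bucket" is a placeholder bucket name.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
# Full access, but an explicit Deny on deleting the bucket.
GUARDED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, target, fold_case):
    # Action names match case-insensitively; ARNs are case-sensitive.
    if fold_case:
        target, patterns = target.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatchcase(target, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Return True if `action` on `resource` is permitted by `policy`."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)):
            if stmt["Effect"] == "Deny":
                return False   # an explicit Deny always wins
            allowed = True
    return allowed             # no matching Allow: implicit deny
```

The read-only policy is the least-privilege shape the best-practices slide asks for: it names the two actions the application needs and scopes them to one bucket, so a request against any other bucket falls through to the implicit deny.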
  18. (image-only slide)
  19. Best practices
     • Delete access keys for the AWS account root user
     • Activate multi-factor authentication (MFA)
     • Only give IAM users permissions they need
     • Use roles for applications
     • Rotate credentials regularly
     • Remove unnecessary users and credentials
     • Monitor activity in your AWS account
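Most of the best practices on slide 19 can be checked mechanically from the IAM credential report. The following Python is an added example, not code from the deck or from AWS, that flags root access keys, console users without MFA, stale keys and unused keys; the report rows, the account ID 111122223333 and the 90-day thresholds are constructed assumptions.

```python
"""Audit an IAM credential report against the best-practice slide (added example).
Input is CSV in the column layout of `aws iam get-credential-report`, reduced to the
columns used here. Rows and account ID 111122223333 are constructed, not real."""
import csv
import io
from datetime import datetime, timedelta

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2018-01-15T09:00:00+00:00,2019-01-10T08:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2019-04-01T12:00:00+00:00,2019-05-20T07:30:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2018-06-01T00:00:00+00:00,2018-12-01T00:00:00+00:00
"""

# Thresholds are assumptions for this example, not values from the slides.
MAX_KEY_AGE = timedelta(days=90)   # "rotate credentials regularly"
MAX_IDLE = timedelta(days=90)      # "remove unnecessary users and credentials"

def _parse_time(value):
    # Unused or unsupported fields read 'N/A', 'no_information' or 'not_supported'.
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now_iso):
    """Return (user, finding) tuples for every best-practice violation found."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"
        if user == "<root_account>":
            if key_active:
                findings.append((user, "root user has an active access key; delete it"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA enabled"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if key_active:
            rotated = _parse_time(row["access_key_1_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, "access key older than 90 days; rotate it"))
            last_used = _parse_time(row["access_key_1_last_used_date"])
            if last_used is None or now - last_used > MAX_IDLE:
                findings.append((user, "access key unused for 90+ days; remove it"))
    return findings
```

Run against a real report, the `deploy-bot` pattern (a user with a long-lived, idle key and no console login) is exactly the case slide 19 says to replace with a role.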
  20. Assess your security and compliance
  21. Challenges of threat assessment: expensive, complex, time-consuming, difficult to track IT changes
  22. What is Amazon Inspector? Automated security assessment as a service
     • Assesses applications for vulnerabilities
     • Produces a detailed list of security findings
     • Leverages security best practices
  23. Amazon Inspector findings (screenshot)
  24. Remediation recommendation (screenshot)
  25. Protect your infrastructure from Distributed Denial of Service (DDoS) attacks
  26. What is DDoS? (Diagram: multiple DDoS traffic sources alongside a legitimate user.)
  27. DDoS mitigation challenges: complex, limited bandwidth, involves rearchitecting, manual, degraded performance, time-consuming, expensive
  28. What is AWS Shield?
     • A managed DDoS protection service
     • Always-on detection and mitigations
     • Seamless integration and deployment
     • Cost-efficient and customizable protection
     (Diagram: the same DDoS sources and legitimate user as slide 26, now with AWS Shield in place.)
  29. AWS Shield Standard and AWS Shield Advanced
     AWS Shield Standard (included):
     • Quick detection
     • Inline attack mitigation
     AWS Shield Advanced (optional):
     • Enhanced detection
     • Advanced attack mitigation
     • Visibility and attack notification
     • DDoS cost protection
     • Specialized support
  30. AWS security compliance
  31. Assurance programs
  32. How AWS helps customers achieve compliance
     Sharing information:
     • Industry certifications
     • Security and control practices
     • Compliance reports directly under NDA
     Assurance program:
     • Certifications/attestations
     • Laws, regulations, and privacy
     • Alignments/frameworks
  33. (image-only slide)
  34. Customer responsibility: Review – Design – Identify – Verify
  35. (image-only slide)
