
Networking and Security

  1. Module 2: Networking & Security: VPC, Shared Responsibility Model, IAM (© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.)
  2. Networking: Amazon VPC
  3. Amazon Virtual Private Cloud (VPC): provision a private, isolated virtual network in the AWS cloud and keep complete control over your virtual networking environment (address ranges, subnets, route tables and gateways).
  4. Amazon VPC example (diagram): one VPC in the AWS cloud spanning Availability Zones A, B and C. A public subnet holds the web servers and a NAT instance and is reachable from the Internet; a private subnet holds app and DB servers; a VPN-only subnet holds DB servers and is reachable only from the customer network over the VPN.
  5. VPCs and subnets: a subnet defines a range of IP addresses in your VPC, and you launch AWS resources into a subnet you select. Use a private subnet for resources that must not be reachable from the Internet and a public subnet for resources that will be; what makes a subnet public is a route table entry sending 0.0.0.0/0 to an Internet gateway, not its name. Each subnet resides entirely within one Availability Zone and cannot span zones.
  6. Security in your VPC: security groups (stateful, applied per instance) and network access control lists (stateless, applied per subnet). Diagram: a 10.0.0.0/16 VPC with subnets 10.0.0.0/24 and 10.0.1.0/24; each subnet has its own routing table and network ACL, each instance has a security group, and the VPC router connects to an Internet gateway and a VPN gateway.
  7. VPN connections:
     - AWS Hardware VPN: create an IPsec, hardware VPN connection between your VPC and your remote network.
     - AWS Direct Connect: a dedicated private connection from a remote network to your VPC (private, but not encrypted on its own; run a VPN over it when confidentiality is required).
     - AWS VPN CloudHub: create multiple AWS hardware VPN connections via your VPC to enable communication between several remote networks.
     - Software VPN: create a VPN connection to your remote network using an Amazon EC2 instance in your VPC that runs a software VPN appliance.
  8. Create a VPC in one AWS Region (Availability Zone 1).
  9. Add two subnets in different Availability Zones (Availability Zone 1 and Availability Zone 2) for high availability and fault tolerance.
  10. Add an Internet gateway and attach it to the VPC.
  11. Then modify the routing table to add a route to the Internet gateway. Without this route the subnets stay private even though the gateway is attached.
  12. Demo: create the VPC network and subnets.
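The build-out on slides 8 to 12 as a script, added here as an example and not taken from the deck. It uses boto3's EC2 client calls for exactly those four steps (create VPC, create subnets in two zones, create and attach the Internet gateway, add the 0.0.0.0/0 route). The 10.0.0.0/16 block, the ap-northeast-1 zone names and the Name tag are assumptions; plan_vpc() is pure so the layout can be checked before touching an account.

```python
"""Added example (not from the AWS deck): build the VPC of slides 8-12 with boto3.

plan_vpc() is pure and carves the VPC CIDR into one subnet per Availability
Zone; build_vpc() replays that plan against the EC2 API. The CIDR, the AZ
names and the "Name" tag are assumptions chosen for illustration.
"""
import ipaddress


def plan_vpc(vpc_cidr, azs, subnet_prefix=24, public=True):
    """Split vpc_cidr into one /subnet_prefix subnet per Availability Zone.

    Returns a plain dict describing what build_vpc() will create, so the layout
    can be reviewed or unit-tested before any API call is made.
    """
    network = ipaddress.ip_network(vpc_cidr)
    if not 16 <= network.prefixlen <= 28:
        raise ValueError("a VPC CIDR block must be between /16 and /28")
    if not network.prefixlen <= subnet_prefix <= 28:
        raise ValueError("subnet prefix must lie between the VPC prefix and /28")
    candidates = list(network.subnets(new_prefix=subnet_prefix))
    if len(azs) > len(candidates):
        raise ValueError("not enough /%d subnets in %s for %d zones"
                         % (subnet_prefix, network, len(azs)))
    return {
        "vpc_cidr": str(network),
        "subnets": [{"az": az, "cidr": str(cidr)} for az, cidr in zip(azs, candidates)],
        # public=True: the shared route table sends 0.0.0.0/0 to the Internet
        # gateway (slide 11). public=False leaves the subnets private.
        "public": public,
    }


def build_vpc(ec2, plan, name="module2-demo"):
    """Create VPC, Internet gateway, route table and subnets from a plan.

    `ec2` is a boto3 EC2 client (boto3.client("ec2")); only the calls used
    here are required, so a recording fake works for tests. Returns the IDs.
    """
    vpc_id = ec2.create_vpc(CidrBlock=plan["vpc_cidr"])["Vpc"]["VpcId"]
    ec2.create_tags(Resources=[vpc_id], Tags=[{"Key": "Name", "Value": name}])

    # Slide 10: the Internet gateway is a separate object, attached to the VPC.
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)

    # Slide 11: a route table whose default route targets the gateway. A subnet
    # is only "public" once it is associated with a table carrying this route;
    # attaching the gateway alone changes nothing.
    rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    if plan["public"]:
        ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock="0.0.0.0/0",
                         GatewayId=igw_id)

    subnet_ids = []
    for subnet in plan["subnets"]:  # slide 9: one subnet per AZ
        subnet_id = ec2.create_subnet(
            VpcId=vpc_id, CidrBlock=subnet["cidr"], AvailabilityZone=subnet["az"]
        )["Subnet"]["SubnetId"]
        ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=subnet_id)
        if plan["public"]:
            # Without this, instances get no public IPv4 address even in a
            # subnet that routes to the IGW.
            ec2.modify_subnet_attribute(SubnetId=subnet_id,
                                        MapPublicIpOnLaunch={"Value": True})
        subnet_ids.append(subnet_id)
    return {"vpc": vpc_id, "igw": igw_id, "route_table": rtb_id, "subnets": subnet_ids}


if __name__ == "__main__":
    import boto3  # imported here so plan_vpc() stays usable without boto3

    plan = plan_vpc("10.0.0.0/16", ["ap-northeast-1a", "ap-northeast-1c"])
    print(build_vpc(boto3.client("ec2", region_name="ap-northeast-1"), plan))
```

Running it requires credentials with ec2:Create*/Attach*/Associate*/ModifySubnetAttribute permissions; the plan step needs nothing. Everything in the plan is public by design, matching the deck; for the private and VPN-only subnets of slide 4 you would build a second route table without the gateway route.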
  13. Security, Identity, and Access Management
  14. Shared responsibility model:
      - AWS is responsible for security of the cloud: the foundation services (compute, storage, database, network) and the AWS global infrastructure (Regions, Availability Zones, edge locations).
      - The customer is responsible for security in the cloud: customer data; platform, applications, identity and access management; operating system, network and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption (file system and/or data); and network traffic protection (encryption, integrity, identity).
  15. Certifications and accreditations: ISO 9001, ISO 27001, ISO 27017, ISO 27018, IRAP (Australia), MLPS Level 3 (China), MTCS Tier 3 certification (Singapore) and more.
  16. AWS Identity and Access Management (IAM): (1) manage IAM users and their access; (2) manage IAM roles and their permissions; (3) manage federated users and their permissions.
  17. AWS IAM authentication (AWS Management Console): an IAM user signs in with a user name and password.
  18. AWS IAM authentication (AWS CLI or SDK API): an IAM user authenticates with an access key ID and secret access key, e.g. Access Key ID AKIAIOSFODNN7EXAMPLE and Secret Access Key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY (AWS's documentation placeholders, not real credentials). The same key pair is used by the AWS CLI and by the SDKs (Java, Python, .NET). Treat the secret key like a password: it is shown once at creation and cannot be retrieved afterwards.
  19. AWS IAM user management with groups (diagram): one AWS account with a TestDev group and a DevOps group; users (User A, User B, User C) are placed in groups, and a user may belong to more than one group (User A appears in both).
  20. AWS IAM authorization: policies are JSON documents that describe permissions and are attached to IAM users, groups or roles.
  21. AWS IAM policy elements. The example policy (the slide's curly quotes corrected to plain ASCII quotes, which the JSON parser requires):

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Stmt1453690971587",
            "Action": [
              "ec2:Describe*",
              "ec2:StartInstances",
              "ec2:StopInstances"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "IpAddress": {
                "aws:SourceIp": "54.64.34.65/32"
              }
            }
          },
          {
            "Sid": "Stmt1453690998327",
            "Action": [
              "s3:GetObject*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::example_bucket*"
          }
        ]
      }

      Version selects the policy language; each Statement carries an optional Sid (identifier), an Effect (Allow or Deny), the Action(s) and Resource(s) it applies to, and an optional Condition. The first statement allows describing, starting and stopping EC2 instances on any resource, but only for requests whose source IP is 54.64.34.65; the second allows any s3:GetObject* action on example_bucket and its objects, with no condition. Note how far the wildcards reach: "example_bucket*" also matches a bucket named example_bucket2, and "s3:GetObject*" also matches s3:GetObjectAcl and s3:GetObjectTagging. Prefer exact names where you can.
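To make the evaluation rules concrete, here is a small policy evaluator written for this page (not AWS's engine, and not from the deck) run against the slide's policy. It implements only Effect, Action and Resource wildcards and the IpAddress/NotIpAddress condition operators; the instance ARN and the source addresses in the demo calls are made up.

```python
"""Added example (not from the AWS deck): a small evaluator for the policy on
slide 21. It implements just enough of IAM's logic to show how Action
wildcards, Resource patterns, the aws:SourceIp condition and the
"implicit deny" default interact. Supported: Effect Allow/Deny, "*" and "?"
wildcards, the IpAddress/NotIpAddress operators. Not supported: NotAction,
NotResource, principals, policy variables and every other operator.
"""
import ipaddress
import re

# The slide's policy, with its curly quotes corrected to plain ASCII quotes.
SLIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1453690971587",
            "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": "54.64.34.65/32"}},
        },
        {
            "Sid": "Stmt1453690998327",
            "Action": ["s3:GetObject*"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::example_bucket*",
        },
    ],
}


def _matches(patterns, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    if isinstance(patterns, str):
        patterns = [patterns]
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in patterns:
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in pattern)
        if re.fullmatch(regex, value, flags):
            return True
    return False


def _condition_holds(condition, context):
    """All operator/key pairs must hold; a key missing from the request fails."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator in ("IpAddress", "NotIpAddress"):
                cidrs = [expected] if isinstance(expected, str) else expected
                addr = ipaddress.ip_address(actual)
                hit = any(addr in ipaddress.ip_network(c) for c in cidrs)
                if hit != (operator == "IpAddress"):
                    return False
            else:
                raise NotImplementedError("condition operator %s" % operator)
    return True


def evaluate(policy, action, resource, context=None):
    """Decide one request: explicit Deny beats Allow, no match is an implicit Deny.

    `context` carries request keys such as {"aws:SourceIp": "54.64.34.65"}.
    """
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, ignore_case=True):
            continue  # action names are case-insensitive in IAM
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed requests: the instance ARN and addresses are illustrative.
    inst = "arn:aws:ec2:ap-northeast-1:123456789012:instance/i-0123456789abcdef0"
    for req in [("ec2:StopInstances", inst, {"aws:SourceIp": "54.64.34.65"}),
                ("ec2:StopInstances", inst, {"aws:SourceIp": "203.0.113.7"}),
                ("s3:GetObject", "arn:aws:s3:::example_bucket/readme.txt", {}),
                ("s3:GetObject", "arn:aws:s3:::example_bucket2/secret.txt", {})]:
        print(req[0], "->", evaluate(SLIDE_POLICY, *req))
```

Two results are worth noticing: an ec2:StopInstances call from any address other than 54.64.34.65 is denied even though the action is listed, because a failed condition leaves no matching statement and the default is deny; and s3:GetObject on example_bucket2 is allowed, because the resource pattern ends in a wildcard.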
  22. AWS IAM policy assignment (diagram): an IAM policy is attached to an IAM user or to an IAM group.
  23. AWS IAM policy assignment (diagram): an IAM policy is attached to an IAM user, an IAM group or an IAM role.
  24. AWS IAM roles: a role has policies attached to it like a user, but no long-term credentials of its own. IAM users, applications and AWS services assume a role and receive temporary credentials that carry its permissions.
  25. AWS IAM policy assignment (diagram): policies are attached to IAM users, groups and roles; a role is then assumed by an IAM user or by an AWS resource rather than assigned to it.
  26. Application access to AWS resources: a Python application hosted on an Amazon EC2 instance needs to interact with Amazon S3, so AWS credentials are required.
      - Option 1: store long-term AWS credentials on the Amazon EC2 instance (in a file, an environment variable or the code). They do not rotate by themselves and leave with every copy of the disk or image.
      - Option 2: have AWS securely distribute short-lived credentials to AWS services and applications, which is what IAM roles provide.
  27. AWS IAM roles, instance profiles (diagram): (1) create the instance and (2) select an IAM role for it; (3) the application on the instance obtains temporary credentials for that role from the EC2 metadata service at http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename; (4) the application interacts with Amazon S3 using them. Caveat: anything that can make an HTTP request from the instance, including an SSRF bug in the application, can read those credentials from the same URL; the later IMDSv2 mode, which requires a session token obtained with a PUT request, is the control for that and is not covered in this 2016 deck.
  28. AWS IAM authentication and authorization, summary: authentication through the AWS Management Console (user name and password) or the AWS CLI/SDK API (access key and secret key); authorization through policies attached to IAM users, groups and roles.
  29. Identity and Access Management demos
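As a demo for the instance-profile flow on slide 27, the following code (added here, not from the deck) fetches a role's temporary credentials from the metadata service using the IMDSv2 session-token handshake. The transport is injectable, so the block runs offline against a constructed stand-in for the service; the role name AppRole, the fake token and the credential values are all made up.

```python
"""Added example (not from the AWS deck): retrieve the temporary credentials an
instance profile publishes through the EC2 metadata service (slide 27), using
the IMDSv2 session-token flow. The HTTP transport is a parameter so the logic
runs offline against `fake_transport`, a constructed stand-in for the
service; on an instance pass `urllib_transport`. The role name "AppRole" and
the sample credential values are constructed, not real.
"""
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def urllib_transport(method, path, headers=None, timeout=2):
    """Real transport: one HTTP request to the link-local metadata address."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


def fetch_instance_credentials(transport, role_name=None, token_ttl=300):
    """Return the credential document for the instance's role.

    IMDSv2 first PUTs /latest/api/token to get a session token, then sends it
    as X-aws-ec2-metadata-token on every GET. An instance configured to
    require v2 refuses plain GETs, which is what stops a one-shot SSRF from
    pulling the role's keys.
    """
    status, token = transport("PUT", "/latest/api/token",
                              {"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    if status != 200:
        raise RuntimeError("IMDSv2 token request failed: HTTP %d" % status)
    auth = {"X-aws-ec2-metadata-token": token}

    if role_name is None:
        # The directory listing holds the name of the attached role (the
        # "rolename" path component on slide 27).
        status, body = transport("GET", CREDS_PATH, auth)
        if status != 200 or not body.strip():
            raise RuntimeError("no instance profile attached (HTTP %d)" % status)
        role_name = body.strip().splitlines()[0]

    status, body = transport("GET", CREDS_PATH + role_name, auth)
    if status != 200:
        raise RuntimeError("credential fetch failed: HTTP %d" % status)
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError("metadata service reported %r" % creds.get("Code"))
    return creds


def seconds_until_expiry(creds, now_iso=None):
    """Remaining lifetime of a credential document; refresh well before zero."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expires = datetime.strptime(creds["Expiration"], fmt).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    return (expires - now).total_seconds()


# Constructed sample of a credential document; the key values are placeholders.
SAMPLE_CREDS = {
    "Code": "Success",
    "LastUpdated": "2016-03-01T12:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "EXAMPLE-SESSION-TOKEN",
    "Expiration": "2016-03-01T18:00:00Z",
}


def fake_transport(method, path, headers=None, timeout=2):
    """Offline stand-in for a metadata service that requires IMDSv2."""
    headers = headers or {}
    if method == "PUT" and path == "/latest/api/token":
        if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
            return 400, ""  # the TTL header is mandatory
        return 200, "FAKE-IMDS-TOKEN"
    if headers.get("X-aws-ec2-metadata-token") != "FAKE-IMDS-TOKEN":
        return 401, ""  # v2 required: an unauthenticated GET is refused
    if method == "GET" and path == CREDS_PATH:
        return 200, "AppRole\n"
    if method == "GET" and path == CREDS_PATH + "AppRole":
        return 200, json.dumps(SAMPLE_CREDS)
    return 404, ""


if __name__ == "__main__":
    creds = fetch_instance_credentials(fake_transport)  # use urllib_transport on EC2
    print(creds["AccessKeyId"], "expires in", seconds_until_expiry(creds), "s")
```

In practice the AWS SDKs do this retrieval and refresh for you, which is the point of slide 26's Option 2; the code is here to make visible what the SDK fetches, that the credentials are short-lived (compare Expiration with LastUpdated) and that the session token is the only thing standing between a simple GET and a usable key pair.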
