Customers using AWS benefit from over 1,800 security and compliance controls built into the AWS platform and operations. In this session, you will learn how to take advantage of the advanced security features of the AWS platform to gain the visibility, agility, and control needed to be more secure in the cloud than in legacy environments. We'll take a look at several reference architectures for common workloads and highlight the innovative ways customers are using AWS to manage security more efficiently. After attending this session, you will be familiar with the shared security responsibility model and how you can inherit controls from the rich compliance and accreditation programs maintained by AWS.
2. Agenda
• Built-in AWS controls you inherit
• Framework to help you adopt cloud security best practices
• AWS services to automate your security at scale
• Incident response reference architecture example
8. AWS Security Controls
[Diagram: shared responsibility stack]
AWS: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
Customer: your own accreditation, your own certifications, your own external audits
Customer scope and effort is reduced; better results through focused efforts; built on AWS consistent baseline controls
9. Cloud Adoption Framework
• Helps you adapt existing practices or introduce new practices for cloud computing
10. The Security Journey to the Cloud
Security in the cloud is familiar. The ability to perform actions faster, at a larger scale and at lower cost does not invalidate well-established principles of information security.
12. Scaling to >1 million users
[Architecture diagram: users reach Amazon Route 53 and Amazon CloudFront / Amazon S3; an ELB load balancer fronts web instances across Availability Zones; RDS DB instance (active, Multi-AZ) with read replicas; DynamoDB, ElastiCache and Amazon SQS feeding worker instances; internal app instances; Lambda, Amazon SES, Amazon CloudWatch]
13. Security already built in…
Security groups are virtual firewalls that control the traffic for one or more resources.
AWS Identity and Access Management (IAM) securely controls access to AWS services and resources for your users.
14. Identity and Access Management
[Diagram: AWS Organizations; AWS Identity and Access Management (IAM); AWS Security Token Service (AWS STS)]
19. Infrastructure Security – AWS Config Rules
• Amazon CloudTrail should be enabled… Is it?
• All EBS volumes should be encrypted… Are they?
• All security groups should not have unrestricted access to port 22. Do they?
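As an added illustration of the third check (not code from the deck or from AWS), the logic a custom AWS Config rule would apply, run offline over constructed security-group descriptions in the shape returned by DescribeSecurityGroups; the group ids and CIDRs are made up:

```python
import ipaddress

SSH_PORT = 22  # the port slide 19 asks about


def _covers_port(rule, port):
    """True if the ingress rule's protocol/port range includes `port`."""
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":  # "-1" means all traffic, so every port is included
        return True
    if proto not in ("tcp", "6"):  # SSH is TCP; ignore udp/icmp rules
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _unrestricted_sources(rule):
    """Return the CIDR sources in a rule that admit the whole internet (v4 or v6)."""
    hits = []
    for r in rule.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"], strict=False).prefixlen == 0:
            hits.append(r["CidrIp"])
    for r in rule.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"], strict=False).prefixlen == 0:
            hits.append(r["CidrIpv6"])
    return hits


def evaluate_security_group(sg, port=SSH_PORT):
    """Return ('COMPLIANT', []) or ('NON_COMPLIANT', [offending CIDRs])."""
    offenders = []
    for rule in sg.get("IpPermissions", []):
        if _covers_port(rule, port):
            offenders.extend(_unrestricted_sources(rule))
    return ("NON_COMPLIANT", offenders) if offenders else ("COMPLIANT", [])


# Constructed sample input (hypothetical group ids and addresses).
SAMPLE_GROUPS = {
    "sg-bastion": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    "sg-open-ssh": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-all-traffic": {"IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                                          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    "sg-web-only": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
                                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
}


def evaluate_all(groups=SAMPLE_GROUPS):
    """Map each group id to its compliance verdict."""
    return {sg_id: evaluate_security_group(sg) for sg_id, sg in groups.items()}


if __name__ == "__main__":
    for sg_id, (status, cidrs) in evaluate_all().items():
        print(f"{sg_id}: {status} {cidrs}")
```

Note that a rule with protocol "-1" or a port range spanning 22 is flagged even though 22 never appears literally, which is the case a naive string match on "22" misses.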
23. Data Protection – Encryption
Encryption In-Transit: SSL/TLS, VPN / IPsec, SSH
Encryption At-Rest: Object, Database, Filesystem, Disk
24. Data Protection – AWS Certificate Manager (ACM)
• Easily provision, manage, and deploy TLS certificates
• Use with Amazon Elastic Load Balancer (ELB) or an Amazon CloudFront distribution
25. Data Protection – AWS Certificate Manager
Request a certificate:
1. Add domain names
2. Review & request
3. Validation
26. Data Protection – AWS Key Management Service (KMS)
[Diagram: Customer Master Keys protect Data key 1, Data key 2, Data key 3 and Data key 4, which in turn encrypt an S3 object, an EBS volume, an Amazon Redshift cluster and a custom application's data]
40. Scaling to >1 million users
[Architecture diagram: the same >1 million user architecture as slide 12 (Route 53, CloudFront, S3, ELB, web instances across Availability Zones, RDS Multi-AZ with read replicas, DynamoDB, ElastiCache, SQS, worker instances, internal app instances, Lambda, SES, CloudWatch)]
41. Scaling to >1 million users
[Architecture diagram: the same >1 million user architecture as slide 12, with security services overlaid: AWS WAF, AWS Shield, AWS Organizations, AWS CloudTrail, AWS Config, VPC Flow Logs, Amazon Inspector, AWS OpsWorks]
43. AWS Marketplace Security Partners
Infrastructure Security; Logging & Monitoring; Identity & Access Control; Configuration & Vulnerability Analysis; Data Protection
44. Summary
o Integrated security & compliance
o Global resilience, visibility, & control
o Maintain your privacy & data ownership
o Agility through security automation
o Security innovation at scale
o Broad security partner & marketplace solutions