
Security Architectures on AWS



  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Chris Johnson, Solutions Architect, April 2018. Security Architectures on AWS
  2. What we'll cover today …
     • Initial considerations before you deploy
     • Walk through the AWS Shared Responsibility Model
     • Practical advice on AWS security controls to deploy
     • Practical advice on AWS security audit tooling
  3. But first … (Initial considerations before you deploy)
  4. Ask yourself some questions:
     1. How will your service be accessed (public or private)?
     2. What sort of data are you handling?
     3. Are there any regulations you need to be compliant with?
     4. Are there any compliance assessments you need to plan for?
     5. Who will be administering the application?
     6. Who needs to audit the platform (internal or external)?
  5. Answers will lead you to where you put your data
     [Diagram: Availability Zone A, Availability Zone B, Availability Zone C] Each region has at least two Availability Zones.
  6. Answers will lead you to AWS Artifact
  7. Answers will lead you to Identity and Access Management
     • Integration with AWS Services
     • Identity Federation
     • Granular Permissions Model
     • Multi-factor Authentication
     • Identity information for assurance
  8. Ok - so who manages what? (The AWS Shared Responsibility Model)
  9. Does one model work for all AWS Services? Infrastructure Services / Container Services / Abstracted Services
  10. AWS Shared Responsibility Model: for Infrastructure Services
      Managed by AWS:
      • AWS Foundation Services: Compute, Storage, Database, Networking
      • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
      Managed by Customers:
      • Customer content (optional – opaque data: 1's and 0's, in transit/at rest)
      • Platform & Applications Management
      • Operating System, Network & Firewall Configuration
      • Client-Side Data Encryption & Data Integrity Authentication
      • Server-Side Encryption (File System and/or Data)
      • Network Traffic Protection (Encryption / Integrity / Identity)
      Access paths in the diagram: API Endpoints, Management Protocols, API Calls; AWS IAM and Customer IAM
  11. AWS Shared Responsibility Model: for Container Services
      Managed by AWS:
      • AWS Foundation Services: Compute, Storage, Database, Networking
      • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
      • Platform & Applications Management
      • Operating System, Network Configuration
      Managed by Customers:
      • Customer content (optional – opaque data: 1's and 0's, in transit/at rest)
      • Firewall Configuration
      • Client-Side Data Encryption & Data Integrity Authentication
      • Network Traffic Protection (Encryption / Integrity / Identity)
      Access paths in the diagram: API Endpoints, Management Protocols, API Calls; AWS IAM and Customer IAM
  12. AWS Shared Responsibility Model: for Abstracted Services
      Managed by AWS:
      • AWS Foundation Services: Compute, Storage, Database, Networking
      • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
      • Platform & Applications Management
      • Operating System, Network & Firewall Configuration
      • Data Protection by the Platform (Protection of Data at Rest)
      • Network Traffic Protection by the Platform (Protection of Data in Transit)
      Managed by Customers:
      • Customer content (opaque data: 1's and 0's, in flight / at rest)
      • (optional) Client-Side Data Encryption & Data Integrity Authentication
      Access paths in the diagram: API Endpoints, API Calls; AWS IAM
  13. What should I consider for my Application? (Practical advice on AWS Security Controls to deploy)
  14. Route 53 (1)
      [Diagram: reference architecture in Availability Zone #1 – Amazon Route 53 (myapp.com, www.myapp.com, media.myapp.com) in front of a CloudFront distribution, an Application Load Balancer and an EC2 web app server with security groups, root and data volumes and an Amazon EBS snapshot; an Amazon S3 bucket serves as origin and holds logs. The same diagram is reused on the following slides.]
      • Malformed Packet Requests
      • SYN/ACK or UDP Flood
      • Reflection Attacks
      • DNS Floods
      • Shuffle Sharding (Forced Data Distribution and Isolation)
      • Anycast Striping (Ability to advertise IP Scopes from any/all Regions)
  15. CloudFront (2)
      • Content Caching
      • Origin Acceleration
      • AWS WAF Integration (Layer-7 Inspection)
      • DDoS Shield and Shield Advanced Integration
  16. Application Load Balancer (3)
      • Path Based Routing
      • HTTP/HTTPS Only
      • SSL/TLS Offload
      • AWS WAF Integration (Layer-7 Inspection)
      • DDoS Shield and Shield Advanced Integration
  17. S3 Bucket (4)
      • AWS Macie Integration
      • Static HTTP Web Server
      • Origin for CloudFront (use a Custom Header for locking down)
      • No HTTPS capability (use CloudFront)
      • Object and Bucket Level Logging
  18. VPC Controls (5)
      • Route Table – Decides which networks can be routed to/from
      • NACL – Stateless – Rule Based, Order-Priority [Default OPEN]
      • SG – Stateful – Evaluative [Default CLOSED]
      • VPC Flow Logs – Layer 2/3 Logging in a VPC
  19. Amazon Inspector (5)
      • Amazon Inspector
      • CVE / Best Practices
      • CIS Benchmarks / Network Behavioral Monitoring
      • AWS Systems Manager Integration – Privileged Command Execution
      • AWS Systems Manager Integration – CloudWatch Logging
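The NACL versus security group contrast on the VPC Controls slide (stateless and ordered with an open default, versus stateful and evaluative with a closed default) is easy to state and easy to get wrong in practice. The toy evaluator below is an added example, not code from the deck or from AWS; it models the two filters over constructed packets so the difference in reply handling and default behaviour can be exercised directly.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int       # destination port
    sport: int = 0   # source port, needed to recognise returning traffic

@dataclass(frozen=True)
class Rule:
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"  # NACL rules may also be "deny"; SG rules are allow-only
    number: int = 0        # NACL rule number (evaluation order); unused for SGs

def _matches(rule, ip, port):
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)

def nacl_allows(rules, pkt):
    """Stateless, ordered: the lowest-numbered matching rule decides and the
    trailing '*' rule denies anything unmatched. The default NACL ships with
    rule 100 allowing 0.0.0.0/0 in both directions ('Default OPEN')."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt.src, pkt.dport):
            return rule.action == "allow"
    return False

class SecurityGroup:
    """Stateful, evaluative: all inbound rules are allows and are checked
    together; no match means implicit deny ('Default CLOSED'). An admitted
    flow is tracked so its reply passes without any outbound rule."""

    def __init__(self, inbound):
        self.inbound = inbound
        self.tracked = set()   # (instance, instance port, peer, peer port)

    def allows_inbound(self, pkt):
        if any(_matches(r, pkt.src, pkt.dport) for r in self.inbound):
            self.tracked.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False

    def allows_reply(self, pkt):
        # reply travels instance -> peer, so src is the instance, dst the peer
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.tracked
```

The stateless case is the one that bites: an outbound NACL that only allows port 443 drops the instance's own replies to client ephemeral ports, whereas the security group admits them through connection tracking.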
  20. How do I ensure it is all working as planned? (Practical advice on AWS Security audit tooling)
  21. Audit tooling across accounts
      [Diagram: Myapp Production, Dev, Sandbox and Billing accounts feeding a Myapp Audit Account that holds the CloudTrail bucket, the Config bucket, Amazon ES, Amazon Athena, Amazon QuickSight and Amazon GuardDuty]
      Multi-Account View:
      • CloudTrail (Athena or ElasticSearch)
      • Config (Aggregator)
      • GuardDuty
      • VPC Flow Logs
      Local-Account View:
      • CloudTrail
      • Config (incl. Config Rules)
      • GuardDuty
      • VPC Flow Logs
      • Inspector
  22. Shall we have a look at this in action? (Demo time!)
  23. Thank you, any questions?
