SlideShare a Scribd company logo

State of the Union : Security

Amazon Web Services
Amazon Web Services
1 of 31
Download to read offline
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. State of the Union: Security Amy Tung Manager, Territory BD Rebeker Choi Manager, Solutions Architecture
Agenda 1) Introduction 2) Protect Amazon S3 Access Points AWS Managed Rules for AWS WAF Amazon VPC Ingress Routing 3) Detect and Respond AWS IAM Analyzer 4) In the CICD pipeline Amazon CodeGuru
AWS services that enhance security investigations AWS Security Hub AWS Organizations AWS Control Tower AWS Trusted Advisor AWS Systems Manager AWS Config AWS Service Catalog AWS Well- Architected Tool AWS CloudFormation AWS OpsWorks Snapshot Archive Amazon S3 Glacier AWS IoT Device Defender Amazon VPC AWS Direct Connect AWS Transit Gateway Amazon VPC PrivateLink Amazon Cloud Directory Resource Access manager AWS Directory Service KMSIAM AWS Single Sign-On AWS WAF AWS Shield AWS Secrets Manager AWS Firewall Manager AWS CloudHSM AWS Certificate Manager Amazon Cognito Identify Protect Detect Respond Recover Investigate Automate AWS Lambda Amazon CloudWatch Amazon Inspector Amazon Macie Amazon GuardDuty AWS Step Functions AWS Security Hub AWS Systems Manager AWS CloudTrail Personal Health Dashboard NEW NEW NEW
AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
S3 Access Points SIMPLIFIED CONTROL FOR SHARED BUCKETS ACCESSED BY MANY TEAMS DECENTRALIZED TEAMS DATA LAKES CROSS-ACCOUNT DATA EXCHANGE my-bucket.s3.amazonaws.com { } finance { } accounting { } sales
Announcing S3 Access Points How Access Points Work my-bucket.s3.amazonaws.com finance accounting sales { }{ }{ }
AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
AWS Managed Rules for AWS WAF help you spend less time writing firewall rules and more time building applications
AWS Managed Rules for AWS WAF • Quickly get started and protect your web application or APIs against common threats • Select from many rule types: • the Open Web Application Security Project (OWASP) Top 10 security risks • threats specific to Content Management Systems (CMS), • emerging Common Vulnerabilities and Exposures (CVE), etc.. • Rules are automatically updated as new issues emerge NOW available in all regions
What’s new? 1) Removed the limit of ten rules per web ACL; with the introduction of the WAF Capacity Unit (WCU). Why ? The switch to WCUs allows the creation of hundreds of rules. Each rule added to a web access control list (ACL) consumes capacity based on the type of rule being deployed, and each web ACL has a defined WCU limit. 2) The new AWS WAF supports AWS CloudFormation, allowing you to create and update your web ACL and rules to use CloudFormation templates. 3) No additional charge for using AWS Managed Rules. Each set of managed rules is counted as a single rule. You will not be charged for the individual rules inside AWS Managed Rules.
AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
Amazon VPC Ingress Routing Amazon VPC ingress routing routes inbound and outbound traffic through third party or AWS services ⁄ Pass all inline traffic through a single appliance ⁄ Inline traffic inspection helps you screen and secure your traffic before it reaches your workload ⁄ Helps you extend your capabilities with third-party solutions in AWS Marketplace
AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
Is the access intended? Amazon API Gateway Amazon Simple Queue Service Amazon CloudWatch AWS Key Management Service AWS Lambda Amazon Simple Storage Service AWS Identity and Access Management
IAM Access Analyzer AWS Identity and Access Management Access Analyzer Uses automated reasoning, a form of mathematical logic & inference, to determine all access paths Identify resources with public or cross-account access in your AWS account Resolve or archive findings based on your security requirements Analyze access continuously Remediate broad access The highest levels of security assurance New!
How to get started IAM Roles S3 Buckets Lambda Functions KMS Keys SQS Queues Who has access to what Who has access to what
Benefits of IAM Access Analyzer Continuously monitor impact of policy changes on access to your resources Quickly analyze thousands of resource policies across your account Available at no cost!!
AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
What’s on Developer’s mind? How can we improve code quality? Are we giving lowest latency to our customers? Are our infrastructure costs just bloating?
Amazon CodeGuru New machine learning service to automate code reviews, with the aim of improving code quality and application performance AVAILABLE IN PREVIEW TODAY
Pull Request-based Code Review Process 1. Developer creates a branch. 2. He/she makes code changes. 3. He/she creates a Pull Request. 4. Code reviewers provide comments. Developer provides responses. 5. The code changes are merged after approval. Pull Request Approval Merge Code Review Branch Make changes locally
Pull Request-based Code Review Process Flags critical defects and reliability issues in source code. Pull Request Approval Merge Code Review Branch Make changes locally Amazon CodeGuru Reviewer Amazon CodeGuru Reviewer augments human code review process and does not replace it
Amazon CodeGuru Reviewer, e.g. concurrency issue
Amazon CodeGuru code reviews AWS BEST PRACTICES CONCURRENCY ISSUES RESOURCE LEAKS IDENTIFY CORRECT INPUT VALIDATION Correct use of AWS APIs Incorrect use results in performance (e.g., polling) or correctness and completeness (e.g., pagination) issues. Correct implementation of concurrency constructs. Incorrect use results in correctness (e.g., missing synchronization) or performance issues (e.g., excessive synchronization) and hence impact availability. Correct resource handling Incorrect handling (e.g., not releasing database connection) results in slowdown and impacts availability. Leakage of Personally Identifiable Information Leakage of sensitive information (e.g., logging of credit card number) leads to compliance issues.
CodeGuru profiler: how does it work? Configure app and install agent CodeGuru profiling Code profile LATENCY AND CPU UTLIZATION MOST EXPENSIVE LINE OF CODE
Customer case LOWER COST INCREASE IN CPU UTILIZATION PRIME DAY 2017 VS 2018 Optimization of the ‘most expensive line of code’ identified by CodeGuru Prime Day improvements with CodeGuru
Summary GA status Available regions AWS IAM Access Analyzer generally available all commercial AWS regions Amazon CodeGuru public preview US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), and Asia Pacific (Sydney) S3 Access Point generally available all commercial AWS regions AWS Managed Rules for AWS WAF generally available all commercial AWS regions Amazon VPC Ingress Routing generally available all commercial AWS regions
What’s next? • Explore the use case and contact your AWS account manager • Architecture review
Thank you! © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amy Tung amytung@amazon.com Rebeker Choi rebeker@amazon.com

Recommended

Protect your applications from DDoS/BOT & Advanced Attacks
Protect your applications from DDoS/BOT & Advanced AttacksProtect your applications from DDoS/BOT & Advanced Attacks
Protect your applications from DDoS/BOT & Advanced AttacksAmazon Web Services
 
AWS_Security_Essentials
AWS_Security_EssentialsAWS_Security_Essentials
AWS_Security_EssentialsAmazon Web Services
 
State of the Union: Networking
State of the Union: NetworkingState of the Union: Networking
State of the Union: NetworkingAmazon Web Services
 
Security: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionSecurity: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionAmazon Web Services
 
Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Amazon Web Services
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security HubAmazon Web Services
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access ManagementAmazon Web Services
 
Cloud Security (AWS)
Cloud Security (AWS)Cloud Security (AWS)
Cloud Security (AWS)Scott Arveseth
 

Recommended

Protect your applications from DDoS/BOT & Advanced Attacks
Protect your applications from DDoS/BOT & Advanced AttacksProtect your applications from DDoS/BOT & Advanced Attacks
Protect your applications from DDoS/BOT & Advanced AttacksAmazon Web Services
 
AWS_Security_Essentials
AWS_Security_EssentialsAWS_Security_Essentials
AWS_Security_EssentialsAmazon Web Services
 
State of the Union: Networking
State of the Union: NetworkingState of the Union: Networking
State of the Union: NetworkingAmazon Web Services
 
Security: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionSecurity: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionAmazon Web Services
 
Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Amazon Web Services
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security HubAmazon Web Services
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access ManagementAmazon Web Services
 
Cloud Security (AWS)
Cloud Security (AWS)Cloud Security (AWS)
Cloud Security (AWS)Scott Arveseth
 
Security overview-aws-lambda
Security overview-aws-lambdaSecurity overview-aws-lambda
Security overview-aws-lambdaVIJAY REDDY
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAmazon Web Services
 
Lambda Function Security
Lambda Function SecurityLambda Function Security
Lambda Function SecurityAmazon Web Services
 
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftAmazon Web Services
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Amazon Web Services
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design Amazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 
Intro to AWS Security
Intro to AWS SecurityIntro to AWS Security
Intro to AWS SecurityAmazon Web Services
 
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAdding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAmazon Web Services
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWSAmazon Web Services
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security FundamentalsAmazon Web Services
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS SecurityAmazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSAmazon Web Services
 
Build HIPAA Eligible Solutions with AWS and APN Partners PPT
Build HIPAA Eligible Solutions with AWS and APN Partners PPT Build HIPAA Eligible Solutions with AWS and APN Partners PPT
Build HIPAA Eligible Solutions with AWS and APN Partners PPTAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
AWS Security By Design
AWS Security By DesignAWS Security By Design
AWS Security By DesignAmazon Web Services
 
Automating DDoS and WAF Response
Automating DDoS and WAF ResponseAutomating DDoS and WAF Response
Automating DDoS and WAF ResponseAmazon Web Services
 
Aws security best practices
Aws security best practicesAws security best practices
Aws security best practicesSundeep Roxx
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation OverviewAmazon Web Services
 
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...Amazon Web Services
 
Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...
Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...
Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...Amazon Web Services
 

More Related Content

What's hot

Security overview-aws-lambda
Security overview-aws-lambdaSecurity overview-aws-lambda
Security overview-aws-lambdaVIJAY REDDY
 
AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAmazon Web Services
 
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftAmazon Web Services
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Amazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAdding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAmazon Web Services
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS SecurityAmazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSAmazon Web Services
 
Build HIPAA Eligible Solutions with AWS and APN Partners PPT
Build HIPAA Eligible Solutions with AWS and APN Partners PPT Build HIPAA Eligible Solutions with AWS and APN Partners PPT
Build HIPAA Eligible Solutions with AWS and APN Partners PPTAmazon Web Services
 
Automating DDoS and WAF Response
Automating DDoS and WAF ResponseAutomating DDoS and WAF Response
Automating DDoS and WAF ResponseAmazon Web Services
 
Aws security best practices
Aws security best practicesAws security best practices
Aws security best practicesSundeep Roxx
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation OverviewAmazon Web Services
 

What's hot (20)

Security overview-aws-lambda
Security overview-aws-lambdaSecurity overview-aws-lambda
Security overview-aws-lambda
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics Webinar
 
Lambda Function Security
Lambda Function SecurityLambda Function Security
Lambda Function Security
 
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWS
 
Intro to AWS Security
Intro to AWS SecurityIntro to AWS Security
Intro to AWS Security
 
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAdding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS Security
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWS
 
Build HIPAA Eligible Solutions with AWS and APN Partners PPT
Build HIPAA Eligible Solutions with AWS and APN Partners PPT Build HIPAA Eligible Solutions with AWS and APN Partners PPT
Build HIPAA Eligible Solutions with AWS and APN Partners PPT
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS Security By Design
AWS Security By DesignAWS Security By Design
AWS Security By Design
 
Automating DDoS and WAF Response
Automating DDoS and WAF ResponseAutomating DDoS and WAF Response
Automating DDoS and WAF Response
 
Aws security best practices
Aws security best practicesAws security best practices
Aws security best practices
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation Overview
 

Similar to State of the Union : Security

Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...Amazon Web Services
 
Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...
Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...
Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...Amazon Web Services
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtHelen Rogers
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at ScaleAmazon Web Services
 
Automated Compliance and Governance with AWS Config and AWS CloudTrail - June...
Automated Compliance and Governance with AWS Config and AWS CloudTrail - June...Automated Compliance and Governance with AWS Config and AWS CloudTrail - June...
Automated Compliance and Governance with AWS Config and AWS CloudTrail - June...Amazon Web Services
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneAmazon Web Services
 
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...Amazon Web Services
 
Deep Dive on Serverless Web Applications - AWS May 2016 Webinar Series
Deep Dive on Serverless Web Applications - AWS May 2016 Webinar SeriesDeep Dive on Serverless Web Applications - AWS May 2016 Webinar Series
Deep Dive on Serverless Web Applications - AWS May 2016 Webinar SeriesAmazon Web Services
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSjavier ramirez
 
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Amazon Web Services
 
Best Practices for Security at Scale
Best Practices for Security at Scale Best Practices for Security at Scale
Best Practices for Security at Scale Amazon Web Services
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneAmazon Web Services
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & LoggingJason Poley
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 

Similar to State of the Union : Security (20)

Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...
 
Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...
Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...
Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John Hildebrandt
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at Scale
 
Automated Compliance and Governance with AWS Config and AWS CloudTrail - June...
Automated Compliance and Governance with AWS Config and AWS CloudTrail - June...Automated Compliance and Governance with AWS Config and AWS CloudTrail - June...
Automated Compliance and Governance with AWS Config and AWS CloudTrail - June...
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
 
Deep Dive on Serverless Web Applications - AWS May 2016 Webinar Series
Deep Dive on Serverless Web Applications - AWS May 2016 Webinar SeriesDeep Dive on Serverless Web Applications - AWS May 2016 Webinar Series
Deep Dive on Serverless Web Applications - AWS May 2016 Webinar Series
 
Getting Started on AWS
Getting Started on AWSGetting Started on AWS
Getting Started on AWS
 
Technical Track
Technical TrackTechnical Track
Technical Track
 
Getting Started with AWS
Getting Started with AWSGetting Started with AWS
Getting Started with AWS
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWS
 
AWSome Day | Tech Track
AWSome Day | Tech TrackAWSome Day | Tech Track
AWSome Day | Tech Track
 
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
 
Best Practices for Security at Scale
Best Practices for Security at Scale Best Practices for Security at Scale
Best Practices for Security at Scale
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
 
AWS (2).pdf
AWS (2).pdfAWS (2).pdf
AWS (2).pdf
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & Logging
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

State of the Union : Security

  • 1. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. State of the Union: Security Amy Tung Manager, Territory BD Rebeker Choi Manager, Solutions Architecture
  • 2. Agenda 1) Introduction 2) Protect Amazon S3 Access Points AWS Managed Rules for AWS WAF Amazon VPC Ingress Routing 3) Detect and Respond AWS IAM Analyzer 4) In the CICD pipeline Amazon CodeGuru
  • 3. AWS services that enhance security investigations AWS Security Hub AWS Organizations AWS Control Tower AWS Trusted Advisor AWS Systems Manager AWS Config AWS Service Catalog AWS Well- Architected Tool AWS CloudFormation AWS OpsWorks Snapshot Archive Amazon S3 Glacier AWS IoT Device Defender Amazon VPC AWS Direct Connect AWS Transit Gateway Amazon VPC PrivateLink Amazon Cloud Directory Resource Access manager AWS Directory Service KMSIAM AWS Single Sign-On AWS WAF AWS Shield AWS Secrets Manager AWS Firewall Manager AWS CloudHSM AWS Certificate Manager Amazon Cognito Identify Protect Detect Respond Recover Investigate Automate AWS Lambda Amazon CloudWatch Amazon Inspector Amazon Macie Amazon GuardDuty AWS Step Functions AWS Security Hub AWS Systems Manager AWS CloudTrail Personal Health Dashboard NEW NEW NEW
  • 4. AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
  • 5. AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
  • 6. S3 Access Points SIMPLIFIED CONTROL FOR SHARED BUCKETS ACCESSED BY MANY TEAMS DECENTRALIZED TEAMS DATA LAKES CROSS-ACCOUNT DATA EXCHANGE my-bucket.s3.amazonaws.com { } finance { } accounting { } sales
  • 7. Announcing S3 Access Points How Access Points Work my-bucket.s3.amazonaws.com finance accounting sales { }{ }{ }
  • 8. AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
  • 9. AWS Managed Rules for AWS WAF help you spend less time writing firewall rules and more time building applications
  • 10. AWS Managed Rules for AWS WAF • Quickly get started and protect your web application or APIs against common threats • Select from many rule types: • the Open Web Application Security Project (OWASP) Top 10 security risks • threats specific to Content Management Systems (CMS), • emerging Common Vulnerabilities and Exposures (CVE), etc.. • Rules are automatically updated as new issues emerge NOW available in all regions
  • 11.
  • 12. What’s new? 1) Removed the limit of ten rules per web ACL; with the introduction of the WAF Capacity Unit (WCU). Why ? The switch to WCUs allows the creation of hundreds of rules. Each rule added to a web access control list (ACL) consumes capacity based on the type of rule being deployed, and each web ACL has a defined WCU limit. 2) The new AWS WAF supports AWS CloudFormation, allowing you to create and update your web ACL and rules to use CloudFormation templates. 3) No additional charge for using AWS Managed Rules. Each set of managed rules is counted as a single rule. You will not be charged for the individual rules inside AWS Managed Rules.
  • 13. AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
  • 14. Amazon VPC Ingress Routing Amazon VPC ingress routing routes inbound and outbound traffic through third party or AWS services ⁄ Pass all inline traffic through a single appliance ⁄ Inline traffic inspection helps you screen and secure your traffic before it reaches your workload ⁄ Helps you extend your capabilities with third-party solutions in AWS Marketplace
  • 15. AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
  • 16. Is the access intended? Amazon API Gateway Amazon Simple Queue Service Amazon CloudWatch AWS Key Management Service AWS Lambda Amazon Simple Storage Service AWS Identity and Access Management
  • 17. IAM Access Analyzer AWS Identity and Access Management Access Analyzer Uses automated reasoning, a form of mathematical logic & inference, to determine all access paths Identify resources with public or cross-account access in your AWS account Resolve or archive findings based on your security requirements Analyze access continuously Remediate broad access The highest levels of security assurance New!
  • 18. How to get started IAM Roles S3 Buckets Lambda Functions KMS Keys SQS Queues Who has access to what Who has access to what
  • 19. Benefits of IAM Access Analyzer Continuously monitor impact of policy changes on access to your resources Quickly analyze thousands of resource policies across your account Available at no cost!!
  • 20. AWS services that enhance security investigations Identify Protect Detect Respond Recover Investigate Automate
  • 21. What’s on Developer’s mind? How can we improve code quality? Are we giving lowest latency to our customers? Are our infrastructure costs just bloating?
  • 22. Amazon CodeGuru New machine learning service to automate code reviews, with the aim of improving code quality and application performance AVAILABLE IN PREVIEW TODAY
  • 23. Pull Request-based Code Review Process 1. Developer creates a branch. 2. He/she makes code changes. 3. He/she creates a Pull Request. 4. Code reviewers provide comments. Developer provides responses. 5. The code changes are merged after approval. Pull Request Approval Merge Code Review Branch Make changes locally
  • 24. Pull Request-based Code Review Process Flags critical defects and reliability issues in source code. Pull Request Approval Merge Code Review Branch Make changes locally Amazon CodeGuru Reviewer Amazon CodeGuru Reviewer augments human code review process and does not replace it
  • 25. Amazon CodeGuru Reviewer, e.g. concurrency issue
  • 26. Amazon CodeGuru code reviews AWS BEST PRACTICES CONCURRENCY ISSUES RESOURCE LEAKS IDENTIFY CORRECT INPUT VALIDATION Correct use of AWS APIs Incorrect use results in performance (e.g., polling) or correctness and completeness (e.g., pagination) issues. Correct implementation of concurrency constructs. Incorrect use results in correctness (e.g., missing synchronization) or performance issues (e.g., excessive synchronization) and hence impact availability. Correct resource handling Incorrect handling (e.g., not releasing database connection) results in slowdown and impacts availability. Leakage of Personally Identifiable Information Leakage of sensitive information (e.g., logging of credit card number) leads to compliance issues.
  • 27. CodeGuru profiler: how does it work? Configure app and install agent CodeGuru profiling Code profile LATENCY AND CPU UTLIZATION MOST EXPENSIVE LINE OF CODE
  • 28. Customer case LOWER COST INCREASE IN CPU UTILIZATION PRIME DAY 2017 VS 2018 Optimization of the ‘most expensive line of code’ identified by CodeGuru Prime Day improvements with CodeGuru
  • 29. Summary GA status Available regions AWS IAM Access Analyzer generally available all commercial AWS regions Amazon CodeGuru public preview US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), and Asia Pacific (Sydney) S3 Access Point generally available all commercial AWS regions AWS Managed Rules for AWS WAF generally available all commercial AWS regions Amazon VPC Ingress Routing generally available all commercial AWS regions
  • 30. What’s next? • Explore the use case and contact your AWS account manager • Architecture review
  • 31. Thank you! © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amy Tung amytung@amazon.com Rebeker Choi rebeker@amazon.com