© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:Invent
Using Access Advisor to Strike the
Balance Between Security and Usability
Patrick Kelley + Travis McPeak, Netflix Security
SID316
November 29, 2017
Let me tell you a story about a big bad hacker...
Patrick Kelley
● Netflix for five years
● Security Monkey
● CloudAux
● PolicyUniverse
● Aardvark
● Repokid
Travis McPeak
● Netflix for one year
● Previously: IBM, Symantec, HP,
Initech, Death Star
● Bandit
● Aardvark
● Repokid
● OWASP Bay Area
Least privilege
Too many permissions:
● Developers Happy
● Security Unhappy
● Attackers Happy
Too few permissions:
● Developers Unhappy
● Security Happy
● Attackers Unhappy
Just Right
Getting Permissions Just Right:
● Developers Happy
● Security Happy
● Attackers… not so much
Assigning the correct permissions is hard
3,200 unique permissions
100+ services
Problem scope
Other Resources:
● RDS Snapshot
● EBS Snapshot
● AMI
IAM Policies:
● IAM User Inline Policy
● IAM Role Inline Policy
● IAM Group Inline Policy
● Managed Policy
Other Policies:
● Organization Policies
Networking:
● Security Groups (Classic + VPC)
● Network ACLs
Resource Policies:
● S3
● SNS
● Glacier
● Elasticsearch
● KMS
● Lambda Function
● SQS
● Role Trust Policy
Transit Encryption:
● SSL/TLS Certificates
● ACM Certificates
● ELB/ALB Listener Protocols
● ELB/ALB Listener Policies
Possible solutions
The way
Service permission lifecycle
● Creation
● Access Profiling
● Accommodate New Features & Permissions
● Cleanup
Aardvark
Aardvark is Access Advisor!
Repokid
It’s been 90 days, you going to use those permissions?
A role is born
The great balancing act
Role childhood
Policy anatomy
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
Repokid and data sources
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:AttachVolume", "ec2:CreateVolume"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:SendMessage"],
      "Resource": "*"
    }
  ]
}
Repokid and data sources
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:AttachVolume", "ec2:CreateVolume"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my_bucket_name"
    },
    {
      "Effect": "Allow",
      "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:SendMessage"],
      "Resource": "*"
    }
  ]
}
Young role
Mature role
Retired role
How it all works
• Update
• Schedule
• Repo
• Rollback
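The repo and rollback steps listed above, applied to the role policy from the "Repokid and data sources" slides, as an added example (not Repokid's or Aardvark's own code). The Access Advisor data and the per-service "last authenticated" shape are constructed assumptions; the 90-day window is the one the deck uses.

```python
"""Added example for this deck, not Repokid's or Aardvark's own code: a minimal
model of the "repo" and "rollback" steps.  The role policy copies the
"Repokid and data sources" slides; the Access Advisor data is constructed."""
import copy
from datetime import datetime, timedelta, timezone

# Role policy as shown on the slides (constructed wrapper around the three statements).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:CreateVolume"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:SendMessage"],
         "Resource": "*"},
    ],
}

NOW = datetime(2017, 11, 29, tzinfo=timezone.utc)

# Constructed Access Advisor style data for the role: service namespace -> when the
# role last authenticated to that service (None = never).  Assumed shape; Aardvark's
# real output carries more fields than this.
ACCESS_ADVISOR = {
    "ec2": NOW - timedelta(days=3),
    "s3": NOW - timedelta(days=200),
    "sqs": None,
}


def unused_services(advisor, now, min_age_days=90):
    """Service namespaces the role has not used inside the window (90 days on the slides)."""
    cutoff = now - timedelta(days=min_age_days)
    return {svc for svc, last in advisor.items() if last is None or last < cutoff}


def repo_policy(policy, unused):
    """Copy of `policy` with every action belonging to an unused service removed.

    Only Allow statements with explicit "service:Action" entries are repoable;
    Deny statements and a bare "*" action are kept untouched (assumption: wildcards
    are out of scope for this model).  Statements left with no actions are dropped.
    """
    repoed = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            repoed["Statement"].append(dict(stmt))
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        kept = []
        for action in actions:
            service = action.split(":", 1)[0].lower() if ":" in action else None
            if service is None or service not in unused:
                kept.append(action)
        if kept:
            new_stmt = dict(stmt)
            new_stmt["Action"] = kept
            repoed["Statement"].append(new_stmt)
    return repoed


class RoleRecord:
    """In-memory stand-in for the per-role record: every policy version is kept so
    a repo can be rolled back to any earlier version."""

    def __init__(self, policy):
        self.versions = [copy.deepcopy(policy)]  # version 0 is the original policy

    @property
    def current(self):
        return self.versions[-1]

    def repo(self, advisor, now, min_age_days=90):
        """Remove unused services' actions; returns the services that were repoed."""
        unused = unused_services(advisor, now, min_age_days)
        new_policy = repo_policy(self.current, unused)
        if new_policy != self.current:
            self.versions.append(new_policy)
        return sorted(unused)

    def rollback(self, version):
        """Restore an earlier version by appending it as the newest; history is never lost."""
        self.versions.append(copy.deepcopy(self.versions[version]))
        return self.current


if __name__ == "__main__":
    record = RoleRecord(ROLE_POLICY)
    print("repoed:", record.repo(ACCESS_ADVISOR, NOW))
    print("remaining:", [s["Action"] for s in record.current["Statement"]])
    record.rollback(0)
    print("after rollback:", [s["Action"] for s in record.current["Statement"]])
```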
How it all works—update
How it all works—schedule
How it all works—repo
How it all works—rollback
Permissions over time
Recap of challenges
● Wanna chat?
  • https://gitter.im/netflix-repokid/Lobby
● Twitter
  • @MonkeySecurity
  • @travismcpeak
● Contribute
  • https://github.com/Netflix-Skunkworks/aardvark
  • https://github.com/Netflix/repokid
Thanks!

 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Using Access Advisor to Strike the Balance Between Security and Usability - SID316 - re:Invent 2017

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:Invent. Using Access Advisor to Strike the Balance Between Security and Usability. Patrick Kelley + Travis McPeak, Netflix Security. SID316, November 29, 2017
  • 2. Let me tell you a story about a big bad hacker...
  • 3. Patrick Kelley
      ● Netflix for five years
      ● Security Monkey
      ● CloudAux
      ● PolicyUniverse
      ● Aardvark
      ● Repokid
  • 4. Travis McPeak
      ● Netflix for one year
      ● Previously: IBM, Symantec, HP, Initech, Death Star
      ● Bandit
      ● Aardvark
      ● Repokid
      ● OWASP Bay Area
  • 5. Least privilege
      Too many permissions:
      ● Developers Happy
      ● Security Unhappy
      ● Attackers Happy
      Too few permissions:
      ● Developers Unhappy
      ● Security Happy
      ● Attackers Unhappy
      Just Right
  • 6. Least privilege. Getting Permissions Just Right:
      ● Developers Happy
      ● Security Happy
      ● Attackers… not so much
  • 7. Assigning the correct permissions is hard: 3,200 unique permissions, 100+ services
  • 8. Problem scope
      Other Resources: RDS Snapshot, EBS Snapshot, AMI
      IAM Policies: IAM User Inline Policy, IAM Role Inline Policy, IAM Group Inline Policy, Managed Policy
      Other Policies: Organization Policies
      Networking: Security Groups (Classic + VPC), Network ACLs
      Resource Policies: S3, SNS, Glacier, Elasticsearch, KMS, Lambda Function, SQS, Role Trust Policy
      Transit Encryption: SSL/TLS Certificates, ACM Certificates, ELB/ALB Listener Protocols, ELB/ALB Listener Policies
  • 9. Problem scope
  • 11. Service permission lifecycle
      ● Creation
      ● Access Profiling
      ● Accommodate New Features & Permissions
      ● Cleanup
  • 12. Aardvark. Aardvark is Access Advisor!
  • 13. Repokid
  • 14. Repokid. It's been 90 days, you going to use those permissions?
  • 15. Repokid
  • 16. Repokid
  • 17. Repokid
  • 18. A role is born
  • 19. The great balancing act
  • 20. Role childhood
  • 21. Policy anatomy
      {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::example_bucket"
        }
      }
  • 22. Policy anatomy
      {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::example"
        }
      }
  • 23. Policy anatomy (same policy as slide 22)
  • 24. Policy anatomy (same policy as slide 22)
  • 25. Repokid and data sources
  • 26. Repokid and data sources
  • 27. Repokid and data sources
  • 28. Repokid and data sources
  • 29. Repokid and data sources (missing commas after each "Action" list added)
      {
        "Effect": "Allow",
        "Action": ["ec2:AttachVolume", "ec2:CreateVolume"],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:SendMessage"],
        "Resource": "*"
      }
  • 30. Repokid and data sources (same statements as slide 29)
  • 31. Repokid and data sources (same statements as slide 29)
  • 32. Repokid and data sources. Same statements as slide 29, except that the S3 statement's "Resource": "*" is replaced with a specific bucket:
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": "arn:aws:s3:::my_bucket_name"
      }
  • 33. Young role
  • 34. Mature role
  • 35. Retired role
  • 36. How it all works
      ● Update
      ● Schedule
      ● Repo
      ● Rollback
  • 37. How it all works—update
  • 38. How it all works—update
  • 39. How it all works—update
  • 40. How it all works—update
  • 41. How it all works—update
  • 42. How it all works—schedule
  • 43. How it all works—schedule
  • 44. How it all works—schedule
  • 45. How it all works—repo
  • 46. How it all works—repo
  • 47. How it all works—repo
  • 48. How it all works—repo
  • 49. How it all works—repo
  • 50. How it all works—rollback
  • 51. How it all works—rollback
  • 52. How it all works—rollback
  • 53. How it all works—rollback
  • 54. How it all works—rollback
  • 55. How it all works—rollback
  • 56. Permissions over time
  • 57. Recap of challenges
  • 58. Recap of challenges
  • 59. Recap of challenges
  • 60. Recap of challenges
  • 61. Recap of challenges
  • 62. Wanna chat?
      ● https://gitter.im/netflix-repokid/Lobby
      ● Twitter: @MonkeySecurity, @travismcpeak
      ● Contribute: https://github.com/Netflix-Skunkworks/aardvark, https://github.com/Netflix/repokid
      Thanks!
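The "Repokid and data sources" policy (slides 29–32) and the update / schedule / repo / rollback cycle (slides 36–55) are only titles and a policy fragment in the deck, so here is the cycle worked through on that policy. This is an added example, not Repokid's or Aardvark's code. Two things are assumed rather than taken from the deck: the Access Advisor data is a constructed dict of service namespace to last-used time (real data comes from IAM's GenerateServiceLastAccessedDetails API, which Aardvark wraps; it is not called here so the example runs offline), and the rule that a role younger than the window is skipped is read off the "Young role" / "Mature role" slides.

```python
"""Model of the Repokid cycle the deck walks through: update (pull Access
Advisor data), schedule (is the role old enough?), repo (strip services
unused for 90 days) and rollback. Added example, not Repokid's or
Aardvark's code; the Access Advisor data below is constructed, and the
"young role" rule is an assumption read off the Young/Mature role slides."""
import copy
from datetime import datetime, timedelta, timezone

REPO_AGE_DAYS = 90  # "It's been 90 days, you going to use those permissions?"
NOW = datetime(2017, 11, 29, tzinfo=timezone.utc)  # constructed "today"

def days_ago(n):
    return NOW - timedelta(days=n)

# The three statements from the "Repokid and data sources" slides, as a
# full policy document (commas added).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:AttachVolume", "ec2:CreateVolume"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:SendMessage"]},
    ],
}

# Constructed Access Advisor-style data: service namespace -> last use
# (None = never used inside the tracking window).
SAMPLE_ACCESS_ADVISOR = {"ec2": days_ago(2), "s3": days_ago(40), "sqs": None}

def service_of(action):
    """'s3:GetObject' -> 's3'; a bare '*' has no service and stays '*'."""
    return action.split(":", 1)[0].lower()

def eligible(role_created, now=NOW, age_days=REPO_AGE_DAYS):
    """Schedule: a role younger than the window has not shown its real
    usage yet, so it is left alone."""
    return now - role_created >= timedelta(days=age_days)

def unused_services(access_advisor, now=NOW, age_days=REPO_AGE_DAYS):
    """Update: services this role has not touched inside the window."""
    cutoff = now - timedelta(days=age_days)
    return {svc for svc, last in access_advisor.items()
            if last is None or last < cutoff}

def repo_policy(policy, unused):
    """Repo: drop every action that belongs to an unused service.

    Only Allow statements are trimmed (trimming a Deny would widen access).
    Bare '*' actions and NotAction statements are copied unchanged, since
    service-level usage data cannot say which part of them is dead. The
    input is not mutated, so the caller can keep it for rollback."""
    statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            statements.append(copy.deepcopy(stmt))
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        kept = [a for a in actions if service_of(a) not in unused]
        if kept:  # a statement left with no actions is dropped entirely
            new_stmt = copy.deepcopy(stmt)
            new_stmt["Action"] = kept
            statements.append(new_stmt)
    return {"Version": policy["Version"], "Statement": statements}

class RoleHistory:
    """Every policy version applied to a role, so any repo can be undone."""

    def __init__(self, initial_policy):
        self.versions = [copy.deepcopy(initial_policy)]

    @property
    def current(self):
        return self.versions[-1]

    def apply(self, policy):
        self.versions.append(copy.deepcopy(policy))

    def rollback(self, to_version=None):
        """Rollback: re-apply an earlier version (default: the previous one).
        It is appended as a new version so the audit trail stays intact."""
        if to_version is None:
            if len(self.versions) < 2:
                raise ValueError("nothing to roll back")
            to_version = len(self.versions) - 2
        self.apply(self.versions[to_version])
        return self.current

def run_cycle(policy, access_advisor, role_created, now=NOW):
    """One update -> schedule -> repo pass; returns (history, removed services)."""
    history = RoleHistory(policy)
    if not eligible(role_created, now):
        return history, set()
    unused = unused_services(access_advisor, now)
    if unused:
        history.apply(repo_policy(history.current, unused))
    return history, unused
```

On the sample data the SQS statement is removed and the EC2 and S3 statements survive, and the role's pre-repo policy stays in `RoleHistory` so a surprise breakage (a job that only calls a service once a quarter, say) is one `rollback()` away. Access Advisor reports usage per service, not per resource, which is why the example can drop whole services but cannot narrow `"Resource": "*"` to `arn:aws:s3:::my_bucket_name` as slide 32 does; that step needs a resource-level data source.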