Customers using AWS benefit from more than 1,800 security and compliance controls built into the AWS platform. In this session you will learn how to take advantage of the AWS platform's advanced security features to gain the visibility, agility and control needed to be more secure in the cloud than in legacy environments. We will look at several reference architectures for common workloads and highlight the innovative ways customers are using AWS to manage security more efficiently. After attending this session you will be familiar with the shared security responsibility model and with how you can inherit controls from the certification and accreditation programs maintained by AWS.
https://aws.amazon.com/pt/security/
47. “AWS allowed our company to automate the use of infrastructure and to know the real cost of infrastructure for Rede”
• Redecard is the 6th largest acquirer in the world and the 2nd largest card transaction capture company in Brazil.
• We currently have 18 million transactions captured per day and are focusing on improving digital channel services using AWS.
“Beyond the value of automation and identifying the cost of infrastructure, we were able to serve Time to Market better and reduce the lead time of products”
- Marcos Rodrigues, Cloud and DevOps Coordinator, REDE
48. The Challenge
• Scale the environment with agility and security
• Maintain real-time security monitoring
• Handle usage peaks
• Keep the system under compliance check.
50. Don't have the official AWS Summit São Paulo app yet?
http://amzn.to/2rOcsVy
Don't forget to rate the sessions in the app!
Editor's Notes
Seriously… this is all about helping YOU make smarter decisions when adopting AWS and removing speedbumps from your adoption path.
AWS has over 1,800 security and compliance controls that we continually monitor and validate for you!
[picture of a shredded hard drive]
We have a set of very clear rules, implemented across our data centers, on how to dispose of things like hard drives. Going back to a lot of Amazon design philosophy, simplicity is one of the most important precursors for success in implementing controls. Controls are complicated; people get confused and make mistakes. So what we have done with our data centers is make a rule that says no hard drive shall leave our facilities intact.
You benefit from an environment built for the most security sensitive organizations
You get to define the right security controls for your workload sensitivity
You always have full ownership and control of your data
We don’t just create these frameworks for fun. We spend countless hours/days/weeks/months working with customers like all of you to understand how they are adopting AWS. We look to understand what has worked for them, and what didn’t. We then distil that information down to stories and epics that you can then use to gain the agility of the cloud.
Identity and Access Management (the pillar, not only the AWS IAM service) enables you to create multiple access control mechanisms and manage the permissions for each of these.
Detective Controls: provides you the capability for native logging and visibility into the service
Infrastructure Security: provides you with the ability to shape your security controls to fit your requirements
Data Protection: capability for maintaining visibility and control over data
Incident Response: capability to respond, manage, reduce harm, and restore operations during and after an incident
AWS Organizations allows for policy-based management for multiple AWS accounts
AWS IAM securely controls access to AWS services and resources for your users.
AWS STS allows you to federate your existing identity provider with AWS IAM.
AWS CloudTrail tracks user activity and API usage
AWS Config allows you to view AWS resource inventory and configuration history and drive change notifications
Amazon CloudWatch provides monitoring for AWS cloud resources and the applications you run on AWS.
Amazon Inspector is an automated security assessment service to help improve the security and compliance of applications.
VPC Flow logs capture information about the IP traffic going to and from network interfaces in your VPC.
Agentless; enable per ENI, per subnet, or per VPC
Create CloudWatch metrics from log data and alert on them as you see here
Or roll your own real-time network dashboard with the Amazon Elasticsearch Service
This is where it gets more interesting! You can even push the VPC Flow Logs into Machine Learning to then be able to more easily identify what should NOT be happening!
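As an added example (not code from the original deck), the same REJECT signal a CloudWatch metric filter would alarm on, computed by parsing default-format VPC Flow Log records; the filter pattern follows the documented version 2 field order, and the sample records and the eni/account values are constructed:

```python
# Added example: count rejected flows per source address from VPC Flow Log records.
from collections import Counter

# CloudWatch Logs metric filter pattern for the default (version 2) flow log format;
# field names are positional, only the action="REJECT" condition filters.
REJECT_FILTER_PATTERN = (
    "[version, account, eni, source, destination, srcport, destport, "
    "protocol, packets, bytes, windowstart, windowend, action=\"REJECT\", flowlogstatus]"
)

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample records (RFC 5737 documentation addresses, constructed account/ENI ids).
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 43210 22 6 1 40 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 43211 3389 6 1 40 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51515 443 6 12 9600 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1500000000 1500000060 - NODATA
"""


def parse_record(line):
    """Split one space-separated flow log record into a dict keyed by field name."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count in record: %r" % line)
    return dict(zip(FIELDS, parts))


def rejects_by_source(text):
    """Return a Counter of REJECT records per srcaddr, skipping NODATA/SKIPDATA records."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec["log_status"] != "OK":  # no flow fields to inspect in these records
            continue
        if rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return counts
```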
Concentrate on what AWS Shield and WAF provide to our customers
AWS Shield is a DDoS protection service that safeguards web applications running on AWS; AWS Shield Standard comes at no additional cost
AWS WAF protects your web applications from common web exploits
AWS Trusted Advisor provides real time guidance to help you provision your resources following AWS best practices.
AWS Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.
AWS OpsWorks automates how servers are configured, deployed, and managed.
Tenancy Enforcement Example
AWS CloudHSM is a dedicated HSM to meet corporate, contractual and regulatory compliance requirements
AWS KMS is an AWS managed service that allows you to easily create and manage keys to encrypt your data
AWS Certificate Manager (ACM) is a service that lets you easily provision, manage and deploy SSL/TLS certificates for use with AWS
Best part… IT IS SUPER EASY!
You get the flexibility you need in a key management system while also not having to worry about availability and management of the system itself. CMKs never leave AWS's HSAs (hardened security appliances) in clear text, and there is complete integration with AWS IAM and CloudTrail for authorization and visibility into the use of the keys.
In a multi-account architecture you can deploy AWS KMS within each of the environments or based upon the data classification within an account. Additionally, you can import your own key material for the CMKs to have even more control over the keys.
Best part… is the cost! Fraction of the cost of dedicated or virtualized appliances.
Amazon CloudWatch Events delivers a near real-time stream of system events that describe AWS resource changes
AWS Lambda lets you run code without provisioning or managing servers
Incident Response should NOT just be a manual process! Let's walk through how to quickly respond to someone disabling CloudTrail without ANY human interaction.
Simple lambda function that logs events
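As an added example (not the deck's own function), a Lambda handler for the CloudTrail walkthrough above: it consumes the CloudWatch Events "AWS API Call via CloudTrail" event, calls StartLogging on a trail that was stopped, and only logs other tampering calls for a human to review. The rule pattern, the trail and account values, and the RecordingClient stand-in are constructed assumptions.

```python
# Added example: auto-remediate a CloudTrail trail that was stopped, with no human in the loop.
import logging

logger = logging.getLogger(__name__)

# Assumed CloudWatch Events rule pattern: CloudTrail API calls that weaken logging.
EVENT_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudtrail.amazonaws.com"],
               "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"]},
}

# Constructed sample event in the shape CloudWatch Events delivers for an API call.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {"name": "example-trail"},
    },
}

class RecordingClient:
    """Offline stand-in for boto3.client('cloudtrail'); records StartLogging calls."""
    def __init__(self):
        self.started = []

    def start_logging(self, Name):
        self.started.append(Name)

def remediate(event, cloudtrail):
    """Re-enable a stopped trail; log but do not undo other tampering calls."""
    detail = event.get("detail", {})
    if (event.get("detail-type") != "AWS API Call via CloudTrail"
            or detail.get("eventSource") != "cloudtrail.amazonaws.com"):
        return {"action": "ignored"}
    name = detail.get("eventName")
    trail = (detail.get("requestParameters") or {}).get("name")
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    logger.info("CloudTrail %s on %s by %s", name, trail, actor)
    if name == "StopLogging" and trail:
        cloudtrail.start_logging(Name=trail)  # undo the StopLogging immediately
        return {"action": "start_logging", "trail": trail, "actor": actor}
    return {"action": "alert", "event": name, "trail": trail, "actor": actor}

def lambda_handler(event, context):
    import boto3  # available in the Lambda runtime; imported lazily so the module loads offline
    return remediate(event, boto3.client("cloudtrail"))
```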
30 seconds to present the company, quickly
The (at most) 4 biggest challenges of the project that were solved by using the AWS cloud
Solution diagram, and explain the solution, advantages, etc.