Security Best Practices
John Hildebrandt, Principal Solutions Architect, AWS
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• Sources of Best Practices
• A Bad Day
• Best of the Best Practices
• Infrastructure Security
• Data Protection
• Identity and Access Management
• Logging and Monitoring
• Tools and Automation
• At Scale
Sources of Best Practices

AWS Cloud Adoption Framework (CAF)
How to move to the cloud securely, including the “Core Five Epics”:
• Identity and Access Management
• Logging and Monitoring
• Infrastructure Security
• Data Protection
• Incident Response

AWS Security Best Practices
Whitepaper with 44 best practices, including:
• Identity and Access Management (10 best practices)
• Logging and Monitoring (4)
• Infrastructure Security (15)
• Data Protection (15)

Center for Internet Security (CIS) Benchmarks
148 detailed recommendations for configuration and auditing, covering:
• “AWS Foundations” with 52 checks aligned to AWS Best Practices
• “AWS Three-Tier Web Architecture” with 96 checks for web applications
CIS Benchmarks: What, Why, Check, Fix
A is for “Andy” and B is for “Bill”
Andy follows best practices :-)
Bill does NOT follow best practices :-(
[Diagram: Bill’s AWS Account. Internet → Internet Gateway → Web Server Instance, with the S3 Bucket “Website Images”, an Internal Data Service and the S3 Bucket “Data Backup”, all in one account.]
Bill’s Bad Day
[Diagram: the same account with a “Bad Person” on the Internet; the numbered steps below are marked 1 to 5 on the diagram.]
1. Access the vulnerable web application
2. Pivot to the data service
3. Delete the website image files
4. Change permissions to the data backup
5. Download the data backup
Bill’s Bad Day
[Diagram: the same account, annotated with what was missing at each step.]
1. No web application protection
2. No segmentation
3. One account
4. All permissions granted
5. Sensitive data not encrypted
6. No logging, monitoring, alerting

… now let’s help Andy have a great day! :-)
[Diagram: Andy’s AWS Account, starting from the same layout: Web Server Instance, S3 Bucket “Website Images”, Internal Data Service, S3 Bucket “Data Backup”.]
Best of the Best Practices: Infrastructure Security

1) Create a Threat Prevention Layer using AWS Edge Services
Use the 70 worldwide points of presence in the AWS Edge Network to provide scalability, protect from denial of service attacks, and protect from web application attacks.
Services: AWS WAF, AWS Shield, Amazon CloudFront

2) Create network zones with Virtual Private Clouds (VPCs) and Security Groups
Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy.
Services: Security Group

3) Manage vulnerabilities through patching and scanning
Test virtual machine images and snapshots for operating system and application vulnerabilities throughout the build pipeline and into the operational environment.
Services: Amazon Inspector, Amazon EC2 Systems Manager

Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark

Infrastructure Security (Andy, step 1)
[Diagram: Andy’s AWS Account with AWS WAF, AWS Shield and Amazon CloudFront in front of the Internet Gateway, the Web Server Instance and the Internal Data Service each in their own Security Group, Amazon Inspector, and the S3 Buckets “Website Images” and “Data Backup”.]
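Practice 2 above (network zones with Security Groups) is the control Bill lacked at step 2 (“No segmentation”). The following Python is an added example, not code from the deck or from AWS: it audits security groups in the shape returned by EC2 DescribeSecurityGroups (IpPermissions, IpRanges, Ipv6Ranges, UserIdGroupPairs) and flags rules that expose administrative ports to the whole internet, in the spirit of the CIS Foundations checks on unrestricted SSH and RDP ingress. The admin-port list and the two sets of sample groups (Bill’s flat network next to Andy’s zoned one) are constructed for the example.

```python
"""Flag security-group rules that expose admin ports to the whole internet.

Added example (not from the slides): input mirrors the IpPermissions shape
EC2 DescribeSecurityGroups returns; the sample groups below are constructed.
"""
from ipaddress import ip_network

# Assumption: a starting list of admin ports; extend it to match your policy.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (a /0 prefix covers every address)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def port_span(perm):
    """Port range covered by one IpPermissions entry ('-1' means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return one finding per (group, world-open CIDR) that reaches an admin port.

    Rules that reference another security group (UserIdGroupPairs) carry no
    CIDR, so zone-to-zone rules like Andy's data tier never produce a finding.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = port_span(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                exposed = sorted(name for port, name in ADMIN_PORTS.items() if lo <= port <= hi)
                if exposed:
                    findings.append({"group": sg["GroupId"], "cidr": cidr, "ports": exposed})
    return findings


# Constructed sample: Bill's single wide-open group versus Andy's two zones.
BILL_GROUPS = [
    {"GroupId": "sg-bill-everything", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
ANDY_GROUPS = [
    # Web tier: only HTTPS from the internet.
    {"GroupId": "sg-andy-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    # Data tier: the database port only from the web tier's security group.
    {"GroupId": "sg-andy-data", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-andy-web"}]}]},
]

if __name__ == "__main__":
    print("Bill:", audit_security_groups(BILL_GROUPS))
    print("Andy:", audit_security_groups(ANDY_GROUPS))
```

Against a live account the `groups` argument would be the `SecurityGroups` list from `describe_security_groups`; the logic itself never touches the network, so it can also run in a CI step over exported JSON.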
Best of the Best Practices: Data Protection

4) Encrypt data at rest (with the occasional exception)
Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public.

5) Use server-side encryption with provider managed keys
AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use a default master key or select a custom master key, both managed by AWS.

6) Encrypt data in transit (with no exceptions)
Encryption of data in transit provides protection from accidental disclosure, verifies the integrity of the data, and can be used to validate the remote connection.

Services shown: AWS KMS, Data Encryption Key, Amazon S3, Amazon CloudFront, Internet Gateway, SSL / TLS / HTTPS
Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark

Data Protection (Andy, step 2)
[Diagram: the step-1 architecture plus AWS KMS Data Encryption Keys on the S3 Buckets “Website Images” and “Data Backup”.]
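Practices 4 to 6 can be turned into a per-bucket check. The Python below is an added example, not code from the deck or from AWS: it takes a bucket’s default-encryption configuration (the `ServerSideEncryptionConfiguration` shape returned by GetBucketEncryption) and its bucket policy (the document returned by GetBucketPolicy), and reports whether data at rest is encrypted with SSE-S3 or SSE-KMS and whether the policy refuses any request that does not arrive over TLS, using the real `aws:SecureTransport` condition key. The two sample buckets (Andy’s backup bucket and Bill’s) and the bucket name `data-backup` are constructed.

```python
"""Check an S3 bucket for encryption at rest and TLS-only access.

Added example, not from the slides. Inputs mirror GetBucketEncryption and
GetBucketPolicy; the sample buckets are constructed.
"""
import json


def _as_list(value):
    """Policy JSON allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous and every account)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def has_default_encryption(encryption_config):
    """True when every default-encryption rule uses SSE-S3 (AES256) or SSE-KMS."""
    rules = (encryption_config or {}).get("Rules", [])
    return bool(rules) and all(
        r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
        for r in rules
    )


def denies_plaintext_transport(policy_doc):
    """True when a Deny statement covers all S3 actions for everyone whenever
    aws:SecureTransport is false, i.e. plain-HTTP access is refused."""
    if not policy_doc:
        return False
    for st in _as_list(json.loads(policy_doc).get("Statement")):
        if st.get("Effect") != "Deny" or not _is_everyone(st.get("Principal")):
            continue
        if not ({"s3:*", "*"} & set(_as_list(st.get("Action")))):
            continue
        secure = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(secure).lower() == "false":
            return True
    return False


def assess_bucket(encryption_config, policy_doc):
    """Return the data-protection gaps for one bucket (empty list means fine)."""
    issues = []
    if not has_default_encryption(encryption_config):
        issues.append("no default encryption at rest")
    if not denies_plaintext_transport(policy_doc):
        issues.append("bucket policy does not deny non-TLS access")
    return issues


# Constructed samples. Andy's backup bucket: SSE-KMS by default plus a
# TLS-only policy. Bill's: no encryption configuration and no policy at all.
ANDY_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/data-backup"}}]}
ANDY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPlaintextTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::data-backup", "arn:aws:s3:::data-backup/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})
BILL_ENCRYPTION = None
BILL_POLICY = None

if __name__ == "__main__":
    print("Andy:", assess_bucket(ANDY_ENCRYPTION, ANDY_POLICY) or "no issues")
    print("Bill:", assess_bucket(BILL_ENCRYPTION, BILL_POLICY))
```

The Deny statement in `ANDY_POLICY` is the standard way to make practice 6 (“no exceptions”) enforceable rather than advisory: clients that forget HTTPS get an access-denied error instead of silently sending plaintext.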
Best of the Best Practices: Identity and Access Management

7) Use multiple AWS accounts to reduce blast radius
AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification.

8) Use limited roles and grant temporary security credentials
IAM roles and temporary security credentials mean you don't always have to manage long-term credentials and IAM users for each entity that requires access to a resource.

9) Federate to an existing identity service
Control access to AWS resources, and manage the authentication and authorization process without needing to re-create all your corporate users as IAM users.

Services shown: Production and Staging accounts (IAM in each), Temporary Security Credentials, IAM Roles, MFA token, AWS Directory Service
Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark

Identity and Access Management (Andy, step 3)
[Diagram: the architecture now spans two AWS Accounts under AWS Organizations, with IAM, Temporary Security Credentials, an MFA token and AWS Directory Service added; the backup bucket is labelled “Database Backup” on this slide.]
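Practice 8 (“limited roles”) is the counterpart of Bill’s step 4, “All permissions granted”. The Python below is an added example, not code from the deck or from AWS: a small linter over an IAM policy document that flags Allow statements granting every action, a whole service’s actions, or an unbounded `NotAction`, on `Resource: "*"`, and notes when no Condition (for example the real `aws:MultiFactorAuthPresent` key) narrows such a grant. The two sample policies are constructed: Bill’s, and a least-privilege policy for Andy’s web server role that can only read the “Website Images” bucket; `website-images` and the `REGION`/`ACCOUNT_ID`/`KEY_ID` parts of the KMS ARN are placeholders.

```python
"""Spot 'all permissions granted' statements in an IAM policy document.

Added example, not from the slides; both sample policies are constructed.
"""
import json


def _as_list(value):
    """Policy JSON allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overly_permissive_statements(policy_doc):
    """Return the Allow statements that amount to 'everything, everywhere'."""
    findings = []
    for index, st in enumerate(_as_list(json.loads(policy_doc).get("Statement"))):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource")):
            continue  # Deny statements and resource-scoped grants are out of scope here
        actions = _as_list(st.get("Action"))
        reasons = []
        if "*" in actions:
            reasons.append("Action '*' on Resource '*' is a full administrator grant")
        service_wide = sorted(a for a in actions if a.endswith(":*"))
        if service_wide:
            reasons.append(f"service-wide wildcard {service_wide} on Resource '*'")
        if "NotAction" in st:
            reasons.append("Allow with NotAction grants everything not listed")
        if reasons and not st.get("Condition"):
            reasons.append("no Condition (such as aws:MultiFactorAuthPresent) narrows the grant")
        if reasons:
            findings.append({"index": index, "sid": st.get("Sid"), "reasons": reasons})
    return findings


# Constructed: the policy behind "All permissions granted".
BILL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EverythingEverywhere", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
})

# Constructed: what Andy's web server role actually needs, nothing more.
ANDY_WEB_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadWebsiteImages", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::website-images/*"},
        {"Sid": "ListWebsiteImages", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::website-images"},
        {"Sid": "UseImageDataKey", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"},  # placeholder ARN
    ],
})

if __name__ == "__main__":
    print("Bill:", overly_permissive_statements(BILL_POLICY))
    print("Andy:", overly_permissive_statements(ANDY_WEB_ROLE_POLICY) or "no findings")
```

Attach `ANDY_WEB_ROLE_POLICY` to an instance role rather than to an IAM user: the instance then receives temporary credentials automatically, which is practice 8’s second half.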
Best of the Best Practices: Logging and Monitoring

10) Turn on logging in all accounts, for all services, in all regions
The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. CloudWatch collects and tracks metrics and monitors log files.

11) Use the AWS platform’s built-in monitoring and alerting features
Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity.

12) Use a separate AWS account to fetch and store copies of all logs
Configuring a security account to copy logs to a separate bucket ensures access to information which can be useful in security incident response workflows.

Services shown: AWS Config, Amazon CloudWatch, AWS CloudTrail, CloudWatch Alarms; Production and Security accounts
Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark

Logging and Monitoring (Andy, step 4)
[Diagram: the step-3 architecture with AWS Config, Amazon CloudWatch and AWS CloudTrail added across both AWS Accounts.]
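Practice 11 asks for alarms on “anomalous or sensitive account activity”; the Python below shows what such a rule set looks like when run over CloudTrail records. It is an added example, not code from the deck or from AWS. The records are constructed in the shape of CloudTrail’s `Records` array, and the rules mirror the kind of alarms the CIS Foundations benchmark calls for (trail changes, console logins without MFA, bucket policy or ACL changes, unauthorized API calls). `eventName`, `additionalEventData.MFAUsed` and `errorCode` are real CloudTrail fields; the nested `AccessControlPolicy` layout used to read a PutBucketAcl grant is an assumption to adapt to your own logs, and the account id, bucket names and user names are placeholders.

```python
"""Flag sensitive account activity in CloudTrail records.

Added example, not from the slides. The sample log is constructed; the rules
are a starting point modelled on the CIS Foundations metric filters.
"""
import json

# Event names whose appearance alone is worth an alarm.
ALWAYS_ALERT = {"StopLogging", "DeleteTrail", "UpdateTrail",
                "PutBucketPolicy", "DeleteBucketPolicy", "DeleteBucket"}
PUBLIC_GROUP_SUFFIXES = ("/AllUsers", "/AuthenticatedUsers")


def grants_public_access(request_parameters):
    """True when a PutBucketAcl request hands a grant to everyone.

    Assumption: the ACL appears in requestParameters as the S3 XML ACL
    structure (AccessControlPolicy > AccessControlList > Grant).
    """
    acl = (request_parameters or {}).get("AccessControlPolicy", {})
    grants = acl.get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):
        grants = [grants]
    return any(g.get("Grantee", {}).get("URI", "").endswith(PUBLIC_GROUP_SUFFIXES)
               for g in grants)


def classify(record):
    """Return a short reason if the record is sensitive activity, else None."""
    name = record.get("eventName", "")
    if name in ALWAYS_ALERT:
        return f"audit trail or bucket policy change: {name}"
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        return "console login without MFA"
    if name == "PutBucketAcl" and grants_public_access(record.get("requestParameters")):
        return "bucket ACL opened to everyone"
    if record.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
        return f"unauthorized API call: {name}"
    return None


def find_alerts(cloudtrail_json):
    """Run classify() over one CloudTrail log file's Records array."""
    alerts = []
    for record in json.loads(cloudtrail_json)["Records"]:
        reason = classify(record)
        if reason:
            alerts.append({"time": record["eventTime"],
                           "who": record.get("userIdentity", {}).get("arn", "unknown"),
                           "why": reason})
    return alerts


# Constructed sample log: Bill's day as CloudTrail would have recorded it.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-06-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bill"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-06-01T09:05:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bill"},
     "requestParameters": {"bucketName": "website-images", "key": "logo.png"}},
    {"eventTime": "2017-06-01T09:10:44Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bill"}},
    {"eventTime": "2017-06-01T09:12:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bill"},
     "requestParameters": {"bucketName": "data-backup", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Permission": "READ", "Grantee": {
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}}}},
    {"eventTime": "2017-06-01T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bill"}},
]})

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

In production the same conditions are expressed as CloudWatch Logs metric filters on the CloudTrail log group with a CloudWatch Alarm on each metric; keeping the logic in one place like `classify()` makes it easy to test the rules against saved records before wiring the alarms.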
Best Practices
[Diagram: Andy’s complete architecture across two AWS Accounts: AWS WAF, AWS Shield and Amazon CloudFront at the edge; Web Server Instance and Internal Data Service in separate Security Groups; S3 Buckets “Website Images” and “Data Backup” with AWS KMS Data Encryption Keys; IAM with Temporary Security Credentials, an MFA token and AWS Directory Service; AWS Config, Amazon CloudWatch, AWS CloudTrail and Amazon Inspector.]
Tools and Automation

Amazon Inspector
An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.

Amazon CloudWatch Events
A monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.

AWS Config Rules
A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.

See also: AWS re:Invent 2016: “5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules” (SAC401)
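The Config Rules description above is easiest to see in a custom rule. The Python below is an added example, not code from the deck or from AWS: a Lambda handler in the shape AWS Config invokes custom rules (`invokingEvent` carrying the recorded `configurationItem`, `ruleParameters`, `resultToken`), which evaluates whether an EBS volume is encrypted at rest (practice 4) and reports the result through the real `put_evaluations` call. The Config client is injected so the rule runs offline; `RecordingConfigClient`, `make_event`, the `requiredKmsKeyArn` parameter name, and the assumption that the volume’s configuration carries `encrypted` and `kmsKeyId` in camel case are all mine, and the KMS ARN is a placeholder.

```python
"""A custom AWS Config rule: is this EBS volume encrypted at rest?

Added example, not from the slides. Event shapes follow AWS Config's custom
rule invocation; the helper client and sample events are constructed.
"""
import json


def evaluate_volume(configuration_item, rule_parameters):
    """Decide compliance for one recorded resource.

    Assumption: an AWS::EC2::Volume configuration item carries the
    DescribeVolumes fields in camel case ('encrypted', 'kmsKeyId').
    """
    if configuration_item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule evaluates EBS volumes only"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource was deleted"
    config = configuration_item.get("configuration") or {}
    if not config.get("encrypted", False):
        return "NON_COMPLIANT", "volume is not encrypted at rest"
    required_key = rule_parameters.get("requiredKmsKeyArn")
    if required_key and config.get("kmsKeyId") != required_key:
        return "NON_COMPLIANT", "volume is encrypted, but not with the required KMS key"
    return "COMPLIANT", "volume is encrypted at rest"


def lambda_handler(event, context, config_client=None):
    """Entry point in the shape AWS Config invokes a custom rule Lambda.

    config_client is injected so the logic runs without AWS access; in a
    deployed function pass boto3.client('config').
    """
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_volume(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation


def make_event(volume_id, encrypted, kms_key_id=None,
               capture_time="2017-06-01T10:00:00.000Z"):
    """Build a constructed invocation event so the rule can be tested offline."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": volume_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": capture_time,
        "configuration": {"volumeId": volume_id, "encrypted": encrypted,
                          "kmsKeyId": kms_key_id},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps({"requiredKmsKeyArn": REQUIRED_KEY}),
        "resultToken": "constructed-token",
    }


REQUIRED_KEY = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"  # placeholder ARN


class RecordingConfigClient:
    """Stand-in for boto3's Config client that records put_evaluations calls."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.calls.append((Evaluations, ResultToken))
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(make_event("vol-bill", False), None, client))
    print(lambda_handler(make_event("vol-andy", True, REQUIRED_KEY), None, client))
```

The NON_COMPLIANT result is what a CloudWatch Events rule on Config compliance changes would pick up to notify or remediate, which is the automation loop the SAC401 talk referenced above describes.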
At Scale

IAM
• Issue: At scale we have too many IAM Users
• Solution: IAM identity federation
• Benefits:
  • Large reduction in the number of IAM users
  • Benefit from existing staff account processes
• Issue: IAM users are still required in some cases
• Solution: Monitoring and automation around IAM users
• Benefits:
  • Poorly configured or inactive IAM users automatically disabled and removed
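The “monitoring and automation around IAM users” item can start from the IAM credential report, which lists every user’s password, MFA and access-key state. The Python below is an added example, not code from the deck or from AWS: it reads a report in the CSV layout IAM produces (a subset of the real columns is used) and lists users with a console password but no MFA, users with no activity inside an idle window, and long-term access keys past a rotation age. The 90-day thresholds, the sample rows (Andy, Bill and a legacy service user) and the account id are constructed.

```python
"""Find IAM users that should be disabled or cleaned up, from a credential report.

Added example, not from the slides. The CSV is constructed in the column
layout of IAM's credential report (a subset of its columns).
"""
import csv
import io
from datetime import datetime, timezone

MAX_IDLE_DAYS = 90      # assumption: disable users with no activity for 90 days
MAX_KEY_AGE_DAYS = 90   # assumption: rotate long-term access keys every 90 days
NOT_A_TIME = {"N/A", "no_information", "not_supported", ""}


def parse_time(value):
    """Credential-report timestamps are ISO 8601; placeholders become None."""
    if value in NOT_A_TIME:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_credential_report(report_csv, now):
    """Return [{'user', 'reasons'}] for IAM users that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the root user needs its own checks; not covered here
        reasons = []
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            reasons.append("console password without MFA")
        activity = [t for t in (parse_time(row["password_last_used"]),
                                parse_time(row["access_key_1_last_used_date"]),
                                parse_time(row["access_key_2_last_used_date"])) if t]
        newest = max(activity) if activity else parse_time(row["user_creation_time"])
        idle = (now - newest).days
        if idle > MAX_IDLE_DAYS:
            reasons.append(f"no activity for {idle} days")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is not None and age > MAX_KEY_AGE_DAYS:
                reasons.append(f"access key {slot} is {age} days old")
        if reasons:
            findings.append({"user": row["user"], "reasons": reasons})
    return findings


# Constructed report: Andy is tidy, Bill has no MFA and an old key, and a
# legacy service user has been idle for months with an old key.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2015-01-01T00:00:00+00:00,not_supported,2017-08-01T08:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
andy,arn:aws:iam::111111111111:user/andy,2017-01-01T00:00:00+00:00,true,2017-08-30T12:00:00+00:00,true,true,2017-07-01T00:00:00+00:00,2017-08-31T09:00:00+00:00,false,N/A,N/A
bill,arn:aws:iam::111111111111:user/bill,2016-01-01T00:00:00+00:00,true,2017-08-31T07:30:00+00:00,false,true,2016-01-01T00:00:00+00:00,2017-08-31T07:45:00+00:00,false,N/A,N/A
svc-legacy,arn:aws:iam::111111111111:user/svc-legacy,2016-06-01T00:00:00+00:00,false,no_information,false,true,2016-06-01T00:00:00+00:00,2017-03-01T00:00:00+00:00,false,N/A,N/A
"""
NOW = datetime(2017, 9, 1, tzinfo=timezone.utc)  # fixed 'now' so the sample is reproducible

if __name__ == "__main__":
    for finding in review_credential_report(SAMPLE_REPORT, NOW):
        print(finding)
```

A scheduled job can fetch the report with `get_credential_report` and feed `review_credential_report` the decoded `Content`; the findings list is the input to whatever disable-and-remove workflow the organisation agrees on, with the thresholds adjusted to its own policy.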
CloudTrail
• Issue: Impaired visibility has a negative impact on security, cost, and compliance
• Solution:
  • Enable log sources
  • Automate configuration
  • Log integrity checking
  • Monitoring log events
• Benefit:
  • Visibility of actions and activity
  • Alarming and automation
AWS Config
• Issue: Insecure resource configurations
• Solution:
  • AWS Config service
  • Automate detection and reporting
• Benefit:
  • History of resource configuration
  • Near real-time identification of configuration violations
  • Alarming and automation of operations and security
Automated Configuration Checks
[Diagram: Andy’s complete two-account architecture (AWS WAF, AWS Shield, Amazon CloudFront, Security Groups, S3 Buckets with AWS KMS Data Encryption Keys, IAM with Temporary Security Credentials and an MFA token, AWS Directory Service, Amazon CloudWatch, AWS CloudTrail, Amazon Inspector) with AWS Config checking the configuration across it.]

Prepare your umbrella before it rains
Resources
• AWS Security Best Practices whitepaper: http://bit.ly/AWSBest
• CIS AWS Security Foundations Benchmark: http://bit.ly/AWSCIS
• CIS AWS Three-Tier Web Architecture Benchmark: http://bit.ly/AWSCIS3T

Thank you
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxnoorehahmad
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringSebastiano Panichella
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSebastiano Panichella
 
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)Basil Achie
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...NETWAYS
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxCarrieButtitta
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸mathanramanathan2005
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSebastiano Panichella
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@vikas rana
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxmavinoikein
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...NETWAYS
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptssuser319dad
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 

Recently uploaded (20)

Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptx
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC  - NANOTECHNOLOGYPHYSICS PROJECT BY MSC  - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software Engineering
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
 
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptx
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.ppt
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 

Security Best Practices_John Hildebrandt

  • 2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. John Hildebrandt. Principal Solutions Architect, AWS Security Best Practices
  • 3. Agenda
    • Sources of Best Practices
    • A Bad Day
    • Best of the Best Practices
      • Infrastructure Security
      • Data Protection
      • Identity and Access Management
      • Logging and Monitoring
    • Tools and Automation
    • At Scale
  • 4. Sources of Best Practices
    • AWS Cloud Adoption Framework (CAF): how to move to the cloud securely, including the “Core Five Epics”: Identity and Access Management; Logging and Monitoring; Infrastructure Security; Data Protection; Incident Response.
    • AWS Security Best Practices: whitepaper with 44 best practices, including Identity and Access Management (10 best practices), Logging and Monitoring (4), Infrastructure Security (15) and Data Protection (15).
    • Center for Internet Security (CIS) Benchmarks: 148 detailed recommendations for configuration and auditing, covering “AWS Foundations” (52 checks aligned to AWS Best Practices) and “AWS Three-Tier Web Architecture” (96 checks for web applications).
  • 5. CIS Benchmarks: What, Why, Check, Fix
  • 6. A is for “Andy” and B is for “Bill” Andy follows best practices Bill does NOT follow best practices :-) :-(
  • 7. Bill’s Bad Day (architecture diagram): a single AWS Account containing an Internet Gateway, a Web Server Instance reachable from the Internet, an S3 Bucket “Website Images”, an Internal Data Service and an S3 Bucket “Data Backup”.
  • 8. Bill’s Bad Day (attack diagram): a Bad Person on the Internet reaches the Web Server Instance through the Internet Gateway, then the Internal Data Service and both S3 Buckets, in five steps:
    1. Access the vulnerable web application
    2. Pivot to the data service
    3. Delete the website image files
    4. Change permissions to the data backup
    5. Download the data backup
  • 9. Bill’s Bad Day: what went wrong
    1. No web application protection
    2. No segmentation
    3. One account
    4. All permissions granted
    5. Sensitive data not encrypted
    6. No logging, monitoring, alerting
    … now let’s help Andy have a great day! :-)
  • 10. Best of the Best Practices: Infrastructure Security (each practice is cross-referenced to the AWS Best Practices Paper, the CIS Web-Tier Benchmark and the CIS Foundation Benchmark)
    1) Create a Threat Prevention Layer using AWS Edge Services. Use the 70 worldwide points of presence in the AWS Edge Network to provide scalability, protect from denial of service attacks, and protect from web application attacks. Services: Amazon CloudFront, AWS Shield, AWS WAF.
    2) Create network zones with Virtual Private Clouds (VPCs) and Security Groups. Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy. Service: Security Groups.
    3) Manage vulnerabilities through patching and scanning. Test virtual machine images and snapshots for operating system and application vulnerabilities throughout the build pipeline and into the operational environment. Services: Amazon Inspector, Amazon EC2 Systems Manager.
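Practice 2 is where Bill failed (“no segmentation”): his data service accepted traffic from anywhere. The audit below is an added example, not part of the deck; it takes security groups in the shape that EC2 DescribeSecurityGroups returns (the two groups and their IDs sg-web and sg-data are constructed) and reports the two zoning mistakes a reviewer looks for first: admin ports open to the world, and a zoned tier reachable by anything other than the tier in front of it.

```python
"""Audit security groups for the zoning mistakes in Bill's account.

Added example (not from the deck). Input mimics EC2 DescribeSecurityGroups;
the groups below are constructed and their IDs are placeholders.
"""
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
WEB_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}

SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "UserIdGroupPairs": []},
        # Bill's mistake: SSH from the whole Internet.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-data", "GroupName": "data-tier", "IpPermissions": [
        # Good: only the web tier, referenced by group, on the service port.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        # Bad: every host in the VPC on every port, i.e. no segmentation.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": []},
    ]},
]


def _ports(rule):
    """Port range a rule covers; protocol -1 means all ports."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _covers(rule, port):
    lo, hi = _ports(rule)
    return lo <= port <= hi


def audit_groups(groups, tier_sources):
    """Return findings as (group_id, severity, message) tuples.

    tier_sources maps a group id to the set of group ids allowed to reach it
    by security-group reference; any other ingress is a zoning violation.
    """
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for rule in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            refs = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
            lo, hi = _ports(rule)
            if any(c in (ANY_V4, ANY_V6) for c in cidrs):
                # Admin ports from anywhere is what CIS Foundations 4.1/4.2 flag.
                exposed = sorted(p for p in ADMIN_PORTS if _covers(rule, p))
                if exposed:
                    findings.append((gid, "HIGH",
                                     f"admin ports {exposed} open to the world"))
                elif not {lo, hi} <= WEB_PORTS or lo != hi:
                    findings.append((gid, "MEDIUM",
                                     f"ports {lo}-{hi} open to the world"))
            if gid in tier_sources:
                # A zoned tier must only be reachable from its upstream tier.
                allowed = tier_sources[gid]
                stray = sorted(cidrs) + sorted(refs - allowed)
                if stray:
                    findings.append((gid, "HIGH",
                                     f"ingress from {stray} bypasses the tier "
                                     f"boundary (allowed: {sorted(allowed)})"))
    return findings


if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_GROUPS, {"sg-data": {"sg-web"}}):
        print(*finding)
```

Referencing the upstream group by ID rather than by CIDR is the point of the tier map: instances can move, scale or change addresses and the boundary still holds, whereas a VPC-wide CIDR lets a compromised web server reach the data tier directly, which is exactly the pivot in step 2 of Bill’s bad day.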
  • 11. Infrastructure Security (diagram, Andy step 1): Internet traffic now passes through Amazon CloudFront, AWS Shield and AWS WAF before reaching the Internet Gateway; the Web Server Instance and the Internal Data Service each sit behind their own Security Group; Amazon Inspector assesses the instance. The S3 Buckets “Website Images” and “Data Backup” remain in the one AWS Account.
  • 12. Best of the Best Practices: Data Protection (each practice is cross-referenced to the AWS Best Practices Paper, the CIS Web-Tier Benchmark and the CIS Foundation Benchmark)
    4) Encrypt data at rest (with the occasional exception). Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public. Services: AWS KMS, Amazon S3.
    5) Use server-side encryption with provider managed keys. AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use a default master key or select a custom master key, both managed by AWS. Services: AWS KMS, Data Encryption Key.
    6) Encrypt data in transit (with no exceptions). Encryption of data in transit provides protection from accidental disclosure, verifies the integrity of the data, and can be used to validate the remote connection. Services: Amazon CloudFront, Internet Gateway, SSL / TLS / HTTPS.
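Practices 4 to 6 can be made mandatory rather than optional on an S3 bucket with a bucket policy. The block below is an added example, not from the deck: it shows a policy for a hypothetical bucket named andy-data-backup that refuses plain-HTTP requests and refuses PutObject calls that do not ask for SSE-KMS, beside a “Bill” policy that grants access but enforces neither, and a small lint that tells them apart in the way a configuration-audit tool would.

```python
"""Lint an S3 bucket policy for the encryption controls Andy relies on.

Added example, not from the deck. Both policies are constructed for a
hypothetical bucket; the lint looks for the Deny statements that refuse
plain-HTTP requests and unencrypted uploads.
"""
import json

BUCKET = "andy-data-backup"            # assumed bucket name
SSE_HEADER = "s3:x-amz-server-side-encryption"

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    # Upload without any SSE header at all.
    {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"Null": {SSE_HEADER: "true"}}},
    # Upload with an SSE header that names anything other than KMS.
    {"Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringNotEquals": {SSE_HEADER: "aws:kms"}}},
]}

# Bill's policy: a grant, but nothing that forces TLS or encryption.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_everyone(principal):
    """Principal "*" or {"AWS": "*"} both mean every caller."""
    return principal == "*" or (isinstance(principal, dict)
                                and _as_list(principal.get("AWS")) == ["*"])


def _action_covers(statement, action):
    """True if the statement's Action list matches `action` (s3:* style wildcards)."""
    for pattern in _as_list(statement.get("Action", [])):
        if pattern in (action, "*"):
            return True
        if pattern.endswith("*") and action.startswith(pattern[:-1]):
            return True
    return False


def _denies(policy, action):
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Deny" and _is_everyone(s.get("Principal"))
            and _action_covers(s, action)]


def _tls_denied(statement):
    cond = statement.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:SecureTransport", "")).lower() == "false"


def requires_tls(policy):
    """True if plain-HTTP reads and writes are both refused."""
    return all(any(_tls_denied(s) for s in _denies(policy, action))
               for action in ("s3:GetObject", "s3:PutObject"))


def requires_sse(policy, algorithm=None):
    """True if PutObject is denied when the SSE header is missing and, when
    `algorithm` is given, when it names any other algorithm."""
    missing_denied = wrong_alg_denied = False
    for s in _denies(policy, "s3:PutObject"):
        cond = s.get("Condition", {})
        if str(cond.get("Null", {}).get(SSE_HEADER, "")).lower() == "true":
            missing_denied = True
        if algorithm and cond.get("StringNotEquals", {}).get(SSE_HEADER) == algorithm:
            wrong_alg_denied = True
    return missing_denied and (algorithm is None or wrong_alg_denied)


def lint(policy):
    findings = []
    if not requires_tls(policy):
        findings.append("no Deny for aws:SecureTransport=false: plain-HTTP access allowed")
    if not requires_sse(policy, "aws:kms"):
        findings.append("PutObject without SSE-KMS is not denied")
    return findings


if __name__ == "__main__":
    print(json.dumps(HARDENED_POLICY, indent=2))
    for name, policy in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, lint(policy) or "OK")
```

Two caveats a practitioner will hit: callers who are denied on aws:SecureTransport get a 403 rather than a redirect, so client SDKs must be configured for HTTPS before the policy lands; and an upload that requests SSE-KMS still needs kms:GenerateDataKey on the chosen master key, so the key policy has to grant it to the uploading role. The lint only inspects statement shape; it does not evaluate the full IAM policy language.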
  • 13. Data Protection (diagram, Andy step 2): the slide 11 architecture plus AWS KMS, which issues a Data Encryption Key for the S3 Buckets “Website Images” and “Data Backup”.
  • 14. Best of the Best Practices: Identity and Access Mgmt (each practice is cross-referenced to the AWS Best Practices Paper, the CIS Web-Tier Benchmark and the CIS Foundation Benchmark)
    7) Use multiple AWS accounts to reduce blast radius. AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification. Services: AWS Organizations; separate Production and Staging accounts.
    8) Use limited roles and grant temporary security credentials. IAM roles and temporary security credentials mean you don't always have to manage long-term credentials and IAM users for each entity that requires access to a resource. Services: IAM, IAM Roles, Temporary Security Credentials, MFA token.
    9) Federate to an existing identity service. Control access to AWS resources, and manage the authentication and authorization process without needing to re-create all your corporate users as IAM users. Services: AWS Directory Service, IAM.
  • 15. Identity and Access Management (diagram, Andy step 3): the workload is now split across two AWS Accounts; access uses IAM with Temporary Security Credentials and an MFA token, federated through AWS Directory Service. CloudFront, Shield, WAF, Security Groups, Inspector and KMS remain as on slide 13. The backup bucket is labelled “Database Backup” on this slide.
  • 16. Best of the Best Practices: Logging and Monitoring (each practice is cross-referenced to the AWS Best Practices Paper, the CIS Web-Tier Benchmark and the CIS Foundation Benchmark)
    10) Turn on logging in all accounts, for all services, in all regions. The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. Services: AWS CloudTrail, AWS Config.
    11) Use the AWS platform’s built-in monitoring and alerting features. CloudWatch collects and tracks metrics and monitors log files. Monitoring a broad range of sources improves the chance that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity. Services: Amazon CloudWatch, CloudWatch Alarms.
    12) Use a separate AWS account to fetch and store copies of all logs. Configuring a security account to copy logs to a separate bucket keeps a copy that an attacker who compromises the production account cannot alter or delete, so the information is still available for security incident response workflows. Accounts: Production, Security.
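Practice 11 is concrete once you know which events to alarm on. The block below is an added example, not part of the deck: it replays constructed CloudTrail records (account ID, user names and IP addresses are placeholders) through the detections that would have fired on each step of Bill’s bad day. The three filter patterns in CIS_METRIC_FILTERS are the CloudWatch Logs metric filter patterns the CIS AWS Foundations Benchmark recommends; the Python predicates mirror them so the logic can be exercised offline, and two further checks cover S3 permission changes and CloudTrail tampering.

```python
"""Run CIS-style CloudTrail detections over a delivered log file, offline.

Added example, not from the deck. Records are constructed to mimic
CloudTrail JSON; identifiers are placeholders.
"""


def _rec(time, source, name, identity, **extra):
    """Build one record in the shape CloudTrail writes to S3."""
    rec = {"eventVersion": "1.05", "eventTime": time, "eventSource": source,
           "eventName": name, "eventType": "AwsApiCall", "awsRegion": "us-east-1",
           "sourceIPAddress": "203.0.113.7", "userIdentity": identity}
    rec.update(extra)
    return rec


BILL = {"type": "IAMUser", "userName": "bill",
        "arn": "arn:aws:iam::111122223333:user/bill"}
ROOT = {"type": "Root", "accountId": "111122223333",
        "arn": "arn:aws:iam::111122223333:root"}

# Constructed sample log, in the order Bill's bad day unfolded; the last
# record is benign and should not alert.
SAMPLE_LOG = {"Records": [
    _rec("2017-05-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", BILL,
         eventType="AwsConsoleSignIn",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "No"}),
    _rec("2017-05-01T10:02:00Z", "s3.amazonaws.com", "PutBucketAcl", BILL,
         requestParameters={"bucketName": "data-backup"}),
    _rec("2017-05-01T10:03:00Z", "ec2.amazonaws.com", "DescribeInstances", BILL,
         errorCode="Client.UnauthorizedOperation"),
    _rec("2017-05-01T11:00:00Z", "iam.amazonaws.com", "CreateAccessKey", ROOT),
    _rec("2017-05-01T11:05:00Z", "ec2.amazonaws.com", "DescribeVolumes", BILL),
]}

# CloudWatch Logs metric filter patterns from the CIS AWS Foundations Benchmark.
CIS_METRIC_FILTERS = {
    "unauthorized API call":
        '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
    "console login without MFA":
        '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    "root account usage":
        '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
        '&& $.eventType != "AwsServiceEvent" }',
}

S3_PERMISSION_EVENTS = {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy",
                        "PutObjectAcl"}
TRAIL_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def _error(rec):
    return rec.get("errorCode", "")


def _ident(rec):
    return rec.get("userIdentity", {})


# (name, predicate) pairs; the first three mirror CIS_METRIC_FILTERS.
DETECTIONS = [
    ("unauthorized API call",
     lambda r: _error(r).endswith("UnauthorizedOperation")
               or _error(r).startswith("AccessDenied")),
    ("console login without MFA",
     lambda r: r.get("eventName") == "ConsoleLogin"
               and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
    ("root account usage",
     lambda r: _ident(r).get("type") == "Root" and "invokedBy" not in _ident(r)
               and r.get("eventType") != "AwsServiceEvent"),
    ("S3 permission change",
     lambda r: r.get("eventSource") == "s3.amazonaws.com"
               and r.get("eventName") in S3_PERMISSION_EVENTS),
    ("CloudTrail tampering",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
               and r.get("eventName") in TRAIL_EVENTS),
]


def run_detections(log):
    """Return (eventTime, detection, eventName, actor ARN, source IP) per hit."""
    alerts = []
    for rec in log["Records"]:
        for name, matches in DETECTIONS:
            if matches(rec):
                alerts.append((rec["eventTime"], name, rec["eventName"],
                               _ident(rec).get("arn", "?"),
                               rec.get("sourceIPAddress")))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(*alert)
```

In production the patterns go on the CloudWatch Logs group that the trail delivers to, each backed by a metric and an alarm with an SNS subscription; the Python version is useful for replaying an S3-delivered trail during an investigation, or for unit-testing the detection logic before the alarms are deployed. Note that the PutBucketAcl record is the one that corresponds to step 4 of Bill’s bad day, so an alarm on it would have fired before the backup was downloaded.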
  • 17. Logging and Monitoring (diagram, Andy step 4): the slide 15 architecture plus AWS CloudTrail, AWS Config and Amazon CloudWatch enabled in both AWS Accounts.
  • 18. Best Practices (summary diagram): Andy’s finished architecture with every control from slides 11, 13, 15 and 17 in place: Amazon CloudFront, AWS Shield and AWS WAF at the edge; Security Groups around the Web Server Instance and the Internal Data Service; Amazon Inspector; AWS KMS Data Encryption Keys for the S3 Buckets “Website Images” and “Data Backup”; IAM Temporary Security Credentials with an MFA token and AWS Directory Service across two AWS Accounts; AWS CloudTrail, AWS Config and Amazon CloudWatch.
  • 19. Tools and Automation
    • Amazon Inspector: an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
    • Amazon CloudWatch Events: a monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.
    • AWS Config Rules: a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.
    • See AWS re:Invent 2016: “5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules” (SAC401)
  • 21. IAM
    • Issue: at scale we have too many IAM Users
      • Solution: IAM identity federation
      • Benefits: large reduction in the number of IAM users; benefit from existing staff account processes (joiners, movers and leavers are handled once, in the corporate directory, instead of again in every AWS account)
    • Issue: IAM users are still required in some cases
      • Solution: monitoring and automation around IAM users
      • Benefits: poorly configured or inactive IAM users are automatically disabled and removed
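The “monitoring and automation around IAM users” on this slide usually starts from the IAM credential report, a CSV that IAM generates on request (GenerateCredentialReport / GetCredentialReport). The block below is an added example, not from the deck: it parses a constructed report with the real column headings and applies the 90-day thresholds from CIS AWS Foundations 1.3 and 1.4, plus the MFA and root checks from 1.1 and 1.2, returning the action to take per user. The clock is fixed to 2 May 2017 so the output is reproducible.

```python
"""Find IAM users whose credentials should be disabled or rotated.

Added example, not from the deck. Parses the IAM credential report CSV;
the rows below are constructed and the account id is a placeholder.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2016-01-01T00:00:00+00:00,not_supported,2017-05-01T10:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bill,arn:aws:iam::111122223333:user/bill,2016-03-01T00:00:00+00:00,true,2017-05-01T10:00:00+00:00,2016-03-01T00:00:00+00:00,N/A,false,true,2016-03-01T00:00:00+00:00,2017-04-30T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
andy,arn:aws:iam::111122223333:user/andy,2016-03-01T00:00:00+00:00,true,2017-04-28T09:00:00+00:00,2017-04-01T00:00:00+00:00,N/A,true,true,2017-03-15T00:00:00+00:00,2017-04-29T08:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
old-contractor,arn:aws:iam::111122223333:user/old-contractor,2015-06-01T00:00:00+00:00,true,2016-09-01T00:00:00+00:00,2016-06-01T00:00:00+00:00,N/A,true,true,2016-06-01T00:00:00+00:00,2016-08-15T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2017, 5, 2, tzinfo=timezone.utc)   # fixed clock for reproducibility
MAX_AGE = timedelta(days=90)                       # CIS 1.3 / 1.4 threshold


def _ts(value):
    """Parse a report timestamp; N/A, no_information, not_supported -> None."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def review_user(row, now=NOW):
    """Return the remediation actions for one credential-report row."""
    actions = []
    if row["user"] == "<root_account>":
        last = _ts(row["password_last_used"])
        if last and now - last < MAX_AGE:
            actions.append("root credentials used recently: investigate, then stop using root")
        if row["mfa_active"] != "true":
            actions.append("enable hardware MFA on the root account")
        return actions
    if row["password_enabled"] == "true":
        if row["mfa_active"] != "true":
            actions.append("console user without MFA: require MFA")
        last = _ts(row["password_last_used"]) or _ts(row["user_creation_time"])
        if now - last > MAX_AGE:
            actions.append("password unused > 90 days: disable console login")
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] != "true":
            continue
        rotated = _ts(row[f"access_key_{n}_last_rotated"])
        used = _ts(row[f"access_key_{n}_last_used_date"]) or rotated
        if now - used > MAX_AGE:
            actions.append(f"access key {n} unused > 90 days: deactivate")
        elif rotated and now - rotated > MAX_AGE:
            actions.append(f"access key {n} older than 90 days: rotate")
    return actions


def review_report(text, now=NOW):
    """Map user -> actions for every user that needs something done."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        actions = review_user(row, now)
        if actions:
            findings[row["user"]] = actions
    return findings


if __name__ == "__main__":
    for user, actions in review_report(SAMPLE_REPORT).items():
        print(user)
        for action in actions:
            print("  -", action)
```

Deactivating rather than deleting a key (UpdateAccessKey with Status Inactive) is the safer first step, because it can be reversed if a forgotten batch job turns out to depend on it; deletion and removal of the login profile follow after a quarantine period. Run the review on a schedule from the security account, and treat any finding against the root row as an incident rather than a hygiene item.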
  • 22. CloudTrail
    • Issue: impaired visibility has a negative impact on security, cost, and compliance
    • Solution: enable log sources; automate configuration; log integrity checking (CloudTrail log file validation delivers signed digest files alongside the logs, so modified or deleted log files can be detected); monitoring log events
    • Benefit: visibility of actions and activity; alarming and automation
  • 23. AWS Config
    • Issue: insecure resource configurations
    • Solution: the AWS Config service; automate detection and reporting
    • Benefit: history of resource configuration; near real-time identification of configuration violations; alarming and automation of operations and security
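Slide 19 describes Config Rules and this slide the near-real-time detection they give; a custom rule is a Lambda function that receives a configuration item and reports COMPLIANT or NON_COMPLIANT back to Config. The block below is an added example, not from the deck, tying this to practice 4 (encrypt data at rest): it evaluates AWS::EC2::Volume configuration items (constructed here, trimmed to the fields the rule needs, with placeholder volume and key IDs) and optionally insists on one mandated KMS master key. The pure evaluation runs offline; lambda_handler is the shape Config invokes and only imports boto3 when it actually runs.

```python
"""Custom AWS Config rule: flag unencrypted EBS volumes.

Added example, not from the deck. SAMPLE_ITEMS are constructed
configuration items; the rule parameter requiredKeyArn is hypothetical.
"""
import json

SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60001",
     "configurationItemCaptureTime": "2017-05-01T10:00:00.000Z",
     "configurationItemStatus": "OK",
     "configuration": {"encrypted": False, "kmsKeyId": None, "state": "in-use"}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60002",
     "configurationItemCaptureTime": "2017-05-01T10:00:00.000Z",
     "configurationItemStatus": "OK",
     "configuration": {"encrypted": True, "state": "in-use",
                       "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/"
                                   "1234abcd-12ab-34cd-56ef-1234567890ab"}},
    # Deleted resources still arrive as change notifications.
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60003",
     "configurationItemCaptureTime": "2017-05-01T10:00:00.000Z",
     "configurationItemStatus": "ResourceDeleted", "configuration": None},
]


def evaluate_volume(item, required_key_arn=None):
    """Return (compliance_type, annotation) for one configuration item."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "volume no longer exists"
    cfg = item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return "NON_COMPLIANT", "volume is not encrypted at rest"
    if required_key_arn and cfg.get("kmsKeyId") != required_key_arn:
        return "NON_COMPLIANT", f"encrypted with {cfg.get('kmsKeyId')}, not the mandated key"
    return "COMPLIANT", "encrypted at rest"


def build_evaluation(item, required_key_arn=None):
    """Shape one result the way PutEvaluations expects it."""
    compliance, note = evaluate_volume(item, required_key_arn)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],                 # Config caps annotations
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def lambda_handler(event, context):
    """Entry point when AWS Config invokes the rule on a configuration change."""
    import boto3  # only needed inside Lambda; keeps the module importable offline
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = build_evaluation(invoking["configurationItem"],
                                  params.get("requiredKeyArn"))
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(item["resourceId"], *evaluate_volume(item))
```

Deploy the function with a role that allows config:PutEvaluations, register it as a custom rule scoped to AWS::EC2::Volume with a change-triggered scope, and wire the rule’s compliance-change event (via CloudWatch Events) to the alerting used for the rest of the account. Treating deleted resources as NOT_APPLICABLE matters: returning NON_COMPLIANT for them leaves stale findings in the dashboard.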
  • 24. Automated Configuration Checks (diagram): the slide 18 architecture with AWS Config evaluating the resources in both AWS Accounts, alongside CloudTrail, CloudWatch, Inspector, KMS, IAM with Temporary Security Credentials and an MFA token, AWS Directory Service, and the CloudFront, Shield and WAF edge layer.
  • 26. Resources
    • AWS Security Best Practices whitepaper: http://bit.ly/AWSBest
    • CIS AWS Security Foundations Benchmark: http://bit.ly/AWSCIS
    • CIS AWS Three-Tier Web Architecture Benchmark: http://bit.ly/AWSCIS3T