End-to-End Security on AWS (Segurança de Ponta a Ponta na AWS)
Angelo Carvalho
Solutions Architect

Published in: Technology

  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Angelo Carvalho, Solutions Architect, 22 September 2016: End-to-End Security on AWS
  2. Prescriptive Approach: Understand AWS Security Practice; Build Strong Compliance Foundations; Integrate Identity & Access Management; Enable Detective Controls; Establish Network Security; Implement Data Protection; Optimize Change Management; Automate Security Functions
  3. Understand AWS Security Practice
  4. Why is Enterprise Security Traditionally Hard? Lack of visibility; low degree of automation
  5. Move Fast AND Stay Secure
  6. Making life easier: choosing security does not mean giving up on convenience or introducing complexity
  7. Security ownership as part of DNA (distributed, embedded): promotes a culture of “everyone is an owner” for security; makes security a stakeholder in business success; enables easier and smoother communication
  8. Strengthen your security posture: get native functionality and tools; over 30 global compliance certifications and accreditations; leverage security enhancements gleaned from 1M+ customer experiences; benefit from AWS industry-leading security teams 24/7, 365 days a year; security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
  9. Security is a shared responsibility. AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for their security IN the Cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption and network traffic protection
  10. Build Strong Compliance Foundations
  11. AWS Assurance Programs. AWS maintains a formal control environment: SOC 1 Type II; SOC 2 Type II and public SOC 3 report; ISO 27001, 27017, 27018 certification; certified PCI DSS Level 1 Service Provider; FedRAMP authorization; architect for HIPAA compliance
  12. AWS Account Relationship: AWS account ownership; AWS account contact information; AWS Sales; AWS Solutions Architects; AWS Support; AWS Professional Services; AWS Consulting Partners
  13. AWS Trusted Advisor
  14. Integrate Identity & Access Management
  15. AWS Identity & Access Management: IAM Users; IAM Groups; IAM Roles; IAM Policies
  16. Account Governance – New Accounts: AWS account credential management (“root account”); InfoSec’s cross-account roles; federation; baseline requirements; actions & conditions; map enterprise roles
  17. Enable Detective Controls
  18. AWS CloudTrail & CloudWatch. AWS CloudTrail: enable globally for all AWS Regions; encryption & integrity validation; archive & forward. Amazon CloudWatch: Amazon CloudWatch Logs; metrics & filters; alarms & notifications
  19. Establish Network Security
  20. AWS Global Infrastructure: 13 AWS Regions (North America 4, Europe 2, Asia Pacific 6, South America 1); each Region has at least 2 Availability Zones, 35 Availability Zones (AZs) in total; 56 AWS Edge Locations (North America 21, Europe 16, Asia Pacific 17, South America 2)
  21. Amazon Virtual Private Cloud (architecture diagram): a VPC CIDR with public and private subnets in AZ A and AZ B; Internet Gateway; public ELB in front of an autoscaling web tier; internal ELB in front of an autoscaling application tier; Multi-AZ RDS data tier (RDS master, RDS standby, snapshots); existing datacenter reached over a VPN connection (Virtual Private Gateway to Customer Gateway) and over Direct Connect through a network partner location, used by administrators and corporate users
  22. Security Groups (diagram): ELB, web and back-end tiers across public and private subnets in Availability Zones A and B, governed by sg_ELB_FrontEnd (ELB security group), sg_Web_Frontend (web security group) and sg_Backend (backend security group)
  23. Security Groups
  24. Security Groups
  25. Security Groups
  26. VPC Flow Logs: agentless; enable per ENI, per subnet, or per VPC; logged to AWS CloudWatch Logs; create CloudWatch metrics from log data; alarm on those metrics. Fields recorded: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, accept or reject
  27. VPC Flow Logs: Amazon Elasticsearch Service; Amazon CloudWatch Logs subscriptions
  28. VPC Flow Logs – CloudWatch Alarms
  29. Implement Data Protection
  30. Cryptographic Services. AWS KMS: deep integration with AWS services; CloudTrail; AWS SDK for application encryption. Amazon CloudHSM: dedicated HSM; integrate with on-premises HSMs; hybrid architectures
  31. Optimize Change Management
  32. AWS Config & Config Rules. AWS Config: record configuration changes continuously; time-series view of resource changes; archive & compare. AWS Config Rules: enforce best practices; automatically roll back unwanted changes; trigger additional workflow
  33. AWS Config – VPC Example
  34. AWS Config – VPC Example
  35. AWS Config Rules – Tenancy Enforcement Example
  36. AWS Config Rules – Tenancy Enforcement Example
  37. AWS Config Rules – Tenancy Enforcement Example
  38. AWS Config Partners
  39. Automate Security Functions
  40. AWS WAF: Web Application Firewall
  41. AWS WAF in action (diagram): admins define rules through the AWS Management Console and developers through the AWS API; AWS WAF deploys the protection in front of a web app in CloudFront
  42. AWS WAF partner integrations: Alert Logic, Trend Micro, and Imperva integrating with AWS WAF; offer additional detection and threat intelligence; dynamically modify rulesets of AWS WAF for increased protection
  43. AWS WAF Security Automations
  44. Rate-Based Blacklisting with AWS WAF and AWS Lambda
  45. Amazon Inspector: vulnerability assessment service; built from the ground up to support the Dev/Ops model; automatable via APIs; AWS context aware; static & dynamic telemetry; integrated with CI/CD tools; on-demand pricing model; CVE & CIS rules packages; AWS AppSec best practices
  46. Prioritized findings
  47. Detailed remediation recommendations
  48. AWS Marketplace Security Partners: infrastructure security; logging & monitoring; identity & access control; configuration & vulnerability analysis; data protection
  49. Prescriptive Approach – Get Started! Understand AWS Security Approach; Build Strong Compliance Foundations; Integrate Identity & Access Management; Enable Detective Controls; Establish Network Security; Implement Data Protection; Optimize Change Management; Automate Security Functions
  50. Security Training: Security Fundamentals on AWS (free online course); Security Operations on AWS (3-day class); details at
  51. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” -Tom Soderstrom, CTO, NASA JPL
  52. Thank you!
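As an added example that is not part of the slide deck: a small Python parser for the VPC Flow Log records described on slide 26, which derives the per-source REJECT count that a CloudWatch Logs metric filter on `action=REJECT` would publish and the threshold check a CloudWatch alarm (slide 28) would apply. It assumes the default version-2 record layout that AWS documents; the account id, ENI id, addresses and timestamps in the sample records are constructed.

```python
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional

# Field order of a version-2 default-format VPC Flow Log record (assumed from
# AWS documentation; it matches the field list on slide 26).
class FlowRecord(NamedTuple):
    account: str
    interface: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    nbytes: int
    start: int
    end: int
    action: str  # "ACCEPT" or "REJECT"

def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; None for NODATA/SKIPDATA or malformed lines (their
    numeric fields are '-' and must not be converted)."""
    p = line.split()
    if len(p) != 14 or p[0] != "2" or p[13] != "OK":
        return None
    return FlowRecord(p[1], p[2], p[3], p[4], int(p[5]), int(p[6]), int(p[7]),
                      int(p[8]), int(p[9]), int(p[10]), int(p[11]), p[12])

def rejects_by_source(lines: Iterable[str]) -> Counter:
    """Count REJECT records per source IP, i.e. the metric a CloudWatch Logs
    metric filter matching action=REJECT would emit, dimensioned by source."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec.action == "REJECT":
            counts[rec.src] += 1
    return counts

def sources_over_threshold(lines: Iterable[str], threshold: int) -> List[str]:
    """Alarm condition: sources whose REJECT count reaches the threshold."""
    return sorted(s for s, n in rejects_by_source(lines).items() if n >= threshold)

# Constructed sample records (account id, ENI id, addresses and times are made up).
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.20 54321 22 6 6 360 1474531200 1474531260 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.20 54322 22 6 6 360 1474531200 1474531260 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.20 54323 3389 6 4 240 1474531200 1474531260 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 44100 443 6 20 15000 1474531200 1474531260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 44101 8080 6 1 60 1474531200 1474531260 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1474531200 1474531260 - NODATA",
]
```

Running `sources_over_threshold(SAMPLE, 3)` flags only `203.0.113.12`; the NODATA record is skipped rather than crashing the integer conversion.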