What are the security solutions in the AWS cloud? From account security and auditing to patch management and encryption: keeping data secure in the cloud.
2. Managed Cloud Services for AWS, September 17, 2019
WHO AM I
Andrej Maya
Cloud Solutions Architect
andrej.maya@t-systems.com
+ 49 151 54237130
PU Public Cloud – Chapter AWS
@andrejmaya
linkedin.com/in/andrejmaya/
3. T-Systems manages Security in the Cloud
Managed portion of T-Systems depending on services booked and agreements made.
4. Security and compliance monitoring
Building blocks of the monitoring service (diagram):
• Compliance monitoring – policy as code (based on configuration/inventory scan)
• Security – intelligent threat detection (event-driven)
• Near real-time alerts with a prequalified recommendation for mitigation
• Threat & compliance analytics
• Pre-Assessment & Security Incident Management (Containment, Forensics, Recovery)
• Telekom Operations 24x7; customers receive a detail view, cloud use and reports

Event sources (log-based):
• Network (VPC flow logs)
• Firewall (WAF logs)
• Threat detection (GuardDuty logs)
• Content Distribution (CloudFront logs)
• Load Balancer (ELB access logs)
• API calls (CloudTrail)

Configuration/inventory scan items:
• Patch level EC2
• Public accessibility of services
• Service Port Configuration
• Security Group Configuration
• Encryption Settings
• Customer Compliance Rules
• …
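The "policy as code" half of this picture is a set of rules evaluated over a configuration/inventory snapshot. The following is an added example, not code from the original slides or from the T-Systems service: it scans a hand-constructed inventory (shaped loosely like EC2 DescribeSecurityGroups / DescribeVolumes output; the `PatchAgeDays` field is constructed) against three of the scan items listed above. The customer rules it encodes (only ports 80/443 may be public, patches no older than 30 days) are assumptions.

```python
"""Policy-as-code compliance scan over a constructed inventory snapshot.

Added example for illustration; not part of the original slides or of the
managed service they describe. The inventory is constructed by hand and only
loosely follows the shape of EC2 DescribeSecurityGroups / DescribeVolumes
output. "PatchAgeDays" is a constructed field, and the two customer rules
(allowed public ports, maximum patch age) are assumptions.
"""
import ipaddress

ALLOWED_PUBLIC_PORTS = {80, 443}   # assumed customer rule
MAX_PATCH_AGE_DAYS = 30            # assumed customer rule

# Constructed inventory snapshot.
INVENTORY = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaa", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0bbb", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0ccc", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
    "Volumes": [
        {"VolumeId": "vol-111", "Encrypted": True},
        {"VolumeId": "vol-222", "Encrypted": False},
    ],
    "Instances": [
        {"InstanceId": "i-aaa", "PatchAgeDays": 5},
        {"InstanceId": "i-bbb", "PatchAgeDays": 45},
    ],
}


def _is_public(cidr):
    """A /0 prefix (0.0.0.0/0 or ::/0) means reachable from anywhere."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _ports(perm):
    """Ports covered by one IpPermissions entry; protocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def rule_public_ports(inv):
    """Security groups that expose a non-allowed port to the public internet."""
    findings = []
    for sg in inv["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(_is_public(c) for c in cidrs):
                continue
            bad = [p for p in _ports(perm) if p not in ALLOWED_PUBLIC_PORTS]
            if bad:
                detail = str(bad[0]) if len(bad) == 1 else f"{bad[0]}-{bad[-1]}"
                findings.append((sg["GroupId"], "PUBLIC_PORT", detail))
    return findings


def rule_unencrypted_volumes(inv):
    """EBS volumes created without encryption at rest."""
    return [(v["VolumeId"], "UNENCRYPTED_EBS", "")
            for v in inv["Volumes"] if not v["Encrypted"]]


def rule_patch_level(inv):
    """Instances whose last patch run is older than the customer threshold."""
    return [(i["InstanceId"], "PATCH_OVERDUE", f"{i['PatchAgeDays']}d")
            for i in inv["Instances"] if i["PatchAgeDays"] > MAX_PATCH_AGE_DAYS]


RULES = [rule_public_ports, rule_unencrypted_volumes, rule_patch_level]


def scan(inv):
    """Evaluate every rule; returns sorted (resource, rule, detail) findings."""
    findings = []
    for rule in RULES:
        findings.extend(rule(inv))
    return sorted(findings)


if __name__ == "__main__":
    for resource, rule, detail in scan(INVENTORY):
        print(f"{rule:16} {resource:10} {detail}")
```

Each rule is a plain function over the snapshot, so adding a customer-specific compliance rule means adding one function to `RULES`; in a real deployment the snapshot would come from the describe-* APIs or AWS Config rather than from a literal.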
5. Security and compliance monitoring
Example – compliance analytics
The screenshot shows the dashboard available to Telekom operations team as part of the managed service
6. Security and compliance monitoring
Example – threats and logins overview
Dashboard panels: Threats found, Logins
The screenshot shows the dashboard available to the Telekom operations team as part of the managed service.
7. Security and compliance monitoring
Example – unusual network traffic
• Detect and report suspicious actions
• Detect anomalies in VPC traffic per region
The screenshot shows the dashboard available to the Telekom operations team as part of the managed service.
8. Security as a central pillar for good architecture in the “AWS Well-Architected Framework”
Source: https://wa.aws.amazon.com/wat.design_principles.wa-dp.en.html
Pillars: Operational Excellence, Security, Reliability, Performance efficiency, Cost Optimization
Design principles of the Security pillar:
✓ Implement a strong identity foundation
✓ Enable traceability
✓ Apply security at all layers
✓ Automate security best practices
✓ Protect data in transit and at rest
✓ Keep people away from data
✓ Prepare for security events
9. SECURITY: BEST PRACTICES AND RELEVANT AWS SERVICES
• Identity and Access Management: IAM, AWS Organizations, MFA token, Temporary security credentials
• Detective Controls: AWS Config, AWS CloudWatch, AWS CloudTrail, AWS GuardDuty
• Infrastructure Protection: AWS VPC, AWS WAF, AWS Shield, AWS Inspector
• Data Protection: AWS Macie, AWS KMS, AWS EBS, AWS S3
• Incident Response: IAM, AWS CloudFormation
10. Don’t be the company from the news
CapitalOne: https://edition.cnn.com/2019/07/29/business/capital-one-data-breach/index.html
Public EBS: https://techcrunch.com/2019/08/09/aws-ebs-cloud-backups-leak/
12. Encryption - Concepts/terminology
• Data encryption in transit → IPSec/VPN, TLS (AWS Certificate Manager)
• Data encryption at rest
  • Client-side → encrypt before submitting data to AWS; AWS Encryption SDK in different programming languages, service clients etc.
  • Server-side → AWS encrypts the data after it is received by the service
13. Enterprise data encryption requirements example
• Different data classes (internal, confidential)
• Key rotation on a regular basis
• Least privilege principle
• A dedicated role group for key admins
• MFA must be implemented for critical KMS API calls
• KMS key activities must be logged
• The deletion of keys must be alarmed
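The last three requirements (logged, MFA for critical calls, deletion alarmed) can be checked event-driven from the CloudTrail stream that the monitoring service above already consumes. The following is an added example, not code from the original slides or from the T-Systems service. The records are constructed, but follow the CloudTrail record layout (`eventSource`, `eventName`, `requestParameters.keyId`, and `userIdentity.sessionContext.attributes.mfaAuthenticated`, which CloudTrail stores as the string `"true"`/`"false"`). Which KMS calls count as critical is an assumption made here; the key ARNs and account ID are placeholders.

```python
"""Event-driven checks for the three KMS requirements (logged, MFA for critical
calls, deletion alarmed), run over constructed CloudTrail records.

Added example, not part of the original slides or of the managed service.
The records below are hand-made but follow the CloudTrail record layout;
the set of "critical" calls is an assumption; key IDs are placeholders.
"""
import json

# Calls that change key availability or policy; assumed to be the critical set.
CRITICAL_KMS_CALLS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
                      "DisableKeyRotation", "DeleteAlias"}
DELETION_CALLS = {"ScheduleKeyDeletion"}

# Constructed CloudTrail records, one JSON object per line (the shape you get
# after unpacking the "Records" array of a CloudTrail S3 object).
SAMPLE_LOG = """\
{"eventTime":"2019-09-17T08:00:01Z","eventSource":"kms.amazonaws.com","eventName":"Encrypt","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc","sessionContext":{"attributes":{"mfaAuthenticated":"false"}}},"requestParameters":{"keyId":"arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-1"}}
{"eventTime":"2019-09-17T08:05:00Z","eventSource":"kms.amazonaws.com","eventName":"DisableKey","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/key-admin/alice","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}},"requestParameters":{"keyId":"arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-1"}}
{"eventTime":"2019-09-17T08:06:30Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/key-admin/bob","sessionContext":{"attributes":{"mfaAuthenticated":"false"}}},"requestParameters":{"keyId":"arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-2","pendingWindowInDays":7}}
{"eventTime":"2019-09-17T08:07:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/carol"}}
"""


def parse_records(text):
    """One CloudTrail record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def mfa_authenticated(record):
    """CloudTrail stores the flag as "true"/"false"; it is absent for some identities,
    which is treated as not MFA-authenticated."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def key_activity(records):
    """Per-key list of KMS calls: the audit trail the logging requirement asks for."""
    trail = {}
    for r in records:
        if r.get("eventSource") == "kms.amazonaws.com":
            key = r.get("requestParameters", {}).get("keyId", "?")
            trail.setdefault(key, []).append(r["eventName"])
    return trail


def evaluate(records):
    """Return (event_name, key_id, actor, alert_type) for everything worth alerting on."""
    alerts = []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        name = r["eventName"]
        key = r.get("requestParameters", {}).get("keyId", "?")
        actor = r["userIdentity"].get("arn", "?")
        if name in DELETION_CALLS:
            alerts.append((name, key, actor, "KEY_DELETION_SCHEDULED"))
        if name in CRITICAL_KMS_CALLS and not mfa_authenticated(r):
            alerts.append((name, key, actor, "CRITICAL_CALL_WITHOUT_MFA"))
    return alerts


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for key, calls in key_activity(records).items():
        print(f"{key}: {', '.join(calls)}")
    for alert in evaluate(records):
        print("ALERT", *alert)
```

The detective check is the complement of the preventive control: the same set of critical calls can be denied in the key policy unless `aws:MultiFactorAuthPresent` is true, so that a call without MFA never succeeds, while the CloudTrail check above still reports the attempt and the scheduled deletion.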
14. AWS CloudHSM
• Dedicated HSM in VPC → CloudHSM service (FIPS 140-2 Level 3)
• Custom key store provides more flexibility with CloudHSM but is more complex to manage