AWS re:Invent re:Cap 행사에서 발표된 강연 자료입니다. 아마존 웹서비스의 양승도 솔루션스 아키텍트가 발표한 내용입니다. 새로 발표된 AWS의 보안 및 접근권한 관리 관련 서비스를 이용해 아키텍처를 구축하는 방법에 대해 초점이 맞춰져 있습니다. 내용 요약: AWS 클라우드의 인프라는 현존하는 클라우드 컴퓨팅 환경 중 가장 유연하고 안전하게 작동할 수 있도록 설계되어 고도의 확장성과 안정성을 지닌 플랫폼으로 기능하고 있으며, 고객들은 이를 활용해 애플리케이션과 데이터를 빠르고 안전하게 배포할 수 있습니다. 이번 세션에서는 현존하는 AWS의 보안 및 컴플라이언스 도구들 외에 이번 re:Invent에서 추가된 AWS Key Management Service, AWS Config, 그리고 AWS Service Catalog를 활용해 커스텀 키 관리 및 암호화, 리소스 사용의 가시성 확보와 감사, 표준화된 리소스 할당을 가능하게 하는 법에 대해 알아보겠습니다.

1. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
December 8, 2014 | Korea
양승도 솔루션스 아키텍트
re:

2. JOB ZERO

3. Job Zero
Network Security
Physical Security
Platform Security
People & Procedures

4. SHARED

5. constantly improving
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
AWS is
responsible for
the security OF
the Cloud
GxP
ISO 13485
AS9100
ISO/TS 16949

6. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network, & Firewall Configuration
Customer applications & content
Customers
shared responsibility
Customers have
their choice of
security
configurations IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

7. FAMILIAR

8. familiar

9. VISIBILITY

10. VISIBILITY
RIGHT NOW?

13. Visible

14. You are making API calls...
On a growing set of services around the world…
AWS CloudTrail is continuously recording API calls…
And delivering log files to you
AWS CLOUDTRAIL
Redshift
AWS CloudFormation
AWS Elastic Beanstalk

15. Use cases enabled by CloudTrail

16. AUDITABILITY

22. Changing Recording Continuous Change
Resource
s
AWS Config
History
Stream
Snapshot (ex. 2014-11-05)
AWS Config

24. Integrated Support from Our Partner Ecosystem

29. CONTROL

30. First class security and compliance
starts (but doesn’t end!) with encryption
Automatic encryption with managed keys
Bring your own keys
Dedicated hardware security modules

31. Encryption & Best Practices with AWS
Managed key encryption Key storage with AWS CloudHSM Customer-supplied key encryption DIY on Amazon EC2 Create, store, & retrieve keys securely Rotate keys regularly Securely audit access to keys Partner enablement of crypto

32. DIY
AWS Marketplace Partner Solution
AWS CloudHSM
AWS Key Management Service
Where are keys generated and stored
Your network or in AWS
Your network or in AWS
In AWS, on an HSM that you control
AWS
Where keys are used
Your network or your EC2 instance
Your network or your EC2 instance
AWS or your applications
AWS services or your applications
How to control key use
Config files, Vendor-specific management
Vendor-specific management
Customer code + Safenet APIs
Policy you define; enforced in AWS
Responsibility for Performance/Scale
You
You
You
AWS
Integration with AWS services?
Limited
Limited
Limited
Yes
Pricing model
Variable
Per hour/per year
Per hour
Per key/usage

41. How AWS Services Integrate with AWS Key
Management Service
• Two-tiered key hierarchy using envelope
encryption
• Unique data key encrypt customer data
• AWS KMS master keys encrypt data keys
• Benefits of envelope encryption:
• Limits risk of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master
keys than millions of data keys
Customer Master
Key(s)
Data Key 1
Amazon
S3 Object
Amazon
EBS
Volume
Amazon
Redshift
Cluster
Data Key 2 Data Key 3 Data Key 4
Custom
Application
AWS KMS

42. AWS Key Management Service Reference Architecture
Application or AWS Service
+
Data Key Encrypted Data Key
Encrypted Data
Master Key(s) in Customer’s Account
AWS Key Management Service
1.Application or AWS service client requests an encryption key to use to encrypt data, and passes a reference to a master key under the account.
2.Client request is authenticated based on whether they have access to use the master key.
3.A new data encryption key is created and a copy of it is encrypted under the master key.
4.Both data key and encrypted data key are returned to the client. Data key is used to encrypt customer data and then deleted as soon as is practical.
5.Encrypted data key is stored for later use and sent back to AWS KMS when the source data needs to be decrypted.

43. Nasdaq is a great example of security excellence in the cloud

44. Nasdaq Use Case Requirement
Replace on-premises data warehouse while keeping
equivalent schemas and data
Only one year of capacity remaining
4-8 billion rows of new information stored daily stock trading
Must cost less than existing system
Must satisfy multiple security and regulatory audits
Must perform similarly to legacy warehouse under
concurrent query load
AWS’s ability to satisfy multiple security and regulatory audits was critical to Nasdaq’s migrating its data warehouse to AWS

45. Nasdaq Data Warehouse Implementation
Pull data from numerous sources, validate data, and securely load into Redshift

46. AWS CloudTrail to monitor and audit environment
Network isolation with Amazon VPC and AWS Direct Connect
Encryption in flight using TLS and Amazon Redshift JDBC connections
Encryption at rest with Amazon S3 (client-side, AES-256) with Amazon Redshift cluster encryption enabled and AWS CloudHSM
Nasdaq Security Best Practices
AWS CloudHSM integration was critical to Nasdaq adoption of AWS

47. AGILITY

50. Agility
Self-service
Time to market
IT
Developers
Control
Visibility
Compliance

52. Use a personalized portal to find & launch services
IT
Developers
Create custom services
and grant access to developers

53. Providing Developers fast provisioning
Create and manage Portfolio
Add custom products and services
Grant access to developers

54. Achieving self-service with IT approval
Find and launch services
Automate provisioning
Manage AWS resources

55. Creates portfolio
Adds constraints and grant access
1
4
5
Administrator
Portfolio
Users
Browse Products
6
Launch Products
AWS CloudFormation template
Creates product
3
Authors template
2
ProductX
ProductY
ProductZ
7
Deploys stacks
Notifications
Notifications
8
8

56. Simple Security Controls

58. BETTER OFF IN AWS