Jason Chan
• Cloud Security Architect @ Netflix
• Previously:
• Most recently led security team at VMware
• Primarily security consulting at @stake, iSEC Partners
• Some presentations at:
• http://www.slideshare.net/netflix
Agenda
• Goals and non-goals
• AWS on one slide
• Netflix in the cloud
• AWS security: Overview
• AWS security: Gotchas
• AWS security: Recommendations
• Takeaways
AWS on a Slide
“The cloud lets its users
focus on delivering
differentiating business
value instead of wasting
valuable resources on the
undifferentiated heavy
lifting that makes up most
of IT infrastructure.”
- Werner Vogels (AWS
CTO)
August 25, 2009, ‘All Things
AWS Credentials and Identifiers

Account Identifiers
| Identifier        | Description               |
|-------------------|---------------------------|
| Account ID        | 12 digit identifier       |
| Canonical User ID | Used for S3 permissioning |

Resource Identifier
| Identifier                 | Description                                                                   |
|----------------------------|-------------------------------------------------------------------------------|
| Amazon Resource Name (ARN) | Unique resource identifier, e.g. arn:aws:sns:us-east-1:1234567890123456:mytopic |

Sign-In Credentials
| Credential             | Use                                 |
|------------------------|-------------------------------------|
| Main Account E-Mail/PW | Console access                      |
| IAM Account Name/PW    | Console access                      |
| MFA Token              | HW/SW token for additional security |

Access Credentials
| Credential         | Use                 |
|--------------------|---------------------|
| Access Keys        | REST API            |
| X.509 Certificates | SOAP API, EC2 tools |
| Key Pairs          | CloudFront, EC2     |

http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html
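The ARN format on this slide is something you end up parsing whenever you review policies or inventory resources. The following is an added example (not code from the deck, from Netflix, or from AWS) that splits an ARN into its fields, applies the slide's "12 digit" rule to the account field, and picks out ARNs that point at a different account. All ARNs and account numbers in it are constructed placeholders.

```python
import re

# Field order of an Amazon Resource Name, as shown on the slide:
#   arn:partition:service:region:account-id:resource
ARN_FIELDS = ("partition", "service", "region", "account_id", "resource")

# The slide describes the account ID as a 12-digit identifier.
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")


def parse_arn(arn):
    """Split an ARN into named fields. The resource part may itself contain
    ':' or '/', so the string is split at most five times and the remainder
    is kept whole. Raises ValueError for anything not shaped like an ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % (arn,))
    fields = dict(zip(ARN_FIELDS, parts[1:]))
    for required in ("partition", "service", "resource"):
        if not fields[required]:
            raise ValueError("ARN is missing its %s: %r" % (required, arn))
    # region and account_id are legitimately empty for some services
    # (S3 buckets carry neither, IAM resources carry no region)
    if fields["account_id"] and not ACCOUNT_ID_RE.match(fields["account_id"]):
        raise ValueError("account field is not a 12-digit account ID: %r" % (arn,))
    return fields


def foreign_account_arns(arns, own_account_id):
    """Return the ARNs in `arns` that name a different AWS account. When these
    show up in a policy they are cross-account grants worth a second look."""
    return [a for a in arns
            if parse_arn(a)["account_id"] not in ("", own_account_id)]
```

`parse_arn` deliberately keeps the resource part opaque; the resource syntax (`user/alice`, `bucket/key`, a bare topic name) differs per service, so a caller that needs it should split it with knowledge of that service.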
AWS Services, Actions, and Resources

| Service | Action                                 | Resource                  |
|---------|----------------------------------------|---------------------------|
| S3      | Get Object, Delete Bucket              | Bucket, Object            |
| EC2     | Terminate Instances, Associate Address | Instance, AMI, EBS Volume |

AWS policies can be applied to actions and resources.
Compatibility is service-dependent.
http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html
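To make the action/resource model concrete, here is an added example (not code from the deck or from AWS) of a small evaluator for the core IAM rules: nothing is allowed by default, a statement has to match both the action and the resource, and an explicit Deny beats any Allow. The sample policy is constructed; it uses `Resource: "*"` for EC2 to reflect the slide's point that not every service accepts resource-level restrictions. Conditions and principals are left out of the model.

```python
import json
import re


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' a single one."""
    regex = "^" + ".*".join(
        ".".join(re.escape(p) for p in piece.split("?")) for piece in pattern.split("*")
    ) + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified evaluation of one action on one resource against a policy
    document: default deny, a statement must match action and resource, and an
    explicit Deny wins over every Allow. Action names are case-insensitive,
    resource ARNs are compared as written."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_wildcard_match(a, action, ignore_case=True) for a in actions):
            continue
        if not any(_wildcard_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample policy (not from the slides or from Netflix): read objects
# in one bucket, describe EC2 resources, and never delete any bucket even if a
# later statement were to allow it.
SAMPLE_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::reports-bucket/*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny",  "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")
```

The useful habit this encourages is to test a policy the way the service will read it: ask `is_allowed` about the specific calls you expect to work and the ones you expect to fail, rather than reading the JSON and assuming.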
Controlling Network Traffic in AWS

App Server -> (TCP 3306) -> DB Server

Cisco Configuration
permit tcp host 1.1.1.1 host 2.2.2.2 eq 3306

AWS Configuration
ec2-authorize db -P tcp -p 3306 -s app
Security Groups & ACLs

| Type               | Stateful | Ingress | Egress | Cross-Account | Dynamic Membership | EC2 | VPC |
|--------------------|----------|---------|--------|---------------|--------------------|-----|-----|
| EC2 Security Group | Y        | Y       | N      | Y             | N                  | Y   | N   |
| VPC Security Group | Y        | Y       | Y      | N             | Y                  | N   | Y   |
| DB Security Group  | Y        | Y       | N      | Y             | Y                  | Y   | Y   |
| VPC Network ACL    | N        | Y       | Y      | N             | Y                  | N/A | N/A |
AWS Limits
• “Because the cloud is infinite if your requirements
are moderate”
• Many AWS services have a variety of limits
• Some of which are easily discoverable
• AWS services also have throttling (i.e. max RPS)
• Beware of self DoS via automation and autoscaling
• NOTE: http://aws.amazon.com/contact-us/ for
limit increase requests
• NOTE: Track limits and inspect error messages
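The self-DoS on this slide is what happens when an automation loop or an autoscaler fires API calls faster than the service accepts them. The following is an added example (not code from the deck, from Netflix, or from AWS) that simulates it with a stand-in endpoint that throttles above a fixed request rate and a client that paces itself, backs off with jitter on throttling errors, and keeps the counters you would watch. The endpoint, its limit and the error text are constructed; real AWS throttling behaviour differs in detail, and the simulated clock is there so the example runs instantly.

```python
import random


class ThrottlingError(Exception):
    """Stand-in for the throttling error an AWS API returns above its request
    rate; the message text is what you log and count."""


class FakeClock:
    """Simulated time so the example runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class FakeApi:
    """Constructed stand-in for an endpoint (not real AWS behaviour): it accepts
    max_rps calls per one-second window and throttles the rest."""
    def __init__(self, clock, max_rps):
        self.clock, self.max_rps = clock, max_rps
        self._window, self._count = -1, 0
        self.throttled = 0

    def call(self, operation):
        window = int(self.clock.time())
        if window != self._window:
            self._window, self._count = window, 0
        self._count += 1
        if self._count > self.max_rps:
            self.throttled += 1
            raise ThrottlingError("RequestLimitExceeded: " + operation)
        return {"operation": operation, "ok": True}


class PacedClient:
    """Client-side pacing plus exponential backoff with jitter, and counters so
    the operator can see how close automation runs to the limit."""
    def __init__(self, api, clock, rps_budget, max_attempts=6, seed=0):
        self.api, self.clock = api, clock
        self.interval = 1.0 / rps_budget
        self.max_attempts = max_attempts
        self.rng = random.Random(seed)
        self._next_slot = 0.0
        self.stats = {"calls": 0, "throttled": 0, "retries": 0, "gave_up": 0}

    def call(self, operation):
        now = self.clock.time()
        if now < self._next_slot:            # stay inside our own budget
            self.clock.sleep(self._next_slot - now)
        self._next_slot = self.clock.time() + self.interval
        for attempt in range(self.max_attempts):
            self.stats["calls"] += 1
            try:
                return self.api.call(operation)
            except ThrottlingError:
                self.stats["throttled"] += 1
                if attempt + 1 == self.max_attempts:
                    self.stats["gave_up"] += 1
                    raise
                self.stats["retries"] += 1
                # capped exponential backoff with jitter, so a fleet of callers
                # does not retry in lockstep and throttle itself again
                base = min(20.0, 0.1 * (2 ** attempt))
                self.clock.sleep(base * (0.5 + self.rng.random()))


def run_naive(n, max_rps):
    """A tight loop with no pacing: how much of it gets throttled?"""
    clock = FakeClock()
    api = FakeApi(clock, max_rps)
    errors = 0
    for _ in range(n):
        try:
            api.call("DescribeInstances")
        except ThrottlingError:
            errors += 1
    return errors


def run_paced(n, max_rps, rps_budget):
    """The same workload through the paced client; returns its counters."""
    clock = FakeClock()
    client = PacedClient(FakeApi(clock, max_rps), clock, rps_budget)
    succeeded = sum(1 for _ in range(n) if client.call("DescribeInstances")["ok"])
    return dict(client.stats, succeeded=succeeded, elapsed=clock.time())
```

With a budget below the endpoint's limit the throttled counter stays at zero; with a budget above it the work still completes, but the retry counter climbing is the signal that the automation needs a lower budget or a limit increase request.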
EC2 IP Addresses
• Each instance has two IPs - private and public
# ec2-metadata
...
local-hostname: ip-10-245-134-152.ec2.internal
local-ipv4: 10.245.134.152
...
public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com
public-ipv4: 72.44.52.70
...
EC2 IP Addresses
• Both public and private IPs are dynamic
• Elastic IPs can be used for persistent public IPs
• Within a region, instances use their private IPs
• Across regions & for Internet traffic, the public IP is used
• NOTE: Traffic to the public IP/EIP:
• Incurs regional data transfer costs
• Is less performant in-region
• Does not preserve source security group info
Elastic Load Balancers
• Service availability and traffic balancing across EC2 instances
• Stable DNS for publicly-facing services
• Alias to the ELB DNS CNAME
• SSL termination, session stickiness, etc.
[Diagram: Internet -> ELB -> Instance, Instance, Instance]
Elastic Load Balancers
• ELB intercepts and forwards traffic
• Traffic loses source IP
• Client IP is accessible via X-Forwarded-For
• Backend instances must allow traffic from the ELB
• Traffic from ELB == Traffic from Internet
• Without additional (non security group) filtering, ELBs should only be used for public use cases
• NOTE: VPC ELBs can use security groups for limiting access
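Because the ELB is the TCP peer and the client's address only survives in X-Forwarded-For, an application that logs or rate-limits by client IP has to read that header carefully: the ELB appends the address it saw, but everything to the left of that entry was sent by the client and can say anything. The following added example (not code from the deck, from Netflix, or from AWS) recovers the client address by walking the header from the right and ignoring it entirely when the request did not come through a trusted load balancer. The trusted network list and all addresses are constructed assumptions.

```python
import ipaddress

# Assumption for this example: the addresses the load balancer tier connects
# from are known and can be expressed as networks. Constructed value.
LB_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted_proxy(ip, trusted_networks):
    return any(ip in net for net in trusted_networks)


def client_ip(remote_addr, xff_header, trusted_networks=LB_NETWORKS):
    """Recover the real client address for a request that may have come through
    an ELB. The ELB appends the address it saw to X-Forwarded-For, so the
    right-most entry that is not a trusted proxy is the client; anything to its
    left was supplied by the client and is untrusted. If the TCP peer is not a
    trusted proxy the header is ignored, because nobody we trust wrote it."""
    peer = _parse_ip(remote_addr)
    if peer is None:
        return None
    if not _is_trusted_proxy(peer, trusted_networks):
        return str(peer)
    entries = [e for e in (xff_header or "").split(",") if e.strip()]
    for entry in reversed(entries):
        ip = _parse_ip(entry)
        if ip is None:
            return None          # unparsable where the proxy should have written: fail closed
        if not _is_trusted_proxy(ip, trusted_networks):
            return str(ip)
    return None                   # header empty or made up only of proxies
```

The function is also where the slide's "traffic from ELB == traffic from Internet" point lands in code: the address it returns is an Internet client, so it must never be used to grant the request any trust that a direct Internet connection would not get.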
S3 Policies and Object
Ownership
• S3 bucket similar to container, object similar to a file
• Access control can be applied via bucket policy, bucket
ACL, and object ACLs
• NOTE: Objects only inherit bucket-level permissions if
written by bucket owner
• Default ACL is “object creator: full control”
• Objects written by a non-bucket-owner are inaccessible to the bucket owner
• Use “x-amz-acl” header on write to fix permissions
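The ownership gotcha on this slide is invisible until someone in the bucket owner's account tries to read an object and gets access denied. The following added example (not code from the deck, from Netflix, or from AWS) shows both halves: the request header a writer should set so the bucket owner keeps control, and an audit that parses an object's ACL document and reports objects the bucket owner is locked out of, or that are readable by everyone. The ACL documents are constructed in the shape S3 returns for a `GET ?acl` request, and the canonical IDs are placeholders.

```python
import xml.etree.ElementTree as ET

S3 = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Header to send with a PUT into a bucket you do not own, so the bucket owner
# is granted full control of the object at write time (the slide's fix).
PUT_HEADERS_FOR_FOREIGN_BUCKET = {"x-amz-acl": "bucket-owner-full-control"}

# Constructed ACL document for an object another account wrote into our bucket
# without that header: only the writer holds any permission.
WRITER_ONLY_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>writer-canonical-id</ID><DisplayName>partner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>writer-canonical-id</ID><DisplayName>partner</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

OWNER_GRANT = """<Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>bucket-owner-canonical-id</ID><DisplayName>us</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>"""

PUBLIC_GRANT = """<Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>"""

# The same object after the writer used x-amz-acl: bucket-owner-full-control,
# and a variant that was also made world-readable (both constructed).
FIXED_ACL = WRITER_ONLY_ACL.replace("</AccessControlList>", OWNER_GRANT + "\n  </AccessControlList>")
PUBLIC_ACL = WRITER_ONLY_ACL.replace("</AccessControlList>", PUBLIC_GRANT + "\n  </AccessControlList>")


def parse_acl(acl_xml):
    """Return (owner_id, grants); grants is a list of (grantee, permission)
    where grantee is a canonical user ID or, for groups, the group URI."""
    root = ET.fromstring(acl_xml)
    owner_id = root.findtext(S3 + "Owner/" + S3 + "ID")
    grants = []
    for grant in root.iter(S3 + "Grant"):
        grantee = grant.find(S3 + "Grantee")
        if grantee.get(XSI_TYPE) == "Group":
            who = grantee.findtext(S3 + "URI")
        else:
            who = grantee.findtext(S3 + "ID")
        grants.append((who, grant.findtext(S3 + "Permission")))
    return owner_id, grants


def audit_object_acl(acl_xml, bucket_owner_id):
    """Findings for one object's ACL: is the bucket owner locked out of an
    object someone else wrote, and is the object readable by everyone?"""
    owner_id, grants = parse_acl(acl_xml)
    findings = []
    owner_perms = {perm for who, perm in grants if who == bucket_owner_id}
    if owner_id != bucket_owner_id and "FULL_CONTROL" not in owner_perms:
        findings.append("bucket owner has no FULL_CONTROL on object owned by " + owner_id)
    if any(who == ALL_USERS for who, _perm in grants):
        findings.append("object is readable by AllUsers (public)")
    return findings
```

Run over every key in a bucket that other accounts write to, the audit turns the slide's note into a list of objects to fix; the header constant is what those writers need to add to their PUT requests so the list stays empty.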
AWS Resource Logging
• AWS APIs and resources are publicly (Internet)
accessible
• So, your management interfaces, file store,
databases, etc. are publicly addressable
• Preventing access is generally possible through
policy configuration
• NOTE: AWS provides no capability for
logging or auditing resource access
Delivering Credentials
to EC2 Instances
• AWS becomes more valuable when leveraging
multiple services (e.g. EC2 + SQS, S3, etc.)
• Access to resources will generally require
credentials
• Secure delivery and storage of credentials
becomes difficult with scale and automation
• Some ideas:
• http://shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html
Systematic Approach to
AWS Security
• Understand shared responsibility model
• Management of AWS
• AWS security features and services
• AWS resource security
• Secure AWS operations
Shared Responsibility
• Analyze what each side provides in terms of security controls
• Understand legal/contractual aspects
• Make plans to bridge any gaps
https://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework
http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html
AWS Management
• No longer any reason to not use IAM
• Enable:
• IAM
• MFA (for account and IAM accounts)
• Create groups and assign permissions appropriate
for organizational model
• Consider using separate top-level accounts for
compartmentalization
AWS Security Features
and Services
• Understand security features, limitations,
and options of the features you use
• S3 - encryption, MFA delete, versioning
• EC2 - dedicated instances, disabling API
termination
• Consider VPC based on use cases and
requirements
Secure AWS
Operations
• Understand security group/ACL differences
• Design and implement according to architectural
requirements
• Actively manage and monitor accounts and
credentials
Other
Recommendations
• Tools like boto are useful for security monitoring and analysis
• Keep an eye on:
• http://aws.typepad.com/
• @jeffbarr
• AWS Endpoints: http://docs.amazonwebservices.com/general/latest/gr/rande.html
• EC2 IP Ranges: https://forums.aws.amazon.com/forum.jspa?forumID=30
Takeaways
• AWS provides an array of services that allow you to
construct and operate large scale web services in a self-
service, pay as you go model
• The cloud operating model requires you to understand
the security responsibilities of both provider and
consumer
• Understanding AWS’ security features and capabilities
and taking a systematic approach to AWS security will
help ensure optimized and secure service use
Netflix PaaS
• Supports all AWS regions and availability zones
• Supports multiple AWS accounts
• One-click deployment and load balancing across three datacenters
• Cross-region and account data replication and archive
• Dynamic and fine-grained security
• Automatic scaling to thousands of instances
• Monitoring for millions of metrics
• Base server and client
• I18n, L10n, geo IP routing
http://www.slideshare.net/netflix
Security Monkey
http://techblog.netflix.com/2011/07/netflix-simian-army.html
• Centralized framework for cloud security
monitoring and analysis
• Leverages AWS APIs and common security
tools
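The "Other Recommendations" slide suggests tools like boto for security monitoring, and Security Monkey is described as a centralized framework that leverages the AWS APIs for the same purpose. The following added example (not Security Monkey's code, not from the deck, and not boto's object model) shows the two checks such a monitor starts with: a point-in-time audit of security groups for rules open to the world or trusting another account, and a diff between two snapshots so that a group opened up since the last run raises an alert. The snapshot format, group names, ports and the cross-account reference syntax are constructed assumptions; in a real deployment the snapshots would be filled from API calls.

```python
import ipaddress

# Assumption for this example: a simplified snapshot format (group name ->
# list of inbound rules), not boto's object model or the AWS API response.
# A group referenced as "account-id/name" stands for a cross-account source.
def rule(proto, from_port, to_port, cidr=None, group=None):
    return {"proto": proto, "from_port": from_port, "to_port": to_port,
            "cidr": cidr, "group": group}

# Ports this (constructed) environment exposes to the world on purpose.
PUBLIC_OK_PORTS = {80, 443}

# Two constructed snapshots of the same account on consecutive days.
SNAPSHOT_MONDAY = {
    "web": [rule("tcp", 443, 443, cidr="0.0.0.0/0"),
            rule("tcp", 80, 80, cidr="0.0.0.0/0")],
    "app": [rule("tcp", 8080, 8080, group="web")],
    "db":  [rule("tcp", 3306, 3306, group="app")],
    "ops": [rule("tcp", 22, 22, cidr="203.0.113.0/24")],
}
SNAPSHOT_TUESDAY = {
    "web": list(SNAPSHOT_MONDAY["web"]),
    "app": SNAPSHOT_MONDAY["app"] + [rule("-1", 0, 65535, group="123456789012/partner")],
    "db":  SNAPSHOT_MONDAY["db"] + [rule("tcp", 3306, 3306, cidr="0.0.0.0/0")],
    "ops": [rule("tcp", 22, 22, cidr="0.0.0.0/0")],
}


def _is_world(cidr):
    return cidr is not None and ipaddress.ip_network(cidr).prefixlen == 0


def _rule_key(r):
    return (r["proto"], r["from_port"], r["to_port"], r["cidr"], r["group"])


def audit_groups(snapshot):
    """Point-in-time findings as (group, severity, message) tuples."""
    findings = []
    for name, rules in sorted(snapshot.items()):
        for r in rules:
            if _is_world(r["cidr"]):
                if r["proto"] == "-1":
                    findings.append((name, "critical", "all protocols open to the world"))
                elif not (r["from_port"] == r["to_port"] and r["from_port"] in PUBLIC_OK_PORTS):
                    findings.append((name, "high", "%s %d-%d open to the world"
                                     % (r["proto"], r["from_port"], r["to_port"])))
            if r["group"] and "/" in r["group"]:
                findings.append((name, "info",
                                 "rule trusts group %s from another account" % r["group"]))
    return findings


def diff_snapshots(old, new):
    """Rules added or removed between two runs: the change feed to alert on,
    since a group that was fine yesterday can be opened up in one API call."""
    added, removed = [], []
    for name in sorted(set(old) | set(new)):
        before = {_rule_key(r) for r in old.get(name, [])}
        after = {_rule_key(r) for r in new.get(name, [])}
        added += [(name,) + k for k in sorted(after - before, key=str)]
        removed += [(name,) + k for k in sorted(before - after, key=str)]
    return {"added": added, "removed": removed}
```

Scheduled against live snapshots, `audit_groups` answers "what is exposed right now" and `diff_snapshots` answers "what changed since last time"; the second question is the one a centralized monitor exists to ask, because the slide on resource logging notes that AWS itself gives you no audit trail of who made the change.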