This document discusses implementing mandatory access control and account separation on AWS to improve security. It recommends:
1. Using SELinux on AWS instances to enforce mandatory access control policies that cannot be changed, even by administrators.
2. Implementing the first native MAC service on AWS, Glacier Vault Lock, which sets immutable policies on vaults.
3. Structuring AWS accounts to separate resources, logging, auditing and billing into different accounts controlled by cross-account access policies and IAM roles to restrict what actions and resources each account can access.
(SEC320) Leveraging the Power of AWS to Automate Security & ComplianceAmazon Web Services
"You’ve made the move to AWS and are now reaping the benefits of decreased costs and increased business agility. How can you reap those same benefits for your cloud security and compliance operations? As building cloud-native applications requires different skill sets, architectures, integrations, and processes, implementing effective, scalable, and robust security for the cloud requires rethinking everything from your security tools to your team culture.
Attend this session to learn how to start down the path toward security and compliance automation and hear how DevSecOps leaders such as Intuit and Capital One are using AWS, DevOps, and automation to transform their security operations.
Session sponsored by evident.io"
AWS offers you the ability to add additional layers of security to your data at rest in the cloud, providing access control as well scalable and efficient encryption features. Flexible key management options allow you to choose whether to have AWS manage the encryption keys or to keep complete control over the keys yourself. In this session, you will learn how to secure data when using AWS services. We will discuss data encryption using Key Management Service, S3 access controls, edge and host access security, and database platform security features.
The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that "Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?" That's the level of granularity you can choose to implement if you wish. In this session, we'll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.
Presenter: Stephen Quigg, Principal APAC Security Solutions Architect, Amazon Web Services
AWS provides a range of Compute Services – Amazon EC2, Amazon ECS and AWS Lambda. We will provide an intro level overview of these services and highlight suitable use cases. Amazon Elastic Compute Cloud (Amazon EC2) itself provides a broad selection of instance types to accommodate a diverse mix of workloads. Going a bit deeper on EC2 we will provide background on the Amazon EC2 instance platform, key platform features, and the concept of instance generations. We dive into the current-generation design choices of the different instance families, including the General Purpose, Compute Optimized, Storage Optimized, Memory Optimized, and GPU instance families. We also detail best practices and share performance tips for getting the most out of your Amazon EC2 instances, both from a performance and cost perspective.
(SEC320) Leveraging the Power of AWS to Automate Security & ComplianceAmazon Web Services
"You’ve made the move to AWS and are now reaping the benefits of decreased costs and increased business agility. How can you reap those same benefits for your cloud security and compliance operations? As building cloud-native applications requires different skill sets, architectures, integrations, and processes, implementing effective, scalable, and robust security for the cloud requires rethinking everything from your security tools to your team culture.
Attend this session to learn how to start down the path toward security and compliance automation and hear how DevSecOps leaders such as Intuit and Capital One are using AWS, DevOps, and automation to transform their security operations.
Session sponsored by evident.io"
AWS offers you the ability to add additional layers of security to your data at rest in the cloud, providing access control as well scalable and efficient encryption features. Flexible key management options allow you to choose whether to have AWS manage the encryption keys or to keep complete control over the keys yourself. In this session, you will learn how to secure data when using AWS services. We will discuss data encryption using Key Management Service, S3 access controls, edge and host access security, and database platform security features.
The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that "Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?" That's the level of granularity you can choose to implement if you wish. In this session, we'll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.
Presenter: Stephen Quigg, Principal APAC Security Solutions Architect, Amazon Web Services
AWS provides a range of Compute Services – Amazon EC2, Amazon ECS and AWS Lambda. We will provide an intro level overview of these services and highlight suitable use cases. Amazon Elastic Compute Cloud (Amazon EC2) itself provides a broad selection of instance types to accommodate a diverse mix of workloads. Going a bit deeper on EC2 we will provide background on the Amazon EC2 instance platform, key platform features, and the concept of instance generations. We dive into the current-generation design choices of the different instance families, including the General Purpose, Compute Optimized, Storage Optimized, Memory Optimized, and GPU instance families. We also detail best practices and share performance tips for getting the most out of your Amazon EC2 instances, both from a performance and cost perspective.
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that “Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?”. That’s the level of granularity you can choose to implement if you wish. In this session, we’ll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.
Speakers:
Rob Whitmore, AWS Solutions Architect
AWS provides all sorts of security features and capabilities, and these features generate tons of data to be sifted and analyzed. In this session, hear what we are doing to support ingestion, processing, and storage of data at scale to support our Security Science and DevSecOps programs. We've had a lot of experience understanding what is and is not possible for crunching security data using big data environments. In fact, we've discovered it's much easier to develop the tools and processes necessary to support applications than you might think.
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...Amazon Web Services
Cloud computing offers many advantages, such as the ability to scale your web applications or website on demand. But how do you scale your security and compliance infrastructure along with the business? Join this session to understand best practices for scaling your security resources as you grow from zero to millions of users. Specifically, you learn the following:
How to scale your security and compliance infrastructure to keep up with a rapidly expanding threat base.
The security implications of scaling for numbers of users and numbers of applications, and how to satisfy both needs.
How agile development with integrated security testing and validation leads to a secure environment.
Best practices and design patterns of a continuous delivery pipeline and the appropriate security-focused testing for each.
The necessity of treating your security as code, just as you would do with infrastructure.
The services covered in this session include AWS IAM, Auto Scaling, Amazon Inspector, AWS WAF, and Amazon Cognito.
This session is for IT pros working with compliance managers to deliver solutions that lower costs and still meet compliance demands. You will learn how to move large scale data stores to the cloud, while remaining compliant with existing regulations. Services mentioned: S3, Glacier and the Vault Lock feature, Snowball, ingestion services.
AWS and its partners offer a wide range of tools and features to help you to meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools to can provide full visibility into what is happening in your environment. In this session, you will get introduced to the range of security tools and features that AWS offers, and the latest security innovations coming from AWS.
This session will highlight the breadth and depth of services that make up the AWS platform. Participants will learn about the AWS Global Infrastructure, Networking, Compute, Storage, Database, Application Services, and Deployment & Administration. This session is designed for technical decision-makers to come away with a top-level understanding of AWS building block cloud services.
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Amazon Web Services
An organisation’s security controls are defined in part as a result of a need to comply with external industry regulatory requirements, and in part as a result of the organisation’s own risk appetite and culture. In this session we discuss our recommendations for producing a highly-secure AWS baseline environment, comprising multiple AWS accounts to enforce separation of duty, and each configured with a set of base controls for implementing access control, log capture and aggregation, and attack mitigation. We then map common sets of security controls to this architecture, and show how such an architecture can meet the requirements of various external standards.
AWS offers you the ability to add additional layers of security to your data at rest in the cloud, providing access control as well scalable and efficient encryption features. Flexible key management options allow you to choose whether to have AWS manage the encryption keys or to keep complete control over the keys yourself. In this session, you will learn how to secure data when using AWS services. We will discuss data encryption using Key Management Service, S3 access controls, edge and host access security, and database platform security features.
"This session brings together the interests of engineering, compliance, and security as you align healthcare workloads to the controls in the HIPAA Security Rule. We'll discuss how to architect for HIPAA compliance using AWS, and introduce a number of new services added to the HIPAA program in 2015, such as Amazon Relational Database Service (RDS), Amazon DynamoDB, and Amazon Elastic MapReduce (EMR). You'll hear from customers who process and store Protected Health Information on AWS, and how they satisfied their compliance requirements while maintaining agility.
This session helps security and compliance experts see what's technically possible on AWS, and how implementing the Technical Safeguards in the HIPAA Security Rule is simple and familiar. We map the Security Rule's Technical Safeguards to AWS features and design patterns to help developers, operations teams, and engineers speak the language of their security and compliance peers."
This webinar will introduce the AWS Shared Security Model. We will examine how to use the inherent security of the AWS environment, coupled with the security tools and features AWS makes available, to create a resilient environment with the security you need.
Learning Objectives:
• Understand the security measures AWS puts in place to secure the environment where your data lives
• Understand the tools AWS offers to help you create a resilient environment with the security you need
• Consider actions when moving a sensitive workload to AWS • Security benefits you can expect by deploying in the AWS Cloud
Who Should Attend:
- Prospects and customers with a security background
- Who are interested in using AWS to manage security-sensitive workloads
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Amazon Web Services
This session will discuss the options available for encrypting data at rest and key management in AWS. It will focus on two primary scenarios: (1) AWS manages encryption keys on behalf of the customer to provide automated server-side encryption; (2) the customer manages their own encryption keys using partner solutions and/or AWS CloudHSM. Real-world customer examples will be presented to demonstrate adoption drivers of specific encryption technologies in AWS. Netflix Jason Chan will provide an overview of how NetFlix uses CloudHSM for secure key storage.
Migrate your Data Warehouse to Amazon Redshift - September Webinar SeriesAmazon Web Services
You can gain substantially more business insights and save costs by migrating your on-premise data warehouse to Amazon Redshift, a fast, petabyte-scale data warehouse that makes it simple and cost-effective to analyze big data for a fraction of the cost of traditional data warehouses. This webinar will cover the key benefits of migrating to Amazon Redshift, migration strategies, and tools and resources that can help you in the process.
Learning Objectives:
• Understand how Amazon Redshift can deliver a richer, faster analytics at much lower costs.
• Learn key factors to consider before migrating and how to put together a migration plan.
• Learn best practices and tools for migrating schema, data, ETL and SQL queries.
Developing a Continuous Automated Approach to Cloud SecurityAmazon Web Services
Many organizations struggle daily with the question - "Where do we stand with our AWS security practices?" With the recent release of the Center for Internet Security's CIS AWS Foundations Benchmark, organizations now have an industry-accepted set of security configuration best practices. These benchmarks, in combination with 3rd party security solutions that support them, can form the foundation for security operations at organizations of all sizes through continuous monitoring and auditing.
(SEC203) Journey to Securing Time Inc's Move to the CloudAmazon Web Services
"Learn how Time Inc. met security requirements as they transitioned from their data centers to the AWS cloud. Colin Bodell, CTO from Time Inc. will start off this session by presenting Time’s objective to move away from on-premise and co-location data centers to AWS and the cost savings that has been realized with this transition. Chris Nicodemo from Time Inc. and Derek Uzzle from Alert Logic will then share lessons learned in the journey to secure dozens of high volume media websites during the migration, and how it has enhanced overall security flexibility and scalability. They will also provide a deep dive on the solutions Time has leveraged for their enterprise security best practices, and show you how they were able to execute their security strategy.
Who should attend: InfoSec and IT management.
Session sponsored by Alert Logic."
AWS offers you the ability to add additional layers of security to your data at rest in the cloud, providing access control as well scalable and efficient encryption features. Flexible key management options allow you to choose whether to have AWS manage the encryption keys or to keep complete control over the keys yourself. In this session, you will learn how to secure data when using AWS services. We will discuss data encryption using Key Management Service, S3 access controls, edge and host access security, and database platform security features.
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that “Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?”. That’s the level of granularity you can choose to implement if you wish. In this session, we’ll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.
Speakers:
Rob Whitmore, AWS Solutions Architect
AWS provides all sorts of security features and capabilities, and these features generate tons of data to be sifted and analyzed. In this session, hear what we are doing to support ingestion, processing, and storage of data at scale to support our Security Science and DevSecOps programs. We've had a lot of experience understanding what is and is not possible for crunching security data using big data environments. In fact, we've discovered it's much easier to develop the tools and processes necessary to support applications than you might think.
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...Amazon Web Services
Cloud computing offers many advantages, such as the ability to scale your web applications or website on demand. But how do you scale your security and compliance infrastructure along with the business? Join this session to understand best practices for scaling your security resources as you grow from zero to millions of users. Specifically, you learn the following:
How to scale your security and compliance infrastructure to keep up with a rapidly expanding threat base.
The security implications of scaling for numbers of users and numbers of applications, and how to satisfy both needs.
How agile development with integrated security testing and validation leads to a secure environment.
Best practices and design patterns of a continuous delivery pipeline and the appropriate security-focused testing for each.
The necessity of treating your security as code, just as you would do with infrastructure.
The services covered in this session include AWS IAM, Auto Scaling, Amazon Inspector, AWS WAF, and Amazon Cognito.
This session is for IT pros working with compliance managers to deliver solutions that lower costs and still meet compliance demands. You will learn how to move large scale data stores to the cloud, while remaining compliant with existing regulations. Services mentioned: S3, Glacier and the Vault Lock feature, Snowball, ingestion services.
AWS and its partners offer a wide range of tools and features to help you to meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools to can provide full visibility into what is happening in your environment. In this session, you will get introduced to the range of security tools and features that AWS offers, and the latest security innovations coming from AWS.
This session will highlight the breadth and depth of services that make up the AWS platform. Participants will learn about the AWS Global Infrastructure, Networking, Compute, Storage, Database, Application Services, and Deployment & Administration. This session is designed for technical decision-makers to come away with a top-level understanding of AWS building block cloud services.
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Amazon Web Services
An organisation’s security controls are defined in part as a result of a need to comply with external industry regulatory requirements, and in part as a result of the organisation’s own risk appetite and culture. In this session we discuss our recommendations for producing a highly-secure AWS baseline environment, comprising multiple AWS accounts to enforce separation of duty, and each configured with a set of base controls for implementing access control, log capture and aggregation, and attack mitigation. We then map common sets of security controls to this architecture, and show how such an architecture can meet the requirements of various external standards.
AWS offers you the ability to add additional layers of security to your data at rest in the cloud, providing access control as well scalable and efficient encryption features. Flexible key management options allow you to choose whether to have AWS manage the encryption keys or to keep complete control over the keys yourself. In this session, you will learn how to secure data when using AWS services. We will discuss data encryption using Key Management Service, S3 access controls, edge and host access security, and database platform security features.
"This session brings together the interests of engineering, compliance, and security as you align healthcare workloads to the controls in the HIPAA Security Rule. We'll discuss how to architect for HIPAA compliance using AWS, and introduce a number of new services added to the HIPAA program in 2015, such as Amazon Relational Database Service (RDS), Amazon DynamoDB, and Amazon Elastic MapReduce (EMR). You'll hear from customers who process and store Protected Health Information on AWS, and how they satisfied their compliance requirements while maintaining agility.
This session helps security and compliance experts see what's technically possible on AWS, and how implementing the Technical Safeguards in the HIPAA Security Rule is simple and familiar. We map the Security Rule's Technical Safeguards to AWS features and design patterns to help developers, operations teams, and engineers speak the language of their security and compliance peers."
This webinar will introduce the AWS Shared Security Model. We will examine how to use the inherent security of the AWS environment, coupled with the security tools and features AWS makes available, to create a resilient environment with the security you need.
Learning Objectives:
• Understand the security measures AWS puts in place to secure the environment where your data lives
• Understand the tools AWS offers to help you create a resilient environment with the security you need
• Consider actions when moving a sensitive workload to AWS • Security benefits you can expect by deploying in the AWS Cloud
Who Should Attend:
- Prospects and customers with a security background
- Who are interested in using AWS to manage security-sensitive workloads
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Amazon Web Services
This session will discuss the options available for encrypting data at rest and key management in AWS. It will focus on two primary scenarios: (1) AWS manages encryption keys on behalf of the customer to provide automated server-side encryption; (2) the customer manages their own encryption keys using partner solutions and/or AWS CloudHSM. Real-world customer examples will be presented to demonstrate adoption drivers of specific encryption technologies in AWS. Netflix Jason Chan will provide an overview of how NetFlix uses CloudHSM for secure key storage.
Migrate your Data Warehouse to Amazon Redshift - September Webinar SeriesAmazon Web Services
You can gain substantially more business insights and save costs by migrating your on-premise data warehouse to Amazon Redshift, a fast, petabyte-scale data warehouse that makes it simple and cost-effective to analyze big data for a fraction of the cost of traditional data warehouses. This webinar will cover the key benefits of migrating to Amazon Redshift, migration strategies, and tools and resources that can help you in the process.
Learning Objectives:
• Understand how Amazon Redshift can deliver a richer, faster analytics at much lower costs.
• Learn key factors to consider before migrating and how to put together a migration plan.
• Learn best practices and tools for migrating schema, data, ETL and SQL queries.
Developing a Continuous Automated Approach to Cloud SecurityAmazon Web Services
Many organizations struggle daily with the question - "Where do we stand with our AWS security practices?" With the recent release of the Center for Internet Security's CIS AWS Foundations Benchmark, organizations now have an industry-accepted set of security configuration best practices. These benchmarks, in combination with 3rd party security solutions that support them, can form the foundation for security operations at organizations of all sizes through continuous monitoring and auditing.
(SEC203) Journey to Securing Time Inc's Move to the CloudAmazon Web Services
"Learn how Time Inc. met security requirements as they transitioned from their data centers to the AWS cloud. Colin Bodell, CTO from Time Inc. will start off this session by presenting Time’s objective to move away from on-premise and co-location data centers to AWS and the cost savings that has been realized with this transition. Chris Nicodemo from Time Inc. and Derek Uzzle from Alert Logic will then share lessons learned in the journey to secure dozens of high volume media websites during the migration, and how it has enhanced overall security flexibility and scalability. They will also provide a deep dive on the solutions Time has leveraged for their enterprise security best practices, and show you how they were able to execute their security strategy.
Who should attend: InfoSec and IT management.
Session sponsored by Alert Logic."
AWS offers you the ability to add additional layers of security to your data at rest in the cloud, providing access control as well scalable and efficient encryption features. Flexible key management options allow you to choose whether to have AWS manage the encryption keys or to keep complete control over the keys yourself. In this session, you will learn how to secure data when using AWS services. We will discuss data encryption using Key Management Service, S3 access controls, edge and host access security, and database platform security features.
This session shows how AWS Mobile Hub can help to reduce the complexity of building mobile apps.
View webinar on demand: https://www.brighttalk.com/webcast/9019/195087
We built event-driven user interfaces for decades. What about bringing the same approach to mobile, web, and IoT backend applications? You have to understand how data flows and what is the propagation of changes, using reactive programming techniques. You can focus on the core functionalities to build and the relationships among the resources you use. Your application behaves similarly to a “spreadsheet”, where depending resources are updated automatically when something “happens”, and is decomposed into scalable microservices without having to manage the infrastructure. The resulting architecture is efficient and cost effective to run on AWS and managing availability, scalability and security becomes part of the implementation itself.
Women in Technology: Supporting Diversity in a Technical WorkplaceAmazon Web Services
Diversity in the technical workforce is a valuable asset for all companies, because it encourages different types of thinking and taps into the full potential of your team. Come learn from one AWS organization how a fast-moving, fast-growing team has put in place a "diversity circle" for personal and professional development. This program provides a peer mentoring group that builds skills and establishes informal networking support. The host and active participants of this two-year program will share tips and best practices for running a diversity peer mentoring group that spans engineering, product management, and operations.
A dive deep into the AWS IoT service that was announced at AWS re:Invent in October. We will cover the components of the AWS IoT platform, demonstrate the AWS IoT Console and command line experience and the client-side SDKs that AWS provides to help developers build rich applications for their devices, whilst removing the heavy lifting associated with creating a scalable, secure and reliable set of cloud services to support these applications.
DevOps en Amazon: Un vistazo a nuestras herramientas y procesosAmazon Web Services
(Diapositivas de presentación son en inglés.)
Mientras equipos de desarrollo transicionan a arquitecturas basadas en la nube y adoptan procesos más ágiles, las herramientas que necesitan para ayudarles en sus ciclos de desarrollo cambiarán. En esta sesión, os llevaremos por la transición que Amazon hizo a una arquitectura orientada a servicios hace más de una década. Compartiermos las lecciones aprendidas, los procesos que adoptamos y las herramientas que construimos para incrementar la agilidad y la fiabilidad. También os introduciremos a AWS CodeCommit, AWS CodePipeline, y AWS CodeDeploy, tres servicios que han nacido de la propia experiencia interna de DevOps en Amazon.
Using CloudTrail to Enhance Compliance and Governance of S3 - AWS Online Tech...Amazon Web Services
-Learn how to use AWS services to protect highly classified information
-Learn about compliance and governance with AWS -Learn how to use AWS CloudTrail to gain visibility into your AWS account activity
Webinar: Securely Configuring and Mining AWS CloudTrailAaron Klein
CloudTrail provides a rich audit trail of the activity in your AWS Environment. In order to maintain compliance with one of the many auditing standards, you need to implement continuous monitoring and demonstrate the ability to provide evidence when needed. Having access to CloudTrail is just the first step. Once you have verified CloudTrail is enabled and configured properly, you will need to ingest the CloudTrail files, parse them, and turn them into actionable information.
Webinar topics include:
- Setting up tamper resistant archives for CloudTrail
- Implementing a centralized bucket for CloudTrail across your organizations
- Securely configuring CloudTrail across hundreds of AWS accounts
YouTube Link: https://www.youtube.com/watch?v=_mk_qf0U4hI
Shared Responsibility and Setting Up Secure Account StructuresAmazon Web Services
In addition to discussing the AWS Shared Responsibility Model in detail for Infrastructure, Container and Abstract Services, we present a reference architecture for a secure, multi-account enterprise structure, including Mandatory Access Control for logging and separation assurance for different groups and functions within an organisation.
Back Up SQL Server to Amazon S3 with Microsoft Tools and File Gateway (STG380...Amazon Web Services
A widespread method to protect databases, particularly for DBAs, is to dump a database and its logs to a file share, often redundantly consuming both production and backup storage capacity, for a backup. What if that file share really lived on Amazon S3? It can. This session describes a backup architecture using File Gateway and native SQL Server and PowerShell commands deployed by AWS customer Direct Supply. Attend this session to learn how you can reduce on-premises storage while simplifying backup, recovery, and even migration of Microsoft SQL Server to AWS.
(MBL305) You Have Data from the Devices, Now What?: Getting the Value of the IoTAmazon Web Services
We are collecting tons of sensor data from billions of devices. How do you get the value from your IoT data sources? In this session, we will explore different strategies for collecting and ingesting data, understanding its frequency, and leveraging the potential of the cloud to analyze and predict trends and behavior to get most out of your deployed devices.
A comprehensive list of all the announcements made during AWS re:Invent 2019.
Also sharing the details of what the services are meant for and the planned GA for each.
Feel free to reach out over LinkedIn: https://www.linkedin.com/in/kaushikmohanraj/
#AWS #Cloud #reINvent
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Amazon Web Services
In this workshop, we present best practices for establishing an AWS Landing Zone. We provide a demonstration of the automated AWS Landing Zone solution, and we show you how it builds a multi-account architecture that is enterprise-ready for application deployment and compliant with common operations, security, and procurement processes. You have the opportunity to modify the code for custom deployments. Leave the workshop with an understanding of the mechanism to update the AWS Landing Zone using a CI/CD pipeline, how to create new AWS accounts using the built-in account vending machine, and how the AWS Landing Zone solution components integrate to provide a secure, scalable starting environment for your cloud journey. We encourage you to attend the full AWS Landing Zone track. Search for #awslandingzone in the session catalog.
Using AWS CloudTrail to Enhance Governance and Compliance of Amazon S3 - DEV3...Amazon Web Services
As organizations move their workloads to the cloud, companies must take steps to protect and audit their private and confidential information. This session focuses on Amazon S3 best practices and using AWS CloudTrail Data Events to help better protect data residing within Amazon S3. The session includes a demonstration to show how CloudTrail, in combination with other AWS services, can help with Amazon S3 governance and compliance requirements.
Next-Generation Security Operations with AWS | AWS Public Sector Summit 2016Amazon Web Services
With the upswell of cloud adoption, many traditional infrastructure paradigms are shifting. Security is no different. The cloud service provider industry is discovering new ways to tackle security, including automation, bottomless logging, scalable analysis clusters, and pluggable security tools. This session presents a case study in extending a traditional infrastructure operation into AWS. We provide a practical look into the technical challenges and benefits of operating in this new paradigm, explore incident response automation (Alexa integration), and provide various examples of shifting an on-premises security operation to a scalable, hybrid model. Through lessons learned and analysis, we show why your data is safer in the cloud than in that rack you can touch in your data
Migrating from the data center to the cloud requires users to rethink much of what they do to secure their applications. CloudCheckr COO Aaron Klein will highlight effective strategies and tools that AWS users can employ to improve their security posture. The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, auto-scaling infrastructure, users need to adapt their security architecture to face both compliance and security threats. Specific emphasis will be placed upon leveraging native AWS services and the talk will include concrete steps that users can begin employing immediately. Session sponsored by CloudCheckr.
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Amazon Web Services
The AWS Landing Zone solution provides a consolidated collection of AWS best practices, prescriptive guidance, and templates for automatically configuring and securing AWS multi-accounts, networks, and core services. In this workshop, you will learn the Landing Zone solution design. With your laptop, you will go through demonstrations of AWS Landing Zone deployment, automated new account creation using the built-in account vending machine, and Landing Zone customization for additional services. You will leave the workshop with an understanding of the AWS Landing Zone solution mechanisms, CI/CD deployment pipeline, and Landing Zone extension methods. This workshop is intended for architects, IT administrators, and engineers of consulting and technology partners as well as customers who will design, deploy, extend, or operate AWS Landing Zones. We encourage you to attend the full AWS Landing Zone track including SEC303; search for #awslandingzone in the session catalog.
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...Amazon Web Services
In this workshop, we present best practices for establishing an AWS Landing Zone. You will see a demonstration of the automated AWS Landing Zone solution and how it builds a multi-account architecture that is enterprise-ready for application deployment and compliant with common operations, security, and procurement processes, as well as experience how to modify the code for custom deployments. You will leave the workshop with an understanding of the mechanism to update the Landing Zone using a CI/CD pipeline, how to create new AWS accounts using the built-in account vending machine, and how the AWS Landing Zone solution components integrate to provide a secure, scalable starting environment for your cloud journey. We encourage you to attend the full AWS Landing Zone track. Search for #awslandingzone in the session catalog.
Similar to Account Separation and Mandatory Access Control (20)
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
Il Forecasting è un processo importante per tantissime aziende e viene utilizzato in vari ambiti per cercare di prevedere in modo accurato la crescita e distribuzione di un prodotto, l’utilizzo delle risorse necessarie nelle linee produttive, presentazioni finanziarie e tanto altro. Amazon utilizza delle tecniche avanzate di forecasting, in parte questi servizi sono stati messi a disposizione di tutti i clienti AWS.
In questa sessione illustreremo come pre-processare i dati che contengono una componente temporale e successivamente utilizzare un algoritmo che a partire dal tipo di dato analizzato produce un forecasting accurato.
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
La varietà e la quantità di dati che si crea ogni giorno accelera sempre più velocemente e rappresenta una opportunità irripetibile per innovare e creare nuove startup.
Tuttavia gestire grandi quantità di dati può apparire complesso: creare cluster Big Data su larga scala sembra essere un investimento accessibile solo ad aziende consolidate. Ma l’elasticità del Cloud e, in particolare, i servizi Serverless ci permettono di rompere questi limiti.
Vediamo quindi come è possibile sviluppare applicazioni Big Data rapidamente, senza preoccuparci dell’infrastruttura, ma dedicando tutte le risorse allo sviluppo delle nostre le nostre idee per creare prodotti innovativi.
Ora puoi utilizzare Amazon Elastic Kubernetes Service (EKS) per eseguire pod Kubernetes su AWS Fargate, il motore di elaborazione serverless creato per container su AWS. Questo rende più semplice che mai costruire ed eseguire le tue applicazioni Kubernetes nel cloud AWS.In questa sessione presenteremo le caratteristiche principali del servizio e come distribuire la tua applicazione in pochi passaggi
Vent'anni fa Amazon ha attraversato una trasformazione radicale con l'obiettivo di aumentare il ritmo dell'innovazione. In questo periodo abbiamo imparato come cambiare il nostro approccio allo sviluppo delle applicazioni ci ha permesso di aumentare notevolmente l'agilità, la velocità di rilascio e, in definitiva, ci ha consentito di creare applicazioni più affidabili e scalabili. In questa sessione illustreremo come definiamo le applicazioni moderne e come la creazione di app moderne influisce non solo sull'architettura dell'applicazione, ma sulla struttura organizzativa, sulle pipeline di rilascio dello sviluppo e persino sul modello operativo. Descriveremo anche approcci comuni alla modernizzazione, compreso l'approccio utilizzato dalla stessa Amazon.com.
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
L’utilizzo dei container è in continua crescita.
Se correttamente disegnate, le applicazioni basate su Container sono molto spesso stateless e flessibili.
I servizi AWS ECS, EKS e Kubernetes su EC2 possono sfruttare le istanze Spot, portando ad un risparmio medio del 70% rispetto alle istanze On Demand. In questa sessione scopriremo insieme quali sono le caratteristiche delle istanze Spot e come possono essere utilizzate facilmente su AWS. Impareremo inoltre come Spreaker sfrutta le istanze spot per eseguire applicazioni di diverso tipo, in produzione, ad una frazione del costo on-demand!
In recent months, many customers have been asking us the question – how to monetise Open APIs, simplify Fintech integrations and accelerate adoption of various Open Banking business models. Therefore, AWS and FinConecta would like to invite you to Open Finance marketplace presentation on October 20th.
Event Agenda :
Open banking so far (short recap)
• PSD2, OB UK, OB Australia, OB LATAM, OB Israel
Intro to Open Finance marketplace
• Scope
• Features
• Tech overview and Demo
The role of the Cloud
The Future of APIs
• Complying with regulation
• Monetizing data / APIs
• Business models
• Time to market
One platform for all: a Strategic approach
Q&A
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
Per creare valore e costruire una propria offerta differenziante e riconoscibile, le startup di successo sanno come combinare tecnologie consolidate con componenti innovativi creati ad hoc.
AWS fornisce servizi pronti all'utilizzo e, allo stesso tempo, permette di personalizzare e creare gli elementi differenzianti della propria offerta.
Concentrandoci sulle tecnologie di Machine Learning, vedremo come selezionare i servizi di intelligenza artificiale offerti da AWS e, anche attraverso una demo, come costruire modelli di Machine Learning personalizzati utilizzando SageMaker Studio.
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
Con l'approccio tradizionale al mondo IT per molti anni è stato difficile implementare tecniche di DevOps, che finora spesso hanno previsto attività manuali portando di tanto in tanto a dei downtime degli applicativi interrompendo l'operatività dell'utente. Con l'avvento del cloud, le tecniche di DevOps sono ormai a portata di tutti a basso costo per qualsiasi genere di workload, garantendo maggiore affidabilità del sistema e risultando in dei significativi miglioramenti della business continuity.
AWS mette a disposizione AWS OpsWork come strumento di Configuration Management che mira ad automatizzare e semplificare la gestione e i deployment delle istanze EC2 per mezzo di workload Chef e Puppet.
Scopri come sfruttare AWS OpsWork a garanzia e affidabilità del tuo applicativo installato su Instanze EC2.
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
Vuoi conoscere le opzioni per eseguire Microsoft Active Directory su AWS? Quando si spostano carichi di lavoro Microsoft in AWS, è importante considerare come distribuire Microsoft Active Directory per supportare la gestione, l'autenticazione e l'autorizzazione dei criteri di gruppo. In questa sessione, discuteremo le opzioni per la distribuzione di Microsoft Active Directory su AWS, incluso AWS Directory Service per Microsoft Active Directory e la distribuzione di Active Directory su Windows su Amazon Elastic Compute Cloud (Amazon EC2). Trattiamo argomenti quali l'integrazione del tuo ambiente Microsoft Active Directory locale nel cloud e l'utilizzo di applicazioni SaaS, come Office 365, con AWS Single Sign-On.
Dal riconoscimento facciale al riconoscimento di frodi o difetti di fabbricazione, l'analisi di immagini e video che sfruttano tecniche di intelligenza artificiale, si stanno evolvendo e raffinando a ritmi elevati. In questo webinar esploreremo le possibilità messe a disposizione dai servizi AWS per applicare lo stato dell'arte delle tecniche di computer vision a scenari reali.
Amazon Web Services e VMware organizzano un evento virtuale gratuito il prossimo mercoledì 14 Ottobre dalle 12:00 alle 13:00 dedicato a VMware Cloud ™ on AWS, il servizio on demand che consente di eseguire applicazioni in ambienti cloud basati su VMware vSphere® e di accedere ad una vasta gamma di servizi AWS, sfruttando a pieno le potenzialità del cloud AWS e tutelando gli investimenti VMware esistenti.
Molte organizzazioni sfruttano i vantaggi del cloud migrando i propri carichi di lavoro Oracle e assicurandosi notevoli vantaggi in termini di agilità ed efficienza dei costi.
La migrazione di questi carichi di lavoro, può creare complessità durante la modernizzazione e il refactoring delle applicazioni e a questo si possono aggiungere rischi di prestazione che possono essere introdotti quando si spostano le applicazioni dai data center locali.
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
Molte aziende oggi, costruiscono applicazioni con funzionalità di tipo ledger ad esempio per verificare lo storico di accrediti o addebiti nelle transazioni bancarie o ancora per tenere traccia del flusso supply chain dei propri prodotti.
Alla base di queste soluzioni ci sono i database ledger che permettono di avere un log delle transazioni trasparente, immutabile e crittograficamente verificabile, ma sono strumenti complessi e onerosi da gestire.
Amazon QLDB elimina la necessità di costruire sistemi personalizzati e complessi fornendo un database ledger serverless completamente gestito.
In questa sessione scopriremo come realizzare un'applicazione serverless completa che utilizzi le funzionalità di QLDB.
Con l’ascesa delle architetture di microservizi e delle ricche applicazioni mobili e Web, le API sono più importanti che mai per offrire agli utenti finali una user experience eccezionale. In questa sessione impareremo come affrontare le moderne sfide di progettazione delle API con GraphQL, un linguaggio di query API open source utilizzato da Facebook, Amazon e altro e come utilizzare AWS AppSync, un servizio GraphQL serverless gestito su AWS. Approfondiremo diversi scenari, comprendendo come AppSync può aiutare a risolvere questi casi d’uso creando API moderne con funzionalità di aggiornamento dati in tempo reale e offline.
Inoltre, impareremo come Sky Italia utilizza AWS AppSync per fornire aggiornamenti sportivi in tempo reale agli utenti del proprio portale web.
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
Molte organizzazioni sfruttano i vantaggi del cloud migrando i propri carichi di lavoro Oracle e assicurandosi notevoli vantaggi in termini di agilità ed efficienza dei costi.
La migrazione di questi carichi di lavoro, può creare complessità durante la modernizzazione e il refactoring delle applicazioni e a questo si possono aggiungere rischi di prestazione che possono essere introdotti quando si spostano le applicazioni dai data center locali.
In queste slide, gli esperti AWS e VMware presentano semplici e pratici accorgimenti per facilitare e semplificare la migrazione dei carichi di lavoro Oracle accelerando la trasformazione verso il cloud, approfondiranno l’architettura e dimostreranno come sfruttare a pieno le potenzialità di VMware Cloud ™ on AWS.
Amazon Elastic Container Service (Amazon ECS) è un servizio di gestione dei container altamente scalabile, che semplifica la gestione dei contenitori Docker attraverso un layer di orchestrazione per il controllo del deployment e del relativo lifecycle. In questa sessione presenteremo le principali caratteristiche del servizio, le architetture di riferimento per i differenti carichi di lavoro e i semplici passi necessari per poter velocemente migrare uno o più dei tuo container.
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...BBPMedia1
Marvin neemt je in deze presentatie mee in de voordelen van non-endemic advertising op retail media netwerken. Hij brengt ook de uitdagingen in beeld die de markt op dit moment heeft op het gebied van retail media voor niet-leveranciers.
Retail media wordt gezien als het nieuwe advertising-medium en ook mediabureaus richten massaal retail media-afdelingen op. Merken die niet in de betreffende winkel liggen staan ook nog niet in de rij om op de retail media netwerken te adverteren. Marvin belicht de uitdagingen die er zijn om echt aansluiting te vinden op die markt van non-endemic advertising.
Affordable Stationery Printing Services in Jaipur | Navpack n PrintNavpack & Print
Looking for professional printing services in Jaipur? Navpack n Print offers high-quality and affordable stationery printing for all your business needs. Stand out with custom stationery designs and fast turnaround times. Contact us today for a quote!
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...BBPMedia1
Grote partijen zijn al een tijdje onderweg met retail media. Ondertussen worden in dit domein ook de kansen zichtbaar voor andere spelers in de markt. Maar met die kansen ontstaan ook vragen: Zelf retail media worden of erop adverteren? In welke fase van de funnel past het en hoe integreer je het in een mediaplan? Wat is nu precies het verschil met marketplaces en Programmatic ads? In dit half uur beslechten we de dilemma's en krijg je antwoorden op wanneer het voor jou tijd is om de volgende stap te zetten.
Enterprise Excellence is Inclusive Excellence.pdfKaiNexus
Enterprise excellence and inclusive excellence are closely linked, and real-world challenges have shown that both are essential to the success of any organization. To achieve enterprise excellence, organizations must focus on improving their operations and processes while creating an inclusive environment that engages everyone. In this interactive session, the facilitator will highlight commonly established business practices and how they limit our ability to engage everyone every day. More importantly, though, participants will likely gain increased awareness of what we can do differently to maximize enterprise excellence through deliberate inclusion.
What is Enterprise Excellence?
Enterprise Excellence is a holistic approach that's aimed at achieving world-class performance across all aspects of the organization.
What might I learn?
A way to engage all in creating Inclusive Excellence. Lessons from the US military and their parallels to the story of Harry Potter. How belt systems and CI teams can destroy inclusive practices. How leadership language invites people to the party. There are three things leaders can do to engage everyone every day: maximizing psychological safety to create environments where folks learn, contribute, and challenge the status quo.
Who might benefit? Anyone and everyone leading folks from the shop floor to top floor.
Dr. William Harvey is a seasoned Operations Leader with extensive experience in chemical processing, manufacturing, and operations management. At Michelman, he currently oversees multiple sites, leading teams in strategic planning and coaching/practicing continuous improvement. William is set to start his eighth year of teaching at the University of Cincinnati where he teaches marketing, finance, and management. William holds various certifications in change management, quality, leadership, operational excellence, team building, and DiSC, among others.
Buy Verified PayPal Account | Buy Google 5 Star Reviewsusawebmarket
Buy Verified PayPal Account
Looking to buy verified PayPal accounts? Discover 7 expert tips for safely purchasing a verified PayPal account in 2024. Ensure security and reliability for your transactions.
PayPal Services Features-
🟢 Email Access
🟢 Bank Added
🟢 Card Verified
🟢 Full SSN Provided
🟢 Phone Number Access
🟢 Driving License Copy
🟢 Fasted Delivery
Client Satisfaction is Our First priority. Our services is very appropriate to buy. We assume that the first-rate way to purchase our offerings is to order on the website. If you have any worry in our cooperation usually You can order us on Skype or Telegram.
24/7 Hours Reply/Please Contact
usawebmarketEmail: support@usawebmarket.com
Skype: usawebmarket
Telegram: @usawebmarket
WhatsApp: +1(218) 203-5951
USA WEB MARKET is the Best Verified PayPal, Payoneer, Cash App, Skrill, Neteller, Stripe Account and SEO, SMM Service provider.100%Satisfection granted.100% replacement Granted.
Unveiling the Secrets How Does Generative AI Work.pdfSam H
At its core, generative artificial intelligence relies on the concept of generative models, which serve as engines that churn out entirely new data resembling their training data. It is like a sculptor who has studied so many forms found in nature and then uses this knowledge to create sculptures from his imagination that have never been seen before anywhere else. If taken to cyberspace, gans work almost the same way.
What is the TDS Return Filing Due Date for FY 2024-25.pdfseoforlegalpillers
It is crucial for the taxpayers to understand about the TDS Return Filing Due Date, so that they can fulfill your TDS obligations efficiently. Taxpayers can avoid penalties by sticking to the deadlines and by accurate filing of TDS. Timely filing of TDS will make sure about the availability of tax credits. You can also seek the professional guidance of experts like Legal Pillers for timely filing of the TDS Return.
VAT Registration Outlined In UAE: Benefits and Requirementsuae taxgpt
Vat Registration is a legal obligation for businesses meeting the threshold requirement, helping companies avoid fines and ramifications. Contact now!
https://viralsocialtrends.com/vat-registration-outlined-in-uae/
Skye Residences | Extended Stay Residences Near Toronto Airportmarketingjdass
Experience unparalleled EXTENDED STAY and comfort at Skye Residences located just minutes from Toronto Airport. Discover sophisticated accommodations tailored for discerning travelers.
Website Link :
https://skyeresidences.com/
https://skyeresidences.com/about-us/
https://skyeresidences.com/gallery/
https://skyeresidences.com/rooms/
https://skyeresidences.com/near-by-attractions/
https://skyeresidences.com/commute/
https://skyeresidences.com/contact/
https://skyeresidences.com/queen-suite-with-sofa-bed/
https://skyeresidences.com/queen-suite-with-sofa-bed-and-balcony/
https://skyeresidences.com/queen-suite-with-sofa-bed-accessible/
https://skyeresidences.com/2-bedroom-deluxe-queen-suite-with-sofa-bed/
https://skyeresidences.com/2-bedroom-deluxe-king-queen-suite-with-sofa-bed/
https://skyeresidences.com/2-bedroom-deluxe-queen-suite-with-sofa-bed-accessible/
#Skye Residences Etobicoke, #Skye Residences Near Toronto Airport, #Skye Residences Toronto, #Skye Hotel Toronto, #Skye Hotel Near Toronto Airport, #Hotel Near Toronto Airport, #Near Toronto Airport Accommodation, #Suites Near Toronto Airport, #Etobicoke Suites Near Airport, #Hotel Near Toronto Pearson International Airport, #Toronto Airport Suite Rentals, #Pearson Airport Hotel Suites
Skye Residences | Extended Stay Residences Near Toronto Airport
Account Separation and Mandatory Access Control
1. Account Separation and
Mandatory Access Control on
AWS
Dave Walker
Specialist Solutions Architect, Security and Compliance
16/03/16
2. Mandatory Access Control?
• Contrast with Discretionary Access Control
– u/g/o / rwx file permissions
– Under the control of the file owner
• MAC is a function of core system policy
– Immutable to all system users; sometimes also invisible to them
– …including root
• Epitomised in SELinux, descended from Orange Book B1
systems
– Sometimes extended to do multilevel / cross-domain security
3. Mandatory Access Control?
• SELinux on AWS
– RHEL, Ubuntu, SuSE, etc AMIs…
– (Don’t forget FreeBSD and other Community AMIs)
• First native MAC service on AWS: Glacier Vault Lock
– Set a Policy and fix it in place
– Even the account owner can’t change it, until its time lock expires
– Designed to meet SEC “Books and Records” requirements (Rule 17a-
4(f))
• Also FINRA Rule 4511, CFTC Regulation 1.31
• How can we make more services behave similarly?
– Cross-account access gets us close!
4. S3 Subtleties
• Versioning
• MFA Delete
– Put these together, and you get something which looks a lot like an
append-only object store
– …consider evidential integrity and weight
– Consider adding lifecycle policies to rotate into Vault-Locked Glacier
• Good for long-term log retention
5. S3 Subtleties
• CloudTrail, Config, CloudWatch Logs, ELB logs, VPC Flow
Logs
– Make them write-only for production / resource accounts
• No means to read or list bucket contents
– Make them read-only for audit accounts
• Though audit user activities may need to be written to logs too
– Potentially to a different log location
• Create a separate Logging account and apply cross-account
sharing:
6. S3 Subtleties
• S3 write-only cross-account sharing
– Share write-only (no reading or listing of contents) from owner
account via bucket policy
– Writer accounts have IAM permissions to write
7. S3 Subtleties: Log Bucket Policy, Part 1
• (Actual policy won’t fit here, but…):
– Start with the cross-account bucket policy for writing CloudTrail logs, at
https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sha
ring-AWS-CloudTrail-Log-Files-Between-Accounts Scenario 1
– Add the Sid + Effect + Principal + Action + Resource aggregate objects
from the bucket policy for Config, at
http://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-
policy.html , applying the same principles
– Add s3:GetBucketLocation permissions, to handle cross-Region logs
• (we want to log from all Regions to 1 bucket)
– Add the following for CloudWatch Logs:
8. S3 Subtleties: Log Bucket Policy, Part 2{
"Sid": "Cross-account write allow for CloudWatch Logs, mediated by control below",
"Effect": "Allow",
"Principal": ]
"AWS": "arn:aws:iam::Writer-Account-ID:root”,
<Add other accounts here>
],
"Action":[
"s3: PutObject",
"S3: GetBucketLocation"
],
"Resource":"arn: aws: s3:::myorg-logbucket/<optionalprefix>/AWSLogs/*"
},
{
"Sid":"Control to require full control grant on write",
"Effect":"Deny",
"Principal":[
"AWS":"arn: aws:iam::Writer-Account-ID:root”,
<Add other accounts here>
],
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::myorg-logbucket/<optional prefix>/AWSLogs/*",
"Condition": {
"StringNotEquals": {
"s3:"bucket-owner-full-control"
}
}}
9. S3 Subtleties: Log Bucket Policy, Part 3
• Audit users (in another account) will need read-only access to your log
bucket; see
https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sharing
-AWS-CloudTrail-Log-Files-Between-Accounts , again (Scenario 2)
• Good to do via a Role which has to be explicitly assumed;
again, see the URL above
10. S3 Subtleties: Log Bucket Policy and IAM
• Point CloudTrail and Config in other accounts to our log
bucket for writing, when setting these accounts up
• IAM policy to add to each log-generating account to allow
cross-account writing:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": ”Cross-account Write",
"Effect": "Allow",
"Action": [
"s3:PutObject”,
”s3:GetBucketLocation”
],
"Resource": [
"arn:aws:s3:::myorg-logbucket"
]
}
]}
11. Detailed Billing: Sample Records
ItemDescription
UsageStar
tDate
UsageEn
dDate
UsageQua
ntity
Currenc
yCode
CostBef
oreTax
Cre
dits
TaxAm
ount
TaxT
ype
TotalCo
st
$0.000 per GB - regional data transfer under the
monthly global free tier
01.04.14
00:00
30.04.14
23:59
0.0000067
5 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.05 per GB-month of provisioned storage - US
West (Oregon)
01.04.14
00:00
30.04.14
23:59
1.126.666.
554USD 0.56 0.0
0.0000
00 None
0.5600
00
First 1,000,000 Amazon SNS API Requests per
month are free
01.04.14
00:00
30.04.14
23:5910.0 USD 0.00 0.0
0.0000
00 None
0.0000
00
First 1,000,000 Amazon SQS Requests per month
are free
01.04.14
00:00
30.04.14
23:594153.0 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.00 per GB - EU (Ireland) data transfer from US
West (Northern California)
01.04.14
00:00
30.04.14
23:59
0.0000329
2 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.000 per GB - data transfer out under the monthly
global free tier
01.04.14
00:00
30.04.14
23:590.02311019USD 0.00 0.0
0.0000
00 None
0.0000
00
First 1,000,000 Amazon SNS API Requests per
month are free
01.04.14
00:00
30.04.14
23:5988.0 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.000 per GB - data transfer out under the monthly
global free tier
01.04.14
00:00
30.04.14
23:593.3E-7 USD 0.00 0.0
0.0000
00 None
0.0000
00
12. Linked Accounts
• Consolidate daily Detailed Billing logs into one bucket, for all
accounts
• Now put it all together…
13. The Base Account Structure
AWS Account
Root Account • No Access Keys
• MFA Enabled
• Raise Alert on Login
IAM Master • No Access Keys
• MFA Enabled
• Raise Alert on Login
Define IAM Policies
Enable IAM Managers (User or
Role)
• Have Passwd Policy
• Enforce Passwd
Rotation
• Have Acct Questions
set up
• Have Info eMail set
up
IAM Manager • No Access Keys
• MFA Enabled
Create IAM
Users/Groups/Roles
Use Pre-Defined Policies
14. The Larger Picture
BILLING
S3 Holder
CloudTrail
Config
CW Logs
S3 Holder
BILL
CloudTrail
IAMUser
IAM User
Assum
e
Role
IAM User
Assum
e
Role
IAM User
Assum
e
Role
Resources
IAM ROLE
IAM ROLE
IAM ROLE
Backup Data
Backup
S3 Holder
Audit
Display
Rights
STS
{
"Version": "2012-10-17",
"Statement": [ {
"Sid": ”STS-Only",
"Effect": "Allow",
"Action": [ "sts:AssumeRole" ],
"Resource": [ "*" ] }
]
}
15. There’s One More Account to Consider…
• (…and it won’t fit on the diagram)
• Service Catalogue
– Also has cross-account capability
– Repository for CloudFormation templates, golden AMIs…
– …add latest database backups and other necessary datasets, and
you have an Intellectual Property Holding Account
• Something to copy cross-Region for DR
• See http://aws.amazon.com/servicecatalog/faqs/ for cross-account access
16. Raising Alerts
• Raise (through CloudTrail, watched by a Lambda function triggered on
bucket writes) an Alert (through, eg, SNS) if:
– Any account’s root user logs in
– Any IAM-Master account logs in
– Billing/CloudTrail accounts have another S3 Bucket created
– IAM-User generates any new AWS resource
– IAM-User generates any CloudTrail events other than assume-role
and console login
– IAM-User logs in to any Resource Accounts (besides IAM-Manager)
– Resource-Account has IAM-Users assigned (besides IAM-Master/IAM-Manager)
17. Logs→metrics→alerts→actions
AWS Config
CloudWatch /
CloudWatch Logs
CloudWatch
alarms
AWS CloudTrail
Amazon EC2 OS logs
Amazon VPC
Flow Logs
Amazon SNS
email notification
HTTP/S
notification
SMS notifications
Mobile push
notifications
API
calls
from
most
services Monitoring
data from
AWS
services
Custom
metrics
18. Also:
• Federate from IAM-User to another IdP
• Filter on LDAP DN elements; ou=, dc=
• Result: no PII in IAM!
– See page 20 of https://d0.awsstatic.com/whitepapers/aws-whitepaper-
single-sign-on-integrating-aws-open-ldap-and-shibboleth.pdf
• Set account and contact details to an email alias and a PABX
hunt group, and arrange with your AM to have your billing
invoiced to your company accounts
• …no PII in your AWS account
– unless you explicitly need to process PII in your AWS environment
19. Other Resources
• Re:Invent 2015: “Wrangling Security Events in
the Cloud” (SEC308)
– https://www.youtube.com/watch?v=uc1Q0XCcCv4
– Further ways to enable service configuration immutability
• Essentially, “config-correcting Lambda functions”
20.
21. Account Separation and
Mandatory Access Control on
AWS
Dave Walker
Specialised Solutions Architect, Security and Compliance
28/01/16
Editor's Notes
aka "how to manage your logging buckets, continued".
If you share your versioned, MFA-delete bucket write-only across accounts from a dedicated Audit acct to Production, Staging, etc, then the policy on the bucket and the contents are both invisible and immutable to the account it's being shared with, even its root user - and having spent about half my working life in a multilevel, cross-domain, modified Bell-LaPadula world, this amounts to Mandatory Access Control.
You can also set SELinux up in properly constrained Enforcing Mode on EC2 - you could set up user-data at instance launch time to call a script to generate keys and then go into Enforcing mode, if you need to simulate TPM functionality. There may be better ways of doing this, as CloudHSM can be called from Java as well as PKCS#11 - get creative!