AWS Security by Design
Amazon Web Services
1. AWS Security by Design
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shafreen Sayyed, Solutions Architect, Amazon Web Services
10th May 2018
2. Security by Design Principles
• Implement a segregated account environment
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data (in transit and at rest)
• Prepare for security events

3. An Expansive Ecosystem
Products integrated with the AWS platform and easy to test.

4. Implement a segregated account environment
5. AWS Organizations (Outline Multi-Account Structure)
Diagram of the account layout; labels as they appear on the slide:
• Organization Master Account (Billing), governed with AWS Organizations and Amazon CloudFormation StackSets
• Organization Accounts: Security, Logging, Shared Services, Tooling, Internal Audit, Direct Conn. Account (linking to the external data centre)
• BU/Product/Resource Accounts: Dev, Pre-Prod, Prod
• Developer Accounts: Developer Sandbox, Sandbox
6. Implement a strong identity foundation

7. AWS Identity and Access Management (IAM)
Ensure only authorized and authenticated users are able to access resources:
• Define users, groups, services and roles
• Protect AWS credentials
• Use fine-grained authorization/access control
8. Define access (Users, Groups, Services, Roles)
• Think carefully
• SAML 2.0
• Define a management policy
• Logically group users
• Apply group policies
• Least-privilege access
• Be granular
• Use roles for instances and functions
• Avoid using API keys in code

9. Protecting AWS credentials
• Establish least-privileged user access
• Enable MFA on the root account
• Consider federation
• Set a password policy
• MFA for users and/or certain operations (S3 delete)
• Avoid storing API keys in source control
• Use temporary credentials via AWS STS
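As an added illustration of the "avoid storing API keys in source control" point (this is not code from the deck, nor from the git-secrets project it later links to), the following Python scanner applies patterns modelled on the ones git-secrets registers with its AWS provider to the added lines of a diff, the way a pre-commit hook would. The prefix list and the assignment pattern are reproduced from memory and should be treated as an approximation; the sample diff and the non-placeholder key values in it are constructed, while AKIAIOSFODNN7EXAMPLE and its companion secret are the placeholders AWS uses in its own documentation and are allow-listed for that reason.

```python
import re

# Access key IDs: a known prefix plus 16 upper-case alphanumerics. The prefix list is
# modelled on the pattern git-secrets registers (assumption: reproduced from memory).
ACCESS_KEY_ID = re.compile(
    r"(?<![A-Z0-9])(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"
)
# Secret access keys: 40 base64-alphabet characters assigned to a key-like name
# (aws_secret_access_key, SECRET_KEY, secret_access_key: ... and similar spellings).
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(?:aws)?_?secret_?(?:access)?_?key['\"]?\s*(?::|=>|=)\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# The placeholder credentials from the AWS documentation are not real secrets.
ALLOWED = ("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")


def find_secrets_in_line(line):
    """Return [(kind, value)] for every suspected credential on one line."""
    hits = []
    for m in ACCESS_KEY_ID.finditer(line):
        if m.group(0) not in ALLOWED:
            hits.append(("access_key_id", m.group(0)))
    for m in SECRET_ASSIGNMENT.finditer(line):
        if m.group(1) not in ALLOWED:
            hits.append(("secret_access_key", m.group(1)))
    return hits


def scan_diff(diff_text):
    """Scan only the lines a patch introduces ('+' lines, excluding '+++' file headers).

    Returns [(diff_line_number, kind, value)] so the hook can point at the offending line.
    """
    hits = []
    for lineno, raw in enumerate(diff_text.splitlines(), start=1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # removed and context lines are not being committed
        hits.extend((lineno, kind, value) for kind, value in find_secrets_in_line(raw[1:]))
    return hits


def diff_is_clean(diff_text):
    """Pre-commit gate: True when nothing credential-like is being added."""
    return scan_diff(diff_text) == []


# Constructed sample: a config file that only carries the documented placeholders (allowed)
# and a script that embeds real-looking, constructed keys (must be caught).
SAMPLE_DIFF = """\
--- a/config.ini
+++ b/config.ini
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+region = eu-west-1
--- a/deploy.py
+++ b/deploy.py
+ACCESS_KEY = "AKIA0123456789ABCDEF"
+SECRET_KEY = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn"
-session = boto3.Session()  # removed line, not scanned
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_diff(SAMPLE_DIFF):
        print(f"line {lineno}: {kind} {value[:4]}... refusing commit")
```

Wired into a pre-commit hook, the script would read `git diff --cached` from stdin and exit non-zero when `diff_is_clean` is false; the deck's recommendation of temporary STS credentials and instance roles removes the need for long-lived keys in code in the first place, and this scan is the backstop for the cases where someone pastes one anyway.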
10. Fine-grained access control
• Establish the least-privilege principle
• Users have no permissions
• Groups have permission to assume a Role
• Roles have the permissions the job requires and no more, according to least privilege
• Use AWS Organizations to centrally manage access
11. Amazon GuardDuty
• A threat detection service re-imagined for the cloud
• Continuously monitors and protects AWS accounts along with the applications and services running within them
• Detects known threats as well as unknown threats (zero-days)
• Makes use of artificial intelligence / machine learning
• Integrated threat intelligence
• Operates on CloudTrail, VPC Flow Logs and DNS
• Detailed and actionable findings, emitted as CloudWatch Events and console reports
12. Detecting Known Threats: Threat Intelligence
GuardDuty consumes feeds from various sources:
• AWS Security
• Commercial feeds
• Open source feeds
• Customer-provided threat intel (STIX)
What the feeds cover:
• Known malware-infected hosts
• Anonymising proxies
• Sites hosting malware and hacker tools
• Crypto-currency mining pools and wallets

13. Detecting Unknown Threats: Anomaly Detection
• Algorithms to detect unusual behavior
• Inspecting signal patterns for signatures
• Profiling normal and looking at deviations
• Machine learning classifiers
14. What can the service detect?
Finding types shown on the slide (full list at https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html#actual-types):
• RDP brute force
• RAT installed
• Exfiltrate temporary IAM credentials over DNS
• Probe API with temporary credentials
• Attempt to compromise account
• Malicious or suspicious IP
• Unusual ports
• DNS exfiltration
• Unusual traffic volume
• Connect to blacklisted site
• Recon
• Anonymizing proxy
• Temporary credentials used off-instance
• Unusual ISP caller
• Bitcoin activity
• Unusual instance launch
15. GuardDuty Partners

16. Resources
AWS IAM - https://aws.amazon.com/iam/
AWS STS - https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
AWS Organizations - https://aws.amazon.com/organizations/
https://www.youtube.com/watch?v=ZKpkF17d0Oo&feature=youtu.be
AWS Git-Secrets - https://github.com/awslabs/git-secrets
AWS Multi-account strategy - https://www.youtube.com/watch?v=71fD8Oenwxc
AWS GuardDuty Finding types - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html#actual-types
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_filter-findings
17. Enable traceability

18. Detective controls
Identifying a potential security threat is essential for legal and compliance assurance. The key areas are:
• Capture and analyze logs
• Integrate auditing controls with notifications and workflow: use your logs
19. Log sources
AWS CloudTrail, AWS Config, Amazon CloudWatch Logs, VPC Flow Logs, ELB logs, API endpoint logs, Amazon Redshift logs, ...
If it moves, log it! (If it doesn't move, watch it 'til it moves, then log it!)

20. Different log categories
• AWS infrastructure logs: AWS CloudTrail, Amazon VPC Flow Logs, ...
• AWS service logs: Amazon S3, Elastic Load Balancing, Amazon CloudFront, AWS Lambda (sometimes), AWS Elastic Beanstalk, ...
• Host-based logs: messages, security, NGINX/Apache/syslog etc., performance monitoring, ...
All three categories carry security-related events.

21. Multiple levels of automation
• Self managed: AWS CloudTrail -> Amazon CloudWatch Logs -> Amazon CloudWatch Alerts; AWS CloudTrail -> Amazon SNS -> AWS Lambda
• Compliance validation: AWS Config Rules
• Host-based compliance checking: Amazon Inspector
• Active change remediation: Amazon CloudWatch Events
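The "self managed" path above ends in CloudWatch Logs metric filters over CloudTrail records. As an added example (not code from the deck or from AWS), the Python below re-implements three such detections, modelled on the CIS AWS Foundations Benchmark monitoring filters: direct use of the root account, a console login without MFA, and API calls rejected for lack of authorization. The record field names follow the CloudTrail record format; the records themselves, the account ID 111122223333 and the principal names are constructed.

```python
import json


def is_root_activity(rec):
    """Root credentials used directly: identity type Root, not a service acting on
    root's behalf (invokedBy), and not an AWS-generated service event."""
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(rec):
    """Console sign-in where CloudTrail did not record an MFA factor."""
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def is_unauthorized_call(rec):
    """API call that the authorization layer rejected."""
    code = rec.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


# Ordered so that alerts come out in a stable sequence per record.
DETECTIONS = [
    ("root_account_activity", is_root_activity),
    ("console_login_without_mfa", is_console_login_without_mfa),
    ("unauthorized_api_call", is_unauthorized_call),
]


def triage(records):
    """Run every detection over every record.

    Returns [(eventTime, principal ARN, eventName, detection name)], one entry per match;
    a single record may trigger more than one detection.
    """
    alerts = []
    for rec in records:
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        for name, check in DETECTIONS:
            if check(rec):
                alerts.append((rec.get("eventTime"), principal, rec.get("eventName"), name))
    return alerts


def triage_trail_file(text):
    """CloudTrail delivers JSON documents with a top-level "Records" array; triage one."""
    return triage(json.loads(text)["Records"])


# Constructed CloudTrail delivery with five records: a root console login without MFA,
# a normal MFA login, a denied EC2 call, a routine S3 write by a role, and a service
# event that names Root but was invoked by CloudTrail itself.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-05-10T09:12:31Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2018-05-10T09:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2018-05-10T09:20:47Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2018-05-10T09:21:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/orders-app/i-0123456789abcdef0"}},
    {"eventTime": "2018-05-10T09:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "CreateLogStream", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
]})

if __name__ == "__main__":
    for alert in triage_trail_file(SAMPLE_TRAIL):
        print(alert)
```

The same three predicates map one-to-one onto CloudWatch Logs filter patterns (for instance `{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }`), so the Python version doubles as a way to test filter logic against archived trail files before deploying the metric filter and its alarm.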
22. AWS Trusted Advisor checks your account

23. Resources
AWS Config – https://aws.amazon.com/config/
AWS Config Rules – https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
Amazon Inspector - https://aws.amazon.com/inspector/
Amazon Elasticsearch Service - https://aws.amazon.com/elasticsearch-service/
Amazon CloudWatch Logs - https://aws.amazon.com/cloudwatch/
Amazon Athena – https://aws.amazon.com/athena/
Amazon Glacier – https://aws.amazon.com/glacier/
AWS Lambda – https://aws.amazon.com/lambda/
24. Apply security at all layers

25. Defence-in-depth

26. Infrastructure protection
• Protect network and host-level boundaries
• System security configuration and management
• Enforce service-level protection
27. Protect network and host-level boundaries
VPC considerations:
• Subnets to separate workloads
• Use NACLs to prevent access between subnets
• Use route tables to deny internet access from protected subnets
• Use security groups to grant access to and from other security groups
Limit what you run in public subnets:
• ELBs, ALBs and NLBs
• Bastion hosts
• Avoid, wherever possible, having a system directly accessible from the internet
External connectivity for management:
• Use VPN gateways to your on-premise systems
• Direct Connect
28. AWS Shield
• Standard Protection: protection against the most common DDoS attacks, and access to tools and best practices to build a DDoS-resilient architecture on AWS.
• Advanced Protection: additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24x7 access to DDoS experts for complex cases.

29. AWS Shield: four key pillars
• AWS integration: DDoS protection without infrastructure changes
• Affordable: don't force unnecessary trade-offs between cost and availability
• Flexible: customize protections for your applications
• Always-on detection and mitigation: minimize impact on application latency

30. AWS Shield Advanced
• Always-on monitoring and detection
• Advanced L3/4 and L7 DDoS protection
• Attack notification and reporting
• 24x7 access to the DDoS Response Team
• AWS bill protection
31. AWS WAF – Layer 7 application protection
• Web traffic filtering with custom rules
• Malicious request blocking
• Active monitoring and tuning
• Managed WAF rules available on AWS Marketplace

32. The Artifact Service

33. Systems Manager Capabilities
Run Command, Maintenance Windows, Inventory, State Manager, Parameter Store, Patch Manager, Automation; grouped on the slide under configuration and administration, update and track, and shared capabilities.
34. System security configuration and management
• OS-based firewalls
• Remove unnecessary packages from the OS
• Remove direct access to machines: use Systems Manager
• Amazon Inspector to scan the OS and applications for CVEs (Common Vulnerabilities and Exposures)
• Don't forget Security Groups

35. Resources
Amazon VPC – https://aws.amazon.com/vpc/
AWS Direct Connect – https://aws.amazon.com/directconnect/
Amazon Inspector - https://aws.amazon.com/inspector/
AWS KMS - https://aws.amazon.com/kms/
AWS Systems Manager - https://aws.amazon.com/systems-manager/
AWS WAF – https://aws.amazon.com/waf/
AWS Shield - https://aws.amazon.com/shield/
AWS Artifact - https://aws.amazon.com/artifact/
36. Automate security best practices

37. Ensure best practice
• Template everything (CloudFormation, Terraform, etc.)
• Utilise CI/CD pipelines
• Set AWS Config rules, e.g. s3-bucket-public-write-prohibited and s3-bucket-public-read-prohibited
• Amazon Inspector to detect known vulnerabilities
• Automate the response to non-compliant infrastructure
38. The Event Response Automation Playbook
Diagram: an adversary (or intern) acts on your environment; the resulting CloudWatch Events event triggers a Lambda responder.

39. Example
"Only allow EC2 instances launched from approved AMIs and with appropriate subnets and Security Groups"

40. EC2 launch parameters
ImageId=ami-f9dd458a
SubnetId=subnet-a8aa4ef0
SecurityGroups=[ GroupId=sg-45533823 ]
41. CloudWatch Events event pattern
{
  "detail-type": [ "EC2 Instance State-change Notification" ],
  "detail": { "state": [ "pending" ] },
  "source": [ "aws.ec2" ]
}

42. Responder
# check if the AMI is approved
# check if the AMI is used in the correct subnet
# check if the AMI was launched with an approved security group
43. Amazon DynamoDB (approved launch configurations)
{ "ami": "ami-0d77397e", "region": "eu-west-1",
  "security_groups": [ "sg-cc9a3aaa" ],
  "subnets": [ "subnet-ac3d7cda", "subnet-2f9c1677" ] },
{ "ami": "ami-f9dd458a", "region": "eu-west-1",
  "security_groups": [ "sg-ee9a3a88" ],
  "subnets": [ "subnet-ad3d7cdb", "subnet-2e9c1676" ] }

44. Event (emitted by the level-1 responder)
{ 'Time': int(time.time()),
  'Source': 'auto.responder.level1',
  'Resources': [ str(instance_id) ],
  'DetailType': 'activeResponse',
  'Detail': { 'instance': instance_id, 'actionsRequested': 'instanceTermination' } }
45. CloudWatch Events event pattern (level 2)
{
  "detail-type": [ "activeResponse" ],
  "source": [ "auto.responder.level1" ]
}

46. L2 responder
ec2.terminate_instances
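The playbook on slides 38 to 46, carried through end to end as an added example (this is not the deck's Lambda code). The approval table is the deck's DynamoDB records and the rogue launch uses the deck's slide-40 parameters, which fall outside that table. The `matches` function re-implements the exact-match semantics of a CloudWatch Events rule pattern (every pattern key must be present; a list of values is an OR; nested objects recurse) so both responders can be exercised locally, and a stub with the same `terminate_instances(InstanceIds=...)` signature as the boto3 EC2 client stands in for EC2 so the chain runs offline. The instance IDs, the stub and the `as_delivered` conversion are constructed assumptions.

```python
import time

# Approval table: the records from the deck's DynamoDB slide, held inline here.
APPROVED = [
    {"ami": "ami-0d77397e", "region": "eu-west-1",
     "security_groups": ["sg-cc9a3aaa"], "subnets": ["subnet-ac3d7cda", "subnet-2f9c1677"]},
    {"ami": "ami-f9dd458a", "region": "eu-west-1",
     "security_groups": ["sg-ee9a3a88"], "subnets": ["subnet-ad3d7cdb", "subnet-2e9c1676"]},
]

# The two rule patterns from the deck (slides 41 and 45).
L1_PATTERN = {"detail-type": ["EC2 Instance State-change Notification"],
              "detail": {"state": ["pending"]}, "source": ["aws.ec2"]}
L2_PATTERN = {"detail-type": ["activeResponse"], "source": ["auto.responder.level1"]}


def matches(pattern, event):
    """Exact-match rule semantics: each pattern key must exist in the event; a list of
    candidate values matches when the event value equals any of them; nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def check_launch(instance, approved=APPROVED):
    """Slide 42's three checks. Returns the list of violations; empty means compliant."""
    rule = next((r for r in approved
                 if r["ami"] == instance["ImageId"] and r["region"] == instance["Region"]), None)
    if rule is None:
        return ["ami-not-approved"]
    problems = []
    if instance["SubnetId"] not in rule["subnets"]:
        problems.append("subnet-not-approved")
    if any(g["GroupId"] not in rule["security_groups"] for g in instance["SecurityGroups"]):
        problems.append("security-group-not-approved")
    return problems


def l1_responder(event, instances):
    """Level-1 Lambda: on a pending instance, validate it and, on failure, build the
    activeResponse event from slide 44 (as a PutEvents entry)."""
    if not matches(L1_PATTERN, event):
        return None
    instance_id = event["detail"]["instance-id"]
    problems = check_launch(instances[instance_id])
    if not problems:
        return None
    return {"Time": int(time.time()), "Source": "auto.responder.level1",
            "Resources": [str(instance_id)], "DetailType": "activeResponse",
            "Detail": {"instance": instance_id, "actionsRequested": "instanceTermination",
                       "reasons": problems}}


def as_delivered(entry):
    """Shape a PutEvents entry the way CloudWatch Events delivers it to the next rule."""
    return {"source": entry["Source"], "detail-type": entry["DetailType"],
            "resources": entry["Resources"], "detail": entry["Detail"]}


def l2_responder(event, ec2):
    """Level-2 Lambda: acts only on level-1 termination requests (slide 46)."""
    if not matches(L2_PATTERN, event) or event["detail"].get("actionsRequested") != "instanceTermination":
        return None
    return ec2.terminate_instances(InstanceIds=[event["detail"]["instance"]])


class FakeEC2:
    """Stand-in for boto3.client('ec2'); records what would have been terminated."""
    def __init__(self):
        self.terminated = []

    def terminate_instances(self, InstanceIds):
        self.terminated.extend(InstanceIds)
        return {"TerminatingInstances": [{"InstanceId": i} for i in InstanceIds]}


# Constructed describe-instances style records: one compliant launch and the slide-40 launch.
INSTANCES = {
    "i-0123456789abcdef0": {"ImageId": "ami-f9dd458a", "Region": "eu-west-1",
                            "SubnetId": "subnet-ad3d7cdb", "SecurityGroups": [{"GroupId": "sg-ee9a3a88"}]},
    "i-0fedcba9876543210": {"ImageId": "ami-f9dd458a", "Region": "eu-west-1",
                            "SubnetId": "subnet-a8aa4ef0", "SecurityGroups": [{"GroupId": "sg-45533823"}]},
}


def run_playbook(instance_id, instances=INSTANCES):
    """Drive the whole chain for one pending instance; return the IDs the L2 responder terminated."""
    ec2 = FakeEC2()
    state_change = {"detail-type": "EC2 Instance State-change Notification", "source": "aws.ec2",
                    "detail": {"instance-id": instance_id, "state": "pending"}}
    l1_event = l1_responder(state_change, instances)
    if l1_event is not None:
        l2_responder(as_delivered(l1_event), ec2)
    return ec2.terminated
```

Splitting detection (L1) from action (L2) is what makes the "actionsRequested" field worth having: the L2 rule pattern only admits events from the level-1 source, so the only path to `terminate_instances` is through a validated finding, and the L2 function's role can be the single identity in the account with `ec2:TerminateInstances`.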
47. Resources
Amazon VPC – https://aws.amazon.com/
AWS Systems Manager – https://aws.amazon.com/systems-manager/
Amazon Inspector - https://aws.amazon.com/inspector/
AWS CloudFormation - https://aws.amazon.com/cloudformation/
AWS SAM - https://github.com/awslabs/serverless-application-model
AWS CodePipeline - https://aws.amazon.com/codepipeline/
AWS KMS - https://aws.amazon.com/kms/
Terraform - https://www.terraform.io/

48. Protect data: at rest, in transit, in use (?)
49.
© 2018, Amazon
Web Services, Inc. or its affiliates. All rights reserved. Data Protection AWS CloudHSM AWS Key Management Service AWS Certificate Manager
50.
© 2018, Amazon
Web Services, Inc. or its affiliates. All rights reserved. Data Protection - Encryption Encryption In-Transit SSL/TLS VPN / IPSEC SSH Encryption At-Rest Object Database Filesystem Disk
51.
© 2018, Amazon
Web Services, Inc. or its affiliates. All rights reserved. Data In-Transit AWS endpoints are HTTPS, but what can you do? • VPN connectivity to VPC • TLS application communication • ELB/ALB or CloudFront, with ACM
52. Data At-Rest
    Inbuilt encryption
    • S3: select KMS key on upload
    • EBS and RDS snapshots: automatically encrypt data at rest
    • DynamoDB: encrypt backups
    Bring your own key
    • Encrypt data locally before uploading
    • SSE-C (server-side encryption with customer key)
53. AWS Key Management Service (AWS KMS)
    • Managed service that simplifies creation, control, rotation, deletion, and use of AES256 encryption keys in your applications
    • Integrated with AWS server-side encryption
      • S3, EBS, RDS, Amazon Aurora, Amazon Redshift, Amazon WorkMail, Amazon WorkSpaces, AWS CloudTrail, and Amazon Elastic Transcoder
    • Integrated with AWS client-side encryption
      • AWS SDKs, S3 encryption client, EMRFS client, and DynamoDB encryption client
    • Integrated with AWS CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
    • Available in all commercial regions except China
54. How AWS services use your KMS keys
    [Diagram: your application or AWS service holds the data key, the encrypted data key and the encrypted data; the master keys stay in KMS, in the customer's account]
    1. Client calls kms:GenerateDataKey by passing the ID of the KMS master key in your account.
    2. Client request is authenticated based on permissions set on both the user and the key.
    3. A unique data encryption key is created and encrypted under the KMS master key.
    4. The plaintext and encrypted data key are returned to the client.
    5. The plaintext data key is used to encrypt data and is then deleted when practical.
    6. The encrypted data key is stored; it's sent back to KMS when needed for data decryption.
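The six-step data-key flow above, carried through as an added example that is not AWS's code: `FakeKms` stands in for the service side (master keys never leave it, and step 2's permission check is on both caller and key), and an HMAC-SHA256 counter-mode construction stands in for the AES-256 encryption so the block runs on the standard library alone; the key id `alias/app-data`, the caller name `app-role` and all function names are constructed.

```python
import hashlib
import hmac
import secrets

def _stream(key, nonce, data):
    """HMAC-SHA256 counter-mode keystream XOR: stdlib stand-in for AES-256, not what KMS uses."""
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, out))

def _seal(key, plaintext):
    """Encrypt-then-MAC under subkeys derived from key; returns nonce || ciphertext || tag."""
    enc_key, mac_key = (hmac.new(key, l, hashlib.sha256).digest() for l in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = _stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    enc_key, mac_key = (hmac.new(key, l, hashlib.sha256).digest() for l in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _stream(enc_key, nonce, ct)

class FakeKms:
    """Stand-in for the KMS side: master keys never leave this object."""
    def __init__(self):
        self._masters, self._grants = {}, {}  # key_id -> master key / allowed callers
    def create_key(self, key_id, allowed_callers):
        self._masters[key_id] = secrets.token_bytes(32)
        self._grants[key_id] = set(allowed_callers)
    def _authorize(self, key_id, caller):  # step 2: checked on both the user and the key
        if caller not in self._grants.get(key_id, ()):
            raise PermissionError(f"{caller} may not use {key_id}")
    def generate_data_key(self, key_id, caller):  # steps 1, 3 and 4
        self._authorize(key_id, caller)
        data_key = secrets.token_bytes(32)
        return data_key, key_id.encode() + b"|" + _seal(self._masters[key_id], data_key)
    def decrypt_data_key(self, wrapped, caller):  # step 6: unwrap only when needed
        key_id, blob = wrapped.split(b"|", 1)
        self._authorize(key_id.decode(), caller)
        return _open(self._masters[key_id.decode()], blob)

def encrypt_envelope(kms, key_id, caller, plaintext):
    """Client side (step 5): use the plaintext data key once, store only the wrapped copy."""
    data_key, wrapped = kms.generate_data_key(key_id, caller)
    return {"encrypted_data_key": wrapped, "ciphertext": _seal(data_key, plaintext)}

def decrypt_envelope(kms, caller, record):
    return _open(kms.decrypt_data_key(record["encrypted_data_key"], caller), record["ciphertext"])
```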
55. Resources
    • AWS KMS – https://aws.amazon.com/kms/
    • AWS KMS Crypto Details – https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
    • https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3139.pdf
    • https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3139
    • Amazon Macie – https://aws.amazon.com/macie/
    • AWS CloudHSM – https://aws.amazon.com/cloudhsm/
    • Amazon EBS – https://aws.amazon.com/ebs/
    • s2n – https://github.com/awslabs/s2n
    • Mitigating DDoS Attacks on AWS – https://www.youtube.com/watch?v=w9fSW6qMktA
56. Prepare for security events
57. Incident response
    "Even with a mature preventative and detective solution in place, you should consider a mitigation plan"
58. Clean room
    • Use tags to quickly determine impact and escalate
    • Get the right people access and on the call
    • Use cloud APIs to automate and isolate instances
    • CloudFormation – recreate clean / updated environments easily for production or investigation purposes
59. Resources
    • AWS Well-Architected – https://aws.amazon.com/architecture/well-architected/
    • Security Pillar – https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
    • AWS CIS Foundations Benchmark – https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
    • AWS Crypto Intro – https://docs.aws.amazon.com/kms/latest/developerguide/crypto-intro.html
    • AWS re:Invent Security Track – https://aws.amazon.com/blogs/security/videos-and-slide-decks-from-the-aws-reinvent-2017-security-compliance-identity-track
60. Summing up
    • Enforce separation of duties and least-privilege accounts
    • Federate users; enforce using IAM policies
    • Ensure security logs are separated from troubleshooting logs
    • Storage for logs is cheap; the consequences of missing something through not logging may not be
    • Alerting is good; automating your security response is better
    • Use managed services and built-in reporting to offload and automate
    • See the big picture: what info do you need, and which tool can provide it
61. Thank You!