SlideShare a Scribd company logo

AWS Security Checklist

Amazon Web Services
Amazon Web Services

This AWS Security Checklist webinar will help you and your auditors assess the security of your AWS environment in accordance with industry or regulatory standards. This security focused checklist builds on recently revised Operational Checklists for AWS, which helps you evaluate your applications against a list of best practices before deployment. Learning Objectives: * Evaluate the ability of AWS services to meet information security objectives and ensure future deployments within the AWS cloud are done in a secure and compliant way * Assess your existing organisational use of AWS and to ensure it meets security best practices * Develop AWS usage policies or validate that existing policies are being followed

Technology
1 of 44
Download to read offline
Dr. Andrew Kane, Solutions Architect drandrewkane AWS Security Checklist
Learning Objectives 1. Evaluate AWS services to meet Info Security objectives …and make sure future deployments are safe 2. Assess your existing use of AWS services …and make sure they meet Security Best Practice 3. Develop AWS usage policies …or validate exsiting policies are being followed
Agenda Existing AWS Checklists CIS Benchmarks General AWS Account Setup AWS Security Services
Existing AWS Checklists
Developers and system architects To help customers assess their application’s use of specific services and features before they launch Enterprise architects To assist enterprises in identifying key items to think about as they build a cloud migration and operational strategy Operational Checklists Basic Operations Checklist Enterprise Operations Checklist Auditing Security Checklist Risk & compliance teams an external auditors To assist customers when they evaluate the security controls required by their specific industry of governing body like the AICPA, NIST, ISO, PCI SCC, etc
Enterprise Operations Checklist AWS API Credentias Identity Federation EC2 Instance Credentials Network Access Data Access Logging & Monitoring
Auditing Security Checklist AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Encryption Key Management Client and Server Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content CustomersAWS Responsible for security ‘in’ the Cloud Responsible for security ‘of’ the Cloud } }
Auditing Security Checklist Governance Understand AWS Usage Identify Assets Define AWS Boundaries Assess Policies Identify & Review Risks Documentation & Inventory Evaluate Risks Add AWS to Risk Assessment IT Security & Program Policy Service Provider Oversight
Auditing Security Checklist Network Management Network Security Controls Physical Links Granting / Revoking Access Environment Isolation DDoS Layered Defence Malicious Code Controls
Auditing Security Checklist Encryption Controls AWS Console Access AWS API Access IPsec Tunnels SSL Key Management Protect PINs at Rest Logging and Monitoring Centralised Log Storage Review Policies for “Adequacy” Review Network Logs Review IAM Credential Reports Aggregate from Multiple Sources Intrusion Detection & Response
Security Checklist - General 1 Protect your root account 2 Protect your CloudTrail and Billing S3 Bucket 3 Activate CloudTrail in all Regions 4 Create administration IAM roles with minimal privileges 5 Evaluate AWS Security Token Service (STS) and Roles 6 Familiarise yourself with AWS Detailed Billing reports 7 Regularly monitor your monthly spend
Security Checklist – EC2 / VPC / EBS 1 Only use encrypted EBS volumes 2 Activation your VPC Flow Logs 3 Protect your EC2 key-pairs 4 Leverage IAM roles for EC2 5 Clearly structure your Security Groups
Security Checklist – S3 1 Don't create any public-access S3 buckets 2 Encrypt sensitive data using server-side encryption (SSE) 3 Encrypt inbound and outbound S3 traffic 4 Familiarise yourself with Versioning and Lifecycle Policies 5 Activate S3 Logging and analyse logs regularly
CIS Benchmarks
CIS Benchmarks IAM Logging Monitoring Networking
General AWS Account Setup
AWS Account Root Account • No Access Keys • MFA Enabled • Raise Alert on Login IAM Master • No Access Keys • MFA Enabled • Raise Alert on Login • Define IAM Policies • Enable IAM Managers (User or Role) • Have a Password Policy • Enforce Password Rotation • Have Account Questions set up • Use an email distribution list with at least 3 members who check it regularly in case of leavers / holidays etc. IAM Manager • No Access Keys • MFA Enabled • Create IAM Users/Groups/Roles • Use Pre-Defined Policies Account Base IAM Structure
Multi-Account Structure CLOUDTRAIL A/C S3 Holder BILL CloudTrail IAMUser A/C IAM User Assume Role IAM User Assume Role IAM User Assume Role RESOURCE A/C IAM ROLE IAM ROLE IAM ROLE Backup Data BACKUP A/C S3 Holder AUDIT A/C Display Rights STS BILLING A/C S3 Holder
AWS Security Services
Deep Set of Cloud Security Tools Encryption Key Management Service CloudHSM Server-side Encryption Networking Virtual Private Cloud Web Application Firewall Compliance ConfigCloudTrail & Inspector Service Catalog Identity IAM Active Directory Integration SAML Federation
CENTRALIZED AUDITING STORE FOR PLATFORM EVENTS AWS CLOUDTRAIL
AWS CloudTrail CloudTrail can help you achieve many tasks • Security analysis • Track changes to AWS resources, for example VPC security groups and NACLs • Compliance – log and understand AWS API call history • Prove that you did not: • Use the wrong region • Use services you don’t want • Troubleshoot operational issues – quickly identify the most recent changes to your environment
CHANGE MANAGEMENT TOOL FOR TRACKING CONTINUOUS CHANGES THROUGHOUT AWS RESOURCES AWS CONFIG
Continuous ChangeRecordingChanging Resources History Stream Snapshot (ex. 2014-11-05) AWS Config AWS Config
AWS Config
AWS Config - Rules …or create your own custom rules
SECURITY ASSESSMENT TOOL ANALYZING END TO END APPLICATION CONFIGURATION AND ACTIVITY AMAZON INSPECTOR
Scanning Engine Active Monitoring Embedded Rules Fully automated Amazon Inspector - Features
VPC FEATURE TO RECORD TRAFFIC FLOW AWS VIRTUAL PRIVATE CLOUD FLOW LOGS
AWS VPC Flow Logs AWS account Source IP Destination IP Source port Destination port Interface Protocol Packets Bytes Start/end time Accept or reject • Enable per Elastic Network Interface (ENI), subnet or per VPC • Create CloudWatch metrics from log data • Logged to CloudWatch Logs • Alarm on those metrics • Agentless
AWS VPC Flow Logs
COLLECT AND TRACK METRICS, LOGS, ALARMS AND EVENTS AMAZON CLOUDWATCH
Logs→ Metrics→ Alerts/Actions AWS Config CloudWatch / CloudWatch Logs CloudWatch alarms AWS CloudTrail Amazon EC2 OS logs Amazon Flow Logs Amazon SNS email notification HTTP/S notification SMS notifications Mobile push notificationsAnd more… Or your preferred SIEM / Log aggregator
MANAGED DDOS PROTECTION SERVICE AWS SHIELD
AWS Shield Standard Protection Advanced Protection Available to ALL AWS customers at No Additional Cost Paid service that provides additional protections, features and benefits.
AWS Shield Advanced Always-on monitoring & detection Advanced L3/4 & L7 DDoS protection Attack notification and reporting 24x7 access to DDoS Response Team AWS bill protection
AWS KEY MANAGEMENT SERVICE (KMS) SIMPLIFIED MANAGED KEY MANAGEMENT
AWS Key Management Service
Integration with AWS Key Management Service Two-tiered key hierarchy using envelope encryption • Unique data key encrypt customer data • AWS KMS master keys encrypt data keys Benefits of envelope encryption: • Limits risk of a compromised data key • Better performance for encrypting large data • Easier to manage a small number of master keys than millions of data keys Customer Master Key(s) Data Key 1 Amazon S3 Object Amazon EBS Volume Amazon Redshift Cluster Data Key 2 Data Key 3 Data Key 4 Custom Application AWS KMS
Wrapping Up
Security Checklist Flywheel AWS Account Setup CIS Benchmarks Enterprise Operations Checklist Security Checklist AWS Security Services Auditing Security Checklist
Thank you!
Online Resources Background Information AWS Operations Checklist AWS Auditing Security Checklist AWS Security Checklist CIS AWS Foundations AWS Security Services AWS ConfigAWS Cloudtrail AWS ShieldAmazon Inspector Amazon CloudWatch AWS VPC Flow Logs AWS KMS

Recommended

Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: SecurityAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and securityErik Paulsson
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS SecurityAmazon Web Services
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security HubAmazon Web Services
 
Best Practices for SecOps on AWS
Best Practices for SecOps on AWSBest Practices for SecOps on AWS
Best Practices for SecOps on AWSAmazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAmazon Web Services
 

Recommended

Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: SecurityAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and securityErik Paulsson
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS SecurityAmazon Web Services
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security HubAmazon Web Services
 
Best Practices for SecOps on AWS
Best Practices for SecOps on AWSBest Practices for SecOps on AWS
Best Practices for SecOps on AWSAmazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAmazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAMAmazon Web Services
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM IntroductionAmazon Web Services
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security HubCrishantha Nanayakkara
 
Iam presentation
Iam presentationIam presentation
Iam presentationAWS UG PK
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best PracticesAmazon Web Services
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design Amazon Web Services
 
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...Edureka!
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM IntroductionAmazon Web Services
 
AWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAmazon Web Services
 
Introducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech TalksIntroducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech TalksAmazon Web Services
 
Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance John Varghese
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionErnest Chiang
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWSAmazon Web Services
 
Identity Access Management (IAM)
Identity Access Management (IAM)Identity Access Management (IAM)
Identity Access Management (IAM)Prof. Jacques Folon (Ph.D)
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWSAmazon Web Services
 
Security & Compliance in AWS
Security & Compliance in AWSSecurity & Compliance in AWS
Security & Compliance in AWSAmazon Web Services
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial ServicesAmazon Web Services
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & LoggingJason Poley
 

More Related Content

What's hot

Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
Iam presentation
Iam presentationIam presentation
Iam presentationAWS UG PK
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best PracticesAmazon Web Services
 
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...Edureka!
 
Introducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech TalksIntroducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech TalksAmazon Web Services
 
Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance John Varghese
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionErnest Chiang
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 

What's hot (20)

Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security Hub
 
Iam presentation
Iam presentationIam presentation
Iam presentation
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
 
AWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAWS Cloud Security Fundamentals
AWS Cloud Security Fundamentals
 
Introducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech TalksIntroducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech Talks
 
Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc Version
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
Identity Access Management (IAM)
Identity Access Management (IAM)Identity Access Management (IAM)
Identity Access Management (IAM)
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
 
Security & Compliance in AWS
Security & Compliance in AWSSecurity & Compliance in AWS
Security & Compliance in AWS
 

Similar to AWS Security Checklist

AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial ServicesAmazon Web Services
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & LoggingJason Poley
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneAmazon Web Services
 
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017 AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017 Amazon Web Services
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS SecurityAmazon Web Services
 
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...Amazon Web Services
 
DevSecOps-Teams das Security-Steuer überlassen
DevSecOps-Teams das Security-Steuer überlassenDevSecOps-Teams das Security-Steuer überlassen
DevSecOps-Teams das Security-Steuer überlassenBATbern
 
Getting Started with AWS Security
Getting Started with AWS Security Getting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice Alert Logic
 
Security and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John HildebrandtSecurity and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John HildebrandtHelen Rogers
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Moving from the Shadows to the Throne - SID310 - re:Invent 2017
Moving from the Shadows to the Throne - SID310 - re:Invent 2017Moving from the Shadows to the Throne - SID310 - re:Invent 2017
Moving from the Shadows to the Throne - SID310 - re:Invent 2017Amazon Web Services
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationAmazon Web Services
 
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxTrack 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxAmazon Web Services
 
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Amazon Web Services
 

Similar to AWS Security Checklist (20)

AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial Services
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & Logging
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017 AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS Security
 
Security & Compliance
Security & Compliance Security & Compliance
Security & Compliance
 
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
 
DevSecOps-Teams das Security-Steuer überlassen
DevSecOps-Teams das Security-Steuer überlassenDevSecOps-Teams das Security-Steuer überlassen
DevSecOps-Teams das Security-Steuer überlassen
 
Getting Started with AWS Security
Getting Started with AWS Security Getting Started with AWS Security
Getting Started with AWS Security
 
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
 
Security and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John HildebrandtSecurity and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John Hildebrandt
 
Understanding AWS Security
Understanding AWS Security Understanding AWS Security
Understanding AWS Security
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Moving from the Shadows to the Throne - SID310 - re:Invent 2017
Moving from the Shadows to the Throne - SID310 - re:Invent 2017Moving from the Shadows to the Throne - SID310 - re:Invent 2017
Moving from the Shadows to the Throne - SID310 - re:Invent 2017
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
 
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxTrack 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
 
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 

AWS Security Checklist

  • 1. Dr. Andrew Kane, Solutions Architect drandrewkane AWS Security Checklist
  • 2. Learning Objectives 1. Evaluate AWS services to meet Info Security objectives …and make sure future deployments are safe 2. Assess your existing use of AWS services …and make sure they meet Security Best Practice 3. Develop AWS usage policies …or validate exsiting policies are being followed
  • 3. Agenda Existing AWS Checklists CIS Benchmarks General AWS Account Setup AWS Security Services
  • 5. Developers and system architects To help customers assess their application’s use of specific services and features before they launch Enterprise architects To assist enterprises in identifying key items to think about as they build a cloud migration and operational strategy Operational Checklists Basic Operations Checklist Enterprise Operations Checklist Auditing Security Checklist Risk & compliance teams an external auditors To assist customers when they evaluate the security controls required by their specific industry of governing body like the AICPA, NIST, ISO, PCI SCC, etc
  • 6. Enterprise Operations Checklist AWS API Credentias Identity Federation EC2 Instance Credentials Network Access Data Access Logging & Monitoring
  • 7. Auditing Security Checklist AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Encryption Key Management Client and Server Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content CustomersAWS Responsible for security ‘in’ the Cloud Responsible for security ‘of’ the Cloud } }
  • 8. Auditing Security Checklist Governance Understand AWS Usage Identify Assets Define AWS Boundaries Assess Policies Identify & Review Risks Documentation & Inventory Evaluate Risks Add AWS to Risk Assessment IT Security & Program Policy Service Provider Oversight
  • 9. Auditing Security Checklist Network Management Network Security Controls Physical Links Granting / Revoking Access Environment Isolation DDoS Layered Defence Malicious Code Controls
  • 10. Auditing Security Checklist Encryption Controls AWS Console Access AWS API Access IPsec Tunnels SSL Key Management Protect PINs at Rest Logging and Monitoring Centralised Log Storage Review Policies for “Adequacy” Review Network Logs Review IAM Credential Reports Aggregate from Multiple Sources Intrusion Detection & Response
  • 11. Security Checklist - General 1 Protect your root account 2 Protect your CloudTrail and Billing S3 Bucket 3 Activate CloudTrail in all Regions 4 Create administration IAM roles with minimal privileges 5 Evaluate AWS Security Token Service (STS) and Roles 6 Familiarise yourself with AWS Detailed Billing reports 7 Regularly monitor your monthly spend
  • 12. Security Checklist – EC2 / VPC / EBS 1 Only use encrypted EBS volumes 2 Activation your VPC Flow Logs 3 Protect your EC2 key-pairs 4 Leverage IAM roles for EC2 5 Clearly structure your Security Groups
  • 13. Security Checklist – S3 1 Don't create any public-access S3 buckets 2 Encrypt sensitive data using server-side encryption (SSE) 3 Encrypt inbound and outbound S3 traffic 4 Familiarise yourself with Versioning and Lifecycle Policies 5 Activate S3 Logging and analyse logs regularly
  • 16.
  • 18. AWS Account Root Account • No Access Keys • MFA Enabled • Raise Alert on Login IAM Master • No Access Keys • MFA Enabled • Raise Alert on Login • Define IAM Policies • Enable IAM Managers (User or Role) • Have a Password Policy • Enforce Password Rotation • Have Account Questions set up • Use an email distribution list with at least 3 members who check it regularly in case of leavers / holidays etc. IAM Manager • No Access Keys • MFA Enabled • Create IAM Users/Groups/Roles • Use Pre-Defined Policies Account Base IAM Structure
  • 19. Multi-Account Structure CLOUDTRAIL A/C S3 Holder BILL CloudTrail IAMUser A/C IAM User Assume Role IAM User Assume Role IAM User Assume Role RESOURCE A/C IAM ROLE IAM ROLE IAM ROLE Backup Data BACKUP A/C S3 Holder AUDIT A/C Display Rights STS BILLING A/C S3 Holder
  • 21. Deep Set of Cloud Security Tools Encryption Key Management Service CloudHSM Server-side Encryption Networking Virtual Private Cloud Web Application Firewall Compliance ConfigCloudTrail & Inspector Service Catalog Identity IAM Active Directory Integration SAML Federation
  • 22. CENTRALIZED AUDITING STORE FOR PLATFORM EVENTS AWS CLOUDTRAIL
  • 23. AWS CloudTrail CloudTrail can help you achieve many tasks • Security analysis • Track changes to AWS resources, for example VPC security groups and NACLs • Compliance – log and understand AWS API call history • Prove that you did not: • Use the wrong region • Use services you don’t want • Troubleshoot operational issues – quickly identify the most recent changes to your environment
  • 24. CHANGE MANAGEMENT TOOL FOR TRACKING CONTINUOUS CHANGES THROUGHOUT AWS RESOURCES AWS CONFIG
  • 27. AWS Config - Rules …or create your own custom rules
  • 28. SECURITY ASSESSMENT TOOL ANALYZING END TO END APPLICATION CONFIGURATION AND ACTIVITY AMAZON INSPECTOR
  • 29. Scanning Engine Active Monitoring Embedded Rules Fully automated Amazon Inspector - Features
  • 30. VPC FEATURE TO RECORD TRAFFIC FLOW AWS VIRTUAL PRIVATE CLOUD FLOW LOGS
  • 31. AWS VPC Flow Logs AWS account Source IP Destination IP Source port Destination port Interface Protocol Packets Bytes Start/end time Accept or reject • Enable per Elastic Network Interface (ENI), subnet or per VPC • Create CloudWatch metrics from log data • Logged to CloudWatch Logs • Alarm on those metrics • Agentless
  • 32. AWS VPC Flow Logs
  • 33. COLLECT AND TRACK METRICS, LOGS, ALARMS AND EVENTS AMAZON CLOUDWATCH
  • 34. Logs→ Metrics→ Alerts/Actions AWS Config CloudWatch / CloudWatch Logs CloudWatch alarms AWS CloudTrail Amazon EC2 OS logs Amazon Flow Logs Amazon SNS email notification HTTP/S notification SMS notifications Mobile push notificationsAnd more… Or your preferred SIEM / Log aggregator
  • 35. MANAGED DDOS PROTECTION SERVICE AWS SHIELD
  • 36. AWS Shield Standard Protection Advanced Protection Available to ALL AWS customers at No Additional Cost Paid service that provides additional protections, features and benefits.
  • 37. AWS Shield Advanced Always-on monitoring & detection Advanced L3/4 & L7 DDoS protection Attack notification and reporting 24x7 access to DDoS Response Team AWS bill protection
  • 38. AWS KEY MANAGEMENT SERVICE (KMS) SIMPLIFIED MANAGED KEY MANAGEMENT
  • 40. Integration with AWS Key Management Service Two-tiered key hierarchy using envelope encryption • Unique data key encrypt customer data • AWS KMS master keys encrypt data keys Benefits of envelope encryption: • Limits risk of a compromised data key • Better performance for encrypting large data • Easier to manage a small number of master keys than millions of data keys Customer Master Key(s) Data Key 1 Amazon S3 Object Amazon EBS Volume Amazon Redshift Cluster Data Key 2 Data Key 3 Data Key 4 Custom Application AWS KMS
  • 42. Security Checklist Flywheel AWS Account Setup CIS Benchmarks Enterprise Operations Checklist Security Checklist AWS Security Services Auditing Security Checklist
  • 44. Online Resources Background Information AWS Operations Checklist AWS Auditing Security Checklist AWS Security Checklist CIS AWS Foundations AWS Security Services AWS ConfigAWS Cloudtrail AWS ShieldAmazon Inspector Amazon CloudWatch AWS VPC Flow Logs AWS KMS