© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Leandro Bennaton
LATAM Compliance Strategist
Jan/2018
AWS – Security & Compliance
SBIF - REGULATION
Outsourcing of Cloud Computing services
SBIF
Chapter 20-7
27/12/2017
Familiar Security Model
Validated and driven by customers’ security experts
Benefits all customers
PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL
AWS Security is Job Zero
18 Regions – 49 Availability Zones – +101 Edge Locations
AWS Global Infrastructure
Worldwide
Global Standardization
18 Regions – 49 Availability Zones – +101 Edge Locations
AWS Global Infrastructure
Availability
Zone A
Availability
Zone B
Availability
Zone C
AZ
DataCenter 1
DataCenter 2
DataCenter n
AWS Freedom of choice
Microsoft Windows Server 2016, 2012, 2008, and 2003
Red Hat Enterprise Linux
Amazon Linux
SUSE Linux
Ubuntu
OS Database
Microsoft SQL Server
Oracle
Amazon Aurora
PostgreSQL
MySQL
MariaDB
Amazon DynamoDB
Databases
SQL, NoSQL,
Caching
Compute
Your
Datacenter
Fully Featured
Compute
Resource &
Deployment
Management
Common Controls
for Security &
Access
Integrated
Networking
Data Integration &
Life Cycle
Management
Flexible hybrid options
AWS Different forms of implementation
Amazon Web
Services
AWS Different forms of implementation
Your
Datacenter
Amazon Web
Services
Comcast’s IT strategy focuses on combining its own data centers and AWS
as the cornerstone of its next-generation TV service, X1. This has allowed
them to rapidly scale interactive, on-demand content to millions of viewers.
Data Integration
Network Integration
Integrated Identity & Access
Resource & Deployment Management
Devices & Edge Systems
IaaS – Infrastructure as a service
AWS
CloudTrail
Amazon
CloudWatch
Amazon
Inspector
Amazon
SNS
AWS Artifact
AWS KMS
AWS IAM
Amazon
VPC
AWS Shield AWS WAF
AWS CloudFormation
AWS
Service Catalog
AWS
Organizations
AWS
Config
AWS Trusted
Advisor
AWS Compliance
AWS Compliance Program
Independent audits
recognized worldwide
Worldwide
Global Standardization
Secure Infrastructure
AWS a deep set of cloud security tools
Virtual Private Cloud
Isolated cloud resources
Web Application Firewall
Filter Malicious Web Traffic
Shield
DDoS protection
Networking
Key Management Service
Manage creation and control of encryption keys
CloudHSM
Hardware-based key storage
Server-Side Encryption
Flexible data encryption options
Encryption
IAM
Manage user access and encryption keys
SAML Federation
SAML 2.0 support to allow on-prem identity integration
Directory Service
Host and manage Microsoft Active Directory
Organizations
Manage settings for multiple accounts
Identity & Management
Direct Connect
Dedicated connection between your Datacenter and AWS
Certificate Manager
Provision, manage, and deploy SSL/TLS certificates
AWS a deep set of cloud security tools
Service Catalog
Create and use standardized products
Config
Track resource inventory and changes
CloudTrail
Track user activity and API usage
CloudWatch
Monitor resources and applications
Artifact
Self-service for AWS’ compliance reports
Compliance
Inspector
Analyze application security
Macie
Machine learning service to help customers prevent data loss in AWS
GuardDuty
Intelligent Threat Detection in the AWS Cloud
Cognito
User Sign Up & Sign In
Infrastructure
Security
Logging &
Monitoring
Identity &
Access Control
Configuration &
Vulnerability Analysis
Data Protection
AWS Marketplace
You are in control of privacy
You retain full ownership and control of your content
• Choose the AWS Sao Paulo Region and AWS will not replicate it elsewhere unless you choose to do so.
• Control format, accuracy, and encryption any way that you choose.
• Control who can access content.
• Control content lifecycle and disposal.
Encryption of Data in Transit and at Rest
EBS
Volume Encryption
EBS Encryption Filesystem Tools AWS Marketplace/Partner
Object Encryption
S3 Server Side
Encryption (SSE)
S3 SSE w/ Customer
Provided Keys Client-Side Encryption
Database Encryption
Redshift
Encryption
RDS
PostgreSQL
KMS
RDS MYSQL
KMS
RDS ORACLE
TDE/HSM
RDS MSSQL
TDE
AWS Whitepaper Securing Data at Rest with Encryption
End-to-end SSL/TLS
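The slide lists the encryption-at-rest options (EBS volume encryption, RDS storage encryption with KMS or TDE, S3 server-side encryption) and an earlier slide lists AWS Config as the service that tracks resource inventory and changes. The block below is an added example, not code from the deck or from AWS: it shows the decision logic a Config custom rule would apply to enforce those options, run offline against constructed configuration items. The field names it reads (`configuration.encrypted`, `configuration.storageEncrypted`, and the S3 `supplementaryConfiguration.ServerSideEncryptionConfiguration` block) are assumptions about the Config item layout and should be checked against the Config resource schema before the rule is deployed.

```python
"""Offline compliance evaluation in the style of an AWS Config custom rule.

Added example, not code from the deck or from AWS. The configuration-item
field names below (configuration.encrypted, configuration.storageEncrypted,
supplementaryConfiguration.ServerSideEncryptionConfiguration) are assumptions
about the Config item layout; verify them against the Config resource schema.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def _s3_default_sse(ci):
    """Return the bucket's default SSE algorithm (AES256, aws:kms) or None."""
    supp = ci.get("supplementaryConfiguration") or {}
    sse = supp.get("ServerSideEncryptionConfiguration")
    if isinstance(sse, str):  # assumption: some blocks arrive as JSON strings
        sse = json.loads(sse)
    for rule in (sse or {}).get("rules", []):
        default = rule.get("applyServerSideEncryptionByDefault") or {}
        if default.get("sseAlgorithm"):
            return default["sseAlgorithm"]
    return None


def evaluate_compliance(ci):
    """Classify one configuration item; returns (compliance_type, annotation)."""
    rtype = ci.get("resourceType")
    cfg = ci.get("configuration") or {}
    if rtype == "AWS::EC2::Volume":
        if cfg.get("encrypted") is True:
            return COMPLIANT, "EBS volume encrypted"
        return NON_COMPLIANT, "EBS volume not encrypted"
    if rtype == "AWS::RDS::DBInstance":
        if cfg.get("storageEncrypted") is True:
            return COMPLIANT, "RDS storage encryption enabled"
        return NON_COMPLIANT, "RDS storage encryption disabled"
    if rtype == "AWS::S3::Bucket":
        algo = _s3_default_sse(ci)
        if algo:
            return COMPLIANT, "S3 default encryption: " + algo
        return NON_COMPLIANT, "S3 bucket has no default encryption"
    return NOT_APPLICABLE, "resource type not covered by this rule"


def lambda_handler(event, context=None):
    """Entry point shaped like a Config rule Lambda: the configuration item
    arrives as a JSON string in event["invokingEvent"]. Returns the evaluation
    dict instead of calling config.put_evaluations(), so it runs offline."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    ctype, note = evaluate_compliance(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": ctype,
        "Annotation": note,
        "OrderingTimestamp": ci.get("configurationItemCaptureTime"),
    }


# Constructed sample items with placeholder ids; none of these are real resources.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example1",
     "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example2",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-example",
     "configuration": {"storageEncrypted": True}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-logs-bucket",
     "configuration": {},
     "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": json.dumps(
         {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]})}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-open-bucket",
     "configuration": {}},
]


def evaluate_samples():
    """Run every sample through the handler; returns {resourceId: ComplianceType}."""
    results = {}
    for ci in SAMPLE_ITEMS:
        event = {"invokingEvent": json.dumps({"configurationItem": ci})}
        out = lambda_handler(event)
        results[out["ComplianceResourceId"]] = out["ComplianceType"]
    return results


if __name__ == "__main__":
    for rid, status in evaluate_samples().items():
        print(f"{rid}: {status}")
```

In a deployed rule the returned dict would be passed to `config.put_evaluations()`; keeping that call out of the evaluation function is what makes the logic unit-testable without credentials. The unencrypted EBS volume and the bucket with no default encryption are the two findings a CloudWatch alarm on the rule's NON_COMPLIANT count would surface.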
You get to control who can do what in your AWS environment, when and from where
Fine-grained control of your AWS cloud with multi-factor authentication
Integrate with an existing Active Directory using federation and single sign-on
AWS account owner
Network
management
Security
management
Server
management
Storage
management
Control access and segregate duties everywhere
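The slide splits the account owner's authority into network, security, server and storage management and asks for multi-factor authentication on top. The block below is an added example, not code from the deck or from an AWS library: a small offline model of the documented IAM decision order (an explicit Deny beats any Allow; with no matching Allow the request is denied) for a subset of the policy grammar, namely Action and Resource patterns with `*` wildcards and the `Bool` / `BoolIfExists` operators on the real `aws:MultiFactorAuthPresent` condition key. The four duty policies and the probe actions are constructed for the example and are not the deck's roles.

```python
"""Offline model of IAM evaluation used to show duty-separated roles plus an
MFA requirement.

Added example, not code from the deck or from AWS. It implements the
documented IAM precedence (explicit Deny wins, then Allow, else implicit deny)
for a subset of the policy grammar only: Action/Resource with * wildcards and
the Bool / BoolIfExists operators. The duty policies are constructed here.
"""
import fnmatch

MFA_KEY = "aws:MultiFactorAuthPresent"

# Constructed, intentionally non-overlapping action sets per duty.
DUTIES = {
    "network": ["ec2:*Vpc*", "ec2:*Subnet*", "ec2:*SecurityGroup*", "ec2:*RouteTable*"],
    "security": ["iam:*", "kms:*", "cloudtrail:*", "config:*"],
    "server": ["ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
               "ec2:TerminateInstances", "ec2:Describe*"],
    "storage": ["s3:*", "ec2:*Volume*", "ec2:*Snapshot*"],
}

# Deny everything unless the session authenticated with MFA. BoolIfExists makes
# the Deny apply both when the key is "false" and when it is absent entirely.
REQUIRE_MFA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {MFA_KEY: "false"}}}]}


def duty_policy(duty):
    """Allow only the action patterns of one duty, on any resource."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": DUTIES[duty], "Resource": "*"}]}


def role_policies(duty):
    """Policies attached to a role for one duty: its Allow plus the MFA Deny."""
    return [duty_policy(duty), REQUIRE_MFA]


def _matches(patterns, value):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Evaluate Bool / BoolIfExists blocks against the request context."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                if operator == "BoolIfExists":
                    continue        # a missing key satisfies ...IfExists
                return False        # plain Bool on a missing key never matches
            if operator not in ("Bool", "BoolIfExists"):
                return False        # unsupported operator: treat as no match
            if str(actual).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policies, action, resource="*", ctx=None):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not _matches(st.get("Action", []), action):
                continue
            if not _matches(st.get("Resource", "*"), resource):
                continue
            if not _condition_holds(st.get("Condition"), ctx):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def duties_reachable(policies, ctx=None):
    """Which duties a policy set can exercise: a segregation-of-duties probe."""
    probes = {"network": "ec2:CreateSecurityGroup", "security": "iam:CreateUser",
              "server": "ec2:RunInstances", "storage": "s3:PutObject"}
    return sorted(d for d, a in probes.items() if is_allowed(policies, a, ctx=ctx))


if __name__ == "__main__":
    mfa = {MFA_KEY: "true"}
    for duty in DUTIES:
        print(duty, duties_reachable(role_policies(duty), mfa))
    print("security role without MFA:", duties_reachable(role_policies("security")))
```

`duties_reachable` is the check worth keeping: run it over the policies actually attached to each role and any role that reaches more than one duty is a segregation failure, while an empty result without the MFA key in the context confirms the Deny is doing its job. The model deliberately rejects condition operators it does not understand rather than ignoring them, so an unsupported operator can only make the simulation stricter than IAM, never more permissive.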
OR
Move
Fast
Stay
Secure
AND
Move
Fast
Stay
Secure
AWS – Capital One DEVSECOPS
AWS Reference architecture
https://aws.amazon.com/architecture/
https://example.com
AWS Edge Locations
AWS
WAF
Amazon
Route 53
Amazon
CloudFront
AWS Shield Advanced
CloudTrail
us-east-1a
us-east-1b
Proxies
NAT
RDS
DB
DMZ Subnet
Private Subnet
Private Subnet
Proxies
Bastion
RDS
DB
AWS
Config
CloudWatch Alarms
Archive
Logs
Bucket
S3
Lifecycle
Policies
to Glacier
Private Subnet
Private Subnet
AWS Account
Virtual Private Cloud (VPC)
Cyber Security
Well-Architected via a NIST High Quick Start
High availability with multi-AZ deployments - fault tolerance solution
Failover occurs automatically in response to the most important failure scenarios
Worldwide | N. America | LATAM | UK/IR | EMEA | APAC | Japan | China
Leandro Bennaton
LATAM Compliance Strategist
bennaton@amazon.com