AWS Security Deep Dive Summary

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Introduction - broad security & identity portfolio • SEGMENTATION • Identify and sort workloads by classification • PROTECT • What are we protecting? • Identity, boundaries, data • IDENTIFICATION • Threat detection and remediation

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Today Jump account Your cloud team Dev account Prod account Data science account Security account Cross-account trusts Cross-account resource access You

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Organizations AWS Organizations • Centrally govern your environment • Manage billing • Automate account creation • Create groups (organizational units) to reflect business needs • Apply “Service Control Policies” to a unit to control the behavior of those accounts • Control access, compliance, and security

10. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SCP fine grained permission control { "Version": "2012-10-17", "Statement": [ { "Sid": ”security", "Effect": "Deny", "Resource": "*", "NotAction": [ "cloudfront:*", "iam:*", "route53:*", "support:*" ], "Condition": { "StringNotEquals": { "aws:RequestedRegion": ["eu-central-1", "eu-west-1"] } } }

11. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SCP fine grained permission control { "Version": "2012-10-17", "Statement": [ { "Sid": "security", "Effect": "Deny", "Resource": "*", "NotAction": [ "cloudfront:*", "iam:*", "route53:*", "support:*" ], "Condition": { "StringNotEquals": { "aws:RequestedRegion": ["eu-central-1", "eu-west-1"] } } }

14. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SCP fine grained permission control { "Version": "2012-10-17", "Statement": [ { "Sid": “security", "Effect": "Deny", "Resource": "*", "NotAction": [ "cloudfront:*", "iam:*", "route53:*", "support:*" ], "Condition": { "StringNotEquals": { "aws:RequestedRegion": ["eu-central-1", "eu-west-1”] } } }

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Resource Access Manager § AWS Resource Access Manager (RAM) helps securely share AWS resources with any AWS account or within AWS Organizations § Accessed from Console, CLI, or API § Resource shares can be tagged and you can reference the tags in IAM policies to create a tag-based permission system; you can add and remove accounts and resources from a resource share at any time

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Disambiguation Identity Authentication, authorization, audit, and governance for your cloud workloads (the subject) Principle Resources Actions Conditions

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Disambiguation Identity Authentication, authorization, audit, and governance for your cloud workloads (the subject) Principle Resources Actions Conditions

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Disambiguation Identity Authentication, authorization, audit, and governance for your cloud workloads Our scope for today AWS Identity and Access Management (IAM) (the service) Authenticates and authorizes AWS APIs Includes (the subject)

21. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Identity access management policies Role Endpoints Amazon S3 bucket with objects Bucket policy VPCe policy IAM policy

23. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM example policies – user policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ ”s3:listAllMyBuckets”, ”s3:PutObject”, ”s3:GetObject”, ”s3:DeleteObject” ], "Resource": "arn:aws:s3:::2x2demo/*" } ] }

28. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM example policies – resource policy { "Version": "2012-10-17", ”Id": “12345”, "Statement": [ { "Effect": ”Deny", ”Principal": ”*", "Action": ”s3:*", "Resource": "arn:aws:s3:::2x2demo/*”, "Condition": { ”Null": {”aws:MultiFactorAuthAge":true} } } ] }

34. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Identity access management policies Role Endpoints Amazon S3 bucket with objects Bucket policy VPCe policy IAM policy

36. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS IAM example policies – endpoint policy { "Version": "2012-10-17", "Statement": [ { ”Sid”:“Access-to-specific-bucket-only”, "Effect": ”Allow", ”Principal": ”*", "Action": ”s3:*", "Resource": ["arn:aws:s3:::2x2demo", "arn:aws:s3:::2x2demo/*"] } ] }

41. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Identity access management policies Role Endpoints Amazon S3 bucket with objects Bucket policy VPCe policy IAM policy Key policy Server side encryption

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Key Management Service (AWS KMS) • Managed service that simplifies creation, control, rotation, and use of encryption keys in your applications • FIPS-2 validated hardware security models to protect your keys • Integrated with AWS server-side encryption • Amazon S3, Amazon EBS, Amazon RDS, Amazon Aurora, Amazon Redshift, WorkMail, Amazon WorkSpaces, CloudTrail, Amazon Elastic Transcoder CodeCommit (using default service keys only), Amazon SES, import/export Snowball, AWS DMS, and several other services • Integrated with AWS client-side encryption • AWS SDKs, AWS Encryption SDK, Amazon S3 encryption client, EMRFS client, and DynamoDB encryption client • Integrated with CloudTrail to provide auditable logs of key usage for regulatory and compliance activities

43. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Identity access management policies Role Endpoints Amazon S3 bucket with objects Bucket policy VPCe policy IAM policy Key policy Server side encryption SCP policy

46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon Cognito § Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps; your users can sign in directly with a user name and password or through a third party such as Facebook, Amazon, or Google § Amazon Cognito offers user pools and identity pools § User pools are user directories that provide sign-up and sign-in options for your app users § Identity pools provide AWS credentials to grant your users access to other AWS services

47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Protect your boundaries – Amazon Cognito edition AWS LambdaUsers Amazon S3 public bucket Amazon S3 private bucket Amazon Cognito Amazon CloudFront Authorization@Edge: https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/

48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Protect your boundaries – AWS WAF edition Your security team Malicious IPs AWS Lambda Amazon S3 bucket AWS WAF Amazon CloudWatch InstancesElastic Load Balancing AWS Certified advanced networking: ISBN-13: 978-1119439837 Amazon CloudFront

51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Well-Architected - security design principles Keep people away from data Implement a strong identity foundation Enable traceability Automate security best practices Protect data in transit and at rest Apply security at all layers Prepare for security events

52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Log data inputs AWS CloudTrail Amazon VPC Flow Logs DNS Logs Track user activity and API usage IP traffic to/from network interfaces in an Amazon VPC Monitor apps using log data, store, and access log files Log of DNS queries in an Amazon VPC when using the Amazon VPC DNS resolver CloudWatch Logs

53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Machine learning Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads Amazon Macie Machine learning-powered security service to discover, classify & protect sensitive data

54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T • Comprehensive view of your security state within AWS • Aggregates security findings and alerts generated by other AWS security services • Analyze security trends and identify the highest priority security issues Amazon Inspector Amazon GuardDuty Amazon Macie AWS Security Hub Security findings providers Findings Insights AWS Security Partners Threat detection: Introducing AWS Security Hub

55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Evocations/triggers Amazon CloudWatch Events AWS Config Rules Continuously tracks your resource configuration changes and if they violate any of the conditions in your rules Delivers a near real-time stream of system events that describe changes in AWS resources

58. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Lambda + Systems Manager + CloudWatch AWS Systems Manager Documents Amazon CloudWatch Rule Amazon EC2 instance contents Instance:~ ec2-user$ top Instance:~ ec2-user$ pcap Instance:~ ec2-user$ lime AWS Lambda Amazon GuardDuty Elastic network adapter Elastic network adapter AWS Lambda function Amazon EBS volume

59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Lambda + Systems Manager + CloudWatch AWS Systems Manager Documents Amazon CloudWatch Rule AWS Lambda Amazon GuardDuty AWS Lambda function Amazon EBS volume Amazon EBS snapshot

60. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Automating responses based on multiple controls Amazon CloudWatch Events AWS CloudTrail AWS Config AWS Lambda function AWS APIs Detect Investigate Respond Team collaboration (Slack etc.) Amazon GuardDuty Amazon VPC Flow Logs Amazon Inspector

61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Broad security & identity portfolio • AWS Identity & Access Management (IAM) • AWS Single Sign-On (SSO) • AWS Directory Service • Amazon Cloud Directory • AWS Secrets Manager • Amazon Cognito • AWS Organizations • AWS Resource Access Manager • AWS Security Hub • Amazon GuardDuty • AWS CloudTrail • AWS Config • Amazon CloudWatch • Amazon VPC Flow Logs • AWS Systems Manager • AWS Shield • AWS Web Application Firewall (AWS WAF) • Amazon Inspector • Amazon Virtual Private Cloud ( Amazon VPC) • AWS Key Management Service (AWS KMS) • AWS CloudHSM • Amazon Macie • AWS Certificate Manager (ACM) • Server-side encryption • AWS Config rules • AWS Lambda Identity Detective control Infrastructure security Incident response Data protection

AWS Security Deep Dive Summary

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS Security Deep Dive Summary

Similar to AWS Security Deep Dive Summary (20)

More from Amazon Web Services

More from Amazon Web Services (20)

AWS Security Deep Dive Summary