SlideShare a Scribd company logo

AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne

Amazon Web Services
Amazon Web Services

All companies, regardless of size, should build with protection of customer data as a top priority. This session will examine how to achieve this through topics including: operating systems, services and applications control responsibilities, the automation of security baselines, the configuration of security, and the auditing of controls for AWS customer infrastructure. You'll learn key principles of how to build a secure organization and protect your customers' data. Don't wait until your first security incident before putting these best practices in place.

1 of 39
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Securing Your Customers Data From Day One Neeraj Verma, Solutions Architect@ AWS
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security by design principles • Implement a strong identity foundation • Enable traceability • Apply security at all layers • Automate security best practices • Protect data (in transit and at rest) • Prepare for security events https://aws.amazon.com/architecture/well-architected/
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Implement a strong identity foundation
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity Access Management (IAM) Ensure only authorized and authenticated users are able to access resources: • Define users, groups, services and roles • Protect AWS credentials • Use fine grained authorization/access control
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Define access Users Groups Services Roles • Think carefully • SAML 2.0 (ADFS) • Define a management policy • Logically group users • Apply group policies • Least privilege access • Be granular • Use roles for instances and functions • Avoid using API keys in code
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Protecting AWS credentials • Establish Less-privileged Users • Enable MFA on the root account • Consider federation • Set a password policy • MFA for users and/or certain operations (s3 delete) • Avoid storing API Keys in source control • Use temporary credentials via STS
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Fine grained access control • Establish least privilege principle • Define clear roles for users and roles • Use AWS organizations to centrally manage access
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources AWS IAM - https://aws.amazon.com/iam/ AWS STS - https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS Organizations - https://aws.amazon.com/organizations/
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detective controls Identifying a potential security threat is essential for legal compliance assurance, key areas in this are: • Capture and analyze logs • Integrate auditing controls with notifications and workflow / Use your logs
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Capture and analyze logs Asset management • Describe assets and instance programmatically • No dependency on instance based agent API driven log analysis • Collect, filter and analyze with ease • Automatically collect API calls with CloudTrail • Use CloudWatch Logs or ElasticSearch with instances
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Use your logs Don’t just collect and store logs, analyze logs easily with CloudWatch Events: • Trigger notifications • Automate responses with Lambda • Integrate events with ticketing systems
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detect change • Use native tools such as AWS Config to detect change in your environment and trigger CloudWatch Events • Collect output from Amazon Inspector to ensure compliance • Use Amazon GuardDuty to constantly monitor and intelligently detect threats and take action
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Change management
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources AWS Config – https://aws.amazon.com/config/ AWS Config Rules – https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws- config.html Amazon Inspector - https://aws.amazon.com/inspector/ Amazon ElasticSearch Service - https://aws.amazon.com/elasticsearch-service/ Amazon CloudWatch Logs - https://aws.amazon.com/cloudwatch/ Amazon Athena – https://aws.amazon.com/athena/ Amazon Glacier – https://aws.amazon.com/glacier/ AWS Lambda – https://aws.amazon.com/lambda/
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Apply security at all layers
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Defense-in-depth
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure protection Protect network and host level boundaries System security config and management Enforce service-level protection
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Protect network and host level boundaries VPC considerations: • Subnets to separate workloads • Use NACL’s to prevent access between subnets • Use route tables to deny internet access from protected subnets • Use Security groups to grant access to and from other security groups Limit what you run in public subnets: • ELB/ALB and NLB’s • Bastion hosts • Try and avoid where possible having a system directly accessible from the internet External connectivity for management: • Use VPN gateways to your on premise systems • Direct Connect
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. System security config and management OS based firewalls CVE vulnerability scanners Virus scanners Remove unnecessary tools from OS Remove direct access to machines – use EC2 system manager Amazon Inspector to scan OS and applications
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Enforce service-level protection • Use least privilege IAM policies • Use fined grained controls within policies • Look at service level permission (such as S3 bucket policies) • Use KMS and define admin and user access policies
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources Amazon VPC – https://aws.amazon.com/vpc/ AWS Direct Connect – https://aws.amazon.com/directconnect/ Amazon Inspector - https://aws.amazon.com/inspector/
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automate security best practices
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ensure best practice • Template everything (CloudFormation, Terraform, etc etc) • Utilise CI/CD pipelines • Set custom AWS Config rules • Amazon Inspector to detect vulnerabilities • Automate response to non compliant infrastructure
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Immutable infrastructure
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security as code
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources Amazon VPC – https://aws.amazon.com/ AWS Systems Manager – https://aws.amazon.com/systems-manager/Amazon/ Inspector - https://aws.amazon.com/inspector/ AWS CloudFormation - https://aws.amazon.com/cloudformation/ AWS SAM - https://github.com/awslabs/serverless-application-model AWS Pipeline - https://aws.amazon.com/codepipeline/ AWS KMS - https://aws.amazon.com/kms/ Terraform - https://www.terraform.io/
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Protect data (in transit and at rest)
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data classification Start of by classifying data based on sensitivity: • Public data = unencrypted, non-sensitive, available to everyone • Critical data = encrypted, not directly accessible from the internet, requires authorization and authentication Use resource tags to help define the policy: • “DataClassification=CRITICAL” • Integrate access with IAM policies Amazon Macie: Macie can automatically discover, classify and protect sensitive data through machine learning
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Encrypt your data
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data in transit AWS endpoints are HTTPS, but what can you do? • VPN connectivity to VPC • TLS application communication • ELB or CloudFront with ACM
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data at rest Inbuilt encryption • S3: select KMS key on upload • EBS and RDS snapshots: automatically encrypt data at rest • DynamoDB: encrypt backups Bring your own Key Encrypt data locally before uploading SSE-C (server side encryption with customer key)
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Encryption and tokenization Tokens allow you to represent data (credit card number) as a token. Generate and Retrieve encrypted data from a toke store such as CloudHSM or encrypt and store data in DynamoDB. CloudHSM is PCI-DSS and FIPS compliant
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources AWS KMS - https://aws.amazon.com/kms/ Amazon Macie – https://aws.amazon.com/macie/ AWS Cloud HSM – https://aws.amazon.com/cloudhsm/ Amazon EBS – https://aws.amazon.com/ebs/ S2n - https://github.com/awslabs/s2n
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prepare for security events
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident response “Even with a mature preventative and detective solution in place, you should consider a mitigation plan”
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Clean room • Use Tags to quickly determine impact and escalate • Get the right people access and on the call • Use Cloud API’s to automate and isolate instances • CloudFormation – recreate clean / update environments easily for production or investigation purposes
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources AWS Well-Architected - https://aws.amazon.com/architecture/well-architected/ Security Pillar - https://d1.awsstatic.com/whitepapers/architecture/AWS-Security- Pillar.pdf
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thanks!
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Questions? @abbyfuller

Recommended

Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfSecuring Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfAmazon Web Services
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS Germany
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDay
Amazon Web Services
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
Amazon Web Services LATAM
 
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Amazon Web Services
 
Deep dive - AWS security by design
Deep dive - AWS security by designDeep dive - AWS security by design
Deep dive - AWS security by design
Richard Harvey
 
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
Amazon Web Services
 
AWS Security By Design
AWS Security By DesignAWS Security By Design
AWS Security By Design
Amazon Web Services
 

Recommended

Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfSecuring Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfAmazon Web Services
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS Germany
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDay
Amazon Web Services
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
Amazon Web Services LATAM
 
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Amazon Web Services
 
Deep dive - AWS security by design
Deep dive - AWS security by designDeep dive - AWS security by design
Deep dive - AWS security by design
Richard Harvey
 
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
Amazon Web Services
 
AWS Security By Design
AWS Security By DesignAWS Security By Design
AWS Security By Design
Amazon Web Services
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
Amazon Web Services
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
Amazon Web Services
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
Amazon Web Services
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
Amazon Web Services
 
Security overview-aws-lambda
Security overview-aws-lambdaSecurity overview-aws-lambda
Security overview-aws-lambda
VIJAY REDDY
 
Incident Response - Eyes Everywhere
Incident Response - Eyes EverywhereIncident Response - Eyes Everywhere
Incident Response - Eyes Everywhere
Amazon Web Services
 
Automating DDoS and WAF Response
Automating DDoS and WAF ResponseAutomating DDoS and WAF Response
Automating DDoS and WAF Response
Amazon Web Services
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
Amazon Web Services
 
AWS Security Deep Dive
AWS Security Deep DiveAWS Security Deep Dive
AWS Security Deep DiveAmazon Web Services
 
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Amazon Web Services
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdf
Amazon Web Services
 
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Amazon Web Services
 
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
Amazon Web Services
 
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security BaselineAWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
Amazon Web Services
 
Best Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSBest Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWS
Amazon Web Services
 
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Amazon Web Services
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
Amazon Web Services
 
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Amazon Web Services
 
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Amazon Web Services
 
How AI is disrupting the world
How AI is disrupting the world How AI is disrupting the world
How AI is disrupting the world
Amazon Web Services
 
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Amazon Web Services
 

More Related Content

What's hot

AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
Amazon Web Services
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
Amazon Web Services
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
Amazon Web Services
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
Amazon Web Services
 
Security overview-aws-lambda
Security overview-aws-lambdaSecurity overview-aws-lambda
Security overview-aws-lambda
VIJAY REDDY
 
Incident Response - Eyes Everywhere
Incident Response - Eyes EverywhereIncident Response - Eyes Everywhere
Incident Response - Eyes Everywhere
Amazon Web Services
 
Automating DDoS and WAF Response
Automating DDoS and WAF ResponseAutomating DDoS and WAF Response
Automating DDoS and WAF Response
Amazon Web Services
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
Amazon Web Services
 
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Amazon Web Services
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdf
Amazon Web Services
 
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Amazon Web Services
 
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
Amazon Web Services
 
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security BaselineAWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
Amazon Web Services
 
Best Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSBest Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWS
Amazon Web Services
 
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Amazon Web Services
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
Amazon Web Services
 
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Amazon Web Services
 
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Amazon Web Services
 

What's hot (20)

AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
 
Security overview-aws-lambda
Security overview-aws-lambdaSecurity overview-aws-lambda
Security overview-aws-lambda
 
Incident Response - Eyes Everywhere
Incident Response - Eyes EverywhereIncident Response - Eyes Everywhere
Incident Response - Eyes Everywhere
 
Automating DDoS and WAF Response
Automating DDoS and WAF ResponseAutomating DDoS and WAF Response
Automating DDoS and WAF Response
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
 
AWS Security Deep Dive
AWS Security Deep DiveAWS Security Deep Dive
AWS Security Deep Dive
 
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdf
 
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:In...
 
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018
 
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security BaselineAWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
 
Best Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSBest Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWS
 
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS ...
 
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
 

Similar to AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne

How AI is disrupting the world
How AI is disrupting the world How AI is disrupting the world
How AI is disrupting the world
Amazon Web Services
 
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Amazon Web Services
 
Compliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesCompliance and Security Mitigation Techniques
Compliance and Security Mitigation Techniques
Amazon Web Services
 
Mitigating techniques
Mitigating techniquesMitigating techniques
Mitigating techniques
Richard Harvey
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Amazon Web Services
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Amazon Web Services
 
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
Amazon Web Services
 
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
Amazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
Amazon Web Services
 
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Amazon Web Services
 
New AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadNew AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your Workload
Amazon Web Services
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Amazon Web Services
 
AWS Security and Encryption
AWS Security and EncryptionAWS Security and Encryption
AWS Security and Encryption
Richard Harvey
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
Amazon Web Services
 
Secure Your Customers' Data From Day One
Secure Your Customers' Data From Day OneSecure Your Customers' Data From Day One
Secure Your Customers' Data From Day One
Amazon Web Services
 
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Amazon Web Services
 
Security & Compliance in the Cloud
Security & Compliance in the CloudSecurity & Compliance in the Cloud
Security & Compliance in the Cloud
Amazon Web Services
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management Tools
Amazon Web Services
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls
Amazon Web Services
 

Similar to AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne (20)

How AI is disrupting the world
How AI is disrupting the world How AI is disrupting the world
How AI is disrupting the world
 
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
 
Compliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesCompliance and Security Mitigation Techniques
Compliance and Security Mitigation Techniques
 
Mitigating techniques
Mitigating techniquesMitigating techniques
Mitigating techniques
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
 
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
 
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
 
New AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadNew AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your Workload
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
 
AWS Security and Encryption
AWS Security and EncryptionAWS Security and Encryption
AWS Security and Encryption
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
 
Secure Your Customers' Data From Day One
Secure Your Customers' Data From Day OneSecure Your Customers' Data From Day One
Secure Your Customers' Data From Day One
 
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
 
Security & Compliance in the Cloud
Security & Compliance in the CloudSecurity & Compliance in the Cloud
Security & Compliance in the Cloud
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management Tools
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Securing Your Customers Data From Day One Neeraj Verma, Solutions Architect@ AWS
  • 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security by design principles • Implement a strong identity foundation • Enable traceability • Apply security at all layers • Automate security best practices • Protect data (in transit and at rest) • Prepare for security events https://aws.amazon.com/architecture/well-architected/
  • 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Implement a strong identity foundation
  • 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity Access Management (IAM) Ensure only authorized and authenticated users are able to access resources: • Define users, groups, services and roles • Protect AWS credentials • Use fine grained authorization/access control
  • 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Define access Users Groups Services Roles • Think carefully • SAML 2.0 (ADFS) • Define a management policy • Logically group users • Apply group policies • Least privilege access • Be granular • Use roles for instances and functions • Avoid using API keys in code
  • 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Protecting AWS credentials • Establish Less-privileged Users • Enable MFA on the root account • Consider federation • Set a password policy • MFA for users and/or certain operations (s3 delete) • Avoid storing API Keys in source control • Use temporary credentials via STS
  • 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Fine grained access control • Establish least privilege principle • Define clear roles for users and roles • Use AWS organizations to centrally manage access
  • 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources AWS IAM - https://aws.amazon.com/iam/ AWS STS - https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS Organizations - https://aws.amazon.com/organizations/
  • 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detective controls Identifying a potential security threat is essential for legal compliance assurance, key areas in this are: • Capture and analyze logs • Integrate auditing controls with notifications and workflow / Use your logs
  • 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Capture and analyze logs Asset management • Describe assets and instance programmatically • No dependency on instance based agent API driven log analysis • Collect, filter and analyze with ease • Automatically collect API calls with CloudTrail • Use CloudWatch Logs or ElasticSearch with instances
  • 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Use your logs Don’t just collect and store logs, analyze logs easily with CloudWatch Events: • Trigger notifications • Automate responses with Lambda • Integrate events with ticketing systems
  • 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detect change • Use native tools such as AWS Config to detect change in your environment and trigger CloudWatch Events • Collect output from Amazon Inspector to ensure compliance • Use Amazon GuardDuty to constantly monitor and intelligently detect threats and take action
  • 13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Change management
  • 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources AWS Config – https://aws.amazon.com/config/ AWS Config Rules – https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws- config.html Amazon Inspector - https://aws.amazon.com/inspector/ Amazon ElasticSearch Service - https://aws.amazon.com/elasticsearch-service/ Amazon CloudWatch Logs - https://aws.amazon.com/cloudwatch/ Amazon Athena – https://aws.amazon.com/athena/ Amazon Glacier – https://aws.amazon.com/glacier/ AWS Lambda – https://aws.amazon.com/lambda/
  • 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Apply security at all layers
  • 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Defense-in-depth
  • 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure protection Protect network and host level boundaries System security config and management Enforce service-level protection
  • 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Protect network and host level boundaries VPC considerations: • Subnets to separate workloads • Use NACL’s to prevent access between subnets • Use route tables to deny internet access from protected subnets • Use Security groups to grant access to and from other security groups Limit what you run in public subnets: • ELB/ALB and NLB’s • Bastion hosts • Try and avoid where possible having a system directly accessible from the internet External connectivity for management: • Use VPN gateways to your on premise systems • Direct Connect
  • 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. System security config and management OS based firewalls CVE vulnerability scanners Virus scanners Remove unnecessary tools from OS Remove direct access to machines – use EC2 system manager Amazon Inspector to scan OS and applications
  • 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Enforce service-level protection • Use least privilege IAM policies • Use fined grained controls within policies • Look at service level permission (such as S3 bucket policies) • Use KMS and define admin and user access policies
  • 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources Amazon VPC – https://aws.amazon.com/vpc/ AWS Direct Connect – https://aws.amazon.com/directconnect/ Amazon Inspector - https://aws.amazon.com/inspector/
  • 22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automate security best practices
  • 23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ensure best practice • Template everything (CloudFormation, Terraform, etc etc) • Utilise CI/CD pipelines • Set custom AWS Config rules • Amazon Inspector to detect vulnerabilities • Automate response to non compliant infrastructure
  • 24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Immutable infrastructure
  • 25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security as code
  • 26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources Amazon VPC – https://aws.amazon.com/ AWS Systems Manager – https://aws.amazon.com/systems-manager/Amazon/ Inspector - https://aws.amazon.com/inspector/ AWS CloudFormation - https://aws.amazon.com/cloudformation/ AWS SAM - https://github.com/awslabs/serverless-application-model AWS Pipeline - https://aws.amazon.com/codepipeline/ AWS KMS - https://aws.amazon.com/kms/ Terraform - https://www.terraform.io/
  • 27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Protect data (in transit and at rest)
  • 28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data classification Start of by classifying data based on sensitivity: • Public data = unencrypted, non-sensitive, available to everyone • Critical data = encrypted, not directly accessible from the internet, requires authorization and authentication Use resource tags to help define the policy: • “DataClassification=CRITICAL” • Integrate access with IAM policies Amazon Macie: Macie can automatically discover, classify and protect sensitive data through machine learning
  • 29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Encrypt your data
  • 30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data in transit AWS endpoints are HTTPS, but what can you do? • VPN connectivity to VPC • TLS application communication • ELB or CloudFront with ACM
  • 31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data at rest Inbuilt encryption • S3: select KMS key on upload • EBS and RDS snapshots: automatically encrypt data at rest • DynamoDB: encrypt backups Bring your own Key Encrypt data locally before uploading SSE-C (server side encryption with customer key)
  • 32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Encryption and tokenization Tokens allow you to represent data (credit card number) as a token. Generate and Retrieve encrypted data from a toke store such as CloudHSM or encrypt and store data in DynamoDB. CloudHSM is PCI-DSS and FIPS compliant
  • 33. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources AWS KMS - https://aws.amazon.com/kms/ Amazon Macie – https://aws.amazon.com/macie/ AWS Cloud HSM – https://aws.amazon.com/cloudhsm/ Amazon EBS – https://aws.amazon.com/ebs/ S2n - https://github.com/awslabs/s2n
  • 34. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prepare for security events
  • 35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident response “Even with a mature preventative and detective solution in place, you should consider a mitigation plan”
  • 36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Clean room • Use Tags to quickly determine impact and escalate • Get the right people access and on the call • Use Cloud API’s to automate and isolate instances • CloudFormation – recreate clean / update environments easily for production or investigation purposes
  • 37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Resources AWS Well-Architected - https://aws.amazon.com/architecture/well-architected/ Security Pillar - https://d1.awsstatic.com/whitepapers/architecture/AWS-Security- Pillar.pdf
  • 38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thanks!
  • 39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Questions? @abbyfuller