1. The document provides a practical approach for achieving security operations (SecOps) excellence on AWS by controlling, monitoring, and remediating security issues.
2. It discusses establishing guardrails through identity and access management (IAM), infrastructure as code delivered with the AWS Code* services, and AWS Config as part of the control phase. The monitor phase relies on visibility tools such as CloudTrail, CloudWatch, and VPC Flow Logs. The fix phase handles exceptions with automation built on Lambda.
3. A demonstration walks through an event flow showing how security controls are escalated from standard to active monitoring in response to a detected anomaly.
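The control/monitor/fix loop summarised above, and the Control, Monitor, Fix, Audit steps of the DEV302 session further down this page, both come down to the same mechanism: a CloudTrail API call is delivered as a CloudWatch Events / EventBridge event, a Lambda function decides whether it violates a guardrail, and if so it undoes the change. The following is an added example, not code from either presentation. It handles one concrete case, a security-group rule that opens an administrative port to the whole internet, and revokes only the offending rule. The event shape follows what CloudTrail logs for `AuthorizeSecurityGroupIngress`; the group ID, account ID, user name and CIDRs are constructed sample data, and the `FakeEC2` client stands in for `boto3.client("ec2")` so the code runs offline.

```python
import json

# Added example, not code from the presentation. The event shape follows what
# CloudTrail records for ec2:AuthorizeSecurityGroupIngress when delivered through
# CloudWatch Events / EventBridge; the values themselves are constructed.
ADMIN_PORTS = (22, 3389, 5985, 5986)      # SSH, RDP, WinRM (http/https)
WORLD = ("0.0.0.0/0", "::/0")             # "anywhere" CIDRs


def covers_admin_port(perm):
    """True if this ipPermissions entry includes any administrative port."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False                       # icmp etc. carry no TCP/UDP port
    lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def world_open_ranges(perm):
    """Return the IPv4 and IPv6 CIDRs in this entry that mean 'the internet'."""
    v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
          if r.get("cidrIp") in WORLD]
    v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])
          if r.get("cidrIpv6") in WORLD]
    return v4, v6


def offending_rules(event):
    """Monitor: extract (groupId, rules-to-revoke) from a CloudTrail event."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None, []
    if "errorCode" in detail:              # the API call failed; nothing to undo
        return None, []
    params = detail.get("requestParameters", {})
    rules = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        if not covers_admin_port(perm):
            continue
        v4, v6 = world_open_ranges(perm)
        if not (v4 or v6):
            continue
        rule = {"IpProtocol": perm["ipProtocol"]}  # boto3 IpPermission shape
        if perm["ipProtocol"] != "-1":
            rule["FromPort"], rule["ToPort"] = perm["fromPort"], perm["toPort"]
        if v4:
            rule["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            rule["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        rules.append(rule)
    return params.get("groupId"), rules


def handler(event, ec2):
    """Fix: revoke only the offending rules and leave the rest of the group alone.
    'ec2' is any object with boto3's revoke_security_group_ingress signature;
    in Lambda pass boto3.client("ec2")."""
    group_id, rules = offending_rules(event)
    if not rules:
        return {"action": "none", "groupId": group_id}
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=rules)
    return {"action": "revoked", "groupId": group_id, "rules": rules}


class FakeEC2:
    """Stand-in client so the handler can be exercised offline."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


# Constructed sample: one rule opens SSH to the world, one opens HTTPS to the
# world (not an admin port), one opens SSH to a private range only.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                 "ipv6Ranges": {}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                 "ipv6Ranges": {}},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
                 "ipv6Ranges": {}},
            ]},
        },
    },
}

if __name__ == "__main__":
    client = FakeEC2()
    print(json.dumps(handler(SAMPLE_EVENT, client), indent=2))
```

Two details matter in practice: a failed API call (an `errorCode` in the event) must be ignored or the function will try to revoke a rule that was never created, and the revoke must be scoped to the exact offending permission rather than the whole group so a legitimate HTTPS rule in the same change survives. The same handler can be wired to an AWS Config rule's compliance-change event instead of the raw CloudTrail call; only the event parsing changes.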
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard.
Designing security & governance via AWS Control Tower & Organizations - SEC30...Amazon Web Services
Whether it is per business unit or per application, many AWS customers use multiple accounts to meet their infrastructure isolation, separation of duties, and billing requirements. In this session, we cover considerations, limitations, and security patterns when building a multi-account strategy. We explore topics such as thought pattern, identity federation, cross-account roles, consolidated logging, and account governance. We conclude by presenting an enterprise-ready landing-zone framework and providing the background needed to implement an AWS Landing Zone using AWS Control Tower and AWS Organizations.
View these slides if you're new to cloud computing and would like to learn more about Amazon Web Services (AWS), if you intend to implement a project and would like to discover the basics of the AWS cloud, or if you are a business looking to evaluate cloud computing.
In the webinar based on these slides, we answered the following questions:
• What is Cloud Computing with AWS and what benefits can it deliver?
• Who is using AWS and what are they using it for?
• How can I use AWS Services to run my workloads?
View the webinar recording on YouTube here: http://youtu.be/QROD20r6-sQ
1) The document discusses initial considerations for deploying applications on AWS such as how the service will be accessed, what data is being handled, and compliance needs.
2) It then covers the AWS shared responsibility model and who manages what between AWS and the customer for different types of AWS services.
3) Practical advice is provided on security controls to deploy on AWS, including using Route 53, CloudFront, S3 buckets, application load balancers, and VPC components.
4) The document concludes by recommending several AWS security audit tools including CloudTrail, Config, GuardDuty, and VPC flow logs to ensure deployments are working as planned.
Watch the recording: https://youtu.be/aoQOqhVtdGo
How do you move servers currently running in an on-premises environment to the AWS cloud? This session introduces methods for migrating existing servers running on Linux, Windows, VMware and similar platforms to the cloud, and shares customer cases showing how AWS enterprise customers have carried out large-scale migrations. It also looks at new service trends that accelerate cloud adoption through hybrid options such as VMware on AWS and AWS Outposts.
On-demand replay: https://www.youtube.com/watch?v=LMBSWl9Uo-4
AWS Control Tower, scheduled to launch in the Seoul Region in Q1 2021, automatically configures a customer's multi-account AWS environment based on best practices. This session covers how to use AWS Control Tower to design and implement the multi-account AWS structure your organization needs, define and create the baseline guardrails each account should include, and put a governance framework in place.
AWS offers a variety of data migration services and tools to help you easily and rapidly move everything from gigabytes to petabytes of data. We can provide guidance and methodologies to help you find the right service or tool to fit your requirements, and we share examples of customers who have used these options in their cloud journey.
Webinar aws 101 a walk through the aws cloud- introduction to cloud computi...Amazon Web Services
Whether you are running applications that share photos or support critical operations of your business, you need rapid access to flexible and low cost IT resources. The term "cloud computing" refers to the on-demand delivery of IT resources via the Internet with pay-as-you-go pricing. Whether you are a start-up who wants to accelerate growth without a big upfront investment in cash or time for technology or an Enterprise looking for IT innovation, agility and resiliency while reducing costs, the AWS Cloud provides a complete set of web services at zero upfront costs which are available with a few clicks and within minutes. Join this webinar to learn more about the benefits of Cloud Computing and:
- The history of AWS and how a global online retailer got into cloud computing
- The concepts of utility computing and elasticity and why these are important to a cost-effective, scalable and reliable IT architecture
- The AWS service portfolio and the global footprint on which it is delivered
- The value proposition of the AWS Cloud
- Use cases to help you relate cloud based infrastructure to your own needs
- Busting the myths around cloud computing
- No prior experience is necessary, so join us for an overview of the AWS cloud services, and a discussion on how cloud computing can help accelerate innovation in your company.
Accelerating Your Portfolio Migration to AWS Using AWS Migration Hub - ENT321...Amazon Web Services
When migrating a large number of workloads to AWS, tracking progress across the various applications and services involved can distract your team from core migration activities. In this session, learn how AWS Migration Hub provides a single place to discover your existing servers and track the status of each application migration. It provides you with better visibility into your application portfolio and streamlines migration tracking, at no additional cost beyond the services you use.
This document provides an overview of AWS security services and best practices. It discusses how AWS is responsible for security of the cloud, while customers control security in the cloud by choosing configurations and access controls. It also summarizes key AWS security services like CloudTrail, IAM, encryption, VPC networking, and compliance tools to help customers securely build applications on AWS.
AWS provides a range of security services and features that AWS customers can use to secure their content and applications and meet their own specific business requirements for security. This presentation focuses on how you can make use of AWS security features to meet your own organisation's security and compliance objectives.
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
Identity and Access Management (IAM) is the first step towards AWS cloud adoption because in the cloud you first grant access and only then can you provision infrastructure (the opposite of the on-premises approach). In this session, you will learn how to define fine-grained access to AWS resources via users, roles, and groups; design privileged-user and multi-factor authentication mechanisms; and operate IAM at scale.
Level: 100
Speaker: Don Edwards - Sr. Technical Delivery Manager, AWS
AWS Security Hub provides a single place to manage security alerts and compliance checks across AWS accounts and services. It integrates findings from AWS services like GuardDuty, Inspector, and Macie as well as many third-party security products. These findings are normalized into a standard format (the AWS Security Finding Format) and prioritized. Security Hub also lets users check compliance with the CIS AWS Foundations Benchmark through automated configuration and compliance checks.
Amazon Web Services (AWS) delivers a set of services that together form a reliable, scalable, and inexpensive computing platform 'in the cloud'. These pay-as-you-use cloud computing services include Amazon S3, Amazon EC2, Amazon DynamoDB, Amazon Glacier, Amazon Elastic MapReduce, and others. This session provides AWS best practices in the areas of choosing use cases, governing deployments, ensuring security, architecting to cloud strengths, and cost optimization.
Speaker: Andrew Mitchell, Solutions Architect, Amazon Web Services
Building a well-engaged and secure AWS account access management - FND207-R ...Amazon Web Services
The document discusses building a secure multi-account AWS environment through proper account segmentation and access management. It recommends creating dedicated accounts for organizational units (OUs), core services, logging/auditing, security tools, shared services, networking and more. The use of AWS Organizations, IAM policies, and service control policies (SCPs) to define and enforce access across accounts is also covered. Automating the deployment of baseline accounts and resources through the AWS Landing Zone solution is presented as a best practice.
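The guardrail the session describes, service control policies (SCPs) applied from AWS Organizations to whole organizational units, is best understood from a concrete policy. The following is an added example, not material from the session or from the AWS Landing Zone solution. It defines a Deny-only SCP that stops anyone but a designated break-glass role from switching off CloudTrail, AWS Config or GuardDuty in a member account, and denies leaving the organization altogether; a deliberately simplified evaluator then shows which requests it blocks. The role name `SecurityAdmin`, the account ID and the helper functions are assumptions; the evaluator models only explicit Deny statements with `Action` and `Like`-style conditions, not the full IAM evaluation logic.

```python
import re

# Added example, not from the presentation: a Deny-only service control policy
# that protects the detective controls in every member account, plus a small,
# deliberately simplified evaluator. The role name SecurityAdmin and the
# account IDs are assumptions; real IAM evaluation (NotAction, Resource,
# the Allow side, IfExists operators, per-segment ARN wildcards) is not modelled.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectDetectiveControls",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "guardduty:DeleteDetector",
            ],
            "Resource": "*",
            # Everyone except the break-glass security role is denied.
            "Condition": {
                "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/SecurityAdmin"}
            },
        },
        {
            "Sid": "DenyLeavingOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}

_POSITIVE = ("StringLike", "ArnLike")
_NEGATIVE = ("StringNotLike", "ArnNotLike")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """A missing context key fails positive operators and passes negated ones,
    which is how IAM treats absent keys for the Not* operators."""
    for operator, pairs in condition.items():
        if operator not in _POSITIVE + _NEGATIVE:
            raise ValueError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            value = context.get(key)
            hit = value is not None and any(_like(p, value) for p in _as_list(patterns))
            if operator in _POSITIVE and not hit:
                return False
            if operator in _NEGATIVE and hit:
                return False
    return True


def scp_denies(policy, action, context):
    """Return the Sid of the first Deny statement that blocks `action` for the
    request context (e.g. {"aws:PrincipalARN": ...}), or None if no Deny applies.
    Action names are matched case-insensitively, as IAM does."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_like(p, action, ignore_case=True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return stmt.get("Sid", "<unnamed>")
    return None


if __name__ == "__main__":
    dev = {"aws:PrincipalARN": "arn:aws:iam::111122223333:role/Developer"}
    sec = {"aws:PrincipalARN": "arn:aws:iam::111122223333:role/SecurityAdmin"}
    for who, ctx in (("Developer", dev), ("SecurityAdmin", sec)):
        for action in ("cloudtrail:StopLogging", "organizations:LeaveOrganization", "s3:GetObject"):
            print(f"{who:14} {action:36} -> {scp_denies(GUARDRAIL_SCP, action, ctx)}")
```

Two properties of SCPs are worth keeping in mind when reading this: an SCP never grants anything, it only caps what the account's own IAM policies can allow, and it does not apply to the management account, which is one reason the session recommends keeping workloads out of that account and in dedicated member accounts under an OU.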
CI/CD for a Docker Node.js application using the AWS Code* services. This session walks through what such a solution looks like, which Code* services are used, how the build works, and how deployments work. The purpose of this session is to show customers how to deploy their containerized applications to Amazon Elastic Container Service (ECS) on Fargate using our CI/CD solutions. Come with your questions and pain points. We will also talk about how to use Bitbucket as your source control rather than CodeCommit, for the many customers already using Bitbucket and Jenkins.
How can you accelerate the delivery of new, high-quality services? How can you be able to experiment and get feedback quickly from your customers? To get the most out of the agility afforded by serverless and containers, it is essential to build CI/CD pipelines that help teams iterate on code and quickly release features. In this talk, we demonstrate how developers can build effective CI/CD release workflows to manage their serverless or containerized deployments on AWS. We cover infrastructure-as-code (IaC) application models, such as AWS Serverless Application Model (AWS SAM) and new imperative IaC tools. We also demonstrate how to set up CI/CD release pipelines with AWS CodePipeline and AWS CodeBuild, and we show you how to automate safer deployments with AWS CodeDeploy.
AWS Control Tower is a new AWS service for cloud administrators to set up and govern their secure, compliant, multi-account environments on AWS.
In this session, University of York will discuss their implementation of AWS Landing Zone. We’ll also explain how AWS Control Tower automates AWS Landing Zone creation with best-practice blueprints.
The document discusses security best practices for AWS, including implementing a segregated account environment, strong identity and access management, enabling traceability through logging and monitoring, and applying security controls at multiple layers. It provides examples of setting up identity and access management with AWS IAM, implementing detective controls with AWS CloudTrail and GuardDuty, and using network and host-level security features like VPCs, security groups, and AWS WAF.
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatchAmazon Web Services
You may already know that you can use Amazon CloudWatch to view graphs of your AWS resources like Amazon Elastic Compute Cloud instances or Amazon Simple Storage Service. But, did you know that you can monitor your on-premises servers with Amazon CloudWatch Logs? Or, that you can integrate CloudWatch Logs with Elasticsearch for powerful visualization and analysis? This session will offer a tour of the latest monitoring and automation capabilities that we’ve added, how you can get even more done with Amazon CloudWatch.
The document describes Amazon EKS (Elastic Container Service for Kubernetes), including an overview of EKS, its architecture, features, and integration with other AWS services. Key points include: EKS manages Kubernetes control planes and nodes are launched in the customer's VPC, EKS supports networking via the AWS VPC CNI plugin, and EKS provides security and access management using IAM roles and policies.
Using AWS for Backup and Restore (backup in the cloud, backup to the cloud, a...Amazon Web Services
Companies are using AWS to create and deploy efficient, fast, and cost-effective backup and restore capabilities to protect critical IT systems without incurring the infrastructure expense of a second physical site. In this session, we will talk about cloud-based services AWS provides to enable robust backup and rapid recovery of your IT infrastructure and data.
Recording link: https://youtu.be/QGgQOcA3W6w
As migration to the cloud grows, attacks targeting public clouds are also surging. In particular, attempts to steal cloud administrators' credentials, and the use of stolen credentials to exfiltrate sensitive data and run large-scale Bitcoin mining, are on the rise. Customers who are considering moving to AWS, or already using it, need to think about how to respond to these sophisticated threats, which exploit the characteristics of the cloud. This session explains AWS security services such as GuardDuty, Inspector, Config and Security Hub, which provide capabilities for responding effectively to these cloud-native threats.
Planning data center migrations can involve thousands of workloads and tens of thousands of servers that are often deeply interdependent. Application discovery and dependency mapping are important early steps in the migration process, but they are difficult to perform at scale without automated tools. AWS Application Discovery Service is a new service (coming soon) that automatically identifies data center applications and their dependencies, and baselines application health and performance to help you plan your application migration to AWS quickly and reliably. This talk introduces the new Application Discovery Service capabilities for simplifying the planning of data center and large-scale migrations to AWS. We will discuss how you can use the AWS Application Discovery Service data to examine the applications running in your data center, their attributes, and their dependencies, and then use this information to reduce the time, cost, and risk of migrating applications to AWS.
New operations services for DevOps engineers - Piljung Kim, AWS Developer Specialist Solutions Architect / Hyunmin Kim, Megazone Cloud Solutions Architect :...Amazon Web Services Korea
Using the latest technologies introduced at AWS re:Invent for the entire pipeline from development to operations, this session shows how to break down silos and improve collaboration. It looks at AWS Control Tower for governance control, Amazon CodeGuru Reviewer for early detection of risks at the code level, AWS Amplify Studio for building faster, richer apps, the AWS Cloud Development Kit for IaC, and the new Amazon CloudWatch features that improve operational efficiency.
This session is designed to introduce you to the fundamental cloud computing and AWS security concepts that will help you prepare for the Security Week sessions, demos, and labs. We will make sure you have an AWS account and understand EC2, get you set up with the AWS Command Line Interface (CLI) and the AWS Management Console, introduce you to source repositories, discuss SSH access and the necessary SDKs, and more.
AWS provides cloud computing services that users can access over the Internet. It manages large data centers containing many servers that host these cloud-based services. The document explains AWS using a single diagram comparing it to a physical network. It shows how AWS has regions, availability zones, VPCs, subnets, security groups, and other boundaries/resources that allow cloud services like EC2, S3, and ELB to operate based on the core concepts of availability, scalability, elasticity, and fault tolerance. Key security features like ACLs and security groups control access within the AWS network boundaries.
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...Amazon Web Services
To help prevent unexpected access to your AWS resources, it is critical to maintain strong identity and access policies. It is equally important to track and alert on changes to your AWS resources. In this tech talk, you will learn how to use AWS Identity and Access Management (IAM) to control access to your AWS resources and integrate your existing authentication system with AWS IAM. We will cover how you can deploy and control your AWS infrastructure using code templates, including change management policies with AWS CloudFormation. In addition, we will explore different options for managing both your AWS access logs and your Amazon Elastic Compute Cloud (EC2) system logs using Amazon CloudWatch Logs. We also will cover how to use these logs to implement an audit and compliance validation process using services such as AWS Config, AWS CloudTrail, and Amazon Inspector.
Learning Objectives:
• Understand the AWS Shared Responsibility Model.
• Understand AWS account and identity management options and configuration.
• Learn the concept of infrastructure as code and change management using AWS CloudFormation.
• Learn how to audit and log your AWS service usage.
• Learn about AWS services to add automatic compliance checks to your AWS infrastructure.
AWS re:Invent 2016: Automated Governance of Your AWS Resources (DEV302)Amazon Web Services
AWS CloudTrail, Amazon CloudWatch Events, AWS Identity & Access Management (IAM), Trusted Advisor, AWS Config Rules, other services? In this session, we will help you use existing and recently launched services to automate configuration governance so that security is embedded in the development process. We outline four easy steps (Control, Monitor, Fix, and Audit) and demonstrate how different services can be used to meet your governance needs. We will showcase real-life examples and you can take home a blog post with code examples and the full source code for scripts and tooling that AWS professional services have built using these services.
Webinar aws 101 a walk through the aws cloud- introduction to cloud computi...Amazon Web Services
Whether you are running applications that share photos or support critical operations of your business, you need rapid access to flexible and low cost IT resources. The term "cloud computing" refers to the on-demand delivery of IT resources via the Internet with pay-as-you-go pricing. Whether you are a start-up who wants to accelerate growth without a big upfront investment in cash or time for technology or an Enterprise looking for IT innovation, agility and resiliency while reducing costs, the AWS Cloud provides a complete set of web services at zero upfront costs which are available with a few clicks and within minutes. Join this webinar to learn more about the benefits of Cloud Computing and:
- The history of AWS and how a global online retailer got into cloud computing
- The concepts of utility computing and elasticity and why these are important to a cost-effective, scalable and reliable IT architecture
- The AWS service portfolio and the global footprint on which it is delivered
- The value proposition of the AWS Cloud
- Use cases to help you relate cloud based infrastructure to your own needs
- Busting the myths around cloud computing
- No prior experience is necessary, so join us for an overview of the AWS cloud services, and a discussion on how cloud computing can help accelerate innovation in your company.
Accelerating Your Portfolio Migration to AWS Using AWS Migration Hub - ENT321...Amazon Web Services
When migrating a large number of workloads to AWS, tracking progress across the various applications and services involved can distract your team from core migration activities. In this session, learn how AWS Migration Hub provides a single place to discover your existing servers and track the status of each application migration. It provides you with better visibility into your application portfolio and streamlines migration tracking, at no additional cost beyond the services you use.
This document provides an overview of AWS security services and best practices. It discusses how AWS is responsible for security of the cloud, while customers control security in the cloud by choosing configurations and access controls. It also summarizes key AWS security services like CloudTrail, IAM, encryption, VPC networking, and compliance tools to help customers securely build applications on AWS.
AWS provides a range of security services and features that AWS customers can use to secure their content and applications and meet their own specific business requirements for security. This presentation focuses on how you can make use of AWS security features to meet your own organisation's security and compliance objectives.
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
Identity and Access Management (IAM) is first step towards AWS cloud adoption because in the cloud, first you grant access and only then can you provision infrastructure (the opposite approach of on-premises). In this session, you will learn how to define fine-grained access to AWS resources via users, roles, and groups; design privileged user and multi-factor authentication mechanisms; and operate IAM at scale.
Level: 100
Speaker: Don Edwards - Sr. Technical Delivery Manager, AWS
AWS Security Hub provides a single place to manage security alerts and compliance checks across AWS accounts and services. It integrates findings from AWS services like GuardDuty, Inspector, and Macie as well as many third-party security products. These findings are normalized into a standard format and prioritized. Security Hub also allows users to check compliance with the CIS Benchmark security standard through automated configuration and compliance checks.
Amazon Web Services (AWS) delivers a set of services that together form a reliable, scalable, and inexpensive computing platform 'in the cloud'. These pay-as-you-use cloud computing services include Amazon S3, Amazon EC2, Amazon DynamoDB, Amazon Glacier, Amazon Elastic MapReduce, and others. This session provides AWS best practices in the areas of choosing use cases, governing deployments, ensuring security, architecting to cloud strengths, and cost optimization.
Speaker: Andrew Mitchell, Solutions Architect, Amazon Web Services
Building a well-engaged and secure AWS account access management - FND207-R ...Amazon Web Services
The document discusses building a secure multi-account AWS environment through proper account segmentation and access management. It recommends creating dedicated accounts for organizational units (OUs), core services, logging/auditing, security tools, shared services, networking and more. The use of AWS Organizations, IAM policies, and service control policies (SCPs) to define and enforce access across accounts is also covered. Automating the deployment of baseline accounts and resources through the AWS Landing Zone solution is presented as a best practice.
CI/CD for a Docker Node.JS application using Code* services. This session will walkthrough what a solution like this would look like, what Code* services are used, how your build will work, and how deploys will work. The purpose of this session is to allow customers to see how to deploy their containerized applications in Amazon Elastic Container Service (ECS) Fargate using our CI/CD solutions. Come with your questions and pain points. We will also talk about how to use Bitbucket as your source control rather than Code Commit for the many customers already using BitBucket and Jenkins.
How can you accelerate the delivery of new, high-quality services? How can you be able to experiment and get feedback quickly from your customers? To get the most out of the agility afforded by serverless and containers, it is essential to build CI/CD pipelines that help teams iterate on code and quickly release features. In this talk, we demonstrate how developers can build effective CI/CD release workflows to manage their serverless or containerized deployments on AWS. We cover infrastructure-as-code (IaC) application models, such as AWS Serverless Application Model (AWS SAM) and new imperative IaC tools. We also demonstrate how to set up CI/CD release pipelines with AWS CodePipeline and AWS CodeBuild, and we show you how to automate safer deployments with AWS CodeDeploy.
AWS Control Tower is a new AWS service for cloud administrators to set up and govern their secure, compliant, multi-account environments on AWS.
In this session, University of York will discuss their implementation of AWS Landing Zone. We’ll also explain how AWS Control Tower automates AWS Landing Zone creation with best-practice blueprints.
The document discusses security best practices for AWS, including implementing a segregated account environment, strong identity and access management, enabling traceability through logging and monitoring, and applying security controls at multiple layers. It provides examples of setting up identity and access management with AWS IAM, implementing detective controls with AWS CloudTrail and GuardDuty, and using network and host-level security features like VPCs, security groups, and AWS WAF.
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatchAmazon Web Services
You may already know that you can use Amazon CloudWatch to view graphs of your AWS resources like Amazon Elastic Compute Cloud instances or Amazon Simple Storage Service. But, did you know that you can monitor your on-premises servers with Amazon CloudWatch Logs? Or, that you can integrate CloudWatch Logs with Elasticsearch for powerful visualization and analysis? This session will offer a tour of the latest monitoring and automation capabilities that we’ve added, how you can get even more done with Amazon CloudWatch.
The document describes Amazon EKS (Elastic Container Service for Kubernetes), including an overview of EKS, its architecture, features, and integration with other AWS services. Key points include: EKS manages Kubernetes control planes and nodes are launched in the customer's VPC, EKS supports networking via the AWS VPC CNI plugin, and EKS provides security and access management using IAM roles and policies.
Using AWS for Backup and Restore (backup in the cloud, backup to the cloud, a...Amazon Web Services
Companies are using AWS to create and deploy efficient, fast, and cost-effective backup and restore capabilities to protect critical IT systems without incurring the infrastructure expense of a second physical site. In this session, we will talk about cloud-based services AWS provides to enable robust backup and rapid recovery of your IT infrastructure and data.
Replay video link: https://youtu.be/QGgQOcA3W6w
As migration to the cloud grows, attacks aimed at public clouds are surging as well. In particular, attempts to steal cloud administrators' credentials, and the use of stolen credentials to exfiltrate sensitive data and run large-scale Bitcoin mining, are on the rise. Customers who are considering moving to AWS, or who already use it, need to think about how to respond to these sophisticated security threats that exploit the characteristics of the cloud. This session explains AWS security services such as GuardDuty, Inspector, Config and Security Hub, which provide capabilities for responding effectively to these cloud-native threats.
Planning datacenter migrations can involve thousands of workloads and tens of thousands of servers and are often deeply interdependent. Application discovery and dependency mapping are important early first steps in the migration process, but difficult to perform at scale due to the lack of automated tools. AWS Application Discovery Service is a new service (coming soon) that automatically identifies data center applications and dependencies, and baselines application health and performance to help plan your application migration to AWS quickly and reliably. This talk introduces the new Application Discovery Service capabilities for simplifying the planning process for data center and large scale migrations to AWS. We will discuss how you can use the AWS Application Discovery Service data service to examine the applications running your data center, their attributes, and their dependencies and then use this information to help reduce the time, cost, and risk of migrating applications to AWS.
New operations services for DevOps engineers - 김필중, AWS Developer Specialist Solutions Architect / 김현민, Megazone Cloud Solutions Architect :...Amazon Web Services Korea
Learn how to break down silos and improve collaboration using the latest technologies introduced at AWS re:Invent across the whole pipeline from development to operations: AWS Control Tower for governance controls, Amazon CodeGuru Reviewer for detecting risks early at the code level, AWS Amplify Studio for building richer apps faster, the AWS Cloud Development Kit for IaC, and new Amazon CloudWatch features that improve operational efficiency.
This session is designed to introduce you to fundamental cloud computing and AWS security concepts that will help you prepare for the Security Week sessions, demos, and labs. We will ensure you have an AWS account and understand EC2, prepare you to get set up on the AWS Command Line Interface (CLI) to access the AWS Management Console, introduce you to source repositories, discuss SSH access and necessary SDKs, and more.
AWS provides cloud computing services that users can access over the Internet. It manages large data centers containing many servers that host these cloud-based services. The document explains AWS using a single diagram comparing it to a physical network. It shows how AWS has regions, availability zones, VPCs, subnets, security groups, and other boundaries/resources that allow cloud services like EC2, S3, and ELB to operate based on the core concepts of availability, scalability, elasticity, and fault tolerance. Key security features like ACLs and security groups control access within the AWS network boundaries.
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...Amazon Web Services
To help prevent unexpected access to your AWS resources, it is critical to maintain strong identity and access policies. It is equally important to track and alert on changes to your AWS resources. In this tech talk, you will learn how to use AWS Identity and Access Management (IAM) to control access to your AWS resources and integrate your existing authentication system with AWS IAM. We will cover how you can deploy and control your AWS infrastructure using code templates, including change management policies with AWS CloudFormation. In addition, we will explore different options for managing both your AWS access logs and your Amazon Elastic Compute Cloud (EC2) system logs using Amazon CloudWatch Logs. We also will cover how to use these logs to implement an audit and compliance validation process using services such as AWS Config, AWS CloudTrail, and Amazon Inspector.
Learning Objectives:
• Understand the AWS Shared Responsibility Model.
• Understand AWS account and identity management options and configuration.
• Learn the concept of infrastructure as code and change management using AWS CloudFormation.
• Learn how to audit and log your AWS service usage.
• Learn about AWS services to add automatic compliance checks to your AWS infrastructure.
AWS re:Invent 2016: Automated Governance of Your AWS Resources (DEV302)Amazon Web Services
AWS CloudTrail, Amazon CloudWatch Events, AWS Identity & Access Management (IAM), Trusted Advisor, AWS Config Rules, other services? In this session, we will help you use existing and recently launched services to automate configuration governance so that security is embedded in the development process. We outline four easy steps (Control, Monitor, Fix, and Audit) and demonstrate how different services can be used to meet your governance needs. We will showcase real-life examples and you can take home a blog post with code examples and the full source code for scripts and tooling that AWS professional services have built using these services.
AWS provides tools to improve your security posture by providing ways of implementing detective and reactive controls that will detect and remediate security threats. We’ll look at the various services and features that you can employ, such as AWS Inspector, AWS Trusted Advisor, AWS Config and Config Rules, and CloudTrail. We’ll explore how they work and how they should be deployed as part of an overall security strategy.
Automated Control and Transparency in the AWS Cloud – Autopilot for Com...AWS Germany
Talk "Automated Control and Transparency in the AWS Cloud – Autopilot for Compliance of Your Cloud Resources" by Philipp Behre at the AWS Cloud Web Day for mid-sized and large enterprises. All videos and presentations can be found here: http://amzn.to/1VUJZsT
This document discusses tools for governing and auditing AWS resources, including CloudTrail, AWS Config, and AWS Config Rules. CloudTrail continuously records API calls to provide visibility into account activity. Config records configuration changes and relationships between resources. Config Rules validate configurations and enforce best practices. The document provides examples of monitoring security group changes, IAM policy changes, and failed sign-ins using CloudTrail and CloudWatch Logs. It emphasizes using these tools to perform security analysis, troubleshooting, and compliance.
Automated Compliance and Governance with AWS Config and AWS CloudTrail - June...Amazon Web Services
Learning Objectives:
- Reduce the complexity of governance
- Embed compliance in the development process
- Learn about AWS Management Tools
As your cloud operations evolve, the complexity of governance, compliance, and risk auditing of your AWS account increases. With AWS Config and AWS CloudTrail you can automate your controls and compliance efforts so that they scale with your cloud footprint. You can discover resources that exist in your account, capture changes in configurations, and create alerts for out-of-compliance events. In this session, we will help you use AWS Config, AWS CloudTrail, and other AWS Management Tools to automate configuration governance so that compliance is embedded in the development process.
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Amazon Web Services
This session enables security operators to automate governance and implement use cases addressed by AWS services such as AWS CloudTrail, AWS Config Rules, Amazon CloudWatch Events, and Trusted Advisor. Based on the nature of vulnerabilities, internal processes, compliance regimes, and other priorities, this session discusses the service to use when. We also show how to detect, report, and fix vulnerabilities, or gain more information about attackers. We dive deep into new features and capabilities of relevant services and use an example from an AWS customer, Siemens AG, about how to best automate governance and scale. A prerequisite for this session is knowledge of security and basic software development using Java, Python, or Node.
This AWS Security Checklist webinar will help you and your auditors assess the security of your AWS environment in accordance with industry or regulatory standards. This security focused checklist builds on recently revised Operational Checklists for AWS, which helps you evaluate your applications against a list of best practices before deployment.
Learning Objectives:
* Evaluate the ability of AWS services to meet information security objectives and ensure future deployments within the AWS cloud are done in a secure and compliant way
* Assess your existing organisational use of AWS and to ensure it meets security best practices
* Develop AWS usage policies or validate that existing policies are being followed
This document outlines best practices for getting started with AWS. It recommends choosing development and testing as a first use case due to the ability to easily spin up and tear down environments. It also stresses the importance of laying out foundations such as creating an appropriate account structure, enabling consolidated billing, deciding on key management strategies, using IAM for access control, and considering security. The document provides an overview of AWS services that can be used instead of managing software yourself. It suggests using tools to optimize costs and automation, and notes various support options available from AWS.
Using AWS CloudTrail and AWS Config to Enhance Governance and Compliance of A...Amazon Web Services
This document discusses how AWS Config and CloudTrail can be used to automate governance and compliance. It provides an overview of both services and how they can be used together. Specifically, it demonstrates how CloudTrail provides visibility into API activity and configuration changes through AWS Config. It also shows how Config can be used to continuously monitor resources and define compliance rules. Lastly, it provides an example of how Config and Lambda can be used to automatically remediate issues, such as restricting insecure security group rules.
Multi cloud governance best practices - AWS, Azure, GCPFaiza Mehar
If you are looking for complete instructions on how to build your own Cloud governance process and control then view our recorded webinar on our youtube channel. We take you step by step on what is governance for the cloud and a focus area for security governance.
Incident Response: Preparing and Simulating Threat ResponseAmazon Web Services
by Eric Rose, Sr. Security Consultant, AWS
After you have built and deployed a security infrastructure and automated key aspects of security operations, you should validate your work through an incident response simulation. In this session, you will learn about the best way to protect your logs; how and why to develop automated incident response capabilities via AWS tooling such as AWS Lambda; the importance of testing existing forensics tools to ensure efficacy in the cloud environment; and ways to test your plan early and often.
Using AWS CloudTrail and AWS Config to Enhance the Governance and Compliance ...Amazon Web Services
by Daniele Stroppa, Technical Account Manager, AWS
As organizations move their workloads to the cloud, companies must take steps to protect and audit their private and confidential information. This session will focus on Amazon S3 best practices and using AWS Config rules and AWS CloudTrail Data Events to help better protect data residing within S3. The session will include a demonstration of how AWS Config and CloudTrail, in combination with other AWS services, can help with S3 governance and compliance requirements.
In this talk, we will introduce several methods of threat detection and remediation on AWS, including GuardDuty, Macie, WAF, Shield, Lambda, AWS Config, Systems Manager and Inspector. We will do a brief overview of each of these services, and then talk about how to put them all together to have a comprehensive threat detection and remediation solution. We will also discuss how to use these services across multiple AWS accounts and regions to cover the governance needs of enterprise AWS deployments.
This document provides an overview of best practices for getting started with AWS. It recommends choosing development and testing as the first use case due to its low risk. It also recommends laying out foundations such as creating an account structure, enabling billing reports, deciding on key management strategies, using IAM groups to manage access, and assigning IAM roles to instances. Additional best practices covered include focusing on security, treating AWS services as "services not software", optimizing costs, using AWS tools and frameworks, and getting support. Resources for learning more about AWS are also provided.
Automate Best Practices and Operational Health for your AWS resourcesAmazon Web Services
- Showpad automated AWS resources and operational health using Personal Health Dashboard and Trusted Advisor
- Personal Health Dashboard provides alerts and notifications for AWS resources and allows customizing health monitoring and automating remediation actions
- Trusted Advisor checks for best practices around cost optimization, security, fault tolerance, and performance and Showpad automated actions based on its recommendations like stopping low utilization EC2 instances
Incident Response: Preparing and Simulating Threat ResponseAmazon Web Services
Once you have built and deployed security infrastructure and automated key aspects of security operations you should validate your work through an Incident Response simulation. In this session we discuss the best way to protect your logs; how and why to develop automated IR capabilities via AWS tooling (e.g. Lambda); the importance of testing existing forensics tools to ensure efficacy in cloud environment; and ways to test your plan early and often.
The document provides an overview of best practices for getting started with AWS. It recommends choosing development and testing as a first use case. It also discusses laying foundations such as creating account structures, enabling billing reports, deciding on key management strategies, using IAM groups and roles, and focusing on security. The document recommends leveraging AWS services rather than software, optimizing costs, using tools and frameworks, and getting support.
How to build forecasting services using ML and deep learning algorithms...Amazon Web Services
Forecasting is an important process for a great many companies and is used in many areas to try to accurately predict the growth and distribution of a product, the use of resources needed on production lines, financial presentations and much more. Amazon uses advanced forecasting techniques, and some of these services have been made available to all AWS customers.
In this session we will show how to pre-process data that contains a time component and then use an algorithm that, starting from the type of data analyzed, produces an accurate forecast.
Big Data for Startups: how to build Big Data applications in a Server...Amazon Web Services
The variety and volume of data created every day is accelerating faster and faster and represents a unique opportunity to innovate and create new startups.
However, managing large amounts of data can seem complex: building large-scale Big Data clusters looks like an investment accessible only to established companies. But the elasticity of the Cloud and, in particular, Serverless services let us break through these limits.
So let's see how Big Data applications can be developed quickly, without worrying about the infrastructure, dedicating all our resources to developing our ideas and creating innovative products.
You can now use Amazon Elastic Kubernetes Service (EKS) to run Kubernetes pods on AWS Fargate, the serverless compute engine built for containers on AWS. This makes it easier than ever to build and run your Kubernetes applications in the AWS cloud. In this session we will present the main features of the service and how to deploy your application in a few steps.
Twenty years ago Amazon went through a radical transformation aimed at increasing the pace of innovation. Over this period we learned how changing our approach to application development allowed us to greatly increase agility and release velocity and, ultimately, to build more reliable and scalable applications. In this session we will explain how we define modern applications and how building modern apps affects not only the application architecture but also the organizational structure, the development release pipelines and even the operating model. We will also describe common approaches to modernization, including the approach used by Amazon.com itself.
How to spend up to 90% less with containers and Spot Instances Amazon Web Services
Container usage is growing steadily.
When properly designed, container-based applications are very often stateless and flexible.
AWS ECS, EKS and Kubernetes on EC2 can take advantage of Spot Instances, leading to an average saving of 70% compared to On Demand instances. In this session we will discover together what the characteristics of Spot Instances are and how they can easily be used on AWS. We will also learn how Spreaker uses Spot Instances to run applications of different kinds, in production, at a fraction of the on-demand cost!
In recent months, many customers have been asking us the question – how to monetise Open APIs, simplify Fintech integrations and accelerate adoption of various Open Banking business models. Therefore, AWS and FinConecta would like to invite you to Open Finance marketplace presentation on October 20th.
Event Agenda :
Open banking so far (short recap)
• PSD2, OB UK, OB Australia, OB LATAM, OB Israel
Intro to Open Finance marketplace
• Scope
• Features
• Tech overview and Demo
The role of the Cloud
The Future of APIs
• Complying with regulation
• Monetizing data / APIs
• Business models
• Time to market
One platform for all: a Strategic approach
Q&A
Make your startup's market offering unique with Machine Lea...services Amazon Web Services
To create value and build a differentiating, recognizable offering of their own, successful startups know how to combine established technologies with innovative components built ad hoc.
AWS provides ready-to-use services and, at the same time, lets you customize and build the differentiating elements of your offering.
Focusing on Machine Learning technologies, we will see how to select the artificial intelligence services offered by AWS and, also through a demo, how to build custom Machine Learning models using SageMaker Studio.
OpsWorks Configuration Management: automate the management and deployment of...Amazon Web Services
With the traditional approach to IT, for many years it was difficult to implement DevOps techniques, which until now often involved manual activities, occasionally leading to application downtime that interrupted users' work. With the advent of the cloud, DevOps techniques are now within everyone's reach, at low cost and for any kind of workload, guaranteeing greater system reliability and resulting in significant improvements in business continuity.
AWS offers AWS OpsWorks as a Configuration Management tool that aims to automate and simplify the management and deployment of EC2 instances by means of Chef and Puppet workloads.
Find out how to use AWS OpsWorks to guarantee the reliability of your application installed on EC2 instances.
Microsoft Active Directory on AWS to support your Windows Workloads Amazon Web Services
Want to know the options for running Microsoft Active Directory on AWS? When moving Microsoft workloads to AWS, it is important to consider how to deploy Microsoft Active Directory to support Group Policy management, authentication and authorization. In this session we discuss the options for deploying Microsoft Active Directory on AWS, including AWS Directory Service for Microsoft Active Directory and deploying Active Directory on Windows on Amazon Elastic Compute Cloud (Amazon EC2). We cover topics such as integrating your on-premises Microsoft Active Directory environment with the cloud and using SaaS applications, such as Office 365, with AWS Single Sign-On.
From facial recognition to detecting fraud or manufacturing defects, image and video analysis based on artificial intelligence techniques is evolving and being refined at a rapid pace. In this webinar we will explore the possibilities offered by AWS services for applying state-of-the-art computer vision techniques to real-world scenarios.
Amazon Web Services and VMware are organizing a free virtual event next Wednesday, 14 October, from 12:00 to 13:00, dedicated to VMware Cloud ™ on AWS, the on-demand service that lets you run applications in cloud environments based on VMware vSphere® and access a wide range of AWS services, taking full advantage of the AWS cloud while protecting existing VMware investments.
Build your first serverless ledger-based app with QLDB and NodeJS Amazon Web Services
Many companies today build applications with ledger-type functionality, for example to verify the history of credits or debits in banking transactions, or to track the supply chain flow of their products.
At the heart of these solutions are ledger databases, which provide a transparent, immutable and cryptographically verifiable transaction log, but they are complex and costly tools to manage.
Amazon QLDB removes the need to build custom, complex systems by providing a fully managed serverless ledger database.
In this session we will discover how to build a complete serverless application that uses the features of QLDB.
With the rise of microservice architectures and rich mobile and web applications, APIs are more important than ever for offering end users an exceptional user experience. In this session we will learn how to tackle modern API design challenges with GraphQL, an open-source API query language used by Facebook, Amazon and others, and how to use AWS AppSync, a managed serverless GraphQL service on AWS. We will dig into several scenarios, understanding how AppSync can help solve these use cases by building modern APIs with real-time and offline data update capabilities.
We will also learn how Sky Italia uses AWS AppSync to deliver real-time sports updates to users of its web portal.
Oracle databases and VMware Cloud™ on AWS: myths to dispel Amazon Web Services
Many organizations are reaping the benefits of the cloud by migrating their Oracle workloads and securing significant gains in agility and cost efficiency.
Migrating these workloads can create complexity during application modernization and refactoring, and on top of this come performance risks that can be introduced when applications are moved out of on-premises data centers.
In these slides, AWS and VMware experts present simple, practical tips to ease and simplify the migration of Oracle workloads while accelerating the transformation to the cloud; they dig into the architecture and show how to take full advantage of VMware Cloud ™ on AWS.
1) The document discusses building a minimum viable product (MVP) using Amazon Web Services (AWS).
2) It provides an example of an MVP for an omni-channel messenger platform that was built from 2017 to connect ecommerce stores to customers via web chat, Facebook Messenger, WhatsApp, and other channels.
3) The founder discusses how they started with an MVP in 2017 with 200 ecommerce stores in Hong Kong and Taiwan, and have since expanded to over 5000 clients across Southeast Asia using AWS for scaling.
This document discusses pitch decks and fundraising materials. It explains that venture capitalists will typically spend only 3 minutes and 44 seconds reviewing a pitch deck. Therefore, the deck needs to tell a compelling story to grab their attention. It also provides tips on tailoring different types of decks for different purposes, such as creating a concise 1-2 page teaser, a presentation deck for pitching in-person, and a more detailed read-only or fundraising deck. The document stresses the importance of including key information like the problem, solution, product, traction, market size, plans, team, and ask.
This document discusses building serverless web applications using AWS services like API Gateway, Lambda, DynamoDB, S3 and Amplify. It provides an overview of each service and how they can work together to create a scalable, secure and cost-effective serverless application stack without having to manage servers or infrastructure. Key services covered include API Gateway for hosting APIs, Lambda for backend logic, DynamoDB for database needs, S3 for static content, and Amplify for frontend hosting and continuous deployment.
This document provides tips for fundraising from startup founders Roland Yau and Sze Lok Chan. It discusses generating competition to create urgency for investors, fundraising in parallel rather than sequentially, having a clear fundraising narrative focused on what you do and why it's compelling, and prioritizing relationships with people over firms. It also notes how the pandemic has changed fundraising, with examples of deals done virtually during this time. The tips emphasize being fully prepared before fundraising and cultivating connections with investors in advance.
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
This document discusses Amazon's machine learning services for building conversational interfaces and extracting insights from unstructured text and audio. It describes Amazon Lex for creating chatbots, Amazon Comprehend for natural language processing tasks like entity extraction and sentiment analysis, and how they can be used together for applications like intelligent call centers and content analysis. Pre-trained APIs simplify adding machine learning to apps without requiring ML expertise.
Amazon Elastic Container Service (Amazon ECS) is a highly scalable container management service that simplifies the management of Docker containers through an orchestration layer that controls deployment and the related lifecycle. In this session we will present the main features of the service, the reference architectures for different workloads and the simple steps needed to quickly migrate one or more of your containers.
2. Goals of session
Provide a practical approach for SecOps excellence
+ Show how it works in practice.
+ Get you to try it (take home toolkit)
Control, Monitor, Fix
3. In detail
1. Introduction
2. CMF: Control/Monitor/Fix
  - Control: Creating the guardrails.
    - IAM, Code*, AWS Config
  - Monitor: Provide visibility
    - Cloudtrail, Flowlogs, Syslog, Cloudwatch
  - Fix: Dealing with Exceptions
    - Lambda
3. In Practice (aka demo)
4. Your take home kit and actions
MSB – Minimum Security Baseline
Pro Level – What to aim for.
4. Cloud Adoption Framework: The Security Perspective
Security Perspective capabilities: Directive, Preventive, Detective, Responsive.
CMF phases: Control, Monitor, ?, Fix.
Control: driving the right behavior. Monitor: maintain and assure over time. Fix: get back to known good.
7. Phase 1: Control
Goal:
• Drive towards secure outcomes i.e. Build guardrails
Possible options:
• IAM
• Cloudformation
• Code*
Best practice:
• MSB: Individual users + Least privilege + use of groups.
• Pro level: Centralized deployment of controls across N accounts.
8. AWS Identity and Access Management (IAM)
§ Enables you to control who can do what in your AWS account
§ Splits into users, groups, roles, and permissions
§ Control
§ Centralized
§ Fine-grained - APIs, resources, and AWS Management Console
§ Security
§ Secure (deny) by default
Policy evaluation logic:
1. Decision starts at Deny.
2. Evaluate all applicable policies.
3. Is there an explicit deny? Yes: final decision = “deny” (explicit deny).
4. No: is there an Allow? Yes: final decision = “allow”.
5. No: final decision = “deny” (default deny).
§ AWS retrieves all policies associated with the user and resource.
§ Only policies that match the action and conditions are evaluated.
§ If a policy statement has a deny, it trumps all other policy statements.
§ Access is granted if there is an explicit allow and no deny.
§ By default, an implicit (default) deny is returned.
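The evaluation order above is easy to get wrong when policies from several sources are attached to one principal, so here it is written out as a small evaluator. This is an added example, not code from the deck: the policy documents are IAM-shaped but the matching is a simplification (Action and Resource wildcards only; Condition, NotAction, NotResource, SCPs and permission boundaries are not modelled), and the developer policies are constructed sample data.

```python
import fnmatch

# Added example, not from the deck: the slide's evaluation order (start at
# deny, explicit deny wins, allow only with an explicit allow) over
# IAM-shaped policy documents. Simplified: Action/Resource wildcards only,
# no Condition, NotAction, NotResource, SCPs or permission boundaries.

ALLOW = "allow"
EXPLICIT_DENY = "deny (explicit deny)"
DEFAULT_DENY = "deny (default deny)"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _applies(statement, action, resource):
    """Step 2: only statements matching the requested action and resource count."""
    return (_action_matches(statement.get("Action", []), action)
            and _resource_matches(statement.get("Resource", []), resource))


def evaluate(policies, action, resource):
    """Return the final decision for one request across all attached policies."""
    decision = DEFAULT_DENY            # step 1: decision starts at deny
    for policy in policies:
        for statement in policy.get("Statement", []):
            if not _applies(statement, action, resource):
                continue
            if statement.get("Effect") == "Deny":
                return EXPLICIT_DENY   # step 3: an explicit deny trumps everything
            if statement.get("Effect") == "Allow":
                decision = ALLOW       # step 4: remember the allow, keep scanning for denies
    return decision                    # step 5: default deny if nothing allowed


# Constructed sample: a developer group's permissions plus a guardrail policy.
DEVELOPER_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::dev-*", "arn:aws:s3:::dev-*/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": ["s3:DeleteBucket", "s3:PutBucketPolicy"], "Resource": "*"},
    ]},
]

if __name__ == "__main__":
    for action, resource in [("s3:GetObject", "arn:aws:s3:::dev-reports/q1.csv"),
                             ("s3:DeleteBucket", "arn:aws:s3:::dev-reports"),
                             ("s3:GetObject", "arn:aws:s3:::prod-reports/q1.csv"),
                             ("ec2:DescribeInstances", "*")]:
        print(f"{action:24} {resource:40} -> {evaluate(DEVELOPER_POLICIES, action, resource)}")
```

The guardrail policy's `Deny` on `s3:DeleteBucket` wins even though the first policy grants `s3:*` on the same bucket, which is why the evaluator returns as soon as it sees a matching deny but keeps scanning after an allow.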
9. Top 11 IAM best practices
1. Users – Create individual users.
2. Permissions – Grant least privilege.
3. Groups – Manage permissions with groups.
4. Conditions – Restrict privileged access further with conditions.
5. Auditing – Enable AWS CloudTrail to get logs of API calls.
6. Password – Configure a strong password policy.
7. Rotate – Rotate security credentials regularly.
8. MFA – Enable MFA for privileged users.
9. Sharing – Use IAM roles to share access.
10. Roles – Use IAM roles for Amazon EC2 instances.
11. Root – Reduce or remove use of root.
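Several of these items (individual users, MFA for console users, rotation, no root usage) can be checked mechanically from the IAM credential report. The following is an added example, not the deck's code: the column names follow the credential report CSV, but the rows are constructed sample data and the 90-day rotation limit and the fixed "now" are assumed values.

```python
import csv
import io
from datetime import datetime, timezone

# Added example, not from the deck: audit an IAM credential report against the
# MSB items above. Column names follow the credential report CSV; rows are
# constructed sample data; MAX_KEY_AGE_DAYS and AS_OF are assumptions.

MAX_KEY_AGE_DAYS = 90
AS_OF = datetime(2024, 5, 20, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

# Constructed sample report (a subset of the real report's columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,not_supported,true,true,2023-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111111111111:user/alice,true,true,true,2024-04-01T12:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,true,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,false,true,2023-11-15T08:30:00+00:00,true,2024-05-02T08:30:00+00:00
"""


def _age_days(stamp, now):
    """Whole days since an ISO-8601 timestamp, or None when the report has no value."""
    if stamp in ("N/A", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit_credential_report(report_csv, now=AS_OF, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) pairs for each best-practice violation in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Item 11: root should have no long-lived access keys at all.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root has active access keys"))
            continue
        # Item 8: anyone who can sign in to the console needs MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))
        # Item 7: rotate long-lived access keys.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                age = _age_days(row[f"access_key_{n}_last_rotated"], now)
                if age is not None and age > max_key_age_days:
                    findings.append((user, f"access key {n} is {age} days old"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Running this on a schedule and feeding the findings into the same alert store as the CloudTrail checks later in the deck turns the best-practice list into a continuously verified baseline rather than a one-time setup task.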
10. One AWS account vs. multiple AWS accounts?
Use a single AWS account when you:
§ Want simpler control of who does what in your AWS environment.
§ Have no need to isolate projects/products/teams.
§ Have no need for breaking up the cost.
Use multiple AWS accounts when you:
§ Need full isolation between projects/teams/environments.
§ Want to isolate recovery data and/or auditing data (e.g., writing your CloudTrail logs to a different account).
§ Need a single bill, but want to break out the cost and usage.
11. Segmented AWS Account Structure
Accounts shown (grouped as Financial, Utility and Security/audit): Billing account (Consolidated Billing, Billing Alerts); User management account; Security / Audit account; Production accounts; Dev / Test accounts; Operational Logging account (Event and State Logging); Backup / DR account; Key management account; Shared services account.
Stakeholders: Procurement and Finance, SOC/Auditors, Application Owners, Domain Specific Admins.
Access annotations: read-only access for all accounts; read-only access to logging data.
12. AWS Organizations
Policy-based management for multiple AWS accounts.
• Control AWS service use across accounts
• Consolidate billing
• Automate AWS account creation
13. Typical Use Cases
• Control the use of AWS services to help comply with corporate security and compliance policies.
• Automate the creation of AWS accounts for different resources.
• API response to trigger additional automation (e.g. deploy CloudFormation template).
14. What is AWS CloudFormation?
• AWS CloudFormation allows you to model, provision, and update the full breadth of AWS resources.
• Manage anything from a single Amazon EC2 instance to a multi-tier application.
• Integrates with other development and management tools.
16. Elements of a Continuous Delivery Pipeline
Commit Phase: Source Control changes
• Static code analysis: Analyze the CFN templates against a set of security rules
Acceptance Phase: Dev Environment
• Dynamic analysis: Run template in sandbox / acceptance test environment.
Capacity/Integration/Staging Phases: Pre-Prod Environment
• Load, performance, penetration and failover testing.
Production Phase: Prod Environment
• Deploy controls.
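The commit-phase static analysis above, as an added example (not code from the deck or its sample repository): two constructed security rules applied to a constructed JSON CloudFormation template, so the pipeline can fail early on a template before anything is provisioned.

```python
"""Static check of a CloudFormation template against security rules."""
import json

# Constructed sample template (not from the deck): a log bucket with no
# encryption and a security group that opens SSH to the whole internet.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                          "ToPort": 22, "CidrIp": "0.0.0.0/0"}],
            },
        },
    }
})

def open_ssh(name, props):
    """Rule: an ingress entry that exposes TCP/22 (or all traffic) to the world."""
    for rule in props.get("SecurityGroupIngress", []):
        world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        all_traffic = str(rule.get("IpProtocol")) == "-1"
        covers_22 = int(rule.get("FromPort", -1)) <= 22 <= int(rule.get("ToPort", -1))
        if world and (all_traffic or covers_22):
            yield f"{name}: SSH (22) open to the world"

def unencrypted_bucket(name, props):
    """Rule: an S3 bucket with no server-side encryption configured."""
    if "BucketEncryption" not in props:
        yield f"{name}: S3 bucket has no BucketEncryption"

# Rules keyed by resource type; extend this map to add checks.
RULES = {"AWS::EC2::SecurityGroup": [open_ssh], "AWS::S3::Bucket": [unencrypted_bucket]}

def check_template(template_json):
    """Return sorted findings for a JSON template; an empty list means pass."""
    resources = json.loads(template_json).get("Resources", {})
    findings = []
    for name, res in resources.items():
        for rule in RULES.get(res.get("Type"), []):
            findings.extend(rule(name, res.get("Properties", {})))
    return sorted(findings)

if __name__ == "__main__":
    # Non-zero exit fails the commit-phase pipeline step.
    findings = check_template(SAMPLE_TEMPLATE)
    print("\n".join(findings) or "no findings")
    raise SystemExit(1 if findings else 0)
```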
19. Phase 2: Monitor
Goals:
- Ensure effective operation over time.
- Detect anomalies/change.
Options:
• Cloudtrail, Cloudwatch*, VPC Flowlogs, Config…
Best Practice:
• MSB: Aggregate log data.
• Pro level: Analyze and act on log data as it arrives.
20. What is AWS CloudTrail?
A fully managed service that records API calls made on your AWS account.
(Diagram: customers are making API calls on a growing set of services around the world; CloudTrail is continuously recording those API calls and delivering log files to customers.)
21. Alert indexer
(Diagram: CloudTrail from Account 1, Account 2 ... Account N feeds a CloudTrail aggregation bucket in the Security account; Lambda functions apply triage/classification rules and write to an alert indexer.)
• Automated configuration to enable logging and the aggregation destination.
• Log files deposited in an S3 bucket under the Security Account.
• SNS notifies Lambda of new events available for processing.
• Each Lambda evaluates a specific compliance item or misuse case.
• Rules engines help define the action to take based on asset and environment.
• If dictated by the rules engine, the event results in notification via email, i.e. for critical events.
• Alerts preserved in DynamoDB for reporting and indexing of raw data.
• All processing is in the Security Account, i.e. no external dependencies to add new logic, log processing, etc.
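The per-Lambda evaluation step of the pipeline above, as an added example (not code from the deck or its sample repository): it parses one gzipped CloudTrail log file, as delivered to the aggregation bucket, and runs three constructed misuse-case rules, returning the alert records a Lambda would then store in DynamoDB. The sample log file is constructed inline.

```python
"""Evaluate CloudTrail log files from the aggregation bucket against misuse cases."""
import gzip
import json

# Each rule is one misuse case: CloudTrail record -> finding text or None.
def root_console_login(r):
    if r.get("eventName") == "ConsoleLogin" and r.get("userIdentity", {}).get("type") == "Root":
        return "root account console login"

def cloudtrail_tampering(r):
    if r.get("eventSource") == "cloudtrail.amazonaws.com" and \
            r.get("eventName") in ("StopLogging", "DeleteTrail", "UpdateTrail"):
        return "CloudTrail " + r["eventName"]

def world_open_ingress(r):
    if r.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    perms = r.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return "security group ingress opened to 0.0.0.0/0"

RULES = [root_console_login, cloudtrail_tampering, world_open_ingress]

def evaluate_log_file(gz_bytes):
    """Parse one gzipped CloudTrail file and return the alerts to store in DynamoDB."""
    records = json.loads(gzip.decompress(gz_bytes))["Records"]
    alerts = []
    for r in records:
        for rule in RULES:
            finding = rule(r)
            if finding:
                alerts.append({"account": r.get("recipientAccountId"),
                               "time": r.get("eventTime"),
                               "event_id": r.get("eventID"), "finding": finding})
    return alerts

# Constructed sample log file: three records, two of which match a rule.
def _rec(eid, src, name, ident):
    return {"eventID": eid, "eventTime": "2019-01-01T00:00:00Z", "recipientAccountId": "111111111111",
            "eventSource": src, "eventName": name, "userIdentity": {"type": ident}}
SAMPLE_FILE = gzip.compress(json.dumps({"Records": [
    _rec("1", "signin.amazonaws.com", "ConsoleLogin", "Root"),
    _rec("2", "ec2.amazonaws.com", "DescribeInstances", "IAMUser"),
    _rec("3", "cloudtrail.amazonaws.com", "StopLogging", "IAMUser"),
]}).encode())

if __name__ == "__main__":
    print(evaluate_log_file(SAMPLE_FILE))
```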
28. Fix – Correcting anomalies
Goal:
• Return to ‘known good’
• ‘Don’t throw the baby out with the bathwater’…
Options:
• Lambda shines, but the whole AWS platform plays a role.
Best Practices:
• MSB: automate alerting and integrate with ticketing systems.
• Pro Level: Closed loop.
30. Security Incident Response Simulations
Test and benchmark your security response to security events.
Experts from the Security, Risk and Compliance (SRC) practice can
help you assess your current state of incident response readiness,
then prepare and execute an exercise to practice that response.
Objectives:
• Assess current incident response processes and procedures
• Provide recommendations for using AWS services for incident response
• Test the cloud incident response process via a simulated exercise
Typical effort: 15 Man Days
32. Demo – event flow
1 – Standard
2 – Enhanced
3 – Active
(Diagram: an Auto Scaling group of web server and app server EC2 instances, each in its own security group, feeding CloudWatch with Syslog, Flowlogs and CloudTrail data; an SSH login raises a custom event (CWECustom) and the logon check passes: ‘Logon ok? Logon is OK!’)
In standard operation, we are observant.
Control:
- Security agent loaded in instance.
- Logons tracked.
Monitoring:
- We gather data covering API activity (CloudTrail), network (Flowlogs) and also in-instance activity (Syslog).
Fix:
- We are good :)
33. Demo – event flow
1 – Standard
2 – Enhanced
3 – Active
(Diagram: same fleet as before; the SSH login custom event (CWECustom) now fails the logon check, ‘Logon ok? Logon NOT ok.’, which triggers ‘Enhance’: subscribe to Syslog, enable instance-level flow logs and subscribe to them, feeding OS data analysis and network data analysis.)
A logon event occurs. We go to Enhanced surveillance mode.
Control:
- Dynamically add Lambda subscriptions to log feeds.
Monitor:
- In-instance activity (privilege escalation).
- Initiation of forbidden flows.
Fix:
- Alert only. Watchful but passive.
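The two Enhanced-mode monitors above, as an added example (not code from the deck or its sample repository): detectors a subscribed Lambda could run over Syslog lines (privilege escalation) and over VPC flow log records (forbidden outbound flows). The sample lines, the watched instance IP and the allowed outbound ports are constructed.

```python
"""Enhanced-mode detectors run over in-instance Syslog and VPC flow log lines."""
import re

# Privilege escalation markers in Linux syslog: sudo commands, su to root,
# or a PAM session opened for root.
ESCALATION = re.compile(r"sudo: .* COMMAND=|session opened for user root|su(?:\[\d+\])?: .*\(to root\)")

def syslog_escalations(lines):
    """Return the syslog lines that indicate a privilege escalation."""
    return [ln for ln in lines if ESCALATION.search(ln)]

# VPC flow log default (version 2) record layout.
FLOW_FIELDS = ("version account iface src dst srcport dstport proto "
               "packets bytes start end action status").split()

def forbidden_flows(lines, instance_ip, allowed_dst_ports):
    """Return (dst, dstport) for ACCEPTed flows from instance_ip to a port not on the allow list."""
    hits = []
    for ln in lines:
        f = dict(zip(FLOW_FIELDS, ln.split()))
        if len(f) < len(FLOW_FIELDS) or f["status"] != "OK":
            continue  # malformed, NODATA or SKIPDATA records carry no flow
        if f["src"] == instance_ip and f["action"] == "ACCEPT" \
                and int(f["dstport"]) not in allowed_dst_ports:
            hits.append((f["dst"], int(f["dstport"])))
    return hits

# Constructed sample lines (not real captures); the watched instance is 10.0.2.20.
SAMPLE_SYSLOG = [
    "Jan  1 10:00:01 web1 sshd[1201]: Accepted publickey for ec2-user from 10.0.1.5 port 51234 ssh2",
    "Jan  1 10:00:09 web1 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/bash",
    "Jan  1 10:00:09 web1 sudo: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)",
    "Jan  1 10:01:00 web1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
]
SAMPLE_FLOWS = [
    "2 111111111111 eni-0a1b2c3d 10.0.2.20 52.1.2.3 44321 443 6 10 2400 1546336800 1546336860 ACCEPT OK",
    "2 111111111111 eni-0a1b2c3d 10.0.2.20 198.51.100.7 44322 25 6 5 320 1546336800 1546336860 ACCEPT OK",
    "2 111111111111 eni-0a1b2c3d 10.0.2.20 198.51.100.7 44323 23 6 1 60 1546336800 1546336860 REJECT OK",
    "2 111111111111 eni-0a1b2c3d - - - - - - - 1546336800 1546336860 - NODATA",
]
ALLOWED_OUTBOUND = {443, 53}

if __name__ == "__main__":
    for ln in syslog_escalations(SAMPLE_SYSLOG):
        print("ESCALATION:", ln)
    for dst, port in forbidden_flows(SAMPLE_FLOWS, "10.0.2.20", ALLOWED_OUTBOUND):
        print("FORBIDDEN FLOW:", dst, port)
```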
34. Demo – event flow
(Diagram: Active phase. A fleet of web app server EC2 instances behind Elastic Load Balancing plus an app server, each in its own security group; OS data analysis of Syslog data in CloudWatch detects Root Access. Response steps: Isolate, Preserve, Deregister.)
35. Demo – event flow
(Diagram: the instance with root access is now marked as the Anomaly.)
36. Demo – event flow
(Diagram: Isolate – the anomalous instance's security group is switched to ‘Block all’.)
37. Demo – event flow
(Diagram: Deregister – the anomalous instance is deregistered from the ASG/ELB.)
38. Demo – event flow
(Diagram: Preserve – CloudWatch Logs are retained and Amazon EBS snapshots are taken of the anomalous instance.)
39. Demo – event flow
1 – Standard
2 – Enhanced
3 – Active
(Diagram: the web app server fleet behind Elastic Load Balancing and the app server, with the Anomaly instance in its own security group.)
An escalation occurred and we switched to Active, i.e. intervene and get it fixed.
Control:
- SG to isolate the anomalous instance.
- Preserve the instance for both live and offline analysis.
- Deregister the application from live use.
Monitoring:
- We continue to monitor all activity as per previous steps.
Fix:
- The control actions cause the ASG to be 1 instance short, and it will recover to the original fleet size from ‘last known good’.
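The three Active-phase control actions above (isolate, preserve, deregister), as an added example that is not code from the deck or its sample repository: it issues the EC2 and Auto Scaling API calls that boto3 clients expose, but the clients passed in here are recording fakes so it runs offline; the instance, volume, group and security-group ids are constructed.

```python
"""Active-mode containment of one anomalous instance: isolate, preserve, deregister."""

def contain_instance(ec2, autoscaling, instance_id, group_name, quarantine_sg):
    """Quarantine the instance and let the ASG rebuild from 'last known good'.

    ec2 / autoscaling are boto3-style clients; returns the snapshot ids created.
    """
    # 1. Isolate: swap every security group for one with no rules ('Block all').
    #    The instance keeps running so live analysis is still possible.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    # 2. Preserve: snapshot each attached EBS volume for offline analysis.
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    snapshots = []
    for bdm in inst.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(VolumeId=bdm["Ebs"]["VolumeId"],
                                   Description="forensics " + instance_id)
        snapshots.append(snap["SnapshotId"])
    # 3. Deregister: detach from the ASG without lowering desired capacity, so
    #    the group drops the instance from its load balancer and launches a
    #    replacement (the fleet is briefly one instance short, then recovers).
    autoscaling.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=group_name,
                                 ShouldDecrementDesiredCapacity=False)
    return snapshots

class FakeClient:
    """Records calls and returns canned responses; stands in for boto3 clients offline."""
    def __init__(self, responses):
        self.responses, self.calls = responses, []
    def __getattr__(self, op):
        def call(**kw):
            self.calls.append((op, kw))
            return self.responses.get(op, {})
        return call

# Constructed ids; the describe_instances shape mirrors the real EC2 response.
FAKE_EC2 = FakeClient({
    "describe_instances": {"Reservations": [{"Instances": [{"InstanceId": "i-0anomaly",
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}}]}]}]},
    "create_snapshot": {"SnapshotId": "snap-0evidence"},
})
FAKE_ASG = FakeClient({})

if __name__ == "__main__":
    print("snapshots:", contain_instance(FAKE_EC2, FAKE_ASG, "i-0anomaly", "web-asg", "sg-0quarantine"))
    for op, kw in FAKE_EC2.calls + FAKE_ASG.calls:
        print(op, kw)
```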
40. Demo – event flow
1 – Standard
2 – Enhanced
3 – Active
(Diagram: back to the standard fleet of web server and app server EC2 instances in their security groups, feeding CloudWatch with Syslog, Flowlogs and CloudTrail data.)
In standard operation, we are observant.
Control:
- Security agent loaded in instance.
- Logons tracked to TT.
Monitoring:
- We gather data covering API activity (CloudTrail), network (Flowlogs) and also in-instance activity (Syslog).
Fix:
- We are BACK TO good :)
41. Summary
Control:
• IAM is the foundation for everything else.
• Service catalogue as an option to standardize product distribution.
• Code*: Embed security throughout (‘Fail early’).
Monitor:
• Cloudtrail, Config, Flowlogs, …: To get visibility, you need to see – enable logging.
• Data is good. Better if you use it. Great if used to drive automation.
Fix:
• Reduce ‘Detect-Report-Remediate’ cycles.
• Automate to gain speed + free human intellect to more added value tasks.
42. Take home kit – your turn!
#1 Demo code is published
• https://github.com/awslabs/automating-governance-sample
#2 Implementing DevSecOps using AWS Codepipeline
• https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline
#3 “what should I Control/Monitor/Fix next?”
• https://aws.amazon.com/whitepapers/aws-security-best-practices/
#4 (Optional) Come Jam with us!