DevOps on AWS: Deep Dive on Infrastructure as Code - Toronto (Amazon Web Services)
The document discusses infrastructure as code and AWS CloudFormation. It provides an overview of using AWS CloudFormation templates to define infrastructure in code. Templates allow infrastructure to be version controlled and treated like code. They can be used to provision AWS resources in a declarative and repeatable way. The document also covers using CloudFormation to bootstrap applications on EC2 instances through the use of the AWS::CloudFormation::Init metadata key.
Monitoring Containers at Scale - September Webinar Series (Amazon Web Services)
Containers come and go rapidly, which is great for scalable or fast-evolving infrastructure. However, the short life of containers makes them more challenging to monitor, leaving many with questions such as: How many containers can you run on a given Amazon EC2 instance type? Which metric should you look at to measure contention? How do you manage fleets of containers at scale? In this session, we'll present the challenges and benefits of running containers at scale, how to use quantitative performance patterns to monitor your infrastructure at this magnitude and complexity, and we'll discuss proven strategies for monitoring your containerized infrastructure on AWS and ECS.
Learning Objectives:
- Set up the infrastructure to monitor your containers running on AWS
- Understand the metrics available and what they mean
- Define a strategy to monitor your containers
1. The document demonstrates how to use various AWS services like Kinesis, Redshift, Elasticsearch to analyze streaming game log data.
2. It shows setting up an EC2 instance to generate logs, creating a Kinesis stream to ingest the logs, and building Redshift tables to run queries on the logs.
3. The document also explores loading the logs from Kinesis into Elasticsearch for search and linking Kinesis and Redshift with Kinesis Analytics for real-time SQL queries on streams.
Increasingly, developers are breaking their applications apart into smaller components and distributing them across a pool of compute resources. Docker is fast becoming a core component of these architectures, but going from a single or a small number of containers to a distributed application is not trivial. In this session we will talk about some of the core architectural principles underlying the Amazon EC2 Container Service (ECS) and how they are designed to help you scale your applications and run them in production. We will talk about how containers can be used as the foundation for new computing primitives and how these are being used by our customers for increased agility and productivity.
Deploying a Disaster Recovery Site on AWS: Minimal Cost with Maximum Efficiency (Amazon Web Services)
This document provides an overview of deploying a disaster recovery site on AWS. It discusses various disaster recovery techniques including pilot light, warm standby, and hot site approaches. It then presents several use cases for disaster recovery on AWS including backup for entry-level users, large data archive needs, on-site virtualization replication, multisite replication, knowledge worker DR sites, and mobile access to recovery capabilities. For each use case it estimates the monthly costs for running the disaster recovery solution on AWS services. The presentation emphasizes lessons from history about planning for unexpected events, testing recovery plans, and having knowledge to properly interpret system alarms or failures. It concludes by discussing how AWS could enable more automated and easy to use disaster recovery capabilities.
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ... (Amazon Web Services)
AWS CloudTrail is an essential tool for troubleshooting operational issues and investigating security incidents. CloudTrail provides detailed information about the API activity in your AWS account, including who made an API call, from where, and which resources they acted on.
This webinar will help you understand the features of CloudTrail and how to use them to gain maximum visibility into your AWS resources.
Learning Objectives:
Learn how to receive email notifications for specific API activity
Learn how to troubleshoot operational and security incidents in your AWS account
Learn how to turn on CloudTrail and receive a history of log files to an S3 bucket you specify
(SEC202) Closing the Gap: Moving Critical, Regulated Workloads to AWS | AWS r... (Amazon Web Services)
AWS provides a number of tools and processes to help you decide when and how to move audited, regulated, and critical business data to the cloud. In this session, we answer the following questions: When is it time for you to make this significant move? When will you be ready to address industry best practices for control (including third-party audits, access control configurations, incident response, data sovereignty, and encryption)? We discuss how some highly regulated AWS customers have addressed the challenges that legacy regulatory requirements present to partners, vendors, and customers in migrating to the AWS Cloud. Finally, we cover general trends we're seeing in several regulated industries leveraging AWS and the trends we're seeing from the regulators themselves who audit and accept AWS control environments.
AWS Infrastructure as Code - September 2016 Webinar Series (Amazon Web Services)
AWS CloudFormation lets you model, provision, and update a collection of AWS resources with JSON templates. You can manage your Infrastructure as Code and deploy stacks from a single Amazon EC2 instance to multi-tier applications. In this session, we will explore CloudFormation best practices in planning and provisioning your AWS infrastructure. We will cover recent product updates that will help users to make the most of this service and demonstrate new features. This session will benefit both new and experienced users of CloudFormation.
Learning Objectives:
• Learn best practices for managing your infrastructure as code using CloudFormation
• Discover new techniques for making the most of CloudFormation
• Hear about the latest product updates and new features released
Who Should Attend:
• Developers, DevOps, IT Operations, Systems Administrators, Solutions Architects
AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Inven... (Amazon Web Services)
Customers using AWS resources such as EC2 instances, EC2 Security Groups and RDS instances would like to track changes made to such resources and who made those changes. In this session, customers will learn about gaining visibility into user activity in their account and aggregating logs across multiple accounts into a single bucket. Customers will also learn about how they can use the user activity logs to meet the logging guidelines/requirements of different compliance standards. AWS Advanced Technology Partners Splunk/Sumologic (exact partners TBD) will demonstrate applications for analyzing user activity within an AWS account.
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations (Amazon Web Services)
Are you interested in becoming an expert in managing access to your AWS resources? Have you ever wondered how to best scope down permissions for least privilege access? Do you have multiple AWS accounts and need to know how to manage access to resources centrally? In this session, we take an in-depth look at AWS Identity and Access Management (IAM) and AWS Organizations. You will learn how to quickly create IAM policies to manage fine-grained access to your resources. Throughout the session, we will cover common use cases, such as how to grant a user access to an Amazon S3 bucket or permissions to launch an Amazon EC2 instance of a specific type. You will also learn how to create and use Service Control Policies (SCPs) through Organizations to manage AWS service use across all your accounts centrally.
Serverless architectures can eliminate the need to provision and manage servers required to process files or streaming data in real time. In this session, we will cover the fundamentals of using AWS Lambda to process data from sources such as Amazon DynamoDB Streams, Amazon Kinesis, and Amazon S3. We will walk through sample use cases for real-time data processing and discuss best practices on using these services together. We will then run a live demonstration of how to set up a real-time stream processing solution using just Amazon Kinesis and AWS Lambda, all without the need to run or manage servers.
Learning Objectives:
• Learn the fundamentals of using AWS Lambda with various AWS data sources
• Understand best practices of using AWS Lambda with Amazon Kinesis
Who Should Attend:
• Developers
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration... (Amazon Web Services)
Enterprises trying to deploy infrastructure to the cloud and independent software companies trying to deliver a service have similar problems to solve. They need to know how to create an environment in AWS that enforces least-privilege access between components while also allowing administration and change management. Amazon Elastic Compute Cloud (EC2) and Identity and Access Management (IAM), coupled with services like AWS Security Token Service (STS), offer the necessary building blocks. In this session, we walk through some of the mechanisms available to control access in an Amazon Virtual Private Cloud (VPC). Next, we focus on using IAM and STS to create a least-privilege access model. Finally, we discuss auditing strategies to catch common mistakes and discuss techniques to audit and maintain your infrastructure.
DevOps for the Enterprise: Automated Testing and Monitoring (Amazon Web Services)
This document summarizes an episode of a DevOps webinar series about enabling business agility through automated testing and monitoring. It discusses using AWS CloudFormation to automatically create test environments and AWS OpsWorks for automated deployments. This allows for on-demand test environments. It also discusses using CloudWatch alarms to monitor for failures, simulating extreme situations for crisis preparation, and replaying network activity and failures to test systems. The importance of validation, debriefing, and testing assumptions in a production-like environment is emphasized.
This document discusses encryption options available in AWS. It begins by describing the cryptographic concepts of keys, algorithms, and data, as well as encryption in transit versus encryption at rest. It then provides details on encryption options for network infrastructure, VPC gateways, regions, availability zones, and elastic instances. Encryption at rest options for S3, EBS, Redshift, RDS, and other services are also covered. The document concludes by discussing the AWS Key Management Service and how various SafeNet products integrate with AWS services to provide encryption.
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014 (Amazon Web Services)
This document summarizes a talk on building AWS partner applications using IAM roles. It discusses using the AssumeRole API to access AWS resources across accounts with temporary credentials instead of long-term access keys. It also covers using an external ID parameter to prevent confused deputy attacks by verifying the account being accessed belongs to the user. The document provides code samples and recommends architectures that use least privilege and isolate privileged instances.
(SEC306) Turn on CloudTrail: Log API Activity in Your AWS Account | AWS re:In... (Amazon Web Services)
Sivakanth Mundru presented on Amazon Web Services CloudTrail. CloudTrail continuously records API calls made on AWS services and delivers log files to customers. The number of supported services has grown from 7 to over 30. CloudTrail logs can be used to determine who made a call, when, what action was performed, which resources were involved, and from/to where. It also records client errors, server errors, and authorization failures. Customers can aggregate logs across regions and accounts.
February 2016 Webinar Series - Introducing VPC Support for AWS Lambda (Amazon Web Services)
The document discusses introducing VPC support for AWS Lambda functions. It provides an overview of AWS Lambda and how it works, including being able to run code in response to events. It then discusses how Lambda functions can now access resources within a VPC, such as databases and data warehouses. It provides details on the new VPC configuration option and demonstrates accessing an ElastiCache cache behind a VPC from a Lambda function. It also includes best practices and things to remember when configuring Lambda functions for VPC access.
This document discusses implementing mandatory access control (MAC) on AWS accounts to improve security and compliance. It recommends:
1) Using SELinux on AWS instances to enforce immutable system policies even for root users.
2) Configuring Glacier Vault Lock for long-term log retention, which sets immutable access policies even account owners can't change.
3) Implementing cross-account access controls and write-only bucket policies to segregate access and logging for production, audit, and logging accounts.
4) Centralizing logs from multiple accounts in a single S3 bucket using cross-account policies and IAM roles to enforce separation of duties.
(SEC302) Delegating Access to Your AWS Environment | AWS re:Invent 2014 (Amazon Web Services)
Do you have multiple AWS accounts that you want to share resources across? Considering an AWS partner offering that requires access to your AWS account? Delegation is your friend! Come learn how you can easily and securely delegate access to users in other AWS accounts, 3rd parties, or even other AWS services using delegation options available in AWS Identity and Access Management (IAM).
With AWS, you can choose the right storage service, including Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Block Storage (Amazon EBS), for the right use case. This session shows the range of AWS choices—from object storage to block storage—that are available to you. The session will also include specifics about real-world deployments from customers who are using Amazon S3, Amazon EBS, Amazon Glacier, and AWS Storage Gateway.
(SEC312) Reliable Design & Deployment of Security & Compliance (Amazon Web Services)
No matter how you use AWS resources, you can design your AWS account to deliver a reliably secure and controlled environment. This session will focus on "Secure by Design" principles and show how you can configure the AWS environment to provide the reliable operation of security controls, such as:
Organizational governance
Asset inventory and control
Logical access controls
Operating system configuration
Database security
Applications security configurations
This session will focus on using AWS security features to architect secure and auditable environments from the capabilities of AWS cloud services such as AWS Identity and Access Management (IAM), Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block Storage (EBS), Amazon S3, Amazon Virtual Private Cloud (VPC), Amazon Machine Images (AMIs), and AWS CloudFormation templates. The session will include demonstrations with the governance perspective in mind and discuss how AWS technology can be used to create a secure and auditable environment.
This document provides an overview of AWS Identity and Access Management (IAM) access control policies, including:
- The goals of understanding the IAM policy language, common tasks, and doing a lab demonstration.
- An explanation of the basic components of a IAM policy including statements, actions, resources, principals, and conditions.
- Examples of specifying principals, actions, resources, and conditions in policy statements.
- Details on policy variables and resource-based policies attached directly to AWS services like S3 buckets.
- An invitation to ask questions and move to the lab portion of the demonstration.
AWS CloudFormation lets you model, provision, and update a collection of AWS resources with JSON templates. You can manage your Infrastructure as Code and deploy stacks from a single Amazon EC2 instance to multi-tier applications. In this session, we will explore CloudFormation best practices in planning and provisioning your AWS infrastructure. We will cover recent product updates that will help users to make the most of this service and demonstrate new features. This session will benefit both new and experienced users of CloudFormation.
If you are new to AWS CloudFormation, get up to speed for this session by completing the Working with CloudFormation lab in the self-paced Labs Lounge.
- SmartNews uses stream processing to deliver news quickly as the lifetime of news articles is very short. Kinesis Streams play an important role in processing user activity streams and metrics in near real-time.
- Data is ingested using Kinesis Producer and Consumer Libraries and processed using Spark Streaming to generate metrics for ranking articles. Metrics are stored in DynamoDB.
- An ETL workflow is used to transform log data and perform machine learning tasks to cluster users. PipelineDB is also used for real-time analytics on streams.
Mastering Access Control Policies (SEC302) | AWS re:Invent 2013 (Amazon Web Services)
This document provides an overview of mastering access control policies in AWS. It discusses goals of understanding how to secure AWS resources and learn the policy language. It then covers key aspects of identity and access management (IAM) including why IAM is important, how it provides granular control, and the anatomy of the policy language. Specific examples are given for policy elements like principal, action, resource, and conditions. It also demonstrates how to use policy variables and provides examples of locking down access to Amazon EC2 instances and DynamoDB tables.
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r... (Amazon Web Services)
AWS Config is a new cross-resource service that allows you to discover your resources, how they're configured, and how these configurations changed over time. The service defines and captures relationships and dependencies between resources, helping you determine if a change to one resource affects other resources.
This document provides an agenda and overview for a workshop on connecting to AWS IoT. It discusses AWS IoT features like protocols, security, device shadows, and the AWS IoT button. It also provides steps to configure an IoT button and connect a device using the AWS IoT SDK, including creating certificates and policies. Examples are shown for subscribing to button presses with MQTT, invoking a Lambda function from a button press, and updating a device shadow to control simulated GPIOs on a device.
This session will introduce best practices for IoT security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. As a result, you are able to scale and innovate, while maintaining a secure environment.
AWS DevDay San Francisco, June 21, 2016.
Presenter: Rameez Loladia
AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Inven...Amazon Web Services
Customers using AWS resources such as EC2 instances, EC2 Security Groups and RDS instances would like to track changes made to such resources and who made those changes. In this session, customers will learn about gaining visibility into user activity in their account and aggregating logs across multiple accounts into a single bucket. Customers will also learn about how they can use the user activity logs to meet the logging guidelines/requirements of different compliance standards. AWS Advanced Technology Partners Splunk/Sumologic (exact partners TBD) will demonstrate applications for analyzing user activity within an AWS account.
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsAmazon Web Services
Are you interested in becoming an expert in managing access to your AWS resources? Have you ever wondered how to best scope down permissions for least privilege access? Do you have multiple AWS accounts and need to know how to manage access to resources centrally? In this session, we take an in-depth look at AWS Identity and Access Management (IAM) and AWS Organizations. You will learn how to quickly create IAM policies to manage fine-grained access to your resources. Throughout the session, we will cover common use cases, such as how to grant a user access to an Amazon S3 bucket or permissions to launch an Amazon EC2 instance of a specific type. You will also learn how to create and use Service Control Policies (SCPs) through Organizations to manage AWS service use across all your accounts centrally.
Serverless architectures can eliminate the need to provision and manage servers required to process files or streaming data in real time. In this session, we will cover the fundamentals of using AWS Lambda to process data from sources such as Amazon DynamoDB Streams, Amazon Kinesis, and Amazon S3. We will walk through sample use cases for real-time data processing and discuss best practices on using these services together. We will then demonstrate run a live demonstration on how to set up a real-time stream processing solution using just Amazon Kinesis and AWS Lambda, all without the need to run or manage servers.
Learning Objectives:
• Learn the fundamentals of using AWS Lambda with various AWS data sources
• Understand best practices of using AWS Lambda with Amazon Kinesis
Who Should Attend:
• Developers
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...Amazon Web Services
Enterprises trying to deploy infrastructure to the cloud and independent software companies trying to deliver a service have similar problems to solve. They need to know how to create an environment in AWS that enforces least-privilege access between components while also allowing administration and change management. Amazon Elastic Cloud Compute (EC2) and Identity and Access Management (IAM), coupled with services like AWS Security Token Service (STS), offer the necessary building blocks. In this session, we walk through some of the mechanisms available to control access in an Amazon Virtual Private Cloud (VPC). Next, we focus on using IAM and STS to create a least-privilege access model. Finally, we discuss auditing strategies to catch common mistakes and discuss techniques to audit and maintain your infrastructure.
DevOps for the Enterprise: Automated Testing and Monitoring Amazon Web Services
This document summarizes an episode of a DevOps webinar series about enabling business agility through automated testing and monitoring. It discusses using AWS CloudFormation to automatically create test environments and AWS OpsWorks for automated deployments. This allows for on-demand test environments. It also discusses using CloudWatch alarms to monitor for failures, simulating extreme situations for crisis preparation, and replaying network activity and failures to test systems. The importance of validation, debriefing, and testing assumptions in a production-like environment is emphasized.
This document discusses encryption options available in AWS. It begins by describing the cryptographic concepts of keys, algorithms, and data, as well as encryption in transit versus encryption at rest. It then provides details on encryption options for network infrastructure, VPC gateways, regions, availability zones, and elastic instances. Encryption at rest options for S3, EBS, Redshift, RDS, and other services are also covered. The document concludes by discussing the AWS Key Management Service and how various SafeNet products integrate with AWS services to provide encryption.
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014Amazon Web Services
This document summarizes a talk on building AWS partner applications using IAM roles. It discusses using the AssumeRole API to access AWS resources across accounts with temporary credentials instead of long-term access keys. It also covers using an external ID parameter to prevent confused deputy attacks by verifying the account being accessed belongs to the user. The document provides code samples and recommends architectures that use least privilege and isolate privileged instances.
(SEC306) Turn on CloudTrail: Log API Activity in Your AWS Account | AWS re:In...Amazon Web Services
Sivakanth Mundru presented on Amazon Web Services CloudTrail. CloudTrail continuously records API calls made on AWS services and delivers log files to customers. The number of supported services has grown from 7 to over 30. CloudTrail logs can be used to determine who made a call, when, what action was performed, which resources were involved, and from/to where. It also records client errors, server errors, and authorization failures. Customers can aggregate logs across regions and accounts.
February 2016 Webinar Series - Introducing VPC Support for AWS LambdaAmazon Web Services
The document discusses introducing VPC support for AWS Lambda functions. It provides an overview of AWS Lambda and how it works, including being able to run code in response to events. It then discusses how Lambda functions can now access resources within a VPC, such as databases and data warehouses. It provides details on the new VPC configuration option and demonstrates accessing an ElastiCache cache behind a VPC from a Lambda function. It also includes best practices and things to remember when configuring Lambda functions for VPC access.
This document discusses implementing mandatory access control (MAC) on AWS accounts to improve security and compliance. It recommends:
1) Using SELinux on AWS instances to enforce immutable system policies even for root users.
2) Configuring Glacier Vault Lock for long-term log retention, which sets immutable access policies even account owners can't change.
3) Implementing cross-account access controls and write-only bucket policies to segregate access and logging for production, audit, and logging accounts.
4) Centralizing logs from multiple accounts in a single S3 bucket using cross-account policies and IAM roles to enforce separation of duties.
(SEC302) Delegating Access to Your AWS Environment | AWS re:Invent 2014 - Amazon Web Services
Do you have multiple AWS accounts that you want to share resources across? Considering an AWS partner offering that requires access to your AWS account? Delegation is your friend! Come learn how you can easily and securely delegate access to users in other AWS accounts, 3rd parties, or even other AWS services using delegation options available in AWS Identity and Access Management (IAM).
With AWS, you can choose the right storage service, including Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Block Storage (Amazon EBS), for the right use case. This session shows the range of AWS choices, from object storage to block storage, that are available to you. The session will also include specifics about real-world deployments from customers who are using Amazon S3, Amazon EBS, Amazon Glacier, and AWS Storage Gateway.
(SEC312) Reliable Design & Deployment of Security & Compliance - Amazon Web Services
No matter how you use AWS resources, you can design your AWS account to deliver a reliably secure and controlled environment. This session will focus on "Secure by Design" principles and show how you can configure the AWS environment to provide the reliable operation of security controls, such as:
Organizational governance
Asset inventory and control
Logical access controls
Operating system configuration
Database security
Application security configurations
This session will focus on using AWS security features to architect a secure and auditable environment with the capabilities of AWS cloud services such as AWS Identity and Access Management (IAM), Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block Storage (EBS), Amazon S3, Amazon Virtual Private Cloud (VPC), Amazon Machine Images (AMIs), and AWS CloudFormation templates. The session will include demonstrations with the governance perspective in mind and discuss how AWS technology can be used to create a secure and auditable environment.
This document provides an overview of AWS Identity and Access Management (IAM) access control policies, including:
- The goals of understanding the IAM policy language, common tasks, and doing a lab demonstration.
- An explanation of the basic components of an IAM policy, including statements, actions, resources, principals, and conditions.
- Examples of specifying principals, actions, resources, and conditions in policy statements.
- Details on policy variables and resource-based policies attached directly to AWS services like S3 buckets.
- An invitation to ask questions and move to the lab portion of the demonstration.
AWS CloudFormation lets you model, provision, and update a collection of AWS resources with JSON templates. You can manage your Infrastructure as Code and deploy stacks from a single Amazon EC2 instance to multi-tier applications. In this session, we will explore CloudFormation best practices in planning and provisioning your AWS infrastructure. We will cover recent product updates that will help users to make the most of this service and demonstrate new features. This session will benefit both new and experienced users of CloudFormation.
If you are new to AWS CloudFormation, get up to speed for this session by completing the Working with CloudFormation lab in the self-paced Labs Lounge.
- SmartNews uses stream processing to deliver news quickly as the lifetime of news articles is very short. Kinesis Streams play an important role in processing user activity streams and metrics in near real-time.
- Data is ingested using Kinesis Producer and Consumer Libraries and processed using Spark Streaming to generate metrics for ranking articles. Metrics are stored in DynamoDB.
- An ETL workflow is used to transform log data and perform machine learning tasks to cluster users. PipelineDB is also used for real-time analytics on streams.
Mastering Access Control Policies (SEC302) | AWS re:Invent 2013 - Amazon Web Services
This document provides an overview of mastering access control policies in AWS. It discusses goals of understanding how to secure AWS resources and learn the policy language. It then covers key aspects of identity and access management (IAM) including why IAM is important, how it provides granular control, and the anatomy of the policy language. Specific examples are given for policy elements like principal, action, resource, and conditions. It also demonstrates how to use policy variables and provides examples of locking down access to Amazon EC2 instances and DynamoDB tables.
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r... - Amazon Web Services
AWS Config is a new cross-resource service that allows you to discover new resources, how they're configured, and how these configurations changed over time. The service defines and captures relationships and dependencies between resources, helping you determine if a change to one resource affects other resources.
This document provides an agenda and overview for a workshop on connecting to AWS IoT. It discusses AWS IoT features like protocols, security, device shadows, and the AWS IoT button. It also provides steps to configure an IoT button and connect a device using the AWS IoT SDK, including creating certificates and policies. Examples are shown for subscribing to button presses with MQTT, invoking a Lambda function from a button press, and updating a device shadow to control simulated GPIOs on a device.
This session will introduce best practices for IoT security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. As a result, you are able to scale and innovate, while maintaining a secure environment.
AWS DevDay San Francisco, June 21, 2016.
Presenter: Rameez Loladia
AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. This webinar will introduce the best practices for IoT Security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used not only to securely build and provision devices, but also to integrate devices with other AWS services to create secure solutions.
Learning Objectives:
• Common IoT Thing Management Issues
• Learn about AWS IoT Security and Access Control Mechanisms
• Build Secure interactions with the AWS Cloud
Who Should Attend:
• Technical Decision Makers, Developers, Makers
Security in the Internet Of Things.
Every IoT project must be designed with security in mind. Identity Relationship Management is a must for a successful IoT implementation.
Sensitive customer data needs to be protected throughout AWS. This session discusses the options available for encrypting data at rest in AWS. It focuses on several scenarios, including transparent AWS management of encryption keys on behalf of the customer to provide automated server-side encryption and customer key management using partner solutions or AWS CloudHSM. This session is helpful for anyone interested in protecting data stored in AWS.
AWS Summit 2013 | India - Petabyte Scale Data Warehousing at Low Cost, Abhish... - Amazon Web Services
Amazon Redshift is a fast and powerful, fully managed, petabyte-scale data warehouse service in the cloud. In this session we'll give an introduction to the service and its pricing before diving into how it delivers fast query performance on data sets ranging from hundreds of gigabytes to a petabyte or more.
Amazon Aurora is a MySQL-compatible database engine that combines the speed and availability of high-end commercial databases with the simplicity and cost-effectiveness of open source databases. The service is now in preview. Come to our session for an overview of the service and learn how Aurora delivers up to five times the performance of MySQL yet is priced at a fraction of what you'd pay for a commercial database with similar performance and availability.
This session will introduce best practices for IoT security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. As a result, you are able to scale and innovate, while maintaining a secure environment.
IoT Security: Problems, Challenges and Solutions - Liwei Ren (任力偉)
As a novel computing platform in the network, IoT will bring many security challenges to enterprise networks and create new opportunities for the security industry. This talk will provide a general overview of enterprise network security problems, especially data security problems, caused by IoT. After that, a few existing security technologies are evaluated as necessary elements of a holistic network security that covers IoT devices. These technologies include: (a) IoT security monitoring and control; (b) FOTA for firmware vulnerability management; (c) NetFlow based big data security analysis. In the end, the practice of standard security protocols (such as OpenIoC and IODEF) will be strongly advocated for delivering effective IoT security solutions.
This document discusses security considerations for M2M and IoT systems. It notes that security must be implemented holistically across the entire architecture, including at the device, communication, and application layers. PKI is recommended for authentication. The document outlines various threats and motivations for attackers. It then describes Eurotech's Everyware IoT security elements, which include X.509 certificate management, encrypted and authenticated messaging using MQTT, tenant segregation, secure access to interfaces and consoles, a secure execution environment on devices and platforms, and remote management using VPN. Auditing and penetration testing are also performed.
The document discusses privacy and security issues related to the Internet of Things. It defines the IoT as a network of interconnected objects that can collect and process data. This introduces privacy concerns as objects can reveal personal information about individuals. There are also security concerns as objects are small and vulnerable. The document examines the data protection challenges this poses and the requirements needed to ensure privacy and security, such as privacy by design. It outlines ENISA's work supporting stakeholders in translating legal requirements into technical solutions for the IoT.
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302) - Amazon Web Services
Only a year ago we launched AWS IoT, and at re:Invent we showed how AWS IoT makes it easy to secure millions of connected devices. However, we have learned from our customers that a number of unique security challenges for the Internet of Things (IoT) exist.
Dive deep into AWS IoT end-to-end security mechanisms, MQTT and device secure communication, mutual TLS authentication, thing identity, security processes and authorization using AWS roles and policies.
More and more IoT vulnerabilities are found and showcased at security events. From connected thermostats to power plants!
Insecurity became the favorite subject for creating catchy IoT headlines: "Connected killer toaster", "Fridges changed into spamming machines","Privacy concerns around connected home".
We will explore the five challenges one has to face when building a secure IoT solution:
- hardware security: how to avoid rogue firmware and keep your security keys safe?
- upgrade strategy: you can't secure what you can't update!
- secure transport: no security without secure transports.
- security credentials distribution: how to distribute security keys to a fleet with millions of devices?
- cloud vulnerability mitigation: how to keep your fleet of devices safe from the next Heartbleed?
Current enterprise infrastructure provides solutions for handling application security but are they really matching the IoT challenge? Could running a PKI client on a low power wireless sensor node be an option?
Despite those difficulties, we will show how a modern IoT device management standard like Lightweight M2M with DTLS is the way to build security-first IoT solutions. It provides a solution for upgrading your devices and distributing your security keys, and comes with a full range of cryptographic cipher suites, from PSK algorithms for very constrained devices to a high level of security using X.509 certificates.
Furthermore, to add security to your solution, we will present ready-to-use open source libraries for implementing secure IoT servers and devices: the way to quickly release your next catchy connected product!
Ultimately we will showcase Wakaama and Leshan, the Eclipse IoT Lightweight M2M implementations, which may be your next best friends in the troubled waters of Internet-of-Things security!
Internet of Things (IoT) will enable dramatic society transformation. This seminar presents an introduction to the IoT and explains why IoT Security is important.
Then it presents security issues in wireless sensor networks that constitute a main ingredient of IoT.
Seminar given at Centre Tecnològic de Telecomunicacions de Catalunya (CTTC) on 28 January 2015.
Programming the Physical World with Device Shadows and Rules Engine - Amazon Web Services
This document discusses AWS IoT Device Shadows and Rules Engine. It provides an overview of how shadows store and sync the reported and desired states of IoT devices. Rules Engine allows filtering and routing messages to other systems like S3, DynamoDB, Elasticsearch. The document includes examples of using shadows and rules to analyze data from a wind farm application. It highlights that shadows enable setting device state when offline and rules help store and integrate large IoT data volumes with big data services.
Amazon Redshift is a fast, fully managed data warehousing service that allows customers to analyze petabytes of structured data, at one-tenth the cost of traditional data warehousing solutions. It provides massively parallel processing across multiple nodes, columnar data storage for efficient queries, and automatic backups and recovery. Customers have seen up to 100x performance improvements over legacy systems when using Redshift for applications like log and clickstream analytics, business intelligence reporting, and real-time analytics.
The Internet of Things covers every household or handheld device that is used to make our world easier and better, is connected over IP, and transmits data.
This slide deck covers an IoT description, the OWASP Top 10 2014 and its recommendations.
This document discusses security best practices for connecting IoT devices to AWS IoT. It recommends using TLS mutual authentication with X.509 certificates to securely connect devices. AWS IoT supports MQTT and HTTP protocols. Strong identity is ensured by generating unique certificates per device. Fine-grained access control is provided by attaching authorization policies to certificates. Mobile applications can also securely access devices via AWS Cognito identity pools.
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013 - Amazon Web Services
For businesses running entirely on AWS, your AWS account is one of your most critical assets. Just as you might run an intrusion detection system in your on-premises network, you should monitor activity in your account to detect abnormal behavior. This session walks you through leveraging unique capabilities provided within AWS that enable you to detect and respond to changes in your environment.
This document provides best practices for security in IoT applications using AWS services. It discusses using mutual TLS for secure communication between devices and AWS IoT, generating and provisioning device certificates, revoking certificates, and implementing fine-grained authorization policies for devices, applications, and users. It also describes using Cognito for authenticating mobile users and associating them with IoT devices and policies.
February 2016 Webinar Series - Best Practices for IoT Security in the Cloud - Amazon Web Services
AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices.
This webinar will introduce the best practices for IoT Security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. This allows you to build interesting, meaningful applications while owning little to no infrastructure.
Learning Objectives:
Common Internet of Things security issues
AWS IoT Security and Access Control Mechanisms
Build secure interactions with the AWS Cloud
Who Should Attend:
Developers, makers
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things - Amazon Web Services
AWS IoT is a new managed service that enables Internet-connected things (sensors, actuators, devices, and applications) to easily and securely interact with each other and the cloud. This talk will introduce the security and access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. This allows you to build interesting, meaningful applications while owning little to no infrastructure.
This webinar discusses authentication, authorization, and communication using AWS IoT device shadows. It provides an overview of the AWS IoT components and protocols for connecting devices and applications. It also covers creating certificates, policies for controlling data access, and demonstrates how to set up and interact with a device shadow.
The document provides an overview of AWS IoT including:
- What AWS IoT is and how it securely connects devices to AWS and applications
- Key components like the device SDK, gateway, rules engine, shadow, and registry
- Examples of how AWS IoT can be used for device management, rules processing, and integrating devices with AWS services and applications.
A Cloud Security Ghost Story - Craig Balding (craigbalding)
This document provides an overview of cloud security presented by Craig Balding. Some key points include:
- Cloud computing introduces new security challenges compared to traditional IT due to multi-tenancy, elasticity, and other service models.
- There are different service models for cloud computing including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
- Public clouds like Amazon Web Services (AWS) and Google App Engine provide IaaS and PaaS offerings, while Salesforce is an example of a SaaS provider.
- Security challenges in the cloud include visibility & control, compliance, and integration with existing security tools and practices.
Essential Capabilities of an IoT Cloud Platform - AWS Online Tech Talks - Amazon Web Services
Learning Objectives:
- Learn what core capabilities are necessary for a successful IoT cloud platform
- Understand how the core capabilities work together
- Learn what and how standards are beginning to take shape
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ... - Amazon Web Services
This session covers what a real-world production deployment of a fully automated deployment pipeline looks like with instances that are deployed without SSH keys. By leveraging AWS CloudFormation along with Docker and AWS CodeDeploy, we show how we achieved semi-immutable and fully immutable infrastructures, and what the challenges and remediations were.
Essential Capabilities of an IoT Cloud Platform - April 2017 AWS Online Tech ... - Amazon Web Services
Learning Objectives:
• Learn what core capabilities are necessary for a successful IoT cloud platform
• Understand how the core capabilities work together
• Learn what and how standards are beginning to take shape
As with any other trend in the history of computer software, IoT is being powered by a new generation of cloud platforms. In this tech talk, we will identify and explain what to look for when evaluating an IoT cloud platform to ensure a successful deployment of IoT strategies. Learn what core capabilities are necessary to look for when choosing an IoT cloud platform.
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud... - RootedCON
Incident Response and Forensic Analysis procedures are different in the cloud from those carried out in traditional, on-premises environments. We will look at the differences between traditional digital forensics and forensics on systems in the AWS, Azure or Google Compute Platform clouds. When dealing with the cloud, in a fully virtual environment, we face challenges that differ from the traditional world. What used to be hardware is now software. With cloud infrastructure providers we work with APIs; we create, delete or modify any resource with a call to their API. We have load balancers, servers, routers, firewalls, databases, WAFs, encryption systems and many more resources without opening a box or touching a cable. At the stroke of a command. This is what we know as Infrastructure as Code. If you can program it, you can automate it. How can we take advantage of this from the point of view of incident response, forensic analysis or even automated hardening?
Security in IaaS, attacks, hardening, incident response, forensics and all about its automation. Although I will talk about general concepts related to AWS, Azure and GCP, I will show specific demos and threats in AWS and I will go into detail on some caveats and hazards in AWS.
Jason Chan gave a presentation on AWS security at SAINTCON 2014. He began with an overview of typical AWS setups and then focused on three main areas: shared responsibility between AWS and customers, access controls and permissions, and account segregation. For each area, he provided tips on best practices as well as potential security traps to avoid. He also discussed tools for monitoring AWS security configurations and activity, such as CloudTrail, Trusted Advisor, and the Edda service created at Netflix.
Steve Riley, Sr. Technical Program Manager at Amazon Web Services, led this session at the RightScale User Conference 2010 in Santa Clara.
Session Abstract: Moving to the cloud raises lots of questions, mostly about security. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. In this session, we'll discuss common cloud security concerns, show how AWS protects its infrastructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud.
This document provides an overview of an advanced AWS IoT training session. The agenda includes recaps of AWS IoT foundations, a discussion of the device registry, security features, SDKs, and AWS IoT Button and GreenGrass. It describes components like rules engines, device shadows and gateways. Demo sessions are planned on the registry, security, SDKs and IoT Button. Pricing details are given for AWS IoT GreenGrass cores. The training aims to help attendees master advanced AWS IoT topics.
AWS lets you build a wide range of Internet of Things (IoT) services to meet customer needs using its many service building blocks. In this online seminar we cover the key concepts of the AWS IoT service together with IoT service implementation patterns for typical internet-connected devices and smart homes. To that end, we examine cost-efficient and scalable architectures through patterns such as data state management, data analytics and resource management.
By also looking at the architecture case of iRobot, which combines serverless building blocks such as AWS Lambda, API Gateway and DynamoDB with AWS IoT, you can gain insight into implementing and migrating IoT-based services.
AWS October Webinar Series - Getting Started with AWS IoT - Amazon Web Services
AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices.
In this webinar, we will discuss how constrained devices can leverage AWS IoT to send data to the cloud and receive commands back from the cloud using the protocol of their choice. We will discuss how devices can securely connect using the MQTT and HTTP protocols, and how developers and businesses can leverage features of AWS IoT like Thing Shadows and Rules Engine to build a real connected product.
You have already started connecting your devices to AWS IoT. You can control them from the cloud. And you can collect, store and analyse data from all your devices in the cloud. So far so good, but you now need to build an architecture that will serve millions of users and devices concurrently.
In this session, Jan will explain how you can build a real world IoT architecture that serves millions of devices. The talk will focus on user and device onboarding, device and user access management, message exchange and end user access to live and historical data stored in the cloud.
Learning objectives:
- Learn simple steps to build a real-world IoT architecture that serves millions of devices
- Understand how to onboard and manage users and IoT devices and how to access live and historical data in the cloud
The document provides an overview of AWS IoT including:
- Connecting devices through SDKs and managing things in the device registry.
- Using the MQTT protocol for device communication and publishing/subscribing to topics.
- Defining rules to route messages between IoT and other AWS services like DynamoDB.
- Enabling CloudWatch Logs to debug IoT applications.
HLC302 Adopting Microservices in Healthcare: Building a Compliant DevOps Pipel... - Amazon Web Services
Healthcare organizations are rapidly adopting container technology to drive innovation. In this session, join Horizon Blue Cross Blue Shield of New Jersey and ClearDATA to learn about how to integrate Amazon ECS into your deployment pipeline while maintaining compliance for healthcare workloads, how to harden container environments for sensitive workloads, and how to leverage AWS tooling and microservices to provide new views and analysis for data stored in on-premises data centers.
How to build Forecasting services leveraging ML algorithms and deep learn... - Amazon Web Services
Forecasting is an important process for a great many companies and is used in various fields to try to accurately predict the growth and distribution of a product, the use of the resources needed on production lines, financial presentations and much more. Amazon uses advanced forecasting techniques, and some of these services have been made available to all AWS customers.
In this session we will show how to pre-process data that contains a time component and then use an algorithm that, starting from the type of data analysed, produces an accurate forecast.
Big Data for Startups: how to build Big Data applications in Server... mode - Amazon Web Services
The variety and quantity of data created every day is accelerating ever faster and represents an unrepeatable opportunity to innovate and create new startups.
However, managing large amounts of data can seem complex: building large-scale Big Data clusters looks like an investment only established companies can afford. But the elasticity of the Cloud and, in particular, Serverless services let us break through these limits.
So let's see how it is possible to develop Big Data applications quickly, without worrying about the infrastructure, dedicating all our resources to developing our ideas to create innovative products.
You can now use Amazon Elastic Kubernetes Service (EKS) to run Kubernetes pods on AWS Fargate, the serverless compute engine built for containers on AWS. This makes it easier than ever to build and run your Kubernetes applications in the AWS cloud. In this session we will present the main features of the service and how to deploy your application in a few steps.
Twenty years ago Amazon went through a radical transformation with the goal of increasing the pace of innovation. In that period we learned how changing our approach to application development allowed us to greatly increase agility and release velocity and, ultimately, let us build more reliable and scalable applications. In this session we will explain how we define modern applications and how building modern apps affects not only the application architecture but also the organizational structure, the development release pipelines and even the operating model. We will also describe common approaches to modernization, including the approach used by Amazon.com itself.
How to spend up to 90% less with containers and spot instances - Amazon Web Services
Container usage is growing continuously.
If designed correctly, Container-based applications are very often stateless and flexible.
The AWS ECS, EKS and Kubernetes on EC2 services can take advantage of Spot instances, leading to an average saving of 70% compared to On Demand instances. In this session we will discover together the characteristics of Spot instances and how they can be used easily on AWS. We will also learn how Spreaker uses spot instances to run applications of different kinds, in production, at a fraction of the on-demand cost!
In recent months, many customers have been asking us the question – how to monetise Open APIs, simplify Fintech integrations and accelerate adoption of various Open Banking business models. Therefore, AWS and FinConecta would like to invite you to Open Finance marketplace presentation on October 20th.
Event Agenda:
Open banking so far (short recap)
• PSD2, OB UK, OB Australia, OB LATAM, OB Israel
Intro to Open Finance marketplace
• Scope
• Features
• Tech overview and Demo
The role of the Cloud
The Future of APIs
• Complying with regulation
• Monetizing data / APIs
• Business models
• Time to market
One platform for all: a Strategic approach
Q&A
Make your startup's offering unique on the market with Machine Lea... services - Amazon Web Services
To create value and build their own differentiating and recognizable offering, successful startups know how to combine established technologies with innovative components built ad hoc.
AWS provides ready-to-use services and, at the same time, lets you customize and create the differentiating elements of your own offering.
Focusing on Machine Learning technologies, we will see how to select the artificial intelligence services offered by AWS and, also through a demo, how to build custom Machine Learning models using SageMaker Studio.
OpsWorks Configuration Management: automate the management and deployments of the... - Amazon Web Services
With the traditional approach to IT it was difficult for many years to implement DevOps techniques, which until now have often involved manual activities, leading from time to time to application downtime that interrupted users' operations. With the advent of the cloud, DevOps techniques are now within everyone's reach at low cost for any kind of workload, guaranteeing greater system reliability and resulting in significant business continuity improvements.
AWS provides AWS OpsWorks as a Configuration Management tool that aims to automate and simplify the management and deployment of EC2 instances by means of Chef and Puppet workloads.
Find out how to leverage AWS OpsWorks to guarantee the reliability of your application installed on EC2 Instances.
Microsoft Active Directory on AWS to support your Windows WorkloadsAmazon Web Services
Do you want to know the options for running Microsoft Active Directory on AWS? When moving Microsoft workloads to AWS, it is important to consider how to deploy Microsoft Active Directory to support group policy management, authentication and authorization. In this session, we will discuss the options for deploying Microsoft Active Directory on AWS, including AWS Directory Service for Microsoft Active Directory and deploying Active Directory on Windows on Amazon Elastic Compute Cloud (Amazon EC2). We cover topics such as integrating your on-premises Microsoft Active Directory environment into the cloud and using SaaS applications, such as Office 365, with AWS Single Sign-On.
From facial recognition to the detection of fraud or manufacturing defects, image and video analysis using artificial intelligence techniques is evolving and being refined at a rapid pace. In this webinar we will explore the possibilities offered by AWS services for applying state-of-the-art computer vision techniques to real-world scenarios.
Amazon Web Services and VMware are organizing a free virtual event next Wednesday, 14 October, from 12:00 to 13:00 dedicated to VMware Cloud™ on AWS, the on-demand service that lets you run applications in VMware vSphere®-based cloud environments and access a wide range of AWS services, taking full advantage of the AWS cloud while protecting existing VMware investments.
Many organizations take advantage of the cloud by migrating their Oracle workloads, securing significant gains in agility and cost efficiency.
Migrating these workloads can create complexity during application modernization and refactoring, and on top of this there are performance risks that can be introduced when moving applications out of on-premises data centers.
Build your first serverless ledger-based app with QLDB and NodeJSAmazon Web Services
Many companies today build applications with ledger-type functionality, for example to verify the history of credits or debits in banking transactions, or to track the supply chain flow of their products.
At the heart of these solutions are ledger databases, which provide a transparent, immutable and cryptographically verifiable transaction log, but they are complex and costly tools to manage.
Amazon QLDB removes the need to build custom, complex systems by providing a fully managed serverless ledger database.
In this session we will discover how to build a complete serverless application that uses QLDB's features.
With the rise of microservice architectures and rich mobile and web applications, APIs are more important than ever for offering end users an outstanding user experience. In this session we will learn how to tackle modern API design challenges with GraphQL, an open source API query language used by Facebook, Amazon and others, and how to use AWS AppSync, a managed serverless GraphQL service on AWS. We will dig into several scenarios, understanding how AppSync can help solve these use cases by creating modern APIs with real-time and offline data update capabilities.
We will also learn how Sky Italia uses AWS AppSync to deliver real-time sports updates to users of its web portal.
Oracle Databases and VMware Cloud™ on AWS: the myths to debunkAmazon Web Services
In these slides, AWS and VMware experts present simple, practical tips to ease and simplify the migration of Oracle workloads while accelerating the transformation towards the cloud; they dig into the architecture and demonstrate how to take full advantage of VMware Cloud™ on AWS.
1) The document discusses building a minimum viable product (MVP) using Amazon Web Services (AWS).
2) It provides an example of an MVP for an omni-channel messenger platform that was built from 2017 to connect ecommerce stores to customers via web chat, Facebook Messenger, WhatsApp, and other channels.
3) The founder discusses how they started with an MVP in 2017 with 200 ecommerce stores in Hong Kong and Taiwan, and have since expanded to over 5000 clients across Southeast Asia using AWS for scaling.
This document discusses pitch decks and fundraising materials. It explains that venture capitalists will typically spend only 3 minutes and 44 seconds reviewing a pitch deck. Therefore, the deck needs to tell a compelling story to grab their attention. It also provides tips on tailoring different types of decks for different purposes, such as creating a concise 1-2 page teaser, a presentation deck for pitching in-person, and a more detailed read-only or fundraising deck. The document stresses the importance of including key information like the problem, solution, product, traction, market size, plans, team, and ask.
This document discusses building serverless web applications using AWS services like API Gateway, Lambda, DynamoDB, S3 and Amplify. It provides an overview of each service and how they can work together to create a scalable, secure and cost-effective serverless application stack without having to manage servers or infrastructure. Key services covered include API Gateway for hosting APIs, Lambda for backend logic, DynamoDB for database needs, S3 for static content, and Amplify for frontend hosting and continuous deployment.
This document provides tips for fundraising from startup founders Roland Yau and Sze Lok Chan. It discusses generating competition to create urgency for investors, fundraising in parallel rather than sequentially, having a clear fundraising narrative focused on what you do and why it's compelling, and prioritizing relationships with people over firms. It also notes how the pandemic has changed fundraising, with examples of deals done virtually during this time. The tips emphasize being fully prepared before fundraising and cultivating connections with investors in advance.
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
This document discusses Amazon's machine learning services for building conversational interfaces and extracting insights from unstructured text and audio. It describes Amazon Lex for creating chatbots, Amazon Comprehend for natural language processing tasks like entity extraction and sentiment analysis, and how they can be used together for applications like intelligent call centers and content analysis. Pre-trained APIs simplify adding machine learning to apps without requiring ML expertise.
Amazon Elastic Container Service (Amazon ECS) is a highly scalable container management service that simplifies the management of Docker containers through an orchestration layer for controlling deployment and the related lifecycle. In this session we will present the main features of the service, the reference architectures for different workloads, and the simple steps needed to quickly migrate one or more of your containers.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfflufftailshop
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
A Comprehensive Guide to DeFi Development Services in 2024Intelisync
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and licensing under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help you with it!
We explain how to resolve common configuration problems that can lead to more users being counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary expenses, e.g. when a person document is used instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future as well.
These topics will be covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to use it best
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
29. Certificate Signing Request
Dear Certificate Authority,
I’d really like a certificate for %NAME%, as identified by
the keypair with public key %PUB_KEY%. If you could sign
a certificate for me with those parameters, it’d be super
spiffy.
Signed (Cryptographically),
- The holder of the private key
31. Actual Commands
$ openssl genrsa -out ThingKeypair.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
...+++
e is 65537 (0x10001)
$ openssl req -new -key ThingKeypair.pem -out Thing.csr
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:ACME
Organizational Unit Name (eg, section) []:Makers
Common Name (eg, your name or your server's hostname) []:John Smith
Email Address []:jsmith@acme.com
54. Takeaways
• Structure topics for permissions
• Make policies as restrictive as possible
• Wildcards can simplify policy management
• Rules can help with fine-grained permissions
59. Policy for Cognito with IoT
Cognito authenticated user identity pool role policy:
{
"Effect": "Allow",
"Action": [ "iot:Connect", "iot:Publish",
"iot:Subscribe", "iot:Receive",
"iot:GetThingShadow",
"iot:UpdateThingShadow" ],
"Resource": "*"
}
Specific policy for Joe IoT Cognito user:
{
"Effect": "Allow",
"Action": "iot:UpdateThingShadow",
"Resource": "arn:aws:iot:…:thing/joe-sprinkler123"
}
62. Overall Cognito “pairing” workflow
1. Create a Cognito identity pool
2. Customer signs in using mobile app
3. Associate their user with their devices
4. Create a scope-down policy in IoT for their user
5. Attach that policy to their Cognito user in IoT
Important: These steps apply to authenticated Cognito users only.
(NOT to unauthenticated!)
64. Managing fine-grained permissions
• One user may need permissions to many things
• "arn:aws:iot:…:thing/sprinkler123abc"
• "arn:aws:iot:…:thing/sprinkler456def"
• …
• Listing each is tedious
65. Best practice: Thing name prefixing
• Prefix thing name with logical owner
• sensor123abc -> joe-sensor123abc
• Aspen policy supports wildcards
• "arn:aws:iot:…:thing/sensor123abc"
• "arn:aws:iot:…:thing/sensor456def"
• …
• "arn:aws:iot:…:thing/joe-*"
66. Takeaways
• Application access is done through IAM roles/policies
• Cognito enables secure human control over IoT devices
• IoT scope-down policy supports fine-grained control
• Naming conventions simplify policy management
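To make the interaction between the identity pool role policy (slide 59) and the per-user scope-down policy with owner-prefixed thing names (slide 65) concrete, here is an added toy evaluator in POSIX shell; it is not code from the deck. It assumes constructed ARNs with REGION/ACCOUNT placeholders, models only Allow statements with the '*' wildcard, and applies the rule that a Cognito identity's request succeeds only when both the IAM role policy and the AWS IoT policy allow it.

```shell
#!/bin/sh
# Added example (not from the slides): evaluate "role policy AND IoT scope-down
# policy" for Joe's Cognito identity. Constructed ARNs use REGION/ACCOUNT
# placeholders; Deny statements and conditions are not modelled.

# Identity pool role policy from slide 59, as "action resource" lines.
ROLE_POLICY='iot:Connect *
iot:Publish *
iot:Subscribe *
iot:Receive *
iot:GetThingShadow *
iot:UpdateThingShadow *'

# Joe's AWS IoT scope-down policy using the owner-prefix convention of slide 65.
# Caveat: "joe-*" is a prefix match, so the prefix must belong to one owner only
# (a thing named "joe-alice-x" would also match).
JOE_IOT_POLICY='iot:UpdateThingShadow arn:aws:iot:REGION:ACCOUNT:thing/joe-*'

# Glob-style match: the unquoted case pattern lets '*' in the policy value match
# any run of characters, while the request value ($2) is compared literally.
matches() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# Does one policy grant (action, resource)? Every line is an Allow statement.
# The policy text is fed through a here-document, so '*' is never glob-expanded.
policy_allows() {
    action=$2; resource=$3
    while read -r p_action p_resource; do
        [ -z "$p_action" ] && continue
        if matches "$p_action" "$action" && matches "$p_resource" "$resource"; then
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# Effective permission for Joe: BOTH the role policy and Joe's IoT policy must allow.
joe_allowed() {
    policy_allows "$ROLE_POLICY" "$1" "$2" && policy_allows "$JOE_IOT_POLICY" "$1" "$2"
}

# Demo when run directly.
show() {
    if joe_allowed "$1" "$2"; then echo "ALLOW $1 $2"; else echo "DENY  $1 $2"; fi
}
ARN=arn:aws:iot:REGION:ACCOUNT:thing
show iot:UpdateThingShadow "$ARN/joe-sprinkler123"    # ALLOW
show iot:UpdateThingShadow "$ARN/joe-sensor456def"    # ALLOW via the joe-* wildcard
show iot:UpdateThingShadow "$ARN/alice-sprinkler123"  # DENY: not Joe's thing
show iot:GetThingShadow    "$ARN/joe-sprinkler123"    # DENY: role allows it, scope-down does not
```

Without the scope-down policy the role policy alone would allow Joe to update any thing in the account, which is exactly what the pairing workflow on slide 62 is there to prevent.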
Everyone has their own predictions for how the population of Things will grow. They’re all over the place, but one thing they agree on is that the population is going to grow.
It’s our belief that over time everything that can be internet connected will be. That’s “lots” of things, even by Amazon standards.
Clear text protocols – the foundation of the internet
Security isn’t one of these protocols
Temperatures, fuel levels, vibration amounts, noise levels, etc, etc.
IoT isn't free. You must have had some business goal in mind when you did this, something you wanted to achieve. In addition to protecting your data, that's what you're protecting: the decisions that are driven by your data.
Keep in mind the world changes. You are most likely collecting data that isn't "valuable" for making a decision today. When that changes a year down the road, you're going to have forgotten the security decisions you made about this data. Always assume this data will eventually be valuable.
The extent to which you protect your IoT deployment should be driven by the most expensive decision that you could make based on your IoT data, in addition to the native sensitivity of the data itself.
Even if attackers only gain access to eavesdrop on the data, without altering or removing any of it, they'll still have significant insight into your business.
Total of 6 locks.
A bunch of Things talking to AWS IoT. In reality, this will be millions or billions, but I got tired of cutting and pasting.
Blue arrows are things talking to AWS IoT.
Green arrows are other clients talking to AWS IoT.
Zoom in on the service, look inside.
We have Shadows of your Things. This is our control plane representation of your thing. This is where we store the metadata associated with all the Things you’ve registered with the service.
Shadows maintain state on your things. Intermittently connected things can still be queried when disconnected, you can still set state on them, and the service will take care of propagating the changes when the Thing reconnects.
Hex gobbledygook
This is not the result of me being a wizard. This is the result of me being able to download Wireshark. Tools to intercept, alter, spoof, or otherwise fold, spindle, or mutilate MQTT messages are trivial to build.
MQTT is explicitly a lightweight protocol that does not address security. There is nothing in this message that authenticates the caller, provides integrity, or provides confidentiality.
We need a mechanism outside of MQTT to help out here.
Anyone in this room can download the amazon.com certificate. It really is public data. Not just "not sensitive", but public. We send a copy of it to your browser every time you log in to Amazon. But that private key, that we’re going to protect very carefully. Possession of that key allows you to cryptographically prove your identity as Amazon.com.
In the AWS IoT world, everything MQTT is TLS 1.2, and with a restricted set of strong cipher suites.
Now that we’ve got TLS established and the server is authenticated, we have message integrity and confidentiality, but we have absolutely no idea who the client is. That’s why you have to sign in to your account when you go to amazon.com.
Mutual auth….
What do we need?
Certificate – identity, contains the public key
Private key – used to prove ownership of the certificate
Root CA
This is the quick and easy way to generate a cert for use with a Thing.
The private key has moved around the network.
We will forget it. That’s an important point. There is no API to download the private key again. We do not retain it.
Some hardware comes with the capability to generate a private key but that key can never leave the device.
This interaction with our service is done over TLS, this transaction is well protected, but the private key is still moving around. It’s on the disk on your laptop or whatever client you’re using, it must be handled carefully.
This is a standard mechanism used across the Internet. The CSR format is defined in PKCS#10, this is standard stuff, we didn’t make it up.
Note that the CSR includes the public key that we want to use. It does not contain the private key, it just contains cryptographic proof that we have the private key.
This means that the CSR is not a sensitive document. It can be moved across the network without concern for reducing the security of the system. A malicious attacker in possession of the CSR could at worst turn it into a valid certificate, which we’ve already said is public and can be freely distributed.
This dance is more complicated, but the end result is the same. The Thing has a cert and a private key, it’s ready to be a part of the AWS IoT ecosystem.
But, as a result of the extra complexity in this protocol, the private key has never moved from where it was generated. That makes it more likely that we’ll get the protocol right, that we won’t expose the private key.
The ultimate version of this protocol is one where the private key is stored in some cryptographic hardware key store on the Thing, and the private key cannot be extracted. In at least some cases, this keypair will be burned into the device in the factory.
Because we own the CA that is used for AWS IoT, and all certificate operations occur over authenticated AWS APIs, this is very amenable to automation, even at very high scale.
Fun fact: CAs are under no obligation to use any of the data included in your CSR. They can fill in anything they want to fill in.
We’re using certificates here because the libraries and software available work with certs. We don’t actually use any of the fields in the cert other than the DN (Distinguished Name), and we set that ourselves when we sign the cert.
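The CSR flow described above, including the CA assigning the DN itself rather than using what the request asked for, as an added example that is not the talk's or AWS's own code. It uses a throwaway local CA; every file name, the CA name and the device name are hypothetical, and it assumes the openssl CLI is installed.

```shell
# Added example (not from the talk): the PKCS#10 flow, run locally with openssl.
# "Device" side: generate a keypair that stays in $1 and a CSR that leaves it.
# Returns 0 only if the CSR's signature verifies against the public key it carries
# (proof of possession), which is what a CA checks before signing.
make_device_csr() {
  mkdir -p "$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/device.key"
  openssl req -new -key "$1/device.key" -subj "/CN=name-claimed-by-device" \
    -out "$1/device.csr"
  openssl req -in "$1/device.csr" -noout -verify 2>/dev/null
}

# "CA" side (a throwaway local CA): sign the CSR but assign the DN ourselves,
# ignoring the subject the device asked for, as the talk says AWS IoT does.
ca_sign() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
  openssl req -x509 -new -key "$1/ca.key" -subj "/CN=example-ca" -days 1 \
    -out "$1/ca.crt"
  touch "$1/index.txt"; echo 01 > "$1/serial"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = mini
[ mini ]
new_certs_dir = $1
database = $1/index.txt
serial = $1/serial
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 1
policy = anything
[ anything ]
commonName = supplied
EOF
  openssl ca -batch -notext -config "$1/ca.cnf" -subj "/CN=id-assigned-by-ca" \
    -in "$1/device.csr" -out "$1/device.crt" 2>/dev/null
}

# Checks to run after the flow: the CSR carries no private key material, the
# issued cert's CN is the CA's choice, and its public key is still the device's.
csr_has_no_private_key() { ! grep -q "PRIVATE KEY" "$1/device.csr"; }
cert_cn() { openssl x509 -in "$1/device.crt" -noout -subject | sed 's/.*CN *= *//'; }
pubkey_fingerprint() { openssl pkey -pubin -outform DER | openssl dgst -sha256; }
cert_key_is_device_key() {
  a=$(openssl x509 -in "$1/device.crt" -noout -pubkey | pubkey_fingerprint)
  b=$(openssl pkey -in "$1/device.key" -pubout | pubkey_fingerprint)
  [ "$a" = "$b" ]
}
```

Note that device.key is never read by anything on the CA side; only device.csr crosses the boundary, and only device.crt comes back.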
Fortunately AWS IoT offers several different approaches for certificate registration.
One approach leverages something called an Intermediate Signing Certificate to provision device certificates locally during the manufacturing process. This way your devices can leave the factory without the factory needing to be connected to the internet, and the factory can then periodically register the certs with AWS IoT – as long as it happens before the devices actually turn on for the first time.
This pattern of using intermediate CAs works well in the real-world. iRobot told us that this ability to have intermediate certificates deployed to their factories improves their security and logistics around manufacturing. For example, logistics are improved because internet connectivity blips between the factory and AWS IoT don’t hold up the assembly line.
In general, customers have told us about a variety of manufacturing processes and constraints that they have, so we have been adding additional provisioning processes over time to give the flexibility that people need.
Fortunately hardware companies are making this easier. Earlier this month, Microchip announced a new end-to-end security solution that handles the process of provisioning these keys and securely storing them in hardware: The AWS-ECC508
This solution comes pre-configured with certificates and keys in hardware and is ready to be recognized by AWS IoT’s Just In Time Registration.
Take a look at the press release on Microchip’s website for more information.
You simply connect the chip over I2C to your host microcontroller which runs an SDK to talk to the chip. Once this is in place, there is no need to load unique keys and certificates required for authentication during the manufacturing of the device as this chip is pre-configured to be recognized as one of your product’s devices in your AWS account without any intervention.
Your business logic gets called when the device tries to connect to AWS IoT for the first time once it’s out in the field, through AWS IoT’s new just-in-time registration feature, which completes the registration process and sets up permissions for the device.
At the beginning of the talk I was saying how IoT devices are generally constrained for compute power and battery power. To make security easier computationally for devices, this chip offloads some of that crypto responsibility from the rest of your constrained device. The device even has strong resistance against environmental and physical tampering including countermeasures against expert intrusion attempts.
For more information, visit Microchip Technology’s website.
http://www.prnewswire.com/news-releases/microchip-releases-industrys-first-end-to-end-security-solution-for-iot-devices-connected-to-amazon-web-services-cloud-300312193.html
The level of protection that you go to depends on the threats that you face and the value of the data and the system that you’re protecting. As always, security is not an absolute, stop spending when it’s no longer worth spending.
There’s great variety in hardware capability between Things of different types, makes, etc. Some are full-fledged Linux boxes, and the techniques that have been developed over the years for desktops, laptops, and servers can be applied here.
Some are much more constrained systems, some have interesting hardware (some of which we inherited from DRM efforts). This talk can’t address all the possibilities here, but the point is that if you are concerned about software threats that originate from being on a network with potentially hostile actors, there’s a set of mechanisms that you can use to improve the protection of the private key.
Side note: It’s important that every one of your Things have a unique certificate. If they don’t, they will appear to our service to all be the same Thing. You won’t be able to differentiate between them in policy or in the data that they publish.
It’s also important that every one of your things have a unique keypair. While it is possible to put the same keypair on each thing and generate different certs for them, if you have a key exposure and need to rotate keys, your entire product line will be at risk.