Building Secure Architectures
on AWS
Manoj Fernando
Agenda
• On-premises network architecture
• Modeling on-premises architecture on AWS cloud
• Securing our cloud network architecture
• Migrating to a serverless architecture
• Securing your serverless architecture
• Connecting with the On-Premises Network
• Review our architecture against Cloud Adoption Framework
• Next Steps…
On-premises network architecture
Diagram: the on-premises network 203.0.113.0/28, split into two subnets, 203.0.113.0/29 and 203.0.113.8/29.
> Web servers > Application server
> Database Server

CIDR Notation

Network: 203.0.113.0/28
Start - 203.0.113.0
Total IP Count - 2 ^ (32-28) = 2 ^ 4 = 16
End – 203.0.113.16
Range – 203.0.113.0 – 203.0.113.16

Subnet 01: 203.0.113.0/29
Start - 203.0.113.0
Total IP Count - 2 ^ (32-29) = 2 ^ 3 = 8
End – 203.0.113.7
Range – 203.0.113.0 – 203.0.113.7

Subnet 02: 203.0.113.8/29
Start - 203.0.113.8
Total IP Count - 2 ^ (32-29) = 2 ^ 3 = 8
End - 203.0.113.16
Range – 203.0.113.8 - 203.0.113.16

Network 203.0.113.0/28 = Subnet 01 (203.0.113.0/29) + Subnet 02 (203.0.113.8/29)
Range – 203.0.113.0 – 203.0.113.16
> Web servers > Application server
> Database Server
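The CIDR arithmetic above can be checked mechanically. The block below is an added example (not part of the slide deck) that uses Python's standard ipaddress module to compute the start address, address count and last address of a block, where the last address is start + count - 1, and to verify that a set of subnets fits inside a parent block without overlapping. The 203.0.113.0/28 network and the 10.0.0.0/16 VPC are taken from the slides; the overlapping and out-of-range inputs in the tests are constructed.

```python
import ipaddress


def describe_block(cidr):
    """Return start address, address count and last address of a CIDR block.
    count = 2 ** (32 - prefix); the last address is start + count - 1,
    so a /28 at 203.0.113.0 runs .0 to .15 and the two /29 halves end at .7 and .15."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    return {
        "start": str(net.network_address),
        "count": net.num_addresses,
        "end": str(net.broadcast_address),  # last address of the block
    }


def check_subnet_plan(parent, subnets):
    """Verify that every subnet lies inside the parent block and that no two
    subnets overlap. Also report how many parent addresses remain unallocated,
    which is normal for a VPC (the slides carve two /24s out of a /16)."""
    parent_net = ipaddress.ip_network(parent)
    nets = [ipaddress.ip_network(s) for s in subnets]
    for n in nets:
        if not n.subnet_of(parent_net):
            return {"ok": False, "reason": f"{n} is outside {parent_net}", "unallocated": None}
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return {"ok": False, "reason": f"{a} overlaps {b}", "unallocated": None}
    free = parent_net.num_addresses - sum(n.num_addresses for n in nets)
    return {"ok": True, "reason": "subnets are disjoint and inside the parent", "unallocated": free}


if __name__ == "__main__":
    for cidr in ("203.0.113.0/28", "203.0.113.0/29", "203.0.113.8/29"):
        print(cidr, describe_block(cidr))
    print(check_subnet_plan("203.0.113.0/28", ["203.0.113.0/29", "203.0.113.8/29"]))
    print(check_subnet_plan("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
```

The overlap check is the one worth running before every subnet change: two subnets that share addresses cannot both be created in a VPC, and a subnet outside the VPC range is silently unreachable from the `local` route.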
Modeling On-Premises architecture on AWS cloud
Shared Responsibility Model (Reference: AWS)
Setting up our private network

Diagram: a VPC with CIDR 10.0.0.0/16 in Ireland (eu-west-1), to hold the Web Server and the Backend Server.

Divide into sub networks

Diagram: the VPC is divided into Subnet 1 (10.0.0.0/24) in Availability Zone 01, holding the Web Server (10.0.0.1), and Subnet 2 (10.0.1.0/24) in Availability Zone 02, holding the Backend Server (10.0.1.1).

Setting up an Internet Gateway

Diagram: an Internet Gateway (igw) is attached to the VPC and connected through the VPC router to the Internet; Subnet 1 becomes the Public Subnet and Subnet 2 the Private Subnet.

Route Table (Subnet 1)
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       Internet-gateway-id

Route Table (Subnet 2)
Destination     Target
10.0.0.0/16     local

Setting up a NAT Gateway

Diagram: a NAT Gateway is added, and the Private Subnet's default route now points at it instead of having no internet route at all.

Route Table (Subnet 1)
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       Internet-gateway-id

Route Table (Subnet 2)
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       nat-gateway-id
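What makes Subnet 1 "public" and Subnet 2 "private" is nothing more than the target of the 0.0.0.0/0 row in each route table, and a VPC picks the row with the longest matching prefix. The block below is an added example, not from the slides, that models the two route tables above as data, performs that longest-prefix lookup, classifies a subnet as public when it has an internet-gateway route, and audits for the common mistake of a supposedly private subnet that was given one. The target labels are the slides' placeholders; real tables carry ids such as igw-... and nat-..., which the classifier also recognises. The external address 198.51.100.7 is a constructed test value.

```python
import ipaddress

# Route tables from the slides: a list of (destination, target) rows per subnet.
ROUTE_TABLES = {
    "Subnet 1 (public)": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "internet-gateway-id")],
    "Subnet 2 (private)": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gateway-id")],
}


def lookup_route(route_table, dst_ip):
    """Return the target of the most specific (longest prefix) route that matches
    dst_ip, which is how a VPC route table is evaluated; None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for destination, target in route_table:
        net = ipaddress.ip_network(destination)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public(route_table):
    """A subnet is public when its route table sends traffic to an internet gateway.
    Accepts the slides' label and real ids of the form igw-xxxx."""
    return any(target.startswith(("igw-", "internet-gateway")) for _, target in route_table)


def audit_route_tables(tables, private_subnets):
    """List the subnets that are meant to be private but have an internet-gateway
    route. An instance there that receives a public IP is directly reachable from
    the internet, with only its security group in the way."""
    return [name for name in private_subnets if is_public(tables[name])]


if __name__ == "__main__":
    for name, table in ROUTE_TABLES.items():
        print(name, "public" if is_public(table) else "private",
              "10.0.0.1 ->", lookup_route(table, "10.0.0.1"),
              "198.51.100.7 ->", lookup_route(table, "198.51.100.7"))
    print("misconfigured:", audit_route_tables(ROUTE_TABLES, ["Subnet 2 (private)"]))
```

A table with only the `local` row returns None for an internet address, which is the state of Subnet 2 before the NAT gateway was added: the backend server could reach 10.0.0.0/16 but nothing outside it.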
Securing our cloud network architecture

Diagram: the VPC from the previous section (Web Server 10.0.0.1 in the Public Subnet, Backend Server 10.0.1.1 in the Private Subnet, Internet Gateway, NAT Gateway) with its two route tables:

Route Table (Subnet 1)
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       Internet-gateway-id

Route Table (Subnet 2)
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       nat-gateway-id

Can our web server access internet?

Diagram: the on-premises network (203.0.113.0/28 split into 203.0.113.0/29 and 203.0.113.8/29) shown alongside.
> Web servers > Application server
> Database Server
Security Groups
• Who can access me?
• Applied to AWS resources
• E.g. EC2 instances, databases, load balancers, etc.
• Virtual firewalls
• You can create inbound and outbound rules in a security group
• Follow the principle of least privilege
• Security groups are stateful
• When architecting your application, list all the resources, decide who needs to talk to whom, and create security groups for your resources
Diagram: Web Server (10.0.0.1) in the Public Subnet and Backend Server (10.0.1.1) in the Private Subnet, behind the Internet Gateway (igw), each with its own security group.

Web-Server-SG (inbound rules)
Type     Port   Source
HTTP     80     0.0.0.0/0
HTTPS    443    0.0.0.0/0

Backend-Server-SG (inbound rules)
Type     Port   Source
Custom   4000   Web-Server-SG
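The two tables above express the "who needs to talk to whom" decision: anyone may reach the web server on 80/443, and only members of Web-Server-SG may reach the backend on 4000. The block below is an added example (not from the slides) that encodes those rules and evaluates connection attempts the way security groups do: allow-list semantics, a source that is either a CIDR or a reference to another security group, and stateful handling, so only the initiating direction is checked. It assumes the default outbound rules (allow all), which is why the evaluator looks only at inbound rules; the external address 203.0.113.5 is a constructed test value.

```python
import ipaddress

# Inbound rules from the slides: (protocol, port, source), where source is a
# CIDR or the name of another security group.
SECURITY_GROUPS = {
    "Web-Server-SG": [("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0")],
    "Backend-Server-SG": [("tcp", 4000, "Web-Server-SG")],
}

# Instances from the slides and the groups attached to them.
INSTANCES = {
    "web": {"ip": "10.0.0.1", "sgs": ["Web-Server-SG"]},
    "backend": {"ip": "10.0.1.1", "sgs": ["Backend-Server-SG"]},
}


def _source_matches(source, src_ip, src_sgs):
    """A security-group source matches by membership, not by address; a CIDR
    source matches the sender's IP."""
    if source in SECURITY_GROUPS:
        return source in src_sgs
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def inbound_allowed(dst_name, src_ip, src_sgs, protocol, port):
    """Allow-list: permitted if any rule of any group on the destination matches;
    there are no deny rules, so anything unmatched is dropped."""
    for sg in INSTANCES[dst_name]["sgs"]:
        for proto, p, source in SECURITY_GROUPS[sg]:
            if proto == protocol and p == port and _source_matches(source, src_ip, src_sgs):
                return True
    return False


def connection_allowed(src, dst_name, protocol, port):
    """src is an instance name or an external IP string. Security groups are
    stateful, so the reply to an allowed request is allowed automatically and
    only the initiating packet has to pass the destination's inbound rules."""
    if src in INSTANCES:
        src_ip, src_sgs = INSTANCES[src]["ip"], INSTANCES[src]["sgs"]
    else:
        src_ip, src_sgs = src, []  # external sender: no security groups
    return inbound_allowed(dst_name, src_ip, src_sgs, protocol, port)


if __name__ == "__main__":
    checks = [("203.0.113.5", "web", "tcp", 443), ("203.0.113.5", "backend", "tcp", 4000),
              ("web", "backend", "tcp", 4000), ("web", "backend", "tcp", 22)]
    for c in checks:
        print(c, "ALLOW" if connection_allowed(*c) else "DROP")
```

Note that an external host cannot reach port 4000 even though the backend's route table and NAT gateway give it internet access: the route table decides where packets can go, the security group decides what may come in, and both have to agree for a connection to succeed.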
Migrating to Serverless Architecture

Diagram: www.myapp.com served by a Web Server instance and a Backend Server instance.

New features can be developed in a serverless architecture

Diagram: Amazon CloudFront sits in front of www.myapp.com and routes /* to the Web Server instance and /api/* to API Gateway; API Gateway invokes the getUsers Lambda for /api/users; the Backend Server instance and the Lambda share the MySQL DB (in RDS).
Serverless Means... (Reference: AWS)

API Gateway + AWS Lambda is the easiest way to create microservices
AWS Lambda Programming Model
Reference: AWS
Diagram: the same serverless architecture (CloudFront routing /* to the Web Server instance and /api/* to API Gateway, the getUsers Lambda on /api/users, MySQL DB in RDS).

Diagram: the VPC 10.0.0.0/16 in Ireland (eu-west-1) with Subnet 1 (10.0.0.0/24, Web Server 10.0.0.1), Subnet 2 (10.0.1.0/24, Backend Server 10.0.1.1), the Internet Gateway, and the MySQL DB (in RDS) inside the VPC.

How can getUsers lambda access the Database?
IAM Roles – What can I do?
• Security group – Who can access me
• IAM role – What I can do
• Consider the backend server. What can it do?
• It can access the database
• So create an IAM role with database access permissions and attach it to the backend EC2 server
How can getUsers lambda access the Database?
Step 01
• Run the getUsers lambda inside our VPC so that the lambda executes in our private network
Step 02
• Assign an IAM role to the getUsers lambda to read from the database
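A role is two documents: a trust policy saying who may assume it (here, only the Lambda service) and a permissions policy saying what it may do. The block below is an added example, not from the slides, that builds both for the getUsers function of Step 02 and then audits the result for the "too permissive" patterns (an action wildcard, or Resource "*" where a specific ARN would do). It assumes the RDS instance has IAM database authentication enabled, so database access is the rds-db:connect action scoped to one DB instance and one database user; the ENI actions are the ones a VPC-attached Lambda (Step 01) needs and are the same ones the AWS-managed AWSLambdaVPCAccessExecutionRole grants on Resource "*". The region, account id, DB resource id and user name in the test are constructed placeholders.

```python
import json

# EC2 actions a VPC-attached Lambda needs to manage its network interfaces.
# The managed AWSLambdaVPCAccessExecutionRole grants these on "*", so the
# audit below treats Resource "*" as expected only for this set.
ENI_ACTIONS = {
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
}


def lambda_trust_policy():
    """Who may assume the role: only the Lambda service, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def get_users_permissions(region, account_id, db_resource_id, db_user, function_name="getUsers"):
    """What the getUsers role may do: run in the VPC, connect to one database
    as one user (IAM DB authentication, assumed enabled), write its own logs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VpcNetworking", "Effect": "Allow",
             "Action": sorted(ENI_ACTIONS), "Resource": "*"},
            {"Sid": "DatabaseConnect", "Effect": "Allow",
             "Action": "rds-db:connect",
             "Resource": f"arn:aws:rds-db:{region}:{account_id}:dbuser:{db_resource_id}/{db_user}"},
            {"Sid": "Logs", "Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}:*"},
        ],
    }


def too_permissive(policy):
    """Return findings for Allow statements that use an action wildcard or grant
    Resource "*" on actions that accept a specific ARN. Empty list means clean."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        sid = stmt.get("Sid", f"statement[{i}]")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
        if "*" in resources and not set(actions) <= ENI_ACTIONS:
            findings.append(f"{sid}: Resource '*' on actions that accept a specific ARN")
    return findings


if __name__ == "__main__":
    perms = get_users_permissions("eu-west-1", "123456789012", "db-EXAMPLERESOURCEID", "app_reader")
    print(json.dumps(lambda_trust_policy(), indent=2))
    print(json.dumps(perms, indent=2))
    print("findings:", too_permissive(perms))
```

One role per function keeps the audit meaningful: if getUsers and a future deleteUser share a role, the union of their permissions is what each of them can do.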
Securing your Serverless Architecture

Securing Lambda Function
• Use IAM roles per function and don’t be too permissive
• Leverage the principle of least privilege
• Application security best practices still apply
• Mandatory code reviews, static analysis
• Environment variables and sensitive data via KMS and Lambda’s encryption helpers

Encrypting Environment Variables
How to secure our Identities (Authentication + Authorization)

Too many concerns…
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your user store
• Implementing token-based authentication
• Support for multiple social identities
• Federation with corporate directories for B2E applications
User Pools & Federated Identities
Reference: AWS
Authentication & Authorization (API Gateway)
• API Gateway can authenticate and authorize requests to the backend (e.g. Lambda, EC2 instances, Elasticsearch, S3, etc.)
• 3 main methods
1. Amazon Cognito User Pools – User Pool Authorizer
2. Amazon Cognito Federated Identities – AWS IAM Authorizer
3. Custom Identity Providers – Custom Authorizer
• Identity Providers
1. Web Identities – e.g. Google, LinkedIn, User Pools
2. Corporate Identities – e.g. Active Directory, LDAP
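The third method, a custom authorizer, is a Lambda function that API Gateway calls with the bearer token and the method ARN, and that answers with an IAM policy allowing or denying execute-api:Invoke. The block below is an added example (not from the slides) of such an authorizer for a custom identity provider. It assumes the provider issues HS256-signed JWTs with a shared secret, which is the simplest case to show with the standard library; Cognito User Pools sign with RS256 and are handled by the built-in User Pool Authorizer instead. Signature, algorithm, issuer, audience and expiry are all checked before any claim is trusted; the secret, claims and method ARN in the test are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims, secret):
    """Mint an HS256 JWT; in the real setup the identity provider does this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, secret, issuer, audience, now=None):
    """Return the claims if the token is well formed, HS256-signed with `secret`,
    issued by `issuer` for `audience` and not expired; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong shape, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # refuses "none" and any algorithm the verifier did not expect
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))  # safe to parse once the signature holds
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def build_policy(principal_id, effect, method_arn):
    """The response shape API Gateway expects from a custom authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
    }


def authorizer(event, secret, issuer, audience, now=None):
    """TOKEN-type custom authorizer: event carries authorizationToken and methodArn."""
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    claims = verify_token(token, secret, issuer, audience, now)
    if claims is None:
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(claims["sub"], "Allow", event["methodArn"])
```

Returning a Deny policy yields a 403 to the client; raising an exception from the authorizer instead yields a 401. Either way the backend Lambda is never invoked for a request that fails here, which is the point of putting authorization at the gateway.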
Reference: Slideshare
Serverless App Security
Reference: Slideshare
Other AWS Services for Security
• AWS WAF
• AWS Trusted Advisor
• AWS CloudTrail
• Amazon CloudWatch
• Amazon Inspector
• AWS Config
Diagram: the serverless architecture (CloudFront routing /* to the Web Server instance and /api/* to API Gateway, the getUsers Lambda on /api/users, the Backend Server instance, MySQL DB in RDS) with AWS WAF added.
Connecting with On-Premises Network

Diagram: Our AWS VPC (10.0.0.0/16) is linked to the On-Premises Network (192.168.0.0/16) by a VPN Connection between a VPN Gateway on the AWS side and a Customer Gateway on the on-premises side.
VPN and AWS Direct Connect
• Both allow secure connections between your corporate network and your VPC
• VPN uses an encrypted IPsec tunnel over the internet
• Direct Connect is a dedicated line between the corporate network and your VPC
• Direct Connect is not affected by uncertainties in the internet and is suitable for large data transfers at high speed
Cloud Adoption Framework
1. Infrastructure Security
2. Identity and Access Management
3. Data Protection
4. Detective Control
5. Incident Response
Next Steps…
• Read the AWS Well-Architected Framework whitepaper
• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Security Pillar whitepaper
Thank You!

 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 

Building Secure Architectures on AWS

  • 1. Building Secure Architectures on AWS Manoj Fernando
  • 2. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 3. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 5. 203.0.113.0/28 – subnets 203.0.113.0/29 and 203.0.113.8/29 > Web servers > Application server > Database Server
  • 6. CIDR Notation 203.0.113.0/28 Start - 203.0.113.0 Total IP Count - 2 ^ (32-28) = 2 ^ 4 = 16 End – 203.0.113.15 Range – 203.0.113.0 – 203.0.113.15 (16 addresses counted from .0, so the block ends at .15; 203.0.113.16 is the first address of the next /28)
  • 7. Network 203.0.113.0/28 Range – 203.0.113.0 – 203.0.113.15 | Subnet 01 203.0.113.0/29 Start - 203.0.113.0 Total IP Count - 2 ^ (32-29) = 2 ^ 3 = 8 End – 203.0.113.7 Range – 203.0.113.0 – 203.0.113.7 | Subnet 02 203.0.113.8/29 Start - 203.0.113.8 Total IP Count - 2 ^ (32-29) = 2 ^ 3 = 8 End – 203.0.113.15 Range – 203.0.113.8 – 203.0.113.15
  • 8. 203.0.113.0/28 – subnets 203.0.113.0/29 and 203.0.113.8/29 > Web servers > Application server > Database Server
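Worked example for slides 6 to 8 (added here; this is not code from the deck). It redoes the CIDR arithmetic with Python's standard ipaddress module so the block boundaries come out right: 203.0.113.0/28 holds 16 addresses, .0 through .15, and the two /29s inside it end at .7 and .15. check_subnets is the test to run on a subnet plan before creating anything, and aws_usable_hosts applies the AWS rule that five addresses in every VPC subnet are reserved. The only values used are the deck's own blocks; the function names are this example's.

```python
import ipaddress

# AWS reserves five addresses in every VPC subnet: the network address, the VPC
# router (.1), the DNS resolver (.2), one held for future use (.3) and the
# broadcast address (the last one). This is an AWS rule, not an IP rule.
AWS_RESERVED_PER_SUBNET = 5


def describe(cidr):
    """Start, end and size of an IPv4 block, plus its first and last host address.

    The block 203.0.113.0/28 has 2 ** (32 - 28) = 16 addresses, .0 through .15;
    .16 is already the first address of the next /28.
    strict=True makes ipaddress reject a block with host bits set (10.0.0.1/24),
    the typo this catches most often in subnet plans.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "start": str(net.network_address),
        "end": str(net.broadcast_address),
        "count": net.num_addresses,
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
    }


def split(cidr, new_prefix):
    """Divide a block into equal sub-networks, e.g. a /28 into two /29s."""
    net = ipaddress.ip_network(cidr, strict=True)
    if new_prefix <= net.prefixlen:
        raise ValueError("new prefix must be longer than the parent prefix")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def check_subnets(parent, subnets):
    """Problems with a subnet plan: subnets outside the parent block, or overlapping.

    AWS refuses overlapping subnets inside a VPC, but a plan is cheaper to fix
    before anything is created. The same check applies to a VPN peer's range,
    which must not overlap the VPC's range either.
    """
    p = ipaddress.ip_network(parent, strict=True)
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    problems = [f"{n} is not inside {p}" for n in nets if not n.subnet_of(p)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def aws_usable_hosts(cidr):
    """Addresses an instance can actually get in a VPC subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    for block in ("203.0.113.0/28", "203.0.113.0/29", "203.0.113.8/29"):
        print(block, describe(block))
    print(split("203.0.113.0/28", 29))
    print(check_subnets("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
    print("usable in 10.0.0.0/24:", aws_usable_hosts("10.0.0.0/24"))
```

Because of the five reserved addresses, .1 in a VPC subnet is the VPC router and not an address an instance can be given; the first instance address in 10.0.0.0/24 is 10.0.0.4. Read the 10.0.0.1 and 10.0.1.1 labels on the following slides as "the web server" and "the backend server" rather than as literal addresses.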
  • 9. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Connecting with the On-Premises Network • Migrating to a serverless architecture • Securing your serverless architecture • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 13. Setting up our private network
  • 14. Web Server Backend Server 10.0.0.0/16
  • 15. Divide into sub networks
  • 16. Web Server Backend Server 10.0.0.0/16 | Subnet 1 10.0.0.0/24 | Subnet 2 10.0.1.0/24
  • 17. Web Server Backend Server 10.0.0.0/16 | Subnet 1 10.0.0.0/24 (Web Server 10.0.0.1) | Subnet 2 10.0.1.0/24 (Backend Server 10.0.1.1)
  • 18. Web Server Backend Server 10.0.0.0/16 | Subnet 1 10.0.0.0/24 (Web Server 10.0.0.1) | Subnet 2 10.0.1.0/24 (Backend Server 10.0.1.1) | Ireland (eu-west-1) Availability Zone - 01 Availability Zone - 02
  • 19. Setting up an Internet Gateway
  • 20. Web Server Backend Server 10.0.0.0/16 | Subnet 1 10.0.0.0/24 (Web Server 10.0.0.1) | Subnet 2 10.0.1.0/24 (Backend Server 10.0.1.1) | Ireland (eu-west-1) Availability Zone - 01 Availability Zone - 02 | Router – Internet Gateway – Internet
  • 21. Web Server Backend Server | Subnet 1 10.0.0.0/24 Public Subnet (Web Server 10.0.0.1) | Subnet 2 10.0.1.0/24 Private Subnet (Backend Server 10.0.1.1) | Availability Zone - 01 Availability Zone - 02 | Router – Internet Gateway (igw) – Internet | Route Table (Subnet 1): Destination 10.0.0.0/16 → Target local; Destination 0.0.0.0/0 → Target internet-gateway-id
  • 22. Web Server Backend Server | Subnet 1 10.0.0.0/24 Public Subnet (Web Server 10.0.0.1) | Subnet 2 10.0.1.0/24 Private Subnet (Backend Server 10.0.1.1) | Availability Zone - 01 Availability Zone - 02 | Router – Internet Gateway (igw) – Internet | Route Table (Subnet 1): Destination 10.0.0.0/16 → Target local; Destination 0.0.0.0/0 → Target internet-gateway-id | Route Table (Subnet 2): Destination 10.0.0.0/16 → Target local
  • 23. Setting up a NAT Gateway
  • 24. Web Server 10.0.0.1 Backend Server 10.0.1.1 | Router – Internet Gateway (igw) – Internet | Public Subnet | Private Subnet | NAT Gateway (in the public subnet) | Route Table (Subnet 1): Destination 10.0.0.0/16 → Target local; Destination 0.0.0.0/0 → Target internet-gateway-id | Route Table (Subnet 2): Destination 10.0.0.0/16 → Target local; Destination 0.0.0.0/0 → Target nat-gateway-id
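Worked example for slides 21 to 24 (added here, not part of the deck). A VPC route table picks the most specific matching route, which is why the local 10.0.0.0/16 route always wins over 0.0.0.0/0 for traffic inside the VPC. classify tells a public subnet (default route to an internet gateway) from a private one (default route to a NAT gateway) and from an isolated one (no default route at all), and internet_access states what the routing layer alone allows; security groups narrow that further. The route tables are constructed to match the slides; the igw-/nat- identifiers are placeholders in the AWS format, not real resources.

```python
import ipaddress

# Constructed route tables mirroring slides 21-24. The igw-/nat- identifiers are
# placeholders in the format AWS uses, not real resources.
ROUTE_TABLES = {
    "subnet-1": [  # public subnet
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-0a1b2c3d4e5f60718"},
    ],
    "subnet-2": [  # private subnet behind the NAT gateway
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "nat-0a1b2c3d4e5f60718"},
    ],
    "subnet-3": [  # isolated: only the VPC-local route (the state of slide 22)
        {"destination": "10.0.0.0/16", "target": "local"},
    ],
}


def lookup(routes, dst_ip):
    """Pick the route a VPC route table would use: the most specific match wins.

    That is why 10.0.1.1 goes to 'local' even though 0.0.0.0/0 also matches it,
    and why the local route for the VPC's own range can never be overridden.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["destination"])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route["target"])
    return best[1] if best else None


def classify(routes):
    """public: default route to an internet gateway; private: via NAT; isolated: none."""
    # Any address outside the VPC will do; 203.0.113.1 is a documentation address.
    target = lookup(routes, "203.0.113.1")
    if target is None or target == "local":
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def internet_access(routes, has_public_ip):
    """What the routing layer alone permits; security groups then narrow it further.

    An internet gateway does not translate addresses for an instance that has only
    a private IP, so a public subnet is only 'public' for instances with a public
    or Elastic IP. A NAT gateway gives outbound access only: the internet sees the
    NAT gateway's Elastic IP and nothing can initiate a connection to the instance.
    """
    kind = classify(routes)
    if kind == "public":
        return {"outbound": has_public_ip, "inbound": has_public_ip}
    if kind == "private":
        return {"outbound": True, "inbound": False}
    return {"outbound": False, "inbound": False}


if __name__ == "__main__":
    for name, routes in ROUTE_TABLES.items():
        print(name, classify(routes), internet_access(routes, has_public_ip=(name == "subnet-1")))
```

This also answers the question the deck asks a few slides on: the web server in subnet 1 can reach the internet only if it has a public or Elastic IP as well as the route to the internet gateway, and the backend in subnet 2 can reach out through the NAT gateway but cannot be reached from outside.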
  • 25. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 26. Securing our cloud network architecture
  • 27. Web Server 10.0.0.1 Backend Server 10.0.1.1 | Router – Internet Gateway (igw) – Internet | Public Subnet | Private Subnet | Route Table (Subnet 1): Destination 10.0.0.0/16 → Target local; Destination 0.0.0.0/0 → Target internet-gateway-id | Route Table (Subnet 2): Destination 10.0.0.0/16 → Target local; Destination 0.0.0.0/0 → Target nat-gateway-id | Can our web server access the internet?
  • 28. 203.0.113.0/28 – subnets 203.0.113.0/29 and 203.0.113.8/29 > Web servers > Application server > Database Server
  • 29. Security Groups • Who can access me? • Applied to AWS resources • Eg: EC2 instances, Databases, Load Balancers etc… • Virtual firewalls • You can create inbound and outbound rules in a security group • Follow the principle of least privilege • Security groups are stateful: the reply traffic of an allowed connection is accepted without a matching rule in the other direction • When architecting your application, list all the resources, decide who needs to talk to whom, and create security groups for your resources accordingly
  • 30. Web Server 10.0.0.1 Backend Server 10.0.1.1 | Router – Internet Gateway (igw) – Internet | Public Subnet | Private Subnet | Web-Server-SG (inbound): Type HTTP, Port 80, Source 0.0.0.0/0; Type HTTPS, Port 443, Source 0.0.0.0/0
  • 31. Web Server 10.0.0.1 Backend Server 10.0.1.1 | Router – Internet Gateway (igw) – Internet | Public Subnet | Private Subnet | Web-Server-SG (inbound): Type HTTP, Port 80, Source 0.0.0.0/0; Type HTTPS, Port 443, Source 0.0.0.0/0 | Backend-Server-SG (inbound): Type Custom, Port 4000, Source Web-Server-SG (the web server's security group rather than its IP address, so only members of that group can reach port 4000)
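Worked example for slides 29 to 31 (added here; not the deck's code). It models the two security groups as AWS evaluates them: an allow-list with an implicit deny, where a rule whose source is another security group matches on the sender's group membership rather than on its IP address. audit is the least-privilege check a reviewer runs over a set of groups: anything other than 80 and 443 open to 0.0.0.0/0 or ::/0 is reported. The rules are constructed to match the slides; the helper names and the list of admin/database ports are this example's.

```python
import ipaddress

# The two groups from slides 30 and 31 (constructed to match the deck). A rule's
# source is either a CIDR or the name of another security group.
SECURITY_GROUPS = {
    "Web-Server-SG": [
        {"proto": "tcp", "from_port": 80, "to_port": 80, "source": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    ],
    "Backend-Server-SG": [
        {"proto": "tcp", "from_port": 4000, "to_port": 4000, "source": "Web-Server-SG"},
    ],
}

# Ports that should never carry a 0.0.0.0/0 source rule.
ADMIN_OR_DB_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}


def _source_matches(groups, source, src_ip, src_groups):
    # A security-group source matches on the sender's group membership, not its
    # IP: a host in the web subnet that is NOT in Web-Server-SG is still refused.
    if source in groups:
        return source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def allows_inbound(groups, sg_name, proto, port, src_ip, src_groups=()):
    """Would a security group accept a new inbound connection?

    Security groups are allow-lists with an implicit deny: the connection is
    accepted if any rule matches. They are also stateful, so the server's reply
    needs no outbound rule and the client needs no inbound rule for it.
    """
    for rule in groups[sg_name]:
        if (rule["proto"] == proto
                and rule["from_port"] <= port <= rule["to_port"]
                and _source_matches(groups, rule["source"], src_ip, src_groups)):
            return True
    return False


def audit(groups):
    """Least-privilege check: only 80 and 443 may be open to the world.

    Anything else with a 0.0.0.0/0 or ::/0 source is reported, and admin or
    database ports are named so the finding reads like the risk it is.
    """
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            if rule["source"] not in ("0.0.0.0/0", "::/0"):
                continue
            lo, hi = rule["from_port"], rule["to_port"]
            if lo == hi and lo in (80, 443):
                continue
            if lo == hi:
                label = ADMIN_OR_DB_PORTS.get(lo, rule["proto"])
                findings.append(f"{name}: port {lo} ({label}) open to the internet")
            else:
                findings.append(f"{name}: ports {lo}-{hi} open to the internet")
    return findings


if __name__ == "__main__":
    print("internet -> web:443   ", allows_inbound(SECURITY_GROUPS, "Web-Server-SG", "tcp", 443, "198.51.100.7"))
    print("internet -> backend   ", allows_inbound(SECURITY_GROUPS, "Backend-Server-SG", "tcp", 4000, "198.51.100.7"))
    print("web -> backend:4000   ", allows_inbound(SECURITY_GROUPS, "Backend-Server-SG", "tcp", 4000, "10.0.0.4", {"Web-Server-SG"}))
    print("findings:", audit(SECURITY_GROUPS))
```

Group-to-group references are what make the design survive change: scale the web tier out or replace its instances and the backend rule still holds, because it was never tied to an address.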
  • 32. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 33. Migrating to Serverless Architecture
  • 35. New features can be developed in a serverless architecture
  • 36. www.myapp.com → Amazon CloudFront | /* → Web Server Instance → Backend Server Instance → MySQL DB (in RDS) | /api/* → API Gateway → Lambda (getUsers Lambda) serving /api/users
  • 38. API Gateway + AWS Lambda is the easiest way to create microservices
  • 39. AWS Lambda Programming Model Reference: AWS
  • 41. Web Server Backend Server 10.0.0.0/16 | Subnet 1 10.0.0.0/24 (Web Server 10.0.0.1) | Subnet 2 10.0.1.0/24 (Backend Server 10.0.1.1) | Ireland (eu-west-1) | Router – Internet Gateway – Internet | MySQL DB (in RDS)
  • 42. How can getUsers lambda access the Database?
  • 43. IAM Roles – What can I do? • Security group – Who can access me • IAM role – What I can do • Consider the backend server. What can it do? • It can access the database • So create an IAM role with database access permissions and attach it to the backend EC2 server
  • 44. How can getUsers lambda access the Database? Step 01 • Run the getUsers lambda inside our VPC so that lambda executes in our private network (and allow the lambda's security group as a source in the database's security group, the same way Backend-Server-SG trusts Web-Server-SG) Step 02 • Assign an IAM role for getUsers lambda to read from database (the role covers AWS API permissions; the MySQL login itself needs either IAM database authentication enabled on the RDS instance or a credential the function fetches at runtime, never one hard-coded in the function)
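Worked example for slides 43 and 44 and the "don't be too permissive" rule on slide 47 (added here; not the deck's code). It puts the weak policy beside the one the getUsers execution role should carry, and adds the lint a reviewer runs over any policy: every Allow statement with a wildcard action or resource is reported. Resource "*" is tolerated only for the ENI actions a Lambda needs in order to run inside a VPC, which the AWS-managed AWSLambdaVPCAccessExecutionRole policy grants that way. The region, account id, RDS resource id, database user and secret ARN are placeholders assumed for the example.

```python
import json

# Placeholders (assumptions for the example): region, account, the RDS instance's
# resource id, the read-only DB user and the secret holding its password.
REGION = "eu-west-1"
ACCOUNT = "123456789012"
DB_RESOURCE_ID = "db-ABCDEFGHIJKLMNOPQRSTUVWXY"
DB_USER = "getusers_ro"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:prod/myapp/mysql-AbCdEf"

# What 'too permissive' looks like: every action on every resource. A bug in
# getUsers, or a compromised dependency inside it, inherits all of this.
TOO_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# ENI actions a Lambda needs to run inside a VPC. The AWS-managed policy
# AWSLambdaVPCAccessExecutionRole grants these on Resource "*", so the linter
# below tolerates "*" for exactly this set and nothing else.
VPC_ENI_ACTIONS = {
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
}


def get_users_policy():
    """Inline policy for the getUsers function's execution role.

    Each statement names the one thing it is for: the function's own log group,
    the ENIs that place it in the VPC (slide 44, step 1), and read access to the
    database as ONE read-only user, either through IAM database authentication
    (rds-db:connect on that user) or by fetching that user's password from ONE
    secret (step 2). Nothing else.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Logs", "Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/getUsers:*"},
            {"Sid": "VpcNetworking", "Effect": "Allow",
             "Action": sorted(VPC_ENI_ACTIONS), "Resource": "*"},
            {"Sid": "DbConnect", "Effect": "Allow",
             "Action": "rds-db:connect",
             "Resource": f"arn:aws:rds-db:{REGION}:{ACCOUNT}:dbuser:{DB_RESOURCE_ID}/{DB_USER}"},
            {"Sid": "DbSecret", "Effect": "Allow",
             "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_over_permissive(policy):
    """Allow statements whose Action or Resource is a wildcard.

    A service-wide action ('s3:*') counts as a wildcard too. Resource '*' is
    accepted only when every action in the statement is one of the VPC ENI
    actions, which AWS itself grants that way.
    """
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        label = st.get("Sid", f"statement[{i}]")
        actions = _as_list(st["Action"])
        resources = _as_list(st["Resource"])
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{label}: wildcard Action")
        if "*" in resources and not set(actions) <= VPC_ENI_ACTIONS:
            findings.append(f"{label}: wildcard Resource")
    return findings


def render(policy):
    """JSON as you would pass it to `aws iam put-role-policy --policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("too permissive:", find_over_permissive(TOO_PERMISSIVE))
    print("getUsers:      ", find_over_permissive(get_users_policy()))
    print(render(get_users_policy()))
```

The role is only half of step 2. For rds-db:connect to work, IAM database authentication has to be enabled on the RDS instance and the MySQL user created with `IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'`; otherwise the function fetches the password from the one secret it may read. Either way the function's security group still has to be an allowed source in the database's security group on port 3306, which is the network half of step 1.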
  • 45. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 46. Securing your Serverless Architecture
  • 47. Securing Lambda Function • Use IAM roles per function and don’t be too permissive • Leverage principle of least privilege • Application security best practices still apply • Mandatory code reviews, static analysis • Environment variables and sensitive data via KMS and Lambda’s encryption helpers
  • 50. How to secure our Identities (Authentication + Authorization)
  • 51. Too many concerns… • Need to develop a reliable user directory to manage identities • Handling user data and passwords and protecting privacy • Prioritizing scalability of your user store • Implementing token-based authentication • Support for multiple social identities • Federation with corporate directories for B2E applications
  • 52. User Pools & Federated Identities Reference: AWS
  • 53. Authentication & Authorization (API Gateway) • API Gateway can authenticate and authorize requests to the backend • (eg: Lambda, EC2 instances, Elasticsearch, S3 etc..) • 3 main methods 1. Amazon Cognito User Pools – User Pool Authorizer 2. Amazon Cognito Federated Identities – AWS IAM Authorizer 3. Custom Identity Providers – Custom Authorizer (a Lambda function that validates the caller's token and returns an IAM policy; AWS now calls this a Lambda authorizer) • Identity Providers 1. Web Identities – Eg: Google, LinkedIn, User Pools 2. Corporate Identities – Eg: Active Directory, LDAP
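Worked example for the third method on slide 53, a custom authorizer (added here; not the deck's code). The handler receives the bearer token and the ARN of the method being called, validates the token and returns an IAM policy that allows or denies execute-api:Invoke on that method. The token format is an assumption for the example: an HS256 JWT signed with a secret shared with a hypothetical in-house identity provider, built and verified with the standard library. Cognito user pool tokens are RS256 and are checked against the pool's JWKS, which the User Pool Authorizer of method 1 does for you. The shared secret and the scope name users:read are this example's.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: the secret an in-house identity provider (the "custom
# identity provider" of slide 53) shares with the authorizer. In a deployment it
# comes from Secrets Manager or a KMS-encrypted environment variable (slide 47),
# never from source code.
SHARED_SECRET = b"example-only-shared-secret-do-not-reuse"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=SHARED_SECRET):
    """Issue an HS256 JWT. Only here so the example can construct its own input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token, secret=SHARED_SECRET, now=None):
    """Claims of a valid token, or None. Every check must pass, in this order:
    three parts; alg pinned to HS256 (the header is attacker-controlled, so an
    'alg: none' token is refused before anything else); constant-time signature
    comparison; a numeric exp that is still in the future."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, AttributeError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None
    return claims


def handler(event, context=None):
    """API Gateway TOKEN authorizer: turn a bearer token into an IAM policy.

    Raising Exception('Unauthorized') makes API Gateway answer 401; a Deny
    policy answers 403. Only a token carrying the users:read scope may invoke
    the method, and the Resource is the method that was actually requested.
    """
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    if not token:
        raise Exception("Unauthorized")
    claims = verify_token(token) or {}
    scopes = claims.get("scope", "").split()
    effect = "Allow" if "users:read" in scopes else "Deny"
    return {
        "principalId": claims.get("sub", "anonymous"),
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect,
                           "Resource": event["methodArn"]}],
        },
        # Passed on to the backend as $context.authorizer.scope
        "context": {"scope": " ".join(scopes)},
    }


if __name__ == "__main__":
    tok = mint_token({"sub": "user-42", "scope": "users:read", "exp": int(time.time()) + 300})
    event = {"type": "TOKEN", "authorizationToken": "Bearer " + tok,
             "methodArn": "arn:aws:execute-api:eu-west-1:123456789012:a1b2c3d4e5/prod/GET/api/users"}
    print(json.dumps(handler(event), indent=2))
```

API Gateway caches an authorizer's answer per token (300 seconds by default). With the Resource scoped to the one methodArn that was requested, a cached Allow for GET /api/users does not carry over to other methods called with the same token, which fails safe; if one client legitimately calls several methods, widen the Resource to a stage-level pattern deliberately rather than by accident.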
  • 65. Other AWS Services for Security • AWS WAF • AWS Trusted Advisor • AWS CloudTrail • Amazon CloudWatch • Amazon Inspector • AWS Config
  • 66. www.myapp.com → Amazon CloudFront | /* → Web Server Instance → Backend Server Instance → MySQL DB (in RDS) | /api/* → API Gateway → Lambda (getUsers Lambda) serving /api/users | AWS WAF at the edge, in front of the application
  • 67. Other AWS Services for Security • AWS WAF • AWS Trusted Advisor • AWS CloudTrail • Amazon CloudWatch • Amazon Inspector • AWS Config Reference: AWS
  • 70. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 72. Our AWS VPC On-Premises Network
  • 73. Our AWS VPC (10.0.0.0/16) | VPN Gateway – VPN Connection – Customer Gateway | On-Premises Network (192.168.0.0/16)
  • 74. VPN and AWS Direct Connect • Both connect your corporate network to your VPC • VPN uses encrypted IPsec tunnels over the internet • Direct Connect is a dedicated line between the corporate network and your VPC • Direct Connect is not affected by uncertainties in the internet and is suitable for large data transfers at high speed • Direct Connect does not encrypt traffic by itself: run a VPN over it (or use MACsec where it is supported) if you need encryption in transit • The two address ranges (10.0.0.0/16 and 192.168.0.0/16) must not overlap, or traffic cannot be routed between them
  • 75. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 76. Cloud Adoption Framework 1. Infrastructure Security 2. Identity and Access Management 3. Data Protection 4. Detective Control 5. Incident Response
  • 78. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 79. Next Steps… • Read the AWS Well-Architected Framework whitepaper • Operational Excellence • Security • Reliability • Performance Efficiency • Cost Optimization • Security Pillar Whitepaper