16. Web Server Backend Server
[Diagram: VPC 10.0.0.0/16 containing Subnet 1 (10.0.0.0/24) and Subnet 2 (10.0.1.0/24)]
17. Web Server Backend Server
[Diagram: as on slide 16; the Web Server (10.0.0.1) sits in Subnet 1 and the Backend Server (10.0.1.1) in Subnet 2]
18. Web Server Backend Server
[Diagram: as on slide 17; the VPC is in the Ireland (eu-west-1) region, with Subnet 1 in Availability Zone 01 and Subnet 2 in Availability Zone 02]
20. Web Server Backend Server
[Diagram: as on slide 18, adding the VPC Router and an Internet Gateway that connects the VPC to the Internet]
21. Web Server Backend Server
[Diagram: as on slide 20; Subnet 1 is the Public Subnet, Subnet 2 the Private Subnet, and the Internet Gateway is labelled igw]
Route Table (Subnet 1)
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     Internet-gateway-id
22. Web Server Backend Server
[Diagram: as on slide 21]
Route Table (Subnet 1): unchanged from slide 21
Route Table (Subnet 2)
Destination   Target
10.0.0.0/16   local
27. Web Server Backend Server
[Diagram: as on slide 22]
Route Table (Subnet 1): unchanged from slide 21
Route Table (Subnet 2)
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     nat-gateway-id
Can our web server access the internet?
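To make the route-table reasoning on these slides concrete, here is an added example (not part of the deck): it models the route tables above and resolves a destination by longest-prefix match, then classifies what a host in each subnet can do towards the internet. The gateway ids are placeholders, and "subnet-2-before-nat" is Subnet 2's table as it stood on slide 22, before the NAT route was added.

```python
import ipaddress

# Constructed model of the route tables on the slides (not AWS code). Targets are
# "local" (inside the VPC), an Internet Gateway id or a NAT Gateway id; the ids are
# placeholders. "subnet-2-before-nat" is Subnet 2's table before the NAT route existed.
ROUTE_TABLES = {
    "subnet-1-public":     [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "subnet-2-before-nat": [("10.0.0.0/16", "local")],
    "subnet-2-private":    [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
}

def lookup_route(table, dst_ip):
    """Longest-prefix match, the way a VPC route table resolves a destination."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None          # None: no route, the packet is dropped

def internet_access(table, has_public_ip):
    """What a host in the subnet can do towards an address outside the VPC."""
    target = lookup_route(table, "203.0.113.10")   # TEST-NET-3 address stands in for 'the internet'
    if target is None:
        return "none"                         # no default route at all
    if target.startswith("igw-"):
        # An IGW only forwards for instances that own a public or Elastic IP.
        return "outbound+inbound" if has_public_ip else "none"
    if target.startswith("nat-"):
        return "outbound-only"                # NAT Gateway: connections initiated from inside only
    return "none"
```

Run against the slide's addresses it shows why the backend gains outbound-only access once the NAT route appears, while the web server in the public subnet is reachable from outside as well.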
29. Security Groups
• Who can access me?
• Applied to AWS Resources
• E.g. EC2 instances, databases, load balancers, etc.
• Virtual Firewalls
• You can create inbound and outbound rules in a security group
• Follow the principle of Least Privilege
• Security Groups are stateful
• When architecting your application, list all the resources, decide who needs
to talk to whom, and create security groups for your resources accordingly
30. Web Server Backend Server
[Diagram: as on slide 27, with the Web-Server-SG attached to the Web Server in the Public Subnet]
Web-Server-SG
Type    Port   Source
HTTP    80     0.0.0.0/0
HTTPS   443    0.0.0.0/0
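Added example, not from the deck: a small model of the Web-Server-SG rules above plus a Backend-SG that names Web-Server-SG as its source, with a connection-tracking table to show what "stateful" means in practice. Backend-SG and its port 8080 are assumptions made in the spirit of slide 29 (allow only who needs to talk to whom).

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "proto port source")   # source: a CIDR or another SG's name

# Constructed inbound rules. Web-Server-SG is the table on the slide; Backend-SG (port
# 8080 reachable only from members of Web-Server-SG) is an assumption for this example.
SECURITY_GROUPS = {
    "Web-Server-SG": [Rule("tcp", 80, "0.0.0.0/0"), Rule("tcp", 443, "0.0.0.0/0")],
    "Backend-SG":    [Rule("tcp", 8080, "Web-Server-SG")],
}
INSTANCE_SG = {"10.0.0.1": "Web-Server-SG", "10.0.1.1": "Backend-SG"}   # addresses from the slides

def _source_matches(rule_source, src_ip):
    if rule_source in SECURITY_GROUPS:          # SG-to-SG reference: match by membership
        return INSTANCE_SG.get(src_ip) == rule_source
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source)

class StatefulSG:
    """Evaluates packets against an instance's SG with connection tracking."""
    def __init__(self):
        # Tracked flows as (initiator_ip, initiator_port, responder_ip, responder_port).
        self.flows = set()

    def inbound(self, dst_ip, proto, dport, src_ip, sport):
        if (dst_ip, dport, src_ip, sport) in self.flows:
            return True                         # reply to a flow the instance opened itself
        for r in SECURITY_GROUPS.get(INSTANCE_SG.get(dst_ip), []):
            if r.proto == proto and r.port == dport and _source_matches(r.source, src_ip):
                self.flows.add((src_ip, sport, dst_ip, dport))   # replies now pass outbound
                return True
        return False                            # no matching rule: silently dropped

    def outbound(self, src_ip, proto, dport, dst_ip, sport):
        # The default egress rule allows everything; tracking the flow is what lets the
        # reply come back in without any inbound rule, which is what "stateful" buys you.
        self.flows.add((src_ip, sport, dst_ip, dport))
        return True
```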
41. Web Server Backend Server
[Diagram: VPC 10.0.0.0/16 in Ireland (eu-west-1) with Subnet 1 (10.0.0.0/24, Web Server 10.0.0.1) and Subnet 2 (10.0.1.0/24, Backend Server 10.0.1.1), the Router and Internet Gateway to the Internet, and a MySQL DB (in RDS) added next to the Backend Server]
43. IAM Roles – What can I do?
• Security group – Who can access me
• IAM Role – What can I do
• Consider the backend server. What can it do?
• It can access the database
• So create an IAM role with database access permissions and attach to
backend EC2 server
44. How can getUsers lambda access the Database?
Step 01
• Run the getUsers lambda inside our VPC so that the lambda executes in
our private network
Step 02
• Assign an IAM role for getUsers lambda to read from database
45. Agenda
• On-premises network architecture
• Modeling on-premises architecture on AWS cloud
• Securing our cloud network architecture
• Migrating to a serverless architecture
• Securing your serverless architecture
• Connecting with the On-Premises Network
• Review our architecture against Cloud Adoption Framework
• Next Steps…
47. Securing Lambda Function
• Use an IAM role per function and don't be too permissive
• Apply the principle of least privilege
• Application security best practices still apply
• Mandatory code reviews, static analysis
• Environment variables and sensitive data via KMS and Lambda’s
encryption helpers
50. How to secure our Identities
(Authentication + Authorization)
51. Too many concerns…
• Need to develop a reliable user directory to manage
identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your user store
• Implementing token-based authentication
• Support for multiple social identities
• Federation with corporate directories for B2E applications
52. User Pools & Federated Identities
Reference: AWS
53. Authentication & Authorization (API Gateway)
• API Gateway can authenticate and authorize requests to the backend
• (e.g. Lambda, EC2 instances, Elasticsearch, S3, etc.)
• 3 Main Methods
1. Amazon Cognito User Pools – User Pool Authorizer
2. Amazon Cognito Federated Identities – AWS IAM Authorizer
3. Custom Identity Providers – Custom Authorizer
• Identity Providers
1. Web Identities – e.g. Google, LinkedIn, User Pools
2. Corporate Identities – e.g. Active Directory, LDAP
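Added example (not from the deck) of the third method above, a custom authorizer: a Lambda handler that receives API Gateway's TOKEN-authorizer event, verifies the bearer token, and answers with the IAM policy document API Gateway expects. The token format and shared secret are constructed for this example; a real authorizer would verify the identity provider's signed JWT, and the group name and method ARN are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret and token format for this example only; a real custom
# authorizer verifies the identity provider's signed JWT. In Lambda the secret would
# come from an encrypted environment variable (slide 47), never from source code.
SECRET = b"example-shared-secret"

def mint_token(user, groups, ttl=300):
    """Issue body.signature where signature = HMAC-SHA256(SECRET, body)."""
    body = json.dumps({"sub": user, "groups": groups, "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token):
    """Return the claims if signature and expiry check out, else None."""
    try:
        b64_body, b64_sig = token.split(".")
        body, sig = base64.urlsafe_b64decode(b64_body), base64.urlsafe_b64decode(b64_sig)
    except ValueError:                       # malformed base64 or wrong number of parts
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    return claims if claims.get("exp", 0) > time.time() else None

def policy(principal, effect, method_arn):
    """Response shape API Gateway expects from a TOKEN custom authorizer."""
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]}}

def handler(event, context=None):
    """Lambda entry point: the event carries authorizationToken and methodArn."""
    token = event.get("authorizationToken", "")
    if not token.startswith("Bearer "):
        raise Exception("Unauthorized")      # API Gateway turns this message into a 401
    claims = verify_token(token[len("Bearer "):])
    if claims is None:
        raise Exception("Unauthorized")
    # methodArn: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<VERB>/<path>
    parts = event["methodArn"].split("/")
    if len(parts) < 3:
        raise Exception("Unauthorized")
    verb, path = parts[2], "/".join(parts[3:])
    # Authorization decision (assumed policy): only users-readers may call GET /users (getUsers).
    allowed = verb == "GET" and path == "users" and "users-readers" in claims.get("groups", [])
    return policy(claims["sub"], "Allow" if allowed else "Deny", event["methodArn"])
```

A Deny policy makes API Gateway answer 403 to an authenticated caller, while the raised "Unauthorized" yields 401 before any policy is evaluated.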
74. VPN and AWS Direct Connect
• Both allow secure connections between your corporate network and
your VPC
• VPN uses an encrypted IPsec tunnel over the internet
• Direct Connect is a dedicated line between the corporate network
and your VPC
• Direct Connect is not affected by uncertainties in the internet and is
suitable for large data transfers at high speed
76. Cloud Adoption Framework
1. Infrastructure Security
2. Identity and Access Management
3. Data Protection
4. Detective Control
5. Incident Response
79. Next Steps…
• Read the AWS Well-Architected Framework whitepaper
• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Security Pillar Whitepaper