This document provides an overview of security on AWS. It discusses AWS regions and availability zones, the shared responsibility model for security between AWS and customers, and security features available on AWS like network security, access control, monitoring and logging, encryption, IAM, and securing data at rest. It also provides best practices for IAM configuration and using features like roles, MFA, and monitoring for security events.

1. Security on AWS(overview)
Bertram Dorn
EMEA Specialized Solutions Architect
Security and Compliance

2. Agenda: • Overview
• AWS Regions
• Availability Zones
• Shared Responsibility
• Security Features
• Best Practices for
• IAM
• Data at Rest

3. AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)
Korea (Seul)
Region
An independent collection of AWS resources in
a defined geography
A solid foundation for meeting location-
dependent privacy and compliance
requirements

4. Example
AWS
Region
AZ
AZ
AZ AZ AZ
Transit
Transit
• Mesh
of
Availability
Zones
(AZ)
and
Transit
Centers
• Redundant paths
to
transit
centers
• Transit
centers
connect
to:
– Private
links
to
other
AWS
regions
– Private
links
to
customers
– Internet
through
peering
&
paid
transit
• Metro-­‐area
DWDM
links
between
AZs
• 82,864 fiber
strands
in
region
• AZs
<2ms
apart
&
usually
<1ms
• 25Tbps peak
inter-­‐AZs
traffic

5. AWS Global Footprint
Availability Zone
Designed as independent failure zones
Physically separated within a typical metropolitan
region

6. Example
AWS
Availability
Zone
• 1
of
30
AZs
world-­‐wide
• All
regions
have
2
or
more
AZs
• Each
AZ
is
1
or
more
DC
– No
data
center
is
in
two
AZs
– Some
AZs
have
as
many
as
6
DCs
• DCs
in
AZ
less
than
¼
ms apart
AZ
AZ
AZ AZ AZ
Transit
Transit

7. Example
AWS
Data
Center
• Single
DC
typically
over
50,000
servers
&
often
over
80,000
• Larger
DCs
undesirable
(blast
radius)
• Up
to
102Tbps
provisioned
to
a
single
DC
(inter
DC
not
intra)

8. Shared Responsibility
Cross-service Controls
Service-specific Controls
Managed by
AWS
Managed by
Customer
Security of the Cloud
Security in the Cloud
Cloud Service Provider
Controls
Optimized
Network/OS/App Controls
Request reports at:
aws.amazon.com/compliance/#contact
ISO
27000
ISO
9001

9. What is AWS?
AWS Global Infrastructure
Application Services
Networking
Deployment & Administration
DatabaseStorageCompute

10. ©
2015,
Amazon
Web
Services,
Inc.
or
its
Affiliates.
All
rights
reserved.
Service
Breadth
&
Depth

11. Features Overview

12. ©
2015,
Amazon
Web
Services,
Inc.
or
its
Affiliates.
All
rights
reserved.
Network
Security Choose
and
combine
a
bunch
of
build
in
network
related
options:
ü Build
in
firewall
features
(Security
Groups
and
NACL’s)
ü Virtual
Private
Cloud
ü Transport
Encryption
(IPsec
and
TLS)
ü Dedicated
Network
Connection
(Direct
Connect)
ü Cypher
Suites
with
Perfect
Forward
Secrecy
ü Managed
NAT
Gateways
ü WebApplicationFilters

13. Virtual Private Cloud Security Layers
Security Group
Subnet 10.0.0.0/24
Routing Table
Network ACL
Subnet 10.0.1.0/24
Routing Table
Network ACL
Virtual Private Gateway Internet Gateway
Lockdown at
instance level
Isolate network
functions
Lockdown at
network level
Route restrictively
Router
Availability Zone A Availability Zone B
Security
Group
Security
Group

14. ©
2015,
Amazon
Web
Services,
Inc.
or
its
Affiliates.
All
rights
reserved.
Access
Control Allow
only
authorized
administrators
and
applications
access
on
AWS
resources
ü Multi-­‐Factor-­‐Authentication
(MFA)
ü Fine
granular
access
to
AWS
object
inS3-­‐Buckets/SQS/SNS
and
others
ü API-­‐Request
Authentication
ü Geo-­‐Restrictions
ü Temporary
access
tokens
through
STS

15. ©
2015,
Amazon
Web
Services,
Inc.
or
its
Affiliates.
All
rights
reserved.
Monitoring
and
Logging Get
an
overview
about
activities
on
your
AWS
ressources
ü Asset-­‐Management
and
-­‐Configuration
with
AWS
Config
ü Compliance
Auditing
and
security
analytics
with
AWS
CloudTrail
ü Identifications
of
configuration
challenges
through
TrustedAdvisor
ü Fine
granular
logging
of
access
to
S3
objects
ü Detailed
informations about
flows
in
the
network
through
VPC-­‐FlowLogs
ü Rule
based
config checks
and
actions
with
AWS
Config Rules
ü Filter
and
monitoring
of
HTTP
access
to
applications
with
WAF
functions
in
CloudFront

16. ©
2015,
Amazon
Web
Services,
Inc.
or
its
Affiliates.
All
rights
reserved.
Encryption
Security
is
the
first
priority
for
AWS
ü Encryption
of
your
data
at
rest
with
AES256
(EBS/S3/Glacier/RDS)
ü Centralized
(by
Region)
managed
Key-­‐Management
ü IPsec
tunnels
into
AWS
with
the
VPN-­‐Gateways
ü Deicated HSM
modules
in
the
cloud
with
CloudHSM

17. IAM Overview

18. Identity and Access Management
• Users & Groups

19. Identity and Access Management
• Users & Groups
• Unique Security Credentials

20. Identity and Access Management
• Users & Groups
• Unique Security Credentials
• Temporary Security
Credentials

21. Identity and Access Management
• Users & Groups
• Unique Security Credentials
• Temporary Security
Credentials
• Policies & Permissions

22. Identity and Access Management
• Users & Groups
• Unique Security Credentials
• Temporary Security
Credentials
• Policies & Permissions
• Roles

23. Identity and Access Management
• Users & Groups
• Unique Security Credentials
• Temporary Security
Credentials
• Policies & Permissions
• Roles
• Multi-­factor Authentication

24. IAM Best Practices

25. Root Accounts Do Not Need Access Keys
Root Accounts Do Normally Not Log In

26. Best Practices
Lock away your AWS account
access keys
Create individual IAM users
Use groups to assign
permissions to IAM users
Grant least privilege
Configure a strong password
policy for your users
Enable MFA for privileged
users
Use roles for applications that
run on Amazon EC2 instances
Delegate by using roles
instead of by sharing
credentials
Rotate credentials regularly
Remove unnecessary
credentials
Use policy conditions
Keep a history of activity

27. What type of events should I monitor for?
v You can monitor any specific event recorded by CloudTrail and receive
notification from CloudWatch
v Monitor for security or network related events that are likely to have a high
blast radius
v Popular examples based on customer feedback
1. Creation, deletion and modification of security groups and VPCs
2. Changes to IAM policies or S3 bucket policies
3. Failed AWS Management Console sign-­in events
4. API calls that resulted in authorization failures
5. Launching, terminating, stopping, starting and rebooting EC2 instances
v Fully defined and pre-­built CloudFormation template to get started

28. Receive email notifications of specific API activity

29. Demo: Kibana

30. Data at Rest: Simplified

31. Securing Data at Rest
Amazon RDS Redshift
Amazon S3GlacierAmazon EBS
> AES-­256 key
> KMS integration
> Easy one-­click
encryption

32. Securing Data at Rest
Amazon S3 Glacier
> AES-­256 key
> Each object is encrypted
> Each key is encrypted with a
master key
> Master key is rotated regularly
> KMS integration

33. Amazon EBS
Securing Data at Rest
> AES-­256 key
> Performed on EC2 host
> Snapshots
> KMS integrated
> Each Volume gets it‘s DataKey
> DataKey is encrypted with
MasterKey

34. Amazon RDS
Securing Data at Rest
> AES-­256 key
> Logs, backups, and snapshots
> Read replicas
> Active and backup
> CloudHSM (Oracle TDE only)
> KMS integration

35. Redshift
Securing Data at Rest
> AES-­256 key
> Data blocks
> Metadata
> Active and backup
> CloudHSM integration
> 4-­tier encryption architecture

36. Securing Data at Rest
CloudHSM
> Hardware Security Module
> Single tenancy
> Private key material never
leaves the HSM
> AWS provisioned, customer
managed

37. Whitepaper: Encrypting Data at Rest
https://d0.awsstatic.com/whitepapers/aws-­securing-­data-­at-­rest-­with-­encryption.pdf

38. Thank You
Content Providers:
Bertram Dorn
Brian Wagner
Dave Walker