- AWS provides built-in security controls that customers don't need to manage themselves, like security groups and IAM. - The Cloud Adoption Framework helps customers adapt existing practices or introduce new practices for cloud computing across five core security capabilities: identity and access management, detective controls, infrastructure security, data protection, and incident response. - AWS services like CloudTrail, Config, Inspector, and Flow Logs provide detective controls to monitor activity and configuration changes. Services like OpsWorks, Shield, and WAF help secure infrastructure. Key Management Service, CloudHSM, and Certificate Manager help protect data. CloudWatch Events and Lambda can automate incident response.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Antonio Duma, Solutions Architect – AWS
8 Giugno 2017
Security in the Cloud: Implementing a
DevSecOps process

2. Agenda
• AWS Controls that You Don’t Need to Worry About
• Framework to Help You Adapt the Cloud Faster
• AWS Services that You Should be Using
• Security Automation to Help You Adopt DevSecOps

3. AWS Global Infrastructure
16 AWS Regions, 42 Availability Zones, 76 AWS Edge Locations

4. AWS Security Controls

5. AWS Security Controls

6. Cloud Adoption Framework
Each Perspective provides guidance for different parts of an
organization
Helps YOU adapt existing practices
or introduce new practices
for cloud computing

7. The CAF Security Perspective
5 Core Capabilities
Identity and Access Management
Detective Controls
Infrastructure Security
Data Protection
Incident Response

8. Scaling to >1 Million Users
RDS DB Instance
Active (Multi-AZ)
Availability Zone
ELB
Balancer
RDS DB Instance
Read Replica
RDS DB Instance
Read Replica
Web
Instance
Web
Instance
Web
Instance
Web
Instance
Amazon
Route 53
User
Amazon S3
Amazon
CloudFront
DynamoDB
Amazon SQS
ElastiCache
Worker
Instance
Worker
Instance
Amazon
CloudWatch
Internal App
Instance
Internal App
Instance Amazon SES
Lambda

9. Scaling to >1 Million Users
RDS DB Instance
Active (Multi-AZ)
Availability Zone
ELB
Balancer
RDS DB Instance
Read Replica
RDS DB Instance
Read Replica
Web
Instance
Web
Instance
Web
Instance
Web
Instance
Amazon
Route 53
User
Amazon S3
Amazon
CloudFront
DynamoDB
Amazon SQS
ElastiCache
Worker
Instance
Worker
Instance
Amazon
CloudWatch
Internal App
Instance
Internal App
Instance Amazon SES
Lambda
AWS
WAF
AWS
Shield
AWS
Organizations
AWS
CloudTrail
AWS
Config
VPC Flow Logs
Amazon
Inspector
AWS
OpsWorks

10. VPC Public Subnet 10.10.1.0/24 VPC Public Subnet 10.10.2.0/24
VPC CIDR 10.10.0.0/16
VPC Private Subnet 10.10.3.0/24 VPC Private Subnet 10.10.4.0/24
VPC Private Subnet 10.10.5.0/24 VPC Private Subnet 10.10.6.0/24
AZ A AZ B
Public ELB
Internal ELB
RDS
Master
Autoscaling
Web Tier
Autoscaling
Application Tier
Internet
Gateway
RDS
Standby
Snapshots
Multi-AZ RDS
Data Tier
Existing
Datacenter
Virtual
Private
Gateway
Customer
Gateway
VPN Connection
Direct Connect
Network
Partner
Location
Administrators &
Corporate Users
Amazon Virtual Private Cloud

11. Security Already Built In…
Security groups
are virtual
firewalls that
control the traffic
for one or more
resources
AWS IAM securely
controls access to
AWS services and
resources for your
users.

12. Identity and Access Management
AWS
Organizations AWS IAM

13. Detective Controls
AWS
CloudTrail
Amazon
CloudWatch
AWS Config
Amazon
Inspector
VPC Flow
Logs
Account Resources Network

14. Detective Controls - VPC Flow Logs

15. Detective Controls - VPC Flow Logs

16. Infrastructure Security
AWS OpsWorks
AWS Shield
AWS WAF
Resources Network
AWS Trusted
Advisor
AWS Config
Rules

17. Infrastructure Security – AWS Config Rules

18. Infrastructure Security – AWS Config Rules

19. Data Protection - Encryption
Encryption In-Transit
SSL/TLS
VPN / IPSEC
SSH
Encryption At-Rest
Object
Database
Filesystem
Disk

20. Data Protection
AWS CloudHSM AWS Key Management
Service
AWS Certificate
Manager

21. Incident Response
Amazon
CloudWatch
Amazon
Lambda

22. Incident Response – AWS CloudWatch Events

23. Incident Response – AWS CloudWatch Events

24. Incident Response – AWS CloudWatch Events

25. Incident Response – AWS CloudWatch Events

26. Incident Response – AWS CloudWatch Events

27. Incident Response – AWS CloudWatch Events

28. Incident Response – Lambda Respond
cloudtrail = boto3.client('cloudtrail')
trail_arn = event["detail"]["requestParameters"]["name"]
ct_response = cloudtrail.start_logging(Name = trail_arn)

29. Incident Response – Lambda Notify
sns_topic = "arn:aws:sns:us-east-1:123459227412:reporter-topic"
subject = 'EVENT: ' + event["detail"]["eventName"]
message = "What happened? " + event["detail"]["eventName"] + "n"
"What service? " + event["detail"]["eventSource"] + "n"
"Where? " + event["detail"]["awsRegion"] + "n"
"When? " + event["detail"]["eventTime"] + "n"
"Who? " + str(json.dumps(event["detail"]["userIdentity"], indent=2))
sns = boto3.client('sns')
sns_response = sns.publish(
TopicArn = sns_topic,
Message = message,
Subject = subject,
MessageStructure = 'string'
)

30. Incident Response – Amazon SNS Notification

31. Where to start?
• Pontificate?
• Checklists?
• 1-pagers? 6-pagers? Documents?
Page 3 of 433
Security as code

32. Security as code is easy with AWS
AWS provides all the APIs!
• Programmatically test environments
• Determine state of environment
at a specific point in time
• Repeatable processes
• Scalable operations

33. AWS Marketplace Security Partners
Infrastructure
Security
Logging &
Monitoring
Identity & Access
Control
Configuration &
Vulnerability Analysis
Data Protection

34. Thank you!