AWS and its partners offer a wide range of tools and features to help you meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that can give you full visibility into what is happening in your environment. In this session, you will be introduced to the range of security tools and features that AWS offers, and to the latest security innovations coming from AWS.
7. Security ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
(Diagram labels: Distributed, Embedded)
8. Strengthen your security posture
Get native functionality and tools
• Over 30 global compliance certifications and accreditations
• Leverage security enhancements gleaned from 1M+ customer experiences
• Benefit from AWS industry leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
9. Security is a shared responsibility
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
12. AWS Assurance Programs
AWS maintains a formal control environment
• SOC 1 Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001, 27017, 27018 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• Architect for HIPAA compliance
13. AWS Account Relationship
• AWS Account Ownership
• AWS Account Contact Information
(Diagram labels: AWS Sales, AWS Solutions Architects, AWS Support, AWS Professional Services, AWS Consulting Partners)
21. AWS Global Footprint
• 12 Regions (10 Public, China Region and GovCloud Region)
• Canada, Ohio, India, UK and another China Region planned for 2016 and beyond
• 32 Availability Zones (adding 11 more in 2016 across new Regions)
• 55+ Edge locations
(Map legend: Region, Edge location)
22. Amazon Virtual Private Cloud (reference architecture diagram)
• VPC CIDR 10.10.0.0/16, spanning AZ A and AZ B
• VPC Public Subnets: 10.10.1.0/24, 10.10.2.0/24
• VPC Private Subnets: 10.10.3.0/24, 10.10.4.0/24, 10.10.5.0/24, 10.10.6.0/24
• Internet Gateway, Public ELB, Autoscaling Web Tier, Internal ELB, Autoscaling Application Tier
• Multi-AZ RDS Data Tier: RDS Master, RDS Standby, Snapshots
• Existing Datacenter connected through Customer Gateway, VPN Connection and Virtual Private Gateway, or through Direct Connect via a Network Partner Location
• Administrators & Corporate Users
23. Security Groups (VPC CIDR 10.1.0.0/16)
• Availability Zone A and Availability Zone B each contain a public subnet (ELB, Web) and a private subnet (Back end)
• sg_ELB_FrontEnd (ELB Security Group)
• sg_Web_Frontend (Web Security Group)
• sg_Backend (Backend Security Group)
27. VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Flow log record fields: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject
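The slide lists the fields of a flow log record and says to build CloudWatch metrics from the log data and alarm on them. The following is an added example, not code from the slides or from AWS: it parses records in the default (version 2) space-separated flow log format, derives a "REJECTs per source" metric and an "accepted bytes" metric, and raises an alarm when a source is refused more than a threshold number of times. The log lines are constructed samples (documentation addresses, made-up account and ENI ids); the threshold, function names and alarm shape are assumptions chosen for illustration, and nothing is sent to CloudWatch.

```python
"""Turn VPC Flow Log records into a metric and an alarm.

Added example, not from the slides or from AWS. SAMPLE_LOG is constructed
sample data in the default version 2 flow log format; the threshold and
the alarm shape are assumptions for illustration.
"""
from collections import Counter, defaultdict, namedtuple

# Field order of a default-format (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
FlowRecord = namedtuple("FlowRecord", FIELDS)

# Constructed sample records: one source refused three times on 22 and 3389,
# one source accepted on 443, and one NODATA record with no traffic fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.1.1.10 51000 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.1.1.10 51001 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.1.1.10 51002 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.10 44312 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.10 44313 443 6 8 1200 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA
"""


def _int(value):
    """Numeric field, or None where the record carries '-' (NODATA/SKIPDATA)."""
    return None if value == "-" else int(value)


def parse_record(line):
    """Parse one record; raise ValueError on a line with the wrong field count."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(FIELDS), len(parts), line))
    rec = FlowRecord(*parts)
    return rec._replace(srcport=_int(rec.srcport), dstport=_int(rec.dstport),
                        protocol=_int(rec.protocol), packets=_int(rec.packets),
                        bytes=_int(rec.bytes), start=int(rec.start),
                        end=int(rec.end))


def parse_log(text):
    """Parse every non-empty line of a flow log export."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def reject_counts_by_source(records):
    """Metric: number of REJECT records per source address.

    Records whose log_status is not OK carry no traffic fields, so they are
    skipped rather than counted as rejects.
    """
    counts = Counter()
    for rec in records:
        if rec.log_status == "OK" and rec.action == "REJECT":
            counts[rec.srcaddr] += 1
    return counts


def accepted_bytes(records):
    """Metric: total bytes on ACCEPTed flows."""
    return sum(rec.bytes for rec in records
               if rec.log_status == "OK" and rec.action == "ACCEPT")


def alarm(records, threshold=3):
    """Alarm: sources refused at least `threshold` times, mapped to the sorted
    distinct destination ports they were refused on."""
    ports = defaultdict(set)
    for rec in records:
        if rec.log_status == "OK" and rec.action == "REJECT":
            ports[rec.srcaddr].add(rec.dstport)
    counts = reject_counts_by_source(records)
    return {src: sorted(ports[src]) for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("records parsed:", len(recs))
    print("rejects by source:", dict(reject_counts_by_source(recs)))
    print("accepted bytes:", accepted_bytes(recs))
    print("alarm:", alarm(recs))
```

In a real deployment the counting and thresholding would live in a CloudWatch Logs metric filter and alarm rather than in code; the parser shows what those filters are matching on, and the NODATA handling shows why a filter should key on the action field rather than on the absence of ACCEPT.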
40. MONITORING, REPORTING, & OPTIMIZATION
Enterprise Security & Cost Management from CloudCheckr
The CloudCheckr Unified Cloud Security and Governance Platform
• Leveraging AWS data – CloudTrail, Config, VPC Flow logs, CloudWatch logs, DBR, and more metrics
• Providing complete transparency – into 1 or across 1000s of AWS accounts
• Automating security, configuration, and activity monitoring and alerting
• Continuous monitoring of configurations, resources and permissions
• Active optimization, sophisticated allocation, and simplified invoicing for enterprise cloud cost management
41. SAVING $2 MILLION WHILE IMPROVING SECURITY
CloudCheckr’s unified cost & security management platform (Case Study)
Problem Statement:
• AWS usage started small and grew very complex with time
• Needed clarity around cost, utilization and security
Business Outcomes:
• Saved $2 million USD
• Total control of the Detailed Billing Report
• Change monitoring for security weaknesses
WWW.CLOUDCHECKR.COM
“CloudCheckr gives us total visibility and control over our AWS investment.” (Patrick Neville, Manager of Systems Operations)
42. SAVES TIME & MONEY, IMPROVES SECURITY
CloudCheckr’s unified cost & security management platform (Case Study)
Problem Statement:
• Needed to track changes and costs
• Needed to drive accountability across all key stakeholders
Business Outcomes:
• Saved $2 million USD
• Total control of the Detailed Billing Report
• Change monitoring for security weaknesses
WWW.CLOUDCHECKR.COM
“The S3 functionality alone revealed immediate cost savings that paid for CloudCheckr 3x over.” (Dave North, Director of DevOps)
43. AWS CloudFormation – Infrastructure as Code
Template → AWS CloudFormation → Stack
• Orchestrate changes across AWS Services
• Use as foundation to Service Catalog products
• Use with source code repositories to manage infrastructure changes
• Template: JSON-based text file describing infrastructure
• Stack: resources created from a template; can be updated; updates can be restricted
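Slide 23 names three security groups (sg_ELB_FrontEnd, sg_Web_Frontend, sg_Backend) and slide 43 describes a CloudFormation template as a JSON text file describing infrastructure. The following added example, which is not code from the slides or from AWS, ties the two together: it builds the three-tier security-group chain as a CloudFormation template in which only the ELB group accepts traffic from the internet and each inner tier accepts traffic only from the group in front of it, renders it as JSON, and runs a small check that flags any other group opened to 0.0.0.0/0. The logical resource names (CloudFormation logical IDs must be alphanumeric, so the slide's underscored names are adapted), the ports 443/80/8080 and the use of HTTPS on the ELB are assumptions; the VPC CIDR 10.1.0.0/16 is the one on slide 23.

```python
"""Three-tier security-group chain as a CloudFormation template, plus a
check for over-broad ingress.

Added example, not from the slides or from AWS. Logical IDs, ports and the
weakened variant are assumptions for illustration.
"""
import copy
import json

VPC_CIDR = "10.1.0.0/16"  # VPC CIDR shown on slide 23


def security_group(description, ingress):
    """One AWS::EC2::SecurityGroup resource in the VPC passed as a parameter."""
    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": description,
            "VpcId": {"Ref": "VpcId"},
            "SecurityGroupIngress": ingress,
        },
    }


def from_cidr(port, cidr):
    """TCP ingress rule from an IP range."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "CidrIp": cidr}


def from_group(port, logical_id):
    """TCP ingress rule from another security group in the same template.
    Ref on an AWS::EC2::SecurityGroup inside a VPC yields its group ID."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "SourceSecurityGroupId": {"Ref": logical_id}}


def build_template():
    """Chain: internet -> ELB group -> web group -> backend group."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Three-tier security group chain (added example)",
        "Parameters": {
            "VpcId": {"Type": "AWS::EC2::VPC::Id",
                      "Description": "VPC with CIDR " + VPC_CIDR},
        },
        "Resources": {
            # sg_ELB_FrontEnd: the only group meant to face the internet
            "sgELBFrontEnd": security_group(
                "sg_ELB_FrontEnd: internet-facing ELB",
                [from_cidr(443, "0.0.0.0/0")]),
            # sg_Web_Frontend: reachable only from the ELB group
            "sgWebFrontend": security_group(
                "sg_Web_Frontend: web tier, ELB only",
                [from_group(80, "sgELBFrontEnd")]),
            # sg_Backend: reachable only from the web group
            "sgBackend": security_group(
                "sg_Backend: backend tier, web tier only",
                [from_group(8080, "sgWebFrontend")]),
        },
    }


def render(template):
    """The JSON text file CloudFormation consumes."""
    return json.dumps(template, indent=2)


def ingress_chain(template):
    """Map each security group to the set of groups allowed to reach it."""
    chain = {}
    for logical_id, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        sources = set()
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            src = rule.get("SourceSecurityGroupId")
            if isinstance(src, dict) and "Ref" in src:
                sources.add(src["Ref"])
        chain[logical_id] = sources
    return chain


def open_ingress(template, internet_facing=("sgELBFrontEnd",)):
    """Findings (group, port, cidr) for world-open CIDR rules on any group
    that is not on the internet-facing allow list."""
    findings = []
    for logical_id, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup" or logical_id in internet_facing:
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp")
            if cidr and cidr.endswith("/0"):
                findings.append((logical_id, rule["FromPort"], cidr))
    return findings


def with_open_backend(template):
    """Deliberately weakened copy: the backend also accepts 8080 from anywhere."""
    bad = copy.deepcopy(template)
    bad["Resources"]["sgBackend"]["Properties"]["SecurityGroupIngress"].append(
        from_cidr(8080, "0.0.0.0/0"))
    return bad


if __name__ == "__main__":
    tmpl = build_template()
    print(render(tmpl))
    print("chain:", ingress_chain(tmpl))
    print("findings, as written:", open_ingress(tmpl))
    print("findings, weakened copy:", open_ingress(with_open_backend(tmpl)))
```

Because the template is text in a repository, a check like open_ingress can run in the pipeline before the stack is created or updated, which is the "source code repositories to manage infrastructure changes" point of slide 43 applied to the security groups of slide 23.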
48. Evolving the Practice of Security Architecture
Security architecture as a separate function can no longer exist
Current Security Architecture Practice:
• Static position papers, architecture diagrams & documents
• UI-dependent consoles and technologies
• Auditing, assurance, and compliance are decoupled, separate processes
49. Evolving the Practice of Security Architecture
Security architecture can now be part of the ‘maker’ team
Evolved Security Architecture Practice:
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
(Tooling shown: AWS CodeCommit, AWS CodePipeline, Jenkins)
50. AWS Marketplace Security Partners
• Infrastructure Security
• Logging & Monitoring
• Identity & Access Control
• Configuration & Vulnerability Analysis
• Data Protection