© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How to Implement a Well-Architected Security Solution
Shafreen Sayyed, AWS Solutions Architect
September 2018
Agenda
• AWS Well-Architected
• Security Best Practices
• Take Action
• Helpful Resources
AWS Well-Architected
Pillars of AWS Well-Architected
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
• Operational Excellence
https://aws.amazon.com/architecture/well-architected/
Security design principles
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
Implement a strong identity foundation
Identity & Access Management
• How do you manage credentials and authentication for your workload?
• How do you control human access to services?
• How do you control programmatic access to services?
AWS Organizations: management for multiple AWS accounts
• Control AWS service use across accounts
• Automate AWS account creation
• Create groups of accounts
• Consolidate billing
AWS Account Relationship
• Business Unit account structure
• Environment Lifecycle account structure
• Project-Based account structure
AWS Organizations (Outline Multi-Account Structure)
Diagram labels: Organization Master Account (Billing, Tooling, Amazon CloudFormation StackSets); Organization Accounts: Security (Logging, Internal Audit, External Audit) and Shared Services (Direct Connect Account, Data centre); BU/Product/Resource Accounts (Dev, Pre-Prod, Prod, Sandbox, Shared Services); Developer Accounts (Developer Sandbox).
AWS Identity and Access Management
IAM Users
• Enforce MFA
• Enforce password requirements
• Audit periodically
• Roles grant access
• Consider federation
IAM Groups
• Logically group users
• Apply group policies
IAM Roles
• IAM users assume
• Cross account access
• AWS Services utilize
• Enforce MFA condition
IAM Policies
• Least privilege
• Use conditions
• Use Access Advisor
Federation: Amazon Cognito
• Web and mobile apps: developers focus on developing their app; Cognito handles auth and identity
• Managed user directory
• Hosted UI
• AWS credentials
• Standard tokens
Take action – AWS Account
• Root account *should never* be used
• Enable MFA on root user
• Consider AWS Organizations
• Set account security questions & contacts
• Enforce password requirements
• Vault privileged credentials
• Audit credentials periodically
Take action – credentials & authentication
• NEVER store credentials or secrets in code
• Enforce MFA
• Consider federation to centralize
• Use IAM roles for users and services
• Establish least privileged IAM policies
• Audit policies with IAM Access Advisor
• Consider AWS Secrets Manager
• Use temporary or short-lived credentials
Enable Traceability
Enable traceability
• How are you aware of security events in your workload?
• How do you protect your workload from the latest security threats?
Detection
AWS CloudTrail
• Customize delivery
• Encryption & integrity validation
• Archive
• Take action with CloudWatch Events
Amazon GuardDuty
• Intelligent threat detection
• Continuously analyze
• AWS service integration
AWS Config
• Configuration management
• Relationship tracking
• Configuration tracking
Metrics & logging
Amazon CloudWatch
• Metrics & filters
• Alarms & notifications
• AWS integration
• Custom integration
Amazon CloudWatch Logs
• Monitor & store logs
• Alarms & notifications
• AWS integration
• Custom integration
Amazon CloudWatch Events
• Automate actions
• AWS integrated
• Custom integration
Use your logs
Don’t just collect and store logs; act upon them:
• Trigger notifications
• Automate responses
• Automate remediation
• Integrate with threat intelligence
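Added example, not from the original deck: three CIS Foundations Benchmark-style detection rules (root account use, console login without MFA, changes to CloudTrail logging) run over constructed CloudTrail records. The account id, user names, IPs and trail name are constructed sample values.

```python
"""Detection rules over CloudTrail records, in the spirit of the CIS Foundations
Benchmark metric filters. SAMPLE_RECORDS are constructed, not real log data."""
import json

# Constructed records using the abbreviated CloudTrail schema (account, users, IPs invented).
SAMPLE_RECORDS = [
    {"eventTime": "2018-09-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root",
                      "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2018-09-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice",
                      "accountId": "111111111111", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2018-09-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice",
                      "accountId": "111111111111", "userName": "alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2018-09-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc",
                      "accountId": "111111111111"}},
]
# A CloudTrail log file body is {"Records": [...]}; constructed from the records above.
SAMPLE_LOG_FILE = json.dumps({"Records": SAMPLE_RECORDS})

TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def _principal(record):
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def rule_root_usage(record):
    """Root credentials used directly (not an AWS service acting on root's behalf)."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root" and "invokedBy" not in ident:
        return "root_account_used"
    return None


def rule_console_login_without_mfa(record):
    """Successful console sign-in where MFA was not used."""
    if record.get("eventName") != "ConsoleLogin":
        return None
    success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
    mfa = record.get("additionalEventData", {}).get("MFAUsed")
    if success and mfa != "Yes":
        return "console_login_without_mfa"
    return None


def rule_trail_tampering(record):
    """Anything that stops, deletes or reconfigures a trail weakens traceability."""
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPER_EVENTS):
        return "cloudtrail_logging_changed"
    return None


RULES = (rule_root_usage, rule_console_login_without_mfa, rule_trail_tampering)


def detect(records):
    """Run every rule over every record; return one finding dict per rule hit."""
    findings = []
    for rec in records:
        for rule in RULES:
            name = rule(rec)
            if name:
                findings.append({"rule": name, "eventName": rec.get("eventName"),
                                 "principal": _principal(rec),
                                 "sourceIP": rec.get("sourceIPAddress"),
                                 "eventTime": rec.get("eventTime")})
    return findings


def detect_from_log_file(text):
    """Parse a CloudTrail log-file body and run the rules over its Records."""
    return detect(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f['eventTime']} {f['rule']:28} {f['principal']} from {f['sourceIP']}")
```

In practice each rule maps to a CloudWatch Logs metric filter and alarm on the CloudTrail log group, which is the "trigger notifications" step above.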
Take action
• Customize CloudTrail configuration
• Consider Amazon GuardDuty
• Configure application & infrastructure logging
• Centralize detection and alerting with a SIEM
• Pro-actively monitor access to your sensitive data
• Schedule regular reviews of news & best practices
• Have situational awareness, and manage risk
Apply security at all layers
Apply security at all layers
• How do you protect your networks?
• How do you protect your compute resources?
Defence-in-depth
AWS Shield Standard: DDoS protection
• Protection against most common network and transport layer DDoS attacks
• Always-on detection
• Automatic inline mitigations
• No additional cost
• Advanced managed service available
Diagram labels: DDoS Attack, Users, AWS Shield.
AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• AWS bill protection
Amazon CloudFront
Diagram labels: www.example.com; Amazon Route 53; Amazon CloudFront Edge Location with AWS WAF; Amazon CloudFront Distribution; Static Content Origin (Amazon S3 bucket); Dynamic Content Origin (Elastic Load Balancing, EC2 instance Web / App); Data Center.
AWS WAF (Web Application Firewall)
• Rate-based rules
• Scanners and probes
• SQL injection
• Bots and scrapers
• Partner managed rules
• Cross-site scripting
Amazon VPC
Amazon VPC considerations:
• Consider network requirements in VPC structure
• Subnets to separate layers
• Use NACLs to prevent access between subnets
• Use route tables to control internet access
• Use security groups to control horizontal movement
Host-based security
• Implement host intrusion detection & prevention
• Agent-based solution scales as instances scale
• Scan and patch for vulnerabilities
• Use a configuration management tool
Diagram labels: Host-based Security (per instance); Central Monitoring and Control.
Serverless security
• How do you authorize and authenticate access to your serverless API?
• How are you enforcing boundaries as to what AWS services your Lambda functions can access?
• How do you monitor dependency vulnerabilities within your serverless application?
• What is your strategy on input validation?
Diagram labels: Amazon API Gateway, AWS Lambda, Amazon DynamoDB.
Take action: network layer
• Use Amazon CloudFront + AWS WAF with AWS Shield for internet-facing applications
• Use Amazon VPC and security groups to enforce segmentation
• Private connectivity using VPC peering, VPN or AWS Direct Connect
• Enable VPC Flow Logs
• Enable Amazon GuardDuty and integrate with SIEM
• Enforce service-level permissions, e.g. S3 bucket policies
Take action: host layer
• Use OS based anti-malware + intrusion detection
• Run CVE vulnerability scans e.g. Amazon Inspector
• Scan external code you use
• Harden operating systems & default configurations
• Patch vulnerabilities
• Maintain hardened and patched images
Automate security best practices
AWS CloudFormation
Verify configuration BEFORE creation
Automate your security baseline
Secure by default
Build in best practices
AWS Config Rules
• Rules check configuration changes
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes
Automate Security Best Practices: automated threat remediation
Amazon GuardDuty (finding) → Amazon CloudWatch Events (event) → AWS Lambda (function)
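Added example, not code from the deck or from AWS: the Lambda end of the GuardDuty → CloudWatch Events → Lambda flow, written as a planner that maps a finding's severity band to notify / tag / isolate actions and then executes the plan through injected clients. The quarantine security group id, the env var names, the tag names and the sample finding are all assumptions; DryRunClient records the calls instead of making them.

```python
"""GuardDuty finding -> remediation plan -> EC2/IAM calls. Constructed sample event;
QUARANTINE_SG_ID and DRY_RUN are assumed environment variables."""
import os

QUARANTINE_SG = os.environ.get("QUARANTINE_SG_ID", "sg-0quarantine0example")  # assumed
ISOLATE_AT = 7.0   # GuardDuty severity bands: Low < 4, Medium 4 to 6.9, High >= 7
TAG_AT = 4.0

# Constructed CloudWatch Events envelope carrying an (abbreviated) GuardDuty finding.
SAMPLE_EVENT = {
    "version": "0", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111111111111", "region": "eu-west-1",
    "detail": {
        "schemaVersion": "2.0", "id": "finding-example-0001", "severity": 8,
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0",
                                         "tags": [{"key": "Environment", "value": "prod"}]}},
        "service": {"action": {"actionType": "NETWORK_CONNECTION",
                               "networkConnectionAction": {
                                   "connectionDirection": "INBOUND",
                                   "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}


def severity_band(severity):
    if severity >= ISOLATE_AT:
        return "High"
    return "Medium" if severity >= TAG_AT else "Low"


def plan_remediation(event):
    """Turn one finding into an ordered list of (action, params). The event is only
    read; the decision logic lives here, never in data supplied by the event."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return []  # a different rule routed an unrelated event to this function
    d = event["detail"]
    band = severity_band(float(d.get("severity", 0)))
    res = d.get("resource", {})
    plan = [("notify", {"finding": d.get("id"), "type": d.get("type"), "band": band})]
    if res.get("resourceType") == "Instance":
        iid = res["instanceDetails"]["instanceId"]
        if band in ("Medium", "High"):
            plan.append(("tag", {"resource": iid, "tags": {
                "SecurityStatus": "UnderInvestigation", "GuardDutyFinding": d.get("id")}}))
        if band == "High":
            # Keep the instance alive for forensics (clean room) but cut its network paths
            # by swapping its security groups for the quarantine group.
            plan.append(("isolate_instance", {"instance_id": iid, "security_group": QUARANTINE_SG}))
    elif res.get("resourceType") == "AccessKey" and band == "High":
        ak = res["accessKeyDetails"]
        plan.append(("deactivate_access_key", {"user": ak["userName"],
                                               "access_key_id": ak["accessKeyId"]}))
    return plan


def execute(plan, ec2, iam, notifier=print):
    """Carry out the plan with boto3-style EC2 and IAM clients; returns the step count."""
    for action, p in plan:
        if action == "notify":
            notifier(f"GuardDuty {p['band']} finding {p['finding']}: {p['type']}")
        elif action == "tag":
            ec2.create_tags(Resources=[p["resource"]],
                            Tags=[{"Key": k, "Value": v} for k, v in p["tags"].items()])
        elif action == "isolate_instance":
            ec2.modify_instance_attribute(InstanceId=p["instance_id"], Groups=[p["security_group"]])
        elif action == "deactivate_access_key":
            iam.update_access_key(UserName=p["user"], AccessKeyId=p["access_key_id"],
                                  Status="Inactive")
    return len(plan)


class DryRunClient:
    """Records the calls execute() would make, for tests and for DRY_RUN=1 deployments."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
        return record


def lambda_handler(event, context):
    plan = plan_remediation(event)
    if os.environ.get("DRY_RUN") == "1":
        ec2 = iam = DryRunClient()
    else:
        import boto3  # present in AWS Lambda; not needed to run the planner locally
        ec2, iam = boto3.client("ec2"), boto3.client("iam")
    return execute(plan, ec2, iam)


if __name__ == "__main__":
    os.environ["DRY_RUN"] = "1"
    print(lambda_handler(SAMPLE_EVENT, None), "step(s) planned for the sample finding")
```

The Lambda role needs only the permissions these calls use (ec2:CreateTags, ec2:ModifyInstanceAttribute, iam:UpdateAccessKey), in line with the least-privilege bullet earlier in the deck.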
Immutable infrastructure
Diagram labels: Infrastructure as code (AWS CloudFormation, AWS SAM); Immutable infrastructure; Automation: Patching + Inspector.
Take Action
• Template infrastructure e.g. AWS CloudFormation / AWS SAM
• Automate build and test of new infrastructure
• Configure AWS Config rules
• Use Amazon Inspector to detect vulnerabilities
• Automate response to non-compliant infrastructure using AWS Config
Protect data in transit and at rest
Protect Data in Transit and at Rest
• How do you protect your data at rest?
• How do you protect your data in transit?
Data classification
Start by classifying data based on sensitivity:
• Public data = non-sensitive, available to everyone
• Private data = requires strict controls
Use resource tags to help define the policy:
• “DataClassification=Private”
• Integrate access with IAM policies
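Added example, not from the deck: an IAM policy keyed on the DataClassification tag from the bullets above, together with a deliberately simplified offline evaluator used only to check what the policy allows. The evaluator models a small subset of IAM (Allow/Deny, action and resource wildcards, StringEquals/Bool/Null conditions) and is an illustration, not the IAM engine; the bucket name, the DataClearance principal tag and the object key are assumptions.

```python
"""Tag-driven data classification policy plus a minimal evaluator to exercise it.
Bucket name and principal tag are assumptions; the evaluator is not IAM."""
import fnmatch
import json

BUCKET_ARN = "arn:aws:s3:::example-data-bucket"  # assumed bucket name

# Public objects: readable by anyone holding the policy.
# Private objects: require an MFA-authenticated session and a DataClearance=Private
#   principal tag, so the classification tag on the data drives the decision.
# Untagged objects: explicitly denied, so unclassified data is never silently exposed.
CLASSIFICATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadPublic", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringEquals": {"s3:ExistingObjectTag/DataClassification": "Public"}}},
        {"Sid": "ReadPrivateWithMfaAndClearance", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringEquals": {"s3:ExistingObjectTag/DataClassification": "Private",
                                        "aws:PrincipalTag/DataClearance": "Private"},
                       "Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DenyUntagged", "Effect": "Deny", "Action": "s3:GetObject",
         "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"Null": {"s3:ExistingObjectTag/DataClassification": "true"}}},
    ],
}


def policy_json():
    """The policy document as it would be attached to a role or group."""
    return json.dumps(CLASSIFICATION_POLICY, indent=2)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """All operators and keys in a Condition block must hold (IAM semantics)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "Bool":
                # A missing key makes a Bool condition false, as in IAM.
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "Null":
                # Null: "true" means the key must be absent from the request context.
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policy, action, resource, ctx):
    """'Allow' or 'Deny': implicit deny, and an explicit Deny overrides any Allow."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request_context(object_tags, principal_tags, mfa_present):
    """Build the condition-key view of one request: object tags, principal tags, MFA."""
    ctx = {f"s3:ExistingObjectTag/{k}": v for k, v in object_tags.items()}
    ctx.update({f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()})
    ctx["aws:MultiFactorAuthPresent"] = "true" if mfa_present else "false"
    return ctx


def can_read(object_tags, principal_tags, mfa_present, key="reports/q3.csv"):
    ctx = request_context(object_tags, principal_tags, mfa_present)
    return evaluate(CLASSIFICATION_POLICY, "s3:GetObject", f"{BUCKET_ARN}/{key}", ctx)


if __name__ == "__main__":
    print(policy_json())
    print("private, MFA, cleared:", can_read({"DataClassification": "Private"},
                                             {"DataClearance": "Private"}, True))
    print("private, no MFA:      ", can_read({"DataClassification": "Private"},
                                             {"DataClearance": "Private"}, False))
```

The IAM policy simulator is the authoritative way to check the real policy; this evaluator only makes the intended decision table explicit and testable.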
Encrypt Your Data
Transport: HTTPS, TLS, s2n, AWS Certificate Manager (ACM)
At rest (server side and client side): AWS CloudHSM, AWS Key Management Service (AWS KMS)
Data in transit
AWS endpoints are HTTPS. What can you do?
• VPN connectivity to VPC
• TLS application communications
• ELB with AWS Certificate Manager (ACM)
• Amazon CloudFront with ACM
• Amazon API Gateway with ACM
Encryption with AWS KMS
• One-click encryption with many AWS services
• Centralized key management
• Import your own keys
• Enforced, automatic key rotation
• Visibility into changes via AWS CloudTrail
Take action
• Use AWS KMS or an alternative mechanism to encrypt all data at rest
• Use Identity & Access Management to restrict access
• Verify accessibility of data, e.g. Amazon S3 and EBS snapshots
• Use AWS Certificate Manager for managing certificates
• Consider tokenization to substitute sensitive data
• Tag data and resources with classification level
• Consider data segmentation and isolation techniques
• Enforce encryption mechanisms, e.g. do not allow unencrypted protocols
Keep People Away From Data
Keep people away from data
Create mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data.
• Use automation to:
  • Manage workloads
  • Control data flow
  • Enforce business logic
• Data access controls between users and data
EC2 automated administration
Diagram labels: VPC1, VPC2, Tags, IAM, Run Command, Amazon CloudWatch Events, CloudTrail (Auditing, Visibility).
Automated infrastructure
• Infrastructure as code: CloudFormation
• Security as code: AWS Inspector, AWS Systems Manager
• Continuous Integration & Delivery
• Version Control System
Use dashboards
Take Action
• Remove direct access to Amazon EC2; use AWS Systems Manager
• Implement fine-grained control between users and data
• Use dashboards and other methods to display data instead of direct database access
• Use automated infrastructure deployments e.g. AWS CloudFormation
• Use automation to control data
Prepare for security events
Prepare for security events
• How do you prepare to respond to an incident?
Incident response
Even with mature preventative and detective controls in place, you should still plan for incident response.
Clean room
• Plan for different scenarios
• Pre-provision access to workloads for security team
• Use tags to quickly determine impact and escalate
• Use AWS API operations to automate and isolate instances
• AWS CloudFormation – create clean environments for investigation
Take Action
• Prepare for different scenarios
• Pre-deploy tools using automation
• Pre-provision access to security or response teams
• Practice responding to incidents through game days
• Continuously improve your processes
Security Training
Security Fundamentals on AWS
(Free online course)
Details at aws.amazon.com/training
Resources
https://aws.amazon.com/architecture/well-architected/
https://docs.aws.amazon.com/
https://aws.amazon.com/security/
https://aws.amazon.com/security/featured-partner-solutions/
https://aws.amazon.com/security/partner-solutions/
https://aws.amazon.com/blogs/
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
https://aws.amazon.com/blogs/security/amazon-guardduty-threat-detection-and-remediation-scenario/
https://aws.amazon.com/blogs/security/how-to-use-amazon-guardduty-and-aws-web-application-firewall-to-automatically-block-suspicious-hosts/
https://aws.amazon.com/gameday/
https://aws.amazon.com/blogs/apn/announcing-the-security-competency-for-apn-consulting-partners/
Largest ecosystem of security partners and solutions
• Infrastructure security
• Logging & monitoring
• Identity & access control
• Configuration & vulnerability analysis
• Data protection
Consulting competency partners with demonstrated expertise
• Security engineering
• Governance, risk & compliance
• Security operations & automation
Thank you!

 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

How to Implement a Well-Architected Security Solution.pdf

9. AWS Account Relationship
• Business Unit account structure
• Environment Lifecycle account structure
• Project-Based account structure

10. AWS Organizations (Outline Multi-Account Structure)
Diagram labels: Organization Master Account; Billing; Tooling; Amazon CloudFormation StackSets; Organization Accounts; Security; Logging; Internal Audit; External; Shared Services; Direct Conn. Account; Data centre; Developer Accounts; Developer Sandbox; Sandbox; BU/Product/Resource Accounts; Dev; Pre-Prod; Prod

11. AWS Identity and Access Management
IAM Users
• Enforce MFA
• Enforce password requirements
• Audit periodically
• Roles grant access
• Consider federation
IAM Groups
• Logically group users
• Apply group policies
IAM Roles
• IAM users assume
• Cross account access
• AWS Services utilize
• Enforce MFA condition
IAM Policies
• Least privilege
• Use conditions
• Use Access Advisor

12. Federation: Amazon Cognito
• Web and Mobile Apps
• Developers focus on developing their app
• Cognito handles auth and identity
• Managed User Directory
• Hosted UI
• AWS Credentials
• Standard Tokens

13. Take action: AWS Account
• Root account *should never* be used
• Enable MFA on root user
• Consider AWS Organizations
• Set account security questions & contacts
• Enforce password requirements
• Vault privileged credentials
• Audit credentials periodically

14. Take action: credentials & authentication
• NEVER store credentials or secrets in code
• Enforce MFA
• Consider federation to centralize
• Use IAM roles for users and services
• Establish least-privilege IAM policies
• Audit policies with IAM Access Advisor
• Consider AWS Secrets Manager
• Use temporary or short-lived credentials
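A CI-time lint for the slide 11 and 14 guidance (least privilege, use conditions, an MFA condition on privileged actions) that also serves slide 34's "verify configuration BEFORE creation", as an added Python example that is not code from the deck or from AWS. It assumes the standard IAM policy JSON shape; SENSITIVE_PREFIXES, the finding wording and the sample policies (account id 123456789012 is a placeholder) are this example's own choices.

```python
"""Lint IAM policy documents for least-privilege gaps before they are deployed.

Added example (not code from the deck or from AWS): it checks a policy in the JSON
shape IAM uses for wildcard actions/resources, NotAction/NotResource grants, and
privileged actions allowed without an MFA condition. SENSITIVE_PREFIXES and the
finding texts are this example's own choices, not an AWS API.
"""
import json
from typing import Any, Dict, List

# Actions we treat as privileged enough to require MFA (example list, not AWS's).
SENSITIVE_PREFIXES = ("iam:", "kms:", "organizations:", "sts:")
# Verbs that usually need Resource "*" anyway (Describe*/List*/Get* calls).
READ_ONLY_VERBS = ("Describe", "List", "Get")
MFA_CONDITION_KEYS = ("aws:MultiFactorAuthPresent", "aws:MultiFactorAuthAge")


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _is_read_only(action: str) -> bool:
    """True for actions like ec2:DescribeInstances or s3:ListAllMyBuckets."""
    return action.split(":", 1)[-1].startswith(READ_ONLY_VERBS)


def _has_mfa_condition(statement: Dict[str, Any]) -> bool:
    """True if any Condition operator block references an MFA context key."""
    for keys in statement.get("Condition", {}).values():
        if any(key in MFA_CONDITION_KEYS for key in keys):
            return True
    return False


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the policy passed the lint."""
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", f"statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append(f"{sid}: Resource '*' on actions that are not read-only")
        privileged = any(a == "*" or a.startswith(SENSITIVE_PREFIXES) for a in actions)
        if privileged and not _has_mfa_condition(stmt):
            findings.append(f"{sid}: privileged actions allowed without an MFA condition")
    return findings


def lint_policy_text(policy_json: str) -> List[str]:
    """Convenience wrapper for a policy read from a file or template parameter."""
    return lint_policy(json.loads(policy_json))


# Constructed sample policies (account id 123456789012 is a placeholder).
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "AdminEverything", "Effect": "Allow",
                  "Action": "*", "Resource": "*"},
}
HARDENED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyInventory", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Sid": "RotateOwnKeysWithMfa", "Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("OVERLY_BROAD", OVERLY_BROAD), ("HARDENED", HARDENED)):
        print(name, lint_policy(policy) or "OK")
```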
15. Enable Traceability

16. Enable traceability
• How are you aware of security events in your workload?
• How do you protect your workload from the latest security threats?

17. Detection
AWS CloudTrail
• Customize delivery
• Encryption & integrity validation
• Archive
• Take action with CloudWatch Events
Amazon GuardDuty
• Intelligent threat detection
• Continuously analyze
• AWS service integration
AWS Config
• Configuration management
• Relationship tracking
• Configuration tracking

18. Metrics & logging
Amazon CloudWatch
• Metrics & filters
• Alarms & notifications
• AWS integration
• Custom integration
Amazon CloudWatch Logs
• Monitor & store logs
• Alarms & notifications
• AWS integration
• Custom integration
Amazon CloudWatch Events
• Automate actions
• AWS integrated
• Custom integration

19. Use your logs
Don’t just collect and store logs; act upon them:
• Trigger notifications
• Automate responses
• Automate remediation
• Integrate with threat intelligence

20. Take action
• Customize CloudTrail configuration
• Consider Amazon GuardDuty
• Configure application & infrastructure logging
• Centralize detection and alerting with a SIEM
• Proactively monitor access to your sensitive data
• Schedule regular reviews of news & best practices
• Maintain situational awareness and manage risk

21. Apply security at all layers

22. Apply security at all layers
• How do you protect your networks?
• How do you protect your compute resources?

23. Defence-in-depth

24. AWS Shield Standard: DDoS protection
• Protection against the most common network and transport layer DDoS attacks
• Always-on detection
• Automatic inline mitigations
• No additional cost
• Advanced managed service available
Diagram labels: DDoS Attack; Users; AWS Shield

25. AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• AWS bill protection

26. Amazon CloudFront
Diagram labels: www.example.com; Amazon Route 53; Amazon CloudFront Edge Location; AWS WAF; Amazon CloudFront Distribution; Static Content Origin; Dynamic Content Origin; Amazon S3 bucket; Elastic Load Balancing; EC2 instance Web / App; Data Center

27. AWS WAF (Web Application Firewall)
• Rate based
• Scanners and probes
• SQL injection
• Bots and scrapers
• Partner managed rules
• Cross-site scripting

28. Amazon VPC
Amazon VPC considerations:
• Consider network requirements in VPC structure
• Use subnets to separate layers
• Use NACLs to prevent access between subnets
• Use route tables to control internet access
• Use security groups to control horizontal movement

29. Host-based security
• Implement host intrusion detection & prevention
• Agent-based solutions scale as instances scale
• Scan and patch for vulnerabilities
• Use a configuration management tool
Diagram labels: Host-based Security; Central Monitoring and Control

30. Serverless security
• How do you authorize and authenticate access to your serverless API?
• How are you enforcing boundaries as to what AWS services your Lambda functions can access?
• How do you monitor dependency vulnerabilities within your serverless application?
• What is your strategy on input validation?
Diagram labels: Amazon API Gateway; AWS Lambda; Amazon DynamoDB

31. Take action: network layer
• Use Amazon CloudFront + AWS WAF with AWS Shield for internet-facing applications
• Use Amazon VPC and security groups to enforce segmentation
• Use private connectivity: VPC peering, VPN or AWS Direct Connect
• Enable VPC Flow Logs
• Enable Amazon GuardDuty and integrate it with your SIEM
• Enforce service-level permissions, e.g. S3 bucket policies

32. Take action: host layer
• Use OS-based anti-malware + intrusion detection
• Run CVE vulnerability scans, e.g. Amazon Inspector
• Scan external code you use
• Harden operating systems & default configurations
• Patch vulnerabilities
• Maintain hardened and patched images

33. Automate security best practices

34. AWS CloudFormation
• Verify configuration BEFORE creation
• Automate your security baseline
• Secure by default
• Build in best practices

35. AWS Config Rules
• Rules check configuration changes
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use the dashboard for visualizing compliance and identifying offending changes

36. Automate Security Best Practices
Diagram: Amazon GuardDuty finding -> Amazon CloudWatch Events rule -> AWS Lambda function (automated threat remediation)

37. Immutable infrastructure
Diagram labels: Infrastructure as code (AWS CloudFormation, AWS SAM); Automation: Patching + Inspector; Immutable infrastructure

38. Take Action
• Template infrastructure, e.g. AWS CloudFormation / AWS SAM
• Automate build and test of new infrastructure
• Configure AWS Config rules
• Use Amazon Inspector to detect vulnerabilities
• Automate response to non-compliant infrastructure using AWS Config

39. Protect data in transit and at rest

40. Protect Data in Transit and at Rest
• How do you protect your data at rest?
• How do you protect your data in transit?

41. Data classification
Start by classifying data based on sensitivity:
• Public data = non-sensitive, available to everyone
• Private data = requires strict controls
Use resource tags to help define the policy:
• “DataClassification=Private”
• Integrate access with IAM policies

42. Encrypt Your Data
Transport: HTTPS; TLS; s2n; AWS Certificate Manager (ACM)
At Rest: Server Side; Client Side; AWS Key Management Service (AWS KMS); AWS CloudHSM

43. Data in transit
AWS endpoints are HTTPS. What can you do?
• VPN connectivity to VPC
• TLS application communications
• ELB with AWS Certificate Manager (ACM)
• Amazon CloudFront with ACM
• Amazon API Gateway with ACM

44. Encryption with AWS KMS
• One-click encryption with many AWS services
• Centralized key management
• Import your own keys
• Enforced, automatic key rotation
• Visibility into changes via AWS CloudTrail

45. Take action
• Use AWS KMS or an alternative mechanism to encrypt all data at rest
• Use Identity & Access Management to restrict access
• Verify accessibility of data, e.g. Amazon S3 and EBS snapshots
• Use AWS Certificate Manager for managing certificates
• Consider tokenization to substitute sensitive data
• Tag data and resources with classification level
• Consider data segmentation and isolation techniques
• Enforce encryption mechanisms, e.g. by not allowing unencrypted protocols
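Slide 35 says custom Config rules are authored as Lambda functions, slide 41 suggests a DataClassification tag, and slide 45 asks that encryption be enforced; the added Python example below (not the deck's or AWS's code) combines these into one custom rule that marks an EBS volume NON_COMPLIANT when it is tagged DataClassification=Private but is unencrypted. It assumes the configuration-item and put_evaluations shapes that AWS Config uses; the Config client is injected so it runs offline against the constructed sample item, and inside Lambda you would pass boto3.client("config").

```python
"""Custom AWS Config rule: private data must live on encrypted EBS volumes.

Added example, not code from the deck. It implements the Lambda side of a custom
Config rule: parse the configuration item Config sends, decide compliance using the
deck's DataClassification tag, and report back with put_evaluations. The client is
injected so the example runs offline; in Lambda, pass boto3.client("config").
"""
import json
from typing import Any, Dict, List

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
CLASSIFICATION_TAG = "DataClassification"   # tag key used in the deck (slide 41)


def evaluate_volume(item: Dict[str, Any]) -> Dict[str, str]:
    """Compliance verdict for one AWS::EC2::Volume configuration item."""
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return {"type": NOT_APPLICABLE, "annotation": "Volume no longer exists"}
    tags = item.get("tags") or {}
    classification = tags.get(CLASSIFICATION_TAG)
    if classification is None:
        return {"type": NON_COMPLIANT,
                "annotation": f"Missing {CLASSIFICATION_TAG} tag; classify before use"}
    encrypted = bool((item.get("configuration") or {}).get("encrypted"))
    if classification == "Private" and not encrypted:
        return {"type": NON_COMPLIANT, "annotation": "Private data on an unencrypted volume"}
    return {"type": COMPLIANT, "annotation": f"{classification} volume, encrypted={encrypted}"}


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   config_client: Any = None) -> Dict[str, Any]:
    """Entry point Config invokes; returns the evaluation it reported."""
    invoking = json.loads(event["invokingEvent"])   # Config sends this as a JSON string
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::EC2::Volume":
        verdict = {"type": NOT_APPLICABLE, "annotation": "Rule only evaluates EBS volumes"}
    else:
        verdict = evaluate_volume(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict["type"],
        "Annotation": verdict["annotation"][:256],   # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class RecordingConfigClient:
    """Stand-in for the boto3 Config client so the example runs offline."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def put_evaluations(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


# Constructed sample configuration item (ids and timestamp are placeholders).
SAMPLE_VOLUME = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0example0000000001",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2018-09-01T10:00:00.000Z",
    "configuration": {"encrypted": False, "size": 100},
    "tags": {"DataClassification": "Private"},
}


def make_event(item: Dict[str, Any], token: str = "example-result-token") -> Dict[str, Any]:
    """Wrap a configuration item the way Config delivers it to the rule's Lambda."""
    invoking = {"configurationItem": item, "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(invoking), "resultToken": token}


if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(make_event(SAMPLE_VOLUME), None, client))
```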
46. Keep People Away From Data

47. Keep people away from data
Create mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data.
• Use automation to:
  • Manage workloads
  • Control data flow
  • Enforce business logic
• Data access controls between users and data

48. EC2 automated administration
Diagram labels: VPC1; VPC2; Tags; IAM; Run Command; Amazon CloudWatch Events; CloudTrail; Auditing; Visibility

49. Automated infrastructure
Diagram labels: Infrastructure as code: CloudFormation; Security as Code; AWS Inspector; AWS Systems Manager; Continuous Integration & Delivery; Version Control System

50. Use dashboards

51. Take Action
• Remove direct access to Amazon EC2; use AWS Systems Manager
• Implement fine-grained control between users and data
• Use dashboards and other methods to display data instead of direct database access
• Use automated infrastructure deployments, e.g. AWS CloudFormation
• Use automation to control data

52. Prepare for security events

53. Prepare for security events
• How do you prepare to respond to an incident?

54. Incident response
Even with mature preventative and detective controls in place, you should consider planning

55. Clean room
• Plan for different scenarios
• Pre-provision access to workloads for the security team
• Use tags to quickly determine impact and escalate
• Use AWS API operations to automate and isolate instances
• AWS CloudFormation: create clean environments for investigation
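The slide 36 flow (GuardDuty finding, CloudWatch Events rule, Lambda) and slide 55's "use AWS API operations to automate and isolate instances", as an added Python example that is not code from the deck or from AWS. It assumes a pre-created quarantine security group whose id arrives via the QUARANTINE_SG_ID environment variable (an assumed name); the EC2 client is injected so it runs offline, and the finding, instance and group ids are constructed placeholders.

```python
"""GuardDuty finding -> CloudWatch Events -> Lambda: quarantine a compromised instance.

Added example, not code from the deck or from AWS. For High-severity findings about
an EC2 instance it swaps the instance's security groups for a quarantine group (which
should permit no traffic) and tags it for the response team. The EC2 client is
injected so this runs offline; in Lambda, pass boto3.client("ec2").
"""
import os
from typing import Any, Dict, List, Optional

SEVERITY_THRESHOLD = 7.0   # GuardDuty rates 7.0 to 8.9 as High severity


def instance_id_from_finding(finding: Dict[str, Any]) -> Optional[str]:
    """Return the instance id if the finding is about an EC2 instance, else None."""
    resource = finding.get("resource") or {}
    if resource.get("resourceType") != "Instance":
        return None
    return (resource.get("instanceDetails") or {}).get("instanceId")


def should_isolate(finding: Dict[str, Any], threshold: float = SEVERITY_THRESHOLD) -> bool:
    """Only act on findings that are both severe enough and tied to an instance."""
    return (float(finding.get("severity", 0)) >= threshold
            and instance_id_from_finding(finding) is not None)


def isolate_instance(ec2: Any, instance_id: str, quarantine_sg: str, finding_id: str) -> None:
    """Replace the instance's security groups and record why it was quarantined."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "SecurityStatus", "Value": "Quarantined"},
        {"Key": "GuardDutyFindingId", "Value": finding_id},
    ])


def lambda_handler(event: Dict[str, Any], context: Any = None, ec2_client: Any = None,
                   quarantine_sg: Optional[str] = None) -> Dict[str, Any]:
    """Entry point for the CloudWatch Events rule; returns what was done, for the log."""
    finding = event.get("detail") or {}
    summary = {"finding_id": finding.get("id"), "type": finding.get("type"),
               "severity": finding.get("severity"), "action": "none"}
    if not should_isolate(finding):
        return summary   # low severity or not an instance: leave it to the analyst
    if ec2_client is None:
        import boto3  # only needed inside Lambda
        ec2_client = boto3.client("ec2")
    quarantine_sg = quarantine_sg or os.environ["QUARANTINE_SG_ID"]  # assumed variable name
    instance_id = instance_id_from_finding(finding)
    isolate_instance(ec2_client, instance_id, quarantine_sg, finding["id"])
    summary.update(action="isolated", instance_id=instance_id, security_group=quarantine_sg)
    return summary


class RecordingEc2Client:
    """Stand-in for the boto3 EC2 client: records calls instead of making them."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def modify_instance_attribute(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append({"op": "modify_instance_attribute", **kwargs})
        return {}

    def create_tags(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append({"op": "create_tags", **kwargs})
        return {}


# Constructed CloudWatch Events envelope carrying a GuardDuty finding (ids are placeholders).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0example00000000001"}},
    },
}

if __name__ == "__main__":
    ec2 = RecordingEc2Client()
    print(lambda_handler(SAMPLE_EVENT, None, ec2, quarantine_sg="sg-0quarantine0000001"))
    print(ec2.calls)
```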
56. Take Action
• Prepare for different scenarios
• Pre-deploy tools using automation
• Pre-provision access to security or response teams
• Practice responding to incidents through game days
• Continuously improve your processes

57. Security Training
Security Fundamentals on AWS (free online course)
Details at aws.amazon.com/training

58. Resources
https://aws.amazon.com/architecture/well-architected/
https://docs.aws.amazon.com/
https://aws.amazon.com/security/
https://aws.amazon.com/security/featured-partner-solutions/
https://aws.amazon.com/security/partner-solutions/
https://aws.amazon.com/blogs/
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
https://aws.amazon.com/blogs/security/amazon-guardduty-threat-detection-and-remediation-scenario/
https://aws.amazon.com/blogs/security/how-to-use-amazon-guardduty-and-aws-web-application-firewall-to-automatically-block-suspicious-hosts/
https://aws.amazon.com/gameday/
https://aws.amazon.com/blogs/apn/announcing-the-security-competency-for-apn-consulting-partners/

59. Largest ecosystem of security partners and solutions
• Infrastructure security
• Logging & monitoring
• Identity & access control
• Configuration & vulnerability analysis
• Data protection

60. Consulting competency partners with demonstrated expertise
• Security engineering
• Governance, risk & compliance
• Security operations & automation

61. Thank you!