© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to secure your Active Directory deployment on AWS
FND306 (AWS re:Inforce 2019)
Vinod Madabushi
Enterprise Solutions Architect
Amazon Web Services
Agenda
• Active Directory basics
• Typical deployment patterns
• Securing Active Directory on Amazon EC2
• AWS Managed Microsoft AD security
• Q&A
What we won’t cover in this session today
• Best practices for organizing/managing Active Directory data
• Design considerations for your Active Directory infrastructure
• Comparison of features in AWS Managed Microsoft AD vs. AD on Amazon EC2
What is Active Directory?
• Organize users, groups, computers, and devices for administration
• Specify policies for user and computer configurations (group policy objects)
• Control user access to applications within the enterprise
Why do customers deploy Active Directory on AWS?
• Support Windows workloads running on AWS
• Reduce latency for applications and improve resiliency
• Manage AWS services and resources
Choices for running Active Directory on AWS
• Self-managed, on Amazon EC2
• AWS Managed Microsoft AD
Extending on-premises AD domain to AWS on Amazon EC2
[Diagram: the corporate data center holds the AD domain controllers and the remote users/admins (auth/LDAP), and connects to an AWS Region over VPN or AWS Direct Connect. In the Region, the application spans two Availability Zones; each has a private subnet with domain controllers (AD replication with the on-premises DCs) and a private subnet with web servers, app servers, and a database that authenticate against those DCs over auth/LDAP.]
Using AWS Managed AD as a resource domain
[Diagram: same layout as the previous slide, but each Availability Zone's private subnet holds AWS Managed AD instead of self-managed domain controllers, connected to the on-premises AD by a one-way trust; the web servers, app servers, and database authenticate against AWS Managed AD over auth/LDAP.]
How do customers choose between these options?
Deploy AD to Amazon EC2
• Want to extend the existing forest/domain to AWS
• Need for domain/enterprise admin privilege
• Extend existing users, groups, OUs, and GPOs
• Single unified environment between on-premises and AWS cloud
How do customers choose between these options?
Managed AD as resource domain
• Want to minimize AD infrastructure operational management in the cloud
• Allow delegation of cloud AD management to a separate team while maintaining control of user identity
• Need delineation between on-premises and AWS environments
• Need native integration with Amazon RDS, Amazon FSx, AWS Single Sign-On, etc.
Shared responsibility model
Account structure framework
[Diagram: an AWS master account running AWS Organizations, with three member accounts: a log archive account that aggregates AWS CloudTrail and AWS Config logs, a security account running Amazon GuardDuty (master), and a shared services account hosting the AD domain controllers.]
Account security
• Place all the domain controllers in a single AWS account
• If there are multiple teams operating in a single account, consider using tag-based policies to restrict access
• Restrict access to Amazon EC2 start/stop/terminate
• Restrict access to Amazon EBS volumes/snapshots
• Follow best practices to secure the AWS account’s root credentials
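One way to express the tag-based restriction from the slide above, as an added example that is not part of the deck: an explicit Deny on the EC2 lifecycle and EBS volume/snapshot actions for any resource tagged as a domain controller, unless the calling principal carries an AD operator tag. The tag convention (Role=DomainController on DC resources, Team=ad-admins on operator principals) is a constructed assumption, and is_denied() is a deliberately small model of IAM evaluation that handles only what this policy uses: Deny statements with StringEquals / StringNotEquals tag conditions.

```python
"""Tag-based guardrail for domain controller instances, volumes and snapshots.

Added example, not code from the re:Inforce deck. The tag convention below is
an assumption; is_denied() models only explicit Deny with tag conditions and
is not a full IAM policy evaluator.
"""
import json

DC_TAG_KEY, DC_TAG_VALUE = "Role", "DomainController"  # assumed resource tag
ADMIN_TAG_KEY, ADMIN_TAG_VALUE = "Team", "ad-admins"  # assumed principal tag

# Lifecycle and storage actions the slide says to restrict. Snapshots of a
# DC volume contain the directory database, so snapshot sharing is included.
PROTECTED_ACTIONS = [
    "ec2:StopInstances", "ec2:TerminateInstances", "ec2:RebootInstances",
    "ec2:DetachVolume", "ec2:DeleteVolume",
    "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute",
]


def dc_guardrail_policy():
    """Explicit Deny overrides any Allow, so this can sit in an IAM policy or
    in an AWS Organizations SCP without auditing every team's Allow rules."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLifecycleOnDomainControllersUnlessADAdmin",
            "Effect": "Deny",
            "Action": PROTECTED_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringEquals": {f"aws:ResourceTag/{DC_TAG_KEY}": DC_TAG_VALUE},
                "StringNotEquals": {f"aws:PrincipalTag/{ADMIN_TAG_KEY}": ADMIN_TAG_VALUE},
            },
        }],
    }


def _tag_lookup(condition_key, resource_tags, principal_tags):
    """Resolve aws:ResourceTag/<k> or aws:PrincipalTag/<k> to a value or None."""
    prefix, _, key = condition_key.partition("/")
    if prefix == "aws:ResourceTag":
        return resource_tags.get(key)
    if prefix == "aws:PrincipalTag":
        return principal_tags.get(key)
    raise ValueError(f"unsupported condition key {condition_key}")


def _condition_holds(cond, resource_tags, principal_tags):
    # StringEquals fails when the tag is absent; StringNotEquals passes when
    # it is absent. This matches how IAM treats missing keys.
    for key, want in cond.get("StringEquals", {}).items():
        if _tag_lookup(key, resource_tags, principal_tags) != want:
            return False
    for key, want in cond.get("StringNotEquals", {}).items():
        if _tag_lookup(key, resource_tags, principal_tags) == want:
            return False
    return True


def _action_matches(pattern, action):
    # Exact match or a trailing wildcard such as "ec2:*".
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))


def is_denied(policy, action, resource_tags, principal_tags):
    """True if any Deny statement matches the action and its conditions hold."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if _condition_holds(st.get("Condition", {}), resource_tags, principal_tags):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(dc_guardrail_policy(), indent=2))
```

Read-only actions such as ec2:DescribeInstances are deliberately left out of the Deny, and a principal tagged Team=ad-admins is exempt; everyone else in the account is blocked from stopping, terminating, or snapshotting the DCs even if their own policies allow ec2:*.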
Network security – Security groups
[Diagram: a shared services VPC in an AWS Region with a private subnet spanning two Availability Zones, holding domain controller 1 and domain controller 2; VPC 1, VPC 2, and VPC 3 each contain domain members that reach the DCs.]
Inbound security group rules for the domain controllers:
Source | Protocol | Ports
VPC1 | TCP, UDP | AD ports
VPC2 | TCP, UDP | AD ports
VPC3 | TCP, UDP | AD ports
On-premises DCs | TCP, UDP | Trust ports
DC1, DC2 | All | All
Active Directory ports
Port and protocol | Purpose | Type of traffic
TCP and UDP 389 | Directory, replication, user and computer authentication, group policy, trusts | LDAP
TCP 636 | Directory, replication, user and computer authentication, group policy, trusts | LDAP SSL
TCP 3268, 3269 | Directory, replication, user and computer authentication, group policy, trusts | LDAP GC, LDAP GC SSL
TCP and UDP 88 | User and computer authentication, forest level trusts | Kerberos
TCP and UDP 464 | Replication, user and computer authentication, trusts | Kerberos change/set password
TCP 445 | Replication, user and computer authentication, group policy, trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP and UDP 53 | User and computer authentication, name resolution, trusts | DNS
UDP 123 | Windows time, trusts | NTP
TCP 135 | Replication | RPC, EPM
UDP 138 | DFS, group policy | DFSN, NetLogon, NetBIOS datagram service
TCP 139 | User and computer authentication, replication | DFSN, NetBIOS session service, NetLogon
TCP 49152-65535 | Replication, user and computer authentication, group policy, trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
Restricting AD ports: https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port
Network security – Other considerations
• Avoid using NACLs to filter Active Directory ports except when absolutely necessary (ephemeral ports can be tricky)
• Place domain controllers in the private subnets
• Place domain controllers in multiple AZs for availability
• Routing tables can be utilized as a network control mechanism
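The security group slide and the port table above together define what the DC security group should look like. The following is an added example, not code from the deck: it turns the slide's port table into inbound rules per member VPC (and per on-premises DC range for trust traffic), renders them in the IpPermissions shape that EC2's AuthorizeSecurityGroupIngress API takes, and audits an existing rule set for the mistakes that matter most (world-open sources, all-protocol rules from anything but the DC group itself, member VPCs missing required ports). The CIDRs and security group ID are constructed placeholders, and treating the on-premises trust source with the same port list as member VPCs is a simplification of the slide's separate "Trust ports" row.

```python
"""Build and audit inbound security-group rules for domain controllers on EC2.

Added example, not code from the re:Inforce deck. AD_PORTS is the slide's
port table; every CIDR and group ID used here is a constructed placeholder.
"""
from dataclasses import dataclass

# (protocol, from_port, to_port, purpose) taken from the slide's port table.
AD_PORTS = [
    ("tcp", 389, 389, "LDAP"), ("udp", 389, 389, "LDAP"),
    ("tcp", 636, 636, "LDAP SSL"),
    ("tcp", 3268, 3269, "LDAP global catalog / GC SSL"),
    ("tcp", 88, 88, "Kerberos"), ("udp", 88, 88, "Kerberos"),
    ("tcp", 464, 464, "Kerberos change/set password"),
    ("udp", 464, 464, "Kerberos change/set password"),
    ("tcp", 445, 445, "SMB"),
    ("tcp", 53, 53, "DNS"), ("udp", 53, 53, "DNS"),
    ("udp", 123, 123, "NTP"),
    ("tcp", 135, 135, "RPC endpoint mapper"),
    ("udp", 138, 138, "NetBIOS datagram"),
    ("tcp", 139, 139, "NetBIOS session"),
    ("tcp", 49152, 65535, "RPC dynamic range"),
]


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp" or "-1" (all protocols)
    from_port: int   # ignored when proto is "-1"
    to_port: int
    source: str      # CIDR, or "self" for the DC security group itself


def build_dc_ingress(member_cidrs, onprem_dc_cidrs=()):
    """Inbound rules as on the slide: AD ports from each member VPC and from
    on-premises DCs (trust traffic), plus all traffic between the DCs."""
    rules = []
    for cidr in list(member_cidrs) + list(onprem_dc_cidrs):
        for proto, lo, hi, _ in AD_PORTS:
            rules.append(Rule(proto, lo, hi, cidr))
    rules.append(Rule("-1", -1, -1, "self"))  # DC1 <-> DC2 replication
    return rules


def to_ip_permissions(rules, dc_sg_id):
    """Render rules as the IpPermissions list EC2 AuthorizeSecurityGroupIngress expects."""
    perms = []
    for r in rules:
        entry = {"IpProtocol": r.proto}
        if r.proto != "-1":
            entry["FromPort"], entry["ToPort"] = r.from_port, r.to_port
        if r.source == "self":
            entry["UserIdGroupPairs"] = [{"GroupId": dc_sg_id}]
        else:
            entry["IpRanges"] = [{"CidrIp": r.source}]
        perms.append(entry)
    return perms


def audit(rules, expected_member_cidrs):
    """Findings: world-open sources, all-protocol rules from anything other
    than the DC group, and member CIDRs that are missing required AD ports."""
    findings = []
    for r in rules:
        if r.source in ("0.0.0.0/0", "::/0"):
            findings.append(f"world-open {r.proto} {r.from_port}-{r.to_port}")
        if r.proto == "-1" and r.source != "self":
            findings.append(f"all-protocol rule from {r.source}")
    for cidr in expected_member_cidrs:
        have = {(r.proto, r.from_port, r.to_port) for r in rules if r.source == cidr}
        missing = [f"{p}/{lo}" + (f"-{hi}" if hi != lo else "")
                   for p, lo, hi, _ in AD_PORTS if (p, lo, hi) not in have]
        if missing:
            findings.append(f"{cidr} missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    # Constructed placeholders: three member VPCs and one on-premises DC range.
    rules = build_dc_ingress(["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"],
                             ["192.168.100.0/24"])
    print(len(rules), "rules;", audit(rules, ["10.1.0.0/16", "10.2.0.0/16"]))
```

The 49152-65535 range is the reason the slide warns against NACLs: security groups are stateful, so this inbound range only has to cover RPC connections made to the DCs, whereas a stateless NACL would also need explicit rules for the return traffic on whatever ephemeral port each client chose.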
Internet name resolution from the DCs
[Diagram: the shared services VPC holds a domain controller in a private subnet in each of two Availability Zones, with a DNS server, NAT gateway, and internet gateway in the public subnets, and the Amazon Route 53 .2 resolver; VPC 1, VPC 2, and VPC 3 contain domain members.]
Data security – Encryption
• Enable LDAPS on the domain controllers for secure authentication. Active Directory Certificate Services (ADCS) can be used for this purpose.
• Encrypt Amazon EBS volumes (including C:) attached to DCs. The easiest way is by using AWS Key Management Service (KMS).
• Consider using a separate customer master key (CMK) for Active Directory and restrict access appropriately.
• If you want to use AWS CloudHSM to store your CMK, consider the custom key store.
Encryption – Using CloudHSM
[Diagram: AWS services call the existing KMS APIs; AWS KMS backs keys either with its default key store (the KMS HSM fleet) or, through the custom key store connector, with a CloudHSM cluster in the HSM VPC; the domain controller's Amazon EBS volume in the Active Directory VPC is encrypted with that key.]
Logging, monitoring, and alerting
• Security logs are the best source of information for activities occurring on your identity store. Monitor security logs for anomalies.
• Enable and monitor VPC Flow Logs for troubleshooting and security.
• Consider setting up alerting for key security events in near real time.
• Enable AWS CloudTrail logs in the AWS account and alert on key changes.
• Monitor DCs for availability. Set up Amazon EC2 auto recovery to recover the EC2 instance from a hardware or other failure.
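As an added example of the "alert on key security events" point, not code from the deck: a small detector over domain controller Security log events. It fires immediately on a handful of Windows Security event IDs that should be rare on a DC (audit log cleared, audit policy changed, account created, SID history added, DSRM password set), on any addition to a privileged group, and on a burst of failed logons from one source within a sliding window. The input records are constructed to resemble events after forwarding to Amazon CloudWatch Logs; the field names (EventID, Time, Computer, Subject, Member, TargetGroup, Source) are an assumption, since the real layout depends on the forwarding agent.

```python
"""Alert on high-value Active Directory security events from DC logs.

Added example, not code from the re:Inforce deck. SAMPLE_EVENTS and the
record field names are constructed; adapt the field names to your agent.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

# Windows Security event IDs that deserve an alert on first occurrence.
SINGLE_EVENT_RULES = {
    1102: "audit log cleared",
    4719: "system audit policy changed",
    4720: "user account created",
    4765: "SID history added to an account",
    4794: "DSRM administrator password set",
}
# Member added to a security-enabled global / local / universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
FAILED_LOGON = 4625


def detect(events, failed_logon_threshold=5, window=timedelta(minutes=5)):
    """Return (severity, message) alerts; events are processed in order and
    carry ISO 8601 timestamps in the Time field."""
    alerts = []
    failures = defaultdict(list)  # source address -> recent 4625 timestamps
    for ev in events:
        eid = ev["EventID"]
        ts = datetime.fromisoformat(ev["Time"])
        if eid in SINGLE_EVENT_RULES:
            alerts.append(("high", f"{SINGLE_EVENT_RULES[eid]} by "
                                   f"{ev.get('Subject', '?')} on {ev['Computer']}"))
        elif eid in GROUP_ADD_EVENTS and ev.get("TargetGroup") in PRIVILEGED_GROUPS:
            alerts.append(("critical", f"{ev.get('Member', '?')} added to "
                                       f"{ev['TargetGroup']} by {ev.get('Subject', '?')}"))
        elif eid == FAILED_LOGON:
            src = ev.get("Source", "unknown")
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            # Fire once per burst, when the threshold is first crossed.
            if len(recent) == failed_logon_threshold:
                alerts.append(("medium", f"{len(recent)} failed logons from {src} "
                                         f"within {window}"))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2019-06-25T10:00:00", "Computer": "DC1",
     "Subject": "svc-backup"},
    {"EventID": 4728, "Time": "2019-06-25T10:01:10", "Computer": "DC1",
     "Subject": "jdoe", "Member": "tmp-contractor", "TargetGroup": "Domain Admins"},
    {"EventID": 4732, "Time": "2019-06-25T10:01:30", "Computer": "DC1",
     "Subject": "jdoe", "Member": "svc-print", "TargetGroup": "Print Operators"},
] + [
    {"EventID": 4625, "Time": f"2019-06-25T10:02:{i:02d}", "Computer": "DC2",
     "Source": "10.0.5.23"} for i in range(6)
] + [
    {"EventID": 4625, "Time": "2019-06-25T10:03:00", "Computer": "DC2",
     "Source": "10.0.7.9"},
    {"EventID": 1102, "Time": "2019-06-25T10:04:00", "Computer": "DC2",
     "Subject": "jdoe"},
]

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

On the sample input the detector raises three alerts (the Domain Admins addition, the failed-logon burst from one address, and the cleared audit log) and stays quiet on the ordinary logon, the addition to a non-privileged group, and the single failure from a second address. The single-event list is intentionally short; the same structure extends to whatever other event IDs your environment treats as key.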
Other considerations
• Restrict the number of users who have access to log in to domain controllers
• Perform AD administrative tasks from a management server
• Perform regular backups of your Active Directory environment for recovery
• Encrypt and secure your Active Directory backups
AWS Managed Microsoft AD security
• AWS Managed AD is single tenant. Your DCs only contain your data.
• Most management tasks are done via automation. We have a process for operators when human touch is required.
• AWS employees don’t have access to customers’ domain admin credentials. Those are under automated control.
• Domain controller security logs are delivered to Amazon CloudWatch Logs.
• Delegated admin access using predefined users, groups, and OUs.
AWS Managed Microsoft AD security (cont’d)
• Account security
  • Centralize AWS Managed Microsoft AD in a single AWS account
  • Restrict access to AWS Directory Service to limited users
  • Follow best practices to secure the AWS root credentials
• Network security
  • Security group limits traffic to just AD ports and between domain controllers
  • Use a management server for admin tasks; you cannot RDP to the domain controllers
AWS Managed Microsoft AD security (cont’d)
• DNS – Internet name resolution
  • AWS Managed AD will use Route 53 (.2 resolver) for internet-bound queries
• Encryption
  • EBS volumes are encrypted by default using AWS KMS
  • All snapshots are encrypted and stored securely
  • AWS Managed AD supports LDAPS. Refer to this documentation: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_ldap.html
AWS Managed Microsoft AD shared responsibility
AWS responsibility:
• Protect hardware, software, networking, and facilities that run AWS Managed AD
• Isolation of domain controllers between customers
• Protect enterprise/domain admin credential through automation
• Apply updates and security patches to the domain controllers
• Encrypt EBS volumes
• Maintain availability of the directory
• Monitor and manage Active Directory replication
• Perform daily snapshots of the directory
Customer responsibility:
• Maintain and manage Active Directory data like users, groups, OUs, group policies, etc.
• Configure and manage Active Directory trusts
• Configure and manage network connectivity to AWS Managed AD VPC/subnets
• Providing compatible LDIF file for schema extensions
• Manage security groups for AWS Managed AD
• Configure LDAPS to support applications
• Configure integration with RADIUS and MFA infrastructure
• Adding more domain controllers based on performance requirements
AWS Managed AD compliance certifications
AWS Managed Microsoft AD certifications
Thank you!
Vinod Madabushi
vinodmb@amazon.com

 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inforce 2019

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    How to secure your Active Directory deployment on AWS
    Vinod Madabushi, Enterprise Solutions Architect, Amazon Web Services
    FND306
  • 2. Agenda
    • Active Directory basics
    • Typical deployment patterns
    • Securing Active Directory on Amazon EC2
    • AWS Managed Microsoft AD security
    • Q&A
  • 3. What we won’t cover in this session today
    • Best practices for organizing/managing Active Directory data
    • Design considerations for your Active Directory infrastructure
    • Comparison of features in AWS Managed Microsoft AD vs. AD on Amazon EC2
  • 4. (section divider)
  • 5. What is Active Directory?
    • Organize users, groups, computers, and devices for administration
    • Specify policies for user and computer configurations (group policy objects)
    • Control user access to applications within the enterprise
  • 6. Why do customers deploy Active Directory on AWS?
    • Support Windows workloads running on AWS
    • Reduce latency for applications and improve resiliency
    • Manage AWS services and resources
  • 7. Choices for running Active Directory on AWS
    • Self-managed, Amazon EC2
    • AWS-managed Microsoft AD
  • 8. (section divider)
  • 9. Extending on-premises AD domain to AWS on Amazon EC2
    (Diagram) Corporate data center: AD domain controllers, remote users/admins, Auth/LDAP. Connected to the AWS Region over VPN or AWS Direct Connect. Region: the application spans two Availability Zones; in each, one private subnet holds domain controllers (AD) and another private subnet holds web servers, app servers, and a database that authenticate via Auth/LDAP. AD replication runs between the on-premises and the AWS domain controllers.
  • 10. Using AWS Managed AD as a resource domain
    (Diagram) Corporate data center: AD domain controllers, remote users/admins, Auth/LDAP. Connected to the AWS Region over VPN or AWS Direct Connect. Region: the application spans two Availability Zones; in each, one private subnet holds AWS Managed AD and another private subnet holds web servers, app servers, and a database that authenticate via Auth/LDAP. A one-way trust links AWS Managed AD to the on-premises AD.
  • 11. How do customers choose between these options?
    Deploy AD to Amazon EC2
    • Want to extend the existing forest/domain to AWS
    • Need for domain/enterprise admin privilege
    • Extend existing users, groups, OUs, and GPOs
    • Single unified environment between on-premises and AWS cloud
  • 12. How do customers choose between these options?
    Managed AD as resource domain
    • Want to minimize AD infrastructure operational management in the cloud
    • Allow delegation of cloud AD management to a separate team while maintaining control of user identity
    • Need delineation between on-premises and AWS environments
    • Need native integration with Amazon RDS, Amazon FSx, AWS Single Sign-On, etc.
  • 13. Shared responsibility model (diagram)
  • 14. Account structure framework
    (Diagram) AWS master account (AWS Organizations); Log archive account (aggregate AWS CloudTrail and AWS Config logs); Security account (Amazon GuardDuty master); Shared services account (domain controllers, AD).
  • 15. (section divider)
  • 16. Account security
    • Place all the domain controllers in a single AWS account
    • If there are multiple teams operating in a single account, consider using tag-based policies to restrict access
    • Restrict access to Amazon EC2 start/stop/terminate
    • Restrict access to Amazon EBS volumes/snapshots
    • Follow best practices to secure the AWS account’s root credentials
  • 17. Network security – Security groups
    (Diagram) AWS Region: shared services VPC with a private subnet in each of two Availability Zones, hosting Domain controller 1 and Domain controller 2; VPC 1, VPC 2, and VPC 3 each hold domain members.
    Inbound security group rules:
    Source | Protocol | Ports
    VPC1 | TCP, UDP | AD ports
    VPC2 | TCP, UDP | AD ports
    VPC3 | TCP, UDP | AD ports
    On-premises DCs | TCP, UDP | Trust ports
    DC1 | All | All
    DC2 | All | All
  • 18. Active Directory ports
    Port and protocol | Purpose | Type of traffic
    TCP and UDP 389 | Directory, replication, user and computer authentication, group policy, trusts | LDAP
    TCP 636 | Directory, replication, user and computer authentication, group policy, trusts | LDAP SSL
    TCP 3268, 3269 | Directory, replication, user and computer authentication, group policy, trusts | LDAP GC, LDAP GC SSL
    TCP and UDP 88 | User and computer authentication, forest level trusts | Kerberos
    TCP and UDP 464 | Replication, user and computer authentication, trusts | Kerberos change/set password
    TCP 445 | Replication, user and computer authentication, group policy, trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
    TCP and UDP 53 | User and computer authentication, name resolution, trusts | DNS
    UDP 123 | Windows time, trusts | NTP
    TCP 135 | Replication | RPC, EPM
    UDP 138 | DFS, group policy | DFSN, NetLogon, NetBIOS datagram service
    TCP 139 | User and computer authentication, replication | DFSN, NetBIOS session service, NetLogon
    TCP 49152–65535 | Replication, user and computer authentication, group policy, trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
    Restricting AD ports: https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port
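The security group slide and the port table above describe the inbound rule set for the domain controllers: only the AD ports from member VPCs, trust ports from on-premises DCs, and everything between the DCs themselves. The following Python is an added example, not code from the deck or from AWS, that generates that rule set in the shape boto3 uses for `IpPermissions` and lints an existing rule set against the table. The CIDRs, the security group id `sg-0dc` and the sample rule sets are constructed; the linter treats a self-reference to the DC group as the expected DC-to-DC rule and flags anything else that is broader than the table.

```python
"""Added example: lint a domain controller's inbound security-group rules
against the Active Directory port table from the slides.

Rule shape follows the boto3 describe_security_groups IpPermissions structure;
CIDRs, group ids and sample rule sets are constructed."""
from ipaddress import ip_network

# Allowed inbound ports, taken from the deck's AD port table (slide 18).
AD_PORTS = {
    "tcp": [(53, 53), (88, 88), (135, 135), (139, 139), (389, 389), (445, 445),
            (464, 464), (636, 636), (3268, 3269), (49152, 65535)],
    "udp": [(53, 53), (88, 88), (123, 123), (138, 138), (389, 389), (464, 464)],
}


def build_ad_permissions(member_cidrs):
    """Generate IpPermissions entries that admit only AD ports from member CIDRs."""
    perms = []
    for proto, ranges in AD_PORTS.items():
        for lo, hi in ranges:
            perms.append({
                "IpProtocol": proto,
                "FromPort": lo,
                "ToPort": hi,
                "IpRanges": [{"CidrIp": c, "Description": "AD domain members"}
                             for c in member_cidrs],
            })
    return perms


def _covered(proto, lo, hi):
    """True when the span [lo, hi] fits inside one allowed range for proto."""
    return any(a <= lo and hi <= b for a, b in AD_PORTS.get(proto, []))


def lint_dc_ingress(permissions, member_cidrs, dc_sg_id):
    """Return findings for rules that go beyond the AD port table.

    member_cidrs: CIDRs (member VPCs or on-premises ranges) allowed to reach the DCs.
    dc_sg_id:     the DC security group itself; a self-reference is the expected
                  DC-to-DC replication rule and is not flagged.
    """
    findings = []
    allowed = [ip_network(c) for c in member_cidrs]
    for perm in permissions:
        proto = perm.get("IpProtocol")          # "tcp", "udp" or "-1" (all)
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != dc_sg_id:
                findings.append(f"security group {pair.get('GroupId')} is not the DC group")
        for rng in perm.get("IpRanges", []):
            net = ip_network(rng["CidrIp"])
            if net.prefixlen == 0:
                findings.append(f"open to the world: {proto} {lo}-{hi} from {net}")
                continue
            if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append(f"unexpected source {net} for {proto} {lo}-{hi}")
            if proto == "-1":
                findings.append(f"all protocols and ports allowed from {net}")
            elif not _covered(proto, lo, hi):
                findings.append(f"non-AD port {proto} {lo}-{hi} allowed from {net}")
    return findings


if __name__ == "__main__":
    # Constructed weak rule set: everything from anywhere, plus RDP from a member VPC.
    weak = [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},
    ]
    for finding in lint_dc_ingress(weak, ["10.1.0.0/16"], "sg-0dc"):
        print(finding)
```

The generated rule set is what the slide's table expresses for one DC group; the lint is what you would run periodically against `describe_security_groups` output for the shared services VPC, since the rule that drifts is usually a broad "all traffic" or a management port added for convenience.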
  • 19. Network security – Other considerations
    • Avoid using NACLs to filter Active Directory ports except when absolutely necessary (ephemeral ports can be tricky)
    • Place domain controllers in the private subnets
    • Place domain controllers in multiple AZs for availability
    • Routing table can be utilized as network control mechanism
  • 20. Internet name resolution from the DCs
    (Diagram) AWS Region: shared services VPC with a private subnet in each of two Availability Zones, each hosting a domain controller acting as DNS server, and a public subnet in each with a NAT gateway behind an internet gateway; VPC 1, VPC 2, and VPC 3 hold domain members. The DCs forward internet-bound queries to the Amazon Route 53 .2 resolver.
  • 21. Data Security – Encryption
    • Enable LDAPS in the domain controllers for secure authentication. Active Directory Certificate Services (ADCS) can be used for this purpose.
    • Encrypt Amazon EBS volumes (including C:) attached to DCs. Easiest way is by using AWS Key Management Service (KMS).
    • Consider using a separate customer master key (CMK) for Active Directory and restrict access appropriately.
    • If you want to use AWS CloudHSM to store your CMK, consider the custom key store.
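The encryption slide asks for every EBS volume on a DC (the C: root volume included) to be encrypted with a CMK reserved for Active Directory, and the later backup slide asks the same of snapshots. The Python below is an added example, not code from the deck or from AWS, that audits `describe_volumes` and `describe_snapshots` shaped records for exactly that: volumes or snapshots attached to a DC that are unencrypted, or encrypted with some other key (typically the account's default `aws/ebs` key). The key ARNs, instance ids and sample records are constructed.

```python
"""Added example: audit the EBS volumes and snapshots of domain controllers
for encryption with the dedicated KMS customer master key (CMK).

Record shapes follow boto3 describe_volumes / describe_snapshots output;
instance ids, key ARNs and sample records are constructed."""

# Constructed: the CMK reserved for Active Directory and the DC instance ids.
AD_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-ad-cmk"
DC_INSTANCE_IDS = {"i-0dc1example", "i-0dc2example"}


def dc_volumes(volumes, dc_instance_ids):
    """Yield only the volumes attached to a domain controller instance."""
    for vol in volumes:
        if any(a.get("InstanceId") in dc_instance_ids for a in vol.get("Attachments", [])):
            yield vol


def audit_dc_volumes(volumes, dc_instance_ids, expected_key_arn):
    """Findings for DC volumes (root volume included) that are unencrypted
    or encrypted with a key other than the dedicated AD CMK."""
    findings = []
    for vol in dc_volumes(volumes, dc_instance_ids):
        device = vol["Attachments"][0].get("Device", "?")
        if not vol.get("Encrypted"):
            findings.append(f"{vol['VolumeId']} ({device}) is not encrypted")
        elif vol.get("KmsKeyId") != expected_key_arn:
            findings.append(f"{vol['VolumeId']} ({device}) uses key "
                            f"{vol.get('KmsKeyId')} instead of the AD CMK")
    return findings


def audit_dc_snapshots(snapshots, dc_volume_ids, expected_key_arn):
    """Same checks for snapshots of DC volumes: backups must stay encrypted."""
    findings = []
    for snap in snapshots:
        if snap.get("VolumeId") not in dc_volume_ids:
            continue
        if not snap.get("Encrypted"):
            findings.append(f"snapshot {snap['SnapshotId']} of {snap['VolumeId']} "
                            f"is not encrypted")
        elif snap.get("KmsKeyId") != expected_key_arn:
            findings.append(f"snapshot {snap['SnapshotId']} uses key "
                            f"{snap.get('KmsKeyId')} instead of the AD CMK")
    return findings


# Constructed sample inventory: one DC with an unencrypted data volume, one DC
# whose root volume uses the default EBS key, and an unrelated app server.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0root1", "Encrypted": True, "KmsKeyId": AD_CMK_ARN,
     "Attachments": [{"InstanceId": "i-0dc1example", "Device": "/dev/sda1"}]},
    {"VolumeId": "vol-0data1", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0dc1example", "Device": "xvdf"}]},
    {"VolumeId": "vol-0root2", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-default-ebs",
     "Attachments": [{"InstanceId": "i-0dc2example", "Device": "/dev/sda1"}]},
    {"VolumeId": "vol-0app", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0appexample", "Device": "/dev/sda1"}]},
]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0a", "VolumeId": "vol-0root1", "Encrypted": True, "KmsKeyId": AD_CMK_ARN},
    {"SnapshotId": "snap-0b", "VolumeId": "vol-0data1", "Encrypted": False},
]

if __name__ == "__main__":
    dc_vol_ids = {v["VolumeId"] for v in dc_volumes(SAMPLE_VOLUMES, DC_INSTANCE_IDS)}
    for line in audit_dc_volumes(SAMPLE_VOLUMES, DC_INSTANCE_IDS, AD_CMK_ARN):
        print(line)
    for line in audit_dc_snapshots(SAMPLE_SNAPSHOTS, dc_vol_ids, AD_CMK_ARN):
        print(line)
```

Checking the key ARN rather than just the `Encrypted` flag is the point: a volume encrypted with the default EBS key is readable by anyone the account lets use that key, which defeats the slide's advice to restrict the AD CMK separately.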
  • 22. Encryption – Using CloudHSM
    (Diagram) AWS KMS with its default key store (KMS HSM fleet) and a custom key store connector to a CloudHSM cluster in an HSM VPC; AWS services use the existing KMS APIs. In the Active Directory VPC, a domain controller in a private subnet with its Amazon EBS volume encrypted under the CloudHSM-backed key.
  • 23. Logging, monitoring, and alerting
    • Security logs are the best source of information for activities occurring on your identity store. Monitor security logs for anomalies.
    • Enable and monitor VPC Flow Logs for troubleshooting and security.
    • Consider setting up alerting for key security events in near real time.
    • Enable AWS CloudTrail logs in the AWS account and alert on key changes.
    • Monitor DCs for availability. Set up Amazon EC2 auto recovery to recover the EC2 instance from a hardware or other failure.
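The logging slide says to monitor the DCs' security logs and alert on key events in near real time without naming which events. The Python below is an added example, not code from the deck or from AWS, of the kind of rule set a practitioner would put in front of those logs: it raises an alert for a member being added to a privileged group (Windows Security event IDs 4728, 4732, 4756), for a new account (4720), and for a burst of failed logons (4625) from one source address. The JSON record layout is a simplified, constructed rendering of the event fields as an agent might ship them to CloudWatch Logs; the hosts, users and addresses in the sample lines are constructed.

```python
"""Added example: alert on key Active Directory security events delivered as
JSON records (for example into CloudWatch Logs).

The record layout is a constructed, simplified rendering of Windows Security
log fields; the event IDs are the standard Windows ones. Hosts, users and
addresses in the sample lines are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Member added to a security-enabled global / local / universal group.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
FAILED_LOGON = 4625
ACCOUNT_CREATED = 4720
FAIL_THRESHOLD = 5                   # failed logons from one source ...
FAIL_WINDOW = timedelta(minutes=2)   # ... within this window raise an alert


def parse_event(line):
    """Parse one JSON record and attach a datetime used for windowing."""
    rec = json.loads(line)
    rec["_time"] = datetime.fromisoformat(rec["TimeCreated"])
    return rec


def detect(lines):
    """Return alerts for privileged group changes, new accounts and failed-logon bursts."""
    alerts = []
    failures = defaultdict(list)   # source address -> timestamps of recent failures
    for line in lines:
        ev = parse_event(line)
        eid, when, host = ev["EventID"], ev["TimeCreated"], ev["Computer"]
        if eid in GROUP_ADD_EVENTS and ev.get("TargetGroup") in PRIVILEGED_GROUPS:
            alerts.append(f"{when} {host}: {ev['SubjectUser']} added {ev['MemberName']} "
                          f"to {ev['TargetGroup']} (event {eid})")
        elif eid == ACCOUNT_CREATED:
            alerts.append(f"{when} {host}: {ev['SubjectUser']} created account "
                          f"{ev['TargetUser']} (event 4720)")
        elif eid == FAILED_LOGON:
            src = ev.get("IpAddress", "-")
            recent = failures[src]
            recent.append(ev["_time"])
            # Drop failures older than the window, then alert exactly once when the
            # threshold is reached; further failures in the same window do not re-alert.
            while recent and ev["_time"] - recent[0] > FAIL_WINDOW:
                recent.pop(0)
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(f"{when} {host}: {FAIL_THRESHOLD} failed logons from {src} "
                              f"within {FAIL_WINDOW.seconds // 60} min (event 4625)")
    return alerts


def _ev(**fields):
    """Build one constructed JSON log line."""
    return json.dumps(fields)


# Constructed sample log lines (not real log data).
SAMPLE_LINES = [
    _ev(TimeCreated="2019-06-25T14:00:05", Computer="DC1", EventID=4624,
        TargetUser="alice", IpAddress="10.1.4.20"),
    _ev(TimeCreated="2019-06-25T14:01:10", Computer="DC1", EventID=4728, SubjectUser="helpdesk1",
        MemberName="CN=svc-backup,OU=Service,DC=corp,DC=example", TargetGroup="Domain Admins"),
    _ev(TimeCreated="2019-06-25T14:01:30", Computer="DC1", EventID=4728, SubjectUser="helpdesk1",
        MemberName="CN=bob,OU=Users,DC=corp,DC=example", TargetGroup="Sales"),
    *[_ev(TimeCreated=f"2019-06-25T14:02:{10 + i:02d}", Computer="DC2", EventID=4625,
          TargetUser="administrator", IpAddress="10.1.4.20") for i in range(6)],
    _ev(TimeCreated="2019-06-25T14:03:00", Computer="DC2", EventID=4625,
        TargetUser="carol", IpAddress="10.2.9.8"),
    _ev(TimeCreated="2019-06-25T14:04:00", Computer="DC1", EventID=4720,
        SubjectUser="helpdesk1", TargetUser="tmpadmin"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Run over the sample lines this yields three alerts: the service account added to Domain Admins, the fifth failed logon from 10.1.4.20, and the new account; the addition to the Sales group and the single failure from 10.2.9.8 stay below the rules. In production the same logic sits behind a CloudWatch Logs metric filter or a subscription, but the decision of which events matter is the part the slide leaves to you.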
  • 24. Other considerations
    • Restrict the number of users who have access to logging in to domain controllers
    • Perform AD administrative tasks from a management server
    • Perform regular backups of your Active Directory environment for recovery
    • Encrypt and secure your Active Directory backups
  • 25. (section divider)
  • 26. AWS Managed Microsoft AD security
    • AWS Managed AD is single tenant. Your DCs only contain your data.
    • Most management tasks are done via automation. We have a process for operators when human touch is required.
    • AWS employees don’t have access to customer’s domain admin credentials. Those are under automated control.
    • Domain controller security logs are delivered to Amazon CloudWatch Logs.
    • Delegated admin access using predefined users, groups, and OUs.
  • 27. AWS Managed Microsoft AD security (cont’d)
    • Account security
      • Centralize AWS Managed Microsoft AD in a single AWS account
      • Restrict access to AWS Directory Service to limited users
      • Follow best practices to secure the AWS root credentials
    • Network security
      • Security group limits traffic to just AD ports and between domain controllers
      • Use management server for admin tasks; cannot RDP to domain controllers
  • 28. AWS Managed Microsoft AD security (cont’d)
    • DNS – Internet name resolution
      • AWS Managed AD will use Route 53 (.2 resolver) for internet-bound queries
    • Encryption
      • EBS volumes are encrypted by default using AWS KMS
      • All snapshots are encrypted and stored securely
      • AWS Managed AD supports LDAPS. Refer to this documentation: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_ldap.html
  • 29. AWS Managed Microsoft AD shared responsibility
    AWS responsibility | Customer responsibility
    Protect hardware, software, networking, and facilities that run AWS Managed AD | Maintain and manage Active Directory data like users, groups, OUs, group policies, etc.
    Isolation of domain controllers between customers | Configure and manage Active Directory trusts
    Protect enterprise/domain admin credential through automation | Configure and manage network connectivity to AWS Managed AD VPC/subnets
    Apply updates and security patches to the domain controllers | Providing compatible LDIF file for schema extensions
    Encrypt EBS volumes | Manage security groups for AWS Managed AD
    Maintain availability of the directory | Configure LDAPS to support applications
    Monitor and manage Active Directory replication | Configure integration with RADIUS and MFA infrastructure
    Perform daily snapshots of the directory | Adding more domain controllers based on performance requirements
  • 30. AWS Managed AD compliance certifications
  • 31. AWS Managed Microsoft AD certifications
  • 32. (section divider)
  • 33. Thank you!
    Vinod Madabushi, vinodmb@amazon.com