© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
CAF Infrastructure Security: Your minimum security baseline
Infrastructure Security
• Least Privilege
• Infrastructure Security
• Virtual Private Cloud (VPC)
• AWS Shield / WAF
• Firewall Manager
• Endpoint Security
• AMI Build
• Inspector
• EC2 Systems Manager (SSM)
• Quick Starts
• APN Solutions
Least privilege
• Grant only the permissions required to perform the function
• Apply at every layer (application, endpoint, infrastructure)
• User accounts
– Grant administrative rights only where they are actually required
• Security groups / NACLs
– Allow only the ports the function needs
– Allow only connections that have a business need
• EC2 instances
– Run only the services the instance needs
– Run a single function/service per instance
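The security-group half of the list above can be checked mechanically. The following is an added example, not code from the deck: it walks a document shaped like the output of `aws ec2 describe-security-groups` and flags inbound rules that contradict "only necessary ports, only sources with a business need". The three groups, the port lists and the severities are constructed assumptions for the example.

```python
"""Least-privilege audit of EC2 security group ingress rules.

Added example, not part of the original deck. It walks a document shaped
like the output of `aws ec2 describe-security-groups` and flags inbound
rules that contradict "only necessary ports, only sources with a business
need". The three groups below are constructed for this example.
"""
from ipaddress import ip_network

# Ports that should never be reachable from the whole internet
# (assumption: extend the set for your own estate).
ADMIN_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 6379, 27017}
# The only ports an internet-facing tier is expected to expose.
WEB_PORTS = {80, 443}
WORLD = (ip_network("0.0.0.0/0"), ip_network("::/0"))


def is_world(cidr):
    """True when the CIDR is the whole IPv4 or IPv6 internet."""
    return ip_network(cidr, strict=False) in WORLD


def port_range(perm):
    """(from, to) of an IpPermission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_group(group):
    """Return (severity, message) findings for one security group."""
    gid, findings = group["GroupId"], []
    for perm in group.get("IpPermissions", []):
        lo, hi = port_range(perm)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        # Rules whose source is another security group are not reviewed here.
        for src in sources:
            if not is_world(src):
                continue
            if perm.get("IpProtocol") == "-1":
                findings.append(("HIGH", f"{gid}: all protocols and ports open to {src}"))
            elif any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(("HIGH", f"{gid}: admin/database port within {lo}-{hi} open to {src}"))
            elif lo == hi and lo in WEB_PORTS:
                continue  # a single web port open to the world is the expected exception
            else:
                findings.append(("MEDIUM", f"{gid}: non-web port range {lo}-{hi} open to {src}"))
    return findings


def audit(groups):
    """Audit every group; returns {GroupId: [findings]} for groups that have findings."""
    report = {g["GroupId"]: audit_security_group(g) for g in groups}
    return {gid: f for gid, f in report.items() if f}


# Constructed sample in describe-security-groups shape (not real output).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for gid, findings in audit(SAMPLE_GROUPS).items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```

Feeding the script real output (`aws ec2 describe-security-groups --query SecurityGroups`) is a one-line change; rules that reference another security group rather than a CIDR are deliberately skipped, since those express an intra-VPC relationship rather than internet exposure.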
Virtual Private Cloud (VPC)
• Internet Gateway
• NAT Gateway
• VPN
• Direct Connect
• VPC peering
Virtual Private Cloud (VPC): Boundary Defense
• Control inbound and outbound access to the VPC, its subnets and its instances
• Route Tables
• Network Access Control Lists (NACLs)
• Security Groups
Security Groups / Network ACL Comparison

| Security Group | Network ACL |
| Operates at the instance level | Operates at the subnet level |
| Supports allow rules only | Supports allow rules and deny rules |
| Stateful: return traffic is automatically allowed, regardless of any rules | Stateless: return traffic must be explicitly allowed by rules (for example an outbound rule covering ephemeral ports) |
| All rules are evaluated before deciding whether to allow traffic | Rules are processed in number order; the first matching rule decides |
| Applies to an instance only if the security group is associated with it | Automatically applies to all instances in the subnets it is associated with |
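The rows of the table are easy to state and easy to get wrong in practice (the classic mistake is a network ACL whose outbound rules mirror its inbound rules, which silently drops every reply). The following added example, not code from the deck, simulates both filters over the same HTTPS exchange: connection tracking makes the security group pass the reply with no outbound rule at all, while the NACL needs an explicit ephemeral-port rule, and a deny rule only works if it is numbered below the allow it is meant to override. Addresses, ports and rules are constructed for the example.

```python
"""Stateful security group vs. stateless network ACL, simulated.

Added example, not from the deck. It models the rows of the comparison
table: a security group is allow-only, evaluates every rule and tracks
connections so return traffic passes regardless of rules; a network ACL has
numbered allow/deny rules processed in order (first match wins, then the
implicit deny) and needs an explicit rule for return traffic. All rules and
addresses below are constructed for the example.
"""
from ipaddress import ip_address, ip_network

CLIENT = "203.0.113.7"   # constructed client address (TEST-NET-3)


def matches(rule, proto, port, addr):
    """A rule matches when protocol, port and peer address all fit."""
    return (rule["proto"] in ("-1", proto)
            and rule["lo"] <= port <= rule["hi"]
            and ip_address(addr) in ip_network(rule["cidr"]))


class SecurityGroup:
    """Allow rules only, every rule evaluated, connection-tracked (stateful)."""

    def __init__(self, inbound, outbound):
        self.inbound_rules, self.outbound_rules = inbound, outbound
        self.tracked = set()   # flows whose reverse direction is pre-approved

    def inbound(self, proto, src_ip, src_port, dst_port):
        if (proto, src_ip, src_port, dst_port) in self.tracked:
            return True            # reply to a connection we opened: no rule needed
        if any(matches(r, proto, dst_port, src_ip) for r in self.inbound_rules):
            self.tracked.add((proto, src_ip, dst_port, src_port))  # let our reply out
            return True
        return False               # no deny rules exist; no match simply means drop

    def outbound(self, proto, dst_ip, src_port, dst_port):
        if (proto, dst_ip, src_port, dst_port) in self.tracked:
            return True            # reply to a connection the peer opened
        if any(matches(r, proto, dst_port, dst_ip) for r in self.outbound_rules):
            self.tracked.add((proto, dst_ip, dst_port, src_port))  # let the answer in
            return True
        return False


class NetworkACL:
    """Numbered allow/deny rules, processed in order, first match wins, stateless."""

    def __init__(self, inbound, outbound):
        self.inbound_rules = sorted(inbound, key=lambda r: r["num"])
        self.outbound_rules = sorted(outbound, key=lambda r: r["num"])

    @staticmethod
    def evaluate(rules, proto, port, addr):
        for rule in rules:                      # lowest rule number first
            if matches(rule, proto, port, addr):
                return rule["action"] == "allow"
        return False                            # the implicit '*' deny rule

    def inbound(self, proto, src_ip, src_port, dst_port):
        return self.evaluate(self.inbound_rules, proto, dst_port, src_ip)

    def outbound(self, proto, dst_ip, src_port, dst_port):
        return self.evaluate(self.outbound_rules, proto, dst_port, dst_ip)


ALLOW_443 = {"proto": "tcp", "lo": 443, "hi": 443, "cidr": "0.0.0.0/0"}
# Two candidate outbound rule sets for a web subnet's NACL:
MIRRORED = [{"num": 100, "action": "allow", **ALLOW_443}]   # same as inbound: a common mistake
EPHEMERAL = [{"num": 100, "action": "allow", "proto": "tcp", "lo": 1024, "hi": 65535, "cidr": "0.0.0.0/0"}]


def https_exchange(filter_):
    """Client connects from an ephemeral port to :443, server replies. Returns (request_ok, reply_ok)."""
    request = filter_.inbound("tcp", CLIENT, 51000, 443)
    reply = filter_.outbound("tcp", CLIENT, 443, 51000)
    return request, reply


def security_group_scenario():
    # No outbound rules at all: the reply still passes because the flow is tracked.
    return https_exchange(SecurityGroup(inbound=[ALLOW_443], outbound=[]))


def nacl_scenario(outbound_rules):
    return https_exchange(NetworkACL(inbound=[{"num": 100, "action": "allow", **ALLOW_443}],
                                     outbound=outbound_rules))


def nacl_deny_order(deny_rule_number):
    """A deny for the client's /24 only takes effect if numbered below the allow."""
    deny = {"num": deny_rule_number, "action": "deny", "proto": "tcp",
            "lo": 443, "hi": 443, "cidr": "203.0.113.0/24"}
    nacl = NetworkACL(inbound=[{"num": 100, "action": "allow", **ALLOW_443}, deny], outbound=EPHEMERAL)
    return nacl.inbound("tcp", CLIENT, 51000, 443)


if __name__ == "__main__":
    print("security group, no outbound rules:", security_group_scenario())   # (True, True)
    print("NACL with mirrored outbound rule:  ", nacl_scenario(MIRRORED))    # (True, False)
    print("NACL with ephemeral-port rule:     ", nacl_scenario(EPHEMERAL))   # (True, True)
    print("NACL deny numbered 90 / 110:       ", nacl_deny_order(90), nacl_deny_order(110))  # False True
```

The simulator ignores protocol details such as ICMP and the fixed ephemeral range each operating system uses; its point is the control-flow difference, which is exactly what the table describes.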
AWS WAF
• Web traffic filtering with custom rules
• Malicious request blocking
• Active monitoring & tuning
• Detect and filter malicious web requests
AWS WAF: Sample requests
• Add a rule with a COUNT action (matches are counted, not blocked) and analyze the details of the matching requests before switching the rule to BLOCK:
– Client IP
– Country
– Headers
– HTTP version
– Method
– URI
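What to do with those sampled fields is the tuning loop the slide alludes to: summarise what the COUNT rule matched, measure how much known-good traffic it would have caught, and only then promote it to BLOCK. The block below is an added example, not code from the deck. Its records are constructed in the shape of the WAF GetSampledRequests response (ClientIP, Country, URI, Method, HTTPVersion, Headers, Weight, Action); the allow-listed office range, the country codes and the 1% threshold are assumptions for the example.

```python
"""Tuning an AWS WAF rule in COUNT mode before switching it to BLOCK.

Added example, not from the deck. The records are constructed in the shape
of the WAF GetSampledRequests response (ClientIP, Country, URI, Method,
HTTPVersion, Headers, Weight, Action); the allow-listed range, the country
codes and the threshold are assumptions for the example.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

FIELDS = ("ClientIP", "Country", "URI", "Method", "HTTPVersion")


def header(req, name):
    """Value of a request header, or '-' when absent."""
    return next((h["Value"] for h in req.get("Headers", []) if h["Name"].lower() == name.lower()), "-")


def summarize(samples):
    """Weighted counts per field (Weight = how many requests a sample stands for)."""
    counts = {f: Counter() for f in FIELDS + ("User-Agent",)}
    for s in samples:
        req, w = s["Request"], s.get("Weight", 1)
        for f in FIELDS:
            counts[f][req[f]] += w
        counts["User-Agent"][header(req, "User-Agent")] += w
    return counts


def allowlisted_share(samples, allowlist):
    """Fraction of matched traffic that came from ranges known to be legitimate."""
    nets = [ip_network(c) for c in allowlist]
    total = hit = 0
    for s in samples:
        w = s.get("Weight", 1)
        total += w
        if any(ip_address(s["Request"]["ClientIP"]) in n for n in nets):
            hit += w
    return hit / total if total else 0.0


def ready_to_block(samples, allowlist, max_share=0.01):
    """Promote COUNT to BLOCK only if known-good traffic stays below max_share."""
    return allowlisted_share(samples, allowlist) <= max_share


def make_sample(ip, country, uri, method, user_agent, weight):
    return {"Request": {"ClientIP": ip, "Country": country, "URI": uri, "Method": method,
                        "HTTPVersion": "HTTP/1.1",
                        "Headers": [{"Name": "User-Agent", "Value": user_agent}]},
            "Weight": weight, "Action": "COUNT"}


# Constructed samples for a rule that matches POSTs to login endpoints.
SAMPLES = [
    make_sample("198.51.100.20", "ZZ", "/wp-login.php", "POST", "python-requests/2.18.4", 50),
    make_sample("198.51.100.21", "ZZ", "/wp-login.php", "POST", "python-requests/2.18.4", 50),
    make_sample("198.51.100.22", "ZZ", "/xmlrpc.php", "POST", "python-requests/2.18.4", 50),
    make_sample("192.0.2.10", "AA", "/wp-login.php", "POST", "Mozilla/5.0", 5),  # office range
]
OFFICE = ["192.0.2.0/24"]   # assumed allow-listed range

if __name__ == "__main__":
    for field, counter in summarize(SAMPLES).items():
        print(field, counter.most_common(3))
    print("share from office:", round(allowlisted_share(SAMPLES, OFFICE), 3))   # 0.032
    print("ready to block:", ready_to_block(SAMPLES, OFFICE))                     # False
```

In this sample the rule would also catch legitimate logins from the office range, so the right move is to narrow the rule (or add an allow rule ahead of it) and re-sample, not to flip it to BLOCK.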
Web Application Firewall (WAF)
• Blueprints
– WAF security automations
– OWASP Top 10 mitigations
• Create your own rules
• AWS Marketplace rulesets
https://aws.amazon.com/answers/security/aws-waf-security-automations/
https://aws.amazon.com/about-aws/whats-new/2017/07/use-aws-waf-to-mitigate-owasps-top-10-web-application-vulnerabilities/
Marketplace rule sets
• Protection against new and emerging threats
• Security research teams monitor, tune and update the rules regularly
• Rule updates reach your web ACL within minutes
• No extra cost for updates
• Unsubscribe anytime
AWS Shield
Managed DDoS Protection
• Shield Standard: enabled for all AWS customers at no additional charge
• Protects against common infrastructure-layer attacks
– Layer 3 & 4
– SYN/ACK floods
– UDP floods
– Reflection attacks
• Add AWS WAF for Layer 7 protection
• Shield Advanced (paid)
– Protection against larger and more sophisticated attacks
– Access to the AWS DDoS Response Team
– Cost protection against scaling charges caused by an attack
Architecture diagram (components named): users, Amazon Route 53, CloudFront, ELB, public subnet, private subnet, servers, security group (BuildABeer-SG-1)
AWS Firewall Manager
• Centrally manage AWS WAF rules across accounts
• Integrated with Managed Rules for AWS WAF
• Ensure compliance of rules across your organization
AWS Firewall Manager: setup
• Set the master (administrator) AWS account
• Create a custom RuleGroup, or use Managed Rules from AWS Marketplace
• Specify the policy scope
• Create the policy
Egress Control
Controlling traffic flows, in addition to Security Groups, NACLs & routes:
• VPC endpoints
• NAT gateways
• Inline gateways
– DLP
– IDS
– App filtering
• Host tools
– DLP
– IDS
– FIM
VPC Endpoint: Gateway
• Access supported AWS services without traversing the internet
– Amazon S3
– DynamoDB
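Route tables are where the egress-control slide and the gateway-endpoint slide meet: a subnet's default route decides whether it has direct internet access (an internet gateway), outbound-only access (a NAT gateway) or none, and a prefix-list route to a vpce- target is what gives it S3 or DynamoDB without the internet. The following is an added example, not code from the deck; it classifies subnets from documents constructed in the shape of `aws ec2 describe-route-tables` output (all IDs are made up) and reports subnets whose real egress is broader than intended, such as an application tier that only needs S3 but has been given a NAT route.

```python
"""Classify subnet egress paths from route tables.

Added example, not from the deck. The route tables below are constructed
in the shape of `aws ec2 describe-route-tables` output; all IDs are made
up. A subnet without an explicit association uses the main route table.
"""

# Egress breadth, narrowest first; used to compare actual against intended.
RANK = {"isolated": 0, "private-nat": 1, "public": 2}


def classify_route_table(rt):
    """Return {'egress': ..., 'gateway_endpoints': [...]} for one route table."""
    egress, endpoints = "isolated", []
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gateway = route.get("GatewayId", "")
        if dest in ("0.0.0.0/0", "::/0"):
            if gateway.startswith("igw-"):
                egress = "public"                     # inbound and outbound internet
            elif route.get("NatGatewayId") and egress != "public":
                egress = "private-nat"                # outbound-initiated only
        elif route.get("DestinationPrefixListId") and gateway.startswith("vpce-"):
            endpoints.append(gateway)                 # S3/DynamoDB gateway endpoint
    return {"egress": egress, "gateway_endpoints": endpoints}


def classify_subnets(route_tables, subnet_ids):
    """Map each subnet to the classification of the route table it actually uses."""
    main = next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))
    explicit = {a["SubnetId"]: rt for rt in route_tables
                for a in rt["Associations"] if a.get("SubnetId")}
    # Subnets without an explicit association fall back to the main route table.
    return {sid: classify_route_table(explicit.get(sid, main)) for sid in subnet_ids}


def egress_violations(classification, intended):
    """Subnets whose real egress is broader than the intended class."""
    return sorted(sid for sid, info in classification.items()
                  if RANK[info["egress"]] > RANK[intended[sid]])


# Constructed sample (not real output).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"},
                {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"}]},
]
SUBNETS = ["subnet-web", "subnet-app", "subnet-db"]   # subnet-db has no explicit association
INTENDED = {"subnet-web": "public", "subnet-app": "isolated", "subnet-db": "isolated"}

if __name__ == "__main__":
    result = classify_subnets(ROUTE_TABLES, SUBNETS)
    for sid, info in result.items():
        print(sid, info)
    print("broader than intended:", egress_violations(result, INTENDED))   # ['subnet-app']
```

The classification only looks at routes; a subnet that is "public" by route table still needs a public IP on the instance and a permissive security group before anything is reachable, which is why the deck treats route tables, NACLs and security groups as layers rather than alternatives.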
VPC Endpoint: Interface (PrivateLink)
• Access AWS & partner services without traversing the internet
• Create private endpoints for services you provide
• AWS Marketplace has SaaS products available that use PrivateLink
Network Address Translation (NAT)
• 2 types: NAT Gateway / NAT Instance
• Allows instances in private subnets to initiate connections out to the internet; hosts on the internet cannot initiate connections back to those instances
Defense in depth against DDoS (diagram)
• Traffic path: Internet → border network → AWS services → customer resources
• Mitigation layers: Internet-layer mitigations, network-layer mitigations, web-layer mitigations, DDoS detection, and the DDoS Response Team (DRT) for sophisticated Layer 7 attacks
• Attack types named: large-scale attacks, SYN floods, reflection attacks, suspicious sources, HTTP floods, bad bots, suspicious IPs, SSL attacks, Slowloris, malformed HTTP
AMI Factory
• Create secure baseline
• Monitor compliance
• Scan for vulnerabilities
• Remediate & Update
• Inspector, Config & SSM
Vulnerability Management
Inspector
• Scan the AMI as part of the build
– CVEs
– Configuration
• Scan / patch frequently
• Use with SSM to automate patching
• Integrates with CI/CD tools
• CVSS scoring
Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all of your Windows and Linux workloads running in Amazon EC2 or on-premises, at no charge; you only pay for the AWS resources you manage.
Amazon EC2 Systems Manager – Components
• Run Command
• State Manager
• Inventory
• Maintenance Window
• Patch Manager
• Automation
• Parameter Store
Run Command: Overview
Remotely and securely manage servers or virtual machines at scale, running in your data center or in AWS
• Automate common administrative tasks
• Execute commands across multiple instances simultaneously
• Support for AWS and on-premises infrastructure
• Granular permissions to control access through AWS Identity & Access Management
• Logging using AWS CloudTrail
Parameter Store: Overview
Provides secure storage for configuration data & secrets
• Store configuration data and secure strings in hierarchies and track versions
• Control and audit access at granular levels
• Reference parameters across AWS services such as Amazon EC2, Amazon EC2 Container Service, AWS Lambda and AWS CloudFormation
Inventory: Overview
Provides visibility into the software catalogue and configuration of your Amazon EC2 instances and on-premises servers
• Gather detail on a variety of attributes, such as:
– Installed applications & OS details
– AWS components and agents
– Network configuration
• Inventory attributes are stored in AWS Config for auditing
• Assess compliance of configurations using AWS Config Rules
State Manager: Overview
Define and maintain consistent configuration of operating systems and applications running in your data center or in AWS
• Control configuration details such as anti-virus settings, iptables, etc.
• Define your own schedules for deployment reviews
• Compare actual deployments against the specified configuration policy
• State Manager reapplies policies if state drift is detected
• Query State Manager to view the status of deployments
Patch Manager: Overview
Automated tool that helps you simplify the operating system patching process for your Windows and Linux instances
• Select the patches you want to deploy
• Control timing for patch roll-outs and instance reboots
• Define auto-approval rules for patches
• Explicitly approve or reject specific patches
• Schedule the automatic roll-out through maintenance windows
Quick Start Templates
• NIST 800-53
• PCI / HIPAA
• Deploy in a few minutes
• Best practices implemented
• A great starting point
• No charge for the templates; you pay only for the AWS resources they deploy
• https://aws.amazon.com/quickstart/
Security Partner Solutions
https://aws.amazon.com/security/partner-solutions/
Summary
• Ingress filtering capability: use VPC design in combination with security groups, NACLs and WAF to establish boundaries
• Egress filtering capability: use security groups, NACLs, NAT gateways, route tables and VPC endpoints
• DDoS mitigation capability: use CloudFront and Route 53 (protected by Shield) to mitigate layer 3 and 4 attacks, and WAF for layer 7
• Vulnerability & patch management capability: use Inspector and SSM
• Use SSM for:
– Configuration and patch compliance
– Secure privileged access to instances
– Automated patch management
– Software inventory & licensing compliance
– Secrets vaulting (Parameter Store secure strings)
Further Reading
• https://aws.amazon.com/blogs/devops/how-to-create-an-ami-builder-with-aws-codebuild-and-hashicorp-packer/
• https://d0.awsstatic.com/aws-answers/AWS_Securing_EC2_Instances.pdf
• https://aws.amazon.com/ec2/systems-manager/
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

More Related Content

What's hot

Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSAmazon Web Services
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon Web Services
 
AWS Web Application Firewall and AWS Shield - Webinar
AWS Web Application Firewall and AWS Shield - Webinar AWS Web Application Firewall and AWS Shield - Webinar
AWS Web Application Firewall and AWS Shield - Webinar Amazon Web Services
 
DDoS Mitigation Techniques and AWS Shield
DDoS Mitigation Techniques and AWS ShieldDDoS Mitigation Techniques and AWS Shield
DDoS Mitigation Techniques and AWS ShieldAmazon Web Services
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
Building a well-engaged and secure AWS account access management - FND207-R ...
 Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...Amazon Web Services
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineAmazon Web Services
 

What's hot (20)

Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWS
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWS
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
 
GuardDuty Hands-on Lab
GuardDuty Hands-on LabGuardDuty Hands-on Lab
GuardDuty Hands-on Lab
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security Hub
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
 
AWS Web Application Firewall and AWS Shield - Webinar
AWS Web Application Firewall and AWS Shield - Webinar AWS Web Application Firewall and AWS Shield - Webinar
AWS Web Application Firewall and AWS Shield - Webinar
 
AWS WAF - A Web App Firewall
AWS WAF - A Web App FirewallAWS WAF - A Web App Firewall
AWS WAF - A Web App Firewall
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 
AWS 101
AWS 101AWS 101
AWS 101
 
DDoS Mitigation Techniques and AWS Shield
DDoS Mitigation Techniques and AWS ShieldDDoS Mitigation Techniques and AWS Shield
DDoS Mitigation Techniques and AWS Shield
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Aws VPC
Aws VPCAws VPC
Aws VPC
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
 
AWS networking fundamentals
AWS networking fundamentalsAWS networking fundamentals
AWS networking fundamentals
 
Building a well-engaged and secure AWS account access management - FND207-R ...
 Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...
 
AWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAWS Cloud Security Fundamentals
AWS Cloud Security Fundamentals
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
 
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals WebinarCloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
 

Similar to Infrastructure Security: Your Minimum Security Baseline

AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security BaselineAWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security BaselineAmazon Web Services
 
Compliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesCompliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesAmazon Web Services
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day OneAmazon Web Services
 
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAmazon Web Services
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDayAmazon Web Services
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS Germany
 
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfSecuring Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfAmazon Web Services
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfAmazon Web Services
 
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Amazon Web Services
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsAmazon Web Services
 
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...Amazon Web Services
 
Using Amazon VPC Flow Logs for Predictive Security Analytics (NET319) - AWS r...
Using Amazon VPC Flow Logs for Predictive Security Analytics (NET319) - AWS r...Using Amazon VPC Flow Logs for Predictive Security Analytics (NET319) - AWS r...
Using Amazon VPC Flow Logs for Predictive Security Analytics (NET319) - AWS r...Amazon Web Services
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Amazon Web Services
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignAmazon Web Services
 
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018Amazon Web Services
 
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...Amazon Web Services
 

Similar to Infrastructure Security: Your Minimum Security Baseline (20)

AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security BaselineAWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
Compliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesCompliance and Security Mitigation Techniques
Compliance and Security Mitigation Techniques
 
Mitigating techniques
Mitigating techniquesMitigating techniques
Mitigating techniques
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
 
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
 
How AI is disrupting the world
How AI is disrupting the world How AI is disrupting the world
How AI is disrupting the world
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDay
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
 
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfSecuring Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdf
 
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
 
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
Orchestrate Perimeter Security Across Distributed Applications (SEC326) - AWS...
 
Using Amazon VPC Flow Logs for Predictive Security Analytics (NET319) - AWS r...
Using Amazon VPC Flow Logs for Predictive Security Analytics (NET319) - AWS r...Using Amazon VPC Flow Logs for Predictive Security Analytics (NET319) - AWS r...
Using Amazon VPC Flow Logs for Predictive Security Analytics (NET319) - AWS r...
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
 
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
 
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate

Infrastructure Security: Your Minimum Security Baseline


6. Security Groups / Network ACL Comparison
Security Group | Network ACL
Operates at the instance level | Operates at the subnet level
Supports allow rules only | Supports allow rules and deny rules
Stateful: Return traffic is automatically allowed, regardless of any rules | Stateless: Return traffic must be explicitly allowed by rules
We evaluate all rules before deciding whether to allow traffic | We process rules in number order when deciding whether to allow traffic
Applies to an instance only if the security group is specified | Automatically applies to all instances in the subnets
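The stateful/stateless and rule-ordering differences in the comparison above, as an added example that is not part of the original deck: a toy Python model of both rule types (constructed rules and addresses, not an AWS API) showing that a network ACL drops the reply until an outbound ephemeral-port rule exists, that a security group allows the reply automatically, and that a NACL deny only takes effect if its number is lower than the matching allow.

```python
"""Toy model of the stateful/stateless distinction between security groups and
network ACLs. Constructed rules only, not an AWS API; ipaddress is stdlib."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int   # NACL evaluation order; ignored for security groups
    cidr: str
    port_lo: int
    port_hi: int
    action: str   # "allow" or "deny" (security groups only ever "allow")

def _matches(rule: Rule, ip: str, port: int) -> bool:
    return ip_address(ip) in ip_network(rule.cidr) and rule.port_lo <= port <= rule.port_hi

def nacl_allows(rules: list[Rule], ip: str, port: int) -> bool:
    """Network ACL: rules are processed in number order and the first match
    decides; a packet matching no rule hits the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, ip, port):
            return rule.action == "allow"
    return False

def sg_allows(rules: list[Rule], ip: str, port: int) -> bool:
    """Security group: all rules are evaluated; any matching allow rule permits."""
    return any(_matches(r, ip, port) for r in rules)

def nacl_round_trip(inbound, outbound, client_ip, client_port, service_port):
    """Stateless: the request is checked against inbound rules, and the reply is a
    separate evaluation against outbound rules, keyed on the client's ephemeral port."""
    request_ok = nacl_allows(inbound, client_ip, service_port)
    reply_ok = request_ok and nacl_allows(outbound, client_ip, client_port)
    return request_ok, reply_ok

def sg_round_trip(inbound, client_ip, client_port, service_port):
    """Stateful: once the request is allowed, its reply is allowed regardless of rules."""
    request_ok = sg_allows(inbound, client_ip, service_port)
    return request_ok, request_ok

# Constructed rule set: an explicit deny (NACL only) numbered before the HTTPS allow.
DENY_BAD_RANGE = Rule(90, "198.51.100.0/24", 0, 65535, "deny")
HTTPS_FROM_ANY = Rule(100, "0.0.0.0/0", 443, 443, "allow")
EPHEMERAL_OUT = Rule(100, "0.0.0.0/0", 1024, 65535, "allow")

if __name__ == "__main__":
    # NACL drops the reply with no outbound rule; the security group does not.
    print(nacl_round_trip([DENY_BAD_RANGE, HTTPS_FROM_ANY], [], "203.0.113.10", 51000, 443))
    print(sg_round_trip([HTTPS_FROM_ANY], "203.0.113.10", 51000, 443))
```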

7. AWS WAF
• Web traffic filtering with custom rules
• Malicious request blocking
• Active monitoring & tuning
• Detect and filter malicious web requests

8. AWS WAF: Sample requests
• Add a count action to analyze details of matching requests:
  – Client IP
  – Country
  – Headers
  – HTTP Version
  – Method
  – URI
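Reviewing what a count-mode rule would have matched, as an added example that is not part of the original deck: a Python script over constructed AWS WAF log records (field names modelled on the AWS WAF JSON log format, which is an assumption; the rule name SQLi-Count and every value are made up) that extracts the attributes the slide lists and tallies them before the rule is switched to BLOCK.

```python
"""Analyse AWS WAF logs for requests matched by a rule running in COUNT mode.
Field names follow AWS WAF's JSON log format (assumed); all values are constructed."""
import json
from collections import Counter

# Constructed sample: hypothetical rule "SQLi-Count" is in COUNT mode, so it
# shows up under nonTerminatingMatchingRules and never changes the final action.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"action": "ALLOW", "terminatingRuleId": "Default_Action",
     "nonTerminatingMatchingRules": [{"ruleId": "SQLi-Count", "action": "COUNT"}],
     "httpRequest": {"clientIp": "203.0.113.10", "country": "US", "httpMethod": "GET",
                     "uri": "/search", "httpVersion": "HTTP/1.1",
                     "headers": [{"name": "User-Agent", "value": "curl/7.58.0"}]}},
    {"action": "ALLOW", "terminatingRuleId": "Default_Action",
     "nonTerminatingMatchingRules": [{"ruleId": "SQLi-Count", "action": "COUNT"}],
     "httpRequest": {"clientIp": "198.51.100.7", "country": "DE", "httpMethod": "POST",
                     "uri": "/login", "httpVersion": "HTTP/2.0",
                     "headers": [{"name": "User-Agent", "value": "Mozilla/5.0"}]}},
    {"action": "ALLOW", "terminatingRuleId": "Default_Action",
     "nonTerminatingMatchingRules": [],
     "httpRequest": {"clientIp": "192.0.2.44", "country": "US", "httpMethod": "GET",
                     "uri": "/", "httpVersion": "HTTP/1.1", "headers": []}},
])

def count_mode_matches(log_text: str, rule_id: str) -> list[dict]:
    """Collect the request details the slide lists (client IP, country, headers,
    HTTP version, method, URI) for every record where rule_id matched in COUNT mode."""
    matches = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        counted = {r["ruleId"] for r in rec.get("nonTerminatingMatchingRules", [])
                   if r.get("action") == "COUNT"}
        if rule_id not in counted:
            continue
        req = rec["httpRequest"]
        user_agent = next((h["value"] for h in req.get("headers", [])
                           if h["name"].lower() == "user-agent"), "")
        matches.append({"clientIp": req["clientIp"], "country": req["country"],
                        "method": req["httpMethod"], "uri": req["uri"],
                        "httpVersion": req["httpVersion"], "userAgent": user_agent,
                        "finalAction": rec["action"]})
    return matches

def summarize(matches: list[dict], key: str) -> Counter:
    """Tally matched requests by one attribute (e.g. "country" or "uri") to see
    what the rule would have blocked before switching it from COUNT to BLOCK."""
    return Counter(m[key] for m in matches)
```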

9. Web Application Firewall (WAF)
• Blueprints
  – WAF automation
  – OWASP top 10
• Create your own rules
• AWS Marketplace rulesets
• https://aws.amazon.com/answers/security/aws-waf-security-automations/
• https://aws.amazon.com/about-aws/whats-new/2017/07/use-aws-waf-to-mitigate-owasps-top-10-web-application-vulnerabilities/

10. Marketplace rule sets
• Protection against new and emerging threats
• Security research teams monitor, tune, and update rules regularly
• Rule updates happen within minutes
• No extra cost for updates
• Unsubscribe anytime

11. AWS Shield: Managed DDoS Protection
• Shield Standard for all
• Protect from common attacks
  – Layer 3 & 4
  – SYN/ACK
  – UDP flood
  – Reflection
• Add WAF for Layer 7
• Shield Advanced ($)
  – Sophisticated attacks
  – Access to DDoS team
  – Cost protection
[Diagram: users, Amazon Route 53, CloudFront, ELB, servers in a public subnet and a private subnet, security group (BuildABeer-SG-1)]

12. AWS Firewall Manager
• Centrally manage AWS WAF rules across accounts
• Integrated with Managed Rules for AWS WAF
• Ensure compliance of rules across your organization

13. AWS Firewall Manager
• Set the master AWS account
• Specify policy scope
• Create policy
• Create custom RuleGroup or use Managed Rules from AWS Marketplace

14. Egress Control: Controlling traffic flows
• In addition to Security Groups, NACLs & Routes:
• VPC endpoints
• NAT gateways
• Inline gateways
  – DLP
  – IDS
  – App filtering
• Host tools
  – DLP
  – IDS
  – FIM

15. VPC Endpoint: Gateway
• Gateway
  – Access supported AWS services without going to the internet
    • Amazon S3
    • DynamoDB

16. VPC Endpoint: Interface (PrivateLink)
• Access AWS & partner services without going to the Internet
• Create private endpoints for services you provide
• Marketplace has SaaS products available that use PrivateLink

17. Network Address Translation (NAT)
• 2 types: Gateway / Instance
• Allows instances on private subnets to communicate out to the internet

18. DDoS Response Team
[Diagram: defense in depth from the Internet through the border network, AWS services and customer resources, with Internet-layer, network-layer and web-layer mitigations, DDoS detection, and the DDoS response team (DRT) for sophisticated Layer 7 attacks. Attacks shown: large-scale attacks, SYN floods, reflection attacks, suspicious sources, DDoS SSL attacks, Slowloris, malformed HTTP, HTTP floods, bad bots, suspicious IPs]

19. AMI Factory
• Create secure baseline
• Monitor compliance
• Scan for vulnerabilities
• Remediate & update
• Inspector, Config & SSM

20. Vulnerability Management: Inspector
• Scan AMI as part of build
  – CVE
  – Configuration
• Scan / patch frequently
• Use with SSM to automate patching
• Integrates with CI/CD tools
• CVSS scoring

21. Amazon EC2 Systems Manager
• A set of capabilities that...
• ...enable automated configuration...
• ...and ongoing management of systems at scale...
• ...across all of your Windows and Linux workloads...
• ...running in Amazon EC2 or on-premises...
• ...at no charge; only pay for AWS resources you manage

22. Amazon EC2 Systems Manager – Components
• Run Command
• State Manager
• Inventory
• Maintenance Window
• Patch Manager
• Automation
• Parameter Store

23. Run Command: Overview
Remotely and securely manage servers or virtual machines at scale running in your data center or in AWS
• Automate common administrative tasks
• Execute commands across multiple instances simultaneously
• Support for AWS and on-premises infrastructure
• Granular permissions to control access through AWS Identity & Access Management
• Logging using AWS CloudTrail

24. Parameter Store: Overview
Provides secure storage for configuration data & secrets
• Store configuration data and secure strings in hierarchies and track versions
• Control and audit access at granular levels
• Reference parameters across AWS services such as Amazon EC2, Amazon EC2 Container Service, AWS Lambda, AWS CloudFormation

25. Inventory: Overview
Provides visibility into the software catalogue and configuration for your Amazon EC2 instances and on-premises servers
• Gather detail on a variety of attributes, such as:
  – Installed applications & OS details
  – AWS components and agents
  – Network configuration
• Inventory attributes are stored in AWS Config for auditing
• Assess compliance of configurations using AWS Config Rules

26. State Manager: Overview
Define and maintain consistent configuration of operating systems and applications running in your data center or in AWS
• Control configuration details such as anti-virus settings, iptables, etc.
• Define your own schedules for deployment reviews
• Compare actual deployments against specified configuration policy
• State Manager reapplies policies if state drift is detected
• Query State Manager to view status of deployments

27. Patch Manager: Overview
Automated tool that helps you simplify your Windows operating system patching process
• Select the patches you want to deploy
• Control timing for patch roll-outs and instance reboots
• Define auto-approval rules for patches
• Ability to black-list or white-list specific patches
• Schedule the automatic roll-out through maintenance windows

28. Quickstart Templates
• NIST 800-53
• PCI / HIPAA
• Deploy in a few minutes
• Best practices implemented
• Great starting point
• Free
• https://aws.amazon.com/quickstart/

29. Security Partner Solutions
https://aws.amazon.com/security/partner-solutions/

30. Summary
• Ingress filtering capability: use VPC design in combination with security groups, NACLs and WAF to establish boundaries
• Egress filtering capability: use security groups, NACLs, NAT gateways, route tables and VPC endpoints
• DDoS mitigation capability: use CloudFront (Shield) & Route 53 to mitigate layer 3 and 4 attacks
• Vulnerability & patch management capability: use Inspector and SSM
• Use SSM for:
  – Configuration and patch compliance
  – Secure privileged access to instances
  – Automated patch management
  – Software inventory & licensing compliance
  – Secrets vaulting

31. Further Reading
• https://aws.amazon.com/blogs/devops/how-to-create-an-ami-builder-with-aws-codebuild-and-hashicorp-packer/
• https://d0.awsstatic.com/aws-answers/AWS_Securing_EC2_Instances.pdf
• https://aws.amazon.com/ec2/systems-manager/

32. aws.amazon.com/activate
Everything and Anything Startups Need to Get Started on AWS