The cloud enables users to run workloads in a more secure fashion than what typically can be done in a traditional data center. However, many customers are still not sure how to actually harden their AWS accounts and resources and make sure compliance is being enforced. When large customers have multiple accounts, ensuring consistency around governance can also be of concern. In this session we will review how to use automation, tools and techniques to harden and audit your AWS accounts, and also how to leverage AWS Organizations to ensure compliance in your enterprise.
Geordie Anderson, Security Specialist Solutions Architect, Amazon Web Services
Sean Donaghy, Senior Cyber Security Advisor, Canadian Centre for Cyber Security, Communications Security Establishment, Government of Canada
Michael Davie, Security Engineer, Canadian Centre for Cyber Security, Communications Security Establishment, Government of Canada
Too Many Tools - How AWS Systems Manager Bridges Operational Models (Amazon Web Services)
Come and see first-hand how AWS Systems Manager can help you manage your servers at scale with the agility and security you need in today's dynamic cloud-enabled world. Systems Manager simplifies resource and application management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your infrastructure securely at scale.
Speaker: Andra Christie, Solutions Architect, AWS
by Fritz Kunstler, Sr. Security Consultant, AWS
AWS Organizations offers policy-based management for multiple AWS Accounts. Learn how Organizations helps you more easily manage policies for groups of accounts and automate account creation.
AWS Identity and Access Management (IAM) lets you control access to AWS resources. It decides who is authenticated (signed in) and what they are authorized to do by managing users, groups, roles, and their permissions. To verify identities IAM supports password or access-key sign-in and can require multi-factor authentication (MFA; two-factor authentication is the usual form). Authorization happens after authentication and grants only the permissions that an applicable policy allows.
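The AWS Organizations and IAM entries above describe two policy layers: an Organizations policy that bounds what a member account may do, and an identity policy that grants permissions to a user or role, with MFA as an authentication requirement. The following is an added example, not code from either session, showing how those layers combine. It implements the documented evaluation rule (an explicit Deny in either document wins; otherwise both must Allow) over two hypothetical policy documents: an SCP that protects CloudTrail, GuardDuty and organization membership and pins usage to two regions, and an identity policy that denies everything unless the session carries MFA. Only the three condition operators used here are supported, and resource matching is ignored because every statement uses `"Resource": "*"`.

```python
"""Miniature IAM/SCP evaluator (added example, not from the sessions on this page).

Implements the rule AWS documents for combining a service control policy with
an identity policy: an explicit Deny anywhere is final, otherwise both must
Allow. Supports Action/NotAction wildcards and the condition operators
StringEquals, StringNotEquals and Bool, each optionally suffixed IfExists.
"""
import fnmatch

# Hypothetical SCP for member accounts: administrators keep full access, but
# cannot switch off the audit trail or leave the organization, and may only
# use two regions (global services such as IAM and STS are exempted).
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "guardduty:DeleteDetector", "organizations:LeaveOrganization"]},
        {"Effect": "Deny", "Resource": "*",
         "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
         "Condition": {"StringNotEquals": {
             "aws:RequestedRegion": ["us-east-1", "ca-central-1"]}}},
    ],
}

# Hypothetical identity policy: full access, but every call is denied unless
# the session carries MFA. BoolIfExists makes the Deny apply when the key is
# absent, which is the case for long-term access keys used without MFA.
ADMIN_WITH_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _condition_met(condition: dict, ctx: dict) -> bool:
    """Evaluate a Condition block against the request context keys."""
    for operator, clauses in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, wanted in clauses.items():
            wanted = [wanted] if isinstance(wanted, str) else wanted
            wanted = [str(w).lower() for w in wanted]
            if key not in ctx:
                if if_exists:
                    continue          # absent key satisfies an ...IfExists clause
                return False          # but never satisfies a strict operator
            have = str(ctx[key]).lower()
            if base in ("StringEquals", "Bool") and have not in wanted:
                return False
            if base == "StringNotEquals" and have in wanted:
                return False
    return True


def _statement_applies(stmt: dict, action: str, ctx: dict) -> bool:
    """Does the statement match the action (honouring NotAction) and its Condition?"""
    patterns = stmt.get("Action", stmt.get("NotAction"))
    patterns = [patterns] if isinstance(patterns, str) else patterns
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "NotAction" in stmt:
        hit = not hit
    return hit and _condition_met(stmt.get("Condition", {}), ctx)


def evaluate_policy(policy: dict, action: str, ctx: dict) -> str:
    """Return 'deny', 'allow' or 'implicit-deny' for one policy document."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, ctx):
            if stmt["Effect"] == "Deny":
                return "deny"         # explicit deny is final
            decision = "allow"
    return decision


def is_allowed(action: str, ctx: dict,
               scp: dict = GUARDRAIL_SCP,
               identity: dict = ADMIN_WITH_MFA_POLICY) -> bool:
    """Combined decision: the SCP sets the ceiling, the identity policy grants
    within it, and an explicit deny in either document wins."""
    return all(evaluate_policy(p, action, ctx) == "allow" for p in (scp, identity))


if __name__ == "__main__":
    mfa_session = {"aws:RequestedRegion": "us-east-1", "aws:MultiFactorAuthPresent": "true"}
    print(is_allowed("s3:GetObject", mfa_session))                          # True
    print(is_allowed("cloudtrail:StopLogging", mfa_session))                # False: SCP guardrail
    print(is_allowed("s3:GetObject", {"aws:RequestedRegion": "us-east-1"}))  # False: no MFA
```

The point to notice is the third call: the identity policy is AdministratorAccess-equivalent, yet a long-term access key used without MFA gets nothing, and no amount of identity-policy editing in the member account can lift the SCP denies in the second call. Real IAM evaluation also considers resource policies, permissions boundaries and session policies, which this model leaves out.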
Amazon Elastic Compute Cloud (Amazon EC2) provides resizable compute capacity in the cloud and makes web scale computing easier for customers. Amazon EC2 provides a wide variety of compute instances suited to every imaginable use case, from static websites to high performance supercomputing on-demand, available via highly flexible pricing options. Amazon EC2 works with Amazon Elastic Block Store (Amazon EBS) and Auto Scaling to make it easy for you to get the performance and availability you need for your applications. This session will introduce the key features and different instance types offered by Amazon EC2, demonstrate how you can get started and provide guidance on choosing the right types of instance and purchasing options.
In this webinar, you'll learn about the foundational security blocks and how to start using them effectively to create robust and secure architectures. Discover how Identity and Access management is done and how it integrates with other AWS services. In addition, learn how to improve governance by using AWS Security Hub, AWS Config and CloudTrail to gain unprecedented visibility of activity in the account. Subsequently use AWS Config rules to rectify configuration issues quickly and effectively.
Azure Monitor provides centralized monitoring of Azure resources and applications. It collects metrics, logs, and application performance monitoring data from Azure resources, the Azure platform, and on-premises sources. It provides visibility into resource performance and usage, enables alerting and automation of responses to issues. Azure Monitor features include dashboards for visualizing data, log analytics for querying and analyzing logs, and integration with other Azure services for additional monitoring capabilities like Application Insights.
Watch the presentation recording: https://youtu.be/eQjkwhyOOmI
Building and managing a large-scale data lake is a complex and time-consuming job. AWS Lake Formation is a fully managed service that lets you set up a secure data lake in days. This session shows how to use AWS Lake Formation to easily configure Amazon S3 and analytics tools such as EMR, Redshift and Athena for data ingestion, classification, cleansing, transformation and security. (Launched in the Seoul Region in November 2019)
Secure AWS with Fortinet Security Fabric.pptx (Yitao Cen)
The document discusses Fortinet's security solutions and partnerships on AWS, highlighting that Fortinet protects over 70% of Fortune 100 companies, has 30% of the global firewall market share, and over 630,000 customers worldwide. It provides an overview of Fortinet's cloud-native and hybrid cloud security offerings, as well as case studies demonstrating how these solutions help secure AWS environments and hybrid networks. The document also outlines Fortinet's consulting services and flexible consumption models available on AWS Marketplace to help customers design, deploy, and manage Fortinet security technologies in AWS.
In this session, you will learn about Amazon Macie, a security visibility service that helps you classify and secure your sensitive and business-critical content. Macie uses machine learning to automatically discover, classify, and protect sensitive data in the AWS Cloud, recognizing data such as personally identifiable information (PII) and intellectual property. You will also learn about the available alert types (basic and predictive) and see how Amazon CloudWatch Events, AWS Lambda, and Amazon SNS topics can be combined to automate remediation of unauthorized access and inadvertent data leaks.
The document discusses security best practices for AWS, including implementing a segregated account environment, strong identity and access management, enabling traceability through logging and monitoring, and applying security controls at multiple layers. It provides examples of setting up identity and access management with AWS IAM, implementing detective controls with AWS CloudTrail and GuardDuty, and using network and host-level security features like VPCs, security groups, and AWS WAF.
Best Practices for Building a Data Lake with Amazon S3 - August 2016 Monthly ... (Amazon Web Services)
Uncovering new, valuable insights from big data requires organizations to collect, store, and analyze increasing volumes of data from multiple, often disparate sources at disparate points in time. This makes it difficult to handle big data with data warehouses or relational database management systems alone. A Data Lake allows you to store massive amounts of data in its original form, without the need to enforce a predefined schema, enabling a far more agile and flexible architecture, which makes it easier to gain new types of analytical insights from your data.
Learning Objectives:
• Introduce key architectural concepts to build a Data Lake using Amazon S3 as the storage layer
• Explore storage options and best practices to build your Data Lake on AWS
• Learn how AWS can help enable a Data Lake architecture
• Understand some of the key architectural considerations when building a Data Lake
• Hear some important Data Lake implementation considerations when using Amazon S3 as your Data Lake
How to Manage Inventory, Patching, and System Images for Your Hybrid Cloud wi... (Amazon Web Services)
This document discusses several capabilities of Amazon EC2 Systems Manager for managing hybrid cloud environments at scale, including Automation, Inventory, and Patch Manager. It summarizes customer challenges with traditional management tools and how these capabilities address them by enabling automated configuration, inventory collection, and ongoing patching across Windows and Linux instances in AWS and on-premises. The document provides overviews and demos of how each capability works, such as using Automation to simplify AMI building, querying Inventory to understand fleet configuration, and automating patching with Patch Manager.
Adapting the capacity of your compute infrastructure to the demands of your applications is the domain of Auto Scaling. Adding and removing Amazon EC2 instances is only part of the story, though – there is more to it than first meets the eye. This session introduces the basics of how to use Auto Scaling before moving on to more advanced topics such as mixing Spot and On-Demand instances to optimize cost or strategies for blue/green deployments. If you have used Auto Scaling before, you can learn about useful new features like lifecycle hooks and step scaling policies that make Auto Scaling even more widely applicable.
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud
You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage
Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic
Identity and Access Management: The First Step in AWS Security (Amazon Web Services)
Identity and Access Management (IAM) is the first step towards AWS cloud adoption because in the cloud you first grant access and only then can you provision infrastructure (the opposite of the on-premises approach). In this session, you will learn how to define fine-grained access to AWS resources via users, roles, and groups; design privileged-user and multi-factor authentication mechanisms; and operate IAM at scale.
Level: 100
Speaker: Don Edwards - Sr. Technical Delivery Manager, AWS
This document provides an overview of Oracle WebLogic and how it compares to OC4J. It discusses the key WebLogic concepts like domains, administration servers, managed servers, and clusters. It also covers the various administration tools for WebLogic like the admin console and WLST scripting. The document demonstrates how to use WLST to start NodeManager and monitor server states. It provides tips on tuning the JVM and changing WebLogic ports. The agenda concludes with a hands-on session on installing and configuring a WebLogic domain.
This document provides an overview and agenda for an AWS Systems Manager November 2020 meetup. It discusses the key capabilities of AWS Systems Manager including SSM documents, managed instances, resource groups, Run Command, hybrid activations, Patch Manager, Inventory, Session Manager, Automation, Parameter Store, Distributor, and OpsCenter/Explorer. It also includes demonstrations of creating Run Command invocations, hybrid activations, patching processes, State Manager associations, and installing software using Distributor.
Amazon RDS allows you to launch an optimally configured, secure and highly available database with just a few clicks. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you to focus on your applications and business.
Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups.
You can specify the minimum number of instances in each Auto Scaling group, and Auto Scaling ensures that your group never goes below this size.
You can specify the maximum number of instances in each Auto Scaling group, and Auto Scaling ensures that your group never goes above this size.
If you specify the desired capacity, either when you create the group or at any time thereafter, Auto Scaling ensures that your group has this many instances.
If you specify scaling policies, then Auto Scaling can launch or terminate instances as demand on your application increases or decreases.
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch (Amazon Web Services)
You may already know that you can use Amazon CloudWatch to view graphs of your AWS resources like Amazon Elastic Compute Cloud instances or Amazon Simple Storage Service. But, did you know that you can monitor your on-premises servers with Amazon CloudWatch Logs? Or, that you can integrate CloudWatch Logs with Elasticsearch for powerful visualization and analysis? This session will offer a tour of the latest monitoring and automation capabilities that we’ve added, how you can get even more done with Amazon CloudWatch.
AWS Security Hub provides a single place to manage security alerts and compliance checks across AWS accounts and services. It integrates findings from AWS services like GuardDuty, Inspector, and Macie as well as many third-party security products. These findings are normalized into a standard format (the AWS Security Finding Format) and prioritized by severity. Security Hub also checks accounts against the CIS AWS Foundations Benchmark through automated configuration and compliance checks.
AWS provides a range of security services and features that AWS customers can use to secure their content and applications and meet their own specific business requirements for security. This presentation focuses on how you can make use of AWS security features to meet your own organisation's security and compliance objectives.
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -... (Amazon Web Services)
Elastic Load Balancing (ALB & NLB) automatically distributes incoming application traffic across multiple Amazon EC2 instances for fault tolerance and load distribution. In this session, we go into detail on ELB configuration and day-to-day management. We also discuss its use with Auto Scaling, and we explain how to make decisions about the service and share best practices and useful tips for success. Finally, Netflix joins this session to share how it leveraged the authentication functionality on Application Load Balancer to help solve its workforce identity management at scale.
This document provides an overview of Amazon Route 53 DNS services including:
- IPv4 and IPv6 address spaces, and how Route 53 resolves domain names to IP addresses using A records (IPv4) and AAAA records (IPv6).
- Common DNS record types like NS, SOA, CNAME and how they work.
- Route 53 routing policies for controlling traffic like simple, weighted, latency, failover and geolocation routing.
- How alias records can simplify configuration by automatically reflecting changes to referenced resources.
- An example of setting up Route 53 with domains, record sets, Elastic Load Balancers and instances across regions.
Amazon EBS provides highly available, reliable, durable, block-level storage volumes that can be attached to a running instance
EBS is recommended as the primary storage device for data that requires frequent and granular updates, e.g. a running database or a filesystem
An EBS volume behaves like a raw, unformatted, external block device that can be attached to a single EC2 instance at a time
An EBS volume persists independently from the running life of an instance.
An EBS volume can be attached to any instance within the same Availability Zone, and can be used like any other physical hard drive
Understand use cases for Auto Scaling
Understand benefits and drawbacks of Auto Scaling
Determine if and where Auto Scaling is a fit for existing infrastructure
Implement Auto Scaling!
AWS re:Invent 2016: Workshop: Adhere to the Principle of Least Privilege by U... (Amazon Web Services)
AWS IAM and Amazon VPC offer powerful tools that help you adhere to the principle of least privilege in your resource permissions and network security settings. This workshop will start with the fundamentals of IAM and VPC security techniques and will give you hands-on experience in writing, testing, applying, troubleshooting, and auditing progressively more tightly scoped IAM policies. You will also get experience building and monitoring VPC security groups that grant only the access required to perform tasks.
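The workshop above is about writing and auditing progressively tighter IAM policies and security groups. As an added example that is not the workshop's own material, the following two audit checks run over the JSON shapes the AWS CLI returns (`get-policy-version` output for IAM, one entry of the `SecurityGroups` list from `describe-security-groups` for VPC) and flag the patterns that most often violate least privilege: an Allow of a wildcard action on every resource, and an inbound rule reachable from the whole internet on anything other than a single web port. The sample inputs are constructed, and the set of ports permitted to face the internet is an assumption for this example, not an AWS recommendation.

```python
"""Least-privilege audit checks for IAM policies and VPC security groups.

Added example, not part of the workshop. Inputs follow the AWS CLI JSON
shapes; the samples at the bottom are constructed.
"""
import ipaddress

PUBLIC_OK_PORTS = {80, 443}     # assumption: only web listeners may be world-reachable
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def audit_policy(policy: dict) -> list:
    """One message per Allow statement that grants a wildcard action on every
    resource. A Condition narrows such a grant but does not make it
    least-privilege, so it is reported with a note rather than skipped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" not in resources:
            continue
        if "NotAction" in stmt:      # "everything except" is broader than it looks
            findings.append(f"statement {i}: NotAction grants everything except {stmt['NotAction']} on *")
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            note = " (gated by Condition)" if "Condition" in stmt else ""
            findings.append(f"statement {i}: {wild} on *{note}")
    return findings


def _rule_is_public(rule: dict) -> bool:
    """True if the rule's source includes the whole IPv4 or IPv6 internet."""
    v4 = any(ipaddress.ip_network(r["CidrIp"]) == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(ipaddress.ip_network(r["CidrIpv6"]) == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_group(sg: dict) -> list:
    """One message per inbound rule that exposes anything other than a single
    allowed web port to the internet."""
    findings = []
    gid = sg["GroupId"]
    for rule in sg.get("IpPermissions", []):
        if not _rule_is_public(rule):
            continue
        proto = rule.get("IpProtocol")
        if proto == "-1":                       # "-1" means all protocols
            findings.append(f"{gid}: all protocols open to the internet")
        elif proto not in ("tcp", "udp"):       # icmp and friends carry no port range
            findings.append(f"{gid}: {proto} open to the internet")
        else:
            lo, hi = rule["FromPort"], rule["ToPort"]
            if not (lo == hi and lo in PUBLIC_OK_PORTS):
                findings.append(f"{gid}: {proto} {lo}-{hi} open to the internet")
    return findings


SAMPLE_POLICY = {   # constructed sample
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}
SAMPLE_SG = {       # constructed sample in describe-security-groups shape
    "GroupId": "sg-0123456789abcdef0", "GroupName": "web",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY) + audit_security_group(SAMPLE_SG):
        print(line)
```

Two things the sample is built to show: the IPv6 `::/0` all-traffic rule is as open as `0.0.0.0/0` and is easy to miss when only `IpRanges` is checked, and the `ec2:Describe*` pattern is not flagged while `ec2:*` beside it is, which is the distinction the workshop's progressively tighter policies draw.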
Lock it Down: How to Secure your AWS Account and your Organization's Accounts (Amazon Web Services)
The cloud enables users to run workloads in a more secure fashion than what typically can be done in a traditional data center. However, customers are still not sure how to actually harden their AWS accounts and resources and make sure compliance is being enforced. When large customers have multiple accounts, ensuring consistency around governance can also be of concern. In this session, we will review how to use automation, tools, and techniques to harden and audit your AWS account and also how to leverage AWS Organizations to ensure compliance in your enterprise.
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018 (Amazon Web Services)
Security on AWS is robust and feature rich, but how do you know what to do and how to start? This workshop covers how to start your AWS threat response automation platform using native AWS tools and OSS. We begin with how to collect and analyze all the different data sources in an AWS account. Next, we cover how to take that log data and automatically address risks identified from network intrusion, insider threats, or misconfigurations. We also cover preventative controls that can help block risk in the first place and alert you when drift occurs. Finally, we cover how to scale this all out to multiple accounts.
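The Macie, Security Hub and AWS Config entries earlier on this page and the workshop above describe the same pipeline from different ends: a finding or compliance change arrives as a CloudWatch Events (now EventBridge) event, is normalized to a common severity so it can be prioritized, and a Lambda function decides what to do about it. The following is an added example that belongs to none of those sessions. It normalizes two constructed event shapes (a GuardDuty finding and a Config rule compliance change) onto the 0-100 `Severity.Normalized` scale with the label bands the Security Hub documentation defines, then picks an action from a small playbook. The x10 scaling of GuardDuty's 0.1-8.9 severity, the severities assigned to the Config rules, and the playbook itself are assumptions for this example. Actions are returned as a plan rather than executed; a real handler would call boto3 and publish to SNS at that point.

```python
"""Event-driven triage of AWS security findings (added example).

Normalizes GuardDuty finding events and AWS Config compliance-change events
to a Security Hub-style severity, orders them, and assigns a remediation from
a hypothetical playbook. Sample events are constructed; nothing here talks to AWS.
"""
from dataclasses import dataclass
from typing import Optional

RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Assumed severities for non-compliance with two managed Config rules.
CONFIG_RULE_SEVERITY = {"cloudtrail-enabled": 90, "s3-bucket-public-read-prohibited": 70}
# Hypothetical playbook: finding-type prefix -> (minimum label, action).
PLAYBOOK = {
    "UnauthorizedAccess:IAMUser": ("HIGH", "deactivate-access-key"),
    "CryptoCurrency:EC2": ("MEDIUM", "isolate-instance"),
    "Backdoor:EC2": ("HIGH", "isolate-instance"),
    "cloudtrail-enabled": ("HIGH", "start-logging"),
    "s3-bucket-public-read-prohibited": ("MEDIUM", "put-public-access-block"),
}


def severity_label(normalized: int) -> str:
    """ASFF Severity.Label bands for a 0-100 Severity.Normalized score."""
    if normalized == 0:
        return "INFORMATIONAL"
    if normalized < 40:
        return "LOW"
    if normalized < 70:
        return "MEDIUM"
    if normalized < 90:
        return "HIGH"
    return "CRITICAL"


@dataclass(frozen=True)
class Finding:
    source: str          # "guardduty" or "config"
    finding_type: str    # GuardDuty finding type or Config rule name
    resource_id: str
    account_id: str
    normalized: int      # 0-100

    @property
    def label(self) -> str:
        return severity_label(self.normalized)


def normalize(event: dict) -> Optional[Finding]:
    """Map one event onto a Finding; None for events this handler ignores."""
    d = event["detail"]
    if event["source"] == "aws.guardduty":
        res = d["resource"]
        rid = (res.get("instanceDetails", {}).get("instanceId")
               or res.get("accessKeyDetails", {}).get("userName", "unknown"))
        score = min(100, int(round(d["severity"] * 10)))   # assumption: x10 scaling
        return Finding("guardduty", d["type"], rid, d["accountId"], score)
    if event["source"] == "aws.config" and event["detail-type"] == "Config Rules Compliance Change":
        if d["newEvaluationResult"]["complianceType"] != "NON_COMPLIANT":
            return None                                    # back in compliance: nothing to do
        rule = d["configRuleName"]
        return Finding("config", rule, d["resourceId"], d["awsAccountId"],
                       CONFIG_RULE_SEVERITY.get(rule, 40))
    return None


def choose_action(f: Finding) -> str:
    """First playbook entry whose prefix matches and whose threshold is met."""
    for prefix, (min_label, action) in PLAYBOOK.items():
        if f.finding_type.startswith(prefix) and RANK[f.label] >= RANK[min_label]:
            return action
    return "notify-only"


def plan_response(events: list) -> list:
    """Normalize, drop non-findings, order highest severity first, attach an
    action. Returns (label, finding_type, resource_id, action) tuples."""
    findings = [f for f in (normalize(e) for e in events) if f is not None]
    findings.sort(key=lambda f: f.normalized, reverse=True)
    return [(f.label, f.finding_type, f.resource_id, choose_action(f)) for f in findings]


SAMPLE_EVENTS = [   # constructed samples in the event shapes the services emit
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"accountId": "111122223333", "severity": 8.0,
                "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
                "resource": {"resourceType": "AccessKey",
                             "accessKeyDetails": {"userName": "ci-deploy"}}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"accountId": "111122223333", "severity": 5.0,
                "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0abc123def456789a"}}}},
    {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
     "detail": {"awsAccountId": "111122223333", "configRuleName": "cloudtrail-enabled",
                "resourceType": "AWS::::Account", "resourceId": "111122223333",
                "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}},
    {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
     "detail": {"awsAccountId": "111122223333", "configRuleName": "cloudtrail-enabled",
                "resourceType": "AWS::::Account", "resourceId": "111122223333",
                "newEvaluationResult": {"complianceType": "COMPLIANT"}}},
]

if __name__ == "__main__":
    for row in plan_response(SAMPLE_EVENTS):
        print(row)
```

Keeping the decision pure (events in, plan out) is what makes the last step of the workshop, scaling to many accounts, straightforward: the same function runs unchanged in a central security account fed by cross-account event rules, and the side effects (deactivating a key, applying a public-access block, restarting a trail) are the only part that needs per-account role assumption.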
In this session, you will learn about Amazon Macie, a new visibility security service that helps you classify and secure your sensitive and business-critical content. Macie uses machine learning to automatically discover, classify, and protect sensitive data in the AWS Cloud, and it recognizes sensitive data such as personally identifiable information (PII) and intellectual property. You also will learn about the available types of alerts (basic and predictive) and demonstrate how you can use Amazon CloudWatch Events, AWS Lambda, and Amazon SNS topics to automate remediation actions to unauthorized access and inadvertent data leaks.
The document discusses security best practices for AWS, including implementing a segregated account environment, strong identity and access management, enabling traceability through logging and monitoring, and applying security controls at multiple layers. It provides examples of setting up identity and access management with AWS IAM, implementing detective controls with AWS CloudTrail and GuardDuty, and using network and host-level security features like VPCs, security groups, and AWS WAF.
Best Practices for Building a Data Lake with Amazon S3 - August 2016 Monthly ...Amazon Web Services
Uncovering new, valuable insights from big data requires organizations to collect, store, and analyze increasing volumes of data from multiple, often disparate sources at disparate points in time. This makes it difficult to handle big data with data warehouses or relational database management systems alone. A Data Lake allows you to store massive amounts of data in its original form, without the need to enforce a predefined schema, enabling a far more agile and flexible architecture, which makes it easier to gain new types of analytical insights from your data.
Learning Objectives:
• Introduce key architectural concepts to build a Data Lake using Amazon S3 as the storage layer
• Explore storage options and best practices to build your Data Lake on AWS
• Learn how AWS can help enable a Data Lake architecture
• Understand some of the key architectural considerations when building a Data Lake
• Hear some important Data Lake implementation considerations when using Amazon S3 as your Data Lake
How to Manage Inventory, Patching, and System Images for Your Hybrid Cloud wi...Amazon Web Services
This document discusses several capabilities of Amazon EC2 Systems Manager for managing hybrid cloud environments at scale, including Automation, Inventory, and Patch Manager. It summarizes customer challenges with traditional management tools and how these capabilities address them by enabling automated configuration, inventory collection, and ongoing patching across Windows and Linux instances in AWS and on-premises. The document provides overviews and demos of how each capability works, such as using Automation to simplify AMI building, querying Inventory to understand fleet configuration, and automating patching with Patch Manager.
Adapting the capacity of your compute infrastructure to the demands of your applications is the domain of Auto Scaling. Adding and removing Amazon EC2 instances is only part of the story, though – there is more to it than first meets the eye. This session introduces the basics of how to use Auto Scaling before moving on to more advanced topics such as mixing Spot and On-Demand instances to optimize cost or strategies for blue/green deployments. If you have used Auto Scaling before, you can learn about useful new features like lifecycle hooks and step scaling policies that make Auto Scaling even more widely applicable.
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud
Can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage
Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
Identity and Access Management (IAM) is first step towards AWS cloud adoption because in the cloud, first you grant access and only then can you provision infrastructure (the opposite approach of on-premises). In this session, you will learn how to define fine-grained access to AWS resources via users, roles, and groups; design privileged user and multi-factor authentication mechanisms; and operate IAM at scale.
Level: 100
Speaker: Don Edwards - Sr. Technical Delivery Manager, AWS
This document provides an overview of Oracle WebLogic and how it compares to OC4J. It discusses the key WebLogic concepts like domains, administration servers, managed servers, and clusters. It also covers the various administration tools for WebLogic like the admin console and WLST scripting. The document demonstrates how to use WLST to start NodeManager and monitor server states. It provides tips on tuning the JVM and changing WebLogic ports. The agenda concludes with a hands-on session on installing and configuring a WebLogic domain.
This document provides an overview and agenda for an AWS Systems Manager November 2020 meetup. It discusses the key capabilities of AWS Systems Manager including SSM documents, managed instances, resource groups, RUN commands, hybrid activations, patch manager, inventory, session manager, automation, parameter store, distributor, and OpsCenter/Explorer. It also includes demonstrations of creating RUN commands, hybrid activations, patching processes, state manager associations, and installing software using distributor.
Amazon RDS allows you to launch an optimally configured, secure and highly available database with just a few clicks. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you to focus on your applications and business.
Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups.
You can specify the minimum number of instances in each Auto Scaling group, and Auto Scaling ensures that your group never goes below this size.
You can specify the maximum number of instances in each Auto Scaling group, and Auto Scaling ensures that your group never goes above this size.
If you specify the desired capacity, either when you create the group or at any time thereafter, Auto Scaling ensures that your group has this many instances.
If you specify scaling policies, then Auto Scaling can launch or terminate instances as demand on your application increases or decreases
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatchAmazon Web Services
You may already know that you can use Amazon CloudWatch to view graphs of your AWS resources like Amazon Elastic Compute Cloud instances or Amazon Simple Storage Service. But, did you know that you can monitor your on-premises servers with Amazon CloudWatch Logs? Or, that you can integrate CloudWatch Logs with Elasticsearch for powerful visualization and analysis? This session will offer a tour of the latest monitoring and automation capabilities that we’ve added, how you can get even more done with Amazon CloudWatch.
AWS Security Hub provides a single place to manage security alerts and compliance checks across AWS accounts and services. It integrates findings from AWS services like GuardDuty, Inspector, and Macie as well as many third-party security products. These findings are normalized into a standard format and prioritized. Security Hub also allows users to check compliance with the CIS Benchmark security standard through automated configuration and compliance checks.
AWS provides a range of security services and features that AWS customers can use to secure their content and applications and meet their own specific business requirements for security. This presentation focuses on how you can make use of AWS security features to meet your own organisation's security and compliance objectives.
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...Amazon Web Services
Elastic Load Balancing (ALB & NLB) automatically distributes incoming application traffic across multiple Amazon EC2 instances for fault tolerance and load distribution. In this session, we go into detail on ELB configuration and day-to-day management. We also discuss its use with Auto Scaling, and we explain how to make decisions about the service and share best practices and useful tips for success. Finally, Netflix joins this session to share how it leveraged the authentication functionality on Application Load Balancer to help solve its workforce identity management at scale.
This document provides an overview of Amazon Route 53 DNS services including:
- IPv4 and IPv6 address spaces and how Route 53 resolves domain names to IP addresses using A records.
- Common DNS record types like NS, SOA, CNAME and how they work.
- Route 53 routing policies for controlling traffic like simple, weighted, latency, failover and geolocation routing.
- How alias records can simplify configuration by automatically reflecting changes to referenced resources.
- A example of setting up Route 53 with domains, record sets, Elastic Load Balancers and instances across regions.
Amazon EBS provides highly available, reliable, durable, block-level storage volumes that can be attached to a running instance
EBS as a primary storage device is recommended for data that requires frequent and granular updates for e.g. running a database or filesystems
An EBS volume behaves like a raw, unformatted, external block device that can be attached to a single EC2 instance at a time
EBS volume persists independently from the running life of an instance.
An EBS volume can be attached to any instance within the same Availability Zone, and can be used like any other physical hard drive
Understand use cases for Auto Scaling
Understand benefits and drawbacks of Auto Scaling
Determine if and where Auto Scaling a fit for existing Infrastructure
Implement Auto Scaling!
AWS re:Invent 2016: Workshop: Adhere to the Principle of Least Privilege by U...Amazon Web Services
AWS IAM and Amazon VPC offer powerful tools that help you adhere to the principle of least privilege in your resource permissions and network security settings. This workshop will start with the fundamentals of IAM and VPC security techniques and will give you hands-on experience in writing, testing, applying, troubleshooting, and auditing progressively more tightly scoped IAM policies. You will also get experience building and monitoring VPC security groups that grant only the access required to perform tasks.
Lock it Down: How to Secure your AWS Account and your Organization's AccountsAmazon Web Services
The cloud enables users to run workloads in a more secure fashion than what typically can be done in a traditional data-center. However, customers are still not sure how to actually harden their AWS accounts and resources and make sure compliance is being enforced. When large customers have multiple accounts, ensuring consistency around governance can also be of concern. In this session, we will review how to use automation, tools, and techniques to harden and audit your AWS account and also how to leverage AWS Organizations to ensure compliance in your enterprise.
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018 (Amazon Web Services)
Security on AWS is robust and feature rich, but how do you know what to do and how to start? This workshop covers how to start your AWS threat response automation platform using native AWS tools and OSS. We begin with how to collect and analyze all the different data sources in an AWS account. Next, we cover how to take that log data and automatically address risks identified from network intrusion, insider threats, or misconfigurations. We also cover preventative controls that can help block risk in the first place and alert you when drift occurs. Finally, we cover how to scale this all out to multiple accounts.
The AWS Shared Responsibility Model in Practice (Alert Logic)
This document discusses the AWS shared responsibility model and how it divides security responsibilities between AWS and customers. It provides examples of how the responsibilities are divided for different types of AWS services, including infrastructure services, container services, and abstract services. It also promotes the security tools and services available in AWS that can help customers automate security tasks, gain visibility, and protect their infrastructure, data, and applications.
Meeting Enterprise Security Requirements with AWS Native Security Services (S... (Amazon Web Services)
GE has very deep security requirements for their cloud applications. In this session, hear their story on replacing on premises complex solutions with AWS native services like Amazon GuardDuty, VPC Flow logs, AWS CloudTrail, and AWS Config rules. Learn how large enterprises can accelerate their cloud adoption by meeting established security standards with AWS native services. Please join us for a speaker meet-and-greet following this session at the Speaker Lounge (ARIA East, Level 1, Willow Lounge). The meet-and-greet starts 15 minutes after the session and runs for half an hour.
The AWS Shared Responsibility Model in Practice (Alert Logic)
The document discusses security in the cloud with Amazon Web Services (AWS). It highlights that AWS provides tools to automate security, inherit global controls, and scale with visibility and control. It also discusses the shared responsibility model where AWS manages security of the cloud infrastructure and customers manage security in the cloud. Finally, it provides examples of AWS security services for identity and access management, detective controls, infrastructure security, data protection, and incident response.
This session will review how to secure your enterprise adoption of AWS at scale. At AWS, security is job zero and at the heart of everything we build. This session will review the patterns of usage for AWS Identity and Access Management, AWS Key Management Service, AWS CloudTrail, AWS Config, Amazon GuardDuty, AWS Systems Manager Parameter Store, Amazon EC2 Run Command, AWS Single Sign-On, AWS WAF, AWS Shield, and AWS Service Catalog to create an end-to-end security approach for your AWS cloud adoption. You will gain insight into how these AWS services come together to increase your security posture in ways that are unique to AWS workloads.
This document outlines an agenda for a workshop on threat detection and remediation. It includes:
- Running a CloudFormation template to set up the initial environment.
- A presentation on threat detection and remediation that discusses why it is difficult, the importance of removing humans from data analysis and detection, and AWS security services that can help.
- A walkthrough of the workshop where participants will simulate attacks and threats in their environment and use AWS security tools like GuardDuty, Lambda, and CloudWatch Events for detection and remediation.
Evolve Your Incident Response Process and Powers for AWS (Amazon Web Services)
You want your current incident response (IR) runbooks to account for your AWS workloads ASAP, and eventually, you want cloud-based IR superpowers, too. In this session, we cover the basics that you must get in place, runbook updates specific to AWS, and we show you how to build initial IR capabilities that blend well with existing processes and partner offerings. We also walk through a hypothetical IR scenario for an AWS environment that uses an evolved on-premises IR runbook that accounts for the differences of an AWS environment. In this scenario, we demonstrate unique AWS platform capabilities for IR success. Go beyond updating your IR runbooks, and start your journey toward gaining cloud-based IR superpowers today!
Build Your Own Log Analytics Solutions on AWS (ANT323-R) - AWS re:Invent 2018 (Amazon Web Services)
With Amazon Elasticsearch Service's simplicity comes a multitude of opportunity to use it as a back end for real-time application and infrastructure monitoring. With this wealth of opportunities comes sprawl - developers in your organization are deploying Amazon Elasticsearch Service for many different workloads and many different purposes. Should you centralize into one Amazon Elasticsearch Service domain? What are the tradeoffs in scale and cost? How do you control access to the data and dashboards? How do you structure your indexes - single tenant or multi-tenant? In this session, we'll explore whether, when, and how to centralize logging across your organization to minimize cost and maximize value and learn how Autodesk has built a unified log analytics solution using Amazon Elasticsearch Service.
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A... (Amazon Web Services)
This document discusses evolving incident response processes and capabilities for AWS environments. It begins with an overview of incident response and how runbooks can help support the process. It then covers how the people, processes, and tools involved in incident response need to account for working in AWS. The presentation explores various AWS services that can empower incident response, such as GuardDuty, CloudTrail, CloudWatch, and AWS Config. It also discusses how to approach tasks like network isolation, disk capture, and data analysis in AWS. The document emphasizes that incident response in AWS allows for more automation, scalability, and self-healing capabilities compared to on-premises environments. It stresses the importance of prerequisites like roles and centralized logging when building
An Active Case Study on Insider Threat Detection in your Applications (Amazon Web Services)
This document discusses techniques for detecting insider threats within an AWS environment. It provides an overview of several AWS security services such as CloudTrail, GuardDuty, and Config that can be used to monitor user activity and resource configurations. The document then presents a hypothetical example where GuardDuty detects suspicious EC2 instance activity and triggers automated remediation workflows using Lambda, CloudWatch, and Systems Manager to investigate and respond to potential security incidents.
This session is designed to introduce you to fundamental cloud computing and AWS security concepts that will help you prepare for the Security Week sessions, demos, and workshops. We will also provide an overview of the Security pillar of the AWS Cloud Adoption Framework (CAF) and talk about how AWS keeps humans away from data—and how you can, too.
Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r... (Amazon Web Services)
Application modernization projects with AWS start with creating an AWS Landing Zone. Based on AWS best practices, AWS Landing Zones help ensure a secure, performant, highly available, and cost-efficient AWS environment. Common hybrid cloud use cases, such as cloud migration, data center extension, disaster recovery, cloud bursting, and edge computing, require data integration, operations management and monitoring, security, and networking as the foundational components of a hybrid cloud architecture. In this session, we dive deep on the networking, security, account management structure, operating management, and monitoring best practices to build your own AWS Landing Zone that can be extended into your data center. AWS partner, GreenPages, demonstrates a repeatable hybrid cloud architecture to secure, manage, and integrate your network across on-premises and multiple AWS regions using an AWS Landing Zone. AWS customer, Finch Therapeutics, then discusses how the company utilized the GreenPages hybrid cloud reference implementation to deploy, secure, and manage its hybrid cloud environment.
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech... (Amazon Web Services)
Learning Objectives:
- Learn about common architecture patterns for network design, Microsoft Active Directory, and business productivity solutions like Dynamics AX, CRM, and Microsoft SharePoint
- Explore common scenarios for legacy and custom .NET, .NET Core with Microsoft SQL deployments and migrations
- Gain insights on simplifying your IT infrastructure and managing your Microsoft workloads in a familiar environment
Threat detection and mitigation at AWS - SEC301 - Santa Clara AWS Summit (Amazon Web Services)
The document discusses threat detection and mitigation techniques at AWS. It describes how AWS services like GuardDuty, CloudTrail, and VPC Flow Logs can be used to detect threats. It also discusses how tools like AWS Lambda, Systems Manager, and Step Functions can help with automating response and remediation. The document provides examples of high-level workflows that leverage these services to quickly detect and respond to security incidents.
Secure & Automate AWS Deployments with Next-Generation on Security (Amazon Web Services)
Building seamless, consistent security policies across on-premises and cloud IT environments can be challenging without comprehensive workload visibility. Palo Alto Networks provides organizations with the visibility and automation needed to create and update security policies in your cloud environment in real time. Learn how you can gain greater control over your applications, automatically create consistent and uniform security policies, and prevent known and unknown threats within application flows.
Michael South, AWS Security Acceleration Business Development
Matt McLimans, Public Cloud Consultant Engineer, Palo Alto Networks
Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro
What if security became the reason to move an application to the cloud? Historically, security has been a necessary afterthought. Today, with AWS, security is moving from obligation to advantage. Here, you'll get a glimpse of tools and techniques that enterprise customers are using today to secure their AWS environments at scale.
In this talk, we will introduce several methods of threat detection and remediation on AWS, including GuardDuty, Macie, WAF, Shield, Lambda, AWS Config, Systems Manager and Inspector. We will do a brief overview of each of these services, and then talk about how to put them all together to have a comprehensive threat detection and remediation solution. We will also discuss how to use these services across multiple AWS accounts and regions, to cover the governance needs of enterprise AWS deployments.
Using Amazon VPC Flow Logs for Predictive Security Analytics (NET319) - AWS r... (Amazon Web Services)
Ready to secure your network and application in near real-time using Amazon VPC Flow Logs and AWS WAF? In this advanced workshop, we incorporate advanced near real-time analytics and machine learning to fend off potential attackers and abusers through automated mitigation with your AWS WAF. Participants are expected to have laptops with access to an AWS account and be familiar with basic ANSI SQL, basic Amazon VPC, basic AWS Lambda, and basic AWS WAF. Along the way, you dive into and learn about Amazon VPC Flow Logs, AWS WAF, Amazon CloudWatch, Amazon Elasticsearch Service (Amazon ES), Amazon SageMaker, Amazon Kinesis Data Firehose, Amazon Kinesis Data Analytics, and AWS Lambda. A laptop and an AWS account are required.
How to build forecasting services using ML and deep learn... algorithms (Amazon Web Services)
Forecasting is an important process for a great many companies and is used in many areas to try to accurately predict the growth and distribution of a product, the use of resources needed on production lines, financial presentations, and much more. Amazon uses advanced forecasting techniques, and some of these services have been made available to all AWS customers.
In this session we will show how to pre-process data that contains a time component and then use an algorithm that, starting from the type of data analysed, produces an accurate forecast.
Big Data for Startups: how to build Big Data applications in Server... mode (Amazon Web Services)
The variety and volume of data created every day is accelerating ever faster and represents a unique opportunity to innovate and create new startups.
However, managing large amounts of data can seem complex: building large-scale Big Data clusters appears to be an investment only established companies can afford. But the elasticity of the Cloud and, in particular, Serverless services allow us to break through these limits.
So let's look at how Big Data applications can be developed quickly, without worrying about the infrastructure, dedicating all our resources instead to developing our ideas and creating innovative products.
You can now use Amazon Elastic Kubernetes Service (EKS) to run Kubernetes pods on AWS Fargate, the serverless compute engine built for containers on AWS. This makes it easier than ever to build and run your Kubernetes applications in the AWS cloud. In this session we will present the main features of the service and how to deploy your application in a few steps.
Twenty years ago Amazon went through a radical transformation with the goal of increasing the pace of innovation. Over this period we learned how changing our approach to application development allowed us to greatly increase agility and release velocity and, ultimately, to build more reliable and scalable applications. In this session we will show how we define modern applications and how building modern apps affects not only the application architecture but also the organizational structure, the development release pipelines and even the operating model. We will also describe common approaches to modernization, including the approach used by Amazon.com itself.
How to spend up to 90% less with containers and Spot Instances (Amazon Web Services)
The use of containers is growing continuously.
If designed correctly, container-based applications are very often stateless and flexible.
AWS ECS, EKS and Kubernetes on EC2 can take advantage of Spot Instances, leading to an average saving of 70% compared with On-Demand Instances. In this session we will discover together what the characteristics of Spot Instances are and how they can be used easily on AWS. We will also learn how Spreaker leverages Spot Instances to run applications of various types, in production, at a fraction of the on-demand cost!
In recent months, many customers have been asking us the question – how to monetise Open APIs, simplify Fintech integrations and accelerate adoption of various Open Banking business models. Therefore, AWS and FinConecta would like to invite you to Open Finance marketplace presentation on October 20th.
Event Agenda:
Open banking so far (short recap)
• PSD2, OB UK, OB Australia, OB LATAM, OB Israel
Intro to Open Finance marketplace
• Scope
• Features
• Tech overview and Demo
The role of the Cloud
The Future of APIs
• Complying with regulation
• Monetizing data / APIs
• Business models
• Time to market
One platform for all: a Strategic approach
Q&A
Make your startup's offering unique in the market with Machine Lea... services (Amazon Web Services)
To create value and build their own differentiated and recognizable offering, successful startups know how to combine established technologies with innovative components created ad hoc.
AWS provides ready-to-use services and, at the same time, lets you customize and create the differentiating elements of your own offering.
Focusing on Machine Learning technologies, we will see how to select the artificial intelligence services offered by AWS and, also through a demo, how to build custom Machine Learning models using SageMaker Studio.
OpsWorks Configuration Management: automate the management and deployment of... (Amazon Web Services)
With the traditional approach to IT, it has for many years been difficult to implement DevOps techniques, which until now have often involved manual activities, leading from time to time to application downtime that interrupted user operations. With the advent of the cloud, DevOps techniques are now within everyone's reach at low cost for any kind of workload, guaranteeing greater system reliability and resulting in significant improvements in business continuity.
AWS offers AWS OpsWorks as a Configuration Management tool that aims to automate and simplify the management and deployment of EC2 instances by means of Chef and Puppet workloads.
Find out how to use AWS OpsWorks to guarantee the reliability of your application installed on EC2 instances.
Microsoft Active Directory on AWS to support your Windows Workloads (Amazon Web Services)
Want to know the options for running Microsoft Active Directory on AWS? When moving Microsoft workloads to AWS, it is important to consider how to deploy Microsoft Active Directory to support group policy management, authentication and authorization. In this session we will discuss the options for deploying Microsoft Active Directory on AWS, including AWS Directory Service for Microsoft Active Directory and deploying Active Directory on Windows on Amazon Elastic Compute Cloud (Amazon EC2). We cover topics such as integrating your on-premises Microsoft Active Directory environment into the cloud and using SaaS applications, such as Office 365, with AWS Single Sign-On.
From facial recognition to detecting fraud or manufacturing defects, image and video analysis techniques that leverage artificial intelligence are evolving and being refined at a rapid pace. In this webinar we will explore the possibilities offered by AWS services for applying state-of-the-art computer vision techniques to real-world scenarios.
Amazon Web Services and VMware are organizing a free virtual event next Wednesday, 14 October, from 12:00 to 13:00 dedicated to VMware Cloud ™ on AWS, the on-demand service that lets you run applications in cloud environments based on VMware vSphere® and access a wide range of AWS services, taking full advantage of the AWS cloud while protecting existing VMware investments.
Many organizations take advantage of the cloud by migrating their Oracle workloads, securing significant benefits in agility and cost efficiency.
Migrating these workloads can create complexity during application modernization and refactoring, and performance risks may be introduced when applications are moved out of on-premises data centers.
Build your first serverless ledger-based app with QLDB and NodeJS (Amazon Web Services)
Many companies today build applications with ledger-style functionality, for example to verify the history of credits and debits in banking transactions or to track the supply chain flow of their products.
At the core of these solutions are ledger databases, which provide a transparent, immutable and cryptographically verifiable transaction log, but they are complex and costly tools to manage.
Amazon QLDB removes the need to build custom, complex systems by providing a fully managed, serverless ledger database.
In this session we will discover how to build a complete serverless application that uses the features of QLDB.
With the rise of microservice architectures and rich mobile and web applications, APIs are more important than ever for giving end users an outstanding user experience. In this session we will learn how to tackle modern API design challenges with GraphQL, an open source API query language used by Facebook, Amazon and others, and how to use AWS AppSync, a managed serverless GraphQL service on AWS. We will dig into several scenarios, understanding how AppSync can help address these use cases by building modern APIs with real-time and offline data update capabilities.
We will also learn how Sky Italia uses AWS AppSync to deliver real-time sports updates to users of its web portal.
Oracle Databases and VMware Cloud™ on AWS: myths to dispel (Amazon Web Services)
Many organizations take advantage of the cloud by migrating their Oracle workloads, securing significant benefits in agility and cost efficiency.
Migrating these workloads can create complexity during application modernization and refactoring, and performance risks may be introduced when applications are moved out of on-premises data centers.
In these slides, AWS and VMware experts present simple, practical tips to ease and simplify the migration of Oracle workloads, accelerating the transformation toward the cloud; they explore the architecture and demonstrate how to take full advantage of VMware Cloud ™ on AWS.
1) The document discusses building a minimum viable product (MVP) using Amazon Web Services (AWS).
2) It provides an example of an MVP for an omni-channel messenger platform that was built from 2017 to connect ecommerce stores to customers via web chat, Facebook Messenger, WhatsApp, and other channels.
3) The founder discusses how they started with an MVP in 2017 with 200 ecommerce stores in Hong Kong and Taiwan, and have since expanded to over 5000 clients across Southeast Asia using AWS for scaling.
This document discusses pitch decks and fundraising materials. It explains that venture capitalists will typically spend only 3 minutes and 44 seconds reviewing a pitch deck. Therefore, the deck needs to tell a compelling story to grab their attention. It also provides tips on tailoring different types of decks for different purposes, such as creating a concise 1-2 page teaser, a presentation deck for pitching in-person, and a more detailed read-only or fundraising deck. The document stresses the importance of including key information like the problem, solution, product, traction, market size, plans, team, and ask.
This document discusses building serverless web applications using AWS services like API Gateway, Lambda, DynamoDB, S3 and Amplify. It provides an overview of each service and how they can work together to create a scalable, secure and cost-effective serverless application stack without having to manage servers or infrastructure. Key services covered include API Gateway for hosting APIs, Lambda for backend logic, DynamoDB for database needs, S3 for static content, and Amplify for frontend hosting and continuous deployment.
This document provides tips for fundraising from startup founders Roland Yau and Sze Lok Chan. It discusses generating competition to create urgency for investors, fundraising in parallel rather than sequentially, having a clear fundraising narrative focused on what you do and why it's compelling, and prioritizing relationships with people over firms. It also notes how the pandemic has changed fundraising, with examples of deals done virtually during this time. The tips emphasize being fully prepared before fundraising and cultivating connections with investors in advance.
AWS_HK_StartupDay_Building Interactive websites while automating for efficien... (Amazon Web Services)
This document discusses Amazon's machine learning services for building conversational interfaces and extracting insights from unstructured text and audio. It describes Amazon Lex for creating chatbots, Amazon Comprehend for natural language processing tasks like entity extraction and sentiment analysis, and how they can be used together for applications like intelligent call centers and content analysis. Pre-trained APIs simplify adding machine learning to apps without requiring ML expertise.
Amazon Elastic Container Service (Amazon ECS) is a highly scalable container management service that simplifies the management of Docker containers through an orchestration layer that controls deployment and the related lifecycle. In this session we will present the main features of the service, the reference architectures for different workloads and the simple steps needed to quickly migrate one or more of your containers.
59. CERRID #######
PAGE 59
UNCLASSIFIED
What is the Canadian Centre for Cyber Security?
The Cyber Centre is the Government of Canada’s single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public.
Pillars of CCCS Cloud Security Program
Advice and Guidance
• Advice & Guidance on the secure use of cloud
• Examples of secure Infrastructure as Code
• Consultation with CSP clients
Assessment
• Vendor Engagement
• Cloud Service Provider Security Assessment
• Supply Chain Integrity (SCI)
• Residual Risks
Cyber Defence
• Develop capabilities for GC workloads in cloud
• Leverage existing investment in analytics and cyber defence
CSP Assessment Program
Intended to assess each enterprise cloud service provider and their ability to handle Government of Canada information:
● Unclassified to Protected A Data.
● Protected B Data.
Program utilizes:
● An Onboarding process for interested CSPs
● Tailored Cloud Security Controls Profiles for Low and Moderate levels of information sensitivity - can be applied by both government and industry.
● A Cloud Assessment Framework/Methodology (ITSM.50.100)
Completed Assessments provide information to help departments validate a CSP’s ability to meet the security control profile for GC information security requirements as they procure Public cloud services.
Cloud Advice and Guidance Publications
The CCCS will be publishing various Cloud Security Publications:
● CSP Assessment Process
● Cloud IT Risk Management Process
● Cloud Security Profiles
● Cloud Defence in Depth
● Cloud Encryption Strategies
● Monitoring of Cloud Services
● Business Continuity Planning
● Access Control (Public, Private/Community and Hybrid Cloud)
● Secure Design/Implementation/Hardening of client IaaS/PaaS
Keep an eye on our Publications page: https://www.cyber.gc.ca/en/publications
CSE-CIC-IDS2018 Dataset
Collaborative effort between CSE, UNB, and AWS
Communications Security Establishment
● Noted lack of high-quality, public data for cybersecurity tests (still a lot of KDD 1999…)
● Drafted a problem book (a problem that we would like solved)
● Contracted work to UNB
Canadian Institute for Cybersecurity (University of New Brunswick)
● Previous work in dataset generation (2012, 2017)
● Generated new dataset to CSE requirements
● 500 users, realistic attacks, labelled data, feature extraction
Amazon Web Services
● Provided cloud infrastructure for virtual environment
● $80k USD academic grant of AWS credit
● Free public hosting on Open Data portal
CSE-CIC-IDS2018 Dataset
AWS Open Data Portal
https://registry.opendata.aws/cse-cic-ids2018/
Documentation
https://www.unb.ca/cic/datasets/ids-2018.html
ARN
arn:aws:s3:::cse-cic-ids2018
Questions/More info?
Get in touch with our Contact Centre
Contact our call centre
1-833-CYBER-88 or 613-949-7048
contact@cyber.gc.ca
Or check out our web site:
www.cyber.gc.ca
Intro
We will also have Sean Donaghy and Michael Davie from the Canadian Centre for Cyber Security who will present as well.
You are in the technical track.
Just want to make sure people are in the right room.
We are going to talk about awesome stuff like this.
The Management track and the Spotlight track are in other rooms.
This is an exploded view of a Nikon F3P Camera.
(CC Image) - https://www.japancamerahunter.com/2014/11/nikon-f3-p-parts-diagram/
Let’s cover a few of the AWS security basics first.
(CC image) - https://www.flickr.com/photos/vanf/5210360116
No AWS security presentation would be complete without showing the Shared Responsibility Model.
The line is the hypervisor.
Customers can choose their OS.
AWS provides the tools for customers to secure their workloads.
The line can move up.
Examples:
- Amazon Relational Database Service
- AWS Elastic Beanstalk
Examples:
- Simple Storage Service (S3).
- Lambda – customer is responsible for code sanitization.
GUI, REST API, Command Line Interface (CLI), SDK.
Stored in Simple Storage Service (S3).
No agents. Just turn it on.
Like Netflow.
Stored in S3.
Let’s start looking at some automation.
Center for Internet Security.
Open source package available on AWS labs.
Does a CIS Benchmark check against a specific AWS account.
Straightforward to run, command line or in a Lambda function.
Reporting options based on use case.
This is an HTML document.
Green light / red light type dashboard that could be provided to leadership.
Raw JSON format.
Could be used in a Lambda function for some automated remediation.
Or sent to a downstream SIEM server for processing.
Or a filter of only those that failed.
Can be customized depending on the needs of the downstream processor.
Everyone should be able to download the slides after.
This picture is a training exercise that the US Navy performs on ships.
They run a competition to test who can implement the most effective “soft patch”.
Using rope, gum, band-aids, and duct tape.
So let’s talk about how to deal with automated patching at scale.
(CC Image) - https://www.defense.gov/observe/photo-gallery/igphoto/2002039597/
No charge for AWS Systems Manager, you only pay for the resources you manage (e.g. EC2 instances).
AWS Systems Manager works via a lightweight agent that runs on the EC2 instances, across diverse OSes.
First step is to define a patch baseline.
This can align to whatever your organization’s security posture is.
This could be everything patched up to the moment, or a specific package at a specific version.
You get a list of hosts and whether they are compliant or non-compliant to the baseline.
This is how you can perform automated patching.
Now let’s look at Run Command.
Subtle feature.
But very powerful from a security perspective.
For an analogy here, I will take you back to the 90s.
There was a movie with some dinosaurs, in some kind of park.
It was a Jurassic type of park.
(CC Image) - https://www.livescience.com/16521-image-gallery-tyrannosaurus-rex-dinosaurs.html
One of the characters in the movie basically gives a perfect example of an insider threat.
He shows how a disgruntled employee can execute some malicious code.
And then cover his tracks.
In the movie, he types a command called “White rabbit”.
(CC Image) - https://www.maxpixel.net/Freedom-White-Rabbit-Bunny-Grass-Animal-Cute-3267568
Then suddenly every gate in the park opens up and chaos ensues.
Velociraptors are terrorizing people everywhere.
(CC Image) - https://pxhere.com/en/photo/851957
This later leads to workplace safety posters like this.
Likely pinned up in the lunchroom.
(CC Image) - https://www.amazon.com/Raptor-Dinosaur-Velociraptor-Vinyl-Sticker/dp/B073ZGVTWR
Back to the real world.
Insider threat can be a problem when you have no view into what people are doing at the operating system level.
It’s a challenge to track OS commands issued, across various OSes.
Need to think about moving away from giving developers and staff direct OS access for high security environments.
If you are a security practitioner, this should interest you.
Because everything is API-based, all OS commands issued get logged by CloudTrail.
Who/what/when/from where/what was the response.
Across diverse OSes.
Now let’s take this further.
An even better option is to store CloudTrail logs in a separate central security account, limited to the security team.
Developers and administrators cannot access or alter the CloudTrail logs.
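Added example (not the session's own code): the who/what/when/from-where/response extraction described above, run over constructed CloudTrail records of a Systems Manager SendCommand call. Field names follow the CloudTrail record format; the allowed source range is an assumption.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Assumption: the ranges your administrators are expected to work from.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample: one SendCommand call and one unrelated EC2 call.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-03-05T14:02:11Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevOps/alice"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0abc1234"],
                           "parameters": {"commands": ["uptime"]}},
     "responseElements": {"command": {"commandId": "cmd-1", "status": "Pending"}}},
    {"eventTime": "2019-03-05T14:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": None, "responseElements": None},
]})


def run_command_audit(trail_json):
    """One row per Run Command invocation: who, what, when, from where, and the response."""
    rows = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") != "SendCommand":
            continue
        req = rec.get("requestParameters") or {}
        resp = (rec.get("responseElements") or {}).get("command") or {}
        try:
            src = ipaddress.ip_address(rec["sourceIPAddress"])
        except ValueError:      # CloudTrail records a service principal here for service calls
            src = None
        rows.append({
            "who": rec["userIdentity"]["arn"],
            "when": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "from": rec["sourceIPAddress"],
            "from_allowed_range": src is not None and any(src in net for net in ALLOWED_SOURCES),
            "document": req.get("documentName"),
            "targets": req.get("instanceIds", []),
            "commands": (req.get("parameters") or {}).get("commands", []),
            "response": resp.get("status"),
        })
    return rows


if __name__ == "__main__":
    print(json.dumps(run_command_audit(SAMPLE_TRAIL), default=str, indent=2))
```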
Session Manager
Bash shell or PowerShell
All commands logged to CloudTrail.
Access control via IAM.
This is a GuardDuty kill chain.
First create the CloudWatch rule that defines the event source.
GuardDuty detections in this case.
Then build a Lambda responder.
This is a simple 8-line Lambda function.
Drop in a specific action.
Back to the GuardDuty kill chain.
In this case, we could shut down the compromised instance.
Or disconnect its Elastic Network Interface.
Back in the on-premises world, the BC-era (‘before cloud’) --> host compromised --> pull RJ-45.
Move server to isolated lab.
Even use CloudFormation for tools servers.
Cloud is API-based --> Automated incident response.
Let’s talk about networking.
I’m sure we’ve all seen a data center like this.
(CC Image) - https://peterskastner.wordpress.com/2011/02/23/cisco-the-lion-king-fights-for-data-center-fabric-leadership/
Or like this. Check out the mat over the cables.
In a traditional data center, visibility and accountability can be problematic.
There are always some unknown servers in the corner.
Or network cables going somewhere unknown.
(CC Image) - https://dcbureau.files.wordpress.com/2008/08/cable-mess.jpg
VPC Flow Logs give visibility and traceability.
Lambda doesn’t have to do just one thing.
If you use a ticketing service that supports an API, have Lambda open a ticket that indicates:
- What the actor was doing
- What the resource was
- What the automated action was
- Whether the action was successful or not
All documented inside the ticket.
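Added example (not the session's 8-line Lambda) covering both the GuardDuty kill chain and the ticket fields above: a responder that stops the instance named in a High-severity GuardDuty finding and returns the actor/resource/action/success record a ticket would carry. The severity threshold, tag name and the constructed event are assumptions; the EC2 client is passed in so the logic runs without AWS access.

```python
ISOLATE_AT_SEVERITY = 7.0   # assumption: GuardDuty "High" findings (7.0 and up) get isolated

# Constructed event, shaped like a GuardDuty finding delivered by a CloudWatch Events rule.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty", "account": "111122223333",
    "detail": {"type": "Backdoor:EC2/C&CActivity.B", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0abc1234"}},
               "service": {"action": {"networkConnectionAction": {
                   "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}}}}}


class RecordingEC2:
    """Stand-in for boto3's EC2 client so the flow can be exercised offline."""
    def __init__(self):
        self.calls = []
    def stop_instances(self, **kw):
        self.calls.append(("stop_instances", kw))
    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))


def respond(event, ec2):
    """Act on one finding and return the fields a ticket would carry."""
    detail = event["detail"]
    action = detail.get("service", {}).get("action", {})
    ticket = {"finding_type": detail.get("type"), "severity": float(detail.get("severity", 0)),
              "actor": action.get("networkConnectionAction", {}).get("remoteIpDetails", {}).get("ipAddressV4"),
              "resource": None, "action": "none", "success": True, "reason": ""}
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        ticket["reason"] = "finding is not about an EC2 instance"
        return ticket
    ticket["resource"] = instance_id = resource["instanceDetails"]["instanceId"]
    if ticket["severity"] < ISOLATE_AT_SEVERITY:
        ticket["reason"] = "below isolation threshold"
        return ticket
    ticket["action"] = "stop_instances"
    try:
        ec2.stop_instances(InstanceIds=[instance_id])
        ec2.create_tags(Resources=[instance_id],
                        Tags=[{"Key": "GuardDutyIsolated", "Value": ticket["finding_type"]}])
    except Exception as exc:        # a failed containment is still recorded in the ticket
        ticket["success"], ticket["reason"] = False, str(exc)
    return ticket


def lambda_handler(event, context):
    import boto3   # imported here so respond() stays testable without boto3 installed
    return respond(event, boto3.client("ec2"))
```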
Threat intel feeds – could be 3rd party or based on your telemetry from security edge monitoring.
Possible to do directly from S3 to Lambda, but showing SNS for a reason, which you’ll see on the next slide.
Option would be pushing IP blacklist ranges to a WAF.
Solution can be used generically to push from a central account to multiple member accounts.
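Added example (not the session's solution): the S3 -> SNS -> Lambda path above, parsing a block list feed and pushing it into a WAF IP set in each member account via an assumed role. Member account IDs, the role name, the IP set identifiers and the WAFv2 API choice are assumptions.

```python
import ipaddress
import json

# Assumptions: member accounts, the role assumed in each, and the target WAF IP set (WAFv2 API).
MEMBER_ACCOUNTS = ["222233334444", "555566667777"]
ROLE_NAME = "SecurityBlocklistWriter"
IP_SET = {"Name": "threat-intel-block", "Scope": "REGIONAL", "Id": "ipset-id-placeholder"}


def parse_blocklist(text):
    """Validate feed lines into CIDRs (WAF wants CIDR form); junk lines are skipped, not fatal."""
    cidrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        try:
            if line:
                cidrs.add(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            continue
    return sorted(cidrs)


def push_to_ip_set(wafv2, cidrs):
    """Replace the IP set contents; WAF rejects an update without the current LockToken."""
    current = wafv2.get_ip_set(**IP_SET)
    wafv2.update_ip_set(**IP_SET, Addresses=cidrs, LockToken=current["LockToken"])
    return len(cidrs)


class RecordingWAF:
    """Stand-in for boto3's wafv2 client so the push can be shown offline."""
    def __init__(self):
        self.updates = []
    def get_ip_set(self, **kw):
        return {"IPSet": {"Addresses": []}, "LockToken": "lock-placeholder"}
    def update_ip_set(self, **kw):
        self.updates.append(kw)


def lambda_handler(event, context):
    """SNS wraps the S3 notification; read the object, then fan out to every member account."""
    import boto3   # imported here so parsing and pushing stay testable without boto3
    s3rec = json.loads(event["Records"][0]["Sns"]["Message"])["Records"][0]["s3"]
    obj = boto3.client("s3").get_object(Bucket=s3rec["bucket"]["name"], Key=s3rec["object"]["key"])
    cidrs = parse_blocklist(obj["Body"].read().decode())
    results = {}
    for account in MEMBER_ACCOUNTS:
        creds = boto3.client("sts").assume_role(RoleArn=f"arn:aws:iam::{account}:role/{ROLE_NAME}",
                                                RoleSessionName="blocklist-push")["Credentials"]
        wafv2 = boto3.Session(aws_access_key_id=creds["AccessKeyId"], aws_secret_access_key=creds["SecretAccessKey"],
                              aws_session_token=creds["SessionToken"]).client("wafv2")
        results[account] = push_to_ip_set(wafv2, cidrs)
    return results
```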
How do we make sure that people only do things that we want them to do?
(CC Image) - https://commons.wikimedia.org/wiki/File:Denver_boot.jpg
AWS Config also supports centralized multi-account management.
You can have an enterprise-wide view of your compliance status.
Even better, how can we automate remediation based on what AWS Config rules discover?
Let's talk about access control.
(CC image) - https://commons.wikimedia.org/wiki/File:Nuclear_Plant_Security-_Access_Control_Gates_(9680484758).jpg
IAM Access Advisor shows:
- Service permissions granted to users and roles
- When those services were last accessed
Athena is a serverless SQL service.
Solutions from Netflix:
Aardvark – uses PhantomJS to log in to the console and scrape Access Advisor information.
Database --> REST-based API.
Repokid (repossess), uses the data from Aardvark to analyze operations vs permissions needed over time.
It will then repossess permissions and bring roles down to least privilege.
Monitoring | testing | tuning – can significantly improve security posture if used carefully.
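Added example (not Aardvark or Repokid): the same Access Advisor data pulled through IAM's service-last-accessed API instead of console scraping, used to list services a role is granted but has not used within a window. The role ARN, the fixed clock and the recorded report are constructed for illustration.

```python
import time
from datetime import datetime, timedelta, timezone


def unused_services(iam, role_arn, days=90, now=None):
    """Service namespaces the role may call but has not called within `days`."""
    now = now or datetime.now(timezone.utc)
    job_id = iam.generate_service_last_accessed_details(Arn=role_arn)["JobId"]
    while True:                     # the report is built asynchronously; poll until it is done
        report = iam.get_service_last_accessed_details(JobId=job_id)
        if report["JobStatus"] != "IN_PROGRESS":
            break
        time.sleep(1)
    if report["JobStatus"] == "FAILED":
        raise RuntimeError(report.get("Error", {}).get("Message", "report generation failed"))
    cutoff = now - timedelta(days=days)
    stale = []
    for svc in report["ServicesLastAccessed"]:
        last = svc.get("LastAuthenticated")   # absent when the service was never used
        if last is None or last < cutoff:
            stale.append(svc["ServiceNamespace"])
    return sorted(stale)


class RecordedIAM:
    """Stand-in for boto3's IAM client carrying a constructed Access Advisor report."""
    def __init__(self, now):
        self.report = {"JobStatus": "COMPLETED", "ServicesLastAccessed": [
            {"ServiceNamespace": "s3", "LastAuthenticated": now - timedelta(days=5)},
            {"ServiceNamespace": "ec2", "LastAuthenticated": now - timedelta(days=120)},
            {"ServiceNamespace": "sqs"},   # granted, never used
        ]}

    def generate_service_last_accessed_details(self, Arn):
        return {"JobId": "job-placeholder"}

    def get_service_last_accessed_details(self, JobId):
        return self.report


def demo(days=90):
    """Run the analysis against the constructed report with a fixed clock."""
    now = datetime(2019, 6, 1, tzinfo=timezone.utc)
    return unused_services(RecordedIAM(now), "arn:aws:iam::111122223333:role/app-role", days=days, now=now)


if __name__ == "__main__":
    print(demo())   # → ['ec2', 'sqs']
```

Against a real client the report is paginated (IsTruncated/Marker), so a role with many services needs the Marker followed before the list is complete.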
AWS has a global network of regions.
Your workloads can run anywhere.
A common guardrail (especially for Protected B) would be to limit workloads only to run in Canada.
How do we do this?
IAM policy. Wall of text.
Let's talk about when you have to manage a whole bunch of AWS accounts.
(CC Image) - https://www.flickr.com/photos/aquamech-utah/24778841180
SCPs – blacklist or whitelist at the service level
SCPs cannot be overridden by the local account
Analogy – similar to the concept in Windows of the Domain Admin vs Local Admin, and Group Policy Objects
No cost to the Landing Zone Solution itself.
Pay for the resources you launch and use.
Member accounts are tied in to the management structure above.
Centralized logging, security access, and authentication.
Summary --> ideas covered. Repeated theme = automation.
People --> mistakes | good intentions | credentials-locations-mfa | repeatability-high stress
Leverage automation as much as possible.
Automation --> waking up | sleep-eat-coffee
Leverage automation --> things get done consistently.
One final thought --> thinking more broadly beyond just the security benefits of automation.
By-product of automation --> becomes an Employee Retention Investment.
Think --> No longer doing --> undifferentiated heavy lifting | repetitive tasks
Opportunity to --> learn new things | innovate | experiment.
Hopefully means --> work becomes more interesting | varied | meaningful.