© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
PUBLIC SECTOR SUMMIT, BOGOTA

Security: A Driving Force Behind Moving to the Cloud
Michael South
Americas Regional Leader, Public Sector Security & Compliance Business Acceleration

Why is security traditionally so hard?
• Lack of visibility
• Low degree of automation
• Lack of resiliency
• Defense-in-depth challenges

Four Security Benefits of the Cloud
• Increased visibility
• Increased availability and resiliency
• True defense-in-depth
• Ability to automate for governance and security operations

Shared Responsibility Model
• AWS is responsible for the security OF the cloud.
• Customers are responsible for their security and compliance IN the cloud.

Security Control Ownership
Customer Specific: sole responsibility of the customer
Hybrid: AWS provides a partial implementation; the customer completes it
Shared: AWS and the customer each provide their own implementation of the control
Inherited: fully inherited from AWS
The division of responsibility depends on the AWS service: Infrastructure Services (IaaS), Container Services (PaaS), or Abstracted Services (SaaS). The more abstracted the service, the more of the controls the customer inherits from AWS and the fewer it must implement and document itself.

Section: Visibility

Means of obtaining Visibility
• Use of resource tags
• Console
• CLI describe calls
• API queries
• Business intelligence tools

AWS Services that provide Operational Visibility
• Track user activity and API usage (AWS CloudTrail)
• Monitor resources and applications (Amazon CloudWatch)
• Analyze OS and application security (Amazon Inspector)
• Self-service access to AWS compliance reports
• Track network activity in and out of the VPC (VPC Flow Logs)
• Intelligent threat detection (Amazon GuardDuty)
• Discover, classify, and protect sensitive data (Amazon Macie)
• Guidance to reduce cost, increase performance, and improve security
• Track application access and denials

U.S. Government Compliance
Sensitive data protection: defense data, healthcare data, criminal data, student data, tax data, weapons data, financial data, credit card data
Frameworks and processes: NIST CSF, NIST RMF
Standards (shown as logos on the original slide)

Implementing NIST's Cyber Security Framework (CSF)
1. Executive Order 13800 (May 2017) directs all Federal agencies to use NIST's CSF to manage cyber risk
2. AWS provides guidance on how AWS services align to the CSF
3. Customers can leverage shared cloud services and FedRAMP P-ATOs and ATOs from other agencies

Section: Resiliency

AWS Global Infrastructure: Regions and number of Availability Zones (as presented in 2019)
US East:            N. Virginia (6), Ohio (3)
US West:            Oregon (3), Northern California (3)
AWS GovCloud (US):  Oregon (3), Ohio (3)
Canada:             Central (2)
South America:      São Paulo (3)
EU:                 Ireland (3), Frankfurt (3), London (3), Paris (3), Stockholm (3)
Asia Pacific:       Singapore (3), Sydney (3), Tokyo (4), Seoul (2), Mumbai (2)
China:              Beijing (2), Ningxia (3)
Announced Regions:  Bahrain, Hong Kong, Milan, Cape Town
Totals: 20 Regions, 60 Availability Zones, 149 Edge Locations

Cloud Infrastructure for US Government
(Diagram: four environments, each with the data it may hold, the authorizations it carries, and the network it attaches to)
• US East & West (commercial Regions): Public, Private, UNCLASS, FOUO, SBU, PII, PHI, FTI data; FedRAMP Moderate; DoD IL2; reached over the public Internet
• AWS GovCloud: CUI, ITAR, CJI data; FedRAMP High; DoD IL4/IL5; reached from NIPRNet through a Cloud Access Point (CAP)
• S-C2S: SECRET data; DoD IL6; SIPRNet
• T-C2S: TS/SCI data; IC M/M/M (CNSSI 1253); JWICS
Data centers and services staffed by cleared U.S. citizens only.

AWS Region and Availability Zone View
• A Region is a metropolitan area with its own independent "cloud", isolated from other Regions (a security boundary)
• The customer chooses the Region; AWS does not move or replicate customer content out of the chosen Region unless the customer does so or agrees to it
• A Region comprises multiple Availability Zones; an AZ is one or more data centers
• AZs are connected through redundant low-latency links
• AZs are physically separated, sited in separate low-risk flood plains, with discrete UPS and on-site backup power
• Redundant connections to multiple tier-1 ISPs
• Built for continuous availability
(Diagram legend: Availability Zone, Physical Datacenter, Fiber)

Achieving High Availability in AWS
(Diagram: on the left, a customer data center with a firewall (FW), a load balancer (LB), WEB, APP and two DB servers; on the right, marked "OR", an AWS Region with one VPC spanning Availability Zone A and Availability Zone B. Each AZ holds a Public Subnet with a Web Server, an App Subnet with an App Server and a DB Subnet. The web and app servers belong to Auto Scaling groups that span both AZs; the database runs as DB Primary in one AZ and DB Secondary in the other.)

Section: Defense in Depth

Reality of Many On-Prem Network Defenses
• Hard outer shell (perimeter): WAF, firewall, IDS/IPS, DLP
• Soft and gooey middle (LAN / datacenter): VLANs, ACLs, endpoint protection (EPS)

Defense-in-Depth in AWS at the Perimeter
(Diagram: one VPC in an AWS Region with a Public Subnet / Web Server, an App Subnet / App Server and a DB Subnet / DB Primary; the controls below sit at its edge)
• DDoS protection
• Web application firewall
• VPN gateway: secure DevOps communications
• VPC with subnet ACLs: a stateless firewall
• Internet gateway: the path to the public Internet. Not present by default in a VPC you create; note that the default VPC in each Region does come with an Internet gateway attached, which is one reason not to place workloads in the default VPC
• Signature- and behavioral-based intrusion detection using machine learning
• Private fiber between AWS and the customer
• Partner solutions: firewall, IDS/IPS, WAF

Defense-in-Depth in AWS between Workloads
(Diagram: VPC 1 and VPC 2 in the same AWS Region, each with subnet ACLs as a stateless firewall and its own Public / App / DB subnets)
• Default: no communication between VPCs
• VPC peering: a private network connection between two VPCs. Peering is not transitive: if VPC 1 is peered with VPC 2 and VPC 2 with a third VPC, VPC 1 still cannot reach the third
• Internet gateway with VPN: a public path to the Internet
• AWS PrivateLink: one-way secure communication. The consuming VPC initiates connections to an endpoint backed by a service in the provider VPC; the provider cannot initiate connections back into the consumer

Defense-in-Depth in AWS inside the Workload
(Diagram: one VPC with a Web Security Group, an App Security Group and a DB Security Group around the web servers, app server and DB server)
• Security groups: a stateful firewall between each application tier. A security group does not allow peer-to-peer communication among its members by default: a newly created group has no inbound rules, so two web servers in the same group cannot talk to each other unless a rule references the group itself. Caveat: the default security group that comes with every VPC does carry a rule allowing all traffic from other members of that group, so instances left in the default group can reach one another
• Signature- and behavioral-based intrusion detection using machine learning
• 3rd-party endpoint protection: OS anti-virus, host firewall, host intrusion protection system
• Security and compliance assessment
• Event management and alerting
• API logging
• Operational view and control of resources
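The three defense-in-depth slides above rely on the difference between a stateless subnet ACL and a stateful security group. The following is an added Python example, not code from the deck: a small simulator of both filters as the VPC applies them (network ACL: numbered rules, lowest number first, first match wins, implicit final deny, every packet judged on its own; security group: allow rules only, any match permits, and the reply to a permitted flow is allowed without a rule in the other direction). The addresses, ports and rule sets are constructed sample data; they show the two mistakes practitioners make most often, forgetting the ephemeral-port reply range in an outbound ACL and numbering a deny rule after the broad allow it was meant to override.

```python
"""Added example (not from the deck): a simulator of VPC network ACL
(stateless) and security group (stateful) evaluation. All addresses,
ports and rules are constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluation order, like the rule number in the console
    action: str        # "allow" or "deny"
    cidr: str          # remote CIDR (source for inbound, destination for outbound)
    ports: tuple       # inclusive (low, high) destination-port range
    proto: str = "tcp"


def _cidr_match(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class NetworkAcl:
    """Stateless subnet filter: a rule list per direction, applied per packet."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        rules, remote = (self.inbound, pkt.src) if direction == "in" else (self.outbound, pkt.dst)
        for r in rules:
            if (r.proto in (pkt.proto, "all") and _cidr_match(r.cidr, remote)
                    and r.ports[0] <= pkt.dport <= r.ports[1]):
                return r.action == "allow"     # first match decides
        return False                           # the implicit "*" deny rule


class SecurityGroup:
    """Stateful instance filter with a connection-tracking table."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound   # tuples: (cidr, (low, high), proto)
        self._flows = set()

    def allows(self, pkt, direction):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return True   # reply to a flow permitted earlier; no rule needed
        rules, remote = (self.inbound, pkt.src) if direction == "in" else (self.outbound, pkt.dst)
        ok = any(p in (pkt.proto, "all") and lo <= pkt.dport <= hi and _cidr_match(cidr, remote)
                 for cidr, (lo, hi), p in rules)
        if ok:
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ok


def https_exchange(fw, client="198.51.100.7", server="10.0.1.10"):
    """Client -> server on 443, then the server's reply to the client's
    ephemeral port. Returns (request_allowed, reply_allowed)."""
    request = Packet(src=client, dst=server, sport=51515, dport=443)
    reply = Packet(src=server, dst=client, sport=443, dport=51515)
    req_ok = fw.allows(request, "in")
    return req_ok, req_ok and fw.allows(reply, "out")


# A common mistake: the outbound ACL only allows 443, so replies to the
# client's ephemeral port are dropped even though the request got in.
NACL_MISSING_EPHEMERAL = NetworkAcl(
    inbound=[NaclRule(100, "allow", "0.0.0.0/0", (443, 443))],
    outbound=[NaclRule(100, "allow", "0.0.0.0/0", (443, 443))])

# Fixed: outbound allows the ephemeral range the reply traffic uses.
NACL_FIXED = NetworkAcl(
    inbound=[NaclRule(100, "allow", "0.0.0.0/0", (443, 443))],
    outbound=[NaclRule(100, "allow", "0.0.0.0/0", (1024, 65535))])

# Ordering matters: the deny for one network must carry a lower number than
# the broad allow, or it is never reached.
NACL_BLOCKLIST = NetworkAcl(
    inbound=[NaclRule(50, "deny", "203.0.113.0/24", (0, 65535)),
             NaclRule(100, "allow", "0.0.0.0/0", (443, 443))],
    outbound=[NaclRule(100, "allow", "0.0.0.0/0", (1024, 65535))])

# Web-tier security group with no outbound rules at all: replies still flow
# because the group is stateful, but a new outbound connection does not.
SG_WEB = SecurityGroup(inbound=[("0.0.0.0/0", (443, 443), "tcp")], outbound=[])
```

Run https_exchange against each object: the ACL missing the ephemeral range admits the request but drops the reply, the fixed ACL and the security group pass both, and the blocklisted client is refused only because its deny rule is numbered 50, below the allow at 100.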

Section: Automation

Remove Humans from the Data

Amazon GuardDuty IDS
Reconnaissance
• Instance recon: port probe / accepted communication, port scan (intra-VPC), brute force attack (IP), drop point (IP), Tor communications
• Account recon: Tor API call (failed)
Instance compromise
• C&C activity, malicious domain request, EC2 on threat list, drop point IP, malicious comms (ASIS), bitcoin mining, outbound DDoS, spambot activity, outbound SSH brute force, unusual network port, unusual traffic volume/direction, unusual DNS requests
Account compromise
• Malicious API call (bad IP), Tor API call (accepted), CloudTrail disabled, password policy change, instance launch unusual, Region activity unusual, suspicious console login, unusual ISP caller, mutating API calls (create, update, delete), high volume of describe calls, unusual IAM user added
On the original slide, detections shown in gray are signature-based, stateless findings; detections shown in blue are behavioral, stateful findings / anomaly detections.

Automate with integrated services
Automated threat remediation: an event (event-based trigger) passes through a filtering rule, which invokes a Lambda function, which in turn acts through other AWS and partner services.
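The flow on this slide, together with the worked example in its speaker note (a finding on a compromised instance, a CloudWatch Events rule, a tag check, and a Lambda function that swaps the security group, snapshots the EBS volumes and alerts the team), as an added Python example. This is not code from the deck. It assumes a pre-created quarantine security group with no ingress or egress rules, an opt-out tag key AutoRemediate whose value "false" routes the finding to a human, and a severity threshold of 7 (GuardDuty "High"); none of those are on the slide. The ec2 argument is any object exposing the boto3 EC2 client methods used below (in Lambda you would pass boto3.client("ec2")); FakeEC2 is an offline stand-in with the same method names and keyword arguments, and the sample event is constructed in the shape CloudWatch Events delivers for a GuardDuty finding.

```python
"""Added example, not code from the deck: the finding -> CloudWatch Events ->
Lambda -> quarantine flow from the automation slide and its speaker note.
`ec2` is any object exposing the boto3 EC2 client methods used below (pass
boto3.client("ec2") in Lambda); FakeEC2 is an offline stand-in."""
from datetime import datetime, timezone

SEVERITY_THRESHOLD = 7.0       # assumption: act on GuardDuty "High" findings only
OPT_OUT_TAG = "AutoRemediate"  # assumption: tag value "false" routes to a human


def make_event(finding_type, severity, instance_id, tags=()):
    """Constructed CloudWatch Events record; the GuardDuty finding is under "detail"."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": "finding-0001", "type": finding_type, "severity": severity,
                       "resource": {"resourceType": "Instance",
                                    "instanceDetails": {
                                        "instanceId": instance_id,
                                        "tags": [{"key": k, "value": v} for k, v in tags]}}}}


def parse_finding(event):
    finding = event["detail"]
    resource = finding.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None                       # IAM/account findings need a different playbook
    details = resource["instanceDetails"]
    return {"type": finding["type"], "severity": float(finding["severity"]),
            "instance_id": details["instanceId"],
            "tags": {t["key"]: t["value"] for t in details.get("tags", [])}}


def decide(parsed):
    """'quarantine', 'notify' (a human decides) or 'ignore'."""
    if parsed is None or parsed["severity"] < SEVERITY_THRESHOLD:
        return "ignore"
    if parsed["tags"].get(OPT_OUT_TAG, "").lower() == "false":
        return "notify"                   # e.g. a critical production service
    return "quarantine"


def quarantine_instance(ec2, instance_id, quarantine_sg, reason):
    """Isolate the instance, preserve evidence, leave an audit trail."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in inst["SecurityGroups"]]
    # Replace the whole group set rather than adding a group: security group
    # rules are additive, so leaving the old groups attached would keep their
    # allow rules (and already-tracked connections) in effect.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    snapshots = [ec2.create_snapshot(VolumeId=b["Ebs"]["VolumeId"],
                                     Description=f"forensics {instance_id}: {reason}")["SnapshotId"]
                 for b in inst.get("BlockDeviceMappings", []) if "Ebs" in b]
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "QuarantinedAt", "Value": datetime.now(timezone.utc).isoformat()},
        {"Key": "QuarantineReason", "Value": reason},
        {"Key": "PreviousSecurityGroups", "Value": ",".join(previous)}])
    return {"previous_sgs": previous, "snapshots": snapshots}


def handler(event, ec2, quarantine_sg, notify=print):
    """Lambda-style entry point; returns the action taken."""
    parsed = parse_finding(event)
    action = decide(parsed)
    if action == "quarantine":
        result = quarantine_instance(ec2, parsed["instance_id"], quarantine_sg, parsed["type"])
        notify(f"QUARANTINED {parsed['instance_id']} ({parsed['type']}): {result}")
    elif action == "notify":
        notify(f"MANUAL REVIEW {parsed['instance_id']} ({parsed['type']}, severity {parsed['severity']})")
    return action


class FakeEC2:
    """Offline stand-in for boto3.client('ec2'): same method names and kwargs."""

    def __init__(self, instances):
        self.instances, self.snapshots, self.tags = instances, [], {}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [dict(InstanceId=i, **self.instances[i])
                                                for i in InstanceIds]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]

    def create_snapshot(self, VolumeId, Description):
        sid = f"snap-{len(self.snapshots):04d}"
        self.snapshots.append((sid, VolumeId, Description))
        return {"SnapshotId": sid}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})


def demo():
    """Runs a constructed C&C finding through the handler; returns (action, fake client)."""
    ec2 = FakeEC2({"i-0123456789abcdef0": {
        "SecurityGroups": [{"GroupId": "sg-web"}],
        "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-root"}}, {"Ebs": {"VolumeId": "vol-data"}}]}})
    event = make_event("Backdoor:EC2/C&CActivity.B!DNS", 8, "i-0123456789abcdef0", [("Name", "web-1")])
    return handler(event, ec2, "sg-quarantine", notify=lambda msg: None), ec2
```

The decision is kept separate from the side effects so the policy (threshold, opt-out tag, resource type) can be unit-tested without touching EC2, and the previous security groups are recorded as a tag so the instance can be restored once the investigation ends.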

AWS security solutions
Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Directory Service, AWS Single Sign-On, Amazon Cognito, AWS Secrets Manager
Detective control: AWS Config, Amazon GuardDuty, Amazon CloudWatch, AWS CloudTrail, VPC Flow Logs
Infrastructure security: AWS Shield, AWS Firewall Manager, AWS Web Application Firewall (WAF), Amazon Virtual Private Cloud (VPC), Amazon EC2 Systems Manager, Amazon Inspector
Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, Server Side Encryption
Incident response: AWS Config Rules, AWS Lambda

Identity and access management
Define, enforce, and audit user permissions across AWS services, actions and resources.
• AWS Identity and Access Management (IAM): securely control access to AWS services and resources
• AWS Organizations: policy-based management for multiple AWS accounts
• Amazon Cognito: add user sign-up, sign-in, and access control to your web and mobile apps
• AWS Directory Service: managed Microsoft Active Directory in the AWS Cloud
• AWS Single Sign-On: centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications

Detective control
Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
• AWS CloudTrail: enable governance, compliance, and operational/risk auditing of your AWS account
• AWS Config: record and evaluate configurations of your AWS resources; enable compliance auditing, security analysis, resource change tracking, and troubleshooting
• Amazon CloudWatch: monitor AWS Cloud resources and your applications on AWS to collect metrics, monitor log files, set alarms, and automatically react to changes
• Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
• VPC Flow Logs: capture information about the IP traffic going to and from network interfaces in your VPC; flow log data can be published to Amazon CloudWatch Logs or to Amazon S3
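VPC Flow Logs are the raw material behind several of the detections listed on the GuardDuty slide (port probe, port scan, unusual network port). As an added Python example, not from the deck, here is a detection pass over flow log records in the default format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status). The log lines are constructed sample data, the VPC CIDR and port allow-list are assumptions of the example, and the thresholds are this example's, not GuardDuty's.

```python
"""Added example (not from the deck): port-scan and unexpected-egress
detection over constructed VPC Flow Log records in the default format."""
import ipaddress
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """Parse default-format records; drop NODATA/SKIPDATA lines, which carry
    '-' placeholders instead of addresses and counters."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in NUMERIC:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def port_scanners(records, min_ports=10):
    """Sources REJECTed on at least min_ports distinct destination ports: the
    port-probe / port-scan pattern, as it appears when a security group or
    network ACL denies the probes."""
    rejected = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            rejected[r["srcaddr"]].add(r["dstport"])
    return {src: len(ports) for src, ports in rejected.items() if len(ports) >= min_ports}


def unexpected_egress(records, vpc_cidr="10.0.0.0/16", allowed_ports=(443,)):
    """ACCEPTed flows from inside the VPC to outside it on a port not in the
    allow-list (the 'unusual network port' / C&C pattern).
    Returns (srcaddr, dstaddr, dstport, bytes) tuples."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for r in records:
        if (r["action"] == "ACCEPT"
                and ipaddress.ip_address(r["srcaddr"]) in vpc
                and ipaddress.ip_address(r["dstaddr"]) not in vpc
                and r["dstport"] not in allowed_ports):
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"], r["bytes"]))
    return hits


# Constructed sample: one external host probing twelve ports on a web server
# (all rejected), a normal inbound HTTPS session, normal outbound HTTPS, one
# outbound connection to an odd port, and a NODATA record.
_ENI = "2 123456789012 eni-0a1b2c3d"
SAMPLE_LOG = "\n".join(
    [f"{_ENI} 203.0.113.5 10.0.1.10 {40000 + i} {p} 6 1 40 1560000000 1560000060 REJECT OK"
     for i, p in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 445, 1433, 3306, 3389))]
    + [f"{_ENI} 198.51.100.7 10.0.1.10 51515 443 6 12 3400 1560000000 1560000060 ACCEPT OK",
       f"{_ENI} 10.0.1.10 192.0.2.10 43210 443 6 20 5000 1560000000 1560000060 ACCEPT OK",
       f"{_ENI} 10.0.1.10 198.51.100.20 43211 4444 6 300 91000 1560000000 1560000060 ACCEPT OK",
       f"{_ENI} - - - - - - - 1560000000 1560000060 - NODATA"])


def run(text=SAMPLE_LOG):
    """Parse the log and return the record count plus both detection results."""
    records = parse_flow_log(text)
    return {"records": len(records),
            "scanners": port_scanners(records),
            "egress": unexpected_egress(records)}
```

On the sample, run() reports 15 usable records, flags 203.0.113.5 for twelve rejected ports, and lists the single accepted flow from 10.0.1.10 to 198.51.100.20 on port 4444; the HTTPS flows are not reported because 443 is on the allow-list.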

Infrastructure security
Reduce the surface area you have to manage and increase privacy for, and control of, your overall infrastructure on AWS.
• Amazon EC2 Systems Manager (now AWS Systems Manager): configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems
• AWS Shield: managed DDoS protection service that safeguards web applications running on AWS
• AWS Web Application Firewall (WAF): helps protect your web applications from common web exploits that could affect availability, compromise security, or consume excessive resources
• Amazon Inspector: automates security assessments to help improve the security and compliance of applications deployed on AWS
• Amazon Virtual Private Cloud (VPC): provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define

Data protection
In addition to AWS's automatic data encryption and management services, employ more features for data protection, including data management, data security, and encryption key storage.
• AWS Key Management Service (KMS): create and control the keys used to encrypt your data
• AWS CloudHSM: managed hardware security module (HSM) in the AWS Cloud
• Amazon Macie: machine learning-powered security service to discover, classify, and protect sensitive data
• AWS Certificate Manager: provision, manage, and deploy SSL/TLS certificates for use with AWS services
• Server-side encryption: flexible data encryption options using AWS service-managed keys, AWS-managed keys in AWS KMS, or customer-managed keys

Incident response
During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.
• AWS Config Rules: evaluate configuration changes in your environment against rules you define and trigger an automated response, such as isolating resources, enriching events with additional data, or restoring a configuration to a known-good state
• AWS Lambda: serverless compute service that runs code without provisioning or managing servers, so your programmed, automated response to incidents scales with the incident

Workloads appropriate for AWS
• Web applications and websites
• Backup, recovery and archiving
• Disaster recovery
• Development and test
• Big data
• High-performance computing
• Enterprise IT
• Mobile
• Mission critical applications
• Data center migration and hybrid
• IoT
• Security operations

Improving security with the cloud
For more details, see the re:Invent 2013 presentation by NASA JPL cyber security engineer Matt Derenski (http://awsps.com/videos/SEC205E-640px.mp4).
"Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters."
- Tom Soderstrom, CTO, NASA JPL

Summary
The cloud is not only secure, but through shared responsibility, well-architected solutions, and best practices, it can be more secure than the traditional on-prem datacenter!

AWS Educate (www.awseducate.com)
Amazon's global initiative to accelerate cloud learning and to prepare for the cloud-enabled jobs of tomorrow. Veterans, academic institutions, educators, and students may apply to receive access to:
• Cloud career pathways that include content, knowledge checks, and a final project
• AWS promotional credits to use AWS services in hands-on learning
• AWS training and course content contributed by AWS and educators from around the world
• A job board with opportunities mapped to the cloud career learning pathways
Program pillars: AWS promotional credits, curated open-source content, job board, training and professional development

Thank you!
Please complete the session survey.

Managing Security on AWS

Editor's Notes

  • #7 (Security Control Ownership): The reality for customers is that the AWS services they select dictate the number of security and privacy controls they must implement and document, and their level of responsibility for each.
  • #14 (AWS Global Infrastructure): AWS serves hundreds of thousands of customers in more than 190 countries. Amazon CloudFront and Amazon Route 53 are offered at AWS Edge Locations.
  • #15 (Cloud Infrastructure for US Government): Note: remove from public package.
  • #17 (Achieving High Availability in AWS): This slide builds.
  • #26 (Automate with integrated services): Automate and reduce risk with deeply integrated services. Automating security tasks on AWS enables you to be more secure by reducing human configuration errors and giving your team more time to focus on other work critical to your business. Select from a wide variety of deeply integrated solutions that can be combined to automate tasks in novel ways, making it easier for your security team to work closely with developer and operations teams to create and deploy code faster and more securely. For example, by employing technologies like machine learning, AWS enables you to automatically and continuously discover, classify, and protect sensitive data in AWS with just a few clicks in the AWS console. You can also automate infrastructure and application security checks to continually enforce your security and compliance controls and help ensure confidentiality, integrity, and availability at all times. Automate in a hybrid environment with our information management and security tools to integrate AWS as a seamless and secure extension of your on-premises and legacy environments. Automation reduces the noise and manual work your security engineers have to attend to, so they can focus their expertise where it really matters for your business. In this example: (1) GuardDuty findings point to a compromised instance (e.g. Backdoor:EC2/XORDDOS, Backdoor:EC2/C&CActivity.B!DNS); (2) a CloudWatch Events rule matching those findings triggers a Lambda function; (3) the function checks an instance tag to decide whether automatic action may be taken or manual intervention is needed (e.g. for critical production services); (4) the Lambda function removes the instance from its current security group(s) and places it in one with all ingress and egress blocked, snapshots the EBS volume(s), and alerts the security team.
  • #27 (AWS security solutions): We align the AWS security services to the 5 epics of the Security Cloud Adoption Framework (CAF). The order of the epics tells a story. https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf