SlideShare a Scribd company logo

Network Security and Access Control within AWS

Amazon Web Services
Amazon Web Services

AWS provides several security capabilities and services to increase privacy and control infrastructure access. Built-in firewalls allow you to create private networks within AWS, and also control network access to your instances and subnets. Identity and access management capabilities enable you to define individual user accounts with permissions across AWS resources. AWS also provides tools and features that enable you to see exactly what’s happening in your AWS environment. In this session, you will gain an understanding of preventive and detective controls at the infrastructure level on AWS. We will cover Identity and Access Management as well as the security aspects of Amazon EC2, Virtual Private Cloud (VPC), Elastic Load Balancing (ELB), and CloudTrail.

Technology
1 of 69
Download to read offline
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Network Security & Access Control in AWS
AWS Account Security Day One Governance
Account Governance – New Accounts AWS Config AWS CloudTrail InfoSec’s Cross- Account Roles AWS Account Credential Management (“Root Account”) Federation AWS Account Ownership AWS Account Contact Information AWS Sales and Support Relationship Baseline Requirements
Account Governance – Existing Accounts AWS Config AWS CloudTrail InfoSec’s Cross- Account Roles AWS Account Credential Management (“Root Account”) Federation AWS Account Ownership AWS Account Contact Information AWS Sales and Support Relationship Baseline Requirements
AWS Identity & Access Management Overview of the Core Principles
AWS Identity & Access Management IAM Users IAM Groups IAM Roles
Policy specification basics JSON-formatted documents Contain a statement (permissions) that specifies: • Which actions a principal can perform • Which resources can be accessed { "Statement":[{ "Effect":"effect", "Principal":"principal", "Action":"action", "Resource":"arn", "Condition":{ "condition":{ "key":"value" } } } ] } Principal Action Resource Condition You can have multiple statements and each statement is comprised of PARC.
Managing your policies
IAM policies • Managed policies (newer way) • Can be attached to multiple users, groups, and roles • AWS managed policies: Created and maintained by AWS • Customer managed policies: Created and maintained by you • Up to 5K per policy • Up to 5 versions of a policy so you can roll back to a prior version • You can attach 10 managed policies per user, group, or role • You can limit who can attach which managed policies • Inline policies (older way) • You create and embed directly in a single user, group, or role • Variable policy size (2K per user, 5K per group, 10K per role)
Resource-based policies IAM policies live with: • IAM users • IAM groups • IAM roles Some services allow storing policy with resources: • S3 (bucket policy) • Amazon Glacier (vault policy) • Amazon SNS (topic policy) • Amazon SQS (queue policy) • AWS KMS (key policy) { "Statement": { "Effect": "Allow", "Principal": {"AWS": "111122223333"}, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1" } }
AWS CloudTrail
Introduction to AWS CloudTrail Store/ Archive Troubleshoot Monitor & Alarm You are making API calls... On a growing set of AWS services around the world.. CloudTrail is continuously recording API calls
Use cases enabled by CloudTrail IT and security administrators can perform security analysis IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change DevOps engineers can troubleshoot operational issues IT Auditors can use log files as a compliance aid Security at Scale: Logging in AWS White Paper
Encrypted CloudTrail log files using SSE-KMS By default, CloudTrail encrypts log files using S3 server side encryption Additional layer of security for your log files by encrypting with your KMS key Application logic for ingesting and processing log files stays the same S3 will decrypt on your behalf if your credentials have decrypt permissions
CloudTrail log file integrity validation Validate that a log file has not been changed since CloudTrail delivered the log file to your S3 bucket Detect whether a log file was deleted or modified or unchanged Use the tool as an aid in your IT security, audit and compliance processes
AWS Config
AWS Config • Get inventory of AWS resources • Discover new and deleted resources • Record configuration changes continuously • Get notified when configurations change
NormalizeRecordChanging Resources AWS Config Deliver Stream Snapshot (ex. 2014-11-05) AWS Config APIs Store History
AWS Config
AWS Config
Config Rules (preview) • Set up rules to check configuration changes recorded • Use pre-built rules provided by AWS • Author custom rules using AWS Lambda • Invoked automatically for continuous assessment • Use dashboard for visualizing compliance and identifying offending changes
NormalizeRecordChanging Resources AWS Config & Config Rules Deliver Stream Snapshot (ex. 2014-11-05) AWS Config APIs Store History Rules
AWS Config – Rules (example – instances must be tagged with a DataClassification)
AWS Network Security – Global Networking Building a Robust Internet Architecture
us-west-2 VPC us-east-1 sa-east-1 ap-southeast-2 eu-central-1 VPCVPC VPC VPC VPC eu-west-1 ap-southeast-1 VPC VPC ap-northeast-1 VPC
us-west-2 VPCVPC Amazon CloudFront, AWS WAF and Amazon Route 53 eu-central-1 VPC
CloudFront - Shield custom origin • Shield your custom origin • Whitelist Amazon CloudFront IP range Amazon CloudFront Region Amazon S3 bucket Custom origin AWS WAF
AWS Network Security - VPC Building a Trust Zone architecture
Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet VPC
Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end VPC CIDR 10.1.0.0/16 ELB Web Back end .1 VPC .1 .1 .1 .1 .1
Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region Internet Public Route Table Destination Target 10.1.0.0/16 Local 0.0.0.0/0 IGW VPC
Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Public subnet Private subnet ELB Web Back end VPC CIDR 10.1.0.0/16 ELB Web Back end VPC sg_ELB_FrontEnd (ELB Security Group) sg_Web_Frontend (Web Security Group) Security Groups sg_Backend (Backend Security Group)
Security Groups
Security Groups
Security Groups
Security Groups
Network Access Control Lists (NACLs) Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region VPC
Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region Internet And what if instances in a private subnet need to reach outside the VPC? They have no route to the IGW and no public IP address. VPC
Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region Internet Why go outside? VPC • AWS API endpoints • Regional services • Third-party services
To NAT, or not to NAT… • Leave NAT for less bandwidth-critical connectivity • Don’t bottleneck high-bandwidth-out workloads • Run high-bandwidth components from public subnets • Goal is full-instance bandwidth out of VPC
EC2 status checks StatusCheckFailed_System StatusCheckFailed_Instance CloudWatch per-instance metrics:
Amazon CloudWatch alarm actions Instance status check fails? REBOOT System status check fails? RECOVER Instance ID Instance metadata Private IP addresses Elastic IP addresses EBS volume attachments Instance retains:
A few things to remember… • Recover action only applies to system status checks • Limited to C3, C4, M3, R3, and T2 instance types • Cannot use local instance store • Cannot be dedicated instances • Use EC2ActionsAccess AWS Identity and Access Management (IAM) role Amazon EC2 Auto Recovery
Amazon EC2 Auto Recovery Set your failed check threshold Choose 1-minute period and statistic minimum Choose recover action Metric = StatusCheckFailed_System CloudWatch Console
Amazon EC2 Auto Reboot Choose reboot action Metric = StatusCheckFailed_Instance CloudWatch Console
Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet Web Back end Web Back end AWS region Internet NAT VPC NAT Average tested recovery time: ~ 1 to 4 minutes Could be shorter or longer depending on nature of failure HA NAT with EC2 Auto Recovery + Auto Reboot
Pick a NAT, any NAT Amazon Linux NAT Amazon Machine Image (AMI)
AWS region Internal application to VPC Public-facing web app Internal company app VPN connection VPCVPC Customer network
Availability Zone A Private subnet Private subnet AWS region Virtual Private Gateway VPN connection Intranet app Intranet app Availability Zone B Internal customers Private Route Table Destination Target 10.1.0.0/16 Local Corp CIDR VGW VPC Internal application to VPC Customer network
But apps want to leverage… Amazon S3 …as a primary data store
Availability Zone A Private subnet Private subnet AWS region Virtual Private Gateway VPN connection Intranet app Intranet app Availability Zone B You really don’t want to do this: Amazon S3 Internet Customer border router Customer VPN Internet VPC Customer network
Availability Zone A Private subnet Private subnet AWS region Virtual Private Gateway Intranet app Intranet app Availability Zone B So do this instead: Amazon S3 VPC VPN connection VPC Endpoints • No IGW • No NAT • No public IPs • Free • Robust access control Customer network
“Currently, we support endpoints for connections with Amazon S3 within the same region only. We'll add support for other AWS services later.” From the Amazon VPC User Guide: VPC endpoints $ aws ec2 describe-vpc-endpoint-services SERVICENAMES com.amazonaws.us-west-2.s3
Creating S3 VPC endpoint aws ec2 create-vpc-endpoint --vpc-id vpc-40f18d25 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-2ae6a24f rtb-61c78704 Private subnet VPC Route Table Destination Target 10.1.0.0/16 Local Corp CIDR VGW Prefix List for S3 us-west-2 VPCE
Creating S3 VPC endpoint aws ec2 create-vpc-endpoint --vpc-id vpc-40f18d25 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-2ae6a24f rtb-61c78704 Public subnet VPC Route Table Destination Target 10.1.0.0/16 Local 0.0.0.0 IGW Prefix List for S3 us-west-2 VPCE
Prefix lists aws ec2 describe-prefix-lists PREFIXLISTS pl-68a54001 com.amazonaws.us-west-2.s3 CIDRS 54.231.160.0/19 • Logical route destination target • Dynamically translates to service IPs • S3 IP ranges change over time • S3 prefix lists abstract change
Prefix lists … and use them in security groups!
Private subnet Controlling VPC access to Amazon S3 IAM policy on VPCE: VPC { "Statement": [ { "Sid": "vpce-restrict-to-backup-bucket", "Principal": "*", "Action": [ "s3:GetObject", "s3:PutObject” ], "Effect": "Allow", "Resource": ["arn:aws:s3:::backups-reinvent2015", "arn:aws:s3:::backups-reinvent2015/*"] } ] } Backups bucket?
Private subnet Controlling VPC access to Amazon S3 S3 bucket policy: VPC From vpce-bc42a4e5? { "Statement": [ { "Sid": "bucket-restrict-to-specific-vpce", "Principal": "*", "Action": "s3:*", "Effect": "Deny", "Resource": ["arn:aws:s3:::backups-reinvent2015", "arn:aws:s3:::backups-reinvent2015/*"], "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-bc42a4e5” } } } ] }
Controlling VPC access to Amazon S3 Recap on security layers: 1. Route table association 2. VPCE policy 3. Bucket policy 4. Security groups with prefix list Private subnet VPC 1. 2. 3. 4.
Private subnet Private subnet AWS region Intranet apps Compliance app Endpoints in action VPC Compliance Backups VPCE1 VPCE2 Private subnet Intranet apps
Private subnet Private subnet AWS region Intranet apps Compliance app Endpoints in action VPC Compliance Backups VPCE1 VPCE2 Private subnet Intranet apps Private subnet Private subnet Private subnet
VPC Flow Logs
VPC Flow Logs • Agentless • Enable per ENI, per subnet, or per VPC • Logged to AWS CloudWatch Logs • Create CloudWatch metrics from log data • Alarm on those metrics AWS account Source IP Destination IP Source port Destination port Interface Protocol Packets Bytes Start/end time Accept or reject
VPC Flow Logs: Automation Amazon SNS CloudWatch Logs Private subnet Compliance app AWS Lambda If SSH REJECT > 10, then… Elastic Network Interface Metric filter Filter on all SSH REJECTFlow Log group CloudWatch alarm Source IP
VPC Flow Logs
VPC Flow Logs
https://aws.amazon.com/blogs/aws/new-amazon-elasticsearch-service/ VPC Flow Logs • Amazon Elasticsearch Service (ES) • Amazon CloudWatch Logs subscriptions • Kibana
Refreshment Break Please return to your seats at 3:10 pm

Recommended

Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAMAmazon Web Services
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWSAmazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAmazon Web Services
 
AWS Billing Deep Dive (DMG203) | AWS re:Invent 2013
AWS Billing Deep Dive (DMG203) | AWS re:Invent 2013AWS Billing Deep Dive (DMG203) | AWS re:Invent 2013
AWS Billing Deep Dive (DMG203) | AWS re:Invent 2013Amazon Web Services
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 
AWS Security and SecOps
AWS Security and SecOpsAWS Security and SecOps
AWS Security and SecOpsShiva Narayanaswamy
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS SecurityAmazon Web Services
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWSAmazon Web Services
 

Recommended

Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAMAmazon Web Services
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWSAmazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAmazon Web Services
 
AWS Billing Deep Dive (DMG203) | AWS re:Invent 2013
AWS Billing Deep Dive (DMG203) | AWS re:Invent 2013AWS Billing Deep Dive (DMG203) | AWS re:Invent 2013
AWS Billing Deep Dive (DMG203) | AWS re:Invent 2013Amazon Web Services
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 
AWS Security and SecOps
AWS Security and SecOpsAWS Security and SecOps
AWS Security and SecOpsShiva Narayanaswamy
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS SecurityAmazon Web Services
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWSAmazon Web Services
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWSAmazon Web Services
 
AWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAmazon Web Services
 
Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAmazon Web Services
 
(NET405) Build a Remote Access VPN Solution on AWS
(NET405) Build a Remote Access VPN Solution on AWS(NET405) Build a Remote Access VPN Solution on AWS
(NET405) Build a Remote Access VPN Solution on AWSAmazon Web Services
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWSAmazon Web Services
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security FundamentalsAmazon Web Services
 
AWS Security Hub Deep Dive
AWS Security Hub Deep DiveAWS Security Hub Deep Dive
AWS Security Hub Deep DiveNagesh Ramamoorthy
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: SecurityAmazon Web Services
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM IntroductionAmazon Web Services
 
Aws VPC
Aws VPCAws VPC
Aws VPCAbhishek Amralkar
 
AWS Core Services Overview, Immersion Day Huntsville 2019
AWS Core Services Overview, Immersion Day Huntsville 2019AWS Core Services Overview, Immersion Day Huntsville 2019
AWS Core Services Overview, Immersion Day Huntsville 2019Amazon Web Services
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018Amazon Web Services
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAmazon Web Services
 
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...Amazon Web Services
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
Setting Up a Landing Zone
Setting Up a Landing ZoneSetting Up a Landing Zone
Setting Up a Landing ZoneAmazon Web Services
 
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...Simplilearn
 
DDoS Resiliency
DDoS ResiliencyDDoS Resiliency
DDoS ResiliencyAmazon Web Services
 
Network Access Control (NAC)
Network Access Control (NAC)Network Access Control (NAC)
Network Access Control (NAC)Forescout Technologies Inc
 

More Related Content

What's hot

Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWSAmazon Web Services
 
Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAmazon Web Services
 
(NET405) Build a Remote Access VPN Solution on AWS
(NET405) Build a Remote Access VPN Solution on AWS(NET405) Build a Remote Access VPN Solution on AWS
(NET405) Build a Remote Access VPN Solution on AWSAmazon Web Services
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
AWS Core Services Overview, Immersion Day Huntsville 2019
AWS Core Services Overview, Immersion Day Huntsville 2019AWS Core Services Overview, Immersion Day Huntsville 2019
AWS Core Services Overview, Immersion Day Huntsville 2019Amazon Web Services
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018Amazon Web Services
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAmazon Web Services
 
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...Amazon Web Services
 
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...Simplilearn
 

What's hot (20)

Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 
AWS Cloud Security Fundamentals
AWS Cloud Security FundamentalsAWS Cloud Security Fundamentals
AWS Cloud Security Fundamentals
 
Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices Masterclass
 
(NET405) Build a Remote Access VPN Solution on AWS
(NET405) Build a Remote Access VPN Solution on AWS(NET405) Build a Remote Access VPN Solution on AWS
(NET405) Build a Remote Access VPN Solution on AWS
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
AWS Security Hub Deep Dive
AWS Security Hub Deep DiveAWS Security Hub Deep Dive
AWS Security Hub Deep Dive
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: Security
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
 
Aws VPC
Aws VPCAws VPC
Aws VPC
 
AWS Core Services Overview, Immersion Day Huntsville 2019
AWS Core Services Overview, Immersion Day Huntsville 2019AWS Core Services Overview, Immersion Day Huntsville 2019
AWS Core Services Overview, Immersion Day Huntsville 2019
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWS
 
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Setting Up a Landing Zone
Setting Up a Landing ZoneSetting Up a Landing Zone
Setting Up a Landing Zone
 
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
 

Viewers also liked

Amazon Elasticsearch Serviceを利用したAWSのログ活用
Amazon Elasticsearch Serviceを利用したAWSのログ活用Amazon Elasticsearch Serviceを利用したAWSのログ活用
Amazon Elasticsearch Serviceを利用したAWSのログ活用真司 藤本
 
Best Practices in Architecting for the Cloud Webinar - Jinesh Varia
Best Practices in Architecting for the Cloud Webinar - Jinesh VariaBest Practices in Architecting for the Cloud Webinar - Jinesh Varia
Best Practices in Architecting for the Cloud Webinar - Jinesh VariaAmazon Web Services
 
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...Amazon Web Services
 
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud AWS Summit Bogotá Track Avanzado: Virtual Private Cloud
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud Amazon Web Services
 
Advanced Topics - Session 1 - Continuous Deployment Practices on AWS
Advanced Topics - Session 1 - Continuous Deployment Practices on AWSAdvanced Topics - Session 1 - Continuous Deployment Practices on AWS
Advanced Topics - Session 1 - Continuous Deployment Practices on AWSAmazon Web Services
 
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...Amazon Web Services
 
AWSome Day Jakarta - Opening Keynote
AWSome Day Jakarta - Opening KeynoteAWSome Day Jakarta - Opening Keynote
AWSome Day Jakarta - Opening KeynoteAmazon Web Services
 
AWS Summit 2013 | Auckland - Big Data Analytics
AWS Summit 2013 | Auckland - Big Data AnalyticsAWS Summit 2013 | Auckland - Big Data Analytics
AWS Summit 2013 | Auckland - Big Data AnalyticsAmazon Web Services
 
AWS Summit 2013 | India - 0 to Production in 40 minutes, Pieter Kemps
AWS Summit 2013 | India - 0 to Production in 40 minutes, Pieter KempsAWS Summit 2013 | India - 0 to Production in 40 minutes, Pieter Kemps
AWS Summit 2013 | India - 0 to Production in 40 minutes, Pieter KempsAmazon Web Services
 
AWS Customer Presentation - Newsweek
AWS Customer Presentation - Newsweek AWS Customer Presentation - Newsweek
AWS Customer Presentation - Newsweek Amazon Web Services
 
Scaling the Platform for Your Startup
Scaling the Platform for Your StartupScaling the Platform for Your Startup
Scaling the Platform for Your StartupAmazon Web Services
 
AWS Summit 2013 | India - Running High Churn Development & Test Environments,...
AWS Summit 2013 | India - Running High Churn Development & Test Environments,...AWS Summit 2013 | India - Running High Churn Development & Test Environments,...
AWS Summit 2013 | India - Running High Churn Development & Test Environments,...Amazon Web Services
 

Viewers also liked (20)

DDoS Resiliency
DDoS ResiliencyDDoS Resiliency
DDoS Resiliency
 
Network Access Control (NAC)
Network Access Control (NAC)Network Access Control (NAC)
Network Access Control (NAC)
 
AWS Innovation at Scale
AWS Innovation at ScaleAWS Innovation at Scale
AWS Innovation at Scale
 
Amazon Elasticsearch Serviceを利用したAWSのログ活用
Amazon Elasticsearch Serviceを利用したAWSのログ活用Amazon Elasticsearch Serviceを利用したAWSのログ活用
Amazon Elasticsearch Serviceを利用したAWSのログ活用
 
Amazon Virtual Private Cloud
Amazon Virtual Private CloudAmazon Virtual Private Cloud
Amazon Virtual Private Cloud
 
6 rules for innovation
6 rules for innovation6 rules for innovation
6 rules for innovation
 
Best Practices in Architecting for the Cloud Webinar - Jinesh Varia
Best Practices in Architecting for the Cloud Webinar - Jinesh VariaBest Practices in Architecting for the Cloud Webinar - Jinesh Varia
Best Practices in Architecting for the Cloud Webinar - Jinesh Varia
 
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...
Dole Food's Global Collaboration Platform and Web Presence on AWS (ENT209) | ...
 
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud AWS Summit Bogotá Track Avanzado: Virtual Private Cloud
AWS Summit Bogotá Track Avanzado: Virtual Private Cloud
 
Advanced Topics - Session 1 - Continuous Deployment Practices on AWS
Advanced Topics - Session 1 - Continuous Deployment Practices on AWSAdvanced Topics - Session 1 - Continuous Deployment Practices on AWS
Advanced Topics - Session 1 - Continuous Deployment Practices on AWS
 
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...
 
AWSome Day Jakarta - Opening Keynote
AWSome Day Jakarta - Opening KeynoteAWSome Day Jakarta - Opening Keynote
AWSome Day Jakarta - Opening Keynote
 
AWS Summit 2013 | Auckland - Big Data Analytics
AWS Summit 2013 | Auckland - Big Data AnalyticsAWS Summit 2013 | Auckland - Big Data Analytics
AWS Summit 2013 | Auckland - Big Data Analytics
 
AWS Summit 2013 | India - 0 to Production in 40 minutes, Pieter Kemps
AWS Summit 2013 | India - 0 to Production in 40 minutes, Pieter KempsAWS Summit 2013 | India - 0 to Production in 40 minutes, Pieter Kemps
AWS Summit 2013 | India - 0 to Production in 40 minutes, Pieter Kemps
 
AWS Customer Presentation - Newsweek
AWS Customer Presentation - Newsweek AWS Customer Presentation - Newsweek
AWS Customer Presentation - Newsweek
 
Application Portfolio Migration
Application Portfolio MigrationApplication Portfolio Migration
Application Portfolio Migration
 
Scaling the Platform for Your Startup
Scaling the Platform for Your StartupScaling the Platform for Your Startup
Scaling the Platform for Your Startup
 
AWS Summit 2013 | India - Running High Churn Development & Test Environments,...
AWS Summit 2013 | India - Running High Churn Development & Test Environments,...AWS Summit 2013 | India - Running High Churn Development & Test Environments,...
AWS Summit 2013 | India - Running High Churn Development & Test Environments,...
 
Big Data in the Cloud
Big Data in the Cloud Big Data in the Cloud
Big Data in the Cloud
 
Beintoo on Amazon Web Services
Beintoo on Amazon Web ServicesBeintoo on Amazon Web Services
Beintoo on Amazon Web Services
 

Similar to Network Security and Access Control within AWS

Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Amazon Web Services
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Amazon Web Services
 
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
AWS Cloud Controls for Security - Usman Shakeel
AWS Cloud Controls for Security - Usman ShakeelAWS Cloud Controls for Security - Usman Shakeel
AWS Cloud Controls for Security - Usman ShakeelAmazon Web Services
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & LoggingJason Poley
 
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
Your First Hour on AWS: Building the Foundation for Large Scale AWS AdoptionYour First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
Your First Hour on AWS: Building the Foundation for Large Scale AWS AdoptionAmazon Web Services
 
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Amazon Web Services
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at ScaleAmazon Web Services
 
Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018
Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018
Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018Amazon Web Services
 
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...Amazon Web Services
 
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도Amazon Web Services Korea
 
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance SeminarHybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance SeminarAmazon Web Services Korea
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...Amazon Web Services Korea
 

Similar to Network Security and Access Control within AWS (20)

Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts
 
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
AWS Cloud Controls for Security - Usman Shakeel
AWS Cloud Controls for Security - Usman ShakeelAWS Cloud Controls for Security - Usman Shakeel
AWS Cloud Controls for Security - Usman Shakeel
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & Logging
 
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
Your First Hour on AWS: Building the Foundation for Large Scale AWS AdoptionYour First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
 
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent...
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at Scale
 
Staying Secure in the Cloud
Staying Secure in the CloudStaying Secure in the Cloud
Staying Secure in the Cloud
 
Deep Dive: Hybrid Architectures
Deep Dive: Hybrid ArchitecturesDeep Dive: Hybrid Architectures
Deep Dive: Hybrid Architectures
 
Advanced AWS Security Workshop
Advanced AWS Security WorkshopAdvanced AWS Security Workshop
Advanced AWS Security Workshop
 
Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018
Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018
Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018
 
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
 
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
 
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance SeminarHybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
Hybrid cloud for financial sector :: Felix Candelario :: AWS Finance Seminar
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
 
Comenzando com la nube hibrida
Comenzando com la nube hibrida Comenzando com la nube hibrida
Comenzando com la nube hibrida
 
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
AWS를 활용한 금융권 hybrid cloud 구축하기 :: Felix Candelario :: AWS ...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationZilliz
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Alison B. Lowndes
 
The architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfThe architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfalexjohnson7307
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsPaul Groth
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...Product School
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeCzechDreamin
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...CzechDreamin
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 

Recently uploaded (20)

"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
The architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfThe architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdf
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 

Network Security and Access Control within AWS

  • 1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Network Security & Access Control in AWS
  • 2. AWS Account Security Day One Governance
  • 3. Account Governance – New Accounts AWS Config AWS CloudTrail InfoSec’s Cross- Account Roles AWS Account Credential Management (“Root Account”) Federation AWS Account Ownership AWS Account Contact Information AWS Sales and Support Relationship Baseline Requirements
  • 4. Account Governance – Existing Accounts AWS Config AWS CloudTrail InfoSec’s Cross- Account Roles AWS Account Credential Management (“Root Account”) Federation AWS Account Ownership AWS Account Contact Information AWS Sales and Support Relationship Baseline Requirements
  • 5. AWS Identity & Access Management Overview of the Core Principles
  • 6. AWS Identity & Access Management IAM Users IAM Groups IAM Roles
  • 7. Policy specification basics JSON-formatted documents Contain a statement (permissions) that specifies: • Which actions a principal can perform • Which resources can be accessed { "Statement":[{ "Effect":"effect", "Principal":"principal", "Action":"action", "Resource":"arn", "Condition":{ "condition":{ "key":"value" } } } ] } Principal Action Resource Condition You can have multiple statements and each statement is comprised of PARC.
  • 9. IAM policies • Managed policies (newer way) • Can be attached to multiple users, groups, and roles • AWS managed policies: Created and maintained by AWS • Customer managed policies: Created and maintained by you • Up to 5K per policy • Up to 5 versions of a policy so you can roll back to a prior version • You can attach 10 managed policies per user, group, or role • You can limit who can attach which managed policies • Inline policies (older way) • You create and embed directly in a single user, group, or role • Variable policy size (2K per user, 5K per group, 10K per role)
  • 10. Resource-based policies IAM policies live with: • IAM users • IAM groups • IAM roles Some services allow storing policy with resources: • S3 (bucket policy) • Amazon Glacier (vault policy) • Amazon SNS (topic policy) • Amazon SQS (queue policy) • AWS KMS (key policy) { "Statement": { "Effect": "Allow", "Principal": {"AWS": "111122223333"}, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1" } }
  • 12. Introduction to AWS CloudTrail Store/ Archive Troubleshoot Monitor & Alarm You are making API calls... On a growing set of AWS services around the world.. CloudTrail is continuously recording API calls
  • 13. Use cases enabled by CloudTrail IT and security administrators can perform security analysis IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change DevOps engineers can troubleshoot operational issues IT Auditors can use log files as a compliance aid Security at Scale: Logging in AWS White Paper
  • 14. Encrypted CloudTrail log files using SSE-KMS By default, CloudTrail encrypts log files using S3 server side encryption Additional layer of security for your log files by encrypting with your KMS key Application logic for ingesting and processing log files stays the same S3 will decrypt on your behalf if your credentials have decrypt permissions
  • 15. CloudTrail log file integrity validation Validate that a log file has not been changed since CloudTrail delivered the log file to your S3 bucket Detect whether a log file was deleted or modified or unchanged Use the tool as an aid in your IT security, audit and compliance processes
  • 17. AWS Config • Get inventory of AWS resources • Discover new and deleted resources • Record configuration changes continuously • Get notified when configurations change
  • 21. Config Rules (preview) • Set up rules to check configuration changes recorded • Use pre-built rules provided by AWS • Author custom rules using AWS Lambda • Invoked automatically for continuous assessment • Use dashboard for visualizing compliance and identifying offending changes
  • 22. NormalizeRecordChanging Resources AWS Config & Config Rules Deliver Stream Snapshot (ex. 2014-11-05) AWS Config APIs Store History Rules
  • 23. AWS Config – Rules (example – instances must be tagged with a DataClassification)
  • 24. AWS Network Security – Global Networking Building a Robust Internet Architecture
  • 26. us-west-2 VPCVPC Amazon CloudFront, AWS WAF and Amazon Route 53 eu-central-1 VPC
  • 27. CloudFront - Shield custom origin • Shield your custom origin • Whitelist Amazon CloudFront IP range Amazon CloudFront Region Amazon S3 bucket Custom origin AWS WAF
  • 28. AWS Network Security - VPC Building a Trust Zone architecture
  • 29. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet VPC
  • 30. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end VPC CIDR 10.1.0.0/16 ELB Web Back end .1 VPC .1 .1 .1 .1 .1
  • 31. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region Internet Public Route Table Destination Target 10.1.0.0/16 Local 0.0.0.0/0 IGW VPC
  • 32. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Public subnet Private subnet ELB Web Back end VPC CIDR 10.1.0.0/16 ELB Web Back end VPC sg_ELB_FrontEnd (ELB Security Group) sg_Web_Frontend (Web Security Group) Security Groups sg_Backend (Backend Security Group)
  • 37. Network Access Control Lists (NACLs) Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region VPC
  • 38. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region Internet And what if instances in a private subnet need to reach outside the VPC? They have no route to the IGW and no public IP address. VPC
  • 39. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region Internet Why go outside? VPC • AWS API endpoints • Regional services • Third-party services
  • 40. To NAT, or not to NAT… • Leave NAT for less bandwidth-critical connectivity • Don’t bottleneck high-bandwidth-out workloads • Run high-bandwidth components from public subnets • Goal is full-instance bandwidth out of VPC
  • 42. Amazon CloudWatch alarm actions Instance status check fails? REBOOT System status check fails? RECOVER Instance ID Instance metadata Private IP addresses Elastic IP addresses EBS volume attachments Instance retains:
  • 43. A few things to remember… • Recover action only applies to system status checks • Limited to C3, C4, M3, R3, and T2 instance types • Cannot use local instance store • Cannot be dedicated instances • Use EC2ActionsAccess AWS Identity and Access Management (IAM) role Amazon EC2 Auto Recovery
  • 44. Amazon EC2 Auto Recovery Set your failed check threshold Choose 1-minute period and statistic minimum Choose recover action Metric = StatusCheckFailed_System CloudWatch Console
  • 45. Amazon EC2 Auto Reboot Choose reboot action Metric = StatusCheckFailed_Instance CloudWatch Console
  • 46. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet Web Back end Web Back end AWS region Internet NAT VPC NAT Average tested recovery time: ~ 1 to 4 minutes Could be shorter or longer depending on nature of failure HA NAT with EC2 Auto Recovery + Auto Reboot
  • 47. Pick a NAT, any NAT Amazon Linux NAT Amazon Machine Image (AMI)
  • 48. AWS region Internal application to VPC Public-facing web app Internal company app VPN connection VPCVPC Customer network
  • 49. Availability Zone A Private subnet Private subnet AWS region Virtual Private Gateway VPN connection Intranet app Intranet app Availability Zone B Internal customers Private Route Table Destination Target 10.1.0.0/16 Local Corp CIDR VGW VPC Internal application to VPC Customer network
  • 50. But apps want to leverage… Amazon S3 …as a primary data store
  • 51. Availability Zone A Private subnet Private subnet AWS region Virtual Private Gateway VPN connection Intranet app Intranet app Availability Zone B You really don’t want to do this: Amazon S3 Internet Customer border router Customer VPN Internet VPC Customer network
  • 52. Availability Zone A Private subnet Private subnet AWS region Virtual Private Gateway Intranet app Intranet app Availability Zone B So do this instead: Amazon S3 VPC VPN connection VPC Endpoints • No IGW • No NAT • No public IPs • Free • Robust access control Customer network
  • 53. “Currently, we support endpoints for connections with Amazon S3 within the same region only. We'll add support for other AWS services later.” From the Amazon VPC User Guide: VPC endpoints $ aws ec2 describe-vpc-endpoint-services SERVICENAMES com.amazonaws.us-west-2.s3
  • 54. Creating S3 VPC endpoint aws ec2 create-vpc-endpoint --vpc-id vpc-40f18d25 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-2ae6a24f rtb-61c78704 Private subnet VPC Route Table Destination Target 10.1.0.0/16 Local Corp CIDR VGW Prefix List for S3 us-west-2 VPCE
  • 55. Creating S3 VPC endpoint aws ec2 create-vpc-endpoint --vpc-id vpc-40f18d25 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-2ae6a24f rtb-61c78704 Public subnet VPC Route Table Destination Target 10.1.0.0/16 Local 0.0.0.0 IGW Prefix List for S3 us-west-2 VPCE
  • 56. Prefix lists aws ec2 describe-prefix-lists PREFIXLISTS pl-68a54001 com.amazonaws.us-west-2.s3 CIDRS 54.231.160.0/19 • Logical route destination target • Dynamically translates to service IPs • S3 IP ranges change over time • S3 prefix lists abstract change
  • 57. Prefix lists … and use them in security groups!
  • 58. Private subnet Controlling VPC access to Amazon S3 IAM policy on VPCE: VPC { "Statement": [ { "Sid": "vpce-restrict-to-backup-bucket", "Principal": "*", "Action": [ "s3:GetObject", "s3:PutObject” ], "Effect": "Allow", "Resource": ["arn:aws:s3:::backups-reinvent2015", "arn:aws:s3:::backups-reinvent2015/*"] } ] } Backups bucket?
  • 59. Private subnet Controlling VPC access to Amazon S3 S3 bucket policy: VPC From vpce-bc42a4e5? { "Statement": [ { "Sid": "bucket-restrict-to-specific-vpce", "Principal": "*", "Action": "s3:*", "Effect": "Deny", "Resource": ["arn:aws:s3:::backups-reinvent2015", "arn:aws:s3:::backups-reinvent2015/*"], "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-bc42a4e5” } } } ] }
  • 60. Controlling VPC access to Amazon S3 Recap on security layers: 1. Route table association 2. VPCE policy 3. Bucket policy 4. Security groups with prefix list Private subnet VPC 1. 2. 3. 4.
  • 61. Private subnet Private subnet AWS region Intranet apps Compliance app Endpoints in action VPC Compliance Backups VPCE1 VPCE2 Private subnet Intranet apps
  • 62. Private subnet Private subnet AWS region Intranet apps Compliance app Endpoints in action VPC Compliance Backups VPCE1 VPCE2 Private subnet Intranet apps Private subnet Private subnet Private subnet
  • 64. VPC Flow Logs • Agentless • Enable per ENI, per subnet, or per VPC • Logged to AWS CloudWatch Logs • Create CloudWatch metrics from log data • Alarm on those metrics AWS account Source IP Destination IP Source port Destination port Interface Protocol Packets Bytes Start/end time Accept or reject
  • 65. VPC Flow Logs: Automation Amazon SNS CloudWatch Logs Private subnet Compliance app AWS Lambda If SSH REJECT > 10, then… Elastic Network Interface Metric filter Filter on all SSH REJECTFlow Log group CloudWatch alarm Source IP
  • 68. https://aws.amazon.com/blogs/aws/new-amazon-elasticsearch-service/ VPC Flow Logs • Amazon Elasticsearch Service (ES) • Amazon CloudWatch Logs subscriptions • Kibana
  • 69. Refreshment Break Please return to your seats at 3:10 pm