This document discusses common myths about security on AWS and provides responses to address each myth. It covers general cloud security, specific service security, and data security. For each myth, it explains the security controls and shared responsibility model that AWS employs. The document seeks to alleviate concerns about security, compliance, access controls, encryption, patching, data deletion verification and isolation on AWS. It emphasizes that customers own and control their data and have robust tools for access management, monitoring and incident response.

1. 2 0 1 9

2. Principales mitos de
seguridad en AWS!
Eliminados!
M a r t i n D o m i n g u e z
S o l u t i o n s A r c h i t e c t
m p _ d o m i n g u e z
J a v i e r O l i v o
C l o u d S p e c i a l i s t M c A f e e

3. SECURITY IS
JOB ZERO

4. The three stages of cloud security curiosity
General cloud
security
Specific service
security
Data
security
New to cloud
and / or
business teams
Experienced in cloud
and / or
technology teams
Advanced in cloud
and / or
risk teams

5. Cloud security
Service security
Part 1: General cloud security
Data
security

6. Myth 01
“La nube publica no es tan segura
como mi infraestructura on-premises
y no es tan segura como mi nube
privada”

7. 01: AWS security of the cloud and in the cloud
Visible AutomatedPhysical
AWS’s global infrastructure is built to meet the requirements of the most
security-sensitive organizations in the world

8. Myth 02
“Cuando ponga mis datos en la nube
pierdo propiedad de ellos y talvez se
muevan a traves de diferentes
paises.”

9. 02: You own and control your content
Access TraceabilityOwnership
You retain ownership and control of your content, and you choose which
region that content resides in

10. Myth 03
“Soy un negocio altamente
regulado y no puedo usar la nube
por mis requerimientos de
cumplimiento legales.”

11. 03: AWS global compliance program
Countries Enterprise
agreement
Certifications
Our security assurance program meets or exceeds industry, country-
specific, and global security requirements

13. Myth 04
“Mi negocio requiere datos
personales confidenciales, no
puedo usar la nube.”

14. 04: Using encryption on AWS
AWS KMS High standardsUbiquitous
AWS encryption services are integrated into dozens of our services and
meet the strictest industry requirements

15. Myth 05
“Tengo requisitos para pruebas de
seguridad, no puedo hacer esto en
la nube.”

16. 05: Security testing on AWS
Seek approval Or use
pre-approved
Shared
responsibility
AWS permits security testing of your resources in line with our acceptable
usage policy, and we provide tools to help you

17. Cloud security
Service security
Data
security
Part 2: Specific service security

18. Myth 06
“Todos mis sistemas operativos son
parchados automáticamente en la
nube.”

19. 06: Patch management on AWS
How we help Our
responsibility
Your
responsibility
You are responsible for patching operating systems that you manage. AWS
is responsible for patching services that we manage

20. Myth 07
“No puedo usar la nube para
almacenar datos confidenciales
porque todos tendrán acceso a
ellos.”

21. 07: How to secure data in Amazon Simple Storage
Service (Amazon S3)
Notify RespondProtect
Amazon S3 and our other storage services are secure by default. Customers
control who can access their data, and AWS provides multiple tools so you
can understand how access is configured

22. Myth 08
“Escucho que las claves secretas
son robadas, la forma en que
ustedes otorgan el acceso no es
seguro.”

23. 08: How to protect AWS credentials
Amazon
GuardDuty
Multi-factor
authentication
AWS provides a number of tools to protect your identity and access
credentials and to help you detect misuse
Temporary
access

24. Myth 09
“No puedo controlar la eliminación
de mis datos y no puedo verificar
que se hayan eliminado.”

25. 09: How AWS manages data deletion
Physical ValidatedLogical
When you delete your data we take multiple steps to wipe it and eventually
destroy it. This process is validated by independent
third parties

26. Myth 10
“Los servicios serverless no son
seguros porque se comparten
entre clientes.”

27. 10: How AWS protects serverless services
Identity Limited surface
When you use AWS’s serverless services you inherit the multiple layers of
strong security controls that are built into our core services
Building
blocks

28. Cloud security
Service security
Data
security
Part 2: Specific service security

29. Myth 11
“El gobierno puede acceder a mis
datos en cualquier momento.”

30. 11: How AWS manages information requests
Notification EncryptionValid requests
Amazon does not disclose customer information unless we’re required to
do so to comply with a legally valid and binding order. Where we need to
act publicly to protect customers, we do

31. Myth 12
“Un usuario malintencionado
puede ver mis datos a través de su
acceso administrativo compartido.”

32. 12: How AWS manages administrative access
Process
controls
Technology
controls
AWS strictly controls our infrequent administrative access to services. This
process has executive oversight within AWS and is validated by
independent third parties
Automation

33. Myth 13
“Es posible pasar por alto su tecnología de
aislamiento y acceder a los datos de otra
persona.”

34. 13: How AWS secures the hypervisor
Experience
AWS has over a decade of experience securing our virtualization
technology. We provide a deep level of isolation within the cloud
Customization &
innovation
Isolation

35. Cloud security
Service security
Data
security
Part 2: Specific service security

36. Security benefits of the AWS cloud
Automate
with deeply
integrated
security
services
Inherit
global
security and
compliance
controls
Highest
standards
for privacy
and data
security
Largest
network
of security
partners and
solutions
Scale with
superior
visibility and
control

37. SECURITY IS
JOB ZERO

38. ¡GRACIAS!