Secure Your Data with Recommended Best Practices Enabled by AWS Security and Governance Services

P U B L I C S E C T O R
S U M M I T
NEW DELHI

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Secure Your Cloud with Recommended Best Practices
Enabled by AWS Security and Governance Services
Durga Prasad Kakaraparthi
Manager, Solutions Architecture
AISPL
Kaushik Mohanty
Principal BD, AWS Service Catalog and AWS
Control Tower
AWS

S U M M I T
Agenda
AWS Shared Responsibility Model
AWS Security Best Practices
AWS Service Catalog and AWS Control Tower
Take Action

S U M M I T

S U M M I T
Security is everyone’s job

S U M M I T
Security and compliance – Shared responsibility

S U M M I T
Top best practices: Strong identity foundation
Root account should never be used
Consider AWS Organizations
Set account security questions & contacts
Centralize identities
Audit periodically

S U M M I T
Top best practices: Strong identity foundation
Never store credentials or secrets in code
Enforce MFA on everything
Use IAM roles for users and services
Establish least privileged policies
Use temporary credentials

S U M M I T
How to: Enforce MFA
User can only assume a role with MFA
MFA token
Permissions RoleUser AWS CloudPermissions
http://bit.ly/AWSWALabs

S U M M I T
Top best practices: Enable traceability
Consider Amazon GuardDuty
Configure application & infrastructure
logging
Centralize using a SIEM
Proactively monitor
Regular reviews of news & best practices

S U M M I T
How to: Enable traceability
Use AWS CloudFormation!
http://bit.ly/D3T3cT

S U M M I T
Top best practices: Network protection
Amazon CloudFront + AWS WAF
Amazon VPC and security groups
Private connectivity – VPC peering, VPN, AWS Direct Connect
Service endpoints
Enforce service level permission

S U M M I T
How to: Network protection
Bucket
Instances
Region
VPCUsers
https://amzn.to/2PbHOpz
WAF Automation
www.example.com

S U M M I T
Top best practices: Apply security at all layers
Harden operating systems & defaults
Use anti-malware + intrusion
detection
Scan infrastructure
Scan code
Patch vulnerabilities

S U M M I T
How to: Compute protection

S U M M I T
How to: Scan vulnerabilities
Scan instances with Amazon Inspector
https://amzn.to/2DT9jyg
Scan code in the pipeline
Dependency Check: http://bit.ly/2SPzUAp
Testing
OWASP Zap: http://bit.ly/2yWwzqN

S U M M I T
How to: Serverless
• Authorization and authentication – API
• Enforce boundaries – AWS services & network
• Input validation
• Protect sensitive data

S U M M I T
Top best practices: Automate security best practices
Template infra: AWS CloudFormation/AWS
SAM
Automate build and test
AWS Config rules for verification
Automate response to non-compliance
Automate response to events

S U M M I T
How to: Automate management
Automation
Patch manager
State manager
https://amzn.to/2AaOwSg
https://amzn.to/2DSTLdK
https://amzn.to/2Qihzxm

S U M M I T
How to: Automate checks
AWS Config
Rules

S U M M I T
Top best practices: Protect data
Encryption mechanisms are enforced
Verify accessibility of data (e.g. Amazon S3 & Amazon EBS)
Consider AWS Certificate Manager (ACM)
Consider tokenization to substitute sensitive data
Data segmentation and isolation

S U M M I T
How to: Classify your data
• Start classifying data based on sensitivity
• Use resource tags to help define the policy
Amazon Macie discover, classify, and protect sensitive data in AWS
IAM control: http://bit.ly/IAMctrlTAG

S U M M I T
How to: Keep people away from data
Dashboards for users
Tools for administrators

S U M M I T
Top best practices: Incident response
Prepare for different scenarios
Pre-deploy tools using automation
Pre-provision access for response teams
Practice responding through game days
Continuously improve your processes

S U M M I T
How to: Run incident response game day
1. Schedule a four to eight hour block
2. Find a prize (bribery)
3. Supply junk food and beverages
4. Pick relevant scenarios from:
https://amzn.to/2PetNro
5. Create a runbook
6. Practice
7. Have fun

S U M M I T
How to: Simple run book
Event description
[Attack Type]
[Attack Description]
Data to gather for troubleshooting
[Evaluation of current data]
Steps to troubleshoot and fix
[Contain / impact / recovery / forensics]
Urgency category
[Critical, Important, moderate, informational]
Communications and escalation

S U M M I T
DevSecOps CI/CD
pipelines
DevSecOps
Hook
DevSecOps
Hook
DevSecOps
Hook
DevSecOps
Hook
DevSecOps
Hook

S U M M I T
Security & Compliance enforced by
AWS Management & Governance
Services:
Overview of AWS Service Catalog & AWS Control Tower

S U M M I T
Enable agility + governance as you secure your cloud
YOUR AWS RESOURCES ARE GROWING OVER TIME

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Service Catalog: Provisioning and secure
deployment in the cloud
End usersOrganizations
Curation
Compliance
Standardization
Agility
Self-service
Time to market
SpeedSecurity
AWS Service Catalog enables organizations to
deploy and manage AWS infrastructure and
applications that reflect the organization’s security
and operational policies

Key attributes of AWS Service Catalog
Configure Consume
One-stop shop

AWS Control Tower: Easiest way to set up and govern
a multi-account environment on AWS
Automated
AWS setup
Automated landing zone
with best practice blueprints
Policy
enforcement
Prepackaged preventive
and detective guardrails
Dashboard
for oversight
Continuous visibility into
accounts and workloads

Key attributes of AWS Control Tower
Account setup
Automated secure and
scalable landing zone
Multi-account management
using AWS Organizations
Central logging and multi-
account configuration
consistency
Built-in best practices
Multi-account preventive
and detective guardrails
Easy-to-use dashboard
and notifications
Curated rules in plain
English
Account provisioning wizard
Guardrails
Landin
g Zone

S U M M I T
Take action!
CAF: aws.amazon.com/professional-services/CAF/
W-A: aws.amazon.com/well-architected
W-A Labs: http://bit.ly/AWSWALabs
AWS sec twitter: @AWSSecurityInfo
AWS sec blog: https://aws.amazon.com/blogs/security/

S U M M I T
Thank you!
S U M M I T
Durga Prasad Kakaraparthi
Manager, Solutions Architecture
AWS
Kaushik Mohanty
Principal BD, AWS Service Catalog and AWS
Control Tower
AWS

S U M M I T
Download our app to enhance
your Summit experience
Access the agenda, build your own
schedule, provide feedback easily
and more

S U M M I T
Three ways to get started:
• Scan the QR code on the screen or at
the back of your attendee badge
• Search “AWS Global Summits” in
Apple Store or Google Play
• Visit guidebook.com/app/aws

S U M M I T
Tap on the
featured guide
Tap “Download
Guide”
Tap
“Open”

S U M M I T
Summit Session Feedback
Take a quick five question survey – let us
know how we can improve.
Three ways to take the survey:
• Access the Summit app - session survey tab
• Scan the QR code
• Visit https://amzn.to/summit-session
Ballroom 1 & 2

S U M M I T
S U M M I T

Secure Your Data with Recommended Best Practices Enabled by AWS Security and Governance Services

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Secure Your Data with Recommended Best Practices Enabled by AWS Security and Governance Services

Similar to Secure Your Data with Recommended Best Practices Enabled by AWS Security and Governance Services (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Secure Your Data with Recommended Best Practices Enabled by AWS Security and Governance Services