AWS Organizations allows you to centrally manage multiple AWS accounts. It provides features like consolidated billing, account creation APIs, and service control policies to control access to AWS services across accounts. Service control policies can be used to whitelist or blacklist access to specific AWS APIs on a per-account basis. Organizations helps structure accounts for better security, compliance, and management of access controls and resources.
AWS provides several security capabilities and services to increase privacy and control infrastructure access. Built-in firewalls allow you to create private networks within AWS, and also control network access to your instances and subnets. Identity and access management capabilities enable you to define individual user accounts with permissions across AWS resources. AWS also provides tools and features that enable you to see exactly what's happening in your AWS environment. In this session, you will gain an understanding of preventive and detective controls at the infrastructure level on AWS. We will cover Identity and Access Management as well as the security aspects of Amazon EC2, Virtual Private Cloud (VPC), Elastic Load Balancing (ELB), and CloudTrail.
Learn how to use Lambda to build web, mobile, or IoT backends and voice-enabled apps, and how to extend both AWS and third-party services by triggering Lambda functions.
Cloud ID Management of North Carolina Department of Public Instruction (SEC10...
Amazon Web Services
(Presented by Identity Automation) Identity Automation has worked with the North Carolina Department of Public Instruction since April 2013 to provide a cloud-based identity management service for all employees, students, parents and guests of the State's K12 organizations. In this session, Identity Automation will discuss how the service was used to synchronize identities with target systems, provide federation services as well as end-user self-service and to delegate administration functionality.
Rackspace provides a comprehensive set of tooling and expertise on AWS that further unlocks your ability to secure your environment efficiently and cost effectively. The dynamic environment of data, applications, and infrastructure can pose challenges for businesses trying to manage security while following compliance regulations. To mitigate these challenges, businesses need a scalable security solution to ensure their data is safe, secure, and stable. In this webinar, Brad Schulteis, Jarret Raim and Todd Gleason will discuss the topic of security control requirements on AWS through the lens of three common compliance scenarios: HIPAA, PCI-DSS, and generalized security compliance based on the NIST Risk Management Framework. Watch our webinar to learn how Rackspace combines AWS and security expertise with tools like AWS CloudFormation, AWS CodeCommit and AWS CodeDeploy to help customers meet their security and compliance needs.
Join us to learn:
• Best practices for securely operating workloads on the AWS Cloud
• Architecting a secure environment for dynamic workloads
• How to incorporate Security by Design principles to address compliance needs across 3 use cases: HIPAA, PCI-DSS and generalized security compliance based on the NIST Risk Management Framework
Who should attend: Directors and Managers of Security, IT Administrators, IT Architects, and IT Security Engineers
AWS offers you the ability to add additional layers of security to your data at rest in the cloud, providing access control as well as scalable and efficient encryption features. Flexible key management options allow you to choose whether to have AWS manage the encryption keys or to keep complete control over the keys yourself. In this session, you will learn how to secure data when using AWS services. We will discuss data encryption using Key Management Service, S3 access controls, edge and host access security, and database platform security features.
(SEC320) Leveraging the Power of AWS to Automate Security & Compliance
Amazon Web Services
"You've made the move to AWS and are now reaping the benefits of decreased costs and increased business agility. How can you reap those same benefits for your cloud security and compliance operations? As building cloud-native applications requires different skill sets, architectures, integrations, and processes, implementing effective, scalable, and robust security for the cloud requires rethinking everything from your security tools to your team culture.
Attend this session to learn how to start down the path toward security and compliance automation and hear how DevSecOps leaders such as Intuit and Capital One are using AWS, DevOps, and automation to transform their security operations.
Session sponsored by evident.io"
The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help security professionals thwart cyber security incidents. Within this list of strategies, eight have been identified as essential for government agencies to implement as a security baseline starting point. This session offers customers practical guidance for meeting the ASD Essential Eight using AWS services to help them achieve compliance goals faster and more cost effectively.
Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Inve...
Amazon Web Services
This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture & service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.
AWS and its partners offer a wide range of tools and features to help you to meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that can provide full visibility into what is happening in your environment. In this session, you will get introduced to the range of security tools and features that AWS offers, and the latest security innovations coming from AWS.
(SEC203) Journey to Securing Time Inc's Move to the Cloud
Amazon Web Services
"Learn how Time Inc. met security requirements as they transitioned from their data centers to the AWS cloud. Colin Bodell, CTO from Time Inc. will start off this session by presenting Time's objective to move away from on-premise and co-location data centers to AWS and the cost savings that have been realized with this transition. Chris Nicodemo from Time Inc. and Derek Uzzle from Alert Logic will then share lessons learned in the journey to secure dozens of high volume media websites during the migration, and how it has enhanced overall security flexibility and scalability. They will also provide a deep dive on the solutions Time has leveraged for their enterprise security best practices, and show you how they were able to execute their security strategy.
Who should attend: InfoSec and IT management.
Session sponsored by Alert Logic."
Want to learn more about Compliance in the Cloud? Attend the AWS Compliance Summit, where key verticals such as Financial Services, Government and Public Sector, and Healthcare and Life Sciences will be discussed, along with customer use cases and prescriptive guidance from AWS subject matter experts.
Developing a Continuous Automated Approach to Cloud Security
Amazon Web Services
Many organizations struggle daily with the question - "Where do we stand with our AWS security practices?" With the recent release of the Center for Internet Security's CIS AWS Foundations Benchmark, organizations now have an industry-accepted set of security configuration best practices. These benchmarks, in combination with 3rd party security solutions that support them, can form the foundation for security operations at organizations of all sizes through continuous monitoring and auditing.
Dev ops on aws deep dive on continuous delivery - Toronto
Amazon Web Services
Today's cutting-edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we'll share the processes that Amazon's engineers use to practice DevOps and discuss how you can bring these processes to your company by using a new set of AWS tools (AWS CodePipeline and AWS CodeDeploy). These services were inspired by Amazon's own internal developer tools and DevOps culture.
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that "Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?". That's the level of granularity you can choose to implement if you wish. In this session, we'll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.
Speakers:
Rob Whitmore, AWS Solutions Architect
Security must be the number one priority for any cloud provider and that's no different for AWS. Stephen Schmidt, vice president and chief information officer for AWS, will share his insights into cloud security and how AWS meets the needs of today's IT security challenges. Stephen, with his background with the FBI and his work with AWS customers in the government and space exploration, research, and financial services organizations, shares an industry perspective that's unique and invaluable for today's IT decision makers. At the conclusion of this session, Stephen also provides a brief summary of the other sessions available to you in the security track.
Managing your identities in the cloud with AWS and Microsoft Active Directory...
Amazon Web Services
Identify the main options for deploying and managing Active Directory on AWS, how to extend your on-premises environment to AWS, and what are the best-practices from the field.
AWS and its partners offer a wide range of tools and features to help you to meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that can provide full visibility into what is happening in your environment. In this session, you will get introduced to the range of security tools and features that AWS offers, and the latest security innovations coming from AWS.
Extending Datacenters to the Cloud: Connectivity Options and Considerations f...
Amazon Web Services
Many organizations on their journey into the cloud require consistent and highly secure connectivity between their existing data center and AWS footprints. In this session, we walk through the different architecture options for establishing this connectivity using AWS Direct Connect and VPN. With each option, we evaluate the considerations and discuss risk, performance, encryption, and cost. As we walk through these options, we try to answer some of the most common questions that typically arise from organizations that tackle design and implementation. You'll learn how to make connectivity decisions that are suitable for your workloads, and how to best prepare against business impact in the event of failure.
Up-front design of your AWS account can be done in a way that creates a reliably secure and controlled environment no matter how the AWS resources are used. This session will focus on "Secure by Design" principles and show how an AWS environment can be configured to provide a reliable operational security control capability to meet the compliance needs across multiple industry verticals (e.g. HIPAA, FISMA, PCI, etc.). This will include operational reporting through the use of AWS services (e.g. Config/Config Rules, CloudTrail, Inspector, etc.) as well as partner integration capabilities with partner solutions such as Splunk and Allgress for real-time governance, risk, and compliance reporting. Key takeaways from this session include: learning AWS Security best practices and automation capabilities for securing your environment, Automation accelerators for configuration, compliance, and audit reporting using CloudFormation, Config/Config Rules, CloudTrail, Inspector, etc., and ISV integration for real-time notification and reporting for security, compliance, and auditing in the cloud.
Amazon CloudWatch Logs and AWS Lambda: A Match Made in Heaven
Amazon Web Services
In this session, we cover three common scenarios that include Amazon CloudWatch Logs and AWS Lambda. Learn how to build an Elasticsearch cluster from historical data using Amazon S3, Lambda, and CloudWatch Logs. Discover how to add details to CloudWatch alarm notifications using Amazon SNS and Lambda. Finally, understand how to bring Elastic Load Balancing logs to CloudWatch Logs using S3 bucket triggers from Lambda.
Speaker: Leo Zhadanovsky, Principal Solutions Architect, Amazon Web Services
Level: 300
Organizations need to apply security analytics to obtain seamless visibility and monitoring across both their on-premises and cloud environments. These challenges can be solved with comprehensive detection rules and behavioral analytics to ensure you detect potential threats.
Join FireEye and AWS to learn how Threat Analytics Platform (TAP) helped unify a major U.S. financial company's on-premises and cloud-based Security Operations Centers (SOCs) by providing a single, cloud-based solution for monitoring their hybrid IT environment. FireEye's TAP provides seamless visibility, detection and investigation across your on-premises and AWS Cloud environments ensuring actionable insight into threats targeting your company.
Join us to learn:
• How TAP ingests and analyzes AWS CloudTrail log files, providing visibility into both your AWS environment and the applications running on it
• TAP's best practices workflow to guide and inform your threat investigation
• How a major U.S. financial company unified their on-premises and cloud-based SOCs into a single, cloud-based security operation
Who should attend: Directors and Managers of Security, IT Administrators, IT Architects, and IT Security Engineers
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
Amazon Web Services
With customers migrating workloads to AWS, we are starting to see a need for the creation of a prescribed landing zone, which uses native AWS capabilities and meets or exceeds customers' security and compliance objectives. In this session, we will describe an AWS landing zone and will cover solutions for account structure, user configuration, provisioning, networking and operation automation. This solution is based on AWS native capabilities such as AWS Service Catalog, AWS Identity and Access Management, AWS Config Rules, AWS CloudTrail and Amazon Lambda. We will provide an overview of AWS Service Catalog and how it can be used to provide self-service infrastructure to application users, including various options for automation. After this session you will be able to configure an AWS landing zone for successful large-scale application migrations. Additionally, Philips will explain their cloud journey and how they have applied their guiding principles when building their landing zone.
Bork is the Dutch distributor for the rewarded DINO software that is sold all over Europe. Bork is striving to be a technology leader in the Netherlands.
Big Data Expo 2015 - Hortonworks Common Hadoop Use Cases
BigDataExpo
When evaluating Apache Hadoop, organizations often identify dozens of use cases for Hadoop but wonder where to start. With hundreds of customer implementations of the platform we have seen that successful organizations start small in scale and small in scope. Join us in this session as we review common deployment patterns and successful implementations that will help guide you on your journey of cost optimization and new analytics with Hadoop.
Enterprises, mid-market, and SMBs all have one thing in common: their business applications are critical. Companies of all sizes are running SAP, Oracle, Exchange, and many other business applications in the cloud to simplify infrastructure management, deploy more quickly, and lower cost. AWS offers a reliable and flexible cloud infrastructure platform that enables customers to run any type of Windows or Linux based business application, from small departmental solutions to world-wide mission-critical production ERP systems in a secure, scalable and robust environment. Come along to this session to learn how large scale systems like SAP, Oracle, Microsoft and others are being used by enterprise customers of all shapes and sizes. In this session you will discover some of the challenges and approaches that will make you successful in deploying and operating these systems on AWS. This is a must session for enterprise customers that are looking at moving material workloads into the cloud.
Speaker: Nam Je Cho, Solutions Architect, Amazon Web Services
Oracle OpenWorld - A quick take on all 22 press releases of Day #1 - #3
Holger Mueller
Take a look at Constellation Research Analyst Holger Mueller walking through all 22 Oracle OpenWorld press releases - capturing Day #1 till Day #3 - and ongoing in San Francisco.
(BDT306) Mission-Critical Stream Processing with Amazon EMR and Amazon Kinesi...
Amazon Web Services
Organizations processing mission critical high-volume data must be able to achieve high levels of throughput and durability in data processing workflows. In this session, we will learn how DataXu is using Amazon Kinesis, Amazon S3, and Amazon EMR for its patented approach to programmatic marketing. Every second, the DataXu Marketing Cloud processes over 1 Million ad requests and makes more than 40 billion decisions to select and bid on ad impressions that are most likely to convert. In addition to addressing the scalability and availability of the platform, we will explore Amazon Kinesis producer and consumer applications that support high levels of scalability and durability in mission-critical record processing.
This is the story of a company that had 10s of customers and were facing severe scaling issues. They approached us. They had a good product predicting a few hundred customers within 6 months. VCs went to them. Infrastructure scaling was the only unknown; funding for software-defined data centers. We introduced Terraform for infrastructure creation, Chef for OS hardening, and then Packer for supporting AWS as well as vSphere. Then, after a few more weeks, when there was a need for faster response from the data center, we went into Serf to immediately trigger chef-clients and then to Consul for service monitoring.
Want to describe this journey.
Finally, we did the same exact thing at a Fortune 500 customer to replace 15 year-old scripts. We will also cover sleek ways of dealing with provisioning in different Availability Zones across various AWS regions with Terraform.
Elasticity and security are enabling enterprises to move highly regulated workloads to the AWS Cloud. However, given the sensitivity around this protected customer data, what newly released services can be implemented to remain secure and compliant? Find out in this session for Chief Security, Risk and Compliance Officers.
Speaker: Dave Walker, Security Solutions Architect, Amazon Web Services
Automated Compliance and Governance with AWS Config and AWS CloudTrail
Amazon Web Services
As your cloud operations evolve, the complexity of governance, compliance, and risk auditing of your AWS account increases. With AWS Config you can automate your controls and compliance efforts so that they scale with your cloud footprint. You can proactively audit your AWS resources, assess changes in configurations, and leverage a visual dashboard to check your overall compliance status. In this session, we will help you use AWS Config and other AWS Management Tools to automate configuration governance so that compliance is embedded in the development process.
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Amazon Web Services
We constantly hear about huge hacks in the media, with companies losing millions of dollars in an instant. While this problem is large for the enterprise side of the world, it is even more detrimental when it comes to the fedspace. CloudCheckr Co-Founder & CEO Aaron Newman will highlight effective strategies and tools that AWS users can employ to improve their security posture. Oftentimes the biggest threat to security is the human; Aaron will go through ways to work around this and how you can shore up security to avoid these errors. Specific emphasis will be placed upon leveraging native AWS services and the talk will include concrete steps that users can begin employing immediately. Learn More: https://aws.amazon.com/government-education/
As the number of developers and size of your infrastructure on AWS grows, timely investments in self-service and monitoring can help you scale operations without being the bottleneck. You can standardize infrastructure configurations for commonly used products to enable your customers to self-serve infrastructure needs for their apps. Once these resources are provisioned, you can easily understand how they are connected to administer them effectively, and monitor changes to configurations and evaluate drift. In this session, we will discuss how you can achieve a sophisticated level of standardization, configuration compliance, and monitoring using a combination of AWS Service Catalog, AWS Config, and AWS CloudTrail.
Providing more control around how to manage your AWS accounts with our newly launched service - AWS Organizations. In this session we'll look at aspects affecting your account management before and after AWS Organizations, how AWS Organizations can programmatically create and manage your AWS accounts and apply organisational controls with familiar policies across these accounts to meet your business needs. We'll also cover best practices and troubleshooting tips to get you started.
Speaker: Pierre Liddle, Solutions Architect, Amazon Web Services
ENT302 Deep Dive on AWS Management Tools and New Launches
Amazon Web Services
As companies shift workloads into the cloud, IT organizations are required to manage an increasing number of cloud resources. AWS provides a broad set of services that help IT organizations with provisioning, tracking, auditing, configuration management, and cost management of their AWS resources. In this session, we will explore the AWS Management Tools suite of services that support the lifecycle management of AWS resources at scale and enable IT governance and compliance. The Deep Dive on AWS Management Tools session will benefit both new and experienced IT administrators, systems administrators, and developers operating infrastructure on AWS and interested in learning about the AWS resource management capabilities.
AWS Landing Zone - Architecting Security and Governance
Akesh Patil
This slide deck provides an overview of the AWS Landing Zone, which is a well-architected, multi-account AWS environment designed to be scalable and secure. It serves as a starting point for organizations to quickly launch and deploy workloads and applications on AWS.
The deck explains the key components and capabilities of the AWS Landing Zone, including:
The use of AWS Control Tower, a service that simplifies the setup and governance of a multi-account Landing Zone environment following AWS best practices.
1. The Landing Zone's objectives, such as establishing an account structure, developing a governance framework, implementing centralized identity and access management, and optimizing costs.
2. The technical foundations of the Landing Zone, including Organization Units (OUs), preventive and detective guardrails, and the integration of AWS security services like CloudTrail, Config, GuardDuty, Inspector, and Security Hub.
AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)
Amazon Web Services
CloudCheckr Co-Founders Aaron Newman and Aaron Klein will highlight effective strategies and tools that AWS users can employ to improve their security posture. Specific emphasis will be placed upon leveraging native AWS services and the talk will include concrete steps that users can begin employing immediately. Session sponsored by CloudCheckr.
AWS Competency Partner
Governance @ Scale: Compliance Automation in AWS | AWS Public Sector Summit 2017
Amazon Web Services
You did it! You've made the decision to migrate, but governance is slowing you down. Traditionally, IT governance has required long, detailed documents and hours of work, until now. AWS and Trend Micro are helping enterprises today to seamlessly overcome, and automate, the top three barriers you face when scaling governance; Account Management, Cost Enforcement and Compliance Automation. Join this session and get a peek at the inner workings of the AWS & Trend Micro Governance @ scale solution that helps you quickly deliver high-impact controls in an automated, repeatable fashion. Learn More: https://aws.amazon.com/government-education/
by Jeff Puchalski, Application Security Engineer, AWS
Insider threat detection! How do we use AWS products to find an insider threat? We will cover Macie, GuardDuty and Lambda to review a production account's actions and remediate findings as they arise. We will also cover the utilization of CloudWatch to unify our finds into a single pane of glass.
Multi cloud governance best practices - AWS, Azure, GCP
Faiza Mehar
If you are looking for complete instructions on how to build your own Cloud governance process and control then view our recorded webinar on our YouTube channel. We take you step by step on what is governance for the cloud and a focus area for security governance.
Similar to Security Architecture recommendations for your new AWS operation - Pop-up Loft TLV 2017 (20)
How to build forecasting services using ML algorithms and deep learn...
Amazon Web Services
Forecasting is an important process for many companies and is used in various areas to try to accurately predict the growth and distribution of a product, the use of the resources needed on production lines, financial presentations and much more. Amazon uses advanced forecasting techniques, and some of these services have been made available to all AWS customers.
In this session we will show how to pre-process data that contains a time component and then use an algorithm that, based on the type of data analyzed, produces an accurate forecast.
Big Data for Startups: how to build Big Data applications in Server...
Amazon Web Services
The variety and quantity of data created every day is accelerating ever faster and represents an unrepeatable opportunity to innovate and create new startups.
However, managing large amounts of data can seem complex: creating large-scale Big Data clusters appears to be an investment accessible only to established companies. But the elasticity of the Cloud and, in particular, Serverless services allow us to break through these limits.
Let's see how it is possible to develop Big Data applications quickly, without worrying about infrastructure, dedicating all our resources to developing our ideas to create innovative products.
You can now use Amazon Elastic Kubernetes Service (EKS) to run Kubernetes pods on AWS Fargate, the serverless compute engine built for containers on AWS. This makes it easier than ever to build and run your Kubernetes applications in the AWS cloud. In this session we will present the main features of the service and how to deploy your application in a few steps.
Twenty years ago Amazon went through a radical transformation with the goal of increasing the pace of innovation. During this period we learned how changing our approach to application development allowed us to significantly increase agility and release velocity and, ultimately, enabled us to build more reliable and scalable applications. In this session we will explain how we define modern applications and how building modern apps affects not only the application architecture, but also the organizational structure, the development release pipelines and even the operating model. We will also describe common approaches to modernization, including the approach used by Amazon.com itself.
How to spend up to 90% less with containers and Spot Instances
Amazon Web Services
The use of containers is growing continuously.
When designed correctly, container-based applications are very often stateless and flexible.
The AWS services ECS, EKS and Kubernetes on EC2 can take advantage of Spot Instances, leading to an average saving of 70% compared with On-Demand Instances. In this session we will discover together what the characteristics of Spot Instances are and how they can easily be used on AWS. We will also learn how Spreaker uses Spot Instances to run different types of applications, in production, at a fraction of the on-demand cost!
In recent months, many customers have been asking us the question: how to monetise Open APIs, simplify Fintech integrations and accelerate adoption of various Open Banking business models. Therefore, AWS and FinConecta would like to invite you to Open Finance marketplace presentation on October 20th.
Event Agenda:
Open banking so far (short recap)
• PSD2, OB UK, OB Australia, OB LATAM, OB Israel
Intro to Open Finance marketplace
• Scope
• Features
• Tech overview and Demo
The role of the Cloud
The Future of APIs
• Complying with regulation
• Monetizing data / APIs
• Business models
• Time to market
One platform for all: a Strategic approach
Q&A
Make your startup's offering unique on the market with Machine Lea... services
Amazon Web Services
To create value and build a differentiating, recognizable offering of their own, successful startups know how to combine established technologies with innovative components created ad hoc.
AWS provides ready-to-use services and, at the same time, lets you customize and create the differentiating elements of your offering.
Focusing on Machine Learning technologies, we will see how to select the artificial intelligence services offered by AWS and, also through a demo, how to build custom Machine Learning models using SageMaker Studio.
OpsWorks Configuration Management: automate the management and deployments of...
Amazon Web Services
With the traditional approach to IT, for many years it was difficult to implement DevOps techniques, which until now have often involved manual activities, occasionally leading to application downtime and interrupting users' operations. With the advent of the cloud, DevOps techniques are now within everyone's reach at low cost for any kind of workload, ensuring greater system reliability and resulting in significant improvements in business continuity.
AWS offers AWS OpsWorks as a Configuration Management tool that aims to automate and simplify the management and deployments of EC2 instances by means of Chef and Puppet workloads.
Find out how to use AWS OpsWorks to ensure the reliability of your application installed on EC2 instances.
Microsoft Active Directory on AWS to support your Windows Workloads
Amazon Web Services
Do you want to know the options for running Microsoft Active Directory on AWS? When moving Microsoft workloads to AWS, it is important to consider how to deploy Microsoft Active Directory to support group policy management, authentication and authorization. In this session, we will discuss the options for deploying Microsoft Active Directory on AWS, including AWS Directory Service for Microsoft Active Directory and deploying Active Directory on Windows on Amazon Elastic Compute Cloud (Amazon EC2). We cover topics such as integrating your on-premises Microsoft Active Directory environment with the cloud and using SaaS applications, such as Office 365, with AWS Single Sign-On.
From facial recognition to the detection of fraud or manufacturing defects, image and video analysis using artificial intelligence techniques is evolving and being refined at a rapid pace. In this webinar we will explore the possibilities offered by AWS services for applying state-of-the-art computer vision techniques to real-world scenarios.
Amazon Web Services and VMware are organizing a free virtual event next Wednesday, October 14, from 12:00 to 13:00, dedicated to VMware Cloud™ on AWS, the on-demand service that lets you run applications in cloud environments based on VMware vSphere® and access a wide range of AWS services, taking full advantage of the potential of the AWS cloud while protecting existing VMware investments.
Many organizations take advantage of the cloud by migrating their Oracle workloads, securing significant benefits in terms of agility and cost efficiency.
Migrating these workloads can create complexity during application modernization and refactoring, and on top of this there are performance risks that can be introduced when moving applications out of on-premises data centers.
Create your first serverless ledger-based app with QLDB and NodeJS
Amazon Web Services
Many companies today build applications with ledger-type functionality, for example to verify the history of credits and debits in banking transactions or to keep track of the supply chain flow of their products.
At the heart of these solutions are ledger databases, which provide a transparent, immutable and cryptographically verifiable transaction log, but they are complex and costly tools to manage.
Amazon QLDB eliminates the need to build complex custom systems by providing a fully managed serverless ledger database.
In this session we will find out how to build a complete serverless application that uses the features of QLDB.
With the rise of microservice architectures and rich mobile and web applications, APIs are more important than ever for delivering an exceptional user experience to end users. In this session we will learn how to tackle modern API design challenges with GraphQL, an open source API query language used by Facebook, Amazon and others, and how to use AWS AppSync, a managed serverless GraphQL service on AWS. We will dig into several scenarios, understanding how AppSync can help solve these use cases by creating modern APIs with real-time and offline data update capabilities.
We will also learn how Sky Italia uses AWS AppSync to deliver real-time sports updates to the users of its web portal.
Oracle Database and VMware Cloud™ on AWS: debunking the myths
Amazon Web Services
Many organizations take advantage of the cloud by migrating their Oracle workloads, securing significant benefits in terms of agility and cost efficiency.
Migrating these workloads can create complexity during application modernization and refactoring, and on top of this there are performance risks that can be introduced when moving applications out of on-premises data centers.
In these slides, AWS and VMware experts present simple, practical tips to facilitate and simplify the migration of Oracle workloads while accelerating the transformation to the cloud; they go deeper into the architecture and demonstrate how to take full advantage of the potential of VMware Cloud™ on AWS.
Amazon Elastic Container Service (Amazon ECS) is a highly scalable container management service that simplifies the management of Docker containers through an orchestration layer that controls deployment and the related lifecycle. In this session we will present the main features of the service, the reference architectures for different workloads and the simple steps needed to quickly migrate one or more of your containers.
The new frontiers of AI in RPA with UiPath Autopilot™
UiPathCommunity
In this free online event, organized by the UiPath Italian Community, you can explore the new features of Autopilot, the tool that integrates Artificial Intelligence into the development and use of automations.
Together we will look at some examples of using Autopilot in different tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
Curious about our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
DevOps and Testing slides at DASA Connect
Kari Kakkonen
My and Rik Marselis's slides from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is and finally what testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Enhancing Performance with Globus and the Science DMZ
Globus
ESnet has led the way in helping national facilities, and many other institutions in the research community, configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster: a step-by-step guide to success!
KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
2. What to expect from the session
• "Everything Starts with a Threat Model"
• Control Mapping
• Existing Multi-Account Strategies, and Multi-Account Planning
• Organizations
• Compliance and Scoping
• CIS Benchmarks
• Putting it Together
4. "Everything starts with a threat model"
• STRIDE, DREAD, others
• Identify:
• Actors
• Vectors
• "Bad stuff that could happen when bad people get creative"
• Probabilities and consequences of bad stuff happening
• Apply technical and procedural mitigations
• All the way up the OSI stack, from network to application
5. Attack vectors
• Application-level and API-level attacks
• "If it takes input, it likely has an in-band attack vector"
• "If it has a control point, it likely has an out-of-band attack vector"
• "Even if it doesn't itself have a useful compromise, it might be a useful propagation vector"
• A successful attack = disruption or corruption of service output, or reduction in responsiveness to future service calls, or being a conduit of "bad content" to vulnerable consumers of the service
• Consider the OWASP Top 10 and other application-level attacks
7. Why a Mapping of Security Controls?
• PCI-DSS
  • standards for merchants which process credit card payments and have strict security requirements to protect cardholder data. A point-in-time certification.
• SOC 1-3
  • designed by the "big 4" auditors as an evolution of SSAE16, SAS70 etc, and to address perceived shortcomings in ISO27001. A continuous-assessment certification, covering process and implementation.
• ISO 27001
  • outlines the requirements for Information Security Management Systems. A point-in-time certification, but one which requires mature processes.
8. General Headings:
• Infrastructure meta-security
• Host security
• Network security
• Logging and Auditing
• Resilience
• User Access Control and Management
• Cryptography and Key Management
• Incident Response and Forensics
• "Anti-Malware"
• Separation of Duty
• Data Lifecycle Management
• Geolocation
• Anti-DDoS
9. "Can our current Security Functions be mapped onto AWS?"
AWS Environment Management
Logging and Auditing
Asset Management
Management Access Control
Configuration Management
Configuration
Monitoring
AWS CloudTrail
AWS Config, API
AWS IAM
Web Console
AWS CloudFormation
AWS OpsWorks
CLI
API
SDKs
Amazon CloudWatch
10. “Can our current Security Functions be mapped onto AWS?”
Network
• AWS to Customer Networks: Internet and/or Direct Connect
• Layer 2 Network Segregation: Amazon VPC
• Stateless Traffic Management: Network Access Control Lists
• IPsec VPN: VPC VGW, Marketplace
• Firewall / Layer 3 Packet Filter: Security Groups
• IDS/IPS: AWS CloudTrail, CloudWatch Logs, SNS, VPC Flow Logging
• Managed DDoS Prevention: Included in Amazon CloudFront
11. “Can our current Security Functions be mapped onto AWS?”
Encryption, Key Management
• Data-In-Flight: IPsec or TLS or your own
• Volume Encryption: Amazon EBS Encryption
• Object Encryption: Amazon S3 Encryption (Server and Client Side)
• Key Management: AWS Key Management Service
• Dedicated HSMs: AWS CloudHSM
• Database Encryption: TDE (RDS / Oracle EE), Encrypted Amazon EBS (with KMS), Encrypted Amazon Redshift
12. “Can our Current Security Functions be mapped onto AWS?”
Data Management
• Hierarchical Storage: Amazon S3 Lifecycle
• Deletion Protection: Amazon S3 MFA Delete
• Versioning: Amazon S3 Versioning
• Archiving: Amazon Glacier (optionally, with Vault Lock)
13. “Can our Current Security Functions be mapped onto AWS?”
Host / Instance Security
Traditional Controls
Instance Management
Incident Management
Asset Management
Instance Separation
Traditional Controls (mostly)
Delete-and-promote
More alternatives!
“What the API returns, is true”
PCI Level 1 Hypervisor
Dedicated Instances
15. The Story So Far
• MASCOT
• fully role- and identity-managed implementation from ProServe
• Presented at Re:Invent 2016 SAC319 (https://www.youtube.com/watch?v=pqq39mZKQXU ), SAC320 (https://www.youtube.com/watch?v=xjtSWd8z_bE )
• Bertram Dorn's work from 2014
• similar structure, but a number of differences
• https://youtu.be/CNSaJs7pWjA
• Neither covers Organizations (yet)
• MASCOT had some coverage for KMS
16. What Needs Segregating from What?
• Obvious cases first:
• Read access to Billing and Log records from everyone, except Auditors and Security
• ...and even then, access should be limited to appropriate cases
• consider evidential weight
• Prod from Dev, Test and Staging
• remember Knight Capital?
• also "bug ringfencing"
• Compliance in-scope from out-of-scope
• auditors need to see a hard scope boundary
• you will want to keep in-scope as small as possible
• use both AWS Accounts and VPCs for this
17. What Needs Segregating from What?
• Less obvious cases:
• Look at your org chart and body of policies
• Consider how Separation of Duty and Need to Know operate
• both in and between departments
• Within org charts, policy, compliance scoping, and the need to ringfence dev accounts where bugs could impact API access, lie the answers to "how many
• AWS Organizations
• KMS CMKs
• AWS accounts
• ...do I need?"
21. What do customers want to do?
• Use AWS account boundaries for isolation.
• Centrally manage policies across many accounts.
• Delegate permissions, but maintain guardrails.
• See combined view of all charges.
22. Introducing AWS Organizations
Policy-based management for multiple AWS accounts.
• Control AWS service use across accounts
• Consolidate billing
• Automate AWS account creation
23. Typical Use Cases
• Control the use of AWS services to help comply with corporate security and compliance policies.
• Service Control Policies (SCPs) help you centrally control AWS service use across multiple AWS accounts.
• Ensure that entities in your accounts can use only the services that meet your corporate security and compliance policy requirements.
24. Typical Use Cases
• Automate the creation of AWS accounts for different resources.
• API driven AWS account creation.
• Use APIs to add the new account to a group and attach service control policies.
• Use API response to trigger additional automation (eg deploy CloudFormation template)
25. Typical Use Cases
• Create different groups of accounts for development and production resources.
• Organise groups into a hierarchy.
• Apply different policies to each group.
• Alternatively, group according to lines-of-business or other desired dimensions.
26. Key Features
• Policy framework for multiple AWS accounts.
• Group-based account management.
• Account creation and management APIs.
• Consolidated billing for all AWS accounts in your organization.
• Enable Consolidated Billing Only or All Features.
27. How is Organizations different from IAM?
• Create groups of AWS accounts with AWS Organizations.
• Use Organizations to attach SCPs to those groups to centrally control AWS service use.
• Entities in the AWS accounts can only use the AWS services allowed by both the SCP and the AWS IAM policy for the account.
28. How to get started?
• Revisit or create your account segmentation strategy.
• Decide which type of organization is right for you.
• Organize your AWS accounts according to it.
• Test & begin to apply SCPs slowly.
• Iterate on SCPs to achieve your desired state.
29. Pricing & Availability
• Available at no additional charge.
• Global service.
• Accessed through endpoint in N. Virginia region.
30. Service Control Policies (SCPs)
• Enable you to control which AWS service APIs are accessible
- Define the list of APIs that are allowed – whitelisting
- Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions
• Necessary but not sufficient
• IAM policy simulator is SCP aware
32. Best practices – AWS Organizations
1. Monitor activity in the master account using CloudTrail
2. Do not manage resources in the master account
3. Manage your organization using the principle of “Least privilege”
4. Use OUs to assign controls
5. Test controls on single AWS account first
6. Only assign controls to root of organization if necessary
7. Avoid mixing “whitelisting” and “blacklisting” SCPs in organization
8. Create new AWS accounts for the right reasons
33. More on SCPs
• Service Control Policies
• ...which look like IAM policies
• (but without support for Conditions, in v1.0)
• Imposed by Master account on child accounts
• essentially concatenate with per-child-account IAM policies
• Allows / Denies access to specific per-service API calls, or whole services
• as with IAM policies, a single explicit Deny overrides any number of explicit Allows
• But: they are also applied to the root user in the child account
• Here's where we get into Mandatory Access Control!
34. More on SCPs
• Also:
• you don't have to apply an SCP before you populate your account with assets...
• this lends the idea of "immutable infrastructure" to other services, from the point of view of the child accounts
• (including Serverless)
• eg:
• S3 websites which can't have their contents changed
• Lambda functions which are invoke-only "black boxes"
• ACM cert / key pairs which can't be deleted
• Prevent CloudTrail, Config ever being turned off
• ...
35. More on SCPs
• In Practice:
• the imposer of the SCP in the Master account gets no privilege in the child account's service, as a function of this capability
• this makes SCPs a neat 2-person rule mechanism, too
37. Compliance: How to work with AWS Certifications
• “The magic’s in the Scoping”
• If a Service isn’t in scope, that doesn’t necessarily mean it can’t be used in a compliant deployment
• …but it won’t be usable for a purpose which touches sensitive data
• See Re:Invent sessions, especially “Navigating PCI Compliance in the Cloud”, https://www.youtube.com/watch?v=LUGe0lofYa0&index=13&list=PLhr1KZpdzukcJvl0e65MqqwycgpkCENmg
• Remember the Shared Responsibility Model
• “we do our bit at AWS, but you must also do your bit in what you build using our services”
• Our audit reports make it easier for our customers to get approval from their auditors, against the same standards
• Liability can’t be outsourced…
38. Compliance: How to work with AWS Certifications
• Time-based Subtleties:
• PCI, ISO: point-in-time assessments
• SOC: assessment spread over time, therefore more rigorous assessment of procedures and operations
• (AWS Config allows you to make a path between these, for your own auditors)
• FedRAMP: Continuous Monitoring and Reporting – important proof
• If a service for defined sensitive data isn’t in scope of an audit report, can this be designed around?
• Eg standing up a queue system on EC2 as a substitute for SQS…
• Be careful of what elements of a Service are in scope, too…
• Metadata is typically “out”
39. SOC 1
• Availability:
• Audit report available to any customer with an NDA
• Scope:
• AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
• Sensitive data:
• N/A
• Particularly good for:
• Datacentre management, talks about KMS for key management and encryption at rest, discusses Engineering bastions
• Downsides:
• None
45. Industry Best Practices for Securing AWS Resources
CIS Amazon Web Services Foundations
• Architecture agnostic set of security configuration best practices
• Provides step-by-step implementation and assessment procedures
47. Now Add an Incident Response Baseline:
• Have a small NACLed subnet per AZ, per VPC for isolation of misbehaving instances
• flip their ENIs to it, as needed
• Have a Forensics role like the Audit role, per-account
• read-only access to (essentially) everything
• Have a runbook so a Forensic Investigator can work with the network admin team to:
• provision a forensic workstation AMI onto the isolation subnet
• open a hole in the NACL to the workstation from an appropriate bastion (or use Run Command to remotely operate forensic CLI tools)
48. Potential Further Extensions
• EC2 Systems Manager
• Inventory: like OSQuery
• State Manager: like OpenSCAP
• DMZs
• Bastions
• Management networks
49. Amazon EC2 Systems Manager
• Announced at Re:Invent 2016
• See sessions WIN401 (https://www.youtube.com/watch?v=Eal9K0aGLYI ) and WIN402 (https://www.youtube.com/watch?v=L5TglwWI5Yo )
50. Systems Manager Capabilities
• Capabilities: Run Command, Maintenance Windows, Inventory, State Manager, Parameter Store, Patch Manager, Automation
• Groupings shown on the slide: Configuration, Administration; Update and Track; Shared Capabilities
52. Inventory
What we heard:
• Accurate software inventory is critical for understanding fleet configuration and license usage
• Legacy solutions not optimised for cloud
• Self-hosting requires additional overhead
53. Inventory
Introducing Inventory
• End-to-end inventory collection (EC2/on-premises/Workspaces)
• Linux / Windows
• Powerful query syntax
• Extensible inventory schema
• Integrated with AWS services
54. Inventory – System Diagram
[Diagram labels: SSM Agent on EC2 Windows Instance, EC2 Linux Instance and On-Premises Instance; AWS SSM Service (State Manager, EC2 Inventory SSM document, Inventory Store); EC2 Console, SSM CLI/APIs; AWS Config; AWS Config Console + CLI/APIs]
56. Inventory – Configuration
• Create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather
• Instance information
• Applications
• AWS Components
• Network configuration
• Windows Updates
• Custom Inventory
57. Inventory – Custom Inventory Type
• Custom Inventory Collection
• Extensible: record any attribute for a given instance
• On-premise Examples: rack location, BIOS version, firewall settings
• Two ways to record custom inventory types
1. Agent/on-instance: Write a cron job to record custom inventory files to a predefined path
2. API: Use PutInventory API
58. Inventory Manager
• Query
• Search by inventory attribute
• Partial and inverse searches
• eg "Windows 2012 r2 instances running SQL Server 2016 where Windows Update KB112342 is not installed"
• Integration with AWS Config
• Record inventory changes over time
• Use AWS Config Rules to monitor changes, notify
60. State Manager
• Maintain consistent state of instances
• Reapply to keep instances from drifting
• Easily view status of configuration changes
• Define schedule – ad hoc, periodic
• Track aggregate status for your fleet
61. State Manager – Getting started
• Document: Author your intent
• Target: Instances or tag queries
• Association: Binding between a document and a target
• Schedule: When to apply your association
• Status: Check the state of your association at an aggregate or instance level
62. Creating an Association
    aws ssm create-association \
      --document-name WebServerDocument \
      --document-version '$DEFAULT' \
      --schedule-expression 'cron(0 */30 * * * ? *)' \
      --targets 'Key=tag:Name,Values=WebServer' \
      --output-location '{"S3Location": {"OutputS3Region": "us-east-1", "OutputS3BucketName": "MyBucket", "OutputS3KeyPrefix": "MyPrefix"}}'
• Configures all instances that match the tag query and reapplies every 30 minutes
63. AWS Enterprise Accelerator: Compliance Architectures
Sample Architecture – Security Controls Matrix
CloudFormation Templates
5 x templates
User Guide
http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html
65. S3 Subtleties
• S3 write-only cross-account sharing
• Share write-only (no reading or listing of contents) from owner account via bucket policy
• Writer accounts have IAM permissions to write
66. Billing Records Handled by Organizations
ItemDescription | UsageStartDate | UsageEndDate | UsageQuantity | CurrencyCode | CostBeforeTax | Credits | TaxAmount | TaxType | TotalCost
$0.000 per GB - regional data transfer under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.00000675 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.05 per GB-month of provisioned storage - US West (Oregon) | 01.04.14 00:00 | 30.04.14 23:59 | 1.126.666.554 | USD | 0.56 | 0.0 | 0.000000 | None | 0.560000
First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 10.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
First 1,000,000 Amazon SQS Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 4153.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.00 per GB - EU (Ireland) data transfer from US West (Northern California) | 01.04.14 00:00 | 30.04.14 23:59 | 0.00003292 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.02311019 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 88.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 3.3E-7 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
67. AWS CloudTrail logs can be delivered cross-account
CloudTrail can help achieve many tasks
Accounts can send their trails to a central account
Central account can then do analytics
Central account can:
‣ Redistribute the trails
‣ Grant access to the trails
‣ Filter and reformat Trails (to meet privacy requirements)
68. Staging and Masking Logs
• We can mask PII in CloudTrail logs
• Bertram Dorn has a Lambda function for it
• Originally intended as a proposal to address considerations in upcoming German privacy law
• Can be generalised to other consistent AWS log formats
69. Staging and Masking Logs
• Extend it to mask relevant fields in:
• CloudWatch logs
• ELB, CloudFront, Amazon VPC flow log, etc. records
• ...all of which use CloudWatch Logs
• If we use CloudWatch Events, we can use a Lambda function to land our logs in a local S3 bucket, then use a cross-account Lambda function to mask-and-forward
• Config records can be forwarded as-is
70. Staging and Masking Logs
[Diagram labels: Flow Logs etc in CW Logs; Local masking Lambda; Local S3 bucket; Cross-acct Lambda; Consolidated logs bucket]
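The masking step from slides 68 and 69, as an added Python sketch; it is not Bertram Dorn's Lambda function and omits the S3 and Lambda plumbing. Which fields count as PII, the keyed-hash pseudonym scheme, the key and the sample records are all assumptions made for this example.

```python
import copy
import hashlib
import hmac
import ipaddress
import json

# Assumption: these CloudTrail fields are the ones treated as personal data.
MASKED_PATHS = ("sourceIPAddress", "userIdentity.userName",
                "userIdentity.arn", "userIdentity.principalId")

def pseudonym(value, key):
    """Keyed hash: the same input maps to the same token, so analysts can
    still correlate events without seeing the identity."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "masked-" + digest[:16]

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def mask_record(record, key):
    """Return a masked copy of one CloudTrail record; input is not modified."""
    masked = copy.deepcopy(record)
    for path in MASKED_PATHS:
        *parents, leaf = path.split(".")
        node = masked
        for name in parents:
            node = node.get(name) if isinstance(node, dict) else None
        if not isinstance(node, dict) or not isinstance(node.get(leaf), str):
            continue  # field absent, e.g. service events carry no userName
        if path == "sourceIPAddress" and not _is_ip(node[leaf]):
            continue  # an AWS service name such as config.amazonaws.com
        node[leaf] = pseudonym(node[leaf], key)
    return masked

def mask_log_file(text, key):
    """Mask every record of a CloudTrail log file ({"Records": [...]})."""
    doc = json.loads(text)
    doc["Records"] = [mask_record(r, key) for r in doc.get("Records", [])]
    return json.dumps(doc)

def _user_event(name):
    # Constructed sample event for a constructed IAM user "alice".
    return {"eventName": name, "eventSource": "cloudtrail.amazonaws.com",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "principalId": "AIDAEXAMPLEEXAMPLE",
                             "accountId": "111122223333",
                             "arn": "arn:aws:iam::111122223333:user/alice"}}

# Constructed sample log file, not real CloudTrail output.
SAMPLE_LOG = json.dumps({"Records": [
    _user_event("StopLogging"),
    _user_event("DescribeTrails"),
    {"eventName": "GetBucketAcl", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "config.amazonaws.com",
     "userIdentity": {"type": "AWSService",
                      "invokedBy": "config.amazonaws.com"}},
]})
DEMO_KEY = b"constructed-demo-key"  # assumption: real key comes from a secret store

if __name__ == "__main__":
    print(json.dumps(json.loads(mask_log_file(SAMPLE_LOG, DEMO_KEY)), indent=2))
```
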
71. Log Analytics
• Splunk, SumoLogic, other AWS Marketplace products
• ElasticSearch and Kibana
• https://aws.amazon.com/blogs/security/how-to-optimize-and-visualize-your-security-groups/
• Athena
• "Run SQL against S3"
• QuickSight
• Intended for Business Intelligence, but bendable to purpose...
72. [Architecture diagram, built up across slides 72 and 74 to 86; only the labels survive]
Legend: Read-only, read-all flow; API and IAM call flow; Logging traffic flow; Billing traffic flow; Cryptographic key use; Backup traffic flow; Organization member account; Organization non-member account
Labels on slide 72: On-premise; IdP server; API Endpoints; AWS Account: Billing; bucket
74. New labels: AWS Organizations; AWS Account: Bill Aggregation and Anonymisation; AWS Account: Anonymised Bills; AWS Lambda; role; bucket
75. New labels: AWS Account: Logging
76. New labels: AWS Account: Log aggregation and anonymisation; AWS Account: Anonymised Logs
77. New labels: AWS Account: IAM Federation; AWS IAM
78. New labels: AWS Account: Resources
79. New labels: a second AWS Account: Resources, with AWS IAM
80. New labels: AWS Account: Shared Svcs; AWS KMS; AWS CloudHSM; LDAP
81. New labels: AWS Account: Audit (Internal); Amazon QuickSight
82. New labels: AWS Account: Audit (External); Amazon Athena
83. New labels: AWS Account: Regulator; Amazon Redshift*
84. New labels: AWS Account: Backups; AWS Service Catalog
85. New labels: AWS Account: Forensic Repo; AWS Account: Forensic Working; AWS Account: Working Repo
86. New labels: AWS Account: Abstraction, Filtering and Aggregation; AWS Account: Front-end; Amazon API Gateway