Security Architecture recommendations for your new AWS operation - Pop-up Loft TLV 2017

Security Architecture
Recommendations for your
New AWS Operation
Dave Walker
Specialist Solutions Architect,
Security and Compliance

What to expect from the session
• "Everything Starts with a Threat Model"
• Control Mapping
• Existing Multi-Account Strategies, and Multi-Account Planning
• Organizations
• Compliance and Scoping
• CIS Benchmarks
• Putting it Together

“Everything starts with a threat model”
• STRIDE, DREAD, others
• Identify:
• Actors
• Vectors
• “Bad stuff that could happen when bad people get creative”
• Probabilities and consequences of bad stuff happening
• Apply technical and procedural mitigations
• All the way up the OSI stack, from network to application

Attack vectors
• Application-level and API-level attacks
• “If it takes input, it likely has an in-band attack vector”
• “If it has a control point, it likely has an out-of-band attack vector”
• “Even if it doesn’t itself have a useful compromise, it might be a useful
propagation vector”
• A successful attack = disruption or corruption of service output, or
reduction in responsiveness to future service calls, or being a conduit
of “bad content” to vulnerable consumers of the service
• Consider the OWASP Top 10 and other application-level attacks

Why a Mapping of Security Controls?
• PCI-DSS
• standards for merchants which process credit card payments and
have strict security requirements to protect cardholder data. A point-
in-time certification.
• SOC 1-3
• designed by the “big 4” auditors as an evolution of SSAE16, SAS70
etc, and to address perceived shortcomings in ISO27001. A
continuous-assessment certification, covering process and
implementation.
• ISO 27001
• outlines the requirements for Information Security Management
Systems. A point-in-time certification, but one which requires
mature processes.

General Headings:
• Infrastructure meta-security
• Host security
• Network security
• Logging and Auditing
• Resilience
• User Access Control and Management
• Cryptography and Key Management
• Incident Response and Forensics
• “Anti-Malware”
• Separation of Duty
• Data Lifecycle Management
• Geolocation
• Anti-DDoS

“Can our current Security Functions be mapped onto AWS?”
AWS Environment Management
Logging and Auditing
Asset Management
Management Access Control
Configuration Management
Configuration
Monitoring
AWS CloudTrail
AWS Config, API
AWS IAM
Web Console
AWS CloudFormation
AWS OpsWorks
CLI
API
SDKs
Amazon CloudWatch

Network
AWS to Customer Networks
Layer 2 Network Segregation
Stateless Traffic Management
IPsec VPN
Firewall/ Layer 3 Packet Filter
IDS/IPS
Managed DDoS Prevention
Internet and/or Direct Connect
Amazon VPC
Network Access Control Lists
VPC VGW, Marketplace
Security Groups
AWS CloudTrail, CloudWatch
Logs,SNS, VPC Flow Logging
Included in Amazon CloudFront

Encryption, Key Management
Data-In-Flight
Volume Encryption
Object Encryption
Key Management
Dedicated HSMs
Database Encryption
IPsec or TLS or your own
Amazon EBS Encryption
Amazon S3 Encryption (Server and Client Side)
AWS Key Management Service
AWS CloudHSM
TDE (RDS / Oracle EE)
Encrypted Amazon EBS (with KMS)
Encrypted Amazon Redshift

“Can our Current Security Functions be mapped onto AWS?”
Data Management
Hierarchical Storage
Deletion Protection
Versioning
Archiving
Amazon S3 Lifecycle
Amazon S3 MFA Delete
Amazon S3 Versioning
Amazon Glacier (optionally, with Vault Lock)

“Can our Current Security Functions be mapped onto AWS?”
Host / Instance Security
Traditional Controls
Instance Management
Incident Management
Asset Management
Instance Separation
Traditional Controls (mostly)
Delete-and-promote
More alternatives!
“What the API returns, is true”
PCI Level 1 Hypervisor
Dedicated Instances

Existing Multi-Account Strategies, and
Multi-Account Planning

The Story So Far
• MASCOT
• fully role- and identity-managed implementation from ProServe
• Presented at Re:Invent 2016 SAC319
(https://www.youtube.com/watch?v=pqq39mZKQXU ), SAC320
(https://www.youtube.com/watch?v=xjtSWd8z_bE )
• Bertram Dorn's work from 2014
• similar structure, but a number of differences
• https://youtu.be/CNSaJs7pWjA
• Neither covers Organizations (yet)
• MASCOT had some coverage for KMS

What Needs Segregating from What?
• Obvious cases first:
• Read access to Billing and Log records from everyone, except Auditors and
Security
• ...and even then, access should be limited to appropriate cases
• consider evidential weight
• Prod from Dev, Test and Staging
• remember Knight Capital?
• also "bug ringfencing"
• Compliance in-scope from out-of-scope
• auditors need to see a hard scope boundary
• you will want to keep in-scope as small as possible
• use both AWS Accounts and VPCs for this

• Less obvious cases:
• Look at your org chart and body of policies
• Consider how Separation of Duty and Need to Know operate
• both in and between departments
• Within org charts, policy, compliance scoping, and the need to
ringfence dev accounts where bugs could impact API access, lies the
answers to "how many
• AWS Organizations
• KMS CMKs
• AWS accounts
• ...do I need?"
What Needs Segregating from What?

In the beginning…
Your AWS Account
You

Today
Jump
Account
Your Cloud Team
Dev Account
Prod Account
Data Science
Account
Audit Account
Cross Account
Trusts
Cross Account
Resource Access
You

What do customers want to do?
Use AWS account
boundaries for
isolation.
Centrally manage
policies across
many accounts.
Delegate
permissions, but
maintain
guardrails.
See combined
view of all
charges.

Introducing AWS Organizations
Control AWS service
use across accounts
Policy-based management for multiple AWS accounts.
Consolidate billingAutomate AWS
account creation

Typical Use Cases
• Control the use of AWS services to help comply with
corporate security and compliance policies.
• Service Control Policies (SCPs) help you centrally control
AWS service use across multiple AWS accounts.
• Ensure that entities in your accounts can use only the
services that meet your corporate security and
compliance policy requirements.

• Automate the creation of AWS accounts for different
resources.
• API driven AWS account creation.
• Use APIs to add the new account to a group and attach
service control policies.
• Use API response to trigger additional automation (eg
deploy CloudFormation template)
Typical Use Cases

• Create different groups of accounts for development and
production resources.
• Organise groups into a hierarchy.
• Apply different policies to each group.
• Alternatively, group according to lines-of-business or
other desired dimensions.
Typical Use Cases

Key Features
• Policy framework for multiple AWS accounts.
• Group-based account management.
• Account creation and management APIs.
• Consolidated billing for all AWS accounts in your organization.
• Enable Consolidated Billing Only or All Features.

How is Organizations different from IAM?
• Create groups of AWS accounts with AWS Organizations.
• Use Organizations to attach SCPs to those groups to centrally control
AWS service use.
• Entities in the AWS accounts can only use the AWS services allowed
by both the SCP and the AWS IAM policy for the account.

How to get started?
• Revisit or create your account segmentation strategy.
• Decide which type of organization is right for you.
• Organize your AWS accounts according to it.
• Test & begin to apply SCPs slowly.
• Iterate on SCPs to achieve your desired state.

Pricing & Availability
• Available at no additional charge.
• Global service.
• Accessed through endpoint in N. Virginia region.

Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are accessible
- Define the list of APIs that are allowed – whitelisting
- Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection between
the SCP and assigned IAM permissions
• Necessary but not sufficient
• IAM policy simulator is SCP aware

{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "redshift:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeKeyPairs",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
}
Blacklisting example Whitelisting example

Best practices – AWS Organizations
1. Monitor activity in the master account using CloudTrail
2. Do not manage resources in the master account
3. Manage your organization using the principal of “Least privilege”
4. Use OUs to assign controls
5. Test controls on single AWS account first
6. Only assign controls to root of organization if necessary
7. Avoid mixing “whitelisting” and “blacklisting” SCPs in organization
8. Create new AWS accounts for the right reasons

More on SCPs
• Service Control Policies
• ...which look like IAM policies
• (but without support for Conditions, in v1.0)
• Imposed by Master account on child accounts
• essentially concatenate with per-child-account IAM policies
• Allows / Denies access to specific per-service API calls, or whole services
• as with IAM policies, a single explicit Deny overrides any number of explicit
Allows
• But: they are also applied to the root user in the child account
• Here's where we get into Mandatory Access Control! 

More on SCPs
• Also:
• you don't have to apply an SCP before you populate your account with
assets...
• this lends the idea of "immutable infrastructure" to other services, from
the point of view of the child accounts
• (including Serverless)
• eg:
• S3 websites which can't have their contents changed
• Lambda functions which are invoke-only "black boxes"
• ACM cert / key pairs which can't be deleted
• Prevent CloudTrail, Config ever being turned off
• ...

More on SCPs
• In Practice:
• the imposer of the SCP in the Master account gets no privilege in the child
account's service, as a function of this capability
• this makes SCPs a neat 2-person rule mechanism, too

Compliance: How to work with AWS Certifications
• “The magic’s in the Scoping”
• If a Service isn’t in scope, that doesn’t necessarily mean it can’t be used in a
compliant deployment
• …but it won’t be usable for a purpose which touches sensitive data
• See Re:Invent sessions, especially "Navigating PCI Compliance in the Cloud”,
https://www.youtube.com/watch?v=LUGe0lofYa0&index=13&list=PLhr1KZp
dzukcJvl0e65MqqwycgpkCENmg
• Remember the Shared Responsibility Model
• “we do our bit at AWS, but you must also do your bit in what you build using our
services”
• Our audit reports make it easier for our customers to get approval from
their auditors, against the same standards
• Liability can’t be outsourced…

Compliance: How to work with AWS Certifications
• Time-based Subtleties:
• PCI, ISO: point-in-time assessments
• SOC: assessment spread over time, therefore more rigorous assessment of
procedures and operations
• (AWS Config allows you to make a path between these, for your own auditors)
• FedRAMP: Continuous Monitoring and Reporting – important proof
• If a service for defined sensitive data isn’t in scope of an audit report,
can this be designed around?
• Eg standing up a queue system on EC2 as a substitute for SQS…
• Be careful of what elements of a Service are in scope, too…
• Metadata is typically “out”

SOC 1
• Availability:
• Audit report available to any customer with an NDA
• Scope:
• AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon
DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon
ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon
Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage
Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
• Sensitive data:
• N/A
• Particularly good for:
• Datacentre management, talks about KMS for key management and encryption
at rest, discusses Engineering bastions
• Downsides:
• None

SOC 2
• Availability:
• Scope:
• AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB,
Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon
Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES,
Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export,
Amazon VPC, Amazon Workspaces
• Sensitive data:
• N/A
• Risk assessment considerations, management visibility and process,
organisational structure
• Downsides:
• None

PCI-DSS
• Availability:
• Scope:
• Amazon EC2, Application Auto Scaling, ELB, Amazon VPC, Amazon Route 53, AWS Direct Connect,
Amazon S3, Amazon Glacier, Amazon EBS, Amazon RDS, Amazon DynamoDB, Amazon SimpleDB,
Amazon Redshift, Amazon EMR, Amazon SWF, IAM, AWS CloudTrail, AWS CloudHSM, Amazon SQS,
Amazon CloudFront, AWS CloudFormation, AWS Elastic Beanstalk, AWS KMS, Amazon ECS, AWS WAF
• Sensitive data:
• CVV, PAN
• Forensics cooperation, breach disclosure, explaining Shared Responsibility in
depth; also Hypervisor-based instance separation assurance
• Downsides:
• None (since the August 2015 update, when KMS was added)

ISO 27001
• Availability:
• Certificate is public at
http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf, Statement of
Applicability is normally not available externally
• Scope:
• AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory
Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon
EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon
S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export,
Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
• N/A
• A broad-ranging “backstop” and important “tick box item” – ISMS considerations
• Downsides:
• No detailed audit report available

ISO 27018
• Availability:
• Certificate available at
https://d0.awsstatic.com/certifications/iso_27018_certification.pdf
• Scope:
• AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory
Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon
EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon
S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export,
Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
• PII
• Assurance of protection of PII in AWS environments
• Downsides:
• No detailed audit report available

Baselining Individual Accounts

Industry Best Practices for
Securing AWS Resources
CIS Amazon Web Services Foundations
Architecture agnostic set of security configuration
best practices
provides set-by-step implementation and
assessment procedures

CIS AWS Foundation Automation is mostly there...

Now Add an Incident Response Baseline:
• Have a small NACLed subnet per AZ, per VPC for isolation of misbehaving
instances
• flip their ENIs to it, as needed
• Have a Forensics role like the Audit role, per-account
• read-only access to (essentially) everything
• Have a runbook so a Forensic Investigator can work with the network admin
team to:
• provision a forensic workstation AMI onto the isolation subnet
• open a hole in the NACL to the workstation from an appropriate bastion
(or use Run Command to remotely operate forensic CLI tools)

Potential Further Extensions
• EC2 Systems Manager
• Inventory: like OSQuery
• State Manager: like OpenSCAP
• DMZs
• Bastions
• Management networks

Amazon EC2 Systems Manager
• Announced at Re:Invent 2016
• See sessions WIN401
(https://www.youtube.com/watch?v=Eal9K0aGLYI ) and WIN402
(https://www.youtube.com/watch?v=L5TglwWI5Yo )

Systems Manager Capabilities
Run Command Maintenance
Windows
Inventory
State Manager Parameter Store
Patch Manager
Automation
Configuration,
Administration
Update and
Track
Shared
Capabilities

Inventory
What we heard:
• Accurate software inventory is critical for understanding fleet
configuration and license usage
• Legacy solutions not optimised for cloud
• Self-hosting requires additional overhead

Inventory
Introducing Inventory
• End-to-end inventory collection (EC2/on-premises/Workspaces)
• Linux / Windows
• Powerful query syntax
• Extensible inventory schema
• Integrated with AWS services

Inventory – System Diagram
SSMAgent
EC2 Windows
Instance
SSMAgent
EC2 Linux
Instance
SSMAgent
On-
Premises
Instance
AWS SSM Service
State Manager
EC2 Inventory SSM
document
Inventory
Store
EC2 Console,
SSM CLI/APIs
AWS Config
AWS Config
Console + CLI/APIs

Inventory – Getting Started
1. Configure Inventory
policy
2Apply Inventory
policy
3Query inventory

Inventory – Configuration
• Create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather
• Instance information
• Applications
• AWS Components
• Network configuration
• Windows Updates
• Custom Inventory

Inventory – Custom Inventory Type
• Custom Inventory Collection
• Extensible: record any attribute for a given instance
• On-premise Examples: rack location, BIOS version, firewall settings
• Two ways to record custom inventory types
1. Agent/on-instance: Write a cron job to record custom inventory files
to a predefined path
2. API: Use PutInventory API

Inventory Manager
• Query
• Search by inventory attribute
• Partial and inverse searches
• eg "Windows 2012 r2 instances running SQL Server 2016 where Windows
Update KB112342 is not installed"
• Integration with AWS Config
• Record inventory changes over time
• Use AWS Config Rules to monitor changes, notify

State Manager
• Maintain consistent state of instances
• Reapply to keep instances from drifting
• Easily view status of configuration changes
• Define schedule – ad hoc, periodic
• Track aggregate status for your fleet

State Manager – Getting started
• Document: Author your intent
• Target: Instances or tag queries
• Association: Binding between a document and a
target
• Schedule: When to apply your association
• Status: Check the state of your association at an
aggregate or instance level

Creating an Association
• aws ssm create-association
• --document-name WebServerDocument
• --document-version $DEFAULT
• --schedule-expression cron(0 */30 * * * ? *)
• --targets “Key=tag:Name;Values=WebServer”
• --output-location "{ "S3Location": { "OutputS3Region": “us-east-1",
"OutputS3BucketName": “MyBucket", "OutputS3KeyPrefix": “MyPrefix" }
}“
• Configures all instances that match the tag query and reapplies every 30
minutes

AWS Enterprise Accelerator:
Compliance Architectures
Sample Architecture –
Security Controls Matrix
Cloudformation Templates
5 x templates
User Guide
http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html

S3 Subtleties
• S3 write-only cross-account sharing
• Share write-only (no reading or listing of contents) from owner account
via bucket policy
• Writer accounts have IAM permissions to write

Billing Records Handled by Organizations
ItemDescription
UsageStart
Date
UsageEnd
Date
UsageQuanti
ty
Currency
Code
CostBefo
reTax
Cred
its
TaxAm
ount
TaxTy
pe
TotalCo
st
$0.000 per GB - regional data transfer under the monthly
global free tier
01.04.14
00:00
30.04.14
23:59 0.00000675 USD 0.00 0.0
0.0000
00 None
0.00000
0
$0.05 per GB-month of provisioned storage - US West
(Oregon)
01.04.14
00:00
30.04.14
23:59
1.126.666.5
54 USD 0.56 0.0
0.0000
00 None
0.56000
0
First 1,000,000 Amazon SNS API Requests per month are
free
01.04.14
00:00
30.04.14
23:59 10.0 USD 0.00 0.0
0.0000
00 None
0.00000
0
First 1,000,000 Amazon SQS Requests per month are free
01.04.14
00:00
30.04.14
23:59 4153.0 USD 0.00 0.0
0.0000
00 None
0.00000
0
$0.00 per GB - EU (Ireland) data transfer from US West
(Northern California)
01.04.14
00:00
30.04.14
23:59 0.00003292 USD 0.00 0.0
0.0000
00 None
0.00000
0
$0.000 per GB - data transfer out under the monthly
global free tier
01.04.14
00:00
30.04.14
23:59 0.02311019 USD 0.00 0.0
0.0000
00 None
0.00000
0
First 1,000,000 Amazon SNS API Requests per month are
free
01.04.14
00:00
30.04.14
23:59 88.0 USD 0.00 0.0
0.0000
00 None
0.00000
0
$0.000 per GB - data transfer out under the monthly
global free tier
01.04.14
00:00
30.04.14
23:59 3.3E-7 USD 0.00 0.0
0.0000
00 None
0.00000
0

AWS CloudTrail logs can be delivered cross-account
CloudTrail can help achieve many tasks
Accounts can send their trails to a central
account
Central account can then do analytics
Central account can:
‣ Redistribute the trails
‣ Grant access to the trails
‣ Filter and reformat Trails (to meet privacy
requirements)

Staging and Masking Logs
• We can mask PII in CloudTrail logs
• Bertram Dorn has a Lambda function for it
• Originally intended as a proposal to address considerations in upcoming German privacy
law
• Can be generalised to other consistent AWS log formats

• Extend it to mask relevant fields in:
• CloudWatch logs
• ELB, CloudFront, Amazon VPC flow log, etc. records
• ...all of which use CloudWatch Logs
• If we use CloudWatch Events, we can use a Lambda function to land
our logs in a local S3 bucket, then use a cross-account Lambda function
to mask-and-forward
• Config records can be forwarded as-is

• Flow Logs etc
• in CW Logs
Local masking
Lambda
Local S3 bucket Cross-acct
Lambda
Consolidated
logs bucket

Log Analytics
• Splunk, SumoLogic, other AWS Marketplace products
• ElasticSearch and Kibana
• https://aws.amazon.com/blogs/security/how-to-optimize-and-visualize-
your-security-groups/
• Athena
• "Run SQL against S3"
• QuickSight
• Intended for Business Intelligence, but bendable to purpose...

On-premise
bucket
AWS Account:
Billing
IdP server
Read-only, read-all flow
API and IAM call flow
Logging traffic flow
Billing traffic flow
Cryptographic key use
Organization member
account
Organization non-member
account
Backup traffic flow
API Endpoints

On-premise
bucket
AWS Account:
Billing
IdP server
AWS
Organizations
Organization member
account
account
Backup traffic flow
API Endpoints

On-premise
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
IdP server
AWS
Organizations
Organization member
account
account
Backup traffic flow
API Endpoints

AWS Account: Logging
On-premise
bucket
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
IdP server
AWS
Organizations
Organization member
account
account
Backup traffic flow
API Endpoints

On-premise
AWS
Lambda
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
IdP server
AWS
Organizations
Organization member
account
account
Backup traffic flow
API Endpoints
role
AWS Account: Log aggregation and anonymisation

role
On-premise
AWS
Lambda
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
AWS IAM
IdP server
AWS
Organizations
Organization member
account
account
Backup traffic flow
AWS Account: IAM
Federation
API Endpoints
role

AWS Account: Resources
AWS IAM
role
On-premise
AWS
Lambda
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
AWS IAM
IdP server
AWS
Organizations
Organization member
account
account
Backup traffic flow
AWS Account: IAM
Federation
API Endpoints
role

AWS IAM
role
On-premise
AWS
Lambda
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
AWS IAM
IdP server
AWS IAM
AWS
Organizations
Organization member
account
account
Backup traffic flow
AWS Account: IAM
Federation
API Endpoints
role

AWS IAM
role
On-premise
AWS
Lambda
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
AWS IAM
IdP server
AWS IAM
AWS Account: ResourcesAWS IAM AWSKMS
AWS
Organizations
LDAP
AWS Account: Shared
Svcs
AWS
CloudHSM
Organization member
account
account
Backup traffic flow
AWS Account: IAM
Federation
API Endpoints
role

AWS IAM
role
On-premise
AWS
Lambda
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
AWS IAM
IdP server
AWS Account:
Audit
(Internal)
AWS IAM
AWS Account: ResourcesAWS IAM AWSKMS
AWS
Organizations
LDAP
AWS Account: Shared
Svcs
AWS
CloudHSM
Amazon
QuickSight
Organization member
account
account
Backup traffic flow
AWS Account: IAM
Federation
API Endpoints
role

AWS IAM
role
On-premise
AWS
Lambda
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
AWS IAM
IdP server
AWS Account:
Audit
(Internal)
AWS IAM
AWS Account:
Audit
(External)
AWS IAM AWSKMS
AWS
Organizations
LDAP
AWS Account: Shared
Svcs
AWS
CloudHSM
Amazon
Athena
Amazon
QuickSight
Organization member
account
account
Backup traffic flow
AWS Account: IAM
Federation
API Endpoints
role

AWS IAM
role
On-premise
AWS
Lambda
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
AWS IAM
IdP server
AWS Account:
Audit
(Internal)
AWS IAM
AWS Account:
Audit
(External)
AWS Account:
Regulator
AWS IAM AWSKMS
AWS
Organizations
LDAP
AWS Account: Shared
Svcs
AWS
CloudHSM
Amazon
Athena
Amazon
QuickSight
Amazon
Redshift*
Organization member
account
account
Backup traffic flow
AWS Account: IAM
Federation
API Endpoints
role

AWS IAM
role
On-premise
AWS
Lambda
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
AWS IAM
IdP server
AWS Account:
Audit
(Internal)
AWS IAM
AWS Account:
Audit
(External)
AWS Account:
Regulator
AWS IAM AWSKMS
AWS
Organizations
LDAP
AWS Account: Shared
Svcs
AWS
CloudHSM
bucket
AWS Account: Backups
Amazon
Athena
Amazon
QuickSight
Amazon
Redshift*
AWS
Service Catalog
Organization member
account
account
Backup traffic flow
AWS Account: IAM
Federation
API Endpoints
role

AWS IAM
role
On-premise
AWS
Lambda
role
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
AWS IAM
IdP server
AWS Account:
Audit
(Internal)
AWS IAM
AWS Account:
Audit
(External)
AWS Account:
Regulator
AWS IAM AWSKMS
AWS
Organizations
LDAP
AWS Account: Shared
Svcs
AWS
CloudHSM
bucket
Amazon
Athena
Amazon
QuickSight
Amazon
Redshift*
AWS
Service Catalog
bucket
AWS Account:
Forensic Repo
AWS Account:
Forensic
Working
bucket
AWS Account:
Working Repo
Organization member
account
account
Backup traffic flow
AWS Account: IAM
Federation
API Endpoints

AWS Account: Abstraction, Filtering
and Aggregation
AWS Account: Front-end
AWS IAM
role
AWS
Lambda
Amazon API
Gateway
Amazon API
Gateway
AWS
Lambda
role
On-premise
API Endpoints
AWS
Lambda
bucketbucket
AWS Account:
Anonymised
Logs
AWS
Lambda
role
bucket
AWS Account: Bill
Aggregation and
Anonymisation
bucket
AWS Account:
Anonymised
Bills
AWS IAM
IdP server
AWS Account:
Audit
(Internal)
AWS IAM
AWS Account:
Audit
(External)
AWS Account:
Regulator
AWS IAM AWSKMS
AWS
Organizations
LDAP
AWS Account: Shared
Svcs
AWS
CloudHSM
bucket
Amazon
Athena
Amazon
QuickSight
Amazon
Redshift*
AWS
Service Catalog
bucket
AWS Account:
Forensic Repo
AWS Account:
Forensic
Working
bucket
AWS Account:
Working Repo
Organization member
account
account
Backup traffic flow
role

Dave Walker
davwal@amazon.com
Your feedback
is important to us!

Security Architecture recommendations for your new AWS operation - Pop-up Loft TLV 2017

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Security Architecture recommendations for your new AWS operation - Pop-up Loft TLV 2017

Similar to Security Architecture recommendations for your new AWS operation - Pop-up Loft TLV 2017 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Security Architecture recommendations for your new AWS operation - Pop-up Loft TLV 2017