1) The document discusses initial considerations for deploying applications on AWS such as how the service will be accessed, what data is being handled, and compliance needs. 2) It then covers the AWS shared responsibility model and who manages what between AWS and the customer for different types of AWS services. 3) Practical advice is provided on security controls to deploy on AWS, including using Route 53, CloudFront, S3 buckets, application load balancers, and VPC components. 4) The document concludes by recommending several AWS security audit tools including CloudTrail, Config, GuardDuty, and VPC flow logs to ensure deployments are working as planned.

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chris Johnson, Solutions Architect
April, 2018
Security Architectures on AWS

2. What we’ll cover today …
• Initial considerations before you deploy
• Walk through AWS Shared Responsibility Model
• Practical advice on AWS security controls to deploy
• Practical advice on AWS security audit tooling

3. But first …
(Initial considerations before you deploy)

4. Ask yourself some questions:
1. How will your service will be accessed (public or private)?
2. What sort of data are you handling?
3. Are there any regulations you need to be compliant with?
4. Are there any compliance assessments you need to plan for?
5. Who will be administering the application?
6. Who needs to audit the platform (internal or external)?

5. Answers will lead you to where you put your
data
Availability
Zone A
Availability
Zone B
Availability
Zone C
Each region has at least two Availability Zones

6. Answers will lead you to AWS Artifact

7. • Integration with AWS Services
• Identity Federation
• Granular Permissions Model
• Multi-factor Authentication
• Identity information for assurance
Answers will lead you to Identity and Access
Management

8. Ok - so who manages what?
(The AWS Shared Responsibility Model)

9. Does one model work for all AWS Services?
Infrastructure
Services
Container
Services
Abstracted
Services

10. Network Traffic Protection
Encryption / Integrity / Identity
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Platform & Applications Management
Customer content
Customers
AWS Shared Responsibility Model:
for Infrastructure Services
Managed by
Client-Side Data encryption
& Data Integrity Authentication
AWSIAMCustomerIAM
Operating System, Network & Firewall Configuration
Server-Side Encryption
Fire System and/or Data
APIEndpoints
Management
Protocols
API
Calls

11. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Firewall
Configuration
Platform & Applications Management
Operating System, Network Configuration
Customer content
Customers
AWS Shared Responsibility Model:
for Container Services
Managed by
Client-Side Data encryption
& Data Integrity Authentication
Network Traffic Protection
Encryption / Integrity / Identity
AWSIAMCustomerIAM
APIEndpoints
Management
Protocols
API
Calls

12. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Platform & Applications Management
Operating System, Network & Firewall Configuration
Customer content
Customers
Managed by
Data Protection by the Platform
Protection of Data at Rest
Network Traffic Protection by the Platform
Protection of Data at in Transit
(optional)
Opaque Data: 1’s and 0’s
(in flight / at rest)
Client-Side Data Encryption
& Data Integrity Authentication
APIEndpoints
AWSIAM
API Calls
AWS Shared Responsibility Model:
forAbstracted Services

13. What should I consider for my
Application?
(Practical advice on AWS Security Controls to deploy)

14. Availability Zone #1
security group
security group
root volume
data volume
Application Load
Balancer
Amazon S3
Bucket Origin
logs
Amazon EBS
snapshot
CloudFront
distribution
EC2 instance
web app
server
Amazon
Route 53
u Malformed Packet Requests
u SYN/ACK or UDP Flood
u Reflection Attacks
u DNS Floods
u Shuffle Sharding (Forced Data Distribution and Isolation)
u Anycast Striping (Ability to advertise IP Scopes from any/all Regions)
myapp.com
Amazon S3
bucket
Route 53
1
www.myapp.com
media.myapp.com

15. Availability Zone #1
security group
security group
root volume
data volume
Application Load
Balancer
Amazon S3
Bucket Origin
logs
Amazon EBS
snapshot
CloudFront
distribution
EC2 instance
web app
server
Amazon
Route 53
u Content Caching
u Origin Acceleration
u AWS WAF Integration (Layer-7 Inspection)
u DDoS Shield and Shield Advanced Integration
myapp.com
Amazon S3
bucket
Cloudfront
2
www.myapp.com
media.myapp.com

16. Availability Zone #1
security group
security group
root volume
data volume
Application Load
Balancer
Amazon S3
Bucket Origin
logs
Amazon EBS
snapshot
CloudFront
distribution
EC2 instance
web app
server
Amazon
Route 53
u Path Based Routing
u HTTP/HTTPS Only
u SSL/TLS Offload
u AWS WAF Integration (Layer-7 Inspection)
u DDoS Shield and Shield Advanced Integration
myapp.com
Amazon S3
bucket
Application Load
Balancer
3
www.myapp.com
media.myapp.com

17. Availability Zone #1
security group
security group
root volume
data volume
Application Load
Balancer
Amazon S3
Bucket Origin
logs
Amazon EBS
snapshot
CloudFront
distribution
EC2 instance
web app
server
Amazon
Route 53
u AWS Macie Integration
u Static HTTP Web Server
u Origin for Cloudfront (use Custom Header for locking down)
u No HTTPS capability (use Cloudfront)
u Object and Bucket Level Logging
myapp.com
Amazon S3
bucket
S3 Bucket
4
www.myapp.com
media.myapp.com

18. Availability Zone #1
security group
security group
root volume
data volume
Application Load
Balancer
Amazon S3
Bucket Origin
logs
Amazon EBS
snapshot
CloudFront
distribution
EC2 instance
web app
server
Amazon
Route 53
u RouteTable – Decides which networks can be routed to/from
u NACL – Stateless – Rule Based, Order-Priority [Default OPEN]
u SG – Stateful – Evaluatative [Default CLOSED]
u VPC FlowLogs – Layer 2/3 Logging in a VPC
myapp.com
Amazon S3
bucket
VPC Controls
5
www.myapp.com
media.myapp.com

19. Availability Zone #1
security group
security group
root volume
data volume
Application Load
Balancer
Amazon S3
Bucket Origin
logs
Amazon EBS
snapshot
CloudFront
distribution
EC2 instance
web app
server
Amazon
Route 53
u Amazon Inspector
u CVE / Best Practices
u CIS Benchmarks / Network Behavioral Monitoring
u AWS Systems Manager Integration – Privileged Command Execution
u AWS Systems Manager Integration – Cloudwatch Logging
myapp.com
Amazon S3
bucket
Amazon Inspector
5
www.myapp.com
media.myapp.com

20. How do I ensure it is all working as
planned?
(Practical advice on AWS Security audit tooling)

21. Myapp Production Account Myapp Dev Account Myapp Sandbox Account
Myapp Audit Account myapp Billing Account
CloudTrail
Bucket
Config
Bucket
Amazon ES
Amazon
QuickSight
Amazon
Athena
u CloudTrail (Athena or ElasticSearch)
u Config (Aggregator)
u Guard Duty
u VPC FlowLogs
u CloudTrail
u Config (incl. Config Rules)
u Guard Duty
u VPC Flow Logs
u Inspector
Amazon
GuardDuty
Multi-Account
View
Local-Account
View

22. Shall we have a look at this in
action?
(Demo time!)

23. Thank you, any questions?