KK
Uploaded byKristana Kane
227 views

Security @ (Cloud) Scale Deep Dive

This document summarizes a presentation about security at scale on AWS. It discusses AWS security controls that customers don't need to manage themselves. It also outlines the AWS Cloud Adoption Framework for adapting security practices to the cloud. Finally, it provides examples of how to implement security capabilities like identity and access management, detective controls, infrastructure security, data protection, and incident response on AWS.

Embed presentation

Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cameron Worrell, Solutions Architect August 17th, 2017 Security @ (Cloud) Scale
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda ā€¢ AWS Controls that You Donā€™t Need to Worry About ā€¢ Framework to Help You Adapt the Cloud Faster ā€¢ AWS Services that You Should be Using ā€¢ Reference Architectures that You Can Use
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Security Controls
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Security Controls 2,500+
I wish I was a Solid State Drive in someone elseā€™s Datacenterā€¦
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Security Controls
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Security Controls AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Your own accreditation Your own certifications Your own external auditsCustomerAWS Customer scope and effort is reduced Better results through focused efforts Built on AWS consistent baseline controls
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cloud Adoption Framework ā€¢ Each Perspective provides guidance for different parts of an organization ā€¢ Helps YOU adapt existing practices or introduce new practices for cloud computing
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Security Journey to the Cloud Security in the cloud is familiar. The increase in agility and the ability to perform actions faster, at a larger scale and at a lower cost, does not invalidate well- established principles of information security.
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The CAF Security Perspective 5 Core Capabilities Identity and Access Management Detective Controls Infrastructure Security Data Protection Incident Response
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scaling to >1 Million Users RDS DB Instance Active (Multi-AZ) Availability Zone ELB Balancer RDS DB Instance Read Replica RDS DB Instance Read Replica Web Instance Web Instance Web Instance Web Instance Amazon Route 53 User Amazon S3 Amazon CloudFront DynamoDB Amazon SQS ElastiCache Worker Instance Worker Instance Amazon CloudWatch Internal App Instance Internal App Instance Amazon SES Lambda
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security Already Built Inā€¦ Security groups are virtual firewalls that control the traffic for one or more resources AWS IAM securely controls access to AWS services and resources for your users.
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security Already Built Inā€¦
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity and Access Management AWS Organizations AWS IAM AWS Security Token Service
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detective Controls AWS CloudTrail Amazon CloudWatch AWS Config Amazon Inspector VPC Flow Logs Account Resources Network
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detective Controls - VPC Flow Logs
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detective Controls - VPC Flow Logs
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security AWS Shield AWS WAF Network AWS OpsWorks Resources AWS Trusted Advisor AWS Config Rules Demo @ https://waf.widgetsllc.xyz
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security ā€“ AWS Config Rules ā€¢ Amazon CloudTrail should be enabledā€¦ ā€¢ Is it? ā€¢ All EBS volumes encryptedā€¦ ā€¢ Are they? ā€¢ All security groups in attached state should not have unrestricted access to port 22. ā€¢ Do they?
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security ā€“ AWS Config Rules ā€¢ Codify and automate your own practices ā€¢ Get started with samples in AWS Lambda ā€¢ Implement guidelines for security best practices and compliance ā€¢ Use rules from various AWS Partners ā€¢ View compliance in one dashboard
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security ā€“ AWS Config Rules
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security ā€“ AWS Config Rules
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security ā€“ AWS Config Rules
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data Protection AWS CloudHSM AWS Key Management Service AWS Certificate Manager
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data Protection - Encryption Encryption In-Transit SSL/TLS VPN / IPSEC SSH Encryption At-Rest Object Database Filesystem Disk
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data Protection ā€“ AWS Certificate Manager ā€¢ AWS Certificate Manager (AWS ACM) is a service that lets you easily provision, manage, and deploy TLS certificates for use with Amazon Elastic Load Balancer or Amazon CloudFront distribution. ā€¢ No additional charge for provisioning TLS certificates ā€¢ Manages the renewal process of TLS certificates ā€¢ Certificates are verified by Amazonā€™s certificate authority (CA), Amazon Trust Services (ATS)
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data Protection ā€“ AWS Certificate Manager
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data Protection ā€“ AWS KMS Data key 1 S3 object EBS volume Amazon Redshift cluster Data key 2 Data key 3 Data key 4 Custom application Customer Master Keys
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response Amazon CloudWatch Amazon Lambda
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ Lambda Log from __future__ import print_function import json def lambda_handler(event, context): print(json.dumps(event, indent=2))
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ Lambda Respond cloudtrail = boto3.client('cloudtrail') trail_arn = event["detail"]["requestParameters"]["name "] ct_response = cloudtrail.start_logging( Name = trail_arn )
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ Lambda Notify sns_topic = "arn:aws:sns:us-east-1:123459227412:reporter-topic" subject = 'EVENT: ' + event["detail"]["eventName"] message = "What happened? " + event["detail"]["eventName"] + "n" "What service? " + event["detail"]["eventSource"] + "n" "Where? " + event["detail"]["awsRegion"] + "n" "When? " + event["detail"]["eventTime"] + "n" "Who? " + str(json.dumps(event["detail"]["userIdentity"], indent=2)) sns = boto3.client('sns') sns_response = sns.publish( TopicArn = sns_topic, Message = message, Subject = subject, MessageStructure = 'string' )
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ Amazon SNS Notification
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ Complete
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scaling to >1 Million Users RDS DB Instance Active (Multi-AZ) Availability Zone ELB Balancer RDS DB Instance Read Replica RDS DB Instance Read Replica Web Instance Web Instance Web Instance Web Instance Amazon Route 53 User Amazon S3 Amazon CloudFront DynamoDB Amazon SQS ElastiCache Worker Instance Worker Instance Amazon CloudWatch Internal App Instance Internal App Instance Amazon SES Lambda
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scaling to >1 Million Users RDS DB Instance Active (Multi-AZ) Availability Zone ELB Balancer RDS DB Instance Read Replica RDS DB Instance Read Replica Web Instance Web Instance Web Instance Web Instance Amazon Route 53 User Amazon S3 Amazon CloudFront DynamoDB Amazon SQS ElastiCache Worker Instance Worker Instance Amazon CloudWatch Internal App Instance Internal App Instance Amazon SES Lambda AWS WAF AWS Shield AWS Organizations AWS CloudTrail AWS Config VPC Flow Logs Amazon Inspector AWS OpsWorks
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Deploy Faster Wherever You Like 16 Regions ā€“ 44 Availability Zones ā€“ 82 Edge Locations Region & Number of Availability Zones AWS GovCloud (2) EU Ireland (3) US West Frankfurt (3) Oregon (3) London (2) Northern California (3) Asia Pacific US East Singapore (2) N. Virginia (6), Ohio (3) Sydney (2), Tokyo (3), Seoul (2), Mumbai (2) Canada Central (2) China Beijing (2) South America SĆ£o Paulo (3)
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Marketplace Security Partners Infrastructure Security Logging & Monitoring Identity & Access Control Configuration & Vulnerability Analysis Data Protection
Ā© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Summary ā€¢ AWS Security Benefits: ā€¢ Integrated Security & Compliance ā€¢ Global Resilience, Visibility, & Control ā€¢ Maintain Your Privacy and Data Ownership ā€¢ Agility Through Security Automation ā€¢ Security Innovation at Scale ā€¢ Broad Security Partner & Marketplace Solutions
Thank You!

More Related Content

PDF
Automating Security in Cloud Workloads with DevSecOps
byKristana Kane
Ā 
PDF
Getting Started with Docker on AWS
byKristana Kane
Ā 
PDF
Deep Dive on Microservices and Docker
byKristana Kane
Ā 
PDF
Serverless Big Data Architectures: Serverless Data Analytics
byKristana Kane
Ā 
PDF
Migrating Your Databases to AWS Deep Dive on Amazon RDS and AWS
byKristana Kane
Ā 
PDF
Bluesoft @ AWS re:Invent 2017 + AWS 101
byAndrƩ Faria Gomes
Ā 
PDF
AWS Shared Security Model in Practice
byAlert Logic
Ā 
PPTX
CSS17: Dallas - The AWS Shared Responsibility Model in Practice
byAlert Logic
Ā 
Automating Security in Cloud Workloads with DevSecOps
byKristana Kane
Ā 
Getting Started with Docker on AWS
byKristana Kane
Ā 
Deep Dive on Microservices and Docker
byKristana Kane
Ā 
Serverless Big Data Architectures: Serverless Data Analytics
byKristana Kane
Ā 
Migrating Your Databases to AWS Deep Dive on Amazon RDS and AWS
byKristana Kane
Ā 
Bluesoft @ AWS re:Invent 2017 + AWS 101
byAndrƩ Faria Gomes
Ā 
AWS Shared Security Model in Practice
byAlert Logic
Ā 
CSS17: Dallas - The AWS Shared Responsibility Model in Practice
byAlert Logic
Ā 

Similar to Security @ (Cloud) Scale Deep Dive

PDF
The AWS Shared Responsibility Model in Practice
byAlert Logic
Ā 
PDF
The AWS Shared Responsibility Model in Practice
byAlert Logic
Ā 
PDF
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
byVladimir Simek
Ā 
PDF
The AWS Shared Responsibility Model in Practice
byAlert Logic
Ā 
PPTX
Deep dive - AWS security by design
byRichard Harvey
Ā 
PDF
AWS Enterprise Summit - ķ“ė¼ģš°ė“œģ—ģ„œģ˜ ė³“ģ•ˆ - ģ–‘ģŠ¹ė„
byAmazon Web Services Korea
Ā 
PDF
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
byAWS Germany
Ā 
PDF
Datensicherheit mit AWS - AWS Security Web Day
byAWS Germany
Ā 
PPTX
Managing Security on AWS
byAWS Summits
Ā 
PDF
1. aws security and compliance wwps pre-day sao paolo - markry
byAmazon Web Services LATAM
Ā 
PPTX
Hackproof Your Cloud: Responding to 2016 Threats
byCloudCheckr
Ā 
PPTX
Automating AWS security and compliance
byJohn Varghese
Ā 
PPTX
Pitt Immersion Day Module 5 - security overview
byEagleDream Technologies
Ā 
PDF
Securing Your Customers Data From Day One
byAmazon Web Services LATAM
Ā 
PDF
Serverless SecOps Automation on AWS at AWS UG Krakow, Poland
byDennis Traub
Ā 
PPTX
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
by2nd Sight Lab
Ā 
PDF
Information Security in AWS - Dave Walker
byEast Midlands Cyber Security Forum
Ā 
DOCX
Basic understanding of aws
byPinto Das
Ā 
PPTX
Cloudifying your Security Operations on AWS
byCloudHesive
Ā 
PPTX
AWS Security and SecOps
byShiva Narayanaswamy
Ā 
The AWS Shared Responsibility Model in Practice
byAlert Logic
Ā 
The AWS Shared Responsibility Model in Practice
byAlert Logic
Ā 
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
byVladimir Simek
Ā 
The AWS Shared Responsibility Model in Practice
byAlert Logic
Ā 
Deep dive - AWS security by design
byRichard Harvey
Ā 
AWS Enterprise Summit - ķ“ė¼ģš°ė“œģ—ģ„œģ˜ ė³“ģ•ˆ - ģ–‘ģŠ¹ė„
byAmazon Web Services Korea
Ā 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
byAWS Germany
Ā 
Datensicherheit mit AWS - AWS Security Web Day
byAWS Germany
Ā 
Managing Security on AWS
byAWS Summits
Ā 
1. aws security and compliance wwps pre-day sao paolo - markry
byAmazon Web Services LATAM
Ā 
Hackproof Your Cloud: Responding to 2016 Threats
byCloudCheckr
Ā 
Automating AWS security and compliance
byJohn Varghese
Ā 
Pitt Immersion Day Module 5 - security overview
byEagleDream Technologies
Ā 
Securing Your Customers Data From Day One
byAmazon Web Services LATAM
Ā 
Serverless SecOps Automation on AWS at AWS UG Krakow, Poland
byDennis Traub
Ā 
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
by2nd Sight Lab
Ā 
Information Security in AWS - Dave Walker
byEast Midlands Cyber Security Forum
Ā 
Basic understanding of aws
byPinto Das
Ā 
Cloudifying your Security Operations on AWS
byCloudHesive
Ā 
AWS Security and SecOps
byShiva Narayanaswamy
Ā 

More from Kristana Kane

PDF
AWS Summit Atlanta Keynote
byKristana Kane
Ā 
PDF
Getting Started with AWS Lambda and Serverless Computing
byKristana Kane
Ā 
PDF
An Overview to Artificial Intelligence Services at AWS
byKristana Kane
Ā 
PDF
AWS IoT Deep Dive
byKristana Kane
Ā 
PDF
Deep Dive into Apache MXNet on AWS
byKristana Kane
Ā 
PDF
Getting Started with AWS IoT
byKristana Kane
Ā 
PDF
VMware and AWS Together - VMware Cloud on AWS
byKristana Kane
Ā 
AWS Summit Atlanta Keynote
byKristana Kane
Ā 
Getting Started with AWS Lambda and Serverless Computing
byKristana Kane
Ā 
An Overview to Artificial Intelligence Services at AWS
byKristana Kane
Ā 
AWS IoT Deep Dive
byKristana Kane
Ā 
Deep Dive into Apache MXNet on AWS
byKristana Kane
Ā 
Getting Started with AWS IoT
byKristana Kane
Ā 
VMware and AWS Together - VMware Cloud on AWS
byKristana Kane
Ā 

Recently uploaded

PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
Ā 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
Ā 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
Ā 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
Ā 
PDF
Track Phone Location via Number (2026)_ What Actually Works, Whatā€™s a Scam, a...
byEmily Woods
Ā 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
Ā 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
Ā 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
Ā 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
Ā 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
Ā 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
Ā 
PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
Ā 
PDF
Agentic AI with Google ADK GDG On Campus Netaji Subhash Engineering College
bydscnsecorg
Ā 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
Ā 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
Ā 
PPTX
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
Ā 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
Ā 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
Ā 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
Ā 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
Ā 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
Ā 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
Ā 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
Ā 
How to build hackthon projects from ZERO!
byishantyadav1111
Ā 
Track Phone Location via Number (2026)_ What Actually Works, Whatā€™s a Scam, a...
byEmily Woods
Ā 
NTG - Data Center Management System Software
byMustafa Kuğu
Ā 
AI and Zero Trust: What it takes to do it right
byMark Simos
Ā 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
Ā 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
Ā 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
Ā 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
Ā 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
Ā 
Agentic AI with Google ADK GDG On Campus Netaji Subhash Engineering College
bydscnsecorg
Ā 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
Ā 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
Ā 
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
Ā 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
Ā 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
Ā 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
Ā 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
Ā 

Security @ (Cloud) Scale Deep Dive

  • 1.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Cameron Worrell, Solutions Architect August 17th, 2017 Security @ (Cloud) Scale
  • 2.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Agenda ā€¢ AWS Controls that You Donā€™t Need to Worry About ā€¢ Framework to Help You Adapt the Cloud Faster ā€¢ AWS Services that You Should be Using ā€¢ Reference Architectures that You Can Use
  • 3.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Agenda
  • 4.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. AWS Security Controls
  • 5.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. AWS Security Controls 2,500+
  • 6.
    I wish Iwas a Solid State Drive in someone elseā€™s Datacenterā€¦
  • 7.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. AWS Security Controls
  • 8.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. AWS Security Controls AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Your own accreditation Your own certifications Your own external auditsCustomerAWS Customer scope and effort is reduced Better results through focused efforts Built on AWS consistent baseline controls
  • 9.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Cloud Adoption Framework ā€¢ Each Perspective provides guidance for different parts of an organization ā€¢ Helps YOU adapt existing practices or introduce new practices for cloud computing
  • 10.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. The Security Journey to the Cloud Security in the cloud is familiar. The increase in agility and the ability to perform actions faster, at a larger scale and at a lower cost, does not invalidate well- established principles of information security.
  • 11.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. The CAF Security Perspective 5 Core Capabilities Identity and Access Management Detective Controls Infrastructure Security Data Protection Incident Response
  • 12.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Scaling to >1 Million Users RDS DB Instance Active (Multi-AZ) Availability Zone ELB Balancer RDS DB Instance Read Replica RDS DB Instance Read Replica Web Instance Web Instance Web Instance Web Instance Amazon Route 53 User Amazon S3 Amazon CloudFront DynamoDB Amazon SQS ElastiCache Worker Instance Worker Instance Amazon CloudWatch Internal App Instance Internal App Instance Amazon SES Lambda
  • 13.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Security Already Built Inā€¦ Security groups are virtual firewalls that control the traffic for one or more resources AWS IAM securely controls access to AWS services and resources for your users.
  • 14.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Security Already Built Inā€¦
  • 15.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Identity and Access Management AWS Organizations AWS IAM AWS Security Token Service
  • 16.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Detective Controls AWS CloudTrail Amazon CloudWatch AWS Config Amazon Inspector VPC Flow Logs Account Resources Network
  • 17.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Detective Controls - VPC Flow Logs
  • 18.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Detective Controls - VPC Flow Logs
  • 19.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security AWS Shield AWS WAF Network AWS OpsWorks Resources AWS Trusted Advisor AWS Config Rules Demo @ https://waf.widgetsllc.xyz
  • 20.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security ā€“ AWS Config Rules ā€¢ Amazon CloudTrail should be enabledā€¦ ā€¢ Is it? ā€¢ All EBS volumes encryptedā€¦ ā€¢ Are they? ā€¢ All security groups in attached state should not have unrestricted access to port 22. ā€¢ Do they?
  • 21.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security ā€“ AWS Config Rules ā€¢ Codify and automate your own practices ā€¢ Get started with samples in AWS Lambda ā€¢ Implement guidelines for security best practices and compliance ā€¢ Use rules from various AWS Partners ā€¢ View compliance in one dashboard
  • 22.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security ā€“ AWS Config Rules
  • 23.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security ā€“ AWS Config Rules
  • 24.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Infrastructure Security ā€“ AWS Config Rules
  • 25.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Data Protection AWS CloudHSM AWS Key Management Service AWS Certificate Manager
  • 26.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Data Protection - Encryption Encryption In-Transit SSL/TLS VPN / IPSEC SSH Encryption At-Rest Object Database Filesystem Disk
  • 27.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Data Protection ā€“ AWS Certificate Manager ā€¢ AWS Certificate Manager (AWS ACM) is a service that lets you easily provision, manage, and deploy TLS certificates for use with Amazon Elastic Load Balancer or Amazon CloudFront distribution. ā€¢ No additional charge for provisioning TLS certificates ā€¢ Manages the renewal process of TLS certificates ā€¢ Certificates are verified by Amazonā€™s certificate authority (CA), Amazon Trust Services (ATS)
  • 28.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Data Protection ā€“ AWS Certificate Manager
  • 29.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Data Protection ā€“ AWS KMS Data key 1 S3 object EBS volume Amazon Redshift cluster Data key 2 Data key 3 Data key 4 Custom application Customer Master Keys
  • 30.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response Amazon CloudWatch Amazon Lambda
  • 31.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
  • 32.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
  • 33.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
  • 34.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
  • 35.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
  • 36.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
  • 37.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ Lambda Log from __future__ import print_function import json def lambda_handler(event, context): print(json.dumps(event, indent=2))
  • 38.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ AWS CloudWatch Events
  • 39.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ Lambda Respond cloudtrail = boto3.client('cloudtrail') trail_arn = event["detail"]["requestParameters"]["name "] ct_response = cloudtrail.start_logging( Name = trail_arn )
  • 40.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ Lambda Notify sns_topic = "arn:aws:sns:us-east-1:123459227412:reporter-topic" subject = 'EVENT: ' + event["detail"]["eventName"] message = "What happened? " + event["detail"]["eventName"] + "n" "What service? " + event["detail"]["eventSource"] + "n" "Where? " + event["detail"]["awsRegion"] + "n" "When? " + event["detail"]["eventTime"] + "n" "Who? " + str(json.dumps(event["detail"]["userIdentity"], indent=2)) sns = boto3.client('sns') sns_response = sns.publish( TopicArn = sns_topic, Message = message, Subject = subject, MessageStructure = 'string' )
  • 41.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ Amazon SNS Notification
  • 42.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Incident Response ā€“ Complete
  • 43.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Scaling to >1 Million Users RDS DB Instance Active (Multi-AZ) Availability Zone ELB Balancer RDS DB Instance Read Replica RDS DB Instance Read Replica Web Instance Web Instance Web Instance Web Instance Amazon Route 53 User Amazon S3 Amazon CloudFront DynamoDB Amazon SQS ElastiCache Worker Instance Worker Instance Amazon CloudWatch Internal App Instance Internal App Instance Amazon SES Lambda
  • 44.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Scaling to >1 Million Users RDS DB Instance Active (Multi-AZ) Availability Zone ELB Balancer RDS DB Instance Read Replica RDS DB Instance Read Replica Web Instance Web Instance Web Instance Web Instance Amazon Route 53 User Amazon S3 Amazon CloudFront DynamoDB Amazon SQS ElastiCache Worker Instance Worker Instance Amazon CloudWatch Internal App Instance Internal App Instance Amazon SES Lambda AWS WAF AWS Shield AWS Organizations AWS CloudTrail AWS Config VPC Flow Logs Amazon Inspector AWS OpsWorks
  • 45.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Deploy Faster Wherever You Like 16 Regions ā€“ 44 Availability Zones ā€“ 82 Edge Locations Region & Number of Availability Zones AWS GovCloud (2) EU Ireland (3) US West Frankfurt (3) Oregon (3) London (2) Northern California (3) Asia Pacific US East Singapore (2) N. Virginia (6), Ohio (3) Sydney (2), Tokyo (3), Seoul (2), Mumbai (2) Canada Central (2) China Beijing (2) South America SĆ£o Paulo (3)
  • 46.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. AWS Marketplace Security Partners Infrastructure Security Logging & Monitoring Identity & Access Control Configuration & Vulnerability Analysis Data Protection
  • 47.
    Ā© 2017, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Summary ā€¢ AWS Security Benefits: ā€¢ Integrated Security & Compliance ā€¢ Global Resilience, Visibility, & Control ā€¢ Maintain Your Privacy and Data Ownership ā€¢ Agility Through Security Automation ā€¢ Security Innovation at Scale ā€¢ Broad Security Partner & Marketplace Solutions
  • 48.