Security Automation on AWS

@dtraub
Dennis Traub, Fellow at codecentric AG
What management thinks of IT
What it actually looks like
Traditional On-Premises Security Model

Layers of the stack, bottom to top: Foundation Services (Compute, Storage, Database, Networking); Infrastructure; Operating System, Network & Firewall Configuration; Platform, Applications, Identity & Access Management; Customer content; Client-side Data Encryption, Server-side Data Encryption (optional), Network Traffic Protection.

Customers are responsible for end-to-end security in their on-premises data centers: every layer of this stack is theirs to secure.
AWS Security Model when using Infrastructure Services

AWS takes over responsibility from customers for the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).

Customer's responsibility: Operating System, Network & Firewall Configuration; Platform, Applications, Identity & Access Management; Customer content; Client-side Data Encryption, Server-side Data Encryption (optional), Network Traffic Protection.
AWS Security Model when using Container Services

Same stack, but the dividing line moves up: on top of the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations), AWS now also takes over the Operating System and the platform of the managed service.

Customer's responsibility: the service's Network & Firewall Configuration, Applications and Identity & Access Management; Customer content; Client-side Data Encryption, Server-side Data Encryption (optional), Network Traffic Protection.
AWS Security Model when using Abstracted Services

The dividing line moves up once more: AWS takes over responsibility for everything from the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) through the Operating System, Network & Firewall Configuration and the Platform, including Server-side Data Encryption and Network Traffic Protection of the service itself.

Customer's responsibility: Customer content, Client-side Data Encryption, and Identity & Access Management (who may access the content).
NIST Cybersecurity Framework (National Institute of Standards and Technology: www.nist.gov)

Identify what needs to be protected: understand the systems, people, assets, data, and capabilities that need to be protected.
Protect your assets: implement safeguards to limit or contain the impact of a potential security event.
Detect incidents: continuously monitor access and changes so that potential security events are discovered in a timely manner.
Respond with a plan: take action and contain the impact of a potential security event.
Restore normal operations (Recover): recover and restore capabilities or services that were impaired due to an incident.
Incident Response Automation focuses on three of the five functions: Protect (implement safeguards to limit or contain the impact of a potential security event), Detect (continuously monitor access and changes to discover potential security events in time) and Respond (take action and contain the impact of a potential security event).
PROTECT
Be proactive: AWS Identity and Access Management (IAM), AWS Shield, AWS Web Application Firewall (WAF)
Limit the blast radius: AWS Organizations, Amazon Virtual Private Cloud (VPC)
Encrypt: AWS Key Management Service (KMS), AWS Secrets Manager, AWS Certificate Manager (ACM)

DETECT
Log everything: AWS CloudTrail, VPC Flow Logs, Amazon Inspector, Amazon Macie, Amazon CloudWatch
Detect changes and deviations: AWS Config, AWS Trusted Advisor, Amazon GuardDuty, Amazon CloudWatch

RESPOND
Notify: Amazon Simple Notification Service (SNS), CloudWatch Alarms, CloudWatch Events
Automatically respond: AWS Lambda, AWS Step Functions, AWS Systems Manager
Security Automation on AWS

Detect (CloudTrail, Config, GuardDuty, ...) → Alert (CloudWatch Events) → Respond (Lambda, Step Functions, Systems Manager, ...)
Examples
AWS CloudTrail

Log, monitor, and retain activity in your AWS account. CloudTrail provides an event history of your AWS account activity, including actions taken through the Management Console, the SDKs, the command line tools, and other AWS services.
Scenario 1: CloudTrail Logging Disabled

Detect: CloudTrail records the API call that disabled logging; a CloudWatch Events rule matches the "logging disabled" event.
Respond: the rule invokes a Lambda function, which re-enables logging on the trail.
Alert: the function publishes a message to the Security Topic (SNS), which sends an email notification.
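The Lambda side of Scenario 1, written as an added example for this page rather than the speaker's demo code. It assumes a CloudWatch Events (EventBridge) rule with the event pattern shown below, a hypothetical SNS topic ARN, and boto3-style clients passed in so the logic runs offline against the fake clients and the constructed sample event at the bottom.

```python
"""Scenario 1, added example: re-enable CloudTrail logging after a StopLogging call.

Assumptions (not from the slides): the CloudWatch Events rule uses EVENT_PATTERN,
SECURITY_TOPIC_ARN is a placeholder, and `cloudtrail`/`sns` are boto3-style clients.
"""
import json

SECURITY_TOPIC_ARN = "arn:aws:sns:eu-central-1:123456789012:security-topic"  # placeholder

# CloudTrail management events reach CloudWatch Events as "AWS API Call via CloudTrail";
# the two calls below are the ones that silence the trail.
EVENT_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail"],
    },
}


def matches_rule(event, pattern=EVENT_PATTERN):
    """Minimal matcher for the exact-string fields used in EVENT_PATTERN."""
    if event.get("source") not in pattern["source"]:
        return False
    if event.get("detail-type") not in pattern["detail-type"]:
        return False
    detail = event.get("detail") or {}
    return all(detail.get(k) in allowed for k, allowed in pattern["detail"].items())


def remediate(event, cloudtrail, sns, topic_arn=SECURITY_TOPIC_ARN):
    """Restore logging where possible, then alert the security topic in every case."""
    detail = event["detail"]
    api_call = detail["eventName"]
    trail = (detail.get("requestParameters") or {}).get("name")
    actor = (detail.get("userIdentity") or {}).get("arn", "unknown")
    remediated = False

    if api_call == "StopLogging" and trail:
        # StartLogging accepts the trail name or ARN, exactly as StopLogging received it.
        cloudtrail.start_logging(Name=trail)
        remediated = True
    # A deleted trail cannot be re-enabled: the alert is the only automatic action here;
    # recreate the trail from your infrastructure code.

    summary = {
        "api_call": api_call,
        "trail": trail,
        "actor": actor,
        "region": detail.get("awsRegion"),
        "remediated": remediated,
    }
    sns.publish(
        TopicArn=topic_arn,
        Subject=f"[CloudTrail] {api_call} by {actor}",
        Message=json.dumps(summary, indent=2),
    )
    return summary


def lambda_handler(event, context):
    """Lambda entry point: real clients, same logic."""
    import boto3  # imported here so the module also loads where boto3 is absent

    if not matches_rule(event):
        return {"ignored": True}
    return remediate(event, boto3.client("cloudtrail"), boto3.client("sns"))


# --- offline demonstration with fake clients ---------------------------------------
class FakeCloudTrail:
    def __init__(self):
        self.calls = []

    def start_logging(self, Name):
        self.calls.append(("StartLogging", Name))
        return {}


class FakeSNS:
    def __init__(self):
        self.messages = []

    def publish(self, TopicArn, Subject, Message):
        self.messages.append({"TopicArn": TopicArn, "Subject": Subject, "Message": Message})
        return {"MessageId": "fake"}


# Constructed sample event in the CloudWatch Events shape (not a captured event).
SAMPLE_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "eu-central-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"name": "arn:aws:cloudtrail:eu-central-1:123456789012:trail/main-trail"},
    },
}

if __name__ == "__main__":
    ct, topic = FakeCloudTrail(), FakeSNS()
    print(remediate(SAMPLE_EVENT, ct, topic))
    print(ct.calls, topic.messages[0]["Subject"])
```

The function's role needs only cloudtrail:StartLogging and sns:Publish. Re-enabling logging closes the gap but does not remove the principal that opened it, and it loses a race against an attacker who keeps calling StopLogging; the "limit the blast radius" half of the slide is the fix for that: an AWS Organizations service control policy that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail for member accounts, with the rule and the Lambda themselves protected from modification.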
AWS Config

Continuously records resource changes. Checks compliance with the desired configuration using pre-built and custom rules. Can also monitor EC2 instance configuration (OS patches, installed applications, network configuration, etc.) with AWS Systems Manager.
Scenario 2: Firewall Rule Disabled

Detect: a Network ACL entry is changed so that port 22 is opened to 0.0.0.0/0; AWS Config records the change and flags a compliance violation, which a CloudWatch Events rule matches.
Respond: the rule invokes a Lambda function, which undoes the change.
Alert: the function publishes a message to the Security Topic (SNS), which sends an email notification.
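The "undo changes" step of Scenario 2 as an added example (not the speaker's code): it checks every inbound Network ACL entry for an allow from 0.0.0.0/0 (or ::/0) that covers TCP port 22 and deletes the offending entries. It assumes a hypothetical custom Config rule that flags the ACL, the "Config Rules Compliance Change" event shape, and a boto3-style EC2 client passed in so the logic runs offline against the fake client and constructed ACL at the bottom.

```python
"""Scenario 2, added example: remove a network ACL entry that opens port 22 to the world.

Assumptions (not from the slides): a custom Config rule flags the ACL and invokes this
function through a "Config Rules Compliance Change" event; `ec2` is a boto3-style client.
"""

WORLD = ("0.0.0.0/0", "::/0")


def entry_opens_port(entry, port=22):
    """True for an inbound ALLOW entry that admits TCP `port` (or all traffic) from anywhere."""
    if entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    if cidr not in WORLD:
        return False
    protocol = str(entry.get("Protocol"))
    if protocol == "-1":                      # all protocols, hence all ports
        return True
    if protocol != "6":                       # 6 = TCP; UDP/ICMP entries do not expose SSH
        return False
    port_range = entry.get("PortRange") or {}
    return port_range.get("From", 0) <= port <= port_range.get("To", 65535)


def offending_entries(acl, port=22):
    """Every inbound allow entry exposing `port` to the world, in evaluation order.

    NACLs are evaluated lowest RuleNumber first, so a lower-numbered deny could shadow
    one of these allows; all of them are still removed, because deleting only the first
    would silently activate the next one.
    """
    entries = sorted(acl.get("Entries", []), key=lambda e: e["RuleNumber"])
    return [e for e in entries if entry_opens_port(e, port)]


def remediate(event, ec2, port=22):
    """Handle a Config compliance-change event for an AWS::EC2::NetworkAcl resource."""
    detail = event["detail"]
    if detail.get("resourceType") != "AWS::EC2::NetworkAcl":
        return {"ignored": True}
    if (detail.get("newEvaluationResult") or {}).get("complianceType") != "NON_COMPLIANT":
        return {"ignored": True}
    acl_id = detail["resourceId"]
    acl = ec2.describe_network_acls(NetworkAclIds=[acl_id])["NetworkAcls"][0]
    removed = []
    for entry in offending_entries(acl, port):
        ec2.delete_network_acl_entry(NetworkAclId=acl_id, RuleNumber=entry["RuleNumber"], Egress=False)
        removed.append(entry["RuleNumber"])
    return {"acl": acl_id, "removed_rule_numbers": removed}


# --- offline demonstration --------------------------------------------------------
class FakeEC2:
    """Holds ACLs in the shape describe_network_acls returns."""

    def __init__(self, acl):
        self.acls = {acl["NetworkAclId"]: acl}

    def describe_network_acls(self, NetworkAclIds):
        return {"NetworkAcls": [self.acls[i] for i in NetworkAclIds]}

    def delete_network_acl_entry(self, NetworkAclId, RuleNumber, Egress):
        acl = self.acls[NetworkAclId]
        acl["Entries"] = [e for e in acl["Entries"]
                          if not (e["RuleNumber"] == RuleNumber and bool(e.get("Egress")) == Egress)]
        return {}


def sample_acl():
    """Constructed ACL: rule 100 is the bad change; 110, 120 and the default deny are fine."""
    return {
        "NetworkAclId": "acl-0123456789abcdef0",
        "Entries": [
            {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
            {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
            {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False,
             "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},
            {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
             "CidrBlock": "0.0.0.0/0"},
        ],
    }


# Constructed event in the "Config Rules Compliance Change" shape; the rule name is hypothetical.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceId": "acl-0123456789abcdef0",
        "resourceType": "AWS::EC2::NetworkAcl",
        "configRuleName": "no-world-open-ssh-nacl",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

if __name__ == "__main__":
    print(remediate(SAMPLE_EVENT, FakeEC2(sample_acl())))
```

Deleting the entry is the simplest "undo"; where the ACL is managed from infrastructure code, re-applying that definition is the cleaner revert, and the Config rule will re-evaluate either way. The same port check applies to port ranges that merely include 22 (for example 0 to 1024), which is why the comparison uses the range bounds rather than an equality test.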
Amazon GuardDuty

Continuously monitors the account for malicious or unauthorized behavior. Intelligently detects potentially compromised instances or reconnaissance attempts. Delivers detailed security alerts to the GuardDuty console and to CloudWatch Events.

Amazon GuardDuty Finding Types
Scenario 3: GuardDuty Finding

Detect: GuardDuty raises a finding, which is delivered to CloudWatch Events; a rule matches the "finding detected" event.
Respond: the rule invokes a Lambda function, which analyzes the finding and takes further action.
Alert: the function publishes a message to the Security Topic (SNS), which sends an email notification.
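The "analyze finding" step of Scenario 3, as an added example and not the speaker's code: it reads the finding type, severity and affected resource from the CloudWatch Events "GuardDuty Finding" payload and decides between notifying and quarantining the instance by swapping its security groups for an empty one. Isolation is this example's choice of response action, not something the slide prescribes; the quarantine security group and SNS topic ARN are placeholders, and `ec2`/`sns` are boto3-style clients passed in so the logic runs offline against the fakes and the constructed finding at the bottom.

```python
"""Scenario 3, added example: triage a GuardDuty finding and quarantine an EC2 instance.

Assumptions (not from the slides): QUARANTINE_SG is a security group with no rules,
SECURITY_TOPIC_ARN is a placeholder, and `ec2`/`sns` are boto3-style clients.
"""
import json

QUARANTINE_SG = "sg-0123456789abcdef0"                                       # placeholder
SECURITY_TOPIC_ARN = "arn:aws:sns:eu-central-1:123456789012:security-topic"  # placeholder

# GuardDuty types read ThreatPurpose:Resource/Detail. The first group means the instance
# itself is behaving maliciously; the brute-force types carry a direction: OUTBOUND means
# the instance is the attacker, INBOUND means it is merely the target.
COMPROMISED_PREFIXES = ("CryptoCurrency:EC2/", "Backdoor:EC2/", "Trojan:EC2/")
BRUTE_FORCE_TYPES = ("UnauthorizedAccess:EC2/SSHBruteForce",
                     "UnauthorizedAccess:EC2/RDPBruteForce")


def severity_label(score):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def analyze(finding):
    """Return ('isolate', instance_id), ('notify', instance_id) or ('notify', None)."""
    resource = finding.get("resource") or {}
    instance_id = None
    if resource.get("resourceType") == "Instance":
        instance_id = (resource.get("instanceDetails") or {}).get("instanceId")
    ftype = finding["type"]
    action = (finding.get("service") or {}).get("action") or {}
    direction = (action.get("networkConnectionAction") or {}).get("connectionDirection")
    if instance_id and ftype.startswith(COMPROMISED_PREFIXES):
        return "isolate", instance_id
    if instance_id and ftype in BRUTE_FORCE_TYPES and direction == "OUTBOUND":
        return "isolate", instance_id
    return "notify", instance_id


def respond(event, ec2, sns, topic_arn=SECURITY_TOPIC_ARN):
    """Lambda logic for a 'GuardDuty Finding' event: act on the finding, then alert."""
    finding = event["detail"]
    action, instance_id = analyze(finding)
    if action == "isolate":
        # Replace all security groups with the empty quarantine group: the instance keeps
        # running (memory and disks stay available for forensics) but can no longer talk.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
        ec2.create_tags(Resources=[instance_id],
                        Tags=[{"Key": "Quarantine", "Value": finding.get("id", "unknown")}])
    summary = {
        "finding_id": finding.get("id"),
        "type": finding["type"],
        "severity": severity_label(float(finding.get("severity", 0))),
        "instance": instance_id,
        "action": action,
    }
    sns.publish(TopicArn=topic_arn,
                Subject=f"[GuardDuty {summary['severity']}] {finding['type']} -> {action}",
                Message=json.dumps(summary, indent=2))
    return summary


# --- offline demonstration --------------------------------------------------------
class FakeEC2:
    def __init__(self):
        self.groups, self.tags = {}, {}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = Groups
        return {}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, []).extend(Tags)
        return {}


class FakeSNS:
    def __init__(self):
        self.subjects = []

    def publish(self, TopicArn, Subject, Message):
        self.subjects.append(Subject)
        return {"MessageId": "fake"}


def sample_event(direction="OUTBOUND"):
    """Constructed event in the 'GuardDuty Finding' shape; not a captured finding."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {
            "id": "0123456789abcdef0123456789abcdef",
            "type": "UnauthorizedAccess:EC2/SSHBruteForce",
            "severity": 8 if direction == "OUTBOUND" else 2,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
            "service": {"action": {"actionType": "NETWORK_CONNECTION",
                                   "networkConnectionAction": {"connectionDirection": direction}}},
        },
    }
```

The direction check matters: an instance that is the target of an SSH brute-force attempt is not compromised, and cutting it off would turn a low-severity finding into a self-inflicted outage, while an instance that is the source of one almost certainly is. Anything the function will not isolate still goes to the Security Topic, so a human sees every finding; for actions that need approval, the "automatically respond" row of the RESPOND slide (Step Functions) is the place to add a wait-for-confirmation state.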
Demo: CloudTrail Disabled
Summary: Security Automation on AWS

Detect (CloudTrail, Config, GuardDuty, ...) → Alert (CloudWatch Events) → Respond (Lambda, Step Functions, Systems Manager, ...)
The Cloud helps us to get from here …
… to there
Thank you!

@dtraub
Dennis Traub, Fellow at codecentric AG

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Serverless Security Automation on AWS - Hamburg AWS User Group

  • 8. NIST Cybersecurity Framework (National Institute of Standards and Technology, www.nist.gov)
    What needs to be protected: Understand the systems, people, assets, data, and capabilities that need to be protected
    Protect your assets: Implement safeguards to limit or contain the impact of a potential security event
    Detect incidents: Continuously monitor access and changes to discover potential security events in a timely manner
    Respond with a plan: Take action and contain the impact of a potential security event
    Restore normal operations: Recover and restore capabilities or services that were impaired due to an incident
  • 9. Incident Response Automation
    Protect your assets: Implement safeguards to limit or contain the impact of a potential security event
    Detect incidents: Continuously monitor access and changes to discover potential security events in a timely manner
    Respond with a plan: Take action and contain the impact of a potential security event
  • 10. PROTECT
    Be proactive: AWS Identity and Access Management (IAM), AWS Shield, AWS Web Application Firewall (WAF)
    Limit the blast radius: AWS Organizations, Amazon Virtual Private Cloud (VPC)
    Encrypt: AWS Key Management Service (KMS), AWS Secrets Manager
    AWS Certificate Manager (ACM)
  • 11. DETECT
    Log everything: AWS CloudTrail, VPC Flow Logs
    Detect changes and deviations: Amazon Inspector, Amazon Macie, Amazon CloudWatch, AWS Config
    Amazon Trusted Advisor, Amazon GuardDuty, Amazon CloudWatch
  • 12. RESPOND
    Notify: Amazon Simple Notification Service (SNS)
    Automatically respond: CloudWatch Alarms, CloudWatch Events, AWS Lambda, AWS Step Functions
    AWS Systems Manager
  • 13. Security Automation on AWS
    Detect: CloudTrail, Config, GuardDuty, ... -> Alert: CloudWatch -> Respond: Lambda, Step Functions, Systems Manager, ...
  • 15. Amazon CloudTrail
    Log, monitor, and retain activity in your AWS account
    Provides event history of your AWS account activity
    Includes actions taken through the Management Console, SDKs, command line tools, and other AWS services
  • 16. Scenario 1: CloudTrail Logging Disabled
    Detect: CloudTrail (logging disabled)
    Alert: CloudWatch Events Rule (invoke function)
    Respond: Lambda re-enables logging in CloudTrail and publishes a message to the Security Topic, which sends an Email Notification
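As an added example that is not part of the original talk, here is Scenario 1 in code: the CloudWatch Events rule pattern for the CloudTrail StopLogging and DeleteTrail API calls, a matcher that works in the spirit of that pattern, and the Lambda body that re-enables logging and publishes to the security topic. The AWS clients are injected so the module runs offline without boto3; the account ID, trail ARN, topic ARN and event values are constructed placeholders, and the function and class names are mine, not an AWS API.

```python
import json
import os

# CloudWatch Events rule pattern for the two CloudTrail API calls that stop
# log delivery. The trail itself must record management events, otherwise
# the StopLogging call never reaches CloudWatch Events in the first place.
EVENT_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail"],
    },
}


def matches_pattern(event, pattern):
    """Subset match in the spirit of CloudWatch Events patterns: every key of the
    pattern must exist in the event and each leaf must be one of the listed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def handle_event(event, cloudtrail, sns, topic_arn):
    """Lambda body with the AWS clients injected so it can run without boto3."""
    if not matches_pattern(event, EVENT_PATTERN):
        return {"action": "ignored"}
    detail = event["detail"]
    trail = detail["requestParameters"]["name"]
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    if detail["eventName"] == "StopLogging":
        cloudtrail.start_logging(Name=trail)   # undo the change straight away
        action = "re-enabled logging"
    else:
        # A deleted trail cannot be restarted by this function; escalate only.
        action = "trail deleted, manual recreation required"
    message = {"trail": trail, "event": detail["eventName"], "actor": actor,
               "source_ip": detail.get("sourceIPAddress"), "action": action}
    sns.publish(TopicArn=topic_arn, Subject="CloudTrail logging change detected",
                Message=json.dumps(message, indent=2))
    return message


def lambda_handler(event, context):
    """Entry point used by Lambda; boto3 is imported lazily so the rest of the
    module can be exercised offline."""
    import boto3
    return handle_event(event, boto3.client("cloudtrail"), boto3.client("sns"),
                        os.environ["SECURITY_TOPIC_ARN"])


class RecordingClient:
    """Stand-in for boto3 clients: records calls instead of talking to AWS."""
    def __init__(self):
        self.calls = []

    def start_logging(self, **kwargs):
        self.calls.append(("start_logging", kwargs))
        return {}

    def publish(self, **kwargs):
        self.calls.append(("publish", kwargs))
        return {"MessageId": "constructed-message-id"}


# Constructed sample event in the shape CloudWatch Events delivers for a
# CloudTrail-recorded API call (account, trail and ARNs are placeholders).
SAMPLE_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {
            "name": "arn:aws:cloudtrail:eu-central-1:123456789012:trail/security-trail"},
    },
}
TOPIC_ARN = "arn:aws:sns:eu-central-1:123456789012:security-topic"


def demo():
    """Run the handler against the sample event with recording clients."""
    cloudtrail, sns = RecordingClient(), RecordingClient()
    result = handle_event(SAMPLE_EVENT, cloudtrail, sns, TOPIC_ARN)
    return result, cloudtrail.calls, sns.calls


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The Lambda role needs only cloudtrail:StartLogging on the trail and sns:Publish on the topic; keeping the response function this narrow is what makes it safe to let it act without a human in the loop.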
  • 17. AWS Config
    Continuously records resource changes
    Checks compliance with desired configuration using pre-built and custom rules
    Can also monitor EC2 instance configuration (OS patches, installed applications, network configuration, etc.) with EC2 Systems Manager
  • 18. Scenario 2: Firewall Rule Disabled
    Network ACL port 22 opened to 0.0.0.0/0
    Detect: AWS Config (compliance violation)
    Alert: CloudWatch Events Rule (invoke function)
    Respond: Lambda undoes the changes and publishes a message to the Security Topic, which sends an Email Notification
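As an added example that is not part of the original talk, here is Scenario 2 in code: the check a custom Config rule would apply to a Network ACL (an ingress allow entry that exposes TCP port 22 to 0.0.0.0/0 or ::/0), and the Lambda body that reacts to the Config compliance-change event by removing the offending entries and notifying the security topic. The EC2 and SNS clients are injected so the module runs offline; the ACL ID, rule name, topic ARN and ACL entries are constructed, and the function names are mine.

```python
import json
import os

SSH_PORT = 22
ANYWHERE = ("0.0.0.0/0", "::/0")


def opens_ssh_to_world(entry):
    """True for an ingress ALLOW entry that lets any source reach TCP port 22.
    `entry` has the shape EC2 DescribeNetworkAcls returns for one ACL entry."""
    if entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False
    if entry.get("CidrBlock") not in ANYWHERE and entry.get("Ipv6CidrBlock") not in ANYWHERE:
        return False
    protocol = str(entry.get("Protocol"))
    if protocol == "-1":                  # all protocols: no port range, port 22 included
        return True
    if protocol != "6":                   # only TCP carries SSH
        return False
    port_range = entry.get("PortRange", {})
    return port_range.get("From", 0) <= SSH_PORT <= port_range.get("To", 65535)


def evaluate_compliance(entries):
    """The verdict a custom Config rule would report through PutEvaluations."""
    return "NON_COMPLIANT" if any(opens_ssh_to_world(e) for e in entries) else "COMPLIANT"


def remediate(event, ec2, sns, topic_arn):
    """Lambda body for the compliance-change event: delete the offending entries.
    Deleting is deliberately blunt (it matches the slide's 'undo changes'); a team
    that prefers narrowing the source range would call replace_network_acl_entry."""
    detail = event.get("detail", {})
    if (event.get("detail-type") != "Config Rules Compliance Change"
            or detail.get("resourceType") != "AWS::EC2::NetworkAcl"
            or detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT"):
        return {"action": "ignored"}
    acl_id = detail["resourceId"]
    removed = []
    for acl in ec2.describe_network_acls(NetworkAclIds=[acl_id])["NetworkAcls"]:
        for entry in acl["Entries"]:
            if opens_ssh_to_world(entry):
                ec2.delete_network_acl_entry(NetworkAclId=acl_id,
                                             RuleNumber=entry["RuleNumber"], Egress=False)
                removed.append(entry["RuleNumber"])
    message = {"network_acl": acl_id, "config_rule": detail.get("configRuleName"),
               "removed_rule_numbers": removed}
    sns.publish(TopicArn=topic_arn, Subject="Network ACL remediated",
                Message=json.dumps(message, indent=2))
    return message


def lambda_handler(event, context):
    import boto3   # imported lazily so the module runs offline without boto3
    return remediate(event, boto3.client("ec2"), boto3.client("sns"),
                     os.environ["SECURITY_TOPIC_ARN"])


# Constructed ACL entries: rule 100 is the offending one, the others are benign.
ACL_ID = "acl-0123456789abcdef0"
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "6",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 110, "Egress": False, "RuleAction": "allow", "Protocol": "6",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 120, "Egress": False, "RuleAction": "allow", "Protocol": "6",
     "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", "Protocol": "-1",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "Protocol": "-1",
     "CidrBlock": "0.0.0.0/0"},
]
SAMPLE_EVENT = {   # shape of the Config compliance-change event, placeholder values
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "detail": {"resourceId": ACL_ID, "resourceType": "AWS::EC2::NetworkAcl",
               "configRuleName": "nacl-no-ssh-from-anywhere",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}
TOPIC_ARN = "arn:aws:sns:eu-central-1:123456789012:security-topic"


class FakeClient:
    """Records calls and serves the constructed ACL instead of calling AWS."""
    def __init__(self):
        self.calls = []

    def describe_network_acls(self, **kwargs):
        return {"NetworkAcls": [{"NetworkAclId": ACL_ID, "Entries": SAMPLE_ENTRIES}]}

    def delete_network_acl_entry(self, **kwargs):
        self.calls.append(("delete_network_acl_entry", kwargs))

    def publish(self, **kwargs):
        self.calls.append(("publish", kwargs))


def demo():
    ec2, sns = FakeClient(), FakeClient()
    return remediate(SAMPLE_EVENT, ec2, sns, TOPIC_ARN), ec2.calls, sns.calls


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same `opens_ssh_to_world` predicate serves both halves of the scenario: the detect side (Config rule evaluation) and the respond side (deciding which entries to remove), so the two can never disagree about what "non-compliant" means.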
  • 19. Amazon GuardDuty
    Continuously monitors account for malicious or unauthorized behavior.
    Intelligently detects potentially compromised instances or reconnaissance attempts.
    Delivers detailed security alerts to the GuardDuty console and CloudWatch Events.
  • 22. Scenario 3: GuardDuty Finding
    Detect: GuardDuty (finding detected)
    Alert: CloudWatch Events Rule (invoke function)
    Respond: Lambda analyzes the finding, ..., and publishes a message to the Security Topic, which sends an Email Notification
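As an added example that is not part of the original talk, here is the "analyze finding" step of Scenario 3 in code: a Lambda body that triages a GuardDuty finding delivered through CloudWatch Events (severity band, affected resource, occurrence count), skips archived findings, notifies the security topic for every finding, and hands only HIGH findings against an EC2 instance to a Step Functions containment workflow. The SNS and Step Functions clients are injected so the module runs offline; the state machine ARN, topic ARN, account ID, instance ID and the two sample findings are constructed, and the function names are mine.

```python
import json
import os

# Constructed ARN for the Step Functions workflow that a HIGH finding on an
# instance escalates to (a real deployment injects it via the environment).
STATE_MACHINE_ARN = os.environ.get(
    "IR_STATE_MACHINE_ARN",
    "arn:aws:states:eu-central-1:123456789012:stateMachine:isolate-instance")


def severity_label(severity):
    """GuardDuty's severity bands: 0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def affected_resource(resource):
    """Return (resource type, identifier) an analyst needs from the finding."""
    kind = resource.get("resourceType")
    if kind == "Instance":
        return kind, resource.get("instanceDetails", {}).get("instanceId")
    if kind == "AccessKey":
        return kind, resource.get("accessKeyDetails", {}).get("accessKeyId")
    return kind, None


def triage(detail):
    """Reduce a finding to the fields that drive notification and escalation."""
    kind, ident = affected_resource(detail.get("resource", {}))
    label = severity_label(float(detail.get("severity", 0)))
    return {
        "finding_id": detail.get("id"),
        "type": detail.get("type"),
        "severity": label,
        "resource_type": kind,
        "resource_id": ident,
        "occurrences": detail.get("service", {}).get("count", 1),
        # Only HIGH findings against an instance go to the automated containment
        # workflow; everything else is a notification for a human to look at.
        "escalate": label == "HIGH" and kind == "Instance" and ident is not None,
    }


def handle_event(event, sns, stepfunctions, topic_arn):
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored"}
    detail = event["detail"]
    if detail.get("service", {}).get("archived"):
        return {"action": "ignored", "reason": "archived finding"}
    summary = triage(detail)
    sns.publish(TopicArn=topic_arn,
                Subject=f"[{summary['severity']}] GuardDuty: {summary['type']}",
                Message=json.dumps(summary, indent=2))
    if summary["escalate"]:
        stepfunctions.start_execution(stateMachineArn=STATE_MACHINE_ARN,
                                      input=json.dumps(summary))
    return summary


def lambda_handler(event, context):
    import boto3   # imported lazily so the module runs offline without boto3
    return handle_event(event, boto3.client("sns"), boto3.client("stepfunctions"),
                        os.environ["SECURITY_TOPIC_ARN"])


class RecordingClient:
    """Stand-in for boto3 clients: records calls instead of talking to AWS."""
    def __init__(self):
        self.calls = []

    def publish(self, **kwargs):
        self.calls.append(("publish", kwargs))

    def start_execution(self, **kwargs):
        self.calls.append(("start_execution", kwargs))


def finding_event(finding_type, severity, instance_id, count=1):
    """Constructed GuardDuty event in the shape CloudWatch Events delivers."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": f"constructed-{finding_type}", "type": finding_type,
                       "severity": severity, "accountId": "123456789012",
                       "resource": {"resourceType": "Instance",
                                    "instanceDetails": {"instanceId": instance_id}},
                       "service": {"count": count, "archived": False}}}


SAMPLE_EVENTS = [
    finding_event("UnauthorizedAccess:EC2/SSHBruteForce", 2.0, "i-0123456789abcdef0", 3),
    finding_event("Backdoor:EC2/C&CActivity.B!DNS", 8.0, "i-0123456789abcdef0"),
]
TOPIC_ARN = "arn:aws:sns:eu-central-1:123456789012:security-topic"


def demo():
    sns, sfn = RecordingClient(), RecordingClient()
    results = [handle_event(e, sns, sfn, TOPIC_ARN) for e in SAMPLE_EVENTS]
    return results, sns.calls, sfn.calls


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Putting the escalation decision in `triage` rather than in the workflow keeps the part that decides what to do small and testable; the Step Functions workflow (the "..." on the slide) can then grow to whatever containment steps the team is comfortable automating.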
  • 24. Summary: Security Automation on AWS
    Detect: CloudTrail, Config, GuardDuty, ... -> Alert: CloudWatch -> Respond: Lambda, Step Functions, Systems Manager, ...
  • 25. The Cloud helps us to get from here …
  • 27. Thank you!
    @dtraub
    Dennis Traub, Fellow at codecentric AG