Presented at Hamburg AWS User Group, June 6th, 2019.
IT is inherently insecure, and moving to the cloud could expose your workload to all kinds of new potential risks. However, AWS provides you with a large set of integrated tools to be just as secure as your on-premises solution.
In this talk, you will learn how to combine these built-in tools with serverless technologies to monitor your environment and automatically detect, contain, and remediate security risks on AWS.
4. Traditional On-Premises Security Model
Diagram (shared responsibility stack): Foundation Services (Compute, Storage, Database, Networking); Infrastructure; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Customer content; Client-side Data Encryption; Server-side Data Encryption (optional); Network Traffic Protection.
Customers are responsible for end-to-end security in their on-premises data centers.
5. AWS Security Model when using Infrastructure Services
Diagram (shared responsibility stack): AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Customer content; Client-side Data Encryption; Server-side Data Encryption (optional); Network Traffic Protection.
The lower layers are where AWS takes over responsibility from customers; the upper layers remain the customer's responsibility.
6. AWS Security Model when using Container Services
Diagram (shared responsibility stack): AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Customer content; Client-side Data Encryption; Server-side Data Encryption (optional); Network Traffic Protection.
The lower layers are where AWS takes over responsibility from customers; the upper layers remain the customer's responsibility.
7. AWS Security Model when using Abstracted Services
Diagram (shared responsibility stack): AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Customer content; Client-side Data Encryption; Server-side Data Encryption (optional); Network Traffic Protection.
The lower layers are where AWS takes over responsibility from customers; the upper layers remain the customer's responsibility.
8. What needs to be protected
Identify: understand the systems, people, assets, data, and capabilities that need to be protected.
Protect your assets: implement safeguards to limit or contain the impact of a potential security event.
Detect incidents: continuously monitor access and changes to discover potential security events in a timely manner.
Respond with a plan: take action and contain the impact of a potential security event.
Restore normal operations: recover and restore capabilities or services that were impaired due to an incident.
Source: NIST Cybersecurity Framework, National Institute of Standards and Technology: www.nist.gov
9. Incident Response Automation
The three functions this talk automates:
Protect your assets: implement safeguards to limit or contain the impact of a potential security event.
Detect incidents: continuously monitor access and changes to discover potential security events in a timely manner.
Respond with a plan: take action and contain the impact of a potential security event.
10. PROTECT
Be proactive: AWS Identity and Access Management (IAM), AWS Shield, AWS Web Application Firewall (WAF).
Limit the blast radius: AWS Organizations, Amazon Virtual Private Cloud (VPC).
Encrypt: AWS Key Management Service (KMS), AWS Secrets Manager, AWS Certificate Manager (ACM).
15. Amazon CloudTrail
Log, monitor, and retain activity in your AWS account.
Provides an event history of your AWS account activity.
Includes actions taken through the Management Console, SDKs, command line tools, and other AWS services.
17. AWS Config
Continuously records resource changes.
Checks compliance with the desired configuration using pre-built and custom rules.
Can also monitor EC2 instance configuration (OS patches, installed applications, network configuration, etc.) with EC2 Systems Manager.
18. Scenario 2: Firewall Rule Disabled
Diagram (detect and respond flow):
Detect: a Network ACL is changed so that port 22 is opened to 0.0.0.0/0. AWS Config evaluates the resource and reports a compliance violation.
Respond: a CloudWatch Events rule matching the compliance violation invokes a Lambda function. The function undoes the changes to the Network ACL and publishes a message to the Security Topic.
Alert: the Security Topic delivers an email notification.
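The Lambda step of Scenario 2, as an added example that is not code from the talk. It assumes the CloudWatch Events "Config Rules Compliance Change" event shape (detail.resourceType, detail.resourceId, detail.newEvaluationResult.complianceType) and boto3-style EC2 and SNS clients; the sample event, the sample Network ACL, the Config rule name, the topic ARN and the fake clients are constructed for offline use.

```python
"""Remediation step for Scenario 2 (AWS Config -> CloudWatch Events -> Lambda -> SNS).

Added example, not code from the talk. It assumes the CloudWatch Events
"Config Rules Compliance Change" event shape and boto3-style EC2/SNS clients;
the fake clients and sample data below are constructed for offline use.
"""
import json
import os
from typing import Any, Dict, List

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22

# Constructed sample event; the shape follows a Config compliance-change event.
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "configRuleName": "nacl-no-world-ssh",          # hypothetical rule name
        "resourceType": "AWS::EC2::NetworkAcl",
        "resourceId": "acl-0123456789abcdef0",          # constructed id
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

# Constructed NACL as describe_network_acls would return it: rule 100 is the
# offending change, rule 110 is a legitimate internal allow, 32767 is the default deny.
SAMPLE_NACL: Dict[str, Any] = {
    "NetworkAclId": "acl-0123456789abcdef0",
    "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ],
}


def is_world_ssh_allow(entry: Dict[str, Any]) -> bool:
    """True for an inbound allow rule that exposes TCP/22 to the whole internet."""
    if entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    if cidr not in WORLD_CIDRS:
        return False
    protocol = entry.get("Protocol")
    if protocol == "-1":            # an "all traffic" allow also opens port 22
        return True
    if protocol != "6":             # 6 = TCP; SSH is TCP only
        return False
    ports = entry.get("PortRange", {})
    return ports.get("From", 0) <= SSH_PORT <= ports.get("To", 65535)


def offending_rules(nacl: Dict[str, Any]) -> List[int]:
    """Rule numbers in the NACL that must be undone."""
    return [e["RuleNumber"] for e in nacl["Entries"] if is_world_ssh_allow(e)]


def remediate(event: Dict[str, Any], ec2, sns, topic_arn: str) -> Dict[str, Any]:
    """Undo the offending NACL entries and notify the security topic."""
    detail = event["detail"]
    if (detail.get("resourceType") != "AWS::EC2::NetworkAcl"
            or detail["newEvaluationResult"]["complianceType"] != "NON_COMPLIANT"):
        return {"nacl": detail.get("resourceId"), "removed": [], "notified": False}
    nacl_id = detail["resourceId"]
    nacl = ec2.describe_network_acls(NetworkAclIds=[nacl_id])["NetworkAcls"][0]
    removed: List[int] = []
    for rule_number in offending_rules(nacl):
        ec2.delete_network_acl_entry(NetworkAclId=nacl_id, RuleNumber=rule_number, Egress=False)
        removed.append(rule_number)
    sns.publish(
        TopicArn=topic_arn,
        Subject=f"NACL {nacl_id}: removed {len(removed)} world-open SSH rule(s)",
        Message=json.dumps({"configRule": detail.get("configRuleName"),
                            "nacl": nacl_id, "removedRules": removed}),
    )
    return {"nacl": nacl_id, "removed": removed, "notified": True}


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client; records deletions."""
    def __init__(self, nacl: Dict[str, Any] = SAMPLE_NACL):
        self.nacl, self.deleted = nacl, []

    def describe_network_acls(self, NetworkAclIds):
        return {"NetworkAcls": [self.nacl]}

    def delete_network_acl_entry(self, NetworkAclId, RuleNumber, Egress):
        self.deleted.append(RuleNumber)


class FakeSNS:
    """Constructed stand-in for boto3's SNS client; records published messages."""
    def __init__(self):
        self.messages = []

    def publish(self, TopicArn, Subject, Message):
        self.messages.append((TopicArn, Subject, Message))


def lambda_handler(event, context):
    """Real entry point: boto3 clients and an assumed SECURITY_TOPIC_ARN environment variable."""
    import boto3  # imported here so the module runs offline without boto3 installed
    return remediate(event, boto3.client("ec2"), boto3.client("sns"), os.environ["SECURITY_TOPIC_ARN"])


if __name__ == "__main__":
    print(remediate(SAMPLE_EVENT, FakeEC2(), FakeSNS(),
                    "arn:aws:sns:eu-central-1:123456789012:security-topic"))
```

The function only touches inbound allow entries whose CIDR is 0.0.0.0/0 or ::/0 and whose port range covers 22, so the internal 10.0.0.0/8 rule and the default deny survive; the compliant-event branch returns without calling EC2, which matters because a single Config rule can emit both NON_COMPLIANT and COMPLIANT transitions for the same resource.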
19. Amazon GuardDuty
Continuously monitors the account for malicious or unauthorized behavior.
Intelligently detects potentially compromised instances or reconnaissance attempts.
Delivers detailed security alerts to the GuardDuty console and CloudWatch Events.