Simple Security for Startups
Mark Bate Solutions Architect
Shared Responsibility
Shared responsibility model (diagram text): security "of" the cloud is Amazon's responsibility, security "in" the cloud is yours.
Amazon: Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
You: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity)
Your Cloud Environment
AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)
Region
An independent collection of AWS resources in a defined geography
A solid foundation for meeting location-dependent privacy and compliance requirements
Availability Zone
Designed as independent failure zones
Physically separated within a typical metropolitan region
Virtual Private Cloud Security Layers (diagram text): two subnets, 10.0.0.0/24 in Availability Zone A and 10.0.1.0/24 in Availability Zone B, each with its own Routing Table, Network ACL and Security Groups, connected through a Router to a Virtual Private Gateway and an Internet Gateway.
Security Group: lockdown at instance level
Subnet: isolate network functions
Network ACL: lockdown at network level
Routing Table: route restrictively
Best Practice: Service Isolation
• Security Groups
• Don’t use 0.0.0.0/0
• Subnet separation of instances with:
• Network ACLs
• Routing tables
• No Internet Gateway
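One way to check the "don't use 0.0.0.0/0" rule across an account, as an added example that is not code from the deck: the function takes data in the shape of EC2's DescribeSecurityGroups response (so boto3's describe_security_groups() output can be fed to it) and reports every ingress rule open to the whole Internet that is not an expected public listener; the security groups, the allowed-port set and the sg- ids are constructed for this example.

```python
"""Find security group ingress rules open to the whole Internet (0.0.0.0/0 or ::/0).

The input mirrors the shape of EC2's DescribeSecurityGroups response, so the
check can be pointed at boto3's describe_security_groups() output; the groups
below are constructed for this example.
"""
from ipaddress import ip_network

# Constructed sample in DescribeSecurityGroups shape (not real groups).
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [],
         # source is another security group, not a CIDR: the isolation the slide asks for
         "UserIdGroupPairs": [{"GroupId": "sg-0example1"}]}]},
    {"GroupId": "sg-0example3", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

# Listeners a startup usually does expose to everyone on purpose (assumption).
PUBLIC_OK = frozenset({("tcp", 80), ("tcp", 443)})

def is_world_open(cidr):
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0

def port_label(perm):
    """Human-readable protocol/port for one permission entry."""
    proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
    if proto == "-1":
        return "all traffic"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"

def find_world_open_ingress(response, allowed=PUBLIC_OK):
    """Return (group id, group name, port label) for each ingress rule whose
    source is 0.0.0.0/0 or ::/0 and that is not an allowed public listener."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world_open(c) for c in cidrs):
                continue
            proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
            if proto != "-1" and lo == hi and (proto, lo) in allowed:
                continue  # intentionally public, e.g. HTTPS on the web tier
            findings.append((sg["GroupId"], sg["GroupName"], port_label(perm)))
    return findings

if __name__ == "__main__":
    for group_id, name, ports in find_world_open_ingress(SAMPLE_RESPONSE):
        print(f"{group_id} ({name}): {ports} open to the world")
```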
Identity and Access Management
• Users & Groups
• Unique Security Credentials
• Temporary Security Credentials
• Policies & Permissions
• Roles
• Multi-factor Authentication
IAM Best Practices
Best Practices
Lock away your AWS root account access keys
Create individual IAM users
Use groups to assign permissions to IAM users
Grant least privilege
Configure a strong password policy for your users
Enable MFA for privileged users
Use roles for applications that run on Amazon EC2 instances
Delegate by using roles instead of by sharing credentials
Rotate credentials regularly
Remove unnecessary credentials
Use policy conditions
Keep a history of activity
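Several of the checklist items (root access keys, MFA, rotating and removing credentials) can be checked from one artefact, the IAM credential report. The script below is an added example, not code from the deck: it assumes the column names of that report (the CSV returned by iam get-credential-report) and audits constructed sample rows; the 90-day limit and the reference date are assumptions.

```python
"""Audit the IAM credential report against the checklist above: root access
keys, console users without MFA, stale keys and keys that are never used.

Assumes the column names of the IAM credential report (the CSV that
iam get-credential-report returns); the rows are constructed for this example
and the columns are trimmed to the ones the checks read.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample, not a real report. Dates are ISO 8601 as in the real CSV;
# "N/A" means the credential does not exist or was never used.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,not_supported,true,true,2014-01-10T09:00:00+00:00,2014-02-01T12:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,true,true,true,2015-05-20T08:00:00+00:00,2015-06-14T17:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,true,false,false,N/A,N/A,false,N/A,N/A
deploy,arn:aws:iam::111111111111:user/deploy,false,false,true,2014-11-01T00:00:00+00:00,N/A,true,2015-06-01T00:00:00+00:00,2015-06-14T09:00:00+00:00
"""

# Reference date for the sample run (assumption); pass datetime.now(timezone.utc) in practice.
AS_OF = datetime(2015, 6, 15, tzinfo=timezone.utc)

def parse_ts(value):
    """Return an aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now, max_age_days=90):
    """Return (user, finding) pairs. 'now' is an aware datetime supplied by the
    caller so that a run is reproducible."""
    stale = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, "root account has an active access key: lock it away"))
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated is None or rotated < stale:
                findings.append((user, f"access key {n} older than {max_age_days} days: rotate"))
            if used is None or used < stale:
                findings.append((user, f"access key {n} unused for {max_age_days}+ days: remove"))
        # Console password without MFA; the report does not say who is privileged,
        # so every console user is flagged and the reviewer decides.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA: enable MFA"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, AS_OF):
        print(f"{user:15} {finding}")
```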
Protecting your Data: Simplified
Securing Data at Rest
Amazon RDS, Redshift, Amazon S3, Glacier, Amazon EBS
> AES-256 keys
> KMS integration
> Easy one-click encryption
Securing Data at Rest: Amazon S3, Glacier
> AES-256 keys
> Each object is encrypted
> Each key is encrypted with a master key
> Master key is rotated regularly
> KMS integration
Securing Data at Rest: Amazon RDS
> AES-256 keys
> Logs, backups, and snapshots
> Read replicas
> Archives and backups
> CloudHSM (Oracle TDE only)
> KMS integration
Securing Data at Rest: Redshift
> AES-256 keys
> Data blocks
> Metadata
> Archives and backups
> CloudHSM integration
> 4-tier encryption architecture
Securing Data at Rest: Amazon EBS
> AES-256 keys
> Encryption done on EC2 host
> Snapshots
> KMS integrated
Securing Data at Rest: CloudHSM
> Hardware Security Module
> Single tenancy
> Private key material never leaves the HSM
> AWS provisioned, customer managed
Whitepaper: Encrypting Data at Rest
http://bit.ly/1VVY1H4
Securing data in flight
Use SSL/TLS for all of your traffic, just like you do for your API access
Pro Tip: Validate the SSL Certificate!
Securing data in flight
Amazon ELB
> SSL offloading
> Perfect Forward Secrecy
> SSL Security Policies
Securing data in flight
> RDS Connections (all databases supported)
> Public key for all regions: http://bit.ly/1G9fE4D
Auditing Made Easy
AWS CloudTrail
AWS CloudTrail
Developers or scripts make calls on AWS API endpoints (EC2, Redshift, IAM, VPC, RDS)…
CloudTrail logs this to an S3 bucket…
User   Action    Time
Tim    Created   1:30pm
Sue    Deleted   2:40pm
Kay    Created   3:30pm
…so you can review this log
AWS CloudTrail
Who made the API call?
When was the API call made?
What was the API call?
What were the resources that were acted upon in the API call?
Where was the API call made from?
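The five questions map directly onto fields of a CloudTrail record. The script below is an added example, not code from the deck: it follows CloudTrail's JSON layout (a top-level "Records" list with userIdentity, eventTime, eventSource, eventName, sourceIPAddress and requestParameters), summarises each record as who / when / what / resources / where, and drops read-only Describe/List/Get calls by default, which is the usual first cut when reviewing what changed; the three records, names, account id and IP addresses are constructed.

```python
"""Answer the five CloudTrail questions (who, when, what, which resources, from
where) for each record in a CloudTrail log file.

The record layout follows CloudTrail's JSON (a top-level "Records" list); the
three records below are constructed for this example, not real log data.
"""
import json
from datetime import datetime, timezone

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.03", "eventTime": "2015-06-15T13:30:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "tim",
                      "arn": "arn:aws:iam::111111111111:user/tim"},
     "requestParameters": {"userName": "contractor"}},
    {"eventVersion": "1.03", "eventTime": "2015-06-15T14:40:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DeleteSecurityGroup",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Admin/sue"},
     "requestParameters": {"groupId": "sg-0example1"}},
    {"eventVersion": "1.03", "eventTime": "2015-06-15T15:30:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "kay",
                      "arn": "arn:aws:iam::111111111111:user/kay"},
     "requestParameters": None},
]})

READ_ONLY_PREFIXES = ("Describe", "List", "Get")

def resources_of(record):
    """CloudTrail fills the optional 'resources' list only for some services;
    fall back to the string-valued request parameters (ids, names, ARNs)."""
    arns = [r["ARN"] for r in record.get("resources", []) if "ARN" in r]
    params = record.get("requestParameters") or {}
    return arns + sorted(v for v in params.values() if isinstance(v, str))

def summarize(record):
    """Map one record onto who / when / what / resources / where."""
    ident = record.get("userIdentity", {})
    service = record["eventSource"].split(".")[0]   # ec2.amazonaws.com -> ec2
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "who": ident.get("userName") or ident.get("arn") or ident.get("type", "unknown"),
        "when": when.replace(tzinfo=timezone.utc),
        "what": f"{service}:{record['eventName']}",
        "resources": resources_of(record),
        "where": record.get("sourceIPAddress", "unknown"),
    }

def summarize_trail(log_text, include_read_only=False):
    """Summaries in time order; read-only calls are dropped unless requested."""
    records = json.loads(log_text)["Records"]
    out = [summarize(r) for r in records
           if include_read_only or not r["eventName"].startswith(READ_ONLY_PREFIXES)]
    return sorted(out, key=lambda s: s["when"])

if __name__ == "__main__":
    for s in summarize_trail(SAMPLE_TRAIL):
        print(f'{s["when"]:%H:%M} {s["who"]} {s["what"]} {s["resources"]} from {s["where"]}')
```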
CloudTrail Partners
Trusted Advisor
Amazon Trusted Advisor
https://console.aws.amazon.com/trustedadvisor/
Well-Architected Framework
• Core strategies & best practices for architecting in the cloud
• Designed around 4 pillars:
– Security
– Reliability
– Performance Efficiency
– Cost Optimisation
• https://aws.amazon.com/blogs/aws/are-you-well-architected/
Links
Micro-sites
https://aws.amazon.com/security
https://aws.amazon.com/compliance
Security Bulletins
https://aws.amazon.com/security/security-bulletins/
https://alas.aws.amazon.com/
Blogs
https://blogs.aws.amazon.com/security/
https://medium.com/aws-activate-startup-blog
Thank You
Mark Bate Solutions Architect
markbate@amazon.com
@markbate
