AWS Germany, profile picture
Uploaded byAWS Germany
PDF, PPTX691 views

Simple Security for Startups

The document outlines best practices for securing data and managing identities in AWS for startups. It emphasizes the importance of encryption for data at rest and in transit, the use of identity and access management (IAM) to control user permissions, and the role of AWS CloudTrail for auditing API calls. Additionally, it highlights the significance of adhering to the Well-Architected Framework for building secure and efficient cloud architectures.

Embed presentation

Download as PDF, PPTX
Simple Security for Startups Mark Bate Solutions Architect
Shared Responsibility
Foundation Services Compute Customer Data Server-side Encryption (File System and/or Data) Platform, Applications, Identity & Access Management Storage Database Client-side Encryption & Data Integrity Authentication AmazonYou Networking AWS Global Infrastructure Operating System, Network & Firewall Configuration Network Traffic Protection (Encryption/Integrity/Identity) Regions Availability Zones Edge Locations
Foundation Services Compute Customer Data Server-side Encryption (File System and/or Data) Platform, Applications, Identity & Access Management Storage Database Client-side Encryption & Data Integrity Authentication AmazonYou Networking AWS Global Infrastructure Operating System, Network & Firewall Configuration Network Traffic Protection (Encryption/Integrity/Identity) Regions Availability Zones Edge Locations OF
Foundation Services Compute Customer Data Server-side Encryption (File System and/or Data) Platform, Applications, Identity & Access Management Storage Database Client-side Encryption & Data Integrity Authentication AmazonYou Networking AWS Global Infrastructure Operating System, Network & Firewall Configuration Network Traffic Protection (Encryption/Integrity/Identity) Regions Availability Zones Edge Locations OF IN
Foundation Services Compute Customer Data Server-side Encryption (File System and/or Data) Platform, Applications, Identity & Access Management Storage Database Client-side Encryption & Data Integrity Authentication AmazonYou Networking AWS Global Infrastructure Operating System, Network & Firewall Configuration Network Traffic Protection (Encryption/Integrity/Identity) Regions Availability Zones Edge Locations
Your Cloud Environment
AWS Global Footprint US West (N.California) US West (Oregon) GovCloud US East (Virginia) EU West (Ireland) Asia Pacific (Tokyo) Asia Pacific (Singapore) Asia Pacific (Sydney) China (Beijing) São Paulo EU Central (Frankfurt)
AWS Global Footprint US West (N.California) US West (Oregon) GovCloud US East (Virginia) EU West (Ireland) Asia Pacific (Tokyo) Asia Pacific (Singapore) Asia Pacific (Sydney) China (Beijing) São Paulo EU Central (Frankfurt) Region An independent collection of AWS resources in a defined geography A solid foundation for meeting location-dependent privacy and compliance requirements
AWS Global Footprint
AWS Global Footprint Availability Zone Designed as independent failure zones Physically separated within a typical metropolitan region
Virtual Private Cloud Security Layers Security Group Subnet 10.0.0.0/24 Routing Table Network ACL Security Group Subnet 10.0.1.0/24 Routing Table Network ACL Security Group Virtual Private Gateway Internet Gateway Lockdown at instance level Isolate network functions Lockdown at network level Route restrictively Router Availability Zone A Availability Zone B
Best Practice: Service Isolation • Security Groups • Don’t use 0.0.0.0/0 • Subnet separation of instances with: • Network ACLs • Routing tables • No Internet Gateway
Identity and Access Management
Identity and Access Management • Users & Groups
Identity and Access Management • Users & Groups • Unique Security Credentials
Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials
Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions
Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions • Roles
Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions • Roles • Multi-factor Authentication
IAM Best Practices
Best Practices Lock away your AWS root account access keys
Best Practices Lock away your AWS root account access keys Create individual IAM users
Best Practices Lock away your AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users
Best Practices Lock away your AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege
Best Practices Lock away your AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users
Best Practices Lock away your AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users
Best Practices Lock away your AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances
Best Practices Lock away your AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials
Best Practices Lock away your AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials Rotate credentials regularly
Best Practices Lock away your AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials Rotate credentials regularly Remove unnecessary credentials
Best Practices Lock away your AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials Rotate credentials regularly Remove unnecessary credentials Use policy conditions
Best Practices Lock away your AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials Rotate credentials regularly Remove unnecessary credentials Use policy conditions Keep a history of activity
Protecting your Data: Simplified
Securing Data at Rest Amazon RDS Redshift Amazon S3GlacierAmazon EBS > AES-256 keys > KMS integration > Easy one-click encryption
Securing Data at Rest Amazon S3 Glacier > AES-256 keys > Each object is encrypted > Each key is encrypted with a master key > Master key is rotated regularly > KMS integration
Amazon RDS Securing Data at Rest > AES-256 keys > Logs, backups, and snapshots > Read replicas > Archives and backups > CloudHSM (Oracle TDE only) > KMS integration
Redshift Securing Data at Rest > AES-256 keys > Data blocks > Metadata > Archives and backups > CloudHSM integration > 4-tier encryption architecture
Amazon EBS Securing Data at Rest > AES-256 keys > Encryption done on EC2 host > Snapshots > KMS integrated
Securing Data at Rest CloudHSM > Hardware Security Module > Single tenancy > Private key material never leaves the HSM > AWS provisioned, customer managed
Whitepaper: Encrypting Data at Rest http://bit.ly/1VVY1H4
Securing data in flight Use SSL/TLS for all of your traffic just like you do for your API access Pro Tip: Validate the SSL Certificate!
Securing data in flight Amazon ELB > SSL offloading > Perfect Forward Secrecy > SSL Security Policies
Securing data in flight > RDS Connections (all databases supported) > Public key for all regions: http://bit.ly/1G9fE4D
Auditing Made Easy
AWS CloudTrail
AWS CloudTrail Developers or scripts make calls…
AWS CloudTrail Developers or scripts make calls… EC2 RedShift IAM VPCRDS on AWS API endpoints…
AWS CloudTrail Developers or scripts make calls… EC2 RedShift IAM VPCRDS on AWS API endpoints… CloudTrail logs this to an S3 bucket…
AWS CloudTrail Developers or scripts make calls… EC2 RedShift IAM VPCRDS on AWS API endpoints… CloudTrail logs this to an S3 bucket… User Action Time Tim Created 1:30pm Sue Deleted 2:40pm Kay Created 3:30pm so you can review this log
AWS CloudTrail Who made the API call? When was the API call made? What was the API call? What were the resources that were acted up on in the API call? Where was the API call made from?
CloudTrail Partners
Trusted Advisor
Amazon Trusted Advisor https://console.aws.amazon.com/trustedadvisor/
Amazon Trusted Advisor
Well-Architected Framework
Well-Architected Framework • Core strategies & best practices for architecting in the cloud • Designed around 4 pillars: – Security – Reliability – Performance Efficiency – Cost Optimisation • https://aws.amazon.com/blogs/aws/are-you-well-architected/
Links Micro-sites https://aws.amazon.com/security https://aws.amazon.com/compliance Security Bulletins https://aws.amazon.com/security/security-bulletins/ https://alas.aws.amazon.com/ Blogs https://blogs.aws.amazon.com/security/ https://medium.com/aws-activate-startup-blog
Thank You Mark Bate Solutions Architect markbate@amazon.com @markbate

More Related Content

PDF
AWS Control Tower
byCloudHesive
 
PPTX
Aws security best practices
bySundeep Roxx
 
PPTX
Aws IAM
byChamali Liyanage
 
PPTX
AWS IAM and security
byErik Paulsson
 
PDF
AWS IAM -- Notes of 20130403 Doc Version
byErnest Chiang
 
KEY
AWS Security: A Practitioner's Perspective
byJason Chan
 
PPTX
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
by😸 Richard Spindler
 
PDF
Mansi Vaghela [AWS] | Introduction to the APN Technical Baseline Review | Inf...
byInfluxData
 
AWS Control Tower
byCloudHesive
 
Aws security best practices
bySundeep Roxx
 
Aws IAM
byChamali Liyanage
 
AWS IAM and security
byErik Paulsson
 
AWS IAM -- Notes of 20130403 Doc Version
byErnest Chiang
 
AWS Security: A Practitioner's Perspective
byJason Chan
 
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
by😸 Richard Spindler
 
Mansi Vaghela [AWS] | Introduction to the APN Technical Baseline Review | Inf...
byInfluxData
 

Similar to Simple Security for Startups

PDF
AWS Security Best Practices (March 2017)
byJulien SIMON
 
PDF
Security Best Practices
byIan Massingham
 
PDF
Security Best Practices: AWS AWSome Day Management Track
byIan Massingham
 
PPTX
Deep dive - AWS security by design
byRichard Harvey
 
PDF
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
byAWS Germany
 
PDF
Securing Your Customers Data From Day One
byAmazon Web Services LATAM
 
PDF
Advanced Security Masterclass - Tel Aviv Loft
byIan Massingham
 
PPT
Aws training in bangalore
byapponix123
 
PPTX
AWS Security
byMagdy El-Faramawy , MBA,PMP,CISA,CM,ITIL
 
PPTX
Identity and Access Management-CLOUD.pptx
bymuthulakshmi279332
 
PPTX
Cloudifying your Security Operations on AWS
byCloudHesive
 
PPTX
Securing AWS environments by Ankit Giri
byOWASP Delhi
 
PPTX
Hack proof your aws cloud cloudcheckr_040416
byJarrett Plante
 
PDF
3 Steps for Securing Your AWS Organisation.pdf
byChris Bingham
 
PDF
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
byAmazon Web Services Korea
 
PPTX
Group-1 Presentation.pptx cloud security
byTdxToxic
 
PPTX
Cloud-Post Migrastion-Security Modernization Cheatsheet.pptx
byVINEN2
 
PPTX
16h30 aws gru security deck
byinfolive
 
PDF
Security on AWS
byAmazon Web Services LATAM
 
PDF
Security Best Practices_John Hildebrandt
byHelen Rogers
 
AWS Security Best Practices (March 2017)
byJulien SIMON
 
Security Best Practices
byIan Massingham
 
Security Best Practices: AWS AWSome Day Management Track
byIan Massingham
 
Deep dive - AWS security by design
byRichard Harvey
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
byAWS Germany
 
Securing Your Customers Data From Day One
byAmazon Web Services LATAM
 
Advanced Security Masterclass - Tel Aviv Loft
byIan Massingham
 
Aws training in bangalore
byapponix123
 
AWS Security
byMagdy El-Faramawy , MBA,PMP,CISA,CM,ITIL
 
Identity and Access Management-CLOUD.pptx
bymuthulakshmi279332
 
Cloudifying your Security Operations on AWS
byCloudHesive
 
Securing AWS environments by Ankit Giri
byOWASP Delhi
 
Hack proof your aws cloud cloudcheckr_040416
byJarrett Plante
 
3 Steps for Securing Your AWS Organisation.pdf
byChris Bingham
 
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
byAmazon Web Services Korea
 
Group-1 Presentation.pptx cloud security
byTdxToxic
 
Cloud-Post Migrastion-Security Modernization Cheatsheet.pptx
byVINEN2
 
16h30 aws gru security deck
byinfolive
 
Security on AWS
byAmazon Web Services LATAM
 
Security Best Practices_John Hildebrandt
byHelen Rogers
 

More from AWS Germany

PDF
Analytics Web Day | From Theory to Practice: Big Data Stories from the Field
byAWS Germany
 
PDF
Analytics Web Day | Query your Data in S3 with SQL and optimize for Cost and ...
byAWS Germany
 
PDF
Modern Applications Web Day | Impress Your Friends with Your First Serverless...
byAWS Germany
 
PDF
Modern Applications Web Day | Manage Your Infrastructure and Configuration on...
byAWS Germany
 
PDF
Modern Applications Web Day | Container Workloads on AWS
byAWS Germany
 
PDF
Modern Applications Web Day | Continuous Delivery to Amazon EKS with Spinnaker
byAWS Germany
 
PDF
Building Smart Home skills for Alexa
byAWS Germany
 
PDF
Hotel or Taxi? "Sorting hat" for travel expenses with AWS ML infrastructure
byAWS Germany
 
PDF
Wild Rydes with Big Data/Kinesis focus: AWS Serverless Workshop
byAWS Germany
 
PDF
Log Analytics with AWS
byAWS Germany
 
PDF
Deep Dive into Concepts and Tools for Analyzing Streaming Data on AWS
byAWS Germany
 
PDF
AWS Programme für Nonprofits
byAWS Germany
 
PDF
Microservices and Data Design
byAWS Germany
 
PDF
Serverless vs. Developers – the real crash
byAWS Germany
 
PDF
Query your data in S3 with SQL and optimize for cost and performance
byAWS Germany
 
PDF
Secret Management with Hashicorp’s Vault
byAWS Germany
 
PDF
EKS Workshop
byAWS Germany
 
PDF
Scale to Infinity with ECS
byAWS Germany
 
PDF
Containers on AWS - State of the Union
byAWS Germany
 
PDF
Deploying and Scaling Your First Cloud Application with Amazon Lightsail
byAWS Germany
 
Analytics Web Day | From Theory to Practice: Big Data Stories from the Field
byAWS Germany
 
Analytics Web Day | Query your Data in S3 with SQL and optimize for Cost and ...
byAWS Germany
 
Modern Applications Web Day | Impress Your Friends with Your First Serverless...
byAWS Germany
 
Modern Applications Web Day | Manage Your Infrastructure and Configuration on...
byAWS Germany
 
Modern Applications Web Day | Container Workloads on AWS
byAWS Germany
 
Modern Applications Web Day | Continuous Delivery to Amazon EKS with Spinnaker
byAWS Germany
 
Building Smart Home skills for Alexa
byAWS Germany
 
Hotel or Taxi? "Sorting hat" for travel expenses with AWS ML infrastructure
byAWS Germany
 
Wild Rydes with Big Data/Kinesis focus: AWS Serverless Workshop
byAWS Germany
 
Log Analytics with AWS
byAWS Germany
 
Deep Dive into Concepts and Tools for Analyzing Streaming Data on AWS
byAWS Germany
 
AWS Programme für Nonprofits
byAWS Germany
 
Microservices and Data Design
byAWS Germany
 
Serverless vs. Developers – the real crash
byAWS Germany
 
Query your data in S3 with SQL and optimize for cost and performance
byAWS Germany
 
Secret Management with Hashicorp’s Vault
byAWS Germany
 
EKS Workshop
byAWS Germany
 
Scale to Infinity with ECS
byAWS Germany
 
Containers on AWS - State of the Union
byAWS Germany
 
Deploying and Scaling Your First Cloud Application with Amazon Lightsail
byAWS Germany
 

Recently uploaded

PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PPTX
Career-Opportunities in Industrial Arts Grade 8 PPT Lesson 2
byFSBTLEDNathanVince
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PPTX
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
PDF
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
Career-Opportunities in Industrial Arts Grade 8 PPT Lesson 2
byFSBTLEDNathanVince
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Designing a Blog Using Wordpress
bymarkzubi50
 

Simple Security for Startups

  • 1.
    Simple Security forStartups Mark Bate Solutions Architect
  • 2.
  • 3.
    Foundation Services Compute Customer Data Server-sideEncryption (File System and/or Data) Platform, Applications, Identity & Access Management Storage Database Client-side Encryption & Data Integrity Authentication AmazonYou Networking AWS Global Infrastructure Operating System, Network & Firewall Configuration Network Traffic Protection (Encryption/Integrity/Identity) Regions Availability Zones Edge Locations
  • 4.
    Foundation Services Compute Customer Data Server-sideEncryption (File System and/or Data) Platform, Applications, Identity & Access Management Storage Database Client-side Encryption & Data Integrity Authentication AmazonYou Networking AWS Global Infrastructure Operating System, Network & Firewall Configuration Network Traffic Protection (Encryption/Integrity/Identity) Regions Availability Zones Edge Locations OF
  • 5.
    Foundation Services Compute Customer Data Server-sideEncryption (File System and/or Data) Platform, Applications, Identity & Access Management Storage Database Client-side Encryption & Data Integrity Authentication AmazonYou Networking AWS Global Infrastructure Operating System, Network & Firewall Configuration Network Traffic Protection (Encryption/Integrity/Identity) Regions Availability Zones Edge Locations OF IN
  • 6.
    Foundation Services Compute Customer Data Server-sideEncryption (File System and/or Data) Platform, Applications, Identity & Access Management Storage Database Client-side Encryption & Data Integrity Authentication AmazonYou Networking AWS Global Infrastructure Operating System, Network & Firewall Configuration Network Traffic Protection (Encryption/Integrity/Identity) Regions Availability Zones Edge Locations
  • 7.
  • 8.
    AWS Global Footprint USWest (N.California) US West (Oregon) GovCloud US East (Virginia) EU West (Ireland) Asia Pacific (Tokyo) Asia Pacific (Singapore) Asia Pacific (Sydney) China (Beijing) São Paulo EU Central (Frankfurt)
  • 9.
    AWS Global Footprint USWest (N.California) US West (Oregon) GovCloud US East (Virginia) EU West (Ireland) Asia Pacific (Tokyo) Asia Pacific (Singapore) Asia Pacific (Sydney) China (Beijing) São Paulo EU Central (Frankfurt) Region An independent collection of AWS resources in a defined geography A solid foundation for meeting location-dependent privacy and compliance requirements
  • 10.
  • 11.
    AWS Global Footprint AvailabilityZone Designed as independent failure zones Physically separated within a typical metropolitan region
  • 12.
    Virtual Private CloudSecurity Layers Security Group Subnet 10.0.0.0/24 Routing Table Network ACL Security Group Subnet 10.0.1.0/24 Routing Table Network ACL Security Group Virtual Private Gateway Internet Gateway Lockdown at instance level Isolate network functions Lockdown at network level Route restrictively Router Availability Zone A Availability Zone B
  • 13.
    Best Practice: ServiceIsolation • Security Groups • Don’t use 0.0.0.0/0 • Subnet separation of instances with: • Network ACLs • Routing tables • No Internet Gateway
  • 14.
  • 15.
    Identity and AccessManagement • Users & Groups
  • 16.
    Identity and AccessManagement • Users & Groups • Unique Security Credentials
  • 17.
    Identity and AccessManagement • Users & Groups • Unique Security Credentials • Temporary Security Credentials
  • 18.
    Identity and AccessManagement • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions
  • 19.
    Identity and AccessManagement • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions • Roles
  • 20.
    Identity and AccessManagement • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions • Roles • Multi-factor Authentication
  • 21.
  • 22.
    Best Practices Lock awayyour AWS root account access keys
  • 23.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users
  • 24.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users
  • 25.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege
  • 26.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users
  • 27.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users
  • 28.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances
  • 29.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials
  • 30.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials Rotate credentials regularly
  • 31.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials Rotate credentials regularly Remove unnecessary credentials
  • 32.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials Rotate credentials regularly Remove unnecessary credentials Use policy conditions
  • 33.
    Best Practices Lock awayyour AWS root account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials Rotate credentials regularly Remove unnecessary credentials Use policy conditions Keep a history of activity
  • 34.
  • 35.
    Securing Data atRest Amazon RDS Redshift Amazon S3GlacierAmazon EBS > AES-256 keys > KMS integration > Easy one-click encryption
  • 36.
    Securing Data atRest Amazon S3 Glacier > AES-256 keys > Each object is encrypted > Each key is encrypted with a master key > Master key is rotated regularly > KMS integration
  • 37.
    Amazon RDS Securing Dataat Rest > AES-256 keys > Logs, backups, and snapshots > Read replicas > Archives and backups > CloudHSM (Oracle TDE only) > KMS integration
  • 38.
    Redshift Securing Data atRest > AES-256 keys > Data blocks > Metadata > Archives and backups > CloudHSM integration > 4-tier encryption architecture
  • 39.
    Amazon EBS Securing Dataat Rest > AES-256 keys > Encryption done on EC2 host > Snapshots > KMS integrated
  • 40.
    Securing Data atRest CloudHSM > Hardware Security Module > Single tenancy > Private key material never leaves the HSM > AWS provisioned, customer managed
  • 41.
    Whitepaper: Encrypting Dataat Rest http://bit.ly/1VVY1H4
  • 42.
    Securing data inflight Use SSL/TLS for all of your traffic just like you do for your API access Pro Tip: Validate the SSL Certificate!
  • 43.
    Securing data inflight Amazon ELB > SSL offloading > Perfect Forward Secrecy > SSL Security Policies
  • 44.
    Securing data inflight > RDS Connections (all databases supported) > Public key for all regions: http://bit.ly/1G9fE4D
  • 45.
  • 46.
  • 47.
  • 48.
    AWS CloudTrail Developers or scriptsmake calls… EC2 RedShift IAM VPCRDS on AWS API endpoints…
  • 49.
    AWS CloudTrail Developers or scriptsmake calls… EC2 RedShift IAM VPCRDS on AWS API endpoints… CloudTrail logs this to an S3 bucket…
  • 50.
    AWS CloudTrail Developers or scriptsmake calls… EC2 RedShift IAM VPCRDS on AWS API endpoints… CloudTrail logs this to an S3 bucket… User Action Time Tim Created 1:30pm Sue Deleted 2:40pm Kay Created 3:30pm so you can review this log
  • 51.
    AWS CloudTrail Who madethe API call? When was the API call made? What was the API call? What were the resources that were acted up on in the API call? Where was the API call made from?
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
    Well-Architected Framework • Corestrategies & best practices for architecting in the cloud • Designed around 4 pillars: – Security – Reliability – Performance Efficiency – Cost Optimisation • https://aws.amazon.com/blogs/aws/are-you-well-architected/
  • 58.
  • 59.
    Thank You Mark BateSolutions Architect markbate@amazon.com @markbate