This document summarizes a presentation on reinventing the security landscape in AWS. The presentation covers how cloud computing is gaining traction for allowing companies to focus more on innovation by reducing time spent on infrastructure. It discusses how security responsibilities are shared between AWS and customers. It also provides examples of security best practices and services in AWS like encryption, identity and access management, logging, and monitoring that can help customers strengthen their security posture while moving fast.

1. Re:Inventing Security Landscape
Eugene Yu, Global Security, Risk and Compliance
AWS Professional Services
Time : 02:20 – 03:00

2. Cloud focuses on differentiation

3. Reasons Cloud Computing is Gaining Traction in FinServ
Lower the time spent
on infrastructure
Dedicate more resources
to innovation
Concentrate on new
business initiatives

4. Cloud Security
What’s different & what’s the same?

5. AWS Foundation Services
Compute Storage Database Networking
AWS Global Infr
astructure
Regions
Availability Zone
s
Edge Locati
ons
Client-side Data Enc
ryption
Server-side Data
Encryption
Network Traffic Prot
ection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
Security is a shared responsibility
Customers are re
sponsible for thei
r security IN the
Cloud
AWS is responsible
for the security OF
the Cloud

6. Accreditation & Compliance,
Old and New
Old world
• Functionally optional (you can build a
secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Must maintain talent and keep pace
• Check typically once a year
• Workload-specific compliance checks
New world
• Functionally necessary – high watermark
of requirements
• Audits done by third party experts
• Accountable to everyone
• Superior security drives broad compliance
• Continuous monitoring
• Compliance approach based on all
workload scenarios

7. OR
Move Fast
Stay Secure
& Compliant

8. AND
Move Fast
Stay Secure
& Compliant

9. Making life easier
Choosing security does not mean giving up
on convenience or introducing complexity

10. Strengthen your security posture
Get native functionality and tools at
no additional charge
Over 30 global compliance
certifications and accreditations
Leverage security enhancements gleaned from
1M+ customer experiences
Benefit from AWS industry leading
security teams 24/7, 365 days a year
Security infrastructure built to
satisfy military, global banks, and other
high-sensitivity organizations

11. Access a deep set of cloud security tools
Encryption
Key
Management
Service
CloudHSM Server-side
Encryption
Networking
Virtual
Private
Cloud
Web
Application
Firewall
Compliance
ConfigCloudTrailService
Catalog
Identity
IAM Active
Directory
Integration
SAML
Federation

12. Evolving the Practice of Security Architecture
• Security architecture as a separate function can no longer exist
• Static position papers,arc
hitecture diagrams & docu
ments
• UI-dependent consoles and “
pane of glass” technologies
• Auditing,assurance,and
compliance are decoupled
, separate processes
CurrentSecurity
Architecture
Practice

13. Evolving the Practice of Security Architecture
• Security architecture can now be part of the ‘maker’ team
• Architecture artifacts (desi
gn choices,narrative,etc.)
committed to commonrep
ositories
• Complete solutions accou
nt for automation
• Solution architectures are l
iving audit/compliance artif
acts and evidence in a clo
sed loop
Evolved Security
Architecture Pract
ice

14. Leveraged by FSI & Enterprises Worldwide

15. Cloud Security
Design Patterns

16. Access rights just-in-time
Security Token ServiceIdentity and Access
Management
+

17. AWS IAM enables to securely control access to AWS service
s and resources
• Control who can do what and when from where
• Fine grained control of user permissions, resources and
actions
• Add multi factor authentication
• Hardware token or smartphone apps
• Test out new policies using the IAM policy simulator
Grained control of your AWS environment

18. Segregate duties between roles with IAM
Region
Internet G
ateway
Subnet10.0.1.0/24
Subnet10.0.2.0/24
VPC A - 10.0.0.0/16
Availability Zone
Availability Zone
Router
Internet
Customer
Gateway
Choose who can do
what in your AWS
environment and from
where
AWS account
owner (master)
Network
management
Security
management
Server
management
Storage
management
Manage and operate

19. Amazon S3
AWS CloudTrail
Amazon Glacier
Consolidated Logging
Amazon CloudWatch
Events
+

20. AWS CloudTrail logs for many powerful use cases
CloudTrail achieves many tasks
• Security analysis
• Track changes to AWS resources, for
example VPC security groups and NACLs
• Compliance – understand AWS API call
history
• Troubleshoot operational issues – quickly
identify the most recent changes to your
environment

21. Consolidated Logging:
Log flow
Raw logs
Permissions
Amazon EMR
Amazon Glacier
Amazon Redshift
Amazon S3
Write to S3
Parse in EMR and
upload to Amazon
Redshift
Amazon EC2 in
stances
Analyze with standard
BI tools
Archive to
Amazon Glacier
AWS CloudTrail
Encrypted
end to end!

22. AWS CloudHSMAWS KMS
DIY
GlacierS3 EBS
RDS Redshift CloudTrail
Ubiquitous Encryption
+

23. Ubiquitous Encryption
AWS CloudTrail
AWS IAM
EBS
RDS
S3
Encrypted in transit
Encrypted at rest
Fully auditable
Fully managed
keys
Restricted access
AWS KMS

24. Amazon Auto-scaling
Groups
AWS Elastic Compute Cloud
Non-Persistent & Elastic
+

25. Amazon VPC
+
Security Group
+
AWS Direct Connect
Network Architecture Agility

26. You can also connect privately using AWS Direct Connect
AvailabilityZoneA
EC2
EC2
NAT
EC2Jump
EC2WebEC2WebEC2EC2Web VPC Router
Direct
ConnectVirtual Private
Gateway
Customer
Gateway
Your premises

27. AWS Lambda
Monitor and React
+
AWS
CloudWatch

28. Enforcing Encryption with CloudWatch Events
CloudWatch
Event
SNS
Check if instance is encrypted
Not EncryptedEC2
RDS
Lambda
Enforcement /
remediation actions

29. Log-in anomaly event – Detect
• "ConsoleSignInAnomalyMetricFilter": {
• "Type": "AWS::Logs::MetricFilter",
• "Properties": {
• "LogGroupName": { "Ref" : "LogGroupName" },
• "FilterPattern": "{ ($.eventName = ConsoleLogin) && ($.sourceIPAddress != 55.55.*) }",
• "MetricTransformations": [
• {
• "MetricNamespace": "CloudTrailMetrics",
• "MetricName": "ConsoleSignInAnomalyCount",
• "MetricValue": "1"
• }
• ]
• }
• },

30. Log-in anomaly event – Recover
Add null IAM policy to the user (Deny all permissions):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"*"
],
"Resource": [
"*"
]
}
]
}

31. Log-in anomaly event – Investigate
Look in CloudTrail – Determine what events happened after the
ConsoleLogin.

32. Log-in anomaly event – Protect
Add Condition statements to IAM
"Condition" : {
"IpAddress" : {
"aws:SourceIp" : [”55.55.0.0/16”]
}
}

33. +
AWS CloudFormation AWS SDK
Standardized Environments &
Security as Code

34. Security Control Matrix
•Security Control Responsibility Matrix (CRM)

35. Standardized Architecture

36. What you do in any IT environment
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Golden OS images
• Encryption algorithms for data
in transit and at rest
Security Translation to AWS
AWS JSON translation
Golden OS
Network ACLs,
subnets, firewall
rules