The AWS Shared Responsibility Model in Practice
Jeff Levine – Enterprise Solutions Architect, AWS
Agenda
• Introduction to AWS Security
• Overview of the Shared Security Model
• AWS Security Services and Features
• Recommendations
• Additional Resources
Introduction to AWS Security
Cloud security at AWS is the highest priority. It is Job Zero.
As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.
What this means to you:
• You benefit from an environment built for the most security-sensitive organizations
• AWS manages 1800+ security controls so you don’t have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
Broad Accreditations & Certifications
https://aws.amazon.com/compliance/dod/
From AWS customers:
“We can operate more securely on AWS than we can in our own data centers.”
Rob Alexander, CIO, Capital One
AWS re:Invent Conference 2015
“The fact that we can rely on the AWS security posture to boost our own security is really important for our business. AWS does a much better job at security than we could ever do running a cage in a data center.”
Richard Crowley, Director of Operations, Slack
The AWS Shared Security Model
Security is a shared responsibility:
• AWS is responsible for the security OF the Cloud: the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) and the AWS Foundation Services (Compute, Storage, Database, Networking).
• Customers are responsible for their security IN the Cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption; server-side data encryption; network traffic protection.
The AWS Shared Responsibility Model
AWS controls:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
+ Customer controls:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• AuthN & acct management
• Authorization policies
= More secure and compliant systems than any one entity could achieve on its own at scale
The Scope of Responsibility can Vary
• The scope of responsibility depends on the type of service offered by AWS: Infrastructure, Container, or Abstracted Services.
• Understanding who is responsible for what is critical to ensuring your AWS data and systems are secure!
Infrastructure Services – Examples: Amazon EC2, EBS, VPC
Container Services – Examples: Amazon RDS, EMR
Abstracted Services – Examples: S3, DynamoDB
AWS Services & Features
AWS Security Tools & Features
AWS and its partners, including AlertLogic, offer over 700 security services, tools and features. Many mirror the familiar controls you deploy within your on-prem environments. AlertLogic can interface with many of these AWS services directly.
Categories: Customer applications & content; Oversight & Monitoring; Network Security; Identity & Access Control; Inventory & Config; Data Encryption.
AWS Security Tools & Features
• Network Security: Amazon VPC, Security Groups
• Identity & Access Control: AWS IAM, AWS Organizations
• Inventory & Config: AWS Config, Amazon Systems Mgr
• Data Encryption: s2n – AWS TLS, AWS KMS, AWS CloudHSM
• Oversight & Monitoring: Amazon CloudWatch, AWS CloudTrail, Amazon GuardDuty, Macie
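Security groups are listed here on the customer side of the model, so verifying them is the customer's job. The Python script below is an added example, not code from the deck or from AWS: it audits a constructed structure shaped like the boto3 `describe_security_groups` response (no AWS call is made, so it runs offline) and flags rules that are open to the world on ports a practitioner would normally keep restricted. The `ADMIN_PORTS` set, the severity labels and the sample group ids are assumptions for illustration.

```python
"""Audit EC2 security group rules for overly permissive ingress.

Added example: works on a constructed structure shaped like the
response of boto3's ec2.describe_security_groups(); it does not
call AWS. The ADMIN_PORTS set and the severity labels are assumptions.
"""
import ipaddress

# Ports that should not be reachable from anywhere (assumed list):
# SSH, RDP, MySQL, PostgreSQL.
ADMIN_PORTS = {22, 3389, 3306, 5432}

# Constructed sample: one well-scoped group, one too permissive.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-EXAMPLE-web",
            "GroupName": "web-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-EXAMPLE-db",
            "GroupName": "db-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "-1",
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
    ]
}


def _is_world_open(cidr: str) -> bool:
    """True when the CIDR covers every address of its family (/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm: dict) -> tuple:
    """Return (from, to) for a rule; IpProtocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit_security_groups(payload: dict) -> list:
    """Return one finding dict per rule that is open to the world."""
    findings = []
    for group in payload.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if _is_world_open(c)]
            if not open_cidrs:
                continue  # scoped to specific ranges: not a finding
            lo, hi = _port_range(perm)
            exposed_admin = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if perm.get("IpProtocol") == "-1":
                severity, reason = "HIGH", "all protocols and ports open to the world"
            elif exposed_admin:
                severity, reason = "HIGH", f"admin port(s) {exposed_admin} open to the world"
            else:
                severity, reason = "INFO", f"ports {lo}-{hi} open to the world (expected for public web endpoints)"
            findings.append({
                "group_id": group["GroupId"],
                "group_name": group.get("GroupName", ""),
                "severity": severity,
                "cidrs": open_cidrs,
                "reason": reason,
            })
    return findings


def high_findings(payload: dict) -> list:
    """Only the findings that need action."""
    return [f for f in audit_security_groups(payload) if f["severity"] == "HIGH"]


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"[{f['severity']}] {f['group_id']} ({f['group_name']}): "
              f"{f['reason']} via {', '.join(f['cidrs'])}")
```

On the constructed input the web tier's HTTPS rule is reported as informational, while the database tier produces two HIGH findings (MySQL open to IPv4 everywhere, and every protocol open to IPv6 everywhere). Swapping `SAMPLE_GROUPS` for the real `describe_security_groups` response turns this into a periodic check of the customer's side of the model.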
Recommendations
1. Understand & know the AWS Shared Security Model.
2. Understand the AWS secure, global infrastructure, e.g. regions, availability zones, endpoints.
3. Identify your control objectives and consider the AWS services and partner services that can help you address them.
4. Identify and categorize your information assets that you need to protect.
5. Design your infrastructure with the services you need to protect the assets you have identified.
6. Implement identity management controls.
7. Secure your infrastructure, e.g. EC2, RDS, O/S, Network.
8. Secure your data using encryption at rest and in transit.
9. Monitor, alert, and audit.
10. Stay current with your AWS knowledge through blogs, email, training, and events.
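Recommendation 9 (monitor, alert, and audit) is where AWS CloudTrail and Amazon CloudWatch from the tools slide come in. The Python below is an added example, not code from the deck or from AWS: it runs a small baseline set of alert rules over constructed CloudTrail records in the standard `{"Records": [...]}` shape (root account activity, CloudTrail logging being stopped, security group changes). The grouping into `RULES`, the severities and the sample records are assumptions; the event names themselves are real CloudTrail event names, and `111122223333` is the account id AWS uses in its own documentation examples.

```python
"""Raise alerts from CloudTrail records (added example, not AWS code).

Runs a baseline set of alert rules over a constructed batch of
CloudTrail records. It reads local JSON only, so it runs offline; in
practice the records would come from the trail's S3 bucket or a
CloudWatch Logs subscription.
"""
import json

# Constructed sample records, trimmed to the fields the rules inspect.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]})

# Real CloudTrail event names; grouping them into these three rules is an
# assumption modelled on common baseline alerting, not an AWS-provided list.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
TRAIL_CHANGE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

RULES = [
    # (rule name, severity, predicate over one record)
    ("root-account-activity", "HIGH",
     lambda r: r.get("userIdentity", {}).get("type") == "Root"),
    ("cloudtrail-logging-changed", "HIGH",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
     and r.get("eventName") in TRAIL_CHANGE_EVENTS),
    ("security-group-changed", "MEDIUM",
     lambda r: r.get("eventSource") == "ec2.amazonaws.com"
     and r.get("eventName") in SG_CHANGE_EVENTS),
]


def evaluate_records(records_json: str) -> list:
    """Return one alert dict per (record, matching rule) pair, in record order."""
    alerts = []
    for record in json.loads(records_json).get("Records", []):
        for name, severity, matches in RULES:
            if matches(record):
                alerts.append({
                    "rule": name,
                    "severity": severity,
                    "time": record.get("eventTime"),
                    "event": record.get("eventName"),
                    "actor": record.get("userIdentity", {}).get("arn", "unknown"),
                    "source_ip": record.get("sourceIPAddress"),
                })
    return alerts


def rules_fired(records_json: str) -> list:
    """Names of the rules that fired at least once, in first-seen order."""
    seen = []
    for alert in evaluate_records(records_json):
        if alert["rule"] not in seen:
            seen.append(alert["rule"])
    return seen


if __name__ == "__main__":
    for a in evaluate_records(SAMPLE_RECORDS):
        print(f"{a['time']} [{a['severity']}] {a['rule']}: {a['event']} "
              f"by {a['actor']} from {a['source_ip']}")
```

Three of the four constructed records produce alerts; the read-only `DescribeInstances` call does not. Each rule maps onto something the customer owns under the model (identity use, audit logging, network configuration), which is why these are the events a customer, rather than AWS, has to watch for.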
Additional Resources
For more information
AWS Security Best Practices Whitepaper
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
AWS Risk and Compliance Whitepaper
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
AWS Security Home Page
https://aws.amazon.com/security/
AWS Compliance Home Page
https://aws.amazon.com/compliance/
AWS Security Blog
https://aws.amazon.com/blogs/security/
Summary
• Security is job zero for AWS.
• AWS takes care of the security OF the Cloud.
• You define your controls IN the Cloud.
• Compliance is more cost effective in AWS.
• AlertLogic and AWS offer a variety of services to help you meet your security objectives in the cloud.
Thank you!
linkedin.com/jeffscottlevine
@jeffscottlevine
www.jeffscottlevine.com
