Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, offering flexibility for customers to build a wide range of applications. Helping to protect the security of our customers’ content is of utmost importance to AWS, as is maintaining customer trust and confidence. Under the AWS shared responsibility model, AWS provides a secure global infrastructure, including compute, storage, networking and database services, as well as a range of high level services. AWS provides a range of security services and features that AWS customers can use to secure their content and meet their own specific business requirements for security. This webinar focuses on how you can make use of AWS security features to meet your own organization's security and compliance objectives.
2. What we will cover today
1. Understanding shared responsibility for security
2. Using AWS global reach and availability features
3. Building a secure virtual private cloud
4. Using AWS Identity and Access Management
5. Protecting your content on AWS
6. Building secure applications on AWS
3. Security best practices for AWS
1. Understanding shared responsibility for security
2. Using AWS global reach and availability features
3. Building a secure virtual private cloud
4. Using AWS Identity and Access Management
5. Protecting your content on AWS
6. Building secure applications on AWS
4. Every customer has access to the same security capabilities
AWS maintains a formal control environment
• SOC 1 (SSAE 16 & ISAE 3204) Type II (was SAS70)
• SOC 2 Type 1
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable
[Diagram: Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Availability Zones, Regions, Edge Locations)]
5. Security is a shared responsibility between AWS and our customers
Customers: Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Customer content; Network Traffic Protection
Customers configure AWS security features
• Get access to a mature vendor marketplace
• Can implement and manage their own controls
• Gain additional assurance above AWS controls
AWS: Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Availability Zones, Regions, Edge Locations)
Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
6. You can build end-to-end compliance, certification and audit
Customers: Your compliant solutions; Your certifications; Your external audits and attestations
Achieve PCI, HIPAA and MPAA compliance
• Certify against ISO27001 with a reduced scope
• Have key controls audited or publish your own independent attestations
AWS: Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Availability Zones, Regions, Edge Locations)
Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
7. Let AWS take care of the heavy lifting for you
AWS: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Rich IAM capabilities
+
Customer: Network configuration; Security groups; OS firewalls; Operating systems; Applications; Proper service configuration; AuthN & acct management; Authorization policies
=
Customers get to choose the right level of security for their business.
As an AWS customer you can focus on your business and not be distracted by the muck.
8. Customers retain full ownership and control of their content
Customers retain ownership of their intellectual property and content
• Customers manage their privacy objectives how they choose to
• Select the AWS geographical Region and no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
The security of our services and customers is key to AWS
• Security starts at the top in Amazon with a dedicated CISO and strong cultural focus
• Dedicated internal teams constantly looking at the security of our services
• AWS support personnel have no access to customer content
9. Security best practices for AWS
Agenda: 1. Understanding shared responsibility for security; 2. Using AWS global reach and availability features; 3. Building a secure virtual private cloud; 4. Using AWS Identity and Access Management Features; 5. Protecting your content on AWS; 6. Building secure applications on AWS
10. AWS lets customers choose where their content goes
Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)
11. Take advantage of high availability in every Region
[Map: Availability Zones in each Region: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)]
12. Use edge locations to serve content close to your customers
Edge Locations: London (2), Seattle, South Bend, New York (2), Newark, Palo Alto, Dublin, Amsterdam, Stockholm, Tokyo, San Jose, Paris (2), Ashburn (2), Los Angeles (2), Frankfurt (2), Milan, Osaka, Jacksonville, Dallas (2), Hong Kong, Mumbai, Chennai, St. Louis, Miami, Singapore (2), Sao Paulo, Sydney
13. Build your solution for continuous, resilient operations
Scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active operations
All AWS facilities are always on
• No need for a “Disaster Recovery Datacenter” when you can have resilience
• Every one managed to the same global standards
Robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP Service Providers
• Resilient network infrastructure
14. Security best practices for AWS
Agenda: 1. Understanding shared responsibility for security; 2. Using AWS global reach and availability features; 3. Building a secure virtual private cloud; 4. Using AWS Identity and Access Management; 5. Protecting your content on AWS; 6. Building secure applications on AWS
17. Customers control their VPC IP address ranges
Choose your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space
• The maximum CIDR block you can allocate is /16
• For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses
Select IP addressing strategy
• You can’t change the VPC address space once it’s created
• Think about overlaps with other VPCs or existing corporate networks
• Don’t waste address space, but don’t constrain your growth either
[Diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B]
18. We will concentrate on a single availability zone just now
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A]
19. Segment your VPC address space into multiple subnets
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT; subnets 10.0.1.0/24 (Web EC2), 10.0.2.0/24 (EC2), 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24]
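The address-planning rules from the two slides above (a /16 at most, no overlap with other networks, subnets carved inside the VPC), as an added example that is not part of the original deck; the VPC and subnet CIDRs are the ones in the diagrams:

```python
# Added example (not from the deck): plan a VPC address space and its
# subnets offline with the rules the slides state: at most a /16, no
# overlap with other VPCs or corporate networks, subnets inside the VPC.
import ipaddress
from typing import Dict, List

MAX_VPC_PREFIX = 16  # the largest block you can allocate to a VPC is /16


def total_addresses(cidr: str) -> int:
    """Addresses in a block: the deck's 256*256 = 65,536 for 10.0.0.0/16."""
    return ipaddress.ip_network(cidr).num_addresses


def check_vpc_range(cidr: str, existing: List[str]) -> List[str]:
    """Problems with a proposed VPC range; an empty list means it is usable.
    `existing` holds CIDRs of other VPCs and corporate networks."""
    net = ipaddress.ip_network(cidr)
    problems = []
    if not net.is_private:
        problems.append(f"{cidr} is not a private (RFC 1918) range")
    if net.prefixlen < MAX_VPC_PREFIX:
        problems.append(f"{cidr} is larger than the /16 maximum")
    for other in existing:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{cidr} overlaps existing network {other}")
    return problems


def check_subnets(vpc_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Problems with a subnet plan: every subnet must sit inside the VPC and
    no two subnets may overlap. Keys are role names, values are CIDRs."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def spare_space(vpc_cidr: str, subnets: Dict[str, str]) -> int:
    """Addresses left unallocated in the VPC, to judge room for growth
    (the range cannot be changed once the VPC exists)."""
    used = sum(ipaddress.ip_network(c).num_addresses for c in subnets.values())
    return total_addresses(vpc_cidr) - used


# Constructed plan matching the deck's diagrams.
VPC = "10.0.0.0/16"
PLAN = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24",
        "jump": "10.0.4.0/24", "log": "10.0.5.0/24"}

if __name__ == "__main__":
    print(total_addresses(VPC), "addresses in", VPC)
    print("VPC problems:", check_vpc_range(VPC, ["192.168.0.0/16"]))
    print("subnet problems:", check_subnets(VPC, PLAN))
    print("spare addresses:", spare_space(VPC, PLAN))
```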
20. Place your EC2 instances in subnets according to your design
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT; 10.0.1.0/24 Web EC2, 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
21. Use VPC security groups to firewall your instances
“Web servers can connect to app servers on port 8080”
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT; 10.0.1.0/24 Web EC2, 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
22. Each instance can be in up to five security groups
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT; 10.0.1.0/24 Web EC2, 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
23. Use separate security groups for applications and management
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”
“Allow SSH and ICMP from hosts in the Jump Hosts security group”
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT; 10.0.1.0/24 Web EC2, 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
24. Security groups are stateful with both ingress and egress rules
Security groups:
• Operate at the instance level
• Supports ALLOW rules only
• Are stateful
• Max 50 rules per security group
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT; 10.0.1.0/24 Web EC2, 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
25. The VPC router will allow any subnet to route to another in the VPC
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT, Router; 10.0.1.0/24 Web EC2, 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
26. Use Network Access Control Lists to restrict internal VPC traffic
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT, Router; 10.0.1.0/24 Web EC2, 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
27. Use Network Access Control Lists to restrict internal VPC traffic
“Deny all traffic between the web server subnet and the database server subnet”
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT, Router; 10.0.1.0/24 Web EC2, 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
28. Use Network Access Control Lists for defence in depth
NACLs are optional
• Applied at subnet level, stateless and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defence
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT, Router; 10.0.1.0/24 Web EC2, 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
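An offline model of the two layers slides 21 to 28 describe (instance-level, allow-only, stateful security groups in front of subnet-level, numbered allow/deny, stateless NACLs), as an added example that is not part of the original deck. The group names, addresses and rules are constructed to match the diagrams: web servers may reach app servers on 8080, and the database subnet's NACL denies all traffic from the web subnet.

```python
# Added example (not from the deck): an offline model of the two firewall
# layers the slides describe. Security groups are per-instance, ALLOW-only
# and stateful; NACLs are per-subnet, numbered ALLOW/DENY rules and
# stateless, so the reply must also be permitted. All names, IPs and
# rules below are constructed to match the deck's diagrams.
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Tuple

MAX_GROUPS_PER_INSTANCE = 5   # limits stated on the slides
MAX_RULES_PER_GROUP = 50
EPHEMERAL_PORT = 49152        # constructed: client-side port of the reply

# Security group rule: allow `port` to/from members of group `peer_sg`.
SGRule = NamedTuple("SGRule", [("port", int), ("peer_sg", str)])
SecurityGroup = NamedTuple("SecurityGroup", [("name", str), ("ingress", list), ("egress", list)])
NACLRule = NamedTuple("NACLRule", [("number", int), ("action", str), ("cidr", str), ("port_from", int), ("port_to", int)])
Subnet = NamedTuple("Subnet", [("cidr", str), ("nacl_in", list), ("nacl_out", list)])
Instance = NamedTuple("Instance", [("ip", str), ("subnet", Subnet), ("groups", list)])


def validate(inst: Instance) -> None:
    if len(inst.groups) > MAX_GROUPS_PER_INSTANCE:
        raise ValueError(f"{inst.ip}: more than {MAX_GROUPS_PER_INSTANCE} groups")
    for g in inst.groups:
        if len(g.ingress) + len(g.egress) > MAX_RULES_PER_GROUP:
            raise ValueError(f"{g.name}: more than {MAX_RULES_PER_GROUP} rules")


def sg_allows(rules: List[SGRule], peer: Instance, port: int) -> bool:
    """Security groups only ever ALLOW: any matching rule permits the flow."""
    peer_groups = {g.name for g in peer.groups}
    return any(r.port == port and r.peer_sg in peer_groups for r in rules)


def nacl_allows(rules: List[NACLRule], remote_ip: str, port: int) -> bool:
    """The lowest-numbered matching rule decides; the implicit final rule is
    DENY, so a NACL with no explicit allow permits nothing."""
    for r in sorted(rules, key=lambda r: r.number):
        if ip_address(remote_ip) in ip_network(r.cidr) and r.port_from <= port <= r.port_to:
            return r.action == "allow"
    return False


def connection_allowed(src: Instance, dst: Instance, port: int) -> Tuple[bool, str]:
    """Evaluate a TCP connection src -> dst:port through both layers and
    name the layer that blocks it."""
    validate(src)
    validate(dst)
    if not any(sg_allows(g.egress, dst, port) for g in src.groups):
        return False, "source security group egress"
    if not any(sg_allows(g.ingress, src, port) for g in dst.groups):
        return False, "destination security group ingress"
    # Security groups are stateful, so the reply needs no rule. NACLs are
    # not: the request and the reply are each checked on both subnets.
    checks = [
        (src.subnet.nacl_out, dst.ip, port, "source subnet NACL outbound"),
        (dst.subnet.nacl_in, src.ip, port, "destination subnet NACL inbound"),
        (dst.subnet.nacl_out, src.ip, EPHEMERAL_PORT, "destination subnet NACL outbound (reply)"),
        (src.subnet.nacl_in, dst.ip, EPHEMERAL_PORT, "source subnet NACL inbound (reply)"),
    ]
    for rules, remote, p, where in checks:
        if not nacl_allows(rules, remote, p):
            return False, where
    return True, "allowed"


ALLOW_ALL = [NACLRule(100, "allow", "0.0.0.0/0", 0, 65535)]   # the default NACL
WEB_NET, APP_NET, DB_NET = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"
# On the database subnet: "Deny all traffic between the web server subnet
# and the database server subnet", then allow everything else.
DB_NACL = [NACLRule(100, "deny", WEB_NET, 0, 65535),
           NACLRule(200, "allow", "0.0.0.0/0", 0, 65535)]


def scenario(db_open_to_web: bool = False) -> dict:
    """Build the deck's three tiers; `db_open_to_web` simulates a security
    group mistake so the NACL's second line of defence can be seen."""
    web_sg = SecurityGroup("web", ingress=[],
                           egress=[SGRule(8080, "app"), SGRule(3306, "db")])
    app_sg = SecurityGroup("app", ingress=[SGRule(8080, "web")],
                           egress=[SGRule(3306, "db")])
    db_peers = ["app", "web"] if db_open_to_web else ["app"]
    db_sg = SecurityGroup("db", ingress=[SGRule(3306, p) for p in db_peers], egress=[])
    web = Instance("10.0.1.10", Subnet(WEB_NET, ALLOW_ALL, ALLOW_ALL), [web_sg])
    app = Instance("10.0.2.10", Subnet(APP_NET, ALLOW_ALL, ALLOW_ALL), [app_sg])
    db = Instance("10.0.3.10", Subnet(DB_NET, DB_NACL, DB_NACL), [db_sg])
    return {"web->app:8080": connection_allowed(web, app, 8080),
            "app->db:3306": connection_allowed(app, db, 3306),
            "web->db:3306": connection_allowed(web, db, 3306)}
```

With `db_open_to_web=True` the security groups let web servers reach the database, and it is the subnet NACL that still stops the connection.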
29. Use Elastic Load Balancers to distribute traffic between instances
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT, Router, Elastic Load Balancer in front of 10.0.1.0/24 Web EC2 (x2); 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
30. Elastic Load Balancers are also placed in security groups
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT, Router, Elastic Load Balancer in front of 10.0.1.0/24 Web EC2 (x3); 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
31. Your security can scale up and down with your solution
Elastic load balancers
• Instances can automatically be added and removed from the balancing pool using rules
Auto scaling
• You can add instances into security groups at launch time
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, NAT, Router, Elastic Load Balancer in front of 10.0.1.0/24 Web EC2 (x3); 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24 Jump, 10.0.5.0/24 Log]
33. Add an Internet Gateway to route Internet traffic from your VPC
[Diagram: Internet Gateway attached to VPC A - 10.0.0.0/16; Availability Zone A with NAT, VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24]
34. You choose what subnets can route to the Internet
Internet routing
• Add route tables to subnets to control Internet traffic flows – these become Public subnets
• Internet Gateway routing allows you to allocate a static Elastic IP address or use AWS-managed public IP addresses to your instance
[Diagram: Internet Gateway attached to VPC A - 10.0.0.0/16; Availability Zone A with VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24]
35. NAT instances allow outbound Internet traffic from private subnets
Internet routing
• Use a NAT instance to provide Internet connectivity for private subnets - required to access AWS update repositories
• This will also allow back-end servers to route to AWS APIs – for example storing logs on S3, or using Dynamo, SQS, SNS and SWS
[Diagram: Internet Gateway attached to VPC A - 10.0.0.0/16; Availability Zone A with NAT, VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24]
36. Access AWS API endpoints through the Internet Gateway
[Diagram: Internet Gateway attached to VPC A - 10.0.0.0/16; Availability Zone A with NAT, VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24; reachable endpoints: Amazon S3, Amazon SQS, Amazon SNS, Amazon Glacier, DynamoDB, Amazon SES]
38. Add a Virtual Private Gateway to route traffic to your premises
[Diagram: VPC A - 10.0.0.0/16; Availability Zone A with NAT, VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24; Virtual Private Gateway connecting to Your premises]
39. You can create multiple IPSEC tunnels to your own VPN endpoints
[Diagram: VPC A - 10.0.0.0/16; Availability Zone A with NAT, VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24; Virtual Private Gateway connecting to a Customer Gateway at Your premises]
40. You can also connect privately using AWS Direct Connect
[Diagram: VPC A - 10.0.0.0/16; Availability Zone A with NAT, VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24; Virtual Private Gateway connecting over Direct Connect to a Customer Gateway at Your premises]
41. You can also create VPNs over Direct Connect if required
[Diagram: VPC A - 10.0.0.0/16; Availability Zone A with NAT, VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24; Virtual Private Gateway connecting over Direct Connect to a Customer Gateway at Your premises]
42. You can route VPC Internet connections through your own gateways
[Diagram: VPC A - 10.0.0.0/16; Availability Zone A with NAT, VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24; Virtual Private Gateway connecting over Direct Connect to a Customer Gateway at Your premises]
43. You can have both Internet and private connectivity to your VPC
[Diagram: Internet Gateway (Amazon S3, DynamoDB reachable) attached to VPC A - 10.0.0.0/16; Availability Zone A with NAT, VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24; Virtual Private Gateway connecting over Direct Connect to a Customer Gateway at Your premises]
44. You can access AWS Internet endpoints using Direct Connect
[Diagram: Internet Gateway (Amazon S3, DynamoDB reachable) attached to VPC A - 10.0.0.0/16; Availability Zone A with NAT, VPC Router, 10.0.1.0/24 Web EC2 (x3), 10.0.2.0/24 App EC2, 10.0.3.0/24, 10.0.4.0/24; Virtual Private Gateway connecting over Direct Connect to a Customer Gateway at Your premises]
45. You can distribute load across availability zones to build resilience
[Diagram: Internet Gateway attached to VPC A - 10.0.0.0/16; Availability Zone A and Availability Zone B, each with a Public subnet (Web instances behind an Elastic Load Balancer) and Private subnets (Application EC2 instances behind an Elastic Load Balancer, Auto scaling)]
46. ELBs will balance traffic in an AZ and redirect in case of failure
[Diagram: Internet Gateway attached to VPC A - 10.0.0.0/16; Availability Zone A and Availability Zone B, each with a Public subnet (Web instances behind an Elastic Load Balancer) and Private subnets (Application EC2 instances behind an Elastic Load Balancer, Auto scaling)]
47. VPC security tip
Don’t have any elastic IP addresses
• For web applications, the only elements requiring external connectivity are the ELBs and the NAT instance
• Web servers can sit in a private subnet
• AWS manage ELB security, customer just has to configure them
• Also a separate security group from ELBs
Use jump hosts in the VPC to manage hosts rather than directly connecting from external addresses
• Security group access on production hosts can be limited
• Enforce a single point of control, redundant across availability zones
48. Security best practices for AWS
Agenda: 1. Understanding shared responsibility for security; 2. Using AWS global reach and availability features; 3. Building a secure virtual private cloud; 4. Using AWS Identity and Access Management; 5. Protecting your content on AWS; 6. Building secure applications on AWS
49. You have fine grained control of your AWS environment
AWS IAM enables you to securely control access to AWS services and resources
• Fine grained control of user permissions, resources and actions
• Now includes support for RunInstances
• Add multi factor authentication
• Hardware token or smartphone apps
• Test out your new policies using the Identity and Access Management policy simulator
50. Segregate duties between roles with IAM
AWS account owner (master)
You get to choose who can do what in your AWS environment and from where
Roles: Network management; Security management; Server management; Storage management
[Diagram: the roles manage and operate a Region containing VPC A - 10.0.0.0/16 with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 in separate Availability Zones, a Router, an Internet Gateway to the Internet and a Customer Gateway]
51. Use AWS CloudTrail (beta) to track access to APIs and IAM
Increase your visibility of what happened in your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Be notified of log file delivery using the AWS Simple Notification Service
• Support for many AWS services including EC2, EBS, VPC, RDS, IAM, STS and Redshift
• Aggregate log information into a single S3 bucket
Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic.
52. AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
CloudTrail is currently available in US-WEST1 and US-EAST1
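The two CloudTrail slides above in code, as an added example that is not part of the original deck: it answers "who did what, when and from what IP address" for each record and pulls out the security group and NACL changes the slide says to track. The log is constructed in CloudTrail's record layout; the account number, group and NACL identifiers are placeholders.

```python
# Added example (not from the deck): answer "who did what, when and from
# which IP address" over CloudTrail records, and pick out the changes to
# VPC security groups and NACLs the slide says to track. The log below is
# constructed in CloudTrail's record layout; the account, group and NACL
# identifiers in it are placeholders.
import json
from typing import Dict, List

# EC2 API calls that change security groups or network ACLs.
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2013-11-12T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {}},
    {"eventTime": "2013-11-12T09:20:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-placeholder1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2013-11-12T09:31:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/NetAdmin/bob"},
     "requestParameters": {"networkAclId": "acl-placeholder1", "ruleNumber": 100,
                           "egress": False, "ruleAction": "deny", "cidrBlock": "10.0.1.0/24"}},
]})


def load_records(text: str) -> List[dict]:
    """A CloudTrail log file is a JSON object with a 'Records' array."""
    return json.loads(text)["Records"]


def actor(rec: dict) -> str:
    """Prefer the IAM user name; fall back to the ARN (e.g. an assumed role)."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def who_what_when(rec: dict) -> Dict[str, str]:
    """The four questions the slide asks of every API call."""
    return {"who": actor(rec), "what": f'{rec["eventSource"]}:{rec["eventName"]}',
            "when": rec["eventTime"], "from": rec.get("sourceIPAddress", "")}


def cidrs_in(obj) -> List[str]:
    """Collect every cidrIp value anywhere in a request's parameters."""
    if isinstance(obj, dict):
        found = [v for k, v in obj.items() if k == "cidrIp"]
        return found + [c for v in obj.values() for c in cidrs_in(v)]
    if isinstance(obj, list):
        return [c for v in obj for c in cidrs_in(v)]
    return []


def is_change(rec: dict) -> bool:
    """Anything that is not a Describe/List/Get call mutates something."""
    return not rec["eventName"].startswith(READ_ONLY_PREFIXES)


def network_changes(records: List[dict]) -> List[dict]:
    """Security group and NACL changes, newest first, with a flag for rules
    that open a port to the whole Internet."""
    hits = [dict(who_what_when(r), world_open="0.0.0.0/0" in cidrs_in(r.get("requestParameters")))
            for r in records if r["eventName"] in NETWORK_CHANGE_EVENTS]
    return sorted(hits, key=lambda h: h["when"], reverse=True)


def most_recent_changes(records: List[dict], n: int = 5) -> List[Dict[str, str]]:
    """Troubleshooting view: the last n mutating calls in the environment."""
    changes = [who_what_when(r) for r in records if is_change(r)]
    return sorted(changes, key=lambda h: h["when"], reverse=True)[:n]


if __name__ == "__main__":
    for hit in network_changes(load_records(SAMPLE_TRAIL)):
        print(hit)
```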
53. Federate AWS IAM with your existing directories
Keep control of who can do what on AWS using your existing directory
• AWS IAM now supports SAML 2.0
• Federate with on-premise directories like Active Directory or another SAML 2.0 compliant identity provider
• Use Active Directory users and groups in AWS for authentication and authorization
• E.g. ‘Database Administrators’ AD security group can have access to create and manage on-premise and AWS RDS instances
54. How you can make the maximum use of AWS IAM features
Rotate your AWS access keys regularly
Having a shorter period an access key is active will reduce the impact if compromised
• Create a second access key in addition to the one in use
• Update all your applications to use the new access key and validate that the applications are working
• Change the state of the previous access key to inactive
• Validate that your applications are still working as expected
• Delete the inactive access key
Avoid hard-coding
• Search your source code for hard-coded access keys
You don’t need to put credentials into applications – access AWS resources using IAM roles for EC2
• Create IAM roles with least-privilege permissions for access to relevant AWS services, e.g. an S3 bucket
• Use IAM roles in your application and launch your EC2 instance with the role
• You can also use this technique to distribute non-AWS credentials to your applications to avoid checking them into GitHub!
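The rotation sequence and the source-code search from the slide above, as an added example that is not part of the original deck. It is written against the boto3 IAM client method names (an assumption about the reader's client; any object with the same methods works), and `FakeIAM` is a constructed in-memory stand-in so the flow runs offline; the key IDs it hands out are placeholders.

```python
# Added example (not from the deck): the key-rotation sequence from the
# slide, written against the boto3 IAM client method names (assumption:
# `iam` is a boto3 IAM client or any object with the same methods). FakeIAM
# below is a constructed stand-in so the flow runs offline; the key IDs it
# hands out are placeholders.
import re
from datetime import datetime, timedelta, timezone

# AWS access key IDs are 20 characters starting AKIA (long-lived) or ASIA (temporary).
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def find_hardcoded_keys(source: str):
    """'Search your source code for hard-coded access keys'."""
    return ACCESS_KEY_ID_RE.findall(source)


def keys_needing_rotation(iam, user_name, max_age_days=90):
    """Key IDs older than the rotation period you choose (90 days here)."""
    cutoff = datetime.now(timezone.utc) - timedelta(days=max_age_days)
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    return [k["AccessKeyId"] for k in keys if k["CreateDate"] < cutoff]


def rotate_access_key(iam, user_name, switch_applications, applications_healthy):
    """Run the five steps, backing out if validation fails at any point.
    `switch_applications(new_key)` deploys the new key to your applications;
    `applications_healthy()` is the validation step. Returns the new AccessKeyId."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) > 1:
        raise RuntimeError("user already has two keys; a user may hold at most two")
    old_id = keys[0]["AccessKeyId"] if keys else None
    new = iam.create_access_key(UserName=user_name)["AccessKey"]        # step 1
    new_id = new["AccessKeyId"]
    switch_applications(new)                                            # step 2
    if not applications_healthy():
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_id)
        raise RuntimeError("applications failed on the new key; old key still active")
    if old_id:
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")  # step 3
        if not applications_healthy():                                  # step 4
            iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Active")
            raise RuntimeError("something still uses the old key; re-activated it")
        iam.delete_access_key(UserName=user_name, AccessKeyId=old_id)  # step 5
    return new_id


class FakeIAM:
    """Constructed in-memory stand-in for the IAM client (test double).
    `existing` lists the ages in days of the user's current keys."""

    def __init__(self, existing):
        self.keys = {}
        for i, age in enumerate(existing):
            self.keys[f"AKIAPLACEHOLDER0000{i}"] = {
                "Status": "Active",
                "CreateDate": datetime.now(timezone.utc) - timedelta(days=age)}
        self.counter = len(existing)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(AccessKeyId=k, UserName=UserName, **v)
                                      for k, v in self.keys.items()]}

    def create_access_key(self, UserName):
        if len(self.keys) >= 2:
            raise RuntimeError("LimitExceeded: at most two keys per user")
        self.counter += 1
        key_id = f"AKIAPLACEHOLDER0000{self.counter}"
        self.keys[key_id] = {"Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        return {"AccessKey": {"AccessKeyId": key_id, "UserName": UserName,
                              "SecretAccessKey": "placeholder-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


if __name__ == "__main__":
    iam = FakeIAM([120])
    print("stale keys:", keys_needing_rotation(iam, "app-user"))
    print("new key:", rotate_access_key(iam, "app-user", lambda k: None, lambda: True))
    print("keys now:", list(iam.keys))
```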
55. Integrate AWS IAM with web identities in your solutions
Use IAM roles to authorise web identities access to AWS resources
• Your users can sign-in with multiple authentication options
• Roles can be created on-the-fly to permit AWS resource access
• Token validity can be limited
• No need to run your own EC2 endpoints
56. Your solutions can also use your existing directories
Your applications don’t need to use AWS IAM
• Customers retain their own design choices
• Extend internal directories into AWS over private connections
• Replicate internal directories into your VPC or use trust domains
• Create new directories within your VPC
57. Security best practices for AWS
Agenda: 1. Understanding shared responsibility for security; 2. Using AWS global reach and availability features; 3. Building a secure virtual private cloud; 4. Using AWS Identity and Access Management; 5. Protecting your content on AWS; 6. Building secure applications on AWS
58. AWS has many different content storage services
[Diagram: S3, RDS, EBS, Redshift]
59. Making use of available Amazon S3 security features
Configure S3 access controls at bucket and object level
• Restrict access and rights as tightly as possible and regularly review access logs
• Use versioning for important files, with MFA required for delete
Use S3 cryptographic features
• Use SSL to protect data in transit
• S3 server side encryption: AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf
• Use S3 client side encryption: encrypt information before sending it to S3; build yourself or use the AWS Java SDK
• Use MD5 checksums to verify the integrity of objects loaded into S3
60. Understanding Amazon Redshift security features
Redshift has one-click full disk encryption as standard
• If chosen, backups to S3 are also encrypted
• You can use the AWS CloudHSM to store your keys
Customers still need to manage access to their Redshift clusters
• Backup access logs to S3 for later analysis – Redshift will only store them for one week
• Configure security groups and consider deploying within VPC
Redshift loads data from S3 over SSL
• Limit access to those S3 buckets and consider the end-to-end data load process from source
Use SSL to protect data in transit if querying over the Internet
61. Making the most of Amazon RDS security features
RDS can reduce the security burden of running your databases
• Limit security group access to RDS instances
• Limit RDS management plane access with AWS IAM permissions
Encrypt data in flight
• Oracle Native Network Encryption, SSL for SQL Server, MySQL and PostgreSQL – especially if the database is accessible from the Internet
Encrypt data at rest in sensitive table space
• Native RDS via SQL Server and Oracle Transparent Data Encryption
• Encrypt sensitive information at application level or use a DB proxy
Configure automatic patching of minor updates – let AWS do the heavy lifting for you within a maintenance window you choose
62. Use fine-grained security with Amazon DynamoDB
Fine-grained security restricts access to columns and rows
• Will reduce the impact of loss of DynamoDB access credentials or coding vulnerability
• Each user can update their own row of data, but has no access to any other row
• Negates the need to proxy DynamoDB access – your end-user application can directly call the relevant APIs
Three easy steps to implement fine-grained security
① Create an access policy
② Create an IAM role
③ Assign your access policy to the role
63. Use fine-grained security with Amazon DynamoDB
Your end-user application can now call DynamoDB directly using temporary IAM credentials generated from a role
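The three steps from the two DynamoDB slides above as policy documents, plus an offline check of what the row-level condition permits, as an added example that is not part of the original deck. The policy variable `${www.amazon.com:user_id}` and the condition key `www.amazon.com:app_id` are the Login with Amazon web identity keys; the table ARN, application id and user ids are placeholders.

```python
# Added example (not from the deck): the three steps on the slide as
# policy documents, plus a small offline check of what the row-level
# condition permits. The web identity variables used
# (${www.amazon.com:user_id}, www.amazon.com:app_id) are the Login with
# Amazon ones; table ARN, app id and user ids are placeholders.
import json
import re

PROVIDER = "www.amazon.com"
USER_VAR = f"${{{PROVIDER}:user_id}}"          # expands to ${www.amazon.com:user_id}


def access_policy(table_arn: str) -> dict:
    """Step 1: allow item operations, but only on items whose partition key
    (the 'leading key') equals the caller's own identity. Column-level
    restriction would add a dynamodb:Attributes condition in the same way."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                   "dynamodb:UpdateItem", "dynamodb:Query"],
        "Resource": table_arn,
        "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [USER_VAR]}}}]}


def trust_policy(app_id: str) -> dict:
    """Step 2: who may assume the role: identities from PROVIDER that were
    issued for our application, via AssumeRoleWithWebIdentity."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{PROVIDER}:app_id": app_id}}}]}


def role_definition(role_name: str, table_arn: str, app_id: str) -> dict:
    """Step 3: the role with the access policy attached (offline
    representation of what you would create in IAM)."""
    return {"RoleName": role_name,
            "AssumeRolePolicyDocument": trust_policy(app_id),
            "Policies": {"dynamodb-own-rows": access_policy(table_arn)}}


def expand_variables(value: str, identity: dict) -> str:
    """Substitute ${provider:attr} with the caller's attributes."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: identity.get(m.group(1), m.group(0)), value)


def is_allowed(policy: dict, identity: dict, action: str, leading_keys: list) -> bool:
    """Evaluate the access policy for one request (only the constructs used
    above: Allow statements with a ForAllValues:StringEquals condition)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        allowed_keys = {expand_variables(v, identity) for v in
                        st["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"]}
        # ForAllValues: every key in the request must be in the allowed set
        if leading_keys and all(k in allowed_keys for k in leading_keys):
            return True
    return False


TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores"  # placeholder
ALICE = {f"{PROVIDER}:user_id": "amzn1.account.PLACEHOLDER.ALICE"}        # constructed
BOB = {f"{PROVIDER}:user_id": "amzn1.account.PLACEHOLDER.BOB"}            # constructed

if __name__ == "__main__":
    role = role_definition("GameScoresWebRole", TABLE_ARN, "amzn1.application.PLACEHOLDER")
    print(json.dumps(role, indent=2))
```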
64. Encrypting EBS volumes on Amazon EC2 instances
Roll your own encryption or use commercial solutions
• Windows BitLocker or Linux LUKS for encrypted volumes and TrueCrypt for containers
• SafeNet Protect-V, Trend Secure Cloud, Voltage – some vendors offer boot volume encryption
• MapReduce volumes can use Gazzang
Managing encryption keys is critical and difficult!
• How will you manage keys and make sure they are available when required, for example at instance start-up?
• How will you keep them available and prevent loss?
• How will you rotate keys on a regular basis and keep them private?
65. Use the AWS CloudHSM to store encryption keys
Tamper-resistant, customer controlled hardware security module within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and maintain the appliance
• High availability and replication to on-premise HSMs
Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed databases and natively with AWS Redshift
• Integrate with applications using Java APIs
• Integration with marketplace disk-encryption and SSL services coming soon
66. Security best practices for AWS
Agenda: 1. Understanding shared responsibility for security; 2. Using AWS global reach and availability features; 3. Building a secure virtual private cloud; 4. Using AWS Identity and Access Management; 5. Protecting your content on AWS; 6. Building secure applications on AWS
67. Controlling and launching your Amazon EC2 instances
You choose the base image
Amazon maintained images
• They are stored as Amazon Machine Images (AMIs)
• AWS maintains a catalogue of operating system images and regularly refreshes them so you have a known baseline
• Amazon, RedHat, Ubuntu or SUSE Linux
• Microsoft Windows 2008 and 2012
Your own images
• You can save your OS configurations as private AMIs
• Can reduce time to launch new servers, for example save a pre-configured web server and use it when auto-scaling
Amazon Marketplace images
• Maintained by Amazon’s partner community
Community images
• Images other people have made public
• Many popular free packages and tools
[Diagram: AMI catalogue]
68. You decide on network placement and security group membership
You choose the instance configuration
Host configuration
• CPU, memory, architecture type
• You can vertically scale this anytime by simply restarting with a new configuration
Network placement
• VPC subnet, or EC2 classic
• Choose whether to automatically attach an Internet IP address
Security groups
• Add up to five security groups at launch, or anytime
Access keys and IAM roles
[Diagram: AMI catalogue → Launch instance → EC2 Running instance]
69. You decide how to configure your instance environment
You take responsibility for final configuration
User administration
• Think about how you will manage administrative users
• Restrict access as much as possible
Hardening and configuration
• Harden operating system and platforms
• Use standard hardening guides and techniques
• Apply latest security patches – Amazon maintains repositories
Use host-based protection software
• Whitelisting and integrity
• Malware and IPS
• Vulnerability management
• Think of how they will work in an elastic environment - hosts may only be in use for hours before being replaced
Audit and logging
Build out the rest of your standard security environment
[Diagram: AMI catalogue → Launch instance → EC2 Running instance → Operating system → Configure instance → Your instance]
70. Test the security of your solutions before go-live
You need to apply the same secure coding principles as you currently do
• Build secure applications that can defend against common threats like XSS and SQL Injection
• Implement the OWASP Top 10 for web apps
• Perform regular penetration and web application security tests
• Don’t wait for Little Bobby Tables to find your application!
Run through AWS best practices, audit and operational checklists before release
71. Patch applications and platforms regularly
Frequent patching is one of the most effective controls
• Design applications that can survive regular recycling and rebuilding of hosts – queues and workers
• Customers are responsible for patching their EC2 instances
• Keep track of patch levels and dependencies which mean applications can’t be patched
• Aim to patch critical vulnerabilities in hours or days, not weeks
• Subscribe to security mailing lists and news sources
AWS Elastic Beanstalk can help reduce patching burden for most web application platforms
72. Check the integrity of configurations and platforms
Is your solution still configured the way you intended?
• Are you using CloudTrail to monitor changes made through APIs?
• Is the configuration of your AWS services correct?
• VPC networks, Security groups and NACLs
• IAM policies and rights – who has access and why
Script and automate describing your entire AWS environment and compare the results on an ongoing basis
• Consider using configuration integrity checking for EC2 instances – Tripwire, Chef and Puppet
• Have uncontrolled changes been applied?
• If so, how did it happen? Can you prevent reoccurrence?
• Try and whitelist what can be installed and run on hosts
Perform these checks on a regular basis
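One way to "describe your entire AWS environment and compare the results", shown for security groups, as an added example that is not part of the original deck: two DescribeSecurityGroups snapshots in the boto3 response layout are normalised into rule sets and diffed, so that an added rule (here SSH opened to the whole Internet) and a removed rule (SSH from the jump hosts) surface on the next run. Both snapshots are constructed and the group ids are placeholders.

```python
# Added example (not from the deck): "describe your entire AWS environment
# and compare the results": normalise two DescribeSecurityGroups snapshots
# (the boto3 response layout) into rule sets and report what changed. Both
# snapshots are constructed; the group ids are placeholders.
from typing import List, Set, Tuple

Rule = Tuple[str, str, str, int, int, str]   # group, direction, proto, from, to, peer


def normalize(snapshot: dict) -> Set[Rule]:
    """Flatten IpPermissions/IpPermissionsEgress so that ordering and grouping
    in the API output do not register as changes."""
    rules = set()
    for group in snapshot["SecurityGroups"]:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in group.get(key, []):
                proto = perm["IpProtocol"]
                lo = perm.get("FromPort", 0)          # all-traffic ("-1") rules carry no ports
                hi = perm.get("ToPort", 65535)
                peers = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                peers += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
                for peer in peers:
                    rules.add((group["GroupId"], direction, proto, lo, hi, peer))
    return rules


def diff(baseline: dict, current: dict) -> dict:
    """Rules that appeared since the baseline and rules that disappeared."""
    before, after = normalize(baseline), normalize(current)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def world_open(rules: List[Rule]) -> List[Rule]:
    """Rules reachable from anywhere on the Internet deserve a second look."""
    return [r for r in rules if r[5] in ("0.0.0.0/0", "::/0")]


def report(baseline: dict, current: dict) -> List[str]:
    """Human-readable drift report for the ongoing comparison."""
    changes = diff(baseline, current)
    lines = [f"+ {r}" for r in changes["added"]] + [f"- {r}" for r in changes["removed"]]
    lines += [f"! open to the Internet: {r}" for r in world_open(changes["added"])]
    return lines


# Constructed baseline: web servers accept SSH only from the jump-host group
# and talk to the app group on 8080.
BASELINE = {"SecurityGroups": [
    {"GroupId": "sg-web-placeholder", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-jump-placeholder"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-placeholder"}]}]}]}

# The same group later: SSH has been opened to the world and the jump-host
# rule is gone, which is what the ongoing comparison should surface.
CURRENT = {"SecurityGroups": [
    {"GroupId": "sg-web-placeholder", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-placeholder"}]}]}]}

if __name__ == "__main__":
    print("\n".join(report(BASELINE, CURRENT)))
```

With a real client the snapshots come from `describe_security_groups()`, stored as JSON after each run; the same normalise-and-diff approach extends to NACL entries and route tables.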
73. Monitor for security incidents and have a plan to respond
Customers are responsible for detecting and responding to security incidents within their solutions
• What sources of information, logging and data are available to you? AWS CloudTrail will capture and log API and IAM activity
• How do you plan to monitor these? AWS CloudWatch can help you monitor your AWS resources and notify you when alarms go off
• How will you know if an incident has taken place?
• What will you do if you detect an incident?
• What data may have been accessed and what would be the impact of disclosure?
74. Block threats to your application
Traditional network intrusion detection and prevention is less relevant now
• Dude, where’s my SPAN port?
• Attackers have moved to layer 7 (HTTP) so we need to follow them there
• You can still build an effective DMZ within the VPC using a wide range of open source or AWS technology partner solutions
Drop bad traffic before it hits your application and databases
• Can be deployed in two-way configuration to implement simple DLP, for example scan outgoing traffic for Credit Card Numbers
• Design for scale and high-availability using ELBs
• Scale fast and wide to cope with huge traffic volumes
• Build a solution designed to cope with volumetric attacks
Let’s build an example in the next slides
75. Building a scalable threat protection layer in your VPC
[Diagram: Internet Gateway attached to VPC A - 10.0.0.0/16; Availability Zone A and Availability Zone B, each with a Public subnet (WAF instances behind an Elastic Load Balancer) and Private subnets (Web Application EC2 instances behind an Elastic Load Balancer, Auto scaling)]
76. You can achieve very large scale and high availability
[Diagram: Internet Gateway attached to VPC A - 10.0.0.0/16; Availability Zone A and Availability Zone B, each with a Public subnet (WAF instances behind an Elastic Load Balancer) and Private subnets (Web Application EC2 instances behind an Elastic Load Balancer, Auto scaling)]
77. You don’t have to be alone when facing volumetric attacks
78. You can build a solution that can scale and offload attacks
[Diagram: Player one: your VPC, with Auto scaling]
79. You choose how far you can scale
Vital statistics
You can scale your VPC up to your financial threshold
• Auto-scale your application
• Use queues and worker instances to process traffic
• Unlimited scale and bandwidth at your disposal
• Think how you can shard your databases
[Diagram: Player one: your VPC, with Auto scaling]
80. You can also bring AWS resources to your assistance to help you
[Diagram: Player one: your VPC (Auto scaling); Player two: AWS (CloudFront, S3, Route 53)]
81. With AWS at your side you can defend against the largest attacks
Vital statistics
AWS provides large-scale Global endpoints
• 46 CloudFront edge locations and growing all the time
• 100% Route53 availability SLA
• 24x7 dedicated teams responding
• Drop malformed requests
• Soaking up load and watching your back
[Diagram: Player one: your VPC (Auto scaling); Player two: AWS (CloudFront, S3, Route 53)]
82. Your VPC can use auto-scaling to serve dynamic content
[Diagram: Customers → EC2 instances (x3)]
83. Serve your static content from S3
S3 is processing > 1.5 million requests/s
[Diagram: Customers → Region with Amazon S3 and EC2 instances (x3)]
84. Use CloudFront to cache your origin servers
CloudFront has 46 global edge locations
[Diagram: Customers → CloudFront Edge Location → Region with Amazon S3 and EC2 instances (x3)]
85. CloudFront can now also serve your dynamic content
[Diagram: Customers → CloudFront → Region with Amazon S3 and EC2 instances (x3)]
86. CloudFront can unload volume from your VPC
[Diagram: Distributed attackers → CloudFront → Region with Amazon S3 and EC2 instances (x3)]
87. Route 53 is a global, resilient DNS to keep your traffic coming
[Diagram: Distributed attackers → Route53 / CloudFront → Region with Amazon S3 and EC2 instances (x3)]
88. AWS is delivering and defending large-scale endpoints 24x7
[Diagram: Distributed attackers → Route53 / CloudFront → Region with Amazon S3 and EC2 instances (x3)]
89. You can out-scale your attacker until their resources diminish
[Diagram: Customers → Route53 / CloudFront → Region with Amazon S3 and EC2 instances (x3)]
90. Route 53 can also load balance traffic across multiple AWS Regions
[Diagram: Route 53 in front of two Regions, DUBLIN and SYDNEY, each with Availability Zone A and Availability Zone B containing NAT and EC2 instances]
91. You can use health-checks to failover Regions or even just VPCs
[Diagram: Route 53 in front of two Regions, DUBLIN and SYDNEY, each with Availability Zone A and Availability Zone B containing NAT and EC2 instances]
92. Amazon Route53 makes DNS easy and reliable
DNS is hard and complex from a security viewpoint
• Route 53 lets AWS take care of the heavy-lifting
• Customers just have to configure DNS entries
• Get latency-based routing and health-checking features
• Fall back to static website if main site down
• Round-robin load balance across VPCs / Regions
Security best practices for Route 53
• DNS is a critical service – understand and limit who can access and change Route 53 configurations using AWS IAM
• Use two-factor authentication for those users
93. Amazon CloudFront will deliver your content from the nearest edge
Use CloudFront to increase your solution’s performance and availability
• Cache more than static content – now with more supported HTTP verbs
• Highly reliable global network of edge locations
• Can help absorb volumetric attack
Security best practices for CloudFront
• Use private content option to authorise only signed requests
• Use SSL when POSTing sensitive information
• Review logs for attack intelligence – are you being targeted?
• Lock CloudFront to specific S3 origin buckets when possible
• Configure HTTPS only for downloads
94. AWS partners can help you build secure solutions
AWS: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Fine-grained IAM capability
+
AWS partner solutions
=
Your secure AWS solutions
These products and more are available on the AWS marketplace - WAF, VPN, IPS, AV, API gateways, data encryption, user management
95. Where you can go for help and further information
Browse and read AWS security whitepapers and good practices
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, including CSA questionnaire response
• Security best practices
• Audit and operational checklists to help you assess security before you go live
Sign up for AWS support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment
96. Get training and become AWS certified in your discipline
Get training from an instructor or try the self-paced labs
• http://aws.amazon.com/training/
Become AWS certified and gain recognition and visibility
• http://aws.amazon.com/certification
• Demonstrate that you have skills, knowledge and expertise to design, deploy and manage projects and applications on the AWS platform
• Prove skills and foster credibility with your employer and peers
Choose your discipline, or do all of them!
• AWS Certified Solutions Architect – Associate Level
• AWS Certified Developer – Associate Level (Beta)
• AWS Certified SysOps Administrator – Associate Level (Beta)
97. Thank you for your time today
Any questions?
Stephen Quigg, squigg@amazon.com, APAC Security Solutions Architect