© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Layered Security Services
SKL303
Shllomi Ezra, Business Development Manager, AWS Security Services
Agenda
Introduction
AWS Layered Security Services
re:Inforce
Why is security traditionally so hard?
• Lack of visibility
• Low degree of automation
Before: move fast OR stay secure
Now: move fast AND stay secure
Layered Security Services
Identify: AWS Systems Manager, AWS Config
Protect: AWS Identity and Access Management (IAM), AWS Single Sign-On, AWS Key Management Service, AWS Secrets Manager, Amazon VPC, AWS WAF, AWS Shield, AWS Firewall Manager
Detect: AWS CloudTrail, Amazon CloudWatch, Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Security Hub, AWS IoT Device Defender
Respond / Automate / Investigate: AWS Lambda, Amazon CloudWatch
Recover: Snapshot, Archive
Layered Security Services
External Security Services: Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub
Perimeter Protection: AWS WAF, AWS Shield, AWS Firewall Manager
How does Amazon GuardDuty work?
• Easy one-click activation without architectural or performance impact
• No agents, no sensors, no network appliances
• Instant on: provides findings in minutes
How does Amazon GuardDuty work?
Data sources: VPC flow logs, DNS logs, CloudTrail events
Threat detection types: threat intelligence, anomaly detection (ML)
Findings (HIGH / MEDIUM / LOW severity): cryptocurrency (Bitcoin) mining, instance compromise, account compromise; 47 detection types in total at the time of this talk
Respond: AWS Security Hub, SIEM
Automate with integrated services
Automated threat remediation: a GuardDuty finding is published as a CloudWatch Event; a CloudWatch Events rule (an event pattern matching GuardDuty findings, or a scheduled, time-based rule) triggers an AWS Lambda function that carries out the remediation.
Amazon GuardDuty finding -> Amazon CloudWatch Events rule -> AWS Lambda function
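As an added example (not code from this deck), the routing and decision logic of such a Lambda function: a CloudWatch Events rule pattern for GuardDuty findings, a small matcher for it, and a remediation plan derived from the finding's resource type and severity. The two finding events are constructed samples in the shape GuardDuty publishes; the quarantine security group ID, the `execute` hook and the severity thresholds are assumptions made here.

```python
"""GuardDuty finding -> CloudWatch Events rule -> Lambda remediation.

Added example, not code from the deck. The two events below are constructed
samples in the shape GuardDuty publishes to CloudWatch Events; the quarantine
security group ID and the `execute` hook are assumptions for illustration.
"""
from dataclasses import dataclass, asdict
from typing import Callable, Optional

# CloudWatch Events (EventBridge) rule pattern: route every GuardDuty finding
# to the function and filter on severity in code.
RULE_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Assumed pre-created security group with no inbound/outbound rules.
QUARANTINE_SG = "sg-0123456789abcdef0"


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Subset of EventBridge matching: every pattern key must be present; list
    values are OR-ed exact matches; nested dicts recurse."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], allowed):
                return False
        elif event[key] not in allowed:
            return False
    return True


def severity_label(severity: float) -> str:
    """GuardDuty severity bands: 1.0-3.9 low, 4.0-6.9 medium, 7.0-8.9 high."""
    return "HIGH" if severity >= 7.0 else "MEDIUM" if severity >= 4.0 else "LOW"


def remote_ip(detail: dict) -> Optional[str]:
    """Remote (attacker) address, wherever the finding's action type puts it."""
    action = detail.get("service", {}).get("action", {})
    for kind in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(kind, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            return ip
    return None


@dataclass
class Plan:
    finding_id: str
    finding_type: str
    label: str
    action: str = "notify"
    target: Optional[str] = None
    remote_ip: Optional[str] = None


def plan_remediation(detail: dict) -> Plan:
    """Isolate a high-severity compromised instance, disable the access key behind
    an account-compromise finding, otherwise only notify."""
    resource = detail.get("resource", {})
    plan = Plan(detail["id"], detail["type"], severity_label(float(detail.get("severity", 0))),
                remote_ip=remote_ip(detail))
    kind = resource.get("resourceType")
    if kind == "Instance" and plan.label == "HIGH":
        plan.action, plan.target = "isolate_instance", resource["instanceDetails"]["instanceId"]
    elif kind == "AccessKey" and plan.label != "LOW":
        plan.action, plan.target = "disable_access_key", resource["accessKeyDetails"]["accessKeyId"]
    return plan


def handler(event: dict, context=None,
            execute: Callable[[Plan], None] = lambda plan: None) -> dict:
    """Lambda entry point. `execute` is injected so the logic runs offline; in
    AWS it would call boto3:
      isolate_instance   -> ec2.modify_instance_attribute(InstanceId=t, Groups=[QUARANTINE_SG])
      disable_access_key -> iam.update_access_key(AccessKeyId=t, Status="Inactive")
    """
    if not matches_pattern(event, RULE_PATTERN):
        return {"action": "ignored", "reason": "event did not match the rule pattern"}
    plan = plan_remediation(event["detail"])
    execute(plan)
    return asdict(plan)


# Constructed sample events (not real findings).
SAMPLE_INSTANCE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "f0a1b2c3d4e5f60718293a4b5c6d7e8f",
               "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0abc123def456789a"}},
               "service": {"action": {"actionType": "DNS_REQUEST",
                                      "dnsRequestAction": {"domain": "pool.example"}}}},
}
SAMPLE_KEY_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
               "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5,
               "resource": {"resourceType": "AccessKey",
                            "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
               "service": {"action": {"actionType": "AWS_API_CALL",
                                      "awsApiCallAction": {"api": "ListBuckets",
                                                           "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}},
}

if __name__ == "__main__":
    for ev in (SAMPLE_INSTANCE_EVENT, SAMPLE_KEY_EVENT):
        print(handler(ev, execute=lambda p: print("would run", p.action, "on", p.target)))
```

Keeping the AWS calls behind the `execute` hook is what makes the decision logic testable without an account; note that GuardDuty re-emits an updated finding for an ongoing activity, so the real function should be idempotent (isolating an already-isolated instance must be harmless).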
Amazon Inspector
Automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Network Reachability Assessments (Amazon Inspector)
Agentless network assessments: find externally accessible EC2 instances (Internet, VPN, peering), for example SSH open to the Internet.
Enhanced, with the optional agent: the agent adds information about the software listening on the reachable ports.
How to use Amazon Inspector?
1. Configure assessment
2. Run assessment
3. Findings: vulnerability; resource affected; recommendation
4. Remediation: take action (1-click), or hand the findings to Inspector partners (SIEM, reporting, ticketing)
Automate use of findings
Findings (vulnerability; resource affected; recommendation) are published to Amazon Simple Notification Service, which invokes an AWS Lambda function that remediates through EC2 Run Command (AWS Systems Manager).
Network Reachability – key features
• Avoid the complexity and impact of scanners
• Actionable insights
• Validate and fix your AWS networking configuration
• Shows all open paths (Internet, VPN, etc.)
Network Reachability Findings
Amazon Inspector findings show:
WHERE a port is reachable from:
• Internet via IGW (including instances behind ELB/ALB)
• VPN or DX via VGW
• Peered VPC
HOW it is allowed:
• Security Group
• VPC: subnet, NACL, IGW, etc.
WHICH process is listening on the port (with the optional agent):
• Process name and process ID
• Binary / executable
How does it work?
Amazon Inspector analyzes the AWS network configuration to find what is reachable.
Resources analyzed:
• Security groups
• VPCs
• Network interfaces
• Subnets
• Network ACLs
• Route tables
• Elastic load balancers
• Application load balancers
• Internet gateways
• Virtual private gateways
• Direct Connect
• VPC peering connections
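An added, simplified illustration of this kind of analysis, not Inspector's own algorithm or code: it evaluates a constructed route table, network ACL and security groups (all sample data) to answer from where a TCP port is reachable and which route, NACL rule and security group let the traffic in. It goes beyond the slide in two places a practitioner cares about: NACL rules are evaluated in ascending number with a partial deny subtracted from the remaining address space, and a security group rule for a private range does not count as Internet exposure because such sources cannot arrive through an IGW. Load balancers and the remote side of a peering connection are not modelled.

```python
"""Toy network-reachability evaluation over a VPC model.

Added example in the spirit of Inspector's agentless assessment; it is not
Inspector's algorithm or code. Assumptions: the instance has a public IP, the
route table and NACL shown belong to its subnet, and only TCP ingress is asked.
"""
import ipaddress

ANY4 = ipaddress.ip_network("0.0.0.0/0")
PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ORIGIN_BY_PREFIX = {"igw-": "Internet via IGW", "vgw-": "VPN/DX via VGW", "pcx-": "Peered VPC"}

# --- constructed sample configuration (not from a real account) ---
ROUTE_TABLE = [  # (destination CIDR, target)
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-0aa11bb22cc33dd44"),
    ("192.168.0.0/16", "vgw-0ee55ff66aa77bb88"),
    ("10.1.0.0/16", "pcx-0cc99dd00ee11ff22"),
]
NACL = [  # (rule number, protocol, from_port, to_port, CIDR, action); lowest number wins
    (100, "tcp", 22, 22, "203.0.113.0/24", "deny"),
    (200, "-1", 0, 65535, "0.0.0.0/0", "allow"),
]
SECURITY_GROUPS = {  # ingress rules only: (protocol, from_port, to_port, CIDR)
    "sg-web": [("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, "0.0.0.0/0")],
    "sg-admin": [("tcp", 22, 22, "0.0.0.0/0"), ("tcp", 3389, 3389, "192.168.0.0/16")],
}
INSTANCE = {"instance_id": "i-0abc123def456789a", "security_groups": ["sg-web", "sg-admin"]}


def subtract(nets, cidr):
    """Remove `cidr` from a list of networks (two CIDRs either nest or are disjoint)."""
    out = []
    for n in nets:
        if n.subnet_of(cidr):
            continue
        out.extend(n.address_exclude(cidr) if cidr.subnet_of(n) else [n])
    return out


def exposure_paths(route_table):
    """Yield (origin label, source networks, gateway) for each non-local route.
    Internet sources exclude RFC 1918 space, which cannot arrive through an IGW."""
    for dest, target in route_table:
        for prefix, label in ORIGIN_BY_PREFIX.items():
            if target.startswith(prefix):
                sources = [ipaddress.ip_network(dest)]
                if prefix == "igw-":
                    for p in PRIVATE:
                        sources = subtract(sources, p)
                yield label, sources, target


def port_matches(proto, lo, hi, port):
    return proto in ("-1", "tcp") and lo <= port <= hi


def nacl_allowed(nacl, port, sources):
    """Parts of `sources` the NACL admits on `port`, plus the allow rules used.
    Rules are evaluated in ascending number; the first rule covering an address decides it."""
    remaining, allowed, rules = list(sources), [], []
    for num, proto, lo, hi, cidr, action in sorted(nacl):
        if not remaining or not port_matches(proto, lo, hi, port):
            continue
        net = ipaddress.ip_network(cidr)
        hits = [r for r in remaining if r.overlaps(net)]
        if not hits:
            continue
        if action == "allow":
            allowed += [r if r.subnet_of(net) else net for r in hits]
            rules.append(num)
        remaining = subtract(remaining, net)
    return allowed, rules


def sg_allows(sgs, instance, port, nets):
    """Security groups are allow-only: any attached rule overlapping an admitted net opens the port."""
    for sg_id in instance["security_groups"]:
        for proto, lo, hi, cidr in sgs[sg_id]:
            rule_net = ipaddress.ip_network(cidr)
            if port_matches(proto, lo, hi, port) and any(n.overlaps(rule_net) for n in nets):
                return sg_id, cidr
    return None


def reachable(instance, port, route_table=ROUTE_TABLE, nacl=NACL, sgs=SECURITY_GROUPS):
    """One finding per origin from which `port` is reachable, with the allowing path."""
    findings = []
    for origin, sources, gateway in exposure_paths(route_table):
        admitted, rules = nacl_allowed(nacl, port, sources)
        hit = sg_allows(sgs, instance, port, admitted) if admitted else None
        if hit:
            findings.append({"instance": instance["instance_id"], "port": port,
                             "reachable_from": origin, "via": gateway,
                             "security_group": hit[0], "sg_cidr": hit[1], "nacl_rules": rules})
    return findings


if __name__ == "__main__":
    for p in (22, 80, 3389, 8080):
        print(p, reachable(INSTANCE, p))
```

With the sample data, port 22 is reported as reachable from the Internet, the VPN and the peered VPC through sg-admin (the "SSH open to the Internet" case on the slide), while RDP on 3389 is only reachable over the VPN because its security group rule covers a private range.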
EC2 Host assessment (Amazon Inspector)
Using an agent installed on the EC2 instance, Amazon Inspector can assess:
• Vulnerabilities in software (CVEs)
• Host hardening guidelines (CIS Benchmarks)
• AWS security best practices
How does Amazon Macie work?
How does AWS Security Hub work?
Getting started with AWS Security Hub
AWS Security Hub – Partner Integrations
Integration categories: firewalls, vulnerability management, SOAR, SIEM, endpoint, compliance, MSSP, other
AWS Security Hub – Insights
AWS Security Hub – Compliance Checks (CIS AWS Foundations Benchmark)
AWS Shield
A managed DDoS protection service. There are two tiers of AWS Shield:
• AWS Shield Standard
• AWS Shield Advanced
AWS Shield Advanced – DDoS attack threats and trends: network / transport layer DDoS
AWS Shield detects and mitigates thousands of DDoS attacks daily.
Source: AWS Global Threat Dashboard (available to AWS Shield Advanced customers)
AWS Shield Standard & Advanced
AWS Shield Standard: built-in DDoS protection for everyone.
AWS Shield Advanced adds:
• Enhanced protection
• DDoS expertise: 24x7 access to the DDoS Response Team (DRT)
• Visibility & compliance: CloudWatch metrics, attack diagnostics, global threat environment dashboard
• Economic benefits: AWS WAF at no additional cost for protected resources, AWS Firewall Manager at no additional cost, cost protection for scaling (credits for DDoS-driven usage spikes)
Protecting Your Applications Using AWS WAF
Threats addressed: application vulnerabilities, bots & scrapers, HTTP flood
AWS Web Application Firewall (WAF): popular deployment modes
1. Custom rules
2. Managed Rules
3. Security automation
Or use any combination of the above…
AWS Web Application Firewall (WAF): deploy in 3 easy steps
1. Find rules on the AWS WAF console or AWS Marketplace
2. Click and subscribe
3. Associate the rules in AWS WAF (through a web ACL attached to your resource)
Automatic blocking of suspicious hosts using Amazon GuardDuty and AWS WAF: the remote addresses reported in GuardDuty findings are added to a WAF IP set that a block rule references.
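An added example, not code from this deck, of the data handling such a function needs before it calls the WAF API: normalising the addresses taken from findings (remoteIpDetails) to the CIDR form IP sets require, refusing to block private addresses or your own egress address, expiring stale entries, enforcing the per-set cap and splitting IPv4 from IPv6 because an IP set holds one address family. It targets the WAFv2 API (update_ip_set with a LockToken); the never-block list, the 7-day expiry and the 10,000-address cap are assumptions, and the findings and state below are constructed sample data.

```python
"""Maintain an AWS WAF IP set block list from GuardDuty remote addresses.

Added example, not code from the deck. It turns the attacker addresses that
GuardDuty findings report into the address lists for WAF IP sets, the step a
Lambda function performs before calling wafv2.update_ip_set(). The never-block
list, the expiry and the cap are illustrative settings, not AWS defaults.
"""
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

MAX_ADDRESSES = 10_000  # assumed per-IP-set quota; check the current WAF quotas for your Region
# Addresses that must never be blocked: private space, loopback, and an assumed
# NAT/egress address of your own (a finding about your own scanner would
# otherwise cut off your own traffic).
NEVER_BLOCK = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "203.0.113.10/32")]


def to_host_cidr(raw: str) -> Optional[str]:
    """Normalize a bare address to the CIDR form WAF IP sets require (/32 or /128).
    Returns None for unparsable or never-block addresses."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if any(ip in net for net in NEVER_BLOCK if net.version == ip.version):
        return None
    return f"{ip}/{32 if ip.version == 4 else 128}"


def merge_blocklist(state: Dict[str, str], new_ips: Iterable[str], now: datetime,
                    ttl: timedelta = timedelta(days=7), cap: int = MAX_ADDRESSES
                    ) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return (updated state, addresses per IP set).

    `state` maps CIDR -> ISO timestamp of first sighting and is what the Lambda
    persists between runs (e.g. in DynamoDB). Entries older than `ttl` expire,
    duplicates collapse, and when the cap is exceeded the oldest entries are
    dropped first. IPv4 and IPv6 come back as two lists for two IP sets.
    """
    updated = {cidr: ts for cidr, ts in state.items()
               if now - datetime.fromisoformat(ts) < ttl}
    for raw in new_ips:
        cidr = to_host_cidr(raw)
        if cidr and cidr not in updated:
            updated[cidr] = now.isoformat()
    by_version: Dict[str, List[str]] = {"IPV4": [], "IPV6": []}
    for cidr in sorted(updated, key=lambda c: updated[c], reverse=True):  # newest first
        key = "IPV4" if ipaddress.ip_network(cidr).version == 4 else "IPV6"
        if len(by_version[key]) < cap:
            by_version[key].append(cidr)
        else:
            del updated[cidr]  # over the cap: drop the oldest
    return updated, {k: sorted(v) for k, v in by_version.items()}


def update_ip_set_kwargs(name: str, ip_set_id: str, lock_token: str, addresses: List[str],
                         scope: str = "REGIONAL") -> dict:
    """Keyword arguments for boto3's wafv2.update_ip_set(); the LockToken comes
    from the preceding get_ip_set() call and makes the update optimistic, so two
    concurrent Lambda invocations cannot silently overwrite each other."""
    return {"Name": name, "Scope": scope, "Id": ip_set_id,
            "Addresses": addresses, "LockToken": lock_token}


# Constructed sample run (not real findings).
NOW = datetime(2019, 3, 1, 12, 0, tzinfo=timezone.utc)
EXISTING_STATE = {
    "198.51.100.45/32": (NOW - timedelta(days=2)).isoformat(),   # still fresh
    "192.0.2.99/32": (NOW - timedelta(days=10)).isoformat(),     # expired
}
FINDING_IPS = ["198.51.100.23", "198.51.100.23", "2001:db8::1",   # duplicate, IPv6
               "192.168.1.5", "203.0.113.10", "not-an-ip"]         # private, own egress, garbage

if __name__ == "__main__":
    state, sets = merge_blocklist(EXISTING_STATE, FINDING_IPS, NOW)
    print(sets)
    print(update_ip_set_kwargs("guardduty-blocklist-v4", "00000000-0000-0000-0000-000000000000",
                               "lock-token-from-get_ip_set", sets["IPV4"]))
```

The expiry matters more than it looks: GuardDuty reports addresses, not attribution, and a consumer IP that was malicious last week is somebody else's this week, so a block list that only ever grows ends up blocking legitimate users.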
AWS Firewall Manager Key Benefits
Simplified management of WAF rules
• Integrated with AWS Organizations
• Centrally managed global rules, and account-specific rules
Ensure compliance to WAF rules
• Ensure the entire Organization adheres to a mandatory set of rules
• Apply protection even when new accounts or resources are created
Central visibility across the Organization
• Central visibility of WAF threats across the Organization
• Compliance dashboard to audit firewall status
• An organization's InfoSec team learns and operates WAF instead of each account owner
AWS Firewall Manager Key Benefits
Enable rapid response to Internet attacks at scale
• Security administrators have a single console to receive real-time threat information and respond within minutes
• Quickly apply WAF rules for a new CVE (virtual patching) across all applications in your Organization, or block malicious IP addresses detected by GuardDuty across the entire Organization
Automate with integrated services
Automated threat remediation across the Organization: a GuardDuty finding is published as a CloudWatch Event; a CloudWatch Events rule (event pattern or scheduled, time-based) triggers an AWS Lambda function, which updates a rule managed by AWS Firewall Manager, and Firewall Manager pushes that rule to AWS WAF in every account in scope.
Amazon GuardDuty finding -> Amazon CloudWatch Events rule -> AWS Lambda function -> AWS Firewall Manager -> AWS WAF
Typical Use Cases (AWS Firewall Manager + AWS WAF)
Deploy OWASP rules for PCI compliance
• PCI DSS 3.0 Requirement 6 (6.6) suggests customers deploy a WAF, with rules such as the OWASP Top 10
• Subscribe to Managed Rules from the AWS Marketplace
• Ensure the OWASP rule is applied across all PCI-tagged resources
@AWSSecurityInfo
https://aws.amazon.com/blogs/security
Save the date: 27.03.2019
Thank you!
Shllomi Ezra
Shllomie@amazon.com
URL: http://bit.ly/2SB3cS5
@Shllomi

AWS Layered Security Solutions | AWS Summit Tel Aviv 2019

  • 1.
  • 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Layered Security Services S K L 3 0 3 Shllomi Ezra Business Development Manager AWS Security Services
  • 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda Introduction AWS Layered Security Services ReInforce
  • 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Why is security traditionally so hard? Lack of visibility Low degree of automation
  • 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. ORMove fast Stay secure Before…
  • 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. ORANDMove fast Stay secure Now…
  • 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Layered Security Services Protect Detect Respond Automate Investigate RecoverIdentify AWS Systems Manager AWS Config AWS Lambda Amazon CloudWatch Amazon Inspector Amazon Macie Amazon GuardDuty AWS Security Hub AWS IoT Device Defender AWS Key Management Service AWS Identity and Access Management (IAM) AWS Single Sign-On Snapshot Archive AWS CloudTrail Amazon CloudWatch Amazon VPC AWS WAF AWS ShieldAWS Secrets Manager AWS Firewall Manager Detect Protect
  • 11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Layered Security Services Amazon Inspector Amazon Macie Amazon GuardDuty AWS Security Hub AWS WAF AWS Shield AWS Firewall Manager Perimeter Protection External Security Services
  • 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How does Amazon GuardDuty work? Easy One-Click Activation without Architectural or Performance Impact
  • 14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How does Amazon GuardDuty work? No Agents, No Sensors, No Network Appliances
  • 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How does Amazon GuardDuty work? Instant On Provides Findings in Minutes
  • 16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How does Amazon GuardDuty work? VPC flow logs DNS Logs CloudTrail Events HIGH MEDIUM LOW FindingsData Sources Threat Detection Types Threat intelligence Anomaly Detection (ML) Bitcoin Mining Instance Compromise Account Compromise Total of 47 detections AWS Security Hub SIEM Respond Amazon GuardDuty
  • 17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate with integrated services CloudWatch Event Lambda GuardDuty Finding Automated threat remediation Amazon GuardDuty Amazon CloudWatch AWS Lambda Lambda function Event (time-base)
  • 18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Layered Security Services Amazon Inspector Amazon Macie Amazon GuardDuty AWS Security Hub AWS WAF AWS Shield AWS Firewall Manager Perimeter Protection External Security Services √ √ √
  • 21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Inspector Automated security assessment service to help improve the security and compliance of applications deployed on AWS
  • 23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Network Reachability Assessments Agentless network assessments Find externally accessible EC2 instances (internet, VPN, peering). (ex. SSH open to internet) Enhanced - with agent (optional) Using Agent, customer will get information about software listening on the ports. Amazon Inspector
  • 24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How to use Amazon Inspector? Configure assessmen t Run assessmen t Findings Remediation Inspector Partners • SIEM • Reporting • Ticketing Vulnerability; Resource affected; Recommendation Take Action 1-Click
  • 25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate use of findings Findings Vulnerability; Resource affected; Recommendation EC2 Run Command Amazon Simple Notification Service AWS Lambda Run command
  • 26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Network Reachability – key features Avoid complexity and impact of scanners Actionable insights Validate and fix your AWS Networking configuration Shows all open paths (Internet, VPN, etc.)
  • 27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Network Reachability Findings Amazon Inspector findings show: WHERE is a port is reachable from? • Internet via IGW (including instances behind ELB/ALB) • VPN or DX via VGW • Peered VPC HOW is this allowed? • Security Group • VPC: Subnet, NACL, IGW, etc. Which process is listening on port [With optional agent] • Process name & process id • Binary / executable Amazon Inspector
  • 28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How does it work? Amazon Inspector analyzes AWS network configuration to find what is reachable? List of resources analyzed: • Security Groups • VPCs • Network interfaces • Subnets • Network ACLs • Route tables • Elastic load balancers • Application load balancers • Internet gateways • Virtual private gateways • Direct Connect • VPC peering connections
  • 29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. EC2 Host assessment Using an Agent installed on EC2, Amazon Inspector can assess: • Vulnerabilities in software (CVE) • Host hardening guidelines (CIS Benchmark) • AWS Security best practices. Amazon Inspector
  • 30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Layered Security Services Amazon Inspector Amazon Macie Amazon GuardDuty AWS Security Hub AWS Shield √ √ √ √ √ √ AWS WAF AWS Firewall Manager Perimeter Protection External Security Services
  • 31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How does Amazon Macie work?
  • 33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How does Macie work?
  • 34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Layered Security Services Amazon Inspector Amazon Macie Amazon GuardDuty AWS Security Hub AWS Shield √ √ √ √ √ √ √ √ √ AWS WAF AWS Firewall Manager Perimeter Protection External Security Services
  • 35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How does AWS Security Hub work?
  • 37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Getting Started - AWS Security Hub work?
  • 38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Security Hub – Partner Integrations
  • 39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Security Hub – Partner Integrations Firewalls Vulnerability SOAR SIEM Endpoint Compliance MSSP Other
  • 40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Security Hub – Insights
  • 41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Security Hub – Compliance Checks (CIS)
  • 42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Layered Security Services Amazon Inspector Amazon Macie Amazon GuardDuty AWS Security Hub AWS Shield √ √ √ √ √ √ √ √ √ √ √ AWS WAF AWS Firewall Manager Perimeter Protection External Security Services
  • 44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 47. AWS Shield: A Managed DDoS Protection Service. There are two tiers of AWS Shield: • AWS Shield Standard • AWS Shield Advanced
  • 48. AWS Shield Advanced - DDoS Attack Threats and Trends: Network / Transport Layer DDoS
  • 49. DDoS Threats and Trends: AWS Shield detects and mitigates thousands of DDoS attacks daily. Source: AWS Global Threat Dashboard (available to AWS Shield Advanced customers)
  • 50. AWS Shield Standard: Built-in DDoS Protection for Everyone; DDoS Expertise
  • 51. AWS Shield Standard & Advanced: Built-in DDoS Protection for Everyone; Enhanced Protection; 24x7 access to the DDoS Response Team (DRT); CloudWatch Metrics; Attack Diagnostics; Global threat environment dashboard; DDoS Expertise; Visibility & Compliance; Economic Benefits (AWS WAF at no additional cost for protected resources, AWS Firewall Manager at no additional cost, Cost Protection for scaling)
  • 52. Layered Security Services (coverage matrix): Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS Shield, AWS WAF, AWS Firewall Manager; columns: Perimeter Protection, External Security Services
  • 54. Protecting Your Applications Using AWS WAF: Application Vulnerabilities; Bots & Scrapers; HTTP Flood
  • 55. AWS Web Application Firewall (WAF): Popular deployment modes: 1. Custom Rules 2. Managed Rules 3. Security Automation, or use any combination of the above …
  • 58. AWS Web Application Firewall (WAF): Deploy in 3 easy steps: Find rules on the AWS WAF console or AWS Marketplace; Click and subscribe; Associate rules in AWS WAF
  • 61. Automatic blocking of suspicious hosts using Amazon GuardDuty and AWS WAF.
  • 62. Layered Security Services (coverage matrix): Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS Shield, AWS WAF, AWS Firewall Manager; columns: Perimeter Protection, External Security Services
  • 64. AWS Firewall Manager Key Benefits: Simplified Management of WAF Rules (integrated with AWS Organizations; centrally managed global rules and account-specific rules); Ensure Compliance to WAF Rules (ensure the entire Organization adheres to a mandatory set of rules; apply protection even when new accounts or resources are created); Central Visibility Across Organization (central visibility of WAF threats across the Organization; compliance dashboard to audit firewall status). An organization's InfoSec team learns and operates WAF instead of each account owner.
  • 65. AWS Firewall Manager Key Benefits: Enable Rapid Response to Internet Attacks at scale. Security administrators have a single console to receive real-time threats and respond within minutes: quickly apply CVE patches across all applications in your Organization, or block malicious IP addresses detected by GuardDuty across the entire Organization.
  • 66. Automate with integrated services: Automated threat remediation: GuardDuty Finding → CloudWatch Event → Lambda function → AWS Firewall Manager → AWS WAF; a time-based CloudWatch Event can also trigger the Lambda function (Amazon GuardDuty, Amazon CloudWatch, AWS Lambda, AWS Firewall Manager, AWS WAF)
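The GuardDuty-to-WAF remediation flow on slides 61 and 66, as an added example in Python that is not part of the deck: a Lambda handler pulls the remote IP addresses out of a GuardDuty finding event delivered by CloudWatch Events and merges them into an AWS WAF (wafv2) IP set. The event field names follow the GuardDuty finding schema; the IP set name and id, the severity threshold and the allowlist are assumptions, and the sample event is constructed.

```python
import ipaddress

# Constructed sample event, shaped like a GuardDuty finding delivered by CloudWatch Events.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 5.0,
        "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {
            "portProbeDetails": [
                {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},
                {"remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}]}}},
    },
}
# Never block these ranges (RFC 1918, loopback, link-local); the TEST-NET sample IPs stay blockable.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def remote_ips(finding):
    """Collect remote IPv4 addresses from a finding's network-connection or port-probe action."""
    action = finding.get("service", {}).get("action", {})
    ips = []
    if "networkConnectionAction" in action:
        ips.append(action["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"])
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        ips.append(probe["remoteIpDetails"]["ipAddressV4"])
    return ips

def blocklist_update(event, current, min_severity=4.0, allowlist=()):
    """New IP-set address list: skip low-severity findings and local/allowlisted nets; idempotent."""
    finding = event.get("detail", {})
    if event.get("detail-type") != "GuardDuty Finding" or finding.get("severity", 0) < min_severity:
        return list(current)
    skip = LOCAL_NETS + [ipaddress.ip_network(a) for a in allowlist]  # allowlist is a hypothetical knob
    updated = list(current)
    for ip in remote_ips(finding):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in skip):
            continue
        cidr = f"{addr}/32"
        if cidr not in updated:  # WAF IP sets hold CIDR strings; re-adding is a no-op
            updated.append(cidr)
    return updated

def handler(event, context, client=None):  # Lambda entry point; client is injectable for tests
    import boto3  # assumption: a wafv2 REGIONAL IP set identified by the placeholder values below
    client = client or boto3.client("wafv2")
    ident = {"Name": "guardduty-blocklist", "Scope": "REGIONAL", "Id": "PLACEHOLDER-IP-SET-ID"}
    resp = client.get_ip_set(**ident)  # the LockToken gives optimistic locking on the write-back
    addresses = blocklist_update(event, resp["IPSet"]["Addresses"])
    client.update_ip_set(Addresses=addresses, LockToken=resp["LockToken"], **ident)
    return {"blocked": len(addresses)}
```

The pure `blocklist_update` step can be unit-tested offline; only `handler` touches the WAF API, and a stale `LockToken` on `update_ip_set` means another writer changed the set first, so the Lambda should simply re-read and retry.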
  • 67. Typical Use Cases: Deploy OWASP rules for PCI compliance • PCI DSS 3.0 Requirement 6 suggests customers deploy a WAF, with rules like the OWASP Top 10 • Subscribe to Managed Rules from AWS Marketplace • Ensure the OWASP rule is applied across all PCI-tagged resources (AWS Firewall Manager, AWS WAF)
  • 68. Layered Security Services (coverage matrix): Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS Shield, AWS WAF, AWS Firewall Manager; columns: Perimeter Protection, External Security Services
  • 71. @AWSSecurityInfo
  • 72. https://aws.amazon.com/blogs/security
  • 76. Save the date: 27.03.2019
  • 77. Thank you! Shllomi Ezra, Shllomie@amazon.com, URL: http://bit.ly/2SB3cS5, @Shllomi