© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
June 14, 2017
Deploy a DoD Secure Cloud Computing Architecture
Environment in AWS
Jim Caggy
Manager, DoD Solutions, Amazon Web Services
AWS accreditations and authorizations in DoD
• AWS has achieved FedRAMP HIGH in the AWS GovCloud (US) Region
• DoD Provisional Authorizations (PA) for IL4 under the DoD Cloud Security Requirements Guidance
• DoD PA for IL5 – Soon!
• Connectivity to DODIN on both the East Coast and West Coast
• NIPRNET/DREN-connected Amazon Virtual Private Clouds since 2014
DoD Secure Cloud Computing Architecture
• DoD Secure Cloud Computing Architecture (SCCA) Functional Requirements Document (FRD)
• Released March 9, 2017
• Replaces the Draft CAP FRD
• Provides implementation flexibility
• Freedom to architect and manage as a shared services enclave
DoD SCCA component functional requirements
Virtual Data Center Security Stack (VDSS)
Provides network and application security capabilities, such as an application-aware firewall and/or intrusion prevention system.
Virtual Data Center Management Stack (VDMS)
Provides system support services for mission owner environments (AD/LDAP, DNS, Patch Repos). Potentially CSSP offerings as well.
Trusted Cloud Credential Manager (TCCM)
An individual or entity appointed by the Authorizing Official to establish policies for controlling privileged user access to connect Virtual Private Clouds to DISN and for administering cloud services.
Cloud Access Point (CAP)
Provides network access to the cloud and boundary protection of DISN from the cloud.
DoD SCCA FRD recommended leveraged services model
Virtual Data Center Security Stack (VDSS)
Leveraged network and application security services:
• WAF - application-aware firewall
• Network intrusion prevention/detection system
• Network firewall w/ full packet capture
• Network flow logs
Virtual Data Center Management Stack (VDMS)
Leveraged infrastructure management support services:
• ACAS / Vulnerability scanning
• HBSS / Endpoint protection
• AD / LDAP / SSO / OCSP
• DHCP / DNS / NTP
• Patching services
• Log management
Moving 3-tier web app to AWS
[Diagram: the production and COOP data centers (FW, LB, WEB, APP, DB tiers) mapped onto an Amazon Virtual Private Cloud (VPC) in an AWS Region with two Availability Zones; each Availability Zone holds a DMZ subnet (web servers), an App subnet (app servers) and a Database subnet (primary and secondary DB servers with synchronous replication), with the web and app tiers in auto scaling groups behind security groups.]
Mapping of data center components to AWS:
• Data Center → Availability Zone (AZ)
• VLAN → Subnet
• Server/VM → EC2 instance
• FW → Security group
• Load Balancer → ELB
Architectural features & AWS services
[Diagram: the two-Availability-Zone VPC layout (DMZ, App and Database subnets per Availability Zone, auto scaling groups, security groups, synchronous database replication).]
Amazon VPC
• Your private network within AWS
AWS security groups (SG)
• Host firewalls
• Network isolation at the host
AWS network ACLs (NACL)
AWS routing tables
• Network isolation at subnet
Multi-Availability Zones (AZs)
AWS Elastic Load Balancing (ELB)
AWS Auto Scaling Groups (ASG)
• High availability & failover
• Elasticity & scalability
• Synchronous replication capable
AWS storage & database services
[Diagram: the two-Availability-Zone VPC layout (DMZ, App and Database subnets per Availability Zone, auto scaling groups, security groups, synchronous database replication).]
Amazon Simple Storage Service (S3)
• Highly durable object store
Amazon Elastic Block Store (EBS)
• Durable high speed storage for your servers
• 1:1 – EBS:Server/Instance
Amazon Elastic File System (EFS)
• Durable high-speed shared files system
• 1:Many – EFS:Servers/Instances
Amazon Relational Database Service (RDS)
• Fully managed database service
AWS log management & automation services
[Diagram: the two-Availability-Zone VPC layout (DMZ, App and Database subnets per Availability Zone, auto scaling groups, security groups, synchronous database replication).]
Amazon CloudWatch
• CloudWatch Logs – AWS, O/S, & app logs
• CloudWatch Alarms – monitoring & alerting
AWS CloudTrail
• Collection & logging of all AWS API calls
AWS Config
• Point-in-time snapshots of AWS configuration
AWS CloudFormation
• Define & deploy configuration as code
AWS supporting services
[Diagram: the two-Availability-Zone VPC layout, with connectivity elements labelled VPG, Direct Connect, Co-Location, CAP, CND, DoDIN and IAP.]
Log management, analysis, & alerting
• AWS CloudTrail
• Amazon CloudWatch
• Amazon VPC Flow Logs
Configuration management & visibility
• AWS Config
• AWS Management Console
Backup
• Amazon Simple Storage Service (S3)
• Amazon Glacier
Identity and access management
• AWS Identity and Access Management (IAM)
Review your existing infrastructure components
[Diagram: production and COOP data centers, each with FW, LB, WEB, APP and DB tiers plus a SERVICES block.]
Services present in each data center:
• AD or LDAP
• NTP & DNS
• Bastion Host
• HBSS (AV)
• ACAS (VS)
• LOG MGMT
• SIEM
• Backup
In addition to application & networking requirements, we need to address these services!
How do we address these infrastructure needs? → SCCA
[Diagram: the two-Availability-Zone VPC layout, with connectivity elements labelled VPG, Direct Connect, Co-Location, CAP, CND, DoDIN and IAP, and the following services to be provided:]
Web application firewall
Network firewall – Full packet capture
Network intrusion detection/prevention
ACAS – Vulnerability scanning
HBSS – Endpoint protection
AD / SSO / LDAP / OCSP
DNS / NTP / DHCP
Log management / SIEM
Patching services
SCCA architecture approach in AWS
[Diagram: the Mission Owner Virtual Private Cloud (VPC) in the GovCloud Region, with the two-Availability-Zone DMZ/App/Database layout, connected through VGWs to Direct Connect, Co-Location, CAP, CND, DoDIN, IAP and the Internet.]
Virtual Data Center Security Stack (VDSS), deployed across Availability Zone A and Availability Zone B:
• Network Firewall Services
• Network Intrusion Detection/Prevention Services
• Full Packet Capture Services
• Web Application Firewall Services
Virtual Data Center Management Stack (VDMS), deployed across Availability Zone A and Availability Zone B:
• ACAS / Vulnerability Scanning Services
• HBSS / Endpoint Protection Services
• AD / DNS / SSO / OCSP / DHCP Services
• Other Shared Services
Security is Job Zero for Amazon Web Services
Amazon is responsible for:
• Physical security
• Network security
• Platform security
• People and processes
But security in AWS is your job too!
You are responsible for the security of your:
• Amazon machine image
• Operating system
• Applications
• Application credentials
• Access control
• Policies and configuration
But security in AWS is your job too!
You are ALSO responsible for YOUR USE of AWS services:
• Selection and application
• Configuration and use
WE are here to HELP with:
• AWS best practices
• Whitepapers and configuration guides
• Training and labs
• Compliance accelerators and templates
[Icons: Amazon S3, Amazon VPC, AWS CloudTrail, IAM]
Security IN the Cloud
• Resource visibility
• Identity and access management
• Logging and auditing
• Security through automation
• Network security
• Compliance through automation
Resource visibility
• How often do you map your network?
• What’s in your network right now?
Identity and access management
• Who has access to your infrastructure?
• What accounts exist on all the various components of the infrastructure?
AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users.
Using IAM, you can create and manage AWS users, groups, and roles.
Use permissions (policies) to allow and deny users, groups, and roles access to AWS resources.
IAM best practices
• Lock away your AWS account (root) access keys
• Create individual IAM users
• Use groups to assign permissions to IAM users
• Configure a strong password policy for your users
• Enable MFA for privileged users
• Delegate by using roles instead of by sharing credentials
• Rotate credentials regularly
IAM best practices
• Grant least privilege with IAM policies
• Use roles for applications that run on Amazon EC2
instances
• Remove unnecessary credentials
• Use policy conditions for extra security
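One way to audit policy documents against the practices in these two lists (least privilege, policy conditions, MFA for privileged users), as an added example that is not from the deck; the two policy documents, the account ID and the set of actions treated as privileged are constructed for illustration:

```python
"""Check IAM policy documents against the best practices listed above.

Added example (not from the AWS deck): the policies below are constructed
for illustration. The checks flag wildcard actions and resources, and
privileged statements that carry no MFA condition.
"""
import json

# Actions treated as privileged for this example (an assumption, not an AWS list).
PRIVILEGED_PREFIXES = ("iam:", "ec2:TerminateInstances", "s3:DeleteBucket")

# Condition keys that tie a grant to an MFA-authenticated session.
MFA_KEYS = {"aws:MultiFactorAuthPresent", "aws:MultiFactorAuthAge"}


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(statement):
    """True if any Condition operator block in the statement tests an MFA key."""
    for operator_block in statement.get("Condition", {}).values():
        if MFA_KEYS & set(operator_block):
            return True
    return False


def _is_privileged(action):
    return action == "*" or action.endswith(":*") or action.startswith(PRIVILEGED_PREFIXES)


def audit_policy(policy):
    """Return (statement_index, finding) tuples for every Allow statement
    that violates one of the practices above."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions or any(a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action: grants more than least privilege"))
        if "*" in resources:
            findings.append((i, "wildcard resource: scope the statement to specific ARNs"))
        if any(_is_privileged(a) for a in actions) and not _has_mfa_condition(stmt):
            findings.append((i, "privileged action without an MFA condition"))
    return findings


# Constructed "before" policy: the broad grant the slides warn against.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

# Constructed "after" policy: scoped actions and ARNs (GovCloud partition),
# placeholder account ID, and MFA required for the IAM key-management grant.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws-us-gov:s3:::example-logs-bucket",
                  "arn:aws-us-gov:s3:::example-logs-bucket/*"]},
    {"Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
     "Resource": "arn:aws-us-gov:iam::123456789012:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy))
```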
Auditing
• Who is accessing your resources and what are they doing with them?
Auditing: Use AWS CloudTrail to track API calls
Increase your visibility of what happened in your AWS environment
• CloudTrail will record API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Be notified of log file delivery using Amazon Simple Notification Service
• Support for many AWS services, including EC2, EBS, VPC, RDS, IAM, AWS STS, and Amazon Redshift
• Aggregate log information into a single S3 bucket
Out-of-the-box integration with log analysis tools from AWS partners, including Splunk, Alert Logic, and Sumo Logic
Amazon VPC
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define.
Use cases enabled by VPC
Extending DODIN: Bring your own NIPRNET/DREN IP space into AWS
Communicate with other Amazon VPCs: Use VPC peering to communicate across the AWS network infrastructure
Layered security: Use subnets, route tables, and NACLs to control access to your resources
VPC defense in depth for the endpoint
• VPC network access control lists (ACLs):
  • (Optional) layer of security that acts as a stateless firewall for controlling traffic in and out of a subnet
  • Port/protocol defined with Action (Allow/Deny)
• Security groups:
  • Stateful virtual firewall applied to an instance (e.g., EC2, ELB)
  • Traffic must be explicitly specified by protocol, port, and security group
  • Can reference other security group(s) in Inbound Source and/or Outbound Destination
• OS Firewall (e.g., iptables) may be implemented:
  • Completely user-controlled security layer
  • Granular access control of discrete hosts
  • Logging network events
[Diagram: inbound traffic enters the Region and passes through the VPC Network ACLs, then the AWS Security Group, then the OS Firewall before reaching the EC2 instance.]
VPC Flow Logs
• See all of the traffic at your instances
• Visibility into effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
• At VPC, subnet, and ENI level
Sample CloudWatch Logs query:
[version, acct, eni, srcaddr, destaddr, srcport, destport=22, prot, packets, bytes, start, end, action=REJECT, status]
Sample flow log record (SSH traffic allowed):
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
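A parser that applies the query above to raw flow log records offline, as an added example rather than code from the deck; the records other than the slide's own sample are constructed, and the field order is assumed to be the default version 2 format that the query lists:

```python
"""Parse VPC Flow Log (version 2) records and apply the slide's filter
(destport=22, action=REJECT), then count rejected SSH flows per source.

Added example, not part of the AWS deck. The first record is the slide's
sample; the rest are constructed. Field order follows the default v2 format.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


@dataclass(frozen=True)
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    bytes: Optional[int]
    start: int
    end: int
    action: Optional[str]
    log_status: str


def _opt_int(token):
    return None if token == "-" else int(token)


def _opt_str(token):
    return None if token == "-" else token


def parse_record(line):
    """Parse one space-separated v2 record. NODATA/SKIPDATA records carry '-'
    in the traffic fields, so those become None instead of raising."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    t = dict(zip(FIELDS, tokens))
    return FlowRecord(
        version=int(t["version"]), account_id=t["account_id"],
        interface_id=t["interface_id"],
        srcaddr=_opt_str(t["srcaddr"]), dstaddr=_opt_str(t["dstaddr"]),
        srcport=_opt_int(t["srcport"]), dstport=_opt_int(t["dstport"]),
        protocol=_opt_int(t["protocol"]), packets=_opt_int(t["packets"]),
        bytes=_opt_int(t["bytes"]), start=int(t["start"]), end=int(t["end"]),
        action=_opt_str(t["action"]), log_status=t["log_status"],
    )


def load_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_ssh(records):
    """Equivalent of the slide's CloudWatch Logs query: destport=22 and action=REJECT."""
    return [r for r in records if r.dstport == 22 and r.action == "REJECT"]


def rejected_ssh_by_source(records):
    """Rejected SSH flows per source address: shows which sources the
    security group / NACL rules are actually blocking."""
    return Counter(r.srcaddr for r in rejected_ssh(records))


# Constructed sample: the slide's accepted SSH flow, two SSH rejects from one
# source, one rejected HTTPS flow, and a NODATA record for an idle interval.
SAMPLE_LOG = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 10.0.3.7 172.168.1.11 51022 22 6 3 180 1438530010 1438530070 REJECT OK
2 123456789010 eni-abc123de 10.0.3.7 172.168.1.11 51023 22 6 3 180 1438530070 1438530130 REJECT OK
2 123456789010 eni-abc123de 10.0.3.9 172.168.1.11 44010 443 6 5 320 1438530010 1438530070 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1438530130 1438530190 - NODATA
"""

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(f"{len(rejected_ssh(recs))} rejected SSH flows by source:",
          dict(rejected_ssh_by_source(recs)))
```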
VPC Flow Logs (Netflow)
[Diagram: VPC Flow Logs flowing to Amazon Elasticsearch Service via Amazon CloudWatch Logs subscriptions.]
DoD IL4/5 Web Application Reference Architecture
[Diagram (AWS – DoD Mission Owner): labelled elements include Co-Location, CAP/BCD, Direct Connect, DODIN/NIPRNET, Admin Access, User Access, Static Web Content/Logs/Snapshots, Region, Virtual Private Gateway, a CSSP-managed VDMS/CSSP Enclave with HBSS Server and ACAS Server, Private S3 Access, MISSION VLAN(S), IAP, CAP/CSSP Internal Routing, a BCD-managed VDSS, the Internet, and the DoD Mission Owner Application as two web application tiers, each with Pub and Priv subnets.]
Security through automation
• Is your infrastructure configured the way you intended?
• Can you verify it is still configured the way you intended?
Security through automation
Programmable infrastructure means that infrastructure can for the first time be scripted, code-reviewed, and checked into a source control system
– “Infrastructure as code” taken seriously can massively improve security posture
– SDL (secure development lifecycle) now applies to infrastructure
AWS CloudFormation
AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
Use cases enabled by CloudFormation
• Security templates: Start with a known good security configuration
• Infrastructure management: Manage collections of resources as stacks
• Audit: Compare what you do have to what you should have
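An audit of the kind the last bullet describes, run against a template before it is deployed and encoding the layered security-group guidance from the VPC slides, as an added example (not the Quick Start's templates or code); the three-tier template and its resource names are constructed:

```python
"""Audit the security groups in a CloudFormation template before deploying it.

Added example, not code from the deck or from the Quick Start packages. The
template below is a constructed three-tier stack in the deck's DMZ / App /
Database layout. The checks encode the VPC slides' guidance: internal tiers
reference the upstream tier's security group instead of a CIDR, and admin
ports are never open to 0.0.0.0/0.
"""
PUBLIC_WEB_PORTS = {80, 443}   # the only ports a DMZ group may accept from a CIDR
ADMIN_PORTS = {22, 3389}       # SSH / RDP: never from 0.0.0.0/0


def _ingress_rules(resource):
    return resource.get("Properties", {}).get("SecurityGroupIngress", [])


def _port_range(rule):
    """FromPort/ToPort may be absent (e.g. IpProtocol -1); treat that as all ports."""
    if "FromPort" not in rule or "ToPort" not in rule:
        return 0, 65535
    return int(rule["FromPort"]), int(rule["ToPort"])


def audit_template(template, dmz_groups):
    """Return findings as (logical_id, message). dmz_groups holds the logical
    IDs of security groups allowed to accept CIDR-sourced traffic on web ports."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in _ingress_rules(res):
            lo, hi = _port_range(rule)
            cidr = rule.get("CidrIp")
            if cidr is None:
                continue  # SourceSecurityGroupId: the SG-to-SG reference the slides recommend
            if cidr == "0.0.0.0/0" and any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append((logical_id, f"admin port in {lo}-{hi} open to 0.0.0.0/0"))
            elif logical_id not in dmz_groups:
                findings.append((logical_id,
                                 f"internal tier accepts {lo}-{hi} from CIDR {cidr}; "
                                 "reference the upstream tier's security group instead"))
            elif not set(range(lo, hi + 1)) <= PUBLIC_WEB_PORTS:
                findings.append((logical_id, f"DMZ group exposes non-web ports {lo}-{hi} to {cidr}"))
    return findings


# Constructed template: WebSG and DbSG each carry one weak rule on purpose.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "DMZ web tier", "VpcId": {"Ref": "VPC"},
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            ]}},
        "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "App tier", "VpcId": {"Ref": "VPC"},
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                 "SourceSecurityGroupId": {"Ref": "WebSG"}},
            ]}},
        "DbSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "Database tier", "VpcId": {"Ref": "VPC"},
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.0.0.0/16"},
            ]}},
    },
}

if __name__ == "__main__":
    for logical_id, message in audit_template(TEMPLATE, dmz_groups={"WebSG"}):
        print(f"{logical_id}: {message}")
```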
Compliance through automation
• How can you get your System ATO faster?
• Answer: Develop automation around your system build, artifact generation, and documentation.
• Are there any reference architectures available to automate the build of the DoD SCCA and the documentation process?
• Answer: Yes!
How does AWS make this easy?
The Enterprise Accelerator Compliance Quick Start
https://aws.amazon.com/quickstart
[Screenshot: AWS Enterprise Accelerator Quick Start website]
Enterprise Accelerator Quick Start Packages: What’s in the box?
• Architecture diagram
• Security Controls Matrix (SCM)
• AWS CloudFormation templates
• Deployment guide
[Screenshot: Security Controls Matrix]
[Screenshot: AWS Quick Start CloudFormation templates]
Templates
• CloudFormation templates
  – Customize and deploy through automation
• Templates deliver infrastructure as code
  – Each template deploys a resource stack
  – Templates can be managed and version controlled using source code repositories (e.g., GitHub)
Deployment options
• AWS Management Console
• CLI deployment
  – Deployment scripts included with package
• AWS Service Catalog (where available)
  – As a Service Catalog “Product”
Enlighten IT
DoD Tactical – Enterprise “Big Data” Analytics in AWS
Finding unique needles within piles of needles since 2012
Mission speed cyber security
Deployed three Big Data Platform (BDP) Analytic Clouds in two days
• Used Enlighten’s Rapid Analytic Deployment and Management Framework (RADMF.com) to speed the deployment
Utilize S3 and Amazon Glacier (COOP) storage environments
Utilize EMR for PCAP processing
Currently running 50+ analytics and data visualization capabilities
Ingested 50+ mission data types
Utilize AWS Snowball Edge for secure data transport from mission site
Received 300 TB of mission data in less than 90 days, on track for 1 PB
Accreditation success
Mission need drove accreditation timeline
Utilized existing accreditation packages where applicable
• BDP’s DIACAP ATO being converted to RMF
• AWS GovCloud FedRAMP High
Adapted to DAO’s requests
• VPCs
• Security controls around PCAP
• Whitelist IP access
• Continuous monitoring (log file analysis)
Completed SSP & CONOPS within two weeks
Thank You!

OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Public Sector Summit 2017

  • 1. Deploy a DoD Secure Cloud Computing Architecture Environment in AWS
    June 14, 2017
    Jim Caggy, Manager, DoD Solutions, Amazon Web Services
    © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 2. AWS accreditations and authorizations in DoD
    • AWS has achieved FedRAMP HIGH in the AWS GovCloud (US) Region
    • DoD Provisional Authorizations (PA) for IL4 under the DoD Cloud Security Requirements Guidance
    • DoD PA for IL5 – Soon!
    • Connectivity to DODIN on both the East Coast and West Coast
    • NIPRNET/DREN-connected Amazon Virtual Private Clouds since 2014
  • 3. DoD Secure Cloud Computing Architecture
    • DoD Secure Cloud Computing Architecture (SCCA) Functional Requirements Document (FRD)
    • Released March 9, 2017
    • Replaces the Draft CAP FRD
    • Provides implementation flexibility
    • Freedom to architect and manage as a shared services enclave
  • 4. DoD SCCA component functional requirements
    Virtual Data Center Security Stack (VDSS): Provides network and application security capabilities, such as an application-aware firewall and/or intrusion prevention system.
    Virtual Data Center Management Stack (VDMS): Provides system support services for mission owner environments (AD/LDAP, DNS, Patch Repos). Potentially CSSP offerings as well.
    Trusted Cloud Credential Manager (TCCM): An individual or entity appointed by the Authorizing Official to establish policies for controlling privileged user access to connect Virtual Private Clouds to DISN and for administrating cloud services.
    Cloud Access Point (CAP): Provides network access to the cloud and boundary protection of DISN from the cloud.
  • 5. DoD SCCA FRD recommended leveraged services model
    Virtual Data Center Security Stack (VDSS)
    Leveraged network and application security services:
    • WAF - application-aware firewall
    • Network intrusion prevention/detection system
    • Network firewall w/ full packet capture
    • Network flow logs
    Virtual Data Center Management Stack (VDMS)
    Leveraged infrastructure management support services:
    • ACAS / Vulnerability scanning
    • HBSS / Endpoint protection
    • AD / LDAP / SSO / OCSP
    • DHCP / DNS / NTP
    • Patching services
    • Log management
  • 6. Moving 3-tier web app to AWS
    [Diagram: production and COOP data centers (FW, web LB, WEB, APP, DB tiers) mapped onto an Amazon Virtual Private Cloud (VPC) in an AWS Region: DMZ, App, and Database subnets in Availability Zones A and B; web and app servers in auto scaling groups behind security groups; primary and secondary DB servers with synchronous replication. Legend: AZ = data center, subnet = VLAN, EC2 instance = server/VM, security group = FW, ELB = load balancer.]
  • 7. Architectural features & AWS services
    [Diagram: two-AZ VPC with DMZ, App, and Database subnets, auto scaling groups, security groups, and synchronous DB replication.]
    Amazon VPC
    • Your private network within AWS
    AWS security groups (SG)
    • Host firewalls
    • Network isolation at the host
    AWS network ACLs (NACL), AWS routing tables
    • Network isolation at subnet
    Multi-Availability Zones (AZs), AWS Elastic Load Balancing (ELB), AWS Auto Scaling Groups (ASG)
    • High availability & failover
    • Elasticity & scalability
    • Synchronous replication capable
  • 8. AWS storage & database services
    [Diagram: two-AZ VPC with DMZ, App, and Database subnets, auto scaling groups, security groups, and synchronous DB replication.]
    Amazon Simple Storage Service (S3)
    • Highly durable object store
    Amazon Elastic Block Store (EBS)
    • Durable high speed storage for your servers
    • 1:1 – EBS:Server/Instance
    Amazon Elastic File System (EFS)
    • Durable high-speed shared file system
    • 1:Many – EFS:Servers/Instances
    Amazon Relational Database Service (RDS)
    • Fully managed database service
  • 9. AWS log management & automation services
    [Diagram: two-AZ VPC with DMZ, App, and Database subnets, auto scaling groups, security groups, and synchronous DB replication.]
    Amazon CloudWatch
    • CloudWatch Logs – AWS, O/S, & app logs
    • CloudWatch Alarms – monitoring & alerting
    AWS CloudTrail
    • Collection & logging of all AWS API calls
    AWS Config
    • Point-in-time snapshots of AWS configuration
    AWS CloudFormation
    • Define & deploy configuration as code
  • 10. AWS supporting services
    [Diagram: the two-AZ VPC connected through a VPG and Direct Connect at a co-location facility to the CAP, CND, DoDIN, and IAP.]
    Log management, analysis, & alerting
    • AWS CloudTrail
    • Amazon CloudWatch
    • Amazon VPC Flow Logs
    Configuration management & visibility
    • AWS Config
    • AWS Management Console
    Backup
    • Amazon Simple Storage Service (S3)
    • Amazon Glacier
    Identity and access management
    • AWS Identity and Access Management (IAM)
  • 11. Review your existing infrastructure components
    [Diagram: production and COOP data centers, each with FW, web LB, WEB, APP, and DB tiers plus a SERVICES block: AD or LDAP, NTP & DNS, bastion host, HBSS (AV), ACAS (VS), log mgmt, SIEM, backup.]
    In addition to application & networking requirements, we need to address these services!
  • 12. How do we address these infrastructure needs? → SCCA
    [Diagram: the two-AZ VPC connected through a VPG and Direct Connect at a co-location facility to the CAP, CND, DoDIN, and IAP.]
    • Web application firewall
    • Network firewall – Full packet capture
    • Network intrusion detection/prevention
    • ACAS – Vulnerability scanning
    • HBSS – Endpoint protection
    • AD / SSO / LDAP / OCSP
    • DNS / NTP / DHCP
    • Log management / SIEM
    • Patching services
  • 13. SCCA architecture approach in AWS GovCloud Region
    [Diagram: Mission Owner Virtual Private Cloud (VPC) with the two-AZ web/app/database layout, reached from DoDIN through the IAP, CND, CAP, co-location Direct Connect, and a VGW; two shared-service VPCs, each spanning Availability Zones A and B with its own VGW, sit alongside it, and an Internet connection is also shown.]
    Virtual Data Center Security Stack (VDSS)
    • Network Firewall Services
    • Network Intrusion Detection/Prevention Services
    • Full Packet Capture Services
    • Web Application Firewall Services
    Virtual Data Center Management Stack (VDMS)
    • ACAS / Vulnerability Scanning Services
    • HBSS / Endpoint Protection Services
    • AD / DNS / SSO / OCSP / DHCP Services
    • Other Shared Services
  • 14. Security is Job Zero for Amazon Web Services
    Amazon is responsible for:
    • Physical security
    • Network security
    • Platform security
    • People and processes
  • 15. But security in AWS is your job too!
    You are responsible for the security of your:
    • Amazon machine image
    • Operating system
    • Applications
    • Application credentials
    • Access control
    • Policies and configuration
  • 16. But security in AWS is your job too!
    You are ALSO responsible for YOUR USE of AWS services:
    • Selection and application
    • Configuration and use
    WE are here to HELP with:
    • AWS best practices
    • Whitepapers and configuration guides
    • Training and labs
    • Compliance accelerators and templates
    [Icons: Amazon S3, Amazon VPC, AWS CloudTrail, IAM]
  • 17. Security IN the Cloud
    • Resource visibility
    • Identity and access management
    • Logging and auditing
    • Security through automation
    • Network security
    • Compliance through automation
  • 18. Resource visibility
    • How often do you map your network?
    • What’s in your network right now?
  • 19.
  • 20.
  • 21. Identity and access management
    • Who has access to your infrastructure?
    • What accounts exist on all the various components of the infrastructure?
  • 22. AWS Identity and Access Management (IAM)
    AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users.
    Using IAM, you can create and manage AWS users, groups, and roles.
    Use permissions (policies) to allow and deny users, groups, and roles access to AWS resources.
  • 23. IAM best practices
    • Lock away your AWS account (root) access keys
    • Create individual IAM users
    • Use groups to assign permissions to IAM users
    • Configure a strong password policy for your users
    • Enable MFA for privileged users
    • Delegate by using roles instead of by sharing credentials
    • Rotate credentials regularly
  • 24. IAM best practices
    • Grant least privilege with IAM policies
    • Use roles for applications that run on Amazon EC2 instances
    • Remove unnecessary credentials
    • Use policy conditions for extra security
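The least-privilege and policy-condition practices on slides 23 and 24 can be checked mechanically before a policy is attached. The script below is an added example, not code from the slides or from AWS: the two policy documents are constructed for illustration (the bucket name is made up), and the check names and the privileged-service prefix list are my own choices. It flags wildcard actions, wildcard resources with no condition, and privileged actions (IAM, STS, Organizations) that are not gated on an MFA condition.

```python
"""Static least-privilege checks for IAM policy documents.

Added example, not from the slides: the policies are constructed and the
checks are a starting point, not a complete policy linter.
"""
import json

# Constructed sample: the kind of policy the best practices warn against.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: scoped actions and resources, MFA required for IAM changes.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-logs-bucket",
                         "arn:aws:s3:::example-logs-bucket/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["iam:CreateUser", "iam:AttachUserPolicy"],
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
})

# Service prefixes whose write actions can change who has access to what (my list).
PRIVILEGED_PREFIXES = ("iam:", "sts:", "organizations:")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition):
    """True when the statement only applies if the caller authenticated with MFA."""
    bool_block = condition.get("Bool", {})
    return str(bool_block.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def _is_privileged(action):
    # "*" covers every privileged action as well.
    return action == "*" or action.startswith(PRIVILEGED_PREFIXES)


def find_policy_issues(policy_json):
    """Return a list of (statement_index, issue) pairs; an empty list means no findings."""
    issues = []
    doc = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        condition = stmt.get("Condition", {})
        if any(a == "*" or a.endswith(":*") for a in actions):
            issues.append((i, "wildcard action"))
        if "*" in resources and not condition:
            issues.append((i, "wildcard resource without a condition"))
        if any(_is_privileged(a) for a in actions) and not _requires_mfa(condition):
            issues.append((i, "privileged action without an MFA condition"))
    return issues


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_policy_issues(policy))
```

Run as a pre-commit check over the policy documents in the same repository that holds the CloudFormation templates, it turns "grant least privilege" from a review comment into a failing build.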
  • 25. Auditing
    • Who is accessing your resources and what are they doing with them?
  • 26. Auditing: Use AWS CloudTrail to track API calls
    Increase your visibility of what happened in your AWS environment
    • CloudTrail will record API calls and save logs in your S3 buckets, no matter how those API calls were made
    • Who did what and when and from what IP address
    • Be notified of log file delivery using Amazon Simple Notification Service
    • Support for many AWS services, including EC2, EBS, VPC, RDS, IAM, AWS STS, and Amazon Redshift
    • Aggregate log information into a single S3 bucket
    Out-of-the-box integration with log analysis tools from AWS partners, including Splunk, Alert Logic, and Sumo Logic
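The "who did what, when, and from what IP address" question on slide 26 is answered directly from the CloudTrail records delivered to S3. The following is an added example, not from the slides or from AWS: the records are constructed (account id, user names and IP addresses are made up) but use the CloudTrail record field names, and the watch-list of sensitive API calls is my own. Besides listing actions, it flags the three things an auditor of an SCCA enclave wants first: root account use, console logins without MFA, and calls that change the security posture.

```python
"""Summarise CloudTrail records and flag audit-relevant events.

Added example, not from the slides: records are constructed with the
CloudTrail record field names so the same code runs on a real log file.
"""
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-06-14T13:05:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-06-14T13:07:42Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2017-06-14T13:09:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2017-06-14T13:15:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
]})

# API calls that change the security posture (constructed watch-list; extend to taste).
SENSITIVE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "CreateUser", "AttachUserPolicy",
    "PutBucketPolicy", "StopLogging", "DeleteTrail",
}


def load_records(trail_json):
    return json.loads(trail_json)["Records"]


def actor(record):
    """A readable actor name: IAM user name, else the ARN, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def who_did_what(records):
    """(time, actor, event, source IP) for every record, in log order."""
    return [(r["eventTime"], actor(r), r["eventName"], r["sourceIPAddress"])
            for r in records]


def find_alerts(records):
    """Return (time, actor, reason) for findings an auditor should review."""
    alerts = []
    for r in records:
        when, who = r["eventTime"], actor(r)
        if r.get("userIdentity", {}).get("type") == "Root":
            alerts.append((when, who, "root account used"))
        if (r["eventName"] == "ConsoleLogin"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append((when, who, "console login without MFA"))
        if r["eventName"] in SENSITIVE_EVENTS:
            alerts.append((when, who, f"sensitive API call {r['eventName']}"))
    return alerts


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for row in who_did_what(recs):
        print(*row)
    for alert in find_alerts(recs):
        print("ALERT", *alert)
```

The same logic fits naturally behind the SNS delivery notification the slide mentions: each new log file is parsed on arrival and only the alerts are forwarded to the SIEM.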
  • 27. Amazon VPC
    Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define.
  • 28. Use cases enabled by VPC
    Extending DODIN: Bring your own NIPRNET/DREN IP space into AWS
    Communicate with other Amazon VPCs: Use VPC peering to communicate across the AWS network infrastructure
    Layered security: Use subnets, route tables, and NACLs to control access to your resources
  • 29. VPC defense in depth for the endpoint
    • VPC adds network access control lists (ACLs):
      • (Optional) layer of security that acts as a stateless firewall for controlling traffic in and out of a subnet
      • Port/protocol defined with Action (Allow/Deny)
    • Security groups
      • Stateful virtual firewall applied to an instance (e.g., EC2, ELB)
      • Traffic must be explicitly specified by protocol, port, and security group
      • Can reference other security group(s) in Inbound Source and/or Outbound Destination
    • OS Firewall (e.g., iptables) may be implemented
      • Completely user-controlled security layer
      • Granular access control of discrete hosts
      • Logging network events
    [Diagram: inbound traffic passes, in order, the Region, the VPC network ACLs, the AWS security group, and the EC2 OS firewall.]
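The stateless/stateful distinction on slide 29 is the one that bites in practice: a network ACL judges every packet on its own, so the reply to an allowed inbound connection still needs an explicit outbound rule for the client's ephemeral port, whereas a security group remembers the flow and lets the reply through. The simulation below is an added example, not code from the slides or from AWS; the addresses, rule numbers and port ranges are constructed, and the security group is given a deliberately narrow outbound rule so that the reply is allowed by state tracking rather than by a rule.

```python
"""Model the stateless network ACL and the stateful security group and run
one HTTPS request/reply pair through both.

Added example, not from the slides or from AWS: a small simulation of the
evaluation rules with constructed addresses, rule numbers and port ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluated lowest first; the first match wins
    egress: bool      # False = inbound rule, True = outbound rule
    proto: str        # "tcp", "udp", or "all"
    cidr: str         # source for inbound rules, destination for outbound rules
    ports: tuple      # (low, high) destination port range
    allow: bool


def _matches(proto, cidr, ports, pkt, peer):
    lo, hi = ports
    return (proto in (pkt.proto, "all")
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)
            and lo <= pkt.dport <= hi)


def nacl_allows(rules, pkt, egress):
    """Stateless: every packet, in each direction, is judged on its own."""
    peer = pkt.dst if egress else pkt.src
    for r in sorted((r for r in rules if r.egress == egress), key=lambda r: r.number):
        if _matches(r.proto, r.cidr, r.ports, pkt, peer):
            return r.allow
    return False  # the implicit final "*" rule denies


class SecurityGroup:
    """Stateful: once a flow is allowed in one direction, its replies are allowed."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # list of (proto, cidr, (low, high))
        self.outbound = outbound  # real SGs default to allow-all outbound; narrowed here on purpose
        self.flows = set()        # (client_ip, client_port, server_ip, server_port)

    def allows(self, pkt, egress):
        # A reply to a tracked flow is allowed regardless of the rules.
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.flows:
            return True
        peer = pkt.dst if egress else pkt.src
        for proto, cidr, ports in (self.outbound if egress else self.inbound):
            if _matches(proto, cidr, ports, pkt, peer):
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False


# Constructed scenario: a client on an ephemeral port talks HTTPS to a web server.
REQUEST = Packet("198.51.100.23", "10.0.1.10", "tcp", 51234, 443)
REPLY = Packet("10.0.1.10", "198.51.100.23", "tcp", 443, 51234)

# NACL that forgot the ephemeral-port return rule.
NACL_MISSING_EPHEMERAL = [
    NaclRule(100, False, "tcp", "0.0.0.0/0", (443, 443), True),
    NaclRule(100, True, "tcp", "0.0.0.0/0", (443, 443), True),
]
# Same NACL with outbound ephemeral ports (1024-65535) allowed.
NACL_FIXED = NACL_MISSING_EPHEMERAL + [
    NaclRule(110, True, "tcp", "0.0.0.0/0", (1024, 65535), True),
]


def evaluate_https_exchange(nacl_rules):
    """Return (nacl request, nacl reply, sg request, sg reply) allow decisions."""
    sg = SecurityGroup(inbound=[("tcp", "0.0.0.0/0", (443, 443))],
                       outbound=[("tcp", "0.0.0.0/0", (443, 443))])
    return (nacl_allows(nacl_rules, REQUEST, egress=False),
            nacl_allows(nacl_rules, REPLY, egress=True),
            sg.allows(REQUEST, egress=False),
            sg.allows(REPLY, egress=True))


if __name__ == "__main__":
    print("missing ephemeral rule:", evaluate_https_exchange(NACL_MISSING_EPHEMERAL))
    print("fixed NACL:            ", evaluate_https_exchange(NACL_FIXED))
```

With the first NACL the request is accepted and the reply is dropped, which shows up as connections that open and then hang; the OS firewall on the instance is a third, independent layer and is not modelled here.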
  • 30. VPC Flow Logs
    • See all of the traffic at your instances
    • Visibility into effects of security group rules
    • Troubleshooting network connectivity
    • Ability to analyze traffic
    • At VPC, subnet, and ENI level
  • 31. VPC Flow Logs (Netflow)
    SSH traffic allowed
    Sample CloudWatch Logs query:
    [version, acct, eni, srcaddr, destaddr, srcport, destport=22, prot, packets, bytes, start, end, action=REJECT, status]
    Sample record:
    2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
  • 32. VPC Flow Logs
    • Amazon Elasticsearch Service
    • Amazon CloudWatch Logs subscriptions
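The CloudWatch Logs filter pattern on slide 31 names the flow log fields positionally and matches records with `destport=22` and `action=REJECT`; note that the record shown on the slide is an accepted SSH connection, so it would not match that filter. The parser below is an added example, not from the slides or from AWS, and implements the same field-by-field match in Python for use in a CloudWatch Logs subscription consumer or over an exported log: the first record is the slide's, the remaining records are constructed (the 198.51.100.9 address is a documentation address) and include a NODATA record to show the `-` fields that the default format produces.

```python
"""Parse VPC Flow Log records (default format) and apply the slide's filter.

Added example, not from the slides: the first line is the slide's record,
the others are constructed.
"""
from collections import Counter

FIELDS = ["version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status"]
NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample log (first line copied from the slide).
SAMPLE_FLOW_LOG = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 198.51.100.9 172.168.1.11 40123 22 6 1 44 1438530020 1438530080 REJECT OK
2 123456789010 eni-abc123de 198.51.100.9 172.168.1.11 40124 22 6 1 44 1438530021 1438530081 REJECT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 53211 443 6 10 2100 1438530030 1438530090 ACCEPT OK
2 123456789010 eni-abc123de - - - - - - - 1438530100 1438530160 - NODATA
"""


def parse_flow_log(text):
    """Turn each space-separated record into a dict; '-' fields become None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record; skip rather than guess
        rec = {}
        for name, raw in zip(FIELDS, parts):
            if raw == "-":
                rec[name] = None
            elif name in NUMERIC:
                rec[name] = int(raw)
            else:
                rec[name] = raw
        records.append(rec)
    return records


def filter_records(records, **criteria):
    """Equivalent of the slide's filter pattern: every named criterion must match."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def rejected_ssh(records):
    # protocol 6 is TCP; the slide's pattern does not pin the protocol, this does.
    return filter_records(records, dstport=22, protocol=6, action="REJECT")


def sources_by_rejects(records):
    """Count rejected SSH attempts per source address, a quick brute-force signal."""
    return Counter(r["srcaddr"] for r in rejected_ssh(records))


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(len(recs), "records parsed")
    for r in rejected_ssh(recs):
        print("rejected ssh:", r["srcaddr"], "->", r["dstaddr"], "port", r["dstport"])
    print(sources_by_rejects(recs))
```

Switching the criteria to `action="ACCEPT"` gives the "SSH traffic allowed" view named in the slide title, which is the one to reconcile against the security group rules when verifying their effect.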
  • 33. DoD IL4/5 Web Application Reference Architecture Co-Location CAP/ BCD Direct Connect DODIN NIPRNET Admin Access Static Web Content, Logs, and Snapshots Region Virtual Private Gateway VDMS/CSSP Enclave HBSS Server CSSP Managed ACAS Server User Access Private S3 Access MISSION VLAN(S) IAP CAP/CSSP Internal Routing VDSS Pub Pub Priv Priv Priv Priv Internet Web Applica tion P u b P u b P r i v P r i v P r i v P r i v Web Applica tion P u b P u b P r i v P r i v P r i v P r i v AWS –DoD Mission Owner DoD Mission Owner Application BCD Managed
  • 34. Security through automation • Is your infrastructure configured the way you intended? • Can you verify it is still configured the way you intended?
  • 35. Security through automation Programmable infrastructure means that infrastructure can for the first time be scripted, code-reviewed, and checked into a source control system – “Infrastructure as code” taken seriously can massively improve security posture – SDL (secure development lifecycle) now applies to infrastructure
• 36. AWS CloudFormation
AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
• 37. Use cases enabled by CloudFormation
• Security templates: Start with a known good security configuration
• Infrastructure management: Manage collections of resources as stacks
• Audit: Compare what you do have to what you should have
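The layering of slide 29 and the "security template" and "audit" use cases of slide 37 together, as an added example that is not code from the deck or from any AWS Quick Start: a minimal CloudFormation template built as a Python dict (CloudFormation accepts the JSON it serializes to) with a stateless network ACL, a public load-balancer security group, and a web-server group that admits 443 only from the load balancer's group, plus an audit function that reports any ingress open to 0.0.0.0/0 outside the intended public port set. Logical IDs such as WebTierAcl, LoadBalancerSG and WebServerSG are assumed names; subnet association and egress rules are omitted for brevity.

```python
# Added example (not from the slides): a minimal CloudFormation template, built
# as a Python dict that serializes to JSON, layering slide 29's stateless
# network ACL and stateful security groups, plus an audit function for slide
# 37's "what you do have vs. what you should have" check. Logical IDs assumed.
ANY_IPV4 = "0.0.0.0/0"

def acl_entry(rule_number, egress, from_port, to_port):
    # Stateless ACL: the return path (ephemeral ports outbound) needs its own rule.
    return {"Type": "AWS::EC2::NetworkAclEntry", "Properties": {
        "NetworkAclId": {"Ref": "WebTierAcl"}, "RuleNumber": rule_number,
        "Protocol": 6, "RuleAction": "allow", "Egress": egress,
        "CidrBlock": ANY_IPV4, "PortRange": {"From": from_port, "To": to_port}}}

def security_group(description, ingress):
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": description, "VpcId": {"Ref": "VpcId"},
        "SecurityGroupIngress": ingress}}

def build_template():
    # NACL admits only 443 into the subnet; WebServerSG admits 443 solely from LoadBalancerSG.
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
        "Resources": {
            "WebTierAcl": {"Type": "AWS::EC2::NetworkAcl",
                           "Properties": {"VpcId": {"Ref": "VpcId"}}},
            "AclInHttps": acl_entry(100, False, 443, 443),
            "AclOutEphemeral": acl_entry(100, True, 1024, 65535),
            "LoadBalancerSG": security_group("Public HTTPS into the ELB", [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "CidrIp": ANY_IPV4}]),
            "WebServerSG": security_group("HTTPS only from the ELB", [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "SourceSecurityGroupId": {"Ref": "LoadBalancerSG"}}]),
        },
    }

def audit_ingress(template, allowed_public_ports=(443,)):
    # Return (logical_id, port) for each security-group ingress rule open to
    # 0.0.0.0/0 outside the intended public set; IpProtocol -1 (no ports) -> -1.
    findings = []
    sgs = [(n, r["Properties"]) for n, r in template["Resources"].items()
           if r["Type"] == "AWS::EC2::SecurityGroup"]
    for name, props in sgs:
        for rule in props.get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == ANY_IPV4:
                lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
                findings += [(name, p) for p in range(lo, hi + 1)
                             if p not in allowed_public_ports]
    return findings
```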
• 38. Compliance through automation
• How can you get your System ATO faster?
• Answer: Develop automation around your system build, artifact generation, and documentation.
• Are there any reference architectures available to automate the build of the DoD SCCA and the documentation process?
• Answer: Yes!
• 39. How does AWS make this easy?
The Enterprise Accelerator Compliance Quick Start: https://aws.amazon.com/quickstart
  • 40. AWS Enterprise Accelerator Quick Start website
• 41. Enterprise Accelerator Quick Start Packages: What's in the box?
• Architecture diagram
• Security Controls Matrix (SCM)
• AWS CloudFormation templates
• Deployment guide
• 43. AWS Quick Start CloudFormation templates
• CloudFormation templates
  − Customize and deploy through automation
• Templates deliver infrastructure as code
  – Each template deploys a resource stack
  – Templates can be managed and version controlled using source code repositories (e.g., GitHub)
• 44. Deployment options
• AWS Management Console
• CLI deployment
  − Deployment scripts included with package
• AWS Service Catalog (where available)
  − As a Service Catalog "Product"
  • 45. Enlighten IT DoD Tactical – Enterprise “Big Data” Analytics in AWS Finding unique needles within piles of needles since 2012
• 46. Mission speed cyber security
• Deployed three Big Data Platform (BDP) Analytic Clouds in two days
  • Used Enlighten's Rapid Analytic Deployment and Management Framework (RADMF.com) to speed the deployment
• Utilize S3 and Amazon Glacier (COOP) storage environments
• Utilize EMR for PCAP processing
• Currently running 50+ analytics and data visualization capabilities
• Ingested 50+ mission data types
• Utilize AWS Snowball Edge for secure data transport from mission site
• Received 300 TB of mission data in less than 90 days, on track for 1 PB
• 47. Accreditation success
• Mission need drove accreditation timeline
• Utilized existing accreditation packages where applicable
  • BDP's DIACAP ATO being converted to RMF
  • AWS GovCloud FedRAMP High
• Adapted to DAO's requests
  • VPCs
  • Security controls around PCAP
  • Whitelist IP access
  • Continuous monitoring (log file analysis)
• Completed SSP & CONOPS within two weeks