
Getting Started with AWS Security

AWS and its partners offer a wide range of tools and features to help you meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that can give you full visibility into what is happening in your environment. In this session, you will be introduced to the range of security tools and features that AWS offers, and to the latest security innovations coming from AWS.

Published in: Technology

  1. Getting Started with AWS Security. Michael Capicotto, Solutions Architect, August 23rd, 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Prescriptive Approach: Understand AWS Security Practice; Build Strong Compliance Foundations; Integrate Identity & Access Management; Enable Detective Controls; Establish Network Security; Implement Data Protection; Optimize Change Management; Automate Security Functions.
  3. Understand AWS Security Practice
  4. Why is Enterprise Security Traditionally Hard? Lack of visibility; low degree of automation.
  5. Move Fast AND Stay Secure
  6. Making life easier: choosing security does not mean giving up on convenience or introducing complexity.
  7. Security ownership as part of DNA (distributed, embedded) • Promotes a culture of “everyone is an owner” for security • Makes security a stakeholder in business success • Enables easier and smoother communication
  8. Strengthen your security posture: get native functionality and tools; over 30 global compliance certifications and accreditations; leverage security enhancements gleaned from 1M+ customer experiences; benefit from AWS industry-leading security teams 24/7, 365 days a year; security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations.
  9. Security is a shared responsibility. AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for their security IN the Cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption; server-side data encryption; network traffic protection.
  10. Security Training: Security Fundamentals on AWS (free online course); Security Operations on AWS (3-day class). Details at aws.amazon.com/training
  11. Build Strong Compliance Foundations
  12. AWS Assurance Programs. AWS maintains a formal control environment • SOC 1 Type II • SOC 2 Type II and public SOC 3 report • ISO 27001, 27017, 27018 certification • Certified PCI DSS Level 1 Service Provider • FedRAMP authorization • Architect for HIPAA compliance
  13. AWS Account Relationship: AWS Account Ownership; AWS Account Contact Information; AWS Sales; AWS Solutions Architects; AWS Support; AWS Professional Services; AWS Consulting Partners.
  14. AWS Trusted Advisor
  15. Integrate Identity & Access Management
  16. AWS Identity & Access Management: IAM Users, IAM Groups, IAM Roles, IAM Policies.
  17. Account Governance – New Accounts: AWS Account; Credential Management (“Root Account”); InfoSec’s Cross-Account Roles; Federation; Baseline Requirements; Actions & Conditions; Map Enterprise Roles.
  18. Enable Detective Controls
  19. AWS CloudTrail & CloudWatch. AWS CloudTrail: • Enable globally for all AWS Regions • Encryption & integrity validation • Archive & forward. Amazon CloudWatch: • Amazon CloudWatch Logs • Metrics & filters • Alarms & notifications
  20. Establish Network Security
  21. AWS Global Footprint: 12 Regions (10 public, China Region and GovCloud Region); Canada, Ohio, India, UK and another China Region planned for 2016 and beyond; 32 Availability Zones (adding 11 more in 2016 across new Regions); 55+ Edge locations. (Map legend: Region, Edge location.)
  22. Amazon Virtual Private Cloud (reference architecture): VPC CIDR 10.10.0.0/16 spanning AZ A and AZ B, with two public subnets (10.10.1.0/24, 10.10.2.0/24) and four private subnets (10.10.3.0/24, 10.10.4.0/24, 10.10.5.0/24, 10.10.6.0/24). An Internet Gateway and public ELB front an autoscaling web tier; an internal ELB fronts an autoscaling application tier; a Multi-AZ RDS data tier has an RDS master, RDS standby and snapshots. The existing datacenter connects through a Virtual Private Gateway and Customer Gateway over a VPN connection, or over Direct Connect via a network partner location, for administrators & corporate users.
  23. Security Groups (example): VPC CIDR 10.1.0.0/16 with a public subnet and a private subnet in each of Availability Zone A and Availability Zone B; ELB, web and back-end tiers, each in its own security group: sg_ELB_FrontEnd (ELB Security Group), sg_Web_Frontend (Web Security Group), sg_Backend (Backend Security Group).
  24. Security Groups
  25. Security Groups
  26. Security Groups
  27. VPC Flow Logs • Agentless • Enable per ENI, per subnet, or per VPC • Logged to Amazon CloudWatch Logs • Create CloudWatch metrics from log data • Alarm on those metrics. Fields captured: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, accept or reject.
  28. VPC Flow Logs • Amazon Elasticsearch Service • Amazon CloudWatch Logs subscriptions
  29. VPC Flow Logs – CloudWatch Alarms
  30. Implement Data Protection
  31. Cryptographic Services. AWS KMS: • Deep integration with AWS services • CloudTrail • AWS SDK for application encryption. Amazon CloudHSM: • Dedicated HSM • Integrate with on-premises HSMs • Hybrid architectures
  32. Optimize Change Management
  33. AWS Config & Config Rules. AWS Config: • Record configuration changes continuously • Time-series view of resource changes • Archive & compare. Config Rules: • Enforce best practices • Automatically roll back unwanted changes • Trigger additional workflow
  34. AWS Config
  35. AWS Config
  36. AWS Config Rules – Tenancy Enforcement Example
  37. AWS Config Rules – Tenancy Enforcement Example
  38. AWS Config Rules – Tenancy Enforcement Example
  39. AWS Config Partners
  40. MONITORING, REPORTING, & OPTIMIZATION. Enterprise Security & Cost Management from CloudCheckr. The CloudCheckr Unified Cloud Security and Governance Platform: leveraging AWS data (CloudTrail, Config, VPC Flow Logs, CloudWatch Logs, DBR, and more metrics); providing complete transparency into 1 or across 1000s of AWS accounts; automating security, configuration, and activity monitoring and alerting; continuous monitoring of configurations, resources and permissions; active optimization, sophisticated allocation, and simplified invoicing for enterprise cloud cost management.
  41. SAVING $2 MILLION WHILE IMPROVING SECURITY. CloudCheckr’s unified cost & security management platform. Case Study. Problem statement: AWS usage started small and grew very complex with time; needed clarity around cost, utilization and security. Business outcomes: saved $2 million USD; total control of the Detailed Billing Report; change monitoring for security weaknesses. WWW.CLOUDCHECKR.COM. “CloudCheckr gives us total visibility and control over our AWS investment.” Patrick Neville, Manager of Systems Operations
  42. SAVES TIME & MONEY, IMPROVES SECURITY. CloudCheckr’s unified cost & security management platform. Case Study. Problem statement: needed to track changes and costs; needed to drive accountability across all key stakeholders. Business outcomes: saved $2 million USD; total control of the Detailed Billing Report; change monitoring for security weaknesses. WWW.CLOUDCHECKR.COM. “The S3 functionality alone revealed immediate cost savings that paid for CloudCheckr 3x over.” Dave North, Director of DevOps
  43. AWS CloudFormation – Infrastructure as Code. Template → Stack. AWS CloudFormation: • Orchestrate changes across AWS services • Use as foundation for Service Catalog products • Use with source code repositories to manage infrastructure changes. Template: • JSON-based text file describing infrastructure • Resources created from a template • Can be updated • Updates can be restricted
  44. Change Sets – Create Change Set
  45. Change Sets
  46. Change Sets
  47. Automate Security Functions
  48. Evolving the Practice of Security Architecture. Current Security Architecture Practice: security architecture as a separate function can no longer exist; static position papers, architecture diagrams & documents; UI-dependent consoles and technologies; auditing, assurance, and compliance are decoupled, separate processes.
  49. Evolving the Practice of Security Architecture. Evolved Security Architecture Practice: security architecture can now be part of the ‘maker’ team; architecture artifacts (design choices, narrative, etc.) committed to common repositories; complete solutions account for automation; solution architectures are living audit/compliance artifacts and evidence in a closed loop. Tooling: AWS CodeCommit, AWS CodePipeline, Jenkins.
  50. AWS Marketplace Security Partners: Infrastructure Security; Logging & Monitoring; Identity & Access Control; Configuration & Vulnerability Analysis; Data Protection.
  51. Prescriptive Approach – Get Started! Understand AWS Security Approach; Build Strong Compliance Foundations; Integrate Identity & Access Management; Enable Detective Controls; Establish Network Security; Implement Data Protection; Optimize Change Management; Automate Security Functions.
  52. Visit Us! Enter to Win an Echo.
  53. Thank you!
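Slides 27–29 describe the detective-control pattern for VPC Flow Logs: ship records to CloudWatch Logs, derive a metric from the log data, and alarm on it. The following Python is an added example, not part of the deck or any AWS tool; it assumes the default 14-field Flow Logs record format and uses constructed sample records to show the metric (count of REJECT records) and the alarm condition (a source refused on several ports) that the slides leave implicit.

```python
from collections import Counter, defaultdict
from typing import Any, Dict, Iterable, List, Tuple

# Default VPC Flow Logs record format (assumed): 14 space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: one source refused on SSH, telnet and RDP by a private host's
# security group, one HTTPS client, and one NODATA record (traffic fields are '-').
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.10.3.20 40532 22 6 3 180 1471950000 1471950059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.10.3.20 40533 23 6 3 180 1471950000 1471950059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.10.3.20 40534 3389 6 3 180 1471950000 1471950059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.10.1.10 51200 443 6 20 4400 1471950000 1471950059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.10.1.10 51201 443 6 1 60 1471950000 1471950059 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1471950000 1471950059 - NODATA
"""


def parse_record(line: str) -> Dict[str, Any]:
    """Split one record into a dict; '-' in a numeric field becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, Any] = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def count_by_action(lines: Iterable[str]) -> Counter:
    """Metric-filter equivalent: number of ACCEPT, REJECT and '-' records."""
    return Counter(parse_record(l)["action"] for l in lines if l.strip())


def noisy_rejecters(lines: Iterable[str], threshold: int) -> List[Tuple[str, int, List[int]]]:
    """Alarm equivalent: sources whose REJECT count reaches the threshold,
    with the distinct destination ports they were refused on (sorted)."""
    counts: Counter = Counter()
    ports: Dict[str, set] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
            ports[rec["srcaddr"]].add(rec["dstport"])
    return sorted((src, n, sorted(ports[src]))
                  for src, n in counts.items() if n >= threshold)
```

In the managed setup the slides describe, the REJECT count would come from a CloudWatch Logs metric filter on the action field and the threshold from a CloudWatch alarm on that metric; the NODATA handling matters because those records carry '-' in every traffic field and would otherwise break a naive parser.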
