© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Improve your security posture with AWS CloudFormation (DEV341-R2) - AWS re:Invent 2018
Luis Colon, Sr Developer Advocate, AWS CloudFormation
Anuradha Garg, Sw Development Engineer, AWS CloudFormation
Sam Hennessy, Solutions Architect, AWS
Agenda
• Improving your security posture
• Guidelines from the Center for Internet Security
• Demo: CLI tool to run checks
• Demo: Use CloudFormation to deploy equivalent AWS Config Rules
Before We Start…
Be aware of a few basic things…
• What are the typical vulnerabilities?
• Are you writing secure code?
• How’s your monitoring game?

What are typical vulnerabilities?
Common Vulnerabilities: OWASP Top 10
Common Vulnerabilities: PureSec Top 10
Are you writing secure code?
Avoiding Injection
3rd Party Dependencies
2 direct, 19 indirect, ~191k LOC
Flow Manipulation
How’s your monitoring game?
Monitoring & Logging
• AWS CloudWatch
• AWS CloudTrail
• AWS Config
• AWS ConfigRules
• AWS X-Ray
• Amazon Macie
• Dashbird
• …no need to write your own
Automating Controls
CIS AWS Foundations
CIS Rules
• Prowler
• Checks CIS
• Adds other rules
• Check per account/region
CIS Benchmark on AWS
https://aws.amazon.com/quickstart/architecture/compliance-cis-benchmark/
[Architecture diagram labels: Delivered to AWS CloudWatch Logs; S3 bucket encrypted with AWS KMS; Alarms; Events Rules; Custom Lambda Functions; AWS Lambda Functions; Custom AWS Config Rules; AWS Config Rules; Email Notifications]
• Some controls implemented as custom AWS Config rules
• AWS CloudWatch alarms and custom log metric filters for continuous monitoring
• CloudWatch event rules
• AWS Lambda functions back all custom AWS Config and CloudWatch events
• CloudWatch rules and events depend on AWS CloudTrail
CIS Benchmark: Deploying with CloudFormation
• Select Profile Level (1 or 2)
• Enable CloudWatch and CloudTrail
• Implemented as a nested stack
• Requires email for CloudWatch notifications
• Over 90 resources are implemented
Generated AWS CloudWatch Rules
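The CloudWatch side of the architecture above, as an added example that is not the Quick Start's own template: one root-account-usage control expressed as a CloudWatch Logs metric filter over the CloudTrail log group, an alarm on the resulting metric, and an SNS topic whose email subscription is the notification address the stack requires. The log group name and email address are parameters you supply; the log group is assumed to already receive CloudTrail events, and the metric namespace and names are chosen here.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not the CIS Quick Start template): a root-account-usage
  monitoring control built from a CloudWatch Logs metric filter, a
  CloudWatch alarm and an SNS email notification.

Parameters:
  CloudTrailLogGroupName:
    Type: String
    Description: >
      Assumed to exist already: the CloudWatch Logs log group that
      CloudTrail delivers to. The filter below depends on it.
  NotificationEmail:
    Type: String
    Description: Address subscribed to the alarm topic (confirm the subscription mail).

Resources:
  # Email delivery for every alarm in this stack.
  AlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref NotificationEmail
          Protocol: email

  # CloudTrail events in which the caller is the root user, excluding
  # calls made on its behalf by an AWS service.
  RootUsageMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
      MetricTransformations:
        - MetricNamespace: CISBenchmark      # namespace chosen for this example
          MetricName: RootAccountUsageCount
          MetricValue: '1'

  # A single matching event within a five-minute period raises the alarm;
  # periods with no data are treated as healthy rather than missing.
  RootUsageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CIS-RootAccountUsage
      AlarmDescription: Root account API activity detected
      Namespace: CISBenchmark
      MetricName: RootAccountUsageCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopic

Outputs:
  AlarmTopicArn:
    Description: Topic to attach further CIS alarms to.
    Value: !Ref AlarmTopic
```

The same filter/alarm/topic pattern is repeated per control in the Quick Start; changing only the FilterPattern and metric name yields the other CloudWatch-based checks.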
Generated AWS Config Rules
AWS Lambda Functions for Rules
• Inspect the code
• Customize it!
Additional Advice
• Reuse existing authentication systems
  • AWS Cognito, Auth0, JWT
• Least Privilege
  • No * in IAM policies
  • No individual permissions (use roles/groups)
  • Make policies per function, not a global one
• Protect secrets
  • Don’t expose in logs, code or alerts
  • Extract parameters - use AWS Systems Manager Parameter Store
• Encryption
  • Rotate keys to mitigate events
  • Use AWS Secrets Manager
• Use the tools at your disposal
  • Don't create new tools if you don’t have to!
• Your own audits
  • Log logins, failed logins, account changes (password changes, email changes), confirm db transactions…
  • Have thresholds on logins from an address, db connections, queries per second
  • DoS becomes DoW
• Rotate credentials
• Separate credentials and policies for different functions
• Harden accounts and environments
• Automate your controls
Thank you!

More Related Content

What's hot

Securing Machine Learning Deployments for the Enterprise (SEC369-R1) - AWS re...
Securing Machine Learning Deployments for the Enterprise (SEC369-R1) - AWS re...Securing Machine Learning Deployments for the Enterprise (SEC369-R1) - AWS re...
Securing Machine Learning Deployments for the Enterprise (SEC369-R1) - AWS re...Amazon Web Services
 
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...Amazon Web Services
 
DEM20 Protecting Your Data in Amazon S3
DEM20 Protecting Your Data in Amazon S3DEM20 Protecting Your Data in Amazon S3
DEM20 Protecting Your Data in Amazon S3Amazon Web Services
 
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Amazon Web Services
 
Adding a Sumerian Host to Your Scene
Adding a Sumerian Host to Your SceneAdding a Sumerian Host to Your Scene
Adding a Sumerian Host to Your SceneAmazon Web Services
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Amazon Web Services
 
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Amazon Web Services
 
Amazon S3 Security Settings & Controls (STG308-R1) - AWS re:Invent 2018
Amazon S3 Security Settings & Controls (STG308-R1) - AWS re:Invent 2018Amazon S3 Security Settings & Controls (STG308-R1) - AWS re:Invent 2018
Amazon S3 Security Settings & Controls (STG308-R1) - AWS re:Invent 2018Amazon Web Services
 
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...Amazon Web Services
 
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...Amazon Web Services
 
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Amazon Web Services
 
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...Amazon Web Services
 
Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...
Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...
Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Amazon Web Services
 
GitHub to Lambda: Developing, testing and deploying serverless apps::Faten He...
GitHub to Lambda: Developing, testing and deploying serverless apps::Faten He...GitHub to Lambda: Developing, testing and deploying serverless apps::Faten He...
GitHub to Lambda: Developing, testing and deploying serverless apps::Faten He...Amazon Web Services Korea
 
Best Practices for Securing Serverless Applications (SEC362-R1) - AWS re:Inve...
Best Practices for Securing Serverless Applications (SEC362-R1) - AWS re:Inve...Best Practices for Securing Serverless Applications (SEC362-R1) - AWS re:Inve...
Best Practices for Securing Serverless Applications (SEC362-R1) - AWS re:Inve...Amazon Web Services
 
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...Amazon Web Services
 

What's hot (20)

Securing Machine Learning Deployments for the Enterprise (SEC369-R1) - AWS re...
Securing Machine Learning Deployments for the Enterprise (SEC369-R1) - AWS re...Securing Machine Learning Deployments for the Enterprise (SEC369-R1) - AWS re...
Securing Machine Learning Deployments for the Enterprise (SEC369-R1) - AWS re...
 
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
 
DEM20 Protecting Your Data in Amazon S3
DEM20 Protecting Your Data in Amazon S3DEM20 Protecting Your Data in Amazon S3
DEM20 Protecting Your Data in Amazon S3
 
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
 
Adding a Sumerian Host to Your Scene
Adding a Sumerian Host to Your SceneAdding a Sumerian Host to Your Scene
Adding a Sumerian Host to Your Scene
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
 
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
 
Amazon S3 Security Settings & Controls (STG308-R1) - AWS re:Invent 2018
Amazon S3 Security Settings & Controls (STG308-R1) - AWS re:Invent 2018Amazon S3 Security Settings & Controls (STG308-R1) - AWS re:Invent 2018
Amazon S3 Security Settings & Controls (STG308-R1) - AWS re:Invent 2018
 
AWS Security By Design
AWS Security By DesignAWS Security By Design
AWS Security By Design
 
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
 
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
 
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
 
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...
 
Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...
Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...
Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
 
GitHub to Lambda: Developing, testing and deploying serverless apps::Faten He...
GitHub to Lambda: Developing, testing and deploying serverless apps::Faten He...GitHub to Lambda: Developing, testing and deploying serverless apps::Faten He...
GitHub to Lambda: Developing, testing and deploying serverless apps::Faten He...
 
Best Practices for Securing Serverless Applications (SEC362-R1) - AWS re:Inve...
Best Practices for Securing Serverless Applications (SEC362-R1) - AWS re:Inve...Best Practices for Securing Serverless Applications (SEC362-R1) - AWS re:Inve...
Best Practices for Securing Serverless Applications (SEC362-R1) - AWS re:Inve...
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
 

Similar to Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:Invent 2018

How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfAmazon Web Services
 
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security BaselineAWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security BaselineAmazon Web Services
 
Secure Your Customers' Data From Day One
Secure Your Customers' Data From Day OneSecure Your Customers' Data From Day One
Secure Your Customers' Data From Day OneAmazon Web Services
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineAmazon Web Services
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDayAmazon Web Services
 
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAmazon Web Services
 
Compliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesCompliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesAmazon Web Services
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day OneAmazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS Germany
 
New AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadNew AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadAmazon Web Services
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Amazon Web Services
 
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfSecuring Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfAmazon Web Services
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsAmazon Web Services
 
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...Amazon Web Services
 

Similar to Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:Invent 2018 (20)

Enterprise Security
Enterprise SecurityEnterprise Security
Enterprise Security
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdf
 
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security BaselineAWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
 
Secure Your Customers' Data From Day One
Secure Your Customers' Data From Day OneSecure Your Customers' Data From Day One
Secure Your Customers' Data From Day One
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDay
 
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
 
Mitigating techniques
Mitigating techniquesMitigating techniques
Mitigating techniques
 
Compliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesCompliance and Security Mitigation Techniques
Compliance and Security Mitigation Techniques
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
 
How AI is disrupting the world
How AI is disrupting the world How AI is disrupting the world
How AI is disrupting the world
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
 
New AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadNew AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your Workload
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
 
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfSecuring Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
 
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
Ensuring Your Windows Server Workloads Are Well-Architected - AWS Online Tech...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS

Improve your Security Posture with AWS CloudFormation (DEV341-R2) - AWS re:Invent 2018

  • 1.
  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Improve your security posture with AWS CloudFormation (DEV341-R2). Luis Colon, Sr Developer Advocate, AWS CloudFormation. Anuradha Garg, Sw Development Engineer, AWS CloudFormation. Sam Hennessy, Solutions Architect, AWS.
  • 3. Agenda • Improving your security posture • Guidelines from the Center for Internet Security • Demo: CLI tool to run checks • Demo: Use CloudFormation to deploy equivalent AWS Config Rules
  • 4. Before We Start… Be aware of a few basic things… • What are the typical vulnerabilities? • Are you writing secure code? • How’s your monitoring game?
  • 5. What are typical vulnerabilities?
  • 6. Common Vulnerabilities: OWASP Top 10
  • 7. Common Vulnerabilities: PureSec Top 10
  • 8. Are you writing secure code?
  • 9. Avoiding Injection
  • 10. Avoiding Injection
  • 11.
  • 12. 3rd Party Dependencies
  • 13. 3rd Party Dependencies • 2 direct • 19 indirect • ~191k LOC
  • 14. Flow Manipulation
  • 16.
  • 17. Monitoring & Logging • AWS CloudWatch • AWS CloudTrail • AWS Config • AWS Config Rules • AWS X-Ray • Amazon Macie • Dashbird • …no need to write your own
  • 20.
  • 21. CIS AWS Foundations
  • 22. CIS Rules • Prowler • Checks CIS • Adds other rules • Check per account/region
  • 23. CIS Benchmark on AWS https://aws.amazon.com/quickstart/architecture/compliance-cis-benchmark/
  • 24. CIS Benchmark on AWS https://aws.amazon.com/quickstart/architecture/compliance-cis-benchmark/ (architecture diagram: CloudTrail delivered to AWS CloudWatch Logs; S3 bucket encrypted with AWS KMS; alarms; event rules; custom Lambda functions; AWS Lambda functions; custom AWS Config rules; AWS Config rules; email notifications) • Some controls implemented as custom AWS Config rules • AWS CloudWatch alarms and custom log metric filters for continuous monitoring • CloudWatch event rules • AWS Lambda functions back all custom AWS Config and CloudWatch events • CloudWatch rules and events depend on AWS CloudTrail
  • 25. CIS Benchmark: Deploying with CloudFormation • Select Profile Level (1 or 2) • Enable CloudWatch and CloudTrail • Implemented as a nested stack • Requires email for CloudWatch notifications • Over 90 resources are implemented
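To make the "log metric filter plus alarm plus email notification" pattern from slides 24 and 25 concrete, here is one such control written as an added CloudFormation example; it is not the Quick Start's own template. It assumes CloudTrail is already delivering to the CloudWatch Logs group passed in as a parameter, and the namespace and metric names are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the CIS Quick Start's template): one continuous-monitoring
  control in the style of the CIS AWS Foundations Benchmark, alarming on any
  API call made with root credentials. Assumes CloudTrail already delivers to
  the CloudWatch Logs group named in CloudTrailLogGroupName.
Parameters:
  NotificationEmail:
    Type: String
    Description: Address that receives alarm emails (required, as on the slide)
  CloudTrailLogGroupName:
    Type: String
    Description: Existing CloudWatch Logs group that CloudTrail delivers to
Resources:
  AlarmTopic:
    Type: AWS::SNS::Topic
  AlarmSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref AlarmTopic
      Protocol: email
      Endpoint: !Ref NotificationEmail
  RootUsageMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      # Root identity, not invoked on its behalf by an AWS service
      FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
      MetricTransformations:
        - MetricNamespace: CISBenchmark        # placeholder namespace
          MetricName: RootAccountUsageCount    # placeholder metric name
          MetricValue: '1'
  RootUsageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CIS-RootAccountUsage
      AlarmDescription: Any API call made with root account credentials
      Namespace: CISBenchmark
      MetricName: RootAccountUsageCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      # No root activity in a period is the healthy state, not missing data
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopic
```

The alarm only fires if the trail actually reaches the log group, which is why the slide notes that the CloudWatch rules and events depend on AWS CloudTrail; the email subscription must also be confirmed before the first notification is delivered.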
  • 26. CIS Benchmark: Deploying with CloudFormation
  • 27. Generated AWS CloudWatch Rules
  • 28. Generated AWS Config Rules
  • 29. AWS Lambda Functions for Rules • Inspect the code • Customize it!
  • 30. Additional Advice • Reuse existing authentication systems • AWS Cognito, Auth0, JWT • Least privilege • No * in IAM policies • No individual permissions (use roles/groups) • Make policies per function, not a global one • Protect secrets • Don’t expose in logs, code or alerts • Extract parameters: use AWS Systems Manager Parameter Store • Encryption • Rotate keys to mitigate events • Use AWS Secrets Manager • Use the tools at your disposal • Don’t create new tools if you don’t have to! • Your own audits • Log logins, failed logins, account changes (password changes, email changes), confirm db transactions… • Have thresholds on logins from an address, db connections, queries per second • DoS becomes DoW • Rotate credentials • Separate credentials and policies for different functions • Harden accounts and environments • Automate your controls
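The least-privilege bullets on slide 30 (no * in IAM policies, a policy per function, secrets pulled from Parameter Store rather than embedded in code) can be expressed directly in CloudFormation. The template below is an added example, not the speakers' code; the function name and parameter path are hypothetical placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not from the talk: a per-function Lambda execution role that
  follows the slide's least-privilege advice. Function name and parameter
  path are hypothetical placeholders.
Parameters:
  FunctionName:
    Type: String
    Default: order-service                 # hypothetical function
  DbPasswordParameter:
    Type: String
    Default: /order-service/db/password    # hypothetical SSM parameter
Resources:
  OrderServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: order-service-only   # one policy for this function only
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # The weak setting this replaces (the "*" the slide warns against):
              #   - Effect: Allow
              #     Action: '*'
              #     Resource: '*'
              - Sid: ReadOwnSecretFromParameterStore
                Effect: Allow
                Action: ssm:GetParameter
                # Only this function's own parameter, nothing else in the account
                Resource: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${DbPasswordParameter}'
              - Sid: WriteOwnLogGroupOnly
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${FunctionName}:*'
```

If the parameter is a SecureString, the role additionally needs kms:Decrypt on the key that encrypts it, again scoped to that single key ARN rather than a wildcard.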
  • 31. Thank you! Luis Colon, Sr Developer Advocate, AWS CloudFormation. Anuradha Garg, Sw Development Engineer, AWS CloudFormation. Sam Hennessy, Solutions Architect, AWS.
  • 32. Please complete the session survey in the mobile app.