© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Understanding AWS Security
James Bromberger
Solutions Architect, Amazon Web Services
Agenda
•  Our Security
•  Your Security
–  Account Management (the keys to the kingdom)
–  Service Isolation
–  Visibility and Auditing
Security is our #1 priority
Shared security responsibility
AWS:
•  Facilities
•  Physical Security
•  Physical Infrastructure
•  Network Infrastructure
•  Virtualization Infrastructure
Customer:
•  Operating System
•  Application
•  Security Groups
•  OS Firewalls
•  Network Configuration
•  Account Management
How does AWS get security?
•  Physical access is recorded, videoed
•  Multi-factor authentication for physical access
•  Segregation of duties: staff with physical access versus staff with logical access
•  And every 90 days…
Prove what AWS does!
•  Certifications
•  Audits & Attestations
–  Independent 3rd parties
–  Regularly refreshed
–  Available to customers
aws.amazon.com/compliance
Certifications & Accreditations for Workloads That Matter
What does AWS do for its security?
November 2013, 60 pages, freely available at aws.amazon.com/security/
Secure your account
Identity and Access Management
•  Users & Groups
•  Unique Security Credentials
•  Temporary Security Credentials
•  Policies & Permissions
•  Roles
•  Multi-factor Authentication
ProTip #1: Account Security
Identity and Access Management
1.  Secure your Master account with MFA
2.  Create an IAM Group for your Admin team
3.  Create IAM Users for your Admin staff, as members of your Admin group
4.  Turn on MFA for these users!
ProTip #2: No hard-coded Credentials
EC2 Roles for Temporary Credentials
•  Remove hard-coded credentials from scripts and config files
•  Create an IAM Role and assign restricted policy
•  Launch instance into Role
•  AWS SDKs transparently get temporary credentials

GET http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

{
  "Code" : "Success",
  "LastUpdated" : "2012-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2012-04-27T22:39:16Z"
}
ProTip #3: Least Privilege Policies
IAM Policies
{
  "Effect" : "Allow",
  "Action" : [
    "route53:List*",
    "route53:Get*",
    "route53:ChangeResourceRecordSets"
  ],
  "Resource" : [
    "arn:aws:route53:::hostedzone/ZONEID"
  ]
}
IAM Policies
Use Conditions to restrict key exposure
"Condition" : {
  "IpAddress" : {
    "aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]
  }
}
ProTip #4: Test Your Policies
Identity and Access Management
•  Test your policies in the Policy Simulator!
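A small evaluator for the Route 53 policy above that combines the least-privilege actions of ProTip #3 with the aws:SourceIp condition, so a policy can be exercised offline the way the Policy Simulator does. This is an added example, not AWS code: the policy, the ZONEID placeholder and the request contexts are constructed, and only the IpAddress / NotIpAddress operators are modelled.

```python
import fnmatch
import ipaddress

# Constructed policy modelled on the deck's Route 53 example: read-only calls on any
# zone, record changes on one hosted zone ("ZONEID" is the slide's placeholder), and
# every statement conditioned on the two office ranges from the Condition slide.
OFFICE_CIDRS = ["192.0.2.0/24", "203.0.113.0/24"]
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["route53:List*", "route53:Get*"],
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": OFFICE_CIDRS}},
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/ZONEID",
            "Condition": {"IpAddress": {"aws:SourceIp": OFFICE_CIDRS}},
        },
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM wildcard match: '*' matches any run, '?' one character. Actions are
    matched case-insensitively, resource ARNs are case-sensitive."""
    patterns = _as_list(patterns)
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, source_ip):
    """Evaluate the Condition block. Only IpAddress / NotIpAddress on aws:SourceIp
    are modelled; anything else fails closed so it can never silently grant."""
    ip = ipaddress.ip_address(source_ip)
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            return False
        for key, cidrs in pairs.items():
            if key != "aws:SourceIp":
                return False
            in_range = any(ip in ipaddress.ip_network(c, strict=False)
                           for c in _as_list(cidrs))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Return 'allow' or 'deny' for one request, following IAM's order:
    an explicit Deny wins, otherwise a matching Allow grants, otherwise
    the request is implicitly denied."""
    decision = "deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", "*"), resource, fold_case=False):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    zone = "arn:aws:route53:::hostedzone/ZONEID"
    for req in [("route53:ListHostedZones", "*", "192.0.2.10"),
                ("route53:ListHostedZones", "*", "198.51.100.7"),
                ("route53:ChangeResourceRecordSets", zone, "203.0.113.5"),
                ("route53:DeleteHostedZone", zone, "203.0.113.5")]:
        print(req, "->", evaluate(POLICY, *req))
```

The second request shows the point of the Condition slide: a leaked key is useless from outside the listed ranges even though the action itself is allowed.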
Secure your data in flight
Credentials for talking to AWS APIs via REST:
•  ACCESS KEY
–  An identifier
•  SECRET KEY
–  Used to sign requests
–  Shouldn’t traverse the network again
•  Not retrievable from AWS again – you lose it, generate a new pair
Use SSL / TLS for all your traffic, just like you do for your API access
ProTip #5: Validate the SSL Certificate!
SSL offload to the Elastic Load Balancing Service
•  RDS connections can be encrypted
–  Get Public Key from AWS:
https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem
https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem
Secure your data at rest
•  Use encrypted file systems on EBS and Storage Gateway
–  dm-crypt/LUKS
–  Windows BitLocker
–  Windows EFS (file level)
–  Products from Partners: Trend, Safenet, etc
•  In your database
–  RDS Oracle & SQL Server – Transparent Data Encryption
•  Object Level into S3
Redshift
•  By Default:
–  Full disk encryption
–  Uses SSL to talk to S3
•  Optionally you can:
–  Set S3 backups to be encrypted
–  Limit S3 bucket access
–  Connect using SSL
–  Run within VPC
–  Use CloudHSM key store
–  Backup access logs to S3
•  Redshift retains 1 week
CloudHSM: Hardware Security Modules in the cloud
•  Single Tenancy
•  Private key material never leaves the HSM
•  AWS provisioned, customer managed
Isolate your services
Virtual Private Cloud
•  Security Groups
–  Don’t use 0.0.0.0/0
•  Subnet separation of instances with:
–  Network ACLs, and IAM policy to prevent changes
–  Routing tables, and IAM policy to prevent changes
–  No Internet Gateway, and IAM policy to prevent changes
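A review script for the first bullet: walk the output of DescribeSecurityGroups and report every ingress rule open to 0.0.0.0/0 (or ::/0), with an optional allowlist for ports that are deliberately public such as HTTPS on a web tier. This is an added example, not an AWS tool; the sample groups are constructed, only the field names follow the real API response.

```python
import ipaddress

# Constructed sample in the shape of the EC2 DescribeSecurityGroups response
# (not real data): a web tier exposing HTTPS, and an admin group that exposes SSH
# to the world, RDP to one office range, and all traffic to the web group only.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0e9f8a7b", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
    ]},
]


def is_world(cidr):
    """True for 0.0.0.0/0, ::/0 and any other prefix of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_world_open_rules(groups, public_ok=frozenset()):
    """Return (GroupId, IpProtocol, FromPort, ToPort, cidr) for every ingress
    rule open to the world. public_ok lists single ports that are deliberately
    public (e.g. {80, 443} on a web tier); protocol "-1" means all traffic and
    is always reported. Rules that reference another security group rather
    than a CIDR are not world-open and are skipped."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            proto = perm["IpProtocol"]
            lo = perm.get("FromPort", -1)
            hi = perm.get("ToPort", -1)
            if proto != "-1" and lo == hi and lo in public_ok:
                continue
            for cidr in cidrs:
                if is_world(cidr):
                    findings.append((group["GroupId"], proto, lo, hi, cidr))
    return findings


def report(groups, public_ok=frozenset()):
    """Human-readable lines for a daily check or a CI gate."""
    lines = []
    for gid, proto, lo, hi, cidr in find_world_open_rules(groups, public_ok):
        what = "all traffic" if proto == "-1" else f"{proto} {lo}-{hi}"
        lines.append(f"{gid}: {what} open to {cidr}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GROUPS, public_ok={443})) or "no world-open rules")
```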
One application per instance
•  Simplify forensics
•  Simplify Security Groups
•  Swim-lane capacity overloads
•  Limit blast radius
VPC Peering
•  Connect two VPCs in the same Region
–  No IP address conflicts
•  Bridged by routing table entries (both sides of peering relationship)
•  Offer & Accept model
Customer A initiates peer to B; Customer B receives request from A
Log (& review) your API calls
CloudTrail
Your staff or scripts make calls… on AWS API endpoints… CloudTrail logs this to an S3 bucket… so you can review this log
•  Who made the API call?
•  When was the API call made?
•  What was the API call?
•  What were the resources that were acted upon in the API call?
•  Where was the API call made from?
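A triage pass that pulls the five answers above out of CloudTrail records and flags the calls a reviewer should look at first: calls from outside the office ranges used in the IP-address Condition, use of root, and console logins without MFA. This is an added example, not AWS tooling; the records, account id and ranges are constructed, and "resources" is approximated by walking requestParameters for common id keys, since a record has no single resource field.

```python
import ipaddress

# Constructed CloudTrail records (not real log data) in the shape of the
# "Records" array CloudTrail writes to S3; the account id is a placeholder.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventTime": "2014-05-20T01:02:03Z",
     "eventSource": "route53.amazonaws.com", "eventName": "ChangeResourceRecordSets",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"hostedZoneId": "ZONEID"}},
    {"eventID": "e2", "eventTime": "2014-05-20T01:10:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e3", "eventTime": "2014-05-20T02:00:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc1234"}]}}},
]

# The same office ranges used in the IP-address Condition earlier in the deck.
OFFICE_CIDRS = ["192.0.2.0/24", "203.0.113.0/24"]

# Keys that usually name the thing acted upon; extend for the services you run.
RESOURCE_KEYS = {"hostedZoneId", "instanceId", "bucketName", "roleName",
                 "userName", "groupId", "dBInstanceIdentifier"}


def resources(record, limit=5):
    """CloudTrail has no single resource field, so walk requestParameters for
    well-known id keys, nested structures included."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in RESOURCE_KEYS and isinstance(value, str):
                    found.append(f"{key}={value}")
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(record.get("requestParameters") or {})
    return found[:limit]


def summarize(record):
    """Answer who / when / what / which resources / where for one call."""
    ident = record.get("userIdentity", {})
    return {
        "who": ident.get("userName") or ident.get("arn") or ident.get("type", "unknown"),
        "when": record["eventTime"],
        "what": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "resources": resources(record),
        "where": f'{record["sourceIPAddress"]} ({record.get("awsRegion", "?")})',
    }


def triage(records, allowed_cidrs=OFFICE_CIDRS):
    """Return (eventID, [reasons]) for records a reviewer should look at."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for rec in records:
        reasons = []
        source = rec.get("sourceIPAddress", "")
        try:
            if not any(ipaddress.ip_address(source) in n for n in nets):
                reasons.append(f"source {source} outside allowed ranges")
        except ValueError:
            pass  # calls made on your behalf by an AWS service carry a DNS name here
        if rec.get("userIdentity", {}).get("type") == "Root":
            reasons.append("root credentials used")
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            reasons.append("console login without MFA")
        if reasons:
            flagged.append((rec["eventID"], reasons))
    return flagged


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(summarize(rec))
    for event_id, reasons in triage(SAMPLE_RECORDS):
        print(event_id, "->", "; ".join(reasons))
```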
CloudTrail Partners
CloudTrail
•  AWS services now supporting logging of API calls to CloudTrail: Kinesis, Elastic Load Balancing, AWS CloudFormation, Amazon Elastic MapReduce, AWS Elastic Beanstalk, AWS Direct Connect
•  CloudTrail support for API calls in AP-Southeast-2 (Sydney) announced for this month (May 2014).
Support: Trusted Advisor
AWS Premium Support: make Amazon’s security team a part of your security team.
Heartbleed timeline.
•  Disclosed: April 7.
•  1st AWS Security Bulletin: April 7
–  Acknowledgement
•  2nd AWS Security Bulletin: April 8
–  RDS instances being patched
•  3rd AWS Security Bulletin: April 8
–  ELB updating, CloudFront updated; advice to customers
•  4th AWS Security Bulletin: April 8
–  All AWS managed environments updated (or were already OK)
AWS Security Bulletins
•  Visit the web site:
https://aws.amazon.com/security/security-bulletins/
•  Subscribe to the RSS feed:
http://aws.amazon.com/rss/security.rss
Monitor your AWS spend
Billing Alerts
Deep dive on more security… whitepapers on Auditing, Logging, Risk, Compliance and Security:
https://aws.amazon.com/whitepapers/
James’ Summary
1.  Turn on MFA for root and IAM user accounts
2.  Look at IAM Roles for EC2 Instances
3.  Use IP address conditions on Policies
4.  Create a few Billing Alerts
5.  Visit aws.amazon.com/security
6.  Talk to the AWS Solution Architecture Team about security and compliance
Developers…
Please do not check your API credentials into revision control…
…and please don’t check credentials into public revision control (github, bitbucket, etc)
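A pre-commit style check for this plea and for the "remove hard-coded credentials from scripts and config files" step of ProTip #2: scan file contents for access key IDs and for 40-character secrets assigned to a secret-key-looking name, and report them masked so the check itself never echoes a key into CI logs. This is an added example, not an AWS tool; the sample files are constructed and use the placeholder keys from the metadata response shown earlier in the deck.

```python
import re
import sys

# Long-term access key IDs start with AKIA, temporary ones with ASIA; 20 chars total.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret key is 40 base64-ish chars; on its own that is too noisy, so only report
# one assigned to a secret-key-looking name (aws_secret_access_key, SecretAccessKey,
# SECRET_KEY, ...). The lookahead stops a longer blob being cut to 40 chars.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws[_-]?)?secret[_-]?(?:access[_-]?)?key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample "repository" (not real files; the key values are the placeholders
# AWS uses in its own documentation, the same ones shown on the ProTip #2 slide).
SAMPLE_FILES = {
    "config/aws.ini": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "aws s3 sync ./build s3://example-bucket/\n"
    ),
    "app.py": (
        "import boto\n"
        "# credentials come from the instance role; nothing hard-coded here\n"
        "conn = boto.connect_s3()\n"
    ),
}


def mask(secret):
    """Keep four characters either side so a finding can be matched to the
    source without reproducing the whole value."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(path, text):
    """Return one finding per credential-looking value as
    {"file", "line", "kind", "masked"}; the clear value is never stored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": path, "line": lineno,
                             "kind": "access key id", "masked": mask(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"file": path, "line": lineno,
                             "kind": "secret access key", "masked": mask(m.group(1))})
    return findings


def scan_files(files):
    """files maps path -> contents, as a hook would read them from the index."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def is_clean(files):
    return not scan_files(files)


if __name__ == "__main__":
    # Hook usage: pass the staged paths as arguments; a non-zero exit blocks the
    # commit. With no arguments the constructed sample is scanned instead.
    files = {}
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            files[path] = fh.read()
    target = files or SAMPLE_FILES
    for f in scan_files(target):
        print(f'{f["file"]}:{f["line"]}: {f["kind"]} {f["masked"]}')
    sys.exit(0 if is_clean(target) else 1)
```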
Visit the Solution Architecture Team today.
Questions on security: talk to AWS
James Bromberger
jameseb@amazon.com
@JamesBromberger

AWS Summit Auckland 2014 | Understanding AWS Security

  • 1. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. Understanding AWS Security James Bromberger Solutions Architect, Amazon Web Services
  • 2. Agenda •  Our Security •  Your Security –  Account Management (the keys to the kingdom) –  Service Isolation –  Visibility and Auditing
  • 3. Security is our #1 priority
  • 5. AWS •  Facili'es   •  Physical  Security   •  Physical  Infrastructure   •  Network  Infrastructure   •  Virtualiza'on   Infrastructure     •  Operating System •  Application •  Security Groups •  OS Firewalls •  Network Configuration •  Account Management Customer
  • 6. AWS •  Facili'es   •  Physical  Security   •  Physical  Infrastructure   •  Network  Infrastructure   •  Virtualiza'on   Infrastructure     •  Operating System •  Application •  Security Groups •  OS Firewalls •  Network Configuration •  Account Management Customer
  • 7. How does AWS get security? •  Physical access is recorded, videoed •  Multi-factor authentication for physical access •  Segregation of duties: staff with physical access versus staff with logical access •  And every 90 days…
  • 8. How does AWS get security?
  • 9. How does AWS get security?
  • 10. Prove what AWS does! •  Certifications •  Audits & Attestations –  Independent 3rd parties –  Regularly refreshed –  Available to customers aws.amazon.com/compliance
  • 11. Certifications & Accreditations for Workloads That Matter
  • 12. What does AWS do for its security? November 2013 60 pages freely available aws.amazon.com/security/
  • 13. AWS: •  Facilities •  Physical Security •  Physical Infrastructure •  Network Infrastructure •  Virtualization Infrastructure. Customer: •  Operating System •  Application •  Security Groups •  OS Firewalls •  Network Configuration •  Account Management
  • 15. Identity and Access Management •  Users & Groups
  • 16. Identity and Access Management •  Users & Groups •  Unique Security Credentials
  • 17. Identity and Access Management •  Users & Groups •  Unique Security Credentials •  Temporary Security Credentials
  • 18. Identity and Access Management •  Users & Groups •  Unique Security Credentials •  Temporary Security Credentials •  Policies & Permissions
  • 19. Identity and Access Management •  Users & Groups •  Unique Security Credentials •  Temporary Security Credentials •  Policies & Permissions •  Roles
  • 20. Identity and Access Management •  Users & Groups •  Unique Security Credentials •  Temporary Security Credentials •  Policies & Permissions •  Roles •  Multi-factor Authentication
  • 21. ProTip #1: Account Security
  • 22. Identity and Access Management 1.  Secure your Master account with MFA 2.  Create an IAM Group for your Admin team 3.  Create IAM Users for your Admin staff, as members of your Admin group 4.  Turn on MFA for these users!
  • 24. EC2 Roles for Temporary Credentials •  Remove hard-coded credentials from scripts and config files •  Create an IAM Role and assign restricted policy •  Launch instance into Role •  AWS SDKs transparently get temporary credentials
    GET http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
    { "Code" : "Success", "LastUpdated" : "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }
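The metadata response on slide 24 is only half the story: the credentials it returns expire and are rotated, so code that reads them once and caches them forever will start failing with signature errors hours later. The block below is an added example (not code from the deck or from the AWS SDKs) that parses that JSON, fails closed when the role has no credentials, and refreshes a few minutes before the Expiration timestamp. The sample response is constructed from the slide's own documentation placeholder values; RoleCredentialCache, REFRESH_MARGIN and the injected fetch/clock callables are names chosen for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the metadata response on the slide.  The key
# values are AWS's published documentation placeholders, not usable credentials.
SAMPLE_METADATA_RESPONSE = """{
  "Code" : "Success",
  "LastUpdated" : "2012-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2012-04-27T22:39:16Z"
}"""

# Re-fetch this long before expiry so a request in flight never signs with
# credentials that the role has already rotated away (margin chosen for the example).
REFRESH_MARGIN = timedelta(minutes=5)


def parse_metadata_timestamp(value):
    """Parse the ISO-8601 UTC timestamps the metadata service returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_instance_credentials(body):
    """Turn the metadata JSON into an access key, secret key, session token and expiry.

    Fails loudly when the role has no credentials ("Code" is not "Success") so a
    caller never silently continues with empty keys.
    """
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError("instance role credentials unavailable: %s" % doc.get("Code"))
    return {
        "access_key": doc["AccessKeyId"],
        "secret_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],  # must accompany every request signed with these keys
        "expiration": parse_metadata_timestamp(doc["Expiration"]),
    }


def needs_refresh(creds, now):
    """True once the cached credentials are within REFRESH_MARGIN of expiring."""
    return now >= creds["expiration"] - REFRESH_MARGIN


class RoleCredentialCache:
    """Caches role credentials and re-fetches them only when they are about to expire.

    `fetch` returns the metadata JSON text; on a real instance it would be an HTTP GET of
    http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>.
    `clock` returns the current aware datetime and is injectable so the rotation
    logic can be exercised without waiting hours.
    """

    def __init__(self, fetch, clock):
        self._fetch = fetch
        self._clock = clock
        self._creds = None
        self.fetch_count = 0

    def get(self):
        if self._creds is None or needs_refresh(self._creds, self._clock()):
            self._creds = parse_instance_credentials(self._fetch())
            self.fetch_count += 1
        return self._creds


if __name__ == "__main__":
    creds = parse_instance_credentials(SAMPLE_METADATA_RESPONSE)
    print("access key %s expires %s" % (creds["access_key"], creds["expiration"].isoformat()))
```

The AWS SDKs do this refresh for you, which is the point of slide 24; the example exists so that anyone hand-rolling a client (a shell script, an unusual language) copies the refresh-before-expiry behaviour rather than reading the keys once at boot.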
  • 25. ProTip #3: Least Privilege Policies
  • 26. IAM Policies
    "Action" : [ "route53:List*", "route53:Get*", "route53:ChangeResourceRecordSets" ]
    "Resource" : [ "arn:aws:route53:::hostedzone/ZONEID" ]
  • 27. IAM Policies Use Conditions to restrict key exposure
    "Condition" : { "IpAddress" : { "aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"] } }
  • 28. ProTip #4: Test Your Policies
  • 29. Identity and Access Management •  Test your policies in the Policy Simulator!
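Slides 26, 27 and 29 together describe a loop: write the narrowest policy that does the job, bolt a source-IP condition onto it, then test it. The block below is an added example (not from the deck and not the IAM engine) that writes the Route 53 policy out as a complete document and evaluates requests against it offline with a deliberately simplified model of IAM's rules: explicit Deny wins, a matching Allow grants, anything else is an implicit deny, and a missing aws:SourceIp fails closed. It only models the IpAddress and NotIpAddress operators that the slides use; ZONEID stays a placeholder, and the function names are chosen for this example. The real Policy Simulator remains the authority on what IAM will actually do.

```python
import ipaddress
import re

# The Route 53 least-privilege policy from the slides, as a full policy document.
# ZONEID stands in for a real hosted zone id.
ROUTE53_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["route53:List*", "route53:Get*", "route53:ChangeResourceRecordSets"],
        "Resource": ["arn:aws:route53:::hostedzone/ZONEID"],
        "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _ip_in(cidrs, source_ip):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(condition, context):
    """Every operator and key must hold (conditions are ANDed).  A key missing from
    the request context fails closed, which is how IAM treats IpAddress."""
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError("operator %s is not modelled in this example" % operator)
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress" and not _ip_in(expected, actual):
                return False
            if operator == "NotIpAddress" and _ip_in(expected, actual):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified IAM evaluation: an explicit Deny always wins, any matching Allow
    grants, and a request matched by no statement is implicitly denied.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wildcard_match(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    zone = "arn:aws:route53:::hostedzone/ZONEID"
    for src in ("192.0.2.10", "198.51.100.7"):
        print(src, evaluate(ROUTE53_POLICY, "route53:ChangeResourceRecordSets", zone,
                            {"aws:SourceIp": src}))
```

Running the same request from inside and outside the allowed ranges is the quickest way to see what the condition buys you: a leaked key only works from the office or CI address space, which is exactly the "restrict key exposure" point of slide 27.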
  • 30. Secure your data in flight
  • 31. Secure your data in flight Credentials for talking to AWS APIs via REST: •  ACCESS KEY –  An identifier •  SECRET KEY –  Used to sign requests –  Shouldn’t traverse the network again •  Not retrievable from AWS again – you lose it, generate a new pair
  • 32. Secure your data in flight Use SSL / TLS for all your traffic, just like you do for your API access ProTip #5: Validate the SSL Certificate!
  • 33. Secure your data in flight SSL offload to the Elastic Load Balancing Service
  • 34. Secure your data in flight •  RDS connections can be encrypted –  Get Public Key from AWS: https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem
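"Validate the SSL Certificate" (slide 32) is the step most often skipped, because turning verification off makes a connection error disappear. The block below is an added example, not code from the deck, showing the weak client configuration beside the correct one in Python's standard ssl module: the insecure context encrypts but accepts any certificate, while the verified context checks the chain and the hostname and can be pointed at a specific CA bundle such as the RDS CA file from slide 34. The function names and the ca_file parameter are chosen for this example; no network connection is made unless open_verified is called.

```python
import socket
import ssl


def insecure_context():
    """The setting to avoid.  Traffic is encrypted but the peer is never authenticated,
    so any certificate, including one presented by a party intercepting the
    connection, is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_file=None):
    """The correct setting.  Validate the chain against the system trust store, or
    against a specific CA bundle (for example the RDS CA certificate downloaded from
    AWS), and require the certificate to match the hostname we asked for."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_verifying(ctx):
    """A context only counts as safe when both the chain and the hostname are checked;
    either one alone still leaves an interception undetected."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_verified(host, port=443, ca_file=None, timeout=10):
    """Open a TLS connection that raises ssl.SSLError on a bad chain or a hostname
    mismatch instead of silently carrying on."""
    ctx = verified_context(ca_file)
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)
```

For an RDS MySQL endpoint the same idea applies with the database driver's own TLS options: pass the downloaded CA file as the trust anchor and insist on verification of the server certificate rather than only on encryption.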
  • 35. Secure your data at rest
  • 36. Secure your data at rest •  Use encrypted file systems on EBS and Storage Gateway –  dm-crypt/LUKS –  Windows BitLocker –  Windows EFS (file level) –  Products from Partners: Trend, Safenet, etc •  In your database –  RDS Oracle & SQL Server – Transparent Data Encryption •  Object Level into S3
  • 37. Secure your data at rest Redshift •  By Default: –  Full disk encryption –  Uses SSL to talk to S3 •  Optionally you can: –  Set S3 backups to be encrypted –  Limit S3 bucket access –  Connect using SSL –  Run within VPC –  Use CloudHSM key store –  Backup access logs to S3 •  Redshift retains 1 week
  • 38. Secure your data at rest CloudHSM: Hardware Security Modules in the cloud •  Single Tenancy •  Private key material never leaves the HSM •  AWS provisioned, customer managed
  • 39.
  • 41. Isolate your services Virtual Private Cloud •  Security Groups –  Don’t use 0.0.0.0/0 •  Subnet separation of instances with: –  Network ACLs, and IAM policy to prevent changes –  Routing tables, and IAM policy to prevent changes –  No Internet Gateway, and IAM policy to prevent changes
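"Don't use 0.0.0.0/0" on slide 41 is easy to state and easy to violate one rule at a time, so it is worth checking mechanically. The block below is an added example, not code from the deck or the AWS tooling, that audits a list of security groups in the shape EC2's DescribeSecurityGroups returns: it reports every ingress rule open to the whole Internet (IPv4 0.0.0.0/0 or IPv6 ::/0), tolerating only single ports you have deliberately chosen to serve publicly. The group ids, names and rules are constructed for the example, and PUBLIC_SERVICE_PORTS is a name chosen here.

```python
import ipaddress

# Constructed sample in the shape of an EC2 DescribeSecurityGroups result; the
# group ids and names are made up for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0aaa0002", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa0001"}]},
    ]},
    {"GroupId": "sg-0aaa0003", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]

# Ports deliberately served to the whole Internet; anything else reachable from
# 0.0.0.0/0 or ::/0 is reported.
PUBLIC_SERVICE_PORTS = {80, 443}


def world_open_cidrs(rule):
    """Return the CIDRs in a rule that cover every address (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def port_range(rule):
    """Protocol -1 means every protocol and port.  A missing or -1 FromPort (as on
    ICMP rules) is treated as the full range so it is never under-reported."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    return (0, 65535) if lo == -1 else (lo, hi)


def audit_security_groups(groups, allowed_public_ports=PUBLIC_SERVICE_PORTS):
    """Flag ingress rules open to the world.  A single allowed public port passes;
    any other port, any port range, or all protocols is a finding."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            cidrs = world_open_cidrs(rule)
            if not cidrs:
                continue
            lo, hi = port_range(rule)
            if rule["IpProtocol"] == "-1":
                severity = "CRITICAL"
            elif lo == hi and lo in allowed_public_ports:
                continue
            else:
                severity = "HIGH"
            findings.append({
                "group": group["GroupId"], "name": group["GroupName"],
                "protocol": rule["IpProtocol"], "ports": (lo, hi),
                "open_to": cidrs, "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print("%(severity)s %(group)s (%(name)s) %(protocol)s %(ports)s open to %(open_to)s" % f)
```

The same logic pairs naturally with the "IAM policy to prevent changes" bullets on slide 41: once the groups are clean, a policy that denies AuthorizeSecurityGroupIngress to everyone but the network team keeps them that way, and a scheduled run of an audit like this catches anything that slips through.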
  • 42. Isolate your services One application per instance •  Simplify forensics •  Simplify Security Groups •  Swim-lane capacity overloads •  Limit blast radius
  • 44. VPC Peering •  Connect two VPCs in the same Region –  No IP address conflicts •  Bridged by routing table entries (both sides of peering relationship) •  Offer & Accept model: Customer A initiates peer to B; Customer B receives request from A
  • 45. Log (& review) your API calls
  • 46. CloudTrail Your staff or scripts make calls… on AWS API endpoints… CloudTrail logs this to an S3 bucket… so you can review this log
  • 47. CloudTrail •  Who made the API call? •  When was the API call made? •  What was the API call? •  What were the resources that were acted upon in the API call? •  Where was the API call made from?
  • 49. CloudTrail •  More AWS services now support logging API calls to CloudTrail: Kinesis, Elastic Load Balancing, AWS CloudFormation, Amazon Elastic MapReduce, AWS Beanstalk, AWS DirectConnect •  CloudTrail support for API calls in AP-Southeast-2 – Sydney – announced for this month (May 2014).
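Slide 45 says "Log (& review) your API calls", and slide 47 lists the five questions every CloudTrail record answers. The block below is an added example, not code from the deck, that reads a CloudTrail log file, answers those five questions per record, and flags the records a reviewer would want to see first: root credentials in use, calls from outside the expected address ranges, and calls that change who can do or reach what. The three records, the account id, user names, group id and address ranges are all constructed for the example, and TRUSTED_CIDRS and SENSITIVE_EVENTS are names and starting lists chosen here rather than anything AWS defines.

```python
import ipaddress
import json

# Constructed sample in the shape of a CloudTrail log file.  The account id, user
# names, group id and addresses are made up for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.01", "eventTime": "2014-05-20T01:12:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventVersion": "1.01", "eventTime": "2014-05-20T03:40:51Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"groupId": "sg-0aaa0001", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventVersion": "1.01", "eventTime": "2014-05-20T04:02:17Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "ap-southeast-2", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": None},
]})

# Address ranges API calls are expected from (office, CI); constructed for the example.
TRUSTED_CIDRS = ["192.0.2.0/24", "203.0.113.0/24"]

# Calls that change who can do what, or who can reach what.  A starting list, not
# an exhaustive one.
SENSITIVE_EVENTS = {"CreateUser", "CreateAccessKey", "PutUserPolicy", "AttachUserPolicy",
                    "AuthorizeSecurityGroupIngress", "DeleteTrail", "StopLogging"}


def load_records(text):
    return json.loads(text)["Records"]


def summarize(rec):
    """Answer the slide's five questions (who, when, what, which resources, where)."""
    ident = rec["userIdentity"]
    who = ident.get("userName") or ident.get("arn") or ident["type"]
    return {"who": who,
            "when": rec["eventTime"],
            "what": "%s:%s" % (rec["eventSource"].split(".")[0], rec["eventName"]),
            "resources": rec.get("requestParameters") or {},
            "where": rec["sourceIPAddress"]}


def _from_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # calls made by AWS services on your behalf carry a service name here
    return any(addr in ipaddress.ip_network(c) for c in TRUSTED_CIDRS)


def review(records):
    """Return (summary, reasons) for every record that deserves a human look."""
    flagged = []
    for rec in records:
        reasons = []
        if rec["userIdentity"]["type"] == "Root":
            reasons.append("root credentials used")
        if not _from_trusted(rec["sourceIPAddress"]):
            reasons.append("call from untrusted address")
        if rec["eventName"] in SENSITIVE_EVENTS:
            reasons.append("sensitive API call")
        if reasons:
            flagged.append((summarize(rec), reasons))
    return flagged


if __name__ == "__main__":
    for summary, reasons in review(load_records(SAMPLE_TRAIL)):
        print(summary["when"], summary["who"], summary["what"], "from", summary["where"], "-", "; ".join(reasons))
```

In practice the records come from the gzipped JSON files CloudTrail writes to your S3 bucket; the review function is the same, and the second sample record shows why the review is worth automating: a root login from an unfamiliar address opening port 22 to the world is three separate reasons to pick up the phone.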
  • 51.
  • 52. AWS Premium Support: make Amazon’s security team a part of your security team.
  • 53.
  • 54. Heartbleed timeline. •  Disclosed: April 7. •  1st AWS Security Bulletin: April 7 –  Acknowledgement •  2nd AWS Security Bulletin: April 8 –  RDS instances being patched •  3rd AWS Security Bulletin: April 8 –  ELB updating, CloudFront updated; advice to customers •  4th AWS Security Bulletin: April 8 –  All AWS managed environments updated (or were already OK)
  • 55. AWS Security Bulletins •  Visit the web site: https://aws.amazon.com/security/security-bulletins/ •  Subscribe to the RSS feed: http://aws.amazon.com/rss/security.rss
  • 58. Deep dive on more security…
  • 60. James’ Summary 1.  Turn on MFA for root and IAM user accounts 2.  Look at IAM Roles for EC2 Instances 3.  Use IP address conditions on Policies 4.  Create a few Billing Alerts 5.  Visit aws.amazon.com/security 6.  Talk to the AWS Solution Architecture Team about security and compliance
  • 61. Developers… Please do not check your API credentials into revision control… …and please don’t check credentials in to public revision control (github, bitbucket, etc)
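The plea on slide 61 can be enforced rather than just hoped for. The block below is an added example, not from the deck or any AWS tool, of the check a pre-commit hook would run over the files about to be committed: it reports lines containing an AWS access key id (the AKIA prefix followed by 16 upper-case alphanumerics) and any 40-character secret being assigned to a name that looks like a secret key. The sample file tree is constructed, using the deck's own documentation placeholder key values, and the function names are chosen for this example.

```python
import re

# An AWS access key id is 'AKIA' plus 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
# A secret access key is 40 base64 characters.  Only report one being assigned to a
# secret-looking name, so arbitrary 40-character strings (hashes, tokens) stay quiet.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Constructed sample tree: path -> content.  The key values are AWS's documentation
# placeholders, not real credentials.
SAMPLE_FILES = {
    "settings/prod.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"),
    "app.py": "import boto\nconn = boto.connect_s3()  # keys come from the instance role\n",
    "README": "Export AWS_ACCESS_KEY_ID in your shell before running the tests.\n",
}


def scan_text(path, text):
    """Return (path, line number, kind) for every credential-looking value in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((path, lineno, "access key id"))
        if SECRET_KEY_RE.search(line):
            findings.append((path, lineno, "secret access key"))
    return findings


def scan_files(files):
    """Scan a mapping of path -> content, for example the files staged for a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def precommit_ok(files):
    """Gate for a pre-commit hook: refuse the commit when anything was found."""
    return not scan_files(files)


if __name__ == "__main__":
    for path, lineno, kind in scan_files(SAMPLE_FILES):
        print("%s:%d: possible %s" % (path, lineno, kind))
    print("commit allowed" if precommit_ok(SAMPLE_FILES) else "commit blocked")
```

The README line mentions the variable name but carries no value, so it is correctly ignored; app.py is the pattern slide 24 recommends, where the code never sees a key at all. A key that does get committed should be treated as leaked and rotated, since revision history is rarely rewritten everywhere it has been cloned.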
  • 62. Visit the Solution Architecture Team today. Questions on security: talk to AWS James Bromberger jameseb@amazon.com @JamesBromberger