AWS Webinar CZSK 02 Bezpecnost v AWS cloudu

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nazar Špak, Territory Manager, AWS
Vladimír Šimek, Senior Solutions Architect, AWS
Bezpečnost v AWS cloudu

Housekeeping
• Taget audience
• Presentation about 45 minutes
• Slides in English – talk in Czech & Slovak
• Not a legal advisory (GDPR, Compliance)
• Post questions online – response via chat window and
email

Agenda
• Shared Responsibility Model
• Compliance and GDPR
• Global Infrastructure and Security
• AWS Security Solutions
• Security Best Practices
• Partners presentation – F5 Networks & Alef
• Resources

Shared Responsibility Model

Familiar Security
Model
Validated and driven by
customers’ security experts
Benefits all customers
PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL
Security is Job Zero

Foundation Services
Compute Storage Database Networking
Infrastructure
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Traditional On-Premise Security Model
Customers are
responsible for
end-to-end security
in their on-premise
data centers

Foundation Services
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Customer content
AWS Security Model when using IaaS (e.g. EC2 instances)
AWS Global
Infrastructure
Regions
Availability Zones
Edge Locations
Customer’s
responsibility
AWS takes over
responsibility from
customers

Foundation Services
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Customer content
AWS Security Model when using PaaS (managed services)
AWS Global
Infrastructure
Regions
Availability Zones
Edge Locations
Customer’s
responsibility
AWS takes over
responsibility from
customers

AWS
•Facilities
•Physical Security
•Physical Infrastructure
•Network Infrastructure
•Virtualization Infrastructure
Operating System
Application
Security Groups
OS Firewalls
Network Configuration
Account Management
Customer

How does AWS get security?
Locations in nondescript, undisclosed
facilities
Segregation of duties: staff with physical
access versus staff with logical access
24/7 trained security guards
Physical access is recorded, videoed,
stored, reviewed
Multi-factor authentication for physical
access
And every 90 days…

How does AWS get security?

Third party access
Subcontractor Access
We proactively inform our customers of any subcontractors who have access to
customer-owned data you upload onto AWS, including data that may contain personal
data.
Effective date: 15 May 2018
Subcontractors authorized by AWS to access any customer-owned data that you upload
onto AWS are the following: None!
At least 30 days before we authorize and permit any new subcontractor to access any customer-owned data, AWS will
update this website to inform customers.
https://aws.amazon.com/compliance/third-party-access/

This
To This
Security processes

AWS Global Infrastructure
New Region (coming soon)
Region & Number
of Availability Zones

Prove it!
Accreditations and Certifications

Prove what AWS does!
Certifications
Audits & Attestations
• Independent 3rd parties
• Regularly refreshed
• Available to customers
https://aws.amazon.com/compliance/

Key AWS Certifications and Assurance Programs

GDPR
AWS services comply with the General Data Protection Regulation
(GDPR) and has in place effective technical and organizational
measures for data processors to secure personal data in
accordance with the GDPR.
Customers can deploy AWS services as a key part of their GDPR
compliance plans and use numerous AWS services.
• Amazon GuardDuty – a security service featuring intelligent
threat detection and continuous monitoring
• Amazon Macie – a machine learning tool to assist discovery
and securing of personal data stored in Amazon S3
• Amazon Inspector – an automated security assessment
service to help keep applications in conformity with best
security practices
• AWS Config Rules – a monitoring service that dynamically
checks cloud resources for compliance with security rule
More Info: https://aws.amazon.com/compliance/gdpr-center/

AWS Security
Features & Solutions

In June 2015, IDC released a report which found that most customers
can be more secure in AWS than their on-premises environment. How?
Automating logging
and monitoring
Simplifying
resource access
Making it easy to
encrypt properly
Enforcing strong
authentication
AWS can be more secure than your existing
environment

Private Subnets
Within Your AWS Virtual Private Cloud (VPC)

Virtual Private Cloud (VPC)

Built-in Firewalls
You Control Access to Your Instances

HTTP
Ports 80 and 443 only
open to the Internet
SSH/RDP
Engineering staff have SSH/RDP
access to Bastion Host
AWS Multi-Tier Security Groups
Bastion
All other internet ports blocked by default

Dedicated Connection
with Direct Connect

CORP
Customer
Routers
Colocation
DX Location PRG / VIE
`
AWS Direct
Connect Routers
Direct Connect

Security has to be visible
Monitoring & Logging

AWS CloudTrail records who is accessing APIs
Store/archive
Central logging account
Troubleshoot
Monitor & alarm
AWS accounts
make API call
On a growing set of
AWS services around
the world..
CloudTrail is
continuously
recording API
calls
Amazon
EBS

AWS CloudTrail log
Who? When? What? Where to? Where from?
Bill 3:27pm Launch Instance us-west-2 72.21.198.64
Alice 8:19am Added Bob to
admin group
us-east-1 127.0.0.1
Steve 2:22pm Deleted
DynamoDB table
eu-west-1 205.251.233.176

AWS CloudWatch
Monitoring services for AWS Resources and AWS-based Applications.
Monitor and Store Logs
Set Alarms (react to changes)
View Graphs and Statistics
Collect and Track Metrics
What does it do?
How can you use it?
React to application log events and availability
Automatically scale EC2 instance fleet
View Operational Status and Identify Issues
Monitor CPU, Memory, Disk I/O, Network, etc.
CloudWatch Logs / CloudWatch Events
CloudWatch Alarms
CloudWatch Dashboards
CloudWatch Metrics

AWS Config
Managed service for tracking AWS inventory and configuration, and configuration
change notification.
AWSConfig
EC2
VPC
EBS
CloudTrail
Change
Management
Audit
Compliance
Security
Analysis
Troubleshooting Discovery

AWS Config informs you of policy violations
Compliance
Guideline
Non-compliance
Action
All storage
volumes should
be encrypted
Automatically
encrypt storage
volumes
Instances must
not have
unrestricted
Internet access
on Port 22
Remove Port 22
access from any
Internet host
Instances must
be tagged with
environment type
Notify developer
(email, pager,
SMS) Pre-configured rules:
https://github.com/awslabs/aws-config-rules

Authentication and
Authorization

Identity and Access Management
Authentication and Authorization

Authenticate
1. IAM Username/Password
2. Access Key (+ MFA)
3. Federation
Authorize
IAM Policies
ACCESS KEY ID
Ex: AKIAIOSFODNN7EXAMPLE
SECRET KEY
Ex: UtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Top 10 IAM best practices
1. Users – Create individual users
2. Permissions – Grant least privilege
3. Groups – Manage permissions with groups
4. Conditions – Restrict privileged access further with conditions
5. Password – Configure a strong password policy
6. Rotate – Rotate security credentials regularly
7. MFA – Enable MFA for privileged users
8. Sharing – Use IAM roles to share access
9. Roles – Use IAM roles for Amazon EC2 instances
10. Root – Reduce or remove use of root

Encryption at Rest

Client-side encryption
• You encrypt your data before data submitted to service
• You supply encryption keys OR use keys in your AWS account
Server-side encryption
• AWS encrypts data on your behalf after data is received by service
• 19 integrated services including S3, Snowball, EBS, RDS, Amazon Redshift,
WorkSpaces, Amazon Kinesis Firehose, CloudTrail
Options for using encryption in AWS

AWS Key Management Service
Encryption
Whitepaper:
https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf

AWS Key Management Service (AWS KMS)
• Managed service that simplifies creation, control, rotation, deletion, and use of encryption keys in your applications
• Integrated with 19 AWS services for server-side encryption
• Integrated with CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
• Available in all commercial regions except China
• Integrated with AWS Identity and Access Management (IAM) console:

Bring Your Own Key
• You control how master keys are generated
• You store the master copy of the keys
• You import the key into KMS and set an optional expiration time in the future
• You can use imported keys with all KMS-integrated services
• You can delete and re-import the key at any time to control when AWS can use it to
encrypt/decrypt data on your behalf
• Works with standards-based key management infrastructure, including SafeNet Gemalto
and Thales e-Security

AWS CloudHSM
Encryption
Whitepaper:
https://d1.awsstatic.com/whitepapers/Security/security-of-aws-cloudhsm-backups.pdf

What is HSM?
• Tamper-Proof and Tamper-Evident (Destroys its stored
keys if under attack)
• FIPS 140-2 Level 2 certified
• Base position is to be a keystore
• Can also be used to timestamp documents
• You can send data for encrypt / decrypt
• Needs to be backed-up (ideally to HSM on customer
premises)
• Can be (and should) be combined in HA clusters
• Is NOT a key management system

AWS CloudHSM
• You receive dedicated access to HSM appliances
• HSMs located in AWS data centers
• Managed and monitored by AWS
• Only you have access to your keys and operations on the keys
• HSMs are inside your Amazon VPC—isolated from the rest of
the network
• Uses Gemalto SafeNet Luna SA HSM appliances
• CloudHSM (and HSMs in general) aren’t for everyone
 Customers need trained staff, tight operational practice
Amazon VPC

Security Best Practices

AWS security best practices
1. Understand Shared Responsibility model implications to your security processes
2. Understand which AWS services have HA built in and which you have to set up
yourself
3. Manage AWS Accounts, IAM Users, Groups and Roles in-line with IAM best
practices (see IAM section)
4. Use bastion hosts for managing EC2 instances
5. Encrypt your data (at rest & in transit)
6. Secure your OS, Applications & Network
7. Use Logging, Monitoring & Alerting (CloudTrail, CloudWatch, VPC Flow Logs, etc.)
8. Double check which data on S3 you want to make public
9. Don’t keep your Access Key & Secret Key in a code you push to public repositories
(GitHub, GitLab, Bitbucket, ... )

AWS Trusted Advisor
Leverage Trusted Advisor to analyze your AWS resources for best practices for
availability, cost, performance and security.

AWS Security Partners

Infrastructure
Security
Logging &
Monitoring
Identity &
Access Control
Configuration &
Vulnerability
Analysis
Data
Protection
AWS Security Partners

lubos@f5.com | +421 908 755152 |
@lklokner

DNS
UAC
WAF
Acceleration
ADC
VDI WEBAPPS
FW
• ICSA Certified
• ACL’s
• IP Intelligence
• IP Lists
• DoS
Protections
DNS
• Business Continuity
• GSLB
• DNS Security /
Services
• DNS Firewall
WAF
• L7 Firewall
• BOT Detection
• Anomaly Detection
• Credential Stuffing
• Client Fingerprinting
• L7 DoS Mitigation
• PCI Compliance
UAC
• Remote Access
• Pre-Authentitacion
• Multi-factor/SSO/Federation
• End Point Inspection
ADC
• SLB
• Application
Awareness
• Full Proxy
• SSL/TLS Offload /
Visibility
• Traffic
modification
Acceleration
• TCP Optimisation
• Caching/Compressio
n
• End User
Experience
• HTTP/2
FW
Users Customers Attackers
BIG-IPVE VIPRION
High Performance Services Fabric
Managemen
t
• iRules
• iControl
• iCall
• iApps
• SDx
• Cloud

50
150
25 60
5
55
4,5 mld Kč roční obrat
300 zaměstnanců

Vždy ty
nejvyšší
úrovně
partnerství…

Proč je vlastně
F5 takové téma?

27,7 aplikací na
zaměstnance
200 aplikací na
korporaci
uživatelé
různí
8,5 aplikace
dopoledne

Nelze přenášet
jednotný obsah

Výzva Problém Řešení
FIRMA VYRÁBĚJÍCÍ KOSMETIKU
Cloud Bezpečnost, load
balancing, SSO
F5 LTM, ASM, APM

Michal Motyčka
BDM F5
michal.motycka@alef.com
702 118 531

Resources

AWS Security Center
Comprehensive security portal to provide a variety of security notifications, information and documentation.
Security Whitepapers
• Overview of Security Process
• AWS Risk and Compliance
• AWS Security Best Practices
Security Bulletin
Security Resources
Vulnerability Reporting
Penetration Testing
Requests
Report Suspicious Emails
http://aws.amazon.com/security

AWS Compliance
List of compliance, assurance programs and resources:
http://aws.amazon.com/compliance/

GDPR
AWS GDPR center
http://aws.amazon.com/compliance/gdpr-center/

AWS Security Blog
Subscribe to the blog – it’s a great way to stay up-to-date on
AWS security and compliance.
Security Resources
Developer Information, Articles and Tutorials, Security
Products, and Whitepapers
http://aws.amazon.com/security/security-resources/ http://blogs.aws.amazon.com/security/

Děkujeme za pozornost!
nazaspak@amazon.com
vladsim@amazon.com

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS Webinar CZSK 02 Bezpecnost v AWS cloudu

Similar to AWS Webinar CZSK 02 Bezpecnost v AWS cloudu (20)

More from Vladimir Simek

More from Vladimir Simek (18)

Recently uploaded

Recently uploaded (20)

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu