AWS Security & Compliance

Security and Compliance in AWS, Warsaw. Tomasz Stachlewski, AWS Solutions Architect, [email protected]

Uploaded by: amazon-web-services

Posted on 06-Jan-2017

Category: Technology

TRANSCRIPT

Page 1: AWS Security & Compliance

Security and Compliance in AWS

Warsaw

Tomasz Stachlewski, AWS Solutions Architect
[email protected]

Page 2: AWS Security & Compliance

Topics to discuss

1. AWS Shared Responsibility Model
2. Where is my data?
3. Infrastructure security
4. Identity and access management
5. Encryption
6. Configuration management

Page 3: AWS Security & Compliance

Rob Alexander, Capital One's CIO

"The financial service industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers."

Page 4: AWS Security & Compliance

Security Benefits from Community Network Effect

(diagram: partner ecosystem and customer ecosystem; everyone benefits)

Page 5: AWS Security & Compliance

AWS
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure

Customer
• Operating System
• Application
• Security Groups
• OS Firewalls
• Network Configuration
• Account Management

Shared Responsibility
Let AWS do the heavy lifting
Focus on what’s most valuable to your business

Page 6: AWS Security & Compliance

Shared Responsibility: Infrastructure Services

Amazon EC2, Amazon EBS, Amazon VPC

Page 7: AWS Security & Compliance

How does AWS get security?

Page 8: AWS Security & Compliance

AWS Responsibilities: Physical Security of Data Center

• Amazon has been building large-scale data centers for many years.
• Important attributes:
  – Non-descript facilities
  – Robust perimeter controls
  – Strictly controlled physical access
  – Two or more levels of two-factor authentication
• Controlled, need-based access.
• All access is logged and reviewed.
• Separation of Duties
  – Employees with physical access don’t have logical privileges.

Page 9: AWS Security & Compliance
Page 10: AWS Security & Compliance

How does AWS get security?

(figure: "This" → "To This")

Page 11: AWS Security & Compliance

Shared Responsibility: Abstract Services

Such as Amazon S3, Amazon DynamoDB, and Amazon Kinesis

Page 12: AWS Security & Compliance

Choose where to store your data!

AWS Regions: Ireland, EU-CENTRAL (Frankfurt), Sydney, Singapore, Tokyo, Seoul, Beijing, Sao Paulo, N. Virginia, Oregon, N. California, GovCloud

Page 13: AWS Security & Compliance

Be safe!

S3 designed for 99.999999999% durability

(diagram labels: IRELAND, FRANKFURT)

Page 14: AWS Security & Compliance

… never delete it!

Amazon Glacier is a low-cost storage service for archival data with long-term retention requirements.

Non-overwrite, non-erasable records

Page 15: AWS Security & Compliance

You always have full ownership and control

You can choose to keep all your content onshore in any AWS region of YOUR choice:

• Managing your privacy objectives any way that you want
• Keep data in your chosen format and move it, or delete it, at any time you choose
• No automatic replication of data outside of your chosen AWS Region
• Customers can encrypt their content any way they choose

Page 16: AWS Security & Compliance

Amazon EC2 Multiple Layers of Security

Page 17: AWS Security & Compliance

Or maybe no neighbors?

(diagram: instances labelled "ONLY ME!")

Page 18: AWS Security & Compliance

AWS Service Health Dashboard

Page 19: AWS Security & Compliance
Page 20: AWS Security & Compliance
Page 21: AWS Security & Compliance

AWS CloudTrail

• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that were acted upon in the API call?
• Where was the API call made from?

Page 22: AWS Security & Compliance

AWS CloudTrail: web service that records AWS API calls for your account and delivers logs.

Who   | When   | What                     | Where to  | Where from
Bill  | 3:27pm | Launch Instance          | us-west-2 | 72.21.198.64
Alice | 8:19am | Added Bob to admin group | us-east-1 | 127.0.0.1
Steve | 2:22pm | Deleted DynamoDB table   | eu-west-1 | 205.251.233.176
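The table above is what a defender wants to read out of every CloudTrail record. The following is an added example, not part of the slide deck or AWS's own code: it parses a constructed CloudTrail log file (field names follow the documented record format; users, IPs and table names are invented to mirror the slide's table) into the five questions, and flags the privilege change and the destructive call. The HIGH_RISK_EVENTS set is an assumed starting list, not an AWS-provided one.

```python
import json
from datetime import datetime

# Constructed sample log in the CloudTrail delivery format (a "Records" array).
# Field names are the real CloudTrail ones; all values are invented for this example.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({
    "Records": [
        {
            "eventTime": "2017-01-06T15:27:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "awsRegion": "us-west-2",
            "sourceIPAddress": "72.21.198.64",
            "userIdentity": {"type": "IAMUser", "userName": "Bill"},
            "requestParameters": {"instanceType": "t2.micro"},
        },
        {
            "eventTime": "2017-01-06T08:19:00Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "AddUserToGroup",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "127.0.0.1",
            "userIdentity": {"type": "IAMUser", "userName": "Alice"},
            "requestParameters": {"userName": "Bob", "groupName": "admin"},
        },
        {
            "eventTime": "2017-01-06T14:22:00Z",
            "eventSource": "dynamodb.amazonaws.com",
            "eventName": "DeleteTable",
            "awsRegion": "eu-west-1",
            "sourceIPAddress": "205.251.233.176",
            "userIdentity": {"type": "IAMUser", "userName": "Steve"},
            "requestParameters": {"tableName": "orders"},
        },
    ]
})

# Assumed watch-list: privilege changes, destructive calls, and tampering with the trail itself.
HIGH_RISK_EVENTS = {"AddUserToGroup", "DeleteTable", "DeleteTrail", "StopLogging"}


def summarize_record(record):
    """Reduce one CloudTrail record to who / when / what / resources / where to / where from."""
    identity = record.get("userIdentity", {})
    who = identity.get("userName") or identity.get("type", "unknown")
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    params = record.get("requestParameters") or {}
    resources = ", ".join(f"{k}={v}" for k, v in sorted(params.items()))
    return {
        "who": who,
        "when": when.strftime("%H:%M"),
        "what": record["eventName"],
        "resources": resources,
        "where_to": record["awsRegion"],
        "where_from": record["sourceIPAddress"],
        "high_risk": record["eventName"] in HIGH_RISK_EVENTS,
    }


def summarize_log(raw_json):
    """Parse a CloudTrail delivery file and summarize every record in it."""
    return [summarize_record(r) for r in json.loads(raw_json)["Records"]]


def high_risk_events(raw_json):
    """Only the records a reviewer should look at first."""
    return [s for s in summarize_log(raw_json) if s["high_risk"]]


if __name__ == "__main__":
    for row in summarize_log(SAMPLE_CLOUDTRAIL_LOG):
        flag = "!!" if row["high_risk"] else "  "
        print(f"{flag} {row['who']:6} {row['when']} {row['what']:15} "
              f"{row['where_to']:10} {row['where_from']:16} {row['resources']}")
```

In practice the same summary runs over the gzipped files CloudTrail delivers to S3, or over a CloudWatch Logs subscription; the point of the watch-list is that the two flagged rows (a user added to the admin group, a table deleted) are exactly the ones the slide's table singles out.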

Page 23: AWS Security & Compliance

CloudWatch Logs: Centralize Your Logs

• Send existing system, application, and custom log files to CloudWatch Logs via our agent, and monitor these logs in near real-time.
• This can help you better understand and operate your systems and applications, and you can store your logs using highly durable, low-cost storage for later access.

Page 24: AWS Security & Compliance

AWS Config: Continuous Change Recording

(diagram: changing resources → AWS Config)

Page 25: AWS Security & Compliance

AWS Config: Continuous Change Recording

(diagram: changing resources → AWS Config → Snapshot (ex. 2014-11-05) and History)

Page 26: AWS Security & Compliance

Amazon Virtual Private Cloud (VPC)

VPC:
• Logical isolation of the Amazon Web Services (AWS) Cloud
• Complete control of your virtual networking environment

Page 27: AWS Security & Compliance

Amazon Virtual Private Cloud (VPC)

Security Control:
• Security Groups and Network Access Control Lists – native AWS firewalls – control who has access to the servers.
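Security groups and network ACLs are both firewalls, but they behave differently: a security group is stateful and allow-only, while a network ACL is stateless and evaluates numbered allow/deny rules in order. The following is an added example, not part of the slide deck or of AWS's own code, that models those two behaviours over constructed rules and packets (documentation-range addresses, an invented web server at 10.0.1.10). It is a simplified model: it ignores security-group references, ICMP, and protocol numbers.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str
    direction: str  # "inbound" or "outbound", relative to the instance


@dataclass(frozen=True)
class Rule:
    cidr: str
    proto: str
    port_from: int
    port_to: int
    action: str = "allow"  # NACL rules may be "deny"; security group rules are always "allow"
    number: int = 0        # NACL evaluation order; ignored by security groups

    def matches(self, pkt: Packet) -> bool:
        # A rule describes the remote side: the source of an inbound packet, the destination of an outbound one.
        peer = pkt.src if pkt.direction == "inbound" else pkt.dst
        return (ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr)
                and self.proto in (pkt.proto, "all")
                and self.port_from <= pkt.dst_port <= self.port_to)


def flow_key(pkt: Packet):
    return (pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto)


def reverse_key(pkt: Packet):
    return (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto)


class SecurityGroup:
    """Stateful and allow-only: a reply to an allowed flow needs no rule of its own."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": list(inbound), "outbound": list(outbound)}
        self.tracked = set()  # flows already allowed through

    def permits(self, pkt: Packet) -> bool:
        if reverse_key(pkt) in self.tracked:
            return True
        if any(r.matches(pkt) for r in self.rules[pkt.direction]):
            self.tracked.add(flow_key(pkt))
            return True
        return False  # no matching allow rule: implicit deny


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against numbered rules, first match wins."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def permits(self, pkt: Packet) -> bool:
        for rule in self.rules[pkt.direction]:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False  # the trailing "*" rule: deny


def reaches_instance(pkt: Packet, nacl: NetworkAcl, sg: SecurityGroup) -> bool:
    """Inbound traffic crosses the subnet NACL first, then the instance's security group;
    outbound traffic crosses them in the other order. Both layers must permit the packet."""
    layers = (nacl, sg) if pkt.direction == "inbound" else (sg, nacl)
    return all(layer.permits(pkt) for layer in layers)


def demo():
    web = "10.0.1.10"  # constructed web server address
    sg = SecurityGroup(inbound=[Rule("0.0.0.0/0", "tcp", 443, 443)], outbound=[])
    nacl = NetworkAcl(
        inbound=[Rule("203.0.113.0/24", "tcp", 443, 443, action="deny", number=100),  # blocklisted range
                 Rule("0.0.0.0/0", "tcp", 443, 443, number=200)],
        outbound=[Rule("0.0.0.0/0", "tcp", 1024, 65535, number=100)])  # ephemeral ports for replies
    # Same NACL but without the ephemeral-port rule: a common misconfiguration.
    strict_nacl = NetworkAcl(inbound=nacl.rules["inbound"],
                             outbound=[Rule("0.0.0.0/0", "tcp", 443, 443, number=100)])

    request = Packet("198.51.100.7", 50000, web, 443, "tcp", "inbound")
    reply = Packet(web, 443, "198.51.100.7", 50000, "tcp", "outbound")
    blocked = Packet("203.0.113.5", 50001, web, 443, "tcp", "inbound")
    new_outbound = Packet(web, 40000, "198.51.100.7", 80, "tcp", "outbound")

    results = {
        "https_request_reaches": reaches_instance(request, nacl, sg),
        "reply_reaches_client": reaches_instance(reply, nacl, sg),          # stateful SG lets it back out
        "blocklisted_source_reaches": reaches_instance(blocked, nacl, sg),  # NACL deny wins, SG never consulted
        "new_outbound_without_sg_rule_reaches": reaches_instance(new_outbound, nacl, sg),
    }
    sg2 = SecurityGroup(inbound=[Rule("0.0.0.0/0", "tcp", 443, 443)], outbound=[])
    reaches_instance(request, strict_nacl, sg2)
    results["reply_reaches_with_stateless_nacl_lacking_ephemeral"] = reaches_instance(reply, strict_nacl, sg2)
    return results
```

The last result is the one that catches people: the security group would happily pass the HTTPS reply, but a stateless NACL without an outbound rule for ephemeral ports drops it, so the client sees a hung connection.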

Page 28: AWS Security & Compliance

Amazon Virtual Private Cloud (VPC)

(diagram: VPC servers connected to your DATA CENTER over the Internet or over a Dedicated Connection)

Page 29: AWS Security & Compliance

Identity and Access Management

• Users & Groups
• Unique Security Credentials
• Temporary Security Credentials
• Policies & Permissions
• Roles
• Multi-factor Authentication
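Policies, permissions and MFA come together in how IAM evaluates a request: an explicit Deny always wins, an Allow is needed for anything to succeed, and the default is Deny. The following is an added example, not part of the slide deck or of AWS's own code: a deliberately simplified evaluator that supports only the Bool and BoolIfExists condition operators, run against a constructed developer policy for an invented bucket. It shows the documented pitfall with aws:MultiFactorAuthPresent: the key is absent for requests signed with long-term access keys, so a Deny conditioned with plain Bool does not apply to them, whereas BoolIfExists does. Real IAM also evaluates resource-based policies, permission boundaries and SCPs, which this model omits.

```python
import copy
from fnmatch import fnmatchcase

# Constructed policy: full object access to one bucket, but deletes require MFA.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Same policy with the Deny written so that it also covers requests where the key is absent.
HARDENED_POLICY = copy.deepcopy(DEVELOPER_POLICY)
HARDENED_POLICY["Statement"][1]["Condition"] = {
    "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    """IAM wildcards (*) in Action and Resource behave like shell globs here."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False  # key absent: Bool can never match
                continue          # BoolIfExists: an absent key counts as a match
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny ends evaluation
        decision = "Allow"
    return decision


# Request contexts as IAM would present them (constructed):
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}    # temporary credentials obtained with MFA
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # temporary credentials without MFA
ACCESS_KEY = {}                                         # long-term access key: the key is absent

OBJECT = "arn:aws:s3:::example-bucket/report.csv"

if __name__ == "__main__":
    for label, ctx in [("mfa", MFA_SESSION), ("no-mfa", NO_MFA_SESSION), ("access-key", ACCESS_KEY)]:
        print(label, "Bool:", evaluate(DEVELOPER_POLICY, "s3:DeleteObject", OBJECT, ctx),
              "BoolIfExists:", evaluate(HARDENED_POLICY, "s3:DeleteObject", OBJECT, ctx))
```

Reading is permitted for everyone, deletion with an MFA-backed session is permitted, and deletion from a plain session without MFA is denied by both policies; only the hardened policy also denies deletion from a long-term access key.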

Page 30: AWS Security & Compliance

Encryption. Protecting data in-transit and at-rest.

Details about encryption can be found in the AWS Whitepaper, “Securing Data at Rest with Encryption”.

Encryption In-Transit: HTTPS, SSL/TLS, VPN / IPSEC, SSH

Encryption At-Rest: Object, Database, Filesystem, Disk

Page 31: AWS Security & Compliance

Key Management Infrastructure

Managing encryption keys is critical yet difficult!

• How will you manage keys and make sure they are available when required, for example at instance start-up?
• How will you keep them available and prevent loss? How will you rotate keys on a regular basis and keep them private?

Page 32: AWS Security & Compliance

AWS Key Management Service

Managed service to securely create, control, rotate, and use encryption keys.

(diagram: Customer Master Key(s) → Data Key 1, Data Key 2, Data Key 3, Data Key 4 → Amazon S3 Object, Amazon EBS Volume, Amazon Redshift Cluster)

Page 33: AWS Security & Compliance

AWS Key Management Service

Page 34: AWS Security & Compliance

AWS Key Management Service

Page 35: AWS Security & Compliance

AWS CloudHSM

Help meet compliance requirements for data security by using a dedicated Hardware Security Module appliance with AWS.

(diagram: AWS CloudHSM inside your Amazon Virtual Private Cloud; AWS Administrator – manages the appliance; You – control keys and crypto operations)

• Dedicated, single-tenant hardware device
• Can be deployed as HA and load balanced
• Customer use cases:
  • Oracle TDE
  • MS SQL Server TDE
  • Setup SSL connections
  • Digital Rights Management (DRM)
  • Document Signing

Page 36: AWS Security & Compliance

Trusted Advisor

Page 37: AWS Security & Compliance

Trusted Advisor

Page 38: AWS Security & Compliance

AWS Marketplace: over 2600 applications

Advanced Threat Analytics, Application Security, Identity and Access Mgmt, Encryption & Key Mgmt, Server & Endpoint Protection, Network Security, Vulnerability & Pen Testing

Page 39: AWS Security & Compliance

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”

Tom Soderstrom, CTO, NASA JPL

Security is Job Zero

Page 40: AWS Security & Compliance

Questions?

[email protected]