AWS Security in Plain English – AWS Security Day
![Page 1: AWS Security in Plain English – AWS Security Day](https://reader034.vdocument.in/reader034/viewer/2022042907/586fb4791a28abe57d8b71ab/html5/thumbnails/1.jpg)
Maitreya Ranganath
Jeremy Cowan
Larry Gilreath
Page 2
Job Zero
• Network Security
• Physical Security
• Platform Security
• People & Procedures
Page 3
SHARED
Page 4
Constantly improving
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS is responsible for the security OF the Cloud
GxP, ISO 13485, AS9100, ISO/TS 16949
Page 5
Shared responsibility
Customers have their choice of security configurations IN the Cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Page 6
WHO CAN DO WHAT
Page 7
0. Create individual users.
Benefits
• Unique credentials
• Individual credential rotation
• Individual permissions
Page 8
1. Grant least privilege.
Benefits
• Less chance of people making mistakes
• Easier to relax than tighten up
• More granular control
Page 9
2. Manage permissions with groups.
Benefits
• Easier to assign the same permissions to multiple users
• Simpler to reassign permissions based on change in responsibilities
• Only one change to update permissions for multiple users
Page 10
3. Restrict privileged access further with conditions.
Benefits
• Additional granularity when defining permissions
• Can be enabled for any AWS service API
• Minimizes chances of accidentally performing privileged actions
Page 11
Page 12
Allow selected actions (Production, us-east-1)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "Production"
        }
      },
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/*"
      ]
    }
  ]
}
```
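To show how the Condition and the region-scoped Resource ARN narrow this grant, here is an added Python example (not from the slides or from AWS) that evaluates the slide's policy with a simplified model of IAM's logic: no matching statement means implicit deny, an explicit Deny wins, action names match case-insensitively, ARNs match case-sensitively, and StringEquals on a tag key that is absent from the request fails. Only the StringEquals operator is modelled; the instance ids used in the checks are constructed and 123456789012 is the slide's placeholder account id.

```python
import fnmatch
import json

# Copy of the slide's policy (123456789012 is the slide's placeholder account id).
PRODUCTION_EC2_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances",
               "ec2:RebootInstances", "ec2:TerminateInstances"],
    "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}},
    "Resource": ["arn:aws:ec2:us-east-1:123456789012:instance/*"]
  }]
}
""")


def _as_list(value):
    """Action, Resource and condition values may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    """IAM wildcard matching ('*' and '?'): action names are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def _condition_holds(condition, context):
    """Only StringEquals is modelled (the operator the slide uses).
    A key missing from the request context makes StringEquals false, as in IAM."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled here")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Simplified IAM decision: explicit Deny wins, then a matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource, fold_case=False):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed requests: same action, different region / tag value.
    prod = {"ec2:ResourceTag/Environment": "Production"}
    east = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"
    west = "arn:aws:ec2:us-west-2:123456789012:instance/i-0abc"
    print("start prod in us-east-1:", is_allowed(PRODUCTION_EC2_POLICY, "ec2:StartInstances", east, prod))
    print("start prod in us-west-2:", is_allowed(PRODUCTION_EC2_POLICY, "ec2:StartInstances", west, prod))
```

The checks worth keeping in a policy review are the negative ones: the same principal cannot touch an instance in another region, an instance tagged Dev, or call any API outside the four listed, because nothing in the policy matches and IAM's default is deny.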
Page 13
4. Enable AWS CloudTrail and AWS Config.
Benefits
• Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket
• Track changes to your resources over time.
Page 14
Enabling AWS Config
Page 15
5. Configure a strong password policy.
Benefits
• Ensures your users and your data are protected
Page 16
Applying Password Policy
Page 17
6. Rotate security credentials regularly.
Benefits
• Normal best practice
Page 18
7. Enable MFA for privileged users.
Benefits
• Supplements user name and password to require a one-time code during authentication
Page 19
Turning on MFA for the AWS root account
Page 20
8. Use IAM roles to share access.
Benefits
• No need to share security credentials
• No need to store long-term credentials
• Use cases
- Cross-account access
- Intra-account delegation
- Federation
Page 21
9. Use IAM roles for Amazon EC2 instances.
Benefits
• Easy to manage access keys on EC2 instances
• Automatic key rotation
• Assign least privilege to the application
• AWS SDKs fully integrated
• AWS CLI fully integrated
Page 22
10. Reduce or remove use of root.
Benefits
• Reduce potential for misuse of credentials
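Items 6, 7 and 10 can be checked together from the IAM credential report (`aws iam get-credential-report`, a CSV with one row per IAM user plus a `<root_account>` row). The Python example below is added here and is not from the slides or from AWS: it parses a constructed report in that column layout and flags the root account having no MFA device, any active access key on root, console users without MFA, and active access keys older than a rotation threshold (the 90-day limit and the fixed "now" of 2016-06-01 are assumptions made so the check runs offline).

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation threshold assumed for this example

# Constructed sample in the column layout of `aws iam get-credential-report` (decoded CSV).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2015-01-10T09:00:00+00:00,not_supported,2016-05-30T08:12:00+00:00,not_supported,not_supported,false,true,2015-01-10T09:05:00+00:00,2016-05-29T10:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2015-03-01T10:00:00+00:00,true,2016-05-31T07:00:00+00:00,2016-04-01T10:00:00+00:00,2016-07-01T10:00:00+00:00,true,true,2016-05-01T10:00:00+00:00,2016-05-31T07:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-03-01T10:00:00+00:00,true,no_information,2015-03-01T10:00:00+00:00,2015-06-01T10:00:00+00:00,false,true,2015-03-01T10:00:00+00:00,2016-05-20T12:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2015-03-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-04-15T10:00:00+00:00,2016-05-31T01:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed evaluation time (assumption) so the sample gives stable results offline.
SAMPLE_NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)


def _parse_time(value):
    """Cells hold ISO 8601 timestamps or markers such as N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now):
    """Return (user, problem) tuples for the hygiene rules behind items 6, 7 and 10."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root:
            # Item 7 applied to the most privileged identity: root needs an MFA device.
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA device"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            # Item 7: every console (password) user should have MFA.
            findings.append((user, "console password enabled without MFA"))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            if is_root:
                # Item 10: root should not hold long-term API keys at all.
                findings.append((user, f"{slot} is active on the root account"))
                continue
            # Item 6: active keys must have been rotated within the threshold.
            rotated = _parse_time(row[f"{slot}_last_rotated"])
            if rotated is None or (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((user, f"{slot} older than {MAX_KEY_AGE_DAYS} days"))
    return findings


def run_sample():
    """Audit the constructed report against the fixed evaluation time."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, problem in run_sample():
        print(f"{user}: {problem}")
```

On a real account the report is fetched with `aws iam get-credential-report` (the CSV is base64-encoded in the response), and `now` is simply the current UTC time; the `deploy` row shows why a service user without a console password is not flagged for MFA but is still held to the key-age rule.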
Page 23
11. Get alerted on use of Root and sensitive actions.
Benefits
• Automate monitoring and alerting of actions
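The two triggers named in item 11 are visible directly in CloudTrail records: `userIdentity.type` is `Root` whenever root credentials are used, and `eventSource` plus `eventName` identify the API call. The Python example below is added here and is not from the slides or from AWS; it runs those two checks over a constructed batch of records in CloudTrail's delivery-file shape (`{"Records": [...]}`). The list of sensitive API names is an assumed starting point to tune per environment, and the user names, ARNs and source IP are constructed.

```python
import json

# Assumed starting list of sensitive API calls, keyed by eventSource; tune per environment.
SENSITIVE_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                          "PutUserPolicy", "DeactivateMFADevice"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress", "DeleteFlowLogs"},
    "s3.amazonaws.com": {"PutBucketPolicy", "DeleteBucketPolicy"},
}

ACCOUNT = "123456789012"  # the slides' placeholder account id


def _record(identity, source, name, time, ip="198.51.100.10"):
    """Build a minimal CloudTrail record (constructed sample, not real log data)."""
    return {"eventVersion": "1.05", "userIdentity": identity, "eventTime": time,
            "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": ip, "userAgent": "console.amazonaws.com"}


ROOT = {"type": "Root", "principalId": ACCOUNT,
        "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT}


def _user(name):
    return {"type": "IAMUser", "principalId": "AIDAEXAMPLE" + name.upper(),
            "arn": f"arn:aws:iam::{ACCOUNT}:user/{name}",
            "accountId": ACCOUNT, "userName": name}


# Constructed delivery file: one root console login, two sensitive calls, two routine reads.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record(ROOT, "signin.amazonaws.com", "ConsoleLogin", "2016-06-01T08:00:00Z"),
    _record(_user("alice"), "ec2.amazonaws.com", "DescribeInstances", "2016-06-01T08:05:00Z"),
    _record(_user("bob"), "cloudtrail.amazonaws.com", "StopLogging", "2016-06-01T08:07:00Z"),
    _record({"type": "AssumedRole", "accountId": ACCOUNT,
             "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Deploy/ci"},
            "iam.amazonaws.com", "CreateAccessKey", "2016-06-01T08:09:00Z"),
    _record(_user("alice"), "s3.amazonaws.com", "ListBuckets", "2016-06-01T08:10:00Z"),
]})


def reasons_for(record):
    """Return why a record should raise an alert (an empty list means no alert)."""
    reasons = []
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        reasons.append("root credentials used")
    if record.get("eventName") in SENSITIVE_EVENTS.get(record.get("eventSource"), ()):
        reasons.append("sensitive action: " + record["eventName"])
    return reasons


def scan_trail(trail_json):
    """Scan one CloudTrail delivery file and list the records that need an alert."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        reasons = reasons_for(rec)
        if not reasons:
            continue
        identity = rec["userIdentity"]
        alerts.append({
            "time": rec["eventTime"],
            "actor": identity.get("userName") or identity.get("arn"),
            "event": rec["eventName"],
            "source_ip": rec.get("sourceIPAddress"),
            "reasons": reasons,
        })
    return alerts


def scan_sample():
    return scan_trail(SAMPLE_TRAIL)


if __name__ == "__main__":
    for alert in scan_sample():
        print(alert["time"], alert["actor"], alert["event"], "; ".join(alert["reasons"]))
```

In production the same logic belongs in a CloudWatch Logs metric filter or an event rule fed by CloudTrail, so the alarm fires within minutes of the record rather than when a batch is read; the scan above is the offline form of that rule, useful for back-testing a trail or for validating the filter expression against known records.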
Page 24
Get Alerted on AWS Root Use
Page 25
11
0. Users
1. Permissions
2. Groups
3. Conditions
4. Auditing
5. Password
6. Rotate
7. MFA
8. Sharing
9. Roles
10. Root
11. Alerting
Page 26
NETWORK
Page 27
Availability Zone A / Availability Zone B
AWS Virtual Private Cloud
• Provision a logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity
Page 28
Diagram: Web, App and DB tiers
Page 29
Diagram: Web, App and DB tiers (labels: Deny all traffic; Allow)
Page 30
Diagram: Web, App and DB tiers (labels: Port 443)
Page 31
Diagram: Web, App and DB tiers (labels: PUBLIC, PRIVATE, PRIVATE, REPLICATE ON-PREM)
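The diagrams on pages 28 to 31 build up the usual tiering: everything is denied by default, the web tier alone is public and only on port 443, and the app and DB tiers are private, reachable only from the tier in front of them. The Python example below is added here and is not from the slides or from AWS; it models security groups as default-deny ingress allow-lists whose rules reference either a CIDR or another security group, and checks which flows the three-tier layout permits. Group names, ports and the 203.0.113.7 test address are constructed; security groups are stateful, so only ingress needs modelling and return traffic is implied.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One TCP ingress rule: a port range from either a CIDR or another security group."""
    from_port: int
    to_port: int
    cidr: Optional[str] = None          # e.g. "0.0.0.0/0"
    source_group: Optional[str] = None  # e.g. "web-sg"


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)  # no rules at all means nothing gets in


def ingress_allowed(groups, dest_group, port, source_ip=None, source_group=None):
    """Security groups are allow-lists: a flow is permitted only if some rule matches.
    Give either source_ip (traffic from an address) or source_group (traffic from
    an instance in that group); anything unmatched is implicitly denied."""
    for rule in groups[dest_group].ingress:
        if not (rule.from_port <= port <= rule.to_port):
            continue
        if rule.source_group is not None and rule.source_group == source_group:
            return True
        if (rule.cidr is not None and source_ip is not None
                and ipaddress.ip_address(source_ip) in ipaddress.ip_network(rule.cidr)):
            return True
    return False


def three_tier_groups():
    """The layout drawn on the slides: public web tier on 443, private app and DB tiers."""
    return {
        "web-sg": SecurityGroup("web-sg", [Rule(443, 443, cidr="0.0.0.0/0")]),
        "app-sg": SecurityGroup("app-sg", [Rule(8080, 8080, source_group="web-sg")]),
        "db-sg": SecurityGroup("db-sg", [Rule(3306, 3306, source_group="app-sg")]),
    }


def world_reachable_ports(groups):
    """List every (group, from_port, to_port) open to the whole Internet (IPv4 or IPv6)."""
    found = []
    for group in groups.values():
        for rule in group.ingress:
            if rule.cidr is not None and ipaddress.ip_network(rule.cidr).prefixlen == 0:
                found.append((group.name, rule.from_port, rule.to_port))
    return found


if __name__ == "__main__":
    g = three_tier_groups()
    print("internet -> web:443", ingress_allowed(g, "web-sg", 443, source_ip="203.0.113.7"))
    print("internet -> db:3306", ingress_allowed(g, "db-sg", 3306, source_ip="203.0.113.7"))
    print("web -> db:3306     ", ingress_allowed(g, "db-sg", 3306, source_group="web-sg"))
    print("world-open ports   ", world_reachable_ports(g))
```

The useful property to keep is that the DB tier never references a CIDR: its only rule names the app tier's security group, so a compromised web instance still has no path to the database, and `world_reachable_ports` should return exactly one entry for the whole layout.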
Page 32
AWS VPC Peering
Digital Websites, Big Data Analytics, Enterprise Apps, Common Services
• Route traffic between VPCs in private and peer specific subnets between each VPC
• Even between AWS accounts
Page 33
AWS Direct Connect (resiliently and directly)
YOUR AWS ENVIRONMENT: Digital Websites, Big Data Analytics, Dev and Test, Enterprise Apps
YOUR PREMISES
Links: AWS Direct Connect; Internet; VPN
Page 34
| Physical Data Center | AWS VPC |
|---|---|
| VLANs / Subnets | Subnets |
| Routers & Routing Protocols | Route Tables |
| Stateful Firewalls | Security Groups |
| Network ACL | NACLs |
| Web Application Firewall | AWS WAF or Partner Products |
| Network based IDS/IPS | Host based IDS/IPS |
| Internet Connection | Internet Gateway |
| Inter Data Center Links | IPSec VPN or Direct Connect |
Page 35
Page 36
Amazon Inspector
Security assessment tool analyzing end-to-end application configuration and activity
Page 37
Page 38
Configuration Scanning Engine
Activity monitoring
Built-in content library
Automatable via API
Fully auditable
Page 39
CVE
Network Security Best Practices
Authentication Best Practices
Operating System Best Practices
Application Security Best Practices
PCI DSS 3.0 Readiness
Page 40
Increased agility
Embedded expertise
Improved security posture
Streamlined compliance
Page 41
Page 42
Page 43
Page 44
AWS Config Rules
Page 45
Flexible rules evaluated continuously and retroactively
Dashboard and reports for common goals
Customizable remediation
API automation
Page 46
ecosystem
Page 47
Continuous monitoring for unexpected changes
Shared compliance across your organization
Simplified management of configuration changes
Page 48
Page 49
https://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
http://aws.amazon.com/answers
Page 50
https://youtu.be/fCH4r3s4THQ
https://youtu.be/_wiGpBQGCjU
https://youtu.be/5_bQ6Dgk6k8
https://youtu.be/ykmqjgLdmL4
https://youtu.be/3qln2u1Vr2E