www.cloudsec.com | #cloudsec
AWS Security Overview
Ridge XU, Solutions Architect, AWS
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Why is security traditionally so hard?
Lack of visibility
Low degree of automation
Before… Move fast OR stay secure
Now… Move fast AND stay secure
The most sensitive workloads run on AWS
“With AWS, DNAnexus enables enterprises worldwide to perform
genomic analysis and clinical studies in a secure and compliant
environment at a scale not previously possible.”
— Richard Daly, CEO DNAnexus
“The fact that we can rely on the AWS security posture to boost our
own security is really important for our business. AWS does a much
better job at security than we could ever do running a cage in a data
center.”
— Richard Crowley, Director of Operations, Slack
“We determined that security in AWS is superior to our on-premises data
center across several dimensions, including patching,
encryption, auditing and logging, entitlements, and compliance.”
— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)
Move to AWS, strengthen your security posture
• Inherit global security and compliance controls
• Scale with superior visibility and control
• Highest standards for privacy and data security
• Automate with deeply integrated security services
• Largest network of security partners and solutions
Inherit global security and compliance controls
Shared Responsibility Model
AWS is responsible for security “OF” the cloud: the underlying infrastructure and the baseline controls built into it
Customers are responsible for security “IN” the cloud: what they deploy and configure on top of it
Customer compliance and audit effort is reduced, because customer controls are built on AWS baseline controls:
✓ AWS Best Practices
✓ Industry Standards
✓ AWS Architecture for Standards
Customer scope and effort is reduced, built on AWS solid baseline controls
Customers maintain control and ownership of:
• The content they store on AWS
• The country (Region) in which the content is stored
• How the content is secured, with the security measures they choose
AWS global infrastructure (2018):
– 18 Regions
– 55 Availability Zones
– 132 Points of Presence (121 Edge Locations and 11 Regional Edge Caches)
Scale with visibility and control
Highest standards for privacy
• Encryption at scale, with keys managed by AWS Key Management Service (KMS), or manage your own encryption keys in AWS CloudHSM using FIPS 140-2 Level 3 validated HSMs
• Meet data residency requirements: choose an AWS Region and AWS will not replicate your content elsewhere unless you choose to do so
• Access services and tools that enable you to build compliant infrastructure on top of AWS
• Comply with local data privacy laws by controlling who can access content, its lifecycle, and its disposal
AWS security solutions
Identity: AWS Identity & Access Management (IAM), AWS Directory Service, AWS Organizations, AWS Secrets Manager, AWS Single Sign-On, Amazon Cognito
Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
Infrastructure security: AWS Systems Manager, AWS Shield, AWS WAF (web application firewall), AWS Firewall Manager, Amazon Inspector, Amazon Virtual Private Cloud (VPC)
Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, Server-Side Encryption
Incident response: AWS Config Rules, AWS Lambda
Identity and access management
AWS Identity and Access Management (IAM): define, enforce, and audit user permissions across AWS services, actions and resources.
[Diagram: IAM groups (Admin group, Developers, O&M group) granted different permissions on EC2, S3 and DynamoDB]
Authentication · Authorization · Auditable
• Segregation of duties
• Policy-based access control
• Supports MFA
• Windows Active Directory, ADFS, and SAML 2.0 integration for SSO
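A worked illustration of the three bullets above (policy-based access control, segregation of duties, MFA), added here as an example; it is not code from the deck or from AWS. It is a deliberately reduced model of how IAM evaluates identity policies: implicit deny by default, an explicit Deny always wins, Action patterns match case-insensitively with `*` and `?` wildcards, and a Bool condition on the `aws:MultiFactorAuthPresent` context key. It ignores resource-based policies, permissions boundaries, SCPs and every other condition operator. The group policies, bucket name and account ID are constructed.

```python
"""Reduced IAM identity-policy evaluator (added example, not AWS code).

Models the parts of the IAM decision logic the slide relies on:
  * implicit deny: nothing is allowed until a statement allows it
  * explicit deny: a matching Deny statement wins over every Allow
  * Action/Resource matching with '*' and '?' wildcards
  * a Bool condition on the aws:MultiFactorAuthPresent context key
Everything below (account ID, bucket, group policies) is constructed.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM action names are case-insensitive; resource ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_met(condition, context):
    """Supports the Bool and StringEquals operators; anything else is rejected
    loudly rather than silently treated as satisfied."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                # A missing key never satisfies Bool (IAM would need BoolIfExists)
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Action" in stmt and not _matches(stmt["Action"], action, fold_case=True):
                continue
            if "NotAction" in stmt and _matches(stmt["NotAction"], action, fold_case=True):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_met(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny short-circuits everything
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# --- constructed policies for the three groups on the slide ---------------
ASSETS_BUCKET = "arn:aws:s3:::app-assets"  # constructed bucket name

DEVELOPERS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ASSETS_BUCKET + "/*"},
]}

# Segregation of duties: developers can deploy, but never manage identities
# or destroy data. Attached alongside DEVELOPERS_POLICY.
SOD_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["iam:*", "dynamodb:DeleteTable"], "Resource": "*"},
]}

# Admin group: full access, but only from an MFA-authenticated session.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

MFA = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA = {"aws:MultiFactorAuthPresent": "false"}


if __name__ == "__main__":
    dev = [DEVELOPERS_POLICY, SOD_DENY_POLICY]
    print(evaluate(dev, "s3:GetObject", ASSETS_BUCKET + "/index.html"))          # Allow
    print(evaluate(dev, "s3:GetObject", "arn:aws:s3:::payroll/2018.csv"))        # ImplicitDeny
    print(evaluate(dev + [ADMIN_POLICY], "iam:CreateUser",
                   "arn:aws:iam::123456789012:user/x", MFA))                     # Deny
    print(evaluate([ADMIN_POLICY], "iam:CreateUser",
                   "arn:aws:iam::123456789012:user/x", NO_MFA))                  # ImplicitDeny
```

The point worth noticing is the third call: even a principal who also carries the admin policy and has MFA is denied `iam:CreateUser`, because the segregation-of-duties Deny is evaluated against every attached policy, not just the one that granted access. Against a real account the equivalent check is IAM's policy simulator (`simulate_principal_policy`), which also accounts for SCPs and boundaries that this model leaves out.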
Detective control
Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
Gain visibility of:
• Every action taken in the AWS Management Console and every API call (AWS CloudTrail)
• IP traffic to and from your VPC (VPC Flow Logs)
• Configuration compliance status: monitor configuration changes to your AWS resources that affect your compliance, e.g. a database port opened to the public internet (AWS Config)
• Malicious or unauthorized behavior and attacks, identified through integrated threat intelligence and machine learning (Amazon GuardDuty)
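What "visibility of IP traffic to and from your VPC" lets you do in practice, as an added example that is not code from the deck or from AWS: detection logic run over VPC Flow Log records in the default (version 2) format. It flags an accepted connection to a database or remote-access port from a non-RFC 1918 address (the "database port open to the public internet" case the slide mentions) and a single source rejected on many distinct ports (a port scan). The VPC addresses, thresholds and every log line are constructed; GuardDuty derives its own EC2 findings from the same flow-log data, together with CloudTrail and DNS logs.

```python
"""Detection logic over VPC Flow Log records (added example, not AWS code).

Flow log lines use the default (version 2) format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
Two detections are run over them:
  1. an ACCEPTed TCP connection to a sensitive port (MySQL, SSH, RDP) from an
     address outside RFC 1918 space, i.e. the port is reachable from the Internet
  2. one source address REJECTed on many distinct destination ports (port scan)
The port list, thresholds and every log line below are constructed.
"""
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSITIVE_PORTS = {3306: "mysql", 22: "ssh", 3389: "rdp"}   # assumption: what matters in this VPC
SCAN_THRESHOLD = 5                                          # assumption: distinct ports per source
TCP = 6

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_flow_log(line):
    """Return a dict for an OK record, or None for malformed / NODATA / SKIPDATA rows
    (those carry '-' in the address and port fields and must not be parsed as ints)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_internal(addr):
    return any(addr in net for net in RFC1918)


def analyze(lines):
    """Return a list of human-readable findings for the given flow log lines."""
    findings = []
    rejected_ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        if (rec["action"] == "ACCEPT" and rec["protocol"] == TCP
                and rec["dstport"] in SENSITIVE_PORTS and not is_internal(src)):
            findings.append(
                f"{SENSITIVE_PORTS[rec['dstport']]} accepted from Internet address {src} "
                f"to {rec['dstaddr']}:{rec['dstport']} on {rec['interface_id']}")
        if rec["action"] == "REJECT":
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
    for src, ports in rejected_ports.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append(f"possible port scan from {src}: {len(ports)} distinct ports rejected")
    return findings


# Constructed sample: web tier 10.0.1.25 talking to the DB 10.0.2.14 (normal),
# an Internet host reaching the DB port (misconfigured security group), a scanner
# being rejected on several ports, and one NODATA record.
SAMPLE_LOG_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.14 41022 3306 6 12 2400 1525000000 1525000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.45 10.0.2.14 52114 3306 6 4 300 1525000000 1525000060 ACCEPT OK",
    "2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.7 10.0.1.25 40001 22 6 1 44 1525000000 1525000060 REJECT OK",
    "2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.7 10.0.1.25 40002 23 6 1 44 1525000000 1525000060 REJECT OK",
    "2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.7 10.0.1.25 40003 80 6 1 44 1525000000 1525000060 REJECT OK",
    "2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.7 10.0.1.25 40004 443 6 1 44 1525000000 1525000060 REJECT OK",
    "2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.7 10.0.1.25 40005 3389 6 1 44 1525000000 1525000060 REJECT OK",
    "2 123456789012 eni-0f1e2d3c4b5a69788 - - - - - - - 1525000000 1525000060 - NODATA",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG_LINES):
        print(finding)
```

The NODATA row is the edge case that breaks naive parsers: the address and port columns are `-`, so the log-status field has to be checked before any field is converted. The RFC 1918 test is done against an explicit list rather than `ip_address.is_private`, because that property also treats documentation ranges such as 203.0.113.0/24 as private.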
Infrastructure security
Amazon Virtual Private Cloud (VPC): provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
• Subnets: public and private, to segregate traffic
• Security groups (stateful, instance level) and network access control lists (stateless, subnet level) for inbound and outbound filtering
• VPN: a secure channel back to your on-premises DC
Reduce the surface area you have to manage, and increase privacy for and control of your overall infrastructure on AWS.
[Diagram: three-tier VPC. ALB in a public subnet (DMZ) accepting *:80 and :443; Auto Scaling web tier in private subnet 10.0.1.0/24 accepting :80 from inside the VPC; DB tier in private subnet 10.0.2.0/24 accepting :3306 only from the web tier; VPN back to the customer DC]
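The diagram above is a design; the security-group rules are what enforce it, and they drift. The following audit, added here as an example and not code from the deck or from AWS, checks a list of groups in the shape returned by boto3's `ec2.describe_security_groups()` against that design: only the ALB group may accept `0.0.0.0/0` or `::/0`, and only on 80/443 (the same condition Trusted Advisor's "Security Groups - Specific Ports Unrestricted" check reports), and the DB port must be reachable only via a security-group reference to the web tier, never from a CIDR block. The group IDs, the allow list and the sample groups are constructed.

```python
"""Security-group audit for the three-tier VPC on the slide (added example, not AWS code).

Input has the shape of boto3's ec2.describe_security_groups()["SecurityGroups"].
Two rules are enforced:
  1. only groups on the EXPOSED_OK allow list may accept 0.0.0.0/0 or ::/0, and
     only on the listed ports (the ALB on 80/443); every other Internet-open
     rule is a finding
  2. the DB port must be reachable only via a security-group reference to the
     web tier, never from a CIDR block
Group IDs, ports and the sample groups are constructed.
"""

INTERNET = {"0.0.0.0/0", "::/0"}
ALB_SG, WEB_SG, DB_SG = "sg-0a1b000000000001", "sg-0a1b000000000002", "sg-0a1b000000000003"
EXPOSED_OK = {ALB_SG: {80, 443}}   # assumption: the only Internet-facing tier
DB_PORT = 3306


def _port_set(perm):
    """Ports covered by one IpPermission; None means all protocols and ports."""
    if perm["IpProtocol"] == "-1":
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def _describe(perm):
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']} {perm['FromPort']}-{perm['ToPort']}"


def audit_security_groups(groups):
    """Return a list of findings; an empty list means the groups match the design."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            ports = _port_set(perm)
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            source_groups = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]

            # Rule 1: Internet exposure only where the design allows it
            for cidr in cidrs:
                if cidr in INTERNET and (ports is None or not ports <= EXPOSED_OK.get(gid, set())):
                    findings.append(f"{gid}: {_describe(perm)} open to the Internet via {cidr}")

            # Rule 2: DB port reachable only from the web tier's security group
            if gid == DB_SG and (ports is None or DB_PORT in ports):
                if cidrs or set(source_groups) != {WEB_SG}:
                    findings.append(
                        f"{gid}: port {DB_PORT} reachable from {cidrs + source_groups}; "
                        f"expected only [{WEB_SG}]")
    return findings


def _tcp(from_port, to_port=None, cidrs=(), groups=()):
    """Build one IpPermission in the describe_security_groups shape."""
    return {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port or from_port,
            "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample: the ALB is correct, someone opened SSH on the web tier to
# the world, and the DB group also trusts the whole VPC CIDR instead of just WEB_SG.
SAMPLE_GROUPS = [
    {"GroupId": ALB_SG, "GroupName": "alb", "IpPermissions": [
        _tcp(80, cidrs=["0.0.0.0/0", "::/0"]), _tcp(443, cidrs=["0.0.0.0/0", "::/0"])]},
    {"GroupId": WEB_SG, "GroupName": "web", "IpPermissions": [
        _tcp(80, groups=[ALB_SG]), _tcp(22, cidrs=["0.0.0.0/0"])]},
    {"GroupId": DB_SG, "GroupName": "db", "IpPermissions": [
        _tcp(3306, cidrs=["10.0.0.0/16"], groups=[WEB_SG])]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```

The `IpProtocol == "-1"` branch matters: an "all traffic" rule has no FromPort/ToPort keys at all, so a port-range check that assumes they exist either crashes on it or, worse, skips the widest-open rule in the account. Run as a scheduled job or an AWS Config custom rule, this is what turns the "open database port" in the detective-control slide into an alert instead of a post-incident discovery.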
Web architecture
[Diagram: users reach the same three-tier VPC through a CDN and AWS WAF placed in front of the ALB (public subnet / DMZ, *:80 443); L3/L4 attacks are dropped at the edge and L7 attacks are blocked by the WAF before they reach the Auto Scaling web tier (private subnet 10.0.1.0/24, :80) and the DB (private subnet 10.0.2.0/24, :3306 from the web tier only)]
Data protection
In addition to automatic data encryption and key management services, AWS offers further features for data protection (including data management, data security, and encryption key storage).
AWS KMS · Server-Side Encryption · EBS Volume · RDS
Data encryption:
• AWS storage, managed databases and data warehouse
• Enabling it is as simple as checking a box (or setting one parameter on the API call)
Incident response
During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.
Amazon CloudWatch · AWS Lambda
Dealing with incident events:
• Notification (email, SMS, Slack, etc.)
• Quickly remediate security events by automating the incident response
Detect (application logs, AWS audit trail logs, network logs, etc.) → Alarm → Remediate (automation / notification)
Automate with integrated services
Automated threat remediation: Amazon GuardDuty finding → CloudWatch Event → AWS Lambda function
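The Detect → Alarm → Remediate flow of the previous slide and the GuardDuty → CloudWatch Event → Lambda chain above, as one added example that is not code from the deck or from AWS. A CloudWatch Events rule for source `aws.guardduty` delivers the GuardDuty finding JSON under `event["detail"]`; the handler turns it into a plan and, for high-severity findings on an EC2 instance, contains the event by swapping the instance's security groups for an empty quarantine group (`ec2.modify_instance_attribute`), which cuts the attacker's traffic while keeping the instance and its disks intact for forensics. The quarantine group ID, severity threshold, playbook choices and sample events are assumptions; the EC2 client is injectable so the logic runs offline.

```python
"""Lambda handler for automated threat remediation (added example, not AWS code).

Event shape: a CloudWatch Events rule for source "aws.guardduty" delivers the
GuardDuty finding JSON under event["detail"]. High-severity findings on an EC2
instance are contained by replacing the instance's security groups with a
quarantine group that has no rules; everything else is only notified.
The quarantine group ID, threshold and sample events below are constructed.
"""
import json

QUARANTINE_SG = "sg-0a1b000000000099"   # assumption: pre-created group with no rules at all
SEVERITY_THRESHOLD = 7.0                 # GuardDuty "High" findings are 7.0 - 8.9


def plan_remediation(event):
    """Decide what to do with one CloudWatch Events record; pure function, no AWS calls."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    plan = {"finding_id": finding.get("id"), "type": finding.get("type"), "severity": severity}
    if severity < SEVERITY_THRESHOLD:
        plan.update(action="notify", reason=f"severity {severity} below {SEVERITY_THRESHOLD}")
    elif resource.get("resourceType") == "Instance":
        plan.update(action="isolate",
                    instance_id=resource["instanceDetails"]["instanceId"])
    elif resource.get("resourceType") == "AccessKey":
        # Credential findings are left to a human: rotating a key used by
        # production automation can itself be an outage.
        plan.update(action="notify", reason="compromised credential, needs manual rotation",
                    access_key_id=resource["accessKeyDetails"]["accessKeyId"])
    else:
        plan.update(action="notify", reason=f"no playbook for {resource.get('resourceType')}")
    return plan


def handler(event, context, ec2=None, notify=print):
    """Lambda entry point. In Lambda, ec2 defaults to a real boto3 client;
    tests pass a fake so nothing is modified."""
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    plan = plan_remediation(event)
    if plan["action"] == "isolate":
        ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=[QUARANTINE_SG])
    if plan["action"] != "ignore":
        notify(json.dumps(plan))   # e.g. publish to an SNS topic that fans out to email/SMS/Slack
    return plan


class FakeEC2:
    """Records the isolation calls instead of making them."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def sample_event(finding_type, severity, resource):
    """Constructed CloudWatch Events record carrying a GuardDuty finding."""
    return {"version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "region": "us-east-1", "account": "123456789012",
            "detail": {"id": "00000000000000000000000000000000", "type": finding_type,
                       "severity": severity, "resource": resource}}


INSTANCE = {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}
ACCESS_KEY = {"resourceType": "AccessKey", "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}

if __name__ == "__main__":
    ec2 = FakeEC2()
    print(handler(sample_event("Backdoor:EC2/C&CActivity.B!DNS", 8, INSTANCE), None, ec2=ec2))
    print(ec2.calls)   # the quarantine call that would have gone to EC2
```

The rule that triggers it is an event pattern of `{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}`; the function's execution role should carry nothing beyond `ec2:ModifyInstanceAttribute` and the notification permission, since an over-privileged responder is itself a target. `modify_instance_attribute` with `Groups` only changes the instance's primary network interface; for instances with several ENIs, call `modify_network_interface_attribute` on each one.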
AWS Trusted Advisor
Security checks available to all AWS customers at no extra cost: S3 Bucket Permissions, Security Groups - Specific Ports Unrestricted, IAM Use, MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots
An Expansive Ecosystem
• 4,200+ products; 1,400+ ISVs
• AWS customers use over 481 million hours a month of Amazon EC2 for AWS Marketplace products
• Products fully integrated with the AWS platform and easy to fully test
• Security competency program: https://aws.amazon.com/partners/competencies/
• Thousands of the world’s largest technology and consulting companies
• 67 Premier Consulting Partners
“I have come to realize that as a relatively small organization, we can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We
determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”
• Looks for fraud, abuse, and insider trading over nearly 6 billion shares traded in U.S. equities markets every day
• Processes approximately 6 terabytes of data and 37 billion records on an average day
• Went from 3–4 weeks for server hardening to 3–4 minutes
• DevOps teams focus on automation and tools to raise the compliance bar and simplify controls
• Achieved incredible levels of assurance for consistencies of builds and patching via rebooting with automated deployment scripts
— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)
Online medical care scheduling
“Previously all our servers were configured and updated by hand or through limited automation, we didn’t take full advantage of a configuration management … All our new services are built as stateless Docker containers, allowing us to deploy and scale them easily using Amazon’s ECS.”
“AWS allowed us to scale our business to handle 6 million patients a month and elevate our security—all while maintaining HIPAA compliance—as we migrated 100% to cloud in less than 12 months”
• Migrated all-in on AWS in under 12 months, becoming a HIPAA compliant cloud-first organization
• New York based startup leveraged infrastructure as code to securely scale to 6 million patients per month
• Data liberation: use data to innovate and drive more solutions for patients, reducing patient wait times from 24 days to 24 hours
• Maintain end to end visibility of patient data using AWS
Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security