
Page 1

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ronan Guilfoyle, Solutions Architect

October 12th, 2017

Introduction to AWS Security and Compliance

Page 2

Brief intro to AWS availability

Page 3

AWS Global Infrastructure

16 Regions – 42 Availability Zones – 98 Edge Locations

Region & Number of Availability Zones

AWS GovCloud (2)
US West: Oregon (3), Northern California (3)
US East: N. Virginia (5), Ohio (3)
Canada: Central (2)
South America: São Paulo (3)
EU: Ireland (3), Frankfurt (2), London (2)
Asia Pacific: Singapore (2), Sydney (2), Tokyo (3), Seoul (2), Mumbai (2)
China: Beijing (2)

Announced Regions: Paris, Ningxia

Page 4

Example AWS Region

[Diagram: multiple Availability Zones (AZ) in the region, connected through Transit locations]

Page 5

Example AWS Availability Zone

[Diagram: Availability Zones (AZ) and Transit locations]

Page 6

“We own the customer tool”

“We own the eCommerce API”

“We own the ‘DooHickey’ product”

“We own the platform”

• Tooling

• Deployment

• Metrics

Page 7

Compliance

Page 8

You configure your choice of security in the cloud

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers:

• Client-side Data Encryption

• Server-side Data Encryption

• Network Traffic Protection

• Platform, Applications, Identity & Access Management

• Operating System, Network, & Firewall Configuration

• Customer applications & content

Page 9

AWS Security: A Very High Bar

Compliance – Programs and certifications

Page 10

AWS Security Toolbox


Page 12

Access a deep set of cloud security tools

Encryption: Key Management Service, CloudHSM, Server-side Encryption

Networking: Virtual Private Cloud, Web Application Firewall

Compliance: Config, CloudTrail & Inspector, Service Catalog

Identity: IAM, Active Directory Integration, SAML Federation

Page 13

CENTRALIZED AUDITING STORE FOR PLATFORM EVENTS

AWS CLOUDTRAIL

Page 14

AWS CloudTrail

CloudTrail can help you achieve many tasks

• Security analysis

• Track changes to AWS resources, for example VPC security groups and NACLs

• Compliance – log and understand AWS API call history

• Prove that you did not:

  • Use the wrong region

  • Use services you don’t want

• Troubleshoot operational issues – quickly identify the most recent changes to your environment

Page 15

AWS CloudTrail

Page 16

Compliance – By the numbers

70+ services

7,710 Audit Artifacts

2,670 Controls

3,030 Audit Requirements

Page 17

Compliance – Deployable quick starts

CloudFormation templates

Page 18

SELF-SERVICE PORTAL TO COMPLIANCE REPORTS

AWS ARTIFACT

Page 19

Compliance – Automated reports

e-NDA


Page 21

AMAZON MACIE

MACHINE LEARNING SERVICE TO HELP CUSTOMERS PREVENT DATA LOSS IN AWS.

Page 22

Our Customers Ask Us?

• What data do I have in the cloud?

• Where is it located?

• How is data being shared and stored?

• How can I classify data in near-real time?

• What PII/PHI is possibly exposed?

• How do I build workflow remediation for my security and compliance needs?

Page 23

Machine Learning Challenges for Security

• Every customer is different

• Threats are ever changing

• Penalty for error is high

• Flood of data

Page 24

Our Approach

Amazon Macie

Understand Your Data: Natural Language Processing (NLP)

Understand Data Access: Machine Learning

Page 25

How Does Amazon Macie Use Machine Learning?

• Understand behavioral analytics to baseline normal behavior

• Train and develop contextualized alerts by understanding the value of data being accessed

• Context for content

Page 26

Business Critical Data in Amazon S3

• Static website content

• Source code

• SSL certificates, private keys

• iOS and Android app signing keys

• Database backups

• OAuth and Cloud SAAS API Keys

Page 27

MACHINE LEARNING FOR COMPLIANCE

FOR PII-TYPES LIKE NAMES, ADDRESSES, USER NAMES AND PASSWORDS, A REGEX-BASED APPROACH ISN’T POSSIBLE


Page 31

MANAGED DDOS PROTECTION SERVICE

AWS SHIELD

Page 32

AWS Shield

Standard Protection: Available to ALL AWS customers at No Additional Cost

Advanced Protection: Paid service that provides additional protections, features and benefits.

Page 33

AWS Shield Advanced

• Always-on monitoring & detection

• Advanced L3/4 & L7 DDoS protection

• Attack notification and reporting

• 24x7 access to DDoS Response Team

• AWS bill protection

Page 34

POLICY-BASED MANAGEMENT FOR MULTIPLE ACCOUNTS

AWS ORGANIZATIONS

Page 35

Introducing AWS Organizations

Policy-based management for multiple AWS accounts.

• Control AWS service use across accounts

• Consolidate billing and usage reporting

• Automate account creation

Page 36

Service Control Policy Inheritance

Page 37

SECURELY CONTROL ACCESS TO AWS SERVICES AND RESOURCES

AWS IDENTITY AND ACCESS MANAGEMENT (IAM)

Page 38

AWS IAM – Features

IAM Users, IAM Groups, IAM Roles, Federation

Page 39

Sane default policies provided

Page 40

LAYER 7 APPLICATION PROTECTION AT SCALE

AWS WEB APPLICATION FIREWALL (WAF)

Page 41

AWS WAF – Features

HTTP floods, Scanners and probes, SQL injection, Bots and scrapers, IP reputation lists, Cross-site scripting

Page 42

COLLECT AND TRACK METRICS, LOGS, ALARMS AND EVENTS

AMAZON CLOUDWATCH

Page 43

Amazon CloudWatch – Features

Metrics, Alarms, Logging, Events, Dashboard

Page 44

Logs → Metrics → Alerts/Actions

Log sources: AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon Flow Logs

→ CloudWatch / CloudWatch Logs

→ CloudWatch alarms

→ Amazon SNS: email notification, HTTP/S notification, SMS notifications, Mobile push notifications, and more…

Or your preferred SIEM / Log aggregator
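An added example (my own code, not from the deck) that ties the CloudTrail slide (Page 14) to the Logs → Metrics → Alerts path on this slide: it scans constructed CloudTrail records for security group and NACL changes, for activity in regions or services you do not use, and builds the CloudWatch Logs metric filter pattern you would put an alarm on. The allow-lists, the sample records and the account id in them are assumptions.

```python
"""Added example, not from the slides: scan CloudTrail records for what the deck says
CloudTrail lets you track and prove, and build the matching CloudWatch Logs metric
filter pattern for the Logs -> Metrics -> Alerts path. Allow-lists are assumptions."""
import json

ALLOWED_REGIONS = {"eu-west-1", "us-east-1"}            # assumed for this example
ALLOWED_SERVICES = {"ec2.amazonaws.com", "s3.amazonaws.com", "iam.amazonaws.com"}
# EC2 API actions that change VPC security groups or network ACLs.
SG_NACL_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup", "CreateNetworkAcl",
    "CreateNetworkAclEntry", "DeleteNetworkAcl", "DeleteNetworkAclEntry",
    "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}

def analyze_records(records):
    """Return (category, eventID, detail) findings for a list of CloudTrail records."""
    findings = []
    for r in records:
        ev, src, region = r.get("eventName", ""), r.get("eventSource", ""), r.get("awsRegion", "")
        who = r.get("userIdentity", {}).get("arn", "unknown")
        if ev in SG_NACL_CHANGE_EVENTS:      # track changes to security groups and NACLs
            findings.append(("network-change", r["eventID"], f"{who} called {ev} in {region}"))
        if region not in ALLOWED_REGIONS:    # prove you did not use the wrong region
            findings.append(("unexpected-region", r["eventID"], f"{who} used {region} via {src}"))
        if src not in ALLOWED_SERVICES:      # prove you did not use services you don't want
            findings.append(("unwanted-service", r["eventID"], f"{who} used {src}"))
    return findings

def analyze_log_file(text):
    """Analyse one CloudTrail log file body: a JSON object with a "Records" array
    (the files CloudTrail delivers to S3 are gzipped; decompress them first)."""
    return analyze_records(json.loads(text)["Records"])

def metric_filter_pattern(event_names):
    """CloudWatch Logs filter pattern matching the same events, for a metric filter on
    the log group CloudTrail delivers to; alarm on that metric and publish to SNS."""
    return "{ " + " || ".join(f"($.eventName = {n})" for n in sorted(event_names)) + " }"

# Constructed sample log file, shaped like CloudTrail's JSON output.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "1", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "eu-west-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventID": "2", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "eu-west-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventID": "3", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "ap-northeast-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventID": "4", "eventName": "CreateCluster", "eventSource": "redshift.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"}},
]})

if __name__ == "__main__":
    for category, event_id, detail in analyze_log_file(SAMPLE_LOG):
        print(f"[{category}] event {event_id}: {detail}")
```

The same event set drives both the offline scan and the filter pattern, so an alarm on the metric filter fires for exactly the changes the scan would flag.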

Page 45

Additional Resources

Page 46

Whitepapers

http://tinyurl.com/kmsCryptoDetails

http://tinyurl.com/DDoSResiliencyAWS

http://tinyurl.com/WellArchitected

http://tinyurl.com/SecurityBestPractices