Post on 19-Aug-2018
TRANSCRIPT
AWS Public Sector
Jerusalem | 19 Nov 2014
AWS Security & Compliance
CJ Moses, General Manager, Government Cloud Solutions
Security Is Our No. 1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
PEOPLE & PROCEDURES | NETWORK SECURITY | PHYSICAL SECURITY | PLATFORM SECURITY
EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR ENTERPRISE
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
Tom Soderstrom – CTO NASA JPL
IDC Survey: Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization.
Source: IDC 2013 U.S. Cloud Security Survey Doc #242836, September 2013
You are making API calls on a growing set of services around the world.
CloudTrail is continuously recording those API calls
and delivering log files to you.
AWS CLOUDTRAIL
Security Analysis
Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS Resources
Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues
Quickly identify the most recent changes made to resources in your environment.
Compliance Aid
Easier to demonstrate compliance with internal policies and regulatory standards.
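The three uses the slide lists (security analysis of user behaviour, tracking resource changes, and finding the most recent change) all start from the same input: the JSON log files CloudTrail delivers, each a `{"Records": [...]}` document. The following Python is an added example, not code from the deck or from AWS; the records, user names, IP addresses and timestamps are constructed for illustration, and the set of EC2 API names treated as "resource changes" is a hypothetical choice covering the instance, security group and volume operations the slide names.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample in the CloudTrail log-file shape ({"Records": [...]}).
# Users, addresses and times are made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-11-19T09:12:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2014-11-19T09:15:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2014-11-19T09:20:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVolume", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2014-11-19T09:21:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2014-11-19T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.7"},
]})

# Hypothetical watch-list: the EC2 calls that create, modify or delete the
# resource types the slide mentions (instances, security groups, EBS volumes).
RESOURCE_CHANGES = {
    "RunInstances", "TerminateInstances", "ModifyInstanceAttribute",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "CreateVolume", "DeleteVolume", "ModifyVolume",
}


def load_records(log_text):
    """Parse one CloudTrail log file and return its records ordered by eventTime."""
    records = json.loads(log_text)["Records"]
    return sorted(records,
                  key=lambda r: datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))


def resource_changes(records):
    """Keep only the events on the watch-list (read-only calls are dropped)."""
    return [r for r in records if r["eventName"] in RESOURCE_CHANGES]


def most_recent_changes(records, n=3):
    """Troubleshooting view: the n latest resource changes, newest first."""
    changes = resource_changes(records)
    return [(r["eventTime"], r["eventName"], r["userIdentity"]["userName"])
            for r in reversed(changes)][:n]


def changes_by_user(records):
    """Behaviour view: how many resource-changing calls each user made."""
    return Counter(r["userIdentity"]["userName"] for r in resource_changes(records))


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for when, what, who in most_recent_changes(recs):
        print(when, what, who)
    print(dict(changes_by_user(recs)))
```

In practice the same functions would run over every file CloudTrail writes to the delivery bucket; the point of the watch-list is that a review of "what changed recently" should not be buried under the far more numerous read-only calls.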
Defense in Depth
Multi-level security: physical security of the data centers, network security, system security, data security.
AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs
AWS CloudHSM
Defense in depth
Rapid scale for security
Automated checks with AWS Trusted Advisor
Fine grained access controls
Server side encryption
Multi-factor authentication
Dedicated instances
Direct connection, Storage Gateway
HSM-based key storage
AWS IAM
Amazon VPC
AWS Direct Connect
AWS Storage Gateway
LEAST PRIVILEGE PRINCIPLE
CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK
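The deck states this principle for AWS's own staff and roles; the same rule applies to the IAM policies a customer attaches to its users and roles. As an added example (not code from the deck or from AWS), the Python below lints an IAM policy document for grants that are broader than "the material required to do specific work": a wildcard action, a service-wide `service:*` action, a wildcard resource, or an `Allow` written with `NotAction`/`NotResource`. The three policy documents and the bucket name `example-reports-bucket` are constructed for illustration.

```python
import json

# Constructed policy documents. The bucket name is a placeholder.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SERVICE_WIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Scoped to the two object operations and one list operation the work needs,
# on one bucket only.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports-bucket"},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy_text):
    """Return (statement_index, kind, description) for every over-broad Allow grant."""
    findings = []
    doc = json.loads(policy_text)
    for i, st in enumerate(_as_list(doc["Statement"])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a least-privilege concern
        if "NotAction" in st or "NotResource" in st:
            findings.append((i, "negation",
                             "Allow with NotAction/NotResource grants everything not listed"))
        for action in _as_list(st.get("Action", [])):
            if action == "*":
                findings.append((i, "action", "all actions on all services"))
            elif action.endswith(":*"):
                findings.append((i, "action", "all actions on " + action.split(":")[0]))
        if "*" in _as_list(st.get("Resource", [])):
            findings.append((i, "resource", "applies to every resource"))
    return findings


def is_least_privilege(policy_text):
    """True when the linter raises no finding."""
    return not policy_findings(policy_text)


if __name__ == "__main__":
    for name, doc in [("broad", BROAD_POLICY), ("service-wide", SERVICE_WIDE_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, policy_findings(doc))
```

A clean result from this linter does not prove the policy is minimal (the listed actions may still exceed the job), but each finding it does raise is a grant that cannot be justified by a single specific task and is worth a review.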
LEAST PRIVILEGE PRINCIPLE
SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA
LEAST PRIVILEGE PRINCIPLE
MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATA CENTER LOCATIONS
LEAST PRIVILEGE PRINCIPLE
MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATA CENTERS
SIMPLE SECURITY CONTROLS
ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE
USE MULTIPLE AZs
AMAZON S3 | AMAZON DYNAMODB | AMAZON RDS MULTI-AZ | AMAZON EBS SNAPSHOTS
ENCRYPT YOUR DATA
AWS CloudHSM | AWS Key Management Service | Amazon EBS | Amazon S3 SSE | Amazon Glacier | Amazon Redshift | Amazon RDS
DATA ENCRYPTION
CHOOSE WHAT’S RIGHT FOR YOU:
Automated – AWS manages encryption (e.g. S3 SSE)
Enabled – user manages encryption using AWS (e.g. AWS CloudHSM, AWS KMS)
Client-side – user manages encryption using their own means
AWS CloudHSM
Managed and monitored by AWS, but you control the keys
Increase performance for applications that use HSMs for key storage or encryption
Comply with stringent regulatory and contractual requirements for key protection
AWS Key Management Service
Managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. Integrated with other AWS services including Amazon EBS, Amazon S3, Amazon Redshift and AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
AWS CodeDeploy
AWS CodeDeploy is a service that automates code deployments to Amazon EC2 instances. AWS CodeDeploy makes it easier for you to rapidly release new features, helps you avoid downtime during deployment, and handles the complexity of updating your applications. You can use AWS CodeDeploy to automate deployments, eliminating the need for error-prone manual operations, and the service scales with your infrastructure so you can easily deploy to one EC2 instance or thousands.
AWS CodeCommit
AWS CodeCommit is a secure, highly scalable, managed source control service that hosts private Git repositories. CodeCommit eliminates the need for you to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to store anything from code to binaries, and it supports the standard functionality of Git, allowing it to work seamlessly with your existing Git-based tools. Your team can also use CodeCommit's online code tools to browse, edit, and collaborate on projects. CodeCommit will be available in early 2015.
AWS CodePipeline
AWS CodePipeline is a continuous delivery and release automation service that aids smooth deployments. You can design your development workflow for checking in code, building the code, deploying your application into staging, testing it, and releasing it to production. You can integrate 3rd party tools into any step of your release process or you can use CodePipeline as an end-to-end solution. CodePipeline enables you to rapidly deliver features and updates with high quality through the automation of your build, test, and release process. CodePipeline will be available in early 2015.
RISK & COMPLIANCE
AUDITING SECURITY CHECKLIST
SECURITY PROCESSES SECURITY BEST PRACTICES
AWS Security Whitepapers