aws summit barcelona - security keynote

Post on 15-Jan-2015


AWS Summit 2013 Barcelona Oct 24 – Barcelona, Spain

Bill Shinn

AWS Principal Security Solutions Architect

AWS CLOUD SECURITY

SECURITY IS UNIVERSAL

EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES

CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS

AWS GOV CLOUD

ITAR COMPLIANT

SECURITY IS VISIBLE

CAN YOU MAP YOUR NETWORK?

WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?

AWS API + CLOUDFORMATION: ENVIRONMENT ARCHITECTURE DEFINITION AND CHANGE DETECTION

SECURITY IS TRANSPARENT

SOC 1, SOC 2, SOC 3, PCI DSS L1, ISO 27001, ITAR, FIPS, FedRAMP, HIPAA

SECURITY IS FAMILIAR

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING


LEAST PRIVILEGE PRINCIPLE: CONFINE ROLES TO ONLY THE MATERIAL REQUIRED TO DO A SPECIFIC JOB

USE AWS IAM (IDENTITY & ACCESS MANAGEMENT) TO CONTROL WHO CAN DO WHAT IN YOUR AWS ACCOUNT

IAM USERS & ROLES: ACCESS TO SERVICE APIs, NO PASSWORDS

USE SEPARATE SETS OF CREDENTIALS

ROTATE YOUR AWS SECURITY CREDENTIALS
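As an added example (not part of the keynote), the rotation check behind the "rotate your credentials" slide: an audit over IAM access-key metadata in the shape boto3's `iam.list_access_keys()` returns, so it can be put in front of a real call. The users, key ids and the 90-day limit are constructed placeholders.

```python
"""Access-key rotation audit (added example, not from the keynote).

Works on metadata shaped like boto3's iam.list_access_keys() response
('AccessKeyMetadata' entries); the sample below is constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; choose what fits your business

# Constructed sample: what iam.list_access_keys(UserName=...)['AccessKeyMetadata']
# returns for three users. The AccessKeyIds are placeholders, not real keys.
NOW = datetime(2013, 10, 24, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000002",
     "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000003",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE0000004",
     "Status": "Active", "CreateDate": NOW - timedelta(days=30)},
]


def audit_access_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return sorted (finding, user, key_id) tuples for keys needing attention.

    ROTATE     - active key older than the rotation policy allows
    REMOVE     - inactive key still present; delete it once rotation is verified
    TWO_ACTIVE - user holds two active keys: normal mid-rotation, a smell otherwise
    """
    findings = []
    active_per_user = {}
    for k in keys:
        age_days = (now - k["CreateDate"]).days
        if k["Status"] == "Active":
            active_per_user.setdefault(k["UserName"], []).append(k["AccessKeyId"])
            if age_days > max_age_days:
                findings.append(("ROTATE", k["UserName"], k["AccessKeyId"]))
        else:
            findings.append(("REMOVE", k["UserName"], k["AccessKeyId"]))
    for user, ids in active_per_user.items():
        if len(ids) > 1:
            findings.append(("TWO_ACTIVE", user, ",".join(sorted(ids))))
    return sorted(findings)


if __name__ == "__main__":
    for finding, user, key_id in audit_access_keys(SAMPLE_KEYS, NOW):
        print(f"{finding:10} {user:12} {key_id}")
```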


YOUR DATA IS YOUR MOST IMPORTANT ASSET

MFA DELETE PROTECTION

ENCRYPT YOUR DATA

AMAZON S3 SSE (DATA AT REST)

AWS CloudHSM


NEED TO KNOW + CCTV, GUARDS, MAN TRAPS, FENCES, ETC…


CHANGES IN PRODUCTION HAVE TO BE AUTHORIZED

DEV & TEST ENVIRONMENT: AWS ACCOUNT A

PRODUCTION ENVIRONMENT: AWS ACCOUNT B

DEPLOYMENT PROCESS HAS TO BE CONSTRAINED


CONTINUOUS DELIVERY MODEL

CONTINUOUS DEPLOYMENT

SESSION 13:30 START-UP TRACK

REDUNDANCY & INTEGRITY CHECKS

USE MULTIPLE AZs

AMAZON S3

AMAZON DYNAMODB

AMAZON RDS MULTI-AZ

AMAZON EBS SNAPSHOTS


“GAME DAYS”: INSERT ARTIFICIAL SECURITY INCIDENTS. MEASURE SPEED OF DETECTION AND EXECUTION.


SECURITY IS AUDITABLE

VULNERABILITY / PENETRATION TESTING


LOGS: OBTAINED, RETAINED, ANALYZED

OBTAIN, RETAIN, ANALYSE YOUR LOGS

PROTECT YOUR LOGS WITH IAM

ARCHIVE YOUR LOGS
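As an added example (not from the keynote), one concrete form of "protect your logs with IAM": an S3 bucket policy that lets only a log-writer role put objects and explicitly denies every principal the right to delete them, beside a weak variant without that Deny, plus a check that tells the two apart. The bucket name, account id and role ARN are placeholders, and the check is structural, not a full IAM policy evaluation.

```python
"""Check that a log bucket's policy forbids deleting log objects.

Added example, not from the keynote. Structural check over a bucket policy
document (s3.get_bucket_policy()['Policy'] after json.loads()); it is not a
full IAM policy evaluator. Bucket, account and role names are placeholders.
"""
LOG_BUCKET = "example-audit-logs"                          # placeholder
LOG_OBJECTS = f"arn:aws:s3:::{LOG_BUCKET}/*"
LOG_WRITER = "arn:aws:iam::123456789012:role/log-writer"  # placeholder ARN

# Hardened policy: only the writer role may put objects, and nobody may delete
# them through this bucket policy (an explicit Deny overrides any Allow).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WriterOnly", "Effect": "Allow", "Principal": {"AWS": LOG_WRITER},
         "Action": "s3:PutObject", "Resource": LOG_OBJECTS},
        {"Sid": "NoDelete", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": LOG_OBJECTS},
    ],
}

# Weak variant: the same policy without the explicit Deny, so any identity
# whose IAM policy grants s3:DeleteObject can erase the audit trail.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [s for s in HARDENED_POLICY["Statement"] if s["Sid"] != "NoDelete"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _denies_everyone(statement):
    # Both spellings of "every principal" that bucket policies accept.
    return statement.get("Effect") == "Deny" and statement.get("Principal") in ("*", {"AWS": "*"})


def _covers_delete(actions):
    # Wildcards that also match DeleteObject; anything else must be exact.
    return any(a in ("*", "s3:*", "s3:Delete*", "s3:DeleteObject") for a in actions)


def log_deletion_denied(policy, objects_arn=LOG_OBJECTS):
    """True if an explicit Deny for every principal blocks DeleteObject on the logs."""
    return any(
        _denies_everyone(st)
        and objects_arn in _as_list(st.get("Resource", []))
        and _covers_delete(_as_list(st.get("Action", [])))
        for st in policy.get("Statement", [])
    )
```

Whoever holds `s3:PutBucketPolicy` can still edit the policy itself, which is why the deck pairs this with MFA delete and with archiving logs into a separate account.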

TRUSTED ADVISOR

SECURITY IS SHARED

NETWORK SECURITY: DDOS

NETWORK SECURITY: SSL

NETWORK SECURITY: SPOOFING

NETWORK SECURITY: PORT SCANNING

AMAZON EC2 SECURITY: HOST OS

SSH KEYED LOGINS VIA BASTION HOST

ALL ACCESSES LOGGED AND AUDITED

AMAZON EC2 SECURITY: GUEST OS

CUSTOMER CONTROLLED AT ROOT LEVEL

AWS ADMINS CANNOT LOG IN

CUSTOMER-GENERATED KEYPAIRS

“If you need to SSH into your instance, improve your deployment process.”

AMAZON EC2 SECURITY: STATEFUL & STATELESS FIREWALL

MANDATORY INBOUND DEFAULT DENY MODE

SECURITY IS

UNIVERSAL

VISIBLE

TRANSPARENT

FAMILIAR

AUDITABLE

SHARED

AWS.AMAZON.COM/SECURITY

AWS.AMAZON.COM/COMPLIANCE

BLOGS.AWS.AMAZON.COM/SECURITY

AWS SECURITY WHITEPAPERS

RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

AWS MARKETPLACE

SECURITY SOLUTIONS

billshin@amazon.com
