Post on 20-May-2020

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Introduction to AWS Security and Compliance

Ronan Guilfoyle, Solutions Architect

October 12th, 2017


Brief intro to AWS availability


AWS Global Infrastructure

16 Regions – 42 Availability Zones – 98 Edge Locations

Region & Number of Availability Zones

• US East: N. Virginia (5), Ohio (3)
• US West: Oregon (3), Northern California (3)
• AWS GovCloud (2)
• Canada: Central (2)
• South America: São Paulo (3)
• EU: Ireland (3), Frankfurt (2), London (2)
• Asia Pacific: Singapore (2), Sydney (2), Tokyo (3), Seoul (2), Mumbai (2)
• China: Beijing (2)
• Announced Regions: Paris, Ningxia

Example AWS Region (diagram; labels: AZ, AZ, AZ, AZ, AZ; Transit, Transit)

Example AWS Availability Zone (diagram; labels: AZ, AZ, AZ, AZ, AZ; Transit, Transit)

“We own the customer tool”

“We own the eCommerce API”

“We own the ‘DooHickey’ product”

“We own the platform”

• Tooling
• Deployment
• Metrics

Compliance


You configure your choice of security in the cloud

Customers (security in the cloud):

• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

AWS (security of the cloud):

• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

AWS Security: A Very High Bar

Compliance – Programs and certifications

AWS Security Toolbox

Access a deep set of cloud security tools

• Encryption: Key Management Service, CloudHSM, Server-side Encryption
• Networking: Virtual Private Cloud, Web Application Firewall
• Compliance: Config, CloudTrail, Inspector, Service Catalog
• Identity: IAM, Active Directory Integration, SAML Federation

CENTRALIZED AUDITING STORE FOR PLATFORM EVENTS

AWS CLOUDTRAIL


AWS CloudTrail

CloudTrail can help you achieve many tasks

• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – log and understand AWS API call history
• Prove that you did not:
  • Use the wrong region
  • Use services you don’t want
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
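The slides list what CloudTrail is for but not how the records are used. As an added example (not part of the presentation), the Python below walks constructed CloudTrail records and checks the three points above: calls from a region outside an allowlist, calls to services outside an allowlist, and changes to VPC security groups and NACLs. The `audit_trail` function, the sample records, the account ID and the allowlists are all assumptions for illustration.

```python
import json

# Constructed sample CloudTrail records (not real log data). A real trail
# delivers gzip-compressed JSON files to S3 with the same {"Records": [...]} shape.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-10-12T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2017-10-12T09:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2017-10-12T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2017-10-12T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"}},
    {"eventTime": "2017-10-12T09:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]})
# EC2 API calls that change the network perimeter (security groups, NACLs).
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}

def audit_trail(trail_json, allowed_regions, allowed_services):
    """Return (eventTime, caller ARN, finding) for each record that uses a
    region or service outside the allowlists or alters SGs/NACLs."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        who = rec["userIdentity"]["arn"]
        svc = rec["eventSource"].split(".")[0]  # "ec2.amazonaws.com" -> "ec2"
        call = f"{svc}:{rec['eventName']}"
        # IAM is global; CloudTrail records its calls under us-east-1,
        # so the region check does not apply to it.
        if svc != "iam" and rec["awsRegion"] not in allowed_regions:
            findings.append((rec["eventTime"], who, f"unexpected region {rec['awsRegion']}: {call}"))
        if svc not in allowed_services:
            findings.append((rec["eventTime"], who, f"unexpected service: {call}"))
        if rec["eventName"] in NETWORK_CHANGE_EVENTS:
            findings.append((rec["eventTime"], who, f"network change: {call}"))
    return findings

if __name__ == "__main__":
    for finding in audit_trail(SAMPLE_TRAIL, {"eu-west-1"}, {"ec2", "s3", "iam"}):
        print(finding)
```

In production the same checks would run over the trail files delivered to S3, or be expressed as CloudWatch Logs metric filters feeding alarms.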


AWS CloudTrail


Compliance – By the numbers

• 70+ services
• 7,710 Audit Artifacts
• 2,670 Controls
• 3,030 Audit Requirements

Compliance – Deployable quick starts

CloudFormation templates

SELF-SERVICE PORTAL TO COMPLIANCE REPORTS

AWS ARTIFACT


Compliance – Automated reports

e-NDA


AMAZON MACIE

MACHINE LEARNING SERVICE TO HELP CUSTOMERS PREVENT DATA LOSS IN AWS.

Our Customers Ask Us?

• What data do I have in the cloud?
• Where is it located?
• How is data being shared and stored?
• How can I classify data in near-real time?
• What PII/PHI is possibly exposed?
• How do I build workflow remediation for my security and compliance needs?

Machine Learning Challenges for Security

• Every customer is different

• Threats are ever changing

• Penalty for error is high

• Flood of data


Our Approach

Amazon Macie

• Understand Your Data – Natural Language Processing (NLP)
• Understand Data Access – Machine Learning

How Does Amazon Macie Use Machine Learning?

• Understand behavioral analytics to baseline normal behavior
• Train and develop contextualized alerts by understanding the value of data being accessed
• Context for content

Business Critical Data in Amazon S3

• Static website content
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and Cloud SAAS API Keys

MACHINE LEARNING FOR COMPLIANCE

FOR PII-TYPES LIKE NAMES, ADDRESSES, USER NAMES AND PASSWORDS, A REGEX-BASED APPROACH ISN’T POSSIBLE

MANAGED DDOS PROTECTION SERVICE

AWS SHIELD


AWS Shield

• Standard Protection – Available to ALL AWS customers at No Additional Cost
• Advanced Protection – Paid service that provides additional protections, features and benefits.

AWS Shield Advanced

• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• AWS bill protection

POLICY-BASED MANAGEMENT FOR MULTIPLE ACCOUNTS

AWS ORGANIZATIONS


Introducing AWS Organizations

Policy-based management for multiple AWS accounts.

• Control AWS service use across accounts
• Consolidate billing and usage reporting
• Automate account creation

Service Control Policy Inheritance


SECURELY CONTROL ACCESS TO AWS SERVICES AND RESOURCES

AWS IDENTITY AND ACCESS MANAGEMENT (IAM)


AWS IAM - Features

IAM Users IAM Groups IAM Roles Federation


Sane default policies provided


LAYER 7 APPLICATION PROTECTION AT SCALE

AWS WEB APPLICATION FIREWALL (WAF)


AWS WAF – Features

• HTTP floods
• Scanners and probes
• SQL injection
• Bots and scrapers
• IP reputation lists
• Cross-site scripting

COLLECT AND TRACK METRICS, LOGS, ALARMS AND EVENTS

AMAZON CLOUDWATCH


Amazon CloudWatch – Features

Metrics Alarms Logging Events Dashboard


Logs → Metrics → Alerts/Actions

Log sources: AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon Flow Logs

→ CloudWatch / CloudWatch Logs → CloudWatch alarms → Amazon SNS

Notification targets: email notification, HTTP/S notification, SMS notifications, Mobile push notifications, and more…

Or your preferred SIEM / Log aggregator

Additional Resources


Whitepapers

http://tinyurl.com/kmsCryptoDetails

http://tinyurl.com/DDoSResiliencyAWS

http://tinyurl.com/WellArchitected

http://tinyurl.com/SecurityBestPractices
