© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
An Introduction to AWS Cloud Security
Ankush Chowdhary, Principal Security Advisor – APJ, Worldwide Public Sector
Agenda
Overview of AWS security
Understand your responsibility in the cloud
AWS Security and Compliance Programs
Overview of AWS Security Products/Services
AWS Cloud Security Design Patterns
Questions?
AWS Global Infrastructure
22 Regions – 69 Availability Zones – 176 Edge Locations
Region & Number of Availability Zones:
US East: N. Virginia (6), Ohio (3)
US West: N. California (3), Oregon (4)
Asia Pacific: Mumbai (3), Seoul (2), Singapore (3), Hong Kong (3), Sydney (3), Tokyo (4), Osaka-Local (1)
Canada: Central (2)
China: Beijing (2), Ningxia (3)
Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
Middle East: Bahrain (3)
South America: São Paulo (3)
AWS GovCloud (US): US-East (3), US-West (3)
Announced Regions: Cape Town, Jakarta, Milan
Security is Our No. 1 Priority
Designed for Security – Constantly Monitored – Highly Automated – Highly Available – Highly Accredited
What is AWS Shared Responsibility?
SECURITY IN THE CLOUD: Security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services
SECURITY OF THE CLOUD: Security measures that the cloud service provider (AWS) implements and operates
Your data stays where you put it.
AWS Compliance Programs
Global – United States – Europe – Asia Pacific
All customers benefit from the same security
60+ Assurance programs, including:
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001
• ISO 9001
• PCI DSS Level 1 - Service Provider
• ISO 27017 (security of the cloud)
• ISO 27018 (personal data)
• BSI C5 (Germany) – ESCloud (EU)
• CISPE - GDPR
Find Compliance Reports on AWS Artifact
Reports On-Demand – Globally Available – Easy Identification
Quick Assessments – Continuous Monitoring – Enhanced Transparency
https://aws.amazon.com/artifact/
Customer Security Operations in AWS
Move to AWS – Strengthen your security posture
Inherit global security and compliance controls
Highest standards for privacy and data security
Largest network of security partners and solutions
Scale with superior visibility and control
Automate with deeply integrated security services
Highest standards for privacy
Encryption at scale with keys managed by AWS Key Management Service (KMS), or manage your own encryption keys with CloudHSM using FIPS 140-2 Level 3 validated HSMs
Meet data residency requirements: choose an AWS Region and AWS will not replicate your data elsewhere unless you choose to do so
Access services and tools that enable you to build compliant infrastructure on top of AWS
Comply with local data privacy laws by controlling who can access content, its lifecycle, and disposal
Identity and access management
Define, enforce, and audit user permissions across AWS services, actions and resources.
AWS Identity and Access Management (IAM): Securely control access to AWS services and resources
AWS Organizations: Policy-based management for multiple AWS accounts
Amazon Cognito: Add user sign-up, sign-in, and access control to your web and mobile apps
AWS Directory Service: Managed Microsoft Active Directory in the AWS Cloud
AWS Single Sign-On: Centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications
Detective control
Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
AWS CloudTrail: Enable governance, compliance, and operational/risk auditing of your AWS account
AWS Config: Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting
Amazon CloudWatch: Monitor AWS Cloud resources and your applications on AWS to collect metrics, monitor log files, set alarms, and automatically react to changes
Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
VPC Flow Logs: Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs
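As an added example (not from the slides), here is a small parser for the default VPC Flow Logs record format that flags external sources whose connection attempts were REJECTed on several distinct ports, the kind of check a detective control built on flow logs performs. The log lines are constructed and use RFC 5737 test addresses; the threshold `min_ports` is an assumption.

```python
"""Parse VPC Flow Log records (default version-2 format) and summarise REJECTed connection attempts."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set
# Field order of the default flow log format; values are space separated.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")

@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    action: str        # ACCEPT or REJECT

def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; return None for NODATA/SKIPDATA records, which carry '-' in traffic fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["dstport"]), int(rec["protocol"]), rec["action"])

def rejected_ports_by_source(lines: Iterable[str], min_ports: int = 3) -> Dict[str, Set[int]]:
    """Ports on which each source was REJECTed, keeping sources that hit at least `min_ports` distinct ports."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec.action == "REJECT":
            seen[rec.srcaddr].add(rec.dstport)
    return {src: ports for src, ports in seen.items() if len(ports) >= min_ports}

# Constructed sample records using RFC 5737 test addresses, not real flow log output.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 54321 22 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 54322 3389 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 54323 445 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40000 443 6 30 15000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40001 8080 6 2 120 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
""".splitlines()
if __name__ == "__main__":
    for src, ports in rejected_ports_by_source(SAMPLE_LOG).items():
        print(f"{src}: rejected on ports {sorted(ports)}")
```

In a real deployment the same logic runs over records delivered to CloudWatch Logs rather than an inline string.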
Infrastructure security
Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS.
Amazon EC2 Systems Manager: Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems
AWS Shield: Managed DDoS protection service that safeguards web applications running on AWS
AWS Web Application Firewall (WAF): Protects your web applications from common web exploits, ensuring availability and security
Amazon Inspector: Automates security assessments to help improve the security and compliance of applications deployed on AWS
Amazon Virtual Private Cloud (VPC): Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define
Data protection
In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage).
AWS Key Management Service (KMS): Easily create and control the keys used to encrypt your data
AWS CloudHSM: Managed hardware security module (HSM) on the AWS Cloud
Amazon Macie: Machine learning-powered security service to discover, classify, and protect sensitive data
AWS Certificate Manager: Easily provision, manage, and deploy SSL/TLS certificates for use with AWS services
Server Side Encryption: Flexible data encryption options using AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys
Incident response
During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.
AWS Config Rules: Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known-good state
AWS Lambda: Use our serverless compute service to run code without provisioning or managing servers so you can scale your programmed, automated response to incidents
AWS Cloud Security & 9 Innovative Design Patterns
Just-in-time access rights
Integrated Identity and Access Management + Temporary Credentials
Consolidated Logging
API Logs + Performance, Network, Apps Logs + Firehose data streaming
Durable, highly available storage; durable and cheap archive storage
Ubiquitous Encryption
Key storage on HSM: Managed KMI or DIY
Encrypted: Archive, Object Storage, Block Storage, Database, Data Warehouse, Log Trails, out-of-band data transfer
Scaling automagically
Compute Instance + Non-Persistent & Elastic
Network Architecture: Hybrid Cloud
Logically isolated section of the Cloud + Virtual Firewall + Leased line
Network Architecture: Resiliency
Virtual Firewall, DNS, Web App Firewall, CDN, Auto-scaling, Load Balancer
Monitor and React swiftly
Event-driven serverless code execution + Alarms based on Performance, Network, Apps
Standardized Environments & Security as Code
SDK + Continuous Configuration Automation
Validate Change at Scale
Inventory, configuration history and change + Baseline rules for inventory and configuration
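As an added example that is not AWS sample code, the following Lambda handler implements a custom AWS Config rule of the kind the Incident response and Validate Change at Scale slides describe: it evaluates a security group configuration item against a baseline (no SSH or RDP reachable from the world). The event layout (invokingEvent, ruleParameters, resultToken) and the evaluation fields are those of AWS Config custom rules; the configuration item, its placeholder group id, the chosen baseline ports and the omission of the put_evaluations call are assumptions made so it runs offline.

```python
"""Custom AWS Config rule (Lambda) flagging security groups with SSH or RDP open to the world."""
import json

ADMIN_PORTS = {22, 3389}            # baseline: these ports must never be world-reachable
WORLD = {"0.0.0.0/0", "::/0"}

def evaluate_compliance(config_item: dict) -> tuple:
    """Return (ComplianceType, Annotation) for one AWS::EC2::SecurityGroup configuration item."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if config_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    offending = set()
    for perm in config_item.get("configuration", {}).get("ipPermissions", []):
        # ipProtocol "-1" means all protocols and ports; such entries carry no fromPort/toPort.
        if str(perm.get("ipProtocol")) == "-1":
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        cidrs = {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if cidrs & WORLD:
            offending.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    if offending:
        return "NON_COMPLIANT", f"ports {sorted(offending)} open to 0.0.0.0/0 or ::/0"
    return "COMPLIANT", "no administrative port reachable from the world"

def lambda_handler(event: dict, context=None) -> dict:
    """Entry point AWS Config invokes; returns the evaluation that PutEvaluations expects."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(ci)
    evaluation = {"ComplianceResourceType": ci["resourceType"],
                  "ComplianceResourceId": ci["resourceId"],
                  "ComplianceType": compliance, "Annotation": note,
                  "OrderingTimestamp": ci["configurationItemCaptureTime"]}
    # Inside Lambda, report it with boto3.client("config").put_evaluations(
    #     Evaluations=[evaluation], ResultToken=event["resultToken"]); omitted so this runs offline.
    return evaluation

# Constructed configuration item (placeholder group id): SSH and HTTPS both open to the world.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK", "configurationItemCaptureTime": "2018-06-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}}),
    "ruleParameters": "{}", "resultToken": "TESTMODE",
}
```

A NON_COMPLIANT evaluation is what a Config-triggered remediation (for example a Lambda function that restores the baseline rule set) keys on.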
Seven Systemic Advantages of Cloud Security – Seven reasons, plus one to grow on
1. Security is AWS's highest priority; no compromises, ever
2. Integration of compliance and security
3. Economies of scale and separation of duties
4. Customers refocus on systems and applications
5. Visibility, homogeneity, and automation
6. Cloud platforms as “systems containers”
7. Cloud, big data, security: using the cloud to secure the cloud
8. With cloud speed of innovation and increasing scale, the story will only get better – quickly!
Security “of” AWS
AWS Security Whitepaper:
AWS Global Security Infrastructure
Physical and Environmental Security
Business Continuity Management
Network Security
AWS Employee Access
Secure Design Principles
Change Management
AWS Account Security Features
AWS Service-Specific Security
Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/