
Page 1

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

An Introduction to AWS Cloud Security

Ankush Chowdhary, Principal Security Advisor – APJ, Worldwide Public Sector

Page 2

Agenda

Overview of AWS security

Understand your responsibility in the cloud

AWS Security and Compliance Programs

Overview of AWS Security Products/Services

AWS Cloud Security Design Patterns

Questions?

Page 3

AWS Global Infrastructure

22 Regions – 69 Availability Zones – 176 Edge Locations

Announced Regions: Cape Town, Jakarta, Milan

Region & Number of Availability Zones

US East: N. Virginia (6), Ohio (3)
US West: N. California (3), Oregon (4)
Asia Pacific: Mumbai (3), Seoul (2), Singapore (3), Hong Kong (3), Sydney (3), Tokyo (4), Osaka-Local (1)
Canada: Central (2)
China: Beijing (2), Ningxia (3)
Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
Middle East: Bahrain (3)
South America: São Paulo (3)
AWS GovCloud (US): US-East (3), US-West (3)

Page 4

Security is Our No. 1 Priority

Designed for Security, Constantly Monitored, Highly Automated, Highly Available, Highly Accredited

Page 5

What is AWS Shared Responsibility?

SECURITY IN THE CLOUD: security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services.

SECURITY OF THE CLOUD: security measures that the cloud service provider (AWS) implements and operates.

Page 6

What is AWS Shared Responsibility?

Page 7

Your data stays where you put it.

Page 8

AWS Compliance Programs

Global

United States

Page 9

AWS Compliance Programs

Europe

Asia Pacific

Page 10

All customers benefit from the same security

60+ Assurance programs, including:
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001
• ISO 9001
• PCI DSS Level 1 - Service Provider
• ISO 27017 (security of the cloud)
• ISO 27018 (personal data)
• BSI C5 (Germany) – ESCloud (EU)
• CISPE - GDPR

Page 11

Find Compliance Reports on AWS Artifact

Reports On-Demand, Globally Available, Easy Identification, Quick Assessments, Continuous Monitoring, Enhanced Transparency

https://aws.amazon.com/artifact/

Page 12

Customer Security Operations in AWS

Page 13

Move to AWS: Strengthen your security posture

Automate with deeply integrated security services

Inherit global security and compliance controls

Highest standards for privacy and data security

Largest network of security partners and solutions

Scale with superior visibility and control

Page 14

Highest standards for privacy

Encryption at scale with keys managed by the AWS Key Management Service (KMS), or manage your own encryption keys with CloudHSM using FIPS 140-2 Level 3 validated HSMs

Meet data residency requirements: choose an AWS Region and AWS will not replicate your data elsewhere unless you choose to do so

Access services and tools that enable you to build compliant infrastructure on top of AWS

Comply with local data privacy laws by controlling who can access content, its lifecycle, and disposal

Page 15

Identity and access management

Define, enforce, and audit user permissions across AWS services, actions and resources.

AWS Identity and Access Management (IAM): Securely control access to AWS services and resources

AWS Organizations: Policy-based management for multiple AWS accounts

Amazon Cognito: Add user sign-up, sign-in, and access control to your web and mobile apps

AWS Directory Service: Managed Microsoft Active Directory in the AWS Cloud

AWS Single Sign-On: Centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications
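"Define, enforce, and audit user permissions" is the part of this slide that a security engineer actually has to operationalise. The following Python script is an added example, not code from the deck or from AWS: a small least-privilege linter that walks an IAM policy document and flags Allow statements granting wildcard actions, wildcard resources, or using NotAction. The three policy documents at the bottom are constructed samples; the account id and bucket name in them are invented.

```python
"""Least-privilege linter for IAM policy documents.

Added example, not code from the AWS deck: it demonstrates the "audit user
permissions across services, actions and resources" point by flagging Allow
statements that are broader than a scoped grant. The policies at the bottom
are constructed samples, not policies from any real account.
"""
import json


def _as_list(value):
    # IAM accepts either a string or a list for Action, NotAction and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return one finding string per issue found in the policy's Allow statements.

    Deny statements are skipped: they only ever narrow access. An empty list
    means no statement grants wildcard actions, wildcard resources or uses
    NotAction (which allows everything not listed).
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action not listed")
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API in every service")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(f"{sid}: service-wide action {action}")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' applies the grant to every resource")
    return findings


# Constructed sample policies (account id and bucket name are invented).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SERVICE_WIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Ec2Ops", "Effect": "Allow", "Action": "ec2:*",
                   "Resource": "arn:aws:ec2:ap-southeast-1:123456789012:instance/*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        # A Deny with Resource "*" is fine: it narrows access, never widens it.
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, doc in [("admin", ADMIN_POLICY), ("service-wide", SERVICE_WIDE_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, json.dumps(find_overbroad_statements(doc), indent=2))
```

Run it over policies exported from an account (for example the JSON returned by the IAM `get-policy-version` API) and gate deployment pipelines on an empty findings list; the Deny branch matters, because a linter that treats every `Resource: "*"` as a problem will reject exactly the guard-rail statements you want to keep.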

Page 16

Detective control

Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.

AWS CloudTrail: Enable governance, compliance, and operational/risk auditing of your AWS account

AWS Config: Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting

Amazon CloudWatch: Monitor AWS Cloud resources and your applications on AWS to collect metrics, monitor log files, set alarms, and automatically react to changes

Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads

VPC Flow Logs: Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs
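VPC Flow Logs are the raw material for the "spot issues before they impact the business" promise on this slide, but they only help if something reads them. The following Python script is an added example, not code from the deck or from AWS: it parses records in the default (version 2) flow log format and reports sources whose traffic was REJECTed on many distinct destination ports, the kind of cheap signal you would wire to a CloudWatch alarm. The log lines are constructed samples; the account id, interface id and addresses are invented.

```python
"""Spot rejected-connection bursts in VPC Flow Logs.

Added example, not part of the AWS deck: it runs simple detection logic over
the default (version 2) flow log record format. The log lines below are
constructed samples; the interface id, account id and addresses are invented.
"""
from collections import defaultdict

# Field order of the default flow log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def parse_flow_log(line):
    """Parse one space-separated record into a dict, or return None for records
    that carry no traffic data (NODATA/SKIPDATA records use '-' placeholders)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def rejected_ports_by_source(lines, min_ports=3):
    """Return {srcaddr: sorted distinct dst ports} for sources whose traffic was
    REJECTed (by a security group or network ACL) on at least `min_ports`
    distinct destination ports. Many distinct rejected ports from one source is
    worth an alarm whatever the eventual explanation turns out to be."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample records: four rejects from one source on different ports,
# one normal accepted flow, one isolated reject, and one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 44512 22 6 6 360 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 44513 3389 6 6 360 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 44514 445 6 6 360 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 44515 8080 6 6 360 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51000 443 6 20 4000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51001 23 6 1 60 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1620000000 1620000060 - NODATA
""".splitlines()


if __name__ == "__main__":
    for src, ports in rejected_ports_by_source(SAMPLE_LOG).items():
        print(f"{src}: rejected on {len(ports)} distinct ports {ports}")
```

The NODATA handling is the detail most home-grown parsers get wrong: those records have the same field count but dashes in the numeric columns, so converting blindly to `int` crashes the job on the first quiet minute. In production the same logic runs as a CloudWatch Logs subscription filter target or a scheduled query; the threshold is the tuning knob.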

Page 17

Infrastructure security

Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS.

Amazon EC2 Systems Manager: Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems

AWS Shield: Managed DDoS protection service that safeguards web applications running on AWS

AWS Web Application Firewall (WAF): Protects your web applications from common web exploits, ensuring availability and security

Amazon Inspector: Automates security assessments to help improve the security and compliance of applications deployed on AWS

Amazon Virtual Private Cloud (VPC): Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define

Page 18

Data protection

In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage).

AWS Key Management Service (KMS): Easily create and control the keys used to encrypt your data

AWS CloudHSM: Managed hardware security module (HSM) on the AWS Cloud

Amazon Macie: Machine learning-powered security service to discover, classify, and protect sensitive data

AWS Certificate Manager: Easily provision, manage, and deploy SSL/TLS certificates for use with AWS services

Server Side Encryption: Flexible data encryption options using AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys

Page 19

Incident response

During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.

AWS Config Rules: Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known-good state

AWS Lambda: Use our serverless compute service to run code without provisioning or managing servers so you can scale your programmed, automated response to incidents
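The Config Rules plus Lambda pattern on this slide is a small state machine: a resource drifts out of compliance, Config emits a compliance-change event, and a function decides whether to contain or restore. The following Python module is an added example, not code from the deck or from AWS. It keeps the decision separate from the AWS API call so the decision can be tested offline, and it fails closed on anything it does not recognise. Assumptions: the event layout follows the EventBridge "Config Rules Compliance Change" event as I understand it (`detail.configRuleName`, `detail.resourceType`, `detail.resourceId`, `detail.newEvaluationResult.complianceType`); the rule names in `PLAYBOOK`, the action names and the sample event are constructed for this example.

```python
"""Decide automated remediation from an AWS Config compliance-change event.

Added example, not code from the AWS deck. Assumed event shape (EventBridge
"Config Rules Compliance Change"): detail.configRuleName, detail.resourceType,
detail.resourceId, detail.newEvaluationResult.complianceType. The PLAYBOOK
entries, action names and SAMPLE_EVENT are constructed for illustration.
"""
import json

# Constructed playbook: (Config rule name, resource type) -> remediation action.
PLAYBOOK = {
    ("restricted-ssh", "AWS::EC2::SecurityGroup"): "revoke_open_ssh_ingress",
    ("s3-bucket-public-read-prohibited", "AWS::S3::Bucket"): "apply_public_access_block",
}


def plan_remediation(event, playbook=PLAYBOOK):
    """Return {"action", "resource_id", "rule"} when the event says a resource
    just became NON_COMPLIANT with a rule we have a playbook entry for, else
    None. Anything unexpected means "do nothing": an automated responder must
    fail closed rather than act on a guess."""
    if event.get("source") != "aws.config":
        return None
    detail = event.get("detail", {})
    new_result = detail.get("newEvaluationResult", {})
    if new_result.get("complianceType") != "NON_COMPLIANT":
        return None
    key = (detail.get("configRuleName"), detail.get("resourceType"))
    action = playbook.get(key)
    if action is None or not detail.get("resourceId"):
        return None
    return {"action": action, "resource_id": detail["resourceId"], "rule": key[0]}


def _dry_run(action, resource_id):
    # Default executor: record the decision instead of calling an AWS API.
    # A dry-run phase is a sensible first deployment mode for any auto-remediation.
    print(f"[dry-run] would run {action} on {resource_id}")


def lambda_handler(event, context=None, executor=None):
    """Lambda entry point. `executor(action, resource_id)` performs the change
    (in a real deployment, a function that makes the boto3 calls); it is
    injected so the handler can be exercised without AWS credentials."""
    executor = executor or _dry_run
    plan = plan_remediation(event)
    if plan is None:
        return {"status": "ignored"}
    executor(plan["action"], plan["resource_id"])
    return {"status": "remediated", **plan}


# Constructed sample event; the security group id is invented.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceId": "sg-0123456789abcdef0",
        "resourceType": "AWS::EC2::SecurityGroup",
        "configRuleName": "restricted-ssh",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The playbook is keyed on both rule name and resource type on purpose: a rule name alone is user-chosen and can be reused, and the action you run against a security group is meaningless against a bucket. Keep the executor's IAM role limited to exactly the APIs the playbook actions need; the remediation function is itself a high-value target and the previous slide's least-privilege guidance applies to it first.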

Page 20

AWS Cloud Security & 9 Innovative Design Patterns

Page 21

Integrated Identity and Access Management

Just-in-time access rights + Temporary Credentials

Page 22

Consolidated Logging

API logs + performance, network and application logs + Firehose data streaming; durable highly available storage; durable and cheap archive storage

Page 23

Ubiquitous Encryption

Key storage on HSM: managed KMI or DIY

Archive, object storage, block storage, database, data warehouse, log trails

Out-of-band data transfer

Page 24

Non-Persistent & Elastic

Compute instances scaling automagically

Page 25

Network Architecture: Hybrid Cloud

Logically isolated section of the cloud + virtual firewall + leased line

Page 26

Network Architecture: Resiliency

Virtual firewall, DNS, web app firewall, CDN, auto-scaling, load balancer

Page 27

Monitor and React swiftly

Event-driven serverless code execution + alarms based on performance, network, apps

Page 28

Standardized Environments & Security as Code

Continuous configuration automation + SDK

Page 29

Validate Change at Scale

Inventory, configuration history and change + baseline rules for inventory and configuration

Page 30

Seven Systemic Advantages of Cloud Security - Seven reasons, plus one to grow on

1. Security is AWS's highest priority; no compromises, ever
2. Integration of compliance and security
3. Economies of scale and separation of duties
4. Customers refocus on systems and applications

Page 31

Seven Systemic Advantages of Cloud Security - Seven reasons, plus one to grow on

5. Visibility, homogeneity, and automation
6. Cloud platforms as “systems containers”
7. Cloud, big data, security: using the cloud to secure the cloud
8. With cloud speed of innovation and increasing scale, the story will only get better – quickly!

Page 32

Security “of” AWS

AWS Security Whitepaper:

AWS Global Security Infrastructure
Physical and Environmental Security
Business Continuity Management
Network Security
AWS Employee Access
Secure Design Principles
Change Management
AWS Account Security Features
AWS Service-Specific Security

Page 33

Thank you

https://aws.amazon.com/security/
https://aws.amazon.com/compliance/