aws summit barcelona - security keynote

AWS Summit 2013 Barcelona Oct 24 – Barcelona, Spain

Bill Shinn

AWS Principal Security Solutions Architect

AWS CLOUD SECURITY

SECURITY IS UNIVERSAL

EVERY CUSTOMER HAS ACCESS

TO THE SAME SECURITY

CAPABILITIES CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS

AWS GOV CLOUD

ITAR COMPLIANT

SECURITY IS VISIBLE

CAN YOU MAP YOUR NETWORK?

WHAT IS IN YOUR ENVIRONMENT

RIGHT NOW?

AWS API + CLOUDFORMATION ENVIRONMENT ARCHITECTURE DEFINITION

AND CHANGE DETECTION

SECURITY IS TRANSPARENT

SOC 1 SOC 2 SOC 3 PCI DSS L1 ISO 27001

ITAR FIPS FedRAMP HIPAA

SECURITY IS FAMILIAR

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

LEAST PRIVILEGE PRINCIPLE CONFINE ROLES ONLY TO THE MATERIAL

REQUIRED TO DO A SPECIFIC WORK

USE AWS IAM IDENTITY & ACCESS MANAGEMENT

CONTROL WHO CAN DO WHAT IN

YOUR AWS ACCOUNT

IAM USERS & ROLES

ACCESS TO

SERVICE APIs

NO PASSWORDS

USE SEPARATE SETS OF

CREDENTIALS

ROTATE YOUR AWS SECURITY

CREDENTIALS




3. LOGICAL SECURITY






YOUR DATA IS YOUR

MOST IMPORTANT ASSET

MFA DELETE PROTECTION

ENCRYPT YOUR DATA

AMAZON S3 SSE DATA AT REST

AWS CloudHSM




3. LOGICAL SECURITY






NEED TO KNOW

+

CCTV, GUARDS, MAN TRAPS,

FENCES, ETC…




3. LOGICAL SECURITY






CHANGES IN PRODUCTION

HAVE TO BE AUTHORIZED

DEV & TEST ENVIRONMENT

AWS ACCOUNT A

PRODUCTION ENVIRONMENT

AWS ACCOUNT B

DEPLOYMENT PROCESS

HAS TO BE CONSTRAINED




3. LOGICAL SECURITY






CONTINUOUS DELIVERY MODEL

CONTINUOUS DEPLOYMENT

SESSION 13:30 START-UP TRACK

REDUNDANCY & INTEGRITY

CHECKS

USE MULTIPLE AZs AMAZON S3

AMAZON DYNAMODB

AMAZON RDS MULTI-AZ

AMAZON EBS SNAPSHOTS




3. LOGICAL SECURITY






“GAME DAYS” INSERT ARTIFICIAL SECURITY INCIDENTS.

MEASURE SPEED OF DETECTION AND EXECUTION.

GAME DAYS !! INSERT ARTIFICIAL SECURITY INCIDENTS.

MEASURE SPEED OF DETECTION AND EXECUTION.

SECURITY IS AUDITABLE

VULNERABILITY / PENETRATION

TESTING

LOGS

OBTAINED, RETAINED, ANALYZED

OBTAIN, RETAIN, ANALYSE

YOUR LOGS

PROTECT YOUR LOGS WITH IAM

ARCHIVE YOUR LOGS

TRUSTED ADVISOR

SECURITY IS SHARED

NETWORK SECURITY:

DDOS

NETWORK SECURITY:

SSL

NETWORK SECURITY:

SPOOFING

NETWORK SECURITY:

PORT SCANNING

AMAZON EC2 SECURITY:

HOST OS SSH KEYED LOGINS VIA BASTION HOST

ALL ACCESSES LOGGED AND AUDITED


GUEST OS CUSTOMER CONTROLLED AT ROOT LEVEL

AWS ADMINS CANNOT LOG IN

CUSTOMER-GENERATED KEYPAIRS

“If you need to SSH into your

instance, improve your deployment

process.”


STATEFUL & STATELESS FIREWALL MANDATORY INBOUND

DEFAULT DENY MODE

SECURITY IS

UNIVERSAL

VISIBLE

TRANSPARENT

FAMILIAR

AUDITABLE

SHARED

AWS.AMAZON.COM / SECURITY

AWS.AMAZON.COM/COMPLIANCE

BLOGS.AWS.AMAZON.COM/SECURITY

AWS SECURITY WHITEPAPERS

RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

AWS MARKETPLACE

SECURITY SOLUTIONS

[email protected]

aws summit barcelona - security keynote

Technology

security aws

network security

security capabilities

amazon ec2 security

aws security credentials

artificial security

data amazon s3 sse data

redundancy incident