Securing AWS
Leverage AWS security best practices to reduce your risk.
Kiran Kuppa, Solutions Architect, Amazon Web Services
Maitreya Ranganath, Solutions Architect, Amazon Web Services
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
What to expect from this Session
• Security and Compliance in AWS
• AWS Assurance Programs
• AWS Security Enablers
• Security by Design
• DevSecOps
Why - Modernize Technology Governance
The majority of technology governance relies predominantly on administrative and operational security controls with LIMITED technology enforcement.
Automation is needed so that governance is enforced through technology enablement rather than through administrative process alone.
(Diagram: Assets, Threat, Vulnerability, Risk)
Why is this important?
Modern day IT environments present challenges to managing security and meeting compliance requirements due to the volume of data that needs to be safeguarded and increasing complexity around how users connect to data.
A reliable security approach is needed to ensure data is protected and available to authorized users and systems.
(Diagram: Confidentiality, Integrity, Availability)
Security is Job Zero
Over a Million Active Customers and Every Imaginable Use Case
• 1500+ Government Agencies
• 3600+ Education Institutions
• 190 Countries
• 11,200+ Nonprofits
Requirements from every industry
• Nothing better for the entire community than a tough set of customers…
(Diagram: Financial, Health Care and Government requirements all feed into everyone's systems and applications running on the AWS global infrastructure)
The most sensitive workloads run on AWS
“With AWS, DNAnexus enables enterprises worldwide to perform genomic analysis and clinical studies in a secure and compliant environment at a scale not previously possible.”
— Richard Daly, CEO, DNAnexus
“The fact that we can rely on the AWS security posture to boost our own security is really important for our business. AWS does a much better job at security than we could ever do running a cage in a data center.”
— Richard Crowley, Director of Operations, Slack
“We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”
— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)
Security and Compliance in AWS
Security Of the Cloud and Security In the Cloud
AWS foundational security applies to every customer
AWS maintains a formal control environment
• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Type II and public SOC 3 report
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• HIPAA and MPAA capable
Expert auditors test and validate 360° of the cloud.
AWS is responsible for the security OF the Cloud.
(Diagram: AWS Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations; both validated by independent auditors)
Keys to cloud security
• Cloud goes beyond the traditional elements of security and adds…
• Agility
• Automation
(Diagram: Visibility, Auditability, Controllability)
Who owns Security in a Cloud Environment?
AWS Shared Security Responsibility
▪ Infrastructure Services
▪ Platform Services
▪ Abstracted Services
Security is Shared and Classified by Ownership
AWS Shared Responsibility: for Infrastructure Services
Managed by customers:
▪ Customer Data
▪ Platform & Application Management
▪ Operating system, network, and firewall configuration
▪ Data Confidentiality: Encryption at-rest / in-transit, authentication
▪ Data Availability: HA, DR/BC, Resource Scaling
▪ Data Integrity: Access control, Version control, Backups
▪ Customer IAM
Managed by AWS:
▪ AWS IAM
▪ AWS Endpoints
▪ Foundation Services: Networking, Storage, Compute
▪ AWS Global Infrastructure: Edge Locations, Availability Zones, Regions
Infrastructure Services – Example Amazon EC2
• AWS
▪ Network, Compute, Storage
▪ AWS Global Infrastructure
▪ AWS Endpoints
• Customer
▪ Customer Data
▪ Customer Application
▪ Operating System
▪ Network & Firewall (VPC)
▪ Customer Identity & Access Mgmt
▪ AWS Identity & Access Mgmt (Users, Groups, Roles, Policies)
▪ High-Availability / Scaling
▪ Instance Management
▪ Data Protection (In-transit, At-rest, Backup)
AWS Shared Responsibility: for Platform Services
Managed by customers:
▪ Customer Data
▪ Client-side data encryption & data integrity authentication
▪ Network traffic protection: encryption / integrity / identity
▪ Firewall Configuration
▪ Customer IAM
Managed by AWS:
▪ AWS IAM
▪ Platform & Application Management
▪ Operating system & Network Configuration
▪ AWS Endpoints
▪ Foundation Services: Networking, Databases, Storage, Compute
▪ AWS Global Infrastructure: Edge Locations, Availability Zones, Regions
Platform Services – Example RDS
• AWS
▪ Network, Compute, Storage
▪ AWS Global Infrastructure
▪ AWS Endpoints
▪ Operating System
▪ Instance Management
▪ Platform / Application (Aurora, MS SQL, Oracle, MySQL, PostgreSQL)
• Customer
▪ Customer Data
▪ Firewall (VPC)
▪ Customer Identity & Access Mgmt (DB Users, Table Permissions)
▪ AWS Identity & Access Mgmt (Users, Groups, Roles, Policies)
▪ High-Availability / Scaling
▪ Data Protection (In-transit, At-rest, Backup)
AWS Shared Responsibility: for Abstracted Services
Managed by customers:
▪ Customer Data
▪ Client-side data encryption, data integrity and authentication
▪ AWS IAM
Managed by AWS:
▪ Client-side data encryption provided by platform (protection of data at-rest)
▪ Network traffic encryption provided by platform (protection of data in-transit)
▪ Platform & Application Management
▪ Operating system, network, and firewall configuration
▪ AWS Endpoints
▪ Foundation Services: Networking, Databases, Storage, Compute
▪ AWS Global Infrastructure: Edge Locations, Availability Zones, Regions
Abstracted Services – Example S3
• AWS
▪ Network, Compute, Storage
▪ AWS Global Infrastructure
▪ AWS Endpoints
▪ Platform / Application
▪ Data Protection (In-transit, At-rest)
▪ High-Availability / Scaling
• Customer
▪ Customer Data
▪ Data Protection (In-transit, At-rest)
▪ AWS Identity & Access Mgmt (Users, Groups, Roles, Policies)
Part of your compliance work is done
AWS provides:
▪ Facilities
▪ Physical security
▪ Compute infrastructure
▪ Storage infrastructure
▪ Network infrastructure
▪ Virtualization layer (EC2)
▪ Hardened service endpoints
▪ Rich IAM capabilities
+ Customer provides:
▪ Network configuration
▪ Security groups
▪ OS firewalls
▪ Operating systems
▪ Application security
▪ Service configuration
▪ Account management
▪ Authorization policies
= Secure, compliant workloads
Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
Does This Mean All Workloads Running on AWS are Automatically Compliant?
What does this mean for you?
▪ Customers benefit from an environment built for the most security sensitive organizations
▪ AWS manages and validates testing against more than 3000 security controls so you don’t have to
▪ You get to define the right security controls for your workload sensitivity
▪ You always have full ownership and control of your data
AWS Security & Compliance Resources
Certifications / Attestations:
DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, MLPS Level 3, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2, SOC 3, UK Cyber Essentials, VPAT / Section 508
Laws / Regulations / Privacy:
DNB [Netherlands], EAR, EU Model Clauses, EU Data Protection Directive, FERPA, GLBA, HIPAA, HITECH, IRS 1075, ITAR, My Number Act [Japan], Privacy Act [Australia], Privacy Act [New Zealand], PDPA - 2010 [Malaysia], PDPA - 2012 [Singapore], U.K. DPA - 1988, EU-US Privacy Shield, Spanish DPA Authorization
Alignments / Frameworks:
CIS, CLIA, CJIS, CMS EDGE, CMSR, CSA, FDA, FedRAMP TIC, FISC, FISMA, G-Cloud, GxP (FDA CFR 21 Part 11), IT Grundschutz, MITA 3.0, MPAA, NERC, NIST, PHR, UK Cloud Security Principles
Comprehensive security and compliance profile
Inherit global security and compliance controls
PCI-DSS
Payment Card Industry (PCI) Data Security Standard (DSS)
▪ AWS is Level 1 compliant (highest level).
▪ Validated by an authorized independent QSA.
▪ You can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud.
AWS PCI Package
▪ Attestation of Compliance (AoC)
▪ PCI responsibility summary: description of the in-scope services, customer implementation considerations, overview of shared responsibility
AWS security and compliance resources
▪ AWS Artifact
▪ Introduction to AWS Security
▪ AWS Security Overview
▪ AWS Security Best Practices
▪ AWS Risk & Compliance
▪ Security at Scale Whitepapers
▪ Customer penetration testing requests
▪ Security Partner Solutions
▪ Request more information by contacting us
• aws.amazon.com/security
• aws.amazon.com/compliance
AWS Security Enablers
Manage, secure and audit the use of AWS services
AWS Identity and Access Management (IAM)
• Centrally manage users and user permissions in AWS
▪ Manage users, groups, roles, and policies.
▪ Define which AWS resources users can access.
▪ Federate with other Identity Providers (IdP)
AWS Organizations
▪ Centrally manage groups of AWS accounts
▪ Simplified creation of new AWS accounts
▪ Logically group AWS accounts for management convenience
▪ Apply Service control policies (SCP)
▪ Simplified billing
▪ Control individual account permissions at scale
▪ All organization management activity is logged in AWS CloudTrail
▪ An AWS account can be a member of only one organization
▪ Console, SDK, and CLI support for all management tasks
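As an added example (not from the deck), a service control policy of the kind the SCP bullet above refers to: attached to an organizational unit, it denies the API calls that would stop, delete or alter CloudTrail logging or detach a member account from the organization, regardless of the IAM permissions granted inside the account. The actions are standard AWS action names; the statement ids are illustrative.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectAuditTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PreventLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
```

SCPs filter what an account's principals may do but never grant permissions, and they do not apply to the organization's management account, which is why workloads belong in member accounts.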
Multiple VPCs vs Multiple Accounts
Multiple VPCs:
▪ Development Virtual Private Cloud
▪ Staging Virtual Private Cloud
▪ Production Virtual Private Cloud
▪ Regulated (PCI) Virtual Private Cloud
Multiple Accounts (each with its own Virtual Private Cloud):
▪ Development AWS Account
▪ Staging AWS Account
▪ Production AWS Account
▪ Regulated (PCI) AWS Account
Strategies for Using Multiple AWS Accounts
▪ Separation of production, development and testing environments
▪ Multiple autonomous departments
▪ Centralized security management with multiple autonomous independent projects
Multiple Accounts AND Multiple VPCs
(Diagram: Development, Staging, Production and Regulated (PCI) AWS accounts, each an account boundary containing a virtual private cloud as the network boundary and running App 1 through App X; all are linked to a Central Governance AWS account for billing, administration and connectivity)
Central Governance account:
▪ Account provisioning
▪ Security oversight
▪ VPC configuration
▪ IAM configuration
▪ Development / approval of templates
▪ AMI creation / management
▪ Shared Services
▪ Monitoring / Logging
Compute & Network Security
Amazon VPC
▪ Virtual network dedicated to your AWS account.
▪ Logically isolated from other virtual networks in the AWS cloud.
▪ You choose the IP address range for your VPC.
▪ Can span multiple Availability Zones.
Amazon VPC Security
• VPC Security Groups (mandatory)
▪ Instance level, stateful
▪ Supports ALLOW rules only
▪ Default deny inbound, allow outbound
▪ Use as “whitelist” – least privilege
• VPC NACLs (optional)
▪ Subnet level, stateless
▪ Supports ALLOW and DENY
▪ Default allow all
▪ Use as “guardrails”
• Changes audited via AWS CloudTrail
(Diagram: a VPC containing a subnet guarded by NACLs, with a security group attached to the instance inside it)
VPC Flow Logs
▪ Agentless
▪ Enable per ENI, per subnet, or per VPC
▪ Logged to AWS CloudWatch Logs
▪ Create alarms from log data
Fields in each flow log record: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject
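As an added example (not from the deck), the following parses flow log records in the field order listed above and flags sources that the VPC keeps rejecting on several different destination ports, which is the kind of pattern worth an alarm; it also returns the CloudWatch Logs filter pattern for a "rejected traffic" metric. The sample records are constructed, and the account id and ENI id in them are placeholders.

```python
"""Flag source addresses that a VPC keeps rejecting across several ports.

Each VPC Flow Log record (version 2) carries the fields listed on the slide:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status.
"""
from collections import defaultdict

# Constructed sample records (not real traffic); the account id and ENI id
# are placeholders and the addresses come from documentation ranges.
SAMPLE_RECORDS = """\
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.15 52344 22 6 3 180 1500000000 1500000059 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.15 52345 23 6 3 180 1500000000 1500000059 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.15 52346 3389 6 3 180 1500000000 1500000059 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.15 52347 445 6 3 180 1500000000 1500000059 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.9 10.0.1.15 41000 443 6 20 9000 1500000000 1500000059 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.9 10.0.1.15 41001 22 6 2 120 1500000000 1500000059 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1500000000 1500000059 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """Yield one dict per record; NODATA/SKIPDATA records carry no traffic
    fields and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        yield rec


def rejected_port_sweeps(text, min_ports=3):
    """Map srcaddr -> sorted distinct destination ports for every source that
    was REJECTed on at least `min_ports` different ports in the window."""
    ports = defaultdict(set)
    for rec in parse_flow_log(text):
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def reject_metric_filter():
    """CloudWatch Logs filter pattern (space-delimited syntax) that matches
    REJECT records, for the metric filter behind a "rejected traffic" alarm."""
    return ("[version, account, eni, source, destination, srcport, destport, "
            "protocol, packets, bytes, windowstart, windowend, "
            "action=\"REJECT\", flowlogstatus]")


if __name__ == "__main__":
    for src, hit in rejected_port_sweeps(SAMPLE_RECORDS).items():
        print(f"{src} rejected on ports {hit}")
```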
AWS DDoS Shield
• Standard Protection: for protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture on AWS. Available to ALL AWS customers at no additional cost.
• Advanced Protection: for additional protection against larger and more sophisticated attacks, visibility into attacks, and 24x7 access to DDoS experts for complex cases. Paid service that provides additional, comprehensive protections from large and sophisticated attacks.
Attack notification and reporting
Attack monitoring and detection
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics and packet captures for attack forensics
• Historical attack reports
AWS Shield Advanced cost protection
• AWS absorbs scaling cost due to DDoS attack on:
▪ Amazon CloudFront
▪ Elastic Load Balancer
▪ Application Load Balancer
▪ Amazon Route 53
AWS WAF
AWS WAF – Layer 7 application protection
Protects against: HTTP floods, scanners and probes, SQL injection, bots and scrapers, IP reputation lists, cross-site scripting
Use AWS WAF to Mitigate OWASP’s Top 10 Web Application
Logging and Monitoring
AWS CloudTrail
• Track changes made to your AWS resources
• Records all API calls made on your account
• Enabled on a per-region basis
• Integration with 3rd party solutions (ex. Splunk)
• Benefits:
▪ Resource change tracking
▪ Security analysis
▪ Demonstrate Compliance
What is recorded?
✓ The identity of the API caller
✓ The time of the API call
✓ The request parameters
✓ The response elements
Amazon CloudWatch
• AWS managed service providing a reliable, scalable, and flexible monitoring solution that you can start using within minutes.
• You no longer need to set up, manage, and scale your own monitoring systems and infrastructure.
▪ CloudWatch - monitor AWS resources and applications you run on AWS in real time
▪ CloudWatch Events - send system events from AWS resources to AWS Lambda functions, Amazon SNS topics, streams in Amazon Kinesis, and other target types
▪ CloudWatch Logs - monitor, store, and access your log files from Amazon EC2 instances, AWS CloudTrail, or other sources
Amazon Simple Notification Service (SNS)
• A web service that makes it easy to set up, operate, and send notifications.
• Publish messages from an application and immediately deliver them to subscribers or other applications.
▪ Messages published to topic.
▪ Topic subscribers receive message.
(Diagram: a publisher sends to an SNS topic; subscribers receive via SQS, HTTP/S, SMS, mobile push, or Lambda)
Amazon Macie
• Amazon Macie is an AI-powered security service that helps you prevent data loss by automatically discovering, classifying, and protecting sensitive data stored in AWS.
• Amazon Macie uses machine learning to recognize sensitive data such as personally identifiable information (PII) or intellectual property, assigns a business value, and provides visibility into where this data is stored and how it is being used in your organization.
• Amazon Macie continuously monitors data access activity for anomalies, and delivers alerts when it detects risk of unauthorized access or inadvertent data leaks.
Amazon GuardDuty
• Threat detection service
• Continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.
• Monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise.
• Detects potentially compromised instances or reconnaissance by attackers.
Encryption Services
AWS Key Management Service (KMS)
Managed service to securely create, control, rotate, and use encryption keys.
(Diagram: Customer Master Key(s) protect Data Key 1 through Data Key 4, which in turn encrypt an Amazon S3 object, an Amazon EBS volume, and an Amazon Redshift cluster)
AWS CloudHSM
Help meet compliance requirements for data security by using a dedicated Hardware Security Module appliance with AWS.
(Diagram: the CloudHSM appliance sits inside your Amazon Virtual Private Cloud; the AWS administrator manages the appliance, you control keys and crypto operations)
• Dedicated, single-tenant hardware device
• Can be deployed as HA and load balanced
• Customer use cases:
▪ Oracle TDE
▪ MS SQL Server TDE
▪ Setup SSL connections
▪ Digital Rights Management (DRM)
▪ Document Signing
KMS vs CloudHSM
KMS: Multi-tenant AWS service. CloudHSM: Single-tenant HSM.
KMS: Highly available and durable key storage and management. CloudHSM: Customer-managed durability and availability.
KMS: AWS managed root of trust. CloudHSM: Customer managed root of trust.
KMS: Broad support for AWS services. CloudHSM: Broad third-party app support.
KMS: Symmetric encryption only. CloudHSM: Symmetric and asymmetric options.
Configuration Management
AWS CloudFormation
Infrastructure as Code
Allows you to define a “template” which is composed of different “resources” and then provision that template into repeatable, live “stacks”.
Why Infrastructure as Code?
• Automates deployment, provisioning, and configuration of the entire infrastructure
▪ Deploy servers, configure networking, assign storage
▪ Manage configuration and access
▪ Track and audit changes
• Embeds security controls and compliance auditing
AWS Service Catalog
▪ Centrally manage catalogs of IT services approved for use on AWS
▪ Enables users to quickly deploy approved IT services in a self-service manner
▪ Helps achieve consistent governance and meet compliance requirements
AWS Config
▪ Managed service that provides AWS resource inventory, configuration history, and configuration change notifications.
▪ Provides continuous details on all configuration changes associated with AWS resources.
▪ Combines with CloudTrail for full visibility into what contributed to the change.
▪ Enables compliance auditing, security analysis, resource change tracking, and troubleshooting.
AWS Config Rules
Continuously monitors the configuration of existing and new AWS resources to assess compliance with desired configurations.
• Features
▪ Flexible rules evaluated continuously and retroactively
▪ Dashboard and reports for common goals
▪ Customizable remediation
▪ API automation
• Benefits
▪ Continuous monitoring for unexpected changes
▪ Shared compliance across your organization
▪ Simplified management of configuration changes
Amazon Inspector
Security assessment tool analyzing end-to-end application configuration and activity.
• Features
▪ Configuration scanning engine
▪ Activity monitoring
▪ Built-in content library
▪ Automatable via API
▪ Fully auditable
• Benefits
▪ Common Vulnerabilities and Exposures (CVE)
▪ Network Security Best Practices
▪ Authentication Best Practices
▪ Operating System Best Practices
▪ Application Security Best Practices
Security by Design
Automating Security, Compliance, and Governance in AWS
What is Security by Design (SbD)?
▪ Modern, systematic, security assurance approach
▪ Formalizes AWS account design, automates security controls, and streamlines auditing
▪ Provides security control built in throughout the AWS IT management process
Effective security is ubiquitous and automatic…
Security by Design Four Phase Approach
1. Understand your requirements
2. Build a “secure environment” that fits your requirements
3. Enforce the use of the templates
4. Perform validation activities
#1: Understand your requirements
Security Controls
▪ Access
▪ Audit
▪ Config Mgmt
▪ Contingency Plans
Data Classification
▪ Data Type
▪ Data Impact
▪ Data Sensitivity
Data Usage
▪ Storage
▪ Retention
▪ Processing
▪ Sharing
Regulations
▪ Governmental
▪ Organizational
▪ Individual
#2: Build a “secure environment”
• What are the different options for securing your environment?
▪ Service selection
▪ Encryption
▪ Network segmentation
▪ User permissions
▪ Authorized OS images
▪ Resource protection
▪ Logging / monitoring
#3: Enforce the use of templates
▪ What if the ONLY choices are “pre-approved templates”?
▪ Templates guarantee ALL configurations comply with your organization’s security standards
#4: Perform Validation Activities
• 100% Audit-Ready
▪ Environments deployed from templates are audit-ready
▪ Rules defined within the templates are the baseline for comparison
• 100% Audit Coverage
▪ Auditing itself is configured and enabled via template
▪ Auditing is performed continuously and in real-time
▪ Properly scoped permissions prevent and detect attempts to tamper with or disable auditing
• 100% Visibility
▪ Audit information captures the state of all deployed resources
• 100% Remediation
▪ Non-compliant resources are flagged and alerts are generated
▪ These alerts can be used to trigger actions such as quarantining the offending resource
Security by Design Deployment
(Diagram: Admins author an AWS CloudFormation template and publish it through AWS Service Catalog; Users deploy it into Amazon VPC under constrained permissions; AWS CloudTrail, AWS Config, and Amazon CloudWatch record and monitor the result)
Impact of Security by Design
▪ Creates forcing functions that cannot be overridden by users
▪ Establishes reliable operation of controls
▪ Enables continuous and real-time auditing
▪ Represents the technical scripting of your governance policy
• Result
▪ Automated environment enabling enforcement of security and compliance policies and a functionally reliable governance model.
Automated Countermeasure Examples
Application DoS - Random searches
(Diagram: good users and bad guys reach Amazon CloudFront, which is fronted by AWS WAF; Amazon S3, AWS Lambda and Amazon SNS complete the feedback loop)
▪ Access logs to S3
▪ Lambda parses logs
▪ Counts requests per minute from same IP
▪ IP added to Auto Block rule
▪ Notification
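As an added example (not from the deck), the Lambda-side logic of the countermeasure above: parse CloudFront access logs delivered to S3, count requests per client IP per minute, and push any IP over the threshold into the IP set behind the WAF "auto block" rule. The log excerpt is constructed with documentation addresses; the IP set id is a placeholder and the WAF calls use the classic AWS WAF API (`get_change_token`, `update_ip_set`) through an injectable client so the logic runs offline.

```python
"""Detect per-IP request floods in CloudFront access logs and build the
AWS WAF IP set update that adds the offenders to an "auto block" rule."""
from collections import Counter

# Constructed CloudFront access log excerpt (W3C format, tab-separated);
# addresses are documentation ranges, not real clients.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status",
] + [
    f"2017-10-24\t10:15:{s:02d}\tIAD53\t512\t198.51.100.23\tGET\td1.cloudfront.net\t/search?q=x{s}\t200"
    for s in range(0, 60, 2)      # 30 random-search requests inside one minute
] + [
    "2017-10-24\t10:15:07\tIAD53\t1024\t203.0.113.5\tGET\td1.cloudfront.net\t/index.html\t200",
    "2017-10-24\t10:16:31\tIAD53\t1024\t203.0.113.5\tGET\td1.cloudfront.net\t/about.html\t200",
])


def requests_per_minute(log_text):
    """Count requests per (client IP, 'yyyy-mm-dd hh:mm'). Columns are located
    through the #Fields header so the parser survives field-order changes."""
    counts = Counter()
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        minute = f'{row["date"]} {row["time"][:5]}'
        counts[(row["c-ip"], minute)] += 1
    return counts


def offending_ips(log_text, threshold=20):
    """IPs that exceeded `threshold` requests within any single minute."""
    return sorted({ip for (ip, _), n in requests_per_minute(log_text).items() if n > threshold})


def ip_set_updates(ips):
    """Build the Updates list expected by waf.update_ip_set (classic AWS WAF)."""
    return [{"Action": "INSERT",
             "IPDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}} for ip in ips]


def auto_block(waf_client, ip_set_id, log_text, threshold=20):
    """Add flooding IPs to the IP set referenced by the WAF auto-block rule.
    `waf_client` is a boto3 'waf' client (or a test double); `ip_set_id` is
    whatever the deployment's auto-block rule references (placeholder here)."""
    ips = offending_ips(log_text, threshold)
    if ips:
        token = waf_client.get_change_token()["ChangeToken"]
        waf_client.update_ip_set(IPSetId=ip_set_id, ChangeToken=token,
                                 Updates=ip_set_updates(ips))
    return ips
```

Pair the block with a second, scheduled function that removes entries after a cooling-off period, otherwise a shared NAT address that tripped the threshold once stays blocked indefinitely.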
Brute force login on SSH bastion
(Diagram: good users and bad guys reach the SSH bastion in the DMZ subnet; Amazon CloudWatch, AWS Lambda and Amazon SNS close the loop)
▪ SSH access logs
▪ Alarm triggered
▪ NACL deny rule created
▪ Notification
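As an added example (not from the deck), the response half of the bastion countermeasure: pick the offending sources out of the sshd log that CloudWatch Logs received, then choose a network ACL rule number for the DENY entry. The rule-number step is the part that is easy to get wrong: NACL entries are evaluated in ascending order, so a DENY that lands above the existing ALLOW for port 22 never fires. The auth log excerpt is constructed with documentation addresses; the ACL id is a placeholder and the returned dict is the keyword set for boto3's `ec2.create_network_acl_entry`.

```python
"""Turn SSH brute-force evidence from a bastion's auth log into a subnet-level
block: a DENY entry in the DMZ subnet's network ACL that sorts before the ALLOW."""
import re
from collections import Counter

FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

# Constructed auth.log excerpt (documentation addresses, not real clients).
SAMPLE_AUTH_LOG = "\n".join(
    [f"Oct 24 10:15:{s:02d} bastion sshd[2211]: Failed password for invalid user admin "
     f"from 198.51.100.7 port {40000 + s} ssh2" for s in range(12)]
    + ["Oct 24 10:15:30 bastion sshd[2230]: Failed password for ec2-user from 203.0.113.5 port 51000 ssh2",
       "Oct 24 10:15:41 bastion sshd[2230]: Accepted publickey for ec2-user from 203.0.113.5 port 51000 ssh2"])


def failed_logins_by_ip(log_text):
    """Count 'Failed password' lines per source address."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   if (m := FAILED_LOGIN.search(line)))


def brute_force_sources(log_text, threshold=10):
    """Sources with at least `threshold` failed logins in the excerpt."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


def next_deny_rule_number(entries):
    """Lowest free ingress rule number that still sorts before every ALLOW entry.
    `entries` is the 'Entries' list from ec2.describe_network_acls; the
    catch-all rule 32767 is ignored. Raises when no such number exists, which
    means the ACL's ALLOW rules are numbered too low and should be renumbered."""
    ingress = [e for e in entries if not e["Egress"] and e["RuleNumber"] < 32767]
    used = {e["RuleNumber"] for e in ingress}
    first_allow = min((e["RuleNumber"] for e in ingress if e["RuleAction"] == "allow"),
                      default=32767)
    candidate = 1
    while candidate in used:
        candidate += 1
    if candidate >= first_allow:
        raise RuntimeError("no free rule number below the first ALLOW; renumber the ACL")
    return candidate


def deny_entry(acl_id, rule_number, ip):
    """Keyword arguments for ec2.create_network_acl_entry: deny TCP/22 from `ip`."""
    return dict(NetworkAclId=acl_id, RuleNumber=rule_number, Protocol="6",
                RuleAction="deny", Egress=False, CidrBlock=f"{ip}/32",
                PortRange={"From": 22, "To": 22})
```

A NACL holds a limited number of rules (20 by default), so the Lambda that adds entries needs a matching expiry job, or the block list fills up and the next create call fails.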
Unintended IAM access granted
(Diagram: devs act through the AWS CLI, SDK or console; Amazon CloudWatch Events, AWS Lambda and Amazon SNS respond when elevated privileges are granted)
▪ IAM API Events
▪ Deliver event upon rule match
▪ Revoke IAM access if user not in Admins group
▪ Notification
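As an added example (not from the deck), a Lambda-style handler for the countermeasure above; it also shows the four things the CloudTrail slide says are recorded (caller identity, time, request parameters, response elements) as they arrive inside a CloudWatch Events event. The sample event is constructed, its account id and ARNs are placeholders, and the IAM and SNS clients are injected so the handler runs offline with test doubles.

```python
"""Lambda-style handler for the "unintended IAM access granted" countermeasure:
when a CloudWatch Events rule matches an IAM API call (delivered via CloudTrail),
undo the grant unless the caller belongs to the Admins group, then notify."""
import json

# eventName -> (boto3 IAM call that undoes it, CloudTrail request parameters to copy)
REVOCATIONS = {
    "AttachUserPolicy": ("detach_user_policy", ("userName", "policyArn")),
    "PutUserPolicy":    ("delete_user_policy", ("userName", "policyName")),
    "AddUserToGroup":   ("remove_user_from_group", ("userName", "groupName")),
}
# CloudTrail records request parameters in lowerCamelCase; boto3 wants UpperCamelCase.
PARAM_NAMES = {"userName": "UserName", "policyArn": "PolicyArn",
               "policyName": "PolicyName", "groupName": "GroupName"}


def caller_is_admin(iam, detail, admin_group="Admins"):
    """True when the IAM user that made the call is a member of `admin_group`.
    Calls made by roles or the root user are treated as non-admin here and
    therefore revoked; adapt that choice to the account's break-glass design."""
    identity = detail["userIdentity"]
    if identity.get("type") != "IAMUser":
        return False
    groups = iam.list_groups_for_user(UserName=identity["userName"])["Groups"]
    return any(g["GroupName"] == admin_group for g in groups)


def handle_event(event, iam, sns, topic_arn):
    """Revoke an unapproved grant and publish a notification; returns a summary.
    `iam` and `sns` are boto3 clients (or test doubles)."""
    detail = event["detail"]
    name = detail["eventName"]
    if name not in REVOCATIONS or caller_is_admin(iam, detail):
        return {"eventName": name, "revoked": False}
    undo_call, keys = REVOCATIONS[name]
    params = {PARAM_NAMES[k]: detail["requestParameters"][k] for k in keys}
    getattr(iam, undo_call)(**params)
    sns.publish(TopicArn=topic_arn,
                Subject=f"Revoked {name} by {detail['userIdentity'].get('userName', '?')}",
                Message=json.dumps({"eventTime": detail.get("eventTime"),
                                    "caller": detail["userIdentity"],
                                    "requestParameters": detail["requestParameters"],
                                    "responseElements": detail.get("responseElements"),
                                    "undo": undo_call, "params": params}, default=str))
    return {"eventName": name, "revoked": True, "undo": undo_call, "params": params}


# Constructed sample event in the shape CloudWatch Events delivers for
# "AWS API Call via CloudTrail"; the account id and ARNs are placeholders.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.iam",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "eventTime": "2017-10-24T10:15:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "dev-alice",
                         "arn": "arn:aws:iam::111122223333:user/dev-alice"},
        "requestParameters": {"userName": "dev-alice",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
        "responseElements": None,
    },
}
```

The Lambda's own execution role needs only the detach/delete/remove and list-groups permissions plus sns:Publish; giving it iam:* would make the remediation function itself the next escalation path.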
DevSecOps
Thank you!
Q&A