
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Tomas Clemente Sanchez, Senior Consultant Security, Risk and Compliance

September 21st 2017

Getting Started with AWS Security

Move Fast AND Stay Secure

Making life easier

Choosing security does not mean giving up on convenience or introducing complexity

Understand AWS Security

• Shared Responsibility
  – Let AWS do the heavy lifting
  – Focus on what’s most valuable to your business

• Customer
  • Choice of Guest OS
  • Application Configuration Options
  • Account Management flexibility
  • Security Groups
  • ACLs
  • Identity Management

• AWS
  • Facility operations
  • Physical Security
  • Physical Infrastructure
  • Network Infrastructure
  • Virtualisation Infrastructure
  • Hardware lifecycle management

Security is a shared responsibility

Shared Responsibility Model

AWS Global Infrastructure

16 AWS Regions (+5 announced)

Each Region has at least 2 Availability Zones

44 (+16) Availability Zones (AZs)

77 AWS Edge Locations

Availability Zone A

Availability Zone B

Availability Zone C

AWS Assurance Programs

AWS maintains a formal control environment
• SOC 1 Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001, 27017, 27018 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• Architect for HIPAA compliance
• EU Data Protection
• C5 (GER), Cyber Essentials Plus (UK)

Establish network security

VPC = Virtual Private Cloud
Your virtual data center on AWS
Block of IPs that define your network (typically RFC 1918)
Can span multiple AZs
Default VPCs

VPC

Availability Zone A Availability Zone B

VPC CIDR: 10.1.0.0 /16

Range of IPs in your VPC IP range
Lives inside an AZ
Can provide security at the subnet or network level with access control lists (ACLs)
Can route at the subnet level
Default VPC subnets

VPC subnet

Subnet

Availability Zone A

Subnet

Availability Zone B

10.1.1.0/24 10.1.10.0/24

VPC CIDR: 10.1.0.0 /16

NACL = network access control list

An optional layer of security that acts as a firewall for a subnet
A numbered list of rules that we evaluate in order
ACLs are stateless and have separate inbound and outbound rules

Network access control list

Availability Zone A Availability Zone B

VPC CIDR: 10.1.0.0 /16

VPC Subnet with ACL VPC Subnet with ACL

VPC Subnet with ACL

A security group acts as a virtual firewall for your EC2 instance
An EC2 instance can have up to five security groups
Security groups act at the instance level, not the subnet level
Security groups are stateful
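To make the NACL behaviour described on the previous slide concrete, here is an added example (not from the deck) that evaluates a numbered rule list the way the text describes: lowest number first, first match wins, no match denies, and because the list is stateless the reply to an inbound HTTPS request must be allowed by a separate outbound rule on the client's ephemeral port. A stateful security group tracks the connection and needs no such return rule. Rule numbers, CIDRs and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int     # NACL rules are evaluated lowest number first
    protocol: str   # "tcp", "udp" or "all"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    allow: bool

def evaluate_nacl(rules, proto, addr, port):
    """Stateless check: first matching rule decides; the implicit final rule denies."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", proto):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol != "all" and not (r.port_from <= port <= r.port_to):
            continue
        return r.allow
    return False

# Constructed rules for a public subnet that serves HTTPS.
INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, True),
]
OUTBOUND_BROKEN = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, True),       # outbound HTTPS only
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, True),    # replies to clients' ephemeral ports
]

def https_session_ok(outbound_rules, client_ip="203.0.113.7", client_port=51234):
    """Both directions must pass: the request in on 443 and the reply out to the client port."""
    request_in = evaluate_nacl(INBOUND, "tcp", client_ip, 443)
    reply_out = evaluate_nacl(outbound_rules, "tcp", client_ip, client_port)
    return request_in and reply_out

def blocked_range_effective(deny_rule_number):
    """A deny for one range only takes effect if its number sorts before the broad allow."""
    rules = INBOUND + [NaclRule(deny_rule_number, "tcp", "198.51.100.0/24", 443, 443, False)]
    return not evaluate_nacl(rules, "tcp", "198.51.100.9", 443)
```

With OUTBOUND_BROKEN the handshake reply is dropped by the subnet even though the security group would have allowed it, which is the classic symptom of a stateless ACL missing its ephemeral-port rule.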

Security groups

Availability Zone A Availability Zone B

Subnet: 10.1.1.0/24 Subnet: 10.1.10.0/24

Security Group

EC2 EC2 EC2 EC2

VPC Public Subnet 10.10.1.0/24 VPC Public Subnet 10.10.2.0/24

VPC CIDR 10.10.0.0/16

VPC Private Subnet 10.10.3.0/24 VPC Private Subnet 10.10.4.0/24

VPC Private Subnet 10.10.5.0/24 VPC Private Subnet 10.10.6.0/24

AZ A AZ B

Public ELB

Internal ELB

RDS Master

Autoscaling Web Tier

Autoscaling Application Tier

Internet Gateway

RDS Standby

Snapshots

Multi-AZ RDS Data Tier

Existing Datacenter

Virtual Private Gateway

Customer Gateway

VPN Connection

Direct Connect

Network Partner Location

Administrators & Corporate Users

Amazon Virtual Private Cloud

Availability Zone A

Private subnet

Public subnet

Private subnet

Availability Zone B

Public subnet

Private subnet

ELB

Web

Back end

VPC CIDR 10.1.0.0/16

ELB

Web

Back end

VPC

sg_ELB_FrontEnd (ELB Security Group)

sg_Web_Frontend (Web Security Group)

Security Groups

sg_Backend (Backend Security Group)


AWS WAF: Web Application Firewall

AWS WAF in action

AWS Management Console

Admins

Developers

AWS API

Web app in CloudFront

Define rules

Deploy protection

AWS WAF

AWS WAF Partner integrations

• Alert Logic, Trend Micro, and Imperva integrating with AWS WAF
• Offer additional detection and threat intelligence
• Dynamically modify rulesets of AWS WAF for increased protection

AWS Shield

Standard Protection: Available to ALL AWS customers at No Additional Cost

Advanced Protection: Paid service that provides additional, comprehensive protections from large and sophisticated attacks

Integrate Identity & Access Management

IAM: Identity and Access Management

With AWS IAM you get to control who can do what in your AWS environment and from where

Fine-grained control of your AWS cloud with two-factor authentication

Integrated with your existing corporate directory using SAML 2.0 and single sign-on

AWS account owner

Network management

Security management

Server management

Storage management

AWS Identity & Access Management

IAM Users IAM Groups IAM Roles IAM Policies

Implement Data Protection

Cryptographic Services

Amazon CloudHSM

✓ Deep integration with AWS Services
✓ CloudTrail
✓ AWS SDK for application encryption

✓ Dedicated HSM
✓ Integrate with on-premises HSMs
✓ Hybrid Architectures

AWS KMS

AWS Key Management Service

Encryption key management and compliance made easy

One-click Encryption of server and database storage

Centralized key management (create, delete, view, set policies)

Enforced, automatic key rotation

Visibility into any changes via CloudTrail

AWS Key Management Service

Enable Detective Controls

AWS CloudTrail & CloudWatch

AWS CloudTrail

Amazon CloudWatch

✓ Enable globally for all AWS Regions
✓ Encryption & Integrity Validation
✓ Archive & Forward

✓ Amazon CloudWatch Logs
✓ Metrics & Filters
✓ Alarms & Notifications

CloudTrail: Record AWS API Calls

AWS CloudTrail records AWS API calls for your account and delivers log files to you.

The recorded information includes caller identity, time, the source IP address, parameters, and the response returned by the AWS service.

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
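The security analysis the slide mentions starts with reading the fields CloudTrail records (caller identity, time, source IP, parameters, response). As an added example that is not part of the deck, the following walks a batch of CloudTrail-style records and flags three things a reviewer would want to see: API calls made with root credentials, AccessDenied responses, and calls from outside an assumed corporate egress range. The records and the corporate range are constructed.

```python
import ipaddress
import json

# Constructed CloudTrail-style records, trimmed to the fields used below.
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventTime": "2017-09-21T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2017-09-21T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"groupId": "sg-0123abcd"}},
    {"eventTime": "2017-09-21T09:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy", "sourceIPAddress": "192.0.2.11",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorCode": "AccessDenied"},
]})

# Assumed office egress range (constructed, documentation prefix).
CORPORATE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def review_cloudtrail(raw_json, corporate_nets=CORPORATE_NETS):
    """Return (eventName, reason) findings for the records that merit a human look."""
    findings = []
    for ev in json.loads(raw_json)["Records"]:
        who = ev.get("userIdentity", {})
        name = ev["eventName"]
        if who.get("type") == "Root":
            findings.append((name, "root credentials used for an API call"))
        if ev.get("errorCode") == "AccessDenied":
            findings.append((name, f"AccessDenied for {who.get('userName', '?')}"))
        try:
            src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # service-originated calls carry a service name here, not an IP
        if not any(src in net for net in corporate_nets):
            findings.append((name, f"call from outside corporate range: {src}"))
    return findings
```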

CloudWatch Logs: Centralize Your Logs

Send existing system, application, and custom log files to CloudWatch Logs via our agent, and monitor these logs in near real-time.

This can help you better understand and operate your systems and applications, and you can store your logs using highly durable, low-cost storage for later access.

VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics

AWS account

Source IP

Destination IP

Source port

Destination port

Interface

Protocol

Packets

Bytes

Start/end time

Accept or reject

VPC Flow Logs

• Amazon Elasticsearch Service

• Amazon CloudWatch Logs subscriptions

VPC Flow Logs – CloudWatch Alarms
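As an added example that is not from the deck, the following parses records in the default version 2 flow log format, which carries exactly the fields listed on the slide, and builds the kind of metric a CloudWatch metric filter and alarm would act on: the number of distinct destination ports rejected per source address. The log lines and the alarm threshold are constructed.

```python
# Constructed sample records in the default VPC Flow Logs (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.1.1.10 41234 22 6 1 44 1505993400 1505993460 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.1.1.10 41235 23 6 1 44 1505993401 1505993461 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.1.1.10 41236 3389 6 1 44 1505993402 1505993462 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.1.1.10 50111 443 6 12 6400 1505993403 1505993463 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1505993404 1505993464 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

def parse_flow_log(text):
    """Turn raw flow log lines into dicts; skip malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic fields are populated for these records
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def rejected_ports_by_source(records):
    """Metric-filter style aggregation: distinct destination ports rejected per source address."""
    ports = {}
    for rec in records:
        if rec["action"] == "REJECT":
            ports.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return ports

def sources_over_threshold(records, threshold=3):
    """Alarm condition: sources whose count of rejected distinct ports reaches the threshold."""
    return sorted(src for src, p in rejected_ports_by_source(records).items() if len(p) >= threshold)
```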

Trusted Advisor


Amazon Inspector

• Vulnerability Assessment Service
• Built from the ground up to support the Dev/Ops model
• Automatable via APIs
• AWS context aware
• Static & dynamic telemetry
• Integrated with CI/CD tools
• On-demand pricing model
• CVE & CIS rules packages
• AWS AppSec best practices

Prioritized findings

Detailed remediation recommendations

Optimize Change Management

AWS CloudFormation – Infrastructure as Code

Template

Stack

AWS CloudFormation

✓ Orchestrate changes across AWS Services

✓ Use as foundation to Service Catalog products

✓ Use with source code repositories to manage infrastructure changes

✓ JSON-based text file describing infrastructure

✓ Resources created from a template

✓ Can be updated

✓ Updates can be restricted

Change Sets – Create Change Set


AWS Config & Config Rules

AWS Config

Amazon Config Rules

✓ Record configuration changes continuously

✓ Time-series view of resource changes

✓ Archive & Compare

✓ Enforce best practices

✓ Automatically roll back unwanted changes

✓ Trigger additional workflow

AWS Config: Record AWS Environment Changes

AWS Config records AWS environment configuration and changes information for your account.

Snapshots answer the question “What did my environment look like, at time x?”

History answers the question “What changes have happened, to infrastructure element I over time?”

Continuous Change Recording

Changing Resources

History

Stream

Snapshot (ex. 2014-11-05)

AWS Config

AWS Config – VPC Example


AWS Config Rules – Tenancy Enforcement Example


Resources

Security Community

Partner ecosystem

Customer ecosystem

AWS Platform & Tools

AWS Marketplace Security Partners

Infrastructure Security

Logging & Monitoring

Identity & Access Control

Configuration & Vulnerability Analysis

Data Protection

aws.amazon.com/security/

AWS Training & Certification

Certification

aws.amazon.com/certification

Self-Paced Labs

aws.amazon.com/training/self-paced-labs

Try products, gain new skills, and get hands-on practice working with AWS technologies

aws.amazon.com/training

Training

Validate your proven skills and expertise with the AWS platform

Build technical expertise to design and operate scalable, efficient applications on AWS

Strengthen your security posture

Get native functionality and tools

Over 30 global compliance certifications and accreditations

Leverage security enhancements gleaned from millions of customer experiences

Benefit from AWS industry leading security teams 24/7, 365 days a year

Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”

Rob Alexander, CIO, Capital One

Thank you!