© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tomas Clemente Sanchez, Senior Consultant, Security, Risk and Compliance
September 21st 2017
Getting Started with AWS Security
Making life easier
Choosing security does not mean giving up on convenience or introducing complexity.
• Shared Responsibility
  – Let AWS do the heavy lifting
  – Focus on what’s most valuable to your business

Security is a shared responsibility
• Customer
  – Choice of Guest OS
  – Application Configuration Options
  – Account Management flexibility
  – Security Groups
  – ACLs
  – Identity Management
• AWS
  – Facility operations
  – Physical Security
  – Physical Infrastructure
  – Network Infrastructure
  – Virtualisation Infrastructure
  – Hardware lifecycle management
AWS Global Infrastructure
16 AWS Regions (+5 announced)
44 (+16) Availability Zones (AZs); each Region has at least 2 Availability Zones
77 AWS Edge Locations
[Diagram: a Region containing Availability Zones A, B and C]
AWS Assurance Programs
AWS maintains a formal control environment:
• SOC 1 Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001, 27017, 27018 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• Architect for HIPAA compliance
• EU Data Protection
• C5 (GER), Cyber Essentials Plus (UK)
VPC = Virtual Private Cloud
• Your virtual data center on AWS
• Block of IPs that define your network (typically RFC 1918)
• Can span multiple AZs
• Default VPCs
[Diagram: one VPC with CIDR 10.1.0.0/16 spanning Availability Zones A and B]
VPC subnet
• Range of IPs in your VPC IP range
• Lives inside an AZ
• Can provide security at the subnet or network level with access control lists (ACLs)
• Can route at the subnet level
• Default VPC subnets
[Diagram: VPC 10.1.0.0/16 with subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.10.0/24 in Availability Zone B]
Network access control list
NACL = network access control list
• An optional layer of security that acts as a firewall for a subnet
• A numbered list of rules that we evaluate in order
• ACLs are stateless and have separate inbound and outbound rules
[Diagram: VPC 10.1.0.0/16 with a subnet in each of Availability Zones A and B, each subnet protected by an ACL]
Security groups
• A security group acts as a virtual firewall for your EC2 instance
• An EC2 instance can have up to five security groups
• Security groups act at the instance level, not the subnet level
• Security groups are stateful
[Diagram: EC2 instances in subnet 10.1.1.0/24 (Availability Zone A) and subnet 10.1.10.0/24 (Availability Zone B), each instance wrapped by a security group]
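To make the stateless/stateful distinction between the two slides above concrete, here is an added example (not from the deck) that models a NACL as an ordered rule table checked separately per direction and a security group as a connection-tracking instance firewall. The rule sets, addresses and the Linux ephemeral port range are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed NACL for a subnet: inbound accepts HTTPS from anywhere; outbound
# only lets replies out on the Linux ephemeral range. Entries are
# (rule number, protocol, cidr, first port, last port, action), evaluated in
# ascending rule-number order, first match wins; the last entry stands in for
# the default deny that AWS appends to every NACL.
NACL_INBOUND = [(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
                (32767, "all", "0.0.0.0/0", 0, 65535, "deny")]
NACL_OUTBOUND = [(100, "tcp", "0.0.0.0/0", 32768, 65535, "allow"),
                 (32767, "all", "0.0.0.0/0", 0, 65535, "deny")]

def nacl_decision(rules, proto, remote, port):
    """Stateless check of one packet direction against an ordered NACL table."""
    for _, rproto, cidr, lo, hi, action in sorted(rules):
        if rproto in ("all", proto) and lo <= port <= hi \
                and ip_address(remote) in ip_network(cidr):
            return action == "allow"
    return False  # no matching rule: denied

def nacl_allows_flow(proto, client, client_port, server_port):
    """Request and reply are judged independently: the reply needs its own
    outbound rule covering the client's source port."""
    return (nacl_decision(NACL_INBOUND, proto, client, server_port)
            and nacl_decision(NACL_OUTBOUND, proto, client, client_port))

class SecurityGroup:
    """Stateful instance firewall: the reply to an admitted connection passes
    without any outbound rule."""
    def __init__(self, inbound):
        self.inbound = inbound        # (proto, cidr, first port, last port)
        self.established = set()      # connection table keyed by 4-tuple

    def inbound_allowed(self, proto, client, client_port, server_port):
        for rproto, cidr, lo, hi in self.inbound:
            if rproto == proto and lo <= server_port <= hi \
                    and ip_address(client) in ip_network(cidr):
                self.established.add((proto, client, client_port, server_port))
                return True
        return False

    def outbound_allowed(self, proto, client, client_port, server_port):
        return (proto, client, client_port, server_port) in self.established

if __name__ == "__main__":
    # A client using source port 1025 (below the range in NACL_OUTBOUND) gets its
    # request in but its reply dropped by the NACL; the security group copes.
    print(nacl_allows_flow("tcp", "203.0.113.5", 1025, 443))   # False
    sg = SecurityGroup([("tcp", "0.0.0.0/0", 443, 443)])
    print(sg.inbound_allowed("tcp", "203.0.113.5", 1025, 443),
          sg.outbound_allowed("tcp", "203.0.113.5", 1025, 443))  # True True
```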
[Diagram: reference architecture in VPC 10.10.0.0/16 across AZ A and AZ B. Public subnets 10.10.1.0/24 and 10.10.2.0/24 hold an Internet Gateway and a public ELB in front of an autoscaling web tier; private subnets 10.10.3.0/24 and 10.10.4.0/24 hold an internal ELB in front of an autoscaling application tier; private subnets 10.10.5.0/24 and 10.10.6.0/24 hold the Multi-AZ RDS data tier (RDS master, RDS standby, snapshots). An existing datacenter with administrators and corporate users reaches the VPC through a Virtual Private Gateway and Customer Gateway over a VPN connection, and through Direct Connect at a network partner location.]
Security Groups
[Diagram: Amazon Virtual Private Cloud, CIDR 10.1.0.0/16, with a public subnet (ELB) and private subnets (Web, Back end) in each of Availability Zones A and B. Three security groups wrap the tiers: sg_ELB_FrontEnd (ELB Security Group), sg_Web_Frontend (Web Security Group) and sg_Backend (Backend Security Group).]
AWS WAF in action
[Diagram: admins in the AWS Management Console and developers using the AWS API define rules in AWS WAF; the protection is deployed in front of a web app in CloudFront]
AWS WAF Partner integrations
• Alert Logic, Trend Micro, and Imperva integrating with AWS WAF
• Offer additional detection and threat intelligence
• Dynamically modify rulesets of AWS WAF for increased protection
AWS Shield
• Standard Protection: available to ALL AWS customers at no additional cost
• Advanced Protection: paid service that provides additional, comprehensive protections from large and sophisticated attacks
IAM: Identity and Access Management
With AWS IAM you get to control who can do what in your AWS environment and from where.
• Fine-grained control of your AWS cloud with two-factor authentication
• Integrated with your existing corporate directory using SAML 2.0 and single sign-on
[Diagram: the AWS account owner with separate network management, security management, server management and storage management functions]
Cryptographic Services
Amazon CloudHSM
• Dedicated HSM
• Integrate with on-premises HSMs
• Hybrid Architectures
AWS KMS
• Deep integration with AWS Services
• CloudTrail
• AWS SDK for application encryption
AWS Key Management Service: encryption key management and compliance made easy
• One-click encryption of server and database storage
• Centralized key management (create, delete, view, set policies)
• Enforced, automatic key rotation
• Visibility into any changes via CloudTrail
AWS CloudTrail & CloudWatch
AWS CloudTrail
• Enable globally for all AWS Regions
• Encryption & Integrity Validation
• Archive & Forward
Amazon CloudWatch
• Amazon CloudWatch Logs
• Metrics & Filters
• Alarms & Notifications
CloudTrail: Record AWS API Calls
AWS CloudTrail records AWS API calls for your account and delivers log files to you.
The recorded information includes caller identity, time, the source IP address, parameters, and the response returned by the AWS service.
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
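As an added example (not part of the deck), the detector below reads a CloudTrail log file and uses exactly the fields listed above (caller identity, time, source IP, parameters, event name) to flag two conditions an auditor looks for: any call made as the root account, and the KMS key changes the KMS slide says CloudTrail makes visible when they are made without MFA. The records, the key-id placeholder and the set of sensitive calls are constructed for this example.

```python
import json

# Constructed list of sensitive KMS operations (eventSource, eventName) whose
# callers are expected to have authenticated with MFA.
SENSITIVE_CALLS = {("kms.amazonaws.com", "ScheduleKeyDeletion"),
                   ("kms.amazonaws.com", "DisableKey"),
                   ("kms.amazonaws.com", "PutKeyPolicy")}

def _event(name, source, identity, ip, params=None):
    """Build one constructed CloudTrail record with the fields the slide lists."""
    return {"eventTime": "2017-09-21T09:15:02Z", "eventSource": source,
            "eventName": name, "sourceIPAddress": ip, "userIdentity": identity,
            "requestParameters": params, "responseElements": None}

# Constructed identities: a long-term access key (no session context), an
# MFA-backed assumed role, and the root account.
ALICE_NO_MFA = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
BOB_MFA = {"type": "AssumedRole",
           "arn": "arn:aws:sts::123456789012:assumed-role/KeyAdmin/bob",
           "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}

SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    _event("ScheduleKeyDeletion", "kms.amazonaws.com", ALICE_NO_MFA, "203.0.113.44",
           {"keyId": "KEY-ID-PLACEHOLDER", "pendingWindowInDays": 7}),
    _event("DisableKey", "kms.amazonaws.com", BOB_MFA, "198.51.100.8",
           {"keyId": "KEY-ID-PLACEHOLDER"}),
    _event("DescribeKey", "kms.amazonaws.com", ALICE_NO_MFA, "203.0.113.44",
           {"keyId": "KEY-ID-PLACEHOLDER"}),
    _event("ConsoleLogin", "signin.amazonaws.com", ROOT, "192.0.2.10"),
]})

def mfa_authenticated(identity):
    """True only when the session context says MFA was used; a long-term access
    key has no session context and therefore counts as no MFA."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def findings(trail_file_text):
    """Return (eventName, sourceIPAddress, reason) for every record worth an alert."""
    out = []
    for rec in json.loads(trail_file_text)["Records"]:
        ident = rec["userIdentity"]
        if ident.get("type") == "Root":
            out.append((rec["eventName"], rec["sourceIPAddress"], "root account used"))
        if ((rec["eventSource"], rec["eventName"]) in SENSITIVE_CALLS
                and not mfa_authenticated(ident)):
            out.append((rec["eventName"], rec["sourceIPAddress"],
                        "sensitive KMS call without MFA"))
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE_TRAIL_FILE):
        print(finding)
```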
CloudWatch Logs: Centralize Your Logs
Send existing system, application, and custom log files to CloudWatch Logs via our agent, and monitor these logs in near real-time.
This can help you better understand and operate your systems and applications, and you can store your logs using highly durable, low-cost storage for later access.
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Each flow log record carries: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, accept or reject.
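The metric-then-alarm flow on this slide, as an added example that is not part of the deck: a parser for the default space-separated flow log record (the fields listed above, plus the version and log-status columns the real format carries), a metric that counts REJECT records per source address, and an alarm condition on that metric. The log lines are constructed sample data.

```python
from collections import Counter

# Column order of the default VPC Flow Log record format.
FIELDS = ["version", "account", "interface", "src_ip", "dst_ip", "src_port",
          "dst_port", "protocol", "packets", "bytes", "start", "end", "action",
          "log_status"]
INT_FIELDS = {"src_port", "dst_port", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: one source probing SSH, RDP and SMB on an instance and
# being rejected, one accepted HTTPS flow, and one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.1.1.25 49152 22 6 4 240 1505996400 1505996460 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.1.1.25 49153 3389 6 4 240 1505996400 1505996460 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.1.1.25 49154 445 6 4 240 1505996400 1505996460 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.25 51000 443 6 20 5600 1505996400 1505996460 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1505996400 1505996460 - NODATA
"""

def parse_record(line):
    """Return a dict for one record, or None for NODATA/SKIPDATA records, whose
    traffic columns are '-' and carry nothing to count."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    return rec

def reject_counts(log_text):
    """Metric: number of REJECT records per source IP in the window (what a
    CloudWatch Logs metric filter on the flow log group would emit)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            counts[rec["src_ip"]] += 1
    return counts

def alarm_sources(log_text, threshold=3):
    """Alarm condition: sources whose REJECT count reaches the threshold."""
    return sorted(ip for ip, n in reject_counts(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(reject_counts(SAMPLE_LOG))   # Counter({'203.0.113.9': 3})
    print(alarm_sources(SAMPLE_LOG))   # ['203.0.113.9']
```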
Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support Dev/Ops Model
• Automatable via APIs
• AWS Context Aware
• Static & Dynamic Telemetry
• Integrated with CI/CD tools
• On-Demand Pricing model
• CVE & CIS Rules Packages
• AWS AppSec Best Practices
AWS CloudFormation – Infrastructure as Code
[Diagram: a template fed to AWS CloudFormation produces a stack]
• Orchestrate changes across AWS Services
• Use as foundation to Service Catalog products
• Use with source code repositories to manage infrastructure changes
• JSON-based text file describing infrastructure
• Resources created from a template
• Can be updated
• Updates can be restricted
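An added example (not from the deck) that ties the CloudFormation slide to the three-security-group VPC slide: a Python script that emits the JSON template for sg_ELB_FrontEnd, sg_Web_Frontend and sg_Backend, each tier admitting traffic only from the group in front of it, plus a review check that lists which groups are open to the internet. The VpcId parameter, logical ids and the web/backend ports (8080, 3306) are assumptions.

```python
import json

def sg_resource(description, ingress):
    """One AWS::EC2::SecurityGroup resource in the VPC passed as a parameter."""
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description,
                           "VpcId": {"Ref": "VpcId"},
                           "SecurityGroupIngress": ingress}}

def tcp_from_cidr(port, cidr):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "CidrIp": cidr}

def tcp_from_group(port, source_logical_id):
    # The source is another group in the template, so the tier chain is explicit.
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "SourceSecurityGroupId": {"Ref": source_logical_id}}

def build_template():
    """ELB open to the internet on 443; web reachable only from the ELB group;
    backend reachable only from the web group."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
        "Resources": {
            "sgELBFrontEnd": sg_resource("sg_ELB_FrontEnd (ELB Security Group)",
                                         [tcp_from_cidr(443, "0.0.0.0/0")]),
            "sgWebFrontend": sg_resource("sg_Web_Frontend (Web Security Group)",
                                         [tcp_from_group(8080, "sgELBFrontEnd")]),
            "sgBackend": sg_resource("sg_Backend (Backend Security Group)",
                                     [tcp_from_group(3306, "sgWebFrontend")]),
        },
    }

def internet_exposed_groups(template):
    """Review check: logical ids of groups with any ingress from 0.0.0.0/0 or ::/0.
    In this design only the ELB group should appear."""
    exposed = []
    for logical_id, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        rules = res["Properties"].get("SecurityGroupIngress", [])
        if any(r.get("CidrIp") == "0.0.0.0/0" or r.get("CidrIpv6") == "::/0"
               for r in rules):
            exposed.append(logical_id)
    return exposed

if __name__ == "__main__":
    tpl = build_template()
    print(json.dumps(tpl, indent=2))       # the JSON text file the slide describes
    print(internet_exposed_groups(tpl))    # ['sgELBFrontEnd']
```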
AWS Config & Config Rules
AWS Config
• Record configuration changes continuously
• Time-series view of resource changes
• Archive & Compare
Amazon Config Rules
• Enforce best practices
• Automatically roll back unwanted changes
• Trigger additional workflow
AWS Config: Record AWS Environment Changes
AWS Config records AWS environment configuration and change information for your account.
Snapshots answer the question “What did my environment look like at time x?”
History answers the question “What changes have happened to infrastructure element I over time?”
[Diagram: changing resources feed continuous change recording in AWS Config, which produces a history, a stream, and snapshots (e.g. 2014-11-05)]
AWS Marketplace Security Partners
• Infrastructure Security
• Logging & Monitoring
• Identity & Access Control
• Configuration & Vulnerability Analysis
• Data Protection
AWS Training & Certification
• Certification: validate your proven skills and expertise with the AWS platform – aws.amazon.com/certification
• Self-Paced Labs: try products, gain new skills, and get hands-on practice working with AWS technologies – aws.amazon.com/training/self-paced-labs
• Training: build technical expertise to design and operate scalable, efficient applications on AWS – aws.amazon.com/training
Strengthen your security posture
• Get native functionality and tools
• Over 30 global compliance certifications and accreditations
• Leverage security enhancements gleaned from millions of customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
– Rob Alexander, CIO, Capital One