TRANSCRIPT
Amazon Web Services
Security & Compliance in AWS
Move Fast AND Stay Secure
[Slide: AWS platform overview diagram; box labels grouped by category]
ENTERPRISE APPS: Virtual Desktops; Sharing & Collaboration; Corporate Backup
DEVELOPMENT & OPERATIONS: DevOps Resource Management; Application Lifecycle Management; Containers; Triggers; Resource Templates; One-click App Deployment
MOBILE SERVICES: Identity; Sync; Single Integrated Console; Push Notifications; Mobile Analytics
APP SERVICES: Queuing & Notifications; Workflow; Search; Transcoding; API Gateway
ANALYTICS: Data Warehousing; Hadoop/Spark; Streaming Data Collection; Streaming Data Analysis; Machine Learning; Elastic Search; Business Intelligence
IoT: Rules Engine; Device Shadows; Device SDKs; Registry; Device Gateway
TECHNICAL & BUSINESS SUPPORT: Account Management; Support; Professional Services; Training & Certification; Security & Pricing Reports; Partner Ecosystem; Solutions Architects
MARKETPLACE: Business Apps; Business Intelligence; Databases; DevOps Tools; Networking; Security; Storage
INFRASTRUCTURE: Regions; Availability Zones; Points of Presence
CORE SERVICES: Compute (VMs, Auto-scaling, & Load Balancing); Storage (Object, Blocks, Archival, Import/Export); Databases (Relational, NoSQL, Caching, Migration); Networking (VPC, DX, DNS, CDN)
SECURITY & COMPLIANCE: Access Control; Identity Management; Key Management & Storage; Monitoring & Logs; Assessment and reporting; Resource & Usage Auditing; Configuration Compliance; Web application firewall
HYBRID ARCHITECTURE: Data Backups; Integrated App Deployments; Direct Connect; Identity Federation; Integrated Resource Management; Integrated Networking
Job Zero
AWS Pace of Innovation
[Slide: bar chart of launches per year; values shown: 2009: 48; 2011: 82; 2013: 280; 2015: 722]
AWS has been continually expanding its services to support virtually any cloud workload and now has more than 70 services that range across compute, storage, networking, database, analytics, application services, deployment, management and mobile.
SHARED
GxP; ISO 13485; AS9100; ISO/TS 16949
Security OF the cloud
AWS is responsible for the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Security IN the cloud
Customers have their choice of security configurations IN the Cloud:
Customer applications & content
Platform, Applications, Identity & Access Management
Operating System, Network, & Firewall Configuration
Client-side Data Encryption | Server-side Data Encryption | Network Traffic Protection
AWS is responsible for the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
SECURITY IS VISIBILITY AND AUDITABILITY
How often do you map your network? RIGHT NOW?
You are making API calls... on a growing set of services around the world...
AWS CloudTrail is continuously recording API calls... and delivering log files to you.
AWS CLOUDTRAIL
[Slide: icons of services whose API calls CloudTrail records, among them Redshift, AWS CloudFormation and AWS Elastic Beanstalk]
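The slide says CloudTrail delivers log files; the value is in what you run over them. The following is an added example, not code from the deck or from AWS: three constructed records in CloudTrail's {"Records": [...]} layout (field names follow the CloudTrail record format; the account ID, user names, IPs and trail name are made up) and three detection rules a practitioner typically wires up first: root-account use, a console login that succeeded without MFA, and any call that switches the trail off.

```python
"""Detection logic run over constructed CloudTrail records (added example)."""
import json

# Constructed sample log file in CloudTrail's {"Records": [...]} layout.
# Account ID, ARNs, IPs and trail name are placeholders for this example.
SAMPLE_LOG = json.dumps({
    "Records": [
        {
            "eventVersion": "1.05",
            "userIdentity": {"type": "Root", "principalId": "111122223333",
                             "arn": "arn:aws:iam::111122223333:root",
                             "accountId": "111122223333"},
            "eventTime": "2016-03-01T09:12:44Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "No"},
        },
        {
            "eventVersion": "1.05",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::111122223333:user/alice",
                             "accountId": "111122223333"},
            "eventTime": "2016-03-01T09:20:01Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "requestParameters": {"name": "corp-trail"},
        },
        {
            "eventVersion": "1.05",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci",
                             "accountId": "111122223333"},
            "eventTime": "2016-03-01T09:25:13Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.9",
        },
    ]
})

# CloudTrail API calls that weaken or remove the audit trail.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def analyze(record):
    """Return a list of (rule, detail) findings for one CloudTrail record."""
    findings = []
    identity = record.get("userIdentity", {})
    name = record.get("eventName")
    # Rule 1: any direct use of the root account (reserve it for break-glass).
    if identity.get("type") == "Root" and "invokedBy" not in identity:
        findings.append(("root_account_used", name))
    # Rule 2: console login that succeeded without MFA.
    if (name == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append(("console_login_without_mfa", identity.get("arn")))
    # Rule 3: someone turning the audit trail off or changing it.
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER_EVENTS:
        findings.append(("cloudtrail_tampering", f"{name} by {identity.get('arn')}"))
    return findings


def scan_log_file(text):
    """Parse one CloudTrail log file body and return all findings in record order."""
    records = json.loads(text)["Records"]
    return [f for r in records for f in analyze(r)]


if __name__ == "__main__":
    for rule, detail in scan_log_file(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Running it reports the root login, the missing MFA on that login, and alice's StopLogging call; the routine DescribeInstances from the CI role produces nothing. In production the same rules sit behind a CloudWatch Logs metric filter or a Lambda subscription on the trail's log group rather than a file loop.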
SECURITY IS CONTROL
AWS Identity & Access Management
IAM Users | IAM Groups | IAM Roles | IAM Policies
Account Governance – New Accounts
• InfoSec's Cross-Account Roles
• AWS Account Credential Management ("Root Account")
• Federation
• Baseline Requirements
• Actions & Conditions Map
• Enterprise Roles
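The governance items above (InfoSec's cross-account roles, baseline requirements, an actions-and-conditions map) come together in the trust policy of the role InfoSec assumes in each new account. The block below is an added example, not from the deck or from AWS: it writes such a trust policy (the documented Principal / sts:AssumeRole / Condition shape) and evaluates constructed requests against it with a deliberately simplified model of IAM's decision logic that covers only the Principal, Action, Bool and StringEquals elements used here. The account IDs, role names and external ID are placeholders.

```python
"""Cross-account trust policy with baseline conditions, plus a small evaluator
for it (added example; simplified model of IAM evaluation, not the real engine)."""
import json

INFOSEC_ACCOUNT = "111122223333"     # assumption: InfoSec's hub account
WORKLOAD_ACCOUNT = "444455556666"    # assumption: a newly created workload account
EXTERNAL_ID = "infosec-audit-7f3a"   # assumption: value agreed with InfoSec

# Trust policy attached to the audit role in the workload account: only the
# InfoSec auditor role may assume it, and only with MFA and the agreed
# external ID (the "baseline requirements" for cross-account access).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{INFOSEC_ACCOUNT}:role/InfoSecAuditor"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "StringEquals": {"sts:ExternalId": EXTERNAL_ID},
        },
    }],
}


def _condition_matches(condition, context):
    """Evaluate Bool and StringEquals against the request context.
    A key missing from the context fails the check, as it does in IAM."""
    for key, expected in condition.get("Bool", {}).items():
        if str(context.get(key, "")).lower() != str(expected).lower():
            return False
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def trust_allows(policy, principal_arn, action, context):
    """Simplified decision: an explicit Deny wins, otherwise any matching Allow,
    otherwise implicit deny."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if ((principal_arn in principals or "*" in principals)
                and action in actions
                and _condition_matches(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision


AUDITOR = f"arn:aws:iam::{INFOSEC_ACCOUNT}:role/InfoSecAuditor"


def baseline_checks():
    """Constructed AssumeRole requests an InfoSec reviewer would try, with the verdicts."""
    good = {"aws:MultiFactorAuthPresent": "true", "sts:ExternalId": EXTERNAL_ID}
    return {
        "mfa_and_external_id": trust_allows(TRUST_POLICY, AUDITOR, "sts:AssumeRole", good),
        "no_mfa": trust_allows(TRUST_POLICY, AUDITOR, "sts:AssumeRole",
                               {**good, "aws:MultiFactorAuthPresent": "false"}),
        "wrong_external_id": trust_allows(TRUST_POLICY, AUDITOR, "sts:AssumeRole",
                                          {**good, "sts:ExternalId": "guess"}),
        "other_account_role": trust_allows(
            TRUST_POLICY, f"arn:aws:iam::{WORKLOAD_ACCOUNT}:role/Developer",
            "sts:AssumeRole", good),
    }


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(baseline_checks())
```

Only the request that carries both MFA and the external ID is allowed; the evaluator also shows why the condition keys must be present rather than merely not false. The same trust document is what you would paste into the role when creating it with the CLI or CloudFormation.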
Amazon Virtual Private Cloud
[Slide: reference architecture diagram]
VPC CIDR 10.10.0.0/16 spanning AZ A and AZ B
Public subnets 10.10.1.0/24 (AZ A) and 10.10.2.0/24 (AZ B): Internet Gateway, Public ELB
Private subnets 10.10.3.0/24, 10.10.4.0/24, 10.10.5.0/24 and 10.10.6.0/24 across the two AZs: Autoscaling Web Tier behind the Public ELB, Autoscaling Application Tier behind an Internal ELB, and a Data Tier of Multi-AZ RDS (RDS Master, RDS Standby, Snapshots)
Existing Datacenter (Administrators & Corporate Users) reaches the VPC through a Customer Gateway and VPN Connection to the Virtual Private Gateway, or through Direct Connect via a Network Partner Location
[Slide: two-AZ VPC with layered security groups]
VPC CIDR 10.1.0.0/16; Availability Zone A and Availability Zone B, each with a public subnet (ELB) and private subnets (Web, Back end)
Security Groups:
sg_ELB_FrontEnd (ELB Security Group)
sg_Web_Frontend (Web Security Group)
sg_Backend (Backend Security Group)
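The point of the three groups is that each tier admits traffic only from the group in front of it, not from an address range, so adding a web server never requires touching the back-end rules. The block below is an added example, not from the deck or from AWS: it models the three groups with the slide's names and checks constructed flows against EC2 security-group semantics for inbound traffic (allow-list only, no deny rules, a rule source may be a CIDR or another group meaning "any interface carrying that group"). The ports, the 10.1.0.0/16 addresses and the interface-to-group assignment are this example's assumptions.

```python
"""Layered security groups from the diagram, modelled and checked offline
(added example; rules, ports and addresses are assumptions)."""
import ipaddress

# Inbound rules per group: (protocol, from_port, to_port, source) where source is
# a CIDR string or the name of another security group. Anything unlisted is dropped.
SECURITY_GROUPS = {
    "sg_ELB_FrontEnd": [("tcp", 443, 443, "0.0.0.0/0")],      # internet -> ELB, TLS only
    "sg_Web_Frontend": [("tcp", 80, 80, "sg_ELB_FrontEnd")],   # only the ELB reaches web tier
    "sg_Backend": [("tcp", 8080, 8080, "sg_Web_Frontend")],    # only web tier reaches back end
}

# Which groups each interface carries (constructed; a real ENI may carry several).
INTERFACES = {
    "10.1.1.10": {"sg_ELB_FrontEnd"},   # ELB node, public subnet
    "10.1.2.20": {"sg_Web_Frontend"},   # web server, private subnet
    "10.1.3.30": {"sg_Backend"},        # back-end server, private subnet
}


def _source_matches(source, src_ip):
    """A rule source matches by CIDR membership or by the sender carrying that group."""
    if source in SECURITY_GROUPS:
        return source in INTERFACES.get(src_ip, set())
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def inbound_allowed(src_ip, dst_ip, proto, dst_port):
    """True if some inbound rule on any group of the destination admits the flow."""
    for group in INTERFACES.get(dst_ip, set()):
        for rule_proto, lo, hi, source in SECURITY_GROUPS[group]:
            if rule_proto == proto and lo <= dst_port <= hi and _source_matches(source, src_ip):
                return True
    return False  # security groups have no deny rules; unmatched traffic is dropped


def check_design():
    """Constructed flows a reviewer would probe, mapped to the evaluator's verdict."""
    return {
        "internet_to_elb_443": inbound_allowed("203.0.113.5", "10.1.1.10", "tcp", 443),
        "internet_to_web_80": inbound_allowed("203.0.113.5", "10.1.2.20", "tcp", 80),
        "elb_to_web_80": inbound_allowed("10.1.1.10", "10.1.2.20", "tcp", 80),
        "web_to_backend_8080": inbound_allowed("10.1.2.20", "10.1.3.30", "tcp", 8080),
        "elb_to_backend_8080": inbound_allowed("10.1.1.10", "10.1.3.30", "tcp", 8080),
        "web_to_web_22": inbound_allowed("10.1.2.20", "10.1.2.20", "tcp", 22),
    }


if __name__ == "__main__":
    for flow, ok in check_design().items():
        print(f"{flow:24s} {'ALLOW' if ok else 'DROP'}")
```

The ELB skipping the web tier and the internet hitting a web server directly are both dropped, which is the property to verify after every change to the groups; the check is cheap enough to run in CI against the output of describe-security-groups.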
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Record fields: AWS account; Interface; Source IP; Destination IP; Source port; Destination port; Protocol; Packets; Bytes; Start/end time; Accept or reject
VPC Flow Logs – CloudWatch Alarms
• Amazon CloudWatch Logs subscriptions
• Amazon Elasticsearch Service
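The slide's chain (flow log record, metric built from it, alarm on the metric) is worth seeing end to end. The block below is an added example, not from the deck or from AWS: it parses lines in the documented version-2 flow log layout (14 space-separated fields, NODATA records skipped), builds the REJECT-per-source metric that a CloudWatch Logs metric filter such as `[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]` would produce, and applies an alarm threshold; the log lines, interface ID, addresses and threshold are constructed for the example.

```python
"""VPC Flow Log records -> REJECT metric -> alarm, run offline (added example;
log lines, addresses and threshold are constructed)."""
from collections import Counter, defaultdict

# Version-2 flow log field order, as documented for the default format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed records: one source probing four ports, normal ELB -> web traffic,
# one stray rejected connection, and a NODATA record for an idle window.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.50 10.1.2.20 41522 22 6 1 60 1457000000 1457000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.50 10.1.2.20 41523 23 6 1 60 1457000000 1457000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.50 10.1.2.20 41524 3389 6 1 60 1457000000 1457000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.50 10.1.2.20 41525 8080 6 1 60 1457000000 1457000060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.1.1.10 10.1.2.20 50112 80 6 12 9300 1457000000 1457000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.1.2.20 53010 443 6 1 60 1457000000 1457000060 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1457000060 1457000120 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per usable record; NODATA/SKIPDATA records carry no flow fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line: skip rather than crash
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def reject_metric(records):
    """Metric-filter equivalent: number of REJECT records per source address."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def alarm_state(metric, threshold):
    """ALARM if any single source reaches the threshold in the window, else OK."""
    return "ALARM" if metric and max(metric.values()) >= threshold else "OK"


def probable_scanners(records, min_ports=3):
    """Sources whose rejected flows touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = list(parse_flow_log(SAMPLE_FLOW_LOG))
    metric = reject_metric(recs)
    print(metric, alarm_state(metric, threshold=4), probable_scanners(recs))
```

The per-source REJECT count is what the metric filter emits; the distinct-port view is the kind of enrichment you get once the same records are shipped to Elasticsearch through a CloudWatch Logs subscription, since a plain metric filter cannot count distinct ports. A REJECT line is a security-group or NACL drop, not an application error, so a rising count from one source is worth an alarm even at low volume.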
Cryptographic Services
AWS Key Management Service (AWS KMS)
• Encryption key management and compliance made easy
• Integrated with AWS Services (e.g. S3, EBS, RDS, Redshift, CloudTrail, EMR)
• AWS SDK for application encryption
• Highly available and durable
• PCI DSS Service Provider Level 1 compliant; undergoing FIPS 140-2 validation
Amazon CloudHSM
• Dedicated HSM with dedicated access: only you have access to your keys and operations on the keys
• AWS administrator manages the appliance; you control keys and crypto operations
• Integrate with on-premises HSMs (hybrid architectures)
• Deep integration with AWS services; key usage logged via CloudTrail
AWS Config & Config Rules
AWS Config
• Record configuration changes continuously
• Time-series view of resource changes
• Archive & Compare
AWS Config Rules
• Enforce best practices
• Automatically roll back unwanted changes
• Trigger additional workflow
AWS Config Rules – Tenancy Enforcement
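A tenancy-enforcement rule is a custom Config rule backed by a Lambda function: Config hands it a configuration item on every change and the function returns a compliance verdict. The block below is an added example, not from the deck or from AWS. The event shape (invokingEvent and ruleParameters as JSON strings, a configurationItem with resourceType and configuration.placement.tenancy) follows what Config passes to a custom rule; the parameter name requiredTenancy, the instance IDs and the handler's return value are this example's choices, and the config.put_evaluations() call a deployed rule would make to report the verdict is left out so the logic runs stand-alone.

```python
"""Custom AWS Config rule: flag EC2 instances not on the required tenancy
(added example; evaluated offline against constructed configuration items)."""
import json


def evaluate_compliance(configuration_item, rule_parameters):
    """Return COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one resource."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"  # nothing left to enforce on
    required = rule_parameters.get("requiredTenancy", "dedicated")  # parameter name is ours
    placement = configuration_item.get("configuration", {}).get("placement", {})
    actual = placement.get("tenancy", "default")  # EC2's value when tenancy is unset
    return "COMPLIANT" if actual == required else "NON_COMPLIANT"


def lambda_handler(event, context=None):
    """Entry point in the shape Config invokes; returns the evaluation a deployed
    rule would pass to config.put_evaluations()."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item, rule_parameters),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def make_event(instance_id, tenancy, required="dedicated"):
    """Constructed Config change notification for a single EC2 instance."""
    item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": instance_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2016-03-01T10:00:00.000Z",
        "configuration": {"instanceId": instance_id, "placement": {"tenancy": tenancy}},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps({"requiredTenancy": required}),
        "resultToken": "constructed-token",
    }


if __name__ == "__main__":
    for inst, ten in (("i-0dedicated001", "dedicated"), ("i-0shared002", "default")):
        print(lambda_handler(make_event(inst, ten)))
```

Keeping the verdict in a pure function (evaluate_compliance) separate from the event plumbing is what makes the rule testable before it is deployed; the "roll back" and "trigger workflow" items on the slide hang off the NON_COMPLIANT result, typically a second Lambda or SNS notification, not the rule itself.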
AUDIT EVERYTHING
Fine-grained visibility and control for accounts, resources, data
• Auditors
• Geographic data locality: control over regional replication
• Fine-grained access control: policies, resource-level permissions, temporary credentials
• In-depth logging: AWS CloudTrail and Config
• Visibility into resources and usage: service Describe* APIs and Amazon CloudWatch
• Control over deployment: AWS CloudFormation
• Governance
COMPLIANCE IS CONFIDENCE
ISO 9001
SOC 3
SOC 2
ISO 27001
ISO 27017
PCI DSS Level 1
ISO 27018
SOC 1 / ISAE 3402
GxP
HIPAA
ITAR
FERPA
FISMA, RMF, and DIACAP
FedRAMP
Section 508 / VPAT
DoD SRG Levels 2 & 4
FIPS 140-2
CJIS
Cloud Security Alliance
MPAA
NIST
MLPS Level 3
G-Cloud
IT-Grundschutz
MTCS Tier 3
IRAP
Cyber Essentials Plus
More accreditations & certifications than anyone
Data Sovereignty & Privacy
• You retain control and ownership of your content
• Choose your AWS region and adhere to data sovereignty laws
• Compliant with ISO 27001, ISO 27017, ISO 27018
• Encrypt your data using AWS Services or using your own
CONTINUOUS ASSURANCE
Security by Design – SbD
Security by Design (SbD) is a modern security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It is a systematic approach to ensuring security: instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process.
Building blocks: CloudTrail, CloudHSM, IAM, KMS, Config
AWS Security and Compliance
• Security of the cloud
• Services and tools to aid security in the cloud
Service               Type                    Use cases
AWS CloudTrail        Continuous logging      Records AWS API calls for your account and delivers log files to you
AWS Config Rules      Continuous evaluations  Codified internal best practices, misconfigurations, security vulnerabilities, or actions on changes
Amazon Inspector      On-demand evaluations   Security insights into your application deployments running inside your EC2 instances
AWS Trusted Advisor   Periodic evaluations    Cost, performance, reliability, and security checks that apply broadly
AWS WAF               Continuous filtering    Firewall rules that protect web applications from common exploits
[Slide: DevSecOps tooling across DEV, SEC and OPS]
Services shown: Amazon CloudWatch; Amazon Elasticsearch Service; AWS Lambda; AWS CloudFormation; AWS Service Catalog; AWS CodeCommit; AWS CodePipeline; AWS CodeDeploy; Amazon Machine Learning
AppSec
• Security as Code
• Self-Service Testing
• Red Team/Blue Team
• Inline Enforcement
• Analytics & Insights
• Detect & Contain
• Incident Response
• Investigations
• Forensics
Infrastructure Security | Logging and Monitoring | Identity and Access Control | Configuration and Vulnerability Analysis | Data Protection
SaaS
BETTER IN AWS
Job Zero