AWS Summit 2014

Understanding AWS Security

Carlos Conde Head of EMEA Evangelism @caarlco

Different customer viewpoints on security

PR exec keep out of the news

CEO protect shareholder

value

CI{S}O preserve the

confidentiality, integrity and availability of data

Security is Our No.1 Priority Comprehensive Security Capabilities to Support Virtually Any Workload

PEOPLE & PROCEDURES

NETWORK SECURITY

PHYSICAL SECURITY

PLATFORM SECURITY

SECURITY IS SHARED

WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE

WHAT WE DO

WHAT YOU HAVE TO DO

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION 2. AMAZON USER ACCESS 3. LOGICAL SECURITY 4. SECURE DATA HANDLING 5. PHYSICAL SECURITY AND ENV. SAFEGUARDS 6. CHANGE MANAGEMENT 7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY 8. INCIDENT HANDLING

YOUR DATA IS YOUR MOST IMPORTANT ASSET

IF YOUR DATA IS NOT SECURE, YOU’RE NOT SECURE

NETWORK SECURITY

“GAME DAYS” INSERT ARTIFICIAL SECURITY INCIDENTS.

MEASURE SPEED OF DETECTION AND EXECUTION.

EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY

CAPABILITIES

CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS

AWS SECURITY OFFERS MORE

VISIBILITY AUDITABILITY

CONTROL

MORE VISIBILITY

CAN YOU MAP YOUR NETWORK?

WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?

TRUSTED ADVISOR

MORE AUDITABILITY

AWS CLOUDTRAIL

You are making API calls...

On a growing set of services around the

world…

CloudTrail is continuously recording API

calls…

And delivering log files to you

Security Analysis Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.

Track Changes to AWS Resources Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.

Troubleshoot Operational Issues Quickly identify the most recent changes made to resources in your environment.

Compliance Aid Easier to demonstrate compliance with internal policies and regulatory standards.

LOGS OBTAINED, RETAINED, ANALYZED

PROTECT YOUR LOGS WITH IAM ARCHIVE YOUR LOGS

VULNERABILITY & PENETRATION TESTING

VULNERABILITY & PENETRATION TESTING

MORE CONTROL

LEAST PRIVILEGE PRINCIPLE CONFINE ROLES ONLY TO THE MATERIAL

REQUIRED TO DO A SPECIFIC WORK

AWS STAFF ACCESS

‣  Staff vetting ‣  Staff has no logical access to customer instances ‣  Staff control-plane access limited & monitored

Bastion hosts, Least privileged model, Zoned data center access ‣  Business needs ‣  Separate PAMS

USE SEPARATE SETS OF CREDENTIALS

USE AWS IAM IDENTITY & ACCESS MANAGEMENT

CONTROL WHO CAN DO WHAT IN YOUR AWS ACCOUNT

ACCESS TO SERVICE APIs

Amazon DynamoDB Fine Grained Access Control

Directly and securely access application data in Amazon DynamoDB Specify access permissions at table, item and attribute levels With Web Identity Federation, completely remove the need for proxy servers to perform authorization

DEPLOYMENT PROCESS HAS TO BE CONSTRAINED

DEV & TEST ENVIRONMENT

AWS ACCOUNT A

PRODUCTION ENVIRONMENT

AWS ACCOUNT B

“If you need to SSH into your instance, your deployment process is broken.”

VERSIONED AWS CLOUDFORMATION SCRIPTS

+ AWS OPSWORKS

MORE CONTROL ON YOUR DATA

MFA PROTECTION

YOUR DATA STAYS WHERE YOU PUT IT

USE MULTIPLE AZs AMAZON S3

AMAZON DYNAMODB AMAZON RDS MULTI-AZ

AMAZON EBS SNAPSHOTS

DATA ENCRYPTION

CHOOSE WHAT’S RIGHT FOR YOU: Automated – AWS manages encryption

Enabled – user manages encryption using AWS Client-side – user manages encryption using their own mean

ENCRYPT YOUR DATA AWS CLOUDHSM AMAZON S3 SSE

AMAZON GLACIER AMAZON REDSHIFT

AMAZON RDS …

MORE AUDITABILITY MORE VISIBILITY MORE CONTROL

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”

Tom Soderstrom – CTO – NASA JPL

AWS.AMAZON.COM / SECURITY

AWS SECURITY WHITEPAPERS

RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

Thank You!

AWS EXPERT? GET CERTIFIED! aws.amazon.com/certification

Carlos Conde Head of EMEA Evangelism @caarlco