Understanding AWS Security
DESCRIPTION
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides, such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.
TRANSCRIPT
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Understanding AWS Security
Stephen Schmidt
Vice President, Security Engineering &
Chief Information Security Officer
Different customer viewpoints on security:
• CEO: protect shareholder value
• PR exec: keep out of the news
• CIO / CISO: preserve the confidentiality, integrity and availability of data
AWS Viewpoint on Security: Art vs. Science
Security is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
AWS Cloud Security
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
– Tom Soderstrom, CTO, NASA JPL
AWS Security Offers Customers More: Visibility, Auditability, Control
Visibility
– In the AWS cloud, see your entire infrastructure at the click of a mouse
– Can you map your current network?
AWS Security Delivers More Auditability
• Consistent, regular, exhaustive 3rd party evaluations with commonly understood results
IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
Visibility
• Logs == one component of visibility
– Obtain
– Retain
– Analyze
AWS CloudTrail
You are making API calls...
On a growing set of services around the world…
CloudTrail is continuously recording API calls…
And delivering log files to you
Use cases enabled by CloudTrail
• Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
• Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot Operational Issues: Quickly identify the most recent changes made to resources in your environment.
• Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards.
What is AWS CloudTrail?
• CloudTrail records API calls in your account and delivers a log file to your S3 bucket.
• Typically delivers an event within 15 minutes of the API call.
• Log files are delivered approximately every 5 minutes.
• Multiple partners offer integrated solutions to analyze log files.
Image Source: Jeff Barr
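The two CloudTrail use cases above, security analysis and tracking resource changes, come down to reading the JSON "Records" envelope that CloudTrail drops into the S3 bucket and picking out the calls that matter. The following is an added example, not code from the presentation or from AWS: it parses a constructed log file (every value in it is made up; only the field names follow the CloudTrail record format), separates read-only calls from successful changes, lists calls that failed with an error, and flags a security group rule opened to the whole Internet. The classification by event-name prefix (Describe/List/Get) is an assumption used for illustration, not an AWS-defined attribute.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log file: the "Records" envelope that CloudTrail
# delivers (gzipped) to S3. All identifiers, IPs and times below are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.02", "eventTime": "2014-11-12T10:01:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}, "responseElements": None},
    {"eventVersion": "1.02", "eventTime": "2014-11-12T10:02:30Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0example1",
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "responseElements": {"_return": True}},
    {"eventVersion": "1.02", "eventTime": "2014-11-12T10:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DeleteVolume",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"volumeId": "vol-0example2"}, "responseElements": None,
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventVersion": "1.02", "eventTime": "2014-11-12T10:07:15Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instanceType": "m3.medium", "imageId": "ami-0example3"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0example4"}]}}},
]})

# Assumption for this example: calls whose name starts with one of these prefixes
# only read state; everything else is treated as a change to resources.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def load_records(log_text):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(log_text)["Records"]


def actor(record):
    """Best available name for who made the call."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def is_read_only(record):
    return record["eventName"].startswith(READ_ONLY_PREFIXES)


def successful_changes(records):
    """Calls that changed resources: not read-only and completed without an errorCode."""
    return [r for r in records if not is_read_only(r) and "errorCode" not in r]


def failed_calls(records):
    """(actor, eventName, errorCode) for every call the service rejected."""
    return [(actor(r), r["eventName"], r["errorCode"]) for r in records if "errorCode" in r]


def world_open_ingress(records):
    """Flag successful AuthorizeSecurityGroupIngress calls that allow 0.0.0.0/0."""
    hits = []
    for r in records:
        if r["eventName"] != "AuthorizeSecurityGroupIngress" or "errorCode" in r:
            continue
        params = r.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    hits.append((actor(r), params.get("groupId"),
                                 perm.get("fromPort"), perm.get("toPort")))
    return hits


def changes_by_actor(records):
    """How many successful changes each principal made (user behaviour pattern)."""
    return Counter(actor(r) for r in successful_changes(records))


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for r in successful_changes(recs):
        print("CHANGE", r["eventTime"], actor(r), r["eventName"], r["awsRegion"])
    print("FAILED", failed_calls(recs))
    print("WORLD-OPEN", world_open_ingress(recs))
    print("PER-ACTOR", dict(changes_by_actor(recs)))
```

Real log files arrive gzipped, so a production version would read them with the gzip module before handing the text to load_records; the classification and the checks stay the same.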
Control
• Defense in Depth – multi-level security:
• Physical security of the data centers
• Network security
• System security
• Data security
Control
• AWS Staff Access
– Staff vetting
– Staff has no logical access to customer instances
Control
• AWS Staff Access
– Staff control-plane access limited & monitored
• Bastion hosts
• Least privileged model
Control
• AWS Staff Access
– Need to know
– Zoned data center access
• Business needs
• Separate PAMS
Control
• Change management
– Continuous operation
• Data destruction
– Storage media destroyed before being permitted outside our datacenters
– Media destruction consistent with US Dept. of Defense Directive 5220.22
Control
• Shared Responsibility
– Let AWS do the heavy lifting
– Focus on your business
• AWS:
– Facility operations
– Physical Security
– Physical Infrastructure
– Network Infrastructure
– Virtualization Infrastructure
– Hardware lifecycle management
• Customer:
– Choice of Guest OS
– Application Configuration Options
– Account Management flexibility
– Security Groups
– ACLs
– Identity Management
Control
• Your data stays where you put it
Amazon Virtual Private Cloud (VPC)
• Create a logically isolated environment in Amazon’s highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists (every packet, including return traffic, is evaluated against the rules)
• Protect your instances with stateful filters for inbound and outbound traffic using Security Groups (return traffic for an allowed connection is permitted automatically)
• Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
• Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect
• Use a wizard to easily create your VPC in 4 different topologies
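The difference between stateless network ACLs and stateful security groups is the one VPC detail that most often produces a "my instance answers nothing" ticket, so here is an added example (not code from the presentation or from AWS) that models both filters in Python and runs one HTTPS request/reply pair through them. The rule layout, the packet model and the ephemeral port range 1024-65535 are assumptions made for this illustration; the actual VPC evaluation order (NACL rules by ascending number, first match wins, implicit deny) is what the model reproduces.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = towards the instance, "out" = from the instance
    proto: str
    remote_ip: str      # the non-instance end of the flow
    remote_port: int
    local_port: int     # port on the instance


@dataclass(frozen=True)
class Rule:
    number: int         # NACL rule number (ignored by security groups)
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs also take "deny"; security groups are allow-only

    def matches(self, p):
        # Rules name the destination port: the instance port for inbound packets,
        # the remote port for outbound packets.
        port = p.local_port if p.direction == "in" else p.remote_port
        return (self.direction == p.direction and self.proto == p.proto
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(p.remote_ip) in ipaddress.ip_network(self.cidr))


class NetworkAcl:
    """Stateless filter: every packet, replies included, is checked against the
    rules in ascending rule-number order; no match means the implicit deny."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, p):
        for r in self.rules:
            if r.matches(p):
                return r.action == "allow"
        return False


class SecurityGroup:
    """Stateful filter: a packet matching an allow rule opens a connection entry,
    and the reply in the other direction is permitted without a rule of its own."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()

    def permits(self, p):
        key = (p.proto, p.remote_ip, p.remote_port, p.local_port)
        if key in self.connections:
            return True
        if any(r.matches(p) for r in self.rules):
            self.connections.add(key)
            return True
        return False


def https_exchange():
    """Constructed flow: a client on an ephemeral port talks to the instance on 443."""
    request = Packet("in", "tcp", "203.0.113.5", 51000, 443)
    reply = Packet("out", "tcp", "203.0.113.5", 51000, 443)
    return request, reply


def evaluate(filter_):
    """Return (request permitted?, reply permitted?) for one filter."""
    request, reply = https_exchange()
    return filter_.permits(request), filter_.permits(reply)


# NACL that only considered port 443 in both directions: the reply to the
# client's ephemeral port 51000 matches nothing and is dropped.
NACL_MISSING_EPHEMERAL = NetworkAcl([
    Rule(100, "in", "tcp", 443, 443, "0.0.0.0/0"),
    Rule(100, "out", "tcp", 443, 443, "0.0.0.0/0"),
])

# Corrected NACL: an outbound rule for the ephemeral range carries the replies.
NACL_WITH_EPHEMERAL = NetworkAcl([
    Rule(100, "in", "tcp", 443, 443, "0.0.0.0/0"),
    Rule(100, "out", "tcp", 1024, 65535, "0.0.0.0/0"),
])

# Security group: one inbound rule is enough because the filter tracks state.
SG_HTTPS = SecurityGroup([Rule(0, "in", "tcp", 443, 443, "0.0.0.0/0")])

if __name__ == "__main__":
    for name, f in [("NACL without ephemeral rule", NACL_MISSING_EPHEMERAL),
                    ("NACL with ephemeral rule", NACL_WITH_EPHEMERAL),
                    ("Security group", SG_HTTPS)]:
        print(f"{name}: request/reply permitted = {evaluate(f)}")
```

The model also shows why a NACL deny rule does not "close" a connection the way a security group would: a low-numbered deny on inbound 443 from a CIDR blocks the request, but an outbound packet from the instance to that same CIDR is still judged only by the outbound rules.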
Control
• Encryption
– Customers choose the solution that’s right for them
• Regulatory
• Contractual
• Best-practices
– Options
• Automated – AWS manages encryption for the customer
• Enabled – customer manages encryption using AWS services
• Client-side – customer manages encryption using their own means
AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs:
• Defense in depth
• Rapid scale for security
• Automated checks with AWS Trusted Advisor
• Fine grained access controls
• Server side encryption
• Multi Factor authentication
• Dedicated instances
• Direct connection, Storage Gateway
• HSM-based key storage
Services shown on the slide: AWS CloudHSM, AWS IAM, Amazon VPC, AWS Direct Connect, AWS Storage Gateway
Control
AWS CloudHSM
• Managed and monitored by AWS, but you control the keys
• Increase performance for applications that use HSMs for key storage or encryption
• Comply with stringent regulatory and contractual requirements for key protection
(Diagram: EC2 instance connected to AWS CloudHSM appliances)
Control
• SSO Federation using SAML
– Support for SAML 2.0
– Use existing SAML identity providers to access AWS Resources
• You don’t have to add additional software!
– AWS Management Console SSO
• New sign-in URL: https://signin.aws.amazon.com/SAML?Token=<yourdatahere>
– API federation using new assumeRoleWithSAML API
DynamoDB Fine Grained Access Control
• Directly and securely access application data in DynamoDB
• Specify access permissions at table, item and attribute levels
• With Web Identity Federation, completely remove the need for proxy servers to perform authorization
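Item- and attribute-level permissions in DynamoDB are expressed in an IAM policy through the dynamodb:LeadingKeys and dynamodb:Attributes condition keys, with the partition key value tied to the federated identity by a policy variable. The following is an added example, not code from the presentation or from AWS: it embeds a policy in that documented shape and evaluates requests against it with a small, allow-only evaluator that fails closed. The table name, account id and user ids are placeholders, the request representation is an assumption made for this illustration, and the evaluator covers only the ForAllValues:StringEquals operator the policy uses, not the full IAM evaluation logic.

```python
import fnmatch

# Constructed policy: a federated user may read and write only items whose partition
# key equals their own identity, and may touch only the listed attributes.
# Account id and table name are placeholders.
POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
                   "dynamodb:PutItem", "dynamodb:UpdateItem"],
        "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/GameScores"],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
                "dynamodb:Attributes": ["UserId", "GameTitle", "Wins", "Losses"],
            }
        },
    }]
}

TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores"


def substitute(value, context):
    """Replace ${name} policy variables with values from the caller's identity context."""
    for name, actual in context.items():
        value = value.replace("${" + name + "}", actual)
    return value


def condition_holds(condition, request_keys, context):
    """Evaluate a Condition block against the condition keys carried by the request.

    Only ForAllValues:StringEquals is implemented: every value in the request's
    list for a key must be in the policy's (variable-substituted) list. Any other
    operator makes the statement fail, so unknown conditions never grant access.
    """
    for operator, pairs in condition.items():
        if operator != "ForAllValues:StringEquals":
            return False
        for key, policy_values in pairs.items():
            allowed = {substitute(v, context) for v in policy_values}
            requested = set(request_keys.get(key, []))
            if not requested <= allowed:
                return False
    return True


def is_allowed(policy, action, resource, request_keys, context):
    """Allow-only evaluator: permitted when some Allow statement matches the action
    and resource and all of its conditions hold; otherwise the implicit deny applies."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if condition_holds(stmt.get("Condition", {}), request_keys, context):
            return True
    return False


# Constructed identity context for a user signed in through Login with Amazon.
ALICE = {"www.amazon.com:user_id": "amzn1.account.AAAA"}


def query_scores(user_context, leading_key, attributes, action="dynamodb:Query"):
    """Would this caller's request for the given partition key and attributes be allowed?"""
    request_keys = {"dynamodb:LeadingKeys": [leading_key],
                    "dynamodb:Attributes": list(attributes)}
    return is_allowed(POLICY, action, TABLE, request_keys, user_context)


if __name__ == "__main__":
    print("own scores:", query_scores(ALICE, "amzn1.account.AAAA", ["UserId", "Wins"]))
    print("someone else's scores:", query_scores(ALICE, "amzn1.account.BBBB", ["Wins"]))
    print("hidden attribute:", query_scores(ALICE, "amzn1.account.AAAA", ["Email"]))
```

Because the partition key is compared against the caller's own identity, a client holding temporary credentials from web identity federation can be handed the table directly: the policy, not a proxy server, is what keeps one user's items out of another user's reach.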
More New Security Features!
Control access to & encryption of your data
• Elastic Load Balancing
– Perfect Forward Secrecy
– Server Order Preference
– Predefined Security Policies
• Powerful integrated permissions
– Resource level permissions: EC2, RDS, DynamoDB, CloudFormation
– Enhanced IAM support: SWF, EMR, Storage Gateway, CloudFormation, Redshift, Elastic Beanstalk
• AWS Marketplace
– 1-Click Launch into VPC
• Appliances from:
– Checkpoint
– Cisco
– Citrix
– Riverbed
– Silverpeak
– Sophos
– And many more…
Thank you!