An Introdcution To AWS Cloud Security-ETDA

Download as pdf or txt
Download as pdf or txt
You are on page 1of 33

An Introduction to AWS Cloud Security

Ankush Chowdhary
Principal Security Advisor – APJ
Worldwide Public Sector
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda

Overview of AWS security


Understand your responsibility in the cloud
AWS Security and Compliance Programs
Overview of AWS Security Products/Services
AWS Cloud Security Design Patterns
Questions?

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Global Infrastructure
22 Regions – 69 Availability Zones – 176 Edge Locations
Region & Number of Availability Zones
US East China
N. Virginia (6), Ohio (3) Beijing (2), Ningxia (3)

US West Europe
N. California (3), Frankfurt (3), Ireland
Oregon (4) (3), London (3), Paris
(3), Stockholm (3)
Asia Pacific
Mumbai (3), Seoul (2), Middle East
Singapore (3),Hong Bahrain (3)
Kong (3) Sydney (3),
Tokyo (4), Osaka-Local South America
(1) São Paulo (3)

Canada AWS GovCloud (US)


Central (2) US-East (3), US-West
(3)
Announced Regions
Cape Town, Jakarta, Milan
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security is Our No. 1 Priority

Designed for Security Constantly Monitored Highly Highly Highly


Automated Available Accredited

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is AWS Shared Responsibility?

Security measures that the customer implements


and operates, related to the security of customer SECURITY IN
THE CLOUD
content and applications that make use of AWS
services

Security measures that the cloud service provider SECURITY OF


THE CLOUD
(AWS) implements and operates
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is AWS Shared Responsibility?

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Your data stays where you put it.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Compliance Programs
Global

United States

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Compliance Programs

Asia Pacific

Europe

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
All customers benefit from the same security
60+ Assurance programs, including
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001
• ISO 9001
• PCI DSS Level 1 - Service Provider
• ISO 27017 (security of the cloud)
• ISO 27018 (personal data)
• BSI C5 (Germany) – ESCloud (EU)
• CISPE - GDPR

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Find Compliance Reports on AWS Artifact

Reports On-Demand Globally Available Easy Identification

Quick Assessments Continuous Monitoring Enhanced Transparency

https://aws.amazon.com/artifact/

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Customer Security Operations in AWS

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Move to AWS
Strengthen your security posture

Inherit Scale with superior Highest Automate Largest


global visibility and standards with deeply network
security and control for privacy integrated of security
compliance and data security services partners and solutions
controls security

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Highest standards for privacy

Meet data Encryption at scale with Comply with local Access services and tools that
residency requirements keys managed by data privacy laws enable you to
Choose an AWS Region our AWS Key Management by controlling who build compliant
and AWS will not replicate it System (KMS) or managing can access content, its infrastructure
elsewhere unless you choose your own encryption keys lifecycle, and disposal on top of AWS
to do so with Cloud HSM using
FIPS 140-2 Level 3
validated HSMs

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources

AWS Organizations
Policy-based management for multiple AWS accounts
Identity
Identityand
& access
access
management Amazon Cognito
Add user sign-up, sign-in, and access control to your web
and mobile apps

AWS Directory Service


Managed Microsoft Active Directory in the AWS Cloud
Define, enforce, and audit user
permissions across AWS Single Sign-On
Centrally manage single sign-on (SSO) access to multiple AWS accounts and
AWS services, actions business applications
and resources.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail
Enable governance, compliance, and operational/risk auditing of your
AWS account

AWS Config
Record and evaluate configurations of your AWS resources. Enable compliance
auditing, security analysis, resource change tracking, and troubleshooting
Detective
control Amazon CloudWatch
Monitor AWS Cloud resources and your applications on AWS to
collect metrics, monitor log files, set alarms, and automatically
react to changes
Gain the visibility you need
Amazon GuardDuty
to spot issues before they impact Intelligent threat detection and continuous monitoring to protect your AWS
the business, improve your accounts and workloads
security posture, and reduce the VPC Flow Logs
risk profile of Capture information about the IP traffic going to and from network interfaces
in your VPC. Flow log data is stored using Amazon
your environment. CloudWatch Logs

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon EC2 Systems Manager
Easily configure and manage Amazon EC2 and on-premises systems to apply
OS patches, create secure system images, and configure secure operating
systems

AWS Shield
Infrastructure Managed DDoS protection service that safeguards web applications
security running on AWS

AWS Web Application Firewall (WAF)


Protects your web applications from common web exploits ensuring
availability and security

Reduce surface area to manage Amazon Inspector


Automates security assessments to help improve the security and
and increase privacy for and compliance of applications deployed on AWS
control of your overall
Amazon Virtual Private Cloud (VPC)
infrastructure on AWS. Provision a logically isolated section of AWS where you can launch AWS
resources in a virtual network that you define

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Key Management Service (KMS)
Easily create and control the keys used to encrypt your data

AWS CloudHSM
Managed hardware security module (HSM) on the AWS Cloud
Data
protection Amazon Macie
Machine learning-powered security service to discover, classify, and
protect sensitive data

In addition to our automatic data AWS Certificate Manager


encryption and management Easily provision, manage, and deploy SSL/TLS certificates for use with AWS
services
services,
employ more features for Server Side Encryption
Flexible data encryption options using AWS service managed keys,
data protection. AWS managed keys via AWS KMS, or customer managed keys
(including data management, data
security, and encryption key storage)

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules
Incident Create rules that automatically take action in response to changes in your
response environment, such as isolating resources, enriching events with additional
data, or restoring configuration to a known-good state

During an incident, containing the AWS Lambda


Use our serverless compute service to run code without provisioning or managing
event and returning to a known servers so you can scale your programmed, automated
good state are important elements response to incidents

of a response plan. AWS provides


the following
tools to automate aspects of this
best practice.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Cloud Security &
9 Innovative Design Patterns

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Just-in-time access rights

+
Temporary
Integrated Identity and
Credentials
Access Management
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Consolidated Logging

+ +
Durable and
API Logs Performance, Firehose data Durable highly
cheap archive
Network, Apps Logs streaming available storage
storage
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ubiquitous Encryption

Managed KMI
Key Storage
on HSM
+ Object
Storage
Archive Out-of-band
data transfer
Block
Storage

DIY Database Data Warehouse Log Trails


© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Non-Persistent & Elastic

+
Scaling
Compute Instance
automagically

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Network Architecture
Hybrid Cloud

+ +
Logically Isolated section
Leased line Virtual Firewall
of the Cloud

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Network Architecture
Resiliency
DNS

CDN Scaling Load Balancer Auto-scaling

Web App Firewall Virtual Firewall


© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Monitor and React swiftly

+
Alarms based on Event-driven
Performance, serverless
Network, Apps Code execution
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Standardized Environments &
Security as Code

+
Continuous
SDK
Configuration
Automation
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Validate Change at Scale

+
Inventory, Baselines rules for
configuration history inventory and
and change configuration
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Seven Systemic Advantages of Cloud Security - Seven reasons,
plus one to grow on

1 Security is AWS highest priority; no compromises, ever

2 Integration of compliance and security

3 Economies of scale and separation of duties

4 Customers refocus on systems and applications

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Seven Systemic Advantages of Cloud Security - Seven
reasons, plus one to grow on

5 Visibility, homogeneity, and automation

6 Cloud platforms as “systems containers”

7 Cloud, big data, security: using the cloud to secure the cloud

With cloud speed of innovation and increasing scale, the story will only get better
8 – quickly!
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security “of” AWS

AWS Security Whitepaper


AWS Global Security Infrastructure
Physical and Environmental Security
Business Continuity Management
Network Security
AWS Employee Access
Secure Design Principles
Change Management
AWS Account Security Features
AWS Service-Specific Security

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

You might also like