An Introduction To AWS Cloud Security - ETDA
Ankush Chowdhary
Principal Security Advisor – APJ
Worldwide Public Sector
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
AWS Global Infrastructure
22 Regions – 69 Availability Zones – 176 Edge Locations
Region & Number of Availability Zones
US East: N. Virginia (6), Ohio (3)
US West: N. California (3), Oregon (4)
China: Beijing (2), Ningxia (3)
Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
Asia Pacific: Mumbai (3), Seoul (2), Singapore (3), Hong Kong (3), Sydney (3), Tokyo (4), Osaka-Local (1)
Middle East: Bahrain (3)
South America: São Paulo (3)
What is AWS Shared Responsibility?
Your data stays where you put it.
AWS Compliance Programs
Global, United States, Asia Pacific, Europe
All customers benefit from the same security
60+ Assurance programs, including
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001
• ISO 9001
• PCI DSS Level 1 - Service Provider
• ISO 27017 (security of the cloud)
• ISO 27018 (personal data)
• BSI C5 (Germany) – ESCloud (EU)
• CISPE - GDPR
Find Compliance Reports on AWS Artifact
https://aws.amazon.com/artifact/
Customer Security Operations in AWS
Move to AWS
Strengthen your security posture
Highest standards for privacy
• Meet data residency requirements: choose an AWS Region and AWS will not replicate your data elsewhere unless you choose to do so
• Encryption at scale with keys managed by AWS Key Management Service (KMS), or manage your own encryption keys with CloudHSM using FIPS 140-2 Level 3 validated HSMs
• Comply with local data privacy laws by controlling who can access content, its lifecycle, and its disposal
• Access services and tools that enable you to build compliant infrastructure on top of AWS
Identity & access management
AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources
AWS Organizations
Policy-based management for multiple AWS accounts
Amazon Cognito
Add user sign-up, sign-in, and access control to your web and mobile apps
Detective control
Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
AWS CloudTrail
Enable governance, compliance, and operational/risk auditing of your AWS account
AWS Config
Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting
Amazon CloudWatch
Monitor AWS Cloud resources and your applications on AWS to collect metrics, monitor log files, set alarms, and automatically react to changes
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
VPC Flow Logs
Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs
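The VPC Flow Logs entry above describes the data source but not what a detective control does with it. The following is an added example, not code from the deck or from AWS: it parses a few constructed records in the default flow-log format and reports sources whose REJECTed flows touched several distinct ports, which is the kind of signal a CloudWatch alarm or GuardDuty finding would surface. Field names, thresholds and the sample records are assumptions for the illustration.

```python
"""Detection over VPC Flow Log records: sources whose REJECTed flows hit many ports."""
from collections import defaultdict

# Constructed sample records in the default VPC Flow Logs format (space-separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 51234 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 51235 3389 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 51236 445 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 44321 443 6 20 4800 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 443 44321 6 18 9000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def parse_flow_log(text):
    """Yield one dict per usable record.

    Records with log-status NODATA or SKIPDATA carry '-' in the traffic fields
    and are skipped; lines without the 14 default fields are ignored.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["dstport"] = int(rec["dstport"])
        yield rec


def rejected_ports_by_source(text, min_ports=2):
    """Map srcaddr -> sorted distinct destination ports for sources whose REJECTed
    flows touched at least `min_ports` ports (threshold is an assumption)."""
    ports = defaultdict(set)
    for rec in parse_flow_log(text):
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, hit in rejected_ports_by_source(SAMPLE_FLOW_LOGS).items():
        print(f"{src}: REJECTed flows to ports {hit}")
```

In production the same logic would run over records pulled from the CloudWatch Logs group the deck mentions, with the threshold tuned to the environment's normal reject rate.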
Infrastructure security
Amazon EC2 Systems Manager
Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems
AWS Shield
Managed DDoS protection service that safeguards web applications running on AWS
Data protection
AWS Key Management Service (KMS)
Easily create and control the keys used to encrypt your data
AWS CloudHSM
Managed hardware security module (HSM) on the AWS Cloud
Amazon Macie
Machine learning-powered security service to discover, classify, and protect sensitive data
Incident response
AWS Config Rules
Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known-good state
AWS Cloud Security & 9 Innovative Design Patterns
Just-in-time access rights
Integrated Identity and Access Management + Temporary Credentials
Consolidated Logging
API Logs; Performance, Network, Apps Logs + Firehose data streaming + Durable highly available storage + Durable and cheap archive storage
Ubiquitous Encryption
Managed KMI (key storage on HSM) + Object Storage, Block Storage, Archive, Out-of-band data transfer, Compute Instance + Scaling automagically
Network Architecture: Hybrid Cloud
Logically isolated section of the Cloud + Leased line + Virtual Firewall
Network Architecture: Resiliency
DNS + Alarms based on Performance, Network, Apps + Event-driven serverless code execution
Standardized Environments & Security as Code
SDK + Continuous Configuration Automation
Validate Change at Scale
Inventory, configuration history and change + Baseline rules for inventory and configuration
Seven Systemic Advantages of Cloud Security - Seven reasons, plus one to grow on
7. Cloud, big data, security: using the cloud to secure the cloud
8. With cloud speed of innovation and increasing scale, the story will only get better – quickly!
Security “of” AWS
Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/