Security & Compliance in the AWS Cloud Amazon Web Services
Our Culture Simple Security Controls
Job Zero
AWS Pace of Innovation: AWS has been continually expanding its services to support virtually any cloud workload and now has more than 70 services that range from compute, storage, networking, database, analytics, application services, deployment, management and mobile. (Chart: new services and features released per year, 2009: 48, 2011: 82, 2013: 280, 2015: 722.)
AWS platform overview (service map):
- TECHNICAL & BUSINESS SUPPORT: Support, Professional Services, Partner Ecosystem, Training & Certification, Solutions Architects
- HYBRID ARCHITECTURE: Integrated Networking, Direct Connect, Identity Federation, Integrated App Deployments, Integrated Resource Management, Data Backups, Single Integrated Console
- ANALYTICS: Data Warehousing, Business Intelligence, Hadoop/Spark, Streaming Data Analysis, Streaming Data Collection, Machine Learning, Elastic Search
- APP SERVICES: Queuing & Notifications, Workflow, Search, Email, Transcoding
- MOBILE SERVICES: API Gateway, Identity, Sync, Mobile Analytics, Push Notifications
- MARKETPLACE (third-party software catalog): Business Apps, DevOps Tools, Security, Networking, Storage, Databases
- DEVELOPMENT & OPERATIONS: One-click App Deployment, DevOps Resource Management, Application Lifecycle Management, Containers, Triggers
- SECURITY & COMPLIANCE: Identity Management, Access Control, Key Management & Storage, Monitoring & Logs, Resource Templates, Configuration Compliance, Web Application Firewall, Assessment and Reporting, Resource & Usage Auditing, Account Management, Security & Pricing Reports
- IoT: Rules Engine, Device Shadows, Device SDKs, Device Gateway, Registry
- ENTERPRISE APPS: Virtual Desktops, Sharing & Collaboration, Corporate Email, Backup
- CORE SERVICES: Compute (VMs, Auto-scaling & Load Balancing); Storage (Object, Blocks, Archival, Import/Export); Databases (Relational, NoSQL, Caching, Migration); Networking (VPC, DX, DNS); CDN
- INFRASTRUCTURE: Regions, Availability Zones, Points of Presence
SHARED RESPONSIBILITY
GxP, ISO 13485, AS9100, ISO/TS 16949
Customers decide how to implement security IN the Cloud, and have their choice of security configurations: customer applications & content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption; server-side data encryption; network traffic protection.
AWS is responsible for the security OF the Cloud: the AWS Foundation Services (compute, storage, database, networking) and the AWS Global Infrastructure (Availability Zones, Regions, Edge Locations).
SECURITY IS VISIBILITY AND AUDITABILITY
How often do you map your network? RIGHT NOW?
AWS CLOUDTRAIL: You are making API calls on a growing set of services around the world (for example AWS CloudFormation, Amazon Redshift, AWS Elastic Beanstalk). AWS CloudTrail is continuously recording those API calls and delivering log files to you.
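What "delivering log files to you" buys a security team is the ability to run detection logic over every API call. The following is an added example, not code from the original slides or an AWS tool: it parses a constructed CloudTrail log file (the record fields follow CloudTrail's JSON format, but the events, account ID, names and IP addresses are made up) and flags root-account use, console logins without MFA, tampering with the trail itself, and IAM write calls, while ignoring read-only Describe*/Get*/List* traffic. The rule set and severities are this example's own choices.

```python
import json

# Constructed sample CloudTrail log file (not real data). The shape follows
# CloudTrail's format: a top-level "Records" list, each record carrying
# eventSource, eventName, userIdentity, sourceIPAddress and so on.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-05-10T09:12:31Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob", "policyName": "AdminInline"}},
    {"eventTime": "2016-05-10T09:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-05-10T09:20:45Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2016-05-10T09:21:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]})

# Calls that blind the audit trail itself: always worth a page.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# IAM API names that change who can do what (read-only calls start with Get/List).
IAM_WRITE_PREFIXES = ("Put", "Attach", "Detach", "Create", "Delete", "Update")


def actor_of(record):
    """Human-readable principal: the IAM user name, or the last ARN segment (e.g. 'root')."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown").rsplit(":", 1)[-1]


# (rule id, severity, predicate), evaluated in this order for each record so the
# findings come out in a stable sequence. Severities are this example's choice.
RULES = [
    ("root-usage", "high",
     lambda r: r.get("userIdentity", {}).get("type") == "Root"),
    ("console-login-no-mfa", "high",
     lambda r: r.get("eventName") == "ConsoleLogin"
     and r.get("additionalEventData", {}).get("MFAUsed") == "No"),
    ("trail-tampering", "critical",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
     and r.get("eventName") in TRAIL_TAMPERING),
    ("iam-change", "medium",
     lambda r: r.get("eventSource") == "iam.amazonaws.com"
     and r.get("eventName", "").startswith(IAM_WRITE_PREFIXES)),
]


def scan_records(records):
    """Run every rule over every record; a record can raise several findings."""
    findings = []
    for record in records:
        for rule_id, severity, predicate in RULES:
            if predicate(record):
                findings.append({
                    "rule": rule_id, "severity": severity,
                    "time": record.get("eventTime"),
                    "event": record.get("eventName"),
                    "actor": actor_of(record),
                    "source_ip": record.get("sourceIPAddress"),
                    "params": record.get("requestParameters", {}),
                })
    return findings


def scan_log_file(text):
    """Parse one delivered CloudTrail log file (JSON text) and return its findings."""
    return scan_records(json.loads(text)["Records"])


if __name__ == "__main__":
    for f in scan_log_file(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['rule']}: {f['actor']} called "
              f"{f['event']} from {f['source_ip']} {f['params']}")
```

Files CloudTrail delivers to your S3 bucket are gzip-compressed JSON with exactly this Records envelope, so in practice you would gunzip each object and pass its text to scan_log_file. Note that the third record (StopLogging) is the one a real detection pipeline must never miss: once the trail is stopped, none of the other rules will ever fire again.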
AWS CONFIG: AWS Config records your changing resources, keeps a continuous change-history stream, and can deliver a configuration snapshot of all resources at a point in time (e.g. 2014-11-05).
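A change-history stream is only useful if something compares successive states and raises the dangerous transitions. The following is an added example and not AWS code: it takes two constructed AWS Config snapshots (configuration items shaped like Config's records for security groups, with made-up group IDs and rules), lists which resources were added, removed or changed, and then asks the specific question a reviewer cares about: which security groups newly expose a port to 0.0.0.0/0 between the two snapshots?

```python
# Constructed sample AWS Config snapshots (not real data). Each configurationItem
# mirrors the fields Config records for a resource: resourceType, resourceId and
# the resource's "configuration" (for a security group, its ingress rules).
def _sg(group_id, name, permissions):
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": group_id,
            "configuration": {"groupName": name, "ipPermissions": permissions}}


SSH_FROM_CORP = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "203.0.113.0/24"}]}
SSH_FROM_ANYWHERE = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}
HTTPS_FROM_ANYWHERE = {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                       "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}
MYSQL_FROM_VPC = {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
                  "ipRanges": [{"cidrIp": "10.0.0.0/16"}]}

SNAPSHOT_BEFORE = {"captureTime": "2014-11-05T00:00:00Z", "configurationItems": [
    _sg("sg-0a1b2c3d", "web", [HTTPS_FROM_ANYWHERE]),
    _sg("sg-0e4f5a6b", "bastion", [SSH_FROM_CORP]),
    _sg("sg-0c7d8e9f", "legacy", []),
]}
SNAPSHOT_AFTER = {"captureTime": "2014-11-06T00:00:00Z", "configurationItems": [
    _sg("sg-0a1b2c3d", "web", [HTTPS_FROM_ANYWHERE]),
    _sg("sg-0e4f5a6b", "bastion", [SSH_FROM_ANYWHERE]),   # drift: SSH opened to the world
    _sg("sg-1a2b3c4d", "new-db", [MYSQL_FROM_VPC]),        # new resource
]}                                                          # "legacy" group deleted


def _by_id(snapshot):
    return {ci["resourceId"]: ci for ci in snapshot["configurationItems"]}


def diff_snapshots(before, after):
    """Which resource IDs appeared, disappeared, or have a different configuration."""
    b, a = _by_id(before), _by_id(after)
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "changed": sorted(r for r in set(a) & set(b)
                          if a[r]["configuration"] != b[r]["configuration"]),
    }


def open_to_world(item, port):
    """True if any ingress rule of this security group lets 0.0.0.0/0 reach `port`."""
    for perm in item["configuration"].get("ipPermissions", []):
        if perm.get("ipProtocol") not in ("tcp", "-1"):   # "-1" is "all protocols"
            continue
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if lo <= port <= hi and any(r.get("cidrIp") == "0.0.0.0/0"
                                    for r in perm.get("ipRanges", [])):
            return True
    return False


def newly_world_open(before, after, port=22):
    """Security groups where `port` was not world-reachable in `before` but is in `after`."""
    b = _by_id(before)
    out = []
    for ci in after["configurationItems"]:
        was_open = ci["resourceId"] in b and open_to_world(b[ci["resourceId"]], port)
        if open_to_world(ci, port) and not was_open:
            out.append(ci["resourceId"])
    return sorted(out)


if __name__ == "__main__":
    print(diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    print("SSH newly open to the world:", newly_world_open(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

The generic diff tells you three things changed; the targeted check tells you which one of them matters (the bastion host's SSH rule going from the corporate range to 0.0.0.0/0). Port 443 on the web group is world-open in both snapshots, so it is correctly not reported as new.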
SECURITY IS CONTROL
(USERS, RESOURCES,CONTENT)
Control access and segregate duties everywhere. With AWS Identity and Access Management (IAM) you control who can do what in your AWS environment, and from where. Fine-grained control of your AWS cloud with two-factor authentication. Integrate with your existing corporate directory using SAML 2.0 and single sign-on. (Diagram: the AWS account owner with separate Network management, Security management, Server management and Storage management roles.)
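"Who can do what, and from where" is exactly what an IAM policy's Action, Resource and Condition elements express. The following is an added example, not AWS's own evaluation engine: a deliberately simplified evaluator over two constructed policies (made-up Sids, resource ARNs and IP ranges) that reproduces the rule every AWS practitioner must internalise, namely that an explicit Deny beats any Allow, and that without a matching Allow the default is deny. It supports only the wildcard matching and the Bool, IpAddress, NotIpAddress and StringEquals condition operators, and treats a condition key missing from the request as a failed condition; real IAM has many more operators and finer rules.

```python
import fnmatch
import ipaddress

# Constructed sample policies (not from the slides). Together they say: anyone
# they are attached to may read EC2 state, may stop/terminate instances only with
# MFA, may read one S3 prefix, and may do nothing at all from outside the
# corporate network 203.0.113.0/24.
POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadOnlyEc2", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "MutateEc2OnlyWithMfa", "Effect": "Allow",
         "Action": ["ec2:StopInstances", "ec2:TerminateInstances"], "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "ReadProdLogs", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prod-logs/*"},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyOutsideCorpNet", "Effect": "Deny",
         "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    ]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold=False):
    """IAM-style wildcard match ('*' and '?'). Actions are case-insensitive (fold=True),
    resource ARNs are not."""
    if fold:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """All operator/key pairs must hold (AND). Simplification: a key missing from
    the request context makes the condition false."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected[0]).lower():
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                inside = any(ip in ipaddress.ip_network(c) for c in expected)
                if inside != (operator == "IpAddress"):
                    return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action, resource, ctx):
    """Simplified IAM decision: explicit Deny > Allow > implicit deny.
    Returns (decision, Sid of the deciding statement)."""
    allow_sid = None
    for policy in policies:
        for st in policy["Statement"]:
            if not _matches(st.get("Action", []), action, fold=True):
                continue
            if not _matches(st.get("Resource", []), resource):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "explicit-deny", st.get("Sid", "")    # a Deny always wins
            if allow_sid is None:
                allow_sid = st.get("Sid", "")                # keep scanning for a Deny
    return ("allow", allow_sid) if allow_sid is not None else ("implicit-deny", "")


def corp(mfa):
    """Request context for a call from inside the corporate range, with or without MFA."""
    return {"aws:SourceIp": "203.0.113.5", "aws:MultiFactorAuthPresent": mfa}


INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"

if __name__ == "__main__":
    for action, resource, ctx in [
        ("ec2:DescribeInstances", INSTANCE, corp(False)),
        ("ec2:TerminateInstances", INSTANCE, corp(False)),
        ("ec2:TerminateInstances", INSTANCE, corp(True)),
        ("ec2:DescribeInstances", INSTANCE, {"aws:SourceIp": "198.51.100.9",
                                             "aws:MultiFactorAuthPresent": True}),
        ("s3:GetObject", "arn:aws:s3:::prod-logs/2016/05/10.gz", corp(False)),
        ("s3:GetObject", "arn:aws:s3:::secrets/master.key", corp(True)),
    ]:
        print(f"{action:24} {evaluate(POLICIES, action, resource, ctx)}")
```

Two behaviours are worth noticing in the output. TerminateInstances without MFA is refused even though a matching Allow statement exists, because its Bool condition fails and the request falls through to the implicit deny; and DescribeInstances from 198.51.100.9 is refused with an explicit deny even though ReadOnlyEc2 matched first, because the evaluator keeps scanning for a Deny after finding an Allow. The same evaluator can be fed the real policy JSON you attach to users and roles, as long as it stays within the operators implemented here.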
you put it
13 Regions, 35 Availability Zones, 59 Edge Locations: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), AWS GovCloud (US), SOUTH AMERICA (Sao Paulo), EU-WEST (Ireland), EU-CENTRAL (Frankfurt), ASIA PAC (Tokyo), ASIA PAC (Korea), ASIA PAC (Singapore), ASIA PAC (Sydney), ASIA PAC (Mumbai), CHINA (Beijing)
AWS Virtual Private Cloud: create your own private, isolated section of the AWS cloud. Provision a logically isolated section of the AWS cloud; you choose a private IP range for your VPC and segment it into subnets (spread across Availability Zone A and Availability Zone B) to deploy your compute instances.
AWS network security: the AWS network prevents spoofing and other common layer 2 attacks; you cannot sniff anything but your own EC2 host network interface; you control all external routing and connectivity.
Connect resiliently and in private: your AWS environment (digital websites, dev and test, big data analytics, enterprise apps) links to your premises over the Internet, over VPN, or over AWS Direct Connect.
AWS Key Management Service: encryption key management and compliance made easy. PCI DSS Service Provider Level 1 compliant; FIPS 140-2 validation under way (at the time of this talk). Integrated with AWS services (e.g. S3, EBS, RDS, Redshift, CloudTrail, EMR). Highly available and durable.
AUDIT EVERYTHING
Auditors
Governance: fine-grained visibility and control for accounts, resources and data.
- Geographic data locality; control over deployment; control over regional replication
- Fine-grained access control: policies, resource-level permissions, temporary credentials
- Visibility into resources and usage: service Describe* APIs and Amazon CloudWatch
- In-depth logging: AWS CloudTrail and AWS Config
- Deployment as code: AWS CloudFormation
COMPLIANCE
More accreditations & certifications than anyone: SOC 1 / ISAE 3402, SOC 2, SOC 3, HIPAA, CJIS, DoD SRG Levels 2 & 4, MLPS Level 3, MTCS Tier 3, IRAP, ISO 27001, ISO 9001, ISO 27018, GxP, ITAR, FERPA, Section 508 / VPAT, NIST FISMA, RMF and DIACAP, FedRAMP, ISO 27017, PCI DSS Level 1, FIPS 140-2, G-Cloud, IT-Grundschutz, MPAA, Cloud Security Alliance, Cyber Essentials Plus.
evidence
Data Sovereignty & Privacy: you retain control and ownership of your content. Choose your AWS Region and adhere to data sovereignty laws. Compliant with ISO 27001, ISO 27017 and ISO 27018. Encrypt your data using AWS services or using your own.
Vibrant Partner Ecosystem (SaaS offerings): Infrastructure Security, Logging and Monitoring, Identity and Access Control, Configuration and Vulnerability Analysis, Data Protection.
Job Zero BETTER IN AWS
Event @ AWS Booth. Survey event: anyone who completes the survey receives an AWS T-shirt! CLOUDSEC PoC application event: anyone who applies for a PoC receives free consulting and a portable battery pack!
AWS CLOUD SECURITY PARTNER: To secure your valuable data, MEGAZONE works together with its No. 1 partners, AWS and Trend Micro, to provide a range of services. No. 1 Premier Partner, No. 1 Security Partner, No. 1 Business Partner.