Security on AWS(overview) Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

Similar documents
Security Aspekts on Services for Serverless Architectures. Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

BERLIN. 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Security & Compliance in the AWS Cloud. Amazon Web Services

Security: Michael South Americas Regional Leader, Public Sector Security & Compliance Business Acceleration

Getting started with AWS security

Simple Security for Startups. Mark Bate, AWS Solutions Architect

AWS Security. Stephen E. Schmidt, Directeur de la Sécurité

Protecting Your Data in AWS. 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

LINUX, WINDOWS(MCSE),

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

Getting started with AWS security

Mapping traditional security technologies to AWS Dave Walker Specialised Solutions Architect Security and Compliance Amazon Web Services UK Ltd

Getting Started with AWS Security

Amazon Web Services. Block 402, 4 th Floor, Saptagiri Towers, Above Pantaloons, Begumpet Main Road, Hyderabad Telangana India

Cloud Computing /AWS Course Content

Introduction to Amazon Cloud & EC2 Overview

Amazon Web Services Training. Training Topics:

Crypto-Options on AWS. Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH

AWS Security Overview. Bill Shinn Principal Security Solutions Architect

Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content

AWS Solution Architect Associate

Amazon Web Services (AWS) Training Course Content

Introduction to Cloud Computing

AWS Well Architected Framework

Training on Amazon AWS Cloud Computing. Course Content

8/3/17. Encryption and Decryption centralized Single point of contact First line of defense. Bishop

TECHNICAL WORKBOOK. PCI Compliance in the AWS Cloud A NITIAN. Report Date: October 17, Jordan Wiseman, QSA

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Network Security & Access Control in AWS

Security Camp 2016 Cloud Security. August 18, 2016

AWS Administration. Suggested Pre-requisites Basic IT Knowledge

Overview of AWS Security - Database Services

Enroll Now to Take online Course Contact: Demo video By Chandra sir

Deep Freeze Cloud. Architecture and Security Overview

Title: Planning AWS Platform Security Assessment?

High School Technology Services myhsts.org Certification Courses

AWS Networking Fundamentals

Oracle WebLogic Server 12c on AWS. December 2018

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Hackproof Your Cloud Responding to 2016 Threats

AWS: Basic Architecture Session SUNEY SHARMA Solutions Architect: AWS

Scaling on AWS. From 1 to 10 Million Users. Matthias Jung, Solutions Architect

Additional Security Services on AWS

AWS_SOA-C00 Exam. Volume: 758 Questions

Standardized Architecture for PCI DSS on the AWS Cloud

Cloud and Storage. Transforming IT with AWS and Zadara. Doug Cliche, Storage Solutions Architect June 5, 2018

Amazon Web Services and Feb 28 outage. Overview presented by Divya

Vom Server bis zum WorkSpace: Windows Anwendungen auf AWS

Architecting for Greater Security in AWS

Creating your Virtual Data Centre

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Filters AWS CLI syntax, 43 Get methods, 43 Where-Object command, 43

AWS Solutions Architect Associate (SAA-C01) Sample Exam Questions

CPM. Quick Start Guide V2.4.0

Advanced Techniques for DDoS Mitigation and Web Application Defense

At Course Completion Prepares you as per certification requirements for AWS Developer Associate.

AWS Landing Zone. AWS User Guide. November 2018

Look Who s Hiring! AWS Solution Architect AWS Cloud TAM

Understanding Perimeter Security

TestkingPass. Reliable test dumps & stable pass king & valid test questions

Standardized Architecture for NIST High-Impact Controls on the AWS Cloud Featuring Trend Micro Deep Security

IAM Recommended Practices

25 Best Practice Tips for architecting Amazon VPC

Amazon Web Services 101 April 17 th, 2014 Joel Williams Solutions Architect. Amazon.com, Inc. and its affiliates. All rights reserved.

Cloud security 2.0: Joko nyt pilveen voi luottaa?

Creating Your Virtual Data Center

ActiveNET. #202, Manjeera Plaza, Opp: Aditya Park Inn, Ameerpetet HYD

Minfy MS Workloads Use Case

Introduction to Amazon Cloud & EC2 Overview

Amazon Web Services. Foundational Services for Research Computing. April Mike Kuentz, WWPS Solutions Architect

AWS Solutions Architect Exam Tips

HPE Digital Learner AWS Certified SysOps Administrator (Intermediate) Content Pack

AWS Certified Solutions Architect - Associate 2018 (SAA-001)

Cloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014

Certificate of Registration

AWS Data Security Security Update

Better, Faster, Stronger web apps with Amazon Web Services. Senior Technology Evangelist, Amazon Web Services

2013 AWS Worldwide Public Sector Summit Washington, D.C.

NGF0502 AWS Student Slides

Amazon ElastiCache. User Guide API Version

Vernetzte Fahrerassistenzsysteme (BMW + AWS ) Hazard Preview

Security by Design Running Compliant workloads in AWS

Deploying Transit VPC for Amazon Web Services

AMAZON WEB SERVICES (AWS) SERVICES OVERVIEW & SECURITY TIPS

Architecting for HIPAA Security and Compliance on Amazon Web Services

The Orion Papers. AWS Solutions Architect (Associate) Exam Course Manual. Enter

Netflix OSS Spinnaker on the AWS Cloud

Using SQL Server on Amazon Web Services

Security Overview of the BGI Online Platform

What s New at AWS? looking at just a few new things for Enterprise. Philipp Behre, Enterprise Solutions Architect, Amazon Web Services

Expected Learning Outcomes Introduction To AWS

Securing Microservices Containerized Security in AWS

Amazon AppStream 2.0: SOLIDWORKS Deployment Guide

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Designing Fault-Tolerant Applications

About Intellipaat. About the Course. Why Take This Course?

Cloud Security Strategy - Adapt to Changes with Security Automation -

Transcription:

Security on AWS(overview) Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

Agenda: Overview AWS Regions Availability Zones Shared Responsibility Security Features Best Practices for IAM Data at Rest

AWS Global Footprint US West (Oregon) GovCloud EU West (Ireland) EU Central (Frankfurt) China (Beijing) Korea (Seul) Asia Pacific (Tokyo) US East (Virginia) Region US West (N.California) An independent collection of AWS resources in a defined geography A solid foundation for meeting locationdependent privacy and compliance requirements Asia Pacific (Sydney) São Paulo Asia Pacific (Singapore)

Example AWS Region AZ AZ AZ AZ AZ Transit Transit Mesh of Availability Zones (AZ) and Transit Centers Redundant paths to transit centers Transit centers connect to: Private links to other AWS regions Private links to customers Internet through peering & paid transit Metro- area DWDM links between AZs 82,864 fiber strands in region AZs <2ms apart & usually <1ms 25Tbps peak inter- AZs traffic

AWS Global Footprint Availability Zone Designed as independent failure zones Physically separated within a typical metropolitan region

Example AWS Availability Zone AZ Transit AZ AZ AZ AZ Transit 1 of 30 AZs world- wide All regions have 2 or more AZs Each AZ is 1 or more DC No data center is in two AZs Some AZs have as many as 6 DCs DCs in AZ less than ¼ ms apart

Example AWS Data Center Single DC typically over 50,000 servers & often over 80,000 Larger DCs undesirable (blast radius) Up to 102Tbps provisioned to a single DC (inter DC not intra)

Shared Responsibility Managed by Customer Optimized Network/OS/App Controls Service-specific Controls Cross-service Controls Cloud Service Provider Controls Security in the Cloud Security of the Cloud Managed by AWS ISO 27000 ISO 9001 Request reports at: aws.amazon.com/compliance/#contact

What is AWS? Deployment & Administration Application Services Compute Storage Database Networking AWS Global Infrastructure

Service Breadth & Depth 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Features Overview

Network Security Choose and combine a bunch of build in network related options: ü Build in firewall features (Security Groups and NACL s) ü Virtual Private Cloud ü Transport Encryption (IPsec and TLS) ü Dedicated Network Connection (Direct Connect) ü Cypher Suites with Perfect Forward Secrecy ü Managed NAT Gateways ü WebApplicationFilters 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Virtual Private Cloud Security Layers Availability Zone A Availability Zone B Lockdown at instance level Security Group Security Group Security Group Isolate network functions Subnet 10.0.0.0/24 Subnet 10.0.1.0/24 Lockdown at network level Network ACL Router Network ACL Route restrictively Routing Table Routing Table Virtual Private Gateway Internet Gateway

Access Control Allow only authorized administrators and applications access on AWS resources ü Multi- Factor- Authentication (MFA) ü Fine granular access to AWS object ins3- Buckets/SQS/SNS and others ü API- Request Authentication ü Geo- Restrictions ü Temporary access tokens through STS 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Monitoring and Logging Get an overview about activities on your AWS ressources ü Asset- Management and - Configuration with AWS Config ü Compliance Auditing and security analytics with AWS CloudTrail ü Identifications of configuration challenges through TrustedAdvisor ü Fine granular logging of access to S3 objects ü Detailed informations about flows in the network through VPC- FlowLogs ü Rule based config checks and actions with AWS Config Rules ü Filter and monitoring of HTTP access to applications with WAF functions in CloudFront 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Encryption Security is the first priority for AWS ü Encryption of your data at rest with AES256 (EBS/S3/Glacier/RDS) ü Centralized (by Region) managed Key- Management ü IPsec tunnels into AWS with the VPN- Gateways ü Deicated HSM modules in the cloud with CloudHSM 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

IAM Overview

Identity and Access Management Users & Groups

Identity and Access Management Users & Groups Unique Security Credentials

Identity and Access Management Users & Groups Unique Security Credentials Temporary Security Credentials

Identity and Access Management Users & Groups Unique Security Credentials Temporary Security Credentials Policies & Permissions

Identity and Access Management Users & Groups Unique Security Credentials Temporary Security Credentials Policies & Permissions Roles

Identity and Access Management Users & Groups Unique Security Credentials Temporary Security Credentials Policies & Permissions Roles Multi-factor Authentication

IAM Best Practices

Root Accounts Do Not Need Access Keys Root Accounts Do Normally Not Log In

Best Practices Lock away your AWS account access keys Create individual IAM users Use groups to assign permissions to IAM users Grant least privilege Configure a strong password policy for your users Enable MFA for privileged users Use roles for applications that run on Amazon EC2 instances Delegate by using roles instead of by sharing credentials Rotate credentials regularly Remove unnecessary credentials Use policy conditions Keep a history of activity

What type of events should I monitor for? v You can monitor any specific event recorded by CloudTrail and receive notification from CloudWatch v Monitor for security or network related events that are likely to have a high blast radius v Popular examples based on customer feedback 1. Creation, deletion and modification of security groups and VPCs 2. Changes to IAM policies or S3 bucket policies 3. Failed AWS Management Console sign-in events 4. API calls that resulted in authorization failures 5. Launching, terminating, stopping, starting and rebooting EC2 instances v Fully defined and pre-built CloudFormation template to get started

Receive email notifications of specific API activity

Demo: Kibana

Data at Rest: Simplified

Securing Data at Rest Amazon RDS Redshift > AES-256 key > KMS integration > Easy one-click encryption Amazon EBS Glacier Amazon S3

Securing Data at Rest Amazon S3 Glacier > AES-256 key > Each object is encrypted > Each key is encrypted with a master key > Master key is rotated regularly > KMS integration

Securing Data at Rest Amazon EBS > AES-256 key > Performed on EC2 host > Snapshots > KMS integrated > Each Volume gets it s DataKey > DataKey is encrypted with MasterKey

Securing Data at Rest Amazon RDS > AES-256 key > Logs, backups, and snapshots > Read replicas > Active and backup > CloudHSM (Oracle TDE only) > KMS integration

Securing Data at Rest Redshift > AES-256 key > Data blocks > Metadata > Active and backup > CloudHSM integration > 4-tier encryption architecture

Securing Data at Rest CloudHSM > Hardware Security Module > Single tenancy > Private key material never leaves the HSM > AWS provisioned, customer managed

Whitepaper: Encrypting Data at Rest https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf

Thank You Content Providers: Bertram Dorn Brian Wagner Dave Walker

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback