Getting Started with AWS Security


Getting Started with AWS Security
Tomas Clemente Sanchez, Senior Consultant, Security, Risk and Compliance
September 21st 2017
2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Move Fast AND Stay Secure

Making life easier: choosing security does not mean giving up on convenience or introducing complexity.

Understand AWS Security

Security is a shared responsibility. Let AWS do the heavy lifting and focus on what is most valuable to your business.

AWS is responsible for:
- Facility operations
- Physical security
- Physical infrastructure
- Network infrastructure
- Virtualisation infrastructure
- Hardware lifecycle management

The customer is responsible for:
- Choice of guest OS
- Application configuration options
- Account management flexibility
- Security groups
- ACLs
- Identity management

Shared Responsibility Model

AWS Global Infrastructure
- 16 AWS Regions (+5 announced)
- Each Region has at least 2 Availability Zones
- 44 (+16) Availability Zones (AZs)
- 77 AWS Edge Locations

AWS Assurance Programs: AWS maintains a formal control environment
- SOC 1 Type II, SOC 2 Type II and public SOC 3 report
- ISO 27001, 27017, 27018 certification
- Certified PCI DSS Level 1 Service Provider
- FedRAMP Authorization
- Architect for HIPAA compliance
- EU Data Protection
- C5 (GER), Cyber Essentials Plus (UK)

Establish network security

VPC (Virtual Private Cloud)
- Your virtual data center on AWS
- A block of IPs that defines your network (typically RFC 1918), for example VPC CIDR 10.1.0.0/16
- Can span multiple AZs (the diagram shows Availability Zones A and B)
- Default VPCs

VPC subnet
- A range of IPs within your VPC IP range (the diagram shows 10.1.1.0/24 and 10.1.10.0/24 inside the 10.1.0.0/16 VPC)
- Lives inside a single AZ
- Can provide security at the subnet or network level with access control lists (ACLs)
- Can route at the subnet level
- Default VPC subnets

Network access control list (NACL)
- An optional layer of security that acts as a firewall for a subnet (the diagram shows one subnet with an ACL in each Availability Zone of the 10.1.0.0/16 VPC)
- A numbered list of rules that is evaluated in order
- ACLs are stateless and have separate inbound and outbound rules

Security groups
- A security group acts as a virtual firewall for your EC2 instance (the diagram shows EC2 instances in subnets 10.1.1.0/24 and 10.1.10.0/24 sharing one security group across Availability Zones A and B)
- An EC2 instance can have up to five security groups
- Security groups act at the instance level, not the subnet level
- Security groups are stateful
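The difference between the two filtering layers just described (stateless NACL rules evaluated by number, stateful security group rules) is easiest to see on a single HTTPS exchange. The following is an added illustration written for this page, not AWS code and not part of the original deck: a toy evaluator for both layers, with constructed addresses, ports and rule numbers. It shows the classic NACL pitfall the slides' "stateless" bullet implies: an outbound rule set that allows only port 443 drops the reply to the client's ephemeral port, while a security group with no outbound rule at all still lets the reply out.

```python
"""Toy model of the two VPC filtering layers on the slides: a stateless
network ACL (numbered rules, evaluated lowest number first, implicit deny)
and a stateful security group (allow-only rules, return traffic admitted
automatically). Added illustration, not AWS code; the addresses, ports and
rule numbers below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    number: int      # NACL rule number; lower numbers are evaluated first
    proto: str       # "tcp", "udp" or "*" for any protocol
    cidr: str        # remote CIDR block the rule applies to
    port_from: int   # port range, checked against the packet's destination port
    port_to: int
    action: str      # "allow" or "deny"


def in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def nacl_evaluate(rules, remote_ip: str, port: int, proto: str) -> str:
    """Stateless evaluation of one direction: the first rule (by number)
    matching protocol, CIDR and port decides; no match hits the final '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in ("*", proto):
            continue
        if not in_cidr(remote_ip, rule.cidr):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"


class SecurityGroup:
    """Stateful evaluation: rules only allow, and a flow admitted in one
    direction has its reply admitted in the other. Connection tracking is
    simplified here to (instance IP, remote IP, protocol) tuples."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # each rule: (proto, cidr, port_from, port_to)
        self.outbound = outbound
        self._flows = set()

    @staticmethod
    def _match(rules, remote_ip, port, proto):
        return any(p in ("*", proto) and in_cidr(remote_ip, c) and lo <= port <= hi
                   for p, c, lo, hi in rules)

    def inbound_allowed(self, instance_ip, remote_ip, dport, proto="tcp"):
        key = (instance_ip, remote_ip, proto)
        if key in self._flows or self._match(self.inbound, remote_ip, dport, proto):
            self._flows.add(key)    # remember the flow so the reply passes
            return True
        return False

    def outbound_allowed(self, instance_ip, remote_ip, dport, proto="tcp"):
        key = (instance_ip, remote_ip, proto)
        if key in self._flows or self._match(self.outbound, remote_ip, dport, proto):
            self._flows.add(key)
            return True
        return False


# Constructed scenario: a client at 203.0.113.5 (ephemeral port 51000) sends an
# HTTPS request to an instance at 10.1.1.10, and the instance replies.
CLIENT, INSTANCE, CLIENT_PORT = "203.0.113.5", "10.1.1.10", 51000

NACL_INBOUND = [AclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
# Outbound list that forgets the ephemeral port range: replies are dropped.
NACL_OUTBOUND_TOO_TIGHT = [AclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
# Outbound list that also admits replies to the client's ephemeral port.
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_TOO_TIGHT + [
    AclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]


def nacl_https_exchange(outbound_rules):
    """Returns (request decision, reply decision) for the stateless NACL."""
    request = nacl_evaluate(NACL_INBOUND, CLIENT, 443, "tcp")
    reply = nacl_evaluate(outbound_rules, CLIENT, CLIENT_PORT, "tcp")
    return request, reply


def sg_https_exchange():
    """Same exchange through a security group with no outbound rule at all:
    the reply is still admitted because the group tracked the inbound flow."""
    sg = SecurityGroup(inbound=[("tcp", "0.0.0.0/0", 443, 443)], outbound=[])
    request = sg.inbound_allowed(INSTANCE, CLIENT, 443)
    reply = sg.outbound_allowed(INSTANCE, CLIENT, CLIENT_PORT)
    return request, reply


if __name__ == "__main__":
    print("NACL, tight outbound:", nacl_https_exchange(NACL_OUTBOUND_TOO_TIGHT))
    print("NACL, fixed outbound:", nacl_https_exchange(NACL_OUTBOUND_FIXED))
    print("Security group:", sg_https_exchange())
```

The model also reproduces the ordering rule: a deny with a lower number than an allow wins for the addresses it covers, so rule numbers, not list position, decide the outcome when you review a NACL.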

Amazon Virtual Private Cloud (reference architecture diagram): VPC CIDR 10.10.0.0/16 across AZ A and AZ B. Public subnets 10.10.1.0/24 and 10.10.2.0/24 hold an Internet Gateway, a public ELB and an autoscaling web tier; private subnets 10.10.3.0/24 and 10.10.4.0/24 hold an internal ELB and an autoscaling application tier; private subnets 10.10.5.0/24 and 10.10.6.0/24 hold the data tier (RDS master, Multi-AZ RDS standby, snapshots). The existing datacenter, administrators and corporate users reach the VPC through a VPN connection (customer gateway to virtual private gateway), and a network partner location through Direct Connect.

Security Groups (tiered example): VPC CIDR 10.1.0.0/16 across Availability Zones A and B. ELBs in the public subnets use sg_elb_frontend (ELB security group), web servers in the private subnets use sg_web_frontend (web security group), and back-end servers in the private subnets use sg_backend (backend security group).


AWS WAF: Web Application Firewall

AWS WAF in action: admins define rules in the AWS Management Console, developers deploy protection through the AWS API, and AWS WAF protects the web app served by CloudFront.

AWS WAF partner integrations
- Alert Logic, Trend Micro, and Imperva integrate with AWS WAF
- Offer additional detection and threat intelligence
- Dynamically modify AWS WAF rulesets for increased protection

AWS Shield
- Standard Protection: available to ALL AWS customers at no additional cost
- Advanced Protection: paid service that provides additional, comprehensive protection from large and sophisticated attacks

Integrate Identity & Access Management

IAM: Identity and Access Management
- With AWS IAM you control who can do what in your AWS environment, and from where
- Fine-grained control of your AWS cloud with two-factor authentication
- Integrated with your existing corporate directory using SAML 2.0 and single sign-on
- (Diagram: the AWS account owner delegates network management, security management, server management and storage management to separate identities)

AWS Identity & Access Management building blocks: IAM users, IAM groups, IAM roles, IAM policies.
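IAM policies are where the "who can do what" of the previous slide is actually written down, and the way they combine is the part that matters for least privilege: no statement matching means deny, an Allow grants, and an explicit Deny beats every Allow. The block below is an added example for this page, not the IAM engine and not the deck's own material; it models only that core logic (Condition, NotAction, NotResource and resource-based policies are left out, which is stated in the code), and the policy documents, bucket name and account ID are constructed.

```python
"""Simplified model of how IAM evaluates the identity-based policies attached
to a user, group or role: default deny, a matching Allow grants, a matching
Deny overrides every Allow. Added illustration, not the IAM engine itself:
Condition, NotAction, NotResource and resource-based policies are left out.
The policy documents, bucket name and account ID below are constructed."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM wildcards are '*' (any run) and '?' (one character), as in fnmatch
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action: str, resource: str) -> str:
    """Returns 'allow', 'explicit_deny' or 'implicit_deny'."""
    decision = "implicit_deny"
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            # action names are case-insensitive; resource ARNs are not
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            if not _matches(actions, action.lower()):
                continue
            if not _matches(_as_list(stmt.get("Resource", "*")), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"      # Deny wins, nothing else to check
            decision = "allow"
    return decision


# Constructed policies: a group policy granting read access to one bucket, and
# a guard-rail policy attached alongside it that forbids destroying the audit
# trail or KMS keys no matter what other grants an identity holds.
REPORTS_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]}]}

GUARD_RAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["kms:ScheduleKeyDeletion", "cloudtrail:DeleteTrail",
                    "cloudtrail:StopLogging"],
         "Resource": "*"}]}

ADMIN = {"Version": "2012-10-17",
         "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}


def analyst_can(action: str, resource: str) -> str:
    return evaluate([REPORTS_READ_ONLY, GUARD_RAILS], action, resource)


def admin_can(action: str, resource: str) -> str:
    return evaluate([ADMIN, GUARD_RAILS], action, resource)


if __name__ == "__main__":
    trail = "arn:aws:cloudtrail:eu-west-1:123456789012:trail/main"
    print(analyst_can("s3:GetObject", "arn:aws:s3:::example-reports/q3.csv"))
    print(analyst_can("s3:PutObject", "arn:aws:s3:::example-reports/q3.csv"))
    print(admin_can("cloudtrail:StopLogging", trail))
```

Running it shows the analyst reading from the reports bucket (allow), failing to write to it (implicit deny, no statement matched) and the administrator being stopped from disabling CloudTrail (explicit deny) even though `Action: "*"` would otherwise cover it.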

Implement Data Protection

Cryptographic Services
AWS KMS:
- Deep integration with AWS services
- CloudTrail
- AWS SDK for application encryption
Amazon CloudHSM:
- Dedicated HSM
- Integrate with on-premises HSMs
- Hybrid architectures

AWS Key Management Service: encryption key management and compliance made easy
- One-click encryption of server and database storage
- Centralized key management (create, delete, view, set policies)
- Enforced, automatic key rotation
- Visibility into any changes via CloudTrail

Enable Detective Controls

AWS CloudTrail & CloudWatch
AWS CloudTrail:
- Enable globally for all AWS Regions
- Encryption & integrity validation
- Archive & forward
Amazon CloudWatch:
- Amazon CloudWatch Logs
- Metrics & filters
- Alarms & notifications

CloudTrail: Record AWS API Calls
AWS CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes caller identity, time, the source IP address, parameters, and the response returned by the AWS service. The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
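The "security analysis" the slide mentions starts with reading those fields (caller identity, source IP, event name, response) out of the delivered log files and checking them against a few rules. The block below is an added example for this page, not AWS code: the log file is constructed in the shape CloudTrail delivers (a JSON object with a "Records" array), the account ID, ARNs and addresses are placeholders, and the four detections are the ones a practitioner most commonly wires to an alarm: root account activity, a successful console login without MFA, calls that stop or alter the trail itself, and a burst of AccessDenied errors from one identity.

```python
"""Detection logic run over CloudTrail records. Added example, not AWS code.
The log file is constructed in the shape CloudTrail delivers to S3 (a JSON
object with a "Records" array); account ID, ARNs and IPs are placeholders."""
import json
from collections import Counter

ACCOUNT = "123456789012"                       # placeholder account ID
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"   # constructed identities
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"


def _rec(name, source, ident, **extra):
    base = {"eventVersion": "1.05", "eventTime": "2017-09-21T08:00:00Z",
            "eventSource": source, "eventName": name, "awsRegion": "eu-west-1",
            "sourceIPAddress": "198.51.100.23", "userIdentity": ident}
    base.update(extra)
    return base


SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    _rec("ConsoleLogin", "signin.amazonaws.com",
         {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT},
         additionalEventData={"MFAUsed": "No"},
         responseElements={"ConsoleLogin": "Success"}),
    _rec("StopLogging", "cloudtrail.amazonaws.com",
         {"type": "IAMUser", "arn": ALICE, "userName": "alice"},
         requestParameters={"name": f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/main"}),
    _rec("DescribeInstances", "ec2.amazonaws.com",
         {"type": "IAMUser", "arn": ALICE, "userName": "alice"}),
] + [
    _rec("GetSecretValue", "secretsmanager.amazonaws.com",
         {"type": "IAMUser", "arn": BOB, "userName": "bob"},
         errorCode="AccessDenied", errorMessage="not authorized")
    for _ in range(3)
]})

# API calls that disable or weaken the audit trail itself
AUDIT_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def flag_events(records, denied_threshold=3):
    """Returns a list of (finding, detail, context) tuples."""
    findings = []
    denied = Counter()
    for ev in records:
        ident = ev.get("userIdentity", {})
        actor = ident.get("arn", "unknown")
        name = ev.get("eventName")
        src_ip = ev.get("sourceIPAddress")
        if ident.get("type") == "Root":
            findings.append(("root-activity", name, src_ip))
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(("console-login-without-mfa", actor, src_ip))
        if name in AUDIT_TAMPER_EVENTS:
            findings.append(("cloudtrail-tampering", name, actor))
        if ev.get("errorCode") == "AccessDenied":
            denied[actor] += 1
    for actor, count in denied.items():
        if count >= denied_threshold:
            findings.append(("repeated-access-denied", actor, count))
    return findings


def analyse(trail_file_json: str):
    return flag_events(json.loads(trail_file_json)["Records"])


if __name__ == "__main__":
    for finding in analyse(SAMPLE_TRAIL_FILE):
        print(finding)
```

Each rule keys on a field the slide lists: caller identity (`userIdentity`), the call (`eventName`), the source IP and the response (`responseElements`, `errorCode`). The AccessDenied count is the one that needs tuning per account; a threshold of 3 is only the constructed sample's value.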

CloudWatch Logs: Centralize Your Logs
Send existing system, application, and custom log files to CloudWatch Logs via the CloudWatch Logs agent, and monitor these logs in near real time. This can help you better understand and operate your systems and applications, and you can store your logs in highly durable, low-cost storage for later access.

VPC Flow Logs
- Agentless
- Enable per ENI, per subnet, or per VPC
- Logged to Amazon CloudWatch Logs
- Create CloudWatch metrics from log data and alarm on those metrics
- Fields recorded: interface, AWS account, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject

VPC Flow Logs: Amazon CloudWatch Logs subscriptions to Amazon Elasticsearch Service

VPC Flow Logs: CloudWatch Alarms
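The metric-then-alarm flow described above is easy to reproduce offline on the record format itself. The block below is an added example for this page, not AWS code: it parses constructed records in the default space-separated format (the 14 fields the slide lists, plus the version and log status), skips the NODATA records whose traffic fields are "-", counts REJECTed connection attempts per source address (what a CloudWatch metric filter on `REJECT` would emit) and raises the equivalent of an alarm once a source crosses a threshold. The account ID, interface ID and addresses are placeholders.

```python
"""Parsing VPC Flow Log records and deriving the metric a CloudWatch metric
filter plus alarm would produce (rejected connections per source). Added
example, not AWS code. Records are constructed in the default version-2
space-separated format; NODATA/SKIPDATA records carry '-' in the traffic
fields and are skipped."""
from collections import Counter
from typing import Optional

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status"]

# Constructed sample: one source probing SSH, telnet and RDP and being
# rejected, one normal HTTPS session (request and reply records), one
# NODATA interval, and a single rejected SMB probe from another source.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.1.1.10 41021 22 6 1 44 1505980800 1505980860 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.1.1.10 41022 23 6 1 44 1505980800 1505980860 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.1.1.10 41023 3389 6 1 44 1505980800 1505980860 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.1.1.10 52100 443 6 25 18300 1505980800 1505980860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.1.1.10 198.51.100.4 443 52100 6 20 9100 1505980800 1505980860 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1505980800 1505980860 - NODATA
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.1.1.10 3333 445 6 1 40 1505980800 1505980860 REJECT OK
"""


def parse_record(line: str) -> Optional[dict]:
    """One record as a dict with numeric fields converted; None for records
    without traffic data (log_status NODATA or SKIPDATA)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_flow_log(text: str) -> list:
    records = (parse_record(line) for line in text.splitlines() if line.strip())
    return [rec for rec in records if rec is not None]


def rejects_by_source(records) -> Counter:
    """Equivalent of a metric filter on REJECT, dimensioned by source address."""
    counts = Counter()
    for rec in records:
        if rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return counts


def alarm_sources(records, threshold: int = 3) -> list:
    """Sources whose rejected-connection count reached the alarm threshold."""
    return sorted(src for src, n in rejects_by_source(records).items() if n >= threshold)


def bytes_by_action(records) -> Counter:
    """Bytes transferred per action, useful for spotting large accepted flows."""
    totals = Counter()
    for rec in records:
        totals[rec["action"]] += rec["bytes"]
    return totals


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(len(recs), "records with traffic data")
    print(rejects_by_source(recs))
    print("alarm:", alarm_sources(recs))
    print(bytes_by_action(recs))
```

Two details carry over directly to CloudWatch: the NODATA record would not match a filter pattern anchored on `REJECT` either, and the single rejected SMB probe stays below the threshold, which is the point of alarming on a count rather than on individual records.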

Trusted Advisor


Amazon Inspector: vulnerability assessment service
- Built from the ground up to support the Dev/Ops model
- Automatable via APIs
- AWS context aware
- Static & dynamic telemetry
- Integrated with CI/CD tools
- On-demand pricing model
- CVE & CIS rules packages, AWS AppSec best practices

Prioritized findings

Detailed remediation recommendations

Optimize Change Management

AWS CloudFormation: Infrastructure as Code
Template:
- JSON-based text file describing infrastructure
- Orchestrate changes across AWS services
- Use as the foundation for Service Catalog products
- Use with source code repositories to manage infrastructure changes
Stack:
- Resources created from a template
- Can be updated
- Updates can be restricted

Change Sets: Create Change Set

AWS Config & Config Rules
AWS Config:
- Record configuration changes continuously
- Time-series view of resource changes
- Archive & compare
Config Rules:
- Enforce best practices
- Automatically roll back unwanted changes
- Trigger additional workflow

AWS Config: Record AWS Environment Changes
AWS Config records configuration and change information for the resources in your account: changing resources are recorded continuously into a change history, delivered as a stream and as snapshots (the diagram shows a snapshot dated 2014-11-05).
- Snapshots answer the question "What did my environment look like at time x?"
- History answers the question "What changes have happened to infrastructure element I over time?"

AWS Config VPC Example


AWS Config Rules Tenancy Enforcement Example

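The tenancy enforcement example above is a custom Config rule: Config hands each changed configuration item to a Lambda function, which reports COMPLIANT or NON_COMPLIANT back. The block below is an added example for this page, not the deck's own rule code and not AWS code. It keeps to the event shape AWS Config passes to a custom rule (a JSON string in `invokingEvent` carrying the configuration item, rule parameters as a JSON string, a `resultToken`), reads the tenancy from the EC2 instance's `configuration.placement.tenancy` (an assumption about the recorded item, matching the DescribeInstances shape Config records), and leaves out the `put_evaluations` call that would return the result to Config so that it runs offline. The instance IDs, account ID and token are constructed.

```python
"""Evaluation logic of a custom AWS Config rule enforcing EC2 placement
tenancy. Added example, not AWS code: the handler follows the event shape
Config passes to a custom rule's Lambda function, while the call that
reports the evaluation back (config.put_evaluations with the resultToken)
is omitted so the code runs offline. All identifiers are constructed."""
import json

DELETED_STATES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def evaluate_tenancy(item: dict, required: str = "dedicated") -> str:
    """COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") in DELETED_STATES:
        return "NOT_APPLICABLE"          # deleted items carry no configuration
    configuration = item.get("configuration") or {}
    tenancy = configuration.get("placement", {}).get("tenancy")
    return "COMPLIANT" if tenancy == required else "NON_COMPLIANT"


def lambda_handler(event: dict, context=None) -> dict:
    """Builds the evaluation Config expects; in a deployed rule this dict
    would be sent with boto3's config.put_evaluations(Evaluations=[...],
    ResultToken=event['resultToken'])."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    required = params.get("requiredTenancy", "dedicated")
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_tenancy(item, required),
        "Annotation": f"placement tenancy must be '{required}'",
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def make_event(instance_id: str, tenancy: str, status: str = "OK",
               required: str = "dedicated") -> dict:
    """Constructs a Config invocation event for an EC2 instance change."""
    item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": instance_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2017-09-21T09:15:00.000Z",
        "configuration": None if status in DELETED_STATES else {
            "instanceId": instance_id,
            "placement": {"availabilityZone": "eu-west-1a", "tenancy": tenancy},
        },
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps({"requiredTenancy": required}),
        "resultToken": "constructed-result-token",
    }


if __name__ == "__main__":
    for instance, tenancy in (("i-0aaa111", "dedicated"), ("i-0bbb222", "default")):
        print(lambda_handler(make_event(instance, tenancy))["ComplianceType"])
```

A NON_COMPLIANT evaluation is what the "trigger additional workflow" bullet on the Config Rules slide hooks into; the rule itself only classifies, and the roll-back or notification is a separate step driven by that result.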

Resources

Security community: AWS platform & tools, customer ecosystem, partner ecosystem.

AWS Marketplace security partners cover: infrastructure security, logging & monitoring, identity & access control, configuration & vulnerability analysis, data protection.

aws.amazon.com/security/

AWS Training & Certification
- Self-Paced Labs: try products, gain new skills, and get hands-on practice working with AWS technologies (aws.amazon.com/training/self-paced-labs)
- Training: build technical expertise to design and operate scalable, efficient applications on AWS (aws.amazon.com/training)
- Certification: validate your proven skills and expertise with the AWS platform (aws.amazon.com/certification)

Strengthen your security posture
- Over 30 global compliance certifications and accreditations
- Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
- Get native functionality and tools
- Benefit from AWS industry-leading security teams 24/7, 365 days a year
- Leverage security enhancements gleaned from millions of customer experiences

"Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers." Rob Alexander, CIO, Capital One

Gracias!