Security & Compliance

Post on 12-Jan-2017


Transcript of Security & Compliance

© 2016 Amazon Web Services, Inc. and its affiliates. All rights reserved.

Istanbul

November 8, 2016

Security and Compliance

Toros Gökkurt

Solutions Architect, Amazon Web Services

torosg@amazon.com.tr

@torosgokkurt


Overview

AWS audits and attestations

Shared responsibility model

Security control framework of the AWS cloud

AWS security services and features

Security and auditing best practices in the AWS cloud


AWS Security: Top Priority

Customer: Data, Integrity

AWS: Infrastructure, Platforms, Controls


AWS Security: Benefits

Build an environment for the most security-sensitive organizations.

Benefit ALL customers.

Validate design & operational effectiveness through AWS third-party audits.


AWS Shared Responsibility Model

AWS: responsible for security ‘of’ the cloud

Customer: responsible for security ‘in’ the cloud

Customer responsibilities:

Customer Data

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Client-side Data Encryption & Data Integrity Authentication

Server-side Encryption (File System and/or Data)

Network Traffic Protection (Encryption / Integrity / Identity)

AWS responsibilities:

Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations


Security of the Cloud


Securing Your AWS Infrastructure

AWS is responsible for security ‘of’ the cloud:

• Physical & Environmental Security

• IT Operations

• Access Controls

• Security Policy & Governance

• Change Management

The customer is responsible for security ‘in’ the cloud:

• AWS Security Services

• Asset Management

• Data Security

• Network Security

• Access Controls


Physical & Environmental Security: Physical Security

Building

Perimeter and entry

Security staff and surveillance

Two-factor authentication

Escort


Physical & Environmental Security: Environmental Security

Fire detection and suppression

Power

Climate and temperature

Monitoring equipment

Storage device decommissioning


IT Operations Controls

Audit Logging: prevent unauthorized access going undetected

Capacity Management: prevent system outages

Vulnerability Management: detect unauthorized access

Incident Management: recover and reconstitute incidents quickly and effectively


IT Operations Controls

Backup & Recovery: prevent loss of critical data

Business Continuity and Disaster Recovery: respond to & recover from major disruptions

Secure Communication: prevent sensitive information from being disclosed to unauthorized parties

Data Management: detect suspicious activities & unauthorized tampering of the system


Access Controls

Segregation

Account Review & Audit

Background Checks

Credentials Policy

Objectives: restrict access to information resources and prevent unauthorized disclosure


Security Policy & Governance Controls

Security Policy: guide operations & information security in the organization

Risk Assessment: mitigate risks & reduce exposure to vulnerabilities

Training & Awareness: enhance awareness of AWS policies & procedures


Security Policy & Governance Controls

Communication: prevent unauthorized modification or disclosure of information

Compliance: prevent inadvertent violation of laws & regulations

HR Security: prevent potential security breaches originating in human resources

Third Party Management: prevent potential compromise of information due to misuse


Change Management Controls

Document the change

Communicate the change to the business

Test changes in non-production environments

Review changes for both technical rigor and business impact

Attain approval for the change by authorized team members


Audits & Attestations

Maintain alignment with thousands of global requirements and best practices.

Validate a ubiquitous security control environment.

Enable customers to assess their organization’s compliance with industry and government requirements.


Security in the Cloud


Securing Your AWS Infrastructure

AWS is responsible for security ‘of’ the cloud:

• Physical & Environmental Security

• IT Operations

• Access Controls

• Security Policy & Governance

• Change Management

The customer is responsible for security ‘in’ the cloud:

• AWS Security Services

• Asset Management

• Data Security

• Network Security

• Access Controls


AWS Security Services

AWS CloudHSM

AWS Config


AWS Security Services

AWS IAM

AWS KMS

AWS CloudTrail


Logging in AWS

AWS CloudTrail

• Control access to log files

• Obtain alerts on log file creation & misconfiguration

• Storage of log files

• Generate customized reporting of log data
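The "alerts on log file creation & misconfiguration" bullet in practice means watching the trail itself. As an added example (not from the deck), the script below scans a CloudTrail log file for API calls that change trail configuration and for console sign-ins without MFA or by the root account; the records are constructed but use the CloudTrail JSON field names.

```python
"""Scan CloudTrail records for trail tampering and risky console sign-ins.

Added example, not from the original deck. Field names follow the CloudTrail
record schema; the records below are constructed sample data.
"""
import json

# Constructed stand-in for one delivered log file (real files are gzipped JSON
# with a top-level "Records" list written to the trail's S3 bucket).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-11-08T09:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "ops-bob"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2016-11-08T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-11-08T09:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-11-08T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},
]})

# CloudTrail API calls that change whether, or where, activity is recorded.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def find_alerts(log_text):
    """Return (eventTime, actor, reason) tuples for records that deserve an alert."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        name = rec.get("eventName")
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            alerts.append((rec["eventTime"], actor, "trail configuration changed: " + name))
        if name == "ConsoleLogin" and rec.get("responseElements", {}).get("ConsoleLogin") == "Success":
            if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append((rec["eventTime"], actor, "console login without MFA"))
            if ident.get("type") == "Root":
                alerts.append((rec["eventTime"], actor, "root account console login"))
    return alerts


if __name__ == "__main__":
    for when, who, why in find_alerts(SAMPLE_LOG):
        print(when, who, why)
```

In a real deployment the same check runs on every file CloudTrail delivers (for example from an S3 event notification), and a StopLogging or DeleteTrail alert should be treated as a possible attempt to blind the audit log rather than routine change.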


Asset Management

Asset Identification

Asset Inventory

Secure Management

Change Management

Audit Assets

Amazon CloudWatch

AWS Config


Data Security

Understand where data resides

Identify key management policies

Ensure appropriate controls

Review:

* Connection methods

* Internal policies and procedures for key management

* Encryption methods


Network Security

Best practices:

Always use security groups

Augment security groups with Network ACLs

Use trusted connections

Design network security in layers


Access Controls

Create individual IAM users

Use groups to assign permissions to IAM users

Grant least privilege

Configure a strong password policy for your users

Enable MFA for privileged users

Use roles for applications that run on Amazon EC2 instances


Access Controls

Delegate by using roles instead of by sharing credentials

Rotate credentials regularly

Remove unnecessary credentials

Use policy conditions for extra security

Monitor activity in your AWS account
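Several of the practices on these two slides (MFA for users with passwords, regular key rotation, removing unused credentials, no root access keys) can be checked from the IAM credential report. As an added example that is not part of the deck, the script below parses the CSV that `aws iam get-credential-report` returns (after base64 decoding); the rows are constructed and use only a subset of the report's columns.

```python
"""Flag IAM credentials that violate the access-control practices above.

Added example, not from the original deck. Constructed rows using a subset of
the real credential-report column names.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2016-01-10T08:00:00+00:00,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2016-10-01T08:00:00+00:00,2016-11-07T10:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,N/A
app-deploy,arn:aws:iam::123456789012:user/app-deploy,false,false,true,2016-02-01T08:00:00+00:00,2016-05-01T08:00:00+00:00
"""

# Constructed "today" so the day counts below are deterministic.
REVIEW_DATE = datetime(2016, 11, 8, 12, 0, tzinfo=timezone.utc)


def _age_days(stamp, today):
    """Whole days between an ISO-8601 report timestamp and today; None if the report has no value."""
    if stamp in ("N/A", "no_information"):
        return None
    return (today - datetime.fromisoformat(stamp)).days


def review_credentials(report_csv, today, max_key_age=90, max_idle=90):
    """Return (user, finding) pairs for credentials that break the practices."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        if row["access_key_1_active"] == "true":
            if user == "<root_account>":
                findings.append((user, "root account has an active access key; remove it"))
            rotated = _age_days(row["access_key_1_last_rotated"], today)
            if rotated is not None and rotated > max_key_age:
                findings.append((user, f"access key not rotated for {rotated} days"))
            used = _age_days(row["access_key_1_last_used_date"], today)
            if used is None or used > max_idle:
                findings.append((user, "access key unused; remove it"))
    return findings


if __name__ == "__main__":
    for user, finding in review_credentials(SAMPLE_REPORT, REVIEW_DATE):
        print(user, "-", finding)
```

The report also carries access_key_2_* and certificate columns; a production version applies the same checks to those and feeds the findings into the account monitoring the last bullet calls for.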

Demonstration: AWS Security


AWS Global Compliance

AWS Customers

Certifications / Attestations

Laws, Regulations, and Privacy

Alignments / Frameworks

Coverage: Global, United States, Europe, Asia Pacific


Break