AWS Security Overview | www.cloudsec.com | #cloudsec
Ridge XU, Solutions Architect, AWS

Page 1:

www.cloudsec.com | #cloudsec

AWS Security Overview

Ridge XU, Solutions Architect, AWS

Page 2:

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Why is security traditionally so hard?

• Lack of visibility
• Low degree of automation

Page 3:

Before… Move fast OR stay secure

Page 4:

Now… Move fast AND stay secure

Page 5:

The most sensitive workloads run on AWS

“With AWS, DNAnexus enables enterprises worldwide to perform genomic analysis and clinical studies in a secure and compliant environment at a scale not previously possible.”

— Richard Daly, CEO, DNAnexus

“The fact that we can rely on the AWS security posture to boost our own security is really important for our business. AWS does a much better job at security than we could ever do running a cage in a data center.”

— Richard Crowley, Director of Operations, Slack

“We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”

— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)

Page 6:

Move to AWS: strengthen your security posture

• Inherit global security and compliance controls
• Scale with superior visibility and control
• Highest standards for privacy and data security
• Automate with deeply integrated security services
• Largest network of security partners and solutions

Page 7:

Inherit global security and compliance controls

Page 8:

Shared Responsibility Model

Customer: responsibility for security “in” the cloud
AWS: responsibility for security “of” the cloud

Customer compliance and audit effort is reduced, because the customer builds on:

✓ AWS Best Practices
✓ Industry Standards
✓ AWS Architecture for Standards

Customer scope and effort is reduced, built on AWS’s solid baseline controls.

Page 9:

Customers maintain control and ownership of:

• Which content to store on AWS
• The country where the content is stored
• How the content is secured, with appropriate security measures

AWS global infrastructure (at the time of the talk):

– 18 Regions
– 55 Availability Zones
– 132 Points of Presence (121 Edge Locations and 11 Regional Edge Caches)

Page 10:

Scale with visibility and control

Page 11:

Highest standards for privacy

• Encryption at scale, with keys managed by the AWS Key Management Service (KMS), or manage your own encryption keys with AWS CloudHSM using FIPS 140-2 Level 3 validated HSMs.
• Meet data residency requirements: choose an AWS Region, and AWS will not replicate your content elsewhere unless you choose to do so.
• Access services and tools that enable you to build compliant infrastructure on top of AWS.
• Comply with local data privacy laws by controlling who can access content, its lifecycle, and its disposal.

Page 12:

AWS security solutions

Identity: AWS Identity & Access Management (IAM), AWS Directory Service, AWS Organizations, AWS Secrets Manager, AWS Single Sign-On, Amazon Cognito

Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs

Infrastructure security: AWS Systems Manager, AWS Shield, AWS WAF (web application firewall), AWS Firewall Manager, Amazon Inspector, Amazon Virtual Private Cloud (VPC)

Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, Server-Side Encryption

Incident response: AWS Config Rules, AWS Lambda

Page 13:

Identity and access management

Identity and Access Management (IAM): define, enforce, and audit user permissions across AWS services, actions and resources.

[Diagram: IAM groups (Admin group, Developers, O&M group) granted access through IAM to AWS resources (EC2, S3, DynamoDB).]

Authentication, Authorization, Auditable

• Segregation of duties
• Policy-based access control
• Support for MFA
• Windows Active Directory, ADFS, and SAML 2.0 integration for SSO
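As an added illustration of the policy-based access control, segregation of duties and MFA support listed on this slide (example code written for this transcript, not AWS code): a small evaluator that applies IAM's core decision rules to a constructed "Operators" group policy. The policy contents, account ID and instance ARN are made up.

```python
import fnmatch

# Constructed sample policy for an "Operators" group: read-only EC2/S3, instance
# stop/start only when the caller used MFA, and an explicit Deny on IAM so
# operators can never change permissions (segregation of duties). All made up.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:StartInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM matches action names case-insensitively; '*' and '?' are the wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, context):
    # Only the Bool operator is modelled, which is enough for the MFA check.
    for key, expected in condition.get("Bool", {}).items():
        if str(context.get(key, "false")).lower() != str(expected).lower():
            return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' using IAM's core rules: every request is denied
    by default, a matching Allow permits it, and a matching explicit Deny
    overrides any Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit deny wins immediately
        allowed = True
    return "Allow" if allowed else "Deny"
```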

Page 14:

Detective control

Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.

Gain visibility of:

• Every action taken in the AWS Management Console and every API call triggered (AWS CloudTrail)
• IP traffic to and from your VPC (VPC Flow Logs)
• Configuration compliance status: monitor configuration changes of your AWS resources that affect your compliance, e.g. a database port opened to the public internet (AWS Config)
• Malicious or unauthorized behaviors and attacks, through integrated threat intelligence and machine learning (Amazon GuardDuty)

Services: AWS CloudTrail, AWS Config, Amazon GuardDuty, VPC Flow Logs
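To show the kind of detective control this slide describes, an added example (written for this transcript, not from the deck or AWS) that parses VPC Flow Logs in the default record format and flags accepted connections to the database port whose source lies outside the VPC. The records, interface IDs and the 10.0.0.0/16 CIDR are constructed; public addresses come from documentation ranges.

```python
import ipaddress
from collections import namedtuple

# Constructed records in the default VPC Flow Logs format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0aaa 10.0.1.20 10.0.2.15 49152 3306 6 20 2400 1530000000 1530000060 ACCEPT OK
2 123456789012 eni-0aaa 203.0.113.12 10.0.2.15 51234 3306 6 12 960 1530000000 1530000060 ACCEPT OK
2 123456789012 eni-0aaa 198.51.100.7 10.0.2.15 44444 3306 6 3 180 1530000000 1530000060 REJECT OK
2 123456789012 eni-0bbb 203.0.113.12 10.0.1.20 51235 80 6 30 4000 1530000000 1530000060 ACCEPT OK
2 123456789012 eni-0aaa - - - - - - - 1530000000 1530000060 - NODATA
"""

FlowRecord = namedtuple("FlowRecord", "srcaddr dstaddr srcport dstport protocol action")

def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA records carry no traffic fields."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[13] != "OK":
            continue
        records.append(FlowRecord(fields[3], fields[4], int(fields[5]), int(fields[6]),
                                  int(fields[7]), fields[12]))
    return records

def find_external_db_access(records, vpc_cidr="10.0.0.0/16", db_ports=(3306,)):
    """Return ACCEPTed TCP flows to a database port whose source is outside the VPC.
    In the three-tier design on the VPC slide the DB tier should only ever be
    reached from the web tier, so any such flow is worth an alarm."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [r for r in records
            if r.action == "ACCEPT" and r.protocol == 6 and r.dstport in db_ports
            and ipaddress.ip_address(r.srcaddr) not in vpc]
```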

Page 15:

Infrastructure security

Amazon Virtual Private Cloud (VPC): provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

• Subnets: public and private, for segregation of traffic
• Security groups and network access control lists for inbound and outbound filtering at the instance and subnet level
• VPN: a secure channel back to your on-premises DC

Reduce the surface area you have to manage, and increase privacy for and control of your overall infrastructure on AWS.

[Diagram: three-tier VPC connected by VPN to the customer DC. An ALB in the public “DMZ” subnet is labelled “* :80 443”; an Auto Scaling web tier in private subnet 10.0.1.0/24 is labelled “local :80”; a DB tier in private subnet 10.0.2.0/24 is labelled “web :3306”.]

Page 16:

Web architecture

[Diagram: the same three-tier VPC (ALB in the public DMZ subnet, “* :80 443”; Auto Scaling web tier in private subnet 10.0.1.0/24, “local :80”; DB tier in private subnet 10.0.2.0/24, “web :3306”) fronted by a CDN and WAF. Users reach the site through the CDN; L3/L4 attacks and L7 attacks are shown blocked (XX) at the WAF.]

Page 17:

Data protection

In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage).

Data encryption:

• AWS storage, managed databases and data warehouse
• It is as simple as checking a box

[Diagram: AWS KMS provides the keys for server-side encryption of EBS volumes and RDS.]

Page 18:

Incident response

During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice: Amazon CloudWatch and AWS Lambda.

Dealing with incident events:

• Notification (email, SMS, Slack, etc.)
• Quickly remediate security events by automating the incident response

[Diagram: Detect (application logs, AWS audit trail logs, network logs, etc.) → Alarm (Amazon CloudWatch) → Remediate (AWS Lambda automation / notification)]

Page 19:

Automate with integrated services

[Diagram: Amazon GuardDuty finding → CloudWatch Event (Amazon CloudWatch Events) → Lambda function (AWS Lambda)]

Automated threat remediation
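An added example of the GuardDuty → CloudWatch Events → Lambda pipeline on this slide (written for this transcript, not an AWS-provided function): the handler separates deciding the remediation from performing it, so the containment logic can be tested offline before it is wired to the AWS APIs. The event payload, finding ID, instance ID and the quarantine security group ID are constructed placeholders.

```python
import json

# Constructed CloudWatch Events payload carrying a GuardDuty finding. The field
# layout follows the "GuardDuty Finding" event shape; IDs and values are made up.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "id": "finding-id-placeholder",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

QUARANTINE_SG = "sg-quarantine-placeholder"   # hypothetical SG with no ingress rules

def plan_remediation(event, min_severity=4.0):
    """Decide what the response Lambda should do for one finding. Returns
    (actions, message); planning is kept apart from the API calls so the
    decision logic can be unit-tested and reviewed offline."""
    if event.get("source") != "aws.guardduty":
        return [], "ignored: not a GuardDuty finding"
    finding = event["detail"]
    summary = f"{finding['type']} (severity {finding['severity']})"
    if float(finding["severity"]) < min_severity:
        return [], f"notify only: {summary}"         # low severity: alert, no change
    actions = []
    res = finding.get("resource", {})
    if res.get("resourceType") == "Instance":
        iid = res["instanceDetails"]["instanceId"]
        actions.append({"action": "tag", "target": iid, "value": finding["type"]})
        actions.append({"action": "snapshot_volumes", "target": iid})   # evidence first
        actions.append({"action": "replace_security_groups", "target": iid,
                        "value": QUARANTINE_SG})                        # then contain
    elif res.get("resourceType") == "AccessKey":
        key = res["accessKeyDetails"]
        actions.append({"action": "deactivate_access_key", "target": key["accessKeyId"],
                        "value": key["userName"]})
    return actions, f"contain: {summary}"

def lambda_handler(event, context=None):
    actions, message = plan_remediation(event)
    # In the deployed function each action maps to a boto3 call (ec2.create_tags,
    # ec2.create_snapshot, ec2.modify_instance_attribute with Groups=[QUARANTINE_SG],
    # iam.update_access_key with Status="Inactive") plus a notification; none are made here.
    return {"statusCode": 200, "body": json.dumps({"actions": actions, "message": message})}
```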

Page 20:

AWS Trusted Advisor

Security checks available to all AWS customers at no extra cost:

• S3 Bucket Permissions
• Security Groups - Specific Ports Unrestricted
• IAM Use
• MFA on Root Account
• EBS Public Snapshots
• RDS Public Snapshots
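The "Security Groups - Specific Ports Unrestricted" check listed here is the same condition the detective-control slide gives as its AWS Config example (a database port open to the public internet) and the one the security groups on the VPC slide are designed to prevent. As an added example serving both slides (not Trusted Advisor's or AWS Config's own code), a check over constructed security-group descriptions shaped like the IpPermissions entries of ec2:DescribeSecurityGroups; the group IDs and CIDRs are made up.

```python
import ipaddress

# Constructed security-group descriptions shaped like the IpPermissions entries
# returned by ec2:DescribeSecurityGroups (group IDs and CIDRs are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "UserIdGroupPairs": [{"GroupId": "sg-alb"}], "IpRanges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}], "IpRanges": []},
        # a second rule added "temporarily": MySQL open to the whole internet
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]},
    {"GroupId": "sg-all", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

# Ports an unrestricted-ports check cares about: remote admin and databases.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}

def _is_unrestricted(cidr):
    # Only a /0 (0.0.0.0/0 or ::/0) counts as "open to the whole internet".
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def unrestricted_sensitive_ports(groups, sensitive=SENSITIVE_PORTS):
    """Return (group_id, port, service, cidr) for every sensitive port that an
    ingress rule exposes to an unrestricted source. Security-group-to-security-
    group references (UserIdGroupPairs) are never unrestricted and are ignored."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            open_cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])
                          if _is_unrestricted(r["CidrIp"])]
            if not open_cidrs:
                continue
            if perm["IpProtocol"] == "-1":            # all protocols, all ports
                exposed = sensitive
            else:
                exposed = {p: n for p, n in sensitive.items()
                           if perm["FromPort"] <= p <= perm["ToPort"]}
            for port, name in sorted(exposed.items()):
                findings.append((group["GroupId"], port, name, open_cidrs[0]))
    return findings
```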

Page 21:

An Expansive Ecosystem

• 4,200+ products; 1,400+ ISVs
• AWS customers use over 481 million hours a month of Amazon EC2 for AWS Marketplace products.
• Products fully integrated with the AWS platform and easy to fully test
• Security competency program: https://aws.amazon.com/partners/competencies/
• Thousands of the world’s largest technology and consulting companies; 67 Premier Consulting Partners

Page 24:

“I have come to realize that as a relatively small organization, we can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”

— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)

• Looks for fraud, abuse, and insider trading over nearly 6 billion shares traded in U.S. equities markets every day
• Processes approximately 6 terabytes of data and 37 billion records on an average day
• Went from 3–4 weeks for server hardening to 3–4 minutes
• DevOps teams focus on automation and tools to raise the compliance bar and simplify controls
• Achieved incredible levels of assurance for consistency of builds and patching via rebooting with automated deployment scripts

Page 25:

Online medical care scheduling

“Previously all our servers were configured and updated by hand or through limited automation; we didn’t take full advantage of a configuration management … All our new services are built as stateless Docker containers, allowing us to deploy and scale them easily using Amazon’s ECS.”

“AWS allowed us to scale our business to handle 6 million patients a month and elevate our security—all while maintaining HIPAA compliance—as we migrated 100% to cloud in less than 12 months.”

• Migrated all-in on AWS in under 12 months, becoming a HIPAA compliant cloud-first organization
• New York based startup leveraged infrastructure as code to securely scale to 6 million patients per month
• Data liberation: use data to innovate and drive more solutions for patients, reducing patient wait times from 24 days to 24 hours
• Maintain end-to-end visibility of patient data using AWS

Page 26:

Thank you

https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security