Simple Security for Startups
Transcript of Simple Security for Startups
![Page 1: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/1.jpg)
Simple Security for Startups
Mark Bate, Solutions Architect
![Page 2: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/2.jpg)
Shared Responsibility
![Page 3: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/3.jpg)
Shared Responsibility model (diagram)
Amazon: security OF the cloud
Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You: security IN the cloud
Customer Data
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Client-side Encryption & Data Integrity Authentication
Server-side Encryption (File System and/or Data)
Network Traffic Protection (Encryption/Integrity/Identity)
![Page 7: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/7.jpg)
Your Cloud Environment
![Page 8: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/8.jpg)
AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)
Region: An independent collection of AWS resources in a defined geography
A solid foundation for meeting location-dependent privacy and compliance requirements
![Page 10: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/10.jpg)
AWS Global Footprint
Availability Zone: Designed as independent failure zones
Physically separated within a typical metropolitan region
![Page 12: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/12.jpg)
Virtual Private Cloud Security Layers (diagram)
Availability Zone A: Subnet 10.0.0.0/24 with its own Routing Table, Network ACL and Security Group
Availability Zone B: Subnet 10.0.1.0/24 with its own Routing Table, Network ACL and Security Group
Router, Virtual Private Gateway, Internet Gateway
Security Group: Lockdown at instance level
Subnet: Isolate network functions
Network ACL: Lockdown at network level
Routing Table: Route restrictively
![Page 13: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/13.jpg)
Best Practice: Service Isolation
• Security Groups
  • Don’t use 0.0.0.0/0
• Subnet separation of instances with:
  • Network ACLs
  • Routing tables
  • No Internet Gateway
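One way to check the "don't use 0.0.0.0/0" rule across an account, as an added example that is not part of the deck: the groups are constructed sample data in the shape of the EC2 DescribeSecurityGroups response, and `PUBLIC_OK_PORTS` is an assumed allow-list for a public web tier.

```python
"""Audit EC2 security-group ingress rules for the 0.0.0.0/0 (and ::/0)
source the slide warns against. SAMPLE_GROUPS is constructed for this
example in the shape of the EC2 DescribeSecurityGroups response; in a
real account you would pass ec2.describe_security_groups()["SecurityGroups"]."""
from typing import Dict, List

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
# Assumed allow-list: ports a public-facing tier legitimately exposes to the world.
PUBLIC_OK_PORTS = {80, 443}

SAMPLE_GROUPS: List[Dict] = [  # constructed sample data
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-tier", "IpPermissions": [
        # Source is another security group, not a CIDR: the isolation pattern the deck recommends.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
    ]},
]


def _port_label(perm: Dict) -> str:
    """Render a rule's port range; IpProtocol "-1" means all protocols and ports."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def find_world_open_rules(groups: List[Dict]) -> List[Dict]:
    """One finding per ingress rule open to the world on anything other than a
    single port listed in PUBLIC_OK_PORTS."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_sources = [s for s in sources if s in (ANY_IPV4, ANY_IPV6)]
            if not open_sources:
                continue  # scoped to a CIDR or another security group: fine
            single_port = perm.get("IpProtocol") != "-1" and perm.get("FromPort") == perm.get("ToPort")
            if single_port and perm.get("FromPort") in PUBLIC_OK_PORTS:
                continue  # a web port deliberately published to the Internet
            findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                             "protocol": perm.get("IpProtocol"), "ports": _port_label(perm),
                             "sources": open_sources})
    return findings
```

On the sample data only the SSH rule of `web-tier` is reported; the database group, reachable only from the web tier's security group, passes.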
![Page 14: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/14.jpg)
Identity and Access Management
Identity and Access Management
• Users & Groups
• Unique Security Credentials
• Temporary Security Credentials
• Policies & Permissions
• Roles
• Multi-factor Authentication
![Page 21: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/21.jpg)
IAM Best Practices
![Page 33: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/33.jpg)
Best Practices
Lock away your AWS root account access keys
Create individual IAM users
Use groups to assign permissions to IAM users
Grant least privilege
Configure a strong password policy for your users
Enable MFA for privileged users
Use roles for applications that run on Amazon EC2 instances
Delegate by using roles instead of by sharing credentials
Rotate credentials regularly
Remove unnecessary credentials
Use policy conditions
Keep a history of activity
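Several of these practices (MFA for privileged users, rotate credentials regularly, remove unnecessary credentials) can be checked from the IAM credential report. The audit below is an added example, not from the deck: the CSV is a constructed sample in the column layout of the credential report (the real report has more columns, which the parser ignores), and the 90-day rotation window is an assumed policy.

```python
"""Flag IAM users that violate the deck's credential hygiene rules:
console users without MFA, access keys older than the rotation window,
and active keys that have never been used (candidates for removal).

SAMPLE_REPORT is a constructed sample in the column layout of the IAM
credential report (aws iam get-credential-report); the real report has
more columns, and since the parser reads columns by name they are ignored."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2014-01-05T10:00:00+00:00,not_supported,2015-02-01T09:00:00+00:00,true,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2014-03-01T10:00:00+00:00,true,2015-03-01T09:00:00+00:00,true,true,2015-01-15T09:00:00+00:00,2015-03-01T08:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2014-03-01T10:00:00+00:00,true,2015-03-01T09:00:00+00:00,false,true,2014-03-01T10:00:00+00:00,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2014-06-01T10:00:00+00:00,false,no_information,false,true,2014-06-01T10:00:00+00:00,2015-03-01T07:00:00+00:00
"""

# "Now" is pinned so the sample is reproducible; use datetime.now(timezone.utc) on a live report.
NOW = datetime(2015, 3, 2, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy


def _ts(value: str):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv: str, now: datetime = NOW) -> List[Dict]:
    """Return one {"user", "issue"} finding per violated rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Rule 1: anyone who can sign in to the console needs MFA (root most of all;
        # the report marks root's password as not_supported rather than true).
        if row["password_enabled"] in ("true", "not_supported") and row["mfa_active"] != "true":
            findings.append({"user": user, "issue": "no_mfa"})
        if row["access_key_1_active"] == "true":
            rotated = _ts(row["access_key_1_last_rotated"])
            # Rule 2: rotate credentials regularly.
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append({"user": user, "issue": "stale_key"})
            # Rule 3: remove unnecessary credentials (an active key never used).
            if _ts(row["access_key_1_last_used_date"]) is None:
                findings.append({"user": user, "issue": "unused_key"})
    return findings
```

The same logic applies to the `access_key_2_*` columns of a real report; only key 1 is shown to keep the sample short.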
![Page 34: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/34.jpg)
Protecting your Data: Simplified
![Page 35: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/35.jpg)
Securing Data at Rest
Amazon RDS, Redshift, Amazon S3, Glacier, Amazon EBS
> AES-256 keys
> KMS integration
> Easy one-click encryption
![Page 36: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/36.jpg)
Securing Data at Rest
Amazon S3, Glacier
> AES-256 keys
> Each object is encrypted
> Each key is encrypted with a master key
> Master key is rotated regularly
> KMS integration
![Page 37: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/37.jpg)
Amazon RDS
Securing Data at Rest
> AES-256 keys
> Logs, backups, and snapshots
> Read replicas
> Archives and backups
> CloudHSM (Oracle TDE only)
> KMS integration
![Page 38: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/38.jpg)
Redshift
Securing Data at Rest
> AES-256 keys
> Data blocks
> Metadata
> Archives and backups
> CloudHSM integration
> 4-tier encryption architecture
![Page 39: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/39.jpg)
Amazon EBS
Securing Data at Rest
> AES-256 keys
> Encryption done on EC2 host
> Snapshots
> KMS integrated
![Page 40: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/40.jpg)
Securing Data at Rest
CloudHSM
> Hardware Security Module
> Single tenancy
> Private key material never leaves the HSM
> AWS provisioned, customer managed
![Page 42: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/42.jpg)
Securing data in flight
Use SSL/TLS for all of your traffic, just like you do for your API access
Pro Tip: Validate the SSL Certificate!
![Page 43: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/43.jpg)
Securing data in flight
Amazon ELB
> SSL offloading
> Perfect Forward Secrecy
> SSL Security Policies
![Page 44: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/44.jpg)
Securing data in flight
> RDS Connections (all databases supported)
> Public key for all regions: http://bit.ly/1G9fE4D
![Page 45: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/45.jpg)
Auditing Made Easy
![Page 50: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/50.jpg)
AWS CloudTrail
Developers or scripts make calls…
on AWS API endpoints (EC2, Redshift, IAM, VPC, RDS)…
CloudTrail logs this to an S3 bucket…
so you can review this log:

| User | Action  | Time   |
|------|---------|--------|
| Tim  | Created | 1:30pm |
| Sue  | Deleted | 2:40pm |
| Kay  | Created | 3:30pm |
![Page 51: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/51.jpg)
AWS CloudTrail
Who made the API call?
When was the API call made?
What was the API call?
What were the resources that were acted upon in the API call?
Where was the API call made from?
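Answering those five questions from a delivered log file, as an added example that is not part of the deck: the records are constructed in the shape of a CloudTrail log file (a JSON object with a `Records` list), and `WATCHLIST` is an assumed set of API calls an auditor would review first.

```python
"""Answer who / when / what / which resources / from where for each CloudTrail
record, and flag the calls an auditor should review first.

SAMPLE_LOG is constructed for this example in the shape of a CloudTrail log
file; real files arrive gzip-compressed in the S3 bucket the trail writes to."""
import json
from typing import Dict, List

SAMPLE_LOG = json.dumps({"Records": [  # constructed sample records
    {"eventTime": "2015-03-01T13:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "Tim", "arn": "arn:aws:iam::111122223333:user/Tim"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-12345678"}]}}},
    {"eventTime": "2015-03-01T14:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "Sue", "arn": "arn:aws:iam::111122223333:user/Sue"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-03-01T15:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"userName": "Kay"}},
]})

# Assumed review list: calls that change who can do what, what the network
# allows, or whether logging continues at all.
WATCHLIST = {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
             "AuthorizeSecurityGroupIngress", "DeleteTrail", "StopLogging"}


def summarize_records(log_text: str) -> List[Dict]:
    """One row per record: who, when, what, resource, where, plus a review flag."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "unknown")  # root has no userName
        params = rec.get("requestParameters") or {}
        # The resource is whatever the call named; not every call names one at top level.
        resource = params.get("groupId") or params.get("userName") or "-"
        rows.append({
            "who": who, "type": ident.get("type"), "when": rec["eventTime"],
            "what": f'{rec["eventSource"].split(".")[0]}:{rec["eventName"]}',
            "resource": resource, "where": rec.get("sourceIPAddress"), "region": rec.get("awsRegion"),
            # Anything on the watch list, or anything done as root, gets a closer look.
            "review": rec["eventName"] in WATCHLIST or ident.get("type") == "Root",
        })
    return rows
```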
![Page 52: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/52.jpg)
CloudTrail Partners
![Page 53: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/53.jpg)
Trusted Advisor
![Page 54: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/54.jpg)
Amazon Trusted Advisor
https://console.aws.amazon.com/trustedadvisor/
![Page 56: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/56.jpg)
Well-Architected Framework
![Page 57: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/57.jpg)
Well-Architected Framework
• Core strategies & best practices for architecting in the cloud
• Designed around 4 pillars:
  – Security
  – Reliability
  – Performance Efficiency
  – Cost Optimisation
• https://aws.amazon.com/blogs/aws/are-you-well-architected/
![Page 58: Simple Security for Startups](https://reader031.fdocuments.in/reader031/viewer/2022030315/5880a6b31a28abd8158b787f/html5/thumbnails/58.jpg)
Links
Micro-sites
https://aws.amazon.com/security
https://aws.amazon.com/compliance
Security Bulletins
https://aws.amazon.com/security/security-bulletins/
https://alas.aws.amazon.com/
Blogs
https://blogs.aws.amazon.com/security/
https://medium.com/aws-activate-startup-blog