The fundamentals of AWS cloud security
Transcript of The fundamentals of AWS cloud security
![Page 1: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/1.jpg)
![Page 2: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/2.jpg)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The fundamentals of AWS cloud security
Becky Weiss
S E C 2 0 5 - R
Senior Principal Engineer
Amazon Web Services
![Page 3: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/3.jpg)
![Page 4: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/4.jpg)
Learn a few patterns, secure everything in AWS
Data encryption:
AWS Key Management Service
(AWS KMS)
Network security controls:
Amazon Virtual Private Cloud
(Amazon VPC)
![Page 5: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/5.jpg)
Agenda
A builder-focused introduction to AWS's security controls
• Control your cloud infrastructure: IAM
• Control your data: AWS KMS
• Control your network: Amazon VPC
➔ You will leave this session with the foundation you need to secure an AWS environment
![Page 6: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/6.jpg)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
![Page 7: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/7.jpg)
• What it is:
• ‘I’—Authentication. Support for human and application caller identities
• ‘AM’—Authorization. Powerful, flexible permissions language for controlling access to cloud resources
• Why it matters to you: Every AWS service uses IAM to authenticate and authorize API calls
• What builders need to know:
• How to make authenticated API calls to AWS from IAM identities
• Basic fluency in IAM policy language
• Where to find and how to understand service-specific authorization control details
IAM: 411
![Page 8: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/8.jpg)
AWS identities for human callers: IAM users
AWS Account
IAM User
Long-term security credential
![Page 9: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/9.jpg)
AWS identities for human callers: Federated identities
AWS Account
IAM Role:
Administrator
IAM Role:
Developer
Temporary security
credentials
![Page 10: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/10.jpg)
AWS identities for non-human callers
EC2 Instance Lambda Function Amazon SageMaker
Notebook
AWS Glue Crawler Amazon ECS Task
![Page 11: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/11.jpg)
Creating a role in the AWS Management Console
![Page 12: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/12.jpg)
How an authentication works in AWS
Caller IAM RoleAWS service, e.g.
Amazon S3
AWS Management
ConsoleAWS Command Line Interface
(AWS CLI)
AWS Tools and SDKs
via
![Page 13: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/13.jpg)
AWS-managed policies for common sets of permissions
![Page 14: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/14.jpg)
Reading and writing IAM policy
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["dynamodb:*"
],"Resource": "*"
}]
}
In English: Allowed to take all Amazon DynamoDB actions
![Page 15: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/15.jpg)
Reading and writing IAM policy
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["dynamodb:BatchGetItem","dynamodb:GetItem","dynamodb:Query"
],"Resource": "*"
}]
}
In English: Allowed to take only a few specific DynamoDB actions
![Page 16: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/16.jpg)
Reading and writing IAM policy
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["dynamodb:BatchGetItem","dynamodb:GetItem","dynamodb:Query",
],"Resource": ["arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName","arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName/index/*"
]}
]}
In English: Allowed to take specific DynamoDB actions on a specific table and its indexes
![Page 17: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/17.jpg)
Reading and writing IAM policy
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "secretsmanager:GetSecretValue","Resource": "*","Condition": {"StringEquals": {"secretsmanager:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}}
}]
}
In English: You can read secrets whose project tag matches your own
![Page 18: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/18.jpg)
How To write a least-privilege IAM policy
![Page 19: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/19.jpg)
IAM in an AWS enterprise environment
AWS Cloud
Account Account AccountAccount
![Page 20: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/20.jpg)
Working across AWS account boundaries
Account 111122223333 Account 444455556666
Caller IAM Role
Caller IAM Policy
Target S3 Bucket
“other-account-bucket”
![Page 21: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/21.jpg)
Working across AWS account boundaries
Account 111122223333 Account 444455556666
Caller IAM Role
Caller IAM Policy
Target S3 Bucket
“other-account-bucket”
S3 Bucket Policy
![Page 22: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/22.jpg)
Working across AWS account boundaries
Account 111122223333 Account 444455556666
Caller IAM RoleTarget DynamoDB Table
“MyTable”
![Page 23: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/23.jpg)
Working across AWS account boundaries
Account 111122223333 Account 444455556666
Caller IAM RoleTarget DynamoDB Table
“MyTable”
Cross-Account Access
IAM Role
![Page 24: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/24.jpg)
Working across AWS account boundaries
Account 111122223333 Account 444455556666
Caller IAM RoleTarget DynamoDB Table
“MyTable”
Cross-Account Access
IAM Role
![Page 25: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/25.jpg)
Account 111122223333
Working across AWS account boundaries
Account 444455556666
Caller IAM RoleTarget DynamoDB Table
“MyTable”
Cross-Account Access
IAM Role
![Page 26: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/26.jpg)
Organizational Unit (OU) Organizational Unit (OU)
Managing multi-account environments withAWS Organizations
AWS Cloud
Account Account AccountAccount
AWS Organization
![Page 27: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/27.jpg)
Managing multi-account environments withAWS Organizations
Organizational Unit (OU) Organizational Unit (OU)
AWS Cloud
Account Account AccountAccount
AWS Organization
AWS Single Sign-On
![Page 28: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/28.jpg)
Organizations provides guardrails for IAM
Organizational Unit (OU) Organizational Unit (OU)
AWS Cloud
Account Account AccountAccount
AWS Organization
![Page 29: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/29.jpg)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
![Page 30: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/30.jpg)
AWS KMS: 411
• What it is: AWS-managed encryption/decryption service
• Why it matters to you: Many data-handling AWS services offer simple AWS KMS integrations. If you know how to use AWS KMS, you can protect your data at rest simply and with no management overhead.
• What builders need to know:
• The basics of how to use an AWS KMS key
• Familiarity with the AWS KMS integrations offered by many AWS data-handling services
• How to use IAM to control access to keys
![Page 31: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/31.jpg)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
![Page 32: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/32.jpg)
The mechanics of an AWS KMS key
For encrypting individual pieces of data (<=4KB):
• KMS.Encrypt(“hello world”) ➔ AQICAHiwKPHZcwiIv….
• KMS.Decrypt(“AQICAHiwKPHZcwiIv….”) ➔ “hello world”
For encrypting application data, use envelope encryption:
• KMS.GenerateDataKey ➔ symmetric data key (plaintext and encrypted)
• Use plaintext data key to encrypt your data, then discard
• Store encrypted data key alongside your data
• To decrypt:
• KMS.Decrypt(encryptedDataKey) ➔ plaintextDataKey
• Then decrypt the data with the plaintext symmetric key
AWS KMS key
EncryptedDataKey: AQIDAHiwKPHZcwiIv+V4760rokzKMlVWo0M9O2D5yV
e3tqrBtwGBaaY6AwTrEcsjY0gTN8J8AAAAfjB8Bgk…
EncryptedPayload: AQICAHiwKPHZcwiIv+V4760rokzKMlVWo0M9O2D5yV
e3tqrBtwGEZdK9s3SxlUE11PSPSadGAAAAaTBnBgk…
![Page 33: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/33.jpg)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
![Page 34: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/34.jpg)
Encrypting the easy way with AWS Service Integrations
Amazon S3 manages the encryption key
![Page 35: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/35.jpg)
Encrypting the easy way with AWS Service Integrations
An AWS KMS key in your account is used for encryption: “Customer-Managed Key” (CMK)
![Page 36: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/36.jpg)
IAM permissions for AWS KMS keys
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
![Page 37: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/37.jpg)
IAM permissions for AWS KMS keys
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
![Page 38: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/38.jpg)
IAM permissions for AWS KMS keys
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-east-
2:111122223333:key/01234567-89ab-cdef-0123-456789abcdef"
}
![Page 39: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/39.jpg)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
![Page 40: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/40.jpg)
Amazon VPC: 411
• What it is: “Your virtual data center in the cloud,” i.e., the network for your cloud infrastructure
• Why it matters to you: When you deploy cloud infrastructure, your VPC is the network that provides connectivity to and from that infrastructure
• What builders need to know:
• VPC core concepts: Subnets and security groups
• Routing basics in VPC
• Private connectivity capabilities
![Page 41: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/41.jpg)
What a VPC is and what goes in it
Region, e.g. eu-west-1
![Page 42: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/42.jpg)
What a VPC is and what goes in it
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
![Page 43: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/43.jpg)
What a VPC is and what goes in it
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
VPC: 10.0.0.0/16
![Page 44: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/44.jpg)
What a VPC is and what goes in it
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
VPC: 10.0.0.0/16
Public subnet: 10.0.0.0/24
Private subnet: 10.0.50.0/24
Public subnet: 10.0.1.0/24
Private subnet: 10.0.51.0/24
Public subnet: 10.0.2.0/24
Private subnet: 10.0.52.0/24
![Page 45: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/45.jpg)
What a VPC is and what goes in it
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
VPC: 10.0.0.0/16
Public subnet: 10.0.0.0/24
Private subnet: 10.0.50.0/24
Public subnet: 10.0.1.0/24
Private subnet: 10.0.51.0/24
Public subnet: 10.0.2.0/24
Private subnet: 10.0.52.0/24
EC2 Instances EC2 Instances EC2 Instances
Amazon RDS Amazon RDS
![Page 46: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/46.jpg)
What a VPC is and what goes in it
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
VPC: 10.0.0.0/16
Public subnet: 10.0.0.0/24
Private subnet: 10.0.50.0/24
Public subnet: 10.0.1.0/24
Private subnet: 10.0.51.0/24
Public subnet: 10.0.2.0/24
Private subnet: 10.0.52.0/24
EC2 Instances EC2 Instances EC2 Instances
Amazon RDS Amazon RDS
![Page 47: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/47.jpg)
If you understand nothing else about VPC . . .
EC2 Instances EC2 Instances EC2 Instances
Amazon RDS Amazon RDS
VPC: 10.0.0.0/16
Security group
Security group
Security group
. . . understand security groups
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
![Page 48: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/48.jpg)
If you understand nothing else about VPC . . .
EC2 Instances EC2 Instances EC2 Instances
Amazon RDS Amazon RDS
VPC: 10.0.0.0/16
Security group
Security group
Security group
. . . understand security groups
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
![Page 49: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/49.jpg)
If you understand nothing else about VPC . . .
EC2 Instances EC2 Instances EC2 Instances
Amazon RDS Amazon RDS
VPC: 10.0.0.0/16
Security group
Security group
Security group
. . . understand security groups
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
![Page 50: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/50.jpg)
If you understand nothing else about VPC . . .
EC2 Instances EC2 Instances EC2 Instances
Amazon RDS Amazon RDS
VPC: 10.0.0.0/16
Security group
Security group
Security group
. . . understand security groups
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
![Page 51: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/51.jpg)
If you understand only two things about VPC . . .
Public subnet: 10.0.0.0/24
Private subnet: 10.0.50.0/24
Public subnet: 10.0.1.0/24
Private subnet: 10.0.51.0/24
Public subnet: 10.0.2.0/24
Private subnet: 10.0.52.0/24
VPC: 10.0.0.0/16
. . . understand routing
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
![Page 52: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/52.jpg)
If you understand only two things about VPC . . .
Public subnet: 10.0.0.0/24
Private subnet: 10.0.50.0/24
Public subnet: 10.0.1.0/24
Private subnet: 10.0.51.0/24
Public subnet: 10.0.2.0/24
Private subnet: 10.0.52.0/24
VPC: 10.0.0.0/16
. . . understand routing
Internet
gateway
Region, e.g. eu-west-1
Availability Zone: eu-west-1a Availability Zone: eu-west-1b Availability Zone: eu-west-1c
![Page 53: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/53.jpg)
AWS resources not in your VPC
$ dig logs.eu-west-1.amazonaws.com +short
52.94.221.80
VPC: 10.0.0.0/16
Region, e.g. eu-west-1
![Page 54: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/54.jpg)
VPC endpoints: Private connectivity to AWS services
Private subnet: 10.0.50.0/24 Private subnet: 10.0.51.0/24 Private subnet: 10.0.52.0/24
VPC: 10.0.0.0/16
Region, e.g. eu-west-1
![Page 55: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/55.jpg)
VPC endpoints: Private connectivity to AWS services
Private subnet: 10.0.50.0/24 Private subnet: 10.0.51.0/24 Private subnet: 10.0.52.0/24
VPC endpoint
10.0.50.125
VPC endpoint
10.0.51.39
VPC endpoint
10.0.52.82
Security group
VPC: 10.0.0.0/16
Region, e.g. eu-west-1
![Page 56: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/56.jpg)
VPC: 10.0.0.0/16
Region, e.g. eu-west-1
VPC endpoints: Network as security perimeter
Private subnet: 10.0.50.0/24 Private subnet: 10.0.51.0/24 Private subnet: 10.0.52.0/24
VPC endpoint
10.0.50.125
VPC endpoint
10.0.51.39
VPC endpoint
10.0.52.82
VPC endpoint
policy
In English: From this network, allow only callers from my AWS Organization
![Page 57: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/57.jpg)
VPC: 10.0.0.0/16
Region, e.g. eu-west-1
VPC endpoints: Authorization using network path
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringEquals": {
"aws:SourceVpce": "vpce-11112222"
}
}
}
![Page 58: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/58.jpg)
VPC: 10.0.0.0/16
Region, e.g. eu-west-1
VPC endpoints: Authorization using network path{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:SourceVpce": "vpce-11112222",
"aws:PrincipalOrgId": "o-a1b2c3"
}
}
}
![Page 59: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/59.jpg)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
![Page 60: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/60.jpg)
Learn a few patterns, secure everything in AWS
Data encryption:
AWS KMS
Network security controls:
Amazon VPC
![Page 61: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/61.jpg)
Learn a few patterns, secure everything in AWS
Data encryption:
AWS KMS
Network security controls:
Amazon VPC
![Page 62: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/62.jpg)
Learn a few patterns, secure everything in AWS
Network security controls:
Amazon VPC
Data encryption:
AWS KMS
![Page 63: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/63.jpg)
Learn a few patterns, secure everything in AWS
Network security controls:
Amazon VPC
Data encryption:
AWS KMS
![Page 64: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/64.jpg)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
30+ free digital courses cover topics related to cloud security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security
Learn security with AWS Training and Certification
Visit aws.amazon.com/training/paths-specialty/
Classroom offerings, like AWS Security Engineering on AWS, feature AWS expert instructors and hands-on activities
Validate expertise with the AWS Certified Security - Specialty exam
Resources created by the experts at AWS to help you build and validate cloud security skills
![Page 65: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/65.jpg)
Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Becky Weiss
![Page 66: The fundamentals of AWS cloud security](https://reader033.fdocuments.in/reader033/viewer/2022050403/62704dd82462bf28e4716f6c/html5/thumbnails/66.jpg)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.