V brownbag sept-14-2016
vBrownBag AWS Solutions Architect Associate Exam
Domain 3.0 – Data Security
Sept 5, 2016
Anthony Chow
Twitter: @vCloudernBeer
Blog: http://cloudn1n3.blogspot.com/
https://aws.amazon.com/certification/certified-solutions-architect-associate/
Exam Objectives
Domain 3.0: Data Security
3.1: Recognize and implement secure practices for optimum cloud deployment and maintenance
3.2: Recognize critical disaster recovery techniques and their implementation
Domain 3.1
• vBrownBag
• A Cloud Guru (https://acloud.guru/)
• Cloud Academy (https://cloudacademy.com/)
• Linux Academy (https://linuxacademy.com/)
• Amazon Web Services: https://aws.amazon.com/security/
• AWS channel on YouTube (https://www.youtube.com/user/AmazonWebServices)
• Whitepapers from AWS (https://aws.amazon.com/whitepapers/)
Study Resources for Domain 3
https://aws.amazon.com/whitepapers/
• Introduction to AWS Security Process
• Introduction to AWS Security
• AWS Security Best Practices
• Overview of Security Processes
• Overview of AWS Security – Compute Services
• Overview of AWS Security – Storage Services
• AWS Risk and Compliance Whitepaper
Whitepapers from AWS
Protection of data and systems – the CIA Triad:
• Confidentiality
• Integrity
• Availability
Security best practices cover data in each of its states:
• Data in use
• Data in transit
• Data at rest
Security Basics
Image source: https://d0.awsstatic.com/logos/compliance/shared_responsibility.jpg
AWS Shared Security Responsibilities
Image source: image.slidesharecdn.com/awscsaassociate-06-07-141204234102-conversion-gate01/95/aws-csa-associate-0607-19-638.jpg?cb=1417736585
AWS Built-in Security Features
AWS – Overview of Security Process
https://aws.amazon.com/compliance/
Written approval is a MUST before a customer performs a penetration test against their own instances (AWS policy at the time of this talk; check the current AWS penetration-testing policy, which has since relaxed this requirement for several services).
Image source: https://d0.awsstatic.com/security-center/AwsCompliancePrograms.jpg
AWS Platform Compliance
Image source: http://image.slidesharecdn.com/awsiam-security-150921011122-lva1-app6891/95/aws-iam-and-security-3-638.jpg?cb=1442798167
AWS – Identity and Access Management (IAM)
Image source: http://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/ExerciseOverview.html
AWS Virtual Private Cloud (VPC)
By default, security groups allow all outbound traffic.
Security group rules are always permissive; you can't create rules that deny access.
You can add and remove rules at any time. You can't change the outbound rules for EC2-Classic. If you're using the Amazon EC2 console, you can modify existing rules, and you can copy the rules from an existing security group to a new security group.
When you add or remove rules, your changes are automatically applied to the instances associated with the security group after a short period, depending on the connection tracking for the traffic. For more information, see Connection Tracking.
Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. For VPC security groups, this also means that responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. For more information, see Connection Tracking.
AWS VPC – Security Groups (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html)
Rule number. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that may contradict it.
Protocol. You can specify any protocol that has a standard protocol number. For more information, see Protocol Numbers. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.
[Inbound rules only] The source of the traffic (CIDR range) and the destination (listening) port or port range.
[Outbound rules only] The destination for the traffic (CIDR range) and the destination port or port range.
Choice of ALLOW or DENY for the specified traffic.
AWS VPC Security – Network ACLs (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html)
Image source: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
Comparison of Security Group and ACL
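The two preceding slides state the rules (security groups are stateful and allow-only; network ACLs are stateless, numbered, first match wins, and can DENY). The following is an added example, not code from the slides or from AWS: a small Python model of both evaluators run over a constructed HTTPS request and its reply. The packet and rule shapes, the `demo()` scenario and the set-based connection tracking are simplifications assumed for illustration, not the real EC2 implementation.

```python
"""Security group (stateful, allow-only) vs network ACL (stateless, ordered
ALLOW/DENY). Added illustration; rule and packet shapes are assumptions and
'connection tracking' is a plain set of flows, not the EC2 implementation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp", "udp" or "icmp"
    sport: int    # source port (0 for icmp)
    dport: int    # destination port (0 for icmp)


def _match(rule, ip, pkt):
    """One rule matches if protocol, CIDR and destination port all fit."""
    if rule["proto"] not in ("all", pkt.proto):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule["cidr"], strict=False):
        return False
    lo, hi = rule["ports"]
    return pkt.proto == "icmp" or lo <= pkt.dport <= hi


def nacl_evaluate(rules, pkt, direction):
    """Network ACL: rules are tried lowest number first, the first match wins,
    and the implicit final rule denies. No state is kept, so return traffic
    must be allowed explicitly (ephemeral ports 1024-65535)."""
    ip = pkt.src if direction == "inbound" else pkt.dst
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _match(rule, ip, pkt):
            return rule["action"]
    return "deny"


class SecurityGroup:
    """Security group: every rule is an allow and rules have no order;
    outbound=None models the default 'allow all outbound'. A reply to a
    tracked flow passes regardless of the rules in that direction."""

    def __init__(self, inbound, outbound=None):
        self.inbound = inbound
        self.outbound = outbound
        self._flows = set()

    def evaluate(self, pkt, direction):
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self._flows:
            return "allow"  # stateful: response to an already allowed request
        if direction == "inbound":
            ok = any(_match(r, pkt.src, pkt) for r in self.inbound)
        else:
            ok = self.outbound is None or any(_match(r, pkt.dst, pkt) for r in self.outbound)
        if ok:
            self._flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return "allow" if ok else "deny"


def demo():
    """Constructed scenario: an HTTPS request to a web instance and its reply."""
    request = Packet("203.0.113.10", "10.0.1.5", "tcp", 50000, 443)
    reply = Packet("10.0.1.5", "203.0.113.10", "tcp", 443, 50000)

    def tcp(number, cidr, lo, hi, action):  # number is ignored for security groups
        return {"number": number, "proto": "tcp", "cidr": cidr, "ports": (lo, hi), "action": action}

    # Security group: inbound 443 only; outbound locked down to the database port.
    sg = SecurityGroup(inbound=[tcp(0, "0.0.0.0/0", 443, 443, "allow")],
                       outbound=[tcp(0, "10.0.0.0/8", 5432, 5432, "allow")])
    sg_request = sg.evaluate(request, "inbound")
    sg_reply = sg.evaluate(reply, "outbound")   # passes via connection tracking

    # NACL that forgot the ephemeral-port range drops the reply.
    nacl_in = [tcp(100, "0.0.0.0/0", 443, 443, "allow")]
    nacl_out_bad = [tcp(100, "0.0.0.0/0", 443, 443, "allow")]
    nacl_out_good = [tcp(100, "0.0.0.0/0", 1024, 65535, "allow")]

    # Ordering: a lower-numbered DENY for one /24 beats the broad ALLOW ...
    ordered = [tcp(90, "203.0.113.0/24", 443, 443, "deny")] + nacl_in
    # ... while the same DENY numbered above the ALLOW never gets to fire.
    shadowed = [tcp(110, "203.0.113.0/24", 443, 443, "deny")] + nacl_in

    return {
        "sg_request": sg_request,
        "sg_reply": sg_reply,
        "nacl_request": nacl_evaluate(nacl_in, request, "inbound"),
        "nacl_reply_without_ephemeral": nacl_evaluate(nacl_out_bad, reply, "outbound"),
        "nacl_reply_with_ephemeral": nacl_evaluate(nacl_out_good, reply, "outbound"),
        "nacl_ordered_deny": nacl_evaluate(ordered, request, "inbound"),
        "nacl_shadowed_deny": nacl_evaluate(shadowed, request, "inbound"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

The two verdicts worth remembering for the exam are `nacl_reply_without_ephemeral` (deny: the NACL has no state, so the server's reply to port 50000 needs its own outbound rule) and `sg_reply` (allow: the security group's outbound rules never even see a reply to a tracked inbound connection). The `shadowed` case shows why a DENY that should beat a broad ALLOW must carry the lower rule number.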
• IP address assignment
• API access
• Subnets and route tables
• Security groups
• Network Access Control Lists (NACLs)
• Virtual private gateway
• Internet gateway
• Dedicated instances
• Elastic Network Interfaces
AWS EC2 Security
Ways to control access to S3 buckets and objects:
• IAM policies
• Access Control Lists (ACLs)
• Bucket policies
Encryption types – Server Side (Amazon S3 Server-Side Encryption, SSE):
• SSE-S3 – S3-managed keys
• SSE-KMS – keys managed in AWS Key Management Service (KMS)
• SSE-C – customer-provided keys (the key is sent with each request; S3 does not store it)
Client Side: client encryption library (the application encrypts before upload and keeps the keys)
AWS S3 Security
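The slide above names the three server-side modes; what a practitioner actually has to get right is which request headers select each mode and how to make the bucket refuse anything unencrypted. The following Python is an added example, not code from the slides or the AWS SDK: it builds the SSE headers, emits the common "deny unencrypted PutObject" bucket policy, and runs a toy evaluation of a request against that policy's two Deny statements. The bucket name, KMS key alias and customer key are made-up values, and `put_allowed` is a deliberately minimal stand-in for the IAM evaluation engine.

```python
"""S3 encryption at rest, as an added illustration rather than SDK code:
the request headers each server-side mode needs, the usual bucket policy
that refuses unencrypted uploads, and a toy check of a request against it.
Bucket name, KMS key alias and customer key are made-up values."""
import base64
import hashlib

SSE_HEADER = "x-amz-server-side-encryption"   # request header
COND_KEY = "s3:" + SSE_HEADER                 # matching policy condition key


def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Headers that select the encryption mode on a PutObject request."""
    if mode == "SSE-S3":
        return {SSE_HEADER: "AES256"}
    if mode == "SSE-KMS":
        headers = {SSE_HEADER: "aws:kms"}
        if kms_key_id:  # omit to fall back to the account's default S3 KMS key
            headers[SSE_HEADER + "-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        # The caller ships a 256-bit key with every request; S3 encrypts with it
        # and discards it, so losing the key means losing the objects. The MD5
        # header lets S3 reject a key corrupted in transit.
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        key_md5 = hashlib.md5(customer_key).digest()
        return {
            SSE_HEADER + "-customer-algorithm": "AES256",
            SSE_HEADER + "-customer-key": base64.b64encode(customer_key).decode(),
            SSE_HEADER + "-customer-key-MD5": base64.b64encode(key_md5).decode(),
        }
    raise ValueError(f"unknown mode {mode}")


def deny_unencrypted_policy(bucket):
    """Bucket policy: Deny PutObject unless SSE-S3 or SSE-KMS is requested."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"Null": {COND_KEY: "true"}}},
        {"Sid": "DenyOtherAlgorithms", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {COND_KEY: ["AES256", "aws:kms"]}}},
    ]}


def put_allowed(policy, request_headers):
    """Toy evaluator for the two Deny statements above (not the IAM engine):
    an explicit Deny always wins, and we assume the caller otherwise holds
    s3:PutObject. Header names are compared case-insensitively."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    value = lowered.get(SSE_HEADER)
    for statement in policy["Statement"]:
        condition = statement["Condition"]
        if "Null" in condition and value is None:
            return False
        allowed_values = condition.get("StringNotEquals", {}).get(COND_KEY)
        if allowed_values is not None and value is not None and value not in allowed_values:
            return False
    return True


if __name__ == "__main__":
    policy = deny_unencrypted_policy("example-bucket")
    for mode in ("SSE-S3", "SSE-KMS", "SSE-C"):
        headers = sse_headers(mode, kms_key_id="alias/example", customer_key=bytes(32))
        print(mode, "accepted" if put_allowed(policy, headers) else "DENIED")
    print("plaintext", "accepted" if put_allowed(policy, {}) else "DENIED")
```

Note the side effect the demo makes visible: SSE-C requests carry the `-customer-*` headers rather than `x-amz-server-side-encryption`, so this policy denies them too. If SSE-C is the intended mode, condition on `s3:x-amz-server-side-encryption-customer-algorithm` instead. Either way, the policy only governs uploads through the API; it does nothing for objects that were already stored in plaintext.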
• Distributed Denial of Service (DDoS) attacks
• Man in the Middle (MITM) attacks
• IP spoofing
• Port scanning
• Packet sniffing
AWS DoS Mitigation
Encryption Solutions
Image source: http://image.slidesharecdn.com/encryptionkeymanagement-150701220430-lva1-app6891/95/encryption-and-key-management-in-aws-39-638.jpg?cb=1435788383
Image source: http://image.slidesharecdn.com/03cloudtrail-awsconfigbjmedit-150707140327-lva1-app6892/95/transparency-and-control-with-aws-cloudtrail-and-aws-config-5-638.jpg?cb=1436277900
AWS CloudTrail
Amazon CloudWatch is a monitoring and alerting service that integrates with most AWS services, such as EC2 and RDS.
Monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, and other sources:
• Monitor logs from Amazon EC2 instances in real time
• Monitor AWS CloudTrail logged events
• Archive log data
http://cloudacademy.com/blog/centralized-log-management-with-aws-cloudwatch-part-1-of-3/
AWS CloudWatch Logs
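"Monitor AWS CloudTrail logged events" is where CloudTrail and CloudWatch Logs meet in practice: CloudTrail delivers JSON records to a log group and a metric filter turns matching records into an alarm. The following Python is an added example, not code from the slides or from AWS: it implements two of the CIS AWS Foundations Benchmark detections (use of the root account, and unauthorized API calls) over a constructed CloudTrail log file, so the matching logic can be read and tested offline. The records in `SAMPLE_LOG` are made up; the equivalent CloudWatch Logs filter patterns are quoted in the comments.

```python
"""Detection logic over CloudTrail records, added here as an example (not AWS
code). It mirrors two CIS AWS Foundations Benchmark metric filters in plain
Python. SAMPLE_LOG is a constructed log file, not real events."""
import json

# Constructed CloudTrail log file: a Records array as delivered to S3/CloudWatch Logs.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-09-14T18:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "sourceIPAddress": "203.0.113.7", "awsRegion": "us-east-1"},
    {"eventTime": "2016-09-14T18:02:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "sourceIPAddress": "198.51.100.23", "awsRegion": "us-west-2"},
    {"eventTime": "2016-09-14T18:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
     "errorCode": "AccessDenied", "sourceIPAddress": "10.0.1.5", "awsRegion": "us-east-1"},
    {"eventTime": "2016-09-14T18:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.23", "awsRegion": "us-west-2"},
    # A service acting on the account's behalf shows up as Root with invokedBy set;
    # that is noise, not a person using the root credentials.
    {"eventTime": "2016-09-14T18:05:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "invokedBy": "rds.amazonaws.com"},
     "sourceIPAddress": "rds.amazonaws.com", "awsRegion": "us-east-1"},
]})

# Equivalent CloudWatch Logs metric filter patterns (CIS AWS Foundations Benchmark):
#   { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
#   { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
#     && $.eventType != "AwsServiceEvent" }


def is_unauthorized_call(record):
    """API call that IAM refused: a burst of these is reconnaissance or a broken role."""
    code = record.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_root_usage(record):
    """Direct use of the root account, excluding AWS services acting as root."""
    identity = record.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")


RULES = {"UnauthorizedAPICalls": is_unauthorized_call, "RootAccountUsage": is_root_usage}


def scan(log_text):
    """Return {rule_name: [finding, ...]} for one CloudTrail log file."""
    findings = {name: [] for name in RULES}
    for record in json.loads(log_text)["Records"]:
        for name, rule in RULES.items():
            if rule(record):
                findings[name].append(
                    f"{record['eventTime']} {record['eventName']} "
                    f"from {record['sourceIPAddress']} ({record['awsRegion']})")
    return findings


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LOG).items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

In production the same two patterns go into `aws logs put-metric-filter` against the CloudTrail log group, with a CloudWatch alarm on the resulting metric; the Python version is useful for unit-testing the filter logic against recorded events before the alarm exists.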
Image source: http://image.slidesharecdn.com/awscsaassociate-06-07-141204234102-conversion-gate01/95/aws-csa-associate-0607-36-638.jpg?cb=1417736585
AWS Trusted Advisor
Domain 3.2
Whitepaper: Using Amazon Web Services for Disaster Recovery
Image source: image.slidesharecdn.com/03hybriddisasterrecoveryfinaljwedit-150707141339-lva1-app6891/95/disaster-recovery-of-onpremises-it-infrastructure-with-aws-3-638.jpg?cb=1436278511
Domain 3.2 - Disaster Recovery
Options:
• Backup and Restore
• Pilot Light
• Warm Standby
• Multi-site (Hot Standby)
Data replication options:
• Synchronous
• Asynchronous
AWS Disaster Recovery
Good article that covers this topic really well: http://www.ecloudgate.com/Doc/DisasterRecovery_Overview
Study resource for AWS DR
DR – options and comparison
Image source: http://image.slidesharecdn.com/03hybriddisasterrecoveryfinaljwedit-150707141339-lva1-app6891/95/disaster-recovery-of-onpremises-it-infrastructure-with-aws-9-638.jpg?cb=1436278511
Import/Export:
• Disk
• Snowball
Storage Gateway:
• Gateway-cached volumes
• Gateway-stored volumes
• Gateway-virtual tape library (VTL)
Data Recovery Services
Amazon Elastic Block Store (https://aws.amazon.com/articles/1667)
Routing policies:
• Simple routing policy
• Weighted routing policy
• Latency routing policy
• Failover routing policy (public hosted zones only)
• Geolocation routing policy
API requests are signed with a hash-based signature (Signature Version 4: HMAC-SHA256 keyed by your AWS Secret Access Key; the secret itself never leaves the client)
Use IAM to control which operations a user can perform
AWS Route 53 Security
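The "signed with a hashing function + AWS Secret Access Key" line is the whole of AWS API authentication, so it is worth seeing once in full. The following Python is an added example, not code from the slides or the AWS SDK: it carries a Route 53 ListHostedZones request (`GET /2013-04-01/hostedzone`) through the Signature Version 4 steps with only the standard library. The access key, secret and timestamp are dummy values; Route 53 is a global service, so the credential scope uses `us-east-1`.

```python
"""AWS Signature Version 4 for a Route 53 request, written out with the
standard library. Added illustration, not the AWS SDK; credentials and
timestamp below are dummies."""
import hashlib
import hmac
from urllib.parse import quote

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash for a GET with no body


def _hex_sha256(data):
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload_hash):
    """Canonical form: method, encoded URI, sorted query string, lowercased and
    sorted headers (values trimmed), the signed-header list, and the hex
    SHA-256 of the body. Returns the text and the signed-header list."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    normalized = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    canonical_headers = "".join(f"{k}:{normalized[k]}\n" for k in sorted(normalized))
    signed_headers = ";".join(sorted(normalized))
    text = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, payload_hash])
    return text, signed_headers


def signing_key(secret, date, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The derived key is scoped to one day/region/service, so the long-term
    secret is never used directly on a request."""
    k = _hmac_sha256(("AWS4" + secret).encode(), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def sign_request(access_key, secret, method, host, path, query, amz_date,
                 body=b"", region="us-east-1", service="route53"):
    """Return (Authorization header value, canonical request, string to sign)."""
    headers = {"host": host, "x-amz-date": amz_date}
    payload_hash = _hex_sha256(body)
    creq, signed_headers = canonical_request(method, path, query, headers, payload_hash)
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _hex_sha256(creq.encode())])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return authorization, creq, string_to_sign


if __name__ == "__main__":
    auth, creq, sts = sign_request(
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "GET", "route53.amazonaws.com", "/2013-04-01/hostedzone",
        {"maxitems": "10"}, "20160914T180000Z")
    print("--- canonical request ---\n" + creq)
    print("--- string to sign ---\n" + sts)
    print("--- Authorization ---\n" + auth)
```

Two properties of the scheme are what make "use IAM to control which operations a user can perform" enforceable: the signature covers the method, path, query, signed headers and body hash, so a captured request cannot be altered to call a different operation, and `x-amz-date` is inside the signed data, so AWS can reject replays outside its clock-skew window. The service only learns the access key ID from the `Credential` field and looks the secret up on its side.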