Stephen Quigg discusses security at AWS. He notes that security is AWS's number one priority and that AWS provides comprehensive security capabilities to support virtually any workload. Security is a shared responsibility between AWS and its customers: AWS provides visibility, auditability and control through services such as CloudTrail and IAM, while customers retain control over their data through a choice of encryption options and can choose the level of security that fits their needs and their business.
2. Our customers have different viewpoints on security
• PR: Keep out of the news!
• CEO: Protect shareholder value
• CI(S)O: Preserve the confidentiality, integrity and availability of data
3. Security is always our number one priority at AWS
• People & procedures
• Network security
• Physical security
• Platform security
Comprehensive security capabilities to support virtually any workload
21. You are making API calls on a growing set of services. CloudTrail is continuously recording those API calls and delivering log files to you.
22. Security analysis
• Security analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
• Track changes to AWS resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot operational issues: quickly identify the most recent changes made to resources in your environment.
• Compliance and audit aid: easier to demonstrate compliance with internal policies and regulatory standards.
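The kind of analysis the slide describes, as an added example (not code from the deck or from AWS): parse one delivered CloudTrail log file, pick out the EC2 calls that create, modify or delete resources, and flag the patterns an analyst would want a ticket for. The records are constructed sample data in CloudTrail's real layout (a top-level `Records` list with `eventSource`, `eventName`, `userIdentity`, `sourceIPAddress`, `requestParameters`, `errorCode`); the account, user names, IP ranges, the "trusted network" and the failed-call threshold are assumptions made for the example.

```python
import gzip
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Slide 22: track creation, modification and deletion of EC2 instances,
# security groups and EBS volumes. These prefixes cover the EC2 API calls that do so.
TRACKED_SOURCE = "ec2.amazonaws.com"
CHANGE_PREFIXES = ("Run", "Terminate", "Create", "Delete", "Modify",
                   "Authorize", "Revoke", "Attach", "Detach")
TRUSTED_NETS = [ip_network("203.0.113.0/24")]   # assumed corporate egress range (TEST-NET-3)
FAILED_CALL_THRESHOLD = 3                        # assumed: repeated denials look like probing

def _rec(name, user, ip, mfa="true", params=None, error=None):
    """Build one CloudTrail-shaped record (constructed sample data, not a real log)."""
    r = {"eventVersion": "1.0", "eventTime": "2014-03-06T21:22:54Z",
         "eventSource": TRACKED_SOURCE, "eventName": name,
         "awsRegion": "ap-southeast-2", "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "userName": user,
                          "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
         "requestParameters": params or {}}
    if error:
        r["errorCode"] = error
    return r

SAMPLE_LOG = {"Records": [
    _rec("DescribeInstances", "alice", "203.0.113.10"),
    _rec("AuthorizeSecurityGroupIngress", "alice", "203.0.113.10",
         params={"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _rec("DeleteVolume", "bob", "198.51.100.7", mfa="false",
         params={"volumeId": "vol-0f00ba12"}),
    _rec("TerminateInstances", "bob", "198.51.100.7", error="Client.UnauthorizedOperation"),
    _rec("TerminateInstances", "bob", "198.51.100.7", error="Client.UnauthorizedOperation"),
    _rec("TerminateInstances", "bob", "198.51.100.7", error="Client.UnauthorizedOperation"),
]}

def sample_blob():
    """The sample log as CloudTrail delivers it to S3: gzipped JSON."""
    return gzip.compress(json.dumps(SAMPLE_LOG).encode())

def load_records(blob):
    """Parse one delivered log file into its list of records."""
    return json.loads(gzip.decompress(blob))["Records"]

def is_resource_change(rec):
    return rec.get("eventSource") == TRACKED_SOURCE and rec["eventName"].startswith(CHANGE_PREFIXES)

def opens_to_world(rec):
    """True for AuthorizeSecurityGroupIngress with a 0.0.0.0/0 source range."""
    if rec["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))

def mfa_present(rec):
    attrs = rec["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def _ip(rec):
    try:
        return ip_address(rec.get("sourceIPAddress", ""))
    except ValueError:
        return None   # calls made on your behalf by an AWS service carry a service name here

def analyse(records):
    """Return (severity, message) findings for one batch of records."""
    findings, failures = [], Counter()
    for rec in records:
        user = rec["userIdentity"].get("userName", rec["userIdentity"].get("arn", "?"))
        if "errorCode" in rec:
            failures[user] += 1       # the call changed nothing; only the pattern matters
            continue
        if not is_resource_change(rec):
            continue
        if opens_to_world(rec):
            findings.append(("HIGH", f"{user} opened {rec['requestParameters']['groupId']} to 0.0.0.0/0"))
        ip = _ip(rec)
        if ip is not None and not any(ip in net for net in TRUSTED_NETS):
            findings.append(("MEDIUM", f"{user} called {rec['eventName']} from untrusted {ip}"))
        if not mfa_present(rec) and rec["eventName"].startswith(("Delete", "Terminate")):
            findings.append(("MEDIUM", f"{user} called {rec['eventName']} without MFA"))
    for user, n in failures.items():
        if n >= FAILED_CALL_THRESHOLD:
            findings.append(("LOW", f"{user}: {n} failed calls (repeated UnauthorizedOperation)"))
    return findings

if __name__ == "__main__":
    for severity, msg in analyse(load_records(sample_blob())):
        print(severity, msg)
```

In production the same `analyse()` runs over every file that lands in the CloudTrail bucket; the record fields used here are stable across delivered files, and the only site-specific parts are the trusted network and the thresholds.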
23. ‣ CloudTrail records API calls and delivers a log file to your S3 bucket.
‣ Typically delivers an event within 15 minutes of the API call.
‣ Log files are delivered approximately every 5 minutes.
‣ Multiple partners offer integrated solutions to analyze log files, including Splunk, SumoLogic and Loggly.
24. Amazon CloudWatch Logs can monitor your system, application and custom log files from Amazon EC2 instances and other sources. For example: monitor your web server HTTP log files and use CloudWatch metric filters to identify 404 errors and count the number of occurrences within a specified time period. CloudWatch Alarms can then notify you when the number of 404 errors breaches whatever threshold you decide to set; you could use this to automatically generate a ticket for investigation.
Now monitor everything with CloudWatch Logs.
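The 404 pipeline described on the slide, as an added example that is not code from the deck or from AWS. It emulates what the managed pieces do, so the semantics can be checked offline: a space-delimited metric filter of the form `[ip, id, user, timestamp, request, status_code = 404, size]` over Apache-style access log lines, the per-period Sum statistic, a GreaterThanThreshold alarm, and the contents of the ticket the alarm would raise. The log lines, hosts and paths are constructed; the 5-minute period and threshold of 3 are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in Apache common log format (fake addresses, fake paths).
SAMPLE_ACCESS_LOG = """\
198.51.100.4 - - [12/Mar/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [12/Mar/2014:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 312
198.51.100.4 - - [12/Mar/2014:10:00:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 312
198.51.100.4 - - [12/Mar/2014:10:00:07 +0000] "GET /.env HTTP/1.1" 404 312
203.0.113.9 - - [12/Mar/2014:10:01:10 +0000] "GET /about.html HTTP/1.1" 200 2210
198.51.100.4 - - [12/Mar/2014:10:01:11 +0000] "GET /admin/ HTTP/1.1" 404 312
203.0.113.9 - - [12/Mar/2014:10:06:30 +0000] "GET /missing.png HTTP/1.1" 404 312
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None                 # a metric filter simply skips lines that do not match
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    return e

def metric_filter(lines, status=404):
    """Emulates the filter pattern [ip, id, user, timestamp, request, status_code = 404, size]
    publishing a metric value of 1 for each matching line."""
    return [e for e in map(parse_line, lines) if e and e["status"] == status]

def _period_start(ts, period):
    return datetime.fromtimestamp(int(ts.timestamp()) // period * period, tz=timezone.utc)

def aggregate(events, period=300):
    """The Sum statistic per period, as CloudWatch computes it for the metric."""
    counts = Counter(_period_start(e["ts"], period) for e in events)
    return dict(sorted(counts.items()))

def alarm_states(period_counts, threshold):
    """One state per period: ALARM when Sum > threshold (GreaterThanThreshold,
    one evaluation period), otherwise OK."""
    return {start: ("ALARM" if n > threshold else "OK") for start, n in period_counts.items()}

def ticket(lines, threshold=3, period=300):
    """What the automatically generated ticket would contain; None when nothing breached."""
    events = metric_filter(lines)
    states = alarm_states(aggregate(events, period), threshold)
    breaching = [start for start, state in states.items() if state == "ALARM"]
    if not breaching:
        return None
    hits = [e for e in events if _period_start(e["ts"], period) in breaching]
    return {"periods": [s.isoformat() for s in breaching],
            "count_404": len(hits),
            "top_sources": Counter(e["ip"] for e in hits).most_common(3),
            "paths": sorted({e["request"].split()[1] for e in hits})}

if __name__ == "__main__":
    print(ticket(SAMPLE_ACCESS_LOG.splitlines()))
```

The ticket carries the part an analyst needs first: which source produced the 404s and which paths it asked for. In the sample one host probing for `/wp-login.php`, `/phpmyadmin/` and `/.env` trips the alarm, while the single genuine missing image five minutes later does not.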
26. Defense in Depth
Multi-level security:
• Physical security of the data centers
• Network security
• System security
• Data security
27. AWS Security Delivers More Control & Granularity
Choose what's right for your business needs:
• Defense in depth
• Rapid scale for security
• Automated checks with AWS Trusted Advisor
• Fine-grained access controls (AWS IAM)
• Server-side encryption
• Multi-factor authentication
• Dedicated instances (Amazon VPC)
• Direct connection, Storage Gateway (AWS Direct Connect, AWS Storage Gateway)
• HSM-based key storage (AWS CloudHSM)
28. AWS EMPLOYEE ACCESS
‣ Staff vetting
‣ No logical access to customer instances
‣ Control-plane access limited and monitored: bastion hosts, least-privileged model, zoned data center access
‣ Access based on strict business needs
‣ Separate PAMS
30. Every network has fine-grained security control built-in
Diagram: a VPC spanning Availability Zone A and Availability Zone B.
You control your VPC address range:
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space you define
• Create your own subnets and control all internal and external connectivity
AWS network security:
• The AWS network will prevent spoofing and other common layer 2 attacks
• Every compute instance gets multiple security groups (stateful firewalls)
• Every subnet gets network access control lists
31. Control firewalls for every host with security groups
Diagram: VPC A (10.0.0.0/16), Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 holding load balancing, web, app, log and jump-host EC2 instances.
• "Web servers will accept port 80 from load balancers"
• "App servers will accept port 8080 from web servers"
• "Allow SSH access only from jump hosts"
32. Control traffic between each subnet with NACLs
Diagram: the same VPC A (10.0.0.0/16), Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with load balancing, web, app, log and jump-host EC2 instances.
• "Deny all traffic between the web server subnet and the database server subnet"
33. Control all traffic routing to the Internet
Diagram: VPC A (10.0.0.0/16), Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with web and app EC2 instances behind load balancing, reached through an Internet Gateway.
Control Internet routing:
• Create public subnets and private subnets
• Implement DMZ architectures as per normal best practices
• Allocate static Elastic IP addresses or use AWS-managed public IP addresses
34. Connect in private to your existing datacentres
Diagram: the same VPC A (10.0.0.0/16), Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with web and app EC2 instances behind load balancing, connected to your premises.
• Use Internet VPNs or use AWS Direct Connect
35. Every website can absorb attack and scale out
Diagram: distributed attackers and customers reach Route53 and CloudFront in front of your VPC in the Sydney region; behind them sit WAF instances, ELBs and Auto Scaling groups of app servers, with Amazon S3 for static content.
38. AWS Regions
• US-WEST (N. California)
• US-WEST (Oregon)
• US-EAST (Virginia)
• GOV CLOUD
• SOUTH AMERICA (Sao Paulo)
• EU-WEST (Ireland)
• ASIA PAC (Tokyo)
• ASIA PAC (Singapore)
• ASIA PAC (Sydney)
It's not just having services in a couple of regions.
39. You can stay onshore in Australia if you need to
AWS Sydney Region: multiple availability zones
42. YOU CAN ENCRYPT ALL OF YOUR DATA
CHOOSE WHAT’S RIGHT FOR YOU
Automated – AWS manages encryption
Enabled – user manages encryption using AWS
Client-side – user manages encryption their own way
43. ENCRYPT YOUR SENSITIVE DATA
AWS CLOUDHSM
AMAZON S3 SSE
AMAZON GLACIER
AMAZON REDSHIFT
AMAZON RDS
44. You can store your encryption keys in AWS CloudHSM
Diagram: EC2 instances using AWS CloudHSM appliances.
• Managed and monitored by AWS, but you control the keys
• Increase performance for applications that use HSMs for key storage or encryption
• Comply with stringent regulatory and contractual requirements for key protection
47. Control access and segregate duties everywhere
With AWS IAM you get to control who can do what in your AWS environment and from where.
• Fine-grained control of your AWS cloud with two-factor authentication
• Integrated with your existing corporate directory using SAML 2.0 and single sign-on
Diagram: AWS account owner; network management; security management; server management; storage management.
48. AWS IAM: Recent innovations
Securely control access to AWS services and resources
• Delegation
– Roles for Amazon EC2
– Cross-account access
• Powerful integrated permissions
– Resource-level permissions: Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation
– Access control policy variables
– Policy Simulator
– Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk
• Federation
– Web Identity Federation
– AD and Shibboleth examples
– Partner integrations
• Strong authentication
– MFA-protected API access
– Password policies
• Enhanced documentation and videos
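Slides 47 and 48 name four IAM policy features together: resource-level permissions, policy variables, MFA-protected API access and the "from where" of source-address conditions, plus the Policy Simulator to check them. The following is an added example (not code from the deck, and not the Policy Simulator or IAM's own engine): one policy document in real IAM syntax using those features, and a small evaluator that applies IAM's decision order (an explicit Deny wins, then an Allow, otherwise implicit deny) so the policy can be exercised offline. `aws:username`, `aws:MultiFactorAuthPresent` and `aws:SourceIp` are real IAM keys; the account ID, instance ID, bucket name and office address range are assumptions, and only the `Bool`, `IpAddress` and `NotIpAddress` condition operators are modelled.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

ACCOUNT = "123456789012"                                   # assumed account ID
INSTANCE_ARN = "arn:aws:ec2:ap-southeast-2:" + ACCOUNT + ":instance/i-0dev00000000001"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyEC2", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        # Resource-level permission: only this one instance, not "*".
        {"Sid": "StopDevInstance", "Effect": "Allow",
         "Action": ["ec2:StopInstances", "ec2:StartInstances"], "Resource": INSTANCE_ARN},
        # MFA-protected API access: the Allow only applies to an MFA-authenticated session.
        {"Sid": "TerminateNeedsMFA", "Effect": "Allow", "Action": "ec2:TerminateInstances",
         "Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        # Policy variable: one statement gives every user their own prefix.
        {"Sid": "HomeDirOnly", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::corp-data/home/${aws:username}/*"},
        # "From where": an explicit Deny for any call not from the (assumed) office range.
        {"Sid": "OfficeOnly", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

# Constructed request context: an IAM user at the office, no MFA on this session.
REQUEST_CONTEXT = {"aws:username": "alice",
                   "aws:MultiFactorAuthPresent": "false",
                   "aws:SourceIp": "203.0.113.10"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _substitute(pattern, ctx):
    """Expand ${key} policy variables from the request context."""
    for k, v in ctx.items():
        pattern = pattern.replace("${" + k + "}", str(v))
    return pattern

def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Bool":
                # A missing key does not satisfy Bool, which is what makes the MFA gate safe.
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif op in ("IpAddress", "NotIpAddress"):
                inside = actual is not None and any(
                    ip_address(actual) in ip_network(c) for c in _as_list(expected))
                if inside != (op == "IpAddress"):
                    return False
            else:
                raise NotImplementedError(op)   # operators outside this example's scope
    return True

def evaluate(policy, action, resource, ctx):
    """IAM's decision order: explicit Deny > Allow > implicit deny.
    Action names match case-insensitively; ARNs match case-sensitively with * and ? wildcards."""
    decision, sid = "implicitDeny", None
    for st in policy["Statement"]:
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, _substitute(r, ctx)) for r in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "explicitDeny", st.get("Sid")
        decision, sid = "allowed", st.get("Sid")
    return decision, sid

def simulate(policy, requests):
    """Run a batch of (action, resource, context) requests, like a simulator session."""
    return [(action, resource) + evaluate(policy, action, resource, ctx)
            for action, resource, ctx in requests]

if __name__ == "__main__":
    mfa = {**REQUEST_CONTEXT, "aws:MultiFactorAuthPresent": "true"}
    for row in simulate(POLICY, [
            ("ec2:DescribeInstances", "*", REQUEST_CONTEXT),
            ("ec2:TerminateInstances", INSTANCE_ARN, REQUEST_CONTEXT),
            ("ec2:TerminateInstances", INSTANCE_ARN, mfa),
            ("s3:GetObject", "arn:aws:s3:::corp-data/home/bob/x.csv", REQUEST_CONTEXT)]):
        print(row)
```

The evaluator is deliberately small, but the point it makes is the one that matters when reviewing real policies: an Allow whose condition is not met is simply absent, a Deny whose condition is met overrides every Allow, and a missing context key never satisfies a `Bool` test, so a user on a session without MFA cannot reach the terminate permission even though the action and resource match.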
50. You get to do all of this in development, testing and production
51. Expand your skills with AWS
• Certification (aws.amazon.com/certification): exams that validate your proven technical expertise with the AWS platform
• On-Demand Resources (aws.amazon.com/training/self-paced-labs): videos and labs to get hands-on practice working with AWS technologies in a live environment
• Instructor-Led Courses (aws.amazon.com/training): training classes to expand your technical expertise to design, deploy, and operate scalable, efficient applications on AWS