CSS 17: NYC - The AWS Shared Responsibility Model in Practice
•Descargar como PPTX, PDF•
0 recomendaciones•267 vistas
Presentation from Amazon Web Services Solutions Architect Pat McDowell at the Cloud Security Summit in NYC on April 26, 2017.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a CSS 17: NYC - The AWS Shared Responsibility Model in Practice
Similar a CSS 17: NYC - The AWS Shared Responsibility Model in Practice (20)
Más de Alert Logic
Más de Alert Logic (20)
Último
Último (20)
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
- 2. Rob Alexander Capital One's chief information officer (presented at AWS re:Invent 2015 user conference keynote) "The financial service industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers."
- 3. At AWS, cloud security is job zero. All AWS customers benefit from a data center and network architecture built to satisfy the requirements of the most security-sensitive organizations.
- 4. Where would some of the world’s top security people like to work? At scale on huge challenges with huge rewards So AWS has world-class security and compliance teams watching your back! Every customer benefits from the tough scrutiny of other AWS customers Gain access to a world-class security team
- 5. Glacier Vault Lock & SEC Rule 17a-4(f) Broad Accreditations & Certifications
- 7. AWS Shared Responsibility Model Facilities Physical security Compute infrastructure Storage infrastructure Network infrastructure Virtualization layer (EC2) Hardened service endpoints Rich IAM capabilities Network configuration Security groups OS firewalls Operating systems Applications Proper service configuration AuthN & acct management Authorization policies + = Customer . • Scope of responsibility depends on the type of service offered by AWS: Infrastructure, Container, Abstracted Services • Understanding who is responsible for what is critical to ensuring your AWS data and systems are secure! More secure and compliant systems than any one entity could achieve on its own at scale
- 8. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content Shared Responsibility Model Customers are responsible for their security and compliance IN the Cloud AWS is responsible for the security OF the Cloud CustomerAWS
- 9. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Your own accreditation Meet your own security objectives Your own certifications Your own external audits Customer scope and effort is reduced Better results through focused efforts Built on AWS consistent baseline controls CustomerAWS
- 10. • Amazon has been building large-scale data centers for many years. • Important attributes: – Non-descript facilities – Robust perimeter controls – Strictly controlled physical access – Two or more levels of two-factor authentication • Controlled, need-based access. • All access is logged and reviewed. • Separation of Duties – Employees with physical access don’t have logical privileges. AWS Responsibilities Physical Security of Data Center
- 11. • Host operating system • Individual SSH keyed logins via bastion host for AWS admins • All accesses logged and audited • Guest (a.k.a. Instance) operating system • Customer controlled (customer owns root/admin) • AWS admins cannot log in • Customer-generated keypairs • Stateful firewall • Mandatory inbound firewall, default deny mode • Customer controls configuration via Security Groups AWS Responsibilities EC2 Security • IP Spoofing prohibited at host OS level. • Packet sniffing is ineffective (protected at hypervisor level). • Unauthorized Port Scanning a violation of TOS and is detected/blocked. • Inbound ports blocked by default. Network Security
- 13. AAA with AWS Authenticate IAM Username/Password Access Key (+ MFA) Federation Authorize IAM Policies Audit CloudTrail
- 14. AWS IAM Hierarchy of Privileges AWS Account Owner (Root) AWS IAM User Temporary Security Credentials Permissions Example Unrestricted access to all enabled services and resources. Action: * Effect: Allow Resource: * (implicit) Access restricted by Group and User policies Action: [‘s3:*’,’sts:Get*’] Effect: Allow Resource: * Access restricted by generating identity and further by policies used to generate token Action: [ ‘s3:Get*’ ] Effect: Allow Resource: ‘arn:aws:s3:::mybucket/*’ Enforce principle of least privilege with Identity and Access Management (IAM) users, groups, and policies and temporary credentials.
- 15. 4 Encryption
- 16. Encryption at Rest Volume Encryption EBS Encryption Filesystem Tools AWS Marketplace/Partner Object Encryption S3 Server Side Encryption (SSE) S3 SSE w/ Customer Provided Keys Client-Side Encryption Database Encryption Redshift Encryption RDS PostgreSQL KMS RDS MYSQL KMS RDS ORACLE TDE/HSM RDS MSSQL TDE
- 17. AWS Key Management Service Customer Master Key(s) Data Key 1 Amazon S3 Object Amazon EBS Volume Amazon Redshift Cluster Data Key 2 Data Key 3 Data Key 4 Managed service to securely create, control, rotate, and use encryption keys.
- 18. • AWS Certificate Manager (ACM) makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform. AWS Certificate Manager
- 20. AWS Shield Standard Protection Advanced Protection • Available to ALL AWS customers at No Additional Cost Paid service that provides additional, comprehensive protections from large and sophisticated attacks
- 21. AWS WAF
- 22. Amazon Inspector • Vulnerability Assessment Service - Built from the ground up to support DevSecOps - Automatable via APIs - Integrates with CI/CD tools - On-Demand Pricing model - Static & Dynamic Rules Packages - Generates Findings
- 23. AWS CloudTrail Web service that records AWS API calls for your account and delivers logs. Who? When? What? Where to? Where from? Bill 3:27pm Launch Instance us-west-2 72.21.198.64 Alice 8:19am Added Bob to admin group us-east-1 127.0.0.1 Steve 2:22pm Deleted DynamoDB table eu-west-1 205.251.233.176
- 24. AWS Config & Config Rules Managed service for tracking AWS inventory and configuration, and configuration change notification. AWSConfig EC2 VPC EBS CloudTrail Change Management Audit Compliance Security Analysis Troubleshootin g Discovery
- 25. Thank you.
- 26. Thank you.
Notas del editor
- Also, mention the IDC whitepaper: “Assessing the Risk: Yes, the Cloud can be More Secure than your On-Premises Environment” --Pete Lindstrom, June 2015
- Do treat security as code, allowing you to deploy and validate security infrastructure in a manner that allows you the scale and agility to protect the organization. Do create guardrails, sensible defaults, and offer templates and best practices as code. Do build security services that the organization can leverage for highly repetitive or particularly sensitive security functions. Do define actors and then storyboard their experience interacting with AWS services. Do use the AWS Trusted Advisor tool to continually assess your AWS security posture, and consider an AWS Well Architected review. Do establish a minimal viable security baseline, and continually iterate to raise the bar for the workloads you’re protecting.
- There’s a shared responsibility to accomplish security and compliance objectives in AWS cloud. There are some elements that AWS takes responsibility for, and others that the customer must address. The outcome of the collaborative approach is positive results seen by customers around the world.
- We look after the security OF the cloud, and you look after your security IN the cloud.
- Segway to talk about FedRAMP potentially and share your experiences from around the world!
- AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect your data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs. Integrated with AWS SDKs and AWS services: S3, EBS, AWS Import/Export Snowball, RDS, Redshift, CodeCommit, CloudTrail, EMR, Kinesis Firehose, Elastic Transcoder, SES, WorkSpaces, WorkMail Centralized control. Easy and automatic key rotation (KMS keeps track of old keys for decryption) *New Feature*: Bring your own keys to KMS
- Provision trusted SSL/TLS certificates from AWS for use with AWS resources: Elastic Load Balancing Amazon CloudFront distributions AWS handles the muck Key pair and CSR generation Managed renewal and deployment Domain validation (DV) through email Available through AWS Management console, CLI, or API
- Let’s talk about why we built the WAF based on customer feedback. Initially the WAF will be a CDN offering, but will be extended shortly after launch to include ELB WAFs help protect web sites & applications against attacks that cause data breaches and downtime. General WAF use cases Protect from SQL Injection (SQLi) and Cross Site Scripting (XSS) Prevent Web Site Scraping, Crawlers, and BOTs Mitigate DDoS (HTTP/HTTPS floods) Gartner reports that main driver of WAF purchase (25-30%) is PCI compliance
- Who made the API call? When was the API call made? What was the API call? Which resources were acted up on in the API call? Where was the API call made from and made to?
- AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting. Use Cases: Security analysis: Am I safe? Audit compliance: Where is the evidence? Change management: What will this change affect? Troubleshooting: What has changed? Discovery: What resources exist?