Presentation from Amazon Web Services Solutions Architect, Andrew Baird at the Cloud Security Summit in Atlanta on May 4, 2017.

1. Thank you.
©&® 2017. Amazon Web Services, Inc.

2. THE AWS SHARED
RESPONSIBILITY MODEL
IN PRACTICE
Andrew Baird
Solutions Architect, Amazon Web Services

3. Agenda
• Introduction
• Shared Responsibility Model Overview
• Understanding and Owning your Responsibilities
• Monitoring and Auditing your Responsibilities
• Filling the Gaps

4. INTRODUCTION

5. Where would some of the world’s top security
people like to work? At scale on huge challenges
with huge rewards
So AWS has world-class security and compliance
teams watching your back!
Every customer benefits from the tough
scrutiny of other AWS customers
Gain access to a world-class security team

6. Glacier Vault Lock
& SEC Rule 17a-4(f) 27018
Broad Accreditations & Certifications

7. SHARED RESPONSIBILITY
MODEL OVERVIEW

8. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
AWS Shared Responsibility Model
Customers are
responsible for their
security and
compliance IN the
Cloud
AWS is responsible
for the security OF
the Cloud
CustomerAWS

9. AWS Shared Responsibility Model
Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer
Hardened service endpoints
Rich IAM capabilities
Network configuration
Security groups
OS firewalls
Operating systems
Applications
Proper service configuration
AuthN & acct management
Authorization policies
+ =
Customer
.
• Scope of responsibility depends on the type of service offered by AWS:
Infrastructure, Container, Abstracted Services
• Understanding who is responsible for what is critical to ensuring your AWS data and
systems are secure!
More secure and
compliant systems
than any one entity
could achieve on its
own at scale

10. UNDERSTANDING
AND OWNING YOUR
RESPONSIBILITIES

11. Step 1: What are your compliance requirements?
Glacier Vault Lock
& SEC Rule 17a-4(f) 27018

12. Step 2: What are your application requirements?
• What will the architecture look like?
• What pieces do your compliance/security requirements apply to?
o Goal = reduce scope

13. Step 3: What AWS Services will you be using?
• Higher-level services = more security responsibility pushed to AWS
- Goal = reduce ownership
• How does this service meet my security bar?
- Responsibility varies by service:
o Automatic?
o Checkbox required?
o Application involvement required?
Amazon
RDS
Amazon
EC2
VS.
Amazon
DynamoDB
VS.

14. AWS Account
Owner (Root)
AWS IAM
User
Temporary
Security
Credentials
Permissions Example
Unrestricted access to all
enabled services and
resources.
Action: *
Effect: Allow
Resource: *
(implicit)
Access restricted by
Group and User policies
Action:
[‘s3:*’,’sts:Get*’]
Effect: Allow
Resource: *
Access restricted by
generating identity and
further by policies used
to generate token
Action: [ ‘s3:Get*’ ]
Effect: Allow
Resource:
‘arn:aws:s3:::mybucket/*’
Enforce principle of least privilege with Identity and Access Management (IAM) users, groups, and policies
and temporary credentials.
Step 4: Least Privilege Access Control

15. MONITORING AND
AUDITING YOUR
RESPONSIBILITIES

16. Different log categories
• AWS Infrastructure
logs
 AWS CloudTrail
 Amazon VPC Flow
Logs
• AWS service logs
 Amazon S3
 Elastic Load Balancing
 Amazon CloudFront
 AWS Lambda
 AWS Elastic Beanstalk
 …
• Host based logs
 Messages
 Security
 NGINX/Apache/IIS
 Windows Event Logs
 Windows Performance
Counters
 …

17. AWS CloudTrail
Web service that records AWS API calls for your account and delivers logs.
Who? When? What? Where to? Where from?
Bill 3:27pm Launch Instance us-west-2 72.21.198.64
Alice 8:19am Added Bob to
admin group
us-east-1 127.0.0.1
Steve 2:22pm Deleted
DynamoDB table
eu-west-1 205.251.233.176

18. Amazon CloudWatch Logs
Monitor Logs from Amazon EC2 Instances in Real-time

19. Ubiquitous logging and monitoring
Amazon CloudWatch Logs lets you grab everything and monitor activity
 Managed service to collect and keep your logs
 Amazon CloudWatch Logs Agent for Linux and Windows
instances
 Integration with Metrics and Alarms
 Export data to Amazon S3 for analytics
 Stream to Amazon Elasticsearch Service or AWS Lambda

20. AWS Config
Managed service for tracking AWS inventory and configuration, and configuration change notification.
AWSConfig
Amazon
EC2
Amazon
VPC
Amazon
EBS
AWS
CloudTrail
Change
Management
Audit
Compliance
Security
Analysis
Troubleshooting Discovery

21. AWS Trusted Advisor
Leverage Trusted Advisor to analyze your AWS resources for best practices for availability, cost, performance
and security.

22. AWS Security tools: What to use?
AWS Security and Compliance
Security of the
cloud
Services and tools to
aid
security in the cloud
Service Type Use cases
Continuous logging
Records AWS API calls for your account and
delivers log files to you
Continuous evaluations
Codified internal best practices,
misconfigurations, security vulnerabilities, or
actions on changes
On-demand evaluations
Security insights into your application
deployments running inside your Amazon EC2
instance
Periodic evaluations
Cost, performance, reliability, and security
checks that apply broadly
Actions in response to
APIs and state change
AWS APIs use triggers custom Lambda actions
AWS Inspector
AWS Config Rules
AWS Trusted
Advisor
AWS CloudTrail
Amazon
CloudWach Events

23. FILLING THE
GAPS

24. AWS Partners!

25. Three Key Takeaways
• Push responsibilities to native AWS capabilities where possible.
• Let application security requirements drive your implementation.
• Leverage AWS Partners and the AWS Marketplace to fill gaps.

26. Thank you.

27. Thank you.