3. Agenda
• Introduction
• Shared Responsibility Model Overview
• Understanding and Owning your Responsibilities
• Monitoring and Auditing your Responsibilities
• Filling the Gaps
5. Where would some of the world’s top security people like to work? At scale, on huge challenges with huge rewards.
So AWS has world-class security and compliance teams watching your back!
Every customer benefits from the tough scrutiny of other AWS customers.
Gain access to a world-class security team.
8. AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
9. AWS Shared Responsibility Model
AWS (security OF the cloud):
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer
• Hardened service endpoints
• Rich IAM capabilities
Customer (security IN the cloud):
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• AuthN & account management
• Authorization policies
AWS + Customer = more secure and compliant systems than any one entity could achieve on its own at scale
• Scope of responsibility depends on the type of service offered by AWS: Infrastructure, Container, Abstracted Services
• Understanding who is responsible for what is critical to ensuring your AWS data and systems are secure!
11. Step 1: What are your compliance requirements?
(Examples shown on the slide: Amazon Glacier Vault Lock for SEC Rule 17a-4(f); ISO/IEC 27018)
12. Step 2: What are your application requirements?
• What will the architecture look like?
• What pieces do your compliance/security requirements apply to?
o Goal = reduce scope
13. Step 3: What AWS Services will you be using?
• Higher-level services = more security responsibility pushed to AWS
- Goal = reduce ownership
• How does this service meet my security bar?
- Responsibility varies by service:
o Automatic?
o Checkbox required?
o Application involvement required?
Example: Amazon EC2 (infrastructure service) vs. Amazon RDS (container service) vs. Amazon DynamoDB (abstracted service)
14. Step 4: Least Privilege Access Control
Permissions example, from the broadest principal to the narrowest:
• AWS Account Owner (Root): unrestricted access to all enabled services and resources. Implicit policy: Action: *, Effect: Allow, Resource: *
• AWS IAM User: access restricted by group and user policies, e.g. Action: [‘s3:*’, ’sts:Get*’], Effect: Allow, Resource: *
• Temporary Security Credentials: access restricted by the generating identity and further by the policies used to generate the token, e.g. Action: [‘s3:Get*’], Effect: Allow, Resource: ‘arn:aws:s3:::mybucket/*’
Enforce the principle of least privilege with Identity and Access Management (IAM) users, groups, and policies, and with temporary credentials.
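The three policies on this slide, worked through in code. This is an added example, not code from the original deck or from AWS: it models IAM's default-deny / explicit-deny-wins evaluation for the simplified Effect/Action/Resource statements shown above (no Condition or NotAction), and it models a temporary credential's effective permission as the intersection of the generating identity's policies and the session policy used to mint the token. The object ARNs, the `demo` function and the `otherbucket` name are assumptions for illustration.

```python
"""Added example (not AWS's code): how the slide's three policies compose.
Assumptions: statements use only Effect/Action/Resource; temporary credentials
are limited to the intersection of identity policies and session policy."""
import fnmatch
from typing import Dict, List, Optional, Union

Policy = Dict[str, Union[str, List[str]]]

# The three policies shown on the slide.
ROOT_IMPLICIT: Policy = {"Effect": "Allow", "Action": "*", "Resource": "*"}
IAM_USER_POLICY: Policy = {"Effect": "Allow", "Action": ["s3:*", "sts:Get*"], "Resource": "*"}
SESSION_POLICY: Policy = {"Effect": "Allow", "Action": ["s3:Get*"],
                          "Resource": "arn:aws:s3:::mybucket/*"}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names match case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    # Resource ARNs are compared case-sensitively (S3 keys, for example).
    return fnmatch.fnmatchcase(resource, pattern)


def policy_allows(policies: List[Policy], action: str, resource: str) -> bool:
    """Default deny: allowed only if some statement allows and none explicitly denies."""
    allowed = False
    for p in policies:
        hit = (any(_action_matches(a, action) for a in _as_list(p["Action"]))
               and any(_resource_matches(r, resource) for r in _as_list(p["Resource"])))
        if not hit:
            continue
        if p["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed


def effective_allows(identity_policies: List[Policy], action: str, resource: str,
                     session_policies: Optional[List[Policy]] = None) -> bool:
    """Temporary credentials: the session policy can only narrow what the
    generating identity already has; it can never widen it."""
    if not policy_allows(identity_policies, action, resource):
        return False
    if session_policies is None:
        return True
    return policy_allows(session_policies, action, resource)


def demo() -> Dict[str, bool]:
    """Walk the slide's three principals down to least privilege (assumed ARNs)."""
    obj = "arn:aws:s3:::mybucket/report.csv"
    return {
        "root_can_delete_users": policy_allows([ROOT_IMPLICIT], "iam:DeleteUser", "*"),
        "user_can_put_object": policy_allows([IAM_USER_POLICY], "s3:PutObject", obj),
        "user_can_run_instances": policy_allows([IAM_USER_POLICY], "ec2:RunInstances", "*"),
        "session_can_get_object": effective_allows([IAM_USER_POLICY], "s3:GetObject", obj, [SESSION_POLICY]),
        "session_can_put_object": effective_allows([IAM_USER_POLICY], "s3:PutObject", obj, [SESSION_POLICY]),
        "session_can_read_other_bucket": effective_allows(
            [IAM_USER_POLICY], "s3:GetObject", "arn:aws:s3:::otherbucket/x", [SESSION_POLICY]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last two checks are the point of the slide: even though the IAM user holds s3:*, a token minted with the s3:Get* session policy can neither write to mybucket nor read any other bucket, and reversing the roles (a weak identity with a broad session policy) grants nothing extra.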
17. AWS CloudTrail
Web service that records AWS API calls for your account and delivers logs.
Who?    When?    What?                       Where to?    Where from?
Bill    3:27pm   Launch Instance             us-west-2    72.21.198.64
Alice   8:19am   Added Bob to admin group    us-east-1    127.0.0.1
Steve   2:22pm   Deleted DynamoDB table      eu-west-1    205.251.233.176
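The slide's table, produced from actual CloudTrail records. This is an added example, not part of the original deck: it parses a CloudTrail log file (the {"Records": [...]} JSON that CloudTrail delivers to S3), answers the five questions for each record, and runs a small watchlist over them. The log is constructed to mirror the three rows above plus one root-login record; timestamps, the table name, the watchlist contents and the IP of the root login are made up.

```python
"""Added example (not from the deck): answer Who/When/What/Where-to/Where-from
from CloudTrail records and flag the ones an operator should review.
SAMPLE_LOG is constructed; the watchlists are ours, not an AWS product list."""
import json
from typing import Dict, List, Tuple

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-03-01T15:27:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "72.21.198.64",
     "userIdentity": {"type": "IAMUser", "userName": "Bill"},
     "requestParameters": {"instanceType": "t2.micro"}},
    {"eventTime": "2016-03-01T08:19:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "127.0.0.1",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"},
     "requestParameters": {"groupName": "admin", "userName": "Bob"}},
    {"eventTime": "2016-03-01T14:22:40Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "awsRegion": "eu-west-1",
     "sourceIPAddress": "205.251.233.176",
     "userIdentity": {"type": "IAMUser", "userName": "Steve"},
     "requestParameters": {"tableName": "orders"}},
    # Extra constructed record: root credentials used at the console without MFA.
    {"eventTime": "2016-03-01T23:02:17Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "userName": "root"},
     "additionalEventData": {"MFAUsed": "No"}},
]})

# Constructed watchlists: calls that change who can do what, and calls that
# destroy data or evidence.
PRIVILEGE_EVENTS = {"AddUserToGroup", "AttachUserPolicy", "PutUserPolicy",
                    "CreateAccessKey", "UpdateAssumeRolePolicy"}
DESTRUCTIVE_EVENTS = {"DeleteTable", "DeleteBucket", "DeleteTrail", "StopLogging"}


def parse_records(log_text: str) -> List[Dict]:
    """CloudTrail delivers one JSON object per file with a Records array."""
    return json.loads(log_text)["Records"]


def summarize(record: Dict) -> Tuple[str, str, str, str, str]:
    """Who? When? What? Where to? Where from?"""
    identity = record["userIdentity"]
    who = identity.get("userName", identity["type"])
    service = record["eventSource"].split(".")[0]
    return (who, record["eventTime"], f"{service}:{record['eventName']}",
            record["awsRegion"], record["sourceIPAddress"])


def find_suspicious(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (who, what, reason) for every record matching the watchlists."""
    findings = []
    for r in records:
        who, _, what, _, _ = summarize(r)
        name = r["eventName"]
        params = r.get("requestParameters") or {}
        if r["userIdentity"]["type"] == "Root":
            mfa = r.get("additionalEventData", {}).get("MFAUsed", "unknown")
            findings.append((who, what, f"root credentials used (MFAUsed={mfa})"))
        if name in PRIVILEGE_EVENTS:
            target = params.get("groupName") or params.get("userName") or params.get("roleName", "")
            kind = "admin" if "admin" in target.lower() else "privilege"
            findings.append((who, what, f"{kind} change targeting '{target}'"))
        if name in DESTRUCTIVE_EVENTS:
            target = params.get("tableName") or params.get("bucketName") or params.get("name", "")
            findings.append((who, what, f"destructive action on '{target}'"))
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for rec in recs:
        print("\t".join(summarize(rec)))
    for finding in find_suspicious(recs):
        print("REVIEW:", finding)
```

Bill's RunInstances is summarised but not flagged; Alice's group change, Steve's table deletion and the root login are. In production the same logic runs over gzipped objects from the trail's S3 bucket or over the trail's CloudWatch Logs stream rather than an inline string.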
19. Ubiquitous logging and monitoring
Amazon CloudWatch Logs lets you grab everything and monitor activity
Managed service to collect and keep your logs
Amazon CloudWatch Logs Agent for Linux and Windows instances
Integration with Metrics and Alarms
Export data to Amazon S3 for analytics
Stream to Amazon Elasticsearch Service or AWS Lambda
20. AWS Config
Managed service for tracking AWS inventory and configuration, and configuration change notification.
Sources recorded by AWS Config: Amazon EC2, Amazon VPC, Amazon EBS, AWS CloudTrail
Use cases: Change Management, Audit Compliance, Security Analysis, Troubleshooting, Discovery
21. AWS Trusted Advisor
Leverage Trusted Advisor to analyze your AWS resources for best practices for availability, cost, performance
and security.
22. AWS Security tools: What to use?
AWS Security and Compliance covers security of the cloud; the services below are tools to aid security in the cloud.
Service / Type / Use cases:
• AWS CloudTrail / Continuous logging: records AWS API calls for your account and delivers log files to you
• AWS Config Rules / Continuous evaluations: codified internal best practices, misconfigurations, security vulnerabilities, or actions on changes
• Amazon Inspector / On-demand evaluations: security insights into your application deployments running inside your Amazon EC2 instances
• AWS Trusted Advisor / Periodic evaluations: cost, performance, reliability, and security checks that apply broadly
• Amazon CloudWatch Events / Actions in response to APIs and state change: AWS API calls and state changes trigger custom Lambda actions
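A concrete "codified internal best practice" of the kind the Config Rules row describes. This is an added example, not code from the deck or from AWS: a custom AWS Config rule implemented as a Lambda handler that marks a security group NON_COMPLIANT when it exposes an administrative port to 0.0.0.0/0 or ::/0. The event shape (invokingEvent and ruleParameters as JSON strings, a resultToken, and the TESTMODE token Config uses when a rule is tested) is the one Config sends to custom rules; the rule parameter name `blockedPorts`, the `sample_event` helper and the security-group IDs are assumptions. The call to `put_evaluations` is the real AWS Config API but is only made for non-test invocations, so the block runs offline.

```python
"""Added example (not AWS's code): a custom AWS Config rule that flags
security groups exposing blocked ports to the whole internet.
Assumed: rule parameter "blockedPorts" (comma-separated); sample events are constructed."""
import json
from typing import Dict, List, Set, Tuple

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
DEFAULT_BLOCKED_PORTS = {22, 3389}


def _cidrs(permission: Dict) -> List[str]:
    """Accept ranges recorded either as plain strings or as {"cidrIp": ...} dicts."""
    out = []
    for r in permission.get("ipRanges", []) + permission.get("ipv4Ranges", []):
        out.append(r["cidrIp"] if isinstance(r, dict) else r)
    for r in permission.get("ipv6Ranges", []):
        out.append(r["cidrIpv6"] if isinstance(r, dict) else r)
    return out


def _covers(permission: Dict, port: int) -> bool:
    if str(permission.get("ipProtocol")) == "-1":  # "all traffic" rule
        return True
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if lo is None or hi is None:  # e.g. ICMP entries carry no port range
        return False
    return lo <= port <= hi


def evaluate_security_group(configuration: Dict,
                            blocked_ports: Set[int] = DEFAULT_BLOCKED_PORTS) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one AWS::EC2::SecurityGroup configuration."""
    exposed = set()
    for perm in configuration.get("ipPermissions", []):
        if not any(c in (ANY_V4, ANY_V6) for c in _cidrs(perm)):
            continue
        exposed.update(p for p in blocked_ports if _covers(perm, p))
    if exposed:
        return "NON_COMPLIANT", f"ports {sorted(exposed)} open to the world"
    return "COMPLIANT", "no blocked port is open to 0.0.0.0/0 or ::/0"


def lambda_handler(event: Dict, context=None) -> List[Dict]:
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    blocked = {int(p) for p in params.get("blockedPorts", "22,3389").split(",")}
    if (item["resourceType"] != "AWS::EC2::SecurityGroup"
            or item.get("configurationItemStatus") == "ResourceDeleted"):
        compliance, note = "NOT_APPLICABLE", "not an active security group"
    else:
        compliance, note = evaluate_security_group(item["configuration"], blocked)
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance, "Annotation": note,
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    # Config sends resultToken "TESTMODE" when a rule is tested; publish only real results.
    if event.get("resultToken") and event["resultToken"] != "TESTMODE":
        import boto3  # only needed inside Lambda
        boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                               ResultToken=event["resultToken"])
    return [evaluation]


def sample_event(ip_permissions: List[Dict], blocked: str = "22,3389") -> Dict:
    """Constructed invocation in the shape Config uses for custom rules (assumed IDs)."""
    item = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2016-03-01T15:27:11.000Z",
            "configuration": {"groupId": "sg-0123456789abcdef0", "ipPermissions": ip_permissions}}
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps({"blockedPorts": blocked}),
            "resultToken": "TESTMODE"}


if __name__ == "__main__":
    open_ssh = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]
    print(lambda_handler(sample_event(open_ssh))[0]["ComplianceType"])  # NON_COMPLIANT
```

Attach this handler to a Config rule with a configuration-change trigger scoped to AWS::EC2::SecurityGroup, and the "Security Analysis: am I safe?" question on the AWS Config slide becomes a continuously re-evaluated answer instead of a periodic audit.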
25. Three Key Takeaways
• Push responsibilities to native AWS capabilities where possible.
• Let application security requirements drive your implementation.
• Leverage AWS Partners and the AWS Marketplace to fill gaps.
We look after the security OF the cloud, and you look after your security IN the cloud.
There is a shared responsibility for accomplishing security and compliance objectives in the AWS cloud: some elements AWS takes responsibility for, and others the customer must address. The outcome of this collaborative approach is the positive results seen by customers around the world.
Who made the API call?
When was the API call made?
What was the API call?
Which resources were acted upon in the API call?
Where was the API call made from and made to?
Stored durably in S3
Discuss ways to consume CloudTrail logs (Console, CLI, Splunk, SumoLogic, AlertLogic, Loggly, DataDog, etc.)
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Use Cases:
Security analysis: Am I safe?
Audit compliance: Where is the evidence?
Change management: What will this change affect?
Troubleshooting: What has changed?
Discovery: What resources exist?
Discuss the Four Pillars of being Well-Architected and how Trusted Advisor helps you with this.
These are the reasons most of our customers use AWS.
Give some examples of the checks in at least two pillars.