As your AWS deployment grows, so does the need to evolve your ability to stay on top of resource utilization, configuration, user access, and ever increasing choices in services and cost reduction opportunities.
In this webinar, you’ll learn from two seasoned veterans how to identify and address potential security misconfigurations and how to optimize AWS resource selection and utilization. For example, you’ll see how customers are saving time and money by using CloudCheckr to automatically check for things like open permissions on Amazon S3 storage buckets, or misconfigured Auto Scaling groups.
What you'll learn:
-How to locate and eliminate the most common misconfigurations customers tend to make with AWS
-How to create an automated process to keep your environment hardened and safe using CloudCheckr
3. Webinar Overview
Submit Your Questions using the Q&A tool.
A copy of today’s presentation will be made available on:
AWS SlideShare Channel@ http://www.slideshare.net/AmazonWebServices/
AWS Webinar Channel on YouTube@ http://www.youtube.com/channel/UCT-
nPlVzJI-ccQXlxjSvJmw
4. Intro to Amazon Web Services security and pricing models
Common security and resource configuration issues that can have a
financial impact
How to use CloudCheckr to create an automated process to keep
your environment safe and cost efficient
Q&A
What We’ll Cover
5. Security on AWS
Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer (EC2)
Hardened service endpoints
Rich IAM capabilities
+
Customers
A Shared Responsibility Model
Security experts are a scarce resource
Refocus security pros on a subset of the problem
Network configuration
Security groups
OS firewalls
Operating systems
Application security
Service configuration
AuthN & acct management
Authorization policies
6. Pricing on AWS
On-Demand
Pay for compute capacity by the
hour with no long-term
commitments
For spiky workloads,
or to define needs
Reserved
Make a low, one-time payment
and receive a significant
discount on the hourly charge
For committed utilization
7. Common Issues
$
S3 Policies
IAM Management
Incorrect Health Checks
Under-utilized Resources
Snapshot Management
Unexpected Transfer
Unwanted Resources
Empty Instance Cost
Wasted Capital
Potential Data Loss
8. Security, Utilization, and Cost Optimization
Best Practices for AWS
Aaron C. Newman
Founder, CloudCheckr
Aaron.Newman@CloudCheckr.com
9. Examples of Best Practices for IAM
• Enabled IAM Password Policies
• Rotate your IAM access keys every 90 days
• Use Multi-factor Authentication
• Use IAM groups
• Don’t grant permissions to users
• Setup an Administrators group
See “Top Ten IAM Best Practices” at http://aws.amazon.com/iam/
10. Examples of Best Practices for S3
• NEVER allow Upload/Delete permissions
open to Everyone
• Enable logging on your S3 buckets
• Review Open List permissions for sensitive
files
See “Best Practices for Using Amazon S3”
at http://aws.amazon.com/articles/1904/
11. Best Practices for Resource Utilization
• Locate and eliminate idle resources
• Right-size resources
• Don’t under or over-utilize
• Use Auto Scaling Groups
Check on ALL your resources:
EC2, EBS, ELBs, RDS, DynamoDB, ElastiCache, etc…
12. Best Practices: Monitoring Activity/Errors
• Use CloudTrail
• Make sure it’s setup and running
• Monitoring for Unauthorized Access Attempts
• Check for access from new/unauthorized users or locations
• Proactively Look for Errors in Logs
• Check sources like EC2 console output, CloudWatch, event
logs, status errors from the API
13. Why use CloudCheckr for Best Practices?
• Best practice engine provides deep knowledge
• 250+ checks across ALL the AWS Services
• To find all the issues, not just some of them
• Configurable to your environment
• For instance, how much is “idle”, what is “too many ELB HTTP
errors”
• Runs on a regular basis
• Nightly so you know in a timely fashion when something needs
your attention
• Pushes Notifications To You
• Alerted by email, so you don’t have to go looking for problems
14. Why use CloudCheckr for Best Practices?
• Capability to ignore/suppress
• Some things are ok in your environment
• Manage in a single view across all your accounts
• The larger the environment, the more complexity, the hard to track down
problems
• Monitor by tags
• Setup tags to include or exclude tags you choose
• Drilldown on problems
• Telling me I have a problem is not enough. Give me lots of details.
15. Thank You for Attending
Sign up today for free evaluation
at http://cloudcheckr.com
Aaron Newman is the Founder
of CloudCheckr (www.cloudcheckr.com)
Please contact me with additional questions at:
aaron.newman@cloudcheckr.com
17. We’d like your feedback.
Please complete a short survey.
https://aws.asia.qualtrics.com/SE/?SID=SV_7
3zanj7xx4dY4wR
Click the link in your Chat Box