Cloud computing offers many advantages, such as the ability to scale your web applications or website on demand. But how do you scale your security and compliance infrastructure along with the business? Join this session to understand best practices for scaling your security resources as you grow from zero to millions of users. Specifically, you learn the following:
How to scale your security and compliance infrastructure to keep up with a rapidly expanding threat base.
The security implications of scaling for numbers of users and numbers of applications, and how to satisfy both needs.
How agile development with integrated security testing and validation leads to a secure environment.
Best practices and design patterns of a continuous delivery pipeline and the appropriate security-focused testing for each.
The necessity of treating your security as code, just as you would do with infrastructure.
The services covered in this session include AWS IAM, Auto Scaling, Amazon Inspector, AWS WAF, and Amazon Cognito.
2. What to expect from the session
• Scale your security and compliance infrastructure
• Agile development with integrated security testing and validation
• Treating your security as code
3. How do you scale your security resources?
[Diagram: security resources scaling alongside workload and customers]
8. Security resources must scale to keep pace with the business.
[Diagram: service icons for AWS CloudTrail, Amazon Inspector, Amazon VPC, AWS WAF, AWS IAM, AWS Key Management Service, server-side encryption, and the Encryption SDK]
19. Adding a New Feature
Sharing photos with other Cats
[App mockup: WhatsCat™ with "LOL cats »" and "Cat photos »" menu items]
20. Resiliency
[Diagram: Amazon Route 53 in front of Elastic Load Balancing; web instances in two Availability Zones; Amazon RDS DB instance active in one zone and standby in the other (Multi-AZ)]
21. Auto Scaling
Configure Auto Scaling to scale to handle increased traffic
[Diagram: the same multi-AZ architecture as the previous slide: Amazon Route 53, Elastic Load Balancing, web instances and Amazon RDS DB instances active/standby (Multi-AZ) in two Availability Zones]
22. Data Protection
[Diagram: the same multi-AZ architecture as the previous slides, with AWS KMS and Amazon S3 added]
35. Adding a New Feature
Simple social media application for Cats
[App mockup: WhatsCat™ with "LOL cats »", "Cat photos »", and "Cats near me (4) »" menu items]
36. Security Infrastructure as Code
Manage security infrastructure just like your business workloads
Strong change management process (AWS CodeCommit)
38. Security Infrastructure as Code
• IAM stack: IAM configuration with custom policies, groups, and roles
• Infrastructure stack: VPC, security groups, network ACL, and NAT gateway configuration
• Logging stack: AWS CloudTrail, Amazon S3 buckets and bucket policies for logging and archive data, and Amazon CloudWatch alarms for security-related CloudTrail events
39. Why Security Infrastructure as Code?
• Assurance and visibility
• Traceability and change management
• Knowledge management
• Version and source control
40. Security CI/CD Pipeline
• Integrates and delivers your workloads
• Is your most sensitive security workload
[Diagram: App Code, Infrastructure Code, and Security Code flow through the Security CI/CD Pipeline to a Product Release]
41. Security of the CI/CD pipeline
Securing the application starts with securing the pipeline
• Least privilege access
• Logging and monitoring of the pipeline
[Diagram: AWS IAM, AWS CloudTrail, and Amazon CloudWatch around the Security CI/CD Pipeline]
42. Security in the CI/CD pipeline
Integrated security testing and validation
• Security unit test
• Vulnerability management
[Diagram: Amazon Inspector and Security and Compliance Unit Tests feeding the Security CI/CD Pipeline]
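As an added example (not material from the session), a security unit test of the kind slide 42 calls for, run against the security-group and IAM resources that slide 38 places in the infrastructure and IAM stacks: it parses a CloudFormation-style template and fails the build when a security group exposes an administrative port to the whole Internet or an IAM policy allows every action on every resource. The template, resource names and port list are constructed for illustration.

```python
import json

ADMIN_PORTS = {22, 3389}               # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}       # CIDRs meaning "the whole Internet"

# Constructed CloudFormation-style sample: weak resources beside compliant ones.
TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "LogPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                       "Resource": "arn:aws:s3:::example-log-bucket/*"}]}}}}})

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _resources(template_json, *types):
    return [(n, r) for n, r in json.loads(template_json)["Resources"].items()
            if r.get("Type") in types]
def open_admin_ports(template_json):
    """Security groups whose ingress exposes an admin port to the whole Internet."""
    findings = []
    for name, res in _resources(template_json, "AWS::EC2::SecurityGroup"):
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            covers = lo == -1 or any(lo <= p <= hi for p in ADMIN_PORTS)  # -1: all ports
            if cidr in ANYWHERE and covers:
                findings.append(name)
                break
    return findings
def wildcard_policies(template_json):
    """IAM policies with an Allow statement for Action '*' on Resource '*'."""
    findings = []
    for name, res in _resources(template_json, "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
        for st in _as_list(res["Properties"]["PolicyDocument"]["Statement"]):
            if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", []))
                    and "*" in _as_list(st.get("Resource", []))):
                findings.append(name)
                break
    return findings
def security_unit_test(template_json):
    """Pipeline gate: (passed, findings); a failing result should fail the build."""
    findings = ([f"{n}: admin port open to the Internet" for n in open_admin_ports(template_json)]
                + [f"{n}: wildcard Allow on all resources" for n in wildcard_policies(template_json)])
    return (not findings, findings)
```

Run as a test step in the pipeline, a result of `passed == False` stops the infrastructure stack from deploying, so the weak resources never reach an account.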
43. AMI Lifecycle Management
[Diagram: Public AMI → launch EC2 instance → configure instance (hardening and configuration, user administration, operating system) → hardened instance → bake AMI → Golden AMI → launch running instances → decommission. AWS Config and AWS Lambda automate AMI baking; Amazon Inspector appears at three points in the flow]
45. Adding a New Feature
Buy Cat Food feature
[App mockup: WhatsCat™ with "LOL cats »", "Cat photos »", "Cats near me (4) »" menu items and a "Buy Cat Food!" button]
46. Encrypting Customer Data
[Diagram: Amazon Route 53, Elastic Load Balancing, the application, DynamoDB, and AWS KMS]
• Encrypt using the client-side library for DynamoDB (available on GitHub)
• Encrypt data in your application using the AWS Encryption SDK
51. Security Incident Response Simulation
• Assess current incident response processes and procedures
• Test the cloud incident response process via a simulated exercise
52. A security practitioner's job is to answer tough questions
Automate the way security practitioners answer these questions
[App mockup: WhatsCat™]
55. Related sessions
• ARC201 - Scaling Up to Your First 10 Million Users
• SEC313 - Automating Security Event Response, from Idea to Code to Execution
• SAC312 - Architecting for End-to-End Security in the Enterprise
• DEV302 - Automated Governance of Your AWS Resources