© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Tom Whateley
Solution Architect, Amazon Web Services
AWS Security for
Technical Decision Makers
AWS Security Solutions

Identity
• AWS Identity & Access Management (IAM)
• AWS Organizations
• AWS Cognito
• AWS Directory Service
• AWS Secrets Manager
• AWS Single Sign-On

Detective control
• AWS CloudTrail
• AWS Config
• Amazon CloudWatch
• Amazon GuardDuty
• VPC Flow Logs

Infrastructure security
• AWS Systems Manager
• AWS Shield
• AWS WAF – Web application firewall
• AWS Firewall Manager
• Amazon Inspector
• Amazon Virtual Private Cloud (VPC)

Incident response
• AWS Config Rules
• AWS Lambda

Data protection
• AWS Key Management Service (KMS)
• AWS CloudHSM
• Amazon Macie
• AWS Certificate Manager
• Server-Side Encryption
Detective control
Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.

AWS CloudTrail: Enable governance, compliance, and operational/risk auditing of your AWS account
AWS Config: Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting
Amazon CloudWatch: Monitor AWS Cloud resources and your applications on AWS to collect metrics, monitor log files, set alarms, and automatically react to changes
Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
VPC Flow Logs: Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs
AWS CloudTrail
What is AWS CloudTrail?
AWS CloudTrail logs API activity for supported services in an AWS account
Example API events that are logged:
• iam:CreateUser
• s3:ListBucket
CloudTrail is enabled by default on all AWS accounts (as of August 2017)
• Event history of create, modify, and delete operations for last seven days
• Viewable, searchable, and downloadable
To access CloudTrail log files directly or for a longer time period, create a trail
AWS CloudTrail log files
Gzipped JSON files delivered to a user-defined Amazon S3 bucket, each containing records for one or more API events
Each CloudTrail log file covers an approximately five-minute time window
Log files are encrypted by default
• Default is server-side encryption with Amazon S3-managed encryption keys (SSE-S3)
• Can configure encryption using AWS Key Management Service (AWS KMS)-managed keys (SSE-KMS)
Optional log file integrity validation using a signed digest file containing log-file hashes
• Digest file contains hashes for the previous one hour's worth of log files
Log files can stay in the S3 bucket for as long as you like
• Indefinitely by default
• Can use S3 bucket lifecycle policies to configure retention
AWS CloudTrail events
Each record in a CloudTrail log file represents a single event
All records contain some common fields:
• Time stamp
• Region
• Event name (i.e., the API call)
• Event source (i.e., the service)
• Source IP address
• User identity
Event-specific request and response parameters may also be included for some events
What do CloudTrail logs look like?
{
  "Records": [{
    "eventVersion": "1.0",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "EX_PRINCIPAL_ID",
      "arn": "arn:aws:iam::123456789012:user/Alice",
      "accountId": "123456789012",
      "accessKeyId": "EXAMPLE_KEY_ID",
      "userName": "Alice"
    },
    "eventTime": "2017-11-29T11:29:42Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateUser",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.168.0.1",
    "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
    "requestParameters": {"userName": "Bob"},
    "responseElements": {
      "user": {
        "createDate": "Nov 29, 2017 11:29:42 AM",
        "userName": "Bob",
        "arn": "arn:aws:iam::123456789012:user/Bob",
        "path": "/",
        "userId": "EXAMPLEUSERID"
      }
    }
  }]
}
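Added example, not from the slides: a Python reader for delivered CloudTrail log files that decompresses the gzipped JSON, pulls out the common fields listed above from each record and flags the IAM changes a reviewer should look at first, rated higher when they come from an address outside the usual administrative range. The sample records (modelled on the CreateUser event above), the set of sensitive event names and the trusted address prefix are constructed for the example.

```python
import gzip
import io
import json
from collections import Counter

# Constructed sample: the content of one CloudTrail log file as delivered to S3 (a gzipped
# JSON object with a top-level "Records" array). The first record mirrors the slide's
# CreateUser event; the other two are constructed for the example.
SAMPLE_RECORDS = {"Records": [
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID",
                      "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accountId": "123456789012", "userName": "Alice"},
     "eventTime": "2017-11-29T11:29:42Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.168.0.1",
     "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
     "requestParameters": {"userName": "Bob"}},
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID_2",
                      "arn": "arn:aws:iam::123456789012:user/Bob",
                      "accountId": "123456789012", "userName": "Bob"},
     "eventTime": "2017-11-29T11:31:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
     "requestParameters": {"userName": "Bob"}},
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID",
                      "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accountId": "123456789012", "userName": "Alice"},
     "eventTime": "2017-11-29T11:32:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.168.0.1",
     "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
     "requestParameters": {"bucketName": "example-bucket"}},
]}

# IAM calls that create a principal or extend its access: review every one of them.
# (Constructed list for the example; extend it to match your own review policy.)
SENSITIVE_IAM_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                        "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}

# Address prefixes administration normally comes from (constructed for the example).
TRUSTED_ADMIN_PREFIXES = ("192.168.",)


def gzip_log_file(records: dict) -> bytes:
    """Produce the gzipped JSON object CloudTrail delivers to the S3 bucket."""
    return gzip.compress(json.dumps(records).encode("utf-8"))


def read_log_file(blob: bytes) -> list:
    """Decompress one delivered log file and return its list of event records."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        return json.load(fh)["Records"]


def common_fields(record: dict) -> dict:
    """Pull out the fields every record carries (the slide's common set)."""
    ident = record.get("userIdentity", {})
    return {"time": record["eventTime"],
            "region": record["awsRegion"],
            "event_name": record["eventName"],
            "event_source": record["eventSource"],
            "source_ip": record["sourceIPAddress"],
            "principal": ident.get("arn") or ident.get("principalId") or ident.get("type")}


def review_records(records: list) -> list:
    """Findings for sensitive IAM changes, rated high when made from an untrusted address."""
    findings = []
    for rec in records:
        f = common_fields(rec)
        if f["event_source"] != "iam.amazonaws.com" or f["event_name"] not in SENSITIVE_IAM_EVENTS:
            continue
        trusted = f["source_ip"].startswith(TRUSTED_ADMIN_PREFIXES)
        findings.append({**f,
                         "target_user": rec.get("requestParameters", {}).get("userName"),
                         "severity": "low" if trusted else "high"})
    return findings


def events_per_principal(records: list) -> Counter:
    """API calls per principal, the first pivot an analyst makes over a trail."""
    return Counter(common_fields(r)["principal"] for r in records)


if __name__ == "__main__":
    recs = read_log_file(gzip_log_file(SAMPLE_RECORDS))
    for finding in review_records(recs):
        print(finding)
    print(events_per_principal(recs))
```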
Amazon VPC Flow Logs
What is Amazon VPC Flow Logs?
• Stores logs in AWS CloudWatch Logs
• Can be enabled on
  • Amazon VPC, a subnet, or a network interface
  • Enabling on a VPC or subnet enables logging for all interfaces in the VPC/subnet
  • Each network interface has a unique log stream
• Flow logs do not capture real-time log streams for your network interfaces
• Filter the captured result based on need
  • All, Reject, Accept
  • Troubleshooting, or security related with alerting needs?
  • Think before enabling All on a VPC: will you use it?
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Each flow log record contains: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, accept or reject
VPC Flow Logs
• Amazon Elasticsearch Service
• Amazon CloudWatch Logs subscriptions
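Added example, not from the slides: a Python parser for the default (version 2) flow log record format, which carries exactly the fields listed above, followed by two metrics an analyst would derive from the parsed records and alarm on: the distinct destination ports each source was rejected on (one source rejected across many ports is the shape of a port sweep against the interface) and accepted bytes per interface as a volume baseline. The log lines, the account and interface IDs and the addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in the default (version 2) flow log record format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.1.10 49152 443 6 12 4800 1511954000 1511954060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51000 22 6 1 60 1511954000 1511954060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51001 23 6 1 60 1511954001 1511954061 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51002 3389 6 1 60 1511954002 1511954062 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51003 445 6 1 60 1511954003 1511954063 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51004 8080 6 1 60 1511954004 1511954064 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.1.10 49153 22 6 1 60 1511954010 1511954070 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1511954020 1511954080 - NODATA
"""


@dataclass
class FlowRecord:
    """One flow log record: the fields the slide lists, plus the log-status column."""
    account_id: str
    interface_id: str
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str
    log_status: str


def parse_flow_log(text: str) -> list:
    """Parse default-format lines; NODATA/SKIPDATA lines carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 14 or parts[0] != "2":
            continue  # not a version-2 default-format record
        if parts[13] != "OK":
            continue  # no traffic in this interval, or records were skipped by the service
        records.append(FlowRecord(
            account_id=parts[1], interface_id=parts[2],
            src_addr=parts[3], dst_addr=parts[4],
            src_port=int(parts[5]), dst_port=int(parts[6]), protocol=int(parts[7]),
            packets=int(parts[8]), bytes=int(parts[9]),
            start=int(parts[10]), end=int(parts[11]),
            action=parts[12], log_status=parts[13]))
    return records


def rejected_ports_by_source(records: list) -> dict:
    """Distinct destination ports each source was REJECTed on: the metric to alarm on."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.src_addr].add(r.dst_port)
    return {src: sorted(p) for src, p in ports.items()}


def scan_suspects(records: list, min_ports: int = 5) -> list:
    """Sources rejected on at least min_ports distinct ports, sorted for stable alerting."""
    return sorted(src for src, p in rejected_ports_by_source(records).items()
                  if len(p) >= min_ports)


def bytes_per_interface(records: list) -> dict:
    """Accepted bytes per ENI, a baseline for the 'unusual traffic volume' kind of alert."""
    totals = defaultdict(int)
    for r in records:
        if r.action == "ACCEPT":
            totals[r.interface_id] += r.bytes
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(rejected_ports_by_source(recs))
    print("sweep suspects:", scan_suspects(recs))
    print(bytes_per_interface(recs))
```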
Amazon GuardDuty
What is Amazon GuardDuty?
• A threat detection service re-imagined for the cloud
• Continuously monitors and protects AWS accounts, along with the
applications and services running within them
• Detects known and unknown threats (Zero-Days)
• Makes use of artificial intelligence and machine learning
• Integrated threat intelligence
• Operates on CloudTrail, VPC Flow Logs & DNS
• Detailed & Actionable Findings
Detecting Known Threats
Threat intelligence
• GuardDuty consumes feeds from various sources
• AWS Security
• Commercial feeds
• Open source feeds
• Customer provided threat intel (STIX)
• Known malware infected hosts
• Anonymizing proxies
• Sites hosting malware & hacker tools
• Crypto-currency mining pools and wallets
• Great catch-all for suspicious & malicious activity
Detecting Unknown Threats
Anomaly detection
• Algorithms to detect unusual behavior
• Inspecting signal patterns for signatures
• Profiling normal and looking at deviations
• Machine learning classifiers
• Larger R&D effort
• Highly skilled data scientists to study data
• Develop theoretical detection models
• Experiment with implementations
• Testing, tuning, and validation
What can Amazon GuardDuty detect?
Example findings:
• Unusual Ports
• DNS Exfiltration
• RDP Brute Force
• Temp credentials used off-instance
• Unusual Instance Launch
• Malicious or Suspicious IP
• Unusual Traffic Volume
• Connect to Blacklisted Site
• Recon
• Anonymizing Proxy
• Unusual ISP Caller
• Bitcoin Activity
Example attack scenarios:
• Attempt to compromise account
• Probe API with temp creds
• RDP Brute Force
• Exfiltrate temp IAM creds over DNS
• RAT installed
AWS Config & Config Rules
A continuous recording and continuous assessment service.
Changing resources → AWS Config → Config Rules
Outputs: History, Snapshot, Notifications, API Access, Normalized
Answer the questions:
• How are my resources configured over time?
• Is a change that just occurred to a resource compliant?
Configuration Item
Definition: All configuration attributes for a given resource at a given point in time, captured on every configuration change
Configuration Item components

Metadata
  Description: Information about this configuration item
  Contains: Version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5Hash, etc.

Common Attributes
  Description: Resource attributes
  Contains: Resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc.

Relationships
  Description: How the resource is related to other resources associated with the account
  Contains: For example, EBS volume vol-1234567 is attached to an EC2 instance i-a1b2c3d4

Current Configuration
  Description: Information returned through a call to the Describe or List API of the resource
  Contains: For example, for an EBS volume: state of the DeleteOnTermination flag, type of volume (for example gp2, io1, or standard)

Related Events
  Description: The AWS CloudTrail events that are related to the current configuration of the resource
  Contains: AWS CloudTrail event ID
Sample Configuration Item (Configuration section)
"configuration": {
  "volumeId": "vol-ce676ccc",
  "size": 1,
  "snapshotId": "",
  "availabilityZone": "us-west-2b",
  "state": "in-use",
  "createTime": "2014-02-……",
  "attachments": [
    {
      "volumeId": "vol-ce676ccc",
      "instanceId": "i-344c463d",
      "device": "/dev/sdf",
      "state": "attached",
      "attachTime": "2014-03-",
      "deleteOnTermination": false
    }
  ],
  "tags": [
    {
      "tagName": "environment",
      "tagValue": "PROD"
    }
  ]
}
Sample Configuration Item (Metadata, Common Attributes, Relationships and Related Events sections)
"configurationItemVersion": "1.0",
"configurationItemCaptureTime": "2014…",
"configurationStateID": "….",
"configurationItemStatus": "OK",
"resourceId": "vol-ce676ccc",
"arn": "arn:aws:us-west-………",
"accountId": "12345678910",
"availabilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02..",
"tags": {},
"relationships": [
  {
    "resourceId": "i-344c463d",
    "resourceType": "AWS::EC2::Instance",
    "name": "Attached to Instance"
  }
],
"relatedEvents": [
  "06c12a39-eb35-11de-ae07-db69edbb1e4"
],
Config Rule
A rule that checks the validity of configurations recorded
• AWS managed rules
  Defined by AWS
  Require minimal (or no) configuration
  Rules are managed by AWS
• Customer managed rules
  Authored by you using AWS Lambda
  Rules execute in your account
  You maintain the rule
Config Rules—Triggers
• Triggered by changes: rules invoked when relevant resources change
Scoped by changes to:
• Tag key/value
• Resource types
• Specific resource ID
For example, S3 Buckets with names containing “-private-” should never allow public read access
• Triggered periodically: rules invoked at specified frequency
For example, account should have no long-running EC2 instances tagged “bastion”; every 3 hours
Evaluations
The result of evaluating a Config rule against a resource
• Report evaluation of {Rule, ResourceType, ResourceID} directly from the rule itself
Config Rules—Example
var AWS = require('aws-sdk');
var config = new AWS.ConfigService();

// An instance is compliant only if it was launched from one of the two approved AMIs
// passed in as rule parameters
function evaluateCompliance(configurationItem, ruleParameters) {
    if ((configurationItem.configuration.imageId === ruleParameters.approvedImage1) ||
        (configurationItem.configuration.imageId === ruleParameters.approvedImage2))
        return 'COMPLIANT';
    else return 'NON_COMPLIANT';
}

exports.handler = function(event, context) {
    var invokingEvent = JSON.parse(event.invokingEvent);   // carries the configuration item
    var ruleParameters = JSON.parse(event.ruleParameters);
    var compliance = evaluateCompliance(invokingEvent.configurationItem, ruleParameters);
    var putEvaluationsRequest = {
        Evaluations: [{
            ComplianceResourceType: invokingEvent.configurationItem.resourceType,
            ComplianceResourceId: invokingEvent.configurationItem.resourceId,
            ComplianceType: compliance,
            OrderingTimestamp: invokingEvent.configurationItem.configurationItemCaptureTime
        }],
        ResultToken: event.resultToken   // ties this evaluation to the invoking rule run
    };
    // Report the evaluation back to AWS Config
    config.putEvaluations(putEvaluationsRequest, function (err, data) {
        if (err) context.fail(err);
        else context.succeed(data);
    });
};
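Added example, not from the slides: the periodic-trigger rule mentioned earlier ("account should have no long-running EC2 instances tagged bastion") evaluated in Python against constructed configuration items shaped like the sample item above, producing evaluations in the same {ResourceType, ResourceId, ComplianceType} form the Node.js handler reports. A deployed rule would fetch the instances through the Config API and send the result with putEvaluations; the maxUptimeHours rule parameter, the instance IDs, the fixed clock and the launchTime/state fields as used here are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible (assumption for the example).
NOW = datetime(2018, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed configuration items, shaped like the sample item on the earlier slides
# (resourceType, resourceId, tags, configuration, capture time). A real periodic rule
# would fetch these through the Config API; here they are inline.
SAMPLE_ITEMS = [
    {   # bastion running for 30 hours: should be flagged
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-0bastion001",
        "configurationItemCaptureTime": "2018-03-01T11:55:00.000Z",
        "tags": {"Name": "bastion"},
        "configuration": {"state": {"name": "running"},
                          "launchTime": "2018-02-28T06:00:00.000Z"}},
    {   # bastion running for 2 hours: within the limit
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-0bastion002",
        "configurationItemCaptureTime": "2018-03-01T11:55:00.000Z",
        "tags": {"Name": "bastion"},
        "configuration": {"state": {"name": "running"},
                          "launchTime": "2018-03-01T10:00:00.000Z"}},
    {   # stopped bastion: not running, so not long-running
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-0bastion003",
        "configurationItemCaptureTime": "2018-03-01T11:55:00.000Z",
        "tags": {"Name": "bastion"},
        "configuration": {"state": {"name": "stopped"},
                          "launchTime": "2018-01-01T00:00:00.000Z"}},
    {   # not a bastion: reported as NOT_APPLICABLE so Config shows it was considered
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-0web0001",
        "configurationItemCaptureTime": "2018-03-01T11:55:00.000Z",
        "tags": {"Name": "web"},
        "configuration": {"state": {"name": "running"},
                          "launchTime": "2018-01-10T00:00:00.000Z"}},
    {   # a different resource type: the rule ignores it entirely
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-ce676ccc",
        "configurationItemCaptureTime": "2018-03-01T11:55:00.000Z",
        "tags": {}, "configuration": {"state": "in-use"}},
]


def _timestamp(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in configuration items."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def is_bastion(item: dict) -> bool:
    """The rule's scope: any tag value equal to 'bastion' (case-insensitive)."""
    return any(str(v).lower() == "bastion" for v in item.get("tags", {}).values())


def evaluate_item(item: dict, max_hours: int, now: datetime) -> dict:
    """One evaluation in the shape the rule reports back to AWS Config."""
    cfg = item["configuration"]
    if not is_bastion(item):
        compliance = "NOT_APPLICABLE"
    elif cfg["state"]["name"] != "running":
        compliance = "COMPLIANT"
    else:
        uptime = now - _timestamp(cfg["launchTime"])
        compliance = "NON_COMPLIANT" if uptime > timedelta(hours=max_hours) else "COMPLIANT"
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def evaluate_periodic(items: list, rule_parameters: dict, now: datetime) -> list:
    """Evaluate every EC2 instance; maxUptimeHours is a hypothetical rule parameter."""
    max_hours = int(rule_parameters.get("maxUptimeHours", 24))
    return [evaluate_item(item, max_hours, now)
            for item in items if item["resourceType"] == "AWS::EC2::Instance"]


if __name__ == "__main__":
    for evaluation in evaluate_periodic(SAMPLE_ITEMS, {"maxUptimeHours": "24"}, NOW):
        print(evaluation)
```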
Thank you

Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS Security for Technical Decision Makers

  • 1. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
    Tom Whateley, Solution Architect, Amazon Web Services
    AWS Security for Technical Decision Makers
  • 2. AWS Security Solutions
    Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Secrets Manager, AWS Single Sign-On
    Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
    Infrastructure security: AWS Systems Manager, AWS Shield, AWS WAF – Web application firewall, AWS Firewall Manager, Amazon Inspector, Amazon Virtual Private Cloud (VPC)
    Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, Server-Side Encryption
    Incident response: AWS Config Rules, AWS Lambda
  • 3. Detective control
    Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
    AWS CloudTrail: Enable governance, compliance, and operational/risk auditing of your AWS account
    AWS Config: Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting
    Amazon CloudWatch: Monitor AWS Cloud resources and your applications on AWS to collect metrics, monitor log files, set alarms, and automatically react to changes
    Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
    VPC Flow Logs: Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs
  • 4. AWS CloudTrail
  • 5. What is AWS CloudTrail
    AWS CloudTrail logs activity for supported services to an AWS account
    Example API events that are logged:
    • iam:CreateUser
    • s3:ListBucket
    CloudTrail is enabled by default on all AWS accounts (as of August 2017)
    • Event history of create, modify, and delete operations for the last seven days
    • Viewable, searchable, and downloadable
    To access CloudTrail log files directly or for a longer time period, create a trail
  • 6. AWS CloudTrail log files
    Gzipped JSON files delivered to a user-defined Amazon S3 bucket, containing records for one or more API events
    Each CloudTrail log file covers an approximately five-minute time window
    Log files are encrypted by default
    • Default is server-side encryption with Amazon S3-managed encryption keys (SSE-S3)
    • Can configure encryption using AWS Key Management Service (AWS KMS)-managed keys (SSE-KMS)
    Optional log file integrity validation using a signed digest file containing log-file hashes
    • Digest file contains hashes for the previous one hour's worth of log files
    Log files can stay in the S3 bucket for as long as you like
    • Indefinitely by default
    • Can use S3 bucket lifecycle policies to configure retention
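The integrity validation on this slide rests on a chain of digest files. The following Python is an added example (not from the slides or from AWS) that models that chain in memory, following the digest layout AWS documents: each digest lists the SHA-256 hash of every log file from its hour plus the hash of the previous digest, so a validator can walk back through the chain and notice any file that was removed or changed. Assumptions: hashes are taken over the uncompressed file contents, the bucket keys and records are constructed, and the RSA signature CloudTrail also attaches to each digest is not checked.

```python
import gzip
import hashlib
import json

# Constructed stand-in for the trail's S3 bucket: object key -> gzipped bytes.
# Keys are placeholders; a real trail writes under AWSLogs/<account-id>/CloudTrail/.
BUCKET = {}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def put_log_file(key, records):
    """Store one gzipped CloudTrail log file holding the given records."""
    BUCKET[key] = gzip.compress(json.dumps({"Records": records}).encode())


def put_digest(key, log_keys, previous_digest_key):
    """Write a digest in the documented layout: one hash entry per log file of the
    hour, plus the hash of the previous digest so the chain can be walked backwards."""
    prev_hash = None
    if previous_digest_key:
        prev_hash = sha256_hex(gzip.decompress(BUCKET[previous_digest_key]))
    digest = {
        "digestS3Object": key,
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(gzip.decompress(BUCKET[k]))}
                     for k in log_keys],
        "previousDigestS3Object": previous_digest_key,
        "previousDigestHashAlgorithm": "SHA-256" if prev_hash else None,
        "previousDigestHashValue": prev_hash,
    }
    BUCKET[key] = gzip.compress(json.dumps(digest).encode())


def validate_chain(newest_digest_key):
    """Walk from the newest digest back to the first, re-hashing every referenced
    log file and every previous digest. Returns a list of (problem, key) tuples;
    an empty list means everything still matches what CloudTrail recorded."""
    problems = []
    key = newest_digest_key
    while key:
        digest = json.loads(gzip.decompress(BUCKET[key]))
        for entry in digest["logFiles"]:
            blob = BUCKET.get(entry["s3Object"])
            if blob is None:
                problems.append(("missing", entry["s3Object"]))
            elif sha256_hex(gzip.decompress(blob)) != entry["hashValue"]:
                problems.append(("modified", entry["s3Object"]))
        prev = digest["previousDigestS3Object"]
        if prev:
            if prev not in BUCKET:
                problems.append(("missing", prev))
                break
            if sha256_hex(gzip.decompress(BUCKET[prev])) != digest["previousDigestHashValue"]:
                problems.append(("modified", prev))
        key = prev
    return problems


def build_sample_bucket():
    """Two hours of constructed log files, each hour closed by a digest."""
    BUCKET.clear()
    put_log_file("logs/10/a.json.gz", [{"eventName": "CreateUser", "eventTime": "2017-11-29T10:05:00Z"}])
    put_log_file("logs/10/b.json.gz", [{"eventName": "ListBucket", "eventTime": "2017-11-29T10:40:00Z"}])
    put_digest("digests/10.json.gz", ["logs/10/a.json.gz", "logs/10/b.json.gz"], None)
    put_log_file("logs/11/c.json.gz", [{"eventName": "DeleteTrail", "eventTime": "2017-11-29T11:20:00Z"}])
    put_digest("digests/11.json.gz", ["logs/11/c.json.gz"], "digests/10.json.gz")
```

Running `build_sample_bucket()` and then `validate_chain("digests/11.json.gz")` returns an empty list; rewriting or deleting any stored log file or digest afterwards makes the same call report it.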
  • 7. AWS CloudTrail events
    Each record in a CloudTrail log file represents a single event
    All records contain some common fields:
    • Time stamp
    • Region
    • Event name (i.e., the API call)
    • Event source (i.e., the service)
    • Source IP address
    • User identity
    Event-specific request and response parameters may also be included for some events
  • 8. What do CloudTrail logs look like?
    {
      "Records": [{
        "eventVersion": "1.0",
        "userIdentity": {
          "type": "IAMUser",
          "principalId": "EX_PRINCIPAL_ID",
          "arn": "arn:aws:iam::123456789012:user/Alice",
          "accountId": "123456789012",
          "accessKeyId": "EXAMPLE_KEY_ID",
          "userName": "Alice"
        },
        "eventTime": "2017-11-29T11:29:42Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.168.0.1",
        "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
        "requestParameters": {"userName": "Bob"},
        "responseElements": {
          "user": {
            "createDate": "Nov 29, 2017 11:29:42 AM",
            "userName": "Bob",
            "arn": "arn:aws:iam::123456789012:user/Bob",
            "path": "/",
            "userId": "EXAMPLEUSERID"
          }
        }
      }]
    }
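The record layout above is what a detection script consumes. As an added example (not from the slides), the following Python reads a gzipped log file in that layout, extracts the common fields from slide 7, and flags privilege-changing IAM calls made from outside a trusted address range. The sample records, the trusted range 192.168.0.0/16 and the list of IAM event names are constructed for the example.

```python
import gzip
import io
import ipaddress
import json

# Constructed sample log file in the layout shown on the slide: a gzipped JSON
# document with a "Records" array. Account id, key ids and addresses are placeholders.
SAMPLE_RECORDS = {"Records": [
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID",
                      "userName": "Alice"},
     "eventTime": "2017-11-29T11:29:42Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.168.0.1", "requestParameters": {"userName": "Bob"}},
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Carol",
                      "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID2",
                      "userName": "Carol"},
     "eventTime": "2017-11-29T23:05:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"userName": "Carol"}},
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accountId": "123456789012", "userName": "Alice"},
     "eventTime": "2017-11-29T11:31:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.168.0.1"},
]}
SAMPLE_LOG_FILE = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())

# Constructed: address ranges from which IAM changes are expected to originate.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

# IAM calls that change who can act in the account; they deserve review whenever
# they come from outside the trusted ranges.
IAM_PRIVILEGE_EVENTS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                        "PutUserPolicy", "CreateLoginProfile"}


def load_log_file(blob):
    """Decompress one CloudTrail log file and return its list of event records."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        return json.load(fh)["Records"]


def summarize(record):
    """Extract the common fields that every record carries (slide 7)."""
    ident = record.get("userIdentity", {})
    return {"time": record["eventTime"], "region": record["awsRegion"],
            "event": record["eventName"], "source": record["eventSource"],
            "ip": record.get("sourceIPAddress", ""),
            "principal": ident.get("arn", ident.get("type", "unknown"))}


def is_trusted(ip_text):
    """True if the address lies inside a trusted range. CloudTrail records calls
    made by AWS services with a service name such as ec2.amazonaws.com in place
    of an IP address; this check treats those as trusted."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text.endswith(".amazonaws.com")
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_suspicious_iam_changes(records):
    """Summaries of privilege-changing IAM calls made from untrusted addresses."""
    return [summarize(r) for r in records
            if r["eventSource"] == "iam.amazonaws.com"
            and r["eventName"] in IAM_PRIVILEGE_EVENTS
            and not is_trusted(r.get("sourceIPAddress", ""))]
```

On the sample file, `find_suspicious_iam_changes(load_log_file(SAMPLE_LOG_FILE))` returns only Carol's CreateAccessKey call from 203.0.113.7; Alice's CreateUser from the trusted range and the S3 ListBucket call are left alone.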
  • 9. Amazon VPC Flow Logs
  • 10. What is Amazon VPC Flow Logs
    • Stores logs in AWS CloudWatch Logs
    • Can be enabled on
      • Amazon VPC, a subnet, or a network interface
      • Amazon VPC & Subnet enables logging for all interfaces in the VPC/subnet
      • Each network interface has a unique log stream
    • Flow logs do not capture real-time log streams for your network interfaces
    • Filter desired result based on need
      • All, Reject, Accept
      • Troubleshooting or security related with alerting needs?
      • Think before enabling All on a VPC: will you use it?
  • 11. VPC Flow Logs
    • Agentless
    • Enable per ENI, per subnet, or per VPC
    • Logged to AWS CloudWatch Logs
    • Create CloudWatch metrics from log data
    • Alarm on those metrics
    Fields captured: AWS account, Source IP, Destination IP, Source port, Destination port, Interface, Protocol, Packets, Bytes, Start/end time, Accept or reject
  • 12. VPC Flow Logs
    • Amazon Elasticsearch Service
    • Amazon CloudWatch Logs subscriptions
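Slide 11 lists the flow log fields and suggests building CloudWatch metrics from them and alarming on those metrics. As an added example (not from the slides or from AWS), the following Python parses default (version 2) flow log records in that field order, skips NODATA windows where the fields are "-", and derives a per-source metric, the number of distinct destination ports rejected within a time window, together with the threshold test an alarm would apply. The sample lines, account id, interface id and addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of a default (version 2) VPC flow log record: the fields slide 11 lists
# (account, interface, addresses, ports, protocol, packets, bytes, start/end, action).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action",
          "log_status"]

# Constructed sample records. The fourth line is a NODATA record: no traffic was
# seen in that window, so the per-flow fields are "-".
SAMPLE_LINES = [
    "2 123456789012 eni-abc123de 203.0.113.12 10.0.1.5 43217 22 6 3 180 1510000000 1510000060 REJECT OK",
    "2 123456789012 eni-abc123de 203.0.113.12 10.0.1.5 43218 3389 6 4 240 1510000000 1510000060 REJECT OK",
    "2 123456789012 eni-abc123de 10.0.1.7 10.0.1.5 51000 443 6 20 12000 1510000000 1510000060 ACCEPT OK",
    "2 123456789012 eni-abc123de - - - - - - - 1510000000 1510000060 - NODATA",
    "2 123456789012 eni-abc123de 203.0.113.12 10.0.1.5 43219 23 6 1 60 1510000000 1510000060 REJECT OK",
    "2 123456789012 eni-abc123de 198.51.100.4 10.0.1.5 40000 443 6 5 3000 1510000000 1510000060 ACCEPT OK",
    "2 123456789012 eni-abc123de 203.0.113.12 10.0.1.5 43220 8080 6 1 60 1510000060 1510000120 REJECT OK",
]


@dataclass
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: int
    byte_count: int
    start: int
    end: int
    action: str      # ACCEPT, REJECT, or "-" when nothing was captured
    log_status: str  # OK, NODATA, or SKIPDATA


def parse_flow_record(line):
    """Parse one flow log line; returns None for lines not in the version 2 layout."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    raw = dict(zip(FIELDS, parts))

    def num(value):
        return None if value == "-" else int(value)

    return FlowRecord(
        account_id=raw["account_id"], interface_id=raw["interface_id"],
        srcaddr=raw["srcaddr"], dstaddr=raw["dstaddr"],
        srcport=num(raw["srcport"]), dstport=num(raw["dstport"]),
        protocol=num(raw["protocol"]),
        packets=num(raw["packets"]) or 0, byte_count=num(raw["bytes"]) or 0,
        start=int(raw["start"]), end=int(raw["end"]),
        action=raw["action"], log_status=raw["log_status"])


def rejected_port_metric(lines, window_start, window_end):
    """Per source address, the number of distinct destination ports rejected
    within [window_start, window_end). A derived metric like this is what
    slide 11 suggests publishing to CloudWatch and alarming on."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec.log_status != "OK" or rec.action != "REJECT":
            continue
        if rec.start >= window_end or rec.end <= window_start:
            continue  # the record lies entirely outside the window
        ports[rec.srcaddr].add(rec.dstport)
    return {src: len(p) for src, p in ports.items()}


def sources_over_threshold(metric, threshold):
    """Alarm condition: sources whose rejected-port count reached the threshold."""
    return sorted(src for src, count in metric.items() if count >= threshold)
```

For the first sample window, `rejected_port_metric(SAMPLE_LINES, 1510000000, 1510000060)` yields `{"203.0.113.12": 3}`, so a threshold of 3 raises that source while the accepted 443 traffic from 10.0.1.7 and 198.51.100.4 never enters the metric.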
  • 13. Amazon GuardDuty
  • 14. What is Amazon GuardDuty?
    • A threat detection service re-imagined for the cloud
    • Continuously monitors and protects AWS accounts, along with the applications and services running within them
    • Detects known and unknown threats (Zero-Days)
    • Makes use of artificial intelligence and machine learning
    • Integrated threat intelligence
    • Operates on CloudTrail, VPC Flow Logs & DNS
    • Detailed & Actionable Findings
  • 15. Detecting Known Threats
    Threat intelligence
    • GuardDuty consumes feeds from various sources
      • AWS Security
      • Commercial feeds
      • Open source feeds
      • Customer provided threat intel (STIX)
    • Known malware infected hosts
    • Anonymizing proxies
    • Sites hosting malware & hacker tools
    • Crypto-currency mining pools and wallets
    • Great catch-all for suspicious & malicious activity
  • 16. Detecting Unknown Threats
    Anomaly detection
    • Algorithms to detect unusual behavior
      • Inspecting signal patterns for signatures
      • Profiling normal and looking at deviations
      • Machine learning classifiers
    • Larger R&D effort
      • Highly skilled data scientists to study data
      • Develop theoretical detection models
      • Experiment with implementations
      • Testing, tuning, and validation
  • 17. What can Amazon GuardDuty detect?
    • Unusual Ports
    • DNS Exfiltration
    • RDP Brute Force
    • Temp credentials used off-instance
    • Unusual Instance Launch
    • Malicious or Suspicious IP
    • Unusual Traffic Volume
    • Connect to Blacklisted Site
    • Recon
    • Anonymizing Proxy
    • Unusual ISP Caller
    • Bitcoin Activity
    • Attempt to compromise account
    • Probe API with temp creds
    • RDP Brute Force
    • Exfiltrate temp IAM creds over DNS
    • RAT installed
  • 18. AWS Config & Config Rules
  • 19. AWS Config & Config Rules
    A continuous recording and continuous assessment service.
    (Diagram: changing resources → AWS Config (normalized) → history, snapshot, notifications, API access; Config Rules)
    Answer the questions:
    • How are my resources configured over time?
    • Is a change that just occurred to a resource compliant?
  • 20. Configuration Item
    Definition: All configuration attributes for a given resource at a given point in time, captured on every configuration change
  • 21. Configuration Item
    Component | Description | Contains
    Metadata | Information about this configuration item | Version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5Hash, etc.
    Common Attributes | Resource attributes | Resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc.
    Relationships | How the resource is related to other resources associated with the account | EBS volume vol-1234567 is attached to an EC2 instance i-a1b2c3d4
    Current Configuration | Information returned through a call to the Describe or List API of the resource | For example, for an EBS volume: state of the DeleteOnTermination flag, type of volume (for example, gp2, io1, or standard)
    Related Events | The AWS CloudTrail events that are related to the current configuration of the resource | AWS CloudTrail event ID
  • 22. Sample Configuration Item – Configuration
    "configuration": {
      "volumeId": "vol-ce676ccc",
      "size": 1,
      "snapshotId": "",
      "availabilityZone": "us-west-2b",
      "state": "in-use",
      "createTime": "2014-02-……",
      "attachments": [
        {
          "volumeId": "vol-ce676ccc",
          "instanceId": "i-344c463d",
          "device": "/dev/sdf",
          "state": "attached",
          "attachTime": "2014-03-",
          "deleteOnTermination": false
        }
      ],
      "tags": [
        {
          "tagName": "environment",
          "tagValue": "PROD"
        }
      ]
    }
  • 23. Sample Configuration Item – Metadata, Common Attributes, Relationships, Related Events
    "configurationItemVersion": "1.0",
    "configurationItemCaptureTime": "2014…",
    "configurationStateID": "….",
    "configurationItemStatus": "OK",
    "resourceId": "vol-ce676ccc",
    "arn": "arn:aws:us-west-………",
    "accountId": "12345678910",
    "availabilityZone": "us-west-2b",
    "resourceType": "AWS::EC2::Volume",
    "resourceCreationTime": "2014-02..",
    "tags": {},
    "relationships": [
      {
        "resourceId": "i-344c463d",
        "resourceType": "AWS::EC2::Instance",
        "name": "Attached to Instance"
      }
    ],
    "relatedEvents": [
      "06c12a39-eb35-11de-ae07-db69edbb1e4"
    ],
  • 24. Config Rule
    A rule that checks the validity of configurations recorded
    • AWS managed rules
      • Defined by AWS
      • Require minimal (or no) configuration
      • Rules are managed by AWS
    • Customer managed rules
      • Authored by you using AWS Lambda
      • Rules execute in your account
      • You maintain the rule
  • 25. Config Rules—Triggers
    • Triggered by changes: rules invoked when relevant resources change
      Scoped by changes to:
      • Tag key/value
      • Resource types
      • Specific resource ID
      For example, S3 Buckets with names containing “-private-” should never allow public read access
    • Triggered periodically: rules invoked at a specified frequency
      For example, the account should have no long-running EC2 instances tagged “bastion”; checked every 3 hours
  • 26. Evaluations
    The result of evaluating a Config rule against a resource
    • Report evaluation of {Rule, ResourceType, ResourceID} directly from the rule itself
  • 27. Config Rules—Example
    var AWS = require('aws-sdk');
    var config = new AWS.ConfigService();

    // The rule is compliant when the instance was launched from one of two approved AMIs,
    // which the rule receives as its parameters.
    function evaluateCompliance(configurationItem, ruleParameters) {
      if ((configurationItem.configuration.imageId === ruleParameters.approvedImage1) ||
          (configurationItem.configuration.imageId === ruleParameters.approvedImage2))
        return 'COMPLIANT';
      else
        return 'NON_COMPLIANT';
    }

    exports.handler = function(event, context) {
      var invokingEvent = JSON.parse(event.invokingEvent);
      var ruleParameters = JSON.parse(event.ruleParameters);
      var compliance = evaluateCompliance(invokingEvent.configurationItem, ruleParameters);
      // Report the {Rule, ResourceType, ResourceID} evaluation back to AWS Config.
      var putEvaluationsRequest = {
        Evaluations: [{
          ComplianceResourceType: invokingEvent.configurationItem.resourceType,
          ComplianceResourceId: invokingEvent.configurationItem.resourceId,
          ComplianceType: compliance,
          OrderingTimestamp: invokingEvent.configurationItem.configurationItemCaptureTime
        }],
        ResultToken: event.resultToken
      };
      config.putEvaluations(putEvaluationsRequest, function (err, data) {
        if (err) context.fail(err);
        else context.succeed(data);
      });
    };