Journey through the Cloud: 
Security Best Practices on AWS 
Ian Massingham – Technical Evangelist 
@IanMmmm
Journey through the cloud 
Common use cases & stepping stones into the AWS cloud 
Learning from customer journeys 
Best practices to bootstrap your projects
Security Best Practices on AWS 
Architected to be one of the most flexible and secure cloud environments 
Removes many of the security headaches that come with infrastructure 
Ensures complete customer privacy and segregation 
Built in Security Features
Agenda 
Sharing the Security Responsibility 
Overview of AWS Security Features 
Best Practices 
Verifying our Security 
Useful Resources
Security is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
Validated by security experts
Collaboration on Enhancements
Every Customer Benefits
People & Procedures, Platform Security, Network Security, Physical Security
Sharing the Security Responsibility
Shared Security Model
• Shared Responsibility
– Let AWS do the heavy lifting
– Focus on your business
• Customer
– Choice of Guest OS
– Application Configuration Options
– Account Management flexibility
– Security Groups
– ACLs
– Identity Management
• AWS
– Facility operations
– Physical Security
– Physical Infrastructure
– Network Infrastructure
– Virtualization Infrastructure
– Hardware lifecycle management
Shared Security Model: Infrastructure Services 
Such as Amazon EC2, Amazon EBS, and Amazon VPC
Shared Security Model: Container Services 
Such as Amazon RDS and Amazon EMR
Shared Security Model: Abstracted Services 
Such as Amazon S3 and Amazon DynamoDB
AWS Security Features
SECURE ACCESS! API ENDPOINTS USE SSL!
BUILT IN FIREWALLS! YOU CONTROL ACCESS TO YOUR INSTANCES!
UNIQUE USERS! WITH SPECIFIC ACCESS LEVELS!
MULTI-FACTOR AUTHENTICATION! BUILT IN!
PRIVATE SUBNETS! WITHIN YOUR AWS VIRTUAL PRIVATE CLOUD!
ENCRYPTED DATA STORAGE! WITHIN YOUR AWS VIRTUAL PRIVATE CLOUD!
DEDICATED CONNECTION! AN OPTION WITH AWS DIRECT CONNECT!
SECURITY LOGS! AWS CLOUDTRAIL LOGS API ACTIVITY!
ISOLATED GOVCLOUD! FOR US GOVERNMENT USERS!
CLOUD HSM! A HIGHLY SECURE WAY TO STORE KEYS!
TRUSTED ADVISOR! YOUR CUSTOMISED CLOUD EXPERT!
Best Practices
1️⃣ Know the AWS Shared Responsibility Model
Build your systems using AWS as the foundation & architect an ISMS that takes advantage of AWS features.
[Diagram: shared responsibility model. You: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity). Amazon: Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Availability Zones, Regions, Edge Locations).]
2️⃣ Understand the AWS Secure Global Infrastructure
Regions, Availability Zones and Endpoints
Regions: An independent collection of AWS resources in a defined geography. A solid foundation for meeting location-dependent privacy and compliance requirements.
Availability Zones: Designed as independent failure zones. Physically separated within a typical metropolitan region.
2️⃣ Understand the AWS Secure Global Infrastructure
Using the IAM service
AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users.
Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources via credentials such as access keys, passwords and multi-factor authentication devices.
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
3️⃣ Define and Categorize Assets on AWS
Identify all the information assets that you need to protect.
4️⃣ Design Your ISMS to Protect Your Assets on AWS
Establish a standard for implementing, operating, monitoring, reviewing, maintaining & improving your information security management system.
Excerpt from Amazon Web Services – AWS Security Best Practices, November 2013 ("Design Your ISMS to Protect Your Assets on AWS"):
After you have determined assets, categories, and costs, establish a standard for implementing, operating, monitoring, reviewing, maintaining, and improving your information security management system (ISMS) on AWS. Security requirements differ in every organization, depending on the following factors:
• Business needs and objectives
• Processes employed
• Size and structure of the organization
All these factors can change over time, so it is a good practice to build a cyclical process for managing all of this information.
Table 2 suggests a phased approach to designing and building an ISMS in AWS. You might also find standard frameworks, such as ISO 27001, helpful with ISMS design and implementation.
Table 2: Phased approach to designing and building an ISMS in AWS (Phase – Title: Description)
1 – Define scope and boundaries: Define which regions, Availability Zones, instances and AWS resources are "in scope." If you exclude any component (for example, AWS manages facilities, so you can leave it out of your own management system), state explicitly what you have excluded and why.
2 – Define an ISMS policy: Include the following:
• Objectives that set the direction and principles for action regarding information security
• Legal, contractual, and regulatory requirements
• Risk management objectives for your organization
• How you will measure risk
• How management approves the plan
3 – Select a risk assessment methodology: Base the methodology on input from groups in your organization, and automate the assessment as much as possible. AWS risk automation can narrow down the scope of resources required for risk management. There are several risk assessment methodologies, including OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), ISO 31000:2009 Risk Management, ENISA (European Network and Information Security Agency), IRAM (Information Risk Analysis Methodology), and NIST (National Institute of Standards & Technology) Special Publication (SP) 800-30 rev.1 Risk Management Guide.
4 – Identify risks: We recommend that you create a risk register by mapping all your assets to threats, and then, based on the vulnerability assessment and impact analysis results, creating a new risk matrix for each AWS environment. Here's an example risk register:
• Assets
• Threats to those assets
• Vulnerabilities that could be exploited by those threats
• Consequences if those vulnerabilities are exploited
5 – Analyze and evaluate risks: Analyze and evaluate the risk by calculating business impact, likelihood and probability, and risk levels.
6 – Address risks: Select options for addressing risks. Options include applying security controls, accepting risks, avoiding risks, or transferring risks.
7 – Choose a security control framework: When you choose your security controls, use a framework, such as ISO 27002, NIST SP 800-53, COBIT (Control Objectives for Information and related Technology) and CSA-CCM (Cloud Security Alliance Cloud Control Matrix). These frameworks comprise a set of reusable best practices and will help you to choose relevant controls.
8 – Get management approval: Even after you have implemented all controls, there will be residual risk. We recommend that you get approval from your business management that acknowledges all residual risks, and approvals for implementing and operating the ISMS.
9 – Statement of applicability: Create a statement of applicability that includes the following information:
• Which controls you chose and why
• Which controls are in place
• Which controls you plan to put in place
5️⃣ Manage AWS Accounts, IAM Users, Groups & Roles
Operate under the principle of least privilege
AWS Account
Your AWS account represents a business relationship between you and AWS. AWS accounts have root permissions to all AWS resources and services, so they are very powerful.
IAM Users
With IAM you can create multiple users, each with individual security credentials, all controlled under a single AWS account.
IAM users can be a person, service, or application that needs access to your AWS resources through the management console, CLI, or directly via APIs.
5️⃣ Manage AWS Accounts, IAM Users, Groups & Roles
Strategies for using multiple AWS accounts (Business Requirement – Proposed Design: Comments)
Centralized security management – Single AWS Account: Centralize information security management and minimize overhead.
Separation of production, development & testing accounts – Three AWS Accounts: Create one AWS account for production services, one for development and one for testing.
Multiple autonomous departments – Multiple AWS Accounts: Create separate AWS accounts for each autonomous part of the organization. You can assign permissions and policies under each account.
Centralized security management with multiple autonomous independent projects – Multiple AWS Accounts: Create a single AWS account for common project resources (such as DNS services, Active Directory, CMS etc.). Then create separate AWS accounts per project. You can assign permissions and policies under each project account and grant access to resources across accounts.
5️⃣ Manage AWS Accounts, IAM Users, Groups & Roles
Delegation using IAM Roles and Temporary Security Credentials
Applications on Amazon EC2 that need to access AWS resources
Cross Account Access
Identity Federation
6️⃣ Manage OS-level Access to Amazon EC2 Instances
You own the credentials, but AWS helps you bootstrap initial access to the OS
Amazon EC2 Key Pairs
Used to authenticate SSH access to Linux instances and to generate the initial administrator password on Windows instances.
If you have higher security requirements, you are free to implement alternative authentication mechanisms and disable Amazon EC2 Key Pair authentication.
7️⃣ Secure Your Data
At rest & in transit
Resource Access Authorisation
Users or IAM Roles can only access resources after authentication.
Fine-grained resource policies can restrict users or permit users to access only the resources that you specify. For example, the following policy statement scopes each Amazon Cognito identity to its own object:

{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": ["arn:aws:s3:::myBucket/amazon/snakegame/${cognito-identity.amazonaws.com:sub}"]
}
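The following is an added example, not code from the deck or from AWS: a minimal evaluator for the statement above that substitutes the ${cognito-identity.amazonaws.com:sub} policy variable from the request context and then glob-matches action and resource, showing that one identity is confined to its own key. The identity values and the Version/Statement wrapper are constructed for the example; real IAM evaluation has many more rules (conditions, NotAction, resource policies) that this does not implement.

```python
"""Evaluate the per-identity S3 policy from the slide against sample requests.

Added example, not from the deck or from AWS. Covers only the subset of IAM
evaluation the slide's policy needs: Allow/Deny effects, '*' and '?' wildcards,
case-insensitive actions, case-sensitive resources, and ${...} policy variables.
"""
import fnmatch
import json
import re

# The policy statement from the slide, wrapped in a policy document.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::myBucket/amazon/snakegame/${cognito-identity.amazonaws.com:sub}"]
  }]
}
"""

_VAR = re.compile(r"\$\{([^}]+)\}")


def load_policy() -> dict:
    return json.loads(POLICY_JSON)


def substitute_variables(template: str, context: dict) -> str:
    """Replace ${key} policy variables with values from the request context.
    An unknown variable is left in place, so it can never match a real ARN:
    an unauthenticated request gets no access rather than a wildcard."""
    return _VAR.sub(lambda m: context.get(m.group(1), m.group(0)), template)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Return True if an Allow statement matches and no Deny statement does."""
    decision = False
    for stmt in policy["Statement"]:
        # Actions compare case-insensitively; resources compare exactly (after
        # variable substitution), with glob wildcards in the policy pattern.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, substitute_variables(r, context))
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False          # explicit Deny always wins
            decision = True
    return decision


def evaluate_samples() -> dict:
    """Run constructed requests from two federated identities through the policy."""
    policy = load_policy()
    alice = {"cognito-identity.amazonaws.com:sub": "us-east-1:alice-0001"}  # constructed id
    base = "arn:aws:s3:::myBucket/amazon/snakegame/"
    return {
        "alice_reads_own":  is_allowed(policy, "s3:GetObject", base + "us-east-1:alice-0001", alice),
        "alice_writes_own": is_allowed(policy, "s3:PutObject", base + "us-east-1:alice-0001", alice),
        "alice_reads_bob":  is_allowed(policy, "s3:GetObject", base + "us-east-1:bob-0002", alice),
        "alice_deletes":    is_allowed(policy, "s3:DeleteObject", base + "us-east-1:alice-0001", alice),
        "no_identity":      is_allowed(policy, "s3:GetObject", base + "us-east-1:alice-0001", {}),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_samples().items():
        print(f"{case:18s} -> {'ALLOW' if allowed else 'DENY'}")
```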
7️⃣ Secure Your Data
At rest & in transit
Storing and Managing Encryption Keys
We recommend you store your keys in tamper-proof storage, such as Hardware Security Modules. AWS CloudHSM is one option available to help you do this.
As an alternative, you can store keys on your premises and access these over secure links, such as AWS Direct Connect with IPsec or IPsec VPNs.
http://aws.amazon.com/cloudhsm/
7️⃣ Secure Your Data
At rest & in transit
Protecting Data at Rest
Options differ by AWS service.
Amazon S3 – Server-side encryption with Amazon S3 managed keys or your own encryption keys with Customer-Provided Keys (SSE-C)
Amazon EBS – use volume encryption provided by your operating system. For example, Windows EFS or Microsoft Windows BitLocker, Linux dm-crypt, TrueCrypt, SafeNet ProtectV
Amazon RDS – use database-specific cryptographic functions
EMR/DynamoDB – see the Security Best Practices Whitepaper for options
8️⃣ Secure Your Operating Systems & Applications
With the shared responsibility model you manage operating systems & application security
OS Hardening and Updates
Use of Amazon Machine Images (AMIs) makes it easy to deploy standardized operating system and application builds.
Amazon provides and maintains a preconfigured set of AMIs, but you are also free to create your own and use these as the basis for EC2 instances that you deploy.
Standard OS hardening principles can and should be applied to the operating systems that you choose to run on EC2 instances.
There are many more detailed best practices for securing your OS environment in the AWS Security Best Practices Whitepaper.
9️⃣ Secure Your Infrastructure
Using AWS platform features
Amazon Virtual Private Cloud (VPC)
Create private clouds within the AWS Cloud.
Use your own IP address space, allocated by you. Use RFC1918 private address space for non-internet-routable networks.
Connect to your VPC via the Internet, IPsec over the Internet, AWS Direct Connect, AWS Direct Connect with IPsec or a combination of these.
Define your own subnet topology and routing table, and create custom service instances such as DNS or time servers.
9️⃣ Secure Your Infrastructure
Using AWS platform features
Security Zoning and Network Segmentation
Network segmentation simply isolates one network from another.
Security zones are groups of system components with similar security levels that have common controls applied to them.
Combine AWS platform security features with your own overlay infrastructure components such as repositories, DNS & time servers to segment networks and create security zones.
The AWS elastic cloud infrastructure & automated deployment tools mean that you can apply the same security controls across all AWS regions.
Repeatable and uniform deployments improve your overall security posture.
1️⃣ 0️⃣ Monitoring, Alerting, Audit Trail & Incident Response
Adapt existing processes, tools & methodologies for use in the cloud
Implement OS & Higher Level Monitoring
Logs may be generated by a variety of network components as well as operating systems, platforms and applications.
We recommend logging and analysis of the following event types:
• Actions taken by any individual with root or administrative privileges
• Access to all audit trails
• Invalid logical access attempts
• Use of identification and authentication mechanisms
• Initialization of audit logs
• Creation and deletion of system level objects
Log management considerations (Area: Consideration)
Log collection: Note how log files are collected. Often operating system, application, or third-party/middleware agents collect log file information.
Log transport: When log files are centralized, transfer them to the central location in a secure, reliable, and timely fashion.
Log storage: Centralize log files from multiple instances to facilitate retention policies, as well as analysis and correlation.
Log taxonomy: Present different categories of log files in a format suitable for analysis.
Log analysis/correlation: Log files provide security intelligence after you analyze them and correlate events in them. You can analyze logs in real time, or at scheduled intervals.
Log protection/security: Log files are sensitive. Protect them through network control, identity and access management, protection/encryption, data integrity authentication, and tamper-proof time-stamping.
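An added example, not from the deck or from AWS, of the "data integrity authentication" and "tamper-proof time-stamping" items in the log protection row: each centralized log entry is sealed with an HMAC that also covers the previous entry's tag, so editing, deleting or reordering a line breaks verification. The collector secret and the log lines are constructed for the example; in practice the secret lives only on the collector and verifier, not on the instances that produce the logs.

```python
"""Hash-chained, HMAC-authenticated, time-stamped log entries.

Added example (not the deck's or AWS's code). seal_entries() runs on the log
collector; verify_chain() runs wherever the stored logs are later audited.
"""
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # chain anchor for the first record


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so the same record always yields the same tag.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_entries(secret: bytes, entries: list) -> list:
    """Wrap each (timestamp, message) in a record whose tag covers the previous tag."""
    prev_tag = GENESIS_TAG
    sealed = []
    for seq, (ts, msg) in enumerate(entries):
        body = {"seq": seq, "ts": ts, "msg": msg, "prev": prev_tag}
        tag = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
        sealed.append({**body, "tag": tag})
        prev_tag = tag
    return sealed


def verify_chain(secret: bytes, sealed: list) -> tuple:
    """Return (True, None) if every record is authentic and in sequence,
    otherwise (False, index of the first record that fails)."""
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(sealed):
        body = {k: rec[k] for k in ("seq", "ts", "msg", "prev")}
        if body["seq"] != i or body["prev"] != prev_tag:
            return (False, i)            # gap, reordering or deletion
        expected = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return (False, i)            # content or timestamp changed
        prev_tag = rec["tag"]
    return (True, None)


def demo() -> dict:
    """Seal three constructed OS log lines, then verify intact and tampered copies."""
    secret = b"constructed-collector-secret"  # constructed; never ship a real key in code
    lines = [("2014-10-01T09:00:00Z", "sshd: Accepted publickey for ec2-user"),
             ("2014-10-01T09:00:05Z", "sudo: ec2-user : COMMAND=/bin/bash"),
             ("2014-10-01T09:00:09Z", "sshd: session closed for ec2-user")]
    sealed = seal_entries(secret, lines)
    edited = [dict(r) for r in sealed]
    edited[1]["msg"] = "sudo: ec2-user : COMMAND=/bin/ls"   # a line altered after the fact
    deleted = sealed[:1] + sealed[2:]                         # a line removed
    return {"intact": verify_chain(secret, sealed),
            "edited": verify_chain(secret, edited),
            "deleted": verify_chain(secret, deleted)}


if __name__ == "__main__":
    print(demo())
```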
1️⃣ 0️⃣ Monitoring, Alerting, Audit Trail & Incident Response
Adapt existing processes, tools & methodologies for use in the cloud
Use CloudWatch Logs to Centralise Your Logs
CloudWatch Logs enables you to monitor and troubleshoot your systems and applications using your existing system, application, and custom log files.
Send your existing system, application, and custom log files to CloudWatch Logs and monitor these logs in near real-time.
This can help you better understand and operate your systems and applications, and you can store your logs using highly durable, low-cost storage for later access.
1️⃣ 0️⃣ Monitoring, Alerting, Audit Trail & Incident Response
Adapt existing processes, tools & methodologies for use in the cloud
Use CloudTrail to Record AWS API Calls
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
With CloudTrail, you can get a history of AWS API calls for your account. The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
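An added example, not from the deck or from AWS, that ties the CloudTrail record fields named above to the event types the "Implement OS & Higher Level Monitoring" slide recommends logging: each rule maps one recommended event type (root actions, access to the audit trail, invalid access attempts, use of authentication mechanisms, creation/deletion of system-level objects) to the CloudTrail fields that evidence it. The records are constructed inline; the field names (userIdentity, eventSource, eventName, errorCode, responseElements) follow the CloudTrail record format.

```python
"""Triage CloudTrail records against the event types the deck recommends logging.

Added example (not the deck's code, not an AWS tool). Records are constructed;
field names follow the CloudTrail record format.
"""
import json
from collections import Counter

# Constructed sample records, trimmed to the fields the rules need.
SAMPLE_RECORDS = [
    {"eventTime": "2014-10-01T09:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2014-10-01T09:00:20Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-10-01T09:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}, "sourceIPAddress": "203.0.113.9",
     "responseElements": None},
    {"eventTime": "2014-10-01T09:06:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2014-10-01T09:07:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2014-10-01T09:08:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "192.0.2.44",
     "errorCode": "AccessDenied"},
    {"eventTime": "2014-10-01T09:09:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "192.0.2.44"},
    {"eventTime": "2014-10-01T09:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "192.0.2.44"},
]

# CloudTrail API calls that change the audit trail itself.
AUDIT_TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# Events that evidence use of an identification/authentication mechanism.
AUTH_EVENTS = {"ConsoleLogin", "AssumeRole", "GetSessionToken", "GetFederationToken"}


def classify(record: dict) -> list:
    """Return the recommended-event-type labels that apply to one record."""
    labels = []
    identity = record.get("userIdentity") or {}
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    error = record.get("errorCode", "")
    if identity.get("type") == "Root":
        labels.append("root-or-admin-action")
    if source == "cloudtrail.amazonaws.com" and name in AUDIT_TRAIL_CHANGES:
        labels.append("audit-trail-access")
    login_failed = (record.get("responseElements") or {}).get("ConsoleLogin") == "Failure"
    if login_failed or "AccessDenied" in error or "UnauthorizedOperation" in error:
        labels.append("invalid-access-attempt")
    if name in AUTH_EVENTS:
        labels.append("authentication-mechanism-use")
    if source == "iam.amazonaws.com" and name.startswith(("Create", "Delete")):
        labels.append("system-object-create-delete")
    return labels


def triage(records: list) -> dict:
    """Summarise a batch: counts per label plus the records an analyst should review."""
    counts, flagged = Counter(), []
    for rec in records:
        labels = classify(rec)
        counts.update(labels)
        if labels:
            who = (rec.get("userIdentity") or {})
            flagged.append({"eventTime": rec.get("eventTime"), "eventName": rec.get("eventName"),
                            "who": who.get("userName", who.get("type")),
                            "sourceIPAddress": rec.get("sourceIPAddress"), "labels": labels})
    return {"counts": dict(counts), "flagged": flagged}


def load_records(cloudtrail_file_text: str) -> list:
    """CloudTrail delivers JSON files with a top-level {"Records": [...]}; pass the decompressed text."""
    return json.loads(cloudtrail_file_text)["Records"]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```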
Verifying Our Security
Compliance at AWS 
AWS is Level 1 compliant under the Payment Card Industry (PCI) 
Data Security Standard (DSS). Customers can run applications on 
our PCI-compliant technology infrastructure for storing, processing, 
and transmitting credit card information in the cloud. 
AWS is ISO 27001 certified under the International Organization for 
Standardization (ISO) 27001 standard. ISO 27001 is a widely-adopted 
global security standard that outlines the requirements for 
information security management systems. 
Many other government and industry compliance requirements are 
also met by AWS. Find more at: 
aws.amazon.com/compliance
Where to go to learn more
Resources 
aws.amazon.com/security 
aws.amazon.com/compliance 
aws.amazon.com/iam 
aws.amazon.com/vpc
AWS Security Blog
blogs.aws.amazon.com/security/
White Papers
AWS Security Best Practices – Dob Todorov, Yinal Ozkan, Amazon Web Services, November 2013 (Please consult http://aws.amazon.com/security for the latest version of this paper)
AWS Security Whitepaper
http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
AWS Security Best Practices Whitepaper
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
AWS Risk and Compliance Whitepaper
http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
AWS Training & Certification
Certification – Demonstrate your skills, knowledge, and expertise with the AWS platform: aws.amazon.com/certification
Self-Paced Labs – Try products, gain new skills, and get hands-on practice working with AWS technologies: aws.amazon.com/training/self-paced-labs
Training – Skill up and gain confidence to design, develop, deploy and manage your applications on AWS: aws.amazon.com/training
AWS ENTERPRISE 
SUMMIT LONDON 
October 21 
bit.ly/EntSumLDN
Ian Massingham – Technical Evangelist 
@IanMmmm 
@AWS_UKI for local AWS events & news 
@AWScloud for Global AWS News and Announcements 
©Amazon.com, Inc. and its affiliates. All rights reserved.
We typically see customers start by trying our services 
Get started now at : aws.amazon.com/getting-started
You can get started for free… 
Get started now at : aws.amazon.com/free
Design your application for the AWS Cloud 
More details on the AWS Architecture Center at : aws.amazon.com/architecture

Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Último

Último (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Journey Through the Cloud - Security Best Practices on AWS

  • 1. Journey through the Cloud: Security Best Practices on AWS Ian Massingham – Technical Evangelist @IanMmmm
  • 2. Journey through the cloud Common use cases & stepping stones into the AWS cloud Learning from customer journeys Best practices to bootstrap your projects
  • 3. Security Best Practices on AWS Architected to be one of the most flexible and secure cloud environments Removes many of the security headaches that come with infrastructure Ensures complete customer privacy and segregation Built in Security Features
  • 4. Agenda Sharing the Security Responsibility Overview of AWS Security Features Best Practices Verifying our Security Useful Resources
  • 5. Security is Our No.1 Priority Comprehensive Security Capabilities to Support Virtually Any Workload Validated by security experts Collaboration on Enhancements Every Customer Benefits People & Procedures Platform Security Network Security Physical Security
  • 6. Sharing the Security Responsibility
  • 7. Shared Security Model • Shared Responsibility – Let AWS do the heavy lifting – Focus on your business • Customer • Choice of Guest OS • Application Configuration Options • Account Management flexibility • Security Groups • ACLs • Identity Management • AWS • Facility operations • Physical Security • Physical Infrastructure • Network Infrastructure • Virtualization Infrastructure • Hardware lifecycle management
  • 8. Shared Security Model: Infrastructure Services Such as Amazon EC2, Amazon EBS, and Amazon VPC
  • 9. Shared Security Model: Container Services Such as Amazon RDS and Amazon EMR
  • 10. Shared Security Model: Abstracted Services Such as Amazon S3 and Amazon DynamoDB
  • 12. SECURE ACCESS! API ENDPOINTS USE SSL!
  • 13. BUILT IN FIREWALLS! YOU CONTROL ACCESS TO YOUR INSTANCES!
  • 14. UNIQUE USERS! WITH SPECIFIC ACCESS LEVELS!
  • 16. PRIVATE SUBNETS! WITHIN YOUR AWS VIRTUAL PRIVATE CLOUD!
  • 17. ENCRYPTED DATA STORAGE! WITHIN YOUR AWS VIRTUAL PRIVATE CLOUD!
  • 18. DEDICATED CONNECTION! AN OPTION WITH AWS DIRECT CONNECT!
  • 19. SECURITY LOGS! AWS CLOUDTRAIL LOGS API ACTIVITY!
  • 20. ISOLATED GOVCLOUD! FOR US GOVERNMENT USERS!
  • 21. CLOUD HSM! A HIGHLY SECURE WAY TO STORE KEYS!
  • 22. TRUSTED ADVISOR! YOUR CUSTOMISED CLOUD EXPERT!
  • 24. 1️⃣ Know the AWS Shared Responsibility Model. Build your systems using AWS as the foundation & architect an ISMS that takes advantage of AWS features. (Diagram: You: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity). Amazon: Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations.)
  • 25. 2️⃣ Understand the AWS Secure Global Infrastructure: Regions, Availability Zones and Endpoints. Regions: an independent collection of AWS resources in a defined geography; a solid foundation for meeting location-dependent privacy and compliance requirements. Availability Zones: designed as independent failure zones; physically separated within a typical metropolitan region.
  • 26. 2️⃣ Understand the AWS Secure Global Infrastructure: Using the IAM service. AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources via credentials such as access keys, passwords and multi-factor authentication devices. http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
  • 27. 3️⃣ Define and Categorize Assets on AWS: Identify all the information assets that you need to protect.
  • 28. 4️⃣ Design Your ISMS to Protect Your Assets on AWS. Establish a standard for implementing, operating, monitoring, reviewing, maintaining & improving your information security management system. (The slide shows an excerpt of the AWS Security Best Practices whitepaper, November 2013:) After you have determined assets, categories, and costs, establish a standard for implementing, operating, monitoring, reviewing, maintaining, and improving your information security management system (ISMS) on AWS. Security requirements differ in every organization, depending on the following factors: business needs and objectives; processes employed; size and structure of the organization. All these factors can change over time, so it is a good practice to build a cyclical process for managing all of this information. Table 2 suggests a phased approach to designing and building an ISMS in AWS. You might also find standard frameworks, such as ISO 27001, helpful with ISMS design and implementation.
    Phase 1. Define scope and boundaries: define which regions, Availability Zones, instances and AWS resources are "in scope." If you exclude any component (for example, AWS manages facilities, so you can leave it out of your own management system), state explicitly what you have excluded and why.
    Phase 2. Define an ISMS policy. Include the following: objectives that set the direction and principles for action regarding information security; legal, contractual, and regulatory requirements; risk management objectives for your organization; how you will measure risk; how management approves the plan, with input from groups in your organization.
    Phase 3. (Title cropped on the slide; the description concerns choosing a risk assessment methodology.) ... as much as possible. AWS risk automation can narrow down the scope of resources required for risk management. There are several risk assessment methodologies, including OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), ISO 31000:2009 Risk Management, ENISA (European Network and Information Security Agency), IRAM (Information Risk Analysis Methodology), and NIST (National Institute of Standards & Technology) Special Publication (SP) 800-30 rev.1 Risk Management Guide.
    Phase 4. Identify risks: we recommend that you create a risk register by mapping all your assets to threats, and then, based on the vulnerability assessment and impact analysis results, creating a new risk matrix for each AWS environment. Here's an example risk register: assets; threats to those assets; vulnerabilities that could be exploited by those threats; consequences if those vulnerabilities are exploited.
    Phase 5. Analyze and evaluate risks: analyze and evaluate the risk by calculating business impact, likelihood and probability, and risk levels.
    Phase 6. Address risks: select options for addressing risks. Options include applying security controls, accepting risks, avoiding risk, or transferring risks.
    Phase 7. Choose a security control framework: when you choose your security controls, use a framework, such as ISO 27002, NIST SP 800-53, COBIT (Control Objectives for Information and related Technology) and CSA-CCM (Cloud Security Alliance Cloud Control Matrix). These frameworks comprise a set of reusable best practices and will help you to choose relevant controls.
    Phase 8. Get management approval: even after you have implemented all controls, there will be residual risk. We recommend that you get approval from your business management that acknowledges all residual risks, and approvals for implementing and operating the ISMS.
    Phase 9. Statement of applicability: create a statement of applicability that includes the following information: which controls you chose and why; which controls are in place; which controls you plan to put in place.
  • 29. 5️⃣ Manage AWS Accounts, IAM Users, Groups & Roles: Operate under the principle of least privilege. AWS Account: your AWS account represents a business relationship between you and AWS. AWS accounts have root permissions to all AWS resources and services, so they are very powerful. IAM Users: with IAM you can create multiple users, each with individual security credentials, all controlled under a single AWS account. IAM users can be a person, service, or application that needs access to your AWS resources through the management console, CLI, or directly via APIs.
  • 30. 5️⃣ Manage AWS Accounts, IAM Users, Groups & Roles: Strategies for using multiple AWS accounts.
    Business Requirement | Proposed Design | Comments
    Centralized security management | Single AWS Account | Centralize information security management and minimize overhead.
    Separation of production, development & testing accounts | Three AWS Accounts | Create one AWS account for production services, one for development and one for testing.
    Multiple autonomous departments | Multiple AWS Accounts | Create separate AWS accounts for each autonomous part of the organization. You can assign permissions and policies under each account.
    Centralized security management with multiple autonomous independent projects | Multiple AWS Accounts | Create a single AWS account for common project resources (such as DNS services, Active Directory, CMS etc.). Then create separate AWS accounts per project. You can assign permissions and policies under each project account and grant access to resources across accounts.
  • 31. 5️⃣ Manage AWS Accounts, IAM Users, Groups & Roles: Delegation using IAM Roles and Temporary Security Credentials. Applications on Amazon EC2 that need to access AWS resources; Cross Account Access; Identity Federation.
  • 32. 6️⃣ Manage OS-level Access to Amazon EC2 Instances: You own the credentials, but AWS helps you bootstrap initial access to the OS. Amazon EC2 Key Pairs: used to authenticate SSH access to Linux instances and to generate the initial administrator password on Windows instances. If you have higher security requirements, you are free to implement alternative authentication mechanisms and disable Amazon EC2 Key Pair Authentication.
  • 33. 7️⃣ Secure Your Data: At rest & in transit. Resource Access Authorisation: users or IAM Roles can only access resources after authentication. Fine-grained resource policies can restrict users or permit users to access only the resources that you specify, for example:
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::myBucket/amazon/snakegame/${cognito-identity.amazonaws.com:sub}"]
    }
  • 34. 7️⃣ Secure Your Data: At rest & in transit. Storing and Managing Encryption Keys: we recommend you store your keys in tamper-proof storage, such as Hardware Security Modules. AWS CloudHSM is one option available to help you do this. As an alternative, you can store keys on your premises and access these over secure links, such as AWS Direct Connect with IPsec or IPsec VPNs. http://aws.amazon.com/cloudhsm/
  • 35. 7️⃣ Secure Your Data: At rest & in transit. Protecting Data at Rest: options differ by AWS service. Amazon S3: server-side encryption with Amazon S3 managed keys or your own encryption keys with Customer-Provided Keys (SSE-C). Amazon EBS: use volume encryption provided by your operating system, for example Windows EFS or Microsoft Windows BitLocker, Linux dm-crypt, TrueCrypt, SafeNet ProtectV. Amazon RDS: use database-specific cryptographic functions. EMR/DynamoDB: see the Security Best Practices Whitepaper for options.
  • 36. 8️⃣ Secure Your Operating Systems & Applications: With the shared responsibility model you manage operating systems & application security. OS Hardening and Updates: use of Amazon Machine Images (AMIs) makes it easy to deploy standardized operating system and application builds. Amazon provides and maintains a preconfigured set of AMIs, but you are also free to create your own and use these as the basis for EC2 instances that you deploy. Standard OS hardening principles can and should be applied to the operating systems that you choose to run on EC2 instances. There are many more detailed best practices for securing your OS environment in the AWS Security Best Practices Whitepaper.
  • 37. 9️⃣ Secure Your Infrastructure: Using AWS platform features. Amazon Virtual Private Cloud (VPC): create private clouds within the AWS Cloud. Use your own IP address space, allocated by you; use RFC1918 private address space for non-internet-routable networks. Connect to your VPC via the Internet, IPsec over the Internet, AWS Direct Connect, AWS Direct Connect with IPsec, or a combination of these. Define your own subnet topology and routing table, and create custom service instances such as DNS or time servers.
  • 38. 9️⃣ Secure Your Infrastructure: Using AWS platform features. Security Zoning and Network Segmentation: network segmentation simply isolates one network from another. Security zones are groups of system components with similar security levels that have common controls applied to them. Combine AWS platform security features with your own overlay infrastructure components such as repositories, DNS & time servers to segment networks and create security zones. The AWS elastic cloud infrastructure & automated deployment tools mean that you can apply the same security controls across all AWS regions. Repeatable and uniform deployments improve your overall security posture.
  • 39. 1️⃣ 0️⃣ Monitoring, Alerting, Audit Trail & Incident Response: Adapt existing processes, tools & methodologies for use in the cloud. Implement OS & Higher Level Monitoring: logs may be generated by a variety of network components as well as operating systems, platforms and applications. We recommend logging and analysis of the following event types: • Actions taken by any individual with root or administrative privileges • Access to all audit trails • Invalid logical access attempts • Use of identification and authentication mechanisms • Initialization of audit logs • Creation and deletion of system level objects
    Area | Consideration
    Log collection | Note how log files are collected. Often operating system, application, or third-party/middleware agents collect log file information.
    Log transport | When log files are centralized, transfer them to the central location in a secure, reliable, and timely fashion.
    Log storage | Centralize log files from multiple instances to facilitate retention policies, as well as analysis and correlation.
    Log taxonomy | Present different categories of log files in a format suitable for analysis.
    Log analysis/correlation | Log files provide security intelligence after you analyze them and correlate events in them. You can analyze logs in real time, or at scheduled intervals.
    Log protection/security | Log files are sensitive. Protect them through network control, identity and access management, protection/encryption, data integrity authentication, and tamper-proof time-stamping.
  • 40. 1️⃣ 0️⃣ Monitoring, Alerting, Audit Trail & Incident Response: Adapt existing processes, tools & methodologies for use in the cloud. Use CloudWatch Logs to Centralise Your Logs: CloudWatch Logs enables you to monitor and troubleshoot your systems and applications using your existing system, application, and custom log files. Send your existing system, application, and custom log files to CloudWatch Logs and monitor these logs in near real-time. This can help you better understand and operate your systems and applications, and you can store your logs using highly durable, low-cost storage for later access. (The log management table from slide 39 appears again in the background of this slide.)
  • 41. 1️⃣ 0️⃣ Monitoring, Alerting, Audit Trail & Incident Response: Adapt existing processes, tools & methodologies for use in the cloud. Use CloudTrail to Record AWS API Calls: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. With CloudTrail, you can get a history of AWS API calls for your account. The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
  • 43. Compliance at AWS AWS is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. AWS is ISO 27001 certified under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems. Many other government and industry compliance requirements are also met by AWS. Find more at: aws.amazon.com/compliance
  • 44. Where to go to learn more
  • 45. Resources aws.amazon.com/security aws.amazon.com/compliance aws.amazon.com/iam aws.amazon.com/vpc
  • 46. AWS Security Blog blogs.aws.amazon.com/security/
  • 47. White Papers (the slide shows the cover of AWS Security Best Practices by Dob Todorov and Yinal Ozkan, November 2013; please consult http://aws.amazon.com/security for the latest version of this paper). AWS Security Whitepaper http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf AWS Security Best Practices Whitepaper http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf AWS Risk and Compliance Whitepaper http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
  • 48. AWS Training & Certification. Certification: demonstrate your skills, knowledge, and expertise with the AWS platform aws.amazon.com/certification. Self-Paced Labs: try products, gain new skills, and get hands-on practice working with AWS technologies aws.amazon.com/training/self-paced-labs. Training: skill up and gain confidence to design, develop, deploy and manage your applications on AWS aws.amazon.com/training
  • 49. AWS ENTERPRISE SUMMIT LONDON October 21 bit.ly/EntSumLDN
  • 50. Ian Massingham – Technical Evangelist @IanMmmm @AWS_UKI for local AWS events & news @AWScloud for Global AWS News and Announcements ©Amazon.com, Inc. and its affiliates. All rights reserved.
  • 51. We typically see customers start by trying our services Get started now at : aws.amazon.com/getting-started
  • 52. You can get started for free… Get started now at : aws.amazon.com/free
  • 53. Design your application for the AWS Cloud More details on the AWS Architecture Center at : aws.amazon.com/architecture
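The per-identity S3 policy on slide 33 relies on IAM substituting `${cognito-identity.amazonaws.com:sub}` into the Resource ARN at request time. As an added example (not code from the deck or from AWS), this simplified Python evaluator shows why that confines each federated identity to its own key prefix; the Version/Statement wrapper, the identity ids and the helper names `is_allowed`/`object_arn` are assumptions of the example.

```python
"""Added example, not from the slides or from AWS: a deliberately simplified
evaluator for the per-identity S3 policy on slide 33.  Real IAM evaluation
has far more rules (conditions, NotAction, permission boundaries, resource
policies); only Allow/Deny/deny-by-default and policy variables are modelled."""

import fnmatch
import re
from typing import Dict, List, Union

# Policy statement shown on slide 33 (the Version/Statement wrapper is assumed).
SNAKEGAME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [
                "arn:aws:s3:::myBucket/amazon/snakegame/"
                "${cognito-identity.amazonaws.com:sub}"
            ],
        }
    ],
}

_POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute_policy_variables(resource: str, context: Dict[str, str]) -> str:
    """Replace ${key} variables with values from the request context.

    A variable missing from the context is left literally in place, so the
    resulting ARN can never match a real object and the statement does not
    apply.  That preserves deny-by-default for requests that carry no
    federated identity."""
    return _POLICY_VAR.sub(lambda m: context.get(m.group(1), m.group(0)), resource)


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def is_allowed(policy: Dict, action: str, resource: str,
               context: Dict[str, str]) -> bool:
    """Evaluate one request: an explicit Deny wins, then any matching Allow
    grants access, otherwise the request is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        action_match = any(fnmatch.fnmatchcase(action, pat)
                           for pat in _as_list(stmt["Action"]))
        resource_match = any(
            fnmatch.fnmatchcase(resource, substitute_policy_variables(pat, context))
            for pat in _as_list(stmt["Resource"]))
        if action_match and resource_match:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def object_arn(identity_id: str) -> str:
    """ARN of the per-identity object the slide's policy is scoped to."""
    return f"arn:aws:s3:::myBucket/amazon/snakegame/{identity_id}"


if __name__ == "__main__":
    # Constructed identity id in the Cognito "<region>:<id>" shape.
    alice = {"cognito-identity.amazonaws.com:sub": "eu-west-1:alice-0001"}
    requests = [("s3:GetObject", object_arn("eu-west-1:alice-0001")),
                ("s3:GetObject", object_arn("eu-west-1:bob-0002")),
                ("s3:DeleteObject", object_arn("eu-west-1:alice-0001"))]
    for action, target in requests:
        verdict = "ALLOW" if is_allowed(SNAKEGAME_POLICY, action, target, alice) else "DENY"
        print(f"{action:16} {target} -> {verdict}")
```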
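Slide 39 lists the event types worth logging and slide 41 describes what CloudTrail records about each API call. As an added example (not code from the deck or from AWS), this Python script maps constructed CloudTrail records onto those event types; the record layout follows the documented CloudTrail file format, while the sample records, account id and user names are constructed for this example.

```python
"""Added example, not from the slides or from AWS: detection logic for the
event types slide 39 recommends, run over a constructed CloudTrail log file
of the shape slide 41 describes (caller identity, time, source IP, request
parameters, response elements)."""

import json
from typing import Dict, List

# Constructed CloudTrail log file (same {"Records": [...]} layout CloudTrail
# delivers to S3); no real account activity.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-10-01T09:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-10-01T09:05:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventTime": "2014-10-01T09:07:44Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2014-10-01T09:09:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2014-10-01T09:10:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "analyst"}},
    {"eventTime": "2014-10-01T09:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}},
]})

# Event names that touch or initialise the audit trail itself.
AUDIT_TRAIL_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
AUDIT_INIT_EVENTS = {"StartLogging", "CreateTrail"}
# Use of identification and authentication mechanisms.
AUTHN_EVENTS = {"ConsoleLogin", "AssumeRole", "AssumeRoleWithSAML",
                "AssumeRoleWithWebIdentity", "GetSessionToken"}
# Invalid logical access attempts surface as these error codes.
FAILURE_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
# Creation/deletion of system-level objects (IAM principals, keys, policies).
SYSTEM_OBJECT_PREFIXES = ("Create", "Delete", "Attach", "Detach", "Put")


def classify(record: Dict) -> List[str]:
    """Return the slide 39 event categories one CloudTrail record falls under."""
    tags: List[str] = []
    identity = record.get("userIdentity", {})
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    if identity.get("type") == "Root":
        tags.append("root-or-admin-action")
    if source == "cloudtrail.amazonaws.com" and name in AUDIT_TRAIL_EVENTS:
        tags.append("audit-trail-access")
    if source == "cloudtrail.amazonaws.com" and name in AUDIT_INIT_EVENTS:
        tags.append("audit-log-initialization")
    login_failed = (name == "ConsoleLogin" and
                    record.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    if record.get("errorCode") in FAILURE_CODES or login_failed:
        tags.append("invalid-access-attempt")
    if name in AUTHN_EVENTS:
        tags.append("authentication-mechanism-use")
        if record.get("additionalEventData", {}).get("MFAUsed") == "No":
            tags.append("authentication-without-mfa")
    if source == "iam.amazonaws.com" and name.startswith(SYSTEM_OBJECT_PREFIXES):
        tags.append("system-object-create-or-delete")
    return tags


def analyze(log_text: str) -> Dict[str, List[str]]:
    """Parse a CloudTrail log file and group flagged records by category,
    keeping the who/when/where fields slide 41 says CloudTrail records."""
    findings: Dict[str, List[str]] = {}
    for record in json.loads(log_text)["Records"]:
        identity = record.get("userIdentity", {})
        principal = identity.get("userName") or identity.get("type", "unknown")
        line = (f"{record.get('eventTime')} {record.get('eventName')} "
                f"by {principal} from {record.get('sourceIPAddress')}")
        for tag in classify(record):
            findings.setdefault(tag, []).append(line)
    return findings


if __name__ == "__main__":
    for category, lines in sorted(analyze(SAMPLE_LOG).items()):
        print(category)
        for line in lines:
            print("   ", line)
```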