Proteggere applicazioni e dati nel cloud AWS (Protecting applications and data in the AWS cloud)
1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Strengthen Cybersecurity with AWS
2. What Security Challenges are We Facing?
1. Compliance: ensure your AWS infrastructure meets compliance requirements
2. Multiple formats: dozens of security tools with different data formats
3. Prioritizing: large volume of alerts and the need to prioritize
4. Visibility: lack of a single pane of glass across security and compliance tools
3. AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
4. Security 101
Stack layers (the same stack is shown for each deployment model):
• Data
• Application
• OS
• Virtualization
• Infrastructure
• Physical
Deployment models compared: On-premises, Infrastructure, Container, Abstract
Legend: Your responsibility / AWS responsibility
5. Improve your security posture with AWS
On-premises:
• Big Perimeter
• End-to-End Ownership
• Build it all yourself
• Server-centric approach
• De-centralised Administration
• Focus on physical assets
• Multiple (manual) processes
On AWS:
• Micro-Perimeters
• Own just enough
• Focus on your core values
• Service-Centric approach
• Central control plane (API)
• Focus on protecting data
• Everything is automated
6. Security Assurance
On-premises:
• Start with bare concrete
• Periodic checks
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
• Heterogeneous governance processes and tools
• Typically reactive
On AWS:
• Start on accredited services
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance
• Integrated governance processes and tools
• Focus on prevention
7. Attacker Tactics for Initial Compromise
• Unpatched vulnerabilities
• Security misconfigurations
• Weak, leaked, stolen passwords
• Social engineering
• Insider threat
AWS tools and guidance mapped to these tactics on the slide: AWS Systems Manager, Amazon Inspector, AWS Marketplace, Guidance, Amazon GuardDuty, AWS CloudTrail, AWS Secrets Manager
8. Attacker Tactics for Initial Compromise
https://aws.amazon.com/blogs/publicsector/the-five-ways-organizations-initially-get-compromised-and-tools-to-protect-yourself/
9. Advantages of the API
• Authoritative – the interface to, and between, AWS services
• Auditable – always know what, and who, is doing what
• Secure – verified integrity, authenticated, no covert channels
• Fast – can be read and manipulated in sub-second time
• Precise – defines the state of all infrastructure and services
• Evolving – continuously improving
• Uniform – provides consistency across disparate components
• Automatable – enables some really cool capabilities
10. AWS Logical Separation
• Virtual Private Cloud (VPC)
  • Not possible for information to pass between multiple tenants without specifically being authorized by both transmitting and receiving customers
• Virtualization
  • Nitro hypervisor
  • Firecracker
• Encryption & key management, encrypting data at-rest and in-transit
  • Built-in encryption (examples: Amazon S3, Amazon EBS)
  • Key Management Service (KMS)
  • CloudHSM
• Dedicated Instances, dedicated hosts, and bare metal
https://d1.awsstatic.com/whitepapers/compliance/AWS_Logical_Separation_Handbook.pdf
11. AWS Security Services Overview
Functions: Identify, Protect, Detect, Respond, Recover, Automate, Investigate
Services shown: AWS Config, AWS Systems Manager, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS Lambda, Amazon CloudWatch, AWS CloudTrail, AWS IoT Device Defender, AWS Key Management Service, AWS Identity and Access Management (IAM), AWS Single Sign-On, AWS Firewall Manager, AWS Secrets Manager, AWS Shield, AWS WAF, Amazon VPC, Snapshot, Archive
12. AWS ML powered Security Services
13. AWS ML powered Security Services
Amazon Macie – Content Classification
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and Cloud SAAS API Keys
Amazon GuardDuty – Threat detection
• VPC Flowlog analysis
• Unusual API calls
• Potentially unauthorized deployments that indicate a possible account compromise
• Potentially compromised instances or reconnaissance by attackers
14. VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Fields in a flow log record: AWS account, Interface, Source IP, Destination IP, Source port, Destination port, Protocol, Packets, Bytes, Start/end time, Accept or reject
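As an added example (not from the deck), the following parser reads flow log records in the default version 2 field order listed above and derives the kind of metric the slide suggests alarming on: rejected flows per source address. The account id, ENI id, addresses and timestamps in the sample are constructed.

```python
"""Parse VPC Flow Log records in the default (version 2) field order and
derive an alarmable metric: rejected flows per source address.
Constructed example; account, ENI and addresses are made up."""
from collections import Counter

# Field order of the default flow log format, matching the slide's list.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed records: one external source rejected on three ports, one
# accepted internal flow, and one NODATA record with '-' placeholders.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51234 22 6 1 60 1546300800 1546300860 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51235 23 6 1 60 1546300800 1546300860 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51236 3389 6 1 60 1546300800 1546300860 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.7 10.0.1.5 44210 443 6 12 9000 1546300800 1546300860 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1546300800 1546300860 - NODATA
"""

def parse_record(line):
    """Return one record as a dict, or None for NODATA/SKIPDATA records,
    whose flow fields are '-' placeholders and carry no traffic data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def rejects_per_source(text):
    """Count REJECT records per source address: the metric a CloudWatch
    metric filter on the flow log group would publish."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return counts

def sources_over_threshold(text, threshold=3):
    """Alarm condition: sources whose rejected-flow count reaches the
    threshold within the window covered by the records."""
    return sorted(src for src, n in rejects_per_source(text).items() if n >= threshold)
```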
15. Logging and Audit
16. Amazon CloudWatch and AWS CloudTrail
Core logging services: full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made: who did what, when, and from where (IP address)
• CloudTrail/Config support for many AWS services and growing – includes EC2, EBS, VPC, RDS, IAM and RedShift
• Edge/CDN, WAF, ELB, VPC/Network FlowLogs
• Easily aggregate all log information
• CloudWatch Alarms
17. Additional logs from external systems and locations:
• External systems and applications: Gaming, IoT sensors, Devices, Web content
• Internal systems and applications: Databases, Servers, Networking, Storage
Logs, logs, and more logs …
18. Log data analytics
19. Cyber Data Lake
Inputs: Realtime Application and Users activities; On premises activities; AWS Security Services
The Cyber Data Lake feeds Analytics and Machine/Deep Learning
20. Cyber Data Lake
Inputs: Realtime Application and Users activities; On premises activities; AWS Security Services
The Cyber Data Lake feeds Machine/Deep Learning
Services: Amazon EMR, Amazon Athena, Amazon Elasticsearch Service, AWS Glue
21. Amazon Elasticsearch: Analyzing Log Data
• Application monitoring & root-cause analysis
• Security Information and Event Management (SIEM)
• IoT & mobile
• Business & clickstream analytics
22. Elasticsearch VPC Flow Logs Analysis
23. AWS Security Hub Overview
24. AWS Security Hub Benefits
• Managed regional AWS service, enabled in minutes, that aggregates findings across AWS accounts
• Manage security and compliance findings in a single location, increasing the efficiency of locating relevant data
• Create custom insights to track issues unique to your environment
25. AWS Security Hub workflow
• Enable AWS Security Hub for all your accounts (Account 1, Account 2, Account 3).
• Conduct automated compliance scans and checks.
• Take action based on findings.
• Continuously aggregate and prioritize findings.
26. Compliance Standards (AWS Security Hub)
• Based on CIS AWS Foundations Benchmark
• Findings are displayed on main dashboard for quick access
• Best practices information is provided to help mitigate issues
27. AWS Security Hub insights
Security findings that are correlated and grouped for prioritization
• More than 20 pre-built insights provided by AWS and AWS partners
• Ability to create your own insights
• Dashboard provides visibility into the top security findings
• Additional details for each finding are available for review
Example insights: EC2 instances that have missing security patches; S3 buckets with stored credentials; S3 buckets with public read and write permissions
28. AWS Security Finding Format
~100 JSON-formatted fields
Finding Types
• Sensitive Data Identifications
• Software and Configuration Checks
• Unusual Behaviors
• Tactics, Techniques, and Procedures (TTPs)
• Effects
29. Automated compliance checks
43 fully automated, nearly continuous checks
30. Insights help identify resources that require attention
31. Use Case: Alert Triage
AWS Security Hub emits security findings as custom events; an Amazon CloudWatch Events rule routes them to AWS Lambda functions (AWS Lambda Function 1, AWS Lambda Function 2, …), which assign a status (Status: Yellow, Status: Red) and notify the SecOps team with Amazon SNS (Amazon Simple Notification Service).
Customizable response and remediation actions
32. Use Case: Compliance Scans
1. An ACL configuration change is discovered by Security Hub – bucket set to public (Amazon Simple Storage Service (S3))
2. Security Hub invokes Lambda function
3. Lambda function sets bucket ACL back to private (AWS Lambda)
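As an added example covering both use cases (slide 31's alert triage and slide 32's public-bucket remediation), here is one Lambda handler that receives Security Hub findings from a CloudWatch Events rule, routes Red findings to an SNS topic and sets flagged buckets back to private. It is not AWS's code: the event payload, account id, bucket name and topic environment variable are constructed, the severity cut-offs are this example's choice, and the "public" title check is a heuristic standing in for a filter on the forwarding rule.

```python
"""Security Hub finding triage (slide 31) and public-bucket remediation
(slide 32) as one Lambda handler. Event shape follows the AWS Security Finding
Format as delivered by a CloudWatch Events rule; all values are constructed."""
import os
import re
S3_BUCKET_ARN = re.compile(r"^arn:aws:s3:::([^/]+)$")

def classify(finding):
    """Normalized severity (0-100) to the slide's status; cut-offs are this example's."""
    score = finding.get("Severity", {}).get("Normalized", 0)
    return "Red" if score >= 70 else "Yellow" if score >= 40 else "Green"

def public_buckets(finding):
    """Bucket names from AwsS3Bucket resources of a finding whose title says 'public'
    (the title test is this example's heuristic, not a Security Hub field)."""
    if "public" not in finding.get("Title", "").lower():
        return []
    names = []
    for res in finding.get("Resources", []):
        match = S3_BUCKET_ARN.match(res.get("Id", ""))
        if res.get("Type") == "AwsS3Bucket" and match:
            names.append(match.group(1))
    return names

def _sns_notify(message):
    import boto3  # lazy import: the routing logic below runs without boto3
    boto3.client("sns").publish(TopicArn=os.environ["TOPIC_ARN"], Message=message)

def _s3_make_private(bucket):
    import boto3
    boto3.client("s3").put_bucket_acl(Bucket=bucket, ACL="private")

def handler(event, context=None, notify=_sns_notify, remediate=_s3_make_private):
    """Lambda entry point; notify/remediate are injectable for offline tests."""
    actions = []
    for finding in event.get("detail", {}).get("findings", []):
        status = classify(finding)
        if status == "Red":  # page SecOps for Red only; Yellow is just recorded
            notify(f"[{status}] {finding.get('Title')}")
            actions.append(("notify", finding.get("Id")))
        for bucket in public_buckets(finding):
            remediate(bucket)
            actions.append(("private", bucket))
    return actions

SAMPLE_EVENT = {"detail": {"findings": [  # constructed event payload
    {"Id": "finding-1", "Title": "S3 bucket has public read and write permissions", "Severity": {"Normalized": 90},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket"}]},
    {"Id": "finding-2", "Title": "EC2 instance has missing security patches", "Severity": {"Normalized": 50},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0"}]}]}}
```

Calling `handler(SAMPLE_EVENT, notify=print, remediate=print)` exercises the routing without AWS credentials; in Lambda the defaults publish to the topic named by `TOPIC_ARN` and call `put_bucket_acl`.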
33. Key takeaways
• Collect and process security findings from multiple accounts within a region
• Evaluate your compliance against regulatory and best practice frameworks
• Identify and prioritize the most important issues by grouping and correlating security findings with Insights
• Understand and manage your overall AWS security and compliance posture