© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Strengthen Cybersecurity with AWS

What Security Challenges are We Facing?
1. Compliance: ensure your AWS infrastructure meets compliance requirements
2. Multiple formats: dozens of security tools with different data formats
3. Prioritizing: large volume of alerts and the need to prioritize
4. Visibility: lack of a single pane of glass across security and compliance tools

AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

Security 101
[Figure: the same layer stack (Data, Application, OS, Virtualization, Infrastructure, Physical) shown for four delivery models: On-premises, Infrastructure, Container, Abstract, with a legend distinguishing "Your responsibility" from "AWS responsibility".]

Improve your security posture with AWS
On-premises vs. On AWS:
• Big Perimeter vs. Micro-Perimeters
• End-to-End Ownership vs. Own just enough
• Build it all yourself vs. Focus on your core values
• Server-centric approach vs. Service-Centric approach
• De-centralised Administration vs. Central control plane (API)
• Focus on physical assets vs. Focus on protecting data
• Multiple (manual) processes vs. Everything is automated

Security Assurance
On-premises vs. On AWS:
• Start with bare concrete vs. Start on accredited services
• Periodic checks vs. Continuous monitoring
• Workload-specific compliance checks vs. Compliance approach based on all workload scenarios
• Must keep pace and invest in security innovation vs. Security innovation drives broad compliance
• Heterogeneous governance processes and tools vs. Integrated governance processes and tools
• Typically reactive vs. Focus on prevention

Attacker Tactics for Initial Compromise
• Unpatched vulnerabilities
• Security misconfigurations
• Weak, leaked, stolen passwords
• Social engineering
• Insider threat
AWS services and guidance shown alongside these tactics: AWS Systems Manager, Amazon Inspector, AWS Marketplace, Amazon GuardDuty, AWS CloudTrail, AWS Secrets Manager, and guidance.

Attacker Tactics for Initial Compromise (reference)
https://aws.amazon.com/blogs/publicsector/the-five-ways-organizations-initially-get-compromised-and-tools-to-protect-yourself/

Advantages of the API
• Authoritative – the interface to, and between, AWS services
• Auditable – always know what, and who, is doing what
• Secure – verified integrity, authenticated, no covert channels
• Fast – can be read and manipulated in sub-second time
• Precise – defines the state of all infrastructure and services
• Evolving – continuously improving
• Uniform – provides consistency across disparate components
• Automatable – enables some really cool capabilities

AWS Logical Separation
• Virtual Private Cloud (VPC)
  • Not possible for information to pass between multiple tenants without specifically being authorized by both transmitting and receiving customers
• Virtualization
  • Nitro hypervisor
  • Firecracker
• Encryption & key management, encrypting data at-rest and in-transit
  • Built-in encryption (examples: Amazon S3, Amazon EBS)
  • Key Management Service (KMS)
  • CloudHSM
• Dedicated Instances, dedicated hosts, and bare metal
https://d1.awsstatic.com/whitepapers/compliance/AWS_Logical_Separation_Handbook.pdf

AWS Security Services Overview
[Figure: services arranged by function: Identify, Protect, Detect, Respond, Recover, Automate, Investigate. Services shown: AWS Config, AWS Systems Manager, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS Lambda, Amazon CloudWatch, AWS CloudTrail, AWS IoT Device Defender, AWS Key Management Service, AWS Identity and Access Management (IAM), AWS Single Sign-On, AWS Firewall Manager, AWS Secrets Manager, AWS Shield, AWS WAF, Amazon VPC, Snapshot Archive.]

AWS ML powered Security Services

AWS ML powered Security Services
Amazon Macie – Content Classification:
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and Cloud SaaS API keys
Amazon GuardDuty – Threat detection:
• VPC Flow Log analysis
• Unusual API calls
• Potentially unauthorized deployments that indicate a possible account compromise
• Potentially compromised instances or reconnaissance by attackers

VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Fields in a flow log record: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject.
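The slide's "create metrics from log data, then alarm on them" step, worked through locally on the default flow log record layout (version, account id, interface id, source/destination address and port, protocol, packets, bytes, start, end, action, log status). This is an added example, not code from the deck: the sample records are constructed, the account id, ENI id and addresses are placeholders, and the reject threshold is an arbitrary choice for the illustration.

```python
"""Parse VPC Flow Log records and derive a REJECT metric from them.

Added example (not from the slide deck). The records below are constructed:
the account id, ENI id and addresses are placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Default flow log record layout (version 2), space separated, in this order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


@dataclass(frozen=True)
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    start: int         # epoch seconds
    end: int
    action: str        # ACCEPT or REJECT


def parse_record(line: str) -> Optional[FlowRecord]:
    """Turn one default-format record into a FlowRecord.

    Returns None for malformed lines and for NODATA/SKIPDATA records, whose
    traffic fields are '-' and carry no flow to count.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        account_id=rec["account_id"], interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        bytes=int(rec["bytes"]), start=int(rec["start"]), end=int(rec["end"]),
        action=rec["action"],
    )


def rejects_per_source(lines: Iterable[str]) -> Counter:
    """Metric: count of REJECT records per source address.

    This is what a CloudWatch Logs metric filter on the string 'REJECT'
    produces, computed locally over a batch of lines.
    """
    counter: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec.action == "REJECT":
            counter[rec.srcaddr] += 1
    return counter


def alarm_sources(lines: Iterable[str], threshold: int) -> List[str]:
    """Sources that would trip an alarm: at least `threshold` rejected flows in the batch."""
    return sorted(src for src, n in rejects_per_source(lines).items() if n >= threshold)


# Constructed sample batch: one source probing SSH, Telnet and RDP and being
# rejected, normal accepted HTTPS traffic, a single stray reject, and a NODATA record.
SAMPLE_LINES = [
    "2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.15 44321 22 6 3 180 1560000000 1560000060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.15 44322 23 6 3 180 1560000000 1560000060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.15 44323 3389 6 3 180 1560000000 1560000060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.40 10.0.1.15 51000 443 6 25 6100 1560000000 1560000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.2.8 10.0.1.15 51001 443 6 1 60 1560000000 1560000060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1560000000 1560000060 - NODATA",
]

if __name__ == "__main__":
    print(rejects_per_source(SAMPLE_LINES))
    print("alarm:", alarm_sources(SAMPLE_LINES, threshold=3))
```

Skipping records whose log status is not OK matters in practice: NODATA and SKIPDATA lines have "-" in the address fields, so counting them would attribute phantom rejects to a "-" source. In CloudWatch the same logic is a metric filter on the action field feeding an alarm; the local version is useful for checking what a threshold would have fired on before configuring it.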

Logging and Audit

Amazon CloudWatch and AWS CloudTrail: core logging services
Full visibility of your AWS environment:
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made: who did what, when, and from where (IP address)
• CloudTrail/Config support many AWS services and growing – includes EC2, EBS, VPC, RDS, IAM and Redshift
• Edge/CDN, WAF, ELB, VPC/Network Flow Logs
• Easily aggregate all log information
• CloudWatch Alarms
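"Who did what, when, and from where" is a direct read of four CloudTrail record fields (userIdentity, eventName/eventSource, eventTime, sourceIPAddress). The following is an added example, not the deck's code: it parses a constructed log file in the {"Records": [...]} layout CloudTrail delivers to S3 and flags watched API calls made from outside expected networks. The account id, ARNs, bucket name and addresses are placeholders, and both the watch-list and the trusted CIDRs are assumptions chosen for the illustration.

```python
"""Answer "who did what, when, and from where" from a CloudTrail log file.

Added example (not from the slide deck). The log file below is constructed;
account id, ARNs, bucket name and addresses are placeholders, and WATCHED and
TRUSTED_NETWORKS are assumptions for the illustration.
"""
import ipaddress
import json
from typing import Dict, List, Set

SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2019-06-10T09:12:44Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/1.16.200",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventVersion": "1.05", "eventTime": "2019-06-10T09:15:02Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"bucketName": "example-logs-bucket"}},
    {"eventVersion": "1.05", "eventTime": "2019-06-10T09:20:11Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.40",
     "userAgent": "aws-sdk-go/1.20.0",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": None},
    # A call made by an AWS service on your behalf carries a service name, not an IP.
    {"eventVersion": "1.05", "eventTime": "2019-06-10T09:21:30Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateServiceLinkedRole",
     "awsRegion": "us-east-1", "sourceIPAddress": "autoscaling.amazonaws.com",
     "userAgent": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
     "requestParameters": {"aWSServiceName": "autoscaling.amazonaws.com"}},
]})

# API calls worth a second look (assumed watch-list), written as "service:EventName".
WATCHED: Set[str] = {"iam:CreateUser", "iam:AttachUserPolicy", "iam:CreateServiceLinkedRole",
                     "s3:PutBucketAcl", "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"}
# Networks from which administrative calls are expected (assumed).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]


def actor(event: Dict) -> str:
    """'Who': the IAM user name when present, else the session/role ARN or invoking service."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("invokedBy") or "unknown"


def api_call(event: Dict) -> str:
    """'What': eventSource 's3.amazonaws.com' + eventName 'PutBucketAcl' -> 's3:PutBucketAcl'."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def from_trusted_network(source: str, trusted=TRUSTED_NETWORKS) -> bool:
    """'Where': True for a trusted CIDR or for an AWS service principal (no IP address)."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True  # e.g. 'autoscaling.amazonaws.com': a service acting on your behalf
    return any(addr in net for net in trusted)


def summarize(log_file: str) -> List[Dict[str, str]]:
    """One who/what/when/where row per record, in delivery order."""
    records = json.loads(log_file)["Records"]
    return [{"who": actor(e), "what": api_call(e), "when": e["eventTime"],
             "where": e["sourceIPAddress"]} for e in records]


def flag_events(log_file: str, watched: Set[str] = WATCHED,
                trusted=TRUSTED_NETWORKS) -> List[Dict[str, str]]:
    """Watched API calls made from outside the trusted networks."""
    return [row for row in summarize(log_file)
            if row["what"] in watched and not from_trusted_network(row["where"], trusted)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG_FILE):
        print(row)
    print("flagged:", flag_events(SAMPLE_LOG_FILE))
```

Two details carry over to real log files: sourceIPAddress is not always an IP address (calls AWS services make on your behalf show the service's DNS name), and an assumed-role session has no userName, so the ARN is the only stable "who". Both are handled above rather than crashing the parser.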

Additional logs from external systems and locations
[Figure: "Logs, logs, and more logs …": external systems and applications (Gaming, IoT sensors, Devices, Web content) and internal systems and applications (Databases, Servers, Networking, Storage).]

Log data analytics

Cyber Data Lake
[Figure, shown on two slides: inputs (Realtime Application and Users activities, On premises activities, AWS Security Services) feed the Cyber Data Lake, which feeds Analytics and Machine/Deep Learning. Services named on the second slide: Amazon EMR, Amazon Athena, Amazon Elasticsearch Service, AWS Glue.]

Amazon Elasticsearch: Analyzing Log Data
• Application monitoring & root-cause analysis
• Security Information and Event Management (SIEM)
• IoT & mobile
• Business & clickstream analytics

Elasticsearch VPC flow logs analysis

AWS Security Hub Overview

AWS Security Hub Benefits
• Managed regional AWS service, set up in minutes, that aggregates findings across AWS accounts
• Manage security and compliance findings in a single location, increasing the efficiency of locating relevant data
• Create custom insights to track issues unique to your environment

AWS Security Hub workflow
• Enable AWS Security Hub for all your accounts (Account 1, Account 2, Account 3).
• Conduct automated compliance scans and checks.
• Take action based on findings.
• Continuously aggregate and prioritize findings.

Compliance Standards (AWS Security Hub)
• Based on CIS AWS Foundations Benchmark
• Findings are displayed on the main dashboard for quick access
• Best-practices information is provided to help mitigate issues

AWS Security Hub insights
Security findings that are correlated and grouped for prioritization:
• More than 20 pre-built insights provided by AWS and AWS partners
• Ability to create your own insights
• Dashboard provides visibility into the top security findings
• Additional details for each finding are available for review
Example insights: EC2 instances that have missing security patches; S3 buckets with stored credentials; S3 buckets with public read and write permissions.

AWS Security Finding Format
~100 JSON-formatted fields
Finding Types:
• Sensitive Data Identifications
• Software and Configuration Checks
• Unusual Behaviors
• Tactics, Techniques, and Procedures (TTPs)
• Effects

Automated compliance checks
43 fully automated, nearly continuous checks

Insights help identify resources that require attention

Use Case: Alert Triage
[Figure: AWS Security Hub → security findings as custom events → Amazon CloudWatch Events rule → AWS Lambda (Function 1: Status Yellow; Function 2: Status Red; …) → notify SecOps team with Amazon SNS (Amazon Simple Notification Service). Customizable response and remediation actions.]

Use Case: Compliance Scans
1. An ACL configuration change is discovered by Security Hub – bucket set to public (Amazon Simple Storage Service, S3).
2. Security Hub invokes a Lambda function.
3. The Lambda function sets the bucket ACL back to private.
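The two use cases above (alert triage by status colour, and resetting a public bucket ACL) share one pipeline: a CloudWatch Events rule matching imported Security Hub findings invokes a Lambda function that reads the finding in AWS Security Finding Format. The following added example, not code from the deck, implements that handler so it runs offline: FakeS3 and FakeSNS stand in for the boto3 S3 and SNS clients (the real client methods put_bucket_acl and publish have the same keyword arguments), the mapping from Severity.Label to Yellow/Red is an assumed threshold, the decision to remediate any FAILED finding whose resource is an S3 bucket is an assumed policy, and the sample event, finding id, account id, bucket name and topic ARN are constructed placeholders.

```python
"""Triage Security Hub findings and remediate a public S3 bucket ACL.

Added example (not from the slide deck). FakeS3 and FakeSNS stand in for the
boto3 S3 and SNS clients so it runs offline; severity thresholds and the
remediation policy are assumptions; ids, account id and ARNs are placeholders.
"""
from typing import Dict, List

# CloudWatch Events / EventBridge rule pattern that selects findings Security Hub imports.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}


def matches_pattern(event: Dict, pattern: Dict = EVENT_PATTERN) -> bool:
    """Rule semantics: every key in the pattern must hold one of the listed values."""
    return all(event.get(key) in values for key, values in pattern.items())


def status_for(finding: Dict) -> str:
    """Map the ASFF Severity.Label to the slide's traffic-light status (assumed thresholds)."""
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    if label in ("HIGH", "CRITICAL"):
        return "Red"
    if label in ("LOW", "MEDIUM"):
        return "Yellow"
    return "Green"


def failed_s3_buckets(finding: Dict) -> List[str]:
    """Bucket names behind a FAILED compliance finding about S3 buckets.

    ASFF resource ids for AwsS3Bucket are bucket ARNs: arn:aws:s3:::<name>.
    """
    if finding.get("Compliance", {}).get("Status") != "FAILED":
        return []
    return [res["Id"].split(":::", 1)[1]
            for res in finding.get("Resources", [])
            if res.get("Type") == "AwsS3Bucket" and ":::" in res.get("Id", "")]


class FakeS3:
    """Stand-in for the boto3 S3 client: records put_bucket_acl calls."""
    def __init__(self) -> None:
        self.acls: Dict[str, str] = {}

    def put_bucket_acl(self, Bucket: str, ACL: str) -> Dict:
        self.acls[Bucket] = ACL
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


class FakeSNS:
    """Stand-in for the boto3 SNS client: records publish calls."""
    def __init__(self) -> None:
        self.messages: List[Dict[str, str]] = []

    def publish(self, TopicArn: str, Subject: str, Message: str) -> Dict:
        self.messages.append({"TopicArn": TopicArn, "Subject": Subject, "Message": Message})
        return {"MessageId": str(len(self.messages))}


def handler(event: Dict, s3, sns, topic_arn: str) -> Dict:
    """Lambda-style entry point for one CloudWatch Events invocation.

    Yellow findings are only recorded, Red findings page SecOps via SNS, and any
    FAILED S3 bucket finding gets its ACL reset to private (assumed policy).
    """
    if not matches_pattern(event):
        return {"handled": 0, "results": []}
    results = []
    for finding in event["detail"]["findings"]:
        status = status_for(finding)
        remediated = []
        for bucket in failed_s3_buckets(finding):
            s3.put_bucket_acl(Bucket=bucket, ACL="private")
            remediated.append(bucket)
        notified = False
        if status == "Red":
            sns.publish(TopicArn=topic_arn,
                        Subject=f"[{status}] {finding.get('Title', finding['Id'])}",
                        Message=f"{finding['Id']} remediated={remediated}")
            notified = True
        results.append({"id": finding["Id"], "status": status,
                        "remediated": remediated, "notified": notified})
    return {"handled": len(results), "results": results}


# Constructed sample event: one imported finding about a bucket ACL set to public.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "SchemaVersion": "2018-10-08",
        "Id": "example-finding-id-0001",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "GeneratorId": "example-generator",
        "AwsAccountId": "111122223333",
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "CreatedAt": "2019-06-10T09:15:10Z", "UpdatedAt": "2019-06-10T09:15:10Z",
        "Severity": {"Label": "HIGH", "Normalized": 70},
        "Title": "S3 bucket ACL grants public access",
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket",
                       "Region": "us-east-1"}],
        "Compliance": {"Status": "FAILED"},
    }]},
}

if __name__ == "__main__":
    s3, sns = FakeS3(), FakeSNS()
    print(handler(SAMPLE_EVENT, s3, sns, "arn:aws:sns:us-east-1:111122223333:secops"))
    print(s3.acls, sns.messages)
```

Injecting the clients keeps the handler testable without credentials; in a deployed function the same code receives boto3.client("s3") and boto3.client("sns"). The remediation branch is deliberately narrow (FAILED compliance status plus an AwsS3Bucket resource) so that informational or already-passed findings never trigger an ACL write.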

Key takeaways
• Collect and process security findings from multiple accounts within a region
• Evaluate your compliance against regulatory and best-practice frameworks
• Identify and prioritize the most important issues by grouping and correlating security findings with Insights
• Understand and manage your overall AWS security and compliance posture
Proteggere applicazioni e dati nel cloud AWS (Protecting applications and data in the AWS cloud)

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Strengthen Cybersecurity with AWS 1
  • 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. What Security Challenges are We Facing? Large volume of alerts and the need to prioritize 3 Prioritizing Lack of single pane of glass across security and compliance tools 4 Visibility Dozens of security tools with different data formats 2 Multiple formats Ensure your AWS infrastructure meets compliance requirements 1 Compliance
  • 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Shared Responsibility Model AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content Customers Customers are responsible for their security and compliance IN the Cloud AWS is responsible for the security OF the Cloud
  • 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security 101 • Data • Application • OS • Virtualization • Infrastructure • Physical • Data • Application • OS • Virtualization • Infrastructure • Physical • Data • Application • OS • Virtualization • Infrastructure • Physical Data Application OS Virtualization Infrastructure Physical On-premises Infrastructure Container Abstract Your responsibility AWS responsibility
  • 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Improve your security posture with AWS On AWSOn-premises Big Perimeter End-to-End Ownership Build it all yourself Server-centric approach De-centralised Administration Focus on physical assets Multiple (manual) processes Micro-Perimeters Own just enough Focus on your core values Service-Centric approach Central control plane (API) Focus on protecting data Everything is automated
  • 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security Assurance Start with bare concrete Periodic checks Workload-specific compliance checks Must keep pace and invest in security innovation Heterogeneous governance processes and tools Typically reactive Start on accredited services Continuous monitoring Compliance approach based on all workload scenarios Security innovation drives broad compliance Integrated governance processes and tools Focus on prevention On AWSOn-premises
  • 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Unpatched vulnerabilities Security misconfigurations Weak, leaked, stolen passwords Social engineering Insider threat Attacker Tactics for Initial Compromise AWS Systems Manager Amazon Inspector AWS Marketplace AWS Systems Manager Amazon Inspector AWS Marketplace Guidance Amazon GuardDuty AWS CloudTrail AWS Secrets Manager Amazon GuardDuty
  • 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Attacker Tactics for Initial Compromise https://aws.amazon.com/blogs/publicsector/the-five-ways-organizations-initially-get-compromised-and-tools-to-protect-yourself/
  • 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Advantages of the API • Authoritative - the interface to, and between, AWS services • Auditable – always know what, and who, is doing what • Secure – verified integrity, authenticated, no covert channels • Fast - can be read and manipulated in sub-second time • Precise – defines the state of all infrastructure and services • Evolving – continuously improving • Uniform - provides consistency across disparate components • Automatable - enables some really cool capabilities
  • 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Logical Separation • Virtual Private Cloud (VPC) • Not possible for information to pass between multiple tenants without specifically being authorized by both transmitting and receiving customers • Virtualization • Nitro hypervisor • Firecracker • Encryption & key management, encrypting data at-rest and in-transit • Built-in encryption (examples: Amazon S3, Amazon EBS) • Key Management Service (KMS) • CloudHSM • Dedicated Instances, dedicated hosts, and bare metal https://d1.awsstatic.com/whitepapers/compliance/AWS_Logical_Separation_Handbook.pdf
  • 11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Security Services Overview Protect Detect Respond Automate Investigate RecoverIdentify AWS Config AWS Systems Manager Amazon Inspector Amazon Macie Amazon GuardDuty AWS Security Hub AWS Lambda Amazon CloudWatch Amazon CloudWatch AWS CloudTrail AWS IoT Device Defender AWS Key Management Service AWS Identity and Access Management (IAM) AWS Single Sign-On AWS Firewall Manager AWS Secrets Manager AWS Shield AWS WAF Amazon VPC Snapshot Archive
  • 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS ML powered Security Services 12
  • 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS ML powered Security Services Amazon Macie Amazon GuardDuty Content Classification • PII and personal data • Source code • SSL certificates, private keys • iOS and Android app signing keys • Database backups • OAuth and Cloud SAAS API Keys Threat detection • VPC Flowlog analysis • Unusual API calls. • Potentially unauthorized deployments that indicate a possible account compromise. • Potentially compromised instances or reconnaissance by attackers.
14. VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to Amazon CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Fields in a flow log record: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, accept or reject
15. Logging and Audit
16. Core logging services: Amazon CloudWatch and AWS CloudTrail
Full visibility of your AWS environment
• CloudTrail records API calls and saves the logs in your S3 buckets, no matter how those API calls were made: who did what, when, and from where (IP address)
• CloudTrail/Config support many AWS services, and the list keeps growing - it includes EC2, EBS, VPC, RDS, IAM and Redshift
• Edge/CDN, WAF, ELB, VPC/Network Flow Logs
• Easily aggregate all log information
• CloudWatch Alarms
17. Logs, logs, and more logs …
Additional logs from external systems and locations:
• External systems and applications: gaming, IoT sensors, devices, web content
• Internal systems and applications: databases, servers, networking, storage
18. Log data analytics
19. Cyber Data Lake
Inputs: realtime application and user activities, on-premises activities, AWS security services
The Cyber Data Lake feeds analytics and machine/deep learning.
20. Cyber Data Lake (AWS services)
Inputs: realtime application and user activities, on-premises activities, AWS security services
Data lake and analytics services: Amazon EMR, Amazon Athena, Amazon Elasticsearch Service, AWS Glue, feeding machine/deep learning
21. Amazon Elasticsearch: Analyzing Log Data
• Application monitoring & root-cause analysis
• Security Information and Event Management (SIEM)
• IoT & mobile
• Business & clickstream analytics
22. Elasticsearch VPC Flow Logs analysis
23. AWS Security Hub Overview
24. AWS Security Hub Benefits
• Managed regional AWS service, enabled in minutes, that aggregates findings across AWS accounts
• Manage security and compliance findings in a single location, increasing the efficiency of locating relevant data
• Create custom insights to track issues unique to your environment
25. AWS Security Hub workflow
• Enable AWS Security Hub for all your accounts (Account 1, Account 2, Account 3)
• Conduct automated compliance scans and checks
• Continuously aggregate and prioritize findings
• Take action based on findings
26. AWS Security Hub Compliance Standards
• Based on the CIS AWS Foundations Benchmark
• Findings are displayed on the main dashboard for quick access
• Best-practice information is provided to help mitigate issues
27. AWS Security Hub insights
Security findings that are correlated and grouped for prioritization
• More than 20 pre-built insights provided by AWS and AWS partners
• Ability to create your own insights
• Dashboard provides visibility into the top security findings
• Additional details for each finding are available for review
Example insights: EC2 instances that have missing security patches; S3 buckets with stored credentials; S3 buckets with public read and write permissions
28. AWS Security Finding Format
~100 JSON-formatted fields
Finding types:
• Sensitive Data Identifications
• Software and Configuration Checks
• Unusual Behaviors
• Tactics, Techniques, and Procedures (TTPs)
• Effects
29. Automated compliance checks: 43 fully automated, nearly continuous checks
30. Insights help identify resources that require attention
31. Use Case: Alert Triage
Customizable response and remediation actions:
• AWS Security Hub emits security findings as custom events
• An Amazon CloudWatch Events rule routes them to AWS Lambda
• AWS Lambda Function 1 handles Status: Yellow; AWS Lambda Function 2 handles Status: Red; …
• Notify the SecOps team with Amazon Simple Notification Service (SNS)
32. Use Case: Compliance Scans
1. An ACL configuration change is discovered by Security Hub - an Amazon Simple Storage Service (S3) bucket was set to public
2. Security Hub invokes a Lambda function
3. The Lambda function sets the bucket ACL back to private
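The alert-triage flow of slide 31 and the bucket-remediation flow of slide 32, as one added Python example that is not part of this deck or of any AWS sample: a Lambda handler that receives Security Hub findings from a CloudWatch Events rule, triages them by ASFF normalized severity, resets public S3 bucket ACLs to private and notifies SecOps through SNS. The sample event, the Red/Yellow severity thresholds and the SNS_TOPIC_ARN environment variable are assumptions made here.

```python
import os
from typing import Any, Callable, Dict, List

# Constructed sample event in the shape CloudWatch Events uses to deliver Security Hub
# findings ("Security Hub Findings - Imported"); finding id and bucket name are placeholders.
SAMPLE_EVENT: Dict[str, Any] = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "placeholder-finding-id",
        "Title": "S3 bucket ACL grants public read/write access",
        "Severity": {"Normalized": 70},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket-placeholder"}],
    }]},
}

def triage_status(finding: Dict[str, Any]) -> str:
    """Map ASFF Severity.Normalized (0-100) onto the slide's Red/Yellow statuses.
    The cut-offs are this example's assumption; the slide does not state them."""
    score = int(finding.get("Severity", {}).get("Normalized", 0))
    return "Red" if score >= 70 else "Yellow" if score >= 40 else "Green"

def bucket_name_from_arn(arn: str) -> str:
    """ASFF names an S3 bucket resource by its ARN, arn:aws:s3:::<bucket>."""
    if not arn.startswith("arn:aws:s3:::"):
        raise ValueError(f"not an S3 bucket ARN: {arn}")
    return arn[len("arn:aws:s3:::"):]

def remediate(event: Dict[str, Any], set_private: Callable[[str], Any], notify: Callable[[str], Any]) -> List[Dict[str, str]]:
    """Steps 2 and 3 of the compliance-scan slide: set every S3 bucket named in the delivered
    findings back to a private ACL, and notify SecOps when the triage status is Red.
    The AWS calls are injected so the logic can be exercised without an AWS account."""
    actions = []
    for finding in event.get("detail", {}).get("findings", []):
        status = triage_status(finding)
        for res in finding.get("Resources", []):
            if res.get("Type") != "AwsS3Bucket":
                continue  # only S3 bucket findings are remediated here
            bucket = bucket_name_from_arn(res["Id"])
            set_private(bucket)
            if status == "Red":
                notify(f"{status}: {finding.get('Title')} ({bucket})")
            actions.append({"bucket": bucket, "status": status, "finding": finding["Id"]})
    return actions

def handler(event: Dict[str, Any], context: Any) -> List[Dict[str, str]]:
    """Lambda entry point. boto3 is the Lambda runtime's SDK; SNS_TOPIC_ARN is an assumed env var."""
    import boto3  # imported here so the module loads where the AWS SDK is not installed
    s3, sns = boto3.client("s3"), boto3.client("sns")
    return remediate(event, lambda b: s3.put_bucket_acl(Bucket=b, ACL="private"),
                     lambda m: sns.publish(TopicArn=os.environ["SNS_TOPIC_ARN"], Message=m))
```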
33. Key takeaways
• Collect and process security findings from multiple accounts within a region
• Evaluate your compliance against regulatory and best-practice frameworks
• Identify and prioritize the most important issues by grouping and correlating security findings with Insights
• Understand and manage your overall AWS security and compliance posture