Customers using AWS benefit from over 1,800 security and compliance controls built into the AWS platform and operations. In this session, you will learn how to take advantage of the advanced security features of the AWS platform to gain the visibility, agility, and control needed to be more secure in the cloud than in legacy environments. We'll take a look at several reference architectures for common workloads and highlight the innovative ways customers are using AWS to manage security more efficiently. After attending this session, you will be familiar with the shared security responsibility model and how you can inherit controls from the rich compliance and accreditation programs maintained by AWS.
2. Agenda
• Built-in AWS controls you inherit
• Framework to help you adopt cloud security best practices
• AWS services to automate your security at scale
• Incident response reference architecture example
8. AWS Security Controls
[Diagram: shared responsibility stack, AWS at the bottom, customer on top]
AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customer (built on AWS's consistent baseline controls):
• Your own accreditation
• Your own certifications
• Your own external audits
Customer scope and effort is reduced; better results through focused efforts.
9. Cloud Adoption Framework
• Helps you adapt existing practices or introduce new practices for cloud computing
10. The Security Journey to the Cloud
Security in the cloud is familiar. The ability to perform actions faster, at a larger scale and at lower cost does not invalidate well-established principles of information security.
11. The CAF Security Perspective
5 Core Capabilities
Identity and Access Management
Detective Controls
Infrastructure Security
Data Protection
Incident Response
12. Scaling to >1 Million Users
[Reference architecture diagram. Components shown: User, Amazon Route 53, Amazon CloudFront, Amazon S3, Elastic Load Balancing, Web Instances (four) spread across Availability Zones, RDS DB Instance Active (Multi-AZ) with RDS DB Instance Read Replicas, Amazon DynamoDB, Amazon ElastiCache, Amazon SQS, Worker Instances, Internal App Instances, Amazon CloudWatch, Amazon SES, AWS Lambda]
13. Security Already Built In…
• Security groups are virtual firewalls that control the traffic for one or more resources.
• AWS Identity and Access Management (IAM) securely controls access to AWS services and resources for your users.
20. Infrastructure Security – AWS Config Rules
• Amazon CloudTrail should be enabled… Is it?
• All Amazon EBS volumes encrypted… Are they?
• All security groups in attached state should not have unrestricted access to port 22. Do they?
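The three questions on the slide are exactly what an AWS Config rule answers, continuously, against the live account. The following is an added example (not the deck's or AWS's code) that evaluates those same three checks offline in Python, returning the COMPLIANT / NON_COMPLIANT verdicts a custom rule would report. The result keys reuse the names of the AWS Config managed rules that cover the same checks (cloudtrail-enabled, encrypted-volumes, restricted-ssh); the account snapshot at the bottom is constructed sample data shaped like the boto3 responses from describe_trails, get_trail_status, describe_volumes, describe_security_groups and describe_network_interfaces, so nothing here talks to AWS. The port-22 check is deliberately broader than "port 22 from 0.0.0.0/0": it also catches IpProtocol -1 (all traffic), port ranges that happen to include 22, and IPv6 ::/0, and it honours the slide's "attached state" qualifier by reporting world-open but unattached groups separately.

```python
"""Offline evaluation of the three slide checks, Config-rule style.
Constructed example: the snapshot mirrors the shape of boto3 responses,
but no AWS API is called."""
from ipaddress import ip_network

ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")


def cloudtrail_enabled(trails, statuses):
    """Rule 1: at least one trail exists and is currently logging.
    `trails` is describe_trails()['trailList']; `statuses` maps trail ARN to
    get_trail_status()['IsLogging']. A trail that exists but is stopped fails."""
    return any(statuses.get(t["TrailARN"], False) for t in trails)


def unencrypted_volumes(volumes):
    """Rule 2: every EBS volume must report Encrypted == True. Returns violators."""
    return sorted(v["VolumeId"] for v in volumes if not v.get("Encrypted", False))


def _covers_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`.
    IpProtocol '-1' means all protocols and all ports, so it always covers."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _world_open(perm):
    """True if any source in the entry is the whole IPv4 or IPv6 internet."""
    v4 = any(ip_network(r["CidrIp"]) == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(ip_network(r["CidrIpv6"]) == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def open_groups_on_port(groups, interfaces, port=22):
    """Rule 3: groups allowing inbound `port` from 0.0.0.0/0 or ::/0.
    Only groups attached to a network interface are live exposure; open but
    unattached groups are returned separately so they can be deleted rather
    than paged on. Returns (attached, unattached), both sorted."""
    attached_ids = {g["GroupId"] for eni in interfaces for g in eni.get("Groups", [])}
    attached, unattached = [], []
    for sg in groups:
        exposed = any(_covers_port(p, port) and _world_open(p)
                      for p in sg.get("IpPermissions", []))
        if exposed:
            (attached if sg["GroupId"] in attached_ids else unattached).append(sg["GroupId"])
    return sorted(attached), sorted(unattached)


def evaluate(trails, statuses, volumes, groups, interfaces):
    """Roll the three checks into Config-style verdicts, keyed by the names of
    the AWS managed rules that implement the same checks."""
    live_open, _ = open_groups_on_port(groups, interfaces)
    verdict = lambda ok: "COMPLIANT" if ok else "NON_COMPLIANT"
    return {
        "cloudtrail-enabled": verdict(cloudtrail_enabled(trails, statuses)),
        "encrypted-volumes": verdict(not unencrypted_volumes(volumes)),
        "restricted-ssh": verdict(not live_open),
    }


# ---- constructed account snapshot (sample data, not a real account) ----
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
TRAILS = [{"Name": "org-trail", "TrailARN": TRAIL_ARN}]
TRAIL_STATUS = {TRAIL_ARN: True}
VOLUMES = [{"VolumeId": "vol-0a1", "Encrypted": True},
           {"VolumeId": "vol-0b2", "Encrypted": False}]
SECURITY_GROUPS = [
    # SSH from anywhere, attached: the classic finding
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # SSH from one office range only: allowed
    {"GroupId": "sg-office-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    # all protocols from anywhere, but attached to nothing
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # a port range that happens to include 22, open over IPv6 only
    {"GroupId": "sg-v6", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
INTERFACES = [
    {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-bastion"}]},
    {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-office-ssh"}, {"GroupId": "sg-v6"}]},
]

if __name__ == "__main__":
    print(evaluate(TRAILS, TRAIL_STATUS, VOLUMES, SECURITY_GROUPS, INTERFACES))
    print(open_groups_on_port(SECURITY_GROUPS, INTERFACES))
```

Against the sample snapshot the account is compliant on CloudTrail only: vol-0b2 is unencrypted, sg-bastion and sg-v6 are both attached and reachable on 22 from the internet (sg-v6 via a 0-1024 range over ::/0), and sg-legacy is world-open but unattached, so it is listed for cleanup rather than counted as exposure.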
24. Data Protection - Encryption
Encryption In Transit: SSL/TLS, VPN / IPsec, SSH
Encryption At Rest: Object, Database, Filesystem, Disk
25. Data Protection – AWS Certificate Manager (ACM)
• Easily provision, manage, and deploy TLS certificates
• Use with Amazon Elastic Load Balancing (ELB) or an Amazon CloudFront distribution
26. Data Protection – AWS Certificate Manager
Request a certificate:
1. Add domain names
2. Review & request
3. Validation
27. Data Protection – AWS Key Management Service (AWS KMS)
[Diagram: Customer Master Keys at the root, protecting one data key per resource: Data key 1 for an S3 object, Data key 2 for an EBS volume, Data key 3 for an Amazon Redshift cluster, Data key 4 for a custom application]
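The diagram above is envelope encryption: the customer master key never leaves KMS, and each object gets its own data key, which is used locally and stored alongside the ciphertext only in wrapped form. Below is an added example (not the deck's or AWS's code) that walks the same hierarchy end to end in Python. Two things are stand-ins so that it runs offline on the standard library: FakeKMS imitates the GenerateDataKey and Decrypt calls, and the cipher is an HMAC-SHA256 counter-mode stream with an HMAC tag in place of the AES-GCM that KMS and the AWS Encryption SDK actually use. The key hierarchy is the point; the toy cipher is not for production.

```python
"""Envelope encryption with a local stand-in for KMS (constructed example).
The CMK stays inside FakeKMS; callers only ever hold data keys and wrapped
data keys. The AEAD below is a toy (HMAC-CTR + HMAC tag), not AES-GCM."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Toy counter-mode PRF: HMAC(key, nonce || counter), 32 bytes per block."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _subkeys(key):
    """Derive separate encryption and MAC keys so one key is never dual-used."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def aead_encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC; `aad` binds the ciphertext to its context (object name)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob, aad=b""):
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or context altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKMS:
    """Stand-in for the KMS control plane. CMK bytes never leave this class."""

    def __init__(self):
        self._cmks = {}

    def create_key(self, key_id):
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id):
        """Like GenerateDataKey: returns (Plaintext, CiphertextBlob). The blob
        carries the key id so Decrypt can find the CMK, as KMS blobs do."""
        data_key = os.urandom(32)
        wrapped = aead_encrypt(self._cmks[key_id], data_key, aad=key_id.encode())
        return data_key, key_id.encode() + b"\0" + wrapped

    def decrypt(self, blob):
        """Like Decrypt: unwrap a data key under the CMK named in the blob."""
        key_id, _, wrapped = blob.partition(b"\0")
        return aead_decrypt(self._cmks[key_id.decode()], wrapped, aad=key_id)


def encrypt_object(kms, key_id, body, name):
    """Client side: one data key per object, used once and then dropped;
    only the wrapped key is stored next to the ciphertext."""
    data_key, wrapped = kms.generate_data_key(key_id)
    return {"name": name, "wrapped_key": wrapped,
            "ciphertext": aead_encrypt(data_key, body, aad=name.encode())}


def decrypt_object(kms, stored):
    data_key = kms.decrypt(stored["wrapped_key"])
    return aead_decrypt(data_key, stored["ciphertext"], aad=stored["name"].encode())


def demo():
    """Exercise the hierarchy; every value in the result should be True."""
    kms = FakeKMS()
    cmk = kms.create_key("alias/app-data")
    a = encrypt_object(kms, cmk, b"customer record 1", "s3://bucket/a")
    b = encrypt_object(kms, cmk, b"customer record 1", "s3://bucket/b")
    flipped = bytes([a["ciphertext"][0] ^ 1]) + a["ciphertext"][1:]
    results = {"roundtrip": decrypt_object(kms, a) == b"customer record 1",
               "distinct_data_keys": a["wrapped_key"] != b["wrapped_key"],
               "distinct_ciphertexts": a["ciphertext"] != b["ciphertext"]}
    for label, stored in (("tamper_detected", dict(a, ciphertext=flipped)),
                          ("wrong_context_detected", dict(a, name="s3://bucket/b"))):
        try:
            decrypt_object(kms, stored)
            results[label] = False
        except ValueError:
            results[label] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the client never sees: the CMK bytes. Rotating or disabling the CMK in the key service therefore controls every object under it, while compromising one stored object yields one data key at most, and only after the attacker can call Decrypt. Binding the object name as associated data also stops a ciphertext from being silently moved under another object's name.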
41. Scaling to >1 Million Users
[Same reference architecture diagram as slide 12, repeated: Route 53, CloudFront, S3, ELB, Web Instances across Availability Zones, RDS Multi-AZ with Read Replicas, DynamoDB, ElastiCache, SQS, Worker and Internal App Instances, CloudWatch, SES, Lambda]
42. Scaling to >1 Million Users
[The slide 12 reference architecture again, now with the AWS security services overlaid on it: AWS WAF, AWS Shield, AWS Organizations, AWS CloudTrail, AWS Config, VPC Flow Logs, Amazon Inspector, AWS OpsWorks]
44. AWS Marketplace Security Partners
• Infrastructure Security
• Logging & Monitoring
• Identity & Access Control
• Configuration & Vulnerability Analysis
• Data Protection
45. Summary
o Integrated security & compliance
o Global resilience, visibility, & control
o Maintain your privacy & data ownership
o Agility through security automation
o Security innovation at scale
o Broad security partner & marketplace solutions