27. [Architecture diagram; labels only: users, DDoS, CloudFront Edge Location, WAF / Proxy, WAF, ELB, Auto Scaling, security group, DMZ, public subnet, private subnet, frontend servers, web app server]
• VPC: NACL, Security Group, ELB, Auto Scaling Group
• CloudFront
AWS cloud security best practice 2: layered network protection
29. [Diagram; labels only: Your encryption client application; Your key management infrastructure; Your applications in your data center; Your application in Amazon EC2; AWS or Your Key management infrastructure; Your Encrypted Data in AWS Services …]
AWS cloud security best practice 3: protecting critical data
33.

| Key Question | DIY | AWS Marketplace Partner Solution | AWS CloudHSM | AWS Key Management Service |
|---|---|---|---|---|
| Where are keys generated and stored | Your network or in AWS | Your network or in AWS | In AWS, on an HSM that you control | AWS |
| Where keys are used | Your network or your EC2 instance | Your network or your EC2 instance | AWS or your applications | AWS services or your applications |
| How to control key use | Config files, Vendor-specific management | Vendor-specific management | Customer code + Safenet APIs | Policy you define; enforced in AWS |
| Responsibility for Performance/Scale | You | You | You | AWS |
| Integration with AWS services? | Limited | Limited | Limited | Yes |
| Price | $$$$$ Variable | 0-$$$ Per hour/per year | $$$ Per hour | $ Per key/usage |
Comparison of several key management options on AWS
AWS best practices for protecting data at rest, whitepaper:
https://d0.awsstatic.com/whitepapers/AWS_Securing_Data_at_Rest_with_Encryption.pdf
34. You are making API calls... on a growing set of services around the world… AWS CloudTrail is continuously recording API calls… and delivering log files to you. [Diagram labels: AWS CloudTrail, CloudWatch]
AWS cloud security best practice 4: security visualisation
41. Cloud security information and event management (SIEM)
[Architecture diagram; labels only: VPC subnet, Availability Zone, Security group (two of each); Virtual Gateway; Corporate data centre; Users; Data centre router; Update Servers; Connectivity; CloudTrail; CloudWatch; SIEM Aggregator]
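As an added example (not from the slides), the script below reads CloudTrail log-file records in the JSON shape CloudTrail delivers, normalises them into the fields a SIEM aggregator keys on, and surfaces KMS calls rejected by the key policy, connecting the "Policy you define; enforced in AWS" row of the comparison table to the log files CloudTrail delivers. The sample records, account id, ARNs and addresses are constructed.

```python
import json
from collections import Counter
# Constructed sample in the shape of a delivered CloudTrail log file: a JSON
# object whose "Records" array holds one object per recorded API call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-04-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}},
    {"eventTime": "2015-04-01T10:00:05Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: kms:Decrypt"},
    {"eventTime": "2015-04-01T10:00:07Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"}},
]})

def load_records(log_text):
    """Return the per-call records from one CloudTrail log file."""
    return json.loads(log_text).get("Records", [])

def normalise(record):
    """Flatten one record to SIEM fields; CloudTrail sets errorCode only on failure."""
    return {
        "time": record.get("eventTime"),
        "actor": record.get("userIdentity", {}).get("arn", "unknown"),
        "service": record.get("eventSource", "").split(".")[0],  # "kms", "ec2", ...
        "action": record.get("eventName"),
        "region": record.get("awsRegion"),
        "src_ip": record.get("sourceIPAddress"),
        "outcome": record.get("errorCode", "Success"),
    }

def calls_per_service(events):
    """Volume of recorded calls per service, for the 'growing set of services' view."""
    return Counter(e["service"] for e in events)

def denied_key_use(events):
    """KMS calls the key policy rejected: the policy is enforced inside AWS, and
    CloudTrail is where that enforcement becomes visible to the log consumer."""
    return [e for e in events if e["service"] == "kms" and e["outcome"] == "AccessDenied"]

if __name__ == "__main__":
    events = [normalise(r) for r in load_records(SAMPLE_LOG)]
    print(dict(calls_per_service(events)))
    for e in denied_key_use(events):
        print("DENIED", e["time"], e["actor"], e["action"], "from", e["src_ip"])
```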