
Using AWS Organizations to Ensure Compliance in Your Cloud


AWS is hosting the first FSI Cloud Symposium in Hong Kong, which will take place on Thursday, March 23, 2017 at the Grand Hyatt Hotel. The event will bring together FSI customers, industry professionals and AWS experts to explore how to turn the dream of transformation, innovation and acceleration into reality by exploiting Cloud, Voice to Text and IoT technologies. The packed agenda includes expert sessions on a host of pressing issues, such as security and compliance, as well as customer experience sharing on how cloud computing is benefiting the industry.

Speaker: Brian Wagner, Security Consultant, Professional Services, AWS


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Brian Wagner, AWS Security Consultant, 23 March 2017. Using AWS Organizations to Ensure Compliance in Your Cloud
  2. In this session
     • How did we get here
     • Service Overview
     • Best practices
     • Troubleshooting
  3. How did we get here
  4. AWS Account Overview (diagram: an AWS Account containing Users, Groups, Roles, Policies and Resources such as S3)
  5. AWS Account Decisions (diagram labels: Administrative Boundary, Resource Containment, Billing Entity; Environmental, Business, Workload)
  6. AWS Accounts, One to Many (diagram of many AWS account icons)
  7. Service Overview
  8. AWS Organizations
     • New management capability for centrally managing multiple AWS accounts
       - Simplified creation of new AWS accounts
       - Logically group AWS accounts for management convenience
       - Apply organizational control policies (OCP)
       - Simplified billing
     • Console, SDK, and CLI support for all management tasks
  9. AWS Organizations (diagram: Master Account / Administrative root (M); Organizational Units (OU) Dev, Test, Prod; AWS Accounts A1 to A4; Organization Control Policy (OCP); AWS Resources)
  10. Apply Organizational Control Policies (OCP)
     • Describes controls to be applied
     • Different use cases have different types of OCPs
     • OCPs can be attached to
       - Organization
       - OUs
       - AWS account
     • OCPs are inherited up the hierarchy: AWS Account ← OU ← Organization
  11. AWS Organizations (diagram: accounts A1 to A4 under the Dev, Test and Prod OUs)
  12. OCP V1: Service Control Policies (SCPs)
     • Enables you to control which AWS service APIs are accessible
       - Define the list of APIs that are allowed – Whitelisting
       - Define the list of APIs that must be blocked – Blacklisting
     • Cannot be overridden by local administrator
     • Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions
     • Necessary but not sufficient
     • IAM policy simulator is SCP aware
  13. SCPs are necessary but not sufficient (diagram: SCP allows S3:*, SQS:*, EC2:*; IAM allows EC2:*; resultant permission is EC2:*)
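The intersection rule from slides 12 and 13, worked through as an added example (not from the deck or from AWS): a simplified evaluator that treats an SCP as a boundary and an IAM policy as the grant, and only allows an action when both allow it. The policy documents are constructed for illustration, matching is on the Action element only (Resource and Condition are ignored), and the "whitelisting" and "blacklisting" SCP shapes are the two the slides describe.

```python
import fnmatch

# Constructed policies (illustrative, not from the presentation).
# Whitelisting SCP: only S3, SQS and EC2 APIs may be used in the account.
SCP_WHITELIST = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "sqs:*", "ec2:*"]}]}
# Blacklisting SCP: everything allowed except stopping CloudTrail logging.
SCP_BLACKLIST = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging"]}]}
# IAM policies attached to a user/role inside the member account.
IAM_EC2_ONLY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*"}]}
IAM_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*"}]}


def _matches(patterns, action):
    """Case-insensitive wildcard match of an action against Action patterns."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def policy_allows(policy, action):
    """Simplified IAM-style evaluation: an explicit Deny wins over any Allow,
    and with no matching Allow the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(scp, iam_policy, action):
    """Resultant permission = intersection: the SCP must allow the action AND
    the IAM policy must grant it. Neither side alone is sufficient."""
    return policy_allows(scp, action) and policy_allows(iam_policy, action)


def effective_actions(scp, iam_policy, actions):
    """Return the subset of `actions` the principal can actually call."""
    return sorted(a for a in actions if effective_allow(scp, iam_policy, a))


if __name__ == "__main__":
    probe = ["ec2:RunInstances", "s3:GetObject", "iam:CreateUser",
             "cloudtrail:StopLogging", "cloudtrail:StartLogging"]
    print("whitelist SCP + EC2-only IAM:", effective_actions(SCP_WHITELIST, IAM_EC2_ONLY, probe))
    print("whitelist SCP + admin IAM:   ", effective_actions(SCP_WHITELIST, IAM_ADMIN, probe))
    print("blacklist SCP + admin IAM:   ", effective_actions(SCP_BLACKLIST, IAM_ADMIN, probe))
```

The second case is the slide's point about local administrators: an account-level `*` grant still cannot reach `iam:CreateUser` because the whitelisting SCP never allows it.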
  14. Simplified Billing
     • Single payer for all AWS accounts
     • All AWS usage across AWS accounts in your organization rolled up for volume pricing and billing
     • All existing Consolidated Billing families will be migrated to an organization in billing mode
  15. Different Management Levels (you select the management level when creating a new organization)
     • Billing mode
       - Backward-compatible with current Consolidated Billing (CB)
       - Organization created from a Consolidated Billing family is automatically in Billing mode
     • Full-control mode
       - Everything included in Billing mode
       - Enables management of ALL types of OCPs
       - Changing from Billing mode to Full-control mode requires consent from all AWS accounts in your organization
  16. Least Privilege for Management
     • IAM permissions for all AWS Organizations actions
     • You can also specify AWS Organizations resources (organization, OU, AWS account) as resources in an IAM policy
     • You can delegate permissions to manage your organization to an IAM user in another AWS account by using IAM roles
     • All organization management activity is logged in AWS CloudTrail
  17. Best practices
  18. Best practices – AWS Organizations
     • Monitor activity of the master account using CloudTrail
     • Do not manage resources in the master account
     • Manage your organization using the principle of “Least Privilege”
     • Use OUs to assign controls
     • Test controls on a single AWS account first
     • Only assign controls to the root of the organization if necessary
     • Avoid mixing “whitelisting” and “blacklisting” SCPs in an organization
     • Create new AWS accounts for the right reasons
  19. Best practices – AWS IAM
     • Reduce or remove use of root
     • Create individual IAM users
     • Configure a strong password policy
     • Enable MFA for privileged users
     • Grant least privilege
     • Manage permissions with groups
     • Restrict privileged access further with conditions
     • Rotate security credentials regularly
     • Use IAM roles to share access
     • Use IAM roles for Amazon EC2 instances
     • Monitor activity
  20. Resources
     • AWS Organizations
     • IAM Policies for AWS Organizations
     • Logging AWS Organizations events with AWS CloudTrail
     • Troubleshooting AWS Organizations Policies
     • IAM Policy Simulator
  21. Thank you! Brian Wagner, AWS Security Consultant