© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ben Potter
AWS Cloud Security Consultant, Amazon Web Services
Level 300
Well-Architected for Security
Advanced Session
Agenda
• Design Principles
• Infrastructure Protection
• Identity & Access Management
• Incident Response & Forensics
Security Design Principles
Well-Architected Security Design Principles
• Apply security at all layers
• Enable traceability
• Implement a principle of least privilege
• Focus on securing your system
• Automate security best practices
Example Corp

Example Corp Current Architecture (diagram). Public Web, www.example.com, is served through AWS Edge Locations (Amazon Route 53 and Amazon CloudFront). Two accounts, Development and Production, each hold a Sydney VPC spanning AZ 1 and AZ 2; in each VPC the Public Web tier and the Design App tier sit behind an ELB with an RDS Master and an RDS Standby.
Current Storage
Access: AWS managed IAM policies only (Administrator, Power user, EC2 roles); root login is never used.
S3 buckets:
• examplecorp-cfn-templates: CloudFormation templates
• examplecorp-dbexport: database exports
• examplecorp-logs-cloudtrail: CloudTrail logs
EBS data volumes: encrypted with the default KMS key.
Identity & Access Management
Example Corp Self Assessment
SEC 2. How are you defining roles and responsibilities of system users to control human access to
the AWS Management Console and API?
SEC 3. How are you limiting automated access to AWS resources?
SEC 5. How are you enforcing network and host-level boundary protection?
SEC 6. How are you leveraging AWS service level security features?
SEC 8. How are you classifying your data?
SEC 9. How are you encrypting and protecting your data at rest?
SEC 10. How are you managing keys?
SEC 12. How do you ensure that you have the appropriate incident response?
Infrastructure Protection
Multi VPC & Account Strategy
Considerations for a multi-account, multi-VPC strategy:
• Security & data classification
• Supportability & limits
• Automation & lifecycle
• Networking & data centre centric
Split Public Web & Design Apps (diagram). Same layout as the current architecture, but the Public Web tier (www.example.com behind Route 53 and CloudFront at the AWS Edge Locations) is separated from the Design App tier; the Development and Production accounts each keep a Sydney VPC across AZ 1 and AZ 2 with an ELB and an RDS Master/Standby pair per tier.
New DNS Architecture: Public Info Web Site (diagram). Route 53 hosted zone example.com with geolocation record sets for the origin: Oceania: origin. > apac.; North America: origin. > usa.; Default: origin. > usa. A Route 53 health check on the primary (Sydney) drives failover to Oregon; CloudFront fronts both, with AWS WAF attached to CloudFront.
New Edge Architecture: Public Info Web Site (diagram). The internet reaches the primary site (www.example) only through CloudFront with AWS WAF attached. Route 53 origin routing sends CloudFront to EC2 origins in a VPC in one or many regions; Amazon S3 static hosting serves the custom error pages. A Route 53 failover health check switches *.example to a failover site on Amazon S3 static hosting. CloudFront adds a custom header carrying a secret to every origin request, so the origin can reject anything that did not pass through CloudFront and WAF.
New VPC Architecture: Public Info Web Site (diagram). Public Web VPC - Sydney across AZ 1, AZ 2 and AZ 3: traffic from the CloudFront Edge Locations enters through an ELB to the Public Web tier (EC2 instances with a WAF), with a second ELB in front of Services.
New VPC Architecture: Design App (diagram). Three VPCs across AZ 1, AZ 2 and AZ 3: an Application VPC holding the Design App behind Elastic Load Balancing; an Egress VPC that carries all outbound traffic through a Proxy with DNS Filtering, DLP and the VPN; and a Services VPC for Bastions, Security Tools, Code Tools and CI/CD.
New Storage
Bucket names get a unique suffix (examplecorp-dbexport-syd-accid-123abc); the old buckets such as examplecorp-dbexport are kept as canaries, so any access to them is an alert.
S3:
• Automatic remediation of object ACLs
• Enforcing encrypted objects
• Object tagging for data classification
• Replicating critical data
EBS: all volumes encrypted with KMS keys per application and environment.
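The two S3 controls above, automatic ACL remediation and enforced encryption, as an added example. This is not the bit.ly/S3ACL code from the deck; it uses only standard boto3 S3 client calls (get_object_acl, put_object_acl, head_object, copy_object), and the FakeS3 class stands in for boto3.client("s3") so it runs offline. The bucket name, object key and ACL state are constructed; the KMS key ARN is the one from the bucket policy later in the deck.

```python
"""Remediate one S3 object: strip public ACL grants and force SSE-KMS with the
bucket's designated key. Added example, not code from the deck or from AWS.
In production, `remediate_object` is the body of a Lambda fired by the
bucket's ObjectCreated:* / PutObjectAcl events; here FakeS3 replaces boto3.
"""
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_grants(acl: dict) -> list:
    """Permissions granted to the two public S3 groups, e.g. ['AllUsers:READ']."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append(f"{grantee['URI'].rsplit('/', 1)[1]}:{g['Permission']}")
    return out


def needs_reencrypt(head: dict, kms_key_arn: str) -> bool:
    """True unless the object is SSE-KMS under exactly the expected key."""
    return not (head.get("ServerSideEncryption") == "aws:kms"
                and head.get("SSEKMSKeyId") == kms_key_arn)


def remediate_object(s3, bucket: str, key: str, kms_key_arn: str) -> dict:
    """Make one object compliant; returns which actions were needed."""
    actions = {"acl_reset": False, "reencrypted": False}
    if public_grants(s3.get_object_acl(Bucket=bucket, Key=key)):
        # 'private' = owner FULL_CONTROL only; idempotent, so safe to repeat.
        s3.put_object_acl(Bucket=bucket, Key=key, ACL="private")
        actions["acl_reset"] = True
    if needs_reencrypt(s3.head_object(Bucket=bucket, Key=key), kms_key_arn):
        # Copy the object onto itself changing only the encryption; S3 allows
        # a self-copy when encryption attributes change. Metadata is kept.
        s3.copy_object(Bucket=bucket, Key=key,
                       CopySource={"Bucket": bucket, "Key": key},
                       ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_arn,
                       MetadataDirective="COPY")
        actions["reencrypted"] = True
    return actions


class FakeS3:
    """Offline stand-in for boto3.client('s3'); its state is constructed."""
    def __init__(self, grants, head):
        self.acl = {"Grants": grants}
        self.head = dict(head)
        self.calls = []

    def get_object_acl(self, Bucket, Key):
        return self.acl

    def put_object_acl(self, Bucket, Key, ACL):
        self.calls.append(("put_object_acl", ACL))
        self.acl = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                                "Permission": "FULL_CONTROL"}]}

    def head_object(self, Bucket, Key):
        return self.head

    def copy_object(self, **kw):
        self.calls.append(("copy_object", kw["SSEKMSKeyId"]))
        self.head.update({"ServerSideEncryption": kw["ServerSideEncryption"],
                          "SSEKMSKeyId": kw["SSEKMSKeyId"]})


KEY_ARN = "arn:aws:kms:ap-southeast-2:123456789012:key/key-id"  # key from the bucket policy slide


def demo() -> dict:
    """A publicly readable, AES256-encrypted export: remediate it twice."""
    s3 = FakeS3(
        grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
                {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}],
        head={"ServerSideEncryption": "AES256"},
    )
    bucket, key = "examplecorp-dbexport-syd-accid-123abc", "export.sql.gz"  # constructed names
    first = remediate_object(s3, bucket, key, KEY_ARN)
    second = remediate_object(s3, bucket, key, KEY_ARN)  # nothing left to fix
    return {"first": first, "second": second, "calls": s3.calls}


if __name__ == "__main__":
    print(demo())
```

The second pass is the point of the idempotency check: an event-driven remediator will be re-triggered by its own PutObjectAcl and CopyObject calls, and must not loop. Objects uploaded by another account without bucket-owner-full-control cannot be re-ACLed by the bucket owner, so pair this with a bucket policy that denies such uploads.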
VPC: Tips from the Trenches
• Use Security Group outbound rules
• Use NACLs sparingly, horizontally
• Avoid the launch wizard for creating Security Groups
• Avoid using the default route table
• Decide on IGW use and control it with IAM
Identity & Access Management
Account Structure
Current: a Production account and a Development account.
Future: a Master account (M) with the accounts (A) grouped into OUs, each OU carrying a blacklist OCP (the Organizations preview name for what is now a Service Control Policy):
• Security OU: Security Operations, Security Forensics
• Production OU: Design App (Sydney), Design App (Oregon), Public Web (Global)
• Development OU: Design App (Sydney), Design App (Oregon), Public Web (Global)
• Playpen OU: Playpen (Sydney), Playpen (Oregon)
New Roles & Policies
Assumed IAM roles:
• Break-glass administrator: CloudTrail & security maintenance
• Security Operators: read-only audit + read-only logs to all accounts
• Developers/Operators: every-day reduced scope + EC2 Systems Manager
• Playpen: unrestricted, no access to development or production
Guardrails
IAM: Force Tags & Restrict
How to lock down to region & tag: the Resource ARNs pin the region (ap-southeast-2) and account, aws:RequestTag/* pins the tag values, and ForAllValues:StringEquals on aws:TagKeys rejects a launch carrying any tag key outside the list. Example tags:
  "Classification" : "Top Secret"
  "Team" : "Team A"
  "Application" : "Public Web"
  "Owner" : "Marketing"

{
  "Effect": "Allow",
  "Action": ["ec2:RunInstances"],
  "Resource": [
    "arn:aws:ec2:ap-southeast-2:123456789012:instance/*",
    "arn:aws:ec2:ap-southeast-2:123456789012:volume/*"
  ],
  "Condition": {
    "StringEquals": {
      "aws:RequestTag/Classification": "Public",
      "aws:RequestTag/Application": "Public Web"
    },
    "ForAllValues:StringEquals": {
      "aws:TagKeys": ["Classification", "Application"]
    }
  }
}
.....

The tag conditions only apply to the instance and volume resources; RunInstances also needs a second Allow statement, without tag conditions, for the image, subnet, security group, key pair and network interface ARNs.
IAM: Tag Restrictions
How to lock down RDS to a region and a name: the ARN fixes region and account, and the myprefix-* identifier pattern does for RDS what the tag condition does for EC2, since the RDS ARN carries the resource name:

{
  "Effect": "Allow",
  "Action": ["rds:CreateDBCluster"],
  "Resource": ["arn:aws:rds:ap-southeast-2:123456789012:cluster:myprefix-*"]
},
{
  "Effect": "Allow",
  "Action": ["rds:CreateDBInstance"],
  "Resource": ["arn:aws:rds:ap-southeast-2:123456789012:db:myprefix-*"]
}
IAM: Lambda Restrictions
Naming Lambda functions with a prefix lets an explicit Deny keep the security automations from being tampered with (or shadowed by a new function of the same name):

{
  "Effect": "Deny",
  "Action": [
    "lambda:CreateFunction",
    "lambda:UpdateFunctionCode",
    "lambda:DeleteFunction"
  ],
  "Resource": ["arn:aws:lambda:ap-southeast-2:123456789012:function:security*"]
}

In practice also deny lambda:UpdateFunctionConfiguration and lambda:AddPermission on the same prefix: changing a function's role, handler or environment, or who may invoke it, tampers with the automation without touching its code.
S3 Bucket Policy: Explicit Deny
Ensures no IAM user or role can modify the log bucket or its contents. Because the Deny names Principal "*", only the account's root user, which a bucket policy cannot deny, can revoke it, so the root credentials (never used day to day) become the break-glass path:

{
  "Effect": "Deny",
  "Principal": "*",
  "Action": [
    "s3:DeleteBucket",
    "s3:DeleteBucketPolicy",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutBucketVersioning",
    "s3:PutLifecycleConfiguration"
  ],
S3 Bucket Policy: Force KMS Key
Forces every upload to be encrypted with one specific KMS key:

{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::BucketName/*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-server-side-encryption-aws-kms-key-id":
        "arn:aws:kms:ap-southeast-2:123456789012:key/key-id"
    }
  }
}

Note: all GET and PUT requests for an object protected by AWS KMS fail if they are not made over SSL/TLS or signed with SigV4. Because StringNotEquals matches when the condition key is absent, the Deny also catches uploads that omit the header entirely, such as a client relying on bucket default encryption.
IAM: KMS Policy
Denies use of the default master key, so applications have to use their own per-application, per-environment keys:

{
  "Effect": "Deny",
  "Action": [
    "kms:Encrypt",
    "kms:CreateGrant",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncrypt*"
  ],
  "Resource": [
    "arn:aws:kms:ap-southeast-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  ]
}
IAM: User Policy
All users have minimum privileges and assume roles; the Allow only applies from an MFA-authenticated session:

{
  "Effect": "Allow",
  "Action": [
    "sts:AssumeRole",
    "sts:GetSessionToken"
  ],
  "Resource": [
    "arn:aws:iam::123456789012:role/name"
  ],
  "Condition": {
    "Bool": {
      "aws:MultiFactorAuthPresent": "true"
    }
  }
}
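The guardrail statements on the preceding slides (the tag-enforcing RunInstances Allow, the force-KMS-key S3 Deny and the MFA-gated AssumeRole Allow) depend on condition-operator semantics that are easy to get wrong, in particular how a missing key is treated. The following is an added example, not AWS code or part of the deck: a minimal evaluator for just the operators those statements use, run against constructed request contexts. Resource and Principal matching are left out, and PUT_ALLOW is an assumed identity-policy Allow that the bucket-policy Deny overrides.

```python
"""Minimal evaluator for the IAM condition operators used in the deck's policies.

Added example, not AWS code. Models only: StringEquals / StringNotEquals on
single-valued keys (for the *Not* operator IAM treats an absent key as a
match, so a Deny still fires), ForAllValues:StringEquals on the multi-valued
aws:TagKeys, and Bool on aws:MultiFactorAuthPresent. Request contexts below
are constructed for the example.
"""
from typing import Any, Dict, List, Optional


def _values(ctx: Dict[str, Any], key: str) -> List[str]:
    """Request-context values for `key` as strings; [] when the key is absent."""
    v = ctx.get(key)
    if v is None:
        return []
    return [str(x) for x in v] if isinstance(v, (list, tuple, set)) else [str(v)]


def condition_matches(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, Any]) -> bool:
    """True when every operator/key pair in the Condition block matches `ctx`."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            exp = [str(e) for e in (expected if isinstance(expected, list) else [expected])]
            have = _values(ctx, key)
            if operator == "StringEquals":
                if not have or have[0] not in exp:
                    return False
            elif operator == "StringNotEquals":
                if have and have[0] in exp:  # absent key counts as "not equal"
                    return False
            elif operator == "ForAllValues:StringEquals":
                if any(h not in exp for h in have):  # every request value must be allowed
                    return False
            elif operator == "Bool":
                if not have or have[0].lower() != exp[0].lower():
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(statements: List[dict], action: str, ctx: Dict[str, Any]) -> str:
    """Explicit Deny beats Allow; no matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for s in statements:
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if not any(a == action or (a.endswith("*") and action.startswith(a[:-1])) for a in acts):
            continue
        if not condition_matches(s.get("Condition", {}), ctx):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# The deck's statements, minus Resource/Principal.
TAG_STATEMENT = {
    "Effect": "Allow", "Action": ["ec2:RunInstances"],
    "Condition": {
        "StringEquals": {"aws:RequestTag/Classification": "Public",
                         "aws:RequestTag/Application": "Public Web"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Classification", "Application"]},
    },
}
KMS_KEY = "arn:aws:kms:ap-southeast-2:123456789012:key/key-id"
FORCE_KMS_DENY = {
    "Effect": "Deny", "Action": "s3:PutObject",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY}},
}
PUT_ALLOW = {"Effect": "Allow", "Action": "s3:PutObject"}  # assumed identity-policy Allow
MFA_STATEMENT = {
    "Effect": "Allow", "Action": ["sts:AssumeRole", "sts:GetSessionToken"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
}


def run_instances_decision(tags: Dict[str, str]) -> str:
    ctx: Dict[str, Any] = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    ctx["aws:TagKeys"] = list(tags)  # tag-on-create populates both key families
    return evaluate([TAG_STATEMENT], "ec2:RunInstances", ctx)


def put_object_decision(kms_key_id: Optional[str] = None) -> str:
    ctx = {} if kms_key_id is None else {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_id}
    return evaluate([PUT_ALLOW, FORCE_KMS_DENY], "s3:PutObject", ctx)


def assume_role_decision(mfa_present: Optional[str] = None) -> str:
    # Long-term access keys put no aws:MultiFactorAuthPresent key in the context at all.
    ctx = {} if mfa_present is None else {"aws:MultiFactorAuthPresent": mfa_present}
    return evaluate([MFA_STATEMENT], "sts:AssumeRole", ctx)


if __name__ == "__main__":
    print(run_instances_decision({"Classification": "Public", "Application": "Public Web"}))
    print(run_instances_decision({"Classification": "Public", "Application": "Public Web", "Owner": "Marketing"}))
    print(put_object_decision(), put_object_decision(KMS_KEY))
    print(assume_role_decision(), assume_role_decision("true"))
```

The cases worth running: an extra Owner tag turns the RunInstances Allow into an implicit deny (that is ForAllValues doing its job), an upload with no encryption header is denied just like one with the wrong key, and a caller on long-term keys never satisfies the Bool condition because the MFA key is simply absent from the context.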
Demo
Incident Response & Forensics
Example Corp: First Incident
Monitoring tools alerted to a web instance network anomaly in the VPC Flow Logs:

630247214269 eni-0123456a 10.0.1.221 10.76.2.101 27039 22 6 5 268 1466491141 1466491200 REJECT OK

Read as account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status (the default format's leading version field is not shown): web instance 10.0.1.221 tried to open tcp/22 (SSH) to 10.76.2.101 and was rejected. The web instances are only expected to see 443 IN | 3128 OUT (HTTPS in, proxy traffic out), so an SSH attempt originating from a web instance is the anomaly.
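The detection behind that alert, as an added example that is not part of the deck: a baseline check over VPC Flow Log records that knows what a web instance is allowed to do (443 in, 3128 out to the proxy) and flags everything else, including the return half of an allowed connection only when it is not one. The sample log is constructed; its first line is the record from the slide, the web subnet CIDR is an assumption, and the other addresses are documentation ranges.

```python
"""Baseline check over VPC Flow Log records (added example, not from the deck).

Web instances are expected to accept only tcp/443 in and to open only
tcp/3128 out (to the egress proxy). Any other flow touching a web ENI,
ACCEPTed or REJECTed, is an anomaly. Return traffic of an allowed
connection (src port 443 leaving the web instance, src port 3128 coming
back from the proxy) must not be flagged, or every hit becomes a false alarm.

Field order follows the slide (default format minus the leading version):
  account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
SAMPLE_LOG is constructed; its first line is the record on the slide.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

WEB_CIDR = ipaddress.ip_network("10.0.1.0/24")  # assumption: the web subnet
ALLOWED_IN: Set[Tuple[int, int]] = {(6, 443)}    # (protocol, port) into web
ALLOWED_OUT: Set[Tuple[int, int]] = {(6, 3128)}  # (protocol, port) out of web

SAMPLE_LOG = """\
630247214269 eni-0123456a 10.0.1.221 10.76.2.101 27039 22 6 5 268 1466491141 1466491200 REJECT OK
630247214269 eni-0123456a 203.0.113.9 10.0.1.221 51422 443 6 20 9000 1466491141 1466491200 ACCEPT OK
630247214269 eni-0123456a 10.0.1.221 203.0.113.9 443 51422 6 18 40000 1466491141 1466491200 ACCEPT OK
630247214269 eni-0123456a 10.0.1.221 10.0.9.10 40001 3128 6 30 12000 1466491141 1466491200 ACCEPT OK
630247214269 eni-0123456a 10.0.9.10 10.0.1.221 3128 40001 6 28 200000 1466491141 1466491200 ACCEPT OK
630247214269 eni-0123456a 10.0.1.221 198.51.100.7 40002 443 6 3 180 1466491141 1466491200 ACCEPT OK
630247214269 eni-0123456a 10.0.1.221 10.76.2.101 27040 22 6 5 268 1466491201 1466491260 ACCEPT OK
630247214269 eni-0123456a - - - - - - - 1466491201 1466491260 - NODATA
"""


@dataclass(frozen=True)
class Finding:
    eni: str
    direction: str  # "in" or "out", from the web instance's point of view
    peer: str
    protocol: int
    port: int
    action: str


def parse_record(line: str) -> Optional[dict]:
    f = line.split()
    if len(f) != 13 or f[12] != "OK":  # NODATA / SKIPDATA rows carry no flow fields
        return None
    return {"eni": f[1], "src": f[2], "dst": f[3], "sport": int(f[4]),
            "dport": int(f[5]), "proto": int(f[6]), "action": f[11]}


def find_anomalies(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        r = parse_record(line)
        if r is None:
            continue
        fwd = (r["proto"], r["dport"])  # the connection this record would be opening
        rev = (r["proto"], r["sport"])  # the connection this record would be answering
        if ipaddress.ip_address(r["src"]) in WEB_CIDR:
            if fwd in ALLOWED_OUT or rev in ALLOWED_IN:
                continue
            findings.append(Finding(r["eni"], "out", r["dst"], fwd[0], fwd[1], r["action"]))
        else:
            if fwd in ALLOWED_IN or rev in ALLOWED_OUT:
                continue
            findings.append(Finding(r["eni"], "in", r["src"], fwd[0], fwd[1], r["action"]))
    return findings


def reject_then_accept(findings: Iterable[Finding]) -> List[Tuple[str, str, int, int]]:
    """Peer/port pairs seen both REJECTed and ACCEPTed on the same ENI.

    A blocked attempt that later succeeds means a security group or NACL
    changed mid-incident, which deserves its own alert.
    """
    seen: Dict[Tuple[str, str, int, int], Set[str]] = {}
    for f in findings:
        seen.setdefault((f.eni, f.peer, f.protocol, f.port), set()).add(f.action)
    return sorted(k for k, v in seen.items() if {"ACCEPT", "REJECT"} <= v)


if __name__ == "__main__":
    found = find_anomalies(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print("rule changed mid-incident:", reject_then_accept(found))
```

On the sample the check yields three findings: the rejected SSH from the slide, a direct tcp/443 connection to the internet that bypasses the proxy, and the same SSH destination later ACCEPTed, which reject_then_accept surfaces as a security group change during the incident.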
Incident Response
A well handled incident (NIST 800-61)
• Preparation
• Detection & Analysis
• Containment, Eradication and Recovery (Response)
• Post-Incident Activity
The Function of each
• Automation
• Plan and Procedure
• Communications
Containment, Eradication and Forensics (diagram). Anomaly detected on a Web Instance in the Application VPC: take an Amazon EBS snapshot and a memory dump of the instance, share the snapshot to the Cleanroom VPC, create a new volume from it and attach it to the Forensics instance. The suspect instance goes from 443 IN | 3128 OUT to n/a IN | n/a OUT, i.e. fully isolated.
Demo
Automated Incident Response
Air Gapped Forensics Lab: tooling; snapshots & dumps
EC2 Systems Manager: log & data collection; memory collection
Lambdas: IAM policy collection; snapshot creation; account snapshot transfer; Security Group changes
Log Triggers: privilege elevation; restricted action attempts; malware; DLP violation
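The Lambda side of that list (security group change plus snapshot creation) as an added example. This is not the aws_ir tool shown later in the deck, nor AWS code; it uses only boto3 EC2 client calls (describe_instances, create_tags, modify_instance_attribute, create_security_group, revoke_security_group_egress, create_snapshot), and FakeEC2 stands in for boto3.client("ec2") with a constructed instance so the example runs offline. The case id and resource ids are made up.

```python
"""First-responder containment for a compromised EC2 instance.

Added example, not the aws_ir tool and not AWS code. The order matters:
  1. tag the instance and turn on termination protection, so neither the
     attacker nor Auto Scaling can remove the evidence;
  2. create an isolation security group (a new group has no ingress but a
     default allow-all egress rule, which must be revoked) and swap the
     instance into it;
  3. snapshot every attached EBS volume, tagged with the case id;
  4. leave the instance RUNNING: memory acquisition (LiME, margarita shotgun)
     has to happen before any stop, so this function never stops it.
"""
from datetime import datetime, timezone


def isolate_instance(ec2, instance_id: str, case_id: str) -> dict:
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    tags = [{"Key": "IncidentCase", "Value": case_id},
            {"Key": "IsolatedAt", "Value": datetime.now(timezone.utc).isoformat(timespec="seconds")}]
    ec2.create_tags(Resources=[instance_id], Tags=tags)
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})

    sg = ec2.create_security_group(GroupName=f"isolate-{case_id}",
                                   Description=f"IR isolation {case_id}",
                                   VpcId=inst["VpcId"])["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])  # the default egress rule
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]  # keep for the report
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg])

    snapshots = []
    for bdm in inst.get("BlockDeviceMappings", []):
        vol = bdm["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=vol,
                                   Description=f"{case_id} {instance_id} {bdm['DeviceName']}",
                                   TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])
        snapshots.append((vol, snap["SnapshotId"]))
    return {"instance": instance_id, "isolation_sg": sg, "original_sgs": original_sgs,
            "snapshots": snapshots,
            "next": "capture memory, then share snapshots to the forensics account"}


class FakeEC2:
    """Offline stand-in for boto3.client('ec2'); records the call sequence."""
    def __init__(self):
        self.calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0], "VpcId": "vpc-0123456a",
            "SecurityGroups": [{"GroupId": "sg-web0001"}],
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-abcd1234"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-abcd5678"}}]}]}]}

    def create_tags(self, **kw):
        self.calls.append("create_tags")

    def modify_instance_attribute(self, **kw):
        attr = [k for k in kw if k != "InstanceId"][0]
        self.calls.append(("modify_instance_attribute", attr))

    def create_security_group(self, **kw):
        self.calls.append("create_security_group")
        return {"GroupId": "sg-isolate01"}

    def revoke_security_group_egress(self, **kw):
        self.calls.append("revoke_security_group_egress")

    def create_snapshot(self, **kw):
        self.calls.append("create_snapshot")
        return {"SnapshotId": f"snap-{kw['VolumeId'][4:]}"}


if __name__ == "__main__":
    ec2 = FakeEC2()
    print(isolate_instance(ec2, "i-abcd1234", "IR-2017-001"))
    print(ec2.calls)
```

Two caveats a responder wants spelled out: swapping security groups does not reliably kill connections that are already established (tracked flows can survive a rule change), so add a NACL deny for the instance's address when live sessions must be cut; and the snapshot is only useful to the clean room once it is shared to the forensics account and, if the volume used a KMS key, that key's policy grants the forensics account decrypt.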
Forensics Clean Room
• Define the goals for the Lab
• Define the boundary
• Automate as much as possible
• Remember any access to the lab is a risk
Memory: FTK Imager, LiME, Volatility
Network: Wireshark, Moloch, p0f, GRR
Commercial: FireEye, EnCase, FTK
AWS IR: Open Source Tool
CLI for instance and access key based response:

$ aws_ir instance-compromise --instance-ip 192.0.2.15 --user ec2-user --ssh-key key.pem
Initial connection to AmazonWebServices made.
Beginning inventory of instances world wide. This might take a minute...
Security Group Created sg-abcd1234
Security Group Egress Access Revoked for sg-abcd1234
Shifted instance into isolate security group.
Took a snapshot of volume vol-abcd1234 to snapshot snap-abcd1234
Attempting run margarita shotgun for ec2-user on 192.0.2.15 with key.pem
dumping memory to s3://abc123
capture complete
Stopping instance: instance_id=i-abcd1234
Resources
AWS Security Benchmarks: http://bit.ly/AWSSecB
AWS Well Architected Framework: http://bit.ly/WellArchF
Automatically Remediate S3 object ACLs: http://bit.ly/S3ACL
Code 06 = bmV5LXNl
References
Well-Architected Framework: http://bit.ly/WellArchF
IAM policy fragments: http://bit.ly/2myqcWH
Proxy examples: http://amzn.to/2obP1UL http://amzn.to/2mXlTiU
Automation examples: http://bit.ly/2n0rcyP
DevSecOps: http://bit.ly/2npRvBw
CIS Foundations Checker: http://bit.ly/AWSSecB
Automatically remediate S3 object ACLs: http://bit.ly/S3ACL
Federated API and CLI Access: http://amzn.to/2nOV2L3
CloudSploit: http://bit.ly/2nORZm1
CloudFormation Security Best Practices: http://amzn.to/2nXWc3o
Thank you!
“I fear not the man that has practiced 10,000 kicks, but I
fear the man who practiced one kick 10,000 times.”
Bruce Lee

OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 

Recently uploaded (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

AWS Security Best Practices for Well-Architected Infrastructures

10. Multi VPC & Account Strategy
Considerations for a multi-account, multi-VPC strategy:
• Security & data classification
• Supportability & limits
• Automation & lifecycle
• Networking & data centre centric
11. Split Public Web & Design Apps
(architecture diagram; labels: Public Web www.example.com, AWS Edge Locations, Amazon Route 53, Amazon CloudFront, Production VPC - Sydney, Development VPC - Sydney, ELB, RDS Master, RDS Standby, Public Web, Design App, Development Account >< Production Account, AZ 1, AZ 2)

12. New DNS Architecture: Public Info Web Site
(diagram; labels: Zone example.com, Route 53, Geo Record Set with Oceania: origin. > apac., North America: origin. > usa., Default: origin. > usa.; Health Check; CloudFront Primary, Sydney, Oregon; CloudFront Failover)

13. New Edge Architecture: Public Info Web Site
(diagram; labels: The internet, Route 53 Failover health check, CloudFront Primary Site www.example, CloudFront Failover Site *.example, AWS WAF, Amazon S3 Static Hosting, Route 53 Origin Routing 1 to Many Regions, VPC, EC2, Amazon S3 Error Pages, Custom Header Secret)

14. New VPC Architecture: Public Info Web Site
(diagram; labels: Public Web VPC - Sydney, AZ 1, AZ 2, AZ 3, CloudFront Edge Locations, WAF, ELB, EC2 Public Web, Services)

15. New VPC Architecture: Design App
(diagram; labels: Application VPC, Egress VPC, Services VPC, Elastic Load Balancing, Proxy, DNS Filtering, DLP, VPN, Bastions, Security Tools, Code Tools, CI/CD, Design App, ELB, AZ 1, AZ 2, AZ 3)
16. New Storage
examplecorp-dbexport-syd-accid-123abc (unique suffix); the old bucket examplecorp-dbexport is kept as a canary (old buckets are canaries).
S3:
• Automatic remediation of object ACLs
• Enforcing encrypted objects
• Object tagging for data classification
• Replicating critical data
All EBS volumes: KMS keys per application and environment

17. VPC: Tips from the Trenches
• Use Security Group outbound rules
• Use NACLs sparingly, as horizontal (subnet-level) boundaries
• Avoid the launch wizard to create Security Groups
• Avoid using the default route table
• Decide on IGW use and control it with IAM
18. Identity & Access Management

19. Account Structure
Current: Production, Development
Future (A marks an account, M the master account; a Blacklist OCP is attached at each level):
• Master (M)
• Playpen OU: Playpen (Sydney), Playpen (Oregon)
• Security OU: Security Operations, Security Forensics
• Production OU: Design App (Sydney), Design App (Oregon), Public Web (Global)
• Development OU: Design App (Sydney), Design App (Oregon), Public Web (Global)

20. New Roles & Policies
Assumed IAM roles, with guardrails:
• Break-glass administrator: CloudTrail & security maintenance
• Security Operators: read-only audit + read-only logs to all accounts
• Developers/Operators: every-day reduced scope + EC2 Systems Manager
• Playpen: unrestricted, no access to development or production
21. IAM: Force Tags & Restrict
How to lock down to region & tag (example tags: "Classification": "Top Secret", "Team": "Team A", "Application": "Public Web", "Owner": "Marketing"):

    "Effect": "Allow",
    "Action": ["ec2:RunInstances"],
    "Resource": [
      "arn:aws:ec2:ap-southeast-2:123456789012:instance/*",
      "arn:aws:ec2:ap-southeast-2:123456789012:volume/*"
    ],
    "Condition": {
      "StringEquals": {
        "aws:RequestTag/Classification": "Public",
        "aws:RequestTag/Application": "Public Web"
      },
      "ForAllValues:StringEquals": {
        "aws:TagKeys": ["Classification", "Application"]
      }
    }
    .....

22. IAM: Tag Restrictions
How to lock down to region & tag for RDS (here by restricting the resource ARNs to a name prefix):

    "Effect": "Allow",
    "Action": ["rds:CreateDBCluster"],
    "Resource": ["arn:aws:rds:ap-southeast-2:123456789012:cluster:myprefix-*"]

    "Effect": "Allow",
    "Action": ["rds:CreateDBInstance"],
    "Resource": ["arn:aws:rds:ap-southeast-2:123456789012:db:myprefix-*"]

23. IAM: Lambda Restrictions
Naming Lambdas with a prefix prevents security automations from being tampered with:

    "Effect": "Deny",
    "Action": [
      "lambda:CreateFunction",
      "lambda:UpdateFunctionCode",
      "lambda:DeleteFunction"
    ],
    "Resource": ["arn:aws:lambda:ap-southeast-2:123456789012:function:security*"]

24. S3 Bucket Policy: Explicit Deny
Ensures no IAM user or role can modify the bucket; revoking it requires a root login:

    "Effect": "Deny",
    "Principal": "*",
    "Action": [
      "s3:DeleteBucket",
      "s3:DeleteBucketPolicy",
      "s3:DeleteObject",
      "s3:DeleteObjectVersion",
      "s3:PutBucketAcl",
      "s3:PutBucketPolicy",
      "s3:PutBucketVersioning",
      "s3:PutLifecycleConfiguration"
    ],

25. S3 Bucket Policy: Force KMS Key
Forces use of KMS-encrypted objects with a specific key:

    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::BucketName/*",
    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption-aws-kms-key-id":
          "arn:aws:kms:ap-southeast-2:123456789012:key/key-id"
      }
    }

Note: all GET and PUT requests for an object protected by AWS KMS will fail if they are not made via SSL/TLS or by using SigV4.

26. IAM: KMS Policy
Denies use of the default master key:

    "Effect": "Deny",
    "Action": [
      "kms:Encrypt",
      "kms:CreateGrant",
      "kms:GenerateDataKey",
      "kms:GenerateDataKeyWithoutPlaintext",
      "kms:ReEncrypt*"
    ],
    "Resource": [
      "arn:aws:kms:ap-southeast-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    ]

27. IAM: User Policy
All users have minimum privileges and assume roles:

    "Effect": "Allow",
    "Action": [
      "sts:AssumeRole",
      "sts:GetSessionToken"
    ],
    "Resource": ["arn:aws:iam::123456789012:role/name"],
    "Condition": {
      "Bool": {"aws:MultiFactorAuthPresent": "true"}
    }
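A local evaluator for the condition blocks on slides 21 (force tags), 25 (force KMS key) and 27 (MFA), added here as an example; it is not AWS code or the deck's own. It models only the four operators those slides use, with IAM's documented behaviour for keys absent from the request, and the ARNs are the placeholder values from the slides.

```python
# Semantics modelled: single-valued operators (StringEquals, Bool) fail when
# the key is absent from the request context; negated operators
# (StringNotEquals) succeed when it is absent; set operators
# (ForAllValues:*) succeed on an empty or absent set.

# Condition blocks copied from the slides (straight quotes, JSON shape).
FORCE_TAGS_CONDITION = {                       # slide 21, inside an Allow
    "StringEquals": {
        "aws:RequestTag/Classification": "Public",
        "aws:RequestTag/Application": "Public Web",
    },
    "ForAllValues:StringEquals": {
        "aws:TagKeys": ["Classification", "Application"],
    },
}
FORCE_KMS_CONDITION = {                        # slide 25, inside a Deny
    "StringNotEquals": {
        "s3:x-amz-server-side-encryption-aws-kms-key-id":
            "arn:aws:kms:ap-southeast-2:123456789012:key/key-id",
    },
}
MFA_CONDITION = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}  # slide 27


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """True when every operator block is satisfied by the request context
    `ctx` (condition key -> str or list[str]); blocks are ANDed together."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            present = key in ctx
            actual = _as_list(ctx[key]) if present else []
            if operator == "ForAllValues:StringEquals":
                ok = all(a in expected for a in actual)     # vacuous if absent
            elif operator == "StringEquals":
                ok = present and bool(actual) and actual[0] in expected
            elif operator == "StringNotEquals":
                ok = (not present) or actual[0] not in expected
            elif operator == "Bool":
                ok = (present and bool(actual)
                      and actual[0].lower() == expected[0].lower())
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def run_instances_allowed(request_tags):
    """Slide 21: RunInstances is allowed only with exactly the two required
    tags carrying the required values. An extra tag key trips ForAllValues;
    a missing or wrong-valued one trips StringEquals."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    ctx["aws:TagKeys"] = list(request_tags)
    return condition_matches(FORCE_TAGS_CONDITION, ctx)


def put_object_denied(kms_key_arn=None):
    """Slide 25: the Deny fires unless the request names the one key.
    An unencrypted PutObject sends no key header at all, so the key is
    absent, StringNotEquals matches, and the Deny applies."""
    ctx = ({} if kms_key_arn is None else
           {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn})
    return condition_matches(FORCE_KMS_CONDITION, ctx)


def assume_role_allowed(mfa_in_session):
    """Slide 27: a request signed with long-term access keys carries no
    aws:MultiFactorAuthPresent key, so Bool fails and nothing grants."""
    ctx = {"aws:MultiFactorAuthPresent": "true"} if mfa_in_session else {}
    return condition_matches(MFA_CONDITION, ctx)
```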
28. Demo

29. Incident Response & Forensics

30. Example Corp: First Incident
Monitoring tools alerted to a web instance network anomaly in VPC Flow Logs. The web instance's expected profile is 443 IN | 3128 OUT; the flagged record (destination port 22, rejected) does not fit that profile:

    630247214269 eni-0123456a 10.0.1.221 10.76.2.101 27039 22 6 5 268 1466491141 1466491200 REJECT OK
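A detection check for the anomaly above, added here as an example and not part of the deck. It assumes default version 2 flow log records (the slide's excerpt omits the leading version field), that 10.0.1.221 is the web instance, and the 443 IN | 3128 OUT profile from the diagram; the sample log lines are constructed.

```python
from dataclasses import dataclass

# Field order of the default VPC Flow Logs version 2 record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

WEB_INSTANCE_IP = "10.0.1.221"   # assumed: the web instance from slide 30
ALLOWED_IN = {443}               # profile: clients reach it on 443 only
ALLOWED_OUT = {3128}             # profile: it talks out only via the proxy


@dataclass
class Flow:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_record(line):
    """One default-format record -> Flow; None for NODATA/SKIPDATA records,
    whose traffic fields are '-' and describe no packets."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return Flow(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                int(rec["dstport"]), int(rec["protocol"]), rec["action"])


def out_of_profile(flow, host=WEB_INSTANCE_IP,
                   allowed_in=ALLOWED_IN, allowed_out=ALLOWED_OUT):
    """Reason string when the flow breaks the host's profile, else None.
    Each direction of a TCP session is its own record, so a record whose
    *source* port is an allowed service port is treated as the reply leg of
    a permitted session (pair with connection tracking in production).
    REJECTed records are reported too: a blocked outbound SSH attempt is
    exactly the signal slide 30 is about."""
    if host not in (flow.srcaddr, flow.dstaddr):
        return None
    if flow.protocol != 6:                   # profile is TCP-only
        return f"non-TCP protocol {flow.protocol} ({flow.action})"
    if flow.srcaddr == host:                 # host is the sender
        if flow.srcport in allowed_in:       # reply to an inbound client
            return None
        if flow.dstport not in allowed_out:
            return f"outbound to {flow.dstaddr}:{flow.dstport} ({flow.action})"
    else:                                    # host is the receiver
        if flow.srcport in allowed_out:      # reply from the proxy
            return None
        if flow.dstport not in allowed_in:
            return f"inbound from {flow.srcaddr} to port {flow.dstport} ({flow.action})"
    return None


def find_anomalies(log_text):
    """(srcaddr, dstaddr, dstport, reason) for every out-of-profile record."""
    hits = []
    for line in log_text.strip().splitlines():
        flow = parse_record(line)
        reason = out_of_profile(flow) if flow else None
        if reason:
            hits.append((flow.srcaddr, flow.dstaddr, flow.dstport, reason))
    return hits


# Constructed sample: both legs of a normal HTTPS session, one proxy session,
# the slide's rejected SSH attempt (version field added), and a NODATA record.
SAMPLE_LOG = """
2 630247214269 eni-0123456a 203.0.113.9 10.0.1.221 51812 443 6 12 3100 1466491141 1466491200 ACCEPT OK
2 630247214269 eni-0123456a 10.0.1.221 203.0.113.9 443 51812 6 10 8800 1466491141 1466491200 ACCEPT OK
2 630247214269 eni-0123456a 10.0.1.221 10.0.2.50 44210 3128 6 6 900 1466491141 1466491200 ACCEPT OK
2 630247214269 eni-0123456a 10.0.1.221 10.76.2.101 27039 22 6 5 268 1466491141 1466491200 REJECT OK
2 630247214269 eni-0123456a - - - - - - - 1466491141 1466491200 - NODATA
"""
```

Running find_anomalies(SAMPLE_LOG) reports only the rejected SSH attempt; the HTTPS reply leg and the proxy session are accepted as in-profile.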
31. Incident Response
A well handled incident (NIST 800-61):
• Preparation
• Detection & Analysis
• Containment, Eradication and Recovery (Response)
• Post-Incident Activity
The function of each:
• Automation
• Plan and Procedure
• Communications

32. Containment, Eradication and Forensics
(diagram; labels: Application VPC: Web Instance, 443 IN | 3128 OUT, Instance Anomaly Detected, Snapshot (Amazon EBS), Mem Dump; Share Snapshot; Cleanroom VPC: Create New Volume (Amazon EBS), Forensics Web Instance, n/a IN | n/a OUT)

33. Demo

34. Automated Incident Response
Air gapped forensics lab: tooling, snapshots & dumps
EC2 Systems Manager: log & data collection, memory collection
Lambdas: IAM policy collection, snapshot creation, account snapshot transfer, Security Group changes
Log triggers: privilege elevation, restricted action attempts, malware, DLP violation

35. Forensics Clean Room
• Define the goals for the lab
• Define the boundary
• Automate as much as possible
• Remember any access to the lab is a risk
Memory: FTK Imager, LiME, Volatility
Network: Wireshark, Moloch, p0f, GRR
Commercial: FireEye, EnCase, FTK

36. AWS IR: Open Source Tool
CLI for instance and access key based response:

    $ aws_ir instance-compromise --instance-ip 192.0.2.15 --user ec2-user --ssh-key key.pem
    Initial connection to AmazonWebServices made.
    Beginning inventory of instances world wide. This might take a minute...
    Security Group Created sg-abcd1234
    Security Group Egress Access Revoked for sg-abcd1234
    Shifted instance into isolate security group.
    Took a snapshot of volume vol-abcd1234 to snapshot snap-abcd1234
    Attempting run margarita shotgun for ec2-user on 192.0.2.15 with key.pem
    dumping memory to s3://abc123
    capture complete
    Stopping instance: instance_id=i-abcd1234

37. Resources
AWS Security Benchmarks: http://bit.ly/AWSSecB
AWS Well Architected Framework: http://bit.ly/WellArchF
Automatically Remediate S3 object ACLs: http://bit.ly/S3ACL
Code 06 = bmV5LXNl

38. References
Well-Architected Framework: http://bit.ly/WellArchF
IAM policy fragments: http://bit.ly/2myqcWH
Proxy examples: http://amzn.to/2obP1UL http://amzn.to/2mXlTiU
Automation examples: http://bit.ly/2n0rcyP
DevSecOps: http://bit.ly/2npRvBw
CIS Foundations Checker: http://bit.ly/AWSSecB
Automatically remediate S3 object ACLs: http://bit.ly/S3ACL
Federated API and CLI Access: http://amzn.to/2nOV2L3
CloudSploit: http://bit.ly/2nORZm1
CloudFormation Security Best Practices: http://amzn.to/2nXWc3o

39. Thank you!
"I fear not the man that has practiced 10,000 kicks, but I fear the man who practiced one kick 10,000 times." Bruce Lee