AWS APAC Webinar Week - Top 5 Ways to Secure Your Business on AWS
Posted on 13-Apr-2017
TRANSCRIPT
aws.amazon.com/webinars/apac/webinar-week | #AWSWebinarWeek
Top 5 Ways to Secure Your Business on AWS
Shaun Ray, Enterprise Solution Architect

Top 5 reasons why you should attend
• Security is our number one priority
• Learn how to protect your investment
• Become familiar with the new AWS security services
• Incorporate security everywhere
• Choose the right AWS security service to reduce your risk
First a bit of a refresher
Familiar Security Model
Validated and driven by customers’ security experts
Benefits all customers
PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL
Security is Job Zero
AWS constantly innovating – driven by your needs
[Chart: security, compliance, governance, and audit related launches and updates per year, 2007–2014, rising from 48 to 514]
Every Customer Gets the Same AWS Security Foundations
You always have full ownership and control
• You can choose to keep all your content onshore in any AWS region of YOUR choice
• AWS makes no secondary use of customer content
• Managing your privacy objectives any way that you want
• Keep data in your chosen format and move it, or delete it, at any time you choose
• No automatic replication of data outside of your chosen AWS Region
• Customers can encrypt their content any way they choose
Security is shared between AWS and Customers

AWS looks after the security OF the platform:
• AWS Foundation Services – Compute, Storage, Database, Networking
• AWS Global Infrastructure – Regions, Availability Zones, Edge Locations

Customers are responsible for their security IN the Cloud:
• Customer Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client and Server Encryption
• Encryption Key Management
• Network Traffic Protection

Three Key Enablers….
• Enterprise Agreement – Commercial and Legal: Data Sovereignty, Regulation, Liability and IP Ownership
• Direct Connect – Private Link to AWS: Non-Public Applications, Cost Reduction, Public Endpoint Access
• Enterprise Support – Proactive Engagement: Infrastructure Event Management (IEM), 15 Minute Response, Proactive Support
How much does security cost..
• Amazon VPC – $0
• VPC Security Groups – $0
• AWS Identity & Access Management (IAM) – $0
• AWS Security Token Service (STS) – $0
• AWS CloudTrail (service) – $0
• VPC Flow Logs – $0
• TLS-enabled AWS API access – $0
Top 5 Security Tips
Pro Tip #5 – Harden your accounts

Hardening an AWS Account
• Enable MFA on Root Account
• Enable CloudTrail for all Regions
• Put Hardware Token in Safe
• Use Role Based Access
Reduce the Surface Area
• Security Token Service
• Reduce Privileged accounts
• Constantly Reduce Manual Process

Payer and Linked Accounts
[Diagram: a Master Consolidated Billing AWS Account (Consolidated Billing payer account owner, with an IAM User for billing) linked through Cross Account Roles to a Production AWS Account and a Non-Production AWS Account, each owned by a Consolidated Billing linked account owner with its own IAM Users]
Multi Account Architecture
[Diagram: Master Consolidated Billing Account; Production Account with Production, DMZ and Shared Services segments; Non-Production Account with a Non-Production segment; Audit Account holding CloudTrail Logs and a Log Analyser; the corporate DC connected via Direct Connect and VPN]
Top 5 Security Tips
Pro Tip #4 – Audit everything

AWS CloudTrail
You are making API calls... on a growing set of services around the world… AWS CloudTrail is continuously recording API calls… and delivering log files to you.
Building your own audit capability
[Diagram: HTTP requests reach Elastic Load Balancing, whose HTTP request logs are delivered to Amazon S3; AWS API requests (HTTPS) are recorded by AWS CloudTrail, whose logs also land in S3; CloudWatch alarms are set to trigger on config change and fan out through Amazon SNS to Amazon SES email, Lambda, an HTTP webhook and a third party audit system]
Baseline Requirements (new and existing accounts)
• AWS Config
• AWS CloudTrail
• InfoSec’s Cross-Account Roles
• AWS Account Credential Management (“Root Account”)
• Federation
• AWS Account Ownership
• AWS Account Contact Information
• AWS Sales and Support Relationship
Out of the box….
• HTTP and HTTPS requests logged with ELB Logging
• API and Console calls logged with CloudTrail Logs
• Network traffic logged with VPC Flow Logs
• VPC change history logged with AWS Config
• IAM policy and user changes logged with AWS Config
• Application level metrics logged with CloudWatch Logs
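Tips #5 and #4 reinforce each other: once CloudTrail is on in every region, the trail is where you notice account hardening slipping. The following is an added example, not part of the webinar: a small scanner over CloudTrail records that flags root account usage, console logins without MFA, activity outside the regions the account is meant to use, and IAM users calling APIs with long-term access keys rather than roles. The records are constructed in CloudTrail's JSON layout, and APPROVED_REGIONS is an assumed per-account setting.

```python
"""Scan CloudTrail records for signs that account hardening is slipping.

Added example (not from the webinar). The records below are constructed in
CloudTrail's JSON layout; APPROVED_REGIONS is an assumed per-account setting.
"""
import json

# Assumption: the regions this account is expected to operate in. Anything
# else only becomes visible because the trail covers all regions.
APPROVED_REGIONS = {"ap-southeast-2", "us-east-1"}

# Constructed sample log (four records) in CloudTrail's JSON layout.
SAMPLE_LOG = json.dumps({"Records": [
    {   # root signing in to the console without MFA
        "eventTime": "2017-04-13T01:02:03Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # an IAM user with a long-term key launching instances in an unexpected region
        "eventTime": "2017-04-13T01:05:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "eu-west-1",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accessKeyId": "AKIAEXAMPLEKEY000001"},
    },
    {   # an assumed role using temporary credentials in an approved region
        "eventTime": "2017-04-13T01:06:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "ap-southeast-2",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob",
                         "accessKeyId": "ASIAEXAMPLEKEY000002"},
    },
    {   # an IAM user console login with MFA
        "eventTime": "2017-04-13T01:07:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "carol",
                         "arn": "arn:aws:iam::111122223333:user/carol"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
]})


def parse_records(raw):
    """CloudTrail delivers JSON files with a top-level 'Records' array."""
    return json.loads(raw)["Records"]


def check_record(record, approved_regions=APPROVED_REGIONS):
    """Return the hardening rules this single record violates (empty if none)."""
    findings = []
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        findings.append("root-account-used")  # the root token belongs in the safe
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append("console-login-without-mfa")
    if record.get("awsRegion") not in approved_regions:
        findings.append("activity-outside-approved-regions")
    # Long-term IAM user keys start with AKIA; role/STS credentials start with ASIA.
    if identity.get("type") == "IAMUser" and identity.get("accessKeyId", "").startswith("AKIA"):
        findings.append("long-term-key-used-prefer-roles")
    return findings


def scan_log(raw, approved_regions=APPROVED_REGIONS):
    """Return one (eventTime, eventName, arn, findings) tuple per offending record."""
    report = []
    for record in parse_records(raw):
        findings = check_record(record, approved_regions)
        if findings:
            report.append((record["eventTime"], record["eventName"],
                           record.get("userIdentity", {}).get("arn", "?"), findings))
    return report


if __name__ == "__main__":
    for when, event, who, findings in scan_log(SAMPLE_LOG):
        print(f"{when} {event:<18} {who}: {', '.join(findings)}")
```

Running it against the constructed log reports only the first two records: the root console login without MFA, and the long-term key used in a region the account is not supposed to be using. In practice the same checks would run as a CloudWatch Logs filter or a Lambda subscribed to the S3 bucket, which is the audit pipeline the slide above sketches.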
Top 5 Security Tips
Pro Tip #3 – Classify your data and encrypt

What is your data classification?
• Public – CMS, No Customer Data, Freely Available
• Confidential – Internal Only, May Contain Limited Account Information
• Highly Confidential – Full Account Identifiers, Breach of Privacy Law, Board Papers
• Protected – Financial Data, Transaction Information, Customer Master
Ubiquitous Encryption
Services shown: AWS CloudTrail, IAM, EBS, RDS, Redshift, S3, Glacier
• Encrypted in transit and at rest
• Fully auditable
• Fully managed keys
• Restricted access
Top 5 Security Tips
Pro Tip #2 – Reduce your blast radius

Every network has fine-grained security built-in
[Diagram: a VPC spanning Availability Zone A and Availability Zone B]
You control your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space you define
• Create your own subnets and control all internal and external connectivity
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• Every compute instance gets multiple security groups - stateful firewalls
• Every subnet gets network access control lists
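Security groups are the per-instance firewall the slide mentions, and the blast radius of an instance is largely the set of sources its rules admit. The following is an added example, not from the webinar: an audit over security group rules in the shape of an EC2 DescribeSecurityGroups response (the sample data is constructed). It grades rules that admit the whole internet, treats only 80 and 443 as acceptable world-facing ports, and flags SSH/RDP admitted from outside the assumed RFC 1918 internal ranges; those thresholds are my own and should be tuned to the environment.

```python
"""Audit VPC security groups for rules that widen the blast radius.

Added example (not from the webinar). SAMPLE is constructed in the shape of
an EC2 DescribeSecurityGroups response; the severity thresholds are assumptions.
"""
import ipaddress

WEB_PORTS = {80, 443}       # the only ports accepted from the whole internet
ADMIN_PORTS = {22, 3389}    # SSH / RDP: never from outside our own address space
# Assumption: the organisation's internal ranges are the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: four groups, two of them with weak rules.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "legacy-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]}


def rule_cidrs(rule):
    """All IPv4 and IPv6 CIDR sources of one rule; group-to-group refs are not CIDRs."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def port_span(rule):
    if rule.get("IpProtocol") == "-1":   # "-1" means every protocol and every port
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def is_internal(net):
    return any(net.version == internal.version and net.subnet_of(internal)
               for internal in INTERNAL_NETS)


def audit_rule(rule):
    """Return (severity, message) findings for one ingress rule."""
    findings = []
    lo, hi = port_span(rule)
    for cidr in rule_cidrs(rule):
        net = ipaddress.ip_network(cidr, strict=False)
        world = net.prefixlen == 0           # 0.0.0.0/0 or ::/0
        if world and rule.get("IpProtocol") == "-1":
            findings.append(("CRITICAL", f"all protocols open to {cidr}"))
        elif world and not (lo == hi and lo in WEB_PORTS):
            findings.append(("HIGH", f"ports {lo}-{hi} open to {cidr}"))
        elif not is_internal(net) and any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(("MEDIUM", f"admin ports {lo}-{hi} open to external range {cidr}"))
    return findings


def audit_security_groups(describe_output):
    """Map GroupId -> findings, listing only groups that have any."""
    report = {}
    for group in describe_output["SecurityGroups"]:
        findings = [f for rule in group["IpPermissions"] for f in audit_rule(rule)]
        if findings:
            report[group["GroupId"]] = findings
    return report


if __name__ == "__main__":
    for gid, findings in audit_security_groups(SAMPLE).items():
        for severity, message in findings:
            print(f"{severity:<8} {gid}: {message}")
```

The "db" group gets no finding because its only source is another security group, which is the shape you want: a database reachable from the web tier and nowhere else. The "legacy-admin" group is the one to fix first, with SSH from anywhere and an all-protocol IPv6 rule.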
Availability - Out of the box….
• Route 53 – 100% Availability SLA on DNS
• CloudFront – 52 Edge Locations to serve your content
• ELB – Multi-AZ load balancing
• Traffic Distribution – Run active/active with traffic split
• Auto Scaling – Grow from zero to hundreds of instances

Resilience - Out of the box….
• EC2 Auto Recovery – Recover from Hardware Failures
• ASG 1:1:1 – Dead man's handle – Rebuild and Restart
• ELB – Multi-AZ load balancing with auto register
• EBS Snapshots – Crash consistent backup
• RDS Snapshots – Application consistent backup
• S3 Durability - 99.999999999% Durability
Top 5 Security Tips
Pro Tip #1 – Security in depth

Mapping Policy to Features in AWS
• Amazon VPC – Data Centre
• VPC Security Groups – L4 Stateful Firewall
• Network Access Control List – L4 Firewall - Subnet
• AWS Identity & Access Management (IAM) – Identity & Access
• AWS Security Token Service (STS) – Token Based Auth
• AWS CloudTrail – Audit Logging
• VPC Flow Logs – Traffic Logging
• ELB Logs – Web Logging
AWS SbD (Secure by Design)
Security by Design (SbD) is a modern, security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.
Build security in everywhere.
[Diagram: DevOps pipeline – Dev commits code, config and tests to the repo; the CI server pulls and the package builder generates AMIs, sending the build report to dev and stopping everything if the build failed; the deploy server pushes to Test, Staging and Prod environments created from AWS CloudFormation templates. DevSecOps adds a Security Repository of security services, deployments, and vulnerability and pen testing, backed by CloudTrail, CloudHSM, IAM, KMS and Config]
• Security Infrastructure tests
• Security unit tests in app
AWS WAF Benefits
Increased Protection Against Web Attacks
Security Integrated with How You Develop Applications
Ease of Deployment & Maintenance
Improved Web Traffic Visibility
Cost Effective Web Application Protection
AWS Inspector Benefits
Identify Security Issues in Your Web Applications
Streamline Security Compliance
Apply AWS Security Expertise to your Application
Increased Agility without Compromising Security
Validate your Organization’s Security Standards
AWS Config Rules Benefits
Easy to Get Started
Ecosystem of Partners
Simplified Management
Continuous Monitoring
Cloud Governance Dashboard
The Formula: Inspector + Config + WAF + SbD = Security built in everywhere
Summary - Top 5 Security Tips
• Pro Tip #5 – Harden your accounts
• Pro Tip #4 – Audit everything
• Pro Tip #3 – Classify your data and encrypt
• Pro Tip #2 – Reduce your blast radius
• Pro Tip #1 – Security in depth
Ninja Tip: the AWS credentials provider chain looks for credentials in this order:
• Environment Variables – AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
• Java System Properties – aws.accessKeyId and aws.secretKey
• Credential Profiles File – at the default location (~/.aws/credentials)
• Instance Profile – credentials delivered through the Amazon EC2 metadata service
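The order of that chain is the security-relevant part: a static key in the environment or a profile file silently outranks the instance role, and the instance profile, the only step that never involves a long-lived secret on disk, is consulted last. The following is an added example, not part of the webinar and not any AWS SDK's code: it walks the four steps in the stated order with every source injected so it runs offline. The Java-only system-properties step is modelled as a plain dict, the EC2 metadata call as a callable, and the profile file content and all key values are constructed placeholders.

```python
"""Walk the AWS SDK credential provider chain in the order the slide lists.

Added example (not from the webinar or any AWS SDK). Every source is injected so
the chain can be exercised offline: the Java-only system-properties step is
modelled as a plain dict, and the EC2 metadata lookup as a callable.
"""
import configparser

# Constructed ~/.aws/credentials content (placeholder keys, not real credentials).
SAMPLE_PROFILE_FILE = """
[default]
aws_access_key_id = AKIAPROFILEEXAMPLE00
aws_secret_access_key = profile-secret-placeholder

[prod]
aws_access_key_id = AKIAPRODEXAMPLE00000
aws_secret_access_key = prod-secret-placeholder
"""


def fake_instance_metadata():
    """Stand-in for the EC2 metadata role-credential document (constructed values)."""
    return {"AccessKeyId": "ASIAINSTANCEEXAMPLE0",
            "SecretAccessKey": "instance-secret-placeholder",
            "Token": "session-token-placeholder",
            "Expiration": "2017-04-13T07:00:00Z"}


def from_environment(env):
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if key and secret:
        return {"source": "environment", "access_key_id": key, "secret_access_key": secret}
    return None


def from_system_properties(props):
    # Only the Java SDK has this step; modelled here as a dict of property names.
    key, secret = props.get("aws.accessKeyId"), props.get("aws.secretKey")
    if key and secret:
        return {"source": "system-properties", "access_key_id": key, "secret_access_key": secret}
    return None


def from_profile_file(text, profile="default"):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if parser.has_section(profile):
        section = parser[profile]
        if "aws_access_key_id" in section and "aws_secret_access_key" in section:
            return {"source": f"profile:{profile}",
                    "access_key_id": section["aws_access_key_id"],
                    "secret_access_key": section["aws_secret_access_key"]}
    return None


def from_instance_profile(fetch_metadata):
    data = fetch_metadata()   # None when not running on EC2 / no role attached
    if data:
        return {"source": "instance-profile", "access_key_id": data["AccessKeyId"],
                "secret_access_key": data["SecretAccessKey"], "session_token": data.get("Token")}
    return None


def resolve_credentials(env, props, profile_text, fetch_metadata, profile="default"):
    """First provider with a complete credential wins; None if all four are empty."""
    providers = (
        lambda: from_environment(env),
        lambda: from_system_properties(props),
        lambda: from_profile_file(profile_text, profile),
        lambda: from_instance_profile(fetch_metadata),
    )
    for provider in providers:
        creds = provider()
        if creds:
            return creds
    return None


if __name__ == "__main__":
    # On an EC2 instance with no static keys anywhere, the role credentials are used.
    print(resolve_credentials({}, {}, "", fake_instance_metadata)["source"])
```

A partial environment (only AWS_ACCESS_KEY_ID set) falls through to the next step rather than producing half a credential, and returning None for an empty chain lets the caller fail closed. The practical lesson for the "reduce privileged accounts" tip is that a forgotten key in a profile file on an instance will be used in preference to the role you attached to it.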
Next steps: aws.amazon.com
/inspector (Preview)
/compliance/securitybydesign
Goldbase (Automated reference architecture)
/config (Preview)
/waf
Training
• AWS Security Fundamentals – Free 3-hour online class designed to introduce fundamental cloud computing and AWS security concepts.
• Security Operations on AWS – A 3-day technical deep dive on how to stay secure and compliant in the AWS cloud.
Online Labs & Training
Gain confidence and hands-on experience with AWS. Watch free instructional videos and explore self-paced labs.
Instructor Led Classes
Learn how to design, deploy and operate highly available, cost-effective and secure applications on AWS in courses led by qualified AWS instructors.
AWS Certification
Validate your technical expertise with AWS and use practice exams to help you prepare for AWS Certification.
More info at http://aws.amazon.com/training