AWS APAC Webinar Week - Top 5 Ways to Secure Your Business on AWS

Upload: amazon-web-services

Post on 13-Apr-2017

44 pages


TRANSCRIPT

Page 1: AWS APAC Webinar Week - Top 5 ways to Secure Your Business on AWS
Page 2:

aws.amazon.com/webinars/apac/webinar-week | #AWSWebinarWeek

Page 3:

Top 5 Ways to Secure Your Business on AWS

Shaun Ray, Enterprise Solution Architect

Page 4:

Top 5 reasons why you should attend

• Security is our number one priority
• Learn how to protect your investment
• Become familiar with the new AWS security services
• Incorporate security everywhere
• Choose the right AWS security service to reduce your risk

Page 5:

First a bit of a refresher

Page 6:

Familiar Security Model

Validated and driven by customers’ security experts. Benefits all customers.

Layers: People & Process, System, Network, Physical

Security is Job Zero

Page 7:

AWS constantly innovating – driven by your needs

Chart: security, compliance, governance, and audit related launches and updates per year, 2007 to 2014 (bar values visible on the slide: 48, 61, 82, 159, 280, 514)

Page 8:

Every Customer Gets the Same AWS Security Foundations

Page 9:

You always have full ownership and control

• You can choose to keep all your content onshore in any AWS region of YOUR choice
• AWS makes no secondary use of customer content
• Manage your privacy objectives any way that you want
• Keep data in your chosen format and move it, or delete it, at any time you choose
• No automatic replication of data outside of your chosen AWS Region
• Customers can encrypt their content any way they choose

Page 10:

Security is shared between AWS and Customers

AWS looks after the security OF the platform:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security IN the Cloud:
• Customer Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client and Server Encryption, Encryption Key Management, Network Traffic Protection

Page 11:

Three Key Enablers….

Enterprise Agreement (Commercial and Legal)
• Data Sovereignty
• Regulation
• Liability and IP Ownership

Direct Connect (Private Link to AWS)
• Non-Public Applications
• Cost Reduction
• Public Endpoint Access

Enterprise Support (Proactive Engagement)
• Infrastructure Event Management (IEM)
• 15 Minute Response
• Proactive Support

Page 12:

How much does security cost..

Feature                                   Cost
Amazon VPC                                $0
VPC Security Groups                       $0
AWS Identity & Access Management (IAM)    $0
AWS Security Token Service (STS)          $0
AWS CloudTrail (service)                  $0
VPC Flow Logs                             $0
TLS-enabled AWS API access                $0

(The services themselves are free; the S3 or CloudWatch Logs storage that CloudTrail and VPC Flow Logs deliver into is billed as normal.)

Page 13:

Top 5 Security Tips

Pro Tip #5 – Harden your accounts

Page 14:

Hardening an AWS Account

• Enable MFA on Root Account
• Enable CloudTrail for all Regions
• Put Hardware Token in Safe
• Use Role Based Access

Page 15:

Reduce the Surface Area

• Security Token Service (temporary credentials instead of long-lived access keys)
• Reduce Privileged accounts
• Constantly Reduce Manual Process
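The first check a practitioner runs after slides 14 and 15 is the IAM credential report: it shows in one CSV whether root has MFA, whether root still owns an access key, whether root has been signed into instead of left in the safe, and which console users lack MFA. The script below is an added example, not code from the webinar; SAMPLE_REPORT is a constructed CSV in the layout that `aws iam get-credential-report` returns (the real column names, with a made-up account ID, ARNs and user names).

```python
"""Check an IAM credential report against the account-hardening tips above.

Added example, not code from the webinar. SAMPLE_REPORT is constructed to look
like the CSV that `aws iam get-credential-report` returns (base64 in its
Content field, with these real column names); the account ID, ARNs and
user names are made up.
"""
import csv
import io

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-10T08:00:00+00:00,not_supported,2017-03-01T09:12:00+00:00,not_supported,not_supported,false,true,2015-01-10T08:00:00+00:00,2017-03-01T09:12:00+00:00,ap-southeast-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2016-05-02T10:00:00+00:00,true,2017-04-10T07:00:00+00:00,2016-05-02T10:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-05-02T10:00:00+00:00,true,2017-04-12T07:00:00+00:00,2016-05-02T10:00:00+00:00,N/A,false,true,2016-05-02T10:00:00+00:00,2017-04-12T07:00:00+00:00,ap-southeast-2,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT = "<root_account>"  # how the report names the root user


def parse_report(csv_text):
    """Parse credential-report CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def has_active_key(row):
    return row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true"


def audit_credential_report(csv_text):
    """Return sorted findings, one string per violated hardening rule:
    MFA on root, no long-lived root keys, root kept in the safe (no console
    sign-ins), and every console user carrying MFA on a human-only identity."""
    findings = []
    for row in parse_report(csv_text):
        user = row["user"]
        if user == ROOT:
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            if has_active_key(row):
                findings.append("root: access key active (delete it and use IAM roles instead)")
            if row["password_last_used"] not in ("N/A", "no_information"):
                findings.append("root: console sign-in seen at " + row["password_last_used"])
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(user + ": console password without MFA")
        if row["password_enabled"] == "true" and has_active_key(row):
            findings.append(user + ": console password and access keys on one identity "
                            "(split human and machine identities)")
    return sorted(findings)


if __name__ == "__main__":
    # Against a real account: aws iam generate-credential-report, then
    # aws iam get-credential-report --query Content --output text | base64 -d
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

The root checks are the ones the slide is really about: a root user with an active access key or a recent console sign-in means the hardware token is not in the safe. The deploy-bot finding is the "reduce privileged accounts" point from slide 15: a machine identity should hold keys or, better, assume a role through STS, not also carry a console password.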

Page 16:

Payer and Linked Accounts

Diagram elements: Master Consolidated Billing AWS Account (consolidated billing payer account owner); Production AWS Account and Non-Production AWS Account (each with a consolidated billing linked account owner); Cross Account Role; IAM User; IAM User (billing).

Page 17:

Multi Account Architecture

Diagram elements: Master Consolidated Billing Account; Production Account containing Production, DMZ and Shared Services; Non-Production Account containing Non-Production; Audit Account holding CloudTrail Logs and a Log Analyser; Direct Connect and VPN links to the on-premises DC.

Page 18:

Top 5 Security Tips

Pro Tip #5 – Harden your accounts
Pro Tip #4 – Audit everything

Page 19:

AWS CloudTrail

You are making API calls... on a growing set of services around the world… AWS CloudTrail is continuously recording API calls… and delivering log files to you.

Page 20:

Building your own audit capability

Diagram: HTTPS requests reach Elastic Load Balancing (HTTP request logs) and AWS API requests are recorded by AWS CloudTrail; both deliver their logs to Amazon S3. Alarms are set to trigger on config change: a CloudWatch alarm publishes to Amazon SNS, which fans out to an Amazon SES email, an AWS Lambda function, an HTTP webhook, or a third party audit system.
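What the Lambda function or third party audit system at the end of that pipeline actually does is read CloudTrail records and raise the alarms slides 14 and 20 talk about: root account activity, console sign-ins without MFA, security groups opened to the whole Internet, and anyone switching the trail off. The detector below is an added example, not code from the webinar; SAMPLE_LOG is a constructed log file in CloudTrail's real JSON layout (a {"Records": [...]} document with eventSource, eventName, userIdentity, requestParameters and additionalEventData.MFAUsed), with made-up account ID, IPs and names.

```python
"""Detection logic over CloudTrail records, the kind of thing the Lambda
function in the audit pipeline above would run.

Added example, not from the webinar. SAMPLE_LOG is constructed but follows
the real CloudTrail log-file layout; the account ID, addresses and user names
are made up.
"""
import ipaddress
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2017-04-12T01:02:03Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.5",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2017-04-12T01:10:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
          "ipv6Ranges": {"items": []}}]}}},
    {"eventVersion": "1.05", "eventTime": "2017-04-12T01:15:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"name": "arn:aws:cloudtrail:ap-southeast-2:111122223333:trail/all-regions"}},
    {"eventVersion": "1.05", "eventTime": "2017-04-12T01:20:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/alice"},
     "sourceIPAddress": "203.0.113.9", "requestParameters": None},
]})

# API calls that silence the audit trail itself; always worth an alarm.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def actor(record):
    """Best human-readable name for who made the call."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn", "unknown")


def world_open_rules(record):
    """Yield 'proto/from-to' for each ingress rule whose CIDR covers the whole Internet
    (0.0.0.0/0 or ::/0, i.e. a prefix length of zero)."""
    params = record.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                yield "%s/%s-%s" % (perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"))


def scan_cloudtrail(log_text):
    """Return a list of (rule, eventName, actor) findings for one log file."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        name, source, who = rec.get("eventName"), rec.get("eventSource"), actor(rec)
        if (rec.get("userIdentity") or {}).get("type") == "Root":
            findings.append(("root-account-used", name, who))
        if name == "ConsoleLogin" and (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            findings.append(("console-login-without-mfa", name, who))
        if source == "ec2.amazonaws.com" and name == "AuthorizeSecurityGroupIngress":
            for rule in world_open_rules(rec):
                findings.append(("security-group-open-to-world:" + rule, name, who))
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", name, who))
    return findings


if __name__ == "__main__":
    for rule, event, who in scan_cloudtrail(SAMPLE_LOG):
        print("%-45s %-30s %s" % (rule, event, who))
```

In production the same function is fed each object CloudTrail drops into the S3 bucket (they are gzip-compressed, so wrap the read in gzip.open before json.loads) and its findings go to the SNS topic from the diagram. The read-only DescribeInstances call from the ReadOnly role produces nothing, which is the point: the rules key on identity type, the MFA flag and the request parameters, not on volume.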

Page 21:

Baseline Requirements – New Accounts

• AWS Config
• AWS CloudTrail
• InfoSec’s Cross-Account Roles
• AWS Account Credential Management (“Root Account”)
• Federation
• AWS Account Ownership
• AWS Account Contact Information
• AWS Sales and Support Relationship

Page 22:

Baseline Requirements – Existing Accounts

• AWS Config
• AWS CloudTrail
• InfoSec’s Cross-Account Roles
• AWS Account Credential Management (“Root Account”)
• Federation
• AWS Account Ownership
• AWS Account Contact Information
• AWS Sales and Support Relationship

Page 23:

Out of the box….

• HTTP and HTTPS requests logged with ELB Logging
• API and Console calls logged with CloudTrail Logs
• Network traffic logged with VPC Flow Logs
• VPC change history logged with AWS Config
• IAM policy and user changes logged with AWS Config
• Application level logs and metrics with CloudWatch Logs

Page 24:

Top 5 Security Tips

Pro Tip #5 – Harden your accounts
Pro Tip #4 – Audit everything
Pro Tip #3 – Classify your data and encrypt

Page 25:

What is your data classification?

Public               CMS, No Customer Data, Freely Available
Confidential         Internal Only, May Contain Limited Account Information
Highly Confidential  Full Account Identifiers, Breach of Privacy Law, Board Papers
Protected            Financial Data, Transaction Information, Customer Master

Page 26:

Ubiquitous Encryption

Services shown: AWS CloudTrail, IAM, EBS, RDS, Redshift, S3, Glacier

• Encrypted in transit and at rest
• Fully auditable
• Fully managed keys
• Restricted access
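Classifying data only pays off if the classification is enforced somewhere. For an S3 bucket holding Confidential or higher data, the usual enforcement is a bucket policy that denies any PutObject that does not ask for KMS server-side encryption. The block below is an added example, not from the webinar: the policy uses the real s3:x-amz-server-side-encryption condition key with the Null and StringNotEquals operators, the bucket name and account are made up, and the small evaluator implements only the subset of IAM logic these two statements need so you can see, offline, which request each statement catches.

```python
"""Deny unencrypted uploads to a classified bucket, and check what the policy
does to a given request.

Added example, not from the webinar. The condition keys and operators are the
real IAM ones; BUCKET is hypothetical. is_denied() models only explicit Deny
statements with Null and StringNotEquals conditions (no Allow evaluation, no
Principal or Resource matching), which is all this policy uses.
"""

BUCKET = "example-confidential-data"  # hypothetical bucket name

DENY_UNENCRYPTED_UPLOADS = {
    "Version": "2012-10-17",
    "Statement": [
        # Header missing entirely: "Null": "true" matches when the key is absent.
        {"Sid": "DenyUploadWithoutSSEHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::%s/*" % BUCKET,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        # Header present but asking for something other than KMS (e.g. AES256).
        {"Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::%s/*" % BUCKET,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context, a dict of
    condition-key -> value in which an absent key means the header was not sent.
    Only Null and StringNotEquals are implemented; a missing key is left to the
    Null statement rather than to StringNotEquals, which is why the policy
    above carries both statements."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                if present == (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                if not present or context[key] == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def is_denied(policy, action, context):
    """Return the Sid of the first Deny statement that matches, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    sse = "s3:x-amz-server-side-encryption"
    for label, ctx in [("no header", {}), ("AES256", {sse: "AES256"}), ("aws:kms", {sse: "aws:kms"})]:
        print("%-10s -> %s" % (label, is_denied(DENY_UNENCRYPTED_UPLOADS, "s3:PutObject", ctx) or "allowed"))
```

Attach the policy with aws s3api put-bucket-policy and keep the classification label on the bucket as a tag, so an AWS Config rule can later check that every bucket tagged Confidential or above carries this policy. Note what the policy does not do: it does not protect objects already uploaded, and it does not stop a principal with kms:Decrypt on the key from reading them; key policy and IAM still decide who can decrypt.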

Page 27:

Top 5 Security Tips

Pro Tip #5 – Harden your accounts
Pro Tip #4 – Audit everything
Pro Tip #3 – Classify your data and encrypt
Pro Tip #2 – Reduce your blast radius

Page 28:

Every network has fine-grained security built-in

Diagram: a VPC spanning Availability Zone A and Availability Zone B.

You control your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space you define
• Create your own subnets and control all internal and external connectivity

AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• Every compute instance gets multiple security groups - stateful firewalls
• Every subnet gets network access control lists (stateless, evaluated in rule-number order)

Page 29:

Availability - Out of the box….

• Route 53 – 100% Availability SLA on DNS
• CloudFront – 52 Edge Locations to serve your content
• ELB – Multi-AZ load balancing
• Traffic Distribution – Run active/active with traffic split
• Auto Scaling – Grow from zero to hundreds of instances

Page 30:

Resilience - Out of the box….

• EC2 Auto Recovery – Recover from Hardware Failures
• ASG 1:1:1 (min/desired/max of one instance) – Dead man’s handle – Rebuild and Restart
• ELB – Multi-AZ load balancing with auto register
• EBS Snapshots – Crash consistent backup
• RDS Snapshots – Application consistent backup
• S3 Durability - 99.999999999% Durability

Page 31:

Top 5 Security Tips

Pro Tip #5 – Harden your accounts
Pro Tip #4 – Audit everything
Pro Tip #3 – Classify your data and encrypt
Pro Tip #2 – Reduce your blast radius
Pro Tip #1 – Security in depth

Page 32:

Mapping Policy to Features in AWS

Feature                                   Policy control
Amazon VPC                                Data Centre
VPC Security Groups                       L4 Stateful Firewall
AWS Identity & Access Management (IAM)    Identity & Access
AWS Security Token Service (STS)          Token Based Auth
AWS CloudTrail                            Audit Logging
VPC Flow Logs                             Traffic Logging
ELB Logs                                  Web Logging
Network Access Control List               L4 Firewall - Subnet

Page 33:

AWS SbD (Secure by Design)

Security by Design (SbD) is a modern security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.

Build security in everywhere.

Services shown: CloudTrail, CloudHSM, IAM, KMS, Config

Page 34:

DevOps to DevSecOps

Diagram (pipeline): a developer commits code, config and tests to a version control repo; the CI server pulls the code and the package builder produces AMIs, sends the build report to the developer and stops everything if the build failed; the deploy server pushes to the Test, Staging and Prod environments, with AWS CloudFormation templates generated for each environment and config installed on the way. DevSecOps adds a Security Repository alongside the code repo, security services in the deployments, vulnerability and pen testing, and:
• Security infrastructure tests
• Security unit tests in app

Page 35:

AWS WAF Benefits

• Increased Protection Against Web Attacks
• Security Integrated with How You Develop Applications
• Ease of Deployment & Maintenance
• Improved Web Traffic Visibility
• Cost Effective Web Application Protection

Page 36:

Amazon Inspector Benefits

• Identify Security Issues in Your Web Applications
• Streamline Security Compliance
• Apply AWS Security Expertise to your Application
• Increased Agility without Compromising Security
• Validate your Organization’s Security Standards

Page 37:

AWS Config Rules Benefits

• Easy to Get Started
• Ecosystem of Partners
• Simplified Management
• Continuous Monitoring
• Cloud Governance Dashboard

Page 38:

The Formula: aws.amazon.com

Inspector + Config + WAF + SbD = Security built in everywhere

Page 39:

Summary - Top 5 Security Tips

Pro Tip #5 – Harden your accounts
Pro Tip #4 – Audit everything
Pro Tip #3 – Classify your data and encrypt
Pro Tip #2 – Reduce your blast radius
Pro Tip #1 – Security in depth

Page 40:

Ninja Tip:

The AWS SDK (Java) credentials provider chain looks for credentials in this order:
1. Environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
2. Java system properties aws.accessKeyId and aws.secretKey
3. Credential profiles file at the default location (~/.aws/credentials)
4. Instance profile credentials delivered through the Amazon EC2 metadata service

Because the first source that yields a key pair wins, code that is meant to run on an instance role should have nothing set in the earlier three; a stale environment variable or profile file silently overrides the role.
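To make the precedence concrete, here is the same chain reimplemented over explicit inputs (an environment dict, a Java-style system-properties dict, the text of a credentials file and a callable standing in for the EC2 metadata service), so it runs offline and you can see which source a process would pick up. This is an added example, not the webinar's or the AWS SDK's code; the key values are made up and the metadata callable is a stand-in for the real GET against 169.254.169.254.

```python
"""Model of the credentials provider chain order from the Ninja Tip.

Added example, not from the webinar or the AWS SDK: it reimplements the
slide's ordering over inputs passed in explicitly. Key values are made up;
fake_metadata_service() stands in for the EC2 metadata service endpoint
http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>.
"""
import configparser

# Constructed ~/.aws/credentials content (INI format the real file uses).
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAEXAMPLEFROMFILE
aws_secret_access_key = filesecretexamplekey
"""


def _creds(key, secret, token=None):
    return {"access_key_id": key, "secret_access_key": secret, "session_token": token}


def from_environment(env):
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    return _creds(key, secret, env.get("AWS_SESSION_TOKEN")) if key and secret else None


def from_system_properties(props):
    key, secret = props.get("aws.accessKeyId"), props.get("aws.secretKey")
    return _creds(key, secret) if key and secret else None


def from_credentials_file(text, profile="default"):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text or "")
    if not parser.has_section(profile):
        return None
    section = parser[profile]
    key, secret = section.get("aws_access_key_id"), section.get("aws_secret_access_key")
    return _creds(key, secret, section.get("aws_session_token")) if key and secret else None


def from_instance_profile(fetch):
    """fetch() returns the JSON document the metadata service serves, or None."""
    doc = fetch() if fetch else None
    if doc and doc.get("AccessKeyId") and doc.get("SecretAccessKey"):
        return _creds(doc["AccessKeyId"], doc["SecretAccessKey"], doc.get("Token"))
    return None


def resolve_credentials(env=None, props=None, credentials_file=None, profile="default",
                        fetch_instance_profile=None):
    """Walk the chain in the slide's order; return (source name, credentials)
    for the first provider that yields a complete key pair, or (None, None)."""
    chain = [
        ("environment", lambda: from_environment(env or {})),
        ("system_properties", lambda: from_system_properties(props or {})),
        ("credentials_file", lambda: from_credentials_file(credentials_file, profile)),
        ("instance_profile", lambda: from_instance_profile(fetch_instance_profile)),
    ]
    for name, provider in chain:
        creds = provider()
        if creds:
            return name, creds
    return None, None


def fake_metadata_service():
    # Stand-in for the temporary credentials an instance role would return.
    return {"AccessKeyId": "ASIAEXAMPLEFROMROLE", "SecretAccessKey": "rolesecretexamplekey",
            "Token": "EXAMPLESESSIONTOKEN", "Expiration": "2017-04-13T12:00:00Z"}


if __name__ == "__main__":
    # On a clean instance the role wins; add a credentials file and it is shadowed.
    print(resolve_credentials(fetch_instance_profile=fake_metadata_service)[0])
    print(resolve_credentials(credentials_file=SAMPLE_CREDENTIALS_FILE,
                              fetch_instance_profile=fake_metadata_service)[0])
```

The second print is the trap the tip is warning about: an instance launched with a role still ends up signing with the long-lived file key if someone left ~/.aws/credentials behind in the AMI. A half-set environment (AWS_ACCESS_KEY_ID without the secret) is skipped and the chain moves on, so a partially scrubbed CI environment can also change which identity a job runs as.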

Page 41:

Next steps: aws.amazon.com

• /inspector (Preview)
• /compliance/securitybydesign
• Goldbase (Automated reference architecture)
• /config (Preview)
• /waf

Page 42:

Training

• AWS Security Fundamentals – Free 3-hour online class designed to introduce fundamental cloud computing and AWS security concepts.
• Security Operations on AWS – A 3-day technical deep dive on how to stay secure and compliant in the AWS cloud.

Page 43:

Page 44:

Online Labs & Training

Gain confidence and hands-on experience with AWS. Watch free Instructional Videos and explore Self-Paced Labs.

Instructor Led Classes
Learn how to design, deploy and operate highly available, cost-effective and secure applications on AWS in courses led by qualified AWS instructors.

AWS Certification
Validate your technical expertise with AWS and use practice exams to help you prepare for AWS Certification.

More info at http://aws.amazon.com/training