September Webinar - Understanding AWS Cloud Security (양승도, Solutions Architect)
AWS
In this webinar I am going to introduce Amazon Web Services, also known as AWS, and some of the fundamental concepts behind the Amazon Cloud.
AWS
DATA
DB1, DB2, App1, App2, Web1, Web2, SW1, SW2, LB1, LB2
AWS API
AWS
AWS (IAM), Customers
AWS
VPC NACL, VPC Flow Logs, Bastion Hosts / NAT, HTTPS / SSL / TLS
Service Catalog, Config, IAM (MFA/Role), CloudWatch Logs
KMS, CloudHSM, CloudTrail
AWS VPC, IAM, KMS; ISO 27017/27018; VPC Security Group 500; NAT, NAT G/W; Config, IAM; CloudTrail
AWS, 2015: 40%; 722; 269 (37%)
AWS ISO 27017/27018
Disk Wiping
AWS, Tom Soderstrom, CTO, NASA JPL
AWS: Visibility, Controllability, Auditability
= software!
We think it can get better. ESM (Enterprise Security Management)
SIEM (security information and event management); AS-IS
AWS CloudWatch
EC2, Auto Scaling, ELB, Route 53, EBS, Storage Gateway, CloudFront, DynamoDB, ElastiCache, RDS, EMR, SNS, SQS, EBS, Custom
CPU; 200; 100
Amazon CloudWatch Logs: EC2
HTTP (404) => CloudWatch Metrics
404 => CloudWatch Alarms
EC2; 1, 5; 404 URL
AWS Trusted Advisor Security
TCP; TA; 10
As is
Trusted Advisor gives you best-practice recommendations in 4 different areas: Cost optimization, Security, Fault tolerance, Performance.
Here you have a couple of recommendations regarding security, including the usage of security groups, IAM accounts, MFA authentication for root, etc.
71, 20; Unrestricted
AWS Inspector: Agent, API, Rule Package
CVE (common vulnerabilities and exposures); Network security best practices (4); Authentication best practices (9); Operating system security best practices (4); Application security best practices (2); PCI DSS 3.0 readiness (25)
knowledge base, RULE SET
CVE: several thousand checks; Network Security: 4 checks (weak ciphers, vulnerable TLS version, SMB packet signing); Authentication: 9; OS: 4; AppSec: 2; PCI: 25
OS; 8
And just like an electricity grid, where you would not wire every factory to the same power station, the AWS infrastructure is global, with multiple regions around the globe from which services are available. This means you have control over things like where your applications run, where your data is stored, and where best to serve your customers from.
Encryption
Securing Data at Rest with Encryption.
HTTPS, SSL/TLS, SSH, VPN; Object
Object, Database, Filesystem, Disk
To be used for customers with HIPAA requirements. Keep hidden otherwise.
AWS KMS
Customer Master Key(s)
Data Key 1, Data Key 2, Data Key 3, Data Key 4
Amazon S3 Object, Amazon EBS Volume, Amazon Redshift Cluster
EBS, S3, Redshift, AWS SDK, AWS CloudTrail: KMS Cryptographic Details.
AWS Key Management Service
IAM
S3, Redshift, Glacier
EBS, RDS
AWS Key Management Service integrated with Amazon EBS
USER
AWS Identity and Access Management (IAM)
AWS: Role, APIs
A username for each user
Groups to manage multiple users
Centralized access control
Optional provisions: password for console access; policies to control access to AWS APIs
Two methods to sign API calls: X.509 certificate; Access Key ID + Secret Access Key
Multifactor Authentication
Each user can have a specific policy which defines what she can do with AWS. You can pick a policy from the list of predefined ones we offer.
NETWORK
AWS Cloud: A, B
AWS Virtual Private Cloud (VPC): IP, EC2, AWS network security, IP Spoofing, EC2
Web, App, DB, Web
(NACL): App, DB, Web, Web
Allow, Deny all traffic, Allow, Allow
EC2 (Security Group): App, DB, Web, Web
Port 3306; Port 443 (five times); Deny all traffic
(or DC): Private, App, On-Prem, DB, Public, Private, Web, Web
AWS Direct Connect, DC, App, App, AWS Internet VPN
WEB/WAS, www.a.com
WAF on CloudFront edges (Edge Location, 59 edges): users, legitimate traffic, safe traffic; hackers, bad bots: SQL Injection, XSS (cross-site scripting)
AWS WAF: CloudFront edge WAF monitor & filter, edge scaling, CloudFront, SQL injection, XSS
Consistent, regular, exhaustive 3rd-party evaluations with commonly understood results. People often ask whether the cloud can really support PCI. Yes, many customers are moving to AWS especially for this feature (ex: Vodafone Italy).
The key difference between SOC 2 and SOC 3 reports is that the former contains a detailed description of the service auditor's tests and results of controls as well as the auditor's opinion on the description of the service organization's system. A SOC 3 report provides only the auditor's report on whether the system achieved the trust services criteria. There is no description of tests and results or opinion on the description of the system.
AWS CloudTrail: API
CloudTrail is your eyes behind the scenes at AWS. It gives you insight into all of the API calls made which are associated with your account(s). It lets you understand who did what, from where, and when.
Just a few weeks ago, we added the ability for CloudTrail to record both successful and unsuccessful console logins from your AWS IAM accounts as well. (SNS)
AWS Config: AWS SNS, Troubleshooting, Discovery
AWS Config Rules: AWS Lambda
AWS Config Rules
SaaS
AWS Marketplace is an important part of the AWS ecosystem. Through the AWS Marketplace you can buy many of the same tools as you use within your own environments today, all validated and optimized to work in an AWS environment. There are over 200 offerings available, across 7 key technology areas: Advanced Threat Analytics, Application Security, Identity and Access Management, Server & Endpoint Protection, Network Security, Encryption and Key Management, and Vulnerability and Pen Testing.
These are some of our key partners in each of these spaces, and many of you will be running at least a few of these already.
Why customers purchase through Marketplace: fast evaluation and procurement of software; simplifies buying by eliminating the contracting process (no need to get a new vendor approved); on-demand pricing options for annual terms, with an hourly option when the customer bursts.
"... Redshift ... Redshift 55 ..."
-- Nate Simmons, Principal Architect
http://aws.amazon.com/cn/solutions/case-studies/nasdaq-finqloud/
http://aws.amazon.com/solutions/case-studies/nasdaq-omx/
S3, EMR, HSM
What Nasdaq: AWS (Redshift), Redshift DW, on-premise HSM, S3, EMR
AWS: http://aws.amazon.com/security
The main point of this slide is to introduce the fact that AWS takes security very seriously. We dedicate an entire section of our website, the Security and Compliance Center, to communicating with our customers, providing things like: Security and Compliance whitepapers; Security best practice whitepapers; Security bulletins; Requests for customer penetration testing.
This presentation is a brief overview of the information on this site; please be aware of it and check out the site for more details and information.
http://aws.amazon.com/security/security-resources/
AWS Security Blog: http://blogs.aws.amazon.com/security/
AWS Korea Blog: https://aws.amazon.com/ko/blogs/korea/