Cloud Security with Amazon Web Services
![Page 1: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/1.jpg)
Security in the AWS Cloud
Steve [email protected]
@steveriley
@awscloud
http://stvrly.wordpress.com
http://aws.typepad.com
![Page 2: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/2.jpg)
Amazon Web Services: 4 regions
Amazon CloudFront: 16 edge locations
![Page 8: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/8.jpg)
http://status.aws.amazon.com/
![Page 11: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/11.jpg)
Slide graphic rating AWS services (shown with plus marks in the original), in this order: Amazon S3, Amazon SimpleDB, Amazon RDS (multi-AZ), Amazon EBS, Amazon RDS (one AZ), Amazon EC2.
![Page 12: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/12.jpg)
Slide graphic showing successive overwrite patterns (0s, /s, null, zs) written across a storage device.
![Page 13: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/13.jpg)
DoD 5220.22-M and NIST 800-88
![Page 14: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/14.jpg)
Layered isolation (slide diagram):
• Hypervisor layer: AWS admins only; SSH via bastions; audits reviewed
• Physical interfaces
• AWS firewall
• Security groups (Customer 1, Customer 2, … Customer n): customer only; inbound flows; default deny
• Virtual interfaces (Customer 1, Customer 2, … Customer n)
• Customer instances (Customer 1, Customer 2, … Customer n): customer only; SSH, ID/pw, X.509; root/admin
![Page 15: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/15.jpg)
• DDoS attacks
• MITM attacks
• IP spoofing
• Packet sniffing
• Port scanning
![Page 16: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/16.jpg)
Layered isolation, with responsibility split between AWS and You (slide diagram):
• Hypervisor layer (AWS): AWS admins only; SSH via bastions; audits reviewed
• Physical interfaces (AWS)
• AWS firewall (AWS)
• Security groups (You; Customer 1, Customer 2, … Customer n): customer only; inbound flows; default deny
• Virtual interfaces (You; Customer 1, Customer 2, … Customer n)
• Customer instances (You; Customer 1, Customer 2, … Customer n): customer only; SSH, ID/pw, X.509; root/admin control
![Page 17: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/17.jpg)
Three-tier design (slide diagram):
• Web tier: HTTP/HTTPS from Internet; SSH/RDP management from corpnet
• Application tier: SSH/RDP management from corpnet
• Database tier: SSH/RDP management from corpnet, vendor
![Page 19: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/19.jpg)
Security group rules for the three tiers (legacy EC2 API tools; `-s` is a source CIDR, `-o` a source security group; `22|3389` is the slide's shorthand for one rule per management port; `prot`, `AppPortRange`, `DBPortRange`, `CorpNet` and `Vendor` are placeholders):

```text
ec2-authorize WebSG -P tcp -p 80 -s 0.0.0.0/0
ec2-authorize WebSG -P tcp -p 443 -s 0.0.0.0/0
ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
```
![Page 20: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/20.jpg)
Same design with an inspection tier in front: only instances in InspSG may reach the web tier on 80/443 (the slide elides InspSG's own inbound rules with `. . .`):

```text
ec2-authorize InspSG -P prot -p port -s 0.0.0.0/0
. . .
ec2-authorize WebSG -P tcp -p 80 -o InspSG
ec2-authorize WebSG -P tcp -p 443 -o InspSG
ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
```
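Added example (not from the deck) modelling the rule sets of the two slides above so you can check a flow against them: inbound is default deny, a rule's source is either a CIDR (`-s`) or a security group (`-o`), and the inspection variant rewrites the web tier's Internet rules to point at InspSG. The CIDRs and port ranges are constructed stand-ins for the slide's CorpNet, Vendor, AppPortRange and DBPortRange placeholders.

```python
import ipaddress

# Constructed stand-ins for the slide's placeholders (assumptions).
CORPNET = "10.0.0.0/8"
VENDOR = "203.0.113.0/24"
ANY = "0.0.0.0/0"

# A rule is (protocol, from_port, to_port, source); source is a CIDR
# (ec2-authorize -s) or a security-group name (ec2-authorize -o).
SLIDE19 = {
    "WebSG": [("tcp", 80, 80, ANY), ("tcp", 443, 443, ANY),
              ("tcp", 22, 22, CORPNET), ("tcp", 3389, 3389, CORPNET)],
    "AppSG": [("tcp", 8000, 8080, "WebSG"),          # AppPortRange assumed
              ("tcp", 22, 22, CORPNET), ("tcp", 3389, 3389, CORPNET)],
    "DBSG":  [("tcp", 3306, 3306, "AppSG"),          # DBPortRange assumed
              ("tcp", 22, 22, CORPNET), ("tcp", 3389, 3389, CORPNET),
              ("tcp", 22, 22, VENDOR), ("tcp", 3389, 3389, VENDOR)],
}


def allowed(groups, target_sg, proto, port, src_ip, src_sg=None):
    """Default deny: an inbound flow passes only if some rule matches.

    src_sg names the security group of the sending instance, if any;
    Internet sources have none.
    """
    for rule_proto, lo, hi, source in groups.get(target_sg, []):
        if rule_proto != proto or not lo <= port <= hi:
            continue
        if "/" in source:  # CIDR source
            if ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
                return True
        elif source == src_sg:  # security-group source
            return True
    return False


def with_inspection(groups):
    """Slide 20 variant: the web tier's Internet-facing rules are
    re-pointed at InspSG, whose own inbound rules the slide elides;
    80/443 from anywhere is assumed here."""
    g = {name: list(rules) for name, rules in groups.items()}
    g["InspSG"] = [("tcp", 80, 80, ANY), ("tcp", 443, 443, ANY)]
    g["WebSG"] = [(p, lo, hi, "InspSG" if s == ANY else s)
                  for p, lo, hi, s in g["WebSG"]]
    return g
```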
![Page 21: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/21.jpg)
Amazon VPC (slide diagram): your corporate network connected to your VPC in the Amazon Web Services cloud.
IPsec tunnel mode: 128-bit AES, SHA-1, PFS, BGP
![Page 22: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/22.jpg)
Amazon VPC (slide diagram): your corporate network connected to your VPC in the Amazon Web Services cloud.
Currently
• EC2 on-demand and reserved
• EBS
• CloudWatch
• Linux/Unix and Windows
• US-East, EU-West
Upcoming
• >1 AZ, >1 router
• Bidirectional Internet
• Elastic IPs
• Elastic Load Balancing
• Autoscaling
• DevPay
• Inter-subnet security groups
• Subnet ACLs
![Page 23: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/23.jpg)
Amazon S3: things to know
• “Key” = name of object
• 99.999999999% annual durability
• Versioning support
Bucket permissions (ACL): List; Upload/delete; View permissions; Edit permissions
Object permissions (ACL): Open/download; View permissions; Edit permissions
![Page 24: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/24.jpg)
Bucket policies versus access control lists

| | Bucket policy | Access control list |
|---|---|---|
| Scope | Grant/deny an account access to multiple resources | Grant user access to single resource |
| Conditions | Restrict based on custom conditions: strings, numbers, booleans; dates, times; IP addresses; Amazon resource names | No conditions |
| Request attributes | Policies can include request attributes: current time, whether using SSL, source IP, user agent, epoch, referrer | No request attributes |
| Operations | Choice of 25 operations on objects, buckets, and bucket sub-resources; know your JSON | |
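Added example (not from the deck) of a bucket policy that uses three of the request attributes listed above (source IP, use of SSL, current time), together with a small evaluator for just those condition operators so the effect of each condition can be checked offline. The bucket name and CIDR are constructed; the evaluator handles only the operators shown and treats no matching Allow statement as an implicit deny.

```python
import ipaddress
from datetime import datetime

# Constructed policy: read-only access to one bucket, only from the
# corporate range, only over SSL, only after a cut-over date.
POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "ReadOnlyFromCorpOverSSL",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
        "Condition": {
            "IpAddress": {"aws:SourceIp": "10.0.0.0/8"},
            "Bool": {"aws:SecureTransport": "true"},
            "DateGreaterThan": {"aws:CurrentTime": "2010-01-01T00:00:00Z"},
        },
    }],
}

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _match(operator, expected, actual):
    """Evaluate one condition; a missing request attribute never matches."""
    if actual is None:
        return False
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if operator == "Bool":
        return str(actual).lower() == expected
    if operator == "DateGreaterThan":
        return datetime.strptime(actual, TIME_FMT) > datetime.strptime(expected, TIME_FMT)
    raise ValueError(f"unsupported condition operator {operator}")


def _resource_matches(resource, patterns):
    return any(resource == p or (p.endswith("/*") and resource.startswith(p[:-1]))
               for p in patterns)


def evaluate(policy, action, resource, request):
    """True only if some Allow statement covers the action and resource
    and every one of its conditions holds for the request attributes."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not _resource_matches(resource, stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {})
        if all(_match(op, exp, request.get(key))
               for op, kv in conds.items() for key, exp in kv.items()):
            return True
    return False  # implicit deny
```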
![Page 26: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/26.jpg)
• AWS services
• Resources
• Source IP
• Time of day
• Use of SSL
![Page 27: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/27.jpg)
http://aws.amazon.com/iam/
![Page 28: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/28.jpg)
IAM details
• Preview beta includes:
– Amazon EC2, S3, VPC, SQS, SNS, RDS, SimpleDB, Auto Scaling, ELB
– Configured via API calls
– Add users, define groups and hierarchies, set permissions, enable API calls, assign MFAs
• Future:
– User login to console, user management console
• No additional charge
![Page 29: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/29.jpg)
http://aws.amazon.com/mfa/
![Page 31: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/31.jpg)
*:*
![Page 32: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/32.jpg)
Compliance
• HIPAA
– Current customer deployments
– Whitepaper describes the specifics
• SAS 70 Type II
– Multiple audits
– Simplified process to get your copy
• FISMA moderate Authority to Operate
• ISO 27001/27002
![Page 33: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/33.jpg)
SAS 70 Type II controls
• Security Organization: controls provide reasonable assurance that there is a clear information security policy that is communicated throughout the organization to users.
• Amazon Employee Lifecycle: controls provide reasonable assurance that procedures have been established so that Amazon employee user accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis to reduce the risk of unauthorized / inappropriate access.
• Logical Security: controls provide reasonable assurance that unauthorized internal and external access to data is appropriately restricted and access to customer data is appropriately segregated from other customers.
• Secure Data Handling: controls provide reasonable assurance that data handling between the customer’s point of initiation to an AWS storage location is secured and mapped accurately.
• Physical Security: controls provide reasonable assurance that physical access to Amazon’s operations building and the data centers is restricted to authorized personnel.
• Environmental Safeguards: controls provide reasonable assurance that procedures exist to minimize the effect of a malfunction or physical disaster to the computer and data center facilities.
• Change Management: controls provide reasonable assurance that changes (including emergency / non-routine and configuration) to existing IT resources are logged, authorized, tested, approved and documented.
• Data Integrity, Availability, and Redundancy: controls provide reasonable assurance that data integrity is maintained through all phases including transmission, storage and processing.
• Incident Handling: controls provide reasonable assurance that system incidents are recorded, analyzed, and resolved in a timely manner.
![Page 35: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/35.jpg)
http://aws.amazon.com/security/
![Page 36: Cloud Security with Amazon Web Services](https://reader034.vdocuments.net/reader034/viewer/2022051618/55d50db1bb61ebe71a8b4577/html5/thumbnails/36.jpg)
Thank you very much!
Steve [email protected]
@steveriley
@awscloud
http://stvrly.wordpress.com
http://aws.typepad.com