Security & Compliance in the AWS Cloud

Upload: nguyenkhue

Post on 30-Mar-2018

TRANSCRIPT

www.cloudsec.com | #CLOUDSEC

Security & Compliance in the AWS Cloud

Vijay Rangarajan – Senior Cloud Architect, ASEAN, Amazon Web Services, @awscloud

AWS platform overview (slide):

ENTERPRISE APPS: Virtual Desktops; Sharing & Collaboration; Corporate Email; Backup

ANALYTICS: Data Warehousing; Hadoop/Spark; Streaming Data Collection; Machine Learning; Elastic Search

APP SERVICES: Queuing & Notifications; Workflow; Search; Email; Transcoding; One-click App Deployment

MOBILE SERVICES: Identity; Sync; Single Integrated Console; Push Notifications

DEVELOPMENT & OPERATIONS: DevOps Resource Management; Application Lifecycle Management; Containers; Triggers; Resource Templates

TECHNICAL & BUSINESS SUPPORT: Account Management; Support; Professional Services; Training & Certification; Security & Pricing Reports; Partner Ecosystem; Solutions Architects

MARKETPLACE: Business Apps; Business Intelligence; Databases; DevOps Tools; Networking; Security; Storage

INFRASTRUCTURE: Regions; Availability Zones; Points of Presence

CORE SERVICES: Compute (VMs, Auto-scaling, & Load Balancing); Storage (Object, Blocks, Archival, Import/Export); Databases (Relational, NoSQL, Caching, Migration); Networking (VPC, DX, DNS, CDN)

SECURITY & COMPLIANCE: Access Control; Identity Management; Key Management & Storage; Monitoring & Logs; Assessment and reporting; Resource & Usage Auditing; Configuration Compliance; Web application firewall

HYBRID ARCHITECTURE: Data Backups; Integrated App Deployments; Direct Connect; Identity Federation; Integrated Resource Management; Integrated Networking

IoT: Rules Engine; Device Shadows; Device SDKs; Registry; Device Gateway

Also on the slide: API Gateway; Streaming Data Analysis; Business Intelligence; Mobile Analytics

Job Zero

AWS Pace of Innovation (chart): years 2009, 2011, 2013 and 2015; plotted values 48, 82, 280 and 722

AWS has been continually expanding its services to support virtually any cloud workload and now has more than 70 services that range from compute, storage, networking, database, analytics, application services, deployment, management and mobile.

Our Culture

Simple Security Controls

SHARED

exactly

GxP, ISO 13485, AS9100, ISO/TS 16949

Shared Responsibility Model (slide):

AWS is responsible for the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers have their choice of security configurations IN the Cloud, and decide how to implement them:
Customer applications & content
Platform, Applications, Identity & Access Management
Operating System, Network, & Firewall Configuration
Client-side Data Encryption
Server-side Data Encryption
Network Traffic Protection

SECURITY IS VISIBILITY AND AUDITABILITY

How often do you map your network? RIGHT NOW?

You are making API calls... on a growing set of services around the world… AWS CloudTrail is continuously recording API calls… and delivering log files to you.

AWS CLOUDTRAIL

AWS Config (diagram): changing resources (e.g. Redshift, AWS CloudFormation, AWS Elastic Beanstalk) feed continuous change recording, which gives you a History, a Stream, and a Snapshot (ex. 2014-11-05).

SECURITY IS CONTROL (USERS, RESOURCES, CONTENT)

Control access and segregate duties everywhere. With AWS Identity and Access Management (IAM) you control who can do what in your AWS environment, and from where.

Fine-grained control of your AWS cloud with two-factor authentication

Integrate with your existing corporate directory using SAML 2.0 and single sign-on
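As an added example (not from the talk or from AWS), the Python below reads a CloudTrail log file in the {"Records": [...]} shape CloudTrail delivers and flags the three things the CloudTrail and IAM slides above ask about: who (root credential use), what without MFA (IAM user calls lacking mfaAuthenticated), and from where (source IP outside an approved range). The records, user names, account id and CIDRs are constructed.

```python
import ipaddress
import json

# Constructed sample in the shape CloudTrail delivers to S3 (a JSON object with a
# "Records" array); users, account id and RFC 5737 addresses are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2018-03-30T09:12:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2018-03-30T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "198.51.100.23",  # long-term access key: no session, no MFA
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2018-03-30T09:20:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2018-03-30T09:21:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": {"type": "AWSService"}},
]})

def review_trail(log_text, allowed_cidrs):
    """Return (eventName, principal, reason) for records breaking the who / what /
    from-where rules: root use, IAM user calls without MFA, calls from outside CIDRs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        event = rec.get("eventName", "?")
        if ident.get("type") == "Root":
            findings.append((event, who, "root credentials used"))
        # mfaAuthenticated is the string "true" under sessionContext.attributes;
        # calls signed with long-term access keys carry no sessionContext at all.
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        if ident.get("type") == "IAMUser" and mfa != "true":
            findings.append((event, who, "IAM user call without MFA"))
        src = rec.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # AWS service principals log a DNS name, not an address
        if not any(addr in net for net in allowed):
            findings.append((event, who, f"source {src} outside allowed ranges"))
    return findings

if __name__ == "__main__":
    for finding in review_trail(SAMPLE_LOG, ["203.0.113.0/24"]):
        print(*finding, sep=" | ")
```

Real CloudTrail files arrive gzipped in S3, so in practice the text handed to review_trail comes from gzip.open on each delivered object.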

Segregation of duties (diagram): AWS account owner; Network management; Security management; Server management; Storage management

AWS regions (map slide): US-EAST (Virginia); US-WEST (N. California); US-WEST (Oregon); AWS GovCloud (US); SOUTH AMERICA (Sao Paulo); EU-WEST (Ireland); EU-CENTRAL (Frankfurt); ASIA PAC (Tokyo); ASIA PAC (Singapore); ASIA PAC (Sydney); ASIA PAC (Korea); ASIA PAC (Mumbai); CHINA (Beijing)

you put it

13 Regions, 35 Availability Zones, 59 Edge Locations

Create your own private, isolated section of the AWS cloud (diagram: Availability Zone A, Availability Zone B)

AWS Virtual Private Cloud: provision a logically isolated section of the AWS cloud. You choose a private IP range for your VPC, and segment this into subnets to deploy your compute instances.

AWS network security: the AWS network will prevent spoofing and other common layer 2 attacks. You cannot sniff anything but your own EC2 host network interface. Control all external routing and connectivity; connect resiliently and in private.

Connectivity (diagram): YOUR AWS ENVIRONMENT (Digital Websites, Big Data Analytics, Dev and Test, Enterprise Apps) linked to YOUR PREMISES over AWS Direct Connect or Internet VPN.

AWS Key Management Service: PCI DSS SP L1 compliant, undergoing FIPS 140-2. Encryption key management and compliance made easy. Integrated with AWS services (e.g. S3, EBS, RDS, Redshift, CloudTrail, EMR). Highly available and durable.

CloudHSM: dedicated access. Only you have access to your keys and operations on the keys. AWS administrator—manages the appliance. You—control keys and crypto operations.

AUDIT EVERYTHING

Auditors

Geographic data locality: control over regional replication
Fine-grained access control: policies, resource level permissions, temporary credentials
In-depth logging: AWS CloudTrail and Config
Visibility into resources and usage: Service Describe* APIs and AWS CloudWatch
Control over deployment: AWS CloudFormation

Fine-grained visibility and control for accounts, resources, data

Governance

COMPLIANCE: ISO 9001; SOC 3; SOC 2; ISO 27001; ISO 27017; PCI DSS Level 1; ISO 27018; SOC 1 / ISAE 3402; GxP; HIPAA; ITAR; FERPA; FISMA, RMF, and DIACAP; FedRAMP; Section 508 / VPAT; DoD SRG Levels 2 & 4; FIPS 140-2; CJIS; Cloud Security Alliance; MPAA; NIST; MLPS Level 3; G-Cloud; IT-Grundschutz; MTCS Tier 3; IRAP; Cyber Essentials Plus

More accreditations & certifications than anyone

evidence

Data Sovereignty & Privacy: You retain control and ownership of your content. Choose your AWS region and adhere to data sovereignty laws. Compliant with ISO 27001, ISO 27017, ISO 27018. Encrypt your data using AWS services or using your own.

Vibrant Partner Ecosystem (SaaS): Infrastructure Security; Logging and Monitoring; Identity and Access Control; Configuration and Vulnerability Analysis; Data Protection

Job Zero

BETTER IN AWS

Vijay Rangarajan, Amazon Web Services, @awscloud