the 2014 aws enterprise summit - understanding aws security
DESCRIPTION
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that "Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?" That's the level of granularity you can choose to implement if you wish. In this session, we'll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.TRANSCRIPT
AWS Security
Bill Shinn [email protected]
Principal Solutions Architect - Security, Amazon Web Services
Sami Zuhuruddin, [email protected]
Solutions Architect, Amazon Web Services
Different customer viewpoints on security
PR execkeep out of the news
CEOprotect shareholder
value
CI{S}Opreserve the
confidentiality, integrity and availability of data
Security is Our No.1 PriorityComprehensive Security Capabilities to Support Virtually Any Workload
Customer Ecosystem
Partner Ecosystem
Every Customer Benefits
Physical Security
People & Procedures
Network Security
Platform Security
SECURITY IS SHARED
WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
WHAT WE DO
FOR YOU
WHAT YOU DO YOURSELF
EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
Tom Soderstrom – CTO – NASA JPL
AWS Security Offers More…
Visibility Auditability Control
MORE VISIBILITY
• Can you map your network?
• What is in your environment right now?
TRUSTED ADVISOR
MORE AUDITABILITY
Certifications and Accreditations for Workloads That Matter
Security control objectives
1. Security organization
2. Amazon user access
3. Logical security
4. Secure data handling
5. Physical security and environmental safeguards
6. Change management
7. Data integrity, availability and redundancy
8. Incident handling
AWS CLOUDTRAIL
You are making API calls...
On a growing set of services around
the world…
CloudTrail is continuously recording API
calls…
And delivering log files to you
Security AnalysisUse log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS ResourcesTrack creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational IssuesQuickly identify the most recent changes made to resources in your environment.
Compliance AidEasier to demonstrate compliance with internal policies and regulatory standards.
‣ CloudTrail records API calls and delivers a log file to your S3 bucket.
‣ Typically, delivers an event within 15 minutes of the API call.
‣ Log files are delivered approximately every 5 minutes.
‣ Multiple partners offer integrated solutions to analyze log files.
LOGSOBTAINED, RETAINED, ANALYZED
PROTECT YOUR LOGS WITH IAMARCHIVE YOUR LOGS
MORE CONTROL
Defense in DepthMulti level security
• Physical security of the data centers• Network security• System security• Data security
DATA
AWS Security Delivers More Control & Granularity
AWS CloudHSM
Defense in depth
Rapid scale for security
Automated checks with AWS Trusted
Advisor
Fine grained access controls
Server side encryption
Multi-factor authentication
Dedicated instances
Direct connection, Storage Gateway
HSM-based key storage
AWS IAM
Amazon VPC
AWS Direct Connect
AWS Storage Gateway
Customize the implementation based on your business needs
LEAST PRIVILEGE PRINCIPLE AT AWS
Least Privilege Principle
Confine roles only to the material required to do specific work
Least Privilege Principle
Separate networks for corporate work vs. accessing customer data
Least Privilege Principle
Must have a business need-to-know about sensitive information like data center
locations
Least Privilege Principle
Must have a business need-to-know in order to access data centers
Simple Security Controls
Are the easiest to get right, easiest to audit, and easiest to enforce
MORE CONTROLON IDENTITY & ACCESS
Use AWS Identity & Access Management (IAM)
Control who can do what with your AWS account
Best Practice
AWS IAM: Recent InnovationsSecurely control access to AWS services and resources
• Delegation– Roles for Amazon EC2– Cross-account access
• Powerful integrated permissions– Resource level permissions:
Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation
– Access control policy variables– Policy Simulator– Enhanced IAM support: Amazon
SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk
• Federation– Web Identity Federation– AD and Shibboleth
examples– Partner integrations– Case study: Expedia
• Strong authentication– MFA-protected API access– Password policies
• Enhanced documentation and videos
ACCESS TOSERVICE APIs
Amazon DynamoDB Fine Grained Access Control
Directly and securely access application data in Amazon DynamoDB
Specify access permissions at table, item and attribute levels
With Web Identity Federation, completely remove the need for proxy servers to perform authorization
MORE CONTROLOF YOUR DATA
MFA Delete Protection
Your data stays where you put it
Best Practice
It’s Not Just Having Services in a Couple of Regions
Hundreds of thousands of customers across 190 countries
800+ government agencies
3,000+ educational institutions
10 regions
26 availability zones
52 edge locations
Everyday, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.
Use Multiple AZs
Amazon S3Amazon DynamoDBAmazon RDS Multi-AZAmazon EBS snapshots
Best Practice
Data Encryption
Choose what’s right for you…• Automated – AWS manages encryption • Enabled – user manages encryption using AWS• Client-side – user manages encryption using
their own mean
AWS CloudHSM
Managed and monitored by AWS, but you control the keys
Increase performance for applications that use HSMs for key storage or encryption
Comply with stringent regulatory and contractual requirements for key protection
EC2 Instance
AWS CloudHSM
AWS CloudHSM
Encrypt Your Data
AWS CloudHSMAmazon S3 SSEAmazon GlacierAmazon RedshiftAmazon RDS…
Best Practice
More Auditability
More Visibility
More Control
IDC Survey
• Attitudes and perceptions around security and cloud services
• Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization
Source: IDC 2013 U.S. Cloud security survey
Doc #242836, September 2013
AWS.AMAZON.COM / SECURITY
AWS SECURITY WHITEPAPERS
RISK & COMPLIANCE
AUDITING SECURITY CHECKLIST
SECURITY PROCESSES
SECURITY BEST PRACTICES
AWS MARKETPLACE
SECURITY SOLUTIONS