SlideShare a Scribd company logo
1 of 19
Download to read offline
Shared Security
Responsibilities in AWS
John Martinez, Principal Solutions Architect, Evident.io
The Obligatory “Me” Slide
• Principal Solutions Architect at Evident.io
• 4+ years AWS and Cloud Experience (but almost all AWS)
• Worked in two of the largest AWS environments
• Unix & Linux geek
• I am NOT a “SECURITY” guy!
• Passionate about DevOps, Security and helping people out
Shared Responsibilities???
The minute we gave developers the
power to create infrastructure, security
became their responsibility, too!
On-Prem Compared to AWS
On-Prem!
• Physical key(cards) to DC
• Firewalls
• Network and Power Cables
AWS!
• API Access Key and Secret
• EC2 Security Groups
• VPC and EC2 APIs
And you still need to allow inbound access to your apps!
The Scary Stuff
etc…
Security Responsibilities
Where AWS stops and YOU begin
Doesn’t have to
be scary!
AWS Responsibilities*
• Data center access (yes, there’s still data centers back there
somewhere!)
• Physical infrastructure (servers, storage, network gear and stuff)
• Network security
• API end-points
*Full detail found in the AWS Security Whitepaper
(http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf)
AWS Security Services
• Identity and Access Management (IAM)
• Secure Token Service (STS) - used indirectly via IAM with Roles
• EC2 Security Groups
• EC2 Keypairs (SSH)
• VPC Subnet ACLs
• CloudTrail
• CloudHSM
The following suggestions are
from personal experience, YMMV
⚠️
The Really Long IAM Section.1
AWS provides IAM and STS for you to use, but you have to figure out how to best
use them
• Enable MFA for root accounts NOW
• Then, enable MFA for IAM users next
• Enable a password policy for your IAM users
• Switch to using Roles for EC2 instances
• Limit scope of EC2 Instance Profile policies — only allow what apps need to
do, nothing more
The Really Long IAM Section.2
AWS provides IAM and STS for you to use, but you have to figure out how to
best use them
• Limit the amount of people with “Admin” policies attached to their IAM users
• Demand that your 3rd party vendors use cross-account delegation using IAM
roles
• Protect the shit out of your API Access Keys and Secret Keys (encrypt laptop
drives, do not store on EC2 instances, do not put in GitHub repos, etc., etc.)
• If you’re an enterprise, consider federating Console access with SAML
Notes on S3
• If you’re not careful, you can inadvertently give people access to
your secrets…by making the wrong object public
• However, it can be a great place to store and distribute secrets…if
protected well and used with features like IAM Roles for EC2
• Configure bucket policies so they are complimentary to IAM policies
• Use object versioning and lifecycle rules to archive to Glacier
Complimentary Policy Examples
IAM User Policy
S3 Bucket Policy
Be Vigilant of Strange Activity
• Instances in a region you’re not normally in (t1.micro are especially
favorites for testing your reaction)
• IAM users you don’t recognize
• Weird behavior form your applications
• More S3 objects and buckets than you remember or missing
objects and buckets
• An unexpected increase in your AWS bill
So, What Can I do???
• Use CloudFormation to deploy and maintain the state of your
infrastructure (infrastructure *IS* code)
• Use SNS to alert you where possible: CloudFormation, AutoScaling
• Use CloudTrail to keep an eye on API activity
• Maintain blacklists/whitelists on reverse proxies behind ELBs
• And if you suspect the worst, involve AWS Support ASAP
• Subscribe to Evident.io :-)
Resources
!
Evident.io AWS Security Resource
Center
http://evident.io/aws-security-
resource-center
!
!
!
AWS Security Blog
http://blogs.aws.amazon.com/
security/blog
AWS Security Center
http://aws.amazon.com/security/
Thank you!
john@evident.io
@johnmartinez
http://www.evident.io/
Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17

More Related Content

Similar to Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17

Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityLalitMohanSharma8
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSShane Peden
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsIn the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsGarth Boyd
 
How to prepare for & respond to security incidents in your AWS environment
 How to prepare for & respond to security incidents in your AWS environment How to prepare for & respond to security incidents in your AWS environment
How to prepare for & respond to security incidents in your AWS environmentNathan Case
 
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...Amazon Web Services
 
Server’s variations bsw2015
Server’s variations bsw2015Server’s variations bsw2015
Server’s variations bsw2015Laurent Cerveau
 
Comment choisir entre Parse, Heroku et AWS ?
Comment choisir entre Parse, Heroku et AWS ?Comment choisir entre Parse, Heroku et AWS ?
Comment choisir entre Parse, Heroku et AWS ?TheFamily
 
Aws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailAws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailPawel Rzepa
 
Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Cymmetria
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
ENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New LaunchesENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New LaunchesAmazon Web Services
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and securityErik Paulsson
 
Shared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSShared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSAkshay Mathur
 
(SPOT303) Security Operations at Massive Scale
(SPOT303) Security Operations at Massive Scale(SPOT303) Security Operations at Massive Scale
(SPOT303) Security Operations at Massive ScaleAmazon Web Services
 
Rugged Building Materials and Creating Agility with Security
Rugged Building Materials and Creating Agility with SecurityRugged Building Materials and Creating Agility with Security
Rugged Building Materials and Creating Agility with SecurityDavid Etue
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Amazon Web Services
 
Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Amazon Web Services
 
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...Amazon Web Services
 

Similar to Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17 (20)

Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Implementing the Top 10 AWS Security Best Practices
Implementing the Top 10 AWS Security Best PracticesImplementing the Top 10 AWS Security Best Practices
Implementing the Top 10 AWS Security Best Practices
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWS
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsIn the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
 
How to prepare for & respond to security incidents in your AWS environment
 How to prepare for & respond to security incidents in your AWS environment How to prepare for & respond to security incidents in your AWS environment
How to prepare for & respond to security incidents in your AWS environment
 
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
 
Server’s variations bsw2015
Server’s variations bsw2015Server’s variations bsw2015
Server’s variations bsw2015
 
Comment choisir entre Parse, Heroku et AWS ?
Comment choisir entre Parse, Heroku et AWS ?Comment choisir entre Parse, Heroku et AWS ?
Comment choisir entre Parse, Heroku et AWS ?
 
Aws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailAws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detail
 
Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
ENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New LaunchesENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New Launches
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and security
 
Shared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSShared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWS
 
(SPOT303) Security Operations at Massive Scale
(SPOT303) Security Operations at Massive Scale(SPOT303) Security Operations at Massive Scale
(SPOT303) Security Operations at Massive Scale
 
Rugged Building Materials and Creating Agility with Security
Rugged Building Materials and Creating Agility with SecurityRugged Building Materials and Creating Agility with Security
Rugged Building Materials and Creating Agility with Security
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
 
Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...
 
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
 

Recently uploaded

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 

Recently uploaded (20)

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 

Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17

  • 1. Shared Security Responsibilities in AWS John Martinez, Principal Solutions Architect, Evident.io
  • 2. The Obligatory “Me” Slide • Principal Solutions Architect at Evident.io • 4+ years AWS and Cloud Experience (but almost all AWS) • Worked in two of the largest AWS environments • Unix & Linux geek • I am NOT a “SECURITY” guy! • Passionate about DevOps, Security and helping people out
  • 4. The minute we gave developers the power to create infrastructure, security became their responsibility, too!
  • 5. On-Prem Compared to AWS On-Prem! • Physical key(cards) to DC • Firewalls • Network and Power Cables AWS! • API Access Key and Secret • EC2 Security Groups • VPC and EC2 APIs And you still need to allow inbound access to your apps!
  • 7. Security Responsibilities Where AWS stops and YOU begin Doesn’t have to be scary!
  • 8. AWS Responsibilities* • Data center access (yes, there’s still data centers back there somewhere!) • Physical infrastructure (servers, storage, network gear and stuff) • Network security • API end-points *Full detail found in the AWS Security Whitepaper (http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf)
  • 9. AWS Security Services • Identity and Access Management (IAM) • Secure Token Service (STS) - used indirectly via IAM with Roles • EC2 Security Groups • EC2 Keypairs (SSH) • VPC Subnet ACLs • CloudTrail • CloudHSM
  • 10. The following suggestions are from personal experience, YMMV ⚠️
  • 11. The Really Long IAM Section.1 AWS provides IAM and STS for you to use, but you have to figure out how to best use them • Enable MFA for root accounts NOW • Then, enable MFA for IAM users next • Enable a password policy for your IAM users • Switch to using Roles for EC2 instances • Limit scope of EC2 Instance Profile policies — only allow what apps need to do, nothing more
  • 12. The Really Long IAM Section.2 AWS provides IAM and STS for you to use, but you have to figure out how to best use them • Limit the amount of people with “Admin” policies attached to their IAM users • Demand that your 3rd party vendors use cross-account delegation using IAM roles • Protect the shit out of your API Access Keys and Secret Keys (encrypt laptop drives, do not store on EC2 instances, do not put in GitHub repos, etc., etc.) • If you’re an enterprise, consider federating Console access with SAML
  • 13. Notes on S3 • If you’re not careful, you can inadvertently give people access to your secrets…by making the wrong object public • However, it can be a great place to store and distribute secrets…if protected well and used with features like IAM Roles for EC2 • Configure bucket policies so they are complimentary to IAM policies • Use object versioning and lifecycle rules to archive to Glacier
  • 14. Complimentary Policy Examples IAM User Policy S3 Bucket Policy
  • 15. Be Vigilant of Strange Activity • Instances in a region you’re not normally in (t1.micro are especially favorites for testing your reaction) • IAM users you don’t recognize • Weird behavior form your applications • More S3 objects and buckets than you remember or missing objects and buckets • An unexpected increase in your AWS bill
  • 16. So, What Can I do??? • Use CloudFormation to deploy and maintain the state of your infrastructure (infrastructure *IS* code) • Use SNS to alert you where possible: CloudFormation, AutoScaling • Use CloudTrail to keep an eye on API activity • Maintain blacklists/whitelists on reverse proxies behind ELBs • And if you suspect the worst, involve AWS Support ASAP • Subscribe to Evident.io :-)
  • 17. Resources ! Evident.io AWS Security Resource Center http://evident.io/aws-security- resource-center ! ! ! AWS Security Blog http://blogs.aws.amazon.com/ security/blog AWS Security Center http://aws.amazon.com/security/