SlideShare a Scribd company logo

AWS Innovate Ottawa: Security & Compliance

Amazon Web Services
Amazon Web Services

• AWS Shared Responsibility Model • Key management options in AWS • Infrastructure security capabilities • Compliance, governance, and configuration tools • Monitoring and auditing features

1 of 50
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Geordie Anderson, Solutions Architect September 20, 2017 AWS Security and Compliance
Prescriptive Approach Understand AWS Security and Best Practices Build Strong Compliance Foundations Integrate Identity & Access Management Enable Auditing and Detective Controls Establish Network Security Implement Data Protection Optimize Change Management and Governance Automate Security Functions
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Understand AWS Security and Best Practices
AND Move Fast Stay Secure
Security At AWS Is Our #1 Priority Familiar Security Model Security measures are validated and driven by security experts across our customer base Superset of security controls that benefit all customers PEOPLE & PROCESS SYSTEM NETWORK PHYSICAL
Improving Security With The Cloud “From a physical and logical security standpoint, I believe that, if done right, public cloud computing is as or more secure than self-hosting.” – Steve Randich, EVP and CIO, Financial Industry Regulatory Authority, USA FINRA now deploying multiple Hadoop-based and Redshift-based analytics apps core to their regulatory mission • Multi-petabyte clusters growing by terabytes per day • Core apps in full production since January 2015 • Half way through a 2 year plan to go “all in” to the AWS cloud
Secure Cloud Architecture Municipal Property Assessment Corporation • Responsible for providing valuations for more than 5 million properties • Moved from its traditional IT architecture to AWS, to be more responsive and agile in serving its customers • Runs its core property valuation engine on AWS • Leveraging Amazon Virtual Private Cloud (VPC) as part of its security architecture
AWS Shared Responsibility Model DatabaseStorageCompute Networking Edge Locations Regions Avail. Zones AWS Global Infrastructure Customers are responsible for security ‘in’ the Cloud AWS is responsible for security ‘of’ the Cloud Customer Content Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Client-side Data Encryption & Data Integrity Authentication Server-side Encryption (Filesystem and/or Data) Network Traffic Protection (Encryption / Integrity / Identity)
AWS Security Training AWS Security Fundamentals Free 3 hour online course Security Operations on AWS Instructor-led 3 day class Details at aws.amazon.com/training
AWS Security Whitepapers Introduction to AWS Security AWS Security Best Practices AWS Security Checklist Introduction to AWS Security Processes Overview of AWS Security - Storage Services Overview of AWS Security - Database Services Overview of AWS Security - Compute Services Overview of AWS Security - Application Services Overview of AWS Security - Analytics, Mobile and Application Services Overview of AWS Security - Network Services Security at Scale: Logging in AWS Security at Scale: Governance in AWS ... and more… Details at aws.amazon.com/security/security-resources/
AWS CIS Benchmarks AWS has partnered with the Center for Internet Security to create two consensus-based, best-practice security configuration guides which will align to multiple security frameworks globally https://www.cisecurity.org/ The Benchmarks are: • Recommended technical control rules/values for hardening operating systems, middleware, software applications, and network devices • Distributed free of charge by CIS in .PDF format • Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Build Strong Compliance Foundations
AWS Reports, Certifications & Accreditations https://aws.amazon.com/compliance/
AWS Artifact – Compliance Reports Provides customers with an easier process to obtain certain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console AWS Artifact
Security is a Shared Responsibility Facilities Physical security Compute infrastructure Storage infrastructure Network infrastructure Virtualization layer (EC2) Hardened service endpoints Rich IAM capabilities Network configuration Security groups OS firewalls Operating systems Applications Proper service configuration Authentication management Authorization policies + = Customer More secure and compliant systems than any one entity could achieve on its own at scale
Trusted Advisor • Best practice and recommendation engine • Proactive guidance • Helping customers reduce spend • Giving customers insight into running more secure, highly available environments • 4 main categories
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Integrate Identity & Access Management
AWS Identity & Access Management IAM Users IAM Groups IAM Roles IAM Policies
AWS Organizations Control AWS service use across accounts Policy-based management for multiple AWS accounts Consolidate billing and usage reporting Automate account creation
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Enable Auditing and Detective Controls
AWS CloudTrail – Cloud Usage Audit Logging Users are constantly making API calls... On a growing set of AWS services around the world… AWS CloudTrail is continuously recording and logging the API calls… Who made the request? What was requested? When and from where? What was the response?
Amazon CloudWatch – Monitoring Service • Provides visibility and metrics into every aspect of your AWS environment • Metrics are automatically actionable and can call notifications, set alarms, run code, etc. Metrics include • EC2 Instances (CPU usage, networking, etc.) • RDS instances (connections, CPU, etc.) • ELB metrics (healthy backends, network, etc.) • Support for custom metrics
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Establish Network Security
Virtual Private Cloud (VPC) /16 Availability Zone A Availability Zone B Public Subnet Public Subnet /22 /221019 IPs 1019 IPs Private Subnet with Outbound NAT Private Subnet with Outbound NAT /20 /204091 IPs 4091 IPs Private Subnet Private Subnet /20 /204091 IPs 4091 IPs
Example Architecture AWS Region (Canada – Montreal) 10.10.0.0/16 Availability Zone A Availability Zone B Web Subnet A 10.10.1.0/24 Database Subnet A 10.10.5.0/24 Web Subnet B 10.10.2.0/24 Database Subnet B 10.10.6.0/24 Web Tier Security Group Database Tier Security Group Web Server Web Server Web Server Web Server ELB Internet Gateway (IGW) Web Tier Auto Scaling Group App Subnet A 10.10.3.0/24 App Subnet B 10.10.4.0/24 App Tier Security Group App Server App Server App Server App Server App Tier Auto Scaling Group Synchronous Replication ELB
Multiple VPCs Sandbox Development QA Staging Production PCI Compliant Apps Non Regulated Apps Business Unit A Business Unit B
VPC Flow Logs – See All Your Traffic • Agentless • Enable per network interface, per subnet, or per VPC • Logged to AWS CloudWatch Logs • Create CloudWatch metrics from log data, and alarm on those metrics Source IP Destination IP Source Port Destination Port Interface Protocol Packets Bytes Start Time Accept or Reject Account ID End Time
Visualize Your Traffic With Amazon Elasticsearch Service and Kibana VPC Flow Logs
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Implement Data Protection
It’s Always YOUR Data! • Customers choose where to place their data • Customers can encrypt data using native AWS tools and/or 3rd party solutions • AWS regions are geographically isolated by design • Data is not replicated to other AWS regions and does not move • Customers own their data, the ability to encrypt it, move it, and delete it
Data Encryption in AWS Encryption In Transit SSL/TLS VPN / IPSEC SSH Encryption At Rest Object Database Filesystem Disk
We Use Keys to Encrypt / Decrypt Data Unencrypted Data + { AES DES RC4 Blowfish } + = Encrypted Data + { AES DES RC4 Blowfish } + = ENCRYPTION ALGORITHM ENCRYPTION ALGORITHM Encrypted Data Unencrypted Data
Key Management Options in AWS There are different options based on complexity, performance, cost, integration, operations, and compliance requirements Do It Yourself AWS Marketplace Partner Solutions AWS Key Management Service (KMS) AWS CloudHSM http://smallbusiness.com/wp- content/uploads/2014/04/lego-worker.jpg Represents a sample of AWS Marketplace Key Management Partner Solutions. Further details available here: https://aws.amazon.com/marketplace/
Other AWS Security Services AWS Shield Managed DDoS protection AWS Web Application Firewall (WAF) A web application firewall that helps protect web applications from common web exploits Amazon Macie Machine learning powered security service to discover, classify, and protect sensitive data Amazon Inspector Automated security assessment service that helps improve the security and compliance of applications deployed on AWS
AWS Marketplace: One-Stop Shop For Security Tools Infrastructure Security Logging & Monitoring Identity & Access Control Configuration & Vulnerability Analysis Data Protection
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Optimize Change Management and Governance
AWS Config & Config Rules AWS Config AWS Config Rules • Resource inventory and configuration history • Records configuration changes continuously • Time-series view of resource changes • Archive and compare • Configuration change notifications to enable security and governance • Powerful configuration rule system • Define custom rules that can look for desirable or undesirable conditions • Enforce best practices using automated compliance checks • Trigger additional alerts or workflow
AWS Config Partners Represents a sample of AWS Config Partners, part of the AWS Service Delivery Program. Further details available here: https://aws.amazon.com/config/partners/
AWS Service Catalog Portfolios of IT Approved Products Resource Launch Product Permissions Constraints End-User Self-Service Portal Administration Interface Users / Groups Portfolios CloudFormation Templates Tags ConstraintsAccounts AWS Service Catalog End-Users
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automate Security Functions
AWS CloudFormation – Infrastructure as Code Template StackAWS CloudFormation • Orchestrate changes across AWS Services • Use as foundation to Service Catalog products • Use with source code repositories to manage infrastructure changes • JSON-based text file describing infrastructure • Group of resources created from a template • Can be updated • Updates can be restricted
Security By Design Infrastructure as code – automate deployment, provisioning, and configurations of AWS cloud environments CloudFormation Service CatalogStack Templates Instances AppsResources Stack Stack Design Package Products Portfolios DeployConstrain Identity & Access Management Set Permissions
https://i.stack.imgur.com/Lm3Td.jpg https://i.stack.imgur.com/Lm3Td.jpg Pets vs Cattle
https://i.stack.imgur.com/Lm3Td.jpg https://i.stack.imgur.com/Lm3Td.jpg https://blog.engineyard.com/images/cows-in-server-farm.jpg
EC2 Your catalog of approved templates Your custom template specs Your custom running template Hardening Audit and logging Vulnerability management Malware and HIPS Whitelisting and integrity User administration Operating system • Configure and harden EC2 instances to your own specs • Use host-based protection software • Manage administrative users • Enforce separation of duties & least privilege • Connect to your existing services, e.g. SIEM, patching • The immutable infrastructure pattern Enforce Consistent Security On Servers Base OS image
Evolving the Practice of Security Architecture Security architecture as a separate function can no longer exist Static position papers, architecture diagrams, risk assessments & documents UI-dependent consoles and technologies Auditing, assurance, and compliance are decoupled, separate processes Current Security Architecture Practice
Evolving the Practice of Security Architecture Security architecture can now be part of the “maker” team Architecture artifacts (design choices, narrative, etc.) committed to common repositories Complete solutions account for automation Solution architectures are living audit/compliance artifacts and evidence in a closed loop Evolved Security Architecture Practice AWS CodeCommit AWS CodePipeline Jenkins
Summary Understand AWS Security and Best Practices Build Strong Compliance Foundations Integrate Identity & Access Management Enable Auditing and Detective Controls Establish Network Security Implement Data Protection Optimize Change Management and Governance Automate Security Functions
Thank you!

Recommended

Amazon Rekognition Best Practices - DevDay Austin 2017
Amazon Rekognition Best Practices - DevDay Austin 2017Amazon Rekognition Best Practices - DevDay Austin 2017
Amazon Rekognition Best Practices - DevDay Austin 2017Amazon Web Services
 
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...Amazon Web Services
 
AWS Innovate Ottawa Keynote - Jeff Kratz
AWS Innovate Ottawa Keynote - Jeff Kratz AWS Innovate Ottawa Keynote - Jeff Kratz
AWS Innovate Ottawa Keynote - Jeff KratzAmazon Web Services
 
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa: Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:Amazon Web Services
 
Cloud Adoption Framework - AWS Innovate Ottawa:
Cloud Adoption Framework - AWS Innovate Ottawa: Cloud Adoption Framework - AWS Innovate Ottawa:
Cloud Adoption Framework - AWS Innovate Ottawa:Amazon Web Services
 
ENT211_How to Assess Your Organization’s Readiness to Migrate at Scale to AWS
ENT211_How to Assess Your Organization’s Readiness to Migrate at Scale to AWSENT211_How to Assess Your Organization’s Readiness to Migrate at Scale to AWS
ENT211_How to Assess Your Organization’s Readiness to Migrate at Scale to AWSAmazon Web Services
 
Cost Optimization at Scale
Cost Optimization at ScaleCost Optimization at Scale
Cost Optimization at ScaleAmazon Web Services
 
aws basics
aws basicsaws basics
aws basicsSean Hull
 

Recommended

Amazon Rekognition Best Practices - DevDay Austin 2017
Amazon Rekognition Best Practices - DevDay Austin 2017Amazon Rekognition Best Practices - DevDay Austin 2017
Amazon Rekognition Best Practices - DevDay Austin 2017Amazon Web Services
 
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...Amazon Web Services
 
AWS Innovate Ottawa Keynote - Jeff Kratz
AWS Innovate Ottawa Keynote - Jeff Kratz AWS Innovate Ottawa Keynote - Jeff Kratz
AWS Innovate Ottawa Keynote - Jeff KratzAmazon Web Services
 
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa: Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:Amazon Web Services
 
Cloud Adoption Framework - AWS Innovate Ottawa:
Cloud Adoption Framework - AWS Innovate Ottawa: Cloud Adoption Framework - AWS Innovate Ottawa:
Cloud Adoption Framework - AWS Innovate Ottawa:Amazon Web Services
 
ENT211_How to Assess Your Organization’s Readiness to Migrate at Scale to AWS
ENT211_How to Assess Your Organization’s Readiness to Migrate at Scale to AWSENT211_How to Assess Your Organization’s Readiness to Migrate at Scale to AWS
ENT211_How to Assess Your Organization’s Readiness to Migrate at Scale to AWSAmazon Web Services
 
Cost Optimization at Scale
Cost Optimization at ScaleCost Optimization at Scale
Cost Optimization at ScaleAmazon Web Services
 
aws basics
aws basicsaws basics
aws basicsSean Hull
 
AWS Training and Certification
AWS Training and CertificationAWS Training and Certification
AWS Training and CertificationAmazon Web Services
 
Big Data & Analytics - Innovating at the Speed of Light
Big Data & Analytics - Innovating at the Speed of LightBig Data & Analytics - Innovating at the Speed of Light
Big Data & Analytics - Innovating at the Speed of LightAmazon Web Services LATAM
 
Building your Cloud Strategy
Building your Cloud StrategyBuilding your Cloud Strategy
Building your Cloud StrategyAmazon Web Services
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneAmazon Web Services
 
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...Amazon Web Services
 
Adding image and video analysis to your app
Adding image and video analysis to your appAdding image and video analysis to your app
Adding image and video analysis to your appAmazon Web Services
 
Windows Workloads on AWS - AWS Innovate Toronto
Windows Workloads on AWS - AWS Innovate TorontoWindows Workloads on AWS - AWS Innovate Toronto
Windows Workloads on AWS - AWS Innovate TorontoAmazon Web Services
 
Operating and Managing Hybrid Cloud on AWS
Operating and Managing Hybrid Cloud on AWSOperating and Managing Hybrid Cloud on AWS
Operating and Managing Hybrid Cloud on AWSTom Laszewski
 
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Amazon Web Services
 
AWS 微服務架構分享
AWS 微服務架構分享AWS 微服務架構分享
AWS 微服務架構分享Amazon Web Services
 
Fort Lauderdale Tech Talks - The Future is the Cloud
Fort Lauderdale Tech Talks - The Future is the CloudFort Lauderdale Tech Talks - The Future is the Cloud
Fort Lauderdale Tech Talks - The Future is the CloudCloudHesive
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneAmazon Web Services
 
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring Tom Laszewski
 
Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐
Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐
Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐Amazon Web Services
 
Considerations for your Cloud Journey
Considerations for your Cloud JourneyConsiderations for your Cloud Journey
Considerations for your Cloud JourneyAmazon Web Services
 
AWS Customer Presentation - Angelbeat Princeton Seminar
AWS Customer Presentation - Angelbeat Princeton SeminarAWS Customer Presentation - Angelbeat Princeton Seminar
AWS Customer Presentation - Angelbeat Princeton SeminarAmazon Web Services
 
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft BroadridgeAWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft BroadridgeAmazon Web Services
 
AWS Storage and Edge Processing
AWS Storage and Edge ProcessingAWS Storage and Edge Processing
AWS Storage and Edge ProcessingAmazon Web Services
 
Aws cloud adoption_framework
Aws cloud adoption_frameworkAws cloud adoption_framework
Aws cloud adoption_frameworkIBM India Pvt Ltd
 
Winning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeWinning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeCloudHesive
 
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduAWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduVladimir Simek
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Amazon Web Services
 

More Related Content

What's hot

Big Data & Analytics - Innovating at the Speed of Light
Big Data & Analytics - Innovating at the Speed of LightBig Data & Analytics - Innovating at the Speed of Light
Big Data & Analytics - Innovating at the Speed of LightAmazon Web Services LATAM
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneAmazon Web Services
 
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...Amazon Web Services
 
Adding image and video analysis to your app
Adding image and video analysis to your appAdding image and video analysis to your app
Adding image and video analysis to your appAmazon Web Services
 
Windows Workloads on AWS - AWS Innovate Toronto
Windows Workloads on AWS - AWS Innovate TorontoWindows Workloads on AWS - AWS Innovate Toronto
Windows Workloads on AWS - AWS Innovate TorontoAmazon Web Services
 
Operating and Managing Hybrid Cloud on AWS
Operating and Managing Hybrid Cloud on AWSOperating and Managing Hybrid Cloud on AWS
Operating and Managing Hybrid Cloud on AWSTom Laszewski
 
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Amazon Web Services
 
Fort Lauderdale Tech Talks - The Future is the Cloud
Fort Lauderdale Tech Talks - The Future is the CloudFort Lauderdale Tech Talks - The Future is the Cloud
Fort Lauderdale Tech Talks - The Future is the CloudCloudHesive
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneAmazon Web Services
 
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring Tom Laszewski
 
Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐
Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐
Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐Amazon Web Services
 
Considerations for your Cloud Journey
Considerations for your Cloud JourneyConsiderations for your Cloud Journey
Considerations for your Cloud JourneyAmazon Web Services
 
AWS Customer Presentation - Angelbeat Princeton Seminar
AWS Customer Presentation - Angelbeat Princeton SeminarAWS Customer Presentation - Angelbeat Princeton Seminar
AWS Customer Presentation - Angelbeat Princeton SeminarAmazon Web Services
 
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft BroadridgeAWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft BroadridgeAmazon Web Services
 
Aws cloud adoption_framework
Aws cloud adoption_frameworkAws cloud adoption_framework
Aws cloud adoption_frameworkIBM India Pvt Ltd
 
Winning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeWinning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeCloudHesive
 

What's hot (20)

AWS Training and Certification
AWS Training and CertificationAWS Training and Certification
AWS Training and Certification
 
Big Data & Analytics - Innovating at the Speed of Light
Big Data & Analytics - Innovating at the Speed of LightBig Data & Analytics - Innovating at the Speed of Light
Big Data & Analytics - Innovating at the Speed of Light
 
Building your Cloud Strategy
Building your Cloud StrategyBuilding your Cloud Strategy
Building your Cloud Strategy
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
 
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
 
Adding image and video analysis to your app
Adding image and video analysis to your appAdding image and video analysis to your app
Adding image and video analysis to your app
 
Windows Workloads on AWS - AWS Innovate Toronto
Windows Workloads on AWS - AWS Innovate TorontoWindows Workloads on AWS - AWS Innovate Toronto
Windows Workloads on AWS - AWS Innovate Toronto
 
Operating and Managing Hybrid Cloud on AWS
Operating and Managing Hybrid Cloud on AWSOperating and Managing Hybrid Cloud on AWS
Operating and Managing Hybrid Cloud on AWS
 
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
 
AWS 微服務架構分享
AWS 微服務架構分享AWS 微服務架構分享
AWS 微服務架構分享
 
Fort Lauderdale Tech Talks - The Future is the Cloud
Fort Lauderdale Tech Talks - The Future is the CloudFort Lauderdale Tech Talks - The Future is the Cloud
Fort Lauderdale Tech Talks - The Future is the Cloud
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
 
Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐
Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐
Track 3 Session 4_企業工作負載遷移至 AWS 的最佳實踐
 
Considerations for your Cloud Journey
Considerations for your Cloud JourneyConsiderations for your Cloud Journey
Considerations for your Cloud Journey
 
AWS Customer Presentation - Angelbeat Princeton Seminar
AWS Customer Presentation - Angelbeat Princeton SeminarAWS Customer Presentation - Angelbeat Princeton Seminar
AWS Customer Presentation - Angelbeat Princeton Seminar
 
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft BroadridgeAWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
 
AWS Storage and Edge Processing
AWS Storage and Edge ProcessingAWS Storage and Edge Processing
AWS Storage and Edge Processing
 
Aws cloud adoption_framework
Aws cloud adoption_frameworkAws cloud adoption_framework
Aws cloud adoption_framework
 
Winning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeWinning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our Time
 

Similar to AWS Innovate Ottawa: Security & Compliance

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduAWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduVladimir Simek
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Amazon Web Services
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWSAmazon Web Services
 
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...Amazon Web Services
 
AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAmazon Web Services
 
1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markryAmazon Web Services LATAM
 
Top 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesTop 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesAhmad Khan
 
Protecting Your Data- AWS Security Tools and Features
Protecting Your Data- AWS Security Tools and FeaturesProtecting Your Data- AWS Security Tools and Features
Protecting Your Data- AWS Security Tools and FeaturesAmazon Web Services
 
Sicurezza e Compliance nel Cloud
Sicurezza e Compliance nel CloudSicurezza e Compliance nel Cloud
Sicurezza e Compliance nel CloudAmazon Web Services
 
Proteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSProteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSAmazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAmazon Web Services
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 

Similar to AWS Innovate Ottawa: Security & Compliance (20)

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduAWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWS
 
AWS - Security & Compliance
AWS - Security & ComplianceAWS - Security & Compliance
AWS - Security & Compliance
 
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
 
AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics Webinar
 
Security & Compliance in AWS
Security & Compliance in AWSSecurity & Compliance in AWS
Security & Compliance in AWS
 
1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry
 
Top 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesTop 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practices
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
SEC301 Security @ (Cloud) Scale
SEC301 Security @ (Cloud) ScaleSEC301 Security @ (Cloud) Scale
SEC301 Security @ (Cloud) Scale
 
Protecting Your Data- AWS Security Tools and Features
Protecting Your Data- AWS Security Tools and FeaturesProtecting Your Data- AWS Security Tools and Features
Protecting Your Data- AWS Security Tools and Features
 
Sicurezza e Compliance nel Cloud
Sicurezza e Compliance nel CloudSicurezza e Compliance nel Cloud
Sicurezza e Compliance nel Cloud
 
Proteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSProteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWS
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Intro & Security Update
Intro & Security UpdateIntro & Security Update
Intro & Security Update
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & Compliance
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS Innovate Ottawa: Security & Compliance

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Geordie Anderson, Solutions Architect September 20, 2017 AWS Security and Compliance
  • 3. Prescriptive Approach Understand AWS Security and Best Practices Build Strong Compliance Foundations Integrate Identity & Access Management Enable Auditing and Detective Controls Establish Network Security Implement Data Protection Optimize Change Management and Governance Automate Security Functions
  • 4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Understand AWS Security and Best Practices
  • 6. Security At AWS Is Our #1 Priority Familiar Security Model Security measures are validated and driven by security experts across our customer base Superset of security controls that benefit all customers PEOPLE & PROCESS SYSTEM NETWORK PHYSICAL
  • 7. Improving Security With The Cloud “From a physical and logical security standpoint, I believe that, if done right, public cloud computing is as or more secure than self-hosting.” – Steve Randich, EVP and CIO, Financial Industry Regulatory Authority, USA FINRA now deploying multiple Hadoop-based and Redshift-based analytics apps core to their regulatory mission • Multi-petabyte clusters growing by terabytes per day • Core apps in full production since January 2015 • Half way through a 2 year plan to go “all in” to the AWS cloud
  • 8. Secure Cloud Architecture Municipal Property Assessment Corporation • Responsible for providing valuations for more than 5 million properties • Moved from its traditional IT architecture to AWS, to be more responsive and agile in serving its customers • Runs its core property valuation engine on AWS • Leveraging Amazon Virtual Private Cloud (VPC) as part of its security architecture
  • 9. AWS Shared Responsibility Model DatabaseStorageCompute Networking Edge Locations Regions Avail. Zones AWS Global Infrastructure Customers are responsible for security ‘in’ the Cloud AWS is responsible for security ‘of’ the Cloud Customer Content Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Client-side Data Encryption & Data Integrity Authentication Server-side Encryption (Filesystem and/or Data) Network Traffic Protection (Encryption / Integrity / Identity)
  • 10. AWS Security Training AWS Security Fundamentals Free 3 hour online course Security Operations on AWS Instructor-led 3 day class Details at aws.amazon.com/training
  • 11. AWS Security Whitepapers Introduction to AWS Security AWS Security Best Practices AWS Security Checklist Introduction to AWS Security Processes Overview of AWS Security - Storage Services Overview of AWS Security - Database Services Overview of AWS Security - Compute Services Overview of AWS Security - Application Services Overview of AWS Security - Analytics, Mobile and Application Services Overview of AWS Security - Network Services Security at Scale: Logging in AWS Security at Scale: Governance in AWS ... and more… Details at aws.amazon.com/security/security-resources/
  • 12. AWS CIS Benchmarks AWS has partnered with the Center for Internet Security to create two consensus-based, best-practice security configuration guides which will align to multiple security frameworks globally https://www.cisecurity.org/ The Benchmarks are: • Recommended technical control rules/values for hardening operating systems, middleware, software applications, and network devices • Distributed free of charge by CIS in .PDF format • Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices
  • 13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Build Strong Compliance Foundations
  • 14. AWS Reports, Certifications & Accreditations https://aws.amazon.com/compliance/
  • 15. AWS Artifact – Compliance Reports Provides customers with an easier process to obtain certain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console AWS Artifact
  • 16. Security is a Shared Responsibility Facilities Physical security Compute infrastructure Storage infrastructure Network infrastructure Virtualization layer (EC2) Hardened service endpoints Rich IAM capabilities Network configuration Security groups OS firewalls Operating systems Applications Proper service configuration Authentication management Authorization policies + = Customer More secure and compliant systems than any one entity could achieve on its own at scale
  • 17. Trusted Advisor • Best practice and recommendation engine • Proactive guidance • Helping customers reduce spend • Giving customers insight into running more secure, highly available environments • 4 main categories
  • 18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Integrate Identity & Access Management
  • 19. AWS Identity & Access Management IAM Users IAM Groups IAM Roles IAM Policies
  • 20. AWS Organizations Control AWS service use across accounts Policy-based management for multiple AWS accounts Consolidate billing and usage reporting Automate account creation
  • 21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Enable Auditing and Detective Controls
  • 22. AWS CloudTrail – Cloud Usage Audit Logging Users are constantly making API calls... On a growing set of AWS services around the world… AWS CloudTrail is continuously recording and logging the API calls… Who made the request? What was requested? When and from where? What was the response?
  • 23. Amazon CloudWatch – Monitoring Service • Provides visibility and metrics into every aspect of your AWS environment • Metrics are automatically actionable and can call notifications, set alarms, run code, etc. Metrics include • EC2 Instances (CPU usage, networking, etc.) • RDS instances (connections, CPU, etc.) • ELB metrics (healthy backends, network, etc.) • Support for custom metrics
  • 24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Establish Network Security
  • 25. Virtual Private Cloud (VPC) /16 Availability Zone A Availability Zone B Public Subnet Public Subnet /22 /221019 IPs 1019 IPs Private Subnet with Outbound NAT Private Subnet with Outbound NAT /20 /204091 IPs 4091 IPs Private Subnet Private Subnet /20 /204091 IPs 4091 IPs
  • 26. Example Architecture AWS Region (Canada – Montreal) 10.10.0.0/16 Availability Zone A Availability Zone B Web Subnet A 10.10.1.0/24 Database Subnet A 10.10.5.0/24 Web Subnet B 10.10.2.0/24 Database Subnet B 10.10.6.0/24 Web Tier Security Group Database Tier Security Group Web Server Web Server Web Server Web Server ELB Internet Gateway (IGW) Web Tier Auto Scaling Group App Subnet A 10.10.3.0/24 App Subnet B 10.10.4.0/24 App Tier Security Group App Server App Server App Server App Server App Tier Auto Scaling Group Synchronous Replication ELB
  • 27. Multiple VPCs Sandbox Development QA Staging Production PCI Compliant Apps Non Regulated Apps Business Unit A Business Unit B
  • 28. VPC Flow Logs – See All Your Traffic • Agentless • Enable per network interface, per subnet, or per VPC • Logged to AWS CloudWatch Logs • Create CloudWatch metrics from log data, and alarm on those metrics Source IP Destination IP Source Port Destination Port Interface Protocol Packets Bytes Start Time Accept or Reject Account ID End Time
  • 29. Visualize Your Traffic With Amazon Elasticsearch Service and Kibana VPC Flow Logs
  • 30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Implement Data Protection
  • 31. It’s Always YOUR Data! • Customers choose where to place their data • Customers can encrypt data using native AWS tools and/or 3rd party solutions • AWS regions are geographically isolated by design • Data is not replicated to other AWS regions and does not move • Customers own their data, the ability to encrypt it, move it, and delete it
  • 32. Data Encryption in AWS Encryption In Transit SSL/TLS VPN / IPSEC SSH Encryption At Rest Object Database Filesystem Disk
  • 33. We Use Keys to Encrypt / Decrypt Data Unencrypted Data + { AES DES RC4 Blowfish } + = Encrypted Data + { AES DES RC4 Blowfish } + = ENCRYPTION ALGORITHM ENCRYPTION ALGORITHM Encrypted Data Unencrypted Data
  • 34. Key Management Options in AWS There are different options based on complexity, performance, cost, integration, operations, and compliance requirements Do It Yourself AWS Marketplace Partner Solutions AWS Key Management Service (KMS) AWS CloudHSM http://smallbusiness.com/wp- content/uploads/2014/04/lego-worker.jpg Represents a sample of AWS Marketplace Key Management Partner Solutions. Further details available here: https://aws.amazon.com/marketplace/
  • 35. Other AWS Security Services AWS Shield Managed DDoS protection AWS Web Application Firewall (WAF) A web application firewall that helps protect web applications from common web exploits Amazon Macie Machine learning powered security service to discover, classify, and protect sensitive data Amazon Inspector Automated security assessment service that helps improve the security and compliance of applications deployed on AWS
  • 36. AWS Marketplace: One-Stop Shop For Security Tools Infrastructure Security Logging & Monitoring Identity & Access Control Configuration & Vulnerability Analysis Data Protection
  • 37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Optimize Change Management and Governance
  • 38. AWS Config & Config Rules AWS Config AWS Config Rules • Resource inventory and configuration history • Records configuration changes continuously • Time-series view of resource changes • Archive and compare • Configuration change notifications to enable security and governance • Powerful configuration rule system • Define custom rules that can look for desirable or undesirable conditions • Enforce best practices using automated compliance checks • Trigger additional alerts or workflow
  • 39. AWS Config Partners Represents a sample of AWS Config Partners, part of the AWS Service Delivery Program. Further details available here: https://aws.amazon.com/config/partners/
  • 40. AWS Service Catalog Portfolios of IT Approved Products Resource Launch Product Permissions Constraints End-User Self-Service Portal Administration Interface Users / Groups Portfolios CloudFormation Templates Tags ConstraintsAccounts AWS Service Catalog End-Users
  • 41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automate Security Functions
  • 42. AWS CloudFormation – Infrastructure as Code Template StackAWS CloudFormation • Orchestrate changes across AWS Services • Use as foundation to Service Catalog products • Use with source code repositories to manage infrastructure changes • JSON-based text file describing infrastructure • Group of resources created from a template • Can be updated • Updates can be restricted
  • 43. Security By Design Infrastructure as code – automate deployment, provisioning, and configurations of AWS cloud environments CloudFormation Service CatalogStack Templates Instances AppsResources Stack Stack Design Package Products Portfolios DeployConstrain Identity & Access Management Set Permissions
  • 46. EC2 Your catalog of approved templates Your custom template specs Your custom running template Hardening Audit and logging Vulnerability management Malware and HIPS Whitelisting and integrity User administration Operating system • Configure and harden EC2 instances to your own specs • Use host-based protection software • Manage administrative users • Enforce separation of duties & least privilege • Connect to your existing services, e.g. SIEM, patching • The immutable infrastructure pattern Enforce Consistent Security On Servers Base OS image
  • 47. Evolving the Practice of Security Architecture Security architecture as a separate function can no longer exist Static position papers, architecture diagrams, risk assessments & documents UI-dependent consoles and technologies Auditing, assurance, and compliance are decoupled, separate processes Current Security Architecture Practice
  • 48. Evolving the Practice of Security Architecture Security architecture can now be part of the “maker” team Architecture artifacts (design choices, narrative, etc.) committed to common repositories Complete solutions account for automation Solution architectures are living audit/compliance artifacts and evidence in a closed loop Evolved Security Architecture Practice AWS CodeCommit AWS CodePipeline Jenkins
  • 49. Summary Understand AWS Security and Best Practices Build Strong Compliance Foundations Integrate Identity & Access Management Enable Auditing and Detective Controls Establish Network Security Implement Data Protection Optimize Change Management and Governance Automate Security Functions