6. Security At AWS Is Our #1 Priority
Familiar Security Model
• Security measures are validated and driven by security experts across our customer base
• Superset of security controls that benefit all customers
• Layers of control: People & Process, System, Network, Physical
7. Improving Security With The Cloud
“From a physical and logical security standpoint, I
believe that, if done right, public cloud computing is
as or more secure than self-hosting.”
– Steve Randich, EVP and CIO, Financial Industry Regulatory Authority, USA
FINRA is now deploying multiple Hadoop-based and Redshift-based analytics apps core to its regulatory mission
• Multi-petabyte clusters growing by terabytes per day
• Core apps in full production since January 2015
• Halfway through a two-year plan to go “all in” to the AWS cloud
8. Secure Cloud Architecture
Municipal Property Assessment Corporation
• Responsible for providing valuations for more than 5 million properties
• Moved from its traditional IT architecture to AWS to be more responsive and agile in serving its customers
• Runs its core property valuation engine on AWS
• Leverages Amazon Virtual Private Cloud (VPC) as part of its security architecture
9. AWS Shared Responsibility Model
AWS is responsible for security ‘of’ the Cloud:
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Foundation services: Compute, Storage, Database, Networking
Customers are responsible for security ‘in’ the Cloud:
• Customer Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (Filesystem and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
10. AWS Security Training
AWS Security Fundamentals: free 3-hour online course
Security Operations on AWS: instructor-led 3-day class
Details at aws.amazon.com/training
11. AWS Security Whitepapers
Introduction to AWS Security
AWS Security Best Practices
AWS Security Checklist
Introduction to AWS Security Processes
Overview of AWS Security - Storage Services
Overview of AWS Security - Database Services
Overview of AWS Security - Compute Services
Overview of AWS Security - Application Services
Overview of AWS Security - Analytics, Mobile and Application Services
Overview of AWS Security - Network Services
Security at Scale: Logging in AWS
Security at Scale: Governance in AWS
… and more
Details at aws.amazon.com/security/security-resources/
12. AWS CIS Benchmarks
AWS has partnered with the Center for Internet Security to create two consensus-based, best-practice security configuration guides that align with multiple security frameworks globally
https://www.cisecurity.org/
The Benchmarks are:
• Recommended technical control rules/values for hardening operating systems, middleware, software applications, and network devices
• Distributed free of charge by CIS in PDF format
• Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices
15. AWS Artifact – Compliance Reports
AWS Artifact provides customers with an easier process to obtain certain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console
16. Security is a Shared Responsibility
AWS provides:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
The Customer provides:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• Authentication management
• Authorization policies
AWS + Customer = more secure and compliant systems than any one entity could achieve on its own at scale
17. Trusted Advisor
• Best practice and recommendation engine
• Proactive guidance
• Helping customers reduce spend
• Giving customers insight into running more secure, highly available environments
• 4 main categories
19. AWS Identity & Access Management
IAM Users, IAM Groups, IAM Roles, IAM Policies
20. AWS Organizations
Policy-based management for multiple AWS accounts
• Control AWS service use across accounts
• Consolidate billing and usage reporting
• Automate account creation
22. AWS CloudTrail – Cloud Usage Audit Logging
Users are constantly making API calls on a growing set of AWS services around the world. AWS CloudTrail is continuously recording and logging those API calls, answering:
• Who made the request?
• What was requested?
• When and from where?
• What was the response?
23. Amazon CloudWatch – Monitoring Service
• Provides visibility and metrics into every aspect of your AWS environment
• Metrics are automatically actionable and can send notifications, set alarms, run code, etc.
Metrics include:
• EC2 instances (CPU usage, networking, etc.)
• RDS instances (connections, CPU, etc.)
• ELB metrics (healthy backends, network, etc.)
• Support for custom metrics
25. Virtual Private Cloud (VPC)
VPC /16 spanning Availability Zone A and Availability Zone B, with each subnet type duplicated per AZ:
• Public Subnet: /22 (1019 IPs) in each AZ
• Private Subnet with Outbound NAT: /20 (4091 IPs) in each AZ
• Private Subnet: /20 (4091 IPs) in each AZ
26. Example Architecture
AWS Region (Canada – Montreal), VPC 10.10.0.0/16, spanning Availability Zone A and Availability Zone B
• Web Subnet A 10.10.1.0/24 and Web Subnet B 10.10.2.0/24: Web Tier Security Group; Web Tier Auto Scaling Group of Web Servers behind an ELB, reached through the Internet Gateway (IGW)
• App Subnet A 10.10.3.0/24 and App Subnet B 10.10.4.0/24: App Tier Security Group; App Tier Auto Scaling Group of App Servers behind a second ELB
• Database Subnet A 10.10.5.0/24 and Database Subnet B 10.10.6.0/24: Database Tier Security Group, with Synchronous Replication between the two zones
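A CloudFormation template, in the JSON form slide 42 describes, for the tiers of this example architecture, added here as an example (not code from the deck or from AWS). The VPC and subnet CIDRs are the ones on the slide; the resource names, the single VPC resource called Vpc, and the listening ports (443 web, 8080 app, 3306 database) are assumptions.

```python
"""Build the CloudFormation template (JSON) for the tiered security groups of the
example architecture above. Added example, not from the deck or from AWS. The VPC
and subnet CIDRs come from the slide; the resource names and the listening ports
(443 web, 8080 app, 3306 database) are assumptions made for illustration."""
import json

VPC_CIDR = "10.10.0.0/16"
SUBNETS = {  # logical name -> (CIDR from the slide, AZ index)
    "WebSubnetA": ("10.10.1.0/24", 0), "WebSubnetB": ("10.10.2.0/24", 1),
    "AppSubnetA": ("10.10.3.0/24", 0), "AppSubnetB": ("10.10.4.0/24", 1),
    "DatabaseSubnetA": ("10.10.5.0/24", 0), "DatabaseSubnetB": ("10.10.6.0/24", 1),
}

def tcp_rule(port, **source):
    """One ingress rule; source is CidrIp=... or SourceSecurityGroupId=...."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **source}

def security_group(description, ingress):
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": description, "VpcId": {"Ref": "Vpc"},
        "SecurityGroupIngress": ingress}}

def build_template():
    resources = {"Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": VPC_CIDR}}}
    for name, (cidr, az) in SUBNETS.items():
        resources[name] = {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "Vpc"}, "CidrBlock": cidr,
            "AvailabilityZone": {"Fn::Select": [str(az), {"Fn::GetAZs": ""}]}}}
    # Each tier admits traffic only from the tier in front of it, so the
    # database tier is never directly reachable from the Internet.
    resources["WebTierSG"] = security_group(
        "Web tier", [tcp_rule(443, CidrIp="0.0.0.0/0")])
    resources["AppTierSG"] = security_group(
        "App tier", [tcp_rule(8080, SourceSecurityGroupId={"Ref": "WebTierSG"})])
    resources["DatabaseTierSG"] = security_group(
        "Database tier", [tcp_rule(3306, SourceSecurityGroupId={"Ref": "AppTierSG"})])
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}

def internet_exposed_groups(template):
    """Names of security groups with any ingress open to 0.0.0.0/0: a pre-deploy
    check that should list the web tier only."""
    return [name for name, res in template["Resources"].items()
            if res["Type"] == "AWS::EC2::SecurityGroup"
            and any(rule.get("CidrIp") == "0.0.0.0/0"
                    for rule in res["Properties"]["SecurityGroupIngress"])]

if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
```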
28. VPC Flow Logs – See All Your Traffic
• Agentless
• Enable per network interface, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data, and alarm on those metrics
Each flow log record captures: Account ID, Interface, Source IP, Destination IP, Source Port, Destination Port, Protocol, Packets, Bytes, Start Time, End Time, and whether the traffic was Accepted or Rejected
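Detection logic over the record fields listed above, added here as an example (not code from the deck). It assumes the default space-separated flow log record layout named in FIELDS, and every record in SAMPLE_LOG is a constructed sample with a made-up account ID, interface ID and addresses.

```python
"""Parse VPC Flow Log records and flag sources whose rejected flows probed several
destination ports. Added example, not from the deck. Assumes the default
space-separated record layout named in FIELDS; every record in SAMPLE_LOG is a
constructed sample (made-up account, interface ID and addresses)."""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one accepted HTTPS flow, three rejected probes from one
# source against different ports, and one NODATA record with no addresses.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.10.1.10 51234 443 6 20 4000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.10.1.10 40001 22 6 1 60 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.10.1.10 40002 3389 6 1 60 1500000010 1500000070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.10.1.10 40003 3306 6 1 60 1500000020 1500000080 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1500000030 1500000090 - NODATA
"""


def parse_flow_log(text):
    """One dict per OK record. NODATA/SKIPDATA records carry '-' in place of
    addresses and are dropped; malformed lines are dropped rather than guessed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_port_probes(records, min_ports=3):
    """Map each source address to the sorted destination ports its REJECTed flows
    hit, keeping sources that touched at least min_ports distinct ports. This is
    the condition to turn into a CloudWatch metric filter and alarm."""
    ports_by_src = {}
    for rec in records:
        if rec["action"] == "REJECT":
            ports_by_src.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print(rejected_port_probes(parse_flow_log(SAMPLE_LOG)))  # {'198.51.100.7': [22, 3306, 3389]}
```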
31. It’s Always YOUR Data!
• Customers choose where to place their data
• Customers can encrypt data using native AWS tools and/or third-party solutions
• AWS regions are geographically isolated by design
• Data is not replicated to other AWS regions and does not move
• Customers own their data and the ability to encrypt it, move it, and delete it
32. Data Encryption in AWS
Encryption In Transit: SSL/TLS, VPN / IPsec, SSH
Encryption At Rest: Object, Database, Filesystem, Disk
33. We Use Keys to Encrypt / Decrypt Data
Encrypt: Unencrypted Data + Encryption Algorithm (AES, DES, RC4, Blowfish) + Key = Encrypted Data
Decrypt: Encrypted Data + Encryption Algorithm (AES, DES, RC4, Blowfish) + Key = Unencrypted Data
34. Key Management Options in AWS
There are different options based on complexity, performance, cost, integration, operations, and compliance requirements:
• Do It Yourself
• AWS Marketplace Partner Solutions
• AWS Key Management Service (KMS)
• AWS CloudHSM
Represents a sample of AWS Marketplace Key Management Partner Solutions.
Further details available here: https://aws.amazon.com/marketplace/
35. Other AWS Security Services
AWS Shield: managed DDoS protection
AWS Web Application Firewall (WAF): a web application firewall that helps protect web applications from common web exploits
Amazon Macie: machine learning powered security service to discover, classify, and protect sensitive data
Amazon Inspector: automated security assessment service that helps improve the security and compliance of applications deployed on AWS
36. AWS Marketplace: One-Stop Shop For Security Tools
Categories: Infrastructure Security, Logging & Monitoring, Identity & Access Control, Configuration & Vulnerability Analysis, Data Protection
38. AWS Config & Config Rules
AWS Config:
• Resource inventory and configuration history
• Records configuration changes continuously
• Time-series view of resource changes
• Archive and compare
• Configuration change notifications to enable security and governance
AWS Config Rules:
• Powerful configuration rule system
• Define custom rules that can look for desirable or undesirable conditions
• Enforce best practices using automated compliance checks
• Trigger additional alerts or workflow
39. AWS Config Partners
Represents a sample of AWS Config Partners, part of the AWS Service Delivery Program.
Further details available here: https://aws.amazon.com/config/partners/
40. AWS Service Catalog
Administration Interface: administrators build Portfolios of IT Approved Products from CloudFormation Templates and attach Constraints, Tags, Users / Groups, and Accounts to them
End-User Self-Service Portal: End-Users launch Products, with Resource Launch governed by Permissions and Constraints
42. AWS CloudFormation – Infrastructure as Code
Template:
• JSON-based text file describing infrastructure
Stack:
• Group of resources created from a template
• Can be updated
• Updates can be restricted
AWS CloudFormation:
• Orchestrate changes across AWS Services
• Use as foundation to Service Catalog products
• Use with source code repositories to manage infrastructure changes
43. Security By Design
Infrastructure as code: automate deployment, provisioning, and configurations of AWS cloud environments
Design (CloudFormation Templates) → Package (Service Catalog Products, Portfolios) → Constrain (Identity & Access Management: Set Permissions) → Deploy (Stacks of Instances, Apps, Resources)
46. EC2 – Enforce Consistent Security On Servers
Base OS image → your custom template specs → your catalog of approved templates → your custom running template
Your custom template specs cover: Operating system, Hardening, Audit and logging, Vulnerability management, Malware and HIPS, Whitelisting and integrity, User administration
• Configure and harden EC2 instances to your own specs
• Use host-based protection software
• Manage administrative users
• Enforce separation of duties & least privilege
• Connect to your existing services, e.g. SIEM, patching
• The immutable infrastructure pattern
47. Evolving the Practice of Security Architecture
Security architecture as a separate function can no longer exist
Current Security Architecture Practice:
• Static position papers, architecture diagrams, risk assessments & documents
• UI-dependent consoles and technologies
• Auditing, assurance, and compliance are decoupled, separate processes
48. Evolving the Practice of Security Architecture
Security architecture can now be part of the “maker” team
Evolved Security Architecture Practice:
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
Tooling: AWS CodeCommit, AWS CodePipeline, Jenkins