Professional Documents
Culture Documents
Fundamentals of Aws Security 1156248642 190430082401
Fundamentals of Aws Security 1156248642 190430082401
Fundamentals of Aws Security 1156248642 190430082401
Security
Esteban Hernandez, Specialist SA for Security &
Compliance , EMEA
30/04/2019
© 2019,
2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Strengthen your security posture
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
You have opened an AWS account, now what?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Anatomy of an AWS account
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Anatomy of an AWS account
AWS Account 1234567891011
Global services
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Global Infrastructure
20 Regions – 60 Availability Zones – 160 Points of presence Regions and Availability Zones
US East China
N. Virginia (6) Beijing (2)
Ohio (3) Ningxia (3)
US West Europe
N. California (3) Frankfurt (3)
Oregon (3) Ireland (3)
Asia Pacific London (3)
Mumbai (2) Paris (3)
Seoul (2) Stockholm (3)
Singapore (3) South America
Sydney (3) São Paulo (3)
Tokyo (4) GovCloud (US)
Osaka-Local (1) US-East (3)
Canada US-West (3)
Central (2)
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Inherit global security and compliance controls
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Compliance Program
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Compliance
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Accessing AWS Compliance Reports
AWS Artifact:
• On-demand access to AWS’
compliance reports
• Globally available
• Easy identification
• Quick assessments
• Continuous monitoring
• Enhanced transparency
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
In a region
eu-west-1
VPC
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
The AWS Shared Responsibility Model
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Shared Responsibility Model
Customer content
Customers are
Platform, Applications, Identity & Access Management responsible for
their security and
Operating System, Network & Firewall Configuration compliance IN
Customers the Cloud
Client-side Data Server-side Data Network Traffic
Encryption Encryption Protection
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Summary of Customer Responsibility in the Cloud
Applications Firewall
Operating System
Networking/Firewall
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
In short:
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS security solutions
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Identity and Access
Management
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Understanding planes of access
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Understanding planes of access
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Identity & Access Management (IAM)
Simple AD
Microsoft AD
AD Connector
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Detective Control
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Config – Configuration monitoring
AWS Config is a fully managed service that provides you with an inventory of
your AWS resources, lets you audit the resource configuration history and
notifies you of resource configuration changes.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Compliance change detection
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Amazon GuardDuty
GuardDuty Monitors:
• Unusual API calls.
• Potentially unauthorized deployments that indicate a possible account
compromise.
• Potentially compromised instances or reconnaissance by attackers.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Intelligent threat detection with Amazon GuardDuty
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Security Hub Overview
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Security Hub: Automated Assessment Versus
Standards
43 fully automated,
nearly continuous
checks
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Trusted Advisor – Real time guidance
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Detective Control - Logging
and Auditing
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Full visibility and logging features
Who did what and when and from where (IP address)
• CloudTrail/Config support for many AWS services and growing -
includes EC2, EBS, VPC, RDS, IAM and RedShift
• Edge/CDN, WAF, ELB,VPC/Network FlowLogs
• Easily Aggregate all log information
• CloudWatch Alarms
Out of the box integration with log analysis tools from AWS
partners including Splunk, AlertLogic and SumoLogic
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Tracking of user activity and API usage with AWS
CloudTrail
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Amazon CloudWatch – Monitoring service
Metrics include
• EC2 Instances (CPU Usage, Networking, etc)
• RDS instances (Connections, CPU, etc)
• ELB metrics (Healthy backends, Network, etc)
• Many services are included
• Support for Custom metrics
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
CloudWatch Dashboards sample
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
AWS Accept
account or reject
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Infrastructure Security
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Network isolation with Virtual Private Cloud
eu-west-1
• Define your own IP address space with
VPC networks, subnets, routing
• Connect your offices with AWS using
Direct Connect or VPN
• Configure Security Groups (virtual
firewalls) for your instances
• Configure the Network Access Control
List for control at the network layer level
• Enable private connections to AWS
services using AWS Private Link
• Connect the accounts of your
organization or other organizations
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Amazon VPC Endpoints
Use cases
• Secure storage of files
• Private databases
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Shield
Standard & Advanced
AWS Firewall
Economic AWS WAF at no Manager Cost Protection for
additional cost at no additional scaling
Benefits for protected resources
cost
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Shield
Standard
Layer 3/4 Protection for Everyone
Automatic defense against the most common network
and transport layer DDoS attacks for any AWS resource,
in any AWS Region
Comprehensive defense against all known network and
AWS Shield transport layer attacks when using Amazon CloudFront
Standard and Amazon Route 53
SYN Floods, UDP Floods, Reflection Attacks, etc.
Detection Mitigation
• Enhanced Layer 3 attack detection • Traffic Engineering for Large DDoS Attacks
• Network ACLs executed at the border for EIPs
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Amazon Inspector
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Amazon Inspector – common use cases
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
How to use Amazon Inspector?
Configure Run
Findings Take Action
assessment assessment
Vulnerability; Remediation
Resource affected;
1-Click for network Recommendation Inspector
reachability
Partners
• SIEM
• Reporting
• Ticketing
Store in Database
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Penetration Testing of your AWS environment
Effective immediately, AWS customers are welcome to carry out security assessments or
penetration tests against their AWS infrastructure without prior approval for 8 services.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Data Privacy and Encryption
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Data Protection In-Transit and At-Rest
SSL/TLS Object
Database
VPN / IPSEC
Filesystem
SSH Disk
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Certificate Manager (ACM), In-Transit
• Provision trusted SSL/TLS certificates from AWS for use with AWS
resources:
• Elastic Load Balancing
• Amazon CloudFront distributions
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Data Encryption At-Rest
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Key Management Service (AWS KMS)
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS CloudHSM
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS CloudHSM
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Incident Response
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Responding to Findings: Remediation
Automatic Remediation
GuardDuty CloudWatch Events Lambda
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Largest ecosystem of security partners and solutions
Data
protection
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
At AWS Security is Job Zero
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Q&A
Name of presenter
© 2018,
2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Thank you!
© 2019,
2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Additional Resources
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Quick Starts
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
What are AWS Quick Starts?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Security-focused Quick Starts
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
CIS Benchmark on AWS
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Answers
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
What is AWS Answers?
https://aws.amazon.com/answers/
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Blogs
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
What are AWS Blogs?
https://aws.amazon.com/blogs/
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Securing data on S3 using bucket policies
https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-
defense-in-depth-to-help-secure-your-amazon-s3-data/
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Finally, some links to remember…
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark