
An Introduction to AWS Cloud Security

Ankush Chowdhary
Principal Security Advisor – APJ
Worldwide Public Sector
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
Overview of AWS security
Understand your responsibility in the cloud
AWS Security and Compliance Programs
Overview of AWS Security Products/Services
AWS Cloud Security Design Patterns
Questions?

AWS Global Infrastructure
22 Regions – 69 Availability Zones – 176 Edge Locations
Region & Number of Availability Zones
US East: N. Virginia (6), Ohio (3)
US West: N. California (3), Oregon (4)
Canada: Central (2)
South America: São Paulo (3)
Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
Asia Pacific: Mumbai (3), Seoul (2), Singapore (3), Hong Kong (3), Sydney (3), Tokyo (4), Osaka-Local (1)
Middle East: Bahrain (3)
China: Beijing (2), Ningxia (3)
AWS GovCloud (US): US-East (3), US-West (3)
Announced Regions: Cape Town, Jakarta, Milan
Security is Our No. 1 Priority
Designed for Security
Constantly Monitored
Highly Automated
Highly Available
Highly Accredited

What is AWS Shared Responsibility?

Security IN the cloud: security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services.

Security OF the cloud: security measures that the cloud service provider (AWS) implements and operates.
Your data stays where you put it.

AWS Compliance Programs
Global

United States

AWS Compliance Programs

Asia Pacific

Europe

All customers benefit from the same security
60+ Assurance programs, including
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001
• ISO 9001
• PCI DSS Level 1 - Service Provider
• ISO 27017 (security of the cloud)
• ISO 27018 (personal data)
• BSI C5 (Germany) – ESCloud (EU)
• CISPE - GDPR

Find Compliance Reports on AWS Artifact
Reports On-Demand
Globally Available
Easy Identification
Quick Assessments
Continuous Monitoring
Enhanced Transparency
https://aws.amazon.com/artifact/

Customer Security Operations in AWS

Move to AWS
Strengthen your security posture
Inherit global security and compliance controls
Scale with superior visibility and control
Highest standards for privacy and data security
Automate with deeply integrated security services
Largest network of security partners and solutions

Highest standards for privacy
Meet data residency requirements: choose an AWS Region and AWS will not replicate your data elsewhere unless you choose to do so.
Encryption at scale, with keys managed by AWS Key Management Service (KMS) or with your own encryption keys managed in CloudHSM using FIPS 140-2 Level 3 validated HSMs.
Comply with local data privacy laws by controlling who can access content, its lifecycle, and its disposal.
Access services and tools that enable you to build compliant infrastructure on top of AWS.

Identity & access management
Define, enforce, and audit user permissions across AWS services, actions and resources.
AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources
AWS Organizations
Policy-based management for multiple AWS accounts
Amazon Cognito
Add user sign-up, sign-in, and access control to your web and mobile apps
AWS Directory Service
Managed Microsoft Active Directory in the AWS Cloud
AWS Single Sign-On
Centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications
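The slide says IAM is where permissions are defined and enforced; what it does not show is how a permission decision is actually reached. The evaluator below is an added example (not AWS code and not how IAM is implemented) that models the documented decision order for identity-based policies: an explicit Deny in any matching statement wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied. It supports the `*` and `?` wildcards in Action and Resource and the StringEquals, StringNotEquals and Bool condition operators; the policy documents, ARNs and request contexts are constructed for the example, and everything real IAM adds on top (resource policies, SCPs, permission boundaries, the other operators) is out of scope.

```python
"""Minimal IAM policy evaluator (added example, not AWS code).

Models the documented decision logic for identity-based policies: an
explicit Deny in any matching statement wins, otherwise any matching Allow
grants access, otherwise the request is implicitly denied. Supports '*' and
'?' wildcards in Action and Resource and the StringEquals / StringNotEquals
/ Bool condition operators. The policies and request contexts below are
constructed for the example.
"""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _action_matches(patterns, action):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    return any(_wildcard(p.lower(), action.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    return any(_wildcard(p, resource) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold. As in IAM, a negated operator
    succeeds when the key is absent, while Bool fails when it is absent."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or str(actual) not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and str(actual) in expected:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != expected[0].lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against a list of policy documents."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _action_matches(stmt.get("Action", []), action):
                continue
            if not _resource_matches(stmt.get("Resource", []), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides everything
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny by default


# Constructed policies: a developer grant plus a guardrail that forces
# KMS-encrypted uploads and MFA for anything touching IAM.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-logs/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
POLICIES = [DEVELOPER_POLICY, GUARDRAIL_POLICY]
```

Two results are worth noting. A PutObject request that carries no `s3:x-amz-server-side-encryption` key is denied, because StringNotEquals holds when the key is absent; that is what makes the encryption guardrail effective. The MFA guardrail, by contrast, does not fire when `aws:MultiFactorAuthPresent` is absent from the context (as it is for requests signed with long-term access keys), because Bool fails on a missing key; this matches real IAM behaviour and is the reason AWS documents `BoolIfExists` for MFA-enforcing policies.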

Detective control
Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
AWS CloudTrail
Enable governance, compliance, and operational/risk auditing of your AWS account
AWS Config
Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting
Amazon CloudWatch
Monitor AWS Cloud resources and your applications on AWS to collect metrics, monitor log files, set alarms, and automatically react to changes
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
VPC Flow Logs
Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs

Infrastructure security
Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS.
Amazon EC2 Systems Manager
Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems
AWS Shield
Managed DDoS protection service that safeguards web applications running on AWS
AWS Web Application Firewall (WAF)
Protects your web applications from common web exploits, ensuring availability and security
Amazon Inspector
Automates security assessments to help improve the security and compliance of applications deployed on AWS
Amazon Virtual Private Cloud (VPC)
Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define

Data protection
In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage).
AWS Key Management Service (KMS)
Easily create and control the keys used to encrypt your data
AWS CloudHSM
Managed hardware security module (HSM) on the AWS Cloud
Amazon Macie
Machine learning-powered security service to discover, classify, and protect sensitive data
AWS Certificate Manager
Easily provision, manage, and deploy SSL/TLS certificates for use with AWS services
Server Side Encryption
Flexible data encryption options using AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys

Incident response
During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.
AWS Config Rules
Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known-good state
AWS Lambda
Use our serverless compute service to run code without provisioning or managing servers so you can scale your programmed, automated response to incidents
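The two tools above are usually combined: a custom Config rule is a Lambda function that receives the recorded configuration of a resource, reports whether it is compliant, and can start the containment step. The code below is an added example (not AWS's own code) of that pattern for a security group that exposes a management port (22 or 3389) to the whole internet; it reports NON_COMPLIANT to Config and revokes the offending ingress rules so the group returns to a known-good state. Assumptions: the event has the shape Config sends to a custom Lambda rule (`invokingEvent` as a JSON string carrying `configurationItem`, plus `resultToken`), the `configurationItem` fields follow Config's recorded schema for `AWS::EC2::SecurityGroup`, and the AWS clients are injected so the example runs offline against the `RecordingClient` stub instead of boto3 clients. The sample event and group id are constructed.

```python
"""Custom AWS Config rule with automated containment (added example, not AWS code).

A Config rule evaluates a security group's recorded configuration, reports
COMPLIANT / NON_COMPLIANT back to Config, and, when remediation is enabled,
asks EC2 to revoke the ingress rules that expose a management port to the
world. Clients are injected so the example runs offline; RecordingClient
stands in for boto3's config and ec2 clients and records the calls made.
"""
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22, 3389}  # management ports that must never face the internet


def _port_range_includes(perm, port):
    # fromPort/toPort are absent on "all traffic" (ipProtocol "-1") rules,
    # which expose every port and therefore always match.
    low, high = perm.get("fromPort"), perm.get("toPort")
    if low is None or high is None or perm.get("ipProtocol") == "-1":
        return True
    return low <= port <= high


def find_open_ingress(configuration):
    """Return the ingress rules (shaped for revoke_security_group_ingress)
    that allow a sensitive port from 0.0.0.0/0 or ::/0."""
    offending = []
    for perm in configuration.get("ipPermissions", []):
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", []) if r.get("cidrIp") in OPEN_CIDRS]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", []) if r.get("cidrIpv6") in OPEN_CIDRS]
        if not cidrs or not any(_port_range_includes(perm, p) for p in SENSITIVE_PORTS):
            continue
        rule = {"IpProtocol": perm.get("ipProtocol", "-1")}
        if perm.get("fromPort") is not None:
            rule["FromPort"], rule["ToPort"] = perm["fromPort"], perm["toPort"]
        v4 = [c for c in cidrs if ":" not in c]
        v6 = [c for c in cidrs if ":" in c]
        if v4:
            rule["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            rule["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        offending.append(rule)
    return offending


class RecordingClient:
    """Stand-in for a boto3 client: records every call instead of making it."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


def lambda_handler(event, context, config_client=None, ec2_client=None, remediate=True):
    config_client = config_client or RecordingClient()
    ec2_client = ec2_client or RecordingClient()
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note, offending = "NOT_APPLICABLE", "not a security group", []
    else:
        offending = find_open_ingress(item.get("configuration") or {})
        compliance = "NON_COMPLIANT" if offending else "COMPLIANT"
        note = (f"{len(offending)} ingress rule(s) expose a management port to the internet"
                if offending else "no world-open management ports")
    # Report the verdict to Config; the ResultToken ties it to this evaluation.
    config_client.put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    # Containment: remove only the offending rules, leaving the rest intact.
    if offending and remediate:
        ec2_client.revoke_security_group_ingress(GroupId=item["resourceId"], IpPermissions=offending)
    return {"compliance": compliance, "revoked": len(offending) if remediate else 0}


# Constructed event mirroring a Config custom-rule invocation; the group id is a placeholder.
SAMPLE_EVENT = {
    "resultToken": "example-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2018-11-02T10:15:00.000Z",
            "configuration": {
                "groupId": "sg-0123456789abcdef0",
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                     "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},   # public HTTPS: acceptable
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},   # SSH from anywhere: revoke
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},  # SSH from the VPC: keep
                ],
            },
        },
    }),
}
```

Running `lambda_handler(SAMPLE_EVENT, None)` reports NON_COMPLIANT and revokes exactly the SSH-from-anywhere rule, leaving the HTTPS rule and the internal SSH rule untouched. Passing `remediate=False` turns the same function into a pure detective control, which is the safer first deployment: let the rule report for a while, confirm the findings are right, then enable containment.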

AWS Cloud Security &
9 Innovative Design Patterns

Just-in-time access rights
Temporary Credentials + Integrated Identity and Access Management
Consolidated Logging
API Logs + Performance, Network, Apps Logs + Firehose data streaming
Durable and cheap archive storage; durable, highly available storage
Ubiquitous Encryption
Managed KMI (Key Storage on HSM) + Object Storage, Archive, Block Storage, Database, Data Warehouse, Log Trails, Out-of-band data transfer, DIY
Non-Persistent & Elastic
Compute Instance + Scaling automagically

Network Architecture
Hybrid Cloud
Leased line + Virtual Firewall + Logically Isolated section of the Cloud

Network Architecture
Resiliency
DNS, CDN, Scaling Load Balancer, Auto-scaling, Web App Firewall, Virtual Firewall


Monitor and React swiftly
Alarms based on Performance, Network, Apps + Event-driven serverless Code execution
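The Consolidated Logging and Monitor and React patterns meet in code like the following: once API logs from CloudTrail are gathered in one place, an event-driven function can run detection logic over them and raise alarms. This is an added example (not AWS code) that applies three checks a practitioner typically wants first: any use of the root account, a burst of failed console logins from one source address, and attempts to stop or rewrite the trail itself. The records are constructed for the example, with field names taken from the real CloudTrail record schema (`userIdentity`, `eventSource`, `eventName`, `sourceIPAddress`, `responseElements`, `additionalEventData`); the `lambda_handler` shape, which takes the records directly from the event, is an assumption of the example rather than how any particular trigger delivers them.

```python
"""Event-driven detection over consolidated CloudTrail records (added example, not AWS code).

Three checks that an event-triggered Lambda (or a CloudWatch alarm on the
same log group) would run over API logs gathered into one place:
root account use, a burst of failed console logins from one source address,
and attempts to switch off or rewrite the trail. Sample records are
constructed; field names follow the CloudTrail record schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
FAILED_LOGIN_THRESHOLD = 3                  # this many failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... inside this window from one IP


def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(records):
    """Return a list of findings, each a dict with at least 'rule' and 'severity'."""
    findings = []
    failures_by_ip = defaultdict(list)
    for r in records:
        identity = r.get("userIdentity") or {}
        # 1. Root credentials should not be in day-to-day use; record whether MFA was used.
        if identity.get("type") == "Root":
            findings.append({
                "rule": "root-activity", "severity": "high",
                "event": r.get("eventName"),
                "mfa_used": (r.get("additionalEventData") or {}).get("MFAUsed", "unknown"),
                "source_ip": r.get("sourceIPAddress"),
            })
        # 2. Anyone turning off or reconfiguring the audit trail.
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and r.get("eventName") in TRAIL_TAMPER_EVENTS:
            findings.append({
                "rule": "trail-tampering", "severity": "high",
                "event": r.get("eventName"),
                "actor": identity.get("arn"),
                "source_ip": r.get("sourceIPAddress"),
            })
        # 3. Collect failed console logins per source address for the burst check.
        if r.get("eventName") == "ConsoleLogin" and (r.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
            failures_by_ip[r.get("sourceIPAddress")].append(_event_time(r))
    n = FAILED_LOGIN_THRESHOLD
    for ip, times in failures_by_ip.items():
        times.sort()
        # Sliding window: flag once if any n consecutive failures fit inside the window.
        if any(times[i + n - 1] - times[i] <= FAILED_LOGIN_WINDOW for i in range(len(times) - n + 1)):
            findings.append({"rule": "failed-login-burst", "severity": "medium",
                             "source_ip": ip, "failures": len(times)})
    return findings


def lambda_handler(event, context):
    """Entry point for an event-driven function. For this example the records
    arrive in the event itself (an assumption); a real trigger would hand over
    an S3 object key or a CloudWatch Logs batch to decode first."""
    return {"findings": detect(event.get("Records", []))}


# Constructed records; 111122223333 is the documentation example account id.
SAMPLE_RECORDS = [
    {"eventTime": "2018-11-02T10:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2018-11-02T10:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2018-11-02T10:03:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2018-11-02T10:06:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2018-11-02T11:30:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "203.0.113.9",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2018-11-02T12:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-11-02T12:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "management-trail"}},
]
```

On the sample, `detect` returns three findings: the root console login without MFA, the StopLogging call, and the three failures from 198.51.100.7 inside ten minutes; carol's single failure is not a finding. The trail-tampering check matters most in an incident: an attacker who can stop the trail blinds every downstream alarm, so that event should page someone regardless of who issued it.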
Standardized Environments & Security as Code
SDK + Continuous Configuration Automation
Validate Change at Scale
Inventory, configuration history and change + Baseline rules for inventory and configuration
Seven Systemic Advantages of Cloud Security - Seven reasons, plus one to grow on

1 Security is AWS highest priority; no compromises, ever

2 Integration of compliance and security

3 Economies of scale and separation of duties

4 Customers refocus on systems and applications

5 Visibility, homogeneity, and automation

6 Cloud platforms as “systems containers”

7 Cloud, big data, security: using the cloud to secure the cloud

8 With cloud speed of innovation and increasing scale, the story will only get better – quickly!
Security “of” AWS

AWS Security Whitepaper

AWS Global Security Infrastructure
Physical and Environmental Security
Business Continuity Management
Network Security
AWS Employee Access
Secure Design Principles
Change Management
AWS Account Security Features
AWS Service-Specific Security

Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
