© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

Understanding AWS Security

Bill Murray, Sr Manager, AWS Security Programs

Sep 08, 2014

The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that “Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?” That’s the level of granularity you can choose to implement if you wish. In this session, we’ll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.
Transcript
Page 1: Understanding AWS Security

Understanding AWS Security

Bill Murray,

Sr Manager, AWS Security Programs

Page 2: Understanding AWS Security

Different customer viewpoints on security

PR exec: keep out of the news

CEO: protect shareholder value

CI{S}O: preserve the confidentiality, integrity and availability of data

Page 3: Understanding AWS Security

Security is Our No.1 Priority

Comprehensive Security Capabilities to Support Virtually Any Workload

PEOPLE & PROCEDURES

NETWORK SECURITY

PHYSICAL SECURITY

PLATFORM SECURITY

Page 4: Understanding AWS Security

SECURITY IS SHARED

Page 5: Understanding AWS Security

WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE

Page 6: Understanding AWS Security

WHAT WE DO FOR YOU

WHAT YOU DO YOURSELF

Page 7: Understanding AWS Security

EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES

CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS

Page 8: Understanding AWS Security

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”

Tom Soderstrom – CTO – NASA JPL

Page 9: Understanding AWS Security

AWS SECURITY OFFERS MORE

VISIBILITY

AUDITABILITY

CONTROL

Page 10: Understanding AWS Security

MORE VISIBILITY

Page 11: Understanding AWS Security

CAN YOU MAP YOUR NETWORK?

WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?

Page 12: Understanding AWS Security
Page 13: Understanding AWS Security
Page 14: Understanding AWS Security

TRUSTED ADVISOR

Page 15: Understanding AWS Security
Page 16: Understanding AWS Security
Page 17: Understanding AWS Security
Page 18: Understanding AWS Security

MORE AUDITABILITY

Page 19: Understanding AWS Security
Page 20: Understanding AWS Security

SECURITY CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

Page 21: Understanding AWS Security
Page 22: Understanding AWS Security

AWS CLOUDTRAIL

Page 23: Understanding AWS Security

You are making API calls...

On a growing set of services around the world…

CloudTrail is continuously recording API calls…

And delivering log files to you

Page 24: Understanding AWS Security

Security Analysis

Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.

Track Changes to AWS Resources

Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.

Troubleshoot Operational Issues

Quickly identify the most recent changes made to resources in your environment.

Compliance Aid

Easier to demonstrate compliance with internal policies and regulatory standards.

Page 25: Understanding AWS Security

‣ CloudTrail records API calls and delivers a log file to your S3 bucket.

‣ Typically, delivers an event within 15 minutes of the API call.

‣ Log files are delivered approximately every 5 minutes.

‣ Multiple partners offer integrated solutions to analyze log files.
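
An added example, not taken from the slides or from AWS: a minimal Python pass over one CloudTrail log file that extracts the EC2 instance, security group and EBS volume changes named on slide 24 and answers "what was the most recent applied change?". The sample records are constructed; the field names follow the CloudTrail record format, and the helper names are hypothetical.

```python
import json

# EC2 API calls that create, modify or delete the resource types named on the slide.
TRACKED = {
    "RunInstances": ("EC2 instance", "created"),
    "TerminateInstances": ("EC2 instance", "deleted"),
    "CreateSecurityGroup": ("security group", "created"),
    "AuthorizeSecurityGroupIngress": ("security group", "modified"),
    "RevokeSecurityGroupIngress": ("security group", "modified"),
    "DeleteSecurityGroup": ("security group", "deleted"),
    "CreateVolume": ("EBS volume", "created"),
    "DeleteVolume": ("EBS volume", "deleted"),
}

# Constructed sample, not real log data: a CloudTrail log file is JSON with a "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-09-08T10:05:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2014-09-08T10:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-09-08T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2014-09-08T10:03:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVolume", "sourceIPAddress": "198.51.100.8",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

def actor(identity):
    # Root and role sessions carry no userName, so fall back to the ARN, then the type.
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")

def resource_changes(log_text):
    """Return tracked EC2 change events, oldest first; read-only calls are skipped."""
    changes = []
    for rec in json.loads(log_text).get("Records", []):
        tracked = TRACKED.get(rec.get("eventName"))
        if rec.get("eventSource") != "ec2.amazonaws.com" or tracked is None:
            continue
        changes.append({"time": rec["eventTime"], "who": actor(rec.get("userIdentity", {})),
                        "kind": tracked[0], "action": tracked[1], "event": rec["eventName"],
                        "source_ip": rec.get("sourceIPAddress"),
                        "failed": "errorCode" in rec})  # denied or errored: attempted, not applied
    return sorted(changes, key=lambda c: c["time"])  # same-format UTC timestamps sort as text

def most_recent_change(changes, kind):
    """Latest successful change to one resource kind, or None."""
    applied = [c for c in changes if c["kind"] == kind and not c["failed"]]
    return applied[-1] if applied else None
```

Failed calls are kept in the output with `failed` set, since a denied delete or terminate attempt is often as interesting to a reviewer as an applied one.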

Page 26: Understanding AWS Security

LOGS

OBTAINED, RETAINED, ANALYZED

Page 27: Understanding AWS Security
Page 28: Understanding AWS Security
Page 29: Understanding AWS Security

PROTECT YOUR LOGS WITH IAM

ARCHIVE YOUR LOGS

Page 30: Understanding AWS Security
Page 31: Understanding AWS Security
Page 32: Understanding AWS Security

MORE CONTROL

Page 33: Understanding AWS Security

Defense in Depth

Multi-level security

• Physical security of the data centers

• Network security

• System security

• Data security

Page 34: Understanding AWS Security

AWS Security Delivers More Control & Granularity

Customize the implementation based on your business needs

AWS CloudHSM

Defense in depth

Rapid scale for security

Automated checks with AWS Trusted Advisor

Fine grained access controls

Server side encryption

Multi-factor authentication

Dedicated instances

Direct connection, Storage Gateway

HSM-based key storage

AWS IAM

Amazon VPC

AWS Direct Connect

AWS Storage Gateway

Page 35: Understanding AWS Security

LEAST PRIVILEGE PRINCIPLE

AT AWS

Page 36: Understanding AWS Security

LEAST PRIVILEGE PRINCIPLE

CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK

Page 37: Understanding AWS Security

LEAST PRIVILEGE PRINCIPLE

SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA

Page 38: Understanding AWS Security

LEAST PRIVILEGE PRINCIPLE

MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATACENTER LOCATIONS

Page 39: Understanding AWS Security

LEAST PRIVILEGE PRINCIPLE

MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATACENTERS

Page 40: Understanding AWS Security

SIMPLE SECURITY CONTROLS

ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE

Page 41: Understanding AWS Security
Page 42: Understanding AWS Security

MORE CONTROL

ON IDENTITY & ACCESS

Page 43: Understanding AWS Security

USE AWS IAM

IDENTITY & ACCESS MANAGEMENT

Page 44: Understanding AWS Security

CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT

Page 45: Understanding AWS Security
Page 46: Understanding AWS Security

AWS IAM: Recent Innovations

Securely control access to AWS services and resources

• Delegation

– Roles for Amazon EC2

– Cross-account access

• Powerful integrated permissions

– Resource level permissions: Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation

– Access control policy variables

– Policy Simulator

– Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk

• Federation

– Web Identity Federation

– AD and Shibboleth examples

– Partner integrations

– Case study: Expedia

• Strong authentication

– MFA-protected API access

– Password policies

• Enhanced documentation and videos

Page 47: Understanding AWS Security

ACCESS TO

SERVICE APIs

Page 48: Understanding AWS Security

Amazon DynamoDB Fine Grained Access Control

Directly and securely access application data in Amazon DynamoDB

Specify access permissions at table, item and attribute levels

With Web Identity Federation, completely remove the need for proxy servers to perform authorization

Page 49: Understanding AWS Security

MORE CONTROL

OF YOUR DATA

Page 50: Understanding AWS Security

MFA DELETE PROTECTION

Page 51: Understanding AWS Security
Page 52: Understanding AWS Security

YOUR DATA STAYS

WHERE YOU PUT IT

Page 53: Understanding AWS Security
Page 54: Understanding AWS Security

USE MULTIPLE AZs

AMAZON S3

AMAZON DYNAMODB

AMAZON RDS MULTI-AZ

AMAZON EBS SNAPSHOTS

Page 55: Understanding AWS Security

DATA ENCRYPTION

CHOOSE WHAT’S RIGHT FOR YOU:

Automated – AWS manages encryption

Enabled – user manages encryption using AWS

Client-side – user manages encryption using their own means

Page 56: Understanding AWS Security

AWS CloudHSM

Managed and monitored by AWS, but you control the keys

Increase performance for applications that use HSMs for key storage or encryption

Comply with stringent regulatory and contractual requirements for key protection

[Diagram: EC2 Instance, AWS CloudHSM]

Page 57: Understanding AWS Security

ENCRYPT YOUR DATA

AWS CLOUDHSM

AMAZON S3 SSE

AMAZON GLACIER

AMAZON REDSHIFT

AMAZON RDS

Page 58: Understanding AWS Security

MORE AUDITABILITY

MORE VISIBILITY

MORE CONTROL

Page 59: Understanding AWS Security

IDC Survey

Attitudes and Perceptions Around Security and Cloud Services

Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization

Source: IDC 2013 U.S. Cloud Security Survey, Doc #242836, September 2013

Page 60: Understanding AWS Security

AWS.AMAZON.COM/SECURITY

Page 61: Understanding AWS Security

AWS SECURITY WHITEPAPERS

RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

Page 62: Understanding AWS Security

AWS MARKETPLACE

SECURITY SOLUTIONS

Page 63: Understanding AWS Security

AWS Security

Bill Murray, Sr. Manager, AWS Security Programs

Thank You!