© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Understanding AWS Security
Bill Murray,
Sr Manager, AWS Security Programs
Different customer viewpoints on security
PR exec: keep out of the news
CEO: protect shareholder value
CI{S}O: preserve the confidentiality, integrity and availability of data
Security is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
PEOPLE & PROCEDURES
NETWORK SECURITY
PHYSICAL SECURITY
PLATFORM SECURITY
SECURITY IS SHARED
WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
WHAT WE DO FOR YOU
WHAT YOU DO YOURSELF
EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
Tom Soderstrom – CTO – NASA JPL
AWS SECURITY OFFERS MORE
VISIBILITY
AUDITABILITY
CONTROL
CAN YOU MAP YOUR NETWORK?
WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
MORE AUDITABILITY
SECURITY CONTROL OBJECTIVES
1. SECURITY ORGANIZATION
2. AMAZON USER ACCESS
3. LOGICAL SECURITY
4. SECURE DATA HANDLING
5. PHYSICAL SECURITY AND ENV. SAFEGUARDS
6. CHANGE MANAGEMENT
7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY
8. INCIDENT HANDLING
You are making API calls... on a growing set of services around the world... CloudTrail is continuously recording API calls... and delivering log files to you
Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues: Quickly identify the most recent changes made to resources in your environment.
Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards.
‣ CloudTrail records API calls and delivers a log file to your S3 bucket.
‣ Typically, delivers an event within 15 minutes of the API call.
‣ Log files are delivered approximately every 5 minutes.
‣ Multiple partners offer integrated solutions to analyze log files.
LOGS
OBTAINED, RETAINED, ANALYZED
PROTECT YOUR LOGS WITH IAM
ARCHIVE YOUR LOGS
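As an added example (not from the slides, and not an AWS-published policy quoted verbatim), a bucket policy for the S3 bucket that receives CloudTrail files. The bucket name and account ID are placeholders. The first two statements are the grant CloudTrail needs in order to write; the third refuses deletion of log objects, their versions or the bucket itself to any principal that did not authenticate with MFA, including administrators in your own account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudTrailMayCheckBucketAcl",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-cloudtrail-logs"
    },
    {
      "Sid": "CloudTrailMayWriteLogs",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-cloudtrail-logs/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
      }
    },
    {
      "Sid": "NoDeletionWithoutMFA",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
      "Resource": [
        "arn:aws:s3:::example-cloudtrail-logs",
        "arn:aws:s3:::example-cloudtrail-logs/*"
      ],
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
```

BoolIfExists matters in the last statement: aws:MultiFactorAuthPresent only appears in the request context for temporary credentials, so a request signed with long-term access keys has no such key and would slip past a plain Bool test; with BoolIfExists the missing key counts as "false" and the request is denied. Pair the policy with versioning on the bucket (so an overwritten object is kept as a version) and a lifecycle rule that moves old files to Amazon Glacier, which is the "archive your logs" step above.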
Defense in Depth: Multi-level security
• Physical security of the data centers
• Network security
• System security
• Data security
AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs
Capabilities: defense in depth, rapid scale for security, automated checks with AWS Trusted Advisor, fine grained access controls, server side encryption, multi-factor authentication, dedicated instances, direct connection, Storage Gateway, HSM-based key storage
Services: AWS CloudHSM, AWS IAM, Amazon VPC, AWS Direct Connect, AWS Storage Gateway
LEAST PRIVILEGE PRINCIPLE AT AWS
LEAST PRIVILEGE PRINCIPLE: CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK
LEAST PRIVILEGE PRINCIPLE: SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA
LEAST PRIVILEGE PRINCIPLE: MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATACENTER LOCATIONS
LEAST PRIVILEGE PRINCIPLE: MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATACENTERS
SIMPLE SECURITY CONTROLS ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE
MORE CONTROL ON IDENTITY & ACCESS
USE AWS IAM: IDENTITY & ACCESS MANAGEMENT
CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT
AWS IAM: Recent Innovations
Securely control access to AWS services and resources
• Delegation
– Roles for Amazon EC2
– Cross-account access
• Powerful integrated permissions
– Resource level permissions: Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation
– Access control policy variables
– Policy Simulator
– Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk
• Federation
– Web Identity Federation
– AD and Shibboleth examples
– Partner integrations
– Case study: Expedia
• Strong authentication
– MFA-protected API access
– Password policies
• Enhanced documentation and videos
ACCESS TO SERVICE APIs
Amazon DynamoDB Fine Grained Access Control
Directly and securely access application data in Amazon DynamoDB
Specify access permissions at table, item and attribute levels
With Web Identity Federation, completely remove the need for proxy servers to perform authorization
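As an added example (not from the slides, nor AWS's own code), here is a fine-grained access policy in the form AWS documents for DynamoDB with web identity federation, together with a small Python model of how its conditions decide a request. The policy pins the table (table level), requires the item's partition key to equal the signed-in user's Login with Amazon user_id (item level) and lists the attributes that may be touched (attribute level). The table ARN, account ID and user IDs are placeholders, and the evaluator supports only the condition operators this policy uses; it illustrates the decision logic and is not the IAM engine.

```python
import fnmatch
import re

# Policy in the form AWS documents for web identity federation. Table ARN and
# account ID are placeholders.
FGAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query",
                   "dynamodb:PutItem", "dynamodb:UpdateItem"],
        "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores",
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
                "dynamodb:Attributes": ["UserId", "GameTitle", "Wins", "Losses", "TopScore"],
            },
            "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
        },
    }],
}

TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores"
# Placeholder identity claim, as a web identity provider would supply it.
ALICE = {"www.amazon.com:user_id": "amzn1.account.EXAMPLEALICE"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def substitute(value: str, identity: dict) -> str:
    """Fill ${provider:claim} policy variables from the federated identity."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: identity.get(m.group(1), m.group(0)), value)

def condition_holds(operator: str, expected: dict, context: dict, identity: dict) -> bool:
    """Evaluate one condition operator. Only the operators the policy above
    uses are modelled; anything else is rejected rather than silently allowed."""
    for key, values in expected.items():
        allowed = {substitute(v, identity) for v in as_list(values)}
        present = key in context
        requested = set(as_list(context.get(key, [])))
        if operator == "ForAllValues:StringEquals":
            # Every value the request carries for this key must be in the
            # policy's set; a request with no values for the key passes.
            if not requested <= allowed:
                return False
        elif operator == "StringEqualsIfExists":
            # Only checked when the request carries the key at all.
            if present and not requested <= allowed:
                return False
        elif operator == "StringEquals":
            if not present or not requested <= allowed:
                return False
        else:
            raise ValueError(f"unsupported condition operator: {operator}")
    return True

def evaluate(policy: dict, identity: dict, action: str, resource: str, context: dict) -> str:
    """Return 'Allow' or 'Deny' for one DynamoDB request.

    context carries the DynamoDB condition keys of the request: the partition
    key values (dynamodb:LeadingKeys), the attribute names read or written
    (dynamodb:Attributes) and, for Query, the Select parameter (dynamodb:Select).
    """
    decision = "Deny"  # implicit deny unless some Allow statement matches
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, substitute(r, identity))
                   for r in as_list(stmt["Resource"])):
            continue
        if not all(condition_holds(op, keys, context, identity)
                   for op, keys in stmt.get("Condition", {}).items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision

def alice_reads(keys, attributes, select=None) -> str:
    """Alice queries GameScores for the given partition keys and attributes."""
    context = {"dynamodb:LeadingKeys": keys, "dynamodb:Attributes": attributes}
    if select:
        context["dynamodb:Select"] = select
    return evaluate(FGAC_POLICY, ALICE, "dynamodb:Query", TABLE, context)

if __name__ == "__main__":
    print(alice_reads(["amzn1.account.EXAMPLEALICE"], ["GameTitle", "TopScore"]))  # Allow
    print(alice_reads(["amzn1.account.EXAMPLEBOB"], ["GameTitle", "TopScore"]))    # Deny: not her item
    print(alice_reads(["amzn1.account.EXAMPLEALICE"], ["GameTitle", "Email"]))     # Deny: attribute not listed
    print(alice_reads(["amzn1.account.EXAMPLEALICE"], ["GameTitle"], "ALL_ATTRIBUTES"))  # Deny: Select
```

The point of the model is the substitution step: the policy is attached once to the role that federated users assume, and ${www.amazon.com:user_id} is filled in per request from the identity the provider vouched for, so DynamoDB itself enforces that Alice can only reach rows keyed by her own ID. That is what removes the authorizing proxy server the slide mentions.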
MORE CONTROL OF YOUR DATA
MFA DELETE PROTECTION
YOUR DATA STAYS WHERE YOU PUT IT
USE MULTIPLE AZs: AMAZON S3, AMAZON DYNAMODB, AMAZON RDS MULTI-AZ, AMAZON EBS SNAPSHOTS
DATA ENCRYPTION
CHOOSE WHAT’S RIGHT FOR YOU:
Automated – AWS manages encryption
Enabled – user manages encryption using AWS
Client-side – user manages encryption using their own means
AWS CloudHSM
Managed and monitored by AWS, but you control the keys
Increase performance for applications that use HSMs for key storage or encryption
Comply with stringent regulatory and contractual requirements for key protection
[Diagram: EC2 Instance connected to AWS CloudHSM appliances]
ENCRYPT YOUR DATA: AWS CLOUDHSM, AMAZON S3 SSE, AMAZON GLACIER, AMAZON REDSHIFT, AMAZON RDS, …
MORE AUDITABILITY
MORE VISIBILITY
MORE CONTROL
IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [Cloud Service
Providers] provide better security than their own IT organization
Source: IDC 2013 U.S. Cloud Security Survey
Doc #242836, September 2013
AWS.AMAZON.COM/SECURITY
AWS SECURITY WHITEPAPERS
RISK & COMPLIANCE
AUDITING SECURITY CHECKLIST
SECURITY PROCESSES
SECURITY BEST PRACTICES
AWS MARKETPLACE SECURITY SOLUTIONS
AWS Security
Bill Murray, Sr. Manager, AWS Security Programs
Thank You!