© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ronan Guilfoyle, Solutions Architect
October 12th, 2017
Introduction to AWS Security
and Compliance
Brief intro to AWS availability
AWS Global Infrastructure
16 Regions – 42 Availability Zones – 98 Edge Locations
Region & Number of Availability Zones:
AWS GovCloud (2)
US West: Oregon (3), Northern California (3)
US East: N. Virginia (5), Ohio (3)
Canada: Central (2)
South America: São Paulo (3)
EU: Ireland (3), Frankfurt (2), London (2)
Asia Pacific: Singapore (2), Sydney (2), Tokyo (3), Seoul (2), Mumbai (2)
China: Beijing (2)
Announced Regions: Paris, Ningxia
Example AWS Region [diagram: five Availability Zones linked through two Transit centers]
Example AWS Availability Zone [diagram: Availability Zones and Transit centers]
“We own the customer tool”
“We own the eCommerce API”
“We own the ‘DooHickey’ product”
“We own the platform”
• Tooling
• Deployment
• Metrics
Compliance
You configure your choice of security in the cloud
Customers:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS Security: A Very High Bar
Compliance – Programs and certifications
AWS Security Toolbox
Access a deep set of cloud security tools
Encryption: Key Management Service, CloudHSM, Server-side Encryption
Networking: Virtual Private Cloud, Web Application Firewall
Compliance: Config, CloudTrail & Inspector, Service Catalog
Identity: IAM, Active Directory Integration, SAML Federation
CENTRALIZED AUDITING STORE FOR PLATFORM EVENTS
AWS CLOUDTRAIL
AWS CloudTrail
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – log and understand AWS API call history
• Prove that you did not:
  • Use the wrong region
  • Use services you don’t want
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
Compliance – By the numbers
70+ services
7,710 Audit Artifacts
2,670 Controls
3,030 Audit Requirements
Compliance – Deployable quick starts
CloudFormation templates
SELF-SERVICE PORTAL TO COMPLIANCE REPORTS
AWS ARTIFACT
Compliance – Automated reports
e-NDA
AMAZON MACIE
MACHINE LEARNING SERVICE TO
HELP CUSTOMERS PREVENT DATA
LOSS IN AWS.
Our Customers Ask Us
• What data do I have in the cloud?
• Where is it located?
• How is data being shared and stored?
• How can I classify data in near-real time?
• What PII/PHI is possibly exposed?
• How do I build workflow remediation for my security and compliance needs?
Machine Learning Challenges for Security
• Every customer is different
• Threats are ever changing
• Penalty for error is high
• Flood of data
Our Approach
Amazon Macie
Understand Your Data
Natural Language
Processing (NLP)
Understand Data Access
Machine Learning
How Does Amazon Macie Use Machine Learning?
• Understand behavioral analytics to baseline normal behavior
• Train and develop contextualized alerts by understanding the value of data being accessed
• Context for content
Business Critical Data in Amazon S3
• Static website content
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and Cloud SaaS API Keys
MACHINE LEARNING FOR COMPLIANCE
FOR PII-TYPES LIKE NAMES, ADDRESSES, USER NAMES AND PASSWORDS, A REGEX-BASED APPROACH ISN’T POSSIBLE
MANAGED DDOS PROTECTION SERVICE
AWS SHIELD
AWS Shield
Standard Protection: available to ALL AWS customers at no additional cost
Advanced Protection: paid service that provides additional protections, features and benefits
AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• AWS bill protection
POLICY-BASED MANAGEMENT FOR MULTIPLE ACCOUNTS
AWS ORGANIZATIONS
Introducing AWS Organizations
Policy-based management for multiple AWS accounts.
• Control AWS service use across accounts
• Consolidate billing and usage reporting
• Automate account creation
Service Control Policy Inheritance
SECURELY CONTROL ACCESS TO AWS SERVICES AND RESOURCES
AWS IDENTITY AND ACCESS MANAGEMENT (IAM)
AWS IAM - Features
IAM Users IAM Groups IAM Roles Federation
Sane default policies provided
LAYER 7 APPLICATION PROTECTION AT SCALE
AWS WEB APPLICATION FIREWALL (WAF)
AWS WAF – Features
HTTP floods, Scanners and probes, SQL injection, Bots and scrapers, IP reputation lists, Cross-site scripting
COLLECT AND TRACK METRICS, LOGS, ALARMS AND EVENTS
AMAZON CLOUDWATCH
Amazon CloudWatch – Features
Metrics Alarms Logging Events Dashboard
Logs → Metrics → Alerts/Actions
Log sources: AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon Flow Logs
→ CloudWatch / CloudWatch Logs
→ CloudWatch alarms
→ Amazon SNS: email notification, HTTP/S notification, SMS notifications, mobile push notifications, and more…
Or your preferred SIEM / log aggregator
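The Logs → Metrics → Alerts pipeline and the CloudTrail use cases from the earlier slide (tracking security group and NACL changes, proving you did not use the wrong region or unwanted services), as an added example that is not from the slides or from AWS: the filter, metric and alarm stages a defender would put behind a CloudWatch Logs metric filter, run here offline over a few constructed CloudTrail records. The approved-region and approved-service lists, the alarm threshold and the sample records are assumptions constructed for this example.

```python
import json
from collections import Counter

# Constructed policy for this example: where and what this account is allowed to use.
APPROVED_REGIONS = {"eu-west-1", "eu-west-2"}
APPROVED_SERVICES = {"ec2", "s3", "iam", "cloudtrail"}
# Security group / NACL change events (real CloudTrail eventName values) the slide says to track.
NETWORK_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                         "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                         "CreateNetworkAclEntry", "DeleteNetworkAclEntry"}

# Constructed CloudTrail records, one JSON object per line as CloudWatch Logs would ingest them.
SAMPLE_LOG = """
{"eventTime":"2017-10-12T09:00:01Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","awsRegion":"eu-west-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2017-10-12T09:00:05Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"eu-west-1","userIdentity":{"arn":"arn:aws:iam::111122223333:role/app"}}
{"eventTime":"2017-10-12T09:01:10Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"ap-southeast-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}}
{"eventTime":"2017-10-12T09:02:00Z","eventSource":"lambda.amazonaws.com","eventName":"CreateFunction","awsRegion":"eu-west-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}}
"""

def classify(record):
    """Filter stage: return the finding types raised by one CloudTrail record (empty list = benign)."""
    findings = []
    service = record["eventSource"].split(".")[0]        # "ec2.amazonaws.com" -> "ec2"
    if record["awsRegion"] not in APPROVED_REGIONS:
        findings.append("UnapprovedRegion")              # "prove you did not use the wrong region"
    if service not in APPROVED_SERVICES:
        findings.append("UnapprovedService")             # "services you don't want"
    if record["eventName"] in NETWORK_CHANGE_EVENTS:
        findings.append("NetworkChange")                 # security group / NACL changes
    return findings

def scan(log_text):
    """Metric stage: count findings per type, as a CloudWatch Logs metric filter would."""
    metrics = Counter()
    for line in log_text.strip().splitlines():
        for finding in classify(json.loads(line)):
            metrics[finding] += 1
    return metrics

def alarms(metrics, threshold=1):
    """Alarm stage: metric names at or above threshold, i.e. what the SNS topic would be told about."""
    return sorted(name for name, count in metrics.items() if count >= threshold)

if __name__ == "__main__":
    m = scan(SAMPLE_LOG)
    print(dict(m), alarms(m))
```

In a real deployment the metric filter and alarm live in CloudWatch and the notification goes out through SNS; the point here is that each stage is a small, testable rule over the CloudTrail record fields.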
Additional Resources
Whitepapers
http://tinyurl.com/kmsCryptoDetails
http://tinyurl.com/DDoSResiliencyAWS
http://tinyurl.com/WellArchitected
http://tinyurl.com/SecurityBestPractices