Agenda
• Security of the Cloud
• Security in the Cloud
• Your Product and Services Roadmap (innovation)
• AWS and Cloud Services
• Growth and Expansion at AWS
• Questions & Discussion
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security Shared Responsibility Model
AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Auditing - Comparison: on-prem vs on AWS
On-prem:
• Start with bare concrete
• Functionally optional – you can build a secure system without it
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
On AWS:
• Start on base of accredited services
• Functionally necessary – high watermark of requirements
• Audits done by third party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance
What this means
You benefit from an environment built for the most security sensitive organizations
AWS manages 1,800+ security controls so you don’t have to
You get to define the right security controls for your workload sensitivity
You always have full ownership and control of your data
Navigating Shared Responsibility
Achieving accreditation or certification on AWS is possible, but how can we help?
AWS provides the base:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers build on it to meet their own security objectives: your own external audits, your own accreditation, your own certifications.
• Customer scope and effort is reduced
• Better results through focused efforts
• Built on AWS consistent baseline controls
Industry Best Practices for Securing AWS Resources
• CIS Amazon Web Services Foundations: an architecture-agnostic set of security configuration best practices; provides step-by-step implementation and assessment procedures
• Benchmarks for AWS Marketplace: OS images hardened according to the trusted secure configuration baselines prescribed by CIS
AWS Shared Responsibility Model: for Infrastructure Services
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints
Managed by customers:
• Customer content (optional – opaque data: 1's and 0's, in transit/at rest)
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)
• AWS IAM and Customer IAM
Management protocols and API calls flow from the customer-managed layers to the AWS API endpoints.
Infrastructure Service Example – EC2
Responsibilities
AWS:
• Foundation Services — Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
Customers:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)
AWS Shared Responsibility Model: for Container Services
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Operating System, Network Configuration
• Platform & Applications Management
• API Endpoints
Managed by customers:
• Customer content (optional – opaque data: 1's and 0's, in transit/at rest)
• Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption/Integrity/Identity)
• AWS IAM and Customer IAM
Management protocols and API calls flow from the customer-managed layers to the AWS API endpoints.
Infrastructure Service Example – RDS
Responsibilities
AWS:
• Foundational Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
Customers:
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling
AWS Shared Responsibility Model: for Abstract Services
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Operating System, Network & Firewall Configuration
• Platform & Applications Management
• Data Protection by the Platform: Protection of Data at Rest
• Network Traffic Protection by the Platform: Protection of Data in Transit
• API Endpoints
Managed by customers:
• Customer content (opaque data: 1's and 0's, in flight/at rest)
• Client-Side Data Encryption & Data Integrity Authentication (optional)
• AWS IAM
API calls flow from the customer to the AWS API endpoints.
Infrastructure Service Example – S3
Responsibilities
AWS:
• Foundational Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
Customers:
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
Summary of Customer Responsibility in the Cloud
• Infrastructure Services: Data, Applications, Operating System, Networking/Firewall, Customer IAM, AWS IAM
• Container Services: Data, Firewall, Customer IAM, AWS IAM
• Abstract Services: Data, AWS IAM
AWS Pace of Innovation
AWS has been continually expanding its services to support virtually any cloud workload, and it now has more than 90 services that range from compute, storage, networking, database, analytics, application services, deployment, management, developer, mobile, Internet of Things (IoT), Artificial Intelligence (AI), security, hybrid and enterprise applications. AWS has launched a total of 928 new features and/or services year to date* for a total of 3,841 new features and/or services since inception in 2006.
[Chart: new features and services launched per year – 2010: 61, 2012: 159, 2014: 516, 2016: 1,017; 3,841 in total since 2006]
* As of 1 October 2017
[Slide graphic: a cloud of AWS service names launched since 2006, including AWS Direct Connect, AWS Elastic Beanstalk, Amazon Route 53, Lambda, AWS WAF, AWS Organizations, Amazon Inspector and many others]