© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Mitigate Risks Using Cloud-Native Infrastructure Security
Agenda
• Examine on-premises infrastructure security
• Are there any issues we want to avoid?
• Examine cloud-native infrastructure security services
• Can these help address existing issues?
• Let’s build!
Before we begin
Start this session with a fundamental premise
When you’re tempted to ask “Where is?”, instead ask “Why did I need?”
On-premises architectures
Network-centric security
• Firewalls
• Multiple layers of network-based security services
• Routing & subnet isolation
[Diagram: typical on-premises architecture. Internet at the edge, a DMZ holding the Web Tier, Security Services and Auth Services, and an Internal Tier holding Security Services, Auth Services, Shared Services, Database Services, internal web sites and shared services, and VPC connections.]
Reality is a little more complicated
Multiples of everything
• Multiple firewalls
• Multiple services
• Multiple shared dependencies
What does this mean for isolation?
When an intrusion happens
What happens when isolation breaks down?
What about your internal architecture? Change Management?
Why would we want to copy this?
Reducing risks using cloud-native solutions
Goals:
• Provide granular control
• Improve application isolation
• Lower operational burden
• Security insight across all environments
• Improved admin access
Services:
• Security Groups & NACLs
• Virtual Private Clouds
• AWS CloudFormation
• Amazon GuardDuty, AWS CloudTrail, AWS Config
• AWS Systems Manager
Cloud-native architectures
Isolation by default
• Easier & more restrictive
Secure insights across the board
New ways to secure access
• What if there was no SSH or RDP?
[Diagram: AWS Cloud spanning the us-east-1a and us-east-1b Availability Zones. Web Application VPC 10.0.0.0/16 with public subnets, a private subnet, Web and DB tiers and an IGW; Services VPC 10.1.0.0/16 with a Services subnet labelled AWS Systems Manager, SSM, S3 and IGW; Proof of Concept VPC 10.250.0.0/16; Amazon GuardDuty, AWS Config and AWS CloudTrail alongside.]
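As an added example that is not part of the deck or its lab, a CloudFormation fragment for the “no SSH or RDP” idea: the web instance’s security group carries no port 22 or 3389 rule, the instance has no key pair, and administrative access goes through Systems Manager Session Manager via the instance profile. It assumes an existing VPC and subnet (passed in as parameters) from which the instance can reach the Systems Manager service endpoints, and Amazon Linux 2, which ships the SSM agent.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Web instance administered only via SSM Session Manager (no SSH/RDP inbound)
Parameters:
  VpcId:                      # assumption: VPC and subnet already exist
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  AmiId:                      # latest Amazon Linux 2 AMI, resolved from the public SSM parameter
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS in from anywhere; deliberately no rule for 22 or 3389
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp      # outbound HTTPS is all the SSM agent needs to register
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  SsmInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:     # grants the agent the Session Manager permissions
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  SsmInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref SsmInstanceRole]
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:              # note: no KeyName, so there is no SSH key to lose
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      SubnetId: !Ref SubnetId
      IamInstanceProfile: !Ref SsmInstanceProfile
      SecurityGroupIds: [!Ref WebSecurityGroup]
```

Who may start a session is then decided by IAM policy on `ssm:StartSession`, and every session is recorded in CloudTrail, which is where the deck’s “detailed logging of the control plane” point lands.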
Let’s Build!
http://tiny.cc/reinforce-fnd203
What did we learn?
• We can see everything going on in our AWS environment
• We have more granular, provable control of communications at a lower operational burden
• We can still explicitly deny access, but now in more places
• We have detailed logging and advanced monitoring of our control and data planes
• We can solve issues we never thought possible, like admin port risk
Let’s not forget about partners
• Logging & monitoring
• Identity & access control
• Configuration & vulnerability analysis
• Data protection
• Host-based security