Date posted: 07-Aug-2015
Category: Technology
Upload: amazon-web-services
Shaun Norris – Head of Solutions Architecture - ASEAN
Security Best Practices for AWS
Old World
Large upfront capital investment
Basic compute and storage only
Responsible for feature upgrades
Slow to get new capabilities
Low, variable cost
Broad and deep platform
New features arrive daily
Ready to use
Some AWS Customers in Singapore.
What we will cover today
1. Understanding shared responsibility for security
2. Using AWS global reach and availability features
3. Building a secure virtual private cloud
4. Using AWS Identity and Access Management
5. Protecting your content on AWS
6. Building secure applications on AWS
(and how Splunk can help)
Every customer has access to the same security capabilities
AWS maintains a formal control environment
• SOC 1 (SSAE 16 & ISAE 3204) Type II (was SAS70)
• SOC 2 Type 1
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable
[Diagram: shared responsibility model. Labels: Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); Customers: Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Customer content]
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
• Customers configure AWS security features
• Get access to a mature vendor marketplace
• Can implement and manage their own controls
• Gain additional assurance above AWS controls
Security is a shared responsibility between AWS and our customers
[Diagram: Your compliant solutions (Customers) on top of Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)]
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
You can build end-to-end compliance, certification and audit
Your certifications
Your external audits and attestations
• Achieve PCI, HIPAA and MPAA compliance
• Certify against ISO27001 with a reduced scope
• Have key controls audited or publish your own independent attestations
Let AWS take care of the heavy lifting for you
Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer (EC2)
Hardened service endpoints
Rich IAM capabilities
Network configuration
Security groups
OS firewalls
Operating systems
Applications
Proper service configuration
AuthN & acct management
Authorization policies
+ =Customer
Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
Customers retain ownership of their intellectual property and content
• Customers manage their privacy objectives how they choose to
• Select the AWS geographical Region and no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
The security of our services and customers is key to AWS
• Security starts at the top in Amazon with a dedicated CISO and strong cultural focus
• Dedicated internal teams constantly looking at the security of our services
• AWS support personnel have no access to customer content
Customers retain full ownership and control of their content
Region
ASIA PAC (Sydney)
AWS lets customers choose where their content goes
Availability Zone
Take advantage of high availability in every Region
Build your solution for continuous, resilient operations
Scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active operations
All AWS facilities are always on
• No need for a “Disaster Recovery Datacenter” when you can have resilience
• Every one managed to the same global standards
Robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP Service Providers
• Resilient network infrastructure
Each AWS Region has multiple availability zones
[Diagram: Availability Zone A, Availability Zone B]
Your VPC spans every availability zone in the Region
[Diagram: Availability Zone A, Availability Zone B]
Customers control their VPC IP address ranges
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, Availability Zone B]
Choose your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space
• The maximum CIDR block you can allocate is /16
• For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses
Select IP addressing strategy
• You can’t change the VPC address space once it’s created
• Think about overlaps with other VPCs or existing corporate networks
• Don’t waste address space, but don’t constrain your growth either
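The address-range checks above can be scripted before a VPC is created. This is an added example, not part of the original slides: the function names and tier names are hypothetical, and the /28 lower bound and the five reserved addresses per subnet are AWS limits that the slides do not mention.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LARGEST_PREFIX, SMALLEST_PREFIX = 16, 28   # VPC size limits: /16 down to /28
AWS_RESERVED_PER_SUBNET = 5                # first four addresses and the last one


def check_vpc_cidr(cidr, existing_networks):
    """Return a list of problems with a proposed VPC CIDR (empty list = OK).

    existing_networks: CIDR strings of other VPCs and corporate networks
    that this VPC may later be peered with or routed to.
    """
    try:
        vpc = ipaddress.IPv4Network(cidr)   # rejects host bits, e.g. 10.0.1.5/16
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    problems = []
    if vpc.prefixlen < LARGEST_PREFIX:
        problems.append(f"/{vpc.prefixlen} is bigger than the /16 maximum")
    if vpc.prefixlen > SMALLEST_PREFIX:
        problems.append(f"/{vpc.prefixlen} is smaller than the /28 minimum")
    if not any(vpc.subnet_of(block) for block in RFC1918):
        problems.append(f"{vpc} is outside RFC 1918 private space")
    for other in existing_networks:
        if vpc.overlaps(ipaddress.IPv4Network(other)):
            problems.append(f"{vpc} overlaps {other}")
    return problems


def plan_subnets(vpc_cidr, tiers, prefix=24):
    """Carve one subnet per tier; return (tier, subnet, usable hosts) tuples."""
    available = ipaddress.IPv4Network(vpc_cidr).subnets(new_prefix=prefix)
    plan = []
    for tier in tiers:
        try:
            subnet = next(available)
        except StopIteration:
            raise ValueError(f"no /{prefix} left in {vpc_cidr} for {tier!r}")
        usable = subnet.num_addresses - AWS_RESERVED_PER_SUBNET
        plan.append((tier, str(subnet), usable))
    return plan


if __name__ == "__main__":
    # Constructed inputs: the slide's VPC range and a made-up corporate range.
    print(check_vpc_cidr("10.0.0.0/16", ["10.0.4.0/22", "192.168.0.0/16"]))
    for row in plan_subnets("10.0.0.0/16", ["web", "app", "db"]):
        print(row)
```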
We will concentrate on a single availability zone just now
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A]
Segment your VPC address space into multiple subnets
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24; labels: EC2, NAT, EC2 Web]
Place your EC2 instances in subnets according to your design
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24; labels: EC2, NAT, Jump, EC2 App, Log, EC2 Web]
Use VPC security groups to firewall your instances
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24; labels: EC2, NAT, Jump, EC2 App, Log, EC2 Web]
“Web servers can connect to app servers on port 8080”
Use separate security groups for applications and management
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24; labels: EC2, NAT, Jump, EC2 App, Log, EC2 Web]
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”
“Allow SSH and ICMP from hosts in the Jump Hosts security group”
Use Network Access Control Lists to restrict internal VPC traffic
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24; labels: EC2, Router, NAT, Jump, EC2 App, Log, EC2 Web]
Use Network Access Control Lists to restrict internal VPC traffic
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24; labels: EC2, Router, NAT, Jump, EC2 App, Log, EC2 Web]
“Deny all traffic between the web server subnet and the database server subnet”
Use Network Access Control Lists for defence in depth
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24; labels: EC2, Router, NAT, Jump, EC2 App, Log, EC2 Web]
NACLs are optional
• Applied at subnet level, stateless and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defence
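What "stateless" means in practice is easiest to see by evaluating a NACL by hand. The simplified model below is an added example, not part of the original slides: it handles TCP ports only, and the subnet roles (web = 10.0.1.0/24, app = 10.0.2.0/24), the database port 3306 and the rule numbers are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    number: int                 # rule number; the lowest is evaluated first
    action: str                 # "allow" or "deny"
    cidr: str                   # peer range: source (inbound) or destination (outbound)
    ports: tuple = (0, 65535)   # inclusive TCP port range


def evaluate(entries, peer_ip, port):
    """The first matching entry in rule-number order decides the packet."""
    peer = ipaddress.ip_address(peer_ip)
    for entry in sorted(entries, key=lambda e: e.number):
        low, high = entry.ports
        if peer in ipaddress.ip_network(entry.cidr) and low <= port <= high:
            return entry.action
    return "deny"               # implicit final rule when nothing matches


def connection_permitted(inbound, outbound, client_ip, client_port, server_port):
    """Check a TCP connection against the NACL of the server's subnet.

    The NACL keeps no connection state, so the reply to the client's
    ephemeral port must be allowed by an outbound entry of its own.
    """
    request = evaluate(inbound, client_ip, server_port)
    reply = evaluate(outbound, client_ip, client_port)
    return request == "allow" and reply == "allow"


# Constructed rule sets for a database subnet (assumed roles and port).
WEB_SUBNET = "10.0.1.0/24"
DB_INBOUND = [
    Entry(90, "deny", WEB_SUBNET),                     # web tier may never reach the DB
    Entry(100, "allow", "10.0.0.0/16", (3306, 3306)),  # rest of the VPC, DB port only
]
DB_OUTBOUND = [Entry(100, "allow", "10.0.0.0/16", (1024, 65535))]  # replies
DEFAULT_NACL = [Entry(100, "allow", "0.0.0.0/0")]      # permit-all default

if __name__ == "__main__":
    print(connection_permitted(DB_INBOUND, DB_OUTBOUND, "10.0.2.10", 40000, 3306))
    print(connection_permitted(DB_INBOUND, DB_OUTBOUND, "10.0.1.10", 40000, 3306))
    print(connection_permitted(DB_INBOUND, [], "10.0.2.10", 40000, 3306))
```

The third call fails even though the inbound rule allows the request: with no outbound entry the reply is dropped, which a stateful security group would have allowed automatically.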
Use Elastic Load Balancers to distribute traffic between instances
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24; labels: EC2, Router, NAT, Jump, EC2 App, Log, EC2 Web, EC2 Web, Elastic Load Balancer]
Your security can scale up and down with your solution
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24; labels: EC2, Router, NAT, Jump, EC2 App, Log, EC2 Web (several instances), Elastic Load Balancer, Auto scaling]
Elastic load balancers
• Instances can automatically be added and removed from the balancing pool using rules
• You can add instances into security groups at launch time
Add an Internet Gateway to route Internet traffic from your VPC
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24; labels: EC2, NAT, EC2 App, EC2 Web (several instances), Internet Gateway, VPC Router]
You choose what subnets can route to the Internet
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24; labels: EC2, EC2 App, EC2 Web (several instances), Internet Gateway, VPC Router]
Internet routing
• Add route tables to subnets to control Internet traffic flows – these become Public subnets
• Internet Gateway routing allows you to allocate a static Elastic IP address or use AWS-managed public IP addresses to your instance
Integrating your VPC with your existing infrastructure
Your premises
Add a Virtual Private Gateway to route traffic to your premises
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24; labels: EC2, NAT, EC2 App, EC2 Web (several instances), VPC Router, Virtual Private Gateway, Your premises]
You can create multiple IPSEC tunnels to your own VPN endpoints
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24; labels: EC2, NAT, EC2 App, EC2 Web (several instances), VPC Router, Virtual Private Gateway, Customer Gateway, Your premises]
You can also connect privately using AWS Direct Connect
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24; labels: EC2, NAT, EC2 App, EC2 Web (several instances), VPC Router, Direct Connect, Virtual Private Gateway, Customer Gateway, Your premises]
You can also create VPNs over Direct Connect if required
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24; labels: EC2, NAT, EC2 App, EC2 Web (several instances), VPC Router, Direct Connect, Virtual Private Gateway, Customer Gateway, Your premises]
You can route VPC Internet connections through your own gateways
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24; labels: EC2, NAT, EC2 App, EC2 Web (several instances), VPC Router, Direct Connect, Virtual Private Gateway, Customer Gateway, Your premises]
You can have both Internet and private connectivity to your VPC
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24; labels: EC2, NAT, EC2 App, EC2 Web (several instances), VPC Router, Direct Connect, Virtual Private Gateway, Internet Gateway, Amazon S3, DynamoDB, Customer Gateway, Your premises]
You can access AWS Internet endpoints using Direct Connect
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24; labels: EC2, NAT, EC2 App, EC2 Web (several instances), VPC Router, Direct Connect, Virtual Private Gateway, Internet Gateway, Amazon S3, DynamoDB, Customer Gateway, Your premises]
You can distribute load across availability zones to build resilience
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, Availability Zone B; labels: Internet Gateway, Elastic Load Balancer, Public subnet, Private subnet, Web, Application, EC2, Auto scaling]
ELBs will balance traffic in an AZ and redirect in case of failure
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, Availability Zone B; labels: Internet Gateway, Elastic Load Balancer, Public subnet, Private subnet, Web, Application, EC2, Auto scaling]
AWS IAM enables you to securely control access to AWS services and resources
• Fine grained control of user permissions, resources and actions
• Now includes support for RunInstances
• Add multi factor authentication
• Hardware token or smartphone apps
• Test out your new policies using the Identity and Access Management policy simulator
You have fine grained control of your AWS environment
Segregate duties between roles with IAM
[Diagram: Region; VPC A - 10.0.0.0/16; Subnet 10.0.1.0/24, Subnet 10.0.2.0/24; labels: Availability Zone, Availability Zone, Internet Gateway, Router, Internet, Customer Gateway]
You get to choose who can do what in your AWS environment and from where
AWS account owner (master)
Network management
Security management
Server management
Storage management
Manage and operate
Increase your visibility of what happened in your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Be notified of log file delivery using the AWS Simple Notification Service
• Support for many AWS services including EC2, EBS, VPC, RDS, IAM, STS and RedShift
• Aggregate log information into a single S3 bucket
Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic.
Use AWS CloudTrail (beta) to track access to APIs and IAM
AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
CloudTrail is currently available in US-WEST1 and US-EAST1
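Tracking security group and NACL changes from CloudTrail logs comes down to filtering the delivered records by event name. The sketch below is an added example, not part of the original slides: the helper names are hypothetical and the sample log file is constructed (documentation IP ranges, a placeholder account ID and placeholder resource IDs).

```python
import gzip
import json

# EC2 API calls that modify security groups or network ACLs.
NETWORK_CHANGE_EVENTS = {
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAcl", "DeleteNetworkAcl", "ReplaceNetworkAclAssociation",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}


def load_records(blob):
    """Parse one CloudTrail log file; S3 delivers them gzip-compressed."""
    if blob[:2] == b"\x1f\x8b":            # gzip magic bytes
        blob = gzip.decompress(blob)
    return json.loads(blob).get("Records", [])


def network_changes(records):
    """Return who/what/when/from-where for every firewall-related change."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in NETWORK_CHANGE_EVENTS:
            continue
        identity = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}   # null on some records
        hits.append({
            "when": rec.get("eventTime", ""),
            "who": identity.get("arn") or identity.get("type", "unknown"),
            "what": rec["eventName"],
            "from_ip": rec.get("sourceIPAddress"),
            "target": params.get("groupId") or params.get("networkAclId"),
            "failed": rec.get("errorCode"),           # set when the call was rejected
        })
    return sorted(hits, key=lambda h: h["when"])      # ISO 8601 sorts as text


# Constructed sample file, shaped like a delivered CloudTrail log.
SAMPLE_FILE = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2015-08-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0example1"}},
    {"eventTime": "2015-08-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None},
    {"eventTime": "2015-08-01T10:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkAclEntry", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"networkAclId": "acl-0example2"},
     "errorCode": "Client.UnauthorizedOperation"},
]}).encode())

if __name__ == "__main__":
    for hit in network_changes(load_records(SAMPLE_FILE)):
        print(hit)
```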
Keep control of who can do what on AWS using your existing directory
• AWS IAM now supports SAML 2.0
• Federate with on-premise directories like Active Directory or another SAML 2.0 compliant identity provider
• Use Active Directory users and groups in AWS for authentication and authorization
• E.g. ‘Database Administrators’ AD security group can have access to create and manage on-premise and AWS RDS instances
Federate AWS IAM with your existing directories
How you can make the maximum use of AWS IAM features
Avoid hard-coding
You don’t need to put credentials into applications – access AWS resources using IAM roles for EC2
• Search your source code for hard-coded access keys
• Create IAM roles with least-privilege permissions for access to relevant AWS services, e.g. an S3 bucket
• Use IAM roles in your application and launch your EC2 instance with the role
• You can also use this technique to distribute non-AWS credentials to your applications to avoid checking them into GitHub!
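A source tree can be searched for hard-coded access keys with two patterns: the fixed prefix of access key IDs and a 40-character quoted value assigned to a name containing "secret". This scanner is an added example, not part of the original slides: the function names are hypothetical, the patterns are heuristics, and the sample source uses the placeholder key pair from AWS documentation.

```python
import os
import re

# Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys have no fixed prefix, so only flag a quoted 40-character value
# on a line that mentions "secret" shortly before it.
SECRET_KEY = re.compile(r"(?i)secret[^\n]{0,40}?['\"]([A-Za-z0-9/+]{40})['\"]")


def redact(value):
    """Keep enough of the value to locate it without copying it into reports."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, path="<string>"):
    """Return (path, line number, kind, redacted value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID.finditer(line):
            findings.append((path, lineno, "access-key-id", redact(match.group(0))))
        for match in SECRET_KEY.finditer(line):
            findings.append((path, lineno, "secret-access-key", redact(match.group(1))))
    return findings


def scan_tree(root, skip_dirs=(".git", "node_modules")):
    """Walk a source tree and scan every readable file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as handle:
                    findings.extend(scan_text(handle.read(), path))
            except OSError:
                continue                    # unreadable file: skip it
    return findings


# Constructed sample: application code with the AWS documentation example keys.
SAMPLE_SOURCE = '''\
import boto
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
conn = boto.connect_s3(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE, "app.py"):
        print(finding)
```

Any key this finds should be treated as exposed and rotated, and the code changed to rely on the instance's IAM role instead.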
Rotate your AWS access keys regularly
Shortening the period an access key is active reduces the impact if it is compromised
• Create a second access key in addition to the one in use
• Update all your applications to use the new access key and validate that the applications are working
• Change the state of the previous access key to inactive
• Validate that your applications are still working as expected
• Delete the inactive access key
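The rotation steps above map onto four IAM API calls. The sketch below is an added example, not part of the original slides: the functions take any client object exposing boto3's IAM method names (list_access_keys, create_access_key, update_access_key, delete_access_key), and FakeIAM is a constructed in-memory stand-in, with made-up key IDs and user name, so the flow runs offline.

```python
def start_rotation(iam, user):
    """Step 1: create a second key. Returns (old_key_id, new_key)."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(keys) != 1:
        # IAM allows two keys per user; a leftover key means an earlier
        # rotation was never finished and must be cleaned up first.
        raise RuntimeError(f"{user} has {len(keys)} keys, expected exactly 1")
    new_key = iam.create_access_key(UserName=user)["AccessKey"]
    return keys[0]["AccessKeyId"], new_key


def deactivate_old(iam, user, old_key_id):
    """Step 3: disable rather than delete, so rollback is a single call."""
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")


def reactivate_old(iam, user, old_key_id):
    """Rollback if validation in step 4 fails."""
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Active")


def finish_rotation(iam, user, old_key_id):
    """Step 5: delete the old key, but only once it is inactive."""
    for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if key["AccessKeyId"] == old_key_id:
            if key["Status"] != "Inactive":
                raise RuntimeError("refusing to delete a key that is still active")
            iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
            return True
    return False                            # key already gone


class FakeIAM:
    """Constructed in-memory stand-in for an IAM client (not a real API)."""

    def __init__(self):
        self.keys = {"KEYID-OLD-EXAMPLE": "Active"}
        self.created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        self.created += 1
        key_id = f"KEYID-NEW-EXAMPLE-{self.created}"
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "placeholder"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def demo():
    iam = FakeIAM()
    old_id, new_key = start_rotation(iam, "app-user")
    # Step 2 happens outside this script: deploy new_key to the applications.
    deactivate_old(iam, "app-user", old_id)
    # Step 4: validate the applications; call reactivate_old() if they break.
    finish_rotation(iam, "app-user", old_id)
    return iam.keys


if __name__ == "__main__":
    print(demo())
```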
Integrate AWS IAM with web identities in your solutions
Use IAM roles to authorise web identities access to AWS resources
• Your users can sign-in with multiple authentication options
• Roles can be created on-the-fly to permit AWS resource access
• Token validity can be limited
• No need to run your own EC2 endpoints
Your applications don’t need to use AWS IAM
• Customers retain their own design choices
• Extend internal directories into AWS over private connections
• Replicate internal directories into your VPC or use trust domains
• Create new directories within your VPC
Your solutions can also use your existing directories
AWS has many different content storage services
EBS
DBA S3 RDS
Redshift
Configure S3 access controls at bucket and object level
• Restrict access and rights as tightly as possible and regularly review access logs
• Use versioning for important files, with MFA required for delete
Use S3 cryptographic features
• Use SSL to protect data in transit
• S3 server side encryption
• AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf
• Use S3 client side encryption
• Encrypt information before sending it to S3
• Build yourself or use the AWS Java SDK
• Use MD5 checksums to verify the integrity of objects loaded into S3
Making use of available Amazon S3 security features
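MD5 verification against S3 has two parts: the Content-MD5 header sent with an upload, and the ETag that comes back. The helpers below are an added example, not part of the original slides; the function names are hypothetical, and the multipart ETag layout is the widely observed behaviour rather than a documented guarantee. Objects encrypted with KMS keys do not return an MD5-based ETag at all.

```python
import base64
import hashlib
import re

MULTIPART_ETAG = re.compile(r"[0-9a-f]{32}-(\d+)")


def content_md5(data):
    """Content-MD5 header value: base64 of the raw 16-byte MD5 digest.

    S3 rejects the upload if the bytes it receives do not match.
    """
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def multipart_etag(data, part_size):
    """ETag seen on multipart uploads: MD5 over the part digests, plus '-N'."""
    digests = [hashlib.md5(data[i:i + part_size]).digest()
               for i in range(0, len(data), part_size)]
    return hashlib.md5(b"".join(digests)).hexdigest() + f"-{len(digests)}"


def verify_etag(data, etag, part_size=None):
    """Check local bytes against the ETag S3 returned for the object.

    A single-PUT ETag is the hex MD5 of the object. A multipart ETag can
    only be recomputed when the part size used for the upload is known.
    """
    etag = etag.strip('"')                  # S3 returns the ETag quoted
    if MULTIPART_ETAG.fullmatch(etag):
        if part_size is None:
            raise ValueError("multipart ETag: part size is required")
        return multipart_etag(data, part_size) == etag
    return hashlib.md5(data).hexdigest() == etag


# Constructed sample object.
SAMPLE = b"hello world"

if __name__ == "__main__":
    print(content_md5(SAMPLE))
    print(verify_etag(SAMPLE, '"5eb63bbbe01eeed093cb22bb8f5acdc3"'))
    print(verify_etag(SAMPLE + b"!", '"5eb63bbbe01eeed093cb22bb8f5acdc3"'))
```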
Encrypting EBS volumes on Amazon EC2 instances
Volume encryption built into EBS
• Use KMS to control the keys which perform disk encryption
• Seamless, transparent to operating system
Managing encryption keys is critical and difficult!
• How will you manage keys and make sure they are available when required, for example at instance start-up?
• How will you keep them available and prevent loss?
• How will you rotate keys on a regular basis and keep them private?
EBS
Tamper-resistant, customer controlled hardware security module within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and maintain the appliance
• High availability and replication to on-premise HSMs
Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed databases and natively with AWS Redshift
• Integrate with applications using Java APIs
• Integration with marketplace disk-encryption and SSL services coming soon
Use the AWS CloudHSM to store encryption keys
Controlling and launching your Amazon EC2 instances
You choose the base image
They are stored as Amazon Machine Images (AMIs)
AMI catalogue
Amazon maintained images
AWS maintains a catalogue of operating system images and regularly refreshes them so you have a known baseline
• Amazon, RedHat, Ubuntu or SUSE Linux
• Microsoft Windows 2008 and 2012
Your own images
• You can save your OS configurations as private AMIs
• Can reduce time to launch new servers, for example save a pre-configured web server and use it when auto-scaling
Amazon Marketplace images
• Maintained by Amazon’s partner community
Community images
• Images other people have made public
• Many popular free packages and tools
You decide on network placement and security group membership
Launch instance EC2
You choose the instance configuration
AMI catalogue Running instance
Host configuration
• CPU, memory, architecture type
• You can vertically scale this anytime by simply restarting with a new configuration
Network placement
• VPC subnet, or EC2 classic
• Choose whether to automatically attach an Internet IP address
Security groups
• Add up to five security groups at launch, or anytime
Access keys and IAM roles
You decide how to configure your instance environment
Launch instance EC2
AMI catalogue Running instance Your instance
Hardening and configuration
Audit and logging
Vulnerability management
Malware and IPS
Whitelisting and integrity
User administration
Operating system
Configure instance
You take responsibility for final configuration
Harden operating system and platforms
• Use standard hardening guides and techniques
• Apply latest security patches – Amazon maintains repositories
Use host-based protection software
• Think of how they will work in an elastic environment - hosts may only be in use for hours before being replaced
Think about how you will manage administrative users
• Restrict access as much as possible
Build out the rest of your standard security environment
You need to apply the same secure coding principles as you currently do
• Build secure applications that can defend against common threats like XSS and SQL Injection
• Implement the OWASP Top 10 for web apps
• Perform regular penetration and web application security tests
• Don’t wait for Little Bobby Tables to find your application!
Run through AWS best practices, audit and operational checklists before release
Test the security of your solutions before go-live
Frequent patching is one of the most effective controls
• Design applications that can survive regular recycling and rebuilding of hosts – queues and workers
• Customers are responsible for patching their EC2 instances
• Keep track of patch levels and dependencies which mean applications can’t be patched
• Aim to patch critical vulnerabilities in hours or days, not weeks
• Subscribe to security mailing lists and news sources
AWS Elastic Beanstalk can help reduce patching burden for most web application platforms
Patch applications and platforms regularly
Is your solution still configured the way you intended?
• Are you using CloudTrail to monitor changes made through APIs?
• Is the configuration of your AWS services correct?
• VPC networks, Security groups and NACLs
• IAM policies and rights – who has access and why
Script and automate describing your entire AWS environment and compare the results on an ongoing basis
• Consider using configuration integrity checking for EC2 instances – Tripwire, Chef and Puppet
• Have uncontrolled changes been applied?
• If so, how did it happen? Can you prevent reoccurrence?
• Try to whitelist what can be installed and run on hosts
Perform these checks on a regular basis
Check the integrity of configurations and platforms
Traditional network intrusion detection and prevention is less relevant now
• Attackers have moved to layer 7 (HTTP) so we need to follow them there
• You can still build an effective DMZ within the VPC using a wide range of open source or AWS technology partner solutions
Drop bad traffic before it hits your application and databases
• Can be deployed in two-way configuration to implement simple DLP, for example scan outgoing traffic for Credit Card Numbers
• Design for scale and high-availability using ELBs
• Scale fast and wide to cope with huge traffic volumes
• Build a solution designed to cope with volumetric attacks
Let’s build an example in the next slides
Block threats to your application
Customers are responsible for detecting and responding to security incidents within their solutions
• What sources of information, logging and data are available to you? AWS CloudTrail will capture and log API and IAM activity
• How do you plan to monitor these? AWS CloudWatch can help you monitor your AWS resources and notify you when alarms go off
• How will you know if an incident has taken place?
• What will you do if you detect an incident?
• What data may have been accessed and what would be the impact of disclosure?
Monitor for security incidents and have a plan to respond
Software as a Service
Self Managed
BYOL - AMIs Available on AWS Marketplace
Hunk for EMR – Available hourly as AWS OEM
Splunk and AWS Integration
AWS CloudTrail
AWS Config
Amazon EMR
Amazon S3
Amazon Kinesis
Amazon CloudWatch
Splunk Provides Search, Visualization, Analytics & Alerting for
http://aws.amazon.com • /security • /compliance • /support
For more info
Shaun Norris @shaunnorris
Thanks!