3. Why AWS?
• No Up-Front Capital Expense
• Low Cost: Only Pay For What You Use
• Self Service: Easily Scale Up and Down
• Agility and Flexibility
• Go Global in Minutes
• Security & Compliance
7. AWS Foundation Services
[Shared responsibility diagram. AWS layer: Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customer layer: Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client and Server Encryption; Network Traffic Protection; Encryption Key Management.]
Security is shared between AWS and customers: AWS looks after the security of the platform; customers are responsible for their security IN the Cloud.
8. AWS Foundation Services
[Same shared responsibility diagram as slide 7: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) below the customer layer (Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client and Server Encryption; Network Traffic Protection; Encryption Key Management).]
AWS:
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
Customers:
• Customers configure AWS security features
• Get access to a mature vendor marketplace
• Can implement and manage their own controls as well as configure AWS features
Security is shared between AWS and customers
10. What does the customer do in the Shared Responsibility Model?
Customers:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• Auth & acct management
• Authorization policies
11. Shared Responsibility – The Total Package
AWS:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
Customers:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• AuthN & acct management
• Authorization policies
AWS + Customers = More secure and compliant systems than any one entity could achieve on its own.
12. Amazon Virtual Private Cloud (VPC)
• Create a logically isolated environment in Amazon’s highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets
• Protect your instances with stateful filters for inbound and outbound traffic
• Expose instances in your VPC for public internet access
• Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted IPSEC VPN connection
13. VPC Component overview
Access Control Lists
• Firewall controlling traffic in and out of a subnet
• Separate inbound and outbound rules
• Rules can allow or deny traffic
• Stateless (inbound and outbound rules are evaluated independently; return traffic must be allowed explicitly)
Route Tables
• Rules to determine where network traffic is routed
• VPC provides a default table to cover private traffic in your VPC
• Create additional tables to control subnet routing
Subnets
• Sub network within your VPC
• Tied to one Availability Zone
• Public and Private Subnets
14. VPC Component overview
Security Groups
• Control inbound and outbound traffic to EC2 instances
• Assign one or many Security Groups to one or many instances
Internet Gateway
• Target for internet routable traffic
Virtual Private Gateway
• VPN concentrator on the Amazon side of the VPN connection
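The difference between the stateless network ACL on slide 13 and the stateful security group on slide 14 is easiest to see on a single connection. The following is an added example, not code from the original deck: a small rule evaluator for both layers, run on a constructed HTTPS request from an internet client to a web instance and the instance's reply. All IPs, ports and rule numbers are made up for illustration.

```python
"""Stateless network ACL versus stateful security group, as a small evaluator.

Added example, not from the original deck. A network ACL is stateless:
inbound and outbound rule lists are evaluated independently, the lowest
matching rule number wins and there is an implicit deny at the end. A
security group is stateful: allow rules only, and the reply to an accepted
connection is let back out automatically. Addresses, ports and rule
numbers below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source IP of the packet
    sport: int  # source port
    dst: str    # destination IP
    dport: int  # destination port


@dataclass(frozen=True)
class AclRule:
    number: int   # evaluated in ascending order
    action: str   # "allow" or "deny"
    cidr: str     # remote address range the rule applies to
    port_from: int
    port_to: int


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class NetworkAcl:
    """Subnet-level, stateless filter: first matching rule decides, else deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, remote_ip, port):
        for rule in rules:
            if _in_cidr(remote_ip, rule.cidr) and rule.port_from <= port <= rule.port_to:
                return rule.action == "allow"
        return False  # the implicit final deny rule

    def allows_inbound(self, flow):
        # inbound: match on where the packet comes from and the port it targets
        return self._evaluate(self.inbound, flow.src, flow.dport)

    def allows_outbound(self, flow):
        # outbound: match on where the packet goes and the port it targets;
        # nothing here remembers that an inbound request was accepted earlier
        return self._evaluate(self.outbound, flow.dst, flow.dport)


class SecurityGroup:
    """Instance-level, stateful filter: allow rules only, connections tracked."""

    def __init__(self, inbound_allow):
        self.inbound_allow = inbound_allow  # list of (cidr, port_from, port_to)
        self._connections = set()

    def allows_inbound(self, flow):
        for cidr, port_from, port_to in self.inbound_allow:
            if _in_cidr(flow.src, cidr) and port_from <= flow.dport <= port_to:
                self._connections.add((flow.src, flow.sport, flow.dst, flow.dport))
                return True
        return False

    def allows_reply(self, reply):
        # a reply reverses the 4-tuple; if the request was accepted, it passes
        return (reply.dst, reply.dport, reply.src, reply.sport) in self._connections


# Constructed traffic: an internet client opens HTTPS to a web instance, and
# the instance answers from port 443 back to the client's ephemeral port.
REQUEST = Flow(src="203.0.113.5", sport=51234, dst="10.0.1.10", dport=443)
REPLY = Flow(src="10.0.1.10", sport=443, dst="203.0.113.5", dport=51234)


def nacl_demo(allow_ephemeral_out):
    """Return (request_allowed, reply_allowed) for a web-subnet network ACL."""
    outbound = [AclRule(100, "allow", "0.0.0.0/0", 443, 443)]
    if allow_ephemeral_out:
        # the rule stateless filtering forces you to add explicitly
        outbound.append(AclRule(110, "allow", "0.0.0.0/0", 1024, 65535))
    acl = NetworkAcl(inbound=[AclRule(100, "allow", "0.0.0.0/0", 443, 443)],
                     outbound=outbound)
    return acl.allows_inbound(REQUEST), acl.allows_outbound(REPLY)


def security_group_demo():
    """Same traffic through a stateful security group that allows 443 in."""
    sg = SecurityGroup(inbound_allow=[("0.0.0.0/0", 443, 443)])
    return sg.allows_inbound(REQUEST), sg.allows_reply(REPLY)


if __name__ == "__main__":
    print("NACL without ephemeral rule:", nacl_demo(False))
    print("NACL with ephemeral rule:   ", nacl_demo(True))
    print("Security group:             ", security_group_demo())
```

The first NACL case accepts the request and then drops the reply, because the outbound list has no rule for the client's ephemeral port; the stateful security group passes the reply without any outbound rule at all. That is the practical reason a subnet ACL that only mirrors the security group's allow list breaks connections.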
15. VPC Peering
• Connect two VPCs in the same Region
• No IP address conflicts
• Bridged by routing table entries (both sides of peering relationship)
• Offer & Accept model
[Diagram: Customer A initiates peer to B; Customer B receives request from A]
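The three conditions on this slide (same Region, no IP address conflict, routes on both sides) are easy to check mechanically. The following is an added example, not code from the original deck: it plans a peering between two constructed VPCs with the stdlib `ipaddress` module and then compares the plan with what each route table actually contains, so that a one-sided peering is caught. VPC ids, CIDRs, the region and the `pcx-` id are placeholders.

```python
"""VPC peering plan: same-region check, CIDR overlap check and the route
table entry each side needs.

Added example, not from the original deck. VPC ids, CIDRs, region and the
peering connection id are constructed placeholders.
"""
import ipaddress


def plan_peering(vpc_a, vpc_b, pcx_id="pcx-PLACEHOLDER"):
    """Return the route each VPC must add, or raise if peering is not possible.

    vpc_a / vpc_b are dicts with keys 'id', 'cidr' and 'region'.
    """
    if vpc_a["region"] != vpc_b["region"]:
        raise ValueError("peering on this slide is only between VPCs in the same region")
    net_a = ipaddress.ip_network(vpc_a["cidr"])
    net_b = ipaddress.ip_network(vpc_b["cidr"])
    if net_a.overlaps(net_b):
        # with overlapping ranges a route to the peer would shadow local traffic
        raise ValueError(f"CIDR conflict: {net_a} overlaps {net_b}")
    return {
        vpc_a["id"]: {"destination": str(net_b), "target": pcx_id},
        vpc_b["id"]: {"destination": str(net_a), "target": pcx_id},
    }


def is_peerable(vpc_a, vpc_b):
    try:
        plan_peering(vpc_a, vpc_b)
        return True
    except ValueError:
        return False


def missing_routes(plan, route_tables):
    """VPC ids whose peering route is absent from their route table.

    route_tables maps vpc id -> list of {'destination', 'target'} entries.
    A one-sided peering lets packets leave one VPC but never brings the
    replies back, so both sides must be present.
    """
    return [vpc for vpc, route in plan.items() if route not in route_tables.get(vpc, [])]


# Constructed scenario: Customer A's production VPC peers with Customer B's
# management VPC; B accepted the request but has not yet added its route.
VPC_A = {"id": "vpc-aaaa0001", "cidr": "10.0.0.0/16", "region": "eu-west-1"}
VPC_B = {"id": "vpc-bbbb0002", "cidr": "10.1.0.0/16", "region": "eu-west-1"}
VPC_C = {"id": "vpc-cccc0003", "cidr": "10.0.128.0/17", "region": "eu-west-1"}  # overlaps A
VPC_D = {"id": "vpc-dddd0004", "cidr": "10.2.0.0/16", "region": "us-east-1"}     # other region

ROUTE_TABLES = {
    "vpc-aaaa0001": [{"destination": "10.0.0.0/16", "target": "local"},
                     {"destination": "10.1.0.0/16", "target": "pcx-PLACEHOLDER"}],
    "vpc-bbbb0002": [{"destination": "10.1.0.0/16", "target": "local"}],
}


def demo():
    """Plan the A<->B peering and report which side still lacks its route."""
    return missing_routes(plan_peering(VPC_A, VPC_B), ROUTE_TABLES)


if __name__ == "__main__":
    print("sides missing a peering route:", demo())
    print("A<->C peerable:", is_peerable(VPC_A, VPC_C))
    print("A<->D peerable:", is_peerable(VPC_A, VPC_D))
```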
16. Amazon Direct Connect – Dedicated Network Connections
• Establish a dedicated network connection from your premises to AWS
• Reduces bandwidth costs for high volume data transfers
• Offers consistent network performance
• 1Gbps and 10Gbps connection speeds
[Diagram: corporate data center linked to AWS over the dedicated connection]
18. VPC Architecture – Basic Components
[Diagram: a region containing a VPC (10.0.0.0/16) with a VPC router and an Internet Gateway. Two Availability Zones: the first holds subnets 10.0.1.0/24 and 10.0.2.0/24, the second 10.0.3.0/24 and 10.0.4.0/24. Each AZ has a Web tier and a DB tier, each behind its own security group.]
19. VPC – Hybrid Connection
[Diagram: the same VPC layout as slide 18 (10.0.0.0/16, Internet Gateway, two Availability Zones with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24, Web and DB tiers in security groups) plus a Virtual Private Gateway connected to a Customer Gateway on your premises.]
20. Palo Alto Networks on AWS: Use Cases
• Hybrid Cloud
• VPC to VPC Security
• Internet Facing Application
• Global Protect
21. VPC – Hybrid Connection with Palo Alto
[Diagram: the hybrid layout from slide 19 (VPC 10.0.0.0/16, Internet Gateway, Virtual Private Gateway, two Availability Zones with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24, Web and DB tiers in security groups) with the Customer Gateway on your premises terminating on Palo Alto Networks equipment.]
22. VPC – Hybrid Connection with Palo Alto v2
[Diagram: VPC 10.0.0.0/16 with an Internet Gateway, two Availability Zones with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24, Web and DB tiers in security groups; a Palo Alto VM-Series instance inside the VPC terminates the connection from the Customer Gateway on your premises instead of a Virtual Private Gateway.]
23. VPC – Palo Alto in Public Subnet
[Diagram: VPC 10.0.0.0/16 with an Internet Gateway; the first Availability Zone holds subnets 10.0.1.0/24 and 10.0.2.0/24, the second 10.0.3.0/24; Web and DB tiers in security groups. A Palo Alto VM-Series instance sits in the public subnet with an Elastic IP (54.x.x.x) and fronts the other subnets.]
24. EC2 Security
Host operating system (below the hypervisor)
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited – in near real time
Guest (a.k.a. Instance) operating system
• Customer controlled (customer owns root/administrator)
• AWS admins cannot log in
• Customer-generated key-pairs
Signed API calls
• Require X.509 certificate or customer’s secret AWS key
Stateful firewall
• Mandatory inbound firewall, default deny mode (also outbound firewall in VPC)
• Customer controls configuration via Security Groups
25. Amazon EC2 Instance Isolation
[Diagram: physical interfaces feed a firewall in the hypervisor layer; per-customer security groups (Customer 1, Customer 2 … Customer n) separate each customer's virtual interfaces from the others.]
26. Controlling your EC2 instances
You choose and control your image
• AWS Catalog
• Your own
• Marketplace
• Community
You determine network placement
• VPC
• Subnet
• Security Groups
• Public IP address
You configure your instance
• Harden operating system
• Host based firewall
• Control admin/user access
• Logging
[Diagram: launch an instance from the AMI catalogue → running EC2 instance → configure instance → your instance]
28. Customers retain ownership of their intellectual property and content
• AWS personnel have no access to customer content or guest OS
• Customers manage their privacy objectives how they choose to – read AWS privacy whitepapers on our Compliance website
• Select the AWS geographical Region and no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
Customers retain full ownership and control of their content
29. AWS Key Management Service
• A managed service that makes it easy for you to create, control, rotate, and use your encryption keys, integrated with Amazon EBS, Amazon S3, Amazon Redshift, and Amazon RDS – more services coming soon
• Integrated with AWS CloudTrail to provide auditable logs to help your regulatory and compliance activities
• Two-tiered key hierarchy using envelope encryption
• Unique data keys used to encrypt customer data, AWS KMS master keys encrypt data keys
• Benefits of envelope encryption:
  • Limits risk of a compromised data key
  • Better performance for encrypting large data
  • Easier to manage a small number of master keys than millions of data keys
[Diagram: Customer Master Key(s) held in AWS KMS encrypt Data Key 1, 2, 3 and 4, which in turn protect an Amazon S3 object, an Amazon EBS volume, an Amazon Redshift cluster and a custom application's data.]
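The two-tier hierarchy on this slide can be shown end to end in a few dozen lines. The following is an added example, not code from the original deck and not the AWS SDK: a `ToyKms` class stands in for KMS (master keys never leave it; it hands out a fresh data key per object together with that key wrapped under a master key, the way the KMS GenerateDataKey operation returns a plaintext key and a ciphertext blob), and `encrypt_object`/`decrypt_object` build and open the envelope. The symmetric cipher is a stdlib stand-in (SHA-256 in counter mode plus an HMAC tag, encrypt-then-MAC); a real deployment uses AES-GCM or the AWS Encryption SDK. Key ids are constructed.

```python
"""Envelope encryption with a two-tier key hierarchy, modelled on the slide.

Added example, not from the original deck and not the AWS KMS SDK. ToyKms
stands in for KMS: master keys never leave it, each object gets its own
data key, and only the wrapped data key travels with the ciphertext. The
cipher is a stdlib stand-in (SHA-256 counter mode + HMAC-SHA256 tag); use
AES-GCM or the AWS Encryption SDK for real data. Key ids are constructed.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    # separate confidentiality and integrity keys derived from one key
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return out[:length]


def _seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ToyKms:
    """Stand-in for KMS: only key ids and wrapped data keys ever leave it."""

    def __init__(self):
        self._masters = {}

    def create_master_key(self):
        key_id = f"cmk-{len(self._masters) + 1:04d}"  # constructed id format
        self._masters[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id):
        """(plaintext data key, wrapped data key), as KMS GenerateDataKey does."""
        data_key = os.urandom(32)
        return data_key, key_id.encode() + b"|" + _seal(self._masters[key_id], data_key)

    def decrypt_data_key(self, wrapped):
        key_id, blob = wrapped.split(b"|", 1)
        return _open(self._masters[key_id.decode()], blob)


def _split_envelope(envelope):
    """Envelope layout: 2-byte length || wrapped data key || sealed data."""
    wrapped_len = struct.unpack(">H", envelope[:2])[0]
    return envelope[2:2 + wrapped_len], envelope[2 + wrapped_len:]


def encrypt_object(kms, key_id, plaintext):
    data_key, wrapped = kms.generate_data_key(key_id)
    return struct.pack(">H", len(wrapped)) + wrapped + _seal(data_key, plaintext)


def decrypt_object(kms, envelope):
    wrapped, sealed = _split_envelope(envelope)
    data_key = kms.decrypt_data_key(wrapped)  # the only step that needs the master key
    return _open(data_key, sealed)


def demo():
    """Round trip two objects, confirm distinct data keys, detect tampering."""
    kms = ToyKms()
    key_id = kms.create_master_key()
    env1 = encrypt_object(kms, key_id, b"customer record 1")
    env2 = encrypt_object(kms, key_id, b"customer record 2")
    dk1 = kms.decrypt_data_key(_split_envelope(env1)[0])
    dk2 = kms.decrypt_data_key(_split_envelope(env2)[0])
    tampered = env1[:-1] + bytes([env1[-1] ^ 0x01])  # flip one bit of the tag
    try:
        decrypt_object(kms, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "roundtrip_ok": decrypt_object(kms, env1) == b"customer record 1",
        "distinct_data_keys": dk1 != dk2,  # one leaked data key exposes one object
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Note where the master key is used: only inside `decrypt_data_key`, once per object, on 32 bytes. The bulk of the data is encrypted under the per-object data key, which is what the slide means by better performance for large data and a small number of master keys to manage.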
30. AWS CloudHSM for storing your encryption keys
Tamper-evident, customer-controlled hardware security module within the AWS Region for your VPC
• Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and maintain the appliance
• High availability and replication to on-premise HSMs
Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed databases and natively with AWS Redshift
• Integrate with applications using Java APIs
• Integration with marketplace disk-encryption and configuration guides for SSL certificate storage
31. Encryption & Best Practices with AWS
• Managed key encryption
• Key storage with AWS CloudHSM
• Customer-supplied key encryption
• DIY on Amazon EC2
• Create, store, & retrieve keys securely
• Rotate keys regularly
• Securely audit access to keys
• Partner enablement of crypto
First class security and compliance starts (but doesn’t end!) with encryption
32. Storage Protection
Amazon Simple Storage Service (S3)
• Access controls at bucket and object level
• Restrict access and rights
• Versioning
S3 Cryptographic Features
• HTTPS for in-transit data
• S3 Server Side Encryption
• S3 Client Side Encryption
• MD5 checksums to verify file integrity
Amazon Elastic Block Store (EBS)
• Implement AWS managed encryption
• Implement your own encryption
• AWS Partner solutions to help with encryption management and implementation
34. AWS Compliance
AWS maintains a formal control environment
• SOC 1 Type II report published every six months
• SOC 2 Security and Availability report every six months
• ISO 27001 Certification
• ISO 9001 Certification
• Certified PCI DSS 3.0 Level 1 Service Provider
• FedRAMP Certification
• HIPAA BAAs
• DoD CSM Levels 1-2, 3-5
• GxP
• ISO 13485
• AS9100
• ISO/TS 16949
+ Many more
35. AWS Foundation Services
[Diagram: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) underneath your own compliant solutions.]
AWS:
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
Customers:
• Your own ISO 27001 and ISO 9001 certifications
• Your own financial or SOC audits if you are a service provider
• Achieve PCI, HIPAA and MPAA compliance
• Certify against ISO 27001 with a reduced scope
• Have key controls audited or publish your own independent attestations
You can build end-to-end compliant solutions
36. AWS Config
AWS Config is a fully managed service that provides you
with an inventory of your AWS resources, lets you audit the
resource configuration history and notifies you of resource
configuration changes.
38. AWS CloudTrail
You are making API calls on a growing set of services around the world; AWS CloudTrail is continuously recording those API calls and delivering log files to you.
[Diagram labels: Redshift, AWS CloudFormation and AWS Elastic Beanstalk among the services whose calls are recorded.]
39. AWS CloudTrail logs: powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
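The "who did what, from where, when" view this slide promises comes straight out of the CloudTrail record fields. The following is an added example, not code from the original deck: it reads a constructed CloudTrail file (three records in the standard `Records` JSON layout), lists the events that changed a security group or network ACL, and separately flags any ingress rule that was opened to the whole internet. Account ids, ARNs, group ids and IP addresses are placeholders, and the console-versus-API test on `userAgent` is a heuristic rather than a CloudTrail field.

```python
"""Reading CloudTrail records for the use cases on the slide: who changed a
security group or network ACL, from where, when, and via console or API.

Added example, not from the original deck. SAMPLE_TRAIL is constructed in
the CloudTrail JSON layout (a "Records" list with eventTime, eventName,
userIdentity, sourceIPAddress, userAgent, requestParameters); account ids,
ARNs, group ids and IPs are placeholders.
"""
import json

# EC2 API actions that alter security groups or network ACLs
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-03-10T09:14:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/1.7.0",
     "requestParameters": {"groupId": "sg-0EXAMPLE", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-03-10T09:15:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/1.7.0",
     "requestParameters": {}},
    {"eventTime": "2015-03-10T11:02:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.44", "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0EXAMPLE", "ruleNumber": 90,
                           "egress": False, "ruleAction": "allow",
                           "cidrBlock": "0.0.0.0/0"}},
]})


def load_records(text):
    return json.loads(text)["Records"]


def summarize(record):
    """The 'who did what, from where, when' view of one event."""
    identity = record.get("userIdentity", {})
    agent = record.get("userAgent", "")
    return {
        "who": identity.get("arn") or identity.get("type"),
        "what": record["eventName"],
        "where": record.get("sourceIPAddress"),
        "when": record["eventTime"],
        # heuristic: console calls carry a console user agent, CLI/SDK calls do not
        "via": "console" if "console" in agent else "cli/sdk/api",
    }


def network_change_events(records):
    """Every event that changed a security group or NACL, oldest first."""
    hits = [summarize(r) for r in records if r.get("eventName") in NETWORK_CHANGE_EVENTS]
    return sorted(hits, key=lambda e: e["when"])


def world_open_ingress(records):
    """(group id, from port, to port) for each ingress rule opened to 0.0.0.0/0 or ::/0."""
    findings = []
    for r in records:
        if r.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = r.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            v4 = [x.get("cidrIp") for x in perm.get("ipRanges", {}).get("items", [])]
            v6 = [x.get("cidrIpv6") for x in perm.get("ipv6Ranges", {}).get("items", [])]
            if "0.0.0.0/0" in v4 or "::/0" in v6:
                findings.append((params.get("groupId"), perm.get("fromPort"), perm.get("toPort")))
    return findings


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for event in network_change_events(recs):
        print(event)
    print("world-open ingress:", world_open_ingress(recs))
```

The read-only DescribeInstances call is skipped, the two changes come out in time order with the actor, source IP and channel attached, and the SSH rule opened to 0.0.0.0/0 is reported separately so it can feed an alert rather than just a log line.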
41. Security is Job Zero
What our customers and analysts are saying
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
– CTO, Large US Space Agency
Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
42. AWS Security and Compliance Centers
http://aws.amazon.com/security/
http://aws.amazon.com/compliance/
• Answers to many security & privacy questions
• Security whitepaper
• Risk and Compliance whitepaper
• Auditing Security whitepaper
• Security at Scale: Governance in AWS whitepaper
• Security at Scale: Logging in AWS whitepaper
• Security bulletins
• Customer penetration testing
• Security best practices
• More information on:
• AWS Identity & Access Management (AWS IAM)
• AWS Multi-Factor Authentication (AWS MFA)
43. Thank you for your time.
scotward@amazon.com
aws.amazon.com
Editor's Notes
AWS is a comprehensive cloud services platform, offering compute power, storage, content delivery, and other functionality that enables businesses to cost-effectively deploy applications and services.
At AWS we hold Security as our number one priority. We take it very seriously to ensure that our customers are always protected and that they feel they are operating in a safe environment.
Security starts at the top in Amazon with a dedicated CISO and strong cultural focus through operational excellence and root cause analysis
Dedicated internal security teams constantly looking at the security of our services and how we better can help our customers secure themselves
Talk about how you can improve your security footprint
AWS security gives you a security model that is familiar.
It is important to call out that security at AWS continues to evolve. One of the best things for AWS is a tough set of customers. You can see some of the customer logos in the middle of this slide.
When big institutions submit stringent security requirements to us, and review the audit findings of our compliance auditors, we frequently build their requirements and incorporate their feedback into the platform. EVERYBODY benefits from them. We don’t build “one off” solutions for anyone, so everybody benefits from the improvements made for any customer. In many cases, this results in a better security profile than what each individual firm could accomplish on their own.
Within AWS security is shared. It’s not all on AWS and not all on the customer.
Security at AWS is based on the Shared Responsibility model.
We look after the security OF the cloud, which is the platform that customers use to run their AWS solutions.
Customers look after security IN the cloud.
Some deeper insight into the shared responsibility model.
For the customer portion of the responsibility model they implement the features that they need to ensure that their workloads are secure and meet any compliance requirements that are relevant to their workloads. First they can configure many AWS security features to help them out with securing their workloads. On top of that there is a rich partner eco-system that has products and solutions to assist with the security aspect. Finally, customers have full control to manage their own account and configure things as they see fit for their security needs.
This model allows your security professionals to focus on a subset of the problem.
Dedicated Global Security team
Physical data center security
Within the data center we own security of the actual Compute, Storage, and Network infrastructure which are managed to security best practices as well as a variety of security compliance standards. --Talk about separation of duties
Storage Device Decommission
Virtualization Layer (EC2)
Hardened Service Endpoints
Rich IAM capabilities
Auditors
Patch OS
Enforce Network rules
Control host OS access
Control AWS Resource access
Control application functionality and security
Deploy additional security mechanisms
Protect data
Combine the AWS side and the Customer side of the model and you have a more secure and compliant system than any one entity could achieve on its own.
So let’s move onto the networking portion of AWS and the security features that exist.
It all starts with the Virtual Private Cloud (VPC). VPC is …..
Your private network in the AWS cloud.
You define the IP address space
You control the configuration
You can define what is public and what is private
Levels of filtering to control traffic into and out of your VPC
Link your VPC with your on-premise infrastructure via IPSEC VPN connection.
From a networking standpoint much of this should be familiar. You should feel warm and fuzzy and right at home with many of these items.
These are the items that are delivered and available for you to use when you create a VPC.
Access Control Lists, Route Tables, Subnets, and Security Groups are available for you to customize to your needs.
VPC peering is another feature that allows you to extend your VPC to be able to communicate with other VPCs. Prior to VPC peering you would have to implement an IPSEC tunnel into each VPC in order to be able to communicate between VPCs.
Use cases where this would be relevant.
Offering Peering between a test/dev account and production.
Offering peering between a management account and the VPC of a customer
Keep in mind that this functionality is only for VPCs within the same region. If you want to go VPC to VPC in different regions you are still going to need to do the IPSEC tunnel.
Direct connect is your dedicated pipe into the AWS data center.
Offers up consistent performance and you are not relying on open internet networks for your data transfers.
You establish a connection at one of your co-location partners who will then establish the connection to AWS.
Good for a long term pipe where you want a dedicated connection. Also good for short term where you just want to do a large data transfer.
Available at speeds of 1Gbps and 10Gbps.
This type of solution plays well into the Hybrid architecture which we will be talking about a little later on.
Here we have another representation that outlines the different layers that exist with a VPC and where they sit in relation to the traffic flow in and out of a VPC.
Example without a Virtual Private gateway
This is not showing components like load balancers or how traffic is coming in but we are trying to represent the breakdown between VPC, AZ, and Subnet.
Example with a Virtual Private Gateway
Make point about the VPG being a fully resilient regional service and you can create two high-availability VPNs into the AWS region.
The customer gateway is YOUR VPN endpoint – we publish configuration guides for most popular VPN terminators on our website, to help you get set up quickly.
We have covered a lot of different security aspects within AWS. Now let’s take a look at how Palo Alto fits into that equation as part of the customer portion of the shared responsibility model.
Internet Facing
VPC with one VM series protecting one or more internal subnets
For anyone who was part of the hands on labs this is what we built out in lab 2
Hybrid Cloud
Extend or Burst your private Data center into AWS
VPC to VPC security.
Similar to a Hybrid cloud but facilitating the connection between two AWS VPCs
This could be for VPCs within the same region and account or could be across multiple AWS regions and possibly multiple AWS accounts
Global Protect
Solution that is providing you a remote access for VPN sessions running on PC/Mac/iOS/Android
Example with a Virtual Private Gateway connecting to Palo Alto Networks. This covers our Hybrid use case.
In this example you get access to all the Palo Alto Series features you love, running in AWS.
This covers our hybrid example but is a fair representation of what would happen in the VPC to VPC option as well. Just replace the on-premise piece with another VPC.
Internet Facing Application
Here we have a Palo Alto EC2 instance sitting in a public subnet with a public IP address tied to it. This allows the Palo Alto device to take in traffic and do its job of examining and routing the traffic to the appropriate instances in the other, hopefully private, subnets.
Now this is publicly facing, but you can still control what type of traffic comes in via ACLs and Security Groups before it even hits your Palo Alto device.
Let’s dive more into how security is implemented for EC2
So with virtual infrastructure how do we make sure that each instance is secure and isolated from other instances running on the same physical infrastructure.
AWS Personnel have no access to customer content or the guest operating system
Customers manage their own data access policies
Customers choose the region they want to operate in and AWS does not automatically replicate the data outside of that region. A customer must enable configuration or run code/commands to move the data outside of the region.
Customers have many ways that they can encrypt and protect their data to make it secure at the levels they need (More on this one later).
Key management is a managed service that makes it easy for you to create, control, and use your encryption Keys.
It is integrated with several AWS services now and with more soon.
With this service you have a way to centrally and securely store YOUR keys and use those keys to protect data within AWS services or to utilize within your custom application.
You get to utilize a secure service to act as your keystore which allows you to protect your data but not have to focus on the task of managing or building that key store, thus allowing you to focus more on your applications. You can actually use this regardless of where your applications are running and can integrate with it via an AWS provided SDK.
KMS is scalable, durable and highly available, allowing you to just use it without having to focus on all the components required to make this happen.
Good reference: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
For those of you who are using an HSM on site today this should seem familiar.
This is the same hardened hardware security model you are used to but available in the AWS cloud. Why would someone want to use this? Compliance is one good reason if your compliance requires a dedicated security device.
Key benefits:
Using AWS CloudHSM means you can now run high-assurance encryption within your AWS VPC without the need for on-premise integration
CloudHSM gives customers a high level of assurance that their sensitive encryption keys are protected within their AWS VPC, in a manner that protects them from unauthorized disclosure
So along with control goes the ability to protect your data in the way that you want.
What we are trying to represent here on this slide is that you have a lot of flexibility when it comes to protecting your data on AWS. You can use AWS managed solutions or bring/implement your own solutions in order to meet your needs.
S3 is a service intended for object storage. This could be data backups, log files, configuration files, or documents.
EBS is network block storage which is attached to your EC2 instance. Good use case for constantly changing data such as things like a database.
Many customers have workloads that require that they meet strict audit and control requirements. With AWS it is still possible to achieve these compliance requirements, by leveraging the work that AWS has done around compliance.
AWS does this by doing the following:
• Obtaining industry certifications and independent third party attestations described in this document
• Publishing information about the AWS security and control practices in whitepapers and web site content
• Providing certificates, reports, and other documentation directly to AWS customers under NDA (as required)
With this work AWS is obtaining the compliance certification for the AWS portion of the shared responsibility model. The customer is still responsible for maintaining compliance in their portion of the shared responsibility model, most often the same things that they may already be doing in their on-premise environment. The big thing here is that the customer no longer needs to devote time and attention to the compliance steps associated with securing the infrastructure, as that is what AWS takes responsibility for. So the people who used to focus on security of the infrastructure get to focus on something that is more important to the customer’s business.
When we take the shared responsibility model, add in the compliance and security work that AWS does on the platform, you get the ability to build an end to end compliant solution.
AWS config is one of our newer services.
With this service you get an inventory of your AWS resources, the ability to audit resource configuration history, and receive notifications when resource configuration changes.
Quick overview of AWS Config and its integration possibilities. What this is representing is changes to various resources, with details of those changes being fed through AWS config and then recorded and notified on.
Use Cases enabled by Config
Security Analysis: Am I safe?
Audit Compliance: Where is the evidence?
Change Management: What will this change affect?
Troubleshooting: What has changed?
From a security professional perspective CloudTrail is an exciting service. CloudTrail is your eyes behind the scenes at AWS. It gives you insight into all of the API calls made which are associated with your account(s). It lets you understand the who did what from where, when.
CloudTrail captures API calls made against your AWS resources and then places the log files into an S3 bucket for you to analyze. It tells you who did what and from what IP.
Emphasize that these API calls could be coming from the management console as well as CLI and SDK calls.
Use Cases enabled by CloudTrail
Security Analysis – Use log files as input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS Resources – Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC Security groups and Amazon EBS Volumes.
Troubleshoot Operational Issues – Identify the most recent actions made to resources in your AWS account
Compliance AID – Easier to demonstrate compliance with internal policies and regulatory standards.
Wrapping up.
Once again Security is Job Zero at AWS. We take this seriously and work very hard to make sure that everything is secure.
Through our efforts and the work we have done around the shared responsibility model you have a more secure environment than you could enable on your own.
Quick pointer to a couple of key areas.
The AWS Security site and the AWS compliance site. Lots of good and detailed information on these sites. On the security site is our security whitepaper which covers in depth many of the items I talked about, as well as security for each of the AWS services.