AWS provides comprehensive security capabilities to support workloads on its cloud platform. It emphasizes that security is a shared responsibility between AWS and customers, with AWS responsible for security of the cloud and customers responsible for security in the cloud. AWS offers more visibility into environments, auditability of actions, and control over identity and access than customers can achieve on their own through services like CloudTrail, IAM, and encryption options. Customers can choose the right level of security for their needs.
The 2014 AWS Enterprise Summit - Understanding AWS Security
1. AWS Security
Bill Shinn billshin@amazon.com
Principal Solutions Architect - Security, Amazon Web Services
Sami Zuhuruddin, samiz@amazon.com
Solutions Architect, Amazon Web Services
2. Different customer viewpoints on security
• PR exec: keep out of the news
• CEO: protect shareholder value
• CIO/CISO: preserve the confidentiality, integrity and availability of data
3. Security is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
• Customer Ecosystem
• Partner Ecosystem
• Every Customer Benefits
• Physical Security
• People & Procedures
• Network Security
• Platform Security
23. You are making API calls… on a growing set of services around the world… CloudTrail is continuously recording API calls… and delivering log files to you.
24. Security Analysis
Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS Resources
Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues
Quickly identify the most recent changes made to resources in your environment.
Compliance Aid
Easier to demonstrate compliance with internal policies and regulatory standards.
25. ‣ CloudTrail records API calls and delivers a log file to your S3 bucket.
‣ Typically, delivers an event within 15 minutes of the API call.
‣ Log files are delivered approximately every 5 minutes.
‣ Multiple partners offer integrated solutions to analyze log files.
33. Defense in Depth
Multi level security
• Physical security of the data centers
• Network security
• System security
• Data security
34. AWS Security Delivers More Control & Granularity
• Defense in depth
• Rapid scale for security
• Automated checks with AWS Trusted Advisor
• Fine grained access controls (AWS IAM)
• Server side encryption
• Multi-factor authentication
• Dedicated instances (Amazon VPC)
• Direct connection, Storage Gateway (AWS Direct Connect, AWS Storage Gateway)
• HSM-based key storage (AWS CloudHSM)
Customize the implementation based on your business needs
47. Amazon DynamoDB Fine Grained Access Control
Directly and securely access application data in Amazon DynamoDB
Specify access permissions at table, item and attribute levels
With Web Identity Federation, completely remove the need for proxy servers to perform authorization
52. It’s Not Just Having Services in a Couple of Regions
Hundreds of thousands of customers across 190 countries
800+ government agencies
3,000+ educational institutions
10 regions
26 availability zones
52 edge locations
Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.
53. Use Multiple AZs
Amazon S3
Amazon DynamoDB
Amazon RDS Multi-AZ
Amazon EBS snapshots
Best Practice
54. Data Encryption
Choose what’s right for you…
• Automated – AWS manages encryption
• Enabled – user manages encryption using AWS
• Client-side – user manages encryption using their own means
55. AWS CloudHSM
Managed and monitored by AWS, but you control the keys
Increase performance for applications that use HSMs for key storage or encryption
Comply with stringent regulatory and contractual requirements for key protection
[Diagram: EC2 Instance, AWS CloudHSM]
56. Encrypt Your Data
AWS CloudHSM
Amazon S3 SSE
Amazon Glacier
Amazon Redshift
Amazon RDS
…
Best Practice
58. IDC Survey
• Attitudes and perceptions around security and cloud services
• Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization
Source: IDC 2013 U.S. Cloud security survey, Doc #242836, September 2013
We give you the tools to do the same:
Use IAM (otherwise it’s like logging in as root).
…Each user can have a specific policy which defines what she can do with AWS. You can pick a policy from the list of predefined ones we offer…
There have been recent additions to IAM.
IAM can also be used to define roles, so the same restrictions you apply to your “human” users can also be applied to your “software” users.
Here you can define that those EC2 instances can only access S3 and DynamoDB, and even go fine-grained within those.
Who
Developers wanting more low-level control over their data in DynamoDB
Mobile developers using social login and using DynamoDB as a scalable store for their user data
What
Ability to directly and securely access application data in DynamoDB
Apps running on mobile devices / web platforms can send workloads to a DynamoDB table, row, or even a column without going through an intervening proxy layer.
Using access control this way involves a setup phase of authenticating the user (step 1) and obtaining IAM credentials (step 2). After these steps, the mobile app may directly perform permitted operations on DynamoDB (step 3).
Where / When
One of the pieces of a mobile infrastructure that developers have to build and maintain is the fleet of proxy servers that authorize requests coming from millions of mobile devices. This proxy tier allows vetted requests to continue to DynamoDB and then filters responses so the user only receives permitted items and attributes. So, if I am building a mobile gaming app, I must run a proxy fleet that ensures “johndoe@gmail.com” only retrieves his game state and nothing else. While Web Identity Federation, which we introduced a few months back, allowed using public identity providers such as Login with Amazon, Facebook, or Google for authentication, it still required a developer to build and deploy a proxy layer in front of DynamoDB for this type of authorization.
Why
Speed of development, scalability, and simplicity of management are among the critical needs of mobile developers. With the proliferation of mobile devices and users, and small agile teams that are tasked with building successful mobile apps that can grow from 100 users to 1 million users in a few days, scalability of the underlying infrastructure and simplicity of management are more important than ever.
We are further simplifying mobile app development. Now you can eliminate the middleware proxy layer needed for authorization.
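Slide 47 and the notes above describe replacing the authorization proxy with an IAM policy that limits a federated mobile user to their own items and to selected attributes. The example below is added here and is not code from the deck or from AWS: it builds such a policy using the `dynamodb:LeadingKeys` and `dynamodb:Attributes` condition keys with the identity-provider variable substituted by IAM, and includes a deliberately simplified model of how the `ForAllValues` conditions gate a request (an assumption for illustration, not IAM's real evaluator). The table ARN, account id and attribute names are constructed placeholders.

```python
import json

# IAM policy variables that are replaced with the federated user's id from each
# public identity provider named on the slide (Login with Amazon, Facebook, Google).
IDP_VARIABLES = {
    "login_with_amazon": "${www.amazon.com:user_id}",
    "facebook": "${graph.facebook.com:id}",
    "google": "${accounts.google.com:sub}",
}

def fgac_policy(table_arn, idp, allowed_attributes):
    """Policy for the role a federated mobile user assumes: item-level access via
    dynamodb:LeadingKeys (hash key must equal the caller's own id) and attribute-level
    access via dynamodb:Attributes (only the listed columns may be read or written)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
                       "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
            "Resource": [table_arn],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [IDP_VARIABLES[idp]],
                    "dynamodb:Attributes": allowed_attributes,
                },
                # Force callers to name the attributes they want, so a read cannot
                # request "all attributes" and sidestep the dynamodb:Attributes list.
                "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
            },
        }],
    }

def simulate(policy, federated_user_id, leading_keys, attributes):
    """Simplified model (an assumption for illustration, not IAM's evaluator) of the
    ForAllValues:StringEquals conditions: every hash key and attribute in the request
    must appear in the allowed set after the ${provider:id} variable is substituted."""
    cond = policy["Statement"][0]["Condition"]["ForAllValues:StringEquals"]
    allowed_keys = {federated_user_id if k.startswith("${") else k
                    for k in cond["dynamodb:LeadingKeys"]}
    return (set(leading_keys) <= allowed_keys
            and set(attributes) <= set(cond["dynamodb:Attributes"]))

if __name__ == "__main__":
    # Constructed values: placeholder account id and table name for the mobile-game example.
    policy = fgac_policy("arn:aws:dynamodb:us-east-1:123456789012:table/GameState",
                         "facebook", ["UserId", "Level", "Score"])
    print(json.dumps(policy, indent=2))
    print(simulate(policy, "1234", ["1234"], ["Level", "Score"]))  # own row: allowed
    print(simulate(policy, "1234", ["9999"], ["Level"]))           # another user's row: denied
```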
Additional Readings
Werner Blog -> http://www.allthingsdistributed.com/2013/10/mobile-app-data-management-dynamodb.html
Jeff Barr Blog -> http://aws.typepad.com/aws/2013/10/fine-grained-access-control-for-amazon-dynamodb.html