Dave Walker, Specialist Solutions Architect,
Security and Compliance
23/05/17
Accelerating your Business with
Security
What to expect from the session
• Existing Multi-Account Strategies, and Multi-Account
Planning
• Organizations
• Compliance and Scoping (and Artifact)
• EC2 Systems Manager
• DDoS and Mitigation with Shield
“Start Here”
Existing Multi-Account
Strategies, and Multi-Account
Planning
The Story So Far
MASCOT
• fully role- and identity-managed implementation from
ProServe
• Presented at Re:Invent 2016 SAC319
(https://www.youtube.com/watch?v=pqq39mZKQXU ),
SAC320 (https://www.youtube.com/watch?v=xjtSWd8z_bE )
• Bertram Dorn's work from 2014
• similar structure, but a number of differences
• https://youtu.be/CNSaJs7pWjA
• Neither covers Organizations (yet)
• MASCOT had some coverage for KMS
What Needs Segregating from What?
Obvious cases first:
• Read access to Billing and Log records from everyone,
except Auditors and Security
• ...and even then, access should be limited to appropriate cases
• consider evidential weight
• Prod from Dev, Test and Staging
• remember Knight Capital?
• also "bug ringfencing"
• Compliance in-scope from out-of-scope
• auditors need to see a hard scope boundary
• you will want to keep in-scope as small as possible
• use both AWS Accounts and VPCs for this
Less obvious cases:
• Look at your org chart and body of policies
• Consider how Separation of Duty and Need to Know operate
• both in and between departments
• Within org charts, policy, compliance scoping, and the need to ringfence dev accounts where bugs could impact API access, lie the answers to "how many ... do I need?" for each of:
• AWS Organizations
• KMS CMKs
• AWS accounts
Organizations
In the beginning… (diagram: one AWS account, used directly by you)
Today (diagram: you sign in to a Jump Account operated by your cloud team; cross-account trusts lead from it into the Dev, Prod, Data Science and Audit accounts, with cross-account resource access between them)
What do customers want to do?
• Use AWS account boundaries for isolation.
• Centrally manage policies across many accounts.
• Delegate permissions, but maintain guardrails.
• See a combined view of all charges.
Introducing AWS Organizations
Policy-based management for multiple AWS accounts.
• Control AWS service use across accounts
• Automate AWS account creation
• Consolidate billing
Typical Use Cases
Control the use of AWS services to help
comply with corporate security and
compliance policies.
• Service Control Policies (SCPs) help you
centrally control AWS service use across
multiple AWS accounts.
• Ensure that entities in your accounts can use
only the services that meet your corporate
security and compliance policy
requirements.
Automate the creation of AWS accounts for
different resources.
• API driven AWS account creation.
• Use APIs to add the new account to a group
and attach service control policies.
• Use API response to trigger additional
automation (eg deploy CloudFormation
template)
Typical Use Cases
Create different groups of accounts for
development and production resources.
• Organise groups into a hierarchy.
• Apply different policies to each group.
• Alternatively, group according to lines-of-
business or other desired dimensions.
Typical Use Cases
Key Features
• Policy framework for multiple AWS accounts.
• Group-based account management.
• Account creation and management APIs.
• Consolidated billing for all AWS accounts in your
organization.
• Enable Consolidated Billing Only or All Features.
How is Organizations different from IAM?
• Create groups of AWS accounts with AWS
Organizations.
• Use Organizations to attach SCPs to those groups to
centrally control AWS service use.
• Entities in the AWS accounts can only use the AWS
services allowed by both the SCP and the AWS IAM
policy for the account.
How to get started?
• Revisit or create your account segmentation strategy.
• Decide which type of organization is right for you.
• Organize your AWS accounts according to it.
• Test & begin to apply SCPs slowly.
• Iterate on SCPs to achieve your desired state.
Pricing & Availability
• Available at no additional charge.
• Global service.
• Accessed through endpoint in N. Virginia region.
Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are
accessible
- Define the list of APIs that are allowed – whitelisting
- Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection
between the SCP and assigned IAM permissions
• Necessary but not sufficient
• IAM policy simulator is SCP aware
Blacklisting example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "redshift:*",
      "Resource": "*"
    }
  ]
}
Whitelisting example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
Best practices – AWS Organizations
1. Monitor activity in the master account using CloudTrail
2. Do not manage resources in the master account
3. Manage your organization using the principle of “Least privilege”
4. Use OUs to assign controls
5. Test controls on single AWS account first
6. Only assign controls to root of organization if necessary
7. Avoid mixing “whitelisting” and “blacklisting” SCPs in organization
8. Create new AWS accounts for the right reasons
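The two rules the SCP slides state, that the effective permission is the intersection of the SCP and the IAM policy and that an SCP is necessary but not sufficient, together with best practice 7 (don't mix whitelisting and blacklisting SCPs), are easy to get wrong when reasoning by hand. The following is an added example, not code from the deck or from AWS: it evaluates the deck's own blacklisting and whitelisting SCPs against a constructed developer IAM policy and classifies each SCP's style. Resource and Condition elements are deliberately ignored, since both example SCPs scope by action only.

```python
"""Effective permissions under an SCP: an IAM principal in a member account can
call an API only if the SCP allows it AND its IAM policy allows it, and neither
carries an explicit Deny. Added example (not from the deck); the two SCPs are the
deck's blacklisting and whitelisting examples, the IAM policy is a constructed sample."""
import fnmatch

# The deck's blacklisting SCP: allow everything, then deny one service.
BLACKLIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"},
    ],
}

# The deck's whitelisting SCP: only the listed EC2 APIs are reachable.
WHITELIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeImages",
                "ec2:DescribeKeyPairs", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed IAM identity policy for a developer role inside the member account.
DEV_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "redshift:DescribeClusters", "s3:GetObject"], "Resource": "*"}
    ],
}


def _actions(stmt):
    """Normalise "Action" to a list; IAM accepts either a string or a list."""
    action = stmt["Action"]
    return [action] if isinstance(action, str) else list(action)


def policy_decision(policy, action):
    """Evaluate one action against one policy: 'deny' (explicit), 'allow' or
    'implicit_deny'. Matching is case-insensitive with IAM-style wildcards."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit Deny wins immediately
            decision = "allow"
    return decision


def effective(scp, iam_policy, action):
    """The intersection rule: the call is permitted only if both policies allow it.
    The SCP is necessary but not sufficient, so a gap in IAM still blocks the call."""
    return policy_decision(scp, action) == "allow" and policy_decision(iam_policy, action) == "allow"


def scp_style(scp):
    """Classify an SCP (this example's own categories): 'whitelist' (Allow-only),
    'blacklist' (Allow * plus Deny), 'allow-all' (no restriction) or 'mixed'
    (a partial Allow combined with Deny statements)."""
    allows_everything = any(s["Effect"] == "Allow" and "*" in _actions(s) for s in scp["Statement"])
    has_deny = any(s["Effect"] == "Deny" for s in scp["Statement"])
    if allows_everything:
        return "blacklist" if has_deny else "allow-all"
    return "mixed" if has_deny else "whitelist"


def mixes_styles(scps):
    """True when whitelisting and blacklisting SCPs are both in use, which best
    practice 7 advises against because the combined result is hard to reason about."""
    styles = {scp_style(s) for s in scps}
    return "whitelist" in styles and "blacklist" in styles


if __name__ == "__main__":
    for scp_name, scp in (("blacklist", BLACKLIST_SCP), ("whitelist", WHITELIST_SCP)):
        for api in ("ec2:RunInstances", "ec2:TerminateInstances", "redshift:DescribeClusters", "s3:PutObject"):
            verdict = "allowed" if effective(scp, DEV_IAM_POLICY, api) else "blocked"
            print(f"{scp_name:9} {api:26} -> {verdict}")
    print("mixed styles in org:", mixes_styles([BLACKLIST_SCP, WHITELIST_SCP]))
```

Note how `ec2:TerminateInstances` is blocked under the whitelisting SCP even though the developer's IAM policy grants `ec2:*`, and `s3:PutObject` is blocked under the blacklisting SCP even though the SCP allows it: the first is the SCP scoping down IAM, the second is IAM scoping down the SCP. The IAM policy simulator gives the same answer for real accounts, since it is SCP aware.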
Compliance and Scoping (and
Artifact)
The Artifact Service
{
"Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow",
"Action": [
"artifact:Get"
],
"Resource": [
"arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
"arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
"arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
]
}
]
}
The Artifact Service
• C5 (Germany)
• FedRAMP Partner package
• Global Financial Services Regulatory Principles
• IRAP Package (Australia)
• ISO 27001 Certification, Statement of Applicability
• ISO 27017 Certification, Statement of Applicability
• ISO 27018 Certification, Statement of Applicability
• ISO 9001 Certification
• MAS TRM Guidelines Workbook (Singapore)
• PCI DSS Attestation of Compliance and Responsibility Summary - Current and Previous
• PSN Connection Compliance Certificate (UK)
• PSN Service Provision Compliance Certificate (UK)
• Quality Management System Overview
• SOC 1 Reports (Current and Previous)
• SOC 2 Reports (Current and Previous)
• SOC 2 Report for Confidentiality
• SOC 3
• SOC Continued Operations Letter
EC2 Systems Manager
Amazon EC2 Systems Manager
• Announced at Re:Invent 2016
• See sessions WIN401
(https://www.youtube.com/watch?v=Eal9K0aGLYI ) and
WIN402
(https://www.youtube.com/watch?v=L5TglwWI5Yo )
Systems Manager Capabilities
• Run Command
• Maintenance Windows
• Inventory
• State Manager
• Patch Manager
• Automation
• Parameter Store
(grouped on the slide under Configuration/Administration, Update and Track, and Shared Capabilities)
Inventory
What we heard:
• Accurate software inventory is critical for understanding fleet
configuration and license usage
• Legacy solutions not optimised for cloud
• Self-hosting requires additional overhead
Inventory
Introducing Inventory
• End-to-end inventory collection (EC2/on-premises/Workspaces)
• Linux / Windows
• Powerful query syntax
• Extensible inventory schema
• Integrated with AWS services
Inventory – System Diagram
SSM Agent on EC2 Windows, EC2 Linux and on-premises instances → AWS SSM Service (State Manager runs the EC2 Inventory SSM document) → Inventory Store → queried from the EC2 Console, the SSM CLI/APIs and AWS Config (console + CLI/APIs).
Inventory – Getting Started
1. Configure Inventory policy
2. Apply Inventory policy
3. Query inventory
Inventory – Configuration
Create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather
• Instance information
• Applications
• AWS Components
• Network configuration
• Windows Updates
• Custom Inventory
Inventory – Custom Inventory Type
Custom Inventory Collection
• Extensible: record any attribute for a given instance
• On-premise Examples: rack location, BIOS version, firewall
settings
Two ways to record custom inventory types
1. Agent/on-instance: Write a cron job to record custom
inventory files to a predefined path
2. API: Use PutInventory API
Inventory Manager
Query
• Search by inventory attribute
• Partial and inverse searches
• eg "Windows 2012 r2 instances running SQL Server 2016
where Windows Update KB112342 is not installed"
Integration with AWS Config
• Record inventory changes over time
• Use AWS Config Rules to monitor changes, notify
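The example query on the slide, "Windows 2012 R2 instances running SQL Server 2016 where KB112342 is not installed", hides an edge case: "not installed" is the absence of a row in the `AWS:WindowsUpdate` inventory type, not a row whose value differs. The following is an added example, not code from the deck or from Systems Manager: the inventory records are constructed, the filter dictionaries follow the shape of the SSM `GetInventory` filters (`Key` as `TypeName.Attribute`, `Values`, `Type`), and the `Absent` filter type is this example's own addition used to show the difference against a row-level `NotEqual`.

```python
"""Evaluating an Inventory query like "Windows 2012 R2 instances running SQL Server
2016 where KB112342 is not installed" against collected inventory. Added example,
not from the deck: the inventory is constructed, the filter shape follows the SSM
GetInventory Filters form, and "Absent" is this example's own filter type."""

# Constructed inventory: per instance, a list of rows for each inventory type.
INVENTORY = {
    "i-0aaa": {  # patched: the KB is present
        "AWS:InstanceInformation": [{"PlatformName": "Microsoft Windows Server 2012 R2 Standard", "PlatformType": "Windows"}],
        "AWS:Application": [{"Name": "Microsoft SQL Server 2016", "Version": "13.0"}, {"Name": "7-Zip", "Version": "16.04"}],
        "AWS:WindowsUpdate": [{"HotFixId": "KB112342"}, {"HotFixId": "KB4012212"}],
    },
    "i-0bbb": {  # same OS and SQL Server, KB missing: the instance the query should find
        "AWS:InstanceInformation": [{"PlatformName": "Microsoft Windows Server 2012 R2 Standard", "PlatformType": "Windows"}],
        "AWS:Application": [{"Name": "Microsoft SQL Server 2016", "Version": "13.0"}],
        "AWS:WindowsUpdate": [{"HotFixId": "KB4012212"}],
    },
    "i-0ccc": {  # Linux web server, out of scope for the query
        "AWS:InstanceInformation": [{"PlatformName": "Amazon Linux", "PlatformType": "Linux"}],
        "AWS:Application": [{"Name": "httpd", "Version": "2.4.25"}],
        "AWS:WindowsUpdate": [],
    },
}

QUERY = [
    {"Key": "AWS:InstanceInformation.PlatformName", "Values": ["Microsoft Windows Server 2012 R2"], "Type": "BeginWith"},
    {"Key": "AWS:Application.Name", "Values": ["Microsoft SQL Server 2016"], "Type": "Equal"},
    # "not installed" is the absence of a row, not a row with a different value
    {"Key": "AWS:WindowsUpdate.HotFixId", "Values": ["KB112342"], "Type": "Absent"},
]

# The naive translation of "not installed" into a row-level NotEqual filter.
NAIVE_QUERY = [dict(f, Type="NotEqual") if f["Type"] == "Absent" else f for f in QUERY]


def row_matches(row, attr, values, ftype):
    """Row-level comparison of one attribute against the filter values."""
    value = row.get(attr)
    if value is None:
        return False
    if ftype == "Equal":
        return value in values
    if ftype == "NotEqual":
        return value not in values
    if ftype == "BeginWith":
        return any(value.startswith(prefix) for prefix in values)
    raise ValueError(f"unsupported filter type {ftype}")


def instance_matches(instance, flt):
    """An instance matches a row-level filter if any row of that type matches.
    "Absent" (example-only) matches when no row equals any of the values."""
    type_name, attr = flt["Key"].rsplit(".", 1)
    rows = instance.get(type_name, [])
    if flt["Type"] == "Absent":
        return not any(row_matches(r, attr, flt["Values"], "Equal") for r in rows)
    return any(row_matches(r, attr, flt["Values"], flt["Type"]) for r in rows)


def query(inventory, filters):
    """Return the sorted instance IDs that satisfy every filter (filters are ANDed)."""
    return sorted(iid for iid, inst in inventory.items() if all(instance_matches(inst, f) for f in filters))


if __name__ == "__main__":
    print("missing KB112342 (absence): ", query(INVENTORY, QUERY))
    print("missing KB112342 (NotEqual):", query(INVENTORY, NAIVE_QUERY))
```

The naive query also returns `i-0aaa`, because that instance has some other hotfix whose ID is not equal to KB112342. When the same question is put to a real inventory store, or to AWS Config's recorded history of it, check which instances the result set contains before acting on it; an "inverse search" over a multi-row type needs instance-level, not row-level, negation.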
State Manager
• Maintain consistent state of instances
• Reapply to keep instances from drifting
• Easily view status of configuration changes
• Define schedule – ad hoc, periodic
• Track aggregate status for your fleet
State Manager – Getting started
• Document: Author your intent
• Target: Instances or tag queries
• Association: Binding between a document and a
target
• Schedule: When to apply your association
• Status: Check the state of your association at an
aggregate or instance level
Creating an Association
aws ssm create-association \
    --document-name WebServerDocument \
    --document-version '$DEFAULT' \
    --schedule-expression "cron(0 */30 * * * ? *)" \
    --targets "Key=tag:Name,Values=WebServer" \
    --output-location '{"S3Location":{"OutputS3Region":"us-east-1","OutputS3BucketName":"MyBucket","OutputS3KeyPrefix":"MyPrefix"}}'
Configures all instances that match the tag query and reapplies every 30 minutes. ($DEFAULT is single-quoted so the shell does not expand it; the output location is passed as a single JSON string.)
Automation
CI/CD for DevOps (diagram)
Dev commits to Git/master in Version Control; the CI Server gets/pulls the code, runs distributed builds and tests in parallel, sends the build report to Dev and stops everything if the build failed; the Package Builder creates the repo and generates AMIs and CloudFormation templates for the environment; the Deploy Server pushes config and installs into the Test, Staging and Prod environments (Code, Config, Tests).
CI/CD for DevSecOps (diagram)
The same pipeline with a Promote Process that validates each stage and logs for audit: the CI Server sends the build report to Security and stops everything if audit/validation failed; config is audited/validated and checksummed, and the environments are continuously scanned.
Automation – What we heard
Automation pain point: AMI building
• Triggers: patching, hardening, application bake-in
• Never-ending
• Time consuming, especially when builds fail
• Overhead of maintaining build service
Automation
Introducing Automation
• Simplified automation solution
• Perfect for AMI updates, instance deployment & config
• Pro-active event notifications
• AWS optimized (EC2 Run Command, AWS Lambda, AWS
CloudTrail, IAM, and Amazon CloudWatch integrations)
Automation – Getting Started
1. Create an automation document
2. Run automation
3. Monitor your automation
Automation - Documents
Input & output parameters
• Create default values, or assign at run-time
• Parameter Store integration
• System Variables (DATE, DATE_TIME, REGION,
EXECUTION_ID)
Demo examples
Document parameter name   Default value
sourceAMIid               “{{ssm:sourceAMI}}”
targetAMIname             “patchedAMI-{{global:DATE_TIME}}”
Automation - Documents
Automation Steps
• Action types:
• runInstances, changeInstanceState, createAMI
• runCommand, invokeLambdaFunction
• Flow control: retries, timeouts, continue/abort
Public Automation Documents
• AWS-UpdateWindowsAmi
• AWS-UpdateLinuxAmi
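The Automation slides above list the building blocks (parameters with defaults or run-time values, `{{ssm:...}}` and `{{global:...}}` variables, steps built from action types, and onFailure flow control) without showing a whole document. The following is an added example, not the deck's or AWS's own code: a constructed `schemaVersion 0.3` document that uses the demo's `sourceAMIid` and `targetAMIname` parameters to launch, patch, bake and terminate, modelled on the shape of the public AWS-UpdateLinuxAmi document, plus a `lint()` routine that is this example's own check (not a Systems Manager feature) for the authoring mistakes that otherwise only surface when a step fails at run time.

```python
"""Authoring and sanity-checking an Automation document (schemaVersion 0.3) that
patches a source AMI and bakes a new one. Added example: the document is constructed
(modelled on the shape of AWS-UpdateLinuxAmi) and lint() is this example's own check."""
import copy
import json
import re

PATCH_AMI_DOC = {
    "schemaVersion": "0.3",
    "description": "Launch from the source AMI, patch, bake a new AMI, terminate.",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {
        "sourceAMIid": {"type": "String", "default": "{{ ssm:sourceAMI }}"},
        "targetAMIname": {"type": "String", "default": "patchedAMI-{{ global:DATE_TIME }}"},
        "AutomationAssumeRole": {"type": "String", "description": "Service role for Automation"},
        "InstanceIamRole": {"type": "String", "default": "AmazonEC2RoleforSSM"},
    },
    "mainSteps": [
        {"name": "launchInstance", "action": "aws:runInstances", "maxAttempts": 3,
         "timeoutSeconds": 1200, "onFailure": "Abort",
         "inputs": {"ImageId": "{{ sourceAMIid }}", "InstanceType": "t2.micro",
                    "MinInstanceCount": 1, "MaxInstanceCount": 1,
                    "IamInstanceProfileName": "{{ InstanceIamRole }}"}},
        {"name": "updateOSSoftware", "action": "aws:runCommand", "maxAttempts": 3,
         "timeoutSeconds": 3600, "onFailure": "step:terminateInstance",  # clean up on failure
         "inputs": {"DocumentName": "AWS-RunShellScript",
                    "InstanceIds": ["{{ launchInstance.InstanceIds }}"],
                    "Parameters": {"commands": ["sudo yum -y update"]}}},
        {"name": "stopInstance", "action": "aws:changeInstanceState",
         "inputs": {"InstanceIds": ["{{ launchInstance.InstanceIds }}"], "DesiredState": "stopped"}},
        {"name": "createImage", "action": "aws:createImage",
         "inputs": {"InstanceId": "{{ launchInstance.InstanceIds }}",
                    "ImageName": "{{ targetAMIname }}", "NoReboot": True}},
        {"name": "terminateInstance", "action": "aws:changeInstanceState",
         "inputs": {"InstanceIds": ["{{ launchInstance.InstanceIds }}"], "DesiredState": "terminated"}},
    ],
    "outputs": ["createImage.ImageId"],
}

REF = re.compile(r"\{\{\s*([^}\s]+)\s*\}\}")
SYSTEM_PREFIXES = ("global:", "ssm:", "ssm-secure:")  # resolved by the service at run time


def _refs(obj):
    """Yield every {{ name }} reference found anywhere inside a nested value."""
    if isinstance(obj, str):
        yield from REF.findall(obj)
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _refs(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _refs(value)


def lint(doc):
    """Return problems: duplicate step names, references to parameters or step
    outputs that do not exist or have not run yet, and bad onFailure targets."""
    problems = []
    params = set(doc.get("parameters", {}))
    step_names = [s["name"] for s in doc["mainSteps"]]
    if len(step_names) != len(set(step_names)):
        problems.append("duplicate step names")
    for ref in _refs(doc.get("assumeRole", "")):
        if ref not in params:
            problems.append(f"assumeRole: unknown parameter '{ref}'")
    earlier = []  # steps that have completed before the current one
    for step in doc["mainSteps"]:
        for ref in _refs(step.get("inputs", {})):
            if ref.startswith(SYSTEM_PREFIXES) or ref in params:
                continue
            if ref.split(".", 1)[0] not in earlier:
                problems.append(f"{step['name']}: unresolved reference '{ref}'")
        target = step.get("onFailure", "Abort")
        if target not in ("Abort", "Continue") and not (
            target.startswith("step:") and target[5:] in step_names
        ):
            problems.append(f"{step['name']}: bad onFailure '{target}'")
        earlier.append(step["name"])
    for out in doc.get("outputs", []):
        if out.split(".", 1)[0] not in step_names:
            problems.append(f"outputs: unknown step in '{out}'")
    return problems


# A broken variant with a typo in a step reference, to show what lint() catches.
BROKEN_DOC = copy.deepcopy(PATCH_AMI_DOC)
BROKEN_DOC["mainSteps"][2]["inputs"]["InstanceIds"] = ["{{ launchInstnace.InstanceIds }}"]


if __name__ == "__main__":
    print("good document:", lint(PATCH_AMI_DOC) or "no problems")
    print("broken document:", lint(BROKEN_DOC))
    print(json.dumps(PATCH_AMI_DOC, indent=2))  # the JSON to upload as the document content
```

The `onFailure: step:terminateInstance` on the patching step is the flow-control point worth copying: without it a failed Run Command leaves the launched instance running, which is the "never-ending, time consuming when builds fail" pain the Automation slides describe.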
Automation – IAM Setup
1. Create a Service Role for Automation
• Permission for Automation service to operate in your account
2. Attach PassRole policy to user’s account
3. Launch instances with SSM role (AmazonEC2RoleforSSM)
Automation – Monitoring
• Amazon CloudWatch Events
• Publish notifications to an Amazon SNS topic
• Step-level & automation-level notifications
Parameter Store
• Centrally store and find configuration data
• Repeatable, automatable management (e.g. SQL
connection strings, passwords, cryptographic keys)
• Granular access control – view, use and edit values
• Encrypt sensitive data using your own AWS KMS keys
Parameter Store – Getting started
• Parameter: Key-value pair
• Secure Strings: Encrypt sensitive parameters with your
own KMS or default account encryption key
• Reuse: In Documents and easily reference at runtime
across EC2 Systems Manager using {{ssm:parameter-
name}}
• Access Control: Create an IAM policy to control access
to specific parameter
Creating and using a parameter
$ aws ssm put-parameter \
    --name myprivatekey \
    --type SecureString \
    --value "-----BEGIN RSA PRIVATE KEY-----
WtcUTC+57cf…" \
    --key-id <KMS keyID>
$ aws ssm send-command \
    --document-name AWS-RunShellScript \
    --comment Insert-Websvr-Private-Key \
    --parameters '{"commands":["echo \"{{ssm-secure:myprivatekey}}\" > /etc/apache2/keys/private.key ; chmod 400 /etc/apache2/keys/private.key ; chown webserver:webserver /etc/apache2/keys/private.key"]}' \
    --targets Key=tag:Name,Values=WebServer
(<KMS keyID> is a placeholder for your key. {{ssm:name}} resolves a plain String parameter; a SecureString is referenced as {{ssm-secure:name}}, which also keeps the decrypted value out of the command's logged parameters.)
DDoS and Mitigation with Shield
Distributed Denial Of Service
Types of DDoS attacks
Volumetric DDoS attacks
Congest networks by flooding them with
more traffic than they are able to handle
(e.g., UDP reflection attacks)
Types of DDoS attacks
State-exhaustion DDoS attacks
Abuse protocols to stress systems like
firewalls, IPS, or load balancers (e.g., TCP
SYN flood)
Types of DDoS attacks
Application-layer DDoS attacks
Use well-formed but malicious requests to
circumvent mitigation and consume
application resources (e.g., HTTP GET, DNS
query floods)
DDoS attack trends
Share of attacks by type:
• Volumetric: 65%
• State exhaustion: 18%
• Application layer: 18%
Challenges in mitigating DDoS attacks
• Difficult to enable
• Complex set-up
• Provision bandwidth capacity
• Application re-architecture
DDoS protections built into AWS
Integrated into the AWS global infrastructure
Always-on, fast mitigation without external routing
Redundant Internet connectivity in AWS data centers
DDoS protections built into AWS
• Protection against most common infrastructure attacks
• SYN/ACK Floods, UDP Floods, Reflection attacks etc.
• No additional cost
(diagram: DDoS attack traffic and user traffic both pass through the DDoS mitigation systems before reaching the application)
AWS Shield
A Managed DDoS Protection Service
AWS Shield
Standard Protection: available to ALL AWS customers at no additional cost.
Advanced Protection: paid service that provides additional protections, features and benefits.
AWS Shield: four key pillars
• AWS Integration: DDoS protection without infrastructure changes
• Affordable: don't force unnecessary trade-offs between cost and availability
• Flexible: customize protections for your applications
• Always-On Detection and Mitigation: minimize impact on application latency
AWS Shield Standard
Layer 3/4 protection
• Automatic detection & mitigation
• Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)
• Built into AWS services
Layer 7 protection
• AWS WAF for Layer 7 DDoS attack mitigation
• Self-service & pay-as-you-go
AWS Shield Standard
Better protection than ever for your applications running on AWS
• Improved mitigations using proprietary BlackWatch systems
• Additional mitigation capacity
• Commitment to continuously improve detection and mitigation
• Still at no additional cost
AWS Shield Advanced
Managed DDoS Protection
AWS Shield Advanced
Application Load Balancer Classic Load Balancer Amazon CloudFront Amazon Route 53
Available today on …
AWS Shield Advanced
Available today in …
US East (N. Virginia) us-east-1
US West (Oregon) us-west-2
EU (Ireland) eu-west-1
Asia Pacific (Tokyo) ap-northeast-1
AWS Shield Advanced
Announcing AWS WAF for Application Load Balancer
(diagram: AWS WAF sits in front of the Application Load Balancer; valid users pass through, attackers are blocked)
AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection
Always-on monitoring and detection
Network flow monitoring Application traffic monitoring
Always-on monitoring and detection
Signature based detection
Heuristics-based
anomaly detection
Baselining
Always-on monitoring and detection
Detects anomalies based on attributes such as:
• Source IP
• Source ASN
• Traffic levels
• Validated sources
Heuristics-based anomaly detection
Always-on monitoring and detection
Continuously baselining normal traffic patterns
• HTTP Requests per second
• Source IP Address
• URLs
• User-Agents
Baselining
Advanced DDoS protection
Layer 7
application
protection
Layer 3/4
infrastructure
protection
Layer 3/4 infrastructure protection
Advanced mitigation techniques
Deterministic
filtering
Traffic prioritization
based on scoring
Advanced routing
policies
Layer 3/4 infrastructure protection
Automatically filters malformed TCP
packets
• IP checksum
• TCP valid flags
• UDP payload length
• DNS request validation
Deterministic filtering
Low suspicion attributes
• Normal packet or request header
• Traffic composition and volume is
typical given its source
• Traffic valid for its destination
High suspicion attributes
• Suspicious packet or request headers
• Entropy in traffic by header attribute
• Entropy in traffic source and volume
• Traffic source has a poor reputation
• Traffic invalid for its destination
• Request with cache-busting attributes
Layer 3/4 infrastructure protection
Traffic prioritization based on scoring
Layer 3/4 infrastructure protection
• Inline inspection and scoring
• Preferentially discard lower priority (attack) traffic
• False positives are avoided and legitimate viewers are protected
Traffic prioritisation based on scoring
High-suspicion
packets dropped
Low-suspicion
packets retained
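The three Layer 3/4 slides above (deterministic filtering of malformed packets, scoring on low/high-suspicion attributes, and preferential discard of the highest-suspicion traffic once capacity is exceeded) describe a pipeline that is easier to understand in code. The following is an added example, not AWS's BlackWatch logic or any code from the deck: the packets, the per-source baselines (the "traffic volume typical given its source" attribute, which the later baselining slides describe for Layer 7 too), the reputation list and the point values are all constructed for illustration, and the suspicion weights are this example's own.

```python
"""Layer 3/4 mitigation in miniature: a deterministic filter drops malformed packets
outright, survivors are scored on suspicion attributes, and when the pipe is over
capacity the highest-suspicion packets are discarded first so legitimate viewers keep
flowing. Added example; packets, baselines, reputation data and weights are constructed."""

# Constructed per-source packet rates: the learned baseline vs what is observed now.
BASELINE_PPS = {"198.51.100.10": 15, "198.51.100.11": 20, "198.51.100.12": 25}
OBSERVED_PPS = {"198.51.100.10": 20, "198.51.100.11": 22, "198.51.100.12": 30,
                "203.0.113.8": 5000, "203.0.113.9": 3000}
REPUTATION = {"203.0.113.8": "poor"}   # constructed reputation feed entry
SERVED_PORTS = {80, 443}               # what the destination actually serves

PACKETS = [  # constructed; RFC 5737 documentation addresses
    {"id": "p1", "src": "198.51.100.10", "proto": "tcp", "flags": {"SYN"}, "dst_port": 443, "ip_checksum_ok": True},
    {"id": "p2", "src": "198.51.100.11", "proto": "tcp", "flags": {"ACK", "PSH"}, "dst_port": 443, "ip_checksum_ok": True},
    {"id": "p3", "src": "203.0.113.5", "proto": "tcp", "flags": {"SYN", "FIN"}, "dst_port": 443, "ip_checksum_ok": True},
    {"id": "p4", "src": "203.0.113.6", "proto": "udp", "udp_len": 40, "payload": b"x" * 12, "dst_port": 443, "ip_checksum_ok": True},
    {"id": "p5", "src": "203.0.113.7", "proto": "tcp", "flags": {"SYN"}, "dst_port": 443, "ip_checksum_ok": False},
    {"id": "p6", "src": "203.0.113.8", "proto": "tcp", "flags": {"SYN"}, "dst_port": 443, "ip_checksum_ok": True},
    {"id": "p7", "src": "203.0.113.9", "proto": "tcp", "flags": {"SYN"}, "dst_port": 9999, "ip_checksum_ok": True},
    {"id": "p8", "src": "198.51.100.12", "proto": "tcp", "flags": {"ACK", "PSH"}, "dst_port": 80, "ip_checksum_ok": True, "cache_busting": True},
]


def valid_tcp_flags(flags):
    """Reject flag combinations that no legitimate stack emits."""
    f = set(flags)
    if not f:
        return False                       # null segment
    if "SYN" in f and f & {"FIN", "RST"}:
        return False                       # SYN+FIN / SYN+RST
    if "ACK" not in f and f not in ({"SYN"}, {"RST"}):
        return False                       # only an initial SYN or a bare RST lacks ACK
    return True


def deterministic_filter(pkt):
    """Return a drop reason for a malformed packet, or None if it is well-formed."""
    if not pkt["ip_checksum_ok"]:
        return "bad IP checksum"
    if pkt["proto"] == "tcp" and not valid_tcp_flags(pkt["flags"]):
        return "invalid TCP flags"
    if pkt["proto"] == "udp" and pkt["udp_len"] != 8 + len(pkt["payload"]):
        return "UDP length mismatch"       # header claims more bytes than arrived
    return None


def suspicion(pkt):
    """Score a well-formed packet; higher means more likely attack traffic."""
    score = 0
    src = pkt["src"]
    if OBSERVED_PPS.get(src, 0) > 5 * max(BASELINE_PPS.get(src, 1), 1):
        score += 2                          # volume atypical for this source
    if REPUTATION.get(src) == "poor":
        score += 3                          # source has a poor reputation
    if pkt["dst_port"] not in SERVED_PORTS:
        score += 2                          # traffic invalid for its destination
    if pkt.get("cache_busting"):
        score += 1                          # request with cache-busting attributes
    return score


def mitigate(packets, capacity):
    """Drop malformed packets, forward the lowest-suspicion packets up to capacity,
    and discard the rest. Returns id lists plus the deterministic drop reasons."""
    filtered, candidates = {}, []
    for pkt in packets:
        reason = deterministic_filter(pkt)
        if reason:
            filtered[pkt["id"]] = reason
        else:
            candidates.append(pkt)
    ranked = sorted(candidates, key=lambda p: (suspicion(p), p["id"]))
    return {
        "filtered": filtered,
        "forwarded": [p["id"] for p in ranked[:capacity]],
        "deprioritised": [p["id"] for p in ranked[capacity:]],
    }


if __name__ == "__main__":
    for key, value in mitigate(PACKETS, capacity=4).items():
        print(f"{key:13} {value}")
```

With capacity for four packets, the two ordinary viewers and the cache-busting request (score 1) are forwarded, the flood from the poor-reputation source is the first thing discarded, and the three malformed packets never reach the scoring stage at all. The point the slides make about false positives is visible here: `p8` looks slightly odd but is still retained because it ranks below the real attack traffic, so the legitimate viewer is protected.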
Layer 3/4 infrastructure protection
• Distributed scrubbing and bandwidth
capacity
• Automated routing policies to absorb large
attacks
• Manual traffic engineering
Advanced routing policies
Layer 3/4 infrastructure protection
• Advanced routing capabilities
• Additional mitigation capacity
Additional protections against larger and more sophisticated
attacks
AWS WAF – Layer 7 application protection
Web traffic filtering
with custom rules
Malicious request
blocking
Active monitoring
and tuning
AWS WAF – Layer 7 application protection
Three modes of operation
Self-service Engage DDoS experts Proactive DRT engagement
AWS WAF – Layer 7 application protection
1. You engage the AWS DDoS Response Team (DRT)
2. DRT triages attack
3. DRT assists you with creating AWS WAF rules
Engage DDoS experts
AWS WAF – Layer 7 application protection
1. Always-on monitoring engages the AWS DDoS
Response Team (DRT)
2. DRT proactively triages DDoS attack
3. DRT creates AWS WAF rules (prior
authorization required)
Proactive DRT engagement
AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection
Attack notification and reporting
Attack monitoring
and detection
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics and packet captures for attack forensics
• Historical attack reports
24x7 access to DDoS Response Team
Critical and urgent priority cases are
answered quickly and routed directly
to DDoS experts
Complex cases can be escalated to
the AWS DDoS Response Team
(DRT), who have deep experience in
protecting AWS as well as
Amazon.com and its subsidiaries
24x7 access to DDoS Response Team
Before Attack
Proactive consultation and
best practice guidance
During Attack
Attack mitigation
After Attack
Post-mortem
analysis
AWS cost protection
AWS absorbs scaling cost due to DDoS attack
• Amazon CloudFront
• Elastic Load Balancer
• Application Load Balancer
• Amazon Route 53
• No commitment
• No additional cost
AWS DDoS Shield: Pricing
• 1 year subscription commitment
• Monthly base fee: $3,000
• Data transfer fees
Data Transfer Price ($ per GB)
Tier            CloudFront    ELB
First 100 TB    $0.025        $0.050
Next 400 TB     $0.020        $0.040
Next 500 TB     $0.015        $0.030
Next 4 PB       $0.010        Contact Us
Above 5 PB      Contact Us    Contact Us
AWS DDoS Shield: How to choose
Standard Protection: for protection against the most common DDoS attacks, and access to tools and best practices to build a DDoS-resilient architecture on AWS.
Advanced Protection: for additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24x7 access to DDoS experts for complex cases.
AWS Shield: Getting started
Standard Protection: you get it automatically.
Advanced Protection: enable via the AWS Console.
Helpful Videos
The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M
IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
Encryption on AWS: https://youtu.be/DXqDStJ4epE
Securing Serverless Architectures: https://www.youtube.com/watch?v=8mpTpOXmws8
Security Webinar Series: https://www.brighttalk.com/webcast/9019/260695 and https://www.brighttalk.com/webcast/9019/261915
IoT Security: https://www.brighttalk.com/webcast/9019/229025?utm_campaign=CampaignPage
Helpful Resources
Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Centre Website: https://aws.amazon.com/compliance
Security Centre: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/
AWS Audit Training: awsaudittraining@amazon.com
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Kürzlich hochgeladen

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 

Kürzlich hochgeladen (20)

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 

Accelerating Your Business with Security

1. Dave Walker, Specialist Solutions Architect, Security and Compliance. 23/05/17. Accelerating your Business with Security

2. What to expect from the session
• Existing Multi-Account Strategies, and Multi-Account Planning
• Organizations
• Compliance and Scoping (and Artifact)
• EC2 Systems Manager
• DDoS and Mitigation with Shield

4. Existing Multi-Account Strategies, and Multi-Account Planning

5. The Story So Far
• MASCOT
  • fully role- and identity-managed implementation from ProServe
  • Presented at Re:Invent 2016 SAC319 (https://www.youtube.com/watch?v=pqq39mZKQXU), SAC320 (https://www.youtube.com/watch?v=xjtSWd8z_bE)
• Bertram Dorn's work from 2014
  • similar structure, but a number of differences
  • https://youtu.be/CNSaJs7pWjA
• Neither covers Organizations (yet)
  • MASCOT had some coverage for KMS

6. What Needs Segregating from What?
Obvious cases first:
• Read access to Billing and Log records from everyone, except Auditors and Security
  • ...and even then, access should be limited to appropriate cases
  • consider evidential weight
• Prod from Dev, Test and Staging
  • remember Knight Capital?
  • also "bug ringfencing"
• Compliance in-scope from out-of-scope
  • auditors need to see a hard scope boundary
  • you will want to keep in-scope as small as possible
  • use both AWS Accounts and VPCs for this

7. What Needs Segregating from What?
Less obvious cases:
• Look at your org chart and body of policies
• Consider how Separation of Duty and Need to Know operate
  • both in and between departments
• Within org charts, policy, compliance scoping, and the need to ringfence dev accounts where bugs could impact API access, lie the answers to "how many ... do I need?" for:
  • AWS Organizations
  • KMS CMKs
  • AWS accounts

9. In the beginning… (diagram: Your AWS Account, You)

10. Today (diagram: Jump Account, Your Cloud Team, Dev Account, Prod Account, Data Science Account, Audit Account, Cross Account Trusts, Cross Account Resource Access, You)

11. What do customers want to do?
• Use AWS account boundaries for isolation.
• Centrally manage policies across many accounts.
• Delegate permissions, but maintain guardrails.
• See combined view of all charges.

12. Introducing AWS Organizations
Policy-based management for multiple AWS accounts.
• Control AWS service use across accounts
• Automate AWS account creation
• Consolidate billing

13. Typical Use Cases
Control the use of AWS services to help comply with corporate security and compliance policies.
• Service Control Policies (SCPs) help you centrally control AWS service use across multiple AWS accounts.
• Ensure that entities in your accounts can use only the services that meet your corporate security and compliance policy requirements.

14. Typical Use Cases
Automate the creation of AWS accounts for different resources.
• API driven AWS account creation.
• Use APIs to add the new account to a group and attach service control policies.
• Use API response to trigger additional automation (e.g. deploy CloudFormation template)

15. Typical Use Cases
Create different groups of accounts for development and production resources.
• Organise groups into a hierarchy.
• Apply different policies to each group.
• Alternatively, group according to lines-of-business or other desired dimensions.

16. Key Features
• Policy framework for multiple AWS accounts.
• Group-based account management.
• Account creation and management APIs.
• Consolidated billing for all AWS accounts in your organization.
• Enable Consolidated Billing Only or All Features.

17. How is Organizations different from IAM?
• Create groups of AWS accounts with AWS Organizations.
• Use Organizations to attach SCPs to those groups to centrally control AWS service use.
• Entities in the AWS accounts can only use the AWS services allowed by both the SCP and the AWS IAM policy for the account.

18. How to get started?
• Revisit or create your account segmentation strategy.
• Decide which type of organization is right for you.
• Organize your AWS accounts according to it.
• Test & begin to apply SCPs slowly.
• Iterate on SCPs to achieve your desired state.

19. Pricing & Availability
• Available at no additional charge.
• Global service.
• Accessed through endpoint in N. Virginia region.

20. Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are accessible
  - Define the list of APIs that are allowed – whitelisting
  - Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions
• Necessary but not sufficient
• IAM policy simulator is SCP aware

21. Blacklisting example:
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "*", "Resource": "*" },
    { "Effect": "Deny", "Action": "redshift:*", "Resource": "*" }
  ]
}
Whitelisting example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
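As an added example (not code from the deck or from AWS), the following Python models the intersection rule from slide 20: an API call is effective only if every SCP on the account's path allows it AND the identity's IAM policy allows it. The two SCPs are the slide's own; the DEV_POLICY and READONLY_POLICY IAM documents and the evaluator itself are constructed here, and Resource and Condition elements are ignored.

```python
"""Effective permission = SCP intersection IAM (added example, simplified).

Not the deck's or AWS's code: only the Action element is evaluated, no
Resource or Condition matching.  That is enough to show why an SCP is
"necessary but not sufficient" and why a local administrator cannot
override it.
"""
import fnmatch

# The two SCPs shown on slide 21.
BLACKLIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"},
    ],
}
WHITELIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeImages",
                   "ec2:DescribeKeyPairs", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
                   "ec2:DescribeSecurityGroups"],
        "Resource": "*",
    }],
}

# Constructed IAM policies attached to identities inside a member account.
DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "redshift:*"], "Resource": "*"}]}
READONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names match case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, action):
    """One policy document: an explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for statement in policy["Statement"]:
        if any(_matches(p, action) for p in _as_list(statement["Action"])):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(scps, iam_policy, action):
    """Organizations semantics: every SCP between the root and the account
    must allow the action, and so must the identity's IAM policy."""
    return all(policy_allows(scp, action) for scp in scps) and policy_allows(iam_policy, action)


def explain(scps, iam_policy, action):
    """Which side is blocking?  Handy when a local admin asks why a call fails."""
    scp_ok = all(policy_allows(scp, action) for scp in scps)
    iam_ok = policy_allows(iam_policy, action)
    return {"action": action, "scp_allows": scp_ok, "iam_allows": iam_ok,
            "effective": scp_ok and iam_ok}


if __name__ == "__main__":
    for action in ("ec2:RunInstances", "ec2:TerminateInstances", "redshift:CreateCluster"):
        print(explain([WHITELIST_SCP], DEV_POLICY, action))
```

The IAM policy simulator gives the same answer for real policies; this model is only for reasoning about which layer an SCP change will affect.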
22. Best practices – AWS Organizations
1. Monitor activity in the master account using CloudTrail
2. Do not manage resources in the master account
3. Manage your organization using the principle of "Least privilege"
4. Use OUs to assign controls
5. Test controls on single AWS account first
6. Only assign controls to root of organization if necessary
7. Avoid mixing "whitelisting" and "blacklisting" SCPs in organization
8. Create new AWS accounts for the right reasons

23. Compliance and Scoping (and Artifact)

25. The Artifact Service (IAM policy granting artifact:Get on the SOC, PCI and ISO report packages)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:Get"
      ],
      "Resource": [
        "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
        "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
        "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
      ]
    }
  ]
}

26. The Artifact Service
• C5 (Germany)
• FedRAMP Partner package
• Global Financial Services Regulatory Principles
• IRAP Package (Australia)
• ISO 27001 Certification, Statement of Applicability
• ISO 27017 Certification, Statement of Applicability
• ISO 27018 Certification, Statement of Applicability
• ISO 9001 Certification
• MAS TRM Guidelines Workbook (Singapore)
• PCI DSS Attestation of Compliance and Responsibility Summary - Current and Previous
• PSN Connection Compliance Certificate (UK)
• PSN Service Provision Compliance Certificate (UK)
• Quality Management System Overview
• SOC 1 Reports (Current and Previous)
• SOC 2 Reports (Current and Previous)
• SOC 2 Report for Confidentiality
• SOC 3
• SOC Continued Operations Letter

28. Amazon EC2 Systems Manager
• Announced at Re:Invent 2016
• See sessions WIN401 (https://www.youtube.com/watch?v=Eal9K0aGLYI) and WIN402 (https://www.youtube.com/watch?v=L5TglwWI5Yo)

29. Systems Manager Capabilities (diagram: Run Command, Maintenance Windows, Inventory, State Manager, Parameter Store, Patch Manager, Automation; grouped under Configuration and Administration, Update and Track, and Shared Capabilities)

31. Inventory
What we heard:
• Accurate software inventory is critical for understanding fleet configuration and license usage
• Legacy solutions not optimised for cloud
• Self-hosting requires additional overhead

32. Inventory
Introducing Inventory
• End-to-end inventory collection (EC2/on-premises/Workspaces)
• Linux / Windows
• Powerful query syntax
• Extensible inventory schema
• Integrated with AWS services

33. Inventory – System Diagram (SSM Agent on EC2 Windows, EC2 Linux and on-premises instances; AWS SSM Service with State Manager, the EC2 Inventory SSM document and the Inventory Store; consumed through the EC2 Console, SSM CLI/APIs, and AWS Config with its console and CLI/APIs)

34. Inventory – Getting Started
1. Configure Inventory policy
2. Apply Inventory policy
3. Query inventory

35. Inventory – Configuration
Create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather
  • Instance information
  • Applications
  • AWS Components
  • Network configuration
  • Windows Updates
  • Custom Inventory

36. Inventory – Custom Inventory Type
Custom Inventory Collection
• Extensible: record any attribute for a given instance
• On-premise examples: rack location, BIOS version, firewall settings
Two ways to record custom inventory types
1. Agent/on-instance: write a cron job to record custom inventory files to a predefined path
2. API: use the PutInventory API

37. Inventory Manager
Query
• Search by inventory attribute
• Partial and inverse searches
• e.g. "Windows 2012 r2 instances running SQL Server 2016 where Windows Update KB112342 is not installed"
Integration with AWS Config
• Record inventory changes over time
• Use AWS Config Rules to monitor changes, notify

39. State Manager
• Maintain consistent state of instances
• Reapply to keep instances from drifting
• Easily view status of configuration changes
• Define schedule – ad hoc, periodic
• Track aggregate status for your fleet

40. State Manager – Getting started
• Document: author your intent
• Target: instances or tag queries
• Association: binding between a document and a target
• Schedule: when to apply your association
• Status: check the state of your association at an aggregate or instance level

41. Creating an Association
aws ssm create-association \
  --document-name WebServerDocument \
  --document-version '$DEFAULT' \
  --schedule-expression "cron(0 */30 * * * ? *)" \
  --targets "Key=tag:Name,Values=WebServer" \
  --output-location '{"S3Location": {"OutputS3Region": "us-east-1", "OutputS3BucketName": "MyBucket", "OutputS3KeyPrefix": "MyPrefix"}}'
Configures all instances that match the tag query and reapplies every 30 minutes

43. CI/CD for DevOps (pipeline diagram with these labels: Version Control, CI Server, Package Builder, Deploy Server, Dev, Commit to Git/master, Get / Pull Code, AMIs, Send Build Report to Dev, Stop everything if build failed, Distributed Builds, Run Tests in parallel, Staging Env, Test Env, Prod Env, Code, Config, Tests, Push Config, Install, Create Repo, Generate, CloudFormation Templates for Environment)

44. CI/CD for DevSecOps (pipeline diagram with these labels: Version Control, CI Server, Package Builder, Promote Process, Validate, Dev, Get / Pull Code, AMIs, Log for audit, Staging Env, Test Env, Prod Env, Code, Config, Tests, Audit/Validate Config Checksum, Continuous Scan, Send Build Report to Security, Stop everything if audit/validation failed, CloudFormation Templates for Environment)

45. Automation – What we heard
Automation pain point: AMI building
• Triggers: patching, hardening, application bake-in
• Never-ending
• Time consuming, especially when builds fail
• Overhead of maintaining build service

46. Automation
Introducing Automation
• Simplified automation solution
• Perfect for AMI updates, instance deployment & config
• Pro-active event notifications
• AWS optimized (EC2 Run Command, AWS Lambda, AWS CloudTrail, IAM, and Amazon CloudWatch integrations)

47. Automation – Getting Started
1. Create an automation document
2. Run automation
3. Monitor your automation

48. Automation – Documents
Input & output parameters
• Create default values, or assign at run-time
• Parameter Store integration
• System Variables (DATE, DATE_TIME, REGION, EXECUTION_ID)
Demo examples:
Document Parameter Name | Default Value
sourceAMIid             | "{{ssm:sourceAMI}}"
targetAMIname           | "patchedAMI-{{global:DATE_TIME}}"

49. Automation – Documents
Automation Steps
• Action types:
  • runInstances, changeInstanceState, createAMI
  • runCommand, invokeLambdaFunction
• Flow control: retries, timeouts, continue/abort
Public Automation Documents
• AWS-UpdateWindowsAmi
• AWS-UpdateLinuxAmi

50. Automation – IAM Setup
1. Create a Service Role for Automation
  • Permission for Automation service to operate in your account
2. Attach PassRole policy to user's account
3. Launch instances with SSM role (AmazonEC2RoleforSSM)

51. Automation – Monitoring
• Amazon CloudWatch Events
• Publish notifications to an Amazon SNS topic
• Step-level & automation-level notifications

53. Parameter Store
• Centrally store and find configuration data
• Repeatable, automatable management (e.g. SQL connection strings, passwords, cryptographic keys)
• Granular access control – view, use and edit values
• Encrypt sensitive data using your own AWS KMS keys

54. Parameter Store – Getting started
• Parameter: key-value pair
• Secure Strings: encrypt sensitive parameters with your own KMS or default account encryption key
• Reuse: in Documents and easily reference at runtime across EC2 Systems Manager using {{ssm:parameter-name}}
• Access Control: create an IAM policy to control access to specific parameter

55. Creating and using a parameter
$ aws ssm put-parameter --name myprivatekey --type SecureString \
    --value "-----BEGIN RSA PRIVATE KEY-----
WtcUTC+57cf…" --key-id <KMS keyID>
$ aws ssm send-command --document-name Insert-Websvr-Private-Key \
    --parameters '{"commands": ["echo \"{{ssm:myprivatekey}}\" > /etc/apache2/keys/private.key", "chmod 400 /etc/apache2/keys/private.key", "chown webserver:webserver /etc/apache2/keys/private.key"]}' \
    --targets Key=tag:Name,Values=WebServer

56. DDoS and Mitigation with Shield
Distributed Denial Of Service

57. Types of DDoS attacks

58. Types of DDoS attacks
Volumetric DDoS attacks: congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)

59. Types of DDoS attacks
State-exhaustion DDoS attacks: abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)

60. Types of DDoS attacks
Application-layer DDoS attacks: use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)

61. DDoS attack trends (chart): 65% Volumetric, 18% State exhaustion, 18% Application layer

62. Challenges in mitigating DDoS attacks

63. Challenges in mitigating DDoS attacks
• Difficult to enable
• Complex set-up
• Provision bandwidth capacity
• Application re-architecture

64. DDoS protections built into AWS
• Integrated into the AWS global infrastructure
• Always-on, fast mitigation without external routing
• Redundant Internet connectivity in AWS data centers

65. DDoS protections built into AWS
• Protection against most common infrastructure attacks
• SYN/ACK Floods, UDP Floods, Reflection attacks etc.
• No additional cost
(diagram: Users, DDoS Attack, DDoS mitigation systems)

66. AWS Shield: A Managed DDoS Protection Service

67. AWS Shield
• Standard Protection: available to ALL AWS customers at No Additional Cost
• Advanced Protection: paid service that provides additional protections, features and benefits.

68. AWS Shield: four key pillars…
• AWS Integration: DDoS protection without infrastructure changes
• Affordable: don't force unnecessary trade-offs between cost and availability
• Flexible: customize protections for your applications
• Always-On Detection and Mitigation: minimize impact on application latency

70. AWS Shield Standard
Layer 3/4 protection
• Automatic detection & mitigation
• Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)
• Built into AWS services
Layer 7 protection
• AWS WAF for Layer 7 DDoS attack mitigation
• Self-service & pay-as-you-go

71. AWS Shield Standard
Better protection than ever for your applications running on AWS
• Improved mitigations using proprietary BlackWatch systems
• Additional mitigation capacity
• Commitment to continuously improve detection and mitigation
• Still at no additional cost

72. AWS Shield Advanced: Managed DDoS Protection

73. AWS Shield Advanced: available today on Application Load Balancer, Classic Load Balancer, Amazon CloudFront, Amazon Route 53

74. AWS Shield Advanced: available today in US East (N. Virginia) us-east-1, US West (Oregon) us-west-2, EU (Ireland) eu-west-1, Asia Pacific (Tokyo) ap-northeast-1

75. AWS Shield Advanced: Announcing AWS WAF for Application Load Balancer (diagram: AWS WAF in front of the Application Load Balancer; valid users pass, attackers are blocked)

76. AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• AWS bill protection

78. Always-on monitoring and detection
• Network flow monitoring
• Application traffic monitoring

79. Always-on monitoring and detection
• Signature based detection
• Heuristics-based anomaly detection
• Baselining

80. Always-on monitoring and detection: Heuristics-based anomaly detection
Detects anomalies based on attributes such as:
• Source IP
• Source ASN
• Traffic levels
• Validated sources

81. Always-on monitoring and detection: Baselining
Continuously baselining normal traffic patterns
• HTTP Requests per second
• Source IP Address
• URLs
• User-Agents
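An added example, not code from the deck or from AWS, of the baselining and heuristic anomaly detection described on slides 79 to 81: it profiles a window of HTTP requests on the attributes listed (requests per second, source IP, URLs, User-Agents), keeps a profile of normal traffic as the baseline, and flags a later window whose rate or per-attribute entropy departs from it. The request records, thresholds and helper names are constructed for the demo.

```python
"""Baselining plus entropy heuristics for Layer 7 traffic (added example).

Not the deck's or AWS's code.  A baseline is a profile of known-good
traffic; a live window is anomalous when its request rate is far above
the baseline or when an attribute becomes much more concentrated (one
URL, one User-Agent) or much more spread out (thousands of sources).
"""
import math
from collections import Counter


def entropy_bits(counter):
    """Shannon entropy of a frequency table; 0 when a single value dominates."""
    total = sum(counter.values())
    return -sum(n / total * math.log2(n / total) for n in counter.values()) if total else 0.0


def profile(records, window_seconds):
    """Rate plus per-attribute distributions for one observation window."""
    return {
        "rps": len(records) / window_seconds,
        "src_ip": Counter(r["src_ip"] for r in records),
        "url": Counter(r["url"] for r in records),
        "user_agent": Counter(r["user_agent"] for r in records),
    }


def detect(baseline, current, rate_factor=5.0, entropy_delta=1.0):
    """Reasons the current window deviates from the baseline; empty list means normal."""
    reasons = []
    if current["rps"] > rate_factor * baseline["rps"]:
        reasons.append("rps %.1f exceeds %gx baseline %.1f"
                       % (current["rps"], rate_factor, baseline["rps"]))
    for attr in ("src_ip", "url", "user_agent"):
        delta = entropy_bits(current[attr]) - entropy_bits(baseline[attr])
        if abs(delta) > entropy_delta:
            kind = "spread over many more values" if delta > 0 else "concentrated on few values"
            reasons.append("%s %s (%+.2f bits)" % (attr, kind, delta))
    return reasons


def make_records(n, ips, urls, uas):
    """Deterministic round-robin sample so the demo needs no randomness."""
    return [{"src_ip": ips[i % len(ips)], "url": urls[i % len(urls)],
             "user_agent": uas[i % len(uas)]} for i in range(n)]


# Constructed normal traffic: 20 sources (TEST-NET-2), a few URLs and browser UAs.
NORMAL_IPS = ["198.51.100.%d" % i for i in range(1, 21)]
NORMAL_URLS = ["/", "/login", "/catalog", "/cart", "/static/app.js", "/api/items"]
NORMAL_UAS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)", "Mozilla/5.0 (iPhone)"]
BASELINE = profile(make_records(120, NORMAL_IPS, NORMAL_URLS, NORMAL_UAS), 60)
NORMAL_WINDOW = profile(make_records(25, NORMAL_IPS, NORMAL_URLS, NORMAL_UAS), 10)

# Constructed flood: hundreds of sources (TEST-NET-3), one query URL, one scripted UA.
FLOOD_IPS = ["203.0.113.%d" % i for i in range(1, 255)]
FLOOD_WINDOW = profile(make_records(3000, FLOOD_IPS, ["/api/items?nocache=1"],
                                    ["python-requests/2.18"]), 10)

if __name__ == "__main__":
    print("normal window:", detect(BASELINE, NORMAL_WINDOW))
    print("flood window:", detect(BASELINE, FLOOD_WINDOW))
```

In practice the baseline is refreshed continuously from windows that were not flagged, so that normal growth does not trip the rate check.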
  • 82. AWS Shield Advanced Always-on monitoring & detection Advanced L3/4 & L7 DDoS protection Attack notification and reporting 24x7 access to DDoS Response Team AWS bill protection
  • 83. Advanced DDoS protection Layer 7 application protection Layer 3/4 infrastructure protection
  • 84. Advanced DDoS protection Layer 7 application protection Layer 3/4 infrastructure protection
  • 85. Layer 3/4 infrastructure protection Advanced mitigation techniques Deterministic filtering Traffic prioritization based on scoring Advanced routing policies
  • 86. Layer 3/4 infrastructure protection Automatically filters malformed TCP packets • IP checksum • TCP valid flags • UDP payload length • DNS request validation Deterministic filtering
  • 87. Layer 3/4 infrastructure protection: traffic prioritization based on scoring
    Low suspicion attributes:
    • Normal packet or request header
    • Traffic composition and volume is typical given its source
    • Traffic valid for its destination
    High suspicion attributes:
    • Suspicious packet or request headers
    • Entropy in traffic by header attribute
    • Entropy in traffic source and volume
    • Traffic source has a poor reputation
    • Traffic invalid for its destination
    • Request with cache-busting attributes
  • 88. Layer 3/4 infrastructure protection: traffic prioritization based on scoring
    • Inline inspection and scoring
    • Preferentially discard lower priority (attack) traffic: high-suspicion packets dropped, low-suspicion packets retained
    • False positives are avoided and legitimate viewers are protected
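An added illustration of slides 87 and 88 (not Shield's scoring logic): each packet record is scored on the suspicion attributes the slide lists, and only when offered traffic exceeds capacity are the highest-scoring packets discarded first, so low-suspicion traffic survives. The weights, the reputation set and the per-source baseline are constructed assumptions.

```python
from dataclasses import dataclass

POOR_REPUTATION = {"198.51.100.7"}      # constructed sample, not a real reputation feed
TYPICAL_PPS = {"203.0.113.10": 50}      # constructed per-source baseline (packets/s)
UNKNOWN_BASELINE_PPS = 10               # assumed baseline for a never-seen source

@dataclass
class Packet:
    src: str
    header_ok: bool = True        # well-formed packet or request header
    valid_for_dest: bool = True   # e.g. UDP aimed at a TCP-only listener would be False
    cache_busting: bool = False   # request carries random query-string noise
    observed_pps: int = 0         # rate currently seen from this source

def suspicion(p: Packet) -> int:
    """Higher = more likely attack traffic; 0 means every low-suspicion attribute holds."""
    score = 0
    score += 2 if not p.header_ok else 0
    score += 2 if not p.valid_for_dest else 0
    score += 2 if p.src in POOR_REPUTATION else 0
    score += 1 if p.cache_busting else 0
    # volume atypical for its source: more than 4x what this source normally sends
    score += 1 if p.observed_pps > 4 * TYPICAL_PPS.get(p.src, UNKNOWN_BASELINE_PPS) else 0
    return score

def prioritize(packets: list, capacity: int) -> tuple:
    """Return (kept, dropped). Under capacity nothing is dropped; above it the most
    suspicious packets go first. sorted() is stable, so ties keep arrival order."""
    ranked = sorted(packets, key=suspicion)
    return ranked[:capacity], ranked[capacity:]
```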
  • 89. Layer 3/4 infrastructure protection: advanced routing policies
    • Distributed scrubbing and bandwidth capacity
    • Automated routing policies to absorb large attacks
    • Manual traffic engineering
  • 90. Layer 3/4 infrastructure protection: additional protections against larger and more sophisticated attacks
    • Advanced routing capabilities
    • Additional mitigation capacity
  • 92. AWS WAF – Layer 7 application protection
    • Web traffic filtering with custom rules
    • Malicious request blocking
    • Active monitoring and tuning
  • 93. AWS WAF – Layer 7 application protection: three modes of operation
    • Self-service
    • Engage DDoS experts
    • Proactive DRT engagement
  • 94. AWS WAF – Layer 7 application protection: engage DDoS experts
    1. You engage the AWS DDoS Response Team (DRT)
    2. DRT triages the attack
    3. DRT assists you with creating AWS WAF rules
  • 95. AWS WAF – Layer 7 application protection: proactive DRT engagement
    1. Always-on monitoring engages the AWS DDoS Response Team (DRT)
    2. DRT proactively triages the DDoS attack
    3. DRT creates AWS WAF rules (prior authorization required)
  • 97. Attack notification and reporting: attack monitoring and detection
    • Real-time notification of attacks via Amazon CloudWatch
    • Near real-time metrics and packet captures for attack forensics
    • Historical attack reports
  • 99. 24x7 access to DDoS Response Team
    • Critical and urgent priority cases are answered quickly and routed directly to DDoS experts
    • Complex cases can be escalated to the AWS DDoS Response Team (DRT), who have deep experience in protecting AWS as well as Amazon.com and its subsidiaries
  • 100. 24x7 access to DDoS Response Team
    • Before attack: proactive consultation and best practice guidance
    • During attack: attack mitigation
    • After attack: post-mortem analysis
  • 102. AWS cost protection
    AWS absorbs scaling cost due to a DDoS attack on:
    • Amazon CloudFront
    • Elastic Load Balancer
    • Application Load Balancer
    • Amazon Route 53
  • 103. AWS DDoS Shield: Pricing
    Standard Protection:
    • No commitment
    • No additional cost
    Advanced Protection:
    • 1 year subscription commitment
    • Monthly base fee: $3,000
    • Data transfer fees ($ per GB):
      Data Transfer    CloudFront    ELB
      First 100 TB     $0.025        $0.050
      Next 400 TB      $0.020        $0.040
      Next 500 TB      $0.015        $0.030
      Next 4 PB        $0.010        Contact Us
      Above 5 PB       Contact Us    Contact Us
  • 104. AWS DDoS Shield: How to choose
    • Standard Protection: for protection against the most common DDoS attacks, and access to tools and best practices to build a DDoS-resilient architecture on AWS.
    • Advanced Protection: for additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24x7 access to DDoS experts for complex cases.
  • 105. AWS Shield: Getting started
    • Standard Protection: you get it automatically
    • Advanced Protection: enable via the AWS Console
  • 106. Helpful Videos
    • The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M
    • IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
    • Encryption on AWS: https://youtu.be/DXqDStJ4epE
    • Securing Serverless Architectures: https://www.youtube.com/watch?v=8mpTpOXmws8
    • Security Webinar Series: https://www.brighttalk.com/webcast/9019/260695 and https://www.brighttalk.com/webcast/9019/261915
    • IoT Security: https://www.brighttalk.com/webcast/9019/229025?utm_campaign=CampaignPage
  • 107. Helpful Resources
    • Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
    • Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
    • Compliance Centre Website: https://aws.amazon.com/compliance
    • Security Centre: https://aws.amazon.com/security
    • Security Blog: https://blogs.aws.amazon.com/security/
    • Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/
    • AWS Audit Training: awsaudittraining@amazon.com