Amazon Web Services (AWS) approaches security using a shared responsibility model with our customers. We manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. As part of that model, our customers are responsible for building secure applications. We will provide a complete walkthrough from a blank canvas to a secure architecture from a development perspective. No matter the size of your team, you can implement your IT solutions using industry wide best security practices.
Building Secure Architectures on AWS
1. A Walk through the AWS Cloud: Building Secure Architectures on AWS
Oyvind Roti, Solutions Architect, Amazon Web Services
3. How customers use AWS
• Migrate existing apps & data to the cloud
• Build new apps, sites, services & lines of businesses
• Augment on-premises resources with cloud capacity
4. • No Up-Front Capital Expense
• Pay Only for What You Use
• Easily Scale Up and Down
• Improve Agility & Time-to-Market
• Low Cost
• Deploy
• Self-Service Infrastructure
11. Network Security Layers
• Security Groups
  • Inbound traffic must be explicitly specified by protocol, port, and security group
  • VPC adds outbound filters
• VPC also adds Network Access Control Lists (ACLs): inbound and outbound stateless filters
• OS Firewall (e.g., iptables) may be implemented
  • user controlled security layer
  • granular access control of discrete hosts
  • logging network events
[Diagram labels: Inbound Traffic, VPC Network ACL, Amazon Security Groups, OS Firewall, Encrypted File System, Encrypted Swap File]
16. Virtual Private Cloud – an extension of your DC
[Diagram labels: AWS Direct Connect, AWS Virtual Private Cloud]
17. Identity and Access Management (IAM)
• Users and Groups within Accounts
• Unique security credentials
  • Access keys
  • Login/Password
  • optional MFA device
• Policies control access to AWS APIs
• API calls must be signed by either:
  • X.509 certificate
  • secret key
• Deep integration into some Services
  • S3: policies on objects and buckets
  • SimpleDB: domains
• AWS Management Console supports User log on
• Not for Operating Systems or Applications
  • use LDAP, Active Directory/ADFS, etc.
19. Amazon S3 Security
• Access controls at bucket and object level:
  – Read, Write, Full
• Owner has full control
• Customer Encryption
• SSL Supported
• Durability 99.999999999%
• Availability 99.99%
• Versioning (MFA Delete)
• Detailed Access Logging
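Worked example, added here and not part of the original deck or of any AWS code: a bucket policy that turns two points from slides 17 and 19 into enforceable controls (only TLS access, and MFA required for object deletion), together with a small evaluator that models IAM's explicit-deny-overrides-allow rule. The bucket name, account id and role ARN are constructed samples, and the evaluator only models the Bool and BoolIfExists condition operators.

```python
"""Constructed model of an S3 bucket policy enforcing TLS-only access and
MFA for deletes; the evaluator is a simplified stand-in for IAM, not AWS code."""
import fnmatch

BUCKET = "example-bucket"                              # constructed sample name
APP_ROLE = "arn:aws:iam::123456789012:role/app"        # constructed sample ARN

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppAccess", "Effect": "Allow",        # app role may read/write/delete
         "Principal": {"AWS": APP_ROLE},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny",   # any request not over TLS
         "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyDeleteWithoutMFA", "Effect": "Deny",    # deletes need MFA; IfExists
         "Principal": "*", "Action": "s3:DeleteObject",      # also catches long-term keys,
         "Resource": f"arn:aws:s3:::{BUCKET}/*",             # which never carry the key
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, principal, action, resource, ctx):
    # A statement applies only if principal, action, resource and every condition match.
    p = stmt["Principal"]
    principals = ["*"] if p == "*" else _as_list(p["AWS"])
    if not any(fnmatch.fnmatchcase(principal, x) for x in principals): return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])): return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])): return False
    for op, clauses in stmt.get("Condition", {}).items():  # only Bool / BoolIfExists modelled
        for key, want in clauses.items():
            if key not in ctx:                 # missing key: Bool never matches,
                if op == "BoolIfExists":       # BoolIfExists counts as a match
                    continue
                return False
            if str(ctx[key]).lower() != want.lower():
                return False
    return True

def evaluate(policy, principal, action, resource, ctx):
    """Explicit Deny wins over Allow; no matching Allow means implicit Deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, principal, action, resource, ctx)}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"
```

The MFA statement uses BoolIfExists rather than Bool because aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, and a plain Bool condition would never match those requests.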
20. CloudHSM (new in 2013)
• Secure Key Storage: tamper-resistant, customer-controlled hardware security module within your VPC
• Only you have access to your keys; not even the Amazon administrators who manage and maintain the appliance can access them.
• Common Criteria EAL4+, NIST FIPS 140-2.
• Reliable & Durable Key Storage: available in multiple AZs and Regions, or replicate to on-premises HSMs
http://aws.amazon.com/cloudhsm/
21. AWS Security and Compliance Centre
• Answers to many security & privacy questions
• Security whitepaper
• Risk and Compliance whitepaper
• Security bulletins
• Customer penetration testing
• Security best practices
• More information on:
  • AWS Identity & Access Management (AWS IAM)
  • AWS Multi-Factor Authentication (AWS MFA)
http://aws.amazon.com/security