AWSome Day Online 2020, Module 4: Mengamankan aplikasi cloud Anda (Secure your cloud applications)
1. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module 4:
Secure your cloud applications
Donnie Prakoso
Technical Evangelist
Amazon Web Services
3.
Security is our top priority
• Designed for security
• Constantly monitored
• Highly automated
• Highly available
• Highly accredited
4.
Security of the cloud
• Hosts, network, software, facilities
• Protection of the AWS global infrastructure is top priority
• Availability of third-party audit reports
Diagram (AWS responsibility): Foundation services (Compute, Storage, Database, Network) and the AWS global infrastructure (Regions, Availability Zones, Edge locations).
5.
Security in the cloud
Considerations
• What you should store
• Which AWS services you should use
• Which region to store in
• In what content format and structure
• Who has access
Diagram (customer responsibility): Customer data; Platform, applications, identity & access management; Operating system, network & firewall configuration; Client-side data encryption & data integrity authentication; Server-side encryption (file system and/or data); Network traffic protection (encryption/integrity/identity).
6.
AWS shared responsibility model
Customer (security in the cloud)
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption/integrity/identity)
AWS (security of the cloud)
• Foundation services: Compute, Storage, Database, Network
• AWS global infrastructure: Regions, Availability Zones, Edge locations
7.
Discussion: Who's responsible for what?
Unmanaged services
• Amazon EC2
• Amazon EBS
Managed services
• Amazon RDS
• Amazon S3
• Amazon DynamoDB
Operations
• Guest OS patching
• Database patching
• Firewall configuration
• Disaster recovery
• User data
8.
Security, identity, and compliance products
AWS Artifact
AWS Certificate Manager
Amazon Cloud Directory
AWS CloudHSM
Amazon Cognito
AWS Directory Service
AWS Firewall Manager
Amazon GuardDuty
AWS Identity and Access Management
Amazon Inspector
AWS Key Management Service
Amazon Macie
AWS Organizations
AWS Shield
AWS Secrets Manager
AWS Single Sign-On
AWS WAF
9.
Manage authentication and authorization
10.
AWS Identity and Access Management (IAM)
Securely control access to AWS resources
• IAM user: a person or application that interacts with AWS
• Group: a collection of users with identical permissions
• Role: temporary privileges that an entity can assume
11.
Authentication: Who are you?
Diagram: an IAM user or IAM group authenticates to IAM through the AWS CLI ($ aws), the AWS SDKs, or the AWS Management Console.
12.
Authorization: What can you do?
Diagram: IAM policies (for example, full access or read only) attached to an IAM user, group, or role decide what the AWS CLI call ($ aws) may do to an Amazon S3 bucket.
13.
IAM roles
• IAM users, applications, and services may assume IAM roles
• A role uses an IAM policy for its permissions
14.
Using roles for temporary security credentials (slides 14 to 18)
Diagram (built up across five slides): an application on an EC2 instance assumes an IAM role; the IAM policy attached to the role grants the resulting temporary credentials access to an Amazon S3 bucket.
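As an added illustration of slides 12 to 18 (not code from the deck or from AWS): a Python model of the read-only and full-access S3 policies, a trust policy that lets an EC2 instance assume a role, and a simplified IAM evaluation showing why an explicit Deny beats an Allow and why an unmatched request is implicitly denied. The bucket ARN and all policies are constructed placeholders.

```python
import fnmatch
# Constructed sample policies for this example (not from the slides); the bucket name is a placeholder.
BUCKET_ARN = "arn:aws:s3:::example-bucket"
# "Read only" identity policy (slide 12): list the bucket and read its objects, nothing else.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
}]}
# "Full access" identity policy: every S3 action, still scoped to the one bucket.
FULL_ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
}]}
# Trust policy for the role of slides 14-18: only the EC2 service may assume it.
EC2_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole",
}]}

def _as_list(value):
    # IAM lets Action, Resource and Principal fields be a single string or a list.
    return value if isinstance(value, list) else [value]

def _matches(value, patterns):
    # IAM wildcard match ('*' and '?'); case-sensitive here, real IAM folds case for action names.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policies, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, else any matching Allow grants,
    else implicit deny. Conditions, NotAction and resource-based policies are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(action, stmt["Action"]) and _matches(resource, stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def service_can_assume(trust_policy, service):
    # True when the trust policy lets the given service principal call sts:AssumeRole.
    for stmt in trust_policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if stmt["Effect"] == "Allow" and service in services and _matches("sts:AssumeRole", stmt["Action"]):
            return True
    return False
```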
19.
AWS account root user
The account root user has complete access to all AWS services.
Recommendations
• Delete root user access keys
• Create an IAM user
• Grant administrator access
• Use IAM credentials to interact with AWS
• Enable MFA
20.
Best practices
• Delete access keys for the AWS account root user
• Activate multi-factor authentication (MFA)
• Only give IAM users the permissions they need
• Use roles for applications
• Rotate credentials regularly
• Remove unnecessary users and credentials
• Monitor activity in your AWS account
21.
Assess your security and compliance
22.
Challenges of threat assessment
• Expensive
• Complex
• Time-consuming
• Difficult to track IT changes
23.
What is Amazon Inspector?
Automated security assessment as a service
• Assesses applications for vulnerabilities
• Produces a detailed list of security findings
• Leverages security best practices
24.
Amazon Inspector findings
25.
Remediation recommendation
26.
Protect your infrastructure from Distributed Denial of Service (DDoS) attacks
27.
What is DDoS?
28.
DDoS mitigation challenges
• Manual
• Degraded performance
• Limited bandwidth
• Involves rearchitecting
• Time-consuming
• Expensive
• Complex
29.
What is AWS Shield?
• A managed DDoS protection service
• Always-on detection and mitigations
• Seamless integration and deployment
• Cost-efficient and customizable protection
30.
AWS Shield Standard and AWS Shield Advanced
AWS Shield Standard (Included)
• Quick detection
• Inline attack mitigation
AWS Shield Advanced (Optional)
• Enhanced detection
• Advanced attack mitigation
• Visibility and attack notification
• DDoS cost protection
• Specialized support
31.
AWS security compliance
32.
Assurance programs
33.
How AWS helps customers achieve compliance
Sharing information
• Industry certifications
• Security and control practices
• Compliance reports directly under NDA
Assurance program
• Certifications/attestations
• Laws, regulations, and privacy
• Alignments/frameworks
34.
Customer responsibility
Review – Design – Identify – Verify