Infrastructure Security: Your Minimum Security Baseline
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
All customers benefit from the same security
Certified by independent experts
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001
• ISO 9001
• PCI DSS Level 1 - Service Provider
• ISO 27017 (security of the cloud)
• ISO 27018 (personal data)
(Diagram: AWS Foundation Services: Compute, Storage, Database, Network; AWS Global Infrastructure: Regions, Availability Zones, CloudFront edge locations)
Shared responsibility model for Infrastructure Services (such as Amazon EC2, Amazon EBS, and Amazon VPC)
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS IAM
Managed by the customer:
• Customer content (optional: opaque data, 1’s and 0’s, in transit/at rest)
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Customer IAM
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
Shared responsibility model for Abstracted Services (such as Amazon S3 and Amazon DynamoDB)
Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Data Protection by the Platform (Protection of Data at Rest)
• Network Traffic Protection by the Platform (Protection of Data in Transit)
• AWS IAM
Managed by the customer:
• Customer content (optional: opaque data, 1’s and 0’s, in flight / at rest)
• Client-Side Data Encryption & Data Integrity Authentication
Security in the cloud is familiar.
“Security in the cloud is familiar. The increase in agility and the ability to perform actions faster, at a larger scale and at a lower cost, does not invalidate well-established principles of information security.”
- Security Perspective of the AWS Cloud Adoption Framework Whitepaper
Security Perspective components: Directive, Preventative, Detective, Responsive
Hide ‘n Go Seek
~>nslookup www.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53
Non-authoritative answer:
www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.173
<snip>
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.85
~>nslookup ftp.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53
Non-authoritative answer:
ftp.buildabeer canonical name = bab-elb-1-916251722.us-west-2.elb.amazonaws.com.
Name: bab-elb-1-916251722.us-west-2.elb.amazonaws.com
Address: 54.148.117.41
<snip>
State Manager: Overview
Define and maintain consistent configuration of operating systems and applications running in your data center or in AWS
• Control configuration details such as anti-virus settings, iptables, etc.
• Define your own schedules for deployment reviews
• Compare actual deployments against specified configuration policy
• State Manager reapplies policies if state drift is detected
• Query State Manager to view status of deployments
Summary
• Ingress filtering capability: use VPC design in combination with security groups and NACLs to establish boundaries
• Egress filtering capability: use security groups, NACLs, NAT gateways, route tables and VPC endpoints
• Detection and response capabilities: use Config, CloudTrail, CloudWatch & VPC Flow Logs in combination with Inspector & SSM
• DDoS mitigation capability: use CloudFront (Shield) & Route 53 to mitigate layer 3 and 4 attacks
• Vulnerability & patch management capability: use Inspector and SSM
• Use SSM for:
– Configuration and patch compliance
– Secure privileged access to instances
– Automated patch management
– Software inventory & licensing compliance
– Secrets vaulting
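As an added example (not from the deck or AWS), a baseline check that compares security group rules, in the shape EC2 DescribeSecurityGroups returns them, against the ingress and egress boundaries the summary recommends: it flags admin ports open to the world and allow-all egress. The group id and rules are constructed sample data.

```python
"""Minimum-baseline check for VPC security group rules (added example).
Input dicts follow the EC2 DescribeSecurityGroups response format."""

ADMIN_PORTS = (22, 3389)             # SSH and RDP: never open to the world
ANYWHERE = {"0.0.0.0/0", "::/0"}     # CIDRs that match every address


def _open_to_world(perm):
    """True if an IpPermission entry contains an all-addresses CIDR."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def _covers_port(perm, port):
    """True if the permission's protocol/port range includes `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                # -1 means all protocols and ports
        return True
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    return proto in ("tcp", "udp") and lo <= port <= hi


def check_security_group(sg):
    """Return baseline findings (strings) for one security group dict."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):             # ingress rules
        if _open_to_world(perm):
            for port in ADMIN_PORTS:
                if _covers_port(perm, port):
                    findings.append(f"{gid}: ingress {port}/tcp open to the world")
    for perm in sg.get("IpPermissionsEgress", []):       # egress rules
        if _open_to_world(perm) and perm.get("IpProtocol") == "-1":
            findings.append(f"{gid}: unrestricted egress (all traffic to anywhere)")
    return findings


# Constructed sample: SSH and HTTPS open to the world, default allow-all egress.
SAMPLE_SG = {
    "GroupId": "sg-0example",        # constructed placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for finding in check_security_group(SAMPLE_SG):
        print(finding)
```

Only the SSH rule and the allow-all egress rule are reported; the HTTPS rule passes because web ports open to the world are expected at an ingress boundary.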