New AWS Security Solutions to Protect Your Workload
- 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Security Recap
James Chiang (蔣宗恩), Solution Architect
Amazon Web Services
- 3.
239 new security features
- 4.
Behind the scenes - SecOps on-call
AWS Security Ticket - Port Scanning abuse case created …
- 5.
Original Amazon EC2 host architecture
Diagram labels (SERVER): Hypervisor; Management, security, and monitoring; Storage; Network; Customer instances
- 6.
Amazon EC2 - C3 & C4 instances launched
• Improved performance by isolating functions within the hypervisor; moving them away from hardware
• Offloaded network processing to dedicated hardware within the system, decoupling from hardware that managed the hypervisor, saving significant CPU time through more efficient network packet processing
• Offloaded storage, requiring Amazon EC2 host software to validate, encrypt and route storage requests
- 7.
2017: Amazon EC2 C5 instances launched
Diagram labels (SERVER and NITRO SYSTEM): Nitro hypervisor; Management, security, and monitoring; Storage; Network; Customer instances
- 8.
Resource-based policies
- 9.
• VPN Connection
• Network Load Balancer
• Inter-Region VPC Peering
• Bring Your Own IP Address
- 10.
- 11.
AWS Config - Overview
Continuous change recording of changing resources, exposed as History, Stream and Snapshot (ex. 2018-06-05)
- 12.
Store the compliance history of AWS resources evaluated by Config rules
- 13.
Now offers agentless network assessments
- 14.
Amazon GuardDuty adds three new threat detections
• UnauthorizedAccess:EC2/TorClient
• UnauthorizedAccess:EC2/TorRelay
• CryptoCurrency:EC2/BitcoinTool.B
- 15.
- 16.
Processes an average of 92.7 million flow log records per second
- 17.
Amazon GuardDuty = automatic cost savings
• Travel company | 44% reduction in GuardDuty spend
• Financial services company | 82% reduction
• Automotive company | 79% reduction
• Social media company | 86% reduction
- 18.
Introducing: Amazon S3 block public access
- 19.
Amazon S3 block public access
- 20.
- 21.
From reactive to proactive
Pace of innovation: 1800+ updates
Meets pace of protection: 239 security updates
… through automation
- 22.
Pattern for automated remediation
Stages: Detection, Alerting, Remediation, Countermeasures, Forensics
Diagram labels: VPC Flow logs; APIs; Team collaboration
- 23.
Amazon CloudWatch + AWS Lambda + AWS Systems Manager
Diagram labels: Event; Documents; Amazon EC2 instance contents; Amazon EBS Volume; Amazon EBS snapshot
Amazon EC2 instance:
ec2-user$ top
ec2-user$ pcap
- 24.
- 25.
AWS security workflow
Identify, Protect, Detect, Respond, Recover
Diagram labels: Archive; Snapshot; Investigate; Automate; Amazon Macie
- 26.
Problem statement
1. Compliance: Ensure that your AWS infrastructure meets compliance requirements
2. Multiple formats: Dozens of security tools with different data formats
3. Prioritization: Large volume of alerts and the need to prioritize
4. Visibility: Lack of a single pane of glass across security and compliance tools
- 27.
AWS Security Hub overview
- 28.
Partner integrations: Firewalls; Vulnerability; SOAR; SIEM; Endpoint; Compliance; MSSP; Other
- 29.
Partner integration examples: CrowdStrike
- 30.
Setup and multi-account
- 31.
Compliance checks
- 32.
Insights
- 33.
Response and remediation
Diagram labels: Event (event-based); Rule
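The detection-to-forensics pattern on slides 22 and 23 and the event-rule-driven response on slide 33 share one shape: a finding arrives as an event, and a Lambda function decides what to hand to EC2 and Systems Manager. The Go program below is an added example, not code from this deck or from AWS; it assumes the field layout of GuardDuty findings as delivered by CloudWatch Events, uses a constructed finding of one of the slide-14 types, and names its actions with hypothetical labels rather than real API calls.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// findingEvent is the subset of a GuardDuty finding (as delivered through a CloudWatch Events
// rule) that the responder needs; the field layout is assumed from GuardDuty's event format.
type findingEvent struct {
	Source string `json:"source"`
	Detail struct {
		Type     string  `json:"type"`
		Severity float64 `json:"severity"`
		Resource struct {
			ResourceType    string `json:"resourceType"`
			InstanceDetails struct {
				InstanceID string `json:"instanceId"`
			} `json:"instanceDetails"`
		} `json:"resource"`
	} `json:"detail"`
}
// ResponsePlan is what the Lambda would hand to EC2 and Systems Manager; action names are hypothetical labels, not API calls.
type ResponsePlan struct {
	InstanceID string
	Actions    []string
}
// PlanResponse follows the deck's order: preserve evidence (EBS snapshot), collect volatile
// state (top, pcap through SSM documents), then contain only when the finding warrants it.
func PlanResponse(raw []byte) (ResponsePlan, error) {
	var ev findingEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return ResponsePlan{}, err
	}
	id := ev.Detail.Resource.InstanceDetails.InstanceID
	if ev.Source != "aws.guardduty" || ev.Detail.Resource.ResourceType != "Instance" || id == "" {
		return ResponsePlan{}, fmt.Errorf("not an EC2 GuardDuty finding (source %q)", ev.Source)
	}
	plan := ResponsePlan{InstanceID: id, Actions: []string{"snapshot-ebs-volumes", "ssm-run:top", "ssm-run:pcap"}}
	t := ev.Detail.Type // quarantine only high-severity findings from the families slide 14 lists
	if ev.Detail.Severity >= 7 && (strings.HasPrefix(t, "CryptoCurrency:EC2/") || strings.HasPrefix(t, "UnauthorizedAccess:EC2/Tor")) {
		plan.Actions = append(plan.Actions, "attach-quarantine-security-group")
	}
	return plan, nil
}
// sampleEvent is a constructed finding, not one captured from a real account.
const sampleEvent = `{"source":"aws.guardduty","detail":{"type":"CryptoCurrency:EC2/BitcoinTool.B","severity":8,"resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-0123456789abcdef0"}}}}`
func main() {
	fmt.Println(PlanResponse([]byte(sampleEvent)))
}
```

In a real deployment the returned plan would be executed with the EC2 and SSM APIs, and events from other sources (such as Security Hub findings) would need their own field mapping.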
- 34.
- 35.
Customers end up with Multi-account Challenges
Paradox of Choice: Too many design decisions
Setup Complexity: Granular AWS policies across multiple accounts & services
Ongoing management: Centrally managing compliance and security of multiple accounts
- 36.
Multi-Account Recommended Approach
Diagram labels: AWS Organizations; Core Accounts (Security, Shared Services, Network, Log Archive); Team/Group Accounts (Developer Sandbox, Dev, Pre-Prod, Prod, Team Shared Services); Developer Accounts; Data Center; Network Path; Optional Network Path; Log Flow
Orgs: Account management
Log Archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: Direct Connect
Dev Sandbox: Experiments, Learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team Shared Services, Data Lake
- 37.
Introducing AWS Control Tower (preview)
Consistent and simple multi-account management.
Automated AWS Setup: Launch an automated landing zone with best-practices blueprints
Policy Enforcement: Pre-packaged guardrails to enforce policies or detect violations
Dashboard for Oversight: Continuous visibility into workload compliance with controls
- 39.
Key Features / Benefits
Column headings: Account Setup; Landing Zone; Guardrails
• Automated, secure, and scalable landing zone
• Multi-account management using AWS Organizations
• Account provisioning wizard
• Central logging and multi-account configuration consistency
• Built-in best practices
• Multi-account preventive and detective guardrails
• Easy to use dashboard and notifications
• Curated rules in plain English
- 40.
AWS Control Tower - Building Blocks
Diagram labels: AWS Control Tower; Account Management; Guardrail Enforcement; Landing Zone; AWS Security Hub; AWS Landing Zone; AWS Organizations
- 41.
AWS Control Tower’s automated landing zone
• AWS Organizations with a master and pre-created accounts for central log archive, cross-account audit, and shared services
• Pre-configured directory and single sign-on using AWS SSO (with Active Directory custom option*)
• Centralized monitoring and alerts using AWS Config, AWS CloudTrail, and AWS CloudWatch
Diagram labels: Control Tower Master Account; AWS Control Tower
*Active Directory support is a roadmap feature post GA
- 42.
Account Factory
• Account factory for controls on account provisioning
• Pre-approved account baselines with VPC options
• Pre-approved configuration options
• End user configuration and provisioning through AWS Service Catalog
• Create/update AWS accounts under organizational units
- 43.
Account Factory - AWS Service Catalog
- 44.
AWS Service Catalog: Simplifying Provisioning
Diagram labels: Organizations; End Users; Curation; Compliance; Standardization; Agility; Self-Service; Time to Market; Security; Speed
Service Catalog enables organizations to deploy and manage AWS infrastructure and applications that reflect the organization’s security and operational policies
- 45.
Service Catalog: Simplified Provisioning
Service Catalog Administrator:
• Portfolio: Admins create collections of products
• Product: IT service or resource
• Constraint: Security, governance and deployment controls
Service Catalog End User:
• Products list: Users see which products they can launch
• Provisioned products: Users can update or perform service actions
- 46.
- 47.
Introducing AWS Key Management Service
• A service that enables you to provision and use encryption keys to protect your data
• Allows you to create, use, and manage encryption keys from within…
– Your own applications via AWS SDK
– Supported AWS services (S3, EBS, RDS, Redshift)
• Available in all commercial regions
- 48.
How AWS Key Management Service Works
Diagram labels: Client (Customer or AWS Service); Client AuthN and AuthZ; KMS Service Endpoint; AWS Authorization; KMS crypto module (crypto operations on customer master keys); Durable, Encrypted Key Store; Data Key + Encrypted Data Key; Data
1. Client makes authenticated request of KMS for data key
2. KMS generates data key
3. KMS pulls encrypted customer master key from durable storage; decrypts in the KMS crypto module
4. KMS encrypts data key with named customer master key and returns plaintext data key and encrypted data key
5. Client uses data key to encrypt data, stores encrypted data key.
To decrypt: client submits encrypted data key to KMS for decryption; data key is needed to decrypt data
- 49.
How AWS Services Integrate with KMS
• 2-tiered key hierarchy using envelope encryption
• Data keys encrypt customer data
• KMS master keys encrypt data keys
• Benefits:
• Limits blast radius of compromised resources and their keys
• Better performance
• Easier to manage a small number of master keys than billions of resource keys
Diagram labels: KMS; Master Key(s); Keys encrypted; Data Key 1 to Data Key 5; Data encrypted; S3 Object; EBS Volume; RDS Instance; Redshift Cluster; Your Application
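Steps 1 to 5 from the previous slide and the two-tier hierarchy above, as an added example rather than code from this deck or from AWS: a stand-in KMS (an assumption, not the real service) holds the customer master key and exposes only data-key generation and unwrap, while the client envelope-encrypts with AES-256-GCM and stores the ciphertext next to the wrapped data key. The random nonce prefix and the use of the wrapped key as associated data are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
func randomKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
func mustGCM(key []byte) cipher.AEAD { // keys here are always 32 random bytes, so failure is a bug
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// seal prepends a fresh random nonce to the AES-256-GCM ciphertext; open strips it again.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("truncated ciphertext")
}
// cmk stands in for the CMK inside the KMS crypto module (assumed); only steps 1-4 below ever touch it.
var cmk = randomKey()
func kmsGenerateDataKey() (plain, wrapped []byte) { // steps 2-4: one key, plaintext and CMK-wrapped
	plain = randomKey()
	return plain, seal(cmk, plain, nil)
}
func kmsDecrypt(wrapped []byte) ([]byte, error) { return open(cmk, wrapped, nil) }
// Envelope is what the client stores (step 5): ciphertext plus the wrapped data key.
type Envelope struct{ WrappedKey, Ciphertext []byte }
func EncryptEnvelope(data []byte) Envelope {
	dk, wrapped := kmsGenerateDataKey()
	// AAD binds the ciphertext to its own wrapped key; the plaintext dk is dropped after this call.
	return Envelope{WrappedKey: wrapped, Ciphertext: seal(dk, data, wrapped)}
}
func DecryptEnvelope(e Envelope) ([]byte, error) {
	dk, err := kmsDecrypt(e.WrappedKey) // the one KMS round trip; bulk decryption stays local
	if err != nil {
		return nil, err
	}
	return open(dk, e.Ciphertext, e.WrappedKey)
}
```

Compromising a stored envelope yields only ciphertext and a wrapped key, which is the blast-radius argument above: without a Decrypt call to KMS, and the authorization that gates it, the data key never materializes.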
- 50.
How does a custom key store work