New AWS Security Solutions to Protect Your Workload

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Security Recap
James Chiang(蔣宗恩), Solution Architect
Amazon Web Services

239 new security features

Behind the scenes - SecOps on-call
AWS Security Ticket - Port Scanning abuse case created …

Management,
security, and
monitoring
Storage
Customer instances
Network
Hypervisor
Original Amazon EC2 host architecture
SERVER

• Improved performance by isolating functions within the
hypervisor; moving them away from hardware
• Offloaded network processing to dedicated hardware
within the system, decoupling from hardware that
managed the hypervisor, saving significant CPU time
through more efficient network packet processing
• Offloaded storage, requiring Amazon EC2 host software
to validate, encrypt and route storage requests
Amazon EC2 - C3 & C4 instances launched

Management,
security, and
monitoring
Storage
Customer instances
Network
Nitro hypervisor
2017: Amazon EC2 C5 instances launched
SERVER
NITRO
SYSTEM

Resource-based
policies

VPN
Connection
Network Load
Balancer
Inter-Region
VPC Peering
Bring Your
Own IP
Address

Continuous
changeRecordingChanging
resources
AWS Config - Overview
History
Stream
Snapshot
(ex. 2018-06-05)

Store the compliance
history of AWS resources
evaluated by Config rules

Now offers agentless
network assessments

Amazon GuardDuty adds three new threat detections
UnauthorizedAccess:EC2/TorClient
UnauthorizedAccess:EC2/TorRelay
CryptoCurrency:EC2/BitcoinTool.B.

Processes an average
92.7million/sec
flow log records

Amazon GuardDuty = automatic cost savings
• Travel company | 44% reduction in GuardDuty spend
• Financial services company | 82% reduction
• Automotive company | 79% reduction
• Social media company | 86% reduction

Introducing: Amazon S3 block public access

Amazon S3 block public access

From reactive to proactive
Pace of innovation: 1800+ updates
Meets pace of protection: 239 security updates
… through automation

Pattern for automated remediation
Detection
Alerting
Remediation
Countermeasures
Forensics
VPC
Flow logs
APIs
Team
collaboration

Amazon CloudWatch + AWS Lambda + AWS Systems Manager
Amazon EC2
instance contents
Amazon EC2 instance:
ec2-user$ top
ec2-user$ pcap
Event
Documents
Amazon EBS
Volume
Amazon EBS
snapshot

AWSsecurityworkflow
ArchiveSnapshot
Protect Detect Respond RecoverIdentify
Investigate
Automate
Amazon
Macie
©
2
0
1
8
,
A
m
a
z
o
n
W
e
b
S
e
r
v
i
c
e
s
,
I
n
c
.
o
r
i
t
s
a
f
f
i
l
i
a
t
e
s
.
A
l
l
r
i
g
h
t
s
r
e
s
e
r
v
e
d
.

Problemstatement
Largevolume of
alerts and the need
to prioritize
13
Dozensof security
tools with different
data formats
2
Ensurethat your
AWSinfrastructure
meets compliance
requirements
1
PrioritizationMultiple formats VisibilityCompliance
Lackof asingle
pane of glassacross
security and
compliance tools
4
©
2
0
1
8
,
A
m
a
z
o
n
W
e
b
S
e
r
v
i
c
e
s
,
I
n
c
.
o
r
i
t
s
a
f
f
i
l
i
a
t
e
s
.
A
l
l
r
i
g
h
t
s
r
e
s
e
r
v
e
d
.

AWSSecurityHuboverview
©
2
0
1
8
,
A
m
a
z
o
n
W
e
b
S
e
r
v
i
c
e
s
,
I
n
c
.
o
r
i
t
s
a
f
f
i
l
i
a
t
e
s
.
A
l
l
r
i
g
h
t
s
r
e
s
e
r
v
e
d
.

Partnerintegrations
Firewalls
Vulnerability
SOAR
SIEM
Endpoint
Compliance
MSSP
Other
©
2
0
1
8
,
A
m
a
z
o
n
W
e
b
S
e
r
v
i
c
e
s
,
I
n
c
.
o
r
i
t
s
a
f
f
i
l
i
a
t
e
s
.
A
l
l
r
i
g
h
t
s
r
e
s
e
r
v
e
d
.

Partner integration examples—CrowdStrike
©
2
0
1
8
,
A
m
a
z
o
n
W
e
b
S
e
r
v
i
c
e
s
,
I
n
c
.
o
r
i
t
s
a
f
f
i
l
i
a
t
e
s
.
A
l
l
r
i
g
h
t
s
r
e
s
e
r
v
e
d
.

Setupandmulti-account
©
2
0
1
8
,
A
m
a
z
o
n
W
e
b
S
e
r
v
i
c
e
s
,
I
n
c
.
o
r
i
t
s
a
f
f
i
l
i
a
t
e
s
.
A
l
l
r
i
g
h
t
s
r
e
s
e
r
v
e
d
.

Compliancechecks
©
2
0
1
8
,
A
m
a
z
o
n
W
e
b
S
e
r
v
i
c
e
s
,
I
n
c
.
o
r
i
t
s
a
f
f
i
l
i
a
t
e
s
.
A
l
l
r
i
g
h
t
s
r
e
s
e
r
v
e
d
.

Insights
©
2
0
1
8
,
A
m
a
z
o
n
W
e
b
S
e
r
v
i
c
e
s
,
I
n
c
.
o
r
i
t
s
a
f
f
i
l
i
a
t
e
s
.
A
l
l
r
i
g
h
t
s
r
e
s
e
r
v
e
d
.

Responseandremediation
Event(event-
based)
Rule
©
2
0
1
8
,
A
m
a
z
o
n
W
e
b
S
e
r
v
i
c
e
s
,
I
n
c
.
o
r
i
t
s
a
f
f
i
l
i
a
t
e
s
.
A
l
l
r
i
g
h
t
s
r
e
s
e
r
v
e
d
.

Customers end up with Multi-account Challenges
Paradox of Choice
Too many design
decisions
Setup Complexity
Granular AWS policies
across multiple accounts
& services
Ongoing management
Centrally managing
compliance and security of
multiple accounts

Multi-Account Recommended Approach
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive Prod
Team Shared
Services
Optional Network Path
Network Path Log Flow
Data CenterDeveloper Accounts
Orgs: Account management
Log Archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: Direct Connect
Dev Sandbox: Experiments, Learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team Shared Services, Data Lake

Introducing AWS Control Tower (preview)
Consistent and simple multi account management.
Automated AWS Setup
Launch an automated
landing zone with best-
practices blueprints
Policy Enforcement
Pre-packaged guardrails
to enforce policies or
detect violations
Dashboard for Oversight
Continuous visibility into
workload compliance with
controls

Key Features / Benefits
Account Setup
Automated, secure, and scalable
landing zone
Multi-account management using
AWS Organizations
Central logging and multi-account
configuration consistency
Built-in best practices
Multi-account preventive and
detective guardrails
Easy to use dashboard and
notifications
Curated rules in plain EnglishAccount provisioning wizard
Guardrails
Landin
g Zone

AWS Control Tower - Building Blocks
AWS Control Tower
Account Management Guardrail Enforcement
AWS Security
Hub
Landing
Zone
AWS Landing Zone AWS Organizations

AWS Control Tower’s automated landing zone
 AWS Organizations with a master
and pre-created accounts for
central log archive, cross-account
audit, and shared services
 Pre-configured directory and single
sign-on using AWS SSO (with Active
Directory custom option*)
 Centralized monitoring and alerts
using AWS Config, AWS CloudTrail,
and AWS CloudWatch
Control Tower Master Account
AWS Control Tower
*Active Directory support is a roadmap feature post GA

Account Factory
• Account factory for controls on account provisioning
• Pre-approved account baselines with VPC options
• Pre-approved configuration options
• End user configuration and provisioning through AWS Service Catalog
• Create/update AWS accounts under organizational units

Account Factory - AWS Service Catalog

AWS Service Catalog: Simplifying Provisioning
End UsersOrganizations
Curation
Compliance
Standardization
Agility
Self-Service
Time to Market
SpeedSecurity
Service Catalog enables organizations to deploy
and manage AWS infrastructure and applications
that reflect the organization’s security and
operational policies

Service Catalog: Simplified Provisioning
Constraint
Security, governance and
deployment controls
Product
IT service or resource
Products list
User see which products they can launch
Portfolio
Admins create collections
of products
Provisioned products
Users can update or perform service actions
Service Catalog Administrator
Service Catalog End User

Introducing AWS Key Management Service
• A service that enables you to provision and use encryption keys to protect
your data
• Allows you to create, use, and manage encryption keys from within…
– Your own applications via AWS SDK
– Supported AWS services (S3, EBS, RDS, Redshift)
• Available in all commercial regions

How AWS Key Management Service
Works 1
Client AuthN
5
Data
Client
(Customer or
AWS Service)
4
Data Key Encrypted Data Key
+
and AuthZ
KMS Service
Endpoint
AWS
Authorization
Crypto
operations on
customer
master keys
2
3
Durable, Encrypted Key
Store
1. Client makes authenticated request of KMS for data key
2. KMS generates data key
3. KMS pulls encrypted customer master key from durable storage; decrypts in the
KMS crypto module
4. KMS encrypts data key with named customer master key and returns plaintext
data key and encrypted data key
5. Client uses data key to encrypt data, stores encrypted data key.
To decrypt: client submits encrypted data key to KMS for decryption; data key is
needed to decrypt data
KMS crypto module

How AWS Services Integrate with KMS
• 2-tiered key hierarchy using envelope
encryption
• Data keys encrypt customer data
• KMS master keys encrypt data keys
• Benefits:
• Limits blast radius of compromised
resources and their keys
• Better performance
Data Key 1
Master Key(s)
Keys encrypted
Data Key 2 Data Key 3
Data encrypted
KMS
Data Key 4 Data Key 5
• Easier to manage a small number of master
keys than billions of resource keys
S3 Object EBS
Volume
RDS
Instance
Redshift
Cluster
Your
Application

How does a custom key store work

Thank you!

New AWS Security Solutions to Protect Your Workload

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie New AWS Security Solutions to Protect Your Workload

Ähnlich wie New AWS Security Solutions to Protect Your Workload (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

New AWS Security Solutions to Protect Your Workload