Understand encryption on AWS using
KMS for simplified encryption
AWS CloudHSM
Partner solutions
Understand how to configure S3 polcies to lock down to for example Edge services
Understand how to validate and audit you security policies using for example.
AWS offers you the ability to add additional layers of security to your data at rest in the cloud, providing access control as well scalable and efficient encryption features. Flexible key management options allow you to choose whether to have AWS manage the encryption keys or to keep complete control over the keys yourself. In this session, you will learn how to secure data when using AWS services. We will discuss data encryption using Key Management Service, S3 access controls, edge and host access security, and database platform security features.
Let’s start with the transport side…
!Verify!
Customer actions replicated
Lifecycle actions not replicated
Sometimes you want to prevent any access from external resources
Key items:
Deny
VPCE
Can also point to specific VPC if you have multiple VPC Endpoints
You can also restrict a bucket to only allow traffic from a specific CloudFront distributionCloudFront
You can also restrict a bucket to only allow traffic from a specific CloudFront distributionCloudFront
Even though S3 provides 11 9’s of durability out of a single AWS region, some of our customers were asking us to automate replication of objects between regions to help them achieve their compliance objectives, lower latency and enhance access security.
Low Latency: Certain use cases where the volume of data delivered isn’t high enough to benefit from from use of a CDN, simply replicating your data closer to your end users can provide an improved low latency experience.
Compliance: Some of our customers were replicating their data across different regions to meet internal compliance and best practice guidelines that required them to move data hundreds of miles apart.
Security: Many customers told us they plan to use this feature to enhance access security by replicating data between buckets with separate owners.
Customer actions replicated
Lifecycle actions not replicated
Everyone has databases – in most companies it’s where all that data sits and
… it’s what we are really trying to protect after all.
Focus on the benefit of all the security controls we manage on behalf of the customer.
No network attack surface outside of the single SQL port
Certifications
Data availability in multiple ways (Multi-AZ, snapshots)
Patching
Security Groups
Cross region snapshot copy is available for Amazon RDS engines, Amazon Redshift and you can use DynamoDB streams . You can copy snapshots of any size. Copies can be moved between any of the public AWS regions, and you can copy the same snapshot to multiple Regions simultaneously by initiating more than one transfer. There is no charge for the copy operation itself; you pay only for the data transfer out of the source region and for the data storage in the destination region.
Exciting service – OK, exciting if you’re a security professional like me, perhaps not exciting as my kids view the world. CloudTrail is your eyes behind the scenes at AWS. It gives you insight into all of the API calls made which are associated with your account(s). It lets you understand the who did what from where, when.