© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Brad Dispensa
Specialist, Security / Compliance AWS Public Sector
SID202
Secure Your AWS Account and Your Organization’s Accounts
What is going on here?
You want to know:
• How can I better secure my AWS environment?
• How can I make sure all the accounts in our organization are following the rules?
• How can I detect threats in one or many accounts?
• What tools should I be using?
• How can I know that new accounts are secure by default?
Shared responsibility model
[Figure: the shared responsibility model drawn three times, once each for infrastructure services, container services and abstract services. Managed by Amazon Web Services in every case: the AWS global infrastructure (regions, availability zones, edge locations), the foundation services (compute, storage, databases, networking), AWS endpoints and AWS IAM. Managed by AWS customers in every case: customer data, platform and application management, customer IAM, client-side data encryption and data integrity authentication, and, optionally, opaque data (0s and 1s in transit / at rest). What moves between the three panels is the middle of the stack: for infrastructure services the customer owns operating system, network and firewall configuration, server-side encryption (file system and/or data) and network traffic protection (encryption / integrity / identity); for container services the operating system and network configuration are managed by AWS and the customer keeps firewall configuration and network traffic protection; for abstract services network traffic protection (protection of data in transit) and server-side encryption (protection of data at rest) are provided by the platform.]
Set a standard to follow
1. Map your infrastructure against control frameworks:
   1. NIST
   2. PCI
   3. CIS Benchmark
   4. CJIS
   5. HIPAA
CIS example
Example: OSS validation for CIS AWS Foundation Framework

$ git clone https://github.com/awslabs/aws-security-benchmark.git
$ cd aws-security-benchmark/aws_cis_foundation_framework
$ python aws-cis-foundation-benchmark-checklist.py

Report this way… or this… or maybe just this:

{"Failed": ["1.3", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9", "1.10", "1.11", "1.14", "1.16",
            "1.22", "1.23", "2.2", "2.4", "2.5", "2.6", "2.6", "2.8", "3.1", "3.2", "3.3", "3.4", "3.5",
            "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "etc"]}

Control output based on the consumer of the data and on post-processing of the result.
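The slide leaves the post-processing step to the reader. The following is an added example (not code from the deck or from the aws-security-benchmark project) that takes the `{"Failed": [...]}` output shown above, de-duplicates and validates the control IDs, groups them by CIS section and produces a single result that can feed both a pass/fail gate and a human summary. The section names are assumed from the CIS AWS Foundations Benchmark v1.x layout; the sample output string is constructed.

```python
"""Post-process the JSON emitted by a CIS benchmark checklist run.

Added example, not part of the aws-security-benchmark project: it groups
failed control IDs by CIS section and produces one report that can feed
a ticket, a dashboard, or a pass/fail gate in a pipeline.
"""
import json
from collections import defaultdict

# Section names of the CIS AWS Foundations Benchmark v1.x (assumption for
# the labels; the control numbers themselves come from the slide output).
SECTIONS = {
    "1": "Identity and Access Management",
    "2": "Logging",
    "3": "Monitoring",
    "4": "Networking",
}

# Constructed sample in the shape shown on the slide (note the duplicate
# "2.6" and the non-numeric "etc", both of which the parser must survive).
SAMPLE_OUTPUT = '{"Failed":["1.3", "1.4", "2.2", "2.6", "2.6", "3.1", "3.2", "3.12", "etc"]}'


def parse_failed(raw):
    """Return the sorted, de-duplicated list of failed control IDs.

    Entries that are not of the form <section>.<number> are dropped and
    duplicates collapse to one; sorting is numeric, so 3.2 precedes 3.12.
    """
    failed = json.loads(raw).get("Failed", [])
    ids = set()
    for item in failed:
        parts = item.split(".")
        if len(parts) == 2 and all(p.isdigit() for p in parts):
            ids.add(item)
    return sorted(ids, key=lambda s: tuple(int(p) for p in s.split(".")))


def group_by_section(control_ids):
    """Map section name -> list of failed control IDs in that section."""
    grouped = defaultdict(list)
    for cid in control_ids:
        section = cid.split(".")[0]
        grouped[SECTIONS.get(section, "Section " + section)].append(cid)
    return dict(grouped)


def summarize(raw, fail_threshold=0):
    """Produce one report with both a machine gate and a human summary.

    fail_threshold is the number of failed controls tolerated before the
    run is marked non-compliant; 0 means any failure fails the gate.
    """
    ids = parse_failed(raw)
    grouped = group_by_section(ids)
    worst = max(grouped, key=lambda k: len(grouped[k])) if grouped else None
    return {
        "compliant": len(ids) <= fail_threshold,
        "failed_count": len(ids),
        "by_section": grouped,
        "worst_section": worst,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_OUTPUT), indent=2))
```

The gate (`compliant`) is what a CI job or a daily scheduled run would check; the per-section grouping is what a person reads, which is the point of separating the output format from its consumer.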
Goals
• Supplement active security events with automation
  - Automation doesn’t sleep, eat, or need coffee in the morning
• Prevent bad configurations before they are implemented
• Autocorrect / remediate violations where possible
• Daily / instant benchmark validation of infrastructure
  - Validate against industry frameworks
  - Extend to remediation
OSS code to learn from
git-secrets – Prevents you from committing passwords and other sensitive information to a git repository
aws-security-benchmark – Benchmark scripts mapped against trusted security frameworks
aws-config-rules – [Node, Python, Java] Repository of sample custom rules for AWS Config
Netflix/security_monkey – Monitors policy changes and alerts on insecure configurations in an AWS account
Netflix/edda – Edda is a service to track changes in your cloud deployments
ThreatResponse – Open Source Security Suite for hardening and responding in AWS
CloudSploit – Capturing things like open security groups, misconfigured VPCs, and more
Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure
Capitalone/cloud-custodian – Rules engine for AWS fleet management
Amazon EC2 Systems Manager
Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store, Documents
Data flow example
[Figure: client → AWS API → Systems Manager Run Command → Amazon EC2; the API call is recorded by AWS CloudTrail and delivered to an Amazon S3 bucket in the Security account.]
Automatic remediation
[Figure: Amazon GuardDuty → Amazon CloudWatch Events → AWS Lambda function]

import boto3
import json


def lambda_handler(event, context):
    # Invoked by a CloudWatch Events rule for GuardDuty findings; the
    # finding type is carried in event['detail']['type']
    try:
        if event['detail']['type'] in ['Backdoor:EC2/C&CActivity.B!DNS']:
            response = '<do something here>'  # remediation step goes here
    except Exception as e:
        print(e)
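The slide's handler stops at "<do something here>". As an added example (not the deck's code), the following fills that gap with a conservative containment step: when a handled finding type arrives with high enough severity for an EC2 instance, the instance is moved into an empty quarantine security group. The quarantine group ID is a hypothetical placeholder, the handled-type list and severity floor are assumptions, and boto3 is imported only when an action is actually executed so the decision logic runs offline.

```python
"""Lambda handler for GuardDuty findings delivered by CloudWatch Events.

Added example, not the deck's code: decision logic is kept separate from
the AWS call so it can be tested without credentials.
"""
import json

# Finding types this function is willing to act on: the slide's example
# plus a second C&C-activity variant. Extend deliberately, not blindly.
HANDLED_TYPES = {
    "Backdoor:EC2/C&CActivity.B!DNS",
    "Backdoor:EC2/C&CActivity.B",
}
# Hypothetical placeholder: a security group with no ingress/egress rules.
QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"
MIN_SEVERITY = 7.0  # GuardDuty: low < 4, medium 4-6.9, high >= 7


def plan_remediation(event):
    """Decide what to do for one CloudWatch Events GuardDuty event.

    Returns a dict describing the action, or None when the event should be
    ignored (wrong event type, unhandled finding, low severity, or the
    affected resource is not an EC2 instance).
    """
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event.get("detail", {})
    if detail.get("type") not in HANDLED_TYPES:
        return None
    if float(detail.get("severity", 0)) < MIN_SEVERITY:
        return None
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if not instance_id:
        return None
    return {
        "action": "quarantine",
        "instance_id": instance_id,
        "finding_id": detail.get("id"),
        "finding_type": detail["type"],
    }


def apply_quarantine(instance_id, sg_id=QUARANTINE_SG):
    """Replace the instance's security groups with the quarantine group."""
    import boto3  # deferred so the module imports without boto3 installed
    ec2 = boto3.client("ec2")
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])


def lambda_handler(event, context):
    plan = plan_remediation(event)
    if plan is None:
        return {"status": "ignored"}
    try:
        apply_quarantine(plan["instance_id"])
        plan["status"] = "applied"
    except Exception as exc:  # log and surface; never swallow silently
        print("remediation failed: %s" % exc)
        plan["status"] = "failed"
    print(json.dumps(plan))
    return plan


# Constructed sample event in the shape CloudWatch Events delivers.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "id": "finding-id-placeholder",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}
```

Quarantining rather than terminating preserves the instance for forensics; the handler also returns a structured plan so the same function can be run in a dry-run mode by a pipeline that never calls `apply_quarantine`.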
Data flow example
[Figure: client or Lambda function → AWS API → Systems Manager Run Command → Amazon EC2.]
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to Amazon CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Fields in a flow log record: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject.
VPC Flow Logs: Automation
[Figure: the Flow Logs group in CloudWatch Logs feeds a metric filter on all SSH REJECT records; a CloudWatch alarm fires "If SSH REJECT > 10, then…" into Amazon SNS, and AWS Lambda acts on the source IP. The traffic in the example targets the Elastic Network Interface of a compliance app in a private subnet.]
Let’s go even further
Security threats via IP ranges
[Figure: a Lambda function in the Security account publishes IP-threats.json (entries such as 1.2.3.4/32) to an Amazon S3 bucket; Amazon SNS fans the update out to Lambda functions in Account A and Account B, which apply the listed ranges to the SG-ALB security group.]
Port scanning? Use the API instead
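The two slides above describe a metric filter on SSH REJECT records, an alarm at more than 10 hits, and a Lambda that emits an IP-threats.json list. The following added example (not the deck's code) reproduces that chain offline: it parses default-format VPC flow log records, applies the filter, counts rejects per source address and produces the threat list as /32 entries. The threshold, the JSON shape of IP-threats.json and the sample records are assumptions or constructed.

```python
"""Count SSH REJECT records per source IP in VPC Flow Logs and emit a
threat list. Added example (not the deck's code) that does in plain
Python what the slide builds from a CloudWatch Logs metric filter, a
CloudWatch alarm and a Lambda function writing IP-threats.json.
"""
import json
from collections import Counter

# Field order of a default (version 2) flow log record, space separated.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
SSH_PORT = 22
TCP = 6
THRESHOLD = 10  # assumption: alarm when the REJECT count exceeds this


def parse_record(line):
    """Parse one flow log record into a dict; None for malformed lines
    and for NODATA / SKIPDATA records, whose numeric fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return rec


def is_ssh_reject(rec):
    """The slide's metric filter: every rejected TCP/22 record."""
    return (rec["action"] == "REJECT" and int(rec["protocol"]) == TCP
            and int(rec["dstport"]) == SSH_PORT)


def count_ssh_rejects(lines):
    """Source address -> number of rejected SSH attempts."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and is_ssh_reject(rec):
            counts[rec["srcaddr"]] += 1
    return counts


def threat_list(lines, threshold=THRESHOLD):
    """Addresses over the alarm threshold as /32 entries, in an assumed
    IP-threats.json shape."""
    over = {ip for ip, n in count_ssh_rejects(lines).items() if n > threshold}
    return {"threats": sorted(ip + "/32" for ip in over)}


def make_sample_lines():
    """Constructed sample: 12 rejected SSH probes from 1.2.3.4, two from
    10.1.5.9 (below threshold), one accepted SSH session, one NODATA."""
    tmpl = ("2 123456789012 eni-abc123 {src} 10.1.2.7 {sport} 22 6 1 60 "
            "1500000000 1500000060 {act} OK")
    lines = [tmpl.format(src="1.2.3.4", sport=40000 + i, act="REJECT") for i in range(12)]
    lines += [tmpl.format(src="10.1.5.9", sport=50000 + i, act="REJECT") for i in range(2)]
    lines.append(tmpl.format(src="10.1.5.9", sport=50100, act="ACCEPT"))
    lines.append("2 123456789012 eni-abc123 - - - - - - - 1500000000 1500000060 - NODATA")
    return lines


if __name__ == "__main__":
    print(json.dumps(threat_list(make_sample_lines()), indent=2))
```

The NODATA record is the edge case worth keeping: it carries dashes in the numeric fields and would raise on `int()` if not filtered on `log_status` first. In production the counting happens in the CloudWatch metric filter and the alarm, and only the list-writing step runs in Lambda.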
Internal application to VPC
[Figure: internal customers on the customer network reach intranet apps in private subnets in Availability Zones A and B of an AWS Region over a VPN connection that terminates on a Virtual Private Gateway.]
Private route table:
Destination    Target
10.1.0.0/16    Local
Corp CIDR      VGW
You really don’t want to do this:
[Figure: the same VPC has no direct path to Amazon S3, so S3 traffic goes back over the customer VPN to the customer border router and out to the Internet from the customer network.]
So do this instead:
[Figure: the VPC (intranet apps in private subnets, VPN connection to the customer network) reaches Amazon S3 through a VPC endpoint.]
VPC Endpoints
• No IGW
• No NAT
• No public IPs
• Free
• Robust access control
Endpoints in action
[Figure: intranet apps and the compliance app in private subnets of the VPC reach their services through two endpoints, VPCE1 (Compliance) and VPCE2 (Backups), with the VPN to the customer network unchanged.]
AWS PrivateLink
Share AWS, customer and partner services privately between VPCs and on-premises networks. Secure. Scalable. Reliable.
[Figure: a service VPC exposes a service behind a Network Load Balancer; Client VPC 1, 2 and 3 each reach it through a VPC Endpoint, and on-premises resources reach it over AWS Direct Connect.]
AWS Config Rules
• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes
[Figure: AWS Config Rule → Amazon CloudWatch Rule → AWS Lambda, which 1. deletes the security group change and 2. locks the user’s account.]
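The slide says to author custom rules with Lambda but shows no rule body. The following added example (not the deck's code) is a custom Config rule that evaluates a security group configuration item and reports NON_COMPLIANT when SSH (22) or RDP (3389) is reachable from 0.0.0.0/0 or ::/0, the kind of change the figure's remediation step would then undo. The restricted port list is an assumption, the configuration item field names follow the camelCase layout Config uses for security groups, and the sample item is constructed.

```python
"""Custom AWS Config rule, as a Lambda handler, that flags security groups
exposing a restricted port to the whole Internet. Added example, not the
deck's code. Config passes invokingEvent as a JSON string holding the
configurationItem; the verdict goes back through put_evaluations.
"""
import json

RESTRICTED_PORTS = {22, 3389}      # assumption: SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}


def open_to_world(rule):
    """True if one ipPermissions entry exposes a restricted port to any IP."""
    cidrs = [r.get("cidrIp") for r in rule.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
    if not any(c in ANYWHERE for c in cidrs):
        return False
    if rule.get("ipProtocol") == "-1":  # all traffic, every port
        return True
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in RESTRICTED_PORTS)


def evaluate_security_group(config_item):
    """Return (compliance_type, annotation) for one configurationItem."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    cfg = config_item.get("configuration", {})
    bad = [r for r in cfg.get("ipPermissions", []) if open_to_world(r)]
    if bad:
        ports = sorted({r.get("fromPort", "all") for r in bad}, key=str)
        return "NON_COMPLIANT", "world-reachable restricted ports: %s" % ports
    return "COMPLIANT", "no restricted port open to 0.0.0.0/0"


def lambda_handler(event, context):
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, note = evaluate_security_group(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    import boto3  # deferred so the evaluation logic runs without boto3
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed configurationItem: SSH open to the world, HTTPS from a /16.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2018-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "10.1.0.0/16"}], "ipv6Ranges": []},
    ]},
}
```

The `ipProtocol == "-1"` branch matters: an "all traffic from anywhere" rule has no port range at all, and a check that only inspects `fromPort`/`toPort` would pass it as compliant.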
AWS CloudTrail
Web service that records AWS API calls for your account and delivers logs.
Who?    When?    What?                      Where to?   Where from?
Bill    3:27pm   Launch Instance            us-west-2   72.21.198.64
Alice   8:19am   Added Bob to admin group   us-east-1   127.0.0.1
Steve   2:22pm   Deleted DynamoDB table     eu-west-1   205.251.233.176
Access Advisor is cool, but today it’s GUI access only. Query CloudTrail data for the target user or role with Athena:

select useridentity.sessioncontext.sessionIssuer.userName as uid, eventsource, eventname
from cloudtrail_logs
where useridentity.sessioncontext.sessionIssuer.userName = 'target-name'
group by useridentity.sessioncontext.sessionIssuer.userName, eventsource, eventname

https://github.com/Netflix-Skunkworks/aardvark
https://github.com/Netflix/Repokid
[Figure: event-based response: event → Amazon CloudWatch Events]
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to Execution (SEC313)
https://youtu.be/x4GkAGe65vE
Adversary vs. Responder
Adversary: calls cloudtrail:StopLogging. CloudTrail records the call and CloudWatch Events emits an event matching this rule pattern:
{
  "detail-type": [ "AWS API Call via CloudTrail" ],
  "detail": {
    "eventSource": [ "cloudtrail.amazonaws.com" ],
    "eventName": [ "StopLogging" ]
  }
}
Responder: the rule’s target calls cloudtrail.start_logging to turn the trail back on.
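The responder side of the slide, written out as an added example (not the deck's code): a Lambda function targeted by the rule above extracts the trail from the StopLogging call and re-enables it with `start_logging`. The event shape is what CloudWatch Events delivers for "AWS API Call via CloudTrail" (the CloudTrail record sits under `detail`), the sample event is constructed, and boto3 is imported only at the point of the AWS call so the parsing can be exercised offline.

```python
"""Responder for the StopLogging event pattern on the slide. Added
example, not the deck's code: CloudWatch Events matches the CloudTrail
API call, invokes this function, and the trail is switched back on.
"""
import json


def trail_from_event(event):
    """Return the trail name or ARN from an 'AWS API Call via CloudTrail'
    event for cloudtrail:StopLogging, or None for any other event."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    detail = event.get("detail", {})
    if detail.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    if detail.get("eventName") != "StopLogging":
        return None
    # StopLogging takes the trail name or ARN as its "name" parameter
    return (detail.get("requestParameters") or {}).get("name")


def actor_from_event(event):
    """Who made the call: recorded for the alert and for any follow-up
    review of that principal's credentials."""
    ident = event.get("detail", {}).get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId")


def restart_logging(trail_name):
    """The slide's cloudtrail.start_logging step."""
    import boto3  # deferred import
    boto3.client("cloudtrail").start_logging(Name=trail_name)


def lambda_handler(event, context):
    trail = trail_from_event(event)
    if trail is None:
        return {"status": "ignored"}
    restart_logging(trail)
    result = {"status": "restarted", "trail": trail,
              "actor": actor_from_event(event)}
    print(json.dumps(result))
    return result


# Constructed sample in the shape CloudWatch Events delivers for API calls.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {
            "name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"},
    },
}
```

Re-enabling the trail is the fast, automatic part; the `actor` field is what the alert to a human should carry, because the same principal can simply stop logging again unless its access is reviewed.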
Restrict an IAM role to a region
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs", "ec2:DescribeInstances", "ec2:DescribeImages",
        "ec2:DescribeKeyPairs", "rds:Describe*", "iam:ListRolePolicies", "iam:ListRoles",
        "iam:GetRole", "iam:ListInstanceProfiles", "iam:AttachRolePolicy", "lambda:GetAccountSettings"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:RunInstances", "rds:CreateDBInstance", "rds:CreateDBCluster",
                  "lambda:CreateFunction", "lambda:InvokeFunction" ],
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:RequestedRegion": "us-east-1" } }
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": "arn:aws:iam::account-id:role/Please-use-a-specific-role"
    }
  ]
}
Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground-up to support DevSecOps
• Automatable via APIs
• Integrates with CI/CD tools
• On-Demand Pricing model
• Static & Dynamic Rules Packages
• Generates Findings
Assessments and results
Amazon Inspector Rules
• Rules packages
• Common vulnerabilities & exposures
• Center for Internet Security (CIS) Benchmarks
• Security best practices
• Runtime behavior analysis
Amazon Inspector security best practices
• Authentication
• Network security
• Operating system
• Application security
• Disable root login over SSH
• Password complexity
• Permissions for system directories
• Secure protocols
• Data execution prevention enabled
Example Corp.
[Figure: AWS Organizations for Example Corp.: Compliance accounts (HIPAA, PCI) and Research accounts (Clinical, Non-Clinical), holding accounts A, B, C, D, E and F.]
OCP supported in Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are accessible
  - Define the list of APIs that are allowed – whitelisting
  - Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions
• Must be used in unison with IAM policy
• IAM policy simulator is SCP aware

Blacklisting example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "redshift:*",
      "Resource": "*"
    }
  ]
}

Whitelisting example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
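The intersection rule above is the part people get wrong, so here is an added example (not the deck's code) that applies it to the two SCPs on the slide: a simplified evaluator for Action-only statements with wildcards, in which an action is allowed only if the SCP allows it (with no SCP Deny matching) and the IAM policy allows it (with no IAM Deny matching). Resource and Condition matching, and the rest of the real IAM evaluation logic, are deliberately out of scope; the "local administrator" IAM policy is constructed.

```python
"""Simplified 'effective permission = SCP ∩ IAM policy' evaluator.
Added example, not the deck's code; Action-only statements, no Resource
or Condition evaluation.
"""
import fnmatch

# The two SCPs shown on the slide.
BLACKLIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"},
]}
WHITELIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [
        "ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeImages",
        "ec2:DescribeKeyPairs", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"], "Resource": "*"},
]}
# Constructed IAM policy of a 'local administrator' in a member account.
ADMIN_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}


def _actions(statement):
    """Normalise Action (string or list) to a list of patterns."""
    act = statement.get("Action", [])
    return [act] if isinstance(act, str) else list(act)


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policy, action):
    """'deny' if an explicit Deny matches, 'allow' if any Allow matches,
    otherwise 'implicit_deny'. Explicit Deny wins over any Allow."""
    decision = "implicit_deny"
    for st in policy.get("Statement", []):
        if any(_matches(p, action) for p in _actions(st)):
            if st.get("Effect") == "Deny":
                return "deny"
            decision = "allow"
    return decision


def effective_allowed(scp, iam_policy, action):
    """The slide's rule: the resultant permission is the intersection of
    what the SCP allows and what the IAM policy allows."""
    return (policy_decision(scp, action) == "allow"
            and policy_decision(iam_policy, action) == "allow")


if __name__ == "__main__":
    for scp_name, scp in (("blacklist", BLACKLIST_SCP), ("whitelist", WHITELIST_SCP)):
        for action in ("ec2:RunInstances", "redshift:CreateCluster", "s3:GetObject"):
            print(scp_name, action, effective_allowed(scp, ADMIN_IAM, action))
```

Run it and the two slide bullets fall out of the table: an account administrator with `"Action": "*"` still cannot call Redshift under the blacklist SCP, and under the whitelist SCP can call nothing but the seven listed EC2 APIs, which is why the SCP must be used together with IAM rather than instead of it.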
Security Audit account
[Figure: a user in the Security account, holding an MFA token and a long-term security credential, assumes a read-only Audit role into Account A and Account B and runs ec2 describe-instances, ec2 describe-security-groups, … . Each account delivers AWS CloudTrail log data to Amazon S3 and CloudWatch alarms to an Amazon SNS topic; log analysis runs on Amazon EC2.]
Example Corp.
[Figure: the same organization (Compliance accounts HIPAA and PCI, Research accounts Clinical and Non-Clinical, accounts A–F) with a separate Security account holding the read-only Audit role.]
GuardDuty account relationships
• Adding accounts to the service is simple and done via the console or API
• Invites accepted from an account will be designated as “Member” accounts. The requestor will be the “Master” account
[Figure: Master account linked to Member account 1 … Member account 1000 (max).]
Master account can do the following to all accounts:
• Generate sample findings
• Configure and view/manage findings
• Suspend GuardDuty service
• Upload and manage trusted IP and threat IP lists (coming soon!)
The master account can only disable its own account; member accounts must all be removed first, and by the member account.
Member account actions and visibility are limited to the member account.
Each account is billed separately.
Enforce consistency (from → to): AWS CloudFormation + AWS Organizations
That’s just the first part
Default security group example
[Figure: Account A and Security Account B; an AWS CloudFormation stack built from templates in Amazon S3, with three AWS Lambda functions.]
AWS Service Catalog
…allows organizations to create and manage catalogs of IT services and software on AWS.
Organizations get: Standardize, Control, Govern. Developers get: Agility, Self-service, Time to market.
AWS Landing Zone
https://aws.amazon.com/answers/aws-landing-zone/
Why use AWS Service Catalog? Use cases:
• Control AWS provisioning (cost, security, governance)
• Self-service portal – one-stop shop
• Standardized deployments
• Version control for AWS users
• Enforce governance and compliance proactively
• Integrate with ITSM tools
• Centrally manage IT service lifecycle
Summary
Submit Session Feedback
1. Tap the Schedule icon.
2. Select the session you attended.
3. Tap Session Evaluation to submit your feedback.
Thank you!
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWS
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS Security
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 

Mehr von Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mehr von Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Secure your AWS Account and your Organization's Accounts

  • 1. Secure Your AWS Account and Your Organization’s Accounts (SID202). Brad Dispensa, Specialist, Security / Compliance, AWS Public Sector. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 2.
  • 3. What is going on here? You want to know:
      • How can I better secure my AWS environment?
      • How can I make sure all the accounts in our organization are following the rules?
      • How can I detect threats in one or many accounts?
      • What tools should I be using?
      • How can I know that new accounts are secure by default?
  • 4.
  • 5.
  • 6. Shared responsibility model (diagram, shown for infrastructure services, container services and abstract services). Managed by Amazon Web Services: AWS global infrastructure (regions, availability zones, edge locations), foundation services (compute, storage, databases, networking), AWS endpoints and AWS IAM. Managed by AWS customers: customer data; platform and application management; operating system, network and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption / integrity / identity); customer IAM. Optional: opaque data, 0s & 1s (in transit / at rest). For some service categories the platform provides server-side encryption (protection of data at rest) and network traffic protection (protection of data in transit).
  • 7. Set a standard to follow
      1. Map your infrastructure against control frameworks:
         1. NIST
         2. PCI
         3. CIS Benchmark
         4. CJIS
         5. HIPAA
  • 8. CIS example. Example: OSS validation for the CIS AWS Foundation Framework
      $ git clone https://github.com/awslabs/aws-security-benchmark.git
      $ cd aws-security-benchmark/aws_cis_foundation_framework
      $ python aws-cis-foundation-benchmark-checklist.py
  • 11. Or maybe just this:
      {"Failed":["1.3", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9", "1.10", "1.11", "1.14", "1.16", "1.22", "1.23", "2.2", "2.4", "2.5", "2.6", "2.6", "2.8", "3.1", "3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "etc"]}
  • 12. Or maybe just this:
      {"Failed":["1.3", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9", "1.10", "1.11", "1.14", "1.16", "1.22", "1.23", "2.2", "2.4", "2.5", "2.6", "2.6", "2.8", "3.1", "3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "etc"]}
      Control the output based on the consumer of the data and the post-processing of the result
  • 13. Goals
      • Supplement active security events with automation
        • Automation doesn’t sleep, eat, or need coffee in the morning
      • Prevent bad configurations before they are implemented
      • Autocorrect / remediate violations where possible
      • Daily / instant benchmark validation of infrastructure
        • Validate against industry frameworks
        • Extend to remediation
  • 14. OSS code to learn from
      • git-secrets – Prevents you from committing passwords and other sensitive information to a git repository
      • aws-security-benchmark – Benchmark scripts mapped against trusted security frameworks
      • aws-config-rules – [Node, Python, Java] Repository of sample custom rules for AWS Config
      • Netflix/security_monkey – Monitors policy changes and alerts on insecure configurations in an AWS account
      • Netflix/edda – Edda is a service to track changes in your cloud deployments
      • ThreatResponse – Open Source Security Suite for hardening and responding in AWS
      • CloudSploit – Capturing things like open security groups, misconfigured VPCs, and more
      • Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure
      • Capitalone/cloud-custodian – Rules engine for AWS fleet management
  • 15.
  • 16.
  • 17. Amazon EC2 Systems Manager: Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store, Documents
  • 18.
  • 19. Amazon EC2 Systems Manager: Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store, Documents
  • 20. Amazon EC2 Systems Manager Run Command
  • 21.
  • 22.
  • 23. Run Command data flow example (diagram). Elements: client, AWS API, Amazon EC2, AWS CloudTrail, Amazon S3 bucket in the security account
  • 24.
  • 25.
  • 27. Automatic remediation (diagram): Amazon GuardDuty finding, Amazon CloudWatch Events rule, AWS Lambda function
  • 28.
  • 29. GuardDuty finding handler (placeholder remediation):
      import boto3
      import json

      def lambda_handler(event, context):
          try:
              # CloudWatch Events delivers the GuardDuty finding under event['detail'];
              # 'type' is the finding type, e.g. Backdoor:EC2/C&CActivity.B!DNS
              if event['detail']['type'] in ['Backdoor:EC2/C&CActivity.B!DNS']:
                  response = '<do something here>'
          except Exception as e:
              print(e)
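A fuller version of that handler, added here as an example and not code from the deck: it reads the finding type and the EC2 instance out of the GuardDuty event and isolates the instance by moving it into an empty quarantine security group, leaving it running for forensics. The quarantine group ID (QUARANTINE_SG_ID), the FakeEC2 client and the sample event are assumptions constructed so the logic runs offline.

```python
import json
import os

# Added example: only these GuardDuty finding types trigger isolation; anything
# else is logged, so a noisy low-severity finding never takes a host offline.
REMEDIATE_TYPES = {
    "Backdoor:EC2/C&CActivity.B!DNS",
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
}

def extract_instance(finding):
    """Return (instance_id, vpc_id) from a GuardDuty finding, or (None, None)."""
    resource = finding.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None, None
    details = resource.get("instanceDetails", {})
    enis = details.get("networkInterfaces", [])
    vpc_id = enis[0].get("vpcId") if enis else None
    return details.get("instanceId"), vpc_id

def quarantine_instance(ec2, instance_id, quarantine_sg):
    """Swap every security group on the instance for the empty quarantine group.
    The instance keeps running (memory/disk stay available for forensics) but
    can no longer reach anything, including the C2 domain named in the finding."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.create_tags(  # leave a visible trail for the responder
        Resources=[instance_id],
        Tags=[{"Key": "SecurityStatus", "Value": "quarantined-by-lambda"}],
    )

def lambda_handler(event, context, ec2=None, quarantine_sg=None):
    """Entry point for a CloudWatch Events rule matching GuardDuty findings."""
    finding = event.get("detail", {})
    finding_type = finding.get("type", "")
    result = {"finding": finding.get("id"), "type": finding_type, "action": "none"}
    if finding_type not in REMEDIATE_TYPES:
        print(json.dumps(result))  # logged only
        return result
    instance_id, vpc_id = extract_instance(finding)
    if not instance_id:
        result["action"] = "skipped-no-instance"
        return result
    if ec2 is None:  # real Lambda path; offline runs inject a fake client
        import boto3
        ec2 = boto3.client("ec2")
    # Assumption: one empty security group per VPC, its ID in QUARANTINE_SG_ID.
    quarantine_sg = quarantine_sg or os.environ["QUARANTINE_SG_ID"]
    quarantine_instance(ec2, instance_id, quarantine_sg)
    result.update({"action": "quarantined", "instance": instance_id, "vpc": vpc_id})
    print(json.dumps(result))
    return result

class FakeEC2:
    """Records calls instead of talking to AWS (constructed for offline runs)."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))

# Constructed sample event in the shape CloudWatch Events delivers for GuardDuty.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0123456789abcdef0",
                "networkInterfaces": [{"vpcId": "vpc-0abc"}],
            },
        },
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, ec2=FakeEC2(), quarantine_sg="sg-quarantine"))
```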
  • 30. Run Command data flow example (diagram). Elements: client, AWS API, Amazon EC2, Lambda function
  • 31.
  • 32. VPC Flow Logs
      • Agentless
      • Enable per ENI, per subnet, or per VPC
      • Logged to Amazon CloudWatch Logs
      • Create CloudWatch metrics from log data
      • Alarm on those metrics
      Fields recorded: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, accept or reject
  • 33. VPC Flow Logs: Automation (diagram). Elements: Elastic Network Interface in a private subnet; Flow Logs group in CloudWatch Logs; metric filter (“Filter on all SSH REJECT”); CloudWatch alarm (“If SSH REJECT > 10, then…”); Amazon SNS; AWS Lambda compliance app keyed on the source IP
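The metric filter and alarm from slide 33, reproduced as an added example (not code from the deck) that runs offline: it parses VPC Flow Log records in the default version-2 format, counts rejected TCP/22 flows per source IP, and reports every source over the “SSH REJECT > 10” threshold. The log lines are constructed sample data.

```python
from collections import Counter, namedtuple

# Default (version 2) VPC Flow Log field order, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
FlowRecord = namedtuple("FlowRecord", FIELDS)

def parse_record(line):
    """Parse one flow-log line; return None for NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = FlowRecord(*parts)
    if rec.log_status != "OK":
        return None  # no traffic data in this record
    return rec

def is_ssh_reject(rec):
    """Equivalent of the CloudWatch metric filter: TCP to port 22 that was rejected."""
    return rec.protocol == "6" and rec.dstport == "22" and rec.action == "REJECT"

def ssh_reject_sources(lines, threshold=10):
    """Count SSH REJECTs per source IP and return those over the alarm threshold.
    Returns (Counter of all sources, sorted list of (srcaddr, count) that breached)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is not None and is_ssh_reject(rec):
            counts[rec.srcaddr] += 1
    breached = sorted((ip, n) for ip, n in counts.items() if n > threshold)
    return counts, breached

# Constructed sample records (RFC 5737 documentation addresses): 12 SSH rejects
# from 198.51.100.7, 2 from 203.0.113.9, one accepted HTTPS flow, one NODATA row.
SAMPLE_LOG = (
    ["2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 %d 22 6 1 40 1520000000 1520000060 REJECT OK"
     % (40000 + i) for i in range(12)]
    + ["2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51000 22 6 1 40 1520000000 1520000060 REJECT OK"] * 2
    + ["2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51001 443 6 10 8000 1520000000 1520000060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d - - - - - - - 1520000000 1520000060 - NODATA"]
)

if __name__ == "__main__":
    counts, breached = ssh_reject_sources(SAMPLE_LOG)
    for ip, n in breached:
        print("ALARM: %s rejected on tcp/22 %d times" % (ip, n))
```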
  • 34. Let’s go even further
  • 35. Security threats via IP ranges (diagram). Elements: IP-threats.json, SG-ALB, Amazon SNS, AWS Lambda
  • 36. (diagram) A security account’s Amazon S3 bucket holding the threat IP entry 1.2.3.4/32, which is applied in the member accounts (Account A, Account B)
  • 37.
  • 39. Use the API instead
  • 40.
  • 41. Internal application to VPC (diagram). The customer network with internal customers connects over a VPN connection to a Virtual Private Gateway in the AWS Region; intranet apps run in private subnets in Availability Zone A and Availability Zone B. Private route table:
          Destination   Target
          10.1.0.0/16   Local
          Corp CIDR     VGW
  • 42. You really don’t want to do this (diagram): the same VPC design, with the path to Amazon S3 running back over the customer VPN, through the customer border router and out across the Internet
  • 43. So do this instead (diagram): the same VPC design reaching Amazon S3 through VPC Endpoints
      • No IGW
      • No NAT
      • No public IPs
      • Free
      • Robust access control
  • 44. Endpoints in action (diagram). Elements: a VPC with private subnets running intranet apps and a compliance app; endpoints VPCE1 and VPCE2 reaching the Compliance and Backups destinations
  • 45. AWS PrivateLink: share AWS, customer and partner services privately between VPCs and on-premises networks. Secure. Scalable. Reliable. Diagram elements: on-premises resources over AWS Direct Connect; a service VPC behind a Network Load Balancer; Client VPC 1, Client VPC 2 and Client VPC 3, each with a VPC Endpoint
  • 46.
  • 47. AWS Config Rules
      • Set up rules to check configuration changes recorded
      • Use pre-built rules provided by AWS
      • Author custom rules using AWS Lambda
      • Invoked automatically for continuous assessment
      • Use the dashboard for visualizing compliance and identifying offending changes
  • 48.
  • 49.
  • 50.
  • 51. AWS Config Rule, Amazon CloudWatch Rule, AWS Lambda (diagram). Remediation steps: 1. Delete the security group change; 2. Lock the user’s account
  • 52. AWS CloudTrail: web service that records AWS API calls for your account and delivers logs
          Who?    When?    What?                       Where to?   Where from?
          Bill    3:27pm   Launch Instance             us-west-2   72.21.198.64
          Alice   8:19am   Added Bob to admin group    us-east-1   127.0.0.1
          Steve   2:22pm   Deleted DynamoDB table      eu-west-1   205.251.233.176
  • 53.
  • 54. Access Advisor is cool, but today it’s GUI access only
  • 55. Query CloudTrail data for the target user or role with Athena:
      SELECT useridentity.sessioncontext.sessionIssuer.userName AS uid,
             eventsource,
             eventname
      FROM cloudtrail_logs
      WHERE useridentity.sessioncontext.sessionIssuer.userName = 'target-name'
      GROUP BY useridentity.sessioncontext.sessionIssuer.userName, eventsource, eventname
  • 57. Event (event-based) with Amazon CloudWatch: Adversary and Responder (diagram). See AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to Execution (SEC313), https://youtu.be/x4GkAGe65vE
  • 59. CloudWatch Events event pattern (the Adversary side of the diagram):
      {
        "detail-type": [ "AWS API Call via CloudTrail" ],
        "detail": {
          "eventSource": [ "cloudtrail.amazonaws.com" ],
          "eventName": [ "StopLogging" ]
        }
      }
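An added example (not from the deck) implementing the CloudWatch Events pattern rules, so the StopLogging pattern above can be checked against constructed CloudTrail events offline. It also shows a broader detection pattern that adds DeleteTrail and UpdateTrail; that pattern, the sample events and the user names are assumptions beyond the slide.

```python
import json

def matches(pattern, event):
    """CloudWatch Events pattern semantics: every key in the pattern must exist
    in the event; a list means "any of these values"; a nested object recurses;
    event fields not named in the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:  # patterns match leaf values only
                return False
        else:
            raise ValueError("pattern values must be lists or objects: %r" % key)
    return True

# The pattern from slide 59: any CloudTrail API call that stops a trail.
STOP_LOGGING_PATTERN = json.loads("""
{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["cloudtrail.amazonaws.com"],
    "eventName": ["StopLogging"]
  }
}""")

# Broader defensive pattern (assumption): also catch a trail being deleted or altered.
TRAIL_TAMPER_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"],
    },
}

def cloudtrail_event(event_name, source="cloudtrail.amazonaws.com", user="alice"):
    """Construct an event in the shape CloudWatch Events delivers for CloudTrail."""
    return {
        "version": "0",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.cloudtrail",
        "region": "us-east-1",
        "detail": {
            "eventSource": source,
            "eventName": event_name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": {"name": "org-trail"},
        },
    }

def triage(events, pattern=TRAIL_TAMPER_PATTERN):
    """Return the (userName, eventName) pairs that would fire the rule."""
    return [(e["detail"]["userIdentity"]["userName"], e["detail"]["eventName"])
            for e in events if matches(pattern, e)]

# Constructed sample events: two trail-tampering calls by "bob", a harmless
# read by "alice", and a StopLogging name under the wrong eventSource.
SAMPLE_EVENTS = [
    cloudtrail_event("StopLogging", user="bob"),
    cloudtrail_event("DescribeTrails"),
    cloudtrail_event("DeleteTrail", user="bob"),
    cloudtrail_event("StopLogging", source="guardduty.amazonaws.com"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, STOP_LOGGING_PATTERN))
    print(triage(SAMPLE_EVENTS))
```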
  • 61.
  • 62. Restrict an IAM role to a region
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:DescribeAccountAttributes",
              "ec2:DescribeAvailabilityZones",
              "ec2:DescribeInternetGateways",
              "ec2:DescribeSecurityGroups",
              "ec2:DescribeSubnets",
              "ec2:DescribeVpcAttribute",
              "ec2:DescribeVpcs",
              "ec2:DescribeInstances",
              "ec2:DescribeImages",
              "ec2:DescribeKeyPairs",
              "rds:Describe*",
              "iam:ListRolePolicies",
              "iam:ListRoles",
              "iam:GetRole",
              "iam:ListInstanceProfiles",
              "iam:AttachRolePolicy",
              "lambda:GetAccountSettings"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "ec2:RunInstances",
              "rds:CreateDBInstance",
              "rds:CreateDBCluster",
              "lambda:CreateFunction",
              "lambda:InvokeFunction"
            ],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}
          },
          {
            "Effect": "Allow",
            "Action": [ "iam:PassRole" ],
            "Resource": "arn:aws:iam::account-id:role/Please-use-a-specific-role"
          }
        ]
      }
  • 63.
  • 64. Amazon Inspector
      • Vulnerability assessment service
      • Built from the ground up to support DevSecOps
      • Automatable via APIs
      • Integrates with CI/CD tools
      • On-demand pricing model
      • Static & dynamic rules packages
      • Generates findings
  • 66.
  • 67. Amazon Inspector rules
      • Rules packages
        • Common vulnerabilities & exposures
        • Center for Internet Security (CIS) Benchmarks
        • Security best practices
        • Runtime behavior analysis
  • 68. Amazon Inspector security best practices
      Areas: authentication; network security; operating system; application security
      Example checks: disable root login over SSH; password complexity; permissions for system directories; secure protocols; data execution prevention enabled
  • 69.
  • 70.
  • 71.
  • 72.
  • 73.
  • 74.
  • 76. OCP supported in Service Control Policies (SCPs)
      • Enables you to control which AWS service APIs are accessible
        - Define the list of APIs that are allowed – whitelisting
        - Define the list of APIs that must be blocked – blacklisting
      • Cannot be overridden by a local administrator
      • Resultant permission on an IAM user/role is the intersection between the SCP and the assigned IAM permissions
      • Must be used in unison with IAM policy
      • IAM policy simulator is SCP aware
  • 77. Blacklisting example:
      {
        "Version": "2012-10-17",
        "Statement": [
          { "Effect": "Allow", "Action": "*", "Resource": "*" },
          { "Effect": "Deny", "Action": "redshift:*", "Resource": "*" }
        ]
      }
      Whitelisting example:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:RunInstances",
              "ec2:DescribeInstances",
              "ec2:DescribeImages",
              "ec2:DescribeKeyPairs",
              "ec2:DescribeVpcs",
              "ec2:DescribeSubnets",
              "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
          }
        ]
      }
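An added example (not from the deck) that evaluates an SCP and an IAM policy together to show the intersection rule from slide 76, using the two SCPs above and an abbreviated version of the region-restricted policy from slide 62. The evaluator and its simplifications (action names and the aws:RequestedRegion StringEquals condition only; no resource ARNs, NotAction or other operators) and the extra redshift:* grant in the IAM policy are assumptions.

```python
from fnmatch import fnmatchcase

def action_matches(pattern, action):
    """IAM action names are case-insensitive and '*' is the only wildcard."""
    return fnmatchcase(action.lower(), pattern.lower())

def condition_ok(statement, context):
    """Only StringEquals is modelled; every listed key must match the request context."""
    for key, value in statement.get("Condition", {}).get("StringEquals", {}).items():
        wanted = value if isinstance(value, list) else [value]
        if context.get(key) not in wanted:
            return False
    return True

def evaluate(policy, action, context):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    decision = "Implicit"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(action_matches(p, action) for p in actions):
            continue
        if not condition_ok(st, context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision

def is_allowed(scp, iam_policy, action, context):
    """Allowed only when BOTH the SCP and the IAM policy allow and neither denies."""
    return (evaluate(scp, action, context) == "Allow"
            and evaluate(iam_policy, action, context) == "Allow")

BLACKLIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"}]}

WHITELIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeImages",
        "ec2:DescribeKeyPairs", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"]}]}

# Slide 62's role policy, abbreviated, plus an assumed redshift:* grant to show
# the SCP overriding what a local administrator granted in IAM.
REGION_LOCKED_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeInstances", "ec2:DescribeImages", "rds:Describe*", "redshift:*"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:RunInstances", "rds:CreateDBInstance", "lambda:CreateFunction"],
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}

def decision_table():
    """Worked cases: (SCP name, action, requested region) -> allowed?"""
    cases = [
        ("blacklist", "ec2:RunInstances", "us-east-1"),
        ("blacklist", "ec2:RunInstances", "eu-west-1"),       # IAM condition fails
        ("blacklist", "rds:CreateDBInstance", "us-east-1"),
        ("whitelist", "rds:CreateDBInstance", "us-east-1"),   # SCP never allows rds
        ("blacklist", "redshift:CreateCluster", "us-east-1"), # SCP Deny wins over IAM
        ("whitelist", "ec2:DescribeInstances", "ap-south-1"),
    ]
    scps = {"blacklist": BLACKLIST_SCP, "whitelist": WHITELIST_SCP}
    return {(s, a, r): is_allowed(scps[s], REGION_LOCKED_IAM, a, {"aws:RequestedRegion": r})
            for s, a, r in cases}

if __name__ == "__main__":
    for key, allowed in decision_table().items():
        print(key, "->", "ALLOW" if allowed else "DENY")
```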
  • 78. Security audit account (diagram). Elements: Account A and Security Account B; a read-only audit user in the security account calling ec2 describe-instances, ec2 describe-security-groups, …; AWS CloudTrail log data delivered to Amazon S3; Amazon CloudWatch alarms publishing to Amazon SNS topics; MFA token and long-term security credential; log analysis on Amazon EC2
  • 79. Example Corp. (diagram): compliance accounts (HIPAA, PCI) and research accounts (clinical, non-clinical), accounts A through F, with a security account holding read-only audit access
  • 80.
  • 81. GuardDuty account relationships
      • Adding accounts to the service is simple and done via the console or API
      • Invites accepted from an account will be designated as “Member” accounts. The requestor will be the “Master” account
      • Master account (with member accounts 1 … 1000 max) can do the following to all accounts:
        • Generate sample findings
        • Configure and view/manage findings
        • Suspend the GuardDuty service
        • Upload and manage trusted IP and threat IP lists (coming soon!)
      • The master can only disable its own account; member accounts must all be removed first, and by the member account
      • Member account actions and visibility are limited to the member account
      • Each account is billed separately
  • 84. AWS CloudFormation + AWS Organizations
  • 85.
  • 86.
  • 87.
  • 88.
  • 89. That’s just the first part
  • 90. Default security group example (diagram). Elements: Account A and Security Account B; AWS CloudFormation stack; templates in Amazon S3; AWS Lambda functions
  • 91.
  • 92.
  • 93. Default security group example (diagram, as on slide 90)
  • 94.
  • 95. AWS Service Catalog …allows organizations to create and manage catalogs of IT services and software on AWS. For organizations: standardize, control, govern. For developers: agility, self-service, time to market
  • 96. AWS Landing Zone: https://aws.amazon.com/answers/aws-landing-zone/
  • 97. Why use AWS Service Catalog? Use cases:
      • Control AWS provisioning (cost, security, governance)
      • Self-service portal – one-stop shop
      • Standardized deployments
      • Version control for AWS users
      • Enforce governance and compliance proactively
      • Integrate with ITSM tools
      • Centrally manage the IT service lifecycle
  • 99. Submit Session Feedback
      1. Tap the Schedule icon.
      2. Select the session you attended.
      3. Tap Session Evaluation to submit your feedback.
  • 100. Thank you!