Slide 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jarkko Hirvonen
Manager, Solutions Architecture, AWS Nordics
Petri Kallberg
Cloud Solution Architect, Sanoma Group
Security & Compliance in the Cloud
Slide 2
Session Content
• AWS Shared Responsibility Model
• AWS Security Solutions
• Identity & Access Management
• Detective Controls
• Infrastructure Security
• Data Protection
• Incident Response
• Customer – Sanoma Group
Slide 3
Every AWS Cloud journey is unique.
Slide 4
• Migrating or extending existing infrastructure and applications.
• Building customer-facing cloud-native applications.
• Going all-in on cloud solutions across the organization.
• Using the scale of the AWS Cloud to solve new challenges.
• Deploying cloud-based business solutions.
• Managing governance at scale.
Slide 5
AWS Shared Responsibility Model
Slide 6
Security is a Shared Responsibility
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, applications, Identity and Access Management
• Operating system, network, and firewall configuration
• Client-side data encryption, server-side data encryption, network traffic protection
AWS is responsible for the security OF the Cloud:
• AWS foundation services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge locations
Slide 7
Infrastructure Services
Managed by customers:
• Customer content
• Platform and application management
• Operating system, network, and firewall configuration
• Client-side data encryption and data integrity authentication
• Network traffic protection (encryption/integrity/identity)
• Server-side encryption (file system and/or data)
• Optional – opaque data: 0’s and 1’s (in transit/at rest)
• Customer IAM
Managed by AWS:
• AWS IAM, AWS endpoints
• Foundation services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge locations
Slide 8
Container Services
Managed by customers:
• Customer content
• Platform and application management
• Firewall configuration
• Client-side data encryption and data integrity authentication
• Network traffic protection (encryption/integrity/identity)
• Optional – opaque data: 0’s and 1’s (in transit/at rest)
• Customer IAM
Managed by AWS:
• Operating system and network configuration
• AWS IAM, AWS endpoints
• Foundation services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge locations
Slide 9
Abstracted Services
Managed by customers:
• Customer content
• Client-side data encryption and data integrity authentication
• Optional – opaque data: 0’s and 1’s (in transit/at rest)
Managed by AWS:
• Data protection provided by the platform for data at rest
• Network traffic protection provided by the platform (protection of data in transit)
• Platform and application management
• Operating system, network, and firewall configuration
• AWS IAM, AWS endpoints
• Foundation services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge locations
Slide 10
AWS Security Solutions
Slide 11
AWS Security Solutions
• Identity: AWS Identity & Access Management (IAM), AWS Organizations, Amazon Cognito, AWS Directory Service, AWS Single Sign-On
• Detective controls: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
• Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (AWS WAF), Amazon Inspector, Amazon VPC
• Data protection: AWS KMS, AWS CloudHSM, Amazon Macie, ACM, Server-Side Encryption
• Incident response: AWS Config Rules, AWS Lambda
Slide 12
Identity & Access Management
Slide 13
AWS Identity and Access Management (IAM)
Fine-grained access management for AWS resources
AWS Organizations
Policy-based management for multiple AWS accounts
Amazon Cognito
Add user sign-up, sign-in, and access control to your web
and mobile apps
AWS Directory Service
Managed Microsoft Active Directory in the AWS Cloud
AWS Single Sign-On
Centrally manage single sign-on (SSO) access to multiple AWS
accounts and business applications
Identity & access management: define, enforce, and audit user permissions across AWS services, actions, and resources.
Slide 14
Detective Controls
Slide 15
AWS CloudTrail
Track user activity and API usage. Enable governance, compliance,
and operational/risk auditing of your AWS account
AWS Config
Record configurations of your AWS resources. Enable compliance
auditing, security analysis, resource change tracking, and
troubleshooting
Amazon CloudWatch
Monitor AWS Cloud resources and your applications on AWS to
collect metrics, monitor log files, set alarms, and automatically
react to changes
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect
your AWS accounts and workloads
VPC Flow Logs
Capture information about the IP traffic going to and from network
interfaces in your VPC.
Detective control: gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
Slide 16
Infrastructure Security
Slide 17
AWS Systems Manager
Easily configure and manage Amazon EC2 and on-premises systems
to apply OS patches, create secure system images, and configure
secure operating systems
AWS Shield
Managed DDoS protection service that safeguards web applications
running on AWS
AWS Web Application Firewall (AWS WAF)
Protects your web applications from common web exploits, helping to ensure
availability and security
Amazon Inspector
Automates security assessments to help improve the security and
compliance of applications deployed on AWS
Amazon VPC
Provision a logically isolated section of AWS where you can launch
AWS resources in a virtual network that you define
Infrastructure security: reduce the surface area to manage and increase privacy for, and control of, your overall infrastructure on AWS.
Slide 18
Data Protection
Slide 19
AWS KMS
Easily create and control the keys used to encrypt your data
AWS CloudHSM
Managed hardware security module (HSM) on the AWS Cloud
Amazon Macie
Machine learning-powered security service to discover, classify, and
protect sensitive data
AWS Certificate Manager (ACM)
Easily provision, manage, and deploy SSL/TLS certificates for use
with AWS services
Server-Side Encryption
Flexible data encryption options using AWS service-managed keys,
AWS managed keys via AWS KMS, or customer-managed keys
Data protection: in addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage).
Slide 20
Incident Response
Slide 21
AWS Config Rules
Create rules that automatically take action in response to changes in your
environment, such as isolating resources, enriching events with additional
data, or restoring configuration to a known-good state
AWS Lambda
Use our serverless compute service to run code without provisioning or
managing servers so you can scale your programmed, automated
response to incidents
Incident response: during an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides tools to automate aspects of this best practice.
Slide 22
Automated Threat Remediation: Automate with Integrated Services
Amazon GuardDuty (finding) → Amazon CloudWatch (CloudWatch Event) → AWS Lambda (Lambda function)
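The remediation chain on slides 21 and 22 (GuardDuty finding, CloudWatch Events rule, Lambda function that contains the event) as an added Python example; this is not code from the deck or from AWS. The quarantine security group id, the severity threshold, the sample finding and the fake EC2 client (which stands in for boto3 so the example runs offline) are all assumptions.

```python
# Added example (not from the slides): a Lambda function for the slide 21/22 pattern,
# GuardDuty finding -> CloudWatch Events -> Lambda -> automated containment.
import os

QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-placeholder-quarantine")  # assumption
SEVERITY_THRESHOLD = 7.0  # GuardDuty rates findings of 7.0 and above as High

def plan_remediation(finding):
    """Decide what to do with one GuardDuty finding (pure logic, no AWS calls)."""
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return {"action": "notify", "reason": "not an EC2 instance finding"}
    instance_id = resource["instanceDetails"]["instanceId"]
    if severity < SEVERITY_THRESHOLD:
        return {"action": "notify", "instance": instance_id, "reason": "below threshold"}
    return {"action": "isolate", "instance": instance_id, "finding": finding["type"]}

def apply_plan(plan, ec2):
    """Carry out the plan with an EC2 client (boto3 in Lambda, a fake in tests)."""
    if plan["action"] != "isolate":
        return plan
    # Swapping every security group for the (allow-nothing) quarantine group cuts the
    # instance off from the network while keeping it intact for forensics.
    ec2.modify_instance_attribute(InstanceId=plan["instance"], Groups=[QUARANTINE_SG])
    return {**plan, "groups": [QUARANTINE_SG]}

def handler(event, context=None, ec2=None):
    """CloudWatch Events entry point; event['detail'] is the GuardDuty finding."""
    if ec2 is None:
        import boto3  # only needed when actually running inside Lambda
        ec2 = boto3.client("ec2")
    result = apply_plan(plan_remediation(event["detail"]), ec2)
    print(result)  # lands in CloudWatch Logs as the audit record of what was done
    return result

# Constructed sample event in the shape CloudWatch Events delivers for GuardDuty
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
class FakeEC2:
    """Records calls instead of talking to AWS so the example runs offline."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, ec2=FakeEC2()))
```

A CloudWatch Events rule matching `source: aws.guardduty` with the function as target wires this in; the plan/apply split keeps the decision logic testable without AWS credentials.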
Slide 23
Customer – Sanoma Group
Slide 24
Sanoma Group
Operations in Finland, Netherlands, Belgium, Poland and Sweden
Net sales 1.4 billion euros
+4400 Employees
Sanoma Media Finland
• Newspapers
• Magazines
• TV and radio
• Events
• is.fi +600M monthly pageviews
Sanoma Media BeNe
• Magazines
• Events
• E-commerce sites
• Apps
• nu.nl +800M monthly pageviews
Sanoma Learning
• Print, digital and hybrid
• Primary, secondary and vocational education
Slide 25
Our History with AWS
• Production services in AWS since 2012
• Usual challenges and motivations of a media company
• Spiky workloads
• OPEX vs. CAPEX
• Stressful deployments
• We are doing the 3rd iteration of organizing our AWS assets
Slide 26
Iterations of AWS Management
• Gen1 - "VMs as Code"
• Gen2 - "Infrastructure as Code"
Slide 27
Challenges of Shared Accounts
Shared Accounts:
• Use tags for cost allocation.
• IAM policies separate teams and define roles within a team.
• Teams depend on IT when IAM doesn’t support resource-based policies.
Slide 28
Solution: More Accounts
Single Owner Accounts (+100), Gen3 - "Accounts as Code":
• Single payer for all costs.
• IAM policies define roles within a team, but teams are separated by accounts.
• Omnipotent teams don’t depend on central IT.
Slide 29
AWS Organizations
AWS version | Corporate version
Slide 30
AWS Organizations - Local Control, Global View
• Automating the account creation process
  • Standard IAM roles, CloudTrail, network infrastructure
• Global view using IAM roles from the "master" account
• Limit local control with Service Control Policies
  • Deny CloudTrail changes
  • Select AWS regions
  • Deny reserved capacity purchase
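The three Service Control Policy restrictions listed above, written out as one SCP document together with a small evaluator that shows which API calls the policy blocks. This is an added example, not Sanoma's or AWS's policy; the region list, the exempted global services (iam, organizations, sts, support) and the specific action names chosen for "CloudTrail changes" and "reserved capacity" are assumptions.

```python
# Added example (not from the slides): slide 30's three SCP restrictions as one
# policy document, plus a tiny evaluator showing which API calls it blocks.
import fnmatch
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]  # assumption, not Sanoma's real list
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # member accounts must not be able to disable or alter audit logging
            "Sid": "DenyCloudTrailChanges",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
            "Resource": "*",
        },
        {   # pin workloads to the selected regions; global services are exempt
            "Sid": "DenyUnselectedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
        },
        {   # keep long-term financial commitments with the payer account
            "Sid": "DenyReservedCapacityPurchase",
            "Effect": "Deny",
            "Action": ["ec2:PurchaseReservedInstancesOffering",
                       "rds:PurchaseReservedDBInstancesOffering"],
            "Resource": "*",
        },
    ],
}

def _deny_matches(stmt, action, region):
    """True if this Deny statement applies to the given API call."""
    if "Action" in stmt:
        hit = any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"])
    else:  # NotAction: the statement covers every action except those listed
        hit = not any(fnmatch.fnmatchcase(action, p) for p in stmt["NotAction"])
    regions = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if regions is not None:  # the condition only holds outside the selected regions
        hit = hit and region not in regions
    return hit

def scp_allows(action, region):
    """SCPs only filter: with the default FullAWSAccess SCP still attached,
    a call passes unless at least one Deny statement matches it."""
    return not any(_deny_matches(s, action, region) for s in SCP["Statement"])
if __name__ == "__main__":
    for call in [("cloudtrail:StopLogging", "eu-west-1"), ("ec2:RunInstances", "us-east-1")]:
        print(call, "allowed" if scp_allows(*call) else "DENIED by SCP")
```

The evaluator ignores resource ARNs and other condition keys, which is enough for these three statements; the document itself is what you would hand to `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and attach to the member account OUs.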
Slide 31
Securing the Account Root User
• Securing the root user on a new account
  • Set up the root password (and throw it away)
  • Attach a phone number to your account
  • Set up a root virtual MFA (and store it)
• Simply not setting a root password doesn’t mean that someone with access to the registration email cannot reset it. That’s why you must always enable root MFA.
Slide 32
What’s Next
• Continue work on the global view.
• Sanoma CCoE to help and verify that teams do the right thing.
• Watch re:Invent 2017 (SID331) "Architecting Security and Governance Across a Multi-Account Strategy"
Slide 33
Security & Compliance in the Cloud
Slide 34
Recommended Next Sessions
• 15:00 Let’s Start! - Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
• 15:45 Cloud Operations - Enabling Governance, Compliance and Operational and Risk Auditing with AWS Management Tools
• 15:45 Move IT! - Navigating GDPR Compliance on AWS
Slide 35
Please complete the session survey in the summit mobile app.
Slide 36
Thank You!