SlideShare ist ein Scribd-Unternehmen logo
1 von 69
Understanding AWS Security 
James Bromberger 
Solutions Architect, Amazon Web Services 
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Agenda 
• Our Security 
– Compliance 
• Your Security 
– Account Management (the keys to the kingdom) 
– Service Isolation 
– Visibility and Auditing
Security is our #1 priority
Shared security responsibility
AWS 
• Facili'es* 
• Physical*Security* 
• Physical*Infrastructure* 
• Network*Infrastructure* 
• Virtualiza'on* 
Infrastructure** 
Customer 
• Operating System 
• Application 
• Security Groups 
• OS Firewalls 
• Network 
Configuration 
• Account Management
AWS 
• Facili'es* 
• Physical*Security* 
• Physical*Infrastructure* 
• Network*Infrastructure* 
• Virtualiza'on* 
Infrastructure** 
Customer 
• Operating System 
• Application 
• Security Groups 
• OS Firewalls 
• Network 
Configuration 
• Account Management
How does AWS get security? 
• Physical access is recorded, videoed, 
stored, reviewed 
• Multi-factor authentication for physical 
access 
• Segregation of duties: staff with 
physical access versus staff with 
logical access 
And every 90 days…
How does AWS get security?
How does AWS get security?
Prove what AWS does! 
• Certifications 
• Audits & Attestations 
– Independent 3rd parties 
– Regularly refreshed 
– Available to customers 
aws.amazon.com/compliance
Certifications & Approving Industry Bodies
What does AWS do for its security? 
June 2014 
68 pages 
freely available 
aws.amazon.com/security/
AWS 
• Facili'es* 
• Physical*Security* 
• Physical*Infrastructure* 
• Network*Infrastructure* 
• Virtualiza'on* 
Infrastructure** 
Customer 
• Operating System 
• Application 
• Security Groups 
• OS Firewalls 
• Network 
Configuration 
• Account Management
Secure your account
Identity and Access Management 
• Users & Groups
Identity and Access Management 
• Users & Groups 
• Unique Security Credentials
Identity and Access Management 
• Users & Groups 
• Unique Security Credentials 
• Temporary Security 
Credentials
Identity and Access Management 
• Users & Groups 
• Unique Security Credentials 
• Temporary Security 
Credentials 
• Policies & Permissions
Identity and Access Management 
• Users & Groups 
• Unique Security Credentials 
• Temporary Security 
Credentials 
• Policies & Permissions 
• Roles
Identity and Access Management 
• Users & Groups 
• Unique Security Credentials 
• Temporary Security 
Credentials 
• Policies & Permissions 
• Roles 
• Multi-factor Authentication
ProTip #1: Account Security
Identity and Access Management 
1. Secure your Master account with MFA 
2. Create an IAM Group for your Admin team 
3. Create IAM Users for your Admin staff, as 
members of your Admin group 
4. Turn on MFA for these users!
Identity and Access Management 
New: 
• Enhanced password 
management 
– Expiry 
– reuse check 
– change on next log in 
• Credential Report
ProTip #2: 
No hard-coded Credentials
EC2 Roles for Temporary Credentials 
• Remove hard-coded 
credentials from scripts 
and config files 
• Create an IAM Role and 
assign restricted policy 
• Launch instance into Role 
• AWS SDKs transparently 
get temporary credentials 
GET http://169.254.169.254/ 
latest/meta-data/iam/security-credentials/ 
{ 
"Code" : "Success", 
"LastUpdated" s3access 
: "2012-04-26T16:39:16Z", 
"Type" : "AWS-HMAC", 
"AccessKeyId" : 
"AKIAIOSFODNN7EXAMPLE", 
"SecretAccessKey" : "wJalrXUtnFEMI/ 
K7MDENG/bPxRfiCYEXAMPLEKEY", 
"Token" : "token", 
"Expiration" : "2012-04-27T22:39:16Z" 
}
ProTip #3: Least Privilege Policies
IAM Policies 
• )Gro$ up* “D'NS-Admins”, Policy: 
) %$
#$* 
) %$
$* 
) %$
# % $#* 
( 
“Resource” : { 
“arn:aws:route53:::hostedzone/ZONEID” 
}
IAM Policies 
Use Conditions to restrict key exposure 
) $ *' 
!##' 
# %!
				

	 
( 
}
ProTip #4: Test Your Policies
Identity and Access Management 
• Test your policies in 
the Policy Simulator!
API Credentials 
Credentials for talking to AWS APIs via REST: 
• ACCESS KEY 
– An identifier 
• SECRET KEY 
– Used to sign requests 
– Shouldn’t traverse the network again 
• Not retrievable from AWS again – you lose it, 
generate a new pair
Secure your data in flight
Secure your data in flight 
Use SSL / TLS for all your traffic, 
just like you do for your API access 
ProTip: Validate the SSL Certificate!
Secure your data in flight 
SSL offload to the Elastic 
Load Balancing Service
Secure your data in flight 
• RDS connections 
– MySQL 
– PostgreSQL 
– Oracle 
• Get Public Key from AWS: 
https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem 
https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem
Secure your data at rest
Secure your data at rest 
Amazon S3
S3 – Server Side Encryption (SSE) 
• Available Since 2011 
• AES 256-bit 
• Totally transparent to 
customers 
• AWS Key Management
S3 – NEW: SSE with customer keys 
• Available Since June 2014 
• AES 256-bit, but encryption/decryption on AWS 
• Customer Key Management
S3 – Client-side encryption (CSE) 
• Customer key management 
• Customer premise encryption/ 
decryption 
• Keys never sent to AWS 
• Support in the Java AWS SDK: 
AmazonS3EncryptionClient
Secure your data at rest 
Amazon RDS
RDS 
• Secure data at rest in your database 
– RDS Oracle (EE) 
• Transparent Data Encryption 
– SQL Server (EE BYOL) 
• Transparent Data Encryption
Secure your data at rest 
Amazon EBS 
AWS Storage 
Gateway
EBS  Storage Gateway 
• Use encrypted file systems on block storage (EBS, Storage 
Gateway…) 
– dm-crypt/LUKS 
– Windows BitLocker (whole disk), EFS (file level) 
– Products from Partners: Trend, Safenet, etc 
– and…
EBS – NEW: Encrypted Volumes 
• Available since May 2014 
• AWS’ rigid key management 
• Encryption on server 
hosting the EC2 instance 
• Snapshots of encrypted 
volumes also encrypted 
– cannot be shared with other 
customers 
• Only on supported instance 
types
Securing your data at rest 
Amazon 
Redshift
Redshift 
• By Default: 
– Full disk encryption 
– Uses SSL to talk to S3 
• Optionally you can: 
– Set S3 backups to be encrypted 
– Limit S3 bucket access 
– Connect using SSL 
– Run within VPC 
– Use CloudHSM key store 
– Backup access logs to S3 
• Redshift retains 1 week
Secure your data at rest 
CloudHSM: Hardware Security 
Modules in the cloud 
• Single Tenancy 
• Private key material never 
leaves the HSM 
• AWS provisioned, customer 
managed
Understanding AWS Security
Isolate your services
Isolate your services 
One application per instance 
• Simplify forensics 
• Simplify Security Groups 
• Swim-lane capacity overloads 
• Limit blast radius
Isolate your services 
Virtual Private Cloud 
• Security Groups 
– Don’t use 0.0.0.0/0 
• Subnet separation of instances with: 
– Network ACLs, and IAM policy to prevent changes 
– Routing tables, and IAM policy to prevent changes 
– No Internet Gateway, and IAM policy to prevent changes
VPC Peering
VPC Peering 
• Connect two VPCs in the 
same Region 
– No IP address conflicts 
• Bridged by routing table 
entries (both sides of 
peering relationship) 
• Offer  Accept model 
Customer CustomBe rr eAc ieniivtieaste rse qpueeesr tt ofr oBm A
Log ( review) your API calls
CloudTrail 
Your staff or scripts 
make calls… 
on AWS API 
endpoints… 
CloudTrail logs this 
to an S3 bucket… 
so you can 
review this log
CloudTrail 
• Who made the API call? 
• When was the API call made? 
• What was the API call? 
• What were the resources that were acted up on in the API call? 
• Where was the API call made from?
CloudTrail 
• May: Includes 
CloudFront events 
• June: Available in all 
standard Regions 
• July: Includes ASG  
SQS events 
• July: Covers AWS 
Console sign-in events 
{ 
eventVersion: 1.01, 
userIdentity: { 
type: IAMUser, 
principalId: AIDAJDPLRKLG7UEXAMPLE, 
arn: arn:aws:iam::123456789012:Alice, 
accountId: 123456789012 
}, 
eventTime: 2014-07-08T17:36:04Z, 
eventSource: signin.amazonaws.com, 
eventName: ConsoleLogin, 
awsRegion: us-east-1, 
sourceIPAddress: 10.0.0.1, 
userAgent: AWS Console Access, 
requestParameters: null, 
responseElements: { 
ConsoleLogin: Success 
}, 
additionalEventData: { 
MobileVersion: No, 
LoginTo: https://console.aws.amazon.com/sns, 
MFAUsed: Yes 
}, 
eventID: example-even-tide-xamp-123456789012 
}
CloudTrail Partners
Support: Trusted Advisor
Understanding AWS Security
Understanding AWS Security
Billing Alerts
Bonus Australian Information
Australian Privacy Considerations Whitepaper
https://aws.amazon.com/whitepapers/ 
Auditing 
Logging 
Risk 
Compliance 
Security

Weitere ähnliche Inhalte

Was ist angesagt?

Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Practical Steps to Hack Proofing AWS
Practical Steps to Hack Proofing AWSPractical Steps to Hack Proofing AWS
Practical Steps to Hack Proofing AWSAmazon Web Services
 
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...Amazon Web Services
 
Crypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow DublinCrypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow DublinAmazon Web Services
 
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAmazon Web Services
 
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Amazon Web Services
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSAmazon Web Services
 
AWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAmazon Web Services
 
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...Amazon Web Services
 
Encryption and Key Management in AWS
Encryption and Key Management in AWS Encryption and Key Management in AWS
Encryption and Key Management in AWS Amazon Web Services
 
Simplified Encryption and Key Management
Simplified Encryption and Key ManagementSimplified Encryption and Key Management
Simplified Encryption and Key ManagementMongoDB
 
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksCloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksAmazon Web Services
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAmazon Web Services
 
FireEye: Seamless Visibility and Detection for the Cloud
FireEye: Seamless Visibility and Detection for the CloudFireEye: Seamless Visibility and Detection for the Cloud
FireEye: Seamless Visibility and Detection for the CloudAmazon Web Services
 

Was ist angesagt? (20)

IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Practical Steps to Hack Proofing AWS
Practical Steps to Hack Proofing AWSPractical Steps to Hack Proofing AWS
Practical Steps to Hack Proofing AWS
 
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
 
Crypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow DublinCrypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow Dublin
 
Introduction of AWS KMS
Introduction of AWS KMSIntroduction of AWS KMS
Introduction of AWS KMS
 
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
 
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWS
 
AWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS Security
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
AWS Key Management
AWS Key ManagementAWS Key Management
AWS Key Management
 
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...
Account Separation and Mandatory Access Control on AWS | Security Roadshow Du...
 
Encryption and Key Management in AWS
Encryption and Key Management in AWS Encryption and Key Management in AWS
Encryption and Key Management in AWS
 
Simplified Encryption and Key Management
Simplified Encryption and Key ManagementSimplified Encryption and Key Management
Simplified Encryption and Key Management
 
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksCloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
 
Federation
Federation Federation
Federation
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
 
FireEye: Seamless Visibility and Detection for the Cloud
FireEye: Seamless Visibility and Detection for the CloudFireEye: Seamless Visibility and Detection for the Cloud
FireEye: Seamless Visibility and Detection for the Cloud
 

Andere mochten auch

AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh VariaAWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh VariaAmazon Web Services
 
Why Scale Matters and How the Cloud Really is Different
Why Scale Matters and How the Cloud Really is Different Why Scale Matters and How the Cloud Really is Different
Why Scale Matters and How the Cloud Really is Different Amazon Web Services
 
Backup and Recovery for Linux With Amazon S3
Backup and Recovery for Linux With Amazon S3Backup and Recovery for Linux With Amazon S3
Backup and Recovery for Linux With Amazon S3Amazon Web Services
 
Understanding AWS Storage Options
Understanding AWS Storage OptionsUnderstanding AWS Storage Options
Understanding AWS Storage OptionsAmazon Web Services
 
Welcome - Keynote - AWSome Day Helsinki 2017
Welcome - Keynote - AWSome Day Helsinki 2017Welcome - Keynote - AWSome Day Helsinki 2017
Welcome - Keynote - AWSome Day Helsinki 2017Amazon Web Services
 
(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014
(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014
(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014Amazon Web Services
 
Introduction to Amazon Web Services - How to Scale your Next Idea on AWS : A ...
Introduction to Amazon Web Services - How to Scale your Next Idea on AWS : A ...Introduction to Amazon Web Services - How to Scale your Next Idea on AWS : A ...
Introduction to Amazon Web Services - How to Scale your Next Idea on AWS : A ...Amazon Web Services
 
AWS re:Invent 2016: AWS Database State of the Union (DAT320)
AWS re:Invent 2016: AWS Database State of the Union (DAT320)AWS re:Invent 2016: AWS Database State of the Union (DAT320)
AWS re:Invent 2016: AWS Database State of the Union (DAT320)Amazon Web Services
 
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012Amazon Web Services
 
BDT305 Transforming Big Data with Spark and Shark - AWS re: Invent 2012
BDT305 Transforming Big Data with Spark and Shark - AWS re: Invent 2012BDT305 Transforming Big Data with Spark and Shark - AWS re: Invent 2012
BDT305 Transforming Big Data with Spark and Shark - AWS re: Invent 2012Amazon Web Services
 
(DEV303) Practical DynamoDB Programming in Java
(DEV303) Practical DynamoDB Programming in Java(DEV303) Practical DynamoDB Programming in Java
(DEV303) Practical DynamoDB Programming in JavaAmazon Web Services
 
Everything You Need to Develop Apps Faster and Scale to Millions of Users
Everything You Need to Develop Apps Faster and Scale to Millions of UsersEverything You Need to Develop Apps Faster and Scale to Millions of Users
Everything You Need to Develop Apps Faster and Scale to Millions of UsersAmazon Web Services
 
AWS Webcast - AWS 101 - Journey to the AWS Cloud: Introduction to AWS
AWS Webcast - AWS 101 - Journey to the AWS Cloud: Introduction to AWSAWS Webcast - AWS 101 - Journey to the AWS Cloud: Introduction to AWS
AWS Webcast - AWS 101 - Journey to the AWS Cloud: Introduction to AWSAmazon Web Services
 
Empowering Publishers - Unlocking the power of Amazon Web Services - May-15-2...
Empowering Publishers - Unlocking the power of Amazon Web Services - May-15-2...Empowering Publishers - Unlocking the power of Amazon Web Services - May-15-2...
Empowering Publishers - Unlocking the power of Amazon Web Services - May-15-2...Amazon Web Services
 

Andere mochten auch (20)

AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh VariaAWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
AWS Architecting Cloud Apps - Best Practices and Design Patterns By Jinesh Varia
 
Why Scale Matters and How the Cloud Really is Different
Why Scale Matters and How the Cloud Really is Different Why Scale Matters and How the Cloud Really is Different
Why Scale Matters and How the Cloud Really is Different
 
AWS Architecting In The Cloud
AWS Architecting In The CloudAWS Architecting In The Cloud
AWS Architecting In The Cloud
 
Backup and Recovery for Linux With Amazon S3
Backup and Recovery for Linux With Amazon S3Backup and Recovery for Linux With Amazon S3
Backup and Recovery for Linux With Amazon S3
 
Introduction to CloudFront
Introduction to CloudFrontIntroduction to CloudFront
Introduction to CloudFront
 
Understanding AWS Storage Options
Understanding AWS Storage OptionsUnderstanding AWS Storage Options
Understanding AWS Storage Options
 
Welcome - Keynote - AWSome Day Helsinki 2017
Welcome - Keynote - AWSome Day Helsinki 2017Welcome - Keynote - AWSome Day Helsinki 2017
Welcome - Keynote - AWSome Day Helsinki 2017
 
(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014
(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014
(WEB304) Running and Scaling Magento on AWS | AWS re:Invent 2014
 
Introduction to Amazon Web Services - How to Scale your Next Idea on AWS : A ...
Introduction to Amazon Web Services - How to Scale your Next Idea on AWS : A ...Introduction to Amazon Web Services - How to Scale your Next Idea on AWS : A ...
Introduction to Amazon Web Services - How to Scale your Next Idea on AWS : A ...
 
Cost Optimisation on AWS
Cost Optimisation on AWSCost Optimisation on AWS
Cost Optimisation on AWS
 
AWS re:Invent 2016: AWS Database State of the Union (DAT320)
AWS re:Invent 2016: AWS Database State of the Union (DAT320)AWS re:Invent 2016: AWS Database State of the Union (DAT320)
AWS re:Invent 2016: AWS Database State of the Union (DAT320)
 
What's New
What's NewWhat's New
What's New
 
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012
 
BDT305 Transforming Big Data with Spark and Shark - AWS re: Invent 2012
BDT305 Transforming Big Data with Spark and Shark - AWS re: Invent 2012BDT305 Transforming Big Data with Spark and Shark - AWS re: Invent 2012
BDT305 Transforming Big Data with Spark and Shark - AWS re: Invent 2012
 
(DEV303) Practical DynamoDB Programming in Java
(DEV303) Practical DynamoDB Programming in Java(DEV303) Practical DynamoDB Programming in Java
(DEV303) Practical DynamoDB Programming in Java
 
Everything You Need to Develop Apps Faster and Scale to Millions of Users
Everything You Need to Develop Apps Faster and Scale to Millions of UsersEverything You Need to Develop Apps Faster and Scale to Millions of Users
Everything You Need to Develop Apps Faster and Scale to Millions of Users
 
Building mobile apps on aws
Building mobile apps on awsBuilding mobile apps on aws
Building mobile apps on aws
 
Go Global Right Now (Yes Now!)
Go Global Right Now (Yes Now!)Go Global Right Now (Yes Now!)
Go Global Right Now (Yes Now!)
 
AWS Webcast - AWS 101 - Journey to the AWS Cloud: Introduction to AWS
AWS Webcast - AWS 101 - Journey to the AWS Cloud: Introduction to AWSAWS Webcast - AWS 101 - Journey to the AWS Cloud: Introduction to AWS
AWS Webcast - AWS 101 - Journey to the AWS Cloud: Introduction to AWS
 
Empowering Publishers - Unlocking the power of Amazon Web Services - May-15-2...
Empowering Publishers - Unlocking the power of Amazon Web Services - May-15-2...Empowering Publishers - Unlocking the power of Amazon Web Services - May-15-2...
Empowering Publishers - Unlocking the power of Amazon Web Services - May-15-2...
 

Ähnlich wie Understanding AWS Security

Protecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSProtecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSAmazon Web Services
 
Using encryption with_aws
Using encryption with_awsUsing encryption with_aws
Using encryption with_awssaifam
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeCSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeAlert Logic
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Amazon Web Services
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014Amazon Web Services
 
(SEC312) Reliable Design & Deployment of Security & Compliance
(SEC312) Reliable Design & Deployment of Security & Compliance(SEC312) Reliable Design & Deployment of Security & Compliance
(SEC312) Reliable Design & Deployment of Security & ComplianceAmazon Web Services
 
(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWSAmazon Web Services
 
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...Amazon Web Services
 
Protecting your data in aws - Toronto
Protecting your data in aws - TorontoProtecting your data in aws - Toronto
Protecting your data in aws - TorontoAmazon Web Services
 
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA PartnersAPN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA PartnersAmazon Web Services
 

Ähnlich wie Understanding AWS Security (20)

Protecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSProtecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWS
 
AWS Security & Compliance
AWS Security & ComplianceAWS Security & Compliance
AWS Security & Compliance
 
Using encryption with_aws
Using encryption with_awsUsing encryption with_aws
Using encryption with_aws
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeCSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
(SEC312) Reliable Design & Deployment of Security & Compliance
(SEC312) Reliable Design & Deployment of Security & Compliance(SEC312) Reliable Design & Deployment of Security & Compliance
(SEC312) Reliable Design & Deployment of Security & Compliance
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Securing Your Data in AWS
Securing Your Data in AWSSecuring Your Data in AWS
Securing Your Data in AWS
 
(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS
 
protecting your data in aws
protecting your data in aws protecting your data in aws
protecting your data in aws
 
Protecting Your Data in AWS
 Protecting Your Data in AWS Protecting Your Data in AWS
Protecting Your Data in AWS
 
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
 
Protecting your data in aws - Toronto
Protecting your data in aws - TorontoProtecting your data in aws - Toronto
Protecting your data in aws - Toronto
 
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA PartnersAPN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
 

Mehr von Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mehr von Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Kürzlich hochgeladen

Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 

Kürzlich hochgeladen (20)

Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 

Understanding AWS Security

  • 1. Understanding AWS Security James Bromberger Solutions Architect, Amazon Web Services © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 2. Agenda • Our Security – Compliance • Your Security – Account Management (the keys to the kingdom) – Service Isolation – Visibility and Auditing
  • 3. Security is our #1 priority
  • 5. AWS • Facili'es* • Physical*Security* • Physical*Infrastructure* • Network*Infrastructure* • Virtualiza'on* Infrastructure** Customer • Operating System • Application • Security Groups • OS Firewalls • Network Configuration • Account Management
  • 6. AWS • Facili'es* • Physical*Security* • Physical*Infrastructure* • Network*Infrastructure* • Virtualiza'on* Infrastructure** Customer • Operating System • Application • Security Groups • OS Firewalls • Network Configuration • Account Management
  • 7. How does AWS get security? • Physical access is recorded, videoed, stored, reviewed • Multi-factor authentication for physical access • Segregation of duties: staff with physical access versus staff with logical access And every 90 days…
  • 8. How does AWS get security?
  • 9. How does AWS get security?
  • 10. Prove what AWS does! • Certifications • Audits & Attestations – Independent 3rd parties – Regularly refreshed – Available to customers aws.amazon.com/compliance
  • 11. Certifications & Approving Industry Bodies
  • 12. What does AWS do for its security? June 2014 68 pages freely available aws.amazon.com/security/
  • 13. AWS • Facili'es* • Physical*Security* • Physical*Infrastructure* • Network*Infrastructure* • Virtualiza'on* Infrastructure** Customer • Operating System • Application • Security Groups • OS Firewalls • Network Configuration • Account Management
  • 15. Identity and Access Management • Users & Groups
  • 16. Identity and Access Management • Users & Groups • Unique Security Credentials
  • 17. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials
  • 18. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions
  • 19. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions • Roles
  • 20. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions • Roles • Multi-factor Authentication
  • 21. ProTip #1: Account Security
  • 22. Identity and Access Management 1. Secure your Master account with MFA 2. Create an IAM Group for your Admin team 3. Create IAM Users for your Admin staff, as members of your Admin group 4. Turn on MFA for these users!
  • 23. Identity and Access Management New: • Enhanced password management – Expiry – reuse check – change on next log in • Credential Report
  • 24. ProTip #2: No hard-coded Credentials
  • 25. EC2 Roles for Temporary Credentials • Remove hard-coded credentials from scripts and config files • Create an IAM Role and assign restricted policy • Launch instance into Role • AWS SDKs transparently get temporary credentials GET http://169.254.169.254/ latest/meta-data/iam/security-credentials/ { "Code" : "Success", "LastUpdated" s3access : "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/ K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }
  • 26. ProTip #3: Least Privilege Policies
  • 27. IAM Policies • )Gro$ up* “D'NS-Admins”, Policy: ) %$
  • 30. # % $#* ( “Resource” : { “arn:aws:route53:::hostedzone/ZONEID” }
  • 31. IAM Policies Use Conditions to restrict key exposure ) $ *' !##' # %! ( }
  • 32. ProTip #4: Test Your Policies
  • 33. Identity and Access Management • Test your policies in the Policy Simulator!
  • 34. API Credentials Credentials for talking to AWS APIs via REST: • ACCESS KEY – An identifier • SECRET KEY – Used to sign requests – Shouldn’t traverse the network again • Not retrievable from AWS again – you lose it, generate a new pair
  • 35. Secure your data in flight
  • 36. Secure your data in flight Use SSL / TLS for all your traffic, just like you do for your API access ProTip: Validate the SSL Certificate!
  • 37. Secure your data in flight SSL offload to the Elastic Load Balancing Service
  • 38. Secure your data in flight • RDS connections – MySQL – PostgreSQL – Oracle • Get Public Key from AWS: https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem
  • 39. Secure your data at rest
  • 40. Secure your data at rest Amazon S3
  • 41. S3 – Server Side Encryption (SSE) • Available Since 2011 • AES 256-bit • Totally transparent to customers • AWS Key Management
  • 42. S3 – NEW: SSE with customer keys • Available Since June 2014 • AES 256-bit, but encryption/decryption on AWS • Customer Key Management
  • 43. S3 – Client-side encryption (CSE) • Customer key management • Customer premise encryption/ decryption • Keys never sent to AWS • Support in the Java AWS SDK: AmazonS3EncryptionClient
  • 44. Secure your data at rest Amazon RDS
  • 45. RDS • Secure data at rest in your database – RDS Oracle (EE) • Transparent Data Encryption – SQL Server (EE BYOL) • Transparent Data Encryption
  • 46. Secure your data at rest Amazon EBS AWS Storage Gateway
  • 47. EBS Storage Gateway • Use encrypted file systems on block storage (EBS, Storage Gateway…) – dm-crypt/LUKS – Windows BitLocker (whole disk), EFS (file level) – Products from Partners: Trend, Safenet, etc – and…
  • 48. EBS – NEW: Encrypted Volumes • Available since May 2014 • AWS’ rigid key management • Encryption on server hosting the EC2 instance • Snapshots of encrypted volumes also encrypted – cannot be shared with other customers • Only on supported instance types
  • 49. Securing your data at rest Amazon Redshift
  • 50. Redshift • By Default: – Full disk encryption – Uses SSL to talk to S3 • Optionally you can: – Set S3 backups to be encrypted – Limit S3 bucket access – Connect using SSL – Run within VPC – Use CloudHSM key store – Backup access logs to S3 • Redshift retains 1 week
  • 51. Secure your data at rest CloudHSM: Hardware Security Modules in the cloud • Single Tenancy • Private key material never leaves the HSM • AWS provisioned, customer managed
  • 54. Isolate your services One application per instance • Simplify forensics • Simplify Security Groups • Swim-lane capacity overloads • Limit blast radius
  • 55. Isolate your services Virtual Private Cloud • Security Groups – Don’t use 0.0.0.0/0 • Subnet separation of instances with: – Network ACLs, and IAM policy to prevent changes – Routing tables, and IAM policy to prevent changes – No Internet Gateway, and IAM policy to prevent changes
  • 57. VPC Peering • Connect two VPCs in the same Region – No IP address conflicts • Bridged by routing table entries (both sides of peering relationship) • Offer Accept model Customer CustomBe rr eAc ieniivtieaste rse qpueeesr tt ofr oBm A
  • 58. Log ( review) your API calls
  • 59. CloudTrail Your staff or scripts make calls… on AWS API endpoints… CloudTrail logs this to an S3 bucket… so you can review this log
  • 60. CloudTrail • Who made the API call? • When was the API call made? • What was the API call? • What were the resources that were acted up on in the API call? • Where was the API call made from?
  • 61. CloudTrail • May: Includes CloudFront events • June: Available in all standard Regions • July: Includes ASG SQS events • July: Covers AWS Console sign-in events { eventVersion: 1.01, userIdentity: { type: IAMUser, principalId: AIDAJDPLRKLG7UEXAMPLE, arn: arn:aws:iam::123456789012:Alice, accountId: 123456789012 }, eventTime: 2014-07-08T17:36:04Z, eventSource: signin.amazonaws.com, eventName: ConsoleLogin, awsRegion: us-east-1, sourceIPAddress: 10.0.0.1, userAgent: AWS Console Access, requestParameters: null, responseElements: { ConsoleLogin: Success }, additionalEventData: { MobileVersion: No, LoginTo: https://console.aws.amazon.com/sns, MFAUsed: Yes }, eventID: example-even-tide-xamp-123456789012 }
  • 70. James’ Recommendations Turn on your MFA access for your Root account Use IAM Users, Groups and Policies Never use Root Account API keys Scope limit your policies
  • 71. Visit the Solution Architecture Team today, Please fill in feedback forms! Questions on AWS security, risk and compliance: talk to AWS James Bromberger jameseb@amazon.com @JamesBromberger
  • 72. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.