1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Leandro Bennaton
LATAM Compliance Strategist
March 2018
AWS – Security & Compliance
2.
Familiar Security Model
Validated and driven by customers’ security experts
Benefits all customers
PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL
AWS Security is Job Zero
3.
“CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly, and reliably leverage the benefits of this increasingly ubiquitous computing model.”
Source: Clouds Are Secure: Are You Using Them Securely?
4.
18 Regions – 53 Availability Zones – +101 Edge Locations
AWS Global Infrastructure Worldwide
Global Standardization
5.
18 Regions – 53 Availability Zones – +101 Edge Locations
AWS Global Infrastructure
Availability Zone A
Availability Zone B
Availability Zone C
AZ: DataCenter 1, DataCenter 2, … DataCenter n
6.
AWS Freedom of choice
Compute
Microsoft Windows Server 2016, 2012, 2008, and 2003
Red Hat Enterprise Linux
Amazon Linux
SUSE Linux
Ubuntu
Database
Microsoft SQL Server
Oracle
Amazon Aurora
PostgreSQL
MySQL
MariaDB
Amazon DynamoDB
7.
AWS Different forms of implementation
Flexible hybrid options
Your Datacenter ↔ Amazon Web Services
Fully Featured Compute
Resource & Deployment Management
Common Controls for Security & Access
Integrated Networking
Data Integration & Life Cycle Management
8.
AWS Different forms of implementation
Your Datacenter ↔ Amazon Web Services
Comcast’s IT strategy focuses on combining its own data centers and AWS as the cornerstone of its next-generation TV service, X1. This has allowed them to rapidly scale interactive, on-demand content to millions of viewers.
Data Integration
Network Integration
Integrated Identity & Access
Resource & Deployment Management
Devices & Edge Systems
9.
AWS Compliance
10.
Move to AWS
Strengthen your security posture
Automate with deeply integrated security services
Inherit global security and compliance controls
Highest standards for privacy and data security
Largest network of security partners and solutions
Scale with superior visibility and control
11.
AWS security solutions
Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On
Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
Incident response: AWS Config Rules, AWS Lambda
12.
You are in control of privacy
You retain full ownership and control of your content
• Choose the AWS Sao Paulo Region and AWS will not replicate it elsewhere unless you choose to do so.
• Control format, accuracy, and encryption any way that you choose.
• Control who can access content.
• Control content lifecycle and disposal.
13.
Encryption: Data in Transit and at Rest
Volume Encryption (EBS): EBS Encryption, Filesystem Tools, AWS Marketplace/Partner
Object Encryption: S3 Server Side Encryption (SSE), S3 SSE with Customer Provided Keys, Client-Side Encryption
Database Encryption: Redshift Encryption, RDS PostgreSQL (KMS), RDS MySQL (KMS), RDS Oracle (TDE/HSM), RDS MSSQL (TDE)
End-to-end SSL/TLS
AWS Whitepaper: Securing Data at Rest with Encryption
14.
Control access and segregate duties everywhere
You get to control who can do what in your AWS environment, when, and from where
Fine-grained control of your AWS cloud with multi-factor authentication
Integrate with an existing Active Directory using federation and single sign-on
15.
Largest ecosystem of security partners and solutions
Infrastructure security
Logging & monitoring
Identity & access control
Configuration & vulnerability analysis
Data protection
16.
Consulting competency partners with demonstrated expertise
Security engineering
Governance, risk & compliance
Security operations & automation
17.
Before…
Move fast OR Stay secure
18.
Now…
Move fast AND Stay secure
19.
Scale with visibility and control
20.
AWS – Capital One DEVOPS
https://developer.capitalone.com/opensource-projects/cloud-custodian/
21.
“I have come to realize that as a relatively small organization, we can be far more secure in the cloud
and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested.
We determined that security in AWS is superior to our on-premises data center across several
dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”
• Looks for fraud, abuse, and insider trading over
nearly 6 billion shares traded in U.S. equities
markets every day
• Processes approximately 6 terabytes of data
and 37 billion records on an average day
• Went from 3–4 weeks for server hardening
to 3–4 minutes
• DevOps teams focus on automation and tools to raise
the compliance bar and simplify controls
• Achieved incredible levels of assurance for
consistencies of builds and patching via rebooting
with automated deployment scripts
—John Brady, CISO, FINRA (Financial Industry Regulatory Authority)
22.
AWS Reference architecture
https://aws.amazon.com/architecture/
23.
Reference architecture (diagram; recoverable labels only):
Edge: https://example.com → AWS Edge Locations: AWS WAF, Amazon Route 53, Amazon CloudFront, AWS Shield Advanced
AWS Account / Virtual Private Cloud (VPC) across us-east-1a and us-east-1b: DMZ Subnet (Proxies, NAT, Bastion), Private Subnets (RDS DB in each AZ)
Logging and monitoring: CloudTrail, AWS Config, CloudWatch Alarms, Archive Logs Bucket in S3 with Lifecycle Policies to Glacier
Cyber Security
Well-Architected via a NIST High Quick Start
High availability with multi-AZ deployments – fault tolerance solution
Failover occurs automatically in response to the most important failure scenarios
24.
AWS Security Training
https://aws.amazon.com/es/training/
AWS Security Fundamentals (free course – 4 hours)
25.
Leandro Bennaton
LATAM Compliance Strategist
bennaton@amazon.com