Start the session off with this question to engage the audience and spark discussion. Get a sense of where their understanding of cloud security is. This will also give you (the presenter) a sense of the areas to focus on during the presentation.
There’s a shared responsibility to accomplish security and compliance objectives in AWS cloud. There are some elements that AWS takes responsibility for, and others that the customer must address. The outcome of the collaborative approach is positive results seen by customers around the world.
We look after the security OF the cloud, and you look after your security IN the cloud.
Segue into FedRAMP if appropriate, and share your experiences from around the world!
This is a quick quiz to keep the audience engaged and test their understanding of the AWS Shared Responsibility Model, which is one of the most important takeaways we want attendees to have.
If they get any answer wrong, use that opportunity to further clarify why the answer is a wrong one.
IAM allows you to implement a comprehensive access control on AWS resources.
IAM is giving you the ability to Authenticate, Authorize, Log all access.
-> Authenticate, with regular credentials or with strong authentication for your privileged users (or for everybody), and also authenticate other AWS accounts or even trust other identity providers.
-> Authorize with granularity who can do what, so you can implement least privilege and segregation of duties.
-> And finally, log every allow and deny in CloudTrail, for troubleshooting or audit purposes.
Basically, when you think access control for AWS resources, think IAM. Every time.
Key takeaway here is: Identities for Applications and Operating Systems are outside of the scope of AWS IAM
Temporary credential duration ranges from 15 minutes to 12 hours.
The key takeaway here is that you use different approaches to log in to the Console vs. API access.
Account Owner
Can do anything
IAM Policies
User Level
Resource Level
A username for each user
Groups to manage multiple users
Centralized access control
Optional provisions:
Password for console access
Policies to control access to AWS APIs
Two methods to sign API calls:
X.509 certificate
Access Key ID + Secret Access Key
Multifactor Authentication
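To show the "authorize with granularity" and MFA points concretely, here is an added example (not from the deck) of a simplified evaluator for one IAM identity policy: default deny, explicit Deny wins, and an Allow only applies when its Condition holds. The policy, the bucket name and the request context are constructed; real IAM evaluation also takes resource policies, permission boundaries and organization SCPs into account, which this toy ignores.

```python
import fnmatch
import json

# Constructed example policy (not from the deck): a deployment group may read any
# bucket, may write only into one bucket and only with MFA present, and may never
# delete buckets. The bucket name is a placeholder.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-deploy-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}""")

def _matches(patterns, value, ignore_case=False):
    # IAM wildcards are '*' and '?'; action names compare case-insensitively,
    # resource ARNs case-sensitively.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_ok(condition, context):
    # Simplified: only the Bool operator is modelled, which is enough for the
    # aws:MultiFactorAuthPresent check; an absent context key counts as "false".
    for key, expected in condition.get("Bool", {}).items():
        if str(context.get(key, "false")).lower() != str(expected).lower():
            return False
    return True

def evaluate(policy, action, resource, context=None):
    """Identity-policy part of IAM evaluation: default deny, an explicit Deny
    always wins, and an Allow only counts when its Condition holds."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        applies = (_matches(stmt["Action"], action, ignore_case=True)
                   and _matches(stmt["Resource"], resource)
                   and _condition_ok(stmt.get("Condition", {}), context))
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # explicit deny overrides any allow
        decision = "Allow"
    return decision
```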
LDAP Directories:
EC2 instances access on-premises directory servers via VPN.
Directory servers replicated to AWS as read-only or read/write directory servers on EC2 instance(s).
Create federation via one-way trust or Active Directory Federation Services.
Leverage AWS Directory Services for Samba-based directory services.
Use this question as a conversation starter to discuss the value of encryption, why it’s not just for financial services and healthcare, and how AWS not only provides for encryption, but makes it easier.
For customers with HIPAA compliance requirements. Keep hidden otherwise.
This slide is not about teaching what encryption is or the differences between encryption in transit and at rest. It is about mentioning that not only do we give our customers the ability to encrypt their data at rest and as it flows into, through and out of our environment, but that we also provide many services and features that make it easier. You should call out KMS, CloudHSM, VGW, EBS encryption, ELB SSL offloading, RDS Oracle TDE, MSSQL TDE, S3 object encryption, etc.
If the customer is currently not encrypting data (either in transit or at rest), this might be a good place to discuss the differences and emphasize the need to do so under the shared responsibility model.
Provision trusted SSL/TLS certificates from AWS for use with AWS resources:
Elastic Load Balancing
Amazon CloudFront distributions
AWS handles the muck
Key pair and CSR generation
Managed renewal and deployment
Domain validation (DV) through email
Available through AWS Management console, CLI, or API
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
Integrated with AWS SDKs and AWS services:
S3, EBS, AWS Import/Export Snowball, RDS, Redshift, CodeCommit, CloudTrail, EMR, Kinesis Firehose, Elastic Transcoder, SES, WorkSpaces, WorkMail
Centralized control.
Easy and automatic key rotation (KMS keeps track of old keys for decryption)
*New Feature*: Bring your own keys to KMS
The most important part about the CloudHSM service is that you and only you control the keys stored on the HSM. Because of the properties of the HSM that we discussed earlier, separation of duties and physical protection of the keys, and third party validation, you can trust that the HSM is securely storing your keys so that you and only you have access to the keys.
AWS manages and monitors the HSM appliances, but does not have access to the keys. In fact, if you lose access to your credentials, AWS can’t help you recover your key material. You can recover from your own backup if you have a backup with the required credentials.
The CloudHSM appliances are inside your VPC, so you can use familiar network security groups and ACLs to limit access to the HSM.
We use SafeNet Luna SA HSMs with the service today.
CloudHSM customers are using it to protect master keys for database encryption such as Oracle TDE or MS SQL Server TDE, with Apache to protect the private key used to set up SSL connections, for Digital Rights Management (DRM), and for document signing.
You can find out more about CloudHSM at aws.amazon.com/cloudhsm
Inspector is an automated security assessment service to help improve the security and compliance of applications deployed on AWS.
Let’s talk about why we built the WAF based on customer feedback.
WAF was initially a CDN offering, but now integrates with ELB as well
WAFs help protect web sites & applications against attacks that cause data breaches and downtime.
General WAF use cases
Protect from SQL Injection (SQLi) and Cross Site Scripting (XSS)
Prevent Web Site Scraping, Crawlers, and BOTs
Mitigate DDoS (HTTP/HTTPS floods)
Gartner reports that the main driver of WAF purchases (25-30%) is PCI compliance.
Who made the API call?
When was the API call made?
What was the API call?
Which resources were acted upon in the API call?
Where was the API call made from and made to?
Stored durably in S3
Discuss ways to consume CloudTrail logs (Console, CLI, Splunk, SumoLogic, AlertLogic, Loggly, DataDog, etc.)
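As an added example (not from the deck), the following code answers the five questions above for CloudTrail records and separates the calls IAM denied from the ones it allowed, which is what "log every allow and deny" looks like in practice. The records, account id, ARNs and IP addresses are constructed; the watchlist of API names is a starting point I chose, not an AWS-provided list.

```python
import json

# Constructed CloudTrail records (not real log data): one call that succeeded and
# one that IAM denied. The account id, ARNs and IP addresses are placeholders.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2017-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "example-logs"}},
 {"eventTime": "2017-05-01T12:05:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "ScheduleKeyDeletion", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Developer/bob"},
  "errorCode": "AccessDenied", "requestParameters": null}
]}""")

# API calls worth a closer look whether they succeeded or were denied (a constructed
# starting list; extend it for your environment).
WATCHLIST = {"StopLogging", "DeleteTrail", "ScheduleKeyDeletion", "DisableKey",
             "PutBucketPolicy", "CreateAccessKey"}

def summarize(record):
    """Answer the five questions for one record: who, when, what, which, where."""
    identity = record.get("userIdentity", {})
    error = record.get("errorCode") or ""
    return {
        "who": identity.get("arn", identity.get("type", "unknown")),
        "when": record["eventTime"],
        "what": f'{record["eventSource"]}:{record["eventName"]}',
        "which": record.get("requestParameters") or {},
        "where": (record.get("sourceIPAddress"), record.get("awsRegion")),
        # IAM denials surface as errorCode (AccessDenied, or the EC2-style
        # Client.UnauthorizedOperation); no errorCode means the call was allowed.
        "denied": error == "AccessDenied" or error.endswith("UnauthorizedOperation"),
    }

def denied_calls(trail):
    """The 'deny' half of what CloudTrail records: calls IAM rejected."""
    return [s for s in map(summarize, trail["Records"]) if s["denied"]]

def watchlist_hits(trail):
    """Calls on the watchlist, for alerting regardless of outcome."""
    return [summarize(r) for r in trail["Records"] if r["eventName"] in WATCHLIST]
```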
You can use Amazon CloudWatch to gain system-wide visibility into resource utilization, application performance, and operational health. You can use these insights to react and keep your application running smoothly.
No agents! Just turn it on. No really, I'll wait.
Enable per ENI, per Subnet or per VPC
All network traffic data is logged to CloudWatch Logs, so you get durable storage but also all the analysis features such as filter queries and metric creation.
And then Create Alarms on those metrics
Collected, processed and stored in ~10-minute capture windows into CloudWatch Logs.
Or roll your own real time network dashboard with the new Amazon Elasticsearch Service
Also based on a CloudWatch Logs subscription filter that tees Flow Log data into a Kinesis stream; a stream reader then takes the data and puts it into Elasticsearch.
See Jeff’s blog post where he details how to set up this VPC Flow Dashboard in a few clicks.
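As an added example (not from the deck or the blog post), this is the filter-and-metric step in plain Python: parse default-format Flow Log lines, count REJECTed flows per source address as a metric filter would, and flag sources that cross a threshold within one capture window as an alarm would. The log lines, account id, ENI id and addresses are constructed; the NODATA record shows the case a naive parser trips over.

```python
from collections import Counter

# Field order of the default (version 2) Flow Log format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed flow log lines (not real traffic). Account id, ENI id and addresses
# are placeholders; the last line is a NODATA record, whose data fields are '-'.
SAMPLE_LINES = """\
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.12 51000 22 6 6 360 1493640000 1493640060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.12 51001 22 6 6 360 1493640000 1493640060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.12 51002 3389 6 6 360 1493640000 1493640060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.5 10.0.1.12 43210 443 6 20 4200 1493640000 1493640060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.9 10.0.1.12 40001 22 6 4 240 1493640000 1493640060 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1493640000 1493640060 - NODATA
"""

def parse_line(line):
    """Parse one default-format line; return None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # no traffic fields to convert; skip rather than crash
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec

def rejected_by_source(text):
    """Count REJECTed flows per source address: the metric a filter on REJECT would emit."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return counts

def alarm_sources(text, threshold=3):
    """Sources whose REJECT count reaches the threshold in this window (the alarm)."""
    return sorted(src for src, n in rejected_by_source(text).items() if n >= threshold)
```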
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Use Cases:
Security analysis: Am I safe?
Audit compliance: Where is the evidence?
Change management: What will this change affect?
Troubleshooting: What has changed?
Discovery: What resources exist?
A Config Rule represents the desired configuration for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config. The results of evaluating a rule against the configuration of a resource are available on a dashboard. Using Config Rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance with a rule.
Notes: This slide is very similar to the previous one. It adds the concept of Config Rules. It should be noted that although the “Changing Resources” are moved off the page with the animation, they are still important and not being replaced. We’re just making room. It’s probably a good idea to read all the Config Rules FAQs from the public page to make sure you’re comfortable discussing the different elements.
Discuss the Four Pillars of being Well Architected and how TA helps you with this.
These are the reasons most of our customers use AWS.
Give some examples of some of the checks in at least two pillars.
Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides customers with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks.
Amazon Macie utilizes machine learning to automatically classify and provide visibility to understand where important business data exists across an AWS environment. Features include: automated content classification, data access and context about whether a user account or group of user accounts are exhibiting unusual behavior.
Amazon Macie starts by identifying and protecting the data that attackers are likely to target. Amazon Macie automatically learns jargon, internal project names, and estimates the business value for each object and file across a company's network within S3. For large organizations, this can be hundreds of millions of documents.
AWS Security Partners offer hundreds of industry-leading products that are equivalent, identical to, or integrate with existing controls in your on-premises environments. These products complement the existing AWS services to enable you to deploy a comprehensive security architecture and a more seamless experience across your cloud and on-premises environments.
Infrastructure Security
Designed to identify and protect your applications and data from cyber-attacks and other advanced threat vectors.
Logging & Monitoring
Maintain visibility and auditability of activity in your application infrastructure, while providing policy-driven alerting, and reporting.
Identity & Access Control
Help define and manage access policies to enforce business governance, including user authentication, SSO, and enforcement.
Configuration & Vulnerability Analysis
Help inspect your application deployments for security risks and vulnerabilities, while providing priorities and advice to assist with remediation.
Data Protection
Assist with safeguarding your data from unauthorized disclosure and modification, through encryption, key management, and policy-driven controls.
Discuss the importance of hardening the EC2 instances.
Discuss the lifecycle of creating an instance, hardening, and then creating a reusable AMI again. Stress the importance of AMI management and bootstrapping.
Your security posture is determined by the “whole” of the mechanisms you employ.
This slide should serve as a review, but be sure to address any questions here.
The main point of this slide is to introduce the fact that AWS takes security very seriously. We dedicate an entire section of our website to the Security and Compliance Center to communicate with our customers providing things like:
Security and Compliance whitepapers
Security best practice whitepapers
Security bulletins
Requests for customer penetration testing
This presentation is a brief overview of the information on this site; be aware of it, and check out the site for more details and information.