Weitere ähnliche Inhalte Ähnlich wie AWS November meetup Slides Ähnlich wie AWS November meetup Slides (20) Kürzlich hochgeladen (20) 3. What’s On Tonight
6:00 pm
1. PolarSeven
“AWS Secrets Manager” - Kishore Pandian
6:20 pm
2. Palo Alto Networks
“AI Driven Cloud Security” - Craig Dent
6:40 pm
Break
Have some pizza & beer, on us!
7:20 pm
3. CloudHealth
“Best Practices for Cloud Management” - Nick Cannone
7:40 pm Networking
4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sydney Nov 20 &Melbourne Nov 21, AWS Offices
• AWS TechShift - exclusive event for software companies, independent
software vendors (ISVs), application developers and SaaS businesses
• Over 14 Business & Technical sessions – Learn how to improve the way
you build and deliver software for global success
• Guest Speakers: TechnologyOne, SafetyCulture, Atlassian
• Network, visit AWS booths & have the opportunity to win an Amazon
Echo, AWS DeepLens, AWS credits & more….
REGISTER TODAY!
https://aws.amazon.com/events/techshift/australia/
7. Secrets Manager
What is a Secret?
● Passwords
● Encryption keys
● SSH Keys
● Access and Secret Access key ID
● Any data you want to be secret..
8. Secrets Manager
Challenges with traditional method
● Available solution too complex and expensive
● Unreliable rotation leading to outages
● Too many users with unnecessary access to
secrets
9. Secrets Manager
Key Features
● Rotate Secrets safely: Built in for RDS, Extensible
with lambda, has versioning for roll back
● Fine-grained IAM policies
● Encrypted by default
● Pay as you go
10. Secrets Manager
AWS Secrets manager allows customers to rotate,
manage, retrieve database credentials,API keys and
other secrets throughout the lifecycle
● IT Admins: Store and manage secrets securely and
at scale
● Security Admins: Audit and monitor the use of
secrets and rotate secrets
● Developers: Avoid credentials in the application
13. Secrets Manager
Use-case
Connect to database from application code
● DBA loads application specific credentials to secrets
manager
● DevOps engineer deploys application with an IAM role
● Application bootstrapping retrieves secret from secrets
manger and connects to the database
19. Pricing
PER SECRET PER MONTH
● $0.40 per secret per month. For secrets that are stored
for less than a month, the price is prorated (based on the
number of hours.)
PER 10,000 API CALLS
● $0.05 per 10,000 API calls.
20. Pricing
Monthly Cost
$6.00 :
15 secrets (2 SSH keys * 1 load balancer + 2 SSH keys * 2 web
servers + 2 SSH keys * 2 app servers + 5 database credentials
* 1 database) @ $0.40 / secret / month
$0.02 :
4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days
+ 5 database credentials * 1 database * 24 API calls/day * 30 days
+ 5 database credentials * 1 database * 7 API calls/week * 4 weeks)
@ $0.05/10,000 calls
$6.02 Total (per month)
21. As you get started
Things to keep in mind
● No plain text secrets
● Unique secrets per region, per environment, per account
● Rotate secrets regularly
● Control permissions
● Monitor and audit use, Delete unused secrets
● No charges for versioning of a secret, no charge for default encryption
24. AI Driven Cloud Security
for AWS Meetup
Craig Dent
Systems Engineer Specialist
25. Security in Public Cloud is a Shared Responsibility
2 | © 2018, Palo Alto Networks. All Rights Reserved.
The Shared Responsibility Model
Hubs
Switches
Routers
Hypervisor
Data Center
Responsible
for security “of”
the cloud
Cloud Service Provider
Resource Configurations
Users & Credentials
Networks
Hosts & Containers
Data Security
Responsible
for security “in”
the cloud
Organization
26. The Problems We Can Help You Solve
3 | © 2016, Palo Alto Networks. Confidential and Proprietary.
Network
Security
Real-time network visibility and incident investigations
Suspicious/malicious traffic detection
Virtual firewall for in-line protection
Data Security
Users &
Credentials
Account & access key compromise detection
Anomalous insider activity detection
Privileged activity monitoring
Configurations /
Control Plane
Compliance scanning (CIS, PCI, GDPR, etc.)
Storage, snapshots, & image configuration monitoring
VPC, security groups & firewall configuration monitoring
IAM configuration monitoring
Hosts &
Containers
Runtime security
Configuration monitoring (for cloud native)
Vulnerable image detection
Visibility,Detection&Response DLP / Storage scanning
27. Advanced API-Based Offering
4 | © 2016, Palo Alto Networks. Confidential and Proprietary.
APIs
Resource
Configurations
User
Activity
Network
Traffic
Host Activity &
Vulnerabilities
THIRD PARTY FEEDS
APIs
COLLECTION, AGGREGATION & NORMALIZATION SERVICE
DETECTIONSignature Based ML Assisted
Cloud CMDB
Compliance
Reporting
Threat Detection
& Response
3rd Party AppsStorage DLP
Scanning
29. UEBA Example
6 | © 2018, Palo Alto Networks. All Rights Reserved.
Developer
accidentally leaks
cloud access keys on
GitHub.
Hacker attempts to
log in and steal data
from the cloud
account.
RedLock detects key
usage from an unusual
location, performing
unusual activities.
RedLock alerts the
SOC team and also
provides full history of
all activities
associated with this
key.
30. User & Entity Behavior Monitoring (UEBA)
7 | © 2018 Palo Alto Networks, Inc. All Rights Reserved.
App Servers
Cloud Configuration
settings RedLock CSP
admin baseline
(modelling) DB
CSP audit
trail logs
RedLock alerting and analytics
Unusual admin
activity / location
CI/CD pipeline
tools / automation
CSP admins
31. Network Monitoring Example
8 | © 2018, Palo Alto Networks. All Rights Reserved.
User creates a
security group but
leaves it open.
RedLock discovers it, sees it is associated with a VM running
MongoDB, and then determines the database is receiving
internet traffic coming from a known malicious IP address.
RedLock
automatically moves
the database to a
private security group
to remediate risk.
32. Network Monitoring & Analytics
9 | © 2018 Palo Alto Networks, Inc. All Rights Reserved.
App Servers
Malicious users
Misconfigured
App Servers
CSP
Flow
Logs
RedLock alerting and analytics
End users
33. Configuration Monitoring
10 | © 2018 Palo Alto Networks, Inc. All Rights Reserved.
End users
App Servers
Cloud Configuration
settings
CI/CD pipeline
tools / automation
Un-authorized change
Authorized change
RedLock alerting, analytics & remediation
Non CI/CD
pipeline user
34. RedLock Query Language (RQL)
11 | © 2018 Palo Alto Networks, Inc. All Rights Reserved.
Find all EC2 instances with a public IP address
Find all DB instances receiving traffic from public IP addresses
Find suspicious user activities in the last 30 days
Find VM’s with no tags
Find VPCs with internet Gateway attached
Find changes done by non-authorized pipeline user.
Find public exposed storage buckets
Identify application workloads receiving traffic from suspicious
IP addresses.
RQL examples
Question
Answer
35. Break & Networking
• Refresh your drink
• Grab some pizza
• Make new contacts
• Enter the prize draw!
37. Best Practices for Cloud
Management
Developing a mature Cloud Operations Framework
Nick Cannone
38. 2 © 2018 CLOUDHEALTH®
TECHNOLOGIES INC.
The Leader in Multicloud Management
Enterprise scale & global presence
GLOBAL OFFICES
HQ: Boston, MA
SAN FRANCISCO
SYDNEY
AMSTERDAM
LONDON
TEL AVIV
SINGAPORE
PARIS
FORRESTER CLOUD COST MONITORING & OPTIMIZATION WAVE
LEADER
VMWARE + CHT: FORRESTER HYBRID CLOUD MANAGEMENT WAVE
LEADER / STRONG PERFORMER
VMWARE ANNOUCES CH ACQUISITION
AUG. 27, 2018
“We will make
CloudHealth the
cloud operations
platform of choice
for the industry.”
- Pat Gelsinger, CEO VMware
ANNUAL CLOUD SPEND MANAGED
$5B+
DAILY ASSETS MANAGED
1.8B
MONTHLY AVERAGE SAVINGS
25%+
DAILY REPORTS GENERATED
14K
CUSTOMERS | PARTNERS
3,800+ | 150+
39. 3 © 2018 CLOUDHEALTH®
TECHNOLOGIES INC.
Driving increased value at each stage of the your customer’s cloud adoption journey.
Your Business Partner for Customer Success
Support business KPIs
Increase ROI
Facilitate stakeholder collaboration
Drive continuous optimization
Deliver enterprise-class,
Cloud Financial showback Increase predictability & improve TCO
40. 4 © 2017 CLOUDHEALTH®
TECHNOLOGIES I NC.
When initially embarking on the journey of
developing mature cloud operations you start
with the basics of Cost & Visibility:
• Accurately allocate costs & find unused
resources (Zombie infrastructure)
• Before you can worry about anything else
you need to know what you have, where
it came from and if it’s actually being
used
• This could be tying costs back to a
project, business unit, or the team that
spun that resource up
Stage 1 - Beginning the Journey
41. 5 © 2017 CLOUDHEALTH®
TECHNOLOGIES I NC.
Now that we know where the resources came
from, and allocate costs back we can look at
the next stage encompassing two areas:
• Cost and Visibility:
• Optimize costs & Infrastructure
-
• Security Compliance:
• We’ve addressed misconfiguration of
Infrastructure; what about security
Stage 2 - Establishing Cloud Operations
42. 6 © 2017 CLOUDHEALTH®
TECHNOLOGIES I NC.
Scalability of best practices:
• Cost & Visibility
• Giving responsibility back to the teams
-
• Security Compliance
• Different environments/applications
have different requirements
-
• Governance
• Proactive, not reactive
Stage 3 - Developing a Framework
43. 7 © 2017 CLOUDHEALTH®
TECHNOLOGIES I NC.
These final stages are typically seen only
amongst the most advanced users globally
• Cost & Visibility
• Business wide strategy
-
• Security Compliance
• Automated remediation
-
• Governance
• Cloud Center of Excellence
-
• Service Integration
• KPIs
Stage 4 - Mastery of Best Practices
44. 8 © 2017 CLOUDHEALTH®
TECHNOLOGIES I NC.
47. Thanks For Coming
Join Us Next Month for our final Meetup of 2018!
We will be hosting an open panel night, with speakers from our sponsors,
amazon and more.
Be sure to come along!
>> Register @ http://www.meetup.com/AWS-Sydney/ <<
