AWS Security: A Practitioner’s Perspective
Jason Chan
chan@netflix.com
San Francisco AWS Users Group
April 17, 2012
Jason Chan
• Cloud Security Architect @ Netflix
• Previously:
  • Most recently led security team at VMware
  • Primarily security consulting at @stake, iSEC Partners
• Some presentations at:
  • http://www.slideshare.net/netflix
Agenda
•   Goals and non-goals
•   AWS on one slide
•   Netflix in the cloud
•   AWS security: Overview
•   AWS security: Gotchas
•   AWS security: Recommendations
•   Takeaways
Non-Goals

• Primer on general cloud security issues
• AWS how-to
• Comprehensive guide to AWS security
• Info on designing for high-availability
AWS Overview
AWS on a Slide

“The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure.”
- Werner Vogels (AWS CTO)
August 25, 2009, ‘All Things
Netflix in the Cloud
Outgrowing Data Center
  http://techblog.netflix.com/2011/02/redesigning-netflix-api.html


    Netflix API: Growth in Requests
Outgrowing Data Center
  http://techblog.netflix.com/2011/02/redesigning-netflix-api.html


    Netflix API: Growth in Requests




         37x Growth 1/10 - 1/11
Outgrowing Data Center
  http://techblog.netflix.com/2011/02/redesigning-netflix-api.html


    Netflix API: Growth in Requests




         37x Growth 1/10 - 1/11
Outgrowing Data Center
        http://techblog.netflix.com/2011/02/redesigning-netflix-api.html


          Netflix API: Growth in Requests




               37x Growth 1/10 - 1/11

Netflix Deployed on AWS
[Chart: Datacenter Capacity]
2009 - Content (Video Masters): EC2, S3, CDN
2009 - Logs: S3, EMR Hadoop, Hive, Business Intelligence
2010 - Play: DRM, CDN Routing, Bookmarks, Logging
2010 - WWW: Sign-up, Search, Movie Choosing, Ratings
2010 - API: Metadata, Device Config, TV Movie Choosing, Social/Facebook
2011 - CS International: CS Lookup, Diagnostics and Actions, Customer Call Log, CS Analytics

EC2, S3, SQS, SDB, VPC, ELB, EMR, Route53, IAM, SWF, CloudWatch, EBS, SNS, SES
AWS Security Overview
Shared Responsibility
AWS Credentials and Identifiers
Services, Actions, and Resources
Controlling Network Traffic
AWS Security-Related Services
Shared Responsibility
[Diagram: YOU / AWS]
http://aws.amazon.com/security/
AWS Credentials and Identifiers

Account Identifiers
  Account ID                  12 digit identifier
  Canonical User ID           Used for S3 permissioning

Resource Identifier
  Amazon Resource Name (ARN)  Unique resource identifier:
                              arn:aws:sns:us-east-1:1234567890123456:mytopic

Sign-In Credentials
  Main Account E-Mail/PW      Console access
  IAM Account Name/PW         Console access
  MFA Token                   HW/SW token for additional security

Access Credentials
  Access Keys                 REST API
  X.509 Certificates          SOAP API, EC2 tools
  Key Pairs                   CloudFront, EC2

http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html
AWS Services, Actions, and Resources

  Service   Action                                    Resource
  S3        Get Object, Delete Bucket                 Bucket, Object
  EC2       Terminate Instances, Associate Address    Instance, AMI, EBS Volume

AWS policies can be applied to actions and resources.
Compatibility is service-dependent.
http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html
Policies - Example
{
    "Statement": [
      {
        "Action": [
           "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::testbucket/files/*",
        "Condition": {
           "DateLessThanEquals": {
              "aws:CurrentTime": "2012-05-31T12:00:00Z"
           },
           "IpAddress": {
              "aws:SourceIp": "1.1.1.1"
           }
        },
        "Principal": {
           "AWS": [
              "123456789012"
           ]
        }
      }
    ]
}

Reading the statement:
  "Action"     Which service? Which actions?
  "Effect"     Allow or deny?
  "Resource"   Which resource?
  "Condition"  Any conditions? (optional)
  "Principal"  To whom does the policy apply?

http://awspolicygen.s3.amazonaws.com/policygen.html
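To make the five questions above concrete, here is an added example (not from the slides, not AWS's own evaluation engine) that walks the slide's statement through a simplified version of the IAM decision procedure: explicit deny beats allow, anything unmatched is an implicit deny, and every Condition block must hold. It models only the operators the slide's policy uses; function names and the second account id are my own.

```python
"""Simplified evaluator for the bucket-policy statement shown on the slide.

Added example, not AWS's evaluation engine and not Netflix code. It models
only what the slide's statement uses (Action, Effect, Resource, Principal,
and the DateLessThanEquals / IpAddress condition operators), with IAM's
explicit-deny-beats-allow and default-deny outcome. Function names are mine.
"""
import fnmatch
import ipaddress
import json
from datetime import datetime, timezone

# The slide's policy (its account id and source IP are the slide's own values).
POLICY_JSON = """
{
  "Statement": [{
    "Action": ["s3:GetObject"],
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::testbucket/files/*",
    "Condition": {
      "DateLessThanEquals": {"aws:CurrentTime": "2012-05-31T12:00:00Z"},
      "IpAddress": {"aws:SourceIp": "1.1.1.1"}
    },
    "Principal": {"AWS": ["123456789012"]}
  }]
}
"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_matches(condition, ctx):
    """Every operator block must hold; within one key, any listed value may match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:          # missing context key: condition is false
                return False
            if operator == "DateLessThanEquals":
                ok = any(_parse_time(actual) <= _parse_time(v) for v in _as_list(expected))
            elif operator == "IpAddress":
                # strict=False lets a bare host address act as a /32.
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False)
                         for v in _as_list(expected))
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    return caller in _as_list(principal.get("AWS", []))


def evaluate(policy, caller, action, resource, ctx):
    """Return "Allow" or "Deny" for one request against the policy."""
    decision = "Deny"                                   # implicit deny
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", "*"), caller):
            continue
        # Action names are case-insensitive; resource ARNs are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                               # explicit deny wins outright
        decision = "Allow"
    return decision


def demo():
    """The slide's policy against a matching request and five near-misses."""
    ok = {"aws:CurrentTime": "2012-05-01T00:00:00Z", "aws:SourceIp": "1.1.1.1"}
    obj = "arn:aws:s3:::testbucket/files/report.pdf"
    me = "123456789012"
    other = "999999999999"  # constructed account id, not from the slides
    return {
        "in_scope": evaluate(POLICY, me, "s3:GetObject", obj, ok),
        "expired": evaluate(POLICY, me, "s3:GetObject", obj, {**ok, "aws:CurrentTime": "2012-06-01T00:00:00Z"}),
        "wrong_ip": evaluate(POLICY, me, "s3:GetObject", obj, {**ok, "aws:SourceIp": "2.2.2.2"}),
        "wrong_action": evaluate(POLICY, me, "s3:DeleteObject", obj, ok),
        "outside_prefix": evaluate(POLICY, me, "s3:GetObject", "arn:aws:s3:::testbucket/private/x", ok),
        "other_account": evaluate(POLICY, other, "s3:GetObject", obj, ok),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:15} {decision}")
```

The near-misses are the useful part: a request that fails any one of principal, action, resource or condition falls through to the implicit deny, and a request that arrives without a context key the condition needs (no aws:CurrentTime, say) is denied rather than waved through.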
Controlling Network Traffic in AWS
App Server --(TCP 3306)--> DB Server

Cisco Configuration
permit tcp host 1.1.1.1 host 2.2.2.2 eq 3306

AWS Configuration
ec2-authorize db -P tcp -p 3306 -o app
(-o names the source security group; -s takes a source CIDR)
Security Groups & ACLs

  Type                Stateful  Ingress  Egress  EC2  VPC  Cross-Account  Dynamic Membership
  EC2 Security Group  Y         Y        N       Y    N    Y              N
  VPC Security Group  Y         Y        Y       N    Y    N              Y
  DB Security Group   Y         Y        N       Y    Y    Y              Y
  VPC Network ACL     N         Y        Y       N    Y    N/A            N/A
AWS Security-Related
     Services
• Identity and Access Management (IAM)
 • Multi-Factor Authentication (MFA)
 • Security Token Service (STS)
• Virtual Private Cloud (VPC)
AWS Security Gotchas
AWS Limits
IP Addresses in EC2
Elastic Load Balancing Security
S3 Policies and Object Ownership
AWS Resource Logging
Delivering Credentials to Instances
AWS Limits
• “Because the cloud is infinite if your requirements are moderate”
• Many AWS services have a variety of limits
  • Some of which are easily discoverable
• AWS services also have throttling (i.e. max RPS)
• Beware of self DoS via automation and autoscaling
• NOTE: http://aws.amazon.com/contact-us/ for limit increase requests
• NOTE: Track limits and inspect error messages
EC2 IP Addresses
• Each instance has two IPs - private and public
  # ec2-metadata
  ...
  local-hostname: ip-10-245-134-152.ec2.internal
  local-ipv4: 10.245.134.152
  ...
  public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com
  public-ipv4: 72.44.52.70
  ...

EC2 IP Addresses
• Name resolution depends on client location
  # ec2-metadata -o
  local-ipv4: 10.245.134.152
  # dig +short ec2-72-44-52-70.compute-1.amazonaws.com
  10.245.134.152
  # dig @8.8.4.4 +short ec2-72-44-52-70.compute-1.amazonaws.com
  72.44.52.70
EC2 IP Addresses
• Both public and private IPs are dynamic
  • Elastic IPs can be used for persistent public IPs
• Within a region, instances use their private IPs
• Across regions & for Internet traffic, the public IP is used
• NOTE: Traffic to the public IP/EIP:
  • Incurs regional data transfer costs
  • Is less performant in-region
  • Does not preserve source security group info
Elastic Load Balancers
• Service availability and traffic balancing across EC2 instances
• Stable DNS for publicly-facing services
  • Alias to the ELB DNS CNAME
• SSL termination, session stickiness, etc.
[Diagram: Internet -> ELB -> Instance, Instance, Instance]
Elastic Load Balancers
• ELB intercepts and forwards traffic
• Traffic loses source IP
  • Client IP is accessible via X-Forwarded-For
• Backend instances must allow traffic from the ELB
  • Traffic from ELB == Traffic from Internet
• Without additional (non-security-group) filtering, ELBs should only be used for public use cases
• NOTE: VPC ELBs can use security groups for limiting access
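Two of the points above have a code-level consequence for the backend: the client address has to be recovered from X-Forwarded-For, and any "additional filtering" the slide mentions has to be done on that recovered address. The example below is added here and is not from the slides or Netflix. It assumes the usual ELB behaviour of appending the connecting client's address to X-Forwarded-For, so the rightmost entry is the one the load balancer vouches for while anything left of it arrived from the client; the header values are constructed.

```python
"""Recovering the client IP behind an ELB from X-Forwarded-For.

Added example, not from the slides. ELB appends the connecting client's
address to X-Forwarded-For, so the rightmost entry is the one the load
balancer vouches for; entries to its left were supplied by the client and
must not be used for access decisions or logged as the peer address.
"""
import ipaddress

# Constructed request headers, as a backend behind an ELB would see them.
# In the first case the leftmost value was sent by the client; the ELB
# appended 203.0.113.7 (the address it actually saw).
HEADERS_TWO_HOPS = {"X-Forwarded-For": "10.0.0.5, 203.0.113.7", "X-Forwarded-Proto": "https"}
HEADERS_PLAIN = {"X-Forwarded-For": "198.51.100.23"}
HEADERS_DIRECT = {}  # request that did not come through the ELB at all


def client_ip(headers, peer_ip, trusted_proxies=1):
    """Return the client address as seen by the ELB.

    peer_ip is the TCP peer (an ELB node when traffic arrives via the ELB).
    With trusted_proxies proxies in front, the client is the trusted_proxies-th
    entry from the right of the list; with no usable header, the peer itself is
    the best available answer.
    """
    raw = headers.get("X-Forwarded-For", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if len(entries) < trusted_proxies:
        return peer_ip  # header missing or too short for the expected proxy chain
    candidate = entries[-trusted_proxies]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip  # malformed entry: fall back rather than trust garbage


def first_hop_client_ip(headers, peer_ip):
    """The common mistake: take the first entry, which the client controls."""
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return first or peer_ip


def is_allowed(headers, peer_ip, allowed_cidrs):
    """Application-level source filtering on the address the ELB vouches for."""
    ip = ipaddress.ip_address(client_ip(headers, peer_ip))
    return any(ip in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)


if __name__ == "__main__":
    elb_node = "10.1.2.3"  # constructed ELB node address
    print("correct :", client_ip(HEADERS_TWO_HOPS, elb_node))
    print("naive   :", first_hop_client_ip(HEADERS_TWO_HOPS, elb_node))
    print("allowed?:", is_allowed(HEADERS_TWO_HOPS, elb_node, ["10.0.0.0/8"]))
```

The contrast between client_ip and first_hop_client_ip is the whole point: the naive version would treat the two-hop request as coming from 10.0.0.0/8 and let it through, while the rightmost-entry version sees the public address the ELB recorded. If another trusted proxy sits between the ELB and the backend, raise trusted_proxies accordingly; never infer the count from the header itself.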
S3 Policies and Object Ownership
• S3 bucket similar to container, object similar to a file
• Access control can be applied via bucket policy, bucket ACL, and object ACLs
• NOTE: Objects only inherit bucket-level permissions if written by bucket owner
  • Default ACL is “object creator: full control”
  • Objects written by a non-bucket-owner are inaccessible by bucket owner
• Use “x-amz-acl” header on write to fix permissions
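The ownership gotcha is easiest to see by running the rules rather than reading them. The block below is an added example, not S3 itself and not Netflix code: an in-memory bucket that applies exactly what the slide states (bucket policy reaches only objects the bucket owner owns, a new object's ACL is creator: FULL_CONTROL, and the writer can grant the bucket owner access with x-amz-acl at write time). The account ids are constructed placeholders.

```python
"""Toy model of the S3 object-ownership gotcha described on the slide.

Added example, not S3 itself. It applies only the rules the slide states;
account ids below are constructed placeholders.
"""

FULL_CONTROL, READ = "FULL_CONTROL", "READ"


class Bucket:
    def __init__(self, owner, policy_readers=()):
        self.owner = owner
        # Accounts the bucket policy grants s3:GetObject on this bucket.
        self.policy_readers = set(policy_readers)
        self.objects = {}  # key -> {"owner": account, "acl": {account: set(perms)}}

    def put_object(self, writer, key, headers=None):
        """Write an object; the writer becomes the object owner.

        Default object ACL is "creator: FULL_CONTROL". The x-amz-acl request
        header can add a grant for the bucket owner at write time.
        """
        headers = headers or {}
        acl = {writer: {FULL_CONTROL}}
        canned = headers.get("x-amz-acl", "private")
        if canned == "bucket-owner-full-control":
            acl.setdefault(self.owner, set()).add(FULL_CONTROL)
        elif canned == "bucket-owner-read":
            acl.setdefault(self.owner, set()).add(READ)
        elif canned != "private":
            raise ValueError(f"canned ACL not modelled: {canned}")
        self.objects[key] = {"owner": writer, "acl": acl}

    def can_read(self, account, key):
        """Object ACL grants apply first; the bucket policy only reaches owner-owned objects."""
        obj = self.objects[key]
        if obj["acl"].get(account, set()) & {READ, FULL_CONTROL}:
            return True
        return obj["owner"] == self.owner and account in self.policy_readers


def demo():
    """Three writes into one bucket; returns who can read what."""
    bucket_owner, partner, reader = "111111111111", "222222222222", "333333333333"  # constructed ids
    b = Bucket(owner=bucket_owner, policy_readers={reader})
    b.put_object(bucket_owner, "own.txt")
    b.put_object(partner, "partner-default.txt")                      # header forgotten
    b.put_object(partner, "partner-fixed.txt",
                 headers={"x-amz-acl": "bucket-owner-full-control"})  # the slide's fix
    return {
        "owner_reads_own": b.can_read(bucket_owner, "own.txt"),
        "policy_reader_reads_own": b.can_read(reader, "own.txt"),
        "owner_reads_partner_default": b.can_read(bucket_owner, "partner-default.txt"),
        "owner_reads_partner_fixed": b.can_read(bucket_owner, "partner-fixed.txt"),
        "policy_reader_reads_partner_fixed": b.can_read(reader, "partner-fixed.txt"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Note the last case: even with the header, the partner still owns the object, so the bucket policy does not reach it and the third-party reader is denied; the header fixes the bucket owner's own access, not policy coverage. On current S3 the whole class of problem can be switched off by setting the bucket's Object Ownership to "bucket owner enforced", which disables ACLs and makes the bucket owner own every object written to it.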
AWS Resource Logging
• AWS APIs and resources are publicly (Internet) accessible
• So, your management interfaces, file store, databases, etc. are publicly addressable
• Preventing access is generally possible through policy configuration
• NOTE: AWS provides no capability for logging or auditing resource access
Delivering Credentials
  to EC2 Instances
•   AWS becomes more valuable when leveraging
    multiple services (e.g. EC2 + SQS, S3, etc.)

•   Access to resources will generally require
    credentials

•   Secure delivery and storage of credentials
    becomes difficult with scale and automation

•   Some ideas:

    •   http://shlomoswidler.com/2009/08/how-to-keep-
        your-aws-credentials-on-ec2.html
AWS Security
Recommendations
Systematic Approach to AWS Security
       Shared Responsibility
         AWS Management
 AWS Security Features and Services
         Resource Security
        Operations Security
Systematic Approach to
     AWS Security
• Understand shared responsibility model
• Management of AWS
• AWS security features and services
• AWS resource security
• Secure AWS operations
Shared
                Responsibility
           •   Analyze what each side
               provides in terms of
               security controls

           •   Understand legal/
               contractual aspects

           •   Make plans to bridge any
               gaps


https://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework
                http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html
AWS Management
•   No longer any reason to not use IAM

•   Enable:

    •   IAM

    •   MFA (for account and IAM accounts)

•   Create groups and assign permissions appropriate
    for organizational model

•   Consider using separate top-level accounts for
    compartmentalization
AWS Security Features
   and Services
• Understand security features, limitations,
  and options of the features you use
  • S3 - encryption, MFA delete, versioning
  • EC2 - dedicated instances, disabling API
    termination
• Consider VPC based on use cases and
  requirements
AWS Resource Security

•   Review access requirements for AWS resources

    •   S3 buckets, SimpleDB domains, SQS queues

•   Apply resource policies to control access
    appropriately

•   Use policy conditions to enhance security

    •   SourceIP, CurrentTime, SecureTransport
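The S3 object-ownership gotcha (fixed with the x-amz-acl header) and the policy conditions listed above (SourceIP, CurrentTime, SecureTransport), worked through in an added Python example that is not from the talk: a constructed bucket policy denies any PutObject that does not carry x-amz-acl: bucket-owner-full-control and allows reads only from an assumed corporate CIDR, over TLS, before a cut-off date, and a deliberately simplified evaluator (explicit deny wins; a missing context key satisfies only the negated operators, as in AWS) shows which requests get through. The bucket name, object key, CIDR and dates are made up.

```python
# Simplified model of S3 bucket-policy evaluation (added example, not the
# talk's code). Only the condition operators the slides' examples need are
# modelled; the real AWS evaluator supports many more and also merges IAM
# user policies and ACLs into the decision.
import ipaddress
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed policy for a made-up bucket. Statement 1 closes the object
# ownership hole: a write that does not grant the bucket owner full control
# is denied outright. Statement 2 gates reads on source address, TLS and a
# cut-off time. Statement 3 lets anyone who passes statement 1 write.
BUCKET_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "RequireOwnerFullControl", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "OfficeReadOverTls", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"},
                       "Bool": {"aws:SecureTransport": "true"},
                       "DateLessThan": {"aws:CurrentTime": "2013-01-01T00:00:00Z"}}},
        {"Sid": "UploaderWrite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

OBJECT_ARN = "arn:aws:s3:::example-bucket/logs/2012-04-17.gz"  # constructed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one condition test against the request context.

    A missing context key fails positive operators and satisfies negated
    ones; that is what lets the StringNotEquals deny catch a PutObject
    that omits the x-amz-acl header altogether.
    """
    actual = ctx.get(key)
    if actual is None:
        return operator.startswith("StringNot")
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringNotEquals":
        return actual != expected
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected)
    raise ValueError(f"unsupported operator: {operator}")


def _statement_applies(stmt, action, resource, ctx):
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, expected, ctx)
               for op, tests in stmt.get("Condition", {}).items()
               for key, expected in tests.items())


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny': explicit deny wins, no match is an implicit deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def put_decision(acl_header=None):
    """Outcome of a PutObject carrying the given x-amz-acl header (None = omitted)."""
    ctx = {"aws:SecureTransport": "true"}
    if acl_header is not None:
        ctx["s3:x-amz-acl"] = acl_header
    return evaluate(BUCKET_POLICY, "s3:PutObject", OBJECT_ARN, ctx)


def get_decision(source_ip, secure=True, when="2012-04-17T10:00:00Z"):
    """Outcome of a GetObject from source_ip, with or without TLS, at time `when`."""
    ctx = {"aws:SourceIp": source_ip,
           "aws:SecureTransport": "true" if secure else "false",
           "aws:CurrentTime": when}
    return evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN, ctx)


if __name__ == "__main__":
    print("put, no ACL header:      ", put_decision())                            # Deny
    print("put, owner full control: ", put_decision("bucket-owner-full-control"))  # Allow
    print("get from office over TLS:", get_decision("192.0.2.10"))                 # Allow
    print("get from office, no TLS: ", get_decision("192.0.2.10", secure=False))   # Deny
    print("get from elsewhere:      ", get_decision("198.51.100.7"))               # Deny
```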
Secure AWS
              Operations
•   Understand security group/ACL differences

    •   Design and implement according to architectural
        requirements

•   Actively manage and monitor accounts and
    credentials
Other
        Recommendations
•   Tools like boto are useful for security monitoring and analysis

•   Keep an eye on:

    •   http://aws.typepad.com/

    •   @jeffbarr

    •   AWS Endpoints: http://docs.amazonwebservices.com/
        general/latest/gr/rande.html

    •   EC2 IP Ranges: https://forums.aws.amazon.com/
        forum.jspa?forumID=30
Takeaways

•   AWS provides an array of services that allow you to
    construct and operate large scale web services in a self-
    service, pay as you go model

•   The cloud operating model requires you to understand
    the security responsibilities of both provider and
    consumer

•   Understanding AWS’ security features and capabilities
    and taking a systematic approach to AWS security will
    help ensure optimized and secure service use
Thanks!
Questions?
 chan@netflix.com
Backup Slides
Cloud and Platform
   Engineering
•   Engineering Tools: Orchestration, build and deployment

•   Cloud Solutions: Monitoring, consulting, Simian Army

•   CORE: 24/7 site reliability

•   Platform Engineering: Core shared components and libraries

•   Security: Application, engineering, and operational

•   Cloud Database Engineering: Cassandra, SDB, RDS

•   Cloud Performance: Testing, optimization, cost

•   Cloud Architecture: Overall design patterns
Netflix PaaS
•   Supports all AWS regions and availability zones

•   Supports multiple AWS accounts

•   One-click deployment and load balancing across three
    datacenters

•   Cross-region and account data replication and archive

•   Dynamic and fine-grained security

•   Automatic scaling to thousands of instances

•   Monitoring for millions of metrics

•   Base server and client

•   I18n, L10n, geo IP routing

        http://www.slideshare.net/netflix
Security Monkey
     http://techblog.netflix.com/2011/07/netflix-simian-army.html

• Centralized framework for cloud security
  monitoring and analysis
• Leverages AWS APIs and common security
  tools
Security Monkey
•   Certificate monitoring

•   Security group monitoring

•   Exposed instances/applications

•   Web application vulnerability scanning

•   Upcoming:

    •   Policy analysis (firewall, user, S3, etc.)
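The "tools like boto are useful for security monitoring" recommendation and Security Monkey's security group monitoring, illustrated by an added Python example that is not Security Monkey's code or the talk's own: it audits EC2 security group rules for world-open sensitive ports and flattens two snapshots into rule signatures so that added or removed rules can be detected between runs. It works on a constructed list in the shape boto3's describe_security_groups() returns (group IDs, ports and CIDRs are made up), so it runs offline; in practice both snapshots would come from boto.

```python
# Audit EC2 security group rules and diff two snapshots (added example,
# not Security Monkey's code). Input is shaped like the "SecurityGroups"
# list returned by boto3's describe_security_groups().
from ipaddress import ip_network

# Ports whose exposure to the whole Internet is almost never intended.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   7000: "cassandra", 9160: "cassandra-thrift"}

# Constructed sample data; these are not real groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0b2", "GroupName": "cassandra", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 7000, "ToPort": 7001,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0b2"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0c3", "GroupName": "legacy-admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
]


def _ports(rule):
    """Port range a rule covers; protocol -1 means every port of every protocol."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)


def audit_security_groups(groups):
    """Return (group_id, severity, message) findings for CIDR-sourced rules.

    Rules whose only source is another security group are skipped: they
    do not expose anything to the Internet by themselves.
    """
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for rule in group.get("IpPermissions", []):
            ports = _ports(rule)
            exposed = [p for p in sorted(SENSITIVE_PORTS) if p in ports]
            names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in exposed)
            for ip_range in rule.get("IpRanges", []):
                net = ip_network(ip_range["CidrIp"])
                world_open = net.prefixlen == 0
                if world_open and rule.get("IpProtocol") == "-1":
                    findings.append((gid, "high", "all protocols and ports open to the world"))
                elif world_open and exposed:
                    findings.append((gid, "high", f"{names} open to the world"))
                elif world_open:
                    # Expected for a public listener (e.g. 443), so informational only.
                    findings.append((gid, "info", f"{ports.start}-{ports[-1]} open to the world"))
                elif exposed and net.prefixlen < 24:
                    findings.append((gid, "medium", f"{names} open to {net} (wider than a /24)"))
    return findings


def rule_signatures(groups):
    """Flatten groups into hashable rule signatures so two snapshots can be diffed."""
    sigs = set()
    for group in groups:
        for rule in group.get("IpPermissions", []):
            sources = tuple(sorted(
                [r["CidrIp"] for r in rule.get("IpRanges", [])]
                + [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]))
            sigs.add((group["GroupId"], rule.get("IpProtocol"),
                      rule.get("FromPort", -1), rule.get("ToPort", -1), sources))
    return sigs


def diff_snapshots(previous, current):
    """Rules that appeared or disappeared between two describe_security_groups runs."""
    old, new = rule_signatures(previous), rule_signatures(current)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(*finding, sep="\t")
```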
References


• http://www.slideshare.net/netflix
• http://techblog.netflix.com
• https://cloudsecurityalliance.org/

The Psychology of Security Automation
 
Splitting the Check on Compliance and Security
Splitting the Check on Compliance and SecuritySplitting the Check on Compliance and Security
Splitting the Check on Compliance and Security
 
Careers in Security
Careers in SecurityCareers in Security
Careers in Security
 
Practical Security Automation
Practical Security AutomationPractical Security Automation
Practical Security Automation
 
Cloud Security @ Netflix
Cloud Security @ NetflixCloud Security @ Netflix
Cloud Security @ Netflix
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 

Recently uploaded

UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 

Recently uploaded (20)

201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 

AWS Security: A Practitioner's Perspective

  • 1. AWS Security: A Practitioner’s Perspective Jason Chan chan@netflix.com San Francisco AWS Users Group April 17, 2012
  • 2. Jason Chan • Cloud Security Architect @ Netflix • Previously: • Most recently led security team at VMware • Primarily security consulting at @stake, iSEC Partners • Some presentations at: • http://www.slideshare.net/netflix
  • 3. Agenda • Goals and non-goals • AWS on one slide • Netflix in the cloud • AWS security: Overview • AWS security: Gotchas • AWS security: Recommendations • Takeaways
  • 8. Non-Goals • Primer on general cloud security issues • AWS how-to • Comprehensive guide to AWS security • Info on designing for high-availability
  • 13. AWS on a Slide “The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure.” - Werner Vogels (AWS CTO) August 25, 2009, ‘All Things
  • 18. Outgrowing Data Center http://techblog.netflix.com/2011/02/redesigning-netflix-api.html Netflix API: Growth in Requests, 37x Growth 1/10 - 1/11 [chart: API request volume against datacenter capacity]
  • 19. Netflix Deployed on AWS [timeline 2009-2011 of Netflix systems moved to AWS: Content Logs, Play, WWW, API, CS, Video Masters, International, S3, DRM, Sign-up, Metadata, CS Lookup, Device Diagnostics, EC2, EMR Hadoop, CDN Routing, Search, Config and Actions, Movie Choosing, TV Movie Choosing, Customer Call Log, S3, Hive, Bookmarks, Business Intelligence, Social/Facebook, CDN Logging, Ratings, CS Analytics] AWS services used: EC2, S3, SQS, SDB, VPC, ELB, EMR, Route53, IAM, SWF, CloudWatch, EBS, SNS, SES
  • 20. AWS Security Overview Shared Responsibility AWS Credentials and Identifiers Services, Actions, and Resources Controlling Network Traffic AWS Security-Related Services
  • 26. Shared Responsibility [diagram: YOU / AWS] http://aws.amazon.com/security/
  • 32. AWS Credentials and Identifiers
    Account Identifiers
      • Account ID: 12-digit identifier
      • Canonical User ID: used for S3 permissioning
    Resource Identifier
      • Amazon Resource Name (ARN): unique resource identifier, e.g. arn:aws:sns:us-east-1:123456789012:mytopic (the account portion is the 12-digit Account ID)
    Sign-In Credentials
      • Main account e-mail/password: console access
      • IAM account name/password: console access
      • MFA token: HW/SW token for additional security
    Access Credentials
      • Access keys: REST API
      • X.509 certificates: SOAP API, EC2 tools
      • Key pairs: CloudFront, EC2
    http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html
  • 44. AWS Services, Actions, and Resources
    Service | Action                                 | Resource
    S3      | Get Object, Delete Bucket              | Bucket, Object
    EC2     | Terminate Instances, Associate Address | Instance, AMI, EBS Volume
    AWS policies can be applied to actions and resources. Compatibility is service-dependent.
    http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html
  • 52. Policies - Example
    {
      "Statement": [
        {
          "Action": [ "s3:GetObject" ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::testbucket/files/*",
          "Condition": {
            "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" },
            "IpAddress": { "aws:SourceIp": "1.1.1.1" }
          },
          "Principal": { "AWS": [ "123456789012" ] }
        }
      ]
    }
    Reading the statement: "Action" names the service and the actions (s3:GetObject); "Effect" says allow or deny; "Resource" names which resource; "Condition" (optional) adds conditions, here a cut-off time and a source IP; "Principal" says to whom the policy applies (account 123456789012).
    http://awspolicygen.s3.amazonaws.com/policygen.html
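The following is an added example, not from the talk and not AWS's evaluation engine: a small Python evaluator that applies the statement above to a request in the order the slide's annotations describe (principal, action, resource, conditions, effect), with the implicit deny for anything no statement matches and explicit Deny winning over Allow. The request shape (principal, action, resource ARN, context keys) and the two supported condition operators are this example's own simplification of the policy language.

```python
"""Minimal evaluator for the S3 bucket-policy statement on slide 45.

Added example, not from the talk. It implements the subset of the AWS
policy language that statement uses so the reader can see which requests
get through and which fall to the implicit deny. The request format and
the evaluator are this example's own; they are not AWS's engine.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase
import ipaddress

# The statement from slide 45, copied verbatim.
POLICY = {
    "Statement": [
        {
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::testbucket/files/*",
            "Condition": {
                "DateLessThanEquals": {"aws:CurrentTime": "2012-05-31T12:00:00Z"},
                "IpAddress": {"aws:SourceIp": "1.1.1.1"},
            },
            "Principal": {"AWS": ["123456789012"]},
        }
    ]
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(conditions, ctx):
    """All operators and all keys must hold (AND); a missing context key never satisfies."""
    for operator, keys in conditions.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "DateLessThanEquals":
                ok = _parse_time(actual) <= _parse_time(expected)
            elif operator == "IpAddress":
                # A bare address such as "1.1.1.1" is treated as a /32 network.
                nets = [ipaddress.ip_network(v, strict=False) for v in _as_list(expected)]
                ok = any(ipaddress.ip_address(actual) in n for n in nets)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, principal, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request.

    Mirrors AWS ordering: an explicit Deny beats any Allow, and a request
    that matches no statement falls through to the implicit deny.
    '*' and '?' in Action and Resource are wildcards, as in AWS policies.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        allowed_principals = _as_list(stmt["Principal"]["AWS"])
        if "*" not in allowed_principals and principal not in allowed_principals:
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    ctx = {"aws:CurrentTime": "2012-05-01T00:00:00Z", "aws:SourceIp": "1.1.1.1"}
    obj = "arn:aws:s3:::testbucket/files/report.txt"
    print(evaluate(POLICY, "123456789012", "s3:GetObject", obj, ctx))
    print(evaluate(POLICY, "123456789012", "s3:PutObject", obj, ctx))
```

Two things the evaluator makes visible that the JSON alone does not: the condition is a conjunction, so a request from the right IP after the cut-off date is denied just as one from the wrong IP before it is, and a request that omits a context key the condition references is denied rather than skipped.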
  • 55. Controlling Network Traffic in AWS
    App Server --TCP 3306--> DB Server
    Cisco Configuration: permit tcp host 1.1.1.1 host 2.2.2.2 eq 3306
    AWS Configuration: ec2-authorize db -P tcp -p 3306 -o app -u 123456789012
    (ec2-authorize takes the source security group with -o and its owning account with -u; -s is for a source CIDR. The AWS rule names the source by group rather than by address, so it keeps working as instances in "app" come and go.)
  • 59. Security Groups & ACLs
    Type               | Stateful | Ingress | Egress | EC2 | VPC | Cross-Account | Dynamic Membership
    EC2 Security Group | Y        | Y       | N      | Y   | N   | Y             | N
    VPC Security Group | Y        | Y       | Y      | N   | Y   | N             | Y
    DB Security Group  | Y        | Y       | N      | Y   | Y   | Y             | Y
    VPC Network ACL    | N        | Y       | Y      | N   | Y   | N/A           | N/A
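The "Stateful" column is the one that bites in practice. As an added example, not from the talk, the Python below simulates the App -> DB TCP 3306 flow from slide 55 through a stateful filter (a security group) and a stateless one (a VPC network ACL) with the same single allow rule. The rule and packet shapes are this example's own simplification (a real NACL carries rule numbers and a security group would reference a source group rather than a CIDR), and the addresses 10.0.1.10 (app) and 10.0.2.20 (db) are made up.

```python
"""Stateful security group vs. stateless network ACL, simulated.

Added example, not from the talk. Rules and packets are simplified to
namedtuples; "direction" is always from the protected host's point of
view. Addresses are made-up private IPs.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "direction proto port_lo port_hi cidr action")
Pkt = namedtuple("Pkt", "direction proto src dst sport dport")

APP, DB = "10.0.1.10", "10.0.2.20"


def _rule_matches(rule, pkt):
    if rule.direction != pkt.direction or rule.proto != pkt.proto:
        return False
    if not rule.port_lo <= pkt.dport <= rule.port_hi:
        return False
    # An inbound rule's CIDR describes the remote source; an outbound rule's the remote destination.
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    return ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Stateful: once a packet is allowed, replies on that flow pass without a rule."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def allows(self, pkt):
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:
            return True                       # reply to a tracked connection
        if any(r.action == "allow" and _rule_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return True
        return False                          # no deny rules in a security group; unmatched is dropped


class NetworkACL:
    """Stateless: every packet, replies included, is matched against the rules in order."""

    def __init__(self, rules):
        self.rules = rules

    def allows(self, pkt):
        for r in self.rules:
            if _rule_matches(r, pkt):
                return r.action == "allow"
        return False                          # the trailing '*' deny rule


def mysql_exchange(fw):
    """Push the app's request and the DB's reply through a filter guarding the DB host.

    Returns (request_allowed, reply_allowed).
    """
    request = Pkt("in", "tcp", APP, DB, 49152, 3306)   # app ephemeral port -> mysql
    reply = Pkt("out", "tcp", DB, APP, 3306, 49152)    # mysql -> app ephemeral port
    return fw.allows(request), fw.allows(reply)


# The one rule the slide's ec2-authorize line expresses, written as a CIDR.
ALLOW_APP_TO_3306 = Rule("in", "tcp", 3306, 3306, APP + "/32", "allow")
# What a stateless ACL additionally needs: the reply back to the app's ephemeral port.
ALLOW_REPLIES_TO_APP = Rule("out", "tcp", 1024, 65535, APP + "/32", "allow")

if __name__ == "__main__":
    print("security group     :", mysql_exchange(SecurityGroup([ALLOW_APP_TO_3306])))
    print("NACL, inbound only :", mysql_exchange(NetworkACL([ALLOW_APP_TO_3306])))
    print("NACL, with egress  :", mysql_exchange(NetworkACL([ALLOW_APP_TO_3306, ALLOW_REPLIES_TO_APP])))
```

With the single inbound rule the security group passes both the request and the reply, while the network ACL passes the request and silently drops the reply: the connection appears to hang rather than fail. The fix for the ACL is the explicit outbound rule for the ephemeral port range, which is why NACL rule sets are wider than the equivalent security group.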
  • 60. AWS Security-Related Services • Identity and Access Management (IAM) • Multi-Factor Authentication (MFA) • Security Token Service (STS) • Virtual Private Cloud (VPC)
  • 61. AWS Security Gotchas AWS Limits IP Addresses in EC2 Elastic Load Balancing Security S3 Policies and Object Ownership AWS Resource Logging Delivering Credentials to Instances
  • 69. AWS Limits
    • “Because the cloud is infinite if your requirements are moderate”
    • Many AWS services have a variety of limits
      • Some of which are easily discoverable
    • AWS services also have throttling (e.g. max RPS)
    • Beware of self-DoS via automation and autoscaling
    • NOTE: http://aws.amazon.com/contact-us/ for limit increase requests
    • NOTE: Track limits and inspect error messages
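The self-DoS case deserves a concrete shape. As an added example, not from the talk, the Python below simulates an API that throttles above a fixed request rate and shows the two things worth having on the client side: a retry wrapper with exponential backoff and full jitter (so an autoscaled fleet does not retry in lock-step), and a count of throttled calls that can be tracked before the limit becomes an outage. FakeApi and FakeClock are constructed stand-ins; nothing here talks to AWS. The error name RequestLimitExceeded is the one EC2 uses; other services use their own.

```python
"""Surviving API throttling without turning it into a self-DoS (simulated).

Added example, not from the talk. FakeApi and FakeClock are stand-ins so
the run is instant and reproducible; with_backoff is the piece to keep.
"""
import random
import time


class ThrottlingError(Exception):
    """Stand-in for the throttling error an AWS SDK raises."""


class FakeClock:
    """Deterministic clock: sleeping advances time instead of waiting."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeApi:
    """Accepts at most `limit` calls per one-second window, then throttles."""

    def __init__(self, limit, clock):
        self.limit, self.clock = limit, clock
        self.window_start, self.count = clock.now(), 0
        self.throttled = 0   # track this: it is the early warning that a limit is near

    def call(self):
        now = self.clock.now()
        if now - self.window_start >= 1.0:
            self.window_start, self.count = now, 0
        self.count += 1
        if self.count > self.limit:
            self.throttled += 1
            raise ThrottlingError("RequestLimitExceeded")
        return "ok"


def with_backoff(fn, max_attempts=6, base=0.05, cap=1.0, sleep=time.sleep, rng=random.random):
    """Call fn(); on ThrottlingError wait rng() * min(cap, base * 2**attempt) and retry.

    Full jitter spreads a fleet's retries across the window instead of
    having every instance retry at the same instant.
    """
    for attempt in range(max_attempts):
        try:
            return fn()
        except ThrottlingError:
            if attempt == max_attempts - 1:
                raise
            sleep(rng() * min(cap, base * 2 ** attempt))


def run_burst(n_calls, limit, max_attempts=6, rng=lambda: 1.0):
    """Fire n_calls at an API limited to `limit`/s; return (successes, throttled, elapsed_s).

    rng defaults to a constant 1.0 (no jitter) so the numbers are
    reproducible; pass random.random for the real behaviour.
    """
    clock = FakeClock()
    api = FakeApi(limit, clock)
    successes = 0
    for _ in range(n_calls):
        try:
            with_backoff(api.call, max_attempts=max_attempts, sleep=clock.sleep, rng=rng)
            successes += 1
        except ThrottlingError:
            pass   # gave up on this call after max_attempts
    return successes, api.throttled, round(clock.t, 2)


if __name__ == "__main__":
    print("with backoff:", run_burst(5, limit=2))
    print("no retries  :", run_burst(5, limit=2, max_attempts=1))
```

Five calls against a 2/s limit all succeed with backoff but cost ten throttled responses and about three seconds of waiting; without retries three of the five simply fail. Either way the throttled count is the number to graph, since it rises well before requests start being dropped for good.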
  • 72. EC2 IP Addresses
    • Each instance has two IPs - private and public
      # ec2-metadata
      ...
      local-hostname: ip-10-245-134-152.ec2.internal
      local-ipv4: 10.245.134.152
      ...
      public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com
      public-ipv4: 72.44.52.70
      ...
  • 75. EC2 IP Addresses
    • Name resolution depends on client location
      # ec2-metadata -o
      local-ipv4: 10.245.134.152
      # dig +short ec2-72-44-52-70.compute-1.amazonaws.com
      10.245.134.152
      # dig @8.8.4.4 +short ec2-72-44-52-70.compute-1.amazonaws.com
      72.44.52.70
  • 84. EC2 IP Addresses
    • Both public and private IPs are dynamic
    • Elastic IPs can be used for persistent public IPs
    • Within a region, instances use their private IPs
    • Across regions & for Internet traffic, the public IP is used
    • NOTE: Traffic to the public IP/EIP:
      • Incurs regional data transfer costs
      • Is less performant in-region
      • Does not preserve source security group info
  • 85. Elastic Load Balancers
    [diagram: Internet -> ELB -> Instance, Instance, Instance]
    • Service availability and traffic balancing across EC2 instances
    • Stable DNS for publicly-facing services: alias to the ELB DNS CNAME
    • SSL termination, session stickiness, etc.
  • 93. Elastic Load Balancers
    • ELB intercepts and forwards traffic
    • Traffic loses its source IP; the instance sees the ELB as the peer
    • Client IP is accessible via the X-Forwarded-For header (HTTP/HTTPS listeners)
    • Backend instances must allow traffic from the ELB
    • Traffic from ELB == Traffic from Internet
    • Without additional (non security group) filtering, ELBs should only be used for public use cases
    • NOTE: VPC ELBs can use security groups for limiting access
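Because the instance's TCP peer is the ELB, any per-client decision (rate limiting, IP allow lists, audit logs) has to come from X-Forwarded-For, and that header is only partly trustworthy: the ELB appends the connecting client's address, but whatever the client already put in the header arrives untouched. As an added example, not from the talk, the Python below extracts the client address by counting from the right, past the entries written by proxies you control, and shows the leftmost-entry mistake beside it. The sample headers are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.

```python
"""Recovering the client IP behind an ELB from X-Forwarded-For, safely.

Added example, not from the talk. ELB appends the client's address as the
last entry of X-Forwarded-For; entries to the left are client-supplied
and may be forged. Sample headers are constructed.
"""
import ipaddress

TRUSTED_HOPS = 1   # assumption: one ELB and nothing else we control in the path


def client_ip_from_xff(xff_header, trusted_hops=TRUSTED_HOPS):
    """Return the address the outermost trusted proxy connected from, or None.

    With N trusted proxies each appending in order, the N-th entry from the
    right is the peer of the outermost one; everything left of it is
    whatever the client chose to send.
    """
    if not xff_header:
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None   # header was not produced by our proxy chain
    candidate = hops[-trusted_hops]
    try:
        # Validates the entry and normalises the IPv6 text form.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None   # malformed entry: treat as unknown rather than trust it


def naive_first_entry(xff_header):
    """The common mistake: take the leftmost entry, which the client controls."""
    return xff_header.split(",")[0].strip() if xff_header else None


if __name__ == "__main__":
    forged = "10.0.0.1, 203.0.113.7"   # client claims an internal address
    print("naive :", naive_first_entry(forged))
    print("safe  :", client_ip_from_xff(forged))
```

The naive reader lets a client from 203.0.113.7 present itself as 10.0.0.1 to any allow list keyed on internal addresses; the right-anchored reader still reports 203.0.113.7. A TCP listener on the ELB adds no header at all, so the function returns None there rather than guessing.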
  • 100. S3 Policies and Object Ownership
    • S3 bucket similar to container, object similar to a file
    • Access control can be applied via bucket policy, bucket ACL, and object ACLs
    • NOTE: Objects only inherit bucket-level permissions if written by the bucket owner
      • Default ACL is “object creator: full control”
      • Objects written by a non bucket owner are inaccessible by the bucket owner
      • Use the “x-amz-acl” header on write (e.g. x-amz-acl: bucket-owner-full-control) to fix permissions
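Relying on every writer to remember the header is fragile; the bucket owner can enforce it instead. As an added example (a config fragment, not from the talk), the bucket policy below denies any PutObject into testbucket that does not carry x-amz-acl: bucket-owner-full-control, so a cross-account writer cannot leave behind objects the owner cannot read. It uses the testbucket name from the slides; s3:x-amz-acl is the AWS condition key for that header, and because StringNotEquals also evaluates true when the key is absent, a PUT with no ACL header is rejected as well. The Deny has to sit alongside whatever Allow grants the other account PutObject in the first place.

```json
{
  "Statement": [
    {
      "Sid": "RequireBucketOwnerFullControlOnWrite",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::testbucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

Check it the same way the ownership problem is found in the first place: have the other account PUT an object with and without the header, then try to read both as the bucket owner. Only the one that carried the header should exist.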
  • 105. AWS Resource Logging
    • AWS APIs and resources are publicly (Internet) accessible
    • So, your management interfaces, file store, databases, etc. are publicly addressable
    • Preventing access is generally possible through policy configuration
    • NOTE: AWS provides no capability for logging or auditing resource access
  • 111. Delivering Credentials to EC2 Instances
    • AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)
    • Access to resources will generally require credentials
    • Secure delivery and storage of credentials becomes difficult with scale and automation
    • Some ideas:
      • http://shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html
  • 112. AWS Security Recommendations
    • Systematic Approach to AWS Security
    • Shared Responsibility
    • AWS Management
    • AWS Security Features and Services
    • Resource Security
    • Operations Security
  • 118. Systematic Approach to AWS Security
    • Understand shared responsibility model
    • Management of AWS
    • AWS security features and services
    • AWS resource security
    • Secure AWS operations
  • 119. Shared Responsibility
    • Analyze what each side provides in terms of security controls
    • Understand legal/contractual aspects
    • Make plans to bridge any gaps
    https://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework
    http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html
  • 126. AWS Management
    • No longer any reason to not use IAM
    • Enable:
      • IAM
      • MFA (for account and IAM accounts)
    • Create groups and assign permissions appropriate for organizational model
    • Consider using separate top-level accounts for compartmentalization
  • 131. AWS Security Features and Services
    • Understand security features, limitations, and options of the features you use
      • S3 - encryption, MFA delete, versioning
      • EC2 - dedicated instances, disabling API termination
    • Consider VPC based on use cases and requirements
  • 137. AWS Resource Security
    • Review access requirements for AWS resources
      • S3 buckets, SimpleDB domains, SQS queues
    • Apply resource policies to control access appropriately
    • Use policy conditions to enhance security
      • SourceIP, CurrentTime, SecureTransport
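An added example, not from the talk: a reduced bucket-policy evaluator for the SourceIp, SecureTransport and CurrentTime conditions, run against constructed requests. The policy, bucket name and addresses are assumptions, and only a subset of IAM evaluation is modelled.

```python
"""Added example, not from the talk: a reduced evaluator for the three
condition keys the slide names, run against constructed requests.

Only Allow statements with IpAddress, Bool and DateLessThan operators are
modelled; real IAM evaluation has many more operators and explicit Deny
precedence. Bucket name and addresses are constructed.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed policy: object reads from one office range, over TLS, before a cut-off.
POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "Bool": {"aws:SecureTransport": "true"},
        "DateLessThan": {"aws:CurrentTime": "2012-12-31T23:59:59Z"},
    },
}]}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _condition_holds(operator, key, expected, ctx):
    actual = ctx.get(key)
    if actual is None:
        return False  # a missing context key never satisfies a condition
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if operator == "Bool":
        return str(actual).lower() == expected.lower()
    if operator == "DateLessThan":
        return _ts(actual) < _ts(expected)
    raise ValueError("unsupported operator: " + operator)

def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement matches and every one of its conditions holds."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != action:
            continue
        if not resource.startswith(st["Resource"].rstrip("*")):
            continue
        conds = [(op, k, v) for op, kv in st.get("Condition", {}).items() for k, v in kv.items()]
        if all(_condition_holds(op, k, v, ctx) for op, k, v in conds):
            return True
    return False  # nothing matched: implicit deny
```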
  • 141. Secure AWS Operations
    • Understand security group/ACL differences
    • Design and implement according to architectural requirements
    • Actively manage and monitor accounts and credentials
  • 148. Other Recommendations
    • Tools like boto are useful for security monitoring and analysis
    • Keep an eye on:
      • http://aws.typepad.com/
      • @jeffbarr
      • AWS Endpoints: http://docs.amazonwebservices.com/general/latest/gr/rande.html
      • EC2 IP Ranges: https://forums.aws.amazon.com/forum.jspa?forumID=30
  • 152. Takeaways
    • AWS provides an array of services that allow you to construct and operate large scale web services in a self-service, pay as you go model
    • The cloud operating model requires you to understand the security responsibilities of both provider and consumer
    • Understanding AWS’ security features and capabilities and taking a systematic approach to AWS security will help ensure optimized and secure service use
  • 155. Cloud and Platform Engineering
    • Engineering Tools: orchestration, build and deployment
    • Cloud Solutions: monitoring, consulting, Simian Army
    • CORE: 24/7 site reliability
    • Platform Engineering: core shared components and libraries
    • Security: application, engineering, and operational
    • Cloud Database Engineering: Cassandra, SDB, RDS
    • Cloud Performance: testing, optimization, cost
    • Cloud Architecture: overall design patterns
  • 156. Netflix PaaS
    • Supports all AWS regions and availability zones
    • Automatic scaling to thousands of instances
    • Monitoring for millions of metrics
    • Base server and client
    • I18n, L10n, geo IP routing
    • Dynamic and fine-grained security
    • Supports multiple AWS accounts
    • One-click deployment and load balancing across three datacenters
    • Cross-region and account data replication and archive
    http://www.slideshare.net/netflix
  • 159. Security Monkey
    http://techblog.netflix.com/2011/07/netflix-simian-army.html
    • Centralized framework for cloud security monitoring and analysis
    • Leverages AWS APIs and common security tools
  • 160. Security Monkey
    • Certificate monitoring
    • Security group monitoring
    • Exposed instances/applications
    • Web application vulnerability scanning
    • Upcoming:
      • Policy analysis (firewall, user, S3, etc.)
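An added example that is neither the talk's nor Security Monkey's code: the kind of security-group check the boto recommendation and the Security Monkey slide point at, written over the EC2 DescribeSecurityGroups response layout with a constructed sample standing in for the live API call.

```python
"""Added example, not from the talk and not Security Monkey's code: an audit
over the layout of the EC2 DescribeSecurityGroups response. SAMPLE is a
constructed stand-in for that response so the check runs offline; with boto
the live API result would be passed in instead.
"""
ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the DescribeSecurityGroups response layout.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0001", "GroupName": "elb-backend", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0002", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0003", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0001"}]}]},
    {"GroupId": "sg-0004", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "::/0"}], "UserIdGroupPairs": []}]},
]}

def _port_range(perm):
    if perm["IpProtocol"] == "-1":  # all protocols, every port
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def audit_security_groups(response):
    """Return (group id, severity, reason) per rule open to the Internet: high
    for all-traffic or admin-port rules, info for other world-reachable ports."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            world = ", ".join(r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] in WORLD)
            if not world:
                continue  # reachable only from other groups or specific ranges
            low, high = _port_range(perm)
            if perm["IpProtocol"] == "-1":
                finding = ("high", "all traffic open to " + world)
            elif any(low <= p <= high for p in ADMIN_PORTS):
                finding = ("high", f"admin port within {low}-{high} open to " + world)
            else:
                finding = ("info", f"ports {low}-{high} open to " + world)
            findings.append((sg["GroupId"],) + finding)
    return findings
```

The info-level findings are the ones to reconcile against the public use cases the ELB slide allows; everything else is a rule that should be narrowed.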
