Security in Cloud Workshop
March 8, 2019
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Schedule
Security is Job Zero at AWS
(Figure: security layers – System, Network, Physical)
AWS Shared Responsibility Model: for Infrastructure Services
Managed by Customers:
• Customer IAM
• Customer content
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
• Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Managed by AWS:
• AWS IAM
• API Endpoints
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
(Diagram arrows: Mgmt Protocols, API Calls)
Infrastructure Service Example – EC2
Customer responsibilities:
• Customer Data
• High Availability, Scaling
AWS responsibilities:
• AWS Global Infrastructure
• AWS API Endpoints
AWS Shared Responsibility Model: for Container Services
Managed by Customers:
• Customer IAM
• Customer content
• Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption / Integrity / Identity)
• Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Managed by AWS:
• AWS IAM
• Platform & Applications Management
• API Endpoints
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
(Diagram arrows: Mgmt Protocols, API Calls)
Infrastructure Service Example – RDS
AWS responsibilities:
• Operating System
• Platform / Application
• AWS Global Infrastructure
AWS Shared Responsibility Model: for Abstract Services
Managed by Customers:
• Customer content
• Client-Side Data Encryption (optional) & Data Integrity Authentication
Managed by AWS:
• AWS IAM
• API Endpoints
• Operating System, Network & Firewall Configuration
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure
(Diagram arrows: API Calls)
Infrastructure Service Example – S3
Customer responsibilities:
• Customer Data
AWS responsibilities:
• AWS API Endpoints
• High Availability / Scaling
• Operating System
Summary of Customer Responsibility in the Cloud
• Applications
• Firewall
• Operating System
• Networking/Firewall
What is Identity Management?
AWS Principals
AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources for your users.
Optional Configurations:
• Password for console access.
• Policies for controlling access to AWS APIs.
• Two methods to sign API calls:
  – X.509 certificate
  – Access/Secret Keys
• Multi-factor Authentication (MFA)
Assurance Programs
AWS Artifact – Compliance reports
AWS Responsibilities
• Amazon has been building large-scale data centers for many years.
• Important attributes:
– Non-descript facilities
– Robust perimeter controls
– Strictly controlled physical access
– Two or more levels of two-factor authentication
• Controlled, need-based access.
• All access is logged and reviewed.
• Separation of Duties
– Employees with physical access don’t have logical privileges.
One last thing about data sanitization
(Figure: "From this" to "To this")
AWS Global Infrastructure
20 Regions – 60 Availability Zones – 160 Points of Presence
Regions and Availability Zones (number of AZs in parentheses):
US East: N. Virginia (6), Ohio (3)
US West: N. California (3), Oregon (3)
Canada: Central (2)
South America: São Paulo (3)
Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
Asia Pacific: Mumbai (2), Seoul (2), Singapore (3), Sydney (3), Tokyo (4), Osaka-Local (1)
China: Beijing (2), Ningxia (3)
GovCloud (US): US-East (3), US-West (3)
New Regions (coming soon): Bahrain, Cape Town, Hong Kong SAR, Milan
VPC
VPC = Virtual Private Cloud
• Your virtual data center on AWS
• Block of IPs that define your network (typically RFC 1918)
• VPCs can span multiple AZs
(Diagram: Default VPC, CIDR 10.1.0.0/16, spanning Availability Zone A and Availability Zone B)
VPC subnet
• Range of IPs in your VPC
• Lives inside an AZ
• Can provide security at the subnet or network level with access control lists (ACLs)
• Can route at the subnet level
(Diagram: Default VPC subnets 10.1.1.0/24 in Availability Zone A and 10.1.10.0/24 in Availability Zone B; VPC CIDR 10.1.0.0/16)
Internet gateway
(Diagram: Internet Gateway connecting the VPC to the Internet and the AWS Public API Endpoints)
Route table
• Contains a set of rules, called routes, that are used to determine where network traffic is directed
• Subnets have one route table
• Controls routing for the subnet to the IGW and VGW
(Diagram: subnets 10.1.1.0/24 in Availability Zone A and 10.1.10.0/24 in Availability Zone B; Internet Gateway to the Internet and the AWS Public API Endpoints; route 0.0.0.0/0 → igw)
VGW and VPN connection
• VPN over the Internet
(Diagram: Customer Gateway in the Corporate Data Center, Internal User)
VPC security controls
(Diagram: VPC 10.1.0.0/16 with a Virtual Router and two Route Tables; EC2 Instance 1 (10.1.1.6), Instance 2 (10.1.1.7), Instance 3 (10.1.10.20); Web Layer, Application Layer, Database Layer)
Network ACLs = Stateless Firewall Rules
• Can be applied on a subnet basis
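As an added illustration (example code, not from the deck or from AWS), the following models stateless network ACL evaluation: rules are tried in ascending rule number, the first match decides, and unmatched traffic hits the implicit deny. It then shows why a stateless ACL needs an explicit outbound rule for ephemeral-port replies, which a stateful security group would admit on its own; the rule set and addresses are constructed.

```python
"""Stateless network ACL evaluation, added to illustrate the slide above (example code,
not AWS's implementation). The rule fields mirror the console columns in simplified form."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order; the first matching rule decides
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny"

def evaluate(rules, protocol, port, address):
    """Decide one packet. Like a network ACL this is stateless: nothing is remembered
    between packets, and the implicit final rule (*) denies whatever nothing matched."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"

def tcp_session_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A TCP session through a stateless ACL needs two explicit allows: the request
    (inbound, to server_port) and the reply (outbound, to the client's ephemeral port).
    A stateful security group would admit the reply automatically."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"

# Constructed sample ACL for the public web subnet 10.1.1.0/24 shown on the VPC slides.
INBOUND = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 22, 22, "10.1.0.0/16", "allow"),  # SSH only from inside the VPC
]
OUTBOUND_BROKEN = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),  # no rule for the reply traffic
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    NaclRule(200, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # ephemeral-port replies
]
```

With OUTBOUND_BROKEN the HTTPS request is admitted but the server's reply is dropped, which is the classic stateless-ACL misconfiguration; OUTBOUND_FIXED adds the ephemeral-port rule.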
What is a DDoS Attack?
Distributed Denial of Service
Types of DDoS attacks
• Application-layer DDoS attacks
• Protect from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)
• AWS WAF for Layer 7 DDoS attack mitigation
• Self-service & pay-as-you-go
• Automatically detect & mitigate
AWS Shield Advanced
• Always-on monitoring & detection
AWS WAF – Layer 7 application protection
AWS Trusted Advisor Demo
CloudWatch Logs – Centralization of logs
Use cases
• Centralized log store
• Prevent log modification on instances
• Notifications on events
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
(Diagram: traffic in the AWS account recorded as Accept or Reject)
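The bullets above describe turning flow log records into CloudWatch metrics and alarms. The following is an added example, not code from the deck or from AWS: it parses records in the default 14-field VPC flow log format, counts REJECT records per period the way a metric filter would, and derives an alarm state from a threshold; the sample records and account ID are constructed.

```python
"""VPC Flow Logs -> metric -> alarm, added to illustrate the slide above (example code,
not AWS code). Records follow the default 14-field flow log format; sample lines are constructed."""
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()

def parse(lines):
    """Parse default-format records into dicts; skip NODATA/SKIPDATA records, whose
    address and port fields are '-', so only log_status == OK lines are counted."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("dstport", "protocol", "start"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def reject_count(records, window_start, period=300):
    """What a CloudWatch metric filter on action = REJECT would sum over one period."""
    return sum(1 for r in records
               if r["action"] == "REJECT" and window_start <= r["start"] < window_start + period)

def rejected_ports_by_source(records):
    """Distinct destination ports rejected per source address; one source hitting many
    closed ports is the pattern an alarm on this metric is meant to surface."""
    pairs = {(r["srcaddr"], r["dstport"]) for r in records if r["action"] == "REJECT"}
    return Counter(src for src, _ in pairs)

def alarm_state(records, window_start, threshold=20):
    """Mimic a CloudWatch alarm: ALARM when the REJECT metric reaches the threshold."""
    return "ALARM" if reject_count(records, window_start) >= threshold else "OK"

# Constructed sample records for the web instance 10.1.1.6 on the VPC slides.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.1.1.6 51515 443 6 10 840 1552003200 1552003259 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.1.1.6 51516 22 6 1 40 1552003205 1552003205 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.1.1.6 51517 3389 6 1 40 1552003206 1552003206 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.1.1.6 40000 443 6 5 400 1552003210 1552003250 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.1.10.20 10.1.1.6 40001 5432 6 1 40 1552003300 1552003300 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1552003260 1552003319 - NODATA
""".splitlines()
```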
VPC Flow Logs – CloudWatch Alarms
VPC Flow Logs
• Amazon Elasticsearch Service
• Amazon CloudWatch Logs subscriptions
Full visibility and logging features
Who did what, when, and from where (IP address)
• CloudTrail/Config support for many AWS services, and growing – includes EC2, EBS, VPC, RDS, IAM and Redshift
• Edge/CDN, WAF, ELB, VPC/Network Flow Logs
• Easily aggregate all log information
• CloudWatch Alarms
Out-of-the-box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
AWS CloudTrail example
Automate actions on events
(Diagram: Amazon CloudWatch → AWS Lambda → Amazon SNS)
AWS Config
Managed service for tracking AWS inventory and configuration, and configuration change notification.
(Diagram: AWS Config tracking EC2, EBS, VPC and CloudTrail)
Data Encryption At-Rest
Key handling questions for any solution
Where are keys generated and stored?
• Hardware you own?
• Hardware the cloud provider owns?
Client-side encryption
• You encrypt your data before it is submitted to the service
• You supply encryption keys OR use keys in your AWS account
• Available clients: S3, EMR File System (EMRFS), DynamoDB, AWS Encryption SDK
Server-side encryption
• AWS encrypts data on your behalf after it is received by the service
• 19 integrated services including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail
AWS Key Management Service (AWS KMS)
AWS KMS is fully integrated with AWS IAM
AWS KMS integration with AWS services
(Diagram: download a public wrapping key (RSA public key) from KMS)
AWS CloudHSM
AWS Marketplace Security Partners
Categories: Infrastructure security; Identity and Access control; Configuration & Vulnerability Analysis; Logs and monitoring; Data protection
AWS Marketplace Demo
Thank You
Herman Mak
Solutions Architect
Twitter: @hermanmakHK
Github: hermanmak
Submit your feedback to get a $25 AWS credit