AWS Summit Tel Aviv - Security Keynote

Post on 14-Jun-2015


Transcript of AWS Summit Tel Aviv - Security Keynote

AWS Summit 2013 Tel Aviv Oct 16 – Tel Aviv, Israel

Carlos Conde

Sr. Mgr. Solutions Architecture

AWS CLOUD SECURITY

SECURITY IS UNIVERSAL

EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES. CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS.

AWS GOVCLOUD: ITAR COMPLIANT

SECURITY IS VISIBLE

CAN YOU MAP YOUR NETWORK?

WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?

AWS API + CLOUDFORMER: ENVIRONMENT ARCHITECTURE DEFINITION AND CHANGE DETECTION

SECURITY IS TRANSPARENT

SOC 1, SOC 2, SOC 3, PCI DSS L1, ISO 27001, ITAR, FIPS, FedRAMP, HIPAA

SECURITY IS FAMILIAR

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

LEAST PRIVILEGE PRINCIPLE: CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK

USE AWS IAM (IDENTITY & ACCESS MANAGEMENT): CONTROL WHO CAN DO WHAT IN YOUR AWS ACCOUNT
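To make the least-privilege slide concrete, the following is an added example (not code from the keynote or from AWS): a small linter that walks an IAM policy document in the standard JSON format and flags the statement patterns that hand a role more than one job needs. The two sample policies are constructed; the bucket name and the severity labels are assumptions of this example.

```python
"""Least-privilege linter for IAM policy documents (added example)."""
import json


def _as_list(value):
    """IAM allows a single string or a list for Action / Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (severity, statement index, message) findings for one policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append(("high", idx, "Allow with NotAction grants every action except the listed ones"))
        if "*" in actions:
            findings.append(("high", idx, "Action '*' grants full access"))
        for a in actions:  # service-wide wildcards such as "s3:*" or "iam:*"
            if a != "*" and a.endswith(":*"):
                findings.append(("medium", idx, f"service-wide wildcard action {a}"))
        if "*" in resources and not has_condition:
            findings.append(("medium", idx, "Resource '*' without a Condition"))
        # iam:PassRole on every resource lets the caller hand any role to a service
        if "iam:PassRole" in actions and "*" in resources:
            findings.append(("high", idx, "iam:PassRole on Resource '*'"))
    return findings


def is_least_privilege(policy):
    """True when no high-severity finding is present."""
    return not any(sev == "high" for sev, _, _ in lint_policy(policy))


# Constructed sample: the "just make it work" policy that often ends up on a role.
ADMIN_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: an application that only reads one prefix of one bucket
# (bucket name is an assumption of this example).
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-data/uploads/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-data",
         "Condition": {"StringLike": {"s3:prefix": ["uploads/*"]}}},
    ],
}

if __name__ == "__main__":
    for name, pol in (("ADMIN_LIKE", ADMIN_LIKE), ("SCOPED", SCOPED)):
        print(name, json.dumps(lint_policy(pol)))
```

Run it on the policies attached to your own roles (the output of the IAM get-role-policy / get-policy-version calls is the same JSON shape) and treat every high finding as a role that is not confined to a specific job.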

IAM USERS & ROLES

ACCESS TO SERVICE APIs

NO PASSWORDS

USE SEPARATE SETS OF CREDENTIALS

ROTATE YOUR AWS SECURITY CREDENTIALS
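The credential slides above (no passwords for API access, separate credentials, rotation) translate into checks that can be run against the account's IAM credential report. The following is an added example, not code from the keynote or AWS: it reads CSV in the shape of the report returned by `aws iam get-credential-report` (only a subset of its columns is used), and the rows, the user names and the 90-day rotation window are constructed for this example.

```python
"""Credential-hygiene checks over an IAM credential report (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation window assumed for this example

# Constructed report: a subset of the real credential-report columns.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,true,false,N/A,false,N/A
alice,true,true,true,2013-09-20T10:00:00+00:00,false,N/A
ci-deployer,false,false,true,2012-12-01T08:15:00+00:00,true,2013-01-04T08:15:00+00:00
bob,true,false,false,N/A,false,N/A
"""

# Fixed "now" (the date of the talk) so the sample results are stable.
NOW = datetime(2013, 10, 16, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A and no_information mean 'never'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def check_credentials(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return {user: [finding, ...]} for every user that breaks a rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        problems = []
        # Console password without MFA: a password alone is a single factor.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            problems.append("console password without MFA")
        active_keys = 0
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            active_keys += 1
            if user == "<root_account>":
                problems.append(f"root account has an active access key {slot}")
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                problems.append(f"access key {slot} older than {max_key_age.days} days")
        # Two active keys usually means a rotation was started and never finished.
        if active_keys == 2:
            problems.append("two active access keys: finish rotating and deactivate the old one")
        if problems:
            findings[user] = problems
    return findings


if __name__ == "__main__":
    for user, problems in check_credentials(SAMPLE_REPORT).items():
        print(user, "->", "; ".join(problems))
```

In the constructed report, `alice` (password plus MFA, one fresh key) passes, `bob` is flagged for a password without MFA, and `ci-deployer` is flagged three times: both keys are past the rotation window and both are still active.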

YOUR DATA IS YOUR MOST IMPORTANT ASSET. IF YOUR DATA IS NOT SECURE, YOU’RE NOT SECURE.

MFA DELETE PROTECTION

ENCRYPT YOUR DATA

AMAZON S3 SSE (DATA AT REST)

AWS CLOUDHSM
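One way to enforce the "encrypt your data" slide for S3 server-side encryption is a bucket policy that denies any upload which does not request SSE. The following is an added example (not code from the keynote or AWS): it builds such a policy using the documented `s3:x-amz-server-side-encryption` condition key, and pairs it with a tiny evaluator that supports only the two condition operators the policy needs, so the effect on sample requests can be checked offline. The bucket name is an assumption of this example. (MFA Delete is a separate versioning setting on the bucket and is not expressed in a policy.)

```python
"""Bucket policy that refuses unencrypted uploads, plus a minimal evaluator (added example)."""
import json


def require_sse_policy(bucket):
    """Deny any PutObject to `bucket` that does not request SSE with AES256.

    Two statements are needed: StringNotEquals does not match when the
    condition key is absent from the request, so the Null statement catches
    uploads that send no encryption header at all.
    """
    arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": arn,
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
            {"Sid": "DenyWrongAlgorithm", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": arn,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        ],
    }


def _condition_matches(condition, request_keys):
    """True when every operator/key pair in the Condition block matches the request.

    Only Null and StringNotEquals are implemented; that is all this policy uses.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in request_keys
            if operator == "Null":
                # "true" matches when the key is absent, "false" when it is present
                if present != (expected == "false"):
                    return False
            elif operator == "StringNotEquals":
                # an absent key does not satisfy StringNotEquals
                if not present or request_keys[key] == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def put_is_denied(policy, bucket, key, request_keys):
    """Evaluate a PutObject of s3://bucket/key carrying the given condition keys."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        pattern = stmt["Resource"]  # only a trailing "/*" wildcard is supported here
        if not (pattern.endswith("/*") and resource.startswith(pattern[:-1])):
            continue
        if _condition_matches(stmt["Condition"], request_keys):
            return True  # an explicit Deny always wins
    return False


if __name__ == "__main__":
    pol = require_sse_policy("example-app-data")  # bucket name constructed
    print(json.dumps(pol, indent=2))
    for hdrs in ({}, {"s3:x-amz-server-side-encryption": "aws:kms"},
                 {"s3:x-amz-server-side-encryption": "AES256"}):
        print(hdrs, "denied" if put_is_denied(pol, "example-app-data", "a.txt", hdrs) else "allowed")
```

The condition key mirrors the `x-amz-server-side-encryption` request header: an upload with no header is denied by the Null statement, one asking for a different algorithm by the StringNotEquals statement, and only `AES256` gets through.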

NEED TO KNOW + CCTV, GUARDS, MAN TRAPS, FENCES, ETC.

CHANGES IN PRODUCTION HAVE TO BE AUTHORIZED

DEV & TEST ENVIRONMENT: AWS ACCOUNT A

PRODUCTION ENVIRONMENT: AWS ACCOUNT B

DEPLOYMENT PROCESS HAS TO BE CONSTRAINED

CONTINUOUS DELIVERY MODEL

CONTINUOUS DEPLOYMENT

SESSION 13:30 START-UP TRACK

REDUNDANCY & INTEGRITY CHECKS

USE MULTIPLE AZs

AMAZON S3

AMAZON DYNAMODB

AMAZON RDS MULTI-AZ

AMAZON EBS SNAPSHOTS

“GAME DAYS”: INSERT ARTIFICIAL SECURITY INCIDENTS. MEASURE SPEED OF DETECTION AND EXECUTION.

SECURITY IS AUDITABLE

VULNERABILITY / PENETRATION TESTING

LOGS: OBTAINED, RETAINED, ANALYZED

OBTAIN, RETAIN, ANALYSE YOUR LOGS

PROTECT YOUR LOGS WITH IAM

ARCHIVE YOUR LOGS
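"Analyse your logs" and the earlier change-management slides (changes in production have to be authorized, the deployment process has to be constrained) meet in detection rules run over the API audit log. The following is an added example, not code from the keynote or AWS: the records are constructed in the shape of CloudTrail JSON events (userIdentity, eventSource, eventName, ...), and the account id, the deployment role name, the user names and the IP addresses are made up for this example.

```python
"""Detection rules over API audit-log records (added example)."""
PROD_ACCOUNT = "111111111111"                            # constructed account id
DEPLOY_ROLE = "arn:aws:iam::111111111111:role/deploy"   # constructed: the only principal meant to change prod

# Calls that weaken auditability; any of them is worth an alert on its own.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutBucketLogging"}
READ_PREFIXES = ("Describe", "List", "Get", "Head")

SAMPLE_EVENTS = [  # constructed records in the CloudTrail event shape
    {"eventTime": "2013-10-16T08:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": PROD_ACCOUNT},
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2013-10-16T08:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": PROD_ACCOUNT},
     "sourceIPAddress": "203.0.113.11"},
    {"eventTime": "2013-10-16T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole", "accountId": PROD_ACCOUNT,
                      "arn": "arn:aws:sts::111111111111:assumed-role/deploy/build-42",
                      "sessionContext": {"sessionIssuer": {"arn": DEPLOY_ROLE}}},
     "sourceIPAddress": "10.0.0.5"},
    {"eventTime": "2013-10-16T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": PROD_ACCOUNT},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2013-10-16T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "Root", "accountId": PROD_ACCOUNT, "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "198.51.100.7"},
]


def _principal(identity):
    """Stable name for the caller: the issuing role for assumed-role sessions."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return issuer or identity.get("arn") or identity.get("userName") or identity.get("type")


def analyze(events):
    """Return a list of (rule, eventName, principal) alerts."""
    alerts = []
    for ev in events:
        ident = ev["userIdentity"]
        name = ev["eventName"]
        who = _principal(ident)
        if ident.get("type") == "Root":
            alerts.append(("root-account-used", name, who))
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("console-login-without-mfa", name, who))
        if name in LOGGING_TAMPER:
            alerts.append(("audit-logging-tampered", name, who))
        # Any mutating call in the production account that did not come through
        # the deployment role is an unauthorized change by the slide's definition.
        is_read = name.startswith(READ_PREFIXES)
        if (not is_read and name != "ConsoleLogin"
                and ident.get("accountId") == PROD_ACCOUNT and who != DEPLOY_ROLE):
            alerts.append(("prod-change-outside-deploy-role", name, who))
    return alerts


if __name__ == "__main__":
    for rule, name, who in analyze(SAMPLE_EVENTS):
        print(f"{rule:35} {name:30} {who}")
```

On the constructed records, the deployment role's RunInstances raises nothing, bob's console login without MFA and his direct security-group change each raise one alert, and the root-initiated StopLogging raises three (root use, logging tampered with, and a change outside the deployment role). The rules assume the log itself is protected with IAM and archived, as the slides ask, since a log the caller can stop or delete is not evidence.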

TRUSTED ADVISOR

SECURITY IS SHARED

NETWORK SECURITY: DDOS

NETWORK SECURITY: SSL

NETWORK SECURITY: SPOOFING

NETWORK SECURITY: PORT SCANNING

AMAZON EC2 SECURITY: HOST OS

SSH KEYED LOGINS VIA BASTION HOST

ALL ACCESSES LOGGED AND AUDITED

AMAZON EC2 SECURITY: GUEST OS

CUSTOMER CONTROLLED AT ROOT LEVEL

AWS ADMINS CANNOT LOG IN

CUSTOMER-GENERATED KEYPAIRS

“If you need to SSH into your instance, your deployment process is broken.”

AMAZON EC2 SECURITY: STATEFUL & STATELESS FIREWALL

MANDATORY INBOUND DEFAULT DENY MODE
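The firewall slide (mandatory inbound default deny) and the quote about SSH above suggest a routine check that security groups have not drifted back to "open to everyone". The following is an added example, not code from the keynote or AWS: the groups are constructed in the shape of `describe-security-groups` output, and the group ids, names and address ranges are made up for this example. A rule scoped to a CIDR or to another group (the bastion pattern from the host-OS slide) is treated as acceptable; admin ports, wide port ranges or all protocols opened to the whole Internet are flagged.

```python
"""Audit of EC2 security-group ingress rules against default-deny (added example)."""
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
WIDE_RANGE = 100  # assumed threshold: more ports than this in one rule is "wide"

SAMPLE_GROUPS = [  # constructed, in the describe-security-groups shape
    {"GroupId": "sg-0bastion", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0web", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]}]},
    {"GroupId": "sg-0legacy", "GroupName": "legacy-app",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
                       {"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]


def _ports(rule):
    """(from, to) covered by a rule; all-protocol rules ("-1") carry no port fields."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def audit_ingress(groups):
    """Return [(group id, message)] for rules open wider than default-deny should allow."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            public = [r["CidrIp"] for r in rule.get("IpRanges", []) if r["CidrIp"] in ANYWHERE]
            public += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] in ANYWHERE]
            if not public:
                continue  # scoped to a CIDR or to another group (e.g. the bastion): acceptable
            if rule["IpProtocol"] == "-1":
                findings.append((g["GroupId"], "all protocols and ports open to the Internet"))
                continue
            lo, hi = _ports(rule)
            for port, label in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((g["GroupId"], f"{label} (port {port}) open to the Internet"))
            if hi - lo > WIDE_RANGE:
                findings.append((g["GroupId"], f"wide port range {lo}-{hi} open to the Internet"))
    return findings


if __name__ == "__main__":
    for gid, msg in audit_ingress(SAMPLE_GROUPS):
        print(gid, msg)
```

On the constructed groups, the bastion (SSH only from one office range) and the web tier (443 to the world, SSH only from the bastion group) are clean; the legacy group is flagged twice, once for SSH from anywhere and once for the all-protocol rule.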

SECURITY IS

UNIVERSAL

VISIBLE

TRANSPARENT

FAMILIAR

AUDITABLE

SHARED

aws.amazon.com/security

AWS SECURITY WHITEPAPERS

RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

AWS MARKETPLACE

SECURITY SOLUTIONS