Security Day What's (nearly) New
![Page 1: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/1.jpg)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ian Massingham, Dave Walker
16/03/16
What’s (nearly) New? Manchester
![Page 2: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/2.jpg)
Cloud Security Principles Compliance
o Issued 1 Apr 2014 by the CESG
o They replace the Business Impact Levels model (BIL: IL1-IL5+)
o Distributed certification model
o Risk-based approach: suitability for purpose
o New protective marking mechanisms
o AWS Whitepaper Available
![Page 3: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/3.jpg)
Cyber Essentials Plus Compliance in Dublin
Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme that helps organisations demonstrate security against common cyber attacks.
The ‘Plus’ scheme benefits from independent testing and validation compared to the baseline ‘Cyber Essentials’ scheme that is self-attested.
![Page 4: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/4.jpg)
ISO 27018
o Customers control their content.
o Customers' content will not be used for any unauthorized purposes.
o Physical media is destroyed prior to leaving AWS data centers.
o AWS provides customers the means to delete their content.
o AWS doesn’t disclose customers' content.
![Page 5: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/5.jpg)
ISO 27017
o Newest ISO code of practice
o Builds on top of ISO 27002
o Information security controls specific to Cloud services
o Scope includes all AWS Regions and edge locations
![Page 6: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/6.jpg)
AWS Security Tools
AWS Trusted Advisor: Periodic evaluation of alignment with AWS Best Practices. Not just Security-related.
AWS Config Rules: Create rules that govern configuration of your AWS resources. Continuous evaluation.
Amazon Inspector: Security insights into your applications. Runs on EC2 instances; on-demand scans.
AWS Compliance
AWS: Security of the cloud
Customer: Security in the cloud
![Page 7: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/7.jpg)
Cloud Config Rules
![Page 8: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/8.jpg)
AWS Config Rules features
Flexible rules evaluated continuously and retroactively
Dashboard and reports for common goals
Customizable remediation
API automation
![Page 9: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/9.jpg)
AWS Config Rules
Broad ecosystem of solutions
![Page 10: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/10.jpg)
AWS Config Rules benefits
Continuous monitoring for unexpected changes
Shared compliance across your organization
Simplified management of configuration changes
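The "rules that govern configuration of your AWS resources" above are plain code when you write a custom rule: Config invokes a Lambda function with the changed configuration item, the function judges it and reports back with `PutEvaluations`. The example below is added here and is not code from the deck or from AWS; the `world_open_ranges`/`evaluate` names, the 80/443 allow-list and the sample event are mine, and the camelCase item layout for `AWS::EC2::SecurityGroup` is an assumption about Config's configuration-item format.

```python
"""Custom AWS Config rule: a security group is NON_COMPLIANT if it admits the whole
internet (0.0.0.0/0 or ::/0) on any port other than 80/443. Added example, not code
from the deck; it assumes Config's camelCase item layout for AWS::EC2::SecurityGroup."""
import json
ALLOWED_PUBLIC_PORTS = frozenset({80, 443})

def world_open_ranges(ip_permissions, allowed=ALLOWED_PUBLIC_PORTS):
    """(from_port, to_port) pairs open to the world and not allow-listed; (None, None) = all ports."""
    offending = []
    for perm in ip_permissions:
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None or lo == -1:      # "all traffic" rules carry no port range
            offending.append((None, None))
        elif not set(range(lo, hi + 1)) <= allowed:
            offending.append((lo, hi))
    return offending

def evaluate(event):
    """Pure evaluation step, testable offline: returns (compliance_type, annotation)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    bad = world_open_ranges(item["configuration"].get("ipPermissions", []))
    if not bad:
        return "COMPLIANT", "no unexpected world-reachable ports"
    desc = ", ".join("all" if lo is None else f"{lo}-{hi}" for lo, hi in bad)
    return "NON_COMPLIANT", f"world-reachable ports: {desc}"

def lambda_handler(event, context):
    """Lambda entry point; needs config:PutEvaluations. boto3 is imported lazily."""
    import boto3
    compliance, note = evaluate(event)
    item = json.loads(event["invokingEvent"])["configurationItem"]
    boto3.client("config").put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance, "Annotation": note[:256],
        "OrderingTimestamp": item["configurationItemCaptureTime"]}])

# Constructed sample invocation: HTTPS (allowed) and SSH (not) open to the world.
SAMPLE_EVENT = {"resultToken": "placeholder-token", "invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2016-03-16T09:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

Keeping the verdict in `evaluate()` separate from the `PutEvaluations` call is what makes the rule unit-testable before it is wired to a Config rule of type custom Lambda.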
![Page 11: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/11.jpg)
Security by Design - SbD
• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
• Provides control insights throughout the IT management process
Services: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
![Page 12: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/12.jpg)
GoldBase - Scripting your governance policy
Set of CloudFormation Templates & Reference Architectures that accelerate compliance with PCI, EU Personal Data Protection, HIPAA, FFIEC, FISMA, CJIS
Result: Reliable technical implementation of administrative controls
![Page 13: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/13.jpg)
What is Inspector?
• Application security assessment
• Selectable built-in rules
• Security findings
• Guidance and management
• Automatable via APIs
![Page 14: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/14.jpg)
Rule packages
• CVE (common vulnerabilities and exposures)
• Network security best practices
• Authentication best practices
• Operating system security best practices
• Application security best practices
• PCI DSS 3.0 readiness
![Page 15: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/15.jpg)
Getting started
![Page 16: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/16.jpg)
Prioritized findings
![Page 17: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/17.jpg)
Detailed remediation recommendations
![Page 18: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/18.jpg)
What is AWS WAF?
[Diagram: good users and bad guys send requests through AWS WAF to the web server and database; Application DDoS shown as the threat]
AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.
Types of conditions in rules:
1: Source IP/range
2: String Match
3: SQL Injection
![Page 19: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/19.jpg)
Why AWS WAF?
[Diagram: good users and bad guys reaching the web server and database; threats shown: Application DDoS, Vulnerabilities, Abuse]
![Page 20: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/20.jpg)
AWS WAF Partner integrations
• Alert Logic, Trend Micro, and Imperva integrating with AWS WAF
• Offer additional detection and threat intelligence
• Dynamically modify rulesets of AWS WAF for increased protection
![Page 21: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/21.jpg)
S2N – AWS Implementation of TLS
• Small:
  • ~6,000 lines of code, all audited
  • ~80% less memory consumed
• Fast:
  • 12% faster
• Simple:
  • Avoid rarely used options/extensions
![Page 22: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/22.jpg)
VPC Flow Logs
![Page 23: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/23.jpg)
Flow Log Record Structure

| Field | Example value |
| --- | --- |
| Event-Version | 2 |
| Account Number | 123456789 |
| ENI-ID | eni-31607853 |
| Source-IP | 172.16.0.10 |
| Destination-IP | 172.16.0.172 |
| SourcePort | 80 |
| Destination-Port | 41707 |
| Protocol Number | 6 |
| Number of Packets | 1 |
| Number of Bytes | 40 |
| Start-Time Window | 1440402534 |
| End-Time Window | 1440402589 |
| Action | ACCEPT |
| State | OK |

Example record as logged: `2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK`
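A parser for that 14-field record, with the two checks the "Detect" slide later asks of flow logs (rejected connections, and accepted traffic that is not the services you expect). This is an added example, not code from the deck: the first sample line is the slide's own record, the other three lines are constructed, and the `review`/`summarize` names and the 80/443 service-port list are mine.

```python
"""Parse version-2 VPC Flow Log records (the 14-field layout above) and pick out
flows worth a second look. Added example, not from the deck; the first sample line
is the slide's record, the other lines are constructed."""
from collections import namedtuple

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
FlowRecord = namedtuple("FlowRecord", FIELDS)

SAMPLE_LOG = """\
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 203.0.113.7 172.16.0.10 51000 22 6 3 180 1440402600 1440402650 REJECT OK
2 123456789 eni-31607853 198.51.100.9 172.16.0.10 40022 3389 6 5 300 1440402700 1440402760 ACCEPT OK
2 123456789 eni-31607853 - - - - - - - 1440402800 1440402860 - NODATA
"""

def parse_record(line):
    """Split one space-separated record; reject lines with the wrong field count."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return FlowRecord(*parts)

def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def review(records, service_ports=frozenset({80, 443})):
    """Return (reason, record) pairs for rejected flows and for accepted TCP flows in
    which neither end uses an expected service port. Flow logs do not record direction:
    the slide's record is the web server's reply (src 80 -> ephemeral 41707), so a
    flow counts as ordinary service traffic if either port is on the list. Records
    with log_status NODATA/SKIPDATA carry no flow fields and are skipped."""
    hits = []
    for r in records:
        if r.log_status != "OK":
            continue
        if r.action == "REJECT":
            hits.append(("rejected", r))
        elif r.protocol == "6" and not {int(r.srcport), int(r.dstport)} & service_ports:
            hits.append(("unexpected-port", r))
    return hits

def summarize(records):
    """Bytes per ENI across the OK records, e.g. for a quick volume baseline."""
    totals = {}
    for r in records:
        if r.log_status == "OK":
            totals[r.interface_id] = totals.get(r.interface_id, 0) + int(r.bytes)
    return totals
```

The same parser applies to records delivered through CloudWatch Logs, which is where the "Use CloudWatch logs" item on the Detect slide comes in.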
![Page 24: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/24.jpg)
Introducing AWS Certificate Manager
AWS Certificate Manager (ACM) makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform.
![Page 25: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/25.jpg)
AWS Certificate Manager
• Provision trusted SSL/TLS certificates from AWS for use with AWS resources:
  • Elastic Load Balancing
  • Amazon CloudFront distributions
• AWS handles the “maths and maintenance”
  • Key pair and CSR generation
  • Managed renewal and deployment
• Domain validation (DV) through email
• Available through AWS Management console, CLI, or API
![Page 26: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/26.jpg)
AWS Certificate Manager (ACM) Benefits
• Protect and secure websites and applications
• Provision certificates quickly and easily
• Free
• Managed certificate renewal
• Secure key management
• Centrally manage certificates on the AWS Cloud
• Integrated with other AWS Cloud Services
![Page 27: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/27.jpg)
ACM Use Cases
• Help meet regulatory compliance requirements for encryption of data in transit
• PCI, FedRAMP and HIPAA
• Minimize downtime and outages
• Improve search rankings by using SSL/TLS
![Page 28: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/28.jpg)
ACM-Provided Certificates
Domain names
• Single domain name: www.example.com
• Wildcard domain names: *.example.com
• Combination of wildcard and non-wildcard names
• Multiple domain names in the same certificate (up to 10)
ACM-provided certificates are managed
• Private keys are generated, protected, and managed
• ACM-provided certificates cannot be used on EC2 instances or on-premises servers
• Can be used with AWS services, such as ELB and CloudFront
Algorithms
• RSA 2048 and SHA-256
![Page 29: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/29.jpg)
What is available at launch?
• SSL/TLS certificates for use with AWS services (ELB and CloudFront)
• Availability in US-East (N. Virginia)
• Domain validation via email
• Console, API, CLI
• Integration with ELB and CloudFront
• Managed renewal and deployment
![Page 30: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/30.jpg)
What is NOT available at launch?
• Availability in additional regions
• Certificates for use on EC2
• “Take home” certificates that can be used anywhere
• Cross-region certificates
• Cross-account access to certificates
• CloudTrail logging of ACM API calls
• Tagging
• Certificates for email, code signing, or any other purpose except SSL/TLS termination
![Page 31: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/31.jpg)
Certification & Education
• Security Fundamentals on AWS
  • free, online course for security auditors and analysts
• Security Operations on AWS
  • 3-day class for Security engineers, architects, analysts, and auditors
• AWS Certification
  • Security is part of all AWS exams
![Page 32: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/32.jpg)
Rich Security Capabilities in the Cloud
Prepare
Prevent
Detect
Respond
![Page 33: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/33.jpg)
o AWS Security Solutions Architects
o AWS Professional Services
o AWS Secure by Design & GoldBase
o AWS Security Best Practices
o Partner Professional Services
o AWS Training and Certification
o Understand Compliance Requirements
Prepare
![Page 34: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/34.jpg)
o Use IAM – consider MFA, roles, federation, SSO
o Implement Amazon WAF
o Leverage S2N for secure TLS connections
o Implement Config Rules to enforce compliance
o Implement Amazon Inspector to identify vulnerabilities early on
Prevent
![Page 35: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/35.jpg)
o CloudTrail enabled across all accounts and services
o Consider Config & Config Rules logs
o Inspector can be used as a detective tool
o Trusted Advisor goes beyond just security
o Use CloudWatch logs
o VPC Flow Logs give insight into intended and unintended communication taking place into your VPC
o Look at partner log management and security monitoring solutions
Detect
![Page 36: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/36.jpg)
o Be Prepared:
  o Develop, acquire or hire Security Incident Response capabilities
  o Test preparedness via game days
o Automated response and containment is always better than manual response
o AWS supports forensic investigations
o Leverage AWS Support for best results
o Talk to our security partners
Respond
![Page 37: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/37.jpg)
![Page 38: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/38.jpg)
Be Secure & Compliant in the Cloud!
![Page 39: Security Day What's (nearly) New](https://reader036.fdocuments.us/reader036/viewer/2022070514/588157541a28abb0508b751f/html5/thumbnails/39.jpg)
Thank you!