AWS Security Best Practices For the Three Layers of Compute

Osemeke Isibor
Partner Solutions Architect, AWS

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Three Layers of Compute

• Infrastructure: virtual server instances in the cloud
• Containers: services for running Docker containers
• Serverless: serverless execution in response to events

AWS Security Services (Preventative)

• AWS Identity and Access Management
• AWS Control Tower
• AWS Well-Architected Tool
• AWS Shield
• AWS WAF
• AWS Key Management Service

AWS Security Services (Detective)

• AWS Trusted Advisor
• AWS Config
• AWS CloudTrail
• Amazon CloudWatch
• Amazon GuardDuty
• AWS Security Hub

Other Security Activities (App Layer)

What?                              | Why?
-----------------------------------|----------------------------------------------------------------------
Solution design review             | Ensure application design adequately protects valuable resources and information
Threat modeling                    | Understand attacker & impact of control failures
Security unit tests                | Ensure expected security functionality operates as expected
Code review (manual peer review)   | Look for malicious code, style and standards
Code scan (static/dynamic)         | Look for code vulnerabilities
Penetration testing                | Make sure nothing obvious has been missed
Manage risks and vulnerabilities   | Ensure that known issues are resolved in a timely manner
Operate solution                   | Manage and monitor application to identify technical and business anomalies

Securing the Compute Layers

Infrastructure Services: virtual server instances in the cloud

Shared Security Model (Infra Services), Example: Amazon EC2

Managed by customers:
• Customer Data ((Optional) Opaque Data: 0s and 1s, when client-side encrypted)
• Platform & Application Management
• Operating System, Network & Firewall Configuration
• Client-side encryption, data integrity, authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption, integrity, identity)
• Customer IAM

Managed by Amazon Web Services:
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS Endpoints
• AWS IAM

Infrastructure Services

Select, install, configure, harden, patch, monitor, perform break/fix, upgrade and eventually decommission:

• Operating system
• Operating system components (example: sshd)
• Operating system permissions (example: sudo)
• Application container (example: JBoss)
• Application dependencies (example: NodeJS packages)
• Business application

Infrastructure Services (diagram)

Achieve Security for Infrastructure

• Amazon EC2 Auto Scaling
• AWS Systems Manager
• AWS OpsWorks
• AWS Well-Architected Tool
• Amazon GuardDuty
• AWS Config
+ Scan machines

Container Services: services for running Docker containers

Shared Security Model (Container Services), Examples: Amazon ECS, Amazon EKS

Managed by customers:
• Customer Data ((Optional) Opaque Data: 0s and 1s, when client-side encrypted)
• Application Management
• Firewall Configuration
• Client-side encryption, data integrity, authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption, integrity, identity)
• Customer IAM

Managed by Amazon Web Services:
• Operating System, Network & Platform Management
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS Endpoints
• AWS IAM

Container Services

Select, install, configure, harden, patch, monitor, perform break/fix, upgrade and eventually decommission:

• Container assembly
• Application dependencies (example: NodeJS packages)
• Business application

Container Services (diagram)

Achieve Security for Containers

• Amazon EC2 Auto Scaling
• AWS OpsWorks
• AWS Well-Architected Tool
• Amazon GuardDuty
• AWS Config
+ Scan images

Abstract / Serverless Services: serverless execution in response to events

Shared Security Model (Serverless Services), Example: AWS Lambda

Managed by customers:
• Customer Data ((Optional) Opaque Data: 0s and 1s, when client-side encrypted)
• Client-side encryption, data integrity and authentication

Managed by Amazon Web Services:
• Platform & Application Management
• Operating System, Network & Firewall Configuration
• Server-side encryption provided by the platform
• Network traffic protection provided by the platform
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS Endpoints
• AWS IAM

Serverless Services (diagram)

AWS Security Services for Serverless

• AWS Well-Architected Tool
• Amazon GuardDuty
• AWS Config
+ Scan code

High-level Services Are Better

• Serverless
• Containers
• Infrastructure

AWS Security Solutions

Identity:
• AWS Identity & Access Management (IAM)
• AWS Organizations
• AWS Cognito
• AWS Directory Service
• AWS Single Sign-On

Detective control:
• AWS Security Hub
• AWS CloudTrail
• AWS Config
• Amazon CloudWatch
• Amazon GuardDuty
• VPC Flow Logs

Infrastructure security:
• AWS Control Tower
• Amazon EC2 Systems Manager
• AWS Shield
• AWS Web Application Firewall (WAF)
• Amazon Inspector
• Amazon Virtual Private Cloud (VPC)

Data protection:
• AWS Key Management Service (KMS)
• AWS CloudHSM
• Amazon Macie
• Certificate Manager
• Server Side Encryption

Incident response:
• AWS Config Rules
• AWS Lambda

Thank you

https://trendmicro.com/aws
https://aws.amazon.com/security/