Securing your content and media workflows on AWS

Page 1: Securing your content and media workflows on AWS

Securing Media Content and Applications in the Cloud

Amazon Web Services

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Page 2

Shared Responsibility

AWS-managed layers:

• Facilities
• Physical security
• Physical infrastructure
• Network infrastructure
• Virtualization infrastructure

Customer-managed layers:

• Operating system
• OS firewalls
• Security groups
• Network configuration
• Account management
• Application

Page 3

Certifications and Compliances

The AWS-managed layers (facilities, physical security, physical infrastructure, network infrastructure, virtualization infrastructure) are covered by the following certifications:

• SOC 1, SOC 2 & SOC 3 (SSAE16/ISAE 3402 audit)
• ISO 27001 certification
• PCI level 1 service provider
• FedRAMP (FISMA)
• AWS GovCloud (US)
• MPAA best practices alignment

Customers are running Sarbanes-Oxley (SOX), HIPAA (healthcare), FISMA (US federal government), DIACAP MAC III sensitive ATO and International Traffic in Arms Regulations (ITAR) workloads.

Page 4

AWS Services Stack in a Media Workflow

Workflow stages shown: Ingest/Create, Store, Process, Deliver.

Services placed on the diagram:

• AWS Direct Connect
• AWS Import/Export
• AWS Storage Gateway
• Amazon Simple Storage Service (S3)
• Amazon Elastic Block Storage (EBS)
• Amazon Elastic Compute Cloud (EC2)
• Amazon Elastic MapReduce (EMR)
• Amazon Elastic Transcoder
• Amazon Simple Queue Service (SQS)
• Amazon Relational Database Service (RDS)
• Amazon ElastiCache
• Amazon CloudSearch
• Amazon Virtual Private Cloud (VPC)
• Elastic Load Balancing
• Amazon CloudFront
• Amazon Route 53

Page 5

AWS Physical Infrastructure Security

Page 6

AWS Security Controls

• Access points
  – HTTP or HTTPS (SSL) access
  – Amazon VPC allows VPN access as well
  – Redundant connection to more than one communication service at each Internet-facing edge
• API requests
  – SOAP – must be signed (using X.509 certs with an RSA public key)
  – Query – SHA1 and SHA-256 cryptographic hash signature
• SSH to Amazon EC2 instances – requires a public/private key pair or RDP certificate
• AWS multi-factor authentication (MFA)
• Key management and rotation

Page 7

AWS Identity and Access Management (IAM)

Unique security credentials

• Access keys, login/password, MFA device

• Federated authentication (AWS Security Token Service, STS)

Policies control access to AWS APIs

• API calls must be signed by either: X.509 certificate or secret key

Deep integration with other AWS services

• Amazon S3: policies on objects and buckets

• Amazon SimpleDB: domains

• Amazon EC2 resource permissions
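The "Query – SHA-256 cryptographic hash signature" item of the security-controls slide and the "signed by ... secret key" item of this IAM slide describe the same mechanism: the caller proves possession of the secret access key by computing an HMAC over a canonical form of the request, and AWS recomputes it before honouring the call. The block below is an added example (not AWS SDK code) that carries out the documented Signature Version 4 steps: derive a day/region/service-scoped signing key, build the canonical request and string to sign, and emit the Authorization header. The access key, secret key, bucket host and timestamp are constructed placeholders.

```python
"""Sign an AWS API call with Signature Version 4 (HMAC-SHA256 over a
canonical form of the request).

Added example, not AWS SDK code; it follows the documented SigV4 steps.
The access key, secret key, host and timestamp used in __main__ are
constructed placeholders.
"""
import hashlib
import hmac
import urllib.parse


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").

    The long-term secret never signs a request directly: the derived key is
    scoped to one day, one region and one service, which bounds what a
    captured signature could be replayed against.
    """
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_query_string(params: dict) -> str:
    """Sorted key=value pairs, RFC 3986 encoded (only unreserved characters kept)."""
    def quote(value):
        return urllib.parse.quote(str(value), safe="-_.~")
    return "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(params.items()))


def sign_request(method, host, path, params, payload, access_key, secret_key,
                 amz_date, region, service, extra_headers=None):
    """Return the request headers to send; 'authorization' carries the signature.

    `path` must already be URI-encoded per segment; `amz_date` is the ISO 8601
    basic timestamp (YYYYMMDDTHHMMSSZ) that also appears in x-amz-date.
    """
    headers = {k.lower(): v.strip() for k, v in (extra_headers or {}).items()}
    headers["host"] = host
    headers["x-amz-date"] = amz_date
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers["x-amz-content-sha256"] = payload_hash  # S3 expects the body hash as a header
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method, path, canonical_query_string(params),
        canonical_headers, signed_headers, payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(derive_signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    # Constructed credentials and host; a GET of one media object.
    hdrs = sign_request("GET", "example-bucket.s3.amazonaws.com", "/media/film.mp4", {},
                        b"", "AKIDEXAMPLE", "EXAMPLESECRETKEY",
                        "20150830T123600Z", "us-east-1", "s3")
    print(hdrs["authorization"])
```

Because the signature covers the method, path, query string, selected headers and body hash, changing any of them (or replaying after the date in the scope) invalidates it; that is what makes a leaked request log far less useful than a leaked secret key, and why the deck pairs signing with key rotation.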

Page 8

Amazon EC2 Security Controls

EC2 (guest) operating system

• Controlled by YOU
• YOU have admin/root
• AWS has NO visibility
• YOU generate the key pairs

Security groups (stateful filters)

• YOU control the mandatory inbound firewall
• Default is deny all
• +Egress in the case of Amazon VPC

(Diagram: an Instance inside a Security Group in Availability Zone A of the AWS Cloud, managed through signed API calls.)

Security Group Adobe_FMS Configuration

Protocol | Port range | Source
TCP      | 80         | 0.0.0.0/0
TCP      | 1111       | 0.0.0.0/0
TCP      | 1935       | 0.0.0.0/0
UDP      | 1935       | 0.0.0.0/0
SSH      | 22         | 192.168.0.41/10
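A practitioner reading the Adobe_FMS table would want two checks: which world-open ports are administrative rather than streaming ports, and whether the SSH source actually says what its author meant. The block below is an added example (not an AWS tool or part of the deck) that runs those checks over the rules exactly as printed on the slide; the set of administrative ports (22, 1111 taken as the Flash Media Server administration console, 3389) and the /16 "too broad" threshold are assumptions chosen for the illustration.

```python
"""Audit security group rules such as the Adobe_FMS table on the slide.

Added example, not part of the AWS deck or any AWS tool. The rule list is
copied from the slide; ADMIN_PORTS and MIN_PREFIX_FOR_TRUSTED_SOURCE are
assumptions (1111 is treated as the Flash Media Server admin console port).
"""
import ipaddress

# (protocol, port, source CIDR) exactly as printed on the slide.
ADOBE_FMS_RULES = [
    ("TCP", 80, "0.0.0.0/0"),
    ("TCP", 1111, "0.0.0.0/0"),
    ("TCP", 1935, "0.0.0.0/0"),
    ("UDP", 1935, "0.0.0.0/0"),
    ("SSH", 22, "192.168.0.41/10"),
]

# Ports that should never be reachable from the whole Internet (assumed list).
ADMIN_PORTS = {22, 1111, 3389}
# A trusted source for an admin port must be at least this specific (assumed).
MIN_PREFIX_FOR_TRUSTED_SOURCE = 16


def audit_rule(protocol, port, source):
    """Return the findings for one inbound rule (an empty list means clean)."""
    findings = []
    try:
        net = ipaddress.ip_network(source, strict=True)
    except ValueError:
        # strict=True rejects a CIDR whose host bits are set. 192.168.0.41/10
        # is such a value: what is granted is the whole /10 block containing
        # the address, not the single host the author most likely intended.
        net = ipaddress.ip_network(source, strict=False)
        findings.append(
            f"{source} has host bits set; the effective source is {net} "
            f"({net.num_addresses} addresses), probably meant {source.split('/')[0]}/32")
    if net.prefixlen == 0:
        if port in ADMIN_PORTS:
            findings.append(f"{protocol}/{port} is an administrative port open to 0.0.0.0/0")
    elif port in ADMIN_PORTS and net.prefixlen < MIN_PREFIX_FOR_TRUSTED_SOURCE:
        findings.append(f"{protocol}/{port} trusts {net}; a /{net.prefixlen} is too broad for admin access")
    return findings


def audit_security_group(rules):
    """Map each (protocol, port, source) rule to its findings; clean rules are omitted."""
    report = {}
    for protocol, port, source in rules:
        findings = audit_rule(protocol, port, source)
        if findings:
            report[(protocol, port, source)] = findings
    return report


if __name__ == "__main__":
    for rule, findings in audit_security_group(ADOBE_FMS_RULES).items():
        print(rule)
        for finding in findings:
            print("   -", finding)
```

Run against the slide's table, the streaming ports (80, 1935) pass, TCP 1111 is flagged as an admin port open to the world, and the SSH rule is flagged twice: the /10 covers about four million addresses, and the address has host bits set, which is the tell-tale of a /32 typed as /10.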

Page 9

Amazon Virtual Private Cloud (VPC)

• Isolated environment
• Access via VPN
• Access via Direct Connect
• Optional Internet Access
• Ingress and egress filters
• Network ACLs
• Routing rules

(Diagram: a Virtual Private Cloud containing a VPC Public Subnet and a VPC Private Subnet, each holding Instances in a Security Group; an Internet Gateway and Elastic IP on the public side; a VPN Gateway with a VPN Connection, and Direct Connect, linking the VPC to the Corporate Data Center.)

Page 10

Amazon S3 Security Controls

• Bucket- and object-level permissions

• Owner only access (by default)

• Signed URLs/query string authentication

• IAM policies

• Versioning (MFA delete)

• Detailed access logging

(Diagram: S3 Logs)

Page 11

S3 Encryption

S3 Client Side Encryption (AWS SDK for Java)

• Client Master Key: stays with the client and wraps the Envelope Key
• Envelope Key: encrypts the Content
• What S3 holds: the Encrypted Stored Key and the Encrypted Stored Data

S3 Server Side Encryption

• S3 Master Key, or a Customer provided key

Page 12

Amazon CloudFront Security

• CloudFront's private content feature: only deliver content to securely signed requests
• HTTPS ONLY requests/delivery
• Signed URL verification: policy based on a timed URL or a CIDR block of the requestor
• HTTPS ONLY origin fetches
• Trusted signers
• Access logs
• CloudFront origin access identity
• Signed Cookies for Private Content (NEW): include the signature in the cookie itself

(Diagram: the End User sends an HTTP Signed Request to Amazon CloudFront; CloudFront fetches from Amazon S3 (Media Storage) or from Delivery EC2 Instances behind a Security Group, and writes its access logs to Amazon S3 (Logs Storage).)
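The "policy based on a timed URL or a CIDR block of the requestor" bullet refers to a CloudFront custom policy: a small JSON statement naming the resource, an expiry time and optionally a start time and a viewer address range, which is base64-encoded with CloudFront's query-string-safe substitutions and signed by a trusted signer. The block below is an added example (not CloudFront or AWS SDK code) that builds and encodes such a policy and then evaluates a request against its conditions the way the edge does after the signature has been checked. The distribution domain, the 203.0.113.0/24 viewer range and the epoch times are constructed; the RSA-SHA1 signature the trusted signer's private key produces over the policy bytes needs an RSA library and is not reproduced here, so evaluate_policy() assumes that verification already happened.

```python
"""Build, encode and evaluate a CloudFront custom policy for private content.

Added example, not CloudFront or AWS SDK code. The domain, viewer range and
timestamps are constructed. The policy layout and the base64 substitutions
(+ -> -, = -> _, / -> ~) are CloudFront's documented format. The trusted
signer's RSA-SHA1 signature over the policy is not reproduced here;
evaluate_policy() assumes the policy was already verified against the
trusted signer's public key.
"""
import base64
import fnmatch
import ipaddress
import json


def build_custom_policy(resource, expires_at, starts_at=None, source_ip=None):
    """Policy with DateLessThan and optional DateGreaterThan / IpAddress conditions."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_at)}}
    if starts_at is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(starts_at)}
    if source_ip is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    return {"Statement": [{"Resource": resource, "Condition": condition}]}


def encode_policy(policy) -> str:
    """Compact JSON, base64, then the substitutions that keep it URL-safe."""
    raw = json.dumps(policy, separators=(",", ":")).encode("utf-8")
    b64 = base64.b64encode(raw).decode("ascii")
    return b64.replace("+", "-").replace("=", "_").replace("/", "~")


def decode_policy(encoded: str):
    b64 = encoded.replace("-", "+").replace("_", "=").replace("~", "/")
    return json.loads(base64.b64decode(b64))


def evaluate_policy(policy, url, now, viewer_ip):
    """Return (allowed, reason) for one request at epoch time `now` from `viewer_ip`."""
    for stmt in policy["Statement"]:
        # Resource may carry * and ? wildcards, e.g. .../media/*
        if not fnmatch.fnmatchcase(url, stmt["Resource"]):
            continue
        cond = stmt["Condition"]
        if now >= cond["DateLessThan"]["AWS:EpochTime"]:
            return False, "expired"
        if "DateGreaterThan" in cond and now <= cond["DateGreaterThan"]["AWS:EpochTime"]:
            return False, "not yet valid"
        if "IpAddress" in cond:
            allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
            if ipaddress.ip_address(viewer_ip) not in allowed:
                return False, f"viewer address outside {allowed}"
        return True, "ok"
    return False, "no statement covers this resource"


if __name__ == "__main__":
    policy = build_custom_policy("https://d111111abcdef8.cloudfront.net/media/*",
                                 expires_at=1_700_000_000, starts_at=1_699_990_000,
                                 source_ip="203.0.113.0/24")
    print(encode_policy(policy))
    print(evaluate_policy(policy, "https://d111111abcdef8.cloudfront.net/media/film.mp4",
                          1_699_995_000, "203.0.113.7"))
```

The time window bounds how long a leaked link stays useful and the viewer range ties it to the network the entitled user is expected to sit on; both conditions travel inside the signed policy, so a recipient cannot loosen them without invalidating the signature.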

Page 13

Reference Architecture – Key Management & Content Encryption

• Ingest: S3 ingest for source, renditions and metadata sidecar files; AWS Elastic Beanstalk.
• Processing: Elastic Transcoder, plus other media processing on EC2.
• Content consumption: CloudFront distribution, with authentication/authorization in front of it.
• Key Management Service: the content owner provides the master key; the service provides the CPK for S3 encryption at rest; EC2 and ETS (Elastic Transcoder) can request the data key on behalf of the customer.
• Amazon DynamoDB (individual key storage): store and deliver object-specific keys.
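Both the S3 client-side encryption slide and this reference architecture describe envelope encryption: a master key that the content owner controls wraps one data key per object, the data key encrypts the object, and only the wrapped data key is persisted (in the object's metadata, or in a DynamoDB key table as here). The block below is an added example serving both slides; it is not AWS SDK or KMS code. KeyService stands in for KMS with the two operations the slides rely on (generate a data key, decrypt a wrapped key), and the dicts stand in for an S3 bucket and a DynamoDB key table. AES is not in the Python standard library, so the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, a stand-in for the AES modes the SDK uses; the table field name is constructed.

```python
"""Envelope encryption for stored media: the master key never leaves the key
service; it wraps one data key per object and only the wrapped copy persists.

Added example, not AWS SDK or KMS code. KeyService stands in for AWS KMS, the
dicts for an S3 bucket and a DynamoDB key table. The cipher is an
HMAC-SHA256 keystream plus an HMAC tag (stand-in for AES; not a production
cipher choice). The "wrapped_key" field name is constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for confidentiality and integrity, derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification of the blob is rejected."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: object or wrapped key was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Stand-in for KMS: holds the master key the content owner provided."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def generate_data_key(self):
        """Return (plaintext data key, wrapped data key). The caller uses the
        plaintext briefly and must persist only the wrapped copy."""
        data_key = os.urandom(32)
        return data_key, seal(self._master, data_key)

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        return unseal(self._master, wrapped)


def put_object(kms, bucket, key_table, object_key, content):
    """Encrypt one object under its own data key; store the wrapped key in the table."""
    data_key, wrapped = kms.generate_data_key()
    bucket[object_key] = seal(data_key, content)
    key_table[object_key] = {"wrapped_key": wrapped}
    # data_key is discarded here: bucket + table alone cannot decrypt the object.


def get_object(kms, bucket, key_table, object_key):
    """A consumer (EC2, Elastic Transcoder) asks the key service to unwrap, then decrypts."""
    data_key = kms.decrypt_data_key(key_table[object_key]["wrapped_key"])
    return unseal(data_key, bucket[object_key])


if __name__ == "__main__":
    kms, bucket, table = KeyService(os.urandom(32)), {}, {}
    put_object(kms, bucket, table, "media/film.mp4", b"constructed media bytes")
    print(get_object(kms, bucket, table, "media/film.mp4"))
```

Per-object data keys mean that exposing one unwrapped key compromises one object, revoking access is a matter of deleting or re-wrapping entries in the key table, and a consumer such as a transcoder only ever needs a temporary data key rather than the master key itself.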

Page 14

Edge Locations

(Map legend: Edge Locations, Availability Zone, Region)

North America: Seattle, San Jose, Palo Alto, Hayward, Los Angeles (2), Dallas (2), St. Louis, South Bend, Miami, Jacksonville, Ashburn (3), Newark, New York (3)

South America: Sao Paulo

Europe: Dublin, London (2), Amsterdam (2), Stockholm, Frankfurt (2), Paris (2), Madrid, Milan

Asia Pacific: Mumbai, Chennai, Singapore (2), Hong Kong (2), Seoul, Tokyo (2), Osaka, Sydney

Where is my Content!

Page 15

AWS CloudTrail (Log all your AWS API calls ever made)

You are making API calls on a growing set of services around the world. CloudTrail is continuously recording those API calls and delivering log files to you.

Page 16

Page 17

Content Access | Transfer

(Diagram of the workflow stages Content Creation/Ingest, Process/Manage and Distribution: a Graphic Artist workstation and a Remote Server (AppStream) on the creation side; Archive Storage; Internal Users, Vendors/Partners and Other On-Prem Apps, with Direct Connect and WorkSpaces as their access paths; Amazon CloudFront delivering to Media Consumers.)

Page 18

Encryption, Access, Recycle

• Encrypt
  – Client Side encryption via API
  – Use SSL
  – S3 Server Side Encryption
  – Manage your own keys
  – EBS Encryption
  – RDS (Database) Encryption
  – Use HTTPS on CloudFront
• IAM User Management and IAM Roles
  – Access Rights and Policies
• Automate and Recycle your infrastructure
  – Avoid old, long-running instances in your applications

Page 19

Log, Monitor, Act Proactively

You are making API calls and accessing your content on a growing set of services around the world. CloudTrail is continuously recording API calls and delivering log files to you.

(Diagram: ELB, Amazon S3, Amazon Glacier and CloudFront feeding S3/App Logs and Access Logs.)

Feed logs into CloudWatch, or monitor patterns on the logs. Act fast, or automate, based on real-time notifications and alerts.
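"Monitor patterns on logs" and "act fast or automate" need concrete patterns. The block below is an added example (not an AWS tool, and not from the deck) that scans CloudTrail records for three patterns a media workflow owner would want to act on: API use by the root account, a burst of denied calls from one address and identity, and a security group change that opens a port to 0.0.0.0/0. SAMPLE_LOG is constructed in the CloudTrail record layout (userIdentity, eventTime, eventSource, eventName, sourceIPAddress, errorCode, requestParameters); the account id, ARN, addresses, group id, user names and times are placeholders, and the rules and the burst threshold are assumptions.

```python
"""Scan CloudTrail records for patterns worth an alert.

Added example, not an AWS tool. SAMPLE_LOG is constructed in the CloudTrail
record layout; every identifier in it is a placeholder. The rules and
DENIED_BURST_THRESHOLD are assumptions chosen for the illustration.
"""
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-10-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"}},
    {"eventTime": "2015-10-01T12:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "media-ops", "accountId": "123456789012"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
] + [
    # Six denied IAM calls in a row from one vendor identity (constructed).
    {"eventTime": f"2015-10-01T12:02:{i:02d}Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "vendor-x", "accountId": "123456789012"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"}
    for i in range(6)
]})

DENIED_BURST_THRESHOLD = 5  # assumed


def parse_records(text):
    """CloudTrail delivers JSON files with a top-level 'Records' array."""
    return json.loads(text)["Records"]


def detect(records, denied_threshold=DENIED_BURST_THRESHOLD):
    """Return a list of alert dicts; each carries the rule name and the evidence."""
    alerts = []
    denied_by_source = Counter()
    for r in records:
        who = r.get("userIdentity", {})
        actor = who.get("userName") or who.get("type")
        if who.get("type") == "Root":
            # Root should not be used for day-to-day API calls (MFA + IAM users instead).
            alerts.append({"rule": "root-api-use", "event": r["eventName"],
                           "source": r["sourceIPAddress"], "time": r["eventTime"]})
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation",
                                  "Client.UnauthorizedOperation"):
            denied_by_source[(r["sourceIPAddress"], actor)] += 1
        if r["eventName"] == "AuthorizeSecurityGroupIngress":
            params = r.get("requestParameters", {})
            for perm in params.get("ipPermissions", {}).get("items", []):
                for rng in perm.get("ipRanges", {}).get("items", []):
                    if rng.get("cidrIp") == "0.0.0.0/0":
                        alerts.append({
                            "rule": "world-open-ingress", "group": params.get("groupId"),
                            "port": f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')}",
                            "actor": actor, "time": r["eventTime"]})
    for (source, actor), n in denied_by_source.items():
        if n >= denied_threshold:
            # Repeated denials usually mean a probing identity or a broken deployment.
            alerts.append({"rule": "denied-burst", "source": source, "actor": actor, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_records(SAMPLE_LOG)):
        print(alert)
```

In practice the same function would run over each log file as CloudTrail delivers it to the S3 log bucket, and its output would go to a notification topic or a ticket; the point of the slide is that the records are already there, so the remaining work is writing down which patterns matter to your workflow.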

Page 20

Path to MPAA Best Practices Alignment

AWS-managed layers, covered by SOC 1/2 and ISO 27001: Facilities, Physical security, Physical infrastructure, Network infrastructure, Virtualization infrastructure.

Customer-managed layers, assessed by a Third-Party Auditor: Operating system, Security groups, Network configuration, Access management, Application.
