Learn how to increase the effectiveness of your security operations as you move to the Cloud. We will discuss how your current incident response, monitoring, and audit response tactics have to change in the Cloud. Drawing from experiences helping clients move to the Cloud, industry research, and the 'school of hard knocks', this talk will help provide practical advice you can apply today. This session is recommended for technical users who want to know how the day-to-day work of securing their on-premises workloads should change when moving to the Cloud.
AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014
Security Features of AWS Services in AWS GovCloud (US)
Alice Rison [email protected]
Ryland [email protected]
Mai-Lan Tomsen Bukovec [email protected]
Moses [email protected]
The AWS Mission
To enable businesses, governments, educational institutions, and developers to use web services to build scalable, sophisticated applications.
AWS GovCloud (US)
AWS exclusive government community cloud restricted to vetted U.S. Government and U.S. commercial entities with government-oriented and regulated workloads
Compliance Regimes
• International Traffic in Arms Regulations (ITAR):
  – 3rd-party ITAR attestation letter
  – US Persons only physical/logical access
  – ITAR boundary defined in the AWS GovCloud (US) User Guide for all AWS services
• FedRAMP:
  – FedRAMP Agency ATO with HHS
  – NIST 800-53 Security Controls
  – Boundary includes EC2, VPC, IAM, EBS, and S3
Shared Responsibility Model
• Security is a shared responsibility
• AWS – responsible for physical security of data centers through the virtualization level up to the host operating system
• Customers – responsible for building secure applications
• AWS services provide you with the features you need to create a reliable, secure, scalable, highly available and cost-efficient IT system
AWS Identity & Access Management
• AWS GovCloud (US): the IAM you know and love, except:
  – Disjoint principal database
  – Disjoint resource/ARN namespace (including S3)
  – No console access for root identity
  – Challenges for cross-region features
• SAML Federation!
• EC2 resource permissions: status and plans
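An added illustration of the disjoint ARN namespace (this is example code, not material from the talk): resources in AWS GovCloud (US) carry the aws-us-gov ARN partition, so a policy copied from a commercial-region account with arn:aws: resources matches nothing there. The policy document, bucket, queue and account id below are constructed.

```python
import json
import re

# Constructed example: a policy written for a commercial-region account and
# reused unchanged in AWS GovCloud (US). Resources there carry the
# "aws-us-gov" partition, so the "arn:aws:" entries below never match.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": ["arn:aws-us-gov:sqs:us-gov-west-1:123456789012:jobs",
                      "arn:aws:sqs:us-east-1:123456789012:jobs"]},
    ],
}

# arn:partition:service:region:account:resource (region/account may be empty)
ARN_RE = re.compile(r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_partition_mismatches(policy, expected_partition="aws-us-gov"):
    """Return (statement index, ARN, partition) for every Resource/NotResource
    ARN whose partition differs from the one the account actually lives in."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        for key in ("Resource", "NotResource"):
            for arn in _as_list(stmt.get(key, [])):
                match = ARN_RE.match(arn)
                if match and match.group("partition") != expected_partition:
                    findings.append((idx, arn, match.group("partition")))
    return findings


def rewrite_partition(policy, target="aws-us-gov"):
    """Copy of the policy with every ARN's partition replaced. Only a starting
    point: region names also differ, and principals from the commercial
    account do not exist in GovCloud's separate principal database."""
    text = json.dumps(policy)
    return json.loads(re.sub(r"arn:[^:]+:", f"arn:{target}:", text))
```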
Amazon S3 Features
• Data confidentiality, integrity, and availability
• Data access restricted by default:
  – Object: IAM policies, ACLs, Bucket Policies
  – Log access to buckets and objects
• Plethora of encryption options:
  – Data in transit: FIPS 140-2 validated endpoints in AWS GovCloud (US) and SSL options
  – Data at rest: 256-bit Advanced Encryption Standard (AES-256) with S3 SSE
• Designed for 99.9% availability and up to eleven 9’s of durability
• Amazon S3 Versioning’s MFA Delete feature
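The bucket-policy and encryption points above, as an added example that is not from the talk: a policy that denies plaintext transport and denies PutObject without S3 server-side encryption, plus a small evaluator that shows which statement blocks a given request. The bucket name, object key and the simplified IAM evaluation are constructed assumptions.

```python
import fnmatch

def build_govcloud_bucket_policy(bucket):
    """Constructed bucket policy: deny plaintext transport and deny PutObject
    without SSE-S3 (AES-256). ARNs use the aws-us-gov GovCloud partition."""
    bucket_arn = f"arn:aws-us-gov:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, bucket_arn + "/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": bucket_arn + "/*",
             "Condition": {"StringNotEquals":
                           {"s3:x-amz-server-side-encryption": "AES256"}}},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, ctx):
    """Minimal IAM semantics for the two operators used above. A negated
    operator such as StringNotEquals evaluates true when the key is absent
    from the request, which is what turns a missing SSE header into a Deny."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if operator == "Bool" and str(have).lower() != want:
                return False
            if operator == "StringNotEquals" and have == want:
                return False
    return True

def denying_statement(policy, action, resource, ctx):
    """Sid of the first explicit Deny that matches the request, else None. Only
    Deny statements are checked: an explicit Deny overrides any Allow."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None
```

Pair the policy with bucket access logging and MFA Delete on versioning, as the slide lists, so that both rejected and accepted requests leave an audit trail.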
Amazon EMR
(Diagram: an EMR cluster with a master security group and a slave security group inside a Virtual Private Cloud, alongside Amazon S3 and a web app server, connected through a VPN gateway to the corporate data center. Numbered callouts:)
1 Store your input and output data in S3 using S3 Server Side Encryption
2 EMR reads and writes to S3 using https
3 EMR creates security groups for the master and slaves. You can configure them to only allow certain ports/IPs
4 Encrypt data stored on disk (optional)
5 Encrypt data in transit between nodes (optional)
6 Launch the cluster in a VPC
7 Connect to your own data center using VPN
Amazon EMR Features
• EC2 Security Groups
• Data is transferred to and from Amazon S3 using the FIPS validated endpoint
• Cluster specific access control
• Integration with VPC
• Cohesive with data at rest encryption
Amazon VPC Architecture
(Diagram: the customer’s network reaches the Amazon Web Services cloud over a secure VPN connection across the Internet, terminating at a VPN gateway and router; the customer’s isolated AWS resources sit in subnets, with a NAT and an Internet gateway for outbound access.)
Amazon VPC Features
• AWS GovCloud (US) – mandatory VPC
• Firewall/Security Groups
• Network Access Control Lists
• Subnets and Route Tables
• Virtual Private Gateways
• Internet Gateways
Ideal Workloads
• Web & Mobile Applications
• Big Data & High Performance Computing
• Mission Oriented Applications
• Disaster Recovery & Archive
Case Study: CDC BioSense 2.0 – Organizational Benefits
• The US Centers for Disease Control and Prevention’s (CDC) mission is to improve public health.
• With the BioSense 2.0 program, the CDC is tasked with providing awareness of all health-related threats and supporting responses to these threats at the national, state, and local level.
• The CDC re-launched BioSense 2.0 on Amazon Web Services in AWS GovCloud (US) and other Regions using Amazon EC2, Amazon S3, Amazon EMR, and Amazon SES.
• Needing to avoid purchasing expensive hardware and software, the organization turned to AWS for its low-cost, pay-per-use model, high availability, as well as its security and compliance practices.
• The CDC leveraged service-level security features in AWS GovCloud (US) to meet the confidentiality, availability and integrity security controls needed to obtain a FISMA Moderate Level ATO.
Learn More
• Security White Papers: http://aws.amazon.com/security/security-resources/
  – AWS Security Overview
  – AWS Security Best Practices
  – Securing Data at Rest with Encryption
  – Amazon VPC Connectivity Options
  – Auditing Security Checklist
  – Security at Scale: Logging in AWS
• AWS GovCloud (US) User Guide: http://docs.aws.amazon.com/govcloud-us
Thank You!!
http://aws.amazon.com/govcloud-us