Amazon Web Services offers a wide range of tools and features to help you meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. Amazon Web Services provides security-specific tools and features across network security, configuration management, access control and data security. In addition, Amazon Web Services provides monitoring and logging tools that give full visibility into what is happening in your environment. In this session, you will be introduced to the range of security tools and features that Amazon Web Services offers, and to the latest security innovations coming from Amazon Web Services.
Andrew Watts-Curnow, Cloud Architect - Professional Services, ASEAN
8. VPC: Private, isolated network on the AWS cloud
AWS Virtual Private Cloud
• Private and logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity
(Diagram: a VPC spanning Availability Zone A and Availability Zone B)
9. VPC = Virtual Private Cloud
• Your virtual data center on AWS
• Block of IPs that define your network (typically RFC 1918)
• Can span multiple AZs
• Default VPCs
(Diagram: a VPC with CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B)
10. VPC subnet
• Range of IPs in your VPC IP range
• Lives inside an AZ
• Can provide security at the subnet or network level with access control lists (ACLs)
• Can route at the subnet level
• Default VPC subnets
(Diagram: VPC CIDR 10.1.0.0/16 with subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.10.0/24 in Availability Zone B)
11. NACL = network access control list
• An optional layer of security that acts as a firewall for a subnet
• A numbered list of rules that we evaluate in order
• ACLs are stateless and have separate inbound and outbound rules
(Diagram: VPC CIDR 10.1.0.0/16 with a subnet in Availability Zone A and a subnet in Availability Zone B, each protected by a network ACL)
12. Security groups
• A security group acts as a virtual firewall for your EC2 instance
• An EC2 instance can have up to five security groups
• Security groups act at the instance level, not the subnet level
• Security groups are stateful
(Diagram: subnet 10.1.1.0/24 in Availability Zone A and subnet 10.1.10.0/24 in Availability Zone B, with EC2 instances in both subnets sharing one security group)
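The difference between the stateless NACL of slide 11 and the stateful security group of slide 12 is easiest to see on one connection. The following is an added example, not code from the slides: a toy model of both firewalls applied to the same HTTPS request and its reply. Rule numbers, CIDRs, ports and the `Packet`, `Rule`, `NetworkAcl` and `SecurityGroup` names are constructed for the illustration.

```python
# Added example (not from the slides): a toy model of the stateless network
# ACL and the stateful security group described above, applied to the same
# HTTPS connection. Rule numbers, CIDRs and ports are constructed values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rules are evaluated in ascending number order
    cidr: str          # remote address range the rule applies to
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"
    protocol: str = "tcp"

    def matches(self, addr: str, port: int, protocol: str) -> bool:
        return (
            ip_address(addr) in ip_network(self.cidr)
            and self.port_from <= port <= self.port_to
            and self.protocol in (protocol, "all")
        )


class NetworkAcl:
    """Stateless subnet firewall: separate inbound and outbound lists, the
    first matching rule decides, and traffic matching no rule is denied."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, addr, port, protocol):
        for rule in rules:
            if rule.matches(addr, port, protocol):
                return rule.action == "allow"
        return False  # implicit deny when no numbered rule matches

    def allows_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt.src, pkt.dst_port, pkt.protocol)

    def allows_outbound(self, pkt):
        # Outbound rules are matched against the remote side of the packet, so
        # a reply to a client must be allowed on the client's ephemeral port.
        return self._evaluate(self.outbound, pkt.dst, pkt.dst_port, pkt.protocol)


class SecurityGroup:
    """Stateful instance firewall: an allowed inbound connection is tracked
    and its replies pass without any explicit outbound rule."""

    def __init__(self, inbound):
        self.inbound = inbound
        self.tracked = set()   # (client, client_port, server, server_port)

    def allows_inbound(self, pkt):
        if any(r.matches(pkt.src, pkt.dst_port, pkt.protocol) for r in self.inbound):
            self.tracked.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
            return True
        return False

    def allows_outbound(self, pkt):
        # A reply flips source and destination; if it belongs to a tracked
        # connection it is allowed regardless of outbound rules.
        return (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port) in self.tracked


def demo():
    """Decisions each firewall makes for one constructed HTTPS request/reply."""
    request = Packet("203.0.113.10", 51515, "10.1.1.20", 443)
    reply = Packet("10.1.1.20", 443, "203.0.113.10", 51515)
    blocked = Packet("198.51.100.5", 40000, "10.1.1.20", 443)

    https_in = [Rule(90, "198.51.100.0/24", 443, 443, "deny"),   # lower number wins
                Rule(100, "0.0.0.0/0", 443, 443, "allow")]
    # NACL that allows HTTPS in but has no outbound rule for ephemeral ports.
    strict_acl = NetworkAcl(https_in, [Rule(100, "0.0.0.0/0", 443, 443, "allow")])
    # Same NACL with the outbound ephemeral range a reply needs.
    fixed_acl = NetworkAcl(https_in, [Rule(100, "0.0.0.0/0", 1024, 65535, "allow")])
    sg = SecurityGroup([Rule(0, "0.0.0.0/0", 443, 443, "allow")])

    return {
        "acl_request_in": strict_acl.allows_inbound(request),
        "acl_blocked_src_in": strict_acl.allows_inbound(blocked),
        "strict_acl_reply_out": strict_acl.allows_outbound(reply),
        "fixed_acl_reply_out": fixed_acl.allows_outbound(reply),
        "sg_request_in": sg.allows_inbound(request),
        "sg_reply_out": sg.allows_outbound(reply),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The `strict_acl` case is the classic mistake with stateless rules: the request is admitted, but the reply is dropped because no outbound rule covers the client's ephemeral port. The security group tracks the connection instead, so only the inbound rule has to be written.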
18. Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support Dev/Ops Model
• Automatable via APIs
• AWS Context Aware
• Static & Dynamic Telemetry
• Integrated with CI/CD tools
• On-Demand Pricing model
• CVE & CIS Rules Packages
• AWS AppSec Best Practices
21. AWS Key Management Service
Encryption key management and compliance made easy
One-click Encryption of server and database storage
Centralized key management (create, delete, view, set policies)
Enforced, automatic key rotation
Visibility into any changes via CloudTrail
23. CloudWatch Logs: Centralize Your Logs
Send existing system, application, and custom log files to CloudWatch Logs via our agent, and monitor these logs in near real-time.
This can help you better understand and operate your systems and applications, and you can store your logs using highly durable, low-cost storage for later access.
24. AWS Config: Record AWS Environment Changes
AWS Config records AWS environment configuration and changes information for your account.
Snapshots answer the question “What did my environment look like, at time x?”
History answers the question “What changes have happened, to infrastructure element I over time?”
(Diagram: AWS Config continuously records changing resources into a history stream and into snapshots, e.g. a snapshot dated 2014-11-05)
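The two questions on this slide map onto two operations over a stream of recorded configuration changes. The following is an added example, not code or output from AWS Config: it replays a constructed change stream to build a snapshot at time x, to list the history of one element I, and, as a defender would use that history, to find the interval during which a security group carried an any-source ingress rule. The record format, resource ids (`sg-0a1`, `i-123`) and timestamps are made up for the example.

```python
# Added example (not from the slides): a small model of the two questions
# AWS Config answers, snapshot ("what did it look like at time x?") and
# history ("what changed on element I over time?"), replayed from a
# constructed change stream. Timestamps are ISO 8601 strings; the records
# are made up for the example and are not real AWS Config output.

# Constructed change stream: (timestamp, resource id, recorded configuration)
CHANGE_STREAM = [
    ("2014-11-01T09:00:00", "sg-0a1", {"ingress": ["22/tcp from 10.1.0.0/16"]}),
    ("2014-11-01T09:00:00", "i-123", {"state": "running", "groups": ["sg-0a1"]}),
    ("2014-11-03T14:30:00", "sg-0a1", {"ingress": ["22/tcp from 0.0.0.0/0"]}),
    ("2014-11-04T10:00:00", "i-123", {"state": "running", "groups": ["sg-0a1"]}),  # re-recorded, unchanged
    ("2014-11-06T08:15:00", "sg-0a1", {"ingress": ["22/tcp from 10.1.0.0/16"]}),
]


def snapshot(stream, at):
    """What did my environment look like at time `at`? Replays every record
    up to that moment; the last recorded configuration per resource wins."""
    state = {}
    for ts, resource_id, config in sorted(stream, key=lambda e: e[0]):
        if ts <= at:
            state[resource_id] = config
    return state


def history(stream, resource_id):
    """What changes happened to `resource_id` over time? Returns
    (timestamp, before, after) for each record whose configuration differs
    from the previous one; unchanged re-records are not changes."""
    changes = []
    previous = None
    for ts, rid, config in sorted(stream, key=lambda e: e[0]):
        if rid == resource_id and config != previous:
            changes.append((ts, previous, config))
            previous = config
    return changes


def find_exposure_windows(stream, resource_id, bad_fragment="0.0.0.0/0"):
    """Defender's use of the history: (opened, closed) intervals during which
    the resource's ingress rules contained `bad_fragment`. A `closed` of
    None means the exposure is still open at the end of the stream."""
    windows, opened = [], None
    for ts, _, after in history(stream, resource_id):
        exposed = any(bad_fragment in rule for rule in after.get("ingress", []))
        if exposed and opened is None:
            opened = ts
        elif not exposed and opened is not None:
            windows.append((opened, ts))
            opened = None
    if opened is not None:
        windows.append((opened, None))
    return windows


if __name__ == "__main__":
    print("snapshot 2014-11-05:", snapshot(CHANGE_STREAM, "2014-11-05T00:00:00"))
    print("history of sg-0a1:", history(CHANGE_STREAM, "sg-0a1"))
    print("exposure windows:", find_exposure_windows(CHANGE_STREAM, "sg-0a1"))
```

The snapshot taken on 2014-11-05 shows the group open to the world even though the stream's first and last records for it look identical, which is exactly what a point-in-time view adds to a current-state inventory.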
25. CloudTrail: Record AWS API Calls
AWS CloudTrail records AWS API calls for your account and delivers log files to you.
The recorded information includes caller identity, time, the source IP address, parameters, and the response returned by the AWS service.
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
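The fields the slide lists (caller identity, time, source IP, parameters, response) are what security analysis actually runs on. The following is an added example, not code from the slides or from AWS: it parses a handful of records constructed in the shape of CloudTrail's JSON and runs three simple checks over them (a call from outside a trusted address range, a security-group ingress opened to 0.0.0.0/0, and an AccessDenied error). The records, the user names, and the trusted CIDR `203.0.113.0/24` are all assumed values for the example.

```python
# Added example (not from the slides): parsing CloudTrail-style records and
# running three simple checks over them. The records below are constructed in
# the shape of CloudTrail's JSON (they are not real trail output) and the
# trusted address range is an assumed corporate egress CIDR.
import json
from ipaddress import ip_address, ip_network

TRUSTED_CIDRS = [ip_network("203.0.113.0/24")]  # assumed corporate egress range

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-01T08:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}, "responseElements": None},
    {"eventTime": "2015-06-01T08:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0a1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "responseElements": {"_return": True}},
    {"eventTime": "2015-06-01T08:06:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "carol"}, "responseElements": None,
     "errorCode": "AccessDenied"},
    {"eventTime": "2015-06-01T08:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
     "requestParameters": {}, "responseElements": None},
]})


def parse_records(text):
    """Pull the fields the slide lists out of each record: caller identity,
    time, source IP, request parameters and the response (or error)."""
    out = []
    for rec in json.loads(text)["Records"]:
        identity = rec.get("userIdentity", {})
        out.append({
            "time": rec["eventTime"],
            "caller": identity.get("userName") or identity.get("invokedBy") or "unknown",
            "caller_type": identity.get("type"),
            "source_ip": rec["sourceIPAddress"],
            "event": rec["eventName"],
            "params": rec.get("requestParameters") or {},
            "response": rec.get("responseElements"),
            "error": rec.get("errorCode"),
        })
    return out


def _cidrs_in_ingress(params):
    """Walk the ipPermissions structure and yield every cidrIp it contains."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            yield rng.get("cidrIp")


def findings(records):
    """Returns (event, caller, finding) tuples for records worth a look."""
    results = []
    for r in records:
        try:
            src = ip_address(r["source_ip"])
        except ValueError:
            # Calls made on your behalf by an AWS service carry the service's
            # DNS name in sourceIPAddress rather than an IP; skip the IP check.
            src = None
        if src is not None and not any(src in cidr for cidr in TRUSTED_CIDRS):
            results.append((r["event"], r["caller"], "untrusted_source_ip"))
        if r["event"] == "AuthorizeSecurityGroupIngress" and \
                "0.0.0.0/0" in _cidrs_in_ingress(r["params"]):
            results.append((r["event"], r["caller"], "world_open_ingress"))
        if r["error"] == "AccessDenied":
            results.append((r["event"], r["caller"], "access_denied"))
    return results


if __name__ == "__main__":
    for event, caller, finding in findings(parse_records(SAMPLE_TRAIL)):
        print(f"{finding:22} {caller:10} {event}")
```

The `ValueError` branch is the caveat worth remembering when writing detections over real trails: `sourceIPAddress` is not always an IP address, so an unguarded parse will abort the whole batch on the first service-originated call.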
26. IAM: Identity and Access Management
With AWS IAM you get to control who can do what in your AWS environment and from where
Fine-grained control of your AWS cloud with two-factor authentication
Integrated with your existing corporate directory using SAML 2.0 and single sign-on
(Diagram: the AWS account owner with separate identities for network management, security management, server management and storage management)
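"Who can do what, and from where" plus two-factor authentication are expressed in IAM as policy statements with conditions. The following is an added example, not code from the slides or from AWS: a minimal evaluator for IAM-style policy documents that implements the documented decision rule (an explicit Deny overrides any Allow; no matching Allow means deny) for a small subset of condition operators, and runs it over two constructed policies: one that allows a server-management team to work on EC2 only from an office address range, and a guard rail that denies destructive actions when no second factor was used. The policies, the office range `203.0.113.0/24`, the instance ARN and the account number in it are all made up for the example.

```python
# Added example (not from the slides): a minimal evaluator for IAM-style
# policy documents, showing how "who can do what, and from where" and the
# two-factor requirement are expressed. It implements the documented IAM
# decision rule (explicit Deny overrides any Allow; no matching Allow means
# deny) for a small subset of condition operators. The policies, addresses,
# ARN and MFA state are constructed for the example.
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Server-management team may read and start/stop EC2 instances, office range only.
OPS_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
    "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
}]}

# Guard rail: destructive actions require a second factor, wherever they come from.
MFA_GUARD_POLICY = {"Statement": [{
    "Effect": "Deny",
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Every operator/key pair in the Condition block must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "IpAddress":
                if actual is None or not any(
                        ip_address(actual) in ip_network(c) for c in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def is_allowed(policies, action, resource, context):
    """Explicit Deny wins; otherwise any matching Allow; otherwise deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def evaluate_scenarios():
    """Decisions for one constructed principal under the two policies above."""
    policies = [OPS_POLICY, MFA_GUARD_POLICY]
    office, elsewhere = "203.0.113.42", "198.51.100.4"
    instance = "arn:aws:ec2:ap-southeast-1:123456789012:instance/i-0abc"  # constructed

    def ctx(ip, mfa):
        return {"aws:SourceIp": ip, "aws:MultiFactorAuthPresent": "true" if mfa else "false"}

    return {
        "describe_from_office_no_mfa": is_allowed(policies, "ec2:DescribeInstances", instance, ctx(office, False)),
        "stop_from_office_with_mfa": is_allowed(policies, "ec2:StopInstances", instance, ctx(office, True)),
        "stop_from_office_no_mfa": is_allowed(policies, "ec2:StopInstances", instance, ctx(office, False)),
        "start_from_elsewhere_with_mfa": is_allowed(policies, "ec2:StartInstances", instance, ctx(elsewhere, True)),
        "terminate_from_office_with_mfa": is_allowed(policies, "ec2:TerminateInstances", instance, ctx(office, True)),
    }


if __name__ == "__main__":
    for name, decision in evaluate_scenarios().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

Two things the scenarios show that the slide only states: the Deny statement in the guard rail cannot be undone by any Allow, however broad, and an action that no statement allows (terminate, here) is denied even with MFA and from the office, because the absence of an Allow is itself a deny.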
27. Compliance at AWS
AWS is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud.
Singapore Multi-Tier Cloud Security Standard (MTCS SS 584) Level-3 (CSP) certification. This certification gives organizations the clarity to utilize AWS to host and process their highly confidential data in Singapore.
The Multi-Tier Cloud Security (MTCS) Singapore standard is developed under the Information Technology Standards Committee (ITSC).
31. AWS Training & Certification
Training
Build technical expertise to design and operate scalable, efficient applications on AWS
aws.amazon.com/training
Certification
Validate your proven skills and expertise with the AWS platform
aws.amazon.com/certification
Self-Paced Labs
Try products, gain new skills, and get hands-on practice working with AWS technologies
aws.amazon.com/training/self-paced-labs
32. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
- Tom Soderstrom, CTO, NASA JPL