01 aws track 1
- 2. www.cloudsec.com | #CLOUDSEC AWS Security Best Practices For the Three Layers of Compute Anand Iyer | Principal Solutions Architect
- 3. Three Layers of Compute.. Virtual server instances in the cloud
- 4. Three Layers of Compute.. Virtual server instances in the cloud Services for running Docker containers
- 5. Three Layers of Compute.. Virtual server instances in the cloud Services for running Docker containers Serverless execution in response to events
- 6. AWS Shield AWS Identity and Access Management AWS Well-Architected Tool AWS WAF AWS Key Management Service AWS Security Services (Preventative) AWS Control Tower
- 7. AWS Shield AWS Well-Architected Tool AWS WAF AWS Security Services (Preventative) AWS Identity and Access Management AWS Control Tower AWS Key Management Service
- 8. AWS Well-Architected Tool AWS Shield AWS WAF AWS Security Services (Preventative) AWS Identity and Access Management AWS Control Tower AWS Key Management Service
- 9. AWS Well-Architected Tool AWS Shield AWS WAF AWS Security Services (Preventative) AWS Identity and Access Management AWS Control Tower AWS Key Management Service
- 10. AWS Trusted Advisor AWS CloudTrail AWS Config Amazon CloudWatch Amazon GuardDuty AWS Security Services (Detective) AWS Security Hub
- 11. AWS Trusted Advisor Amazon GuardDuty AWS Config AWS Security Services (Detective) AWS Security Hub AWS CloudTrail Amazon CloudWatch
- 12. AWS Trusted Advisor AWS Config AWS Security Services (Detective) AWS Security Hub Amazon GuardDuty AWS CloudTrail Amazon CloudWatch
- 13. AWS Trusted Advisor AWS Security Services (Detective) AWS Security Hub Amazon GuardDuty AWS CloudTrail AWS Config Amazon CloudWatch
- 14. AWS Security Services (Detective) AWS Security Hub AWS Trusted Advisor Amazon GuardDuty AWS CloudTrail AWS Config Amazon CloudWatch
- 15. Other Security Activities (App Layer) What? Why? Solution design review Ensure application design adequately protects valuable resources and information Threat modeling Understand attacker & impact of control failures Security unit tests Ensure expected security functionality operates as expected Code review (manual peer review) Look for malicious code, style and standards Code scan (static/dynamic) Look for code vulnerabilities Penetration testing Make sure nothing obvious has been missed Manage risks and vulnerabilities Ensure that known issues are resolved in a timely manner Operate solution Manage and monitor application to identify technical and business anomalies
- 16. The Things AWS Isn’t Doing Protect your customer data and applications with • Configuration of access controls • Configuring encryption • Application monitoring • Intrusion detection/prevention • Application runtime analysis • Backups • Disaster Recovery
- 17. Virtual server instances in the cloud Infrastructure Services
- 18. AWS Global Infrastructure Customer Data Platform & Application Management Operating System, Network & Firewall Configuration Client-side encryption Data integrity Authentication Server-side encryption File system and/or data Network traffic protection Encryption, integrity, identity (Optional) Opaque Data: 0s and 1s Foundation Services AWS Endpoints Compute Storage Databases Networking Regions Availability Zones Edge Locations Customer IAM AWS IAM Managed By AWS Customers Managed By Amazon Web Services Shared Security Model (Infra Services) Examples: Amazon EC2, Amazon EBS, and Amazon VPC
- 19. AWS Security Services for Infrastructure Amazon EC2 Auto Scaling AWS Systems Manager AWS OpsWorks AWS Well-Architected Tool Amazon GuardDuty AWS Config
- 21. AWS Global Infrastructure Customer Data Application Management Operating System, Network & Platform Management Client-side encryption Data integrity Authentication Server-side encryption File system and/or data Network traffic protection Encryption, integrity, identity (Optional) Opaque Data: 0s and 1s Foundation Services AWS Endpoints Compute Storage Databases Networking Regions Availability Zones Edge Locations Customer IAM AWS IAM Managed By AWS Customers Managed By Amazon Web Services Firewall Configuration Shared Security Model (Container Services) Examples: Amazon ECS, Amazon EKS and AWS Fargate
- 22. Container Services Select, install, configure, harden, patch, monitor, perform break/fix, upgrade and eventually decommission: • Container assembly • Application dependencies (example: NodeJS packages) • Business application
- 23. AWS Security Services for Containers Amazon EC2 Auto Scaling AWS OpsWorks AWS Well-Architected Tool Amazon GuardDuty AWS Config
- 24. Abstract / Serverless Services Serverless execution in response to events
- 25. Shared Security Model (Serverless Services) Customer Data (Optional) Opaque Data: 0s and 1s Operating System, Network & Firewall Configuration Foundation Services AWS Global Infrastructure AWS Endpoints Compute Storage Databases Networking Regions Availability Zones Edge Locations AWS IAM Managed By AWS Customers Managed By Amazon Web Services Platform & Application Management Client-side encryption, data integrity and authentication Server-side encryption provided by the platform Network traffic protection provided by the platform Examples:AWS Lambda,Amazon S3 and Amazon DynamoDB
- 26. AWS Security Services for Serverless AWS Well-Architected Tool Amazon GuardDuty AWS Config
- 27. High-level Services Are Better Serverless Containers Infrastructure
- 28. AWS Identity & Access Management (IAM) AWS Organizations AWS Cognito AWS Directory Service AWS Single Sign-On AWS Security Hub AWS CloudTrail AWS Config Amazon CloudWatch Amazon GuardDuty VPC Flow Logs AWS Control Tower Amazon EC2 Systems Manager AWS Shield AWS Web Application Firewall (WAF) Amazon Inspector Amazon Virtual Private Cloud (VPC) AWS Key Management Service (KMS) AWS CloudHSM Amazon Macie Certificate Manager Server Side Encryption AWS Config Rules AWS Lambda Identity Detective control Infrastructure security Incident response Data protection AWS Security Solutions
- 29. #CLOUDSEC www.cloudsec.com THANK YOU! Anand Iyer | Principal Solutions Architect, AISPL