AWS re:Invent re:Cap - 종단간 보안을 위한 클라우드 아키텍처 구축 - 양승도
3 likes859 views
The document outlines AWS's security framework, emphasizing the shared responsibility model between AWS and its customers. It details AWS's foundation services, various encryption methods, and how they meet regulatory requirements, particularly through a case study involving Nasdaq's data warehouse migration to AWS. The importance of cloud security, compliance monitoring, and agile self-service for developers is also highlighted.
AWS re:Invent re:Cap - 종단간 보안을 위한 클라우드 아키텍처 구축 - 양승도
- 1. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. December 8, 2014 | Korea 양승도 솔루션스 아키텍트 re:
- 2. JOB ZERO
- 3. Job Zero Network Security Physical Security Platform Security People & Procedures
- 4. SHARED
- 5. constantly improving AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations AWS is responsible for the security OF the Cloud GxP ISO 13485 AS9100 ISO/TS 16949
- 6. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network, & Firewall Configuration Customer applications & content Customers shared responsibility Customers have their choice of security configurations IN the Cloud AWS is responsible for the security OF the Cloud
- 7. FAMILIAR
- 8. familiar
- 9. VISIBILITY
- 13. Visible
- 14. You are making API calls... On a growing set of services around the world… AWS CloudTrail is continuously recording API calls… And delivering log files to you AWS CLOUDTRAIL Redshift AWS CloudFormation AWS Elastic Beanstalk
- 15. Use cases enabled by CloudTrail
- 16. AUDITABILITY
- 22. Changing Recording Continuous Change Resource s AWS Config History Stream Snapshot (ex. 2014-11-05) AWS Config
- 24. Integrated Support from Our Partner Ecosystem
- 29. CONTROL
- 30. First class security and compliance starts (but doesn’t end!) with encryption Automatic encryption with managed keys Bring your own keys Dedicated hardware security modules
- 31. Encryption & Best Practices with AWS Managed key encryption Key storage with AWS CloudHSM Customer-supplied key encryption DIY on Amazon EC2 Create, store, & retrieve keys securely Rotate keys regularly Securely audit access to keys Partner enablement of crypto
- 32. DIY AWS Marketplace Partner Solution AWS CloudHSM AWS Key Management Service Where are keys generated and stored Your network or in AWS Your network or in AWS In AWS, on an HSM that you control AWS Where keys are used Your network or your EC2 instance Your network or your EC2 instance AWS or your applications AWS services or your applications How to control key use Config files, Vendor-specific management Vendor-specific management Customer code + Safenet APIs Policy you define; enforced in AWS Responsibility for Performance/Scale You You You AWS Integration with AWS services? Limited Limited Limited Yes Pricing model Variable Per hour/per year Per hour Per key/usage
- 41. How AWS Services Integrate with AWS Key Management Service • Two-tiered key hierarchy using envelope encryption • Unique data key encrypt customer data • AWS KMS master keys encrypt data keys • Benefits of envelope encryption: • Limits risk of a compromised data key • Better performance for encrypting large data • Easier to manage a small number of master keys than millions of data keys Customer Master Key(s) Data Key 1 Amazon S3 Object Amazon EBS Volume Amazon Redshift Cluster Data Key 2 Data Key 3 Data Key 4 Custom Application AWS KMS
- 42. AWS Key Management Service Reference Architecture Application or AWS Service + Data Key Encrypted Data Key Encrypted Data Master Key(s) in Customer’s Account AWS Key Management Service 1.Application or AWS service client requests an encryption key to use to encrypt data, and passes a reference to a master key under the account. 2.Client request is authenticated based on whether they have access to use the master key. 3.A new data encryption key is created and a copy of it is encrypted under the master key. 4.Both data key and encrypted data key are returned to the client. Data key is used to encrypt customer data and then deleted as soon as is practical. 5.Encrypted data key is stored for later use and sent back to AWS KMS when the source data needs to be decrypted.
- 43. Nasdaq is a great example of security excellence in the cloud
- 44. Nasdaq Use Case Requirement Replace on-premises data warehouse while keeping equivalent schemas and data Only one year of capacity remaining 4-8 billion rows of new information stored daily stock trading Must cost less than existing system Must satisfy multiple security and regulatory audits Must perform similarly to legacy warehouse under concurrent query load AWS’s ability to satisfy multiple security and regulatory audits was critical to Nasdaq’s migrating its data warehouse to AWS
- 45. Nasdaq Data Warehouse Implementation Pull data from numerous sources, validate data, and securely load into Redshift
- 46. AWS CloudTrail to monitor and audit environment Network isolation with Amazon VPC and AWS Direct Connect Encryption in flight using TLS and Amazon Redshift JDBC connections Encryption at rest with Amazon S3 (client-side, AES-256) with Amazon Redshift cluster encryption enabled and AWS CloudHSM Nasdaq Security Best Practices AWS CloudHSM integration was critical to Nasdaq adoption of AWS
- 47. AGILITY
- 50. Agility Self-service Time to market IT Developers Control Visibility Compliance
- 52. Use a personalized portal to find & launch services IT Developers Create custom services and grant access to developers
- 53. Providing Developers fast provisioning Create and manage Portfolio Add custom products and services Grant access to developers
- 54. Achieving self-service with IT approval Find and launch services Automate provisioning Manage AWS resources
- 55. Creates portfolio Adds constraints and grant access 1 4 5 Administrator Portfolio Users Browse Products 6 Launch Products AWS CloudFormation template Creates product 3 Authors template 2 ProductX ProductY ProductZ 7 Deploys stacks Notifications Notifications 8 8
- 58. BETTER OFF IN AWS