Jeff Westphal - Milwaukee and Madison AWS uGroup Leader
AWS Security 101: Understanding the Shared Security Model
@ClashofCoders
[Diagram: PROD-VPC and DEV-VPC in the US-East region, each with a public subnet (instances behind an IGW) and a private subnet (instances); an RDS database inside a security group; S3 buckets outside the VPCs]
Fundamental Concepts in AWS
Network
• VPC
• Public/Private Subnets
• Security Groups
• NACLs
• Availability Zones
Identity and Access
• IAM
• Users/Groups
• Permissions
• MFA
Data and Compute
• EC2
• EBS
• S3
• CloudTrail
• CloudWatch
[Diagram labels: ELB; Availability Zone us-east-1a]
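The fundamental-concepts slide names security groups and public subnets but does not show what "checking them" looks like. The following is an added example (not code from the slides, the speaker, or Trend Micro): an audit of `describe-security-groups` output that flags ingress rules reachable from 0.0.0.0/0 or ::/0. SAMPLE is a constructed document in the shape of `aws ec2 describe-security-groups --output json`; SENSITIVE_PORTS and WEB_PORTS are assumed lists for this example.

```python
"""Security-group exposure audit over describe-security-groups output.

Added example, not from the slides. SAMPLE is a constructed document in
the shape returned by `aws ec2 describe-security-groups --output json`;
load the real output the same way to audit an account.
"""
import ipaddress
import json

# Services that should never be reachable from 0.0.0.0/0 or ::/0 (assumed list).
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
    5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}
# Public listeners that are expected on a web tier behind the ELB.
WEB_PORTS = {80, 443}

# Constructed sample: a web tier, a private RDS group that only trusts the
# web tier's group ID, and a dev group that allows everything from anywhere.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d", "GroupName": "prod-web", "VpcId": "vpc-prod",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0d4e5f6a", "GroupName": "prod-rds", "VpcId": "vpc-prod",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]}]},
  {"GroupId": "sg-0b7c8d9e", "GroupName": "dev-open", "VpcId": "vpc-dev",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]}
]}
""")


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (a /0 prefix covers every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(doc: dict) -> list:
    """Return one finding per ingress rule that is reachable from the world.

    Severity: HIGH for all-traffic rules or any sensitive port, INFO for a
    rule that only exposes web ports, MEDIUM for anything else.
    """
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if is_world_open(c)]
            if not world:
                continue  # rule trusts specific CIDRs or another SG, not the internet
            if perm["IpProtocol"] == "-1":
                severity, detail = "HIGH", "all protocols and ports"
            else:
                ports = range(perm["FromPort"], perm["ToPort"] + 1)
                exposed = [SENSITIVE_PORTS[p] for p in SENSITIVE_PORTS if p in ports]
                if exposed:
                    severity, detail = "HIGH", ", ".join(exposed)
                elif set(ports) <= WEB_PORTS:
                    severity, detail = "INFO", "web listener"
                else:
                    severity, detail = "MEDIUM", f"{perm['IpProtocol']} {ports.start}-{ports.stop - 1}"
            findings.append({
                "group": sg["GroupId"], "name": sg["GroupName"], "vpc": sg["VpcId"],
                "severity": severity, "detail": detail, "from": ",".join(world),
            })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE):
        print(f"{f['severity']:<6} {f['vpc']}/{f['name']} ({f['group']}): "
              f"{f['detail']} from {f['from']}")
```

Rules that reference another security group (the RDS group above) produce no finding, which is the pattern the slide's private subnet relies on: the database trusts the web tier's group ID, not an address range.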
[Diagram: Route 53, an "Al Gore" caption, Shield (DDoS protection) and WAF in front of the Clash of Coders application; annotation: "Demand Increases"]
[Diagram: IAM Account A in AWS Region A holds VPC-A and VPC-B, each with a public subnet (instances, IGW) and a private subnet (instances), peered to a Services VPC whose private subnets contain instances and an RDS database inside security groups, plus an Elastic IP, Autoscaling, a VPC NAT Gateway and an ELB (one Availability Zone shown). Copies of VPC-B in AWS Region B and AWS Region C (IAM Account B) connect through VPC peering and a VPN Gateway; S3 buckets sit outside the VPCs]
What’s Missing?
AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You define your controls IN the Cloud:
• Customer applications, Operating Systems & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
Copyright 2018 Trend Micro Inc.
Why do I need additional security in the cloud?
Threats:
• Network attack
• Vulnerabilities
• Malware
• Insider threats
Compliance:
• PCI DSS
• HIPAA
• NIST
• Internal
[Diagram: Route 53, an "Al Gore" caption, Shield and WAF: security at scale]
The 7 Security Domains of the Cloud Security Model
1. Network
2. Identity & Access Mgmt
3. Data
4. Visibility
5. Governance, Risk & Compliance
6. Threat & Vulnerability Protection
7. Application Security
Security Domain 1 – Network Security
Native Services
• VPC
• NACLs, Security Groups
• VPN, Direct Connect
• VPC Peering
• Public/Private Subnets
• ELB/ALB
Third-Party Services:
• Next-Gen Firewall
• CASB
• Software Defined Perimeter
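The slide lists NACLs and security groups side by side, and the practical difference is what trips people up: a NACL is stateless and evaluated in rule-number order, a security group is stateful and allow-only. The following is an added example (not code from the slides, the speaker, or Trend Micro) that models both evaluations on constructed rule sets for a public subnet serving HTTPS. Rule numbers, CIDRs and ports are all constructed for the demonstration.

```python
"""Stateless NACL vs stateful security-group evaluation.

Added example, not from the slides. The rules below are constructed to show
two NACL gotchas: lowest rule number wins (a later deny is never reached),
and replies need their own outbound rule on the ephemeral port range.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int        # rules are evaluated in ascending order; first match wins
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all
    cidr: str
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"


def nacl_decision(rules, protocol, addr, port):
    """Evaluate a single packet against one direction of a NACL.

    Walk the rules by number and return the first match; falling through
    to the '*' rule means an implicit deny.
    """
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda rule: rule.number):
        if r.protocol != "-1" and r.protocol != protocol:
            continue
        if ip not in ipaddress.ip_network(r.cidr, strict=False):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        return r.action
    return "deny"


def nacl_connection(inbound, outbound, client_ip, client_port, server_port):
    """Decision for the request packet and for the server's reply packet.

    The reply is matched against the *outbound* rule set on the client's
    ephemeral port, because a NACL keeps no connection state.
    """
    request = nacl_decision(inbound, "tcp", client_ip, server_port)
    reply = nacl_decision(outbound, "tcp", client_ip, client_port)
    return request, reply


def sg_connection(ingress, client_ip, server_port):
    """Security groups are stateful and allow-only: if the request matches
    any ingress rule, the reply is permitted automatically."""
    ip = ipaddress.ip_address(client_ip)
    allowed = any(
        ip in ipaddress.ip_network(cidr, strict=False) and lo <= server_port <= hi
        for cidr, lo, hi in ingress
    )
    return ("allow", "allow") if allowed else ("deny", "deny")


# Constructed rule sets for a public subnet serving HTTPS.
INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(110, "tcp", "203.0.113.0/24", 443, 443, "deny"),  # never reached: 100 matches first
]
OUTBOUND_BROKEN = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),  # no ephemeral range: replies dropped
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]
# The same deny, numbered below the allow, so it is evaluated first.
INBOUND_ORDERED = [NaclRule(90, "tcp", "203.0.113.0/24", 443, 443, "deny")] + INBOUND
SG_INGRESS = [("0.0.0.0/0", 443, 443)]  # (cidr, from_port, to_port)

if __name__ == "__main__":
    print("broken NACL :", nacl_connection(INBOUND, OUTBOUND_BROKEN, "198.51.100.7", 50000, 443))
    print("fixed NACL  :", nacl_connection(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 50000, 443))
    print("deny at 110 :", nacl_connection(INBOUND, OUTBOUND_FIXED, "203.0.113.9", 50000, 443))
    print("deny at 90  :", nacl_connection(INBOUND_ORDERED, OUTBOUND_FIXED, "203.0.113.9", 50000, 443))
    print("security grp:", sg_connection(SG_INGRESS, "198.51.100.7", 443))
```

The two failure cases are the ones to remember: with OUTBOUND_BROKEN the request is admitted but the reply is silently dropped, and the deny at rule 110 does nothing because rule 100 already matched.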
Security Domain 2 – Identity and Access Management
Native Services
• IAM
• MFA
• SAML
• STS
• Directory Services
• AWS Organizations
Third-Party Services:
• LDAP
• SAML
• SSO
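IAM and MFA appear on the slide as bullets; what a practitioner needs is the evaluation logic behind them: an explicit Deny always wins, an Allow must match action and resource, and anything else is implicitly denied. The following is an added example (not code from the slides, the speaker, or AWS) that models that logic for a "require MFA" guardrail. The policies and request contexts are constructed, and only the Bool, BoolIfExists, StringEquals and StringNotEquals condition operators are modelled.

```python
"""Minimal IAM policy-evaluation model: explicit Deny > Allow > implicit deny.

Added example, not from the slides and not AWS's evaluator. It models the
parts of the logic that matter for an MFA guardrail: wildcard Action and
Resource matching, and the Bool / BoolIfExists condition operators. The
policies and request contexts below are constructed.
"""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches_pattern(patterns, value, case_insensitive):
    for p in _as_list(patterns):
        if case_insensitive:
            if fnmatch.fnmatchcase(value.lower(), p.lower()):
                return True
        elif fnmatch.fnmatchcase(value, p):
            return True
    return False


def _condition_holds(condition, context):
    """Evaluate the Condition block. Every operator/key pair must hold.

    Bool: a missing context key makes the test FALSE (the statement does not
    apply). BoolIfExists: a missing key makes the test TRUE. That difference
    is the whole point of the guardrail below.
    """
    for operator, tests in condition.items():
        for key, expected in tests.items():
            expected = [str(e).lower() for e in _as_list(expected)]
            if key not in context:
                if operator.endswith("IfExists"):
                    continue          # key absent: treated as satisfied
                return False          # key absent: condition fails
            actual = str(context[key]).lower()
            base = operator.replace("IfExists", "")
            if base in ("Bool", "StringEquals"):
                if actual not in expected:
                    return False
            elif base == "StringNotEquals":
                if actual in expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    context = context or {}
    decision = "implicit-deny"
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not _matches_pattern(st["Action"], action, case_insensitive=True):
                continue  # IAM action names are matched case-insensitively
            if not _matches_pattern(st["Resource"], resource, case_insensitive=False):
                continue  # ARNs are case-sensitive
            if not _condition_holds(st.get("Condition", {}), context):
                continue
            if st["Effect"] == "Deny":
                return "explicit-deny"  # a matching Deny can never be overridden
            decision = "allow"
    return decision


# Constructed policies: broad developer access, a deny on production bucket
# deletion, and two variants of the "require MFA" guardrail.
DEVELOPER = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::prod-*"},
]}
MFA_GUARD_BOOL = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
MFA_GUARD_IFEXISTS = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_CALL = {}   # long-term access keys: the MFA key is absent from the context

if __name__ == "__main__":
    obj = "arn:aws:s3:::prod-data/report.csv"
    for guard_name, guard in (("Bool", MFA_GUARD_BOOL), ("BoolIfExists", MFA_GUARD_IFEXISTS)):
        for ctx_name, ctx in (("mfa", CONSOLE_WITH_MFA), ("no-mfa", CONSOLE_NO_MFA),
                              ("access-key", ACCESS_KEY_CALL)):
            print(guard_name, ctx_name, evaluate([DEVELOPER, guard], "s3:GetObject", obj, ctx))
    print("delete prod bucket with MFA:",
          evaluate([DEVELOPER, MFA_GUARD_IFEXISTS], "s3:DeleteBucket", "arn:aws:s3:::prod-data", CONSOLE_WITH_MFA))
```

The case worth running is the access-key one: with the plain Bool operator the guardrail does not apply when aws:MultiFactorAuthPresent is absent from the request context, so a long-term access key sails through; BoolIfExists closes that gap.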
Security Domain 3 – Data
Native Services
• Encryption: KMS
• CloudHSM
• Macie
• GuardDuty
Third-Party Services:
• DLP
• Integrity Monitoring
• Log Inspection
Security Domain 4 – Visibility
Native Services
• CloudTrail
• CloudWatch
• SNS
• Trusted Advisor
Third-Party Services:
• SIEM
• Log Intelligence
• Perimeter Assessments
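CloudTrail is the visibility source on this slide, and the value comes from the detections you run over it. The following is an added example (not code from the slides, the speaker, or a SIEM product): four detection rules run over a constructed CloudTrail log in the "Records" shape CloudTrail delivers to S3. The account ID, trail name, user names and IP addresses are all constructed.

```python
"""CloudTrail event detections for the visibility domain.

Added example, not from the slides. EVENTS is a constructed CloudTrail log
(the "Records" array shape that CloudTrail delivers to S3); the four rules
cover root usage, console sign-in without MFA, logging tampering and
security-group ingress opened to the world.
"""
import json

EVENTS = json.loads("""
{"Records": [
 {"eventID": "e1", "eventTime": "2018-06-01T13:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"},
  "sourceIPAddress": "198.51.100.7"},
 {"eventID": "e2", "eventTime": "2018-06-01T13:05:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"},
  "sourceIPAddress": "203.0.113.9"},
 {"eventID": "e3", "eventTime": "2018-06-01T13:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "userIdentity": {"type": "Root"},
  "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"},
  "sourceIPAddress": "203.0.113.9"},
 {"eventID": "e4", "eventTime": "2018-06-01T13:07:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
  "sourceIPAddress": "198.51.100.8"},
 {"eventID": "e5", "eventTime": "2018-06-01T13:08:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/ci"},
  "sourceIPAddress": "10.0.1.5"}
]}
""")

TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def rule_root_activity(ev):
    """Any API call or sign-in by the root user deserves an alert."""
    if ev["userIdentity"].get("type") == "Root":
        return "root account used"
    return None


def rule_console_login_no_mfa(ev):
    """Successful console sign-in where MFAUsed is anything but 'Yes'."""
    if (ev["eventName"] == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "console login without MFA"
    return None


def rule_cloudtrail_tamper(ev):
    """Stopping, deleting or reconfiguring a trail blinds every other detection."""
    if ev["eventSource"] == "cloudtrail.amazonaws.com" and ev["eventName"] in TAMPER_EVENTS:
        return f"CloudTrail {ev['eventName']} on {ev.get('requestParameters', {}).get('name')}"
    return None


def rule_world_open_ingress(ev):
    """Security-group ingress authorised from 0.0.0.0/0 or ::/0."""
    if ev["eventName"] != "AuthorizeSecurityGroupIngress":
        return None
    params = ev.get("requestParameters", {})
    for p in params.get("ipPermissions", {}).get("items", []):
        v4 = [r.get("cidrIp") for r in p.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in p.get("ipv6Ranges", {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return (f"{params.get('groupId')} opened {p.get('ipProtocol')}/"
                    f"{p.get('fromPort')}-{p.get('toPort')} to the world")
    return None


RULES = [rule_root_activity, rule_console_login_no_mfa, rule_cloudtrail_tamper, rule_world_open_ingress]


def detect(records):
    """Run every rule over every record; return one alert per (rule, event) hit."""
    alerts = []
    for ev in records:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append({"rule": rule.__name__, "eventID": ev["eventID"],
                               "time": ev["eventTime"], "ip": ev.get("sourceIPAddress"), "msg": msg})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS["Records"]):
        print(f"{a['time']} {a['rule']:<28} {a['eventID']} {a['ip']}: {a['msg']}")
```

Note the ordering in the sample: the root sign-in without MFA is followed a minute later by StopLogging from the same address, which is exactly the sequence that makes a tamper rule worth routing to SNS rather than to a dashboard.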
Security Domain 5 – Governance & Compliance
Native Services
• CloudTrail
• CloudWatch
• Config
• AWS Quick Starts
Third-Party Services:
• Best-Practice Checks
• Charge Monitoring
• Customized Alerts
Security Domain 6 – Threat and Incident Detection and Response
Native Services
• VPC
• Security Groups, NACLs
• WAF
• Shield
• Inspector
Third-Party Services:
• Intrusion Prevention
• Deep Packet Inspection
• Malware, Antivirus
• Zero Day/Hour Protection
• Case Management
Security Domain 7 – Application Security
Native Services
• Inspector
• WAF
• API Gateway
• Cognito
Third-Party Services:
• CVE Checks
• Host-Based Security Controls
• Application Control
• Vulnerability Scanning
Serverless and Event Driven Architectures
[Diagram: the Clash of Coders mobile application. Mobile users reach CloudFront and an ALB; an Internet Gateway fronts the VPC; Lambda functions, Kinesis Streams, DynamoDB, an ElastiCache cluster and SNS mobile notifications handle game updates; an S3 bucket serves static content. Developer pipeline: CodeCommit, CodeBuild, ECR and Lambda functions]
Integrated Protection through the entire Application Lifecycle
Pipeline stages on the slide: Commit, Build, Scan, Alert, Sign/Promote, Push, Deploy
Examine during the scan stage:
• Malware
• Vulnerabilities
• Custom IOCs
Driven through APIs; only signed artifacts are promoted
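The lifecycle slide shows scan, sign/promote and deploy as boxes. The following is an added example (not code from the slides, the speaker, or any Trend Micro product) of the gate those boxes imply: examine an artifact against an IOC list and scan findings, sign its digest only if nothing blocks promotion, and verify digest and signature again before deploy. The artifact bytes, findings and IOC entry are constructed; the HMAC secret is an assumption standing in for the pipeline's real signing key, which in practice would be an asymmetric key (for example KMS-backed) rather than a shared secret.

```python
"""Scan -> sign/promote -> deploy gate for a build artifact.

Added example, not from the slides. The artifact, findings and IOC list
are constructed; SIGNING_KEY is an assumed secret standing in for a real
(asymmetric, KMS-backed) pipeline signing key.
"""
import hashlib
import hmac

SIGNING_KEY = b"assumed-pipeline-signing-key"   # assumption: from a secret store in practice
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed IOC feed: a real one supplies digests of known-bad files.
MALWARE_SAMPLE = b"constructed: build output containing a known-bad payload"
IOC_SHA256 = {hashlib.sha256(MALWARE_SAMPLE).hexdigest()}


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def examine(data: bytes, scan_findings: list) -> list:
    """Scan/Alert stage: return every reason the artifact must not be promoted."""
    alerts = []
    digest = artifact_digest(data)
    if digest in IOC_SHA256:
        alerts.append(f"digest {digest[:12]}... matches a malware IOC")
    for f in scan_findings:
        if f["severity"] in BLOCKING_SEVERITIES:
            alerts.append(f"{f['severity']} {f['id']} in {f['package']}")
    return alerts


def promote(data: bytes, scan_findings: list):
    """Sign/Promote stage: returns (attestation, alerts).

    The attestation binds the digest to a signature; it is only produced when
    examine() raised nothing, so a signed digest means 'scanned clean'.
    """
    alerts = examine(data, scan_findings)
    if alerts:
        return None, alerts
    digest = artifact_digest(data)
    signature = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {"digest": digest, "signature": signature}, []


def deploy_allowed(data: bytes, attestation) -> bool:
    """Push/Deploy stage: recompute the digest of what is actually being
    deployed and verify the signature over it, in constant time."""
    if attestation is None:
        return False
    digest = artifact_digest(data)
    if not hmac.compare_digest(digest, attestation["digest"]):
        return False  # the bytes changed after signing
    expected = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation["signature"])


# Constructed inputs.
CLEAN_ARTIFACT = b"constructed: clash-of-coders image layer v1.4.2"
LOW_FINDINGS = [{"id": "finding-1", "package": "base-image-pkg", "severity": "LOW"}]
HIGH_FINDINGS = LOW_FINDINGS + [{"id": "finding-2", "package": "tls-lib", "severity": "HIGH"}]

if __name__ == "__main__":
    attestation, alerts = promote(CLEAN_ARTIFACT, LOW_FINDINGS)
    print("clean build promoted:", attestation is not None, alerts)
    print("deploy signed bytes :", deploy_allowed(CLEAN_ARTIFACT, attestation))
    print("deploy altered bytes:", deploy_allowed(CLEAN_ARTIFACT + b"\\x00", attestation))
    print("HIGH finding        :", promote(CLEAN_ARTIFACT, HIGH_FINDINGS)[1])
    print("IOC match           :", promote(MALWARE_SAMPLE, [])[1])
```

The point of verifying at deploy time, not just at promote time, is the gap between the two stages: anything that can rewrite the artifact in the registry after it was signed is caught by the digest mismatch.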
7 Security Domains
OSI Model
• Physical
• Data Link
• Network
• Transport
• Session
• Presentation
• Application
Cloud Security Model
• Network
• Identity & Access Mgmt
• Data
• Visibility
• Governance, Risk/Compliance
• Threat, Vulnerability Protection
• Application Security
Mnemonic for the OSI layers: Please Do Not Throw Sausage Pizza Away
Mnemonic for the seven cloud security domains: ? ? ? ? ? ? ?
@mkeaws
Thank you!!! Hope to see everyone at Happy Hour!
