AWS Spotlight Series
Modernization and Security with AWS
July 16th, 2020
Who am I?
Who is CloudHesive?
• Professional Services
  • Assessment (Current environment, datacenter or cloud)
  • Strategy (Getting to the future state)
  • LandingZone (Pre-Migration)
  • Migration (Environment-to-cloud, Datacenter-to-cloud)
  • Implementation (Point solutions)
  • Support (Break/fix and ongoing enhancement)
• DevOps Services
  • Assessment
  • Strategy
  • Implementation (Point solutions)
  • Management (Supporting infrastructure, solutions or ongoing enhancement)
  • Support (Break/fix and ongoing enhancement)
• Managed Security Services (SecOps)
  • Encryption as a Service (EaaS) – encryption at rest/in flight
  • End Point Security as a Service
  • Threat Management
  • SOC II Type 2 Validated
• Next Generation Managed Services (MSP)
  • Leveraging our Professional, DevOps and Managed Security Services
  • Single payer billing
  • Intelligent operations and automation
  • AWS Audited
  • Cost Management
Agenda
• Through the lens of the NIST Cybersecurity Framework we will look at frameworks developed by AWS and services available on AWS.
• AWS services can play a supporting role in your security posture for non-AWS and AWS resources alike, and secure configuration of the AWS resources themselves also contributes to your security posture.
• The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks.
Introduction
NIST Cybersecurity Framework
• Identify
  • Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
• Protect
  • Develop and implement appropriate safeguards to ensure delivery of critical services.
• Detect
  • Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
• Respond
  • Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
• Recover
  • Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Data Breach Discovery/Containment Time has Decreased YoY
Verizon 2020 Data Breach Investigations Report
https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
Public Cloud Revenue has increased and is forecast to keep increasing YoY
Customer Workload Personas
• Migrated
  • Server Based
• Migrated & Optimized
  • Blends of Server and Service Based
• Serverless/Native
  • Service Based
• Orchestrated
  • ECS, EKS, K8s
• Inherited
  • Wildcard!
• Hybrid
  • Wildcard!
Service Categories
• Analytics
• Application Integration
• AR & VR
• AWS Cost Management
• Blockchain
• Business Applications
• Compute
• Customer Engagement
• Database
• Developer Tools
• End User Computing
• Game Tech
• Internet of Things
• Machine Learning
• Management & Governance
• Media Services
• Migration & Transfer
• Mobile
• Networking & Content Delivery
• Quantum Technologies
• Robotics
• Satellite
• Security, Identity, & Compliance
• Storage
Shared Responsibility Model
Cloud Workload Lifecycle Management Framework
• Workload
• Architecture
• Monitoring
• Automation
• Processes
Workload + Architecture Drives Service Selection
• Virtual Machines
  • AMI
  • Patching
  • Multi-threaded/Multi-task
  • Hours to Months
  • Per VM/Per Hour
• Functions/Services
  • Code
  • Versioning
  • Single-threaded/Single-task
  • Microseconds to Seconds
  • Per Memory/Second/Per Request
• Containers
  • Container File
  • Versioning
  • Multi-threaded/Single-task
  • Minutes to Days
  • Per VM/Per Hour
Automation + Processes Drives Lifecycle Management Selection
• Organizations
  • Cross-Account Asset Management + Governance
• Control Tower
  • Account vending/default standardization
• Service Catalog
  • Workload platform vending/default standardization
• CloudFormation
  • IaC
• Ephemeral Compute + API Managed Data/Control Plane for Persistence Tiers
  • Hands off/Lights out
Identify
Cloud Adoption Framework (CAF)
• Perspectives
  • Business
    • Value Realization
  • People
    • Roles & Readiness
  • Governance
    • Prioritization & Control
  • Platform
    • Applications & Infrastructure
  • Security
    • Risk & Compliance
  • Operations
    • Manage & Scale
CAF – Security Perspective
• Directive
  • Account Ownership and contact information
  • Change and asset management
  • Least privilege access
• Preventive
  • Identity and access
  • Infrastructure protection
  • Data protection
• Detective
  • Logging and monitoring
  • Asset inventory
  • Change detection
• Responsive
  • Vulnerabilities
  • Privilege escalation
  • DDoS attack
Well Architected Framework (WAF)
• General
  • Event-Triggered
  • Workload-Focused
  • General Design Principles
• Pillars
  • Design Principles
  • Best Practices
• Lenses
WAF – Pillars
• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
WAF – Lenses
• Financial Services Industry
• Analytics
• Machine Learning
• Internet of Things (IoT)
• Serverless
• High Performance Computing (HPC)
WAF – General Design Principles
• Stop guessing your capacity needs
• Test systems at production scale
• Automate to make architectural experimentation easier
• Allow for evolutionary architectures
• Drive architectures using data
• Improve through game days
WAF – Game Days
• Prepare
  • Is the process/are the processes to be tested during the game day well defined? Is access in place? Has training been performed?
• Define
  • Workload, Personnel, Scenario, Environment, Schedule
• Execute
  • Start, Middle, End
• Analyze
  • Debrief, Examine, Document, Root Cause Analysis (RCA), Correction of Error (CoE)
WAF – Security Pillar
• Design Principles
  • Implement a strong identity foundation
  • Enable traceability
  • Apply security at all layers
  • Automate security best practices
  • Protect data in transit and at rest
  • Keep people away from data
  • Prepare for security events
• Best Practices
  • Identity and Access Management
  • Detection
  • Infrastructure Protection
  • Data Protection
  • Incident Response
Identify
• Cost Management Services (Individual Services)
• Certificate Manager (Public + Private)
• Firewall Manager (WAF + Security Groups)
• Directory Service + Identity and Access Management (+ Services with their own Policies)
  • Access Advisor, Access Analyzer, Organization Activity
• Inspector
• Key Management Service + Secrets Manager
• Macie
• Premium Support + Trusted Advisor + Personal Health Dashboard
• Systems Manager
• Security Hub + Config + Config Rules
• Tags
Identify – Organizations
• Tag policies
• Artifact
• Backup
• CloudFormation StackSets
• CloudTrail
• Config
• Directory Service
• Firewall Manager
• Resource Access Manager
• Service Catalog
• Single Sign-On
• Systems Manager
Protect/Detect
Protect
• VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall)
• WAF: Layer 7 WAF
• Shield + Auto Scaling + ELB + CloudFront: DoS/DDoS Protection
• VPC: VGW (Point to Point and IPsec Connectivity) + Peering (VPC to VPC Connectivity) + Endpoints (Private Connectivity to AWS Services)
• IAM + Directory Service + SSO: Standalone and Federated AAA
• KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services; provides key expiration and the ability to import self-generated cryptographic material
• ACM: Public and Private PKI Certificate Authority
• Secure Credential Storage: Secrets Manager, Systems Manager
Protect
• AWS Auto Scaling: EC2, Dynamo, Aurora Autoscaling
• CodeCommit/ECS (Image Scanning): Secure Application and Artifact Repository + dedicated account
• CodeDeploy/Run Command: “Hands off” OS and configuration management + application deployment
• EC2: Systems Manager (OS and above patching + auditing)
• AWS Backup: EC2, RDS, EFS, Dynamo Backups + dedicated account
• Workspaces: Secure Bastion
• CloudFormation + OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management
• S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention
• Host Based Security
Detect
• GuardDuty
• Config: Point in time snapshots of configuration items, exportable as JSON to idempotent storage
• VPC: Flow Logs (NetFlow) + Port Mirroring
• CloudWatch Logs: OS and above log management
• CloudTrail: Audit Trail, exportable as JSON to idempotent storage
• CloudFront, ALB and WAF: All log (CloudFront and ALB to S3, WAF to Kinesis)
• S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention + dedicated account
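The CloudTrail audit trail listed above only becomes a detective control when something reads it. As an added example that is not part of the deck, the Python below parses a constructed CloudTrail delivery file (the JSON layout CloudTrail writes to S3) and flags security group rules open to the whole internet, console logins without MFA, root-credential activity, and calls that stop or alter the trail itself; the account ID, ARNs and event IDs are made up.

```python
import json

# Constructed sample in the layout CloudTrail delivers to S3: a JSON object
# with a top-level "Records" array. Account id, ARNs and eventIDs are made up.
SAMPLE_CLOUDTRAIL = r'''{"Records": [
 {"eventID": "e1", "eventName": "AuthorizeSecurityGroupIngress",
  "eventSource": "ec2.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev"},
  "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}}]}}},
 {"eventID": "e2", "eventName": "AuthorizeSecurityGroupIngress",
  "eventSource": "ec2.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev"},
  "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {}}]}}},
 {"eventID": "e3", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"},
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventID": "e4", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventID": "e5", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "requestParameters": {"name": "org-trail"}}
]}'''

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def world_open_ingress(ev):
    """Security group rule that admits the whole internet (IPv4 or IPv6)."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = ((ev.get("requestParameters") or {}).get("ipPermissions") or {}).get("items", [])
    for perm in perms:
        v4 = (perm.get("ipRanges") or {}).get("items", [])
        v6 = (perm.get("ipv6Ranges") or {}).get("items", [])
        cidrs = [r.get("cidrIp") for r in v4] + [r.get("cidrIpv6") for r in v6]
        if any(c in WORLD_CIDRS for c in cidrs):
            return True
    return False


def login_without_mfa(ev):
    """Successful console login where MFA was not used."""
    return (ev.get("eventName") == "ConsoleLogin"
            and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (ev.get("additionalEventData") or {}).get("MFAUsed") != "Yes")


def root_activity(ev):
    """Any API call made with the account root credentials."""
    return (ev.get("userIdentity") or {}).get("type") == "Root"


def trail_tampering(ev):
    """Calls that stop or alter the audit trail itself."""
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"})


RULES = [world_open_ingress, login_without_mfa, root_activity, trail_tampering]


def scan(records):
    """Apply every rule to every record; one finding per (record, rule) hit."""
    findings = []
    for ev in records:
        for rule in RULES:
            if rule(ev):
                findings.append({"eventID": ev.get("eventID"), "rule": rule.__name__,
                                 "actor": (ev.get("userIdentity") or {}).get("arn")})
    return findings


def scan_delivery_file(text):
    """Parse one CloudTrail delivery file (JSON with a Records array) and scan it."""
    return scan(json.loads(text).get("Records", []))
```

Running `scan_delivery_file(SAMPLE_CLOUDTRAIL)` yields five findings: the world-open SSH rule (e1), the root login without MFA (e4, two rules) and the root StopLogging call (e5, two rules); the internal-only rule (e2) and the MFA login (e3) are silent.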
Respond/Recover
Respond
• Detective
• Disk Snapshots
  • Don’t forget to remove from retention policy
  • Automated with ThreatResponse, GRR
• Memory Snapshots
  • Automated with ThreatResponse, GRR, Volatility, Rekall
• Logs
  • Don’t forget to remove from retention policy
  • Query and Correlate with Athena
• Measure
Recover
• Block Access
• Revert to Known Good State
• Identify/Correct Root Cause
• Rotate Credentials (people and things)
• Measure
Conclusion
Conclusion
• Introduce your security controls iteratively – some controls in the short term are better than none in the long term.
• Detective controls are just as important as preventative controls; they play a significant role in incident detection and response.
• Whether your workload is on AWS or not, AWS services can be used to supplement your controls.
• There is no lack of frameworks – pick and choose from them to make a framework that works best for your organization’s needs.
Q&A