Taking Security Responsibility in the AWS Cloud
1 like349 views
The document outlines security responsibilities for AWS cloud users, emphasizing the importance of applying security at all layers and implementing a principle of least privilege. It discusses AWS services such as IAM, CloudTrail, and KMS for managing access and data protection. Additionally, it highlights the AWS well-architected framework as a guideline for evaluating security measures.
![AWS Identity and Access
Management (IAM)
Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::<BUCKET-NAME>"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": ["arn:aws:s3:::<BUCKET-NAME>/*"]
}
]
}](https://image.slidesharecdn.com/aws-security-171013170258/85/Taking-Security-Responsibility-in-the-AWS-Cloud-20-320.jpg)
Taking Security Responsibility in the AWS Cloud
- 1. Taking Security Responsibility in AWS Cloud Franklin Mosley Principal Application Security Engineer AWS Certified Solutions Architect
- 2. Who Am I? Software Engineer Information Security Application Security/Cloud Security DevSecOps Practitioner Open source contributor Competed in AWS Chatbot Challenge
- 3. The Cloud On demand delivery of IT resources and applications via the Internet Benefits Pricing (Utilizing economies of scale) Pay-as-you-go Global Flexible Spend less time planning
- 5. "You cannot escape the responsibility of tomorrow by evading it today." Abraham Lincoln
- 6. AWS Shared Responsibility Model
- 7. AWS Well-Architected Framework Reliability Performance Efficiency Cost Optimization Operational Excellence Security https://aws.amazon.com/architecture/well-architected/
- 9. Apply Security at All Layers Don't protect just the perimeter Use security controls on all of your resources
- 10. Enable Traceability Log and audit all action and changes AWS CloudTrail Amazon CloudWatch AWS Config
- 11. Implement a Principle of Least Privilege Strong logical access control Authorization AWS Identity and Access Management (IAM)
- 12. Automate Security Best Practices Software-based security mechanisms Use "Golden" AMIs Infrastructure as Code AWS Lambda Auto-Scaling Group
- 13. "Golden" AMI and IAC Use Case
- 14. Automate Remediation of Amazon Inspector Findings
- 15. Elastic Load Balancing Amazon S3 Amazon EBS Amazon RDS AWS Key Management Service Amazon Inspector AWS Config AWS CloudTrail Amazon CloudWatch Data Protection Detective Controls Amazon VPC Infrastructure Protection
- 17. AWS Identity and Access Management (IAM) Service for controlling access to AWS resources
- 18. AWS Identity and Access Management (IAM) Principals Root User IAM User Roles/Temporary Security Tokens
- 19. AWS Identity and Access Management (IAM) Authentication User Name/Password Access Key Access Key/Session Token
- 20. AWS Identity and Access Management (IAM) Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::<BUCKET-NAME>"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": ["arn:aws:s3:::<BUCKET-NAME>/*"] } ] }
- 21. AWS Identity and Access Management (IAM) Policy Evaluation
- 22. Encryption Data in Transit Data at Rest
- 23. Data in Transit CloudFront SSL Elastic Load Balancing API Communication over HTTPs
- 25. Data at Rest Client-Side Encryption Server-Side Encryption RDS TDE
- 26. AWS Key Management Service (KMS) Managed Encryption Service
- 27. AWS Key Management Service (KMS) Features Customer Master Key (CMK) Data Key Uses Envelope Encryption
- 28. AWS Key Management Service (KMS)
- 29. AWS Key Management Service (KMS)
- 31. How are you encrypting and protecting your data at rest? Security Questions
- 32. How are you encrypting and protecting your data in transit? Security Questions
- 33. How are you protecting access to and use of the AWS root account credentials? Security Questions
- 34. How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API? Security Questions
- 35. How are you limiting automated access to AWS resources? Security Questions
- 36. How are you enforcing network and host-level boundary protection? Security Questions
- 37. How are you enforcing AWS service level protection? Security Questions
- 38. How are you capturing and analyzing AWS logs? Security Questions
- 39. TL;DR Operate under least privilege Practice defense in depth Evaluate using the Well-Architected Framework