simple security for startups - amazon simple storage …€¦ · · 2015-10-28simple security for...

Simple Security for Startups

Mark Bate Solutions Architect

Shared Responsibility

Foundation ServicesCompute

Customer Data

Server-side Encryption (File System and/or Data)

Platform, Applications, Identity & Access Management

Storage Database

Client-side Encryption & Data Integrity Authentication

Am

azon

You

Networking

AWS Global Infrastructure

Operating System, Network & Firewall Configuration

Network Traffic Protection (Encryption/Integrity/Identity)

Regions Availability Zones

Edge Locations


Customer Data



Storage Database


Am

azon

You

Networking





Edge Locations

OF


Customer Data



Storage Database


Am

azon

You

Networking





Edge Locations

OF

IN


Customer Data



Storage Database


Am

azon

You

Networking





Edge Locations

Your Cloud Environment

AWS Global Footprint

US West (N.California)

US West (Oregon)

GovCloud

US East (Virginia)

EU West (Ireland)

Asia Pacific (Tokyo)

Asia Pacific (Singapore)

Asia Pacific (Sydney)

China (Beijing)

São Paulo

EU Central (Frankfurt)


US West (N.California)

US West (Oregon)

GovCloud

US East (Virginia)

EU West (Ireland)

Asia Pacific (Tokyo)

Asia Pacific (Singapore)

Asia Pacific (Sydney)

China (Beijing)

São Paulo

EU Central (Frankfurt)

RegionAn independent collection of AWS resources in a defined geography

A solid foundation for meeting location-dependent privacy and compliance requirements


Availability ZoneDesigned as independent failure zones

Physically separated within a typical metropolitan region

Virtual Private Cloud Security Layers

Security Group

Subnet 10.0.0.0/24

Routing Table

Network ACL

Security Group

Subnet 10.0.1.0/24

Routing Table

Network ACL

Security Group

Virtual Private Gateway Internet Gateway

Lockdown at instance level

Isolate network functions

Lockdown at network level

Route restrictively

Router

Availability Zone A Availability Zone B

Best Practice: Service Isolation

• Security Groups • Don’t use 0.0.0.0/0

• Subnet separation of instances with: • Network ACLs • Routing tables • No Internet Gateway

Identity and Access Management


• Users & Groups


• Users & Groups • Unique Security Credentials


• Users & Groups • Unique Security Credentials • Temporary Security

Credentials



Credentials • Policies & Permissions



Credentials • Policies & Permissions • Roles



Credentials • Policies & Permissions • Roles • Multi-factor Authentication

IAM Best Practices

Best PracticesLock away your AWS root account access keys


Create individual IAM users



Use groups to assign permissions to IAM users




Grant least privilege





Configure a strong password policy for your users






Enable MFA for privileged users







Use roles for applications that run on Amazon EC2 instances








Delegate by using roles instead of by sharing credentials









Rotate credentials regularly










Remove unnecessary credentials











Use policy conditions











Use policy conditions

Keep a history of activity

Protecting your Data: Simplified

Securing Data at Rest

Amazon RDS Redshift

Amazon S3GlacierAmazon EBS

> AES-256 keys

> KMS integration

> Easy one-click encryption


Amazon S3 Glacier

> AES-256 keys

> Each object is encrypted

> Each key is encrypted with a master key

> Master key is rotated regularly

> KMS integration

Amazon RDS


> AES-256 keys

> Logs, backups, and snapshots

> Read replicas

> Archives and backups

> CloudHSM (Oracle TDE only)

> KMS integration

Redshift


> AES-256 keys

> Data blocks

> Metadata

> Archives and backups

> CloudHSM integration

> 4-tier encryption architecture

Amazon EBS


> AES-256 keys

> Encryption done on EC2 host

> Snapshots

> KMS integrated


CloudHSM

> Hardware Security Module

> Single tenancy

> Private key material never leaves the HSM

> AWS provisioned, customer managed

Whitepaper: Encrypting Data at Resthttp://bit.ly/1VVY1H4

http://bit.ly/1VVY1H4

Securing data in flight

Use SSL/TLS for all of your trafficjust like you do for your API access

Pro Tip: Validate the SSL Certificate!


Amazon ELB

> SSL offloading

> Perfect Forward Secrecy

> SSL Security Policies


> RDS Connections (all databases supported)

> Public key for all regions: http://bit.ly/1G9fE4D

http://bit.ly/1G9fE4D

Auditing Made Easy

AWS CloudTrail

AWS CloudTrail

Developers or scripts make calls…

AWS CloudTrail


EC2 RedShift

IAM

VPCRDS

on AWS API endpoints…

AWS CloudTrail


EC2 RedShift

IAM

VPCRDS


CloudTrail logs this to an S3 bucket…

AWS CloudTrail


EC2 RedShift

IAM

VPCRDS


CloudTrail logs this to an S3 bucket…

User Action Time

Tim Created 1:30pm

Sue Deleted 2:40pm

Kay Created 3:30pm

so you can review this log

AWS CloudTrail

Who made the API call?

When was the API call made?

What was the API call?

What were the resources that were acted up on in the API call?

Where was the API call made from?

CloudTrail Partners

Trusted Advisor

Amazon Trusted Advisor

https://console.aws.amazon.com/trustedadvisor/

https://console.aws.amazon.com/trustedadvisor/

Amazon Trusted Advisor

Well-Architected Framework

Well-Architected Framework• Core strategies & best practices for architecting in the cloud

• Designed around 4 pillars: – Security – Reliability – Performance Efficiency – Cost Optimisation

• https://aws.amazon.com/blogs/aws/are-you-well-architected/

Links

Micro-sites https://aws.amazon.com/security https://aws.amazon.com/compliance

Security Bulletins https://aws.amazon.com/security/security-bulletins/ https://alas.aws.amazon.com/

Blogs https://blogs.aws.amazon.com/security/ https://medium.com/aws-activate-startup-blog

https://aws.amazon.com/compliance

https://alas.aws.amazon.com/

https://medium.com/aws-activate-startup-blog

Thank You

Mark Bate Solutions Architect [email protected] @markbate

simple security for startups - amazon simple storage …€¦ · · 2015-10-28simple security for...

Documents