what's (nearly) new | aws security roadshow
TRANSCRIPT
![Page 1: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/1.jpg)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ian Massingham, Dave Walker
17/03/16
What’s (nearly) New? Edinburgh
![Page 2: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/2.jpg)
Cloud Security Principles Compliance
o Issued 1 Apr 2014 by the CESG
o They replace the Business Impact Levels model (BIL: IL1-IL5+)
o Distributed certification model
o Risk-based approach: suitability for purpose
o New protective marking mechanisms
o AWS Whitepaper Available
![Page 3: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/3.jpg)
Cyber Essentials Plus Compliance in Dublin
Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme that helps organisations demonstrate security against common cyber attacks. The ‘Plus’ scheme benefits from independent testing and validation compared to the baseline ‘Cyber Essentials’ scheme that is self-attested.
![Page 4: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/4.jpg)
ISO 27018
Certificate number: 2015-016
Based on certification examination in conformity with defined requirements in ISO/IEC 17021:2011 and ISO/IEC 27006:2011, the Information Security Management System as defined and implemented by Amazon Web Services, Inc.*, headquartered in Seattle, Washington, United States of America, certified under certification number [2013-009], is also compliant with the requirements as stated in the standard: ISO/IEC 27018:2014.
Issue date of certificate: October 1, 2015
Expiration date of certificate: November 12, 2016
Certified by EY CertifyPoint since: October 1, 2015
EY CertifyPoint will, according to the certification agreement dated October 23, 2014, perform surveillance audits and acknowledge the certificate until the expiration date of this certificate or the expiration of the related ISMS certificate with number [2013-009].
*This certificate is applicable for the assets, services and locations as described in the scoping section on the back of this certificate, with regard to the specific requirements for information security and protection of personally identifiable information (PII) as stated in Statement of Applicability version 2015,01, approved on September 15, 2015.
© Copyrights with regard to this document reside with Ernst & Young CertifyPoint B.V. headquartered at Antonio Vivaldistraat 150, 1083 HP Amsterdam, The Netherlands. All rights reserved.
Drs. R. Toppen RA, Director EY CertifyPoint
DIGITAL COPY 1/3
o Customers control their content.
o Customers' content will not be used for any
unauthorized purposes.
o Physical media is destroyed prior to leaving
AWS data centers.
o AWS provides customers the means to
delete their content.
o AWS doesn’t disclose customers' content
![Page 5: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/5.jpg)
ISO 27017
o Newest ISO code of practice
o Builds on top of ISO 27002
o Information security controls specific to Cloud services
o Scope includes all AWS Regions and edge locations
![Page 6: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/6.jpg)
AWS Security Tools
AWS Trusted Advisor: Periodic evaluation of alignment with AWS Best Practices. Not just Security-related.
AWS Config Rules: Create rules that govern configuration of your AWS resources. Continuous evaluation.
Amazon Inspector: Security insights into your applications. Runs on EC2 instances; on-demand scans.
AWS Compliance: AWS is responsible for security of the cloud; the customer is responsible for security in the cloud.
![Page 7: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/7.jpg)
Cloud Config Rules
![Page 8: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/8.jpg)
AWS Config Rules features
Flexible rules evaluated continuously and retroactively
Dashboard and reports for common goals
Customizable remediation
API automation
![Page 9: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/9.jpg)
AWS Config Rules
Broad ecosystem of solutions
![Page 10: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/10.jpg)
AWS Config Rules benefits
Continuous monitoring for unexpected changes
Shared compliance across your organization
Simplified management of configuration changes
![Page 11: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/11.jpg)
![Page 12: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/12.jpg)
Security by Design - SbD
• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
• Provides control insights throughout the IT management process
Services shown: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
![Page 13: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/13.jpg)
GoldBase - Scripting your governance policy
Set of CloudFormation Templates & Reference Architectures that accelerate compliance with PCI, EU Personal Data Protection, HIPAA, FFIEC, FISMA, CJIS
Result: Reliable technical implementation of administrative controls
![Page 14: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/14.jpg)
What is Inspector?
• Application security assessment
• Selectable built-in rules
• Security findings
• Guidance and management
• Automatable via APIs
![Page 15: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/15.jpg)
Rule packages
• CVE (common vulnerabilities and exposures)
• Network security best practices
• Authentication best practices
• Operating system security best practices
• Application security best practices
• PCI DSS 3.0 readiness
![Page 16: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/16.jpg)
Getting started
![Page 17: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/17.jpg)
Prioritized findings
![Page 18: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/18.jpg)
Detailed remediation recommendations
![Page 19: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/19.jpg)
What is AWS WAF?
Diagram labels: Application DDoS; Good users; Bad guys; AWS WAF; Web server; Database.
AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.
Types of conditions in rules:
1: Source IP/range
2: String Match
3: SQL Injection
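The rule model on this slide (ordered BLOCK/ALLOW rules, each matched by source IP/range, string match or SQL injection conditions, with a default action when nothing matches) as a small offline evaluator. This is an added example written for this page, not AWS code; the rule names, the request dictionary shape and the tiny SQL injection signature list are my own simplifications and stand in for WAF's real condition types.

```python
import ipaddress
import re

class IPMatch:
    """Source IP/range condition: the request's source address is in a set of CIDRs."""
    def __init__(self, cidrs):
        self.nets = [ipaddress.ip_network(c) for c in cidrs]
    def matches(self, req):
        addr = ipaddress.ip_address(req["source_ip"])
        return any(addr in n for n in self.nets)

class StringMatch:
    """String match condition: a substring appears (case-insensitively) in a request field."""
    def __init__(self, field, needle):
        self.field, self.needle = field, needle.lower()
    def matches(self, req):
        return self.needle in req.get(self.field, "").lower()

# Deliberately tiny stand-in for WAF's SQL injection condition (assumption:
# real WAF applies text transformations and a much larger detector).
_SQLI = re.compile(r"(\bor\b\s+\d+\s*=\s*\d+|union\s+select)", re.I)

class SQLiMatch:
    """SQL injection condition on one request field."""
    def __init__(self, field):
        self.field = field
    def matches(self, req):
        return bool(_SQLI.search(req.get(self.field, "")))

def evaluate(rules, req, default="ALLOW"):
    """Rules are (name, action, [conditions]). A rule matches only when every
    condition matches (AND); the first matching rule in order decides, and the
    default action applies when none matches. Returns (action, rule name)."""
    for name, action, conds in rules:
        if all(c.matches(req) for c in conds):
            return action, name
    return default, "default"

# Constructed rule set in the spirit of the slide: block known-bad sources,
# block injection attempts in the query string, explicitly allow health checks.
RULES = [
    ("block-bad-ips", "BLOCK", [IPMatch(["203.0.113.0/24"])]),
    ("block-sqli", "BLOCK", [SQLiMatch("query")]),
    ("allow-health", "ALLOW", [StringMatch("uri", "/health")]),
]

if __name__ == "__main__":
    # Constructed requests; documentation address ranges only.
    for req in ({"source_ip": "203.0.113.5", "uri": "/health", "query": ""},
                {"source_ip": "198.51.100.1", "uri": "/search", "query": "q=1' OR 1=1"},
                {"source_ip": "198.51.100.1", "uri": "/", "query": "q=hello"}):
        print(req["source_ip"], req["uri"], "->", evaluate(RULES, req))
```

Note that rule order matters: a health-check request from a blocked range is still blocked, because the IP rule is evaluated first.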
![Page 20: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/20.jpg)
Why AWS WAF?
Diagram labels: Application DDoS, Vulnerabilities, Abuse; Good users; Bad guys; Web server; Database.
![Page 21: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/21.jpg)
AWS WAF Partner integrations
• Alert Logic, Trend Micro, and Imperva integrating with AWS WAF
• Offer additional detection and threat intelligence
• Dynamically modify rulesets of AWS WAF for increased protection
![Page 22: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/22.jpg)
S2N – AWS Implementation of TLS
• Small:
  • ~6,000 lines of code, all audited
  • ~80% less memory consumed
• Fast:
  • 12% faster
• Simple:
  • Avoid rarely used options/extensions
![Page 23: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/23.jpg)
VPC Flow Logs
![Page 24: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/24.jpg)
Flow Log Record Structure
Fields, each paired with its value in the sample record below:
Event-Version: 2
Account Number: 123456789
ENI-ID: eni-31607853
Source-IP: 172.16.0.10
Destination-IP: 172.16.0.172
Source-Port: 80
Destination-Port: 41707
Protocol Number: 6
Number of Packets: 1
Number of Bytes: 40
Start-Time Window: 1440402534
End-Time Window: 1440402589
Action: ACCEPT
State: OK
Sample record: 2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
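A parser for the 14-field record layout above, with a small detection pass that counts REJECTed connections per destination port from sources outside your own address space. This is an added example, not AWS code or tooling; the first sample line is the slide's record, the remaining lines (including a NODATA record, where the traffic fields are "-") are constructed, and the internal network and field names are my assumptions.

```python
from collections import Counter
import ipaddress

# Field order of a version-2 VPC Flow Log record, as listed on the slide.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end"}

def parse_record(line):
    """Split one space-separated record into a dict. Records whose log_status
    is NODATA or SKIPDATA carry '-' in the traffic fields; those become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec

def rejected_by_port(lines, internal_net):
    """Count REJECT records per destination port whose source lies outside
    internal_net: a quick view of unwanted inbound traffic hitting the ENI."""
    net = ipaddress.ip_network(internal_net)
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue  # skips NODATA/SKIPDATA and accepted flows
        if ipaddress.ip_address(rec["srcaddr"]) in net:
            continue  # internal chatter is out of scope here
        counts[rec["dstport"]] += 1
    return counts

# Constructed sample: line 1 is the slide's record, the rest are made up.
SAMPLE_LOG = """\
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 203.0.113.7 172.16.0.172 51234 22 6 3 180 1440402600 1440402610 REJECT OK
2 123456789 eni-31607853 203.0.113.9 172.16.0.172 51235 22 6 1 60 1440402601 1440402611 REJECT OK
2 123456789 eni-31607853 198.51.100.4 172.16.0.172 40000 3389 6 1 60 1440402602 1440402612 REJECT OK
2 123456789 eni-31607853 172.16.0.55 172.16.0.172 44444 22 6 1 60 1440402603 1440402613 REJECT OK
2 123456789 eni-31607853 - - - - - - - 1440402620 1440402680 - NODATA
"""

if __name__ == "__main__":
    for port, n in rejected_by_port(SAMPLE_LOG.splitlines(), "172.16.0.0/16").most_common():
        print("dst port %5d: %d rejected external flows" % (port, n))
```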
![Page 25: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/25.jpg)
Introducing AWS Certificate Manager
AWS Certificate Manager (ACM) makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform.
![Page 26: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/26.jpg)
AWS Certificate Manager
• Provision trusted SSL/TLS certificates from AWS for use
with AWS resources:
• Elastic Load Balancing
• Amazon CloudFront distributions
• AWS handles the “maths and maintenance”
• Key pair and CSR generation
• Managed renewal and deployment
• Domain validation (DV) through email
• Available through AWS Management console, CLI, or API
![Page 27: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/27.jpg)
AWS Certificate Manager (ACM) Benefits
• Protect and secure websites and applications
• Provision certificates quickly and easily
• Free
• Managed certificate renewal
• Secure key management
• Centrally manage certificates on the AWS Cloud
• Integrated with other AWS Cloud Services
![Page 28: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/28.jpg)
ACM Use Cases
• Help meet regulatory compliance requirements for
encryption of data in transit
• PCI, FedRAMP and HIPAA
• Minimize downtime and outages
• Improve search rankings by using SSL/TLS
![Page 29: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/29.jpg)
ACM-Provided Certificates
Domain names
• Single domain name: www.example.com
• Wildcard domain names: *.example.com
• Combination of wildcard and non-wildcard names
• Multiple domain names in the same certificate (up to 10)
ACM-provided certificates are managed
• Private keys are generated, protected, and managed
• ACM-provided certificates cannot be used on EC2 instances or on-premises servers
• Can be used with AWS services, such as ELB and CloudFront
Algorithms
• RSA 2048 and SHA-256
![Page 30: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/30.jpg)
What is available at launch?
• SSL/TLS certificates for use with AWS services (ELB and CloudFront)
• Availability in US-East (N. Virginia)
• Domain validation via email
• Console, API, CLI
• Integration with ELB and CloudFront
• Managed renewal and deployment
![Page 31: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/31.jpg)
What is NOT available at launch?
• Availability in additional regions
• Certificates for use on EC2
• “Take home” certificates that can be used anywhere
• Cross-region certificates
• Cross-account access to certificates
• CloudTrail logging of ACM API calls
• Tagging
• Certificates for email, code signing, or any other purpose except SSL/TLS termination
![Page 32: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/32.jpg)
Certification & Education
• Security Fundamentals on AWS: free, online course for security auditors and analysts
• Security Operations on AWS: 3-day class for Security engineers, architects, analysts, and auditors
• AWS Certification: Security is part of all AWS exams
![Page 33: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/33.jpg)
Rich Security Capabilities in the Cloud
Prepare
Prevent
Detect
Respond
![Page 34: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/34.jpg)
Prepare
o AWS Security Solutions Architects
o AWS Professional Services
o AWS Secure by Design & GoldBase
o AWS Security Best Practices
o Partner Professional Services
o AWS Training and Certification
o Understand Compliance Requirements
![Page 35: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/35.jpg)
Prevent
o Use IAM – consider MFA, roles, federation, SSO
o Implement Amazon WAF
o Leverage S2N for secure TLS connections
o Implement Config Rules to enforce compliance
o Implement Amazon Inspector to identify vulnerabilities early on
![Page 36: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/36.jpg)
Detect
o CloudTrail enabled across all accounts and services
o Consider Config & Config Rules logs
o Inspector can be used as a detective tool
o Trusted Advisor goes beyond just security
o Use CloudWatch logs
o VPC Flow Logs give insight into intended and unintended communication taking place in your VPC
o Look at partner log management and security monitoring solutions
![Page 37: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/37.jpg)
Respond
o Be Prepared:
  o Develop, acquire or hire Security Incident Response capabilities
  o Test preparedness via game days
o Automated response and containment is always better than manual response
o AWS supports forensic investigations
o Leverage AWS Support for best results
o Talk to our security partners
![Page 38: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/38.jpg)
![Page 39: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/39.jpg)
Be Secure & Compliant in the Cloud!
![Page 40: What's (nearly) new | AWS Security Roadshow](https://reader031.vdocuments.site/reader031/viewer/2022030317/586fb4581a28abe57d8b70d9/html5/thumbnails/40.jpg)
Thank you!