

AWS SSA AWSome Week - Module 4 - Secure your cloud applications

This module covers how AWS approaches securing the cloud, along with the AWS Shared Responsibility Model, AWS Access Control and Management, AWS Security Compliance Programs, and resources available to you in better understanding AWS Cloud security options.

Cobus Bernard

September 17, 2020


Transcript

  1. Module 4: Secure your cloud applications
     Mario Pinho, Anti-DDoS Security Engineer, Amazon Web Services
     © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Security is our top priority
     • Designed for security
     • Constantly monitored
     • Highly automated
     • Highly available
     • Highly accredited
  3. Security of the cloud
     • Hosts, network, software, facilities
     • Protection of the AWS global infrastructure is top priority
     • Availability of third-party audit reports
     (Diagram, AWS layer: Foundation services: Compute, Storage, Database, Network; AWS global infrastructure: Regions, Availability Zones, Edge Locations)
  4. Security in the cloud
     Considerations
     • What you should store
     • Which AWS services you should use
     • Which Region to store in
     • In what content format and structure
     • Who has access
     (Diagram, customer layer: Customer data; Platform, applications, identity & access management; Operating system, network & firewall configuration; Client-side data encryption & data integrity authentication; Server-side encryption (file system and/or data); Network traffic protection (encryption/integrity/identity))
  5. AWS shared responsibility model
     Customer (security in the cloud)
     • Customer data
     • Platform, applications, identity & access management
     • Operating system, network & firewall configuration
     • Client-side data encryption & data integrity authentication
     • Server-side encryption (file system and/or data)
     • Network traffic protection (encryption/integrity/identity)
     AWS (security of the cloud)
     • Foundation services: Compute, Storage, Database, Network
     • AWS global infrastructure: Regions, Availability Zones, Edge Locations
  6. Discussion: Who's responsible for what?
     Unmanaged services: Amazon EC2, Amazon EBS
     Managed services: Amazon RDS, Amazon S3, Amazon DynamoDB
     Operations to assign: guest OS patching, database patching, firewall configuration, disaster recovery, user data
  7. Security, identity, and compliance products
     AWS Artifact, AWS Certificate Manager, Amazon Cloud Directory, AWS CloudHSM, Amazon Cognito, AWS Directory Service, AWS Firewall Manager, Amazon GuardDuty, AWS Identity and Access Management, Amazon Inspector, AWS Key Management Service, Amazon Macie, AWS Organizations, AWS Shield, AWS Secrets Manager, AWS Single Sign-On, AWS WAF
  8. AWS Identity and Access Management (IAM)
     Securely control access to AWS resources
     • IAM user: a person or application that interacts with AWS
     • Group: a collection of users with identical permissions
     • Role: temporary privileges that an entity can assume
  9. Authentication: Who are you?
     (Diagram: an IAM user or IAM group authenticates to IAM through the AWS Management Console, the AWS CLI ($ aws) or the AWS SDKs)
  10. Authorization: What can you do?
     (Diagram: IAM policies attached to an IAM user, group or role grant, for example, full access or read-only access to an Amazon S3 bucket, exercised here through the AWS CLI ($ aws))
  11. IAM roles
     • IAM users, applications, and services may assume IAM roles
     • A role uses an IAM policy for its permissions
  12.-16. Using roles for temporary security credentials
     (Five build-up slides of one diagram: an application on an EC2 instance assumes an IAM role; the IAM policy attached to the role grants it access to an Amazon S3 bucket)
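The two IAM ideas the last slides put side by side, authorization by policy (full access versus read-only on one bucket, slide 10) and role assumption for temporary credentials (slides 11 to 16), can be seen end to end in a small model. The following is an added example, not code from the deck or from AWS: it applies the documented IAM decision order (an explicit Deny always wins, otherwise a matching Allow is required, otherwise the request is implicitly denied) and then walks an EC2-hosted application through assuming a role whose trust policy admits only the EC2 service. The account ID, bucket name, object key and timestamps are made up; conditions, NotAction/NotResource, resource-based policies and permission boundaries are left out.

```python
"""Miniature model of IAM policy evaluation and sts:AssumeRole.

Added example (not deck or AWS code). Account ID, bucket and timestamps are
invented; only identity-based Allow/Deny statements with '*' wildcards are
modelled.
"""
from __future__ import annotations

import fnmatch
import secrets
from datetime import datetime, timedelta, timezone

ACCOUNT_ID = "123456789012"                     # hypothetical account
BUCKET_ARN = "arn:aws:s3:::example-app-data"    # hypothetical bucket
OBJECT_ARN = BUCKET_ARN + "/reports/2020-09.csv"

FULL_ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}
DENY_DELETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET_ARN + "/*"}]}
# Trust policy of the instance role: only the EC2 service may assume it.
INSTANCE_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "ec2.amazonaws.com"}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, fold_case: bool = False) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    Action names are case-insensitive, resource ARNs are not."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def is_allowed(policies, action: str, resource: str) -> bool:
    """Evaluate identity-based policies for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, fold_case=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False              # explicit Deny overrides every Allow
            allowed = True
    return allowed                        # no matching Allow: implicit deny


def assume_role(trust_policy, caller: dict, role_policies, now: datetime,
                duration: timedelta = timedelta(hours=1)) -> dict:
    """Model of sts:AssumeRole. `caller` is {"Service": "ec2.amazonaws.com"}
    for an AWS service, or {"AWS": "<principal ARN>"} for an IAM principal."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], "sts:AssumeRole", True):
            continue
        for kind, trusted in stmt["Principal"].items():
            if kind in caller and caller[kind] in _as_list(trusted):
                return {
                    "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),  # temporary keys use the ASIA prefix
                    "SecretAccessKey": secrets.token_urlsafe(30),
                    "SessionToken": secrets.token_urlsafe(60),
                    "Expiration": now + duration,
                    "Policies": list(role_policies),  # the session has the role's permissions, not the caller's
                }
    raise PermissionError(f"{caller} is not trusted by this role")


def call_with(session: dict, action: str, resource: str, now: datetime) -> bool:
    """Authorize an API call made with the temporary credentials."""
    if now >= session["Expiration"]:
        return False                      # expired session: rejected before any policy is read
    return is_allowed(session["Policies"], action, resource)


def demo() -> dict:
    """Run the slide's scenarios and return each outcome by name."""
    t0 = datetime(2020, 9, 17, 12, 0, tzinfo=timezone.utc)   # made-up clock
    session = assume_role(INSTANCE_ROLE_TRUST, {"Service": "ec2.amazonaws.com"},
                          [READ_ONLY_POLICY], t0)
    try:   # an IAM user is not in the trust policy, so AssumeRole must fail
        assume_role(INSTANCE_ROLE_TRUST, {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
                    [READ_ONLY_POLICY], t0)
        user_can_assume = True
    except PermissionError:
        user_can_assume = False
    later, expired = t0 + timedelta(minutes=30), t0 + timedelta(hours=2)
    return {
        "full_access_put": is_allowed([FULL_ACCESS_POLICY], "s3:PutObject", OBJECT_ARN),
        "full_access_delete_with_deny": is_allowed([FULL_ACCESS_POLICY, DENY_DELETE_POLICY],
                                                   "s3:DeleteObject", OBJECT_ARN),
        "read_only_get": is_allowed([READ_ONLY_POLICY], "s3:GetObject", OBJECT_ARN),
        "read_only_put": is_allowed([READ_ONLY_POLICY], "s3:PutObject", OBJECT_ARN),
        "read_only_other_bucket": is_allowed([READ_ONLY_POLICY], "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
        "instance_get_in_time": call_with(session, "s3:GetObject", OBJECT_ARN, later),
        "instance_put_in_time": call_with(session, "s3:PutObject", OBJECT_ARN, later),
        "instance_get_after_expiry": call_with(session, "s3:GetObject", OBJECT_ARN, expired),
        "iam_user_can_assume": user_can_assume,
        "temporary_key_prefix": session["AccessKeyId"][:4],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30s} {value}")
```

The point the model makes explicit: the application never holds long-lived keys, the session it gets cannot do more than the role's policy allows (PutObject is denied even though the full-access policy exists elsewhere in the account), and once the session expires every call is refused regardless of policy.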
  17. AWS account root user
     The account root user has complete access to all AWS services
     Recommendations
     • Delete root user access keys
     • Create an IAM user
     • Grant administrator access
     • Use IAM credentials to interact with AWS
     • Enable MFA
  18. Best practices
     • Delete access keys for the AWS account root user
     • Activate multi-factor authentication (MFA)
     • Only give IAM users permissions they need
     • Use roles for applications
     • Rotate credentials regularly
     • Remove unnecessary users and credentials
     • Monitor activity in your AWS account
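Most of the recommendations on slides 17 and 18 can be checked from one artifact, the IAM credential report that `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns as a base64-encoded CSV with one row per identity (the root user appears as `<root_account>`). The audit below is an added example, not code from the deck: the column names are those of the real report, but the rows, account ID, user names and the 90-day threshold are constructed for illustration.

```python
"""Flag IAM credential-report rows that break the deck's best practices.

Added example (not deck or AWS code). SAMPLE_REPORT is a constructed subset of
the real report's columns with invented rows; feed the decoded output of
`aws iam get-credential-report` to audit() for a real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2018-01-05T09:12:00+00:00,not_supported,2020-09-10T07:44:00+00:00,false,true,2018-01-05T09:15:00+00:00,2020-09-01T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-03-02T14:20:00+00:00,true,2020-09-16T08:05:00+00:00,true,true,2020-08-01T12:00:00+00:00,2020-09-16T08:05:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-06-11T10:00:00+00:00,true,2020-09-15T17:30:00+00:00,false,true,2019-06-11T10:02:00+00:00,2020-09-15T17:30:00+00:00,false,N/A,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,2019-09-20T11:00:00+00:00,false,no_information,false,true,2019-09-20T11:01:00+00:00,2020-02-01T03:00:00+00:00,false,N/A,N/A
"""

REPORT_DATE = datetime(2020, 9, 17, tzinfo=timezone.utc)   # made-up "now" for the sample


def _parse_time(value: str):
    """Cells hold ISO 8601 timestamps or the markers N/A, no_information, not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv: str, now: datetime, max_age_days: int = 90) -> list:
    """Return (user, finding) pairs; an empty list means the report is clean."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        last_activity = [_parse_time(row["password_last_used"])]
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:   # slide 17/18: delete root access keys outright
                findings.append((user, f"access key {slot} active on the root user: delete it"))
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or rotated < cutoff:   # rotate credentials regularly
                findings.append((user, f"access key {slot} not rotated in {max_age_days} days"))
            last_activity.append(_parse_time(row[f"access_key_{slot}_last_used_date"]))
        # Root always has a console password (reported as not_supported);
        # other users only need MFA checked when console sign-in is enabled.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))
        seen = [t for t in last_activity if t is not None]
        if not seen or max(seen) < cutoff:   # remove unnecessary users and credentials
            findings.append((user, f"no activity in {max_age_days} days: remove or disable"))
    return findings


def demo() -> list:
    """Audit the constructed sample as of REPORT_DATE."""
    return audit(SAMPLE_REPORT, REPORT_DATE)


if __name__ == "__main__":
    for user, finding in demo():
        print(f"{user:16s} {finding}")
```

Against the sample the root user is flagged three times (active key, stale key, no MFA), `bob` for a console login without MFA and an unrotated key, and `build-bot` for a stale key and no activity since February; `alice`, with MFA on and a key rotated within the window, produces nothing.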
  19. Challenges of threat assessment
     • Expensive
     • Complex
     • Time-consuming
     • Difficult to track IT changes
  20. What is Amazon Inspector?
     Automated security assessment as a service
     • Assesses applications for vulnerabilities
     • Produces a detailed list of security findings
     • Leverages security best practices
  21. Amazon Inspector findings (screenshot)
  22. Remediation recommendation (screenshot)
  23. What is DDoS?
     (Diagram: several DDoS sources flooding a target while a legitimate user tries to reach it)
  24. DDoS mitigation challenges
     • Complex
     • Limited bandwidth
     • Involves rearchitecting
     • Manual
     • Degraded performance
     • Time-consuming
     • Expensive
  25. What is AWS Shield?
     • A managed DDoS protection service
     • Always-on detection and mitigations
     • Seamless integration and deployment
     • Cost-efficient and customizable protection
     (Diagram: DDoS traffic is absorbed by Shield while the legitimate user is still served)
  26. AWS Shield Standard and AWS Shield Advanced
     AWS Shield Standard (included)
     • Quick detection
     • Inline attack mitigation
     AWS Shield Advanced (optional)
     • Enhanced detection
     • Advanced attack mitigation
     • Visibility and attack notification
     • DDoS cost protection
     • Specialized support
  27. Assurance programs
  28. How AWS helps customers achieve compliance
     Sharing information
     • Industry certifications
     • Security and control practices
     • Compliance reports directly under NDA
     Assurance program
     • Certifications/attestations
     • Laws, regulations, and privacy
     • Alignments/frameworks
  29. Thank you!