Slide 1

Slide 1 text

AWS Security Deep Dive Danilo Poccia @danilop danilop AWS Technical Evangelist

Slide 2

Slide 2 text

Most Robust, Fully-Featured Technology Infrastructure Platform
HYBRID ARCHITECTURE: Data Backups, Integrated App Deployments, Direct Connect, Identity Federation, Integrated Resource Management, Integrated Networking, VMware Integration
MARKETPLACE: Business Apps, Databases, DevOps Tools, Networking, Security, Storage, Business Intelligence
INFRASTRUCTURE: Availability Zones, Points of Presence, Regions
CORE SERVICES: Compute (VMs, Auto-scaling, Load Balancing, Containers, Cloud functions); Storage (Object, Blocks, File, Archivals, Import/Export); Databases (Relational, NoSQL, Caching, Migration); CDN; Networking (VPC, DX, DNS); Access Control; Identity Management; Key Management & Storage; Monitoring & Logs
SECURITY & COMPLIANCE: Resource & Usage Auditing, Configuration Compliance, Web application firewall, Assessment and reporting
TECHNICAL & BUSINESS SUPPORT: Support, Professional Services, Account Management, Partner Ecosystem, Solutions Architects, Training & Certification, Security & Billing Reports, Optimization Guidance
ENTERPRISE APPS: Backup, Corporate Email, Sharing & Collaboration, Virtual Desktops
IoT: Rules Engine, Registry, Device Shadows, Device Gateway, Device SDKs
DEVELOPMENT & OPERATIONS / MOBILE SERVICES / APP SERVICES / ANALYTICS / MIGRATION: Data Warehousing, Hadoop/Spark, Streaming, Data Collection, Machine Learning, Elastic Search, Push Notifications, Identity Sync, Resource Templates, One-click App Deployment, Triggers, Containers, DevOps Resource Management, Application Lifecycle Management, API Gateway, Transcoding, Queuing & Notifications, Email, Workflow, Search, Streaming Data Analysis, Business Intelligence, Mobile Analytics, Single Integrated Console, Mobile App Testing, Data Pipelines, Petabyte-Scale Data Migration, Database Migration, Schema Conversion, Application Migration

Slide 3

Slide 3 text

Pace Of Innovation: New Capabilities Daily 1017

Slide 4

Slide 4 text

Evolution
“Cloud will account for 92 percent of data center traffic by 2020” – Global Cloud Index (GCI) Forecast

Slide 5

Slide 5 text

Goals for secure application design
• Confidentiality – only authorized users can access data
• Integrity – data can’t be changed without detection
• Availability – data is accessible when needed

Slide 6

Slide 6 text

Confidentiality
• Access control on systems and/or data itself
  • Principal, Action, Resource, Condition
• Encryption
  • Renders data inaccessible without a key
  • Authenticated encryption protects data from modification
  • Easier to tightly control access to a key than the data
  • Independent controls for keys and data
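The Principal/Action/Resource/Condition model on this slide is what an IAM policy statement encodes, and the evaluation rules (default deny, explicit deny wins) are what make "least privilege" testable. The evaluator below is an added example, not code from the original slides and not AWS's own policy engine: it models just enough of IAM policy evaluation (wildcards, a few condition operators, default and explicit deny) to unit-test a least-privilege policy offline. The policy, ARNs and IP ranges are constructed; `aws:SourceIp` and `aws:MultiFactorAuthPresent` are real IAM condition keys.

```python
"""Simplified evaluator for IAM-style policy documents.

Added example, not code from the original slides and not AWS's policy engine.
It models the Principal/Action/Resource/Condition structure just enough to
unit-test a least-privilege policy offline: default deny, explicit deny wins,
'*' and '?' wildcards, and a handful of condition operators. Real IAM has far
more (NotAction, policy variables, resource and organization policies, ...).
The policy, ARNs and IPs below are constructed.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _match_any(patterns, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold (logical AND). A missing context key
    fails the positive operators and satisfies the negated NotIpAddress."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() in [e.lower() for e in expected]
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in expected)
                ok = in_range if operator == "IpAddress" else not in_range
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one identity-based policy.

    The principal is implicit (the policy is attached to the caller); the
    request context carries condition keys such as aws:SourceIp.
    """
    context = context or {}
    decision = "Deny"  # default deny: nothing is permitted until a statement allows it
    for stmt in policy["Statement"]:
        if not _match_any(stmt.get("Action", []), action):
            continue
        if not _match_any(stmt.get("Resource", []), resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


# Constructed least-privilege policy for a log-reading identity: read the one
# bucket it needs, delete only with MFA, and nothing at all from outside the
# corporate address range.
LOG_READER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        {"Effect": "Allow",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::app-logs/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    ],
}

LOG_OBJECT = "arn:aws:s3:::app-logs/2016/11/15/web-01.log"

if __name__ == "__main__":
    corp = {"aws:SourceIp": "10.1.2.3"}
    print(evaluate(LOG_READER_POLICY, "s3:GetObject", LOG_OBJECT, corp))     # Allow
    print(evaluate(LOG_READER_POLICY, "s3:PutObject", LOG_OBJECT, corp))     # Deny (never granted)
    print(evaluate(LOG_READER_POLICY, "s3:DeleteObject", LOG_OBJECT, corp))  # Deny (no MFA)
    print(evaluate(LOG_READER_POLICY, "s3:GetObject", LOG_OBJECT,
                   {"aws:SourceIp": "203.0.113.5"}))                          # Deny (explicit)
```

The useful habit this encourages is writing the policy's intended grants and refusals as assertions before attaching it, so that a later "just add s3:*" edit fails a test instead of silently widening access.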

Slide 7

Slide 7 text

Integrity
• Physical integrity
  • Replicate across independent systems
  • Mitigates risk of data corruption or code errors
• Logical integrity
  • Checksum
  • Message authentication code (MAC)
  • Digital signature
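The three logical-integrity controls on this slide detect different things: a checksum catches accidental corruption, while a MAC (and, with a private key, a digital signature) also catches deliberate modification by anyone who does not hold the key. The script below is an added example, not code from the original slides: it seals a record with both a SHA-256 checksum and an HMAC, then simulates a flipped bit and an edit by a party without the key, and shows which control reports each. It also includes a tiny majority-vote helper for the physical-integrity point about independent replicas. Keys and payloads are constructed; the digital-signature case is not shown because the Python standard library has no signature primitive.

```python
"""Checksum vs. MAC for logical integrity, plus replica voting for physical integrity.

Added example, not code from the original slides. Keys and payloads are constructed.
"""
import hashlib
import hmac
from collections import Counter


def checksum(data: bytes) -> str:
    """Unkeyed hash: detects accidental corruption, but whoever can change the
    data can also recompute it, so it proves nothing about deliberate edits."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Keyed MAC: cannot be recomputed without the key, so a deliberate
    modification by a party without the key is detected."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(key: bytes, payload: bytes) -> dict:
    """Store the payload together with both integrity tags."""
    return {"data": payload, "checksum": checksum(payload), "mac": mac(key, payload)}


def verify(key: bytes, record: dict) -> dict:
    """Check both tags; constant-time comparison avoids leaking match length."""
    return {
        "checksum_ok": hmac.compare_digest(checksum(record["data"]), record["checksum"]),
        "mac_ok": hmac.compare_digest(mac(key, record["data"]), record["mac"]),
    }


def corrupt_bit(record: dict, byte_index: int = 0) -> dict:
    """Simulated storage fault: one bit flips; stored checksum and MAC are untouched."""
    data = bytearray(record["data"])
    data[byte_index] ^= 0x01
    return {**record, "data": bytes(data)}


def edit_without_key(record: dict, new_payload: bytes) -> dict:
    """Simulated modification by a party that can write the object but holds
    no MAC key: the data and checksum are replaced, the MAC cannot be."""
    return {**record, "data": new_payload, "checksum": checksum(new_payload)}


def pick_majority_copy(copies):
    """Physical integrity: with replicas on independent systems, return the
    content a strict majority agrees on, or None if no majority exists."""
    content, votes = Counter(copies).most_common(1)[0]
    return content if votes * 2 > len(copies) else None


if __name__ == "__main__":
    key = b"constructed-demo-key"          # in production: from a key manager, never in source
    record = seal(key, b"balance=100")
    print(verify(key, record))                                   # both True
    print(verify(key, corrupt_bit(record)))                      # both False
    print(verify(key, edit_without_key(record, b"balance=999"))) # checksum True, MAC False
    print(pick_majority_copy([b"v1", b"v1", b"corrupt"]))        # b'v1'
```

The middle case is the one to remember when choosing a control: a checksum stored next to the data is a corruption detector, not a tamper detector, which is why the slide lists MAC and digital signature separately.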

Slide 8

Slide 8 text

Availability
• Ability to access ANY copy of the data
  • How much time can your users live with zero access?
• Latency of access to primary copy of the data
  • How much time can your users wait for normal access?

Slide 9

Slide 9 text

Security is a shared responsibility
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

Slide 10

Slide 10 text

AWS Account Management
• Root Account
  • Enable Multi-Factor Authentication (MFA)
  • Use it for managing account structure and permissions only
  • Store its credentials safely
• Use AWS Identity and Access Management (IAM) for everything else
  • Create personal users
  • Use roles when possible (e.g. EC2 workloads)

Slide 11

Slide 11 text

• AWS compliance program – updates
• Security tool enhancements in 2016
• How AWS handles security at scale
• Recent announcements
• The case for change

Slide 12

Slide 12 text

AWS COMPLIANCE
CARE DEEPLY ABOUT DATA SECURITY
WE WORK TO GET THIS RIGHT FOR CUSTOMERS

Slide 13

Slide 13 text

DATA OWNERSHIP
• Customers choose where to place their data
• AWS regions are geographically isolated by design
• Data is not replicated to other AWS regions and doesn’t move unless the customer tells us to do so
• Customers always own their data, and the ability to encrypt it, move it, and delete it

Slide 14

Slide 14 text

AWS Global Infrastructure

Slide 15

Slide 15 text

Our Audit and Certification Approach
• 70+ services
• 7,710 Audit Artifacts
• 2,670 Controls
• 3,030 Audit Requirements

Slide 16

Slide 16 text

COMPLIANCE – AWS ARTIFACT
AWS Artifact provides customers with an easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console.

Slide 17

Slide 17 text

MAKING COMPLIANCE EASIER AWS SOLUTION: MARKETPLACE PROGRAM

Slide 18

Slide 18 text

MAKING COMPLIANCE EASIER AWS SOLUTION: MARKETPLACE PROGRAM – ALLGRESS

Slide 19

Slide 19 text

SOLUTIONS IN AWS MARKETPLACE – aws.amazon.com/mp/security
Categories: INFRASTRUCTURE SECURITY, LOGGING & MONITORING, CONFIGURATION & VULNERABILITY ANALYSIS, DATA PROTECTION, IDENTITY & ACCESS MANAGEMENT
Listed products: Deep Security-as-a-Service, VM-Series Next-Generation Firewall Bundle 2, vSEC, Web Application Firewall, Unified Threat Management 9, FortiGate-VM, SecureSphere WAF, CloudInsight, Security Platform (ESP) for AWS, SecOps, Log Management & Analytics, Enterprise Cost & Security Management, DataControl, Transparent Encryption for AWS, SafeNet ProtectV, Identity & Access Management or AWS Security Manager, OneLogin for AWS, Identity Management for the Cloud
§ One-click launch
§ Ready-to-run on AWS
§ Pay only for what you use

Slide 20

Slide 20 text

MAKING COMPLIANCE EASIER – AWS SOLUTION: AMAZON S3 DATA EVENTS AVAILABLE IN CLOUDTRAIL AND CLOUDWATCH EVENTS
(Diagram services: Amazon S3, AWS Lambda, Amazon CloudWatch, AWS CloudTrail)

Slide 21

Slide 21 text

• AWS compliance program – updates
• Security tool enhancements in 2016
• How AWS handles security at scale
• Recent announcements
• The case for change

Slide 22

Slide 22 text

AWS IDENTITY AND ACCESS MANAGEMENT (IAM) SECURELY CONTROL ACCESS TO AWS SERVICES AND RESOURCES

Slide 23

Slide 23 text

Apply the security principles of “least privilege” and “segregation of responsibilities” AWS SOLUTION: AWS IDENTITY AND ACCESS MANAGEMENT

Slide 24

Slide 24 text

AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016
• AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations
• IAM console now helps prevent you from accidentally deleting in-use resources

Slide 25

Slide 25 text

AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016
AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations:
• Administrator
• Billing
• Database Administrator
• Data Scientist
• Developer Power User
• Network Administrator
• System Administrator
• Security Auditor
• Support User
• View-Only User

Slide 26

Slide 26 text

SECURITY ASSESSMENT TOOL ANALYZING END TO END APPLICATION CONFIGURATION AND ACTIVITY AMAZON INSPECTOR

Slide 27

Slide 27 text

AWS SOLUTION: AMAZON INSPECTOR
Configuration Scanning Engine, Activity Monitoring, Built-in Content Library, Automatable via API, Fully Auditable
AMAZON INSPECTOR BENEFITS
Improved security posture, Increased agility, Embedded expertise, Streamlined compliance

Slide 28

Slide 28 text

AMAZON INSPECTOR FEATURES ADDED IN 2016
• CIS certs for Windows Server 2008 R2, Server 2012, and Server 2012 R2
• Assessments complete even if some targeted agents are offline
• Filter findings based on severity levels

Slide 29

Slide 29 text

AWS KEY MANAGEMENT SERVICE CONTROL YOUR ENCRYPTION KEYS

Slide 30

Slide 30 text

AWS SOLUTION: KEY MANAGEMENT SERVICE
Decide on an encryption key management strategy:
• Manage and use keys in AWS Key Management Service (AWS KMS)
• Use service-provided built-in key management
• Use your own key management system
• Manage and use keys in AWS CloudHSM

Slide 31

Slide 31 text

KEY MANAGEMENT SERVICE – Features added in 2016
• Bring your own keys to AWS Key Management Service using the KMS import key feature
• AWS Encryption SDK

Slide 32

Slide 32 text

CONSTRAINT-BASED MONITORING AUTOMATED REASONING

Slide 33

Slide 33 text

AWS SOLUTION: CONSTRAINT-BASED MONITORING A TOOL FOR STATIC ANALYSIS OF AMAZON EC2/VPC NETWORKS

Slide 34

Slide 34 text

AWS SOLUTION: CONSTRAINT-BASED MONITORING
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants
To learn more, see Byron Cook’s session SEC401 – Automated Formal Reasoning About AWS Systems.

Slide 35

Slide 35 text

SPEED OF SECURITY GO BIG WITH INSTANCES

Slide 36

Slide 36 text

X1 INSTANCES

Slide 37

Slide 37 text

P2 INSTANCES

Slide 38

Slide 38 text

• AWS compliance program – updates
• Security tool enhancements in 2016
• How AWS handles security at scale
• Recent announcements
• The case for change

Slide 39

Slide 39 text

AWS Security – 2016 Pace of Innovation
• Reviewed 2,233 services and features in the last year
• 319 compliance programs in scope across 40+ services
• 5,769 overall security reviews YTD

Slide 40

Slide 40 text

How AWS handles security at scale
• We operate over 2,400 controls, but multiply that by the 64 services we have, over a period of 6 months that may be 30 million instances of control performance
• We collect terabytes and terabytes of logs on our own data

Slide 41

Slide 41 text

Detecting anomalies through AWS CloudTrail Logs
• AWS CloudTrail logs are a treasure trove of information
  • Examples: event type, source IP, principal/AKID, MFA used
• Use data to rapidly detect and respond to threats
  • “Walking” credentials
  • Compromised accounts
  • Other malicious behavior
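The fields the slide names (event type, source IP, principal/AKID, MFA used) are enough to implement the first two detections it lists. The script below is an added example, not code from the original slides: it runs three checks over a handful of constructed CloudTrail records in the real record layout (`eventTime`, `eventName`, `sourceIPAddress`, `userIdentity`, `additionalEventData.MFAUsed`). "Walking credentials" is modelled as one access key ID used from more than two distinct source IPs inside a ten-minute window; the thresholds are ours, the access key ID is the AWS documentation placeholder, and the IP addresses are test ranges.

```python
"""Anomaly checks over AWS CloudTrail records.

Added example, not code from the original slides. Records are constructed in
the CloudTrail record layout; thresholds and check names are ours.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, as they would appear in a CloudTrail log file's "Records" array.
SAMPLE_RECORDS = [
    {"eventTime": "2016-11-15T09:50:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2016-11-15T09:52:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2016-11-15T09:53:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2016-11-15T09:55:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-11-15T09:58:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "10.0.1.21",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2016-11-15T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2016-11-15T10:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]


def _time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _who(record):
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or "unknown"


def find_walking_credentials(records, window=timedelta(minutes=10), max_ips=2):
    """Access key IDs used from more than `max_ips` distinct source IPs within
    any `window`: a key that moves between networks faster than its owner could."""
    by_key = defaultdict(list)
    for rec in records:
        akid = rec.get("userIdentity", {}).get("accessKeyId")
        if akid:
            by_key[akid].append((_time(rec), rec["sourceIPAddress"]))
    flagged = {}
    for akid, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) > max_ips:
                flagged[akid] = sorted(ips | set(flagged.get(akid, [])))
    return flagged


def find_console_logins_without_mfa(records):
    """Console sign-ins where CloudTrail recorded MFAUsed != 'Yes'."""
    return [_who(r) for r in records
            if r["eventName"] == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def find_root_activity(records):
    """Any API call made by the root identity; the slide on account management
    says root should be used only for account structure and permissions."""
    return [r["eventName"] for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def analyze(records):
    return {
        "walking_credentials": find_walking_credentials(records),
        "console_login_without_mfa": find_console_logins_without_mfa(records),
        "root_activity": find_root_activity(records),
    }


if __name__ == "__main__":
    for check, result in analyze(SAMPLE_RECORDS).items():
        print(f"{check}: {result}")
```

In production the records come from the trail's S3 bucket (gzip-compressed JSON with a top-level `Records` array) or from CloudWatch Logs; the three check functions take the decoded records unchanged.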

Slide 42

Slide 42 text

Collecting raw NetFlow-like logs in AWS
Scenario: You purchased a company running on EC2. You've been asked: "Tell us of any known suspicious activity or activity indicating possible compromise for the main web server."

Slide 43

Slide 43 text

Autoticketing
• Find and close gaps in security monitoring
• Be highly accurate and actionable
• Deliver results with low latency

Slide 44

Slide 44 text

How AWS handles security at scale
(Diagram components: Work generator, Corp, S3, Results processor, SNS, Lambda (async), Scan target, Lambda (sync))

Slide 45

Slide 45 text

Change Management
• Problem: controlled automated deployment and validation of daily deployments
• Our response: automated auditable deployment and validation environment
• How we use it: auditor validation of our preventative and detective change management controls
• Benefit: all changes to the environment are controlled and documented

Slide 46

Slide 46 text

Change Management (diagram: steps 1–5)

Slide 47

Slide 47 text

Change Management – QA & Code Review (diagram: steps 1–6)

Slide 48

Slide 48 text

Change Management – Flagged Deployment
ID: 47365690
Deployer: johndoe@
Deployment Time: 09:56:23 11/15/2016
Flag reason: Approval was not documented in the change ticket

Slide 49

Slide 49 text

• AWS compliance program – updates
• Security tool enhancements in 2016
• How AWS handles security at scale
• Recent announcements
• The case for change

Slide 50

Slide 50 text

AWS Security – re:Invent 2016 Preparation
• Reviewed and tested 91 service and feature launches for re:Invent 2016
• Leading into 2016 re:Invent (Sept–Nov 2016), AWS Security completed 139 pen-tests (equaling 2,357 person days)

Slide 51

Slide 51 text

Recent Announcements
• AWS Shield
• AWS Artifact (Compliance Reports)
• AWS Organizations
• AWS WAF (CloudFront and ALB)
• Amazon Certificate Manager (CloudFront and ELB)

Slide 52

Slide 52 text

AWS Lambda triggered by “Security Events”
Event sources shown: Amazon CloudWatch Events, AWS WAF, AWS Config, AWS CloudTrail
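One concrete form of the pattern on this slide is a Lambda function invoked by Amazon CloudWatch Events for CloudTrail API calls, which turns a single API call into a near-real-time detective control. The handler below is an added example, not code from the original slides or an AWS sample. The events are constructed in the CloudWatch Events envelope for the `AWS API Call via CloudTrail` detail type; the nested `items` lists mirror how CloudTrail records EC2 request parameters, which you should verify against your own trail before relying on it. The checks, their names and the port list are ours, and a deployed function would forward the findings (for example to SNS) rather than only return them.

```python
"""Lambda handler for "security events" delivered through Amazon CloudWatch Events.

Added example, not code from the original slides or an AWS sample. The event
shapes are constructed (assumption: CloudTrail's EC2 request parameters use
nested "items" lists); the checks and their names are ours.
"""
ADMIN_PORTS = {22, 3389}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
# API calls that weaken or disable the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _public_ranges(permission):
    """CIDRs in this ingress rule that mean 'the whole Internet'."""
    v4 = permission.get("ipRanges", {}).get("items", [])
    v6 = permission.get("ipv6Ranges", {}).get("items", [])
    cidrs = [r.get("cidrIp") for r in v4] + [r.get("cidrIpv6") for r in v6]
    return [c for c in cidrs if c in PUBLIC_CIDRS]


def _reaches_admin_port(permission):
    if permission.get("ipProtocol") == "-1":      # all protocols, all ports
        return True
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if lo is None or hi is None:
        return False
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def check_security_group_ingress(detail):
    """Flag AuthorizeSecurityGroupIngress calls that expose admin ports publicly."""
    findings = []
    params = detail.get("requestParameters") or {}
    group = params.get("groupId", "unknown-group")
    for perm in params.get("ipPermissions", {}).get("items", []):
        public = _public_ranges(perm)
        if public and _reaches_admin_port(perm):
            findings.append(
                f"{group}: {perm.get('ipProtocol')} {perm.get('fromPort')}-{perm.get('toPort')} "
                f"opened to {', '.join(public)}")
    return findings


def check_trail_tampering(detail):
    """Flag changes to CloudTrail's own configuration, whoever made them."""
    name = detail.get("eventName")
    if name in TRAIL_TAMPER_EVENTS:
        who = detail.get("userIdentity", {}).get("arn", "unknown")
        return [f"CloudTrail configuration changed ({name}) by {who}"]
    return []


def handler(event, context=None):
    """Lambda entry point. Returns the findings so the logic is unit-testable."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return {"eventName": None, "findings": []}
    detail = event.get("detail", {})
    findings = []
    if detail.get("eventName") == "AuthorizeSecurityGroupIngress":
        findings += check_security_group_ingress(detail)
    findings += check_trail_tampering(detail)
    return {"eventName": detail.get("eventName"), "findings": findings}


# Constructed events in the CloudWatch Events envelope format.
SG_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/johndoe"},
        "requestParameters": {
            "groupId": "sg-0123abcd",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},     # fine: internal only
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},      # flagged: SSH to the world
            ]},
        },
    },
}
STOP_LOGGING_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.cloudtrail",
    "detail": {"eventName": "StopLogging",
               "userIdentity": {"arn": "arn:aws:iam::123456789012:user/johndoe"},
               "requestParameters": {"name": "main-trail"}},
}

if __name__ == "__main__":
    print(handler(SG_EVENT))
    print(handler(STOP_LOGGING_EVENT))
```

Keeping the decision logic in plain functions that return findings, with the handler as a thin wrapper, is what makes such a function testable in CI before it is wired to a live event rule.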

Slide 53

Slide 53 text

• AWS compliance program – updates
• Security tool enhancements in 2016
• How AWS handles security at scale
• Recent announcements
• The case for change

Slide 54

Slide 54 text

The case for change
• DevOps, Agile, and Scrum on the rise…
• Workload migrations to software defined environments…
• Mass adoption of the public cloud…
• Talent migration to progressive cloud companies…
• Startups have game-changing tech at their disposal…
• Competitive landscape is becoming fierce…
• The perimeter is no longer an option…
• Security, now more than ever, is an arms race…

Slide 55

Slide 55 text

The DevSecOps mindset
• Customer focus
• Open and transparent
• Iteration over perfection
• Hunting over reaction
• Hmmm → Wait a minute, this sounds like a manifesto… insert shameless plug here: http://www.devsecops.org

Slide 56

Slide 56 text

Where to start?
• Pontificate?
• Checklists?
• 1-pagers? 6-pagers? Documents? (Page 3 of 433)
Security as code

Slide 57

Slide 57 text

Security as code is easy with AWS – AWS provides all the APIs!
• Programmatically test environments
• Determine state of environment at a specific point in time
• Repeatable processes
• Scalable operations
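"Determine state of environment at a specific point in time" and "repeatable processes" together describe a compliance test you can run in CI. The script below is an added example, not code from the original slides: it parses a CSV in the layout of the IAM credential report (which `boto3`'s `iam.get_credential_report()` returns as bytes in its `Content` field) and applies three checks that follow from the earlier account-management slide: no console password without MFA, no active access keys on the root account, and no active key older than a rotation limit. The rows, the account ID and the 90-day limit are constructed, and the "as of" time is fixed so the check is repeatable.

```python
"""Point-in-time IAM credential hygiene check, written so it can run as a test.

Added example, not code from the original slides. The CSV below is constructed
in the column layout of the IAM credential report (a subset of its columns);
check names and the 90-day rotation limit are ours.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample (subset of the real report's columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,2016-01-10T08:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2016-10-01T12:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2016-03-05T09:30:00+00:00,true,2016-11-01T09:30:00+00:00
"""

AS_OF = datetime(2016, 11, 15, tzinfo=timezone.utc)   # fixed so results are reproducible
MAX_KEY_AGE = timedelta(days=90)


def parse_report(text):
    """Rows of the credential report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _timestamp(value):
    """The report uses placeholders instead of empty cells; treat them as unknown."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def check_credentials(rows, as_of=AS_OF, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs; an empty list means the checks pass."""
    findings = []
    for row in rows:
        user = row["user"]
        active_keys = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            if active_keys:
                findings.append((user, "root account has an active access key"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for n in active_keys:
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is None or as_of - rotated > max_key_age:
                findings.append((user, f"access_key_{n} active but not rotated in {max_key_age.days} days"))
    return findings


def environment_is_compliant(report_text=SAMPLE_REPORT, **kwargs):
    """Single boolean for a CI gate; the findings list explains a failure."""
    return not check_credentials(parse_report(report_text), **kwargs)


if __name__ == "__main__":
    for user, finding in check_credentials(parse_report(SAMPLE_REPORT)):
        print(f"{user}: {finding}")
    print("compliant:", environment_is_compliant())
```

Swapping `SAMPLE_REPORT` for the decoded `Content` of a freshly generated credential report turns this into the repeatable, point-in-time check the slide describes; the assertions stay the same.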

Slide 58

Slide 58 text

How can we learn DevSecOps?
DevOps + Security → DevOps + DevSecOps (Start Here?)
Security as Code? Security as Operations? Compliance Operations? Science?
• Experiment: Automate Policy Governance
• Experiment: Detection via Security Operations
• Experiment: Compliance via DevSecOps Toolkit
• Experiment: Science via Profiling

Slide 59

Slide 59 text

Ready to build your DevSecOps platform?
(Diagram components: insights, security science, security tools & data, AWS accounts, S3, Glacier, EC2, CloudTrail, ingestion, threat intel)

Slide 60

Slide 60 text

Evolution
“Today's ‘cloud-first’ strategy is already moving toward ‘cloud-only’” – IDC, “Industry Predictions for 2017”

Slide 61

Slide 61 text

ADDITIONAL RESOURCES
• https://aws.amazon.com/security/
• https://aws.amazon.com/compliance/
• https://aws.amazon.com/blogs/security/

Slide 62

Slide 62 text

AWS Security Deep Dive Danilo Poccia @danilop danilop AWS Technical Evangelist