AWS re:Invent re:Cap - AWS 보안 기능 업데이트 - 이종남

December 4, 2014 | Korea

AWS 보안 기능 업데이트

이종남, AWS Professional Services

re:Cap

http://youtu.be/OEK7mHn4JLs

http://www.slideshare.net/AmazonWebServices/sec201-aws-security-keynote-address-aws-reinvent-2014

http://youtu.be/IT-krK_wI3o

http://www.slideshare.net/AmazonWebServices/sec311-architecting-for-endtoend-security-in-the-enterprise-aws-reinvent-2014

http://youtu.be/mGZZ20wxjrg

http://www.slideshare.net/marknca/updating-security-operations-for-the-cloud-41657619

http://youtu.be/zP5giSxe8fM

http://www.slideshare.net/AmazonWebServices/sec315-new-launch-get-deep-visibility-into-resource-configurations-aws-reinvent-2014

http://youtu.be/nzSrRvADh6g

http://www.slideshare.net/AmazonWebServices/sec404-incident-response-in-the-cloud-aws-reinvent-2014

http://youtu.be/gT6djiVrJxs

http://www.slideshare.net/AmazonWebServices/sec405-enterprise-cloud-security-via-devsecops-aws-reinvent-2014























































































http://youtu.be/nzSrRvADh6g






































http://youtu.be/fIqVS0mI83w

http://www.slideshare.net/AmazonWebServices/sec202-closing-the-gap-moving-critical-regulated-workloads-to-aws-aws-reinvent-

2014

https://www.youtube.com/watch?v=BJprWgompq0

http://www.slideshare.net/AmazonWebServices/sec306-turn-on-cloudtrail-log-api-activity-in-your-aws-account-

aws-reinvent-2014

https://www.youtube.com/watch?v=LUGe0lofYa0

http://www.slideshare.net/AmazonWebServices/sec308-navigating-pci-compliance-in-the-cloud-aws-reinvent-

2014

http://www.slideshare.net/AmazonWebServices/sec202-closing-the-gap-moving-critical-regulated-workloads-to-aws-aws-reinvent-2014




























http://www.slideshare.net/AmazonWebServices/sec306-turn-on-cloudtrail-log-api-activity-in-your-aws-account-aws-reinvent-2014


































http://www.slideshare.net/AmazonWebServices/sec308-navigating-pci-compliance-in-the-cloud-aws-reinvent-2014



















https://www.youtube.com/watch?v=0zJuULHFS6A

http://www.slideshare.net/AmazonWebServices/sec302-delegating-access-to-your-aws-environment-aws-reinvent-2014

https://www.youtube.com/watch?v=0WI5sirOvco

http://www.slideshare.net/AmazonWebServices/sec303-mastering-access-control-policies-aws-reinvent-2014

https://www.youtube.com/watch?v=debJ3o5w0MA

http://www.slideshare.net/AmazonWebServices/sec304

https://www.youtube.com/watch?v=ZhvXW-ILyPs

http://www.slideshare.net/AmazonWebServices/sec305-iam-best-practices-aws-reinvent-2014

https://www.youtube.com/watch?v=kBCbz7L52-Q

http://www.slideshare.net/AmazonWebServices/sec309-amazon-vpc-configuration-when-least-privilege-meets-the-penetration-tester-aws-reinvent-2014

https://www.youtube.com/watch?v=Y3uSYpFJVvQ

http://www.slideshare.net/AmazonWebServices/sec310-integrating-aws-with-external-identity-management-aws-reinvent-2014

https://www.youtube.com/watch?v=JbmJ4BSpNqE

http://www.slideshare.net/AmazonWebServices/sec403-building-aws-partner-applications-using-iam-roles-aws-reinvent-2014
























































































































































https://www.youtube.com/watch?v=OT2y3DzMEmQ

http://www.slideshare.net/AmazonWebServices/sec307-building-a-ddosresilient-architecture-with-amazon-web-services-aws-

reinvent-2014

https://www.youtube.com/watch?v=WUQNeMhkaco

http://www.slideshare.net/AmazonWebServices/sec402-intrusion-detection-in-the-cloud-aws-reinvent-2014

http://www.slideshare.net/AmazonWebServices/sec307-building-a-ddosresilient-architecture-with-amazon-web-services-aws-reinvent-2014















































https://www.youtube.com/watch?v=bqIYI3mDsd4

http://www.slideshare.net/AmazonWebServices/sec301-encryption-and-key-management-in-aws-aws-reinvent-2014-41572090

https://www.youtube.com/watch?v=8AODa_AazY4

http://www.slideshare.net/AmazonWebServices/sec316-ssl-with-amazon-web-services-aws-reinvent-2014-41572311

https://www.youtube.com/watch?v=0kWpm1FyG_Q

http://www.slideshare.net/AmazonWebServices/sec406-new-launch-building-secure-applications-with-aws-key-management-

service-aws-reinvent-2014





















































http://www.slideshare.net/AmazonWebServices/sec406-new-launch-building-secure-applications-with-aws-key-management-service-aws-reinvent-2014



























https://run.qwiklab.com/



주요 헬스케어 제공사에서 솔루션채택

• “상업용 시설에서 군용 수준의 보안을

확보하기 위해” 작업 중

effective access

“effective access”

“ineffective access”

Singapore

MTCS

{

"configurationItems": [

{

…

-,

"relationships": [

{

"resourceType": "AWS::EC2::NetworkInterface",

"resourceId": "eni-f097eca9",

"relationshipName": "Contains

NetworkInterface"

},

{

"resourceType": "AWS::EC2::SecurityGroup",

"resourceId": "sg-9ddbb9f8",

"relationshipName": "Is associated with

SecurityGroup"

},…

"resourceType": "AWS::EC2::Subnet",

"resourceId": "subnet-62dde924",

"relationshipName": "Is contained in Subnet"

},

{

"resourceType": "AWS::EC2::Volume",

"resourceId": "vol-122ede1d",

"relationshipName": "Is attached to Volume"

},

{

"resourceType": "AWS::EC2::VPC",

"resourceId": "vpc-ba9072df",

"relationshipName": "Is contained in Vpc"

}

-,

"arn": "arn:aws:ec2:us-west-

2:350616417307:instance/i-7a220375",

"version": "1.0",

"configurationItemMD5Hash":

"f62b29193af10e25f713ba6f746de8b1",

AWS CloudTrail

AWS Config AWS CloudTrail

관리 대상 자원 형상

(Resource Configuration)

사용자 행동

(User Activity)

활용 케이스 • 현재시점의 자원 형상 탐지

• 자원들의 상호 연관관계 관리

• 형상 변경을 감사 및

문제해결

• 사용자 행동패턴 탐지 등의

보안 분석

• AWS 자원 변경 이력 추적

• 운영 이슈 해결

• 규제 준수

Customer Master

Key(s)

Data Key 1

Amazon

S3 Object Amazon

EBS

Volume

Amazon

Redshift

Cluster

Data Key 2 Data Key 3 Data Key 4

Custom

Application

AWS KMS

Application or

AWS Service

+

Data Key Encrypted Data Key

Encrypted

Data

Master Key(s) in

Customer’s Account

AWS

Key Management Service

1. 애플리케이션/AWS 서비스는 데이타 암호화 위한 암호화키를 요청. 해당 어카운트의 마스터키에게

참조값을 전달.

2. 클라이언트 요청이 마스터키 접근권한을 가졌는 지 인증.

3. 새 데이타암호화키 생성 후 마스터키를 이용해 해당키를 암호화.

4. 데이타키와 암호화된 데이타키 쌍을 클라이언트에게 반환. 데이타키는 고객데이타를 암호화하는

데 사용한 후 즉시 폐기.

5. 암호화된 데이타키는 나중을 위해 저장해 두었다가, 원천데이타를 복호화(decrypt) 시 AWS

KMS에게 전달해서 데이타키 복호화.

AWS

CloudHSM

AWS Administrator –

manages the appliance

You – control keys and

crypto operations

Amazon Virtual Private Cloud

DIY AWS Marketplace

Partner Solution AWS CloudHSM

AWS Key

Management

Service

Where are keys

generated and

stored

Your network or in

AWS

Your network or in

AWS

In AWS, on an

HSM that you

control

AWS

Where keys are

used

Your network or

your EC2 instance

Your network or

your EC2 instance

AWS or your

applications

AWS services or

your applications

How to control key

use

Config files,

Vendor-specific

management

Vendor-specific

management

Customer code +

Safenet APIs

Policy you define;

enforced in AWS

Responsibility for

Performance/Scale

You You You AWS

Integration with

AWS services?

Limited Limited Limited Yes

Pricing model Variable Per hour/per year Per hour Per key/usage

Creates portfolio

Adds constraints

and grant access

1

4

5

Administrator

Portfolio

Users

Browse Products

6 Launch Products AWS CloudFormation

template

Creates

product 3 Authors template 2 ProductX ProductY ProductZ

7 Deploys

stacks

Notifications Notifications

8 8

re:Cap

AWS re:Invent re:Cap - AWS 보안 기능 업데이트 - 이종남

Technology

Transcript of AWS re:Invent re:Cap - AWS 보안 기능 업데이트 - 이종남