Mitigate Risks Using Cloud-Native Infrastructure Security

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Transcript of Mitigate Risks Using Cloud-Native Infrastructure Security

Page 1:

Mitigate Risks Using Cloud-Native Infrastructure Security

Page 2:

Agenda

• Examine on-premises infrastructure security
  • Are there any issues we want to avoid?
• Examine cloud-native infrastructure security services
  • Can these help address existing issues?
• Let’s build!

Page 3:

Before we begin

Start this session with a fundamental premise:

When you’re tempted to ask “Where is?”, instead ask “Why did I need?”

Page 4:

On-premises architectures

Network-centric security
• Firewalls
• Multiple layers of network-based security services
• Routing & subnet isolation

[Diagram: on-premises architecture with Internet, DMZ, Web Tier and Internal Tier; Security Services, Auth Services, Shared Services, Database Services, VPC Connections, internal web sites and shared services]

Page 5:

[Diagram: same on-premises architecture as Page 4]

Reality is a little more complicated

Multiples of everything
• Multiple firewalls
• Multiple services
• Multiple shared dependencies

What does this mean for isolation?

Page 6:

[Diagram: same on-premises architecture as Page 4]

When an intrusion happens

What happens when isolation breaks down?

Page 7:

[Diagram: same on-premises architecture as Page 4]

When an intrusion happens

What happens when isolation breaks down?

Page 8:

[Diagram: same on-premises architecture as Page 4]

When an intrusion happens

What happens when isolation breaks down?

What about your internal architecture? Change management?

Page 9:

[Diagram: same on-premises architecture as Page 4]

When an intrusion happens

What happens when isolation breaks down?

What about your internal architecture? Change management?

Why would we want to copy this?

Page 10:

Reducing risks using cloud-native solutions

• Provide granular control: Security Groups & NACLs
• Improve application isolation: Virtual Private Clouds
• Lower operational burden: AWS CloudFormation
• Security insight across all environments: Amazon GuardDuty, AWS CloudTrail, AWS Config
• Improved admin access: AWS Systems Manager

Page 11:

Cloud-native architectures

Isolation by default
• Easier & more restrictive

Secure insights across the board

New ways to secure access
• What if there was no SSH or RDP?

[Diagram: AWS Cloud, us-east-1a and us-east-1b Availability Zones; Web Application VPC 10.0.0.0/16 with Web and DB tiers, public subnets and a private subnet; Services VPC 10.1.0.0/16 with a Services subnet; Proof of Concept VPC 10.250.0.0/16; AWS Systems Manager, SSM and S3 endpoints, Internet gateways (IGW); Amazon GuardDuty, AWS Config, AWS CloudTrail]

Page 12:

Let’s Build!

http://tiny.cc/reinforce-fnd203

Page 13:

What did we learn?

• We can see everything going on in our AWS environment
• We have more granular, provable control of communications at a lower operational burden
• We can still explicitly deny access, but now in more places
• We have detailed logging and advanced monitoring of our control and data planes
• We can solve issues we never thought possible – like admin port risk
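One way to make the "admin port risk" and "what if there was no SSH or RDP?" points checkable, as an added example that is not part of the session material: a small checker that walks security group ingress rules in the shape of the EC2 DescribeSecurityGroups response and reports every rule reaching port 22 or 3389, tagging internet-reachable sources separately. The sample groups, their IDs and CIDRs are constructed for the example; a hardened web tier that relies on AWS Systems Manager for administration should produce no findings at all.

```python
"""Flag EC2 security groups that still expose admin ports (SSH 22, RDP 3389).
Added example, not code from the AWS session. The input below is constructed in
the shape of an EC2 DescribeSecurityGroups response, so real CLI/boto3 output fits."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def rule_covers(rule, port):
    """True if one IpPermissions entry allows TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                     # all protocols and ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def is_public(cidr):
    """True for 0.0.0.0/0 or any source outside the private/reserved ranges
    that ipaddress.is_private knows about."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private

def find_admin_exposure(response):
    """Return (GroupId, service, CidrIp, 'internet'|'internal') for every
    inbound rule that reaches an admin port; the hardened goal is zero rows."""
    findings = []
    for sg in response["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            for port, name in ADMIN_PORTS.items():
                if not rule_covers(rule, port):
                    continue
                for ip_range in rule.get("IpRanges", []):
                    cidr = ip_range["CidrIp"]
                    scope = "internet" if is_public(cidr) else "internal"
                    findings.append((sg["GroupId"], name, cidr, scope))
    return findings

# Constructed sample: the web tier before (SSH from anywhere, RDP from the
# 10.1.0.0/16 Services VPC) and after (HTTPS only; admin via Systems Manager).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web-before", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.1.0.0/16"}]}]},
    {"GroupId": "sg-web-after", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

if __name__ == "__main__":
    for finding in find_admin_exposure(SAMPLE):
        print("%s: %s reachable from %s (%s)" % finding)
```

The same function also catches the common catch-all cases: an `IpProtocol` of `-1` or a TCP range such as 0-65535 is reported for both ports.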

Page 14:

Let’s not forget about partners

• Logging & monitoring
• Identity & access control
• Configuration & vulnerability analysis
• Data protection
• Host-based security