End-to-End Security on AWS

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Angelo Carvalho, Solutions Architect
September 22, 2016
End-to-End Security on AWS

Transcript of End-to-End Security on AWS


Prescriptive Approach
• Understand AWS Security Practice
• Build Strong Compliance Foundations
• Integrate Identity & Access Management
• Enable Detective Controls
• Establish Network Security
• Implement Data Protection
• Optimize Change Management
• Automate Security Functions

Understand AWS Security Practice

Why is Enterprise Security Traditionally Hard?
• Lack of visibility
• Low degree of automation

Move Fast AND Stay Secure

Making life easier

Choosing security does not mean giving up on convenience or introducing complexity

Security ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication

Distributed, Embedded

Strengthen your security posture

Get native functionality and tools

Over 30 global compliance certifications and accreditations

Leverage security enhancements gleaned from 1M+ customer experiences

Benefit from AWS industry leading security teams 24/7, 365 days a year

Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations

Security is a shared responsibility

AWS is responsible for the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security IN the Cloud:
Customer content
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

Build Strong Compliance Foundations

AWS Assurance Programs

AWS maintains a formal control environment
• SOC 1 Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001, 27017, 27018 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• Architect for HIPAA compliance

AWS Account Relationship

AWS Account Ownership

AWS Account Contact Information

AWS Sales

AWS Solutions Architects

AWS Support

AWS Professional Services

AWS Consulting Partners

AWS Trusted Advisor


Integrate Identity & Access Management

AWS Identity & Access Management

IAM Users, IAM Groups, IAM Roles, IAM Policies

Account Governance – New Accounts

InfoSec’s Cross-Account Roles

AWS Account Credential Management (“Root Account”)

Federation

Baseline Requirements

Actions & Conditions

Map Enterprise Roles

Enable Detective Controls

AWS CloudTrail & CloudWatch

AWS CloudTrail
✓ Enable globally for all AWS Regions
✓ Encryption & Integrity Validation
✓ Archive & Forward

Amazon CloudWatch
✓ Amazon CloudWatch Logs
✓ Metrics & Filters
✓ Alarms & Notifications
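The three CloudTrail settings above map onto fields of a trail description. The following check is an added example, not code from the deck or from AWS: it audits trail descriptions in the shape returned by the CloudTrail DescribeTrails API against "all Regions", "encryption and integrity validation" and "archive and forward". The two trail descriptions, their names, ARNs and account id are constructed for illustration.

```python
"""Audit CloudTrail trail descriptions (DescribeTrails shape) against the
settings the deck recommends. Added example; trails below are constructed."""

# Constructed: a trail set up the way the deck recommends.
GOOD_TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-cloudtrail-archive",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/Default:*",
}

# Constructed: a single-Region trail with no validation, no KMS key and no forwarding.
WEAK_TRAIL = {
    "Name": "legacy-trail",
    "S3BucketName": "example-cloudtrail-archive",
    "IncludeGlobalServiceEvents": False,
    "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": False,
}

# Each check: (finding name, predicate over a trail description). Order is the report order.
CHECKS = (
    ("all regions", lambda t: t.get("IsMultiRegionTrail", False)),
    ("global service events", lambda t: t.get("IncludeGlobalServiceEvents", False)),
    ("integrity validation", lambda t: t.get("LogFileValidationEnabled", False)),
    ("kms encryption", lambda t: bool(t.get("KmsKeyId"))),
    ("archive to s3", lambda t: bool(t.get("S3BucketName"))),
    ("forward to cloudwatch logs", lambda t: bool(t.get("CloudWatchLogsLogGroupArn"))),
)


def trail_findings(trail):
    """Names of the recommended settings this trail does not satisfy (empty means fully configured)."""
    return [name for name, ok in CHECKS if not ok(trail)]


def account_findings(trails):
    """Per-trail findings, plus an account-level finding when no trail covers every Region."""
    findings = {t["Name"]: trail_findings(t) for t in trails}
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings["_account"] = ["no multi-region trail"]
    return findings


if __name__ == "__main__":
    for name, gaps in account_findings([GOOD_TRAIL, WEAK_TRAIL]).items():
        print(name, "->", gaps or "ok")
```

In a real run the input list comes from the `DescribeTrails` call of the CloudTrail API; the checks are deliberately written over plain dictionaries so the same function works on saved API output.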

Establish Network Security

AWS Global Infrastructure

13 AWS Regions
• North America (4)
• Europe (2)
• Asia Pacific (6)
• South America (1)

Each Region has at least 2 Availability Zones
• 35 Availability Zones (AZs)

56 AWS Edge Locations
• North America (21)
• Europe (16)
• Asia Pacific (17)
• South America (2)

Reference VPC architecture (diagram labels):
VPC CIDR 10.10.0.0/16 across Availability Zones A, B and C
Public subnets 10.10.1.0/24 and 10.10.2.0/24 (AZ A, AZ B); private subnets 10.10.3.0/24, 10.10.4.0/24, 10.10.5.0/24 and 10.10.6.0/24
Internet Gateway; Public ELB; Autoscaling Web Tier; Internal ELB; Autoscaling Application Tier
Multi-AZ RDS Data Tier: RDS Master, RDS Standby, Snapshots
Existing Datacenter connected through a Customer Gateway by VPN Connection and by Direct Connect (Network Partner Location) to a Virtual Private Gateway
Administrators & Corporate Users

Amazon Virtual Private Cloud (diagram labels):
VPC CIDR 10.1.0.0/16; Availability Zones A and B, each with a public subnet (ELB, Web) and private subnets (Back end)

Security Groups
sg_ELB_FrontEnd (ELB Security Group)
sg_Web_Frontend (Web Security Group)
sg_Backend (Backend Security Group)
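The three security groups above chain the tiers together: each group admits traffic only from the group in front of it, and only the ELB group is open to the Internet. The following model is an added example, not code from the deck; the group names are the slide's, while the ports, CIDRs and the rule that references another group by name are assumptions chosen to show how the chaining works.

```python
"""Model of the three-tier security-group chain from the slide. Added example;
ports and CIDRs are assumptions."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    proto: str
    from_port: int
    to_port: int
    source: str  # a CIDR such as "0.0.0.0/0" or the name of another security group


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)


# Assumed rule set modelled on the slide's diagram: Internet -> ELB -> Web -> Backend.
SECURITY_GROUPS = {
    "sg_ELB_FrontEnd": SecurityGroup("sg_ELB_FrontEnd", [
        Rule("tcp", 443, 443, "0.0.0.0/0"),          # public HTTPS terminates at the ELB
    ]),
    "sg_Web_Frontend": SecurityGroup("sg_Web_Frontend", [
        Rule("tcp", 80, 80, "sg_ELB_FrontEnd"),       # only members of the ELB group reach the web tier
    ]),
    "sg_Backend": SecurityGroup("sg_Backend", [
        Rule("tcp", 8080, 8080, "sg_Web_Frontend"),   # only members of the web group reach the backend
    ]),
}


def _source_matches(rule_source, src_ip, src_groups):
    """A group-name source matches by membership; anything else is treated as a CIDR."""
    if rule_source in SECURITY_GROUPS:
        return rule_source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source, strict=False)


def ingress_allowed(dest_group, proto, port, src_ip, src_groups=()):
    """True if any ingress rule on dest_group admits the flow; no matching rule means implicit deny."""
    for rule in SECURITY_GROUPS[dest_group].ingress:
        if (rule.proto == proto and rule.from_port <= port <= rule.to_port
                and _source_matches(rule.source, src_ip, src_groups)):
            return True
    return False


def world_open_ports(group_name):
    """Ports the group exposes to any address: the first thing to review before attaching a group."""
    return sorted(r.from_port for r in SECURITY_GROUPS[group_name].ingress
                  if r.source in ("0.0.0.0/0", "::/0"))


if __name__ == "__main__":
    print("internet -> ELB:443", ingress_allowed("sg_ELB_FrontEnd", "tcp", 443, "203.0.113.7"))
    print("internet -> web:80", ingress_allowed("sg_Web_Frontend", "tcp", 80, "203.0.113.7"))
    print("ELB -> backend:8080", ingress_allowed("sg_Backend", "tcp", 8080, "10.1.1.5", ("sg_ELB_FrontEnd",)))
```

The point the model makes is that a source of "another security group" is evaluated by membership, not by address, so an instance that is not in sg_ELB_FrontEnd cannot reach the web tier even from inside the VPC, and the ELB cannot skip the web tier and reach the backend directly.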

VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics

Fields of a flow log record: AWS account, Source IP, Destination IP, Source port, Destination port, Interface, Protocol, Packets, Bytes, Start/end time, Accept or reject

VPC Flow Logs
• Amazon Elasticsearch Service
• Amazon CloudWatch Logs subscriptions

VPC Flow Logs – CloudWatch Alarms
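The slides describe the pipeline (records with the fields listed above, a CloudWatch metric built from them, an alarm on the metric) without showing it. The following parser is an added example, not code from the deck: it splits records in the field order above, derives a "rejected connections per source" metric of the kind a CloudWatch metric filter would produce, and decides when an alarm threshold is reached. The sample records are constructed (RFC 5737 documentation addresses, a made-up account id and ENI id); `REJECT_FILTER_PATTERN` is the equivalent CloudWatch Logs space-delimited filter pattern, shown for comparison only.

```python
"""Parse VPC Flow Log records and derive a REJECT-per-source metric with an
alarm threshold. Added example; sample records are constructed."""
from collections import Counter

# Field order of a flow log record, i.e. the columns listed on the slide.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Equivalent CloudWatch Logs metric-filter pattern (space-delimited syntax) for the same signal.
REJECT_FILTER_PATTERN = ("[version, account, eni, source, destination, srcport, destport, "
                         "protocol, packets, bytes, windowstart, windowend, action=REJECT, flowlogstatus]")

# Constructed sample: one source probing three ports and being refused, one normal client,
# and a NODATA window (no traffic in the capture interval) that must be skipped.
SAMPLE_RECORDS = """\
2 123456789010 eni-0a1b2c3d 203.0.113.12 10.1.1.20 41532 22 6 3 180 1474500000 1474500059 REJECT OK
2 123456789010 eni-0a1b2c3d 203.0.113.12 10.1.1.20 41533 3389 6 3 180 1474500000 1474500059 REJECT OK
2 123456789010 eni-0a1b2c3d 203.0.113.12 10.1.1.20 41534 445 6 3 180 1474500000 1474500059 REJECT OK
2 123456789010 eni-0a1b2c3d 198.51.100.7 10.1.1.20 51000 443 6 12 9600 1474500000 1474500059 ACCEPT OK
2 123456789010 eni-0a1b2c3d 198.51.100.7 10.1.1.20 51001 8080 6 2 120 1474500000 1474500059 REJECT OK
2 123456789010 eni-0a1b2c3d - - - - - - - 1474500060 1474500119 - NODATA
"""


def parse_record(line):
    """Split one record into a dict; return None for NODATA/SKIPDATA windows, which carry no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_records(text):
    """Parse a batch of records, dropping blank lines and no-data windows."""
    parsed = (parse_record(ln) for ln in text.splitlines() if ln.strip())
    return [rec for rec in parsed if rec]


def rejects_per_source(records):
    """The metric: number of REJECT records per source address in the batch."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def alarming_sources(records, threshold):
    """Sources whose REJECT count reaches the threshold, as an alarm on the metric would report."""
    return sorted(ip for ip, n in rejects_per_source(records).items() if n >= threshold)


def rejected_ports(records, srcaddr):
    """Destination ports a given source was refused on: the context wanted when triaging an alarm."""
    return sorted({r["dstport"] for r in records
                   if r["srcaddr"] == srcaddr and r["action"] == "REJECT"})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for ip in alarming_sources(recs, threshold=3):
        print(ip, "rejected on ports", rejected_ports(recs, ip))
```

A single refused connection is normal background noise; the threshold turns the raw REJECT count into an alarm only when one source accumulates several refusals in the window, which is what the CloudWatch alarm on the metric does in the managed pipeline.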

Implement Data Protection

Cryptographic Services

AWS KMS
✓ Deep integration with AWS Services
✓ CloudTrail
✓ AWS SDK for application encryption

Amazon CloudHSM
✓ Dedicated HSM
✓ Integrate with on-premises HSMs
✓ Hybrid Architectures

Optimize Change Management

AWS Config & Config Rules

AWS Config
✓ Record configuration changes continuously
✓ Time-series view of resource changes
✓ Archive & Compare

AWS Config Rules
✓ Enforce best practices
✓ Automatically roll back unwanted changes
✓ Trigger additional workflow

AWS Config – VPC Example

AWS Config Rules – Tenancy Enforcement Example
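The tenancy-enforcement slide is a diagram without code. The following evaluation logic is an added example, not code from the deck or an AWS-published rule: it is the core of a custom Config rule that marks EC2 instances NON_COMPLIANT when their placement tenancy differs from a required value. The event shape (`invokingEvent` as a JSON string holding a `configurationItem`, `ruleParameters` as a JSON string) is the one AWS Config passes to a rule's Lambda function; the parameter name `requiredTenancy`, the instance ids and the timestamp are assumptions. Reporting the result back with the Config API (`put_evaluations`) is left out so the block runs offline.

```python
"""Evaluation logic of a custom AWS Config rule enforcing EC2 instance tenancy.
Added example; parameter name, instance ids and timestamps are constructed."""
import json


def required_tenancy(rule_parameters):
    """Read the assumed rule parameter 'requiredTenancy'; Config passes parameters as a JSON string."""
    params = json.loads(rule_parameters or "{}")
    value = params.get("requiredTenancy", "dedicated").lower()
    if value not in ("default", "dedicated", "host"):
        raise ValueError(f"unsupported tenancy {value!r}")
    return value


def evaluate_instance(config_item, tenancy):
    """Return the Config compliance type for one configuration item."""
    if config_item["resourceType"] != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"  # nothing left to enforce on
    actual = config_item.get("configuration", {}).get("placement", {}).get("tenancy", "default")
    return "COMPLIANT" if actual == tenancy else "NON_COMPLIANT"


def build_evaluation(event):
    """Turn a Config rule invocation into the evaluation record that put_evaluations expects."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    tenancy = required_tenancy(event.get("ruleParameters"))
    found = item.get("configuration", {}).get("placement", {}).get("tenancy", "n/a")
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_instance(item, tenancy),
        "Annotation": f"required tenancy {tenancy}, found {found}",
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def sample_event(instance_id, tenancy, status="OK"):
    """Constructed invocation event in the shape Config uses for configuration-change triggers."""
    config_item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": instance_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2016-09-22T12:00:00.000Z",
        "configuration": {"instanceId": instance_id, "placement": {"tenancy": tenancy}},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": config_item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps({"requiredTenancy": "dedicated"}),
        "resultToken": "constructed-token",
    }


if __name__ == "__main__":
    for inst, ten in (("i-0constructed1", "dedicated"), ("i-0constructed2", "default")):
        print(json.dumps(build_evaluation(sample_event(inst, ten)), indent=2))
```

In the deployed rule the Lambda handler would pass the returned record, together with the event's `resultToken`, to `put_evaluations`; the "roll back unwanted changes" and "trigger additional workflow" bullets above are the actions a NON_COMPLIANT result can then drive.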

AWS Config Partners

Automate Security Functions

AWS WAF: Web Application Firewall

AWS WAF in action (diagram labels): AWS Management Console, Admins; Developers, AWS API; Web app in CloudFront; Define rules; Deploy protection; AWS WAF

AWS WAF Partner integrations
• Alert Logic, Trend Micro, and Imperva integrating with AWS WAF
• Offer additional detection and threat intelligence
• Dynamically modify rulesets of AWS WAF for increased protection

AWS WAF Security Automations

Rate-Based Blacklisting with AWS WAF and AWS Lambda

Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support Dev/Ops Model
• Automatable via APIs
• AWS Context Aware
• Static & Dynamic Telemetry
• Integrated with CI/CD tools
• On-Demand Pricing model
• CVE & CIS Rules Packages
• AWS AppSec Best Practices

Prioritized findings

Detailed remediation recommendations

AWS Marketplace Security Partners

Infrastructure Security

Logging & Monitoring

Identity & Access Control

Configuration & Vulnerability Analysis

Data Protection

Prescriptive Approach – Get Started!
• Understand AWS Security Approach
• Build Strong Compliance Foundations
• Integrate Identity & Access Management
• Enable Detective Controls
• Establish Network Security
• Implement Data Protection
• Optimize Change Management
• Automate Security Functions

Security Training

Security Fundamentals on AWS (free online course)

Security Operations on AWS (3-day class)

Details at aws.amazon.com/training

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”

-Tom Soderstrom, CTO, NASA JPL

Thank you!