End-to-End Security on AWS (Segurança de Ponta a Ponta na AWS)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Angelo Carvalho, Solutions Architect
22 September 2016
Prescriptive Approach
• Understand AWS Security Practice
• Build Strong Compliance Foundations
• Integrate Identity & Access Management
• Enable Detective Controls
• Establish Network Security
• Implement Data Protection
• Optimize Change Management
• Automate Security Functions
Making life easier
Choosing security does not mean giving up on convenience or introducing complexity
Security ownership as part of DNA
• Promotes a culture of "everyone is an owner" for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
(diagram: security ownership is distributed across teams and embedded in each of them)
Strengthen your security posture
• Get native functionality and tools
• Over 30 global compliance certifications and accreditations
• Leverage security enhancements gleaned from 1M+ customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
Security is a shared responsibility
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS Assurance Programs
AWS maintains a formal control environment:
• SOC 1 Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001, 27017, 27018 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• Architect for HIPAA compliance
AWS Account Relationship
AWS Account Ownership and AWS Account Contact Information are the customer's link to: AWS Sales, AWS Solutions Architects, AWS Support, AWS Professional Services, AWS Consulting Partners
Account Governance – New Accounts
• InfoSec's Cross-Account Roles
• AWS Account Credential Management ("Root Account")
• Federation
• Baseline Requirements
• Actions & Conditions
• Map Enterprise Roles
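The governance items above (a cross-account role for InfoSec in every new account, baseline requirements, and conditions on who may assume it) come together in the role's trust policy. The following is an added example, not code from the AWS deck: it builds such a trust policy and checks an arbitrary trust policy against three baseline rules (no wildcard principal, only approved accounts, MFA required). The account IDs, the external ID and the role's purpose are constructed for illustration.

```python
"""Baseline checks for a cross-account IAM role trust policy.

Added example, not from the AWS deck. Account IDs, the external ID and the
role's purpose are constructed for illustration.
"""
import json
import re

INFOSEC_ACCOUNT_ID = "111111111111"   # hypothetical central InfoSec account
ACCOUNT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def infosec_trust_policy(infosec_account_id, external_id):
    """Trust policy for the audit role created in every new workload account.

    Only principals in the InfoSec account may assume it, only with MFA, and
    only when they present the agreed external ID.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % infosec_account_id},
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringEquals": {"sts:ExternalId": external_id},
            },
        }],
    }


def _as_list(value):
    """IAM policy elements may be a single string/dict or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, approved_accounts):
    """Return the baseline violations in a trust policy (empty list = clean)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            principals = [principal]
        else:
            principals = _as_list(principal.get("AWS"))
        if not principals:
            continue  # service or federated principals are outside this baseline
        for p in principals:
            if p == "*":
                findings.append("statement %d: wildcard principal" % idx)
                continue
            match = ACCOUNT_ARN_RE.match(p)
            account = match.group(1) if match else p  # a bare 12-digit account ID is also valid
            if account not in approved_accounts:
                findings.append("statement %d: principal %s is not an approved account" % (idx, p))
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("statement %d: MFA is not required (aws:MultiFactorAuthPresent)" % idx)
    return findings


if __name__ == "__main__":
    policy = infosec_trust_policy(INFOSEC_ACCOUNT_ID, "infosec-audit-2016")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, {INFOSEC_ACCOUNT_ID}))
```

The external ID condition matters when the role is assumed by a third party on the customer's behalf; the MFA condition only applies to callers that actually authenticated with MFA, so a role meant to be assumed by another role needs a different baseline than the one encoded here.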
AWS CloudTrail & CloudWatch
AWS CloudTrail
✓ Enable globally for all AWS Regions
✓ Encryption & Integrity Validation
✓ Archive & Forward
Amazon CloudWatch
✓ Amazon CloudWatch Logs
✓ Metrics & Filters
✓ Alarms & Notifications
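The "Metrics & Filters" and "Alarms & Notifications" items above are where the detective controls live once CloudTrail is forwarded to CloudWatch Logs. The following is an added example, not code from the AWS deck: it runs four classic detections (root account use, console login without MFA, CloudTrail configuration changes, unauthorized API calls) over a constructed CloudTrail log file, and records the equivalent CloudWatch Logs metric filter patterns, which follow the CIS AWS Foundations Benchmark. The account ID, user names and event IDs are made up.

```python
"""Detections over CloudTrail records, mirroring CloudWatch Logs metric filters.

Added example, not from the AWS deck. The log file below is constructed; the
account ID, user names and event IDs are made up.
"""
import json

# Constructed CloudTrail log file, in the JSON shape CloudTrail delivers to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "ev-1", "eventTime": "2016-09-22T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "ev-2", "eventTime": "2016-09-22T12:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "ev-3", "eventTime": "2016-09-22T12:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {"name": "org-trail"}},
    {"eventID": "ev-4", "eventTime": "2016-09-22T12:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation", "errorMessage": "You are not authorized to perform this operation."},
    {"eventID": "ev-5", "eventTime": "2016-09-22T12:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
]})

# CloudWatch Logs metric filter patterns for the same detections (CIS AWS Foundations
# Benchmark patterns), to attach to the CloudTrail log group with an alarm on each.
METRIC_FILTERS = {
    "root_account_usage": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                          '&& $.eventType != "AwsServiceEvent" }',
    "console_login_without_mfa": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    "cloudtrail_config_change": '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || '
                                '($.eventName = DeleteTrail) || ($.eventName = StartLogging) || '
                                '($.eventName = StopLogging) }',
    "unauthorized_api_call": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
}


def is_root_usage(r):
    ident = r.get("userIdentity", {})
    return ident.get("type") == "Root" and "invokedBy" not in ident and r.get("eventType") != "AwsServiceEvent"


def is_console_login_without_mfa(r):
    return r.get("eventName") == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"


def is_cloudtrail_config_change(r):
    return r.get("eventName") in {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def is_unauthorized_api_call(r):
    code = r.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


DETECTIONS = {
    "root_account_usage": is_root_usage,
    "console_login_without_mfa": is_console_login_without_mfa,
    "cloudtrail_config_change": is_cloudtrail_config_change,
    "unauthorized_api_call": is_unauthorized_api_call,
}


def load_records(log_text):
    return json.loads(log_text)["Records"]


def triage(records):
    """Map each detection name to the event IDs that triggered it."""
    hits = {name: [] for name in DETECTIONS}
    for rec in records:
        for name, matches in DETECTIONS.items():
            if matches(rec):
                hits[name].append(rec["eventID"])
    return hits


if __name__ == "__main__":
    for name, ids in triage(load_records(SAMPLE_LOG)).items():
        print("%-28s %s" % (name, ", ".join(ids) or "-"))
```

Detections like these only hold up if the trail itself is trustworthy, which is why the slide pairs them with integrity validation: with log file validation enabled on the trail, `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>` checks the delivered files against their signed digests before they are archived or forwarded.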
AWS Global Infrastructure
13 AWS Regions
• North America (4)
• Europe (2)
• Asia Pacific (6)
• South America (1)
Each Region has at least 2 Availability Zones
• 35 Availability Zones (AZs)
56 AWS Edge Locations
• North America (21)
• Europe (16)
• Asia Pacific (17)
• South America (2)
Reference VPC architecture (diagram): VPC CIDR 10.10.0.0/16 spanning Availability Zones A, B and C, with subnets placed in AZ A and AZ B
• Public subnets 10.10.1.0/24 and 10.10.2.0/24: Internet Gateway, Public ELB
• Private subnets 10.10.3.0/24 and 10.10.4.0/24: Autoscaling Web Tier, Internal ELB, Autoscaling Application Tier
• Private subnets 10.10.5.0/24 and 10.10.6.0/24: Multi-AZ RDS Data Tier (RDS Master, RDS Standby, Snapshots)
• Existing Datacenter connected through a Virtual Private Gateway and Customer Gateway over a VPN Connection, and through Direct Connect at a Network Partner Location, for Administrators & Corporate Users
Amazon Virtual Private Cloud (diagram): VPC CIDR 10.1.0.0/16 with a public subnet and a private subnet in each of Availability Zone A and Availability Zone B; the ELB sits in the public subnets, the Web and Back end tiers in the private subnets
Security Groups
• sg_ELB_FrontEnd (ELB Security Group)
• sg_Web_Frontend (Web Security Group)
• sg_Backend (Backend Security Group)
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to Amazon CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Fields recorded per flow: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, accept or reject
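The fields listed above are exactly the default flow log record format, one space-separated record per line. The following is an added example, not code from the AWS deck: it parses constructed flow log lines, counts rejected flows per source, and flags a source whose rejects hit several distinct destination ports, the "alarm on those metrics" case from the slide. It also records the CloudWatch Logs metric filter that counts REJECT records directly in the log group. The account ID, ENI ID and addresses are made up.

```python
"""Parse VPC Flow Log records and flag rejected traffic worth an alarm.

Added example, not from the AWS deck. The log lines are constructed; the
account ID, ENI ID and addresses are made up.
"""
from collections import Counter, defaultdict, namedtuple

# Default (version 2) flow log record format, one record per line.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
FlowRecord = namedtuple("FlowRecord", FIELDS)

# Constructed sample: one outside host probing a private web instance on
# several ports (all rejected by the security group), normal traffic, and a
# NODATA interval in which the ENI saw no traffic.
SAMPLE_LOG = """\
2 123456789010 eni-0a1b2c3d 203.0.113.12 10.10.3.25 40123 22 6 1 40 1474531200 1474531260 REJECT OK
2 123456789010 eni-0a1b2c3d 203.0.113.12 10.10.3.25 40124 23 6 1 40 1474531200 1474531260 REJECT OK
2 123456789010 eni-0a1b2c3d 203.0.113.12 10.10.3.25 40125 3389 6 1 40 1474531200 1474531260 REJECT OK
2 123456789010 eni-0a1b2c3d 203.0.113.12 10.10.3.25 40126 3306 6 1 40 1474531200 1474531260 REJECT OK
2 123456789010 eni-0a1b2c3d 198.51.100.7 10.10.1.10 51000 443 6 20 4000 1474531200 1474531260 ACCEPT OK
2 123456789010 eni-0a1b2c3d 10.10.1.10 10.10.3.25 52000 8080 6 15 3000 1474531200 1474531260 ACCEPT OK
2 123456789010 eni-0a1b2c3d - - - - - - - 1474531260 1474531320 - NODATA
"""

# CloudWatch Logs metric filter (space-delimited syntax) counting REJECT records
# in the flow log group; an alarm on the resulting metric is the slide's last bullet.
REJECT_METRIC_FILTER = ("[version, account, eni, source, destination, srcport, destport, "
                        "protocol, packets, bytes, windowstart, windowend, action=\"REJECT\", flowlogstatus]")


def parse_flow_log(text):
    """Parse records; NODATA/SKIPDATA lines carry no flow fields and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line, skip it
        rec = FlowRecord(*parts)
        if rec.log_status != "OK":
            continue
        records.append(rec)
    return records


def reject_counts(records):
    """Rejected flows per source address."""
    return Counter(r.srcaddr for r in records if r.action == "REJECT")


def probable_scanners(records, min_ports=3):
    """Sources whose rejected flows touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports_by_src[r.srcaddr].add(r.dstport)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("rejects by source:", dict(reject_counts(recs)))
    print("probable scanners:", probable_scanners(recs))
```

A REJECT in a flow log means the security group or network ACL dropped the packet, so a burst of rejects across many ports from one source is noise from the Internet rather than a compromise; the same logic applied to a private source address (an instance inside the VPC probing its neighbours) is the finding worth paging on.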
Cryptographic Services
AWS KMS
✓ Deep integration with AWS Services
✓ CloudTrail
✓ AWS SDK for application encryption
Amazon CloudHSM
✓ Dedicated HSM
✓ Integrate with on-premises HSMs
✓ Hybrid Architectures
AWS Config & Config Rules
AWS Config
✓ Record configuration changes continuously
✓ Time-series view of resource changes
✓ Archive & Compare
AWS Config Rules
✓ Enforce best practices
✓ Automatically roll back unwanted changes
✓ Trigger additional workflow
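"Enforce best practices" with Config Rules means code that evaluates each configuration change and returns a compliance verdict. The following is an added example, not code from the AWS deck, that ties this to the security group tiering shown earlier (sg_ELB_FrontEnd, sg_Web_Frontend, sg_Backend): a custom rule in the shape AWS Config invokes a Lambda with, which allows ingress from 0.0.0.0/0 only on the load balancer's ports 80 and 443 and marks any other Internet-open rule NON_COMPLIANT. The configuration items, group IDs and result token are constructed; writing the verdict back with `put_evaluations` is left as a comment because it needs boto3 and an AWS endpoint.

```python
"""Custom AWS Config rule: security group ingress may be open to the Internet
only on approved ports (here, the load balancer's 80/443).

Added example, not from the AWS deck. The configuration items and group IDs
are constructed; the handler follows the event shape a Config custom rule
Lambda receives, but the put_evaluations call is left to a real deployment.
"""
import json

ALLOWED_PUBLIC_PORTS = {80, 443}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def _open_to_internet(permission):
    cidrs = [r.get("cidrIp") for r in permission.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return ANY_IPV4 in cidrs or ANY_IPV6 in cidrs


def _ports(permission):
    """Port set for a rule; None means every port (protocol -1 or a full range)."""
    if permission.get("ipProtocol") == "-1":
        return None
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if lo is None or hi is None or (lo == 0 and hi == 65535):
        return None
    return set(range(lo, hi + 1))


def evaluate_security_group(configuration, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Return (compliance_type, annotation) for one security group configuration."""
    violations = []
    for perm in configuration.get("ipPermissions", []):
        if not _open_to_internet(perm):
            continue  # ingress from another security group or a private CIDR: fine
        ports = _ports(perm)
        if ports is None:
            violations.append("%s/all ports" % perm.get("ipProtocol"))
        elif not ports <= allowed_public_ports:
            bad = sorted(ports - allowed_public_ports)
            violations.append("%s/%s" % (perm.get("ipProtocol"), ",".join(str(p) for p in bad[:5])))
    if violations:
        return "NON_COMPLIANT", "Open to 0.0.0.0/0 on " + "; ".join(violations)
    return "COMPLIANT", "Internet ingress limited to ports %s" % sorted(allowed_public_ports)


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config uses to invoke a custom rule Lambda."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(item["configuration"])
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],   # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # In a real deployment:
    # boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _sg_event(resource_id, group_name, permissions):
    """Build a constructed Config invocation event for a security group."""
    item = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": resource_id,
            "configurationItemCaptureTime": "2016-09-22T12:00:00.000Z",
            "configuration": {"groupName": group_name, "ipPermissions": permissions}}
    return {"invokingEvent": json.dumps({"configurationItem": item}), "resultToken": "constructed-token"}


# Constructed: the web tier accepts 80 only from the ELB group, but someone also opened SSH to the world.
WEB_SG_EVENT = _sg_event("sg-0web0000", "sg_Web_Frontend", [
    {"ipProtocol": "tcp", "fromPort": 80, "toPort": 80, "ipRanges": [],
     "userIdGroupPairs": [{"groupId": "sg-0elb0000"}]},
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}],
     "userIdGroupPairs": []},
])
# Constructed: the ELB group is open to the Internet on 80 and 443 only.
ELB_SG_EVENT = _sg_event("sg-0elb0000", "sg_ELB_FrontEnd", [
    {"ipProtocol": "tcp", "fromPort": 80, "toPort": 80, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
])

if __name__ == "__main__":
    for ev in (WEB_SG_EVENT, ELB_SG_EVENT):
        print(json.dumps(lambda_handler(ev), indent=2))
```

The "automatically roll back unwanted changes" bullet is the step after the verdict: a NON_COMPLIANT evaluation can trigger a workflow (for example a second Lambda calling `revoke_security_group_ingress` on the offending rule), which is why the annotation names the exact protocol and ports rather than just saying "open".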
AWS WAF in action (diagram)
Admins define rules in the AWS Management Console, developers deploy protection through the AWS API, and AWS WAF protects the web app served through CloudFront.
AWS WAF Partner integrations
• Alert Logic, Trend Micro, and Imperva integrating with AWS WAF
• Offer additional detection and threat intelligence
• Dynamically modify rulesets of AWS WAF for increased protection
Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support the Dev/Ops model
• Automatable via APIs
• AWS context aware
• Static & dynamic telemetry
• Integrated with CI/CD tools
• On-demand pricing model
• CVE & CIS rules packages
• AWS AppSec best practices
AWS Marketplace Security Partners
• Infrastructure Security
• Logging & Monitoring
• Identity & Access Control
• Configuration & Vulnerability Analysis
• Data Protection
Prescriptive Approach – Get Started!
• Understand AWS Security Approach
• Build Strong Compliance Foundations
• Integrate Identity & Access Management
• Enable Detective Controls
• Establish Network Security
• Implement Data Protection
• Optimize Change Management
• Automate Security Functions
Security Training
• Security Fundamentals on AWS (free online course)
• Security Operations on AWS (3-day class)
Details at aws.amazon.com/training
"Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers."
- Tom Soderstrom, CTO, NASA JPL