Top 5 Ways to Secure Your Business on the Cloud
Uploaded by: amazon-web-services
Category: Technology

Transcript of Top 5 Ways to Secure Your Business on the Cloud

What we will cover today
1. Understanding shared responsibility for security
2. Building a secure virtual private cloud
3. Using AWS Identity and Access Management
4. Protecting your content on AWS
5. Building secure applications on AWS

Security is shared between AWS and Customers

Customers are responsible for their security IN the Cloud:
• Customer Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Encryption Key Management, Client and Server Encryption, Network Traffic Protection

AWS looks after the security OF the platform:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

To Summarise…
1. Security is our number one priority
2. Every customer receives the same security
3. We do not have access to your data or guest OS
4. Reduce the scope of your own compliance audits
5. You can focus on securing your own content

What we will cover next
1. Understanding shared responsibility for security
2. Building a secure virtual private cloud
3. Using AWS Identity and Access Management
4. Protecting your content on AWS
5. Building secure applications on AWS

Region
Customers can use any AWS region around the world
• US-WEST (N. California)
• EU-WEST (Ireland)
• ASIA PAC (Tokyo)
• ASIA PAC (Singapore)
• US-WEST (Oregon)
• SOUTH AMERICA (Sao Paulo)
• US-EAST (Virginia)
• GOV CLOUD
• ASIA PAC (Sydney)
• EU-CENTRAL (Frankfurt)

Availability Zone
Each region offers resilience and high-availability
[Map: the same regions as on the previous slide]

Edge Locations
Use edge locations to serve content close to your customers
[Map of edge locations: Dallas (2), St. Louis, Miami, Jacksonville, Los Angeles (2), Palo Alto, Seattle, Ashburn (2), Newark, New York (2), Dublin, London (2), Amsterdam, Stockholm, Frankfurt, Paris (2), Singapore (2), Hong Kong (2), Tokyo, Sao Paulo, South Bend, San Jose, Osaka, Milan, Sydney, Chennai, Mumbai, Rio de Janeiro, Melbourne, Taipei, Manila]

Build your own resilient, fault tolerant solutions

AWS delivers scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active operations

All AWS facilities are always on
• No need for a “Disaster Recovery Datacenter” when you can have resilience
• Every one managed to the same global standards

AWS has robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP Service Providers
• Resilient network infrastructure

Customers control their VPC IP address ranges
[Diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B]

Choose your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space
• The maximum CIDR block you can allocate is /16
• For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses

Select IP addressing strategy
• You can’t change the VPC address space once it’s created
• Think about overlaps with other VPCs or existing corporate networks
• Don’t waste address space, but don’t constrain your growth either
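
The addressing advice above, worked through as an added example (not part of the original slides): pick a /16 for a second VPC that overlaps nothing already routed, carve it into /24 subnets and report the headroom left. The pool 10.0.0.0/8 and every in-use range except VPC A are constructed assumptions.

```python
import ipaddress
from itertools import islice

MAX_VPC_PREFIX = 16  # per the slide: the largest block a VPC can be given is /16


def choose_vpc_block(pool, in_use, prefix=16):
    """Return the first block of size `prefix` inside `pool` that overlaps
    none of the ranges already in use (other VPCs, corporate networks)."""
    if prefix < MAX_VPC_PREFIX:
        raise ValueError("a VPC block cannot be larger than /16")
    taken = [ipaddress.ip_network(cidr) for cidr in in_use]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(net) for net in taken):
            return candidate
    raise LookupError("no free block of that size left in the pool")


def carve_subnets(vpc, prefix=24, count=5):
    """Split the VPC block into its first `count` equal subnets."""
    return list(islice(vpc.subnets(new_prefix=prefix), count))


def headroom(vpc, subnets):
    """Addresses in the VPC block not yet assigned to any subnet."""
    return vpc.num_addresses - sum(s.num_addresses for s in subnets)


# Constructed inventory: ranges assumed to be routed somewhere already.
IN_USE = [
    "10.0.0.0/16",    # VPC A from the slides
    "10.1.128.0/20",  # hypothetical branch-office LAN
    "10.2.0.0/15",    # hypothetical corporate data centre
]

if __name__ == "__main__":
    vpc_b = choose_vpc_block("10.0.0.0/8", IN_USE)
    tiers = carve_subnets(vpc_b)
    print("new VPC:", vpc_b, "with", vpc_b.num_addresses, "addresses")
    for net in tiers:
        print("  subnet", net)
    print("unallocated addresses:", headroom(vpc_b, tiers))
```

Note that 10.1.0.0/16 is rejected even though only a /20 inside it is taken; any overlap makes routing between the networks ambiguous.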

We will concentrate on a single availability zone just now
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A]

Segment your VPC address space into multiple subnets
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, divided into subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24]

Place your EC2 instances in subnets according to your design
[Diagram: the same subnets, holding EC2 instances labelled Web, App, Log, Jump and NAT]

Use VPC security groups to firewall your instances
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with EC2 Web, App, Log, Jump and NAT instances]
“Web servers can connect to app servers on port 8080”

Each instance can be in up to five security groups
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”

Use separate security groups for applications and management
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”
“Allow SSH and ICMP from hosts in the Jump Hosts security group”

Security groups are stateful with both ingress and egress rules
Security groups
• Operate at the instance level
• Support ALLOW rules only
• Are stateful
• Max 50 rules per security group

The VPC router will allow any subnet to route to another in the VPC
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with EC2 Web, App, Log, Jump and NAT instances, joined by a Router]

Use Network Access Control Lists to restrict internal VPC traffic
“Deny all traffic between the web server subnet and the database server subnet”

Use Network Access Control Lists for defence in depth
NACLs are optional
• Applied at subnet level, stateless and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defence
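
The difference between stateful security groups and stateless NACLs, modelled as an added example (not part of the original slides, and not AWS code). The subnet roles (web 10.0.1.0/24, app 10.0.2.0/24, database 10.0.3.0/24), the rule numbers and the client port range are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    number: int   # NACL evaluation order (unused by security groups)
    action: str   # "allow" or "deny"; security groups only have "allow"
    cidr: str     # peer address range
    ports: range  # destination ports the rule covers


ALL_PORTS = range(0, 65536)
EPHEMERAL = range(1024, 65536)  # assumed client source-port range


def _matches(rule, peer_ip, port):
    in_cidr = ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
    return in_cidr and port in rule.ports


def nacl_decision(rules, peer_ip, port):
    """Lowest-numbered matching rule wins; no match at all means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, peer_ip, port):
            return rule.action == "allow"
    return False


def nacl_flow_ok(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request and the reply are judged separately."""
    request_ok = nacl_decision(inbound, client_ip, server_port)
    reply_ok = nacl_decision(outbound, client_ip, client_port)
    return request_ok and reply_ok


def sg_flow_ok(ingress, client_ip, server_port):
    """Stateful and allow-only: an admitted request implies its reply."""
    return any(_matches(rule, client_ip, server_port) for rule in ingress)


# Constructed rule sets for the assumed layout described in the lead-in.
APP_SG = [Rule(0, "allow", "10.0.1.0/24", range(8080, 8081))]
APP_NACL_IN = [Rule(100, "allow", "10.0.1.0/24", range(8080, 8081))]
APP_NACL_OUT_MISSING = []  # return path forgotten
APP_NACL_OUT = [Rule(100, "allow", "10.0.1.0/24", EPHEMERAL)]
DB_NACL_IN = [
    Rule(90, "deny", "10.0.1.0/24", ALL_PORTS),    # web subnet never reaches the database
    Rule(100, "allow", "10.0.0.0/16", ALL_PORTS),  # the rest of the VPC may
]

if __name__ == "__main__":
    web, app = "10.0.1.10", "10.0.2.20"
    print("SG web->app:8080      ", sg_flow_ok(APP_SG, web, 8080))
    print("SG web->app:22        ", sg_flow_ok(APP_SG, web, 22))
    print("NACL, no return rule  ",
          nacl_flow_ok(APP_NACL_IN, APP_NACL_OUT_MISSING, web, 49152, 8080))
    print("NACL, with return rule",
          nacl_flow_ok(APP_NACL_IN, APP_NACL_OUT, web, 49152, 8080))
    print("NACL web->db:3306     ", nacl_decision(DB_NACL_IN, web, 3306))
    print("NACL app->db:3306     ", nacl_decision(DB_NACL_IN, app, 3306))
```

The model leaves out security-group egress rules for new outbound connections; it only shows why a NACL needs an explicit return rule and why rule order matters for DENY entries.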

Use Elastic Load Balancers to distribute traffic between instances
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24, with an Elastic Load Balancer and two EC2 Web instances]

Elastic Load Balancers are also placed in security groups
[Diagram: the same layout, with more EC2 Web instances and the Elastic Load Balancer]

Your security can scale up and down with your solution
[Diagram: the same layout, with Auto scaling and the Elastic Load Balancer]
Elastic load balancers
• Instances can automatically be added and removed from the balancing pool using rules
• You can add instances into security groups at launch time

Add an Internet Gateway to route Internet traffic from your VPC
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24, EC2 Web and App instances, NAT, VPC Router and Internet Gateway]

You choose what subnets can route to the Internet
Internet routing
• Add route tables to subnets to control Internet traffic flows – these become Public subnets
• Internet Gateway routing allows you to allocate a static Elastic IP address or use AWS-managed public IP addresses to your instance

NAT instances allow outbound Internet traffic from private subnets
Internet routing
• Use a NAT instance to provide Internet connectivity for private subnets - required to access AWS update repositories
• This will also allow back-end servers to route to AWS APIs – for example storing logs on S3, or using Dynamo, SQS, SNS and SWS

Add a Virtual Private Gateway to route traffic to your premises
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24, VPC Router, Virtual Private Gateway, your premises]

You can create multiple IPSEC tunnels to your own VPN endpoints
[Diagram: the same layout, with a Customer Gateway at your premises]

You can also connect privately using AWS Direct Connect
[Diagram: the same layout, with Direct Connect, Virtual Private Gateway and Customer Gateway]

You can also create VPNs over Direct Connect if required

You can route VPC Internet connections through your own gateways

You can have both Internet and private connectivity to your VPC
[Diagram: the same layout, with Internet Gateway, NAT, Amazon S3, DynamoDB, Direct Connect, Virtual Private Gateway and Customer Gateway]

You have full control in designing robust hybrid solutions
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, with a public subnet and a private subnet, Elastic Load Balancer, auto-scaled Web instances, Master and Failover EC2 instances, NAT, VPC Router, Internet Gateway, Amazon S3, DynamoDB, Direct Connect and Virtual Private Gateway to your premises]

To Summarise…
1. Your VPC is private until you decide to make it public
2. Security groups block horizontal as well as vertical traffic
3. You can use your own internet in your DC
4. Protect your instances with NAT and ELB
5. Create hybrid architectures with Direct Connect

What we will cover next
1. Understanding shared responsibility for security
2. Building a secure virtual private cloud
3. Securing and auditing your account
4. Protecting your content on AWS
5. Building secure applications on AWS

Controlling your Root account
• Enable multi-factor authentication to secure your root account for login
• Manage risk by not putting services and instances in your root account
• Enable CloudTrail alerting and logging for auditing changes
• Create roles to assign temporary access to your resources
• Federate users with on-premise sign on solutions to reduce administration

Segregate duties between roles with IAM
[Diagram: a Region containing VPC A - 10.0.0.0/16 across two Availability Zones, with Subnet 10.0.1.0/24, Subnet 10.0.2.0/24, Router, Internet Gateway, Internet and Customer Gateway]
You get to choose who can do what in your AWS environment and from where
• A web server can access S3 to read static images from your private subnet
• Simon can create snapshots for RDS, but cannot restore data from them
• CloudTrail can log all interactions with AWS APIs for your account

Federate AWS IAM with your existing directories
Federate with on-premise directories like Active Directory or another SAML 2.0 compliant identity provider

Use AWS CloudTrail to track access to APIs and IAM
Increase your visibility of what happened in your AWS environment – who did what and when, from where. CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made.

AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
• Record changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment

Monitor everything with CloudWatch logs
Amazon CloudWatch Logs can monitor your system, application and custom log files. Monitor your web server http log files and use CloudWatch Metrics filters to identify 404 errors and count the number of occurrences within a specified time period. Alarm when thresholds are reached and automatically generate a ticket for investigation.
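
What the 404 metric filter and alarm described above compute, emulated locally as an added example (not part of the original slides and not the CloudWatch API). The log lines are constructed, and the five-minute period and threshold of 3 are assumed values.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Common access-log layout: host ident user [time] "request" status bytes
LOG_LINE = re.compile(r'(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def count_status(lines, status=404, period=300):
    """Count lines with `status` per `period`-second window (the metric)."""
    counts = Counter()
    for line in lines:
        match = LOG_LINE.match(line)
        if match is None or int(match.group(6)) != status:
            continue  # unparsable lines and other statuses add nothing
        stamp = datetime.strptime(match.group(4), "%d/%b/%Y:%H:%M:%S %z")
        # Bucket on the absolute time so mixed UTC offsets land together.
        window = int(stamp.timestamp()) // period * period
        counts[datetime.fromtimestamp(window, tz=timezone.utc)] += 1
    return dict(counts)


def breaching_windows(counts, threshold):
    """Windows whose count reaches the threshold (the alarm condition)."""
    return sorted(window for window, n in counts.items() if n >= threshold)


# Constructed access-log sample; addresses come from documentation ranges.
SAMPLE = [
    '192.0.2.10 - - [10/Mar/2015:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2015:10:00:41 +0000] "GET /old-page.html HTTP/1.1" 404 210',
    '198.51.100.7 - - [10/Mar/2015:10:01:02 +0000] "GET /img/missing.png HTTP/1.1" 404 210',
    '198.51.100.7 - - [10/Mar/2015:11:02:30 +0100] "GET /css/gone.css HTTP/1.1" 404 210',
    '192.0.2.10 - - [10/Mar/2015:10:06:10 +0000] "GET /favicon.ico HTTP/1.1" 404 210',
    'truncated line with no status field',
]

if __name__ == "__main__":
    per_window = count_status(SAMPLE)
    for window in sorted(per_window):
        print(window.isoformat(), per_window[window])
    for window in breaching_windows(per_window, threshold=3):
        print("ALARM: 404 threshold reached in window starting", window.isoformat())
```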

What we will cover today
1. Understanding shared responsibility for security
2. Building a secure virtual private cloud
3. Using AWS Identity and Access Management
4. Protecting your content on AWS
5. Building secure applications on AWS

AWS has many different content storage services
• Simple Storage Service (S3) for static objects and web hosting
• Redshift for data warehousing of large datasets
• Relational Database Service (RDS) for hosting managed SQL databases
• Elastic Block Store (EBS) for storing workloads on EC2

AWS Key Management Service
[Diagram: AWS KMS with Customer Master Key(s) and Data Keys 1 to 4, shown with an Amazon S3 Object, an Amazon EBS Volume, an Amazon Redshift Cluster and a Custom Application]

Making use of available Amazon S3 security features

Configure S3 access controls at bucket and object level
• Restrict access and rights as tightly as possible and regularly review access logs
• Use versioning for important files, with MFA required for delete

Use S3 cryptographic features
• Use HTTPS to protect data in transit
• S3 server side encryption
  • AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf, or manage those keys using AWS Key Management Service (KMS)
• Use S3 client side encryption
  • Encrypt information before sending it to S3
  • Build yourself or use the AWS Java SDK

Use MD5 checksums to verify the integrity of objects loaded into S3 over long periods of time

Understanding Amazon RedShift security features

Redshift has one-click full disk encryption as standard
• If chosen, backups to S3 are also encrypted
• You can use the AWS CloudHSM to store your keys or supply keys from AWS Key Management Service (KMS)

You can build end-to-end encryption for your data pipeline
• Use S3 client side encryption to load data into S3
• Pass RedShift the same key and it will decrypt when loading

Configure security groups and consider deploying within VPC
• RedShift loads data from S3 over SSL
• Limit access to those S3 buckets and consider the end-to-end data load process from source

Use SSL to protect data in transit if querying over the Internet

Making the most of Amazon RDS security features

RDS can reduce the security burden of running your databases
• Limit security group access to RDS instances
• Limit RDS management plane access with AWS IAM permissions

Encrypt data in flight
• Oracle Native Network Encryption, SSL for SQL Server, MySQL and PostgreSQL – especially if the database is accessible from the Internet

Encrypt data at rest in sensitive table space
• Native RDS via SQL Server and Oracle Transparent Data Encryption
• Encrypt sensitive information at application level or use a DB proxy

Configure automatic patching of minor updates – let AWS do the heavy lifting for you within a maintenance window you choose

Encrypting EBS volumes on Amazon EC2 instances

Use AWS native encryption, roll your own or use commercial solutions from AWS partners
• AWS EBS native encryption at the click of a mouse. Encryption keys are managed and visible using AWS Key Management Service
• Use Windows BitLocker or Linux LUKS for encrypted volumes
• SafeNet Protect-V, Trend Secure Cloud, Voltage – some vendors offer boot volume encryption, including hardware key storage options

Managing encryption keys is critical and difficult!
• How will you manage keys and make sure they are available when required, for example at instance start-up?
• How will you keep them available and prevent loss? How will you rotate keys on a regular basis and keep them private?

AWS CloudHSM can integrate with on-premise SafeNet HSMs
[Diagram: applications and your HSM at your premises; a CloudHSM H/A pair kept in sync; uses shown are volume, object and database encryption (EC2, EBS, Amazon S3, Amazon Glacier) and transaction signing / DRM / apps]

What we will cover next
1. Understanding shared responsibility for security
2. Building a secure virtual private cloud
3. Using AWS Identity and Access Management
4. Protecting your content on AWS
5. Building secure applications on AWS

Block threats to your application

Traditional network intrusion detection and prevention is less relevant now
• Dude, where’s my SPAN port?
• Attackers have moved to layer 7 (HTTP) so we need to follow them there
• You can still build an effective DMZ within the VPC using a wide-range of open source or AWS technology partner solutions

Drop bad traffic before it hits your application and databases
• Can be deployed in two-way configuration to implement simple DLP, for example scan outgoing traffic for Credit Card Numbers
• Design for scale and high-availability using ELBs
• Scale fast and wide to cope with huge traffic volumes
• Build a solution designed to cope with volumetric attacks

Let’s build an example in the next slides
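
The outbound DLP check named in the bullets above (scanning outgoing traffic for credit card numbers), sketched as an added example that is not part of the original slides or any AWS or partner product. It validates candidates with the Luhn checksum before masking them; the response body is constructed and uses the widely published test number 4111 1111 1111 1111.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def redact_outbound(body):
    """Mask Luhn-valid card numbers in an outgoing response body.

    Returns the redacted body and the list of masked values, which a
    proxy could log or use to block the response instead.
    """
    found = []

    def mask(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()  # order ids, phone numbers, timestamps
        masked = "*" * (len(digits) - 4) + digits[-4:]
        found.append(masked)
        return masked

    return CANDIDATE.sub(mask, body), found


# Constructed response body: one 16-digit order id that fails the Luhn
# check and one test card number that passes it.
SAMPLE_BODY = ("Order 1234567890123456 confirmed. "
               "Card on file: 4111 1111 1111 1111. Invoice date 2015-03-10.")

if __name__ == "__main__":
    clean, hits = redact_outbound(SAMPLE_BODY)
    print(clean)
    print("card numbers masked:", len(hits))
```

The Luhn step is what keeps the false-positive rate workable: without it every long numeric identifier in a response would trigger the filter.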

Building a scalable threat protection layer in your VPC
[Diagram: VPC A - 10.0.0.0/16 across Availability Zones A and B, with an Internet Gateway, Elastic Load Balancers, auto-scaled WAF instances, auto-scaled Web Application instances, and public and private subnets]

Use VPC peering to build common security gateways
[Diagram: Internet users / customers, a WAF Service (HTTP/S), a Proxy Service (HTTP/S), several Web App (HTTP/S) VPCs, Amazon S3 and APIs, connected by VPC Peering; teams shown: Apps and Operations Team, Security Team]
• All customer access is routed through WAF web applications
• Provides secure access to APIs from applications

You can build a solution that can scale and offload attacks
Player one: your VPC
Vital statistics
You can scale your VPC up to your financial threshold
• You have AWS scale and bandwidth at your disposal
• Auto-scale your application
• Use queues and worker instances to process traffic
• Think how you can shard your databases

You can also bring AWS resources to assist you
Player one: your VPC (Auto scaling)
Player two: AWS (CloudFront, Route 53, S3)
Vital statistics
AWS provides large-scale Global endpoints
• 52 CloudFront edge locations and growing all the time
• 100% Route53 availability SLA
• 24x7 dedicated teams responding
• Drop malformed requests
• Soaking up load and watching your back

Serve your static content from S3
[Diagram: Customers, EC2 instances and Amazon S3 in a Region]
S3 is processing more than a million requests/s

Use CloudFront to cache your origin servers
[Diagram: Customers, a CloudFront Edge Location, EC2 instances and Amazon S3 in a Region]
CloudFront has over 52 global edge locations

CloudFront can also proxy your dynamic content

CloudFront will unload volume from your VPC and drop bad requests
[Diagram: distributed attackers, EC2 instances and Amazon S3 in a Region]

Route 53 is a global, resilient DNS to keep your traffic coming
[Diagram: distributed attackers, Route53, EC2 instances and Amazon S3 in a Region]

AWS is delivering and defending large-scale endpoints 24x7

You can out-scale your attacker until their resources diminish
[Diagram: Customers, Route53, EC2 instances and Amazon S3 in a Region]

Route 53 can also load balance traffic across multiple AWS Regions
[Diagram: Route 53 with two Regions, SYDNEY and DUBLIN, each with Availability Zones A and B containing NAT and EC2 instances]

You can use health-checks to failover Regions or even just VPCs
[Diagram: same as the previous slide]

Amazon Route53 makes DNS easy and reliable

DNS is hard and complex from a security viewpoint
• Route 53 lets AWS take care of the heavy-lifting
• Customers just have to configure DNS entries
• Latency-based routing and app health-checking
• Fall back to static website if main site down
• Round-robin load balance across VPCs / Regions

Security best practices for Route 53
• DNS is a critical service – understand and limit who can access and change Route 53 configurations using AWS IAM
• Use two-factor authentication for those users
• Use new Private DNS features to limit internal domain visibility

Amazon CloudFront will deliver your content from the nearest edge

Use CloudFront to increase your solution’s performance and availability
• Cache more than static content – now with more supported HTTP verbs
• Highly reliable global network of edge locations
• Can help absorb volumetric attack and drop bad HTTP requests

Security best practices for CloudFront
• Use private content option to authorise only signed requests
• Use SSL when POSTing sensitive information
• Review logs for attack intelligence – are you being targeted?
• Lock CloudFront to specific S3 origin buckets when possible
• Configure HTTPS only for downloads

AWS partners can help you build and implement secure solutions
[Diagram: AWS (Facilities, Physical security, Compute infrastructure, Storage infrastructure, Network infrastructure, Virtualization layer (EC2), Hardened service endpoints, Fine-grained IAM capability) + AWS partner solutions = Your secure AWS solutions]
These products and more are available on the AWS marketplace - WAF, VPN, IPS, AV, API gateways, data encryption, user management

Where you can go for help and further information

Browse and read AWS security whitepapers and good practices
• http://blogs.aws.amazon.com/security
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, including CSA questionnaire response
• Security best practices
• Audit and operational checklists to help you assess security before you go live
• Regularly check Trusted Advisor

Sign up for AWS support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment