Module 3 : Security Overview

Donnie Prakoso
Technical Evangelist, AWS

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Topics

Introduction to AWS Security

The AWS Shared Responsibility Model
AWS Access Control and Management
AWS Security Resources and Features

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Introduction to AWS Security

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Introduction to AWS Security

Security is of the utmost importance to AWS.

• Approach to security
• AWS environment controls
• AWS offerings and features

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Keep Your Data Safe

Resilient infrastructure
High security
Strong safeguards

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Continual Improvement

Rapid innovation
Constantly evolving security services

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Pay For What You Need

Advanced security services

Address real-time emerging risks
Meeting needs at a lower operational cost

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Meet Compliance Requirements

Governance-enabled features
• Additional oversight
• Security control
• Central automation

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Security Products and Features

Tools
• Access from AWS and partners
• Use for monitoring and logging

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Network Security

Built-in firewalls
Encryption in transit
Private/dedicated connections
Distributed denial of service (DDoS)
mitigation

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Inventory and Configuration Management

Deployment tools
Inventory and configuration tools
Template definition and management tools

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Data Encryption

Encryption capabilities
Key management options
• AWS Key Management Service
Hardware-based cryptographic key storage options
• AWS CloudHSM

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Access Control and Management

Identity and Access Management (IAM)

Multi-factor authentication (MFA)
Integration and federation with corporate directories
Amazon Cognito
AWS Single Sign-On

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Monitoring and Logging

Tools and features to reduce your risk profile:

• Deep visibility into API calls
• Log aggregation and options
• Alert notifications

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
AWS Marketplace

Qualified partners to market/sell software to AWS

customers
Online software store that can run on AWS

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
The AWS Shared Responsibility Model

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shared Responsibility Model

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Security of the Cloud

Protection of the AWS global infrastructure is top priority

Availability of third-party reports

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Security of the Cloud

AWS Foundation Services

Unmanaged services Managed Services

Amazon EC2 Amazon DynamoDB

Amazon EBS Amazon RDS
Amazon Redshift
Amazon EMR
Amazon WorkSpaces
© 2018, Amazon Web
Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Security in the Cloud

What to store In what content format and structure

Which AWS services
In what location Who has access
© 2018, Amazon Web
Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
Security in the Cloud

Customers retain control

Changes to model depend on services

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
AWS Access Control and Management

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS IAM

Control access to AWS resources

• Authentication
• Authorization
Controls access to services such as:
Compute
Storage
Database
Application services

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
AWS IAM

Create users and groups

Grant permissions

User Group Permissions Role

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
AWS IAM

Functionality
Manage
• Users and their access
IAM Corp
• Roles and their permissions
• Federate users and their permissions

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
AWS Account Root User

Account root user has complete access to all

AWS Services.

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
AWS Account Root User

Recommendations
1. Delete root user access
keys.
2. Create an IAM user.
3. Grant administrator
access.
4. Use IAM credentials to
interact with AWS.

IAM

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
AWS IAM: Authentication

Programmatic access
• Enables access key ID and secret access key

Management console access

• Uses AWS account name and password
• MFA prompts for code

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
AWS IAM: Authorization

Access AWS services

• Grant authorization
Assign permissions
• Create an AWS IAM policy

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
AWS IAM: Policy Assignment

IAM Policy

IAM User IAM Group IAM Roles

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
IAM Best Practices

Delete AWS root account access keys

Activate multi-factor authentication (MFA)
Give IAM users only the permissions they must have
Use IAM groups
Apply an IAM password policy

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
IAM Best Practices

Roles
• Use roles for applications
• Use roles instead of sharing credentials
Credentials
• Rotate credentials regularly
• Remove unnecessary users and credentials
Use policy conditions for extra security
Monitor activity in your AWS account

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.
 End of Module 3
Test Your Knowledge

© 2018, Amazon Web

Web Services,
Services,Inc.
Inc.ororitsitsAffiliates.
Affiliates.AllAll
rights reserved.
rights reserved.