
Module 4:

Secure your cloud applications


Navjot Singh
Technical Trainer
AWS

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security is our top priority

• Designed for security
• Constantly monitored
• Highly automated
• Highly available
• Highly accredited

Security of the cloud

• Hosts, network, software, facilities
• Protection of the AWS global infrastructure is top priority
• Availability of third-party audit reports

[Figure: the layers AWS is responsible for: Foundation services (Compute, Storage, Database, Network) and AWS global infrastructure (Availability Zones, Regions, Edge locations)]
Security in the cloud

[Figure: the layers the customer is responsible for: Customer data; Platform, applications, identity & access management; Operating system, network & firewall configuration; Client-side data encryption & data integrity authentication; Server-side encryption (file system and/or data); Network traffic protection (encryption/integrity/identity)]

Considerations
• What you should store
• Which AWS services you should use
• Which region to store in
• In what content format and structure
• Who has access
AWS shared responsibility model

[Figure: the two halves of the model stacked together]

Customer (responsible for security in the cloud):
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption/integrity/identity)

AWS (responsible for security of the cloud):
• Foundation services: Compute, Storage, Database, Network
• AWS global infrastructure: Availability Zones, Regions, Edge locations
Security, identity, and compliance products

• AWS Artifact
• AWS Certificate Manager
• Amazon Cloud Directory
• AWS CloudHSM
• Amazon Cognito
• AWS Directory Service
• AWS Firewall Manager
• Amazon GuardDuty
• AWS Identity and Access Management
• Amazon Inspector
• AWS Key Management Service
• Amazon Macie
• AWS Organizations
• AWS Shield
• AWS Secrets Manager
• AWS Single Sign-On
• AWS WAF
Manage authentication and authorization

AWS Identity and Access Management (IAM)

Securely control access to AWS resources

• IAM user: a person or application that interacts with AWS
• IAM group: a collection of users with identical permissions
• IAM role: temporary privileges that an entity can assume
Authentication: Who are you?

[Figure: the AWS CLI ($ aws), the AWS SDKs, and the AWS Management Console all authenticate to IAM as an IAM user, who may belong to an IAM group]
Authorization: What can you do?

[Figure: an IAM user, group, or role is granted either full access or read-only access to an Amazon S3 bucket; the level of access is defined by IAM policies]
IAM roles

• IAM users, applications, and services may assume IAM roles
• Roles use an IAM policy for permissions
Using roles for temporary security credentials

[Figure, built up over five slides: an application running on an EC2 instance needs to reach an Amazon S3 bucket. An IAM role with an attached IAM policy is created; the instance assumes the role and the application uses the resulting temporary security credentials to access the bucket, with no long-term access keys stored on the instance]
Best practices

• Delete access keys for the AWS account root user
• Activate multi-factor authentication (MFA)
• Only give IAM users permissions they need
• Use roles for applications
• Rotate credentials regularly
• Remove unnecessary users and credentials
• Monitor activity in your AWS account
Assess your security and compliance

Challenges of threat assessment

• Expensive

• Complex

• Time-consuming

• Difficult to track IT changes

What is Amazon Inspector?

Automated security assessment as a service

• Assesses applications for vulnerabilities
• Produces a detailed list of security findings
• Leverages security best practices
Amazon Inspector findings

Remediation recommendation

Protect your infrastructure from Distributed Denial of Service (DDoS) attacks

What is DDoS?

DDoS mitigation challenges

• Complex
• Limited bandwidth
• Involves rearchitecting
• Manual
• Time-consuming
• Degraded performance
• Expensive
What is AWS Shield?

• A managed DDoS protection service
• Always-on detection and mitigations
• Seamless integration and deployment
• Cost-efficient and customizable protection
AWS Shield Standard and AWS Shield Advanced

AWS Shield Standard (Included)
• Quick detection
• Inline attack mitigation

AWS Shield Advanced (Optional)
• Enhanced detection
• Advanced attack mitigation
• Visibility and attack notification
• DDoS cost protection
• Specialized support
AWS security compliance

Assurance programs

How AWS helps customers achieve compliance

Sharing information
• Industry certifications
• Security and control practices
• Compliance reports directly under NDA

Assurance program
• Certifications/attestations
• Laws, regulations, and privacy
• Alignments/frameworks
Customer responsibility

Review – Design – Identify – Verify
