Module 4:
Secure your cloud applications
Sander Veenstra
Technical Trainer
AWS
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Secure your infrastructure
Security is our top priority
Designed for security
Constantly monitored
Highly automated
Highly available
Highly accredited
Security of the cloud
• Hosts, network, software, facilities
• Protection of the AWS global infrastructure is top priority
• Availability of third-party audit reports
Foundation services (AWS): Compute, Storage, Database, Network
AWS global infrastructure (AWS): Availability Zones, Regions, Edge Locations
Security in the cloud
Customer responsibilities:
Customer data
Platform, applications, identity & access management
Operating system, network & firewall configuration
Client-side data encryption & data integrity authentication
Server-side encryption (file system and/or data)
Network traffic protection (encryption/integrity/identity)
Considerations
• What you should store
• Which AWS services you should use
• Which Region to store in
• In what content format and structure
• Who has access
AWS shared responsibility model
Customer (security in the cloud):
Customer data
Platform, applications, identity & access management
Operating system, network & firewall configuration
Client-side data encryption & data integrity authentication
Server-side encryption (file system and/or data)
Network traffic protection (encryption/integrity/identity)
AWS (security of the cloud):
Foundation services: Compute, Storage, Database, Network
AWS global infrastructure: Availability Zones, Regions, Edge Locations
Security, identity, and compliance products
• AWS Artifact
• AWS Certificate Manager
• Amazon Cloud Directory
• AWS CloudHSM
• Amazon Cognito
• AWS Directory Service
• AWS Firewall Manager
• Amazon GuardDuty
• AWS Identity and Access Management
• Amazon Inspector
• AWS Key Management Service
• Amazon Macie
• AWS Organizations
• AWS Shield
• AWS Secrets Manager
• AWS Single Sign-On
• AWS WAF
Manage authentication and authorization
AWS Identity and Access Management (IAM)
Securely control access to AWS resources
• IAM user: a person or application that interacts with AWS
• Group: a collection of users with identical permissions
• Role: temporary privileges that an entity can assume
Authentication: Who are you?
Diagram: IAM users (organized in IAM groups) prove their identity to IAM whether they call AWS through the AWS CLI ($ aws), the AWS SDKs, or the AWS Management Console.
Authorization: What can you do?
Diagram: IAM policies attached to an IAM user, group, or role define what that identity may do, for example full AWS access from the CLI ($ aws) versus read-only access to a single Amazon S3 bucket.
IAM roles
• IAM users, applications, and services may assume IAM roles
• A role uses an IAM policy for its permissions
Using roles for temporary security credentials
Diagram (built up over five slides): an application running on an EC2 instance needs to reach an Amazon S3 bucket. An IAM role is created with an IAM policy granting the required S3 access. The EC2 instance assumes the role and receives temporary security credentials, and the application uses those credentials to access the bucket, so no long-term access keys are stored on the instance.
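The authorization slide and the role diagram above both come down to one question: given the policy attached to the role, which requests from the application does IAM allow? The following is an added example written for this page, not AWS code or an AWS tool. It writes the role's trust policy and permissions policy in the real IAM JSON shape and then models the core of IAM's decision logic (an explicit Deny always wins, otherwise an explicit Allow is needed, otherwise the request is implicitly denied). It deliberately ignores conditions, NotAction/NotResource, resource-based policies, permission boundaries and SCPs; the bucket name, prefix and request ARNs are hypothetical.

```python
"""Minimal model of how IAM decides the requests in the EC2-role-to-S3
diagram. Added example, not AWS code: it implements only the core rule
(explicit Deny wins, then explicit Allow, otherwise implicit deny) and
ignores conditions, NotAction/NotResource, resource-based policies,
permission boundaries and SCPs. The policy documents use the real IAM
JSON shape; the bucket name and prefix are hypothetical."""
import fnmatch
import json

# Trust policy: who may assume the role. Only the EC2 service, so an
# instance profile can hand temporary credentials to the application.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy attached to the role: read one bucket, nothing else.
# The Deny statement on the "secrets/" prefix shows that an explicit
# Deny overrides an Allow, even when the Allow is broader.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-bucket",      # hypothetical bucket
                "arn:aws:s3:::example-app-bucket/*",
            ],
        },
        {
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-app-bucket/secrets/*",
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are compared as-is.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit Deny is final
        decision = "Allow"           # keep scanning: a later Deny may still win
    return decision


def can_assume(trust_policy, service_principal):
    """True if the given service principal is allowed to call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and service_principal in services):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(PERMISSIONS_POLICY, indent=2))
    print("EC2 may assume the role:", can_assume(TRUST_POLICY, "ec2.amazonaws.com"))
    requests = [
        ("s3:GetObject", "arn:aws:s3:::example-app-bucket/reports/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::example-app-bucket/secrets/db.json"),
        ("s3:PutObject", "arn:aws:s3:::example-app-bucket/reports/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/file"),
    ]
    for action, resource in requests:
        print(f"{action:13} {resource:50} -> {evaluate(PERMISSIONS_POLICY, action, resource)}")
```

The point to take from the output is the third and fourth requests: nothing in the policy mentions s3:PutObject or the other bucket, and IAM's default is to deny, so a role whose policy only lists what the application needs cannot be used for anything else even if the instance is compromised.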
Best practices
• Delete access keys for the AWS account root user
• Activate multi-factor authentication (MFA)
• Only give IAM users the permissions they need
• Use roles for applications
• Rotate credentials regularly
• Remove unnecessary users and credentials
• Monitor activity in your AWS account
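Most of these best practices can be checked mechanically from the IAM credential report. The following is an added example written for this page, not AWS code: in practice the CSV comes from `aws iam get-credential-report` (base64-encoded), whereas SAMPLE_REPORT below is a constructed report that uses a subset of that report's columns with made-up users, account ID and dates. The fixed NOW date and the 90-day thresholds are assumptions chosen so the output is reproducible. The checks flag active root access keys, a root user or console user without MFA, access keys older than the rotation limit, and identities that have not been used for longer than the idle limit.

```python
"""Audit an IAM credential report against the best practices on this slide.
Added example, not AWS code. SAMPLE_REPORT is a constructed report in the
CSV layout of `aws iam get-credential-report` (subset of columns; users,
account ID and dates are made up). NOW and the 90-day limits are assumed."""
import csv
import io
from datetime import datetime, timezone

NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)   # assumed "today"
MAX_KEY_AGE_DAYS = 90    # rotate access keys older than this
MAX_IDLE_DAYS = 90       # users idle longer than this are removal candidates

# Constructed sample: one root row plus four users covering each finding type.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2018-01-01T00:00:00+00:00,not_supported,2019-05-20T09:00:00+00:00,not_supported,not_supported,true,true,2018-01-01T00:00:00+00:00,2019-05-20T09:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2018-03-01T00:00:00+00:00,true,2019-05-30T08:00:00+00:00,2019-03-01T00:00:00+00:00,N/A,true,true,2019-04-15T00:00:00+00:00,2019-05-30T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2018-03-01T00:00:00+00:00,true,2019-05-29T08:00:00+00:00,2019-03-01T00:00:00+00:00,N/A,false,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2018-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2018-06-01T00:00:00+00:00,2019-05-31T00:00:00+00:00,false,N/A,N/A
olduser,arn:aws:iam::123456789012:user/olduser,2018-02-01T00:00:00+00:00,true,2018-12-01T00:00:00+00:00,2018-02-01T00:00:00+00:00,N/A,true,false,N/A,N/A,false,N/A,N/A
"""


def _parse_time(value):
    """Timestamps are ISO 8601; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv, now=NOW):
    """Return a list of (user, finding) tuples in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have no access keys at all, and must use MFA.
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root access key {slot} is active: delete it"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            continue
        # Console password without MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        # Access keys past the rotation limit.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] == "true":
                rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
                if rotated is not None and (now - rotated).days > MAX_KEY_AGE_DAYS:
                    findings.append((user, f"access key {slot} is {(now - rotated).days} days old: rotate it"))
        # Idle identities: last use of password or either key, else creation time.
        used = [_parse_time(row[c]) for c in
                ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")]
        used = [t for t in used if t is not None]
        reference = max(used) if used else _parse_time(row["user_creation_time"])
        idle_days = (now - reference).days
        if idle_days > MAX_IDLE_DAYS:
            findings.append((user, f"no activity for {idle_days} days: remove if unnecessary"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Run against a real report, the same script is a cheap daily control: decode the report, feed it to audit(), and alert on any finding. Activity monitoring in the last best practice is a separate concern (CloudTrail), which the credential report does not cover.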
Assess your security and compliance
Challenges of threat assessment
• Expensive
• Complex
• Time-consuming
• Difficult to track IT changes
What is Amazon Inspector?
Automated security assessment as a service
• Assesses applications for vulnerabilities
• Produces a detailed list of security findings
• Leverages security best practices
Amazon Inspector findings
Remediation recommendation
Protect your infrastructure from Distributed Denial of Service (DDoS) attacks
What is DDoS?
Diagram: many attacking sources flood the target with DDoS traffic, crowding out the legitimate user.
DDoS mitigation challenges
Complex
Limited bandwidth
Involves rearchitecting
Manual
Degraded performance
Time-consuming
Expensive
What is AWS Shield?
Diagram: AWS Shield sits in front of the application and absorbs the DDoS traffic, so the legitimate user still gets through.
• A managed DDoS protection service
• Always-on detection and mitigations
• Seamless integration and deployment
• Cost-efficient and customizable protection
AWS Shield Standard and AWS Shield Advanced
AWS Shield Standard (included):
• Quick detection
• Inline attack mitigation
AWS Shield Advanced (optional):
• Enhanced detection
• Advanced attack mitigation
• Visibility and attack notification
• DDoS cost protection
• Specialized support
AWS security compliance
Assurance programs
How AWS helps customers achieve compliance
Sharing information:
• Industry certifications
• Security and control practices
• Compliance reports directly under NDA
Assurance program:
• Certifications/attestations
• Laws, regulations, and privacy
• Alignments/frameworks
Customer responsibility
Review – Design – Identify – Verify