AWS Cloud Security Fundamentals

The document discusses cloud security fundamentals on AWS. It notes that on-premises security has traditionally been challenging due to lack of visibility and automation. The AWS shared responsibility model means AWS is responsible for security of the cloud, including physical and network security of data centers, while customers are responsible for security in the cloud, such as OS configuration and encryption of data. AWS aims to allow customers to move fast while staying secure through its global infrastructure and security features.


AWS Security Fundamentals
Infrastructure and services to elevate your security in the cloud

© 2023, Amazon Web Services, Inc. or its affiliates.
What are your perceptions on cloud security?


Why is on-premises security traditionally challenging?

• Lack of visibility
• Low degree of automation


Before…

Move fast OR stay secure


Now…

Move fast AND stay secure


At AWS, security is the top priority!


AWS Global Infrastructure
31 geographical Regions, 99 Availability Zones, 410+ points of presence (POPs), 32 Local Zones

• 31 launched Regions, each with multiple Availability Zones (AZs)
• 99 Availability Zones
• 245 countries and territories served
• 115 Direct Connect locations
• 32 Local Zones
• 29 Wavelength Zones for ultra-low latency applications


AWS region design

AWS Regions consist of multiple Availability Zones (AZs) for high availability, high scalability, and high fault tolerance. Applications and data are replicated in real time and kept consistent across the different AZs.

A Region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.

Diagram: an AWS Region containing several Availability Zones, each made up of data centers and interconnected through transit AZs.
AWS Availability Zones

Diagram: the N. Virginia Region (us-east-1) with Availability Zones us-east-1a, us-east-1b, and us-east-1c, each consisting of one or more physical sites.
Shared Responsibility Model
Traditional On-Premises Security Model

Customers are responsible for end-to-end security in their on-premises data centers, across every layer of the stack:

• Customer data
• Platform & application management
• OS, network, firewall configuration
• Customer IAM
• Client-side data encryption / integrity
• Server-side encryption
• Network traffic protection
• Compute / storage / database / network
• Core infrastructure


AWS Shared responsibility model

• Security IN the Cloud: Customers. Customer responsibility is determined by the AWS Cloud services a customer selects.
• Security OF the Cloud: AWS. AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud.
AWS Shared Responsibility Model

Customer is responsible for security in the cloud:
• Customer data
• Platform, applications, identity, and access management
• Operating system, network, and firewall configuration
• Client-side data encryption & data-integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption/integrity/identity)

AWS is responsible for security of the cloud:
• Compute, storage, database, networking
• AWS global infrastructure: Regions, Availability Zones, edge locations
AWS Responsibilities

Physical Security of Data Center

• Amazon has been building large-scale data centers for many years.
• Important attributes:
– Non-descript facilities
– Robust perimeter controls
– Strictly controlled physical access
– Two or more levels of two-factor authentication
• Controlled, need-based access.
• All access is logged and reviewed.
• Separation of Duties
– Employees with physical access don’t have logical privileges.



AWS Responsibilities

EC2 Security
• Host (hypervisor) operating system
– Individual SSH keyed logins via bastion host for AWS admins
– All access logged and audited
• Guest (EC2 instance) operating system
– Customer controlled (customer owns root/admin)
– AWS admins cannot log in
– Customer-generated key pairs
• Stateful firewall
– Mandatory inbound firewall, default deny mode
– Customer controls configuration via Security Groups

Network Security
• IP spoofing prohibited at the host OS level.
• Packet sniffing (promiscuous mode) is ineffective (protected at the hypervisor level).
• Unauthorized port scanning is a violation of the Terms of Service and is detected/blocked.
• Inbound ports blocked by default.


AWS Responsibilities

Configuration Management
• Most updates are done in such a manner that they will not impact the customer.
• Changes are authorized, logged, tested, approved, and documented.
• AWS will communicate with customers, either via email, the AWS Service Health Dashboard (http://status.aws.amazon.com/), or the AWS Personal Health Dashboard (https://phd.aws.amazon.com/), when there is a potential for service being affected.

Built for “Continuous Availability”
• Scalable, fault-tolerant services.
• All Availability Zones (AZs) are always on.
– There is no “Disaster Recovery Datacenter”.
– All are managed to the same standards.
• Robust Internet connectivity.
– Each AZ has redundant Tier 1 ISP service providers.
– Resilient network infrastructure.
AWS Responsibilities

Disk Management
• Proprietary disk management prevents customers from accessing each other’s data.
• Disks are wiped prior to use.
• Disks can also be encrypted by the customer for additional security.

Storage Device Decommissioning
• All storage devices go through a decommissioning process using techniques from:
– DoD 5220.22-M (“National Industrial Security Program Operating Manual”).
– NIST 800-88 (“Guidelines for Media Sanitization”).
• Ultimately, devices are:
– Degaussed.
– Physically destroyed.


Security OF the Cloud

SOC 1, SOC 2, SOC 3

The AWS Artifact tool supports increased transparency. It is a portal that provides on-demand access to:
• Information on AWS policies, processes, and controls
• Documentation of controls relevant to specific AWS services
• Validation that AWS controls are operating effectively

Inherit global security & compliance controls: customers can use the reports to align AWS controls to their own control frameworks, and verify that AWS controls are operating effectively.
Customer applications & Compliance

Applications built on top of AWS services are not implicitly compliant with the security controls that the AWS services themselves are compliant with. Customers need to certify applications separately by engaging with external auditors.

Diagram: customer applications (your own accreditation, your own certifications, your own external audits) built on top of AWS services.


Security starts with the AWS Shared Responsibility Model

Diagram: the same stack (customer data, customer IAM, client-side data encryption, network traffic protection, server-side encryption, platform & application management, OS, network, firewall configuration, AWS IAM, compute / storage / database / network, hardware/AWS global infrastructure) shown for three service types:

• Infrastructure services (Amazon EC2, Amazon VPC): more customer responsibility = more customer security ownership
• Container services (Amazon RDS, Amazon EMR)
• Abstracted services (Amazon DynamoDB, Amazon S3): less customer responsibility = more best practices built in

The further to the right, the more of the stack AWS manages on the customer’s behalf.
SRM practical example: AWS Network Firewall

Customer (security “in” the cloud):
• Create firewall policy and rules
• Deploy and route traffic to firewall endpoint
• Centrally control with AWS Firewall Manager

AWS (security “of” the cloud):
• Automatically scales with traffic
• Managed zonal affinity and session symmetry
• Throughput performance >45 Gbps
• Resilient with SLA of 99.99%
Security Best Practices
AWS Well-Architected Framework: Security

Recommended to any customer using the AWS Cloud:
1. Implement a strong identity foundation
2. Enable traceability
3. Apply security at all layers
4. Automate security best practices
5. Protect data in transit and at rest
6. Keep people away from data
7. Prepare for security events

https://docs.aws.amazon.com/wellarchitected/latest/framework/security.html
Top 5 root causes for Customer Security events

1. Inaccurate AWS account information

2. AWS resource configuration does not follow best practices

3. Unintended disclosure of security credentials and secrets

4. Inappropriate response to GuardDuty and Detective findings

5. Lack of continuous vulnerability management

Source: AWS Security Operations


Security Services
AWS security, identity, and compliance solutions

• Identity and access management: AWS Identity and Access Management (IAM), AWS IAM Identity Center, AWS Organizations, AWS Directory Service, Amazon Cognito, AWS Resource Access Manager, Amazon Verified Permissions
• Detective controls: AWS Security Hub, Amazon GuardDuty, Amazon Security Lake, Amazon Inspector, Amazon CloudWatch, AWS Config, AWS CloudTrail, VPC Flow Logs, AWS IoT Device Defender
• Infrastructure protection: AWS Firewall Manager, AWS Network Firewall, AWS Shield, AWS WAF, Amazon VPC, AWS PrivateLink, AWS Systems Manager, AWS VPN, AWS Verified Access
• Data protection: Amazon Macie, AWS Key Management Service (KMS), AWS CloudHSM, AWS Certificate Manager, AWS Private CA, AWS Secrets Manager, Server-Side Encryption
• Incident response: Amazon Detective, Amazon EventBridge, AWS Backup, AWS Elastic Disaster Recovery, Amazon Route 53 Application Recovery Controller, Fault Injection Simulator, Resiliency Hub
• Compliance: AWS Artifact, AWS Audit Manager, AWS Control Tower, AWS Well-Architected Tool, AWS Security Hub
Largest ecosystem of security partners & solutions

• Identity and access control
• Vulnerability and configuration analysis
• Network and infrastructure security
• Logging, monitoring, SIEM, threat detection, and analytics
• Data protection and encryption
• Host and endpoint security
• Application security

Consulting and technology competency partners

• Security engineering
• Governance, risk, and compliance
• Security operations and automation


AWS foundational and layered security services

Diagram: AWS services mapped to the functions Identify, Protect, Detect, Respond, and Recover, with Automate and Investigate cutting across them. Services shown include AWS Organizations, AWS Shield, AWS Certificate Manager, AWS KMS, AWS Network Firewall, Amazon GuardDuty, Amazon Macie, Amazon CloudWatch, AWS Step Functions, AWS OpsWorks, AWS WAF, AWS Firewall Manager, AWS CloudHSM, AWS Secrets Manager, Amazon Inspector, AWS Security Hub, AWS Systems Manager, AWS Lambda, AWS CloudFormation, Amazon S3 Glacier, AWS Config, AWS Trusted Advisor, Amazon Cloud Directory, IAM, AWS Transit Gateway, Amazon VPC, Amazon Detective, CloudEndure Disaster Recovery, AWS CloudTrail, AWS Control Tower, AWS Single Sign-On, AWS Directory Service, AWS PrivateLink, AWS Direct Connect, Amazon Cognito, and Snapshot Archive.
Identity and access management
Define, enforce, and audit user permissions across AWS services, actions, and resources

• AWS Identity and Access Management (IAM): securely manage access to AWS services and resources
• AWS IAM Identity Center: centrally manage SSO access to multiple AWS accounts and business apps
• AWS Directory Service: managed Microsoft Active Directory in AWS
• Amazon Cognito: add user sign-up, sign-in, and access control to your web and mobile apps
• AWS Organizations: policy-based management for multiple AWS accounts
• AWS Resource Access Manager: simple, secure service for sharing AWS resources
• Amazon Verified Permissions: fine-grained permissions and authorization for your applications


Understanding an AWS account

• Each AWS account
– Is a resource container for AWS Cloud services
– Is an explicit security boundary
– Is a container for cost tracking and billing
– Is a mechanism to enforce limits and thresholds (e.g., Service Quotas and API thresholds)
• Over time, customers will add more accounts to support more applications and services

Diagram: Account A containing compute, networking & content delivery, storage, and much more.


Single vs Multi-Account

Diagram: a single account (Account A holding compute, networking & content delivery, storage, and more) compared with a multi-account organization (a management account plus many member accounts).


AWS Organizations
Central governance and management across AWS accounts for a comprehensive multi-account AWS environment

• Manage and define your organization and accounts
• Control access and permissions
• Audit, monitor, and secure your environment for compliance
• Share resources across accounts
• Centrally manage costs and billing


AWS Organizations

Diagram: an AWS Organization with the MASTER account (now called the management account) at the root, Organizational Units beneath it, and AWS Accounts within the Organizational Units.


Use multiple accounts to ease the governance

AWS Organization:
• Management Account: AWS Organizations, AWS Single Sign-On, AWS Identity and Access Management (IAM), AWS CloudTrail (Org trail)
• Security OU
– Log archive: central logs (CloudTrail logs, access logs, DNS logs, flow logs)
– Security tooling: security tools, automated responses
• Infrastructure OU
– Networking: Amazon Route 53
– Shared services: AWS CodeBuild
• Application account: VPC with instances


The AWS Security Reference Architecture (AWS SRA)

• Where should these services go?
• How to organize AWS security services?
• How do I integrate these services?

aws-samples/aws-security-reference-architecture-examples
https://github.com/aws-samples/aws-security-reference-architecture-examples
https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html


Org Management account

Roles and permissions; AWS Systems Manager; AWS CloudTrail (Organization trail); AWS Single Sign-On; AWS Config; IAM Access Advisor


Security OU – Security Tooling account

Roles and permissions; Amazon EventBridge; AWS Config Aggregator; Amazon GuardDuty; AWS Security Hub; AWS Firewall Manager; AWS Lambda (response); AWS IAM Access Analyzer; Amazon Macie; Amazon Detective; AWS Key Management Service (AWS KMS)


Security OU – Log Archive account

Roles and permissions. Central logs: CloudTrail logs from the Organization trail, access logs, DNS logs, flow logs. Account-level services: AWS Security Hub, Amazon GuardDuty, Amazon Macie, AWS Config, Amazon EventBridge, AWS IAM Access Analyzer, AWS CloudTrail (Organization trail)


Infrastructure OU – Network account

Roles and permissions.
• Inbound VPC: might include NAT gateway and internet gateway; Amazon CloudFront, Amazon Route 53, AWS Shield Advanced, AWS WAF; access logs, DNS logs, flow logs
• Outbound VPC: might include NAT gateway, internet gateway, and proxy services; AWS Certificate Manager; access logs, flow logs
• Inspection VPC: might include IDS/IPS; firewall subnet with AWS Network Firewall
Account-level services: GuardDuty, Security Hub, AWS Config, IAM Access Analyzer, EventBridge, Organization trail


Infrastructure OU – Shared Services account

Roles and permissions; AWS Systems Manager; AWS Directory Service; AWS Managed Microsoft AD. Account-level services: AWS Security Hub, Amazon GuardDuty, AWS Config, Amazon EventBridge, AWS IAM Access Analyzer, AWS CloudTrail (Organization trail)


Workload OU – Application account

Roles and permissions; AWS Secrets Manager; Amazon S3 data bucket; AWS Key Management Service (AWS KMS); AWS Certificate Manager (ACM) Private CA.
VPC with private subnets: Application Load Balancer, EC2 instances running the Amazon Inspector agent and SSM Agent, Amazon Aurora; endpoints for AWS KMS, Systems Manager, and Amazon S3.
Account-level services: Security Hub, GuardDuty, AWS Config, AWS IAM Access Analyzer, AWS CloudHSM, EventBridge, Amazon Cognito, flow logs, Organization trail


A typical Landing Zone used by a large enterprise


Multi-account setup

Diagram: findings from each workload account (Amazon Detective, Amazon GuardDuty, Amazon Macie, Amazon Inspector, AWS Config, AWS Systems Manager automation, AWS Security Hub) are aggregated into a security account running the same services, where Amazon CloudWatch Events / Amazon EventBridge, AWS Step Functions, AWS Lambda, and Amazon SNS drive automated response and notification.


Managing your multi-account environment

• Organizations gives you native tools to build your environment
• If you’d like to jump-start your AWS environment using a simple UI and built-in best practices, we recommend AWS Control Tower
AWS Control Tower – Guardrail examples

Guardrail | Type | Requirement
Disallow creation of access keys for the root user | Preventive | Strongly recommended
Disallow public read access to Amazon S3 | Detective | Strongly recommended
Enable AWS Config in all available Regions | Preventive | Mandatory
Disallow changes to encryption configuration of log archive buckets | Preventive | Mandatory
Integrate AWS CloudTrail events with Amazon CloudWatch Logs | Preventive | Mandatory
Detect whether versioning for Amazon S3 buckets is enabled | Detective | Elective
Disallow delete actions on Amazon S3 buckets without MFA | Preventive | Elective


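As an added illustration (not Control Tower's own rule code), the following Python applies three of the S3 guardrails from the table as detective checks over constructed bucket configurations. The configurations are shaped like the S3 GetBucketAcl, GetBucketPolicy and GetBucketVersioning API responses; the bucket names and contents are made up, and S3 Block Public Access settings are deliberately not modelled.

```python
"""Detective checks for three S3 guardrails from the Control Tower table:
public read access, bucket versioning, and MFA Delete. Illustrative code with
constructed bucket configurations; not Control Tower's own implementation."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed bucket configurations, shaped like the GetBucketAcl /
# GetBucketPolicy / GetBucketVersioning responses. A compliant archive bucket
# and a deliberately misconfigured public one.
BUCKETS = {
    "logs-archive": {
        "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                            "Permission": "FULL_CONTROL"}]},
        "Policy": None,
        "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    },
    "public-site": {
        "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                            "Permission": "READ"}]},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::public-site/*"}]}),
        "Versioning": {"Status": "Suspended"},
    },
}


def acl_allows_public_read(acl):
    """True if the ACL grants READ (or more) to the AllUsers group."""
    return any(grant["Grantee"].get("URI") == ALL_USERS
               and grant["Permission"] in ("READ", "FULL_CONTROL")
               for grant in acl["Grants"])


def policy_allows_public_read(policy_json):
    """True if any Allow statement lets an anonymous principal read objects."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json)["Statement"]:
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict)
                                         and principal.get("AWS") == "*")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt["Effect"] == "Allow" and anonymous
                and any(a in ("s3:GetObject", "s3:*", "*") for a in actions)):
            return True
    return False


def evaluate_bucket(name, cfg):
    """Return the guardrails this bucket violates (empty list = compliant)."""
    violations = []
    if acl_allows_public_read(cfg["Acl"]) or policy_allows_public_read(cfg["Policy"]):
        violations.append("Disallow public read access to Amazon S3")
    if cfg["Versioning"].get("Status") != "Enabled":
        violations.append("Detect whether versioning for Amazon S3 buckets is enabled")
    if cfg["Versioning"].get("MFADelete") != "Enabled":
        violations.append("Disallow delete actions on Amazon S3 buckets without MFA")
    return violations


def evaluate_all(buckets=BUCKETS):
    return {name: evaluate_bucket(name, cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for bucket, problems in evaluate_all().items():
        print(bucket, "->", problems or "compliant")
```

The checks are deliberately conservative: a bucket policy that grants `s3:GetObject` to `*` counts as public even if an ACL does not, and a versioning status of anything other than `Enabled` (including `Suspended`) is reported, because MFA Delete cannot be active without versioning.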

Identity and Access Management (IAM)

Security before the cloud (corporate data center):
• Implemented at perimeter
• Reliant on a hard shell

Security in the cloud (AWS Cloud):
• IAM authorization at every resource
• Pervasive security - part of the application

Diagram: a VPC spanning two Availability Zones, each with a NAT Gateway and Amazon EC2 Auto Scaling groups of instances.


Identity, access, and resource management

Who can access what, within an AWS account: identity management (who), access management (can access), resource management (what).
AWS identity management – Who

• Workforce identity
– AWS IAM Identity Center
– AWS Directory Service
– AWS Partner Identity Provider Federation
• Consumer identity
– Amazon Cognito
– AWS Partner Identity Provider Federation

AWS access management – Can access

• AWS Identity and Access Management (IAM)
– Identity-based policies
– Resource-based policies

Two AWS policy types shown; policies define permissions.
AWS resource management – What

At cloud scale, for many AWS services and thousands of workloads.
Using tags on IAM policies (ABAC)

At scale in three steps:
• Standardize the tagging of your AWS resources
• Tag policies: define tag key capitalization and allowed tag values
• Tags can be attached to IAM principals (users or roles) and to AWS resources

AWS Resource Groups Tag Editor – add tags to, or edit or delete tags of, multiple AWS resources at once
Resulting in AWS providing fine-grained controls

Control access based on… / For example, allow developers to…
• Specific services: use Amazon EC2
• Specific actions: launch new instances…
• Specific resources: within a particular subnet…
• Specific conditions: in approved Regions and cost centers
Reading and writing IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:ap-southeast-2:111122223333:table/MyTableName"
      ]
    }
  ]
}



Authenticate and Authorize

• Every API request to our service APIs is authenticated and authorized, using Signature Version 4 (SigV4) and AWS Identity and Access Management (IAM) permissions and roles.
• Always default to “Deny”: our service API, IAM policies, Security Group access.
• Over 400 million calls per second!


Apply guardrails to limit actions: AWS Organizations


Policy Evaluation Logic

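The following Python, added here as an illustration and not AWS's own evaluator, models the evaluation logic the deck refers to: a request is denied unless some policy allows it, an explicit Deny anywhere wins, and an AWS Organizations guardrail (modelled here as a service control policy) must allow the call in addition to the identity policy. It reuses the slide's DynamoDB policy and extends it with an ABAC tag condition, which is an assumption not present on the slide; the SCP, the principal/resource tags and the request contexts are constructed.

```python
"""Simplified model of IAM authorization: deny by default, explicit deny wins,
an Organizations guardrail (SCP) must also allow, and an ABAC tag condition.
Added illustration with constructed policies; it is not AWS's evaluator."""
import fnmatch
import json
import re

# The identity-based policy from the slide, extended (assumption) with a
# Condition so the principal may only touch tables tagged with its own project.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
      "Resource": ["arn:aws:dynamodb:ap-southeast-2:111122223333:table/MyTableName"],
      "Condition": {"StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}}
    }
  ]
}
""")

# Constructed guardrail in the style of an Organizations service control policy:
# the account may operate only in ap-southeast-2 and nobody may delete tables.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "ap-southeast-2"}}},
    ],
}

TABLE = "arn:aws:dynamodb:ap-southeast-2:111122223333:table/MyTableName"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    # Expand policy variables such as ${aws:PrincipalTag/project} from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = [_resolve(e, ctx) for e in _as_list(expected)]
            if operator == "StringEquals" and actual not in wanted:
                return False
            if operator == "StringNotEquals" and actual in wanted:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {operator}")
    return True


def _matches(stmt, action, resource, ctx):
    # IAM wildcards (* and ?) map directly onto fnmatch's glob syntax.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), ctx))


def evaluate_policy(policy, action, resource, ctx):
    """'Deny' if any matching statement denies, else 'Allow' if one allows, else 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny cannot be overridden by any allow
            decision = "Allow"
    return decision


def is_authorized(action, resource, ctx, identity_policy=IDENTITY_POLICY, scp=GUARDRAIL_SCP):
    """Authorized only if BOTH the guardrail and the identity policy evaluate to Allow."""
    return (evaluate_policy(scp, action, resource, ctx) == "Allow"
            and evaluate_policy(identity_policy, action, resource, ctx) == "Allow")


def demo():
    base = {"aws:PrincipalTag/project": "payments",
            "aws:ResourceTag/project": "payments",
            "aws:RequestedRegion": "ap-southeast-2"}
    return {
        "get_item_same_project": is_authorized("dynamodb:GetItem", TABLE, base),
        "put_item_other_project": is_authorized("dynamodb:PutItem", TABLE,
                                                {**base, "aws:ResourceTag/project": "billing"}),
        "scan_not_granted": is_authorized("dynamodb:Scan", TABLE, base),
        "delete_blocked_by_scp": is_authorized("dynamodb:DeleteTable", TABLE, base),
        "wrong_region_blocked_by_scp": is_authorized("dynamodb:GetItem", TABLE,
                                                     {**base, "aws:RequestedRegion": "us-east-1"}),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

Only the first case is allowed. The other four show the deck's points in turn: a tag mismatch makes the ABAC statement not match (implicit deny), an action nobody granted is implicitly denied, and the guardrail's explicit denies (table deletion, wrong Region) block the call even where the identity policy would allow it.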

Identity federation

Enterprise (Identity Provider) and AWS (Service Provider):
1. User logs in to the portal (corporate data center).
2. User is authenticated against the identity store.
3. The browser receives the response (SAML assertion).
4. The browser posts the SAML assertion to AWS Sign-in.
5. User is redirected to the AWS Management Console.


Gain the visibility you need to spot issues before they impact your business, improve your security posture, and reduce the risk profile of your environment

• AWS Security Hub: automate AWS security checks and centralize security alerts.
• Amazon GuardDuty: protect your AWS accounts with intelligent threat detection.
• Amazon Inspector: automated and continual vulnerability management at scale.
• Amazon CloudWatch: observe and monitor resources and applications on AWS, on premises, and on other clouds.
• AWS Config: assess, audit, and evaluate configurations of your resources.
• AWS CloudTrail: track user activity and API usage.
• VPC Flow Logs: capture info about IP traffic going to and from network interfaces in your VPC.
• Amazon Security Lake: automatically centralize your security data in a few steps.


Threat detection, monitoring, and response

Security monitoring and threat detection, integrated with AWS workloads in an AWS account along with identities and network activity:
• Detect threats & anomalous behavior: Amazon GuardDuty
• Discover sensitive data: Amazon Macie
• Detect vulnerabilities: Amazon Inspector
• Centralize, normalize & analyze: AWS Security Hub, Amazon Security Lake
• Investigate events/findings: Amazon Detective


Automate your response in a multi-account environment

Detect, ingest, remediate, log:
• Security account: AWS Security Hub findings trigger a rule; playbooks run in AWS Lambda or AWS Step Functions, notify via Amazon Simple Notification Service (Amazon SNS), and log to Amazon CloudWatch.
• Member account: a cross-account role lets AWS Systems Manager Automation remediate the resource, with AWS Security Hub also present in the member account.


Add business context to your Incident Response workflow

1. A Security Hub finding is automatically sent to CloudWatch Events.
2. CloudWatch Events rules pick up relevant findings and trigger enrichment Lambdas.
3. The finding is enriched with GeoIP data (MaxMind), contextual CloudTrail data (CloudTrail Insights), VPC Flow, S3 access, and ELB access logs (Athena), and deployment / business unit information (deployment database).
4. The enriched finding is automatically sent to CloudWatch Events.
5. Tier 1 / 2 findings are auto-remediated and archived. Tier 3 findings are escalated.

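To make the tiered flow concrete, this added Python (illustrative, not AWS sample code) triages a constructed EventBridge event carrying two Security Hub findings, using AWS Security Finding Format field names with made-up values. Each finding is enriched with business-unit context from a stand-in deployment database, assigned a tier, and routed either to an automated playbook (tier 1), to archiving (tier 2) or to escalation (tier 3). The tier rules, the playbook names and the deployment database are assumptions, since the deck does not define them.

```python
"""Triage of Security Hub findings arriving through EventBridge, following the
pipeline on the slides: enrich each finding with business context, then auto-
remediate tier 1/2 findings and escalate tier 3. Illustrative code with
constructed data; it is not an AWS sample and the tier rules are assumptions."""
import json

# Constructed EventBridge event carrying two findings. Field names follow the
# AWS Security Finding Format (ASFF); every value is made up.
SAMPLE_EVENT = json.loads("""
{
  "detail-type": "Security Hub Findings - Imported",
  "detail": {"findings": [
    {"Id": "finding-001",
     "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.2",
     "Title": "S3 buckets should prohibit public read access",
     "Severity": {"Label": "CRITICAL"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket-public"}]},
    {"Id": "finding-002",
     "GeneratorId": "aws-guardduty",
     "Title": "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B",
     "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::111122223333:user/alice"}]}
  ]}
}
""")

# Stand-in for the slide's "deployment database": resource ARN -> owning business unit.
DEPLOYMENT_DB = {
    "arn:aws:s3:::example-bucket-public": {"business_unit": "Retail", "owner": "retail-oncall"},
}

# Controls we trust an automated playbook to fix (constructed mapping).
AUTO_PLAYBOOKS = {"S3.2": "s3-block-public-access"}


def enrich(finding):
    """Attach business context; unknown resources are flagged rather than dropped."""
    resource_id = finding["Resources"][0]["Id"]
    context = DEPLOYMENT_DB.get(resource_id, {"business_unit": "unknown", "owner": "unknown"})
    return {**finding, "BusinessContext": context}


def control_id(finding):
    """Foundational Security Best Practices generator ids end in the control id (e.g. S3.2)."""
    generator = finding["GeneratorId"]
    if "security-best-practices" in generator:
        return generator.rsplit("/", 1)[-1]
    return None


def assign_tier(finding):
    """Assumed tiering: 1 = known misconfiguration with a playbook,
    2 = low-impact finding that is archived, 3 = needs a human."""
    if control_id(finding) in AUTO_PLAYBOOKS:
        return 1
    if finding["Severity"]["Label"] in ("INFORMATIONAL", "LOW", "MEDIUM"):
        return 2
    return 3


def triage(event):
    """Return one routing decision per finding in the event."""
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    decisions = []
    for raw in event["detail"]["findings"]:
        finding = enrich(raw)
        tier = assign_tier(finding)
        if tier == 1:
            action = AUTO_PLAYBOOKS[control_id(finding)]
        elif tier == 2:
            action = "archive"
        else:
            action = "escalate"
        decisions.append({
            "finding": finding["Id"],
            "tier": tier,
            "action": action,
            "notify": finding["BusinessContext"]["owner"],
            "business_unit": finding["BusinessContext"]["business_unit"],
        })
    return decisions


if __name__ == "__main__":
    for decision in triage(SAMPLE_EVENT):
        print(decision)
```

The identity-related GuardDuty finding lands in tier 3 on purpose: it has no automated playbook and is high severity, so the enrichment only tells the responder who owns the resource rather than acting on it. Unknown owners are surfaced as `unknown` so that gaps in the deployment database are visible in the routing output.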
Partner integrations (50+ external partners and open-source tools)

Forwarding findings into AWS Security Hub: firewalls, vulnerability, endpoint, compliance, MSSP, other. “Taking action”: AWS Security Hub forwards findings to Amazon EventBridge (event-based).


Infrastructure protection
Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS

• AWS Firewall Manager: centrally configure and manage firewall rules across your accounts.
• AWS Network Firewall: deploy network firewall security across your VPCs.
• AWS Shield: maximize application availability and responsiveness with managed DDoS protection.
• AWS WAF: protects your web applications from common exploits.
• Amazon Virtual Private Cloud: define and launch AWS resources in a logically isolated virtual network.
• AWS PrivateLink: establish connectivity between VPCs and AWS services without exposing data to the internet.
• AWS Systems Manager: gain operational insights into AWS and on-premises resources.
• AWS Verified Access: provide secure access to corporate applications without a VPN.


Common Network Security Risks

• Denial of service: SYN floods, reflection attacks, web request floods
• App vulnerabilities: SQL injection, cross-site scripting (XSS), OWASP Top 10, common vulnerabilities and exposures (CVE)
• Bad bots: crawlers, content scrapers, scanners and probes


Protecting the network and application perimeter

• AWS Network Firewall: protects your Amazon VPCs with essential network security capabilities like intrusion prevention, stateful inspection, and web filtering
• AWS WAF: protects web applications by allowing you to write custom rules or choose managed rules from AWS or the AWS Marketplace
• AWS Shield Advanced*: managed threat protection that blocks DDoS attacks, vulnerability exploitation, and bad bots
• AWS Firewall Manager: centrally configure and manage security rules across accounts and applications

*Includes AWS WAF and AWS Firewall Manager at no additional cost


Perimeter protection: Overall picture

• Centrally enable baseline security using AWS WAF, Shield, VPC security groups, and VPC routes monitoring on Network Firewall across your organization
• Consistently enforce the protections, even as new applications are created
• View perimeter protection posture centrally across your AWS accounts

Diagram: AWS WAF, VPC security groups, AWS Shield, and AWS Network Firewall.


INTRODUCING AWS Network Firewall

• Managed infrastructure for high availability
• Flexible protection through fine-grained controls
• Consistent policy across VPCs and AWS accounts


AWS Network Firewall: At-a-Glance

Customer:
• Create firewall policy and rules
• Deploy and route traffic to firewall endpoint
• Centrally control with AWS Firewall Manager

AWS:
• Automatically scales with traffic
• Managed zonal affinity and session symmetry
• Throughput performance >45 Gbps
• Resilient with SLA of 99.99%


Distributed Security Inspection

Diagram: each VPC (VPC 1, VPC 2, VPC 3) hosts its own AWS Network Firewall endpoint in front of its instances.
Centralized Security Inspection

Diagram: VPCs 1 to 4 attach to a Transit Gateway; a dedicated inspection VPC hosts the AWS Network Firewall endpoint and handles both north-south inspection (Internet, Direct Connect, Site-to-Site/Client VPN) and east-west inspection (VPC to VPC traffic).


AWS WAF

• Frictionless setup: deploy without changing your existing architecture, and no need to configure TLS/SSL or DNS
• Low operation overhead: managed rules from AWS and AWS Marketplace, ready-to-use CloudFormation templates, built-in SQLi/XSS detection, and Bot Control
• Customizable security: highly flexible rule engine that can inspect any part of an incoming request under single-millisecond latency
• Simply pull in third-party rules: within the AWS WAF console, you can pivot to AWS Marketplace to select industry-leading security vendor rules to pull into AWS WAF

Diagram: AWS WAF in front of Amazon CloudFront, AWS Application Load Balancer, and Amazon API Gateway.
Benefits of AWS Shield Standard and AWS Shield Advanced

Shield Standard (included for everyone)
• Built-in DDoS protection for everyone
• Automatic protection across AWS Shield customers

Resource types shown for Standard / Advanced: Amazon Route 53, Amazon CloudFront, Elastic Load Balancing, AWS Global Accelerator, Elastic IP address

Shield Advanced adds
• Point-and-protect wizard
• Enhanced protection baselined to your traffic
• 24x7 access to the DDoS Response Team (DRT, now called the Shield Response Team)
• CloudWatch metrics, attack diagnostics, and the global threat environment dashboard
• AWS WAF at no additional cost for protected resources
• AWS Firewall Manager at no additional cost
• Cost protection for scaling during an attack
End result: A multi-layered security approach

(Diagram elements: Shield Advanced, Firewall Manager, CloudFront, WAF, ALB, EC2 instance, S3 bucket; public resources separated from private resources.)

Reference: https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/welcome.html
Data protection
A suite of services designed to automate and simplify many data protection and security tasks ranging from key management and storage to credential management.

Amazon Macie
Discover and protect your sensitive data at scale.

AWS Key Management Service (AWS KMS)
Create and control keys used to encrypt or digitally sign your data.

AWS CloudHSM
Manage single-tenant hardware security modules (HSMs) on AWS.

AWS Certificate Manager
Provision and manage SSL/TLS certificates with AWS services and connected resources.

AWS Secrets Manager
Centrally manage the lifecycle of secrets.

AWS VPN
Connect your on-premises networks and remote workers to the cloud.

Server-Side Encryption
Flexible data encryption options using AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys.

AWS Private CA
Create private certificates to identify resources and protect data.
Data stays where you put it
Data residency by default. You need to tell the service if you want to move data out of a Region, for example by configuring S3 Cross-Region Replication.

(Diagram: Amazon Simple Storage Service (Amazon S3) in Europe (Ireland) and Amazon S3 in US West (Oregon), with no data flow between them unless you configure one.)


Nitro Hypervisor - Next generation virtualization

(Diagram: virtual machines on Xen-based hosts compared with virtual machines on Nitro)

• No Dom0 in use by the Nitro hypervisor: a huge win for simplicity and safety
• No SSH or other interactive modes anywhere: no human access
• All access via 100% authenticated and authorized (AuthN/AuthZ) APIs with logging/auditing


Amazon Macie - Fully managed sensitive data types

Amazon Macie maintains a growing list of managed data identifiers that cover
common personally identifiable information (PII) and other sensitive data types
as defined by data privacy regulations and standards such as GDPR, PCI DSS, CCPA and
HIPAA.

Data identifiers
• Financial (card, bank account numbers…)
• Personal (names, address, contact…)
• National (passport, ID, driver license…)
• Medical (healthcare, drug agency …)
• Credentials & secrets (AWS secret keys, private keys …)



Amazon Macie - Custom-defined sensitive data types

Amazon Macie provides you the ability to add custom-defined data types using regular expressions to enable Macie to discover proprietary or unique sensitive data for your business. A custom data identifier has three parts:

• Regular expression that defines the pattern to match
• Keywords that define specific text which must appear near a match (within a configurable maximum match distance) for the match to count
• Ignore words that define specific text to exclude: a match that contains one of them is dropped
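An added example, not Macie's own code, showing how the three settings combine. It assumes a simplified form of the documented semantics (at least one keyword must appear in a window of max_match_distance characters before the match, and a match whose text contains an ignore word is dropped); the EMP-###### employee ID format, the keyword list and the sample text are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CustomDataIdentifier:
    """Illustrative emulation of a Macie custom data identifier (an assumption
    about the semantics, not Macie's own code).

    regex:              pattern that defines the text to match
    keywords:           at least one must appear within max_match_distance
                        characters before the match (empty list = no requirement)
    ignore_words:       a match whose text contains one of these is discarded
    max_match_distance: proximity window for keywords, in characters
    """
    name: str
    regex: str
    keywords: List[str] = field(default_factory=list)
    ignore_words: List[str] = field(default_factory=list)
    max_match_distance: int = 50

    def find(self, text: str) -> List[Tuple[int, str]]:
        """Return (offset, matched_text) for each match that survives both checks."""
        pattern = re.compile(self.regex)
        lowered = text.lower()
        hits = []
        for m in pattern.finditer(text):
            matched = m.group(0)
            # Ignore words: drop the match if the matched text contains one
            if any(w.lower() in matched.lower() for w in self.ignore_words):
                continue
            # Keywords: require one in the window immediately before the match
            if self.keywords:
                window = lowered[max(0, m.start() - self.max_match_distance):m.start()]
                if not any(k.lower() in window for k in self.keywords):
                    continue
            hits.append((m.start(), matched))
        return hits


# Constructed identifier for a hypothetical internal employee ID format EMP-######
EMPLOYEE_ID = CustomDataIdentifier(
    name="AcmeEmployeeId",
    regex=r"\bEMP-\d{6}\b",
    keywords=["employee id", "emp id", "staff number"],
    ignore_words=["EMP-000000"],   # placeholder value used in documentation, never a real record
    max_match_distance=30,
)

# Constructed sample document (not real data); comments show the expected decision
SAMPLE_TEXT = (
    "Employee ID: EMP-104233 joined the SRE team.\n"             # keyword nearby -> reported
    "Ticket EMP-558812 was filed last week.\n"                    # no keyword     -> skipped
    "Example in the onboarding doc: staff number EMP-000000.\n"  # ignore word    -> skipped
    "Staff number on badge: EMP-771902\n"                         # keyword nearby -> reported
)


def scan(text: str = SAMPLE_TEXT, identifier: CustomDataIdentifier = EMPLOYEE_ID) -> List[str]:
    """Run the identifier over text and return the matched values in document order."""
    return [value for _, value in identifier.find(text)]


if __name__ == "__main__":
    for offset, value in EMPLOYEE_ID.find(SAMPLE_TEXT):
        print(f"{EMPLOYEE_ID.name} at offset {offset}: {value}")
```

The second line of the sample shows why keywords matter: the bare regex alone would report a ticket number that merely looks like an employee ID, which is the false-positive class that keyword proximity and ignore words exist to suppress.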



Incident response
During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.

Amazon Detective
Analysis and visualization of security data to get to the root cause of potential security issues quickly

Amazon EventBridge
Serverless event bus that makes it easier to build event-driven applications to scale your programmed, automated response to incidents

AWS Backup
Centrally manage and automate backups across AWS services to simplify data protection at scale

AWS Security Hub
Out-of-the-box integrations with ticketing, chat, SIEM, SOAR, threat investigation, incident management, and GRC tools to support your security operations workflows

AWS Elastic Disaster Recovery
Fast, automated, cost-effective disaster recovery


Security finding flows

(Diagram of how findings move between services:)

• AWS service findings from AWS Personal Health Dashboard, AWS Config, Amazon Inspector, Amazon GuardDuty, AWS Systems Manager, AWS Firewall Manager, Amazon Macie and AWS Identity and Access Management (IAM), plus partner findings from many other partner solutions, flow into AWS Security Hub
• Findings are also delivered to Amazon Security Lake
• Take action and remediate findings with AWS services and AWS Partner solutions: Security Hub publishes findings to Amazon EventBridge, which targets AWS Lambda, AWS Systems Manager, or AWS Step Functions
• Security Hub check results feed investigations in Amazon Detective and audit prep in AWS Audit Manager, plus many other partner solutions
• Findings cover the AWS service categories Compute, Storage, Database, Containers, Networking & content delivery, Management & governance, and Security, identity & compliance


Simple and Scalable Security Monitoring

Scale existing services: customers use the same console, findings, and experience
Simple and easy deployment: one-click enables container support; AWS Organizations assures environment-wide enablement (new customers have support on by default)
Continuous monitoring: centralization of security findings scales and automates operations

GuardDuty EKS Protection (Amazon GuardDuty)
GuardDuty monitors the EKS cluster via Kubernetes audit logs (KAL)

GuardDuty Malware Protection
At launch, is aware of containers running on EC2

Detective EKS Investigation (Amazon Detective)
Detective is container-aware and continuously aggregates KAL into its graph model and analytics. Pivot from the GuardDuty console to immediately investigate findings for root cause analysis.

Inspector ECR Support (Amazon Inspector)
Inspector scans ECR images on push and continually for software vulnerability management, and integrates with the ECR console for easy builder communication

Automate Response (AWS Security Hub)
Initiate automated remediation, invoke runbooks, integrate with ticketing and workflow tools
Customizable response and remediation actions

(Diagram: a Security Hub finding event reaches Amazon CloudWatch Events, where a custom rule routes it to a Lambda function, a Systems Manager Automation document, or an AWS Step Function that performs the remediation.)

1. All findings are automatically sent to CloudWatch Events (now Amazon EventBridge).
2. A Security Hub user can select findings in the console and take a custom action on them. These findings are sent to CloudWatch Events decorated with a custom action ID.
3. The user creates CloudWatch Events rules to look for certain findings associated with a custom action ID, or findings with specific characteristics.
4. The rule defines a target, typically a Lambda function, Step Function, or Automation document.
5. The target could be things like a chat, ticketing, on-call management, or SOAR platform, or a custom remediation playbook.
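The five steps above as an added example, not code from the deck: the EventBridge rule pattern that selects events for one custom action (step 3) and a Lambda target (step 4) that turns the Security Hub custom-action event into remediation playbook invocations (step 5). The custom action name, the playbook names and the sample findings are constructed assumptions; the event envelope ("Security Hub Findings - Custom Action", detail.findings) and the ASFF field names follow the Security Hub documentation. The handler filters out archived or already-resolved findings, deduplicates the same fix for the same resource, and orders work by severity; executing the playbooks with boto3 is left as a comment because it cannot run offline.

```python
from typing import Any, Dict, List

# Assumed name of the custom action created in the Security Hub console (step 2)
CUSTOM_ACTION_ARN = "arn:aws:securityhub:us-east-1:123456789012:action/custom/RemediateExposure"

# Step 3: the EventBridge rule pattern that selects only events carrying this custom action
EVENT_PATTERN: Dict[str, List[str]] = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [CUSTOM_ACTION_ARN],
}

# Step 4/5: which playbook handles which ASFF resource type (playbook names are assumptions)
PLAYBOOKS = {
    "AwsS3Bucket": "s3-put-public-access-block",
    "AwsEc2SecurityGroup": "ec2-revoke-world-ingress",
}

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}


def matches_pattern(event: Dict[str, Any], pattern: Dict[str, List[str]]) -> bool:
    """Minimal EventBridge-style exact matching: every pattern key must be present in the
    event and its value (scalar or list) must contain one of the listed alternatives."""
    for key, allowed in pattern.items():
        value = event.get(key)
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False
    return True


def plan_remediation(event: Dict[str, Any]) -> List[Dict[str, str]]:
    """Turn a custom-action event into one playbook invocation per live finding resource."""
    if not matches_pattern(event, EVENT_PATTERN):
        return []
    plan, seen = [], set()
    for finding in event["detail"]["findings"]:
        # Only act on findings that are still active and not already closed by an analyst
        if finding.get("RecordState") != "ACTIVE":
            continue
        if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
            continue
        for resource in finding.get("Resources", []):
            playbook = PLAYBOOKS.get(resource.get("Type"))
            if playbook is None or (playbook, resource["Id"]) in seen:
                continue                          # unsupported type, or same fix already queued
            seen.add((playbook, resource["Id"]))
            plan.append({
                "playbook": playbook,
                "resource": resource["Id"],
                "region": resource.get("Region", event["region"]),
                "finding_id": finding["Id"],
                "severity": finding.get("Severity", {}).get("Label", "INFORMATIONAL"),
            })
    plan.sort(key=lambda a: SEVERITY_ORDER.get(a["severity"], len(SEVERITY_ORDER)))
    return plan


def lambda_handler(event: Dict[str, Any], context=None) -> Dict[str, Any]:
    """Lambda target of the rule. A deployed version would execute each entry with boto3
    (for example S3Control PutPublicAccessBlock) or start a Step Functions/SSM runbook."""
    return {"actions": plan_remediation(event)}


def _finding(fid: str, rtype: str, rid: str, severity: str, workflow: str, record: str) -> Dict[str, Any]:
    """Build a constructed ASFF finding carrying just the fields the handler reads."""
    return {
        "SchemaVersion": "2018-10-08", "Id": fid, "AwsAccountId": "123456789012",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "Severity": {"Label": severity}, "Compliance": {"Status": "FAILED"},
        "Resources": [{"Type": rtype, "Id": rid, "Region": "us-east-1"}],
        "Workflow": {"Status": workflow}, "RecordState": record,
    }


# Constructed event: what EventBridge delivers after an analyst applies the custom action
SAMPLE_EVENT = {
    "version": "0", "id": "constructed-event-id", "account": "123456789012",
    "detail-type": "Security Hub Findings - Custom Action", "source": "aws.securityhub",
    "time": "2023-05-01T12:00:00Z", "region": "us-east-1", "resources": [CUSTOM_ACTION_ARN],
    "detail": {
        "actionName": "RemediateExposure", "actionDescription": "Close world-reachable exposure",
        "findings": [
            _finding("f/s3-public", "AwsS3Bucket", "arn:aws:s3:::example-public-bucket", "HIGH", "NEW", "ACTIVE"),
            _finding("f/sg-ssh", "AwsEc2SecurityGroup",
                     "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0",
                     "CRITICAL", "NEW", "ACTIVE"),
            _finding("f/s3-public-dup", "AwsS3Bucket", "arn:aws:s3:::example-public-bucket", "HIGH", "NOTIFIED", "ACTIVE"),
            _finding("f/s3-old", "AwsS3Bucket", "arn:aws:s3:::example-old-bucket", "HIGH", "RESOLVED", "ARCHIVED"),
        ],
    },
}

if __name__ == "__main__":
    for action in lambda_handler(SAMPLE_EVENT)["actions"]:
        print(f'{action["severity"]:<8} {action["playbook"]} -> {action["resource"]}')
```

Keep the rule pattern narrow (source, detail-type and the exact custom action ARN): a rule on `aws.securityhub` alone would also fire for every imported finding and every workflow update, and an automated remediation target that runs on those is how a playbook ends up revoking ingress on a security group an analyst already marked as accepted.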


Compliance
AWS supports security standards and compliance certifications to help you satisfy compliance requirements for virtually every regulatory agency around the globe.

AWS Artifact
No-cost, self-service portal for on-demand access to AWS compliance reports

AWS Audit Manager
Continuously audit your AWS usage to simplify how you assess risk and compliance


AWS Config = Continuous configuration auditor

• Continuously tracks resource configuration changes.
• Evaluates the configuration against policies defined using AWS Config rules.
• Alerts you if the configuration is noncompliant using Amazon SNS and Amazon EventBridge (formerly CloudWatch Events).

(Diagram: changing resources feed AWS Config, which evaluates them with AWS Config rules and produces notifications, automation, and configuration history.)
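An added example, not from the deck, of the "evaluate against a policy" step: a custom AWS Config rule Lambda, triggered on configuration change, that marks a security group NON_COMPLIANT when any blocked port (default 22 and 3389) is reachable from 0.0.0.0/0 or ::/0. The security group contents are constructed sample data; the invoking event shape (invokingEvent, ruleParameters, resultToken, configurationItem) follows the AWS Config custom Lambda rule contract, and the config_client parameter is an assumption added so the logic runs offline without boto3.

```python
import json
from typing import Any, Dict, List, Tuple

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def exposed_blocked_ports(configuration: Dict[str, Any], blocked_ports: List[int]) -> List[int]:
    """Return the blocked ports that this security group's ingress rules open to the whole Internet."""
    exposed = set()
    for perm in configuration.get("ipPermissions", []):
        open_v4 = any(r.get("cidrIp") == ANY_V4 for r in perm.get("ipRanges", []))
        open_v6 = any(r.get("cidrIpv6") == ANY_V6 for r in perm.get("ipv6Ranges", []))
        if not (open_v4 or open_v6):
            continue
        proto = perm.get("ipProtocol")
        if proto == "-1":                      # "all traffic": every blocked port is exposed
            exposed.update(blocked_ports)
        elif proto in ("tcp", "6"):            # a TCP port range; -1/None ports mean "all"
            lo, hi = perm.get("fromPort"), perm.get("toPort")
            if lo in (None, -1) or hi in (None, -1):
                exposed.update(blocked_ports)
            else:
                exposed.update(p for p in blocked_ports if lo <= p <= hi)
    return sorted(exposed)


def evaluate_compliance(item: Dict[str, Any], params: Dict[str, str]) -> Tuple[str, str]:
    """Map one configuration item to an AWS Config compliance type plus a short annotation."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates security groups"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource was deleted"
    blocked = [int(p) for p in params.get("blockedPorts", "22,3389").split(",") if p.strip()]
    exposed = exposed_blocked_ports(item.get("configuration", {}), blocked)
    if exposed:
        return "NON_COMPLIANT", f"Ports {exposed} are open to {ANY_V4} or {ANY_V6}"
    return "COMPLIANT", "No blocked port is reachable from the Internet"


def lambda_handler(event: Dict[str, Any], context=None, config_client=None):
    """Entry point for a configuration-change-triggered custom rule.

    config_client is injected so the logic runs offline; a deployed rule passes
    boto3.client("config") and the evaluation reaches AWS Config via PutEvaluations.
    """
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:   # e.g. OversizedConfigurationItemChangeNotification: fetch the item with
        return None    # GetResourceConfigHistory before evaluating; not shown here
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],                       # AWS Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(ip_permissions: List[Dict[str, Any]], blocked_ports: str = "22,3389") -> Dict[str, Any]:
    """Build a constructed invoking event in the shape AWS Config hands to a custom Lambda rule."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::EC2::SecurityGroup",
                "resourceId": "sg-0123456789abcdef0",            # constructed sample ID
                "configurationItemCaptureTime": "2023-05-01T12:00:00.000Z",
                "configurationItemStatus": "OK",
                "configuration": {"ipPermissions": ip_permissions},
            },
        }),
        "ruleParameters": json.dumps({"blockedPorts": blocked_ports}),
        "resultToken": "constructed-result-token",
    }


# Constructed samples: SSH from anywhere (bad) next to HTTPS from anywhere (expected for a web tier)
SSH_AND_HTTPS_OPEN = [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": ANY_V4}], "ipv6Ranges": []},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": ANY_V4}], "ipv6Ranges": []},
]
HTTPS_ONLY = [SSH_AND_HTTPS_OPEN[1]]
ALL_TRAFFIC_V6 = [{"ipProtocol": "-1", "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": ANY_V6}]}]

if __name__ == "__main__":
    for label, perms in (("ssh+https", SSH_AND_HTTPS_OPEN), ("https only", HTTPS_ONLY), ("all v6", ALL_TRAFFIC_V6)):
        print(label, "->", lambda_handler(make_event(perms))["ComplianceType"])
```

The two easy-to-miss cases the helper covers are the `-1` protocol (all traffic) and an IPv6-only `::/0` rule; a rule that only looks at `cidrIp` on TCP port 22 reports COMPLIANT for both, which is the gap an attacker scanning IPv6 ranges finds.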


Manage risk – AWS Config

Cloud CMDB (configuration management database)
• Track configuration changes of AWS and third-party resources
• Save configuration snapshots for audit tracking
• Integrate with existing solutions for CMDB (ServiceNow)

Compliance management (evaluate for compliance and remediate)
• Ensure continuous compliance evaluation of resources
• Enable remediation actions for non-compliant resources
• Select from out-of-the-box compliance standard templates or build your own

Visualize configuration and compliance across accounts and Regions with Config aggregators and Advanced Queries


AWS Config - Conformance packs

• A single ARN-able entity called a conformance pack
• Deploy the pack from the delegated admin account
• Create immutable rules
• Process check rules
• Simplify reporting
• 75+ sample conformance pack templates
• Use cases: operational best practices and customized compliance


AWS Config compliance score for conformance packs

• Get a quantitative measure of compliance status at a glance
• Measures compliance for each rule/resource combination
• Historical view of compliance of conformance packs
• Measure the impact of changes
• Prioritize the non-compliant conformance packs


The Evidence Journey

1. Gather log data: AWS CloudTrail, AWS Config, AWS Security Hub, AWS License Manager, AWS Control Tower
2. Convert to Audit Manager raw evidence in a universal format
3. Select and evaluate raw evidence
4. Map annotated and aggregated evidence to audit controls

(Diagram: raw evidence such as "Raw Evidence 1" is mapped in an Audit Manager assessment to an internal control, "Internal Control A", and from there to audit controls 1-a, 1-b, and so on.)


AWS Audit Manager frameworks
INCLUDES PRE-BUILT ASSESSMENT FRAMEWORKS FROM AWS AND AWS PARTNERS

• NIST 800-53 (Rev. 5) (Low-Moderate-High) * new
• CIS (Center for Internet Security) Foundations Benchmark & CIS Controls v7.1
• PCI DSS (Payment Card Industry Data Security Standard)
• GDPR (General Data Protection Regulation)
• GxP (Good Practice Quality guidelines)
• GLBA (Financial Service Modernization Act of 1999)
• HIPAA (Health Insurance Portability and Accountability Act)
• FedRAMP moderate (Federal Risk and Authorization Management Program)
• SOC 2 (Service and Organization Controls)
• ISO 27001 (International Standard for Information Security Controls)
• AWS operational best practices (for Amazon S3, IAM, and Amazon DynamoDB)
• AWS Control Tower framework
• Software licensing

AWS Audit Manager also supports custom-defined controls and compliance frameworks.
Assurance of risk management – AWS Audit Manager

AWS Audit Manager: continuously audit your AWS usage to simplify how you assess risk and compliance, and assess control effectiveness.

1. Review, customize, or create a framework: review prebuilt frameworks and included controls, customize an existing framework, or define your own
2. Select a prebuilt or custom framework: use a prebuilt framework or select your customized framework to begin an assessment
3. Define the scope of the assessment: specify the accounts and services in scope, in a Region, for the assessment
4. Activate the assessment to continuously gather evidence
5. Conduct control reviews and/or delegate to resource owners to validate
6. Generate audit-ready reports: assessment reports with links to evidence


Assurance of risk management –
AWS Audit Manager evidence sources

• Manually uploaded evidence (e.g., documentation or evidence from non-AWS sources)
• Compliance checks for security findings from AWS Security Hub
• Compliance checks for resource configurations from AWS Config (custom AWS Config rules are supported)
• User activity logs from AWS CloudTrail
• Configuration snapshots from AWS API calls


Wrap Up

https://docs.aws.amazon.com/security/

Available Resources and Reports
https://aws.amazon.com/compliance/
https://aws.amazon.com/artifact/

Thank you!
https://aws.amazon.com/security/
https://aws.amazon.com/products/security

@AWSSecurityInfo