1. Security Essentials & Best Practices
© 2017 Amazon Web Services, Inc. and its affiliates. All rights served. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon Web Services, Inc.

2. Overview
Overview of the AWS cloud security concepts such as the AWS Security Center, Shared Responsibility Model, and Identity and Access Management.

3. 1
AWS Security

4. What are your perceptions
on cloud security?
Start the session off with this question to engage the audience, and spark discussion. Get a sense of where their understanding of cloud security is. This will also give you (the presenter) a sense of the areas to focus on during the presentation

5. "The financial service industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers."
Rob Alexander Capital One's chief information officer (presented at AWS re:Invent 2015 user conference keynote)
Also, mention the IDC whitepaper: “Assessing the Risk: Yes, the Cloud can be More Secure than your On-Premises Environment”
--Pete Lindstrom, June 2015

6. At AWS, cloud security is job zero.
All AWS customers benefit from a data center and network architecture built to satisfy the requirements of the most security-sensitive organizations.

7. Gain access to a world-class security team
Where would some of the world’s top security people like to work? At scale on huge challenges with huge rewards
So AWS has world-class security and compliance teams watching your back!
Every customer benefits from the tough
scrutiny of other AWS customers

8. Broad Accreditations & Certifications
Glacier Vault Lock
& SEC Rule 17a-4(f)

9. Shared Responsibility Model2
Shared Responsibility Model

10. AWS Shared Responsibility Model
Customer
Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer (EC2)
Hardened service endpoints
Rich IAM capabilities
Network configuration
Security groups
OS firewalls
Operating systems
Applications
Proper service configuration
AuthN & acct management
Authorization policies + =
More secure and compliant systems than any one entity could achieve on its own at scale .
Scope of responsibility depends on the type of service offered by AWS: Infrastructure, Container, Abstracted Services
Understanding who is responsible for what is critical to ensuring your AWS data and systems are secure!
There’s a shared responsibility to accomplish security and compliance objectives in AWS cloud. There are some elements that AWS takes responsibility for, and others that the customer must address. The outcome of the collaborative approach is positive results seen by customers around the world.

11. Shared Responsibility Model
Customer
Customer content
Customers are responsible for their security and compliance IN the Cloud
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Client-side Data Encryption
Server-side Data Encryption
Network Traffic Protection
AWS
AWS Foundation Services
AWS is responsible for the security OF
the Cloud
Compute
Storage
Database
Networking
Availability Zones
AWS Global Infrastructure
Edge Locations
Regions
We look after the security OF the cloud, and you look after your security IN the cloud.

12. Meet your own security objectives
Customer scope and effort is reduced
Better results through focused efforts
Built on AWS consistent baseline controls
Customer
Your own accreditation
Your own certifications
Your own external audits
AWS
AWS Foundation Services
Compute
Storage
Database
Networking
Availability Zones
AWS Global Infrastructure
Edge Locations
Regions
Segway to talk about FedRAMP potentially and share your experiences from around the world!

13. AWS Responsibilities Physical Security of Data Center
Amazon has been building large-scale data centers for many years.
Important attributes:
Non-descript facilities
Robust perimeter controls
Strictly controlled physical access
Two or more levels of two-factor authentication
Controlled, need-based access.
All access is logged and reviewed.
Separation of Duties
Employees with physical access don’t have logical privileges.

14. AWS Responsibilities EC2 Security Network Security
Host operating system
Individual SSH keyed logins via bastion host for AWS admins
All accesses logged and audited
Guest (a.k.a. Instance) operating system
Customer controlled (customer owns root/admin)
AWS admins cannot log in
Customer-generated keypairs
Stateful firewall
Mandatory inbound firewall, default deny mode
Customer controls configuration via Security Groups
Network Security
IP Spoofing prohibited at host OS level.
Packet sniffing is ineffective (protected at hypervisor level).
Unauthorized Port Scanning a violation of TOS and is detected/blocked.
Inbound ports blocked by default.

15. AWS Responsibilities Configuration Management
Built for “Continuous Availability”
Most updates are done in such a manner that they will not impact the customer.
Changes are authorized, logged, tested, approved, and documented.
AWS will communicate with customers, either via , or through the AWS Service Health Dashboard ( when there is a potential for service being affected.
Scalable, fault tolerant services.
All availability zones (AZs) are always on.
There is no “Disaster Recovery Datacenter”
All managed to the same standards
Robust Internet connectivity
Each AZ has redundant, Tier 1 ISP Service Providers
Resilient network infrastructure

16. AWS Responsibilities Disk Management Storage Device Decommissioning
Proprietary disk management prevents customers from accessing each other’s data.
Disks wiped prior to use.
Disks can also be encrypted by the customer for additional security.
All storage devices go through process using techniques from:
DoD M (“National Industrial Security Program Operating Manual “).
NIST (“Guidelines for Media Sanitization”).
Ultimately devices are:
Degaussed.
Physically destroyed.

17. Under the AWS Shared Responsibility Model
AWS Responsibility? or Customer Responsibility?
Patching the operating system with the latest security patches
Installing camera systems to monitor the physical datacenters
Configuring the Security Group rules that determine which ports are open on the EC2 Linux instance
Shredding disk drives before they leave a datacenter
Toggling on the Server-side encryption feature for S3 buckets
Preventing packet sniffing at the hypervisor level
Securing the internal network inside the AWS datacenters
This is a quick quiz to keep the audience engaged, and test their understanding of the AWS Shared Responsibility Model which is one of the most important take-aways we want attendees to have.
If they get any answer wrong, use that opportunity to further clarify why the answer is a wrong one.

18. Under the AWS Shared Responsibility Model
AWS Responsibility? or Customer Responsibility?
Patching the operating system with the latest security patches
Installing camera systems to monitor the physical datacenters
Configuring the Security Group rules that determine which ports are open on the EC2 Linux instance
Shredding disk drives before they leave a datacenter
Toggling on the Server-side encryption feature for S3 buckets
Preventing packet sniffing at the hypervisor level
Securing the internal network inside the AWS datacenters
This is a quick quiz to keep the audience engaged, and test their understanding of the AWS Shared Responsibility Model which is one of the most important take-aways we want attendees to have.
If they get any answer wrong, use that opportunity to further clarify why the answer is a wrong one.

19. Identity and Access Management3
Identity and Access Management

20. What is Identity Management?
“…the management of individual principals, their authentication, authorization, and privileges …with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.” (Wikipedia)
IAM allows you to implement a comprehensive access control on AWS resources.
IAM is giving you the ability to Authenticate, Authorize, Log all access.
-> Authenticate, including regular credentials or with strong authentication for your privilege users (or everybody), as well authenticate an other AWS accounts or even trust other Identity Providers
-> Authorize with granularity who can do what. Therefore you can implement Least Privilege and Segregation of Duties.
-> And finally, Log every allow and deny in CloudTrail, for troubleshoot or audit purposes.
Basically when you think Access control with AWS resources then think IAM… Every time.

21. IAM Username/Password
AAA with AWS
Authenticate
IAM Username/Password
Access Key
(+ MFA)
Federation
Authorize
IAM Policies
Audit
CloudTrail

22. Considerations for Layers of Principals
Applications
Identities: Application Users, Application Administrators
Considerations for Layers of Principals
Operating Systems
Identities: Developers, and/or Systems Engineers
Amazon Web Services
Identities: Developers, Solutions Architects, Testers, Software/Platform
Interaction of AWS Identities:
Provisioning/deprovisioning EC2 instances and EBS storage.
Configuring Elastic Load Balancers.
Accessing S3 Objects or data in DynamoDB.
Accessing data in DynamoDB.
Interacting with SQS queues.
Sending SNS notifications.
Key takeaway here is: Identities for Applications and Operating Systems are outside of the scope of AWS IAM

23. AWS Principals Account Owner ID (Root Account)
IAM Users, Groups and Roles
Access to all subscribed services.
Access to billing.
Access to console and APIs.
Access to Customer Support.
Temporary Security Credentials
Access to specific services.
Access to console and/or APIs.
Access to Customer Support (Business and Enterprise).
Access to specific services.
Access to console and/or APIs.

24. AWS Identity Authentication
AWS Management Console
API access
AWS Identity Authentication
Authentication: How do we know you are who you say you are?
Login with Username/Password with optional MFA (recommended)
Access API using Access Key + Secret Key, with optional MFA
ACCESS KEY ID
Ex: AKIAIOSFODNN7EXAMPLE
SECRET KEY
Ex: UtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
For time-limited access: Call the AWS Security Token Service (STS) to get a temporary AccessKey + SecretKey + session token
For time-limited access: a Signed URL can provide temporary access to the Console
The key takeaway here is that you use different approaches to login to the Console vs API access.

25. AWS Authorization and Privileges
Authorization: What are you allowed to do?
Account Owner (Root)
Privileged for all actions.
Note: Always associate the account owner ID with an MFA device and store it in a secured place!
IAM Policies
Privileges defined at User and Resource Level
Account Owner
Can do anything
IAM Policies
User Level
Resource Level

26. AWS IAM Hierarchy of Privileges
Enforce principle of least privilege with Identity and Access Management (IAM) users, groups, and policies and temporary credentials.
Permissions
Example
Unrestricted access to all enabled services and resources.
Action: *
Effect: Allow
Resource: *
(implicit)
Access restricted by Group and User policies
Action: [‘s3:*’,’sts:Get*’]
Access restricted by generating identity and further by policies used to generate token
Action: [ ‘s3:Get*’ ]
Resource: ‘arn:aws:s3:::mybucket/*’
AWS Account Owner (Root)
AWS IAM User
Temporary Security Credentials

27. AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources for your users.
Optional Configurations:
Username/User
Manage groups of users
Centralized Access Control
Password for console access.
Policies for controlling access AWS APIs.
Two methods to sign API calls:
X.509 certificate
Access/Secret Keys
Multi-factor Authentication (MFA)
A username for each user
Groups to manage multiple users
Centralized access control
Optional provisions:
Password for console access
Policies to control access to AWS APIs
Two methods to sign API calls:
X.509 certificate
Access Key ID + Secret Access Key
Multifactor Authentication

28. Identity and Access Management
Local User Databases
LDAP Directories
Identity and Access Management
Common approaches for Applications and Operating Systems
On-premise accessed over VPN.
Replicated to AWS (read-only or read/write)
Federated (one-way trusts, ADFS).
Managed Samba-based directories via AWS Directory Services.
Local Password (passwd) files
Local Windows admin accounts
User Databases
AWS
Directory Service
Domain
Controller
User DB
LDAP Directories:
EC2 instances access on-premise directory servers via VPN.
Directory servers replicated to AWS as read-only or read/write directory servers on EC2 instance(s).
Create federation via one-way trust or Active Directory Federation Services.
Leverage AWS Directory Services for Samba-based directory services.

29. AWS Directory Service
Use your existing Corporate Credentials for
AWS-based applications
AWS Management Console
Managed service for Active Directory
Microsoft AD Based on Microsoft Active Directory in Windows Server 2012 R2. Supports adding trust relationships with on-premises domains. Extend your schema using MS AD
Simple AD A Microsoft Active-Directory compatible directory powered by Samba 4.
AD Connector
Connect to your on-premises Active Directory. Integrates with existing RADIUS MFA solutions.

30. 4
Encryption

31. How are you currently encrypting your data?
Use this question as a conversation starter to discuss the value of encryption, why it’s not just for financial services and healthcare, and how AWS not only provides for encryption, but makes it easier.

32. Encryption. Protecting data in-transit and at-rest.
Encryption In-Transit
Encryption At-Rest
HTTPS
Object
SSL/TLS
Database
VPN / IPSEC
Filesystem
SSH
Disk
Details about encryption can be found in the AWS Whitepaper,
“Securing Data at Rest with Encryption”.
This slide is not about teaching what encryption is or the differences between transit and rest. It is about mentioning that not only do we provide our customers the ability to encrypt their data as it sits and flows through and in/out of our environment, but that we provide many services and features that make it easier. You should call out KMS, CloudHSM, VGW, EBS encryption, ELB SSL offloading, RDS Oracle TDE, MSSQL TDE, S3 object encryption, etc.
If the customer is currently not encrypting data (either in transit or at rest), this might be a good place to discuss the differences and emphasis the need to do so under the shared responsibility model.

33. Encryption at Rest Volume Encryption Object Encryption
EBS Encryption
Filesystem Tools
AWS Marketplace/Partner
Database Encryption
S3 Server Side Encryption (SSE)
S3 SSE w/ Customer Provided Keys
Client-Side Encryption
RDS MSSQL TDE
RDS ORACLE TDE/HSM
RDS
MYSQL KMS
RDS PostgreSQL KMS
Redshift Encryption

34. AWS Certificate Manager
AWS Certificate Manager (ACM) makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform.
Provision trusted SSL/TLS certificates from AWS for use with AWS resources:
Elastic Load Balancing
Amazon CloudFront distributions
AWS handles the muck
Key pair and CSR generation
Managed renewal and deployment
Domain validation (DV) through
Available through AWS Management console, CLI, or API

35. AWS Key Management Service
Managed service to securely create, control, rotate, and use encryption keys.
Customer Master Key(s)
Data Key 1
Amazon S3 Object
Amazon EBS Volume
Amazon Redshift Cluster
Data Key 2
Data Key 3
Data Key 4
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect your data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
Integrated with AWS SDKs and AWS services:
S3, EBS, AWS Import/Export Snowball, RDS, Redshift, CodeCommit, CloudTrail, EMR, Kinesis Firehose, Elastic Transcoder, SES, WorkSpaces, WorkMail
Centralized control.
Easy and automatic key rotation (KMS keeps track of old keys for decryption)
*New Feature*: Bring your own keys to KMS

36. Amazon Virtual Private Cloud
AWS CloudHSM
Help meet compliance requirements for data security by using a dedicated Hardware Security Module appliance with AWS.
AWS CloudHSM
AWS Administrator – manages the appliance
You – control keys and crypto operations
Amazon Virtual Private Cloud
Dedicated, single-tenant hardware device
Can be deployed as HA and load balanced
Customer use cases:
Oracle TDE
MS SQL Server TDE
Setup SSL connections
Digital Rights Management (DRM)
Document Signing
The most important part about the CloudHSM service is that you and only you control the keys stored on the HSM. Because of the properties of the HSM that we discussed earlier, separation of duties and physical protection of the keys, and third party validation, you can trust that the HSM is securely storing your keys so that you and only you have access to the keys.
AWS manages and monitors the HSM appliances, but does not have access to the keys. In fact, if you lose the access to your credentials, AWS can’t help you recover your key material. You can recover from your own backup if you have a backup with the required credentials.
The CloudHSM appliances are inside your VPC, so you can use familiar network security groups and ACLs to limit access to the HSM.
We use SafeNet Luna SA HSMs with the service today.
CloudHSM customers are using it to protect master keys for database encryption such as Oracle TDE or MS SQL Server TDE, With Apache to protect the private key used to set up SSL connections, for Digital Rights Management (DRM), and for document signing.
You can find out more about CloudHSM at aws.amazon.com/cloudhsm

37. Configuration Management5
Configuration Management

38. Vulnerability Assessment Service
Amazon Inspector
Vulnerability Assessment Service
Built from the ground up to support DevSecOps
Automatable via APIs
Integrates with CI/CD tools
On-Demand Pricing model
Static & Dynamic Rules Packages
Generates Findings

39. AWS WAF
Let’s talk about why we built the WAF based on customer feedback.
Initially the WAF will be a CDN offering, but will be extended shortly after launch to include ELB
WAFs help protect web sites & applications against attacks that cause data breaches and downtime.
General WAF use cases
Protect from SQL Injection (SQLi) and Cross Site Scripting (XSS)
Prevent Web Site Scraping, Crawlers, and BOTs
Mitigate DDoS (HTTP/HTTPS floods)
Gartner reports that main driver of WAF purchase (25-30%) is PCI compliance

40. AWS CloudTrail
Web service that records AWS API calls for your account and delivers logs.
Who?
When?
What?
Where to?
Where from?
Bill
3:27pm
Launch Instance
us-west-2
Alice
8:19am
Added Bob to admin group
us-east-1
Steve
2:22pm
Deleted DynamoDB table
eu-west-1
Who made the API call?
When was the API call made?
What was the API call?
Which resources were acted up on in the API call?
Where was the API call made from and made to?
Stored durably in S3
Discuss ways to consume CloudTrail logs (Console, CLI, Splunk, SumoLogic, AlertLogic, Loggly, DataDog, etc.)

41. AWS CloudWatch What does it do? How can you use it?
Monitoring services for AWS Resources and AWS-based Applications.
What does it do?
Collect and Track Metrics
Monitor and Store Logs
Set Alarms (react to changes)
View Graphs and Statistics
How can you use it?
Monitor CPU, Memory, Disk I/O, Network, etc.
CloudWatch Logs / CloudWatch Events
CloudWatch Alarms
CloudWatch Dashboards
CloudWatch Metrics
React to application log events and availability
Automatically scale EC2 instance fleet
View Operational Status and Identify Issues
You can use Amazon CloudWatch to gain system-wide visibility into resource utilization, application performance, and operational health. You can use these insights to react and keep your application running smoothly.

42. VPC Flow Logs Agentless Enable per ENI, per subnet, or per VPC
Logged to AWS CloudWatch Logs
Create CloudWatch metrics from log data
Alarm on those metrics
Interface
Source IP
Source port
Protocol
Packets
AWS
account
Accept or reject
Destination IP
Destination port
Bytes
Start/end time
No Agents! Just Turn it on. No really, Ill wait.
Enable per ENI, per Subnet or per VPC
All network traffic data is logged to CloudWatch logs so you get durable storage but also all the analysis features such as filter queries and metric creation
And then Create Alarms on those metrics
Collected, processed and stored in ~10 minute capture windows into Cloudwatch Logs

43. VPC Flow Logs Amazon Elasticsearch Service
Amazon CloudWatch Logs subscriptions
Or roll your own real time network dashboard with the new Amazon Elasticsearch Service
Also based on a CloudWatch Logs Subscription filter that tees Flow Log data into a Kinesis stream and a stream reader then takes data and puts it into Elasticsearch
See Jeff’s blog post where he details how to setup this VPC Flow Dashboard in a few clicks

44. Portfolio w/Permissions
AWS Service Catalog
Self-service portal for creating and managing resources in AWS.
Administrator
CloudFormation
Template
Create
Portfolio w/Permissions
Service Catalog
Product
Notifications
Portfolio A B
Deployed Stack(s)
Launch Products
Browse Products
End Users
Create and manage approved catalogs of resources.
End users browse and launch products via self-service portal.
Control user access to applications or AWS resources per compliance needs.
Extensible via API to existing self-service frameworks.

45. AWS Config
Managed service for tracking AWS inventory and configuration, and configuration change notification.
AWS Config
EC2
VPC
EBS
CloudTrail
Security Analysis
Audit Compliance
Change Management
Troubleshooting
Discovery
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Use Cases:
Security analysis: Am I safe?
Audit compliance: Where is the evidence?
Change management: What will this change affect?
Troubleshooting: What has changed?
Discovery: What resources exist?

46. AWS Config & Config Rules
Changing
Resources
Record
Normalize
Rules
Store
Deliver
History
APIs
Stream
AWS Config
Snapshot (ex )
A Config Rule represents desired configurations for a resource and is evaluated against configuration changes on the relevant resources, as recoded by AWS Config. The results of evaluating a rule against the configuration of a resource are available on a dashboard. Using Config Rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time and pinpoint which configuration change caused a resource to drift out of compliance with a rule.
Notes: This slide is very similar to the previous one. It adds the concept of Config Rules. It should be noted that although the “Changing Resources” are moved off the page with the animation, they are still important and not being replaced. We’re just making room. It’s probalby a good idea to read all the Config Rule faqs from the public page to make sure you’re comfortable discussing the different elements.

47. Additional Best Practices6
Additional Best Practices

48. AWS Trusted Advisor
Leverage Trusted Advisor to analyze your AWS resources for best practices for availability, cost, performance and security.
Discuss the Four Pillars of being Well Architected and how TA helps you with this.
These are the reasons most of our customers use AWS.
Give some examples of some of the checks in at least two pilars.

49. AWS Marketplace Security Partners
Infrastructure Security
Logging & Monitoring
Identity & Access Control
Configuration & Vulnerability Analysis
Data Protection
AWS Security Partners offer hundreds of industry-leading products that are equivalent, identical to, or integrate with existing controls in your on-premises environments. These products complement the existing AWS services to enable you to deploy a comprehensive security architecture and a more seamless experience across your cloud and on-premises environments.
Infrastructure Security
Designed to identify and protect your applications and data from cyber-attacks and other advanced threats vectors.
Logging & Monitoring
Maintain visibility and auditability of activity in your application infrastructure, while providing policy-driven alerting, and reporting.
Identity & Access Control
Help define and manage access policies to enforce business governance including, user authentication, SSO, and enforcement.
Configuration & Vulnerability Analysis
Help inspect your application deployments for security risks and vulnerabilities, while providing priorities and advice to assist with for remediation.
Data Protection
Assist with safeguarding your data from unauthorized disclosure and modification, through encryption, key management, and policy-driven controls.

50. Enforce consistent security on your hosts
Configure and harden EC2 instances based on security and compliance needs.
Hardening
Audit and logging
Vulnerability management
Malware protection
Whitelisting and integrity
User administration
Host-based Protection Software
Restrict Access Where Possible
Launch with IAM Role
Operating system
Launch instance
EC2
Configure instance
Discuss the importance of hardening the EC2 instances.
Discuss the lifecycle of creating an instance, hardening, and then creating a reusable AMI again. Stress the importance of AMI management and bootstrapping.
Your instance
AMI catalog
Running instance

51. Defense-in-Depth Hardened AMIs System Security OS and App Patch Mgmt.
AWS Compliance Program
Third Party
Attestations
Physical
OS and App Patch Mgmt.
System Security
IAM Roles for EC2
DATA
IAM Credentials
Security Groups
VPC Configuration
Logical Access Controls
User Authentication
Encryption
At-Rest
Data Security
Network
Web App Firewalls
Bastion Hosts
Encryption
In-Transit
Your security posture is determined by the “whole” of the mechanisms you employ.
This slide should serve as a review, but be sure to address any questions here.

52. 7
AWS Security Center

53. AWS Security Center http://aws.amazon.com/security
Comprehensive security portal to provide a variety of security notifications,
information and documentation.
Security Whitepapers
Overview of Security Process
AWS Risk and Compliance
AWS Security Best Practices
Security Bulletin
Security Resources
Vulnerability Reporting
Penetration Testing
Requests
Report Suspicious s
The main point of this slide is to introduce the fact that AWS takes security very seriously. We dedicate an entire section of our website to the Security and Compliance Center to communicate with our customers providing things like:
Security and Compliance whitepapers
Security best practice whitepapers
Security bulletins
Requests for customer penetration testing
This presentation is a brief overview of the information on this site, please be aware of it and check out the site for more details and information.

54. Security Resources http://aws.amazon.com/security/security-resources/
Developer Information, Articles and Tutorials,
Security Products, and Whitepapers
AWS Security Blog
Subscribe to the blog – it’s a great way to stay up-to-date on AWS security and compliance.

55. AWS Compliance
List of compliance, assurance programs and resources:
Glacier Vault Lock
& SEC Rule 17a-4(f)
27018

56. ?
Questions