AWS Quick Start
A Practitioner’s Guide to Securing Your Cloud
(Like an Expert)
Gabe Hollombe, Senior Technical Evangelist, AWS, APAC
Agenda: Develop your cloud security know-how
• Become familiar with the different types of AWS resources
• Quickly get up to speed with a practical overview of AWS’s identity-based
and network-based security controls
• Know how to interpret and implement AWS security controls
[Diagram: IAM and VPC controls inside the AWS cloud]
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where’s my [AWS] stuff?
[Diagram, built up over several slides: an AWS region containing Availability Zones; a Virtual private cloud spanning the Availability Zones; a VPC subnet in each Availability Zone; inside the subnets, EC2 instances, an RDS DB instance with its standby in a second Availability Zone, and AWS Directory Service; outside the VPC but inside the region, an Amazon S3 bucket, an Amazon SQS queue and an Amazon DynamoDB table.]
Resources that live inside your VPC answer at VPC-private addresses; AWS services that live outside it answer at public addresses. The DNS name of the endpoint tells you which is which:
$ dig mydatabase.cumxp40klozz.us-east-2.rds.amazonaws.com +short
10.0.51.81
$ dig sqs.us-east-2.amazonaws.com +short
52.95.18.51
The RDS DB instance resolves to an address inside the VPC (10.0.51.81, in the 10.0.51.0/24 subnet); the SQS endpoint resolves to a public AWS address (52.95.18.51).
Determining a method for securing AWS resources
• If it's in your VPC: Identity and Access Management (IAM) permissions, plus VPC network security controls
• If it's not in your VPC: Identity and Access Management (IAM) permissions
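The check behind the two dig commands, as an added example (this is not code from the deck or from AWS): given the addresses an endpoint name resolves to, decide whether the resource sits inside your VPC, inside some other private range, or on the public internet, and list which of the deck's controls apply. The VPC CIDR 10.0.0.0/16 is an assumption that fits the 10.0.x.0/24 subnets used later in the deck; the embedded resolver answers are the two dig results from the slides, and `live_resolver` is only there for real use.

```python
"""Which controls apply to an endpoint? An added example, not code from the deck or AWS."""
import ipaddress
import socket

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed; fits the deck's 10.0.x.0/24 subnets

# Constructed stand-in for `dig <name> +short`, using the two answers shown in the deck.
RESOLVED = {
    "mydatabase.cumxp40klozz.us-east-2.rds.amazonaws.com": ["10.0.51.81"],
    "sqs.us-east-2.amazonaws.com": ["52.95.18.51"],
}

CONTROLS = {
    "in-vpc": ["IAM permissions", "security groups", "subnet routing"],
    "public": ["IAM permissions", "VPC endpoint (optional, to keep traffic off the internet)"],
    "private-elsewhere": ["IAM permissions", "security groups", "peering/VPN routing on both sides"],
}

def locate(addresses, vpc_cidr=VPC_CIDR):
    """Classify a name's resolved addresses as 'in-vpc', 'private-elsewhere' or 'public'.
    A mixed answer set is refused rather than guessed at."""
    kinds = set()
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if ip in vpc_cidr:
            kinds.add("in-vpc")
        elif ip.is_private:
            kinds.add("private-elsewhere")   # a peered VPC, a VPN range, another account
        else:
            kinds.add("public")
    if len(kinds) != 1:
        raise ValueError(f"mixed answers {sorted(kinds)} for {addresses}")
    return kinds.pop()

def live_resolver(name):
    """Real DNS lookup (needs network); returns the same shape as RESOLVED.get."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def controls_for(name, resolver=RESOLVED.get):
    """Controls to apply for `name`; `resolver` maps a hostname to its addresses."""
    addresses = resolver(name)
    if not addresses:
        raise LookupError(f"no answer for {name}")
    return CONTROLS[locate(addresses)]
```

Run it against a real account with `controls_for(name, resolver=live_resolver)` from a host that uses the VPC's DNS resolver; resolved from outside the VPC, an RDS endpoint in a private subnet still returns its private address, but a publicly accessible instance returns a public one, which is itself a finding worth chasing.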
Practical introduction to IAM:
Identity and Access Management
The ABCs of AWS Identity and Access Management (IAM)
• I: Identity. IAM lets you create identities in your AWS Account that can make authenticated requests to AWS.
• AM: Access Management. IAM is your tool for defining who has permissions to do what to which resources in AWS.
• IAM is the AWS-wide permissions control system, so you need to know it.
I is for Identity: Humans, as IAM users
[Diagram: a human user holds a long-term security credential for an IAM user, and the IAM user makes calls to Amazon DynamoDB.]
I is for Identity: Robots, as IAM roles
[Diagram: an EC2 instance, a Lambda function and Application Auto Scaling each use an IAM role, and the role makes calls to Amazon DynamoDB.]
I is for Identity: Humans with external identities
[Diagram: corporate identities (developers, analysts) authenticate with the corporate identity provider and are mapped to the IAM roles "Developers" and "Analysts", which access Amazon DynamoDB.]
Term: IAM principal
• An IAM principal is an identity defined within an AWS Account
• IAM users authenticate using long-lived credentials
• IAM roles authenticate using short-lived credentials
Term: IAM policy
Where does IAM policy matter? Everywhere in AWS.
For an authenticated call to succeed:
• The request must have a valid signature for an IAM principal
• IAM policy must specifically authorize the call
AWS-managed IAM policies
Reading an IAM policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:*"
      ],
      "Resource": "*"
    }
  ]
}
In English: Allowed to take all DynamoDB actions
Writing more granular IAM policies: Actions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      "Resource": "*"
    }
  ]
}
In English: Allowed to take only a few specific DynamoDB actions
Writing more granular IAM policies: Resource-level IAM policies
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName",
        "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName/index/*"
      ]
    }
  ]
}
In English: Allowed to take specific DynamoDB actions on a specific table and its indexes
Term: Amazon Resource Name (ARN)
• Resource: A thing in AWS. Examples: S3 bucket, DynamoDB table, EC2 instance, VPC. Even IAM principals have ARNs.
• ARN: A fully-qualified name for that resource, used throughout AWS
• arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName
  service: dynamodb
  region: us-east-2
  accountId: 111122223333
  service-specific name: table/MyTableName
Writing more granular IAM policies: Conditions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "us-east-2"
          ]
        }
      }
    }
  ]
}
In English: Allowed to use DynamoDB only in the us-east-2 region
Securing AWS resources across multiple accounts
[Diagram: several AWS accounts managed together with AWS Organizations.]
Example: Resource-based policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::444455556666:role/MyRole"
        ]
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-s3-bucket/some/path/*"
    }
  ]
}
In English: The "MyRole" IAM role in account 444455556666 (a different account) can read objects from this bucket under /some/path/
IAM authorization of cross-account access
[Diagram: an IAM principal in one account accessing an S3 bucket in another, and an IAM principal in one account accessing Amazon DynamoDB in another.]
For a call across account boundaries to succeed, both sides must allow it: the identity-based policy attached to the principal in the calling account, and the resource-based policy (such as the bucket policy above) in the account that owns the resource. An explicit Deny on either side blocks the call. The alternative, which works for any service, is for the caller to assume an IAM role in the resource owner's account: that role's trust policy must allow the calling principal, and the role's own identity-based policy then authorizes the action.
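The policy-writing slides (actions, resources, conditions) and the cross-account slides share one evaluation model, so here is a single added example that exercises both: a small IAM policy evaluator in Python. It is not AWS's evaluation engine and not code from the deck; it implements only what the deck's policies use (default deny, explicit Deny winning over Allow, `*` and `?` wildcards in Action and Resource, the StringEquals condition operator, and the Principal element of a resource-based policy), and `cross_account_allowed` applies the both-sides-must-allow rule from the cross-account diagram. The identity-based policy attached to MyRole and the DeleteTable deny are assumed, invented for the example; permissions boundaries, SCPs, session policies and NotAction/NotResource are out of scope.

```python
"""Minimal IAM policy evaluator: an added example, not code from the deck or AWS."""
import re

def _wild(pattern, ignore_case=False):
    """IAM wildcard pattern ('*' = any run of characters, '?' = one character) to a regex."""
    rx = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(rx, re.IGNORECASE if ignore_case else 0)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _any_match(patterns, value, ignore_case=False):
    return any(_wild(p, ignore_case).match(value) for p in _as_list(patterns))

def _conditions_hold(condition, ctx):
    """Only StringEquals (the operator the deck uses) is implemented; every key must hold."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator}")
        for key, allowed in pairs.items():
            if ctx.get(key) not in _as_list(allowed):
                return False
    return True

def _principal_matches(stmt, principal_arn):
    """Identity-based policies carry no Principal; resource-based policies must name the caller."""
    if "Principal" not in stmt:
        return True
    allowed = stmt["Principal"]
    return allowed == "*" or principal_arn in _as_list(allowed.get("AWS", []))

def evaluate(policies, action, resource, principal_arn=None, ctx=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request against a set of policies."""
    ctx = ctx or {}
    decision = "ImplicitDeny"                     # nothing is allowed until a statement says so
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_principal_matches(stmt, principal_arn)
                    and _any_match(stmt.get("Action", []), action, ignore_case=True)
                    and _any_match(stmt.get("Resource", []), resource)
                    and _conditions_hold(stmt.get("Condition", {}), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                     # an explicit Deny beats every Allow
            decision = "Allow"
    return decision

def cross_account_allowed(identity_policies, resource_policy, principal_arn, action, resource, ctx=None):
    """Cross-account rule from the deck's diagram: the caller's identity-based policy (in its own
    account) AND the resource-based policy (in the resource owner's account) must both allow."""
    own = evaluate(identity_policies, action, resource, ctx=ctx)
    theirs = evaluate([resource_policy], action, resource, principal_arn=principal_arn, ctx=ctx)
    return own == "Allow" and theirs == "Allow"

# The deck's policies, as data. ARNs and account IDs are the deck's examples.
TABLE = "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName"
READ_ONE_TABLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query"],
     "Resource": [TABLE, TABLE + "/index/*"]}]}
REGION_LOCK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-2"]}}}]}
NO_TABLE_DELETE = {"Version": "2012-10-17", "Statement": [   # constructed, to show Deny winning
    {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"}]}
MY_ROLE = "arn:aws:iam::444455556666:role/MyRole"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [MY_ROLE]}, "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::my-s3-bucket/some/path/*"}]}
MY_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [   # assumed identity policy on MyRole
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-s3-bucket/*"}]}

if __name__ == "__main__":
    print(evaluate([READ_ONE_TABLE], "dynamodb:PutItem", TABLE))                  # ImplicitDeny
    print(evaluate([REGION_LOCK, NO_TABLE_DELETE], "dynamodb:DeleteTable", TABLE,
                   ctx={"aws:RequestedRegion": "us-east-2"}))                     # Deny
    print(cross_account_allowed([MY_ROLE_POLICY], BUCKET_POLICY, MY_ROLE, "s3:GetObject",
                                "arn:aws:s3:::my-s3-bucket/some/path/report.csv"))  # True
```

The useful habit this builds is to ask three questions of every request: does any statement allow it, does any statement deny it, and, if the resource is in another account, do both accounts agree. Note that action names match case-insensitively while resource ARNs match exactly, which is why the resource-level policy above must list the index ARN separately from the table ARN.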
The IAM Reference
Practical introduction to Virtual Private Cloud network security
[Diagram: the region and VPC picture from the start of the deck: EC2 instances, an RDS DB instance with its standby, and AWS Directory Service inside the VPC subnets across Availability Zones; the Amazon S3 bucket, Amazon SQS queue and Amazon DynamoDB table outside the VPC.]
Secure connectivity with Amazon VPC
[Diagram: a VPC subnet inside a Virtual private cloud.]
• Security Groups: Authorize only the traffic you expect
• Routing: Route traffic headed out of your VPC only to expected destinations
• VPC Endpoints: Create specific, least-privilege points of connectivity
Security groups: Stateful network firewalls
[Diagram: clients reach the Application Load Balancer (security group sg-08eec15c2101526a1) on port 443 (HTTPS); the load balancer reaches the backend EC2 instances (security group sg-0bbef9ea1db9d2ddf) on port 8443 (HTTPS); the backend instances reach the RDS database (security group sg-0b0a4f8118aa5d450) on port 3306 (MySQL).]
A security group is stateful: once an inbound connection is allowed, the replies are allowed automatically, so you only write rules for the traffic you expect to be initiated. The least-privilege way to express the chain above is for each tier's inbound rule to reference the security group of the tier in front of it rather than an IP range, so that only the load balancer can reach port 8443 and only the backend instances can reach port 3306.
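To make the three-tier chain checkable rather than just drawable, here is an added example in Python (not code from the deck or from AWS). It models the three security groups in the shape of the IpPermissions field returned by `aws ec2 describe-security-groups`, answers whether one group can reach another on a port, whether an arbitrary IP can, and lists every rule open to the whole internet that is not on an expected allow-list. The group IDs are the deck's; the rule contents are constructed to match the diagram and are an assumption.

```python
"""Security-group reachability and exposure check: an added example, not code from the deck or AWS."""
import copy
import ipaddress

# Group IDs from the deck's diagram; the rule bodies below are constructed to match it.
ALB_SG = "sg-08eec15c2101526a1"   # Application Load Balancer
APP_SG = "sg-0bbef9ea1db9d2ddf"   # backend EC2 instances
DB_SG = "sg-0b0a4f8118aa5d450"    # RDS database

# Inbound rules in the shape of IpPermissions from `aws ec2 describe-security-groups`.
# Security groups are stateful, so no rule is needed for the replies.
GROUPS = {
    ALB_SG: [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    APP_SG: [{"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
              "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]}],
    DB_SG: [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]}],
}

def _port_in_rule(rule, port, proto):
    if rule["IpProtocol"] == "-1":              # the "all traffic" rule has no ports
        return True
    return rule["IpProtocol"] == proto and rule["FromPort"] <= port <= rule["ToPort"]

def reachable_from_group(groups, src_sg, dst_sg, port, proto="tcp"):
    """True if a member of src_sg may open `port` on a member of dst_sg."""
    return any(_port_in_rule(r, port, proto)
               and any(p["GroupId"] == src_sg for p in r["UserIdGroupPairs"])
               for r in groups[dst_sg])

def reachable_from_ip(groups, src_ip, dst_sg, port, proto="tcp"):
    """True if a client at src_ip (for example on the internet) may open `port` on dst_sg."""
    ip = ipaddress.ip_address(src_ip)
    return any(_port_in_rule(r, port, proto)
               and any(ip in ipaddress.ip_network(c["CidrIp"]) for c in r["IpRanges"])
               for r in groups[dst_sg])

def internet_exposed(groups, expected=frozenset()):
    """(group, from_port, to_port) triples open to 0.0.0.0/0 or ::/0 that are not on
    the `expected` allow-list; anything returned deserves a look."""
    findings = []
    for sg, rules in groups.items():
        for r in rules:
            if {c["CidrIp"] for c in r["IpRanges"]} & {"0.0.0.0/0", "::/0"}:
                key = (sg, r.get("FromPort", 0), r.get("ToPort", 65535))
                if key not in expected:
                    findings.append(key)
    return findings

def with_extra_cidr(groups, sg, cidr):
    """Copy of `groups` in which every rule of `sg` also admits `cidr` (for what-if checks)."""
    changed = copy.deepcopy(groups)
    for r in changed[sg]:
        r["IpRanges"].append({"CidrIp": cidr})
    return changed

if __name__ == "__main__":
    print("ALB -> backend 8443:", reachable_from_group(GROUPS, ALB_SG, APP_SG, 8443))        # True
    print("internet -> backend 8443:", reachable_from_ip(GROUPS, "203.0.113.7", APP_SG, 8443))  # False
    widened = with_extra_cidr(GROUPS, DB_SG, "0.0.0.0/0")
    print("unexpected exposure:", internet_exposed(widened, expected={(ALB_SG, 443, 443)}))
```

Feed it the real output of `aws ec2 describe-security-groups --query 'SecurityGroups[].[GroupId,IpPermissions]'` and the only accepted internet-facing entry should be the load balancer's 443; a database port that appears in `internet_exposed` is exactly the misconfiguration the group-reference pattern is meant to prevent.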
Routing for least-privilege connectivity
[Diagram: three Availability Zones, each holding two VPC subnets: 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 in one tier, and 10.0.51.0/24, 10.0.52.0/24 and 10.0.53.0/24 in the other. The following slides zoom in on one Availability Zone with subnets 10.0.2.0/24 and 10.0.52.0/24.]
Routing: No outbound connectivity
[Diagram: subnet 10.0.52.0/24 holds EC2 instances and AWS ElastiCache for Redis; its route table has no route out of the VPC, so nothing in it can reach or be reached from the internet.]
Routing: Full internet connectivity
[Diagram: subnet 10.0.2.0/24 holds a public-facing EC2 instance with a public IP address and an Application Load Balancer; its route table sends 0.0.0.0/0 to an internet gateway, so both inbound and outbound internet traffic are possible. Subnet 10.0.52.0/24 (EC2 instances, ElastiCache Redis) still has no route out.]
Routing: Outbound-only internet connectivity
[Diagram: a VPC NAT gateway with a public IP address sits in subnet 10.0.2.0/24 behind the internet gateway; subnet 10.0.52.0/24 (EC2 instances, ElastiCache Redis) routes 0.0.0.0/0 to the NAT gateway, so its instances can initiate connections to the internet but cannot be reached from it.]
Routing for least privilege: Summary
• AWS offers a variety of routing options
• Determine the different routing needs of
different parts of your workload, and put
them in different subnets
• Have only the routes you need in each
subnet.
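The three routing patterns above reduce to one question per subnet: where does its default route go? The following Python is an added example (not code from the deck or from AWS) that labels subnets from route tables in the shape of `aws ec2 describe-route-tables` output and flags any subnet with more connectivity than the workload placed in it needs. The subnet CIDRs follow the deck; the route tables, subnet IDs, gateway IDs and workload roles are constructed.

```python
"""Route-table classifier: an added example, not code from the deck or AWS."""

# Subnets from the deck's routing slides (IDs are placeholders); the third subnet is
# constructed so that all three patterns appear at once.
SUBNETS = {"subnet-public-a": "10.0.2.0/24", "subnet-cache-a": "10.0.52.0/24",
           "subnet-app-a": "10.0.53.0/24"}

# Route tables in the shape of `aws ec2 describe-route-tables` output (constructed).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],   # subnets without an explicit association
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d4e5f67890", "State": "active"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"}]},
]

# Connectivity levels, least to most, and what each workload role needs.
LEVELS = ["no-outbound", "outbound-only", "full-internet"]
NEEDS = {"cache": "no-outbound", "app": "outbound-only", "public-entrypoint": "full-internet"}

def classify_table(table):
    """Label a route table by where its active default route (0.0.0.0/0) points."""
    for r in table["Routes"]:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") != "active":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "full-internet"
        if "NatGatewayId" in r:
            return "outbound-only"
        return "custom"            # transit gateway, appliance ENI, peering: review by hand
    return "no-outbound"

def classify_subnets(route_tables, subnet_ids):
    """Map each subnet to its label; subnets with no explicit association use the main table."""
    explicit, main = {}, None
    for t in route_tables:
        for a in t["Associations"]:
            if a.get("Main"):
                main = t
            elif "SubnetId" in a:
                explicit[a["SubnetId"]] = t
    if main is None:
        raise LookupError("no main route table in input")
    return {s: classify_table(explicit.get(s, main)) for s in subnet_ids}

def excess_connectivity(route_tables, subnet_roles):
    """Subnets whose routes give more connectivity than their workload role needs,
    as {subnet: (has, needs)}. 'custom' is always reported."""
    actual = classify_subnets(route_tables, subnet_roles)
    findings = {}
    for subnet, role in subnet_roles.items():
        have, need = actual[subnet], NEEDS[role]
        if have == "custom" or LEVELS.index(have) > LEVELS.index(need):
            findings[subnet] = (have, need)
    return findings

if __name__ == "__main__":
    print(classify_subnets(ROUTE_TABLES, SUBNETS))
    print(excess_connectivity(ROUTE_TABLES, {"subnet-app-a": "cache"}))   # {'subnet-app-a': ('outbound-only', 'no-outbound')}
```

The main-table fallback matters in practice: a subnet you never associated with a route table inherits whatever the main table says, so if someone adds an internet gateway route to the main table, every "forgotten" subnet becomes public at once. Keeping the main table free of a default route, as the constructed data does, is the cheap guard.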
What we didn't talk about
• Encryption
• Visibility and detective controls (for example, VPC Flow Logs)
• Higher-level security services
Thank You
Gabe Hollombe, AWS
Twitter & LinkedIn: @gabehollombe
Thank You for Attending AWS Quick Start
We hope you found it interesting! A kind reminder to complete the survey.
Let us know what you thought of today’s event and how we can improve
the event experience for you in the future.
aws-apac-marketing@amazon.com
twitter.com/AWSCloud
facebook.com/AmazonWebServices
youtube.com/user/AmazonWebServices
slideshare.net/AmazonWebServices
twitch.tv/aws
Source PDF: 57 pages, exported from PowerPoint, created 2019-03-19.