Presentation: AWS Quick Start, A Practitioner's Guide to Securing Your Cloud (PDF slide deck, 57 pages)
AWS Quick Start: A Practitioner's Guide to Securing Your Cloud (Like an Expert)
Gabe Hollombe, Senior Technical Evangelist, AWS, APAC

Agenda: Develop your cloud security know-how
• Become familiar with the different types of AWS resources
• Quickly get up to speed with a practical overview of AWS's identity-based and network-based security controls
• Know how to interpret and implement AWS security controls (IAM, VPC controls, the AWS cloud)

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Where's my [AWS] stuff?

(Diagram, built up over several slides: an AWS region contains Availability Zones; a Virtual private cloud spans the Availability Zones, with a VPC subnet in each; EC2 instances run in the subnets; an RDS DB instance and its standby sit in two of the subnets.)
(Diagram continued: AWS Directory Service is added inside the VPC subnets. Outside the VPC, but in the same AWS region, sit an Amazon S3 bucket, an Amazon SQS queue and an Amazon DynamoDB table.)

Resolving the service endpoints shows which side of the VPC boundary each resource is on:

    $ dig mydatabase.cumxp40klozz.us-east2.rds.amazonaws.com +short
    10.0.51.81

The RDS endpoint resolves to a private address inside one of the VPC subnets.

    $ dig sqs.us-east-2.amazonaws.com +short
    52.95.18.51

The SQS endpoint resolves to a public address: the queue is not in your VPC.
(Diagram complete: EC2 instances, RDS DB instance and standby, and AWS Directory Service inside the VPC subnets; Amazon S3 bucket, Amazon SQS queue and Amazon DynamoDB table in the region but outside the VPC.)

Determining a method for securing AWS resources
• If it's in your VPC:
  • Identity and Access Management (IAM) permissions
  • VPC network security controls
• If it's not in your VPC:
  • Identity and Access Management (IAM) permissions

Practical introduction to IAM: Identity and Access Management

The ABCs of AWS Identity and Access Management (IAM)
• I: Identity. IAM lets you create identities in your AWS account that can make authenticated requests to AWS.
• AM: Access Management. IAM is your tool for defining who has permissions to do what to which resources in AWS.
• IAM is the AWS-wide permissions control system, so you need to know it.

I is for Identity: Humans (IAM users)
A human user is given an IAM user with a long-term security credential and uses it to call AWS services such as Amazon DynamoDB.

I is for Identity: Robots (IAM roles)
An EC2 instance, a Lambda function or Application Auto Scaling assumes an IAM role to call AWS services such as Amazon DynamoDB.

I is for Identity: Humans with external identities
Corporate identities (developers, analysts) authenticate with the corporate identity provider and are mapped to IAM roles (IAM Role: Developers, IAM Role: Analysts) that call AWS services such as Amazon DynamoDB.
Term: IAM principal
• An IAM principal is an identity defined within an AWS account: an IAM user or an IAM role.
• IAM users authenticate using long-lived credentials.
• IAM roles authenticate using short-lived credentials.

Term: IAM policy

Where does IAM policy matter? Everywhere in AWS.
For an authenticated call to succeed:
• The request must have a valid signature for an IAM principal
• IAM policy must specifically authorize the call

AWS-managed IAM policies

Reading an IAM policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "dynamodb:*" ],
          "Resource": "*"
        }
      ]
    }

In English: Allowed to take all DynamoDB actions

Writing more granular IAM policies: Actions

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:BatchGetItem",
            "dynamodb:GetItem",
            "dynamodb:Query"
          ],
          "Resource": "*"
        }
      ]
    }

In English: Allowed to take only a few specific DynamoDB actions

Writing more granular IAM policies: Resource-level IAM policies

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:BatchGetItem",
            "dynamodb:GetItem",
            "dynamodb:Query"
          ],
          "Resource": [
            "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName",
            "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName/index/*"
          ]
        }
      ]
    }

In English: Allowed to take specific DynamoDB actions on a specific table and its indexes

Term: Amazon Resource Name (ARN)
• Resource: A thing in AWS.
  Examples: S3 bucket, DynamoDB table, EC2 instance, VPC. Even IAM principals have ARNs.
• ARN: A fully-qualified name for that resource, used throughout AWS
  arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName
  (service: dynamodb; region: us-east-2; accountId: 111122223333; service-specific name: table/MyTableName)

Writing more granular IAM policies: Conditions

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "dynamodb:*" ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:RequestedRegion": [ "us-east-2" ]
            }
          }
        }
      ]
    }

In English: Allowed to use DynamoDB only in the us-east-2 region

Securing AWS resources across multiple accounts
AWS Organizations

Example: Resource-based policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [ "arn:aws:iam::444455556666:role/MyRole" ]
          },
          "Action": [ "s3:GetObject" ],
          "Resource": "arn:aws:s3:::my-s3-bucket/some/path/*"
        }
      ]
    }

In English: The "MyRole" IAM role in account 444455556666 (a different account) can read objects from this bucket under /some/path/

IAM authorization of cross-account access
(Diagram: an IAM principal in one account accessing an S3 bucket in another account, and the reverse; the same pattern applies to Amazon DynamoDB.)

The IAM Reference

Practical introduction to Virtual Private Cloud network security
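The evaluation rule the slides state ("IAM policy must specifically authorize the call") worked through on the deck's own action, resource-level and condition policies. This is an added example written for this page, not AWS code or the deck's: `is_allowed`, `_match` and `_conditions_hold` are my simplified model (default deny, no explicit Deny, NotAction, policy variables or operators other than StringEquals).

```python
import fnmatch
from typing import Optional

# Added example, not from the deck: a small model of the evaluation rules the
# slides describe (default deny; an Allow must match action, resource and every
# condition). Only the policy constructs shown on the slides are modelled.

def _match(pattern: str, value: str, fold_case: bool = False) -> bool:
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _conditions_hold(conditions: dict, context: dict) -> bool:
    """Only StringEquals is modelled; a list of values means 'any of these'."""
    for operator, clauses in conditions.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, wanted in clauses.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if context.get(key) not in wanted:   # missing context key never satisfies
                return False
    return True

def is_allowed(policy: dict, action: str, resource: str,
               context: Optional[dict] = None) -> bool:
    """True only if some Allow statement matches; otherwise the implicit deny applies."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(_match(a, action, fold_case=True) for a in actions)
                and any(_match(r, resource) for r in resources)
                and _conditions_hold(stmt.get("Condition", {}), context)):
            return True
    return False

TABLE = "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName"
# The resource-level policy from the deck: three read actions on one table and its indexes.
READ_ONE_TABLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query"],
    "Resource": [TABLE, TABLE + "/index/*"]}]}
# The condition policy from the deck: any DynamoDB action, but only in us-east-2.
ONE_REGION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-2"]}}}]}
```

A request carrying no `aws:RequestedRegion` context at all is denied by the condition policy, which is the behaviour you want from a StringEquals guard.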
(Diagram recap: EC2 instances, RDS DB instance and standby, and AWS Directory Service inside the VPC subnets; Amazon S3 bucket, Amazon SQS queue and Amazon DynamoDB table outside the VPC.)

Secure connectivity with Amazon VPC
• Security Groups: Authorize only the traffic you expect
• Routing: Route traffic headed out of your VPC only to expected destinations
• VPC Endpoints: Create specific, least-privilege points of connectivity

Security groups: Stateful network firewalls
(Diagram: three tiers, each with its own security group, each accepting one port from the tier in front of it.)
• Application Load Balancer, Security Group sg-08eec15c2101526a1: port 443 (HTTPS)
• Backend EC2 instances, Security Group sg-0bbef9ea1db9d2ddf: port 8443 (HTTPS)
• RDS database, Security Group sg-0b0a4f8118aa5d450: port 3306 (MySQL)
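The three-tier chain above expressed as security group rules, with a minimal connection-tracking model of what "stateful" means. This is an added example, not the deck's or AWS's code: the security group IDs are the ones on the slide, but the rule contents (each tier admits one port, from the tier in front of it, and the load balancer from anywhere) and the `StatefulFirewall` class are my reconstruction.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Added example, not from the deck: the slide's three-tier security group chain as
# data, plus connection tracking. IDs are from the slide; rule contents are assumed.

@dataclass
class Rule:
    port: int
    source_sg: Optional[str] = None    # traffic from members of another security group...
    source_cidr: Optional[str] = None  # ...or from an address range

@dataclass
class SecurityGroup:
    sg_id: str
    ingress: List[Rule]  # no deny rules exist: anything unmatched is dropped

ALB_SG = SecurityGroup("sg-08eec15c2101526a1", [Rule(443, source_cidr="0.0.0.0/0")])
APP_SG = SecurityGroup("sg-0bbef9ea1db9d2ddf", [Rule(8443, source_sg=ALB_SG.sg_id)])
DB_SG = SecurityGroup("sg-0b0a4f8118aa5d450", [Rule(3306, source_sg=APP_SG.sg_id)])

def ingress_allowed(dest: SecurityGroup, port: int, src_ip: str, src_sg: Optional[str]) -> bool:
    """Would a *new* inbound connection be accepted by dest's ingress rules?"""
    for rule in dest.ingress:
        if rule.port != port:
            continue
        if rule.source_sg is not None and rule.source_sg == src_sg:
            return True
        if rule.source_cidr is not None and ip_address(src_ip) in ip_network(rule.source_cidr):
            return True
    return False

class StatefulFirewall:
    """Tracks accepted connections so replies need no rule of their own."""
    def __init__(self) -> None:
        self.flows: Set[Tuple[str, str, int]] = set()  # (client ip, server sg, port)

    def open_connection(self, src_ip: str, src_sg: Optional[str],
                        dest: SecurityGroup, port: int) -> bool:
        ok = ingress_allowed(dest, port, src_ip, src_sg)
        if ok:
            self.flows.add((src_ip, dest.sg_id, port))
        return ok

    def reply_allowed(self, server_sg: str, port: int, client_ip: str) -> bool:
        """Return traffic is allowed only for a connection that was accepted inbound."""
        return (client_ip, server_sg, port) in self.flows
```

Referencing a security group rather than a CIDR in the backend and database rules is what stops an internet client, or the load balancer itself, from opening a connection straight to the database.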
Routing for least-privilege connectivity
(Diagram: a VPC with six subnets across three Availability Zones: 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and 10.0.51.0/24, 10.0.52.0/24, 10.0.53.0/24.)
The next slides zoom in on one Availability Zone: VPC subnet 10.0.2.0/24 (EC2 instances) and VPC subnet 10.0.52.0/24 (ElastiCache Redis).

Routing: No outbound connectivity
Neither subnet has a route out of the VPC.
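A longest-prefix-match route lookup over the no-outbound pattern just shown and the two variants the deck presents next (full internet connectivity through an Internet gateway, outbound-only through a NAT gateway). This is an added example, not the deck's or AWS's code: the subnet CIDRs and the two resolved addresses are from the slides, while the VPC CIDR, the gateway IDs, and which subnet gets which route table are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Added example, not from the deck: route tables for the three routing patterns the
# slides walk through. Subnet CIDRs are from the slides; VPC CIDR, gateway IDs and
# the subnet-to-table assignment are assumed.

VPC_CIDR = "10.0.0.0/16"  # assumed: every VPC route table carries this "local" route
Route = Tuple[str, str]   # (destination CIDR, target)

ISOLATED_RT: List[Route] = [(VPC_CIDR, "local")]                              # no outbound connectivity
PUBLIC_RT: List[Route] = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-EXAMPLE")]  # full internet connectivity
NAT_RT: List[Route] = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-EXAMPLE")]     # outbound-only connectivity

SUBNET_TABLES: Dict[str, List[Route]] = {
    "10.0.1.0/24": PUBLIC_RT,     # assumed: public-facing instance / load balancer
    "10.0.2.0/24": NAT_RT,        # assumed: backend EC2 instances
    "10.0.52.0/24": ISOLATED_RT,  # assumed: ElastiCache Redis, never needs the internet
}

def route_for(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Most specific matching route wins, as in a VPC route table; None means dropped."""
    dst = ip_address(dst_ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None

def next_hop(src_ip: str, dst_ip: str) -> Optional[str]:
    """Find the subnet holding src_ip and look the destination up in its route table."""
    src = ip_address(src_ip)
    for cidr, table in SUBNET_TABLES.items():
        if src in ip_network(cidr):
            return route_for(table, dst_ip)
    raise ValueError(f"{src_ip} is not in a known subnet")

def inbound_from_internet_possible(subnet_cidr: str) -> bool:
    """Connections initiated from the internet need an Internet gateway route (plus a
    public IP on the target); a NAT gateway only carries connections started inside."""
    return any(target.startswith("igw-") for _, target in SUBNET_TABLES[subnet_cidr])
```

Using the two addresses from the dig output earlier: the RDS private address 10.0.51.81 is reachable from every subnet via the local route, while the public SQS address 52.95.18.51 is reachable only where a gateway route exists.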
Routing: Full internet connectivity
An Internet gateway is attached to the VPC. A public-facing EC2 instance and the Application Load Balancer in subnet 10.0.2.0/24 have public IP addresses and can be reached from the internet; subnet 10.0.52.0/24 (ElastiCache Redis) stays private.

Routing: Outbound-only internet connectivity
Subnet 10.0.2.0/24 routes through a VPC NAT gateway, which holds the public IP address and sits behind the Internet gateway: the EC2 instances can initiate connections out to the internet but cannot be reached from it.

Routing for least privilege: Summary
• AWS offers a variety of routing options
• Determine the different routing needs of different parts of your workload, and put them in different subnets
• Have only the routes you need in each subnet.

Secure connectivity with Amazon VPC
• Security Groups: Authorize only the traffic you expect
• Routing: Route traffic headed out of your VPC only to expected destinations
• VPC Endpoints: Create specific, least-privilege points of connectivity

What we didn't talk about
• Encryption
• Visibility and detective controls (for example VPC Flow Logs)
• Higher-level security services

Thank You
Gabe Hollombe, AWS. Twitter & LinkedIn: @gabehollombe

Thank You for Attending AWS Quick Start. We hope you found it interesting! A kind reminder to complete the survey: let us know what you thought of today's event and how we can improve the event experience for you in the future.
Contact: aws-apac-marketing@amazon.com
Follow AWS: twitter.com/AWSCloud, facebook.com/AmazonWebServices, youtube.com/user/AmazonWebServices, slideshare.net/AmazonWebServices, twitch.tv/aws
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Source PDF metadata: PowerPoint presentation (Microsoft PowerPoint 2013), author Clarissa Lim, created 2019-03-19, 57 pages, language en-US.