AWS Enterprise Summit - Security in the Cloud - SeungDo Yang
TRANSCRIPT
Seoul, Korea
AWS Enterprise Summit
Security in the AWS Cloud
SeungDo Yang, Solutions Architect, Amazon Web Services
Defense in Depth
Multi-level security:
• Physical security of the data centers
• Network security
• System security
• Data security
Old World – Static, Fixed Systems
(diagram: fixed pairs LB1/LB2, SW1/SW2, Web1/Web2, App1/App2 and DB1/DB2 stacked in front of the DATA)
“Cloud applications have amorphous, polymorphic attack surfaces.”
- Jason Chan, Director of Engineering, Cloud Security, Netflix
(diagram: the size of a cloud fleet changes over time, for example on Monday, on Friday and at the end of vacation season)
Different customer viewpoints on security
• PR: Keep out of the news!
• CEO: Protect shareholder value
• CI(S)O: Preserve the confidentiality, integrity and availability of data
Security is our #1 priority
Shared Security Responsibility
WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE = WHAT WE DO + WHAT YOU HAVE TO DO
Security is a Shared Responsibility Between AWS and our Customers
Customers are responsible for their security IN the Cloud:
• Customer content
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Every Customer Gets the Same AWS Security Foundations
Customers are responsible for their security IN the Cloud: customer content, client-side data encryption, server-side data encryption, network traffic protection, platform, applications, identity & access management, operating system, network & firewall configuration.
Independent validation by experts
• Every AWS Region is in scope
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Certification, HIPAA capable
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
Your Own Auditor Can Still Audit your AWS Environment
Your own compliant solutions, your own ISO certifications, your own external audits and assurance:
• Achieve PCI, HIPAA and MPAA compliance
• Certify against ISO 27001 with a reduced scope
• Have key controls audited or publish your own independent attestations
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
- Tom Soderstrom, CTO, NASA JPL
AWS SECURITY OFFERS MORE VISIBILITY, MORE AUDITABILITY, MORE CONTROL
MORE VISIBILITY
CAN YOU MAP YOUR NETWORK? WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
AWS TRUSTED ADVISOR
MORE AUDITABILITY
AWS CLOUDTRAIL
You are making API calls on a growing set of services. CloudTrail is continuously recording those API calls and delivering log files to you.
• Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
• Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot Operational Issues: Quickly identify the most recent changes made to resources in your environment.
• Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards.
LOGS OBTAINED, RETAINED, ANALYZED
PROTECT YOUR LOGS WITH IAM; ARCHIVE YOUR LOGS TO S3 AND GLACIER
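The "security analysis" and "track changes" uses above are easiest to see on an actual log file. The following is an added example, not code from the talk or from AWS: it reads one CloudTrail delivery (a JSON object with a "Records" array, the format CloudTrail writes to S3) and flags the events a security team would want to review. The records, the trusted corporate network 10.20.0.0/16 and the list of sensitive event names are constructed for the example; the field names (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, requestParameters, additionalEventData.MFAUsed) are the documented CloudTrail ones.

```python
"""Detect security-relevant API activity in an AWS CloudTrail log file.

CloudTrail delivers gzipped JSON files to S3; each file is {"Records": [...]}.
The records below are constructed samples (not real CloudTrail output) that
use the documented field names.
"""
import ipaddress
import json
from collections import Counter

SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2014-11-03T09:12:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "netadmin"},
     "sourceIPAddress": "10.20.0.15",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-11-03T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops"},
     "sourceIPAddress": "10.20.0.16", "requestParameters": None},
    {"eventTime": "2014-11-03T22:40:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "contractor"}},
    {"eventTime": "2014-11-03T23:01:55Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"},
     "sourceIPAddress": "203.0.113.7",
     "additionalEventData": {"MFAUsed": "No"}},
]})

# Corporate egress range (assumed for the example).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Mutating calls on security-critical resources (read-only Describe*/Get*/List* are not listed).
SENSITIVE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "DeleteSecurityGroup",
    "CreateAccessKey", "PutUserPolicy", "AttachUserPolicy", "CreateUser",
    "StopLogging", "DeleteTrail",
}

def _from_trusted_network(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. "ec2.amazonaws.com" for service-initiated calls
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def _opens_world_ingress(params) -> bool:
    """True if a security-group change contains a 0.0.0.0/0 source range."""
    if not params:
        return False
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False

def analyze(log_file_text: str) -> dict:
    """Return findings, a per-user count of mutating calls, and the sensitive-change history."""
    records = json.loads(log_file_text)["Records"]
    findings, changes, mutations = [], [], Counter()
    for r in records:
        user = r["userIdentity"].get("userName", r["userIdentity"]["type"])
        name = r["eventName"]
        if not name.startswith(("Describe", "Get", "List")):
            mutations[user] += 1                     # who is changing things, and how often
        if name in SENSITIVE_EVENTS:
            changes.append((r["eventTime"], user, name))
            if not _from_trusted_network(r["sourceIPAddress"]):
                findings.append(f"{name} by {user} from untrusted {r['sourceIPAddress']}")
        if name.startswith("AuthorizeSecurityGroup") and _opens_world_ingress(r.get("requestParameters")):
            findings.append(f"{user} opened {r['requestParameters']['groupId']} to 0.0.0.0/0")
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(f"console login without MFA by {user} from {r['sourceIPAddress']}")
    return {"findings": findings, "mutations": dict(mutations), "changes": changes}

if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG_FILE)["findings"]:
        print(line)
```

Running it over the sample prints three findings: a security group opened to the world (a legitimate user from the corporate network, still worth a ticket), an access key created from an unknown address, and a console login without MFA. The per-user mutation counts and the ordered change list are the "track changes" and "most recent change" views from the slide; in production the same function would run over every file the trail delivers to the S3 bucket.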
NEW: Monitor everything with CloudWatch Logs
Amazon CloudWatch Logs can monitor your system, application and custom log files from Amazon EC2 instances and other sources. For example: monitor your web server HTTP log files and use CloudWatch metric filters to identify 404 errors and count the number of occurrences within a specified time period. CloudWatch Alarms can then notify you when the number of 404 errors breaches whatever threshold you decide to set; you could use this to automatically generate a ticket for investigation.
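To make the metric-filter and alarm behaviour concrete, here is an added example (not CloudWatch's code and not from the talk) that re-implements the pipeline locally: a space-delimited filter pattern in the documented "[field1, field2 = value, ...]" form is matched against access log lines, matches are summed per one-minute period, and an alarm is evaluated against a threshold over a number of evaluation periods. The log lines are constructed, and the pattern handling is limited to "=" and "!=" on one field.

```python
"""A working model of a CloudWatch Logs metric filter plus a CloudWatch Alarm.

CloudWatch Logs matches each log event against a filter pattern and emits a
metric value; an alarm then evaluates a statistic of that metric over a period
against a threshold. Re-implemented locally so it can be checked offline.
"""
import re
from datetime import datetime, timedelta
from typing import Iterable

# Constructed Apache-style access log lines (not captured traffic).
ACCESS_LOG = """\
198.51.100.4 - - [03/Nov/2014:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5123
198.51.100.4 - - [03/Nov/2014:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.4 - - [03/Nov/2014:10:00:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.4 - - [03/Nov/2014:10:00:14 +0000] "GET /admin/ HTTP/1.1" 404 209
203.0.113.9 - - [03/Nov/2014:10:00:40 +0000] "GET /about HTTP/1.1" 200 1802
198.51.100.4 - - [03/Nov/2014:10:01:02 +0000] "GET /.git/config HTTP/1.1" 404 209
198.51.100.4 - - [03/Nov/2014:10:01:07 +0000] "GET /.env HTTP/1.1" 404 209
203.0.113.9 - - [03/Nov/2014:10:02:30 +0000] "GET /contact HTTP/1.1" 200 944
"""

FILTER_PATTERN = "[ip, id, user, timestamp, request, status_code = 404, size]"

# Split a line into fields: whitespace-separated, with [...] and "..." kept as one field.
_FIELD_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
_EPOCH = datetime(1970, 1, 1)

def parse_pattern(pattern: str):
    """Return [(name, op, value)] with op in {None, '=', '!='} for each field."""
    fields = []
    for term in (t.strip() for t in pattern.strip()[1:-1].split(",")):
        m = re.fullmatch(r"(\w+)\s*(!=|=)\s*(\S+)", term)
        fields.append((m.group(1), m.group(2), m.group(3)) if m else (term, None, None))
    return fields

def matches(fields, line: str) -> bool:
    tokens = _FIELD_RE.findall(line)
    if len(tokens) != len(fields):          # the field count must agree, as in CloudWatch
        return False
    for token, (_, op, value) in zip(tokens, fields):
        if (op == "=" and token != value) or (op == "!=" and token == value):
            return False
    return True

def _event_time(line: str) -> datetime:
    ts = re.search(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]", line).group(1)
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")

def metric_filter(lines: Iterable[str], pattern: str, period_seconds: int = 60) -> dict:
    """Sum of matching events per aligned period. A period that saw events but no
    matches yields 0 (CloudWatch publishes that only if the filter has a default value)."""
    fields = parse_pattern(pattern)
    counts: dict = {}
    for line in lines:
        if not line.strip():
            continue
        t = _event_time(line)
        bucket = t - timedelta(seconds=(t - _EPOCH).total_seconds() % period_seconds)
        counts.setdefault(bucket, 0)
        if matches(fields, line):
            counts[bucket] += 1
    return counts

def alarm_state(counts: dict, threshold: int, evaluation_periods: int = 1) -> str:
    """'ALARM' when Sum >= threshold in each of the last evaluation_periods periods."""
    recent = [counts[k] for k in sorted(counts)][-evaluation_periods:]
    if len(recent) == evaluation_periods and all(c >= threshold for c in recent):
        return "ALARM"
    return "OK"

def alarm_history(counts: dict, threshold: int, evaluation_periods: int = 1) -> list:
    """The state the alarm would report after each period, oldest first."""
    keys = sorted(counts)
    return [alarm_state({k: counts[k] for k in keys[:i + 1]}, threshold, evaluation_periods)
            for i in range(len(keys))]

def evaluate(log_text: str = ACCESS_LOG, threshold: int = 3) -> dict:
    counts = metric_filter(log_text.splitlines(), FILTER_PATTERN)
    return {"per_minute": [counts[k] for k in sorted(counts)],
            "history": alarm_history(counts, threshold)}

if __name__ == "__main__":
    print(evaluate())
```

With a threshold of 3 over one period the scanner's burst at 10:00 raises the alarm and the alarm returns to OK a minute later; with a threshold of 2 over two consecutive periods it fires only once two adjacent minutes both breach. Choosing the period and evaluation count is what decides whether a slow, low-rate probe is noticed or a single spike pages someone.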
MORE CONTROL
AWS Security Delivers More Control & Granularity: choose what's right for your business needs
• Defense in depth
• Rapid scale for security
• Automated checks with AWS Trusted Advisor
• Fine grained access controls (AWS IAM)
• Server side encryption
• Multi-factor authentication
• Dedicated instances (Amazon VPC)
• Direct connection, Storage Gateway (AWS Direct Connect, AWS Storage Gateway)
• HSM-based key storage (AWS CloudHSM)
MORE CONTROL OF YOUR DATA
YOUR DATA STAYS WHERE YOU PUT IT: Customers Choose Where Their Compute and Storage is Located
NEW
Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU (Ireland), EU (Frankfurt), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), CHINA (Beijing), SOUTH AMERICA (Sao Paulo)
MFA DELETE PROTECTION
YOU CAN ENCRYPT ALL OF YOUR DATA
CHOOSE WHAT'S RIGHT FOR YOU:
• Automated – AWS manages encryption
• Enabled – user manages encryption using AWS
• Client-side – user manages encryption their own way
ENCRYPT YOUR SENSITIVE DATA: AWS EBS Encryption, Amazon S3 SSE, Amazon Glacier, Amazon Redshift, Amazon RDS, AWS CloudHSM
AWS CloudHSM
• Managed and monitored by AWS, but you control the keys
• Increase performance for applications that use HSMs for key storage or encryption
• Comply with stringent regulatory and contractual requirements for key protection
(diagram: an EC2 instance using AWS CloudHSM)
You can store your encryption keys in AWS CloudHSM
LEAST PRIVILEGE PRINCIPLE
CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT
Control Access and Segregate Duties with AWS IAM
(diagram: the AWS account owner delegates network management, security management, server management and storage management to separate identities, who build and run VPC A - 10.0.0.0/16 with subnets 10.0.1.0/24 and 10.0.2.0/24 across two Availability Zones, a router, an Internet Gateway to the Internet and a Customer Gateway, all in one Region)
• You get to control who can do what in your AWS environment and from where
• Fine-grained control of your entire cloud environment with two-factor authentication
• Integrated with your existing corporate directory using SAML 2.0
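The segregation of duties in the diagram only holds if the policies are evaluated the way IAM evaluates them: everything is denied by default, an explicit Deny in any matching statement wins, and otherwise a request needs at least one matching Allow whose conditions hold. The following is an added example, not AWS code and not from the talk: a small evaluator implementing that order, applied to three constructed policies for the network, security and server management roles named on the slide. It models only Effect, Action, Resource, "*" wildcards and the Bool condition on aws:MultiFactorAuthPresent; the account ID, region and ARNs are placeholders.

```python
"""Model of IAM policy evaluation applied to segregated-duty roles.

Constructed policies, not AWS managed policies. Evaluation order: implicit
deny by default, explicit Deny wins, otherwise Allow if any statement allows.
"""
import fnmatch

POLICIES = {
    "network-management": [
        {"Effect": "Allow",
         "Action": ["ec2:*Vpc*", "ec2:*Subnet*", "ec2:*RouteTable*",
                    "ec2:*SecurityGroup*", "ec2:Describe*"],
         "Resource": "*"},
    ],
    "security-management": [
        # Full IAM and CloudTrail rights, but only from an MFA-authenticated session.
        {"Effect": "Allow", "Action": ["iam:*", "cloudtrail:*"], "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        # Nobody switches off the audit trail, MFA or not: an explicit Deny beats the Allow above.
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
    "server-management": [
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:StartInstances",
                    "ec2:StopInstances", "ec2:Describe*"],
         # Placeholder account ID and region: only instances in this one region.
         "Resource": "arn:aws:ec2:ap-northeast-1:123456789012:instance/*"},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value: str) -> bool:
    # Action names are case-insensitive; '*' matches any run of characters, '/' and ':' included.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_ok(statement: dict, context: dict) -> bool:
    """Bool conditions: a key missing from the request context evaluates as 'false'."""
    for key, expected in statement.get("Condition", {}).get("Bool", {}).items():
        if str(context.get(key, "false")).lower() != str(expected).lower():
            return False
    return True

def evaluate(policies, action: str, resource: str, context=None) -> str:
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request."""
    context = context or {}
    allowed = False
    for st in policies:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_ok(st, context):
            continue
        if st["Effect"] == "Deny":
            return "EXPLICIT_DENY"          # a matching Deny ends evaluation immediately
        allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"

def least_privilege_check(role: str, action: str, resource: str = "*", mfa: bool = False) -> str:
    """Evaluate one request for one of the constructed roles."""
    ctx = {"aws:MultiFactorAuthPresent": str(mfa).lower()}
    return evaluate(POLICIES[role], action, resource, ctx)

if __name__ == "__main__":
    for role, action, res, mfa in [
        ("network-management", "ec2:AuthorizeSecurityGroupIngress", "*", False),
        ("network-management", "iam:CreateUser", "*", False),
        ("security-management", "iam:CreateUser", "*", False),
        ("security-management", "iam:CreateUser", "*", True),
        ("security-management", "cloudtrail:StopLogging", "*", True),
    ]:
        print(role, action, "mfa=" + str(mfa), "->", least_privilege_check(role, action, res, mfa))
```

The two cases worth noting are the security role without MFA (an Allow whose condition fails is simply absent, so the result is the implicit deny) and the CloudTrail StopLogging request, where a broad "cloudtrail:*" Allow is overridden by the narrow Deny. That Deny is how you protect the logs with IAM, as the CloudTrail slide recommends, even from the administrators who manage them.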
MORE CONTROL OF YOUR NETWORK
AWS Virtual Private Cloud: Create your own private, isolated section of the AWS cloud
• Provision a logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances (across Availability Zone A and Availability Zone B)
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity
Segregate your VPC into subnets to create your architecture (Web, App and DB tiers)
Each subnet has directional network access control lists (for example: Deny all traffic / Allow)
Each EC2 instance has stateful security group firewalls, up to five per instance (for example: allow Port 443 into the Web tier)
Control which subnets can route to the Internet or on-premise: Web PUBLIC, App PRIVATE, DB PRIVATE
REPLICATE ON-PREM
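The difference between the two firewall layers above is that subnet NACLs are stateless and security groups are stateful, and the practical consequence only shows up when reply traffic is traced. The following is an added example, not AWS code and not from the talk: it models a three-tier VPC and walks a request and its reply through the source security group, the source subnet's outbound NACL, the destination subnet's inbound NACL and the destination security group, naming the first stage that drops the packet. The deck names subnets 10.0.1.0/24 and 10.0.2.0/24; the DB subnet 10.0.3.0/24, the host addresses, the ports and the rule numbers are constructed. The DB subnet's NACL is deliberately missing its ephemeral-port return rule to show the failure mode. Security group outbound rules are modelled as open.

```python
"""Stateless NACLs versus stateful security groups in a three-tier VPC.

Documented behaviour reproduced here: NACL rules are numbered, evaluated
lowest number first, stateless, with an implicit final '*' deny; security
groups are allow-only and stateful, so replies to an allowed connection are
accepted without an inbound rule. All addresses and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

EPHEMERAL = (1024, 65535)   # return-traffic ports a stateless NACL must allow explicitly

def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Nacl:
    """Rules: (number, cidr, (low_port, high_port), 'allow'|'deny'), per direction."""
    inbound: list
    outbound: list

    @staticmethod
    def _evaluate(rules, ip, port) -> bool:
        for _, cidr, (lo, hi), action in sorted(rules, key=lambda r: r[0]):
            if _in(ip, cidr) and lo <= port <= hi:
                return action == "allow"     # first matching rule decides
        return False                         # the implicit final '*' deny

    def allows_in(self, p): return self._evaluate(self.inbound, p.src, p.dport)
    def allows_out(self, p): return self._evaluate(self.outbound, p.dst, p.dport)

@dataclass
class SecurityGroup:
    """Allow-only inbound rules (cidr, (low, high)); outbound open; stateful via a flow table."""
    inbound: list
    flows: set = field(default_factory=set)   # (local_ip, local_port, remote_ip, remote_port)

    def allows_in(self, p) -> bool:
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return True                      # reply to a connection this instance initiated
        return any(_in(p.src, c) and lo <= p.dport <= hi for c, (lo, hi) in self.inbound)

    def allows_out(self, p) -> bool:
        self.flows.add((p.src, p.sport, p.dst, p.dport))   # remember the initiated flow
        return True

WEB_NACL = Nacl(inbound=[(100, "0.0.0.0/0", (443, 443), "allow"),
                         (110, "10.0.2.0/24", EPHEMERAL, "allow")],    # replies from App
                outbound=[(100, "10.0.2.0/24", (8080, 8080), "allow"),
                          (110, "0.0.0.0/0", EPHEMERAL, "allow")])     # replies to clients
APP_NACL = Nacl(inbound=[(100, "10.0.1.0/24", (8080, 8080), "allow"),
                         (110, "10.0.3.0/24", EPHEMERAL, "allow")],
                outbound=[(100, "10.0.3.0/24", (3306, 3306), "allow"),
                          (110, "10.0.1.0/24", EPHEMERAL, "allow")])
DB_NACL = Nacl(inbound=[(100, "10.0.2.0/24", (3306, 3306), "allow")],
               outbound=[])                  # missing ephemeral reply rule: the failure mode

WEB_SG = SecurityGroup([("0.0.0.0/0", (443, 443))])
APP_SG = SecurityGroup([("10.0.1.0/24", (8080, 8080))])
DB_SG = SecurityGroup([("10.0.2.0/24", (3306, 3306))])

SUBNETS = {"10.0.1.0/24": WEB_NACL, "10.0.2.0/24": APP_NACL, "10.0.3.0/24": DB_NACL}
HOSTS = {"10.0.1.10": WEB_SG, "10.0.2.10": APP_SG, "10.0.3.10": DB_SG}

def subnet_of(ip: str):
    return next((c for c in SUBNETS if _in(ip, c)), None)

def send(p: Packet) -> str:
    """Trace one packet; return 'delivered' or the first stage that drops it."""
    src_sub, dst_sub = subnet_of(p.src), subnet_of(p.dst)
    if src_sub:
        if not HOSTS[p.src].allows_out(p):
            return "dropped: source security group"
        if not SUBNETS[src_sub].allows_out(p):
            return f"dropped: {src_sub} outbound NACL"
    if dst_sub is None:
        return "delivered"                   # leaves the VPC; routing is not modelled
    if not SUBNETS[dst_sub].allows_in(p):
        return f"dropped: {dst_sub} inbound NACL"
    if not HOSTS[p.dst].allows_in(p):
        return "dropped: destination security group"
    HOSTS[p.dst].flows.add((p.dst, p.dport, p.src, p.sport))   # accepted connection is tracked
    return "delivered"

def round_trip(src, sport, dst, dport):
    """Send a request and, if it arrived, the reply. Returns (request_result, reply_result)."""
    req = send(Packet(src, dst, sport, dport))
    rep = send(Packet(dst, src, dport, sport)) if req == "delivered" else "not sent"
    return req, rep

if __name__ == "__main__":
    print("client -> web 443:", round_trip("198.51.100.7", 40000, "10.0.1.10", 443))
    print("web -> app 8080: ", round_trip("10.0.1.10", 40001, "10.0.2.10", 8080))
    print("app -> db 3306:  ", round_trip("10.0.2.10", 40002, "10.0.3.10", 3306))
```

The web-to-app round trip succeeds with no inbound rule on the web security group because the group tracked the outgoing flow; the app-to-DB request is delivered but the reply dies at the DB subnet's outbound NACL, which is exactly the symptom ("connects but hangs") a missing ephemeral rule produces. The trace also shows that the web tier's broad ephemeral outbound rule lets a web host send to 10.0.3.10:3306, so it is the DB subnet's inbound NACL and the DB security group, not the web NACL, that keep the web tier away from the database.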
NEW: You can securely share resources between VPCs
AWS VPC Peering
• Route traffic between VPCs in private and peer specific subnets between each VPC
• Even between AWS accounts
(diagram: Digital Websites, Big Data Analytics and Enterprise Apps VPCs peered with a Common Services VPC)
You can connect in private to your existing datacentres
(diagram: YOUR AWS ENVIRONMENT, with Digital Websites, Big Data Analytics, Dev and Test and Enterprise Apps, connected to YOUR PREMISES through AWS Direct Connect and through a VPN over the Internet)
AWS SECURITY OFFERS MORE VISIBILITY, MORE AUDITABILITY, MORE CONTROL
AWS.AMAZON.COM/SECURITY
AWS SECURITY WHITEPAPERS: Risk & Compliance, Auditing Security Checklist, Security Processes, Security Best Practices
AWS MARKETPLACE: Security Solutions