Duration 27:28
Introduction to AWS Security - Level 100 (United States)

Myles Hosford
Senior Principal at AWS
AWS Summit Online 2020
May 13, 2020, Online, San Francisco, CA, USA

About the talk

Ensuring security and compliance is a shared responsibility between AWS and the customer. In this session, we introduce the AWS Shared Responsibility Model along with key security services that allow you to build security controls that are aligned to the NIST Cybersecurity Framework categories: identify, protect, detect, respond, and recover. You also hear from a financial institution in Singapore about how they are developing a cloud security strategy that allows innovation within defined risk guardrails.

Learn more about AWS at - https://amzn.to/3etkfAy


About speaker

Myles Hosford
Senior Principal at AWS

Welcome to AWS Summit Online. My name is Myles, and I'm a principal security architect here at AWS. As part of my job, I get the pleasure of working with this may help them understand the cloud security model, but also to build cloud-native security programs to protect and attack the security event in AWS Cloud, security topics, which of the key component to invite to cloud security success. We will then take a look at those security of the cloud, all the controls and matches that AWS operate on your behalf and security in the cloud, which

all the controls that you with a customer that it's enough to build. I want to spend a bit of time covering security governance, which is an area that when done right will allow your teams to be agile and move fast but keep strong defined guardrails and controls to protect your systems. And finally, I want to close on two important next steps for you watching online to consider to uplift your AWS security knowledge. Before jumping to the shared responsibility model, I want to examine some key benefits of using AWS from a security perspective security. That is why

we listen closely to also both a secure cloud computing environment and innovative security services that satisfy the security and compliance needs of the most risk-sensitive organizations. Today, AWS protects millions of customers around the world. While customers represent diverse industries with a wide range of use cases, including large enterprises, startups, educational institutions and government organizations. Security at AWS. Darko infrastructure custom-built for the cloud and designed to meet the most stringent security requirements in the world. Our

infrastructure is monitored 24/7 to ensure the confidentiality, integrity and availability of our customers' data also build and maintain a broad selection of innovative security services. Help you simplify meeting your own security and regulatory requirements. As you inherit all of the benefits of our experience list of third-party assurance frameworks, I will come back to these frameworks in a moment. Customers use AWS to transform the way they do business

automating security and compliance tasks to reduce risk, so you can grow and innovate faster resources to focus on your customers. AWS has the largest network of security partners and solutions. Extend the benefits of AWS by using security technology and consulting services from familiar solution providers you already know and trust. Security and compliance is a shared responsibility between AWS and you, the customer. This shared model can help relieve the customer's operation, to add AWS operates, manages, and controls the components from the host operating

system and virtualization down to the physical security of the facility operates. The customary system, including things like a place and security patches. I just don't see a rated application software as well as the configuration of AWS-provided security group firewalls. custom, did the services. The pictures are their responsibilities will vary, depending on the services used, the integration of the services into the right environment, and applicable laws and regulations. The nature of the responsibilities

also provides the flexibility and customer control that permits the deployment. As shown in the diagram, this differentiation of responsibility is commonly referred to as security of the cloud versus security in the cloud. AWS is responsible for protecting the infrastructure that runs all of the services offered in AWS Cloud. This infrastructure is comprised of the hardware, software, networking and facilities that run AWS cloud services. The customer responsibilities of

a security responsibilities, for example, of such as Amazon Elastic Compute Cloud, or Amazon EC2, is categorized as infrastructure-as-a-service and as such requires the customer to perform all of the necessary security configuration and management tasks. Customers deploying an Amazon EC2 instance are responsible for the management of the guest operating system, including updates and security patches, any application software or utilities installed by the customer on those instances, and the configuration

of the AWS-provided firewall on each instance. or obstruct an Amazon DynamoDB AWS operating the operating system platforms and the customer access the endpoints to store and retrieve data. Customers are responsible for managing the, including encryption options classify and they're all set, I'm using IAM tools to apply the appropriate permissions. Let's take a closer look at security of the cloud. And now he was a customer. Can get a shoe. Run AWS effective. I mentioned the other day, WS, housing

expensive food, quality assurance program that audits and verifies our control objectives and implementations. We have many certifications and attestations. It's like you was a customer can use this year's report talk to PCI DSS and ISO 27001 certification are used extensively by all customers as a way for them to verify the controls that we operate are in fact effective, I thought the material outsourcing agreement. In addition to global programs, AWS also certifies regional AWS cloud, service, provider to achieve the Singapore Multi-Tier Cloud Security

certification for Singapore and its origin. The certification gives organizations the clarity to utilize AWS to host and process the highly confidential data in Singapore and South Korea. Web service has achieved the outsourced service providers attestation to meet in the high expectations for cloud service providers set by the financial services industry in Singapore. The ABS guidelines recommended Singapore banks select outsourced service providers

that provide us controls against the criteria specified in the guidelines. AWS Artifact is your go-to central resource for compliance-related information that it provides on-demand access to AWS security and compliance reports and select online reports available that validate the implementation and operating effectiveness of AWS security controls. the center provides a central location to research cloud regulations in specific countries and learn about AWS compliance programs. If you're interested in finding out more visit

Okay, we are now going to the customer side of the shared responsibility model, what we previously called security in the cloud. Regardless of the type of work that you and your security team with a number of security controls to build, run and operate. The men covering security visibility, intelligence, identity and access management, encryption, network security industry. Standards such as the NIST Cybersecurity Framework, which uses the concept of identify,

protect, detect, respond and recover as a way to frame your controls. While protecting and preventing security events is the first line of defense, many organizations now prefer to assume that may have been appropriate, detective, responsive and recover controls that allow them to control. This is operations. Diving deep into each of the security services offered by AWS is outside the scope of this presentation to take away from this. Is that AWS how they breath on that of security service offering that can help you meet your control objectives,

examples allows you to very easily patch or infrastructure systems on the predefined parts, baseline and schedule. And also allows you to execute commands directly on the operating system review only authorized commands are executed and systems attached to reduce the likelihood of mitigation service and AWS WAF, which is the firewall to protect your web applications against attacks like cross-site scripting and SQL injection. To encrypt your data, AWS offers AWS Key Management Service. Makes it easy for you to create and manage cryptographic keys and control

and in your own applications. It is a secure and resilient service that uses hardware security modules that have been validated and is integrated with AWS CloudTrail to provide you with logs of all key usage, to help meet your regulatory and compliance needs to sign in operations using asymmetric key pairs to ensure the integrity of your data. Recipients can verify the signatures. Where do they have in AWS account on now? AWS CloudTrail is a service that enables governance, compliance, operational audit in progress of your AWS account. With CloudTrail, you can log,

continuously monitor and retain account activity related to actions across your AWS infrastructure. AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools and other AWS services history. Simplify security analysis, research in tracking and troubleshooting. You can use CloudTrail to detect unusual activity in your AWS account. With AWS CloudTrail you can simplify your compliance audits by automatically recording and storing event logs for

actions made within your AWS account. Integration with Amazon CloudWatch Logs provides a convenient way to search through log data, identify out-of-compliance events, accelerate incident investigation. A request. I do want to take a closer look at one specific security service, Amazon GuardDuty for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time-consuming

for security teams to continuously analyze data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous protection in the AWS Cloud. machine. Anomaly detection, and integrated threat intelligence to identify and prioritize potential threats such an AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. The network activity on the account behavior within the AWS environment. Amazon GuardDuty comes integrated with activate private intelligence from AWS, CrowdStrike and Proofpoint. Threat intelligence

coupled with machine learning and behavior models help you detect activity such as cryptocurrency mining, credential compromise behavior, communication with known command and control my calls for malicious IP. In addition to the technocrats. He also makes it easy to automate how you respond to threats, reducing your remediation and recovery time, God by leveraging Amazon CloudWatch Events and AWS Lambda informative and operations, effective attacker information, such as IP address on geolocation. Now looking to explore the shared responsibility model, security of the

cloud and security in the cloud, I want to take a closer look at security governance. AWS offers a set of management and governance services to help our customers improve business agility and maintain governance control. Management and governance services. They can support innovation, unlock provision in Dalton, Max improve a security and compliance posture, enhance operational efficiency, and reduce cost. A customer how to use AWS scale, you want to know you follow AWS best practices, do isolate their resources and workloads into multiple AWS accounts for

capitalization and blast radius with customers needs an environment that is well governed in order to manage these multiple AWS accounts that they owned since 2016 AWS, well architected environment. Idle on a cloud environment, starting points that can be used to deploy customer workload, which can be deployed by a different solutions models. And we evolved out thinking and implementation for AWS multi-account environment London in 2016 and we've evolved it from an essay design

to an off-brand announced with full service, AWS Control Tower. We have an opinion that every Landing Zone used to have full function with opponents. It needs to set up an account structure as a baseline that allows for monitoring and operations. Secondly, it allows you to create accounts, the following standard best practice and integrate uses with your identity system of choice. It creates and allows you to all policies that can be detective or preventative and finally allows centralized access to all accounts by the cloud

admins. Unless you scale a know about distributed teams without those teams having to do all the heavy lifting every time. AWS Control Tower, the easiest way to set up and govern a secure, compliant, multi-account AWS environment. It actually abstracts. So you can set up your environment yourself based on best practices without needing to have lots of AWS knowledge. AWS Organizations established the structure for centralized, you can use it to establish granular control of your AWS account manager

and the policies that broadly or as narrowly as you need them. The next three services help you establish cost controls for when your environment is up and running, and finally the AWS Well-Architected Tool, this helps you prove your architectural the time against AWS best practices in the AWS Well-Architected Framework: security, reliability, performance, cost optimization and operational excellence. We don't need to provision in my teeth and increase developer and business use of velocity by providing the right services to the right

teams and they belong to self-service and provision. The security benefit of this approach is that relevant stakeholders, like infosec, risk, compliance and operations can order through these predefined patents against their internal policies and standards to ensure compliance. What's the populist being approved for use? It can be uploaded to service and consume self-service by business users and application teams throughout your organization, efficiency in a pre-production sign of all, operational readiness assessment again

that you can use to make provision in. So it's faster and secure. And the fact that we have AWS CloudFormation, which provisions resources quickly using infrastructure-as-code templates. AWS OpsWorks allows you to launch managed services of Chef and Puppet for configuration management to model and provision applications, rapidly deploy pseudo resources and automate tasks like package installation. AWS Marketplace allows you to access thousands of third-party solutions, ready to deploy from AWS Marketplace. AWS Service Catalog

allows you to easily deploy standardized predefined products in just a few clicks, speeding up innovation. expects to operation with control and visibility into how their resources and applications are being used and how they have almond. Then, they want to make sure where that is older people. Everything from how those resources are configured to, which uses a rack system and what policies are being enforced. They want to take operational action on those resources to manage the MIT scale logical group them and automate operational tasks safely

and securely at scale. And of course, they want to continue to optimize and analyze to reduce cost, improve efficiency and security. We have a really rough past data services that you can use to operate with both of us can control these, a more integrated services that are highly dynamic, always changing and highly scalable. CloudWatch helps you to improve visibility into all the resources. It can collect, visualize, analyze and correlate data points from the silos to help make your website on back in processes are running smoothly. If you get together with

AWS Organizations, you can raise events when specific actions occur in an organization, such as administrator, administrator attempts to leave the old Edition very easily and non-compliant resources will be taking a closer look at AWS Config soon. We have a number of services to help you optimize your environment. AWS Trusted Advisor provides recommendations on how you can save money by reducing underutilized resources for tolerance and performance. Many organizations, complete freaking security regulations

like the Social Services industry, may need to follow guidelines like the MAS Technology Risk Management guidelines here in Singapore, where technology risk and security will issue a checklist to the application and infrastructure team to complete. And the response will typically be a best-effort around full parcel or no complaints. There are challenges with this approach is the point of time assessment on the results today may not be the same as the results tomorrow. If it

is still accurate without three complete in it also there is a lot of human involvement. AWS security benefits, including an unprecedented visibility and real-time information, provides customers with the ability to perform continuous ongoing security compliance assessments. Visibility into who made what change from where in near real-time allows customers to detect misconfiguration, unknown compliances and respond quickly to prevent risk from materializing. AWS Config is a service that enables you to assess and evaluate the configurations of your AWS resources

resources and allows you to automate the evaluation of recorded configurations against your desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, configuration histories and determine your overall compliance against the configurations specified in your internal guidelines. security analysis, change management and operational troubleshooting. AWS Config rules allows customers to codify the security and compliance assessment into rules that run continuously and constantly evaluate your environment against

your information security policy. For example, you could take your static checklist of spreadsheet, play security assessment the verify the effectiveness of your controller into your information security, team technology. AWS Config allows you to record and retrieve the compliance status of a resource over time. This allows your risk and compliance teams to determine if a resource to compliance with ongoing changes. You can see from the screenshot in this example, the resources previously

compliant to the control and rule but some changes were in your teams can use the information provided here to troubleshoot security and operational incident quickly and effectively. Finally, AWS Config allows you to automatically respond and remediate security control failures in real-time. You can use AWS Config as a framework for creating a cruise across your AWS accounts and Regions. You can codify your compliance requirements, documents and package them together within a conformance pack that can be easily deployed across an organization

that. I want to close with two important next steps for you to continue learning about AWS Cloud security. The Well-Architected Framework has been developed to help cloud architects build such a high-performing, resilient and efficient infrastructure for their applications. Based on five pillars, operational security, reliability, performance efficiency and cost optimization, the framework provides a consistent approach for customers to evaluate architectures. And then let's take a look at the security pillar

of the Well-Architected Framework. There are 11 questions used to assess the security to protect information systems and ask this while delivering business value, and mitigation strategies. The security pillar for design principles, best practices and question. You can find prescriptive guidance on implementation in the security pillar white paper. have the ability to create a well architected review, which is a self-assessment against the questions laid out by the frame of himself on this slide. You can see an example of the question along with recommended answers that are

available for you to select. Once you completed your assessment, the tool will respond with whether we'd consider any high or medium respondents and provide a detailed recommendations for you to review and consider who's the security posture of the workload. Once you've completed the other four pillars, you get a complete view of your application finding across all five Well-Architected pillars: operational excellence, security, reliability, performance efficiency and cost optimization that. I want to leave you with

such as a 2-hour AWS security fundamentals, which will cover and refresh a lot of what we went through today, but also focus on more security services that we did not have time to cover. We also have a security certification, which is an exam to a test just to keep us in AWS will close, visit the security security, I hope you enjoy. Security services to help you build next-generation security and governance programs. Remember that I'm training, team members in cloud security conference and

facts,
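
The talk's point about AWS Config rules, that a static checklist can be codified into rules evaluated against every recorded configuration change, shown as an added example that is not part of the talk and is not AWS code. It runs offline on constructed data; the record fields (`ingress`, `changedBy`, `captureTime`) and the `sg-EXAMPLE` identifier are simplified assumptions, not the AWS Config schema.

```python
"""Added illustration: one checklist item codified as a continuously evaluated rule.

All data is constructed; field names are simplified assumptions rather than
the real AWS Config schema, and no AWS API is called.
"""
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}  # checklist item: no admin port open to any address

# Constructed configuration history for one hypothetical security group.
HISTORY = [
    {"resourceId": "sg-EXAMPLE", "captureTime": "2020-05-01T09:00:00Z",
     "changedBy": "alice",
     "ingress": [{"fromPort": 443, "toPort": 443, "cidr": "0.0.0.0/0"},
                 {"fromPort": 22, "toPort": 22, "cidr": "10.0.0.0/8"}]},
    {"resourceId": "sg-EXAMPLE", "captureTime": "2020-05-03T14:30:00Z",
     "changedBy": "bob",
     "ingress": [{"fromPort": 443, "toPort": 443, "cidr": "0.0.0.0/0"},
                 {"fromPort": 0, "toPort": 1024, "cidr": "0.0.0.0/0"}]},
    {"resourceId": "sg-EXAMPLE", "captureTime": "2020-05-03T15:10:00Z",
     "changedBy": "alice",
     "ingress": [{"fromPort": 443, "toPort": 443, "cidr": "0.0.0.0/0"}]},
]


def violations(item):
    """Return the ingress rules that expose an admin port to any address."""
    bad = []
    for rule in item["ingress"]:
        world = ip_network(rule["cidr"]).prefixlen == 0  # 0.0.0.0/0 or ::/0
        ports = range(rule["fromPort"], rule["toPort"] + 1)
        # A wide port range counts too, not only an exact port match.
        if world and any(p in ports for p in ADMIN_PORTS):
            bad.append(rule)
    return bad


def evaluate(item):
    """Evaluate one recorded configuration against the rule."""
    bad = violations(item)
    return {"resourceId": item["resourceId"],
            "captureTime": item["captureTime"],
            "changedBy": item["changedBy"],
            "compliance": "NON_COMPLIANT" if bad else "COMPLIANT",
            "violations": bad}


def compliance_timeline(history):
    """Evaluate every recorded change, oldest first."""
    ordered = sorted(history, key=lambda i: i["captureTime"])
    return [evaluate(i) for i in ordered]


def transitions(timeline):
    """Return the evaluations at which the compliance state flipped."""
    changes, previous = [], None
    for result in timeline:
        if previous is not None and result["compliance"] != previous:
            changes.append(result)
        previous = result["compliance"]
    return changes


if __name__ == "__main__":
    for r in compliance_timeline(HISTORY):
        print(r["captureTime"], r["compliance"], "changed by", r["changedBy"])
```

The transitions are what a risk or compliance team would review: each one names the change that moved the resource out of, or back into, compliance and who made it.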
