Opening Session Cloud Security Fundamentals

This document provides an overview of security best practices when using AWS. It explains that security of the cloud infrastructure is managed by AWS through controls like Availability Zones, Regions, and compliance programs, while security of applications and data in the cloud is managed by the customer. It recommends learning AWS Identity and Access Management (IAM) to control permissions, AWS Key Management Service (KMS) to encrypt data, and Amazon Virtual Private Cloud (VPC) for network security controls. The presentation aims to help builders understand what AWS manages versus what they need to secure when using AWS services.


Welcome to AWS Builders Online Series

Gabe Hollombe
Senior Developer Advocate,
Amazon Web Services
@gabehollombe
Why cloud infrastructure?

• Increase agility
• Gain scalability
• Improve reliability
• Lower costs
• Maximum security

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud security is a shared responsibility

• Security of the cloud: managed by AWS
• Security in the cloud: managed by you

Agenda
1. A builder-focused introduction to AWS's security controls
• Understand what AWS takes care of and what you need to secure
• Control your cloud infrastructure: AWS Identity and Access Management (IAM)
• Control your data: AWS Key Management Service (KMS)
• Control your network: Amazon Virtual Private Cloud (VPC)

2. An overview of what to expect from today's sessions

Security of the cloud

Managed by AWS

AWS Availability Zones

The Sydney Region (ap-southeast-2) is one AWS Region made up of three Availability Zones, ap-southeast-2a, ap-southeast-2b and ap-southeast-2c, each backed by its own physical sites.

AWS global infrastructure

• 24 Regions (+3 announced Regions)
• 77 Availability Zones
• 216 Network Points of Presence

https://aws.amazon.com/about-aws/global-infrastructure/

AWS compliance programs

Security in the cloud

Managed by you

Learn a few patterns, secure everything in AWS

• Permissions management: AWS Identity and Access Management (IAM)
• Data encryption: AWS Key Management Service (AWS KMS)
• Network security controls: Amazon Virtual Private Cloud (Amazon VPC)

AWS IAM
• What it is:
  • ‘I’—Authentication. Support for human and application caller identities
  • ‘AM’—Authorization. Powerful, flexible permissions language for controlling access to cloud resources
• Why it matters to you: Every AWS service uses IAM to authenticate and authorize API calls
• What builders need to know:
  • How to make authenticated API calls to AWS from IAM identities
  • Basic fluency in IAM policy language
  • Where to find, and how to understand, service-specific authorization control details

AWS identities for human callers: IAM users

An IAM user is an identity inside an AWS account that holds a long-term security credential.

AWS identities for human callers: Federated identities

A federated identity assumes an IAM role in the AWS account (for example, IAM Role: Administrator or IAM Role: Developer) and receives temporary security credentials.

AWS identities for non-human callers

• EC2 Instance
• Lambda Function
• Amazon SageMaker Notebook
• AWS Glue Crawler
• Amazon ECS Task

Creating a role in the AWS Management Console

AWS-managed policies for common sets of permissions

Reading and writing IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:*"
      ],
      "Resource": "*"
    }
  ]
}

In English: Allowed to take all Amazon DynamoDB actions

Reading and writing IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      "Resource": "*"
    }
  ]
}

In English: Allowed to take only a few specific Amazon DynamoDB actions

Reading and writing IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName",
        "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName/index/*"
      ]
    }
  ]
}

In English: Allowed to take specific Amazon DynamoDB actions on a specific table and its indexes

Reading and writing IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/Project": "${aws:PrincipalTag/Project}"
        }
      }
    }
  ]
}

In English: You can read secrets whose project tag matches your own

How to write a least-privilege IAM policy

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html

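The policies above are easier to reason about once you can run a request through the same decision rule IAM applies. The Go program below is an added example, not code from the slides or from any AWS library: a deliberately small model of identity-policy evaluation. It parses a policy document (accepting both the string and list forms of Action and Resource), matches actions and resources with IAM's `*` and `?` wildcards, expands `${...}` policy variables such as `${aws:PrincipalTag/Project}` from the request context, evaluates `StringEquals` conditions on any context key (the same mechanism the `aws:SourceVpce` condition later in this deck relies on), and applies the default-deny, explicit-Deny-wins rule. Other condition operators, resource-based policies, permission boundaries and SCPs are outside the model, and the `Request` contexts a caller feeds it are constructed values, not anything IAM emits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Request is what a service hands IAM for one API call: action, resource ARN and context keys.
type Request struct {
	Action, Resource string
	Context          map[string]string // e.g. "aws:PrincipalTag/Project": "billing"
}

// stringOrList accepts both forms IAM allows: "s3:GetObject" or ["a", "b"].
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = []string{one}
		return nil
	}
	var many []string
	err := json.Unmarshal(b, &many)
	*s = many
	return err
}

type statement struct {
	Effect    string
	Action    stringOrList
	Resource  stringOrList
	Condition map[string]map[string]stringOrList // operator -> key -> values
}

// glob implements IAM's '*' (any run) and '?' (one character) wildcards.
func glob(p, s string) bool {
	switch {
	case p == "":
		return s == ""
	case p[0] == '*':
		return glob(p[1:], s) || (s != "" && glob(p, s[1:]))
	case s != "" && (p[0] == '?' || p[0] == s[0]):
		return glob(p[1:], s[1:])
	}
	return false
}

// anyMatch: value matches some pattern (IAM folds action case; this model compares as written).
func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		if glob(p, value) {
			return true
		}
	}
	return false
}

// resolve expands ${key} policy variables; an unknown key stays literal and so never matches.
func resolve(v string, ctx map[string]string) string {
	for k, val := range ctx {
		v = strings.ReplaceAll(v, "${"+k+"}", val)
	}
	return v
}

// conditionHolds models StringEquals only: each key must be present and equal one value.
func conditionHolds(cond map[string]map[string]stringOrList, ctx map[string]string) bool {
	for op, keys := range cond {
		for key, wanted := range keys {
			actual, present := ctx[key]
			matched := false
			for _, w := range wanted {
				matched = matched || (present && resolve(w, ctx) == actual)
			}
			if op != "StringEquals" || !matched {
				return false // unsupported operator, missing key, or no value matched
			}
		}
	}
	return true
}

// Evaluate applies IAM's rule to one identity policy: default deny, a matching
// Allow grants access, and a matching explicit Deny always wins.
func Evaluate(policyJSON string, req Request) (bool, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return false, fmt.Errorf("policy is not valid JSON: %w", err)
	}
	allowed := false
	for _, st := range p.Statement {
		if !anyMatch(st.Action, req.Action) || !anyMatch(st.Resource, req.Resource) ||
			!conditionHolds(st.Condition, req.Context) {
			continue
		}
		if st.Effect == "Deny" {
			return false, nil
		}
		allowed = true
	}
	return allowed, nil
}
```

Feed `Evaluate` the table-scoped policy and a `dynamodb:GetItem` request on `MyTableName` to see an allow, then change the table name or the action to see the default deny; with the tag policy, a principal whose `aws:PrincipalTag/Project` is missing is denied because the variable never expands. Note that JSON with a trailing comma is rejected at parse time, which is exactly what the IAM console would do.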
AWS KMS
• What it is: AWS-managed encryption/decryption service
• Why it matters to you: Many data-handling AWS services offer simple AWS KMS integrations. If you know how to use AWS KMS, you can protect your data at rest simply and with no management overhead.
• What builders need to know:
  • The basics of how to use an AWS KMS key
  • Familiarity with the AWS KMS integrations offered by many AWS data-handling services
  • How to use IAM to control access to keys

The mechanics of an AWS KMS key

For encrypting individual pieces of data (<= 4 KB), use the AWS KMS key directly:
• KMS.Encrypt(“hello world”) ➔ AQICAHiwKPHZcwiIv…
• KMS.Decrypt(“AQICAHiwKPHZcwiIv…”) ➔ “hello world”

For encrypting application data, use envelope encryption:
• KMS.GenerateDataKey ➔ symmetric data key (plaintext and encrypted)
• Use the plaintext data key to encrypt your data, then discard it
• Store the encrypted data key alongside your data, e.g.
  EncryptedDataKey: AQIDAHiwKPHZcwiIv+V4760rokzKMlVWo0M9O2D5yVe3tqrBtwGBaaY6AwTrEcsjY0gTN8J8AAAAfjB8Bgk…
  EncryptedPayload: AQICAHiwKPHZcwiIv+V4760rokzKMlVWo0M9O2D5yVe3tqrBtwGEZdK9s3SxlUE11PSPSadGAAAAaTBnBgk…
• To decrypt:
  • KMS.Decrypt(encryptedDataKey) ➔ plaintextDataKey
  • Then decrypt the data with the plaintext symmetric key

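To make the envelope-encryption steps above concrete, here is an added Go example; it is not code from the slides or from the AWS SDK. `LocalKMS` is a constructed stand-in for the KMS API so that the program runs offline: its three methods play the roles of KMS Encrypt, Decrypt and GenerateDataKey, and its master key never leaves the struct, mirroring how a KMS key never leaves the service. Data-key wrapping and payload encryption both use AES-256-GCM from Go's standard library (KMS itself does not expose its internal cipher to you). The 4 KB limit on direct encryption quoted on the slide is enforced so that a caller with a larger payload is steered toward the envelope path, and the plaintext data key is zeroed as soon as the payload is encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// LocalKMS is a constructed stand-in for the AWS KMS API so this runs offline. Its
// master key never leaves the struct, as a KMS key never leaves KMS; in production
// these methods are the KMS Encrypt, Decrypt and GenerateDataKey API calls.
type LocalKMS struct{ master []byte }

func NewLocalKMS() (*LocalKMS, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return &LocalKMS{master: k}, err
}

const MaxDirectEncrypt = 4096 // KMS Encrypt accepts at most 4 KB of plaintext

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM authenticates, so a wrong key or tampering is an error.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Encrypt mirrors KMS.Encrypt: direct encryption of a small item, e.g. a password.
func (k *LocalKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > MaxDirectEncrypt {
		return nil, fmt.Errorf("%d bytes exceeds the %d-byte limit; use envelope encryption", len(plaintext), MaxDirectEncrypt)
	}
	return seal(k.master, plaintext)
}

// Decrypt mirrors KMS.Decrypt; it also unwraps data keys made by GenerateDataKey.
func (k *LocalKMS) Decrypt(ciphertext []byte) ([]byte, error) {
	return open(k.master, ciphertext)
}

// GenerateDataKey mirrors KMS.GenerateDataKey: a fresh 256-bit data key, returned
// in plaintext (use now, then discard) and encrypted under the master key (store).
func (k *LocalKMS) GenerateDataKey() (plain, encrypted []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	encrypted, err = seal(k.master, plain)
	return plain, encrypted, err
}

// Envelope is what gets stored: the encrypted payload with its encrypted data key
// alongside. The plaintext data key is never persisted.
type Envelope struct{ EncryptedDataKey, EncryptedPayload []byte }

func EnvelopeEncrypt(kms *LocalKMS, data []byte) (Envelope, error) {
	plainKey, encKey, err := kms.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	payload, err := seal(plainKey, data)
	for i := range plainKey {
		plainKey[i] = 0 // discard the plaintext key once the data is encrypted
	}
	return Envelope{EncryptedDataKey: encKey, EncryptedPayload: payload}, err
}

// EnvelopeDecrypt makes one KMS call to unwrap the data key, however large the
// payload is; the payload itself never travels to KMS.
func EnvelopeDecrypt(kms *LocalKMS, env Envelope) ([]byte, error) {
	plainKey, err := kms.Decrypt(env.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	return open(plainKey, env.EncryptedPayload)
}
```

Because only the 32-byte data key ever goes through the master key, the cost of protecting a 1 MiB object is one wrap at write time and one unwrap at read time, independent of payload size; and because GCM is authenticated, a payload modified at rest or a data key wrapped under a different master key fails to decrypt rather than yielding garbage.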
Encrypting the easy way with AWS Service Integrations

Option 1: Amazon S3 manages the encryption key

Option 2: An AWS KMS key in your account is used for encryption: “Customer-Managed Key” (CMK)

IAM permissions for AWS KMS keys

{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::my-bucket/*"
}

IAM permissions for AWS KMS keys

Once the object is encrypted with a customer-managed key, s3:GetObject alone is not enough; the caller also needs permission to use the key:

{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::my-bucket/*"
},
{
  "Effect": "Allow",
  "Action": "kms:Decrypt",
  "Resource": "arn:aws:kms:us-east-2:111122223333:key/01234567-89ab-cdef-0123-456789abcdef"
}

Amazon VPC
• What it is: “Your virtual data center in the cloud,” i.e., the network for your cloud infrastructure
• Why it matters to you: When you deploy cloud infrastructure, your VPC is the network that provides connectivity to and from that infrastructure
• What builders need to know:
  • VPC core concepts: Subnets and security groups
  • Routing basics in VPC
  • Private connectivity capabilities

What a VPC is and what goes in it

Region, e.g. eu-west-1
  VPC: 10.0.0.0/16, spanning three Availability Zones
    Availability Zone eu-west-1a: Public subnet 10.0.0.0/24, Private subnet 10.0.50.0/24
    Availability Zone eu-west-1b: Public subnet 10.0.1.0/24, Private subnet 10.0.51.0/24
    Availability Zone eu-west-1c: Public subnet 10.0.2.0/24, Private subnet 10.0.52.0/24
  EC2 Instances in each of the three Availability Zones; Amazon RDS in two of them

If you understand nothing else about VPC . . . understand security groups

Region, e.g. eu-west-1; VPC: 10.0.0.0/16; Availability Zones eu-west-1a, eu-west-1b, eu-west-1c
• Security groups wrap the EC2 Instances in each Availability Zone
• A separate security group wraps the Amazon RDS instances

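Security groups deserve the emphasis the slide gives them, so here is an added Go model of how one is evaluated; it is not code from the slides or from AWS. The groups, rules and flows are constructed to mirror the diagram: a web-tier group that admits HTTPS from anywhere and a database group that admits MySQL only from members of the web-tier group (AWS references groups by sg-id; names are used here for readability). It shows the two properties worth internalising: rules are allow-only, so a flow is admitted if any rule matches and dropped otherwise, and a rule may name another security group as its source instead of an IP range. `OpenToWorld` is the kind of pre-deployment check a builder runs to spot rules that admit traffic from 0.0.0.0/0 or ::/0.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one inbound security-group rule. Security groups hold allow rules
// only: a flow no rule matches is dropped, and there is no deny rule to write.
// The source is a CIDR block or another security group (named here; by sg-id in AWS).
type Rule struct {
	Protocol         string // "tcp", "udp", "icmp", or "-1" for all traffic
	FromPort, ToPort int
	SourceCIDR       string // e.g. "0.0.0.0/0"; empty when SourceGroup is set
	SourceGroup      string
}

type SecurityGroup struct {
	Name    string
	Inbound []Rule
}

// Flow is a connection attempt arriving at a resource in the group. SrcGroups
// lists the groups attached to the sending interface, if it lives in the VPC.
type Flow struct {
	Protocol  string
	Port      int
	SrcIP     string
	SrcGroups []string
}

func (r Rule) coversPort(f Flow) bool {
	return r.Protocol == "-1" || (r.Protocol == f.Protocol && f.Port >= r.FromPort && f.Port <= r.ToPort)
}

// Allows reports whether the group admits the flow: any one matching rule is
// enough. (Security groups are stateful, so replies to admitted flows pass
// automatically; that return path is not modelled here.)
func (sg SecurityGroup) Allows(f Flow) bool {
	ip := net.ParseIP(f.SrcIP)
	for _, r := range sg.Inbound {
		if !r.coversPort(f) {
			continue
		}
		if r.SourceCIDR != "" {
			if _, block, err := net.ParseCIDR(r.SourceCIDR); err == nil && ip != nil && block.Contains(ip) {
				return true
			}
		}
		for _, g := range f.SrcGroups {
			if r.SourceGroup != "" && g == r.SourceGroup {
				return true
			}
		}
	}
	return false
}

// OpenToWorld is the review check to run before deploying: it returns every
// rule that admits traffic from any IPv4 or IPv6 address.
func OpenToWorld(sg SecurityGroup) []Rule {
	var out []Rule
	for _, r := range sg.Inbound {
		if r.SourceCIDR == "0.0.0.0/0" || r.SourceCIDR == "::/0" {
			out = append(out, r)
		}
	}
	return out
}

// Constructed example mirroring the slide: web-tier instances behind one group,
// the RDS database behind another that only trusts the web group on MySQL's port.
var (
	WebSG = SecurityGroup{Name: "web-sg", Inbound: []Rule{
		{Protocol: "tcp", FromPort: 443, ToPort: 443, SourceCIDR: "0.0.0.0/0"},
	}}
	DBSG = SecurityGroup{Name: "db-sg", Inbound: []Rule{
		{Protocol: "tcp", FromPort: 3306, ToPort: 3306, SourceGroup: "web-sg"},
	}}
)

func main() {
	fromInternet := Flow{Protocol: "tcp", Port: 3306, SrcIP: "203.0.113.7"}
	fromWeb := Flow{Protocol: "tcp", Port: 3306, SrcIP: "10.0.0.15", SrcGroups: []string{"web-sg"}}
	fmt.Println("internet -> db 3306:", DBSG.Allows(fromInternet)) // false
	fmt.Println("web tier -> db 3306:", DBSG.Allows(fromWeb))      // true
	fmt.Println("db-sg rules open to the world:", len(OpenToWorld(DBSG)))
}
```

The group-as-source rule is what keeps the database reachable only from the tier that should talk to it, regardless of which subnet or address an instance lands on; an address inside the VPC that is not a member of web-sg is dropped just like one from the internet.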
If you understand only two things about VPC . . . understand routing

Region, e.g. eu-west-1; VPC: 10.0.0.0/16; Availability Zones eu-west-1a, eu-west-1b, eu-west-1c
• Internet gateway attached to the VPC
• Public subnets: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24
• Private subnets: 10.0.50.0/24, 10.0.51.0/24, 10.0.52.0/24

AWS resources not in your VPC

Region, e.g. eu-west-1; VPC: 10.0.0.0/16

$ dig logs.eu-west-1.amazonaws.com +short
52.94.221.80

VPC endpoints: Private connectivity to AWS services

Region, e.g. eu-west-1; VPC: 10.0.0.0/16
• Private subnets: 10.0.50.0/24, 10.0.51.0/24, 10.0.52.0/24
• One VPC endpoint in each private subnet, with a private address inside it: 10.0.50.125, 10.0.51.39, 10.0.52.82
• A security group attached to the VPC endpoints

VPC endpoints: Authorization using network path

Region, e.g. eu-west-1; VPC: 10.0.0.0/16

{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::my-bucket/*",
  "Condition": {
    "StringEquals": {
      "aws:SourceVpce": "vpce-11112222"
    }
  }
}

Learn a few patterns, secure everything in AWS

• Data encryption: AWS KMS
• Network security controls: Amazon VPC

AWS shared responsibility model

• Security in the cloud: managed by customers
• Security of the cloud: managed by AWS

Track 1: Performance Efficiency, Operational Excellence, Marketplace
Track 2: Reliability, Cost Optimization, Startup – AWS Activate

English Tracks, Korean Track, Bahasa Indonesia Track, Vietnamese Track

Agenda (https://aws.amazon.com/events/builders-online-series/ )

Builders Online Series

Thank you
Gabe Hollombe
@gabehollombe

