Speaker: Rinon Belegu

Cloud und Security geht nicht? Geht DOCH!

Agenda

Einleitung AWS 101 in 5 Minuten

Shared Responsibility Model Identity and Access Management Logging-Möglichkeiten und Visualisierung

Überblick Tools und Möglichkeiten

Rinon BeleguLegendary IT (Founder),Digicomp (Technical-Lead AWS and Veeam)

rinon@legendary.swiss

Certification:

AWS Mentor, AWS Champion AAI, AWS Trainer, AWS Ambassador, DASA DevOps Trainer, Microsoft Certified Trainer, Veeam Trainer, Veeam Exam Author

Cloud experience:Buildup diffrent Cloud-Solutions 2007 – 2019 (Switzerland) Implementation of Private-,Public- and Hybrid-Cloud Solutions

AWS 101 in 5 Minuten

Basic Network Security

Overview 3-Tier App

Schutz der Kundendaten

Anonymisierung: Bei der Anonymisierung werdenpersonenbezogene Attribute (zum Beispiel Name und andereIdentifikationsmerkmale einerPerson) unwiederbringlichverändert, so dass nicht mehr auf die betroffene Person geschlossen werden kann. Die Daten sind folglich nicht mehr alsCID beziehungsweisePersonendaten zu klassifizieren.

Pseudonymisierung: Bei der Pseudonymisierung werdenpersonenbezogene Attribute durch ein Kennzeichen, einsogenanntes Pseudonym, ersetzt. Die Zuordnungsregeldieser Pseudonymisierungsollte unter Kontrolle der Firma stehen und angemessengeschützt werden. JederZugang sollte nach dem Need-to-know-Prinzip geschützt und der Zugriff nachvollziehbarprotokolliert werden.

KMS

AWS Key Management

Service

Two-tiered key hierarchy using envelope

encryption

Centrally manage and secure keys

Determine who can use keys with usage policies

Managed encryption service that provides key storage and management, and data encryption

KMS vereinfacht

KMS Integration

Data-Security S3

Data-Security S3

What’s that?

Once Upon a time there was an hard disk..

Shared Responsibility Model

Shared Responsibility Model

Security of the Cloud

Security in the Cloud

Identity and Access Management (IAM)

Securely control access to AWS resources

IAM Authentication

IAM Authorization

AWS Account Root User

IAM Roles

Using Roles for Temporary Security Credentials

Logging-Möglichkeiten und Visualisierung

Challenges in Logging

Amazon CloudWatch

Amazon CloudWatch

Monitors AWS built-in and custom metrics

Collects log files from services and applications

Includes events and alarms to send notifications

and automatically make changes

Provides real-time monitoring of your AWS resources and the applications you run on AWS

Simple CloudWatch Example

EC2 instance with CloudWatch agent

CPU utilization > X%(CloudWatch Alarm)

Amazon CloudWatch

Amazon SNS

Email Happy

Administrator

CPU utilization(standard)

Notify

404 Errors (custom)

CloudWatch EventsEvents

• Resource state changes

• API events from AWS CloudTrail

• Application-level events

• Scheduled events

Rules

• Match incoming events and routes events to one or more targets.

Targets*

Use Case: Application Security

API Security-Relevant Information

AWSCloudTrail

Who?

Where? When?

What?Who made the API call?

Where was the API call made from?

When was the API call made?

What was the API call and what resources were affected?

Log sample

35

{"Records": [{

"eventVersion": "1.0","userIdentity": {

"type": "IAMUser","principalId": "EX_PRINCIPAL_ID","arn":

"arn:aws:iam::123456789012:user/Alice","accountId": "123456789012","accessKeyId": "EXAMPLE_KEY_ID","userName": "Alice"

},

"eventTime": "2018-03-06T21:01:59Z","eventSource": "ec2.amazonaws.com","eventName": "StopInstances","awsRegion": "us-west-2","sourceIPAddress": "205.251.233.176","userAgent": "ec2-api-tools 1.6.12.2",

"responseElements": {"instancesSet": {

"items": [{"instanceId": "i-ebeaf9e2","currentState": {

"code": 64,"name": "stopping"

},"previousState": {

"code": 16,"name": "running"

}

"requestParameters": {"instancesSet": {

"items": [{"instanceId": "i-ebeaf9e2"

}]},"force": false

},

Who made the request? When and from where?

What was requested?

What was the response?

Demo-Aufbau

AWS Config

AWS Config

Continuously captures details on all configuration

changes associated with your resources

Enables compliance monitoring and security

analysis

Sends notifications when changes occur

Managed service that provides resource inventory, configuration history, and change notifications

VPC Flow Logs

Guard Duty

Demo Visualization

Überblick Tools and Possibilities

DDoS Challenges

AWS Shield

AWS Shield

AWS Shield

Always-on detection

Network and Transport layer protection

Standard vs. Advanced

Integration with Amazon Route 53, Amazon

CloudFront, ELB

Managed Distributed Denial of Service (DDoS) protection service

AWS WAF

AWS WAF

Web traffic filtering

Real-time metrics

Application layer protection

Helps detect and block malicious web requests targeted at your web applications

AWS Inspector Overview

Amazon Inspector

Offers an agent-based solution

Detects vulnerabilities

Verifies security best practices

Generates findings report

Agent-less option available

Automated assessments that help improve security and compliance of applications

Inspector - Findings

Assurance

Summary

AWS IAM

AWS SSO

AWS Directory Service

AWS Cloud Directory

AWS Secrets Manager

AWS Cognito

AWS Organizations

AWS Resource Access

Manager

AWS Security Hub

Amazon GuardDuty

AWS CloudTrail

AWS Config

Amazon CloudWatch

VPC Flow Logs

AWS Systems Manager

AWS Shield

AWS WAF

Amazon Inspector

Amazon VPC

AWS Key Management

Service (KMS)

AWS CloudHSM

Amazon Macie

AWS Certificate

Manager

Server-Side Encryption

AWS Config Rules

AWS Lambda

Questions?