Speaker: Rinon Belegu
Cloud and security don't go together? They DO!
Agenda
Introduction: AWS 101 in 5 minutes
Shared Responsibility Model
Identity and Access Management
Logging options and visualization
Overview of tools and options
Rinon Belegu: Legendary IT (Founder), Digicomp (Technical Lead AWS and Veeam)
Certifications:
AWS Mentor, AWS Champion AAI, AWS Trainer, AWS Ambassador, DASA DevOps Trainer, Microsoft Certified Trainer, Veeam Trainer, Veeam Exam Author
Cloud experience: built various cloud solutions 2007 – 2019 (Switzerland); implementation of private, public and hybrid cloud solutions
AWS 101 in 5 minutes
Basic Network Security
Overview 3-Tier App
Protecting customer data
Anonymization: personal attributes (for example the name and other identifying characteristics of a person) are irreversibly altered so that the data subject can no longer be identified. The data are consequently no longer classified as CID (client identifying data) or personal data.
Pseudonymization: personal attributes are replaced by an identifier, a so-called pseudonym. The mapping rule of this pseudonymization should remain under the company's control and be adequately protected. Every access should be restricted on a need-to-know basis and each access logged in a traceable way.
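The difference between the two techniques is easiest to see in code. The following is an added example written for this page, not code from the talk: anonymization drops the identifying attributes for good, while pseudonymization replaces them with a keyed pseudonym whose mapping rule (the key plus a re-identification table) stays with the data owner and whose every reversal is logged. The record layout, the field names and the hard-coded demo key are assumptions; in practice the key would come from a protected secret store.

```python
# Added example, not from the talk: anonymization versus pseudonymization of
# customer records with the Python standard library only.
# Assumptions not stated in the slides: records are flat dicts with the fields
# "name", "email", "city" and "balance"; the pseudonymization key is held by the
# data owner (here passed in as a constant so the demo runs offline; in practice
# it would live in a KMS-protected secret store); every re-identification is logged.
import hashlib
import hmac
import secrets

IDENTIFYING_FIELDS = ("name", "email")   # attributes that identify a person

# Constructed sample records (fictional people).
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "city": "Zurich", "balance": 1250},
    {"name": "Bob Example", "email": "bob@example.com", "city": "Bern", "balance": 80},
]


def anonymize(record: dict) -> dict:
    """Irreversibly drop the identifying attributes.

    Nothing that links the row back to a person survives, so the result is no
    longer personal data / CID and can be handed to analytics as-is.
    """
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}


def new_mapping_key() -> bytes:
    """The 'mapping rule' of the pseudonymization: a fresh 256-bit secret."""
    return secrets.token_bytes(32)


class Pseudonymizer:
    """Replace identifying attributes with a keyed pseudonym (HMAC-SHA256).

    Whoever holds the key and the table can re-link pseudonym and person, so
    both must stay under the company's control. An unkeyed hash would not do:
    names and e-mail addresses have little entropy, so an attacker could
    rebuild the mapping by hashing candidate values.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._identities = {}   # pseudonym -> identity (the re-identification table)
        self.audit_log = []     # (requester, purpose, pseudonym) for every resolve()

    def pseudonym_for(self, record: dict) -> str:
        identity = "|".join(record[f] for f in IDENTIFYING_FIELDS)
        pseudonym = hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()
        self._identities[pseudonym] = identity
        return pseudonym

    def pseudonymize(self, record: dict) -> dict:
        out = anonymize(record)
        out["pseudonym"] = self.pseudonym_for(record)
        return out

    def resolve(self, pseudonym: str, requester: str, purpose: str) -> str:
        """Need-to-know re-identification: every lookup is written to the audit log."""
        self.audit_log.append((requester, purpose, pseudonym))
        return self._identities[pseudonym]
```

The same record pseudonymized twice under the same key yields the same pseudonym (so records can still be joined), while a different key yields a different one; the anonymized copy cannot be joined back at all.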
KMS
AWS Key Management Service (KMS)
Managed encryption service that provides key storage and management, and data encryption
Two-tiered key hierarchy using envelope encryption: a master key kept in KMS wraps per-object data keys, and the data keys encrypt the data
Centrally manage and secure keys
Determine who can use keys with usage (key) policies
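To make the two-tier hierarchy concrete, here is an added example (not code from the talk or from AWS) that models envelope encryption end to end: a stand-in KMS that never releases master key material, a key policy listing the principals allowed to use a key, a per-object data key that is used once and stored only in wrapped form next to the ciphertext, and tamper detection on decrypt. The `FakeKms` class, the principal ARNs and the hash-based cipher are assumptions; the cipher is a stand-in for the AES-256-GCM that KMS and the AWS Encryption SDK actually use and must not be reused for anything real.

```python
# Added example, not from the talk or from AWS: the two-tier key hierarchy of
# envelope encryption, modelled with the Python standard library only.
# Assumptions not stated in the slides: FakeKms stands in for AWS KMS (master
# keys never leave it; callers get GenerateDataKey/Decrypt plus a key policy
# naming the principals allowed to use a key); _aead_encrypt/_aead_decrypt is a
# hash-based CTR keystream with an HMAC tag, standing in for AES-256-GCM.
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one 256-bit key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based CTR keystream (illustrative stand-in for AES-GCM)."""
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def _aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class FakeKms:
    """Models the part of AWS KMS that envelope encryption relies on.

    Master key material stays inside this object; callers only ever receive
    data keys and wrapped data keys. The key policy is a set of principal ARNs
    allowed to use the key.
    """

    def __init__(self):
        self._cmks = {}   # key_id -> (master key material, allowed principals)

    def create_key(self, key_id: str, allowed_principals) -> None:
        self._cmks[key_id] = (os.urandom(32), frozenset(allowed_principals))

    def _authorize(self, key_id: str, principal: str) -> bytes:
        material, allowed = self._cmks[key_id]
        if principal not in allowed:
            raise PermissionError(f"{principal} may not use key {key_id}")
        return material

    def generate_data_key(self, key_id: str, principal: str):
        """Like KMS GenerateDataKey: returns (plaintext data key, wrapped data key)."""
        master = self._authorize(key_id, principal)
        data_key = os.urandom(32)
        return data_key, _aead_encrypt(master, data_key)

    def decrypt(self, key_id: str, wrapped_data_key: bytes, principal: str) -> bytes:
        """Like KMS Decrypt: unwraps a data key (real KMS reads the key id from the blob)."""
        return _aead_decrypt(self._authorize(key_id, principal), wrapped_data_key)


def envelope_encrypt(kms: FakeKms, key_id: str, principal: str, plaintext: bytes) -> dict:
    """Tier 2: a fresh data key encrypts the object locally; only the wrapped
    copy of that data key is stored next to the ciphertext."""
    data_key, wrapped = kms.generate_data_key(key_id, principal)
    body = _aead_encrypt(data_key, plaintext)
    del data_key   # the plaintext data key is used once and discarded
    return {"key_id": key_id, "encrypted_data_key": wrapped, "ciphertext": body}


def envelope_decrypt(kms: FakeKms, envelope: dict, principal: str) -> bytes:
    """Tier 1 then tier 2: KMS unwraps the data key, the caller decrypts the body."""
    data_key = kms.decrypt(envelope["key_id"], envelope["encrypted_data_key"], principal)
    return _aead_decrypt(data_key, envelope["ciphertext"])
```

Note what the key policy buys: a principal who can read the stored envelope but is not listed on the key gets a `PermissionError` from the unwrap step and never sees a data key, and a flipped byte in the stored ciphertext is rejected before any plaintext is produced.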
KMS simplified
KMS Integration
Data Security: S3
What's that?
Once upon a time there was a hard disk...
Shared Responsibility Model
Security of the Cloud: AWS is responsible for the infrastructure that runs the services (hardware, software, networking, facilities)
Security in the Cloud: the customer is responsible for what they put on it (data, IAM, guest OS patching, network and firewall configuration, encryption)
Identity and Access Management (IAM)
Securely control access to AWS resources
IAM Authentication
IAM Authorization
AWS Account Root User
IAM Roles
Using Roles for Temporary Security Credentials
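The three IAM slides above (authentication, authorization, roles for temporary credentials) come together in the following added example, which is not code from the talk: a miniature of IAM policy evaluation with the real decision order (explicit Deny beats Allow beats the implicit deny), IAM-style wildcards, a trust policy that decides who may assume a role, and a session that stops authorizing once its temporary credentials expire. The sample role, the ARNs and the fixed one-hour session are assumptions, and the evaluator deliberately leaves out `NotAction`, `NotResource` and `Condition`.

```python
# Added example, not from the talk: a simplified model of IAM authorization and
# of assuming a role for temporary credentials, standard library only.
# Assumptions not stated in the slides: policies use only Effect/Action/Resource
# (no NotAction, NotResource or Condition); roles carry a trust policy as a set
# of principal ARNs; the session duration is fixed to one hour. The decision
# order is the real one: explicit Deny > Allow > implicit deny.
import re
from datetime import datetime, timedelta, timezone


def _glob(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcard match: '*' = any run of characters, '?' = one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policies, action: str, resource: str) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Actions are matched case-insensitively (as IAM does); ARNs are case-sensitive.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(_glob(a, action, True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"      # a single matching Deny ends the evaluation
                decision = "Allow"
    return decision


# Constructed sample role: may read the app's logs, but never the secrets prefix.
LOG_READER_ROLE = {
    "arn": "arn:aws:iam::123456789012:role/LogReader",
    "trust": {"arn:aws:iam::123456789012:user/Alice"},   # who may assume the role
    "policies": [{
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
            {"Effect": "Deny", "Action": "s3:*",
             "Resource": "arn:aws:s3:::app-logs/secrets/*"},
        ],
    }],
}

SESSION_DURATION = timedelta(hours=1)


def assume_role(role: dict, caller_arn: str, now: datetime) -> dict:
    """sts:AssumeRole in miniature: the trust policy decides who may assume the
    role; the result is a session that expires instead of long-lived user keys."""
    if caller_arn not in role["trust"]:
        raise PermissionError(f"{caller_arn} is not trusted by {role['arn']}")
    return {"role": role, "assumed_by": caller_arn, "expires": now + SESSION_DURATION}


def authorize(session: dict, action: str, resource: str, now: datetime) -> bool:
    """Temporary credentials stop working at expiry even if the policy allows."""
    if now >= session["expires"]:
        return False
    return evaluate(session["role"]["policies"], action, resource) == "Allow"
```

The Deny statement shows why "least privilege" is usually written with an explicit Deny on the sensitive prefix rather than relying on the Allow being narrow enough: no later Allow, in this or any other attached policy, can override it.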
Logging options and visualization
Challenges in Logging
Amazon CloudWatch
Provides real-time monitoring of your AWS resources and the applications you run on AWS
Monitors AWS built-in and custom metrics
Collects log files from services and applications
Includes events and alarms to send notifications and automatically make changes
Simple CloudWatch Example
An EC2 instance with the CloudWatch agent publishes metrics to Amazon CloudWatch: CPU utilization (standard metric) and 404 errors (custom metric)
A CloudWatch alarm fires when CPU utilization > X%
The alarm notifies an Amazon SNS topic, which e-mails the administrator
CloudWatch Events
Events
• Resource state changes
• API events from AWS CloudTrail
• Application-level events
• Scheduled events
Rules
• Match incoming events and route them to one or more targets
Targets
Use Case: Application Security
API security-relevant information
AWS CloudTrail
Who made the API call?
Where was the API call made from?
When was the API call made?
What was the API call and what resources were affected?
Log sample
{"Records": [{
  "eventVersion": "1.0",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2018-03-06T21:01:59Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "StopInstances",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "205.251.233.176",
  "userAgent": "ec2-api-tools 1.6.12.2",
  "responseElements": {
    "instancesSet": {
      "items": [{
        "instanceId": "i-ebeaf9e2",
        "currentState": {"code": 64, "name": "stopping"},
        "previousState": {"code": 16, "name": "running"}
      }]
    }
  },
  "requestParameters": {
    "instancesSet": {
      "items": [{"instanceId": "i-ebeaf9e2"}]
    },
    "force": false
  }
}]}
Who made the request? When and from where?
What was requested?
What was the response?
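The following added example (not code from the talk) serves both the CloudWatch Events slide above and the CloudTrail log sample: it answers the four questions (who, where, when, what, plus the response) for the sample record, wraps the record the way CloudTrail API calls arrive in CloudWatch Events / EventBridge (source `aws.<service>`, detail-type `AWS API Call via CloudTrail`), and routes it through an EventBridge-style event pattern. The rule that alerts on `StopInstances`/`TerminateInstances` and the `route` helper are assumptions; the matcher implements the core of the event-pattern semantics (every pattern key must exist in the event, scalar values must be one of the listed values, nested objects recurse) and nothing more.

```python
# Added example, not from the talk: extract the who/where/when/what from a
# CloudTrail record and route it with a CloudWatch Events (EventBridge) style
# rule, standard library only. SAMPLE_TRAIL is the record shown on the slide.
# Assumptions: the rule pattern and the route() helper are constructed for this
# example; CloudTrail API calls reach EventBridge with source "aws.<service>"
# and detail-type "AWS API Call via CloudTrail", with the record as "detail".
import json

SAMPLE_TRAIL = json.loads("""
{"Records": [{
  "eventVersion": "1.0",
  "userIdentity": {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID",
                   "arn": "arn:aws:iam::123456789012:user/Alice",
                   "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID",
                   "userName": "Alice"},
  "eventTime": "2018-03-06T21:01:59Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "StopInstances", "awsRegion": "us-west-2",
  "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2",
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]},
                        "force": false},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-ebeaf9e2",
      "currentState": {"code": 64, "name": "stopping"},
      "previousState": {"code": 16, "name": "running"}}]}}
}]}
""")


def summarize(record: dict) -> dict:
    """Answer the four CloudTrail questions (and 'what happened') for one record."""
    requested = record.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    responded = record.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return {
        "who": record["userIdentity"]["arn"],
        "where": record["sourceIPAddress"],
        "when": record["eventTime"],
        "what": f'{record["eventSource"]}:{record["eventName"]}',
        "resources": [i["instanceId"] for i in requested],
        "result": {i["instanceId"]: (i["previousState"]["name"], i["currentState"]["name"])
                   for i in responded},
    }


def to_eventbridge(record: dict) -> dict:
    """Wrap a CloudTrail record the way it is delivered to CloudWatch Events."""
    service = record["eventSource"].split(".")[0]
    return {"source": f"aws.{service}", "detail-type": "AWS API Call via CloudTrail",
            "region": record["awsRegion"], "detail": record}


def matches(pattern, event) -> bool:
    """EventBridge event-pattern matching (exact, case-sensitive values)."""
    if isinstance(pattern, list):                 # leaf: list of allowed values
        if isinstance(event, list):
            return any(e in pattern for e in event)
        return event in pattern
    if not isinstance(event, dict):               # pattern expects an object here
        return False
    return all(key in event and matches(sub, event[key]) for key, sub in pattern.items())


# Constructed rule: alert whenever an EC2 instance is stopped or terminated.
DISRUPTIVE_EC2_RULE = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"],
               "eventName": ["StopInstances", "TerminateInstances"]},
}


def route(records, rules: dict) -> list:
    """Return (rule name, summary) for every record that a rule matches."""
    hits = []
    for rec in records:
        event = to_eventbridge(rec)
        for name, pattern in rules.items():
            if matches(pattern, event):
                hits.append((name, summarize(rec)))
    return hits
```

A pattern key that the event does not carry (`errorCode` on a successful call, for instance) makes the rule not match, which is the behaviour to keep in mind when writing rules for failed calls: the key is only present when the call failed.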
Demo setup
AWS Config
Managed service that provides resource inventory, configuration history, and change notifications
Continuously captures details on all configuration changes associated with your resources
Enables compliance monitoring and security analysis
Sends notifications when changes occur
VPC Flow Logs
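VPC Flow Logs are only useful once something reads them, so here is an added example (not code from the talk) that parses records in the default version-2 format and answers two questions a security team asks first: which sources are repeatedly being rejected on SSH/RDP (scanning), and which SSH/RDP sessions were accepted from outside the VPC (a security-group mistake). The log lines, the VPC range and the thresholds are constructed for the example; the field order is the documented default: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status.

```python
# Added example, not from the talk: parse VPC Flow Log records (default v2
# format) and flag rejected and accepted connection attempts on admin ports.
# Assumptions: SAMPLE_LOG is constructed; VPC_CIDR is the assumed VPC range;
# NODATA/SKIPDATA records carry '-' in the traffic fields and are skipped.
import ipaddress
from collections import Counter

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
TCP = 6
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range

# Constructed sample: an external host probing SSH/RDP and being rejected, an
# internal admin session, normal HTTPS traffic, one accepted SSH session from
# the internet (misconfigured security group), and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-1235b8ca123456789 198.51.100.7 10.0.1.12 49152 22 6 4 240 1520345000 1520345060 REJECT OK
2 123456789012 eni-1235b8ca123456789 198.51.100.7 10.0.1.12 49153 22 6 4 240 1520345001 1520345061 REJECT OK
2 123456789012 eni-1235b8ca123456789 198.51.100.7 10.0.1.12 49154 3389 6 4 240 1520345002 1520345062 REJECT OK
2 123456789012 eni-1235b8ca123456789 10.0.1.25 10.0.1.12 51234 22 6 20 4249 1520345010 1520345070 ACCEPT OK
2 123456789012 eni-1235b8ca123456789 203.0.113.9 10.0.1.12 40000 443 6 12 5000 1520345020 1520345080 ACCEPT OK
2 123456789012 eni-1235b8ca123456789 203.0.113.9 10.0.1.12 40001 22 6 15 3100 1520345025 1520345085 ACCEPT OK
2 123456789012 eni-1235b8ca123456789 - - - - - - - 1520345030 1520345090 - NODATA
"""


def parse_record(line: str):
    """Parse one flow log line into a dict; None for records without traffic data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":          # NODATA / SKIPDATA: no traffic fields
        return None
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_record(l) for l in text.splitlines() if l.strip()) if r]


def rejected_admin_probes(records, threshold: int = 2) -> dict:
    """(source, service) pairs with at least `threshold` rejected TCP attempts on SSH/RDP."""
    counts = Counter()
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == TCP and r["dstport"] in ADMIN_PORTS:
            counts[(r["srcaddr"], ADMIN_PORTS[r["dstport"]])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def accepted_admin_from_outside(records, vpc=VPC_CIDR) -> list:
    """Accepted SSH/RDP sessions whose source is outside the VPC: should be empty."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS
            and ipaddress.ip_address(r["srcaddr"]) not in vpc]
```

In production the same two functions would run over the flow log group in CloudWatch Logs (or the S3 export) rather than over an inline string; the REJECT count is what a GuardDuty port-probe finding is built on, while the ACCEPT-from-outside list is the one you want to be empty.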
Amazon GuardDuty
Demo Visualization
Overview of tools and options
DDoS Challenges
AWS Shield
Managed Distributed Denial of Service (DDoS) protection service
Always-on detection
Network and transport layer protection
Standard vs. Advanced
Integration with Amazon Route 53, Amazon CloudFront, ELB
AWS WAF
Helps detect and block malicious web requests targeted at your web applications
Web traffic filtering
Real-time metrics
Application layer protection
Amazon Inspector Overview
Amazon Inspector
Automated assessments that help improve security and compliance of applications
Offers an agent-based solution
Detects vulnerabilities
Verifies security best practices
Generates findings report
Agent-less option available
Inspector - Findings
Assurance
Summary
AWS IAM
AWS SSO
AWS Directory Service
Amazon Cloud Directory
AWS Secrets Manager
Amazon Cognito
AWS Organizations
AWS Resource Access Manager
AWS Security Hub
Amazon GuardDuty
AWS CloudTrail
AWS Config
Amazon CloudWatch
VPC Flow Logs
AWS Systems Manager
AWS Shield
AWS WAF
Amazon Inspector
Amazon VPC
AWS Key Management Service (KMS)
AWS CloudHSM
Amazon Macie
AWS Certificate Manager
Server-Side Encryption
AWS Config Rules
AWS Lambda
Questions?