© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cameron Worrell, Solutions Architect
August 17th, 2017
Security @ (Cloud) Scale
Agenda
• AWS Controls that You Don’t Need to Worry About
• Framework to Help You Adapt the Cloud Faster
• AWS Services that You Should be Using
• Reference Architectures that You Can Use
AWS Security Controls
2,500+ controls
"I wish I was a Solid State Drive in someone else's Datacenter…"
AWS Security Controls (shared responsibility diagram)
AWS: AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
Customer: your own accreditation, your own certifications, your own external audits
Customer scope and effort is reduced; better results through focused efforts; built on AWS consistent baseline controls
Cloud Adoption Framework
• Each Perspective provides guidance for different parts of an organization
• Helps YOU adapt existing practices or introduce new practices for cloud computing
The Security Journey to the Cloud
Security in the cloud is familiar. The increase in agility and the ability to perform actions faster, at a larger scale and at a lower cost, does not invalidate well-established principles of information security.
The CAF Security Perspective
5 Core Capabilities
Identity and Access Management
Detective Controls
Infrastructure Security
Data Protection
Incident Response
Scaling to >1 Million Users (reference architecture diagram)
Edge and entry: User, Amazon Route 53, Amazon CloudFront, Amazon S3
Web tier: ELB load balancer in front of Web Instances spread across Availability Zones
Data tier: RDS DB Instance, Active (Multi-AZ), with RDS DB Instance Read Replicas; DynamoDB; ElastiCache
Asynchronous work: Amazon SQS, Worker Instances, Internal App Instances, Lambda, Amazon SES
Monitoring: Amazon CloudWatch
Security Already Built In…
• Security groups are virtual firewalls that control the traffic for one or more resources
• AWS IAM securely controls access to AWS services and resources for your users.
Identity and Access Management
AWS Organizations, AWS IAM, AWS Security Token Service
Detective Controls
AWS CloudTrail and Amazon CloudWatch (Account), AWS Config and Amazon Inspector (Resources), VPC Flow Logs (Network)
Detective Controls - VPC Flow Logs
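VPC Flow Logs only pay off once something reads them. The following is an added example, not part of the deck: a parser for the default (version 2) flow log record layout, with two detections run over constructed sample records: an external source sweeping TCP/22 across several instances and getting REJECTed (a security group doing its job, but a signal worth an alert), and an ACCEPTed TCP/22 flow from the internet (a security group that admits it). The VPC CIDR, the scan threshold and the sample records are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Default (version 2) flow log record layout, space separated
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "byte_count",
          "start", "end", "action", "log_status")
TCP = 6


class FlowRecord(NamedTuple):
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    start: int
    end: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; None for malformed lines and for NODATA/SKIPDATA
    records, whose address, port and counter fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    raw = dict(zip(FIELDS, parts))
    if raw["version"] != "2" or raw["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=raw["interface_id"], srcaddr=raw["srcaddr"], dstaddr=raw["dstaddr"],
        srcport=int(raw["srcport"]), dstport=int(raw["dstport"]), protocol=int(raw["protocol"]),
        packets=int(raw["packets"]), byte_count=int(raw["byte_count"]),
        start=int(raw["start"]), end=int(raw["end"]), action=raw["action"],
    )


def find_ssh_findings(lines: Iterable[str], vpc_cidr: str = "10.0.0.0/16",
                      scan_threshold: int = 3) -> List[dict]:
    """Two detections on TCP/22 traffic from outside the VPC:
    ssh_scan             one source REJECTed against >= scan_threshold distinct hosts
    ssh_accept_external  an ACCEPTed flow, i.e. a security group admits internet SSH
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    rejected: Dict[str, Set[str]] = defaultdict(set)
    findings: List[dict] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.protocol != TCP or rec.dstport != 22:
            continue
        if ipaddress.ip_address(rec.srcaddr) in vpc:
            continue  # intra-VPC SSH is not what these two rules look for
        if rec.action == "REJECT":
            rejected[rec.srcaddr].add(rec.dstaddr)
        elif rec.action == "ACCEPT":
            findings.append({"type": "ssh_accept_external", "src": rec.srcaddr,
                             "dst": rec.dstaddr, "interface": rec.interface_id})
    for src, targets in rejected.items():
        if len(targets) >= scan_threshold:
            findings.append({"type": "ssh_scan", "src": src, "targets": sorted(targets)})
    return findings


# Constructed sample records (documentation-range addresses, not real traffic)
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51234 22 6 3 180 1502900000 1502900060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.11 51235 22 6 3 180 1502900000 1502900060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.12 51236 22 6 3 180 1502900000 1502900060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.13 51237 443 6 10 2000 1502900000 1502900060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 198.51.100.7 10.0.2.20 40000 22 6 25 4100 1502900000 1502900060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.10 10.0.2.20 40001 22 6 25 4100 1502900000 1502900060 ACCEPT OK
2 123456789012 eni-0e5f6a7b - - - - - - - 1502900000 1502900060 - NODATA
"""

if __name__ == "__main__":
    for finding in find_ssh_findings(SAMPLE_LOG.splitlines()):
        print(finding)
```

In production the same two functions would run from a Lambda subscribed to the CloudWatch Logs group the flow log delivers to, with the ssh_scan threshold tuned per environment; the NODATA/SKIPDATA guard matters there because those records arrive in every log group.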
Infrastructure Security
Network: AWS Shield, AWS WAF
Resources: AWS OpsWorks, AWS Trusted Advisor, AWS Config Rules
Demo @ https://waf.widgetsllc.xyz
Infrastructure Security – AWS Config Rules
• AWS CloudTrail should be enabled… Is it?
• All EBS volumes should be encrypted… Are they?
• No security group in the attached state should allow unrestricted access to port 22… Do any?
• Codify and automate your own practices
• Get started with samples in AWS Lambda
• Implement guidelines for security best practices and compliance
• Use rules from various AWS Partners
• View compliance in one dashboard
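The questions above are exactly what a custom Config rule answers on every configuration change, rather than once at audit time. The following is an added example, not the deck's code: a Lambda-backed custom rule that evaluates AWS::EC2::SecurityGroup items for inbound port 22 open to 0.0.0.0/0 or ::/0 (covering the all-traffic "-1" protocol and port ranges that span 22) and AWS::EC2::Volume items for encryption, then reports through PutEvaluations. Treating "attached" as "has a related network interface in configurationItem.relationships", the constructed configuration items and the FakeConfigClient stand-in are assumptions made for this example.

```python
import json
from typing import Callable, Dict, List, Tuple

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def covers_port(perm: dict, port: int) -> bool:
    """True if an ipPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                      # "All traffic" rule: every port, every protocol
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def world_open_cidrs(perm: dict) -> List[str]:
    """CIDRs on the rule that mean 'anywhere'. Config's security group items carry
    both the legacy ipRanges string list and the ipv4Ranges/ipv6Ranges objects."""
    cidrs = list(perm.get("ipRanges", []))
    cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return sorted(set(c for c in cidrs if c in WORLD_CIDRS))


def evaluate_security_group(item: dict) -> Tuple[str, str]:
    # Assumption for this example: "attached" means a related network interface exists
    attached = any(rel.get("resourceType") == "AWS::EC2::NetworkInterface"
                   for rel in item.get("relationships", []))
    if not attached:
        return "NOT_APPLICABLE", "security group is not attached to a network interface"
    for perm in (item.get("configuration") or {}).get("ipPermissions", []):
        if covers_port(perm, 22):
            world = world_open_cidrs(perm)
            if world:
                return "NON_COMPLIANT", "inbound port 22 open to " + ", ".join(world)
    return "COMPLIANT", "no unrestricted inbound rule reaches port 22"


def evaluate_volume(item: dict) -> Tuple[str, str]:
    encrypted = (item.get("configuration") or {}).get("encrypted")
    if encrypted is True:
        return "COMPLIANT", "volume is encrypted"
    return "NON_COMPLIANT", "volume is not encrypted"


EVALUATORS: Dict[str, Callable[[dict], Tuple[str, str]]] = {
    "AWS::EC2::SecurityGroup": evaluate_security_group,
    "AWS::EC2::Volume": evaluate_volume,
}


def evaluate(item: dict) -> Tuple[str, str]:
    """Dispatch on resource type; a deleted resource must not be re-flagged."""
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource was deleted"
    fn = EVALUATORS.get(item.get("resourceType"))
    if fn is None:
        return "NOT_APPLICABLE", "rule does not cover " + str(item.get("resourceType"))
    return fn(item)


def lambda_handler(event, context, config_client=None):
    """Config invokes the rule with invokingEvent as a JSON string; the verdict
    goes back through PutEvaluations with the per-invocation resultToken."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config rejects annotations longer than 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # lazy import keeps the evaluators importable without boto3
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed configuration items (shape follows Config's SecurityGroup and Volume items)
OPEN_SSH_SG = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2017-08-17T16:00:00.000Z",
    "relationships": [{"resourceType": "AWS::EC2::NetworkInterface", "resourceId": "eni-0a1b2c3d"}],
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]},
}
UNENCRYPTED_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2017-08-17T16:00:00.000Z",
    "configuration": {"encrypted": False},
}


class FakeConfigClient:
    """Records PutEvaluations calls so the handler can be exercised offline."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def run_offline(item: dict) -> dict:
    event = {"invokingEvent": json.dumps({"configurationItem": item}), "resultToken": "constructed"}
    return lambda_handler(event, None, config_client=FakeConfigClient())
```

Deploy it as one Lambda with a Config rule scoped to both resource types, and keep the rule's execution role to config:PutEvaluations; the evaluators take the configuration item as delivered, so they need no describe permissions of their own.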
Data Protection
AWS CloudHSM AWS Key Management Service
AWS Certificate Manager
Data Protection - Encryption
Encryption In-Transit: SSL/TLS, VPN / IPsec, SSH
Encryption At-Rest: Object, Database, Filesystem, Disk
Data Protection – AWS Certificate Manager
• AWS Certificate Manager (ACM) lets you provision, manage, and deploy TLS certificates for use with Elastic Load Balancing load balancers or Amazon CloudFront distributions.
• No additional charge for provisioning TLS certificates
• Manages the renewal process of TLS certificates
• Certificates are issued by Amazon's certificate authority (CA), Amazon Trust Services (ATS), after ACM has validated that you control the domain
• The private key of an ACM-issued public certificate never leaves the service: it can be deployed only to the integrated services, not exported to run on your own instances
Data Protection – AWS KMS (envelope encryption diagram)
Customer Master Keys protect the data keys (Data key 1 to Data key 4), and each data key encrypts one resource: an S3 object, an EBS volume, an Amazon Redshift cluster, and data in a custom application.
Incident Response
Amazon CloudWatch, AWS Lambda
Incident Response – Amazon CloudWatch Events
Incident Response – Lambda Log
from __future__ import print_function
import json

def lambda_handler(event, context):
    # Dump the whole CloudWatch Events payload to CloudWatch Logs so the event
    # shape (detail.eventName, detail.requestParameters, ...) can be inspected
    print(json.dumps(event, indent=2))
Incident Response – Lambda Respond
import boto3

def lambda_handler(event, context):
    cloudtrail = boto3.client('cloudtrail')
    # For a StopLogging call, requestParameters.name carries the trail name or ARN
    trail_arn = event["detail"]["requestParameters"]["name"]
    ct_response = cloudtrail.start_logging(
        Name = trail_arn
    )
Incident Response – Lambda Notify
# continues inside lambda_handler(event, context); needs import boto3, json
sns_topic = "arn:aws:sns:us-east-1:123459227412:reporter-topic"
subject = 'EVENT: ' + event["detail"]["eventName"]
# Parentheses join the pieces across lines; "\n" gives real line breaks in the email
message = ("What happened? " + event["detail"]["eventName"] + "\n"
           "What service? " + event["detail"]["eventSource"] + "\n"
           "Where? " + event["detail"]["awsRegion"] + "\n"
           "When? " + event["detail"]["eventTime"] + "\n"
           "Who? " + json.dumps(event["detail"]["userIdentity"], indent=2))
sns = boto3.client('sns')
sns_response = sns.publish(
    TopicArn = sns_topic,
    Message = message,
    Subject = subject,
    MessageStructure = 'string'
)
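The Log, Respond and Notify fragments above as one complete handler, with the rule's event pattern next to it. This is an added example, not the deck's code: the handler ignores events the rule should not have matched, skips any response for calls that CloudTrail recorded as failed (an errorCode means logging was never actually stopped), re-enables logging for StopLogging, and flags DeleteTrail for manual recreation because there is nothing left to restart. The SNS topic ARN, the sample event and the RecordingClient stand-in for the boto3 clients are constructed for this example.

```python
import json

SNS_TOPIC = "arn:aws:sns:us-east-1:123456789012:reporter-topic"  # placeholder, not a real topic

# Event pattern for the CloudWatch Events rule: CloudTrail management API calls that
# switch a trail off. StartLogging (what this handler calls) is deliberately not in
# the list, so the responder cannot trigger itself.
RULE_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail"],
    },
}


def event_matches(event: dict, pattern: dict = RULE_PATTERN) -> bool:
    """Exact-value matching, the subset of event-pattern semantics used above."""
    detail = event.get("detail") or {}
    return (event.get("source") in pattern["source"]
            and event.get("detail-type") in pattern["detail-type"]
            and detail.get("eventSource") in pattern["detail"]["eventSource"]
            and detail.get("eventName") in pattern["detail"]["eventName"])


def build_message(detail: dict) -> str:
    """The who/what/where/when summary from the Notify slide, with real newlines."""
    return "\n".join([
        "What happened? " + detail["eventName"],
        "What service? " + detail["eventSource"],
        "Where? " + detail["awsRegion"],
        "When? " + detail["eventTime"],
        "Who? " + json.dumps(detail.get("userIdentity", {}), indent=2),
    ])


def respond(detail: dict, cloudtrail_client) -> str:
    """Undo what can be undone and report what was done. A CloudTrail record with
    errorCode means the call was denied, so there is nothing to reverse."""
    if "errorCode" in detail:
        return "no action: the call failed with " + detail["errorCode"]
    name = detail["requestParameters"]["name"]  # trail name or ARN
    if detail["eventName"] == "StopLogging":
        cloudtrail_client.start_logging(Name=name)
        return "re-enabled logging on " + name
    return "trail " + name + " was deleted and must be recreated"


def lambda_handler(event, context, cloudtrail_client=None, sns_client=None):
    if not event_matches(event):
        return {"ignored": True}
    if cloudtrail_client is None or sns_client is None:
        import boto3  # lazy import keeps the module importable without boto3
        cloudtrail_client = cloudtrail_client or boto3.client("cloudtrail")
        sns_client = sns_client or boto3.client("sns")
    detail = event["detail"]
    action = respond(detail, cloudtrail_client)
    sns_client.publish(
        TopicArn=SNS_TOPIC,
        Subject=("EVENT: " + detail["eventName"])[:100],  # SNS caps subjects at 100 characters
        Message=build_message(detail) + "\nResponse: " + action,
        MessageStructure="string",
    )
    return {"ignored": False, "action": action}


# Constructed sample event in the shape CloudWatch Events delivers for CloudTrail calls
SAMPLE_EVENT = {
    "version": "0", "id": "constructed-event-id", "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail", "account": "123456789012",
    "region": "us-east-1", "time": "2017-08-17T16:00:00Z", "resources": [],
    "detail": {
        "eventVersion": "1.05", "eventTime": "2017-08-17T16:00:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "IAMUser", "userName": "constructed-user",
                         "arn": "arn:aws:iam::123456789012:user/constructed-user"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
        "responseElements": None,
    },
}


class RecordingClient:
    """Stand-in for the boto3 clients so the handler can be run offline."""
    def __init__(self):
        self.calls = []

    def start_logging(self, **kwargs):
        self.calls.append(("start_logging", kwargs))
        return {}

    def publish(self, **kwargs):
        self.calls.append(("publish", kwargs))
        return {"MessageId": "constructed"}


if __name__ == "__main__":
    ct, sns = RecordingClient(), RecordingClient()
    print(lambda_handler(SAMPLE_EVENT, None, ct, sns))
    print(sns.calls[0][1]["Message"])
```

The Lambda execution role needs only cloudtrail:StartLogging on the trail and sns:Publish on the topic; the identity that stopped logging is still in the message, so the follow-up (credential revocation, a review of that principal's other calls) stays a human decision rather than something this function does unattended.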
Incident Response – Amazon SNS Notification
Incident Response – Complete
Scaling to >1 Million Users (the same reference architecture with security services overlaid)
Security services added to the diagram: AWS WAF, AWS Shield, AWS Organizations, AWS CloudTrail, AWS Config, VPC Flow Logs, Amazon Inspector, AWS OpsWorks
Deploy Faster Wherever You Like
16 Regions – 44 Availability Zones – 82 Edge Locations
Region & Number of Availability Zones
US East: N. Virginia (6), Ohio (3)
US West: Oregon (3), Northern California (3)
AWS GovCloud (2)
Canada: Central (2)
South America: São Paulo (3)
EU: Ireland (3), Frankfurt (3), London (2)
Asia Pacific: Singapore (2), Sydney (2), Tokyo (3), Seoul (2), Mumbai (2)
China: Beijing (2)
AWS Marketplace Security Partners
Categories: Infrastructure Security; Logging & Monitoring; Identity & Access Control; Configuration & Vulnerability Analysis; Data Protection
Summary
• AWS Security Benefits:
• Integrated Security & Compliance
• Global Resilience, Visibility, & Control
• Maintain Your Privacy and Data Ownership
• Agility Through Security Automation
• Security Innovation at Scale
• Broad Security Partner & Marketplace Solutions
Thank You!
