September Webinar - Understanding AWS Cloud Security (양승도 (Seungdo Yang), Solutions Architect)

AWS

[email protected]. 09.

In this webinar I am going to introduce Amazon Web Services, also known as AWS, and some of the fundamental concepts behind the Amazon Cloud.

AWS


DATA


DB1, DB2, App1, App2, Web1, Web2, SW1, SW2, LB1, LB2


AWSAWS .

API (++) . .

. . AWS 8 , AWS . AWS API . API . . .8

AWS

AWS ( or ) (// ), , (IAM), , Customers

AWS

AWS .

AWS . AWS / , AWS . . . .

9

AWS

AWS

VPC NACL / VPC Flow Logs / Bastion Hosts / NAT / HTTPS / SSL / TLS

Service Catalog / Config / IAM (MFA/Role) / CloudWatch Logs

KMS / CloudHSM / CloudTrail

AWS . AWS VPC IAM KMS . AWS . ISO27017/27018 , VPC Security Group 500 . NAT NAT G/W . , Config IAM . IAM , CloudTrail .

AWS ! , /,

, , , 2015 40% , 722

269(37%)

722 37

AWS . , . , 40% , . AWS .


AWS // .

, AWS . ISO27017/27018 . AWS , .


/ - (Disk Wiping)


-- Tom Soderstrom, CTO, NASA JPL

AWS: Visibility, Controllability, Auditability


(, , )

: , .

.. .. . .. ,. ..


: = software! , , . . .

We think it can get better. ESM (Enterprise Security Management)

. .. . . . , SIEM(security information and event management) , , . SIEM . . . .. . AS-IS . . ..


AWS CloudWatch

EC2, AutoScaling, ELB, Route 53, EBS, Storage Gateway, CloudFront, DynamoDB, ElastiCache, RDS, EMR, SNS, SQS, EBS, Custom

CPU . . , .. 200 200 . 200 .. 100 . . . 100 . . . .

Amazon CloudWatch Logs (EC2)

HTTP 404 -> CloudWatch Metrics

404 -> CloudWatch Alarms

.. . .. EC2 () () . . . . ,, .. . ..

1 5..


404 URL
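The CloudWatch Logs -> metric filter -> alarm flow the slide describes, reproduced locally as an added example (this is not code from the webinar or from AWS). The access-log lines are constructed, the log layout is assumed to be Apache/nginx combined format, and the 1-minute and 5-minute periods mirror the periods mentioned on the slide; in AWS the filter pattern and the alarm are configured in CloudWatch, here the same logic is plain Python so the threshold behaviour can be seen end to end.

```python
"""Added example: count HTTP 404s per period and raise a CloudWatch-style alarm.
Log lines below are constructed; the format is assumed (combined log format)."""
import re
from collections import Counter
from datetime import datetime

# Apache/nginx combined-log layout (assumed format for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: three 404s in minute :00, one in :01, three in :02,
# plus one malformed line that the filter must skip.
SAMPLE_LOG = """\
10.0.1.20 - - [10/Sep/2015:09:00:05 +0900] "GET /index.html HTTP/1.1" 200 5120
10.0.1.21 - - [10/Sep/2015:09:00:12 +0900] "GET /old/1.html HTTP/1.1" 404 312
10.0.1.21 - - [10/Sep/2015:09:00:13 +0900] "GET /old/2.html HTTP/1.1" 404 312
10.0.1.21 - - [10/Sep/2015:09:00:14 +0900] "GET /old/3.html HTTP/1.1" 404 312
10.0.1.22 - - [10/Sep/2015:09:00:40 +0900] "GET /about.html HTTP/1.1" 200 2048
this line is not in the expected format
10.0.1.21 - - [10/Sep/2015:09:01:02 +0900] "GET /old/4.html HTTP/1.1" 404 312
10.0.1.23 - - [10/Sep/2015:09:01:30 +0900] "GET /index.html HTTP/1.1" 200 5120
10.0.1.21 - - [10/Sep/2015:09:02:07 +0900] "GET /old/5.html HTTP/1.1" 404 312
10.0.1.21 - - [10/Sep/2015:09:02:08 +0900] "GET /old/6.html HTTP/1.1" 404 312
10.0.1.21 - - [10/Sep/2015:09:02:09 +0900] "GET /old/7.html HTTP/1.1" 404 312
"""


def parse_line(line):
    """Field extraction, the job a CloudWatch Logs filter pattern does."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def count_404_per_period(log_text, period_seconds=60):
    """Metric filter: one datapoint per period (60 s or 300 s) = number of 404s.
    Periods with only non-404 traffic get an explicit 0 so the alarm sees them."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, exactly as a filter pattern would
        bucket = int(rec["ts"].timestamp()) // period_seconds * period_seconds
        counts[bucket] += 1 if rec["status"] == 404 else 0
    return dict(sorted(counts.items()))


def alarm_periods(counts, threshold=3, evaluation_periods=1):
    """CloudWatch-style alarm: fires when the metric is >= threshold for
    `evaluation_periods` consecutive datapoints. Returns the epoch start of
    each period in which the alarm is in ALARM state."""
    buckets = sorted(counts)
    fired = []
    for i in range(evaluation_periods - 1, len(buckets)):
        window = buckets[i - evaluation_periods + 1:i + 1]
        if all(counts[b] >= threshold for b in window):
            fired.append(buckets[i])
    return fired


if __name__ == "__main__":
    per_minute = count_404_per_period(SAMPLE_LOG)
    for start, n in per_minute.items():
        print(datetime.fromtimestamp(start).strftime("%H:%M"), "404s:", n)
    print("alarm at:", alarm_periods(per_minute, threshold=3))
```

With `evaluation_periods=1` the alarm fires twice on the sample (minute :00 and :02); raising it to 2 consecutive periods suppresses both, which is the usual way to trade a little latency for fewer false alarms before wiring the alarm to an SNS notification.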

AWS Trusted Advisor Security

. (TCP) .. . . TA .( ) .10 .

As is . .. .

Trusted Advisor gives you best-practice recommendations in 4 different areas: cost optimization, security, fault tolerance, performance.

Here you have a couple of recommendations regarding security, including the usage of security groups, IAM accounts, MFA authentication for root, etc.

71 20 . Unrestricted .. . . . .


AWS Inspector: Agent - API. Rule Packages: CVE (common vulnerabilities and exposures); Network security best practices (4); Authentication best practices (9); Operating system security best practices (4); Application security best practices (2); PCI DSS 3.0 readiness (25)

, .

, . ,( )

knowledge base RULE SET . (

CVE: several thousand checks; Network Security: 4 checks (weak ciphers, vulnerable TLS version, SMB packet signing); Authentication: 9; OS: 4; AppSec: 2; PCI: 25

..OS .

..( 8 ) ..


(, , )

And just like an electricity grid, where you would not wire every factory to the same power station, the AWS infrastructure is global, with multiple regions around the globe from which services are available. This means you have control over things like where your applications run, where your data is stored, and where best to serve your customers from.

( !)


Encryption - /

Securing Data at Rest with Encryption.

In transit: HTTPS, SSL/TLS, SSH, VPN

At rest: Object, Database, Filesystem, Disk

To be used for customers with HIPAA requirements. Keep hidden otherwise.

AWS KMS - //

Customer Master Key(s)

Data Key 1

Amazon S3 Object

Amazon EBS Volume

Amazon Redshift Cluster

Data Key 2

Data Key 3

Data Key 4

EBS, S3, Redshift, AWS SDK, AWS CloudTrail; see the KMS Cryptographic Details whitepaper.


AWS Key Management Service

IAM

S3, Redshift, Glacier

EBS, RDS


AWS Key Management Service: Integrated with Amazon EBS

USER

AWS Identity and Access Management (IAM)

AWS . / , , (Role) APIs, AWS ( ) ,

A username for each user

Groups to manage multiple users

Centralized access control

Optional provisions: Password for console access; Policies to control access to AWS APIs

Two methods to sign API calls: X.509 certificate; Access Key ID + Secret Access Key

Multifactor Authentication


Each user can have a specific policy which defines what she can do with AWS. You can pick a policy from the list of predefined ones we offer.
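To make the "each user has a policy that defines what she can do" point concrete, here is an added example (not code from the webinar or from AWS) of a minimal evaluator for IAM-style policy documents. It implements the core IAM decision rule, an explicit Deny beats any Allow and anything not allowed is implicitly denied, with wildcard matching on Action and Resource; conditions, NotAction/NotResource, resource-based policies and SCPs are deliberately left out. The policy documents, bucket names and actions are constructed.

```python
"""Added example: evaluate IAM-style policies for one (action, resource) request.
Policies and ARNs below are constructed; real IAM evaluation has more inputs."""
import json
from fnmatch import fnmatchcase

# A read-only style policy, in the shape of the predefined policies AWS offers.
READ_ONLY_S3 = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
  ]
}
""")

# An explicit deny on one sensitive bucket, attached alongside the allow.
DENY_PAYROLL = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::payroll-secrets", "arn:aws:s3:::payroll-secrets/*"]}
  ]
}
""")


def _as_list(value):
    # Action/Resource may be a single string or a list in a policy document.
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively.
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny ends evaluation immediately
            decision = "Allow"
    return decision


def is_allowed(policies, action, resource):
    return evaluate(policies, action, resource) == "Allow"


if __name__ == "__main__":
    user_policies = [READ_ONLY_S3, DENY_PAYROLL]
    requests = [
        ("s3:GetObject", "arn:aws:s3:::public-data/report.csv"),
        ("s3:PutObject", "arn:aws:s3:::public-data/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::payroll-secrets/salaries.csv"),
    ]
    for action, res in requests:
        print(action, res, "->", evaluate(user_policies, action, res))
```

The three sample requests come out as Allow, ImplicitDeny and Deny respectively. The order in which the two policies are attached does not matter, which is the property that makes an explicit Deny a safe guard rail to attach to a user or group on top of a broad read-only policy.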


NETWORK

AWS Cloud

A

B

AWS Virtual Private Cloud (VPC): IP, EC2

AWS network security: IP Spoofing, 2 EC2

Web

App

DB

Web


Network ACL (NACL)

App

DB

Web

Web

Allow / Deny all traffic / Allow / Allow

EC2 (Security Group)

App

DB

Port 3306

Web

Web

Port 443

Port 443

Port 443 / Port 443 / Port 443 / Deny all traffic

( )
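The three-tier security-group layout on the slide, evaluated locally as an added example (not code from the webinar or from AWS): Web accepts tcp/443 from anywhere, App accepts tcp/443 only from members of the Web group, DB accepts tcp/3306 only from members of the App group, and anything without a matching rule falls through to the default "Deny all traffic". Group ids, addresses and flows are constructed. Security groups are stateful, so only the initiating direction is decided here; return traffic needs no rule. The last function is a small Trusted Advisor style check for rules that are open to 0.0.0.0/0 on ports that are not meant to be public.

```python
"""Added example: security-group decisions for the Web/App/DB layout on the slide.
Group ids, addresses and flows are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp"
    port: int
    source: str  # CIDR, or the id of another security group (sg-...)


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: tuple  # security groups attached to the instance


# Security groups are allow-lists: no matching rule means deny.
SECURITY_GROUPS = {
    "sg-web": (Rule("tcp", 443, "0.0.0.0/0"),),
    "sg-app": (Rule("tcp", 443, "sg-web"),),
    "sg-db":  (Rule("tcp", 3306, "sg-app"),),
}

INSTANCES = {
    "web1": Instance("web1", "10.0.0.10", ("sg-web",)),
    "app1": Instance("app1", "10.0.1.10", ("sg-app",)),
    "db1":  Instance("db1",  "10.0.2.10", ("sg-db",)),
}


def _rule_matches(rule, src_ip, proto, port):
    if rule.proto != proto or rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        # Group-referenced rule: the source must be an instance in that group,
        # regardless of its IP address (this is what keeps App reachable
        # only from Web and DB only from App).
        src = next((i for i in INSTANCES.values() if i.ip == src_ip), None)
        return src is not None and rule.source in src.groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def inbound_allowed(dst_name, src_ip, proto, port):
    """Security-group decision for a new inbound connection to an instance."""
    dst = INSTANCES[dst_name]
    return any(
        _rule_matches(rule, src_ip, proto, port)
        for sg in dst.groups
        for rule in SECURITY_GROUPS[sg]
    )


def unrestricted_rules(allowed_public_ports=frozenset({443})):
    """Trusted Advisor style check: rules open to 0.0.0.0/0 on ports that are
    not meant to be public. Returns (group, port) pairs to review."""
    findings = []
    for sg, rules in SECURITY_GROUPS.items():
        for rule in rules:
            if rule.source == "0.0.0.0/0" and rule.port not in allowed_public_ports:
                findings.append((sg, rule.port))
    return findings


if __name__ == "__main__":
    flows = [("web1", "203.0.113.5", "tcp", 443),   # internet -> web
             ("app1", "203.0.113.5", "tcp", 443),   # internet -> app (denied)
             ("app1", "10.0.0.10", "tcp", 443),     # web -> app
             ("db1", "10.0.1.10", "tcp", 3306),     # app -> db
             ("db1", "10.0.0.10", "tcp", 3306)]     # web -> db (denied)
    for dst, src, proto, port in flows:
        verdict = "allow" if inbound_allowed(dst, src, proto, port) else "deny"
        print(f"{src} -> {dst}:{port}/{proto}: {verdict}")
    print("unrestricted rules:", unrestricted_rules())
```

Referencing a source security group instead of a CIDR is what makes the layout survive instance churn: a new Web instance joining sg-web can reach App immediately, and a compromised Web instance still cannot open a connection to DB because sg-db never mentions sg-web.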


( or DC)

Private

App / On-Prem

DB / Public

Private

Web

Web


AWS Direct Connect

DC

App

/

App

AWS Internet VPN


WEB / WAS

www.a.com

WAF on CloudFront edges: users, safe traffic

Edge Location

Edge Location (59 edges)

WAF

WAF

hackers, bad bots, legitimate traffic; SQL Injection, XSS (cross-site scripting)

AWS WAF

CloudFront edge WAF monitor & filter

edge scaling

CloudFront

SQL injection, XSS


(, , )

Consistent, regular, exhaustive 3rd-party evaluations with commonly understood results. People often ask: can the cloud really support PCI? Yes, many customers are moving to AWS especially for this feature (ex: Vodafone Italy).


The key difference between SOC 2 and SOC 3 reports is that the former contains a detailed description of the service auditor's tests and results of controls as well as the auditor's opinion on the description of the service organization's system. A SOC 3 report provides only the auditor's report on whether the system achieved the trust services criteria. There is no description of tests and results or opinion on the description of the system.

AWS CloudTrail (API)

CloudTrail is your eyes behind the scenes at AWS. It gives you insight into all of the API calls made which are associated with your account(s). It lets you understand the who did what from where, when.

Just a few weeks ago, we added the ability for CloudTrail to record both successful and unsuccessful console logins from your AWS IAM accounts as well. (SNS)


AWS Config

AWS Config (AWS SNS): Troubleshooting, Discovery

AWS Config Rules: AWS Lambda


AWS Config Rules


/ .

SaaS

, AWS . , , , .

AWS Marketplace is an important part of the AWS ecosystem. Through the AWS Marketplace you can buy many of the same tools as you use within your own environments today, all validated and optimized to work in an AWS environment. There are over 200 offerings available, across 7 key technology areas, Advanced Threat Analytics, Application Security, Identity and Access Management, Server & Endpoint Protection, Network Security, Encryption and Key Management, and Vulnerability and Pen Testing.

These are some of our key partners in each of these spaces, and many of you will be running at least a few of these already.

Why customers purchase through Marketplace: fast evaluation and procurement of software; simplifies buying by eliminating the contracting process (no need to get a new vendor approved); on-demand pricing options, annual with hourly option when the customer bursts.


" Redshift . , Redshift 55 .

-- Nate Simmons, Principal Architect
http://aws.amazon.com/cn/solutions/case-studies/nasdaq-finqloud/
http://aws.amazon.com/solutions/case-studies/nasdaq-omx/

S3, EMR, HSM

EMR

What Nasdaq ,

AWS ( Redshift)

Redshift DW.

on-premise HSM, S3, EMR


AWS Security Center: http://aws.amazon.com/security

The main point of this slide is to introduce the fact that AWS takes security very seriously. We dedicate an entire section of our website, the Security and Compliance Center, to communicating with our customers, providing things like: Security and Compliance whitepapers; Security best-practice whitepapers; Security bulletins; Requests for customer penetration testing.

This presentation is a brief overview of the information on this site, please be aware of it and check out the site for more details and information.

Security resources: http://aws.amazon.com/security/security-resources/
AWS Security Blog: http://blogs.aws.amazon.com/security/
AWS Korea blog: https://aws.amazon.com/ko/blogs/korea/

..URL .. (, ) .
