© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing Your Virtual Data Center in the Cloud (NET210)
Alan Halachmi, Senior Manager, Solutions Architecture, AWS Worldwide Public Sector
Becky Weiss, Senior Principal Engineer, AWS Identity
Agenda
Master the fundamentals of AWS security:
• Learn how Identity and Access Management (IAM) enforces your authorization rules
• Learn how Virtual Private Cloud (VPC) lets you apply the principle of least privilege to your network connectivity
This is an interactive session: we want to be interrupted! Ask questions, talk about your workloads.
Our example workload
Diagram: an Application Load Balancer in front of backend EC2 instances; the instances use an RDS database, Amazon S3 and Amazon CloudWatch Logs.
Lock down traffic patterns with security groups
Diagram: the same workload (Application Load Balancer, backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs). Ports labelled on the diagram: 8443 (HTTPS) to the backend EC2 instances, 3306 (MySQL) to the RDS database, 443 (HTTPS) to Amazon S3 and Amazon CloudWatch Logs.
Security groups in the diagram:
• sg-08eec15c2101526a1
• sg-0bbef9ea1db9d2ddf
• sg-0b0a4f8118aa5d450
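The slide only shows three group IDs and three ports, so here is an added example (not code from the deck) that models one way those groups could be written and checks which flows they admit. The rule set is an assumption: the ALB group admits HTTPS from anywhere, the backend group admits 8443 only from members of the ALB group, and the database group admits 3306 only from members of the backend group. Naming another group as the source, rather than a CIDR, is what keeps the backend unreachable from anything that is not the load balancer, even inside the VPC.

```python
"""Added example, not part of the NET210 deck: a model of the three security
groups on the slide and a check of which flows they admit.

Assumption: the rules below are a plausible reconstruction; the slide shows only
the group IDs and the ports. Where possible each rule names another security
group as its source, so group membership, not IP address, decides who may talk.
"""
import ipaddress
from dataclasses import dataclass, field

ALB_SG = "sg-08eec15c2101526a1"   # IDs as printed on the slide
APP_SG = "sg-0bbef9ea1db9d2ddf"
DB_SG = "sg-0b0a4f8118aa5d450"


@dataclass(frozen=True)
class Rule:
    port_from: int
    port_to: int
    source: str          # another group's ID, or a CIDR block
    proto: str = "tcp"


@dataclass
class SecurityGroup:
    sg_id: str
    ingress: list = field(default_factory=list)


GROUPS = {
    # ALB: HTTPS from the internet (assumed; the slide does not show the listener's source)
    ALB_SG: SecurityGroup(ALB_SG, [Rule(443, 443, "0.0.0.0/0")]),
    # Backend: 8443 only from members of the ALB's group
    APP_SG: SecurityGroup(APP_SG, [Rule(8443, 8443, ALB_SG)]),
    # RDS: MySQL only from members of the backend group
    DB_SG: SecurityGroup(DB_SG, [Rule(3306, 3306, APP_SG)]),
}


def _source_matches(rule_source, src_sg, src_ip):
    if rule_source.startswith("sg-"):
        return src_sg == rule_source
    return src_ip is not None and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source)


def ingress_allowed(dest_sg, port, src_sg=None, src_ip=None, proto="tcp", groups=GROUPS):
    """Security groups are allow-lists and stateful: a packet is admitted only if
    some inbound rule on the destination's group matches it; replies need no rule."""
    for rule in groups[dest_sg].ingress:
        if (rule.proto in (proto, "-1") and rule.port_from <= port <= rule.port_to
                and _source_matches(rule.source, src_sg, src_ip)):
            return True
    return False


def world_open(groups=GROUPS):
    """Return (group, port_from, port_to) for every rule that admits 0.0.0.0/0.
    In this design only the ALB's HTTPS listener should appear."""
    exposed = []
    for sg in groups.values():
        for rule in sg.ingress:
            if not rule.source.startswith("sg-") and ipaddress.ip_network(rule.source).prefixlen == 0:
                exposed.append((sg.sg_id, rule.port_from, rule.port_to))
    return exposed


if __name__ == "__main__":
    print("ALB -> backend:8443     ", ingress_allowed(APP_SG, 8443, src_sg=ALB_SG))
    print("ALB -> RDS:3306         ", ingress_allowed(DB_SG, 3306, src_sg=ALB_SG))
    print("internet -> backend:8443", ingress_allowed(APP_SG, 8443, src_ip="203.0.113.5"))
    print("open to the world:      ", world_open())
```

The same shape of check is worth running against real `describe-security-groups` output: anything `world_open` reports other than the load balancer's listener is a rule that bypasses the chain the slide is drawing.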
Controlling traffic into and out of your VPC
Diagram: the same workload, with each subnet's route table shown. One route table carries a route for 0.0.0.0/0 to an Internet Gateway; a subnet has a path to the internet only if its route table contains such a route.
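The slide's point is that the route table, not the instance, decides whether a subnet can reach the internet. The added example below (not code from the deck) classifies subnets from data in the shape of `aws ec2 describe-route-tables` output; every ID and CIDR in it is constructed for the example. It also covers the trap a diagram hides: a subnet with no explicit association silently uses the VPC's main route table, so a default route on the main table exposes every subnet nobody remembered to associate.

```python
"""Added example, not part of the NET210 deck: decide which subnets have a path
to the internet from their route tables. The input mimics the shape of
`aws ec2 describe-route-tables`; all IDs and CIDRs below are constructed."""

VPC_CIDR = "10.0.0.0/16"   # constructed

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-alb"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-app"}, {"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                # a gateway endpoint route for S3 targets a prefix list, not a CIDR
                {"DestinationPrefixListId": "pl-s3-example",
                 "GatewayId": "vpce-0123456789abcdefg"}]},
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],   # every subnet without its own association lands here
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
]
# constructed list of the VPC's subnets; "subnet-forgotten" has no association
SUBNETS = ["subnet-alb", "subnet-app", "subnet-db", "subnet-forgotten"]


def _route_target(route):
    """Routes name their target under different keys depending on its type."""
    for key in ("GatewayId", "NatGatewayId", "TransitGatewayId",
                "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId"):
        if key in route:
            return route[key]
    return None


def classify_route_table(table):
    """'public' if 0.0.0.0/0 points at an internet gateway, 'nat' if it points
    at a NAT gateway (outbound only), 'isolated' if there is no default route,
    'other' for anything else (a transit gateway, an appliance ENI); inspect those by hand."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        target = _route_target(route) or ""
        if target.startswith("igw-"):
            return "public"
        if target.startswith("nat-"):
            return "nat"
        return "other"
    return "isolated"


def table_for_subnet(route_tables, subnet_id):
    """Explicit association wins; otherwise the VPC's main table applies."""
    main = None
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_subnets(route_tables, subnet_ids):
    return {s: classify_route_table(table_for_subnet(route_tables, s)) for s in subnet_ids}


def exposed_subnets(route_tables, subnet_ids):
    """Subnets that can receive inbound connections from the internet."""
    return sorted(s for s, kind in classify_subnets(route_tables, subnet_ids).items()
                  if kind == "public")


if __name__ == "__main__":
    for subnet, kind in classify_subnets(ROUTE_TABLES, SUBNETS).items():
        print(f"{subnet:18} {kind}")
```

With the constructed data only `subnet-alb` is public, the two backend subnets are isolated (their only non-local route is the S3 gateway endpoint), and the unassociated subnet inherits the main table's NAT route, which is exactly the kind of surprise the check is for.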
Authorizing access to AWS resources from EC2
Diagram: the backend EC2 instances call Amazon S3 and Amazon CloudWatch Logs; the question is which IAM policy authorizes those calls.
The ABCs of IAM
• I: Identity. IAM lets you create principals in your AWS account who can make authenticated requests to AWS.
• AM: Access Management. IAM is your tool for defining who has permission to do what to which resources in AWS.
• IAM is the AWS-wide permissions control system, so you need to know it.
I is for Identity: humans → IAM users
Diagram: each human user maps to an IAM user, and each IAM user holds a long-term security credential.
I is for Identity: humans with external identities → IAM roles
Diagram: corporate identities (developers and analysts) authenticate with a corporate identity provider and then assume an IAM role in the account (IAM Role: Developers, IAM Role: Analysts). The humans receive temporary credentials through the role; no long-term AWS credential is issued to them.
I is for Identity: robots → IAM roles
Diagram: an EC2 instance and a Lambda function each run with an IAM role, so the code obtains temporary credentials instead of embedding a long-term key.
AM is for Authorization
Where does IAM policy matter?
Everywhere in AWS.
For an authenticated call to succeed:
• The request must carry a valid signature for an IAM principal
• IAM policy must explicitly allow the call, and no applicable policy may explicitly deny it; the default is deny
IAM administrator policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
In English: whoever has this policy can do everything, subject only to explicit denies elsewhere (a resource policy, a permissions boundary or an organization-level policy).
Writing granular IAM policies
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::my-example-workload-bucket/config.txt"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:us-east-2:111122223333:log-group:MyLogGroup",
        "arn:aws:logs:us-east-2:111122223333:log-group:MyLogGroup:*"
      ]
    }
  ]
}
In English: allowed to read one particular object from Amazon S3 and to write to one particular CloudWatch Logs group (the second ARN, with the trailing :*, covers the log streams inside that group).
Identity-based policies
Attached to an IAM user, group or role; they state what that principal may do. The role policy that follows is one.
Resource-based policies
Attached to the resource itself and carrying a Principal element; the VPC endpoint policy and the S3 bucket policy that follow are examples.
Authorizing access to AWS resources from EC2
Diagram: Application Load Balancer, backend EC2 instances, RDS database, Amazon S3, and the subnet route table through which the instances reach S3.
Role policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-example-workload-bucket/*"
    }
  ]
}
In English: allowed to read and write objects in a specific S3 bucket.
Step 1 result
Diagram: access from the Corporate Office, the Secure VPC and Some Other VPC, with only the role policy in place.
VPC endpoint policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-example-workload-bucket/*",
      "Principal": "*"
    }
  ]
}
In English: through this VPC endpoint, only reads and writes of objects in this specific S3 bucket are allowed. An endpoint policy grants nothing by itself: the caller still needs an identity-based policy that allows the action, and requests that do not pass through this endpoint are unaffected by it.
Step 2 result
Diagram: access from the Corporate Office, the Secure VPC and Some Other VPC, with the role policy and the VPC endpoint policy in place.
S3 bucket policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::my-example-workload-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdefg"
        }
      },
      "Principal": "*"
    }
  ]
}
In English: deny reads and writes of objects in this specific bucket unless the request arrives through the specific VPC endpoint. Because StringNotEquals also matches when aws:SourceVpce is absent from the request, the Deny covers every path that uses no endpoint at all, such as the corporate office. It applies to every principal, administrators included, so any maintenance access that does not go through the endpoint needs its own exclusion in the condition.
Step 3 result
Diagram: access from the Corporate Office, the Secure VPC and Some Other VPC, with the role policy, the VPC endpoint policy and the bucket policy in place.
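The three policies above only make sense together, and the deck's "Step N result" diagrams are the outcome of combining them. The added example below (not code from the deck) is a small evaluator that applies the policies exactly as printed on the slides (the administrator policy, the role policy, the VPC endpoint policy and the bucket policy) to a request from each of the three origins shown. The evaluation rules it models are an assumption stated in the docstring: same-account principal, explicit Deny anywhere wins, otherwise the identity policy or the bucket policy must Allow, and the endpoint's policy must Allow whatever passes through it; an endpoint with no policy of its own gets the full-access default. The other VPC's endpoint ID and the second bucket name are hypothetical.

```python
"""Added example, not part of the NET210 deck: model how the deck's policies
combine for one S3 request. Assumed semantics (same-account principal):
  1. an explicit Deny in any applicable policy wins;
  2. otherwise the identity (role) policy or the bucket policy must Allow;
  3. if the request travels through a VPC endpoint, that endpoint's policy must Allow too.
Only the StringEquals / StringNotEquals condition operators are implemented."""
import fnmatch

BUCKET = "arn:aws:s3:::my-example-workload-bucket"
OUR_VPCE = "vpce-0123456789abcdefg"          # the endpoint ID from the bucket policy slide

ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"}]}
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET + "/*", "Principal": "*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": OUR_VPCE}}, "Principal": "*"}]}
# An endpoint carries a full-access policy until you replace it.
DEFAULT_ENDPOINT_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*", "Principal": "*"}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(patterns, value, fold_case):
    # Action names are case-insensitive; ARNs (and S3 keys) are case-sensitive.
    value = value.lower() if fold_case else value
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # A missing key counts as "not equal": the condition holds and a Deny fires.
                if actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _effects(policy, action, resource, ctx):
    """Set of Effects from statements whose Action, Resource and Condition all match."""
    return {st["Effect"] for st in policy["Statement"]
            if _matches(st["Action"], action, True) and _matches(st["Resource"], resource, False)
            and _condition_holds(st.get("Condition", {}), ctx)}


def is_allowed(action, resource, ctx, identity_policy, bucket_policy=None, endpoint_policies=None):
    ident = _effects(identity_policy, action, resource, ctx)
    bucket = _effects(bucket_policy, action, resource, ctx) if bucket_policy else set()
    vpce = ctx.get("aws:SourceVpce")
    endpoint = set()
    if vpce:
        policy = (endpoint_policies or {}).get(vpce, DEFAULT_ENDPOINT_POLICY)
        endpoint = _effects(policy, action, resource, ctx)
    if "Deny" in ident | bucket | endpoint:
        return False
    if vpce and "Allow" not in endpoint:
        return False
    return "Allow" in ident or "Allow" in bucket


# Request contexts for the three origins on the "Step N result" slides.
PATHS = {
    "secure-vpc": {"aws:SourceVpce": OUR_VPCE},
    "corporate-office": {},                                         # no endpoint on the path
    "some-other-vpc": {"aws:SourceVpce": "vpce-0other000000000"},  # hypothetical endpoint ID
}
OBJECT = BUCKET + "/config.txt"
OTHER_OBJECT = "arn:aws:s3:::some-other-bucket/data.csv"        # hypothetical bucket


def deck_steps():
    """Can each origin read config.txt with the role's credentials after each step?"""
    step1 = dict(identity_policy=ROLE_POLICY)
    step2 = dict(step1, endpoint_policies={OUR_VPCE: ENDPOINT_POLICY})
    step3 = dict(step2, bucket_policy=BUCKET_POLICY)
    return {name: {path: is_allowed("s3:GetObject", OBJECT, ctx, **cfg) for path, ctx in PATHS.items()}
            for name, cfg in (("step1", step1), ("step2", step2), ("step3", step3))}


def endpoint_confines_admin():
    """What step 2 changes: an administrator inside the Secure VPC can read any bucket
    through an endpoint with the default policy, but only the workload bucket once the
    endpoint policy is attached. Returns (before, after)."""
    ctx = PATHS["secure-vpc"]
    before = is_allowed("s3:GetObject", OTHER_OBJECT, ctx, ADMIN_POLICY)
    after = is_allowed("s3:GetObject", OTHER_OBJECT, ctx, ADMIN_POLICY,
                       endpoint_policies={OUR_VPCE: ENDPOINT_POLICY})
    return before, after


if __name__ == "__main__":
    for step, results in deck_steps().items():
        print(step, results)
    print("admin reads another bucket via endpoint (before, after):", endpoint_confines_admin())
```

Read against the slides: after step 1 the role's credentials work from all three origins, since nothing ties them to the network; step 2 changes nothing for this role (its policy is already narrower than the endpoint policy) but it is what stops a broader principal from using the Secure VPC's endpoint to reach other buckets; step 3 is the one that finally shuts out the corporate office and the other VPC, because the bucket itself now refuses anything that did not arrive through vpce-0123456789abcdefg.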
Permissions policies
Permissions boundary
A permissions boundary is a managed policy that caps the maximum permissions an identity-based policy can grant to a user or role; the effective permissions are the intersection of the two, so a boundary can narrow but never add.
Some final, interesting uses of IAM
Example: SSH access to EC2 instances
• VPC security controls used:
  • Security groups
  • Routing for least privilege
Diagram: an Availability Zone containing an SSH bastion instance and the EC2 instances; port 22 (SSH) into the bastion, and port 22 (SSH) from the bastion to the instances.
$ echo "hello world"
Example: IAM-controlled SSH access to EC2 instances
• Makes use of SSM Session Manager
• IAM controls used:
  • Permissions for users to SSH to specific instances or groups of instances
• VPC security controls used:
  • Security groups
  • VPC endpoints to SSM
Diagram: an Availability Zone containing the EC2 instances, reached through Amazon EC2 Systems Manager rather than through an inbound SSH port.
$ echo "hello world"
Example: Securing serverless workloads
Diagram: Amazon API Gateway, Lambda functions, Amazon DynamoDB, and an Amazon DynamoDB Accelerator (DAX) cluster on port 8111.
Serverless workload with in-VPC components.
IAM controls used:
• Least-privilege access on the IAM roles for the Lambda function and the DAX cluster
• Lambda functions allow invocation by API Gateway
• VPC endpoint policies for DynamoDB
VPC security controls used:
• Security groups
• VPC endpoint for DynamoDB
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018
 
Orchestrating containers on AWS | AWS Floor28
Orchestrating containers on AWS | AWS Floor28Orchestrating containers on AWS | AWS Floor28
Orchestrating containers on AWS | AWS Floor28
 
Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...
Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...
Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS re:Invent 2018

  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Securing Your Virtual Data Center in the Cloud (NET210)
    Alan Halachmi, Senior Manager, Solutions Architecture, AWS Worldwide Public Sector
    Becky Weiss, Senior Principal Engineer, AWS Identity
  • 3. Agenda
    Master the fundamentals of AWS security:
    • Learn how Identity and Access Management (IAM) enforces your authorization rules
    • Learn how Virtual Private Cloud (VPC) lets you apply the principle of least privilege to your network connectivity
    This is an interactive session: We want to be interrupted! Ask questions, talk about your workloads.
  • 4–7. Our example workload: Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs
  • 8. Thank you! Alan Halachmi & Becky Weiss, AWS
  • 12. Lock down traffic patterns with security groups
    Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs
    Port 8443 (HTTPS), Port 3306 (MySQL), Port 443 (HTTPS)
  • 13. Lock down traffic patterns with security groups
    Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs
    Port 8443 (HTTPS), Port 3306 (MySQL), Port 443 (HTTPS)
    Security Group sg-08eec15c2101526a1, Security Group sg-0bbef9ea1db9d2ddf, Security Group sg-0b0a4f8118aa5d450
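Slides 12 and 13 describe the intended traffic pattern (each tier's security group admits only the upstream tier on one port) but show it only as a diagram. The following is an added example, not code from the deck: an offline audit that compares security-group ingress rules against that intended pattern. The rule document is constructed in the shape of the EC2 DescribeSecurityGroups response; the group IDs are the three printed on slide 13, but which ID belongs to which tier, and that port 8443 is the load balancer to backend hop, are assumptions made here.

```python
# Added example (not from the NET210 deck): audit security-group ingress against the
# intended tier-to-tier pattern from slides 12 and 13.
ALB_SG = "sg-08eec15c2101526a1"   # slide 13 IDs; tier assignment is an assumption
APP_SG = "sg-0bbef9ea1db9d2ddf"
DB_SG = "sg-0b0a4f8118aa5d450"

# Intended ingress per group: (protocol, from_port, to_port, source). Sources are
# security-group IDs, not CIDRs, so membership in a tier is what grants access.
EXPECTED = {
    APP_SG: {("tcp", 8443, 8443, ALB_SG)},   # backend accepts HTTPS only from the ALB
    DB_SG: {("tcp", 3306, 3306, APP_SG)},    # database accepts MySQL only from the backend
}

# Constructed sample in DescribeSecurityGroups shape. The DB group carries one extra
# rule (MySQL open to 0.0.0.0/0) that the audit should flag.
SECURITY_GROUPS = [
    {"GroupId": APP_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]},
    {"GroupId": DB_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

WORLD = {"0.0.0.0/0", "::/0"}


def ingress_rules(group):
    """Flatten one group's IpPermissions into (protocol, from, to, source) tuples.
    A source is either a referenced security-group ID or a CIDR block."""
    rules = set()
    for perm in group["IpPermissions"]:
        proto = perm["IpProtocol"]
        # IpProtocol "-1" means every protocol and carries no port range
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        sources = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            rules.add((proto, lo, hi, src))
    return rules


def audit(groups, expected):
    """Return {group_id: {"unexpected": [...], "missing": [...]}} for every audited
    group whose actual ingress differs from the intended set."""
    findings = {}
    for group in groups:
        gid = group["GroupId"]
        if gid not in expected:
            continue
        actual = ingress_rules(group)
        extra, missing = actual - expected[gid], expected[gid] - actual
        if extra or missing:
            findings[gid] = {"unexpected": sorted(extra), "missing": sorted(missing)}
    return findings


def world_reachable(groups):
    """List (group_id, rule) pairs whose source is the whole internet."""
    return [(g["GroupId"], rule) for g in groups
            for rule in sorted(ingress_rules(g)) if rule[3] in WORLD]


if __name__ == "__main__":
    for gid, finding in audit(SECURITY_GROUPS, EXPECTED).items():
        print(gid, finding)
    print("world-reachable:", world_reachable(SECURITY_GROUPS))
```

The audit is deliberately strict in both directions: a rule that is present but not intended is a finding, and so is an intended rule that is missing, since a silently dropped rule usually means the application team will open something broader to get traffic flowing again.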
  • 15–17. Controlling traffic into and out of your VPC
    Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs
  • 18. Controlling traffic into and out of your VPC
    Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs
    subnet, Route table, Internet Gateway, Route for 0.0.0.0/0
  • 19. Controlling traffic into and out of your VPC
    Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs
    two subnets, each with a Route table; Internet Gateway; Route for 0.0.0.0/0
  • 20. Authorizing access to AWS resources from EC2
    Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs
    two subnets, each with a Route table; Route for 0.0.0.0/0
  • 21–23. Authorizing access to AWS resources from EC2
    Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs
    subnet, Route table
  • 25. Authorizing access to AWS resources from EC2
    Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs
  • 26. The ABCs of IAM
    • I: Identity. IAM lets you create Principals in your AWS account who can make authenticated requests to AWS.
    • AM: Access Management. IAM is your tool for defining who has permissions to do what to which resources in IAM.
    • IAM is the AWS-wide permissions control system. So you need to know it.
  • 27. I is for Identity: Humans → IAM users
    Each human user maps to an IAM user holding a long-term security credential.
  • 28. I is for Identity: Humans with external identities → IAM roles
    Corporate identities (analysts) → IAM Role: Analysts; Corporate identities (developers) → IAM Role: Developers; federated through the Corporate Identification Provider
  • 29. AM is for Authorization
  • 30. I is for Identity: Robots → IAM roles
    EC2 instance → IAM Role; Lambda function → IAM Role
  • 31. AM is for Authorization
  • 32. Where does IAM Policy matter? Everywhere in AWS. For an authenticated call to succeed:
    • The request must have a valid signature for an IAM principal
    • IAM policy must specifically authorize the call
  • 33. IAM Administrator Policy
    {
      "Version": "2012-10-17",
      "Statement": [
        { "Effect": "Allow", "Action": "*", "Resource": "*" }
      ]
    }
    In English: Whoever has this policy can do everything*
  • 34. Authorizing access to AWS resources from EC2
    Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3, Amazon CloudWatch Logs
  • 35. Writing granular IAM Policies
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "s3:GetObject" ],
          "Resource": "arn:aws:s3:::my-example-workload-bucket/config.txt"
        },
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogStreams"
          ],
          "Resource": [
            "arn:aws:logs:us-east-2:111122223333:log-group:MyLogGroup",
            "arn:aws:logs:us-east-2:111122223333:log-group:MyLogGroup:*"
          ]
        }
      ]
    }
    In English: Allowed to read one particular object from Amazon S3 and write to one particular CloudWatch Logs Group
  • 37–38. Identity-based policies
  • 39. Resource-based policies
  • 40. Authorizing access to AWS resources from EC2
    Application Load Balancer, Backend EC2 instances, RDS database, Amazon S3; subnet, Route table
  • 41. Role policy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [ "s3:GetObject", "s3:PutObject" ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::my-example-workload-bucket/*"
        }
      ]
    }
    In English: Allowed to read and write objects to a specific S3 bucket
  • 42. Step 1 Result: Corporate Office, Secure VPC, Some Other VPC
  • 43. VPC endpoint policy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [ "s3:GetObject", "s3:PutObject" ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::my-example-workload-bucket/*",
          "Principal": "*"
        }
      ]
    }
    In English: Allowed to read and write objects to a specific S3 bucket through this VPC Endpoint
  • 44. Step 2 Result: Corporate Office, Secure VPC, Some Other VPC
  • 45. S3 bucket policy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [ "s3:GetObject", "s3:PutObject" ],
          "Effect": "Deny",
          "Resource": "arn:aws:s3:::my-example-workload-bucket/*",
          "Condition": {
            "StringNotEquals": { "aws:SourceVpce": "vpce-0123456789abcdefg" }
          },
          "Principal": "*"
        }
      ]
    }
    In English: Deny read and write for the specific bucket, unless the specific VPC Endpoint is used
  • 46. Step 3 Result: Corporate Office, Secure VPC, Some Other VPC
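Slides 41 to 46 layer three policies (role policy, VPC endpoint policy, bucket policy) and show, as pictures, who can still reach the bucket after each step. The following is an added example, not code from the deck and not AWS's evaluator: a small offline model of the documented evaluation rules (an explicit Deny beats any Allow; a same-account request needs an Allow from the identity policy or the resource policy; a request that traverses a VPC endpoint must also be allowed by that endpoint's policy; a negated string condition on a missing context key evaluates to true) applied to the three policy documents exactly as printed. The three callers, the role ARN, the other VPC's endpoint ID and the assumption that the other VPC's endpoint keeps the default full-access endpoint policy are all constructed here.

```python
# Added example (not from the NET210 deck): a simplified model of how the role policy
# (slide 41), endpoint policy (slide 43) and bucket policy (slide 45) combine.
from fnmatch import fnmatchcase

BUCKET = "my-example-workload-bucket"                 # from the slides
SECURE_VPCE = "vpce-0123456789abcdefg"                # from slide 45
OTHER_VPCE = "vpce-0fedcba9876543210"                 # constructed: endpoint in "Some Other VPC"
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleWorkloadRole"  # constructed role name

ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{            # slide 41
    "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

SECURE_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{  # slide 43
    "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
    "Resource": f"arn:aws:s3:::{BUCKET}/*", "Principal": "*"}]}

DEFAULT_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{  # assumption: other VPC's endpoint
    "Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}]}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{          # slide 45
    "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Deny",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringNotEquals": {"aws:SourceVpce": SECURE_VPCE}},
    "Principal": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_ok(stmt, principal):
    # Identity-based policies carry no Principal; resource policies name ARNs or "*"
    p = stmt.get("Principal", "*")
    if p == "*":
        return True
    return principal in _as_list(p.get("AWS", []) if isinstance(p, dict) else p)


def _conditions_ok(condition, context):
    # Only the two operators the slides need. Missing keys follow IAM semantics:
    # StringEquals fails, StringNotEquals succeeds.
    for op, pairs in condition.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(op)
        for key, expected in pairs.items():
            actual = context.get(key)
            matches = actual is not None and actual in _as_list(expected)
            if (op == "StringEquals") != matches:
                return False
    return True


def evaluate(policy, request):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document."""
    outcome = None
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_ok(stmt, request["principal"]):
            continue
        if not _conditions_ok(stmt.get("Condition", {}), request["context"]):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                 # an explicit Deny overrides every Allow
        outcome = "Allow"
    return outcome


def authorize(request, identity_policy, endpoint_policy=None, resource_policy=None):
    """Simplified same-account decision: any explicit Deny wins; otherwise the identity
    or resource policy must Allow, and an endpoint on the path must also Allow."""
    results = [evaluate(identity_policy, request)]
    if resource_policy is not None:
        results.append(evaluate(resource_policy, request))
    if "Deny" in results:
        return "Deny"
    if endpoint_policy is not None and evaluate(endpoint_policy, request) != "Allow":
        return "Deny"
    return "Allow" if "Allow" in results else "Deny"


# Constructed callers matching the three boxes on the "Step N Result" slides.
CALLERS = {
    "Corporate Office": {"endpoint": None, "context": {}},              # reaches S3 over the internet
    "Secure VPC": {"endpoint": SECURE_ENDPOINT_POLICY, "context": {"aws:SourceVpce": SECURE_VPCE}},
    "Some Other VPC": {"endpoint": DEFAULT_ENDPOINT_POLICY, "context": {"aws:SourceVpce": OTHER_VPCE}},
}


def step_result(step, action="s3:GetObject", key="config.txt"):
    """Decision per caller after step 1 (role policy), 2 (+ endpoint policy), 3 (+ bucket policy)."""
    out = {}
    for name, caller in CALLERS.items():
        request = {"principal": ROLE_ARN, "action": action,
                   "resource": f"arn:aws:s3:::{BUCKET}/{key}", "context": caller["context"]}
        out[name] = authorize(request, ROLE_POLICY,
                              endpoint_policy=caller["endpoint"] if step >= 2 else None,
                              resource_policy=BUCKET_POLICY if step >= 3 else None)
    return out


if __name__ == "__main__":
    for step in (1, 2, 3):
        print(f"Step {step}:", step_result(step))
```

Under this model, steps 1 and 2 leave every holder of the role's credentials able to read the bucket, because both policies only grant; the bucket policy in step 3 is what makes the network path part of the decision, and a caller with valid credentials but no matching aws:SourceVpce (including one with no endpoint at all) is denied. Actions outside the role policy, such as s3:DeleteObject, are denied at every step, since nothing allows them.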
  • 47. Permissions policies
  • 48. Permissions boundary
  • 49. Some final, and interesting uses of IAM
  • 51. Example: SSH access to EC2 instances
    • VPC security controls used:
      • Security groups
      • Routing for least privilege
    Diagram: Availability Zone with EC2 instances reached through an SSH bastion instance; Port 22 (SSH) to the bastion, Port 22 (SSH) from the bastion to the instances; $ echo "hello world"
  • 52. Example: IAM-controlled SSH access to EC2 instances
    • Makes use of SSM Session Manager
    • IAM controls used:
      • Permissions for users to SSH to specific instances or groups
    • VPC security controls used:
      • Security groups
      • VPC endpoints to SSM
    Diagram: Availability Zone with EC2 instances reached through Amazon EC2 Systems Manager; $ echo "hello world"
  • 53. Example: Securing serverless workloads
    Amazon API Gateway, Lambda functions, Amazon DynamoDB, Amazon DynamoDB Accelerator (DAX); serverless workload with in-VPC components
    IAM controls used:
      • Least-privilege access on IAM Roles for Lambda function and DAX cluster
      • Lambda functions allow invocation by API Gateway
      • VPC endpoint policies for DynamoDB
    VPC security controls used:
      • Security groups
      • VPC endpoint for DynamoDB; DAX on Port 8111