© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
December 8, 2014 | Korea
양승도, Solutions Architect
re:
Job Zero
Network Security
Physical Security
Platform Security
People & Procedures
SHARED
constantly improving
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS is responsible for the security OF the Cloud
GxP
ISO 13485
AS9100
ISO/TS 16949
Shared responsibility
Customers: Customer applications & content
Customers: Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
Customers: Platform, Applications, Identity & Access Management
Customers: Operating System, Network, & Firewall Configuration
Customers have their choice of security configurations IN the Cloud
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS is responsible for the security OF the Cloud
FAMILIAR
VISIBILITY
Visible right now?
You are making API calls on a growing set of services around the world. AWS CloudTrail is continuously recording those API calls and delivering the log files to you.
AWS CLOUDTRAIL: Redshift, AWS CloudFormation, AWS Elastic Beanstalk
Use cases enabled by CloudTrail
AUDITABILITY
Continuous Change Recording
Changing Resources -> AWS Config -> History, Stream, Snapshot (ex. 2014-11-05)
Integrated Support from Our Partner Ecosystem
CONTROL
First class security and compliance starts (but doesn’t end!) with encryption
Automatic encryption with managed keys
Bring your own keys
Dedicated hardware security modules
Encryption & Best Practices with AWS
Managed key encryption
Key storage with AWS CloudHSM
Customer-supplied key encryption
DIY on Amazon EC2
Create, store, & retrieve keys securely
Rotate keys regularly
Securely audit access to keys
Partner enablement of crypto
| | DIY | AWS Marketplace Partner Solution | AWS CloudHSM | AWS Key Management Service |
|---|---|---|---|---|
| Where are keys generated and stored | Your network or in AWS | Your network or in AWS | In AWS, on an HSM that you control | AWS |
| Where keys are used | Your network or your EC2 instance | Your network or your EC2 instance | AWS or your applications | AWS services or your applications |
| How to control key use | Config files, vendor-specific management | Vendor-specific management | Customer code + Safenet APIs | Policy you define; enforced in AWS |
| Responsibility for performance/scale | You | You | You | AWS |
| Integration with AWS services? | Limited | Limited | Limited | Yes |
| Pricing model | Variable | Per hour/per year | Per hour | Per key/usage |
How AWS Services Integrate with AWS Key Management Service
• Two-tiered key hierarchy using envelope encryption
• A unique data key encrypts customer data
• AWS KMS master keys encrypt data keys
• Benefits of envelope encryption:
• Limits the risk of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys than millions of data keys
Diagram: Customer Master Key(s) in AWS KMS wrap Data Key 1 (Amazon S3 Object), Data Key 2 (Amazon EBS Volume), Data Key 3 (Amazon Redshift Cluster) and Data Key 4 (Custom Application)
AWS Key Management Service Reference Architecture
Diagram: Application or AWS Service holds Data Key + Encrypted Data Key and produces Encrypted Data; Master Key(s) in Customer’s Account live inside AWS Key Management Service
1. Application or AWS service client requests an encryption key to use to encrypt data, and passes a
reference to a master key under the account.
2. Client request is authenticated based on whether they have access to use the master key.
3. A new data encryption key is created and a copy of it is encrypted under the master key.
4. Both data key and encrypted data key are returned to the client. Data key is used to encrypt
customer data and then deleted as soon as is practical.
5. Encrypted data key is stored for later use and sent back to AWS KMS when the source data
needs to be decrypted.
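The envelope-encryption bullets and the five-step exchange above, worked through as an added example (not AWS code and not the real KMS API): `fakeKMS` is a constructed stand-in whose master keys never leave it and whose `policy` map plays the role of the key policy enforced in AWS; the key ID `cmk-1` and caller names used by callers are assumed placeholders.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")
// seal/open: AES-256-GCM with a random 12-byte nonce prefixed to the ciphertext; open verifies the tag.
func seal(key, pt []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(b) // NewGCM cannot fail for an AES block
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}
func open(key, ct []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 { return nil, errors.New("bad key or ciphertext") }
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, ct[:12], ct[12:], nil)
}
// fakeKMS is a constructed stand-in for AWS KMS: master keys never leave it; master() is the step-2 policy check.
type fakeKMS struct{ masterKeys map[string][]byte; policy map[string]map[string]bool } // keyID -> master key; keyID -> allowed callers
func (k *fakeKMS) master(keyID, caller string) ([]byte, error) {
	if m, ok := k.masterKeys[keyID]; ok && k.policy[keyID][caller] { return m, nil }
	return nil, errors.New("access denied to master key " + keyID)
}
func (k *fakeKMS) GenerateDataKey(keyID, caller string) (dk, encKey []byte, err error) { // steps 1-4
	m, err := k.master(keyID, caller)
	if err != nil { return nil, nil, err }
	dk = make([]byte, 32)
	if _, err = rand.Read(dk); err != nil { return nil, nil, err }
	encKey, err = seal(m, dk) // the wrapped copy is the only form the client may persist
	return dk, encKey, err
}
func (k *fakeKMS) Decrypt(keyID, caller string, encKey []byte) ([]byte, error) { // step 5: unwrap a stored data key
	m, err := k.master(keyID, caller)
	if err != nil { return nil, err }
	return open(m, encKey)
}
// Client side: encrypt with the data key, zero it at once, store only the wrapped copy next to the data.
func EnvelopeEncrypt(k *fakeKMS, keyID, caller string, data []byte) (ct, encKey []byte, err error) {
	dk, encKey, err := k.GenerateDataKey(keyID, caller)
	if err != nil { return nil, nil, err }
	ct, err = seal(dk, data)
	for i := range dk { dk[i] = 0 } // plaintext data key deleted as soon as practical (step 4)
	return ct, encKey, err
}
func EnvelopeDecrypt(k *fakeKMS, keyID, caller string, ct, encKey []byte) ([]byte, error) {
	dk, err := k.Decrypt(keyID, caller, encKey)
	if err != nil { return nil, err }
	return open(dk, ct)
}
```

A compromised data key exposes one object only, and a caller outside the policy cannot unwrap any stored data key, which is the risk-limiting property the bullets above describe.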
Nasdaq is a great example of security excellence in the cloud
Nasdaq Use Case Requirements
Replace on-premises data warehouse while keeping equivalent schemas and data
Only one year of capacity remaining
4-8 billion rows of new information stored daily (stock trading)
Must cost less than existing system
Must satisfy multiple security and regulatory audits
Must perform similarly to legacy warehouse under concurrent query load
AWS’s ability to satisfy multiple security and regulatory audits was critical to Nasdaq’s migrating its data warehouse to AWS
Nasdaq Data Warehouse Implementation
Pull data from numerous sources, validate data, and securely load into Redshift
Nasdaq Security Best Practices
AWS CloudTrail to monitor and audit environment
Network isolation with Amazon VPC and AWS Direct Connect
Encryption in flight using TLS and Amazon Redshift JDBC connections
Encryption at rest with Amazon S3 (client-side, AES-256) with Amazon Redshift cluster encryption enabled and AWS CloudHSM
AWS CloudHSM integration was critical to Nasdaq adoption of AWS
AGILITY
Agility: Self-service, Time to market (Developers); Control, Visibility, Compliance (IT)
Developers: Use a personalized portal to find & launch services
IT: Create custom services and grant access to developers
Providing Developers fast provisioning
IT: Create and manage portfolio; Add custom products and services; Grant access to developers
Developers: Find and launch services; Automate provisioning; Manage AWS resources
Achieving self-service with IT approval
Diagram: Administrator (1) creates portfolio, (2) authors AWS CloudFormation template, (3) creates product (ProductX, ProductY, ProductZ), (4) adds constraints and grants access; Users (5) browse products, (6) launch products, (7) deploy stacks; (8) notifications go to both administrator and users
Simple Security Controls
BETTER OFF IN AWS