LIVE - AWS Security Architecture | Cloud Security | InfosecTrain

Captions
Hello everyone, welcome to InfosecTrain. My name is Krish and I'll be the speaker for this webinar. This webinar is about the AWS security architecture. It's actually about the various kinds of security strategies in AWS and the services which we can use from different perspectives to understand how to enforce security in AWS. This is going to be an overview session, in which you will be able to understand various kinds of AWS services, their functionalities, their features and all.

Team, about my profile, for those people who don't know me: my name is Krish and I have worked in the industry for the last 16 plus years on various domains. Especially, I was a guy who was working completely on open source and Linux and those kinds of things, and from 2010 onwards I have been working in cloud computing, specifically focusing on cloud security governance and cloud security architecture, mostly in AWS. I'm a trainer as well as a consultant for a lot of companies worldwide, and I support a lot of companies on their cloud transition and securing their cloud infrastructure. That's about my profile, team.

The agenda for this webinar is very simple, team. It's about how we can basically talk about security when we talk about a cloud platform, specifically AWS: what exactly is a defense in depth approach and how this is possible in the AWS cloud platform. Then we'll discuss identity, network, traceability and data architecture; actually these four are the main factors which we have to understand when we talk about security. Then we have an incident response strategy: let's say an incident happens, how we have to have a strategy to respond to it. And then we will have a question session also, where you can ask your queries and I'll be responding to that. That's about the agenda, team.

The first thing I want to tell you on this particular security topic is that whenever you go to the cloud platform, a lot of factors are there which can affect your business, which can give you advantages, which can give you some risk and all. For example, we have a word called security, we have a word called data, we have a word called functionality; a lot of things are there. We talk about availability, security, data, functionality, a lot of things like that. Out of these things, when we talk about the word security, security is the primary word which actually gives us the maximum concern. Why? Because we can't say that okay, security is something which is completely the responsibility of the cloud service provider, or that security is the responsibility of the cloud service consumer. So basically what happens is, it's the provider and the consumer actually.

So what happens is, let's say for example if you go to any cloud platform, like if you go to AWS or Azure or GCP, or even if you're on an on-premises cloud platform, definitely in the cloud platform there is one very important risk which you cannot mitigate. The risk is called multi-tenancy. This risk is there but you cannot mitigate it, because this risk will always be there. For example, I go to AWS. If I go to AWS, what happens is, in the AWS architecture or Azure architecture or any cloud platform, you are sharing your infrastructure with multiple customers. For example, you're sharing your infrastructure with people who you don't even know actually, from different parts of the world. Because you're sharing your sensitive data, your functionalities and your operations on the same hardware devices with people across the globe, what happens is that it can affect our security in a very serious way. That's why the primary challenge in the cloud platform is that we have multi-tenancy. We even have a lot more challenges like compliance, governance, third parties; a lot of challenges are there, but still this always forms the first one.

So how can we have proper security in the cloud platform? See, team, when you talk about security in any cloud platform (I'm not talking about AWS specifically; if you talk about any cloud platform, let's take AWS, Azure, Alibaba or DigitalOcean or any cloud platform), whenever you take a service, previously there is a word which we always said. Let's for example see, if I am showing you my AWS console here, or if I am showing you my Azure console here, previously the word I have seen many people say is that "Krish, we are choosing the cloud provider." That's the most common word which we always hear: we are choosing the cloud service provider. But that word is now outdated. We are not choosing the cloud service provider, we are choosing the cloud services. For example, I will give an example, team: which is your favourite cloud, or which is the best cloud platform? So we have AWS, some people will say Azure, a lot of people will say like this. But definitely, team, even if I like AWS much more than any other cloud platform, to make it very simple, whenever there is a new requirement coming up in your organization or anywhere, the primary point which we have to understand here is that we should never have an assumption that this is the cloud provider for all our requirements. For example, okay, now AWS is providing me a lot of services; that doesn't mean that AWS is okay for all my business requirements. If I want to get the complete business strategy in AWS, the primary thing I have to understand is that I have to choose the services wisely. See, for example, AWS can offer you some services, Azure can offer some services, GCP can offer some services, but out of these services, which of the services are actually most beneficial for our company? Because of this reason, nowadays companies are going for something called a multi-cloud strategy. That means companies want to use various cloud providers with various cloud services. So there is one question, for example: "Krish, if I learn AWS, then how can I choose a service in Azure?" If you learn AWS, or if you learn Azure, definitely you can choose a service in another cloud platform also. How? Because every cloud platform is offering the same kind of services; it's just a matter of comparison. You just compare the services, and if you feel the service is best for you, you can go for it. So it's all about choosing the right service for your requirement.

Okay, so now we are specifically talking about AWS. Definitely, for a lot of things, for example, I'll give you a simple example. In AWS we have a service called Amazon S3. I will say that in my personal experience I have seen that no cloud provider is offering a better service than this Amazon S3. Why? Because this is the best kind of object storage you can get in the market. The same way, we have EC2. So certain services are in AWS which are incomparable; that much perfect services you can get. But how do I basically ensure proper security for this? The first rule is that, team, let's say for example I have chosen a cloud provider, let's say I choose AWS, then I have chosen a service called EC2. Let's say for example I choose a service called Amazon EC2. So when you say Amazon EC2, Amazon App Runner, if you take a service like that, how do I know that is the best service for my requirement? First of all, you have to know what is your responsibility and what is the responsibility of the cloud service provider. The primary thing in adopting a service in the cloud platform is that you have to look into the service to see if it's able to meet your requirements. Second is: who is responsible for what? For example, let's say if I talk about AWS, who is actually responsible for what? When you talk about Amazon EC2, in Amazon EC2 my responsibility is certain particular things, and the cloud provider is having some responsibility. The same way, we have to understand what exactly is the responsibility of the cloud provider and what exactly is your responsibility. That is why we have something called a responsibility matrix.

That means, see, definitely if you go to any cloud platform (I'm not talking about AWS or Azure; I'm talking about any cloud platform), the security of the cloud platform, when you say security of the cloud platform, it includes the data center, the hardware they are having, the physical security of their data centers and the physical security of the locations, and in the background, the backend networking, the backend CPU, memory, capacity, the backend storage. So all these things will always come under the responsibility of the cloud service provider. And the responsibility in the cloud platform is based on what kind of services you're choosing. Let's say for example if you go for an IaaS service, I can give you a simple example here. If you go for an IaaS service, what happens here is that, you can see this: if I'm going for an IaaS service, the cloud provider is always responsible for the physical security and deploying the VM. Okay, the cloud service provider helps you to set up the physical security and they will help you to set up the virtual machine, or in AWS terminology we call it instances. But from the operating system onwards, the application, the database, the user authentication and the security and the patching, maintenance and everything on that particular operating system is your responsibility only. The same way, the primary thing in choosing a cloud service is about understanding the responsibility for the particular service.

But I want to tell you some very important variations have happened over the last few years. For example, team, definitely in the PaaS platform, you know that... can anyone tell me, team, in the PaaS platform who is responsible for providing the platform, like who is responsible for providing the platform like PHP or MySQL or Python or those kinds of things? When you go for a PaaS platform, we know that when you go to a PaaS service, basically what happens is, okay, we build a virtual machine. Let's say for example we have a VM, and on top of the VM they will install for us an operating system, and on top of the operating system they will install for us a platform like PHP or Java or whatever it is. They will give us a platform, and on top of it we will basically deploy the applications. This is what happens in the PaaS platform. But at the same time, in the PaaS platform what happens is that, see, in almost all the cases, as per the traditional definitions of a PaaS platform, this operating system will not be visible to you. This operating system will be 100% controlled and managed by the cloud service provider, and customers are not given access to this operating system. That is the traditional definition. But now what happens is, let's assume that I am taking a service in AWS called AWS Elastic Beanstalk. See, it's a PaaS service; don't get confused by the name, it's a very simple name actually. It's a PaaS service. Let me show you a simple example here. A PaaS service means it will help us to host a web application or website without managing the underlying operating system or platform or anything like that. So I simply click on "create an application" here and I can select the platform I want, like PHP, Java, whatever it is. I can select the platform I want, I can select my version of the platform, and I can click on create an application. As per the traditional definition of the PaaS platform, you are not supposed to access the operating system, but this particular service called Elastic Beanstalk lets you access the operating system. See this: this particular service called Elastic Beanstalk lets you access the operating system even if it's a PaaS service. Because of that reason, you also have some specific responsibilities regarding your application configuration on the OS side. See, usually what happens is you host an application, and the underlying operating system and the platform will be completely managed by the cloud service provider, but here what happens is they give you access to these things also so that you can customize whatever things you need, like from a security perspective or some compliance requirements or whatever it is; you can access and you can customize the requirements you want.

That is why I'm saying that whenever you go for any cloud service provider, be aware of what is your responsibility, what all features you will get and what all things are provided by the cloud service provider. So even for these traditional things like IaaS, PaaS and SaaS and things like this, you have to be very clear about what exactly they are providing and what is your responsibility and their responsibility. That's the primary thing I want to tell you in this webinar. So first of all, understand who is responsible for what. Then define the features of the application, like what all features can be provided by the application. And the third thing is, see the compliance: see if this application, this particular service, is able to meet your business security requirements. Okay, these are the basics I want to tell you as a whole. And the responsibility can vary according to the cloud service model. And team, nowadays there is one more thing: I can see that there are a lot of things like, you know, containers, serverless functions; a lot of things have been coming up in this for a long time, and the responsibility can vary very seriously according to the various kinds of new services added. Okay, that's it. It doesn't mean that you have to go to every service and personally learn everything. Whenever you have a requirement, you can basically go through the service and you can see what all things are your responsibility and basically how it is shared.

The next point to understand is that we will talk about the secure design principles of the cloud platform. There is a phrase called secure design principles of the cloud platform. It can be customized as per the different providers and all, but as per this particular AWS strategy, I am giving seven design principles for security in the cloud platform.

First of all, team, we have to implement a strong identity foundation. Okay, implement a strong security identity foundation. That's the first thing: we have to implement a strong identity foundation. So why is identity required? For example, team, let's say we have some thousands of users, or more than that, logging on to the cloud platform. When we have all these users logging on to the cloud platform, how do I know, or how do I ensure, that they are able to do only what they are authorized to do? How do I know that they are getting properly authenticated? How do I know my data is protected? For all these things, for data protection, for confidentiality, for integrity, for availability, for traceability, for everything, we need to have proper identity and access management. We will discuss this in much more detail in the upcoming slides. Anyway, identity is a primary thing: when you go to any cloud platform, the primary thing which can be a concern is identity. See, whenever I take my sessions on security and all, the primary thing I will say is the same thing: identity. Why? Because if you are not clear about how to perform a proper identity and access management strategy, you will not be able to have security in the cloud platform, and this thing can become complex every day. I can give you some use cases in AWS and Azure also, because you will be able to understand the difference, how these guys are differentiating this particular thing. I can give an example, team. Let's say for example we have some users. Let's say for example now I'm having some customers in the European region. When I'm having some customers in the European region, what are the compliance requirements I have to comply with, what is the regulation I have to comply with? If I am having some customers in the European region, I have to comply with GDPR. But the problem is that if I say I have to comply with GDPR, I have to make sure the data is stored in the location. Okay, the data is stored in the location: either it must be a part of the European Union, or they must be complying with GDPR. So the first thing is the location, then how the data is stored, the security of the data; a lot of factors have to comply. For example, let's say you have an employee who is storing the data of the European customers in China, or who is storing the data of European customers in a different country which is not GDPR compliant. So what happens? It is not affecting that employee, it is affecting your organization. So implementing proper identity and access management, for a lot of reasons, for security, for a lot of reasons, implementing proper identity and access management is the primary factor when you talk about security in a cloud platform.

The next thing is, see, team, the next very important point is: enable traceability. Traceability in the sense means we can say detection, in other words. I'll give an example. There is a very common saying in security that if you don't know what you're facing, you will not be able to respond to it, or you'll not be able to mitigate it. For example, if I don't have visibility on the cloud platform... see, first of all, the cloud platform means that I am going to a cloud service provider; I am depending on a third-party provider and the third-party provider's data center. In that perspective, what happens is, if I don't have proper traceability, or if I don't have proper monitoring, alerting, auditing and change management in the cloud platform, I will not be able to have proper cloud governance. Let's say for example, team, a person logs into my cloud platform, or an attacker logs into my cloud platform, and does something wrong, and I am not getting notified of that particular thing. Let's say for example, what if an attacker logs into your cloud platform and turns off the logging? What if an attacker basically logs into your cloud platform and turns off the data collection, or basically turns off monitoring? So whatever things happen, you must be able to immediately get notified of the changes happening in your infrastructure. That's the next thing: monitoring and visibility is the next thing, that is, enable traceability.

Then the next thing is security in different layers. So what are the different layers we have? That is the next thing I want to tell you, team. We have a phrase called defense in depth. Defense in depth, this is a very important phrase; I will tell you, we will discuss it in detail, because defense in depth in the sense means... I will give an example in Azure, because Azure is giving you a very precise diagram for how to implement a defense in depth approach. But definitely, team, how to implement a defense in depth approach: that is a multi-layered security strategy. I can give a simple example now. Why are we wearing this? Because we know that we have the COVID pandemic now, we all are wearing masks, right? We are wearing a mask; why are we having multiple layers for the mask? You want to have protection, but definitely a single layer can offer you protection, so why are we having multiple, three or four layer masks? The reason is because you want to make sure that even if this particular layer fails to provide you protection, the next layer must be providing you; even if these two layers fail to do that, you must have one more layer. So you want to have multi-layer protection. The same applies in security also. See, let's say for example, basically what happens is, when you go for a cloud platform, when you go for any infrastructure (now don't think about the cloud platform; when you talk about any infrastructure), if you want to have security, defense in depth is a very mandatory thing. Why? Because you must have a multi-layered approach. Why do we need a multi-layer approach? I'll tell you. See, implementing a firewall or implementing anti-malware software is not a security thing by itself; doing this alone will not make any changes or any security for your company. But if you want to make sure you have proper security, you must implement the security in the right places, in multiple layers, so that even if one layer is basically, you know, vulnerable, the other layer can catch the failure. For example, okay, we have a DLP solution. If the DLP solution fails to protect my data, I have an IRM or DRM solution there. We have a firewall. If the firewall basically fails to protect a particular thing, or against a particular thing, what happens? We need to have an IPS system there. The same way, we need to have a multi-layered security architecture. I will give you a real example of how these things work in the cloud platform. I will show you a simple example, because this is the way I am doing it for my customers.

The next thing is automation. So definitely, team, whenever we talk about security, definitely for security we have to implement everything and we have to be alerted, but what is the need of automation? See, every day you are hearing a lot of news on data breaches and all. Even recently, in the last two weeks, you have heard of more than three to four big data breach incidents, right? The reason is because we basically have a lot of security issues coming up now which are unexpected, and you want to respond. Let's say for example you want to respond to it. You are saying that okay, I want to basically respond to a particular security incident. What if you are not able to immediately respond to it? What if you are not able to be immediately notified of that? Let's say for example I am having a person who is working in my company, or my whole security team is there, but suddenly they missed a particular change or they missed a particular attack. So what happens there? I want to make sure that there is an automated mechanism wherever it's possible to do automation. Why? Because if I go for a manual strategy, the problem is that it can be error prone, or it can be giving you a lot of cost challenges. If you make the things more and more automated, the response mechanism, the security mechanism, the monitoring mechanism, the alerting, if you can make it completely automated in a cycle, it can help you to mitigate a lot of things as soon as possible. For example, I will give an example: if somebody tries to modify a permission in your IAM, or somebody tries to change something in your firewall... let's say for example I am having a firewall in AWS, we call it a security group. So if somebody tries to modify a firewall configuration, let's say I am adding a new port number or I am trying to modify a security configuration, in that case what happens? I need to have a mechanism which can immediately respond to it and remove the change that happened, or undo the change, or block the things. The same way, I must have a mechanism to do all these things. I will talk about a career perspective here also, team. Anyway, let's come to the next thing, and after that I'll talk about a career perspective on this automation also.

Then we have a word called protection. So team, we have data. Whenever we talk about data, the primary phrase we have to understand is data classification. What is the purpose of data classification? That is a very important point we have to understand: data classification. When you say the phrase data classification, we classify the data based on the sensitivity and value it provides to the organization. Let's say for example, team, I am storing some data here in a storage. This is my S3 bucket; I am storing some data here. So based on how sensitive this data is, is it PII or PHI, or if it's functional data, based on this requirement, or based on the sensitivity of the data, what I will do is I will classify it. If I don't classify it properly, what happens is it will result in improper security controls. I'll give an example here. I am having some data which is basically the data of some particular customers. For example, let's say this data belongs to some, you know... it contains some PII or PCI; it's very sensitive data. If I don't understand this data as sensitive, what happens? I will not make proper access control, I will not have proper protection. So we classify the data based on sensitivity and value to the organization, and based on that we will protect our data, and to make sure of that we will use mechanisms like encryption, tokenization, access control, identity protection, a lot of things like that, to protect our data. We are going to discuss this in detail.

Okay, the next thing: keep people away from data. That's a very common phrase. The reason why: definitely we know that, see, having a person who is doing all these things manually doesn't mean that he will make a mistake, but definitely, when you talk about a manual process, whenever I am talking about a manual security intervention, it can always bring you some risk. Let's say for example the person does some mishandling of data. What if there is mishandling of data, or what if there is a modification of data due to some human error? So whenever we are handling sensitive data, if it's possible to make the things automated rather than manually classifying or manually organizing data, do it.

And finally, always be prepared for security incidents. For example, previously what happened is, team, we would hear the news of a lot of companies worldwide, the top companies worldwide, regarding data breaches. But now what happens is, when you go to even a very small company, data breaches are very common nowadays. So whether your company is the smallest company or your company is the top company or the largest company in the world, you must always be prepared for a security incident. It can always happen. When you go to the cloud platform, you can always expect attacks, or you can always expect a lot of... it can be attacks, or it can be something unexpected, like a human-level process or whatever it is, but be prepared for the incident. For example, immediately an attacker gains access to my identity, or immediately a person is able to access my server; hundreds of thousands of things can happen, and you must be prepared for all these things. Preparing in the sense means you must have a proper plan for your incident management. For example, there must be a proper incident management plan, an investigation policy and a process that is aligned to your organizational requirements, and also we have to test it. While testing your security, team, if you don't test something, it's more likely to fail. Let's say for example I am saying that okay, team, we are taking a backup every day, or I am taking the backup of my systems, but how do I know this backup is perfectly fine? How do I know this backup is properly working? I have to test it. If you don't test something, it's more likely to fail. That's why you have to go for it. Okay, that's it. Let's discuss these things in much more detail now.

Okay, so team, let's discuss the best practices in cloud platform security. This is a very, very interesting thing I want to tell you, team. The reason why: because these are the main factors, or these are the key factors, which, when you talk about cloud security, especially security in AWS, these are the key factors which we have to understand: identity and access management, detection, infrastructure protection, data protection and incident response. I'll give you what all services are basically important for this, or what all services can help you in this process in a very effective way. See, when working with AWS, it's very imperative that your account and data, your compute and everything there is basically secure, and it must be only accessible for authorized purposes. AWS provides a lot of services for that, but we have to be very clear about how these services are protecting us, and in the worst case, okay, let's say for example I know that AWS is offering me a proper monitoring solution; if this AWS monitoring solution is not able to provide me the proper things, go for a third-party solution. So we have to figure out if the solutions offered by AWS for our requirement are able to meet it perfectly; otherwise what we have to do is go for some third-party solutions. For example, I will tell you one example I have felt. In AWS we have a service called AWS Inspector. AWS Inspector is a very good service for doing a vulnerability assessment. If you want to have a complete vulnerability assessment, you can go for AWS Inspector, but in almost 60 percent of cases I have seen that this AWS Inspector is not compatible with on-premises, or it's not good for a hybrid environment or a multi-cloud environment. That's why what I will do is I will go for Nessus or those kinds of tools, which are third party. So don't hesitate to go for third-party tools, but what we have to check here is that these tools are able to provide our complete requirements. Before you architect any workload in AWS, we need to put in the best practices that influence the security, and how can we do that, who can do that, and all these things we have to do. And always understand that there is a phrase called shared responsibility: who is responsible for what. Be clear with your responsibility if you want to avoid the burden of operations. Okay, that's it.

The first thing is that I want to talk about the defense in depth approach in the cloud platform. Defense in depth approach: so what is the defense in depth approach? Yeah, I told you that it's multiple independent levels; your defenses have multiple layers of security. But how do I do this? For example, let's say I am hosting an application. So team, let's say for example this is my web server. On my web server we know that, okay, I am hosting a website, let's say for example awsgladiators.com; I'm hosting this website. But how do I know this particular website is actually able to provide me... how is this website secured, how is this website protected? Yeah, we have a firewall, I know we have a firewall, but having a firewall doesn't mean that your website is safe. There can be errors in your code, right? There can be issues in your architecture, right? So for these kinds of scenarios, what you have to do is the defense in depth approach, which is a very important thing. Whether you go for AWS or Azure or anything, having defense in depth of course helps you a lot. And it doesn't mean that, okay, I'm having multi-layer security or I am having some hundreds of layers of security; when you say you have a lot of layers of security, it doesn't mean that it is a defense in depth approach. That's a very common mistake most people make, because people say that having a lot of security layers simply will give you defense in depth. It's not like that. You need to have multi-layer security, definitely, but you must be able to know where to place it and how these things must be working. So once you plan these things properly, what happens is, let's say for example this is my network, this is my server. So the attacker has to break your network, then he has to break your firewall, then he has to enter your computer, he has to break the access control. The same way, you must have a multi-layered security architecture.

So I can give you a simple example in the AWS perspective. See, team, this is an example defense in depth approach I have seen for the Slack platform. Okay, so let's say for example they have a server which is basically hosted on Amazon; this is their server which is hosted in Amazon EC2. So what happens is that whenever a person calls slack.com, what happens there? The request is basically passed to the Amazon DNS service. This is the Amazon DNS service; this can help us prevent a lot of attacks. We have a DNS firewall now; because of the DNS firewall, this can help us to protect against a lot of kinds of attacks. So once the person hits the DNS and the request is verified, then he is taken to the CDN service. What is the benefit of going to the CDN service? First of all, the primary benefit is that we can integrate a web application firewall, or a layer 7 firewall, with the CloudFront CDN service. And the second thing is that the most common attack we have for the cloud platform, when you have the servers in the cloud, is a DDoS attack. What is a DDoS attack? Distributed denial of service attack, right? And what is the primary intention, team, what is the primary intention of a DDoS attack? To affect the availability. The primary goal of this thing is to affect the availability, right? That means that whatever things happen, the particular thing, the server, the website, must be taken down; it must be unavailable. So if you use a CDN system in front of it, what happens is that this particular CDN is distributed across the world. What is the CDN, team? Let's say this is my website. I can basically cache a copy of the website in various locations across the globe; these are called edge locations. So basically this is my website; I can serve my website through various edge locations across the globe. Because of that reason, when there is a huge number of requests coming as a DDoS attack, it can absorb the attack very easily. It can basically help us to absorb the attack very easily, and we can basically have a web application firewall to prevent or protect against all these kinds of attacks. So this is the second layer. And the third layer is that, team, we can have a load balancer, and the load balancer is something which will help us to balance the load, to make sure that when we have multiple servers, the servers have the proper load shared between them very easily. So like this, this is a simple example of a defense in depth approach. See, so what happens is, when a person wants to call this website, first of all they have to pass through the DNS, and they have to pass through the web application firewall and the CDN service, then they have to pass through the load balancer, then they have to pass to the EC2 instance. Here also they have one more layer: they have a security group. So what happens is they have to pass the security group layer. Here we have four-layered security; see, here we have four-layer security, or we can say five sometimes.

Let me see if I can show you one more example of this, just in a second. I can show you a picture here. Let me see, I just saw a picture here. It's a very interesting one. I have seen this picture in some of the AWS links actually. This is not a perfect one for your request, but still this helps you a lot. See this, team, I don't think you can see this clearly, but anyway, see this, team. A person is trying to access a website. See, the request is passed through the DNS, and then through the DNS it is taken to the web application firewall, then from the web application firewall it is taken to the load balancer, and in AWS itself, by default, there is DDoS protection called AWS Shield. See, so here we have protection level number one, protection level number two, protection level number three, then we have our encryption, protection level number four, encryption, then we have auto scaling for others. So we have five or six or seven levels of protection in this particular single thing itself. See this: like this we can enforce a proper security strategy. So many people ask me this query: "Krish, when we have, let's say, auto scaling, how can auto scaling help us in this DDoS attack?" Because even on one website I have seen, you know, I don't think it's like that basically; on the website I have seen one point that auto scaling can help us to mitigate a DDoS attack. Auto scaling cannot mitigate a DDoS attack, but when you have the auto scaling functionality enabled, it can help us to get some time to respond to this attack. I'll give an example, team. This is my server
this is my website, let's say for example mywebsite.com, this is my server, OK. So what happens is that whenever there is a DDoS attack happening to the server, if you have auto scaling enabled, what happens is they will automatically increase the number of servers like this. When they automatically increase the number of servers the attack will get distributed, and because the attack will get distributed, what happens there? Because the attack will get distributed, this particular DDoS attack will not be successful soon; they have to spend a lot of time and effort for the attack to be successful. So what happens is, by that time, we can understand this attack and we can respond to it. In the same way, a lot of functionalities are there, a lot of services... No, that's a very important point, yeah, I was waiting for this particular point. You see, this is my server, this is the DoS attack happening. When the attack happens, when we have auto scaling enabled we will have more servers created, right? But at the same time there is a very important concern here: "So Krish, basically by doing this we have a lot of cost also, right? When you scale, they scale things for you, they will charge you the money, right?" If you are having a proper protection mechanism like DDoS Shield Advanced... there is an AWS service called AWS Shield; if you have Shield Advanced enabled in your account, even if the auto scaling happens because of a DDoS attack they will not charge you for that. They have a mechanism to completely waive the charges for auto scaling happening because of the DDoS attack. See, so in that way you can prevent the cost also. OK, that's it. So what we're trying to say here is that when you have multi-layered security like this, it can help us to bring a lot of benefits. OK team, that's the first thing.

OK, so the next thing I want to tell you is that, team, first of all we have to always understand one more thing: how do I securely operate our workloads in the cloud platform? So in Azure, what happens, I have seen that in Azure we can create multiple Azure subscriptions. We can create multiple Azure subscriptions and tenants, we can say AD tenants and subscriptions in the case of Azure. In AWS the best practice is that you always make sure you create different accounts for different workloads. For example, team, in our company we have a team one, a team two, a team three and a team four who are doing separate projects. For every project we can create one or more accounts in AWS. Why? When you create multiple accounts in AWS and you have a multi-account strategy in AWS, the advantage is that when you go for a multi-account strategy in AWS, it will help us to limit the attack surface. See, it will basically help us to limit the attack surface. So what happens, let's say for example there is an attack happening in account number one; we can make sure that this attack is limited to this particular account only. If there is an attack happening in account number two, we can make sure that this attack is basically contained in account number two. In the same way it can help us in managing the strategy properly. So always make sure that in AWS, if you want to have security, if you have multiple complex projects and teams, make sure you create multiple AWS accounts and manage them using the AWS Organizations strategy. AWS Organizations and AWS IAM strategy can help you; it can basically help us with the thing that we can separate the projects, and in the project itself we can separate the development account, we can have a production account, we can have a testing account. See, in one company I am currently supporting, for a long time, they have more than 60 AWS accounts. That's a very small company who has less than 100 employees; they are having 60 plus AWS accounts as of now, because they want to make it completely, like, you know, proper security. What they do is they have a separate account for every project, and in every account, in every project, what they will do is they have a different production account, they have a different testing account, they have a different development account and all. And at the end of the day the whole thing is we have to integrate all of these things together for the effective process. That's a very simple thing. OK, that's it. Don't think about the number of accounts; think about how we are managing it. Most people think, yeah, if you have more than 100 accounts how do you manage it? Even if you have a hundred accounts or a thousand accounts the strategy is the same. All you have to do is organize properly with the help of AWS Organizations, with the help of AWS IAM, with the help of, say, centralized monitoring and all; it can be very easy for you. OK, that's it.

So let's discuss these things in a bit more detail. The first thing I want to tell you as a part of this is the identity architecture. The primary thing in AWS security is the identity architecture. I want to discuss this in a bit of detail, and the reason why is that, team, I don't know why, but I think you will also agree with me: when you go for the cloud platform, if you're not having a proper IAM strategy, the whole security will go in vain. OK, first of all, the primary thing which you have to always do when you talk about IAM is to lock away your AWS root access keys. What is a root account? Let's say for example I am now creating an AWS account. You can see this: this is my AWS account, like any Azure account or whatever. See, I'm having an account here and you can see that I am using the default username and password for this account. What is the default username and password? When you create an AWS account they will give you a default username and password, and that default username and password is what you call the root account, the primary account. In Azure or AWS, when you create an account, the primary username and password they will give you is called the root account. Never use this root account for any operations unless otherwise it's very sensitive. Never use a root account for any operations. Why? Because if you use the root account and somehow it gets compromised, you cannot do anything; the whole account can be compromised, the whole data and whatever things you're hosting in the cloud platform can be compromised. So the primary thing is never use the root account. Instead, what you have to do is basically go to the AWS Identity and Access Management service. You can go to AWS Identity and Access Management; I can show you how it works. This is something which you can immediately learn; for example, you can learn it while you start learning AWS. You don't have to do it only when you work; this is something which you have to practice while you start learning AWS.

So never use your root account. You can go to the IAM console, go to the user section; see here, team, you can see I'm having a user here called admin user. In the same way, just create a user. It's very simple; you can basically create a user here. Let's say for example I am creating a user called admin. This is my username. I can provide access to my management console or application access, whatever I want. I can give a password for this; anyway, I'm getting a password. And then you can give him the permission called administrator access. There's a permission called administrator access, you can see this; by giving this permission you can do almost 90 percent of the things which can be done by this root user. Don't forget: by giving this permission called administrator access to a user, you get almost 90 percent of the permissions of the root user. So you can do all your regular routine tasks by going for this user, right? So never use your root account is the primary thing. If you want to have a secure cloud platform, never use your root account, or root account for management, for all the routine management operations. Make sure you create a separate user, give him the admin privileges and let him do that. OK.

And the next thing is that we have a root account; the root account username and password, the root account credentials, must be kept in a very secure place, and we have to make sure that there is multi-factor authentication plus login notifications enabled. Don't forget: we must have multi-factor authentication with login notification enabled for the root account; it's a very mandatory thing. What is this multi-factor authentication? I'll explain anyway, I'll explain in the next slide. So whenever you have a root account, make sure you enable multi-factor authentication and enable login notification. What is login notification? If somebody tries to log into your root account you will get an immediate email in your inbox. This is mandatory.

The next thing is that even in very large, very very large companies, I can say the companies where there are more than ten thousand people, 10,000 employees or more than that, I can see this... even last time when I went to a company I have seen this mistake, that people are trying to share the credentials. Even, you see, you go to your company, you have an access card to enter your company; so what happens is, OK, you tap your access card and your partner or your friend will also, you know, tailgate you. See what happens: the identity system is completely compromised there. So always make sure... most of the cloud providers, even if you go for AWS or Azure, especially AWS, the IAM is a completely free service. This is completely free, no cost at all. So because it is completely free you don't have to hesitate in creating users. You can create thousands of users, millions of users, however many employees you have; make sure if they want to have cloud access, create a user account for them if you need it. Actually, don't hesitate to create user accounts, OK? And never share the credentials.

The next thing is a very important thing: we have a mechanism called groups. What is a group here, team? Let's say for example, see, I'm having two users here; we have two users called admin user and cloud code, see this. So what happens is, if I'm having... Definitely, yes, we can integrate AD, yeah, I will basically come to that; that's a very important point, integration with the third party. So team, what happens is if, let's say, I am having some 10 users, let's say for example we have four users, what happens is that when we have these four users who need the same permission, or who are basically working in the same project with the same permission, don't use the mechanism of giving the permission separately. Add them to a group. You can basically create a group here; let's say for example add them to a group called administrators. What I will do is I will add both of these guys to the group called administrators, and I can assign the permission to this group. By assigning the permission to this group, whoever is a member of this group will get the permission. OK, that's a very interesting strategy which you have to follow.

And then the next thing is grant least privilege. So team, grant least privilege means... when you say least privilege that's a very confusing word sometimes. Why? Because I have seen many people say that, yeah, when you try to give permission... so let's say I want to give some permission to this guy. So what we do is we basically click on add permissions, and you can see a lot of permissions here, see this. OK, see, you can see a lot of permissions here, see this. All these permissions, all these policies... a policy is something which will help us to give permission, see this. We have a lot of permissions here; you can go for a lot of things that are there. Most people rely on these particular default permissions. Never use this.
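As an added example (not code from the webinar or from AWS), here is the kind of customized policy the speaker recommends instead of the default managed permissions: a policy scoped to a single EC2 instance ARN, with the points he goes on to make built in (swap in another instance's ARN to manage a different server, block restarting the server with an explicit Deny, and allow access only from a given IP range through a policy condition), together with the small review checks he recommends running before attaching a policy. The account ID, instance IDs and the 203.0.113.0/24 range are constructed placeholders, not real identifiers.

```python
import ipaddress
import json
import re

# Constructed placeholder values (assumptions for the example, not real
# identifiers): an account, an instance in ap-south-1 and an office range
# taken from the TEST-NET-3 documentation block.
ACCOUNT_ID = "111122223333"
INSTANCE_ID = "i-0123456789abcdef0"
REGION = "ap-south-1"
OFFICE_CIDR = "203.0.113.0/24"

# Shape of an EC2 instance ARN; used to catch typos when swapping in a new one.
ARN_RE = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:instance/i-[0-9a-f]{8,17}$")


def instance_arn(region, account_id, instance_id):
    """The ARN that goes into the policy's Resource element. Pointing the same
    policy at another server means changing only this value."""
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def build_single_instance_policy(arn, source_cidr, block_reboot=True):
    """Least-privilege policy for one server instead of a full-access managed
    default: start/stop only the named instance, only from source_cidr, and
    (optionally) an explicit Deny on reboot."""
    ip_condition = {"IpAddress": {"aws:SourceIp": source_cidr}}
    statements = [
        {
            "Sid": "ManageOneInstance",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": arn,
            "Condition": ip_condition,
        },
        {
            # Describe calls cannot be scoped to one instance, so "*" is
            # unavoidable here; the call is read-only and still IP-restricted.
            "Sid": "ReadOnlyDescribe",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Condition": ip_condition,
        },
    ]
    if block_reboot:
        # An explicit Deny wins over any Allow granted elsewhere.
        statements.append({
            "Sid": "NeverReboot",
            "Effect": "Deny",
            "Action": "ec2:RebootInstances",
            "Resource": arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_readonly(action):
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(("Describe", "Get", "List"))


def validate_policy(policy):
    """Review checks to run before attaching a policy. Returns a list of
    findings; an empty list means nothing suspicious was spotted."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if st.get("Effect") == "Allow":
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{sid}: wildcard action in an Allow statement")
            if ("*" in resources and "Condition" not in st
                    and any(not _is_readonly(a) for a in actions)):
                findings.append(f"{sid}: unconditioned Allow on all resources")
        for r in resources:
            if r != "*" and not ARN_RE.match(r):
                findings.append(f"{sid}: malformed instance ARN {r}")
        cidr = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if cidr is not None:
            try:
                ipaddress.ip_network(cidr)
            except ValueError:
                findings.append(f"{sid}: bad CIDR {cidr}")
    return findings


def policy_document(policy):
    """Indented JSON for pasting into the console; the spacing is cosmetic only."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    arn = instance_arn(REGION, ACCOUNT_ID, INSTANCE_ID)
    policy = build_single_instance_policy(arn, OFFICE_CIDR)
    print(policy_document(policy))
    print("findings:", validate_policy(policy))
```

Running it prints the policy document and an empty findings list; feeding validate_policy a statement such as Allow ec2:* on Resource "*" with no condition produces two findings, which is the sort of thing a review before attaching should catch.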
The best way is that we always make sure we create customized policies as per our business requirements. What is the customized permission? See, this is a customized policy made by me. So for example, OK, I want to make sure this particular user, we have a user here called admin user, right? So I want to make sure that this user must be able to manage a particular server. OK, I want him to manage a particular server. When I say I want him to manage a particular server, one common scenario I have seen is that most people... OK, first of all we have to give permission to Amazon EC2, to give a complete read/write permission. But the problem is that if you give a permission to Amazon EC2, and if you give a read/write permission, that means he is able to manage all our servers. I don't want to do that. If you go for the default permissions in AWS, they will give you the policy where the person is able to access everything in Amazon EC2. But if you make a custom policy like this, see this, this policy will ensure that the person will be able to manage only this specific server. See this; this is the most common approach we have. (I'm not just heading to a career path for this, that's why; sorry for this interruption.) So basically what happens is that when you go for these programming things, I don't want you to learn, let's say, JSON. This is completely JSON; I don't want you to learn JSON completely. There is no point in learning JSON completely; it will not help you with anything. If you learn JSON completely it's definitely good, OK, you learn something, that's all, except that it will not give you any benefits; it can take up a lot of time for you. To avoid it, learn this policy; that's enough. See, now I am telling you, team, let me give an example here. I want to give an example; let's do it this way. We have a policy here. Now I'm asking you, team: this is my server, OK, this is my server's ID. For every AWS service there is a specific Amazon resource ID there. So I'm asking you, team, how do I ensure that this person can manage another instance? Tell me, how do I customize this policy for a person to manage another server, another instance? So what I will do is I will remove this particular thing and add the new ARN, OK. I want to make sure that the person is not able to restart the server; what do I have to do, tell me? I want the person to be completely prevented from restarting a server; so what would I do here? See, if you can learn this way... first of all learn the structure, OK, learn the structure: it will start with the curly bracket, we have statements like this. Anyway, we can take it on another day; anyway, I will definitely publish a YouTube video on this, how to read your JSON policy, and that is all that is required for you to learn this particular thing. But make it very simple by having this top-down approach: you have a script, you have to customize it. If you are able to do that, you are able to survive in this identity and access management. That is what I have done in my personal experience. See, whatever policy you want, it is available. For example, OK, I want to have a policy, OK, "iam aws policy to block ec2 access", or let's say S3 access; if you search it like this you will get the policy you need. You can basically get the policy here, copy the policy, customize it; that's enough for you. See, you can basically copy the policy, you can customize it; once you do that, see, I'm just simply copying the policy, replacing this bucket name with the actual bucket name. This is my bucket name; I will replace this with the actual bucket name I'm having. That's it. So all you have to know is how to customize things, just simple modifications. Simple customization is all that you require, I swear on that; it's very simple. I have been able to manage things for a long time very effectively just by these customizations. So if you ask me this: do you know complete Python? No. I don't know Python for sure; for all these years I don't know Python. But still, if you give me a script and tell me, "Krish, we want to do it like this", I can simply customize it, because we have a lot of resources on the internet. Just customize it; that's very simple. Learn in that way; the top-down approach is what we need, the top-down approach, nothing more. Do a top-down approach. So automation is mandatory and you have to learn scripting; at least JSON and simple Python is required when you go to any security industry. OK, that's it.

OK, the next thing, you see, that is how you can basically assign proper permissions, or proper fine-grained access control permissions, to a user. Then the next thing is that the main challenge is... see, this is a statement which I have copied from the AWS website, but to be honest I don't prefer this. I don't know, but you can basically post your views if you want, but basically I don't prefer this. Why? Because this is what you call AWS managed policies; that means these are the default permissions you can assign, provided by AWS, see this. These are some default permissions you are having. If you go for the default permissions it is perfectly fine for a top-level approach, but when you want to make the policy more and more stringent, if you want to make the policy more and more fine-grained, you have to customize it. I'll give you a simple example: I want to allow access to Amazon S3. Just type s3, you will get the policy here, copy the policy and customize it the way you want. That's enough, OK, that's it. And I'm sure about this thing: if you do it some three to four times you will be able to do it very easily, because it's nothing you have to learn; there is nothing to it. Even if you're good in JSON you have to learn this separately; then why do we have to learn that, when we can learn directly this? OK.

The next thing is: validate your policies. This is a very common thing I have seen many people are missing. Like, you write a policy... team, let me show you one of the policies I have written here. So team, this is a very important policy. This policy is telling you that the person will be able to access everything in the AWS account only if he is logging in from this IP address. That is the main goal of this policy: the person will be able to do everything only if he is logging in from this IP address; that's the policy. Why do you get a policy like this? Make sure you review the policy from end to end. I want to make sure that I review the policy; it's not about the policy language, I want to know what all permissions I have specifically given in the policy. Why? Because if I don't know what purpose... let's see this policy, OK. So in this policy you know that not only can you have IP-based access, you can have location-based access, now you can have device-based access, a lot of things are there: time-based access, date-based access, location-based access, everything is there. So in this policy all you have to do is go through the policy, read the language and see if there is anything suspicious in this. If you feel anything is suspicious, customize it; that's all. So review the policy properly, validate the policy properly and verify if you're getting the permission.

And some people ask me this query: "Krish, when you go for these kinds of policies, the main challenge most people are facing is, how do I know the spacing and all?" See, this spacing is nothing you have to worry about; these things are just for, you know, aesthetics, that's all. Like, I just want to make sure this policy looks cool and I'm able to understand things very effectively; that's why we have this particular, you know, proper spacing. Even if you write the policy like this it's perfectly fine, see this; this will not change the policy at all. And one more thing: you don't have to spend time on anything like this. Let's say, team, I have this policy; I want to make this policy look a bit, you know, cute. So just take this policy, go to your browser, open a JSON formatter. Just type "json formatter", you'll get a lot of websites; see, open a website called JSON formatter, any website is fine. Refresh it... let's see, we can go to another site, no problem. So we go to a website; even you have, you know, an extension for that also, yeah, they have a decent one. So all I have to do is just simply copy this particular code here, see, they will format it for me. See this, the code is already formatted; see, format or beautify, see this, I get the complete code which is beautified or formatted. See, it's perfectly fine. Now if you basically go for the policies, it's all about... everything is available for you; all you have to do is customize things, that's all, OK. By doing that you can learn these things very easily; you don't have to learn everything completely to be a master of it, but learn how to work in a smart way on this.

The next thing... identity is the biggest thing, actually, you have to learn. The next thing, team, is: use customer managed policies instead of inline policies. So basically what happens is, always make sure you create your own policies, OK, always make sure you create your own policies. Then we have a mechanism called access review. In AWS we have a mechanism called access review, see this: if you go to the IAM console you can basically see that there is an access analyzer. By using the access analyzer, see the permissions you basically get. Then configure a strong password policy. How do I configure the strong password policy? Very simple: I go to the IAM console in AWS, I can basically go to the account settings, I can see the password policy, click on change password policy, customize the password policy as you want. See this: password length, password complexity, password expiration, password reuse. I can basically set the policy as per my company standards. Very simple, OK.

Then we have enable MFA. I want to tell you what exactly MFA is in very simple words. So team, when you say multi-factor authentication most people think it is two-factor authentication. 2FA is also MFA, but when you want to say MFA we have three things: something you know, then we have something you have, and then something you are. We have three things. What is something you know? Like passwords, PIN numbers, OTP, all these things are something you know. And what is something you have? Something you have means like, you know, certificates, key files... or sorry, OTP is basically something you have actually; look at the OTP and all, these things are something you have. And something you are means your biometrics, right? So if you want to say multi-factor authentication you must have any two of these, at least two of these. I'll give an example: let's say for example now you are trying to log into your cloud platform; you are getting a username and password, you are entering the username and password. Is it multi-factor authentication, team? No, it's not; a username and password, so it's not multi-factor authentication, it's single factor probably. So what I will do is, OK, after this you have an email notification; you have to click on the email notification, or you have to get notified on your mobile phone. So this is something you know plus something you have. I will give you one more example. Let's say for example, team, I'm trying to log in. When I'm trying to log in, first they're asking me, scan your fingerprint. So you place your fingerprint at the fingerprint scanner, and after that they're asking you to read the text displayed, read the message displayed, read the text. Is it multi-factor authentication, team? See, so scan your fingerprint means it's basically asking you to scan your... it's a biometric thing, and read the text displayed means it's voice recognition, voice, and also biometrics. So because it's something you are, this is not multi-factor. If you want to say multi-factor you must have at least two of these. So the next question you can have is: do you think MFA is safe? Definitely, I don't say MFA is safe. Even if you have a captcha now, captchas are also, you know, bypassable very easily now. So when you have MFA, MFA doesn't mean that it's safe, but it is much safer than having single-factor authentication. That's the primary thing: MFA is much safer than having single-factor authentication.

The next thing, team, is an AWS-specific concept we call roles. This is a very important AWS-specific concept, roles. I'll give an example for this role thing; this is a very, very important thing. I will tell you, even if this is something for people who already know AWS, definitely you can understand this. When I say roles in AWS, what happens is, let's say this is my instance, this is my AWS EC2 instance, my server, my VM in Azure language, OK. This is my EC2 instance, or we can say my server. In the server, what happens is, team, OK, this server... what happens is I am having an application; my application wants to access an AWS service, let's say an S3 bucket or any AWS service. Does this existing server, this application on the AWS instance, want to access an S3 bucket or any AWS service? So what happens is that when this happens, if you want your server to access your S3 bucket, first of all you have to create a username and password. You have to basically go to the AWS IAM console, go to users and create a service account, you know, the service account in the Windows concept type, see this. We can basically create programmatic access. So by using this mechanism you can provide the access to this application. But the problem is that when you are using a user account for giving access in these particular scenarios, at the end of the day it will always be easy to compromise, or what happens is the attackers will be able to get this somehow. Let's say if an attacker is able to get these credentials, they will be able to access the storage. That is where we use the concept called roles. By using the mechanism called role, what happens is you are not creating a user account. Don't forget, you are not creating a user account. We have a server here in AWS; I am attaching something called a role to this account... role. By doing this I am authorizing this instance without giving any credentials in the front end; without passing any credentials to the front end, I am giving this permission to the server to access this particular storage without entering credentials manually. So what happens here is whenever I host an application on this, the application which is hosted on this instance will be able to access the S3 bucket without entering the credentials, because the credentials are passed in the back end by AWS itself. So a role is like a user, but the only difference is that I am not generating any credentials and giving them to users. I am not creating any credentials or giving them to users; I am giving the credentials to the server, so the server will be able to access the storage. That's the concept of a role. You can learn more about roles if you work in an organization, or if you want to work in an enterprise scenario with multiple AWS accounts and all; without roles you can't do this. Role is the key for learning IAM. Most people say policy is the key, but I will say role is the key. Why? Because the more efficiently you can manage the roles, the more efficiently you can control the access and minimize the security risk in AWS. OK.

So the next thing, team: do not share the credentials. As we discussed earlier, never share the credentials; always create a separate username and password, and the credentials must be rotated. Like, there is a proper policy... so of course, what is the default? There is no default rate, but you have to ask for your company's strategies; you have to create a strategy where, like, every three months or two months or six weeks, you have to create a strategy to make sure you rotate, I mean update, your credentials properly. And any orphan credentials, any unnecessary accounts: if you feel there is any account which is not used or unnecessary, it is not required, remove the credentials. And use policy conditions. What is a policy condition, team? I showed you earlier, right? This is a policy condition, see: only if the person is logging in from this IP address give him full access; this person can be administrator if he is logging in from this IP address. In the same way, monitor the activity in the AWS account; make sure we have complete monitoring. We are going to discuss that monitoring also in very much detail.

So team, do you mind, before we go to the monitoring part of it, can I show you something in Azure also, if it's OK for all of you? Even I know it's an AWS webinar, but I want to show you one strategy in Azure also. So team, I can show you a simple example in Azure also; this is a very interesting thing. So in Azure... I'll type "zero trust model". This is something I found very interesting, that's why I want to show it to you. You can do it in AWS also, but in a different way; that's all. I want to show you how these companies or organizations are having a proper strategy like this. This is the one I want to show you; it looks very interesting actually. So what happens is a person is trying to log into the Azure account, OK, from his PC or iPad or tab, laptop or mobile phone; he's trying to log into an Azure account. Obviously you know the first step is always to have multi-factor authentication; you have to make sure that the username and password plus a multi-factor authentication mechanism, that's mandatory. Without this you cannot have security; MFA is mandatory, OK. After this we can basically put something called access conditions. What is an access condition? For example, let's say, OK, now Krish is trying to log in; he is entering the username and the password, but when he enters that, the next thing they will look into is the access conditions. What is an access condition? OK, as per the updates, as of now the person is in India, but the request is coming from a different country; that means there is some issue with the location, it can be a spoofer, right? Usually this person will log in from this iPad or this PC; if there is a new device trying to log in, that means there's a suspicious thing. What is the risk rating of the user? The user is creating... for example, if there are many attempts or attacks for the user, the user is in a high-risk profile, for example. So based on all these things I will decide, verify, whether I want to give access or block access. So what is the point here? It's not only about entering username and password; it's about verifying a lot of other factors also. So based on this, whether I will allow access or deny access, and I will verify this continuously. This is an example like this.

I will give you one more thing. There is a word, in Azure there is a word, called privileged identity management. I don't know if it's there in AWS, but in Azure it's definitely there; I liked it very much. So team, why I want to tell you this: let's say for example we have a user here called Krish. So this user belongs to the group called database administrators, for example. We have a user here called Krish who is a database administrator, but my challenge is that the database contains very sensitive information; if this account is compromised the whole company database can be compromised. So what I will do is something called privileged identity management. What is privileged identity management? That means that when you say privileged identity management, this user will not be given permission every time. So this user is allowed to be the admin, but as of now this user is not having permission. When the user logs in, the user will log in and every time he logs in he has to request for the permission. Don't forget: so this user is an administrator but he will not get permission for this; this permission is not there for him. He logs into the Azure account, he has to request for permission every time, and a person has to approve it, like his manager or a person who is basically working on the top level has to approve this, and this user will get the permission for the next two hours or three hours, based on how many hours I'm giving the permission. So what is the advantage there? Even if an attacker is able to get the access, he has to request the permission; I can verify if the user has requested permission and approve it. If the permission is not requested by the user, I can block it, right? So that's a very interesting thing, privileged access management. You see this: when you go for this, what happens is, see, I have to first of all request for something and it must be approved by the manager or a person who is basically managing it; then only I'll get the permission for the next few hours. This makes things more secure. Every cloud platform is having some kind of mechanisms like this, OK, that's it.

So the next one is... OK, I want to tell you one more thing; this is about the basics of AWS, OK, this is about the identity and access management basics. Anyway, one more thing is that, let's say for example, if you want to reuse your credentials, let's say you have an Active Directory on-premises and you want to use the same credentials, it's also possible. Identity federation is also possible in AWS. Just go to the identity providers here; let me show you that. See, I can go to the identity providers, and by using the identity providers I can simply add the providers here. I can use an Active Directory or a Facebook account or a Gmail account, or I can use all these things actually. So basically reuse the same identity, username and password, in AWS as well; that's also possible. OK, that's it. That's about the basics of AWS identity architecture. The next
thing, team, is detection. This is something which I personally found a bit complex when you go to any cloud platform, and I'll tell you the reason. When you go to the cloud platform and you see this detection, or detective controls, it can be very challenging, because unless you know how to manage these things it can give you a challenge. You can use a lot of detective controls to identify a potential security threat or incident; for example, team, we have things like AWS CloudWatch, AWS CloudTrail, plus Config, plus GuardDuty, plus Macie. A lot of services are there which can help you to provide this particular strategy. But as we always say, if you don't know what you're facing, you are not able to respond to it. More than response, the primary thing for any organization is that if there is no proper detection strategy, if you are not able to understand that a particular service is being affected, you will not be able to respond to it. So detection must be very clear. I got a very interesting picture from a website; I'll show you that. This is the best detection picture I have seen. We have tools like CloudTrail: it's a logging thing, it will help us to log all the API calls, who, when, where and all. We have a tool called CloudWatch for monitoring. We have a tool called Macie, the DLP solution. We have a tool called AWS Config for change management. We have a tool called Inspector for vulnerability assessment. Like this, you have GuardDuty, it's a kind of SIEM solution, and you have Trusted Advisor for giving advice. By having all these tools and making them respond, like what is the response: immediately notifying us and doing some triggers. By responding to these things in a proper way we will be able to have a proper detection strategy. Detection is the key: if you want to respond, you have to detect. And definitely team, now AWS is offering a lot of services; especially there's a new service called AWS Security Hub. This is not a service which can do something by itself; it will provide visibility to all these things in a single console, that's all. And you are able to integrate with third-party tools also; there are a lot of third-party tools in the market for doing all these things. Okay, that's it.

So I can give you some very simple things. In AWS you can implement a lot of detective controls by processing the logs, processing the events, continuous monitoring, continuous auditing, automated analysis, alarming things. Let's say for example there is a huge data traffic usage; you can increase your instances, you can do auto scaling there. A lot of things like that. First of all team, configure the services and application logging. Logging is something... trails and logs are both the same actually. Logging is mandatory, like for everything: for your network, for your instance, for your AWS accounts, for everything do the logging. Logging is mandatory; configure the logging throughout your workloads, including your application logs, resource logs or service logs, using services like CloudTrail, CloudWatch, GuardDuty, Security Hub. By using all these things, configuring a proper logging strategy is a very important thing.

The next thing is that, team, as we discussed previously, we have something called a multi-account strategy. In every company you will see this; you can basically keep this word actually. You can see a multi-account strategy and a multi-cloud strategy; these two things are there in every company now. Multi-account strategy means using multiple AWS accounts, and multi-cloud strategy means using multiple cloud providers. But if you keep all your log files or monitoring data and everything separately in every account, that will not give you any benefit; at the end of the day you will lose everything. To avoid that, centralize all these things to a centralized account; we can say the monitoring account, or some accounts we can create. We can centralize, or we can aggregate, all these log files, like the VPC Flow Logs, CloudTrail logs, CloudWatch logs, application logs; everything we can aggregate to a centralized account. And we must use mechanisms like AI/ML; with the help of AI/ML mechanisms, with the help of proper rules, we can analyze these things and we can detect the anomalies and unauthorized activities. Okay, that's it. And the best service for having visibility of all these things is AWS Security Hub and AWS GuardDuty and all. Okay, that's it.

And the next thing, team, is something called automate the response to events. I will give you a simple example of an automated response to an event. Let's say, team, assume that I am having an instance here, a server here. I'm not having it now, but let's simply assume that we have a server or instance running here. What is my primary challenge? I want to make sure this server is completely protected. Let's say for example this is the security group used by the instance. So assume that I am an attacker. As an attacker, what I will do is access the security group and allow a permission; I will add one more rule. Let's say I am adding a remote port number, let's say for example I am adding a port number for the database, and I am allowing all the IP addresses. That means I am making a change here, right? This change will make this whole infrastructure vulnerable, definitely. What can you do? Whenever you get notified on this, you can respond to it. I'll give an example now. Okay, tomorrow you're getting an alarm that somebody has modified a security group. You can go there manually and remove this, I know that. But if you try to do that manually and wait for that particular time, what happens? By then the attacker will gain access and do whatever he wants. So you can't wait for that particular response to happen; that is why you have to automate it. I'll give a simple example. Let's say whenever there is a change or modification happening in this particular security group by any person except the administrator, it will trigger an alarm, and this alarm will trigger a Lambda function. Lambda is compute, okay; it will trigger the Lambda function, and the Lambda function will delete the change or undo the changes that happened. Very simple. So immediately when he makes the change, within a matter of seconds the change will be reversed or undone. So automation is the key.

So the next question comes here: Krish, how do I know all these things, how do I do this automation, I'm not good at programming? See, it's not like you have to do everything. You're a security architect, or you're a security administrator, or you have a security operations expert; you have developers in your company, they can help you with this process. They can simply write your script; all you have to do is customize the script or modify the script and make it run, that's all. That's a very simple thing.

So the next thing, team, is implement actionable security events. What is implement actionable security events? I'll tell you. I want to tell you one more thing: when you talk about this automation, let's say for example in Amazon GuardDuty, it's a sound tool; if in GuardDuty you have seen there is a trigger, or there is a kind of security attack, you have to create a function to respond to it. So you don't have to do anything there; you don't have to have a human effort to do that, the script will run and do it for you. So automation is the key. And the next thing is implement
actionable security events, alerting; that's all you're talking about, alerts. Whenever something goes wrong, you get the things alerted immediately, that's all, and it must be automatically responded to. This is a simple example of the detection concepts. Okay, that's it. You can go through this picture, it's very useful actually. This is what you call detection.

The next thing, team, is infrastructure protection. This is the most important topic after identity and access management. Why? Because infrastructure protection is a very important challenge actually. I want to show you a picture of this. Let's say in our company we have something called zones. In every company we know that there is something called zones, like for example we have a public zone, we have a private zone, we have a DMZ zone. We are creating the zones, or we are segmenting, to make sure that we have a proper mechanism to secure, right? So what we can do here is, let me show you pictures here. I can create multiple sub-networks. When you say sub-networks in AWS, you're talking about zones. For example, let's say I am having an AWS account; in the AWS account we are having subnets or sub-networks, and when you say subnets, what you're talking about is the various zones. Let me give you a simple picture here to make it more clear. This is a very simple example picture, it's not a big deal honestly, very simple actually. In this picture you can see that we have a VPC here; this is my VPC. In the VPC we have production; here we have a network or a sub-network, we have zone one and we have zone two. In zone one I want to make sure that all these servers are accessible from the public; in zone two I want to make sure that these servers must not be accessible from the public. So I can have multi-layer security here. How? For example, at the VPC level we have something called a VPC firewall. Now there is a VPC firewall; we have AWS DDoS protection, AWS Shield, for protection here. After that, when you go for subnets, or when you go for zones, we have a network ACL; then when you go for the instance you have a security group. So if a person wants to attack this particular server, first of all he has to bypass the VPC firewall, then he has to bypass the network ACL, then he has to bypass the security group, then he has to bypass the OS firewall; then only he will be able to access the application. So we have actually four layers of protection here, see this; we can increase it also. So the defense-in-depth approach is very important when you talk about zoning and all. If you want to talk about zones, you must have a proper defense-in-depth approach. Okay, that's the first thing I want to tell you.

The next thing is create multiple network segments or network layers, and group them; for example, web servers must be placed in a single layer where there is internet access, and database servers must be placed in a location where there is no internet access, the communication happens only through this particular network, only this particular IP is allowed. Like the same way, I can create layers and I can control the access to the layers using various mechanisms like firewalls, third-party firewalls, then we have AWS network ACLs, then we have security groups, then we have the OS firewall. By using a lot of mechanisms like this I can control the traffic to all these layers. But it's not a big deal, it's very simple; only make sure you know how the traffic is flowing before you implement it. Just try to draw a diagram and try to visualize it in your mind, that's all. Then we have automated network protection; that means we must have a proper threat intelligence mechanism and a self-defending network. How do I do that? Implement a proper intrusion detection or prevention system to make sure that we can proactively adapt, and always make sure we inspect traffic. We have to inspect traffic. So we have to make sure that we always have a web application firewall and other mechanisms to inspect the traffic and to make sure that the traffic is properly secured. Okay, that's it. I want to tell you a few more things as part of this; definitely I'll share this presentation here.

So team, the next thing is infrastructure protection in the compute. Compute means I am talking about the server. So always make sure that the server is protected with the help of a vulnerability assessment solution, and if the server is not required to be public, make sure it is completely in a private location. Always make sure the number of servers we place on the internet is reduced; if you have more servers or more services which are facing the internet, it can give you a lot of security issues. And always use managed services. What is a managed service, team? This is the word: managed services. Whenever you see the word managed, that means it is managed by the cloud service provider, like Amazon RDS, AWS Lambda, AWS containers, ECS; all these things are managed services. And automatic protection: make a mechanism to automatically do the vulnerability assessment. And always make sure validation is mandatory; for example, verify your code properly. More than the security issues which can happen in your infrastructure, I have seen most issues happen with the code. Let's say for example, team, I have done every possible security in AWS, but if your code is vulnerable, that means your application can be compromised. Okay, that's it.

The next thing is that we have a mechanism called data protection. When you talk about the cloud platform, the most fearsome word we always have in the industry is data.
If the data is not protected, then your whole thing can be lost, right? It can affect your business, it can affect your compliance, it can affect your security, it can affect your customers, everything. The primary thing is: identify what kind of data you're handling and how to classify it, who owns it, and then how do I control it. I'll give an example, team. Many people have misunderstood the advantage of using AWS S3 and all. Now I told you we have a mechanism called IAM to ensure the security of access, so we can use IAM, plus we can have a mechanism called bucket policies. I'll give an example: I open my AWS S3 bucket here; I am having a bucket here. When I open a bucket here I can see the various options for permissions, so here I can write my bucket policy. What is a bucket policy? This bucket policy ensures who is allowed to access my bucket and in what ways. So by having a bucket policy, by having an IAM policy, by having monitoring and all, I can ensure my data is protected. And always use mechanisms like versioning. What is versioning? Whenever you make any unauthorized changes to this particular thing, you can always revert back to the previous version; that's what you call versioning. Then automate the identification and classification: automating the process of identifying it and classifying it is always a very important thing, that we know. And this is a very important thing: define the data lifecycle management. What is data lifecycle, team? Ask for the compliance requirements. Let's say for example, as per HIPAA compliance, I want to make sure that my data is there for five years. So how do I keep it for five years and how do I delete it? I have to create a policy for that. How do I create a policy? Okay, let's say this data must be there for the next 30 days in Amazon S3, and after 30 days the data must be taken to Amazon Glacier, and after five years it must be deleted. Like the same way I can define automated policies which will handle the data automatically with the lifecycle, and this is something which you can learn for a lot of years actually. Ensuring proper encryption and key management: the more effectively you are encrypting your data and managing the key files securely, the more security you can have. And definitely team, when you get time, please go to this particular service; this service is something which can be a very primary one for protecting your data. We have a service called AWS KMS; if you can learn the service called KMS, or Key Management Service... see, definitely client-side encryption is not always possible unless your company has mechanisms for that. What is client-side encryption, team? When you say client-side encryption, you're talking about the encryption that you're doing on premises: we encrypt some data and then we upload it to the cloud platform, that's what you call client-side encryption. But it's not practically feasible in every company; that is why we have a mechanism called KMS. If you know how this service works, or if you know how this service can be utilized for your data, you can do a lot of security there. By doing this in an effective manner you are getting proper data security. KMS is something which is very important, and whenever you have time, team, please go through HSM and KMS; these two things are very important in your AWS data security strategy. Okay, that's it. And it's not about implementing, it's about continuously verifying; it's not about implementing, it's about verifying. And access control: I told you about bucket policies, all right. And always use certificates to ensure that the data is encrypted in transit, and everything must be authenticated. Why? Always make sure that you have a mechanism to properly authenticate things, like you have a mechanism like TLS, SSL etc., IPsec VPN etc., for doing the authentication. Okay.

And finally, team, we have one more thing called the incident response strategy. What is the incident response strategy, team? When you say incident response strategy, it means that any unplanned event is called an incident. Any unplanned event is called an incident; there is nothing more to say. For example, let's say our system is compromised, a credential is compromised, data is compromised; all these things are called incidents, and everything is an incident, like you have modified a security group, you have modified a firewall, an instance is compromised. If you want to have a proper incident response, the primary thing is to make a proper key strategy for that. What is the key strategy, team? To make it more simple I will tell you: this is not something which you do immediately when an incident occurs; this is something which you have to do in a prepared, predefined manner. How do you anticipate, how do you respond to, or how do you recover from the incidents? Preparation is critical to timely and effectively investigate, respond to and recover from the incident. First of all, team, you have to identify the key persons, like for example who is responsible for what, what resources you want to protect, what is sensitive, what is non-sensitive, what are the legal challenges; if you don't know this you are done. What are the legal challenges, what happens if this data is compromised? All these things you must be able to know as the initial thing, and based on all these things develop a proper plan based on your company. You cannot get this plan on the internet, team; you have to make this plan based on your company. For example, let's say you know that okay, we have this data to protect; whenever there is a compromise, how to communicate, how to trigger the
escalation process, how to contact AWS, or in which case AWS will support me. All these things are something which you have to do in the incident management strategy. Then after that, the next thing is prepare for forensics. What is the difference between forensics in the cloud? No difference in the cloud; the only challenge is that the servers are under the cloud service provider's premises. Because of that there are no challenges there; what we have to do is identify and prepare for the forensic investigation, like for example what are the tools we can use for forensic purposes, and how to automate this process. So team, this is a very interesting thing. Let's say for example you feel that your server is compromised. When you feel your server is compromised, what is the first thing you have to do? Tell me: if you feel a server is compromised, what is the first thing you have to do? Isolation. Isolate it. First of all we'll isolate it, because I want to stop the spread. The same way, when you have a server here and you feel it is compromised, the first step is you will isolate it, and this can be automated also. And the next thing is the people who are handling the incident: the people who are handling the incident must have proper predefined access. Definitely reporting is also part of this particular containment process; you have to immediately start the process, and the process is something which is very important to follow. And then always make sure the people who are involved in this process are having the proper access, and tools must be there for this particular incident response. See, you can't deploy these tools after the incident, so be prepared to respond to it by enabling these tools prior to the incidents; always keep those tools in an alarm state to detect the incident. And finally, test it. Do some mock drills where you're doing some simulations to make sure that you're able to respond to things like some attacks, like pen testing scenarios and some offensive scenarios. Just try to do all these things to make sure that your infrastructure is protected. These are the key factors which you have to understand in the perspective of this overview of AWS. Okay, that's it. But definitely one more thing is there: how do we include all these things? For implementing all these things, it's not a big deal once you learn these services properly, and if you have these points in your mind you can automatically do it. For example, if I know AWS S3 security in detail, if I know IAM in detail, if I know VPC in detail, I can basically combine these together without any hassle, because it's already there; you can combine it together very easily. All you have to do is learn these things in a very simple way. For example, I told you the example of JSON: JSON is something which you don't have to learn, but when you look at it, try to read the code and try to customize something, play with it, you will be able to do it, that's all. There's no point in learning JSON or Python completely; all you want to do is make the things effective and working for you. So prepare for that, not for the other things. Okay, that's it. Thank you, team.
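Added example (not part of the webinar, and not code from the speaker or InfosecTrain): the automated response the talk describes for a security group change. CloudTrail records an AuthorizeSecurityGroupIngress call, EventBridge forwards the record to a Lambda function, and the function revokes any newly added rule that exposes a sensitive port to 0.0.0.0/0 or ::/0, leaving changes by an approved administrator alone. The sensitive port list, the admin role ARN and the sample event are assumptions made for the example; the CloudTrail field names (requestParameters.ipPermissions.items, ipRanges, ipv6Ranges, userIdentity.sessionContext.sessionIssuer) are the ones the EC2 API records.

```python
"""Automatic undo of a risky security group change (added example).

Not code from the webinar, the speaker or InfosecTrain. Flow: CloudTrail records
AuthorizeSecurityGroupIngress, EventBridge hands it to Lambda, Lambda revokes any
new rule that opens a sensitive port to the whole internet, unless an approved
administrator made the change. Port list, admin ARN and sample event are assumed.
"""
from __future__ import annotations

import ipaddress
from typing import Any

# Ports this example never allows world-open: SSH, RDP and common database ports.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}
# Changes by these principals are left alone (the "except the administrator" case). Assumed.
APPROVED_ADMIN_ARNS = {"arn:aws:iam::123456789012:role/NetworkAdmin"}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. reachable from any address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def touches_sensitive_port(perm: dict[str, Any]) -> bool:
    """True if an ipPermissions item covers a sensitive port or all traffic (protocol -1)."""
    if perm.get("ipProtocol") == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return False
    return any(lo <= port <= hi for port in SENSITIVE_PORTS)


def actor_arns(detail: dict[str, Any]) -> set[str]:
    """ARNs identifying the caller: the session ARN and, for an assumed role, the role itself."""
    ident = detail.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return {a for a in (ident.get("arn"), issuer.get("arn")) if a}


def plan_remediation(event: dict[str, Any]) -> tuple[str | None, list[dict[str, Any]]]:
    """Inspect an EventBridge-wrapped CloudTrail record and return (group_id, to_revoke),
    where to_revoke has the shape boto3's revoke_security_group_ingress(IpPermissions=...)
    takes. An empty list means the change is acceptable and nothing is undone."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None, []
    if actor_arns(detail) & APPROVED_ADMIN_ARNS:
        return None, []
    params = detail.get("requestParameters", {})
    to_revoke: list[dict[str, Any]] = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        if not touches_sensitive_port(perm):
            continue
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
              if is_world_open(r["cidrIp"])]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])
              if is_world_open(r["cidrIpv6"])]
        if not (v4 or v6):
            continue
        # Revoke only the world-open ranges; narrower ranges in the same rule stay in place.
        revoke: dict[str, Any] = {"IpProtocol": perm["ipProtocol"]}
        if perm["ipProtocol"] != "-1":
            revoke["FromPort"], revoke["ToPort"] = perm["fromPort"], perm["toPort"]
        if v4:
            revoke["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            revoke["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        to_revoke.append(revoke)
    return params.get("groupId"), to_revoke


def lambda_handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    """Lambda entry point: reverse the risky rules seconds after they are added."""
    group_id, to_revoke = plan_remediation(event)
    if group_id and to_revoke:
        import boto3  # imported here so the planning logic above runs offline
        boto3.client("ec2").revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    return {"groupId": group_id, "revoked": to_revoke}


# Constructed sample event (a CloudTrail record as delivered by EventBridge), not a real capture.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                # database port open to the world: revoke the 0.0.0.0/0 range only
                {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/8"}]}},
                # HTTPS open to the world: fine, not a sensitive port
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                # SSH from one office range: fine
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}},
                # all traffic from every IPv6 address: revoke
                {"ipProtocol": "-1", "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(plan_remediation(SAMPLE_EVENT))
```

To wire it up, an EventBridge rule with the pattern source `aws.ec2`, detail-type `AWS API Call via CloudTrail` and `detail.eventName` `AuthorizeSecurityGroupIngress` targets the function, and the function's execution role needs `ec2:RevokeSecurityGroupIngress`. Two points worth checking in your own version: the admin exemption compares the session issuer ARN as well as the session ARN, because for an assumed role CloudTrail's `userIdentity.arn` is the `arn:aws:sts::...:assumed-role/...` form rather than the role ARN; and the revoke only removes the world-open ranges, so a rule that also had a legitimate internal range keeps that range.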
Info
Channel: INFOSEC TRAIN
Views: 2,664
Id: 9BqsBTlvIAw
Length: 93min 33sec (5613 seconds)
Published: Fri Jun 04 2021