AWS Security For Enterprises

The document provides an overview agenda for a workshop on security on AWS. It outlines several topics to be covered, including: VPC design and patterns, network security tools like WAF and DDoS protection, identity and access management, logging and alerting, encryption and data protection, security automation, and the partner marketplace. It also includes a brief overview of AWS global infrastructure including 16 regions and 42 availability zones across the world.

Uploaded by

S.K. H
Copyright: © All Rights Reserved

Overview of Security on AWS
Ekta Parashar

Workshop Agenda: Security
• Overview of Security on AWS
• VPC Design and Patterns
• Network Security
  • WAF, DDoS, IDS/IPS
• Identity and Access Management
• Logging and Alerting
• Encryption and Data Protection
• Security Automation
• Partner Marketplace

Overview of Security on AWS v3.1
AWS Global Infrastructure – Region & Number of Availability Zones
16 Regions – 42 Availability Zones – 73 Edge Locations
• US East: N. Virginia (5), Ohio (3)
• US West: Oregon (3), Northern California (3)
• AWS GovCloud (2)
• Canada: Central (2)
• South America: São Paulo (3)
• EU: Ireland (3), Frankfurt (2), London (2)
• Asia Pacific: Singapore (2), Sydney (2), Tokyo (3), Seoul (2), Mumbai (2)
• China: Beijing (2)
Announced Regions: Paris, Ningxia
AWS Regions and Availability Zones

Region
• An independent collection of AWS services in a defined geographical location
• Foundation for meeting location dependent privacy and compliance requirements
• Customer has full control. AWS does not move customer’s resources
• Contains two or more Availability Zones

Availability Zone
• Distinct locations engineered to be insulated from failures in other Availability Zones
• Connected via an inexpensive, low latency network
(Diagram: one Region containing Availability Zones A, B and C)
The AWS Business Platform
(Slide: grid of AWS service categories. Top row: Marketplace, Management Tools, Analytics, Developer Tools, Artificial Intelligence, IoT, Mobile, Enterprise Applications, Game Development. Foundation rows: Security & Identity (Identity & Access Management, Key Management, Active Directory, Certificate Management, DDoS Protection, Web Application Firewall), Database (Aurora, MySQL, PostgreSQL, Oracle, SQL Server, MariaDB, NoSQL, Data Warehousing), Storage (Object Storage, Block Storage, Archive, Managed File Storage, Exabyte-scale Data Transport), Compute (Virtual Machines, Simple Servers, Web Applications, Event-driven Computing, Auto Scaling, Batch, Containers), Networking (Isolated Resources, Dedicated Connections, Global CDN, Load Balancing, Scalable DNS), Infrastructure (Regions, Availability Zones, Points of Presence). Left column: Technical & Account Management, Professional Services, Partner Ecosystem, Training & Certification, Solution Architects, Security & Pricing Reports, Migration services.)
Focus on Security & Enabling Compliance

AWS provides the same, familiar approaches to security and compliance that companies have been using for decades – with increased visibility, control, and auditability.

Visibility
• View your entire infrastructure with one click
• Deep insight with AWS CloudTrail
Control
• You have sole authority on where data is stored
• Shared responsibility model
Auditability
• 3rd party validation – certifications for workloads that matter
Physical Security of Data Centers
• Amazon has been building large-scale data centers for many years
• Important attributes:
  • Non-descript facilities
  • Robust perimeter controls
  • Strictly controlled physical access
  • 2 or more levels of two-factor auth
  • Controlled, need-based access
  • All access is logged and reviewed
  • Separation of Duties
    • employees with physical access don’t have logical privileges
Shared Security Responsibility Model

Shared Security Model
• Shared Responsibility
  – Let AWS do the heavy lifting
  – Focus on what’s most valuable to your business

AWS
• Facility operations
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualisation Infrastructure
• Hardware lifecycle management

Customer
• Choice of Guest OS
• Application Configuration Options
• Account Management flexibility
• Security Groups
• ACLs
• Identity Management
Shared Security Model: Infrastructure Services
Such as Amazon EC2, Amazon EBS, and Amazon VPC
Compliance
AWS Compliance
AWS Artifact – Self Service

For new customers reach out to your account manager to obtain compliance reports via email.
Virtual Private Cloud (VPC)

What is a Virtual Private Cloud?
• Logically isolated
• Software-defined network
• Virtual networking
• Complete control
• Secure

Overview of Virtual Private Cloud on AWS v3.1


Defining the subnets
VPC A - 10.0.0.0/16, Availability Zone A
• Public – This is where we will launch our load balancers and any server that needs a public network interface
• Private – This is where most of our servers will reside (web servers, app servers, etc).
• Sensitive – Where confidential data resides. We will use NACLs here as a second line of defense. We can also remove the default route to the NAT.


Use Network Access Control Lists to restrict internal VPC traffic
(Diagram: VPC A - 10.0.0.0/16, Availability Zone A, with subnets 10.0.32.0/20 (Public), 10.0.0.0/19 (Private) and 10.0.48.0/21 (Sensitive); Web, App, Jump and Log EC2 instances and the VPC Router)
Example NACL rule: “Deny all traffic between the Public subnet and the Sensitive subnet”


Use Network Access Control Lists for defense in depth
(Diagram: VPC A - 10.0.0.0/16, Availability Zone A, with subnets 10.0.32.0/20 (Public), 10.0.0.0/19 (Private) and 10.0.48.0/21 (Sensitive))
NACLs are optional
• Applied at subnet level, stateless, and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defense
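The following is an added example (not part of the workshop material, not AWS code) that models how a stateless NACL evaluates packets against the subnet plan on these slides: rules are checked in ascending rule-number order, the first match wins, and a custom NACL ends in an implicit deny. The subnet CIDRs are the slide's; the rule numbers, the database port 5432 and the sample addresses are constructed assumptions. It also shows why statelessness matters: a reply from the Sensitive subnet is only allowed if an outbound rule covers the client's ephemeral port.

```python
"""Model of how a stateless Network ACL evaluates traffic.

Added example for this section of the workshop; it is not AWS code. The subnet
plan comes from the slides (VPC A 10.0.0.0/16: Public 10.0.32.0/20, Private
10.0.0.0/19, Sensitive 10.0.48.0/21); the rule set, port numbers and sample
addresses are constructed assumptions for a database tier in the Sensitive subnet.
"""
import ipaddress
from dataclasses import dataclass

VPC = ipaddress.ip_network("10.0.0.0/16")
PUBLIC = ipaddress.ip_network("10.0.32.0/20")
PRIVATE = ipaddress.ip_network("10.0.0.0/19")
SENSITIVE = ipaddress.ip_network("10.0.48.0/21")


def plan_is_consistent():
    """Every subnet lies inside the VPC and no two subnets overlap."""
    subnets = [PUBLIC, PRIVATE, SENSITIVE]
    inside = all(s.subnet_of(VPC) for s in subnets)
    disjoint = all(not a.overlaps(b)
                   for i, a in enumerate(subnets) for b in subnets[i + 1:])
    return inside and disjoint


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending rule-number order
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    cidr: str        # remote CIDR: source for inbound rules, destination for outbound
    port_from: int = 0
    port_to: int = 65535

    def matches(self, proto, remote_ip, port):
        if self.protocol not in ("-1", proto):
            return False
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to


def evaluate(rules, proto, remote_ip, port):
    """First matching rule wins. A custom NACL ends with the implicit deny-all (*)
    rule, unlike the VPC's default NACL, which permits everything."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, remote_ip, port):
            return rule.action
    return "deny"


# Constructed NACL for the Sensitive subnet: the explicit deny of the Public subnet
# (rule 100) sits before the allows, so it still wins if a broader allow is added later.
SENSITIVE_INBOUND = [
    Rule(100, "deny", "-1", str(PUBLIC)),
    Rule(200, "allow", "tcp", str(PRIVATE), 5432, 5432),    # app tier -> database port
    Rule(300, "allow", "tcp", str(PRIVATE), 1024, 65535),   # replies to connections we opened
]
SENSITIVE_OUTBOUND = [
    Rule(100, "deny", "-1", str(PUBLIC)),
    Rule(200, "allow", "tcp", str(PRIVATE), 1024, 65535),   # replies back to the app tier
]


def inbound_verdict(src_ip, dst_port, proto="tcp"):
    """Verdict for a packet arriving in the Sensitive subnet."""
    return evaluate(SENSITIVE_INBOUND, proto, src_ip, dst_port)


def outbound_verdict(dst_ip, dst_port, proto="tcp"):
    """Verdict for a packet leaving the Sensitive subnet. Because NACLs are stateless,
    a reply is only allowed if an outbound rule covers the client's ephemeral port."""
    return evaluate(SENSITIVE_OUTBOUND, proto, dst_ip, dst_port)


if __name__ == "__main__":
    print("plan consistent:", plan_is_consistent())
    print("public -> db   :", inbound_verdict("10.0.32.10", 5432))   # deny (rule 100)
    print("app -> db      :", inbound_verdict("10.0.1.20", 5432))    # allow (rule 200)
    print("db reply -> app:", outbound_verdict("10.0.1.20", 40000))  # allow (rule 200 out)
    print("db -> app:443  :", outbound_verdict("10.0.1.20", 443))    # deny (no rule)
```

The ordering matters: if the deny for the Public subnet were numbered above an allow that happened to cover the same traffic, the allow would win, which is why the explicit deny is placed at the lowest rule number.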

Integrating your VPC with your existing infrastructure
(Diagram: VPC A - 10.0.0.0/16 alongside “Your premises”)

The next slides reuse one reference diagram: VPC A - 10.0.0.0/16 in Availability Zone A, with the labels grouped as they appear on the slide: Public subnet 10.0.32.0/20 (NAT, Elastic Load Balancer), Private subnet 10.0.0.0/19 (Web and App EC2 instances, VPC Router) and Sensitive subnet 10.0.48.0/21 (Jump and Log EC2 instances), connected to “Your premises” in successive ways:
• Add a Virtual Private Gateway to route your traffic to your premises
• You can create multiple IPSEC tunnels to your own VPN endpoints (Customer Gateway on your premises, Virtual Private Gateway in the VPC)
• You can also connect privately using AWS Direct Connect
• You can also create VPNs over Direct Connect if required
• You can route VPC Internet connections through your own gateways


VPC Network Security Control – Traffic Flow
(Diagram: VPC 10.1.0.0/16 with two subnets. Subnet 10.1.1.0/24 holds EC2 instance 1 (10.1.1.6) and EC2 instance 2 (10.1.1.7); subnet 10.1.10.0/24 holds EC2 instance 3 (10.1.10.20). Each instance has a Security Group evaluated In and Out; each subnet has a Network ACL evaluated In and Out and its own Route Table on the Virtual Router, which connects to the Internet Gateway and the Virtual Private Gateway.)
VPC Patterns - Single Large VPC
Analogous to a traditional data center
(Diagram: one VPC holding WEB, APP, DB and CORE SERVICES tiers across UAT, SIT and DEV, with a single link to the Direct Connect locations)

Pros
• Aligned with existing data center concept, allows Enterprises to easily accept virtual DC concept
• Allows for Rapid Deployment requiring minimal incremental involvement from Network group
• Single Direct Connect integration point

Cons
• Complex operational management where multiple teams are delegated access to VPC
• Complex security management, IAM Policies, Security Groups and NACLs are common
• Higher chance of reaching VPC limits more quickly
• Security blast radius, common security and network controls
• Need to plan capacity requirements, “get it right first time”
VPC Patterns - Multiple VPCs by Classification
Segregated based on information classification level
(Diagram: separate CONFIDENTIAL, INTERNAL and UNRESTRICTED VPCs, each linked to the Direct Connect locations)

Pros
• Clear boundaries of security control are established based on data classification
• Security assessment policies can be adapted based on classification

Cons
• Complex operational management where multiple teams are delegated access to VPC
• Complex security management, IAM Policies are common
• Large blast-radius for incremental changes
• No segregation between environments, development and production co-exist
VPC Patterns - Multiple VPCs by Workload
Segregated based on application or workload
(Diagram: separate ECOMMERCE, PAYMENT GW, INTRANET and COMMON SERVICES VPCs, peered and linked to the Direct Connect locations)

Pros
• Able to scale by adding VPCs for new workloads
• Delegate VPC configuration to different LOB
• Security policies can be adapted based on application
• Easier separation of applications, thus highly limiting the blast radius of changes
• Support for common core services across applications
• Supports highly automated and streamlined process within each LOB

Cons
• Accountability and responsibility needs to be enforced when setting up inter-VPC peering
• Increased network routing complexity across peered VPCs
• Multiple Direct Connect virtual interfaces required to corporate data centers
VPC Patterns - Multiple VPCs by Environment
Segregated based on environment type
(Diagram: separate PRODUCTION, SIT, UAT and DEVELOPMENT VPCs, each linked to the Direct Connect locations)

Pros
• Delegate access control and VPC configuration to different teams based on environment
• Easier separation of environments, thus limiting the blast radius of changes
• Separation of security controls across environments
• Security assessment policies can be based on environment
• Supports strong segregation of duties by environment

Cons
• Complex operational management where multiple teams are delegated access to VPC
• Complex security management, IAM policies are common
• Complex tagging processes required for billing
• Limited expansion space, “get it right first time” or add multiple environment VPCs
VPC Patterns - Multiple VPCs and Accounts
Segregated based on environment type, across multiple AWS accounts
(Diagram: PRODUCTION, SIT, UAT and DEVELOPMENT VPCs, each in its own AWS account, each linked to the Direct Connect locations)

Pros
• Delegate access control and VPC configuration to different teams based on environment
• Easier separation of environments, thus limiting the blast radius of changes
• Separation of security controls across accounts and environments
• Security assessment policies can be based on environment
• Supports strong segregation of duties by environment

Cons
• Limited expansion space, “get it right first time” or add multiple environment VPCs
• Availability Zone mapping
Identity & Access Management (IAM)

User Access (IAM)
• With AWS IAM you get to control who can do what in your AWS environment and from where
• Fine-grained control of your AWS cloud with two-factor authentication
• Integrated with your existing corporate directory using SAML 2.0 and single sign-on
(Diagram: the AWS account owner delegating network management, security management, server management and storage management)
AWS API Logging: Amazon CloudTrail

You are making API calls... on a growing set of services around the world… CloudTrail is continuously recording API calls… and delivering log files to you.

Amazon CloudTrail Partners
(Slide: partner logos)
What is AWS CloudWatch Logs

• CloudWatch Logs lets you monitor and troubleshoot your systems and applications using your application or system logs.
• CloudWatch Logs can be used to monitor your logs for specific phrases, values, or patterns.
• Consume logs from instances with CloudWatch Logs agent
• Set alarms and view graphs
• Configurable retention period

Design Logging and Alerting on AWS Workshop v3.1

What is Amazon VPC Flow Logs

• You can enable VPC Flow Logs to capture information about the IP traffic going to and from network interfaces in your VPC.
• Flow log data is stored using Amazon CloudWatch Logs, batched approximately every 10 minutes.
• In addition to troubleshooting, you can use VPC Flow Logs as a security tool to monitor the traffic that is reaching your instance.

Example: VPC Flow Logs Record

• Inbound SSH connection allowed

2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
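As an added example (not part of the workshop deck), the parser below splits version 2 flow log records into named fields and flags accepted inbound SSH, which is what the record above shows. The first sample record is the slide's; the other three are constructed to cover the reply flow (source port 22, not a new inbound connection), a rejected attempt, and a NODATA record whose address fields are dashes. The instance CIDR 172.168.1.0/24 is an assumption taken from the slide's addresses.

```python
"""Parse VPC Flow Log records and flag accepted inbound SSH connections.

Added example, not part of the workshop material. The first sample record is the
one shown on the slide; the remaining records are constructed (a reply flow, a
rejected attempt and a NODATA record) to exercise the edge cases.
"""
import ipaddress

# Field order of a version 2 (default format) flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: slide record first, then reply, reject and NODATA records.
SAMPLE_RECORDS = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 172.168.1.11 172.168.1.12 22 20641 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 203.0.113.9 172.168.1.11 40022 22 6 1 60 1438530010 1438530070 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1438530010 1438530070 - NODATA
"""


def parse_record(line):
    """Split one record into a dict; '-' (used in NODATA/SKIPDATA records) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def is_inbound_ssh_accept(rec, instance_cidr):
    """True for an accepted TCP (protocol 6) flow to port 22 on an address inside
    instance_cidr. The reverse flow (source port 22) is the server's reply and is
    deliberately not counted as a second connection."""
    if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
        return False
    if rec["protocol"] != 6 or rec["dstport"] != 22:
        return False
    return ipaddress.ip_address(rec["dstaddr"]) in ipaddress.ip_network(instance_cidr)


def find_ssh_accepts(text, instance_cidr="172.168.1.0/24"):
    """Return (source, destination, bytes) for every accepted inbound SSH flow."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            if is_inbound_ssh_accept(rec, instance_cidr):
                hits.append((rec["srcaddr"], rec["dstaddr"], rec["bytes"]))
    return hits


def count_rejects_by_source(text):
    """Rejected flows per source address: a cheap signal for scanning against the ENI."""
    counts = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            if rec["action"] == "REJECT":
                counts[rec["srcaddr"]] = counts.get(rec["srcaddr"], 0) + 1
    return counts


if __name__ == "__main__":
    print(find_ssh_accepts(SAMPLE_RECORDS))
    print(count_rejects_by_source(SAMPLE_RECORDS))
```

The same logic ported to a CloudWatch Logs metric filter would be the alerting rule; in that setting the NODATA and reply-flow cases are exactly the records that produce false positives if the filter matches on port 22 anywhere in the line.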

What is a Config Rule

A rule that checks the validity of configurations recorded

• AWS-managed rules
  • Defined by AWS
  • Require minimal (or no) configuration
  • Rules are maintained by AWS
• Customer-managed rules
  • Authored by you using AWS Lambda
  • Rules execute in your account
  • You maintain the rule

AWS Config Rules
Compliance guideline | Action if non-compliance
All EBS volumes should be encrypted | Encrypt volumes and alert operations team
Instances must be from a specific approved AMI | Terminate instance and notify build team
Instances must be tagged with environment type | Flag as non-compliant but take no further action
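An added example (not AWS code) of the evaluation logic a customer-managed rule would run for the three guidelines in the table. It follows the event shape Config passes to a rule's Lambda function (the configuration item arrives JSON-encoded in invokingEvent), but returns the evaluations instead of reporting them with PutEvaluations so it runs offline. The configuration items are constructed and trimmed to the attributes read; APPROVED_AMIS and the Environment tag key are placeholder values you would pass as rule parameters.

```python
"""Evaluation logic for the three compliance guidelines in the table above, written the
way a customer-managed Config rule's Lambda function would evaluate them.

Added example, not AWS code. The configuration items are constructed and trimmed to
the attributes the checks read; APPROVED_AMIS and REQUIRED_TAG are placeholder values
you would supply as rule parameters. Reporting back to Config (the PutEvaluations
call with the event's resultToken) is left out so this runs offline.
"""
import json

APPROVED_AMIS = {"ami-PLACEHOLDER-golden-1", "ami-PLACEHOLDER-golden-2"}  # placeholders
REQUIRED_TAG = "Environment"  # assumed tag key for "environment type"


def check_ebs_encrypted(item):
    return "COMPLIANT" if item["configuration"].get("encrypted") is True else "NON_COMPLIANT"


def check_approved_ami(item):
    return "COMPLIANT" if item["configuration"].get("imageId") in APPROVED_AMIS else "NON_COMPLIANT"


def check_environment_tag(item):
    # An empty tag value counts as untagged.
    return "COMPLIANT" if item.get("tags", {}).get(REQUIRED_TAG) else "NON_COMPLIANT"


# (rule name, resource type it applies to, evaluator, remediation from the table)
RULES = [
    ("ebs-volumes-encrypted", "AWS::EC2::Volume", check_ebs_encrypted,
     "encrypt volume and alert operations team"),
    ("instance-from-approved-ami", "AWS::EC2::Instance", check_approved_ami,
     "terminate instance and notify build team"),
    ("instance-tagged-with-environment", "AWS::EC2::Instance", check_environment_tag,
     "flag as non-compliant, no further action"),
]


def evaluate_item(item):
    """One evaluation per rule that applies to the item's resource type."""
    results = []
    for name, resource_type, evaluator, remediation in RULES:
        if item["resourceType"] != resource_type:
            continue
        compliance = evaluator(item)
        results.append({
            "rule": name,
            "resourceId": item["resourceId"],
            "compliance": compliance,
            "remediation": remediation if compliance == "NON_COMPLIANT" else None,
        })
    return results


def lambda_handler(event, context=None):
    """Entry point in the shape Config uses: the configuration item arrives JSON-encoded
    inside event["invokingEvent"]. Returns the evaluations instead of calling PutEvaluations."""
    invoking_event = json.loads(event["invokingEvent"])
    return evaluate_item(invoking_event["configurationItem"])


# Constructed configuration items (trimmed to what the checks need).
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example1",
     "tags": {}, "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example2",
     "tags": {"Environment": "prod"}, "configuration": {"imageId": "ami-PLACEHOLDER-golden-1"}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example3",
     "tags": {"Name": "untagged-build"}, "configuration": {"imageId": "ami-PLACEHOLDER-unknown"}},
]


def sample_event(item):
    """Build an event in the shape Config sends to a custom rule (constructed)."""
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": "{}", "resultToken": "placeholder-token"}


if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(json.dumps(lambda_handler(sample_event(item)), indent=2))
```

The remediation column is carried as data so the same evaluation can feed a notification or an automated action; keeping the "terminate" action out of the evaluator itself is deliberate, since a rule that evaluates and destroys in one step cannot be dry-run.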
Penetration Testing
• AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities (these scans do not include customer instances).
• External vulnerability threat assessments are performed regularly by independent security firms. Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership.
• Customers can request permission to conduct scans of their cloud infrastructure or use pre-approved marketplace scanning products.
Amazon Inspector

• Vulnerability Assessment Service
• Built from the ground up to support the DevOps model
• Automatable via APIs
• AWS context aware
• Static & dynamic telemetry
• Integrated with CI/CD tools
• On-demand pricing model
• CVE & CIS rules packages
• AWS AppSec best practices
What is the AWS WAF Security Automations Solution?
AWS WAF is a web application firewall that enables customers to quickly create custom, application-specific rules that block common attack patterns that can affect application availability, compromise security, or consume excessive resources.

The AWS WAF Security Automations solution enables customers to easily deploy preconfigured protections using AWS WAF and AWS CloudFormation. Once the solution is deployed, AWS WAF will begin inspecting web requests to the user’s existing Amazon CloudFront distributions, and block them when applicable.
Protective Capabilities
This solution is designed to protect web applications from the following common attack types:
• Bots and scrapers: Identifies and blocks bad bots and content scrapers that bypass restrictions (defined in your robots.txt file).
• SQL injection: Blocks web requests that contain potentially malicious SQL code designed to compromise an application’s database.
• Cross-site scripting (XSS): Inspects commonly exploited elements of incoming requests to help block XSS attacks, protecting users from malicious client-side scripts.
• HTTP floods: Identifies IP addresses that send requests over a defined threshold (in an attempt to flood backend resources), and then automatically updates your AWS WAF rules to block subsequent requests from those IP addresses.
• Scanners and probes: Creates an AWS Lambda function that parses Amazon CloudFront access logs, counts the number of bad requests from unique source IP addresses, and updates AWS WAF to block further vulnerability scans from those addresses.
• Known attacker origins (IP reputation lists): Pulls data from third-party reputation lists to help you block requests from known malicious IP addresses.
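The log-parsing half of the "scanners and probes" and "HTTP floods" protections, as an added example (not the AWS WAF Security Automations code): it reads CloudFront access logs using the #Fields header for column names, counts 4xx responses and total requests per client address, and returns the addresses that cross either threshold in the /32 CIDR form a WAF IP set expects. The log lines, addresses and thresholds are constructed assumptions; 5xx responses are origin failures and are deliberately not counted against the client, and malformed lines are skipped rather than crashing the parser.

```python
"""Pick source IPs to block from CloudFront access logs, the way the "scanners and
probes" and "HTTP floods" protections described above work.

Added example; it is not the AWS WAF Security Automations code. The log lines are
constructed in the standard CloudFront access log layout (tab-separated values under
a "#Fields:" header); the thresholds and the client addresses are assumptions.
"""
from collections import Counter

FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
          "x-edge-result-type x-edge-request-id")


def _log_line(ip, uri, status):
    """Build one constructed access log line in the header's field order."""
    return "\t".join(["2017-06-01", "10:00:01", "LHR3", "512", ip, "GET",
                      "d111111abcdef8.cloudfront.net", uri, str(status), "-",
                      "Mozilla/5.0", "-", "-", "Hit" if status == 200 else "Error",
                      "request-id-placeholder"])


def build_sample_log():
    """Constructed log: a normal visitor, a probing client and a single flooding client."""
    lines = ["#Version: 1.0", "#Fields: " + FIELDS]
    lines += [_log_line("203.0.113.5", "/index.html", 200)] * 3      # ordinary visitor
    lines += [_log_line("203.0.113.5", "/old-page", 404)]            # one stale link, fine
    for uri in ("/wp-login.php", "/phpmyadmin/", "/.env", "/admin/", "/backup.zip"):
        lines.append(_log_line("203.0.113.77", uri, 404))            # probing for apps we don't run
    lines += [_log_line("198.51.100.9", "/search", 200)] * 120       # one client, 120 hits
    lines.append("garbage line that should be skipped")
    return "\n".join(lines)


def parse_cloudfront_log(text):
    """Yield one dict per data line, naming columns from the #Fields header.
    Lines with the wrong column count are skipped instead of aborting the run."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def find_offenders(text, bad_request_threshold=5, request_threshold=100):
    """Map client IP to the reasons it crossed a threshold. 4xx responses are the
    "bad requests" a scanner leaves behind; 5xx are origin failures and are not
    held against the client."""
    requests, bad = Counter(), Counter()
    for rec in parse_cloudfront_log(text):
        requests[rec["c-ip"]] += 1
        if rec["sc-status"].startswith("4"):
            bad[rec["c-ip"]] += 1
    offenders = {}
    for ip, total in requests.items():
        reasons = []
        if bad[ip] >= bad_request_threshold:
            reasons.append("scanner-probe")
        if total >= request_threshold:
            reasons.append("http-flood")
        if reasons:
            offenders[ip] = reasons
    return offenders


def to_ip_set_entries(offenders):
    """WAF IP sets take CIDR strings; single hosts become /32 entries."""
    return sorted(f"{ip}/32" for ip in offenders)


if __name__ == "__main__":
    found = find_offenders(build_sample_log())
    print(found)
    print(to_ip_set_entries(found))
```

In the deployed solution the counting window and the thresholds are what tune the false-positive rate; the ordinary visitor with a single 404 stays below the scanner threshold, which is the case worth checking whenever the threshold is lowered.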
WAF Types Commonly Seen

Pure Play WAF: Imperva*, Alert Logic, Barracuda*, Qualys*
CDN WAF: Akamai Kona, CloudFlare**, EdgeCast, Incapsula**, LeaseWeb
Load Balancer WAF: F5 Networks*, Citrix*, Barracuda*
UTM WAF: Sophos*, Fortinet*

* Denotes a WAF that is available from the AWS Marketplace
** Denotes advertised product in AWS Marketplace from technology partner
Co-opetition: AWS WAF and Marketplace Offerings

AWS WAF
• Applies only to Amazon CloudFront
• Cloud based protection
• Self-service, easy deployment, pay as you go
• Automatically scales with traffic
• DevOps friendly
• “Do it yourself”

Marketplace WAFs
• Software run on EC2 instances
• Managed service, licensing (BYOL), and hourly based
• Requires additional configuration to scale
• Feature rich w/automatic learning
• Requires additional work to deploy & scale
CloudFront without WAF
(Diagram: legitimate users, hackers (SQL injection, XSS, other attacks) and bad bots (scraping) all send traffic to a CloudFront edge location, which forwards it to the origin: S3 origin storage and/or an ELB in front of EC2 origin servers, and/or the customer’s on-premises environment.)
All requests are passed through, including malicious traffic

Traditional WAF Deployment – ELB Sandwich
(Diagram: same sources; the CloudFront edge location forwards to an ELB, then to WAF instances on EC2, then to a second ELB in front of the EC2 origin servers; origin storage and the on-premises environment sit behind the WAF.)
WAF on EC2 in an ELB sandwich, added complexity and latency

CloudFront with AWS WAF
(Diagram: same sources; AWS WAF is evaluated at the CloudFront edge location before requests reach S3, the ELB/EC2 origin, or the on-premises environment.)
Malicious traffic is blocked by WAF rules at edge locations

Speaker notes:
- can be custom origin
- can be static and dynamic content
- show the other on premises + S3
DDoS – AWS Shield

AWS Shield
• Standard Protection: Available to ALL AWS customers at no additional cost
• Advanced Protection: Paid service that provides additional, comprehensive protections from large and sophisticated attacks

AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• AWS bill protection
• 24x7 access to DDoS Response Team
• Attack notification and reporting
Considerations on key management…

• Where are keys stored?
  • Hardware you own?
  • Hardware the cloud provider owns?
• Where are keys used?
  • Client software you control?
  • Server software the cloud provider controls?
• Who can use the keys?
  • Users and applications that have permissions?
  • Cloud provider applications you give permissions?
• What assurances are there for proper security around keys?

Design Encryption and Data Protection v3.1


What is AWS Key Management Service

• Managed service that simplifies creation, control, rotation, usage policies, and use of encryption keys in your applications
• Integrated with Amazon CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
• Available in all commercial regions (except China)

What services work with AWS Key Management Service (KMS)

• Integrated with AWS server-side encryption
  • S3, EBS, RDS, CloudTrail, SES, Amazon Aurora, Amazon Redshift, Amazon WorkSpaces, Amazon WorkMail, and Amazon Elastic Transcoder
• Integrated with AWS client-side encryption
  • AWS SDKs, S3 encryption client, EMRFS client, and DynamoDB encryption client

Alternatives to KMS

• AWS CloudHSM
• AWS Partner Solutions
• On-premise solutions

What is AWS CloudHSM

• Tamper-resistant, customer-controlled hardware security module within your VPC
• Industry-standard SafeNet Luna devices. NIST FIPS 140-2 validated and designed to meet Common Criteria EAL4+
• No access to HSM cryptographic partition by Amazon, who will manage and monitor the health of the physical HSM appliance
• You can use CloudHSM for transparent data encryption on self-managed databases (Oracle Database 11g, Microsoft SQL Server 2008 and 2012)
• Amazon Relational Database Service (RDS) for Oracle Database and Amazon Redshift can be configured to store master keys in CloudHSM instances.

AWS Partner Encryption Solutions

• You can browse, test, and buy encryption and key management solutions via the AWS Marketplace
• Pricing models vary: pay-by-the-hour, monthly, or annual
• The software fees are simply added to your AWS bill
• Some solutions offer a bring-your-own-license option

Other Common Encryption Solutions

• There are a number of popular or open source solutions that can be used:
  • Loop-AES
  • dm-crypt LUKS
  • eCryptfs
  • EncFs
  • Encrypted File System (EFS)
  • BitLocker

Comparing KMI Solutions
(Columns: AWS KMS | AWS CloudHSM | AWS Marketplace Partner Solutions | DIY)
• Where keys are generated and stored: AWS | In AWS, on an HSM that you control | Your network or in AWS | Your network or in AWS
• Where keys are used: AWS services or your applications | AWS or your applications | Your network or your EC2 instance | Your network or your EC2 instance
• How to control key use: Policy you define; enforced by AWS | Customer code + SafeNet APIs | Vendor-specific management | Config files, vendor-specific management
• Responsibility for performance/scale: AWS | You | You | You
• Integration with AWS services?: Yes | Limited | Limited | Limited
• Pricing model: Per key/usage | Per hour | Per hour/per year | Variable

Encryption in Transit


Encryption in Transit

• Two topics:
  • Between your corporate network and the VPC
    • Virtual Private Networks (VPN)
  • Between applications to your apps’ end-users
    • TLS certificates

Encryption in Transit

• Between your corporate network and the VPC
  • Virtual Private Networks (VPN)
    • You can create an IPsec, hardware VPN connection between your corporate network and your VPC (Virtual Private Cloud)
    • You can combine AWS Direct Connect with an AWS hardware VPN connection to create an IPsec-encrypted connection over the dedicated private connection.
  • Alternatively, you can create a VPN connection to an Amazon EC2 instance in your VPC that's running VPN software.
    • Visit the AWS Marketplace for vendor VPN solutions.

Example: Multiple VPN Connections
(Diagram slide)

What is SSL/TLS

• SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates are used to secure network communications and establish the identity of websites over the Internet.
• The protocol uses an X.509 certificate (TLS server certificate) to authenticate both the client and the back-end application.
• You can terminate TLS connections on your Amazon EC2 instances, your Amazon Elastic Load Balancers, and Amazon CloudFront.
• Note: SSL is a deprecated protocol

What is AWS Certificate Manager

• AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy TLS certificates for use with Amazon Elastic Load Balancer or Amazon CloudFront distribution.
• With ACM, there is no additional charge for provisioning TLS certificates.
• ACM manages the renewal process of TLS certificates and deploys renewed certificates to your AWS resources.
• Certificates provided by ACM are verified by Amazon’s certificate authority (CA), Amazon Trust Services (ATS).
(Diagram slide)

What is Amazon Elastic Load Balancer

• Amazon ELB provides integrated certificate management and TLS decryption allowing you to centrally manage the TLS settings of the load balancer and offload CPU intensive work from your instances.

TLS options with Amazon ELB

• HTTPS to the Elastic Load Balancer (Terminate TLS), HTTP to EC2: encrypted from the client to the load balancer, unencrypted from the load balancer to the instance inside its Security Group
• HTTPS to the Elastic Load Balancer (Terminate TLS & Re-negotiate), HTTPS to EC2: encrypted on both legs, with a separate TLS session from the load balancer to the instance
• TCP Pass Through (no termination), HTTPS end to end: the load balancer forwards the encrypted stream and TLS is terminated on the EC2 instance

TLS with Amazon CloudFront

• You can configure CloudFront to deliver content securely over HTTPS from all of CloudFront’s edge locations
• In addition to delivering securely from the edge, you can also configure CloudFront to use HTTPS connections for origin fetches so that your data is encrypted end-to-end from your origin to your end users.

AWS Marketplace Network/Security Partner Ecosystem
(Slide: partner logos, including SaaS offerings, grouped by category: Infrastructure Security, Logging and Monitoring, Identity and Access Control, Configuration and Vulnerability Analysis, Data Protection)
More secure in the cloud

“We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers.”

Rob Alexander - CIO, Capital One

THANK YOU