amazon-web-services-korea
December 4, 2014 | Korea
AWS Security Feature Update
이종남, AWS Professional Services
re:Cap
http://youtu.be/OEK7mHn4JLs
http://www.slideshare.net/AmazonWebServices/sec201-aws-security-keynote-address-aws-reinvent-2014
http://youtu.be/IT-krK_wI3o
http://www.slideshare.net/AmazonWebServices/sec311-architecting-for-endtoend-security-in-the-enterprise-aws-reinvent-2014
http://youtu.be/mGZZ20wxjrg
http://www.slideshare.net/marknca/updating-security-operations-for-the-cloud-41657619
http://youtu.be/zP5giSxe8fM
http://www.slideshare.net/AmazonWebServices/sec315-new-launch-get-deep-visibility-into-resource-configurations-aws-reinvent-2014
http://youtu.be/nzSrRvADh6g
http://www.slideshare.net/AmazonWebServices/sec404-incident-response-in-the-cloud-aws-reinvent-2014
http://youtu.be/gT6djiVrJxs
http://www.slideshare.net/AmazonWebServices/sec405-enterprise-cloud-security-via-devsecops-aws-reinvent-2014
http://youtu.be/fIqVS0mI83w
http://www.slideshare.net/AmazonWebServices/sec202-closing-the-gap-moving-critical-regulated-workloads-to-aws-aws-reinvent-2014
https://www.youtube.com/watch?v=BJprWgompq0
http://www.slideshare.net/AmazonWebServices/sec306-turn-on-cloudtrail-log-api-activity-in-your-aws-account-aws-reinvent-2014
https://www.youtube.com/watch?v=LUGe0lofYa0
http://www.slideshare.net/AmazonWebServices/sec308-navigating-pci-compliance-in-the-cloud-aws-reinvent-2014
https://www.youtube.com/watch?v=0zJuULHFS6A
http://www.slideshare.net/AmazonWebServices/sec302-delegating-access-to-your-aws-environment-aws-reinvent-2014
https://www.youtube.com/watch?v=0WI5sirOvco
http://www.slideshare.net/AmazonWebServices/sec303-mastering-access-control-policies-aws-reinvent-2014
https://www.youtube.com/watch?v=debJ3o5w0MA
http://www.slideshare.net/AmazonWebServices/sec304
https://www.youtube.com/watch?v=ZhvXW-ILyPs
http://www.slideshare.net/AmazonWebServices/sec305-iam-best-practices-aws-reinvent-2014
https://www.youtube.com/watch?v=kBCbz7L52-Q
http://www.slideshare.net/AmazonWebServices/sec309-amazon-vpc-configuration-when-least-privilege-meets-the-penetration-tester-aws-reinvent-2014
https://www.youtube.com/watch?v=Y3uSYpFJVvQ
http://www.slideshare.net/AmazonWebServices/sec310-integrating-aws-with-external-identity-management-aws-reinvent-2014
https://www.youtube.com/watch?v=JbmJ4BSpNqE
http://www.slideshare.net/AmazonWebServices/sec403-building-aws-partner-applications-using-iam-roles-aws-reinvent-2014
https://www.youtube.com/watch?v=OT2y3DzMEmQ
http://www.slideshare.net/AmazonWebServices/sec307-building-a-ddosresilient-architecture-with-amazon-web-services-aws-reinvent-2014
https://www.youtube.com/watch?v=WUQNeMhkaco
http://www.slideshare.net/AmazonWebServices/sec402-intrusion-detection-in-the-cloud-aws-reinvent-2014
https://www.youtube.com/watch?v=bqIYI3mDsd4
http://www.slideshare.net/AmazonWebServices/sec301-encryption-and-key-management-in-aws-aws-reinvent-2014-41572090
https://www.youtube.com/watch?v=8AODa_AazY4
http://www.slideshare.net/AmazonWebServices/sec316-ssl-with-amazon-web-services-aws-reinvent-2014-41572311
https://www.youtube.com/watch?v=0kWpm1FyG_Q
http://www.slideshare.net/AmazonWebServices/sec406-new-launch-building-secure-applications-with-aws-key-management-service-aws-reinvent-2014
Solution adopted by major healthcare providers
• Working "to achieve military-grade security in commercial facilities"
(Slide labels: "effective access" vs. "ineffective access")
Singapore MTCS
{
  "configurationItems": [
    {
      …
      "relationships": [
        {
          "resourceType": "AWS::EC2::NetworkInterface",
          "resourceId": "eni-f097eca9",
          "relationshipName": "Contains NetworkInterface"
        },
        {
          "resourceType": "AWS::EC2::SecurityGroup",
          "resourceId": "sg-9ddbb9f8",
          "relationshipName": "Is associated with SecurityGroup"
        },
        …
        {
          "resourceType": "AWS::EC2::Subnet",
          "resourceId": "subnet-62dde924",
          "relationshipName": "Is contained in Subnet"
        },
        {
          "resourceType": "AWS::EC2::Volume",
          "resourceId": "vol-122ede1d",
          "relationshipName": "Is attached to Volume"
        },
        {
          "resourceType": "AWS::EC2::VPC",
          "resourceId": "vpc-ba9072df",
          "relationshipName": "Is contained in Vpc"
        }
      ],
      "arn": "arn:aws:ec2:us-west-2:350616417307:instance/i-7a220375",
      "version": "1.0",
      "configurationItemMD5Hash": "f62b29193af10e25f713ba6f746de8b1"
    }
  ]
}
AWS CloudTrail

AWS Config vs. AWS CloudTrail
  What is recorded
    AWS Config: configuration of managed resources (Resource Configuration)
    AWS CloudTrail: user activity (User Activity)
  Use cases
    AWS Config:
      • Detect the current configuration of resources
      • Manage the relationships between resources
      • Audit configuration changes and troubleshoot
    AWS CloudTrail:
      • Security analysis, such as detecting patterns in user activity
      • Track the change history of AWS resources
      • Resolve operational issues
      • Regulatory compliance
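The "manage the relationships between resources" use case, as an added example that is not from the deck or from AWS: it parses items in the AWS Config configuration-item layout shown above (constructed sample, made-up ids), builds a two-way relationship graph and walks it to list everything within a given number of hops of a resource, e.g. the blast radius of one security group.

```python
import json
from collections import defaultdict, deque

# Constructed sample in the AWS Config configuration-item layout shown above;
# every id here is made up, and fields the walk does not use are omitted.
SAMPLE_ITEMS = json.loads("""[
 {"resourceType": "AWS::EC2::Instance", "resourceId": "i-aaaa0001", "relationships": [
   {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-bbbb0001",
    "relationshipName": "Is associated with SecurityGroup"},
   {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-cccc0001",
    "relationshipName": "Is contained in Subnet"}]},
 {"resourceType": "AWS::EC2::Instance", "resourceId": "i-aaaa0002", "relationships": [
   {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-bbbb0001",
    "relationshipName": "Is associated with SecurityGroup"},
   {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-dddd0002",
    "relationshipName": "Is attached to Volume"}]},
 {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-cccc0001", "relationships": [
   {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-eeee0001",
    "relationshipName": "Is contained in Vpc"}]}
]""")

def build_relationship_graph(items):
    """Map (resourceType, resourceId) -> {(relationshipName, resourceType, resourceId)}.
    Edges go both ways, so a query works for resources whose own item was not fetched."""
    graph = defaultdict(set)
    for item in items:
        src = (item["resourceType"], item["resourceId"])
        graph[src]  # register the resource even if it has no relationships
        for rel in item.get("relationships", []):
            dst = (rel["resourceType"], rel["resourceId"])
            graph[src].add((rel["relationshipName"], *dst))
            graph[dst].add(("reverse of: " + rel["relationshipName"], *src))
    return graph

def related_resources(graph, resource_type, resource_id, max_hops=1):
    """Breadth-first walk: every resource within max_hops of the start resource,
    returned as sorted (resourceType, resourceId) pairs without the start itself."""
    start = (resource_type, resource_id)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_hops:
            continue
        for _, rtype, rid in graph.get(node, ()):
            if (rtype, rid) not in seen:
                seen.add((rtype, rid))
                queue.append(((rtype, rid), depth + 1))
    seen.discard(start)
    return sorted(seen)
```

With the sample above, one hop from sg-bbbb0001 yields the two instances, and three hops reach the VPC through instance, subnet and VPC links.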
(Diagram: Customer Master Key(s) wrap separate data keys, Data Key 1 to Data Key 4, for an Amazon S3 object, an Amazon EBS volume, an Amazon Redshift cluster and a custom application.)
(Diagram: AWS Key Management Service. An application or AWS service calls AWS KMS; the master key(s) stay in the customer's account; KMS returns a data key plus an encrypted data key, and the data key is used to produce the encrypted data.)
1. The application or AWS service requests an encryption key to encrypt its data, passing a reference to a master key in the account.
2. KMS verifies that the client request is authorised to use that master key.
3. KMS generates a new data encryption key and encrypts it with the master key.
4. KMS returns the pair of the data key and the encrypted data key to the client. The data key is used to encrypt the customer's data and then discarded immediately.
5. The encrypted data key is stored for later; when the original data has to be decrypted, it is sent to AWS KMS, which decrypts the data key.
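The five steps above, as an added example that is not AWS code and does not call the real service: a hypothetical FakeKms class stands in for AWS KMS (master keys never leave it, and a key policy gates every call, which is step 2), while envelope_encrypt and envelope_decrypt play the application side. Assumptions: the cipher is a standard-library HMAC-SHA256 keystream with an HMAC tag, used only so the block runs offline; a real deployment would use AES-GCM, and the envelope pattern is unchanged.

```python
import base64, hashlib, hmac, json, os

# Stand-in authenticated cipher built from the standard library only (HMAC-SHA256
# keystream + HMAC tag); real code would use AES-GCM, the envelope pattern is the same.
def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))

def _seal(key, plaintext):                  # -> nonce(16) || ciphertext || tag(32)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key + b"enc", nonce, len(plaintext))))
    return nonce + ct + hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()

def _open(key, sealed):
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key + b"enc", nonce, len(ct))))

class FakeKms:
    """Hypothetical stand-in for AWS KMS: master keys never leave this object."""
    def __init__(self):
        self._master_keys, self._policies = {}, {}
    def create_key(self, key_id, allowed_principals):
        self._master_keys[key_id] = os.urandom(32)         # customer master key
        self._policies[key_id] = set(allowed_principals)   # key policy
    def _authorize(self, key_id, principal):               # step 2
        if principal not in self._policies.get(key_id, ()):
            raise PermissionError(f"{principal} may not use {key_id}")
    def generate_data_key(self, key_id, principal):        # steps 1, 3 and 4
        self._authorize(key_id, principal)
        data_key = os.urandom(32)
        wrapped = _seal(self._master_keys[key_id], data_key)  # encrypted under the master key
        blob = json.dumps({"key_id": key_id, "wrapped": base64.b64encode(wrapped).decode()})
        return data_key, blob.encode()                     # plaintext key, encrypted key
    def decrypt(self, blob, principal):                    # step 5: unwrap a stored data key
        meta = json.loads(blob)
        self._authorize(meta["key_id"], principal)
        return _open(self._master_keys[meta["key_id"]], base64.b64decode(meta["wrapped"]))

def envelope_encrypt(kms, key_id, principal, data):
    data_key, encrypted_data_key = kms.generate_data_key(key_id, principal)
    encrypted_data = _seal(data_key, data)
    del data_key            # step 4: plaintext data key is discarded right after use
    return encrypted_data_key, encrypted_data   # both are stored next to the object

def envelope_decrypt(kms, principal, encrypted_data_key, encrypted_data):
    return _open(kms.decrypt(encrypted_data_key, principal), encrypted_data)
```

Only the encrypted data key and the ciphertext are kept; a principal outside the key policy cannot unwrap the data key, and a tampered ciphertext fails the tag check before anything is decrypted.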
(Diagram: AWS CloudHSM, an HSM inside your Amazon Virtual Private Cloud. AWS Administrator: manages the appliance. You: control keys and crypto operations.)
Comparison of key management options

DIY
  Where keys are generated and stored: your network or in AWS
  Where keys are used: your network or your EC2 instance
  How to control key use: config files, vendor-specific management
  Responsibility for performance/scale: you
  Integration with AWS services: limited
  Pricing model: variable

AWS Marketplace Partner Solution
  Where keys are generated and stored: your network or in AWS
  Where keys are used: your network or your EC2 instance
  How to control key use: vendor-specific management
  Responsibility for performance/scale: you
  Integration with AWS services: limited
  Pricing model: per hour/per year

AWS CloudHSM
  Where keys are generated and stored: in AWS, on an HSM that you control
  Where keys are used: AWS or your applications
  How to control key use: customer code + Safenet APIs
  Responsibility for performance/scale: you
  Integration with AWS services: limited
  Pricing model: per hour

AWS Key Management Service
  Where keys are generated and stored: AWS
  Where keys are used: AWS services or your applications
  How to control key use: policy you define; enforced in AWS
  Responsibility for performance/scale: AWS
  Integration with AWS services: yes
  Pricing model: per key/usage
(Diagram: AWS Service Catalog workflow. Administrator: creates portfolio, authors template (2), creates product (3): ProductX, ProductY, ProductZ; adds constraints and grants access. Users: browse products, launch products (6) from an AWS CloudFormation template, which deploys stacks (7). Notifications (8) go to both administrator and users.)
re:Cap