AWS Certified Solutions Architect Associate Level

AWS CSA Associate 06-07



AWS Certified Solutions Architect - Associate Level

Agenda
● 08 Sep - Opening, AWS Overview and S3
● 16 Sep (Tuesday) - CloudFront and Route 53
● 22 Sep - EC2 and VPC
● 29 Sep - RDS, DynamoDB and Other Storage Options
● 13 Oct - CloudFormation, SQS and SWF
● 20 Oct - Elastic Beanstalk and Security
● 27 Oct - Architecting for the Cloud and Review

Time: 18:00 to 20:00

Support Materials

References
1. Official page
2. Post about the program and the exam
3. AWS Architecture Center
4. AWS Security Center
5. AWS Documentation Page
6. Online course
7. Slideshare

White Papers
1. Overview of Amazon Web Services
2. Overview of Security Processes
3. AWS Risk and Compliance
4. Storage Options in the AWS Cloud
5. Architecting for the AWS Cloud: Best Practices
6. Storage Use Cases
7. Designing Fault-Tolerant Applications in the AWS Cloud

What do I need to remember?
● Shared Responsibility Model
● Built-in Security Features
○ Global Infrastructure
○ Multi-factor authentication
○ Encrypted data storage
○ IAM - Roles
○ Security Groups
○ VPC - VPN - Direct Connect
○ CloudWatch Logs
○ CloudTrail
○ CloudHSM
○ Trusted Advisor
● What is it?
● Differences
○ Elastic Beanstalk
○ OpsWorks
○ CloudFormation
● Components
○ Application
○ Application Version
○ Environment
○ Environment Configuration
○ Configuration Template
○ Host Manager
○ SQS Daemon

Overview

Features
● PaaS (with Control)
○ Capacity Provisioning
○ Load Balancing
○ Auto Scaling
○ Application Deployment
○ Application Health Check
○ Version Control
○ Database
○ Log file rotation to S3
○ Notifications
● Platforms
○ Docker
○ Java
○ .NET
○ Node.js
○ PHP
○ Python
○ Ruby

Workflow

Web Server Environment

Host Manager

Worker Environment

SQS Daemon

1. Create an Application
2. View Information About Your Environment
3. Deploy a New Version
4. Change the Configuration

http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/GettingStarted.Walkthrough.html

Final Considerations
● Security
● Software Updates and Patching
● EB CLI
● Configuration Template
● Deployment and Management Solutions
○ Elastic Beanstalk - Application Container
○ OpsWorks - Application Automation
○ CloudFormation - Templated Provisioning

Shared Responsibility Model

AWS is responsible for:
● Facilities
● Physical security of hardware
● Network infrastructure
● Virtualization infrastructure

The customer is responsible for:
● Amazon Machine Images (AMIs)
● Operating systems
● Applications
● Data in transit
● Data at rest
● Data stores
● Credentials
● Policies and configuration

Infrastructure/Platform Service Categories
● Infrastructure Services
○ Compute services (EC2, EBS, VPC ...)
○ Control of the OS
● Container Services
○ RDS, EMR, Elastic Beanstalk ...
○ Not always with control of the OS, but with control of the network (firewall rules)
● Abstracted Services
○ S3, Glacier, DynamoDB, SQS, SES ...
○ The platform and management layer are abstracted >> access through endpoints

Infrastructure Services

Container Services

Abstracted Services

AWS Compliance

Source: http://www.example-infographics.com/is-your-i-t-organization-clouding-the-issue/

AWS Built-in Security Features
1. Global Infrastructure
2. Multi-factor authentication
3. IAM - Roles
4. Protecting Data at Rest
5. Security Groups
6. VPC - VPN - Direct Connect
7. CloudWatch Logs
8. CloudTrail
9. CloudHSM
10. Trusted Advisor

1. AWS Global Infrastructure
10 - Regions
26 - Availability Zones
52 - Edge Locations

Source: http://aws.amazon.com/about-aws/global-infrastructure/

2. MFA protection for service APIs

Policy: allow all EC2 actions only when the caller authenticated with MFA less than 300 seconds ago (the aws:MultiFactorAuthAge key is only present in the request context when MFA was used, so a session without MFA does not satisfy the condition and gets no access from this statement).

{
  "Statement": [{
    "Action": ["ec2:*"],
    "Effect": "Allow",
    "Resource": ["*"],
    "Condition": {
      "NumericLessThan": {"aws:MultiFactorAuthAge": "300"}
    }
  }]
}

Source: http://blogs.aws.amazon.com/security/post/Tx3NJXSBQUB4QMH/-Securing-access-to-AWS-using-span-class-matches-MFA-span-Part-2
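To see how the policy above behaves, here is an added example (not from the original slides, and not how IAM is implemented): a minimal evaluator for the NumericLessThan condition on aws:MultiFactorAuthAge, with the request contexts and the helper names constructed for this illustration.

```python
# Added example: simulate how IAM evaluates the MFA-age policy from the slide.
# Models two rules that matter for this policy: (1) NumericLessThan on a key that
# is absent from the request context is false (no ...IfExists suffix), so a
# session without MFA never matches; (2) a request matched by no Allow statement
# is implicitly denied. The policy, contexts and names are constructed here.
from fnmatch import fnmatchcase

MFA_POLICY = {
    "Statement": [{
        "Action": ["ec2:*"],
        "Effect": "Allow",
        "Resource": ["*"],
        "Condition": {
            "NumericLessThan": {"aws:MultiFactorAuthAge": "300"}
        },
    }]
}


def _action_matches(pattern: str, action: str) -> bool:
    """Match an IAM action pattern such as 'ec2:*' against a concrete action."""
    return fnmatchcase(action, pattern)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate only the NumericLessThan operator, the one this policy uses."""
    for key, limit in condition.get("NumericLessThan", {}).items():
        if key not in context:
            return False  # key missing (e.g. no MFA used): condition fails
        if not float(context[key]) < float(limit):
            return False  # MFA too old: condition fails
    return True


def is_allowed(policy: dict, action: str, context: dict) -> bool:
    """True only if an Allow statement matches the action with its condition met."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_action_matches(p, action) for p in stmt["Action"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False  # no matching Allow statement: implicit deny
```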

3. Roles

4. Protecting Data at Rest

Problem -> Strategy

Confidentiality
1. Permissions
2. File, partition, volume or application-level encryption

Integrity
1. Permissions
2. Data integrity checks (MAC/HMAC/Digital Signatures/Authenticated Encryption)
3. Backup
4. Versioning (Amazon S3)

Availability - Deletion
1. Permissions
2. Backup
3. Versioning (Amazon S3)
4. MFA Delete (Amazon S3)

Availability - System Failure
1. Backup
2. Replication

Products

More information: http://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf

5. Security Groups

Instance Isolation

6. VPC - Private and isolated section of the AWS Cloud

VPN

More information: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

Direct Connect

● Secure and private connection to AWS
● Bypasses the public internet
● High speed (bandwidth)
● Predictable latency

7. CloudWatch Logs

CloudWatch Logs - Alarms

More information: http://aws.amazon.com/blogs/aws/cloudwatch-log-service/

8. CloudHSM

More information: http://aws.amazon.com/blogs/aws/aws-cloud-hsm-secure-key-storage-and-cryptographic-operations/

● Dedicated Hardware Security Module
● Secure key storage
● Encrypt and decrypt data while keeping the keys safe
● Meet strict requirements for key management

9. CloudTrail

CloudTrail - Sumo Logic

Source: http://www.sumologic.com/applications/aws-cloudtrail/

10. Trusted Advisor Best Practices (Checks)
● Security Groups - Specific Ports Unrestricted (Free!)
● Security Groups - Unrestricted Access
● IAM Use (Free!)
● Amazon S3 Bucket Permissions
● MFA on Root Account (Free!)
● IAM Password Policy
● Amazon RDS Security Group Access Risk
● AWS CloudTrail Logging
● Amazon Route 53 MX and SPF Resource Record Sets


AWS Certified Solutions Architect - Associate Level

THANK YOU!!