Building Secure Architectures
on AWS
Manoj Fernando
Agenda
• On-premises network architecture
• Modeling on-premises architecture on AWS cloud
• Securing our cloud network architecture
• Migrating to a serverless architecture
• Securing your serverless architecture
• Connecting with the On-Premises Network
• Review our architecture against Cloud Adoption Framework
• Next Steps…
On-premises network architecture
(Diagram: the on-premises network 203.0.113.0/28, divided into the subnets 203.0.113.0/29 and 203.0.113.8/29, hosting the web servers, the application server and the database server)
CIDR Notation
203.0.113.0/28
Start - 203.0.113.0
Total IP Count - 2 ^ (32-28) = 2 ^ 4 = 16
End – 203.0.113.16
Range – 203.0.113.0 – 203.0.113.16
Network 203.0.113.0/28 (Range – 203.0.113.0 – 203.0.113.16), divided into two subnets:
Subnet 01 - 203.0.113.0/29
Start - 203.0.113.0
Total IP Count - 2 ^ (32-29) = 2 ^ 3 = 8
End – 203.0.113.7
Range – 203.0.113.0 – 203.0.113.7
Subnet 02 - 203.0.113.8/29
Start - 203.0.113.8
Total IP Count - 2 ^ (32-29) = 2 ^ 3 = 8
End - 203.0.113.16
Range – 203.0.113.8 - 203.0.113.16
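As an added example (not part of the deck), Python's ipaddress module computes the same CIDR figures and checks that a subnet plan is sound: every subnet inside the parent block, no two subnets overlapping. It also reports the last address of each block; a /28 beginning at 203.0.113.0 ends at 203.0.113.15 (its 16 addresses are .0 through .15), which is the inclusive boundary to use when checking for overlap. The AWS-usable count assumes the five addresses AWS reserves in every VPC subnet.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every VPC subnet.
AWS_RESERVED_PER_SUBNET = 5


def describe_block(cidr):
    """Start, end and address count of a CIDR block: the figures the slide works out by hand."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: reject host bits set, e.g. 203.0.113.9/29
    return {
        "cidr": str(net),
        "start": str(net.network_address),
        "end": str(net.broadcast_address),           # last address = start + count - 1
        "count": net.num_addresses,                  # 2 ** (32 - prefix length) for IPv4
        "aws_usable": max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0),
    }


def check_subnet_plan(parent_cidr, subnet_cidrs):
    """Return a list of problems with a subnet plan; an empty list means the plan is sound.
    Checks that every subnet lies inside the parent and that no two subnets overlap."""
    parent = ipaddress.ip_network(parent_cidr, strict=True)
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    problems = []
    for net in subnets:
        if not net.subnet_of(parent):
            problems.append(f"{net} lies outside {parent}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def unallocated(parent_cidr, subnet_cidrs):
    """Addresses in the parent not covered by any subnet. Assumes check_subnet_plan
    returned no problems (overlapping subnets would be double-counted)."""
    parent = ipaddress.ip_network(parent_cidr, strict=True)
    used = sum(ipaddress.ip_network(c, strict=True).num_addresses for c in subnet_cidrs)
    return parent.num_addresses - used


if __name__ == "__main__":
    # The deck's on-premises network and its two /29 subnets.
    for block in ("203.0.113.0/28", "203.0.113.0/29", "203.0.113.8/29"):
        print(describe_block(block))
    print("on-prem plan problems:", check_subnet_plan("203.0.113.0/28", ["203.0.113.0/29", "203.0.113.8/29"]))
    # The deck's VPC: 10.0.0.0/16 with two /24 subnets, leaving room for more.
    print("VPC plan problems:", check_subnet_plan("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
    print("VPC addresses still unallocated:", unallocated("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
```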
Modeling On-Premises architecture on AWS cloud
Shared Responsibility Model
Reference : AWS
(Diagram: a Web Server and a Backend Server, to be moved into the cloud)
Setting up our private network
(Diagram: VPC 10.0.0.0/16 in Ireland (eu-west-1) containing the Web Server and the Backend Server)
Divide into sub networks
(Diagram: Subnet 1 - 10.0.0.0/24 in Availability Zone - 01 with the Web Server at 10.0.0.1; Subnet 2 - 10.0.1.0/24 in Availability Zone - 02 with the Backend Server at 10.0.1.1)
Setting up an Internet Gateway
(Diagram: an Internet Gateway (igw) attached to the VPC router connects Subnet 1, now the Public Subnet, to the Internet; Subnet 2 is the Private Subnet)
Route Table (Subnet 1)
Destination      Target
10.0.0.0/16      local
0.0.0.0/0        Internet-gateway-id
Route Table (Subnet 2)
Destination      Target
10.0.0.0/16      local
Setting up a NAT Gateway
(Diagram: a NAT Gateway gives the Private Subnet outbound-only access to the Internet)
Route Table (Subnet 1)
Destination      Target
10.0.0.0/16      local
0.0.0.0/0        Internet-gateway-id
Route Table (Subnet 2)
Destination      Target
10.0.0.0/16      local
0.0.0.0/0        nat-gateway-id
Securing our cloud network architecture
(Diagram: the VPC above, with the Web Server 10.0.0.1 in the Public Subnet routed to the Internet Gateway (igw) and the Backend Server 10.0.1.1 in the Private Subnet routed to the NAT Gateway)
Can our web server access internet?
(Diagram: the on-premises network 203.0.113.0/28 with its web servers, application server and database server, for comparison)
Security Groups
• Who can access me?
• Applied to AWS resources
• Eg: EC2 instances, databases, load balancers etc.
• Virtual firewalls
• You can create inbound and outbound rules in a security group
• Follow the principle of least privilege
• Security groups are stateful: return traffic for a connection that was allowed in needs no separate rule
• When architecting your application, list all the resources, decide who needs to talk to whom, and create security groups for your resources accordingly
(Diagram: Web Server 10.0.0.1 in the Public Subnet and Backend Server 10.0.1.1 in the Private Subnet, behind the Internet Gateway (igw))
Web-Server-SG – inbound rules
Type     Port   Source
HTTP     80     0.0.0.0/0
HTTPS    443    0.0.0.0/0
Backend-Server-SG – inbound rules
Type     Port   Source
Custom   4000   Web-Server-SG
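An added example (not the deck's code) that models the two route tables and the two security groups above and answers reachability questions such as "can our web server access the internet?" for each flow, including the topology before the NAT gateway was added. It assumes the web server has a public IP and that outbound rules stay at the default allow-all; the gateway ids and the external client address are constructed.

```python
import copy
import ipaddress

# Constructed model of the deck's VPC: two subnets with one instance in each.
SUBNETS = {
    "public":  {"cidr": "10.0.0.0/24",
                "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"}},
    "private": {"cidr": "10.0.1.0/24",
                "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-EXAMPLE"}},
}
INSTANCES = {
    "web":     {"ip": "10.0.0.1", "subnet": "public",  "sg": "Web-Server-SG",     "public_ip": True},
    "backend": {"ip": "10.0.1.1", "subnet": "private", "sg": "Backend-Server-SG", "public_ip": False},
}
# Inbound rules (port, source); a source is either a CIDR or the name of another security group.
# Outbound rules are left at the default allow-all.
SECURITY_GROUPS = {
    "Web-Server-SG":     [(80, "0.0.0.0/0"), (443, "0.0.0.0/0")],
    "Backend-Server-SG": [(4000, "Web-Server-SG")],
}
INTERNET_CLIENT_IP = "198.51.100.7"   # constructed external address (TEST-NET-2 documentation range)


def route_target(subnet_name, dst_ip, subnets=SUBNETS):
    """Longest-prefix match over the subnet's route table; None when no route matches."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in subnets[subnet_name]["routes"].items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def sg_allows_inbound(sg_name, port, src):
    """Does the destination's security group admit a new connection on `port` from `src`
    (an instance name or "internet")? Groups are stateful, so the reply path needs no rule."""
    for rule_port, rule_src in SECURITY_GROUPS.get(sg_name, []):
        if rule_port != port:
            continue
        if rule_src in SECURITY_GROUPS:            # source expressed as another security group
            if src != "internet" and INSTANCES[src]["sg"] == rule_src:
                return True
        else:                                       # source expressed as a CIDR
            src_ip = INTERNET_CLIENT_IP if src == "internet" else INSTANCES[src]["ip"]
            if ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_src):
                return True
    return False


def can_reach(src, dst, port, subnets=SUBNETS):
    """Can `src` open a TCP connection to `dst` on `port`? Each end is an instance name or "internet"."""
    if src == "internet":
        inst = INSTANCES[dst]
        target = route_target(inst["subnet"], INTERNET_CLIENT_IP, subnets)
        # Inbound from the internet needs a public IP and an internet-gateway route;
        # a NAT gateway carries egress only, so the private subnet is unreachable from outside.
        if not inst["public_ip"] or not (target and target.startswith("igw-")):
            return False
        return sg_allows_inbound(inst["sg"], port, "internet")
    if dst == "internet":
        target = route_target(INSTANCES[src]["subnet"], INTERNET_CLIENT_IP, subnets)
        return bool(target) and target.startswith(("igw-", "nat-"))   # egress via IGW or NAT
    # Instance to instance: the VPC's local route plus the destination group's inbound rules.
    target = route_target(INSTANCES[src]["subnet"], INSTANCES[dst]["ip"], subnets)
    return target == "local" and sg_allows_inbound(INSTANCES[dst]["sg"], port, src)


def without_nat():
    """Route tables from before the NAT gateway was added: the private subnet has only the local route."""
    subnets = copy.deepcopy(SUBNETS)
    del subnets["private"]["routes"]["0.0.0.0/0"]
    return subnets


if __name__ == "__main__":
    for flow in [("internet", "web", 443), ("internet", "web", 22), ("internet", "backend", 4000),
                 ("web", "backend", 4000), ("backend", "web", 4000),
                 ("web", "internet", 443), ("backend", "internet", 443)]:
        print(flow, "allowed" if can_reach(*flow) else "blocked")
    print("backend -> internet without NAT:", can_reach("backend", "internet", 443, without_nat()))
```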
Migrating to Serverless Architecture
(Diagram: www.myapp.com is served by a Web Server Instance and a Backend Server Instance)
New features can be developed in a serverless architecture
(Diagram: Amazon CloudFront in front of www.myapp.com routes /* to the Web Server Instance and /api/* to API Gateway; /api/users is handled by the getUsers Lambda, with the data in a MySQL DB (in RDS))
Serverless Means...
Reference: AWS
API Gateway + AWS Lambda is the easiest way to
create microservices
AWS Lambda Programming Model
Reference: AWS
(Diagram: the serverless architecture above, and the VPC 10.0.0.0/16 in Ireland (eu-west-1) with Subnet 1 (10.0.0.0/24, Web Server 10.0.0.1), Subnet 2 (10.0.1.0/24, Backend Server 10.0.1.1), the Internet Gateway, and the MySQL DB (in RDS) inside the VPC)
How can getUsers lambda access the Database?
IAM Roles – What can I do?
• Security group – who can access me
• IAM role – what I can do
• Consider the backend server. What can it do?
• It can access the database
• So create an IAM role with database access permissions and attach it to the backend EC2 server
How can getUsers lambda access the Database?
Step 01
• Run the getUsers lambda inside our VPC so that the lambda executes in our private network
Step 02
• Assign an IAM role to the getUsers lambda that allows it to read from the database
Securing your Serverless Architecture
Securing Lambda Function
• Use IAM roles per function and don't be too permissive
• Apply the principle of least privilege
• Application security best practices still apply
• Mandatory code reviews, static analysis
• Protect environment variables and sensitive data via KMS and Lambda's encryption helpers
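Added example for the two IAM points above (a role per function that can read the database, and not being too permissive); it is not the deck's code. It builds a scoped inline policy for the getUsers function's own execution role, assuming IAM database authentication is enabled on the RDS instance (the rds-db:connect action) and that the function runs inside the VPC, and it includes a small linter that flags wildcard actions, NotAction and unscoped resources. Region, account id, DbiResourceId and DB user are placeholders.

```python
import json

# Placeholder identifiers; substitute your own account, region and RDS values.
REGION = "eu-west-1"
ACCOUNT_ID = "123456789012"
DB_RESOURCE_ID = "db-EXAMPLERESOURCEID"   # the RDS instance's DbiResourceId
DB_USER = "getusers_ro"                   # read-only DB account the function authenticates as

# ENI management actions a VPC-attached function needs. These EC2 actions do not support
# resource-level permissions, so Resource "*" is unavoidable for them (assumption mirroring
# the AWSLambdaVPCAccessExecutionRole managed policy).
VPC_ENI_ACTIONS = [
    "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets",
    "ec2:DeleteNetworkInterface", "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
]


def getusers_role_policy():
    """Inline policy for the getUsers function's execution role: DB access via IAM database
    authentication, ENI management for VPC access, and logging scoped to its own log group."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ConnectToUsersDb", "Effect": "Allow",
             "Action": "rds-db:connect",
             "Resource": f"arn:aws:rds-db:{REGION}:{ACCOUNT_ID}:dbuser:{DB_RESOURCE_ID}/{DB_USER}"},
            {"Sid": "VpcNetworking", "Effect": "Allow",
             "Action": VPC_ENI_ACTIONS, "Resource": "*"},
            {"Sid": "FunctionLogs", "Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/getUsers:*"},
        ],
    }


# What "too permissive" looks like: the function may do anything to any RDS resource in the account.
TOO_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllOfRds", "Effect": "Allow", "Action": "rds:*", "Resource": "*"}],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def find_overly_permissive(policy, resource_star_ok=frozenset(VPC_ENI_ACTIONS)):
    """Flag Allow statements with wildcard actions, NotAction, or Resource '*' on actions that
    do support resource scoping. Returns a list of findings; an empty list means it passes."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "NotAction" in st:
            findings.append(f"{sid}: NotAction allows every action not listed")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "*" in resources and not all(a in resource_star_ok for a in actions):
            findings.append(f"{sid}: Resource '*' on scopable actions {actions}")
    return findings


if __name__ == "__main__":
    print(json.dumps(getusers_role_policy(), indent=2))
    print("getUsers role findings:", find_overly_permissive(getusers_role_policy()))
    print("too-permissive findings:", find_overly_permissive(TOO_PERMISSIVE_POLICY))
```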
Encrypting Environment Variables
How to secure our Identities
(Authentication + Authorization)
Too many concerns…
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your user store
• Implementing token-based authentication
• Support for multiple social identities
• Federation with corporate directories for B2E applications
User Pools & Federated Identities
Reference: AWS
Authentication & Authorization (API Gateway)
• API Gateway can authenticate and authorize requests to the backend
• (eg: Lambda, EC2 instances, Elasticsearch, S3 etc.)
• 3 main methods
1. Amazon Cognito User Pools – User Pool Authorizer
2. Amazon Cognito Federated Identities – AWS IAM Authorizer
3. Custom Identity Providers – Custom Authorizer
• Identity Providers
1. Web identities – Eg: Google, LinkedIn, User Pools
2. Corporate identities – Eg: Active Directory, LDAP
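As an added example (not from the deck), a TOKEN-type Lambda authorizer for the Custom Authorizer method: it validates a constructed HMAC-signed bearer token and returns the response API Gateway expects, an IAM policy document allowing or denying execute-api:Invoke on the requested method ARN. SIGNING_KEY, the token format and the user ids are assumptions of this example.

```python
import hashlib
import hmac
import time

# Constructed shared secret for the demo; a real deployment would load it from KMS-encrypted
# configuration rather than hard-coding it.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def issue_token(user_id, ttl_seconds=3600, now=None):
    """Mint a token 'user:expiry:hmac-sha256' as our hypothetical identity provider would.
    user_id must not contain ':' because it is the field separator."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{now + ttl_seconds}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token, now=None):
    """Return the user id of a valid, unexpired token, or None. The signature is checked
    before the expiry, so a forged token is rejected whatever it claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, expiry, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{user_id}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):   # constant-time comparison
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    return user_id


def build_policy(principal_id, effect, method_arn):
    """The response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
    }


def handler(event, context=None, now=None):
    """TOKEN-type authorizer entry point; `event` carries authorizationToken and methodArn."""
    token = event.get("authorizationToken") or ""
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    method_arn = event["methodArn"]
    user_id = verify_token(token, now=now)
    if user_id is None:
        # A Deny policy makes API Gateway answer 403; raising Exception("Unauthorized") gives 401 instead.
        return build_policy("anonymous", "Deny", method_arn)
    policy = build_policy(user_id, "Allow", method_arn)
    policy["context"] = {"userId": user_id}   # passed on to the integration as request context
    return policy


if __name__ == "__main__":
    arn = "arn:aws:execute-api:eu-west-1:123456789012:EXAMPLEAPI/prod/GET/api/users"  # placeholder
    good = issue_token("alice")
    print(handler({"authorizationToken": "Bearer " + good, "methodArn": arn}))
    print(handler({"authorizationToken": "Bearer not-a-token", "methodArn": arn}))
```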
Serverless App Security
Reference: Slideshare
Other AWS Services for Security
• AWS WAF
• AWS Trusted Advisor
• AWS CloudTrail
• AWS CloudWatch
• AWS Inspector
• AWS Config
(Diagram: the serverless architecture above with AWS WAF added)
Connecting with On-Premises Network
(Diagram: our AWS VPC 10.0.0.0/16 linked to the On-Premises Network 192.168.0.0/16 by a VPN Connection between a VPN Gateway on the AWS side and a Customer Gateway on the on-premises side)
VPN and AWS Direct Connect
• Both allow secure connections between your corporate network and your VPC
• VPN uses an encrypted IPsec tunnel over the internet
• Direct Connect is a dedicated line between the corporate network and your VPC
• Direct Connect is not affected by uncertainties in the internet and is suitable for large data transfers at high speed
Cloud Adoption Framework
1. Infrastructure Security
2. Identity and Access Management
3. Data Protection
4. Detective Control
5. Incident Response
Next Steps…
• Read the AWS Well-Architected Framework whitepaper
• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Security Pillar whitepaper
Thank You!
Ad

More Related Content

Similar to Building Secure Architectures on AWS (11)

AWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityAWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: Security
Cobus Bernard
 
Networking Best Practices for Your Serverless Applications
Networking Best Practices for Your Serverless ApplicationsNetworking Best Practices for Your Serverless Applications
Networking Best Practices for Your Serverless Applications
Chris Munns
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats
CloudCheckr
 
Comenzando com la nube hibrida
Comenzando com la nube hibrida Comenzando com la nube hibrida
Comenzando com la nube hibrida
Amazon Web Services LATAM
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill Chain
Puma Security, LLC
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
LalitMohanSharma8
 
Hack proof your aws cloud cloudcheckr_040416
Hack proof your aws cloud cloudcheckr_040416Hack proof your aws cloud cloudcheckr_040416
Hack proof your aws cloud cloudcheckr_040416
Jarrett Plante
 
Creating Your Virtual Data Center
Creating Your Virtual Data CenterCreating Your Virtual Data Center
Creating Your Virtual Data Center
Monica Trantow
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
MongoDB
 
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
CIS Compliance Automations   Eevidence Collection, Security and Compliance Be...CIS Compliance Automations   Eevidence Collection, Security and Compliance Be...
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
Faiza Mehar
 
AWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityAWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: Security
Cobus Bernard
 
Networking Best Practices for Your Serverless Applications
Networking Best Practices for Your Serverless ApplicationsNetworking Best Practices for Your Serverless Applications
Networking Best Practices for Your Serverless Applications
Chris Munns
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats
CloudCheckr
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
LalitMohanSharma8
 
Hack proof your aws cloud cloudcheckr_040416
Hack proof your aws cloud cloudcheckr_040416Hack proof your aws cloud cloudcheckr_040416
Hack proof your aws cloud cloudcheckr_040416
Jarrett Plante
 
Creating Your Virtual Data Center
Creating Your Virtual Data CenterCreating Your Virtual Data Center
Creating Your Virtual Data Center
Monica Trantow
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
MongoDB
 
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
CIS Compliance Automations   Eevidence Collection, Security and Compliance Be...CIS Compliance Automations   Eevidence Collection, Security and Compliance Be...
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
Faiza Mehar
 

Recently uploaded (20)

Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Christian Folini
 
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
João Esperancinha
 
An Overview of Salesforce Health Cloud & How is it Transforming Patient Care
An Overview of Salesforce Health Cloud & How is it Transforming Patient CareAn Overview of Salesforce Health Cloud & How is it Transforming Patient Care
An Overview of Salesforce Health Cloud & How is it Transforming Patient Care
Cyntexa
 
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptxReimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
John Moore
 
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier VroomAI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
UXPA Boston
 
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Markus Eisele
 
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz
 
Building the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdfBuilding the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdf
Cheryl Hung
 
Config 2025 presentation recap covering both days
Config 2025 presentation recap covering both daysConfig 2025 presentation recap covering both days
Config 2025 presentation recap covering both days
TrishAntoni1
 
fennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solutionfennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solution
shallal2
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
Cybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and MitigationCybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and Mitigation
VICTOR MAESTRE RAMIREZ
 
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptxTop 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
mkubeusa
 
Artificial_Intelligence_in_Everyday_Life.pptx
Artificial_Intelligence_in_Everyday_Life.pptxArtificial_Intelligence_in_Everyday_Life.pptx
Artificial_Intelligence_in_Everyday_Life.pptx
03ANMOLCHAURASIYA
 
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
Ivano Malavolta
 
AI 3-in-1: Agents, RAG, and Local Models - Brent Laster
AI 3-in-1: Agents, RAG, and Local Models - Brent LasterAI 3-in-1: Agents, RAG, and Local Models - Brent Laster
AI 3-in-1: Agents, RAG, and Local Models - Brent Laster
All Things Open
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
Com fer un pla de gestió de dades amb l'eiNa DMP (en anglès)
CSUC - Consorci de Serveis Universitaris de Catalunya
 
Developing System Infrastructure Design Plan.pptx
Developing System Infrastructure Design Plan.pptxDeveloping System Infrastructure Design Plan.pptx
Developing System Infrastructure Design Plan.pptx
wondimagegndesta
 
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
SOFTTECHHUB
 
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Christian Folini
 
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
Could Virtual Threads cast away the usage of Kotlin Coroutines - DevoxxUK2025
João Esperancinha
 
An Overview of Salesforce Health Cloud & How is it Transforming Patient Care
An Overview of Salesforce Health Cloud & How is it Transforming Patient CareAn Overview of Salesforce Health Cloud & How is it Transforming Patient Care
An Overview of Salesforce Health Cloud & How is it Transforming Patient Care
Cyntexa
 
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptxReimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
John Moore
 
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier VroomAI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
UXPA Boston
 
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Markus Eisele
 
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz
 
Building the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdfBuilding the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdf
Cheryl Hung
 
Config 2025 presentation recap covering both days
Config 2025 presentation recap covering both daysConfig 2025 presentation recap covering both days
Config 2025 presentation recap covering both days
TrishAntoni1
 
fennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solutionfennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solution
shallal2
 
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptxDevOpsDays SLC - Platform Engineers are Product Managers.pptx
DevOpsDays SLC - Platform Engineers are Product Managers.pptx
Justin Reock
 
Cybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and MitigationCybersecurity Threat Vectors and Mitigation
Cybersecurity Threat Vectors and Mitigation
VICTOR MAESTRE RAMIREZ
 
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptxTop 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
mkubeusa
 
Artificial_Intelligence_in_Everyday_Life.pptx
Artificial_Intelligence_in_Everyday_Life.pptxArtificial_Intelligence_in_Everyday_Life.pptx
Artificial_Intelligence_in_Everyday_Life.pptx
03ANMOLCHAURASIYA
 
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
On-Device or Remote? On the Energy Efficiency of Fetching LLM-Generated Conte...
Ivano Malavolta
 
AI 3-in-1: Agents, RAG, and Local Models - Brent Laster
AI 3-in-1: Agents, RAG, and Local Models - Brent LasterAI 3-in-1: Agents, RAG, and Local Models - Brent Laster
AI 3-in-1: Agents, RAG, and Local Models - Brent Laster
All Things Open
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
Developing System Infrastructure Design Plan.pptx
Developing System Infrastructure Design Plan.pptxDeveloping System Infrastructure Design Plan.pptx
Developing System Infrastructure Design Plan.pptx
wondimagegndesta
 
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
SOFTTECHHUB
 
Ad

Building Secure Architectures on AWS

  • 1. Building Secure Architectures on AWS Manoj Fernando
  • 2. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 3. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 5. 203.0.113.0/28 203.0.113.8/29203.0.113.0/29 > Web servers > Application server > Database Server
  • 6. CIDR Notation 203.0.113.0/28 Start - 203.0.113.0 Total IP Count - 2 ^ (32-28) = 2 ^ 4 = 16 End – 203.0.113.16 Range – 203.0.113.0 – 203.0.113.16
  • 7. 203.0.113.0/28 Start - 203.0.113.0 Total IP Count - 2 ^ (32-29) = 2 ^ 3 = 8 End – 203.0.113.7 Range – 203.0.113.0 – 203.0.113.7 203.0.113.0/29 203.0.113.8/29 Start - 203.0.113.8 Total IP Count - 2 ^ (32-29) = 2 ^ 3 = 8 End - 203.0.113.16 Range – 203.0.113.8 - 203.0.113.16 Range – 203.0.113.0 – 203.0.113.16 Subnet 01 Subnet 02 Network
  • 8. 203.0.113.0/28 203.0.113.8/29203.0.113.0/29 > Web servers > Application server > Database Server
  • 9. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Connecting with the On-Premises Network • Migrating to a serverless architecture • Securing your serverless architecture • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 13. Setting up our private network
  • 14. Web Server Backend Server 10.0.0.0/16
  • 15. Divide into sub networks
  • 16. Web Server Backend Server 10.0.0.0/16 10.0.0.0/24Subnet 1 10.0.1.0/24Subnet 2
  • 17. Web Server Backend Server 10.0.0.0/16 10.0.0.0/24Subnet 1 10.0.1.0/24Subnet 2 10.0.0.1 10.0.1.1
  • 18. Web Server Backend Server 10.0.0.0/16 10.0.0.0/24Subnet 1 10.0.1.0/24Subnet 2 10.0.0.1 10.0.1.1 Ireland (eu-west-1) Availability Zone - 01 Availability Zone - 02
  • 19. Setting up an Internet Gateway
  • 20. Web Server Backend Server 10.0.0.0/16 10.0.0.0/24Subnet 1 10.0.1.0/24Subnet 2 10.0.0.1 10.0.1.1 Ireland (eu-west-1) Availability Zone - 01 Availability Zone - 02 RouterInternet Gateway Internet
  • 21. Web Server Backend Server 10.0.0.0/24Subnet 1 10.0.1.0/24Subnet 2 10.0.0.1 10.0.1.1 Availability Zone - 01 Availability Zone - 02 RouterInternet Gateway (igw) Internet Public Subnet Private Subnet 10.0.0.0/16 local 0.0.0.0/0 Internet-gateway-id Route Table (Subnet 1) Destination Target
  • 22. Web Server Backend Server 10.0.0.0/24Subnet 1 10.0.1.0/24Subnet 2 10.0.0.1 10.0.1.1 Availability Zone - 01 Availability Zone - 02 RouterInternet Gateway (igw) Internet Public Subnet Private Subnet 10.0.0.0/16 local 0.0.0.0/0 Internet-gateway-id Route Table (Subnet 1) Destination Target 10.0.0.0/16 local Route Table (Subnet 2) Destination Target
  • 23. Setting up a Nat Gateway
  • 24. Web Server Backend Server 10.0.0.1 10.0.1.1RouterInternet Gateway (igw) Internet Public Subnet Private Subnet 10.0.0.0/16 local 0.0.0.0/0 Internet-gateway-id Route Table (Subnet 1) Destination Target 10.0.0.0/16 local 0.0.0.0/0 nat-gateway-id Route Table (Subnet 2) Destination Target NAT Gateway
  • 25. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 26. Securing our cloud network architecture
  • 27. Web Server Backend Server 10.0.0.1 10.0.1.1RouterInternet Gateway (igw) Internet Public Subnet Private Subnet 10.0.0.0/16 local 0.0.0.0/0 Internet-gateway-id Route Table (Subnet 1) Destination Target 10.0.0.0/16 local 0.0.0.0/0 nat-gateway-id Route Table (Subnet 2) Destination Target Can our web server access internet?
  • 28. 203.0.113.0/28 203.0.113.8/29203.0.113.0/29 > Web servers > Application server > Database Server
  • 29. Security Groups • Who can access me? • Applied to AWS Resources • Eg: EC2 instances, Databases, Load Balancers etc… • Virtual Firewalls • You can create inbound and outbound rules in a security group • Follow the principle of Least Privilege • Security Groups are stateful • When architecting your application, list down all the resources and decide who needs talk to whom and create security groups for your resources
  • 30. Web Server Backend Server 10.0.0.1 10.0.1.1RouterInternet Gateway (igw) Internet Public Subnet Private Subnet Web-Server-SG Type TargetType Port Source HTTP 80 0.0.0.0/0 HTTPS 443 0.0.0.0/0
  • 31. 10.0.0.1 10.0.1.1RouterInternet Gateway (igw) Internet Public Subnet Private Subnet Web-Server-SG Type TargetType Port Source HTTP 80 0.0.0.0/0 HTTPS 443 0.0.0.0/0 Type Port Source Custom 4000 Web-Server-SG Backend-Server-SG Web Server Backend Server
  • 32. Agenda • On-premises network architecture • Modeling on-premises architecture on AWS cloud • Securing our cloud network architecture • Migrating to a serverless architecture • Securing your serverless architecture • Connecting with the On-Premises Network • Review our architecture against Cloud Adoption Framework • Next Steps…
  • 33. Migrating to Serverless Architecture
  • 35. New features can be developed in a serverless architecture
  • 36. Diagram: www.myapp.com served through Amazon CloudFront; /* is routed to the Web Server Instance, /api/* to the Backend Server Instance (which uses the MySQL DB in RDS), and the new /api/users path to API Gateway backed by the getUsers Lambda
  • 38. API Gateway + AWS Lambda is the easiest way to create microservices
  • 39. AWS Lambda Programming Model Reference: AWS
  • 41. Diagram: VPC 10.0.0.0/16 in Ireland (eu-west-1) with Subnet 1 (10.0.0.0/24, Web Server 10.0.0.1) and Subnet 2 (10.0.1.0/24, Backend Server 10.0.1.1 and the MySQL DB in RDS), connected through the Router and Internet Gateway to the Internet
  • 42. How can getUsers lambda access the Database?
  • 43. IAM Roles: what can I do?
    • Security group: who can access me
    • IAM role: what I can do
    • Consider the backend server. What can it do?
    • It can access the database
    • So create an IAM role with database access permissions and attach it to the backend EC2 server
  • 44. How can the getUsers lambda access the database?
    • Step 01: Run the getUsers lambda inside our VPC so that the lambda executes in our private network
    • Step 02: Assign an IAM role to the getUsers lambda that lets it read from the database
  • 46. Securing your Serverless Architecture
  • 47. Securing Lambda Functions
    • Use an IAM role per function and don't be too permissive
    • Leverage the principle of least privilege
    • Application security best practices still apply
    • Mandatory code reviews, static analysis
    • Environment variables and sensitive data via KMS and Lambda's encryption helpers
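What the per-function role of slides 44 and 47 looks like when it is not "too permissive", with a small check that flags wildcard actions and resources. This is an added example, not the deck's code; the account id, RDS resource id, KMS key id, the database user getusers_ro and the log group name are placeholders, and the read-only access itself comes from the database user's MySQL grants, not from IAM.

```python
# Added example (not the deck's own code): a least-privilege role for the
# getUsers Lambda of slides 44 and 47, plus a check that catches wildcards.
REGION, ACCOUNT = "eu-west-1", "123456789012"        # placeholder account id
DB_RESOURCE_ID = "db-RESOURCEID-PLACEHOLDER"         # placeholder RDS DbiResourceId
KMS_KEY_ID = "00000000-0000-0000-0000-000000000000"  # placeholder CMK id

# Trust policy: only the Lambda service may assume this role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Permissions: connect to one database as one IAM-authenticated DB user (its
# read-only rights come from MySQL GRANTs), decrypt the function's KMS-encrypted
# environment variables with one key, and write to its own log group only.
# A VPC-attached function also needs the ENI permissions of the AWS managed
# policy AWSLambdaVPCAccessExecutionRole; those are attached separately.
GET_USERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "rds-db:connect",
         "Resource": f"arn:aws:rds-db:{REGION}:{ACCOUNT}:dbuser:{DB_RESOURCE_ID}/getusers_ro"},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{KMS_KEY_ID}"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/getUsers:*"},
    ],
}

# What "too permissive" looks like: every RDS action on every resource.
TOO_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}],
}


def audit_policy(policy):
    """One finding per Allow statement that uses a wildcard action or the
    resource '*'. An empty list means the policy passes the check."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        findings += [f"statement {i}: wildcard action {a}" for a in actions if "*" in a]
        if "*" in resources:
            findings.append(f"statement {i}: resource '*'")
    return findings
```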
  • 50. How to secure our Identities (Authentication + Authorization)
  • 51. Too many concerns…
    • Need to develop a reliable user directory to manage identities
    • Handling user data and passwords and protecting privacy
    • Prioritizing scalability of your user store
    • Implementing token-based authentication
    • Support for multiple social identities
    • Federation with corporate directories for B2E applications
  • 52. User Pools & Federated Identities Reference: AWS
  • 53. Authentication & Authorization (API Gateway)
    • API Gateway can authenticate and authorize requests to the backend (e.g. Lambda, EC2 instances, Elasticsearch, S3 etc.)
    • 3 main methods:
      1. Amazon Cognito User Pools – User Pool Authorizer
      2. Amazon Cognito Federated Identities – AWS IAM Authorizer
      3. Custom Identity Providers – Custom Authorizer
    • Identity providers:
      1. Web identities – e.g. Google, LinkedIn, User Pools
      2. Corporate identities – e.g. Active Directory, LDAP
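The third method above, a custom authorizer, is a Lambda function that API Gateway invokes with the caller's token and the ARN of the method being called, and that answers with an IAM policy. The sketch below is an added example, not the deck's code: it uses an HMAC-signed token with a shared secret as a stand-in for a real identity provider's signature check, and scopes the returned policy to exactly the invoked method rather than a wildcard.

```python
# Added example (not the deck's own code): an API Gateway TOKEN authorizer
# ("Custom Authorizer", slide 53) that validates a bearer token and returns
# an IAM policy scoped to the single method that was called.
import base64, hashlib, hmac, json, time

SHARED_SECRET = b"demo-secret-do-not-use"   # assumption: an HMAC shared secret stands
                                            # in for a real identity provider's signature


def issue_token(user_id, ttl=3600, now=None):
    """Mint a token 'payload.signature' (test helper; a real IdP would do this)."""
    now = int(time.time()) if now is None else now
    payload = base64.urlsafe_b64encode(
        json.dumps({"sub": user_id, "exp": now + ttl}).encode()).decode()
    sig = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = int(time.time()) if now is None else now
    return claims if claims.get("exp", 0) > now else None


def policy(principal, effect, method_arn):
    # Allow or deny exactly the invoked method; never hand out "arn:...:*/*/*".
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Action": "execute-api:Invoke",
                                              "Effect": effect,
                                              "Resource": method_arn}]}}


def handler(event, context=None, now=None):
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    header = event.get("authorizationToken", "")
    if not header.startswith("Bearer "):
        raise Exception("Unauthorized")             # API Gateway turns this into 401
    claims = verify_token(header[len("Bearer "):], now)
    if claims is None:
        return policy("anonymous", "Deny", event["methodArn"])  # explicit deny, 403
    return policy(claims["sub"], "Allow", event["methodArn"])
```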
  • 65. Other AWS Services for Security
    • AWS WAF
    • AWS Trusted Advisor
    • AWS CloudTrail
    • AWS CloudWatch
    • AWS Inspector
    • AWS Config
  • 66. Diagram: the architecture of slide 36 (CloudFront in front of the Web Server Instance, the Backend Server Instance with the MySQL DB in RDS, and API Gateway with the getUsers Lambda on /api/users) with WAF added
  • 72. Diagram: Our AWS VPC alongside the On-Premises Network
  • 73. Diagram: Our AWS VPC (10.0.0.0/16) linked to the On-Premises Network (192.168.0.0/16) by a VPN Connection between a VPN Gateway on the AWS side and a Customer Gateway on premises
  • 74. VPN and AWS Direct Connect
    • Both allow secure connections between your corporate network and your VPC
    • VPN uses an encrypted IPsec tunnel over the internet
    • Direct Connect is a dedicated line between the corporate network and your VPC
    • Direct Connect is not affected by uncertainties in the internet and is suitable for large data transfers at high speed
  • 76. Cloud Adoption Framework
    1. Infrastructure Security
    2. Identity and Access Management
    3. Data Protection
    4. Detective Control
    5. Incident Response
  • 79. Next Steps…
    • Read the AWS Well-Architected Framework whitepaper
      • Operational Excellence
      • Security
      • Reliability
      • Performance Efficiency
    • Security Pillar whitepaper