A security session at the AWS Summit Online focused on the basics of Control Tower, Landing Zones, and GuardDuty.
Amazon CTO Werner Vogels kicked off the US and Canada version of the AWS Online Summit on Wednesday from his home in Amsterdam. Vogels said that the cloud is intrinsic to the new way of working during the coronavirus epidemic.
“If nothing else, these past few months have truly ushered in a new era in technology, where we are seeing a fundamental shift in how everyone is feeling, not only the technology itself but how to access that technology, as well as how we built the technology,” Vogels said.
Security is key to this new way of working and securing cloud deployments is an ongoing challenge. Myles Hosford, a principal of security architecture at Amazon Web Services, gave a presentation about best practices for AWS security. He covered the shared responsibility model, security of the cloud, security in the cloud, and security governance.
Hosford shared these three resources as a way to improve your understanding of how to secure AWS cloud deployments.
AWS Control Tower
Hosford recommended the AWS Control Tower to manage security governance. This tool establishes a landing zone based on best-practice blueprints and enables governance using guardrails included in a pre-packaged list. The landing zone makes it easier to manage multiple AWS accounts. The landing zone has four components:
- A multi-account environment
- Guidelines for creating accounts that follow best practices
- Guidelines for creating and enforcing policies and governance
- Centralized access for admins
With Control Tower, distributed teams can provision new AWS accounts quickly, while cloud IT engineers can be confident all accounts are aligned with centrally established, company-wide policies. Control Tower offers guardrails for ongoing governance of an AWS environment by preventing deployment of resources that don’t conform to selected policies or detecting non-conformance of provisioned resources. Control Tower does not provide compliance guidelines for HIPAA, PCI, SOC-1, or SOC-2.
Amazon customers pay for the AWS services enabled by AWS Control Tower, including AWS Service Catalog, AWS CloudTrail, and the AWS Config rules that Control Tower sets up to implement guardrails. Check the AWS Regional Table for availability of Control Tower.
Amazon GuardDuty
In the “security in the cloud” section of his presentation, Hosford described Amazon GuardDuty as a way to automate threat response. This threat detection tool monitors for malicious activity to protect accounts and workloads. GuardDuty analyzes streams of metadata generated from AWS accounts and network activity found in AWS CloudTrail Events, Amazon VPC Flow Logs, and DNS Logs. The service uses threat intelligence feeds from CrowdStrike and Proofpoint to spot malicious IP addresses, possible crypto mining activity, and credential stuffing. The service operates independently from AWS resources, so it does not affect the performance or availability of workloads. GuardDuty also delivers detailed and actionable alerts that integrate with existing event management and workflow systems.
Amazon offers a free 30-day trial of the service to new customers with access to the full feature set and detections.
Security certifications from Amazon
Hosford closed his session with a brief discussion of certifications. Amazon has a Security Learning Path that includes classroom and online sessions for all skill levels. There is also free digital training as well. Security professionals can get an AWS Certified Cloud Practitioner certification or an AWS Certified Security Specialty certification. The programs are designed for people who have technical AWS Cloud experience and focus on access control, data encryption methods, and securing applications and infrastructure.
The Ramp-Up Guide collects all free digital training, classroom courses, videos, whitepapers, certifications, and other information that IT pros can use to build AWS Cloud knowledge. The free digital courses cover topics related to cloud security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security.