2. AWS Security Model Overview
Certifications & Accreditations
! Sarbanes-Oxley (SOX) compliance
! ISO 27001 Certification
! PCI DSS Level I Certification
! HIPAA compliant architecture
! SAS 70 (SOC 1) Type II Audit
! FISMA Low & Moderate ATOs
! DIACAP MAC III-Sensitive Systems
§ Pursuing DIACAP MAC II–Sensitive
Shared Responsibility Model
! Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance
! Application level security, including password and role based access
! Host-based firewalls, including Intrusion Detection/Prevention
! Separation of Access
Physical Security
! Multi-level, multi-factor controlled access environment
! Controlled, need-based access for AWS employees (least privilege)
Management Plane Administrative Access
! Multi-factor, controlled, need-based access to administrative host
! All access logged, monitored, reviewed
! AWS Administrators DO NOT have logical access inside a customer’s VMs, including applications and data
VM Security
! Multi-factor access to Amazon Account
! Instance Isolation
• Customer-controlled firewall at the hypervisor level
• Neighboring instances prevented access
• Virtualized disk management layer ensures only account owners can access storage disks (EBS)
! Support for SSL end point encryption for API calls
Network Security
! Instance firewalls can be configured in security groups; the traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block)
! Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
4. AWS Security Resources
! http://aws.amazon.com/security/
! Security Whitepaper
! Risk and Compliance Whitepaper
! Latest Versions May 2011, January 2012 respectively
! Regularly Updated
! Feedback is welcome
5. AWS Certifications
! Sarbanes-Oxley (SOX)
! ISO 27001 Certification
! Payment Card Industry Data Security
Standard (PCI DSS) Level 1 Compliant
! SAS70(SOC 1) Type II Audit
! FISMA A&As
• Multiple NIST Low Approvals to Operate (ATO)
• NIST Moderate, GSA issued ATO
• FedRAMP
! DIACAP MAC III Sensitive ATO
! Customers have deployed various compliant applications such as HIPAA (healthcare)
6. SOC 1 Type II
! Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2
report every six months and maintains a favorable unbiased and unqualified opinion
from its independent auditors. AWS identifies those controls relating to the operational
performance and security to safeguard customer data. The SOC 1 report audit attests
that AWS’ control objectives are appropriately designed and that the individual controls
defined to safeguard customer data are operating effectively. Our commitment to the SOC 1
report is ongoing and we plan to continue our process of periodic audits.
! The audit for this report is conducted in accordance with the Statement on Standards for
Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance
Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can
meet a broad range of auditing requirements for U.S. and international auditing bodies. This
audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II
report.
! This report is available to customers under NDA.
7. SOC 1 Type II – Control Objectives
! Control Objective 1: Security Organization
! Control Objective 2: Amazon Employee Lifecycle
! Control Objective 3: Logical Security
! Control Objective 4: Secure Data Handling
! Control Objective 5: Physical Security
! Control Objective 6: Environmental Safeguards
! Control Objective 7: Change Management
! Control Objective 8: Data Integrity, Availability and Redundancy
! Control Objective 9: Incident Handling
8. ISO 27001
! AWS has achieved ISO 27001 certification of our
Information Security Management System (ISMS)
covering AWS infrastructure, data centers in all regions
worldwide, and services including Amazon Elastic
Compute Cloud (Amazon EC2), Amazon Simple Storage
Service (Amazon S3) and Amazon Virtual Private Cloud
(Amazon VPC). We have established a formal program
to maintain the certification.
9. Physical Security
! Amazon has been building large-scale data centers for
many years
! Important attributes:
• Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
! Controlled, need-based access for
AWS employees (least privilege)
! All access is logged and reviewed
10. AWS Regions and Edge Locations (map)
! GovCloud (US ITAR Region)
! US West (Northern California)
! US West (Oregon)
! US East (Northern Virginia)
! South America (Sao Paulo)
! EU (Ireland)
! Asia Pacific (Singapore)
! Asia Pacific (Tokyo)
[Map legend: AWS Regions; AWS Edge Locations]
11. AWS Regions and Availability Zones
Customer Decides Where Applications and Data Reside
12. AWS Identity and Access Management
! Enables a customer to create multiple Users and manage the permissions for each of these Users.
! Secure by default; new Users have no access to AWS until permissions are explicitly granted.
! AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials.
! Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
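The "secure by default" and MFA points above, as an added example that is not part of the original deck or AWS code: a simplified model of IAM's documented evaluation order (no matching Allow means deny, an explicit Deny overrides any Allow) with the real `aws:MultiFactorAuthPresent` condition key; the policy documents are constructed samples.

```python
# Simplified model of IAM policy evaluation: default deny, explicit Allow
# grants, explicit Deny always wins, plus a Bool condition check for MFA.
# Added illustration, not AWS code; the sample policies are constructed.
from fnmatch import fnmatchcase

def _match(pattern, value):
    """IAM-style wildcard match ('*' and '?'); actions are case-insensitive."""
    return fnmatchcase(value.lower(), pattern.lower())

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _statement_applies(stmt, action, resource, context):
    if not any(_match(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    # Only the Bool operator is modelled; enough for aws:MultiFactorAuthPresent.
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        if str(context.get(key, False)).lower() != str(expected).lower():
            return False
    return True

def is_allowed(policies, action, resource, context=None):
    """True only if some statement allows the request and none denies it."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return False          # explicit deny overrides everything
                allowed = True
    return allowed                        # no matching Allow: default deny

# Constructed sample: read-only S3, instance termination only with MFA,
# and a hard deny on an audit-log bucket that no Allow can override.
SAMPLE_POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::audit-logs/*"},
    ]},
]

if __name__ == "__main__":
    # A brand-new User with no policy attached gets nothing, as the slide says.
    print(is_allowed([], "s3:GetObject", "arn:aws:s3:::public/x"))            # False
    print(is_allowed(SAMPLE_POLICIES, "ec2:TerminateInstances", "*",
                     {"aws:MultiFactorAuthPresent": True}))                   # True
```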
14. AWS MFA Benefits
! Helps prevent anyone with unauthorized
knowledge of your e-mail address and password
from impersonating you
! Requires a device in your physical possession to
gain access to secure pages on the AWS Portal or
to gain access to the AWS Management Console
! Adds an extra layer of protection to sensitive
information, such as your AWS access identifiers
! Extends protection to your AWS resources such as
Amazon EC2 instances and Amazon S3 data
15. Amazon EC2 Security
! Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
! Guest operating system
• Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs
! Firewall
• Mandatory inbound instance firewall, default deny mode
• Outbound instance firewall available in VPC
• VPC subnet ACLs
! Signed API calls
• Require X.509 certificate or customer’s secret AWS key
16. Amazon EC2 Instance Isolation
[Diagram: Customer 1, Customer 2 … Customer n instances sit above the Hypervisor and its Virtual Interfaces; each customer’s traffic passes through its own Security Groups and the Firewall before reaching the Physical Interfaces]
17. Virtual Memory & Local Disk
[Diagram: Amazon EC2 Instances with an Encrypted File System; Amazon EC2 Instance with an Encrypted Swap File]
• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an added layer of security
18. Network Security Considerations
! DDoS (Distributed Denial of Service):
• Standard mitigation techniques in effect
! MITM (Man in the Middle):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot
! IP Spoofing:
• Prohibited at host OS level
! Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Ineffective anyway since inbound ports blocked by default
! Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level
19. Amazon Virtual Private Cloud (VPC)
! Create a logically isolated environment in Amazon’s highly scalable
infrastructure
! Specify your private IP address range into one or more public or private subnets
! Control inbound and outbound access to and from individual subnets using
stateless Network Access Control Lists
! Protect your Instances with stateful filters for inbound and outbound traffic using
Security Groups
! Attach an Elastic IP address to any instance in your VPC so it can be reached
directly from the Internet
! Bridge your VPC and your onsite IT infrastructure with an industry standard
encrypted VPN connection and/or AWS Direct Connect
! Use a wizard to easily create your VPC in 4 different topologies
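The contrast between stateless Network ACLs and stateful Security Groups above, together with the mandatory default-deny inbound firewall from slide 15, as an added model that is not part of the original deck or AWS code; the rule sets and the client address are constructed samples, and the ACL that omits ephemeral return ports shows the classic stateless mistake.

```python
# Added model of the two VPC filters, not AWS code: a stateful security
# group that remembers accepted flows, and a stateless network ACL that
# checks every packet, including return traffic, against explicit
# per-direction rules. All rule sets below are constructed samples.
import ipaddress

class SecurityGroup:
    """Stateful: inbound default deny; an accepted inbound flow implies its return."""
    def __init__(self, inbound_rules):
        self.inbound = inbound_rules      # list of (proto, port, source_cidr)
        self.established = set()          # (peer_ip, peer_port, local_port)

    def inbound_allowed(self, proto, src_ip, src_port, dst_port):
        for rule_proto, rule_port, cidr in self.inbound:
            if (proto == rule_proto and dst_port == rule_port
                    and ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)):
                self.established.add((src_ip, src_port, dst_port))
                return True
        return False                      # mandatory default deny (slide 15)

    def outbound_allowed(self, proto, dst_ip, dst_port, src_port):
        # Return traffic of a tracked connection needs no outbound rule.
        return (dst_ip, dst_port, src_port) in self.established

class NetworkAcl:
    """Stateless: numbered rules per direction, lowest number wins, no memory."""
    def __init__(self, inbound, outbound):   # rules: (num, proto, lo, hi, action)
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def allowed(self, direction, proto, port):
        for _num, rule_proto, lo, hi, action in self.rules[direction]:
            if proto == rule_proto and lo <= port <= hi:
                return action == "allow"
        return False                      # implicit deny at the end of the list

def https_flow(sg, acl, client_ip="203.0.113.10", client_port=51234):
    """Client SYN to port 443, then the server's reply; returns (in_ok, out_ok)."""
    in_ok = (acl.allowed("in", "tcp", 443)
             and sg.inbound_allowed("tcp", client_ip, client_port, 443))
    out_ok = (acl.allowed("out", "tcp", client_port)
              and sg.outbound_allowed("tcp", client_ip, client_port, 443))
    return in_ok, out_ok

def https_sg():
    return SecurityGroup([("tcp", 443, "0.0.0.0/0")])

# Constructed ACLs: the first forgets the ephemeral return ports, so the
# server's SYN-ACK is dropped even though the security group tracked the flow.
ACL_NO_RETURN = NetworkAcl(inbound=[(100, "tcp", 443, 443, "allow")], outbound=[])
ACL_WITH_RETURN = NetworkAcl(inbound=[(100, "tcp", 443, 443, "allow")],
                             outbound=[(100, "tcp", 1024, 65535, "allow")])
```

`https_flow(https_sg(), ACL_NO_RETURN)` yields `(True, False)`: the handshake is accepted inbound but the reply never leaves the subnet, which is why a stateless ACL must carry an explicit ephemeral-port rule in the opposite direction.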
20. Amazon VPC Architecture
[Diagram: Customer’s isolated AWS resources in Subnets, with NAT and Internet Router inside the Amazon Web Services Cloud; a VPN Gateway links the VPC to the Customer’s Network by a Secure VPN Connection over the Internet or by AWS Direct Connect (Dedicated Path/Bandwidth)]
22. Amazon VPC - Dedicated Instances
! New option to ensure physical hosts are not shared with
other customers
! $10/hr flat fee per Region + small hourly charge
! Can identify specific Instances as dedicated
! Optionally configure entire VPC as dedicated
23. AWS Deployment Models
Attributes compared: Logical Server and Application Isolation; Granular Information Access Policy; Logical Network Isolation; Physical Server Isolation; Physical Network and Facility Isolation; Government Only; ITAR Compliant (US Persons Only); Sample Workloads
! Commercial Cloud: 2 attributes checked. Sample workloads: public facing apps, web sites, dev/test etc.
! Virtual Private Cloud (VPC): 4 attributes checked. Sample workloads: data center extension, TIC environment, email, FISMA Low and Moderate
! AWS GovCloud (US): 6 attributes checked. Sample workloads: US Persons compliant and Government specific apps.
24. Thanks!
Remember to visit
https://aws.amazon.com/security