Cloud Computing for the Enterprise, Dr Werner Vogels, CTO Amazon.com

Cloud Computing for the Enterprise
Dr. Werner Vogels
CTO, Amazon.com
April 24, 2012

AWS Global Infrastructure
GovCloud US West US West US East South EU Asia Asia
(US ITAR (Northern (Oregon) (Northern America (Ireland) Pacific Pacific
Region) California) Virginia) (Sao Paulo) (Singapore) (Tokyo)

AWS Regions
AWS Edge Locations

Powering the Most Popular Internet Businesses

What Enterprises are Running on AWS
Business
Applications

Web
Applications

Big Data & High
Performance Computing

Disaster Recovery
& Archive

The Scale of AWS: Amazon S3 Growth
905 Billion
Peak Requests:
650,000+ 762 Billion
per second

Total Number of Objects Stored in Amazon S3

262 Billion

102 Billion
14 Billion 40 Billion
2.9 Billion

Q4 2006 Q4 2007 Q4 2008 Q4 2009 Q4 2010 Q4 2011 Q1 2012

Our Price Reduction Philosophy
Scale & Innovation… … Drive Costs Down

Attract More Invest in
Customers Capital

19 Price Reductions
Reduce Invest in
Prices Technology

Improve
Efficiency

AWS Platform Overview
Deployment & Administration

App Services

Compute Storage Database

Networking


Secure, redundant Cloud
infrastructure for global companies
and global apps Regions

Availability Zones
App Services


Networking Edge Locations


AWS Networking Services
Extend your enterprise infrastructure
to the AWS Cloud
Amazon Virtual Private Cloud
VPN to Extend Your Network Topology to AWS

Deployment & Administration AWS Direct Connect
Private, Dedicated Connection to AWS
App Services

Amazon Route 53
Networking Scalable Domain Name Service


Compute Services
Scalable Linux and Windows
compute services

Amazon EC2
Virtual Servers in the AWS Cloud

Auto Scaling
App Services
Rule-driven scaling service for EC2
Amazon Elastic Load Balancing
Networking
Virtual load balancers for EC2

Storage Services
Scalable and Durable High Performance Cloud Storage

Amazon S3
Redundant, High-Scale Object Store

App Services Amazon Elastic Block Store
Persistent block storage for EC2

Networking
AWS Storage Gateway
AWS Global Infrastructure Seamless backup of enterprise data to S3

Database Services
Scalable and Durable High
Performance Cloud Storage
Amazon DynamoDB
High Performance NoSQL Database Service

Amazon RDS
Managed Oracle & MySQL Database Service
App Services

Amazon ElastiCache
Managed Memecached Service
Networking


AWS App Services
Highly abstracted services
Amazon CloudFront
that replace software for Global Content Delivery Service

commonly needed application
functionality Amazon CloudSearch
Managed Search Service that Automatically Scales

Amazon SWF
Deployment & Administration Simple Workflow Service

App Services
Amazon SNS
Simple Notification Service
Amazon SQS
Networking Simple Queuing Service

AWS Global Infrastructure Amazon SES
Simple Transactional Email Service

Ecosystem App Services
3rd party highly abstracted services Security
that replace software for commonly Services
needed application functionality
… and already run on AWS Log Analysis
Services

Deployment & Administration Developer
Services
App Services

BI
Services

Networking Test
Services

3rd party managed services that
replace software for commonly AWS Ecosystem
needed application functionality AWS Management Console
Web-based management interface
… and already run on AWS
Amazon Elastic MapReduce
Big Data Analytics Service

Deployment & Administration AWS IAM
Identity & Access Management
App Services
Amazon CloudWatch
Automated monitoring & alerts
AWS CloudFormation
Networking Automated AWS resource provisioning

AWS Elastic Beanstalk
AWS Global Infrastructure Java & PHP App deployment & management

AWS Pace of Innovation… 82
Including:
AWS Oregon Region

61 Elastic Beanstalk (Beta)

Including: Amazon SES (Beta)

Amazon SNS AWS CloudFormation

Amazon CloudFront Amazon RDS for Oracle

Amazon Route 53 AWS Direct Connect

48 S3 Bucket Policies AWS GovCloud (US)

Including: RDS Multi-AZ Support Amazon ElastiCache

Amazon RDS RDS Reserved Databases VPC Virtual Networking

Amazon VPC AWS Import/Export VPC Dedicated Instances

Amazon EMR AWS IAM Beta SMS Text Notification

24 EC2 Auto Scaling AWS Singapore Region CloudFront Live Streaming

Including: EC2 Reserved Instances Cluster Instances for EC2 AWS Tokyo Region

Amazon SimpleDB EC2 Elastic Load Balance Micro Instances for EC2 SAP RDS on EC2
9 Amazon Cloudfront AWS Import/Export Amazon Linux AMI SAP BO on EC2

Including: Amazon EBS AWS Mngmt Console Oracle Apps on EC2 Win Srv 2008 R2 on EC2

Amazon FPS EC2 Availability Zones Win Srv 2008 on EC2 SUSE Linux on EC2 Win Srv 2003 VM Import

Red Hat Enterprise on EC2 EC2 Elastic IP Addresses IBM Apps on EC2 VM Import for EC2 Amazon S3 SSE

2007 2008 2009 2010 2011

…Continuing in the First Quarter of 2012
15
Amazon DynamoDB in Europe
Storage Gateway in South America
CloudFront Live Streaming
Route 53 Latency Based Routing
PHP and Git for Elastic Beanstalk
CloudFront Lowers Content Expiration

7 RDS Increases Backup Retention
IAM Password Management
Amazon DynamoDB
6
IAM User Access to Account Billing
AWS Storage Gateway Amazon Simple Workflow Service Amazon RDS Free Trial program
Amazon RDS on Amazon VPC Amazon DynamoDB in Japan Amazon EC2 Medium Instances
AWS IAM Identity Federation ElastiCache in Oregon and Sao Paulo 64-bit AMI on Small & Medium
Windows Free Usage Tier Amazon S3 Lower Prices EC2 Linux Login from Console
New Premium Support Features AWS CloudFormation for VPC Beanstalk Resource Permissions
New AWS Direct Connect Locations New Osaka and Milan Edge Locations EC2, RDS, ElastiCache Lower Prices

January February March

AWS Direct Connect
Private secure connection to AWS
AWS Cloud

Bypass the public Internet
AWS Direct
Connect

High bandwidth and predictable
Internet
latency
Corporate Data Center

AWS Storage Gateway
Easily backup on-premises data to AWS
Snapshots in
S3 Amazon S3

Store snapshots in Amazon S3 for
backup and disaster recovery

Simple software appliance - no changes
required to your on-premises architecture
AWS
Storage
Gateway

Your Data Center

Amazon Simple Workflow Service
Run application workflows and business
processes on AWS
Amazon SWF
Manage processes across Cloud,
mobile and on-premises environments

Cloud Mobile On Premises Use any programming language for
workflow logic

Amazon DynamoDB
Non Relational (NoSQL)
Database

Fast & predictable performance

Seamless Scalability

Zero administration

Amazon CloudSearch
Fully managed search service
Up and running in less than an hour
Automatically scales for data and traffic
Starting at less than $100 / month

PHP & Git Deployment for AWS Beanstalk
git push
Elastic Beanstalk
Run and manage existing PHP
applications with no changes to
application code
PHP

Your App Apache HTTP
Server
Amazon
Provides full control over the
Linux infrastructure and the software
Elastic Load
Balancer

yourApp.elasticbeanstalk.com

AWS Marketplace
Find, buy and run software running
on AWS

More than 250 listings at launch

Sell your software or SaaS app to
our hundreds of thousands of
customers

aws.amazon.com/marketplace

The AWS Mission
Enable businesses and developers to use web services
to build scalable, sophisticated applications.

The Seven Transformations
of Cloud Computing

A common misconception:
cloud computing is only about….

Saving money Doing things faster

Cloud Transforms what’s possible

Transformation 1:
Distributed Architectures Made Easy

High
Availability

Building Distributed Architectures
with Traditional Infrastructure is Difficult

Cloud Computing Makes This Easier
Distributed Multi-AZ Building Loosely Coupled
Infrastructure Services Blocks Process Coordination

AWS
Regions S3
EC2 SWF
Instances

DynamoDB SNS
Availability
Zones
Elastic Load
RDS Balancer SQS

Architecture Templates for Common Patterns

MICROSOFT SHAREPOINT

aws.amazon.com/architecture

… open source Simian Army
coming soon

Transformation 2:
Embracing the security advantages of shared systems

Applications
Flexibility to Choose the Right Your
Apps
Security Model for Each Application

Infrastructure AWS Security Infrastructure
SOC 1/SSAE 16/ISAE 3402,
Every Customer Gets the ISO 27001, PCI DSS, HIPAA, ITAR,
FISMA Moderate, FIPS 140-2
Highest Level of Security

Kit, go
faster

Transformation 3:
From Scaling by
Architecture …
to Scaling By Yes
Command
Michael

Scaling by Architecture: NoSQL Database
Cluster
Set up Config & Shard & Rinse &
more servers Tune Repartition Repeat

Scaling by Command with Amazon
DynamoDB

Amazon DynamoDB

Data is automatically spread
across enough hardware to deliver
single digit millisecond latency.

Transformation 4:
A Supercomputer in the Hands of Every Developer

Supercomputers Today are Privileges of the
Elite

Expensive

Rationed time

Only for the “highest value” jobs

Supercomputers by the Hour… for Everyone.

AWS built the 42nd fastest supercomputer in the world
1,064 Amazon EC2 CC2 instances with17,024 cores
240 teraflops cluster (240 trillion calculations per second)
Less than $1,000 per hour

Develops leading computational
chemistry algorithms

Instead of $20M in datacenter spend…
51,132 Cores…

3 Hours…

$4,828/ hour …

Transformation 5:
Experiment Often & Fail Quickly

Traditional Infrastructure Drives up the Cost
of Failure … Innovation Suffers

How many big ticket
technology ideas can
your budget tolerate?

Experiment Often & Fail Quickly with AWS

  

Cost of failure falls dramatically

People are free to try out new ideas
 
More risk taking, more innovation
  
  

Transformation 6:
Big Data without Big Servers

Attacking Big Data Problems Shouldn’t Be
This Complicated
Storing Massive Data Investing In Expensive
Volumes Into A Huge Data Server Clusters To Process
Warehouse The Data

The Cloud Makes This a Lot Simpler

Hadoop Clusters
Amazon S3

Amazon DynamoDB Amazon EMR

Load Data in Organize & Visualize
the Cloud Analyze Data Results
1 2 3

Transformation 7:
Mobile Ecosystem for a Mobile-First World

Building Mobile
Applications on Your
Own is Hard

What Your Mobile App Requires

Rich media experience Virtual goods economy
Multi-device access Recommendations
Location context aware Integration with social networks
Real-time presence driven Advertisement
Social graph based Premium support
User generated content

PBS Video for iPad PBSKids Video for iPad
Launched Nov ‘10 Launched April ‘11

Fun With Numbers - February 2012
Total Video Mobile Video
Unique visitors: 30M/mo 115k unique visitors per day
Visits: 57M/mo 310k daily app opens
Page views: 367M / mo 27% of hours watched, 40%
of streams
Video streams: 145M/mo
Hours watched: 2.3M/mo

How Enterprises are using the AWS Cloud
Dan Powers
VP, Global Sales and Business Development

Trusted by Enterprises throughout the world

On-Premise Infrastructure is Costly & Complex
Large Capital Expenditures Underutilized IT Assets

Patching Software
Out of Datacenter Space
Scaling down as needed
Slow IT Deployments
Contract negotiation
Scaling up quickly
Prices too high for IT products Managing physical growth

“IT spends 80% of its time and resources keeping the lights on”

Key benefits to running in the AWS Cloud
No Up-Front Low Variable Pay Only for
Capital Expense Pricing What You Use

Self-Service Easily Scale Up Improve Agility &
Infrastructure and Down Time to Market

No Up-Front Capital Expense
On-Premise
Up-Front On-Premise Costs VariableCloud Computing Costs
Cloud Computing
Physical Space
Cabling
Power
Cooling
Networking $0
Racks to Get Started
Servers
Storage
Certification
Labor

Low Cost
Scale & Innovation … … Drive Costs Down
Attract
Invest in
More
Capital
Customers

Reduce Invest in
Prices Technology

Improve
Efficiency

“TCO savings inherent in a cloud provider’s environment relative to that of a
tradition enterprise datacenter may be as high as 60%.”
Morgan Stanly Research, Cloud Computing Takes Off

Pay Only for What You Use
Actual Usage
Compute Power

Customer
Dissatisfaction

Predicted Usage

Waste

Time

Self-Service Infrastructure
On-Premise Cloud Computing
Build new environments can be New infrastructure is always a few
complex and slow clicks away
Needs Survey Assess New Development Environment

New Test Environment
Plan Design Engineer

New Environment in Japan
Commissi
Procure Construct
on
Add 1,000 Servers

Deploy Remove 1,000 Servers

Source: PTS Data Center Solutions

Easily Scale Up and Down
Internet Video App on Amazon EC2
From 50 to 5,000 servers in 3 days
5,000
Scaled to peak of
Number of EC2 Instances

5,000 instances in
3 days

Launch of
Facebook
application

0
Monday Tuesday Wednesday Thursday Friday Saturday Sunday
The Animoto Blog

Cloud Computing is More Than Just
Virtualization
Cloud Computing On-Premise
Virtualization
Self-Service Infrastructure
 ?
No Up-Front Capital Expense
 
Low Cost
 
Pay Only for What You Use
 
Easily Scale Up and Down
 
Improve Agility & Time-to-Market
 

What Analysts are Saying about AWS
Infrastructure-as-a-Service Leader in 2011 Gartner Leader in 2011 Forrester
Market Share Leader IaaS Magic Quadrant Hadoop Wave

Built for Enterprise Security Standards

Certifications Physical Security HW, SW, Network

SOC 1 Type 2 (formerly Datacenters in nondescript Systematic change
SAS-70) facilities management

ISO 27001 Physical access strictly Phased updates
controlled deployment
PCI DSS for EC2, S3,
EBS, VPC, RDS, ELB, IAM Must pass two-factor Safe storage
authentication at least decommission
FISMA Moderate twice for floor access
Compliant Controls Automated monitoring and
Physical access logged self-audit
HIPAA & ITAR Compliant and audited
Architecture Advanced network
protection

aws.amazon.com/security

10.2.1.1

Your
Network

Virtual Private Cloud

10.1.1.1

VPN

Enterprise Apps
On AWS

Internet

10.2.1.1

Your
Network

10.1.1.1

AWS Direct Connect

Enterprise Apps
On AWS

Internet

Business apps are

more efficient
in the cloud

A Variety of Partner Choices..

A Variety of Enterprise Products and Licensing Options..
License Hourly
Popular Applications Mobility Licensing
Oracle Applications
Oracle Fusion Middleware
Oracle DB 11g

SAP ERP/A1
SAP Business Objects
SAP Rapid Deployment Solutions

Microsoft SharePoint Server
Microsoft Server and Tools
Microsoft Windows Server Apps

IBM DB2 and Informix
IBM WebSphere
IBM Lotus, Tivoli, etc.

RedHat Enterprise Linux
JBOSS
Gluster

Benefits
Infrastructure Procurement Time Reduced from
over four to six weeks to minutes.
Amazon Corporate IT
Server Image Build Process that had previously
Deploys Mission-Critical taken a half day is now automated.
Corporate Intranet Annual Infrastructure Costs Cut by 22 percent
running SharePoint 2010 when replacing on-premise hardware with
equivalent cloud resources.
to AWS Cloud
Eliminating Operational Overhead of server
lease returns, freeing up approximately 2 weeks
of engineering overhead per year by replacing
servers with equivalent cloud resources.

“The AWS Cloud brings business agility as Shell is able to deploy
services much more quickly”
- Johan Krebers
Vice President of Architecture

Enterprise case study Business Benefits
• Using AWS since 2010 • No minimum commitment up front and
• Operationalizing their cloud strategy pay per use brings significant savings
• Shell Foundation Platform – an IT • Fast provisioning within minutes for
framework – is AWS approved many applications
• Core operational applications • Elasticity – the ability to expand and
running in production on AWS contract IT infrastructure as needed
• Default for new apps: AWS

“This is a fantastic cloud use case for our company – a truly
live production environment with dynamic content.”
- Rob Prager, Director of IT

Use of AWS Business Benefit

Insurance and Financial Services Cloud-hosted service approved by security
company with over 15M customers. and privacy officers.

Address security challenges while
handling customer data in a regulated Compliant with data privacy requirements
industry. in the U.S. and Europe.

Amazon AWS services leveraged to
deliver Trend Micro SecureCloud. E-signature application in production.

Project Usage AWS Footprint

- Started in Jan 2008, 5 FTE - 276 Cloud Appliances 1,100 new SAP systems
- Focus: IT Automation on IaaS > 600 SAP employees as direct users 42,086 EC2 Instance Hours
from >16 countries 39 TB EBS Storage
- SAP Self-service since March 2008 >10,000 SAP systems provisioned 3 TB S3 Storage
- Enables unlimited # systems in clouds - Cost Savings based on
- Weekly Feature Extensions 1. Less expensive Hardware Hosting
2. IT Process Automation

Top 3 Consuming Departments – Avg. Cost Saving Rate: 77%
Customer Workshops Customer Trainings Customer Demos

215 SAP Systems 111 SAP Systems 118 SAP Systems
$ 15 / SAP system $ 42 / SAP system $ 76 / SAP system
26 hrs / SAP system 82 hrs / SAP system 119 hrs / SAP system
Status: Productive Status: Pilot + Ramp up Status: Productive + Ramp up

Source: SAP

Enterprises getting to value

quickly
in the cloud

Samsung saved $34M on their Smart Hub
application
Problem:
Needed to reduce IT costs and were looking
to create a more flexible IT environment

Solution:
AWS’s low, pay-as-you-go prices and reliable
services. With every request, the application
authenticates devices, delivers apps and
content, and pushes notifications.

Business Benefits:
Saved $34M in hardware and maintenance
expenses, 85% less than running on-
premises

The Guardian easily responds to the
unpredictable demand of new applications
Problem:
Building new online services and they needed the
ability to easily respond to large-scale unpredictable
demand
Solution:
The scale and reliability of the AWS Cloud.
GNM uses AWS for its Apple iPhone application and
Content API service
Business Benefits:
Reduced server configuration from 3 weeks to 30
minutes
Able to meet availability SLAs even with significant
demand peaks after the service’s launched.

FCBarcelona Responds to its Game Day
Demand Peaks with AWS, Saving Money
Use of AWS:
FCBarcelona’s websites, ecommerce, and
mobile applications.

Use Amazon EC2, Amazon CloudFront,
Amazon RDS, Amazon Route 53, and many
other services.

Business Benefits:
Easily respond to game day peaks
Improved time-to-market

“IaaS will significantly change the way IT will deliver
infrastructure services to the business. We selected AWS
because they are a leader in that field.”

- Yves Martelle, Global Director of Infrastructure

Enterprise Case Study Business Benefit

• Started moving Internet and Intranet • Open and flexible platform allows

workloads to AWS in early 2011 Schneider to run Java and .NET apps on

• Runs 15 production applications on Windows and Linux virtual servers

AWS • Increased IT agility by rolling out new

• Used Amazon VPC to connect its applications faster on AWS

datacenter to the AWS cloud

Enterprises are scaling

elastically
in the cloud

Bank – Credit-Risk
Simulation
“The AWS platform was a good fit for its unlimited and flexible computational
power to our risk-simulation process requirements.

With AWS, we now have the power to decide how fast we want to obtain
simulation results, and, more importantly, we have the ability to run
simulations not possible before due to the large amount of infrastructure
required.”

– Castillo, Director, Bankinter

Average time-to-solution down from 23 hours to 20 minutes

“We see continued value in using the AWS cloud because of
the flexibility and the scalability. We have a long queue of
projects and we envision using AWS to help us get there.”

Jeff Sternberg, Data Science Lead
Capital IQ / Standard & Poors

Big Data Case Study Business Benefit

• Recommendation engine for investment • EMR and S3 provided a low-cost and
bankers looking for new ideas. high-performance foundation for
• Leverages EC2, EMR, S3, VPC. parallel applications
• EMR pulls data from S3 for processing • Increased security by using VPC and
and pushes the results into a SQL to extend corporate datacenter into
database. the AWS cloud

“Unilever’s digital data program now processes genetic sequences twenty times
faster—without incurring higher compute costs. In addition, its robust architecture
supports ten times as many scientists, all working simultaneously.”

- Pete Keeley
Unilever Research’s eScience IT Lead for Cloud

The Story Business Benefit

• New biology and informatics program • Ten times as many scientists can process

promotes access to public data studies simultaneously, compared to non-cloud

• Underlying architecture must keep pace with architecture

expanding scientific discoveries • Genetic sequence processing is twenty times

• Simple but robust solution combines Amazon faster, without increasing compute costs

EC2, Amazon RDS, and Amazon S3 with the • Both companies are confident that the AWS-

open-source workflow system, eHive based program helps Unilever’s scientists
create market-leading innovations

Enterprises are

protecting their data
in the cloud

“The primary driver wasn't cost, but rather the ability to set
HAVEN up the infrastructure even though we recognized the design
was changing.”
POWER - Paul Armstrong, Business Systems Manager

Use of AWS Business Benefit

• U.K.-based electric company • Flexible DR architecture at low cost
• Needed flexible disaster recovery • Avoided large up-front investment
• AWS offered flexibility, proven services, lower cost • IT and Operations are more responsive to the
• Smart421 able to quickly translate requirements business
into a solution • New builds that used to take days now take hours
• Running disaster recovery, testing, and
development on AWS
• Planning big data projects on AWS

Archive Vaulting
solution

Business Benefits
“Since 2003 we used IT-Lifeline to safeguard • Complete elimination of tape from the
our corporate data and provide data center,
technology, and workspace recovery if archival process
adversity strikes. Because they have delivered
their promise of recovery on multiple • Faster recovery speeds
occasions, we feel confident in expanding our
relationship with IT-Lifeline.”
• Protects 246 nodes and 40TB daily

Jim Brockett, Chief Information Officer,
Washington Trust Bank

Fortune 400 Customer Uses Sonian to Migrate Archiving to AWS

Customer: Partner:

Business Problem AWS Solution Business Benefit
• Had a legacy on-prem Sonian’s email archiving • Reduced risk on
archive system that wasn’t platform to enable: company’s early case
keeping up with their assessment
incoming data – 10K • Enhanced early case • Enabled search across
mailboxes assessment activities millions of archived emails
• Challenged to find support • Intuitive search to facilitate eDiscovery as
for Lotus Domino archiving capabilities well as worker productivity
• Needed support for early- • Cost-effective archiving • 50% less cost than on-
case assessment and solution premise archiving
internal investigations • Reduced overhead on IT
staff to support archiving

Next Steps
Learn more on Enterprise
Cloud Computing:

aws.amazon.com/enterprise

Get started with a free trial

aws.amazon.com/free

Cloud Computing for the Enterprise | London

WiFi access
Network: WCH
Username: AMAZON
#hashtag
#AWSLondon

Password: P6FW3HY

AWS: Overview of Security Processes
Stephen Schmidt
Chief Information Security Officer

AWS Security Model Overview
Certifications & Accreditations Shared Responsibility Model

Sarbanes-Oxley (SOX) compliance Customer/SI Partner/ISV controls
ISO 27001 Certification guest OS-level security, including
PCI DSS Level I Certification patching and maintenance
HIPAA compliant architecture Application level security, including
password and role based access
SAS 70(SOC 1) Type II Audit
Host-based firewalls, including
FISMA Low & Moderate ATOs
Intrusion Detection/Prevention
DIACAP MAC III-Sensitive Systems
 Pursuing DIACAP MAC II–Sensitive
Separation of Access
Physical Security VM Security Network Security
Multi-level, multi-factor controlled Multi-factor access to Amazon Instance firewalls can be configured
access environment Account in security groups;
Controlled, need-based access for Instance Isolation The traffic may be restricted by
AWS employees (least privilege) • Customer-controlled firewall at protocol, by service port, as well as
Management Plane Administrative Access the hypervisor level by source IP address (individual IP
Multi-factor, controlled, need-based • Neighboring instances or Classless Inter-Domain Routing
access to administrative host prevented access (CIDR) block).
All access logged, monitored, • Virtualized disk management Virtual Private Cloud (VPC)
reviewed layer ensure only account provides IPSec VPN access from
AWS Administrators DO NOT have owners can access storage existing enterprise data center to a
logical access inside a customer’s disks (EBS) set of logically isolated AWS
VMs, including applications and resources
Support for SSL end point
data encryption for API calls

Shared Responsibility Model
AWS Customer
Facilities Operating System
Physical Security Application
Physical Infrastructure Security Groups
Network Infrastructure Network ACLs
Virtualization Network Configuration
Infrastructure Account Management

AWS Security Resources

http://aws.amazon.com/security/
Security Whitepaper
Risk and Compliance Whitepaper
Latest Versions May 2011, January
2012 respectively
Regularly Updated
Feedback is welcome

AWS Certifications
Sarbanes-Oxley (SOX)
ISO 27001 Certification
Payment Card Industry Data Security
Standard (PCI DSS) Level 1 Compliant
SAS70(SOC 1) Type II Audit
FISMA A&As
• Multiple NIST Low Approvals to Operate (ATO)
• NIST Moderate, GSA issued ATO
• FedRAMP
DIACAP MAC III Sensitive IATO
Customers have deployed various compliant applications such as
HIPAA (healthcare)

SOC 1 Type II
Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2
report every six months and maintains a favorable unbiased and unqualified opinion
from its independent auditors. AWS identifies those controls relating to the operational
performance and security to safeguard customer data. The SOC 1 report audit attests
that AWS’ control objectives are appropriately designed and that the individual controls
defined to safeguard customer data are operating effectively. Our commitment to the SOC
1 report is on-going and we plan to continue our process of periodic audits.

The audit for this report is conducted in accordance with the Statement on Standards for
Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance
Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can
meet a broad range of auditing requirements for U.S. and international auditing bodies.
This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70)
Type II report.

This report is available to customers under NDA.

SOC 1
Type II – Control Objectives
Control Objective 1: Security Organization
Control Objective 2: Amazon Employee Lifecycle
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security
Control Objective 6: Environmental Safeguards
Control Objective 7: Change Management
Control Objective 8: Data Integrity, Availability and Redundancy
Control Objective 9: Incident Handling

ISO 27001
AWS has achieved ISO 27001 certification of our
Information Security Management System (ISMS)
covering AWS infrastructure, data centers in all regions
worldwide, and services including Amazon Elastic
Compute Cloud (Amazon EC2), Amazon Simple Storage
Service (Amazon S3) and Amazon Virtual Private Cloud
(Amazon VPC). We have established a formal program
to maintain the certification.

Physical Security
Amazon has been building large-scale data centers for many
years
Important attributes:
• Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
Controlled, need-based access for
AWS employees (least privilege)
All access is logged and reviewed

GovCloud US West US West US East South EU Asia Asia
(US ITAR (Northern (Oregon) (Northern America (Ireland) Pacific Pacific
Region) California) Virginia) (Sao Paulo) (Singapore) (Tokyo)

AWS Regions
AWS Edge Locations

AWS Regions and Availability Zones

Customer Decides Where Applications and Data Reside

AWS Identity and Access Management
Enables a customer to create multiple Users and
manage the permissions for each of these
Users.
Secure by default; new Users have no access to
AWS until permissions are explicitly granted. Us
AWS IAM enables customers to minimize the
use of their AWS Account credentials. Instead
all interactions with AWS Services and
resources should be with AWS IAM User
security credentials.er
Customers can enable MFA devices for their
AWS Account as well as for the Users they have
created under their AWS Account with AWS IAM.

AWS MFA Benefits
Helps prevent anyone with unauthorized knowledge of your e-
mail address and password from impersonating you
Requires a device in your physical possession to gain access
to secure pages on the AWS Portal or to gain access to the
AWS Management Console
Adds an extra layer of protection to sensitive information,
such as your AWS access identifiers
Extends protection to your AWS resources such as Amazon
EC2 instances and Amazon S3 data

Amazon EC2 Security
Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
Guest operating system
• Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs
Firewall
• Mandatory inbound instance firewall, default deny mode
• Outbound instance firewall available in VPC
• VPC subnet ACLs
Signed API calls
• Require X.509 certificate or customer’s secret AWS key

Amazon EC2 Instance Isolation

Customer 1 Customer 2 … Customer n

Hypervisor

Virtual Interfaces
Customer 1 Customer 2 Customer n
Security Groups Security Groups … Security Groups
Firewall
Physical Interfaces

Virtual Memory & Local Disk

Amazon EC2
Instances

Encrypted
File System Amazon EC2
Instance
Encrypted
Swap File

• Proprietary Amazon disk management prevents one Instance from
reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an
added layer of security

Network Security Considerations
DDoS (Distributed Denial of Service):
• Standard mitigation techniques in effect
MITM (Man in the Middle):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot
IP Spoofing:
• Prohibited at host OS level
Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Ineffective anyway since inbound ports
• blocked by default
Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level

Amazon Virtual Private Cloud (VPC)
Create a logically isolated environment in Amazon’s highly scalable infrastructure
Specify your private IP address range into one or more public or private subnets
Control inbound and outbound access to and from individual subnets using stateless
Network Access Control Lists
Protect your Instances with stateful filters for inbound and outbound traffic using
Security Groups
Attach an Elastic IP address to any instance in your VPC so it can be reached
directly from the Internet
Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted
VPN connection and/or AWS Direct Connect
Use a wizard to easily create your VPC in 4 different topologies

Amazon VPC Architecture
Customer’s isolated
AWS resources
Subnets

NAT
Internet Router
VPN
Gateway
Secure VPN Amazon
Connection over
the Internet
Web Services
AWS Direct Cloud
Connect –
Dedicated
Path/Bandwidth
Customer’s
Network

Amazon VPC Network Security Controls

Amazon VPC - Dedicated Instances
New option to ensure physical hosts are not shared with
other customers
$10/hr flat fee per Region + small hourly charge
Can identify specific Instances as dedicated
Optionally configure entire VPC as dedicated

AWS Deployment Models
Logical Server Granular Logical Physical Government Only ITAR Sample Workloads
and Information Network server Physical Network Compliant
Application Access Policy Isolation Isolation and Facility (US Persons
Isolation Isolation Only)

Commercial   Public facing apps. Web
Cloud sites, Dev test etc.

Virtual Private     Data Center extension,
Cloud (VPC) TIC environment, email,
FISMA low and
Moderate

AWS GovCloud       US Persons Compliant
(US) and Government
Specific Apps.

Thanks!

Remember to visit
https://aws.amazon.com/security

Cloud Computing for the Enterprise, Dr Werner Vogels, CTO Amazon.com

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Cloud Computing for the Enterprise, Dr Werner Vogels, CTO Amazon.com

Similaire à Cloud Computing for the Enterprise, Dr Werner Vogels, CTO Amazon.com (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

Dernier

Dernier (20)

Cloud Computing for the Enterprise, Dr Werner Vogels, CTO Amazon.com