Cloud Computing for the Enterprise, Dr Werner Vogels, CTO Amazon.com
1. Cloud Computing for the Enterprise
Dr. Werner Vogels
CTO, Amazon.com
April 24, 2012
2. AWS Global Infrastructure
AWS Regions:
• GovCloud (US ITAR Region)
• US West (Northern California)
• US West (Oregon)
• US East (Northern Virginia)
• South America (Sao Paulo)
• EU (Ireland)
• Asia Pacific (Singapore)
• Asia Pacific (Tokyo)
AWS Edge Locations (shown on the map)
10. AWS Global Infrastructure
Secure, redundant Cloud infrastructure for global companies and global apps
• Regions
• Availability Zones
• Edge Locations
(Layer diagram used on the following slides: Deployment & Administration / App Services / Compute, Storage, Database / Networking / AWS Global Infrastructure)
11. AWS Networking Services
Extend your enterprise infrastructure to the AWS Cloud
• Amazon Virtual Private Cloud: VPN to Extend Your Network Topology to AWS
• AWS Direct Connect: Private, Dedicated Connection to AWS
• Amazon Route 53: Scalable Domain Name Service
12. Compute Services
Scalable Linux and Windows compute services
• Amazon EC2: Virtual Servers in the AWS Cloud
• Auto Scaling: Rule-driven scaling service for EC2
• Amazon Elastic Load Balancing: Virtual load balancers for EC2
13. Storage Services
Scalable and Durable High Performance Cloud Storage
• Amazon S3: Redundant, High-Scale Object Store
• Amazon Elastic Block Store: Persistent block storage for EC2
• AWS Storage Gateway: Seamless backup of enterprise data to S3
14. Database Services
Scalable and Durable High Performance Cloud Storage
• Amazon DynamoDB: High Performance NoSQL Database Service
• Amazon RDS: Managed Oracle & MySQL Database Service
• Amazon ElastiCache: Managed Memcached Service
15. AWS App Services
Highly abstracted services that replace software for commonly needed application functionality
• Amazon CloudFront: Global Content Delivery Service
• Amazon CloudSearch: Managed Search Service that Automatically Scales
• Amazon SWF: Simple Workflow Service
• Amazon SNS: Simple Notification Service
• Amazon SQS: Simple Queuing Service
• Amazon SES: Simple Transactional Email Service
16. Ecosystem App Services
3rd party highly abstracted services that replace software for commonly needed application functionality … and already run on AWS
• Security Services
• Log Analysis Services
• Developer Services
• BI Services
• Test Services
17. Deployment & Administration
AWS Ecosystem: 3rd party managed services that replace software for commonly needed application functionality … and already run on AWS
• AWS Management Console: Web-based management interface
• Amazon Elastic MapReduce: Big Data Analytics Service
• AWS IAM: Identity & Access Management
• Amazon CloudWatch: Automated monitoring & alerts
• AWS CloudFormation: Automated AWS resource provisioning
• AWS Elastic Beanstalk: Java & PHP App deployment & management
18. AWS Pace of Innovation…
Number of new services and features launched per year, with examples from the chart:
• 2007: 9, including Amazon FPS, Red Hat Enterprise on EC2
• 2008: 24, including Amazon SimpleDB, Amazon CloudFront, Amazon EBS, EC2 Availability Zones, EC2 Elastic IP Addresses
• 2009: 48, including Amazon RDS, Amazon VPC, Amazon EMR, EC2 Auto Scaling, EC2 Reserved Instances, EC2 Elastic Load Balance, AWS Import/Export, AWS Mngmt Console, Win Srv 2008 on EC2, IBM Apps on EC2
• 2010: 61, including Amazon SNS, Amazon CloudFront, Amazon Route 53, S3 Bucket Policies, RDS Multi-AZ Support, RDS Reserved Databases, AWS Import/Export, AWS IAM Beta, AWS Singapore Region, Cluster Instances for EC2, Micro Instances for EC2, Amazon Linux AMI, Oracle Apps on EC2, SUSE Linux on EC2, VM Import for EC2
• 2011: 82, including AWS Oregon Region, Elastic Beanstalk (Beta), Amazon SES (Beta), AWS CloudFormation, Amazon RDS for Oracle, AWS Direct Connect, AWS GovCloud (US), Amazon ElastiCache, VPC Virtual Networking, VPC Dedicated Instances, SMS Text Notification, CloudFront Live Streaming, AWS Tokyo Region, SAP RDS on EC2, SAP BO on EC2, Win Srv 2008 R2 on EC2, Win Srv 2003 VM Import, Amazon S3 SSE
19. …Continuing in the First Quarter of 2012
Launches per month (chart bars labelled 15, 7 and 6):
• January: AWS Storage Gateway, Amazon RDS on Amazon VPC, AWS IAM Identity Federation, Windows Free Usage Tier, New Premium Support Features, New AWS Direct Connect Locations
• February: Amazon Simple Workflow Service, Amazon DynamoDB in Japan, ElastiCache in Oregon and Sao Paulo, Amazon S3 Lower Prices, AWS CloudFormation for VPC, New Osaka and Milan Edge Locations
• March: Amazon RDS Free Trial program, Amazon EC2 Medium Instances, 64-bit AMI on Small & Medium, EC2 Linux Login from Console, Beanstalk Resource Permissions, EC2, RDS, ElastiCache Lower Prices
Also on the chart: Amazon DynamoDB, Amazon DynamoDB in Europe, Storage Gateway in South America, CloudFront Live Streaming, Route 53 Latency Based Routing, PHP and Git for Elastic Beanstalk, CloudFront Lowers Content Expiration, RDS Increases Backup Retention, IAM Password Management, IAM User Access to Account Billing
20. AWS Direct Connect
Private secure connection to AWS
• Bypass the public Internet
• High bandwidth and predictable latency
(Diagram: Corporate Data Center linked to the AWS Cloud by AWS Direct Connect, beside the ordinary Internet path)
21. AWS Storage Gateway
Easily backup on-premises data to AWS
• Store snapshots in Amazon S3 for backup and disaster recovery
• Simple software appliance - no changes required to your on-premises architecture
(Diagram: AWS Storage Gateway in Your Data Center sends snapshots to Amazon S3)
22. Amazon Simple Workflow Service
Run application workflows and business processes on AWS
• Manage processes across Cloud, mobile and on-premises environments
• Use any programming language for workflow logic
23. Amazon DynamoDB
Non Relational (NoSQL) Database
• Fast & predictable performance
• Seamless Scalability
• Zero administration
24. Amazon CloudSearch
Fully managed search service
Up and running in less than an hour
Automatically scales for data and traffic
Starting at less than $100 / month
25. PHP & Git Deployment for AWS Beanstalk
• Run and manage existing PHP applications with no changes to application code
• Provides full control over the Linux infrastructure and the software
(Diagram: git push from Your App to Elastic Beanstalk, which runs PHP on Apache HTTP Server on Amazon Linux behind an Elastic Load Balancer at yourApp.elasticbeanstalk.com)
26. AWS Marketplace
Find, buy and run software on AWS
• More than 250 listings at launch
• Sell your software or SaaS app to our hundreds of thousands of customers
aws.amazon.com/marketplace
27. The AWS Mission
Enable businesses and developers to use web services
to build scalable, sophisticated applications.
39. Applications: Flexibility to Choose the Right Security Model for Each Application
Infrastructure: AWS Security Infrastructure. Every Customer Gets the Highest Level of Security
SOC 1/SSAE 16/ISAE 3402, ISO 27001, PCI DSS, HIPAA, ITAR, FISMA Moderate, FIPS 140-2
40. Transformation 3: From Scaling by Architecture … to Scaling By Command
41. Scaling by Architecture: NoSQL Database Cluster
Set up more servers, Config & Tune, Shard & Repartition, Rinse & Repeat
42. Scaling by Command with Amazon DynamoDB
Data is automatically spread across enough hardware to deliver single digit millisecond latency.
45. Supercomputers Today are Privileges of the Elite
• Expensive
• Rationed time
• Only for the “highest value” jobs
46. Supercomputers by the Hour… for Everyone.
AWS built the 42nd fastest supercomputer in the world
• 1,064 Amazon EC2 CC2 instances with 17,024 cores
• 240 teraflops cluster (240 trillion calculations per second)
• Less than $1,000 per hour
51. Traditional Infrastructure Drives up the Cost of Failure … Innovation Suffers
How many big ticket technology ideas can your budget tolerate?
52. Experiment Often & Fail Quickly with AWS
Cost of failure falls dramatically
People are free to try out new ideas
More risk taking, more innovation
55. Attacking Big Data Problems Shouldn’t Be This Complicated
• Storing Massive Data Volumes Into A Huge Data Warehouse
• Investing In Expensive Server Clusters To Process The Data
56. The Cloud Makes This a Lot Simpler
1. Load Data in the Cloud (Amazon S3, Amazon DynamoDB)
2. Organize & Analyze Data (Hadoop Clusters, Amazon EMR)
3. Visualize Results
60. What Your Mobile App Requires
• Rich media experience
• Multi-device access
• Location context aware
• Real-time presence driven
• Social graph based
• User generated content
• Virtual goods economy
• Recommendations
• Integration with social networks
• Advertisement
• Premium support
63. PBS Video for iPad (Launched Nov ‘10); PBSKids Video for iPad (Launched April ‘11)
64. Fun With Numbers - February 2012
Total Video:
• Unique visitors: 30M/mo
• Visits: 57M/mo
• Page views: 367M/mo
• Video streams: 145M/mo
• Hours watched: 2.3M/mo
Mobile Video:
• 115k unique visitors per day
• 310k daily app opens
• 27% of hours watched, 40% of streams
69. On-Premise Infrastructure is Costly & Complex
• Large Capital Expenditures
• Patching Software
• Out of Datacenter Space
• Slow IT Deployments
• Contract negotiation
• Prices too high for IT products
• Underutilized IT Assets
• Scaling down as needed
• Scaling up quickly
• Managing physical growth
“IT spends 80% of its time and resources keeping the lights on”
70. Key benefits to running in the AWS Cloud
• No Up-Front Capital Expense
• Low Variable Pricing
• Pay Only for What You Use
• Self-Service Infrastructure
• Easily Scale Up and Down
• Improve Agility & Time to Market
71. No Up-Front Capital Expense
Up-Front On-Premise Costs: Physical Space, Cabling, Power, Cooling, Networking, Racks, Servers, Storage, Certification, Labor
Variable Cloud Computing Costs: $0 to Get Started
72. Low Cost
Scale & Innovation … … Drive Costs Down: the flywheel on the slide links Attract More Customers, Invest in Capital, Invest in Technology, Improve Efficiency and Reduce Prices
“TCO savings inherent in a cloud provider’s environment relative to that of a traditional enterprise datacenter may be as high as 60%.”
Morgan Stanley Research, Cloud Computing Takes Off
73. Pay Only for What You Use
(Chart: Compute Power against Time, comparing Predicted Usage with Actual Usage; provisioned capacity above actual usage is Waste, demand above capacity is Customer Dissatisfaction)
74. Self-Service Infrastructure
On-Premise: building new environments can be complex and slow: Needs Survey, Assess, Plan, Design, Engineer, Procure, Construct, Commission, Deploy
Cloud Computing: new infrastructure is always a few clicks away: New Development Environment, New Test Environment, New Environment in Japan, Add 1,000 Servers, Remove 1,000 Servers
Source: PTS Data Center Solutions
75. Easily Scale Up and Down
Internet Video App on Amazon EC2: From 50 to 5,000 servers in 3 days
(Chart: Number of EC2 Instances from 0 to 5,000 over Monday to Sunday; after the launch of the Facebook application the app scaled to a peak of 5,000 instances in 3 days)
Source: The Animoto Blog
76. Cloud Computing is More Than Just Virtualization
Cloud Computing provides all of: Virtualization, Self-Service Infrastructure, No Up-Front Capital Expense, Low Cost, Pay Only for What You Use, Easily Scale Up and Down, Improve Agility & Time-to-Market. On-Premise Virtualization provides Virtualization only; the slide marks the rest with “?”.
77. What Analysts are Saying about AWS
• Infrastructure-as-a-Service Market Share Leader
• Leader in 2011 Gartner IaaS Magic Quadrant
• Leader in 2011 Forrester Hadoop Wave
78. AWS Global Infrastructure
AWS Regions:
• GovCloud (US ITAR Region)
• US West (Northern California)
• US West (Oregon)
• US East (Northern Virginia)
• South America (Sao Paulo)
• EU (Ireland)
• Asia Pacific (Singapore)
• Asia Pacific (Tokyo)
AWS Edge Locations (shown on the map)
79. Built for Enterprise Security Standards
Certifications:
• SOC 1 Type 2 (formerly SAS-70)
• ISO 27001
• PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM
• FISMA Moderate Compliant Controls
• HIPAA & ITAR Compliant Architecture
Physical Security:
• Datacenters in nondescript facilities
• Physical access strictly controlled
• Must pass two-factor authentication at least twice for floor access
• Physical access logged and audited
HW, SW, Network:
• Systematic change management
• Phased updates deployment
• Safe storage decommission
• Automated monitoring and self-audit
• Advanced network protection
aws.amazon.com/security
80. (Diagram: Your Network at 10.2.1.1 connects over a VPN across the Internet to a Virtual Private Cloud at 10.1.1.1 running Enterprise Apps on AWS)
81. (Diagram: Your Network at 10.2.1.1 connects through AWS Direct Connect, instead of the Internet, to Enterprise Apps on AWS at 10.1.1.1)
82. What Enterprises are Running on AWS
• Business Applications
• Web Applications
• Big Data & High Performance Computing
• Disaster Recovery & Archive
85. A Variety of Enterprise Products and Licensing Options..
Popular Applications (licensing options shown on the slide: License Mobility, Hourly Licensing):
• Oracle Applications
• Oracle Fusion Middleware
• Oracle DB 11g
• SAP ERP/A1
• SAP Business Objects
• SAP Rapid Deployment Solutions
• Microsoft SharePoint Server
• Microsoft Server and Tools
• Microsoft Windows Server Apps
• IBM DB2 and Informix
• IBM WebSphere
• IBM Lotus, Tivoli, etc.
• RedHat Enterprise Linux
• JBOSS
• Gluster
86. Benefits
Amazon Corporate IT Deploys Mission-Critical Corporate Intranet running SharePoint 2010 to AWS Cloud
• Infrastructure Procurement Time Reduced from over four to six weeks to minutes.
• Server Image Build Process that had previously taken a half day is now automated.
• Annual Infrastructure Costs Cut by 22 percent when replacing on-premise hardware with equivalent cloud resources.
• Eliminating Operational Overhead of server lease returns, freeing up approximately 2 weeks of engineering overhead per year by replacing servers with equivalent cloud resources.
87. “The AWS Cloud brings business agility as Shell is able to deploy services much more quickly”
- Johan Krebers, Vice President of Architecture
Enterprise case study:
• Using AWS since 2010
• Operationalizing their cloud strategy
• Shell Foundation Platform – an IT framework – is AWS approved
• Core operational applications running in production on AWS
• Default for new apps: AWS
Business Benefits:
• No minimum commitment up front and pay per use brings significant savings
• Fast provisioning within minutes for many applications
• Elasticity – the ability to expand and contract IT infrastructure as needed
88. “This is a fantastic cloud use case for our company – a truly live production environment with dynamic content.”
- Rob Prager, Director of IT
Use of AWS:
• Insurance and Financial Services company with over 15M customers.
• Address security challenges while handling customer data in a regulated industry.
• Amazon AWS services leveraged to deliver Trend Micro SecureCloud.
Business Benefit:
• Cloud-hosted service approved by security and privacy officers.
• Compliant with data privacy requirements in the U.S. and Europe.
• E-signature application in production.
89. Project, Usage and AWS Footprint
Project:
• Started in Jan 2008, 5 FTE
• Focus: IT Automation on IaaS
• SAP Self-service since March 2008
• Enables unlimited # systems in clouds
• Weekly Feature Extensions
Usage:
• 276 Cloud Appliances
• > 600 SAP employees as direct users from >16 countries
• >10,000 SAP systems provisioned
• Cost Savings based on 1. Less expensive Hardware Hosting 2. IT Process Automation
AWS Footprint:
• 1,100 new SAP systems
• 42,086 EC2 Instance Hours
• 39 TB EBS Storage
• 3 TB S3 Storage
Top 3 Consuming Departments – Avg. Cost Saving Rate: 77%
• Customer Workshops: 215 SAP Systems, $ 15 / SAP system, 26 hrs / SAP system, Status: Productive
• Customer Trainings: 111 SAP Systems, $ 42 / SAP system, 82 hrs / SAP system, Status: Pilot + Ramp up
• Customer Demos: 118 SAP Systems, $ 76 / SAP system, 119 hrs / SAP system, Status: Productive + Ramp up
Source: SAP
91. Samsung saved $34M on their Smart Hub application
Problem: Needed to reduce IT costs and were looking to create a more flexible IT environment
Solution: AWS’s low, pay-as-you-go prices and reliable services. With every request, the application authenticates devices, delivers apps and content, and pushes notifications.
Business Benefits: Saved $34M in hardware and maintenance expenses, 85% less than running on-premises
92. The Guardian easily responds to the unpredictable demand of new applications
Problem: Building new online services and they needed the ability to easily respond to large-scale unpredictable demand
Solution: The scale and reliability of the AWS Cloud. GNM uses AWS for its Apple iPhone application and Content API service
Business Benefits:
• Reduced server configuration from 3 weeks to 30 minutes
• Able to meet availability SLAs even with significant demand peaks after the service’s launch.
93. FCBarcelona Responds to its Game Day Demand Peaks with AWS, Saving Money
Use of AWS: FCBarcelona’s websites, ecommerce, and mobile applications. Use Amazon EC2, Amazon CloudFront, Amazon RDS, Amazon Route 53, and many other services.
Business Benefits:
• Easily respond to game day peaks
• Improved time-to-market
94. “IaaS will significantly change the way IT will deliver infrastructure services to the business. We selected AWS because they are a leader in that field.”
- Yves Martelle, Global Director of Infrastructure
Enterprise Case Study:
• Started moving Internet and Intranet workloads to AWS in early 2011
• Runs 15 production applications on AWS
• Used Amazon VPC to connect its datacenter to the AWS cloud
Business Benefit:
• Open and flexible platform allows Schneider to run Java and .NET apps on Windows and Linux virtual servers
• Increased IT agility by rolling out new applications faster on AWS
96. Bank – Credit-Risk Simulation
“The AWS platform was a good fit for its unlimited and flexible computational
power to our risk-simulation process requirements.
With AWS, we now have the power to decide how fast we want to obtain
simulation results, and, more importantly, we have the ability to run
simulations not possible before due to the large amount of infrastructure
required.”
– Castillo, Director, Bankinter
Average time-to-solution down from 23 hours to 20 minutes
98. “We see continued value in using the AWS cloud because of the flexibility and the scalability. We have a long queue of projects and we envision using AWS to help us get there.”
Jeff Sternberg, Data Science Lead, Capital IQ / Standard & Poors
Big Data Case Study:
• Recommendation engine for investment bankers looking for new ideas.
• Leverages EC2, EMR, S3, VPC.
• EMR pulls data from S3 for processing and pushes the results into a SQL database.
Business Benefit:
• EMR and S3 provided a low-cost and high-performance foundation for parallel applications
• Increased security by using VPC to extend corporate datacenter into the AWS cloud
99. “Unilever’s digital data program now processes genetic sequences twenty times faster—without incurring higher compute costs. In addition, its robust architecture supports ten times as many scientists, all working simultaneously.”
- Pete Keeley, Unilever Research’s eScience IT Lead for Cloud
The Story:
• New biology and informatics program promotes access to public data
• Underlying architecture must keep pace with expanding scientific discoveries
• Simple but robust solution combines Amazon EC2, Amazon RDS, and Amazon S3 with the open-source workflow system, eHive
Business Benefit:
• Ten times as many scientists can process studies simultaneously, compared to non-cloud architecture
• Genetic sequence processing is twenty times faster, without increasing compute costs
• Both companies are confident that the AWS-based program helps Unilever’s scientists create market-leading innovations
101. Haven Power: “The primary driver wasn't cost, but rather the ability to set up the infrastructure even though we recognized the design was changing.”
- Paul Armstrong, Business Systems Manager
Use of AWS:
• U.K.-based electric company
• Needed flexible disaster recovery
• AWS offered flexibility, proven services, lower cost
• Smart421 able to quickly translate requirements into a solution
• Running disaster recovery, testing, and development on AWS
• Planning big data projects on AWS
Business Benefit:
• Flexible DR architecture at low cost
• Avoided large up-front investment
• IT and Operations are more responsive to the business
• New builds that used to take days now take hours
102. Archive Vaulting solution
“Since 2003 we used IT-Lifeline to safeguard our corporate data and provide data center, technology, and workspace recovery if adversity strikes. Because they have delivered their promise of recovery on multiple occasions, we feel confident in expanding our relationship with IT-Lifeline.”
Jim Brockett, Chief Information Officer, Washington Trust Bank
Business Benefits:
• Complete elimination of tape from the archival process
• Faster recovery speeds
• Protects 246 nodes and 40TB daily
103. Fortune 400 Customer Uses Sonian to Migrate Archiving to AWS
Business Problem:
• Had a legacy on-prem archive system that wasn’t keeping up with their incoming data – 10K mailboxes
• Challenged to find support for Lotus Domino archiving
• Needed support for early-case assessment and internal investigations
AWS Solution: Sonian’s email archiving platform to enable:
• Enhanced early case assessment activities
• Intuitive search capabilities
• Cost-effective archiving solution
Business Benefit:
• Reduced risk on company’s early case assessment
• Enabled search across millions of archived emails to facilitate eDiscovery as well as worker productivity
• 50% less cost than on-premise archiving
• Reduced overhead on IT staff to support archiving
104. Next Steps
Learn more on Enterprise Cloud Computing: aws.amazon.com/enterprise
Get started with a free trial: aws.amazon.com/free
106. Cloud Computing for the Enterprise | London
WiFi access: Network: WCH, Username: AMAZON, Password: P6FW3HY
#hashtag: #AWSLondon
107. AWS: Overview of Security Processes
Stephen Schmidt, Chief Information Security Officer
108. AWS Security Model Overview
Certifications & Accreditations:
• Sarbanes-Oxley (SOX) compliance
• ISO 27001 Certification
• PCI DSS Level I Certification
• HIPAA compliant architecture
• SAS 70 (SOC 1) Type II Audit
• FISMA Low & Moderate ATOs
• DIACAP MAC III-Sensitive Systems
• Pursuing DIACAP MAC II–Sensitive
Shared Responsibility Model: Customer/SI Partner/ISV controls
• guest OS-level security, including patching and maintenance
• Application level security, including password and role based access
• Host-based firewalls, including Intrusion Detection/Prevention
• Separation of Access
Physical Security:
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)
• Management Plane Administrative Access: multi-factor, controlled, need-based access to administrative host
• All access logged, monitored, reviewed
• AWS Administrators DO NOT have logical access inside a customer’s VMs, including applications and data
VM Security:
• Multi-factor access to Amazon Account
• Instance Isolation: customer-controlled firewall at the hypervisor level; neighboring instances prevented access; virtualized disk management layer ensures only account owners can access storage disks (EBS)
• Support for SSL end point encryption for API calls
Network Security:
• Instance firewalls can be configured in security groups; the traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
• Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
109. Shared Responsibility Model
AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure
Customer: Operating System, Application, Security Groups, Network ACLs, Network Configuration, Account Management
111. AWS Certifications
Sarbanes-Oxley (SOX)
ISO 27001 Certification
Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
SAS70(SOC 1) Type II Audit
FISMA A&As
• Multiple NIST Low Approvals to Operate (ATO)
• NIST Moderate, GSA issued ATO
• FedRAMP
DIACAP MAC III Sensitive IATO
Customers have deployed various compliant applications such as
HIPAA (healthcare)
112. SOC 1 Type II
Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2
report every six months and maintains a favorable unbiased and unqualified opinion
from its independent auditors. AWS identifies those controls relating to the operational
performance and security to safeguard customer data. The SOC 1 report audit attests
that AWS’ control objectives are appropriately designed and that the individual controls
defined to safeguard customer data are operating effectively. Our commitment to the SOC
1 report is on-going and we plan to continue our process of periodic audits.
The audit for this report is conducted in accordance with the Statement on Standards for
Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance
Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can
meet a broad range of auditing requirements for U.S. and international auditing bodies.
This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70)
Type II report.
This report is available to customers under NDA.
113. SOC 1 Type II – Control Objectives
Control Objective 1: Security Organization
Control Objective 2: Amazon Employee Lifecycle
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security
Control Objective 6: Environmental Safeguards
Control Objective 7: Change Management
Control Objective 8: Data Integrity, Availability and Redundancy
Control Objective 9: Incident Handling
114. ISO 27001
AWS has achieved ISO 27001 certification of our
Information Security Management System (ISMS)
covering AWS infrastructure, data centers in all regions
worldwide, and services including Amazon Elastic
Compute Cloud (Amazon EC2), Amazon Simple Storage
Service (Amazon S3) and Amazon Virtual Private Cloud
(Amazon VPC). We have established a formal program
to maintain the certification.
115. Physical Security
Amazon has been building large-scale data centers for many years
Important attributes:
• Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
Controlled, need-based access for AWS employees (least privilege)
All access is logged and reviewed
116. AWS Regions:
• GovCloud (US ITAR Region)
• US West (Northern California)
• US West (Oregon)
• US East (Northern Virginia)
• South America (Sao Paulo)
• EU (Ireland)
• Asia Pacific (Singapore)
• Asia Pacific (Tokyo)
AWS Edge Locations (shown on the map)
117. AWS Regions and Availability Zones
Customer Decides Where Applications and Data Reside
118. AWS Identity and Access Management
Enables a customer to create multiple Users and manage the permissions for each of these Users.
Secure by default; new Users have no access to AWS until permissions are explicitly granted.
AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials.
Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
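The default-deny behaviour this slide describes (a new User has no access until a permission is explicitly granted, and MFA can be required for sensitive calls) can be modelled in a few dozen lines. The following Python is an added example, not code from the deck or from AWS: it is a simplified model of IAM policy evaluation, in which an explicit Deny overrides any Allow and anything not allowed is implicitly denied. The sample policies, bucket names and request context are constructed for the example, and the only condition operator supported is a Bool test on the real aws:MultiFactorAuthPresent key.

```python
"""Simplified model of IAM policy evaluation (added example; not AWS's engine).

Rules modelled:
  1. A new User with no policies has no access (implicit deny).
  2. An explicit Deny in any matching statement overrides every Allow.
  3. Otherwise access is granted only if some statement explicitly Allows it.
  4. A statement may carry a Bool condition on aws:MultiFactorAuthPresent.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match ('*' and '?'); actions are case-insensitive."""
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the Bool operator is modelled here (assumption of this example)."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            actual = context.get(key, False)  # absent key behaves as false
            if str(actual).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    return (_matches(stmt["Action"], action, ignore_case=True)
            and _matches(stmt["Resource"], resource)
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins, whatever else matched
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample policies; bucket names are placeholders, not real buckets.
READ_BUCKET = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}

# Read-only EC2 for everyone; destructive calls only from an MFA-authenticated session.
EC2_ADMIN_MFA_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
     "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

# Guard-rail: a Deny that wins even against a broad s3:* Allow.
DENY_DELETE_AUDIT_LOGS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:DeleteObject",
    "Resource": "arn:aws:s3:::audit-logs/*"}]}

S3_FULL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def demo():
    """Walk through the cases the slide describes; returns each decision."""
    new_user = []  # freshly created IAM User: no policies attached yet
    obj = "arn:aws:s3:::example-bucket/report.csv"
    return {
        "new_user_s3": evaluate(new_user, "s3:GetObject", obj),
        "reader_get": evaluate([READ_BUCKET], "s3:GetObject", obj),
        "reader_put": evaluate([READ_BUCKET], "s3:PutObject", obj),
        "terminate_no_mfa": evaluate([EC2_ADMIN_MFA_ONLY], "ec2:TerminateInstances", "*"),
        "terminate_mfa": evaluate([EC2_ADMIN_MFA_ONLY], "ec2:TerminateInstances", "*",
                                  {"aws:MultiFactorAuthPresent": True}),
        "delete_audit_log": evaluate([S3_FULL, DENY_DELETE_AUDIT_LOGS], "s3:DeleteObject",
                                     "arn:aws:s3:::audit-logs/2012/04/24.log"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:18} -> {decision}")
```

The order of the policies passed to `evaluate` does not matter: a matching Deny short-circuits regardless of how many Allows precede or follow it, which is the property that makes guard-rail policies useful.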
120. AWS MFA Benefits
• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console
• Adds an extra layer of protection to sensitive information, such as your AWS access identifiers
• Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data
121. Amazon EC2 Security
Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
Guest operating system
• Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs
Firewall
• Mandatory inbound instance firewall, default deny mode
• Outbound instance firewall available in VPC
• VPC subnet ACLs
Signed API calls
• Require X.509 certificate or customer’s secret AWS key
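The last bullet says API calls are signed with the customer's secret AWS key. The following Python is an added example, not code from the deck or from AWS: it shows the shape of a shared-secret HMAC scheme in which the secret never travels with the request, the service looks the secret up by key id, recomputes the MAC over a canonical form of the request, compares it in constant time and refuses requests whose timestamp falls outside a replay window. The canonical-string layout, the host name, the credentials and the instance id are this example's own constructions and the scheme is deliberately simplified; it is not AWS Signature Version 2 or 4.

```python
"""Shared-secret HMAC request signing and verification (added example, not AWS code)."""
import calendar
import hashlib
import hmac
import time
from urllib.parse import quote, urlencode

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credentials for the demo; the secret is the value a client must never send.
KEY_ID = "AKIAEXAMPLEKEYID0000"
SECRET = "example-secret-do-not-use"
SERVER_KEYS = {KEY_ID: SECRET}  # the service's view: access key id -> secret


def canonical_string(method, host, path, params):
    """Deterministic byte layout so client and server MAC identical input."""
    query = urlencode(sorted(params.items()), quote_via=quote)
    return "\n".join([method.upper(), host.lower(), path, query])


def _mac(secret, message):
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def sign_request(key_id, secret, method, host, path, params, timestamp):
    """Client side: add identity and timestamp, then sign everything."""
    signed = dict(params)
    signed["AWSAccessKeyId"] = key_id  # identifies the key; the secret stays local
    signed["Timestamp"] = timestamp
    signed["Signature"] = _mac(secret, canonical_string(method, host, path, signed))
    return signed


def verify_request(keys, method, host, path, params, now, max_skew=900):
    """Service side: returns (accepted, reason)."""
    for required in ("AWSAccessKeyId", "Timestamp", "Signature"):
        if required not in params:
            return False, f"missing {required}"
    secret = keys.get(params["AWSAccessKeyId"])
    if secret is None:
        return False, "unknown access key"
    try:
        sent_at = calendar.timegm(time.strptime(params["Timestamp"], TIME_FMT))
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - sent_at) > max_skew:  # bounds how long a captured request stays usable
        return False, "timestamp outside replay window"
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = _mac(secret, canonical_string(method, host, path, unsigned))
    if not hmac.compare_digest(expected, str(params["Signature"])):
        return False, "signature mismatch"
    return True, "ok"


# Constructed request: host name and instance id are placeholders.
METHOD, HOST, PATH = "GET", "ec2.example.test", "/"
ISSUED = "2012-04-24T10:00:00Z"
NOW = calendar.timegm(time.strptime(ISSUED, TIME_FMT)) + 60  # verified a minute later


def demo():
    params = {"Action": "DescribeInstances", "InstanceId.1": "i-example0"}
    good = sign_request(KEY_ID, SECRET, METHOD, HOST, PATH, params, ISSUED)
    tampered = dict(good, Action="TerminateInstances")  # parameter changed, MAC not
    wrong_key = sign_request(KEY_ID, "guessed-secret", METHOD, HOST, PATH, params, ISSUED)
    return {
        "valid": verify_request(SERVER_KEYS, METHOD, HOST, PATH, good, NOW),
        "tampered": verify_request(SERVER_KEYS, METHOD, HOST, PATH, tampered, NOW),
        "wrong_secret": verify_request(SERVER_KEYS, METHOD, HOST, PATH, wrong_key, NOW),
        "replayed": verify_request(SERVER_KEYS, METHOD, HOST, PATH, good, NOW + 3600),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:13} accepted={accepted} ({reason})")
```

Two details carry most of the security value: the signature is computed over a canonical form that includes every parameter, so any change to the request invalidates it, and the timestamp is part of the signed input, so an attacker cannot refresh a captured request without the secret.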
122. Amazon EC2 Instance Isolation
(Diagram: Customer 1, Customer 2 … Customer n run on a shared Hypervisor; each customer’s Virtual Interfaces pass through that customer’s own Security Groups and the Firewall before reaching the Physical Interfaces)
123. Virtual Memory & Local Disk
(Diagram: Amazon EC2 Instances, each with an Encrypted File System and an Encrypted Swap File)
• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an added layer of security
124. Network Security Considerations
DDoS (Distributed Denial of Service):
• Standard mitigation techniques in effect
MITM (Man in the Middle):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot
IP Spoofing:
• Prohibited at host OS level
Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Ineffective anyway since inbound ports blocked by default
Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level
125. Amazon Virtual Private Cloud (VPC)
• Create a logically isolated environment in Amazon’s highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
• Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
• Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
• Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect
• Use a wizard to easily create your VPC in 4 different topologies
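Slide 121 describes the mandatory default-deny inbound instance firewall, this slide contrasts stateless Network ACLs on subnets with stateful Security Groups on instances, and slide 108 notes that rules match on protocol, port and source IP or CIDR block. The following Python is an added example, not code from the deck or from AWS: a simplified model of both filters run over constructed packets, using the 10.2.1.1 client and 10.1.1.1 instance addresses from the diagrams on slides 80 and 81. It shows why a stateless ACL needs an explicit outbound rule covering the client's ephemeral reply port, while a security group passes the reply automatically because it tracked the inbound flow; rule numbering, the port ranges and the "allow all outbound by default" behaviour are the example's own simplifications.

```python
"""Stateful Security Group vs stateless Network ACL (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The 5-tuple a reply to this packet would carry."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny" (security groups only ever hold allow rules)
    proto: str      # "tcp", "udp" or "*"
    port_from: int
    port_to: int
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, proto, port, ip):
        return (self.proto in ("*", proto)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful allow-list: default deny, and replies to tracked flows always pass."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # packets that opened a permitted flow

    def inbound_packet(self, pkt):
        if pkt.reverse() in self.flows:  # reply to a flow the instance opened
            return True
        if any(r.matches(pkt.proto, pkt.dst_port, pkt.src_ip) for r in self.inbound):
            self.flows.add(pkt)
            return True
        return False

    def outbound_packet(self, pkt):
        if pkt.reverse() in self.flows:  # reply to a flow a client opened
            return True
        if any(r.matches(pkt.proto, pkt.dst_port, pkt.dst_ip) for r in self.outbound):
            self.flows.add(pkt)
            return True
        return False


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against numbered rules,
    lowest number first; the first match decides and no match means deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda nr: nr[0])    # [(number, Rule)]
        self.outbound = sorted(outbound, key=lambda nr: nr[0])

    @staticmethod
    def _decide(rules, proto, port, ip):
        for _, rule in rules:
            if rule.matches(proto, port, ip):
                return rule.action == "allow"
        return False

    def inbound_packet(self, pkt):
        return self._decide(self.inbound, pkt.proto, pkt.dst_port, pkt.src_ip)

    def outbound_packet(self, pkt):
        return self._decide(self.outbound, pkt.proto, pkt.dst_port, pkt.dst_ip)


# Constructed traffic: corporate client 10.2.1.1 talks HTTPS to instance 10.1.1.1.
CORP_NET = "10.2.0.0/16"
REQUEST = Packet("tcp", "10.2.1.1", 50000, "10.1.1.1", 443)
REPLY = REQUEST.reverse()
UNSOLICITED_SSH = Packet("tcp", "10.2.1.1", 50001, "10.1.1.1", 22)


def demo():
    sg = SecurityGroup(inbound=[Rule("allow", "tcp", 443, 443, CORP_NET)],
                       outbound=[Rule("allow", "tcp", 80, 80, "0.0.0.0/0")])
    https_in = (100, Rule("allow", "tcp", 443, 443, CORP_NET))
    # ACL whose author forgot that the reply leaves for the client's ephemeral port
    incomplete_acl = NetworkAcl(inbound=[https_in],
                                outbound=[(100, Rule("allow", "tcp", 443, 443, "0.0.0.0/0"))])
    fixed_acl = NetworkAcl(inbound=[https_in],
                           outbound=[(100, Rule("allow", "tcp", 1024, 65535, CORP_NET))])
    return {
        "sg_request": sg.inbound_packet(REQUEST),
        "sg_reply": sg.outbound_packet(REPLY),
        "sg_unsolicited_ssh": sg.inbound_packet(UNSOLICITED_SSH),
        "acl_request": incomplete_acl.inbound_packet(REQUEST),
        "acl_reply_incomplete": incomplete_acl.outbound_packet(REPLY),
        "acl_reply_fixed": fixed_acl.outbound_packet(REPLY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {'pass' if verdict else 'drop'}")
```

The practical consequence for defenders is that a subnet ACL is a coarse, order-sensitive filter that must be written for both directions of every flow, whereas the security group is the place to express the per-instance allow-list; in the model above, the incomplete ACL silently breaks the HTTPS session even though both its inbound rule and the security group permit it.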
126. Amazon VPC Architecture
(Diagram: the customer’s isolated AWS resources sit in subnets inside the Amazon Web Services Cloud, with a NAT and an Internet Router; a VPN Gateway provides a secure VPN connection over the Internet to the customer’s network, and AWS Direct Connect provides a dedicated path/bandwidth)
128. Amazon VPC - Dedicated Instances
New option to ensure physical hosts are not shared with
other customers
$10/hr flat fee per Region + small hourly charge
Can identify specific Instances as dedicated
Optionally configure entire VPC as dedicated
129. AWS Deployment Models
Isolation criteria compared on the slide: Logical Server and Application Isolation; Granular Information Access Policy; Logical Network Isolation; Physical server Isolation; Government Only Physical Network and Facility; ITAR Compliant (US Persons Only)
• Commercial Cloud: sample workloads are public facing apps, web sites, dev test etc.
• Virtual Private Cloud (VPC): sample workloads are data center extension, TIC environment, email, FISMA low and Moderate
• AWS GovCloud (US): sample workloads are US Persons Compliant and Government Specific Apps