Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
AWS: Overview of Security Processes
Stephen Schmidt, Chief Information Security Officer
AWS Security Model Overview

Certifications & Accreditations
• Sarbanes-Oxley (SOX) compliance
• ISO 27001 Certification
• PCI DSS Level I Certification
• HIPAA compliant architecture
• SAS 70 (SOC 1) Type II Audit
• FISMA Low & Moderate ATOs
• DIACAP MAC III-Sensitive Systems
• Pursuing DIACAP MAC II-Sensitive

Shared Responsibility Model: Customer / SI Partner / ISV controls
• Guest OS-level security, including patching and maintenance
• Application level security, including password and role based access
• Host-based firewalls, including Intrusion Detection/Prevention
• Separation of Access

Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)
• Management Plane Administrative Access: multi-factor, controlled, need-based access to administrative hosts
• All access logged, monitored, reviewed
• AWS Administrators DO NOT have logical access inside a customer's VMs, including applications and data

VM Security
• Multi-factor access to Amazon Account
• Instance Isolation: customer-controlled firewall at the hypervisor level; neighboring instances prevented access; virtualized disk management layer ensures only account owners can access storage disks (EBS)
• Support for SSL end point encryption for API calls

Network Security
• Instance firewalls can be configured in security groups; traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block)
• Virtual Private Cloud (VPC) provides IPSec VPN access from an existing enterprise data center to a set of logically isolated AWS resources
AWS Security Resources
http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Latest versions May 2011 and January 2012 respectively
• Regularly updated
• Feedback is welcome
AWS Certifications
• Sarbanes-Oxley (SOX)
• ISO 27001 Certification
• Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
• SAS 70 (SOC 1) Type II Audit
• FISMA A&As: multiple NIST Low Approvals to Operate (ATO); NIST Moderate, GSA issued ATO; FedRAMP
• DIACAP MAC III Sensitive IATO
Customers have deployed various compliant applications such as HIPAA (healthcare)
SOC 1 Type II
Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report every six months and maintains a favorable unbiased and unqualified opinion from its independent auditors. AWS identifies those controls relating to the operational performance and security to safeguard customer data. The SOC 1 report audit attests that AWS' control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we plan to continue our process of periodic audits.
The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report.
This report is available to customers under NDA.
SOC 1 Type II – Control Objectives
Control Objective 1: Security Organization
Control Objective 2: Amazon Employee Lifecycle
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security
Control Objective 6: Environmental Safeguards
Control Objective 7: Change Management
Control Objective 8: Data Integrity, Availability and Redundancy
Control Objective 9: Incident Handling
ISO 27001
AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers in all regions worldwide, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). We have established a formal program to maintain the certification.
Physical Security
Amazon has been building large-scale data centers for many years
Important attributes:
• Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
Controlled, need-based access for AWS employees (least privilege)
All access is logged and reviewed
[Map: AWS Regions and AWS Edge Locations] Regions shown: GovCloud (US ITAR Region), US West (Northern California), US West (Oregon), US East (Northern Virginia), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo)
AWS Regions and Availability Zones
Customer Decides Where Applications and Data Reside
AWS Identity and Access Management
Enables a customer to create multiple Users and manage the permissions for each of these Users.
Secure by default; new Users have no access to AWS until permissions are explicitly granted.
AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials.
Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
AWS MFA Benefits
• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console
• Adds an extra layer of protection to sensitive information, such as your AWS access identifiers
• Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data
Amazon EC2 Security
Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
Guest operating system
• Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs
Firewall
• Mandatory inbound instance firewall, default deny mode
• Outbound instance firewall available in VPC
• VPC subnet ACLs
Signed API calls
• Require X.509 certificate or customer's secret AWS key
[Diagram: Amazon EC2 Instance Isolation] Customer 1, Customer 2 … Customer n instances run above the hypervisor; each has its own virtual interface and its own Security Groups, behind the firewall and the physical interfaces.
Virtual Memory & Local Disk
[Diagram: Amazon EC2 Instances with an encrypted file system and an encrypted swap file]
• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an added layer of security
Network Security Considerations
DDoS (Distributed Denial of Service):
• Standard mitigation techniques in effect
MITM (Man in the Middle):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot
IP Spoofing:
• Prohibited at host OS level
Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Ineffective anyway since inbound ports blocked by default
Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level
Amazon Virtual Private Cloud (VPC)
• Create a logically isolated environment in Amazon's highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
• Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
• Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
• Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect
• Use a wizard to easily create your VPC in 4 different topologies
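The two filtering layers above (allow-only, stateful Security Groups restricting traffic by protocol, port and source IP or CIDR block; numbered, stateless Network ACLs with explicit deny entries) are modelled in this added example. It is illustrative code written for this page, not AWS's implementation; the rule sets and addresses are constructed samples.

```python
"""Constructed model of EC2 security-group and VPC network ACL evaluation."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    protocol: str       # "tcp", "udp", "icmp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str           # a single IP written as /32, or a CIDR block
    allow: bool = True  # NACL entries may DENY; security-group entries are allow-only

def matches(rule, protocol, ip, port):
    """True when protocol, port range and CIDR all match the packet."""
    if rule.protocol not in ("-1", protocol):
        return False
    if not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)

def security_group_allows(rules, protocol, ip, port):
    """Security groups are allow-only with an implicit deny: no matching rule, no entry."""
    return any(matches(r, protocol, ip, port) for r in rules)

def nacl_allows(entries, protocol, ip, port):
    """NACL entries are numbered; the lowest-numbered match decides, else implicit deny."""
    for _, rule in sorted(entries, key=lambda e: e[0]):
        if matches(rule, protocol, ip, port):
            return rule.allow
    return False

# Constructed sample: HTTPS from one corporate range only, SSH from a single bastion IP.
SG = [Rule("tcp", 443, 443, "203.0.113.0/24"), Rule("tcp", 22, 22, "198.51.100.7/32")]
# Constructed NACL for the subnet: an explicit DENY for one abusive host outranks the allow.
NACL_IN = [(90, Rule("tcp", 443, 443, "203.0.113.66/32", allow=False)),
           (100, Rule("tcp", 443, 443, "203.0.113.0/24"))]
# Constructed outbound NACL that forgot the client ephemeral port range.
NACL_OUT = [(100, Rule("tcp", 443, 443, "0.0.0.0/0"))]

def reply_allowed_by_sg():
    """Stateful: once inbound 443 is admitted, the reply needs no outbound rule."""
    return security_group_allows(SG, "tcp", "203.0.113.10", 443)

def reply_allowed_by_nacl(ephemeral_port=49152):
    """Stateless: the reply is re-evaluated against the outbound entries on its own."""
    return nacl_allows(NACL_OUT, "tcp", "203.0.113.10", ephemeral_port)
```

The last two functions show the practical difference the slide draws: the stateful group admits the server's reply automatically, while the stateless ACL drops it until an outbound entry for the ephemeral port range is added.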
[Diagram: Amazon VPC Architecture] The customer's isolated AWS resources sit in subnets behind a NAT and Internet router; a VPN Gateway provides a secure VPN connection over the Internet to the customer's network, and AWS Direct Connect provides a dedicated path with dedicated bandwidth.
Amazon VPC - Dedicated Instances
• New option to ensure physical hosts are not shared with other customers
• $10/hr flat fee per Region + small hourly charge
• Can identify specific Instances as dedicated
• Optionally configure entire VPC as dedicated
AWS Deployment Models
Isolation attributes compared: Logical Server Isolation; Granular Information Access Policy; Logical Network Isolation; Physical Server Isolation; Physical Network and Facility Isolation; Government Only (US Persons Only); ITAR Compliant; Sample Workloads
• Commercial Cloud: public facing apps, web sites, dev test etc.
• Virtual Private Cloud (VPC): data center extension, TIC environment, email, FISMA Low and Moderate
• AWS GovCloud (US): US Persons compliant and government specific apps
Thanks!
Remember to visit https://aws.amazon.com/security