16h30 aws gru security deck

AWS: Overview of Security Processes Ryan Holland Ecosystem Solution Architect

Transcript of 16h30 aws gru security deck

Page 1: 16h30   aws gru security deck

AWS: Overview of Security Processes

Ryan Holland

Ecosystem Solution Architect

Page 2: 16h30   aws gru security deck

AWS Computing Platform

Page 3: 16h30   aws gru security deck

Certifications & Accreditations

• Sarbanes-Oxley (SOX) compliance
• ISO 27001 Certification
• PCI DSS Level I Certification
• HIPAA compliant architecture
• SAS 70 (SOC 1) Type II Audit
• FISMA Low & Moderate ATOs
• DIACAP MAC III-Sensitive

Shared Responsibility Model

Customer/SI Partner/ISV controls:
• Guest OS-level security, including patching and maintenance
• Application level security, including password and role based access
• Host-based firewalls, including Intrusion Detection/Prevention Systems
• Separation of Access

Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)

Management Plane Administrative Access
• Multi-factor, controlled, need-based access to administrative host
• All access logged, monitored, reviewed
• AWS Administrators DO NOT have logical access inside a customer’s VMs, including applications and data

AWS Security Model Overview

VM Security
• Multi-factor access to Amazon Account
• Instance Isolation
  • Customer-controlled firewall at the hypervisor level
  • Neighboring instances prevented access
  • Virtualized disk management layer ensures only account owners can access storage disks (EBS)
• Support for SSL end point encryption for API calls

Network Security
• Instance firewalls can be configured in security groups. Traffic may be restricted by protocol, by service port, and by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
• Virtual Private Cloud (VPC) provides IPSec VPN access from an existing enterprise data center to a set of logically isolated AWS resources

Page 4: 16h30   aws gru security deck

Shared Responsibility Model

AWS
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure

Customer
• Operating System
• Application
• Security Groups
• Network ACLs
• Network Configuration
• Account Management

Page 5: 16h30   aws gru security deck

AWS Security Resources

http://aws.amazon.com/security/

Security Whitepaper

Risk and Compliance Whitepaper

Latest Versions May 2011, July 2012 respectively

Regularly Updated

Feedback is welcome

Page 6: 16h30   aws gru security deck

AWS Certifications

• Sarbanes-Oxley (SOX)
• ISO 27001 Certification
• Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
• SSAE 16 (SOC 1) Type II Audit
• FISMA A&As
  • Multiple NIST Low Approvals to Operate (ATO)
  • NIST Moderate, GSA issued ATO
  • FedRAMP
• DIACAP MAC III Sensitive IATO
• Customers have deployed various compliant applications such as HIPAA (healthcare)

Page 7: 16h30   aws gru security deck

SOC 1 Type II

Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report every six months and maintains a favorable unbiased and unqualified opinion from its independent auditors. AWS identifies those controls relating to the operational performance and security to safeguard customer data. The SOC 1 report audit attests that AWS’ control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we plan to continue our process of periodic audits.

The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report.

This report is available to customers under NDA.

Page 8: 16h30   aws gru security deck

SOC 1 Type II – Control Objectives

Control Objective 1: Security Organization

Control Objective 2: Amazon Employee Lifecycle

Control Objective 3: Logical Security

Control Objective 4: Secure Data Handling

Control Objective 5: Physical Security

Control Objective 6: Environmental Safeguards

Control Objective 7: Change Management

Control Objective 8: Data Integrity, Availability and Redundancy

Control Objective 9: Incident Handling

Page 9: 16h30   aws gru security deck

ISO 27001 

AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers in all regions worldwide, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). We have established a formal program to maintain the certification.

Page 10: 16h30   aws gru security deck

PCI DSS Level 1 Service Provider

PCI DSS 2.0 compliant

Covers core infrastructure & services
• EC2, VPC, S3, EBS, RDS, ELB, and IAM

Use normally, no special configuration

Leverage the work of our QSA

AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA)
• Can support forensic investigations

Certified in all regions

Page 11: 16h30   aws gru security deck

Physical Security

Amazon has been building large-scale data centers for many years

Important attributes:
• Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth

Controlled, need-based access for AWS employees (least privilege)

All access is logged and reviewed

Page 12: 16h30   aws gru security deck

AWS Regions
• US West (Northern California)
• US West (Oregon)
• US East (Northern Virginia)
• GovCloud (US ITAR Region)
• South America (Sao Paulo)
• EU (Ireland)
• Asia Pacific (Singapore)
• Asia Pacific (Tokyo)

[Map legend: AWS Regions, AWS Edge Locations]

Page 13: 16h30   aws gru security deck

AWS Regions and Availability Zones

Customer Decides Where Applications and Data Reside

Page 14: 16h30   aws gru security deck

AWS Identity and Access Management

• Enables a customer to create multiple Users and manage the permissions for each of these Users.
• Secure by default; new Users have no access to AWS until permissions are explicitly granted.
• AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials.
• Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
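The "no access until permissions are explicitly granted" behaviour on this slide, as an added sketch that is not from the original deck or from AWS code. It goes beyond the slide by also modelling the rule that an explicit Deny overrides any Allow; conditions and principals are left out, and the bucket name and policies are constructed samples.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _hit(patterns, value, fold=False):
    # IAM action names are case-insensitive; resource ARNs are matched as written
    if fold:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policies, action, resource):
    """Default deny: only a matching Allow grants access, and any matching Deny wins."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _hit(stmt["Action"], action, fold=True) and _hit(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

# Constructed sample policies (hypothetical bucket "example-reports")
READ_REPORTS = {"Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-reports/*"}]}
DENY_SECRET = {"Statement": {
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-reports/secret/*"}}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print("new user, no policies:", is_allowed([], "s3:GetObject", obj))
    print("after explicit grant: ", is_allowed([READ_REPORTS], "s3:GetObject", obj))
    print("ungranted action:     ", is_allowed([READ_REPORTS], "s3:PutObject", obj))
```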

Page 15: 16h30   aws gru security deck
Page 16: 16h30   aws gru security deck

AWS MFA Benefits

Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you

Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console

Adds an extra layer of protection to sensitive information, such as your AWS access identifiers

Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data

Page 17: 16h30   aws gru security deck

Amazon EC2 Security

Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited

Guest operating system
• Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs

Firewall
• Mandatory inbound instance firewall, default deny mode
• Outbound instance firewall available in VPC
• VPC subnet ACLs

Signed API calls
• Require X.509 certificate or customer’s secret AWS key

Page 18: 16h30   aws gru security deck

Amazon EC2 Instance Isolation

[Diagram labels: Customer 1, Customer 2 … Customer n; Hypervisor; Virtual Interfaces; Firewall; Customer 1 … Customer n Security Groups; Physical Interfaces]

Page 19: 16h30   aws gru security deck

Virtual Memory & Local Disk

[Diagram labels: Amazon EC2 Instances; Amazon EC2 Instance; Encrypted File System; Encrypted Swap File]

• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another

• Local disk storage can also be encrypted by the customer for an added layer of security

Page 20: 16h30   aws gru security deck

EBS Wiping / Data Destruction

Blocks Zeroed Out Upon Provisioning

Logical-to-Physical Block Mapping
• Created during provisioning
• Destroyed during de-provisioning

Failed or Decommissioned Hardware
• Degaussed
• Physically destroyed

Page 21: 16h30   aws gru security deck

Network Security Considerations

DDoS (Distributed Denial of Service):
• Standard mitigation techniques in effect

MITM (Man in the Middle):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot

IP Spoofing:
• Prohibited at host OS level

Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Ineffective anyway since inbound ports blocked by default

Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level

Page 22: 16h30   aws gru security deck

Amazon Virtual Private Cloud (VPC)

Create a logically isolated environment in Amazon’s highly scalable infrastructure

Specify your private IP address range into one or more public or private subnets

Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists

Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups

Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet

Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect

Use a wizard to easily create your VPC in 4 different topologies
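How the stateless Network ACLs and stateful Security Groups on this slide differ for one HTTPS request and its reply, using the protocol/port/source-CIDR matching and default-deny inbound behaviour described on the earlier slides. This is an added model, not code from the deck or from AWS; addresses and rules are constructed samples, and real network ACLs also carry numbered allow/deny entries that are reduced to allow-only lists here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    proto: str     # "tcp" or "udp"
    ports: range   # destination ports covered
    cidr: str      # peer range: source for inbound, destination for outbound
    def matches(self, proto, port, peer):
        return (proto == self.proto and port in self.ports and
                ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))

class SecurityGroup:
    """Stateful and default-deny inbound; only the reply path is modelled outbound."""
    def __init__(self, inbound):
        self.inbound, self.flows = inbound, set()
    def allow_in(self, p):
        ok = any(r.matches(p.proto, p.dport, p.src) for r in self.inbound)
        if ok:  # remember the accepted flow so its replies pass without a rule
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return ok
    def allow_out(self, p):
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows

class NetworkAcl:
    """Stateless: each direction is judged only by its own rule list."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
    def allow_in(self, p):
        return any(r.matches(p.proto, p.dport, p.src) for r in self.inbound)
    def allow_out(self, p):
        return any(r.matches(p.proto, p.dport, p.dst) for r in self.outbound)

def round_trip(flt, req):
    # Returns (request admitted, reply admitted) for one client request
    reply = Packet(req.proto, req.dst, req.dport, req.src, req.sport)
    return flt.allow_in(req), flt.allow_out(reply)

HTTPS_IN = Rule("tcp", range(443, 444), "203.0.113.0/24")        # constructed rule
EPHEMERAL_OUT = Rule("tcp", range(1024, 65536), "203.0.113.0/24")
REQ = Packet("tcp", "203.0.113.10", 50123, "10.0.1.5", 443)      # constructed packet

if __name__ == "__main__":
    print("security group:           ", round_trip(SecurityGroup([HTTPS_IN]), REQ))
    print("ACL, inbound rule only:   ", round_trip(NetworkAcl([HTTPS_IN], []), REQ))
    print("ACL, plus ephemeral egress:", round_trip(NetworkAcl([HTTPS_IN], [EPHEMERAL_OUT]), REQ))
```

The ACL with only an inbound rule admits the request but drops the reply, which is why a subnet ACL needs an explicit outbound entry for the client's ephemeral port range.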

Page 23: 16h30   aws gru security deck

Amazon VPC Architecture

Page 24: 16h30   aws gru security deck

Amazon VPC Network Security Controls

Page 25: 16h30   aws gru security deck

Amazon VPC - Dedicated Instances

New option to ensure physical hosts are not shared with other customers

$10/hr flat fee per Region + small hourly charge

Can identify specific Instances as dedicated

Optionally configure entire VPC as dedicated

Page 26: 16h30   aws gru security deck

AWS Deployment Models

Table columns:
• Logical Server and Application Isolation
• Granular Information Access Policy
• Logical Network Isolation
• Physical server Isolation
• Government Only Physical Network and Facility Isolation
• ITAR Compliant (US Persons Only)
• Sample Workloads

Sample Workloads
• Commercial Cloud: Public facing apps, web sites, dev/test, etc.
• Virtual Private Cloud (VPC): Data center extension, TIC environment, email, FISMA Low and Moderate
• AWS GovCloud (US): US Persons Compliant and Government Specific Apps.

Page 27: 16h30   aws gru security deck

Thanks!

Remember to visit https://aws.amazon.com/security