Aws security overview q3 2010 v2


Page 1: Aws security overview q3 2010 v2

AWS: OVERVIEW OF SECURITY PROCESSES

Stephen Schmidt

Chief Information Security Officer

[email protected]

Page 2: Aws security overview q3 2010 v2

OVERVIEW

• Certifications

• SAS70 Type II

• Physical Security

• Backups

• Amazon EC2 Security

• Network Security

• Amazon S3 Security

• Amazon SimpleDB Security

• Amazon SQS Security

• Amazon CloudFront Security

• Amazon Elastic MapReduce

Page 3: Aws security overview q3 2010 v2

AWS SECURITY RESOURCES

• http://aws.amazon.com/security/

• Security Whitepaper

• Latest Version 8/24/2010

• Updated bi-annually

• Feedback is welcome

Page 4: Aws security overview q3 2010 v2

AWS CERTIFICATIONS

• Shared Responsibility Model

• Sarbanes-Oxley (SOX)

• SAS70 Type II Audit

• FISMA A&A – NIST Low Approvals to Operate

– Actively pursuing NIST Moderate

– FedRAMP

• Pursuing ISO 27001 Certification

• Customers have deployed various compliant applications such as HIPAA (healthcare)

Page 5: Aws security overview q3 2010 v2

SAS70 TYPE II

• Based on the Control Objectives for Information and related Technology (COBIT), which is a set of established best practices (transitioning to ISO 27001)

• Covers Access (Security), Change Management and Operations of Amazon EC2 and Amazon S3

• Audit conducted by an independent accounting firm (E&Y) on a recurring basis

Page 6: Aws security overview q3 2010 v2

SAS70 TYPE II – CONTROL OBJECTIVES

• Control Objective 1: Security Organization

• Control Objective 2: Amazon Employee Lifecycle

• Control Objective 3: Logical Security

• Control Objective 4: Secure Data Handling

• Control Objective 5: Physical Security

• Control Objective 6: Environmental Safeguards

• Control Objective 7: Change Management

• Control Objective 8: Data Integrity, Availability and Redundancy

• Control Objective 9: Incident Handling

Page 7: Aws security overview q3 2010 v2

PHYSICAL SECURITY

• Amazon has been building large-scale data centers for many years

• Important attributes:

– Non-descript facilities

– Robust perimeter controls

– Strictly controlled physical access

– 2 or more levels of two-factor auth

• Controlled, need-based access for AWS employees (least privilege)

• All access is logged and reviewed

Page 8: Aws security overview q3 2010 v2

FAULT SEPARATION AND GEOGRAPHIC DIVERSITY

[Diagram: four Regions, each drawn with two or more Availability Zones (labelled A through D), with Amazon CloudWatch shown across them]

– EU West Region (IRE): Availability Zone A, Availability Zone B

– US East Region (N. VA): Availability Zone A, Availability Zone B, Availability Zone C

– APAC Region (Singapore): Availability Zone A, Availability Zone B

– US West Region (N. CA): Availability Zone A, Availability Zone B

Note: Conceptual drawing only. The number of Availability Zones may vary

Page 9: Aws security overview q3 2010 v2

DATA BACKUPS

• Data stored in Amazon S3, Amazon SimpleDB, and Amazon EBS is stored redundantly in multiple physical locations

• Amazon EBS redundancy remains within a single Availability Zone

• Amazon S3 and Amazon SimpleDB replicate customer objects across storage systems in multiple Availability Zones to ensure durability

– Equivalent to more traditional backup solutions, but offers much higher data availability and throughput

• Data stored on Amazon EC2 local disks must be proactively copied to Amazon EBS or Amazon S3 for redundancy

Page 10: Aws security overview q3 2010 v2

AWS MULTI-FACTOR AUTHENTICATION

A recommended opt-in security feature of your Amazon Web Services (AWS) account

Page 11: Aws security overview q3 2010 v2

AWS MFA BENEFITS

• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you

• Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console

• Adds an extra layer of protection to sensitive information, such as your AWS access identifiers

• Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data

Page 12: Aws security overview q3 2010 v2

IAM – AWS IDENTITY AND ACCESS MANAGEMENT

• A brand new service designed for our entire range of users

• Multiple user identities per AWS account

• Enhanced security

• Better control

• Integrated with other services

Page 13: Aws security overview q3 2010 v2

IAM – AWS IDENTITY AND ACCESS MANAGEMENT

• Create users and groups within an AWS account

• Each user has unique security credentials:

– Access keys

– Login/Password

– MFA device

• Put users in groups

• Create policy statements for users or groups

• Control access to resources

• Control access to APIs
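The slide lists the building blocks (users, groups, policy statements that control access to resources and APIs) without showing how a request is decided. The following is an added example, not AWS code: a small model of that evaluation in which statements attached to a user or a group allow or deny actions on resources, access is denied by default, and an explicit Deny wins over any Allow. All group names, user names, actions and resource names in it are constructed.

```python
"""Simplified model of IAM users, groups and policy statements.

Added example, not AWS code. Statements attached to a user or a group
allow or deny API actions on resources; evaluation is default deny and
an explicit Deny overrides any Allow. Names, ARNs and actions below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Statement:
    effect: str       # "Allow" or "Deny"
    actions: list     # action patterns, e.g. ["s3:GetObject", "ec2:Describe*"]
    resources: list   # resource patterns, e.g. ["arn:aws:s3:::dev-bucket/*"]


@dataclass
class Group:
    name: str
    policies: list = field(default_factory=list)


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    policies: list = field(default_factory=list)

    def statements(self):
        """Statements attached directly to the user plus those of its groups."""
        yield from self.policies
        for group in self.groups:
            yield from group.policies


def _matches(patterns, value):
    """Glob match ('*' wildcard) of an action or resource name against patterns."""
    return any(fnmatchcase(value, pattern) for pattern in patterns)


def is_allowed(user, action, resource):
    """Default deny: a request needs a matching Allow and no matching Deny."""
    allowed = False
    for st in user.statements():
        if _matches(st.actions, action) and _matches(st.resources, resource):
            if st.effect == "Deny":
                return False        # explicit deny overrides every Allow
            allowed = True
    return allowed


# Constructed account layout: two groups and two users.
developers = Group("developers", [
    Statement("Allow", ["ec2:Describe*"], ["*"]),
    Statement("Allow", ["s3:GetObject", "s3:PutObject"], ["arn:aws:s3:::dev-bucket/*"]),
])
admins = Group("admins", [Statement("Allow", ["*"], ["*"])])

alice = User("alice", groups=[developers])
bob = User("bob", groups=[developers, admins], policies=[
    # Per-user guard rail: even an admin may not delete the audit trail.
    Statement("Deny", ["s3:DeleteObject"], ["arn:aws:s3:::audit-logs/*"]),
])


def evaluate_requests():
    """Sample API requests, returned as {description: allowed?}."""
    return {
        "alice DescribeInstances": is_allowed(alice, "ec2:DescribeInstances", "*"),
        "alice TerminateInstances": is_allowed(alice, "ec2:TerminateInstances", "*"),
        "alice GetObject dev-bucket": is_allowed(alice, "s3:GetObject", "arn:aws:s3:::dev-bucket/build.log"),
        "alice GetObject audit-logs": is_allowed(alice, "s3:GetObject", "arn:aws:s3:::audit-logs/2010-08.log"),
        "bob DeleteObject audit-logs": is_allowed(bob, "s3:DeleteObject", "arn:aws:s3:::audit-logs/2010-08.log"),
        "bob DeleteObject dev-bucket": is_allowed(bob, "s3:DeleteObject", "arn:aws:s3:::dev-bucket/build.log"),
    }


if __name__ == "__main__":
    for request, ok in evaluate_requests().items():
        print(f"{request}: {'allow' if ok else 'deny'}")
```

The per-user Deny on bob is the point of the model: group membership grants broad rights, while a narrow statement attached to the user still blocks one action on one resource, which is how least privilege is kept even for administrative accounts.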

Page 14: Aws security overview q3 2010 v2

AMAZON EC2 SECURITY

• Host operating system

– Individual SSH keyed logins via bastion host for AWS admins

– All accesses logged and audited

• Guest operating system

– Customer controlled at root level

– AWS admins cannot log in

– Customer-generated keypairs

• Stateful firewall

– Mandatory inbound firewall, default deny mode

• Signed API calls

– Require X.509 certificate or customer’s secret AWS key
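To show what "signed API calls with the customer's secret AWS key" means in practice, here is an added example that is not AWS library code. It follows the Signature Version 2 layout the Query APIs used at the time (verb, lower-cased host, path and sorted RFC 3986-encoded parameters joined into a string to sign, then HMAC-SHA256 under the secret key, base64-encoded) and adds the server-side check with a replay window. The access key, secret key, API version string and the 15-minute window are assumptions for the example.

```python
"""Signing a Query API call with the account's secret key.

Added example, not AWS library code. Follows the Signature Version 2
scheme: the HTTP verb, lower-cased host, request path and the sorted,
RFC 3986-encoded query parameters are joined into a string to sign and
authenticated with HMAC-SHA256 under the secret key, which never leaves
the client. Access key, secret key, API version and replay window below
are constructed values.
"""
import base64
import hashlib
import hmac
from datetime import datetime
from urllib.parse import quote

ACCESS_KEY_ID = "AKIAEXAMPLEKEYID"                     # constructed
SECRET_KEY = b"constructed-secret-key-do-not-use"      # constructed
MAX_SKEW_SECONDS = 900                                 # replay window, an assumption
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _encode(value):
    """RFC 3986 encoding: only unreserved characters are left as-is."""
    return quote(str(value), safe="-_.~")


def canonical_query(params):
    """Sort parameters by name in byte order and join as name=value&...; the
    Signature parameter itself is never part of the string to sign."""
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{_encode(k)}={_encode(v)}" for k, v in items)


def string_to_sign(method, host, path, params):
    return "\n".join([method, host.lower(), path, canonical_query(params)])


def _mac(method, host, path, params, secret_key):
    digest = hmac.new(secret_key, string_to_sign(method, host, path, params).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, host, path, params, secret_key=SECRET_KEY):
    """Client side: add the identity and version fields, then the Signature."""
    signed = dict(params)
    signed.update({"AWSAccessKeyId": ACCESS_KEY_ID,
                   "SignatureVersion": "2",
                   "SignatureMethod": "HmacSHA256"})
    signed["Signature"] = _mac(method, host, path, signed, secret_key)
    return signed


def verify_request(method, host, path, params, now, secret_key=SECRET_KEY):
    """Server side: recompute the MAC under the key belonging to the presented
    AWSAccessKeyId, compare in constant time, then reject a Timestamp outside
    the replay window. `now` is a TIME_FORMAT string so the check is
    deterministic; a real service would use its clock."""
    presented = params.get("Signature", "")
    if not hmac.compare_digest(presented, _mac(method, host, path, params, secret_key)):
        return False
    try:
        sent = datetime.strptime(params.get("Timestamp", ""), TIME_FORMAT)
    except ValueError:
        return False
    skew = abs((datetime.strptime(now, TIME_FORMAT) - sent).total_seconds())
    return skew <= MAX_SKEW_SECONDS


def example_request():
    """A constructed DescribeInstances call, signed."""
    params = {"Action": "DescribeInstances",
              "Version": "2010-08-31",                 # illustrative API version
              "Timestamp": "2010-08-24T12:00:00Z"}
    return sign_request("GET", "ec2.amazonaws.com", "/", params)


if __name__ == "__main__":
    req = example_request()
    print(string_to_sign("GET", "ec2.amazonaws.com", "/", req))
    print("Signature:", req["Signature"])
```

Two properties matter for the security claim on the slide: the secret key is used only to compute the MAC, so an eavesdropper sees the access key id and the signature but never the key, and any change to a signed parameter (the action, the timestamp, the target) invalidates the signature, so a captured call cannot be altered or, once the timestamp window has passed, replayed.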

Page 15: Aws security overview q3 2010 v2

AMAZON EC2 INSTANCE ISOLATION

[Diagram: physical interfaces feed the hypervisor, which presents virtual interfaces to the instances of Customer 1, Customer 2 … Customer n; a firewall sits between the hypervisor and each customer’s instances, enforcing Customer 1, Customer 2 and Customer n security groups]

Page 16: Aws security overview q3 2010 v2

VIRTUAL MEMORY & LOCAL DISK

[Diagram: Amazon EC2 instances, one shown with an encrypted file system and an encrypted swap file]

• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another

• Local disk storage can also be encrypted by the customer for an added layer of security

Page 17: Aws security overview q3 2010 v2

NETWORK TRAFFIC FLOW SECURITY

[Diagram: inbound traffic to Amazon EC2 instances passes through Amazon Security Groups and then through iptables on the instance, which is shown with an encrypted file system and an encrypted swap file]

• Inbound traffic must be explicitly specified by protocol, port, and security group

• iptables may be implemented as a completely user controlled security layer for granular access control of discrete hosts, including other Amazon Web Services (Amazon S3/SimpleDB, etc.)

Page 18: Aws security overview q3 2010 v2

MULTI-TIER SECURITY ARCHITECTURE

[Diagram: Web Tier, Application Tier and Database Tier (with EBS Volume), each behind the Amazon EC2 Security Group Firewall]

• Ports 80 and 443 only open to the Internet

• Engineering staff have ssh access to the App Tier, which acts as Bastion

• All other Internet ports blocked by default

• Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier

• AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers
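The two preceding slides describe the security-group rules (inbound denied unless a rule names protocol, port and source, where the source may be a CIDR block or another security group) and the three-tier layout they are meant to produce. The following added example, which is not AWS code, models that evaluation and applies it to the web, application and database tiers of the diagram so that each flow can be checked: only 80/443 reach the web tier from the Internet, the application tier accepts the web tier's traffic and ssh from an office range, and the database tier accepts only the application tier. Group names, addresses and port numbers are constructed.

```python
"""Model of EC2 security-group evaluation for a three-tier deployment.

Added example, not AWS code. Inbound traffic is denied unless a rule on
one of the destination's groups names its protocol, port range and
source; the source is either a CIDR block or the name of another
security group, in which case every instance in that group matches.
The model has inbound rules only, matching the slides. All names,
addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str      # "tcp", "udp" or "icmp"
    port_from: int
    port_to: int
    source: str        # CIDR string, or the name of a security group


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)   # inbound only; empty means deny all


@dataclass
class Instance:
    name: str
    address: str
    groups: list        # SecurityGroup objects attached to the instance


def _source_matches(rule, src_instance, src_ip):
    if "/" in rule.source:                      # CIDR source
        return ip_address(src_ip) in ip_network(rule.source)
    # Security-group source: the sending instance must carry that group.
    return src_instance is not None and any(g.name == rule.source for g in src_instance.groups)


def inbound_allowed(dst, protocol, port, src_ip, src_instance=None):
    """True only if some rule on one of dst's groups explicitly permits the flow."""
    for group in dst.groups:
        for rule in group.rules:
            if (rule.protocol == protocol
                    and rule.port_from <= port <= rule.port_to
                    and _source_matches(rule, src_instance, src_ip)):
                return True
    return False                                # default deny


# Constructed security groups for the three tiers on the slide.
web_sg = SecurityGroup("web", [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
])
app_sg = SecurityGroup("app", [
    Rule("tcp", 8080, 8080, "web"),             # only the web tier may call the app tier
    Rule("tcp", 22, 22, "203.0.113.0/24"),      # engineering office range (constructed); app tier is the bastion
])
db_sg = SecurityGroup("db", [
    Rule("tcp", 3306, 3306, "app"),             # database reachable from the app tier only
    Rule("tcp", 22, 22, "app"),                 # ssh to the database only via the bastion
])

web = Instance("web-1", "10.0.1.10", [web_sg])
app = Instance("app-1", "10.0.2.10", [app_sg])
db = Instance("db-1", "10.0.3.10", [db_sg])


def evaluate_flows():
    """Sample flows through the tiers, returned as {description: allowed?}."""
    return {
        "internet->web:443": inbound_allowed(web, "tcp", 443, "198.51.100.7"),
        "internet->web:22": inbound_allowed(web, "tcp", 22, "198.51.100.7"),
        "web->app:8080": inbound_allowed(app, "tcp", 8080, web.address, web),
        "internet->app:8080": inbound_allowed(app, "tcp", 8080, "198.51.100.7"),
        "office->app:22": inbound_allowed(app, "tcp", 22, "203.0.113.5"),
        "app->db:3306": inbound_allowed(db, "tcp", 3306, app.address, app),
        "web->db:3306": inbound_allowed(db, "tcp", 3306, web.address, web),
        "office->db:22": inbound_allowed(db, "tcp", 22, "203.0.113.5"),
    }


if __name__ == "__main__":
    for flow, ok in evaluate_flows().items():
        print(f"{flow}: {'allow' if ok else 'deny'}")
```

Referencing a security group rather than an address as the rule source is what keeps the tiers coupled correctly as instances come and go: a new application-tier instance inherits access to the database the moment it is launched into the `app` group, and nothing outside that group, including the web tier, is ever granted it.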

Page 19: Aws security overview q3 2010 v2

NETWORK SECURITY CONSIDERATIONS

• DDoS (Distributed Denial of Service):

– Standard mitigation techniques in effect

• MITM (Man in the Middle):

– All endpoints protected by SSL

– Fresh EC2 host keys generated at boot

• IP Spoofing:

– Prohibited at host OS level

• Unauthorized Port Scanning:

– Violation of AWS TOS

– Detected, stopped, and blocked

– Ineffective anyway since inbound ports blocked by default

• Packet Sniffing:

– Promiscuous mode is ineffective

– Protection at hypervisor level

• Configuration Management:

– Configuration changes are authorized, logged, tested, approved, and documented

– Most updates are done in such a manner that they will not impact the customer

– AWS will communicate with customers, either via email, or through the AWS Service Health Dashboard (http://status.aws.amazon.com/) when there is a chance that their Service use may be affected.
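The slide says unauthorized port scanning is detected and blocked, and that it is ineffective anyway because inbound ports are denied by default. Those two statements fit together: on a default-deny firewall a scan is visible as a burst of dropped connection attempts from one source to many ports. The following added example, which is not AWS's detection system, shows the simplest form of that detector run over constructed firewall log lines. The log format, the 60-second window and the five-port threshold are assumptions for the example.

```python
"""Flagging a port scan in firewall logs.

Added example, not AWS's detection system. A source whose dropped probes
reach many distinct destination ports on one host within a short window
is reported. The log format, window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<timestamp> <ACCEPT|DROP> <src> -> <dst>:<port>/<proto>".
SAMPLE_LOG = """\
2010-08-24T12:00:01Z DROP 198.51.100.9 -> 10.0.1.10:21/tcp
2010-08-24T12:00:01Z DROP 198.51.100.9 -> 10.0.1.10:22/tcp
2010-08-24T12:00:02Z DROP 198.51.100.9 -> 10.0.1.10:23/tcp
2010-08-24T12:00:02Z DROP 198.51.100.9 -> 10.0.1.10:25/tcp
2010-08-24T12:00:03Z DROP 198.51.100.9 -> 10.0.1.10:110/tcp
2010-08-24T12:00:03Z DROP 198.51.100.9 -> 10.0.1.10:143/tcp
2010-08-24T12:00:04Z DROP 198.51.100.9 -> 10.0.1.10:3306/tcp
2010-08-24T12:00:05Z ACCEPT 203.0.113.5 -> 10.0.1.10:443/tcp
2010-08-24T12:00:06Z ACCEPT 203.0.113.5 -> 10.0.1.10:443/tcp
2010-08-24T12:00:09Z DROP 203.0.113.5 -> 10.0.1.10:8443/tcp
"""

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (\S+) -> (\S+):(\d+)/(\w+)$")
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, action, src, dst, port, proto = m.groups()
        events.append({"time": datetime.strptime(ts, TIME_FORMAT), "action": action,
                       "src": src, "dst": dst, "port": int(port), "proto": proto})
    return events


def find_port_scans(events, window_seconds=60, min_ports=5):
    """Return {(src, dst): sorted distinct ports} for every pair whose dropped
    probes touched at least min_ports distinct ports inside window_seconds.
    Only drops count: on a default-deny firewall a scan shows up as drops,
    while legitimate traffic to open ports is accepted and ignored here."""
    probes = defaultdict(list)
    for e in events:
        if e["action"] == "DROP":
            probes[(e["src"], e["dst"])].append((e["time"], e["port"]))
    scans = {}
    for pair, hits in probes.items():
        hits.sort()                              # time order for the sliding window
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                scans[pair] = sorted(ports)
                break
    return scans


if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible scan from {src} against {dst}: ports {ports}")
```

The single dropped probe from 203.0.113.5 is not reported: a lone drop is normal (a mistyped port, a stale client), and the threshold is what separates that from a sweep. In production the window and threshold are tuned per environment, and the output feeds a blocking or alerting step rather than being printed.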

Page 20: Aws security overview q3 2010 v2

NETWORK TRAFFIC CONFIDENTIALITY

[Diagram: Amazon EC2 instances (one shown with an encrypted file system and an encrypted swap file) exchanging Internet traffic, with a VPN to the Corporate Network]

• All traffic should be cryptographically controlled

• Inbound and outbound traffic to corporate networks should be wrapped within industry standard VPN tunnels (option to use Amazon VPC)

Page 21: Aws security overview q3 2010 v2

AMAZON VPC

[Diagram: the Customer’s Network connects through a Router to a VPN Gateway in the Amazon Web Services Cloud over a secure VPN connection across the Internet, reaching Subnets that hold the Customer’s isolated AWS resources]

Page 22: Aws security overview q3 2010 v2

AMAZON VPC CAPABILITIES

• Create an isolated environment within AWS

• Establish subnets to control who and what can access your resources

• Connect your isolated AWS resources and your IT infrastructure via a VPN connection

• Launch AWS resources within the isolated network

• Use your existing security and networking technologies to examine traffic to/from your isolated resources

• Extend your existing security and management policies within your IT infrastructure to your isolated AWS resources as if they were running within your infrastructure

Page 23: Aws security overview q3 2010 v2

VPC SUPPORTED DEVICES

• Any device that:

– Establishes IKE Security Association using Pre-Shared Keys

– Establishes IPsec Security Associations in Tunnel mode

– Utilizes the AES 128-bit encryption function

– Utilizes the SHA-1 hashing function

– Utilizes Diffie-Hellman Perfect Forward Secrecy in “Group 2” mode

– Establishes Border Gateway Protocol (BGP) peerings

– Binds tunnel to logical interface (route-based VPN)

– Utilizes IPsec Dead Peer Detection

Page 24: Aws security overview q3 2010 v2

AMAZON S3 SECURITY

• Access controls at bucket and object level:

– Read, Write, Full

• Owner has full control

• Customer Encryption

– SSL Supported

• Durability 99.999999999%

• Availability 99.99%

• Versioning (MFA Delete)

• Detailed Access Logging

• Storage Device Decommissioning

– DoD 5220.22-M/NIST 800-88 to destroy data

Page 25: Aws security overview q3 2010 v2

YOUR INPUT IS IMPORTANT…

• Thoughts/questions about our SAS70 Type II Audit?

• Other certifications, compliance requirements or audits to explore?

• What risk & compliance services should AWS consider offering natively?

• How can we further promote AWS security posture?

Page 26: Aws security overview q3 2010 v2

THANK YOU

aws.amazon.com

[email protected]

Page 27: Aws security overview q3 2010 v2

© 2008-2009 Amazon.com, Inc., or its affiliates. This presentation is provided for informational purposes only. Amazon Web Services LLC is not responsible for any damages related to the information in this presentation, which is provided “as is” without warranty of any kind, whether express, implied, or statutory. Nothing in this presentation creates any warranties or representations from Amazon Web Services LLC, its affiliates, suppliers, or licensors. This presentation does not modify the applicable terms and conditions governing your use of Amazon Web Services technologies, including the Amazon Web Services website. This presentation represents Amazon Web Services' current product offerings as of the date of issue of this document, which are subject to change without notice.

This presentation is dated August 2010. Please visit aws.amazon.com to ensure that you have the latest version.