3. AWS SECURITY RESOURCES
• http://aws.amazon.com/security/
• Security Whitepaper
• Latest Version 8/24/2010
• Updated bi-annually
• Feedback is welcome
4. AWS CERTIFICATIONS
• Shared Responsibility Model
• Sarbanes-Oxley (SOX)
• SAS70 Type II Audit
• FISMA A&A
– NIST Low Approvals to Operate
– Actively pursuing NIST Moderate
– FedRAMP
• Pursuing ISO 27001 Certification
• Customers have deployed various compliant applications such as HIPAA (healthcare)
5. SAS70 TYPE II
• Based on the Control Objectives for Information and related Technology (COBIT), which is a set of established best practices (transitioning to ISO 27001)
• Covers Access (Security), Change Management and Operations of Amazon EC2 and Amazon S3
• Audit conducted by an independent accounting firm (E&Y) on a recurring basis
6. SAS70 TYPE II – CONTROL OBJECTIVES
• Control Objective 1: Security Organization
• Control Objective 2: Amazon Employee Lifecycle
• Control Objective 3: Logical Security
• Control Objective 4: Secure Data Handling
• Control Objective 5: Physical Security
• Control Objective 6: Environmental Safeguards
• Control Objective 7: Change Management
• Control Objective 8: Data Integrity, Availability and Redundancy
• Control Objective 9: Incident Handling
7. PHYSICAL SECURITY
• Amazon has been building large-scale data centers for many years
• Important attributes:
– Non-descript facilities
– Robust perimeter controls
– Strictly controlled physical access
– 2 or more levels of two-factor auth
• Controlled, need-based access for AWS employees (least privilege)
• All access is logged and reviewed
8. FAULT SEPARATION AND GEOGRAPHIC DIVERSITY
[Diagram: four Regions, US East (N. VA), US West (N. CA), EU West (IRE) and APAC (Singapore), each divided into multiple Availability Zones; Amazon CloudWatch also shown]
Note: Conceptual drawing only. The number of Availability Zones may vary
9. DATA BACKUPS
• Data stored in Amazon S3, Amazon SimpleDB, and Amazon EBS is stored redundantly in multiple physical locations
• Amazon EBS redundancy remains within a single Availability Zone
• Amazon S3 and Amazon SimpleDB replicate customer objects across storage systems in multiple Availability Zones to ensure durability
– Equivalent to more traditional backup solutions, but offers much higher data availability and throughput
• Data stored on Amazon EC2 local disks must be proactively copied to Amazon EBS or Amazon S3 for redundancy
10. AWS MULTI-FACTOR AUTHENTICATION
A recommended opt-in security feature of your Amazon Web Services (AWS) account
11. AWS MFA BENEFITS
• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console
• Adds an extra layer of protection to sensitive information, such as your AWS access identifiers
• Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data
12. IAM – AWS IDENTITY AND ACCESS MANAGEMENT
• A brand new service designed for our entire range of users
• Multiple user identities per AWS account
• Enhanced security
• Better control
• Integrated with other services
13. IAM – AWS IDENTITY AND ACCESS MANAGEMENT
• Create users and groups within an AWS account
• Each user has unique security credentials:
– Access keys
– Login/Password
– MFA device
• Put users in groups
• Create policy statements for users or groups
• Control access to resources
• Control access to APIs
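An added example, not code from this deck or from AWS, of the evaluation rules behind the policy statements above: a user's effective permissions are the union of its own statements and those of its groups, the default is deny, and an explicit Deny wins over any Allow. The policies, user names and group names are constructed for illustration.

```python
import fnmatch

# Constructed example policies (not AWS documents). Each statement names an
# Effect, the API actions it covers and the resources it applies to; Action and
# Resource patterns use "*" wildcards as IAM policy statements do.
GROUP_POLICIES = {
    "developers": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetObject"],
         "Resource": ["*"]},
    ],
    "ops": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
        # Explicit deny: nobody in ops may delete objects in the audit-log bucket.
        {"Effect": "Deny", "Action": ["s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::audit-logs/*"]},
    ],
}

USER_POLICIES = {
    "alice": [{"Effect": "Allow", "Action": ["s3:*"],
               "Resource": ["arn:aws:s3:::audit-logs/*"]}],
}

USER_GROUPS = {"alice": ["developers", "ops"], "bob": ["developers"]}


def _matches(patterns, value):
    """Case-insensitive wildcard match for action and resource patterns."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_allowed(user, action, resource):
    """Evaluate a request against the user's effective policy: the user's own
    statements plus every statement of every group it belongs to. Nothing
    matching means deny; a matching Deny is final even if an Allow also matches."""
    statements = list(USER_POLICIES.get(user, []))
    for group in USER_GROUPS.get(user, []):
        statements.extend(GROUP_POLICIES.get(group, []))

    allowed = False
    for st in statements:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False          # explicit deny wins
            allowed = True
    return allowed                    # implicit deny if nothing matched
```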
14. AMAZON EC2 SECURITY
• Host operating system
– Individual SSH keyed logins via bastion host for AWS admins
– All accesses logged and audited
• Guest operating system
– Customer controlled at root level
– AWS admins cannot log in
– Customer-generated keypairs
• Stateful firewall
– Mandatory inbound firewall, default deny mode
• Signed API calls
– Require X.509 certificate or customer’s secret AWS key
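An added example, not the deck's or AWS's code, of what the secret-key path of "signed API calls" involves: the client computes an HMAC over a canonical form of the request and the service recomputes and compares it, so a request with a changed parameter or a wrong key is rejected. The canonical layout is modelled on AWS Query Signature Version 2 (an assumption; the slide does not name the scheme), and the credentials are placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials, not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEPLACEHOLDER"
SECRET_KEY = "constructed-secret-key-for-illustration-only"


def _string_to_sign(method, host, path, params):
    # Canonical request: method, lowercase host, path, then the query
    # parameters sorted by name and RFC 3986 percent-encoded, joined with "&".
    canonical = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                         for k, v in sorted(params.items()))
    return "\n".join([method, host.lower(), path, canonical])


def _signature(method, host, path, params, secret):
    digest = hmac.new(secret.encode(),
                      _string_to_sign(method, host, path, params).encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, host, path, params, secret):
    """Client side: add the identity and signing parameters, then the
    Signature computed with the caller's secret key over everything else."""
    signed = dict(params)
    signed.update({"AWSAccessKeyId": ACCESS_KEY_ID, "SignatureVersion": "2",
                   "SignatureMethod": "HmacSHA256"})
    signed["Signature"] = _signature(method, host, path, signed, secret)
    return signed


def verify_request(method, host, path, params, secret):
    """Server side: recompute the signature without the Signature parameter
    (using the secret looked up for AWSAccessKeyId) and compare in constant
    time; any change to a signed parameter makes this fail."""
    received = params.get("Signature", "")
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    return hmac.compare_digest(_signature(method, host, path, unsigned, secret),
                               received)
```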
15. AMAZON EC2 INSTANCE ISOLATION
[Diagram: layers from top to bottom: Customer 1, Customer 2 … Customer n instances; Hypervisor; Virtual Interfaces; per-customer Security Groups (Customer 1 … Customer n); Firewall; Physical Interfaces]
16. VIRTUAL MEMORY & LOCAL DISK
[Diagram: Amazon EC2 instances, each with an Encrypted File System and an Encrypted Swap File]
• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an added layer of security
17. NETWORK TRAFFIC FLOW SECURITY
[Diagram: Inbound Traffic passes through Amazon Security Groups before reaching Amazon EC2 instances, which run iptables and have an Encrypted File System and an Encrypted Swap File]
• Inbound traffic must be explicitly specified by protocol, port, and security group
• iptables may be implemented as a completely user controlled security layer for granular access control of discrete hosts, including other Amazon Web Services (Amazon S3/SimpleDB, etc.)
18. MULTI-TIER SECURITY ARCHITECTURE
[Diagram: Web Tier, Application Tier and Database Tier (with EBS Volume) behind the Amazon EC2 Security Group Firewall, with the following callouts]
• AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers
• Ports 80 and 443 only open to the Internet
• All other Internet ports blocked by default
• Engineering staff have ssh access to the App Tier, which acts as Bastion
• Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier
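To make the default-deny security group rules of slides 17 and 18 concrete, here is an added example (constructed, not the deck's or AWS's code) that models the three tiers as security groups and evaluates inbound flows. Group names, ports and the 10.0.x.x and 203.0.113.0/24 addresses are assumptions; the point it shows is that a rule's source can be another security group, which is what lets only the web tier reach the app tier and only the app tier reach the database, while 80 and 443 are the sole ports open to the Internet.

```python
import ipaddress
from collections import namedtuple

# Constructed rules modelling the multi-tier diagram (not an AWS export).
# A rule's source is either a CIDR or the name of another security group;
# each instance belongs to exactly one group here for simplicity.
Rule = namedtuple("Rule", "proto port source")

SECURITY_GROUPS = {
    "web": [Rule("tcp", 80, "0.0.0.0/0"), Rule("tcp", 443, "0.0.0.0/0")],
    "app": [Rule("tcp", 8080, "web"),            # only the web tier reaches the app tier
            Rule("tcp", 22, "203.0.113.0/24")],  # engineering staff ssh (constructed range)
    "db":  [Rule("tcp", 3306, "app"),            # only the app tier reaches the database
            Rule("tcp", 22, "app")],             # 3rd-party ssh comes via the app-tier bastion
}

# Instance inventory: private IP -> security group (constructed addresses).
INSTANCES = {"10.0.1.10": "web", "10.0.2.10": "app", "10.0.3.10": "db"}


def inbound_allowed(dst_group, proto, port, src_ip):
    """Default deny: inbound traffic passes only if some rule in the
    destination group names its protocol and port and a source that matches
    either the sender's address (CIDR) or the sender's security group."""
    src_group = INSTANCES.get(src_ip)
    for rule in SECURITY_GROUPS.get(dst_group, []):
        if rule.proto != proto or rule.port != port:
            continue
        if "/" in rule.source:
            if ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source):
                return True
        elif rule.source == src_group:
            return True
    return False


def audit_internet_exposure():
    """List (group, port) pairs reachable from anywhere; per the slide, only
    ports 80 and 443 on the web tier should appear."""
    return sorted((g, r.port) for g, rules in SECURITY_GROUPS.items()
                  for r in rules if r.source == "0.0.0.0/0")
```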
19. NETWORK SECURITY CONSIDERATIONS
• DDoS (Distributed Denial of Service):
– Standard mitigation techniques in effect
• MITM (Man in the Middle):
– All endpoints protected by SSL
– Fresh EC2 host keys generated at boot
• IP Spoofing:
– Prohibited at host OS level
• Unauthorized Port Scanning:
– Violation of AWS TOS
– Detected, stopped, and blocked
– Ineffective anyway since inbound ports blocked by default
• Packet Sniffing:
– Promiscuous mode is ineffective
– Protection at hypervisor level
• Configuration Management:
– Configuration changes are authorized, logged, tested, approved, and documented
Most updates are done in such a manner that they will not impact the customer
AWS will communicate with customers, either via email, or through the AWS Service Health Dashboard (http://status.aws.amazon.com/) when there is a chance that their Service use may be affected.
20. NETWORK TRAFFIC CONFIDENTIALITY
[Diagram: Amazon EC2 instances (Encrypted File System, Encrypted Swap File) exchanging Internet Traffic with a Corporate Network over a VPN]
• All traffic should be cryptographically controlled
• Inbound and outbound traffic to corporate networks should be wrapped within industry standard VPN tunnels (option to use Amazon VPC)
21. AMAZON VPC
[Diagram: the Customer’s isolated AWS resources (Subnets, Router, VPN Gateway) inside the Amazon Web Services Cloud, linked by a Secure VPN Connection over the Internet to the Customer’s Network]
22. AMAZON VPC CAPABILITIES
• Create an isolated environment within AWS
• Establish subnets to control who and what can access your resources
• Connect your isolated AWS resources and your IT infrastructure via a VPN connection
• Launch AWS resources within the isolated network
• Use your existing security and networking technologies to examine traffic to/from your isolated resources
• Extend your existing security and management policies within your IT infrastructure to your isolated AWS resources as if they were running within your infrastructure
23. VPC SUPPORTED DEVICES
• Any device that:
– Establishes IKE Security Association using Pre-Shared Keys
– Establishes IPsec Security Associations in Tunnel mode
– Utilizes the AES 128-bit encryption function
– Utilizes the SHA-1 hashing function
– Utilizes Diffie-Hellman Perfect Forward Secrecy in “Group 2” mode
– Establishes Border Gateway Protocol (BGP) peerings
– Binds tunnel to logical interface (route-based VPN)
– Utilizes IPsec Dead Peer Detection
24. AMAZON S3 SECURITY
• Access controls at bucket and object level:
– Read, Write, Full
• Owner has full control
• Customer Encryption
– SSL Supported
• Durability 99.999999999%
• Availability 99.99%
• Versioning (MFA Delete)
• Detailed Access Logging
• Storage Device Decommissioning
– DoD 5220.22-M/NIST 800-88 to destroy data
25. YOUR INPUT IS IMPORTANT …
• Thoughts/questions about our SAS70 Type II Audit?
• Other certifications, compliance requirements or audits to explore?
• What risk & compliance services should AWS consider offering natively?
• How can we further promote AWS security posture?