AWS Webcast - Security Best Practices on AWS
1. Security Best Practices on AWS
Understanding AWS Security, the Shared Responsibility Model, and some security best practices
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
2. Cloud Security is:
3. Every Customer Has Access to the Same Security Capabilities
And gets to choose what's right for their business needs
• Governments
• Financial Sector
• Pharmaceuticals
• Entertainment
• Start-ups
• Social Media
• Home Users
• Retail
4. Visible Cloud Security
This
Or
This?
5. Auditable Cloud Security
7. ISO 27001 Certification
Covers the AWS Information Security Management System
Follows ISO 27002 best practice guidance
Includes all Regions
Certification in the standard requires:
• Systematic evaluation of information security risks
• Evaluate the impact of company threats and vulnerabilities
• Design and implement comprehensive information security controls
• Adopt an overarching management process to ensure that the information security controls meet the information security needs on an ongoing basis
8. Service Organization Controls
American Institute of Certified Public Accountants report
Report | What it contains | Who uses it
SOC 1 | Attests that the AWS internal controls for financial reporting are appropriately designed and the controls are operating effectively | User auditors & users' controller's office. Shared under NDA by AWS.
SOC 2 | Expanded evaluation of controls to include AICPA Trust Services Principles | Management, regulators & others. Shared under NDA by AWS.
SOC 3 | Summary of SOC 2 and provides AICPA SysTrust Security Seal. | Management, regulators & others. Publicly available.
9. PCI DSS Level 1 Service Provider
PCI DSS 2.0 compliant
Covers core infrastructure & services
• EC2, EBS, VPC, ELB, DirectConnect, S3, Glacier, RDS, DynamoDB, SimpleDB, EMR, RedShift, CloudHSM, and IAM
Use services normally, no special configuration
Leverage the work of our QSA
AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA)
• can support forensic investigations
Certified in all regions
10. FedRAMP (FISMA) Moderate
U.S. Civilian Government Agency Specific
FedRAMP Approval To Operate (ATO)
FISMA Moderate (NIST 800-53)
• Much more stringent than other commercial standards
• 205 high-level controls spanning 18 domains
• Access Control, Awareness & Training, Audit & Accountability, Security Assessment & Authorization, Configuration Management, Contingency Planning, ID & Authentication, Incident Response, Maintenance, Media Protection, Physical & Environment Protection, Planning, Personnel Security, Risk Assessment, System & Services Acquisition, System & Communications Protections, System & Information Integrity, Program Management
11. Shared Assessments SIG
Standard Information Gathering ("SIG") Questionnaire shared under NDA
• www.sharedassessments.org
Robust, easy to use set of questions to gather and assess
• Information Technology
• Operating and Security Risks (and corresponding controls)
Based on referenced industry standards
• Including, but not limited to, FFIEC, ISO, COBIT and PCI
Excel format with AWS provided answers
Updated periodically to stay current
12. Additional Initiatives
U.S. Health Insurance Portability and Accountability Act (HIPAA)
• AWS enables covered entities and their business associates subject to the U.S. HIPAA to leverage the secure AWS environment to process, maintain, and store protected health information, and AWS will be signing business associate agreements with such customers.
Cloud Security Alliance (CSA) Questionnaire
• Answers in the Risk and Compliance Whitepaper
Motion Picture Association of America (MPAA)
• Answers in the Risk and Compliance Whitepaper
• Best practices for storing, processing and delivering protected media & content
13. Security & Compliance Control Objectives
Control Objective 1: Security Organization
Control Objective 2: Amazon User Access
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security and Environmental Safeguards
Control Objective 6: Change Management
Control Objective 7: Data Integrity, Availability and Redundancy
Control Objective 8: Incident Handling
14. Security & Compliance Control Objectives
(cont'd)
Control Objective 1: Security Organization
• Who we are
• Proper control & access within the organization
Control Objective 2: Amazon User Access
• How we vet our staff
• Minimization of access
15. Security & Compliance Control Objectives
(cont'd)
Control Objective 3: Logical Security
• Our staff start with no system access
• Need-based access grants
• Rigorous system separation
• System access grants regularly evaluated & automatically revoked
16. Security & Compliance Control Objectives
(cont'd)
Control Objective 4: Secure Data Handling
• Storage media destroyed before being permitted outside our datacenters
• Media destruction consistent with US Dept. of Defense Directive 5220.22
Control Objective 5: Physical Security and Environmental Safeguards
• Keeping our facilities safe
• Maintaining the physical operating parameters of our datacenters
17. Security & Compliance Control Objectives
(cont'd)
Control Objective 6: Change Management
• Continuous operation
Control Objective 7: Data Integrity, Availability and Redundancy
• Ensuring your data remains safe, intact, & available
Control Objective 8: Incident Handling
• Process & procedures for mitigating and managing potential issues
18. Shared Responsibility
AWS:
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure
Customer:
• Choice of Guest OS
• Application Configuration Options
• Account Management Flexibility
• Security Groups
• Network ACLs
• Network Configuration Control
19. You Decide Where Applications and Data Reside
20. Network Security
21. Amazon EC2 Security
Host operating system (AWS controlled)
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
Guest operating system (Customer controlled)
• AWS admins cannot log in
• Customer-generated keypairs
Stateful firewall
• Mandatory inbound firewall, default deny mode
• Customer controls configuration via Security Groups
Signed API calls
• Require customer's secret AWS key
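The last bullet on this slide is the one that protects the API surface: a request is accepted only if it carries an HMAC computed with the customer's secret key, which never leaves the customer. The following Python block is an added example, not code from the webcast or from an AWS SDK. It implements request signing in the style of AWS Signature Version 2 (sorted, percent-encoded query string; HMAC-SHA256; base64) and the service-side verification that rejects a tampered or unsigned request. The access key id, secret key, host, API version string and timestamp are constructed values.

```python
"""Request signing in the style of AWS Signature Version 2 (HMAC-SHA256).

Added example, not code from the webcast or from an AWS SDK. The access key,
secret key, host, API version and timestamp below are constructed values.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Constructed credentials: only the access key id travels with the request;
# the secret is used locally to compute the signature and is never sent.
ACCESS_KEY_ID = "AKIAEXAMPLECONSTRUCTED"
SECRET_KEY = "constructed-secret-key-do-not-use"
HOST = "ec2.amazonaws.com"


def _encode(value):
    # RFC 3986 encoding: only unreserved characters stay unencoded.
    return urllib.parse.quote(value, safe="-_.~")


def canonical_query(params):
    # Signature Version 2: parameters sorted by byte order of their names,
    # name=value pairs joined with '&', both sides percent-encoded.
    return "&".join(f"{_encode(k)}={_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method, host, path, params):
    # Four lines: HTTP verb, lower-cased host, request path, canonical query.
    return "\n".join([method, host.lower(), path, canonical_query(params)])


def sign_request(secret_key, method, host, path, params):
    """Return a copy of params carrying the base64 HMAC-SHA256 Signature."""
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    message = string_to_sign(method, host, path, unsigned).encode()
    mac = hmac.new(secret_key.encode(), message, hashlib.sha256)
    signed = dict(unsigned)
    signed["Signature"] = base64.b64encode(mac.digest()).decode()
    return signed


def verify_request(secret_key, method, host, path, params):
    """Service side: recompute the signature and compare in constant time."""
    presented = params.get("Signature")
    if not presented:
        return False
    expected = sign_request(secret_key, method, host, path, params)["Signature"]
    return hmac.compare_digest(presented, expected)


def build_request(action, timestamp):
    """Unsigned parameter set for one API call (constructed values)."""
    return {
        "Action": action,
        "Version": "2013-10-15",  # API version string, an assumption here
        "AWSAccessKeyId": ACCESS_KEY_ID,
        "SignatureVersion": "2",
        "SignatureMethod": "HmacSHA256",
        "Timestamp": timestamp,  # bounds the replay window on the service side
    }


def demo():
    """Sign a DescribeInstances call, then show that a copy altered after
    signing, a copy checked against another secret, and the unsigned
    original are all rejected."""
    params = build_request("DescribeInstances", "2013-01-01T00:00:00Z")
    signed = sign_request(SECRET_KEY, "GET", HOST, "/", params)

    tampered = dict(signed)
    tampered["Action"] = "DescribeVolumes"  # changed after signing

    return {
        "valid": verify_request(SECRET_KEY, "GET", HOST, "/", signed),
        "tampered": verify_request(SECRET_KEY, "GET", HOST, "/", tampered),
        "wrong_key": verify_request("some-other-secret", "GET", HOST, "/", signed),
        "unsigned": verify_request(SECRET_KEY, "GET", HOST, "/", params),
    }


if __name__ == "__main__":
    print(demo())
```

Because the signature covers every parameter, including the timestamp, an intercepted request cannot be modified or reissued indefinitely, and the comparison uses `hmac.compare_digest` so that verification time does not leak how many signature bytes matched.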
22. [Diagram: Customer 1, Customer 2, …, Customer n guest instances run on the Hypervisor, each attached to virtual interfaces; the Firewall applies the Customer 1, Customer 2, …, Customer n Security groups before traffic reaches the physical interfaces]
23. Tiering Security Groups
24. Tiering Security Groups
Firewall: dynamically created rules based on Security Group membership
Effectively create tiered network architectures
"Web" Security Group: TCP 80 from 0.0.0.0/0; TCP 22 from "Mgmt"
"App" Security Group: TCP 8080 from "Web"; TCP 22 from "Mgmt"
"DB" Security Group: TCP 3306 from "App"; TCP 22 from "Mgmt"
"Mgmt" Security Group: TCP 22 from 163.128.25.32/32
[Diagram: Web Server (HTTP) → firewall → App Server on 8080 → firewall → DB Server on 3306; the Bastion Host reaches the firewall in front of each tier on 22]
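The tiering on this slide can be checked mechanically rather than by eye. The Python model below is an added example (not code from the webcast or from AWS): it encodes the four groups exactly as the slide lists them, with a source that is either a CIDR or a reference to another group, and evaluates under default deny whether a given source can reach a tier and port. It also lists what is reachable from the Internet and traces the management path admin → bastion → database. The source addresses 203.0.113.5 and 10.0.1.5 are constructed.

```python
"""Tiered Security Group model from slide 24, as an added example (not code
from the webcast or from AWS). Group names, ports and CIDRs are the ones on
the slide; the sample source addresses are constructed."""
import ipaddress

# Inbound rules per group: (protocol, port, source). A source is either a CIDR
# or the name of another Security Group, exactly as the slide lists them.
SECURITY_GROUPS = {
    "Web":  [("tcp", 80, "0.0.0.0/0"), ("tcp", 22, "Mgmt")],
    "App":  [("tcp", 8080, "Web"), ("tcp", 22, "Mgmt")],
    "DB":   [("tcp", 3306, "App"), ("tcp", 22, "Mgmt")],
    "Mgmt": [("tcp", 22, "163.128.25.32/32")],
}


def _as_network(source):
    """CIDR sources become ip_network objects; group references return None."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None


def allowed(target_group, protocol, port, source_ip=None, source_groups=()):
    """True if inbound traffic to an instance in target_group is permitted.

    The firewall is default deny: traffic passes only when some rule on the
    target group matches protocol and port and either the source address falls
    in the rule's CIDR or the sending instance belongs to the referenced group.
    """
    for rule_proto, rule_port, rule_source in SECURITY_GROUPS.get(target_group, []):
        if rule_proto != protocol or rule_port != port:
            continue
        network = _as_network(rule_source)
        if network is not None:
            if source_ip is not None and ipaddress.ip_address(source_ip) in network:
                return True
        elif rule_source in source_groups:
            return True
    return False


def internet_exposed():
    """List (group, protocol, port) entries reachable from any address."""
    exposed = []
    for group, rules in SECURITY_GROUPS.items():
        for proto, port, source in rules:
            network = _as_network(source)
            if network is not None and network.prefixlen == 0:
                exposed.append((group, proto, port))
    return exposed


def admin_path_to_db(admin_ip):
    """Trace the management path admin -> bastion (Mgmt) -> DB on port 22.
    Returns the hops that are permitted; an empty list means no access."""
    hops = []
    if allowed("Mgmt", "tcp", 22, source_ip=admin_ip):
        hops.append("admin->bastion:22")
        if allowed("DB", "tcp", 22, source_groups=("Mgmt",)):
            hops.append("bastion->db:22")
    return hops


if __name__ == "__main__":
    print(internet_exposed())                 # only the Web tier on 80
    print(admin_path_to_db("163.128.25.32"))  # both hops
    print(admin_path_to_db("163.128.25.33"))  # nothing: not the admin /32
```

Two properties of the slide's design fall out of the model: the only Internet-reachable service is TCP 80 on the Web tier, and port 22 on the DB tier is reachable only from an instance that is actually in the Mgmt group, not from the admin's address directly, so the bastion host is a mandatory hop.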
25. Amazon VPC Architecture
[Diagram: the customer's isolated AWS resources in Subnets inside the Amazon Web Services cloud, reaching the Internet through NAT; the customer's network connects via its Router either over a secure VPN connection over the Internet or over AWS Direct Connect (dedicated path/bandwidth)]
26. Amazon VPC Network Security Controls
27. VPC - Dedicated Instances
Option to ensure physical hosts are not shared with other
customers
$2/hr flat fee per region + small hourly charge
Can identify specific Instances as dedicated
Optionally configure entire VPC as dedicated
28. AWS Deployment Models
Model | Logical Server and Application Isolation | Granular Information Access Policy | Logical Network Isolation | Physical Server Isolation | Government Only Physical Network and Facility Isolation | ITAR Compliant (US Persons Only) | Sample Workloads
Commercial Cloud | ✓ | ✓ | | | | | Public-facing apps, web sites, dev, test, etc.
Virtual Private Cloud (VPC) | ✓ | ✓ | ✓ | ✓ | | | Datacenter extension, TIC environment, email, FISMA low and Moderate
AWS GovCloud (US) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | US Persons Compliant and Government Specific Apps
29. The Importance of Access Control
One of customers' top considerations when moving to the cloud
CONTROL
Why do we want control?
• Appropriate access to do appropriate actions
• I want to implement security best practices
• I want to be at least as secure as on premise
• I must comply with certain industry specific security regulations
30. AWS Identity and Access Management (IAM)
• Users and Groups within Accounts
• Unique security credentials
  • Access keys
  • AWS Management Console Login/Password
  • Enforce password complexity
  • Optional MFA device
• Policies control access to AWS APIs
• All API calls must be signed by secret key
• Resource level integration into many Services
  • EC2: tags control access to resources
  • S3: policies on objects and buckets
• Not for Operating Systems or Applications
  • Use LDAP, Active Directory/ADFS, etc...
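"Policies control access to AWS APIs" hides an evaluation order that is worth seeing in code: a request is denied by default, any matching Allow statement permits it, and a matching explicit Deny overrides every Allow. The block below is an added example, not AWS's policy engine or code from the webcast; it models Effect, Action and Resource glob matching and a Bool condition on the `aws:MultiFactorAuthPresent` key (a real IAM condition key), which ties this slide to the MFA slides that follow. The policy document, bucket name and request contexts are constructed.

```python
"""IAM-style policy evaluation, as an added example (not AWS's own engine or
code from the webcast). The policy document, the bucket name and the request
contexts are constructed."""
import fnmatch


def _as_list(value):
    # Policy fields such as Action and Resource may be a string or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM treats Action and Resource patterns as case-insensitive globs.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, context):
    """Only the Bool operator is modelled; a missing context key never matches."""
    for operator, checks in condition.items():
        if operator != "Bool":
            raise NotImplementedError(operator)
        for key, expected in checks.items():
            if key not in context:
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' following the IAM evaluation order:
    an explicit Deny always wins, then any Allow, otherwise implicit deny."""
    context = context or {}
    decision = "Deny"  # implicit deny until an Allow is found
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not any(_matches(p, action) for p in _as_list(statement["Action"])):
                continue
            if not any(_matches(p, resource) for p in _as_list(statement["Resource"])):
                continue
            if not _condition_holds(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny: stop immediately
            decision = "Allow"
    return decision


# Constructed policy attached to a group: read-only EC2, full access to one
# bucket, but object deletion is denied unless MFA was used to sign in.
BUCKET = "arn:aws:s3:::example-constructed-bucket"
POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}]


def demo():
    """Evaluate a handful of constructed requests against POLICIES."""
    obj = BUCKET + "/reports/q1.csv"
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    return {
        "describe": evaluate(POLICIES, "ec2:DescribeInstances", "*"),
        "run": evaluate(POLICIES, "ec2:RunInstances", "*"),
        "get": evaluate(POLICIES, "s3:GetObject", obj),
        "delete_no_mfa": evaluate(POLICIES, "s3:DeleteObject", obj, no_mfa),
        "delete_mfa": evaluate(POLICIES, "s3:DeleteObject", obj, mfa),
        "other_bucket": evaluate(POLICIES, "s3:GetObject", "arn:aws:s3:::other/x"),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:14s} {decision}")
```

One caveat the model makes visible: when a request is signed with long-term access keys the `aws:MultiFactorAuthPresent` key is absent from the context, so a plain `Bool` test never matches and the Deny does not apply. Real policies that want "deny unless MFA" therefore use `BoolIfExists` or test for the key's absence, which this simplified evaluator does not implement.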
31. Authentication Methods
CLI
• Access + Secret Keys for REST calls
• SSH Keys for access to EC2 instances
API
• Access + Secret Keys
• Optional multifactor authentication
Web UI
• Username + Password
• Optional multifactor authentication
32. Multi-Factor Authentication (MFA)
Extra level of security
Works with
• AWS root account
• IAM users
Multiple form factors
• Virtual MFA on your phone
• Hardware MFA key fobs
No additional cost!
• Except for the cost of the hardware key fob
33. AWS CloudHSM
Secure Key Storage
• Dedicated access to tamper-resistant HSM appliances (SafeNet® Luna SA)
• Designed to comply with Common Criteria EAL4+ and NIST FIPS 140-2
• You retain full control of your keys and cryptographic operations
Contractual and Regulatory Compliance
• Helps comply with the most stringent regulatory and contractual requirements for key protection.
Reliable and Durable Key Storage
• Available in multiple AZs and Regions
Simple and Secure Connectivity
• Connected to your VPC
• Improved Application Performance between EC2 and HSM
34. Premium Support Trusted Advisor
Security Checks
• Security Group Rules (Hosts & Ports)
• IAM Use
• S3 Policies
Fault Tolerance Checks
• Snapshots
• Multi-AZ
• VPN Tunnel Redundancy
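The first two Security Checks on this slide, Security Group rules and IAM use, can be reproduced in a few lines against the data the account already exposes. The Python block below is an added example, not Trusted Advisor's own logic or code from the webcast: it flags rules that open sensitive ports (or all traffic) to 0.0.0.0/0 or ::/0, and flags an account that has no IAM users, keeps active root access keys, or has no MFA on the root account (the point of the next slide). The Security Group records are constructed in the shape of `DescribeSecurityGroups` output (`IpPermissions`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`), and the group ids and account record are constructed too.

```python
"""Trusted-Advisor-style checks over constructed data. Added example; not
Trusted Advisor's own logic. Security Group records are constructed in the
shape of DescribeSecurityGroups output; the account record is constructed."""

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 1433: "MSSQL", 5432: "PostgreSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample: a well-scoped web group, a group open to the world on
# 22, and a group that allows all traffic (IpProtocol "-1") from any IPv6 host.
SECURITY_GROUPS = [
    {"GroupId": "sg-web0000", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-mgmt0000", "GroupName": "mgmt",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db0000", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Constructed account summary: no IAM users, one root access key, no root MFA.
ACCOUNT = {"IamUsers": [], "RootAccessKeys": 1, "RootMfaEnabled": False}


def _open_sources(permission):
    """Sources of this rule that mean 'anyone on the Internet'."""
    sources = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return [s for s in sources if s in ANYWHERE]


def _exposed_ports(permission):
    """Sensitive ports covered by this rule; '-1' means all protocols/ports."""
    if permission["IpProtocol"] == "-1":
        return sorted(SENSITIVE_PORTS)
    lo, hi = permission["FromPort"], permission["ToPort"]
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def check_security_groups(groups):
    """One finding per (group, sensitive port) reachable from anywhere."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            open_sources = _open_sources(perm)
            if not open_sources:
                continue
            for port in _exposed_ports(perm):
                findings.append({"GroupId": group["GroupId"], "Port": port,
                                 "Service": SENSITIVE_PORTS[port],
                                 "Source": ",".join(open_sources)})
    return findings


def check_iam_use(account):
    """Flag root-credential habits that IAM users and MFA are meant to replace."""
    findings = []
    if not account["IamUsers"]:
        findings.append("no IAM users: daily work is being done as root")
    if account["RootAccessKeys"]:
        findings.append("root account has active access keys")
    if not account["RootMfaEnabled"]:
        findings.append("root account has no MFA device")
    return findings


if __name__ == "__main__":
    for f in check_security_groups(SECURITY_GROUPS):
        print(f"{f['GroupId']}: {f['Service']} ({f['Port']}) open to {f['Source']}")
    for f in check_iam_use(ACCOUNT):
        print("IAM:", f)
```

The web group produces no finding because port 80 to the world is what a public web tier is for; the check is about management and database ports, and about "all traffic" rules, which expand to every sensitive port at once.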
35. Enable Root Account MFA!
If you don't see:
Go to:
http://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-1
36. AWS Security, Compliance, & Architecture Resources
http://aws.amazon.com/security/
• Security whitepaper
• Security best practices
• Security bulletins
• Customer security testing process
http://aws.amazon.com/compliance/
• Risk and compliance whitepaper
http://aws.amazon.com/architecture/
• Reference Architectures
• Whitepapers
• Webinars
http://blogs.aws.amazon.com/security/
• Stay up to date on security and compliance in AWS
Feedback is always welcome!