AWS Security Overview: Certifications, Models, and Processes
1. AWS: Overview of Security Processes
Stephen Schmidt
Chief Information Security Officer
2. AWS Security Model Overview
Certifications & Accreditations
• Sarbanes-Oxley (SOX) compliance
• ISO 27001 Certification
• PCI DSS Level I Certification
• HIPAA compliant architecture
• SAS 70 (SOC 1) Type II Audit
• FISMA Low & Moderate ATOs
• DIACAP MAC III-Sensitive Systems
• Pursuing DIACAP MAC II–Sensitive
Shared Responsibility Model
Customer/SI Partner/ISV controls:
• Guest OS-level security, including patching and maintenance
• Application level security, including password and role based access
• Host-based firewalls, including Intrusion Detection/Prevention
• Separation of Access
Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)
• Management Plane Administrative Access: multi-factor, controlled, need-based access to administrative host
• All access logged, monitored, reviewed
• AWS Administrators DO NOT have logical access inside a customer’s VMs, including applications and data
VM Security
• Multi-factor access to Amazon Account
• Instance Isolation: customer-controlled firewall at the hypervisor level; neighboring instances prevented access
• Virtualized disk management layer ensures only account owners can access storage disks (EBS)
Network Security
• Instance firewalls can be configured in security groups; the traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block)
• Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
• Support for SSL end point encryption for API calls
3. Shared Responsibility Model
AWS:
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure
Customer:
• Operating System
• Application
• Security Groups
• Network ACLs
• Network Configuration
• Account Management
5. AWS Certifications
Sarbanes-Oxley (SOX)
ISO 27001 Certification
Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
SAS 70 (SOC 1) Type II Audit
FISMA A&As
• Multiple NIST Low Approvals to Operate (ATO)
• NIST Moderate, GSA issued ATO
• FedRAMP
DIACAP MAC III Sensitive IATO
Customers have deployed various compliant applications such as HIPAA (healthcare)
6. SOC 1 Type II
Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2
report every six months and maintains a favorable unbiased and unqualified opinion
from its independent auditors. AWS identifies those controls relating to the operational
performance and security to safeguard customer data. The SOC 1 report audit attests
that AWS’ control objectives are appropriately designed and that the individual controls
defined to safeguard customer data are operating effectively. Our commitment to the SOC
1 report is on-going and we plan to continue our process of periodic audits.
The audit for this report is conducted in accordance with the Statement on Standards for
Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance
Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can
meet a broad range of auditing requirements for U.S. and international auditing bodies.
This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70)
Type II report.
This report is available to customers under NDA.
7. SOC 1 Type II – Control Objectives
Control Objective 1: Security Organization
Control Objective 2: Amazon Employee Lifecycle
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security
Control Objective 6: Environmental Safeguards
Control Objective 7: Change Management
Control Objective 8: Data Integrity, Availability and Redundancy
Control Objective 9: Incident Handling
8. ISO 27001
AWS has achieved ISO 27001 certification of our
Information Security Management System (ISMS)
covering AWS infrastructure, data centers in all regions
worldwide, and services including Amazon Elastic
Compute Cloud (Amazon EC2), Amazon Simple Storage
Service (Amazon S3) and Amazon Virtual Private Cloud
(Amazon VPC). We have established a formal program
to maintain the certification.
9. Physical Security
Amazon has been building large-scale data centers for many years
Important attributes:
• Nondescript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
Controlled, need-based access for AWS employees (least privilege)
All access is logged and reviewed
10. AWS Regions
• GovCloud (US ITAR Region)
• US West (Northern California)
• US West (Oregon)
• US East (Northern Virginia)
• South America (Sao Paulo)
• EU (Ireland)
• Asia Pacific (Singapore)
• Asia Pacific (Tokyo)
(The map also shows AWS Edge Locations)
11. AWS Regions and Availability Zones
Customer Decides Where Applications and Data Reside
12. AWS Identity and Access Management
Enables a customer to create multiple Users and manage the permissions for each of these Users.
Secure by default; new Users have no access to AWS until permissions are explicitly granted.
AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead, all interactions with AWS Services and resources should be with AWS IAM User security credentials.
Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
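A small model of the default-deny behaviour described on this slide (an added example, not AWS code): a User with no policy attached can do nothing, an Allow statement grants a permission, and an explicit Deny overrides any Allow, which is the published IAM evaluation order. The user names, policy statements and bucket ARNs are constructed.

```python
"""Default-deny permission model for IAM Users. Added example, not AWS code;
users, policies and ARNs below are constructed, and the evaluation order
(explicit Deny beats Allow, otherwise default deny) follows IAM's documented logic."""
from fnmatch import fnmatchcase

# Constructed policies attached to IAM Users. "bob" is a newly created User
# with no policy yet, which is the "secure by default" case on the slide.
POLICIES = {
    "alice": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::example-bucket/secrets/*"]},
    ],
    "bob": [],
}

def _matches(patterns, value):
    # IAM-style wildcards: "*" matches any run of characters, "?" a single one.
    return any(fnmatchcase(value, pattern) for pattern in patterns)

def is_allowed(user, action, resource):
    """True only if a statement allows the call and no statement denies it."""
    allowed = False
    for stmt in POLICIES.get(user, []):   # unknown user: no statements, so denied
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False                  # an explicit Deny always wins
        allowed = True
    return allowed                        # no matching Allow means default deny
```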
14. AWS MFA Benefits
Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
Requires a device in your physical possession to gain access
to secure pages on the AWS Portal or to gain access to the
AWS Management Console
Adds an extra layer of protection to sensitive information,
such as your AWS access identifiers
Extends protection to your AWS resources such as Amazon
EC2 instances and Amazon S3 data
15. Amazon EC2 Security
Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
Guest operating system
• Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs
Firewall
• Mandatory inbound instance firewall, default deny mode
• Outbound instance firewall available in VPC
• VPC subnet ACLs
Signed API calls
• Require X.509 certificate or customer’s secret AWS key
16. Amazon EC2 Instance Isolation
(Diagram, top to bottom: Customer 1, Customer 2 … Customer n instances; Hypervisor; Virtual Interfaces; per-customer Security Groups; Firewall; Physical Interfaces)
17. Virtual Memory & Local Disk
(Diagram: Amazon EC2 Instances with an encrypted file system and an encrypted swap file)
• Proprietary Amazon disk management prevents one Instance from
reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an
added layer of security
18. Network Security Considerations
DDoS (Distributed Denial of Service):
• Standard mitigation techniques in effect
MITM (Man in the Middle):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot
IP Spoofing:
• Prohibited at host OS level
Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Ineffective anyway since inbound ports are blocked by default
Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level
19. Amazon Virtual Private Cloud (VPC)
• Create a logically isolated environment in Amazon’s highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
• Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
• Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
• Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect
• Use a wizard to easily create your VPC in 4 different topologies
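The slide's distinction between stateless Network ACLs and stateful Security Groups is easy to get wrong in practice, so here is an added example (not AWS code) that simulates both filters over one HTTPS connection: the Security Group accepts the reply traffic implicitly, while the Network ACL needs an explicit outbound rule for the client's ephemeral port or it drops the reply. The rule tuples and the sample connection are constructed.

```python
"""Stateful Security Groups versus stateless Network ACLs, as contrasted on
the VPC slide. Added example, not AWS code: the rule tuples and the sample
HTTPS connection are constructed for illustration."""
import ipaddress

# Security Group inbound rules: (protocol, first_port, last_port, source_cidr).
# Stateful: once a connection's first inbound packet is accepted, its replies pass.
SG_INBOUND = [("tcp", 443, 443, "0.0.0.0/0")]

# Network ACL rules: (rule_number, action, protocol, first_port, last_port, cidr).
# Stateless: every packet is checked on its own against the rules for its
# direction, lowest rule number first; no match means deny.
NACL_INBOUND = [(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUTBOUND_OK = [(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]  # ephemeral replies

def _hits(proto, lo, hi, cidr, pkt):
    # "port" is the packet's destination port: the instance's service port for
    # inbound packets, the peer's (ephemeral) port for outbound ones.
    return (proto == pkt["proto"] and lo <= pkt["port"] <= hi
            and ipaddress.ip_address(pkt["peer"]) in ipaddress.ip_network(cidr))

def security_group_verdicts(conn):
    """Stateful: decided once on the first packet, inherited by the rest."""
    first = conn[0]
    if first["dir"] == "in":
        accepted = any(_hits(*rule, first) for rule in SG_INBOUND)
    else:
        accepted = True  # default security group allows all outbound connections
    return [accepted] * len(conn)

def nacl_verdicts(conn, inbound, outbound):
    """Stateless: each packet judged alone, so a reply needs its own outbound rule."""
    verdicts = []
    for pkt in conn:
        rules = inbound if pkt["dir"] == "in" else outbound
        verdict = False  # implicit deny when no rule matches
        for _num, action, proto, lo, hi, cidr in sorted(rules):
            if _hits(proto, lo, hi, cidr, pkt):
                verdict = action == "allow"
                break
        verdicts.append(verdict)
    return verdicts

# Constructed HTTPS connection from a client at 203.0.113.7: request arrives on 443,
# the reply leaves towards the client's ephemeral port.
HTTPS_FROM_CLIENT = [
    {"dir": "in", "proto": "tcp", "port": 443, "peer": "203.0.113.7"},
    {"dir": "out", "proto": "tcp", "port": 51234, "peer": "203.0.113.7"},
]
```

Passing an empty list as the outbound NACL rules shows the failure mode: the request is accepted but the reply is dropped.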
20. Amazon VPC Architecture
(Diagram: the customer’s isolated AWS resources in subnets inside the Amazon Web Services Cloud, reached through a NAT/Internet router; a VPN Gateway carrying a secure VPN connection over the Internet to the customer’s network; and AWS Direct Connect providing a dedicated path/bandwidth)
22. Amazon VPC - Dedicated Instances
New option to ensure physical hosts are not shared with other customers
$10/hr flat fee per Region + small hourly charge
Can identify specific Instances as dedicated
Optionally configure entire VPC as dedicated
23. AWS Deployment Models
Attributes compared for each model: Logical Server and Application Isolation; Granular Information Access Policy; Logical Network Isolation; Physical server Isolation; Physical Network and Facility Isolation; Government Only; ITAR Compliant (US Persons Only); Sample Workloads
• Commercial Cloud – Sample workloads: public facing apps, web sites, dev test etc.
• Virtual Private Cloud (VPC) – Sample workloads: data center extension, TIC environment, email, FISMA low and Moderate
• AWS GovCloud (US) – Sample workloads: US Persons Compliant and Government Specific Apps.