Clouds are finding increased use in core enterprise systems, which means auditing is a cornerstone expectation. Cloud vendors announce new cloud services, offer new security solutions and refer to the global security standards, whose requirements look quite similar to one another. This is a series of articles about AWS Cloud Security from the point of view of compliance: it highlights the technical requirements of the top worldwide and Russian security standards for key AWS services, and describes how to technically prepare for an audit and configure AWS services.
http://pentestmag.com/pentest-webapp-1212/
AWS Cloud Security From the Point of View of the Compliance
Cloud Computing has been one of the top security topics for the last several years, for enterprise IT departments as well as other businesses. Cloud Computing offers unlimited storage and other resources with flexibility. The basic idea of the cloud is centralized IT services, with on-demand services, network access, rapid elasticity, scalability and resource pooling. There are three known models: SaaS, PaaS and IaaS. Each of them can be deployed as a Private Cloud, Community Cloud, Public Cloud, or Hybrid Cloud. Some security questions about clouds are: how is it implemented, how are data and communication channels secured, how secure are the cloud and application environments, etc. The cloud simply uses well-known protocols like SMTP, HTTP, SSL and TCP/IP to communicate, send email, handle files and so on. Methods that are compliant with the relevant RFC should indicate that they are OK. Standards like the ISO 27001 series still provide a measure of information security, but only as a minimum set of controls. Third-party organizations like the Cloud Security Alliance (CSA) promote their best practices for cloud security and keep a registry of cloud vendors' security controls to help users make the right choice.

Cloud security vendors claim that end-user companies sometimes prefer cost reduction over increased security, to reduce the operational complexity of their cloud. This eventually ends with a lower level of cloud security that the end user will accept. For example, as VM instances are often visible, you should configure the server or firewall "somehow" to protect this flow. Another example says that the term "physical security" no longer exists since the cloud has come. Nevertheless, it was the same when the hosting service arrived. Even the new technology is only another way to perform well-known actions; a customer who makes improvements beyond the by-default configuration to face cyber-attacks will eventually succeed. Phishing or SQL injection is not a real concern, because they have existed for a long time and patches have been made available. If the virtual OS is a Windows Server or an Ubuntu server, then the OS has the same security and patch management state as a desktop/server OS. The virtual server can easily be updated and patched, or even reconfigured. This is acceptable, except in the situation where the cloud vendor notifies you that a patch or update cannot be applied. In addition, it is a matter of trust, just as when you download software or buy it on disk. Eventually, they offer a solution, e.g. buy and sell a suitable security solution (a third-party solution should be more trustworthy than the cloud vendor, oh really?),
10/2012(10) Page 50 http://pentestmag.com
note that logs should be analyzed from time to time, that you should use an IDS, and find popular software to protect network ports, but such software often cannot be applied to this case. Some believe that if a classic network object like a server is physically near the company then it is more secure than a virtual one, but this is not true. A significant example is to think about the cloud like a home/work PC connected to the Internet directly or via a router. When you need to protect this PC you do not talk about why the DNS gateways are public, whether they are trusted and so on. You can keep your hosts file as a DNS; several clouds provide the end user with the same feature, not through the host but through their own DNS routing service.
General Cloud and Security Points
Security in the cloud is just like traditional security: network security, authentication, authorization, auditing, and identity management. This is nothing new or revolutionary.
There are several points about security that are often discussed:
• Perimeter network role and location:
  • Location (city/country): where is the data located/stored in the cloud?
  • What is the compliance with standards and country regulations?
  • What type of firewall (guest, mandatory, VPN, other) is used?
• Identity and Access Management:
  • What are the authentication/authorization and role-based access control mechanisms?
  • What privileged users, or user access for the cloud services, exist?
  • Are there different access types per user, application and role?
• Data Privacy:
  • How is data separated from other cloud users?
  • What type of encryption is used?
• Logging and Auditing
• Endpoint protection and client security
• Misuse as shown at the BlackHat Conference, like breaking into a Wi-Fi network or password brute-forcing
Virtualization refers primarily to the hypervisor, while a virtual machine works with a configured snapshot of an OS image and usually includes virtual disk storage. As all virtual machines require memory, storage, or network, a
hypervisor supports these virtual machines and presents the hardware pool that it can work with. Hypervisors isolate the memory and computing resources and allow performing actions without affecting other instances. There are security issues when you are using virtualization in the cloud, no doubt. Each OS running in a virtual environment should be patched and monitored like any non-virtual OS. You may use a gateway device that provides the applicable security configuration to the devices connected to it. You still have to use host-based firewalls and IDS to capture, stop and filter non-allowed activity from applications and network attacks, to disable or enable communication with other virtual machines, or to extend the logging system.

Like a classic datacentre, where you have to maintain stability and security by constant monitoring, alerting and reporting about what the customers are doing with the resources, what geographic locations they are coming from, and how many users connect at certain times of the day, the cloud infrastructure should also report misuse or other out-of-policy activity taking place. Auditing needs to log and report on all activities taking place in the cloud (elastic computing, storage, VPN, etc.). It really simplifies the increasing complexity of the clouds. Sometimes a security design failure, such as a single poorly secured service that can easily be compromised, leads to the risk of valuable data being stolen, or of services being made unavailable by DDoS or other interruptions.

The access solution known as IAM is an important method to authenticate connections and authorize access to the cloud resources. Your IT policy should take into account the broad range of access rights, because it often divides access into all, owner only, and somewhere in between. Not all clients should have the right to access all data, but staff rights need to be set up so that everyone who is responsible is approved, similar to role-based access in traditional offices, where the end users can have access to the services, and sometimes the controls, while administrators have access to the controls and manage the functionality and performance of the workloads.

In the cloud, you will need to think about how you handle inbound connections to the resources required by any services, hosting, and client devices, and how they will connect. DMZ and firewalls are a good solution, but they belong to different security zones to prevent access to the whole cloud services by attacking a gateway. The common network IDS does not necessarily work as well here; it might not work even as it does on a classic network. But it may work to monitor suspicious traffic between virtual machines if the IDS allows the network gate or traffic to be moved through a VPN to/from your corporate network where the IDS exists. Another point is performance, which may lead to resource allocation problems and open the service to DoS/DDoS attacks. Another filtering method for limiting traffic is firewalling by physical location, which isolates different security zones. Network traffic between virtual machines should be encrypted to protect data while in transit.

Of course, as the hypervisor has access to all guest OSs, if it is compromised itself it will have a broad impact on network isolation, but the probability of that is low since all hypervisors are very custom. The cloud infrastructure administrator will need to depend on new tools that are cloud-aware, and these may not be defined by the current IT department.

Another security issue deals with the (de-)allocation of resources. If data was written to the storage and not wiped before reallocation, or the instance crashed before reallocation, then there is a data leakage problem on the HDD. It means the IT department cannot rely on the reallocation feature and needs to perform clean operations itself instead of relying on the cloud service. It may need special DoD wiping tools to run manually, or running processes until the OS fires them off (terminates). This may increase operational expenses. In other words, no sensitive information should be stored in plain text. Using whole-volume encryption will protect the physical storage, prevent access to a virtual environment, and finally reduce the risk of exposure. Also, applications may encrypt data in storage, data in RAM, and data during processing to make it more difficult for someone to gain access to it.

Security Overview: Windows Azure vs. Amazon Web Services
These two platforms differ by the decision made by each vendor's vision of how the end users should access their cloud services. Windows Azure makes data spreading its cornerstone, via neither storage nor web server. AWS makes many services more accessible that are important when merging into the cloud. These different goals have a huge influence not only on the IT policy, but also on the API. Both AWS and Azure services were built
in accordance with security best practices, and the security features are well documented to make it clear how to use them to design strong protection. Below I examine the security features offered by each vendor.

Compliance
Azure
Microsoft complies with the data protection and privacy laws, but only customers are responsible for determining whether Windows Azure complies with their country's laws and regulations. For example, the ISO certification for Azure covers cloud services (web and VM), storage, and networking.

AWS
AWS offers compliance with FISMA to allow government and federal agencies to implement AWS solutions and security configurations in their security systems. In addition, VPC (Virtual Private Cloud), GovCloud and the SSL mechanism support FIPS 140-2. AWS has validated its physical infrastructure and services such as EC2, S3, EBS, VPC, RDS, and IAM with PCI DSS Level 1, which allows end customers to store, process and transmit credit card information with proper security. EC2, S3, and VPC as well as the AWS datacentres are covered by the global security standard ISO 27001 too.

Physical Security
Azure
Azure is designed to be available 24 x 7; its datacentres are managed, monitored and administered by Microsoft and, of course, are compliant with applicable industry standards for physical security. Azure staff are limited in the number of operations they can perform, and must regularly change access passwords (if performed by administrators). All administrative actions are audited to determine the history of changes. Finally, you can know which services are affected through the Health Dashboard (https://www.windowsazure.com/ru-ru/support/service-dashboard/).

AWS
AWS datacentres are located throughout the world (US, EU, and Asia) and are available 24 x 7 x 365. The actual location is known only by those that have a legitimate business need. Amazon datacentres are secured to prevent unauthorized access; access tickets are immediately destroyed when someone leaves the company or when they continue to be an Amazon employee but are promoted to another position.

A standard employee, or a third-party contractor, each has a minimum set of privileges and can be disabled by the hiring manager. All types of access to any resources are logged, as well as changes to them; access must be explicitly approved in Amazon's proprietary permission management system. Any change leads to revocation of previous access, because approval is explicit per type of access to the resource. Every access grant is also revoked 90 days after it was approved. Access to services, resources and devices relies on user IDs, passwords and Kerberos. In addition, Amazon mentions expiration intervals for passwords.

"Physical access is logged and audited and is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means". Staff use two-factor authentication, while third-party contractors escorted by authorized staff have to present signed IDs.

Also, Amazon describes important things like fire detection, power and climate control, mentioning UPS to keep services functional 24 hours per day, while Microsoft just states that it does. Finally, you can know which services are affected through the AWS Service Health Dashboard (http://status.aws.amazon.com/).

Data Privacy
Azure
Azure runs in multiple datacentres around the world and offers the customer the ability to deploy redundancy and backup features.

AWS
AWS offers data encryption, backup and redundancy features. For example, services that store data in S3 and EBS use redundancy in different physical locations but inside one "Availability Zone", unless you set up backup services to duplicate data. EBS works this way (not across multiple zones), while S3 provides durability across multiple Availability Zones. To extend and fix EBS redundancy, users are able to back up AMI images stored on EBS to S3. Object deletion executes an un-mapping process to prevent remote access. When a storage device has reached the end of its useful life, AWS initiates destruction procedures according to DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"). AWS allows encryption of sensitive data and performing actions before uploading it to S3; additionally, nothing prevents the use of your own or commercial encryption tools.

Table 1. Cloud security features

Type              | Feature                                      | AWS | Azure
Compliance        | ISO 27001                                    | +   | +
Compliance        | PCI DSS                                      | +   | N/A
Compliance        | FISMA                                        | +   | N/A
Compliance        | NIST                                         | +   | N/A
Compliance        | CSA                                          | +   | N/A
Compliance        | FIPS 140-2                                   | +   | N/A
Compliance        | HIPAA                                        | +   | +
Physical Security | Actions & events logging                     | +   | +
Physical Security | Logs audit                                   | +   | +
Physical Security | Minimum access rights                        | +   | +
Physical Security | Auto revocation of access after N days       | +   | N/A
Physical Security | Auto revocation of access after role change  | +   | N/A
Physical Security | Two-factor authentication                    | +   | N/A
Physical Security | Escort                                       | +   | N/A
Data Privacy      | Backup                                       | +   | +
Data Privacy      | Redundancy inside one GeoLocation            | +   | N/A
Data Privacy      | Redundancy across several GeoLocations       | +   | +
Data Privacy      | Encryption                                   | +   | N/A
Data Privacy      | DoD/NIST Destruction                         | +   | N/A
Network Security  | MITM Protection                              | +   | +
Network Security  | DDoS Protection                              | +   | N/A
Network Security  | Host-Based Firewall (IP, port, MAC)          | +   | +
Network Security  | Mandatory Firewall                           | +   | +
Network Security  | Extended Firewall (Geo, date and time)       | +   | N/A
Network Security  | Hypervisor protection from promiscuous mode  | +   | +
Network Security  | Pentesting offer                             | +   | +
Credentials       | Login and Passwords                          | +   | +
Credentials       | SSL                                          | +   | +
Credentials       | Cross-account IAM                            | +   | N/A
Credentials       | MFA hardware                                 | +   | N/A
Credentials       | MFA software                                 | +   | N/A
Credentials       | Key rotation                                 | +   | N/A

Network Security
Azure
Microsoft uses a variety of technologies to keep customers away from unauthorized traffic, through firewalls, NAT boxes (load balancers), and filtering routers. Azure relies on 128-bit TLS protection for communications inside datacentres and between end users and customer VMs. Filtering routers reject all non-allowed attempts, i.e. addresses and ports, which prevents attacks that use "drones" or "zombies" searching for vulnerable servers, the most popular way to break into a network.

Filtering routers also support configuring back-end services to be accessible only from their corresponding front ends. Firewalls restrict incoming and outgoing communication to known IP addresses, ports and protocols. Microsoft offers authorized penetration testing for customers' applications hosted in Windows Azure if requests for it are submitted at least 7 days beforehand.

AWS
AWS enforces MITM protection by SSL-protected endpoints; for example, EC2 generates new SSH host certificates on first boot and logs them to the instance's console. EC2 instances are designed to be non-spoofable by a host-based firewall that restricts traffic with a source IP or MAC address other than their own and blocks non-allowed traffic (by IP, port, geo location, date and time and more). Even if an instance runs in promiscuous mode, the hypervisor will not deliver to it any traffic not addressed to it; this relies on explicit restrictions that protect against traffic capture on the same physical host, in both EC2 and VPC. Unauthorized port scans are a violation of the AWS Acceptable Use Policy; however, customers are permitted to pentest their own AWS services, which should be agreed with AWS support by IP, port, date and time, login and contact before pentesting. Violations may lead to revocation of AWS accounts after investigation by Amazon. Moreover, if illegal activity occurs, AWS customers should inform AWS about it. In addition, AWS has a proprietary DDoS mitigation technique but does not describe any key features of it.

Credentials
Azure
Azure provides virtual machines to customers, giving them access to most of the same security options available in Windows Server. Customers use SSL client certificates to control updates to their software and configuration. Basic credentials like username and password are common within Azure resources.

AWS
IAM enables managing multiple users, their permissions, passwords and password policy under one AWS account or among several AWS accounts, with unique security credentials. New IAM users, as well as the entire IAM and EC2, have no access ("deny" access type) to any resources by default and deal with explicitly granted permissions only. AWS Multi-Factor Authentication is an additional security layer on top of the basic credentials, provided by a six-digit single-use code. This code is usually generated by an authentication device or a similar application like Google Authenticator. It works very well for the AWS account or user accounts within IAM. AWS offers key and certificate rotation on a regular basis to mitigate the risk from lost or compromised access keys or certificates. It is available for the AWS account or user accounts within IAM too (Table 1).

How AWS Services Are Secured
Access and Credentials
Access to applications and services within the AWS cloud is protected in multiple ways and requires special credentials:

• Access Credentials:
  • Access Keys to manage REST or Query protocol requests to any AWS service API, and S3. The possible states:
    • Active – Can be used.
    • Inactive – Cannot be used, but can be moved back to the Active state.
    • Deleted – Can never be used again.
  • X.509 Certificates to manage SOAP protocol requests to AWS service APIs, except S3
  • Key Pairs to manage CloudFront

Figure 1. AWS Access Credentials I
Figure 2. AWS Access Credentials II
• Sign-In Credentials:
  • E-mail Address and Password to sign in to AWS web sites, the AWS Management Console, the AWS Discussion Forums, and the AWS Premium Support site,
  • AWS Multi-Factor Authentication Device as an optional credential that increases the security level for managing the AWS web site and the AWS Management Console.
• Account Identifiers:
  • AWS Account ID to manage all AWS service resources except Amazon S3; it looks like 8xxx-xxxx-xxx8
  • Canonical User ID to manage Amazon S3 resources such as buckets or files only; it is a 64-byte string that looks like "7xbxxxxxxcdxcxbbxcxxxxxe08xxxxx44xxxaaxdx0xxbxxxxxeaxed8xxxbxd4x"

The purpose of the access keys is the management of requests to the AWS product REST and Query APIs, or to a third-party product, with an Access Key ID; the Access Key ID is not a secret. EC2 is able to use access keys, usually known as an SSH key pair and/or X.509 certificates, to interact with the services. The secret/private part of the access key is used to retrieve an administrator password and for the REST and Query APIs, while the X.509 certificate is used with command line operations and SOAP APIs, except for S3, which is managed with access keys. When AWS receives a request, the Access Key ID is checked against its own Secret Access Key to validate the signature and confirm that the request sender is legitimate. Key rotation is manual at the moment and looks like:

• Make a second active credential.
• Update applications and services with the new credential.
• Move the first credential to Inactive.
• Check that working with the new credential is OK.
• Delete the first credential.

To add an extra layer of security, use the AWS MFA feature, which provides a six-digit, single-use code in addition to the email and password. All details, activation of hardware or software MFA and more are at http://aws.amazon.com/mfa (Figure 1 and Figure 2, Table 2).

Additionally, AWS offers so-called Identity and Access Management, which easily integrates with almost all AWS services, e.g. EC2, S3 and more. IAM provides the following:

• Create users and groups under your organization's AWS account
• Easily share your AWS account resources between the users in the account
• Assign unique security credentials to each user
• Granular control of each user's access to services and resources
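The access key states, the server-side signature check and the five rotation steps described above, modelled in Python as an added example (not AWS or the author's code): the Access Key ID travels in the clear, the secret signs an S3 Signature Version 2 style StringToSign with HMAC-SHA1, and the verifier honours Active keys only. Key values, the resource path and the date are constructed.

```python
"""Access-key lifecycle and request-signature check, modelled on the
description above. Constructed example, not AWS code: key material, the
resource path and the date are made up."""
import base64
import hashlib
import hmac
import secrets

ACTIVE, INACTIVE, DELETED = "Active", "Inactive", "Deleted"


def string_to_sign(method, resource, date, content_md5="", content_type=""):
    """Canonical request in the S3 Signature Version 2 layout."""
    return "\n".join([method, content_md5, content_type, date, resource])


def sign(secret, sts):
    """Signature = Base64(HMAC-SHA1(SecretAccessKey, StringToSign))."""
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def authorization_header(key_id, secret, sts):
    """Only the Access Key ID travels in the clear; the secret never leaves the client."""
    return f"AWS {key_id}:{sign(secret, sts)}"


class AccessKeyStore:
    """Access keys of one IAM user, keyed by Access Key ID, with the three states."""

    def __init__(self):
        self.keys = {}  # access_key_id -> {"secret": ..., "state": ...}

    def create(self):
        """A new credential starts Active (rotation step 1)."""
        key_id = "AKIA" + secrets.token_hex(8).upper()   # constructed ID format
        secret = base64.b64encode(secrets.token_bytes(30)).decode()
        self.keys[key_id] = {"secret": secret, "state": ACTIVE}
        return key_id, secret

    def set_state(self, key_id, state):
        key = self.keys[key_id]
        if key["state"] == DELETED:
            raise ValueError("a Deleted key can never be used again")
        if state == DELETED and key["state"] != INACTIVE:
            # Enforce the documented order: deactivate, check, then delete.
            raise ValueError("move the key to Inactive and check before deleting")
        key["state"] = state

    def active_ids(self):
        return [k for k, v in self.keys.items() if v["state"] == ACTIVE]

    def verify(self, key_id, sts, signature):
        """Server side: find the key ID's own secret, recompute, compare."""
        key = self.keys.get(key_id)
        if key is None or key["state"] != ACTIVE:
            return False  # unknown, Inactive and Deleted keys all fail closed
        return hmac.compare_digest(sign(key["secret"], sts), signature)


def rotate(store, old_id, app_config):
    """The five manual rotation steps, with a roll-back if step 4 fails.
    app_config stands in for the applications that hold the credential."""
    new_id, new_secret = store.create()                       # 1. second Active credential
    app_config["key_id"], app_config["secret"] = new_id, new_secret  # 2. update apps
    store.set_state(old_id, INACTIVE)                         # 3. first credential Inactive
    probe = string_to_sign("GET", "/audit-bucket/", "Tue, 27 Mar 2012 19:36:42 +0000")
    if not store.verify(app_config["key_id"], probe, sign(app_config["secret"], probe)):
        store.set_state(old_id, ACTIVE)                       # 4. check failed: roll back
        raise RuntimeError("new credential rejected; old key re-activated")
    store.set_state(old_id, DELETED)                          # 5. delete the first credential
    return new_id
```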
Table 2. Resource credentials

Resource                                                         | Access type
REST or Query API request to an AWS service, S3                  | Access Keys
SOAP API request to an AWS service                               | X.509 Certificates (except for Amazon S3)
Access to the secure pages or AWS Management Console             | Amazon E-mail Address and Password with optional AWS Multi-Factor Authentication
Manage EC2 with command line tools                               | Your X.509 Certificates
Launch or connect to an EC2 instance                             | Your Amazon EC2 Key Pairs
Bundle an Amazon EC2 AMI                                         | For Linux/UNIX AMIs: your X.509 Certificates and AWS Account ID to bundle the AMI, and your Access Keys to upload it to Amazon S3. For Windows AMIs: your Access Keys for both bundling and uploading the AMI.
Share an EC2 AMI or EBS snapshot                                 | The AWS Account ID of the account you want to share with (without the hyphens)
Send email by using the Amazon SES SMTP endpoint                 | Your Amazon SES SMTP user name and password
Access to the AWS Discussion Forums or AWS Premium Support site  | Your Amazon E-mail Address and Password
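As an added illustration of the six-digit, single-use MFA code referenced in Table 2 and in the text above (not AWS code; AWS does not publish its device internals): the HOTP/TOTP algorithms (RFC 4226 and RFC 6238) that Google Authenticator implements, plus a verifier that tolerates one step of clock skew and refuses to accept the same code twice. The secret is the RFC test secret, not a real device seed.

```python
"""Six-digit time-based one-time code (HOTP per RFC 4226, driven by a
30-second counter per RFC 6238) and a single-use verifier. Added example,
not AWS code; the secret below is the RFC test vector secret."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int = None, step: int = 30, digits: int = 6) -> str:
    """Code for the 30-second window containing the Unix time `now`."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step, digits)


class MfaVerifier:
    """Server-side check of a submitted code against the device secret.
    Accepts the current window and one window either side (clock skew), but
    never a counter at or below the last accepted one: single-use."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step = secret, step
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in (current - 1, current, current + 1):
            if counter <= self.last_counter:
                continue  # already consumed, or older than a consumed code
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False
```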
Virtual Instances (Amazon Elastic Compute Cloud)
EC2 is a web service that provides resizable compute capacity in the cloud, allows paying for used capacity only, and supports OSs like Windows Server, RedHat, OpenSuSE Linux, and more. EC2 allows setting up everything according to the OS. Moreover, you are able to export preconfigured OSs from VMware, through the AWS console commands, the AWS API, or a special VMware Connector. It helps to meet the configuration management or compliance requirements. VM Import/Export is available for use in all Amazon EC2 regions and even with VPC.

The final goal is protection from interception and unauthorized actions, and EC2 security is designed to protect against several attack vectors:

• Host OS protection usually includes event logging, multi-factor authentication and regular access revocation (this case is talking about AWS, which manages the host OS set).
• Guest OS protection usually includes the native firewall (Windows Firewall, IPTables, etc.), basic credentials such as login/email and password, as well as extended multi-factor authentication based on SSH Version 2 access, with EC2 keys that should be unique per virtual instance.
• Firewall protection includes a mandatory inbound firewall pre-configured in a default deny-all mode that allows the following restrictions:
  • by protocol
  • by service port
  • by source IP address
• This firewall cannot be controlled through the Guest OS without the X.509 certificate and key to authorize changes. Additionally, customers may use the guest OS firewall to filter inbound and outbound traffic.
Table 3. Requirements of the Russian Federal Law about Personal Data

Category             | Requirement                                                                                                    | AWS Solution
Access management    | Users require an alphanumeric password at least six characters long and a special code in addition.           | Native AWS solution implemented in IAM, with MFA in addition
Access management    | All devices (incl. external), instances and network nodes require identification by logical name               | Canonical name developed for users and resources and enabled mainly through IAM; EC2 identifies by tags
Access event logging | Login and logout events; date and time of login and logout events; credentials used to log in                  | Not yet released for IAM; comes from the EC2 OS solution (Windows, *nix)
Access event logging | File access events; date and time of file access events; user ID/equivalent used to access the file            | Not yet released for IAM; comes from the EC2 OS solution (Windows, *nix). Native solution implemented in S3 that provides the canonical user ID and IP address that accessed the file, date and time, and more
Access event logging | Allocated drive wiping                                                                                         | Native AWS solution on un-mapping, termination, etc.
Integrity            | Physical security, access control management, restriction of employees or third-party contractors              | AWS solution described above under physical security, and compliance on physical security
Integrity            | Backup and restore for protection                                                                              | Depends on the design; generally an AMI image stored on EBS and backed up into S3
Additional           | Network packet filtering by date and time; by IP address; by protocol                                          | Native solution implemented in the EC2 mandatory firewall that includes IP, port and protocol; additional solutions of the EC2 OS (Windows and *nix); additional IAM solution for the resources enabled for geo filtering and date and time filtering
• API calls signed by X.509 certificates are a kind of protection that helps Xen keep the different instances isolated from each other.

Moreover, EC2 is designed to prevent mass spam distribution by limiting email sending. Any wishes about mass email are available through a request by URL (https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request).

The main concept of cloud security is visibility by guest OS firewall, mandatory firewall and geo availability (Regions and Availability Zones), because each such zone is managed with physically independent infrastructure. Different areas of the world, i.e. USA or EU, are known as regions, inside of which there are several physically independent zones. Each zone is isolated from failures in the others; some AWS services are allowed to move data between zones to keep away from failure, some are not, but moving across regions is manual only.

Virtual Storage (Amazon Simple Storage Service and Elastic Block Store volume)
S3 is simple storage for the Internet with several interfaces (for example, web service and API calls) to store and retrieve data from anywhere. EBS provides so-called block-level storage; in other words, it is equivalent to physical and logical hard disks. Multiple volumes can be attached to an instance, while the same volume cannot
Table 4. Requirements of the CSA CAI Questionnaire

Category             | Requirement                                                                                                                                                                                                                                                                                                               | AWS Solution
Data Governance      | Do you provide a capability to identify virtual machines via policy tags/metadata (ex. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)? Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (ex. TXT/TPM, VN-Tag, etc.)? | AWS provides the ability to tag EC2 resources. A form of metadata, EC2 tags can be used to create user-friendly names
Data Governance      | Do you have a capability to use system geographic location as an authentication factor?                                                                                                                                                                                                                                   | Native solution implemented in the EC2 mandatory firewall that includes IP, port and protocol; additional solutions of the EC2 OS (Windows and *nix); additional IAM solution for the resources enabled for geo filtering and date and time filtering
Data Governance      | Can you provide the physical location/geography of storage of a tenant's data upon request? Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?                                                                                                                   | AWS currently offers six regions in which customer data and servers will be located, designated by customers: US East (Northern Virginia), US West (Northern California and Oregon), GovCloud (US) (Oregon), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore) and Asia Pacific (Tokyo)
Data Governance      | Do you support secure deletion (ex. degaussing / cryptographic wiping) of archived data as determined by the tenant?                                                                                                                                                                                                      | Native AWS solution on un-mapping, termination, etc., as well as DoD 5220.22-M / NIST 800-88 to destroy data, discussed above
Facility Security    | Are physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) implemented?                                                                                                                                | Physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means; compliance with AWS SOC 1 Type 2 and the ISO 27001 standard, Annex A, domain 9.1
Information Security | Do you encrypt tenant data at rest (on disk/storage) within your environment? Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?                                                                                                  | Encryption mechanisms for almost all of the services, including S3, EBS, SimpleDB and EC2 and VPC sessions, as well as Amazon S3 Server Side Encryption
be attached to a different instance. EBS provides a backup feature through S3. S3 is "unlimited" storage, while customers size EBS. S3 APIs provide both bucket- and object-level access controls, with defaults that only permit authenticated access by the bucket and/or object creator. As opposed to EC2, where all activity is restricted by default, S3 starts open for all access under the current AWS account only, which means all buckets and other folders and files should be controlled by IAM and the canonical user ID, which finally authenticates with an HMAC-SHA1 signature of the request using the user's private key. S3 provides Read, List and Write permissions in its own ACL at the bucket level, or an IAM permissions list; these are independent and supplement each other. S3 provides file versioning as a kind of protection to restore any version of every object in the bucket. Additionally, the "S3 versioning MFA Delete" feature will request typing the six-digit code and serial number from the MFA device. Also, a valuable feature for the audit and forensics case is logging S3 events, which can be configured per bucket on initialization. These logs will contain information about each access request and include:

• request type,
• the requested resource,
• the requestor's IP,
• the time and date of the request.

EBS access restriction looks similar to S3; resources are accessible under the current AWS Account only, and to the users granted access with AWS IAM (this case may apply across AWS Accounts as well, if it is explicitly allowed). Snapshots backed up to S3 and shared enable indirect access (only read permission, not alteration, deletion or another modification) to the EBS. There is an interesting point suitable for forensics: a snapshot stored on S3 will keep all deleted data from the EBS volume, if they were not altered or DoD wiped. Talking about secure wiping, AWS provides a "destroying" data feature via a specific method, such as those detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"); AWS performs these actions for S3 and EBS. In case it is impossible to wipe data after the storage disk lifetime, such a disk will be physically destroyed.

Gross Inspection on AWS Compliance from the Customer Side
As this is the first part of a series of articles, I briefly examine several standards and order documents re-
On the Net
• http://www.windowsecurity.com/articles/Cloud-computing-can-we-trust-how-can-be-used-whilst-being-secure.html
– Cloud computing, can we trust it and how can it be used whilst being secure, Ricky M. Magalhaes
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part1.html – Security Considera-
tions for Cloud Computing (Part 1) – Virtualization Platform, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part2.html – Security Considera-
tions for Cloud Computing (Part 2), Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part3.html – Security Considera-
tions for Cloud Computing (Part 3) – Broad Network Access, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part4.html – Security Considera-
tions for Cloud Computing (Part 4) – Resource Pooling, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part5.html – Security Considera-
tions for Cloud Computing (Part 5) – Rapid Elasticity, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part6.html – Security Considera-
tions for Cloud Computing (Part 6) – Metered Services, Deb Shinder
• https://www.windowsazure.com/en-us/support/legal/security-overview/ – Technical Overview of the Security Featu-
res in the Windows Azure Platform, April 2011
• http://www.baselinemag.com/c/a/Security/Securing-Data-in-the-Cloud/ – Securing Data in the Cloud, Eric Friedberg
• http://d36cz9buwru1tt.cloudfront.net/Whitepaper_Security_Best_Practices_2010.pdf – AWS Security Best Practices,
January 2011
• http://d36cz9buwru1tt.cloudfront.net/pdf/AWS_Security_Whitepaper.pdf – Amazon Web Services: Overview of Secu-
rity Processes, May 2011
• https://www.windowsazure.com/en-us/support/trust-center/compliance/ – Trust Center Home, Compliance
• http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm – Convention for the Protection of Individuals with re-
gard to Automatic Processing of Personal Datat
10/2012(10) Page 59 http://pentestmag.com
12. W
e
b
A
p asasa
p
ferred to security on compliance; some of them is Some non-profit organizations try to unify best
worldwide and some is Russian. In further articles, practices for clouds, help the vendors to improve
I will provide a detail AWS services’ examination their security features and provide customers with
with the most known documents to explain and best choice of solution they need. One of them is
show if cloud services (mainly AWS and Azure) CSA that offers range of industry security practitio-
are so insecure, if configuring with compliance is ners, corporations, and associations participate in
so complex and if compliance makes a sense for this organization to achieve its mission. They cre-
end customers on security. Some requirements ate so-called “CSA Consensus Assessments Ini-
and entire documents are going to be discussed tiative Questionnaire” that provides a set of ques-
will deliberately be used as outdated to highlight tions the CSA anticipates a cloud consumer and/or
comparison. One of them, the Russian Federal a cloud auditor would ask of a cloud provider. AWS
Law about Personal Data refers to the “Conven- announced that they has completed the CSA CAI
tion for the Protection of Individuals with regard to (Table 4).
Automatic Processing of Personal Data” that was
confirmed in 2006. This reference allows storing Conclusion
data out Russia and 1C Company has already of- Some companies have to manage with regula-
fer a cloud solution in accordance with Chapter tions because of legal proceedings to how the da-
III about “Transborder data flows” and Article 12 ta should be handled, where they should be stored
about “Transborder flows of personal data and do- and how the consumer data are protected. On an-
mestic law”. other hand, security audit may uncover the vulner-
abilities. Whether audit makes sense or not, there
• The following provisions shall apply to the is case when you or someone else have to vali-
transfer across national borders, by whatever date with standard. In these articles, I briefly ana-
medium, of personal data undergoing automat- lyze security features of WS with several require-
ic processing or collected with a view to their ments. In further articles, I will provide a detail AWS
being automatically processed. services' examination with the most known docu-
• A Party shall not, for the sole purpose of the ments to explain and show if cloud services (main-
protection of privacy, prohibit or subject to spe- ly AWS and Azure) are so insecure, if configuring
cial authorization transborder flows of personal with compliance is so complex and if compliance
data going to the another territory. makes a sense for end customers on security.
• Nevertheless, each Party shall be entitled to
derogate from the provisions of paragraph 2:
• insofar as its legislation includes specific
regulations for certain categories of person-
al data or of automated personal data files,
because of the nature of those data or those Yury Chemerkin
files, except where the regulations of the Yury Chemerkin graduated from RSUH in 2010 (http://
other Party provide an equivalent protection; rggu.com/) on the BlackBerry diploma thesis. Currently
• when the transfer is made from its territo- in the postgraduate program at RSUH on the Cloud Se-
ry to the territory of a non-ing State through curity thesis. Experience in Reverse Engineering, Soft-
the intermediary of the territory of anoth- ware Programming, Cyber & Mobile Security Research,
er Party, in order to avoid such transfers re- Documentation, and as a contributing Security Writer.
sulting in circumvention of the legislation of Also, researching Cloud Security and Social Privacy. The
the Party referred to at the beginning of this last several years, I have worked on mobile social secu-
paragraph. rity, cloud security and compliance, mobile security and
forensics; additionally develops solutions based on ex-
The Russian law refers to another documents pro- ploiting, not only OS vulnerabilities, but also third-par-
vided several requirements to protection some of ty products and solutions.
them I will examine right now. These requirements Regular blog: http://security-through-obscurity.
divide into three categories based on which da- blogspot.com.
ta is processed (medical, religion, nationality, etc.) Regular Email: yury.chemerkin@gmail.com
(Table 3). Skype: yury.chemerkin
10/2012(10) Page 60 http://pentestmag.com
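The per-bucket S3 access logs mentioned in the EBS/S3 section (request type, requested resource, requestor's IP, time and date) are only useful for audit if someone reads them. The following added example, not code from the article or from AWS, parses lines in the documented S3 server access log layout and flags the entries an auditor looks at first: unsigned (anonymous) requests that succeeded, denied requests, and deletes. The log lines, owner/user IDs and addresses are constructed placeholders, and fields AWS appended to the log format after this article was written are not parsed.

```python
import re
from datetime import datetime
# Added example, not the article's code: parse S3 server access log lines in the
# documented layout (owner, bucket, [time], IP, requester, request ID, operation,
# key, "URI", status, error, 4 size/timing fields, "referer", "agent", version).
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<req_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?:\S+ ){4}'
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<version_id>\S+)$'
)
# Constructed sample lines; owner/user IDs and addresses are placeholders.
SAMPLE_LOG = [
    'OWNERIDEXAMPLE audit-demo [06/Feb/2012:00:00:38 +0000] 198.51.100.7 - '
    'REQ1EXAMPLE REST.GET.OBJECT public/index.html "GET /audit-demo/public/index.html '
    'HTTP/1.1" 200 - 512 512 9 6 "-" "Mozilla/5.0" -',
    'OWNERIDEXAMPLE audit-demo [06/Feb/2012:00:01:02 +0000] 198.51.100.7 - '
    'REQ2EXAMPLE REST.GET.OBJECT reports/q3.pdf "GET /audit-demo/reports/q3.pdf '
    'HTTP/1.1" 403 AccessDenied 231 - 4 - "-" "Mozilla/5.0" -',
    'OWNERIDEXAMPLE audit-demo [06/Feb/2012:00:02:15 +0000] 192.0.2.3 USERIDEXAMPLE '
    'REQ3EXAMPLE REST.DELETE.OBJECT reports/q2.pdf "DELETE /audit-demo/reports/q2.pdf '
    'HTTP/1.1" 204 - - 1024 3 - "-" "aws-cli/1.0" -',
]

def parse_line(line):
    """Extract the fields the article lists: request type, resource, IP, time."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed or newer-format line: skip rather than guess
    f = m.groupdict()
    return {
        "time": datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "ip": f["ip"],
        "requester": None if f["requester"] == "-" else f["requester"],  # None = unsigned
        "operation": f["operation"],
        "resource": f["bucket"] + "/" + f["key"],
        "status": int(f["status"]) if f["status"].isdigit() else None,
    }

def audit(lines):
    """Return (finding, record) pairs: successful anonymous hits, denials, deletes."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["requester"] is None and rec["status"] is not None and rec["status"] < 300:
            findings.append(("anonymous_access", rec))
        elif rec["status"] == 403:
            findings.append(("access_denied", rec))
        if rec["operation"].startswith("REST.DELETE."):
            findings.append(("delete", rec))
    return findings
```

A successful anonymous hit on a bucket that was meant to be private is the quickest sign that the bucket ACL or IAM policy drifted from the "authenticated access only" default the section describes.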