AWS: Overview of Security Processes Ryan Holland Ecosystem Solution Architect
Nov 11, 2014
AWS: Overview of
Security Processes
Ryan Holland
Ecosystem Solution Architect
AWS Computing Platform
Certifications & Accreditations
Sarbanes-Oxley (SOX) compliance
ISO 27001 Certification
PCI DSS Level I Certification
HIPAA compliant architecture
SAS 70(SOC 1) Type II Audit
FISMA Low & Moderate ATOs
DIACAP MAC III-Sensitive
Shared Responsibility Model
Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance
Application level security, including password and role based access
Host-based firewalls, including Intrusion Detection/Prevention Systems
Separation of Access
Physical Security
Multi-level, multi-factor controlled access environment
Controlled, need-based access for AWS employees (least privilege)
Management Plane Administrative Access
Multi-factor, controlled, need-based access to administrative host
All access logged, monitored, reviewed
AWS Administrators DO NOT have logical access inside a customer’s VMs, including applications and data
AWS Security Model Overview
VM Security
Multi-factor access to Amazon Account
Instance Isolation
• Customer-controlled firewall at the hypervisor level
• Neighboring instances prevented access
• Virtualized disk management layer ensure only account owners can access storage disks (EBS)
Support for SSL end point encryption for API calls
Network Security
Instance firewalls can be configured in security groups;
The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
Shared Responsibility Model
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure
AWS Customer • Operating System
• Application
• Security Groups
• Network ACLs
• Network Configuration
• Account Management
AWS Security Resources
http://aws.amazon.com/security/
Security Whitepaper
Risk and Compliance Whitepaper
Latest Versions May 2011, July 2012
respectively
Regularly Updated
Feedback is welcome
AWS Certifications Sarbanes-Oxley (SOX)
ISO 27001 Certification
Payment Card Industry Data Security
Standard (PCI DSS) Level 1 Compliant
SSAE 16 (SOC 1) Type II Audit
FISMA A&As
• Multiple NIST Low Approvals to Operate (ATO)
• NIST Moderate, GSA issued ATO
• FedRAMP
DIACAP MAC III Sensitive IATO
Customers have deployed various compliant applications such as HIPAA (healthcare)
SOC 1 Type II Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2
report every six months and maintains a favorable unbiased and unqualified opinion
from its independent auditors. AWS identifies those controls relating to the operational
performance and security to safeguard customer data. The SOC 1 report audit attests
that AWS’ control objectives are appropriately designed and that the individual controls
defined to safeguard customer data are operating effectively. Our commitment to the SOC 1
report is on-going and we plan to continue our process of periodic audits.
The audit for this report is conducted in accordance with the Statement on Standards for
Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance
Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can
meet a broad range of auditing requirements for U.S. and international auditing bodies. This
audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II
report.
This report is available to customers under NDA.
SOC 1
Type II – Control Objectives Control Objective 1: Security Organization
Control Objective 2: Amazon Employee Lifecycle
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security
Control Objective 6: Environmental Safeguards
Control Objective 7: Change Management
Control Objective 8: Data Integrity, Availability and Redundancy
Control Objective 9: Incident Handling
ISO 27001
AWS has achieved ISO 27001 certification of our
Information Security Management System (ISMS)
covering AWS infrastructure, data centers in all regions
worldwide, and services including Amazon Elastic
Compute Cloud (Amazon EC2), Amazon Simple Storage
Service (Amazon S3) and Amazon Virtual Private Cloud
(Amazon VPC). We have established a formal program
to maintain the certification.
PCI DSS Level 1 Service Provider
PCI DSS 2.0 compliant
Covers core infrastructure & services
• EC2, VPC, S3, EBS, RDS, ELB, and IAM
Use normally, no special configuration
Leverage the work of our QSA
AWS will work with merchants and designated Qualified
Incident Response Assessors (QIRA)
• can support forensic investigations
Certified in all regions
Physical Security
Amazon has been building large-scale data centers for many years
Important attributes: • Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
Controlled, need-based access for
AWS employees (least privilege)
All access is logged and reviewed
US West (Northern
California)
US East (Northern
Virginia)
EU (Ireland)
Asia
Pacific (Singapore)
Asia
Pacific (Tokyo)
AWS Regions
AWS Edge Locations
GovCloud (US ITAR
Region)
US West (Oregon)
South
America (Sao Paulo)
AWS Regions and Availability Zones
Customer Decides Where Applications and Data Reside
Enables a customer to create multiple Users and manage the permissions for each of these Users.
Secure by default; new Users have no access to AWS until permissions are explicitly granted. Us
AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials.er
Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
AWS Identity and Access Management
AWS MFA Benefits Helps prevent anyone with unauthorized
knowledge of your e-mail address and password
from impersonating you
Requires a device in your physical possession to
gain access to secure pages on the AWS Portal or
to gain access to the AWS Management Console
Adds an extra layer of protection to sensitive
information, such as your AWS access identifiers
Extends protection to your AWS resources such as
Amazon EC2 instances and Amazon S3 data
Amazon EC2 Security
Host operating system • Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
Guest operating system • Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs
Firewall • Mandatory inbound instance firewall, default deny mode
• Outbound instance firewall available in VPC
• VPC subnet ACLs
Signed API calls • Require X.509 certificate or customer’s secret AWS key
Amazon EC2 Instance Isolation
Physical Interfaces
Customer 1
Hypervisor
Customer 2 Customer n …
… Virtual Interfaces
Firewall
Customer 1 Security Groups
Customer 2 Security Groups
Customer n Security Groups
Virtual Memory & Local Disk
Amazon EC2 Instances
Amazon EC2 Instance
Encrypted File System
Encrypted Swap File
• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an added layer of security
EBS Wiping / Data Destruction
Blocks Zeroed Out Upon Provisioning
Logical-to-Physical Block Mapping • Created during provisioning
• Destroyed during de-provisioning
Failed or Decommissioned Hardware
• Degaussed
• Physically destroyed
Network Security Considerations DDoS (Distributed Denial of Service): • Standard mitigation techniques in effect
MITM (Man in the Middle): • All endpoints protected by SSL • Fresh EC2 host keys generated at boot
IP Spoofing: • Prohibited at host OS level
Unauthorized Port Scanning: • Violation of AWS TOS • Detected, stopped, and blocked • Ineffective anyway since inbound ports blocked by default
Packet Sniffing: • Promiscuous mode is ineffective • Protection at hypervisor level
Amazon Virtual Private Cloud (VPC)
Create a logically isolated environment in Amazon’s highly scalable
infrastructure
Specify your private IP address range into one or more public or private
subnets
Control inbound and outbound access to and from individual subnets using
stateless Network Access Control Lists
Protect your Instances with stateful filters for inbound and outbound traffic using
Security Groups
Attach an Elastic IP address to any instance in your VPC so it can be reached
directly from the Internet
Bridge your VPC and your onsite IT infrastructure with an industry standard
encrypted VPN connection and/or AWS Direct Connect
Use a wizard to easily create your VPC in 4 different topologies
Amazon VPC Architecture
Amazon VPC Network Security Controls
Amazon VPC - Dedicated Instances
New option to ensure physical hosts are not shared with
other customers
$10/hr flat fee per Region + small hourly charge
Can identify specific Instances as dedicated
Optionally configure entire VPC as dedicated
AWS Deployment Models Logical Server
and
Application
Isolation
Granular
Information
Access Policy
Logical
Network
Isolation
Physical
server
Isolation
Government Only
Physical Network
and Facility
Isolation
ITAR
Compliant
(US Persons
Only)
Sample Workloads
Commercial
Cloud Public facing apps. Web
sites, Dev test etc.
Virtual Private
Cloud (VPC) Data Center extension,
TIC environment, email,
FISMA low and
Moderate
AWS GovCloud
(US) US Persons Compliant
and Government
Specific Apps.
Thanks!
Remember to visit
https://aws.amazon.com/security