Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud




AWS Cloud Security Model Overview

Certifications & Accreditations
- Sarbanes-Oxley (SOX) compliance
- ISO 27001 Certification
- PCI DSS Level I Certification
- HIPAA compliant architecture
- SAS 70 Type II Audit
- FISMA Low ATO
- Pursuing FISMA Moderate ATO
- Pursuing DIACAP MAC III-Sensitive
- FedRAMP
- Service Health Dashboard

Shared Responsibility Model
Customer/SI Partner/ISV controls:
- Guest OS-level security, including patching and maintenance
- Application level security, including password and role based access
- Host-based firewalls, including Intrusion Detection/Prevention Systems
- Encryption/Decryption of data
- Hardware Security Modules
- Separation of Access

Physical Security
- Multi-level, multi-factor controlled access environment
- Controlled, need-based access for AWS employees (least privilege)

Management Plane Administrative Access
- Multi-factor, controlled, need-based access to administrative host
- All access logged, monitored, reviewed
- AWS Administrators DO NOT have access inside a customer's VMs, including applications and data

VM Security
- Multi-factor access to Amazon Account
- Instance Isolation: customer-controlled firewall at the hypervisor level; neighboring instances prevented access
- Virtualized disk management layer ensures only account owners can access storage disks (EBS)
- Support for SSL end point encryption for API calls

Network Security
- Instance firewalls can be configured in security groups; traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block)
- Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources

AWS Computing Platform

AWS Security Resources
http://aws.amazon.com/security/
- Security Whitepaper
- Risk and Compliance Whitepaper
Latest versions: May 2011. Regularly updated; feedback is welcome.

AWS Certifications
Shared Responsibility Model
- Sarbanes-Oxley (SOX)
- ISO 27001 Certification
- Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
- SAS70 Type II Audit
- FISMA A&As: multiple NIST Low Approvals to Operate (ATO); actively pursuing NIST Moderate, completed ST&E
- FedRAMP
- DIACAP MAC III Sensitive IATO
- Customers have deployed various compliant applications such as HIPAA (healthcare)

SAS70 Type II
We publish a Statement on Auditing Standards No. 70 (SAS 70) Type II Audit report every six months and maintain a favorable unbiased and unqualified opinion from our independent auditors. AWS identifies those controls relating to operational performance and security that safeguard customer data. Auditors evaluate the design of the stated control objectives and control activities and attest to the effectiveness of their design. They also audit the operation of those controls, attesting that the controls are operating as designed. This report is available under NDA to customers who require a SAS70 Type II to meet their own audit and compliance needs.

ISO 27001
AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering the AWS infrastructure and data centers in all regions worldwide, and the services Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC).

PCI DSS Level 1
AWS has been successfully validated as a Level 1 service provider under the most recently published Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and Amazon Virtual Private Cloud (VPC) are included in the PCI compliance validation.

Physical Security
Amazon has been building large-scale data centers for many years. Important attributes:
- Non-descript facilities
- Robust perimeter controls
- Strictly controlled physical access
- 2 or more levels of two-factor auth
- Controlled, need-based access for AWS employees (least privilege)
- All access is logged and reviewed

Fault Separation and Geographic Diversity
[Conceptual drawing: Auto Scaling, Elastic Load Balancing and Amazon CloudWatch spanning the regions below, each region shown with multiple Availability Zones]
- US East Region (N. VA)
- US West Region (N. CA)
- EU Region (IRE)
- APAC Region (Singapore)
- APAC Region (Tokyo)
Note: Conceptual drawing only. The number of Availability Zones may vary.

Data Backups
- Data in Amazon S3, Amazon SimpleDB, and Amazon EBS is stored redundantly in multiple physical locations
- EBS redundancy is within a single Availability Zone
- Amazon S3 and Amazon SimpleDB replicate customer objects across storage systems in multiple Availability Zones to ensure durability
- Data stored on Amazon EC2 local disks must be proactively copied to Amazon EBS or Amazon S3 for redundancy

AWS Identity and Access Management
- Enables a customer to create multiple Users and manage the permissions for each of these Users
- Secure by default: new Users have no access to AWS until permissions are explicitly granted
- AWS IAM enables customers to minimize the use of their AWS Account credentials; instead, all interactions with AWS Services and resources should be with AWS IAM User security credentials
- Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM

AWS Multi-Factor Authentication A recommended opt-in security feature of your Amazon Web Services (AWS) account

AWS MFA Benefits
- Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
- Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console
- Adds an extra layer of protection to sensitive information, such as your AWS access identifiers
- Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data

Amazon EC2 Security
Host operating system
- Individual SSH keyed logins via bastion host for AWS admins
- All accesses logged and audited
Guest operating system
- Customer controlled at root level
- AWS admins cannot log in
- Customer-generated keypairs
Stateful firewall
- Mandatory inbound firewall, default deny mode
Signed API calls
- Require X.509 certificate or customer's secret AWS key
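What "signed API calls" means in practice for the secret-key option: every parameter of the request is folded into an HMAC under the account's secret key, so a request cannot be forged or altered in transit without that key. This is an added example, not AWS's code or the speaker's; it assumes the HMAC-SHA256 query-signing scheme used by the EC2 Query API at the time (Signature Version 2), and the access key, secret key and host name in it are constructed placeholders. The X.509 option is not modelled.

```python
"""Added example: signing and verifying an EC2 Query API request with the
account's secret key (Signature Version 2 style HMAC-SHA256). Keys and
identifiers are constructed placeholders."""
import base64
import hashlib
import hmac
import urllib.parse


def _canonical_query(params: dict) -> str:
    """Parameters sorted by byte order, RFC 3986 encoded (space -> %20, '~' kept)."""
    return "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def string_to_sign(method: str, host: str, path: str, params: dict) -> str:
    """Method, lower-cased host, path and canonical query, newline-separated."""
    return "\n".join([method, host.lower(), path, _canonical_query(params)])


def _mac(secret_key: str, method: str, host: str, path: str, params: dict) -> str:
    digest = hmac.new(secret_key.encode(), string_to_sign(method, host, path, params).encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(secret_key: str, method: str, host: str, path: str, params: dict) -> dict:
    """Client side: return the parameters plus the Signature field. The
    SignatureVersion/SignatureMethod fields are themselves signed, so a peer
    cannot downgrade them without invalidating the signature."""
    signed = dict(params)
    signed.update({"SignatureVersion": "2", "SignatureMethod": "HmacSHA256"})
    signed["Signature"] = _mac(secret_key, method, host, path, signed)
    return signed


def verify_request(secret_key: str, method: str, host: str, path: str, params: dict) -> bool:
    """Server side: recompute over every parameter except Signature itself and
    compare in constant time."""
    received = params.get("Signature", "")
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    return hmac.compare_digest(_mac(secret_key, method, host, path, unsigned), received)


if __name__ == "__main__":
    # Constructed values: not a real key pair, not a real instance.
    key = "constructed-secret-key-not-real"
    req = sign_request(key, "GET", "ec2.amazonaws.com", "/", {
        "Action": "DescribeInstances", "AWSAccessKeyId": "AKIAEXAMPLE",
        "Timestamp": "2011-05-01T12:00:00Z", "Version": "2011-02-28"})
    print(req["Signature"], verify_request(key, "GET", "ec2.amazonaws.com", "/", req))
```

The Timestamp parameter is part of the signed string, which is what lets the service reject stale replays of an otherwise valid request.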

Amazon EC2 Instance Isolation
[Diagram: Customer 1, Customer 2 ... Customer n instances above the Hypervisor on Virtual Interfaces; each customer's traffic passes its own Security Groups (Customer 1, Customer 2 ... Customer n Security Groups) and the Firewall before the Physical Interfaces]

Virtual Memory & Local Disk
[Diagram: Amazon EC2 Instances, each with an Encrypted File System and Encrypted Swap File]
- Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
- Local disk storage can also be encrypted by the customer for an added layer of security

Network Traffic Flow Security
[Diagram: Inbound Traffic -> Amazon Security Groups -> iptables -> Amazon EC2 Instances (Encrypted File System, Encrypted Swap File)]
- Inbound traffic must be explicitly specified by protocol, port, and security group
- iptables may be implemented as a completely user controlled security layer for granular access control of discrete hosts, including access to other Amazon Web Services (Amazon S3/SimpleDB, etc.)

Multi-tier Security Architecture
[Diagram: Web Tier, Application Tier and Database Tier (EBS Volume), each behind an Amazon EC2 Security Group Firewall]
- AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers
- Ports 80 and 443 only open to the Internet; all other Internet ports blocked by default
- Engineering staff have ssh access to the App Tier, which acts as Bastion
- Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier
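The security-group behaviour described on the preceding slides (mandatory inbound firewall in default-deny mode; rules by protocol, port and source, where the source is a CIDR block or another security group) is what makes the three-tier layout above enforceable. The following is an added simulation of that evaluation, not AWS code or the speaker's: group names, addresses (RFC 5737 test ranges) and the application port 8080 and database port 3306 are constructed assumptions. It checks that only 80/443 reach the web tier from the Internet, that ssh to the bastion (app tier) is limited to the corporate range, and that the database tier is reachable only from the app tier.

```python
"""Added example: a model of EC2 security-group evaluation applied to the
three-tier layout on the slide. Not AWS code; names, addresses and ports
are constructed. A rule source starting with "sg-" is a group reference,
anything else is a CIDR block."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp"
    from_port: int
    to_port: int
    source: str     # CIDR such as "0.0.0.0/0", or a group name such as "sg-web"


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # only Allow rules exist; everything else is denied


def allows(group: SecurityGroup, protocol: str, port: int, src_ip: str, src_groups=()) -> bool:
    """Inbound traffic is allowed only if some rule matches (default deny).
    `src_groups` are the groups the sending instance belongs to."""
    addr = ipaddress.ip_address(src_ip)
    for r in group.inbound:
        if r.protocol != protocol or not (r.from_port <= port <= r.to_port):
            continue
        if r.source.startswith("sg-"):
            if r.source in src_groups:
                return True
        elif addr in ipaddress.ip_network(r.source, strict=False):
            return True
    return False


def three_tier() -> dict:
    """Web tier: 80/443 from anywhere. App tier (bastion): app port from the
    web group, ssh from the corporate range only. DB tier: database port and
    ssh from the app group only."""
    corp = "203.0.113.0/24"   # constructed corporate range (TEST-NET-3)
    web = SecurityGroup("sg-web", [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")])
    app = SecurityGroup("sg-app", [Rule("tcp", 8080, 8080, "sg-web"), Rule("tcp", 22, 22, corp)])
    db = SecurityGroup("sg-db", [Rule("tcp", 3306, 3306, "sg-app"), Rule("tcp", 22, 22, "sg-app")])
    return {g.name: g for g in (web, app, db)}


def check_layout() -> dict:
    """Exercise the layout from the Internet, the office and the inner tiers."""
    groups = three_tier()
    internet, office = "198.51.100.7", "203.0.113.25"       # constructed addresses
    web_host, app_host = "10.0.1.10", "10.0.2.10"           # constructed private addresses
    return {
        "internet_https_to_web": allows(groups["sg-web"], "tcp", 443, internet),
        "internet_ssh_to_web": allows(groups["sg-web"], "tcp", 22, internet),
        "internet_ssh_to_app": allows(groups["sg-app"], "tcp", 22, internet),
        "office_ssh_to_app": allows(groups["sg-app"], "tcp", 22, office),
        "web_to_app": allows(groups["sg-app"], "tcp", 8080, web_host, src_groups={"sg-web"}),
        "internet_to_db": allows(groups["sg-db"], "tcp", 3306, internet),
        "app_to_db": allows(groups["sg-db"], "tcp", 3306, app_host, src_groups={"sg-app"}),
        "web_to_db": allows(groups["sg-db"], "tcp", 3306, web_host, src_groups={"sg-web"}),
    }


if __name__ == "__main__":
    for name, ok in check_layout().items():
        print(f"{name:24s} {'allowed' if ok else 'denied'}")
```

Granting a third party ssh access to the database tier, as the slide mentions, would be one more Rule on sg-db whose source is that party's CIDR block; the model makes it easy to confirm afterwards that nothing else changed.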

Network Security Considerations
- DDoS (Distributed Denial of Service): standard mitigation techniques in effect
- MITM (Man in the Middle): all endpoints protected by SSL; fresh EC2 host keys generated at boot
- IP Spoofing: prohibited at host OS level
- Unauthorized Port Scanning: violation of AWS TOS; detected, stopped, and blocked; ineffective anyway since inbound ports are blocked by default
- Packet Sniffing: promiscuous mode is ineffective; protection at hypervisor level
- Configuration Management: configuration changes are authorized, logged, tested, approved, and documented. Most updates are done in such a manner that they will not impact the customer. AWS will communicate with customers, either via email or through the AWS Service Health Dashboard (http://status.aws.amazon.com/), when there is a chance that their Service use may be affected.

Network Traffic Confidentiality
[Diagram: Internet Traffic -> Amazon EC2 Instances (Encrypted File System, Encrypted Swap File) <- VPN -> Corporate Network]
- All traffic should be cryptographically controlled
- Inbound and outbound traffic to corporate networks should be wrapped within industry standard VPN tunnels (option to use Amazon VPC)

Amazon VPC
[Diagram: the customer's isolated AWS resources in Subnets behind a VPN Gateway in the Amazon Web Services Cloud; a Secure VPN Connection over the Internet to a Router in the Customer's Network]

Amazon VPC Capabilities
- Create an isolated environment within AWS
- Establish subnets to control who and what can access your resources
- Connect your isolated AWS resources and your IT infrastructure via a VPN connection
- Launch AWS resources within the isolated network
- Use your existing security and networking technologies to examine traffic to/from your isolated resources
- Extend existing security/management policies within your IT to your isolated AWS resources as if they were running within your infrastructure

Amazon VPC Network Security Controls

Amazon S3 Security
- Access controls at bucket and object level: Read, Write, Full
- Bucket Policies: conditional rules based on account, request IP, etc.
- Customer Encryption
- SSL Supported
- Durability 99.999999999%
- Availability 99.99%
- Versioning (MFA Delete)
- Detailed Access Logging
- Storage Device Decommissioning: NIST 800-88 methods

Amazon Relational Database Service Security
- Access based on Database Security Groups
- Default Deny All; allowances by IP range or EC2 Security Group
- SSL to protect data in transit
- User created with AWS IAM only has access to the operations and domains for which they have been granted permission via policy

Amazon SimpleDB Security
- Access based on AWS account ID
- Domains accessible based on ACL
- SSL to protect data in transit
- User created with AWS IAM only has access to the operations and domains for which they have been granted permission via policy
- Encrypt data elements not used as keys
Note: encrypting data elements limits your ability to select those fields as retrieval keys.

Amazon SQS Security
- Scalable Message Queuing Service, designed to be highly available, reliable and durable
- Access based on AWS account ID, Access Policy Language (APL) and AWS IAM
- Access Policy Language enables the creation of complex rules to enable access to queues based on identity (AWS account number), source IP address, date, time, and more
- An AWS IAM user, however, only has access to the operations and queues which they have been granted access to via policy
- SSL to protect data in transit
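The same access-policy model runs through the IAM, S3, RDS, SimpleDB and SQS slides: a user or principal gets nothing by default, an Allow statement grants specific actions on specific resources, conditions can restrict by account, source IP address and date/time, and an explicit Deny overrides any Allow. The following is an added miniature evaluator with exactly those rules, written to make the semantics concrete; it is not AWS's evaluator and not from the talk, and the policy, account IDs, ARNs, bucket name and addresses in it are constructed. It handles the general case (wildcards, multiple operators, missing context keys) rather than only the one slide's wording.

```python
"""Added example: a miniature access-policy evaluator (default deny,
explicit Deny beats Allow, wildcard Action/Resource, conditions on
source IP, string equality and time). Not AWS code; every identifier
below is constructed. Unknown operators and missing context keys fail
closed."""
import fnmatch
import ipaddress
from datetime import datetime


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _in_any_cidr(ip: str, cidrs) -> bool:
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """Every operator/key pair in the Condition block must hold."""
    for op, kv in cond.items():
        for key, want in kv.items():
            have = ctx.get(key)
            if have is None:
                return False
            wants = _as_list(want)
            if op == "IpAddress":
                ok = _in_any_cidr(have, wants)
            elif op == "NotIpAddress":
                ok = not _in_any_cidr(have, wants)
            elif op == "StringEquals":
                ok = have in wants
            elif op == "DateLessThan":
                ok = all(datetime.fromisoformat(have) < datetime.fromisoformat(w) for w in wants)
            elif op == "DateGreaterThan":
                ok = all(datetime.fromisoformat(have) > datetime.fromisoformat(w) for w in wants)
            else:
                ok = False
            if not ok:
                return False
    return True


def _principal_matches(spec, principal: str) -> bool:
    return spec == "*" or principal in _as_list(spec.get("AWS", []))


def _pattern_matches(patterns, value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy: dict, principal: str, action: str, resource: str, ctx: dict) -> bool:
    """Allowed only if some Allow statement matches and no Deny statement does."""
    allowed = False
    for st in policy["Statement"]:
        if not (_principal_matches(st.get("Principal", "*"), principal)
                and _pattern_matches(st["Action"], action)
                and _pattern_matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return False        # an explicit deny always wins
        allowed = True
    return allowed


ALICE = "arn:aws:iam::111122223333:user/alice"       # constructed IAM user
AUDITOR = "arn:aws:iam::444455556666:user/auditor"   # constructed user in a partner account
OFFICE, HOME = "203.0.113.25", "198.51.100.7"         # constructed addresses (RFC 5737 ranges)

BUCKET_POLICY = {   # constructed S3 bucket policy
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ALICE},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": [AUDITOR]}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/reports/*",
         "Condition": {"DateLessThan": {"aws:CurrentTime": "2011-07-01T00:00:00+00:00"}}},
    ]
}


def decide() -> dict:
    """Run the policy against several callers, addresses and dates."""
    obj = "arn:aws:s3:::example-bucket/reports/q2.csv"
    june, july = "2011-06-15T12:00:00+00:00", "2011-07-15T12:00:00+00:00"

    def ctx(ip, when):
        return {"aws:SourceIp": ip, "aws:CurrentTime": when}

    return {
        "alice_get_from_office": evaluate(BUCKET_POLICY, ALICE, "s3:GetObject", obj, ctx(OFFICE, june)),
        "alice_get_from_home": evaluate(BUCKET_POLICY, ALICE, "s3:GetObject", obj, ctx(HOME, june)),
        "alice_delete_from_office": evaluate(BUCKET_POLICY, ALICE, "s3:DeleteObject", obj, ctx(OFFICE, june)),
        "auditor_get_in_june": evaluate(BUCKET_POLICY, AUDITOR, "s3:GetObject", obj, ctx(HOME, june)),
        "auditor_get_in_july": evaluate(BUCKET_POLICY, AUDITOR, "s3:GetObject", obj, ctx(HOME, july)),
        "auditor_get_outside_reports": evaluate(BUCKET_POLICY, AUDITOR, "s3:GetObject",
                                                "arn:aws:s3:::example-bucket/secret.txt", ctx(HOME, june)),
    }


if __name__ == "__main__":
    for name, ok in decide().items():
        print(f"{name:28s} {'allow' if ok else 'deny'}")
```

The Deny on s3:DeleteObject is the pattern behind the slide's "MFA Delete" and similar guard rails: a blanket Deny sits above every Allow, so widening an Allow later cannot silently re-enable the dangerous action.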

Amazon CloudFront Security
- API is only accessible via SSL-encrypted endpoints and must be authenticated
- Origin data stored in Amazon S3
- Private content option will only deliver files authorized by securely signed requests
- Data Security and Durability provided by Amazon S3
- Comprehensive access logs
- Configurable for https-only downloads

Amazon Elastic MapReduce Security
- Access based on AWS account ID
- Authenticated APIs
- Sets up Security Groups: Master Node external access only via SSH; Slave Nodes don't allow external access
- SSL is used to protect data in transit to and from Amazon S3

Simone Brunozzi
simone@amazon.com
Twitter: @simon
Thank you