Amazon Web Services Security & Compliance Overview Attila Lengyel Enterprise Account Manager Dob Todorov Principal Security & Compliance Architect EMEA


Post on 23-Mar-2016


Page 1: Attila  Lengyel  Enterprise Account Manager Dob Todorov  Principal  Security & Compliance  Architect  EMEA

Amazon Web Services Security & Compliance Overview

Attila Lengyel Enterprise Account Manager

Dob Todorov Principal Security & Compliance Architect EMEA

Page 2:

undifferentiated heavy lifting

Page 3:

utility computing

Page 4:

AWS provides broad and deep services to support any cloud workload

AWS Global Infrastructure

Application Services

Networking

Deployment & Administration

Database, Storage, Compute

Page 5:

Hundreds of Thousands of Customers in 190 Countries…

Page 6:

Free steak campaign

Facebook page

Mars exploration

ops

Consumer social app

Ticket pricing optimization

SAP & Sharepoint

Securities Trading Data Archiving

Gene sequencing

Marketing web site

Interactive TV apps

Financial markets analytics

R&D data analysis

Consumer social app

Big data analytics

Web site & media sharing

Disaster recovery

Media streaming

Web and mobile apps

Streaming webcasts

Facebook app

Consumer social app

Every Imaginable Use Case

Page 7:

Gartner “Magic Quadrant for Cloud Infrastructure as a Service,” Lydia Leong, Douglas Toombs, Bob Gill, Gregor Petri, Tiny Haynes, August 19, 2013. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Steven Armstrong ([email protected]). Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

“AWS is the overwhelming market share leader, with more than five times the compute capacity in use than the aggregate total of the other fourteen providers.”

Page 8:

Notable Financial Services Stories

Page 9:

Dutch National Bank (regulator)

Page 10:

AWS Regions and AWS Edge Locations

US West (Northern California)

US West (Oregon)

US East (Northern Virginia)

GovCloud (US ITAR Region)

EU (Ireland)

Asia Pacific (Singapore)

Asia Pacific (Tokyo)

Asia Pacific (Sydney)

South America (Sao Paulo)

Page 11:

[Diagram: Availability Zones per region, labelled A, B and, where present, C]

US West (Northern California)

US West (Oregon)

South America (Sao Paulo)

Asia Pacific (Singapore)

EU West (Dublin)

US East (Virginia)

Asia Pacific (Tokyo)

Asia Pacific (Australia)

Page 12:

Personal Data Protection in Europe

• EC Directive 95/46/EC: Personal Data Protection
• Use Amazon Web Services Dublin Region
• Safe Harbour EU Compliant
• Safe Harbour Switzerland Compliant

Page 13:

The Shared Responsibility Model in the Cloud

Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Client-side Data Encryption & Data Integrity Authentication

Server-side Encryption (File System and/or Data)

Network Traffic Protection (Encryption/Integrity/Identity)

Optional -- Opaque Data: 0s and 1s (in flight/at rest)

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer Data

Page 14:

The Shared Responsibility Model in the Cloud (the Page 13 diagram, with its two halves labelled)

Security OF the Cloud: Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)

Security IN the Cloud: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity); Optional -- Opaque Data: 0s and 1s (in flight/at rest)

Page 15:

Customer-managed Controls on Amazon EC2

Security OF the Cloud / Security IN the Cloud

Layers: Applications, Platforms, Operating Systems, Network Security, Encryption of Data at Rest, Encryption of Data in Flight, Data

OS-level Firewalls / IDS / IPS Systems / Deep Security

Security Groups & Network Access Control Lists

Industry Standard Protocols: IPSec, SSL, SSH

OS-level: Encrypted File System, Bitlocker, dm-crypt, Secure Cloud

Page 16:

Data Protection at Rest and in Flight (the Page 15 layer diagram, adding the encryption options)

Application-level Encryption

Platform-level Encryption

Volume-level Encryption

Network Traffic Encryption

Page 17:

AWS Certifications & Accreditations

SOC 1 (SSAE 16 & ISAE 3402) Type II Audit

SOC 2 / SOC 3 Audit (new in 2013)

ISO 27001

Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider

Security IN the Cloud

Security OF the Cloud

Page 18:

Q&A

Page 19:

User Identification, Authentication and Authorisation in the Cloud

Amazon Identity & Access Management

IAM Users

EC2

DynamoDB

S3

Active Directory/LDAP

AD/LDAP Users

Enterprise Applications

Corporate Systems

Page 20:

User Identification, Authentication and Authorisation in the Cloud

Amazon Identity & Access Management

Access Token for Federated Access

EC2

DynamoDB

S3

Active Directory/LDAP

AD/LDAP Users

Enterprise Applications

Corporate Systems

Page 21:

User Identification, Authentication and Authorisation in the Cloud

Amazon Identity & Access Management

Access Token for Federated Access

EC2

DynamoDB

S3

Shibboleth

AD/LDAP Users

Enterprise Applications

Corporate Systems

Page 22:

SLAs, RTOs/RPOs

[Diagram with layers A, B, C: Defined by Business / System Design / Managed by AWS]

Business Processes

RTO, RPO

System SLAs

EC2 SLA

S3 SLA

CloudFront SLA

RDS SLA

Page 23:

Physical Security

ISO 27001

Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider

• Amazon has been building large-scale data centers for many years
• Important attributes:
  • Non-descript facilities
  • Robust perimeter controls
  • Strictly controlled physical access
  • 2 or more levels of two-factor auth
• Controlled, need-based access
• All access is logged and reviewed
• Separation of Duties: employees with physical access don’t have logical privileges
• Maps to an Availability Zone

Page 24:

Storage Device Decommissioning

• All storage devices go through this process
• Uses techniques from
  • DoD 5220.22-M (“National Industrial Security Program Operating Manual”)
  • NIST 800-88 (“Guidelines for Media Sanitization”)
• Ultimately
  • degaussed
  • physically destroyed

Page 25:

AWS CloudHSM

Dedicated access to HSM appliances managed & monitored by AWS, but you control the keys

Increase performance for applications that use HSMs for key storage or encryption

Comply with stringent regulatory and contractual requirements for key protection

[Diagram: EC2 Instance connected to AWS CloudHSM appliances]

Page 26:

Security of Data at Rest

• S3
  • Server side encryption (AES-256) – per object keys managed by AWS
  • Client-side asymmetric encryption – integrated within APIs
  • Client-side encryption: Amazon stores 0s and 1s
• EC2 + EBS
  • Enable partition/disk level encryption
  • Windows: use EFS (local certificates/centralised X.509)
  • Linux: use cryptsetup/dm-crypt/others
• RDS MySQL
  • Use SQL native encryption (server side)
  • Client side encryption
• RDS Oracle
  • Client-side encryption

Page 27:

Security of Data in Flight

• AWS APIs are Web services
  • SOAP over HTTPS
  • REST over HTTPS
  • User and data authentication through request signatures
• User access to Web Console
• Admin access to Servers
  • Use SSH with asymmetric keys, or X.509 certificates
  • Use RDP + MPPE or SSL protection
• Secure Application-level Protocols
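The slide's "user and data authentication through request signatures" is the property that the caller's key id identifies the user while an HMAC over the request, including a hash of the body, authenticates the data. The following is an added illustration of that idea, not AWS's own signing scheme (it is a simplified keyed-hash design, not Signature Version 4) and not code from the presentation: the key id, secret, scheme name "DEMO-HMAC-SHA256" and the x-demo-date header are all constructed for the example.

```python
import hashlib
import hmac

# Constructed demo credential (key id -> secret); not a real AWS key pair.
KEYS = {"AKIADEMO000000000001": b"demo-secret-not-a-real-key"}
SCHEME = "DEMO-HMAC-SHA256"  # hypothetical scheme name for this example


def canonical_request(method, path, headers, body):
    """Build the string that gets signed: method, path, the lower-cased
    headers in sorted order, the list of signed header names, and a SHA-256
    of the body. Because the body hash is inside, the signature authenticates
    the data as well as the caller."""
    items = sorted((k.lower(), v.strip()) for k, v in headers.items())
    signed_headers = ";".join(k for k, _ in items)
    header_block = "\n".join(f"{k}:{v}" for k, v in items)
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, header_block, signed_headers, body_hash])


def sign_request(key_id, method, path, headers, body, timestamp):
    """Client side: attach a timestamp header, sign the canonical request with
    the caller's secret, and return the headers including Authorization."""
    signed = {**headers, "x-demo-date": str(timestamp)}
    canon = canonical_request(method, path, signed, body)
    sig = hmac.new(KEYS[key_id], canon.encode(), hashlib.sha256).hexdigest()
    signed["Authorization"] = f"{SCHEME} KeyId={key_id},Signature={sig}"
    return signed


def verify_request(method, path, headers, body, now, max_skew=300):
    """Server side: look up the secret by key id, reject stale timestamps,
    recompute the signature over the received request and compare in
    constant time. Returns (ok, reason)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith(SCHEME + " "):
        return False, "missing or unknown signature scheme"
    try:
        fields = dict(part.split("=", 1) for part in auth[len(SCHEME) + 1:].split(","))
    except ValueError:
        return False, "malformed Authorization header"
    key_id, sig = fields.get("KeyId"), fields.get("Signature", "")
    secret = KEYS.get(key_id)
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(headers.get("x-demo-date", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > max_skew:
        return False, "timestamp outside the allowed window"
    # Everything except the Authorization header itself is covered by the signature.
    unsigned = {k: v for k, v in headers.items() if k != "Authorization"}
    expected = hmac.new(secret, canonical_request(method, path, unsigned, body).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Sign a constructed PUT, then show that tampering with the body breaks it."""
    key_id = "AKIADEMO000000000001"
    body = b'{"bucket": "demo-bucket", "key": "report.csv"}'
    base = {"Host": "api.example.invalid", "Content-Type": "application/json"}
    hdrs = sign_request(key_id, "PUT", "/objects", base, body, 1458000000)
    good = verify_request("PUT", "/objects", hdrs, body, now=1458000100)
    tampered = verify_request("PUT", "/objects", hdrs,
                              body.replace(b"report", b"other"), now=1458000100)
    return good, tampered


if __name__ == "__main__":
    print(demo())
```

The timestamp window limits how long a captured request stays replayable, and the constant-time comparison avoids leaking how many signature bytes matched; both are standard parts of any keyed-hash request authentication, whatever the exact canonical form.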

Page 28:

Network Traffic Flow Security

• Security Groups
  - Inbound traffic must be explicitly specified by protocol, port, and security group
  - VPC adds outbound filters
• VPC also adds Network Access Control Lists (ACLs): inbound and outbound stateless filters
• OS Firewall (e.g., iptables) may be implemented
  - completely user controlled security layer
  - granular access control of discrete hosts
  - logging network events

[Diagram: Encrypted File System, Encrypted Swap File, OS Firewall, Amazon Security Groups, Inbound & Outbound Traffic]

Page 29:

Amazon EC2 Instance Isolation

[Diagram: Physical Interfaces → Hypervisor → Virtual Interfaces → Firewall → Customer 1, Customer 2 … Customer n]

Customer 1 Security Groups

Customer 2 Security Groups

Customer n Security Groups

Page 30:

Multi-tier Security Approach Example

Web Tier, Application Tier, Database Tier

Ports 80 and 443 only open to the Internet

Engineering staff have ssh access to the App Tier, which acts as Bastion

All other Internet ports blocked by default

Sync with on-premises database

Amazon EC2 Security Group Firewall
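Pages 28 and 30 together describe the two VPC filters and a three-tier layout built on them: security groups are stateful allow-lists keyed by protocol, port and source (a CIDR or another security group), while network ACLs are stateless, ordered, and need an explicit rule for return traffic. The following added example models both evaluators and the slide's three-tier design so the behaviour can be checked offline; it is illustration code written for this page, not AWS's implementation. The 80/443-to-web and SSH-to-app rules come from the slide; the app port (8080), database port (3306), the engineering CIDR 203.0.113.0/24 and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One inbound security-group rule: protocol, port range, and a source
    that is either a CIDR block or the name of another security group."""
    protocol: str
    port_from: int
    port_to: int
    source: str


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)


def _source_matches(source, src_ip, src_groups):
    if source in src_groups:          # source is a security group the sender belongs to
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source, strict=False)
    except ValueError:                # source is a group name the sender is not in
        return False


def sg_allows_inbound(groups, dest_groups, protocol, port, src_ip, src_groups=()):
    """Security groups are allow-lists: the packet is admitted only if some
    rule on one of the destination's groups matches; otherwise it is denied.
    They are stateful, so the reply to an admitted flow needs no rule."""
    for name in dest_groups:
        for r in groups[name].inbound:
            if (r.protocol == protocol and r.port_from <= port <= r.port_to
                    and _source_matches(r.source, src_ip, src_groups)):
                return True
    return False


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"


def nacl_evaluate(rules, direction, protocol, port, remote_ip):
    """Network ACLs are stateless and ordered: the lowest-numbered matching
    rule decides, and the implicit final rule denies everything."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction != direction or r.protocol not in (protocol, "all"):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        if ip in ipaddress.ip_network(r.cidr, strict=False):
            return r.action == "allow"
    return False


# Constructed three-tier model (ports 8080/3306 and the CIDRs are assumptions).
ENGINEERING_CIDR = "203.0.113.0/24"
GROUPS = {
    "web": SecurityGroup("web", [Rule("tcp", 80, 80, "0.0.0.0/0"),
                                 Rule("tcp", 443, 443, "0.0.0.0/0")]),
    "app": SecurityGroup("app", [Rule("tcp", 8080, 8080, "web"),
                                 Rule("tcp", 22, 22, ENGINEERING_CIDR)]),
    "db":  SecurityGroup("db",  [Rule("tcp", 3306, 3306, "app")]),
}

# NACL for the web subnet. Because NACLs are stateless, the HTTPS reply
# (outbound to the client's ephemeral port) must be allowed explicitly.
WEB_NACL = [
    NaclRule(100, "inbound",  "tcp", 443,  443,   "0.0.0.0/0", "allow"),
    NaclRule(110, "inbound",  "tcp", 80,   80,    "0.0.0.0/0", "allow"),
    NaclRule(100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]
WEB_NACL_NO_EPHEMERAL = [r for r in WEB_NACL if r.direction == "inbound"]


def https_exchange_allowed(nacl, client_ip, client_port):
    """Both halves of one HTTPS exchange must pass the stateless NACL."""
    return (nacl_evaluate(nacl, "inbound", "tcp", 443, client_ip)
            and nacl_evaluate(nacl, "outbound", "tcp", client_port, client_ip))


if __name__ == "__main__":
    print("Internet -> web:443", sg_allows_inbound(GROUPS, ["web"], "tcp", 443, "198.51.100.7"))
    print("Internet -> web:22 ", sg_allows_inbound(GROUPS, ["web"], "tcp", 22, "198.51.100.7"))
    print("Internet -> db:3306", sg_allows_inbound(GROUPS, ["db"], "tcp", 3306, "198.51.100.7"))
    print("HTTPS via NACL     ", https_exchange_allowed(WEB_NACL, "198.51.100.7", 51000))
```

Referencing the app group rather than a CIDR in the database rule is what keeps the database reachable only from application instances, however their addresses change; the NACL without the ephemeral outbound rule shows the failure mode the slide's "stateless" wording implies, a handshake that is accepted inbound and then silently dropped on reply.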

Page 31:

Amazon VPC Network Security Controls

Page 32:

Layered Defence

Page 33:

AWS Multi-Factor Authentication

• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Additional protection for account information
• Works with
  • Master Account
  • IAM Users
• Integrated into
  • AWS Management Console
  • Key pages on the AWS Portal
  • S3 (Secure Delete)

Page 34:

AWS Trusted Advisor

Available Programmatically via AWS Support APIs

Page 35:

Manage and Monitor Your Environments from Anywhere

Page 36:

Security & Compliance Resources

• Answers to many security & privacy questions
• Security Whitepaper
• Risk and Compliance Whitepaper
• Security Best Practices Whitepaper
• AWS Auditing Checklist
• Security Blog
• Security bulletins
• Penetration Testing

http://aws.amazon.com/security/

http://aws.amazon.com/compliance/