hundreds of thousands of customers in 190...
TRANSCRIPT
2013 AWS Worldwide Public Sector Summit Washington, D.C.
Security, Compliance, and Governance on the AWS Cloud
CJ Moses
GM, Government Cloud Solutions
AWS Platform (figure, reformatted as a list)
Your Applications
Foundation Services
• Compute: Amazon EC2, Auto Scaling
• Storage: Amazon S3, Amazon EBS, Amazon Storage Gateway, Amazon Glacier
• Database: Amazon RDS, Amazon ElastiCache, Amazon DynamoDB, Amazon Redshift
• Networking: Amazon VPC, Elastic Load Balancing, Amazon Route 53, AWS Direct Connect
Application Platform Services
• Content Delivery: Amazon CloudFront
• Application Svcs: Amazon Simple Workflow Service, Amazon CloudSearch, Amazon SNS, SQS, SES
• Parallel Processing: Elastic MapReduce
• Libraries & SDKs: Java, .NET, PHP, Python, Ruby, Node.js, Android, iOS
Management & Administration
• Identity & Access: AWS IAM, Identity Federation, Consolidated Billing
• Web Interface: Management Console
• Monitoring: Amazon CloudWatch
• Deployment & Automation: AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks, AWS CloudHSM
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS Security and Compliance Center
• http://aws.amazon.com/security/
• http://aws.amazon.com/compliance/
• Answers to many security & privacy questions
– Overview of Security Processes whitepaper
– Risk and Compliance whitepaper
• Security bulletins
• Customer penetration testing
• Security best practices
• More information on:
– AWS Identity & Access Management (AWS IAM)
– AWS Multi-Factor Authentication (AWS MFA)
Security is a Shared Responsibility
(Figure: AWS-managed layers + customer-managed layers = shared responsibility)
AWS
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
Customer
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• Account management
• Authorization policies
• Re-focus your security professionals on a subset of the problem
• Take advantage of high levels of uniformity and automation
(Figure: shared responsibility stack. Amazon: Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customer: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity).)
Shared responsibility
AWS
• SOC 1/SSAE 16/ISAE 3402
• SOC 2
• ISO 27001/2 Certification
• Payment Card Industry (PCI) Data Security Standard (DSS)
• NIST Compliant Controls
• DoD Compliant Controls
• FedRAMP
• HIPAA and ITAR Compliant
Customer
• Customers implement their own set of controls
• Multiple customers with FISMA Low and Moderate ATOs
9 AWS regions
42 AWS edge locations
Global Infrastructure
AWS Regions & Availability Zones
(Figure: US regions: US East (VA), US West (CA), US West (OR), GovCloud (OR). Global regions: EU (Ireland), South America (Sao Paulo), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney). Each region is drawn with two to four Availability Zones.)
Customer Decides Where Applications and Data Reside
Note: Conceptual drawing only. The number of Availability Zones may vary.
Global Infrastructure: GovCloud (US)
(Map: the 9 AWS regions and 42 AWS edge locations, with GovCloud (US) highlighted)
AWS GovCloud (US)
• The AWS GovCloud (US) Region: built for government customers
– Sensitive / CUI (controlled, unclassified information) workloads
– ITAR workloads
– All customers are either government agencies or businesses who serve government
– “Community cloud”
• The same but different…
– Generally the same APIs as AWS commercial clouds, but
– Amazon Virtual Private Cloud networking only (no EC2 NAT)
– Distinct console, credentials and AWS IAM (Identity & Access Management) database
– FIPS 140-2 certified VPN and API endpoints
(Figure: regions US East (VA), US West (CA), US West (OR), EU (Ireland), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), South America (Sao Paulo) and GovCloud (US). An AWS GovCloud (US) account and an AWS public account each have their own IAM groups, IAM users and credentials; billing is linked between the two.)
Physical Security of Data Centers
• Amazon has been building large-scale data centers for many years
• Important attributes:
– Non-descript facilities
– Robust perimeter controls
– Strictly controlled physical access
– 2 or more levels of two-factor authentication
• Controlled, need-based access
• All access is logged and reviewed
• Separation of Duties
– Employees with physical access don’t have logical privileges
• Maps to an Availability Zone
Continuous Availability Model
• AWS is Built for “Continuous Availability”
• Scalable, fault tolerant services
• All Datacenters (AZs) are always on
– No “Disaster Recovery Datacenter”
– Managed to the same standards
• Robust Internet connectivity
– Each AZ has redundant, Tier 1 Service Providers
– Resilient network infrastructure
AWS Configuration Management
• Most updates are done in such a manner that they will not impact the customer
• Changes are authorized, logged, tested, approved, and documented
• AWS will communicate with customers, either via email or through the AWS Service Health Dashboard (http://status.aws.amazon.com/), when there is a chance they may be affected
Data Backup & Replication
• AWS favors replication over traditional backup
– Equivalent to more traditional backup solutions
– Higher data availability and throughput
– No tapes with AWS customer data
• Makes data available in multiple edge locations
– Amazon CloudFront, Amazon Route 53
• Cross Region Amazon EBS snapshot and AMI copy
• Data replicated to multiple Availability Zones within a single Region
– Amazon S3, Amazon S3 RRS, Amazon DynamoDB, Amazon SimpleDB, Amazon SQS, Amazon RDS Multi-AZ, Amazon EBS Snapshots, etc.
• Data replicated to multiple physical locations within a single Availability Zone
– Amazon EBS, Amazon RDS
• Data NOT automatically replicated
– Amazon EC2 instance store (a.k.a. ephemeral drives)
Storage Device Decommissioning
• All storage devices go through a decommissioning process
• Uses techniques from
– DoD 5220.22-M (“National Industrial Security Program Operating Manual”)
– NIST 800-88 (“Guidelines for Media Sanitization”)
• Ultimately
– degaussed
– physically destroyed
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::tw-cloudfront-source/*"
    }
  ]
}
Amazon S3 Security
• Access controls at bucket and object level:
– Read, Write, Full
• Owner has full control
• Customer Encryption
– SSL Supported
– Server Side Encryption
• Durability 99.999999999%
• Availability 99.99%
• Versioning (MFA Delete)
• Detailed Access Logging
• Signed URLs
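The “AllowPublicRead” bucket policy on this slide grants s3:GetObject to every principal, which is fine for a CloudFront origin but is also the pattern that turns a private bucket public by accident. The check below is an added example, not code from the deck or from AWS: it parses a bucket policy and lists the Allow statements granted to a wildcard principal with no Condition, and separately reports whether any of them permit writes. The first sample policy mirrors the slide; the second policy, its bucket name example-bucket and the VPC id in it are constructed for the test.

```python
import json

# Constructed inputs. The first mirrors the “AllowPublicRead” policy on the slide
# (same bucket name); the second is a wildcard-principal grant narrowed by a
# Condition on a hypothetical VPC id.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::tw-cloudfront-source/*",
    }],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFromVpc",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-EXAMPLE"}},
    }],
})


def _as_list(value):
    """Policy grammar allows a single string or a list in most places."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def find_public_statements(policy_json):
    """Return (Sid, actions, resources) for each Allow statement granted to a
    wildcard principal with no Condition at all. Conditional grants are skipped
    here because their exposure depends on the condition keys and must be
    reviewed by hand."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append((
            stmt.get("Sid", "<no Sid>"),
            _as_list(stmt.get("Action", [])),
            _as_list(stmt.get("Resource", [])),
        ))
    return findings


def grants_public_write(policy_json):
    """True if any unconditional public statement permits a mutating action:
    s3:Put*, s3:Delete*, s3:* or *."""
    for _sid, actions, _resources in find_public_statements(policy_json):
        for action in actions:
            a = action.lower()
            if a in ("*", "s3:*") or a.startswith("s3:put") or a.startswith("s3:delete"):
                return True
    return False


if __name__ == "__main__":
    for name, policy in (("public-read", PUBLIC_READ_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_public_statements(policy), "public write:", grants_public_write(policy))
```

The check looks only at the bucket policy; object ACLs, which the slide lists as a separate access-control layer, are not examined, so a bucket with a clean policy can still expose individual objects through their ACLs.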
Network Security Considerations
• Distributed Denial of Service (DDoS):
– Standard mitigation techniques in effect
• Man in the Middle (MITM):
– All endpoints protected by SSL
– Fresh EC2 host keys generated at boot
• IP Spoofing:
– Prohibited at host OS level
• Unauthorized Port Scanning:
– Violation of AWS TOS
– Detected, stopped, and blocked
– Inbound ports blocked by default
• Packet Sniffing:
– Promiscuous mode is ineffective
– Protection at hypervisor level
Amazon EC2 Security
• Host operating system
– Individual SSH keyed logins via bastion host for AWS admins
– All accesses logged and audited
• Guest (a.k.a. Instance) operating system
– Customer controlled (customer owns root/admin)
– AWS admins cannot log in
– Customer-generated keypairs
• Stateful firewall
– Mandatory inbound firewall, default deny mode
– Customer controls configuration via Security Groups
• Signed API calls
– Require X.509 certificate or customer’s secret AWS key
Virtual Memory and Local Disk
• Proprietary disk management prevents one instance from reading the disk contents of another
• Disk is wiped upon creation
• Disks can be encrypted by the customer for an added layer of security
Amazon EC2 Instance Isolation
(Figure: physical interfaces → hypervisor → per-customer virtual interfaces (Customer 1, Customer 2 … Customer n) → firewall applying each customer’s own Security Groups)
Network Traffic Flow Security
(Figure: inbound traffic passes the AWS Security Group, then the OS firewall, before reaching the Amazon EC2 instance)
• AWS Security Groups
– Inbound traffic must be explicitly specified by protocol, port, and security group
– VPC adds outbound filters
• Amazon VPC also adds Network Access Control Lists (ACLs):
– Inbound and outbound stateless filters
• OS Firewall (e.g., iptables) may be implemented
– Completely user controlled security layer
– Granular access control of discrete hosts
– Logging network events
Amazon Virtual Private Cloud (VPC)
• Create a logically isolated environment in Amazon’s highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
• Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
• Attach an Elastic IP address to any instance in your Amazon VPC so it can be reached directly from the Internet
• Bridge your Amazon VPC and your onsite IT infrastructure with an industry standard encrypted Amazon VPN connection
• Use a wizard to easily create your Amazon VPC in 4 different topologies
Amazon EC2 Classic
(Figure: AWS Region – EC2 Classic is one big 10.0.0.0/8 network. Instances belonging to Customer 1, Customer 2 and Customer 3 share that address space across AZ A and AZ B (private addresses such as 10.218.2.35, 10.1.2.3, 10.8.56.23, 10.27.45.16 and 10.16.22.33; public addresses such as 23.20.148.59, 23.20.103.11, 72.44.21.7, 23.19.11.5, 72.43.2.17 and 72.18.7.3) and reach the Internet directly.)
Amazon VPC
(Figure: AWS Region – Amazon VPC network isolation. VPC 10.0.0.0/16 with two subnets, SN 10.0.1.0/24 and SN 10.0.2.0/24, spread across AZ A and AZ B (instances 10.0.1.11, 10.0.1.12, 10.0.2.11, 10.0.2.12); an Internet GW with public addresses 23.20.103.11 and 72.44.21.7 connects the VPC to the Internet.)
Amazon VPC Network Security Controls
Amazon VPC - Dedicated Instances
• Option to ensure physical hosts are not shared with other customers
• Can identify specific EC2 Instances as dedicated
• Optionally configure entire Amazon VPC as dedicated
AWS CloudHSM
• Protect and store your cryptographic keys with industry standard, tamper-resistant AWS CloudHSM appliances. No one but you has access to your keys (including Amazon administrators who manage and maintain the appliance).
• Use your most sensitive and regulated data on Amazon EC2 without giving applications direct access to your data's encryption keys.
• Store and access data reliably from your applications that demand highly available and durable key storage and cryptographic operations.
• Use AWS CloudHSM in conjunction with your compatible on-premise HSMs to replicate keys among on-premise HSMs and AWS CloudHSMs. This increases key durability and makes it easy to migrate cryptographic applications from your datacenter to AWS.
• SafeNet Luna SA HSM
(Figure: AWS system entitlements. One Account holds Groups – Administrators, Developers, Applications – and Roles; users Bob, Kevin, Jim, Brad, Mark and Susan and application identities Tomcat and Reporting reach the Console with multi-factor authentication.)
AWS Identity and Access Management
• Users and Groups within Accounts
• Unique security credentials
– Access keys
– Login/Password
– Enforce password complexity
– optional MFA device
• Policies control access to AWS APIs
• API calls must be signed by a secret key
• Deep integration into some Services
– Amazon S3: policies on objects and buckets
• AWS Management Console supports User log on
• Not for Operating Systems or Applications – use LDAP, Active Directory/ADFS, etc.
AWS Multi-Factor Authentication
• Helps prevent access based on unauthorized knowledge of your e-mail address and password
• Additional protection for account information
• Works with master account and AWS IAM users
• Integrated into
– AWS Management Console
– Key pages on the AWS Portal
– Amazon S3 (Secure Delete)
• Virtual MFA (using OATH standard)
Account Management/Isolation
(Figure: a Payor Account applying Consolidated Billing and Identity & Access Management over Linked Accounts – Customer 1, Customer 2, Customer 3 and Reseller Internal Use – each holding its own End User Groups (End Users 1–5, Reseller Users 1–4).)
The Capability/Transparency Trade-up
What You Get
- Flexible, useful environment
- High investment and capability in security
- Certifications, reports
- Reduced compliance ops burden
What You Give Up
- Low-level operational details of the infrastructure
- Control over low-level capabilities
- Ability to physically examine servers
Accreditation & Compliance, Old and New
Old world
• Audits done by an in-house team
• Regardless of actual security, check the box
• Check once a year
• Workload-specific security
New world
• Audits done by third party auditors
• Superior security drives broad compliance
• Continuous monitoring, checking
• Security based on all workload scenarios
Expert Audits: the Validation Scalpel
(Figure: a panel of SMEs; SME = subject matter expert)
Customers Getting Certified
(Figure: AWS practices and controls are verified and tested and produce reports; the customer adds its own controls and relies on those reports for its own certification.)
Benefits of Scale Apply to Security and Compliance
The entire customer community benefits from the world-class AWS security team, market-leading capabilities, and on-going security improvements
(Figure: one shared Security Infrastructure underneath everyone’s systems and applications, meeting each customer’s own requirements)
FedRAMP Compliance Paths
1. Joint Authorization Board Approval (P-ATO)
– JAB (members from DHS, GSA, DoD) approves package for hypothetical workloads
2. Agency ATO
– Agency approves FedRAMP package for actual workloads
3. CSP-supplied documentation, with 3PAO
– No agency review/approval, but with 3PAO sign off on the audit
4. CSP-supplied documentation, without 3PAO
– No agency review/approval, and no 3PAO sign off on the audit
AWS is focused on paths 2 & 3 in the near term, later 1
FedRAMP: Spectrum of Approaches
(Figure: positions arranged from Progressive to Conservative, voiced by a Government COTR, a Government ISSO, an Agency Security Official, a Government PM and a Government ISSO)
• “We don’t care about FedRAMP; we’ll issue our own ATO.”
• “Our agency will authorize our new AWS system with a FedRAMP ATO.”
• “Our agency won’t speak to AWS without a FedRAMP ATO.”
• “Our agency isn’t sure how we are handling FedRAMP; we’ll proceed towards our own ATO for now.”
• “Our agency requires a FedRAMP JAB P-ATO. We’ll start working with AWS but will wait for that.”
Governance: Extension and Integration
(Figure: On-Premises Apps in Your Data Centers linked to Cloud Apps through Private Connections, Workload Migrations, Access Control Integration, and working with existing Management Tools)
Many Capabilities to Support Hybrid Architectures
(Figure: Your Data Centers – Active Directory, Users & Access Rules, VMware Images, Network Configuration, Your Private Network, Your Data, Your On-Premises Apps – mapped to AWS: Users & Access Rules → IAM; VMware Images → VM Import/Export; Your Private Network → AWS Direct Connect and Amazon VPC; Your Data → AWS Storage Gateway and AWS storage; Your On-Premises Apps → Your Cloud Apps)
AWS Ecosystem Includes Existing Management Tools
(Figure: a Single Pane of Glass spanning Your Data Center and AWS; Workload Migration – inventory the VMs in your data center (App 1, App 2) and move them)
Re-thinking Incident Response in the Cloud
• Challenge laid down by NASA JPL Office of the Inspector General: how do you isolate and then investigate potentially compromised virtual machines?
• Easy in the old world – unjack the network, haul off to forensics lab
• What is the cloud equivalent?
• JPL cloud architects working with AWS came up with a solution that OIG considers better than on-premises solutions
Schematic of Solution
(Figure: a VPC subnet 10.0.1.0/24 behind a virtual router and Internet gateway holds the web server 10.0.1.60 and a workstation 10.0.1.101; a completely isolated subnet 10.0.201.0/24 is reserved for forensics.)
• Change the compromised web server’s security group to “Isolate”
• Attach an Elastic Network Interface (10.0.201.60) in the isolated subnet to the web server, with security group “forensics-target” (forensics target security group)
• Attach an Elastic Network Interface (10.0.201.101) in the isolated subnet to the workstation, with security group “forensics-source” (forensics source security group)
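The design above relies on three security-group properties that the Network Traffic Flow Security slide lists: groups are stateful, VPC groups filter outbound traffic too, and a rule may reference another group instead of a CIDR. The model below is an added example, not JPL’s or AWS’s code, that evaluates those rules the way a reviewer would before relying on the procedure in an incident: it applies the three steps and checks that the Internet can no longer reach the server, that the analyst can reach it only over the forensic interfaces, and that the isolated interface can reach neither the Internet nor the original workstation. Addresses, subnets and group names follow the slide; the specific rule contents of the “web”, “admin”, “Isolate”, “forensics-target” and “forensics-source” groups and the assumption that 10.0.201.0/24 has no Internet-gateway route are mine. Network ACLs and route tables beyond IGW presence are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    port: int     # TCP port, or -1 for any port
    peer: str     # a CIDR, or the name of another security group (SG-referenced rule)


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)   # VPC security groups filter egress as well


@dataclass
class Eni:
    ip: str
    subnet: str
    groups: list  # security groups attached to this interface


INTERNET = "internet"            # pseudo-endpoint, evaluated as 203.0.113.10 (TEST-NET-3)
# Route-table view (assumption): only the production subnet has a default route to an IGW
SUBNET_HAS_IGW = {"10.0.1.0/24": True, "10.0.201.0/24": False}

# Assumed rule sets; the group names follow the slide
GROUPS = {
    "web": SecurityGroup("web",
                         inbound=[Rule(80, "0.0.0.0/0"), Rule(443, "0.0.0.0/0"), Rule(22, "admin")],
                         outbound=[Rule(-1, "0.0.0.0/0")]),
    "admin": SecurityGroup("admin", outbound=[Rule(-1, "0.0.0.0/0")]),
    "Isolate": SecurityGroup("Isolate"),                      # no rules: nothing in, nothing out
    "forensics-target": SecurityGroup("forensics-target", inbound=[Rule(22, "forensics-source")]),
    "forensics-source": SecurityGroup("forensics-source", outbound=[Rule(22, "forensics-target")]),
}

WEB_BEFORE = Eni("10.0.1.60", "10.0.1.0/24", ["web"])
WORKSTATION = Eni("10.0.1.101", "10.0.1.0/24", ["admin"])


def _matches(rule, port, peer_ip, peer_groups):
    if rule.port not in (-1, port):
        return False
    if rule.peer in peer_groups:          # SG-referenced rule: matches any ENI carrying that group
        return True
    try:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)
    except ValueError:                    # rule.peer is an SG name the peer does not carry
        return False


def _endpoint(e):
    return ("203.0.113.10", set()) if e == INTERNET else (e.ip, set(e.groups))


def allowed(groups, src, dst, port):
    """Can src open a TCP connection to dst on port? Security groups are stateful, so only
    the initiating direction is evaluated: src's egress rules, then dst's ingress rules.
    A path to or from INTERNET additionally needs an IGW route on the VPC side."""
    if src == INTERNET and not SUBNET_HAS_IGW[dst.subnet]:
        return False
    if dst == INTERNET and not SUBNET_HAS_IGW[src.subnet]:
        return False
    src_ip, src_groups = _endpoint(src)
    dst_ip, dst_groups = _endpoint(dst)
    egress_ok = src == INTERNET or any(
        _matches(r, port, dst_ip, dst_groups) for g in src.groups for r in groups[g].outbound)
    ingress_ok = dst == INTERNET or any(
        _matches(r, port, src_ip, src_groups) for g in dst.groups for r in groups[g].inbound)
    return egress_ok and ingress_ok


def isolate_for_forensics(web, workstation):
    """The slide's three steps. The instance is never stopped, so its running state
    remains available to the investigation."""
    return {
        "web_primary": Eni(web.ip, web.subnet, ["Isolate"]),                          # step 1
        "web_forensic": Eni("10.0.201.60", "10.0.201.0/24", ["forensics-target"]),    # step 2
        "ws_primary": workstation,
        "ws_forensic": Eni("10.0.201.101", "10.0.201.0/24", ["forensics-source"]),    # step 3
    }


def isolation_report(groups=GROUPS):
    """Invariants to confirm before trusting the design in an incident."""
    after = isolate_for_forensics(WEB_BEFORE, WORKSTATION)
    return {
        "internet_reached_web_before": allowed(groups, INTERNET, WEB_BEFORE, 80),
        "internet_reaches_web_after": allowed(groups, INTERNET, after["web_primary"], 80),
        "analyst_ssh_via_forensic_path": allowed(groups, after["ws_forensic"], after["web_forensic"], 22),
        "target_can_reach_internet": allowed(groups, after["web_forensic"], INTERNET, 443),
        "target_can_reach_workstation": allowed(groups, after["web_forensic"], after["ws_primary"], 22),
        "old_admin_ssh_still_works": allowed(groups, WORKSTATION, after["web_primary"], 22),
    }


if __name__ == "__main__":
    for check, value in isolation_report().items():
        print(f"{check:32s} {value}")
```

Because “Isolate” has no outbound rules, the compromised host can only answer connections that already exist; a stateful group still permits those replies, which is why the report also confirms that no new inbound path to the primary interface remains.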
Governance Tool: AWS Trusted Advisor
• Online service from AWS Premium Support
– Analyzes account for various kinds of issues and possible concerns
– Soon available as an API for integration with your tools or 3rd party solutions
• Four categories:
– Cost savings
– Security
– Fault tolerance
– Performance
AWS Cloud Governance Service Enablers
Governance Area / AWS Technologies
Roles and Responsibilities
• Identity and Access Management: Groups, Policies, Roles
Configuration Management
• Private, “hardened” AMIs
• AWS CloudFormation Templates
• AWS Elastic Beanstalk
• AWS OpsWorks
Financial Controls
• Linked Accounts, Consolidated Billing
• Tagging of resources
• Amazon CloudWatch Billing Alarms
Monitoring and Reporting
• Amazon CloudWatch
• Amazon CloudWatch Alarms
• Amazon Simple Notification Service
AWS Cloud Governance Service Enablers (cont.)
Governance Area / AWS Technologies
Information Assurance: Processing
• Corporate “Gold master” AMIs (operating system images)
• Amazon VPC network isolation for all workloads
• Dedicated Amazon EC2 Instances
• AWS CloudHSM service
Information Assurance: Storage
• Amazon S3 AES 256 bit server-side encryption, client-side encryption
• Amazon EBS Volume Encryption
• Amazon RDS database encryption features
• Complete destruction of all storage media on decommissioning
Information Assurance: Transmission
• SSL termination for all AWS endpoints
• HW/SW VPN Connections
• AWS Direct Connect
AWS Cloud Governance Service Enablers (cont.)
Governance Area / AWS Technologies
Network Security
• Private addressing (Amazon Virtual Private Cloud)
• Network ACLs
• Security Groups
• Virtual Private Gateways
Access Controls
• Identity and Access Management Policies across all services
• Amazon S3 Bucket Policies
• Amazon EC2 Instance Roles
Identification and Authentication
• Identity and Access Management
• Federated Identity Management (AWS as relying party)
• Multi-Factor Authentication
• Group Policies and Roles
• Strong password policies
AWS Cloud Governance Service Enablers (cont.)
Governance Area / AWS Technologies
Disaster Recovery and Continuity of Operations
• Data
– Amazon EBS Snapshots
– Amazon S3 Near-Line Storage
– Amazon Glacier Near-Offline Storage
– AWS Storage Gateway
– Bulk Data via AWS Import/Export
– Managed AWS No-SQL/SQL Database Services
– Extensive 3rd Party Solutions
• Workload
– Amazon Elastic Load Balancers, Amazon EC2 Auto Scaling, Amazon CloudWatch
– Amazon Route 53 – Health Checks, Latency Based Routing
– Amazon CloudFront – Content Delivery Network
– Multi-AZ, Multi-Region Workload Deployment
Questions???
Security, Compliance and Governance on the AWS Cloud
Security Token Service (STS)
• Temporary security credentials containing
– Identity for authentication
– Access Policy to control permissions
– Configurable Expiration (1 – 36 hours)
• Supports
– AWS Identities (including IAM Users)
– Federated Identities (users customers authenticate)
• Scales to millions of users
– No need to create an IAM identity for every user
• Use Cases
– Identity Federation to AWS APIs
– Mobile and browser-based applications
– Consumer applications with unlimited users
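Two properties of the temporary credentials described above matter for design review: the access policy attached at issue time can only narrow, never widen, what the underlying identity may do (the effective permission is the intersection of the two policies), and the credentials stop working at their configured expiration. The evaluator below is an added example, not the STS implementation: it models a minimal IAM decision (explicit Deny wins, then Allow, otherwise implicit deny, with IAM-style wildcards) and applies it to issued credentials. The policies, the bucket name reports and the credential values are constructed; no Condition handling is included.

```python
import fnmatch
import secrets
from dataclasses import dataclass

# Constructed policies. The identity (an IAM user or role) may do anything in the
# "reports" bucket; the session policy handed to STS narrows one set of temporary
# credentials to read-only access to the 2013 prefix.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::reports/*"}],
}
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::reports/2013/*"}],
}

MIN_HOURS, MAX_HOURS = 1, 36   # the deck's configurable expiration range


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(pattern, action):
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())  # actions are case-insensitive


def _resource_matches(pattern, resource):
    return fnmatch.fnmatchcase(resource, pattern)                # ARNs are case-sensitive


def evaluate(policy, action, resource):
    """Minimal IAM decision: an explicit Deny wins over any Allow; with no matching
    statement the result is an implicit deny."""
    decision = "deny"
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        decision = "allow"
    return decision


def effective_decision(identity_policy, session_policy, action, resource):
    """Temporary credentials get the intersection: allowed only if the identity's
    policy allows it AND the session policy (when one was supplied) allows it."""
    if evaluate(identity_policy, action, resource) != "allow":
        return "deny"
    if session_policy is not None and evaluate(session_policy, action, resource) != "allow":
        return "deny"
    return "allow"


def duration_is_valid(hours):
    return MIN_HOURS <= hours <= MAX_HOURS


@dataclass
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: int           # unix time
    identity_policy: dict
    session_policy: dict


def issue_temporary_credentials(identity_policy, session_policy, duration_hours, now):
    """Model of an STS issuance: fresh random key material bound to an expiry and to the
    policies that are intersected on every use. The key values are constructed here."""
    if not duration_is_valid(duration_hours):
        raise ValueError(f"duration must be {MIN_HOURS}-{MAX_HOURS} hours")
    return TemporaryCredentials(
        access_key_id="ASIA" + secrets.token_hex(8).upper(),
        secret_access_key=secrets.token_urlsafe(30),
        session_token=secrets.token_urlsafe(48),
        expires_at=now + duration_hours * 3600,
        identity_policy=identity_policy,
        session_policy=session_policy,
    )


def authorize(creds, action, resource, now):
    """Decision for one request made with temporary credentials."""
    if now >= creds.expires_at:
        return "deny"          # expired credentials fail before any policy is consulted
    return effective_decision(creds.identity_policy, creds.session_policy, action, resource)


if __name__ == "__main__":
    t0 = 1_370_000_000
    creds = issue_temporary_credentials(IDENTITY_POLICY, SESSION_POLICY, 12, t0)
    for act, res in (("s3:GetObject", "arn:aws:s3:::reports/2013/q1.csv"),
                     ("s3:PutObject", "arn:aws:s3:::reports/2013/q1.csv"),
                     ("s3:GetObject", "arn:aws:s3:::reports/2012/q4.csv")):
        print(act, res, "->", authorize(creds, act, res, t0 + 3600))
```

The point for the federation use cases listed above is that a broker can hold one broadly permitted identity and still hand each end user credentials scoped to that user’s own objects, because the session policy cannot exceed what the broker identity holds.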
Identity Syncing with IAM
Identity Federation > AWS APIs
An email you don’t want to get
(Figure: a customer VPC spanning Availability Zones 1a and 1b. A VPC DMZ Subnet holds webserver1 10.0.1.60/24, webserver2 10.0.2.60/24 and webserver3 10.0.3.50/24 (server1.aws-wwps.com 107.23.18.21, server2.aws-wwps.com 107.23.56.82, server3.aws-wwps.com 107.23.51.43) behind an ELB serving www.aws-wwps.com, reached through an Internet Gateway (IGW + EIPs = direct Internet access). VPC Private Subnets hold the App tier and a Forensics source. A Virtual Private Gateway connects over a VPN Connection to the Customer Gateway in the Customer Data Center.)
Dimensions of Shared Responsibility & Control
• Operation within the Service: The functions the customer controls and
configurations they choose (e.g., in Amazon EC2, Amazon RDS)
• Security Configurability: The tools AWS gives customers to configure their
security stance (e.g., access policies, security groups) vary considerably from
service to service
• Security Features Which Span Services: Some security configuration features
are global (e.g., IAM), others service-specific
• Cross-Layer Security Controls: Means by which customers integrate their
existing controls into AWS (e.g., key management, Active Directory, Drupal user
management) and vice versa (e.g., IAM Roles for Instances)
1. Operation within the Service
• Customers choose controls they implement, specific configurations/ operations
• Example: Amazon EC2 instances
– Manage root/administrative access to guest OS
– Install software; responsible for patching and maintenance
– Manage Amazon EC2 key pairs, potentially x509 SSL certs
• Examples: Amazon Relational Database Service, Amazon Redshift
– Administration of RDBMS but not underlying OSes
• Examples: Amazon S3, Amazon DynamoDB
– Fully managed service, zero operational access
– Rich authorization capabilities via AWS IAM
2. Security Configurability
• AWS services provide rich security controls tailored to each service –
customers choose which and how to implement
• Example: Amazon VPC responsibility and control options
– Configure security groups
– Control network ACLs
– Configure network routing, VPNs, etc.
• Example: Amazon S3 responsibility and control options
– Rich support for AWS IAM policies, plus service specific access controls
– Logging capability records all access (including logging daemon!)
• Example: Amazon CloudWatch
– Minimal security configuration available
3. Security Features Which Span Services
• The security impact of some services is more global, others more service-
specific; importance/responsibility thus varies
• Broader potential impact to other services
– Example: Identity and Access Management manages access to other services
– Example: Amazon EC2 runs customer code and can be used to access many
services (see Amazon EC2 IAM roles)
• Narrower potential impact to other services
– Example: Amazon S3 provides a critical and foundational service for many other
AWS services, with rich security features/configurability, but impact of the security
configuration is mostly limited to the service itself
4. Cross-Layer Security Controls
• Customers can integrate their existing controls into AWS (typically implemented
within Amazon EC2 instances, but not always, e.g., IAM federation)
• Examples:
– SSH key management; AWS CloudHSM integration
– Active Directory or SAML-P within Amazon EC2
– Federation from AD or Shibboleth to AWS IAM
– OS-level firewalls (e.g., RHEL, Windows) and OS-level IDS/IPS systems
– Encrypted file system on Amazon Elastic Block Storage (EBS)
– Application level security
– X.509 certificate management for web servers or ELB
– Virtual security appliances (e.g., Checkpoint, Sophos, Xceedium, Layer 7)
Thank You