2013 AWS Worldwide Public Sector Summit Washington, D.C. Security, Compliance, and Governance on the AWS Cloud CJ Moses GM, Government Cloud Solutions

Upload: others

Post on 21-May-2020

6 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Hundreds of Thousands of Customers in 190 …d36cz9buwru1tt.cloudfront.net/Day2-150AB-845-Security...AWS GovCloud (US) • The AWS GovCloud (US) Region: built for government customers

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Security, Compliance, and Governance on the AWS Cloud

CJ Moses

GM, Government Cloud Solutions

Page 2:

AWS Platform (diagram)

Your Applications

Application Platform Services: Content Delivery (Amazon CloudFront); Application Services (Amazon Simple Workflow Service, Amazon CloudSearch, Amazon SNS, SQS, SES); Parallel Processing (Elastic MapReduce); Libraries & SDKs (Java, .NET, PHP, Python, Ruby, Node.js, Android, iOS)

Management & Administration: Identity & Access (AWS IAM, Identity Federation, Consolidated Billing); Web Interface (Management Console); Monitoring (Amazon CloudWatch); Deployment & Automation (AWS Elastic Beanstalk, AWS CloudFormation, AWS OpsWorks); AWS CloudHSM

Foundation Services: Compute (Amazon EC2, Auto Scaling); Storage (Amazon S3, Amazon EBS, Amazon Storage Gateway, Amazon Glacier); Database (Amazon RDS, Amazon ElastiCache, Amazon DynamoDB, Amazon Redshift); Networking (Amazon VPC, Elastic Load Balancing, Amazon Route 53, AWS Direct Connect)

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 3:

AWS Security and Compliance Center

• http://aws.amazon.com/security/

• http://aws.amazon.com/compliance/

• Answers to many security & privacy questions

– Overview of Security Processes whitepaper

– Risk and Compliance whitepaper

• Security bulletins

• Customer penetration testing

• Security best practices

• More information on:

– AWS Identity & Access Management (AWS IAM)

– AWS Multi-Factor Authentication (AWS MFA)

Page 4:

Security is a Shared Responsibility

AWS: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Rich IAM capabilities

Customer: Network configuration; Security groups; OS firewalls; Operating systems; Applications; Proper service configuration; Account management; Authorization policies

AWS + Customer = shared responsibility

• Re-focus your security professionals on a subset of the problem

• Take advantage of high levels of uniformity and automation

Page 5:

Shared responsibility (diagram)

Amazon: Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)

Customer: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity)

Amazon side:

• SOC 1/SSAE 16/ISAE 3402

• SOC 2

• ISO 27001/2 Certification

• Payment Card Industry (PCI) Data Security Standard (DSS)

• NIST Compliant Controls

• DoD Compliant Controls

• FedRAMP

• HIPAA and ITAR Compliant

Customer side:

• Customers implement their own set of controls

• Multiple customers with FISMA Low and Moderate ATOs

Page 6:

9 AWS regions

42 AWS edge locations

Global Infrastructure

Page 7:

AWS Regions & Availability Zones (diagram)

US Regions: US East (VA); US West (CA); US West (OR); GovCloud (OR)

Global Regions: EU (Ireland); South America (Sao Paulo); Asia Pacific (Singapore); Asia Pacific (Tokyo); Asia Pacific (Sydney)

Each region is drawn with several Availability Zones (Zone A, Zone B, ...).

Customer Decides Where Applications and Data Reside. Note: Conceptual drawing only. The number of Availability Zones may vary.

Page 8:

9 AWS regions

42 AWS edge locations

Global Infrastructure

GovCloud (US)

Page 9:

AWS GovCloud (US)

• The AWS GovCloud (US) Region: built for government customers

– Sensitive / CUI (controlled, unclassified information) workloads

– ITAR workloads

– All customers are either government agencies or businesses who serve government

– “Community cloud”

• The same but different…

– Generally the same APIs as AWS commercial clouds, but

– Amazon Virtual Private Cloud networking only (no EC2 NAT)

– Distinct console, credentials and AWS IAM (Identity & Access Management) database

– FIPS 140-2 certified VPN and API endpoints

Page 10:

AWS GovCloud (US) (diagram)

Regions shown: US East (VA); US West (CA); US West (OR); EU (Ireland); Asia Pacific (Tokyo); Asia Pacific (Singapore); Asia Pacific (Sydney); South America (Sao Paulo); GovCloud (US)

An AWS GovCloud (US) Account (IAM Group, IAM User 1, IAM User 2) and an AWS Public Account (IAM Group, IAM User 1, IAM User 2) have separate credentials and IAM users; billing is linked between them.

Page 11:

Physical Security of Data Centers

• Amazon has been building large-scale data centers for many years

• Important attributes:

– Nondescript facilities

– Robust perimeter controls

– Strictly controlled physical access

– 2 or more levels of two-factor authentication

• Controlled, need-based access

• All access is logged and reviewed

• Separation of Duties

– Employees with physical access don’t have logical privileges

• Maps to an Availability Zone

Page 12:

Continuous Availability Model

• AWS is Built for “Continuous Availability”

• Scalable, fault tolerant services

• All Datacenters (AZs) are always on

– No “Disaster Recovery Datacenter”

– Managed to the same standards

• Robust Internet connectivity

– Each AZ has redundant, Tier 1 Service Providers

– Resilient network infrastructure

Page 13:

AWS Configuration Management

• Most updates are done in such a manner that they will not impact the customer

• Changes are authorized, logged, tested, approved, and documented

• AWS will communicate with customers, either via email or through the AWS Service Health Dashboard (http://status.aws.amazon.com/), when there is a chance they may be affected

Page 14:

Data Backup & Replication

• AWS favors replication over traditional backup

– Equivalent to more traditional backup solutions

– Higher data availability and throughput

– No tapes with AWS customer data

• Makes data available in multiple edge locations

– Amazon CloudFront, Amazon Route 53

• Cross Region Amazon EBS snapshot and AMI copy

• Data replicated to multiple Availability Zones within a single Region

– Amazon S3, Amazon S3 RRS, Amazon DynamoDB, Amazon SimpleDB, Amazon SQS, Amazon RDS Multi-AZ, Amazon EBS Snapshots, etc.

• Data replicated to multiple physical locations within a single Availability Zone

– Amazon EBS, Amazon RDS

• Data NOT automatically replicated

– Amazon EC2 instance store (a.k.a. ephemeral drives)

Page 15:

Storage Device Decommissioning

• All storage devices go through a decommissioning process

– Equivalent to more traditional backup solutions

– Higher data availability and throughput

– No tapes with AWS customer data

• Uses techniques from

– DoD 5220.22-M (“National Industrial Security Program Operating Manual”)

– NIST 800-88 (“Guidelines for Media Sanitization”)

• Ultimately

– degaussed

– physically destroyed

Page 16:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::tw-cloudfront-source/*"
    }
  ]
}

Amazon S3 Security

• Access controls at bucket and object level:

– Read, Write, Full

• Owner has full control

• Customer Encryption

– SSL Supported

– Server Side Encryption

• Durability 99.999999999%

• Availability 99.99%

• Versioning (MFA Delete)

• Detailed Access Logging

• Signed URLs
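The policy on this slide grants s3:GetObject to Principal "*", the anonymous-read pattern a reviewer should be able to spot automatically. The following Python is an added example, not from the deck: it audits a bucket policy document for Allow statements reachable by anyone, rates anonymous write/delete above anonymous read, ignores Deny guardrails, and uses the slide's policy as its built-in sample input.

```python
import json
from typing import Any, Dict, List

# The bucket policy from the slide above, embedded here as the sample input.
SLIDE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::tw-cloudfront-source/*",
    }],
})

# Actions that let an anonymous caller change or destroy data; any other action
# granted to everyone is treated as a read-level exposure.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketacl", "s3:putbucketpolicy", "s3:deletebucket"}


def _as_list(value: Any) -> List[Any]:
    """The policy grammar allows a single string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _is_write_action(action: str) -> bool:
    a = action.lower()
    if a in ("*", "s3:*"):
        return True
    if a.endswith("*"):                      # e.g. s3:Put* covers every Put action
        return any(w.startswith(a[:-1]) for w in WRITE_ACTIONS)
    return a in WRITE_ACTIONS


def audit_bucket_policy(policy_json: str) -> List[Dict[str, str]]:
    """Return one finding per statement that exposes the bucket to anonymous callers."""
    policy = json.loads(policy_json)
    findings: List[Dict[str, str]] = []
    if policy.get("Version") != "2012-10-17":
        findings.append({"sid": "-", "severity": "low",
                         "issue": f"policy language version {policy.get('Version')!r}; "
                                  "2012-10-17 is the current version and is required "
                                  "for policy variables and newer condition keys"})
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue                         # a Deny aimed at "*" is a guardrail, not an exposure
        if "NotPrincipal" in stmt:
            findings.append({"sid": sid, "severity": "high",
                             "issue": "Allow with NotPrincipal grants to everyone "
                                      "except the listed principals"})
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]
        write = any(_is_write_action(a) for a in actions)
        qualifier = " (narrowed by a Condition block)" if stmt.get("Condition") else ""
        findings.append({
            "sid": sid,
            "severity": "critical" if write else "medium",
            "issue": ("anonymous write/delete" if write else "anonymous read")
                     + " via " + ", ".join(actions) + " on " + ", ".join(resources) + qualifier,
        })
    return findings
```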

Page 17:

Network Security Considerations

• Distributed Denial of Service (DDoS):

– Standard mitigation techniques in effect

• Man in the Middle (MITM):

– All endpoints protected by SSL

– Fresh EC2 host keys generated at boot

• IP Spoofing:

– Prohibited at host OS level

• Unauthorized Port Scanning:

– Violation of AWS TOS

– Detected, stopped, and blocked

– Inbound ports blocked by default

• Packet Sniffing:

– Promiscuous mode is ineffective

– Protection at hypervisor level

Page 18:

Amazon EC2 Security

• Host operating system

– Individual SSH keyed logins via bastion host for AWS admins

– All accesses logged and audited

• Guest (a.k.a. Instance) operating system

– Customer controlled (customer owns root/admin)

– AWS admins cannot log in

– Customer-generated keypairs

• Stateful firewall

– Mandatory inbound firewall, default deny mode

– Customer controls configuration via Security Groups

• Signed API calls

– Require X.509 certificate or customer’s secret AWS key

Page 19:

Virtual Memory and Local Disk

• Proprietary disk management prevents one instance from reading the disk contents of another

• Disk is wiped upon creation

• Disks can be encrypted by the customer for an added layer of security

Page 20:

Amazon EC2 Instance Isolation (diagram)

Physical Interfaces → Hypervisor → Virtual Interfaces (Customer 1, Customer 2, … Customer n) → Firewall → per-customer Security Groups (Customer 1 Security Groups, Customer 2 Security Groups, … Customer n Security Groups)

Page 21:

Network Traffic Flow Security (diagram)

Inbound Traffic → AWS Security Group → OS Firewall → Amazon EC2 instance

• AWS Security Groups

– Inbound traffic must be explicitly specified by protocol, port, and security group

– VPC adds outbound filters

• Amazon VPC also adds Network Access Control Lists (ACLs):

– Inbound and outbound stateless filters

• OS Firewall (e.g., iptables) may be implemented

– Completely user controlled security layer

– Granular access control of discrete hosts

– Logging network events

Page 22:

Amazon Virtual Private Cloud (VPC)

• Create a logically isolated environment in Amazon’s highly scalable infrastructure

• Specify your private IP address range into one or more public or private subnets

• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists

• Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups

• Attach an Elastic IP address to any instance in your Amazon VPC so it can be reached directly from the Internet

• Bridge your Amazon VPC and your onsite IT infrastructure with an industry standard encrypted Amazon VPN connection

• Use a wizard to easily create your Amazon VPC in 4 different topologies
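Slides 21 and 22 contrast stateful Security Groups with stateless Network ACLs. As an added illustration (not from the deck), the Python below models both layers for a single TCP connection and shows the classic mistake: a NACL that allows HTTPS in but has no outbound rule for the client's ephemeral port, which a security group handles on its own because it tracks the connection. All addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Rule:
    proto: str            # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    allow: bool = True    # security group rules are allow-only; NACL rules may deny
    number: int = 0       # NACL evaluation order; ignored by security groups

    def matches(self, proto: str, port: int, ip: str) -> bool:
        proto_ok = self.proto == "-1" or self.proto == proto
        port_ok = self.port_from <= port <= self.port_to
        net_ok = ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
        return proto_ok and port_ok and net_ok


@dataclass
class SecurityGroup:
    """Stateful: an allowed inbound connection implies its return traffic."""
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)

    def permits(self, rules: List[Rule], proto: str, port: int, ip: str) -> bool:
        # Unordered allow list with an implicit deny when nothing matches.
        return any(r.matches(proto, port, ip) for r in rules)


@dataclass
class NetworkAcl:
    """Stateless: each direction is evaluated on its own, lowest rule number wins."""
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)

    def permits(self, rules: List[Rule], proto: str, port: int, ip: str) -> bool:
        for r in sorted(rules, key=lambda r: r.number):
            if r.matches(proto, port, ip):
                return r.allow
        return False      # the trailing "*" rule of every NACL is a deny


def tcp_connection(sg: SecurityGroup, nacl: NetworkAcl, client_ip: str,
                   client_port: int, service_port: int) -> Tuple[bool, bool]:
    """Return (request_reaches_instance, reply_reaches_client) for one TCP connection.

    Request: client_ip:client_port -> instance:service_port, checked inbound on both layers.
    Reply:   instance:service_port -> client_ip:client_port. The security group allows it
             automatically (tracked connection); the NACL needs an explicit outbound rule
             covering the client's ephemeral port.
    """
    request = (nacl.permits(nacl.inbound, "tcp", service_port, client_ip)
               and sg.permits(sg.inbound, "tcp", service_port, client_ip))
    if not request:
        return False, False
    reply = nacl.permits(nacl.outbound, "tcp", client_port, client_ip)
    return True, reply


def slide_example() -> Dict[str, Tuple[bool, bool]]:
    """Constructed scenario: HTTPS allowed inbound, NACL author forgets ephemeral ports."""
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])   # no outbound rule at all
    forgetful = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                           outbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)])
    fixed = NetworkAcl(inbound=forgetful.inbound,
                       outbound=forgetful.outbound
                       + [Rule("tcp", 1024, 65535, "0.0.0.0/0", number=110)])
    # A deny numbered below the allow wins for the range it covers, nothing else changes.
    blocked = NetworkAcl(inbound=[Rule("tcp", 443, 443, "203.0.113.0/24", allow=False, number=50)]
                         + forgetful.inbound,
                         outbound=fixed.outbound)
    return {
        "forgetful": tcp_connection(sg, forgetful, "203.0.113.10", 51515, 443),
        "fixed": tcp_connection(sg, fixed, "203.0.113.10", 51515, 443),
        "denied_source": tcp_connection(sg, blocked, "203.0.113.10", 51515, 443),
        "other_source": tcp_connection(sg, blocked, "198.51.100.7", 51515, 443),
    }
```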

Page 23:

Amazon EC2 Classic (diagram)

AWS Region – EC2 classic is one big 10.0.0.0/8 network: instances belonging to Customer 1, Customer 2 and Customer 3 sit side by side across AZ A and AZ B, each with a private 10.x.x.x address and a public address reachable from the Internet.

Page 24:

Amazon VPC (diagram)

AWS Region – Amazon VPC network isolation: VPC 10.0.0.0/16 with subnet SN 10.0.1.0/24 (instances 10.0.1.11, 10.0.1.12) and subnet SN 10.0.2.0/24 (instances 10.0.2.11, 10.0.2.12) across AZ A and AZ B; an Internet GW maps public addresses (23.20.103.11, 72.44.21.7) to the Internet.

Page 25:

Amazon VPC Network Security Controls

Page 26:

Amazon VPC - Dedicated Instances

• Option to ensure physical hosts are not shared with other customers

• Can identify specific EC2 Instances as dedicated

• Optionally configure entire Amazon VPC as dedicated

Page 27:

AWS CloudHSM

• Protect and store your cryptographic keys with industry standard, tamper-resistant AWS CloudHSM appliances. No one but you has access to your keys (including Amazon administrators who manage and maintain the appliance).

• Use your most sensitive and regulated data on Amazon EC2 without giving applications direct access to your data's encryption keys.

• Store and access data reliably from your applications that demand highly available and durable key storage and cryptographic operations.

• Use AWS CloudHSM in conjunction with your compatible on-premise HSMs to replicate keys among on-premise HSMs and AWS CloudHSMs. This increases key durability and makes it easy to migrate cryptographic applications from your datacenter to AWS.

• SafeNet Luna SA HSM

Page 28:

AWS CloudHSM

Page 29:

AWS system entitlements (diagram)

An Account holding Groups (Administrators, Developers, Applications) and Roles; users such as Bob, Kevin, Jim, Brad, Mark and Susan; application identities (Tomcat, Reporting); Console access; Multi-factor authentication

AWS Identity and Access Management

• Users and Groups within Accounts

• Unique security credentials

– Access keys

– Login/Password

– Enforce password complexity

– Optional MFA device

• Policies control access to AWS APIs

• API calls must be signed by a secret key

• Deep integration into some Services

– Amazon S3: policies on objects and buckets

• AWS Management Console supports User log on

• Not for Operating Systems or Applications – use LDAP, Active Directory/ADFS, etc.
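Slide 18 ("Signed API calls") and the bullets above say API calls must be signed with the customer's secret key. The Python below is an added example, not from the deck: it implements the current AWS Signature Version 4 derivation (a canonical request hashed into a string to sign, then an HMAC-SHA256 chain keyed on the secret) and reproduces the published test vector from the AWS SigV4 documentation (example credentials AKIDEXAMPLE, an IAM ListUsers call dated 2015-08-30), which postdates the schemes the 2013 deck had in mind.

```python
import hashlib
import hmac
from urllib.parse import quote


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes) -> str:
    """Normalise the request the way the service will, so both sides hash identical bytes.

    Query parameters are sorted and URI-encoded; header names are lower-cased and sorted,
    header values have runs of whitespace collapsed; the payload is represented by its SHA-256.
    """
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                           for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    signed_headers = ";".join(sorted(lowered))
    return "\n".join([method, quote(path, safe="/-_.~"), canon_query,
                      canon_headers, signed_headers, sha256_hex(payload)])


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key; the long-term secret never leaves the client."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(access_key: str, secret: str, region: str, service: str, method: str,
                 path: str, query: dict, headers: dict, payload: bytes = b"") -> str:
    """Return the Authorization header value for the request.

    x-amz-date is part of the signed material; that is what bounds replay, because the
    service rejects a signature whose timestamp is too far from its own clock.
    """
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    hashed_creq = sha256_hex(canonical_request(method, path, query, headers, payload).encode("utf-8"))
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashed_creq])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    signed_headers = ";".join(sorted(k.lower() for k in headers))
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


# Published test vector from the AWS Signature Version 4 documentation (example credentials,
# not real keys): GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 on 2015-08-30.
DOC_EXAMPLE = dict(
    access_key="AKIDEXAMPLE",
    secret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    region="us-east-1", service="iam", method="GET", path="/",
    query={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"content-type": "application/x-www-form-urlencoded; charset=utf-8",
             "host": "iam.amazonaws.com",
             "x-amz-date": "20150830T123600Z"},
)


def doc_example_authorization() -> str:
    """Authorization header for the documented example request."""
    return sign_request(**DOC_EXAMPLE)
```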

Page 30:

AWS Multi-Factor Authentication

• Helps prevent access based on unauthorized knowledge of your e-mail address and password

• Additional protection for account information

• Works with master account and AWS IAM users

• Integrated into

– AWS Management Console

– Key pages on the AWS Portal

– Amazon S3 (Secure Delete)

• Virtual MFA (using OATH standard)

Page 31:

Account Management/Isolation (diagram)

A Payor Account with Consolidated Billing and Identity & Access Management spans Linked Accounts (Customer 1, Customer 2, Customer 3, Reseller Internal Use); each linked account holds its own End User Groups (End User 1 … End User 5, Reseller User 1 … Reseller User 4).

Page 32:

The Capability/Transparency Trade-up

What You Get

- Flexible, useful environment

- High investment and capability in security

- Certifications, reports

- Reduced compliance ops burden

What You Give Up

- Low-level operational details of the infrastructure

- Control over low-level capabilities

- Ability to physically examine servers

Page 33:

Accreditation & Compliance, Old and New

Old world

• Audits done by an in-house team

• Regardless of actual security, check the box

• Check once a year

• Workload-specific security

New world

• Audits done by third party auditors

• Superior security drives broad compliance

• Continuous monitoring, checking

• Security based on all workload scenarios

Page 34:

Expert Audits: the Validation Scalpel (diagram of several SMEs; SME = subject matter expert)

Page 35:

Customers Getting Certified (diagram: Practices → Controls Tested → Reports → Verified Reliance, + Customer Controls)

Page 36:

Benefits of Scale Apply to Security and Compliance

The entire customer community benefits from the world-class AWS security team, market-leading capabilities, and on-going security improvements

(Diagram: one shared Security Infrastructure serving Everyone’s Systems and Applications and their individual Requirements)

Page 37:

FedRAMP Compliance Paths

1. Joint Authorization Board Approval (P-ATO)

– JAB (members from DHS, GSA, DoD) approves package for hypothetical workloads

2. Agency ATO

– Agency approves FedRAMP package for actual workloads

3. CSP-supplied documentation, with 3PAO

– No agency review/approval, but with 3PAO sign off on the audit

4. CSP-supplied documentation, without 3PAO

– No agency review/approval, and no 3PAO sign off on the audit

AWS is focused on paths 2 & 3 in the near term, later 1

Page 38:

FedRAMP: Spectrum of Approaches

Positions range from progressive to conservative; the slide attributes them to a Government COTR, Government ISSOs, an Agency Security Official and a Government PM:

• “We don’t care about FedRAMP; we’ll issue our own ATO.”

• “Our agency will authorize our new AWS system with a FedRAMP ATO.”

• “Our agency won’t speak to AWS without a FedRAMP ATO.”

• “Our agency isn’t sure how we are handling FedRAMP; we’ll proceed towards our own ATO for now.”

• “Our agency requires a FedRAMP JAB P-ATO. We’ll start working with AWS but will wait for that.”

Page 39:

Governance: Extension and Integration (diagram)

Your Data Centers (On-Premises Apps) connect to Cloud Apps through Private Connections, Workload Migrations, Access Control Integration, and Work with Existing Management Tools.

Page 40:

Many Capabilities to Support Hybrid Architectures (diagram)

Your Data Centers: Active Directory; VMware Images; Network Configuration; Your Data; Your On-Premises Apps

AWS counterparts: Users & Access Rules (IAM); VM Import/Export; Your Private Network (AWS Direct Connect, Amazon VPC); Our Storage (AWS Storage Gateway); Your Cloud Apps

Page 41:

AWS Ecosystem Includes Existing Management Tools (diagram)

Single Pane of Glass across Your Data Center and AWS; Workload Migration (Inventory VMs in Your Data Center, App 1, App 2)

Page 42:

Re-thinking Incident Response in the Cloud

• Challenge laid down by NASA JPL Office of the Inspector General: how do you isolate and then investigate potentially compromised virtual machines?

• Easy in the old world – unjack the network, haul off to forensics lab

• What is the cloud equivalent?

• JPL cloud architects working with AWS came up with a solution that OIG considers better than on-premises solutions

Page 43:

Schematic of Solution (diagram)

Production subnet 10.0.1.0/24, behind a virtual router and an Internet gateway, contains the suspect Web server (10.0.1.60) and the analyst Workstation (10.0.1.101). Steps shown:

– Change the web server’s security group to “Isolate”

– Attach an Elastic Network Interface (10.0.201.60) with security group “forensics-target” (forensics target security group) to the web server

– Attach an Elastic Network Interface (10.0.201.101) with security group “forensics-source” (forensics source security group) to the workstation

– Both new interfaces live in a completely isolated subnet, 10.0.201.0/24
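The schematic above is a sequence of EC2 API operations. The Python below is an added example, not JPL's or AWS's code: it performs the isolation through an injectable EC2 client using the boto3 method names (modify_instance_attribute, create_network_interface, attach_network_interface), adds an EBS snapshot step the slide does not show, and ships with an offline recorder so the call order can be checked without an AWS account; every resource id in it is a constructed placeholder.

```python
from typing import Any, Dict, List


def isolate_for_forensics(ec2: Any, instance_id: str, isolate_sg: str, forensics_subnet: str,
                          forensics_target_sg: str, case_id: str) -> Dict[str, Any]:
    """Apply the slide's isolation steps to a suspect instance through an EC2 API client.

    Order matters: cut the instance off first, preserve evidence second, and only then open
    the single forensics path. The instance is never stopped or rebooted, because instance-store
    (ephemeral) disks and memory would be lost (slide 14: instance store is not replicated).
    """
    # 1. Replace every security group on the instance with the "Isolate" group, which has no
    #    rules, so inbound and outbound are implicitly denied. Caveat: connections the security
    #    group was already tracking are not torn down instantly by a rule change.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolate_sg])

    # 2. Snapshot each attached EBS volume before anyone logs in and alters the evidence.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    snapshots: List[str] = []
    for mapping in inst.get("BlockDeviceMappings", []):
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=volume_id, Description=f"{case_id} evidence {volume_id}")
        snapshots.append(snap["SnapshotId"])

    # 3. Attach a second interface in the isolated subnet carrying only "forensics-target",
    #    so the analyst workstation (whose own interface carries "forensics-source") can reach it.
    eni = ec2.create_network_interface(SubnetId=forensics_subnet, Groups=[forensics_target_sg],
                                       Description=f"{case_id} forensics target")
    eni_id = eni["NetworkInterface"]["NetworkInterfaceId"]
    attachment = ec2.attach_network_interface(NetworkInterfaceId=eni_id, InstanceId=instance_id,
                                              DeviceIndex=1)

    # 4. Tag instance, interface and snapshots so the evidence chain can be found later.
    ec2.create_tags(Resources=[instance_id, eni_id] + snapshots,
                    Tags=[{"Key": "ForensicCase", "Value": case_id}])
    return {"instance": instance_id, "eni": eni_id,
            "attachment": attachment["AttachmentId"], "snapshots": snapshots}


class RecordingEc2:
    """Offline stand-in for a boto3 EC2 client: records every call and returns canned ids."""

    def __init__(self, volumes: List[str]) -> None:
        self.calls: List[tuple] = []
        self._volumes = volumes
        self._counter = 0

    def _new_id(self, prefix: str) -> str:
        self._counter += 1
        return f"{prefix}-{self._counter:08x}"

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self._volumes]}]}]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": self._new_id("snap")}

    def create_network_interface(self, **kw):
        self.calls.append(("create_network_interface", kw))
        return {"NetworkInterface": {"NetworkInterfaceId": self._new_id("eni")}}

    def attach_network_interface(self, **kw):
        self.calls.append(("attach_network_interface", kw))
        return {"AttachmentId": self._new_id("eni-attach")}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}


def run_offline_demo():
    """Replay the slide's scenario against the recorder; all ids are constructed placeholders.

    Against a real account the same function takes boto3.client("ec2") in place of the recorder.
    """
    ec2 = RecordingEc2(volumes=["vol-placeholder-a", "vol-placeholder-b"])
    result = isolate_for_forensics(ec2, "i-placeholder-webserver", "sg-placeholder-isolate",
                                   "subnet-placeholder-10-0-201", "sg-placeholder-forensics-target",
                                   "CASE-0001")
    return ec2, result
```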

Page 44:

Governance Tool: AWS Trusted Advisor

• Online service from AWS Premium Support

– Analyzes account for various kinds of issues and possible concerns

– Soon available as an API for integration with your tools or 3rd party solutions

• Four categories:

– Cost savings

– Security

– Fault tolerance

– Performance

Page 45:

AWS Cloud Governance Service Enablers

Governance Area | AWS Technologies

Roles and Responsibilities | Identity and Access Management: Groups, Policies, Roles

Configuration Management | Private, “hardened” AMIs; AWS CloudFormation Templates; AWS Elastic Beanstalk; AWS OpsWorks

Financial Controls | Linked Accounts, Consolidated Billing; Tagging of resources; Amazon CloudWatch Billing Alarms

Monitoring and Reporting | Amazon CloudWatch; Amazon CloudWatch Alarms; Amazon Simple Notification Service

Page 46:

AWS Cloud Governance Service Enablers (cont.)

Governance Area | AWS Technologies

Information Assurance: Processing | Corporate “Gold master” AMIs (operating system images); Amazon VPC network isolation for all workloads; Dedicated Amazon EC2 Instances; AWS CloudHSM service

Information Assurance: Storage | Amazon S3 AES 256 bit server-side encryption, client-side encryption; Amazon EBS Volume Encryption; Amazon RDS database encryption features; Complete destruction of all storage media on decommissioning

Information Assurance: Transmission | SSL termination for all AWS endpoints; HW/SW VPN Connections; AWS Direct Connect

Page 47:

AWS Cloud Governance Service Enablers (cont.)

Governance Area | AWS Technologies

Network Security | Private addressing (Amazon Virtual Private Cloud); Network ACLs; Security Groups; Virtual Private Gateways

Access Controls | Identity and Access Management Policies across all services; Amazon S3 Bucket Policies; Amazon EC2 Instance Roles

Identification and Authentication | Identity and Access Management; Federated Identity Management (AWS as relying party); Multi-Factor Authentication; Group Policies and Roles; Strong password policies

Page 48:

AWS Cloud Governance Service Enablers (cont.)

Governance Area | AWS Technologies

Disaster Recovery and Continuity of Operations: Data | Amazon EBS Snapshots; Amazon S3 Near-Line Storage; Amazon Glacier Near-Offline Storage; AWS Storage Gateway; Bulk Data via AWS Import/Export; Managed AWS No-SQL/SQL Database Services; Extensive 3rd Party Solutions

Disaster Recovery and Continuity of Operations: Workload | Amazon Elastic Load Balancers, Amazon EC2 Auto Scaling, Amazon CloudWatch; Amazon Route 53 – Health Checks, Latency Based Routing; Amazon CloudFront – Content Delivery Network; Multi-AZ, Multi-Region Workload Deployment

Page 49:

Questions???

Security, Compliance and Governance on the AWS Cloud

Page 50:

Security Token Service (STS)

• Temporary security credentials containing
– An identity for authentication
– An access policy to control permissions
– A configurable expiration (1 – 36 hours)
• Supports
– AWS identities (including IAM users)
– Federated identities (users the customer authenticates)
• Scales to millions of users
– No need to create an IAM identity for every user
• Use cases
– Identity federation to AWS APIs
– Mobile and browser-based applications
– Consumer applications with unlimited users
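An added example, not code from the deck or from AWS, serving both the Access Controls row of the governance table (IAM policies) and the STS slide above: a Python model of a temporary credential as the three parts the slide lists (identity, access policy, expiration) and of how a request against it is decided. Policies are evaluated with the documented IAM logic (implicit deny by default, one matching Allow permits, one matching Deny overrides), and the effective permissions of a session are the intersection of the assumed role's policies and an optional session policy. The bucket name wwps-data, the role name wwps-reader, the placeholder account ID and the timestamps are assumptions; the 1 to 36 hour window is taken from the slide as the issuer's bound. Principal, Condition, NotAction, NotResource and resource-based policies are not modelled.

```python
import fnmatch
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM wildcards are '*' and '?'; fnmatchcase implements exactly those
    (ARNs and action names contain no '[', so its character classes never fire).
    Action names compare case-insensitively, resource ARNs do not."""
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Decision for one request across a list of policy documents: everything is
    implicitly denied, a matching Allow turns that into allow, and a matching
    Deny ends evaluation with an explicit deny no matter how many Allows matched."""
    decision = "implicit_deny"
    for document in policies:
        for statement in _as_list(document["Statement"]):
            if not _matches(statement.get("Action", []), action, fold_case=True):
                continue
            if not _matches(statement.get("Resource", []), resource):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision


# Validity window as quoted on the slide (assumption: enforced here by the issuer).
MIN_DURATION = timedelta(hours=1)
MAX_DURATION = timedelta(hours=36)


@dataclass(frozen=True)
class TemporaryCredentials:
    identity: str                    # who the caller is (authentication)
    role_policies: tuple             # permissions of the identity being assumed
    session_policy: Optional[dict]   # optional scope-down supplied at issue time
    expiration: datetime             # when the credentials stop working


def issue(identity, role_policies, session_policy, duration, now):
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError("requested duration is outside the 1 to 36 hour window")
    return TemporaryCredentials(identity, tuple(role_policies), session_policy, now + duration)


def authorize(credentials, action, resource, now):
    """Effective permissions are the intersection of the role's policies and the
    session policy, and nothing at all once the expiration has passed."""
    if now >= credentials.expiration:
        return False, "expired"
    base = evaluate(credentials.role_policies, action, resource)
    if base != "allow":
        return False, "role policy: " + base
    if credentials.session_policy is not None:
        scoped = evaluate([credentials.session_policy], action, resource)
        if scoped != "allow":
            return False, "session policy: " + scoped
    return True, "allow"


# Constructed sample: a role that may do anything in one bucket except delete,
# handed to a federated user with a session policy narrowing it to reading one prefix.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::wwps-data", "arn:aws:s3:::wwps-data/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::wwps-data/reports/*"},
}
T0 = datetime(2013, 6, 12, 14, 0, tzinfo=timezone.utc)
T_EXPIRED = T0 + timedelta(hours=2)
CREDS = issue("arn:aws:sts::123456789012:assumed-role/wwps-reader/portal-user",
              [ROLE_POLICY], SESSION_POLICY, timedelta(hours=1), T0)
REPORT = "arn:aws:s3:::wwps-data/reports/q1.pdf"
RAW = "arn:aws:s3:::wwps-data/raw/export.csv"

if __name__ == "__main__":
    for action, resource, when in [("s3:GetObject", REPORT, T0), ("s3:GetObject", RAW, T0),
                                   ("s3:PutObject", REPORT, T0), ("s3:DeleteObject", REPORT, T0),
                                   ("s3:GetObject", REPORT, T_EXPIRED)]:
        print(action, resource.rsplit("/", 1)[-1], authorize(CREDS, action, resource, when))
```

The point of the session policy is that the application handing out credentials to its own users never needs an IAM identity per user: the role carries the maximum, the session policy carries what this user should get, and the intersection is what the API actually honours.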

Page 51

Identity Syncing with IAM

Page 52

Identity Federation > AWS APIs

Page 53

An email you don’t want to get

Page 54

Diagram: an Amazon VPC deployed across Availability Zones 1a and 1b. An Internet Gateway (IGW + EIPs = direct Internet access) and an ELB front a VPC DMZ subnet; a Virtual Private Gateway terminates a VPN connection from the Customer Gateway in the customer data center. Web servers: webserver1 10.0.1.60/24 in Availability Zone 1a (marked "Forensics source"), webserver2 10.0.2.60/24 in Availability Zone 1b, and webserver3 10.0.3.50/24 (also labelled Availability Zone 1b), each with an app tier in a VPC private subnet. Public names and addresses shown: www.aws-wwps.com; server1.aws-wwps.com 107.23.18.21; server2.aws-wwps.com 107.23.56.82; server3.aws-wwps.com 107.23.51.43.

Page 55

Dimensions of Shared Responsibility & Control

• Operation within the Service: the functions the customer controls and the configurations they choose (e.g., in Amazon EC2, Amazon RDS)
• Security Configurability: the tools AWS gives customers to configure their security stance (e.g., access policies, security groups) vary considerably from service to service
• Security Features Which Span Services: some security configuration features are global (e.g., IAM), others service-specific
• Cross-Layer Security Controls: the means by which customers integrate their existing controls into AWS (e.g., key management, Active Directory, Drupal user management) and vice versa (e.g., IAM roles for instances)

Page 56

1. Operation within the Service

• Customers choose the controls they implement and the specific configurations/operations
• Example: Amazon EC2 instances
– Manage root/administrative access to the guest OS
– Install software; responsible for patching and maintenance
– Manage Amazon EC2 key pairs and, potentially, X.509 SSL certificates
• Examples: Amazon Relational Database Service, Amazon Redshift
– Administration of the RDBMS but not the underlying OS
• Examples: Amazon S3, Amazon DynamoDB
– Fully managed service, zero operational access
– Rich authorization capabilities via AWS IAM

Page 57

2. Security Configurability

• AWS services provide rich security controls tailored to each service; customers choose which to implement and how
• Example: Amazon VPC responsibility and control options
– Configure security groups
– Control network ACLs
– Configure network routing, VPNs, etc.
• Example: Amazon S3 responsibility and control options
– Rich support for AWS IAM policies, plus service-specific access controls
– Logging records all access (including access by the logging daemon itself!)
• Example: Amazon CloudWatch
– Minimal security configuration available
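An added example, not code from the deck or from AWS: the Amazon S3 server access log format parsed and reviewed for the three things the "logging records all access" point matters for in practice: anonymous requests that succeeded (a public object or bucket), denied requests (a probe or a misconfigured client), and ACL or policy changes. The bucket name, canonical user IDs, request IDs and the five log lines are constructed for the example; the parser covers the fields of the documented line format and ignores any trailing fields added to the format later.

```python
import re
from datetime import datetime

# Amazon S3 server access log line: space-separated fields, time in brackets,
# request line / referrer / user agent in double quotes, '-' for absent values.
# Trailing fields added to the format later are accepted and ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\d{3}|-) (?P<error_code>\S+) '
    r'(?P<bytes_sent>\S+) (?P<object_size>\S+) (?P<total_time>\S+) '
    r'(?P<turnaround>\S+) "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<version_id>\S+)(?: .*)?$'
)

# Operations that change who may read or write: always worth a second look.
PERMISSION_OPS = {"REST.PUT.ACL", "REST.PUT.POLICY", "REST.DELETE.POLICY"}


def parse_line(line):
    match = LOG_RE.match(line)
    if not match:
        raise ValueError("unrecognised S3 access log line: %r" % line)
    record = match.groupdict()
    record["time"] = datetime.strptime(record["time"], "%d/%b/%Y:%H:%M:%S %z")
    record["status"] = None if record["status"] == "-" else int(record["status"])
    return record


def flag(record):
    """Reasons an analyst would want to see this request, if any."""
    reasons = []
    anonymous = record["requester"] == "-"
    if anonymous and record["status"] == 200:
        reasons.append("anonymous request succeeded (object or bucket is public)")
    if record["status"] == 403:
        who = "anonymous" if anonymous else record["requester"][:12]
        reasons.append("access denied for " + who)
    if record["operation"] in PERMISSION_OPS:
        reasons.append("permission change: " + record["operation"])
    return reasons


def review(lines):
    """(request_id, reason) pairs for every flagged request, in log order."""
    return [(rec["request_id"], reason)
            for rec in map(parse_line, lines) for reason in flag(rec)]


# Constructed sample log: canonical IDs, request IDs and the bucket are made up.
OWNER = "d41d8cd98f00b204e9800998ecf8427e0123456789abcdef0123456789abcdef"
OTHER = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_LOG = [
    f'{OWNER} wwps-data [12/Jun/2013:14:03:17 +0000] 10.0.1.60 {OWNER} 3E57427F33A59F07 '
    f'REST.GET.OBJECT reports/q1.pdf "GET /wwps-data/reports/q1.pdf HTTP/1.1" 200 - 65536 65536 '
    f'45 12 "-" "aws-sdk-java/1.4.3" -',
    f'{OWNER} wwps-data [12/Jun/2013:14:05:02 +0000] 198.51.100.7 - 7A1B2C3D4E5F6071 '
    f'REST.GET.OBJECT reports/q1.pdf "GET /wwps-data/reports/q1.pdf HTTP/1.1" 200 - 65536 65536 '
    f'52 9 "-" "curl/7.29.0" -',
    f'{OWNER} wwps-data [12/Jun/2013:14:06:40 +0000] 203.0.113.10 {OTHER} 8B2C3D4E5F607182 '
    f'REST.GET.OBJECT reports/q2.pdf "GET /wwps-data/reports/q2.pdf HTTP/1.1" 403 AccessDenied 243 - '
    f'6 - "-" "aws-cli/1.0.0" -',
    f'{OWNER} wwps-data [12/Jun/2013:14:07:55 +0000] 10.0.1.60 {OWNER} 9C3D4E5F60718293 '
    f'REST.PUT.ACL reports/q1.pdf "PUT /wwps-data/reports/q1.pdf?acl HTTP/1.1" 200 - - - '
    f'31 15 "-" "S3Console/0.4" -',
    f'{OWNER} wwps-data [12/Jun/2013:14:08:10 +0000] 10.0.2.60 {OWNER} AD4E5F6071829304 '
    f'REST.GET.BUCKET - "GET /wwps-data?prefix=reports/ HTTP/1.1" 200 - 1822 - '
    f'20 19 "-" "aws-sdk-java/1.4.3" -',
]

if __name__ == "__main__":
    for request_id, reason in review(SAMPLE_LOG):
        print(request_id, reason)
```

Two habits make this log useful rather than merely present: deliver it to a bucket the web tier cannot write to, so an intruder on a web server cannot edit the record of their own access, and review the requester field, not only the status code, because a 200 for an anonymous requester is the finding, not the 403s around it.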

Page 58

3. Security Features Which Span Services

• The security impact of some services is more global, others more service-specific; importance and responsibility thus vary
• Broader potential impact on other services
– Example: Identity and Access Management manages access to other services
– Example: Amazon EC2 runs customer code and can be used to access many services (see Amazon EC2 IAM roles)
• Narrower potential impact on other services
– Example: Amazon S3 provides a critical and foundational service for many other AWS services, with rich security features/configurability, but the impact of its security configuration is mostly limited to the service itself

Page 59

4. Cross-Layer Security Controls

• Customers can integrate their existing controls into AWS (typically implemented within Amazon EC2 instances, but not always, e.g., IAM federation)
• Examples:
– SSH key management; AWS CloudHSM integration
– Active Directory or SAML-P within Amazon EC2
– Federation from AD or Shibboleth to AWS IAM
– OS-level firewalls (e.g., RHEL, Windows) and OS-level IDS/IPS systems
– Encrypted file system on Amazon Elastic Block Store (EBS)
– Application-level security
– X.509 certificate management for web servers or ELB
– Virtual security appliances (e.g., Check Point, Sophos, Xceedium, Layer 7)

Page 60

Thank You