The AWS Shared Security Responsibility Model in Practice


Upload: alert-logic

Post on 07-Jan-2017



TRANSCRIPT

Page 1: The AWS Shared Security Responsibility Model in Practice

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

The AWS Shared Security Responsibility Model in Practice

Patrick Shumate, Solutions Architect, Amazon Web Services

Page 2: The AWS Shared Security Responsibility Model in Practice

AWS Global Footprint

Page 3: The AWS Shared Security Responsibility Model in Practice

AWS Global Footprint

US West (N.California)

US West (Oregon)

GovCloud

US East (Virginia)

EU West (Ireland)

Asia Pacific (Tokyo)

Asia Pacific (Singapore)

Asia Pacific (Sydney)

China (Beijing)

São Paulo

EU Central (Frankfurt)

Asia Pacific (Seoul)

Asia Pacific (Mumbai)

Page 4: The AWS Shared Security Responsibility Model in Practice

AWS Global Footprint

(Region map, same labels as Page 3)

Region: An independent collection of AWS resources in a defined geography

A solid foundation for meeting location-dependent privacy and compliance requirements

Page 5: The AWS Shared Security Responsibility Model in Practice

AWS Global Footprint

(Region map, same labels as Page 3)

Page 6: The AWS Shared Security Responsibility Model in Practice

AWS Global Footprint

(Region map, same labels as Page 3)

Availability Zone: Designed as independent failure zones

Physically separated within a typical metropolitan region

Page 7: The AWS Shared Security Responsibility Model in Practice

AWS Global Footprint

Page 8: The AWS Shared Security Responsibility Model in Practice

AWS Global Footprint

Edge Location: Collections of servers in geographically dispersed data centers

Deliver content to end users with lower latency

Page 9: The AWS Shared Security Responsibility Model in Practice

AWS Global Footprint

Page 10: The AWS Shared Security Responsibility Model in Practice

AWS Global Footprint

13 (11) Regions

35 (28) Availability Zones

54 Edge locations

Over 1 million active customers

Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.

https://aws.amazon.com/about-aws/global-infrastructure/

Page 11: The AWS Shared Security Responsibility Model in Practice

Data Locality

Customer chooses where to place data

AWS regions are geographically isolated by design

Data is not replicated to other AWS regions and does not move unless you choose to move it (for example by enabling cross-region replication or copying snapshots to another region)

Page 12: The AWS Shared Security Responsibility Model in Practice

Data Locality in practice

Block level storage: Instance Storage (Elastic Compute Cloud - EC2), Elastic Block Store (EBS)

Object level storage: Simple Storage Service (S3)

Database storage: Relational Database Service (RDS), NoSQL (DynamoDB), Columnar (Redshift), Caching (ElastiCache)

Page 13: The AWS Shared Security Responsibility Model in Practice

Shared Responsibility

Who manages which parts?

Page 14: The AWS Shared Security Responsibility Model in Practice

AWS Shared Responsibility Model

Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 15: The AWS Shared Security Responsibility Model in Practice

AWS Shared Responsibility Model – Deep Dive

Will one model work for all services?

Infrastructure Services

Container Services

Abstract Services

Page 16: The AWS Shared Security Responsibility Model in Practice

AWS Shared Responsibility Model: for Infrastructure Services

Managed by customers:
• Customer content (optional: opaque data, 1's and 0's, in transit / at rest)
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
• Customer IAM (Mgmt Protocols)
• AWS IAM (API Calls)

Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints

Page 17: The AWS Shared Security Responsibility Model in Practice

Infrastructure Service Example – EC2

RESPONSIBILITIES

AWS:
• Foundation Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints

Customers:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)

Page 18: The AWS Shared Security Responsibility Model in Practice

AWS Shared Responsibility Model: for Container Services

Managed by customers:
• Customer content (optional: opaque data, 1's and 0's, in transit / at rest)
• Client-Side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption / Integrity / Identity)
• Firewall Configuration
• Customer IAM (Mgmt Protocols)
• AWS IAM (API Calls)

Managed by AWS:
• Platform & Applications Management
• Operating System, Network Configuration
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints

Page 19: The AWS Shared Security Responsibility Model in Practice

Container Service Example – RDS

RESPONSIBILITIES

AWS:
• Foundational Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application

Customers:
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling
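The EC2 and RDS slides above put network & firewall configuration, data protection at rest and (for RDS) reachability from the internet on the customer's side of the line. The Python below is an added example, not part of the deck and not an AWS tool: it turns those bullets into checks over the dictionaries that boto3's describe_security_groups, describe_volumes and describe_db_instances return, reporting security-group rules open to the world on ports other than 80/443 (including protocol "-1" rules, which carry no ports), unencrypted EBS volumes, publicly accessible RDS instances and RDS instances without storage encryption. The sample records, their IDs and the list of publicly acceptable ports are constructed assumptions; against a real account you would pass the live API responses into the same functions.

```python
"""Audit the customer-side items on the EC2 and RDS slides.

Added example, not from the deck. The inputs are constructed samples in the
shape of boto3 describe_security_groups / describe_volumes / describe_db_instances
responses; replace them with live calls to audit a real account."""

# Assumption: only these ports may legitimately be reachable from anywhere.
PUBLIC_OK_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample data; the IDs are made up.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy", "IpPermissions": [
        # Protocol -1 (all traffic) rules have no FromPort/ToPort in the API output.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
VOLUMES = [
    {"VolumeId": "vol-0123456789abcdef0", "Encrypted": True},
    {"VolumeId": "vol-0123456789abcdef1", "Encrypted": False},
]
DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-db", "PubliclyAccessible": False, "StorageEncrypted": True},
    {"DBInstanceIdentifier": "dev-db", "PubliclyAccessible": True, "StorageEncrypted": False},
]


def _open_to_world(perm):
    ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
    return any((r.get("CidrIp") or r.get("CidrIpv6")) in ANYWHERE for r in ranges)


def audit_security_groups(groups, ok_ports=PUBLIC_OK_PORTS):
    """Network & firewall: flag inbound rules reachable from any address, unless
    every port in the rule's range is in ok_ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":                      # all protocols, every port
                lo, hi, proto = 0, 65535, "all"
            elif proto in ("tcp", "udp"):
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:                                  # icmp and friends carry no ports
                findings.append(f"{sg['GroupId']}: {proto} open to the world")
                continue
            if not set(range(lo, hi + 1)) <= ok_ports:
                findings.append(f"{sg['GroupId']}: {proto} {lo}-{hi} open to the world")
    return findings


def audit_volumes(volumes):
    """Data protection at rest: every EBS volume should be encrypted."""
    return [f"{v['VolumeId']}: EBS volume not encrypted"
            for v in volumes if not v.get("Encrypted", False)]


def audit_db_instances(dbs):
    """RDS: the VPC firewall is the customer's, so no instance should be reachable
    from the internet, and storage should be encrypted."""
    findings = []
    for db in dbs:
        name = db["DBInstanceIdentifier"]
        if db.get("PubliclyAccessible"):
            findings.append(f"{name}: RDS instance is publicly accessible")
        if not db.get("StorageEncrypted", False):
            findings.append(f"{name}: RDS storage not encrypted")
    return findings


def run_audit(groups=SECURITY_GROUPS, volumes=VOLUMES, dbs=DB_INSTANCES):
    """All findings for one account snapshot, as human-readable strings."""
    return audit_security_groups(groups) + audit_volumes(volumes) + audit_db_instances(dbs)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the constructed data this reports five findings: SSH open to the world on the web group, the all-traffic IPv6 rule on the legacy group, one unencrypted volume, and a dev database that is both publicly reachable and unencrypted. The 443 rule is accepted because its whole range lies within the allowed ports; a rule for 80-443 would not be, since it also exposes 81 through 442.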

Page 20: The AWS Shared Security Responsibility Model in Practice

AWS Shared Responsibility Model: for Abstract Services

Managed by customers:
• Customer content (optional: opaque data, 1's and 0's, in flight / at rest)
• Client-Side Data Encryption & Data Integrity Authentication (optional)
• AWS IAM (API Calls)

Managed by AWS:
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Data Protection by the Platform: Protection of Data at Rest
• Network Traffic Protection by the Platform: Protection of Data in Transit
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints

Page 21: The AWS Shared Security Responsibility Model in Practice

Abstract Service Example – S3

AWS:
• Foundational Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling

Customers:
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
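Two of the customer-side responsibilities in this deck can be enforced with policy rather than only audited: choosing where data lives (Data Locality, Page 11) and protecting S3 data in transit and at rest (the S3 slide above). The Python below is an added example, not from the deck and not AWS code. It builds two policy documents, a deny-outside-allowed-regions statement for use as an SCP or IAM policy that follows the pattern AWS publishes for the aws:RequestedRegion condition key (a key introduced after this deck), and an S3 bucket policy that denies non-TLS requests and uploads without an acceptable server-side-encryption header, and then runs a deliberately simplified evaluator over constructed request contexts so you can see which Deny statement catches which request. The allowed regions, the exempt global services, the bucket name and the evaluator's treatment of absent condition keys are assumptions, and the evaluator handles only the Deny statements and operators generated here; validate real policies with the IAM policy simulator.

```python
"""Policy guardrails for two customer-side responsibilities: keep API calls in
the chosen regions (Data Locality) and require TLS plus server-side encryption
on an S3 bucket. Added example; the policies follow AWS's published patterns,
the evaluator is a deliberate simplification covering only the Deny statements
and condition operators produced here."""
import fnmatch

# Assumption: the workload is pinned to these two regions.
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]
# Global services report aws:RequestedRegion as us-east-1, so they are exempted
# via NotAction; trim this list to the global services you actually use.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                          "route53:*", "support:*", "budgets:*", "health:*"]


def region_guard_policy(allowed=ALLOWED_REGIONS, exempt=GLOBAL_SERVICE_ACTIONS):
    """SCP or IAM policy: deny every non-exempt call made outside the allowed regions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideAllowedRegions", "Effect": "Deny",
        "NotAction": list(exempt), "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed)}}}]}


def s3_encryption_policy(bucket, sse=("AES256", "aws:kms")):
    """Bucket policy: TLS for every call, an acceptable SSE header on every upload."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Null/true matches when the header is missing from the request entirely.
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": list(sse)}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value):
    # IAM action and ARN matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must match; the values listed for one key are OR-ed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            if operator == "Null":  # "true": key must be absent; "false": key must be present
                if (key not in context) != (expected[0].lower() == "true"):
                    return False
            elif key not in context:
                return False  # simplification: an absent key never satisfies a value test
            elif operator == "StringEquals":
                if context[key] not in expected:
                    return False
            elif operator == "StringNotEquals":
                if context[key] in expected:
                    return False
            elif operator == "Bool":
                if str(context[key]).lower() != expected[0].lower():
                    return False
            else:
                raise ValueError(f"operator {operator} is not handled by this evaluator")
    return True


def first_deny(policy, action, resource, context):
    """Sid of the first Deny statement matching the request, or None (no explicit deny)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            hit = _match(stmt["Action"], action)
        else:
            hit = not _match(stmt["NotAction"], action)
        if hit and _match(stmt["Resource"], resource) and \
                _condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    scp = region_guard_policy()
    bucket_policy = s3_encryption_policy("example-data-bucket")  # assumed bucket name
    obj = "arn:aws:s3:::example-data-bucket/report.csv"
    # Constructed request contexts, keyed the way IAM condition keys are.
    print(first_deny(scp, "ec2:RunInstances", "*", {"aws:RequestedRegion": "ap-southeast-1"}))
    print(first_deny(scp, "iam:CreateRole", "*", {"aws:RequestedRegion": "us-east-1"}))
    print(first_deny(bucket_policy, "s3:PutObject", obj, {"aws:SecureTransport": "false"}))
    print(first_deny(bucket_policy, "s3:PutObject", obj, {"aws:SecureTransport": "true"}))
```

The region statement relies on NotAction rather than a long Action list so that a new regional service is denied by default; the exempt list is where data-locality exceptions must be justified. The SSE statements pre-date S3's default bucket encryption, so today their main effect is to pin the algorithm a client may request; the TLS statement remains the direct control for the deck's "protection of data in transit".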

Page 22: The AWS Shared Security Responsibility Model in Practice

Summary of Customer Responsibility in the Cloud

Infrastructure Services: Data, Applications, Operating System, Networking/Firewall, Customer IAM, AWS IAM

Container Services: Data, Firewall, Customer IAM, AWS IAM

Abstract Services: Data, AWS IAM

Page 23: The AWS Shared Security Responsibility Model in Practice

Shared Responsibility

What about security OF the cloud?

Page 24: The AWS Shared Security Responsibility Model in Practice

Security Shared Responsibility Model

AWS is responsible for the security OF the cloud:

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 25: The AWS Shared Security Responsibility Model in Practice

Auditing - Comparison: on-prem vs on AWS

on-prem:
• Start with bare concrete
• Functionally optional: you can build a secure system without it
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation

on AWS:
• Start on a base of accredited services
• Functionally necessary: high watermark of requirements
• Audits done by third-party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance

Page 26: The AWS Shared Security Responsibility Model in Practice

What this means

You benefit from an environment built for the most security sensitive organizations

AWS manages 1,800+ security controls so you don’t have to

You get to define the right security controls for your workload sensitivity

You always have full ownership and control of your data

Page 27: The AWS Shared Security Responsibility Model in Practice

AWS Assurance Programs

Page 28: The AWS Shared Security Responsibility Model in Practice

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Built on AWS consistent baseline controls

Customers:
• Meet your own security objectives
• Customer scope and effort is reduced
• Better results through focused efforts
• Your own external audits
• Your own accreditation
• Your own certifications

Page 29: The AWS Shared Security Responsibility Model in Practice

Compliance Resources

https://aws.amazon.com/compliance/resources/

Page 30: The AWS Shared Security Responsibility Model in Practice

Education: AWS Security & Compliance

AWS Security Fundamentals
• 3 hour eLearning course
• Target audience: Security Auditors/Analysts
• It's free

AWS Security Operations
• 3 day instructor-led training
• Target audience: Security Engineers/Architects
• 12 modules + labs

Self-paced labs available on http://qwiklabs.com

https://aws.amazon.com/training/course-descriptions/

Page 32: The AWS Shared Security Responsibility Model in Practice

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

Thank You