• No results found

Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud

N/A
N/A
Protected

Academic year: 2021

Share "Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud"

Copied!
31
0
0

Loading.... (view fulltext now)

Full text

(1)

Fortress 

in the Cloud

Simone Brunozzi, 

(2)

Certifications & Accreditations

Sarbanes-Oxley (SOX) compliance ISO 27001 Certification

PCI DSS Level I Certification HIPAA compliant architecture SAS 70 Type II Audit

FISMA Low ATO

 Pursuing FISMA Moderate ATO  Pursuing DIACAP MAC II I -Sensitive  FedRAMP

Service Health Dashboard

Shared Responsibility Model

Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance

Application level security, including password and role based access Host-based firewalls, including Intrusion Detection/Prevention Systems

Encryption/Decryption of data. Hardware Security Modules Separation of Access

Physical Security

Multi-level, multi-factor controlled access environment

Controlled, need-based access for AWS employees (least privilege) Management Plane Administrative Access

Multi-factor, controlled, need-based access to administrative host

All access logged, monitored, reviewed

AWS Administrators DO NOT have access inside a customer’s VMs, including applications and data

AWS Cloud Security Model Overview

VM Security

Multi-factor access to Amazon Account

Instance Isolation

• Customer-controlled firewall at the hypervisor level

• Neighboring instances prevented access

• Virtualized disk management layer ensure only account owners can access storage disks (EBS)

Support for SSL end point encryption for API calls

Network Security

Instance firewalls can be configured in security groups;

The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).

Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS

(3)
(4)

AWS Security Resources

http://aws.amazon.com/security/

Security Whitepaper

Risk and Compliance Whitepaper

Latest Versions May 2011

Regularly Updated

(5)

AWS Certifications

Shared Responsibility Model Sarbanes-Oxley (SOX)

ISO 27001 Certification

Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant SAS70 Type II Audit

FISMA A&As

 Multiple NIST Low Approvals to Operate (ATO)

 Actively pursuing NIST Moderate, completed ST&E  FedRAMP

DIACAP MAC III Sensitive IATO

(6)

SAS70 Type II

We publish a Statement on Auditing Standards No. 70 (SAS 70) Type II Audit report every six months and maintains a

favorable unbiased and unqualified opinion from its independent auditors.

AWS identifies those controls relating to the operational

performance and security to safeguard customer data.

Auditors evaluate the design of the stated control objectives and control activities and attest to the effectiveness of their design. They also audit the operation of those controls,

attesting that the controls are operating as designed. This report is available to customers under NDA who require a

(7)

ISO 27001

AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers in all

regions worldwide;

(8)

PCI DSS Level 1

AWS has been successfully validated as a Level 1 service provider under the most recently published Payment Card Industry (PCI) Data Security Standard (DSS).

Merchants and other service providers can run their applications on our PCI-compliant technology

infrastructure for storing, processing, and transmitting credit card information in the cloud.

(9)

Physical Security

Amazon has been building large-scale data centers for many years

Important attributes:

 Non-descript facilities

 Robust perimeter controls

 Strictly controlled physical access  2 or more levels of two-factor auth

(10)
(11)

Data Backups

Data in Amazon S3, Amazon SimpleDB, and

Amazon EBS is stored redundantly in multiple

physical locations

EBS redundancy in a single Availability Zone

Amazon S3 and Amazon SimpleDB replicate

customer objects across storage systems in

multiple Availability Zones to ensure durability

Data stored on Amazon EC2 local disks must

be proactively copied to Amazon EBS or

(12)

• Enables a customer to create multiple Users  and manage the permissions for each of  these Users.  • Secure by default; new Users have no access  to AWS until permissions are explicitly  granted. Us • AWS IAM enables customers to minimize the  use of their AWS Account credentials.   Instead all interactions with AWS Services  and resources should be with AWS IAM User  security credentials.er • Customers can enable MFA devices for their  AWS Account as well as for the Users they  have created under their AWS Account with  AWS IAM.

(13)

AWS Multi-Factor

Authentication

(14)

AWS MFA Benefits

Helps prevent anyone with unauthorized

knowledge of your e-mail address and password from impersonating you

Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console Adds an extra layer of protection to sensitive

(15)

Amazon EC2 Security

Host operating system

 Individual SSH keyed logins via bastion host for AWS admins

 All accesses logged and audited

Guest operating system

 Customer controlled at root level

 AWS admins cannot log in

 Customer-generated keypairs

Stateful firewall

 Mandatory inbound firewall, default deny mode

Signed API calls

(16)

Amazon EC2 Instance Isolation

Physical Interfaces Customer 1 Hypervisor Customer 2

Customer n

Virtual Interfaces Firewall Customer 1

(17)

Virtual Memory & Local Disk

Amazon EC2 Amazon EC2 Instances Instances Amazon EC2 Amazon EC2 Instance Instance Encrypted  Encrypted  File System File System Encrypted  Encrypted  Swap File Swap File • • Proprietary Amazon disk management prevents one Instance from Proprietary Amazon disk management prevents one Instance from  reading the disk contents of another reading the disk contents of another •

• Local disk storage can also be encrypted by the customer for an added Local disk storage can also be encrypted by the customer for an added  layer of security

(18)

Network Traffic Flow Security

Amazon EC2 Amazon EC2 Instances Instances Amazon EC2 Amazon EC2 Instance Instance Encrypted  Encrypted  File System File System Encrypted  Encrypted  Swap File Swap File iptables iptables Amazon  Security  Group s Amazon  Security  Group s Inbound Traffic Inbound Traffic •

• Inbound traffic must be explicitly specified by protocol, port, and Inbound traffic must be explicitly specified by protocol, port, and  security group

security group •

• iptables may be implemented as a completely user controlled secuiptables may be implemented as a completely user controlled security rity  layer for granular access control of discrete hosts, including o

layer for granular access control of discrete hosts, including other ther  Amazon Web Services (Amazon S3/SimpleDB, etc.)

(19)
(20)

Network Security Considerations

DDoS (Distributed Denial of Service):

 Standard mitigation techniques in effect

MITM (Man in the Middle):

 All endpoints protected by SSL

 Fresh EC2 host keys generated at boot

IP Spoofing:

 Prohibited at host OS level

Unauthorized Port Scanning:

 Violation of AWS TOS

 Detected, stopped, and blocked

 Ineffective anyway since inbound ports blocked by default

Packet Sniffing:

 Promiscuous mode is ineffective  Protection at hypervisor level

Configuration Management:

 Configuration changes are authorized, logged, tested, approved, and

documented. Most updates are done in such a manner that they will not impact the customer. AWS will communicate with customers, either via email, or

(21)
(22)
(23)

Amazon VPC Capabilities

Create an isolated environment within AWS

Establish subnets to control who and what can access your resources

Connect your isolated AWS resources and your IT infrastructure via a VPN connection

Launch AWS resources within the isolated network Use your existing security and networking

technologies to examine traffic to/from your isolated resources

Extend existing security/management policies

(24)
(25)

Amazon S3 Security

• Access controls at bucket and

object level:

– Read, Write, Full

• Bucket Policies

– Conditional rules based on account, request IP etc.

• Customer Encryption

– SSL Supported

• Durability 99.999999999%

• Availability 99.99%

• Versioning (MFA Delete)

• Detailed Access Logging

• Storage Device Decommissioning

(26)

Amazon Relational Database Service Security

Access based on Database Security Groups

 Default Deny All – Allowances by:

• IP range

• EC2 Security Group

SSL to protect data in transit

(27)

Amazon SimpleDB Security

Access based on AWS account ID Domains accessible based on ACL SSL to protect data in transit

User created with AWS IAM only has access to the operations and domains for which they have been granted permission via policy

Encrypt data elements not used as keys

 *Note: That encrypting data elements limits your

(28)

Amazon SQS Security

Scalable Message Queuing Service

Designed to be highly available, reliable

and durable

Access based on AWS account ID, APL

and AWS IAM

 Access Policy Language enables the creation of complex rules to enable access to queues based on identity (AWS account number), source IP address, date, time, and more.  AWS IAM user however only has access to the

operations and queues which they have been granted access to via policy

(29)

Amazon CloudFront Security

API is only accessible via SSL-encrypted

endpoints and must be authenticated

Origin data stored in Amazon S3

Private content option will only deliver files authorized by securely signed requests

Data Security and Durability provided by

Amazon S3

Comprehensive

access logs

Configurable for

(30)

Amazon Elastic MapReduce Security

Access based on AWS account ID Authenticated APIs

Sets up Security Groups:

 Master Node external access only via SSH  Slave Nodes don’t allow external access

(31)

Thank you

Simone Brunozzi 

[email protected]

References

Related documents

The AWS Toolkit for Visual Studio enables you to create and configure security groups to use with Amazon Elastic Compute Cloud (Amazon EC2) instances and AWS CloudFormation.. When

In this section, we present Cost and Utilization Opti- mization (CUO) mechanism that receives as input the static (e.g., type, cost) and dynamic (cpu utilization, running

Amazon Elastic Compute Cloud (EC2) is used to get Amazon’s high computing resources for which an Amazon Machine Image (AMI) is required.. An AMI is an encrypted machine image (a

Elastic Load Balancing (Amazon ELB) automatically distributes incoming application traffic across multiple Amazon EC2 instances in the cloud. EC2 = a VM, hosted on AWS’s

The scope of services covered in this report includes AWS CloudHSM, AWS Direct Connect, Amazon DynamoDB, Amazon Elastic Block Store (EBS), Amazon Elastic Cloud Compute (EC2),

such as Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using private IP space, while maintaining network separation between the public and

For that, we examined ovarian PRLR expression as well as that of several P4 production- modulating molecules and we found a consistent expression pattern along gestation for

Using AWS CloudFormation you can leverage other services such as such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Block Store (Amazon EBS), Amazon Simple