Fortress
in the Cloud
Simone Brunozzi,
Certifications & Accreditations
Sarbanes-Oxley (SOX) compliance ISO 27001 Certification
PCI DSS Level I Certification HIPAA compliant architecture SAS 70 Type II Audit
FISMA Low ATO
Pursuing FISMA Moderate ATO Pursuing DIACAP MAC II I -Sensitive FedRAMP
Service Health Dashboard
Shared Responsibility Model
Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance
Application level security, including password and role based access Host-based firewalls, including Intrusion Detection/Prevention Systems
Encryption/Decryption of data. Hardware Security Modules Separation of Access
Physical Security
Multi-level, multi-factor controlled access environment
Controlled, need-based access for AWS employees (least privilege) Management Plane Administrative Access
Multi-factor, controlled, need-based access to administrative host
All access logged, monitored, reviewed
AWS Administrators DO NOT have access inside a customer’s VMs, including applications and data
AWS Cloud Security Model Overview
VM Security
Multi-factor access to Amazon Account
Instance Isolation
• Customer-controlled firewall at the hypervisor level
• Neighboring instances prevented access
• Virtualized disk management layer ensure only account owners can access storage disks (EBS)
Support for SSL end point encryption for API calls
Network Security
Instance firewalls can be configured in security groups;
The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS
AWS Security Resources
•
http://aws.amazon.com/security/
•
Security Whitepaper
•
Risk and Compliance Whitepaper
•
Latest Versions May 2011
•
Regularly Updated
AWS Certifications
Shared Responsibility Model Sarbanes-Oxley (SOX)
ISO 27001 Certification
Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant SAS70 Type II Audit
FISMA A&As
Multiple NIST Low Approvals to Operate (ATO)
Actively pursuing NIST Moderate, completed ST&E FedRAMP
DIACAP MAC III Sensitive IATO
SAS70 Type II
We publish a Statement on Auditing Standards No. 70 (SAS 70) Type II Audit report every six months and maintains a
favorable unbiased and unqualified opinion from its independent auditors.
AWS identifies those controls relating to the operational
performance and security to safeguard customer data.
Auditors evaluate the design of the stated control objectives and control activities and attest to the effectiveness of their design. They also audit the operation of those controls,
attesting that the controls are operating as designed. This report is available to customers under NDA who require a
ISO 27001
AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers in all
regions worldwide;
PCI DSS Level 1
AWS has been successfully validated as a Level 1 service provider under the most recently published Payment Card Industry (PCI) Data Security Standard (DSS).
Merchants and other service providers can run their applications on our PCI-compliant technology
infrastructure for storing, processing, and transmitting credit card information in the cloud.
Physical Security
Amazon has been building large-scale data centers for many years
Important attributes:
Non-descript facilities
Robust perimeter controls
Strictly controlled physical access 2 or more levels of two-factor auth
Data Backups
Data in Amazon S3, Amazon SimpleDB, and
Amazon EBS is stored redundantly in multiple
physical locations
EBS redundancy in a single Availability Zone
Amazon S3 and Amazon SimpleDB replicate
customer objects across storage systems in
multiple Availability Zones to ensure durability
Data stored on Amazon EC2 local disks must
be proactively copied to Amazon EBS or
• Enables a customer to create multiple Users and manage the permissions for each of these Users. • Secure by default; new Users have no access to AWS until permissions are explicitly granted. Us • AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials.er • Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
AWS Multi-Factor
Authentication
AWS MFA Benefits
Helps prevent anyone with unauthorized
knowledge of your e-mail address and password from impersonating you
Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console Adds an extra layer of protection to sensitive
Amazon EC2 Security
Host operating system
Individual SSH keyed logins via bastion host for AWS admins
All accesses logged and audited
Guest operating system
Customer controlled at root level
AWS admins cannot log in
Customer-generated keypairs
Stateful firewall
Mandatory inbound firewall, default deny mode
Signed API calls
Amazon EC2 Instance Isolation
Physical Interfaces Customer 1 Hypervisor Customer 2…
Customer n…
Virtual Interfaces Firewall Customer 1Virtual Memory & Local Disk
Amazon EC2 Amazon EC2 Instances Instances Amazon EC2 Amazon EC2 Instance Instance Encrypted Encrypted File System File System Encrypted Encrypted Swap File Swap File • • Proprietary Amazon disk management prevents one Instance from Proprietary Amazon disk management prevents one Instance from reading the disk contents of another reading the disk contents of another •• Local disk storage can also be encrypted by the customer for an added Local disk storage can also be encrypted by the customer for an added layer of security
Network Traffic Flow Security
Amazon EC2 Amazon EC2 Instances Instances Amazon EC2 Amazon EC2 Instance Instance Encrypted Encrypted File System File System Encrypted Encrypted Swap File Swap File iptables iptables Amazon Security Group s Amazon Security Group s Inbound Traffic Inbound Traffic •• Inbound traffic must be explicitly specified by protocol, port, and Inbound traffic must be explicitly specified by protocol, port, and security group
security group •
• iptables may be implemented as a completely user controlled secuiptables may be implemented as a completely user controlled security rity layer for granular access control of discrete hosts, including o
layer for granular access control of discrete hosts, including other ther Amazon Web Services (Amazon S3/SimpleDB, etc.)
Network Security Considerations
DDoS (Distributed Denial of Service):
Standard mitigation techniques in effect
MITM (Man in the Middle):
All endpoints protected by SSL
Fresh EC2 host keys generated at boot
IP Spoofing:
Prohibited at host OS level
Unauthorized Port Scanning:
Violation of AWS TOS
Detected, stopped, and blocked
Ineffective anyway since inbound ports blocked by default
Packet Sniffing:
Promiscuous mode is ineffective Protection at hypervisor level
Configuration Management:
Configuration changes are authorized, logged, tested, approved, and
documented. Most updates are done in such a manner that they will not impact the customer. AWS will communicate with customers, either via email, or
Amazon VPC Capabilities
Create an isolated environment within AWS
Establish subnets to control who and what can access your resources
Connect your isolated AWS resources and your IT infrastructure via a VPN connection
Launch AWS resources within the isolated network Use your existing security and networking
technologies to examine traffic to/from your isolated resources
Extend existing security/management policies
Amazon S3 Security
• Access controls at bucket and
object level:
– Read, Write, Full
• Bucket Policies
– Conditional rules based on account, request IP etc.
• Customer Encryption
– SSL Supported
• Durability 99.999999999%
• Availability 99.99%
• Versioning (MFA Delete)
• Detailed Access Logging
• Storage Device Decommissioning
Amazon Relational Database Service Security
Access based on Database Security Groups Default Deny All – Allowances by:
• IP range
• EC2 Security Group
SSL to protect data in transit
Amazon SimpleDB Security
Access based on AWS account ID Domains accessible based on ACL SSL to protect data in transit
User created with AWS IAM only has access to the operations and domains for which they have been granted permission via policy
Encrypt data elements not used as keys
*Note: That encrypting data elements limits your
Amazon SQS Security
Scalable Message Queuing Service
Designed to be highly available, reliable
and durable
Access based on AWS account ID, APL
and AWS IAM
Access Policy Language enables the creation of complex rules to enable access to queues based on identity (AWS account number), source IP address, date, time, and more. AWS IAM user however only has access to the
operations and queues which they have been granted access to via policy
Amazon CloudFront Security
API is only accessible via SSL-encrypted
endpoints and must be authenticated
Origin data stored in Amazon S3
Private content option will only deliver files authorized by securely signed requests
Data Security and Durability provided by
Amazon S3
Comprehensive
access logs
Configurable for
Amazon Elastic MapReduce Security
Access based on AWS account ID Authenticated APIs
Sets up Security Groups:
Master Node external access only via SSH Slave Nodes don’t allow external access