aws security overview q3 2010 v2
AWS: OVERVIEW OF SECURITY PROCESSES
Stephen Schmidt
Chief Information Security Officer
OVERVIEW
• Certifications
• SAS70 Type II
• Physical Security
• Backups
• Amazon EC2 Security
• Network Security
• Amazon S3 Security
• Amazon SimpleDB Security
• Amazon SQS Security
• Amazon CloudFront Security
• Amazon Elastic MapReduce
AWS SECURITY RESOURCES
• http://aws.amazon.com/security/
• Security Whitepaper
– Latest Version 8/24/2010
– Updated bi-annually
– Feedback is welcome
AWS CERTIFICATIONS
• Shared Responsibility Model
• Sarbanes-Oxley (SOX)
• SAS70 Type II Audit
• FISMA A&A – NIST Low Approvals to Operate
– Actively pursuing NIST Moderate
– FedRAMP
• Pursuing ISO 27001 Certification
• Customers have deployed various compliant applications such as HIPAA (healthcare)
SAS70 TYPE II
• Based on the Control Objectives for Information and related Technology (COBIT), which is a set of established best practices (transitioning to ISO 27001)
• Covers Access (Security), Change Management and Operations of Amazon EC2 and Amazon S3
• Audit conducted by an independent accounting firm (E&Y) on a recurring basis
SAS70 TYPE II – CONTROL OBJECTIVES
• Control Objective 1: Security Organization
• Control Objective 2: Amazon Employee Lifecycle
• Control Objective 3: Logical Security
• Control Objective 4: Secure Data Handling
• Control Objective 5: Physical Security
• Control Objective 6: Environmental Safeguards
• Control Objective 7: Change Management
• Control Objective 8: Data Integrity, Availability and Redundancy
• Control Objective 9: Incident Handling
PHYSICAL SECURITY
• Amazon has been building large-scale data centers for many years
• Important attributes:
– Non-descript facilities
– Robust perimeter controls
– Strictly controlled physical access
– 2 or more levels of two-factor auth
• Controlled, need-based access for AWS employees (least privilege)
• All access is logged and reviewed
FAULT SEPARATION AND GEOGRAPHIC DIVERSITY
[Diagram: Regions and their Availability Zones. US East Region (N. VA): Availability Zones A, B, C; US West Region (N. CA): Availability Zones A, B; EU West Region (IRE): Availability Zones A, B; APAC Region (Singapore): Availability Zones A, B; Amazon CloudWatch is also shown.]
Note: Conceptual drawing only. The number of Availability Zones may vary
DATA BACKUPS
• Data stored in Amazon S3, Amazon SimpleDB, and Amazon EBS is stored redundantly in multiple physical locations
• Amazon EBS redundancy remains within a single Availability Zone
• Amazon S3 and Amazon SimpleDB replicate customer objects across storage systems in multiple Availability Zones to ensure durability
– Equivalent to more traditional backup solutions, but offers much higher data availability and throughput
• Data stored on Amazon EC2 local disks must be proactively copied to Amazon EBS or Amazon S3 for redundancy
AWS MULTI-FACTOR AUTHENTICATION
A recommended opt-in security feature of your Amazon Web Services (AWS) account
AWS MFA BENEFITS
• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console
• Adds an extra layer of protection to sensitive information, such as your AWS access identifiers
• Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data
• A brand new service designed for our entire range of users
• Multiple user identities per AWS account
• Enhanced security
• Better control
• Integrated with other services
IAM – AWS IDENTITY AND ACCESS MANAGEMENT
• Create users and groups within an AWS account
• Each user has unique security credentials:
– Access keys
– Login/Password
– MFA device
• Put users in groups
• Create policy statements for users or groups
• Control access to resources
• Control access to APIs
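The policy model sketched on this slide (users, groups, policy statements that allow or deny API actions on resources) can be exercised end to end. The following is an added example, not AWS code: a small evaluator over a constructed account with placeholder users, groups and statements, applying the default-deny rule and letting an explicit Deny override any Allow.

```python
import re

# Constructed sample account: users, their group memberships, and policy
# statements attached to users or groups (placeholders, not a real account).
GROUPS = {"admins": {"alice"}, "developers": {"bob"}}
GROUP_POLICIES = {
    "admins": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "developers": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::dev-bucket/*"},
    ],
}
USER_POLICIES = {
    # A user-level Deny that overrides the developers group's Allow.
    "bob": [{"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}],
}


def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style pattern: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def statement_matches(stmt, action, resource):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    # API action names are case-insensitive; resource ARNs are compared exactly.
    return any(wildcard_match(a, action, ignore_case=True) for a in actions) and any(
        wildcard_match(r, resource) for r in resources)


def statements_for(user):
    """All statements that apply to a user: its own plus those of every group it is in."""
    stmts = list(USER_POLICIES.get(user, []))
    for group, members in GROUPS.items():
        if user in members:
            stmts.extend(GROUP_POLICIES.get(group, []))
    return stmts


def is_allowed(user, action, resource):
    """Default deny; an explicit Deny wins over any Allow that also matches."""
    matching = [s for s in statements_for(user) if statement_matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)
```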
AMAZON EC2 SECURITY
• Host operating system
– Individual SSH keyed logins via bastion host for AWS admins
– All accesses logged and audited
• Guest operating system
– Customer controlled at root level
– AWS admins cannot log in
– Customer-generated keypairs
• Stateful firewall
– Mandatory inbound firewall, default deny mode
• Signed API calls
– Require X.509 certificate or customer's secret AWS key
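The "signed API calls" item means every Query API request carries an HMAC computed with the account's secret key, so a request altered in transit or sent by someone without the key is rejected. The following is an added example, not Amazon's code, of that Signature Version 2 scheme (HMAC-SHA256 over method, host, path and the sorted, RFC 3986-encoded query string) with constructed placeholder credentials and an assumed API version string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials for the example; not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def canonical_query_string(params):
    """Sort parameters by name in byte order and percent-encode names and values
    per RFC 3986: only A-Z a-z 0-9 - _ . ~ are left unencoded (space -> %20)."""
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )


def string_to_sign(method, host, path, params):
    """Signature Version 2 layout: method, lowercase host, path, canonical query."""
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    return "\n".join([method, host.lower(), path, canonical_query_string(unsigned)])


def compute_signature(method, host, path, params, secret):
    """HMAC-SHA256 keyed with the secret access key, base64-encoded."""
    mac = hmac.new(secret.encode(), string_to_sign(method, host, path, params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def sign_request(action, host, timestamp, extra=None, method="GET", path="/"):
    """Assemble one Query API call and attach its Signature parameter."""
    params = {
        "Action": action,
        "Version": "2010-08-31",  # assumed API version string, for illustration only
        "AWSAccessKeyId": ACCESS_KEY_ID,
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": timestamp,
    }
    params.update(extra or {})
    params["Signature"] = compute_signature(method, host, path, params, SECRET_ACCESS_KEY)
    return params


def verify_request(method, host, path, params, secret):
    """Receiver-side check: recompute the signature and compare in constant time,
    so a request whose parameters were altered in transit is rejected."""
    expected = compute_signature(method, host, path, params, secret)
    return hmac.compare_digest(expected, params.get("Signature", ""))
```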
AMAZON EC2 INSTANCE ISOLATION
[Diagram: instances of Customer 1, Customer 2 … Customer n share the physical interfaces through the hypervisor; each customer's virtual interfaces pass through the firewall, governed by that customer's own Security Groups.]
VIRTUAL MEMORY & LOCAL DISK
[Diagram: Amazon EC2 instances, each with an encrypted file system and an encrypted swap file.]
• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an added layer of security
NETWORK TRAFFIC FLOW SECURITY
[Diagram: Amazon EC2 instances with encrypted file system and encrypted swap file; inbound traffic passes first through Amazon Security Groups and then through iptables on the instance.]
• Inbound traffic must be explicitly specified by protocol, port, and security group
• iptables may be implemented as a completely user controlled security layer for granular access control of discrete hosts, including other Amazon Web Services (Amazon S3/SimpleDB, etc.)
MULTI-TIER SECURITY ARCHITECTURE
[Diagram: Web Tier, Application Tier and Database Tier (with EBS volume), separated by the Amazon EC2 Security Group Firewall.]
• Ports 80 and 443 only open to the Internet
• Engineering staff have ssh access to the App Tier, which acts as Bastion
• All other Internet ports blocked by default
• Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier
• AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers
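The inbound-traffic rule on the previous slide (explicit protocol, port and source; everything else dropped) and the three-tier layout above can be modelled directly. The following is an added example, not AWS code: it evaluates packets against a default-deny security-group configuration for the web, app and database tiers, using a constructed engineering CIDR and private addresses, and includes an audit helper that lists what is reachable from the Internet.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "proto from_port to_port source")

# Constructed three-tier layout from the slide. The engineering CIDR and the
# private addresses used in tests are placeholders, not real network data.
ENGINEERING_CIDR = "203.0.113.0/24"
SECURITY_GROUPS = {
    "web-tier": [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")],
    "app-tier": [Rule("tcp", 22, 22, ENGINEERING_CIDR),       # app tier acts as bastion
                 Rule("tcp", 8080, 8080, "sg/web-tier")],     # only the web tier may call it
    "db-tier":  [Rule("tcp", 3306, 3306, "sg/app-tier"),      # database reachable from app tier only
                 Rule("tcp", 22, 22, "sg/app-tier")],         # ssh hops through the bastion tier
}


def source_matches(rule_source, src_ip, src_group):
    """A rule source is either another security group ("sg/<name>") or a CIDR block."""
    if rule_source.startswith("sg/"):
        return src_group == rule_source[3:]
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source)


def inbound_allowed(group, src_ip, src_group, proto, port):
    """Mandatory inbound firewall: a packet passes only if some rule names its
    protocol, port and source explicitly; anything else is dropped (default deny)."""
    for rule in SECURITY_GROUPS.get(group, []):
        if (rule.proto == proto and rule.from_port <= port <= rule.to_port
                and source_matches(rule.source, src_ip, src_group)):
            return True
    return False


def internet_exposed_ports():
    """Audit helper: which (group, port) pairs accept traffic from anywhere."""
    exposed = {}
    for group, rules in SECURITY_GROUPS.items():
        for rule in rules:
            if rule.source == "0.0.0.0/0":
                exposed.setdefault(group, []).extend(range(rule.from_port, rule.to_port + 1))
    return exposed
```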
NETWORK SECURITY CONSIDERATIONS
• DDoS (Distributed Denial of Service):
– Standard mitigation techniques in effect
• MITM (Man in the Middle):
– All endpoints protected by SSL
– Fresh EC2 host keys generated at boot
• IP Spoofing:
– Prohibited at host OS level
• Unauthorized Port Scanning:
– Violation of AWS TOS
– Detected, stopped, and blocked
– Ineffective anyway since inbound ports blocked by default
• Packet Sniffing:
– Promiscuous mode is ineffective
– Protection at hypervisor level
• Configuration Management:
– Configuration changes are authorized, logged, tested, approved, and documented
– Most updates are done in such a manner that they will not impact the customer
– AWS will communicate with customers, either via email or through the AWS Service Health Dashboard (http://status.aws.amazon.com/), when there is a chance that their Service use may be affected.
NETWORK TRAFFIC CONFIDENTIALITY
[Diagram: Amazon EC2 instances with encrypted file system and encrypted swap file; Internet traffic, and a VPN to the corporate network.]
• All traffic should be cryptographically controlled
• Inbound and outbound traffic to corporate networks should be wrapped within industry standard VPN tunnels (option to use Amazon VPC)
AMAZON VPC
[Diagram: the customer's network connects over a secure VPN connection across the Internet to a VPN gateway and router in the Amazon Web Services cloud, behind which sit the customer's isolated AWS resources in subnets.]
AMAZON VPC CAPABILITIES
• Create an isolated environment within AWS
• Establish subnets to control who and what can access your resources
• Connect your isolated AWS resources and your IT infrastructure via a VPN connection
• Launch AWS resources within the isolated network
• Use your existing security and networking technologies to examine traffic to/from your isolated resources
• Extend your existing security and management policies within your IT infrastructure to your isolated AWS resources as if they were running within your infrastructure
VPC SUPPORTED DEVICES
• Any device that:
– Establishes IKE Security Association using Pre-Shared Keys
– Establishes IPsec Security Associations in Tunnel mode
– Utilizes the AES 128-bit encryption function
– Utilizes the SHA-1 hashing function
– Utilizes Diffie-Hellman Perfect Forward Secrecy in "Group 2" mode
– Establishes Border Gateway Protocol (BGP) peerings
– Binds tunnel to logical interface (route-based VPN)
– Utilizes IPsec Dead Peer Detection
AMAZON S3 SECURITY
• Access controls at bucket and object level:
– Read, Write, Full
• Owner has full control
• Customer Encryption
– SSL Supported
• Durability 99.999999999%
• Availability 99.99%
• Versioning (MFA Delete)
• Detailed Access Logging
• Storage Device Decommissioning
– DoD 5220.22-M/NIST 800-88 to destroy data
YOUR INPUT IS IMPORTANT…
• Thoughts/questions about our SAS70 Type II Audit?
• Other certifications, compliance requirements or audits to explore?
• What risk & compliance services should AWS consider offering natively?
• How can we further promote AWS security posture?
THANK YOU
aws.amazon.com
© 2008-2009 Amazon.com, Inc., or its affiliates. This presentation is provided for informational purposes only. Amazon Web Services LLC is not responsible for any damages related to the information in this presentation, which is provided "as is" without warranty of any kind, whether express, implied, or statutory. Nothing in this presentation creates any warranties or representations from Amazon Web Services LLC, its affiliates, suppliers, or licensors. This presentation does not modify the applicable terms and conditions governing your use of Amazon Web Services technologies, including the Amazon Web Services website. This presentation represents Amazon Web Services' current product offerings as of the date of issue of this document, which are subject to change without notice.
This presentation is dated August 2010. Please visit aws.amazon.com to ensure that you have the latest version.