Page 1: AWS Webcast - Security Best Practices on AWS

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.

Security Best Practices on AWS

Understanding AWS Security, the Shared Responsibility Model, and some security best practices

Page 2: AWS Webcast - Security Best Practices on AWS

Cloud Security is:

Page 3: AWS Webcast - Security Best Practices on AWS

Every Customer Has Access to the Same Security Capabilities

And gets to choose what’s right for their business needs:

• Governments
• Financial Sector
• Pharmaceuticals
• Entertainment
• Start-ups
• Social Media
• Home Users
• Retail

Page 4: AWS Webcast - Security Best Practices on AWS

Visible Cloud Security

This

Or

This?

Page 5: AWS Webcast - Security Best Practices on AWS

Auditable Cloud Security

Page 6: AWS Webcast - Security Best Practices on AWS

Transparent Cloud Security

http://aws.amazon.com/compliance/

Page 7: AWS Webcast - Security Best Practices on AWS

ISO 27001 Certification

Covers the AWS Information Security Management System

Follows ISO 27002 best practice guidance

Includes all Regions

Certification in the standard requires:

• Systematic evaluation of information security risks
• Evaluate the impact of company threats and vulnerabilities
• Design and implement comprehensive information security controls
• Adopt an overarching management process to ensure that the information security controls meet the information security needs on an ongoing basis

Page 8: AWS Webcast - Security Best Practices on AWS

Service Organization Controls

SOC 1
  What it contains: Attests that the AWS internal controls for financial reporting are appropriately designed and the controls are operating effectively.
  Who uses it: User auditors & users’ controller’s office. Shared under NDA by AWS.

SOC 2
  What it contains: Expanded evaluation of controls to include AICPA Trust Services Principles.
  Who uses it: Management, regulators & others. Shared under NDA by AWS.

SOC 3
  What it contains: Summary of SOC 2 and provides AICPA SysTrust Security Seal.
  Who uses it: Management, regulators & others. Publicly available.

(SOC: American Institute of Certified Public Accountants report)

Page 9: AWS Webcast - Security Best Practices on AWS

PCI DSS Level 1 Service Provider

PCI DSS 2.0 compliant

Covers core infrastructure & services
• EC2, EBS, VPC, ELB, DirectConnect, S3, Glacier, RDS, DynamoDB, SimpleDB, EMR, RedShift, CloudHSM, and IAM

Use services normally, no special configuration

Leverage the work of our QSA

AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA)
• Can support forensic investigations

Certified in all regions

Page 10: AWS Webcast - Security Best Practices on AWS

FedRAMP (FISMA) Moderate

U.S. Civilian Government Agency Specific

FedRAMP Approval To Operate (ATO)

FISMA Moderate (NIST 800-53)
• Much more stringent than other commercial standards
• 205 high-level controls spanning 18 domains
  • Access Control, Awareness & Training, Audit & Accountability, Security Assessment & Authorization, Configuration Management, Contingency Planning, ID & Authentication, Incident Response, Maintenance, Media Protection, Physical & Environment Protection, Planning, Personnel Security, Risk Assessment, System & Services Acquisition, System & Communications Protections, System & Information Integrity, Program Management

Page 11: AWS Webcast - Security Best Practices on AWS

Shared Assessments SIG

Standard Information Gathering (“SIG”) Questionnaire shared under NDA
• www.sharedassessments.org

Robust, easy to use set of questions to gather and assess
• Information Technology
• Operating and Security Risks (and corresponding controls)

Based on referenced industry standards
• Including, but not limited to, FFIEC, ISO, COBIT and PCI

Excel format with AWS provided answers

Updated periodically to stay current

Page 12: AWS Webcast - Security Best Practices on AWS

Additional Initiatives

U.S. Health Insurance Portability and Accountability Act (HIPAA)
• AWS enables covered entities and their business associates subject to the U.S. HIPAA to leverage the secure AWS environment to process, maintain, and store protected health information, and AWS will be signing business associate agreements with such customers.

Cloud Security Alliance (CSA) Questionnaire
• Answers in the Risk and Compliance Whitepaper

Motion Picture Association of America (MPAA)
• Answers in the Risk and Compliance Whitepaper
• Best practices for storing, processing and delivering protected media & content

Page 13: AWS Webcast - Security Best Practices on AWS

Security & Compliance Control Objectives

Control Objective 1: Security Organization

Control Objective 2: Amazon User Access

Control Objective 3: Logical Security

Control Objective 4: Secure Data Handling

Control Objective 5: Physical Security and Environmental Safeguards

Control Objective 6: Change Management

Control Objective 7: Data Integrity, Availability and Redundancy

Control Objective 8: Incident Handling

Page 14: AWS Webcast - Security Best Practices on AWS

Security & Compliance Control Objectives

(cont’d)

Control Objective 1: Security Organization

• Who we are

• Proper control & access within the organization

Control Objective 2: Amazon User Access

• How we vet our staff

• Minimization of access

Page 15: AWS Webcast - Security Best Practices on AWS

Security & Compliance Control Objectives

(cont’d)

Control Objective 3: Logical Security

• Our staff start with no system access

• Need-based access grants

• Rigorous system separation

• System access grants regularly evaluated & automatically revoked

Page 16: AWS Webcast - Security Best Practices on AWS

Security & Compliance Control Objectives

(cont’d)

Control Objective 4: Secure Data Handling

• Storage media destroyed before being permitted outside our datacenters

• Media destruction consistent with US Dept. of Defense Directive 5220.22

Control Objective 5: Physical Security and Environmental Safeguards

• Keeping our facilities safe

• Maintaining the physical operating parameters of our datacenters

Page 17: AWS Webcast - Security Best Practices on AWS

Security & Compliance Control Objectives

(cont’d)

Control Objective 6: Change Management

• Continuous operation

Control Objective 7: Data Integrity, Availability and Redundancy

• Ensuring your data remains safe, intact, & available

Control Objective 8: Incident Handling

• Process & procedures for mitigating and managing potential issues

Page 18: AWS Webcast - Security Best Practices on AWS

Shared Responsibility

AWS

• Facilities

• Physical Security

• Physical Infrastructure

• Network Infrastructure

• Virtualization Infrastructure

Customer

• Choice of Guest OS

• Application Configuration Options

• Account Management Flexibility

• Security Groups

• Network ACLs

• Network Configuration Control

Page 19: AWS Webcast - Security Best Practices on AWS

You Decide Where Applications and Data Reside

Page 20: AWS Webcast - Security Best Practices on AWS

Network Security

Page 21: AWS Webcast - Security Best Practices on AWS

Amazon EC2 Security

Host operating system (AWS controlled)
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited

Guest operating system (Customer controlled)
• AWS admins cannot log in
• Customer-generated keypairs

Stateful firewall
• Mandatory inbound firewall, default deny mode
• Customer controls configuration via Security Groups

Signed API calls
• Require customer’s secret AWS key

Page 22: AWS Webcast - Security Best Practices on AWS

[Diagram: physical interfaces, hypervisor, virtual interfaces and firewall; Customer 1, Customer 2 … Customer n each sit behind their own Security groups]

Page 23: AWS Webcast - Security Best Practices on AWS

Tiering Security Groups

Page 24: AWS Webcast - Security Best Practices on AWS

Tiering Security Groups

Dynamically created rules based on Security Group membership

Effectively create tiered network architectures

• “Web” Security Group: TCP 80 from 0.0.0.0/0; TCP 22 from “Mgmt”
• “App” Security Group: TCP 8080 from “Web”; TCP 22 from “Mgmt”
• “DB” Security Group: TCP 3306 from “App”; TCP 22 from “Mgmt”
• “Mgmt” Security Group: TCP 22 from 163.128.25.32/32

[Diagram: Web (HTTP) traffic reaches the Web Server through its firewall; 8080 from the Web Server to the App Server; 3306 from the App Server to the DB Server; 22 from the Bastion Host to each server; each server is fronted by its own firewall]
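The four groups above as an added example (not from the slides): a small Python model of group-referenced inbound rules with a default-deny evaluator, plus a check that lists rules open to 0.0.0.0/0, the kind of review Trusted Advisor’s security-group check performs. The rule set is the slide’s; the sender addresses in the demo are constructed.

```python
"""Model of the four-tier security-group layout shown on the slide.

Inbound rules only (EC2 security groups are default-deny inbound). A rule's
source is either a CIDR or the NAME of another group; a group-name source is
what makes the rule 'dynamic': any current member of that group matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    source: str  # CIDR such as "0.0.0.0/0", or a group name such as "Web"


# Rule set taken from the slide, group by group.
SECURITY_GROUPS = {
    "Web":  [Rule("tcp", 80, "0.0.0.0/0"), Rule("tcp", 22, "Mgmt")],
    "App":  [Rule("tcp", 8080, "Web"), Rule("tcp", 22, "Mgmt")],
    "DB":   [Rule("tcp", 3306, "App"), Rule("tcp", 22, "Mgmt")],
    "Mgmt": [Rule("tcp", 22, "163.128.25.32/32")],
}


def is_allowed(dest_group, proto, port, src_ip=None, src_groups=(),
               groups=SECURITY_GROUPS):
    """True only if some inbound rule on dest_group matches the flow.

    src_groups: groups the sending instance belongs to (group-referenced
    rules). src_ip: the sender's address (CIDR rules).
    """
    for rule in groups.get(dest_group, ()):
        if rule.proto != proto or rule.port != port:
            continue
        if rule.source in groups:                      # group-referenced source
            if rule.source in src_groups:
                return True
        elif src_ip is not None and ip_address(src_ip) in ip_network(rule.source):
            return True
    return False                                       # default deny


def world_open_rules(groups=SECURITY_GROUPS):
    """Review check: (group, port) pairs reachable from any address."""
    return sorted(
        (name, rule.port)
        for name, rules in groups.items()
        for rule in rules
        if rule.source not in groups and ip_network(rule.source).prefixlen == 0
    )


if __name__ == "__main__":
    # 203.0.113.7 is a constructed Internet client; 163.128.25.32 is the slide's admin address.
    print("internet -> Web:80  ", is_allowed("Web", "tcp", 80, src_ip="203.0.113.7"))
    print("internet -> App:8080", is_allowed("App", "tcp", 8080, src_ip="203.0.113.7"))
    print("Web -> DB:3306      ", is_allowed("DB", "tcp", 3306, src_groups=("Web",)))
    print("admin -> Mgmt:22    ", is_allowed("Mgmt", "tcp", 22, src_ip="163.128.25.32"))
    print("world-open rules:   ", world_open_rules())
```

Only the Web tier’s port 80 is reported as world-open; every other hop is reachable solely from the group the slide names as its source.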

Page 25: AWS Webcast - Security Best Practices on AWS

Amazon VPC Architecture

[Diagram: the customer’s network connects to the Amazon Web Services cloud over a secure VPN connection over the Internet or via AWS Direct Connect (dedicated path/bandwidth); inside the VPC: subnets, router, Internet gateway, NAT, and the customer’s isolated AWS resources]

Page 26: AWS Webcast - Security Best Practices on AWS

Amazon VPC Network Security Controls

Page 27: AWS Webcast - Security Best Practices on AWS

VPC - Dedicated Instances

Option to ensure physical hosts are not shared with other customers

$2/hr flat fee per region + small hourly charge

Can identify specific Instances as dedicated

Optionally configure entire VPC as dedicated

Page 28: AWS Webcast - Security Best Practices on AWS

AWS Deployment Models

Isolation attributes compared across the models:
• Logical Server and Application Isolation
• Granular Information Access Policy
• Logical Network Isolation
• Physical Server Isolation
• Government Only
• Physical Network and Facility Isolation
• ITAR Compliant (US Persons Only)

Sample Workloads
• Commercial Cloud: Public-facing apps, web sites, dev, test, etc.
• Virtual Private Cloud (VPC): Datacenter extension, TIC environment, email, FISMA low and Moderate
• AWS GovCloud (US): US Persons Compliant and Government Specific Apps

Page 29: AWS Webcast - Security Best Practices on AWS

The Importance of Access Control

One of customers’ top considerations when moving to the cloud

CONTROL

Why do we want control?
• Appropriate access to do appropriate actions
• I want to implement security best practices
• I want to be at least as secure as on premise
• I must comply with certain industry specific security regulations

Page 30: AWS Webcast - Security Best Practices on AWS

AWS Identity and Access Management (IAM)

• Users and Groups within Accounts
• Unique security credentials
  • Access keys
  • AWS Management Console Login/Password
  • Enforce password complexity
  • Optional MFA device
• Policies control access to AWS APIs
• All API calls must be signed by secret key
• Resource level integration into many Services
  • EC2: tags control access to resources
  • S3: policies on objects and buckets
• Not for Operating Systems or Applications
  • Use LDAP, Active Directory/ADFS, etc.

Page 31: AWS Webcast - Security Best Practices on AWS

Authentication Methods

• Username + Password
• Optional multifactor authentication
• Access + Secret Keys
• Optional multifactor authentication
• Access + Secret Keys for REST calls
• SSH Keys for access to EC2 instances

(Shown across the Web UI, API and CLI)

Page 32: AWS Webcast - Security Best Practices on AWS

Multi-Factor Authentication (MFA)

Extra level of security

Works with

• AWS root account

• IAM users

Multiple form factors

• Virtual MFA on your phone

• Hardware MFA key fobs

No additional cost!

• Except for the cost of the hardware key fob

Page 33: AWS Webcast - Security Best Practices on AWS

AWS CloudHSM

Secure Key Storage
• Dedicated access to tamper-resistant HSM appliances (SafeNet® Luna SA)
• Designed to comply with Common Criteria EAL4+ and NIST FIPS 140-2
• You retain full control of your keys and cryptographic operations

Contractual and Regulatory Compliance
• Helps comply with the most stringent regulatory and contractual requirements for key protection.

Reliable and Durable Key Storage
• Available in multiple AZs and Regions

Simple and Secure Connectivity
• Connected to your VPC
• Improved Application Performance between EC2 and HSM

Page 34: AWS Webcast - Security Best Practices on AWS

Premium Support Trusted Advisor

Security Checks

• Security Group Rules (Hosts & Ports)

• IAM Use

• S3 Policies

Fault Tolerance Checks

• Snapshots

• Multi-AZ

• VPN Tunnel Redundancy

Page 35: AWS Webcast - Security Best Practices on AWS

Enable Root Account MFA!

If you don’t see: [screenshot]

Go to:

http://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-1

Page 36: AWS Webcast - Security Best Practices on AWS

AWS Security, Compliance, & Architecture

Resources

http://aws.amazon.com/security/

Security whitepaper

Security best practices

Security bulletins

Customer security testing process

http://aws.amazon.com/compliance/

Risk and compliance whitepaper

http://aws.amazon.com/architecture/

Reference Architectures

Whitepapers

Webinars

http://blogs.aws.amazon.com/security/

Stay up to date on security and compliance in AWS

Feedback is always welcome!

Page 37: AWS Webcast - Security Best Practices on AWS

Thank You!!!

Any questions?
