SEC102 Security and Compliance in the AWS Cloud - AWS re:Invent 2012

© 2012 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Shared responsibility model (diagram): AWS responsibility on one side, customer responsibility on the other.
Parameter                                            | Customer Responsibility | Provider Responsibility
1. Service availability                              |                         | X
2. Incident response                                 |                         | X
3. Service elasticity and load tolerance             |                         | X
4. Data lifecycle                                    |                         | X
5. Technical compliance and vulnerability management |                         | X
6. Change management                                 |                         | X
7. Isolation                                         |                         | X
8. Log management and forensics                      |                         | X
Area                            | Customer Responsibility | Provider Responsibility
Governance                      | X                       |
Compliance                      |                         | X
Trust                           |                         | X
Architecture                    |                         | X
Identity and Access Management  | X                       |
Software Isolation              |                         | X
Data Protection                 |                         | X
Availability                    |                         | X
Incident Response               | X                       | X
Domain                                              | Customer Responsibility | Provider Responsibility
Governance and Enterprise Risk Management           | X                       |
Legal issues: Contracts and E-Discovery             |                         | X
Compliance and Audit                                |                         | X
Information Management and Data Security            | X                       |
Portability and Interoperability                    |                         | X
Traditional Security, Business Continuity, and DR   | X                       | X
Data Center Operations                              |                         | X
Incident Response, Notification, and Remediation    | X                       | X
Application Security                                | X                       |
Encryption and Key Management                       | X                       |
Identity and Access Management                      | X                       |
Virtualization                                      |                         | X
Security as a Service                               |                         | X
Certifications & Accreditations
• SOC 1 (previously SAS 70) Type II audit, supporting SOX compliance
• SOC 2 Type II Security
• ISO 27001 Certification
• PCI DSS Level 1 Compliance
• FISMA Moderate ATO (currently pursuing FedRAMP)
• DIACAP MAC III-Sensitive
• Aligned to CSA's Cloud Controls Matrix
• MPAA compliant
• HIPAA compliant architecture

Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)

Management Plane Administrative Access
• Multi-factor, controlled, need-based access to administrative hosts
• All access logged, monitored, reviewed
• AWS administrators DO NOT have logical access inside a customer's VMs, including applications and data

VM Security
• Multi-factor access to the Amazon account
• Instance isolation
  • Customer-controlled firewall at the hypervisor level
  • Neighboring instances are prevented from accessing one another
  • Virtualized disk management layer ensures only account owners can access storage disks
• Support for SSL endpoint encryption for API calls

Network Security
• Instance firewalls are configured as security groups
• Traffic may be restricted by protocol, by service port, and by source IP address (an individual IP or a CIDR block)
• Virtual Private Cloud (VPC) provides IPsec VPN access from an existing enterprise data center to a set of logically isolated AWS resources
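The network-security bullets above describe security groups only in outline: a rule is a protocol, a port range and a source. The check a practitioner wants is whether any of those rules opens an administrative port, or everything, to the whole internet. The following Python is an added example, not code from the deck or from AWS: it walks the JSON shape that `aws ec2 describe-security-groups --output json` returns and reports world-open ingress. The sample document, the group IDs and the ADMIN_PORTS list are constructed for the example.

```python
"""Audit EC2 security-group ingress rules for world-open exposure.

Added example, not from the re:Invent deck: reads the JSON shape that
`aws ec2 describe-security-groups --output json` returns and flags any
ingress rule that opens an administrative port, or all traffic, to
0.0.0.0/0 or ::/0. Rules whose source is another security group
(UserIdGroupPairs) are not world-reachable and are left alone.
"""
import ipaddress
import json

# Ports that should never be reachable from the whole internet.
# (Editorial list for this example; extend it for your own estate.)
ADMIN_PORTS = {22: "ssh", 1433: "mssql", 3306: "mysql", 3389: "rdp", 5432: "postgresql"}

# Constructed sample in describe-security-groups format (not real output).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ]},
        {"GroupId": "sg-0bastion", "GroupName": "bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ]},
        {"GroupId": "sg-0legacy", "GroupName": "legacy", "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ]},
        {"GroupId": "sg-0db", "GroupName": "db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0web", "UserId": "123456789012"}]},
            {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ]},
    ]
})


def is_world_open(cidr: str) -> bool:
    """A /0 prefix in either address family means 'everyone'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_sources(perm: dict) -> list:
    """All IPv4/IPv6 sources of a rule that cover the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if is_world_open(c)]


def audit_security_groups(describe_json: str) -> list:
    """Return one finding dict per world-open exposure, in document order."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = world_sources(perm)
            if not sources:
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":  # all protocols, all ports
                findings.append({"group": sg["GroupId"], "rule": "all/all",
                                 "issue": "all traffic open to the world", "sources": sources})
                continue
            if proto not in ("tcp", "udp"):
                continue  # icmp: FromPort/ToPort carry type/code, not ports
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if (lo, hi) == (0, 65535):
                findings.append({"group": sg["GroupId"], "rule": f"{proto}/all",
                                 "issue": f"all {proto} ports open to the world", "sources": sources})
                continue
            for port, name in sorted(ADMIN_PORTS.items()):
                if lo <= port <= hi:
                    findings.append({"group": sg["GroupId"], "rule": f"{proto}/{lo}-{hi}",
                                     "issue": f"{name} ({port}) open to the world",
                                     "sources": sources})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f'{f["group"]:12} {f["rule"]:16} {f["issue"]}  from {", ".join(f["sources"])}')
```

Against the sample, the web group is clean (443 to the world is intended, and its SSH rule is scoped to 10.0.0.0/8), the bastion exposes SSH, the legacy group is open on everything, and the db group's "ephemeral" range 1024-65535 silently includes four database and RDP ports. To run it on a real account, save the output of `aws ec2 describe-security-groups --output json` to a file and pass its contents to `audit_security_groups`.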
Example: mapping applications and business units to the compliance regimes that apply to them

Applications / Business Unit | PCI DSS | SSAE 16 | SOC 2 | SOX | FFIEC | Federal, Tax, 7216 | GLBA | Non-US | HIPAA/HITECH
BU #1   App 1                | X       |         | X(4)  |     |       |                    |      |        |
        App 2                | X       | X       |       | X   |       |                    | X(5) |        |
        App 3                | X       | X(1)    | X(1)  | X   |       |                    | X(6) | X(9)   |
        App 4                | X       |         |       |     |       |                    |      |        |
        App 5                |         | X(2)    | X(2)  |     |       |                    |      | X(8)   | X(8)
BU #2   App A                |         | X       |       |     |       | X                  | X(7) |        |
        App B                |         |         |       | X   |       | X                  |      |        |
        App C                |         |         |       |     |       |                    | X    |        |
BU #3                        |         |         |       |     |       |                    | X    |        |
BU #4                        | X       |         |       |     | X     |                    |      |        | X
Global BU                    | X       |         |       |     |       |                    |      | X      |
Shared Services              | X       | X(3)    |       |     |       |                    |      | X(9)   |
CIO office   App 6           | X       |         |       | X   |       |                    |      | X(9)   |
BU #5                        | X       |         |       | X   | X     |                    | X    |        |
NIST SP 800-53 control families (partial):
• PE - Physical and Environmental Protection
• PL - Planning
• PS - Personnel Security
• RA - Risk Assessment
• SA - System and Services Acquisition
• SC - System and Communications Protection
• SI - System and Information Integrity
• PM - Program Management
Security tasks on the customer side of the model:
• AWS account security roles
• Manage IAM users
• AWS credentials
• Initial OS-level access to EC2 instances
• Managing AWS groups
• Temporary credentials
• Identity federation & replication
• Data classification
• Security controls / access to data classes
• Data storage requirements and secure access
• Protecting data at rest
• Protecting data in flight
• Security zoning and segmentation
• Secure periphery systems: user repositories, DNS, NTP
• Threat protection layers
• Testing security
• Measurement and metrics
• DoS & DDoS mitigation and protection
• Manage security monitoring, alerting, audit trail and incident response
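The IAM bullets on this slide (IAM users, credentials, groups, temporary credentials) list what the customer has to decide, and the VM-security slide asks for multi-factor access to the account. What neither shows is how a least-privilege policy with an MFA condition is actually resolved. The Python below is an added example, not code from the deck or from AWS: it models the documented IAM decision order for a single identity policy (implicit deny by default, any matching Allow grants, any matching Deny wins) with only the Bool and BoolIfExists condition operators and plain glob matching, so it is a teaching model, not the IAM engine (real IAM also has NotAction/NotResource, resource policies, permission boundaries, service control policies and case-insensitive action matching). The sample policy, account ID and instance ARNs are constructed.

```python
"""Simplified IAM policy evaluation with an MFA condition.

Added example, not from the re:Invent deck: models the documented IAM
evaluation order (implicit deny by default, any matching Allow grants,
any matching Deny wins) for one identity policy. Only the Bool and
BoolIfExists condition operators are modelled, and Action/Resource
matching is a plain case-sensitive glob.
"""
import fnmatch

# Constructed identity policy: read-only EC2 for everyone, instance
# termination only with MFA, and an explicit deny when MFA is absent.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyEC2", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "TerminateWithMFA", "Effect": "Allow",
         "Action": "ec2:TerminateInstances",
         "Resource": "arn:aws:ec2:*:123456789012:instance/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DenyDestructiveWithoutMFA", "Effect": "Deny",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
         "Resource": "*",
         # BoolIfExists also matches when the key is absent entirely, which
         # is the case for requests signed with long-term access keys.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value: str) -> bool:
    """IAM-style wildcard match of a request value against one or more patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: dict, context: dict) -> bool:
    """Every operator/key pair must hold; only Bool and BoolIfExists are modelled."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "BoolIfExists":
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _glob_match(stmt["Action"], action):
            continue
        if not _glob_match(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


def wildcard_allows(policy: dict) -> list:
    """Sids of Allow statements that grant every action on every resource."""
    return [s.get("Sid", "?") for s in policy["Statement"]
            if s["Effect"] == "Allow"
            and "*" in _as_list(s["Action"])
            and "*" in _as_list(s["Resource"])]


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"
    for ctx in ({"aws:MultiFactorAuthPresent": "true"},
                {"aws:MultiFactorAuthPresent": "false"}, {}):
        print(ctx, "->", evaluate(SAMPLE_POLICY, "ec2:TerminateInstances", instance, ctx))
    print("wildcard admin statements:", wildcard_allows(SAMPLE_POLICY))
```

Two edge cases are worth noticing. A request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all, so a Deny written with plain Bool "false" would not fire; BoolIfExists is what makes "no MFA" and "MFA false" both deny. And the Allow statement's resource ARN pins the account, so terminating an instance in another account falls through to the implicit deny even with MFA present.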
We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.
