Aws security overview q3 2010 v2

1,250 views
1,194 views

Published on

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,250
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
26
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Aws security overview q3 2010 v2

  1. 1. AWS: OVERVIEW OF SECURITY PROCESSES Stephen Schmidt Chief Information Security Officer steves@amazon.com
  2. 2. O VERVIEW • Certifications • SAS70 Type II • Physical Security • Backups • Amazon EC2 Security • Network Security • Amazon S3 Security • Amazon SimpleDB Security • Amazon SQS Security • Amazon CloudFront Security • Amazon Elastic MapReduce
  3. 3. AWS S ECURITY R ESOURCES • http://aws.amazon.com/security/ • Security Whitepaper • Latest Version 8/24/2010 • Updated bi-annually • Feedback is welcome
  4. 4. AWS C ERTIFICATIONS • Shared Responsibility Model • Sarbanes-Oxley (SOX) • SAS70 Type II Audit • FISMA A&A – NIST Low Approvals to Operate – Actively pursuing NIST Moderate – FedRAMP • Pursuing ISO 27001 Certification • Customers have deployed various compliant applications such as HIPAA (healthcare)
  5. 5. SAS70 T YPE II • Based on the Control Objectives for Information and related Technology (COBIT), which is a set of established best practices (transitioning to ISO 27001) • Covers Access (Security), Change Management and Operations of Amazon EC2 and Amazon S3 • Audit conducted by an independent accounting firm (E&Y) on a recurring basis
  6. 6. SAS70 T YPE II – C ONTROL O BJECTIVES • Control Objective 1: Security Organization • Control Objective 2: Amazon Employee Lifecycle • Control Objective 3: Logical Security • Control Objective 4: Secure Data Handling • Control Objective 5: Physical Security • Control Objective 6: Environmental Safeguards • Control Objective 7: Change Management • Control Objective 8: Data Integrity, Availability and Redundancy • Control Objective 9: Incident Handling
  7. 7. PHYSICAL SECURITY • Amazon has been building large-scale data centers for many years • Important attributes: – Non-descript facilities – Robust perimeter controls – Strictly controlled physical access – 2 or more levels of two-factor auth • Controlled, need-based access for AWS employees (least privilege) • All access is logged and reviewed
  8. 8. FAULT SEPARATION AND G EOGRAPHIC D IVERSITY US East Region (N. VA) EU West Region (IRE) Availability Availability Zone A Zone B Availability Availability Zone A Zone B Availability Availability Zone C Zone D US West Region (N. CA) APAC Region (Singapore) Availability Availability Availability vailability Availability Availability Zone A Zone B Zone A Zone A Zone BB Zone Amazon CloudWatch Note: Conceptual drawing only. The number of Availability Zones may vary
  9. 9. D ATA B ACKUPS • Data stored in Amazon S3, Amazon SimpleDB, and Amazon EBS is stored redundantly in multiple physical locations • Amazon EBS redundancy remains within a single Availability Zone • Amazon S3 and Amazon SimpleDB replicate customer objects across storage systems in multiple Availability Zones to ensure durability – Equivalent to more traditional backup solutions, but offers much higher data availability and throughput • Data stored on Amazon EC2 local disks must be proactively copied to Amazon EBS or Amazon S3 for redundancy
  10. 10. AWS M ULTI-FACTOR AUTHENTICATION A recommended opt-in security feature of your Amazon Web Services (AWS) account
  11. 11. AWS MFA B ENEFITS • Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you • Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console • Adds an extra layer of protection to sensitive information, such as your AWS access identifiers • Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data
  12. 12. IAM – AWS I DENTITY AND ACCESS MANAGEMENT • A brand new service designed for our entire range of users • Multiple user identities per AWS account • Enhanced security • Better control • Integrated with other services
  13. 13. IAM – AWS I DENTITY AND ACCESS MANAGEMENT • Create users and groups within an AWS account • Each user has unique security credentials: – Access keys – Login/Password – MFA device • Put users in groups • Create policy statements for users or groups • Control access to resources • Control access to APIs
  14. 14. AMAZON EC2 S ECURITY • Host operating system – Individual SSH keyed logins via bastion host for AWS admins – All accesses logged and audited • Guest operating system – Customer controlled at root level – AWS admins cannot log in – Customer-generated keypairs • Stateful firewall – Mandatory inbound firewall, default deny mode • Signed API calls – Require X.509 certificate or customer’s secret AWS key
  15. 15. AMAZON EC2 I NSTANCE ISOLATION Customer 1 Customer 2 … Customer n Hypervisor Virtual Interfaces Customer 1 Security Groups Customer 2 Security Groups … Customer n Security Groups Firewall Physical Interfaces
  16. 16. VIRTUAL MEMORY & LOCAL D ISK Amazon EC2 Instances Encrypted File System Amazon EC2 Instance Encrypted Swap File • Proprietary Amazon disk management prevents one Instance from reading the disk contents of another • Local disk storage can also be encrypted by the customer for an added layer of security
  17. 17. N ETWORK TRAFFIC FLOW SECURITY Inbound Traffic Amazon EC2 Amazon Security Groups Instances iptables Encrypted File System Amazon EC2 Instance Encrypted Swap File • Inbound traffic must be explicitly specified by protocol, port, and security group • iptables may be implemented as a completely user controlled security layer for granular access control of discrete hosts, including other Amazon Web Services (Amazon S3/SimpleDB, etc.)
  18. 18. MULTI- TIER S ECURITY A RCHITECTURE AWS employs a private network with Web Tier ssh support for secure access between tiers and is configurable to limit access between tiers Application Tier Database Tier EBS Volume Ports 80 and 443 only open to the Internet Engineering staff have ssh access to the App Tier, which acts as Bastion Authorized 3rd parties can Amazon EC2 be granted ssh access to Security Group select AWS resources, such Firewall as the Database Tier All other Internet ports blocked by default
  19. 19. NETWORK SECURITY CONSIDERATIONS • DDoS (Distributed Denial of Service): – Standard mitigation techniques in effect • MITM (Man in the Middle): – All endpoints protected by SSL – Fresh EC2 host keys generated at boot • IP Spoofing: – Prohibited at host OS level • Unauthorized Port Scanning: – Violation of AWS TOS – Detected, stopped, and blocked – Ineffective anyway since inbound ports blocked by default • Packet Sniffing: – Promiscuous mode is ineffective – Protection at hypervisor level • Configuration Management: – Configuration changes are authorized, logged, tested, approved, and documented Most updates are done in such a manner that they will not impact the customer AWS will communicate with customers, either via email, or through the AWS Service Health Dashboard (http://status.aws.amazon.com/) when there is a chance that their Service use may be affected.
  20. 20. N ETWORK TRAFFIC C ONFIDENTIALITY Amazon EC2 Instances Internet Traffic Encrypted File System Amazon EC2 Instance Corporate Encrypted Network Swap File VPN • All traffic should be cryptographically controlled • Inbound and outbound traffic to corporate networks should be wrapped within industry standard VPN tunnels (option to use Amazon VPC)
  21. 21. AMAZON VPC Customer’s isolated AWS resources Subnets Router VPN Gateway Amazon Web Services Cloud Secure VPN Connection over the Internet Customer’s Network
  22. 22. AMAZON VPC C APABILITIES • Create an isolated environment within AWS • Establish subnets to control who and what can access your resources • Connect your isolated AWS resources and your IT infrastructure via a VPN connection • Launch AWS resources within the isolated network • Use your existing security and networking technologies to examine traffic to/from your isolated resources • Extend your existing security and management policies within your IT infrastructure to your isolated AWS resources as if they were running within your infrastructure
  23. 23. VPC S UPPORTED D EVICES • Any device that : – Establishes IKE Security Association using Pre-Shared Keys – Establishes IPsec Security Associations in Tunnel mode – Utilizes the AES 128-bit encryption function – Utilizes the SHA-1 hashing function – Utilizes Diffie-Hellman Perfect Forward Secrecy in “Group 2” mode – Establishes Border Gateway Protocol (BGP) peerings – Binds tunnel to logical interface (route-based VPN) – Utilize IPsec Dead Peer Detection
  24. 24. AMAZON S3 S ECURITY • Access controls at bucket and object level: – Read, Write, Full • Owner has full control • Customer Encryption – SSL Supported • Durability 99.999999999% • Availability 99.99% • Versioning (MFA Delete) • Detailed Access Logging • Storage Device Decommissioning – DoD 5220.22-M/NIST 800- 88 to destroy data
  25. 25. YOUR INPUT IS IMPORTANT … • Thoughts/questions about our SAS70 Type II Audit? • Other certifications, compliance requirements or audits to explore? • What risk & compliance services should AWS consider offering natively? • How can we further promote AWS security posture?
  26. 26. THANK YOU aws.amazon.com steves@amazon.com
  27. 27. © 2008-2009 Amazon.com, Inc., or its affiliates. This presentation is provided for informational purposes only. Amazon Web Services LLC is not responsible for any damages related to the information in this presentation, which is provided “as is” without warranty of any kind, whether express, implied, or statutory. Nothing in this presentation creates any warranties or representations from Amazon Web Services LLC, its affiliates, suppliers, or licensors. This presentation does not modify the applicable terms and conditions governing your use of Amazon Web Services technologies, including the Amazon Web Services website. This presentation represents Amazon Web Services' current product offerings as of the date of issue of this document, which are subject to change without notice. This presentation is dated August 2010. Please visit aws.amazon.com to ensure that you have the latest version.

×