Presentation from the AWS Worldwide Public Sector team's conference, Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).
2. Dimensions of Shared Responsibility & Control
1. Operation within the Service: The functions the
customer controls and configurations they choose
(e.g., in EC2)
2. Security Configurability: The tools AWS gives
customers to configure their security stance
(e.g., access policies, security groups)
3. Security Features Which Span Services: Some
security configuration features are global, others
service-specific (e.g., IAM)
4. Layered Security Controls: How customers can
integrate their existing controls into AWS
(e.g., Active Directory, Drupal user management)
3. 1. Operation within the Service
Customers may choose the controls they implement
and specific configurations/operations
Example: EC2 instances
Manage root/administrative access to guest OS
Install software
Start and stop services
Manage EC2 key pairs
Example: Relational Database Service
Administration of RDBMS but not OS
Example: DynamoDB
Fully managed service
Integrates with IAM
4. 2. Security Configurability
AWS services provide rich security controls tailored to
each service – customers choose which to implement
Example VPC responsibility and control options
Configure security groups
Control network ACLs
Configure network routing
Example S3 responsibility and control options
Rich support for IAM policies
Service specific access controls
Logging
Example RDS responsibility and control options
Configure database security groups
Database username and password management
5. 3. Security Features Which Span Services
Some security features are global, others service-specific. Choosing which is right for your application is critical, because the blast radius of a misconfiguration follows the scope of the feature.
Broader potential impact on other services
Example: Identity and Access Management grants access to many other services, so an over-permissive IAM policy affects everything the principal can reach
Example: EC2 instances can be used to access many services (see EC2 IAM roles), so a compromised instance inherits whatever its role is allowed to do
Narrower potential impact on other services
Example: S3 is a critical and foundational service for many other AWS services, but the impact of an S3 security configuration is limited to the S3 resources it covers
6. 4. Layered Security Controls
How customers can integrate their existing controls
into AWS (typically implemented within EC2
instances)
Examples
Active Directory or ADFS within EC2
Encrypted file system on Elastic Block Storage (EBS)
OS-level firewalls (e.g., RHEL, Windows) or IDS systems
Virtual appliances (e.g., Checkpoint, Sophos, Xceedium)
Application level security
Installing X.509 certificates in Web servers
7. Types of Access Credentials Used on AWS
Amazon Access Keys (for APIs)
REST/Query Protocol requests (e.g., Java SDK)
Usernames and Passwords for interactive scenarios
Management console
X.509 Certificates
SOAP access to some services
Amazon EC2 Key Pairs
Access to running EC2 instances
Amazon CloudFront Key Pairs
Create signed URLs for private CloudFront content: the private key signs the URL's policy, and CloudFront checks the signature with the public key identified by the key pair ID
Public key, private key, key pair ID
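How the first credential type above, an access key pair, is actually used on a REST/Query request, as an added example (not code from the presentation or from an AWS SDK): a minimal AWS Signature Version 4 signer together with the check the receiving side performs. The access key ID, secret, host, timestamp and the DescribeInstances query are constructed for the example and are not real credentials.

```python
"""AWS Signature Version 4: how an access key ID and secret access key are used
to authenticate a REST/Query request, and how the receiving side verifies it.

Added example, not code from the presentation or an AWS SDK. The secret never
travels; the client sends an HMAC-SHA256 signature over a canonical form of
the request, bound to the date, region and service, and the server recomputes
it from its own copy of the secret. Credentials, host and timestamp are invented.
"""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Canonical form: sorted query string, lowercased and sorted headers with
    collapsed whitespace, the list of signed header names, and the payload hash."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    return "\n".join([method.upper(), quote(path, safe="/-_.~"), canon_query,
                      canon_headers, signed_headers, _sha256_hex(payload)]), signed_headers


def signing_key(secret, date, region, service):
    """Per-day, per-region, per-service key derived from the secret, so a leaked
    derived key is scoped to one service and expires with the date."""
    key = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        key = _hmac_sha256(key, part)
    return key


def _signature(secret, amz_date, region, service, canon):
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canon.encode("utf-8"))])
    sig = hmac.new(signing_key(secret, date, region, service),
                   string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return sig, scope


def sign_request(access_key, secret, region, service, method, host, path, query,
                 payload, amz_date, extra_headers=None):
    """Client side: returns the headers to send, including Authorization."""
    headers = {"host": host, "x-amz-date": amz_date, **(extra_headers or {})}
    canon, signed_headers = canonical_request(method, path, query, headers, payload)
    sig, scope = _signature(secret, amz_date, region, service, canon)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={sig}")
    return headers


def verify_request(secret, headers, method, path, query, payload):
    """Server side: recompute with the secret stored for the claimed access key and
    compare in constant time. Any change to a signed header, the query string or
    the payload invalidates the signature; unsigned headers are not protected."""
    auth = headers["authorization"]
    if not auth.startswith(ALGORITHM + " "):
        return False
    fields = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
    _access_key, date, region, service, _ = fields["Credential"].split("/")
    signed = {k: headers[k] for k in fields["SignedHeaders"].split(";")}
    canon, _ = canonical_request(method, path, query, signed, payload)
    sig, _ = _signature(secret, headers["x-amz-date"], region, service, canon)
    return headers["x-amz-date"].startswith(date) and hmac.compare_digest(sig, fields["Signature"])


# Constructed credentials and request for the demo (not real keys).
ACCESS_KEY, SECRET = "AKIAEXAMPLEKEYID0000", "exampleSecretAccessKey/NotARealSecret"
REQUEST = dict(method="GET", host="ec2.amazonaws.com", path="/",
               query={"Action": "DescribeInstances", "Version": "2014-10-01"},
               payload=b"", amz_date="20240101T120000Z")


def demo():
    """Sign, verify, then show that a tampered query and a wrong secret both fail."""
    hdrs = sign_request(ACCESS_KEY, SECRET, "us-east-1", "ec2", **REQUEST)
    valid = verify_request(SECRET, hdrs, "GET", "/", REQUEST["query"], b"")
    tampered_query = dict(REQUEST["query"], Action="TerminateInstances")
    tampered = verify_request(SECRET, hdrs, "GET", "/", tampered_query, b"")
    wrong_secret = verify_request("someone-elses-secret", hdrs, "GET", "/", REQUEST["query"], b"")
    return {"valid": valid, "tampered_query": tampered, "wrong_secret": wrong_secret}
```

The point to take from the block is that the access key ID is only a lookup handle; everything that binds the request to its owner is the HMAC over the canonical request, keyed by a derivation of the secret that is scoped to a date, region and service. A real SDK also adds the `x-amz-content-sha256` header for S3 and handles session tokens for role credentials, which this example omits.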
8. EC2 Security Groups (SGs)
SGs specify the allowed inbound network traffic by port, protocol, and source (an IP range or another security group); traffic not matched by an allow rule is dropped, since SGs have no deny rules
SGs are enforced outside the guest, before traffic reaches the guest OS, so they hold even when the guest is misconfigured or compromised
EC2 instances can be assigned to one or more Security Groups
[Diagram: traffic enters on the physical interfaces, passes the firewall where each customer's security groups (Customer 1 ... Customer n) are enforced, and only then reaches the virtual interfaces the hypervisor presents to each customer's instances]
9. MySQL RDS Security
Database Security Group
Acts like a firewall controlling network access
A DB Security Group allows access from EC2 instances by EC2 Security Group or VPC Security Group membership, or from specified IP ranges
Same rules apply to all DB Instances associated with
DB Security Group
Keys to access the RDS APIs: X.509 certificates or AWS access keys
Database username and password: a separate credential used by the database client, not by the RDS API
10. S3 Security
Encryption in transit
HTTPS option to protect data in transit (enforceable per bucket by denying requests where aws:SecureTransport is false)
Encryption at rest
Server side: AWS-managed AES-256 encryption option; AWS holds the keys
Client side: encrypt your data before it gets to AWS; you hold the keys and AWS never sees plaintext
Access control
Predefined ("canned") ACLs
Custom-configured ACLs and bucket policies
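The S3 controls listed here and the "rich support for IAM policies" noted on the Security Configurability slide come together in a bucket policy. As an added example (not code from the presentation), the block below is a small evaluator that applies IAM's decision order (explicit Deny beats Allow; no matching Allow is an implicit deny) to a constructed bucket policy that refuses non-HTTPS requests and PUTs that do not ask for AES-256 server-side encryption, and runs it over a few constructed request contexts. The bucket name, account ID, role ARN and request contexts are invented, and the evaluator covers only the policy grammar the example uses.

```python
"""Evaluate an S3 bucket policy the way IAM does: explicit Deny beats Allow,
and a request that no Allow statement matches is implicitly denied.

Added example, not code from the presentation. It supports the subset of
policy grammar used in BUCKET_POLICY: string or list Action/Resource with
'*' wildcards, an AWS principal or "*", and the Bool, StringEquals,
StringNotEquals and Null condition operators. A key absent from the request
context never satisfies a value test; only Null can match absence, which is
why enforcing server-side encryption takes two Deny statements. Bucket name,
account ID and role ARN are invented.
"""
import fnmatch
import json

BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAppObjectAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    allowed = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return "*" in allowed or caller in allowed


def _condition_holds(condition, context):
    """Every operator/key pair must hold (condition blocks are ANDed)."""
    for operator, tests in condition.items():
        for key, wanted in tests.items():
            wanted = [str(w) for w in _as_list(wanted)]
            present = key in context
            if operator == "Null":            # "true" means the key must be absent
                if str(not present).lower() not in [w.lower() for w in wanted]:
                    return False
            elif not present:                 # a missing key never matches a value test
                return False
            elif operator == "Bool":
                if str(context[key]).lower() not in [w.lower() for w in wanted]:
                    return False
            elif operator == "StringEquals":
                if str(context[key]) not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if str(context[key]) in wanted:
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def evaluate(policy, caller, action, resource, context):
    """Return (effect, sid): ('Deny', sid) for an explicit deny, ('Allow', sid)
    when an Allow matched and nothing denied it, ('Deny', None) when no
    statement applied at all (implicit deny)."""
    decision = ("Deny", None)
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return ("Deny", stmt["Sid"])      # an explicit deny cannot be overridden
        decision = ("Allow", stmt["Sid"])
    return decision


APP_ROLE = "arn:aws:iam::123456789012:role/app"
OBJECT = "arn:aws:s3:::example-bucket/reports/q1.csv"


def check_requests():
    """Constructed request contexts, shaped like what the S3 front end builds."""
    cases = {
        "get over https": ("s3:GetObject", {"aws:SecureTransport": "true"}),
        "get over http": ("s3:GetObject", {"aws:SecureTransport": "false"}),
        "put without sse header": ("s3:PutObject", {"aws:SecureTransport": "true"}),
        "put with sse aws:kms": ("s3:PutObject", {"aws:SecureTransport": "true",
                                                  "s3:x-amz-server-side-encryption": "aws:kms"}),
        "put with sse aes256": ("s3:PutObject", {"aws:SecureTransport": "true",
                                                 "s3:x-amz-server-side-encryption": "AES256"}),
    }
    return {name: evaluate(BUCKET_POLICY, APP_ROLE, act, OBJECT, ctx) for name, (act, ctx) in cases.items()}
```

A principal with no Allow statement (say, an IAM user in the same account calling GetObject over HTTPS) gets `("Deny", None)`: nothing denied it explicitly, but nothing allowed it either. The two encryption Deny statements are deliberately both present, because the Null test is what catches a PUT that sends no encryption header at all.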
11. Amazon Virtual Private Cloud (VPC)
Create a logically isolated environment in Amazon’s highly scalable
infrastructure
Specify your private IP address range and divide it into one or more public or private subnets
Control inbound and outbound access to and from individual subnets
using stateless Network Access Control Lists
Protect your instances with stateful filters for inbound and outbound
traffic using Security Groups
Attach an Elastic IP address to any instance in your VPC so it can be
reached directly from the Internet
Bridge your VPC and your on-site IT infrastructure with an industry-standard IPsec VPN connection
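The difference between the stateful security groups of the EC2 Security Groups slide (and the RDS DB security groups that reference them) and the stateless network ACLs listed here is easiest to see in code. The block below is an added example, not code from the presentation or any AWS tool: it models both filters and runs a constructed HTTP session and a constructed web-tier-to-database connection through them. All group IDs, addresses, ports and rules are invented.

```python
"""Security groups (stateful, allow-only) versus network ACLs (stateless,
ordered allow/deny), evaluated against constructed packets.

Added example, not code from the presentation. A security group matches on
protocol, port range and source (a CIDR or another security group's ID, the
way an RDS DB security group can reference an EC2 security group), has no
deny rules, and remembers accepted connections so replies pass without an
explicit rule. A network ACL is a numbered list evaluated lowest number
first, first match wins, with an implicit final deny, and keeps no state, so
the reply direction needs its own rule covering the client's ephemeral port.
IDs, addresses and rules are invented.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_groups: frozenset = frozenset()  # security groups of the sending instance, if any


def _source_matches(source, ip, groups):
    if source.startswith("sg-"):
        return source in groups
    return ip_address(ip) in ip_network(source, strict=False)


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list                                   # (proto, from_port, to_port, source)
    outbound: list = field(default_factory=list)    # same shape; VPC default is allow-all, empty here on purpose
    flows: set = field(default_factory=set, repr=False)

    def allows_inbound(self, pkt):
        for proto, lo, hi, source in self.inbound:
            if proto == pkt.proto and lo <= pkt.dst_port <= hi and _source_matches(source, pkt.src_ip, pkt.src_groups):
                self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
        return False  # no deny rules exist: unmatched traffic is simply dropped

    def allows_outbound(self, pkt):
        # Stateful: a reply to an accepted inbound connection passes on state alone.
        if (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True
        return any(proto == pkt.proto and lo <= pkt.dst_port <= hi and _source_matches(dest, pkt.dst_ip, frozenset())
                   for proto, lo, hi, dest in self.outbound)


@dataclass
class NetworkAcl:
    inbound: list    # (rule_no, proto, cidr, from_port, to_port, "allow" | "deny")
    outbound: list

    @staticmethod
    def _decide(rules, pkt, remote_ip):
        """Returns (allowed, rule_no); "*" is the implicit deny-all at the end."""
        for rule_no, proto, cidr, lo, hi, action in sorted(rules):
            if proto in (pkt.proto, "all") and lo <= pkt.dst_port <= hi \
                    and ip_address(remote_ip) in ip_network(cidr, strict=False):
                return action == "allow", rule_no
        return False, "*"

    def allows_inbound(self, pkt):
        return self._decide(self.inbound, pkt, pkt.src_ip)

    def allows_outbound(self, pkt):
        return self._decide(self.outbound, pkt, pkt.dst_ip)


def web_subnet_nacl(with_reply_rule):
    """NACL for the web subnet. Rule 50 blocks a range, something a security
    group cannot express. Without the outbound rule on ephemeral ports the
    server's HTTP responses never leave the subnet."""
    outbound = [(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")] if with_reply_rule else []
    return NetworkAcl(inbound=[(50, "tcp", "192.0.2.0/24", 0, 65535, "deny"),
                               (100, "tcp", "0.0.0.0/0", 80, 80, "allow")],
                      outbound=outbound)


def run_http_session(nacl):
    """Client 203.0.113.10 opens TCP/80 to web server 10.0.1.5; the server replies."""
    sg = SecurityGroup("sg-web", inbound=[("tcp", 80, 80, "0.0.0.0/0")])
    request = Packet("tcp", "203.0.113.10", 40000, "10.0.1.5", 80)
    reply = Packet("tcp", "10.0.1.5", 80, "203.0.113.10", 40000)
    return {"sg_request": sg.allows_inbound(request), "sg_reply": sg.allows_outbound(reply),
            "nacl_request": nacl.allows_inbound(request)[0], "nacl_reply": nacl.allows_outbound(reply)[0]}


def db_tier_reachable(src_groups):
    """DB security group admits 3306 only from members of sg-web, not from any IP."""
    db_sg = SecurityGroup("sg-db", inbound=[("tcp", 3306, 3306, "sg-web")])
    return db_sg.allows_inbound(Packet("tcp", "10.0.1.5", 51000, "10.0.2.9", 3306, frozenset(src_groups)))
```

Two things the model makes concrete: a security group cannot block a specific source, so a deny for a hostile range has to live in the NACL; and because the NACL keeps no state, forgetting the outbound rule for ports 1024-65535 silently breaks every inbound service in the subnet even though the security group still shows the connection as allowed.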