
In Depth: AWS Shared Security Model


Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (

Published in: Technology, Business


  1. AWS Shared Security (Larry Pizette)
  2. Dimensions of Shared Responsibility & Control
     1. Operation within the Service: The functions the customer controls and the configurations they choose (e.g., in EC2)
     2. Security Configurability: The tools AWS gives customers to configure their security stance (e.g., access policies, security groups)
     3. Security Features Which Span Services: Some security configuration features are global, others service-specific (e.g., IAM)
     4. Layered Security Controls: How customers can integrate their existing controls into AWS (e.g., Active Directory, Drupal user management)
  3. Dimension 1: Operation within the Service
     Customers may choose the controls they implement and the specific configurations/operations.
     - Example: EC2 instances
       - Manage root/administrative access to the guest OS
       - Install software
       - Start and stop services
       - Manage EC2 key pairs
     - Example: Relational Database Service
       - Administration of the RDBMS but not the OS
     - Example: DynamoDB
       - Fully managed service
       - Integrates with IAM
  4. Dimension 2: Security Configurability
     AWS services provide rich security controls tailored to each service; customers choose which to implement.
     - Example: VPC responsibility and control options
       - Configure security groups
       - Control network ACLs
       - Configure network routing
     - Example: S3 responsibility and control options
       - Rich support for IAM policies
       - Service-specific access controls
       - Logging
     - Example: RDS responsibility and control options
       - Configure database security groups
       - Database username and password management
  5. Dimension 3: Security Features Which Span Services
     Some security features are global, others service-specific. Choosing which is right for your application is critical.
     - Broader potential impact on other services
       - Example: Identity and Access Management can provide access to many other services
       - Example: EC2 can be used to access many services (see EC2 IAM roles)
     - Narrower potential impact on other services
       - Example: S3 provides a critical and foundational service for many other AWS services, but the impact of its security configuration is limited to the service itself
  6. Dimension 4: Layered Security Controls
     How customers can integrate their existing controls into AWS (typically implemented within EC2 instances). Examples:
     - Active Directory or ADFS within EC2
     - Encrypted file system on Elastic Block Storage (EBS)
     - OS-level firewalls (e.g., RHEL, Windows) or IDS systems
     - Virtual appliances (e.g., Checkpoint, Sophos, Xceedium)
     - Application-level security
     - Installing X.509 certificates in web servers
  7. Types of Access Credentials Used on AWS
     - Amazon Access Keys (for APIs)
       - REST/Query protocol requests (e.g., Java SDK)
     - Usernames and passwords for interactive scenarios
       - Management Console
     - X.509 certificates
       - SOAP access to some services
     - Amazon EC2 key pairs
       - Access to running EC2 instances
     - Amazon CloudFront key pairs
       - Create signed URLs to access private CloudFront content
       - Public key, private key, key pair ID
  8. EC2 Security Groups (SGs)
     - SGs specify the allowed inbound network traffic by port, protocol, and originating IP addresses
     - SGs are applied before traffic gets to the guest OS
     - EC2 instances can be assigned to Security Groups
     (Diagram: Physical Interfaces feed a Firewall that enforces the Security Groups of Customer 1, Customer 2, ... Customer n; the Hypervisor then presents separate Virtual Interfaces to Customer 1, Customer 2, ... Customer n.)
  9. MySQL RDS Security
     - Database Security Group
       - Acts like a firewall controlling network access
       - A DB Security Group can allow access from EC2 instances with specific EC2 Security Group/VPC Security Group membership, or from IP ranges
       - The same rules apply to all DB instances associated with the DB Security Group
     - Keys to access RDS APIs
       - X.509 certificates or AWS access keys
     - Database username and password
  10. S3 Security
     - Encryption in transit
       - HTTPS option to protect data in transit
     - Encryption at rest
       - Server side: AWS AES-256 bit encryption option
       - Client side: encrypt your data before it gets to AWS
     - Access control
       - Predefined ("canned")
       - Custom configured
  11. Amazon Virtual Private Cloud (VPC)
     - Create a logically isolated environment in Amazon's highly scalable infrastructure
     - Specify your private IP address range, divided into one or more public or private subnets
     - Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
     - Protect your instances with stateful filters for inbound and outbound traffic using Security Groups
     - Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
     - Bridge your VPC and your onsite IT infrastructure with an industry-standard encrypted VPN connection
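The stateful-versus-stateless distinction in slides 8 and 11 decides whether a single "allow inbound tcp/443" rule is enough for a web instance to answer its clients. The following Python model is an added example, not code from the slides or from AWS: it applies the same rule as a Security Group and as a Network ACL and shows that only the stateless NACL also needs an outbound rule for the client's ephemeral port. It assumes a constructed client address (198.51.100.7) and simplifies real NACLs (numbered allow/deny rules) and real Security Groups (default allow-all outbound) down to allow-only rule lists; nothing here calls the AWS API.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Allow rule: protocol, inclusive port range, and the remote CIDR it applies to."""
    proto: str
    port_from: int
    port_to: int
    cidr: str
    def matches(self, proto, port, addr):
        return (self.proto == proto and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr))

class NetworkAcl:
    """Stateless: inbound and outbound packets are each judged only against their own rules."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
    def inbound_allowed(self, proto, src, src_port, dst_port):
        return any(r.matches(proto, dst_port, src) for r in self.inbound)
    def outbound_allowed(self, proto, dst, src_port, dst_port):
        return any(r.matches(proto, dst_port, dst) for r in self.outbound)

class SecurityGroup(NetworkAcl):
    """Stateful: same rules, plus a connection table so replies to admitted flows pass."""
    def __init__(self, inbound, outbound):
        super().__init__(inbound, outbound)
        self.tracked = set()  # (proto, peer_addr, peer_port, local_port)
    def inbound_allowed(self, proto, src, src_port, dst_port):
        allowed = super().inbound_allowed(proto, src, src_port, dst_port)
        if allowed:
            self.tracked.add((proto, src, src_port, dst_port))
        return allowed
    def outbound_allowed(self, proto, dst, src_port, dst_port):
        return ((proto, dst, dst_port, src_port) in self.tracked  # reply to an admitted flow
                or super().outbound_allowed(proto, dst, src_port, dst_port))

CLIENT, CLIENT_PORT = "198.51.100.7", 50123  # constructed sample client on an ephemeral port

def https_flow_allowed(fw):
    """True only if the client's HTTPS request gets in AND the instance's reply gets out."""
    return (fw.inbound_allowed("tcp", CLIENT, CLIENT_PORT, 443)
            and fw.outbound_allowed("tcp", CLIENT, 443, CLIENT_PORT))

def compare():
    """The same 'allow tcp/443 from anywhere' rule applied three ways: SG, NACL, fixed NACL."""
    https_in = Rule("tcp", 443, 443, "0.0.0.0/0")
    ephemeral_out = Rule("tcp", 1024, 65535, "0.0.0.0/0")  # return-traffic rule a NACL needs
    return (https_flow_allowed(SecurityGroup([https_in], [])),
            https_flow_allowed(NetworkAcl([https_in], [])),
            https_flow_allowed(NetworkAcl([https_in], [ephemeral_out])))
```

`compare()` returns `(True, False, True)`: the Security Group lets the reply out with no outbound rule at all, the bare NACL silently drops it, and the NACL with the ephemeral-port rule works again.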
  12. VPC V1
  13. VPC V2
  14. Thank you!