Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Brief Security Overview


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Brief Security Overview

  1. 1. BRIEF SECURITY OVERVIEW CJ Moses Senior Manager, AWS Security [email_address]
  2. 2. AWS SECURITY RESOURCES <ul><li> </li></ul><ul><li>Security Whitepaper </li></ul><ul><li>Latest Version 11/09 </li></ul><ul><li>Updated bi-annually </li></ul><ul><li>Feedback is welcome </li></ul>
  3. 3. AWS CERTIFICATIONS <ul><li>Shared Responsibility Model </li></ul><ul><li>Sarbanes-Oxley (SOX) </li></ul><ul><li>SAS70 Type II Audit </li></ul><ul><li>Working on FISMA (NIST) C&A </li></ul><ul><li>Pursuing ISO 27001 Certification </li></ul><ul><li>Customers have deployed various compliant applications such as HIPAA (healthcare) and PCI DSS (credit card) </li></ul>
  4. 4. FAULT SEPARATION AND GEOGRAPHIC DIVERSITY Note: Conceptual drawing only. The number of Regions & Availability Zones may vary Availability Zone D Availability Zone A Availability Zone B US East Region (N. VA) Availability Zone A Availability Zone C Availability Zone B Amazon CloudWatch Auto Scaling Elastic Load Balancing
  5. 5. DATA BACKUPS <ul><li>Data stored in Amazon S3, Amazon SimpleDB, and Amazon EBS is stored redundantly in multiple physical locations </li></ul><ul><li>Amazon EBS redundancy remains within a single Availability Zone </li></ul><ul><li>Amazon S3 and Amazon SimpleDB replicate customer objects across storage systems in multiple Availability Zones to ensure durability </li></ul><ul><ul><li>Equivalent to more traditional backup solutions, but offers much higher data availability and throughput </li></ul></ul><ul><li>Data stored on Amazon EC2 local disks must be proactively copied to Amazon EBS and/or Amazon S3 for redundancy </li></ul>
  6. 6. AWS MULTI-FACTOR AUTHENTICATION A recommended opt-in security feature of your Amazon Web Services (AWS) account
  7. 7. AWS MFA BENEFITS <ul><li>Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you </li></ul><ul><li>Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console </li></ul><ul><li>Adds an extra layer of protection to sensitive information, such as your AWS access identifiers </li></ul><ul><li>Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data </li></ul>
  8. 8. AMAZON EC2 SECURITY <ul><li>Host operating system </li></ul><ul><ul><li>Individual SSH keyed logins via bastion host for AWS admins </li></ul></ul><ul><ul><li>All accesses logged and audited </li></ul></ul><ul><li>Guest operating system </li></ul><ul><ul><li>Customer controlled at root level </li></ul></ul><ul><ul><li>AWS admins cannot log in </li></ul></ul><ul><ul><li>Customer-generated keypairs </li></ul></ul><ul><li>Stateful firewall </li></ul><ul><ul><li>Mandatory inbound firewall, default deny mode </li></ul></ul><ul><li>Signed API calls </li></ul><ul><ul><li>Require X.509 certificate or customer’s secret AWS key </li></ul></ul>
  9. 9. AMAZON EC2 INSTANCE ISOLATION Physical Interfaces Customer 1 Hypervisor Customer 2 Customer n … … Virtual Interfaces Firewall Customer 1 Security Groups Customer 2 Security Groups Customer n Security Groups
  10. 10. NETWORK SECURITY CONSIDERATIONS <ul><li>DDoS (Distributed Denial of Service): </li></ul><ul><ul><li>Standard mitigation techniques in effect </li></ul></ul><ul><li>MITM (Man in the Middle): </li></ul><ul><ul><li>All endpoints protected by SSL </li></ul></ul><ul><ul><li>Fresh EC2 host keys generated at boot </li></ul></ul><ul><li>IP Spoofing: </li></ul><ul><ul><li>Prohibited at host OS level </li></ul></ul><ul><li>Unauthorized Port Scanning: </li></ul><ul><ul><li>Violation of AWS TOS </li></ul></ul><ul><ul><li>Detected, stopped, and blocked </li></ul></ul><ul><ul><li>Ineffective anyway since inbound ports </li></ul></ul><ul><ul><li>blocked by default </li></ul></ul><ul><li>Packet Sniffing: </li></ul><ul><ul><li>Promiscuous mode is ineffective </li></ul></ul><ul><ul><li>Protection at hypervisor level </li></ul></ul><ul><li>Configuration Management: </li></ul><ul><ul><li>Configuration changes are authorized, logged, tested, approved, and documented </li></ul></ul><ul><ul><li>Most updates are done in such a manner that they will not impact the customer </li></ul></ul><ul><ul><li>AWS will communicate with customers, either via email, or through the AWS Service Health Dashboard ( ) when there is a chance that their Service use may be affected. </li></ul></ul>
  11. 11. AMAZON VPC Customer’s Network Amazon Web Services Cloud Secure VPN Connection over the Internet Subnets Customer’s isolated AWS resources Router VPN Gateway
  12. 12. AMAZON VPC CAPABILITIES <ul><li>Create an isolated environment within AWS </li></ul><ul><li>Establish subnets to control who and what can access your resources </li></ul><ul><li>Connect your isolated AWS resources and your IT infrastructure via a VPN connection </li></ul><ul><li>Launch AWS resources within the isolated network </li></ul><ul><li>Use your existing security and networking technologies to examine traffic to/from your isolated resources </li></ul><ul><li>Extend your existing security and management policies within your IT infrastructure to your isolated AWS resources as if they were running within your infrastructure </li></ul>
  13. 13. SUPPORTED AWS FEATURES <ul><li>Currently </li></ul><ul><ul><li>Amazon EBS </li></ul></ul><ul><ul><li>Single AZ in us-east-1 </li></ul></ul><ul><ul><li>Amazon CloudWatch </li></ul></ul><ul><ul><li>On-Demand and Reserved Instances </li></ul></ul><ul><ul><li>Linux/UNIX and Windows </li></ul></ul><ul><li>Upcoming features </li></ul><ul><ul><li>Direct Internet access </li></ul></ul><ul><ul><li>Multiple AZs </li></ul></ul><ul><ul><li>Elastic IPs </li></ul></ul><ul><ul><li>Security groups </li></ul></ul><ul><ul><li>Amazon DevPay </li></ul></ul><ul><ul><li>Auto Scaling </li></ul></ul><ul><ul><li>Elastic Load Balancing </li></ul></ul>
  14. 14. VPC SUPPORTED DEVICES <ul><li>Cisco Integrated Services routers running Cisco IOS 12.4 (or later) software </li></ul><ul><li>Juniper J-Series routers running JunOS 9.5 (or later) software </li></ul><ul><li>or any device that : </li></ul><ul><li>Establishes IKE Security Association using Pre-Shared Keys </li></ul><ul><li>Establishes IPsec Security Associations in Tunnel mode </li></ul><ul><li>Utilizes the AES 128-bit encryption function </li></ul><ul><li>Utilizes the SHA-1 hashing function </li></ul><ul><li>Utilizes Diffie-Hellman Perfect Forward Secrecy in “Group 2” mode </li></ul><ul><li>Establishes Border Gateway Protocol (BGP) peerings </li></ul><ul><li>Binds tunnel to logical interface (route-based VPN) </li></ul><ul><li>Utilize IPsec Dead Peer Detection </li></ul>
  15. 15. AMAZON S3 SECURITY <ul><li>Access controls at bucket and object level: </li></ul><ul><ul><li>Read,Write, Full </li></ul></ul><ul><li>Owner has full control </li></ul><ul><li>SSL in transit </li></ul><ul><li>Owner should encrypt when stored </li></ul><ul><li>Time-limited URLs </li></ul><ul><li>Versioning (MFA Delete) </li></ul><ul><li>Detailed Access Logging </li></ul><ul><li>Storage Device Decommissioning </li></ul><ul><ul><li>DoD 5220.22-M/NIST 800-88 to destroy data </li></ul></ul>
  16. 16. THANK YOU [email_address]
  17. 17. © 2008-2009, Inc., or its affiliates. This presentation is provided for informational purposes only. Amazon Web Services LLC is not responsible for any damages related to the information in this presentation, which is provided “as is” without warranty of any kind, whether express, implied, or statutory. Nothing in this presentation creates any warranties or representations from Amazon Web Services LLC, its affiliates, suppliers, or licensors. This presentation does not modify the applicable terms and conditions governing your use of Amazon Web Services technologies, including the Amazon Web Services website. This presentation represents Amazon Web Services' current product offerings as of the date of issue of this document, which are subject to change without notice. This presentation is dated April 2010. Please visit to ensure that you have the latest version.