The document discusses cloud security features offered by AWS, including universal access to security capabilities for all customers, visibility into infrastructure, auditing capabilities, transparency through certifications, and a shared responsibility model between AWS and customers. It provides details on several security and compliance control objectives focused on areas like security organization, user access, logical security, data handling, physical security, change management, and incident handling. Finally, it discusses specific AWS security services and features like CloudHSM for key management and different deployment models.

1. Stephen Schmidt
VP, Security Engineering
Chief Information Security Officer

2. Cloud Security is:
• Universal
• Visible
• Auditable
• Transparent
• Shared
• Familiar

3. Universal Cloud Security
Every Customer Has Access to the Same Security Capabilities, and Gets
to Choose What’s Right for Their Business
• Governments
• Financial Sector
• Pharmaceuticals
• Entertainment
• Start-Ups
• Social Media
• Home Users
• Retail

4. Visible Cloud Security
AWS
allows
you
to
see
your
en#re
infrastructure
at
the
click
of
a
mouse.
Can
you
map
your
current
network?
This
Or
This?

5. Auditable Cloud Security
How
do
you
know
AWS
is
right
for
your
business?
- 3rd
Party
Audits
• Independent
auditors
- ArCfacts
• Plans,
Policies
and
Procedures
- Logs
• Obtained
• Retained
• Analyzed

6. Transparent Cloud Security
Choose the audit/certification that’s right
for you:
• ISO-27001
• SOC-1, SOC-2
• FedRAMP
• PCI

7. Control Objective 1: Security Organization
• Who we are
• Proper control & access within the organization
Control Objective 2: Amazon User Access
• How we vet our staff
• Minimization of access
Security & Compliance Control Objectives

8. Security & Compliance Control Objectives
Control Objective 3: Logical Security
• Our staff start with no systems access
• Need-based access grants
• Rigorous systems separation
• Systems access grants regularly re-evaluated & automatically revoked

9. Security & Compliance Control Objectives
Control Objective 4: Secure Data Handling
• Storage media destroyed before being permitted outside our datacenters
• Media destruction consistent with US Dept. of Defense Directive 5220.22
Control Objective 5: Physical Security and Environmental Safeguards
• Keeping our facilities safe
• Maintaining the physical operating parameters of our datacenters

10. Security & Compliance Control Objectives
Control Objective 6: Change Management
• Continuous Operation
Control Objective 7: Data Integrity, Availability and Redundancy
• Ensuring your data remains safe, intact & available
Control Objective 8: Incident Handling
• Processes & procedures for mitigating and managing potential issues

11. Shared Responsibility
• Let
AWS
do
the
heavy
liIing
• This
is
what
we
do
–
and
we
do
it
all
the
Cme
• As
the
AWS
customer
you
can
focus
on
your
business
and
not
be
distracted
by
the
muck
AWS
• FaciliCes
• Physical
Security
• Physical
Infrastructure
• Network
Infrastructure
• VirtualizaCon
Infrastructure
Customer
• Choice
of
Guest
OS
• ApplicaCon
ConfiguraCon
OpCons
• Account
Management
flexibility
• Security
Groups
• Network
ACLs

12. Physical Security
Distributed
Regions
–
MulCple
Availability
Zones
Asia%Pacific%(Sydney)%

13. Network Security
• DDoS attacks defended at the border
• Man in the Middle attacks
• SSL endpoints
• IP Spoofing prohibited
• Port scanning prohibited
• Packet Sniffing prevented

14. Amazon EC2 Security
Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
Guest operating system
• Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs
Stateful firewall
• Mandatory inbound firewall, default deny mode
Signed API calls
• Require X.509 certificate or customer’s secret AWS key

15. Amazon Virtual Private Cloud (VPC)
• Create a logically isolated environment in Amazon’s highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets using stateless
Network Access Control Lists
• Protect your Instances with stateful filters for inbound and outbound traffic using
Security Groups
• Bridge your VPC and your onsite IT infrastructure with an industry standard
encrypted VPN connection and/or AWS Direct Connect

16. Amazon VPC - Dedicated Instances
• Option to ensure physical hosts are not shared with other customers
• $10/hr flat fee per Region + small hourly charge
• Can identify specific Instances as dedicated
• Optionally configure entire VPC as dedicated

17. Customers have requirements that require them to use specific encryption
key management procedures not previously possible on AWS
• Requirements are based on contractual or regulatory mandates for keeping
encryption keys stored in a specific manner or with specific access controls
• Good key management is critical
Customers want to run applications and store data in AWS but previously had
to retain keys in HSMs in on-premises datacenters
• Applications may slow down due to network latency
• Requires several DCs to provide high availability, disaster recovery and durability
of keys
Customer Challenge: Encryption

18. • AWS offers several data protection mechanisms including access control,
encryption, etc.
• AWS CloudHSM complements existing AWS data protection and encryption
solutions
• With AWS CloudHSM customers can:
• Encrypt data inside AWS
• Store keys in AWS within a Hardware Security Module
• Decide how to encrypt data – the AWS CloudHSM implements
cryptographic functions and key storage for customer applications
• Use third party validated hardware for key storage
AWS Data Protection Solutions

19. HSM – Hardware Security Module
• A hardware device that performs cryptographic operations and key storage
• Used for strong protection of private keys
• Tamper resistant – keys are protected physically and logically
– If a tampering attempt is detected, the appliance destroys the keys
• Device administration and security administration are logically separate
– Physical control of the appliance does not grant access to the keys
• Certified by 3rd parties to comply with government standards for physical and
logical security:
– FIPS 140-2
– Common Criteria EAL4+
• Example vendors include: SafeNet, Thales
• Historically located in on-premises datacenters
HSM

20. What is AWS CloudHSM?
• Customers receive dedicated access to HSM appliances
• HSMs are physically located in AWS datacenters – in close network
proximity to Amazon EC2 instances
• Physically managed and monitored by AWS, but customers control their
own keys
• HSMs are inside customer’s VPC – dedicated to the customer and
isolated from the rest of the network
AWS
CloudHSM

21. AWS CloudHSM Service Highlights
• Secure Key Storage – customers retain control of their own keys and
cryptographic operations on the HSM
• Contractual and Regulatory Compliance – helps customers comply with
the most stringent regulatory and contractual requirements for key
protection
• Reliable and Durable Key Storage – AWS CloudHSMs are located in
multiple Availability Zones and Regions to help customers build highly
available applications that require secure key storage
• Simple and Secure Connectivity – AWS CloudHSMs are in the
customer’s VPC
• Better Application Performance – reduce network latency and increase
the performance of AWS applications that use HSMs

22. • Large Silicon Valley company: video DRM
• Start-up document rights management service: enterprise document protection
• Amazon Web Services: Root of trust for Public Key Infrastructure (PKI)
authentication system
• Very large financial services organization: Root of trust for key management
system for virtual machine authentication & encryption
Customer use cases

23. Key Storage & Secure Operations for AWS
CloudHSMs are in the customer’s VPC
and isolated from other AWS networksE
Secure key storage in tamper-resistant/
tamper-evident hardware available in
multiple regions and AZs
D
Application performance improves (due to
close network proximity with AWS
workloads)
C
Customers control and manage their own
keys
B
AWS manages the HSM appliance but
does not have access to customers’
keys
A
AWS
Amazon Virtual Private Cloud
AWS CloudHSM Amazon VPC Instance
SSL
Application
HSM Client
C
D
E
B
A

24. On-Premises Integration with AWS CloudHSM
HSM
Customers’ applications continue to
use standard crypto APIs
(PKCS#11, MS CAPI, JCA/JCE,
etc.).
SafeNet HSM client replaces
existing crypto service provider
libraries and connects to the HSM to
implement API calls in hardware
SafeNet HSM
Client
can
share
load
and
store
keys
redundantly
across
mulCple
HSMs
Key
material
is
securely
replicated
to
HSM(s)
in
the
customer’s
datacenter
B
A
C
D
AWS
Amazon
Virtual
Private
Cloud
AWS
CloudHSMAmazon
VPC
Instance
Corporate
Datacenter
SSL
VPN INTERNET
AWS
Direct
Connect
Application
HSM Client
A
C
D
B
SSL

25. AWS Deployment Models
Logical Server and
Application
Isolation
Granular
Information Access
Policy
Logical
Network
Isolation
Physical server
Isolation
Government Only
Physical Network and
Facility Isolation
ITAR Compliant
(US Persons
Only)
Sample Workloads
Commercial
Cloud ü
ü
Public
facing
apps.
Web
sites,
Dev
test
etc.
Virtual
Private
Cloud
(VPC)
ü
ü
ü
ü
Data
Center
extension,
TIC
environment,
email,
FISMA
low
and
Moderate
AWS
GovCloud
(US) ü
ü
ü
ü
ü
ü
US
Persons
Compliant
and
Government
Specific
Apps.

26. AWS Security Resources
• http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Regularly Updated
• Feedback is welcome

27. Thank you.

28. Bronze Sponsors
Silver Sponsors
Gold Sponsor