Thursday, March 10, 2016

AWS Security Whitepaper Overview

Shared Security Responsibility Model

In the Shared Security Responsibility Model, AWS is responsible for security *of* the cloud: the underlying infrastructure that runs AWS services. You are responsible for security *in* the cloud: anything you put on the cloud or connect to it, including its configuration.


AWS Security Responsibilities
  • Amazon Web Services is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS services.
  • AWS provides several reports from third-party auditors who have verified its compliance with a variety of computer security standards and regulations.
  • AWS is responsible for the security configuration of its products that are considered managed services, e.g. RDS and DynamoDB.
  • For managed services, AWS handles basic security tasks such as guest operating system (OS) and database patching, firewall configuration, and disaster recovery.
Customer Security Responsibilities
  • AWS Infrastructure as a Service (IaaS) products, e.g. EC2, VPC and S3, are completely under your control and require you to perform all of the necessary security configuration and management tasks.
  • For EC2 this means management of the guest OS (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.
  • For most managed services, all you have to do is configure logical access controls for the resources and protect your account credentials. A few may require additional tasks, such as setting up database user accounts, but overall the security configuration work is performed by the service.
 

AWS Global Infrastructure Security 

 

AWS Compliance Program
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:
  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
  • SOC 2
  • SOC 3
  • FISMA, DIACAP, and FedRAMP
  • DOD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001
  • ITAR
  • FIPS 140-2
  • MTCS Level 3
AWS also meets several industry-specific standards, including:
  • Criminal Justice Information Services (CJIS)
  • Cloud Security Alliance (CSA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Motion Picture Association of America (MPAA) 

 

Physical and Environmental Security 


Storage Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.


Network Security 


Amazon Corporate Segregation
The AWS production network is segregated from the Amazon corporate network and requires a separate set of credentials for logical access. The Amazon corporate network relies on user IDs, passwords, and Kerberos, while the AWS production network requires SSH public-key authentication through a bastion host.
Network Monitoring & Protection
AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts, and can be configured with custom thresholds on performance metrics so that unusual activity raises an alert.

The AWS network provides protection against traditional network security issues:
  1. DDoS - AWS uses proprietary DDoS mitigation techniques. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
  2. Man-in-the-middle (MITM) attacks - All AWS APIs are available via SSL-protected endpoints which provide server authentication. For your own instances, Amazon EC2 AMIs generate new SSH host keys on first boot and log their fingerprints to the instance console; retrieve the console output through the API and check the fingerprint before you log in to an instance for the first time, rather than blindly accepting whatever key the network presents.
  3. IP spoofing - Amazon EC2 instances cannot send spoofed network traffic: the AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
  4. Port scanning - Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. When unauthorized port scanning is detected by AWS, it is stopped and blocked. Port scans against EC2 instances are also largely ineffective by default, since all inbound ports on an instance are closed until you open them in a security group. Penetration and vulnerability testing may be performed only against your own instances, requires advance approval from AWS, and must not violate the AWS Acceptable Use Policy.
  5. Packet sniffing by other tenants - It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances owned by the same customer and located on the same physical host cannot listen to each other’s traffic. This protects you from other tenants only; as a standard practice you should still encrypt sensitive traffic yourself.
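The first-boot host key check described in point 2, as an added example in Python (this is not code from the whitepaper or from AWS tooling). It parses the fingerprint block that an instance writes to its system console at first boot (the text `aws ec2 get-console-output` returns), recomputes the OpenSSH SHA256 fingerprint from one line of `ssh-keyscan` output, and fails closed when the two differ or when the console shows no fingerprint for that key type. The hostname, key blob and console text are constructed sample data; the blob is arbitrary bytes rather than a real key.

```python
"""First-boot SSH host key verification for an EC2 instance.

Added example, not from the whitepaper or from AWS tooling. It compares the
host key an instance presents over the network (one line of `ssh-keyscan`
output) with the fingerprint the instance logged to the EC2 system console
on first boot (what `aws ec2 get-console-output` returns). All sample data
below is constructed: the key blob is arbitrary bytes, not a real key.
"""
import base64
import hashlib
import re

# "<bits> <fingerprint> <comment> (<TYPE>)" as cloud-init logs it, prefixed "ec2:".
_FP_LINE = re.compile(r"^ec2:\s+\d+\s+(SHA256:[A-Za-z0-9+/]+)\s+.*\((\w+)\)$")
# ssh-keyscan key type -> the type label printed on the console
_KEY_TYPES = {"ssh-rsa": "RSA", "ssh-ed25519": "ED25519", "ecdsa-sha2-nistp256": "ECDSA"}


def parse_console_fingerprints(console_text):
    """Return {TYPE: fingerprint} from the BEGIN/END SSH HOST KEY FINGERPRINTS block.

    Only lines inside that block are considered; anything else on the console is ignored.
    """
    fingerprints, in_block = {}, False
    for line in console_text.splitlines():
        line = line.strip()
        if line.endswith("-----BEGIN SSH HOST KEY FINGERPRINTS-----"):
            in_block = True
        elif line.endswith("-----END SSH HOST KEY FINGERPRINTS-----"):
            break
        elif in_block:
            m = _FP_LINE.match(line)
            if m:
                fingerprints[m.group(2)] = m.group(1)
    return fingerprints


def openssh_sha256_fingerprint(pubkey_b64):
    """The SHA256 fingerprint exactly as OpenSSH prints it: base64 of the raw digest, unpadded."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches_console(keyscan_line, console_text):
    """True only if the scanned key's fingerprint equals the one logged at first boot.

    Missing or unknown key types fail closed: never fall back to "accept and hope".
    """
    fields = keyscan_line.split()
    if len(fields) < 3:
        return False
    _host, key_type, blob = fields[:3]
    expected = parse_console_fingerprints(console_text).get(_KEY_TYPES.get(key_type))
    if expected is None:
        return False
    return expected == openssh_sha256_fingerprint(blob)


# --- constructed sample data -------------------------------------------------
SAMPLE_BLOB = base64.b64encode(bytes(range(32))).decode("ascii")   # stand-in for an ed25519 key
SAMPLE_KEYSCAN = "ec2-203-0-113-10.compute-1.amazonaws.com ssh-ed25519 " + SAMPLE_BLOB
TAMPERED_KEYSCAN = SAMPLE_KEYSCAN[:-8] + "AAAAAAAA"  # a different key, as a MITM would present
SAMPLE_CONSOLE = "\n".join([
    "ec2: #############################################################",
    "ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----",
    "ec2: 256 " + openssh_sha256_fingerprint(SAMPLE_BLOB) + " root@ip-10-0-0-12 (ED25519)",
    "ec2: 2048 " + openssh_sha256_fingerprint(base64.b64encode(bytes(64)).decode()) + " root@ip-10-0-0-12 (RSA)",
    "ec2: -----END SSH HOST KEY FINGERPRINTS-----",
    "ec2: #############################################################",
    "ec2: 256 SHA256:outsideTheBlockSoIgnored root@ip-10-0-0-12 (ECDSA)",
])

if __name__ == "__main__":
    print("genuine :", host_key_matches_console(SAMPLE_KEYSCAN, SAMPLE_CONSOLE))
    print("tampered:", host_key_matches_console(TAMPERED_KEYSCAN, SAMPLE_CONSOLE))
```

Run it before the first `ssh` to a new instance and, once it verifies, append the matching `ssh-keyscan` line to known_hosts. A key that cannot be verified (no block on the console yet, or a type the console does not list) should be treated as a failure, not as "probably fine".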

 

Secure Design Principles

AWS’s development process includes:
  • Secure software development best practices, including formal design reviews by the AWS Security Team, threat modeling, and completion of a risk assessment
  • Static code analysis tools run as a part of the standard build process
  • Recurring penetration testing performed by carefully selected industry experts

 

AWS Account Security Features

AWS account security features include credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate IAM user accounts, user activity logging for security monitoring, and Trusted Advisor security checks.

AWS Credentials
Individual User Accounts
Do not use the root account for day-to-day work. Instead, create an IAM user for each person, give each a unique set of credentials, and grant only the least privilege required to perform their job function.

Secure HTTPS Access Points
Use HTTPS for data transmission. HTTPS uses public-key cryptography to prevent eavesdropping, tampering, and forgery, and is provided by all AWS services.
 
Security Logs
Use AWS CloudTrail, which provides logs of all requests for AWS resources within your account: it captures information about every API call to every AWS resource you use, including sign-in events.
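Added example (not from the whitepaper) tying the two points above together: detection logic run over CloudTrail records that flags any use of the root account, console sign-ins without MFA, password guessing against the console, and a burst of AccessDenied errors from one identity. The records are constructed in the CloudTrail event shape (a log file is a JSON object with a "Records" array); the account ID, ARNs and addresses are documentation/TEST-NET values, and the two thresholds are assumptions to tune against your own baseline.

```python
"""Detection logic over AWS CloudTrail records.

Added example, not from the whitepaper. It flags the things this section
warns about: any use of the root account, console sign-ins without MFA,
password guessing against the console, and a burst of AccessDenied errors
from one identity. Every record below is constructed in the CloudTrail
event shape (a log file is a JSON object with a "Records" array); the
account ID, ARNs and IPs are documentation/TEST-NET values, not real ones.
"""
import json
from collections import Counter

FAILED_LOGIN_THRESHOLD = 3    # assumption: tune both thresholds to your own baseline
ACCESS_DENIED_THRESHOLD = 5


def load_records(log_text):
    """Records from one (already gunzipped) CloudTrail log file."""
    return json.loads(log_text)["Records"]


def analyze_cloudtrail(records):
    """Return a list of findings, each a dict with a "rule" key."""
    findings = []
    failed_logins = Counter()   # sourceIPAddress -> failed ConsoleLogin count
    denied = Counter()          # identity -> AccessDenied / UnauthorizedOperation count
    for r in records:
        ident = r.get("userIdentity") or {}
        who = ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")
        ip = r.get("sourceIPAddress")
        if ident.get("type") == "Root":
            findings.append({"rule": "ROOT_USAGE", "who": who, "event": r.get("eventName"),
                             "ip": ip, "time": r.get("eventTime")})
        if r.get("eventName") == "ConsoleLogin":
            # responseElements is null on many failed calls, hence the `or {}`
            success = (r.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa = (r.get("additionalEventData") or {}).get("MFAUsed")
            if success and mfa != "Yes":
                findings.append({"rule": "CONSOLE_LOGIN_NO_MFA", "who": who, "ip": ip,
                                 "time": r.get("eventTime")})
            elif not success:
                failed_logins[ip] += 1
        if r.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"):
            denied[who] += 1
    for ip, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "CONSOLE_BRUTE_FORCE", "ip": ip, "failures": n})
    for who, n in denied.items():
        if n >= ACCESS_DENIED_THRESHOLD:
            findings.append({"rule": "ACCESS_DENIED_SPIKE", "who": who, "denials": n})
    return findings


# --- constructed sample log ---------------------------------------------------
_ACCOUNT = "111122223333"
_ROOT = {"type": "Root", "principalId": _ACCOUNT, "arn": f"arn:aws:iam::{_ACCOUNT}:root",
         "accountId": _ACCOUNT}


def _user(name):
    return {"type": "IAMUser", "principalId": "AIDAEXAMPLE" + name.upper(),
            "arn": f"arn:aws:iam::{_ACCOUNT}:user/{name}", "accountId": _ACCOUNT, "userName": name}


def _event(name, ident, ip, **fields):
    rec = {"eventVersion": "1.05", "eventTime": "2016-03-10T09:15:00Z",
           "eventSource": "signin.amazonaws.com" if name == "ConsoleLogin" else "ec2.amazonaws.com",
           "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "userAgent": "console.amazonaws.com", "userIdentity": ident}
    rec.update(fields)
    return rec


SAMPLE_LOG = json.dumps({"Records": [
    # root signs in to the console without MFA: two findings
    _event("ConsoleLogin", _ROOT, "198.51.100.23",
           responseElements={"ConsoleLogin": "Success"},
           additionalEventData={"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"}),
    # alice signs in with MFA and lists instances: clean
    _event("ConsoleLogin", _user("alice"), "203.0.113.5",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _event("DescribeInstances", _user("alice"), "203.0.113.5", responseElements=None),
    # three failed sign-ins as bob from one address: password guessing
    *[_event("ConsoleLogin", _user("bob"), "192.0.2.44", errorMessage="Failed authentication",
             responseElements={"ConsoleLogin": "Failure"}) for _ in range(3)],
    # a deploy user probing APIs it has no rights to: AccessDenied spike
    *[_event(api, _user("ci-deploy"), "203.0.113.77", errorCode="AccessDenied",
             responseElements=None) for api in
      ("DescribeInstances", "RunInstances", "CreateUser", "ListUsers", "GetAccountSummary")],
]})

if __name__ == "__main__":
    for finding in analyze_cloudtrail(load_records(SAMPLE_LOG)):
        print(finding)
```

The same function runs unchanged over a real delivery: gunzip the objects CloudTrail writes to your S3 bucket and pass each file's text to `load_records`. The ROOT_USAGE rule is deliberately unconditional; once IAM users exist, any root activity is worth a human look.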

Trusted Advisor Security Checks
Use the Trusted Advisor service, which inspects your AWS environment and makes recommendations where opportunities exist to save cost, improve system performance, or close security gaps (for example, security groups that leave ports open to the whole Internet, or a root account without MFA).
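One of the checks in Trusted Advisor's security category looks for security groups that allow unrestricted access (0.0.0.0/0) to specific ports. As an added example, and not Trusted Advisor's own implementation, here is that check written offline in Python over input shaped like `aws ec2 describe-security-groups` output. The sample groups are constructed, and the allow-list of ports that may be world-open (TCP 80 and 443 only) is an assumption to adjust for your environment.

```python
"""Trusted Advisor-style check: security group ingress open to the whole Internet.

Added example, not Trusted Advisor's own implementation. Input is constructed in
the shape `aws ec2 describe-security-groups` returns. A rule is reported when a
0.0.0.0/0 or ::/0 source reaches anything other than TCP 80/443 (that allow-list is
an assumption to adjust; the real check has its own list of expected public ports).
"""
import ipaddress

PUBLIC_OK_PORTS = {80, 443}   # assumption: TCP ports that may legitimately be world-open


def _is_world(cidr):
    """0.0.0.0/0 and ::/0 are the only networks with a zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm):
    """(lo, hi) for a rule; IpProtocol "-1" means all traffic and carries no ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def audit_security_groups(describe_output):
    """Return one finding per ingress rule that exposes non-web ports to the world."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):          # ingress only
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "udp", "-1"):
                continue                                 # icmp etc.: no port exposure to judge
            world = [r["CidrIp"] for r in perm.get("IpRanges", []) if _is_world(r["CidrIp"])]
            world += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if _is_world(r["CidrIpv6"])]
            if not world:
                continue                                 # restricted source, or group-to-group only
            lo, hi = _port_range(perm)
            if proto == "tcp" and set(range(lo, hi + 1)) <= PUBLIC_OK_PORTS:
                continue                                 # e.g. exactly tcp/443 to 0.0.0.0/0
            findings.append({
                "GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                "protocol": "all" if proto == "-1" else proto,
                "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                "open_to": world,
            })
    return findings


# --- constructed sample (describe-security-groups shape, trimmed) -------------
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60002"}]}]},
]}

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE):
        print(finding)
```

Against the constructed data only the legacy-db group is reported: MySQL open to all of IPv4, and an all-traffic rule open to all of IPv6. The web group's world-open 80/443 and the bastion's office-only SSH pass, as does SSH referenced from another security group. Egress rules and network ACLs are out of scope here and need their own checks.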

Exam Scenario Questions

  1. In the shared security model, AWS is responsible for which of the following security best practices (check all that apply):
    • Penetration testing
    • Operating system account security management
    • Threat modeling
    • User group access management
    • Static code analysis 
  2. You are running a web application on AWS consisting of the following components: an Elastic Load Balancer (ELB), an Auto Scaling group of EC2 instances running Linux/PHP/Apache, and a Relational Database Service (RDS) MySQL instance. Which security measures fall under AWS’s responsibility?
    • Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access
    • Protect against IP spoofing or packet sniffing
    • Assure all communication between EC2 instances and the ELB is encrypted
    • Install the latest security patches on the ELB, RDS and EC2 instances
  3. In AWS, which security aspects are the customer’s responsibility? Choose 4 answers
    • Controlling physical access to compute resources
    • Patch management on the EC2 instances operating system
    • Encryption of EBS (Elastic Block Storage) volumes
    • Life-cycle management of IAM credentials
    • Decommissioning storage devices
    • Security Group and ACL (Access Control List) settings 
  4. Per the AWS Acceptable Use Policy, penetration testing of EC2 instances: 
    • May be performed by AWS, and will be performed by AWS upon customer request.
    • May be performed by AWS, and is periodically performed by AWS.
    • Is expressly prohibited under all circumstances.
    • May be performed by the customer on their own instances with prior authorization from AWS.
    • May be performed by the customer on their own instances, only if performed from EC2 instances

75 comments:

  1. Amazon Web Services (AWS) BGP
    This video demonstrates how to configure Amazon Web Services BGP to set up a VPN between a Check Point Security Gateway and Amazon VPC.
    http://www.s4techno.com/blog/2015/12/24/amazon-web-services-aws-bgp/

  2. Thanks for providing this informative information; you may also refer to:
    http://www.s4techno.com/blog/2016/08/10/interview-questions-of-aws/

  3. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging…
    Aws Online Training

  4. Appreciation for really being thoughtful and also for deciding on certain marvelous guides most people really want to be aware of.
    AWS Training in Bangalore

  6. Thanks for sharing the link. AWS is the most widely used cloud service all over the world and it is very secure to work with. According to my research, 24x7 server support is the best AWS management services provider.

  7. The above article is very informative, thank you for sharing it with us. For more info on Amazon Web Services, please look once at our AWS online training.
  10. I appreciate your work on AWS. It's such a wonderful read on AWS. Keep sharing stuff like this. I am also educating people on similar technologies, so if you are interested to know more you can watch this:
    https://www.youtube.com/watch?v=okS4N1xRCDM

  11. Wow, super blog, thanks for sharing; keep us updated with new and more updates. If you want more updates on AWS fast: AWS Online Training Bangalore

  12. It is really a great work and the way in which you are sharing the knowledge about AWS DR solutions is excellent.

  13. This concept is a good way to enhance the knowledge. Thanks for sharing; please keep it up.
    salesforce Online course Bangalore

  14. Very nice information, thanks for providing. AWS Online Training

  15. Thanks for sharing this in here. You are running a great blog, keep up this good work.
    AWS Training in chennai | AWS Training institute in velachery

  16. Really it was an awesome article… very interesting to read…
    Thanks for sharing.........
    Salesforce online training in Bangalore

  17. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.
    Python Training in electronic city: https://www.emexotechnologies.com/courses/other-technology-trainings/python-training/
    DataScience with Python Training in electronic city: https://www.emexotechnologies.com/courses/big-data-analytics-training/data-science-with-python-training/
    AWS Training in electronic city: https://www.emexotechnologies.com/courses/cloud-computing-training/amazon-web-services-aws-training/
    Big Data Hadoop Training in electronic city: https://www.emexotechnologies.com/courses/big-data-analytics-training/big-data-hadoop-training/
    Devops Training in electronic city: https://www.emexotechnologies.com/courses/other-technology-trainings/devops-training/

  18. This is very interesting and useful for many learners. Thanks for sharing this valuable post.
    AWS Training in Hyderabad
    AWS Training in Ameerpet

  19. This is a great blog. If you want to know more about this, visit here: AWS Security.

  20. Nice and good article. It is very useful for me to learn and understand easily. Thanks for sharing your valuable information and time. Please keep updating. IOT Online Training
  22. Amazon has a simple web services interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web. Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow. For more information visit:
    aws online training | aws training in hyderabad | aws online training in hyderabad

  23. There is a good blog and huge series on this blog. I am very pleased with the good idea on this blog and thank you for using the best method on this blog.
    Get online Training in AWS Development

  24. Excellent Submit! Many thanks a great deal regarding revealing this kind of quite submit, it absolutely was so excellent to learn Hipaa Compliance Aws and also beneficial to increase my own information since up to date a single, retain blogging….

  25. Thanks for such a great post and the review, I am totally impressed! Keep stuff like this coming.
    machine learning course in bangalore

  26. Good Post. I like your blog. Thanks for Sharing
    AWS Course in Noida

  27. I am so happy after reading your blog. It’s a very useful blog for us.
    php professional training center in Noida

  28. Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!

  29. I am so happy after reading your blog. It’s a very useful blog for us.
    Corporate training for employees

  30. Thank you for sharing. The data that you provided in the blog is informative and effective. aws training in bangalore
  31. Thanks for the nice blog. It was very useful to me. I am happy I found this blog. Thank you for sharing with us, I always learn something new from your post. Oracle apps training in Noida

  32. Great job for publishing such a beneficial web site. Your web log isn’t only useful but it is additionally really creative too. This is a very well written article. I will be sure to bookmark it and come back to read more of your useful information. Oracle certified institutes

  33. I've been following your weblog for a while now and finally got the courage to go ahead and give you a shoutout from Dallas, Texas! Just wanted to mention keep up the great work! I’ve been surfing online greater than 3 hours nowadays, yet I never found any fascinating article like yours. It is pretty value sufficient for me.
    Python training in Noida

  34. I think this is a useful post and it is valuable and learned. I simply want to tell you that I am new to weblog and definitely liked this blog site.
    Android training institute

  35. Saved as a favorite, I really like your blog! Hola! I've been following your weblog for a while now and finally got the courage to go ahead and give you a shout out from Dallas, Texas! Just wanted to mention keep up the great work! I’ve been surfing online greater than 3 hours nowadays, yet I never found any fascinating article like yours. It is fairly value sufficient for me. In my opinion, if all webmasters and bloggers made good content as you probably did, the web will likely be a lot more useful than ever before. It’s my first visit to this blog, it seems that you are fond of writing since so long because the selection of topics is so nice also the information which you have mentioned here is real and impressive. Really appreciate. Artificial intelligence classes in noida

  36. It's useful. Please keep me posted for more updates. Hey, really great stuff! I didn't know much about that topic before reading this. I think this is a useful post and it is valuable and learned. I simply want to tell you that I am new to weblog and definitely liked this blog site. Very likely I’m going to bookmark your blog. You absolutely have wonderful stories. Cheers for sharing with us your blog. Cloud Computing training in noida

  37. You absolutely have wonderful stories. Cheers for sharing with us your blog. When I am searching for a different sort of information, at that time I found your blog. Great information sharing. I am very happy to read this article... thanks for giving us go through info. Fantastic, nice. I appreciate this post. Awesome Article. Keep sharing amazing posts on. Node Js classes in noida

  38. I’m going to bookmark your blog. You absolutely have wonderful stories. Cheers for sharing with us your blog. When I am searching for a different sort of information, at that time I found your blog. Great information sharing... I am very happy to read this article... thanks for giving us go through info. Fantastic, nice. I appreciate this post.
    CCNA certification training

  39. I've been following your weblog for a while now and finally got the courage to go ahead and give you a shout out from Dallas, Texas! Just wanted to mention keep up the great work!
    6 months training
  40. Best QA / QC Course in India, Hyderabad. sanjaryacademy is a well-known institute. We offer professional engineering courses like Piping Design Course, QA / QC Course, Document Controller Course, Pressure Vessel Design Course, Welding Inspector Course, Quality Management Course, #Safety officer course.
    QA / QC Course
    QA / QC Course in india
    QA / QC Course in hyderabad

  41. This is a very well written article. I will be sure to bookmark it and come back to read more of your useful information. Amazon web services developer training

  42. Great Post and thanks for sharing this info with us. Waiting for more like this.
    AWS Technical Essentials Training

  43. Very nice job... Thanks for sharing this amazing ExcelR Machine Learning Course Pune and educative blog post!

  44. Good Post! It was so good to read and useful to improve my knowledge as an updated one, keep blogging. After seeing your article I want to say that it is also a well-written article with some very good information which is very useful for the readers... thanks for sharing it and do share more posts like this.
    AWS Training

  45. Really easily understandable one. The students can obtain help from the professional and expert authorities with abundant knowledge. The examples that you gave above are easy to learn. Thank you for such a useful blog.
    Aws Training in Chennai
    Aws Training in Velachery
    Aws Training in Tambaram
    Aws Training in Porur
    Aws Training in Omr
    Aws Training in Annanagar

  46. I'm here to learn more about AWS. Thanks for sharing.
    Here you can check DevOps Online Training.
    aws Online Training

  47. Thank you for sharing wonderful information with us to get some idea about it.
    Workday Integration Course India
    Workday Online Integration Course
  48. There are different methods to keep web applications safe from being harmed. But before implementing web application penetration testing services, here are some points which every web application penetration testing company in dubai considers.

  49. If you want to have services for DDoS and Web Application in Abu Dhabi, then Securium Solutions is the best DDoS and Web Application Company in Abu Dhabi.

  50. If you are looking for the company that validates PCI DSS Compliance in Abu Dhabi, then you can totally count on Securium Solutions for such accountancy.

  52. What a really awesome post this is. Truly, one of the best posts I've ever witnessed to see in my whole life. Wow, just keep it up.
    data science training in malaysia

  53. I will truly value the essayist's decision for picking this magnificent article fitting to my matter. Here is a profound depiction about the article matter which helped me more.
    best data science training in hyderabad

  54. It's essential to comprehend the Shared Security Responsibility Model of AWS. Users are given the ability to fully utilize the cloud while being reminded of their responsibility to protect their data and apps.
    Data Analytics Courses in India

  55. Hello Blogger,
    This AWS Security Whitepaper provides a comprehensive overview of the shared security responsibility model, outlining the division of responsibilities between AWS and the customer. It also delves into various security aspects, such as network security, secure design principles, and AWS account security features. A valuable resource for understanding AWS security best practices.
    Data Analytics Courses in Nashik

  56. This write-up serves as an excellent reference for anyone seeking a solid understanding of AWS security concepts. It provides a well-organized and informative overview of AWS security practices, and the inclusion of exam questions is a helpful bonus.
    Data Analytics Courses In Dubai

  57. Understanding AWS's Shared Security Responsibility Model is crucial. The option to fully utilise the cloud is provided to users, but they are also reminded of their obligation to protect their data and programmes.
    Data Analytics Courses in Agra

  58. Thank you so much for posting this wonderful blog on the AWS security whitepaper overview.
    Visit - Data Analytics Courses in Delhi

  59. The blog post incredibly shares a comprehensive overview of the AWS Security Whitepaper.
    Digital Marketing Courses in Italy

  60. I want to thank you for the efforts you made to write this awesome article. This article inspired me to read more. Keep it up. Very nice blogs.
    Data analytics framework