Amazon Web Services Cloud Security
Cloud security ranks very high on the list of concerns for potential Cloud users. AWS has gone to great lengths to address these concerns and approaches security on multiple levels:
• physical security
• providing secure data and services
Cloud security is shared between the cloud service provider and the customer, so both parties are responsible for managing and securing their part of the IT environment. AWS provides a highly secure and controlled platform with many security features that customers can use. AWS manages and controls the host operating system, the virtualization layer and the physical security of the facilities in which the service operates.
The following are excerpts from AWS materials that illustrate the depth and sophistication of these security capabilities.
It is the customer's responsibility to configure the environment so that it is safe to use. The customer assumes responsibility for and management of, among other things, the guest operating system. Customers can enhance or tailor security by using technologies such as host-based firewalls, host-based intrusion detection/prevention, encryption and key management.
AWS uses the techniques detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process. If a hardware device cannot be decommissioned using these procedures, the device is degaussed or physically destroyed in accordance with industry-standard practices.
Amazon EC2 locations are composed of regions and Availability Zones. Availability Zones are distinct locations that are engineered to be insulated from failures in other Availability Zones and provide inexpensive, low-latency network connectivity to other Availability Zones in the same region.
Identity and access management
IAM enables you to create and manage users in AWS, and it also enables you to grant access to AWS resources to users managed outside of AWS in your corporate directory.
IAM enables identity federation between your corporate directory and AWS services. This enables you to use your existing corporate identities to grant secure and direct access to AWS resources, such as S3 buckets, without creating a new AWS identity for those users.
Multi-Factor Authentication (MFA)
It is an opt-in feature that requires a valid six-digit, single-use code from an authentication device in your physical possession, in addition to your standard AWS credentials, before access is granted.
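The following is an added example, not AWS code, of how a service can check the kind of six-digit, single-use code described above. It assumes the authentication device is an RFC 6238 TOTP token (the text does not name the algorithm); the secret and timestamps are the RFC's published test values.

```python
"""Verify a six-digit, single-use TOTP code (RFC 6238). Added example; the
token algorithm is assumed, and the secret below is a constructed test key."""
import hashlib
import hmac
import struct
import time

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte time counter, then the RFC 4226
    dynamic truncation, reduced to the requested number of decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class MfaVerifier:
    """Accepts the code for the current time step or one step either side
    (clock skew), and never accepts a step twice, so a code is single-use."""
    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step = secret, step
        self.last_used_step = -1  # highest time step already consumed

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        for delta in (0, -1, 1):
            step = now // self.step + delta
            if step <= self.last_used_step:
                continue  # replay: this step (or an earlier one) was used
            expected = totp(self.secret, step * self.step, self.step)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_used_step = step
                return True
        return False
```

Compare the two `verify` calls for the same code in a row: the second one fails even though the clock has not moved, which is what makes the code single-use.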
AWS Application Programming Interface (API) endpoints are hosted on large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world’s largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
When unauthorized port scanning is detected, it is stopped and blocked.
Packet sniffing by other tenants
It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them.
Host Operating System
Administrators with a business need to access the management plane are required to use multifactor authentication to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane of the cloud. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems are revoked.
Guest Operating System
Virtual instances are completely controlled by the customer. Customers have full root access or administrative control over accounts, services, and applications.
Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny-all mode, and Amazon EC2 customers must explicitly open the ports needed to allow inbound traffic. The traffic may be restricted by protocol, by service port, and by source IP address (an individual IP or a Classless Inter-Domain Routing (CIDR) block).
The guest OS has no elevated access to the CPU.
Different instances running on the same physical machine are isolated from each other via the Xen hypervisor.
Virtual Private Cloud
Each VPC is a distinct, isolated network within the cloud. Security within Amazon Virtual Private Cloud begins with the very concept of a VPC and extends to include security groups, network access control lists (ACLs), routing, and external gateways. Each of these items contributes to a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network.
VPC allows customers to launch Amazon EC2 instances that are physically isolated at the host hardware level: they run on single-tenant hardware. A VPC can be created with 'dedicated' tenancy, in which case all instances launched into the VPC use this feature. Alternatively, a VPC may be created with 'default' tenancy, and customers may specify 'dedicated' tenancy for particular instances launched into it.
Network Access Control Lists
To add a further layer of security within Amazon VPC, customers can configure Network ACLs. These are stateless traffic filters that apply to all traffic inbound to or outbound from a subnet within the VPC.
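The difference between the two filters described above (the default-deny, stateful instance firewall and the stateless Network ACL) is easy to get wrong in practice, so here is an added toy model of both, not AWS code. Addresses and ports are constructed; the model keeps only the protocol, port and CIDR matching the text mentions.

```python
"""Toy model of the two VPC filters: a security group is a default-deny
inbound allow-list whose replies pass implicitly (stateful); a network ACL
is stateless, so return traffic needs its own outbound rule. Added example."""
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp" or "udp"
    ports: range  # destination port range
    cidr: str     # peer CIDR (source for inbound, destination for outbound)
    def matches(self, proto, port, peer):
        return (proto == self.proto and port in self.ports
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))

@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)  # no rules => deny all inbound
    flows: set = field(default_factory=set)      # connections already admitted
    def inbound_allowed(self, proto, dport, src, sport):
        if any(r.matches(proto, dport, src) for r in self.inbound):
            self.flows.add((proto, src, sport, dport))
            return True
        return False
    def outbound_allowed(self, proto, dst, dport, sport):
        # Stateful: a reply to an admitted connection needs no outbound rule.
        return (proto, dst, dport, sport) in self.flows

@dataclass
class NetworkAcl:
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    def inbound_allowed(self, proto, dport, src):
        return any(r.matches(proto, dport, src) for r in self.inbound)
    def outbound_allowed(self, proto, dport, dst):
        # Stateless: nothing is remembered, so the reply to the client's
        # ephemeral port passes only if an outbound rule covers that port.
        return any(r.matches(proto, dport, dst) for r in self.outbound)

def https_exchange(sg, acl, client="203.0.113.7", cport=51000):
    """Client -> instance:443, then the instance's reply back to the client."""
    return {
        "sg_request": sg.inbound_allowed("tcp", 443, client, cport),
        "sg_reply": sg.outbound_allowed("tcp", client, cport, 443),
        "acl_request": acl.inbound_allowed("tcp", 443, client),
        "acl_reply": acl.outbound_allowed("tcp", cport, client),
    }
```

With an ACL that only allows inbound 443, the request is admitted by both filters but the reply is dropped by the ACL; adding an outbound rule for the ephemeral port range (1024-65535) fixes it.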
AWS is compliant with various certifications and third-party attestations. These include:
• SAS70 Type II. This report includes the detailed controls AWS operates, along with an independent auditor's opinion about the effective operation of those controls.
• PCI DSS Level 1. AWS has been independently validated to comply with the PCI Data Security Standard as a shared host service provider.
• ISO 27001. AWS has achieved ISO 27001 certification of the Information Security Management System (ISMS) covering infrastructure, data centers, and services.