Amazon Web Services (AWS) has made a special effort in its marketing to present AWS as "safe". Even the U.S. government is starting to migrate some of its IT operations to Amazon. Amazon has a special "region" for the U.S. government, AWS GovCloud, which has its own regulatory and compliance requirements for sensitive data.
Let us take a look at what security AWS has to offer, so you can decide whether it is good enough for your use.
Shared Security Model
Depending on the features used, Amazon does not have full control over the applications running on its infrastructure. Amazon presents a "shared" security model: for whatever is under Amazon's control and/or management, Amazon provides world-class security and compliance. For the portion under the customer's control, such as applying security patches and updates to the Microsoft Windows operating system, it is the customer's responsibility to keep that portion safe, while Amazon provides as much assistance and as many resources as it can to help the customer accomplish that task.
Amazon also provides the ability for customers to prove regulatory compliance with standards such as HIPAA, ISO 27001, etc. For AWS compliance, we can go to this website for more information. Penetration testing can be performed by the customer (with written approval) to validate whether their resources in the AWS infrastructure are secure.
Security provided by AWS can be looked at in 4 areas:
- AWS Infrastructure Security
- AWS Access Security
- AWS Account Security
- AWS Service-specific Security
Let's take a quick look at these 4 areas.
AWS Infrastructure Security
As described in my last post, the AWS infrastructure is divided into Regions, Availability Zones and Edge Locations.
Regions are defined geographically and can be thought of as physical data centers. According to Amazon's security web site, these data centers are highly secured physically, with security guards on duty 24x7, state-of-the-art electronic surveillance and multi-factor access control systems. AWS has a strong incident-response team to address any kind of failure within the AWS infrastructure.
As the name suggests, Availability Zones are defined such that they are physically separated within a typical metropolitan area. This helps provide data availability in case of the loss of a data center. Data availability is one of the 3 main security aspects.
The network is part of the AWS infrastructure. Security Groups (virtual firewalls that control the traffic for one or more instances) are deployed for EC2. There are also dedicated fiber links between regions and, if necessary, a customer can pay for a dedicated link from the customer's location into AWS's local region. Security certificates and/or SSL are used for access into AWS, whether via web access or the API.
AWS Access Security
AWS separates its production network from its corporate network, which minimizes the risk of a rogue AWS employee gaining access to customer data. AWS employees who need access to any component of the AWS infrastructure must obtain written approval and go through the AWS Access Management System. AWS employees are required to have criminal background checks.
AWS Account Security
To follow security best practice, AWS provides customers with the ability to create user accounts with different roles, such that each account is granted the least amount of privilege, via the AWS Identity and Access Management system (AWS IAM).
Also, AWS provides features such as:
- Key Management and rotation
- Temporary Security credentials
- Multi-factor Authentication (MFA)
for additional access security. These are all industry security best practices. Security certificates are used heavily in AWS, and rotating access keys and certificates is just like changing a user's password. Most enterprises with Microsoft Active Directory mandate that users change their passwords at a configured interval. Also, multi-factor authentication such as the use of an access token minimizes the risk of a compromised user password, because an attacker would also have to possess the access token to gain access to AWS.
AWS Service-specific Security
Each AWS service has security built in. Since AWS has a long list of services, we cannot go into specific detail as to how each service provides security for the user. For a more detailed description of service-specific security, go to http://aws.amazon.com/security to get the latest version of the "AWS: Overview of Security Processes".