Sunday, November 23, 2014

Amazon Web Services Part 2: Security Offerings

In the early days of cloud computing, the major stumbling block for moving to the public cloud has been SECURITY.

Amazon Web Services (AWS) has made a special effort in its marketing to present AWS as "safe". Even the U.S. government is starting to migrate some of its IT operations to Amazon. Amazon has a special "region" for the U.S. government, AWS GovCloud, which meets that government's specific regulatory and compliance requirements for sensitive data.

Let us take a look at what security AWS has to offer, and you can decide whether it is good enough for you to use.

Shared Security Model
Depending on the features used, Amazon does not have full control over the applications running on its infrastructure. Amazon therefore presents a "shared" security model: for whatever is under Amazon's control and/or management, Amazon provides world-class security and compliance. For the portion under the customer's control, such as applying security patches and updates to a Microsoft Windows operating system, it is the customer's responsibility to keep that portion safe, while Amazon provides as much assistance and as many resources as it can for the customer to accomplish that task.

Amazon also provides the ability for the customer to prove regulatory compliance such as HIPAA, ISO 27001, etc. For AWS compliance we can go to this website for more information. Penetration testing can be performed by the customer (with written approval) to validate whether their resources in the AWS infrastructure are secure.

AWS Security
Security provided by AWS can be looked at in 4 areas:
  1. AWS Infrastructure Security
  2. AWS Access Security
  3. AWS Account Security
  4. AWS Service-specific Security

Let's take a quick look at these 4 areas.

AWS Infrastructure Security
As described in my last post, the AWS infrastructure is divided into Regions, Availability Zones and Edge Locations.

Regions are defined geographically and can be thought of as physical data centers. According to Amazon's security web site, these data centers are highly secured physically, with security guards on duty 24x7, state-of-the-art electronic surveillance and multi-factor access control systems. AWS has a strong incident-response team to address any kind of failure within the AWS infrastructure.

As the name suggests, Availability Zones are defined such that they are physically separated within a typical metropolitan area. This helps to provide data availability in case a data center is lost. Availability is one of the three main aspects of security.

The network is part of the AWS infrastructure. Security Groups (virtual firewalls that control the traffic for one or more instances) are deployed for EC2. There are also dedicated fiber links between regions, and if necessary a customer can pay for a dedicated link from the customer's location into AWS's local region. Access into AWS, whether via the web console or the API, uses security certificates and/or SSL.
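To show what a Security Group actually contains, here is an added example (not code from the original post) that audits a constructed set of ingress rules, shaped like the IpPermissions list the EC2 API returns, and reports any rule open to the whole Internet on a port that is not meant to be public. The sample rules, the allow-list of public ports and the function names are assumptions made for this example.

```python
import ipaddress

# Constructed sample shaped like the IpPermissions list the EC2 API returns
# for a security group's ingress rules; it is not a real group from any account.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

def is_world(cidr):
    """True when the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr).prefixlen == 0

def ports_of(rule):
    """Port range a rule covers; protocol -1 means all traffic, so all ports."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]

def world_open_findings(permissions, public_ok=frozenset({80, 443})):
    """Return (protocol, from_port, to_port, cidr) for every rule that is open
    to the whole Internet on a port outside the allow-list of intentionally
    public service ports (the allow-list is an assumption of this example)."""
    findings = []
    for rule in permissions:
        lo, hi = ports_of(rule)
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not is_world(cidr):
                continue  # scoped to a known source network: not a finding
            if all(p in public_ok for p in range(lo, hi + 1)):
                continue  # every port in the range is meant to be public
            findings.append((rule["IpProtocol"], lo, hi, cidr))
    return findings

if __name__ == "__main__":
    for proto, lo, hi, cidr in world_open_findings(SAMPLE_INGRESS):
        print(f"open to {cidr}: {proto} ports {lo}-{hi}")
```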

AWS Access Security
AWS separates its production network from its corporate network, which minimizes the risk of a rogue AWS employee gaining access to customer data. AWS employees who need to gain access to any component of the AWS infrastructure must obtain written approval and go through the AWS Access Management System. AWS employees are required to pass criminal background checks.

AWS Account Security
To follow security best practice, AWS provides customers with the ability to create user accounts with different roles, such that each account is granted the least amount of privilege, via the AWS Identity and Access Management system (AWS IAM).

Also, AWS provides features such as:
  • Key Management and rotation
  • Temporary Security credentials
  • Multi-factor Authentication (MFA)

for additional access security. These are all industry security best practices. Security certificates are used heavily in AWS, and rotating access keys and certificates is just like changing a user's password. Most enterprises with Microsoft Active Directory mandate that users change their password at a configured interval. Also, multi-factor authentication, such as the use of an access token, minimizes the risk from a user's password being compromised, because an attacker would also have to possess the access token to gain access to AWS.
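Key rotation and MFA are only effective if someone checks that they are actually in place. As an added example (not from the original post), the following Python audits a constructed credential report, using a subset of the columns of an IAM credential report, and flags access keys older than a rotation window and console users (including the root account) without MFA. The sample rows, the 90-day window and the fixed "now" of the post's date are assumptions made for this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using a subset of the IAM credential report columns;
# a real report is retrieved from IAM, this one is made up for the example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2013-01-05T10:00:00+00:00,not_supported,2014-11-01T09:12:00+00:00,not_supported,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2014-02-10T08:00:00+00:00,true,2014-11-20T15:30:00+00:00,2014-10-01T08:00:00+00:00,2015-01-01T08:00:00+00:00,true,true,2014-09-15T08:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2013-06-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2013-06-01T08:00:00+00:00,true,2014-11-10T08:00:00+00:00
"""

# Fixed reference time (the post's date) so the results are reproducible.
NOW = datetime(2014, 11, 23, tzinfo=timezone.utc)

def parse_ts(value):
    """Datetime for an ISO-8601 timestamp; None for N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit(report_csv, max_key_age_days=90, now=NOW):
    """Return (user, finding) pairs for stale access keys and for console or
    root logins that rely on a password alone."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # A console password without MFA means a stolen password is enough.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
        # Every active access key is measured against the rotation window.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {slot} not rotated in {max_key_age_days} days"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```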

AWS Service-specific Security
Each AWS service has security built in. Since AWS has a long list of services, we cannot go into specific detail as to how each service provides security for the user. For a more detailed description of service-specific security, see the latest version of "AWS: Overview of Security Processes".

Related Post:
Amazon Web Services Part 1: Do you know all of these icons?
