implementedamazonec2
amazonec2 Date: 2021-03-26
Introduction to AWS Security Processes
June 2016
(Please consult http://aws.amazon.com/security/ for the latest version of this paper)
THIS PAPER HAS BEEN ARCHIVED
For the latest technical content, see https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
Amazon Web Services – Overview of Security Processes, June 2016, Page 2 of 45
2016, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Notices
This document is provided for informational purposes only. It represents AWS' current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS' products or services, each of which is provided "as is" without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
Table of Contents
Introduction  5
Shared Security Responsibility Model  5
AWS Security Responsibilities  6
Customer Security Responsibilities  7
AWS Global Security Infrastructure  7
AWS Compliance Programs  8
Physical and Environmental Security  9
Fire Detection and Suppression  9
Power  9
Climate and Temperature  9
Management  10
Storage Device Decommissioning  10
Business Continuity Management  10
Availability  10
Incident Response  10
Company-Wide Executive Review  11
Communication  11
AWS Access  11
Account Review and Audit  11
Background Checks  12
Credentials Policy  12
Secure Design Principles  12
Change Management  12
Software  12
Infrastructure  13
AWS Account Security Features  13
AWS Credentials  14
Passwords  15
AWS Multi-Factor Authentication (AWS MFA)  15
Access Keys  16
Key Pairs  17
X.509 Certificates  18
Individual User Accounts  18
Secure HTTPS Access Points  19
Security Logs  19
AWS Trusted Advisor Security Checks  20
Networking Services  20
Amazon Elastic Load Balancing Security  20
Amazon Virtual Private Cloud (Amazon VPC) Security  22
Amazon Route 53 Security  28
Amazon CloudFront Security  29
AWS Direct Connect Security  32
Appendix – Glossary of Terms  33
Document Revisions  44
Jun 2016  44
Nov 2014  44
Nov 2013  44
May 2013  45
Introduction
Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, providing the tools that enable customers to run a wide range of applications. Helping to protect the confidentiality, integrity, and availability of our customers' systems and data is of the utmost importance to AWS, as is maintaining customer trust and confidence. This document is intended to answer questions such as, "How does AWS help me protect my data?" Specifically, AWS physical and operational security processes are described for the network and server infrastructure under AWS' management, as well as service-specific security implementations.
Shared Security Responsibility Model
When using AWS services, customers maintain complete control over their content and are responsible for managing critical content security requirements, including:
- What content they choose to store on AWS
- Which AWS services are used with the content
- In what country that content is stored
- The format and structure of that content and whether it is masked, anonymised or encrypted
- Who has access to that content and how those access rights are granted, managed and revoked
Because AWS customers retain control over their data, they also retain responsibilities relating to that content as part of the AWS "shared responsibility" model. This shared responsibility model is fundamental to understanding the respective roles of the customer and AWS in the context of the Cloud Security Principles.
Under the shared responsibility model, AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, customers assume responsibility for and management of their operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services they use, the integration of those services into their IT environments, and applicable laws and regulations. It is possible to enhance security and/or meet more stringent compliance requirements by leveraging technology such as host-based firewalls, host-based intrusion detection/prevention, and encryption. AWS provides tools and information to assist customers in their efforts to account for and validate that controls are operating effectively in their extended IT environment. More information can be found on the AWS Compliance center at http://aws.amazon.com/compliance.
Figure 1: AWS Shared Security Responsibility Model
The amount of security configuration work you have to do varies depending on which services you select and how sensitive your data is. However, there are certain security features, such as individual user accounts and credentials, SSL/TLS for data transmissions, and user activity logging, that you should configure no matter which AWS service you use. For more information about these security features, see the "AWS Account Security Features" section below.
AWS Security Responsibilities
AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services. Protecting this infrastructure is AWS' number one priority, and while you can't visit our data centers or offices to see this protection firsthand, we provide several reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations (for more information, visit aws.amazon.com/compliance).
Note that in addition to protecting this global infrastructure, AWS is responsible for the security configuration of its products that are considered managed services. Examples of these types of services include Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon Elastic MapReduce, Amazon WorkSpaces, and several other services. These services provide the scalability and flexibility of cloud-based resources with the additional benefit of being managed. For these services, AWS will handle basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery. For most of these managed services, all you have to do is configure logical access controls for the resources and protect your account credentials. A few of them may require additional tasks, such as setting up database user accounts, but overall the security configuration work is performed by the service.
Customer Security Responsibilities
With the AWS cloud, you can provision virtual servers, storage, databases, and desktops in minutes instead of weeks. You can also use cloud-based analytics and workflow tools to process your data as you need it, and then store it in the cloud or in your own data centers. Which AWS services you use will determine how much configuration work you have to perform as part of your security responsibilities.
AWS products that fall into the well-understood category of Infrastructure as a Service (IaaS), such as Amazon EC2 and Amazon VPC, are completely under your control and require you to perform all of the necessary security configuration and management tasks. For example, for EC2 instances, you're responsible for management of the guest OS (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. These are basically the same security tasks that you're used to performing no matter where your servers are located.
AWS managed services like Amazon RDS or Amazon Redshift provide all of the resources you need in order to perform a specific task, but without the configuration work that can come with them. With managed services, you don't have to worry about launching and maintaining instances, patching the guest OS or database, or replicating databases; AWS handles that for you. However, as with all services, you should protect your AWS Account credentials and set up individual user accounts with Amazon Identity and Access Management (IAM) so that each of your users has their own credentials and you can implement segregation of duties. We also recommend using multi-factor authentication (MFA) with each account, requiring the use of SSL/TLS to communicate with your AWS resources, and setting up API/user activity logging with AWS CloudTrail. For more information about additional measures you can take, refer to the AWS Security Resources webpage.
AWS Global Security Infrastructure
AWS operates the global cloud infrastructure that you use to provision a variety of basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards. As an AWS customer, you can be assured that you're building web architectures on top of some of the most secure computing infrastructure in the world.
AWS Compliance Programs
Amazon Web Services Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of the AWS cloud infrastructure, compliance responsibilities will be shared. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance enablers build on traditional programs, helping customers to establish and operate in an AWS security control environment.
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA
- FedRAMP
- DOD SRG Levels 2 and 4
- PCI DSS Level 1
- EU Model Clauses
- ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
- ITAR
- IRAP
- FIPS 140-2
- MLPS Level 3
- MTCS
In addition, the flexibility and control that the AWS platform provides allows customers to deploy solutions that meet several industry-specific standards, including:
- Criminal Justice Information Services (CJIS)
- Cloud Security Alliance (CSA)
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Motion Picture Association of America (MPAA)
AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, accreditations, and other third-party attestations. More information is available in the Risk and Compliance whitepaper available at http://aws.amazon.com/compliance/.
Physical and Environmental Security
AWS' data centers are state of the art, utilizing innovative architectural and engineering approaches. AWS has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.
Fire Detection and Suppression
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
Power
The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.
Climate and Temperature
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
Management
AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
Storage Device Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 ("Guidelines for Media Sanitization") as part of the decommissioning process.
Business Continuity Management
AWS' infrastructure has a high level of availability and provides customers the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group.
Availability
Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is "cold." In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
AWS provides you with the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower risk flood plains (specific flood zone categorization varies by Region). In addition to discrete uninterruptable power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.
You should architect your AWS usage to take advantage of multiple regions and availability zones. Distributing applications across multiple availability zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
Incident Response
The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.
Company-Wide Executive Review
Amazon's Internal Audit group regularly reviews AWS resiliency plans, which are also periodically reviewed by members of the Senior Executive management team and the Audit Committee of the Board of Directors.
Communication
AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees; regular management meetings for updates on business performance and other matters; and electronic means such as video conferencing, electronic mail messages, and the posting of information via the Amazon intranet.
AWS has also implemented various methods of external communication to support its customer base and the community. Mechanisms are in place to allow the customer support team to be notified of operational issues that impact the customer experience. A "Service Health Dashboard" is available and maintained by the customer support team to alert customers to any issues that may be of broad impact. The "AWS Security Center" is available to provide you with security and compliance details about AWS. You can also subscribe to AWS Support offerings that include direct communication with the customer support team and proactive alerts to any customer impacting issues.
AWS Access
The AWS Production network is segregated from the Amazon Corporate network and requires a separate set of credentials for logical access. The Amazon Corporate network relies on user IDs, passwords, and Kerberos, while the AWS Production network requires SSH public-key authentication through a bastion host.
AWS developers and administrators on the Amazon Corporate network who need to access AWS cloud components must explicitly request access through the AWS access management system. All requests are reviewed and approved by the appropriate owner or manager.
Account Review and Audit
Accounts are reviewed every 90 days; explicit re-approval is required or access to the resource is automatically revoked. Access is also automatically revoked when an employee's record is terminated in Amazon's Human Resources system. Windows and UNIX accounts are disabled and Amazon's permission management system removes the user from all systems.
Requests for changes in access are captured in the Amazon permissions management tool audit log. When changes in an employee's job function occur, continued access must be explicitly approved to the resource or it will be automatically revoked.
Background Checks
AWS has established formal policies and procedures to delineate the minimum standards for logical access to AWS platform and infrastructure hosts. AWS conducts criminal background checks, as permitted by law, as part of pre-employment screening practices for employees and commensurate with the employee's position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.
Credentials Policy
AWS Security has established a credentials policy with required configurations and expiration intervals. Passwords must be complex and are forced to be changed every 90 days.
Secure Design Principles
AWS' development process follows secure software development best practices, which include formal design reviews by the AWS Security Team, threat modeling, and completion of a risk assessment. Static code analysis tools are run as a part of the standard build process, and all deployed software undergoes recurring penetration testing performed by carefully selected industry experts. Our security risk assessment reviews begin during the design phase and the engagement lasts through launch to ongoing operations.
Change Management
Routine, emergency, and configuration changes to existing AWS infrastructure are authorized, logged, tested, approved, and documented in accordance with industry norms for similar systems. Updates to AWS' infrastructure are done to minimize any impact on the customer and their use of the services. AWS will communicate with customers, either via email, or through the AWS Service Health Dashboard (when service use is likely to be adversely affected).
Software
AWS applies a systematic approach to managing change so that changes to customer-impacting services are thoroughly reviewed, tested, approved, and well-communicated. The AWS change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are:
- Reviewed: Peer reviews of the technical aspects of a change are required.
- Tested: Changes being applied are tested to help ensure they will behave as expected and not adversely impact performance.
- Approved: All changes must be authorized in order to provide appropriate oversight and understanding of business impact.
Changes are typically pushed into production in a phased deployment starting with lowest impact areas. Deployments are tested on a single system and closely monitored so impacts can be evaluated. Service owners have a number of configurable metrics that measure the health of the service's upstream dependencies. These metrics are closely monitored with thresholds and alarming in place. Rollback procedures are documented in the Change Management (CM) ticket.
When possible, changes are scheduled during regular change windows. Emergency changes to production systems that require deviations from standard change management procedures are associated with an incident and are logged and approved as appropriate.
Periodically, AWS performs self-audits of changes to key services to monitor quality, maintain high standards, and facilitate continuous improvement of the change management process. Any exceptions are analyzed to determine the root cause, and appropriate actions are taken to bring the change into compliance or roll back the change if necessary. Actions are then taken to address and remediate the process or people issue.
Infrastructure
Amazon's Corporate Applications team develops and manages software to automate IT processes for UNIX/Linux hosts in the areas of third-party software delivery, internally developed software, and configuration management. The Infrastructure team maintains and operates a UNIX/Linux configuration management framework to address hardware scalability, availability, auditing, and security management. By centrally managing hosts through the use of automated processes that manage change, AWS is able to achieve its goals of high availability, repeatability, scalability, security, and disaster recovery. Systems and network engineers monitor the status of these automated tools on a continuous basis, reviewing reports to respond to hosts that fail to obtain or update their configuration and software.
Internally developed configuration management software is installed when new hardware is provisioned. These tools are run on all UNIX hosts to validate that they are configured and that software is installed in compliance with standards determined by the role assigned to the host. This configuration management software also helps to regularly update packages that are already installed on the host. Only approved personnel enabled through the permissions service may log in to the central configuration management servers.
AWS Account Security Features
AWS provides a variety of tools and features that you can use to keep your AWS Account and resources safe from unauthorized use. This includes credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate IAM user accounts, user activity logging for security monitoring, and Trusted Advisor security checks. You can take advantage of all of these security tools no matter which AWS services you select.
AWS Credentials
To help ensure that only authorized users and processes access your AWS Account and resources, AWS uses several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates. We also provide the option of requiring multi-factor authentication (MFA) to log in to your AWS Account or IAM user accounts. The following table highlights the various AWS credentials and their uses:
Credential Type: Passwords. Use: AWS root account or IAM user account login to the AWS Management Console. Description: A string of characters used to log in to your AWS account or IAM account. AWS passwords must be a minimum of 6 characters and may be up to 128 characters.
Credential Type: Multi-Factor Authentication (MFA). Use: AWS root account or IAM user account login to the AWS Management Console. Description: A six-digit single-use code that is required in addition to your password to log in to your AWS Account or IAM user account.
Credential Type: Access Keys. Use: Digitally signed requests to AWS APIs (using the AWS SDK, CLI, or REST/Query APIs). Description: Includes an access key ID and a secret access key. You use access keys to digitally sign programmatic requests that you make to AWS.
Credential Type: Key Pairs. Use: SSH login to EC2 instances; CloudFront signed URLs; Windows instances. Description: To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP.
Credential Type: X.509 Certificates. Use: Digitally signed SOAP requests to AWS APIs; SSL server certificates for HTTPS. Description: X.509 certificates are only used to sign SOAP-based requests (currently used only with Amazon S3). You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.
You can download a Credential Report for your account at any time from the Security Credentials page. This report lists all of your account's users and the status of their credentials: whether they use a password, whether their password expires and must be changed regularly, the last time they changed their password, the last time they rotated their access keys, and whether they have MFA enabled.
For security reasons, if your credentials have been lost or forgotten, you cannot recover them or re-download them. However, you can create new credentials and then disable or delete the old set of credentials. In fact, AWS recommends that you change (rotate) your access keys and certificates on a regular basis. To help you do this without potential impact to your application's availability, AWS supports multiple concurrent access keys and certificates. With this feature, you can rotate keys and certificates into and out of operation on a regular basis without any downtime to your application. This can help to mitigate risk from lost or compromised access keys or certificates. The AWS IAM API enables you to rotate the access keys of your AWS Account as well as for IAM user accounts.
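As an added example (not part of the whitepaper), the kind of check a practitioner runs over the downloaded Credential Report: it reads the CSV by column name and flags console users without MFA, active access keys that have not been rotated, and root-account keys. The rows are constructed, only a subset of the report's columns is included, and the 90-day rotation threshold is this example's assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report (subset of its
# columns, same column names). Account id, users and timestamps are invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2015-01-10T09:00:00+00:00,not_supported,2016-05-30T12:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2015-03-01T10:00:00+00:00,true,2016-06-01T08:15:00+00:00,2016-04-20T10:00:00+00:00,2016-07-19T10:00:00+00:00,true,true,2016-05-15T10:00:00+00:00,2016-06-01T08:20:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2014-11-05T10:00:00+00:00,true,2016-05-28T14:00:00+00:00,2016-05-01T10:00:00+00:00,2016-07-30T10:00:00+00:00,false,true,2015-09-01T10:00:00+00:00,2016-05-28T14:05:00+00:00,true,2016-05-20T10:00:00+00:00,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2015-06-15T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2016-03-01T10:00:00+00:00,no_information,false,N/A,N/A
"""

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation interval for this example
AS_OF = datetime(2016, 6, 15, tzinfo=timezone.utc)   # "now" for the sample run
ROOT = "<root_account>"            # the user name the report gives the root account


def _parse(ts):
    """Return an aware datetime for a report timestamp, or None for the
    placeholder values the report uses (N/A, not_supported, no_information)."""
    if ts in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now):
    """Return a list of (user, finding) tuples for the rows that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root always has console access; IAM users only if a password is set.
        console = user == ROOT or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
            if _parse(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} active but never used"))
        if user == ROOT and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root account has active access keys"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, AS_OF):
        print(f"{user}: {finding}")
```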
Passwords
Passwords are required to access your AWS Account, individual IAM user accounts, AWS Discussion Forums, and the AWS Support Center. You specify the password when you first create the account, and you can change it at any time by going to the Security Credentials page. AWS passwords can be up to 128 characters long and contain special characters, so we encourage you to create a strong password that cannot be easily guessed. You can set a password policy for your IAM user accounts to ensure that strong passwords are used and that they are changed often. A password policy is a set of rules that define the type of password an IAM user can set. For more information about password policies, go to Managing Passwords in Using IAM.
AWS Multi-Factor Authentication (AWS MFA)
AWS Multi-Factor Authentication (AWS MFA) is an additional layer of security for accessing AWS services. When you enable this optional feature, you will need to provide a six-digit single-use code in addition to your standard user name and password credentials before access is granted to your AWS Account settings or AWS services and resources. You get this single-use code from an authentication device that you keep in your physical possession. This is called multi-factor authentication because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device (something you have).
You can enable MFA devices for your AWS Account as well as for the users you have created under your AWS Account with AWS IAM. In addition, you can add MFA protection for access across AWS Accounts, for when you want to allow a user you've created under one AWS Account to use an IAM role to access resources under another AWS Account. You can require the user to use MFA before assuming the role as an additional layer of security.
AWS MFA supports the use of both hardware tokens and virtual MFA devices. Virtual MFA devices use the same protocols as the physical MFA devices, but can run on any mobile hardware device, including a smartphone. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the Time-Based One-Time Password (TOTP) standard, as described in RFC 6238. Most virtual MFA applications allow you to host more than one virtual MFA device, which makes them more convenient than hardware MFA devices. However, you should be aware that because a virtual MFA might be run on a less secure device such as a smartphone, a virtual MFA might not provide the same level of security as a hardware MFA device.
You can also enforce MFA authentication for AWS service APIs in order to provide an extra layer of protection over powerful or privileged actions such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3. You do this by adding an MFA-authentication requirement to an IAM access policy. You can attach these access policies to IAM users, IAM groups, or resources that support Access Control Lists (ACLs) like Amazon S3 buckets, SQS queues, and SNS topics.
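An added illustration of such a policy (not taken from the whitepaper): read-only EC2 calls are allowed unconditionally, while terminating instances is allowed only when the caller authenticated with MFA within the last hour. The statement ids and the one-hour limit are this example's choices.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeWithoutMfa",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "TerminateOnlyWithRecentMfa",
      "Effect": "Allow",
      "Action": ["ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
        "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}
      }
    }
  ]
}
```

When the session was not MFA-authenticated the condition keys are absent, so the second statement simply does not match and the terminate call falls through to the implicit deny.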
It is easy to obtain hardware tokens from a participating third-party provider or virtual MFA applications from an App Store and to set them up for use via the AWS website. More information about AWS MFA is available on the AWS website.
Access Keys
AWS requires that all API requests be signed—that is, they must include a digital signature that AWS can use to verify the identity of the requestor. You calculate the digital signature using a cryptographic hash function. The input to the hash function in this case includes the text of your request and your secret access key. If you use any of the AWS SDKs to generate requests, the digital signature calculation is done for you; otherwise, you can have your application calculate it and include it in your REST or Query requests by following the directions in our documentation.
Not only does the signing process help protect message integrity by preventing tampering with the request while it is in transit, it also helps protect against potential replay attacks. A request must reach AWS within 15 minutes of the timestamp in the request. Otherwise, AWS denies the request.
The most recent version of the digital signature calculation process is Signature Version 4, which calculates the signature using the HMAC-SHA256 protocol. Version 4 provides an additional measure of protection over previous versions by requiring that you sign the message using a key that is derived from your secret access key rather than using the secret access key itself. In addition, you derive the signing key based on credential scope, which facilitates cryptographic isolation of the signing key.
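The three properties described above, as an added example that is not part of the whitepaper and not the AWS SDK's own code: the Signature Version 4 key derivation chained through the credential scope, the HMAC-SHA256 signature over the string to sign, and the receiving side's 15-minute timestamp window. The canonical request is a pre-built constructed string (header canonicalisation is out of scope here), and the secret is the example key AWS documentation uses, not a real credential.

```python
import datetime
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_SKEW = datetime.timedelta(minutes=15)   # the window stated in the whitepaper

# Example secret from AWS documentation, not a real credential.
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
AMZ_DATE = "20150830T123600Z"
# Constructed canonical request for "GET /?Action=ListUsers" to IAM (empty body).
CANONICAL_REQUEST = (
    "GET\n/\nAction=ListUsers&Version=2010-05-08\n"
    "content-type:application/x-www-form-urlencoded; charset=utf-8\n"
    "host:iam.amazonaws.com\nx-amz-date:" + AMZ_DATE + "\n\n"
    "content-type;host;x-amz-date\n" + hashlib.sha256(b"").hexdigest()
)
NOW_OK = datetime.datetime(2015, 8, 30, 12, 40, tzinfo=datetime.timezone.utc)
NOW_LATE = datetime.datetime(2015, 8, 30, 13, 0, tzinfo=datetime.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_access_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the scoped signing key. The raw secret is only ever an HMAC key
    for the first step; every later step keys on the previous output, so the
    key that signs traffic is bound to one date, region and service."""
    k_date = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign(secret_access_key: str, canonical_request: str, amz_date: str, region: str, service: str):
    """Return (credential_scope, hex signature) for a canonical request."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(secret_access_key, date, region, service)
    return scope, hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(secret_access_key, canonical_request, amz_date, region, service, presented, now):
    """Receiver's view: reject stale timestamps first (replay protection),
    then recompute the signature and compare in constant time."""
    ts = datetime.datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=datetime.timezone.utc)
    if abs(now - ts) > MAX_SKEW:
        return False
    _, expected = sign(secret_access_key, canonical_request, amz_date, region, service)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    scope, sig = sign(SECRET, CANONICAL_REQUEST, AMZ_DATE, "us-east-1", "iam")
    print(scope, sig)
    print(verify(SECRET, CANONICAL_REQUEST, AMZ_DATE, "us-east-1", "iam", sig, NOW_OK))
```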
Because access keys can be misused if they fall into the wrong hands, we encourage you to save them in a safe place and not embed them in your code. For customers with large fleets of elastically scaling EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys. IAM roles provide temporary credentials, which not only get automatically loaded to the target instance, but are also automatically rotated multiple times a day.
Key Pairs
Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data, such as a password, then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair.
To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP.
Creating a Key Pair
You can use Amazon EC2 to create your key pair. For more information, see Creating Your Key Pair Using Amazon EC2. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. For more information, see Importing Your Own Key Pair to Amazon EC2.
Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name. Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt your login information, so it's important that you store your private keys in a secure place. The keys that Amazon EC2 uses are 2048-bit SSH-2 RSA keys. You can have up to five thousand key pairs per region.
X.509 Certificates
X.509 certificates are used to sign SOAP-based requests. X.509 certificates contain a public key and additional metadata (like an expiration date that AWS verifies when you upload the certificate), and are associated with a private key. When you create a request, you create a digital signature with your private key and then include that signature in the request, along with your certificate. AWS verifies that you're the sender by decrypting the signature with the public key that is in your certificate. AWS also verifies that the certificate you sent matches the certificate that you uploaded to AWS.
For your AWS Account, you can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page. For IAM users, you must create the X.509 certificate (signing certificate) by using third-party software. In contrast with root account credentials, AWS cannot create an X.509 certificate for IAM users. After you create the certificate, you attach it to an IAM user by using IAM.
In addition to SOAP requests, X.509 certificates are used as SSL/TLS server certificates for customers who want to use HTTPS to encrypt their transmissions. To use them for HTTPS, you can use an open-source tool like OpenSSL to create a unique private key. You'll need the private key to create the Certificate Signing Request (CSR) that you submit to a certificate authority (CA) to obtain the server certificate. You'll then use the AWS CLI to upload the certificate, private key, and certificate chain to IAM.
You'll also need an X.509 certificate to create a customized Linux AMI for EC2 instances. The certificate is only required to create an instance-backed AMI (as opposed to an EBS-backed AMI). You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.
Individual User Accounts
AWS provides a centralized mechanism called AWS Identity and Access Management (IAM) for creating and managing individual users within your AWS Account. A user can be any individual, system, or application that interacts with AWS resources, either programmatically or through the AWS Management Console or AWS Command Line Interface (CLI). Each user has a unique name within the AWS Account, and a unique set of security credentials not shared with other users. AWS IAM eliminates the need to share passwords or keys, and enables you to minimize the use of your AWS Account credentials.
With IAM, you define policies that control which AWS services your users can access and what they can do with them. You can grant users only the minimum permissions they need to perform their jobs. See the AWS Identity and Access Management (AWS IAM) section below for more information.
Secure HTTPS Access Points
For greater communication security when accessing AWS resources, you should use HTTPS instead of HTTP for data transmissions. HTTPS uses the SSL/TLS protocol, which uses public-key cryptography to prevent eavesdropping, tampering, and forgery. All AWS services provide secure customer access points (also called API endpoints) that allow you to establish secure HTTPS communication sessions.
Several services also now offer more advanced cipher suites that use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol. ECDHE allows SSL/TLS clients to provide Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This helps prevent the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised.
Security Logs
As important as credentials and encrypted endpoints are for preventing security problems, logs are just as crucial for understanding events after a problem has occurred. And to be effective as a security tool, a log must include not just a list of what happened and when, but also identify the source. To help you with your after-the-fact investigations and near-real-time intrusion detection, AWS CloudTrail provides a log of requests for AWS resources within your account for supported services. For each event, you can see what service was accessed, what action was performed, and who made the request.
CloudTrail captures information about every API call to every supported AWS resource, including sign-in events. Once you have enabled CloudTrail, event logs are delivered every 5 minutes. You can configure CloudTrail so that it aggregates log files from multiple regions into a single Amazon S3 bucket. From there, you can then upload them to your favorite log management and analysis solutions to perform security analysis and detect user behavior patterns. By default, log files are stored securely in Amazon S3, but you can also archive them to Amazon Glacier to help meet audit and compliance requirements.
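The triage the text describes (what service, what action, who made the request and from where) run over a CloudTrail log file, as an added example that is not part of the whitepaper or of any AWS tool. The records, identities, IPs and account ID are constructed, and SENSITIVE_ACTIONS is a starting list chosen here, not an AWS-published one.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log file (the JSON object CloudTrail
# delivers to S3, with a "Records" list). Field names follow the
# CloudTrail event schema; every identity, IP and account ID is invented.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-06-01T10:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-06-01T10:02:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2016-06-01T10:02:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2016-06-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.99",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-06-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# API actions that change the account's security posture. This list is a
# constructed starting point for the example, not an AWS-published one.
SENSITIVE_ACTIONS = {"AuthorizeSecurityGroupIngress", "PutBucketAcl",
                     "CreateAccessKey", "StopLogging", "DeleteTrail"}


def parse_records(log_text):
    return json.loads(log_text)["Records"]


def actor(rec):
    """Stable 'who' label: the root account, or the IAM identity by name."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root:" + ident.get("accountId", "?")
    return ident.get("type", "?") + ":" + ident.get("userName", "?")


def mfa_used(rec):
    """ConsoleLogin events carry MFAUsed; API calls carry mfaAuthenticated
    in the session context. Either one counts as MFA-backed."""
    if rec.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return True
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def summarize(rec):
    """The facts the text says a useful log must carry: service, action,
    who made the request, and the source it came from."""
    return {"when": rec["eventTime"], "service": rec["eventSource"].split(".")[0],
            "action": rec["eventName"], "who": actor(rec),
            "source_ip": rec.get("sourceIPAddress", "?")}


def triage(records, failed_login_threshold=2):
    """Return (finding_kind, summary) pairs in event order."""
    findings = []
    failures = Counter()
    for rec in records:
        if rec.get("userIdentity", {}).get("type") == "Root":
            kind = "root-activity" if mfa_used(rec) else "root-activity-no-mfa"
            findings.append((kind, summarize(rec)))
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            # Count failures per (identity, source IP); alert once at the threshold.
            key = (actor(rec), rec.get("sourceIPAddress"))
            failures[key] += 1
            if failures[key] == failed_login_threshold:
                findings.append(("repeated-console-login-failure", summarize(rec)))
        if rec.get("eventName") in SENSITIVE_ACTIONS:
            findings.append(("sensitive-change", summarize(rec)))
    return findings


if __name__ == "__main__":
    for kind, info in triage(parse_records(SAMPLE_LOG)):
        print(kind, info)
```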
In addition to CloudTrail's user activity logs, you can use the Amazon CloudWatch Logs feature to collect and monitor system, application, and custom log files from your EC2 instances and other sources in near-real time. For example, you can monitor your web server's log files for invalid user messages to detect unauthorized login attempts to your guest OS.
AWS Trusted Advisor Security Checks
The AWS Trusted Advisor customer support service not only monitors for cloud performance and resiliency, but also cloud security. Trusted Advisor inspects your AWS environment and makes recommendations when opportunities may exist to save money, improve system performance, or close security gaps. It provides alerts on several of the most common security misconfigurations that can occur, including leaving certain ports open that make you vulnerable to hacking and unauthorized access, neglecting to create IAM accounts for your internal users, allowing public access to Amazon S3 buckets, not turning on user activity logging (AWS CloudTrail), or not using MFA on your root AWS Account. You also have the option for a Security contact at your organization to automatically receive a weekly email with an updated status of your Trusted Advisor security checks.
The AWS Trusted Advisor service provides four checks at no additional charge to all users, including three important security checks: specific ports unrestricted, IAM use, and MFA on root account. And when you sign up for Business- or Enterprise-level AWS Support, you receive full access to all Trusted Advisor checks.
Networking Services
Amazon Web Services provides a range of networking services that enable you to create a logically isolated network that you define, establish a private network connection to the AWS cloud, use a highly available and scalable DNS service, and deliver content to your end users with low latency at high data transfer speeds with a content delivery web service.
Amazon Elastic Load Balancing Security
Amazon Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all availability zones within a region. Elastic Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits:
- Takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer
- Offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network
- When used in an Amazon VPC, supports creation and management of security groups associated with your Elastic Load Balancing to provide additional networking and security options
- Supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections. When TLS is used, the TLS server certificate used to terminate client connections can be managed centrally on the load balancer, rather than on every individual instance. HTTPS/TLS uses a long-term secret key to generate a short-term session key to be used between the server and the browser to create the ciphered (encrypted) message.
Amazon Elastic Load Balancing configures your load balancer with a pre-defined cipher set that is used for TLS negotiation when a connection is established between a client and your load balancer. The pre-defined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms. However, some customers may have requirements for allowing only specific ciphers and protocols (such as PCI, SOX, etc.) from clients to ensure that standards are met. In these cases, Amazon Elastic Load Balancing provides options for selecting different configurations for TLS protocols and ciphers. You can choose to enable or disable the ciphers depending on your specific requirements.
To help ensure the use of newer and stronger cipher suites when establishing a secure connection, you can configure the load balancer to have the final say in the cipher suite selection during the client-server negotiation. When the Server Order Preference option is selected, the load balancer will select a cipher suite based on the server's prioritization of cipher suites rather than the client's. This gives you more control over the level of security that clients use to connect to your load balancer.
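The effect of Server Order Preference on the negotiated cipher suite, as an added example that is not part of the whitepaper or of Elastic Load Balancing itself. The suite lists are constructed for illustration and are not a real ELB security policy.

```python
# Load balancer's enabled suites in the operator's preference order
# (strongest first). Constructed list, not an actual ELB policy.
SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "AES128-SHA",
]

# Constructed legacy client whose ClientHello lists its weakest suite first.
LEGACY_CLIENT = ["AES128-SHA", "AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]


def select_cipher(client_offered, server_enabled, server_order_preference):
    """Return the negotiated suite, or None when the two lists do not overlap.

    client_offered is the ClientHello list in the client's preference order;
    server_enabled is the load balancer's list in the server's preference order.
    """
    if server_order_preference:
        # Walk the server's list: the first suite the client also supports wins,
        # so the server's ranking decides.
        offered = set(client_offered)
        for suite in server_enabled:
            if suite in offered:
                return suite
        return None
    # Without server preference the client's favourite that the server allows
    # wins, even if the server ranks it last.
    enabled = set(server_enabled)
    for suite in client_offered:
        if suite in enabled:
            return suite
    return None


def supports_forward_secrecy(suite):
    """ECDHE/DHE key exchange yields ephemeral session keys (PFS)."""
    return suite is not None and suite.startswith(("ECDHE-", "DHE-"))


if __name__ == "__main__":
    for pref in (False, True):
        chosen = select_cipher(LEGACY_CLIENT, SERVER_SUITES, pref)
        print(f"server_order_preference={pref}: {chosen} (PFS={supports_forward_secrecy(chosen)})")
```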
For even greater communication privacy, Amazon Elastic Load Balancer allows the use of Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This prevents the decoding of captured data, even if the secret long-term key itself is compromised.
Amazon Elastic Load Balancing allows you to identify the originating IP address of a client connecting to your servers, whether you're using HTTPS or TCP load balancing. Typically, client connection information, such as IP address and port, is lost when requests are proxied through a load balancer. This is because the load balancer sends requests to the server on behalf of the client, making your load balancer appear as though it is the requesting client. Having the originating client IP address is useful if you need more information about visitors to your applications in order to gather connection statistics, analyze traffic logs, or manage whitelists of IP addresses.
Amazon Elastic Load Balancing access logs contain information about each HTTP and TCP request processed by your load balancer. This includes the IP address and port of the requesting client, the backend IP address of the instance that processed the request, the size of the request and response, and the actual request line from the client (for example, GET http://www.example.com:80/ HTTP/1.1). All requests sent to the load balancer are logged, including requests that never made it to back-end instances.
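A parser for the fields just listed, run over constructed Classic Load Balancer access log lines, as an added example that is not part of the whitepaper or of any AWS tool. The field order assumed is the Classic ELB access log layout; the load balancer name, addresses and request lines are invented, and a backend field of "-" is taken to mean the request never reached an instance.

```python
import shlex
from collections import Counter

# Classic ELB access log field order (assumed layout for this example).
FIELDS = ["timestamp", "elb", "client", "backend", "request_processing_time",
          "backend_processing_time", "response_processing_time", "elb_status_code",
          "backend_status_code", "received_bytes", "sent_bytes", "request",
          "user_agent", "ssl_cipher", "ssl_protocol"]

# Constructed sample: two served requests and one that never reached a
# backend (backend field "-", load balancer answered 503 itself).
SAMPLE_LOG = """\
2016-06-01T10:00:00.123456Z my-lb 203.0.113.10:54321 10.0.1.15:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
2016-06-01T10:00:01.000000Z my-lb 198.51.100.7:40000 10.0.1.15:443 0.000086 0.001000 0.000050 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.38.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-06-01T10:00:02.000000Z my-lb 198.51.100.7:40001 - -1 -1 -1 503 - 0 0 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
"""


def parse_line(line):
    """Split one access log line into a dict; quoted fields stay intact."""
    parts = shlex.split(line)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    # The client field is the originating address the text describes,
    # preserved even though the instance only sees the load balancer.
    ip, _, port = rec["client"].rpartition(":")
    rec["client_ip"], rec["client_port"] = ip, int(port)
    rec["reached_backend"] = rec["backend"] != "-"
    rec["elb_status_code"] = int(rec["elb_status_code"])
    # Request line "METHOD URL VERSION"; TCP listeners log it as "- - -".
    rec["method"], rec["url"], rec["http_version"] = rec["request"].split(" ", 2)
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def never_reached_backend(records):
    """Requests the load balancer logged but no instance ever saw."""
    return [r for r in records if not r["reached_backend"]]


def requests_per_client(records):
    return Counter(r["client_ip"] for r in records)


def plaintext_requests(records):
    """Requests that arrived without TLS (no cipher/protocol recorded)."""
    return [r for r in records if r["ssl_protocol"] == "-"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("clients:", dict(requests_per_client(recs)))
    for r in never_reached_backend(recs):
        print("dropped at ELB:", r["client"], r["elb_status_code"], r["request"])
```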
Amazon Virtual Private Cloud (Amazon VPC) Security
Normally, each Amazon EC2 instance you launch is randomly assigned a public IP address in the Amazon EC2 address space. Amazon VPC enables you to create an isolated portion of the AWS cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses in the range of your choice (e.g., 10.0.0.0/16). You can define subnets within your VPC, grouping similar kinds of instances based on IP address range, and then set up routing and security to control the flow of traffic in and out of the instances and subnets.
AWS offers a variety of VPC architecture templates with configurations that provide varying levels of public access:
- VPC with a single public subnet only. Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet. Network ACLs and security groups can be used to provide strict control over inbound and outbound network traffic to your instances.
- VPC with public and private subnets. In addition to containing a public subnet, this configuration adds a private subnet whose instances are not addressable from the Internet. Instances in the private subnet can establish outbound connections to the Internet via the public subnet using Network Address Translation (NAT).
- VPC with public and private subnets and hardware VPN access. This configuration adds an IPsec VPN connection between your Amazon VPC and your data center, effectively extending your data center to the cloud while also providing direct access to the Internet for public subnet instances in your Amazon VPC. In this configuration, customers add a VPN appliance on their corporate data center side.
- VPC with private subnet only and hardware VPN access. Your instances run in a private, isolated section of the AWS cloud with a private subnet whose instances are not addressable from the Internet. You can connect this private subnet to your corporate data center via an IPsec VPN tunnel.
You can also connect two VPCs using a private IP address, which allows instances in the two VPCs to communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.
Security features within Amazon VPC include security groups, network ACLs, routing tables, and external gateways. Each of these items is complementary to providing a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network.
Amazon EC2 instances running within an Amazon VPC inherit all of the benefits described below related to the guest OS and protection against packet sniffing. Note, however, that you must create VPC security groups specifically for your Amazon VPC; any Amazon EC2 security groups you have created will not work inside your Amazon VPC. Also, Amazon VPC security groups have additional capabilities that Amazon EC2 security groups do not have, such as being able to change the security group after the instance is launched and being able to specify any protocol with a standard protocol number (as opposed to just TCP, UDP, or ICMP).
Each Amazon VPC is a distinct, isolated network within the cloud; network traffic within each Amazon VPC is isolated from all other Amazon VPCs. At creation time, you select an IP address range for each Amazon VPC. You may create and attach an Internet gateway, virtual private gateway, or both to establish external connectivity, subject to the controls below.
API Access: Calls to create and delete Amazon VPCs, change routing, security group, and network ACL parameters, and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS Account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon VPC API calls cannot be made on your behalf. In addition, API calls can be encrypted with SSL to maintain confidentiality. Amazon recommends always using SSL-protected API endpoints. AWS IAM also enables a customer to further control what APIs a newly created user has permissions to call.
Subnets and Route Tables: You create one or more subnets within each Amazon VPC; each instance launched in the Amazon VPC is connected to one subnet. Traditional Layer 2 security attacks, including MAC spoofing and ARP spoofing, are blocked. Each subnet in an Amazon VPC is associated with a routing table, and all network traffic leaving the subnet is processed by the routing table to determine the destination.
Firewall (Security Groups): Like Amazon EC2, Amazon VPC supports a complete firewall solution enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, as well as source/destination IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
The firewall isn't controlled through the guest OS; rather, it can be modified only through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling you to implement additional security through separation of duties. The level of security afforded by the firewall is a function of which ports you open, and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as IPtables or the Windows Firewall.
Figure 5: Amazon VPC Network Architecture
Network Access Control Lists: To add a further layer of security within Amazon VPC, you can configure network ACLs. These are stateless traffic filters that apply to all traffic inbound or outbound from a subnet within Amazon VPC. These ACLs can contain ordered rules to allow or deny traffic based upon IP protocol, by service port, as well as source/destination IP address.
Like security groups, network ACLs are managed through Amazon VPC APIs, adding an additional layer of protection and enabling additional security through separation of duties.
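The two filter models side by side, as an added example that is not part of the whitepaper or of the VPC service: an ordered, stateless network ACL with an implicit final deny, and an allow-only security group that admits return traffic because it remembers the flow. The rule sets, addresses and packets are constructed; "-1" for "all protocols" and the ephemeral-port rule follow common VPC practice but are assumptions of this example.

```python
import ipaddress

# Network ACL rules: (rule number, protocol, (from_port, to_port), CIDR, action).
# Evaluated in rule-number order, first match wins; nothing matching falls
# through to the implicit final deny (shown as rule "*" in the console).
NACL_INBOUND = [
    (90, "tcp", (443, 443), "203.0.113.0/24", "deny"),     # block one range ahead of the general allow
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (110, "tcp", (22, 22), "10.0.0.0/16", "allow"),
    (120, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),     # replies to instance-initiated connections
]
NACL_OUTBOUND = [
    (100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),     # responses back to inbound clients
    (110, "tcp", (443, 443), "0.0.0.0/0", "allow"),
]

# Security group rules: (protocol, (from_port, to_port), CIDR). Allow only,
# unordered; any match admits the packet. "-1" means every protocol.
SG_INBOUND = [("tcp", (443, 443), "0.0.0.0/0")]
SG_OUTBOUND = [("-1", (0, 65535), "0.0.0.0/0")]


def _rule_matches(proto, ports, cidr, pkt):
    """pkt: {"proto", "peer", "sport", "dport"}; peer is the remote address."""
    if proto not in ("-1", pkt["proto"]):
        return False
    if not ports[0] <= pkt["dport"] <= ports[1]:
        return False
    return ipaddress.ip_address(pkt["peer"]) in ipaddress.ip_network(cidr)


def nacl_decision(rules, pkt):
    """Stateless: every packet, including a reply, is judged by the rules alone."""
    for number, proto, ports, cidr, action in sorted(rules):
        if _rule_matches(proto, ports, cidr, pkt):
            return action, number
    return "deny", "*"


class SecurityGroup:
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # connections already admitted: the state

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        key = (pkt["proto"], pkt["peer"], pkt["sport"], pkt["dport"])
        reverse = (pkt["proto"], pkt["peer"], pkt["dport"], pkt["sport"])
        if reverse in self.flows:
            return True  # return traffic of an admitted flow, regardless of rules
        if any(_rule_matches(p, ports, c, pkt) for p, ports, c in rules):
            self.flows.add(key)
            return True
        return False


if __name__ == "__main__":
    sg = SecurityGroup(SG_INBOUND, SG_OUTBOUND)
    out = {"proto": "tcp", "peer": "192.0.2.5", "sport": 40000, "dport": 443}
    back = {"proto": "tcp", "peer": "192.0.2.5", "sport": 443, "dport": 40000}
    print("sg out:", sg.allows(out, "out"), "sg reply:", sg.allows(back, "in"))
    print("nacl reply with ephemeral rule:", nacl_decision(NACL_INBOUND, back))
    print("nacl reply without it:", nacl_decision(NACL_INBOUND[:3], back))
```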
The diagram below depicts how the security controls above inter-relate to enable flexible network topologies while providing complete control over network traffic flows.
Figure 6: Flexible Network Topologies
Virtual Private Gateway: A virtual private gateway enables private connectivity between the Amazon VPC and another network. Network traffic within each virtual private gateway is isolated from network traffic within all other virtual private gateways. You can establish VPN connections to the virtual private gateway from gateway devices at your premises. Each connection is secured by a pre-shared key in conjunction with the IP address of the customer gateway device.
Internet Gateway: An Internet gateway may be attached to an Amazon VPC to enable direct connectivity to Amazon S3, other AWS services, and the Internet. Each instance desiring this access must either have an Elastic IP associated with it or route traffic through a NAT instance. Additionally, network routes are configured (see above) to direct traffic to the Internet gateway. AWS provides reference NAT AMIs that you can extend to perform network logging, deep packet inspection, application-layer filtering, or other security controls.
This access can only be modified through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the Internet gateway, therefore enabling you to implement additional security through separation of duties.
Dedicated Instances: Within a VPC, you can launch Amazon EC2 instances that are physically isolated at the host hardware level (i.e., they will run on single-tenant hardware). An Amazon VPC can be created with 'dedicated' tenancy, so that all instances launched into the Amazon VPC will utilize this feature. Alternatively, an Amazon VPC may be created with 'default' tenancy, but you can specify dedicated tenancy for particular instances launched into it.
Elastic Network Interfaces: Each Amazon EC2 instance has a default network interface that is assigned a private IP address on your Amazon VPC network. You can create and attach an additional network interface, known as an elastic network interface (ENI), to any Amazon EC2 instance in your Amazon VPC for a total of two network interfaces per instance. Attaching more than one network interface to an instance is useful when you want to create a management network, use network and security appliances in your Amazon VPC, or create dual-homed instances with workloads/roles on distinct subnets. An ENI's attributes, including the private IP address, elastic IP addresses, and MAC address, will follow the ENI as it is attached or detached from an instance and reattached to another instance.
More information about Amazon VPC is available on the AWS website: http://aws.amazon.com/vpc/
Additional Network Access Control with EC2-VPC
If you launch instances in a region where you did not have instances before AWS launched the new EC2-VPC feature (also called Default VPC), all instances are automatically provisioned in a ready-to-use default VPC. You can choose to create additional VPCs, or you can create VPCs for instances in regions where you already had instances before we launched EC2-VPC.
If you create a VPC later, using regular VPC, you specify a CIDR block, create subnets, enter the routing and security for those subnets, and provision an Internet gateway or NAT instance if you want one of your subnets to be able to reach the Internet. When you launch EC2 instances into an EC2-VPC, most of this work is automatically performed for you. When you launch an instance into a default VPC using EC2-VPC, we do the following to set it up for you:
- Create a default subnet in each Availability Zone
- Create an Internet gateway and connect it to your default VPC
- Create a main route table for your default VPC with a rule that sends all traffic destined for the Internet to the Internet gateway
- Create a default security group and associate it with your default VPC
- Create a default network access control list (ACL) and associate it with your default VPC
- Associate the default DHCP options set for your AWS account with your default VPC
In addition to the default VPC having its own private IP range, EC2 instances launched in a default VPC can also receive a public IP.
The following table summarizes the differences between instances launched into EC2-Classic, instances launched into a default VPC, and instances launched into a non-default VPC.

| Characteristic | EC2-Classic | EC2-VPC (Default VPC) | Regular VPC |
|---|---|---|---|
| Public IP address | Your instance receives a public IP address. | Your instance launched in a default subnet receives a public IP address by default, unless you specify otherwise during launch. | Your instance doesn't receive a public IP address by default, unless you specify otherwise during launch. |
| Private IP address | Your instance receives a private IP address from the EC2-Classic range each time it's started. | Your instance receives a static private IP address from the address range of your default VPC. | Your instance receives a static private IP address from the address range of your VPC. |
| Multiple private IP addresses | We select a single IP address for your instance. Multiple IP addresses are not supported. | You can assign multiple private IP addresses to your instance. | You can assign multiple private IP addresses to your instance. |
| Elastic IP address | An EIP is disassociated from your instance when you stop it. | An EIP remains associated with your instance when you stop it. | An EIP remains associated with your instance when you stop it. |
| DNS hostnames | DNS hostnames are enabled by default. | DNS hostnames are enabled by default. | DNS hostnames are disabled by default. |
| Security group | A security group can reference security groups that belong to other AWS accounts. | A security group can reference security groups for your VPC only. | A security group can reference security groups for your VPC only. |
| Security group association | You must terminate your instance to change its security group. | You can change the security group of your running instance. | You can change the security group of your running instance. |
| Security group rules | You can add rules for inbound traffic only. | You can add rules for inbound and outbound traffic. | You can add rules for inbound and outbound traffic. |
| Tenancy | Your instance runs on shared hardware; you cannot run an instance on single-tenant hardware. | You can run your instance on shared hardware or single-tenant hardware. | You can run your instance on shared hardware or single-tenant hardware. |
Note that security groups for instances in EC2-Classic are slightly different than security groups for instances in EC2-VPC. For example, you can add rules for inbound traffic for EC2-Classic, but you can add rules for both inbound and outbound traffic to EC2-VPC. In EC2-Classic, you can't change the security groups assigned to an instance after it's launched, but in EC2-VPC, you can change security groups assigned to an instance after it's launched.
In addition, you can't use the security groups that you've created for use with EC2-Classic with instances in your VPC. You must create security groups specifically for use with instances in your VPC. The rules you create for use with a security group for a VPC can't reference a security group for EC2-Classic, and vice versa.
Amazon Route 53 Security
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service that answers DNS queries, translating domain names into IP addresses so computers can communicate with each other. Route 53 can be used to connect user requests to infrastructure running in AWS – such as an Amazon EC2 instance or an Amazon S3 bucket – or to infrastructure outside of AWS.
Amazon Route 53 lets you manage the IP addresses (records) listed for your domain names and it answers requests (queries) to translate specific domain names into their corresponding IP addresses. Queries for your domain are automatically routed to a nearby DNS server using anycast in order to provide the lowest latency possible. Route 53 makes it possible for you to manage traffic globally through a variety of routing types, including Latency Based Routing (LBR), Geo DNS, and Weighted Round-Robin (WRR) — all of which can be combined with DNS Failover in order to help create a variety of low-latency, fault-tolerant architectures. The failover algorithms implemented by Amazon Route 53 are designed not only to route traffic to endpoints that are healthy, but also to help avoid making disaster scenarios worse due to misconfigured health checks and applications, endpoint overloads, and partition failures.
Route 53 also offers Domain Name Registration – you can purchase and manage domain names such as example.com and Route 53 will automatically configure default DNS settings for your domains. You can buy, manage, and transfer (both in and out) domains from a wide selection of generic and country-specific top-level domains (TLDs). During the registration process, you have the option to enable privacy protection for your domain. This option will hide most of your personal information from the public Whois database in order to help thwart scraping and spamming.
Amazon Route 53 is built using AWS' highly available and reliable infrastructure. The distributed nature of the AWS DNS servers helps ensure a consistent ability to route your end users to your application. Route 53 also helps ensure the availability of your website by providing health checks and DNS failover capabilities. You can easily configure Route 53 to check the health of your website on a regular basis (even secure websites that are available only over SSL), and to switch to a backup site if the primary one is unresponsive.
Like all AWS Services, Amazon Route 53 requires that every request made to its control API be authenticated so only authenticated users can access and manage Route 53. API requests are signed with an HMAC-SHA1 or HMAC-SHA256 signature calculated from the request and the user's AWS Secret Access Key. Additionally, the Amazon Route 53 control API is only accessible via SSL-encrypted endpoints. It supports both IPv4 and IPv6 routing.
You can control access to Amazon Route 53 DNS management functions by creating users under your AWS Account using AWS IAM, and controlling which Route 53 operations these users have permission to perform.
Amazon CloudFront Security
Amazon CloudFront gives customers an easy way to distribute content to end users with low latency and high data transfer speeds. It delivers dynamic, static, and streaming content using a global network of edge locations. Requests for customers' objects are automatically routed to the nearest edge location, so content is delivered with the best possible performance. Amazon CloudFront is optimized to work with other AWS services, like Amazon S3, Amazon EC2, Elastic Load Balancing, and Amazon Route 53. It also works seamlessly with any non-AWS origin server that stores the original, definitive versions of your files.
Amazon CloudFront requires every request made to its control API be authenticated so only authorized users can create, modify, or delete their own Amazon CloudFront distributions. Requests are signed with an HMAC-SHA1 signature calculated from the request and the user's private key. Additionally, the Amazon CloudFront control API is only accessible via SSL-enabled endpoints.
There is no guarantee of durability of data held in Amazon CloudFront edge locations. The service may from time to time remove objects from edge locations if those objects are not requested frequently. Durability is provided by Amazon S3, which works as the origin server for Amazon CloudFront holding the original, definitive copies of objects delivered by Amazon CloudFront.
If you want control over who is able to download content from Amazon CloudFront, you can enable the service's private content feature. This feature has two components: the first controls how content is delivered from the Amazon CloudFront edge location to viewers on the Internet. The second controls how the Amazon CloudFront edge locations access objects in Amazon S3. CloudFront also supports Geo Restriction, which restricts access to your content based on the geographic location of your viewers.
To control access to the original copies of your objects in Amazon S3, Amazon CloudFront allows you to create one or more "Origin Access Identities" and associate these with your distributions. When an Origin Access Identity is associated with an Amazon CloudFront distribution, the distribution will use that identity to retrieve objects from Amazon S3. You can then use Amazon S3's ACL feature, which limits access to that Origin Access Identity so the original copy of the object is not publicly readable.
To control who is able to download objects from Amazon CloudFront edge locations, the service uses a signed-URL verification system. To use this system, you first create a public-private key pair, and upload the public key to your account via the AWS Management Console. Second, you configure your Amazon CloudFront distribution to indicate which accounts you would authorize to sign requests – you can indicate up to five AWS Accounts you trust to sign requests. Third, as you receive requests you will create policy documents indicating the conditions under which you want Amazon CloudFront to serve your content. These policy documents can specify the name of the object that is requested, the date and time of the request, and the source IP (or CIDR range) of the client making the request. You then calculate the SHA1 hash of your policy document and sign this using your private key. Finally, you include both the encoded policy document and the signature as query string parameters when you reference your objects. When Amazon CloudFront receives a request, it will decode the signature using your public key. Amazon CloudFront will only serve requests that have a valid policy document and matching signature.
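The policy document, its query-string encoding and the condition checks from the steps above, as an added example that is not part of the whitepaper or of CloudFront's own implementation. The JSON layout and the +/= to -/_/~ substitutions are assumed from CloudFront's custom-policy format; the RSA-SHA1 signature itself needs a crypto library and is passed in as bytes (a placeholder in the demo), so this code shows what a valid signature authorizes, not how to produce one. Domain, key-pair ID, URLs and addresses are constructed.

```python
import base64
import fnmatch
import ipaddress
import json


def make_policy(resource, expires_epoch, source_cidr=None, not_before_epoch=None):
    """Custom policy: which object, until when, optionally from which network."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_cidr:
        cond["IpAddress"] = {"AWS:SourceIp": source_cidr}
    if not_before_epoch is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before_epoch}
    return {"Statement": [{"Resource": resource, "Condition": cond}]}


def cloudfront_b64(data):
    """Base64 made safe for a query string: + -> -, = -> _, / -> ~ (assumed format)."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def cloudfront_b64_decode(text):
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def encode_policy(policy):
    # Compact JSON: the signature is computed over exactly these bytes, so the
    # encoded policy must be byte-for-byte what was signed.
    return cloudfront_b64(json.dumps(policy, separators=(",", ":")).encode())


def evaluate_policy(encoded_policy, url, client_ip, now_epoch):
    """What the edge checks once the signature over the policy has verified."""
    policy = json.loads(cloudfront_b64_decode(encoded_policy))
    for stmt in policy["Statement"]:
        if not fnmatch.fnmatchcase(url, stmt["Resource"]):  # '*' wildcards in Resource
            continue
        cond = stmt.get("Condition", {})
        if now_epoch >= cond["DateLessThan"]["AWS:EpochTime"]:
            return False, "expired"
        if "DateGreaterThan" in cond and now_epoch <= cond["DateGreaterThan"]["AWS:EpochTime"]:
            return False, "not yet valid"
        if "IpAddress" in cond:
            net = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
            if ipaddress.ip_address(client_ip) not in net:
                return False, "source ip not allowed"
        return True, "ok"
    return False, "resource not covered"


def build_signed_url(url, encoded_policy, signature_bytes, key_pair_id):
    """Attach the three query parameters a custom-policy signed URL carries."""
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Policy={encoded_policy}"
            f"&Signature={cloudfront_b64(signature_bytes)}&Key-Pair-Id={key_pair_id}")


# Constructed values for the demo; the signature bytes stand in for an RSA-SHA1 signature.
DEMO_RESOURCE = "https://d111111abcdef8.cloudfront.net/private/*"
DEMO_EXPIRES = 1464800000
DEMO_POLICY = encode_policy(make_policy(DEMO_RESOURCE, DEMO_EXPIRES, "203.0.113.0/24"))
DEMO_URL = build_signed_url("https://d111111abcdef8.cloudfront.net/private/a.jpg",
                            DEMO_POLICY, b"\x00placeholder-signature\xff", "APKAEXAMPLE")

if __name__ == "__main__":
    print(DEMO_URL)
    print(evaluate_policy(DEMO_POLICY, "https://d111111abcdef8.cloudfront.net/private/a.jpg",
                          "203.0.113.5", DEMO_EXPIRES - 3600))
```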
Note that private content is an optional feature that must be enabled when you set up your CloudFront distribution. Content delivered without this feature enabled will be publicly readable.
Amazon CloudFront provides the option to transfer content over an encrypted connection (HTTPS). By default, CloudFront will accept requests over both HTTP and HTTPS protocols. However, you can also configure CloudFront to require HTTPS for all requests or have CloudFront redirect HTTP requests to HTTPS. You can even configure CloudFront distributions to allow HTTP for some objects but require HTTPS for other objects.
Figure 7: Amazon CloudFront Encrypted Transmission
You can configure one or more CloudFront origins to require CloudFront fetch objects from your origin using the protocol that the viewer used to request the objects. For example, when you use this CloudFront setting and the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin.
Amazon CloudFront supports the TLSv1.1 and TLSv1.2 protocols for HTTPS connections between CloudFront and your custom origin web server (along with SSLv3 and TLSv1.0) and a selection of cipher suites that includes the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol on connections to both viewers and the origin. ECDHE allows SSL/TLS clients to provide Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This helps prevent the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised.
Note that if you're using your own server as your origin, and you want to use HTTPS both between viewers and CloudFront and between CloudFront and your origin, you must install a valid SSL certificate on the HTTP server that is signed by a third-party certificate authority, for example, VeriSign or DigiCert.
By default, you can deliver content to viewers over HTTPS by using your CloudFront distribution domain name in your URLs; for example, https://dxxxxx.cloudfront.net/image.jpg. If you want to deliver your content over HTTPS using your own domain name and your own SSL certificate, you can use SNI Custom SSL or Dedicated IP Custom SSL. With Server Name Identification (SNI) Custom SSL, CloudFront relies on the SNI extension of the TLS protocol, which is supported by most modern web browsers. However, some users may not be able to access your content because some older browsers do not support SNI. With Dedicated IP Custom SSL, CloudFront dedicates IP addresses to your SSL certificate at each CloudFront edge location so that CloudFront can associate the incoming requests with the proper SSL certificate.
Amazon CloudFront access logs contain a comprehensive set of information about requests for content, including the object requested, the date and time of the request, the edge location serving the request, the client IP address, the referrer, and the user agent. To enable access logs, just specify the name of the Amazon S3 bucket to store the logs in when you configure your Amazon CloudFront distribution.
AWS Direct Connect Security
With AWS Direct Connect, you can provision a direct link between your internal network and an AWS region using a high-throughput, dedicated connection. Doing this may help reduce your network costs, improve throughput, or provide a more consistent network experience. With this dedicated connection in place, you can then create virtual interfaces directly to the AWS cloud (for example, to Amazon EC2 and Amazon S3).
With AWS Direct Connect, you bypass Internet service providers in your network path. You can procure rack space within the facility housing the AWS Direct Connect location and deploy your equipment nearby. Once deployed, you can connect this equipment to AWS Direct Connect using a cross-connect. Each AWS Direct Connect location enables connectivity to the geographically nearest AWS region. You can access all AWS services available in that region. AWS Direct Connect locations in the US can also access the public endpoints of the other AWS regions using a public virtual interface.
Using industry standard 802.1q VLANs, the dedicated connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public resources such as objects stored in Amazon S3 using public IP address space, and private resources such as Amazon EC2 instances running within an Amazon VPC using private IP space, while maintaining network separation between the public and private environments.
AWS Direct Connect requires the use of the Border Gateway Protocol (BGP) with an Autonomous System Number (ASN). To create a virtual interface, you use an MD5 cryptographic key for message authorization. MD5 creates a keyed hash using your secret key. You can have AWS automatically generate a BGP MD5 key or you can provide your own.
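The keyed MD5 hash that the BGP key protects, computed and checked on a constructed TCP segment, as an added example that is not part of the whitepaper or of any AWS or router software. It assumes the BGP MD5 key is used as the TCP MD5 signature option of RFC 2385 (digest over the IP pseudo-header, the fixed TCP header with checksum zeroed, the payload, then the key); the peer addresses, ports, sequence numbers and key are placeholders.

```python
import hashlib
import hmac
import socket
import struct

# Constructed BGP KEEPALIVE: 16-byte marker of 0xff, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
KEY = b"constructed-bgp-md5-key"       # placeholder, not a real key
MD5_OPTION_KIND, MD5_OPTION_LEN = 19, 18  # RFC 2385 option: kind, length, 16-byte digest


def build_tcp_header(sport, dport, seq, ack, flags, window, options=b""):
    """Fixed 20-byte header plus options padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    doff = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, window, 0, 0) + options


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385: MD5(pseudo-header || fixed TCP header with checksum 0 || data || key).
    Options (including the signature option itself) are excluded; the
    pseudo-header length still counts the whole segment."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]   # checksum field zeroed
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Build a segment carrying the MD5 option with a digest over its contents."""
    reserved = bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + b"\x00" * 16
    header = build_tcp_header(sport, dport, seq, ack, flags, window, reserved)
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return header[:22] + digest + header[38:]   # fill in the option's digest bytes


def find_md5_option(tcp_header):
    """Return the digest carried in the MD5 option, or None if absent."""
    doff = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:doff]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                # malformed option list
        length = opts[i + 1]
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return opts[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Receiver side: a segment without the option, or with a digest that does
    not match the shared key, is dropped (returns False)."""
    carried = find_md5_option(tcp_header)
    if carried is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(carried, expected)


if __name__ == "__main__":
    seg = sign_segment("169.254.255.1", "169.254.255.2", 179, 52000, 1000, 2000, 0x18, 65535, KEEPALIVE, KEY)
    print("valid:", verify_segment("169.254.255.1", "169.254.255.2", seg, KEEPALIVE, KEY))
    print("wrong key:", verify_segment("169.254.255.1", "169.254.255.2", seg, KEEPALIVE, b"other"))
```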
Further Reading
https://aws.amazon.com/security/security-resources/
- Introduction to AWS Security Processes
- Overview of AWS Security - Storage Services
- Overview of AWS Security - Database Services
- Overview of AWS Security - Compute Services
- Overview of AWS Security - Application Services
- Overview of AWS Security - Analytics, Mobile and Application Services
- Overview of AWS Security – Network Services
Appendix – Glossary of Terms
Access Key ID: A string that AWS distributes in order to uniquely identify each AWS user; it is an alphanumeric token associated with your Secret Access Key.
Access control list (ACL): A list of permissions or rules for accessing an object or network resource. In Amazon EC2, security groups act as ACLs at the instance level, controlling which users have permission to access specific instances. In Amazon S3, you can use ACLs to give read or write access on buckets or objects to groups of users. In Amazon VPC, ACLs act like network firewalls and control access at the subnet level.
AMI: An Amazon Machine Image (AMI) is an encrypted machine image stored in Amazon S3. It contains all the information necessary to boot instances of a customer's software.
API: Application Programming Interface (API) is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems.
Archive: An archive in Amazon Glacier is a file that you want to store and is a base unit of storage in Amazon Glacier. It can be any data such as a photo, video, or document. Each archive has a unique ID and an optional description.
Authentication: Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Not only do users need to be authenticated, but every program that wants to call the functionality exposed by an AWS API must be authenticated. AWS requires that you authenticate every request by digitally signing it using a cryptographic hash function.
Auto Scaling: An AWS service that allows customers to automatically scale their Amazon EC2 capacity up or down according to conditions they define.
Availability Zone: Amazon EC2 locations are composed of regions and availability zones. Availability zones are distinct locations that are engineered to be insulated from failures in other availability zones and provide inexpensive, low latency network connectivity to other availability zones in the same region.
Bastion host: A computer specifically configured to withstand attack, usually placed on the external/public side of a demilitarized zone (DMZ) or outside the firewall. You can set up an Amazon EC2 instance as an SSH bastion by setting up a public subnet as part of an Amazon VPC.
Bucket: A container for objects stored in Amazon S3. Every object is contained within a bucket. For example, if the object named photos/puppy.jpg is stored in the johnsmith bucket, then it is addressable using the URL: http://johnsmith.s3.amazonaws.com/photos/puppy.jpg.
Certificate: A credential that some AWS products use to authenticate AWS Accounts and users. Also known as an X.509 certificate. The certificate is paired with a private key.
CIDR Block: Classless Inter-Domain Routing Block of IP addresses.
Client-side encryption: Encrypting data on the client side before uploading it to Amazon S3.
CloudFormation: An AWS provisioning tool that lets customers record the baseline configuration of the AWS resources needed to run their applications so that they can provision and update them in an orderly and predictable fashion.
Cognito: An AWS service that simplifies the task of authenticating users and storing, managing, and syncing their data across multiple devices, platforms, and applications. It works with multiple existing identity providers and also supports unauthenticated guest users.
Credentials: Items that a user or process must have in order to confirm to AWS services during the authentication process that they are authorized to access the service. AWS credentials include passwords, secret access keys as well as X.509 certificates and multi-factor tokens.
Dedicated instance: Amazon EC2 instances that are physically isolated at the host hardware level (i.e., they will run on single-tenant hardware).
Digital signature: A digital signature is a cryptographic method for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by an authorized sender, and that it was not altered in transit.
DigitalsignaturesareusedAmazonWebServices–OverviewofSecurityProcessesJune2016Page35of45bycustomersforsigningrequeststoAWSAPIsaspartoftheauthenticationprocess.
DirectConnectService:AmazonservicethatallowsyoutoprovisionadirectlinkbetweenyourinternalnetworkandanAWSregionusingahigh-throughput,dedicatedconnection.
Withthisdedicatedconnectioninplace,youcanthencreatelogicalconnectionsdirectlytotheAWScloud(forexample,toAmazonEC2andAmazonS3)andAmazonVPC,bypassingInternetserviceprovidersinthenetworkpath.
DynamoDBService:AmanagedNoSQLdatabaseservicefromAWSthatprovidesfastandpredictableperformancewithseamlessscalability.
EBS:AmazonElasticBlockStore(EBS)providesblock-levelstoragevolumesforusewithAmazonEC2instances.
AmazonEBSvolumesareoff-instancestoragethatpersistsindependentlyfromthelifeofaninstance.
ElastiCache:AnAWSwebservicethatallowsyoutosetup,manage,andscaledistributedin-memorycacheenvironmentsinthecloud.
Theserviceimprovestheperformanceofwebapplicationsbyallowingyoutoretrieveinformationfromafast,managed,in-memorycachingsystem,insteadofrelyingentirelyonslowerdisk-baseddatabases.
ElasticBeanstalk:AnAWSdeploymentandmanagementtoolthatautomatesthefunctionsofcapacityprovisioning,loadbalancing,andautoscalingforcustomers'applications.
ElasticIPAddress:Astatic,publicIPaddressthatyoucanassigntoanyinstanceinanAmazonVPC,therebymakingtheinstancepublic.
ElasticIPaddressesalsoenableyoutomaskinstancefailuresbyrapidlyremappingyourpublicIPaddressestoanyinstanceintheVPC.
ElasticLoadBalancing:AnAWSservicethatisusedtomanagetrafficonafleetofAmazonEC2instances,distributingtraffictoinstancesacrossallavailabilityzoneswithinaregion.
ElasticLoadBalancinghasalltheadvantagesofanon-premisesloadbalancer,plusseveralsecuritybenefitssuchastakingovertheencryption/decryptionworkfromEC2instancesandmanagingitcentrallyontheloadbalancer.
ElasticMapReduce(EMR)Service:AnAWSservicethatutilizesahostedHadoopframeworkrunningontheweb-scaleinfrastructureofAmazonEC2andAmazonS3.
ElasticMapReduceenablescustomerstoeasilyandcost-effectivelyprocessextremelylargequantitiesofdata("bigdata").
AmazonWebServices–OverviewofSecurityProcessesJune2016Page36of45ElasticNetworkInterface:WithinanAmazonVPC,anElasticNetworkInterfaceisanoptionalsecondnetworkinterfacethatyoucanattachtoanEC2instance.
AnElasticNetworkInterfacecanbeusefulforcreatingamanagementnetworkorusingnetworkorsecurityappliancesintheAmazonVPC.
Itcanbeeasilydetachedfromaninstanceandreattachedtoanotherinstance.
Endpoint:AURLthatistheentrypointforanAWSservice.
Toreducedatalatencyinyourapplications,mostAWSservicesallowyoutoselectaregionalendpointtomakeyourrequests.
Somewebservicesallowyoutouseageneralendpointthatdoesn'tspecifyaregion;thesegenericendpointsresolvetotheservice'sus-east-1endpoint.
YoucanconnecttoanAWSendpointviaHTTPorsecureHTTP(HTTPS)usingSSL.
Federatedusers:User,systems,orapplicationsthatarenotcurrentlyauthorizedtoaccessyourAWSservices,butthatyouwanttogivetemporaryaccessto.
ThisaccessisprovidedusingtheAWSSecurityTokenService(STS)APIs.
Firewall:Ahardwareorsoftwarecomponentthatcontrolsincomingand/oroutgoingnetworktrafficaccordingtoaspecificsetofrules.
UsingfirewallrulesinAmazonEC2,youspecifytheprotocols,ports,andsourceIPaddressrangesthatareallowedtoreachyourinstances.
Theserulesspecifywhichincomingnetworktrafficshouldbedeliveredtoyourinstance(e.
g.
,acceptwebtrafficonport80).
AmazonVPCsupportsacompletefirewallsolutionenablingfilteringonbothingressandegresstrafficfromaninstance.
Thedefaultgroupenablesinboundcommunicationfromothermembersofthesamegroupandoutboundcommunicationtoanydestination.
TrafficcanberestrictedbyanyIPprotocol,byserviceport,aswellassource/destinationIPaddress(individualIPorClasslessInter-DomainRouting(CIDR)block).
GuestOS:Inavirtualmachineenvironment,multipleoperatingsystemscanrunonasinglepieceofhardware.
EachoneoftheseinstancesisconsideredaguestonthehosthardwareandutilizesitsownOS.
Hash:AcryptographichashfunctionisusedtocalculateadigitalsignatureforsigningrequeststoAWSAPIs.
Acryptographichashisaone-wayfunctionthatreturnsauniquehashvaluebasedontheinput.
Theinputtothehashfunctionincludesthetextofyourrequestandyoursecretaccesskey.
Thehashfunctionreturnsahashvaluethatyouincludeintherequestasyoursignature.
HMAC-SHA1/HMAC-SHA256:Incryptography,akeyed-HashMessageAuthenticationCode(HMACorKHMAC),isatypeofmessageauthenticationcode(MAC)calculatedusingaspecificalgorithminvolvingacryptographichashfunctionAmazonWebServices–OverviewofSecurityProcessesJune2016Page37of45incombinationwithasecretkey.
AswithanyMAC,itmaybeusedtosimultaneouslyverifyboththedataintegrityandtheauthenticityofamessage.
Anyiterativecryptographichashfunction,suchasSHA-1orSHA-256,maybeusedinthecalculationofanHMAC;theresultingMACalgorithmistermedHMAC-SHA1orHMAC-SHA256accordingly.
ThecryptographicstrengthoftheHMACdependsuponthecryptographicstrengthoftheunderlyinghashfunction,onthesizeandqualityofthekeyandthesizeofthehashoutputlengthinbits.
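The Hash and HMAC entries above describe how a request is signed with a secret access key and checked by the service. The following added example (not from the whitepaper, and not the actual AWS signing protocol, whose canonical format is not given here) shows the mechanism with Python's standard library: the client computes an HMAC-SHA256 (or HMAC-SHA1) over a canonical string of the request fields and sends only the Access Key ID and the MAC; the server recomputes the MAC from the shared secret and compares it in constant time. The key, host and query values are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample credentials (placeholders, not real AWS keys).
ACCESS_KEY_ID = "AKIAEXAMPLEPLACEHOLDER"
SECRET_ACCESS_KEY = b"constructed-secret-access-key-for-demo-only"


def canonical_request(method, host, path, query, timestamp):
    """Join the request fields the signature must cover, one per line.

    Every field the server will act on (method, host, path, query string and
    a timestamp that bounds replay) goes into the signed string; anything
    left out could be altered in transit without invalidating the MAC."""
    return "\n".join([method.upper(), host.lower(), path, query, timestamp])


def sign(secret, canonical, algo="sha256"):
    """Return the hex HMAC of the canonical request.

    algo selects the underlying hash: "sha1" gives HMAC-SHA1, anything else
    HMAC-SHA256. The secret never leaves the client; only the MAC is sent."""
    digest = hashlib.sha1 if algo == "sha1" else hashlib.sha256
    return hmac.new(secret, canonical.encode("utf-8"), digest).hexdigest()


def verify(secret, canonical, presented, algo="sha256"):
    """Server side: recompute the MAC from the shared secret and compare it
    to the presented value in constant time (compare_digest), so timing
    differences do not reveal how many leading characters matched."""
    expected = sign(secret, canonical, algo)
    return hmac.compare_digest(expected, presented)


def build_signed_request():
    """Client side: produce what a signed request would carry. The Access Key
    ID tells the server which secret to look up; the secret itself is never
    transmitted. Host, query and timestamp are constructed sample values."""
    canonical = canonical_request("GET", "ec2.amazonaws.com", "/",
                                  "Action=DescribeInstances",
                                  "2016-06-01T12:00:00Z")
    return {
        "AccessKeyId": ACCESS_KEY_ID,
        "Canonical": canonical,
        "Signature": sign(SECRET_ACCESS_KEY, canonical),
    }


if __name__ == "__main__":
    req = build_signed_request()
    print("signature:", req["Signature"])
    print("valid    :", verify(SECRET_ACCESS_KEY, req["Canonical"], req["Signature"]))
    # Any change to a signed field (here the timestamp) invalidates the MAC.
    altered = req["Canonical"].replace("12:00:00", "12:00:01")
    print("altered  :", verify(SECRET_ACCESS_KEY, altered, req["Signature"]))
```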
Hardware security module (HSM): An HSM is an appliance that provides secure cryptographic key storage and operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance. The AWS CloudHSM service provides customers with dedicated, single-tenant access to an HSM appliance.

Hypervisor: A hypervisor, also called Virtual Machine Monitor (VMM), is computer software/hardware platform virtualization software that allows multiple operating systems to run on a host computer concurrently.

Identity and Access Management (IAM): AWS IAM enables you to create multiple users and manage the permissions for each of these users within your AWS Account.

Identity pool: A store of user identity information in Amazon Cognito that is specific to your AWS Account. Identity pools use IAM roles, which are permissions that are not tied to a specific IAM user or group and that use temporary security credentials for authenticating to the AWS resources defined in the role.

Identity Provider: An online service responsible for issuing identification information for users who would like to interact with the service or with other cooperating services. Examples of identity providers include Facebook, Google, and Amazon.

Import/Export Service: An AWS service for transferring large amounts of data to Amazon S3 or EBS storage by physically shipping a portable storage device to a secure AWS facility.

Instance: An instance is a virtualized server, also known as a virtual machine (VM), with its own hardware resources and guest OS. In EC2, an instance represents one running copy of an Amazon Machine Image (AMI).

IP address: An Internet Protocol (IP) address is a numerical label that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes.

IP spoofing: Creation of IP packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.

Key: In cryptography, a key is a parameter that determines the output of a cryptographic algorithm (called a hashing algorithm). A key pair is a set of security credentials you use to prove your identity electronically and consists of a public key and a private key.

Key rotation: The process of periodically changing the cryptographic keys used for encrypting data or digitally signing requests. Just like changing passwords, rotating keys minimizes the risk of unauthorized access if an attacker somehow obtains your key or determines the value of it. AWS supports multiple concurrent access keys and certificates, which allows customers to rotate keys and certificates into and out of operation on a regular basis without any downtime to their application.

Mobile Analytics: An AWS service for collecting, visualizing, and understanding mobile application usage data. It enables you to track customer behaviors, aggregate metrics, and identify meaningful patterns in your mobile applications.

Multi-factor authentication (MFA): The use of two or more authentication factors. Authentication factors include something you know (like a password) or something you have (like a token that generates a random number). AWS IAM allows the use of a six-digit single-use code in addition to the user name and password credentials. Customers get this single-use code from an authentication device that they keep in their physical possession (either a physical token device or a virtual token from their smartphone).

Network ACLs: Stateless traffic filters that apply to all traffic inbound or outbound from a subnet within an Amazon VPC. Network ACLs can contain ordered rules to allow or deny traffic based upon IP protocol, by service port, as well as source/destination IP address.

Object: The fundamental entities stored in Amazon S3. Objects consist of object data and metadata. The data portion is opaque to Amazon S3. The metadata is a set of name-value pairs that describe the object. These include some default metadata such as the date last modified and standard HTTP metadata such as Content-Type. The developer can also specify custom metadata at the time the Object is stored.

Paravirtualization: In computing, paravirtualization is a virtualization technique that presents a software interface to virtual machines that is similar but not identical to that of the underlying hardware.

Peering: A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network.

Port scanning: A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port number, the computer provides.

Region: A named set of AWS resources in the same geographical area. Each region contains at least two availability zones.

Replication: The continuous copying of data from a database in order to maintain a second version of the database, usually for disaster recovery purposes. Customers can use multiple AZs for their Amazon RDS database replication needs, or use Read Replicas if using MySQL.

Relational Database Service (RDS): An AWS service that allows you to create a relational database (DB) instance and flexibly scale the associated compute resources and storage capacity to meet application demand. Amazon RDS is available for Amazon Aurora, MySQL, PostgreSQL, Oracle, Microsoft SQL Server, and MariaDB database engines.

Role: An entity in AWS IAM that has a set of permissions that can be assumed by another entity. Use roles to enable applications running on your Amazon EC2 instances to securely access your AWS resources. You grant a specific set of permissions to a role, use the role to launch an Amazon EC2 instance, and let EC2 automatically handle AWS credential management for your applications that run on Amazon EC2.

Route 53: An authoritative DNS system that provides an update mechanism that developers can use to manage their public DNS names, answering DNS queries and translating domain names into IP addresses so computers can communicate with each other.

Secret Access Key: A key that AWS assigns to you when you sign up for an AWS Account. To make API calls or to work with the command line interface, each AWS user needs the Secret Access Key and Access Key ID. The user signs each request with the Secret Access Key and includes the Access Key ID in the request. To help ensure the security of your AWS Account, the Secret Access Key is accessible only during key and user creation. You must save the key (for example, in a text file that you store securely) if you want to be able to access it again.

Security group: A security group gives you control over the protocols, ports, and source IP address ranges that are allowed to reach your Amazon EC2 instances; in other words, it defines the firewall rules for your instance. These rules specify which incoming network traffic should be delivered to your instance (e.g., accept web traffic on port 80).

Security Token Service (STS): The AWS STS APIs return temporary security credentials consisting of a security token, an Access Key ID, and a Secret Access Key. You can use STS to issue security credentials to users who need temporary access to your resources. These users can be existing IAM users, non-AWS users (federated identities), systems, or applications that need to access your AWS resources.

Server-side encryption (SSE): An option for Amazon S3 storage for automatically encrypting data at rest. With Amazon S3 SSE, customers can encrypt data on upload simply by adding an additional request header when writing the object. Decryption happens automatically when data is retrieved.

Service: Software or computing ability provided across a network (e.g., Amazon EC2, Amazon S3).

Shard: In Amazon Kinesis, a shard is a uniquely identified group of data records in an Amazon Kinesis stream. A Kinesis stream is composed of multiple shards, each of which provides a fixed unit of capacity.

Signature: Refers to a digital signature, which is a mathematical way to confirm the authenticity of a digital message. AWS uses signatures calculated with a cryptographic algorithm and your private key to authenticate the requests you send to our web services.

Simple Data Base (SimpleDB): A non-relational data store that allows AWS customers to store and query data items via web services requests. Amazon SimpleDB creates and manages multiple geographically distributed replicas of the customer's data automatically to enable high availability and data durability.

Simple Email Service (SES): An AWS service that provides a scalable bulk and transactional email-sending service for businesses and developers. In order to maximize deliverability and dependability for senders, Amazon SES takes proactive steps to prevent questionable content from being sent, so that ISPs view the service as a trusted email origin.

Simple Mail Transfer Protocol (SMTP): An Internet standard for transmitting email across IP networks, SMTP is used by the Amazon Simple Email Service. Customers who use Amazon SES can use an SMTP interface to send email, but must connect to an SMTP endpoint via TLS.

Simple Notification Service (SNS): An AWS service that makes it easy to set up, operate, and send notifications from the cloud. Amazon SNS provides developers with the ability to publish messages from an application and immediately deliver them to subscribers or other applications.

Simple Queue Service (SQS): A scalable message queuing service from AWS that enables asynchronous message-based communication between distributed components of an application. The components can be computers or Amazon EC2 instances or a combination of both.

Simple Storage Service (Amazon S3): An AWS service that provides secure storage for object files. Access to objects can be controlled at the file or bucket level and can further be restricted based on other conditions such as request IP source, request time, etc. Files can also be encrypted automatically using AES-256 encryption.

Simple Workflow Service (SWF): An AWS service that allows customers to build applications that coordinate work across distributed components. Using Amazon SWF, developers can structure the various processing steps in an application as "tasks" that drive work in distributed applications. Amazon SWF coordinates these tasks, managing task execution dependencies, scheduling, and concurrency based on a developer's application logic.

Single sign-on: The capability to log in once but access multiple applications and systems. A secure single sign-on capability can be provided to your federated users (AWS and non-AWS users) by creating a URL that passes the temporary security credentials to the AWS Management Console.

Snapshot: A customer-initiated backup of an EBS volume that is stored in Amazon S3, or a customer-initiated backup of an RDS database that is stored in Amazon RDS. A snapshot can be used as the starting point for a new EBS volume or Amazon RDS database or to protect the data for long-term durability and recovery.

Secure Sockets Layer (SSL): A cryptographic protocol that provides security over the Internet at the Application Layer. Both the TLS 1.0 and SSL 3.0 protocol specifications use cryptographic mechanisms to implement the security services that establish and maintain a secure TCP/IP connection. The secure connection prevents eavesdropping, tampering, or message forgery. You can connect to an AWS endpoint via HTTP or secure HTTP (HTTPS) using SSL.

Stateful firewall: In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it.

Storage Gateway: An AWS service that securely connects a customer's on-premises software appliance with Amazon S3 storage by using a VM that the customer deploys on a host in their datacenter running VMware ESXi Hypervisor. Data is asynchronously transferred from the customer's on-premises storage hardware to AWS over SSL, and then stored encrypted in Amazon S3 using AES-256.

Temporary security credentials: AWS credentials that provide temporary access to AWS services. Temporary security credentials can be used to provide identity federation between AWS services and non-AWS users in your own identity and authorization system. Temporary security credentials consist of a security token, an Access Key ID, and a Secret Access Key.

Transcoder: A system that transcodes (converts) a media file (audio or video) from one format, size, or quality to another. Amazon Elastic Transcoder makes it easy for customers to transcode video files in a scalable and cost-effective fashion.

Transport Layer Security (TLS): A cryptographic protocol that provides security over the Internet at the Application Layer. Customers who use Amazon's Simple Email Service must connect to an SMTP endpoint via TLS.

Tree hash: A tree hash is generated by computing a hash for each megabyte-sized segment of the data, and then combining the hashes in tree fashion to represent ever-growing adjacent segments of the data. Amazon Glacier checks the hash against the data to help ensure that it has not been altered en route.
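The tree hash entry above describes the construction in words; the following added Python example (not from the whitepaper or the AWS SDKs) implements it as described: SHA-256 over each 1 MiB segment, parents formed by hashing the concatenation of two adjacent child digests, an odd leftover carried up unchanged, and a single root at the top. A small segment size and a constructed 26-byte payload are used so the tree has several leaves; the per-segment design also lets a receiver report which segment was altered rather than only that the whole archive mismatched.

```python
import hashlib
import hmac

MEGABYTE = 1024 * 1024  # Glacier hashes the payload in 1 MiB segments

# Constructed sample payload and a small segment size so the tree has
# several leaves without needing megabytes of data.
SAMPLE_PAYLOAD = b"abcdefghijklmnopqrstuvwxyz"   # 26 bytes, constructed
DEMO_SEGMENT = 8                                  # leaves of 8, 8, 8, 2 bytes


def leaf_hashes(data, segment=MEGABYTE):
    """SHA-256 of every segment-sized slice; the final slice may be shorter.
    An empty payload is treated as a single empty leaf."""
    if not data:
        return [hashlib.sha256(b"").digest()]
    return [hashlib.sha256(data[i:i + segment]).digest()
            for i in range(0, len(data), segment)]


def combine(left, right):
    """Parent node: SHA-256 over the concatenation of two child digests."""
    return hashlib.sha256(left + right).digest()


def tree_hash(data, segment=MEGABYTE):
    """Fold the leaves pairwise until one root remains. When a level has an
    odd number of nodes the last one is carried up unchanged, so each level
    covers ever-larger adjacent ranges of the payload. Returns lowercase hex."""
    level = leaf_hashes(data, segment)
    while len(level) > 1:
        parents = [combine(level[i], level[i + 1])
                   for i in range(0, len(level) - 1, 2)]
        if len(level) % 2 == 1:
            parents.append(level[-1])
        level = parents
    return level[0].hex()


def verify_tree_hash(data, expected_hex, segment=MEGABYTE):
    """Receiver side: recompute the root and compare it in constant time."""
    return hmac.compare_digest(tree_hash(data, segment), expected_hex.lower())


def changed_segments(original, received, segment=MEGABYTE):
    """Indices of segments whose leaf hash differs (or that exist on only one
    side). Hashing per segment is what makes a mismatch localisable, so only
    the affected parts need to be re-sent instead of the whole archive."""
    a, b = leaf_hashes(original, segment), leaf_hashes(received, segment)
    return [i for i in range(max(len(a), len(b)))
            if i >= len(a) or i >= len(b) or a[i] != b[i]]


if __name__ == "__main__":
    root = tree_hash(SAMPLE_PAYLOAD, DEMO_SEGMENT)
    print("tree hash:", root)
    damaged = SAMPLE_PAYLOAD[:10] + b"X" + SAMPLE_PAYLOAD[11:]  # byte 10 altered
    print("verifies :", verify_tree_hash(damaged, root, DEMO_SEGMENT))
    print("changed  :", changed_segments(SAMPLE_PAYLOAD, damaged, DEMO_SEGMENT))
```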
Vault: In Amazon Glacier, a vault is a container for storing archives. When you create a vault, you specify a name and select an AWS region where you want to create the vault. Each vault resource has a unique address.

Versioning: Every object in Amazon S3 has a key and a version ID. Objects with the same key, but different version IDs can be stored in the same bucket. Versioning is enabled at the bucket layer using PUT Bucket versioning.

Virtual Instance: Once an AMI has been launched, the resulting running system is referred to as an instance. All instances based on the same AMI start out identical and any information on them is lost when the instances are terminated or fail.

Virtual MFA: The capability for a user to get the six-digit, single-use MFA code from their smartphone rather than from a token/fob. MFA is the use of an additional factor (the single-use code) in conjunction with a user name and password for authentication.

Virtual Private Cloud (VPC): An AWS service that enables customers to provision an isolated section of the AWS cloud, including selecting their own IP address range, defining subnets, and configuring routing tables and network gateways.

Virtual Private Network (VPN): The capability to create a private, secure network between two locations over a public network such as the Internet. AWS customers can add an IPsec VPN connection between their Amazon VPC and their datacenter, effectively extending their datacenter to the cloud while also providing direct access to the Internet for public subnet instances in their Amazon VPC. In this configuration, customers add a VPN appliance on their corporate datacenter side.

WorkSpaces: An AWS managed desktop service that enables you to provision cloud-based desktops for your users and allows them to sign in using a set of unique credentials or their regular Active Directory credentials.

X.509: In cryptography, X.509 is a standard for a Public Key Infrastructure (PKI) for single sign-on and Privilege Management Infrastructure (PMI). X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm. Some AWS products use X.509 certificates instead of a Secret Access Key for access to certain interfaces. For example, Amazon EC2 uses a Secret Access Key for access to its Query interface, but it uses a signing certificate for access to its SOAP interface and command line tool interface.

WorkDocs: An AWS managed enterprise storage and sharing service with feedback capabilities for user collaboration.

Document Revisions

Jun 2016
- Updated compliance programs
- Updated regions

Nov 2014
- Updated compliance programs
- Updated shared security responsibility model
- Updated AWS Account security features
- Reorganized services into categories
- Updated several services with new features: CloudWatch, CloudTrail, CloudFront, EBS, ElastiCache, Redshift, Route 53, S3, Trusted Advisor, and WorkSpaces
- Added Cognito Security
- Added Mobile Analytics Security
- Added WorkDocs Security

Nov 2013
- Updated regions
- Updated several services with new features: CloudFront, Direct Connect, DynamoDB, EBS, ELB, EMR, Amazon Glacier, IAM, OpsWorks, RDS, Redshift, Route 53, Storage Gateway, and VPC
- Added AppStream Security
- Added CloudTrail Security
- Added Kinesis Security
- Added WorkSpaces Security

May 2013
- Updated IAM to incorporate roles and API access
- Updated MFA for API access for customer-specified privileged actions
- Updated RDS to add event notification, multi-AZ, and SSL to SQL Server 2012
- Updated VPC to add multiple IP addresses, static routing VPN, and VPC By Default
- Updated several other services with new features: CloudFront, CloudWatch, EBS, ElastiCache, Elastic Beanstalk, Route 53, S3, Storage Gateway
- Added Glacier Security
- Added Redshift Security
- Added Data Pipeline Security
- Added Transcoder Security
- Added Trusted Advisor Security
- Added OpsWorks Security
- Added CloudHSM Security