AWS Cloud Security Model Overview

Shared Responsibility Model
Customer/SI Partner/ISV controls:
• Guest OS-level security, including patching and maintenance
• Application-level security, including password and role-based access
• Host-based firewalls, including Intrusion Detection/Prevention Systems
• Encryption/Decryption of data
• Hardware Security Modules
• Separation of Access

Certifications & Accreditations
• Sarbanes-Oxley (SOX) compliance
• ISO 27001 Certification
• PCI DSS Level I Certification
• HIPAA compliant architecture
• SAS 70 Type II Audit
• FISMA Low ATO
• Pursuing FISMA Moderate ATO
• Pursuing DIACAP MAC III - Sensitive
• FedRAMP
• Service Health Dashboard
Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)
• Management Plane Administrative Access: multi-factor, controlled, need-based access to administrative hosts
• All access logged, monitored, reviewed
• AWS Administrators DO NOT have access inside a customer’s VMs, including applications and data

VM Security
• Multi-factor access to Amazon Account
• Instance Isolation
  • Customer-controlled firewall at the hypervisor level
  • Neighboring instances are prevented from accessing each other
  • Virtualized disk management layer ensures only account owners can access storage disks (EBS)
• Support for SSL endpoint encryption for API calls

Network Security
• Instance firewalls can be configured in security groups; the traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
• Virtual Private Cloud (VPC) provides IPSec VPN access from an existing enterprise data center to a set of logically isolated AWS resources
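The security-group behaviour described under Network Security (allow-list rules keyed on protocol, service port and source IP or CIDR block, with everything else denied), modelled in Python as an added example that is not AWS code; the rule set, ports and addresses are constructed for illustration.

```python
"""Model of EC2 security group ingress evaluation (added example, not AWS code).

Constructed rules mirror the slide: traffic is permitted only by protocol,
service port and source IP or CIDR block; any traffic no rule matches is denied.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    protocol: str        # "tcp", "udp" or "icmp"
    from_port: int       # inclusive port range; ignored for icmp
    to_port: int
    source: str          # single IP ("x.x.x.x/32") or CIDR block

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        if self.protocol != protocol:
            return False
        if protocol != "icmp" and not (self.from_port <= port <= self.to_port):
            return False
        # A /32 single host and a wider CIDR block are evaluated the same way.
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)


def is_allowed(rules, protocol: str, port: int, src_ip: str) -> bool:
    """Security groups are allow-lists: permit only if some rule matches, else deny."""
    return any(r.matches(protocol, port, src_ip) for r in rules)


# Constructed sample group: HTTPS from one office block, SSH from a single bastion host.
WEB_TIER_RULES = [
    IngressRule("tcp", 443, 443, "203.0.113.0/24"),
    IngressRule("tcp", 22, 22, "198.51.100.7/32"),
]

if __name__ == "__main__":
    checks = [
        ("tcp", 443, "203.0.113.45"),   # allow: inside the office CIDR block
        ("tcp", 22, "198.51.100.7"),    # allow: the bastion host
        ("tcp", 22, "203.0.113.45"),    # deny: SSH is not opened to the office block
        ("udp", 443, "203.0.113.45"),   # deny: protocol mismatch
        ("tcp", 443, "192.0.2.1"),      # deny: source outside every rule
    ]
    for proto, prt, ip in checks:
        verdict = "allow" if is_allowed(WEB_TIER_RULES, proto, prt, ip) else "deny"
        print(f"{proto}/{prt} from {ip}: {verdict}")
```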
AWS Certifications
• Sarbanes-Oxley (SOX) compliant
• SAS70 Type II audit
  • Goal: validate efficacy and efficiency of internal controls
  • SAS 70 continues as a complement to ISO 27001
  • Copy of report is available to you
• ISO 27001 certification in all regions
  • Finalized in November 2010
  • Standard is licensed content (purchase a copy from ISO)
• National Institute of Standards & Technology (NIST): certification in progress
• Customers have deployed HIPAA-compliant healthcare applications now (whitepaper at aws.amazon.com)
SAS70 Type II
Amazon Web Services publishes a Statement on Auditing Standards No. 70 (SAS 70) Type II Audit report every six months and maintains a favorable, unbiased and unqualified opinion from its independent auditors. AWS identifies those controls relating to operational performance and security that safeguard customer data. Through the SAS 70 report, the auditors evaluate the design of the stated control objectives and control activities and attest to the effectiveness of their design. They also audit the operation of those controls, attesting that the controls are operating as designed. This report is available under NDA to customers who require a SAS70 Type II report to meet their own audit and compliance needs.
AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers in all regions worldwide, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). We have established a formal program to maintain the certification.
PCI DSS Level 1
AWS has been successfully validated as a Level 1 service provider under the most recently published Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and Amazon Virtual Private Cloud (VPC) are included in the PCI compliance validation.
AWS Security Resources
http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
Latest versions: May 2011; regularly updated. Feedback is welcome.