Security on Amazon Web Services (AWS)


In this article, we will learn about security on Amazon Web Services (AWS).

Amazon Web Services (AWS) delivers a scalable cloud computing platform that is highly available and dependable, and that provides the tools to implement a wide range of applications. These tools help us protect the confidentiality, integrity, and availability of our systems and data.

Shared Responsibility Model

  • When we move computer systems and data to the cloud, security responsibilities become shared between us and the selected Cloud Services Provider (CSP).
  • In AWS's case, AWS is responsible for securing the underlying infrastructure that supports the cloud, and we are responsible for anything we put on the cloud or connect to the cloud.
  • The shared responsibility model reduces our operational burden in many ways, and in some cases it may even improve our default security posture without any additional action on our part.

AWS Security Responsibilities

Amazon Web Services is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. Protecting this infrastructure is one of AWS's top priorities. Although we cannot visit the data centers or offices to see this protection firsthand, AWS provides several reports from third-party auditors who have verified its compliance with a variety of relevant computer security standards and regulations.

Customer Security Responsibilities

We can use cloud-based analytics and workflow tools to process the data as required, and then store it in our own datacenters or in the cloud. The AWS Cloud services we use determine how much configuration work we have to perform as part of our security responsibilities.

AWS Global Infrastructure Security

The AWS global infrastructure includes the facilities, networks, hardware, and operational software that support the provisioning and use of these resources. AWS security best practices and a variety of security compliance standards determine how the AWS global infrastructure is designed and managed.

Physical and Environmental Security

AWS data centers are state of the art and use innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. Only employees and contractors with a legitimate business need for such access are granted access to AWS datacenters.

Even if a person continues to work for Amazon or AWS, their access is revoked as soon as they no longer have a business need for it. Physical access to datacenters by AWS employees is logged and audited on a regular basis.

Fire Detection and Suppression

AWS data centers have automatic fire detection and suppression equipment to reduce risk. The fire detection system uses smoke detection sensors in all datacenter environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Power Systems

AWS datacenter electrical power systems are designed to be fully redundant and maintainable without impact to operations. Uninterruptible Power Supply (UPS) units provide backup power for critical and essential loads in the facility in the event of an electrical failure. AWS datacenters also use generators to provide backup power for the entire facility.

Climate and Temperature

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. AWS datacenters are built to maintain atmospheric conditions at optimal levels; personnel and systems monitor and control temperature and humidity so that they stay at appropriate levels.

Management

AWS monitors and controls electrical, mechanical, and HVAC systems and equipment so that any issues are immediately identified. AWS staff perform preventive maintenance to maintain the continued operability of equipment.

Storage Device De-commissioning

When a storage device reaches the end of its useful life, AWS procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals.

Availability

There are no “cold” AWS datacenters; all of them are online and serving customers. In the event of a failure, automated processes move data traffic away from the affected area. Core applications are deployed in an N+1 configuration so that, in the event of a datacenter failure, traffic can be load-balanced to the remaining sites.

Incident Response

The Amazon Incident Management Team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide coverage 24 hours a day, 7 days a week, to detect incidents and manage their impact and resolution.

Communication

AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees, regular management meetings for updates on business performance and other matters, and electronic means such as video conferencing, electronic mail messages, and the posting of information via the Amazon intranet.

Network Security

AWS has implemented a world-class network infrastructure that is carefully monitored and managed, enabling us to build geographically dispersed, fault-tolerant web architectures with cloud resources.

Secure Network Architecture

Network devices, including firewalls and other boundary devices, are used to monitor and control communications at the external boundary of the network and at key internal boundaries. Access control lists (ACLs) on each managed interface regulate and enforce the flow of traffic.

Secure Access Points

To support customers with Federal Information Processing Standard (FIPS) cryptographic requirements, the SSL-terminating load balancers in AWS GovCloud (US) are FIPS 140-2 compliant. Additionally, AWS has implemented network devices dedicated to managing interface communications with Internet Service Providers (ISPs). AWS employs a redundant connection to more than one communication service at each Internet-facing edge of the AWS network, and each of these connections has dedicated network devices.

Transmission Protection

AWS offers Amazon Virtual Private Cloud (Amazon VPC), which provides a private subnet within the AWS Cloud. For customers who require additional layers of network security, it also offers the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and our own datacenter.

Network Monitoring and Protection

The AWS network provides significant protection against traditional network security issues, and we can implement further protection on top of it. The following are a few examples of the network monitoring and protection services and features that AWS offers:

  • Distributed Denial of Service (DDoS) attacks: AWS API endpoints are hosted on large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world’s largest online retailer.
  • Man-in-the-Middle (MITM) attacks: All of the AWS APIs are available via SSL-protected endpoints that provide server authentication. Amazon EC2 Amazon Machine Images (AMIs) automatically generate new Secure Shell (SSH) host certificates on first boot and log them to the instance’s console, so we can compare them with the key an instance presents before trusting a first connection.
  • IP spoofing: Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or Media Access Control (MAC) address other than its own.
  • Port scanning: Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the policy are taken seriously, and every reported violation is investigated. Customers can report suspected abuse via the contacts available on the AWS website. Once AWS detects unauthorized port scanning, it is stopped and blocked.
  • Packet sniffing by other tenants: Although we can place our interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them.
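As an added example (not code from this page or from AWS), the following Python script shows the first-connection check that the MITM bullet enables: it parses the host key fingerprints that the AMI's first boot writes to the instance console (retrieved, for instance, with `aws ec2 get-console-output`) and compares them with the key the instance actually presents on the network (one line of `ssh-keyscan` output). The console text, the key blob and the host address are constructed sample data, and the `ec2:`-prefixed fingerprint block layout is an assumption about cloud-init's console output.

```python
import base64
import hashlib
import re
import struct

# One fingerprint line inside the console block, e.g.
# "256 SHA256:... root@ip-10-0-0-5 (ED25519)" (layout is an assumption)
FINGERPRINT_LINE = re.compile(r"^\d+ (SHA256:[A-Za-z0-9+/]+) .*\((\w+)\)$")

def ssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 host key blob in OpenSSH notation
    (same value `ssh-keygen -lf` prints): base64(sha256(blob)), no padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def console_fingerprints(console_text: str) -> dict:
    """Return {KEYTYPE: fingerprint} from the console's fingerprint block."""
    found, inside = {}, False
    for raw in console_text.splitlines():
        line = raw.split("ec2: ", 1)[-1].strip()   # drop the "ec2: " prefix
        if line == "-----BEGIN SSH HOST KEY FINGERPRINTS-----":
            inside = True
        elif line == "-----END SSH HOST KEY FINGERPRINTS-----":
            inside = False
        elif inside:
            m = FINGERPRINT_LINE.match(line)
            if m:
                found[m.group(2).upper()] = m.group(1)
    return found

def keyscan_matches_console(keyscan_line: str, console_fps: dict) -> bool:
    """Compare one 'host type base64key' line (ssh-keyscan format) against the
    console fingerprints; an unknown key type or a mismatch is a failure."""
    _host, key_type, key_b64 = keyscan_line.split()[:3]
    label = {"ssh-ed25519": "ED25519", "ssh-rsa": "RSA"}.get(
        key_type, "ECDSA" if key_type.startswith("ecdsa-") else key_type.upper())
    return console_fps.get(label) == ssh_fingerprint(key_b64)

def constructed_ed25519_blob(seed: bytes) -> str:
    """Syntactically valid ssh-ed25519 public key blob built from 32 bytes
    (constructed test data, not a real key)."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + seed
    return base64.b64encode(raw).decode()

GOOD_KEY = constructed_ed25519_blob(bytes(range(32)))
SAMPLE_CONSOLE = "\n".join([          # constructed console excerpt
    "ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----",
    f"ec2: 256 {ssh_fingerprint(GOOD_KEY)} root@ip-10-0-0-5 (ED25519)",
    "ec2: -----END SSH HOST KEY FINGERPRINTS-----",
])

if __name__ == "__main__":
    fps = console_fingerprints(SAMPLE_CONSOLE)
    swapped = constructed_ed25519_blob(bytes(32))   # a different key, as a MITM would present
    print("genuine:", keyscan_matches_console(f"10.0.0.5 ssh-ed25519 {GOOD_KEY}", fps))
    print("swapped:", keyscan_matches_console(f"10.0.0.5 ssh-ed25519 {swapped}", fps))
```

A mismatch means the key seen on the wire is not the one the instance generated at first boot, so the connection should not be trusted until the discrepancy is explained.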

AWS Compliance Program

The IT infrastructure that AWS provides is designed and managed in alignment with security best practices and a variety of IT security standards, including, but not limited to, the following:

  • Service Organization Controls (SOC) 1 / Statements on Standards for Attestation Engagements (SSAE) 16 / International Standard on Assurance Engagements (ISAE) 3402 (formerly Statement on Auditing Standards [SAS] 70), SOC 2, and SOC 3
  • Federal Information Security Management Act (FISMA)
  • Federal Risk and Authorization Management Program (FedRAMP)
  • Department of Defense (DoD) Security Requirements Guide (SRG) Levels 2 and 4
  • Payment Card Industry Data Security Standard (PCI DSS) Level 1
  • International Organization for Standardization (ISO) 9001, ISO 27001, ISO 27017, and ISO 27018
  • International Traffic in Arms Regulations (ITAR)
  • FIPS 140-2
  • Singapore Multi-Tier Cloud Security Standard (MTCS) Level 3
  • Germany Cloud Computing Compliance Controls Catalog (C5)
  • United Kingdom Cyber Essentials Plus
  • Australia Information Security Registered Assessors Program (IRAP)

In addition, the flexibility and control that the AWS platform provides allow us to deploy solutions that meet several industry-specific standards, including:

  • Criminal Justice Information Services (CJIS)
  • Cloud Security Alliance (CSA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Motion Picture Association of America (MPAA)
