Amazon Web Services: Overview of Security Processes August 2015


(Please consult http://aws.amazon.com/security/ for the latest version of this paper)

Table of Contents

Introduction ..... 5
Shared Security Responsibility Model ..... 5
    AWS Security Responsibilities ..... 6
    Customer Security Responsibilities ..... 6
AWS Global Infrastructure Security ..... 7
    AWS Compliance Program ..... 7
    Physical and Environmental Security ..... 8
        Fire Detection and Suppression ..... 8
        Power ..... 8
        Climate and Temperature ..... 8
        Management ..... 8
        Storage Device Decommissioning ..... 8
    Business Continuity Management ..... 9
        Availability ..... 9
        Incident Response ..... 9
        Company-Wide Executive Review ..... 9
        Communication ..... 9
    Network Security ..... 10
        Secure Network Architecture ..... 10
        Secure Access Points ..... 10
        Transmission Protection ..... 10
        Amazon Corporate Segregation ..... 10
        Fault-Tolerant Design ..... 11
        Network Monitoring and Protection ..... 12
    AWS Access ..... 14
        Account Review and Audit ..... 14
        Background Checks ..... 14
        Credentials Policy ..... 14
    Secure Design Principles ..... 14
    Change Management ..... 15
        Software ..... 15
        Infrastructure ..... 15
AWS Account Security Features ..... 16
    AWS Credentials ..... 16
        Passwords ..... 17
        AWS Multi-Factor Authentication (AWS MFA) ..... 17
        Access Keys ..... 18
        Key Pairs ..... 18
        X.509 Certificates ..... 18
    Individual User Accounts ..... 19
    Secure HTTPS Access Points ..... 19
    Security Logs ..... 19
    AWS Trusted Advisor Security Checks ..... 20
AWS Service-Specific Security ..... 20
    Compute Services ..... 20
        Amazon Elastic Compute Cloud (Amazon EC2) Security ..... 20
        Auto Scaling Security ..... 24
    Networking Services ..... 25
        Amazon Elastic Load Balancing Security ..... 25
        Amazon Virtual Private Cloud (Amazon VPC) Security ..... 26
        Amazon Route 53 Security ..... 31
        Amazon CloudFront Security ..... 32
        AWS Direct Connect Security ..... 34
    Storage Services .....