Amazon Web Services: Overview of Security Processes August 2015

(Please consult http://aws.amazon.com/security/ for the latest version of this paper)

Table of Contents

Introduction
Shared Security Responsibility Model
    AWS Security Responsibilities
    Customer Security Responsibilities
AWS Global Infrastructure Security
    AWS Compliance Program
    Physical and Environmental Security
        Fire Detection and Suppression
        Power
        Climate and Temperature
        Management
        Storage Device Decommissioning
    Business Continuity Management
        Availability
        Incident Response
        Company-Wide Executive Review
        Communication
    Network Security
        Secure Network Architecture
        Secure Access Points
        Transmission Protection
        Amazon Corporate Segregation
        Fault-Tolerant Design
        Network Monitoring and Protection
    AWS Access
        Account Review and Audit
        Background Checks
        Credentials Policy
    Secure Design Principles
    Change Management
        Software
        Infrastructure
AWS Account Security Features
    AWS Credentials
        Passwords
        AWS Multi-Factor Authentication (AWS MFA)
        Access Keys
        Key Pairs
        X.509 Certificates
    Individual User Accounts
    Secure HTTPS Access Points
    Security Logs
    AWS Trusted Advisor Security Checks
AWS Service-Specific Security
    Compute Services
        Amazon Elastic Compute Cloud (Amazon EC2) Security
        Auto Scaling Security
    Networking Services
        Amazon Elastic Load Balancing Security
        Amazon Virtual Private Cloud (Amazon VPC) Security
        Amazon Route 53 Security
        Amazon CloudFront Security
        AWS Direct Connect Security
    Storage Services

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 75
