9.2 Overview of Security Processes - Part 1
AWS is responsible for securing the underlying infrastructure that supports the cloud, and you are responsible for anything you put on the cloud or connect to the cloud.
AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services.
AWS is also responsible for the security configuration of its products that are considered managed services, for example DynamoDB, RDS, Redshift, EMR and WorkSpaces. You don't need to worry about the underlying instances or operating systems of these services (a model closer to software/platform as a service).
IaaS - products such as EC2, VPC and S3 are completely under your control and require you to perform all of the necessary security configuration and management tasks yourself (guest OS patching, security groups, IAM and bucket policies, encryption).
Managed Services - AWS is responsible for patching, antivirus, etc. However, you are still responsible for account management and user access. It is recommended that MFA be implemented, that you communicate with these services only over SSL/TLS, and that API/user activity logging be set up with CloudTrail. (CloudWatch is for monitoring and metrics; CloudTrail is for logging API calls.)
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.
AWS uses the techniques detailed in DoD 5220.22-M (National Industrial Security Program Operating Manual) or NIST 800-88 (Guidelines for Media Sanitization) to destroy data as part of the decommissioning process.
All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices. That is AWS's side of the shared model; on your side, encrypting data at rest with keys you control (for example in KMS) means that deleting the key makes any residual copies unreadable, whatever happens to the media.
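As an added illustration (not code from the original notes or from AWS), here is what the overwrite-and-verify technique behind those standards looks like on a single file: three passes in the commonly cited DoD 5220.22-M style (a fixed byte, its complement, random data), with the last pass read back and compared before the file is unlinked. The file name and contents are constructed, and the `sanitize_file` and `demo` names are this example's own. Keep NIST 800-88's own caveat in mind: overwriting through a filesystem proves nothing about flash wear-levelling blocks, copy-on-write snapshots or backups, which is why the guideline prefers firmware secure erase or cryptographic erase for SSDs, and why in the cloud your practical control is key destruction rather than a routine like this.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB write/read unit


def _overwrite(fd, size, make_chunk):
    """Overwrite the first `size` bytes of fd with data from make_chunk(n).

    Returns the SHA-256 of everything written, so the caller can verify the
    pass by reading it back without keeping the (possibly random) data in memory.
    """
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    left = size
    while left:
        buf = make_chunk(min(CHUNK, left))
        digest.update(buf)
        left -= len(buf)
        while buf:  # os.write may write fewer bytes than asked
            buf = buf[os.write(fd, buf):]
    os.fsync(fd)  # push the pass to the device before the next pass / verification
    return digest.digest()


def _readback(fd, size):
    """SHA-256 of the first `size` bytes currently stored in the file."""
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    left = size
    while left:
        buf = os.read(fd, min(CHUNK, left))
        if not buf:
            raise IOError("short read during verification")
        digest.update(buf)
        left -= len(buf)
    return digest.digest()


def sanitize_file(path):
    """Three-pass overwrite (0x00, 0xFF, random), read-back verification of the
    final pass, then unlink. Returns True only if the verification matched."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        _overwrite(fd, size, lambda n: b"\x00" * n)
        _overwrite(fd, size, lambda n: b"\xff" * n)
        expected = _overwrite(fd, size, secrets.token_bytes)
        verified = _readback(fd, size) == expected
    finally:
        os.close(fd)
    if verified:
        os.remove(path)
    return verified


def demo():
    """Constructed input: a temp file of fake customer records, sanitized in place.
    Returns (verification_ok, file_still_exists)."""
    path = os.path.join(tempfile.mkdtemp(), "customer-export.bin")
    with open(path, "wb") as f:
        f.write(b"constructed customer record\n" * 4000)
    ok = sanitize_file(path)
    return ok, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # (True, False): verified and removed
```

The random final pass is what makes a verification meaningful: if the read-back matched a fixed pattern you could not tell whether the device or a cache answered. Hashing the written stream while writing it avoids holding the whole random image in memory.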
Transmission Protection - You can connect to an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), which today means TLS 1.2 or later, a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery. Plain HTTP gives none of these protections; S3 is one of the endpoints that still accepts it, which is why bucket policies commonly deny any request where the aws:SecureTransport condition key is false.
For customers who require additional layers of network security, AWS offers the Amazon Virtual Private Cloud (VPC), which provides a private subnet within the AWS cloud, and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and your data center. AWS Direct Connect is a different option: a dedicated private link that bypasses the public internet but does not encrypt traffic by itself, so run a VPN over it (or use MACsec on the dedicated-connection types that support it) if that path needs encryption.
Amazon Corporate Segregation - Logically, the AWS Production network is segregated from the Amazon Corporate network by means of a complex set of network security/segregation devices. For example, "amazon.com" network is segregated from AWS network.
DDoS - AWS API endpoints are hosted on large, Internet-scale infrastructure with proprietary DDoS mitigation in front of them; for your own internet-facing resources (EC2, ELB, CloudFront, Route 53) AWS Shield Standard provides baseline network- and transport-layer protection at no extra cost.
Man in the middle attacks (MITM) - All AWS APIs are available via SSL/TLS-protected endpoints that authenticate the server. Amazon EC2 instances generate new SSH host keys on first boot and log their fingerprints to the instance console output; compare that fingerprint with the one your SSH client presents on the first connection instead of blindly accepting it.
IP Spoofing - The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own. (This is the check that the instance's source/destination check attribute toggles; it is turned off only for instances that legitimately forward traffic, such as a NAT instance.)
Port Scanning - Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. You may request permission to conduct vulnerability scans as required to meet your specific compliance requirements. These scans must be limited to your own instances, must not violate the AWS Acceptable Use Policy, and must be requested in advance. (AWS has since relaxed this for a listed set of services, where scanning your own resources no longer needs prior approval, while activities such as DoS testing remain restricted; check the current penetration testing policy before you scan.)
Packet Sniffing by other tenants - An instance running in promiscuous mode cannot receive or sniff traffic intended for a different instance, even one belonging to the same customer on the same physical host; the virtualization layer only delivers traffic addressed to that instance. Encrypt sensitive traffic in transit anyway, as defense in depth.
Trusted Advisor inspects your AWS environment and makes recommendations when opportunities may exist to save money, improve system performance, or close security gaps.
It provides alerts on several of the most common security misconfigurations, including leaving sensitive ports (SSH, RDP, database ports) open to the whole internet, neglecting to create IAM users for your internal people (so that the root account ends up shared), allowing public access to S3 buckets, not turning on user activity logging (CloudTrail), and not using MFA on your root AWS account. The core security checks are available to every account; the full set requires a Business or Enterprise support plan.
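The MFA/TLS/CloudTrail recommendations for managed services and the Trusted Advisor checks just listed amount to a small, mechanical audit. As an added example that is not part of the original notes or of Trusted Advisor itself, here is that audit written to run offline over a constructed inventory in the shape a boto3 script would assemble (describe_security_groups, list_users, get_bucket_policy, describe_trails). The inventory, the resource names and the `audit`, `policy_grants_public_access` and `policy_enforces_tls` functions are this example's own assumptions; the two policy checks parse real bucket-policy JSON structure rather than a flag.

```python
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Ports a Trusted Advisor-style check treats as sensitive when reachable from anywhere
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}


def _statements(policy):
    stmts = (policy or {}).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def policy_grants_public_access(policy):
    """An Allow to an anonymous principal with no Condition narrowing it."""
    return any(s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})
               and "Condition" not in s for s in _statements(policy))


def policy_enforces_tls(policy):
    """A Deny whose condition matches plain-HTTP requests (aws:SecureTransport=false)."""
    for s in _statements(policy):
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if s.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def audit(inv):
    """Return (severity, resource, message) findings for an inventory dict."""
    findings = []
    if not inv["root_mfa_enabled"]:
        findings.append(("HIGH", "root", "root account has no MFA device"))
    if not any(t.get("IsLogging") and t.get("IsMultiRegionTrail") for t in inv["cloudtrail_trails"]):
        findings.append(("HIGH", "cloudtrail", "no active multi-region trail; API activity is not logged"))
    for user in inv["iam_users"]:
        if user["ConsoleAccess"] and not user["MFA"]:
            findings.append(("MEDIUM", user["UserName"], "console user without MFA"))
    for sg in inv["security_groups"]:
        for rule in sg["Ingress"]:
            if not WORLD_CIDRS & set(rule["Cidrs"]):
                continue
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)  # absent = all ports
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append(("HIGH", sg["GroupId"], f"{name} (tcp/{port}) open to the world"))
    for bucket in inv["s3_buckets"]:
        if policy_grants_public_access(bucket["Policy"]):
            findings.append(("HIGH", bucket["Name"], "bucket policy grants public access"))
        if not policy_enforces_tls(bucket["Policy"]):
            findings.append(("MEDIUM", bucket["Name"], "bucket policy does not deny non-TLS requests"))
    return findings


# Constructed sample inventory (not real account data): one bad and one good item per area.
SAMPLE_INVENTORY = {
    "root_mfa_enabled": False,
    "cloudtrail_trails": [],
    "iam_users": [{"UserName": "alice", "ConsoleAccess": True, "MFA": False},
                  {"UserName": "ci-deploy", "ConsoleAccess": False, "MFA": False}],
    "security_groups": [
        {"GroupId": "sg-0aaa", "Ingress": [{"FromPort": 22, "ToPort": 22, "Cidrs": ["0.0.0.0/0"]},
                                           {"FromPort": 443, "ToPort": 443, "Cidrs": ["0.0.0.0/0"]}]},
        {"GroupId": "sg-0bbb", "Ingress": [{"FromPort": 3306, "ToPort": 3306, "Cidrs": ["10.0.0.0/8"]}]},
    ],
    "s3_buckets": [
        {"Name": "public-assets", "Policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::public-assets/*"}]}},
        {"Name": "backups", "Policy": {"Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}},
    ],
}

if __name__ == "__main__":
    for sev, res, msg in audit(SAMPLE_INVENTORY):
        print(f"[{sev}] {res}: {msg}")
```

Against the sample this reports six findings (root MFA, no trail, alice without MFA, SSH open on sg-0aaa, and the public plus non-TLS bucket policy on public-assets) and nothing for sg-0bbb, ci-deploy or the backups bucket. Note that the "public" check deliberately ignores a Deny with Principal "*": that is the usual shape of a TLS-enforcing statement, not a public grant.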
X.509 Certificates / CloudFront key pairs - used when you want to share a file with only one specific person via a link through CloudFront (CDN). The content lives in a private distribution, and access is granted with a signed URL (or signed cookie): a policy naming the resource and an expiry time, signed with the RSA private key of a trusted signer whose public key is registered with CloudFront. Anyone who copies the link later gets nothing once it has expired.
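As an added example (not CloudFront's code or the notes' own), here is the signed-URL scheme end to end: the canned policy document, an RSA-SHA1 PKCS#1 v1.5 signature over it (SHA-1 because that is what the CloudFront scheme specifies), CloudFront's URL-safe base64 variant, and the check an edge performs on an incoming link. The RSA key generation is hand-rolled with Python's standard library purely so the block runs offline; real code signs with the `cryptography` package or botocore's `CloudFrontSigner`. The key-pair ID, domain and object path are constructed, and the `make_signed_url` / `check_signed_url` names are this example's own.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlsplit

# --- Minimal RSA-SHA1 (PKCS#1 v1.5). Demonstration only: never hand-roll RSA in production.
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71)

def _probable_prime(n, rounds=24):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    if any(n % p == 0 for p in _SMALL_PRIMES):
        return n in _SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    """Demo-sized key. Returns (private=(d, n), public=(e, n))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (pow(e, -1, phi), p * q), (e, p * q)

_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER prefix for SHA-1

def _encode_digest(msg, k):
    t = _SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(private, msg):
    d, n = private
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_encode_digest(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha1_verify(public, msg, sig):
    e, n = public
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _encode_digest(msg, k)

# --- CloudFront canned-policy signed URL
def _cf_b64(raw):  # CloudFront's URL-safe base64: + -> -, = -> _, / -> ~
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))

def _cf_b64decode(text):
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))

def canned_policy(resource, expires):
    """Compact JSON: exactly what is signed and what the edge re-derives from the URL."""
    doc = {"Statement": [{"Resource": resource,
                          "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(doc, separators=(",", ":")).encode()

def make_signed_url(resource, key_pair_id, private, expires):
    sig = _cf_b64(rsa_sha1_sign(private, canned_policy(resource, expires)))
    return f"{resource}?Expires={expires}&Signature={sig}&Key-Pair-Id={key_pair_id}"

def check_signed_url(url, trusted_keys, now):
    """Edge-side check: reject an unknown signer, an expired link, or a policy that
    no longer matches the resource actually requested (tampered path or Expires)."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["Expires"][0])
        sig = _cf_b64decode(q["Signature"][0])
        kid = q["Key-Pair-Id"][0]
    except (KeyError, ValueError):
        return False
    if kid not in trusted_keys or now >= expires:
        return False
    resource = f"{parts.scheme}://{parts.netloc}{parts.path}"  # demo resources carry no query
    return rsa_sha1_verify(trusted_keys[kid], canned_policy(resource, expires), sig)
```

The property worth noticing in `check_signed_url` is that the policy is rebuilt at the edge from the URL itself, so changing the path or the Expires value, presenting the link after expiry, or signing with a key not registered as a trusted signer all fail, even though the link still looks well-formed.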