Amazon Web Services: Overview of Security Processes
November 2014

(Please consult http://aws.amazon.com/security/ for the latest version of this paper)

Table of Contents
Introduction (p. 5)
Shared Security Responsibility Model (p. 5)
  AWS Security Responsibilities (p. 6)
  Customer Security Responsibilities (p. 6)
AWS Global Infrastructure Security (p. 7)
  AWS Compliance Program (p. 7)
  Physical and Environmental Security (p. 7)
    Fire Detection and Suppression (p. 8)
    Power (p. 8)
    Climate and Temperature (p. 8)
    Management (p. 8)
    Storage Device Decommissioning (p. 8)
  Business Continuity Management (p. 8)
    Availability (p. 8)
    Incident Response (p. 9)
    Company-Wide Executive Review (p. 9)
    Communication (p. 9)
  Network Security (p. 9)
    Secure Network Architecture (p. 9)
    Secure Access Points (p. 10)
    Transmission Protection (p. 10)
    Amazon Corporate Segregation (p. 10)
    Fault-Tolerant Design (p. 10)
    Network Monitoring and Protection (p. 12)
  AWS Access (p. 14)
    Account Review and Audit (p. 14)
    Background Checks (p. 14)
    Credentials Policy (p. 14)
  Secure Design Principles (p. 14)
  Change Management (p. 14)
    Software (p. 15)
    Infrastructure (p. 15)
AWS Account Security Features (p. 16)
  AWS Credentials (p. 16)
    Passwords (p. 17)
    AWS Multi-Factor Authentication (AWS MFA) (p. 17)
    Access Keys (p. 17)
    Key Pairs (p. 18)
    X.509 Certificates (p. 18)
  Individual User Accounts (p. 19)
  Secure HTTPS Access Points (p. 19)
  Security Logs (p. 19)
  AWS Trusted Advisor Security Checks (p. 20)
AWS Service-Specific Security (p. 20)
  Compute Services (p. 20)
    Amazon Elastic Compute Cloud (Amazon EC2) Security (p. 20)
    Auto Scaling Security (p. 24)
  Networking Services (p. 25)
    Amazon Elastic Load Balancing Security (p. 25)
    Amazon Virtual Private Cloud (Amazon VPC) Security (p. 26)
    Amazon Route 53 Security (p. 31)
    Amazon CloudFront Security (p. 32)
    AWS Direct Connect Security (p. 34)
  Storage Services (p. 34)
    Amazon Simple Storage Service (Amazon S3) Security (p. 34)
    AWS Glacier Security (p. 37)
    AWS Storage Gateway Security (p. 38)
    AWS Import/Export Security (p. 39)
  Database Services (p. 41)
    Amazon DynamoDB Security (p. 41)
    Amazon Relational Database Service (Amazon RDS) Security (p. 42)
    Amazon Redshift Security (p. 45)
    Amazon ElastiCache Security (p. 48)
  Application Services (p. 49)
    Amazon CloudSearch Security (p. 49)
    Amazon Simple Queue Service (Amazon SQS) Security (p. 50)
    Amazon Simple Notification Service (Amazon SNS) Security (p. 50)
    Amazon Simple Workflow Service (Amazon SWF) Security (p. 51)
    Amazon Simple Email Service (Amazon SES) Security (p. 51)
    Amazon Elastic Transcoder Service Security (p. 52)
    Amazon AppStream Security (p. 53)
  Analytics Services (p. 54)
    Amazon Elastic MapReduce (Amazon EMR) Security (p. 54)
    Amazon Kinesis Security (p. 54)
    AWS Data Pipeline Security (p. 55)
  Deployment and Management Services (p. 56)
    AWS Identity and Access Management (AWS IAM) (p. 56)
    Amazon CloudWatch Security (p. 57)
    AWS Elastic Beanstalk Security (p. 58)
    AWS CloudFormation Security (p. 59)
    AWS OpsWorks Security (p. 60)
    AWS CloudHSM Security (p. 61)
    AWS CloudTrail Security (p. 62)
  Mobile Services (p. 62)
    Amazon Cognito (p. 62)
    Amazon Mobile Analytics (p. 63)
  Applications (p. 64)
    Amazon WorkSpaces (p. 64)
    Amazon Zocalo (p. 65)
Appendix: Glossary of Terms (p. 67)

Introduction
Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, providing the tools that enable customers to run a wide range of applications. Helping to protect the confidentiality, integrity, and availability of our customers' systems and data is of the utmost importance to AWS, as is maintaining customer trust and confidence. This document is intended to answer questions such as, "How does AWS help me protect my data?" Specifically, AWS physical and operational security processes are described for the network and server infrastructure under AWS's management, as well as service-specific security implementations.

Shared Security Responsibility Model
Before we go into the details of how AWS secures its resources, we should talk about how security in the cloud is slightly different than security in your on-premises data centers. When you move computer systems and data to the cloud, security responsibilities become shared between you and your cloud service provider. In this case, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you're responsible for anything you put on the cloud or connect to the cloud. This shared security responsibility model can reduce your operational burden in many ways, and in some cases may even improve your default security posture without additional action on your part.

Figure 1: AWS Shared Security Responsibility Model

The amount of security configuration work you have to do varies depending on which services you select and how sensitive your data is. However, there are certain security features such as individual user accounts and credentials, SSL/TLS for data transmissions, and user activity logging that you should configure no matter which AWS service you use. For more information about these security features, see the AWS Account Security Features section below.


AWS Security Responsibilities
Amazon Web Services is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services. Protecting this infrastructure is AWS's number one priority, and while you can't visit our data centers or offices to see this protection first-hand, we provide several reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations (for more information, visit aws.amazon.com/compliance).
Note that in addition to protecting this global infrastructure, AWS is responsible for the security configuration of its products that are considered managed services. Examples of these types of services include Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon Elastic MapReduce, Amazon WorkSpaces, and several other services. These services provide the scalability and flexibility of cloud-based resources with the additional benefit of being managed. For these services, AWS will handle basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery. For most of these managed services, all you have to do is configure logical access controls for the resources and protect your account credentials. A few of them may require additional tasks, such as setting up database user accounts, but overall the security configuration work is performed by the service.

Customer Security Responsibilities
With the AWS cloud, you can provision virtual servers, storage, databases, and desktops in minutes instead of weeks. You can also use cloud-based analytics and workflow tools to process your data as you need it, and then store it in your own data centers or in the cloud. Which AWS services you use will determine how much configuration work you have to perform as part of your security responsibilities.
AWS products that fall into the well-understood category of Infrastructure as a Service (IaaS) such as Amazon EC2, Amazon VPC, and Amazon S3 are completely under your control and require you to perform all of the necessary security configuration and management tasks. For example, for EC2 instances, you're responsible for management of the guest OS (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. These are basically the same security tasks that you're used to performing no matter where your servers are located.
AWS managed services like Amazon RDS or Amazon Redshift provide all of the resources you need in order to perform a specific task but without the configuration work that can come with them. With managed services, you don't have to worry about launching and maintaining instances, patching the guest OS or database, or replicating databases; AWS handles that for you. But as with all services, you should protect your AWS Account credentials and set up individual user accounts with Amazon Identity and Access Management (IAM) so that each of your users has their own credentials and you can implement segregation of duties. We also recommend using multi-factor authentication (MFA) with each account, requiring the use of SSL/TLS to communicate with your AWS resources, and setting up API/user activity logging with AWS CloudTrail. For more information about additional measures you can take, refer to the AWS Security Best Practices whitepaper and recommended reading on the AWS Security Resources webpage.
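The baseline this section recommends (individual IAM users, MFA on each account, the AWS Account credentials kept locked down) can be checked mechanically from an IAM credential report. The following is an added example, not part of the AWS whitepaper: it evaluates a constructed credential report whose column names follow the IAM credential report CSV (an assumption about the format; every row is made up) and reports each principal that misses one of those recommendations.

```python
"""Audit an IAM credential report against the baseline recommended above:
individual user accounts, MFA on each account, and the AWS Account (root)
credentials kept locked down.

Added example, not part of the AWS whitepaper. Column names follow the IAM
credential report CSV (assumed format); every row below is constructed
sample data, not taken from a real account.
"""
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed sample report. Only a subset of the real report's columns is
# kept; the checks below read user, password_enabled, mfa_active and the two
# access_key_N_active columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2014-01-05T10:00:00+00:00,not_supported,2014-11-01T08:12:00+00:00,not_supported,not_supported,false,true,2014-01-05T10:05:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2014-02-10T09:00:00+00:00,true,2014-11-03T14:20:00+00:00,2014-09-01T09:00:00+00:00,N/A,true,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2014-03-15T11:30:00+00:00,true,2014-10-28T16:45:00+00:00,2014-03-15T11:30:00+00:00,N/A,false,true,2014-03-15T11:31:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2014-04-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2014-04-01T12:01:00+00:00,false,N/A
"""

ROOT_USER = "<root_account>"
KEY_COLUMNS = ("access_key_1_active", "access_key_2_active")


@dataclass(frozen=True)
class Finding:
    user: str
    control: str   # which recommendation from this section is not met
    detail: str


def _is_true(value: str) -> bool:
    # The report uses the strings "true"/"false", plus "not_supported" and
    # "N/A" for fields that do not apply; anything but "true" counts as false.
    return value.strip().lower() == "true"


def audit_credential_report(report_csv: str) -> List[Finding]:
    """Return one Finding per recommendation a principal fails to meet."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = _is_true(row["mfa_active"])
        active_keys = [c for c in KEY_COLUMNS if _is_true(row[c])]

        if user == ROOT_USER:
            # "Protect your AWS Account credentials and set up individual user
            # accounts": the root identity should not hold API keys at all,
            # and its console login should still be behind MFA.
            if active_keys:
                findings.append(Finding(user, "protect-account-credentials",
                                        "root account has active access key(s): "
                                        + ", ".join(active_keys)))
            if not mfa:
                findings.append(Finding(user, "mfa-on-each-account",
                                        "root account has no MFA device"))
            continue

        # "Use MFA with each account": any IAM user who can sign in to the
        # console (password enabled) needs an MFA device. Key-only users such
        # as deployment robots cannot present MFA on plain API calls, so they
        # are not flagged by this check.
        if _is_true(row["password_enabled"]) and not mfa:
            findings.append(Finding(user, "mfa-on-each-account",
                                    "console password enabled without MFA"))
    return findings


def summarize(findings: List[Finding]) -> str:
    """One line per finding, suitable for a ticket or a daily report."""
    if not findings:
        return "no findings: every console principal has MFA and root holds no access keys"
    return "\n".join(f"[{f.control}] {f.user}: {f.detail}" for f in findings)


if __name__ == "__main__":
    print(summarize(audit_credential_report(SAMPLE_REPORT)))
```

On the sample data the root account is flagged twice (active access key, no MFA) and the user bob once; alice has MFA and deploy-bot has no console password, so neither is reported.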


AWS Global Infrastructure Security
AWS operates the global cloud infrastructure that you use to provision a variety of basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards. As an AWS customer, you can be assured that you're building web architectures on top of some of the most secure computing infrastructure in the world.

AWS Compliance Program
The AWS Compliance Program enables customers to understand the robust security in place and then helps them streamline their compliance with industry and government requirements for security and data protection. The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:

- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- DOD CSM Levels 1-5
- PCI DSS Level 1
- ISO 27001
- ITAR
- FIPS 140-2
- MTCS Level 3

In addition, the flexibility and control that the AWS platform provides allows customers to deploy solutions that meet several industry-specific standards, including:

- HIPAA
- Cloud Security Alliance (CSA)
- Motion Picture Association of America (MPAA)

AWS provides a wide range of information regarding its IT control environment to customers through whitepapers, reports, certifications, accreditations, and other third-party attestations. More information is available in the Risk and Compliance whitepaper available on the website: http://aws.amazon.com/compliance/.

Physical and Environmental Security
AWS's data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

Fire Detection and Suppression
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Power
The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate and Temperature
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Management
AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.

Storage Device Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

Business Continuity Management
Amazon's infrastructure has a high level of availability and provides customers the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group.

Availability
Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is "cold." In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
AWS provides you with the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains (specific flood zone categorization varies by Region). In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.
You should architect your AWS usage to take advantage of multiple regions and availability zones. Distributing applications across multiple availability zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

Incident Response
The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.

Company-Wide Executive Review
Amazon's Internal Audit group has recently reviewed the AWS services resiliency plans, which are also periodically reviewed by members of the Senior Executive management team and the Audit Committee of the Board of Directors.

Communication
AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees; regular management meetings for updates on business performance and other matters; and electronic means such as video conferencing, electronic mail messages, and the posting of information via the Amazon intranet.
AWS has also implemented various methods of external communication to support its customer base and the community. Mechanisms are in place to allow the customer support team to be notified of operational issues that impact the customer experience. A "Service Health Dashboard" is available and maintained by the customer support team to alert customers to any issues that may be of broad impact. The AWS Security Center is available to provide you with security and compliance details about AWS. You can also subscribe to AWS Support offerings that include direct communication with the customer support team and proactive alerts to any customer-impacting issues.

Network Security
The AWS network has been architected to permit you to select the level of security and resiliency appropriate for your workload. To enable you to build geographically dispersed, fault-tolerant web architectures with cloud resources, AWS has implemented a world-class network infrastructure that is carefully monitored and managed.

Secure Network Architecture
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services.
ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed using AWS's ACL-Manage tool, to help ensure these managed interfaces enforce the most up-to-date ACLs.

Secure Access Points
AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow secure HTTP access (HTTPS), which allows you to establish a secure communication session with your storage or compute instances within AWS. To support customers with FIPS 140-2 requirements, the Amazon Virtual Private Cloud VPN endpoints and SSL-terminating load balancers in AWS GovCloud (US) operate using FIPS 140-2 level 2 validated hardware.
In addition, AWS has implemented network devices that are dedicated to managing interfacing communications with Internet service providers (ISPs). AWS employs a redundant connection to more than one communication service at each Internet-facing edge of the AWS network. These connections each have dedicated network devices.

Transmission Protection
You can connect to an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery.
For customers who require additional layers of network security, AWS offers the Amazon Virtual Private Cloud (VPC), which provides a private subnet within the AWS cloud, and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and your data center. For more information about VPC configuration options, refer to the Amazon Virtual Private Cloud (Amazon VPC) Security section below.

Amazon Corporate Segregation
Logically, the AWS Production network is segregated from the Amazon Corporate network by means of a complex set of network security/segregation devices. AWS developers and administrators on the corporate network who need to access AWS cloud components in order to maintain them must explicitly request access through the AWS ticketing system. All requests are reviewed and approved by the applicable service owner.
Approved AWS personnel then connect to the AWS network through a bastion host that restricts access to network devices and other cloud components, logging all activity for security review. Access to bastion hosts requires SSH public-key authentication for all user accounts on the host. For more information on AWS developer and administrator logical access, see AWS Access below.

FaultTolerantDesign
AmazonsinfrastructurehasahighlevelofavailabilityandprovidesyouwiththecapabilitytodeployaresilientIT
architecture.AWShasdesigneditssystemstotoleratesystemorhardwarefailureswithminimalcustomerimpact.
Datacentersarebuiltinclustersinvariousglobalregions.Alldatacentersareonlineandservingcustomers;nodata
centeriscold.Incaseoffailure,automatedprocessesmovecustomerdatatrafficawayfromtheaffectedarea.Core
applicationsaredeployedinanN+1configuration,sothatintheeventofadatacenterfailure,thereissufficient

Page10of77

AmazonWebServicesOverviewofSecurityProcesses

November2014

capacitytoenabletraffictobeloadbalancedtotheremainingsites.
AWS provides you with the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains (specific flood zone categorization varies by region). In addition to utilizing discrete uninterruptible power supply (UPS) and on-site backup generators, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.
You should architect your AWS usage to take advantage of multiple regions and availability zones. Distributing applications across multiple availability zones provides the ability to remain resilient in the face of most failure scenarios, including natural disasters or system failures. However, you should be aware of location-dependent privacy and compliance requirements, such as the EU Data Privacy Directive. Data is not replicated between regions unless proactively done so by the customer, thus allowing customers with these types of data placement and privacy requirements the ability to establish compliant environments. It should be noted that all communication between regions is across public Internet infrastructure; therefore, appropriate encryption methods should be used to protect sensitive data.
As of this writing, there are eleven regions: US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US), EU (Ireland), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), South America (Sao Paulo), and China (Beijing).
AWS GovCloud (US) is an isolated AWS Region designed to allow US government agencies and customers to move workloads into the cloud by helping them meet certain regulatory and compliance requirements. The AWS GovCloud (US) framework allows US government agencies and their contractors to comply with the U.S. International Traffic in Arms Regulations (ITAR) as well as the Federal Risk and Authorization Management Program (FedRAMP) requirements. AWS GovCloud (US) has received an Agency Authorization to Operate (ATO) from the US Department of Health and Human Services (HHS) utilizing a FedRAMP-accredited Third Party Assessment Organization (3PAO) for several AWS services.
The AWS GovCloud (US) Region provides the same fault-tolerant design as other regions, with two Availability Zones. In addition, Amazon Virtual Private Cloud (VPC) is mandatory by default in the AWS GovCloud (US) region, creating an isolated portion of the AWS cloud in which Amazon EC2 instances are launched with private (RFC 1918) addresses. More information about GovCloud is available on the AWS website: http://aws.amazon.com/govcloud-us/

Figure 2: Regions and Availability Zones
Note that the number of Availability Zones may change.

Network Monitoring and Protection
AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. AWS monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metric thresholds for unusual activity.
Systems within AWS are extensively instrumented to monitor key operational metrics. Alarms are configured to automatically notify operations and management personnel when early-warning thresholds are crossed on key operational metrics. An on-call schedule is used so personnel are always available to respond to operational issues. This includes a pager system so alarms are quickly and reliably communicated to operations personnel.
Documentation is maintained to aid and inform operations personnel in handling incidents or issues. If the resolution of an issue requires collaboration, a conferencing system is used which supports communication and logging capabilities. Trained call leaders facilitate communication and progress during the handling of operational issues that require collaboration. Post-mortems are convened after any significant operational issue, regardless of external impact, and Cause of Error (COE) documents are drafted so the root cause is captured and preventative actions are taken in the future. Implementation of the preventative measures is tracked during weekly operations meetings.


AWS security monitoring tools help identify several types of denial of service (DoS) attacks, including distributed, flooding, and software/logic attacks. When DoS attacks are identified, the AWS incident response process is initiated. In addition to the DoS prevention tools, redundant telecommunication providers at each region as well as additional capacity protect against the possibility of DoS attacks.
The AWS network provides significant protection against traditional network security issues, and you can implement further protection. The following are a few examples:

- Distributed Denial Of Service (DDoS) Attacks. AWS API endpoints are hosted on large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world's largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, AWS's networks are multi-homed across a number of providers to achieve Internet access diversity.

- Man in the Middle (MITM) Attacks. All of the AWS APIs are available via SSL-protected endpoints which provide server authentication. Amazon EC2 AMIs automatically generate new SSH host keys on first boot and log their fingerprints to the instance's console output. You can then use the secure APIs to retrieve the console output and compare the fingerprint against the one your SSH client presents before logging in to the instance for the first time. We encourage you to use SSL for all of your interactions with AWS.

- IP Spoofing. Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.

- Port Scanning. Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated. Customers can report suspected abuse via the contacts available on our website at: http://aws.amazon.com/contact-us/report-abuse/. When unauthorized port scanning is detected by AWS, it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed and are only opened by you. Your strict management of security groups can further mitigate the threat of port scans. If you configure a security group to allow traffic from any source to a specific port, then that specific port will be visible to a port scan. In these cases, you must protect the listening services that are essential to your application, since an unauthorized port scan will discover them. For example, a web server must clearly have port 80 (HTTP) open to the world, and the administrator of this server is responsible for the security of the HTTP server software, such as Apache. You may request permission to conduct vulnerability scans as required to meet your specific compliance requirements. These scans must be limited to your own instances and must not violate the AWS Acceptable Use Policy. Advance approval for these types of scans can be initiated by submitting a request via the website at: https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSSecurityPenTestRequest

- Packet sniffing by other tenants. It is not possible for a virtual instance running in promiscuous mode to receive or sniff traffic that is intended for a different virtual instance. While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other's traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2 and Amazon VPC. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another's data, as a standard practice you should encrypt sensitive traffic.


In addition to monitoring, regular vulnerability scans are performed on the host operating system, web application, and databases in the AWS environment using a variety of tools. Also, AWS Security teams subscribe to news feeds for applicable vendor flaws and proactively monitor vendors' websites and other relevant outlets for new patches. AWS customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at: http://aws.amazon.com/security/vulnerability-reporting/

AWS Access
The AWS Production network is segregated from the Amazon Corporate network and requires a separate set of credentials for logical access. The Amazon Corporate network relies on user IDs, passwords, and Kerberos, while the AWS Production network requires SSH public-key authentication through a bastion host.
AWS developers and administrators on the Amazon Corporate network who need to access AWS cloud components must explicitly request access through the AWS access management system. All requests are reviewed and approved by the appropriate owner or manager.

Account Review and Audit
Accounts are reviewed every 90 days; explicit re-approval is required or access to the resource is automatically revoked. Access is also automatically revoked when an employee's record is terminated in Amazon's Human Resources system. Windows and UNIX accounts are disabled and Amazon's permission management system removes the user from all systems.
Requests for changes in access are captured in the Amazon permissions management tool audit log. When changes in an employee's job function occur, continued access to the resource must be explicitly approved or it will be automatically revoked.

Background Checks
AWS has established formal policies and procedures to delineate the minimum standards for logical access to AWS platform and infrastructure hosts. AWS conducts criminal background checks, as permitted by law, as part of pre-employment screening practices for employees and commensurate with the employee's position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.

Credentials Policy
AWS Security has established a credentials policy with required configurations and expiration intervals. Passwords must be complex and are forced to be changed every 90 days.

Secure Design Principles
AWS's development process follows secure software development best practices, which include formal design reviews by the AWS Security Team, threat modeling, and completion of a risk assessment. Static code analysis tools are run as a part of the standard build process, and all deployed software undergoes recurring penetration testing performed by carefully selected industry experts. Our security risk assessment reviews begin during the design phase and the engagement lasts through launch to ongoing operations.

Change Management
Routine, emergency, and configuration changes to existing AWS infrastructure are authorized, logged, tested, approved, and documented in accordance with industry norms for similar systems. Updates to AWS's infrastructure are done to minimize any impact on the customer and their use of the services. AWS will communicate with customers, either via email, or through the AWS Service Health Dashboard (http://status.aws.amazon.com/) when service use is likely to be adversely affected.

Software
AWS applies a systematic approach to managing change so that changes to customer-impacting services are thoroughly reviewed, tested, approved, and well communicated. The AWS change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are:

- Reviewed: Peer reviews of the technical aspects of a change are required.

- Tested: Changes being applied are tested to help ensure they will behave as expected and not adversely impact performance.

- Approved: All changes must be authorized in order to provide appropriate oversight and understanding of business impact.

Changes are typically pushed into production in a phased deployment starting with the lowest-impact areas. Deployments are tested on a single system and closely monitored so impacts can be evaluated. Service owners have a number of configurable metrics that measure the health of the service's upstream dependencies. These metrics are closely monitored with thresholds and alarming in place. Rollback procedures are documented in the Change Management (CM) ticket.
When possible, changes are scheduled during regular change windows. Emergency changes to production systems that require deviations from standard change management procedures are associated with an incident and are logged and approved as appropriate.
Periodically, AWS performs self-audits of changes to key services to monitor quality, maintain high standards, and facilitate continuous improvement of the change management process. Any exceptions are analyzed to determine the root cause, and appropriate actions are taken to bring the change into compliance or roll back the change if necessary. Actions are then taken to address and remediate the process or people issue.

Infrastructure
Amazon's Corporate Applications team develops and manages software to automate IT processes for UNIX/Linux hosts in the areas of third-party software delivery, internally developed software, and configuration management. The Infrastructure team maintains and operates a UNIX/Linux configuration management framework to address hardware scalability, availability, auditing, and security management. By centrally managing hosts through the use of automated processes that manage change, Amazon is able to achieve its goals of high availability, repeatability, scalability, security, and disaster recovery. Systems and network engineers monitor the status of these automated tools on a continuous basis, reviewing reports to respond to hosts that fail to obtain or update their configuration and software.
Internally developed configuration management software is installed when new hardware is provisioned. These tools are run on all UNIX hosts to validate that they are configured and that software is installed in compliance with standards determined by the role assigned to the host. This configuration management software also helps to regularly update packages that are already installed on the host. Only approved personnel enabled through the permissions service may log in to the central configuration management servers.


AWS Account Security Features
AWS provides a variety of tools and features that you can use to keep your AWS Account and resources safe from unauthorized use. This includes credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate IAM user accounts, user activity logging for security monitoring, and Trusted Advisor security checks. You can take advantage of all of these security tools no matter which AWS services you select.

AWS Credentials
To help ensure that only authorized users and processes access your AWS Account and resources, AWS uses several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates. We also provide the option of requiring multi-factor authentication (MFA) to log in to your AWS Account or IAM user accounts. The following table highlights the various AWS credentials and their uses.

Credential Type: Passwords
Use: AWS root account or IAM user account login to the AWS Management Console
Description: A string of characters used to log in to your AWS account or IAM account. AWS passwords must be a minimum of 6 characters and may be up to 128 characters.

Credential Type: Multi-Factor Authentication (MFA)
Use: AWS root account or IAM user account login to the AWS Management Console
Description: A six-digit single-use code that is required in addition to your password to log in to your AWS Account or IAM user account.

Credential Type: Access Keys
Use: Digitally signed requests to AWS APIs (using the AWS SDK, CLI, or REST/Query APIs)
Description: Includes an access key ID and a secret access key. You use access keys to digitally sign programmatic requests that you make to AWS.

Credential Type: Key Pairs
Use: SSH login to EC2 instances; CloudFront signed URLs
Description: A key pair is required to connect to an EC2 instance launched from a public AMI. The keys that Amazon EC2 uses are 1024-bit SSH-2 RSA keys. You can have a key pair generated automatically for you when you launch the instance or you can upload your own.

Credential Type: X.509 Certificates
Use: Digitally signed SOAP requests to AWS APIs; SSL server certificates for HTTPS
Description: X.509 certificates are only used to sign SOAP-based requests (currently used only with Amazon S3). You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.

You can download a Credential Report for your account at any time from the Security Credentials page. This report lists all of your account's users and the status of their credentials: whether they use a password, whether their password expires and must be changed regularly, the last time they changed their password, the last time they rotated their access keys, and whether they have MFA enabled.
For security reasons, if your credentials have been lost or forgotten, you cannot recover them or re-download them. However, you can create new credentials and then disable or delete the old set of credentials.
In fact, AWS recommends that you change (rotate) your access keys and certificates on a regular basis. To help you do this without potential impact to your application's availability, AWS supports multiple concurrent access keys and certificates. With this feature, you can rotate keys and certificates into and out of operation on a regular basis without any downtime to your application. This can help to mitigate risk from lost or compromised access keys or certificates. The AWS IAM API enables you to rotate the access keys of your AWS Account as well as for IAM user accounts.

Passwords
Passwords are required to access your AWS Account, individual IAM user accounts, AWS Discussion Forums, and the AWS Support Center. You specify the password when you first create the account, and you can change it at any time by going to the Security Credentials page. AWS passwords can be up to 128 characters long and contain special characters, so we encourage you to create a strong password that cannot be easily guessed.
You can set a password policy for your IAM user accounts to ensure that strong passwords are used and that they are changed often. A password policy is a set of rules that define the type of password an IAM user can set. For more information about password policies, go to Managing Passwords in Using IAM.

AWS Multi-Factor Authentication (AWS MFA)
AWS Multi-Factor Authentication (AWS MFA) is an additional layer of security for accessing AWS services. When you enable this optional feature, you will need to provide a six-digit single-use code in addition to your standard user name and password credentials before access is granted to your AWS Account settings or AWS services and resources. You get this single-use code from an authentication device that you keep in your physical possession. This is called multi-factor authentication because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device (something you have). You can enable MFA devices for your AWS Account as well as for the users you have created under your AWS Account with AWS IAM. In addition, you can add MFA protection for access across AWS Accounts, for when you want to allow a user you've created under one AWS Account to use an IAM role to access resources under another AWS Account. You can require the user to use MFA before assuming the role as an additional layer of security.
AWS MFA supports the use of both hardware tokens and virtual MFA devices. Virtual MFA devices use the same protocols as the physical MFA devices, but can run on any mobile hardware device, including a smartphone. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the Time-Based One-Time Password (TOTP) standard, as described in RFC 6238. Most virtual MFA applications allow you to host more than one virtual MFA device, which makes them more convenient than hardware MFA devices. However, you should be aware that because a virtual MFA might be run on a less secure device such as a smartphone, a virtual MFA might not provide the same level of security as a hardware MFA device.
You can also enforce MFA authentication for AWS service APIs in order to provide an extra layer of protection over powerful or privileged actions such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3. You do this by adding an MFA authentication requirement to an IAM access policy. You can attach these access policies to IAM users, IAM groups, or resources that support Access Control Lists (ACLs) like Amazon S3 buckets, SQS queues, and SNS topics.
It is easy to obtain hardware tokens from a participating third-party provider or virtual MFA applications from an App Store and to set them up for use via the AWS website. More information about AWS MFA is available on the AWS website: http://aws.amazon.com/mfa/
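To make the "six-digit code compatible with RFC 6238" concrete, the following is an added example (not code from this paper, from AWS, or from any MFA vendor) of both halves of the TOTP exchange: the code a virtual MFA device computes from its seed and the current time, and the server-side check that accepts it. It assumes the 20-byte reference seed from RFC 4226/6238 and the defaults a virtual MFA device uses (SHA-1, 30-second step, 6 digits); the one-step drift tolerance and the constant-time comparison are the two details a server-side implementer most often gets wrong.

```python
"""
Added example: RFC 6238 TOTP generation (virtual-MFA side) and verification
(service side). Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed seed: the ASCII reference secret from RFC 4226 / RFC 6238. A real
# enrollment delivers the seed base32-encoded (typically as a QR code).
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over the big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def totp_from_base32(seed_b32: str, unix_time: int) -> str:
    """Virtual MFA apps are enrolled with a base32 seed; decode it, then compute."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    return totp(base64.b32decode(padded), unix_time)


def verify_totp(secret: bytes, presented: str, unix_time: int,
                step: int = 30, skew_steps: int = 1) -> bool:
    """
    Service-side check. Accepts the code for the current step and one step on
    either side (device clocks drift), rejects anything that is not exactly six
    digits, and compares in constant time so a code cannot be guessed digit by
    digit through timing.
    """
    if len(presented) != 6 or not presented.isdigit():
        return False
    current = unix_time // step
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), presented):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SEED, now)
    print("code now:", code, "accepted:", verify_totp(RFC_TEST_SEED, code, now))
    print("same code 5 minutes later accepted:", verify_totp(RFC_TEST_SEED, code, now + 300))
```

A code is valid for at most three 30-second windows here; a second submission of the same code inside that window would still pass, so a production verifier additionally records the last counter it accepted per device and refuses anything at or below it, which is the replay protection RFC 6238 leaves to the implementer.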

Access Keys
AWS requires that all API requests be signed; that is, they must include a digital signature that AWS can use to verify the identity of the requestor. You calculate the digital signature using a keyed cryptographic hash function (HMAC). The input to the hash function in this case includes the text of your request and your secret access key. If you use any of the AWS SDKs to generate requests, the digital signature calculation is done for you; otherwise, you can have your application calculate it and include it in your REST or Query requests by following the directions in our documentation [LINK].
Not only does the signing process help protect message integrity by preventing tampering with the request while it is in transit, it also helps protect against potential replay attacks. A request must reach AWS within 15 minutes of the time stamp in the request. Otherwise, AWS denies the request.
The most recent version of the digital signature calculation process is Signature Version 4, which calculates the signature using the HMAC-SHA256 algorithm. Version 4 provides an additional measure of protection over previous versions by requiring that you sign the message using a key that is derived from your secret access key rather than using the secret access key itself. In addition, you derive the signing key based on credential scope (the date, region, and service of the request), which facilitates cryptographic isolation of the signing key: a derived key that leaks is only useful for that one day, region, and service.
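The three properties described above (a key derived through the credential scope, the request text bound into the signature, and the 15-minute freshness window) are easiest to see carried through on one request. The following is an added example, not code from this paper or from the AWS SDKs: it implements the Signature Version 4 derivation chain and the canonical-request hashing from the public SigV4 specification, and a service-side verifier that rejects stale timestamps before recomputing the signature. The secret key, host name, and timestamps are constructed values, and the canonical request is the simple GET case (no URI encoding of path segments or query values, which a real client must also do).

```python
"""
Added example: AWS Signature Version 4 key derivation, signing, and a
service-side check with the 15-minute replay window. Standard library only.
"""
import datetime as dt
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"
DATE_FMT = "%Y%m%dT%H%M%SZ"
REPLAY_WINDOW = dt.timedelta(minutes=15)

# Constructed credentials and request (the secret is the well-known example
# string from the AWS documentation, not a real key). Header names are given in
# lower case because SigV4 lower-cases them before hashing in any case.
SAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_REQUEST = {
    "method": "GET",
    "uri": "/",
    "query": "Action=ListUsers&Version=2010-05-08",
    "headers": {"host": "iam.amazonaws.com", "x-amz-date": "20140101T120000Z"},
    "payload": b"",
}


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """The derivation chain. The raw secret is only ever the key of the first HMAC;
    the result is bound to one day, one region and one service."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method, uri, query, headers, payload) -> str:
    """Normalised request text: method, path, query string, sorted lower-case
    headers, the list of signed header names, and the SHA-256 of the body."""
    items = sorted((k.lower().strip(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in items)
    signed_headers = ";".join(k for k, _ in items)
    payload_hash = hashlib.sha256(payload).hexdigest()
    return "\n".join([method, uri, query, canonical_headers, signed_headers, payload_hash])


def sign_request(secret_key, region, service, method, uri, query, headers, payload) -> str:
    """Client side: hex HMAC-SHA256 of the string-to-sign under the derived key."""
    amz_date = headers["x-amz-date"]
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    creq = canonical_request(method, uri, query, headers, payload)
    creq_hash = hashlib.sha256(creq.encode("utf-8")).hexdigest()
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, creq_hash])
    key = derive_signing_key(secret_key, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(secret_key, region, service, presented_signature, now_amz_date,
                   method, uri, query, headers, payload) -> bool:
    """Service side: refuse timestamps outside the replay window, then recompute
    the signature over the request as received and compare in constant time.
    Any change to the query, headers, body, or timestamp changes the expected
    signature, and a signature made for another region or service fails too."""
    try:
        sent = dt.datetime.strptime(headers["x-amz-date"], DATE_FMT)
        now = dt.datetime.strptime(now_amz_date, DATE_FMT)
    except (KeyError, ValueError):
        return False
    if abs(now - sent) > REPLAY_WINDOW:
        return False
    expected = sign_request(secret_key, region, service, method, uri, query, headers, payload)
    return hmac.compare_digest(expected, presented_signature)


if __name__ == "__main__":
    sig = sign_request(SAMPLE_SECRET, "us-east-1", "iam", **SAMPLE_REQUEST)
    print("signature:", sig)
    print("fresh   :", verify_request(SAMPLE_SECRET, "us-east-1", "iam", sig, "20140101T121400Z", **SAMPLE_REQUEST))
    print("replayed:", verify_request(SAMPLE_SECRET, "us-east-1", "iam", sig, "20140101T121600Z", **SAMPLE_REQUEST))
```

The AWS documentation publishes a test vector for derive_signing_key that you can check an implementation against; the verifier above is the model to keep in mind when reading the 15-minute rule, since the window is measured against the x-amz-date the client itself signed, which is why that header must be part of the signed input.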
Because access keys can be misused if they fall into the wrong hands, we encourage you to save them in a safe place and not embed them in your code. For customers with large fleets of elastically scaling EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys. IAM roles provide temporary credentials, which not only get automatically loaded to the target instance, but are also automatically rotated multiple times a day.

Key Pairs
Amazon EC2 instances created from a public AMI use a public/private key pair rather than a password for signing in via Secure Shell (SSH). The public key is embedded in your instance, and you use the private key to sign in securely without a password. After you create your own AMIs, you can choose other mechanisms to securely log in to your new instances.
You can have a key pair generated automatically for you when you launch the instance or you can upload your own. Save the private key in a safe place on your system, and record the location where you saved it.
For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for. You create Amazon CloudFront key pairs by using the Security Credentials page. CloudFront key pairs can be created only by the root account and cannot be created by IAM users.

X.509 Certificates
X.509 certificates are used to sign SOAP-based requests. An X.509 certificate contains a public key and additional metadata (like an expiration date that AWS verifies when you upload the certificate), and is associated with a private key. When you create a request, you create a digital signature with your private key and then include that signature in the request, along with your certificate. AWS verifies that you're the sender by checking the signature against the public key that is in your certificate. AWS also verifies that the certificate you sent matches the certificate that you uploaded to AWS.
For your AWS Account, you can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page. For IAM users, you must create the X.509 certificate (signing certificate) by using third-party software. In contrast with root account credentials, AWS cannot create an X.509 certificate for IAM users. After you create the certificate, you attach it to an IAM user by using IAM.
In addition to SOAP requests, X.509 certificates are used as SSL/TLS server certificates for customers who want to use HTTPS to encrypt their transmissions. To use them for HTTPS, you can use an open source tool like OpenSSL to create a unique private key. You'll need the private key to create the Certificate Signing Request (CSR) that you submit to a certificate authority (CA) to obtain the server certificate. You'll then use the AWS CLI to upload the certificate, private key, and certificate chain to IAM.
You'll also need an X.509 certificate to create a customized Linux AMI for EC2 instances. The certificate is only required to create an instance store-backed AMI (as opposed to an EBS-backed AMI). You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.

Individual User Accounts
AWS provides a centralized mechanism called AWS Identity and Access Management (IAM) for creating and managing individual users within your AWS Account. A user can be any individual, system, or application that interacts with AWS resources, either programmatically or through the AWS Management Console or AWS Command Line Interface (CLI). Each user has a unique name within the AWS Account, and a unique set of security credentials not shared with other users. AWS IAM eliminates the need to share passwords or keys, and enables you to minimize the use of your AWS Account credentials.
With IAM, you define policies that control which AWS services your users can access and what they can do with them. You can grant users only the minimum permissions they need to perform their jobs. See the AWS Identity and Access Management (AWS IAM) section below for more information.

Secure HTTPS Access Points
For greater communication security when accessing AWS resources, you should use HTTPS instead of HTTP for data transmissions. HTTPS uses the SSL/TLS protocol, which uses public-key cryptography to prevent eavesdropping, tampering, and forgery. All AWS services provide secure customer access points (also called API endpoints) that allow you to establish secure HTTPS communication sessions.
Several services also now offer more advanced cipher suites that use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange. ECDHE allows SSL/TLS clients to achieve Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This helps prevent the decryption of captured traffic by unauthorized third parties, even if the server's long-term private key is later compromised.

Security Logs
As important as credentials and encrypted endpoints are for preventing security problems, logs are just as crucial for understanding events after a problem has occurred. And to be effective as a security tool, a log must include not just a list of what happened and when, but also identify the source. To help you with your after-the-fact investigations and near-real-time intrusion detection, AWS CloudTrail provides a log of all requests for AWS resources within your account. For each event, you can see what service was accessed, what action was performed, and who made the request. CloudTrail captures information about every API call to every AWS resource you use, including sign-in events.
Once you have enabled CloudTrail, event logs are delivered every 5 minutes. You can configure CloudTrail so that it aggregates log files from multiple regions into a single Amazon S3 bucket. From there, you can then upload them to your favorite log management and analysis solutions to perform security analysis and detect user behavior patterns. By default, log files are stored securely in Amazon S3, but you can also archive them to Amazon Glacier to help meet audit and compliance requirements.
In addition to CloudTrail's user activity logs, you can use the Amazon CloudWatch Logs feature to collect and monitor system, application, and custom log files from your EC2 instances and other sources in near real time. For example, you can monitor your web server's log files for "Invalid user" messages to detect unauthorized login attempts to your guest OS.
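What "near-real-time intrusion detection" over these two sources looks like in practice is shown by the following added example, which is not code from this paper or from AWS. It runs a handful of detection rules over a constructed CloudTrail delivery (JSON using CloudTrail's own field names: userIdentity, eventSource, eventName, sourceIPAddress, errorCode, additionalEventData.MFAUsed) and over a few constructed sshd lines of the kind CloudWatch Logs would forward from a guest OS, then correlates the two by source address. The rule names, the sensitive-action list, the threshold, and every address, user name and ARN are illustrative choices, not AWS definitions.

```python
"""
Added example: detection rules over a CloudTrail event batch and guest-OS sshd
log lines, with source-IP correlation between the two. Standard library only.
"""
import json
import re
from collections import defaultdict

# Constructed CloudTrail records (field names follow the CloudTrail event format).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2014-11-03T10:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-11-03T10:02:13Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-11-03T10:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2014-11-03T10:05:41Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# Constructed sshd lines as CloudWatch Logs would collect them from /var/log/secure.
SAMPLE_SSHD_LOG = """\
Nov  3 10:07:01 web-1 sshd[2211]: Invalid user admin from 198.51.100.9
Nov  3 10:07:03 web-1 sshd[2213]: Invalid user oracle from 198.51.100.9
Nov  3 10:07:05 web-1 sshd[2215]: Invalid user test from 198.51.100.9
Nov  3 10:07:09 web-1 sshd[2219]: Failed password for invalid user test from 198.51.100.9 port 52144 ssh2
Nov  3 10:09:30 web-1 sshd[2300]: Accepted publickey for ec2-user from 192.0.2.10 port 40122 ssh2
"""

# Illustrative list: destructive actions, or actions aimed at the audit trail itself.
SENSITIVE_ACTIONS = {"TerminateInstances", "StopLogging", "DeleteTrail",
                     "PutBucketPolicy", "DeleteBucket"}
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def _actor(record):
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def analyze_cloudtrail(raw_json: str):
    """One finding per matching rule; each keeps service, action, actor and source IP,
    the three things the text says a useful security log must identify."""
    findings = []
    for r in json.loads(raw_json)["Records"]:
        base = {"time": r.get("eventTime"), "service": r.get("eventSource"),
                "action": r.get("eventName"), "actor": _actor(r),
                "source_ip": r.get("sourceIPAddress")}
        rules = []
        if r.get("userIdentity", {}).get("type") == "Root":
            rules.append("ROOT_ACTIVITY")
        if base["action"] == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            rules.append("LOGIN_WITHOUT_MFA")
        if base["action"] in SENSITIVE_ACTIONS:
            rules.append("SENSITIVE_ACTION")
        if r.get("errorCode") == "AccessDenied":
            rules.append("ACCESS_DENIED")
        findings.extend(dict(base, rule=rule) for rule in rules)
    return findings


def detect_ssh_bruteforce(log_text: str, threshold: int = 3):
    """Source IPs with at least `threshold` 'Invalid user' attempts, and the names tried."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            attempts[m.group(2)].append(m.group(1))
    return {ip: {"count": len(users), "users": sorted(set(users))}
            for ip, users in attempts.items() if len(users) >= threshold}


def correlate_sources(findings, bruteforce):
    """Addresses seen both probing the guest OS and acting against the AWS API."""
    return {f["source_ip"] for f in findings} & set(bruteforce)


if __name__ == "__main__":
    ct = analyze_cloudtrail(SAMPLE_CLOUDTRAIL)
    bf = detect_ssh_bruteforce(SAMPLE_SSHD_LOG)
    for f in ct:
        print(f"{f['time']} {f['rule']:<18} {f['actor']:<12} {f['action']} from {f['source_ip']}")
    print("ssh brute force:", bf)
    print("correlated sources:", correlate_sources(ct, bf))
```

The StopLogging event is the one to watch for in real deliveries: an attacker who has obtained API credentials will try to switch CloudTrail off before doing anything else, so that action deserves an alert regardless of who issued it.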

AWS Trusted Advisor Security Checks
The AWS Trusted Advisor customer support service not only monitors for cloud performance and resiliency, but also cloud security. Trusted Advisor inspects your AWS environment and makes recommendations when opportunities may exist to save money, improve system performance, or close security gaps. It provides alerts on several of the most common security misconfigurations that can occur, including leaving certain ports open that make you vulnerable to hacking and unauthorized access, neglecting to create IAM accounts for your internal users, allowing public access to Amazon S3 buckets, not turning on user activity logging (AWS CloudTrail), or not using MFA on your root AWS Account.
You also have the option for a Security contact at your organization to automatically receive a weekly email with an updated status of your Trusted Advisor security checks.
The AWS Trusted Advisor service provides four checks at no additional charge to all users, including three important security checks: specific ports unrestricted, IAM use, and MFA on root account. And when you sign up for Business or Enterprise-level AWS Support, you receive full access to all Trusted Advisor checks.

AWS Service-Specific Security
Not only is security built into every layer of the AWS infrastructure, but also into each of the services available on that infrastructure. AWS services are architected to work efficiently and securely with all AWS networks and platforms. Each service provides extensive security features to enable you to protect sensitive data and applications.

Compute Services
Amazon Web Services provides a variety of cloud-based computing services that include a wide selection of compute instances that can scale up and down automatically to meet the needs of your application or enterprise.

Amazon Elastic Compute Cloud (Amazon EC2) Security
Amazon Elastic Compute Cloud (EC2) is a key component in Amazon's Infrastructure as a Service (IaaS), providing resizable computing capacity using server instances in AWS's data centers. Amazon EC2 is designed to make web-scale computing easier by enabling you to obtain and configure capacity with minimal friction. You create and launch instances, which are collections of platform hardware and software.
Multiple Levels of Security
Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls. Each of these items builds on the capabilities of the others. The goal is to prevent data contained within Amazon EC2 from being intercepted by unauthorized systems or users and to provide Amazon EC2 instances themselves that are as secure as possible without sacrificing the flexibility in configuration that customers demand.
The Hypervisor
Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. The CPU provides four separate privilege modes, 0-3, called rings. Ring 0 is the most privileged and 3 the least. The host OS executes in Ring 0. However, rather than executing in Ring 0 as most operating systems do, the guest OS runs in the lesser-privileged Ring 1 and applications in the least-privileged Ring 3. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.
Instance Isolation
Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which provides awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.
Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, so that one customer's data is never unintentionally exposed to another. In addition, memory allocated to guests is scrubbed (set to zero) by the hypervisor when it is unallocated from a guest. The memory is not returned to the pool of free memory available for new allocations until the memory scrubbing is complete.
AWS recommends customers further protect their data using appropriate means. One common solution is to run an encrypted file system on top of the virtualized disk device.

Figure 3: Amazon EC2 Multiple Layers of Security

Host Operating System: Administrators with a business need to access the management plane are required to use multi-factor authentication to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane of the cloud. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems can be revoked.


Guest Operating System: Virtual instances are completely controlled by you, the customer. You have full root access or administrative control over accounts, services, and applications. AWS does not have any access rights to your instances or the guest OS. AWS recommends a base set of security best practices, including disabling password-only access to your guests and using some form of multi-factor authentication to gain access to your instances (or, at a minimum, certificate-based SSH version 2 access). Additionally, you should employ a privilege escalation mechanism with logging on a per-user basis. For example, if the guest OS is Linux, after hardening your instance you should use certificate-based SSHv2 to access the virtual instance, disable remote root login, use command-line logging, and use sudo for privilege escalation. You should generate your own key pairs in order to guarantee that they are unique and not shared with other customers or with AWS.
AWS also supports the use of the Secure Shell (SSH) network protocol to enable you to log in securely to your UNIX/Linux EC2 instances. Authentication for SSH used with AWS is via a public/private key pair to reduce the risk of unauthorized access to your instance. You can also connect remotely to your Windows instances using Remote Desktop Protocol (RDP) by using an RDP certificate generated for your instance.
You also control the updating and patching of your guest OS, including security updates. Amazon-provided Windows and Linux-based AMIs are updated regularly with the latest patches, so if you do not need to preserve data or customizations on your running Amazon AMI instances, you can simply relaunch new instances with the latest updated AMI. In addition, updates are provided for the Amazon Linux AMI via the Amazon Linux yum repositories.
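The guest-OS baseline above (no password-only logins, SSH version 2 with key-based authentication, no remote root login) can be checked mechanically. The following Python script is an added example, not part of this paper or an AWS tool: it parses an OpenSSH sshd_config and reports every setting that departs from that baseline. The two sample configurations are constructed, the keyword defaults assumed are those of OpenSSH 6.x, and Match blocks are ignored.

```python
"""Audit an sshd_config against the guest-OS hardening baseline.

Added example, not part of the AWS paper. Assumes OpenSSH keyword
semantics (first occurrence wins, keywords are case-insensitive) and
the OpenSSH 6.x defaults listed in DEFAULTS; Match blocks are ignored.
"""
import re

# Keyword -> acceptable value(s) for a hardened guest.
BASELINE = {
    "passwordauthentication": {"no"},           # no password-only access
    "challengeresponseauthentication": {"no"},  # no keyboard-interactive fallback to passwords
    "pubkeyauthentication": {"yes"},            # key/certificate-based login
    "permitrootlogin": {"no"},                  # no remote root login; use sudo instead
    "protocol": {"2"},                          # SSH version 2 only
}

# Values OpenSSH applies when the keyword is absent (assumed 6.x defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "protocol": "2",
}

def parse_sshd_config(text):
    """Return {keyword: value} for the effective settings in an sshd_config.

    Comments and blank lines are dropped; 'Keyword value' and 'Keyword=value'
    forms are accepted; the first occurrence of a keyword wins, as in sshd."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective

def audit(text):
    """Return [(keyword, effective_value, expected)] for every baseline violation.

    A keyword missing from the file is judged by its OpenSSH default, which is
    how a distribution's stock sshd_config ends up allowing password logins."""
    cfg = parse_sshd_config(text)
    findings = []
    for keyword, allowed in BASELINE.items():
        value = cfg.get(keyword, DEFAULTS[keyword])
        if value.lower() not in allowed:
            findings.append((keyword, value, "/".join(sorted(allowed))))
    return findings

# Constructed samples: a stock-looking config and a hardened one.
WEAK_SAMPLE = """\
# stock config: still allows passwords and root login
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SAMPLE = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        findings = audit(sample)
        print("%s: %d finding(s)" % (name, len(findings)))
        for keyword, value, expected in findings:
            print("  %s is %r, expected %s" % (keyword, value, expected))
```

Note that the weak sample is flagged for ChallengeResponseAuthentication even though the file never mentions it: an absent keyword takes the OpenSSH default, so an audit that only looks at lines present in the file misses the keyboard-interactive path back to password logins.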
Firewall: Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny-all mode and Amazon EC2 customers must explicitly open the ports needed to allow inbound traffic. The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
The firewall can be configured in groups permitting different classes of instances to have different rules. Consider, for example, the case of a traditional three-tiered web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application specific) accessible only to the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer's corporate network. Highly secure applications can be deployed using this expressive mechanism. See diagram below:


Figure 4: Amazon EC2 Security Group Firewall

The firewall isn't controlled through the guest OS; rather, it requires your X.509 certificate and key to authorize changes, thus adding an extra layer of security. AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling you to implement additional security through separation of duties. The level of security afforded by the firewall is a function of which ports you open, and for what duration and purpose. The default state is to deny all incoming traffic, and you should plan carefully what you will open when building and securing your applications. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as iptables or the Windows Firewall and VPNs. This can restrict both inbound and outbound traffic.
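The three-tier layout above, as an added Python model that is not AWS code: it holds the three groups' inbound rules as data and answers whether a given flow is permitted. The group names, the corporate network 203.0.113.0/24 and the flows checked are constructed. The model captures the two properties that matter in practice: the firewall is default-deny and allow-only, and a rule whose source is another security group matches on the sender's group membership rather than on its IP address.

```python
"""Model of the three-tier security group layout and a flow checker.

Added example, not AWS code. Group names, the corporate CIDR and the
flows checked are constructed. EC2 security groups are allow-only and
stateful: a flow with no matching inbound rule is dropped, and replies
to an allowed connection are permitted without an explicit rule.
"""
import ipaddress

ANYWHERE = "0.0.0.0/0"
CORPORATE = "203.0.113.0/24"   # constructed corporate network

# Inbound rules per group: (protocol, from_port, to_port, source).
# A source is a CIDR string or "sg:<group>" for a security group reference.
SECURITY_GROUPS = {
    "web": [
        ("tcp", 80, 80, ANYWHERE),
        ("tcp", 443, 443, ANYWHERE),
        ("tcp", 22, 22, CORPORATE),
    ],
    "app": [
        ("tcp", 8000, 8000, "sg:web"),
        ("tcp", 22, 22, CORPORATE),
    ],
    "db": [
        ("tcp", 3306, 3306, "sg:app"),
        ("tcp", 22, 22, CORPORATE),
    ],
}

def _source_matches(rule_source, src_ip, src_group):
    """Group references match on the sender's group, CIDRs on its address."""
    if rule_source.startswith("sg:"):
        return src_group == rule_source[3:]
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source)

def inbound_allowed(dest_group, protocol, port, src_ip, src_group=None):
    """True if a packet to `port` on an instance in dest_group is accepted.

    src_group is the sending instance's security group, or None for traffic
    from outside (the Internet or the corporate network)."""
    for proto, lo, hi, source in SECURITY_GROUPS.get(dest_group, []):
        if proto == protocol and lo <= port <= hi and _source_matches(source, src_ip, src_group):
            return True
    return False   # nothing matched: default deny

def internet_exposed_ports(group):
    """Ports a group opens to 0.0.0.0/0; a quick audit of Internet exposure."""
    return sorted({p for proto, lo, hi, src in SECURITY_GROUPS[group]
                   if src == ANYWHERE for p in range(lo, hi + 1)})

if __name__ == "__main__":
    checks = [
        ("web", "tcp", 443, "198.51.100.7", None),     # browser on the Internet
        ("db", "tcp", 3306, "198.51.100.7", None),     # Internet straight to MySQL
        ("db", "tcp", 3306, "10.0.2.15", "app"),       # app tier to MySQL
        ("db", "tcp", 3306, "10.0.1.15", "web"),       # web tier skipping a hop
        ("app", "tcp", 22, "203.0.113.40", None),      # admin from corporate
        ("app", "tcp", 22, "198.51.100.7", None),      # admin from elsewhere
    ]
    for args in checks:
        print(args, "->", "allow" if inbound_allowed(*args) else "deny")
    for group in SECURITY_GROUPS:
        print(group, "exposed to Internet:", internet_exposed_ports(group))
```

The db group never opens 3306 to a CIDR at all, so a database instance is unreachable from the Internet even if it were given a public address; the only path is through an instance that is itself a member of the app group.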
API Access: API calls to launch and terminate instances, change firewall parameters, and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS Account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon EC2 API calls cannot be made on your behalf. In addition, API calls can be encrypted with SSL to maintain confidentiality. Amazon recommends always using SSL-protected API endpoints.
Permissions: AWS IAM also enables you to further control what APIs a user has permissions to call.
Elastic Block Store (Amazon EBS) Security
Amazon Elastic Block Store (EBS) allows you to create storage volumes from 1 GB to 1 TB that can be mounted as devices by Amazon EC2 instances. Storage volumes behave like raw, unformatted block devices, with user-supplied device names and a block device interface. You can create a file system on top of Amazon EBS volumes, or use them in any other way you would use a block device (like a hard drive). Amazon EBS volume access is restricted to the AWS Account that created the volume, and to the users under the AWS Account created with AWS IAM if the user has been granted access to the EBS operations, thus denying all other AWS Accounts and users the permission to view or access the volume.


Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability. For customers who have architected complex transactional databases using EBS, it is recommended that backups to Amazon S3 be performed through the database management system so that distributed transactions and logs can be checkpointed. AWS does not perform backups of data that are maintained on virtual disks attached to running instances on Amazon EC2.
You can make Amazon EBS volume snapshots publicly available to other AWS Accounts to use as the basis for creating their own volumes. Sharing Amazon EBS volume snapshots does not provide other AWS Accounts with the permission to alter or delete the original snapshot, as that right is explicitly reserved for the AWS Account that created the volume. An EBS snapshot is a block-level view of an entire EBS volume. Note that data that is not visible through the file system on the volume, such as files that have been deleted, may be present in the EBS snapshot. If you want to create shared snapshots, you should do so carefully. If a volume has held sensitive data or has had files deleted from it, a new EBS volume should be created. The data to be contained in the shared snapshot should be copied to the new volume, and the snapshot created from the new volume.
Amazon EBS volumes are presented to you as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that you can be assured that the wipe process completed. If you have procedures requiring that all data be wiped via a specific method, such as those detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"), you have the ability to do so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.
Encryption of sensitive data is generally a good security practice, and AWS provides the ability to encrypt EBS volumes and their snapshots with AES-256. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage. In order to be able to do this efficiently and with low latency, the EBS encryption feature is only available on EC2's more powerful instance types (e.g., M3, C3, R3, G2).

Auto Scaling Security
Auto Scaling allows you to automatically scale your Amazon EC2 capacity up or down according to conditions you define, so that the number of Amazon EC2 instances you are using scales up seamlessly during demand spikes to maintain performance, and scales down automatically during demand lulls to minimize costs.
Like all AWS services, Auto Scaling requires that every request made to its control API be authenticated so only authenticated users can access and manage Auto Scaling. Requests are signed with an HMAC-SHA1 signature calculated from the request and the user's Secret Access Key. However, getting credentials out to new EC2 instances launched with Auto Scaling can be challenging for large or elastically scaling fleets. To simplify this process, you can use roles within IAM, so that any new instances launched with a role will be given credentials automatically. When you launch an EC2 instance with an IAM role, temporary AWS security credentials with permissions specified by the role will be securely provisioned to the instance and will be made available to your application via the Amazon EC2 Instance Metadata Service. The Metadata Service will make new temporary security credentials available prior to the expiration of the current active credentials, so that valid credentials are always available on the instance. In addition, the temporary security credentials are automatically rotated multiple times per day, providing enhanced security. You can further control access to Auto Scaling by creating users under your AWS Account using AWS IAM, and controlling what Auto Scaling APIs these users have permission to call. More information about using roles when launching instances is available in the Amazon EC2 User Guide on the AWS website: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/UsingIAM
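The credential flow above, as an added Python example that is not AWS code: a small provider that reads the role's temporary credentials from the instance metadata service at the documented path and re-reads them shortly before the Expiration time the service reports, so the rotated set is picked up. The role name, credential documents and clock are constructed so the refresh logic runs offline; on a real instance the injected fetcher would be the http_get() shown.

```python
"""Obtain IAM role credentials from the EC2 instance metadata service and
refresh them before they expire.

Added example, not AWS code. The metadata URL is the documented one; the
HTTP fetch is injected so the refresh logic runs offline against the
constructed responses produced by make_fake_fetch(). Assumes Expiration is
an ISO-8601 UTC timestamp with a trailing Z, the format the service returns.
"""
import json
from datetime import datetime, timedelta, timezone

METADATA_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

def _utcnow():
    return datetime.now(timezone.utc).replace(tzinfo=None)

def http_get(url, timeout=2):
    """Real fetcher for use on an instance; not exercised offline."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()

class RoleCredentials:
    """Caches the role's temporary credentials and re-reads the metadata
    service once the cached set is within refresh_margin of its Expiration.
    An application that caches the first set forever starts failing when
    that set expires, even though fresh credentials were available."""

    def __init__(self, fetch=http_get, refresh_margin=timedelta(minutes=5), now=_utcnow):
        self._fetch = fetch
        self._margin = refresh_margin
        self._now = now
        self._creds = None

    def _load(self):
        # First request lists the role name; second returns that role's credentials.
        role = self._fetch(METADATA_URL).strip().splitlines()[0]
        doc = json.loads(self._fetch(METADATA_URL + role))
        if doc.get("Code") != "Success":
            raise RuntimeError("metadata service returned Code=%r" % doc.get("Code"))
        doc["Expiration"] = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
        self._creds = doc

    def get(self):
        """Return (AccessKeyId, SecretAccessKey, Token). The Token must accompany
        every API call as the session token or the request is rejected."""
        if self._creds is None or self._now() >= self._creds["Expiration"] - self._margin:
            self._load()
        c = self._creds
        return c["AccessKeyId"], c["SecretAccessKey"], c["Token"]

# --- constructed stand-ins so the class can be exercised off an instance ---
ROLE_NAME = "webserver-role"   # constructed role name

def credential_doc(key_id, expiration):
    """A credential document shaped like the metadata service's response."""
    return {"Code": "Success", "LastUpdated": "2014-11-20T06:00:00Z", "Type": "AWS-HMAC",
            "AccessKeyId": key_id, "SecretAccessKey": "secret-for-" + key_id,
            "Token": "token-for-" + key_id, "Expiration": expiration}

def make_fake_fetch(documents):
    """Simulated metadata service: each read returns the next document, the way
    the real service starts returning the rotated set after a rotation."""
    state = {"reads": 0}
    def fetch(url):
        if url == METADATA_URL:
            return ROLE_NAME + "\n"
        if url != METADATA_URL + ROLE_NAME:
            raise ValueError("unexpected url %r" % url)
        doc = documents[min(state["reads"], len(documents) - 1)]
        state["reads"] += 1
        return json.dumps(doc)
    return fetch

class FakeClock:
    """Constructed clock so the refresh logic can be stepped deterministically."""
    def __init__(self, year, month, day, hour, minute):
        self.t = datetime(year, month, day, hour, minute)
    def set(self, hour, minute):
        self.t = self.t.replace(hour=hour, minute=minute)
    def __call__(self):
        return self.t

if __name__ == "__main__":
    docs = [credential_doc("ASIAEXAMPLE0001", "2014-11-20T12:00:00Z"),
            credential_doc("ASIAEXAMPLE0002", "2014-11-20T18:00:00Z")]
    clock = FakeClock(2014, 11, 20, 10, 0)
    creds = RoleCredentials(fetch=make_fake_fetch(docs), now=clock)
    print(creds.get()[0])        # first set
    clock.set(11, 57)
    print(creds.get()[0])        # rotated set, fetched before the 12:00 expiry
```

Two details carry the security value here: the session token is part of the credential, so a client that sends only the access key and secret is rejected, and the refresh is driven by the Expiration the service reports rather than by a fixed interval, so a shortened rotation schedule is honored without code changes.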


Networking Services
Amazon Web Services provides a range of networking services that enable you to create a logically isolated network that you define, establish a private network connection to the AWS cloud, use a highly available and scalable DNS service, and deliver content to your end users with low latency at high data transfer speeds with a content delivery web service.

Amazon Elastic Load Balancing Security
Amazon Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all availability zones within a region. Elastic Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits:

- Takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer
- Offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network
- When used in an Amazon VPC, supports creation and management of security groups associated with your Elastic Load Balancing to provide additional networking and security options
- Supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections. When TLS is used, the TLS server certificate used to terminate client connections can be managed centrally on the load balancer, rather than on every individual instance.

In HTTPS/TLS, a long-term secret key (the server's private key) is used during the handshake to establish a short-term session key, and it is the session key that encrypts the traffic between the server and the browser. Amazon Elastic Load Balancing configures your load balancer with a predefined cipher set that is used for TLS negotiation when a connection is established between a client and your load balancer. The predefined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms. However, some customers may have requirements for allowing only specific ciphers and protocols (such as PCI, SOX, etc.) from clients to ensure that standards are met. In these cases, Amazon Elastic Load Balancing provides options for selecting different configurations for TLS protocols and ciphers. You can choose to enable or disable the ciphers depending on your specific requirements.
To help ensure the use of newer and stronger cipher suites when establishing a secure connection, you can configure the load balancer to have the final say in the cipher suite selection during the client-server negotiation. When the Server Order Preference option is selected, the load balancer will select a cipher suite based on the server's prioritization of cipher suites rather than the client's. This gives you more control over the level of security that clients use to connect to your load balancer.
For even greater communication privacy, Amazon Elastic Load Balancing allows the use of Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This prevents the decoding of captured data, even if the secret long-term key itself is compromised.
Amazon Elastic Load Balancing allows you to identify the originating IP address of a client connecting to your servers, whether you're using HTTPS or TCP load balancing. Typically, client connection information, such as IP address and port, is lost when requests are proxied through a load balancer. This is because the load balancer sends requests to the server on behalf of the client, making your load balancer appear as though it is the requesting client. Having the originating client IP address is useful if you need more information about visitors to your applications in order to gather connection statistics, analyze traffic logs, or manage whitelists of IP addresses.
Amazon Elastic Load Balancing access logs contain information about each HTTP and TCP request processed by your load balancer. This includes the IP address and port of the requesting client, the back-end IP address of the instance that processed the request, the size of the request and response, and the actual request line from the client (for example, GET http://www.example.com:80/ HTTP/1.1). All requests sent to the load balancer are logged, including requests that never made it to back-end instances.
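The access log fields listed above are what an analyst works from, and the last sentence is the part that matters for detection: requests the load balancer answered itself never appear in any instance's web server log. The following Python parser is an added example, not an AWS tool. It assumes the 2014 classic ELB access log layout (later versions append further fields), and the sample log lines are constructed; it extracts the originating client address and separates out the requests that never reached a back-end.

```python
"""Parse Elastic Load Balancing access log lines and pull out the fields
that matter for traffic analysis: the originating client IP, the back-end
that served the request, and requests the load balancer answered itself.

Added example, not AWS code. The layout assumed is the 2014 classic ELB
access log format (later formats append further fields); the sample lines
are constructed.
"""
import re
from collections import Counter

# timestamp elb client:port backend:port request_time backend_time
# response_time elb_status backend_status received_bytes sent_bytes "request"
LINE_RE = re.compile(
    r'^(?P<timestamp>\S+) (?P<elb>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<request_time>\S+) (?P<backend_time>\S+) (?P<response_time>\S+) '
    r'(?P<elb_status>\S+) (?P<backend_status>\S+) (?P<received>\d+) (?P<sent>\d+) '
    r'"(?P<request>[^"]*)"'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["client_ip"] = rec["client"].rsplit(":", 1)[0]
    # A back-end of "-" means the ELB never forwarded the request (no healthy
    # instance, malformed request, ...); such requests never reach instance logs.
    rec["reached_backend"] = rec["backend"] != "-"
    rec["received"] = int(rec["received"])
    rec["sent"] = int(rec["sent"])
    return rec

def summarize(lines):
    """Requests per originating client IP, plus the records that never reached a back-end."""
    per_client = Counter()
    elb_only = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["client_ip"]] += 1
        if not rec["reached_backend"]:
            elb_only.append(rec)
    return per_client, elb_only

# Constructed sample log: two normal requests, one the ELB failed with 503
# before reaching any instance, and one probe for an admin path.
SAMPLE_LOG = """\
2014-11-20T10:15:01.123456Z my-loadbalancer 198.51.100.7:54321 10.0.1.20:80 0.000052 0.002131 0.000041 200 200 0 1024 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-20T10:15:01.234567Z my-loadbalancer 198.51.100.7:54322 10.0.1.21:80 0.000048 0.001990 0.000039 200 200 0 512 "GET http://www.example.com:80/index.html HTTP/1.1"
2014-11-20T10:15:02.000001Z my-loadbalancer 192.0.2.33:40000 - -1 -1 -1 503 - 0 0 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-20T10:15:03.500000Z my-loadbalancer 203.0.113.9:51000 10.0.1.20:80 0.000050 0.003000 0.000040 404 404 0 300 "GET http://www.example.com:80/admin HTTP/1.1"
"""

if __name__ == "__main__":
    per_client, elb_only = summarize(SAMPLE_LOG.splitlines())
    print("requests per client:", dict(per_client))
    for rec in elb_only:
        print("not forwarded:", rec["client_ip"], rec["elb_status"], rec["request"])
```

The client address comes from the load balancer's own record of the TCP connection, so unlike an X-Forwarded-For header it cannot be set by the client; that makes it the right field to key whitelists and rate statistics on.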

Amazon Virtual Private Cloud (Amazon VPC) Security
Normally, each Amazon EC2 instance you launch is randomly assigned a public IP address in the Amazon EC2 address space. Amazon VPC enables you to create an isolated portion of the AWS cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses in the range of your choice (e.g., 10.0.0.0/16). You can define subnets within your VPC, grouping similar kinds of instances based on IP address range, and then set up routing and security to control the flow of traffic in and out of the instances and subnets.
AWS offers a variety of VPC architecture templates with configurations that provide varying levels of public access:

- VPC with a single public subnet only. Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet. Network ACLs and security groups can be used to provide strict control over inbound and outbound network traffic to your instances.
- VPC with public and private subnets. In addition to containing a public subnet, this configuration adds a private subnet whose instances are not addressable from the Internet. Instances in the private subnet can establish outbound connections to the Internet via the public subnet using Network Address Translation (NAT).
- VPC with public and private subnets and hardware VPN access. This configuration adds an IPsec VPN connection between your Amazon VPC and your data center, effectively extending your data center to the cloud while also providing direct access to the Internet for public subnet instances in your Amazon VPC. In this configuration, customers add a VPN appliance on their corporate data center side.
- VPC with private subnet only and hardware VPN access. Your instances run in a private, isolated section of the AWS cloud with a private subnet whose instances are not addressable from the Internet. You can connect this private subnet to your corporate data center via an IPsec VPN tunnel.

You can also connect two VPCs using a private IP address, which allows instances in the two VPCs to communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.
Security features within Amazon VPC include security groups, network ACLs, routing tables, and external gateways. Each of these items is complementary to providing a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network. Amazon EC2 instances running within an Amazon VPC inherit all of the benefits described earlier related to the guest OS and protection against packet sniffing. Note, however, that you must create VPC security groups specifically for your Amazon VPC; any Amazon EC2 security groups you have created will not work inside your Amazon VPC. Also, Amazon VPC security groups have additional capabilities that Amazon EC2 security groups do not have, such as being able to change the security group after the instance is launched and being able to specify any protocol with a standard protocol number (as opposed to just TCP, UDP, or ICMP).
Each Amazon VPC is a distinct, isolated network within the cloud; network traffic within each Amazon VPC is isolated from all other Amazon VPCs. At creation time, you select an IP address range for each Amazon VPC. You may create and attach an Internet gateway, virtual private gateway, or both to establish external connectivity, subject to the controls below.
API Access: Calls to create and delete Amazon VPCs, change routing, security group, and network ACL parameters, and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS Account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon VPC API calls cannot be made on your behalf. In addition, API calls can be encrypted with SSL to maintain confidentiality. Amazon recommends always using SSL-protected API endpoints. AWS IAM also enables a customer to further control what APIs a newly created user has permissions to call.
Subnets and Route Tables: You create one or more subnets within each Amazon VPC; each instance launched in the Amazon VPC is connected to one subnet. Traditional Layer 2 security attacks, including MAC spoofing and ARP spoofing, are blocked.
Each subnet in an Amazon VPC is associated with a routing table, and all network traffic leaving the subnet is processed by the routing table to determine the destination.
Firewall (Security Groups): Like Amazon EC2, Amazon VPC supports a complete firewall solution enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, as well as source/destination IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
The firewall isn't controlled through the guest OS; rather, it can be modified only through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling you to implement additional security through separation of duties. The level of security afforded by the firewall is a function of which ports you open, and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as iptables or the Windows Firewall.


Figure 5: Amazon VPC Network Architecture

Network Access Control Lists: To add a further layer of security within Amazon VPC, you can configure network ACLs. These are stateless traffic filters that apply to all traffic inbound or outbound from a subnet within Amazon VPC. These ACLs can contain ordered rules to allow or deny traffic based upon IP protocol, by service port, as well as source/destination IP address.
Like security groups, network ACLs are managed through Amazon VPC APIs, adding an additional layer of protection and enabling additional security through separation of duties. The diagram below depicts how the security controls above interrelate to enable flexible network topologies while providing complete control over network traffic flows.


Figure 6: Flexible Network Topologies
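The two words that describe network ACLs above, "ordered" and "stateless", are where configurations go wrong in practice. The following Python model is an added example, not AWS code; the rule numbers, CIDRs and flows are constructed. It evaluates a packet against an ACL the way the text describes (ascending rule number, first match wins, implicit deny at the end) and then checks a whole TCP connection in both directions, which is what exposes a missing ephemeral-port rule: an inbound allow for port 443 is useless if the replies leaving the subnet on the client's ephemeral port are dropped. Security groups, being stateful, handle the reply direction automatically; network ACLs do not.

```python
"""Evaluate ordered, stateless network ACL rules against individual packets,
and then against whole TCP connections.

Added example, not AWS code. Rule numbers, CIDRs and the flows checked are
constructed. Two behaviours drive the design: rules are evaluated in
ascending number order and the first match wins, and the filter is
stateless, so return traffic has to be allowed explicitly on ephemeral
ports (security groups, being stateful, do that for you).
"""
import ipaddress

# (rule_number, protocol, from_port, to_port, cidr, action); protocol "-1" = all.
# The 32767 entry stands in for the implicit catch-all deny at the end of every ACL.
INBOUND = [
    (90, "-1", 0, 65535, "192.0.2.0/24", "deny"),      # a blocked abusive range
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (110, "tcp", 22, 22, "203.0.113.0/24", "allow"),   # SSH from corporate only
    (120, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to outbound connections
    (32767, "-1", 0, 65535, "0.0.0.0/0", "deny"),
]
OUTBOUND = [
    (100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to inbound connections
    (110, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    (120, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (32767, "-1", 0, 65535, "0.0.0.0/0", "deny"),
]

def evaluate(rules, protocol, port, remote_ip):
    """First matching rule wins: return (action, rule_number).

    `port` is the packet's destination port (the local port for inbound rules,
    the remote port for outbound rules); `remote_ip` is the non-subnet end."""
    remote = ipaddress.ip_address(remote_ip)
    for number, proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto != "-1" and (proto != protocol or not lo <= port <= hi):
            continue
        if remote in ipaddress.ip_network(cidr):
            return action, number
    return "deny", None

def connection_allowed(inbound_rules, outbound_rules, remote_ip, remote_port, local_port):
    """A TCP connection works only if both directions pass: the packet arriving
    at local_port and the reply leaving for remote_port. Direction-agnostic,
    so it covers both inbound services and outbound fetches by the instance."""
    in_action, _ = evaluate(inbound_rules, "tcp", local_port, remote_ip)
    out_action, _ = evaluate(outbound_rules, "tcp", remote_port, remote_ip)
    return in_action == "allow" and out_action == "allow"

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 443, "198.51.100.7"))   # ('allow', 100)
    print(evaluate(INBOUND, "tcp", 443, "192.0.2.5"))      # ('deny', 90): deny ordered first
    # HTTPS client on ephemeral port 54321 -> instance port 443
    print(connection_allowed(INBOUND, OUTBOUND, "198.51.100.7", 54321, 443))
    # Same connection with the outbound ephemeral-port rule removed: the reply is dropped.
    no_ephemeral = [r for r in OUTBOUND if r[0] != 100]
    print(connection_allowed(INBOUND, no_ephemeral, "198.51.100.7", 54321, 443))
    # Instance fetching a page over port 80: outbound to 80, reply to its own ephemeral port.
    print(connection_allowed(INBOUND, OUTBOUND, "198.51.100.200", 80, 40000))
```

Ordering cuts both ways: the deny for 192.0.2.0/24 only works because it is numbered below the broad allow for 443. Renumber it above 100 and the allow matches first, so the block silently stops applying to HTTPS.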

Virtual Private Gateway: A virtual private gateway enables private connectivity between the Amazon VPC and another network. Network traffic within each virtual private gateway is isolated from network traffic within all other virtual private gateways. You can establish VPN connections to the virtual private gateway from gateway devices at your premises. Each connection is secured by a pre-shared key in conjunction with the IP address of the customer gateway device.
Internet Gateway: An Internet gateway may be attached to an Amazon VPC to enable direct connectivity to Amazon S3, other AWS services, and the Internet. Each instance desiring this access must either have an Elastic IP associated with it or route traffic through a NAT instance. Additionally, network routes are configured (see above) to direct traffic to the Internet gateway. AWS provides reference NAT AMIs that you can extend to perform network logging, deep packet inspection, application-layer filtering, or other security controls.
This access can only be modified through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the Internet gateway, therefore enabling you to implement additional security through separation of duties.
Dedicated Instances: Within a VPC, you can launch Amazon EC2 instances that are physically isolated at the host hardware level (i.e., they will run on single-tenant hardware). An Amazon VPC can be created with "dedicated" tenancy, so that all instances launched into the Amazon VPC will utilize this feature. Alternatively, an Amazon VPC may be created with "default" tenancy, but you can specify dedicated tenancy for particular instances launched into it.
Elastic Network Interfaces: Each Amazon EC2 instance has a default network interface that is assigned a private IP address on your Amazon VPC network. You can create and attach an additional network interface, known as an elastic network interface (ENI), to any Amazon EC2 instance in your Amazon VPC for a total of two network interfaces per instance. Attaching more than one network interface to an instance is useful when you want to create a management network, use network and security appliances in your Amazon VPC, or create dual-homed instances with workloads/roles on distinct subnets. An ENI's attributes, including the private IP address, elastic IP addresses, and MAC address, will follow the ENI as it is attached or detached from an instance and reattached to another instance. More information about Amazon VPC is available on the AWS website: http://aws.amazon.com/vpc/
Additional Network Access Control with EC2-VPC
If you launch instances in a region where you did not have instances before AWS launched the new EC2-VPC feature (also called Default VPC), all instances are automatically provisioned in a ready-to-use default VPC. You can choose to create additional VPCs, or you can create VPCs for instances in regions where you already had instances before we launched EC2-VPC.
If you create a VPC later, using regular VPC, you specify a CIDR block, create subnets, enter the routing and security for those subnets, and provision an Internet gateway or NAT instance if you want one of your subnets to be able to reach the Internet. When you launch EC2 instances into an EC2-VPC, most of this work is automatically performed for you. When you launch an instance into a default VPC using EC2-VPC, we do the following to set it up for you:

- Create a default subnet in each Availability Zone
- Create an Internet gateway and connect it to your default VPC
- Create a main route table for your default VPC with a rule that sends all traffic destined for the Internet to the Internet gateway
- Create a default security group and associate it with your default VPC
- Create a default network access control list (ACL) and associate it with your default VPC
- Associate the default DHCP options set for your AWS account with your default VPC

In addition to the default VPC having its own private IP range, EC2 instances launched in a default VPC can also receive a public IP.
The following table summarizes the differences between instances launched into EC2-Classic, instances launched into a default VPC, and instances launched into a non-default VPC.
Characteristic: Public IP address
  EC2-Classic: Your instance receives a public IP address.
  EC2-VPC (Default VPC): Your instance launched in a default subnet receives a public IP address by default, unless you specify otherwise during launch.
  Regular VPC: Your instance doesn't receive a public IP address by default, unless you specify otherwise during launch.
Characteristic: Private IP address
  EC2-Classic: Your instance receives a private IP address from the EC2-Classic range each time it's started.
  EC2-VPC (Default VPC): Your instance receives a static private IP address from the address range of your default VPC.
  Regular VPC: Your instance receives a static private IP address from the address range of your VPC.
Characteristic: Multiple private IP addresses
  EC2-Classic: We select a single IP address for your instance. Multiple IP addresses are not supported.
  EC2-VPC (Default VPC): You can assign multiple private IP addresses to your instance.
  Regular VPC: You can assign multiple private IP addresses to your instance.
Characteristic: Elastic IP address
  EC2-Classic: An EIP is disassociated from your instance when you stop it.
  EC2-VPC (Default VPC): An EIP remains associated with your instance when you stop it.
  Regular VPC: An EIP remains associated with your instance when you stop it.
Characteristic: DNS hostnames
  EC2-Classic: DNS hostnames are enabled by default.
  EC2-VPC (Default VPC): DNS hostnames are enabled by default.
  Regular VPC: DNS hostnames are disabled by default.
Characteristic: Security group
  EC2-Classic: A security group can reference security groups that belong to other AWS accounts.
  EC2-VPC (Default VPC): A security group can reference security groups for your VPC only.
  Regular VPC: A security group can reference security groups for your VPC only.
Characteristic: Security group association
  EC2-Classic: You must terminate your instance to change its security group.
  EC2-VPC (Default VPC): You can change the security group of your running instance.
  Regular VPC: You can change the security group of your running instance.
Characteristic: Security group rules
  EC2-Classic: You can add rules for inbound traffic only.
  EC2-VPC (Default VPC): You can add rules for inbound and outbound traffic.
  Regular VPC: You can add rules for inbound and outbound traffic.
Characteristic: Tenancy
  EC2-Classic: Your instance runs on shared hardware; you cannot run an instance on single-tenant hardware.
  EC2-VPC (Default VPC): You can run your instance on shared hardware or single-tenant hardware.
  Regular VPC: You can run your instance on shared hardware or single-tenant hardware.

Note that security groups for instances in EC2-Classic are slightly different than security groups for instances in EC2-VPC. For example, you can add rules for inbound traffic only for EC2-Classic, but you can add rules for both inbound and outbound traffic in EC2-VPC. In EC2-Classic, you can't change the security groups assigned to an instance after it's launched, but in EC2-VPC, you can change the security groups assigned to an instance after it's launched. In addition, you can't use the security groups that you've created for use with EC2-Classic with instances in your VPC. You must create security groups specifically for use with instances in your VPC. The rules you create for use with a security group for a VPC can't reference a security group for EC2-Classic, and vice versa.

Amazon Route 53 Security
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service that answers DNS queries, translating domain names into IP addresses so computers can communicate with each other. Route 53 can be used to connect user requests to infrastructure running in AWS, such as an Amazon EC2 instance or an Amazon S3 bucket, or to infrastructure outside of AWS.
Amazon Route 53 lets you manage the IP addresses (records) listed for your domain names and it answers requests (queries) to translate specific domain names into their corresponding IP addresses. Queries for your domain are automatically routed to a nearby DNS server using anycast in order to provide the lowest latency possible. Route 53 makes it possible for you to manage traffic globally through a variety of routing types, including Latency Based Routing (LBR), Geo DNS, and Weighted Round Robin (WRR), all of which can be combined with DNS Failover in order to help create a variety of low-latency, fault-tolerant architectures. The failover algorithms implemented by Amazon Route 53 are designed not only to route traffic to endpoints that are healthy, but also to help avoid making disaster scenarios worse due to misconfigured health checks and applications, endpoint overloads, and partition failures.
Route 53 also offers Domain Name Registration: you can purchase and manage domain names such as example.com and Route 53 will automatically configure default DNS settings for your domains. You can buy, manage, and transfer (both in and out) domains from a wide selection of generic and country-specific top-level domains (TLDs). During the registration process, you have the option to enable privacy protection for your domain. This option will hide most of your personal information from the public Whois database in order to help thwart scraping and spamming.
Amazon Route 53 is built using AWS's highly available and reliable infrastructure. The distributed nature of the AWS DNS servers helps ensure a consistent ability to route your end users to your application. Route 53 also helps ensure the availability of your website by providing health checks and DNS failover capabilities. You can easily configure Route 53 to check the health of your website on a regular basis (even secure websites that are available only over SSL), and to switch to a backup site if the primary one is unresponsive.
Like all AWS services, Amazon Route 53 requires that every request made to its control API be authenticated so only authenticated users can access and manage Route 53. API requests are signed with an HMAC-SHA1 or HMAC-SHA256 signature calculated from the request and the user's AWS Secret Access Key. Additionally, the Amazon Route 53 control API is only accessible via SSL-encrypted endpoints. It supports both IPv4 and IPv6 routing.
You can control access to Amazon Route 53 DNS management functions by creating users under your AWS Account using AWS IAM, and controlling which Route 53 operations these users have permission to perform.

Amazon CloudFront Security
Amazon CloudFront gives customers an easy way to distribute content to end users with low latency and high data transfer speeds. It delivers dynamic, static, and streaming content using a global network of edge locations. Requests for customers' objects are automatically routed to the nearest edge location, so content is delivered with the best possible performance. Amazon CloudFront is optimized to work with other AWS services, like Amazon S3, Amazon EC2, Amazon Elastic Load Balancing, and Amazon Route 53. It also works seamlessly with any non-AWS origin server that stores the original, definitive versions of your files.
Amazon CloudFront requires every request made to its control API be authenticated so only authorized users can create, modify, or delete their own Amazon CloudFront distributions. Requests are signed with an HMAC-SHA1 signature calculated from the request and the user's Secret Access Key. Additionally, the Amazon CloudFront control API is only accessible via SSL-enabled endpoints.
There is no guarantee of durability of data held in Amazon CloudFront edge locations. The service may from time to time remove objects from edge locations if those objects are not requested frequently. Durability is provided by Amazon S3, which works as the origin server for Amazon CloudFront holding the original, definitive copies of objects delivered by Amazon CloudFront.
If you want control over who is able to download content from Amazon CloudFront, you can enable the service's private content feature. This feature has two components: the first controls how content is delivered from the Amazon CloudFront edge location to viewers on the Internet. The second controls how the Amazon CloudFront edge locations access objects in Amazon S3. CloudFront also supports Geo Restriction, which restricts access to your content based on the geographic location of your viewers.
To control access to the original copies of your objects in Amazon S3, Amazon CloudFront allows you to create one or more Origin Access Identities and associate these with your distributions. When an Origin Access Identity is associated with an Amazon CloudFront distribution, the distribution will use that identity to retrieve objects from Amazon S3. You can then use Amazon S3's ACL feature, which limits access to that Origin Access Identity so the original copy of the object is not publicly readable.
To control who is able to download objects from Amazon CloudFront edge locations, the service uses a signed-URL verification system. To use this system, you first create a public-private key pair, and upload the public key to your account via the AWS Management Console. Second, you configure your Amazon CloudFront distribution to indicate which accounts you would authorize to sign requests; you can indicate up to five AWS Accounts you trust to sign requests. Third, as you receive requests you will create policy documents indicating the conditions under which you want Amazon CloudFront to serve your content. These policy documents can specify the name of the object that is requested, the date and time of the request, and the source IP (or CIDR range) of the client making the request. You then calculate the SHA-1 hash of your policy document and sign this using your private key. Finally, you include both the encoded policy document and the signature as query string parameters when you reference your objects. When Amazon CloudFront receives a request, it will verify the signature using your public key. Amazon CloudFront will only serve requests that have a valid policy document and matching signature.
Note that private content is an optional feature that must be enabled when you set up your CloudFront distribution. Content delivered without this feature enabled will be publicly readable.
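The signed-URL steps above, carried out in Python as an added example that is not AWS or CloudFront code. The distribution domain, object path, key-pair ID and viewer CIDR are constructed. The policy document is built with the Resource, DateLessThan, IpAddress and DateGreaterThan elements the text describes, encoded with CloudFront's URL-safe base64 variant, and attached with the signature as the Policy, Signature and Key-Pair-Id query parameters. The RSA-SHA1 signing step is passed in as a callable so the policy construction and encoding can be exercised offline; rsa_sha1_signer() builds one from a PEM private key using the third-party 'cryptography' package, which the demo assumes is installed.

```python
"""Build a CloudFront signed URL with a custom policy.

Added example, not AWS or CloudFront code. The distribution domain, object
path, key-pair ID and viewer CIDR are constructed. The RSA-SHA1 signing step
is passed in as a callable so the policy construction and encoding can be
exercised offline; rsa_sha1_signer() builds one from a PEM private key using
the third-party 'cryptography' package and is only used in the demo.
"""
import base64
import json
import time
from urllib.parse import urlencode

def build_policy(url, expires_epoch, source_ip=None, starts_epoch=None):
    """Custom policy: Resource plus a DateLessThan condition and optional
    IpAddress / DateGreaterThan conditions. Emitted without whitespace
    because the exact bytes are what get signed and what CloudFront verifies."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}}
    if source_ip is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    if starts_epoch is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(starts_epoch)}
    policy = {"Statement": [{"Resource": url, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))

def cloudfront_b64(data):
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return (base64.b64encode(data).decode("ascii")
            .replace("+", "-").replace("=", "_").replace("/", "~"))

def decode_policy(policy_param):
    """Reverse cloudfront_b64 and parse the policy, as CloudFront does before
    checking the request against the conditions."""
    std = policy_param.replace("-", "+").replace("_", "=").replace("~", "/")
    return json.loads(base64.b64decode(std))

def make_signed_url(url, key_pair_id, sign, expires_epoch, source_ip=None, starts_epoch=None):
    """Append Policy, Signature and Key-Pair-Id query parameters to url.

    sign(policy_bytes) must return the RSA-SHA1 signature over the policy
    made with the private half of the CloudFront key pair."""
    policy = build_policy(url, expires_epoch, source_ip, starts_epoch).encode("ascii")
    params = {
        "Policy": cloudfront_b64(policy),
        "Signature": cloudfront_b64(sign(policy)),
        "Key-Pair-Id": key_pair_id,
    }
    return url + ("&" if "?" in url else "?") + urlencode(params)

def rsa_sha1_signer(private_key_pem):
    """Return a sign() callable for a PEM-encoded RSA private key (needs 'cryptography')."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA1())

if __name__ == "__main__":
    # Constructed values; a real key pair is created in the AWS Management Console.
    object_url = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
    try:
        from cryptography.hazmat.primitives import serialization
        from cryptography.hazmat.primitives.asymmetric import rsa
    except ImportError:
        raise SystemExit("install the 'cryptography' package to run the signing demo")
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM,
                            serialization.PrivateFormat.TraditionalOpenSSL,
                            serialization.NoEncryption())
    print(make_signed_url(object_url, "APKAEXAMPLEKEYPAIRID", rsa_sha1_signer(pem),
                          expires_epoch=time.time() + 3600, source_ip="203.0.113.0/24"))
```

Anyone can decode the Policy parameter, so it must carry no secrets; its integrity comes entirely from the Signature, which only the holder of the private key can produce and which CloudFront checks against the public key registered under the Key-Pair-Id. Keep the expiry short and bind the policy to the viewer's CIDR where you can, since a signed URL is a bearer credential for as long as its DateLessThan allows.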
Amazon CloudFront provides the option to transfer content over an encrypted connection (HTTPS). By default, CloudFront will accept requests over both HTTP and HTTPS protocols. However, you can also configure CloudFront to require HTTPS for all requests or have CloudFront redirect HTTP requests to HTTPS. You can even configure CloudFront distributions to allow HTTP for some objects but require HTTPS for other objects.

Figure 7: Amazon CloudFront Encrypted Transmission

You can configure one or more CloudFront origins to require that CloudFront fetch objects from your origin using the protocol that the viewer used to request the objects. For example, when you use this CloudFront setting and the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin.
Amazon CloudFront uses the SSLv3 or TLSv1 protocols and a selection of cipher suites that includes the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol on connections to both viewers and the origin. (SSLv3 has since been shown to be insecure and should be disabled wherever your viewers support TLS.) ECDHE allows SSL/TLS clients to provide Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This helps prevent the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised.
Note that if you're using your own server as your origin, and you want to use HTTPS both between viewers and CloudFront and between CloudFront and your origin, you must install a valid SSL certificate on the HTTP server that is signed by a third-party certificate authority, for example, VeriSign or DigiCert.
By default, you can deliver content to viewers over HTTPS by using your CloudFront distribution domain name in your URLs; for example, https://dxxxxx.cloudfront.net/image.jpg. If you want to deliver your content over HTTPS using your own domain name and your own SSL certificate, you can use SNI Custom SSL or Dedicated IP Custom SSL. With Server Name Indication (SNI) Custom SSL, CloudFront relies on the SNI extension of the TLS protocol, which is supported by most modern web browsers. However, some users may not be able to access your content because some older browsers do not support SNI. (For a list of supported browsers, visit http://aws.amazon.com/cloudfront/faqs/.) With Dedicated IP Custom SSL, CloudFront dedicates IP addresses to your SSL certificate at each CloudFront edge location so that CloudFront can associate the incoming requests with the proper SSL certificate.
Amazon CloudFront access logs contain a comprehensive set of information about requests for content, including the object requested, the date and time of the request, the edge location serving the request, the client IP address, the referrer, and the user agent. To enable access logs, just specify the name of the Amazon S3 bucket to store the logs in when you configure your Amazon CloudFront distribution.

AWS Direct Connect Security
With AWS Direct Connect, you can provision a direct link between your internal network and an AWS region using a high-throughput, dedicated connection. Doing this may help reduce your network costs, improve throughput, or provide a more consistent network experience. With this dedicated connection in place, you can then create virtual interfaces directly to the AWS cloud (for example, to Amazon EC2 and Amazon S3) and Amazon VPC.

With Direct Connect, you bypass Internet service providers in your network path. You can procure rack space within the facility housing the AWS Direct Connect location and deploy your equipment nearby. Once deployed, you can connect this equipment to AWS Direct Connect using a cross-connect. Each AWS Direct Connect location enables connectivity to the geographically nearest AWS region as well as access to other US regions. For example, you can provision a single connection to any AWS Direct Connect location in the US and use it to access public AWS services in all US Regions and AWS GovCloud (US).

Using industry-standard 802.1q VLANs, the dedicated connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public resources such as objects stored in Amazon S3 using public IP address space, and private resources such as Amazon EC2 instances running within an Amazon VPC using private IP space, while maintaining network separation between the public and private environments.

AWS Direct Connect requires the use of the Border Gateway Protocol (BGP) with an Autonomous System Number (ASN). To create a virtual interface, you configure an MD5 key that authenticates the BGP session (the TCP MD5 signature option, RFC 2385): each segment carries a keyed MD5 hash computed over the segment and your secret key, so a peer that does not hold the key cannot inject or alter routing updates. This protects the integrity and origin of the BGP session only; the data flowing over the virtual interface is not encrypted by Direct Connect itself, so run an IPsec VPN or application-layer encryption over it where confidentiality is required. You can have AWS automatically generate a BGP MD5 key or you can provide your own.

Storage Services
Amazon Web Services provides low-cost data storage with high durability and availability. AWS offers storage choices for backup, archiving, and disaster recovery, as well as block and object storage.

Amazon Simple Storage Service (Amazon S3) Security
Amazon Simple Storage Service (S3) allows you to upload and retrieve data at any time, from anywhere on the web. Amazon S3 stores data as objects within buckets. An object can be any kind of file: a text file, a photo, a video, etc. When you add a file to Amazon S3, you have the option of including metadata with the file and setting permissions to control access to the file. For each bucket, you can control access to the bucket (who can create, delete, and list objects in the bucket), view access logs for the bucket and its objects, and choose the geographical region where Amazon S3 will store the bucket and its contents.

Data Access
Access to data stored in Amazon S3 is restricted by default; only bucket and object owners have access to the Amazon S3 resources they create (note that a bucket/object owner is the AWS Account owner, not the user who created the bucket/object). There are multiple ways to control access to buckets and objects:

- Identity and Access Management (IAM) Policies. AWS IAM enables organizations with many employees to create and manage multiple users under a single AWS Account. IAM policies are attached to the users, enabling centralized control of permissions for users under your AWS Account to access buckets or objects. With IAM policies, you can only grant users within your own AWS account permission to access your Amazon S3 resources.

- Access Control Lists (ACLs). Within Amazon S3, you can use ACLs to give read or write access on buckets or objects to groups of users. With ACLs, you can only grant other AWS accounts (not specific users) access to your Amazon S3 resources.

- Bucket Policies. Bucket policies in Amazon S3 can be used to add or deny permissions across some or all of the objects within a single bucket. Unlike IAM policies, which are attached to users and groups, a bucket policy is attached to the bucket itself, enabling centralized management of permissions for that bucket. With bucket policies, you can grant users within your AWS Account or other AWS Accounts access to your Amazon S3 resources.

  Type of Access Control    AWS Account-Level Control?    User-Level Control?
  IAM Policies              No                            Yes
  ACLs                      Yes                           No
  Bucket Policies           Yes                           Yes

You can further restrict access to specific resources based on certain conditions. For example, you can restrict access based on request time (Date Condition), whether the request was sent using SSL (Boolean Conditions), a requester's IP address (IP Address Condition), or based on the requester's client application (String Conditions). To identify these conditions, you use policy keys. For more information about action-specific policy keys available within Amazon S3, refer to the Amazon Simple Storage Service Developer Guide.

Amazon S3 also gives developers the option to use query string authentication, which allows them to share Amazon S3 objects through URLs that are valid for a predefined period of time. Query string authentication is useful for giving HTTP or browser access to resources that would normally require authentication. The signature in the query string secures the request: it is an HMAC computed with your secret access key over the request details and the expiry time, so whoever holds the URL cannot change the object it refers to or extend its lifetime without invalidating the signature.
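As an added illustration of the query-string mechanism (this is example code written for this page, not the AWS SDK's implementation), the following Python builds and then verifies a pre-signed GET URL using the Signature Version 2 scheme that S3 query-string authentication used: the signature is Base64(HMAC-SHA1(secret key, "GET\n\n\n<Expires>\n/<bucket>/<key>")). The access key, secret key, bucket and object key are constructed placeholders. The verifier shows what the service checks on receipt, an HMAC that matches and an Expires that has not passed, and why the holder of a link cannot alter it: changing Expires, the key or the bucket changes the string that was signed.

```python
import base64
import hashlib
import hmac
from typing import Dict
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed credentials for this example only; they are not real AWS keys
# and are not tied to any account.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def string_to_sign(bucket: str, key: str, expires: int, verb: str = "GET") -> str:
    """String that a Signature Version 2 query-string request is signed over.

    Layout: HTTP verb, Content-MD5, Content-Type, Expires (Unix time) and the
    canonicalized resource; Content-MD5 and Content-Type are empty for a GET.
    """
    return f"{verb}\n\n\n{expires}\n/{bucket}/{key}"


def sign(secret: str, payload: str) -> str:
    """Base64(HMAC-SHA1(secret, payload)), the SigV2 signature encoding."""
    mac = hmac.new(secret.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def presign_get(bucket: str, key: str, ttl_seconds: int, now: int) -> str:
    """Build a URL that grants GET on one object until now + ttl_seconds."""
    expires = now + ttl_seconds
    signature = sign(SECRET_ACCESS_KEY, string_to_sign(bucket, key, expires))
    return (
        f"https://{bucket}.s3.amazonaws.com/{quote(key)}"
        f"?AWSAccessKeyId={ACCESS_KEY_ID}"
        f"&Expires={expires}"
        f"&Signature={quote(signature, safe='')}"
    )


def verify_presigned(url: str, now: int, secrets: Dict[str, str]) -> bool:
    """Re-derive the signature the way the service does and enforce Expires.

    `secrets` maps access key IDs to secret keys. Any change to the bucket,
    object key, Expires value or signature makes the constant-time comparison
    fail, and a URL whose Expires has passed is rejected before any crypto runs.
    """
    parts = urlsplit(url)
    bucket = parts.netloc.split(".s3.amazonaws.com")[0]
    key = unquote(parts.path.lstrip("/"))
    query = parse_qs(parts.query)
    try:
        access_key = query["AWSAccessKeyId"][0]
        expires = int(query["Expires"][0])
        presented = query["Signature"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False  # the link has lapsed
    secret = secrets.get(access_key)
    if secret is None:
        return False  # unknown access key ID
    expected = sign(secret, string_to_sign(bucket, key, expires))
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    url = presign_get("example-bucket", "reports/q3.pdf", 900, now=1_400_000_000)
    print(url)
    print(verify_presigned(url, 1_400_000_100, {ACCESS_KEY_ID: SECRET_ACCESS_KEY}))
```

The comparison uses hmac.compare_digest rather than == so that a forged signature cannot be refined byte by byte from timing differences; the expiry check comes first because a lapsed link should be rejected regardless of who signed it.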
Data Transfer
For maximum security, you can securely upload/download data to Amazon S3 via the SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data is transferred securely both within AWS and to and from sources outside of AWS.

Data Storage
Amazon S3 provides multiple options for protecting data at rest. Customers who prefer to manage their own encryption can use a client encryption library like the Amazon S3 Encryption Client to encrypt data before uploading to Amazon S3. Alternatively, you can use Amazon S3 Server Side Encryption (SSE) if you prefer to have Amazon S3 manage the encryption process for you. Data is encrypted with a key generated by AWS or with a key you supply, depending on your requirements. With Amazon S3 SSE, you can encrypt data on upload simply by adding an additional request header (x-amz-server-side-encryption) when writing the object. Decryption happens automatically when data is retrieved.

Note that metadata, which you can include with your object, is not encrypted. Therefore, AWS recommends that customers not place sensitive information in Amazon S3 metadata.

Amazon S3 SSE uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256). With Amazon S3 SSE, every protected object is encrypted with a unique encryption key. This object key itself is then encrypted with a regularly rotated master key. Amazon S3 SSE provides additional security by storing the encrypted data and encryption keys in different hosts. Amazon S3 SSE also makes it possible for you to enforce encryption requirements. For example, you can create and apply bucket policies that require that only encrypted data can be uploaded to your buckets.
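To make the condition mechanism described under Data Access and the "only encrypted uploads" requirement above concrete, here is a small policy evaluator written for this page (example code, not an AWS component; the bucket name, CIDR, cut-off date and request contexts are constructed). The policy uses the four condition types named earlier (Bool for aws:SecureTransport, IpAddress for aws:SourceIp, DateLessThan for aws:CurrentTime, and StringNotEquals plus Null for the s3:x-amz-server-side-encryption header), and the evaluator applies IAM's ordering: an explicit Deny wins, an Allow must match, and otherwise the request is implicitly denied. The treatment of a missing condition key (positive operators fail, negated operators match) follows the IAM policy documentation; the Null statement is kept anyway so the encryption requirement does not hinge on that rule.

```python
import ipaddress
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# Constructed bucket policy (example data, not from the page). It denies any
# request not sent over SSL, denies uploads that do not request AES256
# server-side encryption, and allows reads and writes only from one office
# network until a cut-off date.
BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "AllowOfficeUntilYearEnd", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                       "DateLessThan": {"aws:CurrentTime": "2015-01-01T00:00:00+00:00"}}},
    ],
}


def _listify(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _condition_holds(operator: str, key: str, wanted: Any, ctx: Dict[str, str]) -> bool:
    """Evaluate one (operator, key, value) condition against the request context."""
    wanted = [str(v) for v in _listify(wanted)]
    actual = ctx.get(key)
    if operator == "Null":
        # "true" asserts the key is absent from the request, "false" that it is present.
        return (actual is None) == (wanted[0].lower() == "true")
    if actual is None:
        # Missing key: positive operators fail, negated operators match (IAM rule).
        return operator.startswith(("StringNot", "NotIp"))
    if operator == "Bool":
        return actual.lower() == wanted[0].lower()
    if operator == "StringEquals":
        return actual in wanted
    if operator == "StringNotEquals":
        return actual not in wanted
    if operator == "StringLike":
        return any(fnmatchcase(actual, pattern) for pattern in wanted)
    if operator in ("IpAddress", "NotIpAddress"):
        inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
        return inside if operator == "IpAddress" else not inside
    if operator in ("DateLessThan", "DateGreaterThan"):
        now, limit = datetime.fromisoformat(actual), datetime.fromisoformat(wanted[0])
        return now < limit if operator == "DateLessThan" else now > limit
    raise ValueError(f"unsupported condition operator {operator}")


def evaluate(policy: Dict[str, Any], action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Return "Deny", "Allow" or "ImplicitDeny" for one request.

    Mirrors the IAM evaluation order: an explicit Deny anywhere wins, then an
    applicable Allow, otherwise the request is implicitly denied.
    """
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _listify(statement["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _listify(statement["Resource"])):
            continue
        conditions = statement.get("Condition", {})
        if not all(_condition_holds(op, key, value, ctx)
                   for op, pairs in conditions.items()
                   for key, value in pairs.items()):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

A PutObject that omits the x-amz-server-side-encryption header is denied by both encryption statements, one with a different header value is denied by StringNotEquals, and a request that satisfies every Deny guard but comes from outside the office network or after the cut-off date falls through to the implicit deny rather than being allowed.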
For long-term storage, you can automatically archive the contents of your Amazon S3 buckets to AWS's archival service called Glacier. You can have data transferred at specific intervals to Glacier by creating lifecycle rules in Amazon S3 that describe which objects you want to be archived to Glacier and when. As part of your data management strategy, you can also specify how long Amazon S3 should wait after the objects are put into Amazon S3 to delete them.

When an object is deleted from Amazon S3, removal of the mapping from the public name to the object starts immediately, and is generally processed across the distributed system within several seconds. Once the mapping is removed, there is no remote access to the deleted object. The underlying storage area is then reclaimed for use by the system.
Data Durability and Reliability
Amazon S3 is designed to provide 99.999999999% durability and 99.99% availability of objects over a given year. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 region. To help provide durability, Amazon S3 PUT and COPY operations synchronously store customer data across multiple facilities before returning SUCCESS. Once stored, Amazon S3 helps maintain the durability of the objects by quickly detecting and repairing any lost redundancy. Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data. In addition, Amazon S3 calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data.

Amazon S3 provides further protection via Versioning. You can use Versioning to preserve, retrieve, and restore every version of every object stored in an Amazon S3 bucket. With Versioning, you can easily recover from both unintended user actions and application failures. By default, requests will retrieve the most recently written version. Older versions of an object can be retrieved by specifying a version in the request. You can further protect versions using Amazon S3 Versioning's MFA Delete feature. Once enabled for an Amazon S3 bucket, each version deletion request must include the six-digit code and serial number from your multi-factor authentication device.
Access Logs
An Amazon S3 bucket can be configured to log access to the bucket and objects within it. The access log contains details about each access request including request type, the requested resource, the requester's IP, and the time and date of the request. When logging is enabled for a bucket, log records are periodically aggregated into log files and delivered to the specified Amazon S3 bucket.

Cross-Origin Resource Sharing (CORS)
AWS customers who use Amazon S3 to host static web pages or store objects used by other web pages can load content securely by configuring an Amazon S3 bucket to explicitly enable cross-origin requests. Modern browsers use the Same-Origin policy to block JavaScript or HTML5 from making requests that load content from another site or domain, as a way to help ensure that malicious content is not loaded from a less reputable source (such as during cross-site scripting attacks). With a Cross-Origin Resource Sharing (CORS) policy enabled, assets such as web fonts and images stored in an Amazon S3 bucket can be safely referenced by external web pages, style sheets, and HTML5 applications.

AWS Glacier Security
Like Amazon S3, the Amazon Glacier service provides low-cost, secure, and durable storage. But where Amazon S3 is designed for rapid retrieval, Glacier is meant to be used as an archival service for data that is not accessed often and for which retrieval times of several hours are suitable.

Amazon Glacier stores files as archives within vaults. Archives can be any data such as a photo, video, or document, and can contain one or several files. You can store an unlimited number of archives in a single vault and can create up to 1,000 vaults per region. Each archive can contain up to 40 TB of data.

Data Upload
To transfer data into Amazon Glacier vaults, you can upload an archive in a single upload operation or a multipart operation. In a single upload operation, you can upload archives up to 4 GB in size. However, customers can achieve better results using the Multipart Upload API to upload archives greater than 100 MB. Using the Multipart Upload API allows you to upload large archives, up to about 40,000 GB. The Multipart Upload API call is designed to improve the upload experience for larger archives; it enables the parts to be uploaded independently, in any order, and in parallel. If a multipart upload fails, you only need to upload the failed part again and not the entire archive.

When you upload data to Glacier, you must compute and supply a tree hash. Glacier checks the hash against the data to help ensure that it has not been altered en route. A tree hash is generated by computing a SHA-256 hash for each megabyte-sized (1 MiB) segment of the data, and then combining adjacent hashes pairwise, in tree fashion, so that each level represents ever-growing adjacent segments of the data until a single root hash remains.
As an alternate to using the Multipart Upload feature, customers with very large uploads to Amazon Glacier may consider using the AWS Import/Export service instead to transfer the data. AWS Import/Export facilitates moving large amounts of data into AWS using portable storage devices for transport. AWS transfers your data directly off of storage devices using Amazon's high-speed internal network, bypassing the Internet.

You can also set up Amazon S3 to transfer data at specific intervals to Glacier. You can create lifecycle rules in Amazon S3 that describe which objects you want to be archived to Glacier and when. You can also specify how long Amazon S3 should wait after the objects are put into Amazon S3 to delete them.

To achieve even greater security, you can securely upload/download data to Amazon Glacier via the SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data is transferred securely both within AWS and to and from sources outside of AWS.
Data Retrieval
Retrieving archives from Amazon Glacier requires the initiation of a retrieval job, which is generally completed in 3 to 5 hours. You can then access the data via HTTP GET requests. The data will remain available to you for 24 hours.

You can retrieve an entire archive or several files from an archive. If you want to retrieve only a subset of an archive, you can use one retrieval request to specify the range of the archive that contains the files you are interested in, or you can initiate multiple retrieval requests, each with a range for one or more files. You can also limit the number of vault inventory items retrieved by filtering on an archive creation date range or by setting a maximum items limit. Whichever method you choose, when you retrieve portions of your archive, you can use the supplied checksum to help ensure the integrity of the files, provided that the range that is retrieved is aligned with the tree hash of the overall archive (that is, the tree hash of the range on its own is one of the nodes of the whole archive's tree).
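The tree hash described under Data Upload and the alignment rule for range retrievals above can be checked directly. The following Python is an added example (not Amazon's code) that computes the Glacier-style SHA-256 tree hash, exposes every level of the tree, and decides whether a byte range is tree-hash aligned by the definition itself: the range's own tree hash must equal some node of the whole archive's tree. The 3.5 MiB sample archive is constructed inline with a different fill byte per MiB so that no two segments hash alike.

```python
import hashlib
import hmac
from typing import List

MIB = 1024 * 1024


def leaf_hashes(data: bytes) -> List[bytes]:
    """SHA-256 of every 1 MiB segment; the final segment may be shorter."""
    return [hashlib.sha256(data[i:i + MIB]).digest() for i in range(0, len(data), MIB)]


def tree_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels of the hash tree, leaves first and root last.

    Adjacent pairs are concatenated and hashed; an unpaired node at the end
    of a level is carried up unchanged, which is how archives whose segment
    count is not a power of two are handled.
    """
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([
            hashlib.sha256(prev[i] + prev[i + 1]).digest() if i + 1 < len(prev) else prev[i]
            for i in range(0, len(prev), 2)
        ])
    return levels


def tree_hash(data: bytes) -> str:
    """Hex root of the tree over `data` (the x-amz-sha256-tree-hash value)."""
    if not data:
        raise ValueError("an archive or range must contain at least one byte")
    return tree_levels(leaf_hashes(data))[-1][0].hex()


def range_is_tree_hash_aligned(archive: bytes, start: int, end: int) -> bool:
    """True when the tree hash of archive[start:end] is a node of the full tree.

    Only such ranges can be verified against a checksum that the service
    derives from the whole archive's tree.
    """
    node = bytes.fromhex(tree_hash(archive[start:end]))
    return any(node in level for level in tree_levels(leaf_hashes(archive)))


def verify_retrieved_range(chunk: bytes, supplied_checksum_hex: str) -> bool:
    """Client-side check of a range GET body against the service-supplied checksum."""
    return hmac.compare_digest(tree_hash(chunk), supplied_checksum_hex)


def sample_archive() -> bytes:
    """Constructed 3.5 MiB archive: each MiB segment has a distinct fill byte."""
    return b"".join(bytes([i]) * MIB for i in range(3)) + bytes([3]) * (MIB // 2)


if __name__ == "__main__":
    data = sample_archive()
    print(tree_hash(data))
    print(range_is_tree_hash_aligned(data, 0, 2 * MIB))       # True
    print(range_is_tree_hash_aligned(data, MIB, 3 * MIB))     # False
```

With four leaves the tree is [h0, h1, h2, h3], [h01, h23], [root]. The range covering the first 2 MiB hashes to h01 and the range from 2 MiB to the end hashes to h23, so both can be checked; the range from 1 MiB to 3 MiB starts on a megabyte boundary but hashes to h12, which appears nowhere in the tree, so its checksum cannot be compared with anything derived from the archive.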
Data Storage
Amazon Glacier automatically encrypts the data using AES-256 and stores it durably in an immutable form. Amazon Glacier is designed to provide average annual durability of 99.999999999% for an archive. It stores each archive in multiple facilities and multiple devices. Unlike traditional systems which can require laborious data verification and manual repair, Glacier performs regular, systematic data integrity checks and is built to be automatically self-healing.

Data Access
Only your account can access your data in Amazon Glacier. To control access to your data in Amazon Glacier, you can use AWS IAM to specify which users within your account have rights to operations on a given vault.

AWS Storage Gateway Security
The AWS Storage Gateway service connects your on-premises software appliance with cloud-based storage to provide seamless and secure integration between your IT environment and AWS's storage infrastructure. The service enables you to securely upload data to AWS's scalable, reliable, and secure Amazon S3 storage service for cost-effective backup and rapid disaster recovery.

AWS Storage Gateway transparently backs up data off-site to Amazon S3 in the form of Amazon EBS snapshots. Amazon S3 redundantly stores these snapshots on multiple devices across multiple facilities, detecting and repairing any lost redundancy. The Amazon EBS snapshot provides a point-in-time backup that can be restored on-premises or used to instantiate new Amazon EBS volumes. Data is stored within a single region that you specify.

AWS Storage Gateway offers three options:

- Gateway-Stored Volumes (where the cloud is backup). In this option, your volume data is stored locally and then pushed to Amazon S3, where it is stored in redundant, encrypted form, and made available in the form of Elastic Block Storage (EBS) snapshots. When you use this model, the on-premises storage is primary, delivering low-latency access to your entire data set, and the cloud storage is the backup.

- Gateway-Cached Volumes (where the cloud is primary). In this option, your volume data is stored encrypted in Amazon S3, visible within your enterprise's network via an iSCSI interface. Recently accessed data is cached on-premises for low-latency local access. When you use this model, the cloud storage is primary, but you get low-latency access to your active working set in the cached volumes on-premises.

- Gateway-Virtual Tape Library (VTL). In this option, you can configure a Gateway-VTL with up to 10 virtual tape drives per gateway, 1 media changer and up to 1500 virtual tape cartridges. Each virtual tape drive responds to the SCSI command set, so your existing on-premises backup applications (either disk-to-tape or disk-to-disk-to-tape) will work without modification.

No matter which option you choose, data is asynchronously transferred from your on-premises storage hardware to AWS over SSL. The data is stored encrypted in Amazon S3 using Advanced Encryption Standard (AES) 256, a symmetric-key encryption standard using 256-bit encryption keys. The AWS Storage Gateway only uploads data that has changed, minimizing the amount of data sent over the Internet.

The AWS Storage Gateway runs as a virtual machine (VM) that you deploy on a host in your datacenter running VMware ESXi Hypervisor v4.1 or v5 or Microsoft Hyper-V (you download the VM software during the setup process). You can also run it within EC2 using a gateway AMI. During the installation and configuration process, you can create up to 12 Stored volumes, 20 Cached volumes, or 1500 virtual tape cartridges per gateway. Once installed, each gateway will automatically download, install, and deploy updates and patches. This activity takes place during a maintenance window that you can set on a per-gateway basis.

The iSCSI protocol supports authentication between targets and initiators via CHAP (Challenge-Handshake Authentication Protocol). CHAP protects against replay (playback) attacks and credential interception by periodically re-verifying the identity of an iSCSI initiator through a challenge-response exchange rather than a cleartext password. Note that CHAP authenticates the initiator only; it does not encrypt the iSCSI data stream between your hosts and the gateway, so that traffic should stay on a trusted network. To set up CHAP, you must configure it in both the AWS Storage Gateway console and in the iSCSI initiator software you use to connect to the target.

After you deploy the AWS Storage Gateway VM, you must activate the gateway using the AWS Storage Gateway console. The activation process associates your gateway with your AWS Account. Once you establish this connection, you can manage almost all aspects of your gateway from the console. In the activation process, you specify the IP address of your gateway, name your gateway, identify the AWS region in which you want your snapshot backups stored, and specify the gateway time zone.

AWS Import/Export Security
AWS Import/Export is a simple, secure method for physically transferring large amounts of data to Amazon S3, EBS, or Glacier storage. This service is typically used by customers who have over 100 GB of data and/or slow connection speeds that would result in very slow transfer rates over the Internet. With AWS Import/Export, you prepare a portable storage device that you ship to a secure AWS facility. AWS transfers the data directly off of the storage device using Amazon's high-speed internal network, thus bypassing the Internet. Conversely, data can also be exported from AWS to a portable storage device.

Like all other AWS services, the AWS Import/Export service requires that you securely identify and authenticate your storage device. In this case, you will submit a job request to AWS that includes your Amazon S3 bucket, Amazon EBS region, AWS Access Key ID, and return shipping address. You then receive a unique identifier for the job, a digital signature for authenticating your device, and an AWS address to ship the storage device to. For Amazon S3, you place the signature file on the root directory of your device. For Amazon EBS, you tape the signature barcode to the exterior of the device. The signature file is used only for authentication and is not uploaded to Amazon S3 or EBS.

For transfers to Amazon S3, you specify the specific buckets to which the data should be loaded and ensure that the account doing the loading has write permission for the buckets. You should also specify the access control list to be applied to each object loaded to Amazon S3.

For transfers to EBS, you specify the target region for the EBS import operation. If the storage device is less than or equal to the maximum volume size of 1 TB, its contents are loaded directly into an Amazon EBS snapshot. If the storage device's capacity exceeds 1 TB, a device image is stored within the specified S3 log bucket. You can then create a RAID of Amazon EBS volumes using software such as Logical Volume Manager, and copy the image from S3 to this new volume.

For added protection, you can encrypt the data on your device before you ship it to AWS. For Amazon S3 data, you can use a PIN-code device with hardware encryption or TrueCrypt software to encrypt your data before sending it to AWS. For EBS and Glacier data, you can use any encryption method you choose, including a PIN-code device. AWS will decrypt your Amazon S3 data before importing using the PIN code and/or TrueCrypt password you supply in your import manifest. AWS uses your PIN to access a PIN-code device, but does not decrypt software-encrypted data for import to Amazon EBS or Amazon Glacier. Because the PIN and password travel in the manifest, generate them for the job rather than reusing credentials you rely on elsewhere; note also that TrueCrypt's developers discontinued the project in May 2014, so its continued use should be a deliberate decision. The following table summarizes your encryption options for each type of import/export job.
Import to Amazon S3
  Source:  Files on a device file system. Encrypt the data using a PIN-code device and/or TrueCrypt before shipping the device.
  Target:  Objects in an existing Amazon S3 bucket. AWS decrypts the data before performing the import.
  Result:  One object for each file. AWS erases your device after every import job, prior to return shipping.

Export from Amazon S3
  Source:  Objects in one or more Amazon S3 buckets. Provide a PIN code and/or password that AWS will use to encrypt your data.
  Target:  Files on your storage device. AWS formats your device and copies your data to an encrypted file container on the device.
  Result:  One file for each object. AWS encrypts your data prior to shipping; use the PIN-code device and/or TrueCrypt to decrypt the files.

Import to Amazon Glacier
  Source:  Entire device. Encrypt the data using the encryption method of your choice before shipping.
  Target:  One archive in an existing Amazon Glacier vault. AWS does not decrypt your device.
  Result:  Device image stored as a single archive. AWS erases your device after every import job, prior to return shipping.

Import to Amazon EBS (device capacity of 1 TB or less)
  Source:  Entire device. Encrypt the data using the encryption method of your choice before shipping.
  Target:  One Amazon EBS snapshot. AWS does not decrypt your device.
  Result:  Device image is stored as a single snapshot; if the device was encrypted, the image is encrypted. AWS erases your device after every import job, prior to return shipping.

Import to Amazon EBS (device capacity greater than 1 TB)
  Source:  Entire device. Encrypt the data using the encryption method of your choice before shipping.
  Target:  Multiple objects in an existing Amazon S3 bucket. AWS does not decrypt your device.
  Result:  Device image chunked into a series of 1 TB snapshots stored as objects in the Amazon S3 bucket specified in the manifest file; if the device was encrypted, the image is encrypted. AWS erases your device after every import job, prior to return shipping.

After the import is complete, AWS Import/Export will erase the contents of your storage device to safeguard the data during return shipment. AWS overwrites all writable blocks on the storage device with zeroes. You will need to repartition and format the device after the wipe. If AWS is unable to erase the data on the device, it will be scheduled for destruction and our support team will contact you using the email address specified in the manifest file you ship with the device.

When shipping a device internationally, the customs option and certain required subfields are required in the manifest file sent to AWS. AWS Import/Export uses these values to validate the inbound shipment and prepare the outbound customs paperwork. Two of these options are whether the data on the device is encrypted or not and the encryption software's classification. When shipping encrypted data to or from the United States, the encryption software must be classified as 5D992 under the United States Export Administration Regulations.

Database Services
Amazon Web Services provides a number of database solutions for developers and businesses, from managed relational and NoSQL database services, to in-memory caching as a service and a petabyte-scale data warehouse service.

Amazon DynamoDB Security
Amazon DynamoDB is a managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables you to offload the administrative burdens of operating and scaling distributed databases to AWS, so you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling.

You can create a database table that can store and retrieve any amount of data, and serve any level of request traffic. DynamoDB automatically spreads the data and traffic for the table over a sufficient number of servers to handle the request capacity you specified and the amount of data stored, while maintaining consistent, fast performance. All data items are stored on Solid State Drives (SSDs) and are automatically replicated across multiple availability zones in a region to provide built-in high availability and data durability.

You can set up automatic backups using a special template in AWS Data Pipeline that was created just for copying DynamoDB tables. You can choose full or incremental backups to a table in the same region or a different region. You can use the copy for disaster recovery (DR) in the event that an error in your code damages the original table, or to federate DynamoDB data across regions to support a multi-region application.

To control who can use the DynamoDB resources and API, you set up permissions in AWS IAM. In addition to controlling access at the resource level with IAM, you can also control access at the database level: you can create database-level permissions that allow or deny access to items (rows) and attributes (columns) based on the needs of your application. These database-level permissions are called fine-grained access controls, and you create them using an IAM policy that specifies under what circumstances a user or application can access a DynamoDB table. The IAM policy can restrict access to individual items in a table, access to the attributes in those items, or both at the same time.

[Figure: a DynamoDB table with one item (row) and one attribute (column) highlighted, illustrating item-level and attribute-level access control. Labels: Attribute, Item.]

You can optionally use web identity federation to control access by application users who are authenticated by Login with Amazon, Facebook, or Google. Web identity federation removes the need for creating individual IAM users; instead, users can sign in to an identity provider and then obtain temporary security credentials from AWS Security Token Service (AWS STS). AWS STS returns temporary AWS credentials to the application and allows it to access the specific DynamoDB table.

In addition to requiring database and user permissions, each request to the DynamoDB service must contain a valid HMAC-SHA256 signature (AWS Signature Version 4), or the request is rejected. The AWS SDKs automatically sign your requests; however, if you want to write your own HTTP POST requests, you must provide the signature in the header of your request to Amazon DynamoDB. To calculate the signature, you must request temporary security credentials from the AWS Security Token Service. Use the temporary security credentials to sign your requests to Amazon DynamoDB.

Amazon DynamoDB is accessible via SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2.

Amazon Relational Database Service (Amazon RDS) Security
Amazon RDS allows you to quickly create a relational database (DB) instance and flexibly scale the associated compute resources and storage capacity to meet application demand. Amazon RDS manages the database instance on your behalf by performing backups, handling failover, and maintaining the database software. Currently, Amazon RDS is available for MySQL, Oracle, Microsoft SQL Server, and PostgreSQL database engines.

Amazon RDS has multiple features that enhance security and reliability for critical production databases, including DB security groups, permissions, SSL connections, automated backups, DB snapshots, and multi-AZ deployments. DB instances can also be deployed in an Amazon VPC for additional network isolation.

Access Control
When you first create a DB Instance within Amazon RDS, you will create a master user account, which is used only within the context of Amazon RDS to control access to your DB Instance(s). The master user account is a native database user account that allows you to log on to your DB Instance with all database privileges. You can specify the master user name and password you want associated with each DB Instance when you create the DB Instance. Once you have created your DB Instance, you can connect to the database using the master user credentials. Subsequently, you can create additional user accounts so that you can restrict who can access your DB Instance.

You can control Amazon RDS DB Instance access via DB Security Groups, which are similar to Amazon EC2 Security Groups but not interchangeable. DB Security Groups act like a firewall controlling network access to your DB Instance. Database Security Groups default to a "deny all" access mode and customers must specifically authorize network ingress. There are two ways of doing this: authorizing a network IP range or authorizing an existing Amazon EC2 Security Group. DB Security Groups only allow access to the database server port (all others are blocked) and can be updated without restarting the Amazon RDS DB Instance, which allows a customer seamless control of their database access.

Using AWS IAM, you can further control access to your RDS DB instances. AWS IAM enables you to control what RDS operations each individual AWS IAM user has permission to call.
Network Isolation
For additional network access control, you can run your DB Instances in an Amazon VPC. Amazon VPC enables you to isolate your DB Instances by specifying the IP range you wish to use, and connect to your existing IT infrastructure through an industry-standard encrypted IPsec VPN. Running Amazon RDS in a VPC enables you to have a DB instance within a private subnet. You can also set up a virtual private gateway that extends your corporate network into your VPC, and allows access to the RDS DB instance in that VPC. Refer to the Amazon VPC User Guide for more details.

For Multi-AZ deployments, defining a subnet for all availability zones in a region will allow Amazon RDS to create a new standby in another availability zone should the need arise. You can create DB Subnet Groups, which are collections of subnets that you may want to designate for your RDS DB Instances in a VPC. Each DB Subnet Group should have at least one subnet for every availability zone in a given region. In this case, when you create a DB Instance in a VPC, you select a DB Subnet Group; Amazon RDS then uses that DB Subnet Group and your preferred availability zone to select a subnet and an IP address within that subnet. Amazon RDS creates and associates an Elastic Network Interface to your DB Instance with that IP address.

DB Instances deployed within an Amazon VPC can be accessed from the Internet or from Amazon EC2 Instances outside the VPC via VPN or bastion hosts that you can launch in your public subnet. To use a bastion host, you will need to set up a public subnet with an EC2 instance that acts as an SSH bastion. This public subnet must have an Internet gateway and routing rules that direct traffic to the SSH host, which then forwards requests to the private IP address of your Amazon RDS DB instance.

DB Security Groups can be used to help secure DB Instances within an Amazon VPC. In addition, network traffic entering and exiting each subnet can be allowed or denied via network ACLs. All network traffic entering or exiting your Amazon VPC via your IPsec VPN connection can be inspected by your on-premises security infrastructure, including network firewalls and intrusion detection systems.
Encryption
You can encrypt connections between your application and your DB Instance using SSL. For MySQL and SQL Server, RDS creates an SSL certificate and installs the certificate on the DB instance when the instance is provisioned. For MySQL, you launch the mysql client using the --ssl-ca parameter to reference the RDS certificate authority (CA) certificate in order to encrypt connections. For SQL Server, download the CA certificate and import it into your Windows operating system's certificate store. Oracle RDS uses Oracle native network encryption with a DB instance. You simply add the native network encryption option to an option group and associate that option group with the DB instance. Once an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer. You can also require your DB instance to only accept encrypted connections.

Amazon RDS supports Transparent Data Encryption (TDE) for SQL Server (SQL Server Enterprise Edition) and Oracle (part of the Oracle Advanced Security option available in Oracle Enterprise Edition). The TDE feature automatically encrypts data before it is written to storage and automatically decrypts data when it is read from storage. If you require your MySQL data to be encrypted while at rest in the database, your application must manage the encryption and decryption of data.

Note that SSL support within Amazon RDS is for encrypting the connection between your application and your DB Instance; it should not be relied on for authenticating the DB Instance itself.

While SSL offers security benefits, be aware that SSL encryption is a compute-intensive operation and will increase the latency of your database connection. To learn more about how SSL works with MySQL, refer to the MySQL documentation. To learn how SSL works with SQL Server, you can read more in the RDS User Guide.
Automated Backups and DB Snapshots
Amazon RDS provides two different methods for backing up and restoring your DB Instance(s): automated backups and database snapshots (DB Snapshots).

Turned on by default, the automated backup feature of Amazon RDS enables point-in-time recovery for your DB Instance. Amazon RDS will back up your database and transaction logs and store both for a user-specified retention period. This allows you to restore your DB Instance to any second during your retention period, up to the last 5 minutes. Your automatic backup retention period can be configured to up to 35 days.

During the backup window, storage I/O may be suspended while your data is being backed up. This I/O suspension typically lasts a few minutes. This I/O suspension is avoided with Multi-AZ DB deployments, since the backup is taken from the standby.

DB Snapshots are user-initiated backups of your DB Instance. These full database backups are stored by Amazon RDS until you explicitly delete them. You can copy DB snapshots of any size and move them between any of AWS's public regions, or copy the same snapshot to multiple regions simultaneously. You can then create a new DB Instance from a DB Snapshot whenever you desire.
DB Instance Replication
Amazon cloud computing resources are housed in highly available datacenter facilities in different regions of the world, and each region contains multiple distinct locations called Availability Zones. Each Availability Zone is engineered to be isolated from failures in other Availability Zones, and to provide inexpensive, low-latency network connectivity to other Availability Zones in the same region.

To architect for high availability of your Oracle, PostgreSQL, or MySQL databases, you can run your RDS DB instance across more than one Availability Zone, an option called a Multi-AZ deployment. When you select this option, Amazon automatically provisions and maintains a synchronous standby replica of your DB instance in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to the standby replica. In the event of DB instance or Availability Zone failure, Amazon RDS will automatically fail over to the standby so that database operations can resume quickly without administrative intervention.

For customers who use MySQL and need to scale beyond the capacity constraints of a single DB Instance for read-heavy database workloads, Amazon RDS provides a Read Replica option. Once you create a read replica, database updates on the source DB instance are replicated to the read replica using MySQL's native, asynchronous replication. You can create multiple read replicas for a given source DB instance and distribute your application's read traffic among them. Read replicas can be created with Multi-AZ deployments to gain read scaling benefits in addition to the enhanced database write availability and data durability provided by Multi-AZ deployments.

Automatic Software Patching
Amazon RDS will make sure that the relational database software powering your deployment stays up to date with the latest patches. When necessary, patches are applied during a maintenance window that you can control. You can think of the Amazon RDS maintenance window as an opportunity to control when DB Instance modifications (such as scaling DB Instance class) and software patching occur, in the event either are requested or required. If a maintenance event is scheduled for a given week, it will be initiated and completed at some point during the 30-minute maintenance window you identify.
The only maintenance events that require Amazon RDS to take your DB Instance offline are scale-compute operations (which generally take only a few minutes from start to finish) or required software patching. Required patching is automatically scheduled only for patches that are security and durability related. Such patching occurs infrequently (typically once every few months) and should seldom require more than a fraction of your maintenance window. If you do not specify a preferred weekly maintenance window when creating your DB Instance, a 30-minute default value is assigned. If you wish to modify when maintenance is performed on your behalf, you can do so by modifying your DB Instance in the AWS Management Console or by using the ModifyDBInstance API. Each of your DB Instances can have different preferred maintenance windows, if you so choose.
Running your DB Instance as a Multi-AZ deployment can further reduce the impact of a maintenance event, as Amazon RDS will conduct maintenance via the following steps: 1) Perform maintenance on the standby, 2) Promote the standby to primary, and 3) Perform maintenance on the old primary, which becomes the new standby.
When an Amazon RDS DB Instance deletion API (DeleteDBInstance) is run, the DB Instance is marked for deletion. Once the instance no longer indicates "deleting" status, it has been removed. At this point the instance is no longer accessible and, unless a final snapshot copy was asked for, it cannot be restored and will not be listed by any of the tools or APIs.
Event Notification
You can receive notifications of a variety of important events that can occur on your RDS instance, such as whether the instance was shut down, a backup was started, a failover occurred, the security group was changed, or your storage space is low. The Amazon RDS service groups events into categories that you can subscribe to so that you can be notified when an event in that category occurs. You can subscribe to an event category for a DB instance, DB snapshot, DB security group, or for a DB parameter group. RDS events are published via AWS SNS and sent to you as an email or text message. For more information about RDS notification event categories, refer to the RDS User Guide.

Amazon Redshift Security
Amazon Redshift is a petabyte-scale SQL data warehouse service that runs on highly optimized and managed AWS compute and storage resources. The service has been architected to not only scale up or down rapidly, but to significantly improve query speeds even on extremely large datasets. To increase performance, Redshift uses techniques such as columnar storage, data compression, and zone maps to reduce the amount of IO needed to perform queries. It also has a massively parallel processing (MPP) architecture, parallelizing and distributing SQL operations to take advantage of all available resources.
When you create a Redshift data warehouse, you provision a single-node or multi-node cluster, specifying the type and number of nodes that will make up the cluster. The node type determines the storage size, memory, and CPU of each node. Each multi-node cluster includes a leader node and two or more compute nodes. A leader node manages connections, parses queries, builds execution plans, and manages query execution in the compute nodes. The compute nodes store data, perform computations, and run queries as directed by the leader node. The leader node of each cluster is accessible through ODBC and JDBC endpoints, using standard PostgreSQL drivers. The compute nodes run on a separate, isolated network and are never accessed directly.
After you provision a cluster, you can upload your dataset and perform data analysis queries by using common SQL-based tools and business intelligence applications.
Cluster Access
By default, clusters that you create are closed to everyone. Amazon Redshift enables you to configure firewall rules (security groups) to control network access to your data warehouse cluster. You can also run Redshift inside an Amazon VPC to isolate your data warehouse cluster in your own virtual network and connect it to your existing IT infrastructure using industry-standard encrypted IPsec VPN.
The AWS account that creates the cluster has full access to the cluster. Within your AWS account, you can use AWS IAM to create user accounts and manage permissions for those accounts. By using IAM, you can grant different users permission to perform only the cluster operations that are necessary for their work.
Like all databases, you must grant permission in Redshift at the database level in addition to granting access at the resource level. Database users are named user accounts that can connect to a database and are authenticated when they log in to Amazon Redshift. In Redshift, you grant database user permissions on a per-cluster basis instead of on a per-table basis. However, a user can see data only in the table rows that were generated by their own activities; rows generated by other users are not visible to them.
The user who creates a database object is its owner. By default, only a superuser or the owner of an object can query, modify, or grant permissions on the object. For users to use an object, you must grant the necessary permissions to the user or the group that contains the user. And only the owner of an object can modify or delete it.
Data Backups
Amazon Redshift distributes your data across all compute nodes in a cluster. When you run a cluster with at least two compute nodes, data on each node will always be mirrored on disks on another node, reducing the risk of data loss. In addition, all data written to a node in your cluster is continuously backed up to Amazon S3 using snapshots. Redshift stores your snapshots for a user-defined period, which can be from one to thirty-five days. You can also take your own snapshots at any time; these snapshots leverage all existing system snapshots and are retained until you explicitly delete them.
Amazon Redshift continuously monitors the health of the cluster and automatically re-replicates data from failed drives and replaces nodes as necessary. All of this happens without any effort on your part, although you may see a slight performance degradation during the re-replication process.
You can use any system or user snapshot to restore your cluster using the AWS Management Console or the Amazon Redshift APIs. Your cluster is available as soon as the system metadata has been restored and you can start running queries while user data is spooled down in the background.
Data Encryption
When creating a cluster, you can choose to encrypt it in order to provide additional protection for your data at rest. When you enable encryption in your cluster, Amazon Redshift stores all data in user-created tables in an encrypted format using hardware-accelerated AES-256 block encryption. This includes all data written to disk as well as any backups.

Amazon Redshift uses a four-tier, key-based architecture for encryption. These keys consist of data encryption keys, a database key, a cluster key, and a master key:

- Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly generated AES-256 key. These keys are encrypted by using the database key for the cluster.

- The database key encrypts data encryption keys in the cluster. The database key is a randomly generated AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and encrypted by a master key. Amazon Redshift passes the database key across a secure channel and keeps it in memory in the cluster.

- The cluster key encrypts the database key for the Amazon Redshift cluster. You can use either AWS or a hardware security module (HSM) to store the cluster key. HSMs provide direct control of key generation and management, and make key management separate and distinct from the application and the database.

- The master key encrypts the cluster key if it is stored in AWS. The master key encrypts the cluster-key-encrypted database key if the cluster key is stored in an HSM.

You can have Redshift rotate the encryption keys for your encrypted clusters at any time. As part of the rotation process, keys are also updated for all of the cluster's automatic and manual snapshots.
Note that enabling encryption in your cluster will impact performance, even though it is hardware accelerated. Encryption also applies to backups. When restoring from an encrypted snapshot, the new cluster will be encrypted as well.
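The four tiers are easiest to see as code. The following is an added illustration written for this page, not Amazon Redshift's implementation: it builds the same master key -> cluster key -> database key -> per-block data key chain in memory and then shows what a rotation costs at each tier. Because it runs stand-alone, AES-256 is stood in for by an HMAC-SHA256 keystream (unauthenticated, used only to show how the wrapping is layered), the master key is a plain byte string in place of the AWS- or HSM-held key, and the class and method names are this example's own.

```python
"""Four-tier key hierarchy of the kind the paper describes for Redshift.

Added example; not Amazon Redshift code. AES-256 is stood in for by an
HMAC-SHA256 keystream so the file runs with the standard library alone;
it is unauthenticated and only demonstrates how the wrapping is layered.
"""
import hashlib
import hmac
import os

KEY_BYTES = 32  # 256-bit keys, the AES-256 key size named in the paper


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256 (assumption): XOR data with HMAC-SHA256(key, nonce||counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt a key or a data block under kek; output is nonce || ciphertext."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(kek, nonce, plaintext)


def unwrap(kek: bytes, blob: bytes) -> bytes:
    return _keystream_xor(kek, blob[:16], blob[16:])


class EncryptedCluster:
    """master key -> cluster key -> database key -> one random data key per block."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key                      # tier 4: held by AWS or an HSM
        cluster_key = os.urandom(KEY_BYTES)               # tier 3
        database_key = os.urandom(KEY_BYTES)              # tier 2: stored only in wrapped form
        self.wrapped_cluster_key = wrap(master_key, cluster_key)
        self.wrapped_database_key = wrap(cluster_key, database_key)
        self.blocks = []  # (data key wrapped under the database key, block ciphertext)

    def _database_key(self) -> bytes:
        """Walk the chain down from the master key; the plaintext key exists only in memory."""
        cluster_key = unwrap(self.master_key, self.wrapped_cluster_key)
        return unwrap(cluster_key, self.wrapped_database_key)

    def write_block(self, data: bytes) -> int:
        data_key = os.urandom(KEY_BYTES)                  # tier 1: fresh key per block
        self.blocks.append((wrap(self._database_key(), data_key), wrap(data_key, data)))
        return len(self.blocks) - 1

    def read_block(self, index: int) -> bytes:
        wrapped_data_key, ciphertext = self.blocks[index]
        return unwrap(unwrap(self._database_key(), wrapped_data_key), ciphertext)

    def rotate_cluster_key(self) -> None:
        """Re-wraps one key (the database key); no data key or block is touched."""
        database_key = self._database_key()
        cluster_key = os.urandom(KEY_BYTES)
        self.wrapped_cluster_key = wrap(self.master_key, cluster_key)
        self.wrapped_database_key = wrap(cluster_key, database_key)

    def rotate_database_key(self) -> None:
        """Re-wraps every per-block data key; the block ciphertext is still untouched."""
        old_key, new_key = self._database_key(), os.urandom(KEY_BYTES)
        self.blocks = [(wrap(new_key, unwrap(old_key, wk)), ct) for wk, ct in self.blocks]
        cluster_key = unwrap(self.master_key, self.wrapped_cluster_key)
        self.wrapped_database_key = wrap(cluster_key, new_key)


if __name__ == "__main__":
    cluster = EncryptedCluster(master_key=os.urandom(KEY_BYTES))
    i = cluster.write_block(b"constructed sample rows")
    cluster.rotate_cluster_key()
    cluster.rotate_database_key()
    print(cluster.read_block(i))
```

The point the structure makes: rotating the outer keys never re-encrypts stored blocks, only the wrapped keys below them, which is why a rotation of the cluster key is cheap and why a compromised master key still needs every tier below it unwrapped before any block can be read.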
To encrypt your table load data files when you upload them to Amazon S3, you can use Amazon S3 server-side encryption. When you load the data from Amazon S3, the COPY command will decrypt the data as it loads the table.
Database Audit Logging
Amazon Redshift logs all SQL operations, including connection attempts, queries, and changes to your database. You can access these logs using SQL queries against system tables or choose to have them downloaded to a secure Amazon S3 bucket. You can then use these audit logs to monitor your cluster for security and troubleshooting purposes.
Automatic Software Patching
Amazon Redshift manages all the work of setting up, operating, and scaling your data warehouse, including provisioning capacity, monitoring the cluster, and applying patches and upgrades to the Amazon Redshift engine. Patches are applied only during specified maintenance windows.
SSL Connections
To protect your data in transit within the AWS cloud, Amazon Redshift uses hardware-accelerated SSL to communicate with Amazon S3 or Amazon DynamoDB for COPY, UNLOAD, backup, and restore operations. You can encrypt the connection between your client and the cluster by specifying SSL in the parameter group associated with the cluster. To have your clients also authenticate the Redshift server, you can install the public key (.pem file) for the SSL certificate on your client and use the key to connect to your clusters.
Amazon Redshift offers the newer, stronger cipher suites that use the Elliptic Curve Diffie-Hellman Ephemeral protocol. ECDHE allows SSL clients to provide Perfect Forward Secrecy between the client and the Redshift cluster. Perfect Forward Secrecy uses session keys that are ephemeral and not stored anywhere, which prevents the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised. You do not need to configure anything in Amazon Redshift to enable ECDHE; if you connect from a SQL client tool that uses ECDHE to encrypt communication between the client and server, Amazon Redshift will use the provided cipher list to make the appropriate connection.
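On the client side, the two settings that matter are verifying the server certificate against the .pem the paper mentions and offering only ECDHE cipher suites, since the server can only pick a forward-secret suite if the client offers one. The following is an added example (not Amazon's code) of how a Python client would set both with the standard ssl module before handing the context to a PostgreSQL driver; it also produces the libpq connection string that psql and psycopg2 accept. The bundle filename, the placeholder cluster hostname and port 5439 are assumptions made for the example, and the TLS 1.2 minimum goes beyond the 2014 text.

```python
"""Client-side TLS settings for a Redshift (PostgreSQL-protocol) connection.

Added example; not Amazon's code. Builds the SSLContext a client would hand to
its PostgreSQL driver and the libpq connection string psql/psycopg2 accept.
No connection is opened here.
"""
import ssl
from typing import List, Optional

REDSHIFT_PORT = 5439                            # Redshift's default listener port (assumed; check your endpoint)
REDSHIFT_CA_BUNDLE = "redshift-ca-bundle.crt"   # assumed local filename of the downloaded server certificate


def forward_secret(cipher_name: str) -> bool:
    """True for suites with ephemeral key exchange (ECDHE/DHE) and for TLS 1.3 suites, which always are."""
    return cipher_name.upper().startswith(("ECDHE", "DHE", "TLS_AES", "TLS_CHACHA20"))


def build_context(ca_file: Optional[str] = REDSHIFT_CA_BUNDLE) -> ssl.SSLContext:
    """Verify the server against ca_file (None = system trust store) and offer ECDHE suites only."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # stricter than the 2014 text; assumption
    ctx.set_ciphers("ECDHE+AESGCM")                   # ephemeral ECDH key exchange only
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def offered_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of the suites this context will offer in its ClientHello."""
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def libpq_conninfo(host: str, dbname: str, user: str,
                   ca_file: str = REDSHIFT_CA_BUNDLE, port: int = REDSHIFT_PORT) -> str:
    """sslmode=verify-full makes libpq both encrypt and check the certificate's hostname."""
    return (f"host={host} port={port} dbname={dbname} user={user} "
            f"sslmode=verify-full sslrootcert={ca_file}")


if __name__ == "__main__":
    ctx = build_context(ca_file=None)
    print(offered_ciphers(ctx))
    # placeholder hostname; substitute the endpoint shown for your cluster
    print(libpq_conninfo("examplecluster.abc123.us-east-1.redshift.amazonaws.com", "dev", "analyst"))
```

Note that `sslmode=require` alone would encrypt without checking the certificate, which defeats the purpose of installing the .pem; `verify-full` is the setting that matches what the paper describes.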

Amazon ElastiCache Security
Amazon ElastiCache is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud. The service improves the performance of web applications by allowing you to retrieve information from a fast, managed, in-memory caching system, instead of relying entirely on slower disk-based databases. It can be used to significantly improve latency and throughput for many read-heavy application workloads (such as social networking, gaming, media sharing, and Q&A portals) or compute-intensive workloads (such as a recommendation engine). Caching improves application performance by storing critical pieces of data in memory for low-latency access. Cached information may include the results of I/O-intensive database queries or the results of computationally intensive calculations.
The Amazon ElastiCache service automates time-consuming management tasks for in-memory cache environments, such as patch management, failure detection, and recovery. It works in conjunction with other Amazon Web Services (such as Amazon EC2, Amazon CloudWatch, and Amazon SNS) to provide a secure, high-performance, and managed in-memory cache. For example, an application running in Amazon EC2 can securely access an Amazon ElastiCache Cluster in the same region with very low latency.
Using the Amazon ElastiCache service, you create a Cache Cluster, which is a collection of one or more Cache Nodes, each running an instance of the Memcached service. A Cache Node is a fixed-size chunk of secure, network-attached RAM with its own DNS name and port. Multiple types of Cache Nodes are supported, each with varying amounts of associated memory. A Cache Cluster can be set up with a specific number of Cache Nodes and a Cache Parameter Group that controls the properties for each Cache Node. All Cache Nodes within a Cache Cluster are designed to be of the same Node Type and have the same parameter and security group settings.
Amazon ElastiCache allows you to control access to your Cache Clusters using Cache Security Groups. A Cache Security Group acts like a firewall, controlling network access to your Cache Cluster. By default, network access is turned off to your Cache Clusters. If you want your applications to access your Cache Cluster, you must explicitly enable access from hosts in specific EC2 security groups. Once ingress rules are configured, the same rules apply to all Cache Clusters associated with that Cache Security Group.
To allow network access to your Cache Cluster, create a Cache Security Group and use the AuthorizeCacheSecurityGroupIngress API or CLI command to authorize the desired EC2 security group (which in turn specifies the EC2 instances allowed). IP-range based access control is currently not enabled for Cache Clusters. All clients to a Cache Cluster must be within the EC2 network, and authorized via Cache Security Groups.
ElastiCache for Redis provides backup and restore functionality, where you can create a snapshot of your entire Redis cluster as it exists at a specific point in time. You can schedule automatic, recurring daily snapshots or you can create a manual snapshot at any time. For automatic snapshots, you specify a retention period; manual snapshots are retained until you delete them. The snapshots are stored in Amazon S3 with high durability, and can be used for warm starts, backups, and archiving.

Application Services
Amazon Web Services offers a variety of managed services to use with your applications, including services that provide application streaming, queueing, push notification, email delivery, search, and transcoding.

Amazon CloudSearch Security
Amazon CloudSearch is a managed service in the cloud that makes it easy to set up, manage, and scale a search solution for your website. Amazon CloudSearch enables you to search large collections of data such as web pages, document files, forum posts, or product information. It enables you to quickly add search capabilities to your website without having to become a search expert or worry about hardware provisioning, setup, and maintenance. As your volume of data and traffic fluctuates, Amazon CloudSearch automatically scales to meet your needs.
An Amazon CloudSearch domain encapsulates a collection of data you want to search, the search instances that process your search requests, and a configuration that controls how your data is indexed and searched. You create a separate search domain for each collection of data you want to make searchable. For each domain, you configure indexing options that describe the fields you want to include in your index and how you want to use them, text options that define domain-specific stopwords, stems, and synonyms, rank expressions that you can use to customize how search results are ranked, and access policies that control access to the domain's document and search endpoints.
Access to your search domain's endpoints is restricted by IP address so that only authorized hosts can submit documents and send search requests. IP address authorization is used only to control access to the document and search endpoints. All Amazon CloudSearch configuration requests must be authenticated using standard AWS authentication.
Amazon CloudSearch provides separate endpoints for accessing the configuration, search, and document services:

- The configuration service is accessed through a general endpoint: cloudsearch.us-east-1.amazonaws.com

- The document service endpoint is used to submit documents to the domain for indexing and is accessed through a domain-specific endpoint: http://doc-domainname-domainid.us-east-1.cloudsearch.amazonaws.com

- The search endpoint is used to submit search requests to the domain and is accessed through a domain-specific endpoint: http://search-domainname-domainid.us-east-1.cloudsearch.amazonaws.com

Note that if you do not have a static IP address, you must re-authorize your computer whenever your IP address changes. If your IP address is assigned dynamically, it is also likely that you're sharing that address with other computers on your network. This means that when you authorize the IP address, all computers that share it will be able to access your search domain's document service endpoint.
Like all AWS Services, Amazon CloudSearch requires that every request made to its control API be authenticated so only authenticated users can access and manage your CloudSearch domain. API requests are signed with an HMAC-SHA1 or HMAC-SHA256 signature calculated from the request and the user's AWS Secret Access key. Additionally, the Amazon CloudSearch control API is accessible via SSL-encrypted endpoints. You can control access to Amazon CloudSearch management functions by creating users under your AWS Account using AWS IAM, and controlling which CloudSearch operations these users have permission to perform.

Amazon Simple Queue Service (Amazon SQS) Security
Amazon SQS is a highly reliable, scalable message queuing service that enables asynchronous message-based communication between distributed components of an application. The components can be computers or Amazon EC2 instances or a combination of both. With Amazon SQS, you can send any number of messages to an Amazon SQS queue at any time from any component. The messages can be retrieved from the same component or a different one right away or at a later time (within 4 days). Messages are highly durable; each message is persistently stored in highly available, highly reliable queues. Multiple processes can read/write from/to an Amazon SQS queue at the same time without interfering with each other.
Amazon SQS access is granted based on an AWS Account or a user created with AWS IAM. Once authenticated, the AWS Account has full access to all user operations. An AWS IAM user, however, only has access to the operations and queues for which they have been granted access via policy. By default, access to each individual queue is restricted to the AWS Account that created it. However, you can allow other access to a queue, using either an SQS-generated policy or a policy you write.
Amazon SQS is accessible via SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2. Data stored within Amazon SQS is not encrypted by AWS; however, the user can encrypt data before it is uploaded to Amazon SQS, provided that the application utilizing the queue has a means to decrypt the message when retrieved. Encrypting messages before sending them to Amazon SQS helps protect against access to sensitive customer data by unauthorized persons, including AWS.

Amazon Simple Notification Service (Amazon SNS) Security
Amazon Simple Notification Service (Amazon SNS) is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications.
Amazon SNS provides a simple web services interface that can be used to create topics that customers want to notify applications (or people) about, subscribe clients to these topics, publish messages, and have these messages delivered over the clients' protocol of choice (i.e., HTTP/HTTPS, email, etc.). Amazon SNS delivers notifications to clients using a push mechanism that eliminates the need to periodically check or poll for new information and updates. Amazon SNS can be leveraged to build highly reliable, event-driven workflows and messaging applications without the need for complex middleware and application management. The potential uses for Amazon SNS include monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and many others. Amazon SNS provides access control mechanisms so that topics and messages are secured against unauthorized access. Topic owners can set policies for a topic that restrict who can publish or subscribe to a topic. Additionally, topic owners can encrypt transmission by specifying that the delivery mechanism must be HTTPS.
Amazon SNS access is granted based on an AWS Account or a user created with AWS IAM. Once authenticated, the AWS Account has full access to all user operations. An AWS IAM user, however, only has access to the operations and topics for which they have been granted access via policy. By default, access to each individual topic is restricted to the AWS Account that created it. However, you can allow other access to SNS, using either an SNS-generated policy or a policy you write.

Amazon Simple Workflow Service (Amazon SWF) Security
The Amazon Simple Workflow Service (SWF) makes it easy to build applications that coordinate work across distributed components. Using Amazon SWF, you can structure the various processing steps in an application as tasks that drive work in distributed applications, and Amazon SWF coordinates these tasks in a reliable and scalable manner. Amazon SWF manages task execution dependencies, scheduling, and concurrency based on a developer's application logic. The service stores tasks, dispatches them to application components, tracks their progress, and keeps their latest state.
Amazon SWF provides simple API calls that can be executed from code written in any language and run on your EC2 instances, or any of your machines located anywhere in the world that can access the Internet. Amazon SWF acts as a coordination hub with which your application hosts interact. You create desired workflows with their associated tasks and any conditional logic you wish to apply and store them with Amazon SWF.
Amazon SWF access is granted based on an AWS Account or a user created with AWS IAM. All actors that participate in the execution of a workflow (deciders, activity workers, workflow administrators) must be IAM users under the AWS Account that owns the Amazon SWF resources. You cannot grant users associated with other AWS Accounts access to your Amazon SWF workflows. An AWS IAM user, however, only has access to the workflows and resources for which they have been granted access via policy.

Amazon Simple Email Service (Amazon SES) Security
Amazon Simple Email Service (SES) is an outbound-only email-sending service built on Amazon's reliable and scalable infrastructure. Amazon SES helps you maximize email deliverability and stay informed of the delivery status of your emails. Amazon SES integrates with other AWS services, making it easy to send emails from applications being hosted on services such as Amazon EC2.
Unfortunately, with other email systems, it's possible for a spammer to falsify an email header and spoof the originating email address so that it appears as though the email originated from a different source. To mitigate these problems, Amazon SES requires users to verify their email address or domain in order to confirm that they own it and to prevent others from using it. To verify a domain, Amazon SES requires the sender to publish a DNS record that Amazon SES supplies as proof of control over the domain. Amazon SES periodically reviews domain verification status, and revokes verification in cases where it is no longer valid.
Amazon SES takes proactive steps to prevent questionable content from being sent, so that ISPs receive consistently high-quality email from our domains and therefore view Amazon SES as a trusted email origin. Below are some of the features that maximize deliverability and dependability for all of our senders:

- Amazon SES uses content-filtering technologies to help detect and block messages containing viruses or malware before they can be sent.

- Amazon SES maintains complaint feedback loops with major ISPs. Complaint feedback loops indicate which emails a recipient marked as spam. Amazon SES provides you access to these delivery metrics to help guide your sending strategy.

- Amazon SES uses a variety of techniques to measure the quality of each user's sending. These mechanisms help identify and disable attempts to use Amazon SES for unsolicited mail, and detect other sending patterns that would harm Amazon SES's reputation with ISPs, mailbox providers, and anti-spam services.

- Amazon SES supports authentication mechanisms such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). When you authenticate an email, you provide evidence to ISPs that you own the domain. Amazon SES makes it easy for you to authenticate your emails. If you configure your account to use Easy DKIM, Amazon SES will DKIM-sign your emails on your behalf, so you can focus on other aspects of your email-sending strategy. To ensure optimal deliverability, we recommend that you authenticate your emails.
As with other AWS services, you use security credentials to verify who you are and whether you have permission to interact with Amazon SES. For information about which credentials to use, see Using Credentials with Amazon SES. Amazon SES also integrates with AWS IAM so that you can specify which Amazon SES API actions a user can perform.
If you choose to communicate with Amazon SES through its SMTP interface, you are required to encrypt your connection using TLS. Amazon SES supports two mechanisms for establishing a TLS-encrypted connection: STARTTLS and TLS Wrapper. If you choose to communicate with Amazon SES over HTTP, then all communication will be protected by TLS through Amazon SES's HTTPS endpoint. When delivering email to its final destination, Amazon SES encrypts the email content with opportunistic TLS, if supported by the receiver.
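SPF, listed among the authentication mechanisms above, works because the receiving mail server evaluates the record you publish in DNS against the IP address that actually delivered the message. The following added example (not Amazon SES code) evaluates an SPF record offline for the ip4, ip6, include and all mechanisms, with the qualifier semantics and the ten-lookup limit from RFC 7208, so you can see exactly what an include of a sending provider does and does not authorize. The records it evaluates are constructed for the example and use documentation address ranges, not any real domain's data; a production checker fetches records over DNS and also handles the a, mx, ptr, exists and redirect terms.

```python
"""Offline SPF evaluation over constructed records.

Added example; not Amazon SES code. Handles the ip4, ip6, include and all
mechanisms with their qualifiers and the RFC 7208 lookup limit. A real checker
resolves records over DNS and also handles a, mx, ptr, exists and redirect.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than ten include/a/mx/... lookups is a permerror

# Constructed records for the example (documentation address ranges, not real domains).
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def parse_spf(record: str):
    """Return [(result_if_matched, mechanism, value)] or None if this is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term and ":" not in term:      # modifier (redirect=, exp=); not handled here
            continue
        qualifier = "+"                          # no qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], mechanism.lower(), value))
    return parsed


def spf_result(domain: str, ip: str, records: dict, _lookups=None) -> str:
    """Evaluate ip against domain's SPF record: pass, fail, softfail, neutral, none or permerror."""
    if _lookups is None:
        _lookups = [0]                           # shared counter across include recursion
    record = records.get(domain.lower())
    terms = parse_spf(record) if record is not None else None
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for result, mechanism, value in terms:
        if mechanism == "all":
            return result
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if addr.version == network.version and addr in network:
                return result
        elif mechanism == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = spf_result(value, ip, records, _lookups)
            if inner == "pass":                  # include only ever matches on the inner "pass"
                return result
            if inner in ("none", "permerror"):   # RFC 7208 section 5.2: included domain must publish a record
                return "permerror"
        else:
            return "permerror"                   # a, mx, ptr, exists need DNS; out of scope here
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::1", "198.51.100.1"):
        print(ip, spf_result("example.com", ip, RECORDS))
```

Two behaviours worth noticing: an included record's own "-all" or "~all" never fails the outer evaluation (only its pass counts), so the sending domain's trailing "-all" is what turns an unknown source into a hard fail; and a self-referencing include is caught by the lookup counter rather than recursing forever.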

Amazon Elastic Transcoder Service Security
The Amazon Elastic Transcoder service simplifies and automates what is usually a complex process of converting media files from one format, size, or quality to another. The Elastic Transcoder service converts standard-definition (SD) or high-definition (HD) video files as well as audio files. It reads input from an Amazon S3 bucket, transcodes it, and writes the resulting file to another Amazon S3 bucket. You can use the same bucket for input and output, and the buckets can be in any AWS region. The Elastic Transcoder accepts input files in a wide variety of web, consumer, and professional formats. Output file types include the MP3, MP4, OGG, TS, WebM, HLS using MPEG-2 TS, and Smooth Streaming using fmp4 container types, storing H.264 or VP8 video and AAC, MP3, or Vorbis audio.
You'll start with one or more input files, and create transcoding jobs in a type of workflow called a transcoding pipeline for each file. When you create the pipeline you'll specify input and output buckets as well as an IAM role. Each job must reference a media conversion template called a transcoding preset, and will result in the generation of one or more output files. A preset tells the Elastic Transcoder what settings to use when processing a particular input file. You can specify many settings when you create a preset, including the sample rate, bit rate, resolution (output height and width), the number of reference and keyframes, a video bit rate, some thumbnail creation options, etc.
A best effort is made to start jobs in the order in which they are submitted, but this is not a hard guarantee and jobs typically finish out of order since they are worked on in parallel and vary in complexity. You can pause and resume any of your pipelines if necessary.
Elastic Transcoder supports the use of SNS notifications when it starts and finishes each job, and when it needs to tell you that it has detected an error or warning condition. The SNS notification parameters are associated with each pipeline. You can also use the ListJobsByStatus function to find all of the jobs with a given status (e.g., "Completed") or the ReadJob function to retrieve detailed information about a particular job.
Like all other AWS services, Elastic Transcoder integrates with AWS Identity and Access Management (IAM), which allows you to control access to the service and to other AWS resources that Elastic Transcoder requires, including Amazon S3 buckets and Amazon SNS topics. By default, IAM users have no access to Elastic Transcoder or to the resources that it uses. If you want IAM users to be able to work with Elastic Transcoder, you must explicitly grant them permissions.
Amazon Elastic Transcoder requires every request made to its control API be authenticated so only authenticated processes or users can create, modify, or delete their own Amazon Elastic Transcoder pipelines and presets. Requests are signed with an HMAC-SHA256 signature calculated from the request and a key derived from the user's secret key. Additionally, the Amazon Elastic Transcoder API is only accessible via SSL-encrypted endpoints.
Durability is provided by Amazon S3, where media files are redundantly stored on multiple devices across multiple facilities in an Amazon S3 region. For added protection against users accidentally deleting media files, you can use the Versioning feature in Amazon S3 to preserve, retrieve, and restore every version of every object stored in an Amazon S3 bucket. You can further protect versions using Amazon S3 Versioning's MFA Delete feature. Once enabled for an Amazon S3 bucket, each version deletion request must include the six-digit code and serial number from your multi-factor authentication device.

Amazon AppStream Security
The Amazon AppStream service provides a framework for running streaming applications, particularly applications that require lightweight clients running on mobile devices. It enables you to store and run your application on powerful, parallel-processing GPUs in the cloud and then stream input and output to any client device. This can be a pre-existing application that you modify to work with Amazon AppStream or a new application that you design specifically to work with the service.
The Amazon AppStream SDK simplifies the development of interactive streaming applications and client applications. The SDK provides APIs that connect your customers' devices directly to your application, capture and encode audio and video, stream content across the Internet in near real-time, decode content on client devices, and return user input to the application. Because your application's processing occurs in the cloud, it can scale to handle extremely large computational loads.
Amazon AppStream deploys streaming applications on Amazon EC2. When you add a streaming application through the AWS Management Console, the service creates the AMI required to host your application and makes your application available to streaming clients. The service scales your application as needed within the capacity limits you have set to meet demand. Clients using the Amazon AppStream SDK automatically connect to your streamed application.
In most cases, you'll want to ensure that the user running the client is authorized to use your application before letting them obtain a session ID. We recommend that you use some sort of entitlement service, which is a service that authenticates clients and authorizes their connection to your application. In this case, the entitlement service will also call into the Amazon AppStream REST API to create a new streaming session for the client. After the entitlement service creates a new session, it returns the session identifier to the authorized client as a single-use entitlement URL. The client then uses the entitlement URL to connect to the application. Your entitlement service can be hosted on an Amazon EC2 instance or on AWS Elastic Beanstalk.
Amazon AppStream utilizes an AWS CloudFormation template that automates the process of deploying a GPU EC2 instance that has the AppStream Windows Application and Windows Client SDK libraries installed; is configured for SSH, RDC, or VPN access; and has an elastic IP address assigned to it. By using this template to deploy your standalone streaming server, all you need to do is upload your application to the server and run the command to launch it. You can then use the Amazon AppStream Service Simulator tool to test your application in standalone mode before deploying it into production.
Amazon AppStream also utilizes the STX Protocol to manage the streaming of your application from AWS to local devices. The Amazon AppStream STX Protocol is a proprietary protocol used to stream high-quality application video over varying network conditions; it monitors network conditions and automatically adapts the video stream to provide a low-latency and high-resolution experience to your customers. It minimizes latency while syncing audio and video as well as capturing input from your customers to be sent back to the application running in AWS.
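The entitlement-service pattern described above (authenticate the user, create a session, hand back a single-use URL) has two properties that are easy to get wrong: the URL must not be forgeable, and it must not be replayable. The following added example (not Amazon AppStream code) implements the service side with an HMAC-signed, expiring, one-time token. The call to the AppStream REST API is stubbed out, the clock is injectable so expiry can be exercised, and the user table, URL fields and names are this example's own assumptions.

```python
"""Single-use entitlement URLs for an AppStream-style entitlement service.

Added example; not Amazon AppStream code. create_streaming_session stands in
for the AppStream REST call; the user table, URL fields and names are assumed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def create_streaming_session(application_id: str) -> str:
    """Stub for the AppStream REST call that creates a streaming session (assumption)."""
    return "sess-" + secrets.token_hex(8)


class EntitlementService:
    def __init__(self, signing_key: bytes, base_url: str, ttl_seconds: int = 60, clock=time.time):
        self._key = signing_key
        self._base_url = base_url
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so expiry can be tested without sleeping
        self._pending = {}             # token -> (session_id, expires_at); removed on first redeem
        self._entitlements = {"alice": {"demo-app"}}  # constructed authorization table

    def is_entitled(self, user: str, application_id: str) -> bool:
        return application_id in self._entitlements.get(user, set())

    def _mac(self, token: str, session_id: str, expires_at: int) -> str:
        msg = f"{token}|{session_id}|{expires_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, application_id: str) -> str:
        """For an already-authenticated user: authorize, create a session, return the one-time URL."""
        if not self.is_entitled(user, application_id):
            raise PermissionError(f"{user} is not entitled to {application_id}")
        session_id = create_streaming_session(application_id)
        token = secrets.token_urlsafe(32)
        expires_at = int(self._clock()) + self._ttl
        self._pending[token] = (session_id, expires_at)
        query = urlencode({"token": token, "session": session_id, "expires": expires_at,
                           "sig": self._mac(token, session_id, expires_at)})
        return f"{self._base_url}?{query}"

    def redeem(self, entitlement_url: str) -> str:
        """Return the session ID exactly once for a valid, unexpired, untampered URL."""
        params = {k: v[0] for k, v in parse_qs(urlparse(entitlement_url).query).items()}
        try:
            token, session_id = params["token"], params["session"]
            expires_at, sig = int(params["expires"]), params["sig"]
        except (KeyError, ValueError):
            raise PermissionError("malformed entitlement URL")
        # Signature first: a forged URL is rejected before it can touch the token store.
        if not hmac.compare_digest(sig, self._mac(token, session_id, expires_at)):
            raise PermissionError("bad signature")
        if self._clock() > expires_at:
            self._pending.pop(token, None)
            raise PermissionError("entitlement expired")
        pending = self._pending.pop(token, None)   # pop is what makes the URL single-use
        if pending != (session_id, expires_at):
            raise PermissionError("entitlement already used or unknown")
        return session_id

    def try_redeem(self, entitlement_url: str) -> Optional[str]:
        """Convenience wrapper: session ID on success, None on any rejection."""
        try:
            return self.redeem(entitlement_url)
        except PermissionError:
            return None


if __name__ == "__main__":
    service = EntitlementService(secrets.token_bytes(32), "https://entitle.example.test/connect")
    url = service.issue("alice", "demo-app")
    print(service.try_redeem(url))   # session ID
    print(service.try_redeem(url))   # None: the URL has been consumed
```

The signature check precedes the store lookup so that guessed or tampered URLs cost nothing but an HMAC, and the token is removed on first use rather than marked, which keeps the store from growing with consumed entries.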

Analytics Services
Amazon Web Services provides cloud-based analytics services to help you process and analyze any volume of data, whether your need is for managed Hadoop clusters, real-time streaming data, petabyte-scale data warehousing, or orchestration.

Amazon Elastic MapReduce (Amazon EMR) Security
Amazon Elastic MapReduce (Amazon EMR) is a managed web service you can use to run Hadoop clusters that process vast amounts of data by distributing the work and data among several servers. It utilizes an enhanced version of the Apache Hadoop framework running on the web-scale infrastructure of Amazon EC2 and Amazon S3. You simply upload your input data and a data processing application into Amazon S3. Amazon EMR then launches the number of Amazon EC2 instances you specify. The service begins the job flow execution while pulling the input data from Amazon S3 into the launched Amazon EC2 instances. Once the job flow is finished, Amazon EMR transfers the output data to Amazon S3, where you can then retrieve it or use it as input in another job flow.
When launching job flows on your behalf, Amazon EMR sets up two Amazon EC2 security groups: one for the master nodes and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to SSH into the instances, using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default both security groups are set up to not allow access from external sources, including Amazon EC2 instances belonging to other customers. Since these are security groups within your account, you can reconfigure them using the standard EC2 tools or dashboard. To protect customer input and output datasets, Amazon EMR transfers data to and from Amazon S3 using SSL.
Amazon EMR provides several ways to control access to the resources of your cluster. You can use AWS IAM to create user accounts and roles and configure permissions that control which AWS features those users and roles can access. When you launch a cluster, you can associate an Amazon EC2 key pair with the cluster, which you can then use when you connect to the cluster using SSH. You can also set permissions that allow users other than the default Hadoop user to submit jobs to your cluster.
By default, if an IAM user launches a cluster, that cluster is hidden from other IAM users on the AWS account. This filtering occurs on all Amazon EMR interfaces (the console, CLI, API, and SDKs) and helps prevent IAM users from accessing and inadvertently changing clusters created by other IAM users. It is useful for clusters that are intended to be viewed by only a single IAM user and the main AWS account. You also have the option to make a cluster visible and accessible to all IAM users under a single AWS account.
For an additional layer of protection, you can launch the EC2 instances of your EMR cluster into an Amazon VPC, which is like launching it into a private subnet. This allows you to control access to the entire subnetwork. You can also launch the cluster into a VPC and enable the cluster to access resources on your internal network using a VPN connection. You can encrypt the input data before you upload it to Amazon S3 using any common data encryption tool. If you do encrypt the data before it's uploaded, you then need to add a decryption step to the beginning of your job flow when Amazon Elastic MapReduce fetches the data from Amazon S3.

Amazon Kinesis Security
Amazon Kinesis is a managed service designed to handle real-time streaming of big data. It can accept any amount of data, from any number of sources, scaling up and down as needed. You can use Kinesis in situations that call for large-scale, real-time data ingestion and processing, such as server logs, social media or market data feeds, and web clickstream data.


Applications read and write data records to Amazon Kinesis in streams. You can create any number of Kinesis streams to capture, store, and transport data. Amazon Kinesis automatically manages the infrastructure, storage, networking, and configuration needed to collect and process your data at the level of throughput your streaming applications need. You don't have to worry about provisioning, deployment, or ongoing maintenance of hardware, software, or other services to enable real-time capture and storage of large-scale data. Amazon Kinesis also synchronously replicates data across three facilities in an AWS Region, providing high availability and data durability.

In Amazon Kinesis, data records contain a sequence number, a partition key, and a data blob, which is an uninterpreted, immutable sequence of bytes. The Amazon Kinesis service does not inspect, interpret, or change the data in the blob in any way. Data records are accessible for only 24 hours from the time they are added to an Amazon Kinesis stream, and then they are automatically discarded.

Your application is a consumer of an Amazon Kinesis stream, which typically runs on a fleet of Amazon EC2 instances. A Kinesis application uses the Amazon Kinesis Client Library to read from the Amazon Kinesis stream. The Kinesis Client Library takes care of a variety of details for you including failover, recovery, and load balancing, allowing your application to focus on processing the data as it becomes available. After processing the record, your consumer code can pass it along to another Kinesis stream; write it to an Amazon S3 bucket, a Redshift data warehouse, or a DynamoDB table; or simply discard it. A connector library is available to help you integrate Kinesis with other AWS services (such as DynamoDB, Redshift, and Amazon S3) as well as third-party products like Apache Storm.

You can control logical access to Kinesis resources and management functions by creating users under your AWS Account using AWS IAM, and controlling which Kinesis operations these users have permission to perform. To facilitate running your producer or consumer applications on an Amazon EC2 instance, you can configure that instance with an IAM role. That way, AWS credentials that reflect the permissions associated with the IAM role are made available to applications on the instance, which means you don't have to use your long-term AWS security credentials. Roles have the added benefit of providing temporary credentials that expire within a short time frame, which adds an additional measure of protection. See the Using IAM guide for more information about IAM roles.

The Amazon Kinesis API is only accessible via an SSL-encrypted endpoint (kinesis.us-east-1.amazonaws.com) to help ensure secure transmission of your data to AWS. You must connect to that endpoint to access Kinesis, but you can then use the API to direct AWS Kinesis to create a stream in any AWS Region.

AWS Data Pipeline Security
The AWS Data Pipeline service helps you process and move data between different data sources at specified intervals using data-driven workflows and built-in dependency checking. When you create a pipeline, you define data sources, preconditions, destinations, processing steps, and an operational schedule. Once you define and activate a pipeline, it will run automatically according to the schedule you specified.

With AWS Data Pipeline, you don't have to worry about checking resource availability, managing inter-task dependencies, retrying transient failures/timeouts in individual tasks, or creating a failure notification system. AWS Data Pipeline takes care of launching the AWS services and resources your pipeline needs to process your data (e.g., Amazon EC2 or EMR) and transferring the results to storage (e.g., Amazon S3, RDS, DynamoDB, or EMR).

When you use the console, AWS Data Pipeline creates the necessary IAM roles and policies, including a trusted entities list for you. IAM roles determine what your pipeline can access and the actions it can perform. Additionally, when your pipeline creates a resource, such as an EC2 instance, IAM roles determine the EC2 instance's permitted resources and actions. When you create a pipeline, you specify one IAM role that governs your pipeline and another IAM role to govern your pipeline's resources (referred to as a "resource role"), which can be the same role for both. As part of the security best practice of least privilege, we recommend that you consider the minimum permissions necessary for your pipeline to perform work and define the IAM roles accordingly.

Like most AWS services, AWS Data Pipeline also provides the option of secure (HTTPS) endpoints for access via SSL.

Deployment and Management Services
Amazon Web Services provides a variety of tools to help with the deployment and management of your applications. This includes services that allow you to create individual user accounts with credentials for access to AWS services. It also includes services for creating and updating stacks of AWS resources, deploying applications on those resources, and monitoring the health of those AWS resources. Other tools help you manage cryptographic keys using hardware security modules (HSMs) and log AWS API activity for security and compliance purposes.

AWS Identity and Access Management (AWS IAM)
AWS IAM allows you to create multiple users and manage the permissions for each of these users within your AWS Account. A user is an identity (within an AWS Account) with unique security credentials that can be used to access AWS Services. AWS IAM eliminates the need to share passwords or keys, and makes it easy to enable or disable a user's access as appropriate.

AWS IAM enables you to implement security best practices, such as least privilege, by granting unique credentials to every user within your AWS Account and only granting permission to access the AWS services and resources required for the users to perform their jobs. AWS IAM is secure by default; new users have no access to AWS until permissions are explicitly granted.

AWS IAM is also integrated with the AWS Marketplace, so that you can control who in your organization can subscribe to the software and services offered in the Marketplace. Since subscribing to certain software in the Marketplace launches an EC2 instance to run the software, this is an important access control feature. Using AWS IAM to control access to the AWS Marketplace also enables AWS Account owners to have fine-grained control over usage and software costs.

AWS IAM enables you to minimize the use of your AWS Account credentials. Once you create AWS IAM user accounts, all interactions with AWS Services and resources should occur with AWS IAM user security credentials. More information about AWS IAM is available on the AWS website: http://aws.amazon.com/iam/
Roles
An IAM role uses temporary security credentials to allow you to delegate access to users or services that normally don't have access to your AWS resources. A role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group. An authorized entity (e.g., mobile user, EC2 instance) assumes a role and receives temporary security credentials for authenticating to the resources defined in the role. Temporary security credentials provide enhanced security due to their short lifespan (the default expiration is 12 hours) and the fact that they cannot be reused after they expire. This can be particularly useful in providing limited, controlled access in certain situations:

- Federated (non-AWS) User Access. Federated users are users (or applications) who do not have AWS Accounts. With roles, you can give them access to your AWS resources for a limited amount of time. This is useful if you have non-AWS users that you can authenticate with an external service, such as Microsoft Active Directory, LDAP, or Kerberos. The temporary AWS credentials used with the roles provide identity federation between AWS and your non-AWS users in your corporate identity and authorization system.

  If your organization supports SAML 2.0 (Security Assertion Markup Language 2.0), you can create trust between your organization as an identity provider (IdP) and other organizations as service providers. In AWS, you can configure AWS as the service provider and use SAML to provide your users with federated single sign-on (SSO) to the AWS Management Console or to get federated access to call AWS APIs.

  Roles are also useful if you create a mobile or web-based application that accesses AWS resources. AWS resources require security credentials for programmatic requests; however, you shouldn't embed long-term security credentials in your application because they are accessible to the application's users and can be difficult to rotate. Instead, you can let users sign in to your application using Login with Amazon, Facebook, or Google, and then use their authentication information to assume a role and get temporary security credentials.

- Cross-Account Access. For organizations who use multiple AWS Accounts to manage their resources, you can set up roles to provide users who have permissions in one account to access resources under another account. For organizations who have personnel who only rarely need access to resources under another account, using roles helps ensure that credentials are provided temporarily, only as needed.

- Applications Running on EC2 Instances that Need to Access AWS Resources. If an application runs on an Amazon EC2 instance and needs to make requests for AWS resources such as Amazon S3 buckets or a DynamoDB table, it must have security credentials. Using roles instead of creating individual IAM accounts for each application on each instance can save significant time for customers who manage a large number of instances or an elastically scaling fleet using AWS Auto Scaling.

The temporary credentials include a security token, an Access Key ID, and a Secret Access Key. To give a user access to certain resources, you distribute the temporary security credentials to the user you are granting temporary access to. When the user makes calls to your resources, the user passes in the token and Access Key ID, and signs the request with the Secret Access Key. The token will not work with different access keys. How the user passes in the token depends on the API and version of the AWS product the user is making calls to. More information about temporary security credentials is available on the AWS website: http://docs.amazonwebservices.com/STS

The use of temporary credentials means additional protection for you because you don't have to manage or distribute long-term credentials to temporary users. In addition, the temporary credentials get automatically loaded to the target instance so you don't have to embed them somewhere unsafe like your code. Temporary credentials are automatically rotated or changed multiple times a day without any action on your part, and are stored securely by default.

More information about using IAM roles to auto-provision keys on EC2 instances is available in the Using IAM guide on the AWS website: http://docs.amazonwebservices.com/IAM
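The client side of that exchange, as an added example that is not part of the paper: a request to the Kinesis endpoint named earlier is signed with the Secret Access Key while the Access Key ID and the session token are sent along with it. The example uses the AWS Signature Version 4 scheme (the CloudWatch section of the paper describes an HMAC-SHA1 variant; as the text notes, the exact form depends on the API and product version), and the credential values are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder temporary credentials (not real AWS keys): the three parts
# the text describes, an Access Key ID, a Secret Access Key and a session token.
TEMP_CREDS = {
    "access_key_id": "ASIAEXAMPLEKEYID0000",
    "secret_access_key": "exampleSecretAccessKeyDoNotUse0000000000",
    "session_token": "ExampleSessionTokenValue==",
}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_access_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: the secret key never goes on the wire; only a key
    derived from it and scoped to one date, region and service is used to sign."""
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, body, creds, region, service, amz_date):
    """Return the request headers with the SigV4 Authorization header added.

    The session token travels in x-amz-security-token and is one of the signed
    headers, so the token, the Access Key ID and the signature are bound together
    in a single request; the Secret Access Key itself is never transmitted.
    """
    date = amz_date[:8]
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    hdrs["x-amz-security-token"] = creds["session_token"]
    names = sorted(hdrs)
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in names)
    signed_headers = ";".join(names)
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canonical_request = "\n".join([
        method, quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, _sha256_hex(body),
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signature = hmac.new(
        signing_key(creds["secret_access_key"], date, region, service),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()
    hdrs["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['access_key_id']}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return hdrs


def sign_kinesis_list_streams(creds, amz_date="20141103T120000Z"):
    """Sign a Kinesis ListStreams call against the endpoint named in the text."""
    return sign_request(
        "POST", "kinesis.us-east-1.amazonaws.com", "/", {},
        {"Content-Type": "application/x-amz-json-1.1",
         "X-Amz-Target": "Kinesis_20131202.ListStreams"},
        b"{}", creds, "us-east-1", "kinesis", amz_date,
    )


if __name__ == "__main__":
    for name, value in sign_kinesis_list_streams(TEMP_CREDS).items():
        print(f"{name}: {value}")
```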

Amazon CloudWatch Security
Amazon CloudWatch is a web service that provides monitoring for AWS cloud resources, starting with Amazon EC2. It provides customers with visibility into resource utilization, operational performance, and overall demand patterns, including metrics such as CPU utilization, disk reads and writes, and network traffic. You can set up CloudWatch alarms to notify you if certain thresholds are crossed, or to take other automated actions such as adding or removing EC2 instances if Auto Scaling is enabled.

CloudWatch captures and summarizes utilization metrics natively for AWS resources, but you can also have other logs sent to CloudWatch to monitor. You can route your guest OS, application, and custom log files for the software installed on your EC2 instances to CloudWatch, where they will be stored in durable fashion for as long as you'd like. You can configure CloudWatch to monitor the incoming log entries for any desired symbols or messages and to surface the results as CloudWatch metrics. You could, for example, monitor your web server's log files for 404 errors to detect bad inbound links or invalid user messages to detect unauthorized login attempts to your guest OS.

Like all AWS Services, Amazon CloudWatch requires that every request made to its control API be authenticated so only authenticated users can access and manage CloudWatch. Requests are signed with an HMAC-SHA1 signature calculated from the request and the user's private key. Additionally, the Amazon CloudWatch control API is only accessible via SSL-encrypted endpoints.

You can further control access to Amazon CloudWatch by creating users under your AWS Account using AWS IAM, and controlling what CloudWatch operations these users have permission to call.
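An added example (not from the paper) of the log monitoring just described: metric-filter style patterns are applied to constructed sample web server and sshd log lines, matches are counted per minute, and the resulting series is checked against a threshold the way a CloudWatch alarm evaluates consecutive periods. The log lines, patterns and thresholds are all assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines, standing in for the guest OS and application logs
# the text says can be routed to CloudWatch: an Apache-style access log and sshd
# entries from an auth log.
WEB_LOG = """\
10.0.0.5 - - [03/Nov/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [03/Nov/2014:10:00:09 +0000] "GET /old-page HTTP/1.1" 404 198
10.0.0.7 - - [03/Nov/2014:10:01:14 +0000] "GET /missing.png HTTP/1.1" 404 198
10.0.0.9 - - [03/Nov/2014:10:01:30 +0000] "GET /about HTTP/1.1" 200 1024
10.0.0.7 - - [03/Nov/2014:10:02:02 +0000] "GET /nope HTTP/1.1" 404 198
"""

AUTH_LOG = """\
Nov  3 10:00:12 web1 sshd[2210]: Invalid user admin from 198.51.100.23
Nov  3 10:00:15 web1 sshd[2212]: Invalid user test from 198.51.100.23
Nov  3 10:00:40 web1 sshd[2215]: Accepted publickey for ec2-user from 10.0.0.2 port 50122 ssh2
Nov  3 10:01:03 web1 sshd[2220]: Invalid user oracle from 198.51.100.23
Nov  3 10:01:05 web1 sshd[2222]: Invalid user guest from 198.51.100.23
Nov  3 10:01:07 web1 sshd[2224]: Invalid user pi from 198.51.100.23
"""

# Each "metric filter" is a regex that must capture the event timestamp as <ts>.
WEB_404_FILTER = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" 404 \d+')
SSH_INVALID_USER_FILTER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user "
)


def apply_metric_filter(log_text, metric_filter, ts_format, year=None):
    """Count matching log lines per one-minute period, like a metric derived from a
    CloudWatch Logs metric filter. Returns {"YYYY-MM-DDTHH:MM": count}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = metric_filter.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), ts_format)
        if year is not None:          # syslog timestamps carry no year
            ts = ts.replace(year=year)
        counts[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


def evaluate_alarm(series, threshold, evaluation_periods):
    """Return "ALARM" when the most recent evaluation_periods consecutive periods all
    reach the threshold, otherwise "OK" (periods with no data points are ignored here)."""
    periods = sorted(series)
    if len(periods) < evaluation_periods:
        return "OK"
    recent = periods[-evaluation_periods:]
    return "ALARM" if all(series[p] >= threshold for p in recent) else "OK"


if __name__ == "__main__":
    web_404 = apply_metric_filter(WEB_LOG, WEB_404_FILTER, "%d/%b/%Y:%H:%M:%S %z")
    ssh_bad = apply_metric_filter(AUTH_LOG, SSH_INVALID_USER_FILTER, "%b %d %H:%M:%S", year=2014)
    print("404s per minute:", web_404, evaluate_alarm(web_404, 3, 1))
    print("invalid SSH users per minute:", ssh_bad, evaluate_alarm(ssh_bad, 3, 1))
```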

AWS Elastic Beanstalk Security
AWS Elastic Beanstalk is a deployment and management tool that automates the functions of capacity provisioning, load balancing, and auto scaling for your applications. You can upload your deployable code and AWS Elastic Beanstalk does the rest. Once the application is running, Elastic Beanstalk automates management tasks such as monitoring, application version deployment, log file snapshots, and health checks, replacing resources (such as EC2 instances) if they are deemed unhealthy in order to keep your application up and running.

AWS Elastic Beanstalk uses several AWS features and services such as Amazon EC2, Amazon RDS, Elastic Load Balancing, Auto Scaling, Amazon S3, and Amazon SNS to create an environment that seamlessly runs your application. It automatically launches one or more EC2 instances using a securely configured AMI, stores the application in Amazon S3, initiates load balancing and auto scaling, and monitors the health of the application environment.

When your application needs to call an AWS service API (like DynamoDB or CloudWatch), you can pass the AWS access key and secret key to your application using Elastic Beanstalk environment variables or use an IAM role to create temporary credentials. When you create an IAM role, your application can use the instance profile associated with that role to obtain temporary security credentials to make AWS API calls. When you deploy your application to AWS Elastic Beanstalk, Elastic Beanstalk launches the EC2 instances using the instance profile you specify. Your application uses the role credentials that are available on the EC2 instance. Your application retrieves the role credentials from the Instance MetaData Service (IMDS), and then makes API calls to the AWS service using those credentials. An additional security benefit of using IAM roles is that the temporary credentials are automatically rotated for you multiple times a day.

For an additional layer of privacy, you can also run Elastic Beanstalk applications within a Virtual Private Cloud (VPC). You can define and provision a private, virtual network in the AWS cloud and connect it to your corporate network using a VPN connection. This allows you to run a broader variety of applications on Elastic Beanstalk. For example, you can run your intranet applications such as a trouble ticketing application or a reporting site on Elastic Beanstalk.

Even though Elastic Beanstalk automates the provisioning and deployment of an application, you can use the Elastic Beanstalk console to manually override the default settings for the AWS resources, retaining as much control as you'd like over the underlying infrastructure. In addition, you can configure a variety of monitoring and security features, including:

- Enforcing secure transmission of data to and from your application by enabling HTTPS on the load balancer
- Receiving email notifications through Amazon Simple Notification Service (Amazon SNS) when application health changes or application servers are added or removed
- Enabling secure transmission of email notifications by specifying HTTPS as the notification protocol
- Adjusting application server settings and passing environment variables, including the AWS Secret Access Key, which is needed by an application in order to authenticate to AWS resources
- Enabling secure login access to Amazon EC2 instances for immediate and direct troubleshooting
- Enabling log file rotation, which will copy the customer's EC2 instance log files on an hourly basis to the Amazon S3 bucket associated with the application
- Accessing built-in Amazon CloudWatch monitoring metrics such as average CPU utilization, request count, and average latency

All AWS Elastic Beanstalk endpoints use the HTTPS protocol for access. You can control access to Elastic Beanstalk services by using IAM policies. To simplify the process of granting access to AWS Elastic Beanstalk, you can use one of the policy templates in the AWS IAM console to get started. AWS Elastic Beanstalk offers two templates: a read-only access template and a full-access template. The read-only template grants read access to AWS Elastic Beanstalk resources. The full-access template grants full access to all AWS Elastic Beanstalk operations as well as permissions to manage dependent resources such as Elastic Load Balancing and Auto Scaling. Customers can also use the AWS Policy Generator to create custom policies to allow or deny permissions to specific AWS Elastic Beanstalk resources such as applications, application versions, and environments.

AWS CloudFormation Security
AWS CloudFormation is a provisioning tool that allows you to record the baseline configuration of the AWS resources needed to run your applications so that you can provision and update them in an orderly and predictable fashion. You define the AWS resources needed to run your application in a simple text file called a template, which can be used repeatedly to create identical copies of the same resource stack (or used as a foundation to start a new stack). You can capture and control region-specific infrastructure variations such as Amazon EC2 AMIs, EBS snapshot names, RDS database sizes, etc., using parameters. Parameters allow values to be declared that can be passed to the template when the stack is created. Parameters are also an effective way to specify sensitive information, such as user names and passwords, that should not be stored in the template itself.

AWS CloudFormation enables you to make simple changes, such as updating the properties of existing resources, or more complex changes, such as adding or removing resources from the stack. Changes to the stack are made by modifying the template and updating a stack. AWS CloudFormation understands the differences between the current template and the new template and modifies the stack accordingly.

You can create your own templates using the CloudFormer tool to describe the AWS resources and any associated dependencies or runtime parameters, or you can use AWS CloudFormation's sample templates. And just like AWS Elastic Beanstalk, CloudFormation automatically deploys the resources so you don't need to figure out the order in which AWS resources need to be provisioned or the subtleties of how to make those dependencies work.

AWS CloudFormation records resource creation and deletion for each stack, so you can see a list of all resources that have been provisioned for a stack as well as the history of provisioning events. The template is a text file, so it can be version controlled, just like other application artifacts. With AWS CloudFormation, you can version control your infrastructure definition just like you version control your application sources.

All AWS CloudFormation endpoints use the HTTPS protocol for access. You can control access to AWS CloudFormation template creation and management functions by creating users under your AWS Account using AWS IAM, and controlling which CloudFormation operations these users have permission to perform.

AWS OpsWorks Security
AWS OpsWorks is an application management service that helps you control the complete application lifecycle. It allows you to automate and manage all the processes involved in the deployment of your applications, including resource provisioning, configuration management, application deployment, software updates, monitoring, and access control.

You start in OpsWorks by creating a stack, which is a collection of both EC2 instances and layers, which are blueprints that are used to configure, launch, and manage the instances. You define the software configuration for each layer, including installation scripts and initialization tasks. When an instance is added to a layer, OpsWorks automatically applies the specified configuration.

Each stack hosts one or more applications and also serves as the container for any other AWS resources your application might need (such as EBS volumes and Elastic IP addresses) as well as user permissions associated with the application. You tell OpsWorks to install the application on the EC2 instances by pulling code from one or more code repositories, such as Git or Subversion, fetching via an HTTP request, or downloading from an Amazon S3 bucket.

After you have defined a stack, its layers, and its applications, you can create EC2 instances and assign them to specific layers. You can launch the instances manually, or you can define scaling based on load or by time. Either way, you have full control over the instance type, Availability Zone, security group(s), and operating system. You can use custom AMIs for even greater control over installed packages and versions. As the instances launch, they will be configured to your specifications using the recipes that you defined for the layer that contains the instance.

You can use AWS IAM to control how users are allowed to interact with OpsWorks, such as managing stacks and using SSH to connect to EC2 instances. You even have the flexibility to give users access to AWS OpsWorks but deny them direct access to dependent services such as Amazon EC2. For example, you can give a user permission to stop instances by using AWS OpsWorks, but deny them the ability to terminate instances by using the Amazon EC2 console or API.

You can also use IAM to control how OpsWorks can act on your behalf to manage stack resources, and how apps that run on instances controlled by AWS OpsWorks can access AWS resources (this applies only if you deploy apps that access other AWS services and get their credentials through roles in EC2 instances).
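An added example, not from the paper or from AWS, of the permission split described above and of the default-deny behaviour noted in the AWS IAM section: a constructed policy document in IAM's JSON policy format is evaluated with a simplified version of IAM's rules (a matching explicit Deny wins, then any matching Allow, otherwise implicit deny). The policy, the account id and the ARNs are hypothetical.

```python
import fnmatch

# Constructed example policy in IAM's JSON policy format. It is hypothetical (not one
# of the AWS policy templates) and follows the OpsWorks example in the text: an operator
# may stop instances through OpsWorks but is explicitly denied termination through EC2.
OPSWORKS_OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["opsworks:Describe*", "opsworks:StartInstance", "opsworks:StopInstance"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Deny",
         "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are case-sensitive; the same wildcards apply.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny that matches always wins, otherwise any
    matching Allow grants access, and with no matching statement the request is denied
    (the implicit deny the text describes as "secure by default").

    Conditions, NotAction/NotResource and resource-based policies are out of scope here.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(_action_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_resource_matches(p, resource)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def explain(policy, requests):
    """Evaluate a batch of (action, resource) pairs; handy for reviewing a policy before
    attaching it to a user or role."""
    return {f"{a} on {r}": ("allow" if is_allowed(policy, a, r) else "deny") for a, r in requests}


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    for line, verdict in explain(OPSWORKS_OPERATOR_POLICY, [
        ("opsworks:StopInstance", "*"),
        ("ec2:TerminateInstances", instance),
        ("s3:GetObject", "arn:aws:s3:::example-app-bucket/app.zip"),
        ("s3:DeleteObject", "arn:aws:s3:::example-app-bucket/app.zip"),
    ]).items():
        print(f"{verdict:5} {line}")
```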
AWS OpsWorks allows you to require the use of a deploy key to retrieve apps from a GitHub repository. A deploy key is an SSH key with no password that allows AWS OpsWorks to asynchronously deploy apps or cookbooks from a private GitHub repository without requiring any further input from you.

Additionally, the AWS OpsWorks API is only accessible via an SSL-encrypted endpoint (opsworks.us-east-1.amazonaws.com). You must connect to that endpoint to access OpsWorks, but you can then use the API to direct AWS OpsWorks to create stacks in any AWS Region.

AWS CloudHSM Security
The AWS CloudHSM service provides customers with dedicated access to a hardware security module (HSM) appliance designed to provide secure cryptographic key storage and operations within an intrusion-resistant, tamper-evident device. You can generate, store, and manage the cryptographic keys used for data encryption so that they are accessible only by you. AWS CloudHSM appliances are designed to securely store and process cryptographic key material for a wide variety of uses such as database encryption, Digital Rights Management (DRM), Public Key Infrastructure (PKI), authentication and authorization, document signing, and transaction processing. They support some of the strongest cryptographic algorithms available, including AES, RSA, and ECC, and many others.

The AWS CloudHSM service is designed to be used with Amazon EC2 and VPC, providing the appliance with its own private IP within a private subnet. You can connect to CloudHSM appliances from your EC2 servers through SSL/TLS, which uses two-way digital certificate authentication and 256-bit SSL encryption to provide a secure communication channel.

Selecting CloudHSM service in the same region as your EC2 instance decreases network latency, which can improve your application performance. You can configure a client on your EC2 instance that allows your applications to use the APIs provided by the HSM, including PKCS#11, MS CAPI and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions).

Before you begin using an HSM, you must set up at least one partition on the appliance. A cryptographic partition is a logical and physical security boundary that restricts access to your keys, so only you control your keys and the operations performed by the HSM. AWS has administrative credentials to the appliance, but these credentials can only be used to manage the appliance, not the HSM partitions on the appliance. AWS uses these credentials to monitor and maintain the health and availability of the appliance. AWS cannot extract your keys nor can AWS cause the appliance to perform any cryptographic operation using your keys.

The HSM appliance has both physical and logical tamper detection and response mechanisms that erase the cryptographic key material and generate event logs if tampering is detected. The HSM is designed to detect tampering if the physical barrier of the HSM appliance is breached. In addition, after three unsuccessful attempts to access an HSM partition with HSM Admin credentials, the HSM appliance erases its HSM partitions.

When your CloudHSM subscription ends and you have confirmed that the contents of the HSM are no longer needed, you must delete each partition and its contents as well as any logs. As part of the decommissioning process, AWS zeroizes the appliance, permanently erasing all key material.

AWS CloudTrail Security
AWS CloudTrail provides a log of all requests for AWS resources within your account. For each event recorded, you can see what service was accessed, what action was performed, any parameters for the action, and who made the request. Not only can you see which one of your users or services performed an action on an AWS service, but you can see whether it was as the AWS root account user or an IAM user, or whether it was with temporary security credentials for a role or federated user.

CloudTrail basically captures information about every API call to an AWS resource, whether that call was made from the AWS Management Console, CLI, or an SDK. If the API request returned an error, CloudTrail provides the description of the error, including messages for authorization failures. It even captures AWS Management Console sign-in events, creating a log record every time an AWS account owner, a federated user, or an IAM user simply signs in to the console.

Once you have enabled CloudTrail, event logs are delivered every 5 minutes to the Amazon S3 bucket of your choice. The log files are organized by AWS Account ID, region, service name, date, and time. You can configure CloudTrail so that it aggregates log files from multiple regions into a single Amazon S3 bucket. From there, you can then upload them to your favorite log management and analysis solutions to perform security analysis and detect user behavior patterns.

By default, log files are stored indefinitely. The log files are automatically encrypted using Amazon S3's Server Side Encryption and will remain in the bucket until you choose to delete or archive them. You can use Amazon S3 lifecycle configuration rules to automatically delete old log files or archive them to Amazon Glacier for additional longevity at significant savings.

Like every other AWS service, you can limit access to CloudTrail to only certain users. You can use IAM to control which AWS users can create, configure, or delete AWS CloudTrail trails as well as which users can start and stop logging. You can control access to the log files by applying IAM or Amazon S3 bucket policies. You can also add an additional layer of security by enabling MFA Delete on your Amazon S3 bucket.
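An added example, not from the paper, of the security analysis the text suggests running over delivered log files: a constructed CloudTrail log file (the same Records shape that CloudTrail delivers to S3) is scanned for root account activity, console sign-in failures, authorization failures and calls that stop or alter logging, and its records are tallied by identity type. The principals, IP addresses and account id are placeholders.

```python
import json
from collections import Counter

# Constructed sample log file in the shape CloudTrail delivers to S3: a JSON object
# whose "Records" array holds one entry per API call or console sign-in. Principals,
# IP addresses and the account id are placeholders.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2014-11-03T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-11-03T10:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2014-11-03T10:01:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2014-11-03T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OpsWorksOperator/web1"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventTime": "2014-11-03T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2014-11-03T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.40",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/carol"}},
]})

# Management calls that change what CloudTrail records; worth a finding whoever made them.
TRAIL_CHANGING_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def principal(record):
    """Short label for who made the call: root, an IAM user, a role session or a federated user."""
    ident = record.get("userIdentity") or {}
    kind = ident.get("type", "Unknown")
    if kind == "Root":
        return "Root"
    if kind == "IAMUser":
        return f"IAMUser:{ident.get('userName', '?')}"
    # Role sessions and federated users carry an STS ARN; keep its resource part.
    return f"{kind}:{ident.get('arn', '?').split(':')[-1]}"


def classify(record):
    """Return the names of the detection rules the record triggers."""
    hits = []
    if (record.get("userIdentity") or {}).get("type") == "Root":
        hits.append("root_activity")
    if record.get("eventName") == "ConsoleLogin" and \
            (record.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        hits.append("console_login_failure")
    code = record.get("errorCode") or ""
    if "AccessDenied" in code or "UnauthorizedOperation" in code:
        hits.append("authorization_failure")
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and \
            record.get("eventName") in TRAIL_CHANGING_CALLS:
        hits.append("cloudtrail_tampering")
    return hits


def analyze(log_file_text, login_failure_threshold=2):
    """Parse one delivered log file and return findings plus per-identity-type counts."""
    records = json.loads(log_file_text)["Records"]
    findings, by_type, login_failures = [], Counter(), Counter()
    for rec in records:
        who = principal(rec)
        by_type[(rec.get("userIdentity") or {}).get("type", "Unknown")] += 1
        for rule in classify(rec):
            findings.append({"rule": rule, "time": rec["eventTime"], "principal": who,
                             "source_ip": rec.get("sourceIPAddress"),
                             "event": f"{rec.get('eventSource')}:{rec.get('eventName')}"})
            if rule == "console_login_failure":
                login_failures[who] += 1
    for who, n in login_failures.items():
        if n >= login_failure_threshold:
            findings.append({"rule": "repeated_login_failures", "principal": who, "count": n})
    return {"findings": findings, "by_identity_type": dict(by_type)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG_FILE)
    print("records by identity type:", result["by_identity_type"])
    for f in result["findings"]:
        print(f)
```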

Mobile Services
AWS mobile services make it easier for you to build, ship, run, monitor, optimize, and scale cloud-powered applications for mobile devices. These services also help you authenticate users to your mobile application, synchronize data, and collect and analyze application usage.

Amazon Cognito
Amazon Cognito provides identity and sync services for mobile and web-based applications. It simplifies the task of authenticating users and storing, managing, and syncing their data across multiple devices, platforms, and applications. It provides temporary, limited-privilege credentials for both authenticated and unauthenticated users without having to manage any backend infrastructure.

Cognito works with well-known identity providers like Google, Facebook, and Amazon to authenticate end users of your mobile and web applications. You can take advantage of the identification and authorization features provided by these services instead of having to build and maintain your own. Your application authenticates with one of these identity providers using the provider's SDK. Once the end user is authenticated with the provider, an OAuth or OpenID Connect token returned from the provider is passed by your application to Cognito, which returns a new Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.

To begin using Amazon Cognito, you create an identity pool through the Amazon Cognito console. The identity pool is a store of user identity information that is specific to your AWS account. During the creation of the identity pool, you will be asked to create a new IAM role or pick an existing one for your end users. An IAM role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group. An authorized entity (e.g., mobile user, EC2 instance) assumes a role and receives temporary security credentials for authenticating to the AWS resources defined in the role. Temporary security credentials provide enhanced security due to their short lifespan (the default expiration is 12 hours) and the fact that they cannot be reused after they expire. The role you select has an impact on which AWS services your end users will be able to access with the temporary credentials. By default, Amazon Cognito creates a new role with limited permissions: end users only have access to the Cognito Sync service and Amazon Mobile Analytics. If your application needs access to other AWS resources such as Amazon S3 or DynamoDB, you can modify your roles directly from the IAM management console.

With Amazon Cognito, there's no need to create individual AWS accounts or even IAM accounts for every one of your web/mobile app's end users who will need to access your AWS resources. In conjunction with IAM roles, mobile users can securely access AWS resources and application features, and even save data to the AWS cloud without having to create an account or log in. However, if they choose to do this later, Cognito will merge data and identification information.

Because Amazon Cognito stores data locally as well as in the service, your end users can continue to interact with their data even when they are offline. Their offline data may be stale, but anything they put into the dataset, they can immediately retrieve whether they are online or not. The client SDK manages a local SQLite store so that the application can work even when it is not connected. The SQLite store functions as a cache and is the target of all read and write operations. Cognito's sync facility compares the local version of the data to the cloud version, and pushes up or pulls down deltas as needed. Note that in order to sync data across devices, your identity pool must support authenticated identities. Unauthenticated identities are tied to the device, so unless an end user authenticates, no data can be synced across multiple devices.

With Cognito, your application communicates directly with a supported public identity provider (Amazon, Facebook, or Google) to authenticate users. Amazon Cognito does not receive or store user credentials, only the OAuth or OpenID Connect token received from the identity provider. Once Cognito receives the token, it returns a new Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.

Each Cognito identity has access only to its own data in the sync store, and this data is encrypted when stored. In addition, all identity data is transmitted over HTTPS. The unique Amazon Cognito identifier on the device is stored in the appropriate secure location; on iOS, for example, the Cognito identifier is stored in the iOS keychain. User data is cached in a local SQLite database within the application's sandbox; if you require additional security, you can encrypt this identity data in the local cache by implementing encryption in your application.

Amazon Mobile Analytics
Amazon Mobile Analytics is a service for collecting, visualizing, and understanding mobile application usage data. It enables you to track customer behaviors, aggregate metrics, and identify meaningful patterns in your mobile applications. Amazon Mobile Analytics automatically calculates and updates usage metrics as the data is received from client devices running your app and displays the data in the console.

You can integrate Amazon Mobile Analytics with your application without requiring users of your app to be authenticated with an identity provider (like Google, Facebook, or Amazon). For these unauthenticated users, Mobile Analytics works with Amazon Cognito to provide temporary, limited-privilege credentials. To do this, you first create an identity pool in Cognito. The identity pool will use IAM roles; a role is a set of permissions not tied to a specific IAM user or group but which allows an entity to access specific AWS resources. The entity assumes a role and receives temporary security credentials for authenticating to the AWS resources defined in the role. By default, Amazon Cognito creates a new role with limited permissions: end users only have access to the Cognito Sync service and Amazon Mobile Analytics. If your application needs access to other AWS resources such as Amazon S3 or DynamoDB, you can modify your roles directly from the IAM management console.

You can integrate the AWS Mobile SDK for Android or iOS into your application or use the Amazon Mobile Analytics REST API to send events from any connected device or service and visualize data in the reports. The Amazon Mobile Analytics API is only accessible via an SSL-encrypted endpoint (https://mobileanalytics.us-east-1.amazonaws.com).

Applications
AWS applications are managed services that enable you to provide your users with secure, centralized storage and work areas in the cloud.

AmazonWorkSpaces
AmazonWorkSpacesisamanageddesktopservicethatallowsyoutoquicklyprovisioncloudbaseddesktopsforyour
users.SimplychooseaWindows7bundlethatbestmeetstheneedsofyourusersandthenumberofWorkSpacesthat
youwouldliketolaunch.OncetheWorkSpacesareready,usersreceiveanemailinformingthemwheretheycan
downloadtherelevantclientandlogintotheirWorkSpace.Theycanthenaccesstheircloudbaseddesktopsfroma
varietyofendpointdevices,includingPCs,laptops,andmobiledevices.However,yourorganizationsdataisneversent
toorstoredontheenduserdevicebecauseAmazonWorkSpacesusesPCoverIP(PCoIP),whichprovidesaninteractive
videostreamwithouttransmittingactualdata.ThePCoIPprotocolcompresses,encrypts,andencodestheusers
desktopcomputingexperienceandtransmitspixelsonlyacrossanystandardIPnetworktoenduserdevices.
InordertoaccesstheirWorkSpace,usersmustsigninusingasetofuniquecredentialsortheirregularActiveDirectory
credentials.WhenyouintegrateAmazonWorkSpaceswithyourcorporateActiveDirectory,eachWorkSpacejoinsyour
ActiveDirectorydomainandcanbemanagedjustlikeanyotherdesktopinyourorganization.Thismeansthatyoucan
useActiveDirectoryGroupPoliciestomanageyourusersWorkSpacestospecifyconfigurationoptionsthatcontrolthe
desktop.IfyouchoosenottouseActiveDirectoryorothertypeofonpremisesdirectorytomanageyouruser
WorkSpaces,youcancreateaprivateclouddirectorywithinAmazonWorkSpacesthatyoucanuseforadministration.
Toprovideanadditionallayerofsecurity,youcanalsorequiretheuseofmultifactorauthenticationuponsignininthe
formofahardwareorsoftwaretoken.AmazonWorkSpacessupportsMFAusinganonpremiseRemoteAuthentication
DialInUserService(RADIUS)serveroranysecurityproviderthatsupportsRADIUSauthentication.Itcurrentlysupports
thePAP,CHAP,MSCHAP1,andMSCHAP2protocols,alongwithRADIUSproxies.
EachWorkspaceresidesonitsownEC2instancewithinaVPC.YoucancreateWorkSpacesinaVPCyoualreadyownor
havetheWorkSpacesservicecreateoneforyouautomaticallyusingtheWorkSpacesQuickStartoption.Whenyouuse
theQuickStartoption,WorkSpacesnotonlycreatestheVPC,butitperformsseveralotherprovisioningand
configurationtasksforyou,suchascreatinganInternetGatewayfortheVPC,settingupadirectorywithintheVPCthat
isusedtostoreuserandWorkSpaceinformation,creatingadirectoryadministratoraccount,creatingthespecifieduser

Page64of77

AmazonWebServicesOverviewofSecurityProcesses

November2014

accountsandaddingthemtothedirectory,andcreatingtheWorkSpaceinstances.OrtheVPCcanbeconnectedtoan
onpremisesnetworkusingasecureVPNconnectiontoallowaccesstoanexistingonpremisesActiveDirectoryand
otherintranetresources.YoucanaddasecuritygroupthatyoucreateinyourAmazonVPCtoalltheWorkSpacesthat
belongtoyourDirectory.ThisallowsyoutocontrolnetworkaccessfromAmazonWorkSpacesinyourVPCtoother
resourcesinyourAmazonVPCandonpremisesnetwork.
PersistentstorageforWorkSpacesisprovidedbyAmazonEBSandisautomaticallybackeduptwiceadaytoAmazonS3.
IfWorkSpacesSyncisenabledonaWorkSpace,thefolderauserchoosestosyncwillbecontinuouslybackedupand
storedinAmazonS3.YoucanalsouseWorkSpacesSynconaMacorPCtosyncdocumentstoorfromyourWorkSpace
sothatyoucanalwayshaveaccesstoyourdataregardlessofthedesktopcomputeryouareusing.
Becauseitsamanagedservice,AWStakescareofseveralsecurityandmaintenancetaskslikedailybackupsand
patching.UpdatesaredeliveredautomaticallytoyourWorkSpacesduringaweeklymaintenancewindow.Youcan
controlhowpatchingisconfiguredforausersWorkSpace.Bydefault,WindowsUpdateisturnedon,butyouhavethe
abilitytocustomizethesesettings,oruseanalternativepatchmanagementapproachifyoudesire.Fortheunderlying
OS,WindowsUpdateisenabledbydefaultonWorkSpaces,andconfiguredtoinstallupdatesonaweeklybasis.Youcan
useanalternativepatchingapproachortoconfigureWindowsUpdatetoperformupdatesatatimeofyourchoosing.
YoucanuseIAMtocontrolwhoonyourteamcanperformadministrativefunctionslikecreatingordeletingWorkSpaces
orsettingupuserdirectories.YoucanalsosetupaWorkSpacefordirectoryadministration,installyourfavoriteActive
Directoryadministrationtools,andcreateorganizationalunitsandGroupPoliciesinordertomoreeasilyapplyActive
DirectorychangesforallyourWorkSpacesusers.

Amazon Zocalo
Amazon Zocalo is a managed enterprise storage and sharing service with feedback capabilities for user collaboration. Users can store any type of file in a Zocalo folder and allow others to view and download them. Commenting and annotation capabilities work on certain file types such as MS Word, without requiring the application that was used to originally create the file. Zocalo notifies contributors about review activities and deadlines via email and performs versioning of files that you have synced using the Zocalo Sync application.

User information is stored in an Active Directory-compatible network directory. You can either create a new directory in the cloud, or connect Amazon Zocalo to your on-premises directory. When you create a cloud directory using Zocalo's quick start setup, it also creates a directory administrator account with the administrator email as the username. An email is sent to your administrator with instructions to complete registration. The administrator then uses this account to manage your directory.

When you create a cloud directory using Zocalo's quick start setup, it also creates and configures a VPC for use with the directory. If you need more control over the directory configuration, you can choose the standard setup, which allows you to specify your own directory domain name, as well as one of your existing VPCs to use with the directory. If you want to use one of your existing VPCs, the VPC must have an Internet gateway and at least two subnets. Each of the subnets must be in a different Availability Zone.

Using the Amazon Zocalo Management Console, administrators can view audit logs to track file and user activity by time, IP address, and device, and choose whether to allow users to share files with others outside their organization. Users can then control who can access individual files and disable downloads of files they share.

All data in transit is encrypted using industry-standard SSL. The Zocalo web and mobile applications and desktop sync clients transmit files directly to Amazon Zocalo using SSL. Zocalo users can also utilize Multi-Factor Authentication, or MFA, if their organization has deployed a RADIUS server. MFA uses the following factors: username, password, and the methods supported by the RADIUS server. The protocols supported are PAP, CHAP, MS-CHAPv1, and MS-CHAPv2.
You choose the AWS Region where each Zocalo site's files are stored. Amazon Zocalo is currently available in the US East (Virginia), US West (Oregon), and EU (Ireland) AWS Regions. All files, comments, and annotations stored in Zocalo are automatically encrypted with AES-256 encryption.

Page66of77

AmazonWebServicesOverviewofSecurityProcesses

November2014

Appendix: Glossary of Terms
Access Key ID: A string that AWS distributes in order to uniquely identify each AWS user; it is an alphanumeric token associated with your Secret Access Key.
Access control list (ACL): A list of permissions or rules for accessing an object or network resource. In Amazon EC2, security groups act as ACLs at the instance level, controlling which network traffic is permitted to reach specific instances. In Amazon S3, you can use ACLs to give read or write access on buckets or objects to groups of users. In Amazon VPC, ACLs act like network firewalls and control access at the subnet level.
AMI: An Amazon Machine Image (AMI) is an encrypted machine image stored in Amazon S3. It contains all the information necessary to boot instances of a customer's software.
API: An Application Programming Interface (API) is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems.
Archive: An archive in Amazon Glacier is a file that you want to store and is the base unit of storage in Amazon Glacier. It can be any data such as a photo, video, or document. Each archive has a unique ID and an optional description.
Authentication: Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Not only do users need to be authenticated, but every program that wants to call the functionality exposed by an AWS API must be authenticated. AWS requires that you authenticate every request by digitally signing it using a keyed cryptographic hash function (HMAC).
Auto Scaling: An AWS service that allows customers to automatically scale their Amazon EC2 capacity up or down according to conditions they define.
Availability Zone: Amazon EC2 locations are composed of regions and availability zones. Availability zones are distinct locations that are engineered to be insulated from failures in other availability zones and provide inexpensive, low-latency network connectivity to other availability zones in the same region.
Bastion host: A computer specifically configured to withstand attack, usually placed on the external/public side of a demilitarized zone (DMZ) or outside the firewall. You can set up an Amazon EC2 instance as an SSH bastion by setting up a public subnet as part of an Amazon VPC.
Bucket: A container for objects stored in Amazon S3. Every object is contained within a bucket. For example, if the object named photos/puppy.jpg is stored in the johnsmith bucket, then it is addressable using the URL http://johnsmith.s3.amazonaws.com/photos/puppy.jpg.
Certificate: A credential that some AWS products use to authenticate AWS Accounts and users. Also known as an X.509 certificate. The certificate is paired with a private key.
CIDR Block: Classless Inter-Domain Routing block of IP addresses.
Client-side encryption: Encrypting data on the client side before uploading it to Amazon S3.
CloudFormation: An AWS provisioning tool that lets customers record the baseline configuration of the AWS resources needed to run their applications so that they can provision and update them in an orderly and predictable fashion.

Cognito: An AWS service that simplifies the task of authenticating users and storing, managing, and syncing their data across multiple devices, platforms, and applications. It works with multiple existing identity providers and also supports unauthenticated guest users.
Credentials: Items that a user or process must have in order to confirm to AWS services during the authentication process that they are authorized to access the service. AWS credentials include passwords and secret access keys as well as X.509 certificates and multi-factor tokens.
Dedicated instance: Amazon EC2 instances that are physically isolated at the host hardware level (i.e., they will run on single-tenant hardware).
Digital signature: A digital signature is a cryptographic method for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by an authorized sender, and that it was not altered in transit. Digital signatures are used by customers for signing requests to AWS APIs as part of the authentication process.
Direct Connect Service: An Amazon service that allows you to provision a direct link between your internal network and an AWS region using a high-throughput, dedicated connection. With this dedicated connection in place, you can then create logical connections directly to the AWS cloud (for example, to Amazon EC2 and Amazon S3) and Amazon VPC, bypassing Internet service providers in the network path.
DynamoDB Service: A managed NoSQL database service from AWS that provides fast and predictable performance with seamless scalability.
EBS: Amazon Elastic Block Store (EBS) provides block-level storage volumes for use with Amazon EC2 instances. Amazon EBS volumes are off-instance storage that persists independently from the life of an instance.
ElastiCache: An AWS web service that allows you to set up, manage, and scale distributed in-memory cache environments in the cloud. The service improves the performance of web applications by allowing you to retrieve information from a fast, managed, in-memory caching system, instead of relying entirely on slower disk-based databases.
Elastic Beanstalk: An AWS deployment and management tool that automates the functions of capacity provisioning, load balancing, and auto scaling for customers' applications.
Elastic IP Address: A static, public IP address that you can assign to any instance in an Amazon VPC, thereby making the instance public. Elastic IP addresses also enable you to mask instance failures by rapidly remapping your public IP addresses to any instance in the VPC.
Elastic Load Balancing: An AWS service that is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all availability zones within a region. Elastic Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits such as taking over the encryption/decryption work from EC2 instances and managing it centrally on the load balancer.
Elastic MapReduce (EMR) Service: An AWS service that utilizes a hosted Hadoop framework running on the web-scale infrastructure of Amazon EC2 and Amazon S3. Elastic MapReduce enables customers to easily and cost-effectively process extremely large quantities of data ("big data").

Elastic Network Interface: Within an Amazon VPC, an Elastic Network Interface is an optional second network interface that you can attach to an EC2 instance. An Elastic Network Interface can be useful for creating a management network or using network or security appliances in the Amazon VPC. It can be easily detached from an instance and reattached to another instance.
Endpoint: A URL that is the entry point for an AWS service. To reduce data latency in your applications, most AWS services allow you to select a regional endpoint to make your requests. Some web services allow you to use a general endpoint that doesn't specify a region; these generic endpoints resolve to the service's us-east-1 endpoint. You can connect to an AWS endpoint via HTTP or secure HTTP (HTTPS) using SSL.
Federated users: Users, systems, or applications that are not currently authorized to access your AWS services, but that you want to give temporary access to. This access is provided using the AWS Security Token Service (STS) APIs.
Firewall: A hardware or software component that controls incoming and/or outgoing network traffic according to a specific set of rules. Using firewall rules in Amazon EC2, you specify the protocols, ports, and source IP address ranges that are allowed to reach your instances. These rules specify which incoming network traffic should be delivered to your instance (e.g., accept web traffic on port 80). Amazon VPC supports a complete firewall solution enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, as well as by source/destination IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
Guest OS: In a virtual machine environment, multiple operating systems can run on a single piece of hardware. Each one of these instances is considered a guest on the host hardware and utilizes its own OS.
Hash: A cryptographic hash function is used to calculate a digital signature for signing requests to AWS APIs. A cryptographic hash is a one-way function that returns a fixed-length hash value based on the input, from which the input cannot practically be recovered. The input to the hash function includes the text of your request and your secret access key. The hash function returns a hash value that you include in the request as your signature.
HMAC-SHA1/HMAC-SHA256: In cryptography, a keyed-Hash Message Authentication Code (HMAC or KHMAC) is a type of message authentication code (MAC) calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any iterative cryptographic hash function, such as SHA-1 or SHA-256, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-SHA1 or HMAC-SHA256 accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, on the size and quality of the key, and on the size of the hash output length in bits.
Hardware security module (HSM): An HSM is an appliance that provides secure cryptographic key storage and operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance. The AWS CloudHSM service provides customers with dedicated, single-tenant access to an HSM appliance.
Hypervisor: A hypervisor, also called a Virtual Machine Monitor (VMM), is computer software/hardware platform virtualization software that allows multiple operating systems to run on a host computer concurrently.

Identity and Access Management (IAM): AWS IAM enables you to create multiple users and manage the permissions for each of these users within your AWS Account.
Identity pool: A store of user identity information in Amazon Cognito that is specific to your AWS Account. Identity pools use IAM roles, which are permissions that are not tied to a specific IAM user or group and that use temporary security credentials for authenticating to the AWS resources defined in the role.
Identity Provider: An online service responsible for issuing identification information for users who would like to interact with the service or with other cooperating services. Examples of identity providers include Facebook, Google, and Amazon.
Import/Export Service: An AWS service for transferring large amounts of data to Amazon S3 or EBS storage by physically shipping a portable storage device to a secure AWS facility.
Instance: An instance is a virtualized server, also known as a virtual machine (VM), with its own hardware resources and guest OS. In EC2, an instance represents one running copy of an Amazon Machine Image (AMI).
IP address: An Internet Protocol (IP) address is a numerical label that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes.
IP spoofing: Creation of IP packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.
Key: In cryptography, a key is a parameter that determines the output of a cryptographic algorithm (such as a cipher, a MAC, or a signature scheme). A key pair is a set of security credentials you use to prove your identity electronically and consists of a public key and a private key.
Key rotation: The process of periodically changing the cryptographic keys used for encrypting data or digitally signing requests. Just like changing passwords, rotating keys minimizes the risk of unauthorized access if an attacker somehow obtains your key or determines the value of it. AWS supports multiple concurrent access keys and certificates, which allows customers to rotate keys and certificates into and out of operation on a regular basis without any downtime to their application.
Mobile Analytics: An AWS service for collecting, visualizing, and understanding mobile application usage data. It enables you to track customer behaviors, aggregate metrics, and identify meaningful patterns in your mobile applications.
Multi-factor authentication (MFA): The use of two or more authentication factors. Authentication factors include something you know (like a password) or something you have (like a token that generates a random number). AWS IAM allows the use of a six-digit single-use code in addition to the username and password credentials. Customers get this single-use code from an authentication device that they keep in their physical possession (either a physical token device or a virtual token from their smartphone).
Network ACLs: Stateless traffic filters that apply to all traffic inbound or outbound from a subnet within an Amazon VPC. Network ACLs can contain ordered rules to allow or deny traffic based upon IP protocol, by service port, as well as by source/destination IP address.
Object: The fundamental entities stored in Amazon S3. Objects consist of object data and metadata. The data portion is opaque to Amazon S3. The metadata is a set of name-value pairs that describe the object. These include some default metadata such as the date last modified and standard HTTP metadata such as Content-Type. The developer can also specify custom metadata at the time the object is stored.
Paravirtualization: In computing, paravirtualization is a virtualization technique that presents a software interface to virtual machines that is similar but not identical to that of the underlying hardware.
Peering: A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network.
Port scanning: A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port number, the computer provides.
Region: A named set of AWS resources in the same geographical area. Each region contains at least two availability zones.
Replication: The continuous copying of data from a database in order to maintain a second version of the database, usually for disaster recovery purposes. Customers can use multiple AZs for their Amazon RDS database replication needs, or use Read Replicas if using MySQL.
Relational Database Service (RDS): An AWS service that allows you to create a relational database (DB) instance and flexibly scale the associated compute resources and storage capacity to meet application demand. Amazon RDS is available for MySQL, Oracle, or Microsoft SQL Server database engines.
Role: An entity in AWS IAM that has a set of permissions that can be assumed by another entity. Use roles to enable applications running on your Amazon EC2 instances to securely access your AWS resources. You grant a specific set of permissions to a role, use the role to launch an Amazon EC2 instance, and let EC2 automatically handle AWS credential management for your applications that run on Amazon EC2.
Route 53: An authoritative DNS system that provides an update mechanism that developers can use to manage their public DNS names, answering DNS queries and translating domain names into IP addresses so computers can communicate with each other.
Secret Access Key: A key that AWS assigns to you when you sign up for an AWS Account. To make API calls or to work with the command line interface, each AWS user needs the Secret Access Key and Access Key ID. The user signs each request with the Secret Access Key and includes the Access Key ID in the request. To help ensure the security of your AWS Account, the Secret Access Key is accessible only during key and user creation. You must save the key (for example, in a text file that you store securely) if you want to be able to access it again.
Security group: A security group gives you control over the protocols, ports, and source IP address ranges that are allowed to reach your Amazon EC2 instances; in other words, it defines the firewall rules for your instance. These rules specify which incoming network traffic should be delivered to your instance (e.g., accept web traffic on port 80).
Security Token Service (STS): The AWS STS APIs return temporary security credentials consisting of a security token, an Access Key ID, and a Secret Access Key. You can use STS to issue security credentials to users who need temporary access to your resources. These users can be existing IAM users, non-AWS users (federated identities), systems, or applications that need to access your AWS resources.

Server-side encryption (SSE): An option for Amazon S3 storage for automatically encrypting data at rest. With Amazon S3 SSE, customers can encrypt data on upload simply by adding an additional request header when writing the object. Decryption happens automatically when data is retrieved.
Service: Software or computing ability provided across a network (e.g., Amazon EC2, Amazon S3).
Shard: In Amazon Kinesis, a shard is a uniquely identified group of data records in an Amazon Kinesis stream. A Kinesis stream is composed of multiple shards, each of which provides a fixed unit of capacity.
Signature: Refers to a digital signature, which is a mathematical way to confirm the authenticity of a digital message. AWS uses signatures calculated with a cryptographic algorithm and your private key to authenticate the requests you send to our web services.
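The glossary entries Hash, HMAC-SHA256, Key rotation, Secret Access Key and Signature together describe one mechanism: the caller computes an HMAC over the request text under a secret that never leaves the client, sends the Access Key ID and the HMAC, and the service recomputes it. The following is an added example, not code from the AWS paper or from any AWS SDK: the signing-key derivation is AWS Signature Version 4's HMAC chain (date, region, service, "aws4_request"), which is public; the verifier, the key store holding two active keys per account during a rotation, and all credentials and strings are constructed for illustration and do not model how AWS implements the server side.

```python
"""Added example (not from the AWS paper): HMAC-SHA256 request signing with a
SigV4-style derived key, plus a constructed verifier that shows why holding
two active access keys lets a caller rotate without downtime.
"""
import hashlib
import hmac


def derive_signing_key(secret_access_key, date, region, service):
    """SigV4 signing key: an HMAC chain starting from "AWS4" + secret. Only the
    final HMAC output is ever used on the wire; the secret itself never is."""
    k_date = hmac.new(("AWS4" + secret_access_key).encode(), date.encode(), hashlib.sha256).digest()
    k_region = hmac.new(k_date, region.encode(), hashlib.sha256).digest()
    k_service = hmac.new(k_region, service.encode(), hashlib.sha256).digest()
    return hmac.new(k_service, b"aws4_request", hashlib.sha256).digest()


def sign(string_to_sign, secret_access_key, date, region, service):
    """Hex HMAC-SHA256 of the string to sign under the derived key: the value
    that travels in the request as the "signature"."""
    key = derive_signing_key(secret_access_key, date, region, service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


class KeyStore:
    """Constructed server side: Access Key ID -> Secret Access Key. An account
    may have more than one active key at a time, which is what makes rotation
    possible without a window in which requests are rejected."""

    def __init__(self):
        self._secrets = {}

    def add(self, access_key_id, secret_access_key):
        self._secrets[access_key_id] = secret_access_key

    def deactivate(self, access_key_id):
        self._secrets.pop(access_key_id, None)

    def verify(self, access_key_id, string_to_sign, date, region, service, signature):
        secret = self._secrets.get(access_key_id)
        if secret is None:
            return False  # unknown or deactivated key ID
        expected = sign(string_to_sign, secret, date, region, service)
        return hmac.compare_digest(expected, signature)  # constant-time comparison


def rotation_walkthrough():
    """Rotate from an old key to a new one; returns the verifier's verdicts
    before, during (both active) and after (old deactivated) the rotation."""
    date, region, service = "20141101", "us-east-1", "s3"
    # Constructed string to sign; the last line stands in for the hash of the
    # canonical request that SigV4 would put there.
    string_to_sign = ("AWS4-HMAC-SHA256\n20141101T000000Z\n20141101/us-east-1/s3/aws4_request\n"
                      + hashlib.sha256(b"GET /photos/puppy.jpg").hexdigest())
    old_id, old_secret = "AKIAOLDKEYEXAMPLE", "old-secret-constructed"
    new_id, new_secret = "AKIANEWKEYEXAMPLE", "new-secret-constructed"
    old_sig = sign(string_to_sign, old_secret, date, region, service)
    new_sig = sign(string_to_sign, new_secret, date, region, service)

    store = KeyStore()
    store.add(old_id, old_secret)
    before = store.verify(old_id, string_to_sign, date, region, service, old_sig)
    store.add(new_id, new_secret)  # step 1: create the new key; both are active
    during = (store.verify(old_id, string_to_sign, date, region, service, old_sig),
              store.verify(new_id, string_to_sign, date, region, service, new_sig))
    store.deactivate(old_id)       # step 2: clients have switched; retire the old key
    after = (store.verify(old_id, string_to_sign, date, region, service, old_sig),
             store.verify(new_id, string_to_sign, date, region, service, new_sig))
    return before, during, after
```

Two properties are worth checking: a one-character change to the request, or signing for a different region or service, changes the signature entirely, so a captured signature cannot be replayed against other requests; and the old key keeps working during the overlap and stops only when it is deactivated.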
Simple Data Base (SimpleDB): A non-relational data store that allows AWS customers to store and query data items via web services requests. Amazon SimpleDB creates and manages multiple geographically distributed replicas of the customer's data automatically to enable high availability and data durability.
Simple Email Service (SES): An AWS service that provides a scalable bulk and transactional email sending service for businesses and developers. In order to maximize deliverability and dependability for senders, Amazon SES takes proactive steps to prevent questionable content from being sent, so that ISPs view the service as a trusted email origin.
Simple Mail Transfer Protocol (SMTP): An Internet standard for transmitting email across IP networks, SMTP is used by the Amazon Simple Email Service. Customers who use Amazon SES can use an SMTP interface to send email, but must connect to an SMTP endpoint via TLS.
Simple Notification Service (SNS): An AWS service that makes it easy to set up, operate, and send notifications from the cloud. Amazon SNS provides developers with the ability to publish messages from an application and immediately deliver them to subscribers or other applications.
Simple Queue Service (SQS): A scalable message queuing service from AWS that enables asynchronous message-based communication between distributed components of an application. The components can be computers or Amazon EC2 instances or a combination of both.
Simple Storage Service (Amazon S3): An AWS service that provides secure storage for object files. Access to objects can be controlled at the file or bucket level and can be further restricted based on other conditions such as request IP source, request time, etc. Files can also be encrypted automatically using AES-256 encryption.
Simple Workflow Service (SWF): An AWS service that allows customers to build applications that coordinate work across distributed components. Using Amazon SWF, developers can structure the various processing steps in an application as tasks that drive work in distributed applications. Amazon SWF coordinates these tasks, managing task execution dependencies, scheduling, and concurrency based on a developer's application logic.
Single sign-on: The capability to log in once but access multiple applications and systems. A secure single sign-on capability can be provided to your federated users (AWS and non-AWS users) by creating a URL that passes the temporary security credentials to the AWS Management Console.
Snapshot: A customer-initiated backup of an EBS volume that is stored in Amazon S3, or a customer-initiated backup of an RDS database that is stored in Amazon RDS. A snapshot can be used as the starting point for a new EBS volume or Amazon RDS database, or to protect the data for long-term durability and recovery.
Secure Sockets Layer (SSL): A cryptographic protocol that provides security over the Internet, sitting above TCP and below the application protocol (for example, HTTP). Both the TLS 1.0 and SSL 3.0 protocol specifications use cryptographic mechanisms to implement the security services that establish and maintain a secure TCP/IP connection. The secure connection prevents eavesdropping, tampering, or message forgery. You can connect to an AWS endpoint via HTTP or secure HTTP (HTTPS) using SSL.
Stateful firewall: In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams or UDP communication) traveling across it.
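The glossary entries Firewall, Network ACLs, Security group and Stateful firewall describe two filters that look alike but behave differently: a VPC network ACL is stateless, with numbered rules tried in order and an implicit deny, while a security group is stateful and allow-only, so the reply to a permitted connection is admitted without a rule for it. The following is an added example, not code from the AWS paper or from AWS: a small model of both filters run over constructed packets. The rule sets, addresses and the flow-tracking logic are constructed for illustration; this is a teaching model of the two semantics, not the VPC data plane.

```python
"""Added example (not from the AWS paper): stateless network ACL versus
stateful security group, evaluated over constructed packets.
"""
import ipaddress
from collections import namedtuple

# direction is "in" (toward the instance/subnet) or "out" (away from it)
Packet = namedtuple("Packet", "src dst proto dport sport direction")

# Network ACL: (rule_number, direction, proto, (low_port, high_port), cidr, action).
# Because the ACL is stateless, reply traffic needs its own rule: the inbound
# 1024-65535 rule admits replies to connections the instance itself opened.
NACL_RULES = [
    (100, "in", "tcp", (80, 80), "0.0.0.0/0", "allow"),
    (110, "in", "tcp", (1024, 65535), "0.0.0.0/0", "allow"),
    (100, "out", "tcp", (1024, 65535), "0.0.0.0/0", "allow"),
    (110, "out", "tcp", (80, 80), "0.0.0.0/0", "allow"),
]

# Security group: inbound allow rules only, (proto, (low_port, high_port), cidr).
SG_RULES = [("tcp", (80, 80), "0.0.0.0/0")]


def _matches(rule_proto, rule_ports, rule_cidr, pkt_proto, pkt_port, pkt_addr):
    low, high = rule_ports
    return (rule_proto == pkt_proto and low <= pkt_port <= high
            and ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(rule_cidr))


def nacl_evaluate(rules, pkt):
    """Stateless: rules in ascending number, first match decides, no match means
    deny (the implicit '*' rule). The remote address is the source for inbound
    and the destination for outbound; the port checked is the destination port."""
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    for _number, direction, proto, ports, cidr, action in sorted(rules, key=lambda r: r[0]):
        if direction == pkt.direction and _matches(proto, ports, cidr, pkt.proto, pkt.dport, remote):
            return action
    return "deny"


class SecurityGroup:
    """Stateful, allow-only. Inbound needs a rule; outbound is open (the default
    group's behaviour in the glossary). Each admitted packet's flow is remembered
    so the reply in the other direction is admitted without any rule."""

    def __init__(self, inbound_rules):
        self.inbound = inbound_rules
        self.flows = set()

    def evaluate(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:
            return "allow"  # reply to a tracked connection
        if pkt.direction == "out":
            self.flows.add(flow)
            return "allow"
        for proto, ports, cidr in self.inbound:
            if _matches(proto, ports, cidr, pkt.proto, pkt.dport, pkt.src):
                self.flows.add(flow)
                return "allow"
        return "deny"


def scenarios():
    """Constructed traffic: (network ACL verdict, security group verdict) per case."""
    instance, client, origin = "10.0.1.10", "203.0.113.5", "198.51.100.9"
    web_in = Packet(client, instance, "tcp", 80, 40000, "in")      # client -> web server
    web_reply = Packet(instance, client, "tcp", 40000, 80, "out")  # its reply
    ssh_in = Packet(client, instance, "tcp", 22, 40001, "in")      # unsolicited SSH
    fetch_out = Packet(instance, origin, "tcp", 80, 50000, "out")  # instance calls out
    fetch_reply = Packet(origin, instance, "tcp", 50000, 80, "in") # and gets the reply
    sg = SecurityGroup(SG_RULES)
    nacl_no_ephemeral = [r for r in NACL_RULES if not (r[0] == 110 and r[1] == "in")]
    return {
        "web_in": (nacl_evaluate(NACL_RULES, web_in), sg.evaluate(web_in)),
        "web_reply": (nacl_evaluate(NACL_RULES, web_reply), sg.evaluate(web_reply)),
        "ssh_in": (nacl_evaluate(NACL_RULES, ssh_in), sg.evaluate(ssh_in)),
        "fetch_out": (nacl_evaluate(NACL_RULES, fetch_out), sg.evaluate(fetch_out)),
        "fetch_reply": (nacl_evaluate(NACL_RULES, fetch_reply), sg.evaluate(fetch_reply)),
        # The same reply with the ephemeral-port rule removed from the ACL:
        # the stateless filter drops it, the stateful group still admits it.
        "fetch_reply_no_ephemeral_rule": nacl_evaluate(nacl_no_ephemeral, fetch_reply),
    }
```

The last scenario is the one that bites in practice: forgetting the ephemeral-port rule on a network ACL breaks every connection the instance opens, while the security group never needed such a rule because it tracks the flow.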
Storage Gateway: An AWS service that securely connects a customer's on-premises software appliance with Amazon S3 storage by using a VM that the customer deploys on a host in their data center running the VMware ESXi Hypervisor. Data is asynchronously transferred from the customer's on-premises storage hardware to AWS over SSL, and then stored encrypted in Amazon S3 using AES-256.
Temporary security credentials: AWS credentials that provide temporary access to AWS services. Temporary security credentials can be used to provide identity federation between AWS services and non-AWS users in your own identity and authorization system. Temporary security credentials consist of a security token, an Access Key ID, and a Secret Access Key.
Transcoder: A system that transcodes (converts) a media file (audio or video) from one format, size, or quality to another. Amazon Elastic Transcoder makes it easy for customers to transcode video files in a scalable and cost-effective fashion.
Transport Layer Security (TLS): A cryptographic protocol that provides security over the Internet, sitting above TCP and below the application protocol. Customers who use Amazon's Simple Email Service must connect to an SMTP endpoint via TLS.
Tree hash: A tree hash is generated by computing a hash for each megabyte-sized segment of the data, and then combining the hashes in tree fashion to represent ever-growing adjacent segments of the data. Glacier checks the hash against the data to help ensure that it has not been altered en route.
Vault: In Amazon Glacier, a vault is a container for storing archives. When you create a vault, you specify a name and select an AWS region where you want to create the vault. Each vault resource has a unique address.
Versioning: Every object in Amazon S3 has a key and a version ID. Objects with the same key but different version IDs can be stored in the same bucket. Versioning is enabled at the bucket layer using PUT Bucket versioning.
Virtual Instance: Once an AMI has been launched, the resulting running system is referred to as an instance. All instances based on the same AMI start out identical, and any information on them is lost when the instances are terminated or fail.
Virtual MFA: The capability for a user to get the six-digit, single-use MFA code from their smartphone rather than from a token/fob. MFA is the use of an additional factor (the single-use code) in conjunction with a username and password for authentication.
Virtual Private Cloud (VPC): An AWS service that enables customers to provision an isolated section of the AWS cloud, including selecting their own IP address range, defining subnets, and configuring routing tables and network gateways.

Virtual Private Network (VPN): The capability to create a private, secure network between two locations over a public network such as the Internet. AWS customers can add an IPsec VPN connection between their Amazon VPC and their data center, effectively extending their data center to the cloud while also providing direct access to the Internet for public subnet instances in their Amazon VPC. In this configuration, customers add a VPN appliance on their corporate data center side.
WorkSpaces: An AWS managed desktop service that enables you to provision cloud-based desktops for your users and allows them to sign in using a set of unique credentials or their regular Active Directory credentials.
X.509: In cryptography, X.509 is a standard for a Public Key Infrastructure (PKI) for single sign-on and Privilege Management Infrastructure (PMI). X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm. Some AWS products use X.509 certificates instead of a Secret Access Key for access to certain interfaces. For example, Amazon EC2 uses a Secret Access Key for access to its Query interface, but it uses a signing certificate for access to its SOAP interface and command line tool interface.
Zocalo: An AWS managed enterprise storage and sharing service with feedback capabilities for user collaboration.

Changes since last version (June 2014):

- Updated shared security responsibility model
- Updated AWS Account security features
- Reorganized services into categories
- Updated several services with new features: CloudWatch, CloudTrail, CloudFront, EBS, ElastiCache, Redshift, Route 53, S3, Trusted Advisor, and WorkSpaces
- Added Cognito Security
- Added Mobile Analytics Security
- Added Zocalo Security

Changes since last version (Nov 2013):

- Updated regions
- Updated several services with new features: CloudFront, Direct Connect, DynamoDB, EBS, ELB, EMR, Glacier, IAM, OpsWorks, RDS, Redshift, Route 53, Storage Gateway, and VPC
- Added AppStream Security
- Added CloudTrail Security
- Added Kinesis Security
- Added WorkSpaces Security

Changes since last version (May/June 2013):

- Updated IAM to incorporate roles and API access
- Updated MFA for API access for customer-specified privileged actions
- Updated RDS to add event notification, multi-AZ, and SSL to SQL Server 2012
- Updated VPC to add multiple IP addresses, static routing VPN, and VPC By Default
- Updated several other services with new features: CloudFront, CloudWatch, EBS, ElastiCache, Elastic Beanstalk, Route 53, S3, Storage Gateway
- Added Glacier Security
- Added Redshift Security
- Added Data Pipeline Security
- Added Transcoder Security
- Added Trusted Advisor Security
- Added OpsWorks Security
- Added CloudHSM Security

Changes since last version (May 2011):

- Reorganization to better identify infrastructure versus service-specific security
- Changed Control Environment Summary heading to AWS Compliance Program
- Changed Information and Communication heading to Management and Communication
- Changed Employee Lifecycle heading to Logical Access
- Changed Configuration Management heading to Change Management
- Merged Environmental Safeguards section with Physical Security section
- Incorporated information in Backups section into S3, SimpleDB, and EBS sections
- Update to certifications to reflect SAS 70 name change to SSAE 16 and addition of FedRAMP
- Update to Network Security section to add Secure Network Architecture and Network Monitoring and Protection
- Update to IAM to incorporate roles/key provisioning, virtual MFA, temporary security credentials, and single sign-on
- Update to regions to include new regions and GovCloud description
- Updated EBS, S3, SimpleDB, RDS, and EMR to clarify service and security descriptions
- Update to VPC to add configuration options, VPN, and Elastic Network Interfaces
- Addition of Amazon Direct Connect Security section
- Addition of Amazon Elastic Load Balancing Security
- Addition of AWS Storage Gateway Security
- Addition of AWS Import/Export Security
- Addition of Auto Scaling Security
- Addition of Amazon DynamoDB Security
- Addition of Amazon ElastiCache Security
- Addition of Amazon Simple Workflow Service (Amazon SWF) Security
- Addition of Amazon Simple Email Service (Amazon SES) Security
- Addition of Amazon Route 53 Security
- Addition of Amazon CloudSearch Security
- Addition of AWS Elastic Beanstalk Security
- Addition of AWS CloudFormation Security
- Updated glossary

Changes since last version (Aug 2010):

- Addition of AWS Identity and Access Management (AWS IAM)
- Addition of Amazon Simple Notification Service (SNS) Security
- Addition of Amazon CloudWatch Security
- Addition of Auto Scaling Security
- Update to Amazon Virtual Private Cloud (Amazon VPC)
- Update to Control Environment
- Removal of Risk Management because it has been expanded in a separate whitepaper

Changes since last version (Nov 2009):

- Major revision

Changes since last version (June 2009):

- Change to Certifications and Accreditations section to reflect SAS 70
- Addition of Amazon Virtual Private Cloud (Amazon VPC)
- Addition of Security Credentials section to highlight AWS Multi-Factor Authentication and Key Rotation
- Addition of Amazon Relational Database Service (Amazon RDS) Security

Changes since last version (Sep 2008):

- Addition of Security Design Principles
- Update of Physical Security information and inclusion of background checks
- Backup section updated for clarity with respect to Amazon EBS
- Update of Amazon EC2 Security section to include:
  - Certificate-based SSHv2
  - Multi-tier security group detail and diagram
  - Hypervisor description and Instance Isolation diagram
  - Fault Separation
- Addition of Configuration Management
- Amazon S3 section updated for detail and clarity
- Addition of Storage Device Decommissioning
- Addition of Amazon SQS Security
- Addition of Amazon CloudFront Security
- Addition of Amazon Elastic MapReduce Security

Notices
© 2010-2014 Amazon.com, Inc., or its affiliates. This document is provided for informational purposes only. It represents AWS's current product offerings as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS's products or services, each of which is provided "as is" without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
