Using AWS for Criminal Justice Information Solutions

The CJIS Security Policy outlines the “appropriate controls to protect the full lifecycle of CJI (Criminal Justice Information), whether at rest or in transit,” irrespective of the underlying information technology model. By using solutions built on AWS, agencies can manage and secure their applications and data in the AWS cloud.

AWS provides building blocks that public safety agencies and their application partners can utilize to build highly available, resilient, and secure applications in alignment with the CJIS Security Policy. AWS customers maintain complete ownership and control over their data, which is enabled through access to simple, powerful, cloud native tools that allow them to manage the full life cycle of sensitive customer data. Customers exercise exclusive control over where data is stored and the methods used to secure data in transit and at rest, and manage access to their information systems built on AWS.

Properly securing Criminal Justice Information (CJI) and maintaining compliance with the CJIS Security Policy requires a number of security controls aimed at ensuring only authorized individuals have access to the CJI. The principal of least privilege is one of the most fundamental underpinnings of the CJIS Security Policy based on a "need-to-know, right-to-know" standard. AWS customers can enforce least privilege by securely encrypting their CJI and limiting all access to the CJI to only those with access to the encryption keys. Customers are provided AWS services and tools to enable their agencies and trusted partners to retain complete control and ownership over their own criminal justice data, such as AWS Key Management Service (KMS) and AWS Nitro System.

AWS KMS uses hardware security modules (HSMs) that have been validated under FIPS 140-2 and allow customers to create, own, and manage their own customer master keys for all encryption. These customer master keys never leave the AWS KMS FIPS validated hardware security modules unencrypted and are never known to AWS personnel.

The AWS Nitro System uses purpose-built hardware and servers designed specifically to run a virtual compute hypervisor—nothing more – removing all extra and unnecessary ports, components and capabilities found on traditional servers. The AWS Nitro System’s security model is locked down and prohibits administrative access, eliminating the possibility of human error and tampering. Customers can also choose AWS Nitro Enclaves which feature no persistent storage, no interactive access, and no external networking to create isolated compute environments to further protect and securely process highly sensitive data.

The technological advancements of the AWS Nitro System and the AWS Key Management Service using FIPS 140-2 validated hardware security modules for symmetric encryption keys have removed the need to engage in the traditional method of relying on physical security and background checks as a way to qualify an individual’s “access” to unencrypted CJI. While the traditional approach can help achieve minimum compliance under the CJIS Security Policy, it doesn’t compare to the security that can be achieved using strong encryption practices and the deployment of “least privilege” principles to restrict CJI access to those with a need-to-know, right-to-know, and your explicit authorization. This allows customers and application providers to build solutions that eliminate all AWS employees from having physical and logical access to CJI and devices that store, process, and transmit CJI.