The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. It provides an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely.
The AWS cloud infrastructure is housed in AWS’s highly secure data centers, which utilize state-of-the-art electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, and access is authorized strictly on a least-privilege basis. All personnel must be screened when leaving areas that contain customer data. Environmental systems in the data centers are designed to minimize the impact of disruptions to operations, and multiple geographic regions and Availability Zones allow you to remain resilient in the face of most failure modes, including natural disasters or system failures.
The AWS infrastructure has been designed to provide optimum availability while ensuring complete customer privacy and segregation. For a complete list of all the security measures built into the AWS cloud infrastructure, platforms, and services, please read our Overview of Security Processes whitepaper.
The AWS infrastructure is protected by extensive network and security monitoring systems. These systems provide important security measures, such as basic distributed denial of service (DDoS) protection and password brute-force detection on AWS accounts. In addition, AWS infrastructure components are continuously scanned and tested. While some organizations perform vulnerability scanning on their resources once a quarter or once a month, we scan multiple times a day. And we scan from every possible angle: from within the same region as the resources being scanned as well as across Availability Zones (AZs) and regions.
The AWS production network is segregated from the Amazon corporate network and requires a separate set of credentials for access, consisting of SSH public-key authentication through a bastion host using an MFA token. This access is monitored and reviewed on a daily basis by AWS security managers.
Not only do we have a large staff of security experts at AWS, but we also have a large set of tools and systems that automate many of our security tasks, both large and small, covering everything from managing credentials to monitoring server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts.
We build most of these security tools ourselves because we tailor them to our unique environment and scale. Our automated scanning program alone decreased security engineering review time from hours to minutes per scan while increasing scanning velocity from dozens of hosts per day to thousands of hosts per day.
With these automated tools, we can enforce important security principles like least privilege and role segregation programmatically. We can then set custom metric thresholds for unusual activity and automatically alert the appropriate security experts or take the appropriate actions, leaving our security experts free to focus on critical issues that could potentially impact our customers.
We’re not only replacing failed hardware on a continuous basis, we’re always improving our infrastructure. We replace end-of-life hardware with the latest processors that not only improve performance, but also include security technologies such as the latest instructions for speeding up crypto operations (for example, the Intel AES-NI instructions for the AES algorithm and Intel RDRAND for random number generation) and the Trusted Platform Module chip for enabling hardware-based security features like secure storage and host software verification.
Because we know that some security features can impact performance, we also look for ways to reduce friction within existing security processes and services. For example, last year Amazon CloudFront added SSL Session Tickets, which saves client/server SSL negotiation information and therefore speeds up the negotiation process when the connection has to be resumed or restarted. These features operate behind the scenes and with no configuration work on your part, yet they speed up important security functions.
AWS builds its data centers in multiple geographic regions as well as across multiple Availability Zones within each region. Each Availability Zone is designed as an independent failure zone. This means that Availability Zones are physically separated within a region and are located in lower-risk areas. They are each fed via different grids from independent utilities to further reduce single points of failure. Availability Zones are all redundantly connected to multiple tier-1 transit providers.
In the unlikely case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
For customers who must meet specific security standards or regulations, AWS provides certification reports that describe how the AWS cloud infrastructure meets the controls required by these standards. AWS has achieved compliance with an extensive list of global security standards, including ISO 27001, SOC, the PCI Data Security Standard, the Australian Signals Directorate (ASD) Information Security Manual, and the Singapore Multi-Tier Cloud Security Standard (MTCS SS 584). We have been granted two separate FedRAMP Agency ATOs: one for the AWS GovCloud (US) Region, and the other covering the AWS US East/West regions. We are also one of the only public cloud service providers to have been granted a provisional authorization for DoD CSM Levels 1-5.
Each certification means that an auditor has verified that specific security controls are in place and operating as intended. You can view the applicable compliance reports by contacting your AWS account representative. For more information about the security regulations and standards with which AWS complies, see the AWS Compliance webpage.
The AWS Security Team encourages customer communication. We have established processes for:
We have created a signed PGP key for especially sensitive communications you may need to send. You can access it here.