The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. It provides an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely.
With the AWS cloud, not only are infrastructure headaches removed, but so are many of the security issues that come with them. AWS’s world-class, highly secure data centers utilize state-of-the-art electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, and access is authorized strictly on a least-privilege basis. Environmental systems are designed to minimize the impact of disruptions to operations. And multiple geographic regions and Availability Zones allow you to remain resilient in the face of most failure modes, including natural disasters or system failures.
The AWS virtual infrastructure has been designed to provide optimum availability while ensuring complete customer privacy and segregation. For a complete list of all the security measures built into the core AWS cloud infrastructure, platforms, and services, please read our Overview of Security Processes whitepaper.
Not only are your applications and data protected by highly secure facilities and infrastructure, but they’re also protected by extensive network and security monitoring systems. These systems provide basic but important security measures such as distributed denial of service (DDoS) protection and password brute-force detection on AWS Accounts. Additional security measures include:
- Secure access – Customer access points, also called API endpoints, allow secure HTTP access (HTTPS) so that you can establish secure communication sessions with your AWS services using SSL/TLS.
- Built-in firewalls – You can control how accessible your instances are by configuring built-in firewall rules – from totally public to completely private, or somewhere in between. And when your instances reside within a Virtual Private Cloud (VPC) subnet, you can control egress as well as ingress.
- Unique users – The AWS Identity and Access Management (IAM) tool allows you to control the level of access your own users have to your AWS infrastructure services. With AWS IAM, each user can have unique security credentials, eliminating the need for shared passwords or keys and allowing the security best practices of role separation and least privilege.
- Multi-factor authentication (MFA) – AWS provides built-in support for multi-factor authentication (MFA) for use with your root AWS Account as well as individual IAM user accounts under it.
- Private Subnets – The AWS Virtual Private Cloud (VPC) service allows you to add another layer of network security to your instances by creating private subnets and even adding an IPsec VPN tunnel between your home network and your AWS VPC.
- Encrypted data storage – Customers can have the data and objects they store in Amazon EBS, Amazon S3, Glacier, Redshift, and Oracle and SQL Server RDS encrypted automatically using Advanced Encryption Standard (AES) 256, a secure symmetric-key encryption standard using 256-bit encryption keys.
- Dedicated connection option – The AWS Direct Connect service allows you to establish a dedicated network connection from your premises to AWS. Using industry-standard 802.1Q VLANs, this dedicated connection can be partitioned into multiple logical connections to enable you to access both public and private IP environments within your AWS cloud.
- Perfect Forward Secrecy – For even greater communication privacy, several AWS services such as Elastic Load Balancer and Amazon CloudFront offer newer, stronger cipher suites. These cipher suites allow SSL/TLS clients to use Perfect Forward Secrecy, a technique that uses session keys that are ephemeral and not stored anywhere. This prevents the decoding of captured data, even if the secret long-term key itself is compromised.
- Security logs – AWS CloudTrail provides logs of all user activity within your AWS account. You can see what actions were performed on each of your AWS resources and by whom. The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
- Isolated GovCloud – For customers who require additional measures in order to comply with US ITAR regulations, AWS provides an entirely separate region called AWS GovCloud (US) that provides an environment where customers can run ITAR-compliant applications, and provides special endpoints that utilize FIPS 140-2 encryption.
- CloudHSM – For customers who must use Hardware Security Module (HSM) appliances for cryptographic key storage, AWS CloudHSM provides a highly secure and convenient way to store and manage keys.
- Trusted Advisor – Provided automatically when you sign up for premium support, the Trusted Advisor service is a convenient way for you to see where you could use a little more security. It monitors AWS resources and alerts you to security configuration gaps such as overly permissive access to certain EC2 instance ports and S3 storage buckets, minimal use of role segregation using IAM, and weak password policies.
Because the AWS cloud infrastructure provides so many built-in security features, you can simply focus on the security of your guest OS and applications. AWS security engineers and solution architects have developed whitepapers and operational checklists to help you select the best options for your needs and recommend security best practices, such as storing secret keys and passwords in a secure manner and rotating or changing them frequently.
Because we know that some security features can impact performance, we look for ways to reduce friction within existing security processes. For example, this year Amazon CloudFront added SSL Session Tickets, which save client/server SSL negotiation information and therefore speed up the negotiation process when the connection has to be resumed or restarted.
We also introduced OCSP Stapling, which reduces the work the client has to do in verifying the certificate authority (CA) during SSL negotiations. These features operate behind the scenes and with no configuration work on your part, yet they speed up important security functions.
And we continue to look for ways to strengthen the security processes you already depend on. For example, we added the option to several services for advanced cipher suites that use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol. ECDHE allows SSL/TLS clients to provide Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This prevents the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised.
None of these new features make us any money. They simply make our customers happier.
Because you’re building systems on top of the AWS cloud infrastructure, the security responsibilities will be shared: AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure or connect to the infrastructure. The amount of security configuration work you have to do varies depending on how sensitive your data is and which services you select.
For IaaS services like Amazon EC2 and Amazon S3, you have more control and therefore more configuration work to do. For EC2 instances, you’re responsible for patching the guest OS on the instances as well as any software you install on them, configuring the security group (firewall) that allows outside access to your instances, and setting up any VPC subnets that the instances reside within, etc. For Amazon S3, you must set the access control policies for each of your storage buckets, set up encryption options for the stored data, and specify backup and archiving preferences.
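The security group configuration described above is the customer's side of the shared model, so it is worth auditing regularly. The following added example (not AWS's own code) scans JSON in the shape returned by `aws ec2 describe-security-groups` for ingress rules open to the whole internet; the sample data, the group IDs, and the policy that only TCP 80 and 443 may be public are constructed assumptions.

```python
import ipaddress

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example0db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example0old", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

ALLOWED_PUBLIC_PORTS = {80, 443}  # assumption: only web ports may face the internet


def is_world(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_findings(doc, allowed=ALLOWED_PUBLIC_PORTS):
    """Return (group_id, protocol, port_range, cidr) for each risky ingress rule."""
    findings = []
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            proto = perm.get("IpProtocol")
            if proto == "-1":  # "-1" means all protocols and all ports
                ports, exposed = "all", True
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                ports = f"{lo}-{hi}"
                # A range is acceptable only if every port in it is allowed.
                exposed = (proto != "tcp" or lo is None or hi is None
                           or any(p not in allowed for p in range(lo, hi + 1)))
            for cidr in cidrs:
                if exposed and is_world(cidr):
                    findings.append((group["GroupId"], proto, ports, cidr))
    return findings


if __name__ == "__main__":
    for finding in world_open_findings(SAMPLE):
        print(finding)
```

Rules restricted to a private CIDR, such as the database group in the sample, are not reported even when the port is sensitive, because the check targets exposure to every address.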
For PaaS services like Amazon RDS, Redshift, or WorkSpaces, you have less security configuration to do. For these services, you don’t have to worry about launching and maintaining instances or patching the guest OS or applications—AWS handles that for you. For these managed services, backups are performed automatically, firewalls are configured, and databases are replicated.
However, there are certain security features—such as individual IAM user accounts and credentials, HTTPS for data transmissions, and user activity logging—that you should configure no matter which AWS services you use.
For information on how to configure a particular AWS service, see the documentation for that service. For more tips on security best practices for AWS resources, see the list of security-related whitepapers, articles, and videos on our Security Resources page.
We know that it’s important for you to understand the protection measures that are used to guard the AWS cloud infrastructure. But since you can’t physically touch the servers or walk through the data centers, how can you be sure that the right security controls are in place?
The answer lies in the third-party certifications and evaluations that AWS has undergone. AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). We undergo annual SOC 1 audits and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.
Each certification means that an auditor has verified that specific security controls are in place and operating as intended. You can view the applicable compliance reports by contacting your AWS account representative. For more information about the security regulations and standards with which AWS complies, see the AWS Compliance webpage or the AWS Risk and Compliance whitepaper.
The AWS Security Team encourages customer communication. We have established processes for:
We have created a signed PGP key for especially sensitive communications you may need to send. You can access it here.