The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. It provides an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely.
With the AWS cloud, not only are infrastructure headaches removed, but so are many of the security issues that come with them. AWS’s world-class, highly secure data centers utilize state-of-the art electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, and access is authorized strictly on a least privileged basis. Environmental systems are designed to minimize the impact of disruptions to operations. And multiple geographic regions and Availability Zones allow you to remain resilient in the face of most failure modes, including natural disasters or system failures.
The AWS virtual infrastructure has been designed to provide optimum availability while ensuring complete customer privacy and segregation. For a complete list of all the security measures built into the core AWS cloud infrastructure, platforms, and services, please read our Amazon Web Services: Overview of Security Processes whitepaper.
Not only are your applications and data protected by highly secure facilities and infrastructure, but they’re also protected by extensive network and security monitoring systems. These systems provide basic but important security measures such as distributed denial of service (DDoS) protection and password brute-force detection on AWS Accounts. Additional security measures include:
Because the AWS cloud infrastructure provides so many built-in security features, your primary focus can be the security of your guest OS and applications. AWS security engineers and solution architects have developed whitepapers and operational checklists to help you select the best options for your needs and recommend security best practices, such as storing secret keys and passwords in a secure manner and rotating or changing them frequently.
We know that it’s important for you to understand the protection measures that are used to guard the AWS cloud infrastructure. But since you can’t physically touch the servers or walk through the data centers, how can you be sure that the right security controls are in place?
The answer lies in the third-party certifications and evaluations that AWS has undergone. AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). We undergo annual SOC 1 audits and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.
Each certification means that an auditor has verified that specific security controls are in place and operating as intended. You can view the applicable compliance reports by contacting your AWS account representative. For more information about the security regulations and standards with which AWS complies, see the AWS Compliance webpage.
Because you’re building systems on top of the AWS cloud infrastructure, the security responsibilities will be shared: AWS manages the underlying infrastructure but you must secure anything you put on the infrastructure. This includes your AWS EC2 instances and anything you install on them, any accounts that access your instances, the security group that allows outside access to your instances, the VPC subnet that the instances reside within if you’ve chosen this option, the external access to your S3 buckets, etc.
This means that there are several security decisions you need to make and controls you must configure. For information on how to configure a particular AWS service, see the documentation for that service. For more tips on security best practices, see the list of security-related whitepapers, tutorials, and videos on our Security Resources page.
The AWS Security Team encourages customer communication. We have established processes for: