Amazon Web Services (AWS) delivers a highly scalable cloud computing platform with high availability and reliability, and the flexibility to enable customers to build a wide range of applications. In order to provide end-to-end security and end-to-end privacy, AWS builds services in accordance with security best practices, provides appropriate security features in those services, and documents how to use those features. In addition, AWS customers must use those features and best practices to architect an appropriately secure application environment. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to AWS, as is maintaining trust and confidence.
AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, and other third-party attestations. This information assists customers in understanding the controls in place relevant to the AWS services they use and how those controls have been validated by independent auditors. This information also assists customers in their efforts to account for and to validate that controls are operating effectively in their extended IT environment.
At a high level, we’ve taken the following approach to secure the AWS infrastructure:
The AWS Security Center provides links to technical information, tools, and prescriptive guidance designed to help you build and manage secure applications in the AWS cloud. Our goal is to use this forum to proactively notify developers about security bulletins. Such transparency is the backbone of trust between AWS and our customers.
Delivering a secure cloud computing platform involves implementing numerous best practices for on-premises infrastructure as well as a host of additional considerations unique to a hosted infrastructure environment. The Amazon Web Services: Overview of Security Processes whitepaper provides background information and an overview of the AWS philosophy in offering a secure cloud computing platform.
AWS provides a number of ways for you to identify yourself and securely access your AWS account, the AWS services you have signed up for, and the resources hosted by these services. You can find the complete list of credentials that we support on the Security Credentials page under Your Account. We also provide additional security options that enable you to further protect your AWS account and control access: Identity and Access Management (IAM), Multi-Factor Authentication (MFA), Key Rotation, and AWS CloudHSM (a dedicated Hardware Security Module service).
AWS Identity and Access Management (IAM) enables you to create multiple Users and manage the permissions for each User within your AWS Account. A User is an identity (within a customer AWS Account) with unique security credentials that can be used to access AWS resources. IAM eliminates the need to share passwords or access keys and makes it easy to enable or disable a User’s access as appropriate.
IAM enables you to implement security best practices, such as least privilege, by assigning unique credentials to every User within your AWS Account and granting only the permissions Users need to access the AWS resources required for them to perform their jobs. IAM is secure by default; new Users have no access to AWS until permissions are explicitly granted.
IAM allows you to minimize the use of your AWS Account credentials. Instead, all interactions with AWS resources should occur in the context of IAM User security credentials. To learn more about AWS Identity and Access Management (IAM) visit our IAM page.
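The "no access until permissions are explicitly granted" rule above is the core of how IAM decides a request: deny by default, allow only when a policy statement explicitly allows, and let an explicit Deny override any Allow. The following is an added illustration written for this page, not AWS's evaluation engine and not code from the original; it models only Effect, Action and Resource (conditions, NotAction and resource-level policies are left out), and the policy documents and ARNs in it are constructed examples.

```python
"""Simplified model of IAM policy evaluation: default deny, explicit Allow
grants, explicit Deny always wins. Illustrative only; not AWS's engine."""
import fnmatch
import json

# Constructed policy in IAM's JSON syntax: read-only access to one bucket,
# with a carve-out that denies everything under a 'restricted/' prefix.
READ_ONLY_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::reports-bucket",
                   "arn:aws:s3:::reports-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::reports-bucket/restricted/*"
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case=False):
    """'*' and '?' wildcards as in IAM. Action names are case-insensitive,
    resource ARNs are case-sensitive."""
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """True only if some statement explicitly allows (action, resource) and
    no statement explicitly denies it. With no policies attached the answer
    is always False: that is the secure-by-default behaviour of a new User."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action, fold_case=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit Deny overrides any Allow
            if stmt["Effect"] == "Allow":
                allowed = True        # keep looking: a later Deny may still apply
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::reports-bucket/q1.csv"
    print("new user, no policy   :", is_allowed([], "s3:GetObject", obj))
    print("read-only policy, Get :", is_allowed([READ_ONLY_BUCKET_POLICY], "s3:GetObject", obj))
    print("read-only policy, Put :", is_allowed([READ_ONLY_BUCKET_POLICY], "s3:PutObject", obj))
    print("restricted prefix     :", is_allowed([READ_ONLY_BUCKET_POLICY], "s3:GetObject",
                                                "arn:aws:s3:::reports-bucket/restricted/x"))
```

The point to take from the model is the ordering: a broad `s3:*` Allow attached elsewhere would not rescue a request that hits the `restricted/` Deny, and granting a User nothing at all leaves every request denied, so least privilege is a matter of adding narrow Allow statements rather than trimming a wide one.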
AWS Multi-Factor Authentication (AWS MFA) adds a layer of security to your AWS Account settings and to the management of the AWS resources to which the account has subscribed. When you enable this opt-in feature, you must supply a six-digit, single-use code in addition to your user name and password before access is granted. The code comes from a hardware authentication device or from an application on a mobile phone that you keep in your physical possession. This is called multi-factor authentication because two factors are checked before access is granted to your account: your AWS email address and password (the first factor, something you know) and the current code from your authentication device (the second factor, something you have). MFA can be enabled for your AWS Account as well as for the Users you have created under your AWS Account using IAM.
It is easy to obtain an authentication device from a participating third party provider, or download and install appropriate software on your mobile phone, then set it up for use via the AWS website. More information about Multi-Factor Authentication is available here.
Just as it is important to change passwords periodically, AWS recommends that you rotate your access keys and certificates on a regular basis. So that you can do this without affecting your applications' availability, AWS supports multiple concurrent access keys and certificates: you can bring a new key or certificate into operation, switch your application over to it, and retire the old one, with no downtime. This limits the exposure from a lost or compromised access key or certificate. The IAM APIs let you rotate the access keys of your AWS Account as well as those of Users created under your AWS Account.
To learn more about this feature or to begin using key rotation, click here.
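The rotation procedure the paragraph above describes has a fixed order: create the second key, move the application onto it, deactivate the old key, and only delete the old key once nothing is still using it. The block below is an added example written for this page, not AWS's own tooling or code from the original. `rotate_access_key` and `delete_inactive_keys` call only methods that exist on a boto3 IAM client (`list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`) with their real parameter names, so a real `boto3.client("iam")` can be passed in; the `FakeIAM` class is a constructed in-memory stand-in so the example runs offline, and the two-keys-per-user limit it enforces is IAM's actual limit.

```python
"""Zero-downtime IAM access-key rotation. Added example; not AWS code.
Works with a boto3 IAM client; FakeIAM is a constructed offline stand-in."""

MAX_KEYS_PER_USER = 2  # IAM permits at most two access keys per User


def rotate_access_key(iam, user_name, activate_new_key):
    """Create a second key, hand it to the app via activate_new_key(id, secret),
    then deactivate (not delete) the old one. Returns the new AccessKeyId."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= MAX_KEYS_PER_USER:
        # Both slots used: clear leftover inactive keys, refuse if both are active.
        inactive = [k for k in existing if k["Status"] == "Inactive"]
        if not inactive:
            raise RuntimeError("two active keys already; finish the previous rotation first")
        for k in inactive:
            iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
        existing = [k for k in existing if k["Status"] == "Active"]

    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    try:
        activate_new_key(new["AccessKeyId"], new["SecretAccessKey"])
    except Exception:
        # The app never took the new key, so remove it and leave the old one untouched.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise

    for old in existing:
        # Deactivate rather than delete: an Inactive key can be re-enabled if
        # some forgotten consumer turns out to still depend on it.
        iam.update_access_key(UserName=user_name, AccessKeyId=old["AccessKeyId"],
                              Status="Inactive")
    return new["AccessKeyId"]


def delete_inactive_keys(iam, user_name):
    """Run after a grace period with no errors from the old key. Returns deleted ids."""
    deleted = []
    for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if k["Status"] == "Inactive":
            iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
            deleted.append(k["AccessKeyId"])
    return deleted


class FakeIAM:
    """Constructed in-memory stand-in mirroring boto3 IAM method names and
    response shapes, including the two-key limit. Not a real client."""

    def __init__(self):
        self._keys = {}
        self._n = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k["AccessKeyId"], "Status": k["Status"]}
                                      for k in self._keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        keys = self._keys.setdefault(UserName, [])
        if len(keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded")
        self._n += 1
        key = {"AccessKeyId": f"AKIAFAKE{self._n:012d}", "Status": "Active",
               "SecretAccessKey": f"constructed-secret-{self._n}"}
        keys.append(key)
        return {"AccessKey": dict(key)}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self._keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
                return {}
        raise KeyError(AccessKeyId)

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName] = [k for k in self._keys[UserName] if k["AccessKeyId"] != AccessKeyId]
        return {}


if __name__ == "__main__":
    iam = FakeIAM()
    first = iam.create_access_key(UserName="deploy")["AccessKey"]["AccessKeyId"]
    app_config = {}
    new = rotate_access_key(iam, "deploy", lambda kid, sec: app_config.update(key=kid, secret=sec))
    print("after rotation:", iam.list_access_keys(UserName="deploy")["AccessKeyMetadata"])
    print("deleted after grace period:", delete_inactive_keys(iam, "deploy"))
```

The deactivate-then-delete split is the part worth keeping even when scripting this for real: deletion is irreversible, while an Inactive key lets you recover from a consumer you overlooked, and the rollback branch ensures a failed deployment of the new key never leaves the User with a second live credential nobody is tracking.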
AWS CloudHSM is a service that helps you meet stringent corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. While AWS data protection and security solutions exceed the regulatory and compliance requirements of most applications, CloudHSM is designed for applications where the use of HSM appliances for encryption and key storage is mandatory. Prior to CloudHSM, your only option may have been to use HSM appliances in your on-premises data centers. This may have prevented some applications from moving to the cloud, or reduced the performance of cloud-based applications that use HSMs because of the network delay between the cloud and your data centers. CloudHSM allows you to securely store and use encryption keys within HSM appliances in AWS data centers. With AWS CloudHSM, you maintain full ownership, control, and access to keys and sensitive data while Amazon manages the HSM appliances in close proximity to your applications and data. The physical proximity of CloudHSM appliances to your AWS workloads minimizes network latency and maximizes application performance. More information about AWS CloudHSM is available here.
The AWS Security Team encourages customer communication. We have established processes for reporting security vulnerabilities and for requesting penetration testing. We have also created a signed PGP key for especially sensitive communications you may need to send.