AWS Security Center

Amazon Web Services (AWS) delivers a highly scalable cloud computing platform with high availability and reliability, and the flexibility to enable customers to build a wide range of applications. In order to provide end-to-end security and end-to-end privacy, AWS builds services in accordance with security best practices, provides appropriate security features in those services, and documents how to use those features. In addition, AWS customers must use those features and best practices to architect an appropriately secure application environment. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to AWS, as is maintaining trust and confidence.

AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, and other third-party attestations. This information assists customers in understanding the controls in place relevant to the AWS services they use and how those controls have been validated by independent auditors. This information also assists customers in their efforts to account for and to validate that controls are operating effectively in their extended IT environment.


Overview

At a high level, we’ve taken the following approach to secure the AWS infrastructure:

  • Physical Security. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access.
  • Secure Services. Each of the services within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand. For more information about the security capabilities of each service in the AWS cloud, consult the Amazon Web Services: Overview of Security Processes whitepaper.
  • Data Privacy. AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and redundancy procedures for services so that customers can gain greater understanding of how their data flows throughout AWS. For more information on the data privacy and backup procedures for each service in the AWS cloud, consult the Amazon Web Services: Overview of Security Processes whitepaper referenced above.

The AWS Security Center provides links to technical information, tools, and prescriptive guidance designed to help you build and manage secure applications in the AWS cloud. Our goal is to use this forum to proactively notify developers about security bulletins. Such transparency is the backbone of trust between AWS and our customers.

Background Information

Delivering a secure cloud computing platform involves implementing the many best practices that apply to on-premises infrastructure, plus a host of additional considerations unique to a hosted infrastructure environment. The Amazon Web Services: Overview of Security Processes whitepaper provides background information and an overview of the AWS philosophy in offering a secure cloud computing platform.

Security Features

AWS provides a number of ways for you to identify yourself and securely access your AWS account, the AWS services you have signed up for, and the resources hosted by these services. You can find the complete list of credentials that we support on the Security Credentials page under Your Account. We also provide additional security options that enable you to further protect your AWS account and control access: Identity and Access Management (IAM), Multi-Factor Authentication (MFA), Key Rotation, and Cloud Hardware Security Module (HSM).

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to create multiple Users and manage the permissions for each User within your AWS Account. A User is an identity (within a customer AWS Account) with unique security credentials that can be used to access AWS resources. IAM eliminates the need to share passwords or access keys and makes it easy to enable or disable a User’s access as appropriate.

IAM enables you to implement security best practices, such as least privilege, by assigning unique credentials to every User within your AWS Account and granting only the permissions Users need to access the AWS resources required for them to perform their jobs. IAM is secure by default; new Users have no access to AWS until permissions are explicitly granted.

IAM allows you to minimize the use of your AWS Account credentials. Instead, all interactions with AWS resources should occur in the context of IAM User security credentials. To learn more about AWS Identity and Access Management (IAM) visit our IAM page.

AWS Multi-Factor Authentication (AWS MFA)

AWS Multi-Factor Authentication (AWS MFA) is an additional layer of security that offers enhanced control over your AWS Account settings and the management of the AWS resources to which the account has subscribed. When you enable this opt-in feature, you’ll need to provide a six-digit single-use code in addition to your standard user name and password credentials before access is granted. You get this single-use code from an authentication device, or from a special application on a mobile phone, that you keep in your physical possession. This is called Multi-Factor Authentication because two factors are checked before access is granted to your account: you need to provide both your AWS email ID and password (the first “factor”: something you know) and the current code from your authentication device (the second “factor”: something you have). Multi-Factor Authentication can be enabled for your AWS Account as well as for the Users you have created under your AWS Account using IAM.

You can obtain an authentication device from a participating third-party provider, or download and install appropriate software on your mobile phone, and then set it up for use via the AWS website. More information about Multi-Factor Authentication is available here.

Key Rotation

For the same reasons it is important to change your password regularly, AWS recommends that you rotate your access keys and certificates on a regular basis. To let you do this without affecting your applications’ availability, AWS supports multiple concurrent access keys and certificates. With this feature, you can rotate keys and certificates into and out of operation on a regular basis without any downtime to your application. This helps to mitigate the risk from lost or compromised access keys or certificates. The IAM APIs enable you to rotate the access keys of your AWS Account as well as those of Users created under your AWS Account.

To learn more about this feature or to begin using key rotation, click here.
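Because IAM allows a User to hold two access keys at once, rotation can be done with no downtime in a fixed order: create the second key, switch the application to it, confirm the application still works, deactivate (not delete) the old key so it can be re-enabled if something was missed, confirm again, and only then delete the old key. The script below is an added example, not AWS's own tooling; it assumes an `iam` object exposing the IAM API calls `create_access_key`, `list_access_keys`, `update_access_key` and `delete_access_key` with boto3's keyword arguments and response shapes. `FakeIam` is a constructed in-memory stand-in so the example runs offline; in real use you would pass `boto3.client("iam")` instead.

```python
from itertools import count


class FakeIam:
    """Constructed stand-in for boto3.client('iam'); keys live in memory only."""
    MAX_KEYS = 2  # IAM allows at most two access keys per User

    def __init__(self):
        self._keys = {}          # user name -> list of key records
        self._seq = count(1)

    def create_access_key(self, UserName):
        keys = self._keys.setdefault(UserName, [])
        if len(keys) >= self.MAX_KEYS:
            raise RuntimeError("LimitExceeded: User already has two access keys")
        key = {"UserName": UserName,
               "AccessKeyId": f"AKIAEXAMPLE{next(self._seq):04d}",  # constructed id
               "Status": "Active",
               "SecretAccessKey": "constructed-secret-not-real"}
        keys.append(key)
        return {"AccessKey": dict(key)}

    def list_access_keys(self, UserName):
        # The secret is only ever returned at creation time, as in the real API.
        return {"AccessKeyMetadata": [{k: v for k, v in key.items() if k != "SecretAccessKey"}
                                      for key in self._keys.get(UserName, [])]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for key in self._keys.get(UserName, []):
            if key["AccessKeyId"] == AccessKeyId:
                key["Status"] = Status
                return {}
        raise KeyError(f"NoSuchEntity: {AccessKeyId}")

    def delete_access_key(self, UserName, AccessKeyId):
        keys = self._keys.get(UserName, [])
        remaining = [k for k in keys if k["AccessKeyId"] != AccessKeyId]
        if len(remaining) == len(keys):
            raise KeyError(f"NoSuchEntity: {AccessKeyId}")
        keys[:] = remaining
        return {}


def active_key_ids(iam, user):
    """Access key ids for `user` whose status is Active."""
    meta = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    return [k["AccessKeyId"] for k in meta if k["Status"] == "Active"]


def rotate_access_key(iam, user, old_key_id, switch_app, check_app):
    """Replace `old_key_id` with a fresh key, keeping the application available.

    switch_app(key_id, secret) reconfigures the application with new credentials;
    check_app() returns True if the application still works. Each step is
    reversible until the final delete, so a failed check leaves a working key."""
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(existing) >= FakeIam.MAX_KEYS:
        raise RuntimeError(f"{user} already has two keys; remove an unused one first")

    new = iam.create_access_key(UserName=user)["AccessKey"]
    switch_app(new["AccessKeyId"], new["SecretAccessKey"])
    if not check_app():
        # Roll back: the old key was never touched, so just discard the new one.
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("application failed with the new key; old key left active")

    # Deactivate rather than delete: anything still using the old key now fails
    # visibly, and the key can be reactivated while the stragglers are found.
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    if not check_app():
        iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Active")
        raise RuntimeError("something still depended on the old key; reactivated it")

    iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    return new["AccessKeyId"]


def demo():
    """Run one rotation against FakeIam; returns (old id, new id, active ids)."""
    iam = FakeIam()
    first = iam.create_access_key(UserName="app-user")["AccessKey"]
    app = {"key": first["AccessKeyId"], "secret": first["SecretAccessKey"]}

    def switch(key_id, secret):
        app["key"], app["secret"] = key_id, secret

    def check():  # the app "works" if its configured key is still Active
        return app["key"] in active_key_ids(iam, "app-user")

    new_id = rotate_access_key(iam, "app-user", first["AccessKeyId"], switch, check)
    return first["AccessKeyId"], new_id, active_key_ids(iam, "app-user")


if __name__ == "__main__":
    print(demo())
```

In practice `check_app` should exercise a real call the application makes with its credentials, and the window between deactivating and deleting the old key is where CloudTrail access-denied events for that key id reveal any forgotten consumer.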

AWS CloudHSM

AWS CloudHSM is a service that helps you meet stringent corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. While AWS data protection and security solutions exceed the regulatory and compliance requirements of most applications, CloudHSM is designed for applications where the use of HSM appliances for encryption and key storage is mandatory. Prior to CloudHSM, your only option may have been to use HSM appliances in your on-premises data centers. This may have prevented some applications from moving to the cloud, or reduced the performance of cloud-based applications that use HSMs because of the network delay between the cloud and your data centers. CloudHSM allows you to securely store and use encryption keys within HSM appliances in AWS data centers. With AWS CloudHSM, you maintain full ownership, control, and access to keys and sensitive data while Amazon manages the HSM appliances in close proximity to your applications and data. The physical proximity of CloudHSM appliances to your AWS workloads minimizes network latency and maximizes application performance. More information about AWS CloudHSM is available here.

AWS Public PGP Key

The AWS Security Team encourages customer communication. We have established processes for reporting security vulnerabilities and for requesting penetration testing. We have also created a signed PGP key for especially sensitive communications you may need to send.

Testimonial
“The improved computer security includes, but is not limited to, greater protection against network attacks and real time detection of system tampering.”

- Recovery Accountability and Transparency Board on the expected security benefits from moving Recovery.gov to the AWS cloud.

©2013, Amazon Web Services, Inc. or its affiliates. All rights reserved.