AWS Panorama Security

Last Updated: October 20, 2021

The AWS Panorama Appliance helps you develop edge computer vision applications. We recommend using the AWS Panorama Appliance in a test environment before migrating to a production environment. We recommend carefully architecting your network to ensure that your cameras and the AWS Panorama Appliance are securely connected to the AWS Cloud.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud.

  • Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. Panorama is an extension of AWS cloud to your locations, and the same shared responsibility model of the cloud applies to the Panorama Appliance and the overall service.
  • Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors, including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

Customers who purchase the AWS Panorama Appliance are also responsible for the following:

  • Physical and logical network security of the AWS Panorama Appliance. Securely operating the network-attached cameras when you use the AWS Panorama Appliance. This includes securely connecting the cameras to the AWS Panorama Appliance and connectivity to the nearest AWS cloud region.
  • Applying software updates provided by AWS to the AWS Panorama Appliance, and keeping cameras connected to the AWS Panorama Appliance updated with the latest security patches and firmware.
  • Compliance with any applicable laws or regulations, including those associated with the content of the videos and images, applications, and workloads.
  • Factory resetting the AWS Panorama Appliance to wipe all data before returning it to AWS or transferring ownership.

The AWS Panorama service provides encryption in transit with TLS and encryption at rest. The AWS Panorama service uses the AWS Identity and Access Management service so that administrators can securely control access to the AWS Panorama Appliance and service. As a managed service, AWS Panorama is protected by the AWS global security procedures that are described in the Amazon Web Services: Overview of security processes whitepaper.

Secure network connectivity to/from AWS Panorama Appliance - We recommend deploying the AWS Panorama Appliance behind a network firewall and opening only the specific ports and protocols this appliance needs to communicate with the specific AWS API endpoints necessary for operation (AWS IP ranges). If the network connectivity between the customer site and the AWS Cloud traverses the Internet, we recommend using a Virtual Private Network (VPN) to encrypt this traffic. See here to set up a site-to-site IPsec VPN to an Amazon Virtual Private Gateway. To keep all traffic private and not exposed to the Internet, we also recommend using AWS Direct Connect, which provides private layer-2 connectivity between the customer site and the AWS Cloud.
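One way to turn the AWS IP ranges recommendation above into a default-deny egress allow-list, shown as an added example that is not AWS's own code. It assumes the layout of the published ip-ranges.json file; the sample prefixes are constructed from documentation address ranges, the region and service codes chosen are assumptions, and only IPv4 is handled.

```python
import ipaddress

# Constructed sample in the layout of AWS's ip-ranges.json. The prefixes are
# RFC 5737 documentation ranges, not real AWS address space.
SAMPLE_IP_RANGES = {
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
    ]
}


def build_allowlist(doc, region, services):
    """Return the collapsed IPv4 CIDRs for one region and a set of service codes."""
    nets = []
    for entry in doc.get("prefixes", []):
        if entry.get("region") == region and entry.get("service") in services:
            # IPv4Network is strict by default: host bits set means malformed input.
            nets.append(ipaddress.IPv4Network(entry["ip_prefix"]))
    if not nets:
        # Refuse to emit an empty rule set: a typo in the region name would
        # otherwise cut the appliance off from AWS without any error.
        raise ValueError(f"no prefixes for region={region!r} services={sorted(services)}")
    # Merge duplicates and adjacent blocks so the firewall carries fewer rules.
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(destination, allowlist):
    """Default deny: a destination passes only if it is inside a listed CIDR."""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    # Region and service codes here are assumptions for the demonstration.
    allow = build_allowlist(SAMPLE_IP_RANGES, "us-east-1", {"AMAZON", "S3"})
    for net in allow:
        print("allow egress to", net)
    for dest in ("192.0.2.200", "203.0.113.5"):
        print(dest, "->", "allow" if is_allowed(dest, allow) else "deny")
```

The published ranges change over time, so regenerate the allow-list whenever the file is updated rather than treating it as a one-time export.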

Even though the AWS Panorama Appliance has two Ethernet ports, it cannot be connected to two different networks at the same time. It can only be connected to one network, which will be used to connect to the cameras and also go out to the Internet.

For more information, refer to the AWS Panorama Developer Guide.