Zero Trust on AWS
Advancing your security model with a Zero Trust approach
Zero Trust is a security model centered on the idea that access to data should not be granted based solely on network location. It requires users and systems to strongly prove their identities and trustworthiness, and enforces fine-grained identity-based authorization rules before allowing them to access applications, data, and other systems. With Zero Trust, these identities often operate within highly flexible identity-aware networks that further reduce surface area, eliminate unneeded pathways to data, and provide straightforward outer security guardrails.
Moving to a Zero Trust security model starts with evaluating your workload portfolio and determining where the enhanced flexibility and security of Zero Trust would provide the greatest benefits. Then, you’ll apply Zero Trust concepts (rethinking identity, authentication, and other context indicators such as device state and health) in order to make real and meaningful security improvements over the status quo. To help you on this journey, a number of AWS identity and networking services provide core Zero Trust building blocks as standard features that can be applied to both new and existing workloads.
Video - re:Invent 2020 - Zero Trust: An AWS perspective (32:36)
Watch this video presentation about the AWS guiding principles for Zero Trust, how AWS embodies these principles with our services, and how AWS can help you on your own Zero Trust journey.
Blog - Zero Trust architectures: An AWS Perspective
Read about the AWS guiding principles for Zero Trust, explore common use cases, and learn how AWS services can help you build your Zero Trust architecture today.
Video - Security at scale: How Goldman Sachs manages network and access control (33:39)
Get a walkthrough of the evolution of Goldman Sachs' architecture and design to manage access control, including connection-level visibility, isolation boundaries, certificate-based service identities, enforcement of least privilege, and manageability at scale.
Guiding principles for building Zero Trust on AWS
Where possible, use identity and network capabilities together
Identity and network controls in AWS can oftentimes complement and augment one another to help you accomplish your specific security objectives. Identity-centric controls offer very strong, flexible, and fine-grained access controls. Network-centric controls enable you to easily establish well-understood perimeters within which identity-centric controls can operate. Ideally, these controls should be aware of and augment one another.
Work backwards from your specific use cases
There are a number of common use cases, such as workforce mobility, software-to-software communications, and digital transformation projects that can benefit from the enhanced security provided by Zero Trust. It is important to work backwards from each of the specific use cases that apply to your organization in order to determine the optimal Zero Trust patterns, tools, and approaches that achieve meaningful security advancements.
Apply Zero Trust to your systems and data in accordance with their value
You should think of Zero Trust concepts as additive to your existing security controls. By applying Zero Trust concepts in accordance with the organizational value of the system and data being protected, you can ensure that the benefits to your business are commensurate with the effort.
Featured customer story
Figma is the design platform for teams who build products together. Born on the Web, Figma helps teams create, share, test, and ship better designs—from start to finish.
“Protecting our users’ designs and ideas is paramount to Figma’s mission,” said Max Burkhardt, Staff Security Engineer. “Using features like AWS Application Load Balancers with OIDC authentication, Amazon Cognito, and Lambda serverless functions, the Figma Security Team was able to build next-gen defenses for our internal tooling, all while saving time and resources. We were able to build a strong zero-trust security model with minimal custom code, which has been a boon for our reliability.”
Zero Trust principles at work within AWS
Signing AWS API requests
Every day, each and every AWS customer interacts confidently and securely with AWS, making billions of AWS API calls over a diverse set of public and private networks. Each one of these signed API requests is individually authenticated and authorized every single time at rates of millions of requests per second globally. The use of network-level encryption using Transport Layer Security (TLS) combined with powerful cryptographic capabilities of the AWS Signature v4 signing process secures these requests without any regard to the trustworthiness of the underlying network.
AWS service-to-service interactions
When individual AWS services need to call each other, they rely on the same security mechanisms that you use as a customer. For example, the Amazon EC2 Auto Scaling service uses a service-linked role in your account to receive short-term credentials and call the Amazon Elastic Compute Cloud (Amazon EC2) APIs on your behalf in response to scaling needs. These calls are authenticated and authorized by AWS Identity and Access Management (IAM), just as your calls to AWS services are. Strong identity-centric controls form the basis of the security model between AWS services.
Zero Trust for IoT
AWS IoT provides the foundational components of Zero Trust to a technology domain where unauthenticated, unencrypted network messaging over the open internet was previously the norm. All traffic between your connected IoT devices and the AWS IoT services is sent over Transport Layer Security (TLS) using modern device authentication, including certificate-based mutual TLS. In addition, AWS added TLS support to FreeRTOS, bringing key foundational components of Zero Trust to a whole class of microcontrollers and embedded systems.
When two components don’t need to communicate, they shouldn’t be able to, even when residing within the same network segment. You can accomplish this by authorizing specific flows between the components. By eliminating unnecessary communication pathways, you are applying least privilege principles to better protect critical data. Depending on the nature of the systems, you can construct these architectures through dynamic microperimeters built using Security Groups, request signing through Amazon API Gateway, private connectivity through AWS PrivateLink, and more.
Secure workforce mobility
The modern workforce requires access to their business applications from anywhere without compromising security. You can accomplish this with services like Amazon WorkSpaces or Amazon AppStream 2.0, which stream applications as encrypted pixels to remote users while keeping data safely within your Amazon VPC. You can also accomplish this by securely connecting your internal applications directly to the Internet, using services like AWS Shield, AWS WAF, and Application Load Balancer with OpenID Connect (OIDC) authentication. This allows you to integrate with your existing identity provider (IdP), control application access through strong user and device authentication, leverage modern identity standards, and provide friction-free end-user access.
Digital transformation projects
Digital transformation projects often connect sensors, controllers, and cloud-based processing and insights, all operating entirely outside of the traditional enterprise network. To keep your critical IoT infrastructure protected, the family of AWS IoT services can provide end-to-end security over open networks, with device authentication and authorization offered as standard features.
Securely manage access to workloads and applications