AWS Security Whitepaper
The AWS Security whitepaper is one of the most important whitepapers from the certification perspective.
Model of shared security responsibility
AWS Security Responsibilities
AWS is responsible for protecting the global infrastructure that runs all the services in the AWS cloud. This infrastructure includes the hardware, software and networking that run AWS services.
AWS provides several reports from third-party auditors who have verified compliance with a variety of computer security standards and regulations.
AWS is responsible for configuring the security of its managed services, e.g. RDS and DynamoDB.
For managed services, AWS manages basic security tasks such as database patching, firewall configuration, disaster recovery and the guest operating system (OS).
AWS Infrastructure as a Service products, e.g. EC2, VPC and S3, are all under your control and require that you perform all security configuration and management tasks.
You are responsible for management of the guest OS (including security patches), any software or utilities installed on instances, and configuration of the AWS-provided firewall (called a security group) on each instance.
You only need to set up logical access controls and protect account credentials for most managed services.
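The security-group configuration that falls on the customer side of the shared responsibility model is easy to get wrong, so the following added example (not part of the whitepaper or these notes) audits a list of security groups for administrative ports that are open to the whole Internet. The rule structure mirrors the IpPermissions shape returned by the EC2 DescribeSecurityGroups API; the group IDs, names and rules in SAMPLE_GROUPS are constructed for this example, and the ADMIN_PORTS list is an assumed organisational policy rather than an AWS definition.

```python
"""Audit EC2 security group ingress rules for world-open administrative ports.

The rule structure mirrors the IpPermissions entries returned by the EC2
DescribeSecurityGroups API. The sample groups below are constructed for this
example and do not correspond to any real account.
"""
from typing import Dict, List

# Assumption: ports that policy says must never be reachable from anywhere.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
# CIDR blocks that mean "the whole Internet" for IPv4 and IPv6.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample data in the DescribeSecurityGroups shape.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
        # HTTPS to the world is expected for a web tier.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # SSH restricted to a private range is fine.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-0example2", "GroupName": "legacy-admin", "IpPermissions": [
        # SSH open to the world: a finding.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # Protocol -1 means all protocols and ports, here open to all IPv6.
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def _port_range(rule: Dict) -> range:
    """Ports covered by one IpPermissions entry; IpProtocol -1 covers all ports."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)


def _world_open(rule: Dict) -> bool:
    """True if any IPv4 or IPv6 range in the rule is a world-open CIDR."""
    v4 = any(r.get("CidrIp") in WORLD_CIDRS for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") in WORLD_CIDRS for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def find_open_admin_ports(groups: List[Dict]) -> List[Dict]:
    """Return one finding per (group, admin port) reachable from the Internet."""
    findings: Dict[tuple, Dict] = {}
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _world_open(rule):
                continue
            ports = _port_range(rule)
            for port, service in ADMIN_PORTS.items():
                if port in ports:
                    # Keyed so overlapping rules don't report the same port twice.
                    findings[(sg["GroupId"], port)] = {
                        "GroupId": sg["GroupId"],
                        "GroupName": sg.get("GroupName", ""),
                        "Port": port,
                        "Service": service,
                    }
    return [findings[k] for k in sorted(findings)]


if __name__ == "__main__":
    for f in find_open_admin_ports(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Service']} port {f['Port']} open to the world")
```

In a real account the input list would come from the SecurityGroups key of the boto3 EC2 client's describe_security_groups() response; the check itself needs no network access, which keeps it usable in CI against exported configuration.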
AWS Compliance Program
AWS’s IT infrastructure is designed and managed to comply with security best practices.
SOC 2
SOC 3
FISMA, DIACAP and FedRAMP
DOD CSM Levels 1-5
PCI DSS Level 1
ISO 9001 / ISO 27001
ITAR
FIPS 140-2
MTCS Level 3
AWS also meets several industry-specific requirements, including:
Criminal Justice Information Services (CJIS)
Cloud Security Alliance (CSA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Motion Picture Association of America (MPAA)
Physical and Environmental Security
Storage Decommissioning
AWS procedures are used to decommission storage devices that have reached their end of useful life. This is to protect customer data from being exposed by unauthorised individuals.
AWS uses the DoD 5220.22-M (National Industrial Security Program Operating Manual) and NIST 800-88 (Guidelines for Media Sanitization) techniques to destroy data during the decommissioning process.
All magnetic storage devices that have been decommissioned are degaussed according to industry-standard procedures and physically destroyed.
Amazon Corporate Segregation
The AWS production network is separate from the Amazon corporate network. This requires a separate set of credentials for logical access.
Network Monitoring & Protection
AWS uses a variety of automated monitoring systems to ensure high service availability and performance. These tools monitor server and network usage, port scanning activity, application usage and unauthorised intrusion attempts. They can set thresholds for unusual activity and provide protection against traditional network security issues such as DDoS. AWS uses proprietary DDoS mitigation methods, and AWS's networks can be multi-homed with a variety of providers to ensure Internet access diversity.
Man in the Middle attacks
