4. AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers (You) are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
5. AWS Shared Responsibility Model (same diagram as slide 4: AWS secures the Foundation Services and Global Infrastructure; the customer secures content, platform/applications/IAM, OS/network/firewall configuration, client- and server-side data encryption, and network traffic protection)
6. AWS strengthens your security posture
• Leverage security enhancements from 1M+ customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
• Over 50 global compliance certifications and accreditations
“We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers.”
Rob Alexander - CIO, Capital One
7. Security Audits: On-premises vs. On AWS
On-prem:
• Start with bare concrete
• Functionally optional – you can build a secure system without it
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
On AWS:
• Start on a base of accredited services
• Functionally necessary – high watermark of requirements
• Audits done by third-party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance
8. What this means
• You benefit from an environment built for the most security-sensitive organizations
• AWS manages 1,800+ security controls so you don’t have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
9. AWS: more assurance programs than anyone
Certifications / Attestations:
• ISO 27001
• ISO 27017
• ISO 27018
• PCI DSS Level 1
• DoD SRG
• FedRAMP
• FIPS
• IRAP [Australia]
• MLPS Level 3 [China]
• MTCS Tier 3 [Singapore]
• SEC Rule 17a-4(f)
• SOC 1, SOC 2, SOC 3
Laws, Regulations, and Privacy:
• HIPAA
• IRS 1075
• ITAR
• FERPA
• CS Mark [Japan]
• DNB [Netherlands]
• EAR
• Gramm-Leach-Bliley Act (GLBA)
• HITECH
• My Number Act [Japan]
• DPA – 1998 [U.K.]
• VPAT / Section 508
• EU Data Protection Directive [EU]
• Privacy Act [Australia & New Zealand]
• PDPA – 2010 [Malaysia & Singapore]
Alignments and Frameworks:
• CJIS
• FISMA
• GxP
• CLIA
• CMS Edge
• FISC [Japan]
• FDA
• MPAA
• CMSR
• FedRAMP TIC
• G-Cloud [U.K.]
• PHR
• IT Grundschutz [Germany]
• MITA 3.0
• NERC
• NIST
10. Meet your own security objectives
• Customer scope and effort is reduced
• Better results through focused efforts
• Built on AWS consistent baseline controls
Diagram: You (your own external audits, your own accreditation, your own certifications) built on the AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
13. North America
• US East (N. Virginia) Region: 5 EC2 Availability Zones
• US West (Oregon) Region: 3 EC2 Availability Zones
• US West (N. California) Region: 3 EC2 Availability Zones
• AWS GovCloud (US) Region: 2 EC2 Availability Zones
• Canada (Montreal) Region: Announced
• US Central (Ohio) Region: 3 EC2 Availability Zones
AWS Edge Locations
United States - Ashburn, VA (3), Atlanta, GA (2), Chicago, IL, Dallas/Fort Worth, TX (2), Hayward, CA, Jacksonville, FL, Los Angeles, CA (2), Miami, FL, New York, NY (3), Newark, NJ, Palo Alto, CA, San Jose, CA, Seattle, WA, South Bend, IN, St. Louis, MO
Canada - Montreal, QC, Toronto, ON
14. Data Locality
• Customer chooses where to place data
• AWS regions are geographically isolated by design
• Data is not replicated to other AWS regions and doesn’t move unless you choose to move it
15. Data Locality in practice
Block-level storage:
• Instance Storage (Elastic Compute Cloud - EC2)
• Elastic Block Store (EBS)
Object-level storage:
• Simple Storage Service (S3)
Database storage:
• Relational Databases (RDS)
• NoSQL (DynamoDB)
• Data Warehouse (Redshift)
• Caching (ElastiCache)
16. AWS Shared Responsibility Model Deep Dive
One model for all? The split differs by service type:
• Infrastructure Services
• Managed Services
• Abstract Services
17. AWS Security Tools
• Encryption: Key Management Service, CloudHSM, Server-side Encryption
• Networking: Virtual Private Cloud, Web Application Firewall
• Compliance: Config, CloudTrail & Inspector, Service Catalog
• Identity: IAM, Active Directory Integration, SAML Federation
18. AWS Shared Responsibility Model: Infrastructure Services
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers (You) are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption, Integrity, Identity)
19. Infrastructure Service Example: Amazon EC2
AWS:
• AWS Networking, Compute & Storage Services
• AWS Global Infrastructure
• AWS API Endpoints
You:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)
20. AWS Shared Responsibility Model: Managed Services
AWS is responsible for:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Platform, Operating System, Network Configuration
Customers (You) are responsible for:
• Customer content
• Identity & Access Management
• Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption, Integrity, Identity)
21. Managed Service Example: Amazon RDS
AWS:
• AWS Networking, Compute, Storage Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
You:
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling
22. AWS Shared Responsibility Model: Abstract Services
AWS is responsible for:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Platform & Application Management
• Operating System & Networking Configuration
• Firewall Configuration
Customers (You) are responsible for:
• Customer content
• Identity & Access Management
• Client-Side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption, Integrity, Identity)
23. AWS Shared Responsibility Model: Abstract Services
AWS is responsible for:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Data Protection by the Platform (at rest)
• Network Traffic Protection by the Platform (in transit)
Customers (You) are responsible for:
• Customer content
• Client-Side Data Encryption & Data Integrity Authentication
• Identity & Access Management
24. Abstract Service Example: Amazon S3
AWS:
• Foundational Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
You:
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
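In the S3 split above, the platform performs server-side encryption (SSE), while the customer owns the decision to require it, any client-side encryption (CSE), and the IAM policies that govern access. The bucket policy below is an added example, not part of the original deck, of how a customer enforces that choice: it denies any PutObject that does not request SSE with AWS KMS. The bucket name EXAMPLE-BUCKET is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectWithoutSSEKMS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyPutObjectWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

The first statement rejects uploads that ask for a different encryption mode; the second rejects uploads that send no encryption header at all, which is the same two-statement pattern AWS uses in its own S3 documentation for this purpose. Two caveats for a practitioner: since January 2023 S3 applies SSE-S3 to new objects by default, so a policy like this matters when you specifically want SSE-KMS (and the key-usage audit trail it gives you in CloudTrail), not merely encryption at rest; and the policy governs only what enters the bucket through the API, so client-side encryption of sensitive fields before upload remains the customer's own control, exactly as the slide places it.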
25. Summary of Shared Responsibility in AWS (customer responsibilities by service type)
• Infrastructure Services: Applications, Operating System, Networking/Firewall, Data, Customer IAM, AWS IAM
• Managed Services: Customer IAM, AWS IAM, Firewall, Data
• Abstract Services: AWS IAM, Data
26. AWS Security & Compliance Training
AWS Security Fundamentals
• 3-hour eLearning course
• Target audience – Security Auditors/Analysts
• It’s Free
AWS Security Operations
• 3-day Instructor-Led Training
• Target audience – Security Engineers/Architects
• 12 Modules + Labs
Self-paced labs available on http://qwiklabs.com
https://aws.amazon.com/training/course-descriptions/