2. AWS Cloud Governance: A Shared Responsibility Model
(diagram: governance may be centralized, decentralized, or hybrid, and spans the data, infrastructure, and application layers; design goals: scalable, highly available, accessible)
3. Governance…
“Governance implies control and oversight over
policies, procedures, and standards for application
development, as well as the
design, implementation, testing, and monitoring of
deployed services.”
Wayne Jansen, Timothy Grace, NIST SP 800-144: Guidelines on Security and Privacy in
Public Cloud Computing, January 2011.
URL: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
4. …is a Shared Responsibility
“Cloud Providers and Cloud Consumers collaboratively
design, build, deploy, and operate cloud-based systems.
The split of control means both parties now share the
responsibilities in providing adequate protections to the
cloud-based systems. Security is a shared
responsibility.”
Fang Liu, Jin Tong, Jian Mao, Robert Bohn, John Messina, Lee Badger and Dawn
Leaf, NIST SP 500-292: NIST Cloud Computing Reference Architecture, September
2011.
5. AWS Investments Establish a Trusted Foundation
Certifications
• SOC 1 Type 2 (formerly SAS 70)
• ISO 27001
• PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM
Physical Security
• Datacenters in nondescript facilities
• Physical access strictly controlled
• Must pass two-factor authentication at least twice for floor access
• Physical access logged and audited
HW, SW, Network
• Systematic change management
• Phased updates deployment
• Safe storage decommission
• Automated monitoring and self-audit
• Advanced network protection
6. Authorizations and ATOs
FISMA Moderate
ITAR Compliant Region (GovCloud)
DIACAP MAC III/Sensitive
7. SOC 1 Type 2 Replaces Statement on Auditing Standards No. 70 (SAS 70) Type II Report
Conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards.
Attests that AWS' control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively.
Our commitment to the SOC 1 report is ongoing, with planned periodic audits.
8. ISO 27001 Certification
AWS achieved ISO 27001 certification of our Information
Security Management System (ISMS) covering our
infrastructure, data centers, and services including Amazon
Elastic Compute Cloud (Amazon EC2), Amazon Simple
Storage Service (Amazon S3) and Amazon Virtual Private
Cloud (Amazon VPC).
Certifies our systematic and ongoing approach to managing
information security risks that affect the
confidentiality, integrity, and availability of company and
customer information.
AWS’s ISO 27001 certification includes all AWS data centers
in all regions worldwide and AWS has established a formal
program to maintain the certification.
A copy of our ISO certificate, available to AWS
customers, describes the ISMS services and geographic
scope.
9. Payment Card Industry (PCI) Data Security
Standard (DSS) Certification
PCI DSS is a standard that specifies best practices and security controls for handling cardholder data. Compliance with the standard requires organizations to:
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
12. AWS Cloud Governance Service Enablers (cont.)
Governance Area: AWS Technologies
Information Assurance (Processing):
• Corporate "Gold" Operating System Images
• VPC Workload Isolation
• Dedicated EC2 Instances
Information Assurance (Storage):
• S3 AES-256 Encryption
• Partner Extensions offer Boot Volume and EBS Volume Encryption
Information Assurance (Transmission):
• HW/SW VPN Connections
• Direct Connect
Network Security:
• Virtual Private Cloud
• Network ACLs
• Security Groups
• Virtual Private Gateways
• VPN Connections
13. AWS Cloud Governance Service Enablers (cont.)
Governance Area: AWS Technologies
Access Controls:
• Identity and Access Management Policies
• Bucket Policies
• EC2 Instance Roles
• Query String Authentication
• Access Control Lists
Identification and Authentication:
• Identity and Access Management
• Multi-Factor Authentication
• Group Policies and Roles
• Federated Identity Management API
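Two of the enablers above, S3 AES-256 encryption at rest (slide 12, Storage and Transmission rows) and bucket policies (slide 13, Access Controls row), are usually combined: the bucket policy is where the governance requirement "objects must be encrypted and must only travel over TLS" becomes an enforced control. The following is an added example, not code from the original slides or from AWS: it builds such a bucket policy and runs a simplified model of IAM condition evaluation over constructed request contexts, so you can see which requests the explicit Deny statements stop. The bucket name, object key and request contexts are hypothetical, and the evaluator covers only the four condition operators the policy uses.

```python
import fnmatch
import json

# Added example; the bucket name below is hypothetical.
BUCKET = "example-governance-bucket"


def bucket_policy(bucket: str) -> dict:
    """Bucket policy enforcing AES-256 server-side encryption at rest and
    TLS in transit through explicit Deny statements (Deny always wins)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Deny uploads that request any SSE algorithm other than AES256
                "Sid": "DenyNonAES256Uploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
            },
            {   # Deny uploads that omit the SSE header entirely
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # Deny every request on the bucket or its objects that did not use TLS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _condition_matches(op: str, key: str, expected: str, ctx: dict) -> bool:
    """Simplified model of IAM condition evaluation for the operators used
    above. ctx maps condition keys to the request's string values."""
    actual = ctx.get(key)
    if op == "Null":
        return (actual is None) == (expected == "true")
    if op == "StringEquals":
        return actual == expected
    if op == "StringNotEquals":
        # A missing key counts as "not equal"; the separate Null statement
        # makes that intent explicit for auditors reading the policy.
        return actual != expected
    if op == "Bool":
        return actual is not None and actual.lower() == expected.lower()
    raise ValueError(f"unsupported operator {op}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_denied(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """True if any Deny statement matches action and resource and every
    one of its conditions holds for the request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, ctx)
               for op, kv in conditions.items() for k, v in kv.items()):
            return True
    return False


POLICY = bucket_policy(BUCKET)
OBJECT = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"

# Constructed request contexts (not captured traffic): action, resource, context
REQUESTS = {
    "put_aes256_tls": ("s3:PutObject", OBJECT,
                       {"s3:x-amz-server-side-encryption": "AES256", "aws:SecureTransport": "true"}),
    "put_no_sse_header": ("s3:PutObject", OBJECT, {"aws:SecureTransport": "true"}),
    "put_kms_tls": ("s3:PutObject", OBJECT,
                    {"s3:x-amz-server-side-encryption": "aws:kms", "aws:SecureTransport": "true"}),
    "get_plain_http": ("s3:GetObject", OBJECT, {"aws:SecureTransport": "false"}),
}


def evaluate_all() -> dict:
    """Map each constructed request name to whether the policy denies it."""
    return {name: is_denied(POLICY, *req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, denied in evaluate_all().items():
        print(f"{name:20s} -> {'DENIED' if denied else 'allowed'}")
```

Only the upload that names AES256 and arrives over TLS gets through; the upload with `aws:kms` is denied because the policy mirrors the slide's "S3 AES 256 bit Encryption" control literally, so a deployment that also permits KMS-managed keys would list both values in the StringNotEquals condition. The evaluator is a teaching model of Deny-statement matching, not a replacement for the IAM policy simulator.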
14. AWS Cloud Governance Service Enablers (cont.)
Governance Area: AWS Technologies
Disaster Recovery and Continuity of Operations (Data):
• EBS Snapshots
• S3 Near-Line Storage
• Glacier Near-Offline Storage
• Storage Gateway
• Bulk Data Import/Export
• Managed AWS NoSQL/SQL Database Services
• Extensive 3rd Party Solutions
Disaster Recovery and Continuity of Operations (Workload):
• Elastic Load Balancers
• EC2 Auto Scaling
• Route 53 Latency Based Routing
• CloudFront Content Delivery Network
• Multi-AZ, Multi-Region Workload Deployment
15. AWS Cloud Governance Service Enablers (cont.)
Governance Area: AWS Technologies
Monitoring and Reporting:
• CloudWatch
• CloudWatch Alarms
• Simple Notification Service
16. References and Further Reading
Wayne Jansen, Timothy Grance, NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing, January 2011. URL: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
Fang Liu, Jin Tong, Jian Mao, Robert Bohn, John Messina, Lee Badger and Dawn Leaf, NIST SP 500-292: NIST Cloud Computing Reference Architecture, September 2011. URL: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
NIST SP 800-53 R3: Recommended Security Controls for Federal Information Systems and Organizations, August 2009. URL: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Amazon Web Services: Security and Accreditation Center: Certifications. URL: http://aws.amazon.com/security/#certifications