3. AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)
Asia Pacific (Seoul)
4. AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
São Paulo
EU Central (Frankfurt)
Asia Pacific (Tokyo)
China (Beijing)
Asia Pacific (Seoul)
Region
An independent collection of AWS resources in a
defined geography
A solid foundation for meeting location-dependent
privacy and compliance requirements
5. AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)
Asia Pacific (Seoul)
6. AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)
Asia Pacific (Seoul)
Availability Zone
Designed as independent failure zones
Physically separated within a typical metropolitan region
10. AWS Global Footprint
12 Regions
29 Availability Zones
64 Edge locations
Over 1 million active customers
Every day, AWS adds enough new server
capacity to support Amazon.com when it was a
$7 billion global enterprise.
11. Data Locality
Customer chooses where to place data
AWS regions are geographically isolated by
design
Data is not replicated to other AWS regions
and doesn’t move unless you choose to move it
13. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge
Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model
Customers are
responsible for
their security and
compliance IN
the Cloud
AWS is
responsible for
the security OF
the Cloud
14. AWS Shared Responsibility Model – Deep Dive
Will one model work for all services?
Infrastructure
Services
Container
Services
Abstract
Services
15. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones Edge
Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Platform & Applications Management
Customer content
Customers
AWS Shared Responsibility Model:
for Infrastructure Services
Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
Network Traffic Protection
Encryption / Integrity / Identity
AWSIAMCustomerIAM
Operating System, Network & Firewall Configuration
Server-Side Encryption
Fire System and/or Data
16. Infrastructure Service
Example – EC2
• Foundation Services — Networking, Compute, Storage
• AWS Global Infrastructure
• AWS IAM
• AWS API Endpoints
AWS
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
Customers
RESPONSIBILITIES
17. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones Edge
Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Firewall
Configuration
Platform & Applications Management
Operating System, Network Configuration
Customer content
Customers
AWS Shared Responsibility Model:
for Container Services
Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
Network Traffic Protection
Encryption / Integrity / Identity
AWSIAMCustomerIAM
18. Infrastructure Service
Example – RDS
• Foundational Services –
Networking, Compute, Storage
• AWS Global Infrastructure
• AWS IAM
• AWS API Endpoints
• Operating System
• Platform / Application
AWS
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users,
Table Permissions)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling
Customers
RESPONSIBILITIES
19. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones Edge
Locations
Platform & Applications Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model:
for Abstract Services
Managed by
Managed by
Data Protection by the Platform
Protection of Data at Rest
Network Traffic Protection by the Platform
Protection of Data at in Transit
(optional)
Opaque Data: 1’s and 0’s
(in flight / at rest)
Client-Side Data Encryption
& Data Integrity Authentication
AWSIAM
20. • Foundational Services
• AWS Global Infrastructure
• AWS IAM
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
AWS
• Customer Data
• Data Protection (Rest – CSE)
Customers
RESPONSIBILITIES
Infrastructure Service
Example – S3
21. Summary of Customer Responsibility in the Cloud
Customer IAM
AWS IAM
Firewall
Data
AWS IAM
Data
Applications
Operating System
Networking/Firewall
Data
Customer IAM
AWS IAM
Infrastructure
Services
Container
Services
Abstract
Services
23. Security Shared Responsibility Model
AWS is responsible
for the security OF
the cloud
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge
Locations
24. Auditing - Comparison
on-prem vs on AWS
Start with bare concrete
Functionally optional – you can build a secure
system without it
Audits done by an in-house team
Accountable to yourself
Typically check once a year
Workload-specific compliance checks
Must keep pace and invest in security innovation
on-prem
Start on base of accredited services
Functionally necessary – high watermark of
requirements
Audits done by third party experts
Accountable to everyone
Continuous monitoring
Compliance approach based on all workload
scenarios
Security innovation drives broad compliance
on AWS
25. What this means
You benefit from an environment built for the most security
sensitive organizations
AWS manages 1,800+ security controls so you don’t have to
You get to define the right security controls for your workload
sensitivity
You always have full ownership and control of your data
27. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge
Locations
Meet your own security objectives
Customer scope and
effort is reduced
Better results through
focused efforts
Built on AWS
consistent baseline
controls
Your own
external audits
Customers
Your own
accreditation
Your own
certifications
29. Shared Responsibility & Security By Design
Phase 1. Outline your requirements
• Outline your policies, controls you inherit from AWS
• Document controls you own and operate on AWS
Phase 2. Build a Golden Environment
• Define your AWS resources and controls as Code
Phase 3. Enforce with the use of Templates
• Templates presented to users within Service Catalogue as Products within Portfolios
Phase 4. Perform validation checks
• Deploying your environment through Service Catalogue as Gold Templates you make your
environment audit ready
30. GoldBase — Security Control Responsibility Matrix
NIST SP 800-53 rev. 4 control security control matrix