8/11/2019 Public Cloud Providers
Analysis of Amazon S3 Cloud Services
Joseph Beckman
Matthew Riedle
Hans Vargas
Purdue University
Author's Note
Joseph Beckman, Ph.D. Student, Center for Education and Research in Information
Assurance and Security (CERIAS), Purdue University
Matthew Riedle, M.S. Student, Cyber Forensics in Computer Information Technology,
Purdue University
Hans Vargas, M.S. Student, Center for Education and Research in Information Assurance
and Security (CERIAS), Purdue University.
This research was supported by Dr. Brandeis Marshall and Dr. Melissa Dark as part of
the INSuRE (Information Security Research and Education) Research Grant, as well as by the
National Security Agency (NSA), which sponsored the work and provided unclassified problems to be
researched.
Correspondence concerning this paper should be addressed to Joseph Beckman, Matthew
Riedle, and Hans Vargas, Purdue University, West Lafayette, IN 47906
Abstract
Distributed computing is a familiar concept within computer science. Public distributed
computing, better known as cloud computing services, is a relatively new concept in the
marketplace. In recent years, individuals, corporations, and government agencies have begun to
leverage the resources of the Internet to perform tasks that had previously been limited to in-
house computer networks. Providers of these resources, collectively referred to as Cloud
Service Providers (CSPs), tout numerous benefits of their use, including the reduction of IT
costs. Prospective customers, however, should take a serious look at the risks, vulnerabilities,
and threats that may arise when relocating their resources to the cloud. The impacts of
cloud usage upon information security as it relates to confidentiality are not well understood, and
for that reason our research focuses on the Amazon S3 cloud storage service as a case study in
confidentiality, from which to provide recommendations for improvement to existing
cloud security frameworks.
Keywords: Amazon S3, AWS, Confidentiality, Cloud Computing, CSP, FedRAMP, 3PAO
Analysis of Amazon S3 Cloud Services
Introduction
Previous work2 categorizing risks within cloud computing identified threat and
vulnerability profiles of three major CSPs, comparing them against security controls required by
FedRAMP in order to approve federal agencies' migration of services to the cloud. This
project will focus primarily on federal agencies as the customer base of cloud services, but will
also take into consideration that private sector customers would benefit from security
guidelines established by FedRAMP adopters.
Amazon Web Services (AWS) was one of the first CSPs to be deemed compliant with
FedRAMP cloud storage service security guidelines, which certified Amazon's S3 cloud storage
service for use by United States federal government agencies. This project will attempt to
describe and explain the existence, usability and effectiveness of these security features related to
Amazon S3 with respect to the protection of confidentiality within the Infrastructure-as-a-
Service (IaaS) domain. It will also lay the groundwork for updating and adapting the existing
guidelines to more efficiently audit CSPs, as well as provide analysis based on open source
intelligence regarding the realization of vulnerabilities, adoption of remedial actions from
providers and customers.
2 Vargas and Toriola (2012), Public Cloud Providers: A Risk Matrix.
Motivation
The aim of this project, through the evaluation of Amazon S3 cloud services and the re-
evaluation of the FedRAMP cloud services security guidelines, is to bring a greater level of
security to information stored in the cloud. Increasing the level of security in the cloud is an
important act to the field of information security, to the United States government, and to anyone
who uses cloud services. While this project will focus on the cloud security policies and
processes of the United States federal government, it has the potential to impact much of the
world's population because of the widespread use of services like free e-mail, which operate
mainly as cloud services.
Efforts to bring greater security to the cloud face many challenges that will impact this
project. The nature of cloud services, and one of the greatest benefits of this architecture, is the
lack of exposure of the systems back-end processes to the user. When evaluating the security of
such a system, however, the inability to examine these processes directly reduces the
effectiveness and meaningfulness of a security audit. Additionally, the cloud environment is very
dynamic; services are added, changed, and removed often as user needs and behaviors change.
As a result, our ability to produce changes to any security auditing framework that will be
durable and enduring will be limited to studying the effects that are possible to analyze
from the standpoint of a normal commercial service deployment.
While not being able to see the full impact of this project, we know that it is a relevant
issue to everyone. The motivation that is driving us to address this problem is the potential for its
solution to have wide-ranging impacts on any customer using web storage services.
Previous Work
Initial work on this project, related to Public Cloud Providers, was conducted during the
Fall 2012 semester. That research presented an overview of the three major cloud service
providers (Amazon, Microsoft, and Google) and determined common threats and
vulnerabilities. Another important aspect was the evaluation of security controls available to
mitigate risk, specifically when Federal Agencies were considering transferring services to the
cloud. Institutions like FedRAMP (based on NIST standards) and CSA were consulted as
providers of guidelines and benchmarks for security in the cloud, as well as other, more specific
risk frameworks. As a result, a risk matrix was developed that displayed a match between risk
and security controls.
The trend towards moving services to cloud computing is relatively new, and existing
literature on the topic of security in cloud computing tends to focus on one or more of three
areas: analyzing the security of cloud service providers' (CSPs') environments, providing an
overview of the security landscape of cloud deployment models3, or creating an overall
framework for a more secure use of the cloud. Each of these three themes is addressed from
various perspectives, although comparisons tend to be rather straightforward and technical
(Batten, 2012)(Shraer, 2010)(Agrawal, 2010). Some of the work providing an overview of cloud
security discusses security in the cloud from the perspective of a particular discipline, such as
business (Gurkok, 2013). Others focus on aspects of the cloud security landscape like
institutional impact (Ksherti, 2013), or technical vulnerabilities (Marinescu, 2013). Given the
variety of missions being addressed by the myriad government agencies that may derive benefit
from and consider using Infrastructure-as-a-Service in the cloud, literature using all of these
3IaaS, PaaS, SaaS.
levels offered by CSPs. In order to accomplish this, BSI6 guidelines, which establish
minimum security requirements for cloud providers, were used, as they describe security levels
for the K.O. (knock-out) criteria matrix. These criteria attempt to assess the security level of
cloud providers, with emphasis on Amazon as a cloud provider. The BSI guidelines represent one
type of benchmark, similar to other efforts (FedRAMP in the US) that attempt to determine a
security level.
Similarly, potential users of cloud services could benefit from the existence of a cloud
certification authority that ensures the transparency of CSPs with respect to their security levels.
Such a level of security could be determined by using the K.O. criteria, providing customers with
better tools to choose cloud providers based on their security capabilities. Increasingly,
CSPs are partnering with specialized security providers, in a Security-as-a-Service model, to
enhance the level of security for their customers. These services are directly
aimed at increasing confidentiality rather than availability7.
According to Xiaoqi Ma (2012), the analysis of potential security risks related to cloud
services, as they relate to confidentiality, integrity and availability (CIA), attempts to provide
answers focused on privacy. From data privacy protection to data integrity in cloud services, his
research represents a broad overview of security problems and proposed solutions. In the
meantime, Behl and Behl (2012) review the key challenges of implementing cloud security
solutions for a dynamic and changing cloud environment; they conduct analysis in order to
consider detailed specifications of the problem and descriptions of must-have features for a
security solution. Some of the reasons that represent major concerns
6 Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).
7 Ensuring timely and reliable access to and use of information.
regarding security are: loss of control while moving services to the cloud, multi-tenancy, or
co-residence on the same logical/physical media, and service level agreements (SLAs) as the
assurance of the right expectations. The paper further details the need for information
integrity and privacy as well as identity federation. It concludes by recommending that cloud
security management should be enhanced in order to better control and manage user data; in
addition, it suggests that security should become a wrapper for all cloud deployment
models in a multilayer security solution.
Contrary to some assumptions, moving to a cloud environment does not eliminate the risk
associated with security. In fact, outsourcing computing resources to the cloud generates major
new security and privacy concerns. Moreover, service level agreements (SLAs) might not
provide adequate legal protection for cloud computing users, who are often left to deal with events
beyond their control.
Amazon Computing
Some of the literature we sought related to specific Amazon cloud computing
services; this effort resulted in the discovery of literature that sheds light on the computing
services offered by Amazon.
Marinescu (2013) suggests that an in-depth study of cache placement decisions over
various cloud storage options would benefit a large class of users by weighing the data
persistence, monetary cost, and high-performance needs of AWS workloads in order to generate
cost-effective data placement strategies. Marinescu describes what adequate caching strategies8
could represent for cloud services. The costs considered are for Amazon's S3, EC29 and EBS10, and are
then used to obtain relevant data through a series of experiments for cost evaluation. The
relevance of this paper lies in its analysis of how these different services can be distinguished
from each other based on the cost effectiveness of each one.
Garfinkel's (2007) article was considered as a way to show the progress in authentication
mechanisms, from a simple authentication strategy based on the HMAC-SHA1 algorithm to
today's four mechanisms for controlling access to Amazon S3 resources: Identity and Access
Management (IAM) policies, bucket policies, Access Control Lists (ACLs) and query string
authentication.
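Query string authentication, the last of the four S3 mechanisms named above, is the one whose mechanics can be shown directly: the client signs a canonical description of the request with its secret key and appends the signature and an expiry time to the URL, and S3 recomputes the same HMAC before serving the object. The Python below is an added example written for this page, not code from the paper or from Amazon. It implements the HMAC-SHA1 scheme of S3's original Signature Version 2 (the mechanism Garfinkel describes), which Amazon has since superseded with Signature Version 4 (HMAC-SHA256 with a date-, region- and service-scoped derived key). The access key pair is the example pair from Amazon's own documentation, the bucket, object key and expiry are constructed, and `verify_url` is a hypothetical stand-in for the check the service performs.

```python
"""Amazon S3 query-string authentication (Signature Version 2 style).
Added example for this page; it runs offline and never contacts S3."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse


def string_to_sign(method, bucket, key, expires, content_md5="", content_type="",
                   amz_headers=None):
    """Canonical string SigV2 signs for a query-string request: verb, Content-MD5,
    Content-Type, Expires (epoch seconds, which takes the place of the Date line),
    canonicalized x-amz-* headers, then the canonical resource."""
    canon_headers = ""
    for name in sorted(amz_headers or {}, key=str.lower):
        canon_headers += f"{name.lower()}:{amz_headers[name].strip()}\n"
    resource = f"/{bucket}/{key}"
    return f"{method}\n{content_md5}\n{content_type}\n{expires}\n{canon_headers}{resource}"


def sign(secret_key, sts):
    """Signature = base64(HMAC-SHA1(secret_key, string_to_sign))."""
    mac = hmac.new(secret_key.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def presign_url(access_key, secret_key, bucket, key, expires, method="GET"):
    """Client side: build a URL that anyone can use until `expires` without
    holding the secret key. Only the MAC leaves the signer, never the secret."""
    sig = sign(secret_key, string_to_sign(method, bucket, key, expires))
    query = urlencode({"AWSAccessKeyId": access_key, "Expires": expires, "Signature": sig})
    return f"https://{bucket}.s3.amazonaws.com/{quote(key)}?{query}"


def verify_url(url, secret_keys, now, method="GET"):
    """Service side (hypothetical stand-in for S3's own check): look up the secret
    by access key id, reject expired links, re-derive the signature from the
    request itself and compare in constant time. Returns (accepted, reason)."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    try:
        access_key, expires, presented = q["AWSAccessKeyId"], int(q["Expires"]), q["Signature"]
    except (KeyError, ValueError):
        return False, "malformed query string"
    if now > expires:
        return False, "expired"
    secret = secret_keys.get(access_key)
    if secret is None:
        return False, "unknown access key"
    bucket = u.hostname.split(".")[0]   # virtual-hosted style: bucket is the first DNS label
    key = unquote(u.path.lstrip("/"))
    expected = sign(secret, string_to_sign(method, bucket, key, expires))
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad signature"   # path, verb or expiry was altered after signing
    return True, "ok"


# Constructed sample: Amazon's documentation example key pair and a made-up bucket.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
KEYSTORE = {ACCESS_KEY: SECRET_KEY}

if __name__ == "__main__":
    url = presign_url(ACCESS_KEY, SECRET_KEY, "johnsmith", "photos/puppy.jpg", 1175139620)
    print(url)
    print(verify_url(url, KEYSTORE, now=1175139600))
    print(verify_url(url, KEYSTORE, now=1175139700))
    print(verify_url(url.replace("puppy", "kitten"), KEYSTORE, now=1175139600))
```

Two properties matter for confidentiality here. Because `Expires`, the verb and the bucket/key path are all inside the signed string, a recipient cannot extend the lifetime of a link or point it at a different object without invalidating the MAC; and because the service compares with `hmac.compare_digest`, a byte-by-byte comparison does not leak how many leading signature bytes were correct. What the scheme does not do is bind the signature to a client or a channel: anyone who obtains the URL before `Expires` can fetch the object, which is why such links should be short-lived and served only over TLS.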
Abundant information about these four access control mechanisms is available from
Amazon S3 Access Control11, where each feature and capability is described. With IAM
policies, customers can grant IAM users fine-grained control to their Amazon S3 bucket or
8 Caches can be deployed to maintain some set of precomputed/intermediate data for reuse. Especially in scientific
applications, precomputed data could not only replace the need to tirelessly compute redundant information, but it
can also significantly reduce the amount of data transfer required.
9 Amazon Elastic Compute Cloud (Amazon EC2).
10 Amazon Elastic Block Store (Amazon EBS).
11 Access Control. Retrieved from: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html
For instance, the cloud security of Dropbox, Google Drive, and Microsoft SkyDrive is
compared, and all three are found to have similar weaknesses, mostly pertaining to a lack of user
authentication when sharing data. This could be fixed by looking at how invitations to view the data can be
rendered useless after they have been activated. Preventing these links from continuing to work
after the recipient has used them; along with setting up a method to require a password in order
to use that link will help tighten down the security of sharing data in the cloud. From this
analysis we found ideas for investigating new security policies for cloud security.
The first chapter of Yang's and Jia's (2014) Security for Cloud Storage Systems
explores aspects of cloud technology, defining how they operate with data storage. Several items,
including on-demand self-service and network access, are already expected by the users of cloud
services when storing personal data. The chapter then describes two main threats that plague
cloud providers. The first pertains to data integrity; users should be confident that the cloud
provider is correctly managing their personal data, especially after they want to delete it. The
second pertains to access control; this issue is also due to the user being forced
to trust the cloud server for their access control policies. While the data integrity issue is outside
the scope of this project, the access control information presented in this book will be very
useful not only in assessing the weakness of access control in cloud architectures, but also because it
provides several concepts on how to fix these holes.
A Comparison of Approaches to Cloud Security
Tajadod et al. (2012) compare two CSPs and explore their differences in detail. We found
relevant information about Amazon S3, as the paper details its services in order to elaborate
the comparison. This description of security features follows the CIA triad. For
Confidentiality it describes Amazon IAM12, MFA13, and Key Rotation. With respect to
Integrity, it describes encryption via SSL and HTTPS from client and server sides as well as
HMAC (hash-based message authentication code). Finally for Availability, it specifies
Amazon's SLA as well as data replication capabilities.
Securing Cloud Services against Attacks
The securing of cloud services can follow reactive and proactive measures, and in that
regard Boot, Soknacki, and Somayaji provide an overview of security in the cloud computing
environment, but approach it from the perspective of potential attackers. This
overview, using descriptive methods, considers the various attacks that can be perpetrated upon a
client-server model, and then reduces the scope of these attacks to those that would impact the
current cloud environment, specifically one employing a hypervisor. The authors found that
attacks relating to denial-of-service, breach of confidentiality, and compromise of data integrity
are all applicable within the cloud. In relation to data confidentiality, the cloud adds a new threat
of data colocation to those of typical client-server security issues. Through colocation, an
12 Identity and Access Management.
13 Multi-Factor Authentication.
attacker may be able to gain access to sensitive data residing on a cloud server by gaining access
to the server through the account of a user using weaker authentication techniques. This paper
also discusses the possibility of users with administrative-level access compromising sensitive data
either maliciously or accidentally. Though the authors feel that data encryption and monitoring
are important steps in ensuring the confidentiality of data in the cloud, these solutions remain
vulnerable to traffic analysis and cryptographic weaknesses and would require additional burden
upon cloud providers.
A document, written by Cem Gurkok (2013) as a chapter in the book, Computer and
Information Security Handbook, presents a view of cloud computing from a very strategic level.
Gurkok begins his work with an overview of the types of cloud computing platforms (SaaS,
IaaS, and PaaS), moves on to discuss security issues common to cloud services, and then
describes security issues specific to the types of cloud platforms. Gurkok's descriptive methods
are comprehensive and are able to analyze cloud security through the lens of the CIA triad, while
subdividing these issues by discipline (legal, technical, etc.), and by system layer
(infrastructure, operating system, application, etc.). The strategic level of this document provides
a starting point for the narrowing of our analysis of the problem space.
Yu, Niu, Yang, Mu, and Susilo (2014) focus not on cloud
security itself, but rather on the function of auditing cloud services for security. This paper is the
result of conducting active attacks on cloud services, which showed that current auditing
schemes, such as Oruta and Knox, failed to reveal that the authenticity and integrity of stored
files had been breached. In response, these authors propose a new framework that accounts for
the actions of an attacker who is active on the system and working against the goals of the
auditors. Though this work does not speak directly to the framework for security in the cloud
environment, it does present both the security audit process, and its current vulnerabilities. An
important aspect of our proposed framework, and of any security framework, should be the
ability to audit and verify the security of the system. Understanding these processes will be
important to the creation of a robust framework and successful evaluation of the Amazon S3
service.
Trustworthiness is researched by Shraer et al. (2010), especially after some identified
high-profile incidents14 related to data integrity and consistency and their relationship to
confidentiality (through encryption) and availability (through resilience and protection against
loss). Venus is a service for securing user interactions with untrusted cloud storage by
guaranteeing integrity and consistency. Even though this research represents an external
mechanism that could be added transparently to the cloud storage service (Amazon S3), it
provides evidence that this CSP's infrastructure is able to support verification
mechanisms on its commodity cloud storage service. A simulated split-brain attack from a
system with two clients was performed in order to evaluate how Venus detects service violations,
and it successfully identified inconsistencies. This work represents attempts, external to cloud
providers, to enhance current storage solutions with insignificant overhead added.
Customers Role in Cloud Security
Customers are responsible for the acquisition, configuration, use and allocation of cloud
services, and with that responsibility comes exposure to the exploitation of vulnerabilities.
Ksherti's (2013) paper, from the journal Telecommunications Policy, states that a discrepancy
exists between the security claims of cloud computing vendors and users of cloud computing
14 Amazon S3's silent data corruption, a privacy breach in Google Docs, and ma.gnolia's data loss.
services. His largely descriptive study cites statistics from popular press surveys about the
security fears of cloud computing users to support his assertion. Ksherti also uses these surveys
as a jumping-off point to discuss the institutions surrounding cloud computing, and how they
should be modified to build greater levels of security into the fabric of these institutions.
Specifically, he suggests the formation, through legal, technical, and social means, of a
normative culture of security in cloud computing. Given the size and diversity of missions within
the United States federal government, the importance of the culture of use surrounding cloud
computing in this environment cannot be overstated. This work will inform aspects of the
modified framework and evaluation of the Amazon S3 service that we provide in our work.
Security Framework for Cloud Services
A cloud security framework presented by Nayak et al. (2012) details three phases of
cloud security (server initialization, registration, and authentication) that benefit from
incorporating user authentication into the overall cloud model. User authentication is used, in
the form of usernames and passwords, in almost every system that people use on a daily basis,
such as online shopping, email, and social media. These methods are already applied by AWS in
their approach to cloud security, and the paper goes into detail about how the messages could be
laid out between Amazon's authentication servers and the user in order to maximize
authentication security. In the server initialization phase, each user is assigned a unique SK15
which is used in further steps to authenticate the users. The second phase, registration, is
dependent on whether the user is new or not. When a new user opens an Amazon S3 account,
that user must register with an email address which will need to then be verified by the user.
15 Secret Key.
is able to successfully authenticate the user, it is always advisable to include an additional
method of authentication on the chance that it does not work. In their testing, the access control
policies they designed, based off of personal habit characteristics, proved successful in
authenticating the user and preventing unauthorized access with a low failure rate.
While this system is not perfect at achieving authentication, it can prove beneficial to
Amazon's S3 cloud services. A large portion of S3 use involves data storage to which users want
quick access from anywhere, hence their use of the cloud for storage. If cloud providers,
including Amazon S3, implement the TrustCube dynamics, they will be able to provide
quicker access for their users, allowing for better consumer satisfaction. The inclusion of user
habits is also a great method of adding an additional security layer for users who are extremely
security-conscious.
Mouratidis et al. (2013) provide a systematic and structured framework for cloud
computing security. Unlike other existing frameworks for cloud computing security, these
authors approach the topic of cloud provider selection from a decidedly technical perspective.
Although the approach is technical, descriptions within the work about high-level goal setting
work well to inform a comprehensive approach to security in this environment. This work is also
unique because it walks through a case study in building the proposed model. Despite the
existence of FedRAMP as a tool for evaluation of the security of cloud providers for the United
States federal government use, the section about secure cloud provider selection will highlight
areas within FedRAMP that may need augmentation.
Methods
Research was conducted on the confidentiality of data stored on the Amazon S3
Infrastructure-as-a-Service (IaaS) cloud storage environment for the purposes of developing
guidelines supplemental to FedRAMP that better address issues of confidentiality within this
environment. Time and financial constraints inherent in the course setting impacted both the
scope and nature of this research. First and foremost, the overall research methodology was
descriptive and qualitative as a result. Further, the scope of this project was narrowed to focus
only on the Amazon S3 storage service, rather than a broader assortment of Amazon's cloud
service offerings, and only on the confidentiality aspect of the service, rather than all aspects of
the C-I-A triad.
The key aspect of research during this study was an extensive literature review, which
began with general research of the cloud computing environment. Ultimately, this review was
also narrowed necessarily to match the scope of the research question. Beyond narrowing the
focus of the research to confidentiality metrics and issues relating to the Amazon S3 cloud
storage service, issues and resolutions to issues that could not be verified either through testing
or through an independent third-party were also removed from the scope of this research;
however, Amazon has summarized how it complies with federal privacy laws (Amazon, 2014).
The research methods supported the following research motive: The cloud computing
environment is an extremely dynamic space, and several sets of guidelines are being developed
to promote secure use of cloud storage resources. In this context, the research question to be
answered in this study is, Are current FedRAMP guidelines sufficient to meet the challenges of
data confidentiality faced by United States federal government agencies in the Amazon S3 cloud,
or should guidelines be added, changed, or segmented by level of security required for a
project?
Discussion
On February 8, 2011, the Chief Information Officer of the United States released the
Federal Cloud Computing Strategy (FCCS) document (Kundra, 2011). The goal of this
document was to set forth a strategy that would increase the efficiency of information technology
use in the federal government both in terms of cost and time (Kundra, 2011, p. 1). The FCCS
policy is designed to work in conjunction with, and in support of, the CIO's February 2010
Federal Data Center Consolidation Initiative (FDCCI), which seeks to raise data center
efficiency through the elimination of 800 federal data centers by 2015 (Kundra, 2011, p. 8).
Based on estimates by the federal Office of Management and Budget (OMB), 25% of federal IT
spending was being targeted for migration to cloud computing environments (Kundra, 2011,
p. 1).
Within the Decision Framework for Cloud Migration, the FCCS document does discuss
security requirements to be considered when agencies make decisions about the type of cloud to
be used, and the speed at which migration should occur (Kundra, 2011, pp. 11-14). FCCS
frames the evaluation criteria for security considerations in the cloud in terms of the Federal
Information Security Management Act (FISMA) requirements including, but not limited to, Federal
Information Processing Standards (FIPS), and lays the responsibility for maintaining the
appropriate level of information security upon the individual agencies (Kundra, 2011, p. 13).
FCCS does, however, recognize that security (and other) concerns are likely to produce different
iterations of cloud computing within and among federal agencies by virtue of its recognition of
NIST's definition of cloud service models (Kundra, 2011, p. 6), and deployment models
(Kundra, 2011, p. 5), including private clouds. It also recognizes the need for a transparent
security environment between cloud providers and cloud consumers (Kundra, 2011, p. 26), and
cites the 2010 Federal Risk and Authorization Management Program (FedRAMP) as responsible for
defining requirements for cloud computing security controls, including vulnerability scanning,
and incident monitoring, logging and reporting, in support of the secure and transparent cloud
security environment (Kundra, 2011, p. 26). Also according to the FCCS, the Department of
Homeland Security will assist in the operational security of federal agencies using cloud services
by publishing a list of top security threats related to the cloud as needed, whereas NIST will
assist with continued monitoring of cloud solutions as outlined by the Six Step Risk
Management Framework (Kundra, 2011, p. 26), cited as Special Publication 800-37, Revision
1 (Kundra, 2011, p. 26).
Several solution frameworks exist in the problem space of cloud computing controls.
FedRAMP, of course, applies to federal cloud computing and, consequently, plays a significant
role in defining the solution space. Because of its role as a controls structure for the United States
federal government, FedRAMP plays a significant role in that function for agencies that work
with the United States federal government, such as: state agencies, universities, private firms,
and foreign governments, as well as other entities that may not see the benefit in developing a
further structure. Despite FedRAMP's stature in the space, various other previously mentioned
controls structures exist. Organizations such as the Cloud Security Alliance (Cloud Security
Alliance, 2013), and trade-based professional associations (Mouratidis, 2013) have also proposed
control sets based on their own needs in cloud security. Our analysis has attempted to combine
those controls that, in our view, represent the best confidentiality controls for cloud computing
currently in existence across the community, compare the Amazon S3 service against these
augmented metrics, and return suggestions that are useful not only to Amazon S3, but to the
cloud computing community broadly. The timeline shownbelow presents Amazons security and
compliance releases that have impacted the security of the Amazon S3 cloud storage service that
serve as the basis for the discussion of problems and issues that follows.
Cloud Provider Perspective: Amazon Web Services (AWS)
AWS Compliance timeline
This compliance timeline shows security policies implemented and compliance events
starting in 2009 with HIPAA to the first quarter of 2013 with improvements to IAM policy
variables:
Date | Security or Compliance Event | Description | Source
---|---|---|---
4/3/13 | IAM Policy Variables | Create policies containing variables that will be dynamically evaluated using context from the authenticated user's session. | http://aws.amazon.com/about-aws/whats-new/2013/04/03/announcing-iam-policy-variables/
3/26/13 | AWS CloudHSM | Use dedicated Hardware Security Module (HSM) appliances within the AWS Cloud. | http://aws.amazon.com/about-aws/whats-new/2013/03/26/announcing-aws-cloudhsm/
3/11/13 | VPC by default | EC2 instances will be launched in a VPC (Amazon Virtual Private Cloud) for new customers. | http://aws.typepad.com/aws/2013/03/amazon-ec2-update-virtual-private-clouds-for-everyone.html
11/19/12 | Cross-account API access using IAM roles | Delegate temporary API access to AWS services and resources within your AWS account without having to share long-term security credentials. | http://aws.amazon.com/about-aws/whats-new/2012/11/19/Announcing-Cross-Account-API-Access-Using-IAM-Roles/
7/10/12 | MFA-protected API access | Enforce MFA authentication for AWS service APIs via AWS Identity and Access Management (IAM) policies. | http://aws.amazon.com/about-aws/whats-new/2012/07/10/Announcing-MFA-protected-API-access/
6/11/12 | IAM Roles | Simplifies the process for applications to securely access AWS service APIs from EC2 instances. | http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/
1/30/12 | AWS Trusted Advisor | Self-service access to proactive alerts that identify opportunities to save money, improve system performance, or close security gaps. | http://aws.amazon.com/about-aws/whats-new/2012/01/30/amazon-web-services-introduces-new-premium-support-features/
11/11/11 | Compliance Milestone: SOC 1, Type 2 Report | | http://aws.amazon.com/about-aws/whats-new/2011/11/11/aws-publishes-new-service-organization-controls-1-report/
11/2/11 | Support for virtual MFA devices | Use a smartphone, tablet, or computer running any application that supports the open TOTP standard. | http://aws.amazon.com/about-aws/whats-new/2011/11/02/Announcing-virtual-mfa-support/
10/4/11 | S3 server-side encryption | Request encrypted storage when you store a new object in Amazon S3 or when an existing object is copied. | http://aws.amazon.com/about-aws/whats-new/2011/10/04/amazon-s3-announces-server-side-encryption-support/
9/15/11 | Compliance Milestone: FISMA Moderate | | http://aws.amazon.com/about-aws/whats-new/2011/09/15/aws-fisma-moderate/
8/16/11 | AWS GovCloud | AWS Region designed to allow US government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. | http://aws.amazon.com/about-aws/whats-new/2011/08/16/announcing-aws-govcloud-us/
8/3/11 | AWS Direct Connect | Enables you to bypass the public Internet when connecting to AWS. | http://aws.amazon.com/about-aws/whats-new/2011/08/03/Announcing-AWS-Direct-Connect/
12/7/10 | Compliance Milestone: PCI DSS Level 1 | | http://aws.amazon.com/about-aws/whats-new/2010/12/07/aws-achieves-pci-dss-level-1-compliance/
11/18/10 | Compliance Milestone: ISO 27001 | | http://aws.amazon.com/about-aws/whats-new/2010/11/18/aws-achieves-iso-27001-certification/
9/2/10 | AWS Identity and Access Management (IAM) | Enables you to securely control access to AWS services and resources for your users. | http://aws.amazon.com/about-aws/whats-new/2010/09/02/announcing-aws-identity-and-access-management-iam-preview-beta/
11/11/09 | Compliance Milestone: SAS70 Type II Audit | | http://aws.amazon.com/about-aws/whats-new/2009/11/11/aws-completes-sas70-type-ii-audit/
8/31/09 | AWS Multi-Factor Authentication (MFA) | Provides an extra level of security that can be applied to your AWS environment. | http://aws.amazon.com/about-aws/whats-new/2009/08/31/now-available---aws-multi-factor-authentication/
8/26/09 | Amazon VPC | Provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. | http://aws.amazon.com/about-aws/whats-new/2009/08/26/introducing-amazon-virtual-private-cloud/
4/6/09 | Compliance milestone: white paper for HIPAA-compliant data applications | | http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/
For an extended and detailed account of security-related improvements to Amazon S3 during the
current year, 2014, see Appendix 1: Amazon Web Services (AWS) security updates. For a complete list
of compliance reports as well as certifications and third-party attestations, see Amazon Web Services. (2014). AWS Risk and Compliance Whitepaper.
Incidents related to Amazon S3 Configurations
This account of events attempts to present the perspective that security has to come from all
involved parties. When transferring services to the Cloud, there is a significant transference of
risk, but this transfer is not absolute and complete. The customer must remain vigilant about
the portion of responsibility it controls with respect to security. In many cases this means the
review of SLAs and ensuring that services are correctly configured to perform as expected
according to user or group permissions and data privacy assurances. Two reports are listed
below that show configuration issues related to cloud services, one from the
customer side and another from the provider.
August 08, 2011 - Amazon S3 security: Exploiting misconfigurations (TechTarget
Magazine)
Amazon S3 misconfigurations, and what companies should do to ensure Amazon S3
security and avoid inadvertent data exposure. A security researcher, Diji Ninja, had an epiphany
when considering how Amazon S3 storage functioned: if each URL was customized with a
unique account name, it would be possible to use existing brute-force techniques to enumerate
Amazon S3 buckets and possibly access the files. The researcher developed a tool to test this
theory using standard wordlists and running them against the Amazon S3 API. The tool can also
test whether an Amazon S3 storage bucket has been properly configured for public or private
access.
Running this tool with a simple word list produces enlightening results that demonstrate
both an Amazon S3 oversight and the importance of proper customer configuration. The tool
runs through the wordlist by testing access to bucket URLs in succession in this format:
After reviewing the permissions of 12,328 Amazon S3 buckets, the Rapid7 team revealed
that, of the 1,951 'public' ones, there were some 126 billion files exposed in all, around 60 percent
of which were images. However, there were also 28,000 PHP source files (including database
usernames, passwords and API keys) and 218,000 CSV files (including personal data such as
email addresses and telephone numbers), as well as 5 million text files, large numbers of which were
marked as private or confidential and contained sensitive personal credentials and details about the
organisations concerned and their customers. Getting even more specific on the information that
was exposed in these buckets, Rapid7 cites examples such as sales records and accounts from a
large car dealership, source code and development tools from a mobile gaming outfit, sales
'battlecards' for a large software vendor and assorted cases of employee personal information
across various spreadsheets.
The most common exposure was through log backups that were left globally accessible.
Rapid7 has since worked with Amazon to disclose this misconfiguration and has recommended that
customers check their bucket settings unless they really want to share their files openly.
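The bucket-settings check that Rapid7 recommends can be done by the bucket owner from the inside, without any enumeration: inspect the bucket's own ACL and bucket policy for grants to the public. The following is an added example written for this paper's discussion; it is not code from TechTarget, Rapid7, AWS or the paper's authors. It evaluates the two data structures that S3 returns for a bucket (the ACL grant list, as in boto3's `get_bucket_acl()['Grants']`, and the policy JSON string from `get_bucket_policy()['Policy']`) and reports grants to the AllUsers and AuthenticatedUsers groups and Allow statements with a wildcard principal. The bucket name, canonical user id, account id and the sample ACL and policy are constructed for the example.

```python
"""Audit an S3 bucket's ACL grants and bucket policy for public access.

Added example, not the paper's code. The two group URIs below are the real
predefined S3 groups; everything in the SAMPLE_* values is constructed.
"""
import json

# Predefined S3 ACL groups. A grant to either one makes the bucket public
# (AuthenticatedUsers means any AWS account, not just yours).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTHENTICATED_USERS: "any AWS account"}


def public_acl_grants(grants):
    """Return (audience, permission) for every ACL grant to a public group.

    `grants` has the shape of the 'Grants' list from GetBucketAcl:
    [{'Grantee': {'Type': 'Group', 'URI': ...}, 'Permission': 'READ'}, ...]
    """
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    # "*" or {"AWS": "*"} (or "*" inside a list) means any requester, anonymous included.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Split wildcard-principal Allow statements into unconditional and conditioned ones.

    Unconditional ones are public outright; conditioned ones (IP ranges,
    referrer checks, ...) are returned separately for a reviewer to judge.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be given bare
        statements = [statements]
    unconditional, conditional = [], []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        label = st.get("Sid", f"statement[{i}]")
        (conditional if st.get("Condition") else unconditional).append(label)
    return unconditional, conditional


def audit_bucket(name, grants, policy_json=None):
    """Combine both checks into one report dict for a bucket."""
    report = {"bucket": name, "public_acl": public_acl_grants(grants),
              "public_policy": [], "conditional_policy": []}
    if policy_json:
        report["public_policy"], report["conditional_policy"] = public_policy_statements(policy_json)
    report["is_public"] = bool(report["public_acl"] or report["public_policy"])
    return report


# Constructed sample: an ACL granting READ to everyone (the "log backups left
# globally accessible" case) and a policy with one open and one conditioned statement.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "OwnerOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-bucket", SAMPLE_GRANTS, SAMPLE_POLICY), indent=2))
```

Run against a live account, the same two functions would be fed the output of `get_bucket_acl` and `get_bucket_policy` for each bucket returned by `list_buckets`; a bucket with no policy raises `NoSuchBucketPolicy`, which the caller treats as "no policy" and passes `None`.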
framework itself, we remain curious about the potential impact of FedRAMP's recent change in
jurisdiction from the General Services Administration to the Office of the Chief Information
Officer. The directives from the CIO's office relating to federal cloud computing strategy
suggest that this move is simply administrative, and that the overall direction of FedRAMP will
remain consistent (Kundra, 2011). Though FedRAMP must constantly evolve to meet the rapidly
changing security needs in cloud computing, large changes in the framework at this stage would
disrupt the CIO's vision for government computing in the cloud, and likely make the transition
of services to the cloud far more difficult.
Problems and Issues
This study faced two main issues in generating its results. The first and largest of these
issues was time. Once our group was formed, and our topic assigned, we began to identify the
problem set. We felt that a broad study of security frameworks across the service groups within
cloud computing was useful, but narrowed the topic down dramatically in order to be able to
provide a substantive deliverable by the end of the course term. The short time frame also
impacted our work by forcing the removal from our scope of the verification and validation of information
provided by Amazon about the confidentiality of the S3 service, as well as the removal of a
testing phase related to Amazon's two-factor authentication offering for its cloud services,
including S3.
Testing of two-factor authentication was also impacted by the second issue of this study,
which is funding. Devices or services that may have impacted the confidentiality of S3 could not
be purchased due to lack of funds. Though the devices that Amazon uses for two-factor
authentication within the S3 service are relatively inexpensive, many of Amazon's cloud service
offerings that are targeted toward larger organizations, such as government agencies, are not.
Without access to these services, or models that would serve as adequate substitutes, we were
prevented from performing tasks that may have produced significant insight into the security
structure and function of Amazon's web services, due to the possibility of breaking live Amazon
services. Doing so would have violated the bounds of this project.
All organizations using, or considering the use of, cloud services would likely benefit
from the adoption by standards organizations of a data classification system similar to the
security clearance system currently used by national security-related agencies in the United
States government. These levels would be more extensive than the current FedRAMP low, and
FedRAMP medium designations, and would also incorporate higher levels of security controls
similar to those found in the DoD cloud security model (DISA, 2014). Classifying data by
sensitivity for security and privacy purposes could balance the cost of security with the benefit of
that security at these different levels, especially if developed by consensus both inside and
outside of the national security apparatus. If cloud security framework systems were augmented
with these classifications, selection and utilization of cloud services would likely be much more
straightforward and consequently, more likely to be implemented effectively.
Moving forward in cloud computing security, it is becoming increasingly important to
understand the interaction within the cloud among the various services offered. For example,
because we were not able to test Amazon's cryptographic offerings that claim to encrypt data on
the service, we recommend that sensitive data be encrypted prior to being uploaded to the cloud;
however, this recommendation takes on added challenge when data is stored on the cloud by a
SaaS application that also lives in the cloud. In light of recent challenges with government web
portals that process highly privacy-sensitive information, such as www.healthcare.gov working in
support of the Affordable Care Act, it would seem to be unthinkable to implement such a system
in a private cloud environment. We suggest that, with the proper implementation of strong
controls and monitoring, even a healthcare.gov cloud may be able to share cloud space with
other agencies in a relatively secure manner.
Because our time working on this project was so short, and because the cloud computing
environment is so dynamic, opportunities for future work on this topic abound. Certainly, SaaS
and PaaS are fertile ground for study, as are the availability and integrity aspects of the C-I-A
triad, since all of these topics were scoped out of this work. Creation or adoption of the
information classification system recommended above would also be extremely worthy of
investigation.
As more users migrate to these services, and as they begin to store more sensitive
information within the cloud, it is imperative that the confidentiality of their data is assured. If
we consider applications where critical health or genetic information is stored using the cloud, or
where troops in the field use a similar type of service to communicate critical information to
commanders, the impact of data confidentiality becomes clear. Though we will not be able to
solve the majority of challenges relating to the confidentiality of data in the cloud environment
over the course of a single semester, we feel that this project will make a real and lasting
contribution to the state-of-the-art in this area, and be able to be built upon by future class
research. Ultimately, we hope to make cloud storage more secure for millions of users
worldwide.
References
Amazon Web Services. (2014). Amazon Web Services: Risk and Compliance, April 2014.
Retrieved April 10, 2014 from
http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
Astrova, I., Grivas, S. G., Schaaf, M., Koschel, A., Bernhardt, J., Kellermeier, M. D., & Herr, M.
(2012). Security of a Public Cloud. 2012 Sixth International Conference on Innovative
Mobile and Internet Services in Ubiquitous Computing, 564-569.
doi:10.1109/IMIS.2012.78
Behl, A., & Behl, K. (2012). An Analysis of Cloud Computing Security Issues, 109-114.
Chiu, D., & Agrawal, G. (2010). Evaluating caching and storage options on the Amazon Web
Services Cloud. 2010 11th IEEE/ACM International Conference on Grid Computing, 17-24.
doi:10.1109/GRID.2010.5697949
Chow, R., Jakobsson, M., Masuoka, R., Molina, J., Niu, Y., Shi, E., & Song, Z. (2010).
Authentication in the Clouds: A Framework and its Application to Mobile Users, 1-6.
Cloud Security Alliance. (2013). Security Guidance for Critical Areas of Focus in Cloud
Computing, 0176.
Garfinkel, S. (2007). Commodity Grid Computing with Amazon's S3 and EC2.
Gurkok, C. (2013). Securing Cloud Computing Systems. In Computer and Information Security
Handbook (2nd ed., pp. 97-124). Elsevier Inc. doi:10.1016/B978-0-12-394397-2.00006-4
IronBee Open Source Web Application Firewall. (2013).
Kshetri, N. (2013). Privacy and security issues in cloud computing: The role of institutions and
institutional evolution. Telecommunications Policy, 37(4-5), 372-386.
doi:10.1016/j.telpol.2012.04.011
Kundra, V. (2011). Federal Cloud Computing Strategy.
Ma, X. (2012). Security Concerns in Cloud Computing. 2012 Fourth International Conference
on Computational and Information Sciences, 1069-1072. doi:10.1109/ICCIS.2012.274
Marinescu, D. (2013). Cloud Computing: Theory and Practice. Cloud Security (Chapter 9),
273-300. doi:10.1016/B978-0-12-404627-6.00009-9
Mouratidis, H., Islam, S., Kalloniatis, C., & Gritzalis, S. (2013). A framework to support
selection of cloud providers based on security and privacy requirements. Journal of
Systems and Software, 86(9), 2276-2293. doi:10.1016/j.jss.2013.03.011
Nayak, S. K., Mohapatra, S., & Majhi, B. (2012). An Improved Mutual Authentication
Framework for Cloud Computing User message, 52(5), 36-41.
Shraer, A., Cachin, C., & Cidon, A. (2010). Venus: Verification for untrusted cloud storage.
Proceedings of the 2010 ACM Workshop on Cloud Computing Security, 19-29. Retrieved from
http://dl.acm.org/citation.cfm?id=1866841
Tajadod, G., Batten, L., & Govinda, K. (2012). Microsoft and Amazon: A comparison of
approaches to cloud security, 539-544.
United States Defense Information Systems Agency. (2014). DoD Enterprise Cloud Service
Broker.
Yang, K., & Jia, X. (2014). Security for Cloud Storage Systems. Springer.
Yu, Y., Niu, L., Yang, G., Mu, Y., & Susilo, W. (2014). On the security of auditing mechanisms
for secure cloud storage. Future Generation Computer Systems, 30, 127-132.
doi:10.1016/j.future.2013.05.005
APPENDICES
APPENDIX 1: Amazon Web Services (AWS) security updates
Some of the latest security improvements to Amazon Web Services (AWS) for 2014 are
listed below in order to provide a documented overview of advancements with respect to providing
more secure cloud services.
April 21, 2014 - AWS account access keys
AWS will remove the ability to retrieve existing secret access keys for your AWS (root) account.
Secret access keys are, as the name implies, secrets, like your password. Just as AWS doesn't
allow you to retrieve your password if you forget it, you will no longer be able to retrieve the
secret access keys for your root account. This is (and always has been) the case with secret
access keys for IAM users.
April 2, 2014 - Update to AWS Sign-In
The sign-in experience has been updated for IAM users accessing AWS websites such as the AWS Management
Console, Support, or Forums. The new sign-in experience continues to provide the same
functionality as the previous one, but provides a more consistent experience for IAM users when
signing in to an AWS account, whether on a PC, tablet, or mobile phone.
April 1, 2014 - RedShift receives FedRAMP Authority to Operate (ATO)
AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP
assessment and authorization process and has been added to our list of services covered under
our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S.
Department of Health and Human Services (HHS). This is the first new service we've added to
our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May
2013.
With the addition of Redshift we now have six FedRAMP covered services in our US East/West
FedRAMP package, including: EC2, VPC, S3, EBS, IAM and now Redshift. The US East/West
FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and
use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region.
Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it
simple and cost-effective to efficiently analyze all your data using your existing business
intelligence tools. It is optimized for datasets ranging from a few hundred gigabytes to a petabyte
or more.
March 26, 2014 - AWS Secures DoD Provisional Authorization
AWS has received a DISA Provisional Authorization under the DoD Cloud Security Model's
impact levels 1-2 for all four of AWS's Infrastructure Regions in the U.S., including AWS
GovCloud (US). With this distinction, AWS has shown it can meet the DoD's stringent security
and compliance requirements; and as a result, even more DoD agencies can now use AWS's
secure, compliant infrastructure. Built on the foundation of the FedRAMP Program, the DoD
CSM includes additional security controls specific to the DoD. The Defense Information
Systems Agency (DISA) assessed Amazon's compliance with these additional security controls and
granted the authorization, which will reduce the time necessary for DoD agencies to evaluate and
authorize the use of the AWS Cloud.
March 18, 2014 - Use AWS CloudFormation to configure Web Identity Federation
Web identity federation in AWS STS enables you to create apps where users can sign in using a
web-based identity provider like Login with Amazon, Facebook, or Google. Your app can then
trade identity information from the provider for temporary security credentials that the app can
use to access AWS.
The AWS mobile development team created an S3PersonalFileStore sample app for iOS and
Android that shows you how to use web identity federation to let users store information in
individual S3 folders.
March 5, 2014 - High Availability IAM Design Patterns
The AWS Identity and Access Management (IAM) team provides a tutorial on how to enable
resiliency against authentication and authorization failures in an application deployed on
Amazon EC2, using a high availability design pattern based on IAM roles.
February 27, 2014 - How do I protect cross-account access using MFA?
AWS announced support for adding multi-factor authentication (MFA) for cross-account access.
This post demonstrates how to create policies that enforce MFA when IAM users from
one AWS account make programmatic requests for resources in a different account.
Many customers maintain multiple AWS accounts, and Amazon is frequently asked how to simplify
access management across those accounts. IAM roles provide a secure and controllable
mechanism to enable cross-account access. Roles allow you to accomplish cross-account access
without any credential sharing and without the need to create duplicate IAM users. With this
announcement, you can add another layer of protection for cross-account access by requiring the
users to authenticate using an MFA device before assuming a role.
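The mechanism described in the February 27 post is a condition on the role's trust policy. The block below is an added example written for this appendix entry; it is not AWS's sample code and not from the blog post. It builds the trust policy for a role in the resource account (with and without the MFA requirement) and includes a deliberately small evaluator that models only the two checks this control rests on, the trusted account of the caller and the `aws:MultiFactorAuthPresent` condition key, so the weak and the hardened policy can be compared on the same AssumeRole request. The condition key and the policy shape are real IAM constructs; the account ids 111111111111 and 222222222222 are placeholders, and the evaluator is not a model of the full IAM policy language.

```python
"""Cross-account AssumeRole trust policy with and without an MFA condition.

Added example, not the paper's or AWS's code. Account ids are placeholders.
"""
import json


def trust_policy(trusted_account_id, require_mfa=True):
    """Trust policy for a role in the resource account.

    Only IAM principals from `trusted_account_id` may call sts:AssumeRole.
    With require_mfa=True the request must also carry the
    aws:MultiFactorAuthPresent=true context key, which is only set when the
    caller authenticated with an MFA device.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _account_of(arn):
    # arn:aws:iam::<account-id>:<resource>  ->  <account-id>
    return arn.split(":")[4]


def assume_role_allowed(policy, caller_arn, mfa_present):
    """Minimal model of the trust-policy evaluation for one AssumeRole call.

    Returns True when some Allow statement trusts the caller's account and
    its MFA condition (if any) is satisfied by the request context.
    """
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "sts:AssumeRole":
            continue
        if _account_of(st["Principal"]["AWS"]) != _account_of(caller_arn):
            continue
        bool_cond = st.get("Condition", {}).get("Bool", {})
        if bool_cond.get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        return True
    return False


if __name__ == "__main__":
    weak = trust_policy("111111111111", require_mfa=False)
    hardened = trust_policy("111111111111")
    caller = "arn:aws:iam::111111111111:user/alice"   # placeholder identity
    print(json.dumps(hardened, indent=2))
    for label, pol in (("weak", weak), ("hardened", hardened)):
        for mfa in (False, True):
            print(f"{label:8} mfa={mfa!s:5} ->", assume_role_allowed(pol, caller, mfa))
```

The comparison makes the point of the announcement concrete: with the weak policy a stolen long-term access key from the trusted account is enough to assume the role, while the hardened policy denies the same call until the caller presents an MFA code, and a principal from any other account is denied by both.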
February 17, 2014 - Whitepaper: Security at Scale: Logging in AWS
The Security at Scale: Logging in AWS whitepaper is designed to illustrate how AWS CloudTrail
can help Amazon customers meet compliance and security requirements through the logging
of API calls. The API call history can be used to track changes to resources, perform security
analysis and operational troubleshooting, and as an aid in meeting compliance requirements.
This whitepaper is primarily focused on the functionality of AWS CloudTrail and describes how
to:
Control access to log files
Obtain alerts on log file creation and misconfiguration
Manage changes to AWS resources and log files
Manage storage of log files
Generate customized reporting of log data
The paper also relates these features to major compliance program requirements related to
logging (e.g. ISO 27001:2005, PCI DSS v2.0, FedRAMP, etc.) and provides a robust compliance
program index in the appendix for your reference.
January 15, 2014 - Tracking Federated User Access to Amazon S3 and Best Practices for
Protecting Log Data
Auditing by using logs is an important capability of any cloud platform. There are several third-
party solution providers that provide auditing and analysis using AWS logs. Last November
AWS announced its own logging and analysis service, called AWS CloudTrail. While logging is
important, understanding how to interpret logs and alerts is crucial. In this blog post, Aaron
Wilson, an AWS Professional Services Consultant, explains in detail how to interpret S3 logs
within a federated access control context.
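Both the logging whitepaper entry above and this post come down to reading S3 access logs and asking two questions: who the requester was, and whether anything was served to an unauthenticated caller. The following is an added example for both entries; it is not the paper's code and not from AWS, the whitepaper or the blog post. It tokenizes S3 server access log lines (space-delimited, bracketed timestamp, quoted request URI and user agent), classifies the requester field (a bare `-` is an anonymous request; STS federated-user and assumed-role ARNs identify federated callers), and flags successful anonymous object reads, the log-side signature of the exposed buckets in the Rapid7 report. The log lines, bucket name, request ids and IP addresses are constructed, and 123456789012 is a placeholder account id; the requester ARN forms are assumed to follow the blog post's federated-access examples.

```python
"""Detect anonymous object reads and summarize requester identities in S3
server access logs. Added example, not the paper's code; sample lines are
constructed and 123456789012 is a placeholder account id."""
import re
from collections import Counter

# Field order of the S3 server access log format (extra trailing fields are ignored).
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turnaround_time", "referrer", "user_agent", "version_id"]

# One token per field: a [bracketed] timestamp, a "quoted" string, or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    """Return a dict of named fields for one log line."""
    tokens = [t.strip('[]"') for t in TOKEN.findall(line)]
    if len(tokens) < 17:
        raise ValueError(f"too few fields ({len(tokens)}): {line!r}")
    return dict(zip(FIELDS, tokens))


def requester_kind(requester):
    """Classify the requester field; '-' is an unauthenticated (anonymous) request."""
    if requester == "-":
        return "anonymous"
    if ":federated-user/" in requester:
        return "federated-user"
    if ":assumed-role/" in requester:
        return "assumed-role"
    return "account"


def anonymous_object_reads(lines):
    """(bucket, key, source ip) for every object served to an anonymous caller."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if (rec["requester"] == "-" and rec["operation"] == "REST.GET.OBJECT"
                and rec["http_status"].startswith("2")):
            hits.append((rec["bucket"], rec["key"], rec["remote_ip"]))
    return hits


def access_summary(lines):
    """Request count per requester kind, so federated traffic is visible at a glance."""
    return Counter(requester_kind(parse_line(line)["requester"]) for line in lines)


# Constructed sample log: one anonymous read that succeeded, one that was
# denied, two federated-user requests and one console request by an IAM user.
SAMPLE_LOG = [
    'ownerid123 example-logs [12/Mar/2014:10:15:01 +0000] 198.51.100.7 - 7C3A0EXAMPLE '
    'REST.GET.OBJECT backups/db-2014-03-11.log "GET /example-logs/backups/db-2014-03-11.log HTTP/1.1" '
    '200 - 48213 48213 31 12 "-" "curl/7.30.0" -',
    'ownerid123 example-logs [12/Mar/2014:10:15:09 +0000] 198.51.100.7 - 7C3A1EXAMPLE '
    'REST.GET.OBJECT secret/keys.csv "GET /example-logs/secret/keys.csv HTTP/1.1" '
    '403 AccessDenied 243 - 9 - "-" "curl/7.30.0" -',
    'ownerid123 example-logs [12/Mar/2014:10:16:40 +0000] 203.0.113.9 '
    'arn:aws:sts::123456789012:federated-user/alice 7C3A2EXAMPLE REST.PUT.OBJECT alice/report.pdf '
    '"PUT /example-logs/alice/report.pdf HTTP/1.1" 200 - - 10240 55 20 "-" "aws-sdk-java/1.7.1" -',
    'ownerid123 example-logs [12/Mar/2014:10:17:02 +0000] 203.0.113.9 '
    'arn:aws:sts::123456789012:federated-user/alice 7C3A3EXAMPLE REST.GET.OBJECT bob/notes.txt '
    '"GET /example-logs/bob/notes.txt HTTP/1.1" 403 AccessDenied 243 - 8 - "-" "aws-sdk-java/1.7.1" -',
    'ownerid123 example-logs [12/Mar/2014:10:18:15 +0000] 192.0.2.44 '
    'arn:aws:iam::123456789012:user/admin 7C3A4EXAMPLE REST.GET.ACL - '
    '"GET /example-logs?acl HTTP/1.1" 200 - 1134 - 5 - "-" "S3Console/0.4" -',
]

if __name__ == "__main__":
    print("anonymous reads:", anonymous_object_reads(SAMPLE_LOG))
    print("by requester kind:", dict(access_summary(SAMPLE_LOG)))
```

The denied federated read of `bob/notes.txt` is what correct per-user folder permissions look like in the log (a 403 for another user's prefix), while the successful anonymous read of the backup log is the finding to act on.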
January 1, 2014 - Amazon Retrospective view of 2013
IAM: We posted a mixture of prescriptive guidance and detailed explanations about released
Identity and Access Management features and best practices geared towards practitioners.
Where's my secret access key?
A safer way to distribute AWS credentials to EC2
IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3
Resources)
Guidelines for when to use Accounts, Users, and Groups
How to rotate access keys for IAM users
Improve the security of your AWS account in less than 5 minutes
Securing access to AWS using MFAPart I
Securing access to AWS using MFAPart 2
Securing access to AWS using MFAPart 3
Policies and Permissions: IAM policies and permissions are powerful tools for authorization.
Therefore, we focused a number of articles to help you fully realize the potential of IAM.
Generating IAM Policies in Code
Writing IAM Policies: How to grant access to an Amazon S3 bucket
IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3
Resources)
Resource-level Permissions for EC2 Controlling Management Access on Specific
Instances
Announcement: Resource Permissions for additional EC2 API actions
Amazon EC2 Resource-Level Permissions for RunInstances
Announcing New IAM Policy Simulator A primer on RDS resource-level permissions
Announcing resource-level permissions for AWS OpsWorks
Identity Federation: AWS launched three identity federation features and also made several
smaller announcements
http://blogs.aws.amazon.com/security/post/TxJXE4PKGTY78G/A-Retrospective-of-2013http://blogs.aws.amazon.com/security/post/TxJXE4PKGTY78G/A-Retrospective-of-2013http://blogs.aws.amazon.com/security/post/Tx1R9KDN9ISZ0HF/-span-class-matches-Where-s-span-span-class-matches-my-span-secret-access-keyhttp://blogs.aws.amazon.com/security/post/Tx1XG3FX6VMU6O5/A-span-class-matches-safer-span-span-class-matches-way-span-to-distribute-AWS-crhttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxQYSWLSAPYVGT/Guidelines-for-when-to-use-Accounts-Users-and-Groupshttp://blogs.aws.amazon.com/security/post/Tx15CIT22V4J8RP/How-to-rotate-access-keys-for-IAM-usershttp://blogs.aws.amazon.com/security/post/Tx3QSGD587OLBJB/Improve-the-security-of-your-AWS-account-in-less-than-5-minuteshttp://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-Ihttp://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-Ihttp://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-Ihttp://blogs.aws.amazon.com/security/post/Tx3NJXSBQUB4QMH/Securing-access-to-AWS-using-MFA-Part-2http://blogs.aws.amazon.com/security/post/Tx3NJXSBQUB4QMH/Securing-access-to-AWS-using-MFA-Part-2http://blogs.aws.amazon.com/security/post/Tx3NJXSBQUB4QMH/Securing-access-to-AWS-using-MFA-Part-2http://blogs.aws.amazon.com/security/post/Tx2A63BH8RJYB0B/Securing-access-to-AWS-using-MFA-Part-3http://blogs.
aws.amazon.com/security/post/Tx2A63BH8RJYB0B/Securing-access-to-AWS-using-MFA-Part-3http://blogs.aws.amazon.com/security/post/Tx2A63BH8RJYB0B/Securing-access-to-AWS-using-MFA-Part-3http://blogs.aws.amazon.com/security/post/Tx28W5SAINTLPXF/Generating-IAM-Policies-in-Codehttp://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-buckethttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/TxM6BPIXWFBDJS/Announcement-Resource-Permissions-for-additional-EC2-API-actionshttp://blogs.aws.amazon.com/security/post/Tx2YQ8C5IZM5RHH/Amazon-EC2-Resource-Level-Permissions-for-RunInstances
http://blogs.aws.amazon.com/security/post/TxTYGT3EHL3Y08/Announcing-New-IAM-Policy-Simulatorhttp://blogs.aws.amazon.com/security/post/Tx2H8VFYCM8A1BF/A-primer-on-RDS-resource-level-permissionshttp://blogs.aws.amazon.com/security/post/Tx2BCXSU68XSQM6/Announcing-resource-level-permissions-for-AWS-OpsWorkshttp://blogs.aws.amazon.com/security/post/Tx2BCXSU68XSQM6/Announcing-resource-level-permissions-for-AWS-OpsWorkshttp://blogs.aws.amazon.com/security/post/Tx2H8VFYCM8A1BF/A-primer-on-RDS-resource-level-permissionshttp://blogs.aws.amazon.com/security/post/TxTYGT3EHL3Y08/Announcing-New-IAM-Policy-Simulatorhttp://blogs.aws.amazon.com/security/post/Tx2YQ8C5IZM5RHH/Amazon-EC2-Resource-Level-Permissions-for-RunInstanceshttp://blogs.aws.amazon.com/security/post/TxM6BPIXWFBDJS/Announcement-Resource-Permissions-for-additional-EC2-API-actionshttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-buckethttp://blogs.aws.amazon.com/security/post/Tx28W5SAINTLPXF/Generating-IAM-Policies-in-Codehttp://blogs.aws.amazon.com/security/post/Tx2A63BH8RJYB0B/Securing-access-to-AWS-using-MFA-Part-3http://blogs.aws.amazon.com/security/post/Tx3NJXSBQUB4QMH/Securing-access-to-AWS-using-MFA-Part-2http://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-Ihttp://blogs.aws.amazon.com/security/post/Tx3QSGD587OLBJB/Improve-the-security-of-your-AWS-account-in-less-t
han-5-minuteshttp://blogs.aws.amazon.com/security/post/Tx15CIT22V4J8RP/How-to-rotate-access-keys-for-IAM-usershttp://blogs.aws.amazon.com/security/post/TxQYSWLSAPYVGT/Guidelines-for-when-to-use-Accounts-Users-and-Groupshttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/Tx1XG3FX6VMU6O5/A-span-class-matches-safer-span-span-class-matches-way-span-to-distribute-AWS-crhttp://blogs.aws.amazon.com/security/post/Tx1R9KDN9ISZ0HF/-span-class-matches-Where-s-span-span-class-matches-my-span-secret-access-keyhttp://blogs.aws.amazon.com/security/post/TxJXE4PKGTY78G/A-Retrospective-of-2013 -
- Delegating API Access to AWS Services Using IAM Roles
  http://blogs.aws.amazon.com/security/post/TxC24FI9IDXTY1/Delegating-API-Access-to-AWS-Services-Using-IAM-Roles
- Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML 2.0
  http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0
- New AWS web identity federation supports Amazon.com, Facebook, and Google identities
  http://blogs.aws.amazon.com/security/post/Tx2C3F8SSJIT6CE/New-AWS-web-identity-federation-supports-Amazon-com-Facebook-and-Google-identiti
- Understanding the API options for securely delegating access to your AWS account
  http://blogs.aws.amazon.com/security/post/Tx1DM54S2Q7TC8U/Understanding-the-API-options-for-securely-delegating-access-to-your-AWS-account
- AWS CloudFormation now supports federated users and temporary security credentials
  http://blogs.aws.amazon.com/security/post/Tx1MTHUNZEOMMVI/AWS-CloudFormation-now-supports-federated-users-and-temporary-security-credentia
- New playground app to explore web identity federation with Amazon, Facebook, and Google
  http://blogs.aws.amazon.com/security/post/Tx1XTHT1VJ1SQLX/New-playground-app-to-explore-web-identity-federation-with-Amazon-Facebook-and-G

Encryption:
- Encrypting data in Amazon S3
  http://blogs.aws.amazon.com/security/post/Tx1274SCPXF81JI/Encrypting-data-in-Amazon-S3
- AWS CloudHSM Use Cases (Part One of the AWS CloudHSM Series)
  http://blogs.aws.amazon.com/security/post/Tx3I4NZ0SZEOZ48/AWS-CloudHSM-Use-Cases-Part-One-of-the-AWS-CloudHSM-Series

Compliance:
- Auditing Security Checklist for AWS Now Available
  http://blogs.aws.amazon.com/security/post/Tx13K6TN0M2CRXF/Auditing-Security-Checklist-for-AWS-Now-Available
- 2013 PCI Compliance Package available now
  http://blogs.aws.amazon.com/security/post/Tx2BOQ6RM0ACYGT/2013-span-class-matches-PCI-span-span-class-matches-Compliance-span-Package-avai
- New Whitepaper: AWS Cloud Security Best Practices
  http://blogs.aws.amazon.com/security/post/TxDA6TS0KJK82R/New-span-class-matches-Whitepaper-span-AWS-Cloud-span-class-matches-Security-spa
- AWS Achieves First FedRAMP(SM) Agency ATOs
  http://blogs.aws.amazon.com/security/post/TxPDA8F0N24N8Y/AWS-Achieves-First-FedRAMP-SM-Agency-ATOs

Other: Several important topics related to AWS security were partner-related, and the other two
were references to security-related material published and distributed in other venues.
- Controlling network access to EC2 instances using a bastion server
  http://blogs.aws.amazon.com/security/post/Tx2ZWDW1QA6D62Y/Controlling-span-class-matches-network-span-span-class-matches-access-span-to-EC
- Recap of re:Invent Sessions
  http://blogs.aws.amazon.com/security/post/Tx2NSGBHGI9PX9B/Recap-of-re-Invent-Sessions
- Credentials Best Practices on the AWS Java Developers Blog
  http://blogs.aws.amazon.com/security/post/Tx3TITQJ4FC8FG9/Credentials-Best-Practices-on-the-AWS-Java-Developers-Blog
- CloudBerry Active Directory Bridge for Authenticating non-AWS AD Users to S3
  http://blogs.aws.amazon.com/security/post/Tx2TLNSAYXVZJA6/CloudBerry-Active-Directory-Bridge-for-Authenticating-non-AWS-AD-Users-to-S3
- Analyzing OS-Related Security Events on EC2 with SplunkStorm
  http://blogs.aws.amazon.com/security/post/Tx3OX6P4BZQTV7K/Analyzing-OS-Related-Security-Events-on-EC2-with-SplunkStorm
Consolidated Confidentiality Security Controls - DETAILED

Each entry gives the Control Domain, the CCM V3.0 Control ID, and the Control Specification.

Control Domain: Application & Interface Security - Data Security / Integrity
Control ID (CCM V3.0): AIS-04
Control Specification: Policies and procedures shall be established, and supporting business
processes and technical measures implemented, to ensure protection of confidentiality, integrity,
and availability of data exchanged between one or more system interfaces, jurisdictions, or
external business relationships to prevent improper disclosure, alteration, or destruction. These
policies, procedures, processes, and measures shall be in accordance with known legal, statutory
and regulatory compliance obligations.

Control Domain: Audit Assurance & Compliance - Information System Regulatory Mapping
Control ID (CCM V3.0): AAC-03
Control Specification: An inventory of the organization's external legal, statutory, and
regulatory compliance obligations associated with (and mapped to) any scope and
geographically-relevant presence of data or organizationally-owned or managed (physical or
virtual) infrastructure network and systems components shall be maintained and regularly updated
as per the business need (e.g., change in impacted-scope and/or a change in any compliance
obligation).

Control Domain: Business Continuity Management & Operational Resilience - Policy
Control ID (CCM V3.0): BCR-11
Control Specification: Policies and procedures shall be established, and supporting business
processes and technical measures implemented, for appropriate IT governance and service
management to ensure appropriate planning, delivery and support of the organization's IT
capabilities supporting business functions, workforce, and/or customers based on industry
acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall
include defined roles and responsibilities supported by regular workforce training.

Control Domain: Change Control & Configuration Management - Outsourced Development
Control ID (CCM V3.0): CCC-02
Control Specification: The use of an outsourced workforce or external business relationship for
designing, developing, testing, and/or deploying the organization's own source code shall require
higher levels of assurance of trustworthy applications (e.g., management supervision, established
and independently certified adherence to information security baselines, mandated information
security training for the outsourced workforce, and ongoing security code reviews).

Control Domain: Change Control & Configuration Management - Quality Testing
Control ID (CCM V3.0): CCC-03
Control Specification: A program for the systematic monitoring and evaluation to ensure that
standards of quality and security baselines are being met shall be established for all software
developed by the organization. Quality evaluation and acceptance criteria for information
systems, upgrades, and new versions shall be established and documented, and tests of the
system(s) shall be carried out both during development and prior to acceptance to maintain
security. Management shall have a clear oversight capacity in the quality testing process, with
the final product being certified as "fit for purpose" (the product should be suitable for the
intended purpose) and "right first time" (mistakes should be eliminated) prior to release. It is
also necessary to incorporate technical security reviews (i.e., vulnerability assessments and/or
penetration testing) to remediate vulnerabilities that pose an unreasonable business risk or risk
to customers (tenants) prior to release.

Control Domain: Data Security & Information Lifecycle Management - Classification
Control ID (CCM V3.0): DSI-01
Control Specification: Data and objects containing data shall be assigned a classification based
on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints,
contractual constraints, value, sensitivity, criticality to the organization, third-party
obligation for retention, and prevention of unauthorized disclosure or misuse.

Control Domain: Data Security & Information Lifecycle Management - Information Leakage