The AWS Shared Responsibility Model: presented by Amazon Web Services
TRANSCRIPT
The AWS Shared Security Responsibility Model
Matt Yanchyshyn, Sr. Manager, Solutions Architecture, Amazon Web Services
AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers (You) are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS strengthens your security posture
• Leverage security enhancements from 1M+ customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
• Over 50 global compliance certifications and accreditations
“We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers.”
Rob Alexander - CIO, Capital One
Security Audits: On-premises vs. On AWS
On-prem:
• Start with bare concrete
• Functionally optional – you can build a secure system without it
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
On AWS:
• Start on base of accredited services
• Functionally necessary – high watermark of requirements
• Audits done by third-party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance
What this means
• You benefit from an environment built for the most security-sensitive organizations
• AWS manages 1,800+ security controls so you don’t have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
AWS: more assurance programs than anyone
Certifications / Attestations: ISO 27001; ISO 27017; ISO 27018; PCI DSS Level 1; DoD SRG; FedRAMP; FIPS; IRAP [Australia]; MLPS Level 3 [China]; MTCS Tier 3 [Singapore]; SEC Rule 17a-4(f); SOC 1, SOC 2, SOC 3
Laws, Regulations, and Privacy: HIPAA; IRS 1075; ITAR; FERPA; CS Mark [Japan]; DNB [Netherlands]; EAR; Gramm-Leach-Bliley Act (GLBA); HITECH; My Number Act [Japan]; DPA – 1998 [U.K.]; VPAT / Section 508; EU Data Protection Directive [EU]; Privacy Act [Australia & New Zealand]; PDPA – 2010 [Malaysia & Singapore]
Alignments and Frameworks: CJIS; FISMA; GxP; CLIA; CMS Edge; FISC [Japan]; FDA; MPAA; CMSR; FedRAMP TIC; G-Cloud [U.K.]; PHR; IT Grundschutz [Germany]; MITA 3.0; NERC; NIST
Meet your own security objectives
• Customer scope and effort is reduced
• Better results through focused efforts
• Built on AWS consistent baseline controls
Your own external audits, your own accreditation and your own certifications (You) sit on top of the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
North America
• US East (N. Virginia) Region: EC2 Availability Zones: 5
• US West (Oregon) Region: EC2 Availability Zones: 3
• US West (N. California) Region: EC2 Availability Zones: 3
• AWS GovCloud (US) Region: EC2 Availability Zones: 2
• Canada (Montreal) Region: Announced
• US Central (Ohio) Region: EC2 Availability Zones: 3
AWS Edge Locations
United States - Ashburn, VA (3), Atlanta, GA (2), Chicago, IL, Dallas/Fort Worth, TX (2), Hayward, CA, Jacksonville, FL, Los Angeles, CA (2), Miami, FL, New York, NY (3), Newark, NJ, Palo Alto, CA, San Jose, CA, Seattle, WA, South Bend, IN, St. Louis, MO
Canada - Montreal, QC, Toronto, ON
Data Locality
• Customer chooses where to place data
• AWS regions are geographically isolated by design
• Data is not replicated to other AWS regions and doesn’t move unless you choose to move it
Data Locality in practice
• Block-level storage: Instance Storage (Elastic Compute Cloud - EC2); Elastic Block Storage (EBS)
• Object-level storage: Simple Storage Service (S3)
• Database storage: Relational Databases (RDS); NoSQL (DynamoDB); Data Warehouse (Redshift); Caching (ElastiCache)
AWS Shared Responsibility Model Deep Dive
One model for all? The split differs by service category:
• Infrastructure Services
• Managed Services
• Abstract Services
AWS Security Tools
• Encryption: Key Management Service, CloudHSM, Server-side Encryption
• Networking: Virtual Private Cloud, Web Application Firewall
• Compliance: Config, CloudTrail & Inspector, Service Catalog
• Identity: IAM, Active Directory Integration, SAML Federation
AWS Shared Responsibility Model: Infrastructure Services
Customers (You) are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption, Integrity, Identity)
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Infrastructure Service Example: Amazon EC2
AWS:
• AWS Networking, Compute & Storage Services
• AWS Global Infrastructure
• AWS API Endpoints
You:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)
AWS Shared Responsibility Model: Managed Services
Customers (You) are responsible for:
• Customer content
• Client-Side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption, Integrity, Identity)
• Identity & Access Management
• Firewall Configuration
AWS is responsible for:
• Platform, Operating System, Network Configuration
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Managed Service Example: Amazon RDS
AWS:
• AWS Networking, Compute, Storage Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
You:
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling
AWS Shared Responsibility Model: Abstract Services
Customers (You) are responsible for:
• Customer content
• Client-Side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption, Integrity, Identity)
• Identity & Access Management
AWS is responsible for:
• Platform & Application Management
• Operating System, Network & Firewall Configuration
• Data Protection by the Platform (at rest)
• Network Traffic Protection by the Platform (in transit)
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Abstract Service Example: Amazon S3
AWS:
• Foundational Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
You:
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
Summary of Shared Responsibility in AWS
Customer responsibilities by service category:
• Infrastructure Services: Applications, Operating System, Networking/Firewall, Data, Customer IAM, AWS IAM
• Managed Services: Customer IAM, AWS IAM, Firewall, Data
• Abstract Services: AWS IAM, Data
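As an added example (not part of the deck or any AWS tool), the summary above can be turned into a check that only reports on the layers the customer actually owns in each service category; the resource field names (os_patched, ingress, encrypted_at_rest, iam_statements) and the check rules are assumptions made for illustration.

```python
# Added example (not from the deck): the customer-owned layers per service category, taken from
# the summary slide, decide which checks run against a resource description. The resource field
# names and check rules are assumptions for illustration, not an AWS API.
from typing import Callable, Dict, List

# Summary slide: layers the customer is responsible for in each service category.
CUSTOMER_LAYERS: Dict[str, List[str]] = {
    "infrastructure": ["applications", "operating_system", "firewall", "data",
                       "customer_iam", "aws_iam"],
    "managed": ["customer_iam", "aws_iam", "firewall", "data"],
    "abstract": ["aws_iam", "data"],
}

def check_operating_system(r: dict) -> List[str]:
    # Guest OS patching is the customer's job only for infrastructure services (e.g. EC2).
    return [] if r.get("os_patched", True) else ["operating_system: patches outstanding"]

def check_firewall(r: dict) -> List[str]:
    # Security-group style ingress rules that are open to the whole internet.
    return [f"firewall: ingress open to {cidr} on port {port}"
            for port, cidr in r.get("ingress", []) if cidr == "0.0.0.0/0"]

def check_data(r: dict) -> List[str]:
    # Encryption at rest is a customer choice wherever the data layer is the customer's.
    return [] if r.get("encrypted_at_rest", False) else ["data: not encrypted at rest"]

def check_aws_iam(r: dict) -> List[str]:
    # Flag IAM policy statements that allow every action on every resource.
    return ["aws_iam: statement allows * on *" for s in r.get("iam_statements", [])
            if s.get("Effect") == "Allow" and s.get("Action") == "*" and s.get("Resource") == "*"]

CHECKS: Dict[str, Callable[[dict], List[str]]] = {
    "operating_system": check_operating_system, "firewall": check_firewall,
    "data": check_data, "aws_iam": check_aws_iam,
}

def customer_findings(category: str, resource: dict) -> List[str]:
    """Run only the checks for layers the customer owns in this service category."""
    findings: List[str] = []
    for layer in CUSTOMER_LAYERS[category]:
        if layer in CHECKS:
            findings.extend(CHECKS[layer](resource))
    return findings

# Constructed sample resources (not real accounts or configurations). The unpatched OS on the
# RDS instance is deliberately not a customer finding: that layer belongs to AWS for managed services.
EC2_INSTANCE = {"os_patched": False, "ingress": [(22, "0.0.0.0/0")], "encrypted_at_rest": False}
RDS_INSTANCE = {"os_patched": False, "ingress": [(3306, "10.0.0.0/8")], "encrypted_at_rest": True}
S3_BUCKET = {"encrypted_at_rest": True,
             "iam_statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

Running customer_findings("infrastructure", EC2_INSTANCE) reports the OS, firewall and data findings, while the same unpatched-OS flag on RDS_INSTANCE produces nothing because the OS layer is AWS's for managed services.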
AWS Security & Compliance Training
AWS Security Fundamentals
• 3-hour eLearning course
• Target audience – Security Auditors/Analysts
• It’s free
AWS Security Operations
• 3-day Instructor-Led Training
• Target audience – Security Engineers/Architects
• 12 Modules + Labs
Self-paced labs available on http://qwiklabs.com
https://aws.amazon.com/training/course-descriptions/
Helpful Resources
Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Center Website: https://aws.amazon.com/compliance
Security Center: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
AWS Audit Training: [email protected]