The AWS Shared Responsibility Model: presented by Amazon Web Services

The AWS Shared Security Responsibility Model
Matt Yanchyshyn, Sr. Manager, Solutions Architecture, Amazon Web Services

Uploaded by alert-logic, posted 16-Apr-2017


TRANSCRIPT


Move Fast OR Stay Secure

Move Fast AND Stay Secure

AWS Shared Responsibility Model

Customers are responsible for their security and compliance IN the Cloud (You):
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption | Server-side Data Encryption | Network Traffic Protection

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations


AWS strengthens your security posture

• Leverage security enhancements from 1M+ customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
• Over 50 global compliance certifications and accreditations

"We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers." (Rob Alexander, CIO, Capital One)

Security Audits: On-premises vs. On AWS

On-premises:
• Start with bare concrete
• Functionally optional: you can build a secure system without it
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation

On AWS:
• Start on a base of accredited services
• Functionally necessary: high watermark of requirements
• Audits done by third-party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance

What this means

• You benefit from an environment built for the most security-sensitive organizations
• AWS manages 1,800+ security controls so you don't have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data

AWS: more assurance programs than anyone

Certifications / Attestations:
ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, DoD SRG, FedRAMP, FIPS, IRAP [Australia], MLPS Level 3 [China], MTCS Tier 3 [Singapore], SEC Rule 17a-4(f), SOC 1, SOC 2, SOC 3

Laws, Regulations, and Privacy:
HIPAA, IRS 1075, ITAR, FERPA, CS Mark [Japan], DNB [Netherlands], EAR, Gramm-Leach-Bliley Act (GLBA), HITECH, My Number Act [Japan], DPA – 1998 [U.K.], VPAT / Section 508, EU Data Protection Directive [EU], Privacy Act [Australia & New Zealand], PDPA – 2010 [Malaysia & Singapore]

Alignments and Frameworks:
CJIS, FISMA, GxP, CLIA, CMS Edge, FISC [Japan], FDA, MPAA, CMSR, FedRAMP TIC, G-Cloud [U.K.], PHR, IT Grundschutz [Germany], MITA 3.0, NERC, NIST

Meet your own security objectives

• Customer scope and effort is reduced
• Better results through focused efforts
• Built on AWS consistent baseline controls

Your own external audits, your own accreditation and your own certifications (You) sit on top of the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).

AWS Global Infrastructure (counts as of this presentation)

14 Regions, 38 Availability Zones, 63 Edge Locations

North America:
• US East (N. Virginia) Region: 5 EC2 Availability Zones
• US West (Oregon) Region: 3 EC2 Availability Zones
• US West (N. California) Region: 3 EC2 Availability Zones
• AWS GovCloud (US) Region: 2 EC2 Availability Zones
• US Central (Ohio) Region: 3 EC2 Availability Zones
• Canada (Montreal) Region: announced

AWS Edge Locations:
United States: Ashburn, VA (3), Atlanta, GA (2), Chicago, IL, Dallas/Fort Worth, TX (2), Hayward, CA, Jacksonville, FL, Los Angeles, CA (2), Miami, FL, New York, NY (3), Newark, NJ, Palo Alto, CA, San Jose, CA, Seattle, WA, South Bend, IN, St. Louis, MO
Canada: Montreal, QC, Toronto, ON

Data Locality

• Customer chooses where to place data
• AWS regions are geographically isolated by design
• Data is not replicated to other AWS regions and doesn't move unless you choose to move it

Data Locality in practice

Block-level storage:
• Instance Storage (Elastic Compute Cloud, EC2)
• Elastic Block Store (EBS)

Object-level storage:
• Simple Storage Service (S3)

Database storage:
• Relational Databases (RDS)
• NoSQL (DynamoDB)
• Data Warehouse (Redshift)
• Caching (ElastiCache)

AWS Shared Responsibility Model Deep Dive

One model for all? The split differs by service category: Infrastructure Services, Managed Services, Abstract Services.

AWS Security Tools

Encryption: Key Management Service, CloudHSM, Server-side Encryption
Networking: Virtual Private Cloud, Web Application Firewall
Compliance: Config, CloudTrail & Inspector, Service Catalog
Identity: IAM, Active Directory Integration, SAML Federation

AWS Shared Responsibility Model: Infrastructure Services

Customers are responsible for their security and compliance IN the Cloud (You):
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-Side Data Encryption & Data Integrity Authentication | Server-Side Encryption (File System and/or Data) | Network Traffic Protection (Encryption, Integrity, Identity)

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Infrastructure Service Example: Amazon EC2

AWS:
• AWS Networking, Compute & Storage Services
• AWS Global Infrastructure
• AWS API Endpoints

You:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)
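The "Network & Firewall" line on the customer side of the EC2 slide is where most infrastructure-service exposures begin, so here is an added example (not code from the presentation or from AWS) that audits a security-group listing for administrative ports reachable from the whole Internet. The input is a constructed document in the shape of `aws ec2 describe-security-groups --output json`; the ADMIN_PORTS table is an assumption about which ports the customer treats as administrative.

```python
"""Security-group exposure audit (added example; constructed input, runs offline)."""
import ipaddress
import json

# Constructed sample in the shape of describe-security-groups output; not real data.
SAMPLE = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
     ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "bastion",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
     ]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "legacy",
     "IpPermissions": [
       {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
     ]}
  ]
}
""")

# Ports that should not be reachable from the whole Internet.
# Assumption: the customer's own list; extend it to match the workload.
ADMIN_PORTS = {22: "SSH", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}


def is_world_open(cidr):
    """True for a prefix that admits every address in its family (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_ports(perm):
    """Admin ports one permission entry grants. IpProtocol "-1" means all
    protocols and all ports, so every admin port counts as exposed."""
    if perm.get("IpProtocol") == "-1":
        return sorted(ADMIN_PORTS)
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return []  # e.g. icmp, where FromPort/ToPort are type/code, not ports
    return sorted(p for p in ADMIN_PORTS if perm["FromPort"] <= p <= perm["ToPort"])


def audit_security_groups(doc):
    """One finding per (group, admin port, world-open source) combination."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if not is_world_open(src):
                    continue  # a scoped source such as the bastion range is fine
                for port in exposed_admin_ports(perm):
                    findings.append({
                        "GroupId": sg["GroupId"], "GroupName": sg["GroupName"],
                        "Port": port, "Service": ADMIN_PORTS[port], "Source": src,
                    })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE):
        print("%s (%s): %s/%d open to %s" % (
            f["GroupId"], f["GroupName"], f["Service"], f["Port"], f["Source"]))
```

On the sample the web group is flagged once (SSH from 0.0.0.0/0; its HTTPS rule is not), the bastion group is clean because its SSH source is a scoped range, and the legacy group is flagged for every admin port because an all-protocol rule from ::/0 exposes everything. Replace SAMPLE with real CLI output to run it against an account.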

AWS Shared Responsibility Model: Managed Services

You:
• Customer content
• Client-Side Data Encryption & Data Integrity Authentication | Network Traffic Protection (Encryption, Integrity, Identity)
• Identity & Access Management
• Firewall Configuration

AWS:
• Platform, Operating System, Network Configuration
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Managed Service Example: Amazon RDS

AWS:
• AWS Networking, Compute, Storage Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application

You:
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling

The last three are options you select when you create or modify the instance (Multi-AZ, encryption at rest and TLS in transit, backup retention, instance class); AWS operates them once chosen, but choosing them remains your responsibility.

AWS Shared Responsibility Model: Abstract Services

You:
• Customer content
• Client-Side Data Encryption & Data Integrity Authentication
• Identity & Access Management

AWS:
• Network Traffic Protection by the Platform (in transit)
• Data Protection by the Platform (at rest)
• Platform & Application Management
• Operating System, Network & Firewall Configuration
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Abstract Service Example: Amazon S3

AWS:
• Foundational Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling

You:
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
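Two of the customer-side items above, choosing where data lives (the Data Locality slides) and the AWS IAM policies that govern S3 in this example, are both enforced with policy documents. The block below is an added example, not code from the presentation or from AWS: it builds an SCP-style statement that denies requests outside an approved-region list using the `aws:RequestedRegion` condition key, builds a bucket policy that denies `s3:PutObject` unless SSE-KMS is requested, and runs both through a deliberately simplified evaluator so you can see which constructed requests get blocked. Assumptions: the approved-region list, the bucket name, the choice of `aws:kms` over `AES256`, and the list of global services exempted from the region check are all illustrative; the evaluator supports only Effect=Deny, Action/NotAction with `*` wildcards, and the StringNotEquals and Null operators, and is not IAM's full evaluation logic.

```python
"""Customer-side policy guardrails with a simplified evaluator (added example)."""
import fnmatch

APPROVED_REGIONS = ["us-east-1", "ca-central-1"]  # assumption: the customer's allow-list

# Global services carry no region in aws:RequestedRegion, so the SCP exempts them.
# Assumption: an illustrative subset, not the complete list.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "cloudfront:*", "route53:*", "support:*"]


def region_restriction_scp(approved):
    """Deny every regional API call whose target region is outside the allow-list."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(approved)}},
        }],
    }


def require_sse_kms_bucket_policy(bucket):
    """Two Deny statements: one for a missing SSE header, one for the wrong algorithm."""
    resource = "arn:aws:s3:::%s/*" % bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
            {"Sid": "DenyNonKmsPut", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(statement, action):
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["NotAction"]))


def _condition_matches(condition, context):
    """Every operator/key pair must hold. In this evaluator an absent key never
    satisfies StringNotEquals, which is why the SSE policy carries a Null statement."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                if actual is None or actual in _as_list(expected):
                    return False
            elif operator == "Null":
                if (actual is None) != (_as_list(expected)[0] == "true"):
                    return False
            else:
                raise ValueError("operator not supported by this evaluator: " + operator)
    return True


def explicit_denies(policy, action, context):
    """Sids of Deny statements matching the request; any hit blocks the call."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny"
            and _action_matches(s, action)
            and _condition_matches(s.get("Condition", {}), context)]


if __name__ == "__main__":
    # Constructed requests (action, request context); nothing is sent to AWS.
    scp = region_restriction_scp(APPROVED_REGIONS)
    bucket_policy = require_sse_kms_bucket_policy("example-bucket")
    for policy, action, ctx in [
        (scp, "ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}),
        (scp, "ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1"}),
        (scp, "iam:CreateRole", {}),
        (bucket_policy, "s3:PutObject", {"s3:x-amz-server-side-encryption": "aws:kms"}),
        (bucket_policy, "s3:PutObject", {"s3:x-amz-server-side-encryption": "AES256"}),
        (bucket_policy, "s3:PutObject", {}),
    ]:
        print(action, ctx, "->", explicit_denies(policy, action, ctx) or "allowed by these statements")
```

The region SCP blocks the eu-west-1 launch and lets the us-east-1 launch and the global IAM call through; the bucket policy admits only the upload that asks for `aws:kms`, with the header-less upload caught by the Null statement rather than the StringNotEquals one. An explicit deny here does not mean anything else is allowed: an Allow elsewhere is still required, which is the AWS IAM line on the customer side of every slide above.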

Summary of Shared Responsibility in AWS

Infrastructure Services (e.g. EC2), you manage:
• Data
• Applications
• Operating System
• Networking/Firewall
• Customer IAM
• AWS IAM

Managed Services (e.g. RDS), you manage:
• Data
• Firewall
• Customer IAM
• AWS IAM

Abstract Services (e.g. S3), you manage:
• Data
• AWS IAM

AWS Security & Compliance Training

AWS Security Fundamentals
• 3-hour eLearning course
• Target audience: Security Auditors/Analysts
• It's free

AWS Security Operations
• 3-day Instructor-Led Training
• Target audience: Security Engineers/Architects
• 12 Modules + Labs

Self-paced labs available on http://qwiklabs.com
https://aws.amazon.com/training/course-descriptions/

Helpful Resources

Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Center Website: https://aws.amazon.com/compliance
Security Center: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
AWS Audit Training: [email protected]