Introduction to AWS

Security Processes
June 2016

(Please consult http://aws.amazon.com/security/ for the latest version of this paper)

Amazon Web Services – Overview of Security Processes June 2016

© 2016, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices
This document is provided for informational purposes only. It represents AWS’ current
product offerings and practices as of the date of issue of this document, which are
subject to change without notice. Customers are responsible for making their own
independent assessment of the information in this document and any use of AWS’
products or services, each of which is provided “as is” without warranty of any kind,
whether express or implied. This document does not create any warranties,
representations, contractual commitments, conditions or assurances from AWS, its
affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its
customers are controlled by AWS agreements, and this document is not part of, nor
does it modify, any agreement between AWS and its customers.

Page 2 of 45
Amazon Web Services – Overview of Security Processes June 2016

Table of Contents

Introduction ...................................................................................................................................5
Shared Security Responsibility Model .......................................................................................5
AWS Security Responsibilities ..................................................................................................6
Customer Security Responsibilities.............................................................................................7
AWS Global Security Infrastructure ...........................................................................................7
AWS Compliance Programs.......................................................................................................8
Physical and Environmental Security ........................................................................................9
Fire Detection and Suppression..................................................................................................9
Power .........................................................................................................................................9
Climate and Temperature ...........................................................................................................9
Management .........................................................................................................................10
Storage Device Decommissioning...................................................................................10
Business Continuity Management ...........................................................................................10
Availability ..............................................................................................................................10
Incident Response ...............................................................................................................10
Company-Wide Executive Review ..................................................................................11
Communication ....................................................................................................................11
AWS Access...............................................................................................................................11
Account Review and Audit.................................................................................................11
Background Checks ............................................................................................................12
Credentials Policy ................................................................................................................12
Secure Design Principles ..........................................................................................................12
Change Management................................................................................................................12
Software .................................................................................................................................12
Infrastructure .........................................................................................................................13
AWS Account Security Features .............................................................................................13
AWS Credentials..................................................................................................................14
Passwords .............................................................................................................................15
AWS Multi-Factor Authentication (AWS MFA) .............................................................15
Access Keys .........................................................................................................................16
Key Pairs................................................................................................................................17
X.509 Certificates ................................................................................................................18
Individual User Accounts ...................................................................................................18
Page 3 of 45
Amazon Web Services – Overview of Security Processes June 2016

Secure HTTPS Access Points ..........................................................................................19

Security Logs ........................................................................................................................19
AWS Trusted Advisor Security Checks ..........................................................................20
Networking Services ...........................................................................................................20
Amazon Elastic Load Balancing Security ......................................................................20
Amazon Virtual Private Cloud (Amazon VPC) Security .............................................22
Amazon Route 53 Security ................................................................................................28
Amazon CloudFront Security ............................................................................................29
AWS Direct Connect Security ...........................................................................................32
Appendix – Glossary of Terms ....................................................................................................33
Document Revisions .................................................................................................................44
Jun 2016 ..................................................................................................................................44
Nov 2014 .................................................................................................................................44
Nov 2013 .................................................................................................................................44
May 2013.................................................................................................................................45

Page 4 of 45
Amazon Web Services – Overview of Security Processes June 2016

Introduction
Amazon Web Services (AWS) delivers a scalable cloud computing platform with high
availability and dependability, providing the tools that enable customers to run a wide
range of applications. Helping to protect the confidentiality, integrity, and availability
of our customers’ systems and data is of the utmost importance to AWS, as is
maintaining customer trust and confidence. This document is intended to answer
questions such as, “How does AWS help me protect my data?” Specifically, AWS
physical and operational security processes are described for the network and server
infrastructure under AWS’ management, as well as service-specific security
implementations.

Shared Security Responsibility Model

When using AWS services, customers maintain complete control over their content and
are responsible for managing critical content security requirements, including:

• What content they choose to store on AWS

• Which AWS services are used with the content
• In what country that content is stored
• The format and structure of that content and whether it is masked, anonymised
or encrypted
• Who has access to that content and how those access rights are granted, managed
and revoked

Because AWS customers retain control over their data, they also retain responsibilities
relating to that content as part of the AWS “shared responsibility” model. This shared
responsibility model is fundamental to understanding the respective roles of the
customer and AWS in the context of the Cloud Security Principles.

Under the shared responsibility model, AWS operates, manages, and controls the
components from the host operating system and virtualization layer down to the physical
security of the facilities in which the services operate. In turn, customers assume
responsibility for and management of their operating system (including updates and
security patches), other associated application software, as well as the configuration of
the AWS-provided security group firewall. Customers should carefully consider the
services they choose, as their responsibilities vary depending on the services they use,
the integration of those services into their IT environments, and applicable laws and
regulations. It is possible to enhance security and/or meet more stringent compliance
requirements by leveraging technology such as host-based firewalls, host-based
intrusion detection/ prevention, and encryption. AWS provides tools and information to
assist customers in their efforts to account for and validate that controls are operating
effectively in their extended IT environment. More information can be found on the AWS
Compliance center at http://aws.amazon.com/compliance.

Page 5 of 45
Amazon Web Services – Overview of Security Processes June 2016

Figure 1: AWS Shared Security Responsibility Model

The amount of security configuration work you have to do varies depending on which
services you select and how sensitive your data is. However, there are certain security
features, such as individual user accounts and credentials, SSL/TLS for data
transmissions, and user activity logging, that you should configure no matter which
AWS service you use. For more information about these security features, see the
“AWS Account Security Features” section below.

AWS Security Responsibilities

AWS is responsible for protecting the global infrastructure that runs all of the services
offered in the AWS cloud. This infrastructure is comprised of the hardware, software,
networking, and facilities that run AWS services. Protecting this infrastructure is AWS’
number one priority, and while you can’t visit our data centers or offices to see this
protection firsthand, we provide several reports from third-party auditors who have
verified our compliance with a variety of computer security standards and regulations
(for more information, visit (aws.amazon.com/compliance).

Note that in addition to protecting this global infrastructure, AWS is responsible for the
security configuration of its products that are considered managed services. Examples
of these types of services include Amazon DynamoDB, Amazon RDS, Amazon Redshift,
Amazon Elastic MapReduce, Amazon WorkSpaces, and several other services. These
services provide the scalability and flexibility of cloud-based resources with the
additional benefit of being managed. For these services, AWS will handle basic security
tasks like guest operating system (OS) and database patching, firewall configuration,
Page 6 of 45
Amazon Web Services – Overview of Security Processes June 2016

and disaster recovery. For most of these managed services, all you have to do is
configure logical access controls for the resources and protect your account credentials.
A few of them may require additional tasks, such as setting up database user accounts,
but overall the security configuration work is performed by the service.
Customer Security Responsibilities
With the AWS cloud, you can provision virtual servers, storage, databases, and
desktops in minutes instead of weeks. You can also use cloud-based analytics and
workflow tools to process your data as you need it, and then store it in the cloud or
in your own data centers. Which AWS services you use will determine how much
configuration work you have to perform as part of your security responsibilities.

AWS products that fall into the well-understood category of Infrastructure as a

Service (IaaS), such as Amazon EC2 and Amazon VPC, are completely under your
control and require you to perform all of the necessary security configuration and
management tasks. For example, for EC2 instances, you’re responsible for
management of the guest OS (including updates and security patches), any
application software or utilities you install on the instances, and the configuration
of the AWS-provided firewall (called a security group) on each instance. These are
basically the same security tasks that you’re used to performing no matter where
your servers are located.

AWS managed services like Amazon RDS or Amazon Redshift provide all of the
resources you need in order to perform a specific task, but without the configuration
work that can come with them. With managed services, you don’t have to worry
about launching and maintaining instances, patching the guest OS or database, or
replicating databases - AWS handles that for you. However, as with all services, you
should protect your AWS Account credentials and set up individual user accounts
with Amazon Identity and Access Management (IAM) so that each of your users has
their own credentials and you can implement segregation of duties. We also
recommend using multi-factor authentication (MFA) with each account, requiring
the use of SSL/TLS to communicate with your AWS resources, and setting up
API/user activity logging with AWS CloudTrail. For more information about
additional measures you can take, refer to the AWS Security Resources webpage.

AWS Global Security Infrastructure

AWS operates the global cloud infrastructure that you use to provision a variety of
basic computing resources such as processing and storage. The AWS global
infrastructure includes the facilities, network, hardware, and operational software
(e.g., host OS, virtualization software, etc.) that support the provisioning and use of
these resources. The AWS global infrastructure is designed and managed according
to security best practices as well as a variety of security compliance standards. As
an AWS customer, you can be assured that you’re building web architectures on top
of some of the most secure computing infrastructure in the world.

Page 7 of 45
Amazon Web Services – Overview of Security Processes June 2016

AWS Compliance Programs

Amazon Web Services Compliance enables customers to understand the robust
controls in place at AWS to maintain security and data protection in the cloud. As
systems are built on top of the AWS cloud infrastructure, compliance
responsibilities will be shared. By tying together governance-focused, audit-friendly
service features with applicable compliance or audit standards, AWS Compliance
enablers build on traditional programs; helping customers to establish and operate
in an AWS security control environment. The IT infrastructure that AWS provides to
its customers is designed and managed in alignment with security best practices
and a variety of IT security standards, including:

• SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)

• SOC 2
• SOC 3
• FISMA
• FedRAMP
• DOD SRG Levels 2 and 4
• PCI DSS Level 1
• EU Model Clauses
• ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
• ITAR
• IRAP
• FIPS 140-2
• MLPS Level 3
• MTCS

In addition, the flexibility and control that the AWS platform provides allows customers
to deploy solutions that meet several industry-specific standards, including:
• Criminal Justice Information Services (CJIS)
• Cloud Security Alliance (CSA)
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Motion Picture Association of America (MPAA)

Page 8 of 45
Amazon Web Services – Overview of Security Processes June 2016

AWS provides a wide range of information regarding its IT control environment to

customers through white papers, reports, certifications, accreditations, and other
third-party attestations. More information is available in the Risk and Compliance
whitepaper available at http://aws.amazon.com/compliance/.

Physical and Environmental Security

AWS’ data centers are state of the art, utilizing innovative architectural and
engineering approaches. AWS has many years of experience in designing,
constructing, and operating large-scale data centers. This experience has been
applied to the AWS platform and infrastructure. AWS data centers are housed in
nondescript facilities. Physical access is strictly controlled both at the perimeter and
at building ingress points by professional security staff utilizing video surveillance,
intrusion detection systems, and other electronic means. Authorized staff must pass
two-factor authentication a minimum of two times to access data center floors. All
visitors and contractors are required to present identification and are signed in and
continually escorted by authorized staff.

AWS only provides data center access and information to employees and contractors
who have a legitimate business need for such privileges. When an employee no longer
has a business need for these privileges, his or her access is immediately revoked, even
if they continue to be an employee of Amazon or Amazon Web Services. All physical
access to data centers by AWS employees is logged and audited routinely.

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce
risk. The fire detection system utilizes smoke detection sensors in all data center
environments, mechanical and electrical infrastructure spaces, chiller rooms and
generator equipment rooms. These areas are protected by either wet-pipe, double-
interlocked pre-action, or gaseous sprinkler systems.

Power
The data center electrical power systems are designed to be fully redundant and
maintainable without impact to operations, 24 hours a day, and seven days a week.
Uninterruptible Power Supply (UPS) units provide back-up power in the event of an
electrical failure for critical and essential loads in the facility. Data centers use
generators to provide back-up power for the entire facility.

Climate and Temperature

Climate control is required to maintain a constant operating temperature for servers
and other hardware, which prevents overheating and reduces the possibility of
service outages. Data centers are conditioned to maintain atmospheric conditions at
optimal levels. Personnel and systems monitor and control temperature and
humidity at appropriate levels.

Page 9 of 45
Amazon Web Services – Overview of Security Processes June 2016

Management
AWS monitors electrical, mechanical, and life support systems and equipment so
that any issues are immediately identified. Preventative maintenance is performed to
maintain the continued operability of equipment.

Storage Device Decommissioning

When a storage device has reached the end of its useful life, AWS procedures include
a decommissioning process that is designed to prevent customer data from being
exposed to unauthorized individuals. AWS uses techniques detailed NIST 800-88
(“Guidelines for Media Sanitization as part of the decommissioning process“).

Business Continuity Management

AWS’ infrastructure has a high level of availability and provides customers the
features to deploy a resilient IT architecture. AWS has designed its systems to
tolerate system or hardware failures with minimal customer impact. Data center
Business Continuity Management at AWS is under the direction of the Amazon
Infrastructure Group.

Availability
Data centers are built in clusters in various global regions. All data centers are online
and serving customers; no data center is “cold.” In case of failure, automated
processes move customer data traffic away from the affected area. Core applications
are deployed in an N+1 configuration, so that in the event of a data center failure,
there is sufficient capacity to enable traffic to be load-balanced to the remaining
sites.

AWS provides you with the flexibility to place instances and store data within
multiple geographic regions as well as across multiple availability zones within each
region. Each availability zone is designed as an independent failure zone. This means
that availability zones are physically separated within a typical metropolitan region
and are located in lower risk flood plains (specific flood zone categorization varies by
Region). In addition to discrete uninterruptable power supply (UPS) and onsite
backup generation facilities, they are each fed via different grids from independent
utilities to further reduce single points of failure. Availability zones are all
redundantly connected to multiple tier-1 transit providers.

You should architect your AWS usage to take advantage of multiple regions and
availability zones. Distributing applications across multiple availability zones
provides the ability to remain resilient in the face of most failure modes, including
natural disasters or system failures.

Incident Response
The Amazon Incident Management team employs industry-standard diagnostic
procedures to drive resolution during business-impacting events. Staff operators

Page 10 of 45
Amazon Web Services – Overview of Security Processes June 2016

provide 24x7x365 coverage to detect incidents and to manage the impact and
resolution.

Company-Wide Executive Review

Amazon’s Internal Audit group regularly reviews AWS resiliency plans, which are
also periodically reviewed by members of the Senior Executive management team
and the Audit Committee of the Board of Directors.

Communication
AWS has implemented various methods of internal communication at a global level
to help employees understand their individual roles and responsibilities and to
communicate significant events in a timely manner. These methods include
orientation and training programs for newly hired employees; regular management
meetings for updates on business performance and other matters; and electronic
means such as video conferencing, electronic mail messages, and the posting of
information via the Amazon intranet.

AWS has also implemented various methods of external communication to support

its customer base and the community. Mechanisms are in place to allow the
customer support team to be notified of operational issues that impact the
customer experience. A "Service Health Dashboard" is available and maintained by
the customer support team to alert customers to any issues that may be of broad
impact. The “AWS Security Center” is available to provide you with security and
compliance details about AWS. You can also subscribe to AWS Support offerings that
include direct communication with the customer support team and proactive
alerts to any customer impacting issues.

AWS Access
The AWS Production network is segregated from the Amazon Corporate network and
requires a separate set of credentials for logical access. The Amazon Corporate network
relies on user IDs, passwords, and Kerberos, while the AWS Production network requires
SSH public-key authentication through a bastion host.

AWS developers and administrators on the Amazon Corporate network who need to
access AWS cloud components must explicitly request access through the AWS access
management system. All requests are reviewed and approved by the appropriate owner
or manager.

Account Review and Audit

Accounts are reviewed every 90 days; explicit re-approval is required or access to the
resource is automatically revoked. Access is also automatically revoked when an
employee’s record is terminated in Amazon’s Human Resources system. Windows and
UNIX accounts are disabled and Amazon’s permission management system removes the
user from all systems.
Page 11 of 45
Amazon Web Services – Overview of Security Processes June 2016

Requests for changes in access are captured in the Amazon permissions management
tool audit log. When changes in an employee’s job function occur, continued access must
be explicitly approved to the resource or it will be automatically revoked.

Background Checks
AWS has established formal policies and procedures to delineate the minimum standards
for logical access to AWS platform and infrastructure hosts. AWS conducts criminal
background checks, as permitted by law, as part of pre- employment screening practices
for employees and commensurate with the employee’s position and level of access. The
policies also identify functional responsibilities for the administration of logical access
and security.

Credentials Policy
AWS Security has established a credentials policy with required configurations and
expiration intervals. Passwords must be complex and are forced to be changed every 90
days.

Secure Design Principles

AWS’ development process follows secure software development best practices, which
include formal design reviews by the AWS Security Team, threat modeling, and
completion of a risk assessment. Static code analysis tools are run as a part of the
standard build process, and all deployed software undergoes recurring penetration
testing performed by carefully selected industry experts. Our security risk assessment
reviews begin during the design phase and the engagement lasts through launch to
ongoing operations

Change Management
Routine, emergency, and configuration changes to existing AWS infrastructure are
authorized, logged, tested, approved, and documented in accordance with industry
norms for similar systems. Updates to AWS’ infrastructure are done to minimize any
impact on the customer and their use of the services. AWS will communicate with
customers, either via email, or through the AWS Service Health Dashboard (when service
use is likely to be adversely affected).

Software
AWS applies a systematic approach to managing change so that changes to customer-
impacting services are thoroughly reviewed, tested, approved, and well-communicated.
The AWS change management process is designed to avoid unintended service
disruptions and to maintain the integrity of service to the customer. Changes deployed
into production environments are:
• Reviewed: Peer reviews of the technical aspects of a change are required.
• Tested: Changes being applied are tested to help ensure they will behave as
expected and not adversely impact performance.

Page 12 of 45
Amazon Web Services – Overview of Security Processes June 2016

• Approved: All changes must be authorized in order to provide appropriate

oversight and understanding of business impact.

Changes are typically pushed into production in a phased deployment starting with
lowest impact areas. Deployments are tested on a single system and closely monitored so
impacts can be evaluated. Service owners have a number of configurable metrics that
measure the health of the service’s upstream dependencies. These metrics are closely
monitored with thresholds and alarming in place. Rollback procedures are documented
in the Change Management (CM) ticket.

When possible, changes are scheduled during regular change windows. Emergency
changes to production systems that require deviations from standard change
management procedures are associated with an incident and are logged and approved as
appropriate.

Periodically, AWS performs self-audits of changes to key services to monitor quality,

maintain high standards, and facilitate continuous improvement of the change
management process. Any exceptions are analyzed to determine the root cause, and
appropriate actions are taken to bring the change into compliance or roll back the change
if necessary. Actions are then taken to address and remediate the process or people issue.

Infrastructure
Amazon’s Corporate Applications team develops and manages software to automate IT
processes for UNIX/Linux hosts in the areas of third-party software delivery, internally
developed software, and configuration management. The Infrastructure team maintains
and operates a UNIX/Linux configuration management framework to address hardware
scalability, availability, auditing, and security management. By centrally managing hosts
through the use of automated processes that manage change, AWS is able to achieve its
goals of high availability, repeatability, scalability, security, and disaster recovery.
Systems and network engineers monitor the status of these automated tools on a
continuous basis, reviewing reports to respond to hosts that fail to obtain or update their
configuration and software.

Internally developed configuration management software is installed when new

hardware is provisioned. These tools are run on all UNIX hosts to validate that they are
configured and that software is installed in compliance with standards determined by the
role assigned to the host. This configuration management software also helps to
regularly update packages that are already installed on the host. Only approved
personnel enabled through the permissions service may log in to the central
configuration management servers.

AWS Account Security Features

AWS provides a variety of tools and features that you can use to keep your AWS Account
and resources safe from unauthorized use. This includes credentials for access control,
HTTPS endpoints for encrypted data transmission, the creation of separate IAM user
accounts, user activity logging for security monitoring, and Trusted Advisor security
checks. You can take advantage of all of these security tools no matter which AWS
Page 13 of 45
Amazon Web Services – Overview of Security Processes June 2016

services you select.

AWS Credentials
To help ensure that only authorized users and processes access your AWS Account and
resources, AWS uses several types of credentials for authentication. These include
passwords, cryptographic keys, digital signatures, and certificates. We also provide the
option of requiring multi-factor authentication (MFA) to log into your AWS Account or
IAM user accounts. The following table highlights the various AWS credentials and their
uses:

Credential Type Use Description

Passwords AWS root account or A string of characters used to log into

IAM user account login your AWS account or IAM account.
to the AWS AWS passwords must be a minimum of
Management Console 6 characters and may be up to 128
characters.

Multi-Factor AWS root account or A six-digit single-use code that is required

Authentication IAM user account login in addition to your password to log in to
(MFA) to the AWS your AWS Account or IAM user account.
Management Console

Access Keys Digitally signed requests Includes an access key ID and a secret
to AWS APIs (using the access key. You use access keys to
AWS SDK, CLI, or digitally sign programmatic requests
REST/Query APIs) that you make to AWS.

Key Pairs • SSH login to EC2 To log in to your instance, you must
instances create a key pair, specify the name of the
• CloudFront signed URLs key pair when you launch the instance,
and provide the private key when you
• Windows instances connect to the instance. Linux instances
have no password, and you use a key pair
to log in using SSH. With Windows
instances, you use a key pair to obtain the
administrator password and then log in
using RDP.

Page 14 of 45
Amazon Web Services – Overview of Security Processes June 2016

X.509 Certificates • Digitally signed X.509 certificates are only used to sign
SOAP requests SOAP-based requests (currently used
to AWS APIs only with Amazon S3). You can have
• SSL server AWS create an X.509 certificate and
certificates for private key that you can download, or
HTTPS you can upload your own certificate by
using the Credential Report.

You can download a Credential Report for your account at any time from the
Security Credentials page. This report lists all of your account’s users and the
status of their credentials - whether they use a password, whether their password
expires and must be changed regularly, the last time they changed their
password, the last time they rotated their access keys, and whether they have
MFA enabled.

For security reasons, if your credentials have been lost or forgotten, you cannot
recover them or re-download them. However, you can create new credentials
and then disable or delete the old set of credentials.

In fact, AWS recommends that you change (rotate) your access keys and
certificates on a regular basis. To help you do this without potential impact to
your application’s availability, AWS supports multiple concurrent access keys
and certificates. With this feature, you can rotate keys and certificates into and
out of operation on a regular basis without any downtime to your application.
This can help to mitigate risk from lost or compromised access keys or
certificates. The AWS IAM API enables you to rotate the access keys of your AWS
Account as well as for IAM user accounts.

Passwords
Passwords are required to access your AWS Account, individual IAM user
accounts, AWS Discussion Forums, and the AWS Support Center. You specify
the password when you first create the account, and you can change it at any
time by going to the Security Credentials page. AWS passwords can be up to 128
characters long and contain special characters, so we encourage you to create a
strong password that cannot be easily guessed.

You can set a password policy for your IAM user accounts to ensure that strong
passwords are used and that they are changed often. A password policy is a set of
rules that define the type of password an IAM user can set. For more information
about password policies, go to Managing Passwords in Using IAM.

AWS Multi-Factor Authentication (AWS MFA)

Page 15 of 45
Amazon Web Services – Overview of Security Processes June 2016

AWS Multi-Factor Authentication (AWS MFA) is an additional layer of security

for accessing AWS services. When you enable this optional feature, you will need
to provide a six-digit single-use code in addition to your standard user name and
password credentials before access is granted to your AWS Account settings or
AWS services and resources. You get this single-use code from an authentication
device that you keep in your physical possession. This is called multi-factor
authentication because more than one authentication factor is checked before
access is granted: a password (something you know) and the precise code from
your authentication device (something you have). You can enable MFA devices
for your AWS Account as well as for the users you have created under your AWS
Account with AWS IAM. In addition, you add MFA protection for access across
AWS Accounts, for when you want to allow a user you’ve created under one AWS
Account to use an IAM role to access resources under another AWS Account.
You can require the user to use MFA before assuming the role as an additional
layer of security.

AWS MFA supports the use of both hardware tokens and virtual MFA devices.
Virtual MFA devices use the same protocols as the physical MFA devices, but can
run on any mobile hardware device, including a smartphone. A virtual MFA
device uses a software application that generates six-digit authentication codes
that are compatible with the Time- Based One-Time Password (TOTP) standard,
as described in RFC 6238. Most virtual MFA applications allow you to host more
than one virtual MFA device, which makes them more convenient than hardware
MFA devices. However, you should be aware that because a virtual MFA might
be run on a less secure device such as a smartphone, a virtual MFA might not
provide the same level of security as a hardware MFA device.

You can also enforce MFA authentication for AWS service APIs in order to
provide an extra layer of protection over powerful or privileged actions such as
terminating Amazon EC2 instances or reading sensitive data stored in Amazon
S3. You do this by adding an MFA-authentication requirement to an IAM access
policy. You can attach these access policies to IAM users, IAM groups, or
resources that support Access Control Lists (ACLs) like Amazon S3 buckets, SQS
queues, and SNS topics.

It is easy to obtain hardware tokens from a participating third-party provider or

virtual MFA applications from an AppStore and to set it up for use via the AWS
website. More information about AWS MFA is available on the AWS website.

Access Keys
AWS requires that all API requests be signed—that is, they must include a digital
signature that AWS can use to verify the identity of the requestor. You calculate
the digital signature using a cryptographic hash function. The input to the hash
function in this case includes the text of your request and your secret access key.
If you use any of the AWS SDKs to generate requests, the digital signature
Page 16 of 45
Amazon Web Services – Overview of Security Processes June 2016

calculation is done for you; otherwise, you can have your application calculate it
and include it in your REST or Query requests by following the directions in our
documentation.

Not only does the signing process help protect message integrity by preventing
tampering with the request while it is in transit, it also helps protect against
potential replay attacks. A request must reach AWS within 15 minutes of the
time stamp in the request. Otherwise, AWS denies the request.

The most recent version of the digital signature calculation process is Signature
Version 4, which calculates the signature using the HMAC-SHA256 protocol.
Version 4 provides an additional measure of protection over previous versions by
requiring that you sign the message using a key that is derived from your secret
access key rather than using the secret access key itself. In addition, you derive
the signing key based on credential scope, which facilitates cryptographic
isolation of the signing key.

Because access keys can be misused if they fall into the wrong hands, we
encourage you to save them in a safe place and not embed them in your code.
For customers with large fleets of elastically scaling EC2 instances, the use of
IAM roles can be a more secure and convenient way to manage the distribution
of access keys. IAM roles provide temporary credentials, which not only get
automatically loaded to the target instance, but are also automatically rotated
multiple times a day.

Key Pairs
Amazon EC2 uses public–key cryptography to encrypt and decrypt login
information. Public–key cryptography uses a public key to encrypt a piece of
data, such as a password, then the recipient uses the private key to decrypt the
data. The public and private keys are known as a key pair.

To log in to your instance, you must create a key pair, specify the name of the key
pair when you launch the instance, and provide the private key when you connect
to the instance. Linux instances have no password, and you use a key pair to log in
using SSH. With Windows instances, you use a key pair to obtain the administrator
password and then log in using RDP.

Creating a Key Pair

You can use Amazon EC2 to create your key pair. For more information, see
Creating Your Key Pair Using Amazon EC2.

Alternatively, you could use a third-party tool and then import the public key to
Amazon EC2. For more information, see Importing Your Own Key Pair to Amazon
EC2. Each key pair requires a name. Be sure to choose a name that is easy to

Page 17 of 45
Amazon Web Services – Overview of Security Processes June 2016

remember. Amazon EC2 associates the public key with the name that you specify as
the key name.

Amazon EC2 stores the public key only, and you store the private key. Anyone who
possesses your private key can decrypt your login information, so it's important
that you store your private keys in a secure place. The keys that Amazon EC2 uses
are 2048-bit SSH-2 RSA keys. You can have up to five thousand key pairs per
region.

X.509 Certificates
X.509 certificates are used to sign SOAP-based requests. X.509 certificates
contain a public key and additional metadata (like an expiration date that AWS
verifies when you upload the certificate), and is associated with a private key.
When you create a request, you create a digital signature with your private key
and then include that signature in the request, along with your certificate. AWS
verifies that you're the sender by decrypting the signature with the public key
that is in your certificate. AWS also verifies that the certificate you sent matches
the certificate that you uploaded to AWS.

For your AWS Account, you can have AWS create an X.509 certificate and
private key that you can download, or you can upload your own certificate by
using the Security Credentials page. For IAM users, you must create the X.509
certificate (signing certificate) by using third-party software. In contrast with
root account credentials, AWS cannot create an X.509 certificate for IAM users.
After you create the certificate, you attach it to an IAM user by using IAM.

In addition to SOAP requests, X.509 certificates are used as SSL/TLS server

certificates for customers who want to use HTTPS to encrypt their
transmissions. To use them for HTTPS, you can use an open-source tool like
OpenSSL to create a unique private key. You’ll need the private key to create the
Certificate Signing Request (CSR) that you submit to a certificate authority (CA)
to obtain the server certificate. You’ll then use the AWS CLI to upload the
certificate, private key, and certificate chain to IAM.

You’ll also need an X.509 certificate to create a customized Linux AMI for EC2
instances. The certificate is only required to create an instance-backed AMI (as
opposed to an EBS-backed AMI). You can have AWS create an X.509 certificate
and private key that you can download, or you can upload your own certificate by
using the Security Credentials page.

Individual User Accounts

AWS provides a centralized mechanism called AWS Identity and Access
Management (IAM) for creating and managing individual users within your
AWS Account. A user can be any individual, system, or application that interacts
with AWS resources, either programmatically or through the AWS Management
Page 18 of 45
Amazon Web Services – Overview of Security Processes June 2016

Console or AWS Command Line Interface (CLI). Each user has a unique name
within the AWS Account, and a unique set of security credentials not shared with
other users. AWS IAM eliminates the need to share passwords or keys, and
enables you to minimize the use of your AWS Account credentials.

With IAM, you define policies that control which AWS services your users can
access and what they can do with them. You can grant users only the minimum
permissions they need to perform their jobs. See the AWS Identity and Access
Management (AWS IAM) section below for more information.

Secure HTTPS Access Points

For greater communication security when accessing AWS resources, you should
use HTTPS instead of HTTP for data transmissions. HTTPS uses the SSL/TLS
protocol, which uses public-key cryptography to prevent eavesdropping,
tampering, and forgery. All AWS services provide secure customer access points
(also called API endpoints) that allow you to establish secure HTTPS
communication sessions.

Several services also now offer more advanced cipher suites that use the Elliptic
Curve Diffie-Hellman Ephemeral (ECDHE) protocol. ECDHE allows SSL/TLS
clients to provide Perfect Forward Secrecy, which uses session keys that are
ephemeral and not stored anywhere. This helps prevent the decoding of captured
data by unauthorized third parties, even if the secret long-term key itself is
compromised.

Security Logs
As important as credentials and encrypted endpoints are for preventing security
problems, logs are just as crucial for understanding events after a problem has
occurred. And to be effective as a security tool, a log must include not just a list
of what happened and when, but also identify the source. To help you with your
after-the-fact investigations and near-realtime intrusion detection, AWS
CloudTrail provides a log of requests for AWS resources within your account for
supported services. For each event, you can see what service was accessed, what
action was performed, and who made the request. CloudTrail captures
information about every API call to every supported AWS resource, including
sign-in events.

Once you have enabled CloudTrail, event logs are delivered every 5 minutes.
You can configure CloudTrail so that it aggregates log files from multiple
regions into a single Amazon S3 bucket. From there, you can then upload them
to your favorite log management and analysis solutions to perform security
analysis and detect user behavior patterns. By default, log files are stored
securely in Amazon S3, but you can also archive them to Amazon Glacier to help
meet audit and compliance requirements.

Page 19 of 45
Amazon Web Services – Overview of Security Processes June 2016

In addition to CloudTrail’s user activity logs, you can use the Amazon
CloudWatch Logs feature to collect and monitor system, application, and
custom log files from your EC2 instances and other sources in near-real time.
For example, you can monitor your web server's log files for invalid user
messages to detect unauthorized login attempts to your guest OS.

AWS Trusted Advisor Security Checks

The AWS Trusted Advisor customer support service not only monitors for cloud
performance and resiliency, but also cloud security. Trusted Advisor inspects
your AWS environment and makes recommendations when opportunities may
exist to save money, improve system performance, or close security gaps. It
provides alerts on several of the most common security misconfigurations that
can occur, including leaving certain ports open that make you vulnerable to
hacking and unauthorized access, neglecting to create IAM accounts for your
internal users, allowing public access to Amazon S3 buckets, not turning on user
activity logging (AWS CloudTrail), or not using MFA on your root AWS
Account. You also have the option for a Security contact at your organization to
automatically receive a weekly email with an updated status of your Trusted
Advisor security checks. The AWS Trusted Advisor service provides four checks
at no additional charge to all users, including three important security checks:
specific ports unrestricted, IAM use, and MFA on root account. And when you
sign up for Business- or Enterprise-level AWS Support, you receive full access to
all Trusted Advisor checks.

Networking Services
Amazon Web Services provides a range of networking services that enable you to create a
logically isolated network that you define, establish a private network connection to the
AWS cloud, use a highly available and scalable DNS service and deliver content to your
end users with low latency at high data transfer speeds with a content delivery web
service.

Amazon Elastic Load Balancing Security

Amazon Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2
instances, distributing traffic to instances across all availability zones within a region.
Elastic Load Balancing has all the advantages of an on-premises load balancer, plus
several security benefits:

• Takes over the encryption and decryption work from the Amazon EC2 instances
and manages it centrally on the load balancer
• Offers clients a single point of contact, and can also serve as the first line of
defense against attacks on your network
• When used in an Amazon VPC, supports creation and management of security
groups associated with your Elastic Load Balancing to provide additional
networking and security options
Page 20 of 45
Amazon Web Services – Overview of Security Processes June 2016

• Supports end-to-end traffic encryption using TLS (previously SSL) on those

networks that use secure HTTP (HTTPS) connections. When TLS is used, the TLS
server certificate used to terminate client connections can be managed centrally
on the load balancer, rather than on every individual instance.

HTTPS/TLS uses a long-term secret key to generate a short-term session key to be

used between the server and the browser to create the ciphered (encrypted)
message. Amazon Elastic Load Balancing configures your load balancer with a pre-
defined cipher set that is used for TLS negotiation when a connection is established
between a client and your load balancer. The pre-defined cipher set provides
compatibility with a broad range of clients and uses strong cryptographic
algorithms. However, some customers may have requirements for allowing only
specific ciphers and protocols (such as PCI, SOX, etc.) from clients to ensure that
standards are met. In these cases, Amazon Elastic Load Balancing provides options
for selecting different configurations for TLS protocols and ciphers. You can choose
to enable or disable the ciphers depending on your specific requirements.

To help ensure the use of newer and stronger cipher suites when establishing a
secure connection, you can configure the load balancer to have the final say in the
cipher suite selection during the client-server negotiation. When the Server Order
Preference option is selected, the load balancer will select a cipher suite based on
the server’s prioritization of cipher suites rather than the client’s. This gives you
more control over the level of security that clients use to connect to your load
balancer.

For even greater communication privacy, Amazon Elastic Load Balancer allows the
use of Perfect Forward Secrecy, which uses session keys that are ephemeral and not
stored anywhere. This prevents the decoding of captured data, even if the secret
long-term key itself is compromised.

Amazon Elastic Load Balancing allows you to identify the originating IP address of a
client connecting to your servers, whether you’re using HTTPS or TCP load
balancing. Typically, client connection information, such as IP address and port, is
lost when requests are proxied through a load balancer. This is because the load
balancer sends requests to the server on behalf of the client, making your load
balancer appear as though it is the requesting client. Having the originating client
IP address is useful if you need more information about visitors to your applications
in order to gather connection statistics, analyze traffic logs, or manage whitelists of
IP addresses.

Amazon Elastic Load Balancing access logs contain information about each HTTP
and TCP request processed by your load balancer. This includes the IP address and
port of the requesting client, the backend IP address of the instance that processed

Page 21 of 45
Amazon Web Services – Overview of Security Processes June 2016

the request, the size of the request and response, and the actual request line from
the client (for example, GET http://www.example.com: 80/HTTP/1.1). All requests
sent to the load balancer are logged, including requests that never made it to back-
end instances.

Amazon Virtual Private Cloud (Amazon VPC)

Security
Normally, each Amazon EC2 instance you launch is randomly assigned a public IP
address in the Amazon EC2 address space. Amazon VPC enables you to create an
isolated portion of the AWS cloud and launch Amazon EC2 instances that have
private (RFC 1918) addresses in the range of your choice (e.g., 10.0.0.0/16). You can
define subnets within your VPC, grouping similar kinds of instances based on IP
address range, and then set up routing and security to control the flow of traffic in
and out of the instances and subnets.

AWS offers a variety of VPC architecture templates with configurations that provide
varying levels of public access:

• VPC with a single public subnet only. Your instances run in a private,
isolated section of the AWS cloud with direct access to the Internet. Network
ACLs and security groups can be used to provide strict control over inbound and
outbound network traffic to your instances.
• VPC with public and private subnets. In addition to containing a public
subnet, this configuration adds a private subnet whose instances are not
addressable from the Internet. Instances in the private subnet can establish
outbound connections to the Internet via the public subnet using Network
Address Translation (NAT).
• VPC with public and private subnets and hardware VPN access. This
configuration adds an IPsec VPN connection between your Amazon VPC and
your data center, effectively extending your data center to the cloud while also
providing direct access to the Internet for public subnet instances in your
Amazon VPC. In this configuration, customers add a VPN appliance on their
corporate data center side.
• VPC with private subnet only and hardware VPN access. Your instances
run in a private, isolated section of the AWS cloud with a private subnet whose
instances are not addressable from the Internet. You can connect this private
subnet to your corporate data center via an IPsec VPN tunnel.

You can also connect two VPCs using a private IP address, which allows instances in
the two VPCs to communicate with each other as if they are within the same network.
You can create a VPC peering connection between your own VPCs, or with a VPC in
another AWS account within a single region.

Security features within Amazon VPC include security groups, network ACLs, routing
tables, and external gateways. Each of these items is complementary to providing a
Page 22 of 45
Amazon Web Services – Overview of Security Processes June 2016

secure, isolated network that can be extended through selective enabling of direct
Internet access or private connectivity to another network. Amazon EC2 instances
running within an Amazon VPC inherit all of the benefits described below related
to the guest OS and protection against packet sniffing.
Note, however, that you must create VPC security groups specifically for your Amazon
VPC; any Amazon EC2 security groups you have created will not work inside your
Amazon VPC. Also, Amazon VPC security groups have additional capabilities that
Amazon EC2 security groups do not have, such as being able to change the security
group after the instance is launched and being able to specify any protocol with a
standard protocol number (as opposed to just TCP, UDP, or ICMP).

Each Amazon VPC is a distinct, isolated network within the cloud; network traffic
within each Amazon VPC is isolated from all other Amazon VPCs. At creation time,
you select an IP address range for each Amazon VPC. You may create and attach an
Internet gateway, virtual private gateway, or both to establish external connectivity,
subject to the controls below.

API Access: Calls to create and delete Amazon VPCs, change routing, security group,
and network ACL parameters, and perform other functions are all signed by your
Amazon Secret Access Key, which could be either the AWS Account’s Secret Access
Key or the Secret Access key of a user created with AWS IAM. Without access to your
Secret Access Key, Amazon VPC API calls cannot be made on your behalf. In addition,
API calls can be encrypted with SSL to maintain confidentiality. Amazon
recommends always using SSL-protected API endpoints. AWS IAM also enables a
customer to further control what APIs a newly created user has permissions to call.

Subnets and Route Tables: You create one or more subnets within each Amazon
VPC; each instance launched in the Amazon VPC is connected to one subnet.
Traditional Layer 2 security attacks, including MAC spoofing and ARP spoofing, are
blocked.

Each subnet in an Amazon VPC is associated with a routing table, and all network
traffic leaving the subnet is processed by the routing table to determine the
destination.

Firewall (Security Groups): Like Amazon EC2, Amazon VPC supports a complete
firewall solution enabling filtering on both ingress and egress traffic from an
instance. The default group enables inbound communication from other members
of the same group and outbound communication to any destination. Traffic can be
restricted by any IP protocol, by service port, as well as source/destination IP
address (individual IP or Classless Inter-Domain Routing (CIDR) block).

The firewall isn’t controlled through the guest OS; rather, it can be modified only
through the invocation of Amazon VPC APIs. AWS supports the ability to grant
granular access to different administrative functions on the instances and the
firewall, therefore enabling you to implement additional security through separation

Page 23 of 45
Amazon Web Services – Overview of Security Processes June 2016

of duties. The level of security afforded by the firewall is a function of which ports
you open, and for what duration and purpose. Well-informed traffic management
and security design are still required on a per-instance basis. AWS further
encourages you to apply additional per-instance filters with host-based firewalls
such as IPtables or the Windows Firewall.

Figure 5: Amazon VPC Network Architecture

Network Access Control Lists: To add a further layer of security within Amazon
VPC, you can configure network ACLs. These are stateless traffic filters that apply to
all traffic inbound or outbound from a subnet within Amazon VPC. These ACLs can
contain ordered rules to allow or deny traffic based upon IP protocol, by service port,
as well as source/destination IP address.

Like security groups, network ACLs are managed through Amazon VPC APIs, adding
an additional layer of protection and enabling additional security through separation
of duties. The diagram below depicts how the security controls above inter-relate to
enable flexible network topologies while providing complete control over network
traffic flows.

Page 24 of 45
Amazon Web Services – Overview of Security Processes June 2016

Figure 6: Flexible Network Topologies

Virtual Private Gateway: A virtual private gateway enables private connectivity

between the Amazon VPC and another network. Network traffic within each virtual
private gateway is isolated from network traffic within all other virtual private
gateways. You can establish VPN connections to the virtual private gateway from
gateway devices at your premises. Each connection is secured by a pre-shared key
in conjunction with the IP address of the customer gateway device.

Internet Gateway: An Internet gateway may be attached to an Amazon VPC to

enable direct connectivity to Amazon S3, other AWS services, and the Internet. Each
instance desiring this access must either have an Elastic IP associated with it or
route traffic through a NAT instance. Additionally, network routes are configured
(see above) to direct traffic to the Internet gateway. AWS provides reference NAT
AMIs that you can extend to perform network logging, deep packet inspection,
application-layer filtering, or other security controls.

This access can only be modified through the invocation of Amazon VPC APIs. AWS
supports the ability to grant granular access to different administrative functions on
the instances and the Internet gateway, therefore enabling you to implement
additional security through separation of duties.

Page 25 of 45
Amazon Web Services – Overview of Security Processes June 2016

Dedicated Instances: Within a VPC, you can launch Amazon EC2 instances that are
physically isolated at the host hardware level (i.e., they will run on single-tenant
hardware). An Amazon VPC can be created with ‘dedicated’ tenancy, so that all
instances launched into the Amazon VPC will utilize this feature. Alternatively, an
Amazon VPC may be created with ‘default’ tenancy, but you can specify dedicated
tenancy for particular instances launched into it.

Elastic Network Interfaces: Each Amazon EC2 instance has a default network
interface that is assigned a private IP address on your Amazon VPC network. You
can create and attach an additional network interface, known as an elastic network
interface (ENI), to any Amazon EC2 instance in your Amazon VPC for a total of two
network interfaces per instance. Attaching more than one network interface to an
instance is useful when you want to create a management network, use network
and security appliances in your Amazon VPC, or create dual-homed instances with
workloads/roles on distinct subnets. An ENI's attributes, including the private IP
address, elastic IP addresses, and MAC address, will follow the ENI as it is
attached or detached from an instance and reattached to another instance. More
information about Amazon VPC is available on the AWS website:
http://aws.amazon.com/vpc/

Additional Network Access Control with EC2-VPC

If you launch instances in a region where you did not have instances before AWS
launched the new EC2-VPC feature (also called Default VPC), all instances are
automatically provisioned in a ready-to-use default VPC. You can choose to create
additional VPCs, or you can create VPCs for instances in regions where you already
had instances before we launched EC2-VPC.

If you create a VPC later, using regular VPC, you specify a CIDR block, create subnets,
enter the routing and security for those subnets, and provision an Internet gateway
or NAT instance if you want one of your subnets to be able to reach the Internet.
When you launch EC2 instances into an EC2-VPC, most of this work is automatically
performed for you. When you launch an instance into a default VPC using EC2-VPC,
we do the following to set it up for you:

• Create a default subnet in each Availability Zone

• Create an Internet gateway and connect it to your default VPC
• Create a main route table for your default VPC with a rule that sends all traffic
destined for the Internet to the Internet gateway
• Create a default security group and associate it with your default VPC
• Create a default network access control list (ACL) and associate it with your
default VPC
• Associate the default DHCP options set for your AWS account with your default
VPC

In addition to the default VPC having its own private IP range, EC2 instances
launched in a default VPC can also receive a public IP.
Page 26 of 45
Amazon Web Services – Overview of Security Processes June 2016

The following table summarizes the differences between instances launched into
EC2-Classic, instances launched into a default VPC, and instances launched into a
non-default VPC.

Characteristic EC2-Classic EC2-VPC (Default VPC) Regular VPC

Public IP address Your instance receives a Your instance launched in a Your instance doesn't
public IP address. default subnet receives a receive a public IP address
public IP address by default, by default, unless you
unless you specify otherwise specify otherwise during
during launch. launch.

Private IP address Your instance receives a Your instance receives a static Your instance receives a
private IP address from the private IP address from the static private IP address
EC2-Classic range each time address range of your default from the address range of
it's started. VPC. your VPC.

Multiple private IP We select a single IP address You can assign multiple You can assign multiple
addresses for your instance. Multiple IP private IP addresses to your private IP addresses to
addresses are not supported. instance. your instance.

Elastic IP address An EIP is disassociated from An EIP remains associated An EIP remains
your instance when you with your instance when associated with your
stop it. you stop it. instance when you stop
it.

DNS DNS hostnames are DNS hostnames are DNS hostnames are
hostnames enabled by default. enabled by default. disabled by default.

Security group A security group can A security group can A security group can
reference security groups reference security groups reference security groups
that belong to other AWS for your VPC only. for your VPC only.
accounts.

Security group You must terminate your You can change the security You can change the
association instance to change its group of your running security group of your
security group. instance. running instance.

Security group rules You can add rules for You can add rules for You can add rules for
inbound traffic only. inbound and outbound inbound and outbound
traffic. traffic.

Page 27 of 45
Amazon Web Services – Overview of Security Processes June 2016

Tenancy Your instance runs on You can run your instance You can run your instance
shared hardware; you on shared hardware or on shared hardware or
cannot run an instance single-tenant hardware. single-tenant hardware.
on single-tenant
hardware.

Note that security groups for instances in EC2-Classic are slightly different than
security groups for instances in EC2-VPC. For example, you can add rules for
inbound traffic for EC2-Classic, but you can add rules for both inbound and
outbound traffic to EC2-VPC. In EC2-Classic, you can’t change the security groups
assigned to an instance after it’s launched, but in EC2-VPC, you can change security
groups assigned to an instance after it’s launched. In addition, you can't use the
security groups that you've created for use with EC2-Classic with instances in your
VPC. You must create security groups specifically for use with instances in your VPC.
The rules you create for use with a security group for a VPC can't reference a security
group for EC2-Classic, and vice versa.

Amazon Route 53 Security

Amazon Route 53 is a highly available and scalable Domain Name System (DNS)
service that answers DNS queries, translating domain names into IP addresses so
computers can communicate with each other. Route 53 can be used to connect user
requests to infrastructure running in AWS – such as an Amazon EC2 instance or an
Amazon S3 bucket – or to infrastructure outside of AWS.

Amazon Route 53 lets you manage the IP addresses (records) listed for your domain
names and it answers requests (queries) to translate specific domain names into
their corresponding IP addresses. Queries for your domain are automatically routed
to a nearby DNS server using anycast in order to provide the lowest latency possible.
Route 53

makes it possible for you to manage traffic globally through a variety of routing
types, including Latency Based Routing (LBR), Geo DNS, and Weighted Round-
Robin (WRR) —all of which can be combined with DNS Failover in order to help
create a variety of low-latency, fault-tolerant architectures. The failover algorithms
implemented by Amazon Route 53 are designed not only to route traffic to endpoints
that are healthy, but also to help avoid making disaster scenarios worse due to
misconfigured health checks and applications, endpoint overloads, and partition
failures.

Route 53 also offers Domain Name Registration – you can purchase and manage
domain names such as example.com and Route 53 will automatically configure
default DNS settings for your domains. You can buy, manage, and transfer (both in
and out) domains from a wide selection of generic and country-specific top-level
domains (TLDs). During the registration process, you have the option to enable
privacy protection for your domain. This option will hide most of your personal
Page 28 of 45
Amazon Web Services – Overview of Security Processes June 2016

information from the public Whois database in order to help thwart scraping and
spamming.

Amazon Route 53 is built using AWS’ highly available and reliable infrastructure.
The distributed nature of the AWS DNS servers helps ensure a consistent ability to
route your end users to your application. Route 53 also helps ensure the availability
of your website by providing health checks and DNS failover capabilities. You can
easily configure Route 53 to check the health of your website on a regular basis (even
secure web sites that are available only over SSL), and to switch to a backup site if
the primary one is unresponsive.

Like all AWS Services, Amazon Route 53 requires that every request made to its
control API be authenticated so only authenticated users can access and manage
Route 53. API requests are signed with an HMAC-SHA1 or HMAC-SHA256
signature calculated from the request and the user’s AWS Secret Access key.
Additionally, the Amazon Route 53 control API is only accessible via SSL-encrypted
endpoints. It supports both IPv4 and IPv6 routing.

You can control access to Amazon Route 53 DNS management functions by creating
users under your AWS Account using AWS IAM, and controlling which Route 53
operations these users have permission to perform.

Amazon CloudFront Security

Amazon CloudFront gives customers an easy way to distribute content to end users
with low latency and high data transfer speeds. It delivers dynamic, static, and
streaming content using a global network of edge locations. Requests for customers’
objects are automatically routed to the nearest edge location, so content is delivered
with the best possible performance. Amazon CloudFront is optimized to work with
other AWS services, like Amazon S3, Amazon EC2, Elastic Load Balancing, and
Amazon Route 53. It also works seamlessly with any non-AWS origin server that
stores the original, definitive versions of your files.

Amazon CloudFront requires every request made to its control API be authenticated
so only authorized users can create, modify, or delete their own Amazon CloudFront
distributions. Requests are signed with an HMAC-SHA1 signature calculated from
the request and the user’s private key. Additionally, the Amazon CloudFront control
API is only accessible via SSL-enabled endpoints.

There is no guarantee of durability of data held in Amazon CloudFront edge

locations. The service may from time to time remove objects from edge locations if
those objects are not requested frequently. Durability is provided by Amazon S3,
which works as the origin server for Amazon CloudFront holding the original,
definitive copies of objects delivered by Amazon CloudFront.
If you want control over who is able to download content from Amazon CloudFront,
you can enable the service’s private content feature. This feature has two
Page 29 of 45
Amazon Web Services – Overview of Security Processes June 2016

components: the first controls how content is delivered from the Amazon
CloudFront edge location to viewers on the Internet. The second controls how the
Amazon CloudFront edge locations access objects in Amazon S3. CloudFront also
supports Geo Restriction, which restricts access to your content based on the
geographic location of your viewers.

To control access to the original copies of your objects in Amazon S3, Amazon
CloudFront allows you to create one or more “Origin Access Identities” and
associate these with your distributions. When an Origin Access Identity is
associated with an Amazon CloudFront distribution, the distribution will use that
identity to retrieve objects from Amazon S3. You can then use Amazon S3’s ACL
feature, which limits access to that Origin Access Identity so the original copy of
the object is not publicly readable.

To control who is able to download objects from Amazon CloudFront edge

locations, the service uses a signed-URL verification system. To use this system,
you first create a public-private key pair, and upload the public key to your
account via the AWS Management Console. Second, you configure your Amazon
CloudFront distribution to indicate which accounts you would authorize to sign
requests – you can indicate up to five AWS Accounts you trust to sign requests.
Third, as you receive requests you will create policy documents indicating the
conditions under which you want Amazon CloudFront to serve your content.
These policy documents can specify the name of the object that is requested, the
date and time of the request, and the source IP (or CIDR range) of the client
making the request. You then calculate the SHA1 hash of your policy document
and sign this using your private key. Finally, you include both the encoded policy
document and the signature as query string parameters when you reference your
objects. When Amazon CloudFront receives a request, it will decode the signature
using your public key. Amazon CloudFront will only serve requests that have a
valid policy document and matching signature.

Note that private content is an optional feature that must be enabled when you set
up your CloudFront distribution. Content delivered without this feature enabled
will be publicly readable.

Amazon CloudFront provides the option to transfer content over an encrypted

connection (HTTPS). By default, CloudFront will accept requests over both HTTP
and HTTPS protocols. However, you can also configure CloudFront to require
HTTPS for all requests or have CloudFront redirect HTTP requests to HTTPS. You
can even configure CloudFront distributions to allow HTTP for some objects but
require HTTPS for other objects.

Page 30 of 45
Amazon Web Services – Overview of Security Processes June 2016

Figure 7: Amazon CloudFront Encrypted Transmission

You can configure one or more CloudFront origins to require CloudFront fetch
objects from your origin using the protocol that the viewer used to request the
objects. For example, when you use this CloudFront setting and the viewer uses
HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to
forward the request to your origin.

Amazon CloudFront supports the TLSv1.1 and TLSv1.2 protocols for HTTPS
connections between CloudFront and your custom origin webserver (along with
SSLv3 and TLSv1.0) and a selection of cipher suites that includes the Elliptic Curve
Diffie-Hellman Ephemeral (ECDHE) protocol on connections to both viewers and
the origin. ECDHE allows SSL/TLS clients to provide Perfect Forward Secrecy,
which uses session keys that are ephemeral and not stored anywhere. This helps
prevent the decoding of captured data by unauthorized third parties, even if the
secret long-term key itself is compromised.

Note that if you're using your own server as your origin, and you want to use HTTPS
both between viewers and CloudFront and between CloudFront and your origin,
you must install a valid SSL certificate on the HTTP server that is signed by a third-
party certificate authority, for example, VeriSign or DigiCert.

By default, you can deliver content to viewers over HTTPS by using your
CloudFront distribution domain name in your URLs; for example,
https://dxxxxx.cloudfront.net/image.jpg. If you want to deliver your content over
HTTPS using your own domain name and your own SSL certificate, you can use SNI
Custom SSL or Dedicated IP Custom SSL. With Server Name Identification (SNI)
Custom SSL, CloudFront relies on the SNI extension of the TLS protocol, which is
supported by most modern web browsers. However, some users may not be able to
access your content because some older browsers do not support SNI. With
Dedicated IP Custom SSL, CloudFront dedicates IP addresses to your SSL certificate
at each CloudFront edge location so that CloudFront can associate the incoming
requests with the proper SSL certificate.

Amazon CloudFront access logs contain a comprehensive set of information about

requests for content, including the object requested, the date and time of the request,
Page 31 of 45
Amazon Web Services – Overview of Security Processes June 2016

the edge location serving the request, the client IP address, the referrer, and the user
agent. To enable access logs, just specify the name of the Amazon S3 bucket to store the
logs in when you configure your Amazon CloudFront distribution.

AWS Direct Connect Security

With AWS Direct Connect, you can provision a direct link between your internal network
and an AWS region using a high-throughput, dedicated connection. Doing this may help
reduce your network costs, improve throughput, or provide a more consistent network
experience. With this dedicated connection in place, you can then create virtual interfaces
directly to the AWS cloud (for example, to Amazon EC2 and Amazon S3).

With AWS Direct Connect, you bypass Internet service providers in your network path.
You can procure rack space within the facility housing the AWS Direct Connect location
and deploy your equipment nearby. Once deployed, you can connect this equipment to
AWS Direct Connect using a cross-connect. Each AWS Direct Connect location enables
connectivity to the geographically nearest AWS region. You can access all AWS services
available in that region. AWS Direct Connect locations in the US can also access the
public endpoints of the other AWS regions using a public virtual interface.

Using industry standard 802.1q VLANs, the dedicated connection can be partitioned
into multiple virtual interfaces. This allows you to use the same connection to access
public resources such as objects stored in Amazon S3 using public IP address space,
and private resources such as Amazon EC2 instances running within an Amazon VPC
using private IP space, while maintaining network separation between the public and
private environments.

AWS Direct Connect requires the use of the Border Gateway Protocol (BGP) with an
Autonomous System Number (ASN). To create a virtual interface, you use an MD5
cryptographic key for message authorization. MD5 creates a keyed hash using your
secret key. You can have AWS automatically generate a BGP MD5 key or you can
provide your own.

Further Reading
https://aws.amazon.com/security/security-resources/

Introduction to AWS Security Processes

Overview of AWS Security - Storage Services
Overview of AWS Security - Database Services
Overview of AWS Security - Compute Services
Overview of AWS Security - Application Services
Overview of AWS Security - Analytics, Mobile and Application Services
Overview of AWS Security – Network Services

Page 32 of 45
Amazon Web Services – Overview of Security Processes June 2016

Appendix – Glossary of Terms

Access Key ID: A string that AWS distributes in order to uniquely identify each AWS
user; it is an alphanumeric token associated with your Secret Access Key.

Access control list (ACL): A list of permissions or rules for accessing an object or
network resource. In Amazon EC2, security groups act as ACLs at the instance level,
controlling which users have permission to access specific instances. In Amazon S3, you
can use ACLs to give read or write access on buckets or objects to groups of users. In
Amazon VPC, ACLs act like network firewalls and control access at the subnet level.

AMI: An Amazon Machine Image (AMI) is an encrypted machine image stored in

Amazon S3. It contains all the information necessary to boot instances of a customer’s
software.

API: Application Programming Interface (API) is an interface in computer science that

defines the ways by which an application program may request services from libraries
and/or operating systems.

Archive: An archive in Amazon Glacier is a file that you want to store and is a base
unit of storage in Amazon Glacier. It can be any data such as a photo, video, or
document. Each archive has a unique ID and an optional description.

Authentication: Authentication is the process of determining whether someone or

something is, in fact, who or what it is declared to be. Not only do users need to be
authenticated, but every program that wants to call the functionality exposed by an
AWS API must be authenticated. AWS requires that you authenticate every request by
digitally signing it using a cryptographic hash function.

Auto Scaling: An AWS service that allows customers to automatically scale their
Amazon EC2 capacity up or down according to conditions they define.

Availability Zone: Amazon EC2 locations are composed of regions and availability
zones. Availability zones are distinct locations that are engineered to be insulated from

Page 33 of 45
Amazon Web Services – Overview of Security Processes June 2016

failures in other availability zones and provide inexpensive, low latency network
connectivity to other availability zones in the same region.

Bastion host: A computer specifically configured to withstand attack, usually placed

on the external/public side of a demilitarized zone (DMZ) or outside the firewall. You
can set up an Amazon EC2 instance as an SSH bastion by setting up a public subnet as
part of an Amazon VPC.

Bucket: A container for objects stored in Amazon S3. Every object is contained
within a bucket. For example, if the object named photos/puppy.jpg is stored in the
johnsmith bucket, then it is addressable using the URL:
http://johnsmith.s3.amazonaws.com/photos/puppy.jpg.

Certificate: A credential that some AWS products use to authenticate AWS

Accounts and users. Also known as an X.509 certificate. The certificate is paired
with a private key.

CIDR Block: Classless Inter-Domain Routing Block of IP addresses.

Client-side encryption: Encrypting data on the client side before uploading it to

Amazon S3.

CloudFormation: An AWS provisioning tool that lets customers record the

baseline configuration of the AWS resources needed to run their applications so that
they can provision and update them in an orderly and predictable fashion.

Cognito: An AWS service that simplifies the task of authenticating users and
storing, managing, and syncing their data across multiple devices, platforms, and
applications. It works with multiple existing identity providers and also supports
unauthenticated guest users.

Credentials: Items that a user or process must have in order to confirm to AWS
services during the authentication process that they are authorized to access the
service. AWS credentials include passwords, secret access keys as well as
X.509 certificates and multi-factor tokens.

Dedicated instance: Amazon EC2 instances that are physically isolated at the
host hardware level (i.e., they will run on single-tenant hardware).

Digital signature: A digital signature is a cryptographic method for

demonstrating the authenticity of a digital message or document. A valid digital
signature gives a recipient reason to believe that the message was created by an
authorized sender, and that it was not altered in transit. Digital signatures are used
Page 34 of 45
Amazon Web Services – Overview of Security Processes June 2016

by customers for signing requests to AWS APIs as part of the authentication

process.

Direct Connect Service: Amazon service that allows you to provision a direct link
between your internal network and an AWS region using a high-throughput,
dedicated connection. With this dedicated connection in place, you can then create
logical connections directly to the AWS cloud (for example, to Amazon EC2 and
Amazon S3) and Amazon VPC, bypassing Internet service providers in the network
path.

DynamoDB Service: A managed NoSQL database service from AWS that

provides fast and predictable performance with seamless scalability.

EBS: Amazon Elastic Block Store (EBS) provides block-level storage volumes for
use with Amazon EC2 instances. Amazon EBS volumes are off-instance storage that
persists independently from the life of an instance.
ElastiCache: An AWS web service that allows you to set up, manage, and scale
distributed in-memory cache environments in the cloud. The service improves the
performance of web applications by allowing you to retrieve information from a fast,
managed, in-memory caching system, instead of relying entirely on slower disk-
based databases.

Elastic Beanstalk: An AWS deployment and management tool that automates the
functions of capacity provisioning, load balancing, and auto scaling for customers’
applications.

Elastic IP Address: A static, public IP address that you can assign to any instance
in an Amazon VPC, thereby making the instance public. Elastic IP addresses also
enable you to mask instance failures by rapidly remapping your public IP addresses
to any instance in the VPC.

Elastic Load Balancing: An AWS service that is used to manage traffic on a fleet
of Amazon EC2 instances, distributing traffic to instances across all availability
zones within a region. Elastic Load Balancing has all the advantages of an on-
premises load balancer, plus several security benefits such as taking over the
encryption/decryption work from EC2 instances and managing it centrally on the
load balancer.

Elastic MapReduce (EMR) Service: An AWS service that utilizes a hosted

Hadoop framework running on the web-scale infrastructure of Amazon EC2 and
Amazon S3. Elastic MapReduce enables customers to easily and cost-effectively
process extremely large quantities of data (“big data”).

Page 35 of 45
Amazon Web Services – Overview of Security Processes June 2016

Elastic Network Interface: Within an Amazon VPC, an Elastic Network

Interface is an optional second network interface that you can attach to an EC2
instance. An Elastic Network Interface can be useful for creating a management
network or using network or security appliances in the Amazon VPC. It can be easily
detached from an instance and reattached to another instance.

Endpoint: A URL that is the entry point for an AWS service. To reduce data
latency in your applications, most AWS services allow you to select a regional
endpoint to make your requests. Some web services allow you to use a general
endpoint that doesn't specify a region; these generic endpoints resolve to the
service's us-east-1 endpoint. You can connect to an AWS endpoint via HTTP or
secure HTTP (HTTPS) using SSL.

Federated users: User, systems, or applications that are not currently authorized
to access your AWS services, but that you want to give temporary access to. This
access is provided using the AWS Security Token Service (STS) APIs.

Firewall: A hardware or software component that controls incoming and/or

outgoing network traffic according to a specific set of rules. Using firewall rules in
Amazon EC2, you specify the protocols, ports, and source IP address ranges that are
allowed to reach your instances. These rules specify which incoming network traffic
should be delivered to your instance (e.g., accept web traffic on port 80). Amazon
VPC supports a complete firewall solution enabling filtering on both ingress and
egress traffic from an instance. The default group enables inbound communication
from other members of the same group and outbound communication to any
destination. Traffic can be restricted by any IP protocol, by service port, as well as
source/destination IP address (individual IP or Classless Inter-Domain Routing
(CIDR) block).

Guest OS: In a virtual machine environment, multiple operating systems can run
on a single piece of hardware. Each one of these instances is considered a guest on
the host hardware and utilizes its own OS.

Hash: A cryptographic hash function is used to calculate a digital signature for

signing requests to AWS APIs. A cryptographic hash is a one-way function that
returns a unique hash value based on the input. The input to the hash function
includes the text of your request and your secret access key. The hash function
returns a hash value that you include in the request as your signature.

HMAC-SHA1/HMAC-SHA256: In cryptography, a keyed-Hash Message

Authentication Code (HMAC or KHMAC), is a type of message authentication code
(MAC) calculated using a specific algorithm involving a cryptographic hash function
Page 36 of 45
Amazon Web Services – Overview of Security Processes June 2016

in combination with a secret key. As with any MAC, it may be used to

simultaneously verify both the data integrity and the authenticity of a message. Any
iterative cryptographic hash function, such as SHA-1 or SHA-256, may be used in
the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-SHA1
or HMAC-SHA256 accordingly. The cryptographic strength of the HMAC depends
upon the cryptographic strength of the underlying hash function, on the size and
quality of the key and the size of the hash output length in bits.

Hardware security module (HSM): An HSM is an appliance that provides

secure cryptographic key storage and operations within a tamper-resistant
hardware device. HSMs are designed to securely store cryptographic key material
and use the key material without exposing it outside the cryptographic boundary of
the appliance. The AWS CloudHSM service provides customers with dedicated,
single-tenant access to an HSM appliance.

Hypervisor: A hypervisor, also called Virtual Machine Monitor (VMM), is

computer software/hardware platform virtualization software that allows multiple
operating systems to run on a host computer concurrently.

Identity and Access Management (IAM): AWS IAM enables you to create
multiple users and manage the permissions for each of these users within your AWS
Account.

Identity pool: A store of user identity information in Amazon Cognito that is

specific to your AWS Account. Identity pools use IAM roles, which are permissions
that are not tied to a specific IAM user or group and that use temporary security
credentials for authenticating to the AWS resources defined in the role.

Identity Provider: An online service responsible for issuing identification

information for users who would like to interact with the service or with other
cooperating services. Examples of identity providers include Facebook, Google, and
Amazon.

Import/Export Service: An AWS service for transferring large amounts of data

to Amazon S3 or EBS storage by physically shipping a portable storage device to a
secure AWS facility.

Instance: An instance is a virtualized server, also known as a virtual machine

(VM), with its own hardware resources and guest OS. In EC2, an instance
represents one running copy of an Amazon Machine Image (AMI).

IP address: An Internet Protocol (IP) address is a numerical label that is assigned

Page 37 of 45
Amazon Web Services – Overview of Security Processes June 2016

to devices participating in a computer network utilizing the Internet Protocol for

communication between its nodes.

IP spoofing: Creation of IP packets with a forged source IP address, called

spoofing, with the purpose of concealing the identity of the sender or impersonating
another computing system.

Key: In cryptography, a key is a parameter that determines the output of a

cryptographic algorithm (called a hashing algorithm). A key pair is a set of security
credentials you use to prove your identity electronically and consists of a public key
and a private key.

Key rotation: The process of periodically changing the cryptographic keys used for
encrypting data or digitally signing requests. Just like changing passwords, rotating
keys minimizes the risk of unauthorized access if an attacker somehow obtains your
key or determines the value of it. AWS supports multiple concurrent access keys
and certificates, which allows customers to rotate keys and certificates into and out
of operation on a regular basis without any downtime to their application.

Mobile Analytics: An AWS service for collecting, visualizing, and understanding

mobile application usage data. It enables you to track customer behaviors, aggregate
metrics, and identify meaningful patterns in your mobile applications.

Multi-factor authentication (MFA): The use of two or more authentication

factors. Authentication factors include something you know (like a password) or
something you have (like a token that generates a random number). AWS IAM
allows the use of a six-digit single-use code in addition to the user name and
password credentials. Customers get this single-use code from an authentication
device that they keep in their physical possession (either a physical token device or a
virtual token from their smart phone).

Network ACLs: Stateless traffic filters that apply to all traffic inbound or
outbound from a subnet within an Amazon VPC. Network ACLs can contain ordered
rules to allow or deny traffic based upon IP protocol, by service port, as well as
source/destination IP address.

Object: The fundamental entities stored in Amazon S3. Objects consist of object
data and metadata. The data portion is opaque to Amazon S3. The metadata is a set
of name-value pairs that describe the object. These include some default metadata
such as the date last modified and standard HTTP metadata such as Content-Type.
The developer can also specify custom metadata at the time the Object is stored.

Page 38 of 45
Amazon Web Services – Overview of Security Processes June 2016

Paravirtualization: In computing, paravirtualization is a virtualization technique

that presents a software interface to virtual machines that is similar but not
identical to that of the underlying hardware.

Peering: A VPC peering connection is a networking connection between two VPCs

that enables you to route traffic between them using private IP addresses. Instances
in either VPC can communicate with each other as if they are within the same
network.

Port scanning: A port scan is a series of messages sent by someone attempting to

break into a computer to learn which computer network services, each associated
with a "well-known" port number, the computer provides.

Region: A named set of AWS resources in the same geographical area. Each region
contains at least two availability zones.

Replication: The continuous copying of data from a database in order to maintain

a second version of the database, usually for disaster recovery purposes. Customers
can use multiple AZs for their Amazon RDS database replication needs, or use Read
Replicas if using MySQL.

Relational Database Service (RDS): An AWS service that allows you to create a
relational database (DB) instance and flexibly scale the associated compute
resources and storage capacity to meet application demand. Amazon RDS is
available for Amazon Aurora, MySQL, PostgreSQL, Oracle, Microsoft SQL Server,
and MariaDB database engines.

Role: An entity in AWS IAM that has a set of permissions that can be assumed by
another entity. Use roles to enable applications running on your Amazon EC2
instances to securely access your AWS resources. You grant a specific set of
permissions to a role, use the role to launch an Amazon EC2 instance, and let EC2
automatically handle AWS credential management for your applications that run on
Amazon EC2.

Route 53: An authoritative DNS system that provides an update mechanism that
developers can use to manage their public DNS names, answering DNS queries and
translating domain names into IP address so computers can communicate with each
other.

Secret Access Key: A key that AWS assigns to you when you sign up for an AWS
Account. To make API calls or to work with the command line interface, each AWS
user needs the Secret Access Key and Access Key ID. The user signs each request
Page 39 of 45
Amazon Web Services – Overview of Security Processes June 2016

with the Secret Access Key and includes the Access Key ID in the request. To help
ensure the security of your AWS Account, the Secret Access Key is accessible only
during key and user creation. You must save the key (for example, in a text file that
you store securely) if you want to be able to access it again.

Security group: A security group gives you control over the protocols, ports, and
source IP address ranges that are allowed to reach your Amazon EC2 instances; in
other words, it defines the firewall rules for your instance. These rules specify which
incoming network traffic should be delivered to your instance (e.g., accept web
traffic on port 80).

Security Token Service (STS): The AWS STS APIs return temporary security
credentials consisting of a security token, an Access Key ID, and a Secret Access
Key. You can use STS to issue security credentials to users who need temporary
access to your resources. These users can be existing IAM users, non-AWS users
(federated identities), systems, or applications that need to access your AWS
resources.

Server-side encryption (SSE): An option for Amazon S3 storage for

automatically encrypting data at rest. With Amazon S3 SSE, customers can encrypt
data on upload simply by adding an additional request header when writing the
object. Decryption happens automatically when data is retrieved.
Service: Software or computing ability provided across a network (e.g., Amazon
EC2, Amazon S3).

Shard: In Amazon Kinesis, a shard is a uniquely identified group of data records in

an Amazon Kinesis stream. A Kinesis stream is composed of multiple shards, each
of which provides a fixed unit of capacity.

Signature: Refers to a digital signature, which is a mathematical way to confirm

the authenticity of a digital message. AWS uses signatures calculated with a
cryptographic algorithm and your private key to authenticate the requests you send
to our web services.

Simple Data Base (Simple DB): A non-relational data store that allows AWS
customers to store and query data items via web services requests. Amazon
SimpleDB creates and manages multiple geographically distributed replicas of the
customer’s data automatically to enable high availability and data durability.

Simple Email Service (SES): An AWS service that provides a scalable bulk and
transactional email-sending service for businesses and developers. In order to
maximize deliverability and dependability for senders, Amazon SES takes proactive

Page 40 of 45
Amazon Web Services – Overview of Security Processes June 2016

steps to prevent questionable content from being sent, so that ISPs view the service
as a trusted email origin.

Simple Mail Transfer Protocol (SMTP): An Internet standard for transmitting

email across IP networks, SMTP is used by the Amazon Simple Email Service.
Customers who used Amazon SES can use an SMTP interface to send email, but
must connect to an SMTP endpoint via TLS.

Simple Notification Service (SNS): An AWS service that makes it easy to set
up, operate, and send notifications from the cloud. Amazon SNS provides
developers with the ability to publish messages from an application and
immediately deliver them to subscribers or other applications.

Simple Queue Service (SQS): A scalable message queuing service from AWS
that enables asynchronous message-based communication between distributed
components of an application. The components can be computers or Amazon EC2
instances or a combination of both.

Simple Storage Service (Amazon S3): An AWS service that provides secure
storage for object files. Access to objects can be controlled at the file or bucket level
and can further restricted based on other conditions such as request IP source,
request time, etc. Files can also be encrypted automatically using AES-256
encryption.

Simple Workflow Service (SWF): An AWS service that allows customers to

build applications that coordinate work across distributed components. Using
Amazon SWF, developers can structure the various processing steps in an
application as “tasks” that drive work in distributed applications. Amazon SWF
coordinates these tasks, managing task execution dependencies, scheduling, and
concurrency based on a developer’s application logic.

Single sign-on: The capability to log in once but access multiple applications and
systems. A secure single sign-on capability can be provided to your federated users
(AWS and non-AWS users) by creating a URL that passes the temporary security
credentials to the AWS Management Console.

Snapshot: A customer-initiated backup of an EBS volume that is stored in Amazon

S3, or a customer-initiated backup of an RDS database that is stored in Amazon
RDS. A snapshot can be used as the starting point for a new EBS volume or Amazon
RDS database or to protect the data for long-term durability and recovery.

Secure Sockets Layer (SSL): A cryptographic protocol that provides security

Page 41 of 45
Amazon Web Services – Overview of Security Processes June 2016

over the Internet at the Application Layer. Both the TLS 1.0 and SSL 3.0 protocol
specifications use cryptographic mechanisms to implement the security services
that establish and maintain a secure TCP/IP connection. The secure connection
prevents eavesdropping, tampering, or message forgery. You can connect to an AWS
endpoint via HTTP or secure HTTP (HTTPS) using SSL.

Stateful firewall: In computing, a stateful firewall (any firewall that performs

stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track
of the state of network connections (such as TCP streams, UDP communication)
traveling across it.

Storage Gateway: An AWS service that securely connects a customer’s on-

premises software appliance with Amazon S3 storage by using a VM that the
customer deploys on a host in their data center running VMware ESXi Hypervisor.
Data is asynchronously transferred from the customer’s on-premises storage
hardware to AWS over SSL, and then stored encrypted in Amazon S3 using AES-
256.

Temporary security credentials: AWS credentials that provide temporary

access to AWS services. Temporary security credentials can be used to provide
identity federation between AWS services and non-AWS users in your own identity
and authorization system. Temporary security credentials consist of security token,
an Access Key ID, and a Secret Access Key.

Transcoder: A system that transcodes (converts) a media file (audio or video)

from one format, size, or quality to another. Amazon Elastic Transcoder makes it
easy for customers to transcode video files in a scalable and cost-effective fashion.

Transport Layer Security (TLS): A cryptographic protocol that provides

security over the Internet at the Application Layer. Customers who used Amazon’s
Simple Email Service must connect to an SMTP endpoint via TLS.

Tree hash: A tree hash is generated by computing a hash for each megabyte-sized
segment of the data, and then combining the hashes in tree fashion to represent
ever-growing adjacent segments of the data. Amazon Glacier checks the hash
against the data to help ensure that it has not been altered en route.

Vault: In Amazon Glacier, a vault is a container for storing archives. When you
create a vault, you specify a name and select an AWS region where you want to
create the vault. Each vault resource has a unique address.

Versioning: Every object in Amazon S3 has a key and a version ID. Objects with
Page 42 of 45
Amazon Web Services – Overview of Security Processes June 2016

the same key, but different version IDs can be stored in the same bucket. Versioning
is enabled at the bucket layer using PUT Bucket versioning.

Virtual Instance: Once an AMI has been launched, the resulting running system
is referred to as an instance. All instances based on the same AMI start out identical
and any information on them is lost when the instances are terminated or fail.

Virtual MFA: The capability for a user to get the six-digit, single-use MFA code
from their smart phone rather than from a token/fob. MFA is the use of an
additional factor (the single-use code) in conjunction with a user name and
password for authentication.

Virtual Private Cloud (VPC): An AWS service that enables customers to

provision an isolated section of the AWS cloud, including selecting their own IP
address range, defining subnets, and configuring routing tables and network
gateways.

Virtual Private Network (VPN): The capability to create a private, secure

network between two locations over a public network such as the Internet. AWS
customers can add an IPsec VPN connection between their Amazon VPC and their
data center, effectively extending their data center to the cloud while also providing
direct access to the Internet for public subnet instances in their Amazon VPC. In
this configuration, customers add a VPN appliance on their corporate data center
side.

WorkSpaces: An AWS managed desktop service that enables you to provision

cloud-based desktops for your users and allows them to sign in using a set of unique
credentials or their regular Active Directory credentials.

X.509: In cryptography, X.509 is a standard for a Public Key Infrastructure (PKI)

for single sign-on and Privilege Management Infrastructure (PMI). X.509 specifies
standard formats for public key certificates, certificate revocation lists, attribute
certificates, and a certification path validation algorithm. Some AWS products use
X.509 certificates instead of a Secret Access Key for access to certain interfaces. For
example, Amazon EC2 uses a Secret Access Key for access to its Query interface, but
it uses a signing certificate for access to its SOAP interface and command line tool
interface.

WorkDocs: An AWS managed enterprise storage and sharing service with

feedback capabilities for user collaboration.

Page 43 of 45
Amazon Web Services – Overview of Security Processes June 2016

Document Revisions

Jun 2016
• Updated compliance programs
• Updated regions

Nov 2014
• Updated compliance programs
• Updated shared security responsibility model
• Updated AWS Account security features
• Reorganized services into categories
• Updated several services with new features: CloudWatch, CloudTrail,
CloudFront, EBS, ElastiCache, Redshift, Route 53, S3, Trusted Advisor, and
WorkSpaces
• Added Cognito Security
• Added Mobile Analytics Security
• Added WorkDocs Security

Nov 2013
• Updated regions
• Updated several services with new features: CloudFront, DirectConnect,
DynamoDB, EBS, ELB, EMR, Amazon Glacier, IAM, OpsWorks, RDS, Redshift,
Route 53, Storage Gateway, and VPC
• Added AppStream Security
• Added CloudTrail Security
• Added Kinesis Security
• Added WorkSpaces Security

Page 44 of 45
Amazon Web Services – Overview of Security Processes June 2016

May 2013
• Updated IAM to incorporate roles and API access
• Updated MFA for API access for customer-specified privileged actions
• Updated RDS to add event notification, multi-AZ, and SSL to SQL Server 2012
• Updated VPC to add multiple IP addresses, static routing VPN, and VPC By
Default
• Updated several other services with new features: CloudFront, CloudWatch, EBS,
ElastiCache, Elastic Beanstalk, Route 53, S3, Storage Gateway
• Added Glacier Security
• Added Redshift Security
• Added Data Pipeline Security
• Added Transcoder Security
• Added Trusted Advisor Security
• Added OpsWorks Security
• Added CloudHSM Security

Page 45 of 45