The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS

Page 1: The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

The AWS Shared Security Responsibility Model in Practice

Nirav Kothari
Principal Consultant, AWS Professional Services
12/15/2016

Page 2: AWS Global Footprint

Page 3: AWS Global Footprint

US West (N. California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)
Asia Pacific (Seoul)

Page 4: AWS Global Footprint – Region

Region
  An independent collection of AWS resources in a defined geography
  A solid foundation for meeting location-dependent privacy and compliance requirements

Page 5: AWS Global Footprint

Page 6: AWS Global Footprint – Availability Zone

Availability Zone
  Designed as independent failure zones
  Physically separated within a typical metropolitan region

Page 7: AWS Global Footprint

Page 8: AWS Global Footprint – Edge Location

Edge Location
  Collections of servers in geographically dispersed data centers
  Deliver content to end users with lower latency

Page 9: AWS Global Footprint

Page 10: AWS Global Footprint

16 Regions
42 Availability Zones
63 Edge locations
Over 1 million active customers

Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.

Page 11: Data Locality

Customer chooses where to place data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn’t move unless you choose to move it

Page 12: Data Locality in practice

Block level storage
  Instance Storage (Elastic Compute Cloud - EC2)
  Elastic Block Store (EBS)
Object level storage
  Simple Storage Service (S3)
Database storage
  Relational Database Service (RDS)
  NoSQL (DynamoDB)
  Columnar (Redshift)
  Caching (ElastiCache)
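The two slides above say data stays in the region the customer picked; verifying that is the customer's job. The Python below is an added example, not part of Nirav Kothari's deck: it normalizes the region reported for each storage resource (including the S3 quirk where GetBucketLocation reports us-east-1 as an empty value and eu-west-1 as the legacy "EU"), flags anything outside a residency boundary, and emits an IAM/SCP-style guardrail built on the aws:RequestedRegion condition key. The allowed-region set, the global-service exemption list and every inventory record are constructed assumptions; no AWS calls are made.

```python
"""Region-residency check for the storage services listed on the slide.

Constructed example: inventory records mimic what describe_volumes,
list_buckets + get_bucket_location, describe_db_instances and similar calls
would return, but no AWS API is called here.
"""
import json

ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}   # assumed residency boundary

# Global services are not scoped by aws:RequestedRegion, so the guardrail must
# not deny them. Assumed list; tune it to the services your account uses.
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "route53:*",
                   "cloudfront:*", "support:*"]


def normalize_s3_location(location_constraint):
    """GetBucketLocation returns an empty LocationConstraint for us-east-1 and
    the legacy value 'EU' for eu-west-1; map both to a real region name."""
    if not location_constraint:
        return "us-east-1"
    if location_constraint == "EU":
        return "eu-west-1"
    return location_constraint


def out_of_region(inventory, allowed=ALLOWED_REGIONS):
    """Return (service, id, region) for every resource outside the allowed set."""
    findings = []
    for rec in inventory:
        region = rec["region"]
        if rec["service"] == "s3":
            region = normalize_s3_location(region)
        if region not in allowed:
            findings.append((rec["service"], rec["id"], region))
    return findings


def region_guardrail_policy(allowed=ALLOWED_REGIONS):
    """Policy document (usable as an SCP) that denies any request routed to a
    region outside the allowed set, except for global services."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICES,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": sorted(allowed)}
            },
        }],
    }


# Constructed inventory; none of these identifiers belong to a real account.
SAMPLE_INVENTORY = [
    {"service": "ebs", "id": "vol-0example1", "region": "eu-west-1"},
    {"service": "s3", "id": "example-logs", "region": "EU"},        # legacy value
    {"service": "s3", "id": "example-backup", "region": None},      # means us-east-1
    {"service": "rds", "id": "example-db", "region": "eu-central-1"},
    {"service": "dynamodb", "id": "example-table", "region": "ap-southeast-1"},
]

if __name__ == "__main__":
    for finding in out_of_region(SAMPLE_INVENTORY):
        print("outside residency boundary:", finding)
    print(json.dumps(region_guardrail_policy(), indent=2))
```

The inventory check catches data that already left the boundary; the guardrail policy stops new resources from being created outside it. Both are needed, because a Deny policy does nothing about buckets or volumes that existed before it was attached.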

Page 13: Shared Responsibility

Who manages which parts?

Page 14: AWS Shared Responsibility Model

Customers are responsible for their security and compliance IN the Cloud:
  Customer content
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption | Server-side Data Encryption | Network Traffic Protection

AWS is responsible for the security OF the Cloud:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 15: AWS Shared Responsibility Model – Deep Dive

Will one model work for all services?
  Infrastructure Services
  Container Services
  Abstract Services

Page 16: AWS Shared Responsibility Model for Infrastructure Services

Managed by customers:
  Customer content
  Platform & Applications Management
  Operating System, Network & Firewall Configuration
  Client-Side Data Encryption & Data Integrity Authentication
  Server-Side Encryption (File System and/or Data)
  Network Traffic Protection (Encryption / Integrity / Identity)
  (Optional) Opaque data: 1’s and 0’s (in transit / at rest)
  Customer IAM
  AWS IAM

Managed by AWS:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
  API Endpoints

Page 17: Infrastructure Service Example – EC2

RESPONSIBILITIES

AWS:
• Foundation Services — Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints

Customers:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)

Page 18: AWS Shared Responsibility Model for Container Services

Managed by customers:
  Customer content
  Firewall Configuration
  Client-Side Data Encryption & Data Integrity Authentication
  Network Traffic Protection (Encryption / Integrity / Identity)
  (Optional) Opaque data: 1’s and 0’s (in transit / at rest)
  Customer IAM
  AWS IAM

Managed by AWS:
  Platform & Applications Management
  Operating System, Network Configuration
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
  API Endpoints

Page 19: Container Service Example – RDS

RESPONSIBILITIES

AWS:
• Foundational Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application

Customers:
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling
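The EC2 and RDS slides above both leave firewall configuration, data protection at rest and IAM on the customer side, so those are the things a customer audit has to look at. The Python below is an added example, not from the deck: it runs those customer-side checks over constructed data shaped like boto3's describe_security_groups, describe_volumes and describe_db_instances responses (field names are the real ones; the identifiers are made up). The sensitive-port list is an assumption to extend for your own estate; no AWS calls are made.

```python
"""Customer-side checks for EC2 (infrastructure service) and RDS (container
service): world-reachable admin/database ports, unencrypted EBS volumes, and
database instances that are both public and behind an open security group.

Constructed example: the response dicts below follow the shapes boto3 returns
but contain no real account data.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}

# Listeners a practitioner would not expose to the whole internet.
# Assumed list; extend it for the services you run.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql",
                   5432: "postgres", 1433: "mssql"}


def _covers(rule, port):
    """True if an ingress rule's protocol/port range includes `port`."""
    if rule.get("IpProtocol") == "-1":      # "all traffic": no port fields present
        return True
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return lo <= port <= hi


def _from_anywhere(rule):
    """True if the rule admits the whole IPv4 or IPv6 internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def open_admin_ingress(sg_response):
    """Return (group id, port name) for every world-reachable sensitive port."""
    findings = []
    for sg in sg_response["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if not _from_anywhere(rule):
                continue
            for port, name in SENSITIVE_PORTS.items():
                if _covers(rule, port):
                    findings.append((sg["GroupId"], name))
    return sorted(set(findings))


def unencrypted_volumes(volume_response):
    """EBS volumes without encryption at rest (customer responsibility on EC2)."""
    return [v["VolumeId"] for v in volume_response["Volumes"] if not v.get("Encrypted")]


def rds_exposure(db_response, open_groups):
    """RDS findings: storage not encrypted, or an instance that is publicly
    accessible while attached to a security group that already admits the world."""
    findings = []
    for db in db_response["DBInstances"]:
        ident = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted"):
            findings.append((ident, "storage-unencrypted"))
        attached = {g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])}
        if db.get("PubliclyAccessible") and attached & open_groups:
            findings.append((ident, "publicly-reachable"))
    return findings


# Constructed sample responses (not from a real account).
SG_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-web-constructed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-db-constructed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-any-constructed", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}
VOLUME_RESPONSE = {"Volumes": [
    {"VolumeId": "vol-enc-constructed", "Encrypted": True},
    {"VolumeId": "vol-plain-constructed", "Encrypted": False}]}
DB_RESPONSE = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-constructed", "PubliclyAccessible": True,
     "StorageEncrypted": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db-constructed"}]},
    {"DBInstanceIdentifier": "reports-constructed", "PubliclyAccessible": False,
     "StorageEncrypted": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-web-constructed"}]}]}


def run_all():
    """Collect every finding; a real job would feed these to ticketing or a SIEM."""
    sg_findings = open_admin_ingress(SG_RESPONSE)
    open_groups = {gid for gid, _ in sg_findings}
    return {
        "security_groups": sg_findings,
        "ebs": unencrypted_volumes(VOLUME_RESPONSE),
        "rds": rds_exposure(DB_RESPONSE, open_groups),
    }


if __name__ == "__main__":
    for area, items in run_all().items():
        print(area, items)
```

Note the asymmetry the slides describe: for RDS the checker never looks at the operating system or database engine patch level, because those sit with AWS, whereas for EC2 the same audit would also have to cover OS hardening and patching, which this example leaves out.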

Page 20: AWS Shared Responsibility Model for Abstract Services

Managed by customers:
  Customer content
  Client-Side Data Encryption & Data Integrity Authentication (optional) – Opaque Data: 1’s and 0’s (in flight / at rest)
  AWS IAM

Managed by AWS:
  Platform & Applications Management
  Operating System, Network & Firewall Configuration
  Data Protection by the Platform (Protection of Data at Rest)
  Network Traffic Protection by the Platform (Protection of Data in Transit)
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
  API Endpoints

Page 21: Abstract Service Example – S3

AWS:
• Foundational Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling

Customers:
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
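S3 shows the abstract-service split on the slides above: AWS operates the platform and offers server-side encryption, but requiring it, and deciding who may read or write, is customer IAM work. The example below is added here and is not from the deck. It contrasts a bucket policy that enforces nothing with one that denies unencrypted uploads and non-TLS access using the real condition keys s3:x-amz-server-side-encryption and aws:SecureTransport, and includes a small evaluator that reports which guardrails a given policy document enforces. The bucket name, account id and role name are constructed; no AWS calls are made.

```python
"""Customer-side S3 guardrails for an abstract service.

AWS provides server-side encryption (SSE) and TLS endpoints; the customer
decides, via the bucket policy, whether clients are allowed to skip them.
Constructed example with made-up bucket, account and role identifiers.
"""
import json

BUCKET = "example-bucket-constructed"   # assumed bucket name


def hardened_bucket_policy(bucket):
    """Bucket policy that refuses PutObject requests lacking an SSE header and
    refuses any request made over plaintext HTTP."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             # Null = "true" matches requests where the header is absent
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
            {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


# Weak policy: grants an application role access but enforces nothing about
# encryption at rest or protection in transit. Account id and role are made up.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-constructed"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def _deny_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Deny"]


def _actions(stmt):
    """Action may be a string or a list; always return a list."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else action


def _condition_keys(stmt):
    return {key for cond in stmt.get("Condition", {}).values() for key in cond}


def requires_sse(policy):
    """True if a Deny on PutObject fires when the SSE header is absent."""
    return any(
        any(a in ("s3:PutObject", "s3:*") for a in _actions(s))
        and "s3:x-amz-server-side-encryption" in _condition_keys(s)
        and "Null" in s.get("Condition", {})
        for s in _deny_statements(policy))


def requires_tls(policy):
    """True if a Deny fires when aws:SecureTransport is false."""
    return any(
        s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
        for s in _deny_statements(policy))


def assess(policy):
    """Report which customer-side guardrails the bucket policy enforces."""
    return {"sse_required": requires_sse(policy), "tls_required": requires_tls(policy)}


if __name__ == "__main__":
    print("weak:", assess(WEAK_POLICY))
    print("hardened:", assess(hardened_bucket_policy(BUCKET)))
    print(json.dumps(hardened_bucket_policy(BUCKET), indent=2))
```

The evaluator only recognizes the Null-condition form of the SSE deny; a policy that pins the algorithm with StringNotEquals on the same key would need a second clause. S3 has encrypted new objects with SSE-S3 by default since 2023, so the header-based deny mainly forces clients to be explicit; to require a particular KMS key, pin s3:x-amz-server-side-encryption to aws:kms and check s3:x-amz-server-side-encryption-aws-kms-key-id as well. Client-side encryption, the CSE item on the customer side of the slide, is a separate step the policy cannot enforce.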

Page 22: Summary of Customer Responsibility in the Cloud

Infrastructure Services: Data, Applications, Operating System, Networking/Firewall, Customer IAM, AWS IAM
Container Services: Data, Firewall, Customer IAM, AWS IAM
Abstract Services: Data, AWS IAM

Page 23: Shared Responsibility

What about security OF the cloud?

Page 24: Security Shared Responsibility Model

AWS is responsible for the security OF the cloud:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 25: Auditing – Comparison: on-prem vs on AWS

On-prem:
  Start with bare concrete
  Functionally optional – you can build a secure system without it
  Audits done by an in-house team
  Accountable to yourself
  Typically check once a year
  Workload-specific compliance checks
  Must keep pace and invest in security innovation

On AWS:
  Start on base of accredited services
  Functionally necessary – high watermark of requirements
  Audits done by third party experts
  Accountable to everyone
  Continuous monitoring
  Compliance approach based on all workload scenarios
  Security innovation drives broad compliance

Page 26: What this means

You benefit from an environment built for the most security sensitive organizations
AWS manages 1,800+ security controls so you don’t have to
You get to define the right security controls for your workload sensitivity
You always have full ownership and control of your data

Page 27: AWS Assurance Programs

Page 28: Meet your own security objectives

Customers:
  Your own external audits
  Your own accreditation
  Your own certifications
  Customer scope and effort is reduced
  Better results through focused efforts
  Built on AWS consistent baseline controls

AWS:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 29: Navigating Shared Responsibility

Achieving accreditation or certification on AWS is possible, but how can we help?

Page 30: AWS Enterprise Accelerator: Compliance Architectures

Sample Architecture –
Security Controls Matrix
CloudFormation Templates (5 x templates)
User Guide
http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html

Page 31: Compliance Resources

https://aws.amazon.com/compliance/resources/

Page 32: Education — AWS Security & Compliance

AWS Security Fundamentals
  3 hour eLearning course
  Target audience – Security Auditors/Analysts
  It’s Free

AWS Security Operations
  3 day Instructor-Led Training
  Target audience – Security Engineers/Architects
  12 Modules + Labs

Self-paced labs available on http://qwiklabs.com
https://aws.amazon.com/training/course-descriptions/

Page 33: Helpful Resources

Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Center Website: https://aws.amazon.com/compliance
Security Center: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
AWS Audit Training: [email protected]

Page 35: Thank You

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved