Security Features from a Public Cloud Provider

Security Features and Certifications that AWS Provides

Use this as a check list for your requirements and to compare against other public cloud offerings.

AWS Security Feature Description
World-class protection With the AWS Cloud, not only are infrastructure headaches removed, but so are many of the security issues that come with them. AWS’s world-class, highly secure data centers use state-of-the art electronic surveillance and multi-factor access (MFA) control systems. Data centers are staffed 24×7 by trained security guards, and access is authorized strictly on a least-privileged basis. Environmental systems are designed to minimize the impact of disruptions to operations. And multiple geographic regions and Availability Zones allow you to remain resilient in the face of most failure modes, including natural disasters or system failures. The AWS virtual infrastructure has been designed to provide optimum availability while ensuring complete customer privacy and segregation. For a complete list of all the security measures built into the core AWS Cloud infrastructure, platforms, and services, please read our “Overview of Security Processes” white paper.
Secure access Customer access points, also called API endpoints, allow secure HTTP access (HTTPS) so that you can establish secure communication sessions with your AWS services using SSL
Built-in firewalls You can control how accessible your instances are by configuring built-in firewall rules – from totally public to completely private, or somewhere in between. And when your instances reside within a Virtual Private Cloud (VPC) subnet, you can control egress as well as ingress.
Unique users The AWS Identity and Access Management (IAM) tool allows you to control the level of access your own users have to your AWS infrastructure services. With AWS IAM, each user can have unique security credentials, eliminating the need for shared passwords or keys and allowing the security best practices of role separation and least privilege.
Multi-factor authentication AWS provides built-in support for MFA for use with AWS Accounts and individual IAM user accounts.
Private Subnets The AWS VPC service allows you to add another layer of network security to your instances by creating private subnets and even adding an IPsec VPN tunnel between your home network and your AWS VPC.
Encrypted data storage Customers can have the data and objects they store in Amazon S3, Glacier, Redshift, and Oracle RDS encrypted automatically using Advanced Encryption Standard (AES) 256, a secure symmetric-key encryption standard using 256-bit encryption keys
Dedicated connection option The AWS Direct Connect service allows you to establish a dedicated network connection from your premise to AWS. Using industry standard 802.1q VLANs, this dedicated connection can be partitioned into multiple logical connections to enable you to access both public and private IP environments within your AWS Cloud
Security logs AWS CloudTrail provides logs of all user activity within your AWS account. You can see what actions were performed on each of your AWS resources and by whom.
Isolated GovCloud For customers who require additional measures in order to comply with US ITAR regulations, AWS provides an entirely separate region called AWS GovCloud (US) that provides an environment where customers can run ITAR-compliant applications, and provides special endpoints that use only FIPS 140-2 encryption.
CloudHSM For customers who must use Hardware Security Module (HSM) appliances for cryptographic key storage, AWS CloudHSM provides a highly secure and convenient way to store and manage keys.
Trusted Advisor Provided automatically when you sign up for premium support, the Trusted Advisor service is a convenient way for you to see where you could use a little more security. It monitors AWS resources and alerts you to security configuration gaps such as overly permissive access to certain EC2 instance ports and S3 storage buckets, minimal use of role segregation using IAM, and weak password policies

An Overview on Third-Party Attestations, Reports and Certifications for AWS

Third-Party Attestation, Report, or Certification Description
ITAR_png ITAR: The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US persons and restricting physical location of that data to the US. AWS GovCloud (US) provides an environment physically located in the US and where access by AWS personnel is limited to US persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (US) environment has been audited by an independent third party to validate that the proper controls are in place to support customer export compliance programs for this requirement.
PCI_png PCI DSS Level 1: AWS is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the Cloud. In February 2013, the PCI Security Standards Council released “PCI DSS Cloud Computing Guidelines”. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the Cloud. AWS has incorporated the PCI DSS Cloud Computing Guidelines into the AWS PCI Compliance Package for customers. The AWS PCI Compliance Package includes the AWS PCI Attestation of Compliance (AoC), which shows that AWS has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 2.0, and the AWS PCI Responsibility Summary, which explains how compliance responsibilities are shared between AWS and our customers in the Cloud. The AWS PCI DSS Level 1 certification includes all AWS data centers worldwide that support in-scope services.
HIPAA HIPAA: AWS enables covered entities and their business associates subject to the US Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure AWS environment to process, maintain, and store protected health information. AWS will be signing business associate agreements with such customers. AWS also offers a HIPAA-focused whitepaper for customers interested in learning more about how they can leverage AWS for the processing and storage of health information. The “Creating HIPAA-Compliant Medical Data Applications with AWS” whitepaper outlines how companies can use AWS to process systems that facilitate HIPAA and HITECH compliance.
FISMA FISMA & DIACAP: AWS enables government agencies to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners’ approval process. Numerous federal civilian and Department of Defense (DoD) organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST 800-37 and DoD Information Assurance Certification and Accreditation Process (DIACAP). AWS’s secure infrastructure has helped federal agencies expand Cloud computing use cases and deploy sensitive government data and applications in the Cloud while complying with the rigorous security requirements of federal standards.
DISA DoD CSM: The AWS GovCloud (US) region has been issued the industry’s first Level 3-5 Provisional Authorization, to allow DoD customers to deploy pilot applications with the enhanced control baselines corresponding to the sensitive-but-unclassified levels of the DoD Cloud Security Model. This DoD Authorization is equivalent to FISMA Moderate and High level systems which means, working in concert with our partners and customers, all DoD data except classified information can be authorized for use on AWS. DoD customers with prospective Level 3-5 applications should contact the DISA Enterprise Cloud Service Broker (ECSB) to begin the approval process. For more information please see the following CSM FAQ webpage:
FedRamp FedRAMP: AWS has achieved two Agency Authority to Operate (ATOs) under the FedRAMP at the Moderate impact level. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud products and services up to the Moderate level. All US government agencies can leverage the AWS Agency ATO packages stored in the FedRAMP repository to evaluate AWS for their applications and workloads, provide authorizations to use AWS, and transition workloads into the AWS environment.
AICPA SOC 1/SSAE 16/ISAE 3402 (formerly SAS70): AWS’s SOC 1 report audit attests that the control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively. The report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services.
AICPA SOC 2: In addition to the SOC 1 report, AWS publishes a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as AWS. The AWS SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into AWS security based on a defined industry standard and further demonstrates AWS’s commitment to protecting customer data. The AWS SOC 2 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services.
SOC3 SOC 3: AWS publishes a Service Organization Controls 3 (SOC 3) report. The SOC 3 report is a publicly available summary of the AWS SOC 2 report and provides the AICPA SysTrust Security Seal. The report includes the external auditor’s opinion of the operation of controls (based on the AICPA’s Security Trust Principles included in the SOC 2 report), the assertion from AWS management regarding the effectiveness of controls, and an overview of AWS infrastructure and services. The AWS SOC 3 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services. This is a great resource for customers to validate that AWS has obtained external auditor assurance without going through the process to request a SOC 2 report. View the AWS SOC 3 report.
FIPS FIPS 140-2: The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, the Amazon Virtual Private Cloud VPN endpoints and SSL terminations in AWS GovCloud (US) operate using FIPS 140-2 validated hardware. AWS works with AWS GovCloud (US) customers to provide the information they need to help manage compliance when using the AWS GovCloud (US) environment.
ISO ISO 27001: AWS is ISO 27001 certified under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is a widely adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information.

AWS has established a formal program to maintain the certification. This certification reinforces our commitment to providing transparency into our security controls and practices. The AWS ISO 27001 certification includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services.

CSA_crop CSA STAR: In 2011, the Cloud Security Alliance (CSA) launched STAR , an initiative to encourage transparency of security practices within Cloud providers. The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various Cloud computing offerings, thereby helping users assess the security of Cloud providers they currently use or are considering contracting with. AWS is a CSA STAR registrant and has completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ). The CSA-published CAIQ provides a way to reference and document what security controls exist in AWS’s Infrastructure as a Service (IaaS) offerings. The CAIQ provides a set of over 140 questions a Cloud consumer or Cloud auditor may wish to ask of a Cloud provider.