Overview of Security Processes – Summary of the Whitepaper
Shared Security Model
Amazon is responsible for security OF the cloud: hardware, data centers, facilities, the virtualization layer
Managed services such as RDS, DynamoDB, etc. are Amazon's responsibility for OS/engine updates and patches
Customers are responsible for security IN the cloud: their own resources, i.e. Security Groups, network ACLs, S3 bucket policies, IAM roles attached to EC2, guest OS patching, data encryption, etc.
IP spoofing and port scanning
The EC2 host-based firewall does not let an instance send traffic with a source IP or MAC address other than its own, so instances cannot spoof
At the time of the whitepaper, customers had to request and receive written authorization from AWS well in advance before running port scans or vulnerability scans against their own EC2 instances; AWS has since relaxed this for a number of services, so check the current AWS penetration testing policy before scanning
Storage decommissioning process done by AWS
When a storage device reaches end of life, AWS wipes it using the techniques in DoD 5220.22-M or NIST 800-88 (media sanitization) before it leaves the data center
Decommissioned magnetic disks are degaussed and physically destroyed; customers never get to wipe physical media themselves
Network Security
Use TLS for data in transit (SSL is obsolete; only the name survives in many AWS docs)
Put instances that don't need a public IP in private subnets
IPsec VPN devices for encrypted VPC connectivity over the internet
Direct Connect for a dedicated connection that bypasses the public internet
Amazon is responsible for protecting the infrastructure against
DDoS (distributed denial of service) at the network layer
Man in the middle attacks (MITM): AWS API endpoints are TLS-only; you should still verify instance host keys on first SSH (from the console output) to avoid MITM on your own instances
Port scanning: unauthorized scans of AWS customers are a violation of the AWS Acceptable Use Policy
IP spoofing: blocked by the host-based firewall
Packet sniffing by other tenants: a virtual interface put into promiscuous mode still only receives traffic addressed to its own instance
AWS Trusted Advisor
Inspects your resources and advises you to close unrestricted ports on security groups, enable MFA on the root account, rotate access keys, etc.
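The customer-side half of the shared responsibility model above is mostly configuration hygiene, and the "close ports" advice from Trusted Advisor is the kind of check you can also run yourself. The following is an added example written for this summary, not code from the whitepaper or from AWS: it walks a list of security groups shaped like the boto3 ec2.describe_security_groups() response and flags any rule that exposes a sensitive port to the whole internet. The sample groups, the set of sensitive ports and the function names are all constructed for the demonstration; in practice you would feed in the real response instead of SAMPLE_GROUPS.

```python
"""Flag security group rules that expose sensitive ports to 0.0.0.0/0 or ::/0.

Added example for these notes, not AWS code. Input is shaped like the
'SecurityGroups' list returned by boto3's ec2.describe_security_groups();
the sample data below is constructed, not captured from a real account.
"""
from typing import Any, Dict, List, Tuple, Union

# Ports that should never be reachable from the whole internet.
# Assumption: this baseline is chosen for the example; adjust to your own.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# (group id, offending CIDR, port number or "all" when the rule allows all traffic)
Finding = Tuple[str, str, Union[int, str]]

# Constructed sample: three groups with a mix of safe and unsafe rules.
SAMPLE_GROUPS: List[Dict[str, Any]] = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,          # fine: public HTTPS
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,            # bad: SSH to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,        # fine: MySQL from the VPC only
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",                                           # bad: all traffic from any IPv6 address
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,        # bad: the range covers 3306 and 3389
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def world_open_cidrs(perm: Dict[str, Any]) -> List[str]:
    """Return the IPv4/IPv6 CIDRs in this rule that mean 'anyone'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def exposed_sensitive_ports(perm: Dict[str, Any]) -> List[Union[int, str]]:
    """Sensitive ports covered by this rule's port range.

    IpProtocol "-1" is the console's "All traffic" and has no port fields,
    so it is reported once as "all". ICMP and other protocols are skipped.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return ["all"]
    if proto not in ("tcp", "udp"):
        return []
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def audit_security_groups(groups: List[Dict[str, Any]]) -> List[Finding]:
    """Return one finding per (group, world CIDR, sensitive port) combination."""
    findings: List[Finding] = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            open_cidrs = world_open_cidrs(perm)
            if not open_cidrs:
                continue  # rule is restricted to specific CIDRs; not our concern here
            for port in exposed_sensitive_ports(perm):
                for cidr in open_cidrs:
                    findings.append((group["GroupId"], cidr, port))
    return findings


if __name__ == "__main__":
    for group_id, cidr, port in audit_security_groups(SAMPLE_GROUPS):
        label = "all ports" if port == "all" else f"{port}/{SENSITIVE_PORTS[port]}"
        print(f"{group_id}: {label} open to {cidr}")
```

Two edge cases matter here and are easy to miss in a hand-written check: an "All traffic" rule has no FromPort/ToPort at all, and a wide port range (3000-4000) silently covers MySQL and RDP without naming them. Security group rules referencing another group or a prefix list (UserIdGroupPairs, PrefixListIds) are not world-open and are correctly ignored.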
Instance isolation
Different instances running on the same host are isolated by the hypervisor (Xen at the time of the whitepaper; current-generation instance types run on the Nitro hypervisor, with the same isolation guarantees)
An instance's neighbors on the same host have no more access to it than instances running on another host
Customer memory is scrubbed (set to zeros) by the hypervisor when it is unallocated from a guest, before it is returned to the pool for re-allocation
AES-256 encryption of EBS volumes is supported on all current-generation instance types (the whitepaper originally limited it to the more powerful types); snapshots of encrypted volumes are encrypted too
Encryption and decryption happen on the EC2 host that runs the instance, so data is encrypted in transit between the host and EBS as well as at rest on the volume
Data written by the instance is encrypted before it reaches EBS, and data read from EBS is decrypted on the host before it is handed to the instance; the guest OS never sees the key
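Because EBS encryption is a per-volume flag set at creation time and cannot be toggled on afterwards, the practical check is an inventory of volumes that were created without it. The following is an added example for these notes, not AWS code: it walks a list shaped like the 'Volumes' list from boto3's ec2.describe_volumes() and reports unencrypted volumes together with the instance they are attached to, so you can prioritize the ones holding live data. The sample volumes and function names are constructed for the demonstration.

```python
"""Inventory EBS volumes that were created without encryption.

Added example for these notes, not AWS code. Input is shaped like the
'Volumes' list returned by boto3's ec2.describe_volumes(); the sample data
below is constructed, not captured from a real account.
"""
from typing import Any, Dict, List, Optional, Tuple

# (volume id, attached instance id or None if the volume is detached)
Unencrypted = Tuple[str, Optional[str]]

# Constructed sample: one encrypted volume, one unencrypted root volume in use,
# one unencrypted volume sitting detached.
SAMPLE_VOLUMES: List[Dict[str, Any]] = [
    {"VolumeId": "vol-0enc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
     "Attachments": [{"InstanceId": "i-0aaa", "Device": "/dev/xvda", "State": "attached"}]},
    {"VolumeId": "vol-0plain", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0bbb", "Device": "/dev/xvda", "State": "attached"}]},
    {"VolumeId": "vol-0idle", "Encrypted": False,
     "Attachments": []},
]


def attached_instance(volume: Dict[str, Any]) -> Optional[str]:
    """Instance id of the first attached attachment, or None if detached."""
    for att in volume.get("Attachments", []):
        if att.get("State") == "attached":
            return att.get("InstanceId")
    return None


def unencrypted_volumes(volumes: List[Dict[str, Any]]) -> List[Unencrypted]:
    """Return (volume id, instance id) for every volume with Encrypted == False.

    Attached volumes come first so the ones carrying live data are at the top.
    """
    found = [(v["VolumeId"], attached_instance(v))
             for v in volumes if not v.get("Encrypted", False)]
    return sorted(found, key=lambda item: (item[1] is None, item[0]))


def encrypted_volumes_without_cmk(volumes: List[Dict[str, Any]]) -> List[str]:
    """Encrypted volumes that carry no KmsKeyId in the response.

    Every encrypted volume has a key, so a missing KmsKeyId in real output
    usually means the caller lacks permission to see it; worth a look.
    """
    return [v["VolumeId"] for v in volumes
            if v.get("Encrypted") and not v.get("KmsKeyId")]


if __name__ == "__main__":
    for volume_id, instance_id in unencrypted_volumes(SAMPLE_VOLUMES):
        where = f"attached to {instance_id}" if instance_id else "detached"
        print(f"{volume_id}: unencrypted, {where}")
```

To fix a finding you snapshot the volume, copy the snapshot with encryption enabled, create a new volume from the copy and swap it in; enabling EBS encryption by default at the account and region level (the EC2 console's "EBS encryption" setting) prevents new unencrypted volumes from being created in the first place.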
Direct Connect
Bypass the public internet and connect to AWS over a dedicated link from your premises or a colocation facility; 802.1q VLANs partition the single physical connection into multiple virtual interfaces (e.g. one to a VPC, one to public AWS services)