Overview of Security Processes – Summary of the Whitepaper

  1. Shared Security Model
    1. Amazon is responsible for the hardware, data centers and facilities
      1. Updates and patches for managed services such as RDS, DynamoDB, etc. are Amazon’s responsibility
    2. Customers are responsible for securing their own resources: Security Groups, ACLs, bucket policies, EC2 roles, etc.
  2. IP Spoofing
    1. Customers must inform AWS well in advance and obtain its permission before conducting port scans or vulnerability scans against their EC2 instances.
  3. Storage decommissioning process
    1. Delete the data / scrub the disk
    2. Degauss magnetic disks
  4. Network Security
    1. Use SSL/TLS
    2. Private subnets
    3. IPsec VPN devices
    4. Direct Connect
  5. Amazon is responsible for protecting against
    1. DDoS (distributed denial of service)
    2. Man in the middle attacks (MITM)
    3. Port scanning
    4. IP spoofing
    5. Packet Sniffing
  6. AWS trusted advisor
    1. Inspects your resources and advises you, for example, to close open ports or enable MFA
  7. Instance isolation
    1. Different instances running on the same host are isolated from each other by the Xen hypervisor
    2. An instance’s neighbors on the same host have no more access to it than instances running on another host
    3. Memory is scrubbed (set to zeros) by Xen before it is returned to the free pool for re-allocation
  8. AES-256 encryption of EBS volumes is available on the more powerful EC2 instance types
    1. All data read from an encrypted EBS volume is decrypted before it is delivered to the EC2 instance
    2. All data written from the EC2 instance to the volume is encrypted before it is stored on EBS
  9. Direct connect
    1. Bypasses the public internet and connects to AWS over a dedicated connection (802.1q VLAN)
  10. You must download the whitepaper and read it completely before going to the exam.
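Items 1 and 6 above are the customer side of the shared model: Security Groups are yours to get right, and Trusted Advisor's "close open ports" check is the kind of review you can also run yourself. The following is an added example, not code from the whitepaper or from AWS: a small audit that walks the dict shape returned by boto3's `ec2.describe_security_groups()` and flags ingress rules open to the whole internet on anything other than an allow-list of ports. The group data is constructed inline so it runs offline; `find_world_open_ports` and the sample group IDs are hypothetical names.

```python
"""Trusted-Advisor-style check: security group ingress rules open to 0.0.0.0/0 or ::/0."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
DEFAULT_ALLOWED_PORTS = {443}  # public HTTPS is usually acceptable; everything else is flagged


def _rule_ports(rule):
    """Return (from_port, to_port); IpProtocol '-1' means all traffic, every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _world_cidrs(rule):
    """Collect the IPv4/IPv6 ranges on a rule that mean 'anyone'."""
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return sorted(c for c in cidrs if c in WORLD_CIDRS)


def find_world_open_ports(security_groups, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Return findings as (group_id, protocol, from_port, to_port, cidr) tuples."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            lo, hi = _rule_ports(rule)
            # A range made up only of allow-listed ports is fine; anything wider is reported.
            if all(p in allowed_ports for p in range(lo, hi + 1)):
                continue
            for cidr in _world_cidrs(rule):
                findings.append((sg["GroupId"], rule.get("IpProtocol"), lo, hi, cidr))
    return findings


# Constructed sample in describe_security_groups() shape, not from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for f in find_world_open_ports(SAMPLE_GROUPS):
        print("open to the world: group=%s proto=%s ports=%d-%d cidr=%s" % f)
```

With the sample data the SSH rule on sg-web and the all-traffic IPv6 rule on sg-db are reported, while the HTTPS rule and the internal-only MySQL rule are not.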