Cloud Infrastructure Security

Could someone explain the security features of Amazon's EC2 and S3 for protecting sensitive data and applications?
K K asked:



btan (Exec Consultant) commented:
AWS Security covers
-Infrastructure Security
-DDoS Mitigation
-Data Encryption
-Inventory and Configuration
-Monitoring and Logging
-Identity and Access Control
-Penetration Testing

Specifically, EC2 and S3 are secure by default. Two key security areas that I see as important in this context, to simplify the discussion, are (1) Data Confidentiality via Encryption and (2) Identity & Access Control of Data.

(1) You can choose to encrypt data using SSE-S3, SSE-C, SSE-KMS, or a client library such as the Amazon S3 Encryption Client. All four enable you to store sensitive data encrypted at rest in Amazon S3.
You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol. If you need extra security you can use the Server Side Encryption (SSE) option or the Server Side Encryption with Customer-Provided Keys (SSE-C) option to encrypt data stored at rest. Amazon S3 provides the encryption technology for both SSE and SSE-C. Alternatively you can use your own encryption libraries to encrypt data before storing it in Amazon S3.
SSE-S3 provides an integrated solution where Amazon handles key management and key protection using multiple layers of security.
SSE-C enables you to leverage Amazon S3 to perform the encryption and decryption of your objects while retaining control of the keys used to encrypt objects.
SSE-KMS enables you to use AWS Key Management Service (AWS KMS) to manage your encryption keys. AWS KMS provides additional security controls to support customer efforts to comply with PCI-DSS, HIPAA/HITECH, and FedRAMP industry requirements.
With SSE, every protected object is encrypted with a unique key. This object key is itself encrypted by a separate master key. A new master key is issued at least monthly. Encrypted data, encryption keys and master keys are stored and secured on separate hosts for multiple layers of protection.
(2) By using IAM with Amazon EC2, you can control whether users in your organization can perform a task using specific Amazon EC2 API actions and whether they can use specific AWS resources.
For example, for Amazon EC2, one of the following AWS managed policies might meet your needs:
•PowerUserAccess
•ReadOnlyAccess
•AmazonEC2FullAccess
•AmazonEC2ReadOnlyAccess
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html

There is also network access as another layer:
Security groups enable you to control traffic to your instance, including the kind of traffic that can reach your instance. For example, you can allow computers from only your home network to access your instance using SSH. If your instance is a web server, you can allow all IP addresses to access your instance via HTTP, so that external users can browse the content on your web server.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

More info on (1) and (2), see below
FAQ (See security section) - https://aws.amazon.com/s3/faqs/
Security overview - https://aws.amazon.com/security/
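To make the two areas in the answer above concrete, here is an added example (not part of the original answer and not AWS code) that ties them together: a least-privilege identity policy in the spirit of AmazonEC2ReadOnlyAccess, plus an S3 bucket policy that refuses any PutObject not protected with SSE-KMS under a specific key. The evaluator is a small teaching model of the documented IAM evaluation order (explicit Deny wins, otherwise an Allow is required, otherwise deny by default) with only the operators these policies need; the real engine has many more operators and layers. The bucket name, account ID and KMS key ARN are hypothetical.

```python
"""Minimal IAM/bucket policy evaluator (added example, stdlib only).

Models the evaluation order AWS documents: an explicit Deny wins over any
Allow, and a request with no matching Allow is denied by default. Supports
Action/Resource wildcards and the StringEquals, StringNotEquals and Null
condition operators. Teaching model, not the real IAM engine.
"""
import fnmatch

# Hypothetical identifiers used only for this example.
BUCKET = "arn:aws:s3:::example-sensitive-data"
APP_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "00000000-0000-0000-0000-000000000000")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match(pattern, value):
    # IAM wildcards: '*' matches any run, '?' one character. fnmatch also
    # treats '[' specially, so neutralise it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _condition_ok(cond, ctx):
    """True when every operator/key pair in the Condition block matches."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Negated operators match when the key is absent from the
                # request, which is why AWS pairs them with a Null check.
                if actual is not None and actual in _as_list(expected):
                    return False
            elif operator == "Null":
                # {"Null": {"key": "true"}} requires the key to be absent.
                want_absent = str(expected).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request across all policies."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_ok(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny ends evaluation
            allowed = True
    return "Allow" if allowed else "Deny"


# Identity policy: read-only EC2 plus object access on one bucket only.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": BUCKET + "/*"},
    ],
}

# Bucket policy: deny uploads that are not SSE-KMS with the app's key.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"StringNotEquals":
                       {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"StringNotEquals":
                       {"s3:x-amz-server-side-encryption-aws-kms-key-id":
                        APP_KEY_ARN}}},
    ],
}


def check(action, resource, ctx=None):
    return evaluate([IDENTITY_POLICY, BUCKET_POLICY], action, resource, ctx)


if __name__ == "__main__":
    obj = BUCKET + "/reports/q1.csv"
    kms = {"s3:x-amz-server-side-encryption": "aws:kms",
           "s3:x-amz-server-side-encryption-aws-kms-key-id": APP_KEY_ARN}
    print(check("s3:PutObject", obj, kms))                 # Allow
    print(check("s3:PutObject", obj))                      # Deny: unencrypted
    print(check("s3:PutObject", obj,
                {"s3:x-amz-server-side-encryption": "AES256"}))  # Deny: SSE-S3
    print(check("ec2:TerminateInstances",
                "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"))  # Deny
```

The point worth taking from the run: the identity policy alone would let the user upload plaintext, and only the bucket policy's explicit Deny statements close that gap. The third statement pins the KMS key, so an upload that says `aws:kms` but names no key (and would therefore land under the account's default S3 key) is refused as well.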

Laroy Shtotland (IT Security Consultant) commented:
btan (Exec Consultant) commented:
If possible, I suggest you look at the AWS security whitepaper and check out
- Managing OS-level Access to Amazon EC2 Instances
- Protecting Data at Rest on Amazon S3
- Managing Application and Administrative Access to AWS Public Cloud Services
- Protecting Data in Transit to Amazon S3
- Using Amazon Virtual Private Cloud (VPC)
- Using Security Zoning and Network Segmentation
- Manage Security Monitoring, Alerting, Audit Trail, and Incident Response
https://aws.amazon.com/whitepapers/aws-security-best-practices/
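The security-group example in the first answer (SSH only from the home network, HTTP open to everyone) is really a small segmentation policy, and the whitepaper item on security zoning above is the same idea at VPC scale. The following added example (not from the original thread and not AWS code) audits ingress rules in the `IpPermissions` shape that `DescribeSecurityGroups` returns against such a policy, using only the standard library. The sample rules and the 203.0.113.0/24 "home network" are constructed for the example.

```python
"""Audit EC2 security-group ingress rules against a segmentation policy
(added example, stdlib only, constructed sample data)."""
import ipaddress


def _sources(rule):
    """All CIDR sources of one rule, IPv4 and IPv6 (group-to-group rules
    are out of scope for this audit)."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_ingress(rules, policy):
    """policy maps a port to the CIDRs allowed to reach it; any port not in
    the policy may not be exposed at all. Returns a list of
    (port_or_range, offending_cidr, reason) tuples; empty means compliant."""
    findings = []
    for rule in rules:
        proto = rule["IpProtocol"]
        # "-1" means every protocol and therefore every port.
        lo, hi = (0, 65535) if proto == "-1" else (rule["FromPort"], rule["ToPort"])
        label = str(lo) if lo == hi else f"{lo}-{hi}"
        for cidr in _sources(rule):
            src = ipaddress.ip_network(cidr, strict=False)
            # 1. Ports the rule opens that the policy never lists.
            if any(p not in policy for p in range(lo, hi + 1)):
                findings.append((label, str(src),
                                 "opens port(s) not in the segmentation policy"))
            # 2. Listed ports: the source must sit inside an approved network
            #    of the same address family (subnet_of rejects mixed families).
            for port, allowed in policy.items():
                if not lo <= port <= hi:
                    continue
                nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
                if not any(n.version == src.version and src.subnet_of(n)
                           for n in nets):
                    findings.append((str(port), str(src),
                                     "source outside approved networks"))
    return findings


# Constructed policy matching the answer: SSH from the home network only,
# web ports from anywhere (v4 and v6).
POLICY = {
    22: ["203.0.113.0/24"],
    80: ["0.0.0.0/0", "::/0"],
    443: ["0.0.0.0/0", "::/0"],
}

GOOD_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

BAD_RULES = [
    # SSH exposed to the whole Internet.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    # A database port the policy never approved, even from private space.
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    # "All traffic" from one admin host: allowed on 22/80/443, but it also
    # opens every other port, which the audit must still flag.
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.5/32"}]},
]

if __name__ == "__main__":
    print(audit_ingress(GOOD_RULES, POLICY))   # []
    for f in audit_ingress(BAD_RULES, POLICY):
        print(f)
```

Two checks are deliberate here: a source is approved only if it is a subnet of an allowed network (so 0.0.0.0/0 does not pass for port 22 just because it contains the home network), and an all-protocols rule is reported for the unlisted ports it opens even when its source is trusted for the listed ones.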