Solved

Cloud Infrastructure Security

Posted on 2016-09-08
Last Modified: 2016-09-09
Could someone explain the security features of Amazon's EC2 and S3 for protecting sensitive data and applications?
Question by:K K
3 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 41791235
AWS Security covers
- Infrastructure Security
- DDoS Mitigation
- Data Encryption
- Inventory and Configuration
- Monitoring and Logging
- Identity and Access Control
- Penetration Testing

Specifically, EC2 and S3 are secure by default. Two key security areas, to simplify the discussion here, that I see as important in context are (1) Data Confidentiality via Encryption and (2) Identity & Access Control of Data.

(1) You can choose to encrypt data using SSE-S3, SSE-C, SSE-KMS, or a client library such as the Amazon S3 Encryption Client. All four enable you to store sensitive data encrypted at rest in Amazon S3.
You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol. If you need extra security you can use the Server Side Encryption (SSE) option or the Server Side Encryption with Customer-Provided Keys (SSE-C) option to encrypt data stored at rest. Amazon S3 provides the encryption technology for both SSE and SSE-C. Alternatively, you can use your own encryption libraries to encrypt data before storing it in Amazon S3.
SSE-S3 provides an integrated solution where Amazon handles key management and key protection using multiple layers of security.
SSE-C enables you to leverage Amazon S3 to perform the encryption and decryption of your objects while retaining control of the keys used to encrypt objects.
SSE-KMS enables you to use AWS Key Management Service (AWS KMS) to manage your encryption keys. AWS KMS provides additional security controls to support customer efforts to comply with PCI-DSS, HIPAA/HITECH, and FedRAMP industry requirements.
With SSE, every protected object is encrypted with a unique key. This object key is itself encrypted by a separate master key. A new master key is issued at least monthly. Encrypted data, encryption keys and master keys are stored and secured on separate hosts for multiple layers of protection.
(2) By using IAM with Amazon EC2, you can control whether users in your organization can perform a task using specific Amazon EC2 API actions and whether they can use specific AWS resources.
For example, for Amazon EC2, one of the following AWS managed policies might meet your needs:
• PowerUserAccess
• ReadOnlyAccess
• AmazonEC2FullAccess
• AmazonEC2ReadOnlyAccess
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html

There is also network access as another layer:
Security groups enable you to control traffic to your instance, including the kind of traffic that can reach your instance. For example, you can allow computers from only your home network to access your instance using SSH. If your instance is a web server, you can allow all IP addresses to access your instance via HTTP, so that external users can browse the content on your web server.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

For more info on (1) and (2), see below:
FAQ (See security section) - https://aws.amazon.com/s3/faqs/
Security overview - https://aws.amazon.com/security/
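The key hierarchy described in point (1) above (a unique data key per object, wrapped by a separate master key that is rotated periodically) can be seen end to end in the following added example. It is not code from the answer or from AWS: the `KeyHierarchy` class is a hypothetical stand-in for the key-management role, and the cipher is a standard-library-only PRF keystream (HMAC-SHA256 in counter mode) with an encrypt-then-MAC tag so that the example runs offline; S3 SSE itself uses AES-256 inside AWS-managed infrastructure, not this construction. The point it demonstrates is that rotating the master key only re-wraps the small data keys and never requires re-encrypting the stored objects, and that a tampered ciphertext fails to decrypt rather than yielding garbage.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Illustrative construction (assumption, not S3's real cipher): keystream from
# HMAC-SHA256 over nonce||counter, XORed with the data, then an HMAC tag.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext under key; output = nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()   # derive separate keys
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()   # for encryption and MAC
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError if tampered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class StoredObject:
    """What the storage layer keeps: the ciphertext plus its wrapped data key."""
    master_key_id: int
    wrapped_data_key: bytes
    ciphertext: bytes


class KeyHierarchy:
    """Hypothetical key manager: holds the master keys and only ever uses a
    plaintext data key inside encrypt/decrypt/rotate (the KMS-like role)."""

    def __init__(self):
        self.master_keys = {1: secrets.token_bytes(32)}
        self.current_id = 1

    def encrypt_object(self, plaintext: bytes) -> StoredObject:
        data_key = secrets.token_bytes(32)                 # unique key per object
        wrapped = _seal(self.master_keys[self.current_id], data_key)
        return StoredObject(self.current_id, wrapped, _seal(data_key, plaintext))

    def decrypt_object(self, obj: StoredObject) -> bytes:
        data_key = _open(self.master_keys[obj.master_key_id], obj.wrapped_data_key)
        return _open(data_key, obj.ciphertext)

    def rotate_master_key(self, objects) -> int:
        """Issue a new master key and re-wrap every data key under it; the
        object ciphertext is never touched. Returns the new master key id."""
        self.current_id += 1
        self.master_keys[self.current_id] = secrets.token_bytes(32)
        for obj in objects:
            data_key = _open(self.master_keys[obj.master_key_id], obj.wrapped_data_key)
            obj.wrapped_data_key = _seal(self.master_keys[self.current_id], data_key)
            obj.master_key_id = self.current_id
        return self.current_id


if __name__ == "__main__":
    kh = KeyHierarchy()
    stored = [kh.encrypt_object(b"record-1"), kh.encrypt_object(b"record-2")]
    kh.rotate_master_key(stored)
    print([kh.decrypt_object(o) for o in stored])
```

The same shape applies to client-side encryption with the Amazon S3 Encryption Client: the wrapped data key travels as object metadata next to the ciphertext, and whoever holds the master key (KMS, or your own library) is the only party that can unwrap it.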
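Point (2) above says IAM lets you decide, per EC2 API action and per resource, who may do what. The following added example (not from the answer, and not AWS's own evaluator) implements the core of that decision logic over a policy written in the IAM JSON shape: default deny, a matching Allow grants, and a matching Deny overrides any Allow. The policy, account id and instance id are constructed placeholders; wildcard matching uses `fnmatch` as a simple stand-in for IAM's matcher, and advanced features such as NotAction and condition keys are deliberately not modelled.

```python
import fnmatch
import json

# Constructed sample policy: the user may describe anything and stop
# instances, except one protected instance (placeholder account and id).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:StopInstances"],
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": "ec2:StopInstances",
     "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-PROTECTED"}
  ]
}
""")


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate: str, fold_case: bool) -> bool:
    """'*' and '?' wildcards; action names are case-insensitive, ARNs are not."""
    if fold_case:
        candidate = candidate.lower()
    return any(
        fnmatch.fnmatchcase(candidate, p.lower() if fold_case else p)
        for p in _as_list(patterns)
    )


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request against one policy: start from deny, let any
    matching Allow grant access, and let any matching Deny win outright."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False                       # explicit deny overrides everything
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def effective_actions(policy: dict, candidate_actions, resource: str):
    """Least-privilege review helper: which of the candidate actions would
    this policy actually permit on the given resource?"""
    return sorted(a for a in candidate_actions if is_allowed(policy, a, resource))


if __name__ == "__main__":
    arn = "arn:aws:ec2:us-east-1:111122223333:instance/i-PROTECTED"
    print(is_allowed(SAMPLE_POLICY, "ec2:StopInstances", arn))       # False
    print(effective_actions(SAMPLE_POLICY,
                            ["ec2:DescribeInstances", "ec2:StopInstances",
                             "ec2:TerminateInstances"], "*"))
```

Running `effective_actions` over the full list of `ec2:*` action names is a quick way to see how much a broad managed policy such as PowerUserAccess really grants compared with a scoped custom policy.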
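The security-group example in the answer (SSH only from the home network, HTTP from anywhere) is worked through below as an added example that is not from the answer or from AWS. Security groups are allow-lists, so the evaluator admits a packet only when some ingress rule matches its protocol, port range and source address, and drops everything else; the `audit_rules` helper is a hypothetical reviewer check that flags administrative ports exposed to `0.0.0.0/0`. The CIDRs are constructed documentation ranges, not real networks.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    protocol: str       # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str


# Constructed rule set for the answer's web-server case (placeholder CIDRs).
WEB_SERVER_SG = [
    IngressRule("tcp", 22, 22, "203.0.113.0/24"),   # SSH from the home network only
    IngressRule("tcp", 80, 80, "0.0.0.0/0"),        # HTTP from anywhere
]

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def ingress_allowed(rules, protocol: str, port: int, source_ip: str) -> bool:
    """Allow-list semantics: admitted only if a rule matches, otherwise dropped."""
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
            continue
        # ip_address in ip_network is False across IPv4/IPv6 versions, which is
        # what we want: an IPv6 source never matches an IPv4 rule.
        if src in ipaddress.ip_network(rule.cidr, strict=False):
            return True
    return False


def audit_rules(rules):
    """Flag rules that expose an administrative port to the whole Internet."""
    findings = []
    for rule in rules:
        if ipaddress.ip_network(rule.cidr, strict=False).prefixlen != 0:
            continue                      # scoped to a specific network: fine
        if rule.protocol == "-1":
            findings.append(f"all protocols open to {rule.cidr}")
            continue
        for port, name in sorted(ADMIN_PORTS.items()):
            if rule.from_port <= port <= rule.to_port:
                findings.append(
                    f"{rule.protocol} {rule.from_port}-{rule.to_port} open to "
                    f"{rule.cidr} includes admin port {port} ({name})"
                )
    return findings


if __name__ == "__main__":
    print(ingress_allowed(WEB_SERVER_SG, "tcp", 22, "203.0.113.7"))     # True
    print(ingress_allowed(WEB_SERVER_SG, "tcp", 22, "198.51.100.9"))    # False
    print(audit_rules([IngressRule("tcp", 0, 65535, "0.0.0.0/0")]))
```

Because security groups are stateful, the return traffic for an admitted connection is allowed automatically, so only the inbound side needs rules like these; the audit helper is the kind of check worth running over every group before an instance is exposed.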
 
LVL 5

Expert Comment

by:Laroy Shtotland
ID: 41791324
 
LVL 65

Expert Comment

by:btan
ID: 41791458
If possible, I suggest you look at the AWS security whitepaper and check out:
- Managing OS-level Access to Amazon EC2 Instances
- Protecting Data at Rest on Amazon S3
- Managing Application and Administrative Access to AWS Public Cloud Services
- Protecting Data in Transit to Amazon S3
- Using Amazon Virtual Private Cloud (VPC)
- Using Security Zoning and Network Segmentation
- Manage Security Monitoring, Alerting, Audit Trail, and Incident Response
https://aws.amazon.com/whitepapers/aws-security-best-practices/