Solved

Cloud Infrastructure Security

Posted on 2016-09-08
127 Views
Last Modified: 2016-09-09
Could someone explain the security features of Amazon's EC2 and S3 for protecting sensitive data and applications?
Question by: K K
3 Comments
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 41791235
AWS security covers:
- Infrastructure Security
- DDoS Mitigation
- Data Encryption
- Inventory and Configuration
- Monitoring and Logging
- Identity and Access Control
- Penetration Testing

Specific to EC2 and S3: both are secure by default. Two key security areas, to simplify the discussion here, that I see as important in this context are (1) Data Confidentiality via Encryption and (2) Identity & Access Control of Data.

(1) You can choose to encrypt data using SSE-S3, SSE-C, SSE-KMS, or a client library such as the Amazon S3 Encryption Client. All four enable you to store sensitive data encrypted at rest in Amazon S3.
You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol. If you need extra security you can use the Server Side Encryption (SSE) option or the Server Side Encryption with Customer-Provided Keys (SSE-C) option to encrypt data stored at rest. Amazon S3 provides the encryption technology for both SSE and SSE-C. Alternatively you can use your own encryption libraries to encrypt data before storing it in Amazon S3.
SSE-S3 provides an integrated solution where Amazon handles key management and key protection using multiple layers of security.
SSE-C enables you to leverage Amazon S3 to perform the encryption and decryption of your objects while retaining control of the keys used to encrypt objects.
SSE-KMS enables you to use AWS Key Management Service (AWS KMS) to manage your encryption keys. AWS KMS provides additional security controls to support customer efforts to comply with PCI-DSS, HIPAA/HITECH, and FedRAMP industry requirements.
With SSE, every protected object is encrypted with a unique key. This object key is itself encrypted by a separate master key. A new master key is issued at least monthly. Encrypted data, encryption keys and master keys are stored and secured on separate hosts for multiple layers of protection.
(2) By using IAM with Amazon EC2, you can control whether users in your organization can perform a task using specific Amazon EC2 API actions and whether they can use specific AWS resources.
For example, for Amazon EC2, one of the following AWS managed policies might meet your needs:
• PowerUserAccess
• ReadOnlyAccess
• AmazonEC2FullAccess
• AmazonEC2ReadOnlyAccess
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html

There is also network access as another layer:
Security groups enable you to control traffic to your instance, including the kind of traffic that can reach your instance. For example, you can allow computers from only your home network to access your instance using SSH. If your instance is a web server, you can allow all IP addresses to access your instance via HTTP, so that external users can browse the content on your web server.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

For more info on (1) and (2), see below:
FAQ (See security section) - https://aws.amazon.com/s3/faqs/
Security overview - https://aws.amazon.com/security/
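The answer above lists three server-side encryption modes and says the choice is a request-time option. The following is an added example, not code from the answer or from AWS: it builds the S3 REST headers that select SSE-S3, SSE-KMS or SSE-C, generates a bucket policy that denies uploads arriving without server-side encryption, and checks sample uploads against that policy offline. The evaluator models only the two condition operators the policy uses (Null and StringNotEquals) and is a teaching stand-in for the IAM engine, not a copy of it; bucket name, key alias and the customer key are made up.

```python
"""Added example (not part of btan's answer or any AWS code): S3 server-side
encryption request headers, a bucket policy that refuses unencrypted uploads,
and a small offline check of requests against that policy."""
import base64
import hashlib

SSE_HEADER = "x-amz-server-side-encryption"
SSE_KEY_ID_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSEC_ALG_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSEC_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSEC_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"
COND_KEY = "s3:x-amz-server-side-encryption"


def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Headers a PutObject request carries to select the given SSE mode."""
    if mode == "SSE-S3":
        # Amazon generates, rotates and protects the key; nothing else to send.
        return {SSE_HEADER: "AES256"}
    if mode == "SSE-KMS":
        # Without a key id, S3 falls back to the account's AWS-managed S3 key.
        headers = {SSE_HEADER: "aws:kms"}
        if kms_key_id:
            headers[SSE_KEY_ID_HEADER] = kms_key_id
        return headers
    if mode == "SSE-C":
        # The caller supplies a 256-bit AES key on every request. S3 does not
        # store the key (only a salted HMAC of it to validate later requests),
        # so losing the key loses the object; S3 also rejects SSE-C over plain
        # HTTP, so these headers must only ever travel over HTTPS.
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 32-byte customer key")
        key_md5 = hashlib.md5(customer_key).digest()
        return {
            SSEC_ALG_HEADER: "AES256",
            SSEC_KEY_HEADER: base64.b64encode(customer_key).decode(),
            SSEC_MD5_HEADER: base64.b64encode(key_md5).decode(),
        }
    raise ValueError(f"unknown SSE mode {mode!r}")


def require_sse_policy(bucket, kms_only=False):
    """Bucket policy denying PutObject without an SSE header and, optionally,
    any PutObject that selects something other than SSE-KMS."""
    arn = f"arn:aws:s3:::{bucket}/*"
    statements = [{
        "Sid": "DenyUnencryptedUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": arn,
        "Condition": {"Null": {COND_KEY: "true"}},
    }]
    if kms_only:
        statements.append({
            "Sid": "DenyNonKmsUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": arn,
            "Condition": {"StringNotEquals": {COND_KEY: "aws:kms"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def upload_denied_by(policy, headers):
    """Sid of the first Deny statement whose condition matches, else None.

    The condition key mirrors the request header of the same name. SSE-C
    requests never send that header, so the Null condition denies them just
    like a plaintext upload; allow SSE-C explicitly (via the
    s3:x-amz-server-side-encryption-customer-algorithm key) if you want it.
    As in IAM, a negated operator (StringNotEquals) matches when the key is
    absent from the request."""
    value = headers.get(SSE_HEADER)
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        cond = statement.get("Condition", {})
        if cond.get("Null", {}).get(COND_KEY) == "true" and value is None:
            return statement["Sid"]
        expected = cond.get("StringNotEquals", {}).get(COND_KEY)
        if expected is not None and value != expected:
            return statement["Sid"]
    return None


if __name__ == "__main__":
    policy = require_sse_policy("example-sensitive-bucket", kms_only=True)
    samples = [
        ("no SSE", {}),
        ("SSE-S3", sse_headers("SSE-S3")),
        ("SSE-KMS", sse_headers("SSE-KMS", kms_key_id="alias/example-key")),
        ("SSE-C", sse_headers("SSE-C", customer_key=bytes(range(32)))),
    ]
    for label, headers in samples:
        verdict = upload_denied_by(policy, headers) or "allowed by this policy"
        print(f"{label:8s} -> {verdict}")
```

Running the block shows the caveat that catches people in practice: a policy written to "require encryption" via the Null condition also blocks SSE-C uploads, because SSE-C signals itself through different headers. Decide up front which modes you want to permit and write a statement per mode.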
LVL 5

Expert Comment

by:Laroy Shtotland
ID: 41791324
LVL 64

Expert Comment

by:btan
ID: 41791458
If possible, I suggest you look at the AWS security whitepaper and check out:
- Managing OS-level Access to Amazon EC2 Instances
- Protecting Data at Rest on Amazon S3
- Managing Application and Administrative Access to AWS Public Cloud Services
- Protecting Data in Transit to Amazon S3
- Using Amazon Virtual Private Cloud (VPC)
- Using Security Zoning and Network Segmentation
- Manage Security Monitoring, Alerting, Audit Trail, and Incident Response
https://aws.amazon.com/whitepapers/aws-security-best-practices/
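The whitepaper topics above (security zoning, network segmentation, audit trail) and the security-group advice in the accepted answer come down to one recurring check: which ingress rules expose an instance to the whole internet. The following is an added example, not code from the thread or from AWS tooling: it audits security groups in the JSON shape that EC2 DescribeSecurityGroups returns, flags administrative ports or all-traffic rules reachable from 0.0.0.0/0 or ::/0, and builds the narrower rule the answer describes (SSH only from a named network). Both sample groups and their ids are constructed for the demonstration; 203.0.113.0/24 is a documentation range standing in for "your home network".

```python
"""Added example (not part of the thread or of any AWS tool): audit security
group ingress rules for world-reachable admin ports and build safe rules."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"


def ingress_rule(protocol, port, cidr):
    """Single-port ingress rule in DescribeSecurityGroups shape; refuses to
    build an administrative-port rule that is open to the whole internet."""
    network = ipaddress.ip_network(cidr, strict=True)  # rejects malformed CIDRs
    if port in ADMIN_PORTS and network.prefixlen == 0:
        raise ValueError(f"{ADMIN_PORTS[port]} must not be open to the world")
    if network.version == 4:
        ranges = {"IpRanges": [{"CidrIp": str(network)}]}
    else:
        ranges = {"Ipv6Ranges": [{"CidrIpv6": str(network)}]}
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port, **ranges}


def open_to_world(perm):
    """True if any source range of the permission is 0.0.0.0/0 or ::/0."""
    v4 = any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_group(group):
    """Return (group id, label, message) findings for risky world-open rules.
    Rules open to the world on non-admin TCP ports (80, 443) are not flagged,
    since that is exactly the web-server case the answer allows."""
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        if not open_to_world(perm):
            continue
        if perm.get("IpProtocol") == "-1":  # all protocols, no port fields
            findings.append((gid, "ALL", "all protocols and ports open to the world"))
            continue
        if perm.get("IpProtocol") != "tcp":
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for port, name in sorted(ADMIN_PORTS.items()):
            if lo <= port <= hi:
                findings.append((gid, name, f"{name} (tcp/{port}) open to the world"))
    return findings


# Constructed sample groups (ids are placeholders, not real AWS ids).
WEB_SG = {
    "GroupId": "sg-web-example",
    "GroupName": "web-tier",
    "IpPermissions": [
        ingress_rule("tcp", 80, WORLD_V4),
        ingress_rule("tcp", 443, WORLD_V4),
        ingress_rule("tcp", 22, "203.0.113.0/24"),  # SSH only from "home"
    ],
}
BAD_SG = {
    "GroupId": "sg-admin-example",
    "GroupName": "legacy-admin",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


if __name__ == "__main__":
    for group in (WEB_SG, BAD_SG):
        findings = audit_security_group(group)
        print(f"{group['GroupName']}: {len(findings)} finding(s)")
        for _, label, message in findings:
            print(f"  [{label}] {message}")
```

Feeding the output of `aws ec2 describe-security-groups` (the `SecurityGroups` list) to `audit_security_group` one group at a time gives the same report for a live account; the logic only reads the fields shown above.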