Solved

Cloud Infrastructure Security

Posted on 2016-09-08
70 Views
Last Modified: 2016-09-09
Could someone explain the security features of Amazon's EC2 and S3 for protecting sensitive data and applications?
Question by: K K

3 Comments
LVL 61

Accepted Solution

by: btan (earned 500 total points)
ID: 41791235
AWS Security covers:
- Infrastructure Security
- DDoS Mitigation
- Data Encryption
- Inventory and Configuration
- Monitoring and Logging
- Identity and Access Control
- Penetration Testing

Specifically, EC2 and S3 are secure by default. Two key security areas that I see as important in this context, to simplify the discussion, are (1) Data Confidentiality via Encryption and (2) Identity & Access Control of Data.

(1) You can choose to encrypt data using SSE-S3, SSE-C, SSE-KMS, or a client library such as the Amazon S3 Encryption Client. All four enable you to store sensitive data encrypted at rest in Amazon S3.
You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol. If you need extra security, you can use the Server Side Encryption (SSE) option or the Server Side Encryption with Customer-Provided Keys (SSE-C) option to encrypt data stored at rest. Amazon S3 provides the encryption technology for both SSE and SSE-C. Alternatively, you can use your own encryption libraries to encrypt data before storing it in Amazon S3.
SSE-S3 provides an integrated solution where Amazon handles key management and key protection using multiple layers of security.
SSE-C enables you to leverage Amazon S3 to perform the encryption and decryption of your objects while retaining control of the keys used to encrypt objects.
SSE-KMS enables you to use AWS Key Management Service (AWS KMS) to manage your encryption keys. AWS KMS provides additional security controls to support customer efforts to comply with PCI-DSS, HIPAA/HITECH, and FedRAMP industry requirements.
With SSE, every protected object is encrypted with a unique key. This object key is itself encrypted by a separate master key. A new master key is issued at least monthly. Encrypted data, encryption keys and master keys are stored and secured on separate hosts for multiple layers of protection.
(2) By using IAM with Amazon EC2, you can control whether users in your organization can perform a task using specific Amazon EC2 API actions and whether they can use specific AWS resources.
For example, for Amazon EC2, one of the following AWS managed policies might meet your needs:
• PowerUserAccess
• ReadOnlyAccess
• AmazonEC2FullAccess
• AmazonEC2ReadOnlyAccess
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html

There is also network access as another layer.
Security groups enable you to control traffic to your instance, including the kind of traffic that can reach your instance. For example, you can allow computers from only your home network to access your instance using SSH. If your instance is a web server, you can allow all IP addresses to access your instance via HTTP, so that external users can browse the content on your web server.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

For more info on (1) and (2), see below:
FAQ (See security section) - https://aws.amazon.com/s3/faqs/
Security overview - https://aws.amazon.com/security/
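The two controls in the accepted answer, server-side encryption of S3 objects and security-group ingress, can both be checked offline as code. The following is an added example, not from the original post or from AWS: it classifies S3 PUT Object requests by the server-side encryption header they carry (SSE-S3, SSE-KMS or SSE-C) so that unencrypted uploads can be caught, and it flags security-group ingress rules that admit the whole internet on ports other than the ones meant to be public (the "SSH from my home network only, HTTP from anywhere" pattern described above). The upload headers and the security-group record are constructed samples in the shape of S3 request headers and `describe-security-groups` output; the group id, key alias, CIDRs and object keys are placeholders.

```python
"""Offline checks for S3 server-side encryption on upload and for
security-group ingress exposure.  Added example, not from the original
post or from AWS; all sample data below is constructed."""
import ipaddress

# Header names and values S3 uses to select a server-side encryption mode.
SSE_HEADER = "x-amz-server-side-encryption"                         # AES256 -> SSE-S3, aws:kms -> SSE-KMS
SSEC_ALG_HEADER = "x-amz-server-side-encryption-customer-algorithm"  # SSE-C (customer-provided key)
SSEC_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSEC_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"
ENCRYPTED_MODES = ("SSE-S3", "SSE-KMS", "SSE-C")


def sse_mode(headers):
    """Classify a PUT Object request by the SSE mode its headers request.

    Returns "SSE-S3", "SSE-KMS", "SSE-C", "INVALID-SSE-C" (algorithm given
    but key or MD5 missing) or "NONE".  Header names are matched
    case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if SSEC_ALG_HEADER in h:
        if SSEC_KEY_HEADER in h and SSEC_MD5_HEADER.lower() in h:
            return "SSE-C"
        return "INVALID-SSE-C"
    value = h.get(SSE_HEADER, "")
    if value == "AES256":
        return "SSE-S3"
    if value == "aws:kms":
        return "SSE-KMS"
    return "NONE"


def unencrypted_uploads(uploads):
    """Return the object keys whose request would store plaintext at rest."""
    return [key for key, headers in uploads.items() if sse_mode(headers) not in ENCRYPTED_MODES]


def exposed_ingress(security_group, allowed_public_ports=(80, 443)):
    """Return ingress rules open to 0.0.0.0/0 or ::/0 on ports that are not
    meant to be public.  A single-port rule on an allowed public port
    (e.g. HTTP on 80) passes; anything else, including "all traffic", is
    reported."""
    findings = []
    for rule in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        # A /0 prefix means the rule admits every address of that family.
        public = [c for c in cidrs if ipaddress.ip_network(c).prefixlen == 0]
        if not public:
            continue
        proto = rule.get("IpProtocol")
        ports = None if proto == "-1" else (rule.get("FromPort"), rule.get("ToPort"))
        if ports is not None and ports[0] == ports[1] and ports[0] in allowed_public_ports:
            continue
        findings.append({"GroupId": security_group.get("GroupId"), "protocol": proto,
                         "ports": ports, "cidrs": public})
    return findings


# Constructed sample PUT Object header sets (key alias and SSE-C key values are placeholders).
SAMPLE_UPLOADS = {
    "reports/q3.pdf": {"Content-Type": "application/pdf", "x-amz-server-side-encryption": "AES256"},
    "reports/q3.xlsx": {"x-amz-server-side-encryption": "aws:kms",
                        "x-amz-server-side-encryption-aws-kms-key-id": "alias/EXAMPLE-KEY"},
    "raw/dump.csv": {"Content-Type": "text/csv"},          # no SSE header at all
    "raw/secret.bin": {"x-amz-server-side-encryption-customer-algorithm": "AES256",
                       "x-amz-server-side-encryption-customer-key": "<base64 key, placeholder>",
                       "x-amz-server-side-encryption-customer-key-MD5": "<base64 md5, placeholder>"},
}

# Constructed security group in the shape of `describe-security-groups` output.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",   # placeholder id
    "GroupName": "web-server",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},            # public web: fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},            # SSH to the world: finding
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},       # SSH from home network: fine
    ],
}

if __name__ == "__main__":
    for key, headers in SAMPLE_UPLOADS.items():
        print(f"{key}: {sse_mode(headers)}")
    print("unencrypted:", unencrypted_uploads(SAMPLE_UPLOADS))
    for f in exposed_ingress(SAMPLE_SG):
        print("exposed ingress:", f)
```

Run against real data, the header check belongs in an upload wrapper or a review of CloudTrail `PutObject` events, and the ingress check over the JSON that `aws ec2 describe-security-groups` returns; both functions take plain dicts so no AWS credentials are needed to exercise them.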
LVL 4

Expert Comment

by: Laroy Shtotland
ID: 41791324
LVL 61

Expert Comment

by: btan
ID: 41791458
If possible, I suggest you look at the AWS security whitepaper and check out:
- Managing OS-level Access to Amazon EC2 Instances
- Protecting Data at Rest on Amazon S3
- Managing Application and Administrative Access to AWS Public Cloud Services
- Protecting Data in Transit to Amazon S3
- Using Amazon Virtual Private Cloud (VPC)
- Using Security Zoning and Network Segmentation
- Manage Security Monitoring, Alerting, Audit Trail, and Incident Response
https://aws.amazon.com/whitepapers/aws-security-best-practices/