




Amazon Web Services: Overview of Security Processes

Table of Contents

- Introduction
- Shared Security Responsibility Model
  - AWS Security Responsibilities
  - Customer Security Responsibilities
- AWS Global Infrastructure Security
  - AWS Compliance Program
  - Physical and Environmental Security
    - Fire Detection and Suppression
    - Power
    - Climate and Temperature
    - Management
    - Storage Device Decommissioning
  - Business Continuity Management
    - Availability
    - Incident Response
    - Company-Wide Executive Review
    - Communication
  - Network Security
    - Secure Network Architecture
    - Secure Access Points
    - Transmission Protection
    - Amazon Corporate Segregation
    - Fault-Tolerant Design
    - Network Monitoring and Protection
  - AWS Access
    - Account Review and Audit
    - Background Checks
    - Credentials Policy
  - Secure Design Principles
  - Change Management
    - Software
    - Infrastructure
- AWS Account Security Features
  - AWS Credentials
    - Passwords
    - AWS Multi-Factor Authentication (AWS MFA)
    - Access Keys
    - Key Pairs
    - X.509 Certificates
  - Individual User Accounts
  - Secure HTTPS Access Points
  - Security Logs
  - AWS Trusted Advisor Security Checks
- AWS Service-Specific Security
  - Compute Services
    - Amazon Elastic Compute Cloud (Amazon EC2) Security
    - Auto Scaling Security
  - Networking Services
    - Amazon Elastic Load Balancing Security
    - Amazon Virtual Private Cloud (Amazon VPC) Security
    - Amazon Route 53 Security
    - Amazon CloudFront Security
    - AWS Direct Connect Security
  - Storage Services
    - Amazon Simple Storage Service (Amazon S3) Security
    - AWS Glacier Security
    - AWS Storage Gateway Security
    - AWS Import/Export Security
  - Database Services
    - Amazon DynamoDB Security
    - Amazon Relational Database Service (Amazon RDS) Security
    - Amazon Redshift Security
    - Amazon ElastiCache Security
  - Application Services
    - Amazon CloudSearch Security
    - Amazon Simple Queue Service (Amazon SQS) Security
    - Amazon Simple Notification Service (Amazon SNS) Security
    - Amazon Simple Workflow Service (Amazon SWF) Security
    - Amazon Simple Email Service (Amazon SES) Security
    - Amazon Elastic Transcoder Service Security
    - Amazon AppStream Security
  - Analytics Services
    - Amazon Elastic MapReduce (Amazon EMR) Security
    - Amazon Kinesis Security
    - AWS Data Pipeline Security
  - Deployment and Management Services
    - AWS Identity and Access Management (AWS IAM)
    - Amazon CloudWatch Security
    - AWS Elastic Beanstalk Security
    - AWS CloudFormation Security
    - AWS OpsWorks Security
    - AWS CloudHSM Security
    - AWS CloudTrail Security
  - Mobile Services
    - Amazon Cognito
    - Amazon Mobile Analytics
  - Applications
    - Amazon WorkSpaces
    - Amazon Zocalo
- Appendix: Glossary of Terms

Introduction

Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, providing the tools that enable customers to run a wide range of applications. Helping to protect the confidentiality, integrity, and availability of our customers' systems and data is of the utmost importance to AWS, as is maintaining customer trust and confidence. This document is intended to answer questions such as, "How does AWS help me protect my data?" Specifically, it describes the physical and operational security processes for the network and server infrastructure under AWS's management, as well as service-specific security implementations.

Shared Security Responsibility Model

Before going into the details of how AWS secures its resources, it is worth noting how security in the cloud differs from security in your on-premises data centers. When you move computer systems and data to the cloud, security responsibilities become shared between you and your cloud service provider. In this case, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you are responsible for anything you put on the cloud or connect to the cloud. This shared security responsibility model can reduce your operational burden in many ways, and in some cases may even improve your default security posture without additional action on your part.

Figure 1: AWS Shared Security Responsibility Model

The amount of security configuration work you have to do varies depending on which services you select and how sensitive your data is. However, there are certain security features, such as individual user accounts and credentials, SSL/TLS for data transmissions, and user activity logging, that you should configure no matter which AWS service you use. For more information about these security features, see the "AWS Account Security Features" section below.

AWS Security Responsibilities

Amazon Web Services is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS services. Protecting this infrastructure is AWS's number one priority, and while you can't visit our data centers or offices to see this protection firsthand, we provide several reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations (for more information, visit /compliance).

Note that in addition to protecting this global infrastructure, AWS is responsible for the security configuration of its products that are considered managed services. Examples of these types of services include Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon Elastic MapReduce, Amazon WorkSpaces, and several other services. These services provide the scalability and flexibility of cloud-based resources with the additional benefit of being managed. For these services, AWS handles basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery. For most of these managed services, all you have to do is configure logical access controls for the resources and protect your account credentials. A few of them may require additional tasks, such as setting up database user accounts, but overall the security configuration work is performed by the service.

Customer Security Responsibilities

With the AWS cloud, you can provision virtual servers, storage, databases, and desktops in minutes instead of weeks. You can also use cloud-based analytics and workflow tools to process your data as you need it, and then store it in your own data centers or in the cloud. Which AWS services you use determines how much configuration work you have to perform as part of your security responsibilities.

AWS products that fall into the well-understood category of Infrastructure as a Service (IaaS), such as Amazon EC2, Amazon VPC, and Amazon S3, are completely under your control and require you to perform all of the necessary security configuration and management tasks. For example, for EC2 instances, you are responsible for management of the guest OS (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. These are basically the same security tasks that you are used to performing no matter where your servers are located.

AWS managed services like Amazon RDS or Amazon Redshift provide all of the resources you need in order to perform a specific task, but without the configuration work that can come with them. With managed services, you don't have to worry about launching and maintaining instances, patching the guest OS or database, or replicating databases; AWS handles that for you. But as with all services, you should protect your AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM) so that each of your users has their own credentials and you can implement segregation of duties. We also recommend using multi-factor authentication (MFA) with each account, requiring the use of SSL/TLS to communicate with your AWS resources, and setting up API/user activity logging with AWS CloudTrail. For more information about additional measures you can take, refer to the AWS Security Best Practices whitepaper (/AWS_Security_Best_Practices.pdf) and the recommended reading on the AWS Security Resources webpage (/security/security-resources.html/).
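The customer-side duties just listed (a correctly configured security group on each instance, no day-to-day use of the root account's credentials, MFA on every account, and CloudTrail activity logging) can be checked mechanically. The Python below is an added example written for this page, not code from the AWS whitepaper or from any AWS tool. It runs entirely offline on constructed data shaped like boto3's describe_security_groups() response and like CloudTrail event records; every group ID, user name, address and timestamp in it is made up. The MFA check uses two fields CloudTrail does record (sessionContext.attributes.mfaAuthenticated for API calls and additionalEventData.MFAUsed for console logins) and treats the absence of both, as with a long-lived access key, as no MFA; the list of "state-changing" API name prefixes is a heuristic of this example, not an AWS classification.

```python
"""Customer-side checks under the AWS shared responsibility model.

Added example for this page, not AWS code. Works offline on constructed
input shaped like boto3 describe_security_groups() output and CloudTrail
event records; no AWS API is called. All identifiers below are made up.
"""
import ipaddress

# Administrative/database ports that must not be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Heuristic (this example's own, not an AWS list): API names that change state.
MUTATING_PREFIXES = ("Create", "Delete", "Put", "Update", "Authorize", "Revoke",
                     "Attach", "Detach", "Modify", "Stop", "Terminate")


def _is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any prefix of length 0; False for unparsable input."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def find_open_admin_ports(security_groups):
    """Return (group_id, port, service, cidr) for each ingress rule exposing an admin port to the Internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            # IpProtocol "-1" means all protocols and carries no port range in the API response.
            low, high = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world_open(cidr):
                    continue
                for port, service in ADMIN_PORTS.items():
                    if low <= port <= high:
                        findings.append((sg["GroupId"], port, service, cidr))
    return findings


def _mfa_used(record):
    """MFA evidence in a CloudTrail record; absence of both fields counts as no MFA."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    if attrs.get("mfaAuthenticated") == "true":
        return True
    return record.get("additionalEventData", {}).get("MFAUsed") == "Yes"


def flag_cloudtrail_events(records):
    """Return (eventTime, principal, eventName, sourceIP, reasons) for root use and non-MFA logins/mutations."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        principal = ident.get("userName") or ident.get("type", "unknown")
        name = rec.get("eventName", "")
        reasons = []
        if ident.get("type") == "Root":
            reasons.append("root credentials used")
        if not _mfa_used(rec):
            if name == "ConsoleLogin":
                reasons.append("console login without MFA")
            elif name.startswith(MUTATING_PREFIXES):
                reasons.append("state-changing call without MFA")
        if reasons:
            findings.append((rec["eventTime"], principal, name, rec.get("sourceIPAddress"), "; ".join(reasons)))
    return findings


# Constructed sample data: fictitious groups, users, addresses and times.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2024-05-01T08:10:00Z", "eventName": "DeleteTrail", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-05-01T08:12:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

if __name__ == "__main__":
    for f in find_open_admin_ports(SAMPLE_SECURITY_GROUPS):
        print("OPEN ", f)
    for f in flag_cloudtrail_events(SAMPLE_EVENTS):
        print("ALERT", f)
```

On the sample data the first check reports SSH on sg-0aaa and all four admin ports on sg-0ccc (an all-protocol rule open to ::/0), while the HTTPS rule and the rule restricted to 10.0.0.0/8 pass; the second check flags the root console login made without MFA and bob's DeleteTrail call made with a bare access key, but not alice's MFA-backed change or bob's read-only DescribeInstances. In practice the two inputs come from describe_security_groups() and from the CloudTrail files delivered to S3; keeping the checks separate from the fetch means they run as easily against archived logs during an incident as against live output.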
AWS Global Infrastructure Security

AWS operates the global cloud infrastructure that you use to provision a variety of basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (e.g., host OS, virtualization software) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards. As an AWS customer, you can be assured that you are building web architectures on top of some of the most secure computing infrastructure in the world.

AWS Compliance Program

The AWS Compliance Program enables customers to understand the robust security in place and then helps them streamline their compliance with industry and government requirements for security and data protection. The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:

- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- DOD CSM Levels 1-5
- PCI DSS Level 1
- ISO 27001
- ITAR
- FIPS 140-2
- MTCS Level 3

In addition, the flexibility and control that the AWS platform provides allows customers to deploy solutions that meet several industry-specific standards, including:

- HIPAA
- Cloud Security Alliance (CSA)
- Motion Picture Association of America (MPAA)

AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, accreditations, and other third-party attestations. More information is available in the Risk and Compliance whitepaper available on the website: /compliance/.

Physical and Environmental Security

AWS's data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Power

The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate and Temperature

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Management

AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.

Storage Device Decommissioning

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

Business Continuity Management

Amazon's infrastructure has a high level of availability and provides customers the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group.

Availability

Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is "cold." In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

AWS provides you with the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains (specific flood zone categorization varies by region). In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.

You should architect your AWS usage to take advantage of multiple regions and availability zones. Distributing applications across multiple availability zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

Incident Response

The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.

Company-Wide Executive Review

Amazon's Internal Audit group has recently reviewed the AWS services resiliency plans, which are also periodically reviewed by members of the Senior Executive management team and the Audit Committee of the Board of Directors.

Communication

AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a tim