The AWS Risk and Compliance Whitepaper is intended to provide information that assists AWS customers with integrating AWS into their existing control framework supporting their IT environment.
AWS communicates information about its security and control environment that is relevant to customers. AWS does this by:
Obtaining industry certifications and independent third-party attestations described in this document
Publishing information about the AWS security and control practices in whitepapers and web site content
Providing certificates, reports, and other documentation directly to AWS customers under NDA (as required)
Shared Responsibility model
AWS’ part in the shared responsibility includes
providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use
relieving the customer’s operational burden, as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates
Customers’ responsibility includes
configuring their IT environments in a secure and controlled manner for their purposes
responsibility for and management of the guest operating system (including updates and security patches) and other associated application software, as well as the configuration of the AWS-provided security group firewall
meeting stringent compliance requirements by leveraging technology such as host-based firewalls, host-based intrusion detection/prevention, encryption, and key management
(AWS, for its part, relieves the customer of the burden of operating controls by managing those controls associated with the physical infrastructure deployed in the AWS environment.)
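As an added example of the customer side of this split (it is not from the whitepaper or from AWS), the Python below audits the ingress rules of a security group for the kind of least-privilege violation an auditor looks for: a non-web port, or all traffic, open to the whole Internet. The rule shape mirrors what boto3's `ec2.describe_security_groups()` returns, but the group definitions, the group IDs and the `203.0.113.0/24` admin range are constructed test data, so the check runs offline; a weak group is shown beside its hardened form.

```python
"""
Audit EC2 security group ingress rules for least-privilege violations.

Added example, not AWS's own tooling. The dictionaries below are
constructed to look like boto3 describe_security_groups() output.
"""
from dataclasses import dataclass
from typing import Dict, List

# Source ranges that mean "the whole Internet" (IPv4 and IPv6).
ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports a public web tier may legitimately expose to the Internet (assumption).
PUBLIC_OK_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    port_range: str
    source: str
    reason: str


def _port_range(perm: Dict) -> str:
    """Human-readable port span; IpProtocol "-1" means all protocols/ports."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _exposes_non_web_port(perm: Dict) -> bool:
    """True if the rule covers anything beyond PUBLIC_OK_PORTS over TCP/UDP."""
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return True  # all-traffic or non-TCP/UDP protocols are never OK from anywhere
    lo, hi = perm["FromPort"], perm["ToPort"]
    return any(port not in PUBLIC_OK_PORTS for port in range(lo, hi + 1))


def audit_security_group(sg: Dict) -> List[Finding]:
    """Return one Finding per ingress rule that is open to the Internet on a non-web port."""
    findings: List[Finding] = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            if src in ANYWHERE and _exposes_non_web_port(perm):
                findings.append(Finding(
                    group_id=sg["GroupId"],
                    protocol=perm.get("IpProtocol", "?"),
                    port_range=_port_range(perm),
                    source=src,
                    reason="open to the Internet on a non-web port",
                ))
    return findings


# Constructed weak group: SSH and all IPv6 traffic open to the world.
WEAK_SG = {
    "GroupId": "sg-EXAMPLE-weak",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# Constructed hardened group: SSH only from an admin range, HTTPS public.
HARDENED_SG = {
    "GroupId": "sg-EXAMPLE-hardened",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG):
        findings = audit_security_group(sg)
        print(f"{sg['GroupId']}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.protocol} {f.port_range} from {f.source}: {f.reason}")
```

Against a real account the same function can be fed each element of `describe_security_groups()["SecurityGroups"]`; the allowed-port set is a policy decision and belongs with the customer's documented control objectives rather than in the code.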
Risk and Compliance Governance
AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, and other third-party attestations.
AWS customers are required to continue to maintain adequate governance over the entire IT control environment regardless of how IT is deployed.
Leading practices include
an understanding of required compliance objectives and requirements (from relevant sources),
establishment of a control environment that meets those objectives and requirements,
an understanding of the validation required based on the organization’s risk tolerance,
and verification of the operating effectiveness of their control environment.
Strong customer compliance and governance might include the following basic approach:
Review information available from AWS together with other information to understand as much of the entire IT environment as possible, and then document all compliance requirements.
Design and implement control objectives to meet the enterprise compliance requirements.
Identify and document controls owned by outside parties.
Verify that all control objectives are met and all key controls are designed and operating effectively.
Approaching compliance governance in this manner helps companies gain a better understanding of their control environment and will help clearly delineate the verification activities to be performed.
AWS Certifications, Programs, Reports, and Third-Party Attestations
AWS engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS.
AWS provides third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports directly to our customers under NDA.
Key Risk and Compliance Questions
AWS controls the physical components of the underlying technology.
The customer owns and controls everything else, including the connection points and transmissions.
Auditing for most layers and controls above the physical controls remains the responsibility of the customer.
AWS ISO 27001 and other certifications are available for auditors’ review.
AWS-defined logical and physical controls are documented in the SOC 1 Type II report and are available for review by audit and compliance teams.
AWS customers control the physical region in which their data and their servers will be located.
AWS replicates the data only within the selected region.
AWS will not move customers’ content from the selected Regions without notifying the customer, unless required to comply with the law or requests of governmental entities
Data center tours
As AWS hosts multiple customers, AWS does not allow data center tours by customers, as this would expose a wide range of customers to physical access by a third party.
An independent and competent auditor validates the presence and operation of controls as part of our SOC 1 Type II report.
This third-party validation provides customers with the independent perspective of the effectiveness of controls in place.
AWS customers that have signed a non-disclosure agreement with AWS may request a copy of the SOC 1 Type II report.
AWS strictly controls access to data centers, even for internal employees.
Third parties are not provided access to AWS data centers except when explicitly approved by the appropriate AWS data center manager per the AWS access policy.
The AWS environment is a virtualized, multi-tenant environment.
AWS has implemented security management processes, PCI controls, and other security controls designed to isolate each customer from other customers.
AWS systems are designed to prevent customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software.
Amazon EC2 utilizes a highly customized version of the Xen hypervisor.
The hypervisor is regularly assessed for new and existing vulnerabilities and attack vectors by internal and external penetration teams, and is well suited to maintaining strong isolation between guest virtual machines.
AWS is responsible for patching systems supporting the delivery of service to customers, such as the hypervisor and networking services.
AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS, SimpleDB, and EC2.
IPsec VPN tunnels to a VPC are also encrypted.
All data stored by AWS on behalf of customers has strong tenant isolation security and control capabilities
AWS does not leverage any third-party cloud providers to deliver AWS services to customers.
Distributed Denial Of Service (DDoS) attacks
The AWS network provides significant protection against traditional network security issues, and the customer can implement further protection.
AWS allows customers to move data as needed on and off AWS storage
Service provider and customer business continuity
AWS operates a business continuity program.
AWS data centers incorporate physical protection against environmental risks.
AWS’ physical protection against environmental risks has been validated by an independent auditor and has been certified.
AWS provides customers with the capability to implement a robust continuity plan with multi-region/AZ deployment architectures, backups, and data redundancy replication.
Capability to scale
The AWS cloud is distributed, highly secure and resilient, giving customers massive scale potential.
Customers may scale up or down, paying for only what they use.
AWS commits to high levels of availability in its service level agreements (SLAs), e.g. 99.9% for S3.
The AWS system development lifecycle incorporates industry best practices, which include formal design reviews by the AWS Security Team, source code analysis, threat modeling and completion of a risk assessment.
AWS does not generally outsource development of software.
AWS Security regularly scans all Internet-facing service endpoint IP addresses for vulnerabilities; these scans do not include customer instances.
AWS Security notifies the appropriate parties to remediate any identified vulnerabilities.
Customers can request permission to conduct scans and penetration tests of their cloud infrastructure as long as they are limited to the customer’s instances and do not violate the AWS Acceptable Use Policy. Advance approval for these types of scans is required.
AWS Certification Exam Practice Questions
Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
Open to further feedback, discussion and correction.
When preparing for a compliance assessment of your system built inside of AWS, what are three best practices for you to prepare for an audit? Choose 3 answers.
Gather evidence of your IT operational controls (Customer still needs to gather all the IT operation controls inline with their environment)
Request and obtain applicable third-party audited AWS compliance reports and certifications (Customers can request the reports and certifications produced by our third-party auditors or can request more information about AWS Compliance)
Request and obtain a compliance and security tour of an AWS data center for a pre-assessment security review (AWS does not allow data center tour)
Request and obtain approval from AWS to perform relevant network scans and in-depth penetration tests of your system’s Instances and endpoints (AWS requires prior approval before penetration tests are performed)
Schedule meetings with AWS’s third-party auditors to provide evidence of AWS compliance that maps to your control objectives (Customers can request the reports and certifications produced by our third-party auditors or can request more information about AWS Compliance)
In the shared security model, AWS is responsible for which of the following security best practices (check all that apply):
Operating system account security management
User group access management
Static code analysis
You are running a web application on AWS consisting of the following components: an Elastic Load Balancer (ELB), an Auto Scaling group of EC2 instances running Linux/PHP/Apache, and a Relational Database Service (RDS) MySQL instance. Which security measures fall into AWS’s responsibility?
Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access (Customer owned)
Protect against IP spoofing or packet sniffing
Assure all communication between EC2 instances and ELB is encrypted (Customer owned)
Install latest security patches on ELB, RDS and EC2 instances (Customer owned)
Which of the following statements is true about achieving PCI certification on the AWS platform? (Choose 2)
Your organization owns the compliance initiatives related to anything placed on the AWS infrastructure
Amazon EC2 instances must run on a single-tenancy environment (dedicated instance)
AWS manages card-holder environments
AWS Compliance provides assurance related to the underlying infrastructure