Public Cloud Providers

8/11/2019 Public Cloud Providers

1/47

1

Analysis of Amazon S3 Cloud Services

Joseph Beckman

Matthew Riedle

Hans Vargas

Purdue University

Authors Note


2/47

2

Joseph Beckman, Ph.D. Student, Center for Education and Research in Information

Assurance and Security (CERIAS), Purdue University

Matthew Riedle, M.S. Student, Cyber Forensics in Computer Information Technology,

Purdue University

Hans Vargas, M.S. Student, Center for Education and Research in Information Assurance

and Security (CERIAS), Purdue University.

This research was supported by Dr. Brandeis Marshall and Dr. Melissa Dark as part of

the INSuRE (The Information Security Research and Education) Research Grant, as well as the

National Security Agency (NSA) sponsoring and providing unclassified problems to be

researched.

Correspondence concerning this paper should be addressed to Joseph Beckman, Matthew

Riedle, and Hans Vargas, Purdue University, West Lafayette, IN 47906

Contact: [email protected], [email protected], [email protected]


3/47

3

Abstract1

Distributed computing is a familiar concept within computer science. Public distributed

computing, better known as cloud computing services, is a relatively new concept in the

marketplace. In recent years, individuals, corporations, and government agencies have begun to

leverage the resources of the Internet to perform tasks that had previously been limited to in-

house computer networks. Providers of these resources, collectively referred to as Cloud

Service Providers (CSPs), tout numerous benefits of their use, including the reduction of IT

costs. Prospective customers, however, should take a serious look at the risks, vulnerabilities,

and threats that may take place when relocating their resources to the cloud. The impacts of

cloud usage upon information security as it relates to confidentiality are not well understood, and

for that reason our research focuses on the Amazon S3 cloud storage service and as a case study

related to confidentiality from which to provide recommendations for improvement to existing

cloud security frameworks.

1Keywords: Amazon S3, AWS, Confidentiality, Cloud Computing, CSP, FedRAMP, 3PAO


4/47

4

Analysis of Amazon S3 Cloud Services

Introduction

Previous work2 categorizing risks within cloud computing identified threat and

vulnerability profiles of three major CSPs, comparing them against security controls required by

FedRAMP in order to approve the federal agencies migration of services to the cloud. This

project will focus primarily on federal agencies as the customer base of cloud services, but will

also take under consideration that private sector customers would benefit from security

guidelines established by FedRAMP adopters.

Amazon Web Services (AWS) was one of the first CSPs to be deemed compliant with

FedRAMP cloud storage service security guidelines which certified Amazons S3 cloud storage

service for use by United States federal government agencies. This project will attempt to

describe and explain the existence, usability and effectiveness of these security features related to

Amazon S3 with respect to the protection of confidentiality within the Infrastructure-as-a-

Service (IaaS) domain. It will also lay the groundwork for updating and adapting the existing

guidelines to more efficiently audit CSPs, as well as provide analysis based on open source

intelligence regarding the realization of vulnerabilities, adoption of remedial actions from

providers and customers.

2Vargas, Toriola (2012) Public Cloud Providers: A Risk Matrix.


5/47

5

Motivation

The aim of this project, through the evaluation of Amazon S3 cloud services and the re-

evaluation of the FedRAMP cloud services security guidelines, is to bring a greater level of

security to information stored in the cloud. Increasing the level of security in the cloud is an

important act to the field of information security, to the United States government, and to anyone

who uses cloud services. While this project will focus on the cloud security policies and

processes of the United States federal government, it has the potential to impact much of the

worlds population because of the widespread use of services like free e-mail, which operates

mainly as a cloud service.

Efforts to bring greater security to the cloud face many challenges that will impact this

project. The nature of cloud services, and one of the greatest benefits of this architecture, is the

lack of exposure of the systems back-end processes to the user. When evaluating the security of

such a system, however, the inability to examine these processes directly reduces the

effectiveness and meaningfulness of a security audit. Additionally, the cloud environment is very

dynamic; services are added, changed, and removed often as user needs and behaviors change.

As a result, our ability to produce changes to any security auditing framework that will be

durable and enduring will be will be limited to studying the effects that are possible to analyze

from the standpoint of a normal commercial service deployment.

While not being able to see the full impact of this project, we know that it is a relevant

issue to everyone. The motivation that is driving us to address this problem is the potential for its

solution to have wide-ranging impacts on any customer using web storage services.


6/47

6

Previous Work

An initial work on this project related to Public Cloud Providers was conducted as part of

the semester Fall-2012. That research presented an overview of the three major cloud service

providers: Amazon, Microsoft, and Google; and the determination of common threats and

vulnerabilities. Another important aspect was the evaluation of security controls available to

mitigate risk, specifically when Federal Agencies were considering transferring services to the

cloud. Institutions like FedRAMP (based on NIST standards) and CSA were consulted as

providers of guidelines and benchmarks for security in the cloud, as well as other, more specific

risk frameworks. As a result, a risk matrix was developed that displayed a match between risk

and security controls.

The trend towards moving services to cloud computing is relatively new, existing

literature on the topic of security in cloud computing tends to focus on one or more of three

areas: analyzing the security of cloud service providers (CSPs) environments, providing an

overview of the security landscape of cloud deployment models3, or creating an overall

framework for a more secure use of the cloud. Each of these three themes is addressed from

various perspectives, although comparisons tend to be rather straightforward and technical

(Batten, 2012)(Shraer, 2010)(Agrawal, 2010). Some of the work providing an overview of cloud

security discusses security in the cloud from the perspective of a particular discipline, such as

business (Gurkok, 2013). Others focus on aspects of the cloud security landscape like

institutional impact (Ksherti, 2013), or technical vulnerabilities (Marinescu, 2013). Given the

variety of missions being addressed by the myriad government agencies that may derive benefit

from and consider using Infrastructure-as-a-Service in the cloud, literature using all of these

3IaaS, PaaS, SaaS.


7/47


8/47

8

levels offered by CSPs. In order to accomplish this, BSI6 guidelines, which established

minimum-security requirements for cloud providers, were used as they describe security levels

for the K.O. (knock-out) criteria matrix. These criteria attempts to assess the security level of

cloud providers, with emphasis on Amazon as a cloud provider. The BSI represents one type of

benchmark similar to other efforts (FedRAMP in the US) that attempt to determine a security

level.

Similarly, potential users of cloud services could benefit from the existence of a cloud

certification authority that ensures the transparency of CSPs with respect to their security levels.

Such a level of security could be determined by using the K.O. criteria, providing customers with

better tools to choose cloud providers based on their security capabilities. In an increasing scale,

more and more CSPs are partnering with specialized security providers, in a Security-as-a-

Service model, to enhance cloud level of security for their customers. These services are directly

aimed to increase confidentiality rather than availability7.

According to Xiaoqi Ma (2012), the analysis of potential security risks related to cloud

services -as they relate to confidentiality, integrity and availability (CIA)- attempt to provide

answers focused on privacy. From data privacy protection to data integrity in cloud services, his

research represents a broad overview of security problems and proposed solutions. In the

meantime, Behl and Behl (2012) reviews the key challenges of implementing cloud security

solutions for a dynamic and changing cloud environment; it conducts analysis in order to

consider detailed specifications of the problem and descriptions of must have features for a

security solution. Some of the reasons that represent major concerns

6Federal Office for Information Security (Bundesamt fr Sicherheit in der Informationstechnik).7Ensuring timely and reliable access to and use of information


9/47

9

regarding security are: loss of control while moving services to the cloud, multi-tenancy or the

co-residence of same logical/physical mediums, and service level agreements (SLAs) as the

assurance of the right expectations are considered. It further details the need for information

integrity and privacy as well as identity federation. It concludes by recommending that cloud

security management should be enhanced in order to better control and manage user data; in

addition to that, it suggests that security should become a wrapper to all cloud deployment

models in a multilayer security solution.

Behl et al. (2012), however, reviews the key challenges of implementing cloud security

solutions for a dynamic and changing cloud environment. They conduct analysis in order to

consider detailed specifications of the problem of security in cloud computing and descriptions

of required features for a security solution. Some areas of major concern regarding security are:

loss of control while moving services to the cloud, multi-tenancy or the co-residence of same

logical/physical mediums, and SLAs as the assurance of the right expectations are considered. It

further details the need for information integrity and privacy as well as identity federation. Behl

et al. conclude by recommending that cloud security management should be enhanced in order to

better control and manage user data; and it suggests that security should become a wrapper to all

cloud deployment models in a multilayer security solution.

Contrary to some assumptions, moving to a cloud environment does not eliminate the risk

associated with security. In fact, outsourcing-computing resources to the cloud generates major

new security and privacy concerns. Moreover, service layer agreements (SLAs) might not

provide adequate legal protection for cloud computer users, who are often left to deal with events

beyond their control.


10/47

10

Amazon Computing

Some of the literature that we sought was related to specific Amazon cloud computing

services, this effort resulted in the discovery of some literature that brings a light of computing

services related to Amazon.

Marinescu (2013) suggests that an in-depth study of cache placement decisions over

various cloud storage options would be beneficial to a large class of users through data

persistence, monetary costs, and high performance needs of AWS in order to generate cost-

effective data placement strategies. Marinescu describes what adequate caching strategies8could

represent for cloud services. The costs considered are for Amazons S3, EC2

9

and EBS

10

, and are

then used to obtain relevant data through a series of experiments for cost evaluation. The

relevance of this paper is on the analysis of how these different services could be distinguished

from each other based on the cost effectiveness of each one.

Garfinkel (2007) article, was considered as a way to show the progress in authentication

mechanisms, from simple authentication strategy based on the SHA1-HMAC algorithm to

todays four mechanisms for controlling access to Amazon S3 resources : Identity and Access

Management (IAM) policies, bucket policies, Access Control Lists (ACLs) and query string

authentication.

Abundant information about these four access control mechanisms are available from

Amazon S3 Access Control11, where each feature and capability are described. With IAM

policies, customers can grant IAM users fine-grained control to their Amazon S3 bucket or

8Caches can be deployed to maintain some set of precomputed/intermediate data for reuse. Especially in scientific

applications, precomputed data could not only replace the need to tirelessly compute redundant information, but it

can also significantly reduce the amount of data transfer required.9Amazon Elastic Compute Cloud (Amazon EC2)10Amazon Elastic Block Store (Amazon EBS)11

Access Control. Retrieved from: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html


11/47


12/47

12

For instance, the cloud security of Dropbox, Google Drive, and Microsoft SkyDrive are

all compared to have similar weaknesses, mostly pertaining to a lack of user authentication with

the sharing of data. This could be fixed by looking at how invitations to view the data can be

rendered useless after they have been activated. Preventing these links from continuing to work

after the recipient has used them; along with setting up a method to require a password in order

to use that link will help tighten down the security of sharing data in the cloud. From this

analysis we found ideas for investigating new security policies for cloud security.

The first chapter of Yangs and Jias (2014): Security for Cloud Storage Systems,

explores aspects of cloud technology, defining how they operate with data storage. Several items,

including on-demand self-service and network access, are already expected by the users of cloud

services when storing personal data. From there, there are two main threats described to plague

cloud providers. The first issue pertains to data integrity; users should be confident that the cloud

provider is correctly managing their personal data, especially after they want to delete it. The

second issue that arises pertains to access control; this issue is also due to the user being forced

to trust the cloud server for their access control policies. While the data integrity issue is outside

of our scope for this project, the access control information presented in this book will be very

useful in not only assessing the weakness of access control in cloud architectures, but it also

provides several concepts at how to fix these holes.


13/47

13

A Comparison of Approaches to Cloud Security

Tajadod et al. (2012) is based on the comparison of two CSPs, and it goes into detail

exploring those differences. We found relevant information about Amazon S3 as it details its

services in order to elaborate for the corresponding comparison. This description of security

features is presented following CIA. For Confidentiality it describes Amazon IAM 12MFA13, and

Key Rotation. With respect to Integrity, it describes encryption via SSL and HTTPS from client

and server sides as well as HMAC (hash-based message authentication code). Finally for

Availability, it specifies the SLA of Amazon as well as data replication capabilities.

Securing Cloud Services against Attacks

The securing of cloud services could obey reactive and proactive measures, and in that

regard Boot, Soknacki, and Somayaji provide an overview of security in the cloud computing

environment, but approach their overview from the perspective of potential attackers. This

overview, using descriptive methods, considers the various attacks that can be perpetrated upon a

client-server model, and then reduces the scope of these attacks to those that would impact the

current cloud environment, specifically one employing Hypervisor. The authors found that

attacks relating to denial-of-service, breach of confidentiality, and compromise of data integrity

are all applicable within the cloud. In relation to data confidentiality, the cloud adds a new threat

of data colocation to those of typical client-server security issues. Through colocation, an

12Identity and Access Management.

13MFA: Multi-Factor Authentication


14/47

14

attacker may be able to gain access to sensitive data residing on a cloud server by gaining access

to the server through the account of a user using weaker authentication techniques. This paper

also discuss the possibility of users with administrative-level access compromising sensitive data

either maliciously or accidentally. Though the authors feel that data encryption and monitoring

are important steps in ensuring the confidentiality of data in the cloud, these solutions remain

vulnerable to traffic analysis and cryptographic weaknesses and would require additional burden

upon cloud providers.

A document, written by Cem Gurkok (2013) as a chapter in the book, Computer and

Information Security Handbook, presents a view of cloud computing from a very strategic level.

Gurkok begins his work with an overview of the types of cloud computing platforms (SaaS,

IaaS, and PaaS), moves on to discuss security issues common to cloud services, and then

describes security issues specific to the types of cloud platforms. Gurkoks descriptive methods

are comprehensive and are able to analyze cloud security through the lens of the CIA triad, while

subdividing these issues by discipline (legal, technical, etc.), and by operative system

(infrastructure, operating system, application, etc.). The strategic level of this document provides

a starting point for the narrowing of our analysis of the problem space.

Auditing is addressed by Yu, Niu, Yang, Mu, and Susilo (2014) focuses not on cloud

security itself, rather on the function of auditing cloud services for security. This paper is the

result of conducting active attacks on cloud services, which showed that current auditing tools,

such as Oruta and Knox, failed to provide evidence that the authenticity and integrity of stored

files had been breached. In response, these authors propose a new framework that accounts for

the actions of an attacker who is active on the system and working against the goals of the

auditors. Though this work does not speak directly to the framework for security in the cloud


15/47

15

environment, it does present both the security audit process, and its current vulnerabilities. An

important aspect of our proposed framework, and of any security framework, should be the

ability to audit and verify the security of the system. Understanding these processes will be

important to the creation of a robust framework and successful evaluation of the Amazon S3

service.

Trustworthiness is researched by Shraer et al. (2010) especially after some identified 14

high-profile incidents as they related to data integrity and consistency and their relationship to

Confidentiality (through encryption) and availability (through resilience and protection against

loss). Venus is a service for securing user interactions with untrusted cloud storage, by

guaranteeing integrity and consistency. Even though this research represents an external

mechanism that could be added transparently to the cloud storage service (Amazon S3), it

provides evidence of the capability of this CSP infrastructure being able to support verification

mechanisms in their commodity cloud storage service. A split-brain simulated attack from a

system with two clients was performed in order to evaluate how venus detects service violations,

successfully identifying inconsistencies. This work represents external attempts [to cloud

providers] that enhance current storage solutions with insignificant overhead added.

Customers Role in Cloud Security

The role of customers in the acquisition, configuration, used and allocation of cloud

services falls under the responsibility of the customers in the exploitation of vulnerabilities.

Kshertis (2013) paper, from the journal Telecommunications Policy, states that a discrepancy

exists between the security claims of cloud computing vendors and users of cloud computing

14Amazon S3s silent data corruption, a privacy breach in Google Docs, and ma.gnolias data loss.


16/47

16

services. His largely descriptive study cites statistics from popular press surveys about the

security fears of cloud computing users to support his assertion. Ksherti also uses these surveys

as a jumping off point to discuss the institutions surrounding cloud computing, and how they

should be modified to build greater levels of security into the fabric of these institutions.

Specifically, he suggests the formation, through legal, technical, and social means, of a

normative culture of security in cloud computing. Given the size and diversity of missions within

the United States federal government, the importance of the culture of use surrounding cloud

computing in this environment cannot be overstated. This work will inform aspects of the

modified framework and evaluation of the Amazon S3 service that we provide in our work.

Security Framework for Cloud Services

A cloud security framework is presented by Nayak et al. (2012) detailing three phases:

server initialization, registration, and authentication, of cloud security that benefit from

incorporating user authentication into the overall cloud models. User authentication is used, in

the form of usernames and passwords in almost every system that people use on a daily basis,

such as online shopping, email, and social media. These methods are already applied by AWS in

their approach to cloud security, and the paper goes into detail about how the messages could be

laid out between Amazon's authentication servers and the user in order to maximize

authentication security. In the server authentication phase, each user is assigned a unique SK15

which is used in further steps to authenticate the users. The second phase, registration, is

dependent on whether the user is new or not. When a new user opens an Amazon S3 account,

that user must register with an email address which will need to then be verified by the user.

15Secret Key


17/47


18/47

18

is able to successfully authenticate the user, it is always advisable to include an additional

method of authentication on the chance that it does not work. In their testing, the access control

policies they designed, based off of personal habit characteristics, proved successful in

authenticating the user and preventing unauthorized access with a low failure rate.

While this system is not perfect at achieving authentication, it can prove beneficial to

Amazon's S3 cloud services. A large portion of the S3 involves data storage, which users want

quick access to from anywhere, hence using the cloud for their storage. By cloud providers,

including Amazon S3, implementing the TrustCube dynamics, they will be able to provide

quicker access for their users, allowing for better consumer satisfaction. The inclusion of user

habits is also a great method of adding an additional security layer for users who are extremely

security-conscious.

Mouratidis, et. al. (2103) provide a systematic and structured framework to the cloud

computing framework. Unlike other existing frameworks for cloud computing security, these

authors approach the topic of cloud provider selection from a decidedly technical perspective.

Although the approach is technical, descriptions within the work about high-level goal setting

work well to inform a comprehensive approach to security in this environment. This work is also

unique because it walks through a case study in building the proposed model. Despite the

existence of FedRAMP as a tool for evaluation of the security of cloud providers for the United

States federal government use, the section about secure cloud provider selection will highlight

areas within FedRAMP that may need augmentation.


19/47

19

Methods

Research was conducted on the confidentiality of data stored on the Amazon S3

Infrastructure-as-a-Service (IaaS) cloud storage environment for the purposes of developing

guidelines supplemental to FedRAMP that better address issues of confidentiality within this

environment. Time and financial constraints inherent in the course setting impacted both the

scope and nature of this research. First and foremost, the overall research methodology was

descriptive and qualitative as a result. Further, the scope of this project was narrowed to focus

only on the Amazon S3 storage service, rather than a broader assortment of Amazons cloud

service offerings, and only on the confidentiality aspect of the service, rather than all aspects of

the C-I-A triad.

The key aspect of research during this study was an extensive literature review, which

began with general research of the cloud computing environment. Ultimately, this review was

also narrowed necessarily to match the scope of the research question. Beyond narrowing the

focus of the research to confidentiality metrics and issues relating to the Amazon S3 cloud

storage service, issues and resolutions to issues that could not be verified either through testing

or through an independent third-party were also removed from the scope of this research;

however, Amazon has summarized how it complies with federal privacy laws (Amazon, 2014).

The research methods supported the following research motive: The cloud computing

environment is an extremely dynamic space, and several sets of guidelines are being developed

to promote secure use of cloud storage resources. In this context, the research question to be

answered in this study is, Are current FedRAMP guidelines sufficient to meet the challenges of

data confidentiality faced by United States federal government agencies in the Amazon S3 cloud,


20/47

20

or should guidelines be added, changed, or segmented by level of security required for a

project?

Discussion

On February 8, 2011, the Chief Information Officer of the United States released the

Federal Cloud Computing Strategy (FCCS) document (Kundra, 2011) . The goal of this

document was to set forth a strategy that would increase the efficiency of information technology

use in the federal government both in terms of cost and time (Kundra, 2011, p. 1) . The FCCS

policy is designed to work in conjunction with, and in support of, the CIO's February 2010

Federal Data Center Consolidation Initiative (FDCCI), which seeks to raise data center

efficiency through the elimination of 800 federal data centers by 2015 (Kundra, 2011, p. 8) .

Based on estimates by the federal Office of Management and Budget (OMB), 25% of federal IT

spending was now being targeted for migration to cloud computing environments (Kundra, 2011,

p. 1).

Within the Decision Framework for Cloud Migration, the FCCS document does discuss

security requirements to be considered when agencies make decisions about the type of cloud to

be used, and the speed at which migration should occur (Kundra, 2011, pp. 11-14) . FCCS

frames the evaluation criteria for security considerations in the cloud in terms of the Federal

Information Security Act (FISMA) requirements including, but not limited to Federal

Information Processing Standards (FIPS), and lays the responsibility for maintaining the

appropriate level of information security upon the individual agencies (Kundra, 2011, p. 13).

FCCS does, however, recognize that security (and other) concerns are likely to produce different

iterations of cloud computing within and among federal agencies by virtue of its recognition of

NIST's definition of cloud service models (Kundra, 2011, p. 6), and deployment models


21/47

21

(Kundra, 2011, p. 5), including private clouds. It also recognizes the need for a transparent

security environment between cloud providers and cloud consumers (Kundra, 2011, p. 26), and

cites the 2010 Federal Risk Authorization Management Program (FedRAMP) as responsible for

defining requirements for cloud computing security controls, including vulner-ability scanning,

and incident monitoring, logging and reporting, in support of the secure and transparent cloud

security environment (Kundra, 2011, p. 26). Also according to the FCCS, the Department of

Homeland Security will assist in the operational security of federal agencies using cloud services

by publishing a list of top security threats related to the cloud as needed, whereas NIST will

assist with continued monitoring of cloud solutions as outlined by the Six Step Risk

Management Framework (Kundra, 2011, p. 26) cited as Special Publication 800 -37, Revision

1 (Kundra, 2011, p. 26).

In the problem space of cloud computing controls exist several solutions frameworks.

FedRAMP, of course, applies to federal cloud computing and, consequently, plays a significant

role in defining the solution space. Because of its role as a controls structure for the United States

federal government, FedRAMP plays a significant role in that function for agencies that work

with the United States federal government, such as: state agencies, universities, private firms,

and foreign governments, as well as other entities that may not see the benefit in developing a

further structure. Despite FedRAMP's stature in the space, various other previously mentioned

controls structures exist. Organizations such as the Cloud Security Alliance (Cloud Security

Alliance, 2013), and trade-based professional associations (Mouratidis, 2013) have also proposed

control sets based on their own needs in cloud security. Our analysis has attempted to combine

those controls that, in our view, represent the best confidentiality controls for cloud computing

currently in existence across the community, compare the Amazon S3 service against these


22/47

22

augmented metrics, and return suggestions that are useful not only to Amazon S3, but to the

cloud computing community broadly. The timeline shownbelow presents Amazons security and

compliance releases that have impacted the security of the Amazon S3 cloud storage service that

serve as the basis for the discussion of problems and issues that follows.


23/47

23

Cloud Provider Perspective: Amazon Web Services (AWS)

AWS Compliance timeline

This compliance timeline shows security policies implemented and compliance events

starting in 2009 with HIPAA to the first quarter of 2013 with improvements to IAM policy

variables:

Date Security or Compliance Event Description

4/3/13 IAM Policy Variables Create policies containing variables that will

be dynamically evaluated using context fromthe authenticated user's session.

3/26/13 AWS CloudHSM Use dedicated Hardware Security Module

(HSM) appliances within the AWS Cloud.

3/11/13 VPC by default EC2 instances will be launched in a VPC for
http://aws.amazon.com/about-aws/whats-new/2013/04/03/announcing-iam-policy-variables/http://aws.amazon.com/about-aws/whats-new/2013/04/03/announcing-iam-policy-variables/http://aws.amazon.com/about-aws/whats-new/2013/03/26/announcing-aws-cloudhsm/http://aws.amazon.com/about-aws/whats-new/2013/03/26/announcing-aws-cloudhsm/http://aws.typepad.com/aws/2013/03/amazon-ec2-update-virtual-private-clouds-for-everyone.htmlhttp://aws.typepad.com/aws/2013/03/amazon-ec2-update-virtual-private-clouds-for-everyone.htmlhttp://aws.typepad.com/aws/2013/03/amazon-ec2-update-virtual-private-clouds-for-everyone.htmlhttp://aws.amazon.com/about-aws/whats-new/2013/03/26/announcing-aws-cloudhsm/http://aws.amazon.com/about-aws/whats-new/2013/04/03/announcing-iam-policy-variables/


24/47

24

new customers. Amazon Virtual Private

Cloud (Amazon VPC)

11/19/12 Cross-account API access using

IAM roles

Delegate temporary API access to AWS

services and resources within your AWS

account without having to share long-term

security credentials.

7/10/12 MFA-protected API access Enforce MFA authentication for AWS

service APIs via AWS Identity and Access

Management (IAM) policies.

6/11/12 IAM Roles Simplifies the process for applications to

secure access AWS service APIs from EC2

instances.

1/30/12 AWS Trusted Advisor Self-service access to proactive alerts that

identify opportunities to save money,

improve system performance, or close

security gaps.

11/11/11 Compliance Milestone: SOC 1,Type 2 Report

11/2/11 Support for virtual MFA devices Use a smartphone, tablet, or computer

running any application that supports the

open TOTP standard.

10/4/11 S3 server-side encryption Request encrypted storage when you store a

new object in Amazon S3 or when an

existing object is copied.

9/15/11 Compliance Milestone: FISMA

Moderate

8/16/11 AWS GovCloud AWS Region designed to allow US

government agencies and customers to move
http://aws.amazon.com/about-aws/whats-new/2012/11/19/Announcing-Cross-Account-API-Access-Using-IAM-Roles/http://aws.amazon.com/about-aws/whats-new/2012/11/19/Announcing-Cross-Account-API-Access-Using-IAM-Roles/http://aws.amazon.com/about-aws/whats-new/2012/11/19/Announcing-Cross-Account-API-Access-Using-IAM-Roles/http://aws.amazon.com/about-aws/whats-new/2012/07/10/Announcing-MFA-protected-API-access/http://aws.amazon.com/about-aws/whats-new/2012/07/10/Announcing-MFA-protected-API-access/http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/http://aws.amazon.com/about-aws/whats-new/2012/01/30/amazon-web-services-introduces-new-premium-support-features/http://aws.amazon.com/about-aws/whats-new/2012/01/30/amazon-web-services-introduces-new-premium-support-features/http://aws.amazon.com/about-aws/whats-new/2011/11/11/aws-publishes-new-service-organization-controls-1-report/http://aws.amazon.com/about-aws/whats-new/2011/11/11/aws-publishes-new-service-organization-controls-1-report/http://aws.amazon.com/about-aws/whats-new/2011/11/11/aws-publishes-new-service-organization-controls-1-report/http://aws.amazon.com/about-aws/whats-new/2011/11/02/Announcing-virtual-mfa-support/http://aws.amazon.com/about-aws/whats-new/2011/11/02/Announcing-virtual-mfa-support/http://aws.amazon.com/about-aws/whats-new/2011/10/04/amazon-s3-announces-server-side-encryption-support/http://aws.amazon.com/about-aws/whats-new/2011/10/04/amazon-s3-announces-server-side-encryption-support/http://aws.amazon.com/about-aws/whats-new/2011/09/15/aws-fisma-moderate/http://aws.amazon.com/about-aws/whats-new/2011/09/15/aws-fisma-moderate/http://aws.amazon.com/about-aws/whats-new/2011/09/15/aws-fisma-moderate/http://aws.amazon.com/about-aws/whats-new/2011/08/16/announcing-aws-govcloud-us/http://aws.amazon.com/about-aws/whats-new/2011/08/16/announcing-aws-govcloud-us/http://aws.amazon.com/about-aws/whats-new/2011/08/16/announcing-aws-govcloud-us/http://aws.amazon.com/about-aws/whats-new/2011/09/15/aws-fisma-moderate/http://aws.amazon.com/about-aws/whats-new/2011/09/15/aws-fisma-moderate/http://aws.amazon.com/about-aws/whats-new/2011/10/04/amazon-s3-announces-server-side-encryption-support/http://aws.amazon.com/about-aws/whats-new/2011/11/02/Announcing-virtual-mfa-support/http://aws.amazon.com/about-aws/whats-new/2011/11/11/aws-publishes-new-service-organization-controls-1-report/http://aws.amazon.com/about-aws/whats-new/2011/11/11/aws-publishes-new-service-organization-controls-1-report/http://aws.amazon.com/about-aws/whats-new/2012/01/30/amazon-web-services-introduces-new-premium-support-features/http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/http://aws.amazon.com/about-aws/whats-new/2012/07/10/Announcing-MFA-protected-API-access/http://aws.amazon.com/about-aws/whats-new/2012/11/19/Announcing-Cross-Account-API-Access-Using-IAM-Roles/http://aws.amazon.com/about-aws/whats-new/2012/11/19/Announcing-Cross-Account-API-Access-Using-IAM-Roles/


25/47

25

more sensitive workloads into the cloud by

addressing their specific regulatory and

compliance requirements.

8/3/11 AWS Direct Connect Enables you to bypass the public Internetwhen connecting to AWS.

12/7/10 Compliance Milestone: PCI DSS

Level 1

11/18/10 Compliance Milestone: ISO 27001

9/2/10 AWS Identity and Access

Management (IAM)

Enables to securely control access to AWS

services and resources for your users.

11/11/09 Compliance Milestone: SAS70

Type II Audit

8/31/09 AWS Multi-Factor Authentication

(MFA)

Provides an extra level of security that can be

applied to AWS environment.

8/26/09 Amazon VPC Provision a logically isolated section of the

Amazon Web Services (AWS) Cloud where

you can launch AWS resources in a virtual

network that you define.

4/6/09 Compliance milestone: white paper

for HIPAA-compliant data

applications

For a extended and detailed account of security related improvements to Amazon S3 for the

current 2014, see Appendix 1:Amazon Web Services (AWS) security updates.For a complete list

of compliance reports as well as certifications and third-party attestations, see Amazon WebServices. (2014). AWS Risk and Compliance Whitepaper.
http://aws.amazon.com/about-aws/whats-new/2011/08/03/Announcing-AWS-Direct-Connect/http://aws.amazon.com/about-aws/whats-new/2011/08/03/Announcing-AWS-Direct-Connect/http://aws.amazon.com/about-aws/whats-new/2010/12/07/aws-achieves-pci-dss-level-1-compliance/http://aws.amazon.com/about-aws/whats-new/2010/12/07/aws-achieves-pci-dss-level-1-compliance/http://aws.amazon.com/about-aws/whats-new/2010/12/07/aws-achieves-pci-dss-level-1-compliance/http://aws.amazon.com/about-aws/whats-new/2010/11/18/aws-achieves-iso-27001-certification/http://aws.amazon.com/about-aws/whats-new/2010/11/18/aws-achieves-iso-27001-certification/http://aws.amazon.com/about-aws/whats-new/2010/09/02/announcing-aws-identity-and-access-management-iam-preview-beta/http://aws.amazon.com/about-aws/whats-new/2010/09/02/announcing-aws-identity-and-access-management-iam-preview-beta/http://aws.amazon.com/about-aws/whats-new/2010/09/02/announcing-aws-identity-and-access-management-iam-preview-beta/http://aws.amazon.com/about-aws/whats-new/2009/11/11/aws-completes-sas70-type-ii-audit/http://aws.amazon.com/about-aws/whats-new/2009/11/11/aws-completes-sas70-type-ii-audit/http://aws.amazon.com/about-aws/whats-new/2009/11/11/aws-completes-sas70-type-ii-audit/http://aws.amazon.com/about-aws/whats-new/2009/08/31/now-available---aws-multi-factor-authentication/http://aws.amazon.com/about-aws/whats-new/2009/08/31/now-available---aws-multi-factor-authentication/http://aws.amazon.com/about-aws/whats-new/2009/08/31/now-available---aws-multi-factor-authentication/http://aws.amazon.com/about-aws/whats-new/2009/08/26/introducing-amazon-virtual-private-cloud/http://aws.amazon.com/about-aws/whats-new/2009/08/26/introducing-amazon-virtual-private-cloud/http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/http://aws.amazon.com/about-aws/whats-new/2009/08/26/introducing-amazon-virtual-private-cloud/http://aws.amazon.com/about-aws/whats-new/2009/08/31/now-available---aws-multi-factor-authentication/http://aws.amazon.com/about-aws/whats-new/2009/08/31/now-available---aws-multi-factor-authentication/http://aws.amazon.com/about-aws/whats-new/2009/11/11/aws-completes-sas70-type-ii-audit/http://aws.amazon.com/about-aws/whats-new/2009/11/11/aws-completes-sas70-type-ii-audit/http://aws.amazon.com/about-aws/whats-new/2010/09/02/announcing-aws-identity-and-access-management-iam-preview-beta/http://aws.amazon.com/about-aws/whats-new/2010/09/02/announcing-aws-identity-and-access-management-iam-preview-beta/http://aws.amazon.com/about-aws/whats-new/2010/11/18/aws-achieves-iso-27001-certification/http://aws.amazon.com/about-aws/whats-new/2010/12/07/aws-achieves-pci-dss-level-1-compliance/http://aws.amazon.com/about-aws/whats-new/2010/12/07/aws-achieves-pci-dss-level-1-compliance/http://aws.amazon.com/about-aws/whats-new/2011/08/03/Announcing-AWS-Direct-Connect/


26/47

26

Incidents related to Amazon S3 Configurations

This account of events attempts to present the perspective of security has to be from all

involved parties. When transferring services to the Cloud, there is a significant transference of

risk, but this transfer is not absolute and complete. The Customer(s) must remain vigilant to

the portion of responsibility it controls respect to security. In many cases this means the

overview of SLAs and ensuring that services are correctly configured to perform as expected

according to user or groups permissions to data privacy assurances. Following below there are

listed two reports that show configurations issues related to cloud services, one from the

customer side and another from the provider.

August 08, 2011 - Amazon S3 security: Exploiting misconfigurations (TechTarget

Magazine)

Amazon S3 misconfigurations and what companies should to do to ensure Amazon S3

security and avoid inadvertent data exposure.A security researcher, Diji Ninja, had an epiphany

when considering how Amazon S3 storage functioned: If each URL was customized with a

unique account name, it would be possible to use existing brute force techniques to enumerate

the Amazon S3 buckets and possibly access the files. The researcher developed a tool to test this

theory using standard wordlists and running them against the Amazon S3 API. The tool can also

test whether the Amazon S3 storage bucket has been properly configured for public or private

access.

Running this tool with a simple word list produces enlightening results that demonstrate

both an Amazon S3 oversight and the importance of proper customer configuration. The tool

runs through the wordlist by testing access to bucket URLs in succession in this format:


27/47


28/47

28

After reviewing the permissions of 12,328 Amazon S3 buckets the Rapid7 team revealed

that, of the 1,951 'public' ones there were some 126 billion files exposed in all, around 60 percent

of which were images. However, there were also 28,000 PHP source files (including database

usernames, passwords and API keys) and 218,000 CSV files (including personal data such as

email addresses and telephone numbers). 5 million text files, large numbers of which were

marked as private or confidential and contained sensitive personal credentials; details about the

organisations concerned and their customers. Getting even more specific on the information that

was exposed in these buckets, Rapid7 cites examples such as sales records and accounts from a

large car dealership, source code and development tools from a mobile gaming outfit, sales

'battlecards' for a large software vendor and assorted cases of employee personal information

across various spreadsheets.

The most common exposure was through log backups that were left globally accessible.

Rapid7 has since worked with Amazon to disclose this misconfiguration as it recommended its

customers to check their bucket settings unless they really want to openly share their files.


29/47


30/47

30

framework itself, we remain curious about the potential impact of FedRAMPs recent change in

jurisdiction from the General Services Administration to the Office of the Chief Information

Officer. The directives from the CIOs office relating to federal cloud computing strateg y

suggest that this move is simply administrative, and that the overall direction of FedRAMP will

remain consistent (Kundra, 2011). Though FedRAMP must constantly evolve to meet the rapidly

changing security needs in cloud computing, large changes in the framework at this stage would

disrupt the CIOs vision for government computing in the cloud, and likely make the transition

of services to the cloud far more difficult.


31/47

31

Problems and Issues

This study faced two main issues in generating its results. The first and largest of these

issues was time. Once our group was formed, and our topic assigned, we began to identify the

problem set. We felt that a broad study of security frameworks across the service groups within

cloud computing was useful, but narrowed the topic down dramatically in order to be able to

provide a substantive deliverable by the end of the course term. The short time frame also

impacted our work by forcing removal from our scope verification and validation of information

provided by Amazon about the confidentiality of the S3 service, as well as the removal of a

testing phase related to Amazon's two-factor authentication offering for its cloud services,

including S3.

Testing of two-factor authentication was also impacted by the second issue of this study,

which is funding. Devices or services that may have impacted the confidentiality of S3 could not

be purchased due to lack of funds. Though the devices that Amazon uses for two-factor

authentication within the S3 service are relatively inexpensive, many of Amazon's cloud service

offerings that is targeted toward larger organizations, such as government agencies, are not.

Without access to these services, or models that would serve as adequate substitutes, we were

prevented from performing tasks that may have produced significant insight into the security

structure and function of Amazon's web services due to the possibility of breaking live Amazon

services. Doing so would have violated the bounds of this project.


32/47


33/47

33

All organizations using, or considering the use of, cloud services would likely benefit

from the adoption by standards organizations of a data classification system similar to the

security clearance system currently used by national security-related agencies in the United

States government. These levels would be more extensive than the current FedRAMP low, and

FedRAMP medium designations, and would also incorporate higher levels of security controls

similar to those found in the DoD cloud security model (DISA, 2014). Classifying data by

sensitivity for security and privacy purposes could balance the cost of security with the benefit of

that security at these different levels, especially if developed by consensus both inside and

outside of the national security apparatus. If cloud security framework systems were augmented

with these classifications, selection and utilization of cloud services would likely be much more

straightforward and consequently, more likely to be implemented effectively.

Moving forward in cloud computing security, it is becoming increasingly important to

understand the interaction within the cloud among the various services offered. For example,

because we were not able to test Amazon's cryptographic offerings that claim to encrypt data on

the service, we recommend that sensitive data be encrypted prior to being uploaded to the cloud;

however, this recommendation takes on added challenge when data is stored on the cloud by a

SaaS application that also lives in the cloud. In light of recent challenges with government web

portals that process highly privacy-sensitive information such aswww.healthcare.govworking in

support of the Affordable Care Act, it would seem to be unthinkable to implement such a system

in a private cloud environment. We suggest that, with the proper implementation of strong

controls and monitoring, even a healthcare.gov cloud may be able to share cloud space with

other agencies in a relatively secure manner.
http://www.healthcare.gov/http://www.healthcare.gov/http://www.healthcare.gov/http://www.healthcare.gov/


34/47

34

Because our time working on this project was so short, and because the cloud computing

environment is so dynamic, opportunities for future work on this topic abound. Certainly, SaaS

and PaaS are fertile ground for study, as are the availability and integrity aspects of the C-I-A

triad, since all of these topics were scoped out of this work. Creation or adoption of the

information classification system recommended above would also be extremely worthy of

investigation.

As more users migrate to these services, and as they begin to store more sensitive

information within the cloud, it is imperative that the confidentiality of their data is assured. If

we consider applications where critical health or genetic information is stored using the cloud, or

where troops in the field use a similar type of service to communicate critical information to

commanders, the impact of data confidentiality becomes clear. Though we will not be able to

solve the majority of challenges relating to the confidentiality of data in the cloud environment

over the course of a single semester, we feel that this project will make a real and lasting

contribution to the state-of-the-art in this area, and be able to be built upon by future class

research. Ultimately, we hope to make cloud storage more secure for millions of users

worldwide.


35/47

35

References

Amazon Web Services. (2014). Amazon Web Services: Risk and Compliance April 2014.

Retrieved April 10, 2014 from:

http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf .

Astrova, I., Grivas, S. G., Schaaf, M., Koschel, A., Bernhardt, J., Kellermeier, M. D. Herr, M.

(2012). Security of a Public Cloud. 2012 Sixth International Conference on Innovative

Mobile and Internet Services in Ubiquitous Computing, 564569.

doi:10.1109/IMIS.2012.78

Behl, A., & Behl, K. (2012). An Analysis of Cloud Computing Security Issues, 109114.

Chiu, D., & Agrawal, G. (2010). Evaluating caching and storage options on the Amazon Web

Services Cloud. 2010 11th IEEE/ACM International Conference on Grid Computing, 17

24. doi:10.1109/GRID.2010.5697949

Chow, R., Jakobsson, M., Masuoka, R., Molina, J., Niu, Y., Shi, E., & Song, Z. (2010).

Authentication in the Clouds: A Framework and its, 16.

Cloud Security Alliance. (2013). SECURITY GUIDANCE FOR CRITICAL AREAS OF

FOCUS IN CLOUD, 0176.

Garfinkel, S. (2007). Commodity Grid Computing with Amazons S3 and EC2.

Gurkok, C. (2013). Securing Cloud Computing Systems. Computer and Information Security

Handbook 2e(pp. 97124). Elsevier Inc. doi:10.1016/B978-0-12-394397-2.00006-4

IronBee Open Source Web Application Firewall. (2013).

Kshetri, N. (2013). Privacy and security issues in cloud computing: The role of institutions and

institutional evolution. Telecommunications Policy, 37(4-5), 372386.

doi:10.1016/j.telpol.2012.04.011
http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdfhttp://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdfhttp://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf


36/47

36

Kundra, V. (2011). Federal Cloud Computing Strategy.

Ma, X. (2012). Security Concerns in Cloud Computing. 2012 Fourth International Conference

on Computational and Information Sciences, 10691072. doi:10.1109/ICCIS.2012.274

Marinescu, D. (2013). Cloud Computing Theory and Practice: Cloud Security (Chapter 9), 273

300. doi:10.1016/B978-0-12-404627-6.00009-9

Mouratidis, H., Islam, S., Kalloniatis, C., & Gritzalis, S. (2013). A framework to support

selection of cloud providers based on security and privacy requirements.Journal of

Systems and Software, 86(9), 22762293. doi:10.1016/j.jss.2013.03.011

Nayak, S. K., Mohapatra, S., & Majhi, B. (2012). An Improved Mutual Authentication

Framework for Cloud Computing User message, 52(5), 3641.

Shraer, A., Cachin, C., & Cidon, A. (2010). Venus: Verification for untrusted cloud storage.

Workshop on Cloud , 1929. Retrieved from

http://dl.acm.org/citation.cfm?id=1866841

Tajadod, G., Batten, L., & Govinda, K. (2012). Microsoft and Amazon: A comparison of

approaches to cloud security, 539544.

Yang, K., & Jia, X. (2014). Security for Cloud Storage Systems. Springer.

Yu, Y., Niu, L., Yang, G., Mu, Y., & Susilo, W. (2014). On the security of auditing mechanisms

for secure cloud storage.Future Generation Computer Systems, 30, 127132.

doi:10.1016/j.future.2013.05.005

United States Defense Information Systems Agency. (2014). DoD Enterprise Cloud Service

Broker.


37/47

37

APPENDICES

APPENDIX 1: Amazon Web Services (AWS) security updates

Some of the latest security improvements to Amazon Web Services (AWS) for 2014 are

listed below in order to provide a documented overview of advancements respect providing a

more secure cloud services.

April 21, 2014 - AWS accounts access keys

AWS will remove the ability to retrieve existing secret access keys for your AWS (root) account.

Secret access keys are, as the name implies, secrets, like your password. Just as AWS doesnt

allow you to retrieve your password if you forget it, you will no longer be able to retrieve the

secret access keys for your root account. This is (and always has been) the case with secret

access keys for IAM users.

April 2, 2014 - Update to AWS Sign-In

The sign-in experience for IAM users accessing AWS websites such as the AWS Management

Console, Support, or Forums. The new sign-in experience continues to provide the same

functionality as the previous one, but provides a more consistent experience for IAM users when

signing in to AWS account whether it is on a PC, tablet, or mobile phone.

April 1, 2014 - RedShift receives FedRAMP Authority to Operate (ATO)

AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP

assessment and authorization process and has been added to our list of services covered under
http://blogs.aws.amazon.com/security/post/Tx1JPM2L6BKDBK5/Coming-soon-An-important-change-to-how-you-manage-your-AWS-account-s-access-keyshttp://blogs.aws.amazon.com/security/post/Tx1JPM2L6BKDBK5/Coming-soon-An-important-change-to-how-you-manage-your-AWS-account-s-access-keyshttp://aws.amazon.com/redshifthttp://aws.amazon.com/redshifthttp://blogs.aws.amazon.com/security/post/Tx1JPM2L6BKDBK5/Coming-soon-An-important-change-to-how-you-manage-your-AWS-account-s-access-keyshttp://blogs.aws.amazon.com/security/post/Tx1JPM2L6BKDBK5/Coming-soon-An-important-change-to-how-you-manage-your-AWS-account-s-access-keys


38/47

38

our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S.

Department of Health and Human Services (HHS). This is the first new service we've added to

our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May

2013.

With the addition of Redshift we now have six FedRAMP covered services in our US East/West

FedRAMP package, including: EC2, VPC, S3, EBS, IAM and now Redshift. The US East/West

FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and

use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region.

Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it

simple and cost-effective to efficiently analyze all your data using your existing business

intelligence tools. It is optimized for datasets ranging from a few hundred gigabytes to a petabyte

or more.

March 26, 2014 - AWS Secures DoD Provisional Authorization

AWS has received a DISA Provisional Authorization under the DoD Cloud Security Model's

impact levels 1-2 for all four of AWS's Infrastructure Regions in the U.S., including AWS

GovCloud (US). With this distinction, AWS has shown it can meet the DoDs stringent security

and compliance requirements; and as a result, even more DoD agencies can now use AWSs

secure, compliant infrastructure. Built on the foundation of the FedRAMP Program, the DoD

CSM includes additional security controls specific to the DoD. The Defense Information

Systems Agency (DISA) assessed amazon compliance with additional security controls and

granted the authorization which will reduce the time necessary for DoD agencies to evaluate and

authorize the use of the AWS Cloud.
http://www.gsa.gov/portal/content/171827http://www.gsa.gov/portal/content/171827


39/47

39

March 18, 2014 - Use AWS CloudFormation to configure Web Identity Federation

Web identity federation in AWS STS enables you to create apps where users can sign in using a

web-based identity provider likeLogin with Amazon,Facebook, or Google. Your app can then

trade identity information from the provider for temporary security credentials that the app can

use to access AWS.

The AWS mobile development team created an S3PersonalFileStore sample app for iOS and

Android that shows you how to use web identity federation to let users store information in

individual S3 folders.

March 5, 2014 -High Availability IAM Design Patterns

AWS Identity and Access Management (IAM) team, provides a tutorial on how to enable

resiliency against authentication and authorization failures in an application deployed on

Amazon EC2 using a high availability design pattern based onIAM roles.

February 27, 2014 -How do I protect cross-account access using MFA?

AWSannounced support for adding multi-factor authentication (MFA) for cross-account access.

This practice will demonstrate how to create policies that enforce MFA when IAM users from

one AWS account make programmatic requests for resources in a different account.

Many might maintain multiple AWS accounts, Amazon is frequently asked how to simplify

access management across those accounts. IAM roles provide a secure and controllable

mechanism to enable cross-account access. Roles allow you to accomplish cross-account access

without any credential sharing and without the need to create duplicate IAM users. With this

announcement, you can add another layer of protection for cross-account access by requiring the

users to authenticate using anMFA devicebefore assuming a role.
http://blogs.aws.amazon.com/security/post/Tx1L257NEGB8ZFC/Use-AWS-CloudFormation-to-configure-Web-Identity-Federationhttp://blogs.aws.amazon.com/security/post/Tx1L257NEGB8ZFC/Use-AWS-CloudFormation-to-configure-Web-Identity-Federationhttp://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProviderhttp://login.amazon.com/http://aws.amazon.com/articles/4617974389850313http://blogs.aws.amazon.com/security/post/TxQ0OYRWOOK9L3/High-Availability-IAM-Design-Patternshttp://blogs.aws.amazon.com/security/post/TxQ0OYRWOOK9L3/High-Availability-IAM-Design-Patternshttp://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.htmlhttp://blogs.aws.amazon.com/security/post/TxIH1XOX2OOJKI/How-do-I-protect-cross-account-access-using-MFAhttp://blogs.aws.amazon.com/security/post/TxIH1XOX2OOJKI/How-do-I-protect-cross-account-access-using-MFAhttp://aws.typepad.com/aws/2014/02/mfa-protection-for-cross-account-access.htmlhttp://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.htmlhttp://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.htmlhttp://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.htmlhttp://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.htmlhttp://aws.typepad.com/aws/2014/02/mfa-protection-for-cross-account-access.htmlhttp://blogs.aws.amazon.com/security/post/TxIH1XOX2OOJKI/How-do-I-protect-cross-account-access-using-MFAhttp://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.htmlhttp://blogs.aws.amazon.com/security/post/TxQ0OYRWOOK9L3/High-Availability-IAM-Design-Patternshttp://aws.amazon.com/articles/4617974389850313http://login.amazon.com/http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProviderhttp://blogs.aws.amazon.com/security/post/Tx1L257NEGB8ZFC/Use-AWS-CloudFormation-to-configure-Web-Identity-Federationhttp://blogs.aws.amazon.com/security/post/Tx1L257NEGB8ZFC/Use-AWS-CloudFormation-to-configure-Web-Identity-Federation


40/47

40

February 17, 2014 - Whitepaper: Security at Scale: Logging in AWS

Security at Scale: Logging in AWS whitepaper is designed to illustrate how AWS CloudTrail

can help Amazon customers to meet compliance and security requirements through the logging

of API calls. The API call history can be used to track changes to resources, perform security

analysis, operational troubleshooting and as an aid in meeting compliance requirements.

This whitepaper is primarily focused on the functionality of AWS CloudTrail and describes how

to:

Control access to log files

Obtain alerts on log file creation and misconfiguration

Manage changes to AWS resources and log files

Manage storage of log files

Generate customized reporting of log data

The paper also relates these features to major compliance program requirements related to

logging (e.g. ISO 27001:2005, PCI DSS v2.0, FedRAMP, etc.) and provides a robust compliance

program index in the appendix for your reference.

January 15, 2014 -Tracking Federated User Access to Amazon S3 and Best Practices for

Protecting Log Data

Auditing by using logs is an important capability of any cloud platform. There are several third

party solution providers that provide auditing and analysis using AWS logs. Last November

AWS announced its own logging and analysis service, calledAWS CloudTrail. While logging is

important, understanding how to interpret logs and alerts is crucial. In this blog post, Aaron

Wilson, an AWS Professional Services Consultant, explains in detail how to interpret S3 logs

within a federated access control context.
http://blogs.aws.amazon.com/security/post/Tx8CG5W4YGH8UX/New-Whitepaper-Security-at-Scale-Logging-in-AWShttp://blogs.aws.amazon.com/security/post/Tx8CG5W4YGH8UX/New-Whitepaper-Security-at-Scale-Logging-in-AWShttp://media.amazonwebservices.com/AWS_Security_at_Scale_Logging_in_AWS.pdfhttp://blogs.aws.amazon.com/security/post/Tx1WBOHRU9GCIUG/Tracking-Federated-User-Access-to-Amazon-S3-and-Best-Practices-for-Protecting-Lohttp://blogs.aws.amazon.com/security/post/Tx1WBOHRU9GCIUG/Tracking-Federated-User-Access-to-Amazon-S3-and-Best-Practices-for-Protecting-Lohttp://blogs.aws.amazon.com/security/post/Tx1WBOHRU9GCIUG/Tracking-Federated-User-Access-to-Amazon-S3-and-Best-Practices-for-Protecting-Lohttp://aws.amazon.com/cloudtrail/http://aws.amazon.com/cloudtrail/http://blogs.aws.amazon.com/security/post/Tx1WBOHRU9GCIUG/Tracking-Federated-User-Access-to-Amazon-S3-and-Best-Practices-for-Protecting-Lohttp://blogs.aws.amazon.com/security/post/Tx1WBOHRU9GCIUG/Tracking-Federated-User-Access-to-Amazon-S3-and-Best-Practices-for-Protecting-Lohttp://media.amazonwebservices.com/AWS_Security_at_Scale_Logging_in_AWS.pdfhttp://blogs.aws.amazon.com/security/post/Tx8CG5W4YGH8UX/New-Whitepaper-Security-at-Scale-Logging-in-AWS


41/47

41

January 1, 2014 -Amazon Retrospective view of 2013

IAM: We posted a mixture of prescriptive guidance and detailed explanations about released

Identity and Access Management features and best practices geared towards practitioners.

Where's my secret access key?

A safer way to distribute AWS credentials to EC2

IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3

Resources)

Guidelines for when to use Accounts, Users, and Groups

How to rotate access keys for IAM users

Improve the security of your AWS account in less than 5 minutes

Securing access to AWS using MFAPart I

Securing access to AWS using MFAPart 2

Securing access to AWS using MFAPart 3

Policies and Permissions: IAM policies and permissions are powerful tools for authorization.

Therefore, we focused a number of articles to help you fully realize the potential of IAM.

Generating IAM Policies in Code

Writing IAM Policies: How to grant access to an Amazon S3 bucket

IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3

Resources)

Resource-level Permissions for EC2 Controlling Management Access on Specific

Instances

Announcement: Resource Permissions for additional EC2 API actions

Amazon EC2 Resource-Level Permissions for RunInstances

Announcing New IAM Policy Simulator A primer on RDS resource-level permissions

Announcing resource-level permissions for AWS OpsWorks

Identity Federation: AWS launched three identity federation features and also made several

smaller announcements
http://blogs.aws.amazon.com/security/post/TxJXE4PKGTY78G/A-Retrospective-of-2013http://blogs.aws.amazon.com/security/post/TxJXE4PKGTY78G/A-Retrospective-of-2013http://blogs.aws.amazon.com/security/post/Tx1R9KDN9ISZ0HF/-span-class-matches-Where-s-span-span-class-matches-my-span-secret-access-keyhttp://blogs.aws.amazon.com/security/post/Tx1XG3FX6VMU6O5/A-span-class-matches-safer-span-span-class-matches-way-span-to-distribute-AWS-crhttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxQYSWLSAPYVGT/Guidelines-for-when-to-use-Accounts-Users-and-Groupshttp://blogs.aws.amazon.com/security/post/Tx15CIT22V4J8RP/How-to-rotate-access-keys-for-IAM-usershttp://blogs.aws.amazon.com/security/post/Tx3QSGD587OLBJB/Improve-the-security-of-your-AWS-account-in-less-than-5-minuteshttp://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-Ihttp://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-Ihttp://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-Ihttp://blogs.aws.amazon.com/security/post/Tx3NJXSBQUB4QMH/Securing-access-to-AWS-using-MFA-Part-2http://blogs.aws.amazon.com/security/post/Tx3NJXSBQUB4QMH/Securing-access-to-AWS-using-MFA-Part-2http://blogs.aws.amazon.com/security/post/Tx3NJXSBQUB4QMH/Securing-access-to-AWS-using-MFA-Part-2http://blogs.aws.amazon.com/security/post/Tx2A63BH8RJYB0B/Securing-access-to-AWS-using-MFA-Part-3http://blogs.aws.amazon.com/security/post/Tx2A63BH8RJYB0B/Securing-access-to-AWS-using-MFA-Part-3http://blogs.aws.amazon.com/security/post/Tx2A63BH8RJYB0B/Securing-access-to-AWS-using-MFA-Part-3http://blogs.aws.amazon.com/security/post/Tx28W5SAINTLPXF/Generating-IAM-Policies-in-Codehttp://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-buckethttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/TxM6BPIXWFBDJS/Announcement-Resource-Permissions-for-additional-EC2-API-actionshttp://blogs.aws.amazon.com/security/post/Tx2YQ8C5IZM5RHH/Amazon-EC2-Resource-Level-Permissions-for-RunInstanceshttp://blogs.aws.amazon.com/security/post/TxTYGT3EHL3Y08/Announcing-New-IAM-Policy-Simulatorhttp://blogs.aws.amazon.com/security/post/Tx2H8VFYCM8A1BF/A-primer-on-RDS-resource-level-permissionshttp://blogs.aws.amazon.com/security/post/Tx2BCXSU68XSQM6/Announcing-resource-level-permissions-for-AWS-OpsWorkshttp://blogs.aws.amazon.com/security/post/Tx2BCXSU68XSQM6/Announcing-resource-level-permissions-for-AWS-OpsWorkshttp://blogs.aws.amazon.com/security/post/Tx2H8VFYCM8A1BF/A-primer-on-RDS-resource-level-permissionshttp://blogs.aws.amazon.com/security/post/TxTYGT3EHL3Y08/Announcing-New-IAM-Policy-Simulatorhttp://blogs.aws.amazon.com/security/post/Tx2YQ8C5IZM5RHH/Amazon-EC2-Resource-Level-Permissions-for-RunInstanceshttp://blogs.aws.amazon.com/security/post/TxM6BPIXWFBDJS/Announcement-Resource-Permissions-for-additional-EC2-API-actionshttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/-span-class-matches-Resource-span-span-class-matches-level-span-span-class-matchhttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-buckethttp://blogs.aws.amazon.com/security/post/Tx28W5SAINTLPXF/Generating-IAM-Policies-in-Codehttp://blogs.aws.amazon.com/security/post/Tx2A63BH8RJYB0B/Securing-access-to-AWS-using-MFA-Part-3http://blogs.aws.amazon.com/security/post/Tx3NJXSBQUB4QMH/Securing-access-to-AWS-using-MFA-Part-2http://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-Ihttp://blogs.aws.amazon.com/security/post/Tx3QSGD587OLBJB/Improve-the-security-of-your-AWS-account-in-less-than-5-minuteshttp://blogs.aws.amazon.com/security/post/Tx15CIT22V4J8RP/How-to-rotate-access-keys-for-IAM-usershttp://blogs.aws.amazon.com/security/post/TxQYSWLSAPYVGT/Guidelines-for-when-to-use-Accounts-Users-and-Groupshttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourchttp://blogs.aws.amazon.com/security/post/Tx1XG3FX6VMU6O5/A-span-class-matches-safer-span-span-class-matches-way-span-to-distribute-AWS-crhttp://blogs.aws.amazon.com/security/post/Tx1R9KDN9ISZ0HF/-span-class-matches-Where-s-span-span-class-matches-my-span-secret-access-keyhttp://blogs.aws.amazon.com/security/post/TxJXE4PKGTY78G/A-Retrospective-of-2013


42/47

42

Delegating API Access to AWS Services Using IAM Roles

Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML

2.0

New AWS web identity federation supports Amazon.com, Facebook, and Google

identities

Understanding the API options for securely delegating access to your AWS account

AWS CloudFormation now supports federated users and temporary security

credentials

New playground app to explore web identity federation with Amazon, Facebook, and

Google

Encryption:

Encrypting data in Amazon S3

AWS CloudHSM Use Cases (Part One of the AWS CloudHSM Series)

Compliance:

Auditing Security Checklist for AWS Now Available

2013 PCI Compliance Package available now

New Whitepaper: AWS Cloud Security Best Practices

AWS Achieves First FedRAMP(SM) Agency ATOs

Other: Several important topics related to AWS Security were partner related and the other two

were references to other security related material published and distributed in different venues.

Controlling network access to EC2 instances using a bastion server

Recap of re:Invent Sessions

Credentials Best Practices on the AWS Java Developers Blog

CloudBerry Active Directory Bridge for Authenticating non-AWS AD Users to S3

Analyzing OS-Related Security Events on EC2 with SplunkStorm
http://blogs.aws.amazon.com/security/post/TxC24FI9IDXTY1/Delegating-API-Access-to-AWS-Services-Using-IAM-Roleshttp://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0http://blogs.aws.amazon.com/security/post/Tx2C3F8SSJIT6CE/New-AWS-web-identity-federation-supports-Amazon-com-Facebook-and-Google-identitihttp://blogs.aws.amazon.com/security/post/Tx2C3F8SSJIT6CE/New-AWS-web-identity-federation-supports-Amazon-com-Facebook-and-Google-identitihttp://blogs.aws.amazon.com/security/post/Tx2C3F8SSJIT6CE/New-AWS-web-identity-federation-supports-Amazon-com-Facebook-and-Google-identitihttp://blogs.aws.amazon.com/security/post/Tx2C3F8SSJIT6CE/New-AWS-web-identity-federation-supports-Amazon-com-Facebook-and-Google-identitihttp://blogs.aws.amazon.com/security/post/Tx1DM54S2Q7TC8U/Understanding-the-API-options-for-securely-delegating-access-to-your-AWS-accounthttp://blogs.aws.amazon.com/security/post/Tx1MTHUNZEOMMVI/AWS-CloudFormation-now-supports-federated-users-and-temporary-security-credentiahttp://blogs.aws.amazon.com/security/post/Tx1MTHUNZEOMMVI/AWS-CloudFormation-now-supports-federated-users-and-temporary-security-credentiahttp://blogs.aws.amazon.com/security/post/Tx1MTHUNZEOMMVI/AWS-CloudFormation-now-supports-federated-users-and-temporary-security-credentiahttp://blogs.aws.amazon.com/security/post/Tx1MTHUNZEOMMVI/AWS-CloudFormation-now-supports-federated-users-and-temporary-security-credentiahttp://blogs.aws.amazon.com/security/post/Tx1XTHT1VJ1SQLX/New-playground-app-to-explore-web-identity-federation-with-Amazon-Facebook-and-Ghttp://blogs.aws.amazon.com/security/post/Tx1XTHT1VJ1SQLX/New-playground-app-to-explore-web-identity-federation-with-Amazon-Facebook-and-Ghttp://blogs.aws.amazon.com/security/post/Tx1XTHT1VJ1SQLX/New-playground-app-to-explore-web-identity-federation-with-Amazon-Facebook-and-Ghttp://blogs.aws.amazon.com/security/post/Tx1XTHT1VJ1SQLX/New-playground-app-to-explore-web-identity-federation-with-Amazon-Facebook-and-Ghttp://blogs.aws.amazon.com/security/post/Tx1274SCPXF81JI/Encrypting-data-in-Amazon-S3http://blogs.aws.amazon.com/security/post/Tx3I4NZ0SZEOZ48/AWS-CloudHSM-Use-Cases-Part-One-of-the-AWS-CloudHSM-Serieshttp://blogs.aws.amazon.com/security/post/Tx13K6TN0M2CRXF/Auditing-Security-Checklist-for-AWS-Now-Availablehttp://blogs.aws.amazon.com/security/post/Tx2BOQ6RM0ACYGT/2013-span-class-matches-PCI-span-span-class-matches-Compliance-span-Package-avaihttp://blogs.aws.amazon.com/security/post/TxDA6TS0KJK82R/New-span-class-matches-Whitepaper-span-AWS-Cloud-span-class-matches-Security-spahttp://blogs.aws.amazon.com/security/post/TxPDA8F0N24N8Y/AWS-Achieves-First-FedRAMP-SM-Agency-ATOshttp://blogs.aws.amazon.com/security/post/Tx2ZWDW1QA6D62Y/Controlling-span-class-matches-network-span-span-class-matches-access-span-to-EChttp://blogs.aws.amazon.com/security/post/Tx2NSGBHGI9PX9B/Recap-of-re-Invent-Sessionshttp://blogs.aws.amazon.com/security/post/Tx3TITQJ4FC8FG9/Credentials-Best-Practices-on-the-AWS-Java-Developers-Bloghttp://blogs.aws.amazon.com/security/post/Tx2TLNSAYXVZJA6/CloudBerry-Active-Directory-Bridge-for-Authenticating-non-AWS-AD-Users-to-S3http://blogs.aws.amazon.com/security/post/Tx3OX6P4BZQTV7K/Analyzing-OS-Related-Security-Events-on-EC2-with-SplunkStormhttp://blogs.aws.amazon.com/security/post/Tx3OX6P4BZQTV7K/Analyzing-OS-Related-Security-Events-on-EC2-with-SplunkStormhttp://blogs.aws.amazon.com/security/post/Tx2TLNSAYXVZJA6/CloudBerry-Active-Directory-Bridge-for-Authenticating-non-AWS-AD-Users-to-S3http://blogs.aws.amazon.com/security/post/Tx3TITQJ4FC8FG9/Credentials-Best-Practices-on-the-AWS-Java-Developers-Bloghttp://blogs.aws.amazon.com/security/post/Tx2NSGBHGI9PX9B/Recap-of-re-Invent-Sessionshttp://blogs.aws.amazon.com/security/post/Tx2ZWDW1QA6D62Y/Controlling-span-class-matches-network-span-span-class-matches-access-span-to-EChttp://blogs.aws.amazon.com/security/post/TxPDA8F0N24N8Y/AWS-Achieves-First-FedRAMP-SM-Agency-ATOshttp://blogs.aws.amazon.com/security/post/TxDA6TS0KJK82R/New-span-class-matches-Whitepaper-span-AWS-Cloud-span-class-matches-Security-spahttp://blogs.aws.amazon.com/security/post/Tx2BOQ6RM0ACYGT/2013-span-class-matches-PCI-span-span-class-matches-Compliance-span-Package-avaihttp://blogs.aws.amazon.com/security/post/Tx13K6TN0M2CRXF/Auditing-Security-Checklist-for-AWS-Now-Availablehttp://blogs.aws.amazon.com/security/post/Tx3I4NZ0SZEOZ48/AWS-CloudHSM-Use-Cases-Part-One-of-the-AWS-CloudHSM-Serieshttp://blogs.aws.amazon.com/security/post/Tx1274SCPXF81JI/Encrypting-data-in-Amazon-S3http://blogs.aws.amazon.com/security/post/Tx1XTHT1VJ1SQLX/New-playground-app-to-explore-web-identity-federation-with-Amazon-Facebook-and-Ghttp://blogs.aws.amazon.com/security/post/Tx1XTHT1VJ1SQLX/New-playground-app-to-explore-web-identity-federation-with-Amazon-Facebook-and-Ghttp://blogs.aws.amazon.com/security/post/Tx1MTHUNZEOMMVI/AWS-CloudFormation-now-supports-federated-users-and-temporary-security-credentiahttp://blogs.aws.amazon.com/security/post/Tx1MTHUNZEOMMVI/AWS-CloudFormation-now-supports-federated-users-and-temporary-security-credentiahttp://blogs.aws.amazon.com/security/post/Tx1DM54S2Q7TC8U/Understanding-the-API-options-for-securely-delegating-access-to-your-AWS-accounthttp://blogs.aws.amazon.com/security/post/Tx2C3F8SSJIT6CE/New-AWS-web-identity-federation-supports-Amazon-com-Facebook-and-Google-identitihttp://blogs.aws.amazon.com/security/post/Tx2C3F8SSJIT6CE/New-AWS-web-identity-federation-supports-Amazon-com-Facebook-and-Google-identitihttp://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0http://blogs.aws.amazon.com/security/post/TxC24FI9IDXTY1/Delegating-API-Access-to-AWS-Services-Using-IAM-Roles


43/47


44/47

44

Consolidated Confidentiality Security Controls - DETAILED

Control DomainCCM V3.0

Control IDControl Specification

Application &Interface Security

Data Security /

Integrity

AIS-04

Policies and procedures shall be established, and supporting business processes

and technical measures implemented, to ensure protection of confidentiality,integrity, and availability of data exchanged between one or more system

interfaces, jurisdictions, or external business relationships to prevent improper

disclosure, alteration, or destruction. These policies, procedures, processes, and

measures shall be in accordance with known legal, statutory and regulatory

compliance obligations.

Audit Assurance &

Compliance

Information System

Regulatory Mapping

AAC-03

An inventory of the organization's external legal, statutory, and regulatory

compliance obligations associated with (and mapped to) any scope and

geographically-relevant presence of data or organizationally-owned or managed

(physical or virtual) infrastructure network and systems components shall be

maintained and regularly updated as per the business need (e.g., change in

impacted-scope and/or a change in any compliance obligation).

Business ContinuityManagement &

Operational

Resilience

Policy

BCR-11

Policies and procedures shall be established, and supporting business processes

and technical measures implemented, for appropriate IT governance and servicemanagement to ensure appropriate planning, delivery and support of the

organization's IT capabilities supporting business functions, workforce, and/or

customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5).

Additionally, policies and procedures shall include defined roles and

responsibilities supported by regular workforce training.

Change Control &

Configuration

Management

Outsourced

Development

CCC-02

The use of an outsourced workforce or external business relationship for

designing, developing, testing, and/or deploying the organization's own source

code shall require higher levels of assurance of trustworthy applications (e.g.,

management supervision, established and independently certified adherence

information security baselines, mandated information security training for

outsourced workforce, and ongoing security code reviews).

Change Control &

Configuration

Management

Quality Testing

CCC-03

A program for the systematic monitoring and evaluation to ensure that standards

of quality and security baselines are being met shall be established for allsoftware developed by the organization. Quality evaluation and acceptance

criteria for information systems, upgrades, and new versions shall be established

and documented, and tests of the system(s) shall be carried out both during

development and prior to acceptance to maintain security. Management shall

have a clear oversight capacity in the quality testing process, with the final product

being certified as "fit for purpose" (the product should be suitable for the intended

purpose) and "right first time" (mistakes should be eliminated) prior to release. It is

also necessary to incorporate technical security reviews (i.e., vulnerability

assessments and/or penetration testing) to remediate vulnerabilities that pose an

unreasonable business risk or risk to customers (tenants) prior to release.

Data Security &

Information LifecycleManagment

Classification

DSI-01

Data and objects containing data shall be assigned a classification based on data

type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints,

contractual constraints, value, sensitivity, criticality to the organization, third-party

obligation for retention, and prevention of unauthorized disclosure or misuse.

Data Security &

Information Lifecycle

Management

Information Leakage

Public Cloud Providers

Documents

Transcript of Public Cloud Providers