Government Compliance in AWS
May 01, 2020 / Bryan Reynolds
Reading Time: 11 minutes
Amazon Web Services (AWS) is an on-demand cloud computing platform with customers that include organizations, individuals, and governments. It consists of many services that collectively provide the tools and building blocks users need to develop their cloud infrastructure. Amazon Elastic Compute Cloud (EC2) is one of the most essential AWS services since it provides users with compute resources via a cluster of virtual machines (VMs). These resources include central processing units (CPUs), storage, memory, and networking capability. AWS VMs also include a choice of operating systems (OSs) and preloaded application software.
AWS places a high priority on data security, allowing users to achieve the cost savings and scalability they desire while still maintaining the robust security needed for regulatory compliance. Its architecture and data centers are designed to meet the needs of even the most security-sensitive organizations. The aspects of cloud security that are evolving most rapidly include identity and access management (IAM), encryption and key management, logging and monitoring, network segmentation, and protection from distributed denial of service (DDoS) attacks. AWS also offers advanced security services that allow users to proactively mitigate their risks in real time. This capability allows users to meet their regulatory compliance requirements as they grow, without the upfront expense of managing their own infrastructure.
A computing environment that meets compliance requirements generally has greater security. AWS includes many features that enable compliance for its customers as they scale their workloads. Cloud-based compliance has a lower entry cost and is easier to operate than maintaining physical infrastructure. AWS also provides users with greater oversight, more effective security control, and a higher degree of automation.
The security controls in AWS strengthen the users' existing compliance and certification programs. The automation of many of these controls reduces the number that users must maintain, thus lowering operational costs. It also provides users with more time to meet security requirements specific to their organization.
The responsibility for security compliance is shared between AWS and the customer. This model reduces the customer’s operational workload as compared to maintaining an on-premises data center. It also provides customers with greater flexibility and control when deploying their infrastructure in AWS.
AWS manages and operates the security components from the host OS down, and is also responsible for the physical security of its infrastructure. The customer retains responsibility for the guest OS, including security patches and other software updates. Additional customer responsibilities include configuring the security group firewall that AWS provides for each instance and maintaining the associated application software.
Customers should choose their AWS security services carefully, since their responsibilities vary considerably based on a number of factors. The most important of these are the way in which the services are integrated into the customer’s IT environment and the laws of the jurisdiction in which the customer operates.
The chart below provides greater detail on the differentiation of responsibility between AWS and its customers. In general, the customer is responsible for security “in” the cloud, while AWS is responsible for security “of” the cloud.
Figure 1: AWS Shared Security Responsibilities
AWS’ responsibility for “Security of the Cloud” refers to protecting the infrastructure that runs the services in the AWS Cloud. This infrastructure includes the platform’s physical hardware, software, networking and facilities that run AWS Cloud services.
The customer’s responsibilities for “Security in the Cloud” depend on the specific service in question, so the effort needed to configure and maintain that service can vary considerably. For example, AWS classifies Amazon EC2 as Infrastructure-as-a-Service (IaaS), meaning that customers must perform all the configuration and management tasks for this service. Customers that deploy EC2 instances are also responsible for maintaining the software on those instances, including updates to the OS, applications and utilities. In addition, the configuration of the firewall, or security group, that AWS provides for each instance is the customer’s responsibility.
On the other hand, AWS is responsible for managing abstracted services like Amazon DynamoDB and Amazon S3. Specific tasks include operation of the infrastructure layer, OS and platforms. AWS also controls the customers’ ability to store and retrieve data. However, customers are still responsible for managing their data, including the classification of assets, encryption of data and access permissions.
The shared responsibility model also applies to IT controls, including their management, operation and verification. AWS is responsible for managing the controls of the physical infrastructure of the environment. Because AWS platforms are deployed separately for each customer, customers can use this deployment as an opportunity to shift the management of some IT controls to AWS, resulting in a distributed control environment. Customers can also perform their own evaluation and verification of controls based on the control and compliance documentation available from AWS. The specific types of IT controls that may be managed by AWS and/or its customers include shared controls, customer-specific controls and inherited controls.
Shared controls apply to both the customer and infrastructure layers of the AWS platform, but in different contexts. AWS provides the infrastructure requirements while the customer implements their own controls for each service. For example, AWS performs configuration management on its infrastructure devices, but the customer must configure the applications, databases and OSs for their VMs. AWS is also responsible for managing the patches and upgrades on the infrastructure’s OSs and applications, while the customer is responsible for doing so on the VMs. AWS trains its own employees on security awareness, but customers must provide this training for their own employees.
Controls that are specific to an application the customer deploys within an AWS service are the sole responsibility of the customer. Applications that provide zone security often require customer-specific controls since they route data through specific security environments.
Customers can also inherit controls from AWS, which primarily consist of physical and environmental controls. Once inherited, these controls become the customer’s responsibility.
AWS classifies its assurance programs into certifications/attestations, laws/regulations, and alignments/frameworks. Third-party independent auditors perform certifications and attestations, which form the basis for AWS’ audit reports on compliance for those programs.
Laws/regulations and alignments/frameworks are specific to the customer’s function or industry. AWS supports these programs through its security features and documents such as compliance playbooks and white papers. However, AWS’ compliance with laws and regulations isn’t formalized because its certifications and attestations already cover compliance for these programs. In some cases, the relevant regulatory body doesn’t even offer program certification to cloud providers.
Many regulatory bodies have audited AWS environments and certified its infrastructure and services as compliant with their standards. These organizations come from industries and geographic regions throughout the world. Customers can use these certifications to validate the effectiveness of AWS security controls. AWS Assurance Programs currently include the following organizations:
Figure 2: Key AWS Certifications and Assurance Programs
See the AWS Assurance Programs website for the most current list of programs.
The International Organization for Standardization (ISO) is an international body that sets standards in many areas, including information security (IS). Specific ISO standards that address this topic include ISO 27001, ISO 27017 and ISO 27018.
ISO 27001 outlines requirements for IS management systems and has been widely adopted throughout the world. It provides a systematic approach for organizations to manage sensitive information based on regular assessments.
ISO 27017 provides specific guidance on the IS aspects of cloud computing, including the implementation of cloud-specific IS controls for user organizations that supplement ISO 27001 and ISO 27002. ISO 27017 also includes guidance on IS controls for cloud providers. AWS has an attestation on ISO 27017, verifying its existing system of IS controls specific to cloud services. This attestation also demonstrates AWS’ general commitment to implementing best IS practices.
ISO 27018 is a set of practices for protecting Personally Identifiable Information (PII) data in the cloud, which is any data associated with a specific individual. These practices are based on ISO 27002 and provide guidance on implementing those controls as they apply to PII. AWS already has these controls in place to protect customer content.
The American Institute of Certified Public Accountants (AICPA) defines System and Organization Controls (SOC) as a set of reports resulting from a financial audit. Organizations use them for a variety of purposes such as validating reports on internal controls over information systems. SOC reports group these controls into categories known as Trust Service Principles.
AWS generates System and Organization Controls (SOC) reports based on independent third-party examinations describing AWS’ compliance on key objectives and controls. These reports help customers and their auditors understand how these controls support regulatory compliance requirements. AWS generates reports for SOC 1, SOC 2 and SOC 3.
SOC 1 reports include information on AWS’ control environment as it may relate to a customer’s internal controls over financial reporting (ICFR). They also provide guidance for customers to assess the effectiveness of their ICFR. SOC 2 provides AWS customers and their users with an independent assessment of AWS’ control environment as it relates to the availability, confidentiality and security of data on AWS platforms. SOC 3 reports are similar to SOC 2 reports except that they’re intended for more general use and don’t contain internal information about AWS.
The Federal Risk and Authorization Management Program (FedRAMP) sets standards for IS assessment, authorization and monitoring in the United States. It follows control standards that are already defined by the National Institute of Standards and Technology (NIST) and the Federal Information Security Management Act of 2002 (FISMA).
AWS platforms are FedRAMP-compliant, which requires them to meet numerous standards. For example, they provide FedRAMP security controls and use the templates for security packages that are stored in the FedRAMP repository. Furthermore, an accredited independent Third Party Assessment Organization (3PAO) has assessed AWS and monitors it continuously for FedRAMP compliance.
The Health Insurance Portability and Accountability Act (HIPAA) specifies many data security standards for organizations that process or store Protected Health Information (PHI). AWS enables its customers and their partners to manage PHI in compliance with HIPAA requirements.
DoD Cloud Security Model
The U.S. Defense Information Systems Agency (DISA) specifies a cloud security model (CSM) for the Department of Defense (DoD), which it documents in the DoD Security Requirements Guide (SRG). The SRG provides an authorization process for DoD users with unique architectural requirements for their cloud platform as defined by their DISA Impact Level (IL).
AWS has complied with the Payment Card Industry (PCI) Data Security Standard (DSS) since 2010. Customers who store, process or transmit cardholder data on AWS can rely on its infrastructure when managing their PCI DSS compliance certification.
AWS customers always own their content, which allows them to store, move and manage it. They can also encrypt their data, both in transit and at rest. AWS provides the tools to ensure that only authorized users are able to access a customer’s data. These tools allow access to be controlled by service and by geographic region.
AWS comprises more than 212 services as of 2020, many of which facilitate regulatory compliance.
Identity and Access Management
Identity and Access Management (IAM) enables users to securely manage access to AWS services and resources. Administrators can create and manage user groups, allowing them to easily control access for many users with the same organizational role. They can also map those roles to permissions from central directory services.
The figure below illustrates the role of IAM with that of other security features in AWS. IAM creates individual accounts, ensuring that users have their own security credentials. The Secure Socket Layer (SSL) protocol establishes secure communications via HTTPS, while security groups are used to configure the rules for virtual firewalls. A Virtual Private Cloud (VPC) allows users to create low-level constraints for accessing network resources like subnets, gateways and network address translation (NAT).
Figure 3: AWS Identity and Access Management (IAM)
Amazon S3 Server Side Encryption (SSE) allows Amazon S3 to manage data encryption. It can use a key that AWS generates or one the customer provides, allowing customers to encrypt data as they upload it to AWS just by adding another request header when they write the data objects. AWS automatically decrypts the data when authorized users retrieve it.
Amazon Macie automatically discovers, classifies and protects sensitive data through the use of machine learning (ML). This data includes intellectual property (IP) and PII, which Macie can continuously monitor for access anomalies that could indicate unauthorized access or unintentional exposure.
AWS CloudHSM allows users to store their encryption keys in hardware security modules (HSMs) that meet government standards for secure key management. This capability ensures that only the key’s owner can access it.
Federated users and applications don’t have AWS accounts, but they can obtain access to AWS resources for a limited time through the use of roles. This capability relies on external services such as Kerberos, Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory to authenticate non-AWS users.
AWS CloudTrail records the calls to AWS application programming interfaces (APIs) in log files, including the caller, caller IP address, time and request parameters. You can use this information for purposes such as compliance auditing, security analysis and tracking resource changes.
AWS Directory Service for Microsoft Active Directory
AWS Directory Service allows users to run Microsoft Active Directory (AD) in the cloud. You can also use it to connect AWS resources with Microsoft AD running on an on-premises server.
AWS builds its data centers in clusters around the world such that each cluster serves an AWS region. A customer may access any cluster and isn’t restricted to just the one in their region. Furthermore, customers can access multiple clusters at the same time. Customers retain complete control over which region they store their data in, which makes it easier to comply with regulations that have residency requirements. For example, customers based in the European Union (EU) may have a regulatory requirement to store all their data within the EU. In this case, they could choose to store their data exclusively in the AWS cluster in Frankfurt, Germany.
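As an added example (not code from the original article or from AWS), the following Python script runs three compliance checks over CloudTrail records of the kind described above: root-account API use, a security group ingress rule opened to 0.0.0.0/0 (the customer-managed firewall), and resource-creating calls outside a data-residency region, assumed here to be eu-central-1 (Frankfurt). The record layout follows CloudTrail's JSON format; the sample records, the security group id and the set of "create" API names are constructed for this example.

```python
"""Compliance checks over AWS CloudTrail records (added example, not from
the original article).  CloudTrail records carry the caller identity, source
IP, time, region and request parameters; the checks below use those fields
to flag (1) root-account API use, (2) a security group rule opened to the
whole internet and (3) resource creation outside the residency region.
All sample data is constructed; field names follow CloudTrail's format."""
import json
from ipaddress import ip_network

ALLOWED_REGIONS = {"eu-central-1"}            # assumed residency region
CREATE_CALLS = {"RunInstances", "CreateBucket", "CreateDBInstance"}  # assumed

# Constructed sample trail in CloudTrail's JSON layout.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2020-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-central-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0",
        "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22,
        "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2020-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventTime": "2020-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-central-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "example-bucket", "key": "r.csv"}},
]})


def world_open_ingress(params):
    """True if any ingress rule admits traffic from every IPv4 address."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if ip_network(rng["cidrIp"]).prefixlen == 0:
                return True
    return False


def audit_records(trail_json, allowed_regions=ALLOWED_REGIONS):
    """Return (eventTime, eventName, finding) tuples in record order."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        name, when = rec["eventName"], rec["eventTime"]
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append((when, name, "root account used"))
        if name == "AuthorizeSecurityGroupIngress" and \
                world_open_ingress(rec.get("requestParameters", {})):
            findings.append((when, name, "ingress open to 0.0.0.0/0"))
        if name in CREATE_CALLS and rec["awsRegion"] not in allowed_regions:
            findings.append((when, name, "created outside " + rec["awsRegion"]))
    return findings


if __name__ == "__main__":
    for finding in audit_records(SAMPLE_TRAIL):
        print(*finding)
```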
The AWS infrastructure has a number of features that help users deploy a resilient architecture and maintain a high level of availability. For example, its physical servers are designed to minimize customer impact during system failures, whether they’re caused by hardware or software. AWS platforms also support many disaster recovery (DR) strategies, including “pilot light” and “hot standby” environments. A pilot light system means the infrastructure can be scaled up on short notice, while hot standby mode allows the system to quickly switch to a new infrastructure in the event the current one fails.
AWS doesn’t maintain any “cold” data centers, as all of them are serving customers at all times. In the event an entire data center becomes unavailable, traffic is automatically routed to other data centers. The distribution of applications across multiple AWS Availability Zones makes AWS platforms highly resilient to most types of failures, whether they’re natural or manmade. Customers can also increase the resiliency of their systems by maintaining multiple instances of their infrastructure in different Availability Zones. They can then achieve very short recovery times through the use of data replication.
These customers are still responsible for managing the backup and recovery of their own data, but they can use the AWS infrastructure to recover critical systems quickly after a disaster without incurring the expense of maintaining another physical site.
The automation of security functions is a vital part of regulatory compliance because it reduces the chances of improper configuration due to human error. It also gives the IT department more time to focus on business-critical tasks. Furthermore, security automation often involves the greater integration of APIs in daily operations, which makes it easier for development and operations teams to work closely together. This feature is essential in DevOps, which is quickly becoming the preferred practice for many organizations.
Automated security checks are especially important when deploying new code, since they allow organizations to enforce the security controls that government compliance often requires to ensure the protection and integrity of data at all times. Another scenario in which automation is particularly useful occurs when an organization maintains infrastructure both on-premises and in the cloud. These hybrid environments require a seamless integration of the two infrastructures that’s only possible with a high degree of automation.
Amazon Inspector is an AWS service that automatically assesses the security of AWS applications, helping to improve the compliance posture of applications deployed on that platform. This service checks applications for security vulnerabilities in addition to deviations from best practices. Inspector also generates detailed reports of its findings prioritized by severity level.
These reports are based on an extensive knowledge base of rules that Inspector maps to common security best practices. For example, Inspector checks whether remote root login is enabled and whether installed software versions have known vulnerabilities. AWS security researchers regularly update Inspector’s rules.
Data security is becoming increasingly regulated by many governments and other organizations throughout the world. The responsibility for security in an AWS cloud is shared between AWS and the customer, making it essential to understand which party is responsible for meeting a particular requirement. AWS complies with many assurance programs to ensure that its customers can meet their standards, which requires regular monitoring and updates to keep these certifications current. A variety of tools are also available in AWS to help customers maintain their regulatory compliance. Baytech, an AWS Migration consulting firm, has experienced staff ready to assist you on your next project.