Global Infrastructure, Security, Privacy & Compliance Flashcards
There have been a number of news stories recently about AWS customers having sensitive data exposed because their Amazon S3 buckets were configured to allow public access – why does this keep happening?
Amazon S3 is secure by default. If customers use the default configuration, the bucket locks down access to just the account owner and root administrator. More than a million customers use Amazon S3 safely and securely.
A core tenet of AWS since the very start has been to allow builders the flexibility to change our default configurations to suit whatever style of application they’re constructing. Public websites or publicly downloadable content, for example, require buckets to be configured with world read access.
As is the case on-premises or anywhere else, an application builder who sets a new access control configuration needs to ensure that it protects access the way they intended.
Amazon S3 includes native functionality to help customers avoid inadvertent misconfigurations, such as a prominent indicator in the S3 console next to each bucket that is publicly accessible and the S3 Block Public Access feature, which allows account administrators to centrally control access settings to prevent variation in their security configurations. We have a number of services to help customers audit and consider their configuration changes. These services include AWS CloudTrail (which audits access and other operations on AWS resources such as Amazon S3 buckets) and Amazon Macie (which uses ML to recognize sensitive data such as personally identifiable information (PII) or intellectual property, and provides dashboards and alerts that give visibility into how this data is being accessed or moved).
We will continue to add capabilities that provide our customers with additional ways to triple check their customizations.
What can customers do to help ensure they do not inadvertently expose data by misconfiguring an Amazon S3 bucket?
While Amazon S3 is secure by default, we provide a range of features and services that can help customers avoid misconfigurations. For instance, AWS Config allows customers to enable prepackaged rules which help ensure that their AWS resources are in a properly configured and compliant state. Some of these rules are designed to automatically identify buckets that allow global read or write access by checking all buckets in the account and flagging content that is publicly available. With AWS CloudTrail, customers can log, continuously monitor, and retain account activity related to actions across their AWS infrastructure which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts without any configuration necessary). Amazon Macie is a security service that uses machine learning to help customers prevent data loss by automatically discovering, classifying, and protecting sensitive data in AWS. The fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks – such as sensitive data that a customer has accidentally made externally accessible. We are also continuously introducing new features and capabilities to Amazon S3 that make it even easier for customers to store their data safely, such as permission checks which prominently display an indicator in the Amazon S3 console next to each bucket that is publicly accessible, and the S3 Block Public Access feature, which allows account administrators to centrally control access settings to prevent variation in their security configurations.
There is a lot of concern around security and privacy of customer data. If AWS gets a request to hand over data, what will you do?
Amazon and AWS are vigilant about our customers’ privacy and have implemented sophisticated technical and physical measures to prevent unauthorized access. We have a world-class team of security experts monitoring our systems 24/7 to protect customer content. We will not disclose customer content in response to requests unless required to do so to comply with a legally valid and binding order, such as a subpoena or a court order. Additionally, when possible we would notify the customer before disclosing their content so they could seek protection from disclosure. It’s also important to point out that customers can choose to encrypt their content as part of a standard security process for highly sensitive content. AWS provides tools customers can use to encrypt their data at rest or in motion, or customers can choose from a number of supported 3rd party security solutions. Content that has been encrypted is rendered useless without the applicable decryption keys.
Once Data is stored in AWS, who owns it?
AWS customers retain ownership and control of their content stored in AWS.
Does AWS require the same authorization from the government for requests for data stored in facilities in the U.S. and abroad?
Yes – we use the same rigorous standards to protect our customers’ content regardless of which AWS Region they use for storage.
What is AWS’s stance on privacy?
Regardless of where a request for customer content comes from, we are vigilant about our customers’ privacy and have implemented sophisticated technical and physical measures to prevent unauthorized access. We have a world-class team of security experts monitoring our systems 24/7 to protect customer content. We will not disclose customer content in response to requests unless required to do so to comply with a legally valid and binding order, such as a subpoena or a court order. Additionally, we would notify the customer before disclosing their content so they could seek protection from disclosure, unless prohibited by law. It’s also important to point out that customers can choose to encrypt their content as part of a standard security process for highly sensitive content. AWS provides tools customers can use to encrypt their data at rest or in motion, or customers can choose from a number of supported 3rd party security solutions. Content that has been encrypted is rendered useless without the applicable decryption keys.
Has AWS changed its policy regarding moving customer data from one region to another?
One of AWS’s main benefits is its global footprint, which enables customers to deploy globally within minutes. AWS customers are increasingly operating in more than one AWS region because their customers are located all over the globe. To address the needs of our customers, we’re launching more features that make it easier for customers to operate in multiple regions, features like S3 CRR, EC2’s CR AMI Copy, etc. As always, customers retain complete ownership of their data, and it will not be moved between regions without customer consent. By providing our customers with features like these, we make it easier for them to operate globally while retaining control over where their data is stored.
Can customers and potential customers initiate a third party audit of your controls? Can they visit facilities or delegate a third party to visit the facilities?
Customers can audit their own AWS environment, and AWS provides a wide range of account audit services such as AWS CloudTrail, AWS Config, and AWS Config Rules. Customers can evaluate the effectiveness of AWS-managed controls through our independent third-party audit reports and compliance evaluations via the Amazon Artifacts portal; some are freely available on our web site, and some are available under NDA. Customers cannot visit AWS facilities, but the security measures we have in place are tested in great detail and are fully documented in our independent audit reports.
Some countries outside the U.S. are looking at laws that require local companies to keep data “in country” among other governance controls. How does an AWS customer outside the U.S. comply with these new laws?
The AWS Cloud spans 69 Availability Zones within 22 geographic Regions around the world, with announced plans for 16 more Availability Zones and five more Regions in Indonesia, Italy, Japan, South Africa, and Spain. We have two Regions on the East coast of the United States and two Regions on the West coast of the United States. We have Regions in Europe, in the UK, Germany, France, Ireland, and Sweden, in the Middle East, in Bahrain, in Singapore, in Japan, in Korea, in India, in Australia, in Brazil, and in China. Then we have two U.S. Regions called GovCloud (US), which are for customers with specific compliance requirements (such as FedRAMP) and can help support customer compliance with a variety of other requirements like ITAR and CJIS.
With AWS, customers choose the Region in which to store their data. They own and control their data, including where it is stored, how it is stored, and who has access. We don’t move their data from the Region they choose without their consent, and customers who care about protecting their data can encrypt their data in motion or at rest. For example, to learn how we help customers comply with the privacy laws in Australia, Australian companies can download a whitepaper on our compliance website that specifically addresses their potential concerns.
I would also say that I think as lawmakers take the time to get the facts about these cloud services, what’s possible for customers, and the relative value propositions of various offerings that they will not put their companies at competitive disadvantages relative to their global peers.
What does AWS do to prevent misuse of AWS services?
AWS employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services. We have automatic systems in place that detect and block many attacks before they leave our infrastructure. Our terms of usage are clear and when we find misuse we take action quickly and shut it down or isolate the abusive behavior.
Illegal activities across the Internet have been commonplace long before the cloud. Abusers who choose to run their software in an environment like Amazon EC2 make it easier for us to disable their software once the abusive behavior is investigated and confirmed. This is a significant improvement over the Internet as a whole where abusive hosts can often be inaccessible and run unabated for long periods of time. Additionally, users of Amazon EC2 use the same precautions to secure and protect their websites as they would with traditional hosting solutions. It is no easier for would-be abusers to compromise EC2 based websites than other publicly available websites. We encourage anyone who thinks they see misuse of the service to email abuse@amazonaws.com.
Isn’t it easy for hackers to use Amazon EC2 to attack others?
It’s important to understand that a person with malicious intent can find a server from anywhere – whether it’s in the cloud or not. AWS also has a dedicated team of engineers and investigators who build algorithms and mechanisms to proactively detect and prevent misuse of our services. We also respond quickly if customers or third parties bring suspected misuse to our attention. We encourage anyone who thinks they see misuse of the service to email abuse@amazonaws.com.
What are your plans for global expansion?
The AWS global infrastructure is comprised of 69 Availability Zones within 22 geographic Regions with announced plans for 16 more Availability Zones and five more AWS Regions in Indonesia, Italy, Japan, South Africa, and Spain – and we’re not close to being done. There’s a very, very large opportunity for cloud computing internationally and you can expect that we’ll continue to add Regions.
Where have you announced new AWS Regions?
I can confirm that we will have five more Regions in Indonesia, Italy, Japan, South Africa, and Spain coming online. I have no additional details to share at this time.
When are you going to open a region in [country]?
We’re constantly getting feedback from customers on where they would like the next AWS Region and we have a long list of target countries [and U.S. locations] that we are looking at. We’re always re-evaluating and reprioritizing that list and [Country/U.S. location] is just one of the many possibilities that we are currently looking at. In the fullness of time you can expect AWS Regions in multiple major countries and U.S. locations around the world.
How do you choose your next region?
Where we locate our Regions is based on a combination of factors. We consider locations in terms of how much geographic area we can cover—to give customers low latency when running applications, the availability of renewable energy, and the local government’s long-term commitment to investing in technology infrastructure.
We also look at countries with data sovereignty preferences where, for whatever reason, customers are less likely to consume services when the infrastructure is not operated from within their country, as is the case in Germany.
There are a number of other factors we consider. If you look at the size of the area that we touch in our business including infrastructure software, hardware, and data center services, these are trillions of dollars worldwide, both short and long term. And if you look at the amount of computing that’s being done in each major country of the world, it probably warrants having multiple Regions not just in the U.S., but also in Europe, and in other Asian and Latin American countries. We’re far from being done adding Regions.