AWS is an incredibly rich ecosystem of services and tools, some of which have security aspects baked in (like S3 SSE), and others that provide overarching security capabilities (like IAM and VPC) that apply to many services. With regard to data storage, operating systems, and applications, security works largely the same way in the cloud as it does on premises. Customers can and should continue to follow best practices that have served them well in their own data centers.
When moving to the public cloud, security is front and center, but many CTOs and CIOs first have to go through an education period just to learn the right questions to ask. Along the way, they come across familiar questions like "What options exist to encrypt data in transit and at rest?" and "How does my provider lessen the risk of an internal breach at their facilities?" as well as a whole new set of questions like "What is a hypervisor and how does it impact security?" and "How does public cloud impact compliance and regulatory concerns?"
Compiling the long list of "known unknowns" and then crawling through hundreds of pages of formal and informal documentation seeking to answer them can be a Herculean effort, consuming weeks of valuable time and still leaving lots of loose ends at the conclusion. In this white paper, we aim to close that gap more quickly and more reliably by explaining the most important aspects of AWS security and what they mean for the enterprise.
General Security Best Practices
The great news about security in any public cloud is that it's largely the same as security in an on-premises data center. The two biggest attack vectors any hacker aims for are always the operating system and application (code) layers, and security in these layers is handled the same way on-prem or in the cloud. To keep those layers secure, one locks down access via Role Based Access Controls (RBAC), keeps systems patched, rotates passwords, obfuscates sensitive data, runs static code analysis, and performs periodic penetration and vulnerability scans.
Those needing to provide additional security by encrypting data on the wire or at rest will find that, in addition to the open source and proprietary tools they already use, public cloud offers several additional capabilities. Many of AWS' services, such as S3, EBS, CloudFront, and others, make adding native encryption capabilities as simple as ticking a checkbox in the web GUI. In addition, AWS provides multiple options for managing encryption keys, ranging from the very high end via a Hardware Security Module or "CloudHSM," to their Key Management Service (KMS), to integration with customer-managed external Key Management Infrastructure.
When encrypting data at rest in S3, for example, one could use keys provided via any of the methods above (or even S3's native Server Side Encryption or "SSE" capability), and S3 will automatically encrypt and decrypt data on the fly, keeping the data securely encrypted at rest.
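To check which of these options each bucket actually uses, the default-encryption setting can be audited. The following is an added example, not part of the original white paper: it classifies dictionaries shaped like the S3 GetBucketEncryption response, and the bucket names, key ARN, and the require_kms policy switch are constructed assumptions.

```python
# Added example: classify S3 default-encryption settings offline.
# Input dicts follow the shape of the S3 GetBucketEncryption response;
# bucket names and the key ARN below are constructed sample values.

MODES = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS", "aws:kms:dsse": "DSSE-KMS"}

def classify(config):
    """Return (mode, kms_key_id) for one GetBucketEncryption-style dict."""
    rules = (config or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default:
            mode = MODES.get(default.get("SSEAlgorithm"), "unknown")
            return mode, default.get("KMSMasterKeyID")
    return "none", None

def audit(buckets, require_kms=False):
    """Map bucket name -> list of findings; an empty list means compliant."""
    report = {}
    for name, config in buckets.items():
        mode, key_id = classify(config)
        findings = []
        if mode == "none":
            findings.append("no default encryption rule")
        elif mode == "unknown":
            findings.append("unrecognised SSEAlgorithm")
        elif require_kms and mode == "SSE-S3":
            findings.append("uses S3-managed keys, policy requires KMS")
        elif mode in ("SSE-KMS", "DSSE-KMS") and not key_id:
            findings.append("KMS mode without an explicit key (AWS managed key is used)")
        report[name] = findings
    return report

SAMPLE = {  # constructed sample input
    "logs-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "pii-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
         "BucketKeyEnabled": True}]}},
    "legacy-bucket": None,  # no encryption configuration returned
}

if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE, require_kms=True).items():
        print(bucket, "->", findings or "ok")
```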