AWS Security and Compliance (AWS セキュリティとコンプライアンス)


1. AWS 2012.11.19

2. AWS AWS

3. & SOX, ISO 27001, PCI DSS Level I, HIPAA, SOC 1/SSAE 16/ISAE 3402/SOC 2, FISMA Low ATO, FISMA Moderate ATO, DIACAP MAC II Sensitive, FedRAMP. Customer/SI Partner/ISV OS. AWS VM / AWS VM / Amazon EBS / API / SSL / IP (individual IP or Classless Inter-Domain Routing (CIDR)). Virtual Private Cloud (VPC), AWS IPSec VPN. 2011/11/13 update

4.

5. AWS Security Center. AWS Identity & Access Management (AWS IAM). AWS Multi-Factor Authentication (AWS MFA)

6.
  • Control ownership. Who owns which controls for cloud-deployed infrastructure?
  • Auditing IT. How can auditing of the cloud provider be accomplished?
  • Sarbanes-Oxley compliance. How is SOX compliance achieved if in-scope systems are deployed in the cloud provider environment?
  • HIPAA compliance. Is it possible to meet HIPAA certification requirements while deployed in the cloud provider environment?
  • GLBA compliance. Is it possible to meet GLBA certification requirements while deployed in the cloud provider environment?
  • Federal regulation compliance. Is it possible for a US Government agency to be compliant with security and privacy regulations while deployed in the cloud provider environment?
  • Data location. Where does customer data reside?
  • E-Discovery. Does the cloud provider meet the customer's needs to meet electronic discovery procedures and requirements?
  • Data center tours. Are data center tours by customers allowed by the cloud provider?
  • Third party access. Are third parties allowed access to the cloud provider data centers?
  • Privileged actions. Are privileged actions monitored and controlled?
  • Insider access. Does the cloud provider address the threat of inappropriate insider access to customer data and applications?
  • Multi-tenancy. Is customer segregation implemented securely?
  • Hypervisor vulnerabilities. Has the cloud provider addressed known hypervisor vulnerabilities?
  • Vulnerability management. Are systems patched appropriately?
  • Encryption. Do the provided services support encryption?
  • Data ownership. What are the cloud provider's rights over customer data?
  • Data isolation. Does the cloud provider adequately isolate customer data?
  • Composite services. Does the cloud provider layer its service with other providers' cloud services?
  • Physical and environmental controls. Are these controls operated by the cloud provider specified?
  • Client-side protection. Does the cloud provider allow customers to secure and manage access from clients, such as PCs and mobile devices?
  • Server security. Does the cloud provider allow customers to secure their virtual servers?
  • Identity and Access Management. Does the service include IAM capabilities?
  • Scheduled maintenance outages. Does the provider specify when systems will be brought down for maintenance?
  • Capability to scale. Does the provider allow customers to scale beyond the original agreement?
  • Service availability. Does the provider commit to a high level of availability?
  • Distributed Denial of Service (DDoS) attacks. How does the provider protect their service against DDoS attacks?
  • Data portability. Can the data stored with a service provider be exported by customer request?
  • Service provider business continuity. Does the service provider operate a business continuity program?
  • Customer business continuity. Does the service provider allow customers to implement a business continuity plan?
  • Data durability. Does the service specify data durability?
  • Backups. Does the service provide backups to tapes?
  • Price increases. Will the service provider raise prices unexpectedly?
  • Sustainability. Does the service provider company have long term sustainability potential?

7. AWS / Customer. OS OS

8. AWS API. API: X.509 certificate. S3: Simple DB: AWS OS. LDAP, Active Directory/ADFS, etc. AWS Identity and Access Management (IAM)

9. E3 IAM AWS AWS S3 (Secure Delete)

10. AWS DR DC 1 ISP

11.

12. AWS: SSAE 16/ISAE 3402 SOC1, SOC2, ISO 27001 Certification, PCI DSS Level 1 Service Provider: Sarbanes-Oxley (SOX), FISMA (US), HIPAA, ASP/SaaS

13. SSAE16/ISAE3402 SOC1 (2011/6/15, SAS70 to SSAE16/ISAE3402). AWS NDA SOC1

14. SOC2 / Trust. AWS NDA SOC2

15. ISO 27001, ISO 27002. AWS Information Security Management System (ISMS). faqs/

16. PCI DSS Level 1 Service Provider, PCI DSS 2.0: EC2, EBS, S3, VPC, RDS, ELB, IAM (QSA). AWS Qualified Incident Response Assessors (QIRA)

17. CSA Consensus Assessments Initiative Questionnaire. CSA AWS. *CSA AWS

18. AWS ? ?

19. AWS

20. Amazon: 22

21. EU A B, US A C B. Amazon CloudWatch. Note: Availability Zone A, Availability Zone B, D A B A B C

22. AWS CloudFront, Route 53, S3, S3 RRS, SimpleDB, SQS, RDS Multi-AZ, EBS Snapshots, EBS, RDS, EC2 ephemeral drives (a.k.a. instance store)

23. EC2 AWS SSH (a.k.a. ) AWS

24. Firewall, Physical Interfaces, Amazon EC2: Customer 1, Customer 2, Customer n. Hypervisor, Virtual Interfaces: Customer 1 Security Groups, Customer 2 Security Groups, Customer n Security Groups

25.

26. VPC (ACLs): VPC OS (iptables). Encrypted File System, Encrypted Swap File, OS Firewall, Amazon Security Groups, Inbound Traffic

27. Web Tier, Application Tier, Database Tier: 80/443, AP ssh, DB. Amazon EC2 Security Group Firewall

28. Distributed Denial of Service (DDoS): Man in the Middle (MITM): SSL. EC2 IP: OS: AWS:

29. AWS AWS

30. Amazon EC2 VPN VPN

31. Amazon Virtual Private Cloud (VPC). Amazon 1 IP IN/OUT, Elastic IP, VPC VPN, VPC 4

32. VPC - Dedicated Instances $10/ Dedicated Instance VPC Dedicated

33. Amazon S3: SSL, 99.999999999%, 99.99% (MFA Delete)

34. DoD 5220.22-M National Industrial Security Program Operating Manual, NIST 800-88 Guidelines for Media Sanitization

35. AWS

36. AWS AWS AWS_Security_Whitepaper.pdf AWS S_Risk_and_Compliance_Whitepaper.pdf

37. 42