Amazon Web Services: Overview of Security Processes
features—such as individual user accounts and credentials, SSL/TLS for data
transmissions, and user activity logging—that you should configure no matter which
AWS service you use. For more information about these security features, see the AWS
Account Security Features section.
AWS Security Responsibilities
Amazon Web Services is responsible for protecting the global infrastructure that runs all
of the services offered in the AWS Cloud. This infrastructure comprises the hardware,
software, networking, and facilities that run AWS services. Protecting this infrastructure
is the number one priority of AWS. Although you can’t visit our data centers or offices to
see this protection firsthand, we provide several reports from third-party auditors who
have verified our compliance with a variety of computer security standards and
regulations. For more information, visit AWS Compliance.
Note that in addition to protecting this global infrastructure, AWS is responsible for the
security configuration of its products that are considered managed services. Examples
of these types of services include Amazon DynamoDB, Amazon RDS, Amazon
Redshift, Amazon EMR, Amazon WorkSpaces, and several other services. These
services provide the scalability and flexibility of cloud-based resources with the
additional benefit of being managed. For these services, AWS handles basic security
tasks like guest operating system (OS) and database patching, firewall configuration,
and disaster recovery. For most of these managed services, all you have to do is
configure logical access controls for the resources and protect your account credentials.
A few of them may require additional tasks, such as setting up database user accounts,
but overall the security configuration work is performed by the service.
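The customer's remaining task for a managed service such as Amazon DynamoDB is the logical access control on the resource. The following is an added example, not code from the whitepaper or from AWS: two constructed IAM policy documents, one granting every DynamoDB action on every table and one scoped to read actions on a single table, plus a small offline check that flags wildcard grants. The account ID, region and table name in the ARN are hypothetical placeholders.

```python
import json

# Two constructed IAM policy documents (not from the whitepaper). The first grants
# every DynamoDB action on every resource; the second is scoped to two read actions
# on one table. The account ID and table name are hypothetical placeholders.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
        }
    ],
})


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json):
    """Return findings for Allow statements that use wildcard actions or resources.

    Each finding is (statement_index, field, offending_value). Only Allow statements
    are examined: a Deny containing "*" restricts access rather than granting it.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            # "*", "service:*" and partial patterns such as "dynamodb:Get*" all
            # grant more than an explicitly listed action.
            if "*" in action:
                findings.append((i, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            # A bare "*" resource applies the grant to every table in the account.
            if resource == "*":
                findings.append((i, "Resource", resource))
    return findings


def is_least_privilege(policy_json):
    """True when no Allow statement relies on a wildcard action or resource."""
    return not find_overbroad_statements(policy_json)


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_overbroad_statements(doc))
```

The check deliberately looks only at `Action` and `Resource`; a policy that uses `NotAction` or `NotResource` inverts the match and needs separate handling, so treat a clean result from this script as a first pass rather than proof of least privilege.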
Customer Security Responsibilities
With the AWS cloud, you can provision virtual servers, storage, databases, and
desktops in minutes instead of weeks. You can also use cloud-based analytics and
workflow tools to process your data as you need it, and then store it in your own data
centers or in the cloud. The AWS services that you use determine how much
configuration work you have to perform as part of your security responsibilities.
AWS products that fall into the well-understood category of Infrastructure-as-a-Service
(IaaS)—such as Amazon EC2, Amazon VPC, and Amazon S3—are completely under
your control and require you to perform all of the necessary security configuration and
management tasks. For example, for EC2 instances, you’re responsible for
management of the guest OS (including updates and security patches), any application