05-Outposts Security and Data Residency


AWS Outposts - Security & Data Residency

© 2022, Amazon Web Services, Inc. or its Affiliates.


Agenda
Updates to Shared Responsibility Model

Data handling on Outposts

Data Residency – SCPs

VPC traffic inspection

Questions



Shared responsibility model



In Region Shared Responsibility Model

Managed by customers:
• Customer IAM
• Customer data
• Platform & application management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption / integrity / identity)

Managed by AWS:
• AWS IAM
• Foundation services: compute, storage, databases, networking
• AWS endpoints
• AWS global infrastructure: Regions, Availability Zones, edge locations


AWS Outposts Shared Responsibility Model

Managed by customers:
• Customer IAM
• Customer data
• Platform & application management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption / integrity / identity)
• Customer datacenter: physical security & access control, regional connectivity, environmental controls, capacity management

Managed by AWS:
• AWS IAM
• Foundation services: compute, storage, databases, networking
• AWS endpoints
• AWS global infrastructure: Regions, Availability Zones, edge locations


Physical Security

Nitro Security Keys: key material is wrapped to an external key stored in a removable device and used as part of a TPM
• Removal renders the data unusable
• Screw-on key allows for physical destruction
• Meets NIST 800-88 data sanitization requirements

Tamper Detection
Physical assessment capabilities are embedded in each Outpost server, similar to AWS Snowball (see picture)

Datacenter security requirements are spelled out in the service terms:
https://aws.amazon.com/service-terms/#4._AWS_Outposts



Logical Security - Service Link Specifics

• Control plane stays within the Region
• VPN tunnels to anchor points within a single Availability Zone
• TCP/UDP port 443 required: outbound to TCP/UDP port 443, originating from the Outpost on-premises
• Each Outposts server makes a service link connection to the Region
• Service link is established outbound from the Outpost
• Consists of a data plane and a management plane



Data Handling



Data at rest

• S3 buckets encrypted using SSE-S3 encryption by default
• EBS volumes encrypted by default using the aws/ebs managed key
• Physical disk volumes encrypted with AES-XTS-256 using keys rooted to the Nitro controller
• The storage volume used to store the keys is encrypted using a key rooted to the physical Nitro Security Device
• Nitro Security Device: contains a microcontroller with tamper-resistant key storage



Data Erasure and Outpost Removal

• On resource termination
  • Data erased locally on the Outpost from EC2 instances and EBS volumes
• During hardware removal or end of term
  • Nitro Security Key destroyed and handed over to the customer for additional erasure if desired
  • In accordance with NIST SP 800-88 Rev. 1



Nitro Security Key (photos on slide, marked NDA)

Photo of Nitro Security Key removed from server, with label for screwdriver destruction.
Internal view of Nitro Security Key showing screw over microcontroller.



Nitro

Nitro cards: VPC networking; Amazon Elastic Block Store (Amazon EBS); instance storage; system controller
Nitro Security Chip: integrated into motherboard; protects hardware resources; hardware root of trust
Nitro Hypervisor: lightweight hypervisor; memory and CPU allocation; bare metal-like performance



Data Privacy

https://aws.amazon.com/compliance/data-privacy-faq/



Data Residency
SCPs and IAM



Data residency friendly services

• Which services count as data residency friendly depends on the customer's data classification and must be confirmed by testing



Permission controls

• Service Control Policies and IAM policies can implement preventative controls that enforce data residency requirements by denying the specific API calls that would transfer data to the Region.
• Not all service actions support such controls.
• Some services may require additional customization.



Disable EC2 launches on non-Outposts subnets

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNotOutpostSubnet",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "ForAllValues:ArnNotEquals": {
          "ec2:Subnet": ${jsonencode(var.outpost_subnet_arns)}
        }
      }
    }
  ]
}

The policy is rendered from a Terraform template: var.outpost_subnet_arns is the list of Outpost subnet ARNs (arn:aws:ec2:region:account:subnet/subnet-id) and jsonencode emits it as a JSON array. The original "${join(", ", var.outpost_subnet_arns)}" form collapses the list into one comma-separated string, which only works when the list holds a single ARN. Because the operator is ForAllValues, a request whose context carries no ec2:Subnet key also satisfies the condition and is denied.



Restrict uploading objects to S3 in Region

{
  "Sid": "BlockPutsToRegion",
  "Action": [
    "s3:PutObject"
  ],
  "Resource": ["arn:aws:s3:::*"],
  "Effect": "Deny"
}

This denies s3:PutObject against every in-Region bucket. S3 on Outposts buckets live in the s3-outposts service namespace (s3-outposts:PutObject on arn:aws:s3-outposts:... ARNs), so writes to the Outpost are unaffected.
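Added example, not from the slides or from AWS: an offline Python model of the two Deny statements above, DenyNotOutpostSubnet and BlockPutsToRegion, implementing just the slice of IAM evaluation they depend on (action and resource wildcards, ForAllValues:ArnNotEquals) so their edge cases can be checked without an account. The subnet ARNs, the account 111122223333 and the request shapes are constructed; glob_match, evaluate and joined_string_variant are names introduced here.

```python
"""Offline model of the two Deny statements above, DenyNotOutpostSubnet and
BlockPutsToRegion. Added example, not AWS code: it implements only the slice of
IAM semantics those statements use (action and resource wildcards plus
ForAllValues:ArnNotEquals) so their edge cases can be checked without an account."""
import re

# Constructed Outpost subnet ARNs standing in for var.outpost_subnet_arns.
OUTPOST_SUBNET_ARNS = [
    "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-0aaa1111bbbb2222c",
    "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-0ddd3333eeee4444f",
]
REGION_SUBNET_ARN = "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-0123456789abcdef0"
# RunInstances/CreateNetworkInterface are authorized against a wildcard ENI ARN.
ENI = "arn:aws:ec2:us-west-2:111122223333:network-interface/*"

DENY_NOT_OUTPOST_SUBNET = {
    "Sid": "DenyNotOutpostSubnet",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances", "ec2:CreateNetworkInterface"],
    "Resource": ["arn:aws:ec2:*:*:network-interface/*"],
    "Condition": {"ForAllValues:ArnNotEquals": {"ec2:Subnet": OUTPOST_SUBNET_ARNS}},
}
BLOCK_PUTS_TO_REGION = {
    "Sid": "BlockPutsToRegion",
    "Effect": "Deny",
    "Action": ["s3:PutObject"],
    "Resource": ["arn:aws:s3:::*"],
}
SCP = [DENY_NOT_OUTPOST_SUBNET, BLOCK_PUTS_TO_REGION]


def glob_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly
    one; everything else (':' and '/' included) is literal and case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(condition, context):
    """True when the Condition block is satisfied by the request context.
    Only ForAllValues:ArnNotEquals is modelled, because that is all the SCP uses."""
    for operator, entries in condition.items():
        if operator != "ForAllValues:ArnNotEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, policy_arns in entries.items():
            # ForAllValues: every request value must pass ArnNotEquals. A request
            # without the key has an empty value set and passes vacuously, so in
            # a Deny statement a missing ec2:Subnet still triggers the deny.
            for value in context.get(key, []):
                if any(glob_match(p, value) for p in policy_arns):
                    return False  # value IS an Outpost subnet: condition fails
    return True


def statement_denies(stmt, action, resource, context):
    if stmt["Effect"] != "Deny":
        return False
    if not any(glob_match(a, action) for a in stmt["Action"]):
        return False
    if not any(glob_match(r, resource) for r in stmt["Resource"]):
        return False
    return condition_matches(stmt.get("Condition", {}), context)


def evaluate(action, resource, context=None, scp=SCP):
    """Return 'DENY:<Sid>' for the first Deny that matches, else 'NOT_DENIED'.
    Allow statements are not modelled: an SCP only ever takes permissions away."""
    context = context or {}
    for stmt in scp:
        if statement_denies(stmt, action, resource, context):
            return "DENY:" + stmt["Sid"]
    return "NOT_DENIED"


def joined_string_variant():
    """The slide's template quoted join(", ", var.outpost_subnet_arns), which
    renders the whole list as ONE string. Build that variant to show the effect."""
    broken = dict(DENY_NOT_OUTPOST_SUBNET)
    broken["Condition"] = {
        "ForAllValues:ArnNotEquals": {"ec2:Subnet": [", ".join(OUTPOST_SUBNET_ARNS)]}
    }
    return [broken, BLOCK_PUTS_TO_REGION]


if __name__ == "__main__":
    # Constructed requests mirroring the Testing slide.
    outposts_obj = ("arn:aws:s3-outposts:us-west-2:111122223333:outpost/op-01ac5d28a6a232904"
                    "/accesspoint/test-data-residency/object/testkey")
    cases = [
        ("ec2:RunInstances", ENI, {"ec2:Subnet": [OUTPOST_SUBNET_ARNS[0]]}),
        ("ec2:RunInstances", ENI, {"ec2:Subnet": [REGION_SUBNET_ARN]}),
        ("ec2:RunInstances", ENI, {}),
        ("s3:PutObject", "arn:aws:s3:::test-data-residency/testkey", {}),
        ("s3-outposts:PutObject", outposts_obj, {}),
    ]
    for action, resource, ctx in cases:
        print(f"{action:24} {evaluate(action, resource, ctx)}")
    print("joined-string variant, Outpost subnet:",
          evaluate("ec2:RunInstances", ENI, {"ec2:Subnet": [OUTPOST_SUBNET_ARNS[0]]},
                   joined_string_variant()))
```

The model takes the resource ARN as given. What ARN an SCP actually sees for a put routed through an in-Region access point (arn:aws:s3:region:account:accesspoint/..., a form that arn:aws:s3:::* does not match as written) is exactly what the second put-object variant on the Testing slide exercises, so run that test rather than trust the model for it. The joined-string variant shows that with two Outpost subnets the original template denies launches even into an Outpost subnet, which is the failure the jsonencode form avoids.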



Testing

Snapshot with and without --outpost-arn:

aws ec2 --profile test create-snapshot --volume-id vol-079f5e0a7a12c938e --outpost-arn arn:aws:outposts:us-west-2:{redacted}:outpost/op-0d4579457ff2dc345

aws ec2 --profile test create-snapshot --volume-id vol-079f5e0a7a12c938e

Object put through the S3 on Outposts access point, through an in-Region access point, and directly to an in-Region bucket:

aws s3api put-object --bucket arn:aws:s3-outposts:${var.region}:{redacted}:outpost/op-01ac5d28a6a232904/accesspoint/test-data-residency --key testkey --body /etc/os-release

aws s3api put-object --bucket arn:aws:s3:${var.region}:{redacted}:accesspoint/test-data-residency --key testkey --body /etc/os-release

aws s3api put-object --bucket test-data-residency --key testkey --body /etc/os-release



Generic Testing

aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::289938704165:role/PowerUserWithDataResidency --context-entries ContextKeyName=aws:RequestedRegion,ContextKeyValues="us-west-2",ContextKeyType=string --action-names appmesh:*

This simulates every App Mesh action for the role with aws:RequestedRegion set to us-west-2 and reports which calls the attached policies and SCPs would deny, without making any real API call.



Traffic inspection
VPC Structure



Intranet

The VPC is extended from the Region to the Outpost. An EC2 instance in an Outpost subnet reaches other on-premises resources through the Local Gateway (LGW), with the customer's firewall and NAT on the on-premises side. Diagram elements: IGW, NAT-GW, Firewall, LGW, VPCE, CND.

Outpost subnet route table:

Destination   Target
VPC-CIDR      Local
COIP          LGW
On-prem       LGW

Supports data residency.
Internet : Option-1

Internet egress through the LGW and the on-premises firewall/NAT: a default route to the LGW is added to the Outpost subnet route table, so internet-bound traffic never traverses the Region.

Outpost subnet route table:

Destination   Target
VPC-CIDR      Local
COIP          LGW
On-prem       LGW
0.0.0.0/0     LGW

Supports data residency.


Internet : Option-2

Internet egress through the Region: a Gateway Load Balancer endpoint (GWLBE) in the Outpost subnet forwards traffic to a GWLB in a security VPC in the Region, where a security block subnet of appliances inspects it before it leaves through the Region's internet gateway. The diagram shows the service link and DX between the Outpost and the Region, and other on-premises resources behind the Outpost.

• Not recommended: multiple round trips (RTT) between the Outpost and security appliance instances in the Region
• Does not support data residency
Internet Option-3 : Centralized inspection with TGW

Outpost VPCs 1, 2 and 3 (instances 1, 2 and 3) attach to a Transit Gateway in the Region. VPC 4 is an appliance or security VPC with a GWLB firewall fleet that performs north-south inspection (traffic to/from the Internet).

• Does not support data residency
VPC to VPC Inspection with TGW (extension of Option-3 for Intranet)

Outpost VPCs 1, 2 and 3 (instances 1, 2 and 3) attach to the Transit Gateway in the Region. Appliance or security VPC 4, with a GWLB firewall fleet, performs north-south inspection (traffic to/from the Internet); a second appliance or security VPC with its own GWLB firewall fleet performs east-west inspection (VPC to VPC traffic).

1. You can perform N/S and E/W inspection using the same fleet.
2. NAT can reside inside or outside of the appliance fleet VPC.

• Does not support data residency
Q&A

