05-Outposts Security and Data Residency
[Diagram: AWS shared responsibility model for Outposts. Managed by customers: customer IAM, customer data, platform and application management, operating system / network / firewall configuration, client-side data encryption and data integrity / authentication, server-side encryption (file system and/or data), network traffic protection (encryption / integrity / identity). Managed by AWS: foundation services (AWS IAM, endpoints) and the AWS global infrastructure (regions, availability zones, edge locations).]
Tamper Detection
Physical assessment capabilities are embedded in each Outpost server, similar to AWS Snowball (see picture).
Availability
VPN tunnels to anchor points within a single Availability Zone (control plane).
• On resource termination: data is erased on the Outposts locally from EC2 instances and EBS volumes.
• During hardware removal or end of term: the Nitro security key is destroyed and handed over to the customer for additional erasure if desired.
• Erasure is in accordance with NIST SP 800-88 Rev. 1.
https://aws.amazon.com/compliance/data-privacy-faq/
Example policy statement denying object puts to regional S3 (the Version and Statement wrapper are added here to make the slide's fragment a complete policy document):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockPutsToRegion",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": ["arn:aws:s3:::*"],
            "Effect": "Deny"
        }
    ]
}
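The following is an added example, not code from the slide deck or from AWS: a small simulator of the IAM rule that an explicit Deny overrides any Allow, used to show what the BlockPutsToRegion statement does once it sits next to a broad S3 grant. The wrapper policy (the AllowS3 statement, the Version line), the bucket names, the account ID and the Outpost ID are all constructed placeholders; the evaluator ignores conditions, NotAction/NotResource and principals.

```python
import re

# Added example (not from the slide deck): the slide's Deny statement embedded
# in a constructed policy that also grants S3 access, plus a tiny evaluator.
RESIDENCY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Constructed broad grant so the Deny has something to override.
            "Sid": "AllowS3",
            "Effect": "Allow",
            "Action": ["s3:*", "s3-outposts:*"],
            "Resource": ["*"],
        },
        {
            # The statement from the slide: no object puts to regional S3.
            "Sid": "BlockPutsToRegion",
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::*"],
            "Effect": "Deny",
        },
    ],
}


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one.
    Everything else is literal (re.escape), so ':' and '/' in ARNs are safe."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value) is not None


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to list."""
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action/resource pair.
    Actions compare case-insensitively (as IAM does); resources are exact-case.
    Conditions, NotAction/NotResource and principals are out of scope here."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a.lower(), action.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(r, resource)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins over every allow
        decision = "Allow"
    return decision


def residency_report(policy: dict) -> dict:
    """Check the guard rail the slide describes: puts to regional S3 are denied
    while Outposts-local puts and regional reads remain possible."""
    regional_obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed
    outpost_obj = ("arn:aws:s3-outposts:us-west-2:123456789012:"  # placeholder IDs
                   "outpost/op-0000000000000000a/bucket/example-bucket/object/report.csv")
    return {
        "regional_put": evaluate(policy, "s3:PutObject", regional_obj),
        "regional_get": evaluate(policy, "s3:GetObject", regional_obj),
        "outpost_put": evaluate(policy, "s3-outposts:PutObject", outpost_obj),
    }


if __name__ == "__main__":
    for check, result in residency_report(RESIDENCY_POLICY).items():
        print(f"{check:13s} -> {result}")
```

The point the run makes is that the slide's statement only matches the `s3` service prefix and `arn:aws:s3:::` resources, so it blocks writes to Region-hosted buckets without touching reads there or writes that go through the separate `s3-outposts` prefix; a real deployment would attach such a statement as an SCP or identity policy and still verify it with the IAM policy simulator rather than with this toy.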
[Diagram 1: a VPC extended from the Region onto the Outpost, with a subnet containing an EC2 instance, an internet gateway, a NAT gateway, a firewall, a local gateway (LGW), a VPC endpoint (VPCE) and the service link back to the Region.]
[Diagram 2: centralised inspection. Spoke VPCs 1, 3 and 4 in the AWS Region and on AWS Outposts attach to a Transit Gateway; traffic is steered through an appliance or security VPC containing a Gateway Load Balancer (GWLB), GWLB endpoints and the appliance instances, with Direct Connect (DX) providing the on-premises link.]
1. You can perform north/south and east/west inspection using the same appliance fleet.
2. NAT can reside inside or outside of the appliance fleet VPC.