Analysis of Amazon S3 Cloud Services









Joseph Beckman
Matthew Riedle
Hans Vargas








Purdue University


Authors' Note

Joseph Beckman, Ph.D. Student, Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University.
Matthew Riedle, M.S. Student, Cyber Forensics in Computer Information Technology, Purdue University.
Hans Vargas, M.S. Student, Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University.

This research was supported by Dr. Brandeis Marshall and Dr. Melissa Dark as part of the INSuRE (The Information Security Research and Education) Research Grant, and by the National Security Agency (NSA), which sponsored the work and provided unclassified problems to be researched.
Correspondence concerning this paper should be addressed to Joseph Beckman, Matthew Riedle, and Hans Vargas, Purdue University, West Lafayette, IN 47906.
Contact: beckmanj@purdue.edu, mriedle@purdue.edu, hvargas@purdue.edu







Abstract

Distributed computing is a familiar concept within computer science. Public distributed computing, better known as cloud computing services, is a relatively new concept in the marketplace. In recent years, individuals, corporations, and government agencies have begun to leverage the resources of the Internet to perform tasks that had previously been limited to in-house computer networks. Providers of these resources, collectively referred to as Cloud Service Providers (CSPs), tout numerous benefits of their use, including the reduction of IT costs. Prospective customers, however, should take a serious look at the risks, vulnerabilities, and threats that may arise when relocating their resources to the cloud. The impacts of cloud usage upon information security as it relates to confidentiality are not well understood, and for that reason our research focuses on the Amazon S3 cloud storage service as a case study in confidentiality, from which we provide recommendations for improvement to existing cloud security frameworks.




Keywords: Amazon S3, AWS, Confidentiality, Cloud Computing, CSP, FedRAMP, 3PAO

Introduction
Previous work [2] categorizing risks within cloud computing identified threat and vulnerability profiles of three major CSPs, comparing them against the security controls required by FedRAMP in order to approve federal agencies' migration of services to the cloud. This project will focus primarily on federal agencies as the customer base of cloud services, but will also take into consideration that private sector customers would benefit from security guidelines established by FedRAMP adopters.
Amazon Web Services (AWS) was one of the first CSPs to be deemed compliant with FedRAMP cloud storage service security guidelines, which certified Amazon's S3 cloud storage service for use by United States federal government agencies. This project will attempt to describe and explain the existence, usability and effectiveness of the security features of Amazon S3 with respect to the protection of confidentiality within the Infrastructure-as-a-Service (IaaS) domain. It will also lay the groundwork for updating and adapting the existing guidelines to audit CSPs more efficiently, and provide analysis, based on open source intelligence, of vulnerabilities that have been realized and of the remedial actions adopted by providers and customers.

[2] Vargas, Toriola (2012) Public Cloud Providers: A Risk Matrix.

Motivation
The aim of this project, through the evaluation of Amazon S3 cloud services and the re-evaluation of the FedRAMP cloud services security guidelines, is to bring a greater level of security to information stored in the cloud. Increasing the level of security in the cloud is important to the field of information security, to the United States government, and to anyone who uses cloud services. While this project will focus on the cloud security policies and processes of the United States federal government, it has the potential to impact much of the world's population because of the widespread use of services like free e-mail, which operates mainly as a cloud service.
Efforts to bring greater security to the cloud face many challenges that will impact this project. The nature of cloud services, and one of the greatest benefits of this architecture, is the lack of exposure of the system's back-end processes to the user. When evaluating the security of such a system, however, the inability to examine these processes directly reduces the effectiveness and meaningfulness of a security audit. Additionally, the cloud environment is very dynamic; services are added, changed, and removed often as user needs and behaviors change. As a result, our ability to produce changes to any security auditing framework that will be durable and enduring will be limited to studying the effects that are possible to analyze from the standpoint of a normal commercial service deployment.
While we cannot see the full impact of this project, we know that it addresses an issue relevant to everyone. The motivation driving us to address this problem is the potential for its solution to have wide-ranging impacts on any customer using web storage services.


Previous Work
An initial work on this project related to Public Cloud Providers was conducted during the Fall 2012 semester. That research presented an overview of the three major cloud service providers, Amazon, Microsoft, and Google, and determined common threats and vulnerabilities. Another important aspect was the evaluation of security controls available to mitigate risk, specifically when federal agencies were considering transferring services to the cloud. Institutions like FedRAMP (based on NIST standards) and CSA were consulted as providers of guidelines and benchmarks for security in the cloud, as were other, more specific risk frameworks. As a result, a risk matrix was developed that matched risks to security controls.
Because the trend towards moving services to cloud computing is relatively new, existing literature on the topic of security in cloud computing tends to focus on one or more of three areas: analyzing the security of cloud service providers' (CSPs) environments, providing an overview of the security landscape of cloud deployment models (IaaS, PaaS, SaaS), or creating an overall framework for a more secure use of the cloud. Each of these three themes is addressed from various perspectives, although comparisons tend to be rather straightforward and technical (Batten, 2012)(Shraer, 2010)(Agrawal, 2010). Some of the work providing an overview of cloud security discusses security in the cloud from the perspective of a particular discipline, such as business (Gurkok, 2013). Others focus on aspects of the cloud security landscape like institutional impact (Ksherti, 2013), or technical vulnerabilities (Marinescu, 2013). Given the variety of missions being addressed by the myriad government agencies that may derive benefit from and consider using Infrastructure-as-a-Service in the cloud, literature using all of these approaches will be valuable in forming our evaluation of confidentiality in the Amazon S3 service.
Though some have attempted to create general frameworks for more secure cloud computing (Cloud Security Alliance, 2013)(Mouratidis, 2013), frameworks are also coming into existence that are focused by discipline or organization type. FedRAMP guidelines for United States federal government cloud service providers are focused broadly on the needs of the federal government, just as SAS-70 Type II accounting audit guidelines are applied to cloud computing from the perspective of financial auditing. In order to provide a comprehensive assessment of the confidentiality aspect of security within the Amazon S3 Infrastructure-as-a-Service platform, we will consider existing discipline-related overviews and frameworks along with work relating to specific aspects of cloud security that touch on confidentiality [4]. For the purposes of this analysis, we have categorized the issues facing the topic into the following themes.


General Cloud Security Issues
Astrova et al. (2012) reviewed the state of current security in cloud environments and its relationship to CIAAA (Confidentiality, Integrity, Availability, Authentication and Authorization). The relevance of this subject lies in the analysis of the basis of security, and the challenges introduced by cloud computing in the context of both benefits and drawbacks. One of the arguments presented is that the use of cloud services does not necessarily lower the customer's security level, meaning that those levels should be based on the customer's security requirements, which inevitably will lead to the identification of the security levels offered by CSPs. In order to accomplish this, BSI (Federal Office for Information Security, Bundesamt für Sicherheit in der Informationstechnik) guidelines, which established minimum security requirements for cloud providers, were used, as they describe security levels for the K.O. (knock-out) criteria matrix. These criteria attempt to assess the security level of cloud providers, with emphasis on Amazon as a cloud provider. The BSI represents one type of benchmark, similar to other efforts (FedRAMP in the US) that attempt to determine a security level.

[4] Preserving authorized restrictions on access and disclosure, by protecting personal privacy and proprietary information.
Similarly, potential users of cloud services could benefit from the existence of a cloud certification authority that ensures the transparency of CSPs with respect to their security levels. Such a level of security could be determined by using the K.O. criteria, providing customers with better tools to choose cloud providers based on their security capabilities. On an increasing scale, more and more CSPs are partnering with specialized security providers, in a Security-as-a-Service model, to enhance the level of cloud security for their customers. These services are aimed directly at increasing confidentiality rather than availability [7].
According to Xiaoqi Ma (2012), analyses of potential security risks related to cloud services, as they relate to confidentiality, integrity and availability (CIA), attempt to provide answers focused on privacy. From data privacy protection to data integrity in cloud services, his research represents a broad overview of security problems and proposed solutions. Behl and Behl (2012), meanwhile, review the key challenges of implementing cloud security solutions for a dynamic and changing cloud environment. They conduct analysis in order to consider detailed specifications of the problem of security in cloud computing and descriptions of the features a security solution must have. Some areas of major concern regarding security are: loss of control while moving services to the cloud, multi-tenancy or the co-residence of tenants on the same logical/physical mediums, and service level agreements (SLAs) as the assurance that the right expectations are considered. They further detail the need for information integrity and privacy as well as identity federation, and conclude by recommending that cloud security management should be enhanced in order to better control and manage user data; in addition, they suggest that security should become a wrapper around all cloud deployment models in a multilayer security solution.
Contrary to some assumptions, moving to a cloud environment does not eliminate the risk associated with security. In fact, outsourcing computing resources to the cloud generates major new security and privacy concerns. Moreover, service level agreements (SLAs) might not provide adequate legal protection for cloud computing users, who are often left to deal with events beyond their control.

[7] Ensuring timely and reliable access to and use of information.

Amazon Computing
Some of the literature that we sought related to specific Amazon cloud computing services; this effort resulted in the discovery of literature that sheds light on computing services related to Amazon.
Marinescu (2013) suggests that an in-depth study of cache placement decisions over various cloud storage options would be beneficial to a large class of users, weighing data persistence, monetary costs, and the high performance needs of AWS in order to generate cost-effective data placement strategies. Marinescu describes what adequate caching strategies [8] could represent for cloud services. The costs considered are for Amazon's S3, EC2 (Amazon Elastic Compute Cloud) and EBS (Amazon Elastic Block Store), and are then used to obtain relevant data through a series of experiments for cost evaluation. The relevance of this paper lies in the analysis of how these different services could be distinguished from each other based on the cost effectiveness of each one.
Garfinkel's (2007) article was considered as a way to show the progress in authentication mechanisms, from a simple authentication strategy based on the SHA1-HMAC algorithm to today's four mechanisms for controlling access to Amazon S3 resources: Identity and Access Management (IAM) policies, bucket policies, Access Control Lists (ACLs) and query string authentication.
Abundant information about these four access control mechanisms is available from Amazon S3 Access Control [11], where each feature and capability is described. With IAM policies, customers can grant IAM users fine-grained control of their Amazon S3 buckets or objects while also retaining full control over everything the users do. With bucket policies, companies can define rules which apply broadly across all requests to their Amazon S3 resources, such as granting write privileges to a subset of Amazon S3 resources. Customers can also restrict access based on an aspect of the request, such as the HTTP referrer and IP address. With ACLs, customers can grant specific permissions (i.e. read, write, full_control) to specific users for an individual bucket or object. With query string authentication, customers can create a URL to an Amazon S3 object which is only valid for a limited time.

[8] Caches can be deployed to maintain some set of precomputed/intermediate data for reuse. Especially in scientific applications, precomputed data could not only replace the need to tirelessly compute redundant information, but it can also significantly reduce the amount of data transfer required.
[11] Access Control. Retrieved from: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html
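The query string authentication mechanism described above is worth seeing as code, because its confidentiality property (a URL that opens one object and stops working after a set time) rests entirely on the signature. The following is an added example, not code from the paper or from Amazon: it builds a presigned GET URL and performs the service-side check in the shape of AWS Signature Version 4 (the scheme AWS documents for S3 today, rather than the HMAC-SHA1 scheme the Garfinkel article describes), using only the Python standard library. The access key, secret key, bucket name, object key and timestamps are constructed placeholders, and verify_get stands in for the check the service itself performs; no request leaves the machine.

```python
"""Query-string (presigned URL) authentication for one S3 object, in the shape
of AWS Signature Version 4. Added example: not code from the paper or from AWS.
All credentials, names and times below are constructed placeholders."""
import datetime as dt
import hashlib
import hmac
import urllib.parse

ACCESS_KEY = "AKIAEXAMPLEKEY000000"                # constructed, not a real key id
SECRET_KEY = "exampleSecretKey/NotARealSecret/000"  # constructed, not a real secret
REGION = "us-east-1"
HOST = "example-bucket.s3.amazonaws.com"           # constructed bucket name
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, date: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning.
    # The secret never appears in the URL; only the derived signature does.
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, "s3")
    return _hmac(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Parameters sorted by name, every character except unreserved ones encoded.
    def enc(s: str) -> str:
        return urllib.parse.quote(s, safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def _signature(secret: str, method: str, object_key: str,
               params: dict, issued: dt.datetime) -> str:
    date = issued.strftime("%Y%m%d")
    canonical_request = "\n".join([
        method,
        "/" + urllib.parse.quote(object_key, safe="/-_.~"),  # canonical URI
        _canonical_query(params),          # canonical query, signature excluded
        f"host:{HOST}\n",                  # canonical headers
        "host",                            # signed headers
        "UNSIGNED-PAYLOAD",                # S3 presigned URLs do not hash the body
    ])
    string_to_sign = "\n".join([
        ALGORITHM,
        issued.strftime("%Y%m%dT%H%M%SZ"),
        f"{date}/{REGION}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(object_key: str, expires_s: int, issued: dt.datetime) -> str:
    """Owner side: build a GET URL for object_key valid for expires_s seconds."""
    date = issued.strftime("%Y%m%d")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{ACCESS_KEY}/{date}/{REGION}/s3/aws4_request",
        "X-Amz-Date": issued.strftime("%Y%m%dT%H%M%SZ"),
        "X-Amz-Expires": str(expires_s),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(SECRET_KEY, "GET", object_key, params, issued)
    path = urllib.parse.quote(object_key, safe="/-_.~")
    return f"https://{HOST}/{path}?{urllib.parse.urlencode(params)}"


def verify_get(url: str, secret: str, now: dt.datetime) -> bool:
    """Service side: recompute the signature from the URL's own parameters.
    Rejects a URL whose window has passed, whose object path or parameters were
    altered, or whose signature was made with a different secret."""
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query))
    presented = params.pop("X-Amz-Signature", "")
    issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    if now > issued + dt.timedelta(seconds=int(params["X-Amz-Expires"])):
        return False  # expired: the URL's limited lifetime is enforced here
    object_key = urllib.parse.unquote(parts.path.lstrip("/"))
    expected = _signature(secret, "GET", object_key, params, issued)
    return hmac.compare_digest(expected, presented)  # constant-time compare


def demo() -> dict:
    """Run the mechanism on constructed inputs and report each outcome."""
    issued = dt.datetime(2014, 4, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
    url = presign_get("reports/q1.pdf", 300, issued)
    soon = issued + dt.timedelta(seconds=60)
    late = issued + dt.timedelta(seconds=301)
    sig = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["X-Amz-Signature"][0]
    return {
        "valid_within_window": verify_get(url, SECRET_KEY, soon),
        "rejected_after_expiry": not verify_get(url, SECRET_KEY, late),
        "rejected_other_object": not verify_get(url.replace("q1.pdf", "q2.pdf"), SECRET_KEY, soon),
        "rejected_wrong_secret": not verify_get(url, "a-different-secret", soon),
        "signature_hex_len": len(sig),
    }


if __name__ == "__main__":
    print(demo())
```

Two points follow from the code. Whoever holds the URL holds the access for the whole window, so the expiry chosen at presign time is the only revocation lever short of rotating the signing key; and because the object path is part of the canonical request, the same URL cannot be edited to reach a neighbouring object.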


Concerns about Security in the Cloud Storage
Cloud storage as a service is becoming a sought-after commodity, and this growing trend has also raised concerns about the underlying security of the service. Regarding this concern, Chou et al. (2013) discuss overall security weaknesses that exist in several different cloud architectures through the investigation of three of the most popular data storage CSPs: Microsoft SkyDrive, Google Drive, and Dropbox. However, the weaknesses are not specific to these CSPs, and could very well exist in Amazon's S3 data storage service.
The main point of Chou is that even though the data is encrypted while uploading to or downloading from the cloud servers, the weakness lies in the data as it is shared with others. There are three identified methods of sharing: public, private, and secret URLs. Public sharing is the easiest and is achieved by publishing a URL by which anyone can access the data. Private sharing requires anyone the data will be shared with to be verified through email and then log into the Dropbox application in order to view the data. A secret URL is a cross between the other sharing methods, in which a unique URL is generated which the owner can send to anyone they wish to share the data with, without needing any further authentication.
For instance, the cloud security of Dropbox, Google Drive, and Microsoft SkyDrive is found to have similar weaknesses, mostly pertaining to a lack of user authentication in the sharing of data. This could be fixed by looking at how invitations to view the data can be rendered useless after they have been activated. Preventing these links from continuing to work after the recipient has used them, along with setting up a method to require a password in order to use the link, will help tighten the security of sharing data in the cloud. From this analysis we found ideas for investigating new security policies for cloud security.
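One way to implement the fix sketched above (invitation links that stop working once activated, plus a required password) is shown below as an added example; it is not code from the paper or from any of the CSPs named. Each share URL carries an unguessable token, must be accompanied by a password, is consumed by its first successful use, and expires even if never used. The in-memory store, object names, passphrases and timestamps are constructed for the example.

```python
"""Single-use, password-protected, time-limited share links. Added example: the
store, names and times are constructed; this is not code from the paper or any CSP."""
import datetime as dt
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ShareLink:
    object_key: str          # what the link opens
    expires_at: dt.datetime  # after this instant the link is dead even if unused
    salt: bytes
    pw_hash: bytes           # PBKDF2 of the password; the password itself is not stored
    redeemed: bool = False   # set on first successful use; never cleared


class ShareLinkStore:
    """In-memory stand-in for the service-side table that backs share URLs."""

    ITERATIONS = 100_000

    def __init__(self):
        self._links = {}

    @classmethod
    def _hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def create(self, object_key: str, password: str, ttl: dt.timedelta,
               now: dt.datetime) -> str:
        """Owner side: mint the secret part of the URL and record what it unlocks."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: an unguessable URL
        salt = secrets.token_bytes(16)
        self._links[token] = ShareLink(object_key, now + ttl, salt, self._hash(password, salt))
        return token

    def redeem(self, token: str, password: str, now: dt.datetime):
        """Recipient side: returns the object key on success, None otherwise.
        Knowing the URL is necessary but not sufficient: the password is a second
        factor, and the link is consumed by its first successful use."""
        link = self._links.get(token)
        if link is None or link.redeemed or now > link.expires_at:
            return None
        if not hmac.compare_digest(link.pw_hash, self._hash(password, link.salt)):
            return None
        link.redeemed = True
        return link.object_key


def demo() -> dict:
    """Exercise the store on constructed inputs; every outcome should be True."""
    store = ShareLinkStore()
    t0 = dt.datetime(2014, 4, 1, 12, 0, tzinfo=dt.timezone.utc)
    one_hour = dt.timedelta(hours=1)
    token = store.create("reports/q1.pdf", "correct horse battery", one_hour, t0)
    stale = store.create("reports/q2.pdf", "another passphrase", one_hour, t0)
    return {
        "unknown_token": store.redeem("not-a-real-token", "correct horse battery", t0) is None,
        "wrong_password": store.redeem(token, "wrong", t0) is None,
        "first_use_ok": store.redeem(token, "correct horse battery",
                                     t0 + dt.timedelta(minutes=5)) == "reports/q1.pdf",
        "second_use_blocked": store.redeem(token, "correct horse battery",
                                           t0 + dt.timedelta(minutes=6)) is None,
        "expired_unused": store.redeem(stale, "another passphrase", t0 + 2 * one_hour) is None,
    }


if __name__ == "__main__":
    print(demo())
```

A wrong password here does not consume the link; a deployed version would also cap or rate-limit failed attempts per token and record each redemption, so that the owner can see when a link was used and by whom, which is exactly the accountability the secret-URL model lacks.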
The first chapter of Yang and Jia's (2014) Security for Cloud Storage Systems explores aspects of cloud technology, defining how they operate with data storage. Several items, including on-demand self-service and network access, are already expected by the users of cloud services when storing personal data. From there, two main threats are described that plague cloud providers. The first pertains to data integrity; users should be confident that the cloud provider is correctly managing their personal data, especially after they want to delete it. The second pertains to access control; this issue is also due to the user being forced to trust the cloud server for their access control policies. While the data integrity issue is outside of our scope for this project, the access control information presented in this book will be very useful not only in assessing the weakness of access control in cloud architectures, but also because it provides several concepts for how to fix these holes.






A Comparison of Approaches to Cloud Security

Tajadod et al. (2012) is based on the comparison of two CSPs, and goes into detail exploring their differences. We found relevant information about Amazon S3, as the paper details the service's features in order to elaborate the corresponding comparison. This description of security features is presented following CIA. For Confidentiality it describes Amazon IAM (Identity and Access Management), MFA (Multi-Factor Authentication), and Key Rotation. With respect to Integrity, it describes encryption via SSL and HTTPS from client and server sides as well as HMAC (hash-based message authentication code). Finally, for Availability, it specifies the SLA of Amazon as well as data replication capabilities.


Securing Cloud Services against Attacks

Securing cloud services can involve both reactive and proactive measures, and in that regard Boot, Soknacki, and Somayaji provide an overview of security in the cloud computing environment, but approach their overview from the perspective of potential attackers. This overview, using descriptive methods, considers the various attacks that can be perpetrated upon a client-server model, and then reduces the scope of these attacks to those that would impact the current cloud environment, specifically one employing a hypervisor. The authors found that attacks relating to denial-of-service, breach of confidentiality, and compromise of data integrity are all applicable within the cloud. In relation to data confidentiality, the cloud adds a new threat of data colocation to those of typical client-server security issues. Through colocation, an attacker may be able to gain access to sensitive data residing on a cloud server by gaining access to the server through the account of a user using weaker authentication techniques. This paper also discusses the possibility of users with administrative-level access compromising sensitive data either maliciously or accidentally. Though the authors feel that data encryption and monitoring are important steps in ensuring the confidentiality of data in the cloud, these solutions remain vulnerable to traffic analysis and cryptographic weaknesses and would place an additional burden upon cloud providers.
A document written by Cem Gurkok (2013) as a chapter in the book Computer and Information Security Handbook presents a view of cloud computing from a very strategic level. Gurkok begins his work with an overview of the types of cloud computing platforms (SaaS, IaaS, and PaaS), moves on to discuss security issues common to cloud services, and then describes security issues specific to the types of cloud platforms. Gurkok's descriptive methods are comprehensive and are able to analyze cloud security through the lens of the CIA triad, while subdividing these issues by discipline (legal, technical, etc.), and by system layer (infrastructure, operating system, application, etc.). The strategic level of this document provides a starting point for the narrowing of our analysis of the problem space.
Auditing is addressed by Yu, Niu, Yang, Mu, and Susilo (2014), who focus not on cloud security itself but on the function of auditing cloud services for security. This paper is the result of conducting active attacks on cloud services, which showed that current auditing tools, such as Oruta and Knox, failed to provide evidence that the authenticity and integrity of stored files had been breached. In response, these authors propose a new framework that accounts for the actions of an attacker who is active on the system and working against the goals of the auditors. Though this work does not speak directly to the framework for security in the cloud environment, it does present both the security audit process and its current vulnerabilities. An important aspect of our proposed framework, and of any security framework, should be the ability to audit and verify the security of the system. Understanding these processes will be important to the creation of a robust framework and successful evaluation of the Amazon S3 service.
Trustworthiness is researched by Shraer et al. (2010), especially after some identified high-profile incidents [14] relating to data integrity and consistency and their relationship to confidentiality (through encryption) and availability (through resilience and protection against loss). Venus is a service for securing user interactions with untrusted cloud storage by guaranteeing integrity and consistency. Even though this research represents an external mechanism that could be added transparently to the cloud storage service (Amazon S3), it provides evidence that this CSP's infrastructure is capable of supporting verification mechanisms in its commodity cloud storage service. A simulated split-brain attack from a system with two clients was performed in order to evaluate how Venus detects service violations, and it successfully identified inconsistencies. This work represents external attempts [by parties other than the cloud providers] to enhance current storage solutions with insignificant added overhead.

[14] Amazon S3's silent data corruption, a privacy breach in Google Docs, and ma.gnolia's data loss.


Customers' Role in Cloud Security
The customer's role in the acquisition, configuration, use and allocation of cloud services means that customers also bear responsibility when vulnerabilities are exploited. Ksherti's (2013) paper, from the journal Telecommunications Policy, states that a discrepancy exists between the security claims of cloud computing vendors and users of cloud computing services. His largely descriptive study cites statistics from popular press surveys about the security fears of cloud computing users to support his assertion. Ksherti also uses these surveys as a jumping-off point to discuss the institutions surrounding cloud computing, and how they should be modified to build greater levels of security into the fabric of these institutions. Specifically, he suggests the formation, through legal, technical, and social means, of a normative culture of security in cloud computing. Given the size and diversity of missions within the United States federal government, the importance of the culture of use surrounding cloud computing in this environment cannot be overstated. This work will inform aspects of the modified framework and evaluation of the Amazon S3 service that we provide in our work.


Security Framework for Cloud Services
A cloud security framework is presented by Nayak et al. (2012) detailing three phases of cloud security, server initialization, registration, and authentication, that benefit from incorporating user authentication into the overall cloud models. User authentication is used, in the form of usernames and passwords, in almost every system that people use on a daily basis, such as online shopping, email, and social media. These methods are already applied by AWS in their approach to cloud security, and the paper goes into detail about how the messages could be laid out between Amazon's authentication servers and the user in order to maximize authentication security. In the server initialization phase, each user is assigned a unique SK (secret key) which is used in further steps to authenticate the user. The second phase, registration, depends on whether the user is new or not. When a new user opens an Amazon S3 account, that user must register with an email address which will then need to be verified by the user. When an existing user approaches Amazon S3, they proceed directly to the third step, user authentication, where the username and password combination is verified against Amazon's servers. This step can be further secured by using a two-factor authentication device, which requires an additional piece of information generated from a separate device in order to log in to the account. Through the use of this security framework, Amazon S3 is able to thwart several attack methods, including replay attacks and man-in-the-middle attacks.
The Cloud Security Alliance (CSA) (2014) has also produced cloud security guidance that segments cloud computing security issues into several domains. The two domains most relevant to confidentiality were information management and data security (fifth domain), and identity, entitlement, and access management (twelfth domain). The authors recommend using a data security lifecycle for evaluating and defining cloud data security strategy as a high-level overview of cloud security.
Considering the vast number of computers in the world today, and the various forms of home PCs and mobile devices, security needs to be a top priority, especially when they are being used to access personal data from cloud services. Chow et al. (2010) introduce a new framework for cloud access security, of particular use on mobile devices, named TrustCube. This framework aims to add to the typical methods of authentication (what you know, what you have, and what you are) by including what you do, through keeping track of a user's habits. This TrustCube authentication would run on cloud servers and be accessible by any CSP to authenticate users more quickly.
Chow, Jakobsson, et al. (2010) were able to implement a version of TrustCube to work with mobile devices. They configured the software to keep track of user characteristics, including calling patterns, website access, and location. They also realize that while this software is able to successfully authenticate the user, it is always advisable to include an additional method of authentication in case it does not work. In their testing, the access control policies they designed, based on personal habit characteristics, proved successful in authenticating the user and preventing unauthorized access with a low failure rate.
While this system is not perfect at achieving authentication, it can prove beneficial to Amazon's S3 cloud services. A large portion of S3 involves data storage, to which users want quick access from anywhere, hence their use of the cloud for storage. If cloud providers, including Amazon S3, implement the TrustCube dynamics, they will be able to provide quicker access for their users, allowing for better consumer satisfaction. The inclusion of user habits is also a great method of adding an additional security layer for users who are extremely security-conscious.
Mouratidis et al. (2013) provide a systematic and structured framework for cloud computing security. Unlike other existing frameworks for cloud computing security, these authors approach the topic of cloud provider selection from a decidedly technical perspective. Although the approach is technical, descriptions within the work about high-level goal setting work well to inform a comprehensive approach to security in this environment. This work is also unique because it walks through a case study in building the proposed model. Despite the existence of FedRAMP as a tool for evaluation of the security of cloud providers for United States federal government use, the section about secure cloud provider selection will highlight areas within FedRAMP that may need augmentation.


Methods
Research was conducted on the confidentiality of data stored on the Amazon S3 Infrastructure-as-a-Service (IaaS) cloud storage environment for the purposes of developing guidelines supplemental to FedRAMP that better address issues of confidentiality within this environment. Time and financial constraints inherent in the course setting impacted both the scope and nature of this research. First and foremost, the overall research methodology was descriptive and qualitative as a result. Further, the scope of this project was narrowed to focus only on the Amazon S3 storage service, rather than a broader assortment of Amazon's cloud service offerings, and only on the confidentiality aspect of the service, rather than all aspects of the C-I-A triad.
The key aspect of research during this study was an extensive literature review, which began with general research of the cloud computing environment. Ultimately, this review was also necessarily narrowed to match the scope of the research question. Beyond narrowing the focus of the research to confidentiality metrics and issues relating to the Amazon S3 cloud storage service, issues, and resolutions to issues, that could not be verified either through testing or through an independent third party were also removed from the scope of this research; however, Amazon has summarized how it complies with federal privacy laws (Amazon, 2014).
The research methods supported the following research motive: the cloud computing environment is an extremely dynamic space, and several sets of guidelines are being developed to promote secure use of cloud storage resources. In this context, the research question to be answered in this study is: "Are current FedRAMP guidelines sufficient to meet the challenges of data confidentiality faced by United States federal government agencies in the Amazon S3 cloud, or should guidelines be added, changed, or segmented by level of security required for a project?"

Discussion
On February 8, 2011, the Chief Information Officer of the United States released the
Federal Cloud Computing Strategy (FCCS) document (Kundra, 2011). The goal of this
document was to set forth a strategy that would increase the efficiency of information technology
use in the federal government both in terms of cost and time (Kundra, 2011, p. 1). The FCCS
policy is designed to work in conjunction with, and in support of, the CIO's February 2010
Federal Data Center Consolidation Initiative (FDCCI), which seeks to raise data center
efficiency through the elimination of 800 federal data centers by 2015 (Kundra, 2011, p. 8).
Based on estimates by the federal Office of Management and Budget (OMB), 25% of federal IT
spending was now being targeted for migration to cloud computing environments (Kundra, 2011,
p. 1).
Within the Decision Framework for Cloud Migration, the FCCS document does discuss
security requirements to be considered when agencies make decisions about the type of cloud to
be used, and the speed at which migration should occur (Kundra, 2011, pp. 11-14). FCCS
frames the evaluation criteria for security considerations in the cloud in terms of the Federal
Information Security Act (FISMA) requirements including, but not limited to Federal
Information Processing Standards (FIPS), and lays the responsibility for maintaining the
appropriate level of information security upon the individual agencies (Kundra, 2011, p. 13).
FCCS does, however, recognize that security (and other) concerns are likely to produce different
iterations of cloud computing within and among federal agencies by virtue of its recognition of
NIST's definition of cloud service models (Kundra, 2011, p. 6), and deployment models
(Kundra, 2011, p. 5), including private clouds. It also recognizes the need for a transparent
security environment between cloud providers and cloud consumers (Kundra, 2011, p. 26), and
cites the 2010 Federal Risk Authorization Management Program (FedRAMP) as responsible for
defining requirements for cloud computing security controls, including vulnerability scanning,
and incident monitoring, logging and reporting, in support of the secure and transparent cloud
security environment (Kundra, 2011, p. 26). Also according to the FCCS, the Department of
Homeland Security will assist in the operational security of federal agencies using cloud services
by publishing a list of top security threats related to the cloud as needed, whereas NIST will
assist with continued monitoring of cloud solutions as outlined by the Six Step Risk
Management Framework (Kundra, 2011, p. 26) cited as Special Publication 800-37, Revision
1 (Kundra, 2011, p. 26).
In the problem space of cloud computing controls exist several solutions frameworks.
FedRAMP, of course, applies to federal cloud computing and, consequently, plays a significant
role in defining the solution space. Because of its role as a controls structure for the United States
federal government, FedRAMP plays a significant role in that function for agencies that work
with the United States federal government, such as: state agencies, universities, private firms,
and foreign governments, as well as other entities that may not see the benefit in developing a
further structure. Despite FedRAMP's stature in the space, various other previously mentioned
controls structures exist. Organizations such as the Cloud Security Alliance (Cloud Security
Alliance, 2013), and trade-based professional associations (Mouratidis, 2013) have also proposed
control sets based on their own needs in cloud security. Our analysis has attempted to combine
those controls that, in our view, represent the best confidentiality controls for cloud computing
currently in existence across the community, compare the Amazon S3 service against these
augmented metrics, and return suggestions that are useful not only to Amazon S3, but to the
cloud computing community broadly. The timeline shown below presents Amazon's security and
compliance releases that have impacted the security of the Amazon S3 cloud storage service and
serve as the basis for the discussion of problems and issues that follows.


Cloud Provider Perspective: Amazon Web Services (AWS)

AWS Compliance timeline
This compliance timeline shows security policies implemented and compliance events
starting in 2009 with HIPAA to the first quarter of 2013 with improvements to IAM policy
variables:


Date - Security or Compliance Event: Description
4/3/13 - IAM Policy Variables: Create policies containing variables that will be dynamically evaluated using context from the authenticated user's session.
3/26/13 - AWS CloudHSM: Use dedicated Hardware Security Module (HSM) appliances within the AWS Cloud.
3/11/13 - VPC by default: EC2 instances will be launched in a VPC for new customers (Amazon Virtual Private Cloud, Amazon VPC).
11/19/12 - Cross-account API access using IAM roles: Delegate temporary API access to AWS services and resources within your AWS account without having to share long-term security credentials.
7/10/12 - MFA-protected API access: Enforce MFA authentication for AWS service APIs via AWS Identity and Access Management (IAM) policies.
6/11/12 - IAM Roles: Simplifies the process for applications to securely access AWS service APIs from EC2 instances.
1/30/12 - AWS Trusted Advisor: Self-service access to proactive alerts that identify opportunities to save money, improve system performance, or close security gaps.
11/11/11 - Compliance Milestone: SOC 1, Type 2 Report
11/2/11 - Support for virtual MFA devices: Use a smartphone, tablet, or computer running any application that supports the open TOTP standard.
10/4/11 - S3 server-side encryption: Request encrypted storage when you store a new object in Amazon S3 or when an existing object is copied.
9/15/11 - Compliance Milestone: FISMA Moderate
8/16/11 - AWS GovCloud: AWS Region designed to allow US government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements.
8/3/11 - AWS Direct Connect: Enables you to bypass the public Internet when connecting to AWS.
12/7/10 - Compliance Milestone: PCI DSS Level 1
11/18/10 - Compliance Milestone: ISO 27001
9/2/10 - AWS Identity and Access Management (IAM): Enables you to securely control access to AWS services and resources for your users.
11/11/09 - Compliance Milestone: SAS70 Type II Audit
8/31/09 - AWS Multi-Factor Authentication (MFA): Provides an extra level of security that can be applied to your AWS environment.
8/26/09 - Amazon VPC: Provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define.
4/6/09 - Compliance milestone: white paper for HIPAA-compliant data applications


For an extended and detailed account of security-related improvements to Amazon S3 during the
current year, 2014, see Appendix 1: Amazon Web Services (AWS) security updates. For a complete list
of compliance reports as well as certifications and third-party attestations, see Amazon Web
Services. (2014). AWS Risk and Compliance Whitepaper.
Incidents related to Amazon S3 Configurations
This account of events attempts to present the perspective that security must be addressed by all
involved parties. When transferring services to the Cloud, there is a significant transference of
risk, but this transfer is not absolute and complete. Customers must remain vigilant about the
portion of security responsibility that they control. In many cases this means reviewing SLAs and
ensuring that services are correctly configured to perform as expected, from user and group
permissions through to data privacy assurances. Listed below are two reports that show
configuration issues related to cloud services, one from the customer side and another from the
provider.

August 08, 2011 - Amazon S3 security: Exploiting misconfigurations (TechTarget
Magazine)
Amazon S3 misconfigurations, and what companies should do to ensure Amazon S3
security and avoid inadvertent data exposure. A security researcher, Diji Ninja, had an epiphany
when considering how Amazon S3 storage functioned: if each URL was customized with a
unique account name, it would be possible to use existing brute force techniques to enumerate
the Amazon S3 buckets and possibly access the files. The researcher developed a tool to test this
theory using standard wordlists and running them against the Amazon S3 API. The tool can also
test whether the Amazon S3 storage bucket has been properly configured for public or private
access.
Running this tool with a simple word list produces enlightening results that demonstrate
both an Amazon S3 oversight and the importance of proper customer configuration. The tool
runs through the wordlist by testing access to bucket URLs in succession in this format:
http://s3.amazonaws.com/wordlist. Using a wordlist of only 2,700 words, a scan revealed the
existence of roughly 15,000 files contained in Amazon buckets, both public and private.
Most surprising, even files that exist in buckets that are marked as private are still listed by
name even though they cannot be accessed. Customers may not realize that the names of their
files contained in these private buckets are available to anyone with a Web browser and the
proper URL to their bucket. Anyone using this service should, at a minimum, consider a generic
naming convention to obfuscate the contents of the bucket from public access.
Ninja's test produced another surprising result: a large number of publicly accessible buckets.
Customers may not have configured the storage properly for public/private access and
inadvertently exposed private data to the Internet. This data may include pictures stored in the
Amazon S3 storage buckets, customer invoices, and sensitive documents containing Social
Security numbers and other private data that was not meant to be shared. Amazon S3 customers
should create controls to maintain and monitor the permissions set on storage buckets to avoid
the risk of an inadvertent breach of confidential data.

March-April, 2013 - Amazon S3 misconfiguration exposes businesses' data (Computing
Magazine) (CloudPro) (Rapid7 [16])
Amazon's Simple Storage Service (S3) users may have misconfigured their accounts,
leading to the exposure of business data to the public, security solution provider Rapid7 has
found.
The firm discovered 12,328 unique buckets, and of those buckets 1,951 were public buckets,
meaning that nearly one in six buckets could be looked at by anyone who is interested.

[16] https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
After reviewing the permissions of 12,328 Amazon S3 buckets, the Rapid7 team revealed
that, of the 1,951 'public' ones, there were some 126 billion files exposed in all, around 60 percent
of which were images. However, there were also 28,000 PHP source files (including database
usernames, passwords and API keys) and 218,000 CSV files (including personal data such as
email addresses and telephone numbers), as well as 5 million text files, large numbers of which
were marked as private or confidential and contained sensitive personal credentials and details
about the organisations concerned and their customers. Getting even more specific on the
information that was exposed in these buckets, Rapid7 cites examples such as sales records and
accounts from a large car dealership, source code and development tools from a mobile gaming
outfit, sales 'battlecards' for a large software vendor and assorted cases of employee personal
information across various spreadsheets.
The most common exposure was through log backups that were left globally accessible.
Rapid7 has since worked with Amazon to disclose this misconfiguration, and recommended that
customers check their bucket settings unless they really want to openly share their files.
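Both incidents above come down to bucket permissions that the customer never reviewed. The following is an added example written for this report, not code from the TechTarget or Rapid7 articles or from Amazon: an offline audit of a bucket's ACL (in the shape boto3's get_bucket_acl() returns) and its bucket policy that flags grants to the AllUsers and AuthenticatedUsers groups and unconditional Allow statements to Principal "*". The group URIs and permission names are the real ones from the S3 ACL model; the bucket names, owner ID and policy documents are constructed sample data. The permission descriptions also explain the observation in the first report: READ on the bucket itself lets anyone list object names, even when the objects are private.

```python
"""Offline audit of S3 bucket ACL grants and bucket policies for public exposure."""
import json

# Pre-defined S3 grantee group URIs (real values from the S3 ACL model).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone (anonymous)", AUTHENTICATED_USERS: "any AWS account holder"}

# What each bucket-level ACL permission lets a grantee do.
PERMISSION_MEANING = {
    "READ": "list object names in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "change the bucket ACL (equivalent to full control)",
    "FULL_CONTROL": "all of the above",
}


def public_acl_grants(acl):
    """Return findings for grants to AllUsers / AuthenticatedUsers.
    `acl` has the shape of boto3's get_bucket_acl() response."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perm = grant.get("Permission")
            findings.append({
                "source": "acl",
                "who": PUBLIC_GROUPS[grantee["URI"]],
                "permission": perm,
                "effect": PERMISSION_MEANING.get(perm, "unknown permission"),
            })
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return findings for Allow statements granted to everyone."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "source": "policy",
            "who": "anyone (Principal *)",
            "actions": sorted(actions),
            "conditional": "Condition" in stmt,  # a Condition may narrow the grant; review it
        })
    return findings


def audit_bucket(name, acl, policy=None):
    """Combine ACL and policy findings into one report for a bucket."""
    findings = public_acl_grants(acl)
    if policy:
        findings += public_policy_statements(policy)
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed sample data (not real buckets): one bucket with a public-read ACL
# and an unconditional public-read bucket policy, and one private bucket.
SAMPLE_OWNER = {"ID": "EXAMPLE-OWNER-CANONICAL-ID"}
PUBLIC_READ_ACL = {"Owner": SAMPLE_OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": SAMPLE_OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": SAMPLE_OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": SAMPLE_OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-logs-backup/*"}]}

if __name__ == "__main__":
    for report in (audit_bucket("example-logs-backup", PUBLIC_READ_ACL, PUBLIC_READ_POLICY),
                   audit_bucket("example-private", PRIVATE_ACL)):
        print(json.dumps(report, indent=2))
```

In a live account the same functions would be fed the output of a ListBuckets loop calling get_bucket_acl() and get_bucket_policy() for each bucket, which is the monitoring control the first report recommends.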





Third Parties and Other Perspectives
As the cloud computing environment continues to grow and evolve, third party service
providers will continue to offer products and services that are touted as enhancements to the
cloud computing experience. Currently, this dynamic is, in part, represented in the cloud security
space by makers of front-end managers, such as cloudberry, for S3 services, and by an open-
source distributed web application firewall project called IronBee. Services like the previously
mentioned could become viable in the space of major cloud computing vendors, it would become
a marker to provide innovative solutions with the cloud as as platform, and represent a
competitive driver to push cloud providers toward a higher level of security. Further research
ought to be pursued in this subject.


FedRAMP Changes: What is the impact in cloud services?
According to several influential IT professionals [17], the combination of education,
experience and the advent of the Federal Risk and Authorization Management Program standards,
regulations intended to standardize cloud security, will increase cloud adoption in
government significantly over the next few years [18]. While benefits and security continue to
mature, agencies become more comfortable with the culture changes involved in reliance on the
cloud for computing resources. Cloud providers have to build trust with their customers, and the
currency is information [19]. While we have no reason to expect major changes in FedRAMP or
its administration that would negatively impact the education efforts, trust, or the FedRAMP
framework itself, we remain curious about the potential impact of FedRAMP's recent change in
jurisdiction from the General Services Administration to the Office of the Chief Information
Officer. The directives from the CIO's office relating to federal cloud computing strategy
suggest that this move is simply administrative, and that the overall direction of FedRAMP will
remain consistent (Kundra, 2011). Though FedRAMP must constantly evolve to meet the rapidly
changing security needs in cloud computing, large changes in the framework at this stage would
disrupt the CIO's vision for government computing in the cloud, and likely make the transition
of services to the cloud far more difficult.

[17] Brocade and FCW, retrieved from: www.FCW.com/ResearchREportCloudComputing
[18] ibid.
[19] ibid.



Problems and Issues
This study faced two main issues in generating its results. The first and largest of these
issues was time. Once our group was formed, and our topic assigned, we began to identify the
problem set. We felt that a broad study of security frameworks across the service groups within
cloud computing was useful, but narrowed the topic down dramatically in order to be able to
provide a substantive deliverable by the end of the course term. The short time frame also
impacted our work by forcing removal from our scope verification and validation of information
provided by Amazon about the confidentiality of the S3 service, as well as the removal of a
testing phase related to Amazon's two-factor authentication offering for its cloud services,
including S3.
Testing of two-factor authentication was also impacted by the second issue of this study,
which is funding. Devices or services that may have impacted the confidentiality of S3 could not
be purchased due to lack of funds. Though the devices that Amazon uses for two-factor
authentication within the S3 service are relatively inexpensive, many of Amazon's cloud service
offerings that are targeted toward larger organizations, such as government agencies, are not.
Without access to these services, or models that would serve as adequate substitutes, we were
prevented from performing tasks that may have produced significant insight into the security
structure and function of Amazon's web services due to the possibility of breaking live Amazon
services. Doing so would have violated the bounds of this project.



Conclusions and Future Study

This project focuses on a small subset of the security challenges currently facing cloud
computing; however, it has the potential to produce large-scale impacts on users of cloud storage
services. Simply because the cloud computing space is growing so rapidly, any work that affects
the space will impact an enormous number of users. We feel that this project will guide the
security posture not only of Amazon's S3 service, but also enhance guidelines for the
confidentiality of data on cloud storage services across other providers.
FedRAMP, and other creators of frameworks relating to the security of cloud computing
are making strong progress in a challenging and quickly evolving space. The breadth of
frameworks like CSA and FedRAMP, which make them useful to most cloud computing users,
also place the real burden of providing useful security to those seeking guidance from these
frameworks upon the person or people who are evaluating the cloud use against the guidelines.
In the case of FedRAMP provider evaluations, this burden falls to the third party service
evaluators. This system provides a security vulnerability because the suite of provider offerings
is not evaluated against specific agency or project needs. This responsibility falls to agencies
considering the use of cloud services, who are likely not to have expertise in such evaluations.
Once again, consulting firms may add value in this space, but their understanding of the needs of
the agency is questionable, and gaining that type of understanding would likely be expensive.
Consequently, while FedRAMP is a strong framework from which to begin evaluation of cloud
service providers against customer needs, we believe that augmenting FedRAMP based on the
following suggestions would add greater confidentiality to the framework.
All organizations using, or considering the use of, cloud services would likely benefit
from the adoption by standards organizations of a data classification system similar to the
security clearance system currently used by national security-related agencies in the United
States government. These levels would be more extensive than the current FedRAMP low, and
FedRAMP medium designations, and would also incorporate higher levels of security controls
similar to those found in the DoD cloud security model (DISA, 2014). Classifying data by
sensitivity for security and privacy purposes could balance the cost of security with the benefit of
that security at these different levels, especially if developed by consensus both inside and
outside of the national security apparatus. If cloud security framework systems were augmented
with these classifications, selection and utilization of cloud services would likely be much more
straightforward and consequently, more likely to be implemented effectively.
Moving forward in cloud computing security, it is becoming increasingly important to
understand the interaction within the cloud among the various services offered. For example,
because we were not able to test Amazon's cryptographic offerings that claim to encrypt data on
the service, we recommend that sensitive data be encrypted prior to being uploaded to the cloud;
however, this recommendation takes on added challenge when data is stored on the cloud by a
SaaS application that also lives in the cloud. In light of recent challenges with government web
portals that process highly privacy-sensitive information such as www.healthcare.gov working in
support of the Affordable Care Act, it would seem to be unthinkable to implement such a system
in a private cloud environment. We suggest that, with the proper implementation of strong
controls and monitoring, even a healthcare.gov cloud may be able to share cloud space with
other agencies in a relatively secure manner.
Because our time working on this project was so short, and because the cloud computing
environment is so dynamic, opportunities for future work on this topic abound. Certainly, SaaS
and PaaS are fertile ground for study, as are the availability and integrity aspects of the C-I-A
triad, since all of these topics were scoped out of this work. Creation or adoption of the
information classification system recommended above would also be extremely worthy of
investigation.
As more users migrate to these services, and as they begin to store more sensitive
information within the cloud, it is imperative that the confidentiality of their data is assured. If
we consider applications where critical health or genetic information is stored using the cloud, or
where troops in the field use a similar type of service to communicate critical information to
commanders, the impact of data confidentiality becomes clear. Though we will not be able to
solve the majority of challenges relating to the confidentiality of data in the cloud environment
over the course of a single semester, we feel that this project will make a real and lasting
contribution to the state-of-the-art in this area, and be able to be built upon by future class
research. Ultimately, we hope to make cloud storage more secure for millions of users
worldwide.




References
Amazon Web Services. (2014). Amazon Web Services: Risk and Compliance, April 2014.
Retrieved April 10, 2014 from
http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
Astrova, I., Grivas, S. G., Schaaf, M., Koschel, A., Bernhardt, J., Kellermeier, M. D., & Herr, M.
(2012). Security of a Public Cloud. 2012 Sixth International Conference on Innovative
Mobile and Internet Services in Ubiquitous Computing, 564–569.
doi:10.1109/IMIS.2012.78
Behl, A., & Behl, K. (2012). An Analysis of Cloud Computing Security Issues, 109–114.
Chiu, D., & Agrawal, G. (2010). Evaluating caching and storage options on the Amazon Web
Services Cloud. 2010 11th IEEE/ACM International Conference on Grid Computing,
17–24. doi:10.1109/GRID.2010.5697949
Chow, R., Jakobsson, M., Masuoka, R., Molina, J., Niu, Y., Shi, E., & Song, Z. (2010).
Authentication in the Clouds: A Framework and its, 1–6.
Cloud Security Alliance. (2013). Security Guidance for Critical Areas of Focus in Cloud, 0–176.
Garfinkel, S. (2007). Commodity Grid Computing with Amazon's S3 and EC2.
Gurkok, C. (2013). Securing Cloud Computing Systems. Computer and Information Security
Handbook 2e (pp. 97–124). Elsevier Inc. doi:10.1016/B978-0-12-394397-2.00006-4
IronBee Open Source Web Application Firewall. (2013).
Kshetri, N. (2013). Privacy and security issues in cloud computing: The role of institutions and
institutional evolution. Telecommunications Policy, 37(4-5), 372–386.
doi:10.1016/j.telpol.2012.04.011
Kundra, V. (2011). Federal Cloud Computing Strategy.
Ma, X. (2012). Security Concerns in Cloud Computing. 2012 Fourth International Conference
on Computational and Information Sciences, 1069–1072. doi:10.1109/ICCIS.2012.274
Marinescu, D. (2013). Cloud Computing Theory and Practice: Cloud Security (Chapter 9),
273–300. doi:10.1016/B978-0-12-404627-6.00009-9
Mouratidis, H., Islam, S., Kalloniatis, C., & Gritzalis, S. (2013). A framework to support
selection of cloud providers based on security and privacy requirements. Journal of
Systems and Software, 86(9), 2276–2293. doi:10.1016/j.jss.2013.03.011
Nayak, S. K., Mohapatra, S., & Majhi, B. (2012). An Improved Mutual Authentication
Framework for Cloud Computing. User message, 52(5), 36–41.
Shraer, A., Cachin, C., & Cidon, A. (2010). Venus: Verification for untrusted cloud storage.
Workshop on Cloud, 19–29. Retrieved from
http://dl.acm.org/citation.cfm?id=1866841
Tajadod, G., Batten, L., & Govinda, K. (2012). Microsoft and Amazon: A comparison of
approaches to cloud security, 539–544.
United States Defense Information Systems Agency. (2014). DoD Enterprise Cloud Service
Broker.
Yang, K., & Jia, X. (2014). Security for Cloud Storage Systems. Springer.
Yu, Y., Niu, L., Yang, G., Mu, Y., & Susilo, W. (2014). On the security of auditing mechanisms
for secure cloud storage. Future Generation Computer Systems, 30, 127–132.
doi:10.1016/j.future.2013.05.005


APPENDICES

APPENDIX 1: Amazon Web Services (AWS) security updates
Some of the latest security improvements to Amazon Web Services (AWS) for 2014 are
listed below in order to provide a documented overview of advancements in providing more
secure cloud services.


April 21, 2014 - AWS account access keys
AWS will remove the ability to retrieve existing secret access keys for your AWS (root) account.
Secret access keys are, as the name implies, secrets, like your password. Just as AWS doesn't
allow you to retrieve your password if you forget it, you will no longer be able to retrieve the
secret access keys for your root account. This is (and always has been) the case with secret
access keys for IAM users.

April 2, 2014 - Update to AWS Sign-In
The sign-in experience for IAM users accessing AWS websites such as the AWS Management
Console, Support, or Forums has been updated. The new sign-in experience continues to provide
the same functionality as the previous one, but provides a more consistent experience for IAM
users when signing in to an AWS account, whether on a PC, tablet, or mobile phone.

April 1, 2014 - RedShift receives FedRAMP Authority to Operate (ATO)
AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP
assessment and authorization process and has been added to our list of services covered under
our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S.
Department of Health and Human Services (HHS). This is the first new service we've added to
our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May
2013.
With the addition of Redshift we now have six FedRAMP covered services in our US East/West
FedRAMP package, including: EC2, VPC, S3, EBS, IAM and now Redshift. The US East/West
FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and
use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region.
Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it
simple and cost-effective to efficiently analyze all your data using your existing business
intelligence tools. It is optimized for datasets ranging from a few hundred gigabytes to a petabyte
or more.

March 26, 2014 - AWS Secures DoD Provisional Authorization
AWS has received a DISA Provisional Authorization under the DoD Cloud Security Model's
impact levels 1-2 for all four of AWS's Infrastructure Regions in the U.S., including AWS
GovCloud (US). With this distinction, AWS has shown it can meet the DoD's stringent security
and compliance requirements; as a result, even more DoD agencies can now use AWS's
secure, compliant infrastructure. Built on the foundation of the FedRAMP Program, the DoD
CSM includes additional security controls specific to the DoD. The Defense Information
Systems Agency (DISA) assessed Amazon's compliance with these additional security controls and
granted the authorization, which will reduce the time necessary for DoD agencies to evaluate and
authorize the use of the AWS Cloud.

March 18, 2014 - Use AWS CloudFormation to configure Web Identity Federation
Web identity federation in AWS STS enables you to create apps where users can sign in using a
web-based identity provider like Login with Amazon, Facebook, or Google. Your app can then
trade identity information from the provider for temporary security credentials that the app can
use to access AWS.
The AWS mobile development team created an S3PersonalFileStore sample app for iOS and
Android that shows you how to use web identity federation to let users store information in
individual S3 folders.

March 5, 2014 - High Availability IAM Design Patterns
The AWS Identity and Access Management (IAM) team provides a tutorial on how to enable
resiliency against authentication and authorization failures in an application deployed on
Amazon EC2, using a high availability design pattern based on IAM roles.

February 27, 2014 - How do I protect cross-account access using MFA?
AWS announced support for adding multi-factor authentication (MFA) for cross-account access.
This practice demonstrates how to create policies that enforce MFA when IAM users from
one AWS account make programmatic requests for resources in a different account.
Many customers maintain multiple AWS accounts, and Amazon is frequently asked how to simplify
access management across those accounts. IAM roles provide a secure and controllable
mechanism to enable cross-account access. Roles allow you to accomplish cross-account access
without any credential sharing and without the need to create duplicate IAM users. With this
announcement, you can add another layer of protection for cross-account access by requiring
users to authenticate using an MFA device before assuming a role.
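The IAM Policy Variables entry in the compliance timeline and the MFA-protected access notes above describe two policy features that are clearer when seen in operation. The following is an added example written for this report, not AWS code and not AWS's evaluation engine: a deliberately simplified evaluator that substitutes ${aws:username} from the request context into Resource ARNs and honors a Bool condition on aws:MultiFactorAuthPresent, treating a missing key as not satisfying the condition (the BoolIfExists operator that AWS documents for callers whose credentials carry no MFA context is not modelled). The variable and condition key names are real IAM identifiers; the bucket name, user names and policy document are constructed, and only Allow/Deny effects, wildcard matching and the Bool operator are supported.

```python
"""Simplified model of IAM policy variables and the aws:MultiFactorAuthPresent
Bool condition.  Illustrative only: supports Allow/Deny, wildcard Action and
Resource matching, ${...} substitution and the Bool condition operator."""
import fnmatch
import re

VARIABLE = re.compile(r"\$\{([a-zA-Z:]+)\}")


def substitute(template, context):
    """Replace ${aws:username}-style variables with values from the request context."""
    def repl(match):
        key = match.group(1)
        if key not in context:
            raise KeyError(f"policy variable {key} missing from request context")
        return context[key]
    return VARIABLE.sub(repl, template)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, context):
    """IAM-style wildcard match after substituting variables into each pattern."""
    return any(fnmatch.fnmatchcase(value, substitute(p, context)) for p in _as_list(patterns))


def _conditions_met(conditions, context):
    """Only the Bool operator is modelled.  A key absent from the request
    context never satisfies the condition (so an Allow that requires MFA
    does not fire for a session that reports no MFA state at all)."""
    for operator, pairs in conditions.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny'; no matching statement is an implicit Deny,
    and an explicit Deny overrides any Allow."""
    decision = "Deny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt["Action"], action, context):
            continue
        if not _matches(stmt["Resource"], resource, context):
            continue
        if not _conditions_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed example policy: each IAM user may read only their own prefix, and
# may write there only from a session that authenticated with MFA.
HOME_DIRECTORY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Constructed request contexts for one user with and without MFA.
ALICE_NO_MFA = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "false"}
ALICE_MFA = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
ALICE_LONG_TERM_KEY = {"aws:username": "alice"}  # no MFA context at all

if __name__ == "__main__":
    own = "arn:aws:s3:::example-bucket/home/alice/report.csv"
    other = "arn:aws:s3:::example-bucket/home/bob/report.csv"
    for label, action, resource, ctx in [
            ("read own file, no MFA", "s3:GetObject", own, ALICE_NO_MFA),
            ("read bob's file", "s3:GetObject", other, ALICE_NO_MFA),
            ("write own file, no MFA", "s3:PutObject", own, ALICE_NO_MFA),
            ("write own file, MFA", "s3:PutObject", own, ALICE_MFA),
            ("write own file, long-term key", "s3:PutObject", own, ALICE_LONG_TERM_KEY)]:
        print(f"{label}: {evaluate(HOME_DIRECTORY_POLICY, action, resource, ctx)}")
```

The point the model makes visible is that a single policy document scales to every user because the variable is resolved per request, and that the MFA requirement is enforced by the policy rather than by the caller's good behaviour.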

February 17, 2014 - Whitepaper: Security at Scale: Logging in AWS
The Security at Scale: Logging in AWS whitepaper is designed to illustrate how AWS CloudTrail
can help Amazon customers meet compliance and security requirements through the logging
of API calls. The API call history can be used to track changes to resources, perform security
analysis and operational troubleshooting, and aid in meeting compliance requirements.
This whitepaper is primarily focused on the functionality of AWS CloudTrail and describes how
to:
Control access to log files
Obtain alerts on log file creation and misconfiguration
Manage changes to AWS resources and log files
Manage storage of log files
Generate customized reporting of log data
The paper also relates these features to major compliance program requirements related to
logging (e.g. ISO 27001:2005, PCI DSS v2.0, FedRAMP, etc.) and provides a robust compliance
program index in the appendix for your reference.

January 15, 2014 - Tracking Federated User Access to Amazon S3 and Best Practices for
Protecting Log Data
Auditing by using logs is an important capability of any cloud platform. There are several third
party solution providers that provide auditing and analysis using AWS logs. Last November
AWS announced its own logging and analysis service, called AWS CloudTrail. While logging is
important, understanding how to interpret logs and alerts is crucial. In this blog post, Aaron
Wilson, an AWS Professional Services Consultant, explains in detail how to interpret S3 logs
within a federated access control context.

January 1, 2014 - Amazon Retrospective view of 2013
IAM: We posted a mixture of prescriptive guidance and detailed explanations about released
Identity and Access Management features and best practices geared towards practitioners.
Where's my secret access key?
A safer way to distribute AWS credentials to EC2
IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3
Resources)
Guidelines for when to use Accounts, Users, and Groups
How to rotate access keys for IAM users
Improve the security of your AWS account in less than 5 minutes
Securing access to AWS using MFA Part I
Securing access to AWS using MFA Part 2
Securing access to AWS using MFA Part 3
Policies and Permissions: IAM policies and permissions are powerful tools for authorization.
Therefore, we focused a number of articles to help you fully realize the potential of IAM.
Generating IAM Policies in Code
Writing IAM Policies: How to grant access to an Amazon S3 bucket
IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3
Resources)
Resource-level Permissions for EC2 Controlling Management Access on Specific
Instances
Announcement: Resource Permissions for additional EC2 API actions
Amazon EC2 Resource-Level Permissions for RunInstances
Announcing New IAM Policy Simulator
A primer on RDS resource-level permissions
Announcing resource-level permissions for AWS OpsWorks
Identity Federation: AWS launched three identity federation features and also made several
smaller announcements
Delegating API Access to AWS Services Using IAM Roles
Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML
2.0
New AWS web identity federation supports Amazon.com, Facebook, and Google
identities
Understanding the API options for securely delegating access to your AWS account
AWS CloudFormation now supports federated users and temporary security
credentials
New playground app to explore web identity federation with Amazon, Facebook, and
Google
Encryption:
Encrypting data in Amazon S3
AWS CloudHSM Use Cases (Part One of the AWS CloudHSM Series)
Compliance:
Auditing Security Checklist for AWS Now Available
2013 PCI Compliance Package available now
New Whitepaper: AWS Cloud Security Best Practices
AWS Achieves First FedRAMP(SM) Agency ATOs
Other: Several of the remaining posts on important AWS security topics were partner related; the other two referenced security material published and distributed in other venues.
  - Controlling network access to EC2 instances using a bastion server
  - Recap of re:Invent Sessions
  - Credentials Best Practices on the AWS Java Developers Blog
  - CloudBerry Active Directory Bridge for Authenticating non-AWS AD Users to S3
  - Analyzing OS-Related Security Events on EC2 with SplunkStorm

APPENDIX 2: Consolidated Confidentiality Security Controls

CCM V3.0 Control ID   Control Domain - Control
AIS-04   Application & Interface Security - Data Security / Integrity
AAC-03   Audit Assurance & Compliance - Information System Regulatory Mapping
BCR-11   Business Continuity Management & Operational Resilience - Policy
CCC-02   Change Control & Configuration Management - Outsourced Development
CCC-03   Change Control & Configuration Management - Quality Testing
DSI-01   Data Security & Information Lifecycle Management - Classification
DSI-05   Data Security & Information Lifecycle Management - Information Leakage
DSI-06   Data Security & Information Lifecycle Management - Non-Production Data
DSI-08   Data Security & Information Lifecycle Management - Secure Disposal
DCS-01   Datacenter Security - Asset Management
GRM-02   Governance and Risk Management - Data Focus Risk Assessments
GRM-03   Governance and Risk Management - Management Oversight
GRM-04   Governance and Risk Management - Management Program
GRM-10   Governance and Risk Management - Risk Assessments
HRS-02   Human Resources - Background Screening
HRS-05   Human Resources - Industry Knowledge / Benchmarking
HRS-07   Human Resources - Non-Disclosure Agreements
HRS-08   Human Resources - Roles / Responsibilities
HRS-11   Human Resources - User Responsibility
IAM-08   Identity & Access Management - Trusted Sources
SEF-01   Security Incident Management, E-Discovery & Cloud Forensics - Contact / Authority Maintenance
SEF-02   Security Incident Management, E-Discovery & Cloud Forensics - Incident Management
SEF-03   Security Incident Management, E-Discovery & Cloud Forensics - Incident Reporting
SEF-04   Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Legal Preparation
SEF-05   Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Metrics
STA-03   Supply Chain Management, Transparency and Accountability - Network / Infrastructure Services
STA-05   Supply Chain Management, Transparency and Accountability - Supply Chain Agreements
STA-09   Supply Chain Management, Transparency and Accountability - Third Party Audits

Consolidated Confidentiality Security Controls - DETAILED

CCM V3.0 Control ID | Control Domain - Control | Control Specification

AIS-04   Application & Interface Security - Data Security / Integrity
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure protection of confidentiality, integrity, and availability of data exchanged between one or more system interfaces, jurisdictions, or external business relationships to prevent improper disclosure, alteration, or destruction. These policies, procedures, processes, and measures shall be in accordance with known legal, statutory and regulatory compliance obligations.

AAC-03   Audit Assurance & Compliance - Information System Regulatory Mapping
An inventory of the organization's external legal, statutory, and regulatory compliance obligations associated with (and mapped to) any scope and geographically-relevant presence of data or organizationally-owned or managed (physical or virtual) infrastructure network and systems components shall be maintained and regularly updated as per the business need (e.g., change in impacted-scope and/or a change in any compliance obligation).

BCR-11   Business Continuity Management & Operational Resilience - Policy
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.

CCC-02   Change Control & Configuration Management - Outsourced Development
The use of an outsourced workforce or external business relationship for designing, developing, testing, and/or deploying the organization's own source code shall require higher levels of assurance of trustworthy applications (e.g., management supervision, established and independently certified adherence to information security baselines, mandated information security training for the outsourced workforce, and ongoing security code reviews).

CCC-03   Change Control & Configuration Management - Quality Testing
A program for the systematic monitoring and evaluation to ensure that standards of quality and security baselines are being met shall be established for all software developed by the organization. Quality evaluation and acceptance criteria for information systems, upgrades, and new versions shall be established and documented, and tests of the system(s) shall be carried out both during development and prior to acceptance to maintain security. Management shall have a clear oversight capacity in the quality testing process, with the final product being certified as "fit for purpose" (the product should be suitable for the intended purpose) and "right first time" (mistakes should be eliminated) prior to release. It is also necessary to incorporate technical security reviews (i.e., vulnerability assessments and/or penetration testing) to remediate vulnerabilities that pose an unreasonable business risk or risk to customers (tenants) prior to release.

DSI-01   Data Security & Information Lifecycle Management - Classification
Data and objects containing data shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization, third-party obligation for retention, and prevention of unauthorized disclosure or misuse.

DSI-05   Data Security & Information Lifecycle Management - Information Leakage
Security mechanisms shall be implemented to prevent data leakage.

DSI-06   Data Security & Information Lifecycle Management - Non-Production Data
Production data shall not be replicated or used in non-production environments.

DSI-08   Data Security & Information Lifecycle Management - Secure Disposal
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

DCS-01   Datacenter Security - Asset Management
Assets must be classified in terms of business criticality in support of dynamic and distributed physical and virtual computing environments, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly (or in real-time), and assigned ownership supported by defined roles and responsibilities, including those assets used, owned, or managed by customers (tenants).

GRM-02   Governance and Risk Management - Data Focus Risk Assessments
Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following:
  - Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
  - Compliance with defined retention periods and end-of-life disposal requirements
  - Data classification and protection from unauthorized use, access, loss, destruction, and falsification

GRM-03   Governance and Risk Management - Management Oversight
Managers are responsible for maintaining awareness of, and complying with, security policies, procedures and standards that are relevant to their area of responsibility.

GRM-04   Governance and Risk Management - Management Program
An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall include, but not be limited to, the following areas insofar as they relate to the characteristics of the business:
  - Risk management
  - Security policy
  - Organization of information security
  - Asset management
  - Human resources security
  - Physical and environmental security
  - Communications and operations management
  - Access control
  - Information systems acquisition, development, and maintenance

GRM-10   Governance and Risk Management - Risk Assessments
Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals, to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

HRS-02   Human Resources - Background Screening
Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk.

HRS-05   Human Resources - Industry Knowledge / Benchmarking
Industry security knowledge and benchmarking through networking, specialist security forums, and professional associations shall be maintained.

HRS-07   Human Resources - Non-Disclosure Agreements
Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals.

HRS-08   Human Resources - Roles / Responsibilities
Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.

HRS-11   Human Resources - User Responsibility
All personnel shall be made aware of their roles and responsibilities for:
  - Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations
  - Maintaining a safe and secure working environment

IAM-08   Identity & Access Management - Trusted Sources
Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.

SEF-01   Security Incident Management, E-Discovery & Cloud Forensics - Contact / Authority Maintenance
Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted-scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.

SEF-02   Security Incident Management, E-Discovery & Cloud Forensics - Incident Management
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.

SEF-03   Security Incident Management, E-Discovery & Cloud Forensics - Incident Reporting
Workforce personnel and external business relationships shall be informed of their responsibility and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.

SEF-04   Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Legal Preparation
In the event a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures, including chain of custody, shall be required for the preservation and presentation of evidence to support potential legal action subject to the relevant jurisdiction. Upon notification, customers (tenants) and/or other external business relationships impacted by a security breach shall be given the opportunity to participate as is legally permissible in the forensic investigation.

SEF-05   Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Metrics
Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.

STA-03   Supply Chain Management, Transparency and Accountability - Network / Infrastructure Services
Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures.

STA-05   Supply Chain Management, Transparency and Accountability - Supply Chain Agreements
Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms:
  - Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations)
  - Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships
  - Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts
  - Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain)
  - Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
  - Expiration of the business relationship and treatment of customer (tenant) data impacted
  - Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence

STA-09   Supply Chain Management, Transparency and Accountability - Third Party Audits
Third-party service providers shall demonstrate compliance with information security and confidentiality, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at planned intervals to govern and maintain compliance with the service delivery agreements.
