Category: Government


Now Available: Videos and Slide Decks from the re:Invent 2015 Security and Compliance Track

Whether you want to review a Security and Compliance track session you attended at re:Invent 2015, or you want to experience a session for the first time, videos and slide decks from the Security and Compliance track are now available.

SEC201: AWS Security State of the Union: How Should We All Think About Security?

SEC202: If You Build It, They Will Come: Best Practices for Securely Leveraging the Cloud

SEC203: Journey to Securing Time Inc.’s Move to the Cloud

Redshift – FedRAMP AWS Security Blog Announcement

AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP assessment and authorization process and has been added to our list of services covered under our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S. Department of Health and Human Services (HHS). This is the first new service we’ve added to our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May 2013.

With the addition of Redshift we now have six FedRAMP covered services in our US East/West FedRAMP package, including: EC2, VPC, S3, EBS, IAM and now Redshift.  The US East/West FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region.

AWS Secures DoD Provisional Authorization

I’m very excited to share that AWS has received a DISA Provisional Authorization under the DoD Cloud Security Model’s impact levels 1-2 for all four of AWS’s Infrastructure Regions in the U.S., including AWS GovCloud (US). With this distinction, AWS has shown it can meet the DoD’s stringent security and compliance requirements; and as a result, even more DoD agencies can now use AWS’s secure, compliant infrastructure. To learn more about the AWS DoD Provisional Authorization, please visit https://aws.amazon.com/compliance/dod-csm-faqs.

Built on the foundation of the FedRAMP Program, the DoD CSM includes additional security controls specific to the DoD.  The Defense Information Systems Agency (DISA) assessed our compliance with those additional security controls and granted the authorization which will reduce the time necessary for DoD agencies to evaluate and authorize the use of the AWS Cloud.

With today’s announcement, our services are listed in the DoD Enterprise Cloud Service Broker (ECSB) catalog, and DoD agencies can immediately request AWS DoD Provisional Authorization compliance support by submitting a Compliance Support Request to the AWS public sector sales and business development team.  For more information on AWS security and compliance, please visit the AWS Security Center, https://aws.amazon.com/security, and the AWS Compliance Center, https://aws.amazon.com/compliance.

Chad Woolf
Director, AWS Risk & Compliance

Enable Single Sign-On to the AWS Management Console via Shibboleth

<Repost from AWS Blog, here in its entirety>

One of the most powerful features of AWS Identity and Access Management (IAM) is its ability to issue temporary security credentials and grant controlled access to people in a network without having to define individual identities for each user (i.e., identity federation). This enables customers to extend their existing authentication systems and allow users to Single Sign-On (SSO) to the AWS Management Console.

Last November, we released sample code that will allow customers to create a federation proxy server that uses IAM roles to create temporary security credentials which can be used by Windows Active Directory users to Single Sign-On (SSO) to the AWS Management Console. Thousands of universities and government institutions currently use Shibboleth as their SSO authentication system across many disparate systems. We’ve received feedback from these customers who want a sample demonstrating how to leverage existing Shibboleth systems to easily enable SSO to the AWS Management Console.

Today, we are excited to release additional sample code that extends the functionality of the federation proxy to support Shibboleth using the Security Assertion Markup Language (SAML). The sample code empowers system architects and admins to configure Shibboleth and IAM so users can leverage AWS services while still managing the user’s credentials in their local directory. The sample allows federated users to log into the AWS Management Console without having to create individual IAM users. This approach of federating the use of AWS is a great way to expand and extend your organization’s ability to securely access AWS resources.

Securing Access to AWS Using MFA–Part 2

In part I of our series on multi-factor authentication (MFA), we mentioned that the next topic would be securing access to AWS APIs with MFA. This week’s guest blogger Kai Zhao, Product Manager on our AWS Identity and Access Management (IAM) team, will give a brief overview of AWS MFA-protected API access.


Introduction

MFA-protected API access extends AWS MFA protection to AWS service APIs. You can enforce MFA authentication for AWS service APIs via AWS Identity and Access Management (IAM) policies. This provides an extra layer of security over powerful operations that you designate, such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3.

AWS Achieves First FedRAMP(SM) Agency ATOs

I’m very excited to share that AWS is now a FedRAMP-compliant cloud service provider. See the Amazon press release. This is game-changing news for our U.S. government customers and systems integrators and other companies that provide products and services to the U.S. government because:

  1. It provides agencies a standardized approach to security assessment, authorization, and continuous monitoring for AWS products and services. Prior to the FedRAMP process, government security assessments of cloud providers were not standardized; they varied greatly in scope and depth and were an inefficient use of time and resources. Through FedRAMP, agencies now have a mechanism to obtain comprehensive AWS security assessment documentation and to perform an evaluation of our environment. Agencies can immediately request access to the AWS FedRAMP package by submitting a FedRAMP Package Access Request Form and begin moving through the process to evaluate our platform and authorize AWS for sensitive government workloads.
  2. It demonstrates the AWS environment meets the high bar of the FedRAMP security and control requirements. This means U.S. government customers can immediately start leveraging the Authority to Operate (ATO) provided by the Department of Health and Human Services (HHS) to use the AWS cloud. Kevin Charest, HHS Chief Information Security Officer, shared that by using AWS, all of the HHS Operating Divisions can now “reduce duplicative efforts, inconsistencies, and cost inefficiencies associated with current security authorization processes.”
  3. It provides agencies with the immediate ability to comply with the Office of Management and Budget’s (OMB) mandate to “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB).
