Difference between revisions of "Amazon Web Services"

From LIMSWiki

Revision as of 18:34, 27 May 2021

Amazon Web Services
Industry: Cloud computing, web services
Founder(s): Jeff Bezos
Headquarters: Seattle, Washington, United States
Area served: Worldwide
Key people: Adam Selipsky (CEO)
Products: IaaS, PaaS, DBaaS, DaaS
Revenue: $12.7 billion (Q4 2020)[1]
Parent: Amazon
Website: aws.amazon.com


Amazon Web Services (also known as AWS) is an American cloud computing company that provides public, private, hybrid, and multicloud solutions to enterprises, organizations, governments, and individuals. AWS operates more than 200 data centers distributed in various locations around the world, with Africa and South America the least represented.[2] The company provides more than 100 different products and services covering elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, cloud communication, data analysis, media management, container and middleware management, developer support, scientific computing, internet of things, and virtual and augmented reality.[3]

Provider research

This section uses public information to provide some answers to the 18 questions posed in Chapter 5 of the wiki-based guide Choosing and Implementing a Cloud-based Service for your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.


1. What experience do you have working with laboratory customers in our specific industry?

Examples of labs that have worked with AWS include Glidewell Laboratories[4], Merck Research Laboratories[5], National Renewable Energy Laboratory[6], and the upcoming Innovation Lab.[7] Additionally, an AWS article titled "Building the foundation for Lab of the Future using AWS," published in 2019, provides some insight into what a laboratory integrated with AWS cloud offerings might look like.[8] It's also worth noting that numerous laboratory information management system (LIMS) and laboratory information system (LIS) developers have offered their solutions on AWS over the years, including Abbott Informatics Corporation[9], Core Informatics, LLC[10], LabLynx, Inc.[11], Orchard Software Corporation[12], PD Evidence, LLC[13], and Thermo Scientific.[14] An AWS representative is likely to be able to supply more examples of laboratories and laboratory informatics developers that use or have used AWS.


2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?

It will ultimately be up to your organization to get an answer tailored to your systems and business processes. However, this much can be said about AWS integrations. AWS offers a variety of Application Integration services, described as "a suite of services that enable communication between decoupled components within microservices, distributed systems, and serverless applications."[15] This includes management for application programming interfaces, event-driven architectures, messaging, data flows, and serverless workflows.[15] Additionally, AWS offers several ways to integrate with existing on-premises systems, including AWS Outposts[16] and the combination of AWS DataSync with File Gateway.[17] Another document worth examining is AWS' eBook on building a hybrid cloud strategy.


3. What is the average total historical downtime for the service(s) we're interested in?

You'll largely have to ask this of AWS and see what response they give you. That said, third parties like StatusGator have been monitoring AWS downtime for years and are one option for assessing the kinds of historical downtime AWS has seen. AWS outages have made headlines nearly every year since at least 2011.[18][19][20] Keep in mind, however, that these reported outages affected only certain regions or services, not the entirety of AWS. That is why it's important to get realistic numbers from an AWS representative about what sort of outage you should expect for your specific services, keeping in mind how AWS measures uptime percentages in its service agreements[21]: the Compute SLA, for example, measures a monthly uptime percentage per region, and its remedy is a service credit rather than compensation for your losses.


4. Do we receive comprehensive downtime support in the case of downtime?

AWS does not make this answer clear. However, the answer is likely tied to which after-sales support plan you choose. Confirm with AWS what downtime support they provide for the services your organization is interested in.


5. Where are your servers located, and how is data securely transferred to and from those servers?

AWS has 80 Availability Zones, each with one or more discrete data centers, with 15 more Availability Zones planned (as of April 2021).[2] These zones are distributed in various locations around the world, with Africa and South America the least represented. AWS uses its content delivery network Amazon CloudFront, which "securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment." Security capabilities for CloudFront include field-level encryption, HTTPS, and multiple other layers of Amazon protection.[22] When moving data between on-premises and AWS systems, AWS provides AWS DataSync, which ensures "end-to-end security, including encryption and integrity validation, to ensure your data arrives securely, intact, and ready to use."[23] Data in motion is encrypted with Transport Layer Security (TLS); AWS uses its own open-source TLS implementation, s2n, which is deliberately kept small "to provide you with network encryption that is easier to understand and that is fully auditable."[24] Note that these protections cover the AWS-managed legs of the path; whether your own applications use TLS when talking to AWS endpoints (all of which support it) is your configuration choice. Other protections are in place as well, as seen in the security portion of AWS' Well-Architected Framework. As for data localization and residency requirements, an AWS eBook on the topic addresses some elements of it, largely in the scope of AWS Outposts; discuss the topic further with an AWS representative.


6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?

AWS discusses personnel and third-party access management in regards to physical data security on its data center controls page. However, it does not reference the specific certifications and training required for those who have permission to access your data. You will have to inquire with AWS about these considerations when asking this question.


7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?

Not all AWS machines have the same controls on them; which controls apply will depend on the region, product, and compliance requirements of your lab. Keep in mind as well that, under AWS' shared responsibility model, the compliance of a workload depends on how you configure the service (encryption, access control, logging), not only on the underlying machine. Verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data, and which of the required controls remain your responsibility.


8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)

Like Alibaba, AWS has moved past a paradigm of physical separation of data pools. In 2020, writing for AWS, Hyun and Anderson updated their whitepaper on logical separation on AWS, addressing how "identity management, network security, serverless and containers services, host and instance features, logging, and encryption" can fill the same shoes as physical separation, while also providing a U.S. Department of Defense use case that highlights logical separation as meeting physical separation intent.[25]

However, the concept of tenant isolation is addressed by AWS in multiple ways, from whitepapers to training courses and videos. The primary whitepaper addresses the concepts and architecture behind AWS' tenant isolation practices, primarily as they relate to software as a service (SaaS). Further technical details on how your data is segregated, if required, may be garnered in discussion with AWS.
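The logical-separation controls the whitepaper relies on (identity, transport encryption, encryption at rest) are largely ones the customer configures. The following is an added example, not AWS tooling and not part of the original page, of checking an S3 bucket policy for those three controls; the bucket name, ARNs, and account IDs are constructed placeholders:

```python
"""Added example (not AWS's own tooling): lint an S3 bucket policy for the
logical-separation controls the whitepaper relies on -- identity (who may
call), transport encryption (TLS only), and encryption at rest.
Bucket names, ARNs and account IDs below are constructed placeholders."""
import re

# Account IDs appear either as a bare 12-digit string or inside an IAM ARN.
_ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")
_BARE_ACCOUNT = re.compile(r"^\d{12}$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element to a list of strings ('*', ARNs or IDs)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):  # e.g. {"AWS": [...], "Service": "..."}
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def _has_condition(stmt, operator, key, value):
    """True if the statement carries Condition: {operator: {key: value}}."""
    block = stmt.get("Condition", {}).get(operator, {})
    return key in block and str(block[key]).lower() == value


def check_isolation(policy, account_id):
    """Return a list of findings; an empty list means all three controls hold."""
    findings = []
    stmts = _as_list(policy.get("Statement", []))

    # 1. Transport: a Deny on aws:SecureTransport=false rejects plaintext HTTP.
    if not any(s.get("Effect") == "Deny"
               and _has_condition(s, "Bool", "aws:SecureTransport", "false")
               for s in stmts):
        findings.append("no Deny for aws:SecureTransport=false (plaintext HTTP allowed)")

    # 2. At rest: Null=true on the SSE header denies PutObject without encryption.
    if not any(s.get("Effect") == "Deny"
               and _has_condition(s, "Null", "s3:x-amz-server-side-encryption", "true")
               for s in stmts):
        findings.append("no Deny for PutObject without a server-side-encryption header")

    # 3. Identity: every Allow must name a principal inside our own account.
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        sid = s.get("Sid", "<no Sid>")
        for p in _principals(s):
            if p == "*":
                findings.append(f"{sid}: Allow to any principal")
                continue
            m = _ACCOUNT_IN_ARN.match(p)
            owner = m.group(1) if m else (p if _BARE_ACCOUNT.match(p) else None)
            if owner and owner != account_id:
                findings.append(f"{sid}: Allow to foreign account {owner}")
    return findings


LAB_ACCOUNT = "111111111111"  # constructed
BUCKET = "arn:aws:s3:::lims-results"

# Constructed "before": world-readable, writable by another account, no encryption rules.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Sid": "PartnerWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:role/partner"},
     "Action": "s3:PutObject", "Resource": BUCKET + "/*"},
]}

# Constructed "after": one in-account role, TLS enforced, encryption header required.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LabAppReadWrite", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{LAB_ACCOUNT}:role/lims-app"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_isolation(pol, LAB_ACCOUNT) or "OK")
```

The checker only reads scalar condition values and the `Principal` element; it does not evaluate IAM's full policy logic (account-level SCPs, IAM policies on the calling role, or list-valued conditions), so treat a clean result as a necessary rather than sufficient condition.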


9. Do you have documented data security policies?

AWS documents its security practices in several places.

Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with an AWS representative to obtain them.


10. How do you test your platform's security?

According to Amazon, customers are allowed to perform penetration testing of their own resources in eight of its services without prior approval, though "[c]ustomers are not permitted to conduct any security assessments of AWS infrastructure, or the AWS services themselves."[26] Other types of testing that are allowed, with restrictions, include network stress testing, DDoS simulation testing, and other simulated events.[26] Amazon also appears to have a bug bounty program, managed by HackerOne.[27] As for AWS running attack-and-defense drills or breach and attack simulations on its own infrastructure, no public information could be found. You'll have to discuss this topic with an AWS representative.


11. What are your policies for security audits, intrusion detection, and intrusion reporting?

Audits: Per AWS: "AWS regularly undergoes independent third-party attestation audits to provide assurance that control activities are operating as intended. More specifically, AWS is audited against a variety of global and regional security frameworks dependent on region and industry. AWS participates in over 50 different audit programs."[28] This is demonstrated by its compliance credentials (e.g., see its trust center). AWS also provides guidance for customers conducting security audits of their own configurations, etc.

Intrusion detection and reporting: AWS describes intrusion detection and prevention systems that can be deployed for EC2 instances in a two-page brief. It states that these tools are capable of "alerting administrators of possible incidents, logging information, and reporting attempts," and are able to "actively prevent or block intrusions that are detected."[29] AWS also offers Amazon GuardDuty, an account-level threat detection service that also monitors Amazon S3 data access, able "to identify unusual activity within your accounts, analyze the security relevance of the activity, given the context in which it was invoked, and apply predictive probability to make a final verdict on whether that activity is sufficiently anomalous to warrant investigation."[30] Note that both of these monitor your resources and accounts, not AWS' own infrastructure. Confirm the intrusion detection and reporting services available to you for the services you plan to use.


12. What data logging information is kept and acted upon in relation to our data?

AWS has several data logging tools for customers, including Centralized Logging, Amazon CloudWatch, and AWS CloudTrail. AWS makes its data privacy policy relatively clear; however, AWS doesn't appear to make it publicly clear if they use these tools for their own data logging, let alone what they do with data logs related to your data. (They only state that they automatically collect "offering usage, occurrences of technical errors, diagnostic reports, your settings preferences, backup information, API calls, and other logs."[31]) Be sure an AWS representative is clear about what logging information they collect and use as it relates to your data.
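What the customer-facing logs contain, and what can be acted upon from them, is easier to see with records in hand. The following is an added example, not AWS' own detection logic and not part of the original page, that triages a handful of constructed AWS CloudTrail records for the kinds of events a lab would want flagged (logging being switched off, console logins without MFA, access by a principal outside your account, and object access from an untrusted network). The account IDs, addresses, and names are placeholders:

```python
"""Added example (not AWS's own detection logic): triage constructed CloudTrail
records for the events a lab would want acted upon. Account IDs, IPs, bucket
and user names are placeholders. Note that S3 object-level records
(GetObject/PutObject) only exist if S3 data events are enabled on the trail."""
import ipaddress

# Calls that blind the audit trail itself.
LOG_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
S3_DATA_EVENTS = {"GetObject", "PutObject", "DeleteObject"}

# Constructed records, trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "lims-results", "key": "run-42/plate.csv"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "bob"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "lims-results", "key": "run-42/plate.csv"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "accountId": "999999999999"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "lims-results", "key": "run-43/plate.csv"}},
]


def _ip_trusted(source, networks):
    """CloudTrail puts a service DNS name (e.g. 's3.amazonaws.com') in
    sourceIPAddress for calls AWS services make on your behalf; treat those
    as trusted and only range-check real addresses."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in networks)


def triage(events, trusted_accounts, trusted_cidrs):
    """Return (severity, rule, eventName, detail) tuples for records worth acting on."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for e in events:
        name = e.get("eventName", "")
        ident = e.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        acct = ident.get("accountId")
        if name in LOG_TAMPERING:
            alerts.append(("high", "cloudtrail-tampering", name, actor))
        if name == "ConsoleLogin" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append(("high", "console-login-without-mfa", name, actor))
        if acct and acct not in trusted_accounts:
            alerts.append(("high", "foreign-account-principal", name, acct))
        if (e.get("eventSource") == "s3.amazonaws.com" and name in S3_DATA_EVENTS
                and not _ip_trusted(e.get("sourceIPAddress", ""), networks)):
            alerts.append(("medium", "s3-data-access-from-untrusted-ip", name,
                           e.get("requestParameters", {}).get("key", "?")))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, {"111111111111"}, ["203.0.113.0/24"]):
        print(*alert)
```

Run against the constructed records with your own account ID and office/VPN range as the trusted set, four of the six records are flagged; the two clean ones are the MFA-backed login and the in-account object read from the trusted range. Real CloudTrail records carry many more fields (`eventTime`, `awsRegion`, `requestID`, `errorCode`), and the same rules can be expressed as Amazon CloudWatch metric filters or Amazon EventBridge rules rather than a script.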


13. How thorough are those logs and can we audit them on-demand?

Most AWS documentation references managing and viewing logs related to your own activities. However, unlike Alibaba, it's unclear if you are able to audit internal AWS logs on-demand. This is a conversation to have with an AWS representative.


14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?

Yes, AWS will sign a business associate agreement.[32] Consult their HIPAA compliance page for more details on their approach to HIPAA compliance.


15. What happens to our data should the contract expire or be terminated?

The AWS base agreement states[33]:

Unless we terminate your use of the Service Offerings pursuant to Section 7.2(b), during the 30 days following the Termination Date:

(i) we will not take action to remove from the AWS systems any of Your Content as a result of the termination; and

(ii) we will allow you to retrieve Your Content from the Services only if you have paid all amounts due under this Agreement.

However, clarify this policy in full with an AWS representative.


16. What happens to our data should you go out of business or suffer a catastrophic event?

It's not publicly clear how AWS would handle your data should they go out of business; consult with an AWS representative about this topic. As for catastrophic events, most documentation from AWS addresses how you, the customer, should handle disaster recovery, and little discusses AWS' own approach to catastrophic events. Like Alibaba, AWS uses at least three zones for redundancy: "Amazon S3 objects are stored across a minimum of three Availability Zones providing 99.999999999% durability of objects over a given year. Regardless of your cloud provider, there is the potential for failures to impact your workload. Therefore, you must take steps to implement resiliency if you need your workload to be reliability [sic]."[34] It's highly unlikely that all three zones would be affected in a single catastrophic event, but the zones of one region are geographically close, so a region-wide event remains possible. If this is a concern, discuss cross-region data redundancy with an AWS representative.


17. Can we use your interface to extract our data when we want, and in what format will it be?

AWS doesn't make it publicly clear how data migration from AWS to another cloud service would work. However, they advertise their AWS DataSync service "for moving data between on-premises storage systems and AWS Storage services, as well as between AWS Storage services."[23] They also offer a database migration service from your systems to AWS. But AWS doesn't appear to address migrating data out of their systems. The format your data comes back in depends on the service holding it: objects in storage are returned as stored, while data held in a managed AWS database would have to be exported. One article author has noted that transferring data out of AWS costs money[35]; this is correct, since AWS charges per gigabyte for data transferred out of its regions to the internet, with rates published on the relevant pricing pages, so egress cost should be part of any exit planning. It's unclear whether a third-party cloud transfer service (e.g., Cloudsfer) would be required or useful when moving from AWS to another cloud service. In the end, if there are still questions on this topic, discuss them with an AWS representative.


18. Are your support services native or outsourced/offshored?

It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an AWS representative.


Managed security services

AWS doesn't appear to explicitly advertise "managed security services." AWS does, however, offer a standard managed services portfolio through its AWS Managed Services offering.[36] Security and network management are offered as services of AWS Managed Services, but the breadth of that security management depends on which operations plan is selected: Accelerate or Advanced. At both levels, security monitoring is provided using Amazon GuardDuty and Amazon Macie. However, security conformance, IAM and security review, access management, managed firewall, endpoint protection, and network configuration vary depending on the plan chosen. Consult the plan feature table on AWS to learn more.[37]


Additional information

Documentation and other media

External links

References

  1. Novet, J. (2 February 2021). "Amazon’s cloud division reports 28% revenue growth; AWS head Andy Jassy to succeed Bezos as Amazon CEO". CNBC. https://www.cnbc.com/2021/02/02/aws-earnings-q4-2020.html. Retrieved 25 April 2021. 
  2. "Global Infrastructure". Amazon Web Services. https://aws.amazon.com/about-aws/global-infrastructure/. Retrieved 25 April 2021. 
  3. "AWS Solutions Library". Amazon Web Services. https://aws.amazon.com/solutions/. Retrieved 25 April 2021. 
  4. "Glidewell Laboratories Gains Deeper Data Insights Faster with Amazon Redshift and Attunity" (PDF). Amazon Web Services. 2017. https://www.qlik.com/us/-/media/files/resource-library/global-us/direct/case-studies/cs-glidewell-laboratories-qlik-and-amazon-case-study-en.pdf. Retrieved 25 April 2021. 
  5. "AWS Data Exchange". Amazon Web Services. https://aws.amazon.com/data-exchange/. Retrieved 25 April 2021. 
  6. "National Renewable Energy Laboratory’s OpenEI.org Case Study". Amazon Web Services. 2014. https://aws.amazon.com/solutions/case-studies/core-informatics/. Retrieved 25 April 2021. 
  7. Ozdemir, D. (29 December 2020). "Pfizer, Amazon, and AstraZeneca Team Up To Build Laboratory in Israel". Interesting Engineering. https://interestingengineering.com/pfizer-amazon-and-astrazeneca-team-up-to-build-laboratory-in-israel. Retrieved 25 April 2021. 
  8. Coker, S.; Atnoor, D.; Buckner, P. (11 September 2019). "Building the foundation for Lab of the Future using AWS". AWS for Industries. Amazon Web Services. https://aws.amazon.com/blogs/industries/building-the-foundation-for-lab-of-the-future-using-aws/. Retrieved 25 April 2021. 
  9. "Cloud Services". Abbott Informatics Corporation. https://www.informatics.abbott/us/en/offerings/cloud-services. Retrieved 25 April 2021. 
  10. "Core Informatics Case Study". Amazon Web Services. 2017. https://aws.amazon.com/solutions/case-studies/core-informatics/. Retrieved 25 April 2021. 
  11. "Cloud Hosting". LabLynx, Inc. https://www.lablynx.com/cloud-hosting/. Retrieved 25 April 2021. 
  12. "Orchard Announces Amazon Web Service–based Cloud Services Solution for Its Orchard Harvest Customers". Orchard Software Corporation. 5 October 2020. https://www.orchardsoft.com/press_release/orchard-announces-amazon-web-servicebased-cloud-services-solution-for-its-orchard-harvest-customers/. Retrieved 25 April 2021. 
  13. "PDEvidence Helps Solve Crimes Faster Using Automated AWS-Based System". Amazon Web Services. 2018. https://aws.amazon.com/solutions/case-studies/pdevidence/. Retrieved 25 April 2021. 
  14. Hall, H. (4 August 2020). "New deployment model optimizes LIMS implementation in the Amazon Web Services Cloud". R&D World. https://www.rdworldonline.com/new-deployment-model-optimizes-lims-implementation-in-the-amazon-web-services-cloud/. Retrieved 25 April 2021. 
  15. "Application Integration on AWS". Amazon Web Services. https://aws.amazon.com/products/application-integration/. Retrieved 25 April 2021. 
  16. "AWS Outposts". Amazon Web Services. https://aws.amazon.com/outposts/. Retrieved 25 April 2021. 
  17. Rajamani, S.; Bartley, J. (27 November 2020). "From on premises to AWS: Hybrid-cloud architecture for network file shares". AWS Storage Blog. Amazon Web Services. https://aws.amazon.com/blogs/storage/from-on-premises-to-aws-hybrid-cloud-architecture-for-network-file-shares/. Retrieved 25 April 2021. 
  18. RIQ News Desk. "Top 7 AWS Outages That Wreaked Havoc". ReadITQuik. https://www.readitquik.com/articles/cloud-3/top-7-aws-outages-that-wreaked-havoc/. Retrieved 25 April 2021. 
  19. Swearingen, J. (2 March 2018). "When Amazon Web Services Goes Down, So Does a Lot of the Web". Intelligencer. https://nymag.com/intelligencer/2018/03/when-amazon-web-services-goes-down-so-does-a-lot-of-the-web.html. Retrieved 25 April 2021. 
  20. Malone, K. (30 November 2020). "Businesses can avoid cloud provider downtime with redundancy — but at what cost?". CIODive. https://www.ciodive.com/news/aws-outage-cloud-recovery-interoperability/589844/. Retrieved 25 April 2021. 
  21. "Amazon Compute Service Level Agreement". Amazon Web Services. 22 July 2020. https://aws.amazon.com/compute/sla/. Retrieved 25 April 2021. 
  22. "Amazon Cloudfront". Amazon Web Services. https://aws.amazon.com/cloudfront/. Retrieved 25 April 2021. 
  23. "AWS DataSync". Amazon Web Services. https://aws.amazon.com/datasync/. Retrieved 25 April 2021. 
  24. Beer, K. (11 June 2020). "The importance of encryption and how AWS can help". AWS Security Blog. https://aws.amazon.com/blogs/security/importance-of-encryption-and-how-aws-can-help. Retrieved 25 April 2021. 
  25. Hyun, M.; Anderson, T. (29 July 2020). "Logical separation: Moving beyond physical isolation in the cloud computing era". AWS Security Blog. https://aws.amazon.com/blogs/security/logical-separation-moving-beyond-physical-isolation-in-the-cloud-computing-era/. Retrieved 25 April 2021. 
  26. "Penetration Testing". Amazon Web Services. https://aws.amazon.com/security/penetration-testing/. Retrieved 25 April 2021. 
  27. "Amazon Vulnerability Research Program". HackerOne. April 2020. https://hackerone.com/amazonvrp?type=team. Retrieved 25 April 2021. 
  28. "AWS risk and compliance program". Amazon Web Services: Risk and Compliance. Amazon Web Services. 11 March 2021. https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/aws-risk-and-compliance-program.html. Retrieved 25 April 2021. 
  29. "Intrusion Detection Systems and Intrusion Prevention Systems for EC2 Instances" (PDF). Amazon Web Services. https://d1.awsstatic.com/Marketplace/scenarios/security/SEC_01_TSB_Final.pdf. Retrieved 25 April 2021. 
  30. Megiddo, A. (12 March 2021). "How you can use Amazon GuardDuty to detect suspicious activity within your AWS account". AWS Security Blog. Amazon Web Services. https://aws.amazon.com/blogs/security/how-you-can-use-amazon-guardduty-to-detect-suspicious-activity-within-your-aws-account/. Retrieved 25 April 2021. 
  31. "Privacy Notice". Amazon Web Services. https://aws.amazon.com/privacy/. Retrieved 25 April 2021. 
  32. "HIPAA". Amazon Web Services. https://aws.amazon.com/compliance/hipaa-compliance/. Retrieved 25 April 2021. 
  33. "AWS Customer Agreement". Amazon Web Services. https://aws.amazon.com/agreement/. Retrieved 25 April 2021. 
  34. "Failure Management". Reliability Pillar. Amazon Web Services. July 2020. https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/failure-management.html. Retrieved 25 April 2021. 
  35. Oles, B. (14 August 2019). "A Guide to Automated Cloud Database Deployments". SeveralNines. https://severalnines.com/database-blog/guide-automated-cloud-database-deployments. Retrieved 25 April 2021. 
  36. "AWS Managed Services". AWS. https://aws.amazon.com/managed-services/. Retrieved 27 May 2021. 
  37. "AWS Managed Services Features". AWS. https://aws.amazon.com/managed-services/features/. Retrieved 27 May 2021.