Can I trust Amazon Web Services security offerings regarding communication between services?

This question probably has a quick answer; however, I want a more detailed answer explaining how AWS provides a secure approach to guarantee safe communication between services.

Look at these examples.

This code is a real example; basically, it is executed from a Lambda function:

var AWS = require('aws-sdk');   // SDK for JavaScript (v2), bundled in the Lambda Node.js runtime
var sns = new AWS.SNS();
var params = {
    Message: "SMS message test",
    PhoneNumber: '+45xxxxxxxx',  // SNS expects E.164 format: leading '+' and country code
    Subject: 'Alarm',
    MessageAttributes: {
        'AWS.SNS.SMS.SenderID': {
            'DataType': 'String',
            'StringValue': 'MySender'
        },
        // every message attribute is an object with DataType/StringValue, not a bare string
        'AWS.SNS.SMS.SMSType': {
            'DataType': 'String',
            'StringValue': 'Transactional'
        }
    }
};

sns.publish(params, function(err_publish, data) {
    if (err_publish) {
        // do not swallow the error silently; log the error code without echoing the phone number
        console.error('SNS publish failed:', err_publish.code);
        return;
    }
    console.log('SNS MessageId:', data.MessageId);
});

The code above publishes a message to a specific number through the SNS service.

As you can see, the telephone number is sensitive data that will travel from the Lambda function to the SNS endpoint.


var AWS = require('aws-sdk');
var REGION = process.env.AWS_REGION;   // region of the target function; the Lambda runtime sets this variable
var lambda = new AWS.Lambda({region: REGION, apiVersion: '2015-03-31'});
// create JSON object for parameters for invoking Lambda function
var pullParams = {
    FunctionName : 'slotPull',
    InvocationType : 'RequestResponse',
    LogType : 'None',
    Payload : JSON.stringify({ /* placeholder: the request data sent to slotPull goes here */ })
};

// create variable to hold data returned by the Lambda function
var pullResults;
lambda.invoke(pullParams, function(error, data) {
    if (error) {
        console.error('Lambda invoke failed:', error.code);   // prompt() only exists in browsers, not in Lambda
    } else {
        pullResults = JSON.parse(data.Payload);
    }
    // pullResults is only populated here, once the asynchronous callback has fired
});

The code above invokes a Lambda function from a Lambda function. That code sends sensitive data as the payload as well.

And so on; there are a lot of scenarios, architectures, etc., where communication between services is executed.

Can I trust AWS security offerings for these kinds of scenarios, architectures, etc.?

1 answer

  • answered 2018-01-11 20:24 Ele

    AWS offers a huge set of services, and some of them are well integrated to accomplish different scenarios such as AI, serverless, bots, notifications, etc.

    We can execute Lambda functions from an API Gateway, from an SNS notification, etc. This communication between services happens within Amazon's private network, so for sure each call, execution, etc., is private and secure.

    Why?

    First, we have to understand how a service calls other services.

    Just as all of us execute API calls to trigger services in AWS, AWS itself does the same thing. The SDKs and RESTful services that AWS provides execute requests using the HTTPS protocol; therefore every communication will be encrypted. Further, everything happens within Amazon's private network, which is a very secure, isolated network.

    Take a look at the Shared Responsibility Model to learn more about the scope of your responsibility.

    [Figure: AWS Shared Responsibility Model chart]

    Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. As shown in the chart below, this differentiation of responsibility is commonly referred to as Security "of" the Cloud versus Security "in" the Cloud.

    The AWS responsibility is to provide a secure infrastructure. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

    Security of the Cloud

    AWS responsibility “Security of the Cloud” - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

    Security in the Cloud

    Customer responsibility “Security in the Cloud” – Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all of the necessary security configuration and management tasks. If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.

    In conclusion, AWS service integration guarantees a secure approach for communication between services; however, the customer is responsible for configuring every part of their architecture to meet the requirements of their infrastructure. AWS will provide a secure channel of communication between the services within its private network.

    Resources
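The audit below is an added example; it is not code from the question or the answer and it is not an AWS library API. It takes the answer's point that the customer's side of the shared responsibility model is configuration, and applies it to the two calls in the question: it flags execution-role statements that grant sns:Publish or lambda:InvokeFunction on a wildcard resource, flags SDK client options that would send a request without TLS (an http:// endpoint override or sslEnabled: false, both option names as in the SDK for JavaScript v2), and masks the phone number before it is written to a log. The policy document, account id, region, function name and client options are constructed sample data; the code uses only plain Node.js so it runs offline.

```javascript
'use strict';

// Constructed sample: execution-role policy for the Lambda that publishes to
// SNS and invokes 'slotPull'. Account id, region and ARN are placeholders.
const SAMPLE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 'sns:Publish', Resource: '*' },
    {
      Effect: 'Allow',
      Action: ['lambda:InvokeFunction'],
      Resource: 'arn:aws:lambda:eu-west-1:123456789012:function:slotPull',
    },
    { Effect: 'Allow', Action: 'logs:*', Resource: '*' },
  ],
};

// Constructed sample: per-service client options as a developer might pass
// them to an SDK v2 constructor (endpoint overrides are common in local testing).
const SAMPLE_CLIENT_OPTIONS = [
  { service: 'SNS', endpoint: undefined, sslEnabled: true },
  { service: 'Lambda', endpoint: 'http://localhost:3001', sslEnabled: true },
  { service: 'S3', endpoint: 'https://s3.eu-west-1.amazonaws.com', sslEnabled: false },
];

// IAM allows a single value or an array for Statement, Action and Resource.
const asList = (v) => (Array.isArray(v) ? v : [v]);

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// IAM action patterns may contain '*' wildcards ('sns:*', '*'); compare case-insensitively.
function actionMatches(pattern, action) {
  const re = new RegExp('^' + pattern.split('*').map(escapeRe).join('.*') + '$', 'i');
  return re.test(action);
}

// Return one finding per Allow statement that grants an action of interest on
// the literal wildcard resource '*'. Those are the grants to pin to specific
// ARNs (the SNS topic or the target function); partial ARN wildcards are not checked here.
function findOverbroadGrants(policy, actionsOfInterest) {
  const findings = [];
  for (const stmt of asList(policy.Statement)) {
    if (stmt.Effect !== 'Allow') continue;
    if (!asList(stmt.Resource).includes('*')) continue;
    for (const action of actionsOfInterest) {
      if (asList(stmt.Action).some((p) => actionMatches(p, action))) {
        findings.push({ action, resource: '*' });
      }
    }
  }
  return findings;
}

// Return the services whose client would send requests without TLS: either
// sslEnabled switched off, or an explicit endpoint override that is not https://.
function findPlaintextEndpoints(optionsList) {
  return optionsList
    .filter((o) => o.sslEnabled === false || (o.endpoint && !/^https:\/\//i.test(o.endpoint)))
    .map((o) => o.service);
}

// Mask a phone number before it reaches logs or error messages: keep the
// leading '+' and the last two digits, replace every other digit with '*'.
function maskPhoneNumber(number) {
  const digits = number.replace(/\D/g, '');
  const prefix = number.startsWith('+') ? '+' : '';
  if (digits.length <= 2) return prefix + '*'.repeat(digits.length);
  return prefix + '*'.repeat(digits.length - 2) + digits.slice(-2);
}

// Run both checks for the calling Lambda's two outbound calls from the question.
function auditCaller(policy, clientOptions) {
  return {
    overbroadGrants: findOverbroadGrants(policy, ['sns:Publish', 'lambda:InvokeFunction']),
    plaintextEndpoints: findPlaintextEndpoints(clientOptions),
  };
}

console.log(JSON.stringify(auditCaller(SAMPLE_POLICY, SAMPLE_CLIENT_OPTIONS), null, 2));
console.log('masked number for logging:', maskPhoneNumber('+4512345678'));
```

On the sample data the audit reports the sns:Publish grant on '*' (the lambda:InvokeFunction grant is already scoped to one function ARN and passes), lists Lambda and S3 as clients that would not use TLS, and logs the number as +********78. The same two checks apply to any other service-to-service call in the account: the transport is AWS's side of the model, the role scope and client configuration are the customer's.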