India Cloud Security and Compliance
Overview
With tens of thousands of customers in India already making great use of AWS to drive cost savings, accelerate innovation, speed time to market and expand their geographic reach, this new region will become a great home for startups, small-to-medium businesses, enterprises, and the public sector.
The AWS Asia Pacific (Mumbai) Region is designed and built to meet rigorous compliance standards, providing high levels of security for all AWS customers. As with every AWS Region, the Asia Pacific (Mumbai) Region is compliant with applicable national and local data protection laws. Customers have the assurance that their content stored in the Asia Pacific (Mumbai) Region will not move to another region unless legally required to do so or the customer moves it.
With Amazon Web Services we have created the flexibility and speed which you require in order to innovate faster.
Data Sovereignty
Customers retain control and ownership over the data that they choose to store with AWS, and they also choose the geographical region in which they store their content. AWS will not disclose or move customer content unless legally required to do so.
Privacy Queries
Customers should review Using AWS in the Context of Common Privacy and Data Protection Considerations to understand the choices they need to make to maintain the privacy of the data they store on AWS. Customers can review the AISPL privacy page for information on the AWS privacy policy as it applies to AISPL. AWS will only use customer account information in accordance with the Privacy Policy. The Privacy Policy does not apply to customer content.
Shared Responsibility Model
Because AWS customers retain ownership and control over their content within the AWS environment, they also retain responsibilities relating to the security of that content as part of the AWS “shared responsibility” model. This Shared Responsibility Model is fundamental to understanding the respective roles of the customer and AWS in the context of privacy and data protection requirements that may apply to content that customers choose to store or process using AWS services.
Securing Physical Access Controls
- AWS’ data centers are state of the art, utilizing innovative architectural and engineering approaches. AWS has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
- AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.
Securing Logical Access Controls
- AWS is responsible for implementing and configuring the logical access controls for the underlying infrastructure that provides the services customers use.
- Customers are responsible for configuring and implementing logical access controls for their half of the Shared Responsibility Model, which includes securing services that AWS provides to the customer such as IAM, MFA or the use of restrictive access control policies.
- AWS resources, identified by Amazon Resource Names (ARNs), can also have access control policies applied directly to the resource, ensuring that rules are consistently enforced on the resource regardless of which user attempts to access it.
Security Resources & Data Controls
AWS provides a number of services and features to help the customer secure their resources:
- Network Control via VPC:
- Security Groups
- NACLs
- Subnets
- Route tables
- Application Security Assessment:
Logging Access to Resources
- CloudTrail for an audit trail of all API activity on the AWS platform, allowing the customer to determine who took what action and from where.
- VPC Flow Logs for logging network flow records.
- Operating system and application logs for activity on the instance.
- CloudWatch Logs for processing VPC Flow Logs or on-instance logs.
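As an added example (not AWS tooling or code from this page), the following Python reads a few constructed CloudTrail records and turns them into the who/what/where audit view described above, then flags two conditions that tie back to the IAM/MFA item under Securing Logical Access Controls and to the data-residency point in the Overview: regional API calls landing outside ap-south-1, and changes made without MFA. The record field names are real CloudTrail fields; the records, account ID, IP addresses and finding labels are constructed.

```python
import json
HOME_REGION = "ap-south-1"  # Asia Pacific (Mumbai), the region this page describes
# Global services log with awsRegion us-east-1 in CloudTrail, so they are exempt from the region check.
GLOBAL_SERVICES = {"iam.amazonaws.com", "cloudfront.amazonaws.com", "route53.amazonaws.com"}
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Head")

# Constructed CloudTrail records trimmed to the fields used below; not real log data.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-06-28T09:15:02Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "awsRegion": "ap-south-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2016-06-28T09:20:44Z", "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2016-06-28T11:02:19Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-south-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"}},
    {"eventTime": "2016-06-28T11:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"}},
]})

def load_records(trail_json):
    return json.loads(trail_json)["Records"]

def who_what_where(rec):
    """The audit question the page poses: who took what action, in which region, from which address."""
    identity = rec.get("userIdentity", {})
    what = rec["eventSource"].split(".")[0] + ":" + rec["eventName"]
    return identity.get("arn", identity.get("type", "unknown")), what, rec["awsRegion"], rec["sourceIPAddress"]

def mfa_used(rec):
    # CloudTrail stores MFA state as the string "true"/"false"; a call signed with a long-term access
    # key carries no sessionContext at all, which is treated here as "no MFA".
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def triage(trail_json, home_region=HOME_REGION):
    """Flag events breaking two expectations from this page: content stays in the chosen region,
    and changes are made by MFA-authenticated principals. Finding labels are constructed names."""
    findings = []
    for rec in load_records(trail_json):
        who, what, region, ip = who_what_where(rec)
        if region != home_region and rec["eventSource"] not in GLOBAL_SERVICES:
            findings.append(("OUT_OF_HOME_REGION", who, what, region, ip))
        if not rec["eventName"].startswith(READ_ONLY_PREFIXES) and not mfa_used(rec):
            findings.append(("MUTATION_WITHOUT_MFA", who, what, region, ip))
    return findings
```

On the sample, `triage(SAMPLE_TRAIL)` reports the bucket created in us-east-1 and the EC2 launch made with a plain access key, while the read-only IAM call in us-east-1 is correctly left alone because IAM is a global service.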