Delivering on the AWS Digital Sovereignty Pledge: Unrestricted management

<p>Earning and keeping customers’ trust is the cornerstone of AWS’s operations. We are aware that achieving this requires protecting business information. We also recognize that claims and accountability are still necessary to earn trust.</p>

<p>In November 2022, we announced the new <a href="https://aws.amazon.com/blogs/security/aws-digital-sovereignty-pledge-control-without-compromise/" target="_blank" rel="noopener">AWS Digital Sovereignty Pledge</a>, our commitment to offering all AWS customers the most advanced set of sovereignty controls and features available in the cloud. Two pillars of this pledge are verifiable control over data access and the ability to encrypt everything everywhere. We already offer a range of <a href="https://aws.amazon.com/compliance/data-protection/" target="_blank" rel="noopener">data protection</a> features, accreditations, and contractual commitments that give customers control over where they locate their data, who can access it, and how it is used. Today, I’d like to update you on how we are continuing to earn your trust with verifiable control over customer data access and external control of your encryption keys.</p>
<h3>AWS Nitro System achieves independent third-party validation</h3>
<p>We are committed to helping our customers meet evolving sovereignty requirements and providing greater transparency and assurances into how AWS services are designed and operated. With the <a href="https://aws.amazon.com/ec2/nitro/" target="_blank" rel="noopener">AWS Nitro System</a>, which is the foundation of the AWS computing service Amazon EC2, we <a href="https://docs.aws.amazon.com/pdfs/whitepapers/latest/security-design-of-aws-nitro-system/security-design-of-aws-nitro-system.pdf" target="_blank" rel="noopener">designed and delivered first-of-a-kind innovation</a> by eliminating any mechanism AWS personnel have to access customer data on Nitro. Our removal of an operator access mechanism was unique in 2017 when we first launched the Nitro System.</p>
<p>As we continue to deliver on our digital sovereignty pledge of customer control over data access, I’m excited to share with you an independent report on the security design of the AWS Nitro System. We engaged <a href="https://www.nccgroupplc.com/" target="_blank" rel="noopener">NCC Group</a>, a global cybersecurity consulting firm, to conduct an architecture review of our security claims about the Nitro System and produce a public report. This report confirms that the AWS Nitro System, by design, has no mechanism for anyone at AWS to access your data on Nitro hosts. The report evaluates the architecture of the Nitro System and our claims about operator access. It concludes that “As a matter of design, NCC Group found no gaps in the Nitro System that would compromise these security claims.” It also goes on to state, “NCC Group finds…there is no indication that a cloud service provider employee can obtain such access…to any host.” Our computing infrastructure, the Nitro System, has no operator access mechanism, and that design is now supported by a third-party analysis of those data controls. Read more in the <a href="https://research.nccgroup.com/2023/05/03/public-report-aws-nitro-system-api-security-claims/" rel="noopener" target="_blank">NCC Group report</a>.</p>
<h3>New AWS Service Term</h3>
<p>At AWS, security is our top priority. The NCC report shows the Nitro System is an exceptional computing backbone for AWS, with security at its core. The Nitro controls that prevent operator access are so fundamental to the Nitro System that we’ve added them to our <a href="https://aws.amazon.com/service-terms/" target="_blank" rel="noopener">AWS Service Terms</a>, which apply to anyone who uses AWS.</p>
<p>Our AWS Service Terms now include the following on the Nitro System:</p>
<blockquote>
<p>AWS personnel do not have access to Your Content on AWS Nitro System EC2 instances. There are no technical means or APIs available to AWS personnel to read, copy, extract, modify, or otherwise access Your Content on an AWS Nitro System EC2 instance or encrypted-EBS volume attached to an AWS Nitro System EC2 instance. Access to AWS Nitro System EC2 instance APIs – which enable AWS personnel to operate the system without access to Your Content – is always logged, and always requires authentication and authorization.</p>
</blockquote>
<h3>External control of your encryption keys with AWS KMS External Key Store</h3>
<p>As part of our promise to continue to make the AWS Cloud sovereign-by-design, we pledged to keep investing in an ambitious roadmap of capabilities, which includes our encryption capabilities. <a href="https://aws.amazon.com/blogs/aws/announcing-aws-kms-external-key-store-xks/" target="_blank" rel="noopener">At re:Invent 2022</a>, we took further steps to deliver on this roadmap of encrypting everything everywhere, with encryption keys managed inside or outside the AWS Cloud, by announcing the availability of the <a href="https://aws.amazon.com/kms/" target="_blank" rel="noopener">AWS Key Management Service (AWS KMS)</a> <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html" target="_blank" rel="noopener">External Key Store</a> (XKS). This innovation supports our customers who have a regulatory need to store and use their encryption keys outside the AWS Cloud. The <a href="https://github.com/aws/aws-kms-xksproxy-api-spec" target="_blank" rel="noopener">open source XKS specification</a> offers customers the flexibility to adapt to different HSM deployment use cases. While AWS KMS also prevents AWS personnel from accessing customer keys, this new capability may help some customers demonstrate compliance with specific regulations or industry expectations that require storage and use of encryption keys outside of an AWS data center for certain workloads.</p>
<p>In order to accelerate our customers’ ability to adopt XKS for regulatory purposes, we collaborated with external HSM, key management, and integration service providers that our customers trust. To date, <a href="https://cpl.thalesgroup.com/encryption/amazon-web-services-aws/external-key-store-xks" target="_blank" rel="noopener">Thales</a>, <a href="https://www.entrust.com/blog/2022/12/ownership-control-and-possession-a-new-aws-feature-for-key-management-with-the-cloud/" target="_blank" rel="noopener">Entrust</a>, <a href="https://www.fortanix.com/solutions/use-case/xks-for-aws" target="_blank" rel="noopener">Fortanix</a>, <a href="https://duokey.com/duokey-for-aws-xks/" target="_blank" rel="noopener">DuoKey</a>, and <a href="https://developer.hashicorp.com/vault/docs/enterprise/pkcs11-provider/aws-xks" target="_blank" rel="noopener">HashiCorp</a> have launched XKS implementations, and <a href="https://www.salesforce.com/eu/blog/2022/09/hyperforce-external-encryption-key-management.html" target="_blank" rel="noopener">Salesforce</a>, <a href="https://atos.net/wp-content/uploads/2022/11/PR-AWS-and-Atos-Strengthen-Collaboration-with-New-Strategic-Partnership-to-Transform-the-Infrastructure-Outsourcing-Industry.pdf" target="_blank" rel="noopener">Atos</a>, and <a href="https://www.t-systems.com/resource/blob/565764/e2f43a1e5c9403151b07649c11faf89a/DL-Flyer-External-Key-Managment-for-AWS-T-Systems-EN-12-2022.pdf" target="_blank" rel="noopener">T-Systems</a> have announced that they are building integrated service offerings around XKS. In addition, many SaaS solutions offer integration with AWS KMS for key management of their encryption offerings. Customers using these solutions, such as the offerings from <a href="https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html" target="_blank" rel="noopener">Databricks</a>, <a href="https://www.mongodb.com/docs/manual/core/csfle/reference/kms-providers/" target="_blank" rel="noopener">MongoDB</a>, <a href="https://docs.reltio.com/en/explore/get-your-bearings-in-reltio/console/tenant-management-applications/tenant-management/get-started-with-reltio-shield/encrypt-your-tenant-with-reltio-shield" target="_blank" rel="noopener">Reltio</a>, <a href="https://slack.com/enterprise-key-management" target="_blank" rel="noopener">Slack</a>, <a href="https://docs.snowflake.com/en/user-guide/security-encryption-manage" target="_blank" rel="noopener">Snowflake</a>, and <a href="https://support.zoom.us/hc/en-us/articles/4410211313293-Using-Customer-Managed-Key" target="_blank" rel="noopener">Zoom</a>, can now use keys in external key managers via XKS to secure data. This allows customers to simplify their key management strategies across AWS as well as certain SaaS solutions by providing a centralized place to manage access policies and audit key usage.</p>
<p>We remain committed to helping our customers meet security, privacy, and digital sovereignty requirements. We will continue to innovate sovereignty features, controls, and assurances within the global AWS Cloud and deliver them without compromise to the full power of AWS.</p>
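<p>An added example, not part of the original post and not AWS tooling, showing the kind of audit the XKS section above points to when it speaks of a centralized place to audit key usage: given KMS <code>DescribeKey</code> metadata and CloudTrail records, it separates keys whose material is held in an external key manager (<code>Origin</code> of <code>EXTERNAL_KEY_STORE</code>) from keys whose material resides in AWS-operated infrastructure, and reports which AWS-held keys are still serving data-plane operations, which is the list a sovereignty reviewer would want when planning an XKS migration. The key ARNs, custom key store id, external key id and event records are constructed sample values; the field names follow the shapes of the real <code>DescribeKey</code> response and of CloudTrail KMS event records.</p>

```python
"""Sovereignty audit: which KMS keys are XKS-backed, and which AWS-held keys are still in use.

Added example. Field names follow the KMS DescribeKey response (KeyMetadata)
and CloudTrail KMS event records; every ARN, id and event below is constructed.
"""
from collections import Counter, defaultdict

# KMS data-plane operations that exercise key material. Control-plane calls
# such as DescribeKey or ListKeys do not, and are not counted as key use.
DATA_PLANE_OPS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair",
}

# Constructed sample KeyMetadata records (a subset of the DescribeKey output).
XKS_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
SAMPLE_KEYS = [
    {
        "Arn": XKS_KEY_ARN,
        "Origin": "EXTERNAL_KEY_STORE",
        "CustomKeyStoreId": "cks-1234567890abcdef0",        # constructed
        # Id is the key identifier inside the customer's external key manager.
        "XksKeyConfiguration": {"Id": "bb8562717f809024"},  # constructed
    },
    {"Arn": AWS_KEY_ARN, "Origin": "AWS_KMS"},
]


def _event(name: str, arn: str) -> dict:
    """Build a constructed CloudTrail KMS record trimmed to the fields used here."""
    return {
        "eventSource": "kms.amazonaws.com",
        "eventName": name,
        "resources": [{"type": "AWS::KMS::Key", "ARN": arn}],
    }


SAMPLE_EVENTS = [
    _event("Decrypt", XKS_KEY_ARN),
    _event("Decrypt", XKS_KEY_ARN),
    _event("GenerateDataKey", AWS_KEY_ARN),
    _event("DescribeKey", AWS_KEY_ARN),  # control plane: must not count as key use
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "resources": []},
]


def classify_key(metadata: dict) -> dict:
    """Report where a key's material is held, based on KeyMetadata.Origin."""
    origin = metadata.get("Origin")
    record = {"arn": metadata["Arn"], "origin": origin, "external_key_id": None}
    if origin == "EXTERNAL_KEY_STORE":
        # Material stays in the external key manager; KMS holds only a reference.
        record["held"] = "external"
        record["external_key_id"] = metadata.get("XksKeyConfiguration", {}).get("Id")
    elif origin in ("AWS_KMS", "AWS_CLOUDHSM", "EXTERNAL"):
        # AWS_KMS and AWS_CLOUDHSM material lives in AWS-operated HSMs; EXTERNAL
        # means imported material, which also resides in AWS once imported.
        record["held"] = "aws"
    else:
        record["held"] = "unknown"
    return record


def usage_by_key(events) -> dict:
    """Count data-plane KMS operations per key ARN from CloudTrail records."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if ev.get("eventName") not in DATA_PLANE_OPS:
            continue
        for res in ev.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                counts[res["ARN"]][ev["eventName"]] += 1
    return counts


def aws_held_keys_in_use(key_metadata, events) -> list:
    """ARNs of keys whose material sits in AWS and that still serve data-plane calls."""
    used = usage_by_key(events)
    return sorted(
        rec["arn"]
        for rec in map(classify_key, key_metadata)
        if rec["held"] == "aws" and used.get(rec["arn"])
    )


if __name__ == "__main__":
    for rec in map(classify_key, SAMPLE_KEYS):
        print(rec)
    print("AWS-held keys still in use:", aws_held_keys_in_use(SAMPLE_KEYS, SAMPLE_EVENTS))
```

<p>In a real account the two inputs would come from <code>DescribeKey</code> over every key returned by <code>ListKeys</code> and from the CloudTrail trail that records KMS calls; the classification deliberately treats imported material (<code>Origin</code> of <code>EXTERNAL</code>) as AWS-held, because once imported it is used inside AWS KMS, which is exactly the case XKS is meant to replace for regulated workloads.</p>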