Life Sciences

Architecting for genomic security and compliance

Issue link: https://read.uberflip.com/i/1182528


Amazon Web Services – Architecting for Genomic Data Security and Compliance in AWS, December 2014, Page 15 of 17

NIST 800-53, dbGaP Security Best Practices Appendix A, or other regionally accepted criteria. Software should also be configured according to application-specific best practices, and OS and software patches should be kept up to date. When you run operating systems and applications in AWS, you are responsible for configuring and maintaining your operating systems and applications, as well as the feature configurations in the associated AWS services such as Amazon EC2 and Amazon S3.

As a concrete example, imagine that a security vulnerability in the standard SSL/TLS shared library is discovered. In this scenario, AWS will review and remediate the vulnerability in the foundation services (see Figure 1), and you will review and remediate the operating systems and applications, as well as any service configuration updates needed for hybrid deployments.

You must also take care to properly configure the OS and applications to restrict remote access to the instances and applications. Examples include locking down security groups to allow SSH or RDP only from certain IP ranges, enforcing strong password or other authentication policies, and restricting user administrative rights on the OS and applications.

Auditing, Logging, and Monitoring

Researchers who manage controlled access data are required to report any inadvertent data release in accordance with the terms in the Data Use Certification, any breach of data security, or other data management incidents contrary to the terms of data access. The dbGaP security recommendations call for security auditing and intrusion detection software that regularly scans for and detects potential data intrusions. Within the AWS ecosystem, you have the option to use built-in monitoring tools, such as Amazon CloudWatch, as well as a rich partner ecosystem of security and monitoring software built specifically for AWS cloud services.

The AWS Partner Network lists a variety of system integrators and software vendors that can help you meet security and compliance requirements. For more information, see the AWS Life Science Partner webpage [6].

Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, and set alarms. Amazon CloudWatch provides performance metrics at the individual resource level, such as Amazon EC2 instance CPU load and network I/O, and lets you set thresholds on these metrics that raise alarms when a threshold is crossed. For example, you can set an alarm to detect unusual spikes in network traffic from an Amazon EC2 instance, which may be an indication of a compromised system. CloudWatch alarms can integrate with other AWS services to send the alerts simultaneously to multiple destinations. Example methods and destinations might include a message queue in Amazon Simple Queuing Service (Amazon SQS) that is continuously monitored by watchdog processes that automatically quarantine a system; a mobile text message to security and operations staff who need to react to immediate threats; and an email to security and compliance teams who audit the event and take action as needed.

Within Amazon CloudWatch you can also define custom metrics and populate them with whatever information is useful, even outside of a security and compliance requirement. For instance, an Amazon CloudWatch metric can monitor the size of a data ingest queue to trigger

[6] http://aws.amazon.com/partners/competencies/life-sciences/
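To make the alarm semantics above concrete, here is an added example (not from the whitepaper) that evaluates a CloudWatch-style "M of N periods breaching" alarm over constructed EC2 NetworkOut datapoints and records which notification targets would fire on the transition to ALARM. It runs offline without AWS credentials; the target names and the simplified handling of the first few periods are assumptions.

```python
"""CloudWatch-style M-of-N threshold alarm evaluated over sample NetworkOut data."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AlarmSpec:
    metric: str
    threshold_bytes: float      # a period breaches when its value exceeds this
    evaluation_periods: int     # N: number of most recent periods examined
    datapoints_to_alarm: int    # M: how many of the N must breach for ALARM
    alarm_actions: List[str] = field(default_factory=list)  # fan-out targets


def evaluate_states(spec: AlarmSpec, datapoints: List[float]) -> List[str]:
    """Return the alarm state ("OK" or "ALARM") after each datapoint.
    Assumption: before N datapoints exist, only the available points are
    judged; real CloudWatch applies additional missing-data rules."""
    states = []
    for i in range(len(datapoints)):
        window = datapoints[max(0, i + 1 - spec.evaluation_periods): i + 1]
        breaching = sum(1 for v in window if v > spec.threshold_bytes)
        states.append("ALARM" if breaching >= spec.datapoints_to_alarm else "OK")
    return states


def transitions(states: List[str]) -> List[Tuple[int, str, str]]:
    """(period index, old state, new state) for each change; initial state is OK."""
    out, prev = [], "OK"
    for i, s in enumerate(states):
        if s != prev:
            out.append((i, prev, s))
        prev = s
    return out


def dispatch(spec: AlarmSpec, states: List[str]) -> Dict[int, List[str]]:
    """Actions fired per period that entered ALARM: the quarantine queue,
    the SMS to on-call staff and the email to compliance, all at once."""
    return {i: list(spec.alarm_actions)
            for i, _old, new in transitions(states) if new == "ALARM"}


MB = 1024 * 1024
# Constructed sample: NetworkOut bytes per 5-minute period for one instance.
SAMPLE_NETWORK_OUT = [120 * MB, 90 * MB, 150 * MB, 800 * MB, 950 * MB,
                      120 * MB, 80 * MB, 60 * MB, 70 * MB]
NETWORK_SPIKE_ALARM = AlarmSpec(
    metric="NetworkOut", threshold_bytes=500 * MB,
    evaluation_periods=3, datapoints_to_alarm=2,
    # placeholder target names, not real AWS identifiers
    alarm_actions=["sqs:quarantine-queue", "sms:security-oncall", "email:compliance"])
```

Periods 4 and 5 have two of the last three datapoints above 500 MB, so the alarm enters ALARM at period 4 and returns to OK at period 6, firing all three actions once.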
