Shared Security Responsibility Model for AWS Access

Terms and Conditions for Use

Yale's AWS environment is to be used only for Yale University purposes by authorized persons. Unauthorized use is prohibited and may result in administrative or legal action. System activities are monitored for administrative and security purposes. Anyone using the environment consents to such monitoring and accepts responsibility for preserving the confidentiality, integrity and availability of information accessed, created, stored, transmitted or received in their AWS account. Use is subject to all policies and procedures set forth by the University (https://your.yale.edu/policies-procedures/policies).

You are responsible for making sure that Yale's Minimum Security Standards are met. This responsibility extends to all aspects of security, whether handled by AWS, Yale IT, or yourself.

All services and applications which handle moderate or high risk data must have a Security Planning Assessment on record with Yale IT Information Security Office. This review is a mandatory requirement as per the Minimum Security Standards.

For more detailed information on Yale IT security, please visit the Yale Cybersecurity home page.


About the Shared Security Responsibility Model

AWS is responsible for the security of the platform that they provide, while users of those platforms are responsible for configuring the solutions they build in a secure manner.  This is known as the Shared Responsibility Model for cloud services.

If you are unable to implement your responsibilities, consider using the Spinup Self-Service portal or our Managed Servers - Linux or Managed Servers - Windows services.  

When reading the table below, please keep in mind the following definitions:

  • "AWS": Features of AWS services as Amazon provides them to Yale, generally not under Yale's control.

  • "Yale" or "IT": Work done by Yale IT to configure the service to meet Yale requirements or align with Yale-specific recommendations.

  • "You" or "User": Actions you must take to protect the security and integrity of your work, either as a best practice or to comply with a Yale policy.


Each Yale Minimum Security Requirement below is broken out into three parts: AWS Provides, Yale IT Provides, and Your Responsibility. Where a part is omitted, the table has nothing specific for that party.

General Requirements

Scanning/Auditing

Yale IT Provides: ITS Information Security may scan/audit Yale resources.

Your Responsibility: You are responsible for allowing ITS to scan/audit your resources.

Data Identification

Your Responsibility: You are responsible for identifying your data and upholding the security requirements for it. Refer to the Risk Classification Guideline for data classification information.

If you have additional data use agreements, you are responsible for adhering to the contractual agreement.

If your account contains HIPAA data, you are required to notify cloud.support@yale.edu so that the ITS Cloud Support team can add your account to Yale's BAA with AWS.

You are responsible for notifying cloud.support@yale.edu and information.security@yale.edu if the data classification of your data changes.

Maintain Contact Information

Your Responsibility: If you are the owner or administrator of an AWS account, you are responsible for keeping contact information up to date by notifying cloud.support@yale.edu of any changes to:

  • Owner Department,

  • Owner Department Contact,

  • Support Department,

  • Support Department Contact and

  • COA (charging instructions).

AWS sends notices relevant to your account to the email address associated with your account. This is typically an O365 Distribution List of the form aws-partner-YourLabName@yale.edu. If you are the owner or administrator of an account, you are responsible for keeping this list up to date with your team's email addresses by notifying cloud.support@yale.edu of any changes.



Application Software Inventory

Your Responsibility: You are responsible for continuously tracking and monitoring the software you install within your AWS account. This is crucial both for detecting unauthorized activity and for diagnosing system performance and security issues.

Enterprise Authentication and Multi-Factor Authentication (MFA)

AWS Provides: AWS provides several options for enterprise authentication and MFA for AWS console login.

Yale IT Provides: ITS has set up the AWS Single Sign-On (SSO) service so that you can access the AWS console with your NetID credentials, protected by Duo Multi-Factor Authentication (MFA).

Your Responsibility: Enterprise-level authentication is mandatory for accessing moderate and high-risk data, and MFA is additionally required for high-risk data.

Creating local accounts is strongly discouraged, especially for low-risk data, as they do not have MFA enabled by default and are disabled for console access.

As the owner or administrator of an AWS account, you are responsible for contacting cloud.support@yale.edu to add or remove an individual's console access.

You are also obligated to implement and enforce both enterprise authentication and MFA across all resources you manage, including but not limited to server logins and application access.

 

Data Encryption

AWS Provides: Encryption at rest: AWS offers optional encryption at rest. For example, EC2 EBS volumes, EFS file systems and S3 buckets can be encrypted but are not encrypted by default.

Encryption in transit: AWS lets you optionally mount an EFS file system using TLS to encrypt data in transit. You can optionally protect S3 data in transit using Secure Sockets Layer (SSL) or client-side encryption. You can optionally use SSL from your application to encrypt the connection to an RDS DB instance running MySQL, MariaDB, SQL Server, Oracle, or PostgreSQL.

Your Responsibility: You are responsible for encrypting moderate and high risk data at rest.

You are responsible for ensuring that all high risk data transfers in or out are encrypted using secure protocols and/or by turning on and configuring the encryption option for the AWS service/resource. This applies to communication by the application(s) as well as to management/maintenance connections. SSL encryption is highly recommended even for moderate or low risk data.
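As an added example (not part of this document or of Yale IT's tooling), the following Python checks the two points above, unencrypted EBS volumes and S3 buckets that still accept non-TLS requests, over constructed data shaped like the boto3 responses for describe_volumes and get_bucket_policy. The volume IDs and bucket names are made up; in a live account the same dicts would come from boto3 calls.

```python
"""Audit EBS volumes and S3 bucket policies against the encryption requirements above.

Added example, not Yale IT tooling. Inputs have the shape boto3 returns from
ec2.describe_volumes()["Volumes"] and json.loads(s3.get_bucket_policy(...)["Policy"]);
the samples below are constructed so the script runs offline.
"""
import json

# Constructed sample shaped like ec2.describe_volumes()["Volumes"]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0example1", "Encrypted": True},
    {"VolumeId": "vol-0example2", "Encrypted": False},  # created without encryption: a finding
]

# Constructed sample: bucket name -> parsed bucket policy, or None when the bucket has no policy
SAMPLE_BUCKET_POLICIES = {
    "lab-data-high": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::lab-data-high", "arn:aws:s3:::lab-data-high/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    },
    "lab-scratch": None,  # no policy at all: plaintext HTTP requests are still accepted
}


def unencrypted_volumes(volumes):
    """Return IDs of EBS volumes that are not encrypted at rest."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


def denies_insecure_transport(policy):
    """True when the policy has a Deny statement that fires whenever aws:SecureTransport
    is false, i.e. the bucket rejects any request that does not use TLS."""
    if not policy:
        return False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        # The value may be serialized as the string "false" or the JSON boolean false
        if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def buckets_allowing_plaintext(bucket_policies):
    """Return names of buckets whose policy does not force TLS for access."""
    return sorted(n for n, p in bucket_policies.items() if not denies_insecure_transport(p))


def audit(volumes, bucket_policies):
    """Combine both checks into one findings report."""
    return {
        "unencrypted_volumes": unencrypted_volumes(volumes),
        "buckets_allowing_plaintext": buckets_allowing_plaintext(bucket_policies),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_VOLUMES, SAMPLE_BUCKET_POLICIES), indent=2))
```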

Centralized System Logging

AWS Provides: AWS makes the CloudTrail, CloudWatch, and GuardDuty services available for logging/auditing of AWS environments.

Yale IT Provides: Yale IT has enabled CloudTrail, CloudWatch, Security Hub, Wiz and GuardDuty on all AWS partner accounts. CloudTrail logs are stored in a separate AWS account.

Your Responsibility: You are responsible for responding to alerts from CloudWatch and GuardDuty. If you are working with high risk data, you are responsible for capturing authentication activity for all your services/resources/applications to a centralized location.

Users are responsible for remediating any vulnerabilities reported by Wiz.

Backups/Restores

AWS Provides: AWS has considerable redundancy and HA capabilities but does not automatically back up virtual servers or data.

Some services such as RDS provide backups by default.

Yale IT Provides: ITS provides backups for servers and databases deployed in ITS managed AWS accounts. ITS does not provide backups for Partner AWS accounts.

Your Responsibility: You are responsible for ensuring that your data in AWS is adequately backed up. This involves not only setting up backups for resources that are not automatically backed up but also verifying the integrity of those backups to ensure they can be successfully restored.

We strongly recommend consulting the documentation for the specific AWS service(s) you are using to determine whether automatic backups are performed and whether those backups meet your requirements.

Backup procedures are mandatory for all resources, services, applications, and disks containing moderate or high-risk data. They are also strongly recommended for any services that offer backup capabilities.

The AWS Backup service is one option you can use for backing up your resources.

High Availability and Disaster Recovery

AWS Provides: AWS has services in many geographical regions. Each region has multiple availability zones (distinct data centers that do not share infrastructure). PaaS and SaaS services are typically highly resilient, but IaaS services need to be architected and set up with availability in mind.

Yale IT Provides: Yale maintains redundant private connections to the AWS cloud network.

Your Responsibility: It is your responsibility to understand whether the AWS services you are using are resilient across availability zones within a region or across regions, and to design a high availability architecture and/or disaster recovery plan that meets your target recovery time and recovery point objectives.

Should your application demand high availability or have specific disaster recovery considerations, you are encouraged to reach out to cloud.support@yale.edu for assistance.

Service and Application Monitoring

AWS Provides: AWS posts service health information for the AWS platform at https://status.aws.amazon.com. AWS sends notifications of AWS incidents directly related to your account to the email address associated with your account.

Yale IT Provides: Yale IT monitors the status of the AWS platform as a whole and of individual AWS services. Issues with AWS which impact Yale are posted on the #aws channel at https://yale.slack.com and on the ITS System Status Page.

Your Responsibility: If you would like your application to be monitored by ITS staff, or to receive notifications when a service issue may impact your work, request this through the Enterprise Monitoring service page (https://yale.service-now.com/it?id=service_offering&sys_id=9b9132291b829c90ae6997d58d4bcb0b) or contact helpdesk@yale.edu (203-432-9000) for assistance.

Alerts and Notices

AWS Provides: AWS sends email notices relevant to your account to your account owner. Emails are sent to an Office 365 Distribution List, typically formatted as aws-partner-YourLabName@aws.yale.edu.

Yale IT Provides: Yale IT configures guardrails to help you meet your security responsibilities. These guardrails send alerts to your account owner email list.

Your Responsibility: If you are the account owner or administrator, it is your responsibility to address alerts and notices sent to your account owner email list.

Attestation

AWS Provides: AWS offers security related services such as Trusted Advisor (to provide proactive recommendations on best practices for your AWS account) and GuardDuty (to monitor your account for unauthorized activity).

Your Responsibility: You must periodically attest to and acknowledge that you are handling data in a manner which is compliant with the appropriate Yale policies.

You are required to accept this document as Terms of Use upon your first login to the AWS console and again annually or when there are changes to the document.

Yale IT reserves the right to disable your account for failure to abide by the guidelines set by this Shared Responsibility document.

Virtual machines (VMs) and Databases

Harden OS Image

AWS Provides: Hardened OS images from the Center for Internet Security (CIS) are available within AWS. CIS images are modified versions of the base operating system that align with secure configuration standards collaboratively developed and used by thousands of organizations worldwide.

These hardened images help mitigate many common threats, including denial of service, insufficient authorization, and overlapping trust boundaries.

The complete list of CIS hardened OS images available in AWS is published in the AWS Marketplace.

Your Responsibility: Servers should be configured following CIS security standards, especially when managing high-risk data. It is advisable to use CIS-hardened images from the AWS Marketplace, though note that they are not required and come with additional costs.

If you opt not to use one of the available CIS images, it is crucial to consult the security guidelines specific to the operating system you are using and to implement as many of them as are practical for your setup.

We suggest visiting the CIS web site as a valuable starting point for information.

Use a Supported Operating System

AWS Provides: AWS provides images of all supported operating systems in the AWS Marketplace.

Your Responsibility: If you deploy a virtual machine, you must use a supported version of the operating system as described on the ITS Operating System Recommendations page and keep the operating system at a supported version.

OS Patching

AWS Provides: Operating system images in AWS which are provided by vendors typically do not have automatic updating enabled.

Your Responsibility: If you own a virtual machine, it is your responsibility to ensure that the operating system remains up to date. This means verifying that updates, including security patches, are installed at least monthly.

Application Patching

Your Responsibility: If you are running a virtual machine, it is your responsibility to keep all installed applications up to date with the latest security-related patches and updates. This extends to all libraries and non-OS components that your application relies on.

To ensure compliance, work actively with your application vendor(s). Familiarize yourself with the update procedures for your specific applications and stay informed about any new security updates or releases.

The Security Planning Assessment (SPA) process must be completed for all applications which handle moderate or high risk data.

Network Protection

AWS Provides: AWS includes built-in network protections for the AWS platform.

Yale IT Provides: Yale IT manages firewalls for the private Yale data center networks extended into AWS (10.5.x.x and 10.9.x.x addresses), logging traffic between campus and AWS.

Yale IT has also configured Network Access Control Lists (ACLs) that permit only HTTPS, SSH, and RDP traffic to flow to your 10.5.x.x and 10.9.x.x subnets.

Your Responsibility: You are responsible for safeguarding your network against malicious external access by using AWS Network Access Control Lists (ACLs). You may modify the ACLs provided by Yale IT to better suit your specific requirements.

For systems handling moderate and high-risk data, the use of host-based firewalls or AWS Security Groups is mandatory; for all other systems it is strongly recommended. Host-based firewall options include Windows Firewall, iptables, and ufw/firewalld.

When deploying resources, allocate them to private subnets within the account. Resources on these private subnets are not permitted to use public IP addresses. If external access to a resource is required, the following steps must be taken:

First, complete a Security Planning Assessment (SPA) and obtain approval for external access to the application from the ITS Information Security Office.

For moderate and high-risk data:

  • Contact the Yale IT load balancing team to open the application to the Internet via a Yale-managed F5 endpoint. This includes setting up a routable IP, DNS entry, and SSL certificate to secure communications.

  • Collaborate with Yale ITS to establish any necessary Web Application Firewall (WAF) requirements or solutions.

For low risk data:

You may use AWS Application and Network Load Balancers for public access. These should be configured on the public DMZ subnets within your AWS account. If you are using an Application Load Balancer (ALB), you must enable the Web Application Firewall (WAF). For both types of cloud-based load balancers, you are required to capture access logs and store them in an S3 bucket within your AWS account. For a comprehensive overview, refer to the AWS Managed Rules for AWS WAF documentation.

For any further questions or if you require assistance in configuring your load balancers, please reach out to cloud.support@yale.edu.
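As an added example (not part of this document or of Yale IT's tooling), the following Python reviews security group ingress rules against the points above: any rule open to the whole Internet is flagged, since external access must go through a Yale-managed F5 or an approved load balancer, and rules from the 10.5.x.x/10.9.x.x campus ranges on ports other than HTTPS/SSH/RDP are flagged because the Yale-managed ACL passes only those three. The input mirrors the boto3 describe_security_groups response; the group IDs, names and rules are constructed.

```python
"""Review security-group ingress rules against the network requirements above.
Added example, not Yale IT tooling: input mirrors boto3's
ec2.describe_security_groups()["SecurityGroups"]; the sample groups are constructed."""
import ipaddress

# Ports the Yale-managed Network ACL lets through to the 10.5.x.x / 10.9.x.x subnets
ALLOWED_PORTS = {22: "SSH", 443: "HTTPS", 3389: "RDP"}
CAMPUS_PREFIXES = [ipaddress.ip_network("10.5.0.0/16"), ipaddress.ip_network("10.9.0.0/16")]

SAMPLE_GROUPS = [  # constructed sample data
    {"GroupId": "sg-0example01", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.5.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.9.12.0/24"}]},
    ]},
    {"GroupId": "sg-0example02", "GroupName": "quick-test", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.5.0.0/16"}]},
    ]},
]


def rule_sources(perm):
    """All IPv4 and IPv6 CIDR sources of one IpPermissions entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def rule_ports(perm):
    """Port range of a rule, or None when it covers every port (IpProtocol "-1")."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") in (None, -1):
        return None
    return range(perm["FromPort"], perm["ToPort"] + 1)


def is_campus(net):
    """True when the source network lies inside one of the Yale private ranges."""
    return any(net.version == p.version and net.subnet_of(p) for p in CAMPUS_PREFIXES)


def rule_findings(perm):
    """Findings for one ingress rule: sources open to the whole Internet, and campus
    sources on ports the Yale-managed ACL does not pass to these subnets."""
    findings, ports = [], rule_ports(perm)
    for src in rule_sources(perm):
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0:
            findings.append(f"open to the Internet from {src}; external access must go through a "
                            "Yale-managed F5 or an approved load balancer on the DMZ subnet")
        elif is_campus(net) and (ports is None or any(p not in ALLOWED_PORTS for p in ports)):
            findings.append(f"rule from campus range {src} allows ports beyond HTTPS/SSH/RDP, the "
                            "only ones the Yale-managed ACL passes to these subnets; confirm it is intended")
    return findings


def audit_groups(groups):
    """Map each security group ID to its findings (an empty list means clean)."""
    return {g["GroupId"]: [f for p in g.get("IpPermissions", []) for f in rule_findings(p)]
            for g in groups}


if __name__ == "__main__":
    for gid, found in audit_groups(SAMPLE_GROUPS).items():
        print(gid, found or "OK")
```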

Hosting websites

Web Sites

AWS Provides: AWS provides a variety of resources/services for web hosting and management.

Your Responsibility: Websites are governed by the following university policies, as well as any additional school- or department-specific policies, regulations and guidelines that apply to your use:

You must agree to follow these guidelines and all other applicable policies, regulations and guidelines before creating a website.

School of Medicine departments and units (with the exception of MB&B), including faculty lab websites, are not eligible and must contact the YSM Web Group at ysm.editor@yale.edu for more information about the School of Medicine's web services offerings.

Users of Yale data are responsible for securing that data. To secure data, you must use a Yale IT System that matches your risk classification. For example, if you need to store high risk data, you must use a Yale IT System approved for storing data classified as high risk. The risk classification of a Yale IT System cannot be lower than the data classification.

Data Classification is one element of the risk classification of a Yale IT System. See the Risk Classification Guideline to learn about all three elements. This will help you determine the overall risk associated with the work you do on behalf of Yale's mission.

The Service Classification page indicates the risk classifications allowed on commonly used Yale IT Services. See the Service Classification Table for services that secure your data classification.

Site owners are expected to respect copyright and are responsible for evaluating whether the use of any information or content made available on their website requires copyright permission. Please review the Office of the General Counsel's Copyright Resources and Rights Clearance Guide for Digital Projects for information regarding copyright issues that may arise in digital contexts.

"Yale" and "Yale University" are trademarks of the university; its logos and colors may only be used for official functions of the university and must adhere to the guidelines of the Office of the University Printer to ensure appropriate alignment with Yale's visual identity standards. Please review the Yale Identity Web Guidelines. University trademarks may not be used to state or suggest institutional endorsement or sponsorship of non-official functions.

Websites are required to include a link to the Accessibility Statement Page, and websites used in connection with personal information must include a link to the Yale Privacy Policy or, if applicable, a site-specific privacy statement.

Content published without password protection or other access restrictions is publicly available. You may choose to restrict public site access.

If a yale.edu domain (http://yale.edu) or subdomain is being requested, open a ServiceNow ticket assigned to YaleSites.

  • The domain name will be verified by the Yale webmaster.

  • YaleSites will verify that the website is not a commercial endorsement of third party software or endeavor.

  • Appropriateness of content will be reviewed to support Yale's reputation.

http://med.yale.edu domain names receive special attention as noted above.

AI Services

Artificial Intelligence

AWS Provides: AWS ensures adherence to GDPR and HIPAA standards, safeguarding data integrity. Data remains private and is neither used for model enhancement nor shared with third parties. AWS facilitates encryption both in transit and at rest via AWS Key Management Service. Governance and audit requirements are supported through Amazon CloudWatch and AWS CloudTrail, and automated abuse detection mechanisms are in place to prevent potential misuse of AI services.

Yale IT Provides: Yale IT provides an individual IP range for each account, restricting AWS Cognitive Services for each subscription to its own IP subnets.

Your Responsibility: You are responsible for adhering to current university policies on academic integrity and for ensuring that your AI application complies with the Yale University Policy Against Discrimination and Harassment and the University Sexual Misconduct Policies.

Protect confidential data: You should not enter data classified as confidential (moderate, high-risk), including non-public research data, into publicly available generative AI tools, in accordance with Yale's Minimum Security Standards. Information shared with generative AI tools using default settings is not private and could expose proprietary or sensitive information to unauthorized parties.

You are responsible for maintaining the security and confidentiality of training data and for controlling access to data models.

You are responsible for any content that you produce or publish that includes AI-generated material: AI-generated content can be inaccurate, misleading, or entirely fabricated (sometimes called "hallucinations") or may contain copyrighted material. Review your AI-generated content before publication. You are responsible for helping to prevent AI hallucinations and for the accuracy of responses.

Be alert for AI-enabled phishing: Generative AI has made it easier for malicious actors to create sophisticated scams at a far greater scale. Continue to follow security best practices and report suspicious messages to helpdesk@yale.edu.

Other services

AWS Provides: AWS Trusted Advisor provides security best practice checks and recommendations both for your AWS environment in general and for specific AWS services.

AWS provides a whitepaper with recommendations for architecting HIPAA compliant solutions on AWS.

AWS provides AWS Secrets Manager to help you protect secrets needed to access your applications, services, and IT resources.

Your Responsibility: You are responsible for securing all AWS services used in your account to meet Yale's Minimum Security Standards.

A good place to start is to review the AWS Trusted Advisor security best practice checks for your AWS account and address any recommendations necessary to meet Yale's standards.

If your account contains PHI, you are responsible for reviewing the AWS whitepaper Architecting for HIPAA Security and Compliance on Amazon Web Services and applying its security recommendations to the services used in your account.

Even if your account does not contain PHI, you should be aware of whether the HIPAA security recommendations for the services you use are required to meet Yale's standards.

You are responsible for protecting secrets needed to access your applications, services or resources by storing them in a private location and encrypting them at rest and in transit.
















