Terms and Conditions for Use
Yale's AWS environment is to be used only for Yale University purposes by authorized persons. Unauthorized use is prohibited and may result in administrative or legal action. System activities are monitored for administrative and security purposes. Anyone using the environment consents to such monitoring and accepts responsibility to preserve the confidentiality, integrity and availability of information accessed, created, stored, transmitted or received in your AWS space. Use is subject to all policies and procedures set forth by the University located at https://your.yale.edu/policies-procedures/policies.
You are responsible for making sure that Yale's Minimum Security Standards are met either by AWS, by Yale IT or by you.
All services and applications which handle moderate or high risk data must have a Security Design Review on record with Yale IT Information Security Office as required by the Minimum Security Standards.
For more information on Yale IT security, see https://cybersecurity.yale.edu/
About the Shared Security Responsibility Model
Cloud providers like Amazon AWS and Microsoft Azure are responsible for the security of the platform that they provide, while users of those platforms are responsible for configuring the solutions they build in a secure manner. This is known as the Shared Responsibility Model for cloud services.
If you have your own AWS "partner account" via the Cloud Support service, you are responsible for security configurations beyond what AWS and Yale provide. If you are unable to implement your responsibilities, consider using the Spinup Self-Service portal or our Managed Servers - Linux or Managed Servers - Windows services.
When reading the table below, please keep in mind the following definitions:
- "AWS" refers to features of AWS services as Amazon provides them to Yale and are generally not under the control of Yale.
- "Yale" or "IT" refers to work which has been done by Yale IT to configure the service to meet Yale requirements or to align with recommendations which are Yale-specific.
- "You" or "User" refers to things that you must do to protect the security and integrity of your work, either as a best practice or to comply with a Yale policy.
Yale Minimum Security Requirement | AWS Provides | Yale IT Provides | Your Responsibility |
---|---|---|---|
General Requirements | | | |
Scanning/Auditing | | ITS Information Security may scan/audit Yale resources. | You are responsible for allowing ITS to scan/audit your resources. |
Data Identification | | | You are responsible for identifying your data and upholding the security requirement for it. Please refer to the following site for data classification information: https://cybersecurity.yale.edu/classifyingsystems If you have additional data use agreements, you are responsible for adhering to the contractual agreement. If your account contains HIPAA data, you are required to notify cloud.support@yale.edu so that the ITS Cloud Support team will add your account to Yale's BAA with AWS. You are responsible for notifying cloud.support@yale.edu and information.security@yale.edu if the data classification of your data changes. |
Maintain Contact Information | | | AWS sends notices relevant to your account to the email address associated with your account. This is typically an O365 Distribution List of the form aws-partner-YourLabName@yale.edu. If you are the owner or administrator of an AWS account, you are responsible for keeping this list up to date with your team's email addresses by notifying cloud.support@yale.edu of any changes. |
Application Software Inventory | | | You are responsible for tracking and monitoring the software you install in your AWS environment in order to detect unauthorized activity and for diagnostic purposes. |
Enterprise Authentication and Multi-Factor Authentication (MFA) | AWS provides several options for enterprise authentication and MFA for AWS console login. | ITS has configured the AWS SSO (Single Sign-On) service to provide access to the AWS console using your netid credentials. AWS SSO requires Duo multi-factor authentication. (NOTE: AWS SSO is configured for ITS Partner accounts, and is targeted to be available in ITS managed AWS accounts in Summer 2020.) | Enterprise authentication is required for access to moderate and high risk data. MFA is required for access to high risk data. Even for low risk data, the creation of local accounts is strongly discouraged. If you are the owner or administrator of an AWS account, you are responsible for emailing cloud.support@yale.edu to add/remove an individual's console access. You are responsible for implementing and enforcing enterprise authentication and MFA on any/all resources such as logins to the servers and applications that you are using. |
Data Encryption | Encryption at rest: AWS offers optional encryption at rest; for example, EC2 EBS volumes, EFS file systems and S3 buckets can be encrypted but are not encrypted by default. Encryption in transit: AWS permits you to optionally mount an EFS file system using TLS to enable encryption in transit. You can optionally protect S3 data in transit using Secure Sockets Layer (SSL) or client-side encryption. You can optionally use SSL from your application to encrypt a connection to an RDS DB instance running MySQL, MariaDB, SQL Server, Oracle, or PostgreSQL. | | You are responsible for encrypting moderate and high risk data at rest. You are responsible for ensuring that all high risk data transfers in or out are encrypted using secure protocols and/or turning on and configuring the encryption option for the AWS service/resource. This applies to communication by the application(s) as well as management/maintenance connections. SSL encryption is highly recommended even for moderate or low risk data. |
Centralized System Logging | AWS makes the AWS CloudTrail, CloudWatch, and GuardDuty services available for logging/auditing of AWS environments. | Yale IT has enabled CloudTrail, CloudWatch and GuardDuty on all AWS partner accounts. CloudWatch logs are stored in a separate AWS account. | If you are working with high risk data, you are responsible for capturing authentication activity for all your services/resources/applications to a centralized location. |
Backups/Restores | AWS has considerable redundancy and HA capabilities but does not automatically back up virtual servers or data. Some services such as RDS provide backups by default. | ITS provides backups for servers and databases deployed in ITS managed AWS accounts. ITS does not provide backups for Partner AWS accounts. | You are responsible for backups of your data in AWS. This includes setting up backups for resources that are not backed up automatically and verifying that backups that are made are valid and able to be restored. Please check the documentation for the AWS service(s) that you are using to determine if they perform data backups automatically and whether those backups meet your requirements. Backup is mandatory for all resources/services/applications and disks with moderate or high risk data and strongly recommended for all services that support it. The AWS Backup service is one option you can use for backing up your resources. |
High Availability and Disaster Recovery | AWS has services in many geographical regions. Each region has multiple availability zones (distinct data centers that do not share infrastructure). PaaS and SaaS services are typically highly resilient, but IaaS services need to be architected/set up with availability in mind. | Yale maintains redundant private connections to the AWS cloud network. | It is your responsibility to understand if the AWS services you are using are resilient across availability zones within a region or across regions and to design a high availability architecture and/or disaster recovery plan to meet your target recovery time and recovery point objectives. If your application requires high availability and/or special disaster recovery considerations, contact cloud.support@yale.edu for assistance. |
Service and Application Monitoring | AWS posts service health information for the AWS platform at https://status.aws.amazon.com. AWS sends (to the email address associated with your account) notifications of AWS incidents directly related to your account. | Yale IT monitors the status of the AWS platform as a whole and AWS services. Issues with AWS which impact Yale are posted on the #aws channel at https://yale.slack.com and on the ITS System Status Page. | If you would like your application to be monitored by ITS staff or to receive notifications if a service issue may impact your work, submit a ticket using ServiceNow or contact helpdesk@yale.edu (203-432-9000) for assistance. |
Alerts and Notices | AWS sends email notices relevant to your account to your account owner. This is typically an O365 Distribution List of the form aws-partner-YourLabName@aws.yale.edu. | Yale IT configures guardrails to help you to meet your security responsibilities. These guardrails send alerts to your account owner email list. | If you are the account owner or administrator, it is your responsibility to address alerts and notices sent to your account owner email list. |
Attestation | AWS offers security related services such as Trusted Advisor (to provide proactive recommendations on best practices for your AWS environment) and GuardDuty (to monitor your environment for unauthorized activity). | | You must periodically attest to and acknowledge that you are handling data in a manner which is compliant with the appropriate Yale policies. You are required to accept this document as Terms of Use upon your first login to the AWS console and again annually or when there are changes to the document. Yale IT reserves the right to disable your account for failure to abide by the guidelines set by this Shared Responsibility document. |
Virtual machines (VMs) and Databases | | | |
Harden OS Image | Hardened OS images from the Center for Internet Security (CIS) are available within AWS. CIS images are modified versions of the base operating system to align with secure configuration standards that are collaboratively developed and used by thousands worldwide. These hardened images help mitigate many common threats of denial of service, insufficient authorization, and overlapping trust boundaries. To see the complete list of CIS hardened OS images available in AWS, see this link | | Servers are required to be configured using CIS security standards. Use of CIS hardened images is recommended for all uses and required for systems working with high risk data. The CIS images are available through the AWS Marketplace and carry an additional cost. If you do not use one of the CIS images, be sure to review the security guidelines for the operating system you are using and implement as many of them as are feasible. The CIS web site is a very good place to start. |
Use a Supported Operating System | AWS provides images of all supported operating systems in the AWS Marketplace. | | If you deploy a virtual machine, you must use a supported version of the operating system as described on the ITS Operating System Recommendations page and maintain the operating system at a supported version. |
OS Patching | Operating system images in AWS which are provided by vendors typically do not have automatic updating enabled. | | If you have a virtual machine, you are responsible for making sure that the operating system is kept up to date by verifying that updates are installed at least monthly. |
Application Patching | | | If you are running a virtual machine, you are responsible for keeping the application(s) installed on it up to date with security-related patches/updates. This includes all libraries and non-OS components on which the application is dependent. You should work with your application vendor(s) to be aware of the update procedure for your application and stay informed with respect to security updates/new releases for those applications. The Security Design Review (SDR) process must be completed for all applications which handle moderate or high risk data. |
Network Protection | AWS includes built-in network protections for the AWS platform. | Yale IT manages firewalls for the private Yale data center networks extended into AWS (10.5.x.x addresses) for logging traffic between campus and AWS. Beginning in FY21, Yale IT is configuring Network ACLs allowing only HTTPS, SSH and RDP traffic to your 10.5.x.x subnets. | You are responsible for protecting your network from malicious external access using AWS Network ACLs. You may modify the IT-provided ACL to meet your requirements. Host-based firewalls or AWS Security Groups are required for moderate and high risk data and recommended for all systems. Firewall options include Windows Firewall, iptables or ufw/firewalld. Resources should be deployed onto private subnets in the account. Resources on the private subnets may not use public IPs. If you need a resource to be accessible from outside of Yale, you must do the following. For moderate and high risk data: 1. Complete a Security Design Review (SDR) and receive approval for external access to the application from the ITS Information Security Office. 2. Request the Yale IT load balancing team to open the application to the Internet through a Yale-managed F5 endpoint. This will include a routable IP, DNS entry and SSL certificate for secure communications. 3. Work with Yale ITS to define Web Application Firewall (WAF) requirements/solutions if needed. For low risk data: AWS Application and Network Load Balancers may be used for public access and should be configured on the public DMZ subnets in the account. For an ALB the Web Application Firewall (WAF) should be enabled, and for both types of cloud load balancers access logs must be captured to an S3 bucket within the AWS account. An overview of AWS Managed Rules for WAFs can be found here: https://aws.amazon.com/blogs/aws/announcing-aws-managed-rules-for-aws-waf/. For additional questions or assistance configuring load balancers please contact cloud.support@yale.edu |
Hosting websites | | | |
Web Sites | AWS provides a variety of different resources/services for web hosting/management. | | Websites are governed by the following university policies, as well as any additional school- or department-specific policies, regulations and guidelines that apply to your use: You must agree to follow these guidelines and all other applicable policies, regulations and guidelines before creating a website. School of Medicine departments and units (with the exception of MB&B), including faculty lab websites, are not eligible and must contact the YSM Web Group at ysm.editor@yale.edu for more information about the School of Medicine’s web services offerings. The university expects all Yale community members to comply with applicable privacy and intellectual property laws. Websites are only authorized for the handling of low-risk data and must not be used in connection with medium- or high-risk data. For more information on data classification, visit the Protect Your Data page on the IT at Yale Cybersecurity website. Site owners are expected to respect copyright and are responsible for evaluating whether the use of any information or content made available on their website requires copyright permission. Please review the Office of the General Counsel’s Copyright Resources and Rights Clearance Guide for Digital Projects for information regarding copyright issues that may arise in digital contexts. “Yale” and “Yale University” are trademarks of the university and its logos and colors may only be used for official functions of the university and must adhere to the guidelines of the Office of the University Printer to ensure appropriate alignment with Yale’s visual identity standards. Please review the Yale Identity Web Guidelines. University trademarks may not be used to state or suggest institutional endorsement or sponsorship of non-official functions. Websites are required to include a link to the Accessibility Statement Page, and websites used in connection with personal information must include a link to the Yale Privacy Policy or, if applicable, a site-specific privacy statement. Content published without password protection or other access restrictions is publicly available. You may choose to restrict public site access. If the yale.edu domain or subdomain is being requested, open a ServiceNow ticket assigned to YaleSites. med.yale.edu domain names have special attention as noted above. |
Other services | | | |
| | AWS Trusted Advisor provides security best practice checks and recommendations both for your AWS environment in general and for specific AWS services. AWS provides a whitepaper with recommendations for architecting HIPAA compliant solutions on AWS. AWS provides AWS Secrets Manager to help you protect secrets needed to access your applications, services, and IT resources. | | You are responsible for securing all AWS services used in your account to meet Yale's Minimum Security Standards. A good place to start is to review the AWS Trusted Advisor security best practice checks for your AWS account and address any security recommendations necessary to meet Yale's standards. If your account contains PHI, you are responsible for reviewing the AWS whitepaper Architecting for HIPAA Security and Compliance on Amazon Web Services and applying its security recommendations to services used in your account. Even if your account does not contain PHI, you should be aware of whether the HIPAA security recommendations for services you are using are required to meet Yale's standards. You are responsible for protecting secrets needed to access your applications, services or resources by storing them in a private location and encrypting them at rest and in transit. |
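One way an account owner can check that an inbound Network ACL still matches the HTTPS/SSH/RDP baseline described in the Network Protection row, as an added example that is not part of this document or of Yale IT's tooling: it audits one ACL in the shape `aws ec2 describe-network-acls` returns, using a constructed sample rather than a live account, and the baseline port set, the `acl-EXAMPLE` id and the sample source ranges are assumptions.

```python
# Ports Yale IT's baseline ACL admits inbound to the 10.5.x.x subnets (assumed:
# HTTPS, SSH, RDP). Any wider inbound allow is reported for the owner to review.
BASELINE_PORTS = {443: "HTTPS", 22: "SSH", 3389: "RDP"}
TCP = "6"  # protocol numbers are strings in the API response; "-1" means all


def covered_ports(entry):
    """TCP ports an entry admits, or None when it has no PortRange (all ports)."""
    port_range = entry.get("PortRange")
    if port_range is None:
        return None
    return set(range(port_range["From"], port_range["To"] + 1))


def audit_nacl(acl):
    """Return [(rule_number, reason)] for inbound allow entries wider than the
    baseline. `acl` is one item in `aws ec2 describe-network-acls` shape. ACLs
    are stateless, so egress entries (ephemeral-port returns) are not judged.
    The default 32767 entry is a deny and is skipped by the action check."""
    findings = []
    for entry in sorted(acl["Entries"], key=lambda e: e["RuleNumber"]):
        if entry["Egress"] or entry["RuleAction"] != "allow":
            continue
        num, src = entry["RuleNumber"], entry.get("CidrBlock", "?")
        proto = entry["Protocol"]
        if proto != TCP:
            what = "all protocols" if proto == "-1" else f"protocol {proto}"
            findings.append((num, f"{what} from {src}"))
            continue
        ports = covered_ports(entry)
        if ports is None:
            findings.append((num, f"every TCP port from {src}"))
            continue
        extra = sorted(ports - set(BASELINE_PORTS))
        if extra:
            findings.append((num, f"TCP {extra[0]}-{extra[-1]} from {src}"))
    return findings


def _entry(num, proto, action, egress, cidr, ports=None):
    """Build one entry in describe-network-acls shape (for the sample below)."""
    e = {"RuleNumber": num, "Protocol": proto, "RuleAction": action,
         "Egress": egress, "CidrBlock": cidr}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e


# Constructed sample, not taken from any real account.
SAMPLE_ACL = {"NetworkAclId": "acl-EXAMPLE", "Entries": [
    _entry(100, TCP, "allow", False, "0.0.0.0/0", (443, 443)),
    _entry(110, TCP, "allow", False, "10.0.0.0/8", (22, 22)),
    _entry(120, TCP, "allow", False, "10.0.0.0/8", (3389, 3389)),
    _entry(130, TCP, "allow", False, "0.0.0.0/0", (3306, 3306)),  # MySQL open
    _entry(140, "-1", "allow", False, "0.0.0.0/0"),                # allow-all
    _entry(32767, "-1", "deny", False, "0.0.0.0/0"),
    _entry(100, "-1", "allow", True, "0.0.0.0/0"),
]}
```

Running `audit_nacl(SAMPLE_ACL)` reports rules 130 and 140 only; Security Groups on the instances still need a separate check, since the page requires them in addition to the ACL.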