Platform: AWS
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | True | Amazon EC2 has no service-specific API keys. Calls to the EC2 API are signed with AWS Signature Version 4 using IAM access keys (long-term, for IAM users) or short-lived STS credentials (for roles); IAM manages their lifecycle (creation, rotation, deactivation, deletion, last-used reporting). | Prefer roles and temporary credentials over long-term access keys; rotate and deactivate keys through IAM. |
| Authentication & Authorization | API Key Management | True | The VPC API is authenticated the same way: IAM access keys and STS temporary credentials act as the API credentials, with lifecycle management provided by IAM rather than by VPC itself. | No VPC-specific API keys exist; IAM is the only mechanism. |
| Authentication & Authorization | IAM Integration | True | Amazon EC2 is deeply integrated with AWS Identity and Access Management (IAM), allowing for granular access control through roles and policies. | |
| Authentication & Authorization | IAM Integration | True | Amazon VPC leverages AWS Identity and Access Management (IAM) for granular access control to resources within the VPC. | |
| Authentication & Authorization | MFA | True | IAM supports virtual, hardware and FIDO security key MFA for IAM users and the root user. Enforcement is the administrator's job: an IAM policy that denies EC2 actions unless the aws:MultiFactorAuthPresent condition key is true makes MFA mandatory for API calls as well as the console. | Requires configuration and user adoption. MFA applies to human identities; EC2 instance roles do not use MFA. |
| Authentication & Authorization | MFA | True | The same IAM MFA options and policy conditions protect the principals that manage VPC resources (route tables, security groups, peering, endpoints). | Enforced by policy; not on by default. |
| Authentication & Authorization | Service Account Support | True | IAM roles are the service-account mechanism: an instance profile attaches a role to an EC2 instance, and the instance obtains short-lived credentials from the Instance Metadata Service, so no long-term keys are stored on the host. | Require IMDSv2 (HttpTokens=required); IMDSv1 credentials can be read by a request-forgery bug in an application on the instance. |
| Authentication & Authorization | Service Account Support | True | Roles scoped to the VPC resources a workload needs (for example, ec2:DescribeSecurityGroups only) give least-privilege access; resource tags and condition keys such as ec2:Vpc narrow the scope further. | |
| Authentication & Authorization | Standard Protocols | True | The EC2 API is an HTTPS endpoint; requests are signed with AWS Signature Version 4 (SigV4), which the SDKs and CLI implement. | |
| Authentication & Authorization | Standard Protocols | True | AWS does not use OAuth for its own APIs. VPC management calls use HTTPS with SigV4 signing; identity federation for humans and workloads is available through SAML 2.0 and OpenID Connect (IAM Identity Center, IAM SAML/OIDC identity providers, AssumeRoleWithWebIdentity). | |
| Compliance & Certifications | Compliance Documentation | True | AWS publishes its audit reports (SOC 1/2/3, ISO, PCI DSS and others) through AWS Artifact, with VPC listed among the services in scope. | |
| Compliance & Certifications | Compliance Documentation | True | The same AWS Artifact reports and the AWS compliance documentation cover EC2. | |
| Compliance & Certifications | Industry Certifications | True | EC2 is in scope for the major AWS compliance programs, but which programs apply varies by region (for example FedRAMP High in GovCloud) and the certifications cover the AWS side of the shared responsibility model only; the guest OS and application remain the customer's to certify. | |
| Compliance & Certifications | Industry Certifications | True | AWS undergoes regular third-party audits (ISO 27001, SOC, PCI DSS and others). These certifications cover the AWS infrastructure and the services in scope, which include VPC. | |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | VPC has no masking or redaction capability; it only moves packets. Masking must be done at the application or data-store layer (for example, CloudWatch Logs data protection policies for log data). | Requires other AWS services or application-level controls. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking/redaction is not a built-in feature of EC2. It requires third-party tools or custom development in the workload. | |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | VPC does not inspect payloads for sensitive data. Amazon Macie scans S3 buckets, not VPC traffic or EBS volumes; in-line inspection needs AWS Network Firewall or a third-party appliance. | Requires integration with other AWS services; Macie covers S3 only. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | EC2 has no built-in DLP scanning of instance storage. Macie covers data that reaches S3; for data on EBS or in memory, a third-party agent or custom solution is needed. | |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Data leaves a region only over a path the customer creates: inter-region VPC peering, Transit Gateway peering, or public egress. The controls are not creating those paths and an SCP that denies API calls outside approved regions using the aws:RequestedRegion condition key. Direct Connect links on-premises networks, not regions. | Requires careful configuration; no region boundary is enforced by default. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Beyond the network, data can be copied across regions by API (S3 cross-region replication, AMI and EBS snapshot copies); these must be restricted separately, for example by SCPs and endpoint policies. | Requires configuration and management by the user. |
| Data Residency & Sovereignty | Data Location Transparency | True | The region and Availability Zone of every EC2 instance and EBS volume are visible in the API and console. AWS does not disclose the physical data center, and AZ names map to different physical AZ IDs in each account. | |
| Data Residency & Sovereignty | Data Location Transparency | True | VPCs are regional and subnets are bound to a single Availability Zone, so resource location is known at AZ granularity; location within an AZ is not exposed. | |
| Data Residency & Sovereignty | Region Selection | True | Amazon EC2 allows deploying instances in various AWS regions globally, enabling users to comply with data residency requirements. | |
| Data Residency & Sovereignty | Region Selection | True | Amazon VPC allows you to launch resources in various AWS regions globally, enabling you to meet data residency requirements. | |
| Encryption | Encryption at Rest | True | EBS volumes and snapshots can be encrypted with AWS KMS keys (the AWS-managed aws/ebs key or a customer managed key). Encryption is off unless the per-region account setting "EBS encryption by default" is enabled or the volume is created encrypted; an existing unencrypted volume cannot be encrypted in place, only re-created from an encrypted snapshot copy. On Nitro instances, NVMe instance store volumes are encrypted with a hardware key. | Requires configuration; enable EBS encryption by default in every region used. |
| Encryption | Encryption at Rest | True | Storage used by workloads in a VPC (EBS, EFS, FSx, RDS, S3) supports encryption at rest with AWS-managed or customer managed KMS keys; each service is configured separately. | Requires configuration of each service. |
| Encryption | Encryption in Transit | True | AWS service endpoints reached from a VPC use TLS, and VPC endpoints (PrivateLink) keep that traffic off the Internet. Traffic between instances inside a VPC is not encrypted by the network by default; supported Nitro instance types encrypt instance-to-instance traffic in hardware, otherwise use TLS, IPsec (Site-to-Site VPN) or application-layer encryption. | VPC Flow Logs record metadata only; payload encryption is the workload's job. |
| Encryption | Encryption in Transit | True | The EC2 API endpoints accept TLS only (TLS 1.2 minimum); the cipher suite is negotiated by the client, not chosen per user. Traffic to and from the instances themselves is encrypted only if the workload (TLS, SSH) or the network path (VPN, supported Nitro instance types) provides it. | |
| Logging & Monitoring | Access Logging | True | Access logs from inside an instance (sshd, web server, application) stay on the guest until the CloudWatch agent or another shipper forwards them. Session access through EC2 Instance Connect and Systems Manager Session Manager is recorded in CloudTrail, and Session Manager can log full session transcripts. | Requires agent installation and configuration. |
| Logging & Monitoring | Access Logging | True | VPC Flow Logs record accepted and rejected IP traffic metadata (addresses, ports, protocol, bytes, action) per VPC, subnet or network interface, delivered to CloudWatch Logs, S3 or Kinesis Data Firehose; no payload is captured. | Not enabled by default; must be created per VPC, subnet or ENI. |
| Logging & Monitoring | Audit Logging | True | AWS CloudTrail records every EC2 API call (console, CLI, SDK) with the caller identity, source IP and parameters. Management events are kept 90 days in Event history; a trail or CloudTrail Lake event data store is needed for longer retention and log file integrity validation. | Create a trail and enable log file validation. |
| Logging & Monitoring | Audit Logging | True | CloudTrail records VPC API calls (route table, security group, peering and endpoint changes); AWS Config additionally records the resulting configuration state and its history for VPC resources. | AWS Config is a separate service to enable. |
| Logging & Monitoring | Log Retention | True | CloudWatch Logs retention is set per log group, from 1 day to 10 years or never expire; logs are kept indefinitely until a retention period is set. | Requires configuration. |
| Logging & Monitoring | Log Retention | True | Retention is configurable per destination: CloudWatch Logs log groups, S3 lifecycle rules for CloudTrail and flow logs delivered to S3, and CloudTrail Lake retention settings. | Requires configuration. |
| Logging & Monitoring | Monitoring & Alerting | True | Amazon CloudWatch provides monitoring and alerting capabilities for EC2 instances. | |
| Logging & Monitoring | Monitoring & Alerting | True | Amazon CloudWatch provides monitoring and alerting capabilities for VPC resources. | |
| Network Security | API Gateway Integration | True | API Gateway does not manage EC2 instances; it can front applications running on them. A REST API uses a VPC Link to a Network Load Balancer, and an HTTP API can use a VPC Link to an ALB or NLB, as a private integration, so the instances need no public IP. | Indirect; requires a load balancer and a VPC Link. |
| Network Security | API Gateway Integration | True | Inside a VPC, API Gateway private integrations (VPC Link) reach private subnets, and a private API endpoint (interface VPC endpoint plus resource policy) restricts who can call the API from within the VPC. | Indirect integration. |
| Network Security | DDoS Protection | True | AWS Shield Standard protects all public IPs of EC2 resources against common network and transport layer (L3/L4) floods automatically and at no charge. Shield Advanced is a paid subscription that adds application-layer protection with AWS WAF, cost protection and access to the Shield Response Team. | Application-layer protection needs Shield Advanced or WAF in front of an ALB or CloudFront. |
| Network Security | DDoS Protection | True | Shield Standard applies automatically to VPC-attached public resources (Elastic IPs, load balancers, NAT gateways); Shield Advanced is opt-in and paid. | Advanced tier costs extra. |
| Network Security | Firewall Rules | True | Security groups are stateful, allow-only firewalls applied per network interface; rules can reference CIDRs, prefix lists or other security groups. The default security group allows all egress and all inbound traffic from members of the same group. | Security groups have no deny rules; review any 0.0.0.0/0 or ::/0 ingress. |
| Network Security | Firewall Rules | True | Security groups (stateful, interface level) and network ACLs (stateless, subnet level, ordered allow and deny rules) together control traffic in a VPC; AWS Network Firewall adds a managed stateful inspection layer with Suricata-compatible rules. | NACLs must explicitly allow return traffic on ephemeral ports. |
| Network Security | Private Access | True | Instances in private subnets have no Internet exposure; they reach AWS APIs through VPC endpoints (interface endpoints via PrivateLink, gateway endpoints for S3 and DynamoDB) and other networks through VPC peering, Transit Gateway, Site-to-Site VPN or Direct Connect. | |
| Network Security | Private Access | True | VPC supports private connectivity through VPC peering, Transit Gateway, Direct Connect and PrivateLink; VPC endpoint policies limit which principals and resources can be reached through an endpoint. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | This criterion concerns the customer's own APIs rather than the EC2 API. AWS publishes secure design guidance (the Well-Architected Framework security pillar, IAM and API Gateway best practices) that informs how applications on EC2 are designed. | Indirectly, through published best practices. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | Not a function of VPC itself; the same AWS guidance applies to the design of applications deployed within a VPC. | Indirectly applicable. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | False | Code review and testing for applications within a VPC are the responsibility of the customer. | Customer responsibility. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | False | AWS does not provide built-in code review or testing for user-created applications deployed on EC2 instances. These are the responsibility of the users. | |
| Vulnerability Management & Patching | Security Updates | True | AWS patches the VPC control plane and network infrastructure itself. Patching of operating systems and applications running inside the VPC is the customer's responsibility. | |
| Vulnerability Management & Patching | Security Updates | True | AWS patches the EC2 hypervisor and host infrastructure. Guest operating system patching is the customer's responsibility; AWS Systems Manager Patch Manager can automate it across instances. | Guest patching is the customer's responsibility. |
| Vulnerability Management & Patching | Vulnerability Scanning | False | VPC has no vulnerability scanning of its own. VPC Network Access Analyzer and Reachability Analyzer find unintended network paths, and Amazon Inspector network reachability findings show which instance ports are exposed, but scanning what runs inside the VPC is the customer's job. | Not a built-in feature of VPC. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Amazon Inspector, a separate AWS service, continuously scans EC2 instances for known software vulnerabilities (CVEs) and network exposure; it uses the SSM Agent, with agentless EBS snapshot scanning as a fallback, and sends findings to Security Hub. | Not enabled by default; coverage depends on SSM Agent presence or agentless scanning. |
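
The Firewall Rules rows say security groups are allow-only and that 0.0.0.0/0 and ::/0 ingress should be reviewed. The following audit script is an added example for this assessment, not AWS code: it consumes the JSON shape that `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`) returns and flags every ingress rule reachable from the whole Internet, ranking admin and database ports and any-protocol rules as high. The two security groups are constructed sample data; the group IDs and the ADMIN_PORTS list are assumptions chosen for the example.

```python
"""Audit EC2 security groups for Internet-exposed ingress.

Added example, not AWS code. Input is the JSON structure returned by
`aws ec2 describe-security-groups`; the groups below are constructed samples.
"""
import ipaddress

# Ports whose exposure to the whole Internet is almost always a finding
# (assumption for this example; extend to match your environment).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}

# Constructed sample: one permissive group and one reasonably scoped group.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "web-admin",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            # IpProtocol "-1" means all protocols and all ports; no FromPort/ToPort keys.
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210",
        "GroupName": "app-internal",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
        ],
    },
]


def _is_world(cidr: str) -> bool:
    """True if the CIDR covers every address of its family (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _ports(perm: dict):
    """Port range of a rule; protocol -1 has no port keys and means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return findings for ingress rules whose source is the whole Internet.

    Severity is "high" for admin/database ports or any-port rules and "info"
    for other world-reachable ports (e.g. 443 on a public web tier), so the
    caller can decide what exposure is intended. Rules sourced from other
    security groups or from a specific CIDR produce no finding.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if _is_world(c)]
            if not world:
                continue
            lo, hi = _ports(perm)
            exposed_admin = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            all_ports = perm.get("IpProtocol") == "-1" or (lo == 0 and hi == 65535)
            findings.append({
                "group_id": group["GroupId"],
                "group_name": group.get("GroupName", ""),
                "protocol": perm.get("IpProtocol"),
                "port_range": (lo, hi),
                "sources": world,
                "severity": "high" if (exposed_admin or all_ports) else "info",
                "admin_ports": [ADMIN_PORTS[p] for p in exposed_admin],
            })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:5} {f['group_id']} {f['protocol']} "
              f"{f['port_range']} from {','.join(f['sources'])} {f['admin_ports']}")
```

Run against live data by replacing SAMPLE_GROUPS with the `SecurityGroups` list from the API response; the "info" findings are the ones to compare against an inventory of intentionally public services.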
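
The Access Logging row for VPC describes Flow Logs as metadata-only records of accepted and rejected traffic. This added example, not AWS code, shows what a detection engineer does with them: it parses the default (version 2) flow log record format and runs two detections, a port probe (one source rejected on many distinct destination ports of one interface) and an accepted connection to an admin port from outside the VPC's private address space. The log lines are constructed; the account ID, ENI ID, the VPC_INTERNAL ranges, ADMIN_PORTS and PROBE_THRESHOLD are assumptions for the example.

```python
"""Detect port probing and Internet-sourced admin access in VPC Flow Logs.

Added example, not AWS code. Parses the default version-2 VPC Flow Log
record format; the records below are constructed. Real records arrive via
CloudWatch Logs, S3 or Firehose.
"""
import ipaddress
from collections import defaultdict

# Field order of the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumptions for this example: what counts as "inside" and as an admin port.
VPC_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379}
PROBE_THRESHOLD = 5  # distinct rejected destination ports from one source on one ENI

# Constructed sample: a probe from 198.51.100.23, one accepted SSH session from
# the Internet, one internal SSH session, a lone reject, and a NODATA record.
SAMPLE_LOG = "\n".join([
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51234 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51235 23 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51236 445 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51237 3389 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51238 8080 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51239 8443 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 51300 443 6 10 900 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.15 40000 22 6 12 1800 1700000100 1700000160 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.8 10.0.1.15 44321 22 6 12 1800 1700000100 1700000160 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.15 40001 3389 6 2 120 1700000100 1700000160 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000200 1700000260 - NODATA",
])


def parse_flow_log(text):
    """Return records as dicts; NODATA/SKIPDATA lines carry no addresses and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record (custom formats need their own field list)
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def _is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_INTERNAL)


def detect(records):
    """Run both detections; findings are ordered admin-port hits first, then probes."""
    findings = []
    rejected_ports = defaultdict(set)  # (srcaddr, interface_id) -> {dstport}
    for r in records:
        if r["action"] == "REJECT":
            rejected_ports[(r["srcaddr"], r["interface_id"])].add(r["dstport"])
        elif r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS and not _is_internal(r["srcaddr"]):
            findings.append({"type": "admin_port_from_internet", "src": r["srcaddr"],
                             "dst": r["dstaddr"], "dstport": r["dstport"], "eni": r["interface_id"]})
    for (src, eni), ports in rejected_ports.items():
        if len(ports) >= PROBE_THRESHOLD:
            findings.append({"type": "port_probe", "src": src, "eni": eni, "ports": sorted(ports)})
    return findings


if __name__ == "__main__":
    for f in detect(parse_flow_log(SAMPLE_LOG)):
        print(f)
```

The REJECT records exist only because a security group or NACL dropped the packet, so a probe finding is evidence that the firewall rules held; the accepted admin-port finding is the one that should page someone, and in this sample it corresponds to the 0.0.0.0/0 SSH rule that the security group audit above would have flagged.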