Building a Sheltered Harbor compliant data vault on AWS


AWS is the first Cloud Service Provider (CSP) to join the Sheltered Harbor Alliance Partner Program and has developed a Sheltered Harbor vaulting architecture that gives participating financial institutions a blueprint and guidance for building out a Sheltered Harbor compliant and certifiable cloud-based data vault with native AWS services. AWS's resilient infrastructure, security capabilities, and scalability help organizations implement and maintain the technical components needed to meet the standards set by Sheltered Harbor.

In this article we map the requirement set forth in the Sheltered Harbor specification - "the data vault is encrypted, unchangeable, and completely separated from the institution's infrastructure, including all backups" - to a data vault architecture built on AWS. In essence, we focus on three things: 1/ building a data vault that is secure, survivable and immutable; 2/ air-gapping (isolating) that vault from the primary production environment; and 3/ implementing forensic scanning, so that data written to the vault is free from ransomware and malware.

Secure and Immutable Data Vault

Immutable & survivable data vault

AWS regards a Data Vault (DV) as a secure, immutable, highly automated, and user-restricted area where a "golden copy" of data is stored. In the event of a malicious attack, a data vault can be used to fully restore the critical data, assuming that all regular operational abilities (backup, restore, disaster recovery, business continuity, etc.) have failed to restore the applications and/or data to an operational state. It is important to note that data vaulting is not considered a solution that falls under daily operational routines in terms of user and application access. This distinction is necessary due to the similarity of processes, tooling, and data terminology used by both the data vault and regular operational procedures.

Amazon Simple Storage Service (Amazon S3) is the storage layer of the vault. On its own, S3 provides durability, scalability, and versioning; immutability comes from the Amazon S3 Object Lock feature, which implements a Write-Once-Read-Many (WORM) model. Object Lock requires S3 Versioning and prevents an object version from being deleted or overwritten for a retention period, or indefinitely under a legal hold. For a vault, the retention mode matters: in governance mode, principals granted s3:BypassGovernanceRetention can still shorten or remove the retention, whereas in compliance mode no principal, including the AWS account root user, can shorten the period or delete the version until it expires. A compliance-mode default retention on the vault bucket is what keeps the copy immutable even when the institution's primary environment is compromised, and a copy held outside the primary AWS organization remains available for restoration. Amazon S3 Object Lock has been assessed by Cohasset Associates against the SEC 17a-4(f), FINRA 4511(c), and CFTC 1.31(c)-(d) electronic records requirements, which provides assurance for organizations operating in regulated environments.

Survivability comes from the durability of Amazon S3: the S3 Standard storage class is designed for 99.999999999% (11 9's) durability of objects over a given year. Objects are stored redundantly across a minimum of three Availability Zones in a Region, so the data survives the loss of an entire Availability Zone; S3 also sustains concurrent device failures by quickly detecting and repairing lost redundancy, and regularly verifies the integrity of stored data using checksums. Note that durability protects against infrastructure failure, not against an authorized deletion; that is what Object Lock is for.

Security of data at rest and in transit

Amazon S3 protects data both in transit and at rest. For data in transit, every S3 API operation is available over HTTPS (TLS). Enforce it rather than rely on it: add a bucket policy statement that denies all s3:* actions when the aws:SecureTransport condition key is false, and configure the AWS CLI and SDKs to use TLS endpoints only. Client-side encryption before upload adds a second layer, since the object body is then opaque both to the transport and to S3 itself.

For data at rest, S3 offers Server-Side Encryption with Amazon S3 managed keys (SSE-S3), with AWS KMS keys (SSE-KMS), with Customer-Provided Keys (SSE-C), and client-side encryption. For the vault, set default encryption at the bucket level to SSE-KMS with a customer managed key, so that every use of the key is logged in AWS CloudTrail and access to the key can be revoked independently of the bucket, or encrypt data locally before uploading it. Complementary controls include least-privilege IAM policies, S3 Block Public Access, S3 Versioning and Object Lock, and monitoring with AWS CloudTrail (including S3 data events for the vault bucket) and Amazon CloudWatch.
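The following is an added example, not AWS or Sheltered Harbor sample code, that puts the controls from the last few paragraphs into one place: a compliance-mode Object Lock configuration, a vault bucket policy that denies non-TLS requests, non-SSE-KMS uploads, uploads under the wrong key and any governance-mode bypass, and a linter that checks a bucket's policy and lock configuration for those controls. The bucket name, account ID and KMS key ARN are placeholders; the actions, condition keys and the Object Lock request shape are real and can be passed to boto3 or `aws s3api` unchanged.

```python
"""Bucket-level controls for a Sheltered Harbor style vault bucket: an Object
Lock configuration, a bucket policy, and a linter that checks both.

Added example, not AWS or Sheltered Harbor sample code. The bucket name, account
ID and KMS key ARN are placeholders (assumptions); the condition keys, actions
and the Object Lock request shape are real.
"""
from __future__ import annotations
import json

VAULT_BUCKET = "example-vault-bucket"                                    # placeholder
VAULT_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder


def object_lock_configuration(years: int) -> dict:
    """Default retention in COMPLIANCE mode: no principal, not even the account
    root user, can shorten the period or delete a locked object version."""
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": years}},
    }


def vault_bucket_policy(bucket: str, key_arn: str) -> dict:
    """Deny statements apply to every principal, including the bucket owner."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # 1. Refuse any request that did not arrive over TLS.
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # 2. Uploads must declare SSE-KMS. StringNotEquals also matches
                #    when the header is absent, so unencrypted PUTs are denied.
                "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # 3. ...and with the vault's own key, not any key the caller likes.
                "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}},
            },
            {   # 4. Even if an object ever ends up in governance mode, nobody
                #    may bypass its retention.
                "Sid": "DenyGovernanceBypass", "Effect": "Deny", "Principal": "*",
                "Action": "s3:BypassGovernanceRetention", "Resource": f"{arn}/*",
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions(stmt: dict) -> dict:
    """Flatten {"Bool": {"aws:SecureTransport": "false"}} to {("Bool", key): value}."""
    return {(op, k): v for op, keys in stmt.get("Condition", {}).items() for k, v in keys.items()}


def lint_vault_controls(policy: dict, lock_cfg: dict | None) -> list[str]:
    """Return findings; an empty list means the vault controls are all present."""
    findings = []
    denies = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Deny"]

    def denied(action, cond=None):
        for s in denies:
            actions = _as_list(s.get("Action", []))
            if action not in actions and "s3:*" not in actions:
                continue
            if cond is None:                      # must be an unconditional deny
                if not s.get("Condition"):
                    return True
                continue
            if _conditions(s).get(cond[0]) == cond[1]:
                return True
        return False

    if not denied("s3:*", (("Bool", "aws:SecureTransport"), "false")):
        findings.append("no Deny for aws:SecureTransport=false: plain HTTP is allowed")
    if not denied("s3:PutObject", (("StringNotEquals", "s3:x-amz-server-side-encryption"), "aws:kms")):
        findings.append("uploads without SSE-KMS are not denied")
    if not denied("s3:BypassGovernanceRetention"):
        findings.append("s3:BypassGovernanceRetention is not denied")
    if not lock_cfg or lock_cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    else:
        mode = lock_cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
        if mode != "COMPLIANCE":
            findings.append(f"default retention mode is {mode!r}, not COMPLIANCE")
    return findings


# Constructed weak configuration: a single Allow statement and a governance-mode lock.
WEAK_LOCK = {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/BackupWriter"},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{VAULT_BUCKET}/*"}]}

if __name__ == "__main__":
    for finding in lint_vault_controls(WEAK_POLICY, WEAK_LOCK):
        print("weak config:", finding)
    hardened = vault_bucket_policy(VAULT_BUCKET, VAULT_KEY_ARN)
    print("hardened config findings:", lint_vault_controls(hardened, object_lock_configuration(7)))
    print(json.dumps(hardened, indent=2))
```

The linter only accepts an unconditional Deny for s3:BypassGovernanceRetention, so a conditioned s3:* deny (such as the TLS statement) does not satisfy it. Statements 2 and 3 rely on negated string conditions matching when the header is missing, which means clients must send the SSE-KMS headers explicitly even if bucket default encryption is set; that is deliberate, because the policy is evaluated on the request before default encryption is applied.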

AWS Key Management Service (AWS KMS) provides centralized control over the cryptographic keys that protect the vault. KMS supports customer managed keys, both symmetric and asymmetric (S3 server-side encryption uses symmetric keys). The vault's KMS key should be created in the vault account with a key policy that grants no production-organization principal the right to use or administer it, so that a compromised production environment has no path to the key. For customers who need to encrypt or decrypt data locally within their applications to meet Sheltered Harbor requirements, the AWS Encryption SDK supports AWS KMS as a key provider, so clients keep control over their keys while relying on AWS infrastructure for key storage and audit logging.

Security of the data vault

Assurance in the reference architecture comes from AWS IAM roles with distinct permissions, so that there is a clear boundary between who can write data from the production AWS Organization into the vault account and who can read data from the vault for testing or restoration.

The architecture also uses Amazon GuardDuty to monitor the vault account and its workloads for malicious activity and deliver detailed security findings for visibility and remediation, and AWS CloudTrail to record account activity (including all AWS KMS key usage) across the solution, giving control over storage, analysis, and remediation actions.

Air-gapped (isolated) environment

Mapping Sheltered Harbor's specification to AWS follows the cyber event recovery architecture AWS has defined for financial services. Logical air-gapping in the reference architecture uses: AWS Direct Connect, a dedicated connection to the solution that bypasses the public internet (Direct Connect does not encrypt traffic by itself, so TLS to S3 is still enforced by bucket policy); AWS Organizations to segregate the vault account from production workload accounts; AWS Identity and Access Management (IAM) for cross-account access; AWS Lambda to attach or detach the IAM policies that grant temporary cross-account access; and Amazon EventBridge to open and close that access according to set times or events.

Figure: AWS Sheltered Harbor Vault Architecture.

In the architecture above, air-gapping is achieved by creating a vault zone outside of the primary AWS organization that isolates critical data from the production environment and from the internet in an immutable (WORM) model. The isolation is maintained with network and access controls such as next-generation firewalls and zero-trust access policies. The vault zone accepts no inbound connections: the vault side pulls data from the production sources rather than having data pushed to it, so no credential held in the production environment can write to, or delete from, the vault. The architecture also includes ingress and egress zones that exist only for the duration of a transfer window; this ephemeral staging provides a digital air gap that keeps the vault isolated from threats between windows.
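As an added example of the Lambda and EventBridge pair described above (not the reference architecture's own code), the block below opens and closes the ingress window by attaching and detaching a managed policy on the vault-side role, fails closed on unexpected input, and shows the trust policy on the production-side export role that makes the transfer a pull. The role and policy names, the account and organization IDs, the constant JSON input on the EventBridge targets, and the FakeIAM stand-in used to run it offline are assumptions; the three boto3 IAM calls are real.

```python
"""Time-boxed ingress into the vault account: a scheduled EventBridge rule opens
the window by attaching the ingress policy to the vault-side role, a second rule
closes it by detaching. Anything unexpected forces the window shut.

Added example, not the reference architecture's own code. Assumed names: the role
VaultIngressRole, the managed policy VaultIngressPolicy, the {"action": ...}
constant input on the EventBridge targets, the account/org IDs, and FakeIAM.
"""
import os

INGRESS_ROLE = os.environ.get("INGRESS_ROLE", "VaultIngressRole")                 # assumed name
INGRESS_POLICY_ARN = os.environ.get(
    "INGRESS_POLICY_ARN", "arn:aws:iam::999999999999:policy/VaultIngressPolicy")  # placeholder

# EventBridge schedule rules (UTC) with a constant JSON input on the Lambda target.
SCHEDULE = {
    "vault-ingress-open":  {"cron": "cron(0 2 * * ? *)", "input": {"action": "open"}},
    "vault-ingress-close": {"cron": "cron(0 4 * * ? *)", "input": {"action": "close"}},
}

# Trust policy on the production-side, read-only export role. Only the vault
# ingress role may assume it, so the vault pulls: production holds no credential
# that can write to the vault. o-vaultorg and the account IDs are placeholders.
EXPORT_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::999999999999:role/{INGRESS_ROLE}"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-vaultorg"}},
    }],
}


def _attached(iam, role: str) -> set:
    page = iam.list_attached_role_policies(RoleName=role)
    return {p["PolicyArn"] for p in page["AttachedPolicies"]}


def handler(event: dict, context=None, iam=None) -> dict:
    """Lambda entry point. Idempotent: re-running 'open' does not attach twice.
    Any action other than open/close detaches the policy and raises."""
    if iam is None:
        import boto3                       # real client outside of tests
        iam = boto3.client("iam")
    action = (event.get("detail") or {}).get("action", event.get("action"))
    attached = _attached(iam, INGRESS_ROLE)
    if action == "open":
        if INGRESS_POLICY_ARN not in attached:
            iam.attach_role_policy(RoleName=INGRESS_ROLE, PolicyArn=INGRESS_POLICY_ARN)
        return {"role": INGRESS_ROLE, "ingress": "open"}
    if action == "close":
        if INGRESS_POLICY_ARN in attached:
            iam.detach_role_policy(RoleName=INGRESS_ROLE, PolicyArn=INGRESS_POLICY_ARN)
        return {"role": INGRESS_ROLE, "ingress": "closed"}
    if INGRESS_POLICY_ARN in attached:     # unexpected input: fail closed
        iam.detach_role_policy(RoleName=INGRESS_ROLE, PolicyArn=INGRESS_POLICY_ARN)
    raise ValueError(f"unknown action {action!r}; ingress forced closed")


class FakeIAM:
    """Minimal in-memory double for the IAM client, recording every mutation."""
    def __init__(self):
        self.attached = {}
        self.calls = []

    def list_attached_role_policies(self, RoleName):
        arns = self.attached.get(RoleName, set())
        return {"AttachedPolicies": [{"PolicyArn": a} for a in sorted(arns)]}

    def attach_role_policy(self, RoleName, PolicyArn):
        self.calls.append(("attach", RoleName, PolicyArn))
        self.attached.setdefault(RoleName, set()).add(PolicyArn)

    def detach_role_policy(self, RoleName, PolicyArn):
        self.calls.append(("detach", RoleName, PolicyArn))
        self.attached.setdefault(RoleName, set()).discard(PolicyArn)


if __name__ == "__main__":
    iam = FakeIAM()
    for evt in ({"action": "open"}, {"action": "open"}, {"action": "close"}):
        print(evt, "->", handler(evt, iam=iam))
    print("IAM mutations:", iam.calls)
```

Because the policy is attached to the vault-side role and the trust on the production export role names that role only, a compromised production account holds nothing that can reach the vault: outside the window the vault role has no permissions to use, and at no time does production hold credentials for the vault account. Every attach and detach is a logged IAM API call in CloudTrail, which is the record to alert on if it happens outside the scheduled times.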

Forensic scanning of data

Amazon S3 offers several options for forensic scanning of data to detect ransomware or malware. The native AWS solution, Amazon GuardDuty Malware Protection for S3, automatically scans newly uploaded objects using multiple scanning engines. It supports objects up to 5 GB (check the current service quota; larger objects are tagged UNSUPPORTED rather than scanned), can tag each object with its scan result (tag key GuardDutyMalwareScanStatus, values NO_THREATS_FOUND, THREATS_FOUND, UNSUPPORTED, ACCESS_DENIED or FAILED), publishes scan results to Amazon EventBridge, and integrates with other AWS security services. Because the verdict is an object tag, restrict s3:PutObjectTagging for that key to the scanning role; otherwise an uploader could write a clean verdict onto a malicious object. Third-party solutions such as Elastio Ransomware and Malware Scanning and SentinelOne Threat Detection for S3 offer features such as real-time scanning and ransomware-specific detection and may be used as well.

When selecting a solution, consider scanning performance, scalability, integration with existing workflows and security tools, and whether it can scan existing objects as well as new uploads (GuardDuty Malware Protection for S3 scans new uploads only). Most solutions provide automatic quarantine of infected files, detailed threat reporting, and integration with other security systems. The choice depends on specific requirements, existing security infrastructure, and budget.
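The following added example (not AWS or GuardDuty code) shows the forensic gate between the ingress zone and the vault: an ingress bucket policy that lets only the scanning role write the verdict tag and blocks reads until an object is tagged clean, and a vault-side sweep that promotes clean objects, quarantines everything with a non-clean verdict (including UNSUPPORTED and FAILED, which mean the object was never actually scanned), and leaves pending objects alone. The tag key and values are the ones GuardDuty writes; the bucket names, the scanner role ARN, the quarantine bucket and the FakeS3 stand-in used to run it offline are assumptions, and the sample objects are constructed.

```python
"""Forensic gate between the ingress zone and the vault: promote an object only
after GuardDuty Malware Protection for S3 has tagged it clean.

Added example, not AWS or GuardDuty code. The tag key GuardDutyMalwareScanStatus
and its values are the ones the service writes; bucket names, the scanner role
ARN, the quarantine bucket and FakeS3 are assumptions. get_object_tagging and
copy_object are real boto3 S3 calls.
"""
SCAN_TAG = "GuardDutyMalwareScanStatus"
CLEAN = "NO_THREATS_FOUND"


def ingress_bucket_policy(bucket: str, scanner_role_arn: str) -> dict:
    """(a) Only the GuardDuty scanning role may write the verdict tag, so an
    uploader cannot forge NO_THREATS_FOUND on a malicious object; (b) nobody but
    the scanner may read an object until it carries a clean verdict."""
    arn = f"arn:aws:s3:::{bucket}"
    not_scanner = {"ArnNotEquals": {"aws:PrincipalArn": scanner_role_arn}}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OnlyScannerWritesVerdict", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObjectTagging", "Resource": f"{arn}/*",
         "Condition": {**not_scanner,
                       "ForAnyValue:StringEquals": {"s3:RequestObjectTagKeys": SCAN_TAG}}},
        {"Sid": "NoReadUntilClean", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"{arn}/*",
         "Condition": {**not_scanner,
                       "StringNotEquals": {f"s3:ExistingObjectTag/{SCAN_TAG}": CLEAN}}},
    ]}


def promotion_decision(tags: dict) -> str:
    """'promote', 'quarantine' or 'wait' for one ingress object, from its tags."""
    status = tags.get(SCAN_TAG)
    if status is None:
        return "wait"                      # scan has not finished yet
    if status == CLEAN:
        return "promote"
    # THREATS_FOUND, but also UNSUPPORTED / FAILED / ACCESS_DENIED (never scanned)
    # and any value we do not recognise: nothing unscanned enters the vault.
    return "quarantine"


def sweep(s3, ingress: str, vault: str, quarantine: str, keys) -> dict:
    """Vault-side pull over a batch of ingress keys. Returns key -> decision."""
    outcome = {}
    for key in keys:
        tagset = s3.get_object_tagging(Bucket=ingress, Key=key)["TagSet"]
        decision = promotion_decision({t["Key"]: t["Value"] for t in tagset})
        if decision != "wait":
            s3.copy_object(
                Bucket=vault if decision == "promote" else quarantine, Key=key,
                CopySource={"Bucket": ingress, "Key": key},
                ServerSideEncryption="aws:kms")   # the vault bucket policy demands SSE-KMS
        outcome[key] = decision
    return outcome


class FakeS3:
    """In-memory double: {bucket: {key: {"Body": bytes, "Tags": {...}}}}."""
    def __init__(self, buckets):
        self.buckets = buckets

    def get_object_tagging(self, Bucket, Key):
        tags = self.buckets[Bucket][Key]["Tags"]
        return {"TagSet": [{"Key": k, "Value": v} for k, v in tags.items()]}

    def copy_object(self, Bucket, Key, CopySource, **kwargs):
        src = self.buckets[CopySource["Bucket"]][CopySource["Key"]]
        self.buckets.setdefault(Bucket, {})[Key] = {"Body": src["Body"], "Tags": {}}
        return {"CopyObjectResult": {}}


def constructed_ingress() -> dict:
    """Constructed sample: four objects in the ingress bucket after a scan pass."""
    return {"ingress": {
        "db-2024-05-01.dump": {"Body": b"clean", "Tags": {SCAN_TAG: "NO_THREATS_FOUND"}},
        "db-2024-05-02.dump": {"Body": b"evil",  "Tags": {SCAN_TAG: "THREATS_FOUND"}},
        "db-2024-05-03.dump": {"Body": b"new",   "Tags": {}},                      # scan pending
        "full-export.tar":    {"Body": b"big",   "Tags": {SCAN_TAG: "UNSUPPORTED"}},  # over size limit
    }}


if __name__ == "__main__":
    s3 = FakeS3(constructed_ingress())
    result = sweep(s3, "ingress", "vault", "quarantine", sorted(s3.buckets["ingress"]))
    print(result)
    print("vault now holds:", sorted(s3.buckets.get("vault", {})))
```

The two conditions in each Deny statement are ANDed, so the scanning role is exempt from both denies and every other principal is bound by them; the vault-side role never needs an exception because it only ever reads objects that already carry a clean verdict. Treating UNSUPPORTED and FAILED as quarantine rather than as clean is the important edge case: an oversized archive that was never scanned is exactly the object an attacker would use.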


AWS Professional Services works with customers to build tailored cyber recovery solutions that align with the Sheltered Harbor reference design, using native AWS services and AWS partner solutions.

For questions or further clarification, contact Sheltered Harbor or your AWS account team for help meeting the Sheltered Harbor requirements on AWS.