2020-05-25 Agenda
Clarington

If this information is required in an alternate format, please contact the Accessibility Co-ordinator at 905-623-3379 ext. 2131

Council Minutes

Date: May 4, 2020
Time: 7:00 PM
Location: Council Chambers, 2nd Floor, Municipal Administrative Centre, 40 Temperance Street, Bowmanville, Ontario

Present Were: Mayor A. Foster
Present by Electronic Means: Councillor G. Anderson, Councillor R. Hooper, Councillor J. Jones, Councillor J. Neal, Councillor M. Zwart
Absent: Councillor C. Traill
Staff Present: A. Greentree, M. Chambers
Staff Present by Electronic Means: A. Allison, G. Acorn, R. Albright, S. Brake, F. Langmaid, R. Maciver, M. Marano, T. Pinn, G. Weir

1. Call to Order

Mayor Foster called the meeting to order at 7:00 PM.

2. Moment of Reflection

Councillor Hooper led the meeting in a moment of reflection.

3. Land Acknowledgement Statement

Councillor Hooper recited the land acknowledgement statement.

4. Declaration of Interest

Councillor Neal declared an indirect interest in Item 1d of the Joint General Government and Planning and Development Committees Report, Memo from Faye Langmaid, Acting Director of Planning Services, regarding Recommendation Report - Proposed Official Plan Amendment and Rezoning to Implement the Bowmanville Neighbourhood Character Study.

5. Announcements

Members of Council announced upcoming community events and matters of community interest.

6. Adoption of Minutes of Previous Meeting(s)

6.1 Minutes of a regular meeting of Council dated April 14, 2020

Resolution # C-192-20
Moved by Councillor Neal
Seconded by Councillor Zwart

That the minutes of the regular meeting of the Council held on April 14, 2020, be approved.

Carried

7. Presentations

7.1 Gioseph Anello, Acting Director Solid Waste Management, and Gary Muller, Director of Planning, Region of Durham, Regarding Report PSD-013-20 - Region of Durham Mixed Waste Pre-Sort and Anaerobic Digestion Organics Processing Facility

Gioseph Anello, Acting Director Solid Waste Management, and Gary Muller, Director of Planning, Region of Durham, were present via electronic means regarding Report PSD-013-20 - Region of Durham Mixed Waste Pre-Sort and Anaerobic Digestion Organics Processing Facility. They made a verbal presentation to accompany an electronic presentation. Susan Siopis, Commissioner of Works, provided details of the presentation outline. Ms. Siopis noted that Elaine Baxter-Trahair, Chief Administrative Officer, and Brian Bridgeman, Commissioner of Planning, were also present. Ms. Baxter-Trahair noted that they have read the Staff report and are prepared to answer and address any questions. Mr. Anello highlighted the various types of mixed waste, the pre-sort process and the process of anaerobic digestion.
He reviewed the various drivers for managing organic waste, which included the regional drivers, market drivers and the provincial requirements. Mr. Anello provided details on the siting study process and the steps which have been taken to determine the proposed site, and highlighted the surrounding area. He explained that the Region wants to ensure design excellence and how they plan to achieve this. Mr. Anello reviewed the proposed site location and why it was chosen. He explained the facility development principles and noted an integrated and complementary approach was used. Mr. Anello explained the focus on the south site, the focus on ensuring compatibility, and the commitment to zero odour emissions beyond the lot line. Mr. Muller reviewed the facility and how it is providing a distinct sustainability focus. He explained that they are looking to enable the development of a gateway and for the opportunity to develop the north side of this development. Mr. Muller concluded by noting the Region of Durham is committed to continuous engagement and to working with the Municipality of Clarington to achieve the vision.

Ms. Baxter-Trahair concluded by explaining that the intent of this presentation is for the Municipality of Clarington to reconsider the decision to be an unwilling host for the Anaerobic Digestion Facility. She continued by noting that she hopes the presentation answered the questions and that the Municipality of Clarington is able to share the vision for the project. Ms. Baxter-Trahair added that a recommendation report is going to Regional Council on May 27, 2020, which will include details on partnership, procurement and the siting process for the proposed Anaerobic Digestion Facility. They answered questions from the Members of Council. Ms. Siopis explained that the report is required for the May 27, 2020 Council meeting to permit the RFQ over the summer and the project procurement in the fall of 2020.
This will allow the Region to meet the late 2023 / early 2024 deadline for the completion of the project. Ms. Siopis confirmed that the Region would be willing to enter into an agreement to detail where the waste will come from and that it will only include waste from the Region of Durham.

Resolution # C-193-20
Moved by Councillor Hooper
Seconded by Councillor Anderson

That the Rules of Procedure be suspended to allow Members of Committee to ask questions regarding the presentation from the Region of Durham for a second time.

Carried

Ms. Siopis noted that the integrated site they are envisioning does not exist in North America and will allow them to manage, take care of, and recover their own waste. She added that no pre-sort facilities exist in North America; however, anaerobic digestion and incineration facilities do exist in North America.

Recess

Resolution # C-194-20
Moved by Councillor Neal
Seconded by Councillor Jones

That the Council recess for 10 minutes.

Carried

The meeting reconvened at 8:46 PM with Mayor Foster in the Chair.

8. Delegations

None

9. Communications — Receive for Information

There were no communications to be received for information.

10. Communications — Direction

10.1 Confidential Memo from Faye Langmaid regarding Courtice Waterfront and Energy Park Secondary Plan

10.2 Confidential Memo from Rob Maciver, Municipal Solicitor, regarding Cedar Crest Beach — Beach Erosion/Property Loss

Resolution # C-195-20
Moved by Councillor Jones
Seconded by Councillor Hooper

That Correspondence Items 10.1 and 10.2 be approved on consent as follows:

That Correspondence Item 10.1, Memo from Faye Langmaid, Acting Director of Planning, regarding Courtice Waterfront and Energy Park Secondary Plan, be referred to the consideration of Item 8 of the Joint General Government and Planning and Development Committees Report.
That Correspondence Item 10.2, Memo from Rob Maciver, Municipal Solicitor, regarding Cedar Crest Beach - Beach Erosion/Property Loss, be referred to the consideration of Item 7 of the Joint General Government and Planning and Development Committees Report.

Carried

11. Committee Reports

11.1 Advisory Committee Reports

11.1.1 Minutes of the Clarington Heritage Committee dated April 21, 2020

11.1.2 Minutes of the Tourism Advisory Committee dated April 21, 2020

Resolution # C-196-20
Moved by Councillor Zwart
Seconded by Councillor Neal

That Advisory Committee Report Items 11.1.1 and 11.1.2 be approved.

Carried

11.2 Joint General Government and Planning and Development Committees Report of April 27, 2020

Resolution # C-197-20
Moved by Councillor Neal
Seconded by Councillor Zwart

That the recommendations contained in the Joint General Government and Planning and Development Committee Report of April 27, 2020, be approved on consent, with the exception of Items 1d, 5, 6, 7 and 8.

Carried

Item 1d - Memo from Faye Langmaid, Acting Director of Planning Services, Regarding Recommendation Report - Proposed Official Plan Amendment and Rezoning to Implement the Bowmanville Neighbourhood Character Study

Councillor Neal declared an indirect interest in Item 1d of the Joint General Government and Planning and Development Committees Report as it relates to his law practice. Councillor Neal muted his audio and video and refrained from discussion and voting on this matter.

Resolution # C-198-20
Moved by Councillor Zwart
Seconded by Councillor Hooper

That the Memo from Faye Langmaid, Acting Director of Planning Services, Regarding Recommendation Report - Proposed Official Plan Amendment and Rezoning to Implement the Bowmanville Neighbourhood Character Study, be received for information.

Carried

Councillor Neal returned to the meeting.
Item 5 - Melanie Hakl, Administrative Clerk 2, Legislative Services, Town of Gravenhurst, Regarding Support for Adding Community Gardens, Garden Centres and Nurseries to the Essential Services List during the COVID-19 Pandemic

Resolution # C-199-20
Moved by Councillor Neal
Seconded by Councillor Jones

That the Correspondence from Melanie Hakl, Administrative Clerk 2, Legislative Services, Town of Gravenhurst, Regarding Support for Adding Community Gardens, Garden Centres and Nurseries to the Essential Services List during the COVID-19 Pandemic, be received for information.

Carried

Item 6 - COD-014-20 RFP2020-2 Ward Boundary Review

Resolution # C-200-20
Moved by Councillor Neal
Seconded by Councillor Zwart

That Report COD-014-20 be received;

That the proposal received from Watson & Associates Economists Ltd, being the most responsive bidder meeting all terms, conditions and specifications of RFP2020-2 and subject to a satisfactory reference check, be awarded the contract for the provision of consulting services to complete the Ward Boundary Review;

That the total funds required for this project in the amount of $66,074.80 (Net HST Rebate), which includes the over-budget amount of $1,074.80, be funded from within approved budget allocations as provided from the following accounts:

Description                  | Account Number          | Amount
Elections Professional Fees  | 100-19-193-10190-7161   | $65,000
Admin Professional Fees      | 100-19-130-00000-7161   | $1,074

That all interested parties listed in Report COD-014-20 and any delegations be advised of Council's decision.

Carried

Item 7 - Report PSD-012-20 - Cedar Crest Beach Update — Beach Erosion/Property Loss Study

Resolution # C-201-20
Moved by Councillor Neal
Seconded by Councillor Zwart

That Report PSD-012-20, Cedar Crest Beach Update — Beach Erosion/Property Loss Study, be referred to the end of the Agenda to be considered during Closed Session.
Carried

Item 8 - Region of Durham Mixed Waste Pre-Sort and Anaerobic Digestion Organics Processing Facility — Site Selection Process Municipal Comments on Evaluation of Short-List of Sites and Identification of Preferred Site

Resolution # C-202-20
Moved by Councillor Neal
Seconded by Councillor Anderson

That Report PSD-013-20 be received;

That Clarington declare itself to be an unwilling host community to anaerobic digestion and waste pre-sort facility as recommended in the preliminary siting report;

That Report PSD-013-20 be adopted as the Municipality of Clarington's comments on the Mixed Waste Transfer/Pre-Sort and Anaerobic Digestion Organics Processing Facility Siting Report (GHD, March 6, 2020);

That the Region of Durham be requested to address the comments in Report PSD-013-20;

That the Region of Durham be requested to collaborate with the Municipality by committing and contributing to the economic development objectives of the Courtice Waterfront and Energy Park area;

That staff be requested to provide a confidential memo regarding development options being explored for the waterfront park at the May 4, 2020 Council meeting;

That a copy of Report PSD-013-20 and Council's decision be sent to the Region of Durham, the Ministry of Environment, Conservation and Parks, and the other Durham Region area municipalities; and

That all interested parties listed in Report PSD-013-20 and any delegations be advised of Council's decision.
Yes (6): Mayor Foster, Councillor Anderson, Councillor Hooper, Councillor Jones, Councillor Neal, and Councillor Zwart
Absent (1): Councillor Traill

Carried on a Recorded Vote Later in the Meeting, See following Motions (6 to 0)

Resolution # C-203-20
Moved by Councillor Neal
Seconded by Councillor Anderson

That the foregoing Resolution #C-202-20 be amended as follows:

In Paragraph two: "That the words "the Regional" be inserted before the word anaerobic";

That the following be added at the end: "That Staff report back to the June 15th meeting on whether the siting of the Anaerobic Digestion Organics Processing Facility in Clarington's Energy Park is a breach of the 2010 EFW Host Community Agreement provisions."; and

That Paragraph six be replaced with the following: "That the Memo from Faye Langmaid, Acting Director of Planning, regarding Courtice Waterfront and Energy Park Secondary Plan, be received for information;"

Yes (6): Mayor Foster, Councillor Anderson, Councillor Hooper, Councillor Jones, Councillor Neal, and Councillor Zwart
Absent (1): Councillor Traill

Carried (6 to 0)

The foregoing Resolution #C-202-20 was then put to a vote and carried as amended on a recorded vote.

12. Staff Reports

12.1 Report FND-010-20 - COVID-19 Cash Flow Analysis

Resolution # C-204-20
Moved by Councillor Hooper
Seconded by Councillor Zwart

That Report FND-010-20 be received for information.

Tabled, see following motions

Resolution # C-205-20
Moved by Councillor Neal
Seconded by Councillor Zwart

That Report FND-010-20 be tabled to later in the meeting to be considered during Closed Session.

Carried

13. Business Arising from Procedural Notice of Motion

None

14. Unfinished Business

14.1 Report EGD-006-20 Cedar Crest Beach Rd and West Beach Rd Berm Review and Estimates (Tabled from the May 4, 2020 Joint Committees Meeting)

Lifted from the Table

Resolution # C-206-20
Moved by Councillor Neal
Seconded by Councillor Anderson

That Report EGD-006-20 Cedar Crest Beach Rd and West Beach Rd Berm Review and Estimates, be lifted from the table.

Carried

Resolution # C-207-20
Moved by Councillor Neal
Seconded by Councillor Anderson

That Report EGD-006-20 Cedar Crest Beach Rd and West Beach Rd Berm Review and Estimates, be tabled to the May 11, 2020 General Government Committee meeting.

Carried

Recess

Resolution # C-208-20
Moved by Councillor Neal
Seconded by Councillor Jones

That the Council recess for 10 minutes.

Carried

The meeting reconvened at 9:52 PM with Mayor Foster in the Chair.

14.2 Report EGD-007-20 - Temporary Bike Lanes on Prestonvale Road

Resolution # C-209-20
Moved by Councillor Jones
Seconded by Councillor Neal

That Report EGD-007-20 be received;

That temporary bike lanes be created using the staff recommended route and signage, but that no barrels be used;

That parking on Prestonvale Road from Robert Adams Drive to Bloor Street be temporarily prohibited at all times, until the end of August 2020;

That signs for a bike friendly area be placed on Prestonvale Road between Glenabbey Drive and Bloor Street; and

That all interested parties listed in the Report and any delegations be advised of Council's decision.
Carried as Amended, See following motions

Resolution # C-210-20
Moved by Councillor Jones
Seconded by Councillor Neal

That the foregoing Resolution #C-209-20 be amended as follows:

"Paragraph 3 be amended to delete "Bloor Street" and replace it with "the southerly urban section of Prestonvale Road"; and

That the following be added: That the necessary by-law to amend the Traffic By-law to enact Council's decision be approved."

Carried

Resolution # C-211-20
Moved by Councillor Neal
Seconded by Councillor Jones

That the Rules of Procedure be suspended to allow Members of Committee to speak to the foregoing Resolution #C-209-20 for a second time.

Carried

The foregoing Resolution #C-209-20 was then put to a vote and carried as amended.

Item 7 - Report PSD-012-20 - Cedar Crest Beach Update — Beach Erosion/Property Loss Study

12.1 - Report FND-010-20 - COVID-19 Cash Flow Analysis

Closed Session

Resolution # C-212-20
Moved by Councillor Neal
Seconded by Councillor Anderson

That, in accordance with Section 239(2) of the Municipal Act, 2001, as amended, the meeting be closed for the purpose of discussing two matters, which deal with:

- personal matters about an identifiable individual, including municipal or local board employees, and with labour relations or employee negotiations;
- a matter that deals with advice that is subject to solicitor-client privilege, including communications necessary for that purpose.

Carried

Rise and Report

The meeting resumed in open session at 11:04 PM. Mayor Foster advised that two items were discussed in "closed" session in accordance with Section 239(2) of the Municipal Act, 2001, and one resolution was passed on a procedural matter.
Item 7 - Report PSD-012-20 - Cedar Crest Beach Update — Beach Erosion/Property Loss Study

Resolution # C-213-20
Moved by Councillor Neal
Seconded by Councillor Anderson

That Report PSD-012-20 - Cedar Crest Beach Update — Beach Erosion/Property Loss Study, be tabled to the May 11, 2020 General Government Committee meeting.

Carried

12.1 Report FND-010-20 - COVID-19 Cash Flow Analysis

Earlier in the meeting, Report FND-010-20 was tabled to be considered during Closed Session (see Resolution #C-205-20). Resolution #C-204-20 was then before Council, was put to a vote and carried.

15. By-laws

15.1 2020-029 - Being a By-law to amend By-law 2014-059 entitled "a By-law to Regulate Traffic and Parking on Highways, Private Property and Municipal Property"

Resolution # C-214-20
Moved by Councillor Hooper
Seconded by Councillor Jones

That leave be granted to introduce By-law 2020-029; and

That the said by-law be approved.

Carried

16. Procedural Notices of Motion

None

17. Other Business

Councillor Neal enquired about 3574 Concession Road 3 and a letter sent from Planning regarding the minimum distance separation on agricultural property.

Councillor Neal referred to photos of Pebblestone Road and Trulls Road and noted his concerns with the priority of road repairs in the Municipality.

Councillor Neal enquired about the leaves on the sides of the roads and when they will be cleaned up.

18. Confirming By-Law

Resolution # C-214-20
Moved by Councillor Hooper
Seconded by Councillor Anderson

That leave be granted to introduce By-law 2020-030, being a by-law to confirm the proceedings of the Council of the Municipality of Clarington at a regular meeting held on the 4th day of May, 2020; and

That the said by-law be approved.

Carried

19. Adjournment

Resolution # C-215-20
Moved by Councillor Anderson
Seconded by Councillor Zwart

That the meeting adjourn at 11:21 PM.
Carried

Mayor

Municipal Clerk

May 4, 2020

BY E-MAIL: agreentree@clarington.net

C. Anne Greentree, Municipal Clerk
Municipality of Clarington
40 Temperance Street
Bowmanville, ON L1C 3A6

ADR Chambers Ombuds Office
www.municipalombuds.ca
Telephone: 1.800.941.3655
Fax: 1.877.803.5127
Email: ombudsman@adr.ca
P.O. Box 1006, 31 Adelaide St. E, Toronto, Ontario M5C 2K4

Dear Madam:

RE: MUN-431-0419 Complaint against the Municipality of Clarington

Our investigation of the complaint against the Municipality of Clarington has been completed, and I have enclosed the Ombudsman's final report. As you are aware, both parties were provided the opportunity to comment on the draft report. The Ombudsman then takes the comments into account and makes any modifications deemed appropriate. In this case, apart from anonymizing the final report (replacing names with titles and/or initials), the report is unchanged from the last version you received.

Our file in this matter is now closed.

Yours sincerely,

Peter Maniatakis
Deputy Ombuds

INVESTIGATION REPORT

Complainant: [Anon]
Complaint Reference Number: MUN-431-0419
Complaint Commenced: May 16, 2019
Date Required Information Received: February 7, 2020
Report Date: May 4, 2020
Investigator: Michael L. Maynard

Terms of Reference

This report has been prepared pursuant to the ADR Chambers Ombuds Office

[Anon] and Clarington, March 16, 2020, page 2

telephone interview with the Complainant on September 13, 2019, and December 2, 2019; (iii) a telephone interview with [Anon], Manager of Municipal Law Enforcement for Clarington ("DA"), on November 7, 2019; (iv) a telephone interview with [Anon], Manager of Construction for Clarington ("TR"), on November 8, 2019; (v) independent research on Clarington By-law 2007-070 ("By-law 2007-070" or the "Property Standards By-law"); and (vi) other research, as necessary.

Statements and Documents of the Complainant

The following statements were provided by the Complainant in writing, and through the telephone interview conducted with the Complainant:

The Complainant lives in Clarington in an end-unit freehold townhouse which she purchased in 2005. She purchased the home as a new build and stated she was the first person to live on the block. The Complainant advised that the Downspout for the adjacent property (an attached townhouse) runs down the wall from the neighbour's eavestrough, attached to the neighbour's overhanging porch roof. It is secured to a wall that adjoins the homes, on the Complainant's side of the property line, over the Complainant's driveway, beside the garage door.

Initially, from the time of the builder's installation, the Downspout wrapped tightly around the wall, bending towards the neighbour's front step, where it turned again to run along the step on the neighbour's side of the property line, before bending one final time to deposit the flow of water onto the lawn. The previous owner of the attached dwelling, however, changed the configuration of the Downspout, extending it to wrap around a flower bed which abuts the front step on the front lawn of the property, approximately 0.3 metres from the Complainant's driveway.
The Complainant states that the extended length of the Downspout, and the fact that the elbow over her part of the driveway is not tight to the wall, causes snow and ice to fall on it, loosening it at the elbow connection. The elbow that sits over a portion of the Complainant's driveway, running parallel to the ground where the Downspout begins to wrap around towards the neighbour's side of the property, leaks onto the Complainant's driveway, causing winter ice buildup immediately adjacent to her vehicle, posing a slip and fall risk to her. In warmer temperatures, the water pools next to her foundation.

According to the Complainant, she approached the neighbour in the Spring of 2015 to request that the dripping elbow be repaired; however, the neighbour did not respond to the Complainant's requests.

The Complainant reported that, in the Autumn of 2015, she approached the By-law Enforcement office of the Municipality of Clarington to have the matter addressed. Though initially hesitant to address the matter, someone named "[anon]" ("JM") in the By-law Enforcement office eventually sent a letter to the neighbour to have the leak corrected. Several days after the letter was sent, the Complainant witnessed two men repairing the Downspout. However, after the work was completed, at the time of the next rainfall, the Complainant noticed that the elbow joint

however, that to her understanding, "the Councillor did not seem to follow up on the matter with the By-law Enforcement Office and nothing was done."

In the summer of 2018, the Complainant sent a registered letter to the Clerk of the Municipality. She received a telephone call several days after sending the letter advising that it had been received and that someone would reply.
She then received a letter dated September 6, 2018, signed by DA, stating that the damaged eavestrough (though the issue was about the Downspout, not an eavestrough) had been repaired in 2015 and was determined to be in compliance with property standards. He again advised that the Downspout appears to be "shared" and that the issue was a civil matter between neighbours, and not the business of the Municipality.

After receiving DA's response, the Complainant wrote again to the Clerk advising of her disagreement and dissatisfaction with the By-law Enforcement Office's response and conclusions. The Clerk responded by way of correspondence dated November 26, 2018, in which she stated that the Downspout collects water from both rooftops. The Complainant does not agree that this factor makes the Downspout shared, as the units are freehold. The Clerk also advised the Complainant that a By-law Enforcement Officer (JM) visited the property and did not believe there to be a compliance issue with the Downspout. According to the Complainant, the By-law Enforcement Officer did not leave her vehicle to conduct the inspection but viewed the Downspout from the road. Furthermore, the Complainant disagrees with the By-law Enforcement Officer's position, as in the Complainant's view the matter is related to her health and safety. To that end, the Complainant made reference to the Municipality of Clarington website, which states that the purpose of the Property Standards By-law is to set "[

property line was. AA also referenced the Downspout as being "shared" and noted that the water came from the rooftops of both properties. In an email from AA to the Complainant, dated April 23, 2019, AA states:

"These pictures make it clear to me that the downspout is shared in the sense that it takes water from both properties and therefore both property owners must share responsibility for its maintenance."
For reasons already outlined in this report, the Complainant disagrees with this assessment.

In addition to her statements to and correspondence with the Ombudsman's office, the Complainant also provided documentary evidence in the form of correspondence with various municipal employees and photographic evidence of the Downspout and surrounding property.

Facts and Issues in the Complaint - Statements and Documents of the Respondent

The following is an excerpt from a letter to the Complainant from the Municipal Clerk for Clarington, [Anon] ("AG"), dated March 15, 2019, in which AG summarized the Municipality's position, a copy of which was provided by both Parties:

"In my discussion with [DA] he confirmed that he fully understands that your townhouse is freehold. When he made the statement in his letter [that the downspout is shared] he was referring to the water that flows through the downspout, not the ownership. As water runs downhill, the downspout which is causing you the concern actually collects any water which flows to it which could be flowing from your roof and your neighbours (sic).

create a violation to Clarington's by-laws and therefore no further action is required on behalf of the Municipality. The downspout is on private property and has not and does not violate any municipal by-laws. [

The Municipality, through the Clerk, also pointed out that the courts have tended to show deference to municipal by-law enforcement officers when determining whether or how to deal with enforcement matters.

Facts and Issues in the Complaint

health and safety of occupants, the environment and the value of the lands." The Municipality contends that the matter does not fall under the Property Standards By-law, and additionally that it is a private matter between the neighbours, and thus it is outside of Clarington's jurisdiction.
Nevertheless, the Municipality has previously inspected the Downspout and found it to be compliant in 2015. Through a plain language reading of Clarington's By-law 2007-070, it is my view that a leaking Downspout which causes water to be discharged onto a neighbour's property is a matter of property standards and does fall under the jurisdiction of the Municipality, through its Property Standards By-law. Moreover, the Municipality has stated on its website that the intent of the Property Standards By-law is to "[...

[...] Accordingly, the Complainant is of the position that ownership of a downspout is determined by where the downspout connects to the eavestrough, and to whose property it drains, not by the flow of water, which does not recognise property lines, nor by the fact that part of a downspout encroaches on the adjacent property through a necessity (or error) of design. The Municipality has taken the position that it cannot determine ownership of the Downspout, as it runs on both sides of the property line at different junctures and deposits water collected in eavestroughs which are connected to both houses. This configuration has been in place since the homes were constructed. I agree with each party's logic to a point. It does not in my view make sense that the Downspout in question is shared property when the houses are freehold properties. I also agree that the source or flow of rainwater is not the determinative issue with respect to ownership of the Downspout. However, it is also clear that the Downspout was designed, from the point of construction, to follow a path which takes it on both sides of the property line, and this may constitute, as the Municipality asserts, an element of common ownership (such as with an overhanging tree or line fence). Precedent in terms of previous actions taken in this case is also a factor for contemplation.
I have accordingly considered the following:

First, it is clear to me that the Downspout is connected to the neighbour's property through the eavestrough on the neighbour's porch roof. However, a small section of that porch roof (and the connected eavestrough) overhangs the property line to the Complainant's side. The connection point between the Downspout and eavestrough is on that part of the porch roof which overhangs the property line. Thus, the connection point of the Downspout to the rooftop appears to be entirely on the Complainant's property.

Second, the Downspout was clearly designed by the builder to deposit water on the neighbour's lawn, not on the Complainant's property. This is clearly visible when viewing the property from the front. Furthermore, it is noted that every other town house on the street appears to have one front Downspout that deposits water on their own lawn. As best I can tell through viewing the fronts of the homes on Google StreetView, all properties except the two in question (being the homes of the Complainant and her neighbour) have downspouts that do not cross property boundaries (though they all take water from adjacent rooftops to a certain extent because the houses are all connected, and water does not recognize such boundaries).

Third, the Downspout was altered by the previous owner of the adjacent property to wrap around his flower bed. The Complainant stated that she had no input into this decision. According to the Complainant, the Downspout was considered by the previous owner of the adjacent property to be his alone, and he altered it on his own. The Complainant also reported that the leaks from the elbow joint over her driveway began after these modifications were made. I have no reason to not accept these assertions as true.
Fourth, the Municipality issued a letter to the Complainant's neighbour in the autumn of 2015 requesting a repair to the Downspout where it was leaking on the neighbour [...]

Additional Considerations

With respect to the Municipality's position that it cannot order a property owner to repair something on a neighbour's property, I acknowledge and understand the logic of such position. However, the Complainant has clearly and repeatedly indicated that she is not only open to the neighbour fixing the Downspout elbow where it encroaches on her property, but indeed, she has actively advocated for this to happen. If the Complainant approves of the use of her property to make such repair (which she does), and again noting the exceptionality of these circumstances, there is no reason for the Municipality to point to that issue as a reason for not making such a request of the neighbour just as it had done in 2015. That being said, I also see no reason before me, given the elements of common ownership which I have found to exist (while making no determination on actual ownership or property rights), that the Complainant would be reasonably barred from repairing the leak herself, were she so inclined, in much the same way as she would be enabled to trim an overhanging tree or repair a line fence. The Municipality has clearly indicated it does not object to this from a by-law enforcement perspective. This is a determination which the Complainant will have to make on her own accord, however, and about which she may want to seek legal advice.

Should Clarington intervene in this matter, or should deference be shown to Clarington's By-law Enforcement Office in respect of its determination(s) on compliance?

Clarington has advanced the position that in respect of matters of by-law enforcement, the courts have generally shown deference to by-law enforcement officers to determine compliance (or non-compliance) without interference.
Our own reading of the caselaw on this point indicates that Clarington's position is correct. In Foley v. Shamess, the Ontario Court of Appeal held that: "For it is one thing to say a municipality has a duty to enforce its by-laws. The way it enforces them is quite another thing. As I read the case law, a municipality has a broad discretion in determining how it will enforce its by-laws, as long as it acts reasonably and in good faith. That makes common sense. The manner of enforcement ought not to be left to the whims or dictates of property owners." Accordingly, it is my view that, so long as Clarington's By-law Enforcement Office is acting reasonably and in good faith, which is presumed, and it inspects the Downspout to determine compliance (which is understood to have occurred), the Municipality's subsequent determination as to whether the Downspout is in compliance ought not to be fettered by the Ombudsman's office. To be clear on this point, I do note that Clarington has indicated that the Downspout was inspected and found to be in compliance, and accordingly that the leak does not represent an infraction that requires enforcement action on the municipality's part. A change in circumstances (e.g. should the problem worsen) may warrant a re-inspection. Assuming such an inspection is done reasonably and in good faith, the decision reached on such an inspection is likely not reviewable by the Municipal Ombudsman.

Conclusion

It is my conclusion that the leaking Downspout falls under the jurisdiction of municipal property standards as set out in By-law 2007-070, the Property Standards By-law.
I further conclude that the Municipality set a precedent by treating the Downspout as the neighbour's property (and not as the Complainant's property) in the past, and that the Complainant has a reasonable expectation that the Municipality would continue to act accordingly by not treating the Downspout issue as being out of its jurisdiction. I also find, however, that it is wholly within the Municipality's By-law Enforcement department's discretion to determine whether the Downspout is compliant with its by-laws, as well as to determine what course(s) of action are to be taken (or not taken) in respect of enforcement. To the extent Clarington's Municipal By-law Enforcement department has determined through its own inspection of the Downspout that it is compliant with the Property Standards By-law, I am not empowered to make any recommendations and defer, as the courts have done, to the discretion of the By-law Enforcement Officer(s) making such determination(s). I would like to thank the Parties for their assistance and cooperation. I trust this report clarifies the matters at issue and provides reasonable guidance through its conclusion(s).

All of which is respectfully submitted.

Yours very truly,
Michael L. Maynard
ADRO Investigator

Clarington Memo

If this information is required in an alternate format, please contact the Accessibility Co-ordinator at 905-623-3379 ext. 2131

To: Mayor Foster and Members of Council
From: Marie Marano, Director of Corporate Services
Date: May 19, 2020
Subject: COD-018-20 Municipal Business Solution - Questions

At a meeting held on May 11, 2020, the General Government Committee passed the following Resolution #GG-100-20: That Report COD-018-20, Municipal Business Solution, be referred to staff to report on the following:

1. Who is the company?
2. Who is the developer of the software?
3. Who will provide support?
4. What modules are we purchasing?
5. Integration of Existing Software
6. Amazon Cloud

This memo is circulated in advance for the opportunity to review, and it will be included on the Council agenda for May 25, 2020 to be considered in conjunction with COD-018-20.

1. Who is the company?

There are two companies involved in the Municipal Business Solution that is presented for Council approval in COD-018-20. A company called CSDC developed the Amanda software, which is the technology platform that will run all the modules identified in the RFP. They have been in business and selling the Amanda product for over 25 years. CSDC rebranded themselves as Calytera in 2017-2018 to expand their company. Until 2017, CSDC handled all support, sales, and implementation of the Amanda software themselves. With the expansion they retained the software development part of their company and outsourced software services by partnering with leading IT companies that they trusted to sell, implement, integrate and set up hosting of the software. Vision33 is the company that will do the software implementation to accommodate Clarington business processes, integrate them with existing applications, and support the Amanda software over the 10-year project period. It is one of only 5 partners that Calytera has allowed to sell the Amanda software. Vision33 is a certified partner of Calytera.

The Corporation of the Municipality of Clarington, 40 Temperance Street, Bowmanville ON L1C 3A6 | 905-623-3379

Attachment #1: Email from Calytera provides evidence of support of Vision33 as a trusted partner.

2. Who is the developer of the software?

The developer of the Amanda software was initially CSDC, now known as Calytera. Amanda is owned and published by Calytera. Vision33 will be working with the Municipality to implement a solution that meets the Municipality's requirements and expectations. The solution will be tested throughout the build to ensure that it meets the Municipality's requirements.

3. Who will provide support?
Vision33 will be the Municipality's point of contact for support throughout the implementation and will continue that support over the 10-year proposal. Vision33 references noted their conscientiousness, commitment to budget and excellence in communication, as well as an acknowledgement that they would use this company in future. The platform is not database specific, as it will run on either Oracle or MS-SQL, and will be hosted by the vendor. Both Clarington and the vendor have the skillset required to support both. Vision33 has been in business for over 25 years, as noted by the consultant in the presentation at the GGC meeting. It is also mentioned in the Calytera endorsement in Attachment #1.

4. What modules are we purchasing?

The Municipality has a number of robust applications, such as the financial, taxation, budget, and purchasing solutions, that were not considered as part of the RFP because they work well and are not at end-of-useful-life. As such it was not considered cost efficient to include them in the scope of the MBS. The Land Development Office (LDO) application is one of the largest database modules; it is used by multiple departments and has been in place for over 15 years. It is critical that it be replaced soon, as it is approaching end-of-useful-life and does not have any of the web-based functionality required to service our residents. It does not have mobile capability and as a result, time-consuming and inefficient manual processes are still in use. The current environment does not permit access to online and real-time data or information. In fact, during the COVID-19 period, the Municipal Law Enforcement Division was not able to rely on reporting from the LDO system to assist in fulfilling their COVID-19 Provincial Reporting requirements due to system limitations, and as such had to manually calculate the reporting data.
LDO has changed ownership over 5 times recently, which is also very concerning for dependability of support in the remaining time until it can be replaced.

Report COD-018-20, in section 1.2, identifies a number of the business processes that are included in the MBS product, including LDO, the Customer Relationship Management (CRM) module which will connect all information related to a property or site, an eForms Strategy to allow forms to be completed electronically, and other remote access capabilities. These are just a few of the major components that were listed and endorsed in the IT Strategic Plan of 2017 and have been budgeted over the subsequent years. Section 1.6 of COD-018-20 further identifies 17 additional business processes that will be included, which will increase efficiency and effectiveness of key activities in almost every department. As noted in section 2.1, there were 275 business and technical requirements explored in the development of the RFP, and the working committee scoped the project to 108 mandatory requirements. The Municipality was concerned that there would not be a company capable of fulfilling all requirements. It is considered a significant benefit to the Municipality that Vision33 is a reputable company who met the threshold for the business requirements of the RFP. Vision33 will have a contractual commitment to complete all requirements represented in the RFP submission. Key Departments using the system have outlined the further details, benefits and efficiencies of this MBS in sections 3.6 to 3.14 of the report. An enterprise system is a cross-functional information system that provides organization-wide coordination and integration of the key business processes; in the case of the MBS system, these are our land-based applications.
A key Corporate benefit to PoIISLL41 A ROS LCaEH LC PdI LDQG DFFFW--9QI-IIJ Em facilitating data sharing and integration with our financial, document management and mapping software, creating a true Geographic Information System (GIS). The result would be a fully integrated solution that will provide access and on-line options for businesses and residents and will be a more cyber-secure environment.

5. Integration with Existing Software

Vision33 is responsible for building and implementing the mandatory modules of the RFP using the Amanda software and then integrating or linking them with existing applications such as Laserfiche, CityWide Financial/Operations modules, Great Plains Purchasing module, etc. Having responsibility for integration under one company, Vision33, is considered the most efficient approach versus relying on multiple companies to set connecting links to existing applications that are not required to be replaced. Multiple company access and responsibility would prove more time-consuming and inconsistent, and would result in a more costly end product. There could also be a risk of cyber vulnerability with multiple parties having access to the system, which would require extra diligence and oversight to ensure that the integrity of the system is maintained.

Attachment #2, Amanda Integrations, provides additional background information regarding how Amanda integrates with third-party applications.

6. Amazon Cloud:

Amazon Cloud services will host the MBS solution and the data. The data will reside in Canada and is therefore subject to Canadian law and security requirements. The benefit of having a Cloud-based solution is that Vision33 will ensure that Clarington is running the most recent version of the software and will not need to allocate internal staff IT resources to oversee upgrades or require additional on-site storage.

Attachment #3: Vision33 environments are secured via a 2048-bit SSL certificate.
Cloud Security: the Amazon Web Services Overview of Security Processes is provided as further information.

7. Additional question asked regarding area municipalities:

a. Pickering, Whitby & Ajax

Pickering, Whitby and Ajax provided email confirmation of their situation as outlined below. Each has the Amanda software system that was initially set up as an on-site solution; they are not on web/cloud-based platforms and as such they are not receiving automatic updates to the current version of Amanda as they are released. Pickering stated that they have had Amanda software since 2003 with little issue. They expressed no concerns with the system crashing, and they have had good support from Calytera. They acknowledge that Calytera is looking to their partners to provide support going forward.

[...] with the turn around to the version 7 of Amanda. $ 3 P DCXD=Ell[]ElkD/F ey have not had any issues in years. They also state that Amanda is great software that can be leveraged in an infinite number of ways. They are running their application on-premise and use Oracle as their database. It is their intention to upgrade to version 7 either later this year or early in 2021.

b. Oshawa

Information from the Oshawa system was researched in the preparation of the Clarington solution. They have a multiple software solution to their system which is more costly over a 5-year span LLOFN-GZkMOAROOLFLV-V-LUOLUCEVRCVLTIayear proposal, and it relies on multiple partners to service the system. Their current system runs CRM on Lagan, CityView for LDO and Maximo for their Works/Operations management, which they are still implementing over an expected 29-month timeframe. Their overall annual maintenance cost for the three-solution environment is approximately $280,000 for an on-premise solution.

Marie Marano
Director of Corporate Services

c. Andrew Allison, Chief Administrative Officer
Department Heads
Rob Van Dyk, IT Manager
David Ferguson, Purchasing Manager
Brajesh Datt, IT Business Development Supervisor

COD-018-20 MBS Memo - Questions: Email from Calytera re Vision33, Attachment #1

Hi Sandra,

Thanks for your time today, here are a few bullets I hope will help you express the strength of the Calytera & Vision33 partnership.

- Vision33 has a 25+ year record of successfully helping government agencies harness the power of technology to improve their operations and services.
- They have an office in Mississauga and their Canadian headquarters is based in St. John's, Newfoundland.
- Calytera has Canadian offices in Mississauga and Ottawa, Ontario; although headquartered in Austin, Texas, our Ontario customer base is significant and the continued support and growth of this customer base is a priority for Calytera.
- Vision33 is a certified Calytera partner, with more certified Amanda resources on staff than any other partner. Their certified Amanda resources are supported by project managers and technical resources who have significant experience managing technology implementations for government agencies.
- They have significant experience in implementing enterprise-grade Amanda solutions for more than 30 jurisdictions including the City of Portland, City of Vancouver, Orange County, the State of Ohio and Volusia County.
- Vision33 is currently implementing Amanda solutions in Fresno County, the City of Kent, Washington and the City of Richmond, British Columbia.
- Calytera and Vision33 team members meet weekly to review projects, share best practices, conduct training and development sessions and to provide feedback into the Amanda product roadmap.
- Vision33 has a direct line to the Calytera team for any product-related support needed by Customers.

Please let me know if there is anything else I can help with.
Derek

Derek McConnery
Manager, Partner Success, Calytera
669.247.9154
d.mcconnery@calytera.com
calytera.com

Municipality of Clarington ON - Attachment #2 to Memo on COD-018-20

Amanda Integrations

A benefit of implementing Amanda into your technology ecosystem is that the platform is built to have robust integration capabilities. As an enterprise solution, Amanda will integrate with existing as well as future technologies within the Municipality. Amanda provides an extensive set of mechanisms and APIs to allow flexible and easy integration with any third-party system, application or service regardless of their implementation technology.

- Amanda is designed with a plug and play architecture that includes custom adaptors for many popular applications:
  - User Authentication (LDAP, Active Directory, etc.)
  - Electronic Document Management Systems (Laserfiche, FileNet, SharePoint, Alfresco, etc.)
  - Financials (Oracle, SAP, JDEdwards, etc.)
  - Geographic Information Systems (ESRI, ArcGIS, etc.)
  - Reporting (Crystal Reports, Oracle, Business Objects, SSRS, etc.)
  - Calendars (Office 365/Outlook, Microsoft Exchange, Google, etc.)
- Web Services: a SOAP and REST API that enables external systems to connect to Amanda.
- Batch Scheduler: an event- or time-driven module that allows for automated transfer of information. Supports transfer of single or bulk records via many common protocols.
- Enterprise Application Integration (EAI): Amanda EAI is a comprehensive integration solution that enables bi-directional information exchange with a third-party application, service or system. The EAI adaptor has a highly extensible architecture. Out-of-the-box it provides support for multiple communication protocols (HTTP/S, FTP, SMTP), offers flexible message formats (XML, delimited file, etc.), push/pull initiation, event- and time-driven operation, as well as synchronous and asynchronous data exchange.
- Pre-Built Adaptors for existing commercial and open-source applications

[Figure: pre-built adaptor categories, including Document Management Systems, Accounting Systems, ePlan Review Software, Migration, Online Payment Processors, and more]

Vision33 will leverage the adapters, webservices and batch components for the integrations between the stated Municipality systems and Amanda. These have been scoped as part of the RFP response, budget and deliverables. Vision33 will confirm these integration specifics during project discovery with the Municipality. For the Dynamics Great Plains (GP) 2018 Financial System, Amanda will utilize a blended approach for transactions.

- When real-time exchange is required, Vision33 will leverage Amanda's built-in Web Services and extendable Enterprise Application Integration (EAI). Great Plains Power Apps built-in data connectors for web services will allow for the two systems to operate efficiently and securely.
- For larger data sets, which typically occur monthly, Amanda will post monthly revenue allocations via Batch Scheduler and API data exchange into Great Plains. This can be reconciled and posted to GL and cost centers shared from Amanda. The time period (monthly) will be based on the Municipality's requirements. Reconciliation and reporting can occur in each system independently or as a consolidated effort using built-in reporting tools.

AWS, March 2020

Notices

Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied.
The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers. © 2020 Amazon Web Services, Inc. or its affiliates. All rights reserved.

Contents

Introduction 1
Shared Security Responsibility Model 1
  AWS Security Responsibilities 2
  Customer Security Responsibilities 2
AWS Global Infrastructure Security 3
  AWS Compliance Program 3
  Physical and Environmental Security 4
  Business Continuity Management 6
  Network Security 7
  AWS Access 11
  Secure Design Principles 12
  Change Management 12
AWS Account Security Features 14
  Individual User Accounts 19
  Secure HTTPS Access Points 19
  Security Logs 20
  AWS Trusted Advisor Security Checks 20
  AWS Config Security Checks 21
AWS Service-Specific Security 21
  Compute Services 21
  Networking Services 28
  Storage Services 43
  Database Services 55
  Application Services 66
  Analytics Services 73
  Deployment and Management Services 77
  Mobile Services 82
  Applications 85
Document Revisions 88

Abstract

This document is intended to answer questions such as "How does AWS help me ensure that my data is secure?"
Specifically, this paper describes AWS physical and operational security processes for the network and server infrastructure under the management of AWS.

Amazon Web Services: Overview of Security Processes

Introduction

Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, providing the tools that enable customers to run a wide range of applications. Helping to protect the confidentiality, integrity, and availability of our customers' systems and data is of the utmost importance to AWS, as is maintaining customer trust and confidence.

Shared Security Responsibility Model

Before covering the details of how AWS secures its resources, it is important to understand how security in the cloud is slightly different than security in your on-premises data centers. When you move computer systems and data to the cloud, security responsibilities become shared between you and your cloud service provider. In this case, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you're responsible for anything you put on the cloud or connect to the cloud. This shared security responsibility model can reduce your operational burden in many ways, and in some cases may even improve your default security posture without additional action on your part.

[Figure 1: AWS shared security responsibility model (compute, storage, database, networking)]

The amount of security configuration work you have to do varies depending on which services you select and how sensitive your data is. However, there are certain security features (such as individual user accounts and credentials, SSL/TLS for data transmissions, and user activity logging) that you should configure no matter which AWS service you use. For more information about these security features, see the AWS Account Security Features section.
AWS Security Responsibilities

Amazon Web Services is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS services. Protecting this infrastructure is the number one priority of AWS. Although you can't visit our data centers or offices to see this protection firsthand, we provide several reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations. For more information, visit AWS Compliance.

Note that in addition to protecting this global infrastructure, AWS is responsible for the security configuration of its products that are considered managed services. Examples of these types of services include Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon EMR, Amazon WorkSpaces, and several other services. These services provide the scalability and flexibility of cloud-based resources with the additional benefit of being managed. For these services, AWS handles basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery. For most of these managed services, all you have to do is configure logical access controls for the resources and protect your account credentials. A few of them may require additional tasks, such as setting up database user accounts, but overall the security configuration work is performed by the service.

Customer Security Responsibilities

With the AWS cloud, you can provision virtual servers, storage, databases, and desktops in minutes instead of weeks. You can also use cloud-based analytics and workflow tools to process your data as you need it, and then store it in your own data centers or in the cloud. The AWS services that you use determine how much configuration work you have to perform as part of your security responsibilities.
AWS products that fall into the well-understood category of Infrastructure-as-a-Service (IaaS), such as Amazon EC2, Amazon VPC, and Amazon S3, are completely under your control and require you to perform all of the necessary security configuration and management tasks. For example, for EC2 instances, you're responsible for management of the guest OS (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. These are basically the same security tasks that you're used to performing no matter where your servers are located.

AWS managed services like Amazon RDS or Amazon Redshift provide all of the resources you need to perform a specific task, but without the configuration work that can come with it. With managed services, you don't have to worry about launching and maintaining instances, patching the guest OS or database, or replicating databases; AWS handles that for you. But as with all services, you should protect your AWS Account credentials and set up individual user accounts with Amazon Identity and Access Management (IAM) so that each of your users has their own credentials and you can implement segregation of duties. We also recommend using multi-factor authentication (MFA) with each account, requiring the use of SSL/TLS to communicate with your AWS resources, and setting up API/user activity logging with AWS CloudTrail. For more information about additional measures you can take, refer to the AWS Security Best Practices whitepaper and recommended reading on the AWS Security Learning webpage.

AWS Global Infrastructure Security

AWS operates the global cloud infrastructure that you use to provision a variety of basic computing resources such as processing and storage.
The AWS global infrastructure includes the facilities, network, hardware, and operational software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards. As an AWS customer, you can be assured that you're building web architectures on top of some of the most secure computing infrastructure in the world.

AWS Compliance Program

AWS Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of AWS cloud infrastructure, compliance responsibilities are shared. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance enablers build on traditional programs, helping customers to establish and operate in an AWS security control environment. The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:

- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- DOD CSM Levels 1-5
- PCI DSS Level 1
- ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
- ITAR
- FIPS 140-2
- MTCS Level 3
- HITRUST

In addition, the flexibility and control that the AWS platform provides allows customers to deploy solutions that meet several industry-specific standards, including:

- Criminal Justice Information Services (CJIS)
- Cloud Security Alliance (CSA)
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Motion Picture Association of America (MPAA)

AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports,
certifications, accreditations, and other third-party attestations. For more information, see AWS Compliance.

Physical and Environmental Security

AWS data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in facilities that are not branded as AWS facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors are required to present identification and are signed in and continually escorted by authorized staff.

AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
Power

The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate and Temperature

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Management

AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.

Storage Device Decommissioning

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 ("Guidelines for Media Sanitization") as part of the decommissioning process.

Business Continuity Management

Amazon's infrastructure has a high level of availability and provides customers the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group.

Availability

Data centers are built in clusters in various global regions.
All data centers are online and serving customers; no data center is "cold." In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

AWS provides you with the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower risk flood plains (specific flood zone categorization varies by Region). In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.

You should architect your AWS usage to take advantage of multiple regions and availability zones. Distributing applications across multiple availability zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

Incident Response

The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.

Company-Wide Executive Review

Amazon's Internal Audit group has recently reviewed the AWS services resiliency plans, which are also periodically reviewed by members of the Senior Executive management team and the Audit Committee of the Board of Directors.
Communication

AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees; regular management meetings for updates on business performance and other matters; and electronic means such as video conferencing, electronic mail messages, and the posting of information via the Amazon intranet.

AWS has also implemented various methods of external communication to support its customer base and the community. Mechanisms are in place to allow the customer support team to be notified of operational issues that impact the customer experience. A Service Health Dashboard is available and maintained by the customer support team to alert customers to any issues that may be of broad impact. The AWS Cloud Security Center is available to provide you with security and compliance details about AWS. You can also subscribe to AWS Support offerings that include direct communication with the customer support team and proactive alerts to any customer-impacting issues.

Network Security

The AWS network has been architected to permit you to select the level of security and resiliency appropriate for your workload. To enable you to build geographically dispersed, fault-tolerant web architectures with cloud resources, AWS has implemented a world-class network infrastructure that is carefully monitored and managed.

Secure Network Architecture

Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network.
These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed using AWS's ACL-Manage tool, to help ensure these managed interfaces enforce the most up-to-date ACLs.

Secure Access Points

AWS has strategically placed a limited number of access points to the cloud to allow for more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow secure HTTP access (HTTPS), which allows you to establish a secure communication session with your storage or compute instances within AWS. To support customers with FIPS cryptographic requirements, the SSL-terminating load balancers in AWS GovCloud (US) are FIPS 140-2-compliant.

In addition, AWS has implemented network devices that are dedicated to managing interfacing communications with Internet service providers (ISPs). AWS employs a redundant connection to more than one communication service at each Internet-facing edge of the AWS network. These connections each have dedicated network devices.

Transmission Protection

You can connect to an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery. For customers who require additional layers of network security, AWS offers the Amazon Virtual Private Cloud (VPC), which provides a private subnet within the AWS cloud, and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and your data center.
For more information about VPC configuration options, see the Amazon Virtual Private Cloud (Amazon VPC) Security section.

Amazon Corporate Segregation

Logically, the AWS Production network is segregated from the Amazon Corporate network by means of a complex set of network security / segregation devices. AWS developers and administrators on the corporate network who need to access AWS cloud components in order to maintain them must explicitly request access through the AWS ticketing system. All requests are reviewed and approved by the applicable service owner. Approved AWS personnel then connect to the AWS network through a bastion host that restricts access to network devices and other cloud components, logging all activity for security review. Access to bastion hosts requires SSH public-key authentication for all user accounts on the host. For more information on AWS developer and administrator logical access, see AWS Access below.

Fault-Tolerant Design

Amazon's infrastructure has a high level of availability and provides customers the capability to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is "cold." In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

AWS provides you with the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone.
This means that availability zones are physically separated within a typical metropolitan region and are located in lower risk flood plains (specific flood zone categorization varies by region). In addition to utilizing discrete uninterruptible power supply (UPS) and onsite backup generators, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.

You should architect your AWS usage to take advantage of multiple regions and availability zones. Distributing applications across multiple availability zones provides the ability to remain resilient in the face of most failure scenarios, including natural disasters or system failures. However, you should be aware of location-dependent privacy and compliance requirements, such as the EU Data Privacy Directive. Data is not replicated between regions unless proactively done so by the customer, thus allowing customers with these types of data placement and privacy requirements the ability to establish compliant environments. It should be noted that all communications between regions are across public internet infrastructure; therefore, appropriate encryption methods should be used to protect sensitive data.

Data centers are built in clusters in various global regions, including: US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Frankfurt), EU (Ireland), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), China (Beijing), and South America (Sao Paulo). For a complete list of AWS Regions, see the AWS Global Infrastructure page.
AWS GovCloud (US) is an isolated AWS Region designed to allow US government agencies and customers to move workloads into the cloud by helping them meet certain regulatory and compliance requirements. The AWS GovCloud (US) framework allows US government agencies and their contractors to comply with U.S. International Traffic in Arms Regulations (ITAR) as well as the Federal Risk and Authorization Management Program (FedRAMP) requirements. AWS GovCloud (US) has received an Agency Authorization to Operate (ATO) from the US Department of Health and Human Services (HHS) utilizing a FedRAMP-accredited Third Party Assessment Organization (3PAO) for several AWS services.

The AWS GovCloud (US) Region provides the same fault-tolerant design as other regions, with two Availability Zones. In addition, use of the AWS Virtual Private Cloud (VPC) service is mandatory by default in the AWS GovCloud (US) region, to create an isolated portion of the AWS cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses. For more information, see AWS GovCloud (US).

Network Monitoring and Protection

AWS uses a wide variety of automated monitoring systems to provide a high level of service performance and availability. AWS monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metric thresholds for unusual activity.

Systems within AWS are extensively instrumented to monitor key operational metrics. Alarms are configured to automatically notify operations and management personnel when early warning thresholds are crossed on key operational metrics.
An on-call schedule is used so personnel are always available to respond to operational issues. This includes a pager system so alarms are quickly and reliably communicated to operations personnel.

Documentation is maintained to aid and inform operations personnel in handling incidents or issues. If the resolution of an issue requires collaboration, a conferencing system is used which supports communication and logging capabilities. Trained call leaders facilitate communication and progress during the handling of operational issues that require collaboration. Post-mortems are convened after any significant operational issue, regardless of external impact, and Cause of Error (COE) documents are drafted so the root cause is captured and preventative actions are taken in the future. Implementation of the preventative measures is tracked during weekly operations meetings.

AWS Access

The AWS Production network is segregated from the Amazon Corporate network and requires a separate set of credentials for logical access. The Amazon Corporate network relies on user IDs, passwords, and Kerberos, whereas the AWS Production network requires SSH public-key authentication through a bastion host. AWS developers and administrators on the Amazon Corporate network who need to access AWS cloud components must explicitly request access through the AWS access management system. All requests are reviewed and approved by the appropriate owner or manager.

Account Review and Audit

Accounts are reviewed every 90 days; explicit re-approval is required or access to the resource is automatically revoked. Access is also automatically revoked when an employee's record is terminated in Amazon's Human Resources system. Windows and UNIX accounts are disabled and Amazon's permission management system removes the user from all systems.
Requests for changes in access are captured in the Amazon permissions management tool audit log. When changes in an employee's job function occur, continued access must be explicitly approved to the resource or it will be automatically revoked.

Background Checks

AWS has established formal policies and procedures to delineate the minimum standards for logical access to AWS platform and infrastructure hosts. AWS conducts criminal background checks, as permitted by law, as part of pre-employment screening practices for employees and commensurate with the employee's position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.

Credentials Policy

AWS Security has established a credentials policy with required configurations and expiration intervals. Passwords must be complex and are forced to be changed every 90 days.

Secure Design Principles

The AWS development process follows secure software development best practices, which include formal design reviews by the AWS Security Team, threat modeling, and completion of a risk assessment. Static code analysis tools are run as a part of the standard build process, and all deployed software undergoes recurring penetration testing performed by carefully selected industry experts. Our security risk assessment reviews begin during the design phase and the engagement lasts through launch to ongoing operations.

Change Management

Routine, emergency, and configuration changes to existing AWS infrastructure are authorized, logged, tested, approved, and documented in accordance with industry norms for similar systems. Updates to the AWS infrastructure are done to minimize any impact on the customer and their use of the services. AWS will communicate with customers, either via email or through the AWS Service Health Dashboard, when service use is likely to be adversely affected.
Software

AWS applies a systematic approach to managing change so that changes to customer-impacting services are thoroughly reviewed, tested, approved, and well-communicated. The AWS change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are:

- Reviewed: Peer reviews of the technical aspects of a change are required.
- Tested: Changes being applied are tested to help ensure they will behave as expected and not adversely impact performance.
- Approved: All changes must be authorized in order to provide appropriate oversight and understanding of business impact.

Changes are typically pushed into production in a phased deployment starting with lowest impact areas. Deployments are tested on a single system and closely monitored so impacts can be evaluated. Service owners have a number of configurable metrics that measure the health of the service's upstream dependencies. These metrics are closely monitored with thresholds and alarming in place. Rollback procedures are documented in the Change Management (CM) ticket.

When possible, changes are scheduled during regular change windows. Emergency changes to production systems that require deviations from standard change management procedures are associated with an incident and are logged and approved as appropriate.

Periodically, AWS performs self-audits of changes to key services to monitor quality, maintain high standards, and facilitate continuous improvement of the change management process. Any exceptions are analyzed to determine the root cause, and appropriate actions are taken to bring the change into compliance or roll back the change if necessary. Actions are then taken to address and remediate the process or people issue.
Infrastructure

Amazon's Corporate Applications team develops and manages software to automate IT processes for UNIX/Linux hosts in the areas of third-party software delivery, internally developed software, and configuration management. The Infrastructure team maintains and operates a UNIX/Linux configuration management framework to address hardware scalability, availability, auditing, and security management. By centrally managing hosts through the use of automated processes that manage change, Amazon is able to achieve its goals of high availability, repeatability, scalability, security, and disaster recovery. Systems and network engineers monitor the status of these automated tools on a continuous basis, reviewing reports to respond to hosts that fail to obtain or update their configuration and software.

Internally developed configuration management software is installed when new hardware is provisioned. These tools are run on all UNIX hosts to validate that they are configured and that software is installed in compliance with standards determined by the role assigned to the host. This configuration management software also helps to regularly update packages that are already installed on the host. Only approved personnel enabled through the permissions service may log in to the central configuration management servers.

AWS Account Security Features

AWS provides a variety of tools and features that you can use to keep your AWS Account and resources safe from unauthorized use. This includes credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate IAM user accounts, user activity logging for security monitoring, and Trusted Advisor security checks. You can take advantage of all of these security tools no matter which AWS services you select.
AWS Credentials

To help ensure that only authorized users and processes access your AWS Account and resources, AWS uses several types of credentials for authentication. These include passwords, cryptographic keys, digital signatures, and certificates. We also provide the option of requiring multi-factor authentication (MFA) to log into your AWS Account or IAM user accounts. The following table highlights the various AWS credentials and their uses.

Table 1: Credential types and uses

Passwords
  Use: AWS root account or IAM user account login to the AWS Management Console.
  Description: A string of characters used to log into your AWS account or IAM account. AWS passwords must be a minimum of 6 characters and may be up to 128 characters.

Multi-Factor Authentication (MFA)
  Use: AWS root account or IAM user account login to the AWS Management Console.
  Description: A six-digit single-use code that is required in addition to your password to log in to your AWS Account or IAM user account.

Access Keys
  Use: Digitally signed requests to AWS APIs (using the AWS SDK, CLI, or REST/Query APIs).
  Description: Includes an access key ID and a secret access key. You use access keys to digitally sign programmatic requests that you make to AWS.

Key Pairs
  Use: SSH login to EC2 instances; CloudFront signed URLs.
  Description: A key pair is required to connect to an EC2 instance launched from a public AMI. The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096. You can have a key pair generated automatically for you when you launch the instance or you can upload your own.

X.509 Certificates
  Use: Digitally signed SOAP requests to AWS APIs; SSL server certificates for HTTPS.
  Description: X.509 certificates are only used to sign SOAP-based requests (currently used only with Amazon S3). You can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page.

You can download a Credential Report for your account at any time from the Security Credentials page. This report lists all of your account's users and the status of their credentials: whether they use a password, whether their password expires and must be changed regularly, the last time they changed their password, the last time they rotated their access keys, and whether they have MFA enabled.

For security reasons, if your credentials have been lost or forgotten, you cannot recover them or re-download them. However, you can create new credentials and then disable or delete the old set of credentials. In fact, AWS recommends that you change (rotate) your access keys and certificates on a regular basis. To let you do this without potential impact to your application's availability, AWS supports multiple concurrent access keys and certificates. With this feature, you can rotate keys and certificates into and out of operation on a regular basis without any downtime to your application. This can help to mitigate risk from lost or compromised access keys or certificates. The AWS IAM API enables you to rotate the access keys of your AWS Account as well as for IAM user accounts.

Passwords

Passwords are required to access your AWS Account, individual IAM user accounts, AWS Discussion Forums, and the AWS Support Center. You specify the password when you first create the account, and you can change it at any time by going to the Security Credentials page. AWS passwords can be up to 128 characters long and contain special characters, so we encourage you to create a strong password that cannot be easily guessed. You can set a password policy for your IAM user accounts to ensure that strong passwords are used and that they are changed often.
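The Credential Report and the key-rotation guidance above lend themselves to an automated hygiene check. The following Python script is an added example, not AWS code or AWS output: it parses a constructed report laid out in the shape of the IAM Credential Report (the column names are an assumed subset, and the 90-day thresholds are the editor's choice, not an AWS requirement) and flags console users without MFA, stale passwords, access keys that have not been rotated within the window, and a root account holding active access keys.

```python
"""Audit a credential report for stale credentials and missing MFA.

Added example, not AWS code. SAMPLE_REPORT is constructed to mimic the shape
of the IAM Credential Report; the column names are an assumed subset and the
thresholds below are illustrative choices.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (no real account data). Timestamps are ISO 8601 UTC.
SAMPLE_REPORT = """\
user,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,true,2020-01-10T08:00:00+00:00,true,false,N/A,false,N/A
alice,true,2020-04-01T09:30:00+00:00,true,true,2020-03-15T10:00:00+00:00,false,N/A
bob,true,2019-11-20T12:00:00+00:00,false,true,2019-10-01T12:00:00+00:00,false,N/A
deploy-bot,false,not_supported,false,true,2020-05-01T00:00:00+00:00,true,2019-06-01T00:00:00+00:00
"""

NOW = datetime(2020, 5, 25, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_KEY_AGE = timedelta(days=90)
MAX_PASSWORD_AGE = timedelta(days=90)


def _parse_ts(value):
    """Return an aware datetime, or None for placeholders such as N/A or not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW):
    """Return {user: [finding, ...]} for every user that fails at least one check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        # Anyone who can log in to the console with a password should also have MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        # Password older than the rotation window.
        changed = _parse_ts(row["password_last_changed"])
        if row["password_enabled"] == "true" and changed and now - changed > MAX_PASSWORD_AGE:
            issues.append("password older than %d days" % MAX_PASSWORD_AGE.days)
        # Each active access key slot must have been rotated within the window.
        for slot in ("1", "2"):
            if row["access_key_%s_active" % slot] != "true":
                continue
            rotated = _parse_ts(row["access_key_%s_last_rotated" % slot])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                issues.append("access key %s older than %d days" % (slot, MAX_KEY_AGE.days))
        # Long-lived root access keys are a standing risk; flag them regardless of age.
        if user == "<root_account>" and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            issues.append("root account has active access keys")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print("%-15s %s" % (user, "; ".join(issues)))
```

With the constructed report, alice passes every check, bob is flagged three times, and the service user deploy-bot is flagged only for its second, unrotated key; the same function can be pointed at a real report once the column names are confirmed against the account's export.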
A password policy is a set of rules that define the type of password an IAM user can set. For more information about password policies, see Managing Passwords for IAM Users.

AWS Multi-Factor Authentication (MFA)

AWS Multi-Factor Authentication (MFA) is an additional layer of security for accessing AWS services. When you enable this optional feature, you must provide a six-digit single-use code in addition to your standard user name and password credentials before access is granted to your AWS Account settings or AWS services and resources. You get this single-use code from an authentication device that you keep in your physical possession. This is called multi-factor authentication because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device (something you have).

You can enable MFA devices for your AWS Account as well as for the users you have created under your AWS Account with AWS IAM. In addition, you can add MFA protection for access across AWS Accounts, for when you want to allow a user you've created under one AWS Account to use an IAM role to access resources under another AWS Account. You can require the user to use MFA before assuming the role as an additional layer of security.

AWS MFA supports the use of both hardware tokens and virtual MFA devices. Virtual MFA devices use the same protocols as the physical MFA devices, but can run on any mobile hardware device, including a smartphone. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the Time-Based One-Time Password (TOTP) standard, as described in RFC 6238. Most virtual MFA applications allow you to host more than one virtual MFA device, which makes them more convenient than hardware MFA devices.
However, you should be aware that because a virtual MFA might be run on a less secure device such as a smartphone, a virtual MFA might not provide the same level of security as a hardware MFA device.

You can also enforce MFA authentication for AWS service APIs in order to provide an extra layer of protection over powerful or privileged actions such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3. You do this by adding an MFA-authentication requirement to an IAM access policy. You can attach these access policies to IAM users, IAM groups, or resources that support Access Control Lists (ACLs) like Amazon S3 buckets, SQS queues, and SNS topics.

It is easy to obtain hardware tokens from a participating third-party provider or virtual MFA applications from an AppStore and to set them up for use via the AWS website. More information is available at AWS Multi-Factor Authentication (MFA).

Access Keys
AWS requires that all API requests be signed; that is, they must include a digital signature that AWS can use to verify the identity of the requestor. You calculate the digital signature using a cryptographic hash function. The input to the hash function in this case includes the text of your request and your secret access key. If you use any of the AWS SDKs to generate requests, the digital signature calculation is done for you; otherwise, you can have your application calculate it and include it in your REST or Query requests by following the directions in Making Requests Using the AWS SDKs.

Not only does the signing process help protect message integrity by preventing tampering with the request while it is in transit, it also helps protect against potential replay attacks. A request must reach AWS within 15 minutes of the time stamp in the request. Otherwise, AWS denies the request.
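The request-signing process described above, as an added example (not code from the whitepaper or from the AWS SDKs). It follows the Signature Version 4 scheme: the signing key is derived from the secret access key through the credential scope (date, region, service) with HMAC-SHA256, and is never the raw secret. Both sides are shown: the client computes the signature, and a verifier enforces the 15-minute timestamp window before recomputing and comparing it. The key pair is the example pair from AWS documentation, not a live credential; the bucket host name, timestamps and the `demo` helper are constructed for this example, and the canonical-request builder assumes the path and query are already URI-encoded ASCII.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_SKEW = timedelta(minutes=15)  # the 15-minute window described above

# Constructed sample: the AWS documentation example key pair (not a live
# credential), a made-up bucket host name and a fixed request timestamp.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, SERVICE = "us-east-1", "s3"
SAMPLE_HEADERS = {"host": "example-bucket.s3.amazonaws.com",
                  "x-amz-date": "20130524T000000Z"}
SAMPLE_NOW = datetime(2013, 5, 24, 0, 5, tzinfo=timezone.utc)   # 5 min after signing
STALE_NOW = datetime(2013, 5, 24, 0, 20, tzinfo=timezone.utc)   # 20 min after signing


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key, date_stamp, region, service) -> bytes:
    """SigV4 key derivation. The secret is never used as the MAC key directly:
    it is folded through the credential scope (date, region, service), so a
    leaked signing key is only good for that day, region and service."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload: bytes) -> str:
    """Canonical form that both sides must build identically. Assumes the
    path and query values are already URI-encoded ASCII (the full algorithm
    also performs that encoding)."""
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    canonical_query = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    payload_hash = hashlib.sha256(payload).hexdigest()
    return "\n".join([method, path, canonical_query, canonical_headers,
                      signed_headers, payload_hash])


def credential_scope(headers, region, service) -> str:
    return f"{headers['x-amz-date'][:8]}/{region}/{service}/aws4_request"


def sign_request(secret_key, region, service, method, path, query, headers, payload) -> str:
    """Client side: hash the canonical request, build the string to sign and
    MAC it with the derived key. Returns the hex signature."""
    amz_date = headers["x-amz-date"]
    scope = credential_scope(headers, region, service)
    creq = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    key = derive_signing_key(secret_key, amz_date[:8], region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(secret_key, region, service, method, path, query, headers,
                   payload, presented_signature, now) -> bool:
    """Service side: enforce the 15-minute window first (replay defence), then
    recompute the signature from the stored secret and compare in constant
    time. Any change to a signed part (path, headers, payload) fails."""
    sent_at = datetime.strptime(headers["x-amz-date"],
                                "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if abs(now - sent_at) > MAX_SKEW:
        return False
    expected = sign_request(secret_key, region, service, method, path, query,
                            headers, payload)
    return hmac.compare_digest(expected, presented_signature)


def demo():
    args = (REGION, SERVICE, "GET", "/test.txt", {}, SAMPLE_HEADERS, b"")
    sig = sign_request(SECRET_KEY, *args)
    tampered = (REGION, SERVICE, "GET", "/other.txt", {}, SAMPLE_HEADERS, b"")
    return {
        "authorization": f"{ALGORITHM} Credential={ACCESS_KEY}/"
                         f"{credential_scope(SAMPLE_HEADERS, REGION, SERVICE)}, "
                         f"SignedHeaders=host;x-amz-date, Signature={sig}",
        "signature": sig,
        "fresh": verify_request(SECRET_KEY, *args, sig, SAMPLE_NOW),
        "stale": verify_request(SECRET_KEY, *args, sig, STALE_NOW),
        "tampered": verify_request(SECRET_KEY, *tampered, sig, SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `stale` and `tampered` cases are the two properties the text claims for signing: a captured request cannot be replayed after the window closes, and a request whose signed parts were altered in transit fails verification.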
The most recent version of the digital signature calculation process is Signature Version 4, which calculates the signature using the HMAC-SHA256 protocol. Version 4 provides an additional measure of protection over previous versions by requiring that you sign the message using a key that is derived from your secret access key rather than using the secret access key itself. In addition, you derive the signing key based on credential scope, which facilitates cryptographic isolation of the signing key.

Because access keys can be misused if they fall into the wrong hands, we encourage you to save them in a safe place and not embed them in your code. For customers with large fleets of elastically scaling EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys. IAM roles provide temporary credentials, which not only get automatically loaded to the target instance, but are also automatically rotated multiple times a day.

Key Pairs
Amazon EC2 instances created from a public AMI use a public/private key pair rather than a password for signing in via Secure Shell (SSH). The public key is embedded in your instance, and you use the private key to sign in securely without a password. After you create your own AMIs, you can choose other mechanisms to securely log in to your new instances. You can have a key pair generated automatically for you when you launch the instance or you can upload your own. Save the private key in a safe place on your system, and record the location where you saved it.

For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you want to distribute restricted content that someone paid for. You create Amazon CloudFront key pairs by using the Security Credentials page.
CloudFront key pairs can be created only by the root account and cannot be created by IAM users.

X.509 Certificates
X.509 certificates are used to sign SOAP-based requests. X.509 certificates contain a public key and additional metadata (like an expiration date that AWS verifies when you upload the certificate), and are associated with a private key. When you create a request, you create a digital signature with your private key and then include that signature in the request, along with your certificate. AWS verifies that you're the sender by decrypting the signature with the public key that is in your certificate. AWS also verifies that the certificate you sent matches the certificate that you uploaded to AWS.

For your AWS Account, you can have AWS create an X.509 certificate and private key that you can download, or you can upload your own certificate by using the Security Credentials page. For IAM users, you must create the X.509 certificate (signing certificate) by using third-party software. In contrast with root account credentials, AWS cannot create an X.509 certificate for IAM users. After you create the certificate, you attach it to an IAM user by using IAM.

In addition to SOAP requests, X.509 certificates are used as SSL/TLS server certificates for customers who want to use HTTPS to encrypt their transmissions. To use them for HTTPS, you can use an open-source tool like OpenSSL to create a unique private key. You need the private key to create the Certificate Signing Request (CSR) that you submit to a certificate authority (CA) to obtain the server certificate. You then use the AWS CLI to upload the certificate, private key, and certificate chain to IAM.

You also need an X.509 certificate to create a customized Linux AMI for EC2 instances. The certificate is only required to create an instance-backed AMI (as opposed to an EBS-backed AMI).
Individual User Accounts
AWS provides a centralized mechanism called AWS Identity and Access Management (IAM) for creating and managing individual users within your AWS Account. A user can be any individual, system, or application that interacts with AWS resources, either programmatically or through the AWS Management Console or AWS Command Line Interface (CLI). Each user has a unique name within the AWS Account, and a unique set of security credentials not shared with other users. AWS IAM eliminates the need to share passwords or keys, and enables you to minimize the use of your AWS Account credentials. With IAM, you define policies that control which AWS services your users can access and what they can do with them. You can grant users only the minimum permissions they need to perform their jobs. See the AWS Identity and Access Management (AWS IAM) section for more information.

Secure HTTPS Access Points
For greater communication security when accessing AWS resources, you should use HTTPS instead of HTTP for data transmissions. HTTPS uses the SSL/TLS protocol, which uses public-key cryptography to prevent eavesdropping, tampering, and forgery. All AWS services provide secure customer access points (also called API endpoints) that allow you to establish secure HTTPS communication sessions.

Several services also now offer more advanced cipher suites that use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol. ECDHE allows SSL/TLS clients to provide Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This helps prevent the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised.
Security Logs
As important as credentials and encrypted endpoints are for preventing security problems, logs are just as crucial for understanding events after a problem has occurred. And to be effective as a security tool, a log must include not just a list of what happened and when, but also identify the source. To help you with your after-the-fact investigations and near-real-time intrusion detection, AWS CloudTrail provides a log of events within your account. For each event, you can see what service was accessed, what action was performed, and who made the request. CloudTrail captures API calls, as well as other things such as console sign-in events.

Once you have enabled CloudTrail, event logs are delivered about every 5 minutes. You can configure CloudTrail so that it aggregates log files from multiple regions and/or accounts into a single Amazon S3 bucket. By default, a single trail will record and deliver events in all current and future regions. In addition to S3, you can send events to CloudWatch Logs, for custom metrics and alarming, or you can upload the logs to your favorite log management and analysis solutions to perform security analysis and detect user behavior patterns. For rapid response, you can create CloudWatch Events rules to take timely action on specific events. By default, log files are stored securely in Amazon S3, but you can also archive them to Amazon S3 Glacier to help meet audit and compliance requirements.

In addition to CloudTrail's user activity logs, you can use the Amazon CloudWatch Logs feature to collect and monitor system, application, and custom log files from your EC2 instances and other sources in near-real time. For example, you can monitor your web server's log files for invalid user messages to detect unauthorized login attempts to your guest OS.
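Detection logic run over CloudTrail records, as an added example (not code from the whitepaper or from AWS). It answers the three questions the text says a useful security log must answer, what happened, who did it, and from where, and flags the events a responder would want to see first: root console sign-ins, console sign-ins completed without MFA, changes that switch off or alter the trail itself, and IAM changes that widen permissions. The five records are constructed for this example: the account ID, user names and IP addresses (RFC 5737 documentation ranges) are placeholders, while the field names (`eventSource`, `eventName`, `userIdentity`, `additionalEventData.MFAUsed`) are those CloudTrail actually emits.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records. Account ID, user names and IP
# addresses are placeholders (RFC 5737 documentation ranges), not real data.
SAMPLE_CLOUDTRAIL = json.loads(r'''
{"Records": [
 {"eventTime": "2020-05-25T08:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2020-05-25T08:05:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "111122223333"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2020-05-25T08:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "111122223333"},
  "requestParameters": {"name": "management-events"}},
 {"eventTime": "2020-05-25T08:07:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "111122223333"},
  "requestParameters": {"userName": "svc-backup",
                        "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime": "2020-05-25T08:10:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"}}
]}
''')["Records"]

# Events that disable or degrade the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# IAM changes that grant or widen permissions and deserve review.
PRIVILEGE_CHANGES = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                     "PutUserPolicy", "PutRolePolicy", "CreateAccessKey", "CreateUser"}


def actor(record):
    """Who: IAM user name when present, otherwise the identity type (e.g. Root)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def detect(records):
    """Apply simple rules over CloudTrail records and return one finding per hit
    as (rule, who, source IP, event time)."""
    findings = []
    for r in records:
        who, where, when = actor(r), r.get("sourceIPAddress"), r.get("eventTime")
        name, source = r.get("eventName"), r.get("eventSource")
        login_ok = r.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if name == "ConsoleLogin" and login_ok:
            if r.get("userIdentity", {}).get("type") == "Root":
                findings.append(("root-console-login", who, where, when))
            if r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(("console-login-without-mfa", who, where, when))
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", who, where, when))
        if source == "iam.amazonaws.com" and name in PRIVILEGE_CHANGES:
            findings.append(("iam-privilege-change", who, where, when))
    return findings


def summarize(findings):
    """Count findings per rule, the shape a CloudWatch metric filter would report."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    for finding in detect(SAMPLE_CLOUDTRAIL):
        print(finding)
```

Run against the sample, the alice sign-in with MFA and the read-only `DescribeInstances` call produce nothing, while the four root-driven events from the same address are reported together, which is the correlation (same actor, same source, minutes apart) that makes the log useful after the fact.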
AWS Trusted Advisor Security Checks
The AWS Trusted Advisor customer support service not only monitors for cloud performance and resiliency, but also cloud security. Trusted Advisor inspects your AWS environment and makes recommendations when opportunities may exist to save money, improve system performance, or close security gaps. It provides alerts on several of the most common security misconfigurations that can occur, including leaving certain ports open that make you vulnerable to hacking and unauthorized access, neglecting to create IAM accounts for your internal users, allowing public access to Amazon S3 buckets, not turning on user activity logging (AWS CloudTrail), or not using MFA on your root AWS Account. You also have the option for a Security contact at your organization to automatically receive a weekly email with an updated status of your Trusted Advisor security checks.

The AWS Trusted Advisor service provides four checks at no additional charge to all users, including three important security checks: specific ports unrestricted, IAM use, and MFA on root account. When you sign up for Business- or Enterprise-level AWS Support, you receive full access to all Trusted Advisor checks.

AWS Config Security Checks
AWS Config is a continuous monitoring and assessment service that records changes to the configuration of your AWS resources. You can view the current and historic configurations of a resource and use this information to troubleshoot outages, conduct security attack analysis, and much more. You can view the configuration at any point in time and use that information to re-configure your resources and bring them into a steady state during an outage situation.
Using AWS Config Rules, you can run continuous assessment checks on your resources to verify that they comply with your own security policies, industry best practices, and compliance regimes such as PCI/HIPAA. For example, AWS Config provides a managed AWS Config Rule to ensure that encryption is turned on for all EBS volumes in your account. You can also write a custom AWS Config Rule to check your resources against your own corporate security policies. AWS Config alerts you in real time when a resource is misconfigured, or when a resource violates a particular security policy.

AWS Service-Specific Security
Not only is security built into every layer of the AWS infrastructure, but also into each of the services available on that infrastructure. AWS services are architected to work efficiently and securely with all AWS networks and platforms. Each service provides extensive security features to enable you to protect sensitive data and applications.

Compute Services
Amazon Web Services provides a variety of cloud-based computing services that include a wide selection of compute instances that can scale up and down automatically to meet the needs of your application or enterprise.

Amazon Elastic Compute Cloud (Amazon EC2) Security
Amazon Elastic Compute Cloud (Amazon EC2) is a key component of Amazon's Infrastructure-as-a-Service (IaaS), providing resizable computing capacity using server instances in AWS data centers. Amazon EC2 is designed to make web-scale computing easier by enabling you to obtain and configure capacity with minimal friction. You create and launch instances, which are collections of platform hardware and software.

Multiple Levels of Security
Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls. Each of these items builds on the capabilities of the others.
The goal is to prevent data contained within Amazon EC2 from being intercepted by unauthorized systems or users and to provide Amazon EC2 instances themselves that are as secure as possible without sacrificing the flexibility in configuration that customers demand.

Hypervisor
Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. The CPU provides four separate privilege modes, 0-3, called rings. Ring 0 is the most privileged and 3 the least. The host OS executes in Ring 0. However, rather than executing in Ring 0 as most operating systems do, the guest OS runs in a lesser-privileged Ring 1 and applications in the least privileged Ring 3. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.

Traditionally, hypervisors protect the physical hardware and BIOS, virtualize the CPU, storage, and networking, and provide a rich set of management capabilities. With the Nitro System, we are able to break apart those functions, offload them to dedicated hardware and software, and reduce costs by delivering all of the resources of a server to your instances. The Nitro Hypervisor provides consistent performance and increased compute and memory resources for EC2 virtualized instances by removing host system software components. It allows AWS to offer larger instance sizes (like c5.18xlarge) that provide practically all of the resources from the server to customers.
Previously, C3 and C4 instances each eliminated software components by moving VPC and EBS functionality to hardware designed and built by AWS. This hardware enables the Nitro Hypervisor to be very small and uninvolved in data processing tasks for networking and storage. Nevertheless, as AWS expands its global cloud infrastructure, Amazon EC2's use of its Xen-based hypervisor will also continue to grow. Xen will remain a core component of EC2 instances for the foreseeable future.

Instance Isolation
Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which provides awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.

Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, so that one customer's data is never unintentionally exposed to another. In addition, memory allocated to guests is scrubbed (set to zero) by the hypervisor when it is unallocated to a guest. The memory is not returned to the pool of free memory available for new allocations until the memory scrubbing is complete.

AWS recommends customers further protect their data using appropriate means. One common solution is to run an encrypted file system on top of the virtualized disk device.
Figure 2: Amazon EC2 multiple layers of security (diagram of Customer 1, Customer 2, ... Customer n instances)

Host Operating System: Administrators with a business need to access the management plane are required to use multi-factor authentication to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane of the cloud. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems can be revoked.

Guest Operating System: Virtual instances are completely controlled by you, the customer. You have full root access or administrative control over accounts, services, and applications. AWS does not have any access rights to your instances or the guest OS. AWS recommends a base set of security best practices to include disabling password-only access to your guests, and utilizing some form of multi-factor authentication to gain access to your instances (or at a minimum certificate-based SSH Version 2 access). Additionally, you should employ a privilege escalation mechanism with logging on a per-user basis. For example, if the guest OS is Linux, after hardening your instance you should utilize certificate-based SSHv2 to access the virtual instance, disable remote root login, use command-line logging, and use the sudo utility for privilege escalation. You should generate your own key pairs in order to guarantee that they are unique, and not shared with other customers or with AWS.

AWS also supports the use of the Secure Shell (SSH) network protocol to enable you to log in securely to your UNIX/Linux EC2 instances. Authentication for SSH used with AWS is via a public/private key pair to reduce the risk of unauthorized access to your instance.
You can also connect remotely to your Windows instances using Remote Desktop Protocol (RDP) by utilizing an RDP certificate generated for your instance. You also control the updating and patching of your guest OS, including security updates. Amazon-provided Windows and Linux-based AMIs are updated regularly with the latest patches, so if you do not need to preserve data or customizations on your running Amazon AMI instances, you can simply relaunch new instances with the latest updated AMI. In addition, updates are provided for the Amazon Linux AMI via the Amazon Linux yum repositories.

Firewall: Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny-all mode and Amazon EC2 customers must explicitly open the ports needed to allow inbound traffic. The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block). The firewall can be configured in groups permitting different classes of instances to have different rules. Consider, for example, the case of a traditional three-tiered web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application specific) accessible only to the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer's corporate network. Highly secure applications can be engineered using this expressive mechanism. See the following figure.
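The three-tier security group design described above, modelled as an added example (not code from the whitepaper or from AWS). It captures the two properties the text relies on: the firewall is default-deny, so an empty rule list admits nothing, and a rule's source can be another security group rather than an address block, so the database tier accepts port 3306 only from members of the application group regardless of their IP addresses. The corporate network range is a placeholder from RFC 5737 documentation space; `Rule`, `SecurityGroup`, `is_allowed` and `audit_open_to_world` are names chosen for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the three-tier design. The corporate range is a
# placeholder (RFC 5737 documentation space), not a real network.
CORPORATE_NET = "203.0.113.0/24"
ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    protocol: str
    port: int
    cidr: Optional[str] = None          # source given as an address block, or
    source_group: Optional[str] = None  # source given as a security group name


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)  # default deny: empty admits nothing


THREE_TIER = {
    "web": SecurityGroup("web", [
        Rule("tcp", 80, cidr=ANYWHERE),
        Rule("tcp", 443, cidr=ANYWHERE),
        Rule("tcp", 22, cidr=CORPORATE_NET),
    ]),
    "app": SecurityGroup("app", [
        Rule("tcp", 8000, source_group="web"),
        Rule("tcp", 22, cidr=CORPORATE_NET),
    ]),
    "db": SecurityGroup("db", [
        Rule("tcp", 3306, source_group="app"),
        Rule("tcp", 22, cidr=CORPORATE_NET),
    ]),
}


def is_allowed(groups, dst_group, protocol, port, src_ip, src_group=None):
    """Evaluate one inbound packet against the destination group's rules.
    There is no deny rule to write: anything not explicitly permitted is
    dropped. A source-group rule matches on the sender's group membership,
    so moving a host between groups changes what it can reach without
    touching any IP addresses."""
    ip = ipaddress.ip_address(src_ip)
    for rule in groups[dst_group].inbound:
        if rule.protocol != protocol or rule.port != port:
            continue
        if rule.cidr and ip in ipaddress.ip_network(rule.cidr):
            return True
        if rule.source_group and rule.source_group == src_group:
            return True
    return False


def audit_open_to_world(groups, admin_ports=(22, 3389)):
    """Defender check: list administrative ports any group exposes to 0.0.0.0/0,
    the misconfiguration Trusted Advisor's 'specific ports unrestricted' check
    looks for."""
    exposed = []
    for g in groups.values():
        for rule in g.inbound:
            if rule.cidr == ANYWHERE and rule.port in admin_ports:
                exposed.append((g.name, rule.port))
    return exposed


if __name__ == "__main__":
    print("internet -> web:443 ", is_allowed(THREE_TIER, "web", "tcp", 443, "198.51.100.9"))
    print("internet -> app:8000", is_allowed(THREE_TIER, "app", "tcp", 8000, "198.51.100.9"))
    print("web -> db:3306      ", is_allowed(THREE_TIER, "db", "tcp", 3306, "10.0.1.5", "web"))
    print("exposed admin ports ", audit_open_to_world(THREE_TIER))
```

The model evaluates only the security group layer; as the text notes, host-based firewalls on each instance are a separate, additional filter.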
Figure 3: Amazon EC2 security group firewall (diagram: Web Tier with EC2 ports 80 and 443 only open to the Internet; Application Tier, which acts as a bastion and to which engineering staff have SSH access; Database Tier on EC2 with EBS volumes, to which authorized third parties can be granted SSH access; AWS employs a private network with SSH support for secure access between tiers and is configurable to limit access between tiers; all other Internet ports blocked by default)

The firewall isn't controlled through the guest OS; rather, it requires your X.509 certificate and key to authorize changes, thus adding an extra layer of security. AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling you to implement additional security through separation of duties. The level of security afforded by the firewall is a function of which ports you open, and for what duration and purpose. The default state is to deny all incoming traffic, and you should plan carefully what you will open when building and securing your applications. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as IPtables or the Windows Firewall and VPNs. This can restrict both inbound and outbound traffic.

API Access: API calls to launch and terminate instances, change firewall parameters, and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS Account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon EC2 API calls cannot be made on your behalf.
In addition, API calls can be encrypted with SSL to maintain confidentiality. Amazon recommends always using SSL-protected API endpoints.

Permissions: AWS IAM also enables you to further control what APIs a user has permissions to call.

Elastic Block Storage (Amazon EBS) Security
Amazon Elastic Block Storage (Amazon EBS) allows you to create storage volumes from 1 GB to 16 TB that can be mounted as devices by Amazon EC2 instances. Storage volumes behave like raw, unformatted block devices, with user-supplied device names and a block device interface. You can create a file system on top of Amazon EBS volumes, or use them in any other way you would use a block device (like a hard drive). Amazon EBS volume access is restricted to the AWS Account that created the volume, and to the users under the AWS Account created with AWS IAM if the user has been granted access to the EBS operations, thus denying all other AWS Accounts and users the permission to view or access the volume.

Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability. For customers who have architected complex transactional databases using EBS, it is recommended that backups to Amazon S3 be performed through the database management system so that distributed transactions and logs can be checkpointed. AWS does not perform backups of data that are maintained on virtual disks attached to running instances on Amazon EC2.

You can make Amazon EBS volume snapshots publicly available to other AWS Accounts to use as the basis for creating your own volumes.
Sharing Amazon EBS volume snapshots does not provide other AWS Accounts with the permission to alter or delete the original snapshot, as that right is explicitly reserved for the AWS Account that created the volume. An EBS snapshot is a block-level view of an entire EBS volume. Note that data that is not visible through the file system on the volume, such as files that have been deleted, may be present in the EBS snapshot. If you want to create shared snapshots, you should do so carefully. If a volume has held sensitive data or has had files deleted from it, a new EBS volume should be created. The data to be contained in the shared snapshot should be copied to the new volume, and the snapshot created from the new volume.

Amazon EBS volumes are presented to you as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs immediately before reuse so that you can be assured that the wipe process completed. If you have procedures requiring that all data be wiped via a specific method, such as those detailed in NIST 800-88 (Guidelines for Media Sanitization), you have the ability to do so on Amazon EBS. You should conduct a specialized wipe procedure prior to deleting the volume for compliance with your established requirements.

Encryption of sensitive data is generally a good security practice, and AWS provides the ability to encrypt EBS volumes and their snapshots with AES-256. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage. In order to be able to do this efficiently and with low latency, the EBS encryption feature is only available on EC2's more powerful instance types (e.g., M3, C3, R3, G2).
Auto Scaling Security
Auto Scaling allows you to automatically scale your Amazon EC2 capacity up or down according to conditions you define, so that the number of Amazon EC2 instances you are using scales up seamlessly during demand spikes to maintain performance, and scales down automatically during demand lulls to minimize costs.

Like all AWS services, Auto Scaling requires that every request made to its control API be authenticated so only authenticated users can access and manage Auto Scaling. Requests are signed with an HMAC-SHA1 signature calculated from the request and the user's private key. However, getting credentials onto new EC2 instances launched with Auto Scaling can be challenging for large or elastically scaling fleets. To simplify this process, you can use roles within IAM, so that any new instances launched with a role will be given credentials automatically. When you launch an EC2 instance with an IAM role, temporary AWS security credentials with permissions specified by the role are securely provisioned to the instance and are made available to your application via the Amazon EC2 Instance Metadata Service. The Metadata Service makes new temporary security credentials available prior to the expiration of the current active credentials, so that valid credentials are always available on the instance. In addition, the temporary security credentials are automatically rotated multiple times per day, providing enhanced security. You can further control access to Auto Scaling by creating users under your AWS Account using AWS IAM, and controlling what Auto Scaling APIs these users have permission to call. For more information about using roles when launching instances, see Identity and Access Management for Amazon EC2.
Networking Services
Amazon Web Services provides a range of networking services that enable you to create a logically isolated network that you define, establish a private network connection to the AWS cloud, use a highly available and scalable DNS service, and deliver content to your end users with low latency at high data transfer speeds with a content delivery web service.

Elastic Load Balancing Security
Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all availability zones within a region. Elastic Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits:

• Takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer
• Offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network
• When used in an Amazon VPC, supports creation and management of security groups associated with your Elastic Load Balancing to provide additional networking and security options
• Supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections. When TLS is used, the TLS server certificate used to terminate client connections can be managed centrally on the load balancer, rather than on every individual instance.

HTTPS/TLS uses a long-term secret key to generate a short-term session key to be used between the server and the browser to create the ciphered (encrypted) message. Elastic Load Balancing configures your load balancer with a pre-defined cipher set that is used for TLS negotiation when a connection is established between a client and your load balancer. The pre-defined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms.
However, some customers may have requirements for allowing only specific ciphers and protocols (such as PCI, SOX, etc.) from clients to ensure that standards are met. In these cases, Elastic Load Balancing provides options for selecting different configurations for TLS protocols and ciphers. You can choose to enable or disable the ciphers depending on your specific requirements.

To help ensure the use of newer and stronger cipher suites when establishing a secure connection, you can configure the load balancer to have the final say in the cipher suite selection during the client-server negotiation. When the Server Order Preference option is selected, the load balancer selects a cipher suite based on its own prioritized list of ciphers rather than the client's preference. This gives you more control over the level of security that clients use to connect to your load balancer.

For even greater communication privacy, Elastic Load Balancing allows the use of Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This prevents the decoding of captured data, even if the secret long-term key itself is compromised.

Elastic Load Balancing allows you to identify the originating IP address of a client connecting to your servers, whether you're using HTTPS or TCP load balancing. Typically, client connection information, such as IP address and port, is lost when requests are proxied through a load balancer. This is because the load balancer sends requests to the server on behalf of the client, making your load balancer appear as though it is the requesting client. Having the originating client IP address is useful if you need more information about visitors to your applications in order to gather connection statistics, analyze traffic logs, or manage whitelists of IP addresses.

Elastic Load Balancing access logs contain information about each HTTP and TCP request processed by your load balancer.
Each access log record includes the IP address and port of the requesting client, the backend IP address of the instance that processed the request, the size of the request and response, and the actual request line from the client (for example, GET http://www.example.com:80/ HTTP/1.1). All requests sent to the load balancer are logged, including requests that never made it to backend instances.

Amazon Virtual Private Cloud (Amazon VPC) Security

Normally, each Amazon EC2 instance that you launch is randomly assigned a public IP address in the Amazon EC2 address space. Amazon VPC enables you to create an isolated portion of the AWS cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses in the range of your choice (e.g., 10.0.0.0/16). You can define subnets within your VPC, grouping similar kinds of instances based on IP address range, and then set up routing and security to control the flow of traffic in and out of the instances and subnets. AWS offers a variety of VPC architecture templates with configurations that provide varying levels of public access:

❑ VPC with a single public subnet only. Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet. Network ACLs and security groups can be used to provide strict control over inbound and outbound network traffic to your instances.
❑ VPC with public and private subnets. In addition to containing a public subnet, this configuration adds a private subnet whose instances are not addressable from the Internet. Instances in the private subnet can establish outbound connections to the Internet via the public subnet using Network Address Translation (NAT).
❑ VPC with public and private subnets and hardware VPN access.
This configuration adds an IPsec VPN connection between your Amazon VPC and your data center, effectively extending your data center to the cloud while also providing direct access to the Internet for public subnet instances in your Amazon VPC. In this configuration, customers add a VPN appliance on their corporate data center side.
❑ VPC with private subnet only and hardware VPN access. Your instances run in a private, isolated section of the AWS cloud with a private subnet whose instances are not addressable from the Internet. You can connect this private subnet to your corporate data center via an IPsec VPN tunnel.

You can also connect two VPCs using private IP addresses, which allows instances in the two VPCs to communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.

Security features within Amazon VPC include security groups, network ACLs, routing tables, and external gateways. Each of these items is complementary to providing a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network. Amazon EC2 instances running within an Amazon VPC inherit all of the benefits described below related to the guest OS and protection against packet sniffing. Note, however, that you must create VPC security groups specifically for your Amazon VPC; any Amazon EC2 security groups you have created will not work inside your Amazon VPC. Also, Amazon VPC security groups have additional capabilities that Amazon EC2 security groups do not have, such as being able to change the security group after the instance is launched and being able to specify any protocol with a standard protocol number (as opposed to just TCP, UDP, or ICMP).
Each Amazon VPC is a distinct, isolated network within the cloud; network traffic within each Amazon VPC is isolated from all other Amazon VPCs. At creation time, you select an IP address range for each Amazon VPC. You may create and attach an Internet gateway, virtual private gateway, or both to establish external connectivity, subject to the controls below.

API Access: Calls to create and delete Amazon VPCs, change routing, security group, and network ACL parameters, and perform other functions are all signed by your Amazon Secret Access Key, which could be either the AWS Account's Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to your Secret Access Key, Amazon VPC API calls cannot be made on your behalf. In addition, API calls can be encrypted with SSL to maintain confidentiality. Amazon recommends always using SSL-protected API endpoints. AWS IAM also enables a customer to further control what APIs a newly created user has permissions to call.

Subnets and Route Tables: You create one or more subnets within each Amazon VPC; each instance launched in the Amazon VPC is connected to one subnet. Traditional Layer 2 security attacks, including MAC spoofing and ARP spoofing, are blocked. Each subnet in an Amazon VPC is associated with a routing table, and all network traffic leaving the subnet is processed by the routing table to determine the destination.

Firewall (Security Groups): Like Amazon EC2, Amazon VPC supports a complete firewall solution enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, as well as source/destination IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
The firewall isn't controlled through the guest OS; rather, it can be modified only through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling you to implement additional security through separation of duties. The level of security afforded by the firewall is a function of which ports you open, and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages you to apply additional per-instance filters with host-based firewalls such as iptables or the Windows Firewall.

[Figure 4: Amazon VPC network architecture. Diagram elements: Customer Data Center, Customer Regional Office, Customer Gateway, Internet, Virtual Private Gateway, Router, NAT, Private Subnet, Public Subnet, Availability Zone A, Availability Zone B, Amazon S3, Amazon SES, DynamoDB, AWS Region.]

Network Access Control Lists: To add a further layer of security within Amazon VPC, you can configure network ACLs. These are stateless traffic filters that apply to all traffic inbound or outbound from a subnet within Amazon VPC. These ACLs can contain ordered rules to allow or deny traffic based upon IP protocol, by service port, as well as source/destination IP address. Because they are stateless, return traffic is evaluated like any other packet and needs its own rule. Like security groups, network ACLs are managed through Amazon VPC APIs, adding an additional layer of protection and enabling additional security through separation of duties. The diagram below depicts how the security controls above inter-relate to enable flexible network topologies while providing complete control over network traffic flows.
[Figure 5: Flexible network topologies. Diagram of a VPC (10.0.0.0/16) with a virtual private gateway and an Internet gateway.]

Virtual Private Gateway: A virtual private gateway enables private connectivity between the Amazon VPC and another network. Network traffic within each virtual private gateway is isolated from network traffic within all other virtual private gateways. You can establish VPN connections to the virtual private gateway from gateway devices at your premises. Each connection is secured by a pre-shared key in conjunction with the IP address of the customer gateway device.

Internet Gateway: An Internet gateway may be attached to an Amazon VPC to enable direct connectivity to Amazon S3, other AWS services, and the Internet. Each instance desiring this access must either have an Elastic IP associated with it or route traffic through a NAT instance. Additionally, network routes are configured (see above) to direct traffic to the Internet gateway. AWS provides reference NAT AMIs that you can extend to perform network logging, deep packet inspection, application-layer filtering, or other security controls. This access can only be modified through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the Internet gateway, therefore enabling you to implement additional security through separation of duties. You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances.
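The security group and network ACL semantics described above (stateful, allow-only rules on the instance; stateless, ordered allow/deny rules on the subnet) are easy to get wrong in practice. The following Python model is an added example, not AWS code, that evaluates constructed packets against both controls in the order a subnet applies them and shows the classic mistake: a network ACL that permits outbound TCP 443 but not the ephemeral port range, so the instance's reply to an allowed HTTPS request is dropped by the ACL even though the stateful security group lets it through. It also shows an ordered deny entry taking effect before a broader allow, and the security group rejecting an unsolicited SSH attempt that the ACL had admitted. All CIDRs, addresses and rule numbers are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

Verdict = Tuple[bool, str]


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards the instance) or "out" (from it)
    proto: str       # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int   # destination port range of the packet being checked
    port_to: int
    cidr: str        # remote side: source for inbound, destination for outbound

    def matches(self, pkt: Packet) -> bool:
        peer = pkt.src if pkt.direction == "in" else pkt.dst
        return ((self.proto == "-1" or self.proto == pkt.proto)
                and self.port_from <= pkt.dport <= self.port_to
                and ip_address(peer) in ip_network(self.cidr))


@dataclass(frozen=True)
class NaclEntry:
    number: int
    direction: str
    rule: Rule
    action: str      # "allow" or "deny"; only NACLs can deny explicitly


class NetworkAcl:
    """Stateless and ordered: entries are tried in ascending number, the first
    match decides, and no match falls through to the implicit '*' deny."""

    def __init__(self, entries: List[NaclEntry]):
        self.entries = sorted(entries, key=lambda e: e.number)

    def decide(self, pkt: Packet) -> Verdict:
        for e in self.entries:
            if e.direction == pkt.direction and e.rule.matches(pkt):
                return e.action == "allow", f"nacl rule {e.number} {e.action}"
        return False, "nacl implicit deny (*)"


class SecurityGroup:
    """Stateful and allow-only: a packet passes if a rule for its direction
    matches, or if it is the reply to a flow that was already admitted."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound
        self._flows: Set[tuple] = set()   # admitted 5-tuples (connection tracking)

    def decide(self, pkt: Packet) -> Verdict:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return True, "sg tracked reply"
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(r.matches(pkt) for r in rules):
            self._flows.add(flow)
            return True, "sg rule"
        return False, "sg implicit deny"


def admit(nacl: NetworkAcl, sg: SecurityGroup, pkt: Packet) -> Verdict:
    """Inbound traffic meets the subnet's NACL first, then the instance's
    security group; outbound traffic is checked in the opposite order."""
    checks = [nacl.decide, sg.decide] if pkt.direction == "in" else [sg.decide, nacl.decide]
    for check in checks:
        ok, why = check(pkt)
        if not ok:
            return False, why
    return True, "allowed"


ANY = "0.0.0.0/0"
BLOCK_BAD_RANGE = NaclEntry(90, "in", Rule("-1", 0, 65535, "192.0.2.0/24"), "deny")
ALL_IN = NaclEntry(100, "in", Rule("-1", 0, 65535, ANY), "allow")
HTTPS_OUT = NaclEntry(100, "out", Rule("tcp", 443, 443, ANY), "allow")
EPHEMERAL_OUT = NaclEntry(110, "out", Rule("tcp", 1024, 65535, ANY), "allow")


def scenario(nacl_entries: List[NaclEntry]):
    """A client hits the web tier on 443 and the instance replies; the same
    client then tries SSH; a host in the blocked range tries 443. Returns
    the four verdicts in that order."""
    nacl = NetworkAcl(nacl_entries)
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)],
                       outbound=[Rule("-1", 0, 65535, ANY)])
    request = Packet("in", "tcp", "203.0.113.7", 51000, "10.0.1.25", 443)
    reply = Packet("out", "tcp", "10.0.1.25", 443, "203.0.113.7", 51000)
    ssh = Packet("in", "tcp", "203.0.113.7", 51001, "10.0.1.25", 22)
    bad = Packet("in", "tcp", "192.0.2.44", 51002, "10.0.1.25", 443)
    return tuple(admit(nacl, sg, p) for p in (request, reply, ssh, bad))


if __name__ == "__main__":
    print(scenario([BLOCK_BAD_RANGE, ALL_IN, HTTPS_OUT]))                 # reply dropped by the NACL
    print(scenario([BLOCK_BAD_RANGE, ALL_IN, HTTPS_OUT, EPHEMERAL_OUT]))  # reply allowed
```

The first run shows the reply failing with "nacl implicit deny (*)" while the security group had already recorded the flow; adding the ephemeral-port entry is what a stateless filter needs to let the response out.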
Dedicated Instances: Within a VPC, you can launch Amazon EC2 instances that are physically isolated at the host hardware level (i.e., they will run on single-tenant hardware). An Amazon VPC can be created with "dedicated" tenancy, so that all instances launched into the Amazon VPC use this feature. Alternatively, an Amazon VPC may be created with "default" tenancy, but you can specify dedicated tenancy for particular instances launched into it.

Elastic Network Interfaces: Each Amazon EC2 instance has a default network interface that is assigned a private IP address on your Amazon VPC network. You can create and attach an additional network interface, known as an elastic network interface, to any Amazon EC2 instance in your Amazon VPC for a total of two network interfaces per instance. Attaching more than one network interface to an instance is useful when you want to create a management network, use network and security appliances in your Amazon VPC, or create dual-homed instances with workloads/roles on distinct subnets. A network interface's attributes, including the private IP address, Elastic IP addresses, and MAC address, follow the network interface as it is attached or detached from an instance and reattached to another instance. For more information about Amazon VPC, see Amazon Virtual Private Cloud.

Additional Network Access Control with EC2-VPC

If you launch instances in a Region where you did not have instances before AWS launched the new EC2-VPC feature (also called Default VPC), all instances are automatically provisioned in a ready-to-use default VPC. You can choose to create additional VPCs, or you can create VPCs for instances in regions where you already had instances before we launched EC2-VPC. If you create a VPC later, using regular VPC, you specify a CIDR block, create subnets, enter the routing and security for those subnets, and provision an Internet gateway or NAT instance if you want one of your subnets to be able to reach the Internet.
When you launch EC2 instances into an EC2-VPC, most of this work is automatically performed for you. When you launch an instance into a default VPC using EC2-VPC, we do the following to set it up for you:

❑ Create a default subnet in each Availability Zone
❑ Create an Internet gateway and connect it to your default VPC
❑ Create a main route table for your default VPC with a rule that sends all traffic destined for the Internet to the Internet gateway
❑ Create a default security group and associate it with your default VPC
❑ Create a default network access control list (ACL) and associate it with your default VPC
❑ Associate the default DHCP options set for your AWS account with your default VPC

In addition to the default VPC having its own private IP range, EC2 instances launched in a default VPC can also receive a public IP. The following table summarizes the differences between instances launched into EC2-Classic, instances launched into a default VPC, and instances launched into a non-default VPC.

Table 2: Differences between different EC2 instances

Public IP address
  EC2-Classic: Your instance receives a public IP address.
  EC2-VPC (default VPC): Your instance launched in a default subnet receives a public IP address by default, unless you specify otherwise during launch.
  Regular VPC: Your instance does not receive a public IP address by default, unless you specify otherwise during launch.

Private IP address
  EC2-Classic: Your instance receives a private IP address from the EC2-Classic range each time it is started.
  EC2-VPC (default VPC): Your instance receives a static private IP address from the address range of your default VPC.
  Regular VPC: Your instance receives a static private IP address from the address range of your VPC.

Multiple private IP addresses
  EC2-Classic: We select a single IP address for your instance. Multiple IP addresses are not supported.
  EC2-VPC (default VPC): You can assign multiple private IP addresses to your instance.
  Regular VPC: You can assign multiple private IP addresses to your instance.
Elastic IP address
  EC2-Classic: An EIP is disassociated from your instance when you stop it.
  EC2-VPC (default VPC): An EIP remains associated with your instance when you stop it.
  Regular VPC: An EIP remains associated with your instance when you stop it.

DNS hostnames
  EC2-Classic: DNS hostnames are enabled by default.
  EC2-VPC (default VPC): DNS hostnames are enabled by default.
  Regular VPC: DNS hostnames are disabled by default.

Security group
  EC2-Classic: A security group can reference security groups that belong to other AWS accounts.
  EC2-VPC (default VPC): A security group can reference security groups for your VPC only.
  Regular VPC: A security group can reference security groups for your VPC only.

Security group association
  EC2-Classic: You must terminate your instance to change its security group.
  EC2-VPC (default VPC): You can change the security group of your running instance.
  Regular VPC: You can change the security group of your running instance.

Security group rules
  EC2-Classic: You can add rules for inbound traffic only.
  EC2-VPC (default VPC): You can add rules for inbound and outbound traffic.
  Regular VPC: You can add rules for inbound and outbound traffic.

Tenancy
  EC2-Classic: Your instance runs on shared hardware; you cannot run an instance on single-tenant hardware.
  EC2-VPC (default VPC): You can run your instance on shared hardware or single-tenant hardware.
  Regular VPC: You can run your instance on shared hardware or single-tenant hardware.

Note: Security groups for instances in EC2-Classic are slightly different than security groups for instances in EC2-VPC. For example, you can add rules for inbound traffic for EC2-Classic, but you can add rules for both inbound and outbound traffic to EC2-VPC. In EC2-Classic, you can't change the security groups assigned to an instance after launch, whereas in EC2-VPC, you can change security groups assigned to an instance after launch. You can't use the security groups that you've created for use with EC2-Classic with instances in your VPC.
You must create security groups specifically for use with instances in your VPC. The rules you create for use with a security group for a VPC can't reference a security group for EC2-Classic, and vice versa.

Amazon Route 53 Security

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service that answers DNS queries, translating domain names into IP addresses so computers can communicate with each other. Route 53 can be used to connect user requests to infrastructure running in AWS, such as an Amazon EC2 instance or an Amazon S3 bucket, or to infrastructure outside of AWS.

Amazon Route 53 lets you manage the IP addresses (records) listed for your domain names and it answers requests (queries) to translate specific domain names into their corresponding IP addresses. Queries for your domain are automatically routed to a nearby DNS server using anycast in order to provide the lowest latency possible. Route 53 makes it possible for you to manage traffic globally through a variety of routing types, including Latency Based Routing (LBR), Geo DNS, and Weighted Round-Robin (WRR), all of which can be combined with DNS Failover in order to help create a variety of low-latency, fault-tolerant architectures. The failover algorithms implemented by Amazon Route 53 are designed not only to route traffic to endpoints that are healthy, but also to help avoid making disaster scenarios worse due to misconfigured health checks and applications, endpoint overloads, and partition failures.

Route 53 also offers Domain Name Registration: you can purchase and manage domain names such as example.com and Route 53 will automatically configure default DNS settings for your domains. You can buy, manage, and transfer (both in and out) domains from a wide selection of generic and country-specific top-level domains (TLDs). During the registration process, you have the option to enable privacy protection for your domain.
This option will hide most of your personal information from the public Whois database in order to help thwart scraping and spamming.

Amazon Route 53 is built using AWS's highly available and reliable infrastructure. The distributed nature of the AWS DNS servers helps ensure a consistent ability to route your end users to your application. Route 53 also helps ensure the availability of your website by providing health checks and DNS failover capabilities. You can easily configure Route 53 to check the health of your website on a regular basis (even secure web sites that are available only over SSL), and to switch to a backup site if the primary one is unresponsive.

Like all AWS Services, Amazon Route 53 requires that every request made to its control API be authenticated so only authenticated users can access and manage Route 53. API requests are signed with an HMAC-SHA1 or HMAC-SHA256 signature calculated from the request and the user's AWS Secret Access Key. Additionally, the Amazon Route 53 control API is only accessible via SSL-encrypted endpoints. It supports both IPv4 and IPv6 routing.

You can control access to Amazon Route 53 DNS management functions by creating users under your AWS Account using AWS IAM, and controlling which Route 53 operations these users have permission to perform.

Amazon CloudFront Security

Amazon CloudFront gives customers an easy way to distribute content to end users with low latency and high data transfer speeds. It delivers dynamic, static, and streaming content using a global network of edge locations. Requests for customers' objects are automatically routed to the nearest edge location, so content is delivered with the best possible performance. Amazon CloudFront is optimized to work with other AWS services, like Amazon S3, Amazon EC2, Elastic Load Balancing, and Amazon Route 53.
It also works seamlessly with any non-AWS origin server that stores the original, definitive versions of your files.

Amazon CloudFront requires every request made to its control API be authenticated so only authorized users can create, modify, or delete their own Amazon CloudFront distributions. Requests are signed with an HMAC-SHA1 signature calculated from the request and the user's secret access key. Additionally, the Amazon CloudFront control API is only accessible via SSL-enabled endpoints.

There is no guarantee of durability of data held in Amazon CloudFront edge locations. The service may from time to time remove objects from edge locations if those objects are not requested frequently. Durability is provided by Amazon S3, which works as the origin server for Amazon CloudFront holding the original, definitive copies of objects delivered by Amazon CloudFront.

If you want control over who is able to download content from Amazon CloudFront, you can enable the service's private content feature. This feature has two components: the first controls how content is delivered from the Amazon CloudFront edge location to viewers on the Internet. The second controls how the Amazon CloudFront edge locations access objects in Amazon S3. CloudFront also supports Geo Restriction, which restricts access to your content based on the geographic location of your viewers.

To control access to the original copies of your objects in Amazon S3, Amazon CloudFront allows you to create one or more "Origin Access Identities" and associate these with your distributions. When an Origin Access Identity is associated with an Amazon CloudFront distribution, the distribution will use that identity to retrieve objects from Amazon S3. You can then use Amazon S3's ACL feature, which limits access to that Origin Access Identity so the original copy of the object is not publicly readable.
To control who is able to download objects from Amazon CloudFront edge locations, the service uses a signed-URL verification system. To use this system, you first create a public-private key pair, and upload the public key to your account via the AWS Management Console. Second, you configure your Amazon CloudFront distribution to indicate which accounts you would authorize to sign requests; you can indicate up to five AWS Accounts you trust to sign requests. Third, as you receive requests you will create policy documents indicating the conditions under which you want Amazon CloudFront to serve your content. These policy documents can specify the name of the object that is requested, the date and time of the request, and the source IP (or CIDR range) of the client making the request. You then calculate the SHA1 hash of your policy document and sign this using your private key. Finally, you include both the encoded policy document and the signature as query string parameters when you reference your objects. When Amazon CloudFront receives a request, it verifies the signature using your public key. Amazon CloudFront only serves requests that have a valid policy document and matching signature.

Note: Private content is an optional feature that must be enabled when you set up your CloudFront distribution. Content delivered without this feature enabled will be publicly readable.

Amazon CloudFront provides the option to transfer content over an encrypted connection (HTTPS). By default, CloudFront accepts requests over both HTTP and HTTPS protocols. However, you can also configure CloudFront to require HTTPS for all requests or have CloudFront redirect HTTP requests to HTTPS. You can even configure CloudFront distributions to allow HTTP for some objects but require HTTPS for other objects.
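To make the signed-URL mechanism described above concrete, here is an added Python example (not CloudFront's own code) that builds a custom policy document, encodes it with the character substitutions CloudFront uses so the value survives in a query string, attaches the Policy, Signature and Key-Pair-Id parameters, and then checks a request the way the edge must: signature first, then the policy's resource, time window and client IP conditions. To keep the block self-contained the RSA key pair is replaced by a hypothetical HMAC-SHA1 sign/verify pair (demo_keypair); CloudFront itself accepts only an RSA signature made with the private half of an uploaded key pair, which with the cryptography package is private_key.sign(policy, padding.PKCS1v15(), hashes.SHA1()). The distribution name d111111abcdef8.cloudfront.net, the key pair ID APKAEXAMPLE and all addresses are constructed.

```python
import base64
import hashlib
import hmac
import json
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit, urlunsplit


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's query-string-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def cloudfront_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))


def build_policy(resource, expires_epoch, source_cidr=None, not_before_epoch=None) -> bytes:
    """Custom policy: the resource (may contain '*'), an expiry, an optional
    client CIDR and an optional start time. The compact JSON is what is signed."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_cidr:
        cond["IpAddress"] = {"AWS:SourceIp": source_cidr}
    if not_before_epoch is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before_epoch}
    doc = {"Statement": [{"Resource": resource, "Condition": cond}]}
    return json.dumps(doc, separators=(",", ":")).encode("ascii")


def sign_url(url: str, policy: bytes, key_pair_id: str, sign) -> str:
    """Append Policy, Signature and Key-Pair-Id. `sign` returns the signature
    of the policy bytes made with the trusted key pair's private key."""
    parts = urlsplit(url)
    extra = (f"Policy={cloudfront_b64(policy)}&Signature={cloudfront_b64(sign(policy))}"
             f"&Key-Pair-Id={key_pair_id}")
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit(parts._replace(query=query))


def check_request(signed_url: str, client_ip: str, now_epoch: int, verify):
    """The edge's side: decode the policy, verify its signature with the public
    key, then enforce every condition in the policy against this request."""
    parts = urlsplit(signed_url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        policy = cloudfront_b64decode(params["Policy"])
        signature = cloudfront_b64decode(params["Signature"])
    except (KeyError, ValueError):
        return False, "missing or malformed Policy/Signature"
    if not verify(policy, signature):
        return False, "bad signature"          # tampered policy or wrong key pair
    stmt = json.loads(policy)["Statement"][0]
    requested = urlunsplit(parts._replace(query="", fragment=""))
    if not fnmatchcase(requested, stmt["Resource"]):
        return False, "resource not covered by policy"
    cond = stmt["Condition"]
    if now_epoch >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False, "expired"
    if "DateGreaterThan" in cond and now_epoch < cond["DateGreaterThan"]["AWS:EpochTime"]:
        return False, "not yet valid"
    if "IpAddress" in cond and ip_address(client_ip) not in ip_network(cond["IpAddress"]["AWS:SourceIp"]):
        return False, "client IP outside allowed range"
    return True, "ok"


def demo_keypair(secret: bytes):
    """Hypothetical stand-in for the RSA key pair so the block runs offline:
    HMAC-SHA1 under a shared secret plays the sign/verify roles."""
    def sign(msg: bytes) -> bytes:
        return hmac.new(secret, msg, hashlib.sha1).digest()

    def verify(msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sign(msg), sig)
    return sign, verify


def demo(now: int = 1_700_000_000):
    sign, verify = demo_keypair(b"constructed-demo-secret")
    resource = "https://d111111abcdef8.cloudfront.net/private/*"
    policy = build_policy(resource, now + 600, source_cidr="203.0.113.0/24")
    base = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
    url = sign_url(base, policy, "APKAEXAMPLE", sign)
    # An attacker extends the expiry but can only reuse the old signature.
    forged = sign_url(base, build_policy(resource, now + 10**6, "203.0.113.0/24"),
                      "APKAEXAMPLE", lambda _m: sign(policy))
    return {
        "in_range": check_request(url, "203.0.113.7", now, verify),
        "expired": check_request(url, "203.0.113.7", now + 601, verify),
        "wrong_ip": check_request(url, "198.51.100.9", now, verify),
        "forged_policy": check_request(forged, "203.0.113.7", now, verify),
        "other_object": check_request(url.replace("/private/report.pdf", "/public/index.html"),
                                      "203.0.113.7", now, verify),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The signature check deliberately comes before any condition is read: a policy that fails verification is attacker-controlled input, and nothing in it should influence the decision.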
[Figure 6: Amazon CloudFront encrypted transmission. Diagram of the viewer-to-CloudFront and CloudFront-to-Amazon S3 connections over HTTPS and HTTP.]

You can configure one or more CloudFront origins to require CloudFront to fetch objects from your origin using the protocol that the viewer used to request the objects. For example, when you use this CloudFront setting and the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin.

Amazon CloudFront uses the SSLv3 or TLSv1 protocols and a selection of cipher suites that includes the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol on connections to both viewers and the origin. ECDHE allows SSL/TLS clients to provide Perfect Forward Secrecy, which uses session keys that are ephemeral and not stored anywhere. This helps prevent the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised.

Note: If you're using your own server as your origin, and you want to use HTTPS both between viewers and CloudFront and between CloudFront and your origin, you must install a valid SSL certificate on the HTTP server that is signed by a third-party certificate authority, for example, VeriSign or DigiCert.

By default, you can deliver content to viewers over HTTPS by using your CloudFront distribution domain name in your URLs; for example, https://dxxxxx.cloudfront.net/image.jpg. If you want to deliver your content over HTTPS using your own domain name and your own SSL certificate, you can use SNI Custom SSL or Dedicated IP Custom SSL. With Server Name Indication (SNI) Custom SSL, CloudFront relies on the SNI extension of the TLS protocol, which is supported by most modern web browsers. However, some users may not be able to access your content because some older browsers do not support SNI. (For a list of supported browsers, visit CloudFront FAQs.)
With Dedicated IP Custom SSL, CloudFront dedicates IP addresses to your SSL certificate at each CloudFront edge location so that CloudFront can associate the incoming requests with the proper SSL certificate.

Amazon CloudFront access logs contain a comprehensive set of information about requests for content, including the object requested, the date and time of the request, the edge location serving the request, the client IP address, the referrer, and the user agent. To enable access logs, just specify the name of the Amazon S3 bucket to store the logs in when you configure your Amazon CloudFront distribution.

AWS Direct Connect Security

With AWS Direct Connect, you can provision a direct link between your internal network and an AWS region using a high-throughput, dedicated connection. Doing this may help reduce your network costs, improve throughput, or provide a more consistent network experience. With this dedicated connection in place, you can then create virtual interfaces directly to the AWS Cloud (for example, to Amazon EC2 and Amazon S3) and Amazon VPC. With Direct Connect, you bypass Internet service providers in your network path. You can procure rack space within the facility housing the AWS Direct Connect location and deploy your equipment nearby. Once deployed, you can connect this equipment to AWS Direct Connect using a cross-connect. Each AWS Direct Connect location enables connectivity to the geographically nearest AWS region as well as access to other US regions. For example, you can provision a single connection to any AWS Direct Connect location in the US and use it to access public AWS services in all US Regions and AWS GovCloud (US). Using industry standard 802.1q VLANs, the dedicated connection can be partitioned into multiple virtual interfaces.
This allows you to use the same connection to access public resources such as objects stored in Amazon S3 using public IP address space, and private resources such as Amazon EC2 instances running within an Amazon VPC using private IP space, while maintaining network separation between the public and private environments.

AWS Direct Connect requires the use of the Border Gateway Protocol (BGP) with an Autonomous System Number (ASN). To create a virtual interface, you use an MD5 cryptographic key for message authentication: BGP's TCP MD5 option computes a keyed hash over each segment using your secret key, so a peer without the key cannot inject or alter routing messages. This authenticates the BGP session; it does not encrypt the traffic carried over the connection. You can have AWS automatically generate a BGP MD5 key or you can provide your own.

Storage Services

Amazon Web Services provides low-cost data storage with high durability and availability. AWS offers storage choices for backup, archiving, and disaster recovery, as well as block and object storage.

Amazon Simple Storage Service (Amazon S3) Security

Amazon Simple Storage Service (Amazon S3) allows you to upload and retrieve data at any time, from anywhere on the web. Amazon S3 stores data as objects within buckets. An object can be any kind of file: a text file, a photo, a video, etc. When you add a file to Amazon S3, you have the option of including metadata with the file and setting permissions to control access to the file. For each bucket, you can control access to the bucket (who can create, delete, and list objects in the bucket), view access logs for the bucket and its objects, and choose the geographical region where Amazon S3 will store the bucket and its contents.

Data Access

Access to data stored in Amazon S3 is restricted by default; only bucket and object owners have access to the Amazon S3 resources they create (note that a bucket/object owner is the AWS Account owner, not the user who created the bucket/object).
There are multiple ways to control access to buckets and objects:

❑ Identity and Access Management (IAM) Policies. AWS IAM enables organizations with many employees to create and manage multiple users under a single AWS Account. IAM policies are attached to the users, enabling centralized control of permissions for users under your AWS Account to access buckets or objects. With IAM policies, you can only grant users within your own AWS account permission to access your Amazon S3 resources.
❑ Access Control Lists (ACLs). Within Amazon S3, you can use ACLs to give read or write access on buckets or objects to groups of users. With ACLs, you can only grant other AWS accounts (not specific users) access to your Amazon S3 resources.
❑ Bucket Policies. Bucket policies in Amazon S3 can be used to add or deny permissions across some or all of the objects within a single bucket. Policies can be attached to users, groups, or Amazon S3 buckets, enabling centralized management of permissions. With bucket policies, you can grant users within your AWS Account or other AWS Accounts access to your Amazon S3 resources.

Table 3: Types of access control

Type of Access Control    AWS Account Level Control    User Level Control
IAM Policies              No                           Yes
ACLs                      Yes                          No
Bucket Policies           Yes                          Yes

You can further restrict access to specific resources based on certain conditions. For example, you can restrict access based on request time (Date Condition), whether the request was sent using SSL (Boolean Conditions), the requester's IP address (IP Address Condition), or the requester's client application (String Conditions). To identify these conditions, you use policy keys. For more information about action-specific policy keys available within Amazon S3, see the Amazon Simple Storage Service Developer Guide.
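The condition keys just listed do their most useful work in a bucket policy, where an explicit Deny enforces a rule no matter what other grants exist. The following Python example is added here and is neither the whitepaper's nor AWS's code: it holds a constructed bucket policy for arn:aws:s3:::example-bucket that allows reads and uploads from a corporate CIDR over SSL until a cut-off date, denies any request sent over plain HTTP, and denies uploads that do not carry the server-side-encryption header set to AES256, then evaluates sample requests against it with the ordering S3 applies (an explicit Deny beats any Allow; no matching statement is an implicit deny). The evaluator simplifies IAM semantics in one stated way: a condition key missing from the request makes every operator false except Null, which exists to test presence, and that is why the policy carries both a StringNotEquals and a Null statement for the encryption header. The bucket name, the CIDR 203.0.113.0/24 and every request context are constructed.

```python
from datetime import datetime
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Constructed bucket policy: reads and uploads only from a corporate CIDR over
# TLS until a cut-off date, and uploads only when written with SSE (AES-256).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCorpNet", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                       "DateLessThan": {"aws:CurrentTime": "2025-12-31T23:59:59Z"}}},
        {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyUploadsWithoutSSEHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def _condition_true(operator, key, wanted, ctx):
    """One condition-key test against the request context. Simplification
    (assumption): a key absent from the context makes every operator false
    except Null, which tests presence."""
    present = key in ctx
    if operator == "Null":
        return present == (wanted[0] == "false")
    if not present:
        return False
    actual = ctx[key]
    if operator == "StringEquals":
        return actual in wanted
    if operator == "StringNotEquals":
        return actual not in wanted
    if operator == "StringLike":
        return any(fnmatchcase(actual, w) for w in wanted)
    if operator == "Bool":
        return actual.lower() == wanted[0].lower()
    if operator == "IpAddress":
        return any(ip_address(actual) in ip_network(w) for w in wanted)
    if operator == "NotIpAddress":
        return not any(ip_address(actual) in ip_network(w) for w in wanted)
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(wanted[0])
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(wanted[0])
    raise ValueError(f"unsupported operator {operator}")


def _statement_applies(stmt, action, resource, ctx):
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        for key, wanted in tests.items():
            if not _condition_true(operator, key, _as_list(wanted), ctx):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return (decision, sid). An explicit Deny wins over any Allow; with no
    matching statement the request is implicitly denied."""
    allowed_by = None
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt["Sid"]
        allowed_by = allowed_by or stmt["Sid"]
    return ("Allow", allowed_by) if allowed_by else ("Deny", "implicit")


def corp_request(action, **overrides):
    """Request context for the constructed corporate client; pass condition
    keys as overrides, e.g. **{"aws:SecureTransport": "false"}."""
    ctx = {"aws:SourceIp": "203.0.113.5", "aws:SecureTransport": "true",
           "aws:CurrentTime": "2024-06-01T12:00:00Z"}
    ctx.update(overrides)
    return evaluate(BUCKET_POLICY, action, "arn:aws:s3:::example-bucket/report.pdf", ctx)


if __name__ == "__main__":
    print(corp_request("s3:GetObject"))
    print(corp_request("s3:GetObject", **{"aws:SecureTransport": "false"}))
    print(corp_request("s3:PutObject", **{"s3:x-amz-server-side-encryption": "AES256"}))
    print(corp_request("s3:PutObject"))
```

Try removing the DenyUploadsWithoutSSEHeader statement and re-running: an upload with no encryption header is then allowed, because StringNotEquals never fires on a key that is absent.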
Amazon S3 also gives developers the option to use query string authentication, which allows them to share Amazon S3 objects through URLs that are valid for a predefined period of time. Query string authentication is useful for giving HTTP or browser access to resources that would normally require authentication. The signature in the query string, computed with the secret access key over the request and its expiry time, secures the request; anyone holding the URL can use it until it expires, so treat the URL itself as a credential.

Data Transfer

For maximum security, you can securely upload/download data to Amazon S3 via the SSL encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data is transferred securely both within AWS and to and from sources outside of AWS.

Data Storage

Amazon S3 provides multiple options for protecting data at rest. For customers who prefer to manage their own encryption, they can use a client encryption library like the Amazon S3 Encryption Client to encrypt data before uploading to Amazon S3. Alternatively, you can use Amazon S3 Server-Side Encryption (SSE) if you prefer to have Amazon S3 manage the encryption process for you. Data is encrypted with a key generated by AWS or with a key you supply, depending on your requirements. With Amazon S3 SSE, you can encrypt data on upload simply by adding an additional request header when writing the object. Decryption happens automatically when data is retrieved.

Note: Metadata, which you can include with your object, is not encrypted. Therefore, AWS recommends that customers not place sensitive information in Amazon S3 metadata.

Amazon S3 SSE uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256). With Amazon S3 SSE, every protected object is encrypted with a unique encryption key. This object key itself is then encrypted with a regularly rotated master key.
Amazon S3 SSE provides additional security by storing the encrypted data and the encryption keys on different hosts. Amazon S3 SSE also makes it possible for you to enforce encryption requirements. For example, you can create and apply bucket policies that require that only encrypted data can be uploaded to your buckets.

For long-term storage, you can automatically archive the contents of your Amazon S3 buckets to Amazon S3 Glacier. You can have data transferred at specific intervals to Amazon S3 Glacier by creating lifecycle rules in Amazon S3 that describe which objects you want to be archived to Amazon S3 Glacier and when. As part of your data management strategy, you can also specify how long Amazon S3 should wait after the objects are put into Amazon S3 to delete them.

When an object is deleted from Amazon S3, removal of the mapping from the public name to the object starts immediately, and is generally processed across the distributed system within several seconds. Once the mapping is removed, there is no remote access to the deleted object. The underlying storage area is then reclaimed for use by the system.

Data Durability and Reliability

Amazon S3 is designed to provide 99.999999999% durability and 99.99% availability of objects over a given year. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 region. To help provide durability, Amazon S3 PUT and COPY operations synchronously store customer data across multiple facilities before returning SUCCESS. Once stored, Amazon S3 helps maintain the durability of the objects by quickly detecting and repairing any lost redundancy. Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.
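Added example, not part of the paper: a small evaluator for the policy conditions described in the access-control section (Boolean, IP address, date and string conditions) together with the "only encrypted uploads" bucket policy mentioned above. The bucket, account and role ARNs are assumed. The policy relies on explicit Deny statements because, in IAM evaluation, a Deny wins over any Allow; the encryption rule uses the Null operator, which is how "the request did not carry the x-amz-server-side-encryption header" is expressed.

```python
import datetime as dt
import fnmatch
import ipaddress

# Constructed bucket policy for an assumed bucket, account and role (not from the paper).
BUCKET = "arn:aws:s3:::example-bucket/*"
POLICY = {"Statement": [
    {"Sid": "AllowAppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyOutsideCorpRange", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET,
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET,
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyBeforeGoLive", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET,
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2020-06-01T00:00:00Z"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    return dt.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def _condition_holds(operator, key, expected, ctx):
    """One condition key: true if the request context satisfies it (listed values are ORed)."""
    actual = ctx.get(key)
    if operator == "Null":  # "true" means: holds when the key is absent from the request
        return (actual is None) == (str(expected).lower() == "true")
    if actual is None:      # every other operator fails on a missing key
        return False
    values = [str(v) for v in _as_list(expected)]
    if operator == "Bool":
        return str(actual).lower() in [v.lower() for v in values]
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual in values
        return hit if operator == "StringEquals" else not hit
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    if operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False)
                  for v in values)
        return hit if operator == "IpAddress" else not hit
    if operator in ("DateLessThan", "DateGreaterThan"):
        when = _parse_time(actual)
        if operator == "DateLessThan":
            return any(when < _parse_time(v) for v in values)
        return any(when > _parse_time(v) for v in values)
    raise ValueError(f"unsupported condition operator: {operator}")


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    return caller in _as_list(principal.get("AWS", []))


def evaluate(policy, caller, action, resource, ctx):
    """IAM evaluation order: implicit deny, an Allow can lift it, an explicit Deny always wins."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if not all(_condition_holds(op, key, value, ctx)
                   for op, block in conditions.items() for key, value in block.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Note the asymmetry of the Null operator: every other operator is false when the request lacks the key, which is why "require the header" must be written as a Deny on its absence rather than an Allow on its presence.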
In addition, Amazon S3 calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data.

Amazon S3 provides further protection via Versioning. You can use Versioning to preserve, retrieve, and restore every version of every object stored in an Amazon S3 bucket. With Versioning, you can easily recover from both unintended user actions and application failures. By default, requests will retrieve the most recently written version. Older versions of an object can be retrieved by specifying a version in the request. You can further protect versions using Amazon S3 Versioning's MFA Delete feature. Once enabled for an Amazon S3 bucket, each version deletion request must include the six-digit code and serial number from your multi-factor authentication device.

Access Logs

An Amazon S3 bucket can be configured to log access to the bucket and objects within it. The access log contains details about each access request including request type, the requested resource, the requester's IP address, and the time and date of the request. When logging is enabled for a bucket, log records are periodically aggregated into log files and delivered to the specified Amazon S3 bucket.

Cross-Origin Resource Sharing (CORS)

AWS customers who use Amazon S3 to host static web pages or store objects used by other web pages can load content securely by configuring an Amazon S3 bucket to explicitly enable cross-origin requests. Modern browsers enforce the same-origin policy, which prevents JavaScript or HTML5 on one site from reading content loaded from another site or domain, as a way to help ensure that malicious content is not pulled in from a less reputable source (such as during cross-site scripting attacks). With a Cross-Origin Resource Sharing (CORS) configuration in place, assets such as web fonts and images stored in an Amazon S3 bucket can be safely referenced by external web pages, style sheets, and HTML5 applications. List only the origins that actually need the assets in the configuration rather than allowing every origin.
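Delivered access logs are only useful if something reads them. The following added example (not from the paper) parses the space-delimited S3 server access log record format, whose bracketed timestamp and quoted request-URI and user-agent fields defeat a naive split, and applies a few review rules a security engineer would start with: anonymous requests that succeeded, requests signed with the deprecated SigV2 scheme, weak TLS versions, ACL and policy changes, and presigned-URL access. The four log records are constructed for the example; the owner, request and host IDs are placeholders.

```python
from datetime import datetime

# Field order of an Amazon S3 server access log record. Records written before the
# TLS/auth fields were added simply end after version_id.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referrer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
    "host_header", "tls_version", "access_point_arn", "acl_required",
]

# Constructed sample records (not real log data): an anonymous read that succeeded,
# an ACL change, an ordinary authenticated read, and a presigned-URL read over SigV2/TLS 1.1.
SAMPLE_LOG = [
    'owner1 example-bucket [25/May/2020:10:15:02 +0000] 198.51.100.7 - 7A3E1F00EXAMPLE '
    'REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 11 '
    '"-" "curl/7.68.0" - host1= - ECDHE-RSA-AES128-GCM-SHA256 - '
    'example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -',
    'owner1 example-bucket [25/May/2020:10:16:40 +0000] 203.0.113.10 '
    'arn:aws:iam::111122223333:user/alice 7A3E1F01EXAMPLE REST.PUT.ACL - '
    '"PUT /?acl HTTP/1.1" 200 - - - 31 30 "-" "aws-cli/1.18.0" - host2= SigV4 '
    'ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -',
    'owner1 example-bucket [25/May/2020:10:17:05 +0000] 203.0.113.11 '
    'arn:aws:sts::111122223333:assumed-role/app/i-0abc 7A3E1F02EXAMPLE REST.GET.OBJECT '
    'reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 9 8 "-" '
    '"Boto3/1.12.0 Python/3.8.2" - host3= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader '
    'example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -',
    'owner1 example-bucket [25/May/2020:10:18:51 +0000] 192.0.2.44 '
    'arn:aws:iam::111122223333:user/alice 7A3E1F03EXAMPLE REST.GET.OBJECT exports/all.zip '
    '"GET /exports/all.zip?AWSAccessKeyId=AKIAEXAMPLE&Expires=1590430000&Signature=abc HTTP/1.1" '
    '200 - 9000000 9000000 410 20 "-" "Mozilla/5.0" - host4= SigV2 '
    'ECDHE-RSA-AES128-SHA QueryString example-bucket.s3.us-east-1.amazonaws.com TLSv1.1 - -',
]


def tokenize(line):
    """Split on spaces but keep the [..] timestamp and "..." strings as single tokens."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
        elif line[i] == "[":
            end = line.index("]", i)
            tokens.append(line[i + 1:end])
            i = end + 1
        elif line[i] == '"':
            end = line.index('"', i + 1)
            tokens.append(line[i + 1:end])
            i = end + 1
        else:
            end = line.find(" ", i)
            end = n if end == -1 else end
            tokens.append(line[i:end])
            i = end
    return tokens


def parse_record(line):
    record = dict(zip(FIELDS, tokenize(line)))
    record["time"] = datetime.strptime(record["time"], "%d/%b/%Y:%H:%M:%S %z")
    record["http_status"] = int(record["http_status"])
    return record


PRIVILEGE_CHANGES = {"REST.PUT.ACL", "REST.PUT.BUCKETPOLICY", "REST.DELETE.BUCKETPOLICY",
                     "REST.PUT.PUBLICACCESSBLOCK", "REST.DELETE.PUBLICACCESSBLOCK"}


def review(lines):
    """Return (request_id, reason) findings a reviewer would want to see first."""
    findings = []
    for line in lines:
        r = parse_record(line)
        if r["requester"] == "-" and 200 <= r["http_status"] < 300:
            findings.append((r["request_id"], f"anonymous {r['operation']} succeeded on {r['key']}"))
        if r.get("signature_version") == "SigV2":
            findings.append((r["request_id"], "request signed with deprecated SigV2"))
        if r.get("tls_version", "").upper() in ("TLSV1", "TLSV1.1"):
            findings.append((r["request_id"], f"weak TLS version {r['tls_version']}"))
        if r["operation"] in PRIVILEGE_CHANGES:
            findings.append((r["request_id"], f"{r['operation']} by {r['requester']}"))
        if r.get("auth_type") == "QueryString":
            findings.append((r["request_id"], "presigned (query string) access to " + r["key"]))
    return findings
```

The anonymous-success rule is the one to wire to an alert: a "-" requester with a 2xx status is direct evidence that an ACL or bucket policy grants public access, which no amount of IAM tightening will fix.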
Amazon S3 Glacier Security

Like Amazon S3, the Amazon S3 Glacier service provides low-cost, secure, and durable storage. But where Amazon S3 is designed for rapid retrieval, Amazon S3 Glacier is meant to be used as an archival service for data that is not accessed often and for which retrieval times of several hours are suitable.

Amazon S3 Glacier stores files as archives within vaults. Archives can be any data such as a photo, video, or document, and can contain one or several files. You can store an unlimited number of archives in a single vault and can create up to 1,000 vaults per region. Each archive can contain up to 40 TB of data.

Data Upload

To transfer data into Amazon S3 Glacier vaults, you can upload an archive in a single upload operation or a multipart operation. In a single upload operation, you can upload archives up to 4 GB in size. However, customers can achieve better results using the Multipart Upload API to upload archives greater than 100 MB. Using the Multipart Upload API allows you to upload large archives, up to about 40,000 GB. The Multipart Upload API call is designed to improve the upload experience for larger archives; it enables the parts to be uploaded independently, in any order, and in parallel. If a multipart upload fails, you only need to upload the failed part again and not the entire archive.

When you upload data to Amazon S3 Glacier, you must compute and supply a tree hash. Amazon S3 Glacier checks the hash against the data to help ensure that it has not been altered en route. A tree hash is generated by computing a hash for each megabyte-sized segment of the data, and then combining the hashes in tree fashion to represent ever-growing adjacent segments of the data.
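The tree hash described above, as an added example that is not part of the paper: SHA-256 over each 1 MiB segment, then pairwise SHA-256 of adjacent hashes level by level, with an odd hash carried up unchanged. Because the leaves are fixed-size and part boundaries in a multipart upload fall on 1 MiB multiples, the hash of the whole archive can be assembled from the per-part leaf hashes, and the same routine checks a retrieved archive against the checksum returned with the retrieval job.

```python
import hashlib

MIB = 1024 * 1024  # Glacier hashes the archive in 1 MiB leaves


def leaf_hashes(data: bytes):
    """SHA-256 of each 1 MiB segment; the final segment may be shorter. Empty data has one leaf."""
    if not data:
        return [hashlib.sha256(b"").digest()]
    return [hashlib.sha256(data[i:i + MIB]).digest() for i in range(0, len(data), MIB)]


def tree_hash_from_leaves(leaves) -> bytes:
    """Combine adjacent hashes pairwise, level by level; an odd last hash is promoted unchanged."""
    level = list(leaves)
    while len(level) > 1:
        next_level = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                next_level.append(hashlib.sha256(level[i] + level[i + 1]).digest())
            else:
                next_level.append(level[i])
        level = next_level
    return level[0]


def tree_hash(data: bytes) -> str:
    """Hex value for the x-amz-sha256-tree-hash header of a single-part upload."""
    return tree_hash_from_leaves(leaf_hashes(data)).hex()


def multipart_tree_hash(parts) -> str:
    """Whole-archive tree hash from parts that are each a multiple of 1 MiB except the last,
    the shape the Multipart Upload API requires: leaves line up, so hashes combine across parts."""
    leaves = []
    for part in parts:
        if part:
            leaves.extend(leaf_hashes(part))
    return tree_hash_from_leaves(leaves).hex()


def verify_download(data: bytes, claimed: str) -> bool:
    """Compare the tree hash returned with a retrieval job to the bytes actually received."""
    return tree_hash(data) == claimed.lower()
```

Note that for data of one megabyte or less the tree hash is simply the SHA-256 of the data, and that the per-part hashes sent with each multipart part are not concatenated at the end: the final hash is recomputed from the leaf level, which is why parts must be aligned to 1 MiB.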
As an alternative to using the Multipart Upload feature, customers with very large uploads to Amazon S3 Glacier may consider using the AWS Snowball service instead to transfer the data. AWS Snowball facilitates moving large amounts of data into AWS using portable storage devices for transport. AWS transfers your data directly off of storage devices using Amazon's high-speed internal network, bypassing the Internet.

You can also set up Amazon S3 to transfer data at specific intervals to Amazon S3 Glacier. You can create lifecycle rules in Amazon S3 that describe which objects you want to be archived to Amazon S3 Glacier and when. You can also specify how long Amazon S3 should wait after the objects are put into Amazon S3 to delete them.

To achieve even greater security, you can securely upload/download data to Amazon S3 Glacier via the SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data is transferred securely both within AWS and to and from sources outside of AWS.

Data Retrieval

Retrieving archives from Amazon S3 Glacier requires the initiation of a retrieval job, which is generally completed in 3 to 5 hours. You can then access the data via HTTP GET requests. The data will remain available to you for 24 hours. You can retrieve an entire archive or several files from an archive. If you want to retrieve only a subset of an archive, you can use one retrieval request to specify the range of the archive that contains the files you are interested in, or you can initiate multiple retrieval requests, each with a range for one or more files. You can also limit the number of vault inventory items retrieved by filtering on an archive creation date range or by setting a maximum items limit.
Whichever method you choose, when you retrieve portions of your archive, you can use the supplied checksum to help ensure the integrity of the files, provided that the range that is retrieved is aligned with the tree hash of the overall archive.

Data Storage

Amazon S3 Glacier automatically encrypts the data using AES-256 and stores it durably in an immutable form. Amazon S3 Glacier is designed to provide average annual durability of 99.999999999% for an archive. It stores each archive in multiple facilities and on multiple devices. Unlike traditional systems, which can require laborious data verification and manual repair, Amazon S3 Glacier performs regular, systematic data integrity checks and is built to be automatically self-healing.

When an object is deleted from Amazon S3 Glacier, removal of the mapping from the public name to the object starts immediately, and is generally processed across the distributed system within several seconds. Once the mapping is removed, there is no remote access to the deleted object. The underlying storage area is then reclaimed for use by the system.

Data Access

Only your account can access your data in Amazon S3 Glacier. To control access to your data in Amazon S3 Glacier, you can use AWS IAM to specify which users within your account have rights to operations on a given vault.

AWS Storage Gateway Security

The AWS Storage Gateway service connects your on-premises software appliance with cloud-based storage to provide seamless and secure integration between your IT environment and the AWS storage infrastructure. The service enables you to securely upload data to AWS' scalable, reliable, and secure Amazon S3 storage service for cost-effective backup and rapid disaster recovery. AWS Storage Gateway transparently backs up data off-site to Amazon S3 in the form of Amazon EBS snapshots.
Amazon S3 redundantly stores these snapshots on multiple devices across multiple facilities, detecting and repairing any lost redundancy. The Amazon EBS snapshot provides a point-in-time backup that can be restored on-premises or used to instantiate new Amazon EBS volumes. Data is stored within a single region that you specify.

AWS Storage Gateway offers three options:

- Gateway-Stored Volumes (where the cloud is backup). In this option, your volume data is stored locally and then pushed to Amazon S3, where it is stored in redundant, encrypted form, and made available in the form of Amazon Elastic Block Store (Amazon EBS) snapshots. When you use this model, the on-premises storage is primary, delivering low-latency access to your entire dataset, and the cloud storage is the backup.

- Gateway-Cached Volumes (where the cloud is primary). In this option, your volume data is stored encrypted in Amazon S3, visible within your enterprise's network via an iSCSI interface. Recently accessed data is cached on-premises for low-latency local access. When you use this model, the cloud storage is primary, but you get low-latency access to your active working set in the cached volumes on premises.

- Gateway-Virtual Tape Library (VTL). In this option, you can configure a Gateway-VTL with up to 10 virtual tape drives per gateway, 1 media changer and up to 1500 virtual tape cartridges. Each virtual tape drive responds to the SCSI command set, so your existing on-premises backup applications (either disk-to-tape or disk-to-disk-to-tape) will work without modification.

No matter which option you choose, data is asynchronously transferred from your on-premises storage hardware to AWS over SSL. The data is stored encrypted in Amazon S3 using Advanced Encryption Standard (AES) 256, a symmetric-key encryption standard using 256-bit encryption keys. The AWS Storage Gateway only uploads data that has changed, minimizing the amount of data sent over the Internet.
The AWS Storage Gateway runs as a virtual machine (VM) that you deploy on a host in your data center running VMware ESXi Hypervisor v4.1 or v5 or Microsoft Hyper-V (you download the VMware software during the setup process). You can also run it within EC2 using a gateway AMI. During the installation and configuration process, you can create up to 12 stored volumes, 20 cached volumes, or 1500 virtual tape cartridges per gateway. Once installed, each gateway will automatically download, install, and deploy updates and patches. This activity takes place during a maintenance window that you can set on a per-gateway basis.

The iSCSI protocol supports authentication between targets and initiators via CHAP (Challenge-Handshake Authentication Protocol). CHAP protects against playback (replay) attacks and against disclosure of the shared secret on the wire: the target issues a fresh random challenge for each authentication and re-verifies the identity of the iSCSI initiator periodically while it has access to a storage volume target. CHAP does not encrypt the iSCSI data stream itself, so the gateway's iSCSI interface should be reachable only from the hosts that mount its volumes. To set up CHAP, you must configure it in both the AWS Storage Gateway console and in the iSCSI initiator software you use to connect to the target.

After you deploy the AWS Storage Gateway VM, you must activate the gateway using the AWS Storage Gateway console. The activation process associates your gateway with your AWS Account. Once you establish this connection, you can manage almost all aspects of your gateway from the console. In the activation process, you specify the IP address of your gateway, name your gateway, identify the AWS region in which you want your snapshot backups stored, and specify the gateway time zone.

AWS Snowball Security

AWS Snowball is a simple, secure method for physically transferring large amounts of data to Amazon S3, EBS, or Amazon S3 Glacier storage.
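The CHAP exchange iSCSI uses, as an added example (not from the paper or from the Storage Gateway code): RFC 1994 CHAP with MD5, where the response is MD5(identifier || secret || challenge). Both sides are shown, the target that issues one-shot random challenges and the initiator that answers them, so that the replay protection the text describes is visible: a captured response is useless against the next challenge and cannot be presented twice against the same one. The initiator name and secret are constructed for the example.

```python
import hashlib
import hmac
import secrets

# iSCSI uses CHAP as specified in RFC 1994 with MD5 (CHAP_A=5):
#   Response = MD5(Identifier || Secret || Challenge)
# Names and secrets in this example are constructed.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapTarget:
    """Target side (the storage volume). Issues a fresh random challenge per authentication and
    accepts each challenge at most once, which is what defeats playback of a captured response."""

    def __init__(self, secrets_by_initiator: dict):
        self._secrets = secrets_by_initiator   # initiator IQN -> shared secret
        self._pending = {}                     # session id -> (identifier, challenge)

    def challenge(self, session: str):
        identifier = secrets.randbelow(256)
        challenge = secrets.token_bytes(16)
        self._pending[session] = (identifier, challenge)
        return identifier, challenge

    def verify(self, session: str, initiator: str, response: bytes) -> bool:
        identifier, challenge = self._pending.pop(session, (None, None))
        secret = self._secrets.get(initiator)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def initiator_login(target: ChapTarget, initiator: str, secret: bytes, session: str) -> bool:
    """Initiator side: obtain the challenge for this session, answer it, learn the verdict.
    With one-way CHAP only the initiator proves its identity; the target is not authenticated."""
    identifier, challenge = target.challenge(session)
    return target.verify(session, initiator, chap_response(identifier, secret, challenge))
```

The protection is entirely in the challenge: an attacker who records a login sees only a hash over a value the target will never issue again. Periodic re-authentication, which the text mentions, is the target calling `challenge` again on an established session.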
This service is typically used by customers who have over 100 GB of data and/or slow connection speeds that would result in very slow transfer rates over the Internet. With AWS Snowball, you prepare a portable storage device that you ship to a secure AWS facility. AWS transfers the data directly off of your storage device using Amazon's high-speed internal network, thus bypassing the Internet. Conversely, data can also be exported from AWS to a portable storage device.

Like all other AWS services, the AWS Snowball service requires that you securely identify and authenticate your storage device. In this case, you will submit a job request to AWS that includes your Amazon S3 bucket, Amazon EBS region, AWS Access Key ID, and return shipping address. You then receive a unique identifier for the job, a digital signature for authenticating your device, and an AWS address to ship the storage device to. For Amazon S3, you place the signature file in the root directory of your device. For Amazon EBS, you tape the signature barcode to the exterior of the device. The signature file is used only for authentication and is not uploaded to Amazon S3 or EBS.

For transfers to Amazon S3, you specify the specific buckets to which the data should be loaded and ensure that the account doing the loading has write permission for the buckets. You should also specify the access control list to be applied to each object loaded to Amazon S3.

For transfers to EBS, you specify the target region for the EBS import operation. If the storage device is less than or equal to the maximum volume size of 1 TB, its contents are loaded directly into an Amazon EBS snapshot. If the storage device's capacity exceeds 1 TB, a device image is stored within the specified S3 log bucket. You can then create a RAID of Amazon EBS volumes using software such as Logical Volume Manager, and copy the image from S3 to this new volume.
For added protection, you can encrypt the data on your device before you ship it to AWS. For Amazon S3 data, you can use a PIN-code device with hardware encryption or TrueCrypt software to encrypt your data before sending it to AWS. For EBS and Amazon S3 Glacier data, you can use any encryption method you choose, including a PIN-code device. AWS will decrypt your Amazon S3 data before importing using the PIN code and/or TrueCrypt password you supply in your import manifest. AWS uses your PIN to access a PIN-code device, but does not decrypt software-encrypted data for import to Amazon EBS or Amazon S3 Glacier. The following table summarizes your encryption options for each type of import/export job.

Table 4: Encryption options for import/export jobs

Import to Amazon S3
  Source: Files on a device file system. Encrypt data using a PIN-code device and/or TrueCrypt before shipping the device.
  Target: Objects in an existing Amazon S3 bucket. AWS decrypts the data before performing the import.
  Result: One object for each file. AWS erases your device after every import job prior to shipping.

Export from Amazon S3
  Source: Objects in one or more Amazon S3 buckets. Provide a PIN code and/or password that AWS will use to encrypt your data.
  Target: Files on your storage device. AWS formats your device and copies your data to an encrypted file container on your device.
  Result: One file for each object. AWS encrypts your data prior to shipping; use the PIN-code device and/or TrueCrypt to decrypt the files.

Import to Amazon S3 Glacier
  Source: Entire device. Encrypt the data using the encryption method of your choice before shipping.
  Target: One archive in an existing Amazon S3 Glacier vault. AWS does not decrypt your device.
  Result: Device image stored as a single archive. AWS erases your device after every import job prior to shipping.

Import to Amazon EBS (Device Capacity < 1 TB)
  Source: Entire device. Encrypt the data using the encryption method of your choice before shipping.
  Target: One Amazon EBS snapshot. AWS does not decrypt your device.
  Result: Device image is stored as a single snapshot. If the device was encrypted, the image is encrypted. AWS erases your device after every import job prior to shipping.

Import to Amazon EBS (Device Capacity > 1 TB)
  Source: Entire device. Encrypt the data using the encryption method of your choice before shipping.
  Target: Multiple objects in an existing Amazon S3 bucket. AWS does not decrypt your device.
  Result: Device image chunked into a series of 1 TB snapshots stored as objects in the Amazon S3 bucket specified in the manifest file. If the device was encrypted, the image is encrypted. AWS erases your device after every import job prior to shipping.

After the import is complete, AWS Snowball will erase the contents of your storage device to safeguard the data during return shipment.
AWS overwrites all writable blocks on the storage device with zeroes. You will need to repartition and format the device after the wipe. If AWS is unable to erase the data on the device, it will be scheduled for destruction and the support team will contact you using the email address specified in the manifest file you ship with the device.

When shipping a device internationally, the customs option and certain required subfields are required in the manifest file sent to AWS. AWS Snowball uses these values to validate the inbound shipment and prepare the outbound customs paperwork. Two of these options are whether the data on the device is encrypted or not and the encryption software's classification. When shipping encrypted data to or from the United States, the encryption software must be classified as 5D992 under the United States Export Administration Regulations.

Amazon Elastic File System Security

Amazon Elastic File System (Amazon EFS) provides simple, scalable file storage for use with Amazon EC2 instances in the AWS Cloud. With Amazon EFS, storage capacity is elastic, growing and shrinking automatically as you add and remove files. Amazon EFS file systems are distributed across an unconstrained number of storage servers, enabling file systems to grow elastically to petabyte scale and allowing massively parallel access from Amazon EC2 instances to your data.

Data Access

With Amazon EFS, you can create a file system, mount the file system on an Amazon EC2 instance, and then read and write data to and from your file system. You can mount an Amazon EFS file system on EC2 instances in your VPC through the Network File System versions 4.0 and 4.1 (NFSv4) protocol. To access your Amazon EFS file system in a VPC, you create one or more mount targets in the VPC. A mount target provides an IP address for an NFSv4 endpoint.
You can then mount an Amazon EFS file system to this endpoint using its DNS name, which will resolve to the IP address of the EFS mount target in the same Availability Zone as your EC2 instance. You can create one mount target in each Availability Zone in a region. If there are multiple subnets in an Availability Zone in your VPC, you create a mount target in one of the subnets, and all EC2 instances in that Availability Zone share that mount target. You can also mount an EFS file system on a host in an on-premises datacenter using AWS Direct Connect.

When using Amazon EFS, you specify Amazon EC2 security groups for your EC2 instances and security groups for the EFS mount targets associated with the file system. Security groups act as a firewall, and the rules you add define the traffic flow. You can authorize inbound/outbound access to your EFS file system by adding rules that allow your EC2 instance to connect to your Amazon EFS file system via the mount target using the NFS port.

After mounting the file system via the mount target, you use it like any other POSIX-compliant file system. Files and directories in an EFS file system support standard Unix-style read/write/execute permissions based on the user and group ID asserted by the mounting NFSv4.1 client. Because those IDs are asserted by the client rather than verified by the service, any host that can reach a mount target and is root on its own side can present any user or group ID; the mount target security groups are therefore the boundary that matters, and the POSIX permissions only separate users on hosts you already trust. For information about NFS-level permissions and related considerations, see Working with Users, Groups, and Permissions at the Network File System (NFS) Level.

All Amazon EFS file systems are owned by an AWS Account. You can use IAM policies to grant permissions to other users so that they can perform administrative operations on your file systems, including deleting a file system or modifying mount target security groups. For more information about EFS permissions, see Overview of Managing Access Permissions to Your Amazon EFS Resources.

Data Durability and Reliability

Amazon EFS is designed to be highly durable and highly available.
All data and metadata is stored across multiple Availability Zones, and all service components are designed to be highly available. EFS provides strong consistency by synchronously replicating data across Availability Zones, with read-after-write semantics for most file operations. Amazon EFS incorporates checksums for all metadata and data throughout the service. Using a file system checking process (FSCK), EFS continuously validates a file system's metadata and data integrity.

Data Sanitization

Amazon EFS is designed so that when you delete data from a file system, that data will never be served again. If your procedures require that all data be wiped via a specific method, such as those detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"), we recommend that you conduct a specialized wipe procedure prior to deleting the file system.

Database Services

Amazon Web Services provides a number of database solutions for developers and businesses, from managed relational and NoSQL database services, to in-memory caching as a service and a petabyte-scale data warehouse service.

Amazon DynamoDB Security

Amazon DynamoDB is a managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables you to offload the administrative burdens of operating and scaling distributed databases to AWS, so you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling. You can create a database table that can store and retrieve any amount of data, and serve any level of request traffic. DynamoDB automatically spreads the data and traffic for the table over a sufficient number of servers to handle the request capacity you specified and the amount of data stored, while maintaining consistent, fast performance.
All data items are stored on Solid State Drives (SSDs) and are automatically replicated across multiple Availability Zones in a region to provide built-in high availability and data durability. You can set up automatic backups using a special template in AWS Data Pipeline that was created just for copying DynamoDB tables. You can choose full or incremental backups to a table in the same region or a different region. You can use the copy for disaster recovery (DR) in the event that an error in your code damages the original table, or to federate DynamoDB data across regions to support a multi-region application.

To control who can use the DynamoDB resources and API, you set up permissions in AWS IAM. In addition to controlling access at the resource level with IAM, you can also control access at the database level: you can create database-level permissions that allow or deny access to items (rows) and attributes (columns) based on the needs of your application. These database-level permissions are called fine-grained access controls, and you create them using an IAM policy that specifies under what circumstances a user or application can access a DynamoDB table. The IAM policy can restrict access to individual items in a table, access to the attributes in those items, or both at the same time.

Figure 7: Database-level permissions

You can optionally use web identity federation to control access by application users who are authenticated by Login with Amazon, Facebook, or Google. Web identity federation removes the need for creating individual IAM users; instead, users can sign in to an identity provider and then obtain temporary security credentials from AWS Security Token Service (AWS STS). AWS STS returns temporary AWS credentials to the application and allows it to access the specific DynamoDB table.
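Added example, not from the paper: how a fine-grained access control policy of the kind described above is evaluated for a federated user. The policy (constructed, with an assumed account, table and identity provider) limits a caller to items whose partition key equals their own provider user ID and to a fixed set of attributes. Two details matter for correctness and are shown: the policy variable is substituted from the caller's federated identity, and the ForAllValues set operator is vacuously true when the request lists no values, which is why a second condition on dynamodb:Select is needed to stop a caller from simply asking for all attributes.

```python
import re

# Constructed fine-grained access control policy (assumed account, table and provider; not the
# paper's own). The caller authenticated through web identity federation may only reach items
# whose partition key is their own provider user ID and only the listed attributes.
TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/GameScores"
POLICY = {
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
    "Resource": TABLE,
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
            "dynamodb:Attributes": ["UserId", "GameTitle", "Wins", "Losses"],
        },
        # ForAllValues is vacuously true when the request names no attributes, so a request
        # that asks for everything would slip through; this second condition closes that gap.
        "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
    },
}

_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def substitute(values, variables):
    """Resolve policy variables such as ${www.amazon.com:user_id} from the caller's identity."""
    return [_VARIABLE.sub(lambda m: variables.get(m.group(1), m.group(0)), v) for v in values]


def for_all_values_equals(requested, allowed) -> bool:
    """Set operator semantics: every requested value must be allowed; an empty request set passes."""
    return all(value in allowed for value in requested)


def authorize(policy, action, resource, request, variables) -> bool:
    """Decide one request. `request` holds the multi-valued context keys DynamoDB fills in:
    the partition keys touched and the attributes read or written, plus the Select mode."""
    if action not in policy["Action"] or resource != policy["Resource"]:
        return False
    conditions = policy["Condition"]
    for key, allowed in conditions["ForAllValues:StringEquals"].items():
        if not for_all_values_equals(request.get(key, []), substitute(allowed, variables)):
            return False
    for key, expected in conditions["StringEqualsIfExists"].items():
        if key in request and request[key] != expected:
            return False
    return True
```

A request that names only its own partition key and a subset of the listed attributes is allowed; any other user's key, any attribute outside the list, an action outside the list, or a request for all attributes is refused.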
In addition to requiring database and user permissions, each request to the DynamoDB service must contain a valid HMAC-SHA256 signature, or the request is rejected. The AWS SDKs automatically sign your requests; however, if you want to write your own HTTP POST requests, you must provide the signature in the header of your request to Amazon DynamoDB. You can sign with long-term access keys, but AWS recommends requesting temporary security credentials from the AWS Security Token Service and using those to sign your requests to Amazon DynamoDB. Amazon DynamoDB is accessible via TLS/SSL-encrypted endpoints.

Amazon Relational Database Service (Amazon RDS) Security

Amazon RDS allows you to quickly create a relational database (DB) instance and flexibly scale the associated compute resources and storage capacity to meet application demand. Amazon RDS manages the database instance on your behalf by performing backups, handling failover, and maintaining the database software. Currently, Amazon RDS is available for MySQL, Oracle, Microsoft SQL Server, and PostgreSQL database engines.

Amazon RDS has multiple features that enhance reliability for critical production databases, including DB security groups, permissions, SSL connections, automated backups, DB snapshots, and Multi-AZ deployments. DB instances can also be deployed in an Amazon VPC for additional network isolation.

Access Control

When you first create a DB Instance within Amazon RDS, you will create a master user account, which is used only within the context of Amazon RDS to control access to your DB Instance(s). The master user account is a native database user account that allows you to log on to your DB Instance with all database privileges. You can specify the master user name and password you want associated with each DB Instance when you create the DB Instance.
Once you have created your DB Instance, you can connect to the database using the master user credentials. Subsequently, you can create additional user accounts so that you can restrict who can access your DB Instance; the master account should be reserved for administration rather than used by applications.

You can control Amazon RDS DB Instance access via DB Security Groups, which are similar to Amazon EC2 Security Groups but not interchangeable. DB Security Groups act like a firewall controlling network access to your DB Instance. DB Security Groups default to a "deny all" access mode and customers must specifically authorize network ingress. There are two ways of doing this: authorizing a network IP range or authorizing an existing Amazon EC2 Security Group. DB Security Groups only allow access to the database server port (all others are blocked) and can be updated without restarting the Amazon RDS DB Instance, which allows a customer seamless control of their database access.

Using AWS IAM, you can further control access to your RDS DB instances. AWS IAM enables you to control what RDS operations each individual AWS IAM user has permission to call.

Network Isolation

For additional network access control, you can run your DB Instances in an Amazon VPC. Amazon VPC enables you to isolate your DB Instances by specifying the IP range you wish to use, and connect to your existing IT infrastructure through an industry-standard encrypted IPsec VPN. Running Amazon RDS in a VPC enables you to have a DB instance within a private subnet. You can also set up a virtual private gateway that extends your corporate network into your VPC, and allows access to the RDS DB instance in that VPC. Refer to the Amazon VPC User Guide for more details.

For Multi-AZ deployments, defining a subnet for all Availability Zones in a region will allow Amazon RDS to create a new standby in another Availability Zone should the need arise. You can create DB Subnet Groups, which are collections of subnets that you may want to designate for your RDS DB Instances in a VPC.
Each DB Subnet Group should have at least one subnet for every Availability Zone in a given region. In this case, when you create a DB Instance in a VPC, you select a DB Subnet Group; Amazon RDS then uses that DB Subnet Group and your preferred Availability Zone to select a subnet and an IP address within that subnet. Amazon RDS creates and associates an Elastic Network Interface to your DB Instance with that IP address.

DB Instances deployed within an Amazon VPC can be accessed from the Internet or from Amazon EC2 Instances outside the VPC via VPN or bastion hosts that you can launch in your public subnet. To use a bastion host, you will need to set up a public subnet with an EC2 instance that acts as an SSH bastion. This public subnet must have an Internet gateway and routing rules that allow traffic to be directed via the SSH host, which must then forward requests to the private IP address of your Amazon RDS DB instance. DB Security Groups can be used to help secure DB Instances within an Amazon VPC. In addition, network traffic entering and exiting each subnet can be allowed or denied via network ACLs. All network traffic entering or exiting your Amazon VPC via your IPsec VPN connection can be inspected by your on-premises security infrastructure, including network firewalls and intrusion detection systems.

Encryption

You can encrypt connections between your application and your DB Instance using SSL. For MySQL and SQL Server, RDS creates an SSL certificate and installs the certificate on the DB instance when the instance is provisioned. For MySQL, you launch the mysql client using the --ssl-ca parameter to reference the certificate authority (CA) certificate in order to encrypt connections. For SQL Server, download the CA certificate and import it into your Windows operating system. Oracle RDS uses Oracle native network encryption with a DB instance.
You simply add the native network encryption option to an option group and associate that option group with the DB instance. Once an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer. You can also require your DB instance to only accept encrypted connections. Amazon RDS supports Transparent Data Encryption (TDE) for SQL Server (SQL Server Enterprise Edition) and Oracle (part of the Oracle Advanced Security option available in Oracle Enterprise Edition). The TDE feature automatically encrypts data before it is written to storage and automatically decrypts data when it is read from storage.

Note: SSL support within Amazon RDS is for encrypting the connection between your application and your DB Instance; it should not be relied on for authenticating the DB Instance itself. While SSL offers security benefits, be aware that SSL encryption is a compute-intensive operation and will increase the latency of your database connection. To learn how SSL works with SQL Server, you can read more in the Amazon Relational Database Service User Guide.

Automated Backups and DB Snapshots

Amazon RDS provides two different methods for backing up and restoring your DB Instance(s): automated backups and database snapshots (DB Snapshots). Turned on by default, the automated backup feature of Amazon RDS enables point-in-time recovery for your DB Instance. Amazon RDS will back up your database and transaction logs and store both for a user-specified retention period. This allows you to restore your DB Instance to any second during your retention period, up to the last 5 minutes. Your automatic backup retention period can be configured to up to 35 days. During the backup window, storage I/O may be suspended while your data is being backed up. This I/O suspension typically lasts a few minutes.
This I/O suspension is avoided with Multi-AZ DB deployments, since the backup is taken from the standby. DB Snapshots are user-initiated backups of your DB Instance. These full database backups are stored by Amazon RDS until you explicitly delete them. You can copy DB snapshots of any size and move them between any of AWS's public regions, or copy the same snapshot to multiple regions simultaneously. You can then create a new DB Instance from a DB Snapshot whenever you desire.

DB Instance Replication

Amazon cloud computing resources are housed in highly available data center facilities in different regions of the world, and each region contains multiple distinct locations called Availability Zones. Each Availability Zone is engineered to be isolated from failures in other Availability Zones, and to provide inexpensive, low-latency network connectivity to other Availability Zones in the same region. To architect for high availability of your Oracle, PostgreSQL, or MySQL databases, you can run your RDS DB instance in several Availability Zones, an option called a Multi-AZ deployment. When you select this option, Amazon automatically provisions and maintains a synchronous standby replica of your DB instance in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to the standby replica. In the event of DB instance or Availability Zone failure, Amazon RDS will automatically failover to the standby so that database operations can resume quickly without administrative intervention. For customers who use MySQL and need to scale beyond the capacity constraints of a single DB Instance for read-heavy database workloads, Amazon RDS provides a Read Replica option. Once you create a read replica, database updates on the source DB instance are replicated to the read replica using MySQL's native, asynchronous replication.
You can create multiple read replicas for a given source DB instance and distribute your application's read traffic among them. Read replicas can be created with Multi-AZ deployments to gain read scaling benefits in addition to the enhanced database write availability and data durability provided by Multi-AZ deployments.

Automatic Software Patching

Amazon RDS will make sure that the relational database software powering your deployment stays up-to-date with the latest patches. When necessary, patches are applied during a maintenance window that you can control. You can think of the Amazon RDS maintenance window as an opportunity to control when DB Instance modifications (such as scaling DB Instance class) and software patching occur, in the event they are requested or required. If a maintenance event is scheduled for a given week, it will be initiated and completed at some point during the 30-minute maintenance window you identify. The only maintenance events that require Amazon RDS to take your DB Instance offline are scale compute operations (which generally take only a few minutes from start to finish) or required software patching. Required patching is automatically scheduled only for patches that are security and durability related. Such patching occurs infrequently (typically once every few months) and should seldom require more than a fraction of your maintenance window. If you do not specify a preferred weekly maintenance window when creating your DB Instance, a 30-minute default value is assigned. If you wish to modify when maintenance is performed on your behalf, you can do so by modifying your DB Instance in the AWS Management Console or by using the ModifyDBInstance API. Each of your DB Instances can have different preferred maintenance windows, if you so choose.
Running your DB Instance as a Multi-AZ deployment can further reduce the impact of a maintenance event, as Amazon RDS will conduct maintenance via the following steps: 1) Perform maintenance on standby, 2) Promote standby to primary, and 3) Perform maintenance on old primary, which becomes the new standby. When an Amazon RDS DB Instance deletion API (DeleteDBInstance) is run, the DB Instance is marked for deletion. Once the instance no longer indicates 'deleting' status, it has been removed. At this point the instance is no longer accessible and unless a final snapshot copy was asked for, it cannot be restored and will not be listed by any of the tools or APIs.

Event Notification

You can receive notifications of a variety of important events that can occur on your RDS instance, such as whether the instance was shut down, a backup was started, a failover occurred, the security group was changed, or your storage space is low. The Amazon RDS service groups events into categories that you can subscribe to so that you can be notified when an event in that category occurs. You can subscribe to an event category for a DB instance, DB snapshot, DB security group, or for a DB parameter group. RDS events are published via AWS SNS and sent to you as an email or text message. For more information about RDS notification event categories, refer to the Amazon Relational Database Service User Guide.

Amazon Redshift Security

Amazon Redshift is a petabyte-scale SQL data warehouse service that runs on highly optimized and managed AWS compute and storage resources. The service has been architected to not only scale up or down rapidly, but to significantly improve query speeds even on extremely large datasets. To increase performance, Redshift uses techniques such as columnar storage, data compression, and zone maps to reduce the amount of I/O needed to perform queries.
It also has a massively parallel processing (MPP) architecture, parallelizing and distributing SQL operations to take advantage of all available resources. When you create a Redshift data warehouse, you provision a single-node or multi-node cluster, specifying the type and number of nodes that will make up the cluster. The node type determines the storage size, memory, and CPU of each node. Each multi-node cluster includes a leader node and two or more compute nodes. A leader node manages connections, parses queries, builds execution plans, and manages query execution in the compute nodes. The compute nodes store data, perform computations, and run queries as directed by the leader node. The leader node of each cluster is accessible through ODBC and JDBC endpoints, using standard PostgreSQL drivers. The compute nodes run on a separate, isolated network and are never accessed directly. After you provision a cluster, you can upload your dataset and perform data analysis queries by using common SQL-based tools and business intelligence applications.

Cluster Access

By default, clusters that you create are closed to everyone. Amazon Redshift enables you to configure firewall rules (security groups) to control network access to your data warehouse cluster. You can also run Redshift inside an Amazon VPC to isolate your data warehouse cluster in your own virtual network and connect it to your existing IT infrastructure using industry-standard encrypted IPsec VPN. The AWS account that creates the cluster has full access to the cluster. Within your AWS account, you can use AWS IAM to create user accounts and manage permissions for those accounts. By using IAM, you can grant different users permission to perform only the cluster operations that are necessary for their work.
Like all databases, you must grant permission in Redshift at the database level in addition to granting access at the resource level. Database users are named user accounts that can connect to a database and are authenticated when they log in to Amazon Redshift. In Redshift, you grant database user permissions on a per-cluster basis instead of on a per-table basis. However, a user can see data only in the table rows that were generated by their own activities; rows generated by other users are not visible to them. The user who creates a database object is its owner. By default, only a superuser or the owner of an object can query, modify, or grant permissions on the object. For users to use an object, you must grant the necessary permissions to the user or the group that contains the user. And only the owner of an object can modify or delete it.

Data Backups

Amazon Redshift distributes your data across all compute nodes in a cluster. When you run a cluster with at least two compute nodes, data on each node will always be mirrored on disks on another node, reducing the risk of data loss. In addition, all data written to a node in your cluster is continuously backed up to Amazon S3 using snapshots. Redshift stores your snapshots for a user-defined period, which can be from one to thirty-five days. You can also take your own snapshots at any time; these snapshots leverage all existing system snapshots and are retained until you explicitly delete them. Amazon Redshift continuously monitors the health of the cluster and automatically re-replicates data from failed drives and replaces nodes as necessary. All of this happens without any effort on your part, although you may see a slight performance degradation during the re-replication process. You can use any system or user snapshot to restore your cluster using the AWS Management Console or the Amazon Redshift APIs.
Your cluster is available as soon as the system metadata has been restored and you can start running queries while user data is spooled down in the background.

Data Encryption

When creating a cluster, you can choose to encrypt it in order to provide additional protection for your data at rest. When you enable encryption in your cluster, Amazon Redshift stores all data in user-created tables in an encrypted format using hardware-accelerated AES-256 block encryption keys. This includes all data written to disk as well as any backups. Amazon Redshift uses a four-tier, key-based architecture for encryption. These keys consist of data encryption keys, a database key, a cluster key, and a master key:

• Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly-generated AES-256 key. These keys are encrypted by using the database key for the cluster.
• The database key encrypts data encryption keys in the cluster. The database key is a randomly-generated AES-256 key. It is stored on disk in a separate network from the Amazon Redshift cluster and passed to the cluster across a secure channel.
• The cluster key encrypts the database key for the Amazon Redshift cluster. You can use either AWS or a hardware security module (HSM) to store the cluster key. HSMs provide direct control of key generation and management, and make key management separate and distinct from the application and the database.
• The master key encrypts the cluster key if it is stored in AWS. The master key encrypts the cluster-key-encrypted database key if the cluster key is stored in an HSM.

You can have Redshift rotate the encryption keys for your encrypted clusters at any time. As part of the rotation process, keys are also updated for all of the cluster's automatic and manual snapshots.

Note: Enabling encryption in your cluster will impact performance, even though it is hardware accelerated. Encryption also applies to backups.
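The four-tier hierarchy above, worked through as an added example (not Redshift's own code): every data block gets its own random key, wrapped by a database key, wrapped by a cluster key, wrapped by a master key, and rotating the upper tiers re-wraps the data keys in live blocks and snapshots without touching the encrypted data. The cipher is a stand-in built from HMAC-SHA256 in counter mode so the example runs with the standard library only; Redshift itself uses hardware-accelerated AES-256.

```python
"""Four-tier key hierarchy in the style described for Amazon Redshift.
Added illustration only: the stream cipher below is an HMAC-SHA256 keystream
stand-in for AES-256, and the key-management choices are this example's, not AWS's."""
import hashlib
import hmac
import os

KEY_BYTES = 32   # 256-bit keys at every tier, as on the page


def _subkeys(kek: bytes):
    """Derive independent encryption and MAC keys from one key-encryption key."""
    enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) as keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC `secret` under `kek`; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(kek)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc, nonce, secret)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong tier key fails closed."""
    enc, mac = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return _keystream_xor(enc, nonce, ct)


def wrong_key_rejected(kek: bytes, wrong: bytes, secret: bytes) -> bool:
    """True when unwrapping with a different key is refused rather than returning garbage."""
    try:
        unwrap(wrong, wrap(kek, secret))
        return False
    except ValueError:
        return True


class EncryptedCluster:
    """Holds only wrapped keys and wrapped blocks; plaintext keys exist transiently."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key                  # tier 4: master key (held by AWS on the page)
        cluster_key = os.urandom(KEY_BYTES)           # tier 3: cluster key
        database_key = os.urandom(KEY_BYTES)          # tier 2: database key
        self.wrapped_cluster_key = wrap(master_key, cluster_key)
        self.wrapped_database_key = wrap(cluster_key, database_key)
        self.blocks = []       # list of (wrapped data key, encrypted block)
        self.snapshots = []    # each snapshot is a copy of self.blocks at that time

    def _database_key(self) -> bytes:
        cluster_key = unwrap(self.master_key, self.wrapped_cluster_key)
        return unwrap(cluster_key, self.wrapped_database_key)

    def write_block(self, plaintext: bytes) -> int:
        data_key = os.urandom(KEY_BYTES)              # tier 1: fresh random key per block
        self.blocks.append((wrap(self._database_key(), data_key), wrap(data_key, plaintext)))
        return len(self.blocks) - 1

    def read_block(self, index: int, blocks=None) -> bytes:
        wrapped_dk, ct = (self.blocks if blocks is None else blocks)[index]
        return unwrap(unwrap(self._database_key(), wrapped_dk), ct)

    def take_snapshot(self) -> int:
        self.snapshots.append(list(self.blocks))      # wrapped keys travel with the data
        return len(self.snapshots) - 1

    def rotate_keys(self) -> None:
        """Replace the cluster and database keys and re-wrap every data key, in live
        blocks and in every snapshot, so restores keep working after rotation.
        Data blocks are not re-encrypted because the data keys themselves do not change."""
        old_db_key = self._database_key()
        new_cluster_key, new_db_key = os.urandom(KEY_BYTES), os.urandom(KEY_BYTES)

        def rewrap(blocks):
            return [(wrap(new_db_key, unwrap(old_db_key, wdk)), ct) for wdk, ct in blocks]

        self.blocks = rewrap(self.blocks)
        self.snapshots = [rewrap(s) for s in self.snapshots]
        self.wrapped_cluster_key = wrap(self.master_key, new_cluster_key)
        self.wrapped_database_key = wrap(new_cluster_key, new_db_key)


def demo() -> bool:
    """Write, snapshot, rotate, then read back from the live cluster and the snapshot."""
    row = b"constructed row: order 42, total 19.99"
    cluster = EncryptedCluster(os.urandom(KEY_BYTES))
    i = cluster.write_block(row)
    snap = cluster.take_snapshot()
    cluster.rotate_keys()
    return cluster.read_block(i) == row and cluster.read_block(i, cluster.snapshots[snap]) == row
```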
When restoring from an encrypted snapshot, the new cluster will be encrypted as well. To encrypt your table load data files when you upload them to Amazon S3, you can use Amazon S3 server-side encryption. When you load the data from Amazon S3, the COPY command will decrypt the data as it loads the table.

Database Audit Logging

Amazon Redshift logs all SQL operations, including connection attempts, queries, and changes to your database. You can access these logs using SQL queries against system tables or choose to have them downloaded to a secure Amazon S3 bucket. You can then use these audit logs to monitor your cluster for security and troubleshooting purposes.

Automatic Software Patching

Amazon Redshift manages all the work of setting up, operating, and scaling your data warehouse, including provisioning capacity, monitoring the cluster, and applying patches and upgrades to the Amazon Redshift engine. Patches are applied only during specified maintenance windows.

SSL Connections

To protect your data in transit within the AWS cloud, Amazon Redshift uses hardware-accelerated SSL to communicate with Amazon S3 or Amazon DynamoDB for COPY, UNLOAD, backup, and restore operations. You can encrypt the connection between your client and the cluster by specifying SSL in the parameter group associated with the cluster. To have your clients also authenticate the Redshift server, you can install the public key (pem file) for the SSL certificate on your client and use the key to connect to your clusters. Amazon Redshift offers the newer, stronger cipher suites that use the Elliptic Curve Diffie-Hellman Ephemeral protocol. ECDHE allows SSL clients to provide Perfect Forward Secrecy between the client and the Redshift cluster.
Perfect Forward Secrecy uses session keys that are ephemeral and not stored anywhere, which prevents the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised. You do not need to configure anything in Amazon Redshift to enable ECDHE; if you connect from a SQL client tool that uses ECDHE to encrypt communication between the client and server, Amazon Redshift will use the provided cipher list to make the appropriate connection.

Amazon ElastiCache Security

Amazon ElastiCache is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud. The service improves the performance of web applications by allowing you to retrieve information from a fast, managed, in-memory caching system, instead of relying entirely on slower disk-based databases. It can be used to significantly improve latency and throughput for many read-heavy application workloads (such as social networking, gaming, media sharing, and Q&A portals) or compute-intensive workloads (such as a recommendation engine). Caching improves application performance by storing critical pieces of data in memory for low-latency access. Cached information may include the results of I/O-intensive database queries or the results of computationally-intensive calculations. The Amazon ElastiCache service automates time-consuming management tasks for in-memory cache environments, such as patch management, failure detection, and recovery. It works in conjunction with other Amazon Web Services (such as Amazon EC2, Amazon CloudWatch, and Amazon SNS) to provide a secure, high-performance, and managed in-memory cache. For example, an application running in Amazon EC2 can securely access an Amazon ElastiCache Cluster in the same region with very low latency.
Using the Amazon ElastiCache service, you create a Cache Cluster, which is a collection of one or more Cache Nodes, each running an instance of the Memcached service. A Cache Node is a fixed-size chunk of secure, network-attached RAM. Each Cache Node runs an instance of the Memcached service, and has its own DNS name and port. Multiple types of Cache Nodes are supported, each with varying amounts of associated memory. A Cache Cluster can be set up with a specific number of Cache Nodes and a Cache Parameter Group that controls the properties for each Cache Node. All Cache Nodes within a Cache Cluster are designed to be of the same Node Type and have the same parameter and security group settings. Amazon ElastiCache allows you to control access to your Cache Clusters using Cache Security Groups. A Cache Security Group acts like a firewall, controlling network access to your Cache Cluster. By default, network access is turned off to your Cache Clusters. If you want your applications to access your Cache Cluster, you must explicitly enable access from hosts in specific EC2 security groups. Once ingress rules are configured, the same rules apply to all Cache Clusters associated with that Cache Security Group. To allow network access to your Cache Cluster, create a Cache Security Group and use the Authorize Cache Security Group Ingress API or CLI command to authorize the desired EC2 security group (which in turn specifies the EC2 instances allowed). IP-range based access control is currently not enabled for Cache Clusters. All clients to a Cache Cluster must be within the EC2 network, and authorized via Cache Security Groups. ElastiCache for Redis provides backup and restore functionality, where you can create a snapshot of your entire Redis cluster as it exists at a specific point in time.
You can schedule automatic, recurring daily snapshots or you can create a manual snapshot at any time. For automatic snapshots, you specify a retention period; manual snapshots are retained until you delete them. The snapshots are stored in Amazon S3 with high durability, and can be used for warm starts, backups, and archiving.

Application Services

Amazon Web Services offers a variety of managed services to use with your applications, including services that provide application streaming, queueing, push notification, email delivery, search, and transcoding.

Amazon CloudSearch Security

Amazon CloudSearch is a managed service in the cloud that makes it easy to set up, manage, and scale a search solution for your website. Amazon CloudSearch enables you to search large collections of data such as web pages, document files, forum posts, or product information. It enables you to quickly add search capabilities to your website without having to become a search expert or worry about hardware provisioning, setup, and maintenance. As your volume of data and traffic fluctuates, Amazon CloudSearch automatically scales to meet your needs. An Amazon CloudSearch domain encapsulates a collection of data you want to search, the search instances that process your search requests, and a configuration that controls how your data is indexed and searched. You create a separate search domain for each collection of data you want to make searchable. For each domain, you configure indexing options that describe the fields you want to include in your index and how you want to use them, text options that define domain-specific stopwords, stems, and synonyms, rank expressions that you can use to customize how search results are ranked, and access policies that control access to the domain's document and search endpoints. All Amazon CloudSearch configuration requests must be authenticated using standard AWS authentication.
Amazon CloudSearch provides separate endpoints for accessing the configuration, search, and document services:

• The configuration service is accessed through a general endpoint: cloudsearch.us-east-1.amazonaws.com
• The document service endpoint is used to submit documents to the domain for indexing and is accessed through a domain-specific endpoint: http://doc-domainname-domainid.us-east-1.cloudsearch.amazonaws.com/
• The search endpoint is used to submit search requests to the domain and is accessed through a domain-specific endpoint: http://search-domainname-domainid.us-east-1.cloudsearch.amazonaws.com

Like all AWS Services, Amazon CloudSearch requires that every request made to its control API be authenticated so only authenticated users can access and manage your CloudSearch domain. API requests are signed with an HMAC-SHA1 or HMAC-SHA256 signature calculated from the request and the user's AWS Secret Access Key. Additionally, the Amazon CloudSearch control API is accessible via SSL-encrypted endpoints. You can control access to Amazon CloudSearch management functions by creating users under your AWS Account using AWS IAM, and controlling which CloudSearch operations these users have permission to perform.

Amazon Simple Queue Service (Amazon SQS) Security

Amazon SQS is a highly reliable, scalable message queuing service that enables asynchronous message-based communication between distributed components of an application. The components can be computers or Amazon EC2 instances or a combination of both. With Amazon SQS, you can send any number of messages to an Amazon SQS queue at any time from any component. The messages can be retrieved from the same component or a different one right away or at a later time (within 4 days). Messages are highly durable; each message is persistently stored in highly available, highly reliable queues.
Multiple processes can read/write from/to an Amazon SQS queue at the same time without interfering with each other. Amazon SQS access is granted based on an AWS Account or a user created with AWS IAM. Once authenticated, the AWS Account has full access to all user operations. An AWS IAM user, however, only has access to the operations and queues for which they have been granted access via policy. By default, access to each individual queue is restricted to the AWS Account that created it. However, you can allow other access to a queue, using either an SQS-generated policy or a policy you write. Amazon SQS is accessible via SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2. Data stored within Amazon SQS is not encrypted by AWS; however, the user can encrypt data before it is uploaded to Amazon SQS, provided that the application utilizing the queue has a means to decrypt the message when retrieved. Encrypting messages before sending them to Amazon SQS helps protect against access to sensitive customer data by unauthorized persons, including AWS.

Amazon Simple Notification Service (Amazon SNS) Security

Amazon Simple Notification Service (Amazon SNS) is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications. Amazon SNS provides a simple web services interface that can be used to create topics that customers want to notify applications (or people) about, subscribe clients to these topics, publish messages, and have these messages delivered over clients' protocol of choice (i.e., HTTP/HTTPS, email, etc.).
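The SQS access-policy model described above (a queue is private to its owning account until a policy you write opens it, and the endpoints are SSL-encrypted) is the kind of thing worth checking before a policy is attached. Below is an added example, not AWS tooling, that audits a queue policy for the mistakes that widen access: a weak policy beside two hardened forms, with the account IDs, queue name and Sids all constructed placeholders; the same checks apply to SNS topic policies, which use the same policy language.

```python
"""Audit an Amazon SQS queue access policy for over-broad Allow statements.
Added example; the policies below are constructed, not taken from any real account."""
from typing import Any

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"   # placeholder account ID and queue

# Weak: anyone on the Internet may call any SQS action on the queue, over plain HTTP.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanDoAnything",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:*",
        "Resource": QUEUE_ARN,
    }],
}

# Hardened: one named account may only send, and only over TLS.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PartnerAccountMaySend",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::444455556666:root"},   # placeholder partner account
        "Action": ["sqs:SendMessage"],
        "Resource": QUEUE_ARN,
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}

# Alternative hardening: a scoped Allow paired with an explicit Deny of any non-TLS call.
DENY_INSECURE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerAccountMaySend", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "sqs:SendMessage", "Resource": QUEUE_ARN},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "sqs:*", "Resource": QUEUE_ARN,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value: Any) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """'*' or {"AWS": "*"} means any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _secure_transport(stmt: dict):
    """Return the aws:SecureTransport Bool condition as 'true'/'false', or None if absent."""
    value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return None if value is None else str(value).lower()


def audit_queue_policy(policy: dict) -> list:
    """Return (Sid, issue) pairs for every Allow statement that widens access
    beyond the owning account without a compensating condition."""
    statements = _as_list(policy.get("Statement", []))
    # An explicit Deny on aws:SecureTransport=false covers every Allow in the policy.
    denies_plaintext = any(s.get("Effect") == "Deny" and _secure_transport(s) == "false"
                           for s in statements)
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if _principal_is_anyone(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((sid, "anonymous-principal"))
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append((sid, "wildcard-action"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, "wildcard-resource"))
        if _secure_transport(stmt) != "true" and not denies_plaintext:
            findings.append((sid, "plaintext-transport-allowed"))
    return findings
```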
Amazon SNS delivers notifications using a 'push' mechanism that eliminates the need to periodically check or 'poll' for new information and updates. Amazon SNS can be leveraged to build highly reliable, event-driven workflows and messaging applications without the need for complex middleware and application management. The potential uses for Amazon SNS include monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and many others. Amazon SNS provides access control mechanisms so that topics and messages are secured against unauthorized access. Topic owners can set policies for a topic that restrict who can publish or subscribe to a topic. Additionally, topic owners can encrypt transmission by specifying that the delivery mechanism must be HTTPS. Amazon SNS access is granted based on an AWS Account or a user created with AWS IAM. Once authenticated, the AWS Account has full access to all user operations. An AWS IAM user, however, only has access to the operations and topics for which they have been granted access via policy. By default, access to each individual topic is restricted to the AWS Account that created it. However, you can allow other access to SNS, using either an SNS-generated policy or a policy you write.

Amazon Simple Workflow Service (Amazon SWF) Security

The Amazon Simple Workflow Service (Amazon SWF) makes it easy to build applications that coordinate work across distributed components. Using Amazon SWF, you can structure the various processing steps in an application as 'tasks' that drive work in distributed applications, and Amazon SWF coordinates these tasks in a reliable and scalable manner. Amazon SWF manages task execution dependencies, scheduling, and concurrency based on the application's logic. The service stores tasks, dispatches them to application components, tracks their progress, and keeps their latest state.
Amazon SWF provides simple API calls that can be executed from code written in any language and run on your EC2 instances, or any of your machines located anywhere in the world that can access the Internet. Amazon SWF acts as a coordination hub with which your application hosts interact. You create desired workflows with their associated tasks and any conditional logic you wish to apply and store them with Amazon SWF. Amazon SWF access is granted based on an AWS Account or a user created with AWS IAM. All actors that participate in the execution of a workflow (deciders, activity workers, workflow administrators) must be IAM users under the AWS Account that owns the Amazon SWF resources. You cannot grant users associated with other AWS Accounts access to your Amazon SWF workflows. An AWS IAM user, however, only has access to the workflows and resources for which they have been granted access via policy.

Amazon Simple Email Service (Amazon SES) Security

Amazon Simple Email Service (Amazon SES), built on Amazon's reliable and scalable infrastructure, is a mail service that can both send and receive mail on behalf of your domain. Amazon SES helps you maximize email deliverability and stay informed of the delivery status of your emails. Amazon SES integrates with other AWS services, making it easy to send emails from applications being hosted on services such as Amazon EC2. Unfortunately, with other email systems, it's possible for a spammer to falsify an email header and spoof the originating email address so that it appears as though the email originated from a different source. To mitigate these problems, Amazon SES requires users to verify their email address or domain in order to confirm that they own it and to prevent others from using it. To verify a domain, Amazon SES requires the sender to publish a DNS record that Amazon SES supplies as proof of control over the domain.
Amazon SES periodically reviews domain verification status, and revokes verification in cases where it is no longer valid. Amazon SES takes proactive steps to prevent questionable content from being sent, so that ISPs receive consistently high-quality email from our domains and therefore view Amazon SES as a trusted email origin. Below are some of the features that maximize deliverability and dependability for all of our senders:

• Amazon SES uses content-filtering technologies to help detect and block messages containing viruses or malware before they can be sent.
• Amazon SES maintains complaint feedback loops with major ISPs. Complaint feedback loops indicate which emails a recipient marked as spam. Amazon SES provides you access to these delivery metrics to help guide your sending strategy.
• Amazon SES uses a variety of techniques to measure each user's sending. These mechanisms help identify and disable attempts to use Amazon SES for unsolicited mail, and detect other sending patterns that would harm Amazon SES's reputation with ISPs, mailbox providers, and anti-spam services.
• Amazon SES supports authentication mechanisms such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). When you authenticate an email, you provide evidence to ISPs that you own the domain. Amazon SES makes it easy for you to authenticate your emails. If you configure your account to use Easy DKIM, Amazon SES will DKIM-sign your emails on your behalf, so you can focus on other aspects of your email-sending strategy. To ensure optimal deliverability, we recommend that you authenticate your emails.

As with other AWS services, you use security credentials to verify who you are and whether you have permission to interact with Amazon SES. For information about which credentials to use, see Using Credentials with Amazon SES.
Amazon SES also integrates with AWS IAM so that you can specify which Amazon SES API actions a user can perform. If you choose to communicate with Amazon SES through its SMTP interface, you are required to encrypt your connection using TLS. Amazon SES supports two mechanisms for establishing a TLS-encrypted connection: STARTTLS and TLS Wrapper. If you choose to communicate with Amazon SES over HTTP, then all communication will be protected by TLS through Amazon SES's HTTPS endpoint. When delivering email to its final destination, Amazon SES encrypts the email content with opportunistic TLS, if supported by the receiver.

Amazon Elastic Transcoder Service Security

The Amazon Elastic Transcoder service simplifies and automates what is usually a complex process of converting media files from one format, size, or quality to another. The Elastic Transcoder service converts standard-definition (SD) or high-definition (HD) video files as well as audio files. It reads input from an Amazon S3 bucket, transcodes it, and writes the resulting file to another Amazon S3 bucket. You can use the same bucket for input and output, and the buckets can be in any AWS region. The Elastic Transcoder accepts input files in a wide variety of web, consumer, and professional formats. Output file types include the MP3, MP4, OGG, TS, WebM, HLS using MPEG-2 TS, and Smooth Streaming using fmp4 container types, storing H.264 or VP8 video and AAC, MP3, or Vorbis audio. You'll start with one or more input files, and create transcoding jobs in a type of workflow called a transcoding pipeline for each file. When you create the pipeline, you'll specify input and output buckets as well as an IAM role. Each job must reference a media conversion template called a transcoding preset, and will result in the generation of one or more output files.
A preset tells the Elastic Transcoder what settings to use when processing a particular input file. You can specify many settings when you create a preset, including the sample rate, bit rate, resolution (output height and width), the number of reference and keyframes, a video bit rate, some thumbnail creation options, etc.

A best effort is made to start jobs in the order in which they were submitted, but this is not a hard guarantee and jobs typically finish out of order since they are worked on in parallel and vary in complexity. You can pause and resume any of your pipelines if necessary.

Elastic Transcoder supports the use of SNS notifications when it starts and finishes each job, and when it needs to tell you that it has detected an error or warning condition. The SNS notification parameters are associated with each pipeline. You can also use the List Jobs by Status function to find all of the jobs with a given status (e.g., "Completed") or the Read Job function to retrieve detailed information about a particular job.

Like all other AWS services, Elastic Transcoder integrates with AWS Identity and Access Management (IAM), which allows you to control access to the service and to other AWS resources that Elastic Transcoder requires, including Amazon S3 buckets and Amazon SNS topics. By default, IAM users have no access to Elastic Transcoder or to the resources that it uses. If you want IAM users to be able to work with Elastic Transcoder, you must explicitly grant them permissions.

Amazon Elastic Transcoder requires every request made to its control API be authenticated so only authenticated processes or users can create, modify, or delete their own Amazon Transcoder pipelines and presets. Requests are signed with an HMAC-SHA256 signature calculated from the request and derived from the user's secret key. Additionally, the Amazon Elastic Transcoder API is only accessible via SSL-encrypted endpoints.
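To make the request-signing requirement concrete, the following added example (written for this page, not Amazon's own code) signs and then verifies a request with an HMAC-SHA256 signature whose key is derived from the caller's secret key, in the Signature Version 4 style; the credentials, host, date and job path are constructed placeholders.

```python
"""Added example: HMAC-SHA256 request signing with a key derived from the
caller's secret key, in the Signature Version 4 style (not Amazon's code).
All credentials, header values and the request path are constructed."""
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials; not real AWS keys.
ACCESS_KEY = "AKIAEXAMPLEKEY0000001"
SECRET_KEY = "EXAMPLE-secret-key-not-a-real-key"
REGION = "us-east-1"
SERVICE = "elastictranscoder"

# Constructed sample request: read one job (the job ID is a placeholder).
SAMPLE_HEADERS = {
    "host": "elastictranscoder.us-east-1.amazonaws.com",
    "x-amz-date": "20200525T120000Z",
}
SAMPLE_PATH = "/2012-09-25/jobs/EXAMPLEJOBID"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Chain of HMACs: the long-term secret never signs a request directly;
    the request is signed with a key scoped to one day, region and service."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    """Normalise the request so client and server hash exactly the same bytes."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(lower)
    canonical_headers = "".join(f"{n}:{lower[n]}\n" for n in names)
    signed_headers = ";".join(names)
    payload_hash = hashlib.sha256(payload).hexdigest()
    request = "\n".join([method, path, canonical_query, canonical_headers,
                         signed_headers, payload_hash])
    return request, signed_headers


def sign_request(secret, access_key, method, path, query, headers, payload, region, service) -> str:
    """Client side: build the Authorization header value."""
    amz_date = {k.lower(): v for k, v in headers.items()}["x-amz-date"]
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(creq.encode("utf-8")).hexdigest(),
    ])
    key = derive_signing_key(secret, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify_request(secret, access_key, auth_header, method, path, query, headers, payload, region, service) -> bool:
    """Server side: recompute from the stored secret and compare in constant time,
    so any change to the method, path, query, signed headers or body fails."""
    expected = sign_request(secret, access_key, method, path, query, headers, payload, region, service)
    return hmac.compare_digest(expected, auth_header)


def demo():
    """Sign the sample request, then verify it as sent and as tampered (method changed)."""
    auth = sign_request(SECRET_KEY, ACCESS_KEY, "GET", SAMPLE_PATH, {}, SAMPLE_HEADERS, b"", REGION, SERVICE)
    genuine = verify_request(SECRET_KEY, ACCESS_KEY, auth, "GET", SAMPLE_PATH, {}, SAMPLE_HEADERS, b"", REGION, SERVICE)
    tampered = verify_request(SECRET_KEY, ACCESS_KEY, auth, "DELETE", SAMPLE_PATH, {}, SAMPLE_HEADERS, b"", REGION, SERVICE)
    return auth, genuine, tampered


if __name__ == "__main__":
    print(demo())
```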
Durability is provided by Amazon S3, where media files are redundantly stored on multiple devices across multiple facilities in an Amazon S3 region. For added protection against users accidentally deleting media files, you can use the Versioning feature in Amazon S3 to preserve, retrieve, and restore every version of every object stored in an Amazon S3 bucket. You can further protect versions using Amazon S3 Versioning's MFA Delete feature. Once enabled for an Amazon S3 bucket, each version deletion request must include the six-digit code and serial number from your multi-factor authentication device.

Amazon AppStream 2.0 Security

The Amazon AppStream 2.0 service provides a framework for running streaming applications, particularly applications that require lightweight clients running on mobile devices. It enables you to store and run your application on powerful, parallel-processing CPUs in the cloud and then stream input and output to any client device. This can be a pre-existing application that you modify to work with Amazon AppStream 2.0 or a new application that you design specifically to work with the service. The Amazon AppStream 2.0 SDK simplifies the development of interactive streaming applications and client applications. The SDK provides APIs that connect your customers' devices to your application, capture and encode audio and video, stream content across the Internet in near real-time, decode content on client devices, and return user input to the application. Because your application's processing occurs in the cloud, it can scale to handle extremely large computational loads.

Amazon AppStream 2.0 deploys streaming applications on Amazon EC2. When you add a streaming application through the AWS Management Console, the service creates the AMI required to host your application and makes your application available to streaming clients.
The service scales your application as needed within the capacity limits you have set to meet demand. Clients using the Amazon AppStream 2.0 SDK automatically connect to your streamed application.

In most cases, you'll want to ensure that the user running the client is authorized to use your application before letting him obtain a session ID. We recommend that you use some sort of entitlement service, which is a service that authenticates clients and authorizes their connection to your application. In this case, the entitlement service will also call into the Amazon AppStream 2.0 REST API to create a new streaming session for the client. After the entitlement service creates a new session, it returns the session identifier to the authorized client as a single-use entitlement URL. The client then uses the entitlement URL to connect to the application. Your entitlement service can be hosted on an Amazon EC2 instance or on AWS Elastic Beanstalk.

Amazon AppStream 2.0 utilizes an AWS CloudFormation template that automates the process of deploying a GPU EC2 instance that has the AppStream 2.0 Windows Application and Windows Client SDK libraries installed; is configured for SSH, RDC, or VPN access; and has an elastic IP address assigned to it. By using this template to deploy your standalone streaming server, all you need to do is upload your application to the server and run the command to launch it. You can then use the Amazon AppStream 2.0 Service Simulator tool to test your application in standalone mode before deploying it into production.

Amazon AppStream 2.0 also utilizes the STX Protocol to manage the streaming of your application from AWS to local devices. The Amazon AppStream 2.0 STX Protocol is a proprietary protocol used to stream high-quality application video over varying network conditions; it monitors network conditions and automatically adapts the video stream to provide a low-latency and high-resolution experience to your customers.
It minimizes latency while syncing audio and video as well as capturing input from your customers to be sent back to the application running in AWS.

Analytics Services

Amazon Web Services provides cloud-based analytics services to help you process and analyze any volume of data, whether your need is for managed Hadoop clusters, real-time streaming data, petabyte scale data warehousing, or orchestration.

Amazon EMR Security

Amazon EMR is a managed web service you can use to run Hadoop clusters that process vast amounts of data by distributing the work and data among several servers. It utilizes an enhanced version of the Apache Hadoop framework running on the web-scale infrastructure of Amazon EC2 and Amazon S3. You simply upload your input data and a data processing application into Amazon S3. Amazon EMR then launches the number of Amazon EC2 instances you specify. The service begins the job flow execution while pulling the input data from Amazon S3 into the launched Amazon EC2 instances. Once the job flow is finished, Amazon EMR transfers the output data to Amazon S3, where you can then retrieve it or use it as input in another job flow.

When launching job flows on your behalf, Amazon EMR sets up two Amazon EC2 security groups: one for the master nodes and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to SSH into the instances, using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to not allow access from external sources, including Amazon EC2 instances belonging to other customers. Since these are security groups within your account, you can reconfigure them using the standard EC2 tools or dashboard.
To protect customer input and output datasets, Amazon EMR transfers data to and from Amazon S3 using SSL.

Amazon EMR provides several ways to control access to the resources of your cluster. You can use AWS IAM to create user accounts and roles and configure permissions that control which AWS features those users and roles can access. When you launch a cluster, you can associate an Amazon EC2 key pair with the cluster, which you can then use when you connect to the cluster using SSH. You can also set permissions that allow users other than the default Hadoop user to submit jobs to your cluster.

By default, if an IAM user launches a cluster, that cluster is hidden from other IAM users on the AWS account. This filtering occurs on all Amazon EMR interfaces (the console, CLI, API, and SDKs) and helps prevent IAM users from accessing and inadvertently changing clusters created by other IAM users. It is useful for clusters that are intended to be viewed by only a single IAM user and the main AWS account. You also have the option to make a cluster visible and accessible to all IAM users under a single AWS account.

For an additional layer of protection, you can launch the EC2 instances of your EMR cluster into an Amazon VPC, which is like launching it into a private subnet. This allows you to control access to the entire subnetwork. You can also launch the cluster into a VPC and enable the cluster to access resources on your internal network using a VPN connection. You can encrypt the input data before you upload it to Amazon S3 using any common data encryption tool. If you do so, you then need to add a decryption step to the beginning of your job flow when Amazon Elastic MapReduce fetches the data from Amazon S3.

Amazon Kinesis Security

Amazon Kinesis is a managed service designed to handle real-time streaming of big data.
It can accept any amount of data, from any number of sources, scaling up and down as needed. You can use Kinesis in situations that call for large-scale, real-time data ingestion and processing, such as server logs, social media or market data feeds, and web clickstream data. Applications read and write data records to Amazon Kinesis in streams. You can create any number of Kinesis streams to capture, store, and transport data. Amazon Kinesis automatically manages the infrastructure, storage, networking, and configuration needed to collect and process your data at the level of throughput your streaming applications need. You don't have to worry about provisioning, deployment, or ongoing maintenance of hardware, software, or other services to enable real-time capture and storage of large-scale data. Amazon Kinesis also synchronously replicates data across three facilities in an AWS Region, providing high availability and data durability.

In Amazon Kinesis, data records contain a sequence number, a partition key, and a data blob, which is an uninterpreted, immutable sequence of bytes. The Amazon Kinesis service does not inspect, interpret, or change the data in the blob in any way. Data records are accessible for only 24 hours from the time they are added to an Amazon Kinesis stream, and then they are automatically discarded.

Your application is a consumer of an Amazon Kinesis stream, which typically runs on a fleet of Amazon EC2 instances. A Kinesis application uses the Amazon Kinesis Client Library to read from the Amazon Kinesis stream. The Kinesis Client Library takes care of a variety of details for you including failover, recovery, and load balancing, allowing your application to focus on processing the data as it becomes available. After processing the record, your consumer code can pass it along to another Kinesis stream; write it to an Amazon S3 bucket, a Redshift data warehouse, or a DynamoDB table; or simply discard it.
A connector library is available to help you integrate Kinesis with other AWS services (such as DynamoDB, Redshift, and Amazon S3) as well as third-party products like Apache Storm.

You can control logical access to Kinesis resources and management functions by creating users under your AWS Account using AWS IAM, and controlling which Kinesis operations these users have permission to perform. To facilitate running your producer or consumer applications on an Amazon EC2 instance, you can configure that instance with an IAM role. That way, AWS credentials that reflect the permissions associated with the IAM role are made available to applications on the instance, which means you don't need to use your long-term AWS security credentials. Roles have the added benefit of providing temporary credentials that expire within a short timeframe, which adds an additional measure of protection. See the AWS Identity and Access Management User Guide for more information about IAM roles.

The Amazon Kinesis API is only accessible via an SSL-encrypted endpoint (kinesis.us-east-1.amazonaws.com) to help ensure secure transmission of your data to AWS. You must connect to that endpoint to access Kinesis, but you can then use the API to direct AWS Kinesis to create a stream in any AWS Region.

AWS Data Pipeline Security

The AWS Data Pipeline service helps you process and move data between different data sources at specified intervals using data-driven workflows and built-in dependency checking. When you create a pipeline, you define data sources, preconditions, destinations, processing steps, and an operational schedule. Once you define and activate a pipeline, it will run automatically according to the schedule you specified.
With AWS Data Pipeline, you don't have to worry about checking resource availability, managing inter-task dependencies, retrying transient failures/timeouts in individual tasks, or creating a failure notification system. AWS Data Pipeline takes care of launching the AWS services and resources your pipeline needs to process your data (e.g., Amazon EC2 or EMR) and transferring the results to storage (e.g., Amazon S3, RDS, DynamoDB, or EMR).

When you use the console, AWS Data Pipeline creates the necessary IAM roles and policies, including a trusted entities list for you. IAM roles determine what your pipeline can access and the actions it can perform. Additionally, when your pipeline creates a resource, such as an EC2 instance, IAM roles determine the EC2 instance's permitted resources and actions. When you create a pipeline, you specify one IAM role that governs your pipeline and another IAM role to govern your pipeline's resources (referred to as a "resource role"), which can be the same role for both. As part of the security best practice of least privilege, we recommend that you consider the minimum permissions necessary for your pipeline to perform work and define the IAM roles accordingly.

Like most AWS services, AWS Data Pipeline also provides the option of secure (HTTPS) endpoints for access via SSL.

Deployment and Management Services

Amazon Web Services provides a variety of tools to help with the deployment and management of your applications. This includes services that allow you to create individual user accounts with credentials for access to AWS services. It also includes services for creating and updating stacks of AWS resources, deploying applications on those resources, and monitoring the health of those AWS resources.
Other tools help you manage cryptographic keys using hardware security modules (HSMs) and log AWS API activity for security and compliance purposes.

AWS Identity and Access Management (IAM)

IAM allows you to create multiple users and manage the permissions for each of these users within your AWS Account. A user is an identity (within an AWS Account) with unique security credentials that can be used to access AWS Services. IAM eliminates the need to share passwords or keys, and makes it easy to enable or disable a user's access as appropriate.

IAM enables you to implement security best practices, such as least privilege, by granting unique credentials to every user within your AWS Account and only granting permission to access the AWS services and resources required for the users to perform their jobs. IAM is secure by default; new users have no access to AWS until permissions are explicitly granted.

IAM is also integrated with the AWS Marketplace, so that you can control who in your organization can subscribe to the software and services offered in the Marketplace. Since subscribing to certain software in the Marketplace launches an EC2 instance to run the software, this is an important access control feature. Using IAM to control access to the AWS Marketplace also enables AWS Account owners to have fine-grained control over usage and software costs.

IAM enables you to minimize the use of your AWS Account credentials. Once you create IAM user accounts, all interactions with AWS Services and resources should occur with IAM user security credentials.

Roles

An IAM role uses temporary security credentials to allow you to delegate access to users or services that normally don't have access to your AWS resources. A role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group.
An authorized entity (e.g., mobile user, EC2 instance) assumes a role and receives temporary security credentials for authenticating to the resources defined in the role. Temporary security credentials provide enhanced security due to their short life-span (the default expiration is 12 hours) and the fact that they cannot be reused after they expire. This can be particularly useful in providing limited, controlled access in certain situations:

• Federated (non-AWS) User Access. Federated users are users (or applications) who do not have AWS Accounts. With roles, you can give them access to your AWS resources for a limited amount of time. This is useful if you have non-AWS users that you can authenticate with an external service, such as Microsoft Active Directory, LDAP, or Kerberos. The temporary AWS credentials used with the roles provide identity federation between AWS and your non-AWS users in your corporate identity and authorization system.

If your organization supports SAML 2.0 (Security Assertion Markup Language 2.0), you can create trust between your organization as an identity provider (IdP) and other organizations as service providers. In AWS, you can configure AWS as the service provider and use SAML to provide your users with federated single sign-on (SSO) to the AWS Management Console or to get federated access to call AWS APIs.

Roles are also useful if you create a mobile or web-based application that accesses AWS resources. AWS resources require security credentials for programmatic requests; however, you shouldn't embed long-term security credentials in your application because they are accessible to the application's users and can be difficult to rotate. Instead, you can let users sign in to your application using Login with Amazon, Facebook, or Google, and then use their authentication information to assume a role and get temporary security credentials.
• Cross-Account Access. For organizations who use multiple AWS Accounts to manage their resources, you can set up roles to provide users who have permissions in one account to access resources under another account. For organizations who have personnel who only rarely need access to resources under another account, using roles helps ensure that credentials are provided temporarily, only as needed.

• Applications Running on EC2 Instances that Need to Access AWS Resources. If an application runs on an Amazon EC2 instance and needs to make requests for AWS resources such as Amazon S3 buckets or a DynamoDB table, it must have security credentials. Using roles instead of creating individual IAM accounts for each application on each instance can save significant time for customers who manage a large number of instances or an elastically scaling fleet using AWS Auto Scaling.

The temporary credentials include a security token, an Access Key ID, and a Secret Access Key. To give a user access to certain resources, you distribute the temporary security credentials to the user you are granting temporary access to. When the user makes calls to your resources, the user passes in the token and Access Key ID, and signs the request with the Secret Access Key. The token will not work with different access keys. How the user passes in the token depends on the API and version of the AWS product the user is making calls to. For more information about temporary security credentials, see AWS Security Token Service API Reference.

The use of temporary credentials means additional protection for you because you don't have to manage or distribute long-term credentials to temporary users. In addition, the temporary credentials get automatically loaded to the target instance so you don't have to embed them somewhere unsafe like your code. Temporary credentials are automatically rotated or changed multiple times a day without any action on your part, and are stored securely by default.
For more information about using IAM roles to auto-provision keys on EC2 instances, see the AWS Identity and Access Management Documentation.

Amazon CloudWatch Security

Amazon CloudWatch is a web service that provides monitoring for AWS cloud resources, starting with Amazon EC2. It provides customers with visibility into resource utilization, operational performance, and overall demand patterns, including metrics such as CPU utilization, disk reads and writes, and network traffic. You can set up CloudWatch alarms to notify you if certain thresholds are crossed, or to take other automated actions such as adding or removing EC2 instances if Auto Scaling is enabled.

CloudWatch captures and summarizes utilization metrics natively for AWS resources, but you can also have other logs sent to CloudWatch to monitor. You can route your guest OS, application, and custom log files for the software installed on your EC2 instances to CloudWatch, where they will be stored in durable fashion for as long as you'd like. You can configure CloudWatch to monitor the incoming log entries for any desired symbols or messages and to surface the results as CloudWatch metrics. You could, for example, monitor your web server's log files for 404 errors to detect bad inbound links or invalid user messages to detect unauthorized login attempts to your guest OS.

Like all AWS Services, Amazon CloudWatch requires that every request made to its control API be authenticated so only authenticated users can access and manage CloudWatch. Requests are signed with an HMAC-SHA1 signature calculated from the request and the user's private key. Additionally, the Amazon CloudWatch control API is only accessible via SSL-encrypted endpoints.

You can further control access to Amazon CloudWatch by creating users under your AWS Account using AWS IAM, and controlling what CloudWatch operations these users have permission to call.
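As an added illustration of the log-monitoring idea above (example code written for this page, not part of the whitepaper), the following Python scans constructed web-server access and sshd log lines for 404 responses and "Invalid user" messages, and applies a per-source threshold the way a metric-filter alarm would; the log lines and IP addresses are constructed samples.

```python
"""Added example (not from the whitepaper): turn raw guest-OS and web-server
log lines into the kind of counts a CloudWatch metric filter would surface,
and evaluate an alarm threshold over them."""
import re
from collections import Counter

# Constructed sample log lines; the IPs are documentation ranges, not real hosts.
ACCESS_LOG = """\
203.0.113.7 - - [25/May/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/May/2020:12:00:02 +0000] "GET /old-page.html HTTP/1.1" 404 169 "http://partner.example/links" "Mozilla/5.0"
198.51.100.4 - - [25/May/2020:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "curl/7.68.0"
203.0.113.7 - - [25/May/2020:12:00:04 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [25/May/2020:12:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "curl/7.68.0"
"""

AUTH_LOG = """\
May 25 12:00:05 ip-10-0-0-5 sshd[2201]: Invalid user admin from 198.51.100.4 port 51234
May 25 12:00:06 ip-10-0-0-5 sshd[2201]: Failed password for invalid user admin from 198.51.100.4 port 51234 ssh2
May 25 12:00:07 ip-10-0-0-5 sshd[2205]: Invalid user oracle from 198.51.100.4 port 51240
May 25 12:00:09 ip-10-0-0-5 sshd[2210]: Accepted publickey for ec2-user from 203.0.113.7 port 50022 ssh2
May 25 12:00:11 ip-10-0-0-5 sshd[2214]: Invalid user test from 192.0.2.9 port 40100
"""

# Combined-log-format access line: client, timestamp, request line, status, size, referer.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# sshd logs "Invalid user" when the requested login name does not exist on the host.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def http_404s(log: str):
    """Return (ip, path, referer) for every 404 response, like a filter on status 404."""
    hits = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("status") == "404":
            hits.append((m.group("ip"), m.group("path"), m.group("referer")))
    return hits


def bad_inbound_links(log: str):
    """404s that carried a Referer: some other page links to a path that no longer exists."""
    return [(path, ref) for _ip, path, ref in http_404s(log) if ref not in ("", "-")]


def invalid_user_attempts(log: str) -> Counter:
    """Count sshd 'Invalid user' messages per source IP (the guest-OS login metric)."""
    counts = Counter()
    for line in log.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def alarm_sources(counts: Counter, threshold: int):
    """Sources whose count reached the threshold, the way an alarm enters the ALARM
    state when the metric crosses the configured value in the evaluation period."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("404s:", http_404s(ACCESS_LOG))
    print("bad inbound links:", bad_inbound_links(ACCESS_LOG))
    print("invalid-user alarms:", alarm_sources(invalid_user_attempts(AUTH_LOG), 2))
```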
AWS CloudHSM Security

The AWS CloudHSM service provides customers with dedicated access to a hardware security module (HSM) appliance designed to provide secure cryptographic key storage and operations within an intrusion-resistant, tamper-evident device. You can generate, store, and manage the cryptographic keys used for data encryption so that they are accessible only by you. AWS CloudHSM appliances are designed to securely store and process cryptographic key material for a wide variety of uses such as database encryption, Digital Rights Management (DRM), Public Key Infrastructure (PKI), authentication and authorization, document signing, and transaction processing. They support some of the strongest cryptographic algorithms available, including AES, RSA, and ECC, and many others.

The AWS CloudHSM service is designed to be used with Amazon EC2 and VPC, providing the appliance with its own private IP within a private subnet. You can connect to CloudHSM appliances from your EC2 servers through SSL/TLS, which uses two-way digital certificate authentication and 256-bit SSL encryption to provide a secure communication channel.

Selecting CloudHSM service in the same region as your EC2 instance decreases network latency, which can improve your application performance. You can configure a client on your EC2 instance that allows your applications to use the APIs provided by the HSM, including PKCS#11, MS CAPI and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions).

Before you begin using an HSM, you must set up at least one partition on the appliance. A cryptographic partition is a logical and physical security boundary that restricts access to your keys, so only you control your keys and the operations performed by the HSM.
AWS has administrative credentials to the appliance, but these credentials can only be used to manage the appliance, not the HSM partitions on the appliance. AWS uses these credentials to monitor and maintain the health and availability of the appliance. AWS cannot extract your keys nor can AWS cause the appliance to perform any cryptographic operation using your keys.

The HSM appliance has both physical and logical tamper detection and response mechanisms that erase the cryptographic key material and generate event logs if tampering is detected. The HSM is designed to detect tampering if the physical barrier of the HSM appliance is breached. In addition, after three unsuccessful attempts to access an HSM partition with HSM Admin credentials, the HSM appliance erases its HSM partitions.

When your CloudHSM subscription ends and you have confirmed that the contents of the HSM are no longer needed, you must delete each partition and its contents as well as any logs. As part of the decommissioning process, AWS zeroizes the appliance, permanently erasing all key material.

AWS CloudTrail Security

AWS CloudTrail provides a log of user and system actions affecting AWS resources within your account. For each event recorded, you can see what service was accessed, what action was performed, any parameters for the action, and who made the request. For mutating actions, you can see the result of the action. Not only can you see which one of your users or services performed an action on an AWS service, but you can see whether it was as the AWS root account user or an IAM user, or whether it was with temporary security credentials for a role or federated user.

CloudTrail captures information about API calls to an AWS resource, whether that call was made from the AWS Management Console, CLI, or an SDK.
If the API request returned an error, CloudTrail provides the description of the error, including messages for authorization failures. It even captures AWS Management Console sign-in events, creating a log record every time an AWS account owner, a federated user, or an IAM user simply signs into the console.

Once you have enabled CloudTrail, event logs are delivered about every 5 minutes to the Amazon S3 bucket of your choice. The log files are organized by AWS Account ID, region, service name, date, and time. You can configure CloudTrail so that it aggregates log files from multiple regions and/or accounts into a single Amazon S3 bucket. By default, a single trail will record and deliver events in all current and future regions. In addition to S3, you can send events to CloudWatch Logs, for custom metrics and alarming, or you can upload the logs to your favorite log management and analysis solutions to perform security analysis and detect user behavior patterns. For rapid response, you can create CloudWatch Events rules to take immediate action to specific events.

By default, log files are stored indefinitely. The log files are automatically encrypted using Amazon S3's Server Side Encryption and will remain in the bucket until you choose to delete or archive them. For even more security you can use KMS to encrypt the log files using a key that you own. You can use Amazon S3 lifecycle configuration rules to automatically delete old log files or archive them to Amazon S3 Glacier for additional longevity at significant savings. By enabling the optional log file validation, you can validate that logs have not been added, deleted, or tampered with.

Like every other AWS service, you can limit access to CloudTrail to only certain users. You can use IAM to control which AWS users can create, configure, or delete AWS CloudTrail trails as well as which users can start and stop logging. You can control access to the log files by applying IAM or Amazon S3 bucket policies.
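To show what log file validation has to check, here is an added, simplified model of a hash-chained digest (written for this page; it is not CloudTrail's implementation, the field names are assumptions modelled on digest files, and the RSA signature CloudTrail also places on each digest is omitted): each digest records the SHA-256 of the log files it covers and the hash of the previous digest, so a verifier can detect modified, deleted and inserted log files as well as a replaced digest.

```python
"""Added, simplified model of CloudTrail-style log file validation (not
CloudTrail's implementation; field names and the omission of the digest
signature are assumptions). A digest covers a set of log files by hash and
links to the previous digest by hash, forming a chain."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files: dict, previous_digest) -> bytes:
    """Produce a digest document for {name: content} log files; previous_digest
    is the raw bytes of the prior digest, or None for the first one."""
    doc = {
        "hashAlgorithm": "SHA-256",
        "logFiles": [
            {"s3Object": name, "hashValue": sha256_hex(content)}
            for name, content in sorted(log_files.items())
        ],
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
    }
    return json.dumps(doc, sort_keys=True).encode("utf-8")


def validate(digests: list, store: dict) -> list:
    """Walk the digest chain in order and compare it with the log files currently
    in the bucket (store: {name: content}). Returns problem strings; an empty
    list means every file is present, unchanged and accounted for."""
    problems = []
    referenced = set()
    previous = None
    for index, raw in enumerate(digests):
        doc = json.loads(raw)
        expected_link = sha256_hex(previous) if previous is not None else None
        if doc.get("previousDigestHashValue") != expected_link:
            problems.append(f"digest {index}: chain broken (previous digest replaced or missing)")
        for entry in doc["logFiles"]:
            name = entry["s3Object"]
            referenced.add(name)
            content = store.get(name)
            if content is None:
                problems.append(f"{name}: deleted")
            elif sha256_hex(content) != entry["hashValue"]:
                problems.append(f"{name}: modified")
        previous = raw
    # Files in the bucket that no digest vouches for were added out of band.
    for name in sorted(set(store) - referenced):
        problems.append(f"{name}: not covered by any digest (added)")
    return problems


def demo():
    """Constructed scenario: three log files across two digests, then one store
    that is intact and one with a modified, a deleted and an added file."""
    hour1 = {"logs/2020/05/25/1200.json.gz": b"event-a",
             "logs/2020/05/25/1205.json.gz": b"event-b"}
    hour2 = {"logs/2020/05/25/1300.json.gz": b"event-c"}
    d1 = build_digest(hour1, None)
    d2 = build_digest(hour2, d1)
    clean_store = {**hour1, **hour2}
    tampered_store = dict(clean_store)
    tampered_store["logs/2020/05/25/1205.json.gz"] = b"event-b-edited"   # modified
    del tampered_store["logs/2020/05/25/1300.json.gz"]                    # deleted
    tampered_store["logs/2020/05/25/1310.json.gz"] = b"event-x"           # added
    return validate([d1, d2], clean_store), validate([d1, d2], tampered_store)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```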
You can also add an additional layer of security by enabling MFA Delete on your Amazon S3 bucket.

Mobile Services

AWS mobile services make it easier for you to build, ship, run, monitor, optimize, and scale cloud-powered applications for mobile devices. These services also help you authenticate users to your mobile application, synchronize data, and collect and analyze application usage.

Amazon Cognito

Amazon Cognito provides identity and sync services for mobile and web-based applications. It simplifies the task of authenticating users and storing, managing, and syncing their data across multiple devices, platforms, and applications. It provides temporary, limited-privilege credentials for both authenticated and unauthenticated users without having to manage any backend infrastructure.

Amazon Cognito works with well-known identity providers like Google, Facebook, and Amazon to authenticate end users of your mobile and web applications. You can take advantage of the identification and authorization features provided by these services instead of having to build and maintain your own. Your application authenticates with one of the known identity providers using the provider's SDK. Once the end user is authenticated with the provider, an OAuth or OpenID Connect token returned from the provider is passed by your application to Cognito, which returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.

To begin using Amazon Cognito, you create an identity pool through the Amazon Cognito console. The identity pool is a store of user identity information that is specific to your AWS account. During the creation of the identity pool, you will be asked to create a new IAM role or pick an existing one for your end users.
An IAM role is a set of permissions to access specific AWS resources, but these permissions are not tied to a specific IAM user or group. An authorized entity (e.g., mobile user, EC2 instance) assumes a role and receives temporary security credentials for authenticating to the AWS resources defined in the role. Temporary security credentials provide enhanced security due to their short life-span (the default expiration is 12 hours) and the fact that they cannot be reused after they expire. The role you select has an impact on which AWS services your end users will be able to access with the temporary credentials. By default, Amazon Cognito creates a new role with limited permissions: end users only have access to the Amazon Cognito Sync service and Amazon Mobile Analytics. If your application needs access to other AWS resources such as Amazon S3 or DynamoDB, you can modify your roles directly from the IAM management console.

With Amazon Cognito, there's no need to create individual AWS accounts or even IAM accounts for each one of your web/mobile app's users who will need to access your AWS resources. In conjunction with IAM roles, mobile users can securely access AWS resources and application features, and even save data to the AWS cloud without having to create an account or log in. However, if they choose to do this later, Amazon Cognito merges data and identification information.

Because Amazon Cognito stores data locally as well as in the service, your end users can continue to interact with their data even when they are offline. Their offline data may be stale, but anything they put into the dataset, they can immediately retrieve whether they are online or not. The client SDK manages a local SQLite store so that the application can work even when it is not connected. The SQLite store functions as a cache and is the target of all read and write operations.
Cognito's sync facility compares the local version of the data to the cloud version, and pushes up or pulls down deltas as needed. Note that in order to sync data across devices, your identity pool must support authenticated identities. Unauthenticated identities are tied to the device, so unless an end user authenticates, no data can be synced across multiple devices.

With Amazon Cognito, your application communicates directly with a supported public identity provider (Amazon, Facebook, or Google) to authenticate users. Amazon Cognito does not receive or store user credentials; it receives only the OAuth or OpenID Connect token issued by the identity provider. Once Amazon Cognito receives the token, it returns a new Amazon Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.

Each Amazon Cognito identity has access only to its own data in the sync store, and this data is encrypted when stored. In addition, all identity data is transmitted over HTTPS. The unique Amazon Cognito identifier on the device is stored in the appropriate secure location; on iOS, for example, the Amazon Cognito identifier is stored in the iOS keychain, and user data is cached in a local SQLite database within the application's sandbox. If you require additional security, you can encrypt this identity data in the local cache by implementing encryption in your application.

Amazon Mobile Analytics

Amazon Mobile Analytics is a service for collecting, visualizing, and understanding mobile application usage data. It enables you to track customer behaviors, aggregate metrics, and identify meaningful patterns in your mobile applications. Amazon Mobile Analytics automatically calculates and updates usage metrics as the data is received from client devices running your app and displays the data in the console. You can integrate Amazon Mobile Analytics with your application without requiring users of your app to be authenticated with an identity provider (like Google, Facebook, or Amazon).
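The identity-pool roles described in the Amazon Cognito section above (and the unauthenticated role that Mobile Analytics relies on) are where the security of this flow actually lives: the role's trust policy decides which identity pool, and which branch of it (authenticated or unauthenticated), may assume the role, and the role's permissions policy decides what each identity may touch once it has the temporary credentials. The Python below is an added example, not code from the whitepaper or from AWS. It builds a trust policy pinned to one identity pool through the `cognito-identity.amazonaws.com:aud` and `cognito-identity.amazonaws.com:amr` condition keys, builds an S3 permissions policy that confines each identity to its own prefix through the `${cognito-identity.amazonaws.com:sub}` policy variable (the same per-identity isolation the sync store gives you, extended to a bucket you add to the role), and audits an existing trust policy for the two conditions whose absence lets any identity pool, or unauthenticated guests, assume the role. The pool ID, bucket name and function names are placeholders of my own.

```python
"""Least-privilege role policies for an Amazon Cognito identity pool.

Added example; the identity pool ID and bucket name are placeholders.
"""
import json

COGNITO = "cognito-identity.amazonaws.com"
ASSUME_WEB_IDENTITY = "sts:AssumeRoleWithWebIdentity"


def cognito_role_trust_policy(identity_pool_id, authenticated=True):
    """Trust policy for the role an identity pool hands to its users.

    aud pins the role to one identity pool; amr pins it to either the
    authenticated or the unauthenticated branch of that pool. Without
    both conditions, any identity pool in any AWS account could assume it.
    """
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": COGNITO},
            "Action": ASSUME_WEB_IDENTITY,
            "Condition": {
                "StringEquals": {f"{COGNITO}:aud": identity_pool_id},
                "ForAnyValue:StringLike": {f"{COGNITO}:amr": amr},
            },
        }],
    }


def per_identity_s3_policy(bucket):
    """Permissions policy confining each Cognito identity to its own prefix.

    IAM substitutes the policy variable with the caller's Cognito ID at
    evaluation time, so one policy isolates every user of the pool.
    """
    sub = "${" + COGNITO + ":sub}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{sub}/*"]}},
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{sub}/*",
            },
        ],
    }


def audit_trust_policy(policy, expected_pool_id):
    """List the ways a trust policy lets Cognito assume the role too broadly."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != COGNITO:
            continue  # not a Cognito statement; out of scope here
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if ASSUME_WEB_IDENTITY not in actions and "sts:*" not in actions:
            continue
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(f"{COGNITO}:aud")
        if aud is None:
            findings.append(f"statement {i}: no aud condition, any identity pool can assume this role")
        elif aud != expected_pool_id:
            findings.append(f"statement {i}: aud {aud!r} is not the expected identity pool")
        has_amr = any(
            f"{COGNITO}:amr" in values
            for key, values in cond.items()
            if key.startswith("ForAnyValue:String")
        )
        if not has_amr:
            findings.append(f"statement {i}: no amr condition, unauthenticated identities may assume this role")
    return findings


if __name__ == "__main__":
    POOL = "us-east-1:11111111-2222-3333-4444-555555555555"  # placeholder pool ID
    trust = cognito_role_trust_policy(POOL)
    print(json.dumps(trust, indent=2))
    print(json.dumps(per_identity_s3_policy("app-user-data"), indent=2))
    loose = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": COGNITO},
        "Action": ASSUME_WEB_IDENTITY}]}  # constructed: no Condition block at all
    print(audit_trust_policy(trust, POOL))   # []
    print(audit_trust_policy(loose, POOL))   # two findings
```

The audit deliberately treats a missing `amr` condition as a finding even on the authenticated role: the unauthenticated branch of the same pool is a separate role for a reason, and a trust policy that does not name the branch lets a guest identity assume the authenticated role.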
For these unauthenticated users, Mobile Analytics works with Amazon Cognito to provide temporary, limited-privilege credentials. To do this, you first create an identity pool in Amazon Cognito. The identity pool will use IAM roles, which is a set of permissions not tied to a specific IAM user or group but which allows an entity to access specific AWS resources. The entity assumes a role and receives temporary security credentials for authenticating to the AWS resources defined in the role. By default, Amazon Cognito creates a new role with limited permissions: end users only have access to the Amazon Cognito Sync service and Amazon Mobile Analytics. If your application needs access to other AWS resources such as Amazon S3 or DynamoDB, you can modify your roles directly from the IAM management console.

You can integrate the AWS Mobile SDK for Android or iOS into your application or use the Amazon Mobile Analytics REST API to send events from any connected device or service and visualize data in the reports. The Amazon Mobile Analytics API is only accessible via an SSL/TLS-encrypted endpoint (https://mobileanalytics.us-east-1.amazonaws.com).

Applications

AWS applications are managed services that enable you to provide your users with secure, centralized storage and work areas in the cloud.

Amazon WorkSpaces

Amazon WorkSpaces is a managed desktop service that allows you to quickly provision cloud-based desktops for your users. Simply choose a Windows 7 bundle that best meets the needs of your users and the number of WorkSpaces that you would like to launch. Once the WorkSpaces are ready, users receive an email informing them where they can download the relevant client and log into their WorkSpace. They can then access their cloud-based desktops from a variety of endpoint devices, including PCs, laptops, and mobile devices.
However, no data is stored on the user device, because Amazon WorkSpaces uses PC-over-IP (PCoIP), which provides an interactive video stream without transmitting actual data. The PCoIP protocol compresses, encrypts, and encodes the users' desktop computing experience and transmits "pixels only" across any standard IP network to end user devices.

In order to access their WorkSpace, users must sign in using a set of unique credentials or their regular Active Directory credentials. When you integrate Amazon WorkSpaces with your corporate Active Directory, each WorkSpace joins your Active Directory domain and can be managed just like any other desktop in your organization. This means you can use Active Directory Group Policies to manage your users' WorkSpaces and to specify configuration options that control the desktop. If you choose not to use Active Directory or another type of on-premises directory to manage your user WorkSpaces, you can create a private cloud directory within Amazon WorkSpaces that you can use for administration.

To provide an additional layer of security, you can also require the use of multi-factor authentication upon sign-in in the form of a hardware or software token. Amazon WorkSpaces supports MFA using an on-premises Remote Authentication Dial-In User Service (RADIUS) server or any security provider that supports RADIUS authentication. It currently supports the PAP, CHAP, MS-CHAPv1, and MS-CHAPv2 protocols, along with RADIUS proxies. With PAP the token code travels in the RADIUS User-Password attribute, protected only by the MD5-based obfuscation RADIUS derives from the shared secret, so the path between the WorkSpaces directory and the RADIUS server should be a trusted network or a VPN tunnel.

Each WorkSpace resides on its own EC2 instance within a VPC. You can create WorkSpaces in a VPC you already own or have the WorkSpaces service create one for you automatically using the WorkSpaces Quick Start option.
When you use the Quick Start option, WorkSpaces not only creates the VPC, but it performs several other provisioning and configuration tasks for you, such as creating an Internet Gateway for the VPC, setting up a directory within the VPC that is used to store user and WorkSpace information, creating a directory administrator account, creating the specified user accounts and adding them to the directory, and creating the WorkSpace instances. Or the VPC can be connected to an on-premises network using a secure VPN connection to allow access to an existing on-premises Active Directory and other intranet resources.

You can add a security group that you create in your Amazon VPC to all the WorkSpaces that belong to your Directory. This allows you to control network access from Amazon WorkSpaces in your VPC to other resources in your Amazon VPC and on-premises network.

Persistent storage for WorkSpaces is provided by Amazon EBS and is automatically backed up twice a day to Amazon S3. If WorkSpaces Sync is enabled on a WorkSpace, the folder a user chooses to sync will be continuously backed up and stored in Amazon S3. You can also use WorkSpaces Sync on a Mac or PC to sync documents to or from your WorkSpace so that you can always have access to your data regardless of the desktop computer you are using.

Because WorkSpaces is a managed service, AWS takes care of several maintenance tasks like daily backups and patching. Updates are delivered automatically to your WorkSpaces during a weekly maintenance window. You can control how patching is configured for a user's WorkSpace. By default, Windows Update is turned on, but you have the ability to customize these settings, or use an alternative patch management approach if you desire. For the underlying OS, Windows Update is enabled by default on WorkSpaces, and configured to install updates on a weekly basis.
You can use an alternative patching approach or configure Windows Update to perform updates at a time of your choosing. You can use IAM to control who on your team can perform administrative functions like creating or deleting WorkSpaces or setting up user directories. You can also set up a WorkSpace for directory administration, install your favorite Active Directory administration tools, and create organizational units and Group Policies in order to more easily apply Active Directory changes for all your WorkSpaces users.

Amazon WorkDocs

Amazon WorkDocs is a managed enterprise storage and sharing service with feedback capabilities for user collaboration. Users can store any type of file in a WorkDocs folder and allow others to view and download them. Commenting and annotation capabilities work on certain file types such as MS Word, and without requiring the application that was used to originally create the file. WorkDocs notifies contributors about review activities and deadlines via email and performs versioning of files that you have synced using the WorkDocs Sync application.

User information is stored in an Active Directory-compatible network directory. You can either create a new directory in the cloud, or connect Amazon WorkDocs to your on-premises Active Directory. When you use the WorkDocs Quick Start setup, it also creates a directory administrator account with the administrator email as the username. An email is sent to your administrator with instructions to complete registration. The administrator then uses this account to manage your directory. When you create a cloud directory using the WorkDocs Quick Start setup, it also creates and configures a VPC for use with the directory. If you need more control over the directory configuration, you can choose the standard setup, which allows you to specify your own directory domain name, as well as one of your existing VPCs to use with the directory.
If you want to use one of your existing VPCs, the VPC must have an Internet gateway and at least two subnets. Each of the subnets must be in a different Availability Zone. Using the Amazon WorkDocs Management Console, administrators can view audit logs to track file and user activity by time, IP address, and device, and choose whether to allow users to share files with others outside their organization. Users can then control who can access individual files and disable downloads of files they share.

All data in transit is encrypted using industry-standard SSL/TLS. The WorkDocs web and mobile applications and desktop sync clients transmit files directly to Amazon WorkDocs using SSL/TLS. WorkDocs users can also utilize Multi-Factor Authentication (MFA) if their organization has deployed a RADIUS server. MFA uses the following factors: username, password, and the methods supported by the RADIUS server. The protocols supported are PAP, CHAP, MS-CHAPv1, and MS-CHAPv2. You choose the AWS Region where each WorkDocs site is located. WorkDocs is currently available in the US-East (Virginia), US-West (Oregon), and EU (Ireland) AWS Regions. All files, comments, and annotations stored in WorkDocs are automatically encrypted with AES-256 encryption.

Document Revisions

March 2020: Updated compliance certifications, hypervisor, AWS Snowball.
February 2019: Added information about deleting objects in Amazon S3 Glacier.
December 2018: Edit made to the Amazon Redshift Security topic.
May 2017: Added section on AWS Config Security Checks.
April 2017: Added section on Amazon Elastic File System.
March 2017: Migrated into new format.
January 2017: Updated regions.

Memo

If this information is required in an alternate format, please contact the Accessibility Co-ordinator at 905-623-3379 ext. 2131

To: Mayor Foster and Members of Council; Andy Allison, CAO
From: George Acorn, Director of Community Services
Date: May 22, 2020
Subject: CSD-004-20 Community Grant Requests
File:

During the deliberations of the above noted Report at the May 11, 2020 General Government Committee, the following was carried:

That Resolution #GG-092-20 be referred to the Council meeting of May 25th for Staff to report on whether any of the capital items requested by the hall boards would fall within the [illegible] envelope.

Each year as we review the grant request applications, we share the information received from all Hall Boards with the Operations Department. The purpose is to determine if any of the items requested would be considered capital expenses, and therefore would be the responsibility of the Municipality. All capital related requests would be deemed ineligible under the Community Grant Program.

Staff have again reviewed all Community Hall requests and confirmed they do not include any capital related expenses and are eligible under the Community Grant Program. Specifically, the request from the Tyrone Community Centre is for portable air conditioning units that are classified as an operating expense.

Subsequent to the above direction, Resolution #GG-097-20 was carried, as follows:

That the remaining Grant Requests listed in Report CSD-004-20, be referred to the Regular General Government Committee Meeting dated June 22, 2020.

We will be providing a subsequent report that will be on the agenda for the June 22 meeting. I trust this memorandum provides some clarity for Council to assist their future deliberations of this item.
Regards,
George Acorn
Director of Community Services

The Corporation of the Municipality of Clarington, 40 Temperance Street, Bowmanville ON L1C 3A6, 905-623-3379

Clarington Memo
Planning Services Department

To: Mayor and Members of Council
Cc: CAO and Department Heads
From: Carlo Pellarin, Manager, Development Review
Date: May 22, 2020
Subject: Report PSD-015-020 — Proposed Official Plan Amendment and Rezoning to Implement the Bowmanville Neighbourhood Character Study

While discussing Report PSD-015-020 at the Planning and Development Committee Meeting on May 19, 2020, Staff agreed to provide Council with a memo, including illustrations to show how garages and parking can be accommodated based on the proposed regulations contained in the Zoning By-law amendment. This memo also addresses a question that came up about porch depths and comments provided by delegates regarding height.

Attached are illustrations of 9 metre (29.5 foot) semi-detached dwelling lots and 12 (39.3 ft), 15 (49.2 ft) and 16 (52.4 ft) metre lots for single detached dwellings. Different scenarios are provided to depict how parking spaces can be accommodated with attached, detached and no garages. Most garages have been shown with a double car depth, which is a design option that can provide either two parking spaces or storage and a parking space. A 30 metre (98.4 ft) lot depth was assumed. This is a conservative depth measurement for the area, which has lots averaging depths of 40 metres. Each scenario complies with the proposed lot coverage, landscape open space, side and rear yard setbacks and size of garage doors in relation to the lot frontage. Front yard setbacks can vary in the subject area as the minimum setback is proposed to be within two metres of the established building line, or the average house setback generally for the block.
An illustration is also provided depicting a porch. The General Provisions of Zoning By-law 84-63 allow for porches and steps to project into the front yard by 1.5 metres (4.9 ft). The proposed zoning allows for a house to be set back an additional 2 metres (6.5 ft) from the established building line; therefore there would be the potential depth of 3.5 metres (11.4 ft) for a porch. In greenfield areas the Zoning By-law allows for a setback of 2 metres (6.5 ft) to a porch. It must be recognized that a projection is from the minimum front yard setback; if a dwelling is set back further it can still project 1.5 m into the yard.

The delegates commented that an 8 metre maximum height makes it difficult to construct a 2-storey dwelling. While staff believe it is possible to construct a 2-storey dwelling with an 8 m maximum height, to provide more flexibility the by-law has been amended to permit a maximum height of 8.5 metres for all three study areas. This would still maintain the intent of the zoning amendment. A second modification is to replace the term "street line" with "front line" in the new definition of fixed grade used for measuring building height. This ensures that on a corner lot, height is always measured from the front lot line and not the exterior lot line.

We are not proposing any additional changes to the proposed zoning by-law amendment at this time. Rather, we reaffirm that the recommendations are based on the work done by MHBC and the comments we heard from the public through the walking tours, open houses and the public meeting. The proposed regulations are intended to balance maintaining character while allowing investment and redevelopment that fits with the existing neighbourhood. Staff will monitor the implementation of the regulations to determine if revisions are necessary to strike a better balance going forward.
If that is the case, staff can either initiate an amendment, or incorporate revisions into the new Zoning By-law through the ZONE Clarington project.

Sincerely,
Carlo Pellarin

Corporation of the Municipality of Clarington
By-law Number 20

being a By-law to amend By-law 84-63, the Comprehensive Zoning By-law for the Corporation of the Municipality of Clarington

Whereas the Council of the Corporation of the Municipality of Clarington deems it advisable to amend By-law 84-63, as amended, of the Corporation of the Municipality of Clarington for ZBA 2019-0019;

Now Therefore Be It Resolved That, the Council of the Corporation of the Municipality of Clarington enacts as follows:

1. Section 12. Urban Residential Type One (R1) Zone is amended by adding a new section 12.2.1 as follows:

"12.2.1 Neighbourhood Character Overlay

The following alternate regulations shall apply to the "Urban Residential Type One (R1) Residential Zone" and all special exceptions to that zone located within the Neighbourhood Character Overlay identified on Schedule '3':

a. For the purpose of Section 12.2.1, the term:
i) Height of Dwelling means the vertical distance, measured between the lowest fixed grade, and
a) In the case of a flat roof, the highest point of the roof surface,
b) In the case of a mansard roof, the deck roof line, and
c) In the case of a gable, hip or gambrel roof, the average height between the eaves and the ridge.
ii) Established building line means the average yard setback from the street line to existing principal buildings on one side of the street measured a minimum of four lots on either side of the lot within the same zone category.
iii) Fixed grade means the elevation of the ground at the front line measured at the midpoint of a lot.
iv) Soft landscaping means the portion of a lot comprised of any combination of flowers, grass, shrubs, sod, trees or other horticultural elements that is not covered with impervious surfaces.
It does not include any buildings or structures, any hard surface areas such as, but not limited to, driveways, parking areas, decorative stonework, walkways, patios, screening or other landscape architectural elements.

b. Yard Requirements
i) Front Yard and Exterior Side Yard
a) 6.0 metres minimum to the garage or carport
b) Minimum to the dwelling is the established building line
c) Maximum to the dwelling is 2.0 metres from the established building line
ii) Interior Side Yard (minimum)
a) 3.0 metres on one side where there is no attached garage;
b) 1.2 metres for dwellings 1.5 storeys or less; and
c) 1.8 metres for dwellings greater than 1.5 storeys

c. Lot Coverage (maximum)
i) For dwellings 1.5 storeys or less: 35 percent
ii) For dwellings greater than 1.5 storeys: 30 percent
iii) A covered and unenclosed porch/balcony having no habitable floor space above it is excluded from the maximum lot coverage subject to the following:
a) In the case of an interior lot, the maximum total area of 12.0 square metres is permitted within the front yard.
b) In the case of an exterior lot, the maximum total area of 20.0 square metres is permitted within the front yard and/or exterior side yard.

d. Landscaped Open Space (minimum)
i) Overall: 40 percent
ii) Front yard: 50 percent, which must be soft landscaping

e. Building Height (maximum): 8.5 metres

f. Special Regulations
i) The maximum permitted width of a garage door is 3 metres and the combined width of garage doors on an attached garage shall not exceed 6 metres and the following, whichever is less:
a) Where facing the exterior side lot line for all dwellings: 25 percent of the exterior side lot line
b) Where facing the front lot line for single detached dwellings: 25 percent of the front lot line
c) Where facing the front lot line for semi-detached dwellings: 35 percent of the front lot line
ii) A garage or carport door opening shall be set back a minimum of 1.0 metres from the front or exterior side wall of the dwelling.
iii) Height of floor deck of an unenclosed porch above finished grade must not exceed 1.0 metres.
iv) Entrances for an apartment-in-house can be in the front yard through a common entrance with the principal dwelling. Where a separate entrance is provided it must be in the side or rear yard.

g. Exceptions
i) Minimum front yard setback for a garage at 73 and 74 Lambs Lane is 9.8 metres.
ii) Maximum lot coverage for a single detached dwelling at 79 Division Street is 43 percent.
iii) Notwithstanding 12.2.1 b. i) c., c. i), d. ii), and f. ii), 10 Victoria Street shall be subject to the following zone regulations:
a. Front yard setback (maximum): 6.5 metres
b. Lot coverage (maximum): 43 percent
c. Front yard landscape open space (minimum): 35 percent
d. A garage door may not extend in front of the front wall of the dwelling."

2. Section 26 is amended by adding a new section 26.8 as follows:

"26.8 Overlay Zones
In addition to the permitted uses and zoning regulations for each zone there are Overlay Zones. Where applied the Overlay Zones are read together with the zone regulations. In the event of conflict, the more restrictive regulation applies except in the case of a special exception. The Overlay Zones are shown on the Schedules to this By-law."

3. Schedule '3' to By-law 84-63, as amended, is hereby further amended by adding the "Neighbourhood Character Overlay" as illustrated on the attached Schedule 'A' hereto.

4. Schedule 'A' attached hereto shall form part of this By-law.

5. This By-law shall come into effect on the date of the passing hereof, subject to the provisions of Section 34 of the Planning Act.

By-Law passed in open session this ___ day of ___, 20__

Adrian Foster, Mayor
C. Anne Greentree, Municipal Clerk

This is Schedule "A" to By-law 2020-___, passed this ___ day of ___ 2020 A.D.
[Map: Neighbourhood Character Overlay; legend: Commercial, Industrial, Residential; Bowmanville, ZBA 2019-0019, Schedule 3]
Adrian Foster, Mayor
C. Anne Greentree, Municipal Clerk

[Illustrations attached to the Planning Services memo; recoverable labels only:
- 12.0 m interior lot, 2 storey (1.8 m setbacks) with attached garage: building area 109.80 sq m, lot coverage 29.5%, garage door width 25%
- 12.0 m interior lot, 1.5 storey (1.2 m setbacks) with attached garage
- 12.0 m interior lot, 2 storey (1.8 m setbacks) with 2-car detached garage: building area 69.93 + 41.4 = 111.33 sq m, lot coverage 29.9%
- 12.0 m interior lot, 1.5 storey (1.2 m setbacks) with 2-car detached garage: building area 88.32 + 41.4 = 129.72 sq m, lot coverage 34.8%
- 15.0 m interior lot, 2 storey (1.8 m setbacks) with detached garage: building area 117.18 + 21.6 = 138.78 sq m, lot coverage 29.8%
- 15.0 m interior lot, 1.5 storey (1.2 m setbacks) with tandem 2-car garage: building area 160.65 sq m, lot coverage 34.5%, garage door width 20%
- 15.0 m interior lot, 2 storey (1.8 m setbacks) with tandem 2-car garage: building area 139.44 sq m, lot coverage 29.98%, garage door width 20%
- Semi-detached lot scenarios: garage door width 33%; lot coverage 23.9%, 29.6% and 29.4% (one value illegible); one scenario shows an attached garage addition
- Porch illustration, interior lot: front wall of dwelling a maximum 2.0 m from the established building line, maximum porch projection, porch coverage 12 sq m, landscaped open space 58.5%]

May 13, 2020

The Honourable Bill Morneau
Minister of Finance
House of Commons
Ottawa, ON K1A 0A6
via email: Bill.Morneau@parl.gc.ca

Dear Honourable Sir:

Re: Resolution Requesting Grant Support for Municipalities

The Corporation of The Township of Brock, 1 Cameron St. E., P.O. Box 10, Cannington, ON L0E 1E0, 705-432-2355

Please be advised that the Council of the Township of Brock, at their meeting held on May 11, 2020, upon consideration of the attached report, the loss of investment revenue with respect to the Covid-19 pandemic, and the anticipated cost sharing from the upper tier municipality which would affect future municipal budgets, adopted the following resolution:

Resolution Number 16-4
MOVED by Walter Schummer and SECONDED by W.E. Ted Smith
That staff Report: 2020-CO-12, COVID-19 Financial Impact in the First Six Weeks be received;
And further, that Council request that the federal and provincial governments provide operating support for municipalities through municipality-specific grants.
MOTION CARRIED

Should you have any concerns, please do not hesitate to contact the undersigned.

Yours truly,
THE TOWNSHIP OF BROCK
Becky Jamieson
Municipal Clerk
BJ:dh
Encl.

If this information is required in an accessible format please contact the Township at 705-432-23

cc.
The Honourable Rod Phillips, Minister of Finance, via email: Minister.fin@ontario.ca
The Honourable Laurie Scott, MPP, Kawartha Lakes-Haliburton-Brock, via email: laurie.scottco@pc.ola.org
Jamie Schmale, MP, Kawartha Lakes-Haliburton-Brock, Jamie.Schmale.C1@parl.gc.ca
Durham Region Municipalities

THE CORPORATION OF THE TOWNSHIP OF BROCK
Finance Department
Treasurer to Council
Report: 2020-CO-12
Date: May 11, 2020

SUBJECT
COVID-19 — Financial Impact in the First Six Weeks

RECOMMENDATION
1. That staff report 2020-CO-12, COVID-19 Financial Impacts in the First Six Weeks be received;
2. And further, that Council request the federal and provincial governments provide operating support for municipalities through municipality-specific grants.

ATTACHMENTS
None

REPORT

Background

The following is a recap of 2020 key dates and actions associated with the emergence of the COVID-19 public health emergency in Canada and Ontario:

January 30 - The World Health Organization declares the outbreak of COVID-19 a public health event of international concern.

March 11 - The World Health Organization declares the global outbreak of COVID-19 a pandemic.

March 13 - The Province of Ontario announces the closure of all public schools for two weeks after March Break, and the Government of Canada recommends against non-essential travel outside of Canada (including the United States), and self-isolation for 14 days upon return.

This report is available in alternate formats. Please contact the Clerk's Department at 705-432-2355.

March 13 - The Township's senior management staff including the Executive Director of the Township of Brock Public Library met with Mayor Debbie Bath-Hadden to discuss the Township's response to the pandemic. The group made the decision to cancel the March Break Day Camp Program; cancel Library programing for three weeks; cancel recreation programing; close all public facilities and arenas for three weeks.
Closures were to take effect immediately and stay in place until April 6. Refunds were to be processed for any rentals or programs that would be cancelled due to the closing of these facilities and cancelation of these programs.

March 16 - The Township's offices were closed to the public, with staff practicing social distancing while in the building and Council meeting briefly to pass a motion allowing the CAO and Mayor the authority to make certain decisions during this time without the need of a council meeting.

March 17 - The Government of Ontario announced it was declaring an emergency in the Province under section 7.0.1(1) of the Emergency Management and Civil Protection Act and has implemented measures to control the spread of COVID-19. The Province has since issued orders under the Emergency Management and Civil Protection Act (EMCPA) that impact the Township. These include (1) the closure of all facilities providing indoor recreation programs, including community centres and libraries; (2) the closure of all non-essential businesses (not municipalities); (3) a prohibition of organized events and social gatherings of more than five people; (4) closure of all outdoor playgrounds and recreational areas; and (5) granting provincial offences officers including Municipal Law Enforcement Officers the ability to enforce provincial orders.

March 24 - The Regional Municipality of Durham and the Township of Brock both officially declared a state of emergency. The Township's Emergency Operational Centre was officially opened, with regular virtual meetings being held to discuss the ongoing emergency and authorize actions needed. The Township has adapted the delivery of services across the Corporation to ensure compliance with the Orders.
The adaptations include the following:
- Closure of all community buildings until further notice;
- Closure of playgrounds and outdoor amenities;
- Installation of signage specific to the closures in all locations impacted;
- Partnership with Durham Regional Police Services (DRPS) and By-Law Enforcement Officers to enforce Provincial Orders;
- Re-deploying full time staff to other locations to facilitate social distancing;
- Lay off of casual staff and part time staff not required due to facility closures;
- Adjustment to levels of service in response to COVID-19 related closures;
- Limiting the number of staff in the Administration building to allow for social distancing;
- Allowing administration staff to work from home when possible;
- Implementation of a complete burn ban in the Township;
- Livestreaming Council meetings to ensure public access; and
- Implementing a new website section for communicating information related to COVID-19 and the Township's response to the public.

Engagement with the Community

The Township has made communications and engagement a priority from the outset of this pandemic. In response, staff immediately implemented a two-pronged emergency communications strategy utilizing both electronic and traditional tactics. The Township started providing specific COVID-19 Updates via our e-newsletter, which were shared on our website and social media platforms (Twitter and Facebook) as well as advertised through the Brock Voice. In order to ensure we were reaching those residents who do not have access to technology, we have been utilizing our bi-weekly advertisement in the Brock Citizen to provide COVID specific updates to residents and posted posters in prominent places. A dedicated COVID-19 landing page has been created on our website (www.townshipofbrock.ca/COVID-19) and just recently, we launched a dedicated COVID-19 newsfeed which residents can subscribe to.
Several public engagement initiatives and communications have been developed, including:
- Notice to Seasonal Residents and tourists;
- Videos from the Mayor on COVID-19 specific topics;
- Brock ... We are in This Together Stay At Home handout;
- Regional #DurhamStrong campaign;
- #BeKind Social Media Campaign;
- Regional #StayHome Campaign;
- Fraudster Information; and
- Brock ... A Community That Cares Weekly Communication (the first one was shared over 10,000 times).

The Township continues to engage with our counterparts in other levels of government, as well as the Region of Durham and area municipalities, and share important information with our residents. Staff will continue to work with our counterparts to ensure all relevant information is disseminated to our community.

Staffing Resources

In response to decisions made by the upper levels of government and public health authorities, the Township implemented certain measures to protect staff while maintaining critical services. These measures include the implementation of systems to encourage social distancing and providing the technology for staff to work from home when possible. Management met with the Union to develop a plan to keep all full time unionized staff working by redeploying some to assist with arena maintenance, while those still in the works depot were assigned vehicles where it was possible for each employee to ride alone rather than in pairs. This plan allows for proper social distancing while allowing staff to continue to address essential tasks.

Management also worked with Information Technology (IT) staff to set up devices that would allow staff working in the Municipal Administration building to work remotely. The building is staffed most days with one person from each department. This person deals with issues that cannot be dealt with remotely and is able to practice proper social distancing due to the limited number of coworkers present.
By providing secure VPN access to the internal IT networks and the use of Township spare cell phones, staff have been able to effectively continue their regular work remotely.

Measures and actions have also been taken to take every reasonable precaution for the protection of our employees, as required by the Occupational Health & Safety Act. These include limiting access by the public or third parties to Township facilities. The installation of a door bell unit allows for deliveries or critical prearranged appointments to continue in a controlled setting. Additional personal protective equipment and supplies have been ordered for the use of front-line staff. Stations have been set up for staff to allow for self-temperature testing and sanitizing. These practices, along with a reporting protocol for illness, are intended to ensure the safety of workers.

In an effort to allow for proper social distancing and keep controllable costs to a minimum, it was necessary to lay off casual, contract and temporary part time staff in most departments. This included:
- 8 Crossing Guards not required due to school closures;
- 5 Casual Labourers working in the arenas that were closed before the end of the normal ice season;
- 9 Rink workers that were not needed once the arenas were closed;
- 1 Cleaner who was not required for a closed rental facility; and
- 6 part time Library employees that were not required with the facilities closed.

While some of these employees would have been laid off at the end of the season, they were let go ahead of time due to the facility closures. In addition to the layoffs related to closures, there were three employees who left the Township's employ during this period. The vacancies created in these positions are currently not being filled; however, senior management is constantly monitoring staff levels and may have to fill one or more of these vacancies depending on the length of the state of emergency.
The Township's Senior Management Team continues to closely track the availability of meaningful work to ensure our staffing response is appropriate. This is being done with consideration to the Township's fiduciary responsibility to taxpayers.

Financial Implications

The Township continues to monitor and track the financial impacts and pressures from the COVID-19 pandemic. It must be stated that financial goals are secondary to following direction and advice from public health officials regarding the health and safety of the community and residents. Due to the cost control measures taken by the Township early in this emergency, immediate financial impacts in the first six weeks appear minimal. The loss in revenues associated with the early closure of the Arenas is offset by the savings realized due to the layoff of casual/part time staff. The cancellation of the March Break Day Camp Program allowed the Township to avoid the cost of hiring part time staff to run the camp, with no impact to the budget. In looking at the overall payroll related accounts, the Township was able to save almost $150,000 in total costs when compared to the same time in 2019. Part of these savings relates to the COVID-19 layoffs and part to the change in staffing complement compared to 2019. These savings will help offset the added costs incurred by the Township for enforcement of the closures ordered by the Province, additional signage to help keep the public informed of closures, personal protective equipment and cleaning supplies, and improvements to the IT infrastructure necessary to facilitate working from home.

Should the closures remain in effect for another six weeks, it is anticipated that they will have the following effects:
- Loss of Investment revenue — April was already showing a significant decline, with revenue posted being one third of that reported in March. To date the loss over last year is just over $14,000.
- Loss in Interest and Penalty Revenue — Although the amount shown at the end of April is about $12,000 lower than last year, this is due to improved collection of outstanding taxes. The May 1st penalty of just over $35,000 was waived by Council in an effort to assist property owners through this emergency. It is anticipated that the June 1st waiver could be close to the same amount.
- Treasury staff report that an additional $500 in service fees, mostly related to NSF charges, has been waived to assist taxpayers. The number of these waived fees is expected to continue to increase as the duration of the emergency is extended.
- A delay in hiring casual staff for summer maintenance (grass cutting and outdoor maintenance) has the potential of saving the Township approximately $5,000 per week; however, the work normally performed by these casuals would need to be done by the Township's full time staff. Any delay in hiring has the potential of impacting the completion of projects planned for 2020.

When compared to other municipalities in the Region of Durham, the Township's impact to date is relatively minor. Most other locals are dealing with significant financial costs associated with having year round recreation facilities, offering a much higher level of programming, closed to the public. The Region of Durham is also dealing with significant financial costs for the added levels of service required during the pandemic in the areas related to Public Health, Long Term Care, Social Services, Policing, Transit, etc. These additional costs will be shared by all the lower tier municipalities in subsequent years' budgets if additional funding from the Province and the Federal government is not made available. Management for the Township of Brock has taken measures to limit spending when possible and is tracking the costs directly related to the emergency.
The Township is also proceeding with many of the capital projects approved in the 2020 budget in an effort to help stimulate the economy. The management group continues to look at ways to further support property owners while providing services essential to the community.

Conclusion

The Township, like all other municipalities in Canada, is dealing with the financial realities of the COVID-19 virus. Management will continue to act swiftly and decisively in response to the important directives of the government and public health officials.

Respectfully submitted,
Laur. B, CPA, CMA
Treasurer

Reviewed by,
Robert Lamb, Ec.D., CEcD
Chief Administrative Officer/Deputy Clerk

OFFICE OF THE MAYOR, CITY OF OSHAWA
OSHAWA, ONTARIO, CANADA
MAYOR DAN CARTER
50 CENTRE STREET SOUTH, OSHAWA, ONTARIO L1H 3Z7
TELEPHONE (905) 436-5611  FAX (905) 436-5642
E-MAIL: mayor@oshawa.ca

May 11, 2020

Honourable Doug Ford
Premier of Ontario
Legislative Building, Queen's Park
Toronto ON M7A 1A1

RE: Request for Financial Assistance to Municipalities as a result of COVID-19

Dear Premier,

The current COVID-19 pandemic is an unprecedented challenge for all levels of government. The strong leadership from the Province to limit the spread of the virus, manage the disease, and provide stability and reassurance during a difficult and unpredictable time is most appreciated. The pandemic has, however, negatively impacted our economies, businesses, workers and communities. It has also had a major impact on the finances of municipal governments.

The Province has made a number of funding announcements to provide financial support to municipalities related to the COVID-19 pandemic. The City appreciates this financial support. However, the impact to the City's bottom line is significant due to lost revenues and increased unexpected expenditures.
In addition to losses and costs already incurred, municipalities face unknowns when the pandemic curve is flattened and physical distancing measures are lessened or no longer in place. For example, will the public return to municipal facilities and enroll in programming and how many people will default on their property taxes or other payments?

As you know, municipalities budget for the costs to provide services and programming for the year ahead. Municipalities are not legally permitted to run deficits, nor do they have the borrowing capacity or the revenue tools of senior levels of government. I do not support running any deficit at the local level. A deficit simply puts the problem off for another year, which may result in the reduction of vital services. The alternative would be a double-digit property tax increase in 2021, which property tax payers could not absorb given the current economic climate.

The City's request is for the Province to establish a straightforward, direct and flexible municipal financial assistance program to cover the additional costs and loss in revenue experienced by municipalities as a result of the COVID-19 pandemic. Such a program is urgently needed and would be an investment in essential front-line services that help keep the economy running and advance the Province's economic recovery.

Thank you for your time and consideration. I would be pleased to answer any questions you may have.

Sincerely,
Dan Carter
Mayor

cc: Hon. Rod Phillips, Ontario Minister of Finance
Hon.
Steve Clark, Minister of Municipal Affairs and Housing
Jennifer French, MPP
Lindsey Park, MPP
Chair John Henry, Region of Durham
Oshawa City Council
Paul Ralph, Chief Administrative Officer, City of Oshawa
Jamie McGarvey, President, Association of Municipalities of Ontario
Durham Area Municipalities (Clerks)
Large Urban Mayors' Caucus of Ontario (LUMCO)

OFFICE OF THE MAYOR, CITY OF OSHAWA
OSHAWA, ONTARIO, CANADA
MAYOR DAN CARTER
50 CENTRE STREET SOUTH, OSHAWA, ONTARIO L1H 3Z7
TELEPHONE (905) 436-5611  FAX (905) 436-5642
E-MAIL: mayor@oshawa.ca

May 11, 2020

Honourable Justin Trudeau
Prime Minister
House of Commons
Ottawa, ON K1A 0A2

RE: Request for Financial Assistance to Municipalities as a result of COVID-19

Dear Prime Minister,

The current COVID-19 pandemic is an unprecedented challenge for all levels of government. The strong leadership from the federal government to limit the spread of the virus, manage the disease, and provide stability and reassurance during a difficult and unpredictable time is most appreciated. The pandemic has, however, negatively impacted our economies, businesses, workers and communities. It has also had a major impact on the finances of municipal governments, the front-line service provider and the backbone of our communities.

The federal government has made a number of funding announcements to provide financial support related to the COVID-19 pandemic. The City appreciates these efforts to support our community. However, the impact to the City's bottom line is significant due to lost revenues and increased unexpected expenditures.

In addition to losses and costs already incurred, municipalities face unknowns when the pandemic curve is flattened and physical distancing measures are lessened or no longer in place. For example, will the public return to municipal facilities and enroll in programming and how many people will default on their property taxes or other payments?
As you know, municipalities budget for the costs to provide services and programming for the year ahead. Municipalities are not legally permitted to run deficits, nor do they have the borrowing capacity or the revenue tools of senior levels of government. I do not support running a deficit at the local level. A deficit simply puts the problem off for another year, which may result in a reduction of vital services. The alternative would be a double-digit property tax increase in 2021, which property tax payers could not absorb given the current economic climate.

The City's request is for the Federal Government to establish a straightforward, direct and flexible municipal financial assistance program to cover the additional costs and loss in revenue experienced by municipalities as a result of the COVID-19 pandemic. The funding would be an investment in essential front-line services and ensure that municipalities will be well placed to help drive Canada's economic recovery.

Thank you for your time and consideration. I would be pleased to answer any questions you may have.

Regards,
Dan Carter
Mayor

cc: Hon. Bill Morneau, Minister of Finance
Hon. Chrystia Freeland, Deputy Prime Minister and Minister of Intergovernmental Affairs
Hon. Omar Alghabra, Parliamentary Secretary to the Prime Minister (Public Service Renewal) and to the Deputy Prime Minister and Minister of Intergovernmental Affairs
Erin O'Toole, MP
Colin Carrie, MP
Chair John Henry, Region of Durham
Oshawa City Council
Paul Ralph, Chief Administrative Officer, City of Oshawa
Bill Karsten, President, Federation of Canadian Municipalities
Durham Area Municipalities (Clerks)
Large Urban Mayors' Caucus of Ontario (LUMCO)
Association of Municipalities of Ontario (AMO)

Oakville Economic Task Force

Friday May 8, 2020

Hon. Bill Morneau
430 Parliament Street
Toronto, Ontario M5A 3A2

Dear Minister Morneau,
I write to you today on behalf of the Oakville Economic Task Force. The Task Force, comprising the Town of Oakville's Economic Development department, the Oakville Chamber of Commerce, Oakville Business Improvement Associations, and myself, continues to engage our business community to understand what support is needed to ensure local businesses are able to survive this period of uncertainty and are in a position to play a role in the recovery of our local economy.

The Task Force is encouraged by the cooperation between the Federal and Provincial government to develop the Ontario-Canada Emergency Commercial Rent Assistance Program. While we recognize rent is a provincial concern and we are grateful for the federal government partnering with provinces, it is important to keep in mind that in order to work the program needs to address certain points that both levels of government need to be aware of in order to collaborate successfully, such as:
- Many landlords have declined to apply and others face the onerous process of having to apply for each commercial unit where they own many
- Many tenants cannot benefit from the program or qualify and are facing eviction.

We appreciate the Canada Mortgage and Housing Corporation indicating that they will address the issue of landlords with no mortgage, but businesses facing eviction do not have very much time to wait for a new program. The feedback we are hearing from the local business community indicates that, based on the current program details, there are many businesses who will be unable to benefit from the program as-is and will face eviction. Therefore, we are proposing the following changes to the program:

1. Suspend evictions of commercial tenants for a minimum of 6 months
2. Allow tenants to make an application for the rent assistance if the property owner does not want to apply or is ineligible
3. Allow property owners to make one application for all of their properties rather than individual applications
4. Lower the 70% revenue decline threshold for tenants

I urge you to consider these proposed changes as you develop and roll out the program details. Without changes, an increasingly large number of small businesses will be put in a position where they may be faced with permanent closure. We look forward to continuing to work together with you in supporting the Oakville business community.

Sincerely,
Mayor Rob Burton
Oakville Economic Task Force

Oakville Economic Task Force

Friday May 8, 2020

Hon. Rod Phillips
Ministry Office, Ministry of Finance
Frost Building South, 7th Floor
Toronto, Ontario M7A 1Y7

Dear Minister Phillips,

I write to you today on behalf of the Oakville Economic Task Force. The Task Force, comprising the Town of Oakville's Economic Development department, the Oakville Chamber of Commerce, Oakville Business Improvement Associations, and myself, continues to engage our business community to understand what support is needed to ensure local businesses are able to survive this period of uncertainty and are in a position to play a role in the recovery of our local economy.

The Task Force is encouraged by the cooperation between the Federal and Provincial government to develop the Ontario-Canada Emergency Commercial Rent Assistance Program.
While we recognize rent is a provincial concern and we are grateful for the federal government partnering with provinces, it is important to keep in mind that in order to work the program needs to address certain points that both levels of government need to be aware of in order to collaborate successfully, such as:
- Many landlords have declined to apply and others face the onerous process of having to apply for each commercial unit where they own many
- Many tenants cannot benefit from the program or qualify and are facing eviction.

We appreciate the Canada Mortgage and Housing Corporation indicating that they will address the issue of landlords with no mortgage, but businesses facing eviction do not have very much time to wait for a new program. The feedback we are hearing from the local business community indicates that, based on the current program details, there are many businesses who will be unable to benefit from the program as-is and will face eviction. Therefore, we are proposing the following changes to the program:

1. Suspend evictions of commercial tenants for a minimum of 6 months
2. Allow tenants to make an application for the rent assistance if the property owner does not want to apply or is ineligible
3. Allow property owners to make one application for all of their properties rather than individual applications
4. Lower the 70% revenue decline threshold for tenants

I urge you to consider these proposed changes as you develop and roll out the program details. Without changes, an increasingly large number of small businesses will be put in a position where they may be faced with permanent closure. We look forward to continuing to work together with you in supporting the Oakville business community.
Sincerely,
Mayor Rob Burton
Oakville Economic Task Force

Clarington Memo
Planning Services Department

If this information is required in an alternate format, please contact the Accessibility Co-ordinator at 905-623-3379 ext. 2131

To: Mayor and Members of Council
Cc: CAO and Department Heads
From: Carlo Pellarin, Manager, Development Review
Date: May 22, 2020
Subject: Modified condition of Draft Approval, Brookfield Residential (Ontario) Ltd.
File No: S-C 2005-0004, ZBA 2020-0002

At the Planning and Development Committee meeting Tuesday evening, there were questions regarding sidewalk and bicycle access from the development to North Street, Regional Road 17. The proposed revisions to Draft Approval eliminated two walkways in favour of window streets, which typically provide better egress from the arterial road to the subdivision and local street. As the revised development will have a 5.0 metre wide grading buffer block, members of Council asked whether sidewalk and cycling access from Regional Road 17 to the subdivision would be available. Although maintaining access was always the intent, staff have modified the conditions of Draft Approval to specifically speak to such a connection.

Sincerely,
Carlo Pellarin

Attachment 1: Revised Conditions of Draft Approval

The Corporation of the Municipality of Clarington, 40 Temperance Street, Bowmanville ON L1C 3A6, 905-623-3379

AMENDMENT TO THE CONDITIONS OF DRAFT APPROVAL
DRAFT PLAN OF SUBDIVISION S-C 2005-004 (Brookfield Homes)
Issued for Review: March 24, 2020
Notice of Decision:
Amendment Approved:

1. The Conditions of Draft Approval dated October 19, 2012 and as amended on May 7, 2018, are hereby amended as set out below.

"1.
Plan Identification" shall be removed in its entirety and replaced with the following: The Owner shall have the final plan prepared on the basis of approved draft plan of subdivision S-C 2005-0004, prepared by Candevcon East Limited, identified as Project Number E19044, original submission dated March 2011 by Sernas and Associates identified as Project Number 04320 and draft approved by the Ontario Municipal Board on October 19, 2013, now illustrates 268 residential units consisting of 150 single detached units, 62 semi-detached units, 56 street townhouse units, parkette, 0.3 metre reserves, grading buffer strip.

2. Delete the following bullet from condition 10: "proposed walkway (Block 194) is required for overland flow"

3. That Condition 23 i) be modified by adding the following after the words Urban Area: ", including sidewalk/multi-purpose trail from the Regional Road 17 to the two window streets";

4. Delete Conditions 41 and 42 in their entirety.

This transfer has not been done yet. To be done after completion of year-end audit. IL 2/17/20. See next page for board approved motion.

Clarington Museums & Archives
Special Meeting of the Board: October 16th, 2019
MAC Meeting Room 1A, 163 Church Street, Bowmanville, Ontario

Present: G. Anderson, A. Foster, S. Middleton, S. Reiner, K. Warren, H. Ridge (ED)
Guest: L. Wheller, Human Resources Manager, Municipality of Clarington
Regrets: M. Morawetz, M. Ross

1. Call to Order: K. Warren, Chair of the Board, called the meeting to order at 7:06 pm

2. Adoption of Agenda:
Moved by: S. Middleton
Seconded by: A. Foster
THAT: The agenda be approved.
MOTION CARRIED

3. Disclosure of Interests: None

4. Museum Budget Report
H. Ridge circulated the "Draft 2020 Budget Planning", "Museum Estimates Costing for 2020", "Current Museum Positions", "2019 Budget Expected Deficit" and the "October 2019 Special Budget Report" to the board.
Discussions were held on how best to balance the 2020 budget and using funds from the reserves to cover the 2019 deficit.

5. In Camera:
Moved by: A. Foster
Seconded by: S. Middleton
THAT: in accordance with Section 239 (2) of the Municipal Act, 2001, as amended, the meeting be closed for the purpose of discussing the following matter: b) a matter that deals with personal matters about an identifiable individual, including municipal or local board employees.
MOTION CARRIED

H. Ridge left the room at 8:25 pm.

The meeting resumed in open session at 8:55 PM. One item was discussed in "closed" session in accordance with Section 239(2) of the Municipal Act, 2001 and one resolution was passed to provide direction to Staff.

H. Ridge returned to the room.

Moved by: A. Foster
Seconded by: S. Middleton
THAT: The adjusted Museum budget for 2020 be provided to the Library Board with the Museum Board's recommendation as soon as possible.
MOTION CARRIED

Moved by: A. Foster
Seconded by: G. Anderson
THAT: The Board authorizes the transfer from the Museum Reserves Funds to cover the operational deficit in 2019.
MOTION CARRIED

6. Adjournment:
Moved by: S. Middleton
Seconded by: A. Foster
THAT: The meeting be adjourned at 9:05 pm.
MOTION CARRIED

Minutes for the meeting of the Clarington Museums and Archives Board have been accepted and approved on [handwritten date], 2019.
Chair
Executive Director, Clarington Museums and Archives Board

Agricultural Advisory Committee of Clarington Meeting
Thursday, April 9, 2020

Members Present: Eric Bowman, John Cartwright, Jennifer Knox, Ted Watson, Tom Barrie, Don Rickard, Richard Rekker, Brenda Metcalf, Les Caswell, Henry Zekveld, Councillor Zwart
Regrets: Ben Eastman
Staff: Amy Burke and Faye Langmaid - Planning Services; Sean Bagshaw and Ron Albright - Engineering Services
Guests: Mayor Foster; Stacey Jibb and Allison Brown, Region of Durham Planning and Economic Development; Carolyn Puterbough, OMAFRA

Due to COVID-19 restrictions and to ensure social distancing, the meeting was held via conference call.

Eric welcomed all to the meeting, with introductions.

Roundtable of information sharing with members of the Committee providing their perspectives on the experience and/or anticipated impacts of the COVID-19 Pandemic on local agricultural operations (summary attached).

Declarations of pecuniary interests - Don Rickard and Les Caswell each noted a potential conflict with capital projects included in the 2020 Capital Projects list provided to Committee members and expected guests prior to the meeting.

Adoption of Agenda
020-09 Moved by Don Rickard, seconded by Tom Barrie
That the Agenda for April 9, 2020 be adopted.
Carried

Approval of Minutes
Amendment to March 12, 2020 minutes identified. John Cartwright to be added to the list of individuals interested to participate in a working group for consultation by the Clerks Department / Municipal By-law Enforcement on the development of an on-farm special events by-law.

020-10 Moved by John Cartwright, seconded by Ted Watson
That the minutes of the March 12, 2020 meeting be approved, as amended.
Carried

Presentation
MPP David Piccini (Northumberland — Peterborough South) — Postponed (date to be determined).

Sean Bagshaw, Engineering Services — 2020 Capital Projects
A list of capital projects planned for initiation in 2020 was circulated to the committee members prior to the meeting. Sean provided an overview of the rural area projects and addressed questions from Committee members. The placement of guide rails was amongst the topics further discussed by the Committee. Provincial standards have been amended to allow for wider placement of guide rails to accommodate farming equipment. In the rural area, Engineering Services will use the new Provincial standard (21') as a minimum and will add additional width, where possible. Engineering Services will also reach out to appropriate Committee members to review preliminary design plans for a couple of projects and seek some additional feedback (e.g. guide rail project planned for Bragg Road at the CPR line and the review of a potential pinch point).

Ron Albright, Engineering Services — Enniskillen Traffic Calming Pilot Project
Ron provided an update on the Enniskillen traffic calming pilot project and the new measures to be implemented for trial in 2020. The bollard arrangement trialed in 2019 will be replaced with a two-step approach involving i) semi-permanent installation of a larger speed/radar message board north of the school zone to remind drivers entering the area of their speed and the speed limit; and ii) the installation of temporary speed cushions (seasonally installed outside of winter and shoulder seasons). Photos of the products were circulated to the committee members prior to the meeting. Information is also available on the product website: https://trafficlogix.com/speed-cushions/

Prior to the installation, Engineering Services is seeking a participant from the area for a demonstration / trial with farming equipment.
This would involve setting up the speed cushions in a municipal parking lot and having one or several pieces of farm equipment and implements drive over the speed cushions and provide feedback. Interested individuals can contact Ron at ralbright@clarington.net

Delegations
None.

Business Arising from Minutes
On-farm Special Events By-law: Comment deadline extended to April 30, 2020. Clerks will be reaching out directly to the individuals who volunteered to participate in a working group for further discussion relating to the development of the by-law. To learn more about the proposed rules, visit https://www.clarington.net/en/town-hall/proposed-on-farm-special-events-by-law.asp, email bylawenforcement@clarington.net, or contact Duncan Anderson at 905-623-3379 ext. 2110.

Correspondence, Council Items and Referrals
None.

Liaison Reports
Durham Agriculture Advisory Committee: Meetings cancelled until further notice.

Durham Region Federation of Agriculture: Richard provided an update from the March 18 DRFA meeting in his e-mail to all prior to the meeting. No further questions from Committee members.

Durham Farm Connections: Program and event cancellations and postponements occurring in response to COVID-19 measures.

Clarington Board of Trade: CBOT is actively reaching out to members / local businesses to better understand the impacts that are being felt as a result of COVID-19 and the support and resources that are needed. A virtual Town Hall event with Mayor Foster scheduled for April 3. Regional Chair John Henry will host a virtual Town Hall on Wednesday April 22.

New Business
Highway 407 Materials Clean-up: Committee members commented that a number of metal bases from temporary construction signs and sandbags remain along the roadsides and within the roadside ditches in the vicinity of the 407, which may be difficult for Municipal mowing equipment to see in the coming months.
Ron Albright will submit a request to Blackbird Construction for the roadsides to be checked and all remaining signage and other equipment removed.

Bowmanville REKO Network: This is a Facebook-based network for direct sales of farm products from producers to customers. Sales are done online and pick-up occurs at a pre-determined location on a weekly basis. A new Bowmanville REKO group is starting up and involves many vendors from the Newcastle Farmers Market. The local coordinator is consulting with Engineering Services and Community Services regarding the use of the Garnet B. Rickard parking lot for a weekly, one-hour curbside pick-up window beginning in May.

Next Meeting
Thursday, May 14, 2020 @ 7:30 pm
Kathy Macpherson, The Greenbelt Foundation

Future Agendas:
David Piccini, MPP, Northumberland — Peterborough South
Philip Lawrence, MP, Northumberland-Peterborough South
Hon. Erin O'Toole, MP, Durham
Region of Durham Works re: 2020 capital projects
Clarington Engineering Services (Building Division) re: National Building Code changes for farm structures anticipated for 2020 (once the changes have been confirmed)
Brianna Ames of Fairlife (Coca-Cola)
Simon Gill, Durham Region Economic Development & Tourism re: an update on the Durham Region Agricultural Strategy and Durham Region Broadband Strategy

Agricultural Advisory Committee of Clarington
Meeting Note: April 9, 2020
Summary of Experienced and/or Anticipated Impacts of COVID-19 Pandemic on Local Agricultural Operations

- Uncertainty regarding whether new farm building construction projects can proceed or whether projects underway will be shut down prior to completion. Foreign supplied component parts (e.g. cages for chickens) no longer have an assured delivery date.
Farmers have already purchased and scheduled the delivery of poultry / livestock.
- Equipment installation may require labour / trades / specialists from the manufacturer, which is a company with employees from outside of Canada.
- Longer lead times for the ordering of parts and arranging for / making product deliveries.
- Livestock sale barns seeing decreased attendance and are being held less frequently. Risk of livestock processing plant closures due to COVID-19 outbreaks. Resulting backlog of livestock in the supply chain contributing to lower sale prices, increased costs to farmers, risk of culling and delay in getting beef and pork supply on the shelves for consumers.
- Beef farm-to-table sales have increased, with several new customers. New call-ahead, no-contact curbside pick-up procedure developed.
- Increased farm gate egg sales and local retailer egg sales.
- Dumping of milk necessary as an emergency measure due to the shutdown of food service providers and the hospitality industry.
- Change in milk product type/size demands - more household sized bags and cartons and less 250 ml and 20 L cartons. This results in the need for processing line changes, both now and when regular operations resume in the future, which take time and have associated costs.
- Wholesale plant supply operations severely impacted by the cancellation or significant reduction in orders from large retailers, such as Costco and Canadian Tire. Input costs had already been incurred with plant production well underway before the pandemic was declared. With diminishing opportunities to sell, the potential loss is significant ($millions).
- Production chain for products, such as turkey, which begin today or in the coming weeks to be sale-ready by fall, halted; the full effect will not be realized by the consumer until the product is needed on the grocery store shelf, and the reason for the supply shortage may not be realized by the customer.
- Restrictions and limitations at international borders and flight restrictions, combined with mandatory quarantine periods, result in a shortage of needed migrant workers. The window for some types of work to be done may be closed or closing quicker than the limited number of workers available can reasonably do.
- Pick-your-own component of farm market operations likely not able to open in 2020. Large annual seed purchases for pick-your-own products planted each year (e.g. pumpkins) will be a loss.
- Potential loss of employment opportunity for local students employed at many local farm operations.
- Closure of local farmers markets has led to the start-up of a REKO network in Durham Region where food producers advertise their goods through a social media group, customers pre-order what they want online, and a curbside pick-up date is set at a location in the community.

Circulation:
Agricultural Advisory Committee of Clarington Members & Advisors
Mayor and Members of Council
MPP David Piccini (Northumberland-Peterborough South)
MPP Lindsey Park (Durham)

Clarington Diversity Advisory Committee
Thursday, April 23, 2020, 7:00 PM
Microsoft Teams

If this information is required in an alternate format, please contact the Accessibility Coordinator at 905-623-3379 ext 2131

Present: Ashfaque Choudhry, Councillor Ron Hooper, Sajida Kadri, Derryck Lamptey, Meera McDonald, Rajeshwari Saharan, John Sawdon, Laila Shafi, Rachel Traore
Also Present: Erica Mittag - Community Development Coordinator

The meeting was called to order at 7:07 p.m.

1. Land Acknowledgement

2. Adoption of Agenda
Moved by Meera McDonald, seconded by Ashfaque Choudhry
That the agenda of the meeting of April 23, 2020 be approved.
Carried

3. Adoption of Minutes
Moved by Councillor Hooper, seconded by Rachel Traore
That the minutes of the meeting of February 27, 2020 be approved.
Carried

4. Communications - Received for Information or Direction
a) Request from [illegible] to collaborate on a diversity photo library is currently on hold due to the pandemic.

5. Community Updates
Erica Mittag shared:
a) The Municipality of Clarington hosted a virtual event on Wednesday April 22 for local non-profits which included speakers from Durham and Clarington.
b) The Municipality of Clarington has signed on as an Employer Partner with the Canadian Centre for Diversity and Inclusion (CCDI) which provides benefits such as knowledge resources, webinars and training opportunities for our staff.

6. Council Updates
Councillor Hooper shared:
a) Much of Council business is being conducted virtually. Next meeting of General Government Committee will be combined with Planning Committee on Monday, April 27. Next Council meeting is May 4.

7. Diversity Lens
Members brought back comments on various diversity lens models and shared summaries of the strengths and challenges of each model with the Committee. Erica Mittag will consolidate the summaries for the next meeting. Erica will reach out to City of Hamilton for an update on their draft diversity and inclusion lens.

8. Annual Update to Council
A staff report has been drafted to present to Council at an upcoming General Government Committee meeting (date to be confirmed).

9. Other Business
Derryck Lamptey shared a message of best wishes to all who are commemorating Ramadan (Islam), Yom Hazikaron (Judaism) and Akshaya Tritiya (Hinduism).

The meeting was adjourned at 8:13 p.m.
Moved by Laila Shafi, seconded by Ashfaque Choudhry
That the meeting be adjourned.
Carried

Next meeting: Thursday, May 28, 2020, 7:00 p.m., Virtually, Microsoft Teams

Clarington Committee Report to Council
If this information is required in an alternate accessible format, please contact the Accessibility Coordinator at 905-623-3379 ext. 2131.
Report To: Council
Date of Meeting: May 25, 2020
Report Number: GGR-008-20
Report Subject: General Government Committee Meeting of May 11, 2020

Recommendations:

1. Receive for Information
(a) 9.1 Geoff Gordon, Vegetation Management Specialist, Canadian Pacific, Regarding Canadian Pacific 2020 Vegetation Control Program
(b) 9.2 Larry Wheeler, Deputy Clerk, Township of Mapleton, Regarding Request the Province of Ontario to Review the Farm Property Class Tax Rate Programme in Light of Economic Competitiveness Concerns between Rural and Urban Municipalities
(c) 10.4 Ibi Biesenthal, PI TOOL Limited, Regarding Award of Contract CL2019-37 - Courtice Court Servicing
(d) FND-011-20 Financial Update as at December 31, 2019
(e) FND-012-20 2019 Annual Statement for Cash-in-Lieu of Parkland
(f) FND-013-20 2019 Building Permit Fees Annual Report

2. Support for VIA Rail Service
Whereas the Corporation of the Municipality of Clarington supports the National Transportation Policy and Section 5 of the Canada Transportation Act, S.C. 1996, c. 10 (as amended), which states in part: a competitive, economic and efficient national transportation system that meets the highest practicable safety and security standards and contributes to a sustainable environment, makes best use of all modes of transportation at the lowest cost is essential to serve the needs of its users, advance the well-being of Canadians, enable competitiveness and economic growth in both urban and rural areas throughout Canada.
Those objectives are achieved when:
(a) competition and market forces among modes of transportation are prime agents in providing viable and effective transportation services;
(b) regulation and strategic public intervention are used to achieve economic, safety, security, environmental or social outcomes;
(c) rates and conditions do not constitute an undue obstacle to the movement of traffic within Canada or to the export of goods from Canada;
(d) the transportation system is accessible without undue obstacle to the mobility of persons, including persons with disabilities; and
(e) governments and the private sector work together for an integrated transportation system.
And whereas [text illegible in source] "continue to work with communities and invest in the infrastructure they need today [illegible]";
And whereas Abacus data has indicated that Canadians are focused on building transit to reduce congestion and connect communities;
And whereas the Canadian Transport Commission main finding at public hearings in 1977 was that there should be no further reductions to passenger rail services;
And whereas the frequency of VIA trains running in Canada has been reduced significantly since 1977, causing a subsequent significant drop in ridership;
And whereas there is a need for balanced transportation with more using transit and less using automobiles;
And whereas the changing demographic relating to house prices, housing affordability will require further expansions of transit;
And whereas there is a need to visit tourist sites located along rail lines;
And whereas the annual cost of congestion to the Greater Toronto Hamilton Area economy alone is between $7.5 and $11 billion;
And whereas there are 10 million more vehicles on the road today than there were in 2000;
And whereas the Municipality of Clarington requests the support of this resolution from all communities served by VIA;
Therefore be it resolved that the Council of the Corporation of Clarington recommends to the Government of Canada to adequately fund and fully support VIA Rail Canada in increasing the frequency, reliability, ticket cost and speed of VIA rail service in 2020 and successive years.

3. High Speed Internet Connectivity in Rural Ontario
Whereas the COVID-19 pandemic has upended traditional means of business and put unprecedented strain on our broadband networks, as well as shed light onto both the gaps in coverage and areas plagued by unreliability;
And whereas COVID-19 and other factors have driven a rise in work from home arrangements, a trend likely to continue into the future;
And whereas quick and coordinated investment to build up our network is critically important to the health and viability of our community as well as our ability to be economically competitive;
And whereas Clarington has worked closely with both large and small scale Internet Service Providers to provide coverage to our residents, but full-scale reliable connectivity is not happening as quickly as it should;
And whereas more resources from all levels of government must be provided, especially to make small rural build outs economically viable.
Now therefore be it resolved:
1. That broadband must be treated as critical infrastructure in support of our new economy, as Clarington works towards its goal of 100% reliable connectivity;
2. That the Federal, Provincial and Regional governments be requested to coordinate their efforts and increase the funds available to drive this important initiative ahead; and
3. That Erin O'Toole (MP Durham), Philip Lawrence (MP Northumberland-Peterborough South), Lindsey Park (MPP Durham), David Piccini (MPP Northumberland-Peterborough South) and the Region of Durham be notified of Council's decision.

4. Kirby Subdivision, [illegible] Related Works
That Report EGD-008-20 be received;
That the Director of Engineering Services issue a "Certificate of Acceptance" for the Final Works, which includes [illegible] works constructed within Plan 40M-2480;
That Council approve the by-law attached to Report EGD-008-20 assuming certain streets within Plan 40M-2480 as public highways; and
That all interested parties listed in Report EGD-008-20 be advised of Council's decision.

5. 2020 Community Grant Requests
That Report CSD-004-20 be received; and
That all interested parties listed in Report CSD-004-20 and any delegations be advised of Council's decision by the Department.

6. Grant Requests Deemed to be Denied
That if, during the consideration of the 2020 Spring Community Grants Requests, a specific resolution is not put forward by a Committee member on a grant request, the grant request is deemed to be denied.

7. Newtonville Community Hall
That the Grant Application #20-01, from Newtonville Community Hall, be approved in the amount of $5000.00.

8. Joint Health & Safety Committee - 2019 Summary
That Report COD-015-20 be received; and
That the updated Policy #E-5 Workplace Harassment and the Health & Safety Policy Statement be endorsed.

9. Roadside Protection - Liberty Street
That Report COD-017-20 be received;
That Real Landscaping Plus Inc. with a total bid amount of $359,957.77 (Net HST Rebate) being the lowest compliant bidder meeting all terms, conditions and specifications of tender CL2020-4 be awarded the contract for Roadside Protection Liberty Street as required by the Engineering Services Department;
That total funds required for this project in the amount of $406,000.00 (Net HST Rebate), which includes the construction cost of $359,957.77 (Net HST Rebate) and other costs including material testing, permit fees and contingencies in the amount of $46,042.23 (Net HST Rebate), is in the approved budget allocation as provided and will be funded from the following accounts; and

Description                                | Account Number          | Amount
Pavement Rehabilitation Program (2019)     | 110-32-330-83212-7401   | $332,000
Roadside Protection Program (2019)         | 110-32-330-83338-7401   | $74,000

That all interested parties listed in Report COD-017-20 and any delegations be advised of Council's decision.

10. Scheduling of Committee Meetings during COVID-19 Pandemic
That, during the Covid Emergency, there be one joint meeting of General Government Committee and Planning and Development Committee, to take place during the normal schedule for the Planning meeting unless the Mayor determines that it would be better to do otherwise.

11. Cedar Crest Beach Update - Beach Erosion/Property Loss Study
That Report PSD-012-20 be received;
That, in accordance with the Purchasing By-law, the lower of the bids from the qualified consultants will be awarded the consulting contract, to the maximum of the $30,000 budget for the completion of the Cedar Crest Beach Erosion/Property Loss Study;
That Staff report back to Council with the results of the study, once completed; and
That all interested parties listed in Report PSD-012-20, including all landowners in the Port Darlington [illegible], be advised of Council's decision.
Clarington Committee Report to Council
If this information is required in an alternate accessible format, please contact the Accessibility Coordinator at 905-623-3379 ext. 2131.

Report To: Council
Report Number: PDR-005-20
Date of Meeting: May 25, 2020
Report Subject: Planning and Development Committee Meeting of May 19, 2020

Recommendations:

1. Proposed Official Plan Amendment and Rezoning to Implement the Bowmanville Neighbourhood Character Study
That Report PSD-015-20 be received;
That the Official Plan Amendment contained in Attachment 1 of Report PSD-015-20 be approved;
That the Zoning By-law Amendment contained in Attachment 2 of Report PSD-015-20 be approved;
That in accordance with Section 45(1.4) of the Planning Act, Council permit minor variance applications to be submitted for the lands subject to the Zoning By-law Amendment contained in Attachment 2, provided the application is accompanied by a character analysis;
That a By-law to repeal Interim Control By-law 2018-083 be forwarded to Council for adoption once the Zoning By-law Amendment contained in Attachment 2 is in full force and effect;
That the Durham Regional Planning and Economic Development Department, the Ministry of Municipal Affairs and Housing and the Municipal Property Assessment Corporation be forwarded a copy of Report PSD-015-20; and
That all interested parties listed in Report PSD-015-20 and any delegations be advised of Council's decision.

2. Applications by Brookfield Residential (Ontario) Ltd. for a Redline Revision to a Draft Approved Plan of Subdivision and Rezoning, east side of Regional Road 17, Newcastle
That Report PSD-014-20 be received;
That the application for redline revision to Draft Approved Plan of Subdivision submitted by Brookfield Residential (Ontario) Limited for lot adjustments be supported subject to conditions as contained in Attachment 2 of Report PSD-014-20;
That the Zoning By-law Amendment application submitted by Brookfield Residential (Ontario) Limited be approved and that the Zoning By-law as contained in Attachment 3 of Report PSD-014-20 be passed;
That once all conditions contained in the Clarington Official Plan with respect to the removal of the (H) Holding Symbol are satisfied, the By-law authorizing the removal of the (H) Holding Symbol be approved;
That the Durham Regional Planning and Economic Development Department and Municipal Property Assessment Corporation be forwarded a copy of Report PSD-014-20 and Council's decision; and
That all interested parties listed in Report PSD-014-20 and any delegations be advised of Council's decision.

Clarington Staff Report
If this information is required in an alternate accessible format, please contact the Accessibility Coordinator at 905-623-3379 ext. 2131.

Report To: Council
Date of Meeting: May 25, 2020
Reviewed By: Andrew C. Allison, CAO
File Number:
Report Number: CAO-015-20
By-law Number:
Resolution#:
Report Subject: COVID-19 Business Continuity Planning Update

Recommendation:
1. That Report CAO-015-20 be received for information.

Report Overview
Report CAO-011-20 identified the need to prepare business continuity plans to respond to the COVID-19 pandemic. Staff prepared those plans, and through Report CAO-012-20, Council was provided with information regarding the level of staffing required to maintain services that were deemed essential by the Province during the pandemic.
This report provides a further update on these issues.

1. Background
1.1 In Report CAO-010-20 dated March 13, 2020, Council was advised of the initial changes to Municipal services and programs that staff were undertaking to respond to the COVID-19 pandemic.
1.2 In Report CAO-011-20 dated March 23, 2020, staff identified the need to assess and respond to service level adjustments by establishing business continuity plans. Over the next several weeks, those plans were developed.
1.3 Through Report CAO-012-20 dated April 14, 2020, Council was advised of the steps taken by staff to allow Municipal services deemed by the Province to be essential (as at April 9, 2020) to continue to be provided during the pandemic. This report provides an update to much of the information contained in Report CAO-012-20.

2. Business Continuity
Emergency Closures
2.1 The Provincial government ordered its first emergency closures on March 17. Additional businesses were ordered to be closed on March 23, and a final round of business closures was ordered on April 4. As well, outdoor recreational facilities were ordered closed on March 30. However, more recently some of these restrictions have begun to be lifted and some businesses and facilities have been permitted to reopen.
2.2 Municipal services and activities that were primarily impacted by the closures included recreational facilities, libraries, and some municipal construction projects.
2.3 Indoor recreational facilities are currently to remain closed. Libraries also remain closed except that as of May 19 they are permitted to provide curb side pick-up and delivery of library materials. Additionally, those municipal infrastructure construction projects that had been halted were permitted to resume on May 4.
2.4 Many retail business establishments have experienced a gradual reopening.
Hardware stores and safety supply stores were fully reopened on May 9, subject to physical distancing requirements. Garden centres and nurseries were also permitted to reopen on May 9. Beginning on May 11, retail store locations that have a street entrance were permitted to reopen provided they make use of an alternate method of sale such as curb side pick-up or delivery. On May 19, these retail stores were permitted to fully reopen on the condition that customers maintain a physical distance of at least 2 metres from each other at all times.
2.5 Additional businesses were permitted to reopen on May 19, including: businesses that sell motorhomes, watercraft, or other motorized vehicles; and businesses that provide pet grooming, pet sitting, pet walking, and pet training.
2.6 Construction projects have also been gradually permitted to resume. On May 11, all residential construction was authorized to continue. On May 19, all remaining construction was authorized, subject to strict health and safety protocols. Many municipal tenders for regular maintenance and repair were unaffected and continued as much as possible throughout this period.
2.7 The Province has also begun to loosen restrictions on certain outdoor recreational facilities. Allotment gardens/community gardens were authorized to reopen on April 24. On May 16, boarding kennels, marinas, seasonal campgrounds, golf courses, and outdoor driving ranges were permitted to reopen. Also, beginning on May 19, some outdoor sports facilities, picnic sites, and off-leash dog parks were permitted to reopen, subject to the requirement that users of the facility maintain a physical distance of at least two metres from any other person. The outdoor sports facilities (e.g. baseball diamonds, soccer fields, tennis courts, skateboard parks) are subject to the additional requirement that team sports are not permitted.
2.8 The Provincial government has indicated that we are currently in Stage 1 of a three-stage process to reopen the economy. No firm date has yet been identified for the implementation of stages 2 and 3, but the Provincial government has tentatively suggested a range of 2 to 4 weeks between each stage, dependent on COVID-19 infection rates.
2.9 Although many retail businesses have reopened, many other business establishments remain closed. These include restaurants, personal services (e.g. hairdressers), and retail stores that lack direct street access.
2.10 Schools have been ordered to remain closed for the remainder of the academic year, and organized public events and social gatherings continue to be limited to no more than 5 persons.

Continuity Plans
2.11 In early April, staff prepared business continuity plans for each department. These plans were based on the premise that most municipal services can and should continue, subject only to our ability to maintain safe and healthy workplaces.
2.12 In Report CAO-012-20, Council was advised that as part of each Department's business continuity plan there was an attempt to determine the level of staffing required to maintain services until the end of April (Phase 1), end of May (Phase 2), and June 30 (Phase 3). As a result of recent Provincial orders to reopen, the only area of the corporation where service levels remain impacted and staffing levels continue to be monitored is Community Services. Other departments have remained at, or are returning to, normal service levels which will require a return to budgeted staffing levels.

Staffing Levels
2.13 Current Levels - In Report CAO-012-20, Council was advised that staffing levels throughout the corporation are already below normal levels. As of the date of this report, that remains the same.
As compared to April 9 (the date on which Report CAO-012-20 numbers were generated), current staffing levels are even lower. On March 26, 2020, 339 part-time staff were placed on Declared Emergency Leaves (DELs). All these staff remain on DELs. One part-time employee in Community Services has returned to offer lunchtime virtual fitness classes to staff two days each week (her DEL status is not affected). The following staffing positions identified as vacant in Report CAO-012-20 remain vacant (on hold) at this time: (a) 7 full-time pending the roll-out of the reorganization; (b) 3 full-time equivalents approved in the 2020 budget; (c) 3 full-time retirements; (d) 1 full-time maternity leave; (e) 5 full-time seasonal hires; (f) 6 full-time long-term sick leave vacancies; and (g) 1 full-time voluntary leave of absence. Since April 9, we have had 1 additional full-time retirement (effective May 31), 1 net additional full-time sick leave vacancy and 1 full-time voluntary DEL. These 29 positions represent approximately 10.8% of the full-time labour force (excluding Emergency and Fire Services), which is 269 employees. Of the 29 full-time positions described above that are currently vacant (on hold), 8 are in Community Services. Another employee in Community Services will be on maternity leave later this summer. The overall impact is a shortage of 9 full-time positions in Community Services.
The estimated savings (salary and benefits) for vacant (on hold) full-time positions across the entire corporation for the month of May is $191,150. The estimated savings associated with the part-time staff placed on DELs for the month of May is $242,704. The total savings in the month of May is therefore $433,854.
2.14 Summer Students - Staff applied under the Federal Government's Canada Summer Jobs Program to receive wage subsidies (at $14 per hour) for a total of 59 summer students. We have not yet been officially advised of the status of our application, but unofficially we have been told to expect that 27 positions will receive the subsidy, which results in an estimated $105,840 - $181,440 coming to the Municipality (depending on which positions are approved). The 2020 budget did not include any revenue amount for wage subsidies under this Program because it is not guaranteed.
2.15 Projected Workforce Absenteeism - From March 14 (the date that we closed our recreation facilities to the public) until April 9, Clarington experienced a total of 115 lost days as a direct result of the COVID-19 pandemic. Since April 9, we have only had a total of 8 lost days directly related to the pandemic. This is good news.
2.16 Social Distancing - In order to protect our staff, we have implemented strict physical distancing measures in the workplace. This continues to result in some inefficiencies that are unavoidable. An example of this was shown in the Workplans for the Roads and Parks Divisions of the Operations Department sent by the Acting Director to Council on May 11. It highlights the challenges of limiting the number of employees travelling in a municipal vehicle.
2.17 Redeployment Opportunities - In Report CAO-012-20, it was stated that there is ample redeployable work to keep staff meaningfully occupied and engaged. This remains the case as of the date of this report. A total of 18 affiliated staff have been redeployed from Community Services into the Operations Department (16) and the Clerks Department (2). The Workplans sent by the Acting Director of Operations to Council on May 11 show where the 16 employees redeployed to Operations have been assigned. The 2 employees redeployed into the Clerks Department have assisted with records management.
The details of all staffing issues impacting the Community Services Department (including redeployment) are set out in a confidential memorandum from the Director of Community Services dated May 22, 2020 (Attachment 1 to this Report).
2.18 Labour Implications - The labour relations issues respecting any reduction in staffing were discussed in a confidential memorandum from Hicks Morley LLP dated April 9, 2020 (Attachment 2 to Report CAO-012-20). The issues identified in this memorandum remain relevant today.
2.19 Other Municipalities - Clarington's approach to staffing, and redeployment in particular, remains consistent with most GTA area municipalities and generally aligns with the Provincial and Federal Governments' commitment to keeping businesses and the economy intact as much as possible. One municipality has taken the initiative of establishing a top-up plan to support employees on a DEL.

3. Financial Implications
3.1 Estimates of service provision revenues lost through to the end of May 2020 were provided in section 3.0 of Report CAO-012-20. The disruption to normal operations in Community Services was estimated to result in a loss of approximately $1 million due to cancelled program registrations, daily admissions, facility rental permits and fitness/swimming memberships. As the closure orders from the Province continue and further cancellations are required, the impact to revenues will increase; however, the net levy impact will be minimized with the corresponding savings in staffing costs. The cashflow analysis prepared by the Director of Finance / Treasurer through Report FND-010-20 showed that the Municipality had sufficient cash resources assuming zero summer program and facility revenue.
3.2 Until there is greater certainty on what recreation programming will be permitted by the Province, it is difficult to gauge the impact of summer cancellations at this time.
Based on recent indications regarding modified summer camp program delivery, Community Services staff are planning alternative camp programs that could conform to the expected strict health and safety guidelines.

4. Conclusion
4.1 The recommended course of action in this report is based on information available as at May 22, 2020.
4.2 It is respectfully recommended that this report be received for information.

Staff Contact: Andy Allison, CAO, 905-623-3379 ext. 2002 or aallison@clarington.net

Attachment:
Attachment 1: Confidential Memo from the Director of Community Services dated May 22, 2020 (Distributed Under Separate Cover)

Memo
Planning Services Department
If this information is required in an alternate format, please contact the Accessibility Co-ordinator at 905-623-3379 ext. 2131

To: Mayor and Members of Council
From: Faye Langmaid, Acting Director of Planning Services Department
Date: May 21, 2020
Subject: North Newcastle Village Secondary Plan - Milestones / Timelines
File: PLN 41.14

On May 19, 2020, the Planning and Development Committee received a delegation from the owner of 3574 Concession Road 3. He expressed concern that the North Newcastle Village Secondary Plan would proceed without effective consultation on how to mitigate the impacts of residential development near agricultural operations. In response, Planning Staff are to prepare a report on the background to the urban boundary expansion the Region approved in 1993. To determine when this report should come back to Council, an outline of the milestones for the North Newcastle Village Secondary Plan was requested.

The North Newcastle Village Secondary Plan was initiated in 2019 with an initial completion date expected in late Spring of 2021. At this time, it is anticipated that this timeframe may grow longer depending on the ongoing impacts from COVID-19.
A Public Meeting was held on April 1, 2019, to present the Terms of Reference and receive Council approval to proceed (PSD-019-19). The public notice for this meeting was sent to all property owners within the North Village Secondary Plan area as well as all property owners within 120 metres. This circulation area included 3574 Concession Road 3.

The first Public Information Centre (PIC) was held on November 21, 2019, which was an open house to introduce the project to the public and begin generating feedback. Work is underway on Phase One of the background studies for the Secondary Plan including technical reports and an illustrated analysis of opportunities and constraints. A second PIC had been tentatively scheduled for late Spring; however, in light of COVID-19, the second PIC has now been rescheduled for the Fall of 2020.

Included in the background technical reports is an Agricultural Impact Assessment (AIA). The intent of this report is to:
- Determine any potential adverse physical and operational impacts of the proposed uses described in the Secondary Plan;
- An assessment of potential alternatives to land use configurations that avoid/mitigate impacts to OP designated agricultural areas; and
- Recommendations for mitigation/avoidance measures that are to be incorporated within the Secondary Plan.

The Corporation of the Municipality of Clarington, 40 Temperance Street, Bowmanville ON L1C 3A6 | 905-623-3379

The initial AIA will contain a review of agricultural land uses surrounding the Study Area, and applicable planning policies and regulations. The report will continue to be updated throughout the course of the Secondary Plan to respond to the specific land use plans as they are developed. When completed, all reports will be posted to the project webpage at www.Clarington.net/NorthVillage.

Over the course of the Secondary Plan several events will be held where staff will actively seek public input.
These events include:

- Initial Public Meeting - Authorize to commence project - Completed
- Public Information Centre #1 - Introduce the project and goals - Completed
- Public Information Centre #2 - Present technical background reports - Fall 2020
- Public Information Centre #3 - Present alternative land use plans - TBD
- Open House - Present preferred land use plan
- Statutory Public Meeting - Present draft secondary plan

In addition to the events listed above, public comments can be submitted at any time by contacting Paul Wirch or Carlos Salazar at NorthVillage@Clarington.net or 905-623-3379.

I trust that this information will be of benefit to Council.

Faye Langmaid, Acting Director
Planning Services Department

cc: Carlos Salazar, Manager, Community Planning & Design Branch
Paul Wirch, Senior Planner, Community Planning & Design Branch

I:\^Department\PLN Files\PLN 41 Sec. Plans\PLN 41.14 - North Village Newcastle\MEMO-MMC_Milestones_May2020.docx

The Corporation of the Municipality of Clarington
By-law 2020-031

Being a By-law to amend By-law 84-63, the Comprehensive Zoning By-law for the Corporation of the Municipality of Clarington

Whereas the Council of the Corporation of the Municipality of Clarington deems it advisable to amend By-law 84-63, as amended, of the Corporation of the Municipality of Clarington to permit the development of 83 link townhouse dwellings on the subject lands (ZBA2013-0003);

Now Therefore Be It Resolved That the Council of the Corporation of the Municipality of Clarington enacts as follows:

1. Schedule 3 (Bowmanville) to By-law 84-63, as amended, is hereby further amended by changing the zone designation from "Urban Residential Exception ((H)R3-26) Zone" to "Urban Residential Exception (R3-26) Zone" as illustrated on the attached Schedule "A".

3.
This By-law shall come into effect on the date of passing hereof, subject to the provisions of Sections 34 and 36 of the Planning Act.

Passed in Open Council this 25th day of May, 2020

Adrian Foster, Mayor
C. Anne Greentree, Municipal Clerk

This is Schedule "A" to By-law 2020-031, passed this 25th day of May, 2020 A.D.

[Schedule "A" map: Zoning Change From '(H)R3-26' To 'R3-26'; Bowmanville, ZBA 2013-0003, Schedule 3; streets shown include Bill Hutchinson Crescent, Concession Rd 3, Hockley Avenue, Courtney Street and Colville Avenue]

Adrian Foster, Mayor
C. Anne Greentree, Municipal Clerk

The Corporation of the Municipality of Clarington
By-law 2020-032

Being a By-law to amend By-law 84-63, the Comprehensive Zoning By-law for the Corporation of the Municipality of Clarington

Whereas the Council of the Corporation of the Municipality of Clarington deems it advisable to amend By-law 84-63, as amended, of the Corporation of the Municipality of Clarington to permit the development of the East Penn battery distribution centre and national head office on the subject lands (ZBA2019-0016);

Now Therefore Be It Resolved That the Council of the Corporation of the Municipality of Clarington enacts as follows:

1.
Schedule 4 (Courtice) to By-law 84-63, as amended, is hereby further amended by changing the zone designation from "Energy Park Prestige Exception ((H)MO2-1) Zone" to "Energy Park Prestige Exception (MO2-1) Zone" as illustrated on the attached Schedule "A".

3. This By-law shall come into effect on the date of passing hereof, subject to the provisions of Sections 34 and 36 of the Planning Act.

Passed in Open Council this 25th day of May, 2020

Adrian Foster, Mayor
C. Anne Greentree, Municipal Clerk

This is Schedule "A" to By-law 2020-032, passed this 25th day of May, 2020 A.D.

[Schedule "A" map: Zoning Change From '(H)MO2-1' To 'MO2-1'; Courtice, ZBA 2019-0016, Schedule 4; streets shown include Energy Drive and Cragg Road]

Adrian Foster, Mayor
C. Anne Greentree, Municipal Clerk

The Corporation of the Municipality of Clarington
By-law 2020-033

Being a By-law to amend By-law 84-63, the Comprehensive Zoning By-law for the Corporation of the Municipality of Clarington

Whereas the Council of the Corporation of the Municipality of Clarington deems it advisable to amend By-law 84-63, as amended, of the Corporation of the Municipality of Clarington to permit the development of 333 townhouse dwellings on the subject lands (ZBA2017-0019);

Now Therefore Be It Resolved That the Council of the Corporation of the Municipality of Clarington enacts as follows:

1. Schedule 3 (Bowmanville) to By-law 84-63, as amended, is hereby further amended by changing the zone designation from "Urban Residential Exception ((H)R3-43) Zone" to "Urban Residential Exception (R3-43) Zone" as illustrated on the attached Schedule "A".

3.
This By-law shall come into effect on the date of passing hereof, subject to the provisions of Sections 34 and 36 of the Planning Act.

Passed in Open Council this 25th day of May, 2020

Adrian Foster, Mayor
C. Anne Greentree, Municipal Clerk

This is Schedule "A" to By-law 2020-033, passed this 25th day of May, 2020 A.D.

[Schedule "A" map: Zoning Change From '(H)R3-43' To 'R3-43'; Bowmanville, ZBA 2017-0019, Schedule 3; streets shown include Port Darlington Road]

Adrian Foster, Mayor
C. Anne Greentree, Municipal Clerk