AWS Security and Encryption

Editor's Notes

• #5: Lots of options to give you full control and flexibility, from fully managed solutions to solutions where you bring your own key and encrypt data before its sent to AWS. s2n is the open source TLS implementation that’s now handling 100% of traffic for S3
• #6: Covered in depth in the Best practices webinar
• #7: All AWS service endpoints are HTTPS When looking at connectivity for management or data transfer to and from your VPC consider using a VPN to secure communications If you have applications that send data between them You should use TLS to secure the connection. AWS Certificate Manager = ACM can generate , deploy and manage certs for you You can also secure external communications into you applications via ELB/ALB and CloudFront and use ACM to manage the certificate. It’s also possible to bring your own SSL cert and key to use.
• #9: Elastic Load Balancers, Amazon CloudFront distributions, or APIs for Amazon API Gateway. AWS Certificate Manager also works with AWS Elastic Beanstalk and AWSCloudFormation to help you manage certificates and use them with yourapplications in the AWS Cloud.
• #11: Organizational policies, or industry or government regulations, might require the use of encryption at rest to protect your data. The flexible nature of Amazon Web Services(AWS) allows you to choose from a variety of different options that meet your needs.
• #12: Encryption requires three components Data to encrypt An encryption algorithm (such as AES) Encryption keys to be used in conjunction with the data and algorithm Choosing the right algorithm is important but storing the keys safely and securely and protecting them from unauthorized use is critical Managing keys is often done using KMI. It has two main components, a storage layer to protect the plain text keys and a management layer that authorizes key usage
• #13: AWS gives you flexibility for encryption and its important to understand who has access to what. This means you can use different methods depending on data classification and either leverage the tool set AWS offers or bring your own. Lets look at three different models of encryption on AWS Model A: Bring your own encryption, full control doesn’t have to exist inside AWS (onprem) Model B: You use cloudHSM to store the keys but in your software you control the management of the keys and the encryption method Model C: AWS handles the heavy lifting of KMI systems for you via AWS Key Management Service KMS
• #14: This physical location of the KMI and the encryption method can be outside of AWS or in an Amazon Elastic Compute Cloud (Amazon EC2) instance you own. The encryption method can be a combination of open-source tools, AWS SDKs, or third-party software and/or hardware. You have full control over the KMI and the encryption method, AWS has no access and can not perform encryption or decryption on your behalf. Lets look how you’d use this model with different AWS servcies
• #15: You encrypt data using any method you want before you upload it to amazon S3 Many languages include many cryptographic libs (bouncy castle and open SSL are two common ones) AWS also has an alternative: Amazon S3 encryption client which is an open source set of API’s embedded in the AWS SDK. It allows you to supply the key from your KMI to encrypt and decrypt the data. If you are using the AWS encryption client on premise AWS never has access to your Keys or unencrypted data.
• #16: You encrypt data using any method you want before you upload it to amazon S3 Many languages include many cryptographic libs (bouncy castle and open SSL are two common ones) AWS also has an alternative: Amazon S3 encryption client which is an open source set of API’s embedded in the AWS SDK. It allows you to supply the key from your KMI to encrypt and decrypt the data. If you are using the AWS encryption client on premise AWS never has access to your Keys or unencrypted data.
• #18: Consider how you want data queries to work Design your data so that range data for searches doesn’t look up encrypted data in order to get useful results
• #19: CipherCloud Voltage Security
• #22: An HSM is a dedicated storage and data processing device that performs cryptographic operations using keys on the device. An HSM typically provides tamper evidence, or resistance, to protect keys from unauthorized use. A software-based authorization layer controls who can administer the HSM and which users or applications can use which keys within the HSM. AWS CloudHSM – fully managed (patching, HA, backups) - $1.47 per hour you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs flexibility to integrate with your applications using industry-standardAPIs, such as PKCS#11, Java Cryptography Extensions (JCE), and MicrosoftCryptoNG (CNG) libraries CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially-available HSMs
• #23: AWS CloudHSM – fully managed (patching, HA, backups) - $1.47 per hour you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs flexibility to integrate with your applications using industry-standardAPIs, such as PKCS#11, Java Cryptography Extensions (JCE), and MicrosoftCryptoNG (CNG) libraries CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially-available HSMs A HSM can store key material and perform encryption and decryption
• #24: Apps must be able to access the CLoudHSM in the VPC For the highest level of HA we recommend deploying multiple CLoudHSM’s across AZ’s or with an on prem SafeNet Luna appliance. AWS manages and monitors the HSM appliances, but does not have access to the keys. In fact, if you lose the access to your credentials, AWS can’t help you recover your key material. You can recover from your own backup if you have a backup with the required credentials.
• #26: Master keys are provisioned like in HSM’s and are never exported from the service New!!!!! KMS is now fips 140-2 validated https://aws.amazon.com/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/
• #27: A data key is generated by the AWS service at the time you request your data to be encrypted.
• #28: Data key is used to encrypt your data
• #29: The data key is then encrypted with a key-encrypting key unique to the service storing your data.
• #30: The encrypted data key and encrypted data are then stored by the AWS storage service on your behalf The key-encrypting keys are storage and managed separately from the data and data keys Strict access controls are placed on encryption keys designed to prevent unauthorized use by AWS employees. When you decrypt the reverse or the above process is started,
• #31: Server-side encryption: set an API flag and data is encrypted by AWS before its written to disk, bonus is that keys are periodically rotated and managed by S3. NO EXTRA cost Server-side encryption customer keys: Use your own generated AES-256 key, S3 encrypts the data and store the encrypted file and deletes the key from its systems. You need to supply the key when retrieving the data. Server-side encryption with KMS: By selecvting a KMS master key KMS generates a data encryption key (example above). S3 encrypts the object by requesting the plaintext object key from KMS and once its finishes deletes the key. The encrypted object and encrypted data key are then stored in S3
• #32: Volume key is returned in plain text to ec2 instance