© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data Protection: Encryption, Availability,
Resiliency, and Durability
Ken Beer
General Manager
AWS Key Management Service
SEC325
Peter M. O’Donnell
Senior Solutions Architect
Strategic Accounts
Agenda
• Tenets for data protection
• AWS Identity & Access Management – understanding access policies
• Protecting data in:
• AWS database & analytical services
• AWS Secrets Manager
• AWS storage services
• AWS Key Management Service - encryption as another data protection
mechanism
Confidentiality, Integrity, Availability
Confidentiality
Controlled, authorized access
Preventing exposure, leakage, and theft
Integrity
Trustworthy, coherent data
Preventing corruption and unauthorized
modification
Availability
Reliable, timely access
Preventing denial of service at the data layer
Least Privilege
Security best practice
Start with a minimum set of permissions
Grant additional permissions as necessary
Define only the required set of permissions
What actions a particular service supports
What collection of API actions are required for the specific task
What permissions are required to perform those actions
AWS Identity & Access Management overview
Identities
- Identity of actors, known as principals (users, groups, roles)
- AWS IAM/Directory can manage cloud identities or you can federate through
your own identity provider
API Actions
- What does the API do or how does it respond?
Resources
- AWS resources that IAM actions apply to
- Some resource types support resource policies that further define
allowed actions
Conditions
- Precisely define the required characteristics of identities, actions, resources,
and other request parameters before an action is allowed
AWS IAM example policies
User policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/department": "dev"}
      }
    }
  ]
}
AttachVolume and DetachVolume are authorized against both the instance and the volume, so a working version of this policy also lists arn:aws:ec2:*:*:volume/* in Resource (with the same tag condition); with the instance ARN alone the call is denied.
Resource policy:
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket/taxdocuments/*",
      "Condition": {
        "Null": {"aws:MultiFactorAuthAge": true}
      }
    }
  ]
}
aws:MultiFactorAuthAge is only present in requests made with credentials obtained through MFA, so this Deny applies to every request that was not authenticated with MFA, including requests signed with long-term access keys.
Data in AWS database & analytical services
Access control of resources vs. data
• Management of resource actions via AWS IAM
• Snapshots for durability in-region, snapshot
copies for durability out of region
• Maintain copies of data in separate AWS
accounts for maximum isolation
• Access to the data itself is governed by the database engine; Amazon RDS for
MySQL and PostgreSQL can authenticate database users with short-lived tokens
generated from IAM credentials (IAM database authentication) instead of stored passwords
• Essential to carefully manage database
credentials – including rotation!
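The IAM database authentication mentioned above replaces a stored database password with a signature: the client presents a SigV4-presigned "connect" request for the rds-db service as its password, and the engine verifies it against IAM. The block below is an added example, not AWS code and not part of the deck; it re-derives that token by hand so the pieces are visible (in practice you would call the SDK, for example boto3's rds client method generate_db_auth_token). The host name, user, key pair and timestamp are constructed sample values; the access key pair is the fake one AWS uses in its documentation.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Hand-rolled reimplementation (added example, not AWS code) of the RDS IAM database
# authentication token: a SigV4 presigned URL for the "rds-db" service whose query string
# names the DB user. No password is stored anywhere; the token expires after 15 minutes.
SERVICE = "rds-db"
TOKEN_LIFETIME_SECONDS = 900


def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    # SigV4 key derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _sign(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _sign(k_date, region)
    k_service = _sign(k_region, SERVICE)
    return _sign(k_service, "aws4_request")


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key, now, session_token=None):
    """Return the string to present as the password when connecting as db_user."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_LIFETIME_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (assumed roles) carry their session token too
        params["X-Amz-Security-Token"] = session_token
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    endpoint = f"{host}:{port}"
    canonical_request = "\n".join([
        "GET", "/", canonical_query,
        f"host:{endpoint}\n",              # canonical headers block ends with a blank line
        "host",                            # signed headers
        hashlib.sha256(b"").hexdigest(),   # hash of the empty payload
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{endpoint}/?{canonical_query}&X-Amz-Signature={signature}"


def token_seconds_remaining(token: str, now) -> int:
    """Client-side freshness check from the token's own X-Amz-Date and X-Amz-Expires."""
    query = dict(part.split("=", 1) for part in token.split("?", 1)[1].split("&"))
    issued = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(query["X-Amz-Expires"]) - int((now - issued).total_seconds())


# Constructed sample inputs; the key pair is the fake example pair from the AWS documentation.
SAMPLE_NOW = datetime(2018, 11, 26, 12, 0, 0, tzinfo=timezone.utc)


def sample_token(db_user="app_user", now=SAMPLE_NOW) -> str:
    return generate_db_auth_token("mydb.cluster-abc.us-east-1.rds.amazonaws.com", 3306, db_user,
                                  "us-east-1", "AKIAIOSFODNN7EXAMPLE",
                                  "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", now)


if __name__ == "__main__":
    token = sample_token()
    print(token)
    print("seconds of validity left:", token_seconds_remaining(token, SAMPLE_NOW))
```

The token is passed as the password over a TLS connection (for MySQL the client must also enable the cleartext authentication plugin). What the example makes visible is the security property: the "password" is a signature over the DB user and a 15-minute window, produced from IAM credentials that can themselves be short-lived role credentials, so there is nothing long-lived to rotate or leak.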
AWS Secrets Manager
• Integrated with AWS IAM and services
• Controlling access to secrets is often the
same as controlling access to the data
• Too many humans handling secrets
creates risk and vulnerability
• Automated secret rotation provides
security and availability
• Integrates with Amazon RDS to update both clients
and database server with new credentials
AWS Secrets Manager features
[Feature diagram; the only label recovered from the slide is "Logging and monitoring"]
Data in AWS storage services
Protecting data in AWS storage services
Block storage
  Confidentiality: tag-based IAM policies
  Durability: share snapshots between accounts and copy between AWS regions
  Integrity: block integrity automatically provided
File storage
  Confidentiality: IAM policies for attachment; POSIX permissions for files and directories
  Durability: share snapshots between accounts and copy between AWS regions
  Integrity: file integrity automatically provided
Object storage (Amazon S3)
  Confidentiality: read/write object permissions (IAM and bucket resource policies); MFA Delete for deleting data
  Durability: S3 cross-region replication; versioning allows recovery of deleted objects
  Integrity: object integrity automatically provided
Amazon S3 security enhanced with VPC endpoints
[Diagram: an IAM role reaches an S3 bucket through an S3 VPC endpoint; three policies apply along that path: the IAM policy on the role, the VPC endpoint policy on the endpoint, and the bucket policy on the bucket]
Using IAM policies with Amazon S3
• “Which S3 API actions can this IAM
user/role perform under which
conditions?”
• Access control policy managed within
the IAM environment and set by IAM
administrators
• Optional: can specify buckets and
prefixes in the Resource portion of the
IAM policy
Using IAM policies with Amazon S3
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::reinventbucket/*"
    }
  ]
}
This grants object operations only; listing the contents of reinventbucket would additionally need s3:ListBucket on arn:aws:s3:::reinventbucket (the bucket ARN, without /*).
Using bucket resource policies with Amazon S3
• “Which IAM users/roles can access this
S3 bucket?”
• Policies are attached directly to the
Amazon S3 bucket
• Simple way to grant cross-account access to a bucket; note that a principal
in another account still needs an IAM policy in its own account that allows
the S3 actions, since cross-account access requires both sides to allow
Using bucket resource policies with Amazon S3
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
      "Condition": {
        "Null": {"aws:MultiFactorAuthAge": true}
      }
    }
  ]
}
Amazon VPC endpoint policy
• “Which IAM users/roles can connect to
which S3 buckets using this VPC?”
• Policies are attached directly to the VPC
endpoint
• Does not provide access to the bucket
by itself – IAM or bucket policies must
also allow S3 API actions
Amazon VPC endpoint policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "block-non-org",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"aws:PrincipalOrgID": ["o-2ex82pk2ma"]}
      }
    },
    {
      "Sid": "Access-to-specific-bucket-only",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}
The Deny keys on the calling principal, not on the bucket: it stops anyone inside the VPC from using credentials from an account outside your organization (for example, to copy data to a bucket they own). The Allow then limits which buckets the organization's own principals can reach through this endpoint.
Amazon S3 bucket policy and VPC endpoints
• “Which VPCs or VPC endpoints must be
used to access this S3 bucket?”
• Use policy to Deny all actions to
users/roles that are not coming from
specific VPCs or VPC endpoints
Amazon S3 bucket policy and VPC endpoints
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909153",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22",
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
Both condition keys sit under a single StringNotEquals (a JSON object cannot carry the same operator twice) and are ANDed: the request is denied only when it matches neither the VPC nor the endpoint. A request from outside any VPC carries neither key, which StringNotEquals treats as a match, so it is denied. Because this is an unconditional Deny for every principal, it also blocks console and CLI access from outside the VPC, including the administrator who would fix the policy; test it on a non-production bucket and consider exempting an administrative role before applying it.
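How the three policies on the S3 access path combine (IAM policy, VPC endpoint policy, bucket policy, as discussed on the preceding slides) is easier to see by running requests through them. The block below is an added example and not part of the deck or of any AWS library: a small evaluator implementing only the IAM semantics those examples rely on (explicit Deny beats Allow, wildcards in Action and Resource, the StringEquals, StringNotEquals and Null operators, negated operators matching when a key is absent). The policies and request contexts are constructed after the deck's examples; the bucket name, VPC, endpoint and organization IDs are the sample values from the slides, and same-account requests with wildcard resource-policy principals are assumed.

```python
import fnmatch

# Added example, not code from the deck: a small evaluator for the three policy layers on the
# S3 access path (identity policy, VPC endpoint policy, bucket policy). It implements only the
# IAM semantics the deck's examples use: explicit Deny beats Allow, "*"/"?" wildcards in Action
# and Resource, and the StringEquals / StringNotEquals / Null operators. Same-account requests
# only, and resource-policy principals are assumed to be "*" (as in the deck's examples).

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(condition, ctx):
    """Operator blocks and the keys inside them are ANDed."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if operator == "Null":  # "true" means the key must be absent from the request
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            elif operator == "StringEquals":  # positive operator: a missing key never matches
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":  # negated operator: a missing key matches
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document."""
    verdict = None
    for stmt in policy["Statement"]:
        if stmt.get("Principal", "*") != "*":
            continue
        if not (_matches_any(stmt["Action"], action) and _matches_any(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final, whatever else allows
        verdict = "Allow"
    return verdict

def authorize(action, resource, ctx, identity_policy, bucket_policy, endpoint_policy):
    """Same-account combination: any Deny wins; otherwise identity or bucket policy must allow,
    and if the request came through a VPC endpoint (aws:sourceVpce set) that policy must too."""
    layers = {"identity": evaluate(identity_policy, action, resource, ctx),
              "bucket": evaluate(bucket_policy, action, resource, ctx)}
    if "aws:sourceVpce" in ctx:
        layers["endpoint"] = evaluate(endpoint_policy, action, resource, ctx)
    denied_by = [name for name, verdict in layers.items() if verdict == "Deny"]
    if denied_by:
        return "explicit deny (" + ", ".join(denied_by) + ")"
    if "Allow" not in (layers["identity"], layers["bucket"]):
        return "implicit deny (nothing allows)"
    if layers.get("endpoint", "Allow") != "Allow":
        return "implicit deny (endpoint policy does not allow)"
    return "allow"

# Constructed sample policies modelled on the deck's, all for one bucket, examplebucket.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::examplebucket/*"}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
     "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-111bbb22",
                                       "aws:sourceVpce": "vpce-1a2b3c4d"}}}]}
ENDPOINT_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": ["o-2ex82pk2ma"]}}},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]}]}

# Constructed request contexts: the condition keys IAM would populate in each situation.
FROM_INTERNET = {"aws:PrincipalOrgID": "o-2ex82pk2ma"}
VIA_ENDPOINT = dict(FROM_INTERNET, **{"aws:sourceVpc": "vpc-111bbb22", "aws:sourceVpce": "vpce-1a2b3c4d"})
WITH_MFA = dict(VIA_ENDPOINT, **{"aws:MultiFactorAuthAge": "120"})
OUTSIDE_ORG = {k: v for k, v in VIA_ENDPOINT.items() if k != "aws:PrincipalOrgID"}

def scenarios():
    """Outcome of each constructed request against the three sample policies."""
    def ask(action, resource, ctx):
        return authorize(action, resource, ctx, IDENTITY_POLICY, BUCKET_POLICY, ENDPOINT_POLICY)
    report = "arn:aws:s3:::examplebucket/reports/q3.csv"
    taxdoc = "arn:aws:s3:::examplebucket/taxdocuments/2018.pdf"
    return {
        "report via endpoint": ask("s3:GetObject", report, VIA_ENDPOINT),
        "report from the internet": ask("s3:GetObject", report, FROM_INTERNET),
        "tax document via endpoint, no MFA": ask("s3:GetObject", taxdoc, VIA_ENDPOINT),
        "tax document via endpoint, with MFA": ask("s3:GetObject", taxdoc, WITH_MFA),
        "other bucket via endpoint": ask("s3:GetObject", "arn:aws:s3:::otherbucket/x", VIA_ENDPOINT),
        "list all buckets via endpoint": ask("s3:ListAllMyBuckets", "arn:aws:s3:::*", VIA_ENDPOINT),
        "principal outside the org via endpoint": ask("s3:GetObject", report, OUTSIDE_ORG),
    }

if __name__ == "__main__":
    for situation, outcome in scenarios().items():
        print(f"{situation}: {outcome}")
```

Two of the outcomes are the ones the slides describe in words: a request from outside the VPC is denied by the bucket policy even though the identity policy allows it, and ListAllMyBuckets through the endpoint is denied because the endpoint policy only allows the one bucket, which is what "does not provide access to the bucket by itself" means in practice. The real service also evaluates permission boundaries, session policies, SCPs and cross-account rules, none of which this toy models.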
Default encryption for an Amazon S3 bucket
• “Any object placed into this
bucket must be encrypted with
a specific key.”
• Works with either S3-managed
keys (SSE-S3) or KMS keys (SSE-KMS)
• Applies encryption when the client
calling PUT omits the encryption
headers; a client that names a different
SSE-KMS key in its request still gets that
key, so to require one specific key, add a
bucket policy that denies s3:PutObject
unless s3:x-amz-server-side-encryption-aws-kms-key-id
equals that key's ARN
PUT /?encryption HTTP/1.1
Host: examplebucket.s3.amazonaws.com
Date: Mon, 26 Nov 2018 12:00:00 GMT
Authorization: authorization string
Content-Length: length

<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Rule>
    <ApplyServerSideEncryptionByDefault>
      <SSEAlgorithm>aws:kms</SSEAlgorithm>
      <KMSMasterKeyID>arn:aws:kms:us-east-1:123456789012:alias/example</KMSMasterKeyID>
    </ApplyServerSideEncryptionByDefault>
  </Rule>
</ServerSideEncryptionConfiguration>
Why encrypt in the cloud?
What everyone says:
• Compliance
• Best practice in security
• Protect myself from my cloud
provider’s other customers
• Protect myself from my cloud provider
What everyone means:
• I have control of the keys needed for decryption
• Prevent unauthorized physical access to plaintext data
[Diagram: the S3 access path from the earlier slides (role, S3 VPC endpoint, bucket, with IAM policy, VPC endpoint policy and bucket policy), extended with a KMS CMK governed by its KMS key policy]
“I have control of the keys needed for decryption”
[Diagram: envelope encryption. Hardware or software encrypts plaintext data under a symmetric data key; the encrypted data goes to storage together with the data key encrypted under a master key. Question marks mark where the plaintext data key and the master key live.]
Plaintext keys need to exist somewhere
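The diagram's key hierarchy, and the client-side encryption model described later in the deck (encrypt before handing data to the service), in working code. This is an added example and not code from the deck, AWS KMS or the AWS Encryption SDK. KeyService is a stand-in for the HSM or KMS: the master key never leaves it, and the only operations it exposes are "give me a fresh data key, wrapped" and "unwrap this data key", which is the shape of KMS GenerateDataKey and Decrypt. The AEAD cipher is a standard-library stand-in (HMAC-SHA256 keystream in counter mode with an HMAC tag, encrypt-then-MAC) so the block runs without third-party packages; real code should use AES-GCM, for example from the cryptography package, with the same key hierarchy. Key ID, record contents and the single-bit tamper check are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Added example, not AWS code: envelope encryption with the key hierarchy from the diagram.
# The master key stays inside KeyService; the plaintext data key exists in the client only for
# the duration of one encrypt or decrypt call; storage holds the wrapped data key next to the
# ciphertext. The cipher below is a stdlib stand-in for AES-GCM (see the lead-in).
NONCE_LEN, TAG_LEN = 16, 32


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(_prf(key, nonce + struct.pack(">Q", i)) for i in range(blocks))[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Returns nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_prf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), aad + nonce + ct)


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), aad + nonce + ct)):
        raise ValueError("authentication failed: ciphertext, nonce or aad was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))


class KeyService:
    """Stand-in for KMS/CloudHSM: master keys live only inside this object."""

    def __init__(self):
        self._master_keys = {}

    def create_key(self, key_id: str) -> None:
        self._master_keys[key_id] = os.urandom(32)

    def generate_data_key(self, key_id: str):
        """Like KMS GenerateDataKey: (plaintext data key, the same key wrapped under key_id)."""
        data_key = os.urandom(32)
        return data_key, aead_encrypt(self._master_keys[key_id], data_key, aad=key_id.encode())

    def decrypt_data_key(self, key_id: str, wrapped: bytes) -> bytes:
        """Like KMS Decrypt: unwraps a data key; the master key itself is never returned."""
        return aead_decrypt(self._master_keys[key_id], wrapped, aad=key_id.encode())


def encrypt_record(kms: KeyService, key_id: str, plaintext: bytes) -> dict:
    """Client side: the plaintext data key is used once and never persisted."""
    data_key, wrapped = kms.generate_data_key(key_id)
    body = aead_encrypt(data_key, plaintext, aad=wrapped)  # bind the body to its own wrapped key
    del data_key  # Python cannot guarantee wiping; the point is that it never reaches storage
    return {"key_id": key_id, "wrapped_key": wrapped, "body": body}  # what goes to storage


def decrypt_record(kms: KeyService, record: dict) -> bytes:
    data_key = kms.decrypt_data_key(record["key_id"], record["wrapped_key"])
    return aead_decrypt(data_key, record["body"], aad=record["wrapped_key"])


def tampering_is_detected(kms: KeyService, record: dict) -> bool:
    """Flip one bit of the stored body; decryption must refuse rather than return garbage."""
    body = bytearray(record["body"])
    body[NONCE_LEN] ^= 0x01
    try:
        decrypt_record(kms, dict(record, body=bytes(body)))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    kms = KeyService()
    kms.create_key("alias/example")  # constructed key id
    record = encrypt_record(kms, "alias/example", b"constructed sample: card 4111 1111 1111 1111")
    print(len(record["wrapped_key"]), "bytes of wrapped key stored next to", len(record["body"]), "bytes of body")
    print(decrypt_record(kms, record))
```

The answer to "where do the plaintext keys exist" is visible in the code: the master key only inside KeyService, the data key only in client memory between GenerateDataKey and the end of the call, and nothing in storage except wrapped keys and ciphertext. Access to the data is therefore exactly access to the decrypt_data_key operation, which is what a KMS key policy governs.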
Where might the necessary plaintext keys exist?
On-premises in your HSM
• Pro: You control the device,
authentication, authorization
• Pro: looks familiar to your auditors
• Con: Latency, availability, durability, and
scalability are your responsibility
• Con: Limited integration with cloud
managed services
Where might the necessary plaintext keys exist?
In the cloud in your HSM (e.g. AWS CloudHSM)
• Pro: You control the authentication, authorization
• Pro: Lower latency to your apps in the cloud
• Pro: AWS makes it easy to have higher availability,
durability, and scalability
• Pro: looks familiar to your auditors
• Con: Limited integration with cloud managed services
Where might the necessary plaintext keys exist?
In the cloud in a managed HSM (e.g. AWS KMS)
• Pro: You control authentication and authorization
• Pro: Lower latency to your apps in the cloud
• Pro: AWS owns availability, durability, and scalability
• Pro: integration with cloud managed services
• Con: Looks unfamiliar to your auditors
Security controls enforced by KMS HSMs
When operational with key material provisioned:
• No AWS operator access to HSM; no software updates allowed
After reboot and in a non-operational state:
• No key material on host
• Software can only be updated:
• After multiple AWS employees have reviewed the code
• Under quorum of multiple authenticated KMS operators
Third-party verified evidence
• FIPS 140-2 Level 2 overall with Level 3 Physical Security, Design
Assurance, Cryptography
• SOC 1 – Control 4.5: Customer master keys used for cryptographic
operations in KMS are logically secured so that no single AWS
employee can gain access to the key material.
“I have control of the keys needed for decryption”
Each Customer Master Key (CMK) has a resource policy to define permissions
Sample permissions on a key:
• Can only be used for encryption and decryption by <these users and roles> in
<these accounts>
• Can be used by application A to encrypt and only used by application B to
decrypt
• Can be managed only by this set of administrator IAM users or IAM roles
• Can be used by <these external accounts>, but only for encryption/decryption,
not administrative tasks
Uses the same policy syntax as AWS IAM user/role policies
AWS KMS Key Policy
Statement for key administrators (they manage the key but cannot use it to encrypt or decrypt):
{
  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789012:user/AdminUser1"},
  "Action": [
    "kms:Create*", "kms:Describe*", "kms:List*", "kms:Get*",
    "kms:Enable*", "kms:Disable*", "kms:Put*", "kms:Update*",
    "kms:Revoke*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
  ],
  "Resource": "*"
}
Note that kms:Create* includes kms:CreateGrant and kms:Put* includes kms:PutKeyPolicy, so an administrator can still extend use of the key to other principals, including themselves; audit those calls in CloudTrail.
AWS KMS Key Policy
Statement for key users (they use the key for cryptographic operations but cannot manage it):
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789012:role/IAMRole"},
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
Client-side encryption
Encrypt data before you give it to an AWS service
[Diagram: your applications, whether in your corporate data center or in EC2, use the AWS Encryption SDK with keys from your own key management infrastructure (on premises or in EC2), from AWS KMS, or from AWS CloudHSM, and hand only already-encrypted data to AWS services]
Server-side encryption
Ask the AWS service to encrypt data after you’ve uploaded it
[Diagram: your applications, whether in your corporate data center or in EC2, upload data through the AWS SDK; the AWS service encrypts it using keys from AWS KMS]
AWS KMS custom key store
Old ways to use AWS KMS or AWS CloudHSM
[Diagram, inside the AWS Cloud: a CloudHSM cluster in your VPC serves custom clients that use PKCS#11, JCE, or CNG; separately, customers’ applications (via AWS SDKs) and 50+ AWS services call the KMS endpoint, which is backed by the KMS HSM fleet and the KMS standard key store. The two key stores are not connected.]
KMS custom key store
[Diagram: the same picture with a custom key store “connector” between AWS KMS and your CloudHSM cluster, so KMS calls from customers’ applications and AWS services can be served by keys held in your own CloudHSM cluster, while PKCS#11, JCE, and CNG clients keep using the cluster directly]
Custom Key Store in new AWS KMS console
Is KMS custom key store right for you?
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
Search on “AWS Security Blog”
Summary
• Data protection in AWS is mostly about access control -
understand your IAM, resource, and network VPC policies
• If you allow AWS to manage the physical security of your keys
in FIPS 140-2 validated HSMs, encryption and key management
become yet another access control exercise
Related breakouts
SEC329 - AWS Encryption SDK: The Busy Engineer's Guide to
Client-Side Encryption
SEC353 Keeping Secrets: Securing Your Data with AWS Cryptography
Friday, Nov 30, 9:15 AM - 10:15 AM | Venetian, Level 2, Veronese 2402
SEC358 - Deep Dive on AWS CloudHSM
Wednesday, Nov 28, 4:45 PM - 5:45 PM | Venetian, Level 2, Veronese 2402
Friday, Nov 30, 9:15 AM - 10:15 AM | Venetian, Level 2, Veronese 2402
SEC325 - [REPEAT] Data Protection: Encryption, Availability, Resiliency, and Durability
KMS Custom Key Store at AWS Launchpad
Thursday, Nov 29, 12 PM | Venetian, Level 2, Expo, AWS Launchpad Stage
Thank you!
Ken Beer
kenbeer@amazon.com
Peter M. O’Donnell
pmod@amazon.com

Data Protection: Encryption, Availability, Resiliency, and Durability (SEC325-R1) - AWS re:Invent 2018

  • 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Data Protection: Encryption, Availability, Resiliency, and Durability Ken Beer General Manager AWS Key Management Service S E C 3 2 5 Peter M. O’Donnell Senior Solutions Architect Strategic Accounts
  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda • Tenets for data protection • AWS Identity & Access Management – understanding access policies • Protecting data in: • AWS database & analytical services • AWS Secrets Manager • AWS storage services • AWS Key Management Service - encryption as another data protection mechanism
  • 3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Confidentiality, Integrity, Availability Confidentiality Controlled, authorized access Preventing exposure, leakage, and theft Integrity Trustworthy, coherent data Preventing corruption and unauthorized modification Availability Reliable, timely access Preventing denial of service at the data layer
  • 5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Least Privilege Security best practice Start with a minimum set of permissions Grant additional permissions as necessary Define only the required set of permissions What actions a particular service supports What collection of API actions are required for the specific task What permissions are required to perform those actions
  • 6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Identity & Access Management overview Identities - Identity of actors, known as principals (users, groups, roles) - AWS IAM/Directory can manage cloud identities or you can federate through your own identity provider API Actions - What does the API do or how does it respond? Resources - AWS resources that IAM actions apply to - Some resource types support resource policies that further define allowed actions Conditions - Precisely define required characteristics of identities, actions, resources, and other requests parameters to allow an action
  • 8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume"], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": {"ec2:ResourceTag/department": "dev"} }} ]} User policy AWS IAM example policies
  • 9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume"], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": {"ec2:ResourceTag/department": "dev"} }} ]} { "Version": "2012-10-17", "Id": "123", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/taxdocuments/*", "Condition": { "Null": { "aws:MultiFactorAuthAge": true }} } ]} User policy AWS IAM example policies Resource policy
  • 10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Data in AWS database & analytical services
  • 12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Access control of resources vs. data • Management of resource actions via AWS IAM • Snapshots for durability in-region, snapshot copies for durability out of region • Maintain copies of data in separate AWS accounts for maximum isolation • Access to data itself governed by the database; MySQL & PostgreSQL can integrate with AWS IAM to generate credentials • Essential to carefully manage database credentials – including rotation!
  • 13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Secrets Manager • Integrated with AWS IAM and services • Controlling access to secrets is often the same as controlling access to the data • Too many humans handling secrets creates risk and vulnerability • Automated secret rotation provides security and availability • Integrates with Amazon RDS to update both clients and database server with new credentials
  • 15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Secrets Manager Features Logging and monitoring
  • 16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Data in AWS storage services
  • 18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Protecting data in AWS storage services Confidentiality: tag-based IAM policies Durability: share snapshots between accounts and copy between AWS regions Integrity: block integrity automatically provided Confidentiality: IAM policies for attachment; POSIX permission for files / directories Durability: share snapshots between accounts and copy between AWS regions Integrity: file integrity automatically provided Confidentiality: read/write object permissions (IAM and bucket resource policies); MFA for deleting data Durability: S3 cross-region replication; versioning allows recovery of deleted objects Integrity: object integrity automatically provided
• 19. Amazon S3 security enhanced with VPC endpoints
  [Diagram: a Role reaching an S3 Bucket through an S3 VPC Endpoint, with the three policies that apply along the path: IAM Policy, VPCe Policy, Bucket Policy. The same diagram is repeated on slides 20–29.]
• 20. Using IAM policies with Amazon S3
  • "Which S3 API actions can this IAM user/role perform under which conditions?"
  • Access control policy managed within the IAM environment and set by IAM administrators
  • Optional: can specify buckets and prefixes in the Resource portion of the IAM policy
• 21. Using IAM policies with Amazon S3
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:ListAllMyBuckets"],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
          "Resource": "arn:aws:s3:::reinventbucket/*"
        }
      ]
    }
• 22. Using bucket resource policies with Amazon S3
  • "Which IAM users/roles can access this S3 bucket?"
  • Policies are attached directly to the Amazon S3 bucket
  • Simple way to grant cross-account access to your S3 environment without using IAM policies
• 23. Using bucket resource policies with Amazon S3
    {
      "Version": "2012-10-17",
      "Id": "123",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
          "Condition": { "Null": { "aws:MultiFactorAuthAge": true } }
        }
      ]
    }
• 24. Amazon VPC endpoint policy
  • "Which IAM users/roles can connect to which S3 buckets using this VPC?"
  • Policies are attached directly to the VPC endpoint
  • Does not provide access to the bucket by itself – IAM or bucket policies must also allow S3 API actions
• 25. Amazon VPC endpoint policy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "block-non-org",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "*",
          "Condition": { "StringNotEquals": { "aws:PrincipalOrgID": ["o-2ex82pk2ma"] } }
        },
        {
          "Sid": "Access-to-specific-bucket-only",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]
        }
      ]
    }
• 26. Amazon S3 bucket policy and VPC endpoints
  • "Which VPCs/VPC endpoints must be used to access this S3 bucket?"
  • Use the policy to Deny all actions to users/roles that are not coming from specific VPCs or VPC endpoints
• 27. Amazon S3 bucket policy and VPC endpoints
    {
      "Version": "2012-10-17",
      "Id": "Policy1415115909153",
      "Statement": [
        {
          "Sid": "Access-to-specific-VPC-only",
          "Principal": "*",
          "Action": "s3:*",
          "Effect": "Deny",
          "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
          "Condition": {
            "StringNotEquals": {
              "aws:sourceVpc": "vpc-111bbb22",
              "aws:sourceVpce": "vpce-1a2b3c4d"
            }
          }
        }
      ]
    }
  (Both context keys sit under one StringNotEquals block rather than two; keys under one operator are ANDed, so the Deny applies only when the request matches neither the VPC nor the endpoint.)
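How the IAM, VPC endpoint and bucket policies of slides 20–27 combine, as an added example in Python that is not AWS code: a small evaluator applying the explicit-deny-wins rule and the two condition operators the slides use, run against the slide 27 bucket policy plus a constructed IAM allow. Principal matching is deliberately left out (assume a principal in the bucket's own account), and `check_get` is a helper name chosen here.

```python
from fnmatch import fnmatchcase

# Added example, not AWS code: a minimal model of how IAM, VPC endpoint and bucket
# policies combine. Principal matching is omitted; only the condition operators the
# slides use ("StringNotEquals", "Null") are modelled.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # Operators and keys are ANDed; the listed values for one key are ORed.
    for operator, keys in condition.items():
        for key, values in keys.items():
            values = [str(v).lower() if isinstance(v, bool) else v for v in _as_list(values)]
            present = key in context
            if operator == "StringNotEquals":  # negated operator: holds when the key is absent
                if present and context[key] in values:
                    return False
            elif operator == "Null":  # "true": key must be absent; "false": key must be present
                if (values[0] == "true") == present:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True

def evaluate(policies, action, resource, context):
    """Explicit Deny in any policy wins; otherwise any matching Allow grants; else implicit deny."""
    allowed = False
    for stmt in (s for p in policies for s in p["Statement"]):
        if (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                and _condition_holds(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# Constructed sample: an IAM policy granting reads on examplebucket (in the style of slide 21)
# plus the slide 27 bucket policy denying anything not arriving via the named VPC or endpoint.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::examplebucket/*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Access-to-specific-VPC-only", "Principal": "*", "Action": "s3:*", "Effect": "Deny",
     "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-111bbb22",
                                       "aws:sourceVpce": "vpce-1a2b3c4d"}}}]}

def check_get(context):
    """Decision for one GetObject on examplebucket under the request context given."""
    return evaluate([IAM_POLICY, BUCKET_POLICY], "s3:GetObject",
                    "arn:aws:s3:::examplebucket/data/report.csv", context)
```

A request from the public internet carries neither aws:sourceVpc nor aws:sourceVpce, so both negated conditions hold and the Deny fires; a request through the named VPC or endpoint falls through to the IAM allow.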
• 28. Default encryption for an Amazon S3 bucket
  • "Any object placed into this bucket must be encrypted with a specific key."
  • Works with either S3-managed keys or KMS master keys
  • Ensures encryption if the client calling S3 PUT forgets to set encryption as a parameter

    PUT /?encryption HTTP/1.1
    Host: examplebucket.s3.amazonaws.com
    Date: Mon, 26 Nov 2018 12:00:00 GMT
    Authorization: authorization string
    Content-Length: length

    <ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
      <Rule>
        <ApplyServerSideEncryptionByDefault>
          <SSEAlgorithm>aws:kms</SSEAlgorithm>
          <KMSMasterKeyID>arn:aws:kms:us-east-1:123456789012:key-alias/example</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
      </Rule>
    </ServerSideEncryptionConfiguration>
• 29. Why encrypt in the cloud?
  What everyone says:
  • Compliance
  • Best practice in security
  • Protect myself from my cloud provider's other customers
  • Protect myself from my cloud provider
  What everyone means:
  • I have control of the keys needed for decryption
  • Prevent unauthorized physical access to plaintext data
• 30. Ken Beer, General Manager, AWS Key Management Service
• 31. "I have control of the keys needed for decryption"
  Plaintext keys need to exist somewhere
  [Diagram: plaintext data passes through hardware/software and comes out as encrypted data, encrypted under a symmetric data key; the encrypted data and the encrypted data key are kept in storage; the data key is itself encrypted under a master key; the locations of the plaintext symmetric data key and of the master key are marked "?"]
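The key hierarchy on this slide, as an added example that is not AWS or KMS code: a master key that hands out per-object data keys and returns them wrapped, with the encrypted data key stored beside the ciphertext and the plaintext data key discarded after use. The `MasterKey` class, the encryption-context binding and the HMAC-SHA256-based AEAD standing in for AES-GCM are assumptions made so the example runs with the Python standard library alone.

```python
import hashlib, hmac, os, struct

# Added example, not AWS or KMS code. Models the slide's key hierarchy: a master key that
# never leaves its holder, a per-object data key, and an encrypted copy of that data key
# stored beside the ciphertext. Stand-in AEAD (assumption, stdlib only): HMAC-SHA256 as a
# PRF in counter mode for confidentiality plus an HMAC tag (encrypt-then-MAC), not AES-GCM.

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def aead_encrypt(key, plaintext, aad=b""):
    enc_key, mac_key = key[:16], key[16:]
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = key[:16], key[16:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key, wrong context, or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _encode_context(context):
    # The encryption context is bound to the wrapped key as AAD, as KMS does; it is not secret.
    return "&".join(f"{k}={context[k]}" for k in sorted(context)).encode()

class MasterKey:
    """Stand-in for a KMS CMK: callers receive data keys, never the master key itself."""
    def __init__(self):
        self._key = os.urandom(32)
    def generate_data_key(self, context):
        plaintext_key = os.urandom(32)
        return plaintext_key, aead_encrypt(self._key, plaintext_key, _encode_context(context))
    def decrypt_data_key(self, encrypted_key, context):
        return aead_decrypt(self._key, encrypted_key, _encode_context(context))

def encrypt_object(cmk, data, context):
    data_key, encrypted_data_key = cmk.generate_data_key(context)
    # Only the encrypted data key is persisted; the plaintext data key lives for this call only.
    return {"encrypted_data_key": encrypted_data_key, "ciphertext": aead_encrypt(data_key, data)}

def decrypt_object(cmk, record, context):
    data_key = cmk.decrypt_data_key(record["encrypted_data_key"], context)
    return aead_decrypt(data_key, record["ciphertext"])
```

Decrypting with a different master key, a different encryption context, or a modified ciphertext fails the integrity check rather than returning garbage, which is the behaviour to expect from KMS Decrypt on a mismatched context.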
• 32. Where might the necessary plaintext keys exist? On-premises in your HSM
  • Pro: You control the device, authentication, authorization
  • Pro: Looks familiar to your auditors
  • Con: Latency, availability, durability, scalability are your responsibility
  • Con: Limited integration with cloud managed services
• 33. Where might the necessary plaintext keys exist? In the cloud in your HSM (e.g. AWS CloudHSM)
  • Pro: You control the authentication, authorization
  • Pro: Lower latency to your apps in the cloud
  • Pro: AWS makes it easy to have higher availability, durability, and scalability
  • Pro: Looks familiar to your auditors
  • Con: Limited integration with cloud managed services
• 34. Where might the necessary plaintext keys exist? In the cloud in a managed HSM (e.g. AWS KMS)
  • Pro: You control authentication and authorization
  • Pro: Lower latency to your apps in the cloud
  • Pro: AWS owns availability, durability, and scalability
  • Pro: Integration with cloud managed services
  • Con: Looks unfamiliar to your auditors
• 35. Security controls enforced by KMS HSMs
  When operational with key material provisioned:
  • No AWS operator access to HSM; no software updates allowed
  After reboot and in a non-operational state:
  • No key material on host
  • Software can only be updated:
    • After multiple AWS employees have reviewed the code
    • Under quorum of multiple authenticated KMS operators
  Third-party verified evidence:
  • FIPS 140-2 Level 2 overall with Level 3 Physical Security, Design Assurance, Cryptography
  • SOC 1 – Control 4.5: Customer master keys used for cryptographic operations in KMS are logically secured so that no single AWS employee can gain access to the key material.
• 36. "I have control of the keys needed for decryption"
  Each Customer Master Key (CMK) has a resource policy to define permissions. Sample permissions on a key:
  • Can only be used for encryption and decryption by <these users and roles> in <these accounts>
  • Can be used by application A to encrypt and only used by application B to decrypt
  • Can be managed only by this set of administrator IAM users or IAM roles
  • Can be used by <these external accounts>, but only for encryption/decryption, not administrative tasks
  Uses the same policy syntax as AWS IAM user/role policies
• 37. AWS KMS key policy (statement granting key administration)
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:user/AdminUser1" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:List*", "kms:Get*",
        "kms:Enable*", "kms:Disable*", "kms:Put*", "kms:Update*",
        "kms:Revoke*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    }
• 38. AWS KMS key policy (statement granting key use)
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/IAMRole" },
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*"
    }
• 40. Client-side encryption: encrypt data before you give it to an AWS service
  [Diagram: data from your applications in your data center, or from your application in EC2, is encrypted with the AWS Encryption SDK using keys from your own key management infrastructure (in the corporate data center or in EC2), AWS KMS, or AWS CloudHSM, before it lands as your encrypted data in AWS services]
• 41. Server-side encryption: ask the AWS service to encrypt data after you've uploaded it
  [Diagram: data from your applications in your data center, or from your application in EC2, is sent via the AWS SDK to the service, which encrypts it using AWS KMS and stores it as your encrypted data in AWS services]
• 43. AWS KMS custom key store
  [Diagram: clients and AWS services]
• 44. Old ways to use AWS KMS or AWS CloudHSM
  [Diagram, AWS Cloud: custom clients using PKCS#11, JCE, CNG talk to a CloudHSM cluster in a VPC; customers' applications via AWS SDKs and 50+ AWS services talk to the KMS endpoint, backed by the KMS standard key store on the KMS HSM fleet]
• 45. [Diagram, AWS Cloud: as on slide 44, with a KMS custom key store added beside the KMS standard key store and a custom key store "connector" linking AWS KMS to the CloudHSM cluster in the VPC; custom clients using PKCS#11, JCE, CNG still reach the cluster directly]
• 46. Custom key store in the new AWS KMS console
• 47. Is KMS custom key store right for you?
  https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
  Search on "AWS Security Blog"
• 48. Summary
  • Data protection in AWS is mostly about access control - understand your IAM, resource, and network VPC policies
  • If you allow AWS to manage the physical security of your keys in FIPS 140-2 validated HSMs, encryption and key management become yet another access control exercise
• 49. Related breakouts
  SEC329 - AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption
  SEC353 - Keeping Secrets: Securing Your Data with AWS Cryptography
  Friday, Nov 30, 9:15 AM - 10:15 AM | Venetian, Level 2, Veronese 2402
  SEC358 - Deep Dive on AWS CloudHSM
  Wednesday, Nov 28, 4:45 PM - 5:45 PM | Venetian, Level 2, Veronese 2402
  Friday, Nov 30, 9:15 AM - 10:15 AM | Venetian, Level 2, Veronese 2402
  SEC325 - [REPEAT] Data Protection: Encryption, Availability, Resiliency, and Durability
  KMS Custom Key Store at AWS Launchpad
  Thursday, Nov 29, 12 PM | Venetian, Level 2, Expo, AWS Launchpad Stage
• 50. Thank you!
  Ken Beer, kenbeer@amazon.com
  Peter M. O'Donnell, pmod@amazon.com