
Encryption for Everyone - AWS Summit Sydney 2018

Encryption for Everyone

Powerful encryption capabilities are available in the core services of the AWS cloud. AWS continues to innovate and release enhancements to encryption-specific services, and expand the encryption capabilities in new services to make encryption easy for everyone. Learn how to take advantage of these services and features to protect and secure your data in the cloud.

Aurelien Requiem, Associate Solutions Architect, Amazon Web Services


  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Aurelien Requiem, Solutions Architect, Amazon Web Services. Encryption For Everyone
  2. Encryption Services: AWS Certificate Manager (ACM), AWS Key Management Service (KMS)
  3. AWS Key Management Service. Diagram labels: Data, Information, Business Logic, Data Encryption Key, Encrypted data + Encrypted data key, AWS KMS
  4. AWS Certificate Manager. Diagram labels: Customers, Employees, Customer Environment on AWS, Amazon CloudFront, Elastic Load Balancing, API Gateway, AWS Certificate Manager, AWS KMS
  5. Your Workload On AWS
  6. Multitier Workload on AWS. Diagram labels: Visitors / Users, Amazon CloudFront, Elastic Load Balancing, S3 Bucket, EBS snapshot, Amazon Relational Database Service (RDS), EC2 instances. Highlighted: Static content in Amazon S3
  7. Multitier Workload on AWS (same diagram). Highlighted: Customer content in Amazon EBS
  8. Multitier Workload on AWS (same diagram). Highlighted: Network communication
  9. Multitier Workload on AWS (same diagram)
  10. Multitier Workload on AWS (same diagram)
  11. Protecting Your Static Content In Amazon S3 (same diagram)
  12. Protecting Your Static Content In Amazon S3. Diagram labels: S3 Bucket, EC2 instances
  13. Protecting Your Static Content In Amazon S3: S3 Bucket properties (S3 Bucket, EC2 instances)
  14. Protecting Your Static Content In Amazon S3: KMS Key permissions for the EC2 role (S3 Bucket, EC2 instances)
  15. Protecting Your Static Content In Amazon S3 (S3 Bucket, EC2 instances)
     Command: aws s3 cp /space/data/hr-confidential-report.pdf s3://sydsummit18/hr-confidential-report.pdf
     Output: upload: /space/data/hr-confidential-report.pdf to s3://sydsummit18/hr-confidential-report.pdf
  16. Protecting Your Static Content In Amazon S3: Use KMS and you will never have a world-readable object
  17. Protecting Your Static Content In Amazon S3. Diagram labels: S3 Bucket, EC2 instances
  18. Protecting Your Static Content In Amazon S3: S3 Bucket Public. What if… S3 Bucket Policy:
     • Bucket public read
     • Bucket public write
  19. Protecting Your Static Content In Amazon S3: S3 Bucket Public. Results:
     • Bucket public read
     • Bucket public write
  20. Protecting Your Static Content In Amazon S3: S3 Bucket Public. Results:
     • Bucket public read: Denied
     • Bucket public write: Denied
  21. Protecting Your Static Content In Amazon S3: S3 Bucket Public. Reason:
     • Require KMS Key permission
  22. Protecting Your Static Content In Amazon S3: Use KMS and you will never have a world-readable object
  23. Protecting Your Content In Amazon EBS. Diagram labels: Visitors / Users, Amazon CloudFront, Elastic Load Balancing, S3 Bucket, EBS snapshot, Amazon Relational Database Service (RDS), EC2 instances
  24. Protecting Your Content In Amazon EBS: How EC2 and EBS work together. EC2 Instance (compute layer), EBS Volume(s) (storage layer)
  25. Protecting Your Content In Amazon EBS: Full disk encryption, in the past:
     • Have the data encryption key stored in plain text
     • Manually enter the encryption key passphrase
  26. Protecting Your Content In Amazon EBS: Creating an encrypted EBS volume
  27. Protecting Your Content In Amazon EBS: Which data is encrypted?
     • Data at rest in the EBS volume
     • Data moving between EBS and EC2
     • Underlying server performs encryption/decryption
     (EC2 Instance, compute layer; EBS Volume, storage layer)
  28. Protecting Your Content In Amazon EBS: Which data is encrypted?
     • All snapshots created from the EBS volume
     • All EBS volumes created from those snapshots
     (EBS Volume, EBS Snapshot, EBS Volume)
  29. Protecting Your Content In Amazon EBS (EBS Volume, EBS Snapshot, EBS Volume): Use KMS and never risk exposing your backups to the world
  30. Protecting Your Content In Amazon EBS: EBS Snapshot Public. What if… EBS Snapshot permissions:
     • Snapshot public read
  31. Protecting Your Content In Amazon EBS: EBS Snapshot Public. Results:
     • Copy snapshot: Denied
     • Create volume: Denied
  32. Protecting Your Content In Amazon EBS: EBS Snapshot Public. Reason:
     • Require KMS Key permissions
  33. Protecting Your Content In Amazon EBS: KMS, the service that keeps on giving… Diagram labels: EBS Volume, RDS Instance, EBS Volume, EC2 Instance. Amazon RDS takes advantage of EBS volumes for its storage layer. This enables you to get the same security benefits when encrypting your data at rest using KMS.
  34. Protecting Your Content In Amazon EBS: KMS, the service that keeps on giving… Diagram labels: EBS Snapshot, AWS Regions, AWS Account. When using KMS with integrated services, you enforce where data copy is allowed and who you share your data with.
  35. Multitier Workload On AWS. Diagram labels: Visitors / Users, EBS snapshot, EC2 instances, Amazon Relational Database Service (RDS), Elastic Load Balancing, S3 Bucket, Amazon CloudFront
  36. Multitier Workload On AWS (same diagram). Data in the workload: Login/Password, Personal information, Payment details, Confidential data, Company data
  37. Protecting Your Data In Transit (same diagram)
  38. Protecting Your Data In Transit. Diagram labels: Visitors / Users, Elastic Load Balancing, Amazon CloudFront
  39. Protecting Your Data In Transit. Reasons:
     • Assure data communication integrity
     • Protect against eavesdropping
     • Create trust online
     “Dance like no one is watching, encrypt like everyone is.” (Visitors / Users, Elastic Load Balancing, Amazon CloudFront)
  40. Protecting Your Data In Transit: Requesting a certificate
  41. Protecting Your Data In Transit: Deploying a certificate in Amazon CloudFront
  42. Protecting Your Data In Transit: What if…?
     • You forget to renew the certificate?
     (Visitors / Users, Elastic Load Balancing, Amazon CloudFront)
  43. Protecting Your Data In Transit: Features
     • Automated certificate renewal
     • Automated deployment
     (Visitors / Users, Elastic Load Balancing, Amazon CloudFront)
  44. Protecting Your Data In Transit: ACM, the service that also keeps on giving. Diagram labels: Amazon CloudFront, Elastic Load Balancing, API Gateway, AWS Certificate Manager. Other integrated services:
     • AWS Elastic Beanstalk
     • AWS CloudFormation
  45. Protecting Your Data In Transit: Security is our top priority. AWS Key Management Service (KMS), AWS Certificate Manager. Internal features:
     1. Certificate and private key encrypted with data key
     2. Data key encrypted with KMS master key
  46. Multitier Workload On AWS. Diagram labels: Visitors / Users, Amazon CloudFront, EBS snapshot, EC2 instances, Amazon Relational Database Service (RDS), Elastic Load Balancing, S3 Bucket
  47. Controls And Visibility
     • How do you track actions performed on your data?
     • How do you record actions that used your KMS keys?
     • How do you prove it’s really working?
  48. Controls And Visibility. CloudTrail provides:
     • AWS API logs for your account, per region
     • The ability to detect missing and altered logs
     Diagram labels: Services and customer API requests, AWS KMS, AWS CloudTrail, Amazon S3
  49. Controls And Visibility (repeat of slide 48)
  50. Controls And Visibility. AWS CloudTrail:
     • Records of all AWS API requests
     • Supports filtering rules
     • JSON format
     • Integrated with Amazon Athena
     • CloudTrail Processing Library for Java
     Reading CloudTrail logs is as easy as “The rule of 6 W”:
     • What happened?
     • When did it happen?
     • Which action and service?
     • Where to?
     • Who did it?
     • Where from?
  51. Controls And Visibility. A CloudTrail record (continued on slide 57):
     {
       "awsRegion": "ap-southeast-2",
       "errorCode": "AccessDenied",
       "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:ap-southeast-2:123456789012:key/abcdef12-1234-5678-90ab-cdef01234567",
       "eventID": "aa2c4a1b-e413-4a5a-877b-666190ba4cb9",
       "eventName": "Decrypt",
       "eventSource": "kms.amazonaws.com",
       "eventTime": "2018-03-12T10:37:14Z",
       "eventType": "AwsApiCall",
       "eventVersion": "1.05",
       "recipientAccountId": "123456789012",
       "requestID": "5449c522-25e1-11e8-bb5a-01b7ca551a5f",
       "requestParameters": null,
       "responseElements": null,
       "sourceIPAddress": "AWS Internal",
       "userAgent": "AWS Internal",
  52. Controls And Visibility (same record as slide 51)
     • What happened?
  53. Controls And Visibility (same record as slide 51)
     • What happened?
     • When did it happen?
  54. Controls And Visibility (same record as slide 51)
     • What happened?
     • Which action and service?
     • When did it happen?
  55. Controls And Visibility (same record as slide 51)
     • Where to?
     • What happened?
     • Which action and service?
     • When did it happen?
  56. Controls And Visibility (same record as slide 51)
     • Where to?
     • What happened?
     • Which action and service?
     • When did it happen?
     • Where from?
  57. Controls And Visibility. The record from slide 51, continued:
       "userIdentity": {
         "accessKeyId": "ASIAXXXXXXXX",
         "accountId": "123456789012",
         "arn": "arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678",
         "invokedBy": "AWS Internal",
         "principalId": "AROAXXXXXXXX:i-12345678",
         "sessionContext": {
           "attributes": { … },
           "sessionIssuer": {
             "accountId": "123456789012",
             "arn": "arn:aws:iam::123456789012:role/EC2WebAppRole",
             "principalId": "AROAXXXXXXXX",
             "type": "Role",
             "userName": "EC2WebAppRole"
           }
         },
         "type": "AssumedRole"
       }
     }
  58. Controls And Visibility (same userIdentity block as slide 57)
     • Who did it?
  59. What Did We Learn? Encryption for everyone. Broad range of integrated services. Strong controls and visibility of your data.
  60. How Much Does It Cost?
     AWS Certificate Manager: SSL/TLS certificates are free when provisioned through AWS Certificate Manager: $0.00
     AWS Key Management Service, example of 1 Customer Managed Key (CMK) when creating 250 EBS volumes per month:
     • 1 CMK: $1.00
     • 3 API requests to create and provision a unique data key for each EBS volume: 750 requests, minus 20,000 free-tier requests, leaves 0 billable requests: $0.00
     • Total: $1.00
  61. Where Should You Start?
     • Configure CloudTrail to save CloudTrail logs in your S3 bucket (AWS CloudTrail, Amazon S3)
     • Enable encryption at rest with KMS (Amazon S3, Amazon EBS, Amazon RDS)
  62. 34 Services Integrated With KMS: Amazon S3, Amazon EBS, Amazon RDS, Amazon Systems Manager, AWS Import/Export Snowball, AWS Storage Gateway, Amazon EFS, Amazon DynamoDB, AWS Database Migration Service, Amazon Lightsail, AWS Lambda, Amazon Redshift, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, AWS CodePipeline, AWS Cloud9, AWS CloudTrail, Amazon CloudWatch Logs, Amazon EMR, Amazon Kinesis Firehose, Amazon Kinesis Streams, Amazon Elasticsearch, Amazon Athena, Amazon Elastic Transcoder, Amazon SES, Amazon SQS, Amazon WorkSpaces, Amazon WorkMail, AWS Certificate Manager, Alexa for Business, Amazon SageMaker, Amazon Connect, Amazon Kinesis Video Streams. Categories shown: Storage & Content Delivery, Databases, Developer tools, Compute, Analytics, Enterprise Applications, Application Services, Management tools, Security, Identity & Compliance, Machine learning, Business productivity, Contact Center, Media Services
  63. References
     https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
     https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
     https://aws.amazon.com/blogs/security/
  64. Thank You
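The CloudTrail record on slides 51 to 58 is read with the deck's "rule of 6 W", and slides 21 and 32 show that the symptom of a missing KMS key permission is an AccessDenied on the KMS call. This added example (not code from the deck or from AWS) does both over a constructed log file: it answers the six questions for one record and lists every denied KMS call with the role and key involved; the record values are the placeholders printed on the slides, and the elided sessionContext.attributes is left empty.

```python
"""Read CloudTrail KMS records as on slides 50 to 58 (the "rule of 6 W") and
flag AccessDenied calls, the symptom slides 21 and 32 show when a principal
lacks permission on the KMS key. Added example, not from the deck; the sample
records are constructed from the placeholder values on slides 51 and 57."""
import json
import re

# Constructed: the kms:Decrypt AccessDenied record from slides 51 and 57.
# sessionContext.attributes is elided on the slide and left empty here.
DENIED = {
    "awsRegion": "ap-southeast-2", "errorCode": "AccessDenied",
    "errorMessage": ("User: arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/"
                     "i-12345678 is not authorized to perform: kms:Decrypt on resource: "
                     "arn:aws:kms:ap-southeast-2:123456789012:key/"
                     "abcdef12-1234-5678-90ab-cdef01234567"),
    "eventID": "aa2c4a1b-e413-4a5a-877b-666190ba4cb9",
    "eventName": "Decrypt", "eventSource": "kms.amazonaws.com",
    "eventTime": "2018-03-12T10:37:14Z", "eventType": "AwsApiCall",
    "eventVersion": "1.05", "recipientAccountId": "123456789012",
    "requestID": "5449c522-25e1-11e8-bb5a-01b7ca551a5f",
    "requestParameters": None, "responseElements": None,
    "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal",
    "userIdentity": {
        "accessKeyId": "ASIAXXXXXXXX", "accountId": "123456789012",
        "arn": "arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678",
        "invokedBy": "AWS Internal", "principalId": "AROAXXXXXXXX:i-12345678",
        "sessionContext": {"attributes": {}, "sessionIssuer": {
            "accountId": "123456789012",
            "arn": "arn:aws:iam::123456789012:role/EC2WebAppRole",
            "principalId": "AROAXXXXXXXX", "type": "Role",
            "userName": "EC2WebAppRole"}},
        "type": "AssumedRole"},
}
# Constructed: a successful GenerateDataKey by the same role, for contrast.
ALLOWED = {k: v for k, v in DENIED.items() if not k.startswith("error")}
ALLOWED.update(eventName="GenerateDataKey", eventID="constructed-0002")
# A CloudTrail log file delivered to S3 is a JSON object with a "Records" list.
LOG_FILE = json.dumps({"Records": [DENIED, ALLOWED]})

KEY_ARN = re.compile(r"arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}")

def six_w(rec):
    """Answer the deck's six questions for one CloudTrail record."""
    ident = rec.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return {"what": rec.get("errorCode", "Success"),             # outcome
            "when": rec["eventTime"],
            "which": f"{rec['eventSource']} {rec['eventName']}",  # service + action
            "where_to": rec["awsRegion"],
            "who": issuer.get("arn") or ident.get("arn"),         # the role, not the session
            "where_from": rec.get("sourceIPAddress")}

def denied_kms_calls(log_text):
    """Return (who, action, key ARN) for every AccessDenied KMS call in a log file."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("errorCode") != "AccessDenied":
            continue
        m = KEY_ARN.search(rec.get("errorMessage", ""))
        hits.append((six_w(rec)["who"], f"kms:{rec['eventName']}", m.group(0) if m else None))
    return hits

if __name__ == "__main__":
    for hit in denied_kms_calls(LOG_FILE):
        print("denied:", *hit)
```

A denied kms:Decrypt from an EC2 role is the signal to check the key policy and the role's KMS permissions (slide 14) rather than the S3 or EBS permissions; the role ARN from sessionIssuer, not the per-instance session ARN, is the identity to act on.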
