
(SEC301) Encryption and Key Management in AWS | AWS re:Invent 2014


Sensitive customer data needs to be protected throughout AWS. This session discusses the options available for encrypting data at rest in AWS. It focuses on several scenarios, including transparent AWS management of encryption keys on behalf of the customer to provide automated server-side encryption and customer key management using partner solutions or AWS CloudHSM. This session is helpful for anyone interested in protecting data stored in AWS.


  1. November 12, 2014, Las Vegas, NV. Ken Beer, AWS Identity and Access Management; Todd Cignetti, AWS Security.
  2. (Diagram labels) Plaintext data; hardware/software; encrypted data; encrypted data in storage; encrypted data key; symmetric data key; master key; key hierarchy?
  3. (Diagram labels) Your encryption client application; your key management infrastructure; your applications in your data center; your application in Amazon EC2; your key management infrastructure in EC2; your encrypted data in AWS services …
  4. (Diagram labels) Your key management infrastructure; your applications in your data center; your key management infrastructure in EC2; your encrypted data in Amazon S3; your application in Amazon EC2; AWS SDK with S3 Encryption Client.
  5. Customer-provided key (diagram labels: plaintext data; encrypted data; customer-provided key; Amazon S3 web server; HTTPS; customer data; Amazon S3 storage fleet)
     • The key is used at the Amazon S3 web server, then deleted.
     • The customer must provide the same key when downloading to allow Amazon S3 to decrypt the data.
  6. (Diagram labels) Your encryption client application; your applications in your data center; your application in Amazon EC2; your encrypted data in AWS services …; partner KMI.
  7. • Two-tiered key hierarchy using envelope encryption
     • Unique data keys encrypt customer data
     • AWS KMS master keys encrypt data keys
     • Benefits of envelope encryption:
       • Limits the risk of a compromised data key
       • Better performance for encrypting large data
       • Easier to manage a small number of master keys than millions of data keys
     (Diagram labels: customer master key(s); AWS KMS; data key 1, data key 2, data key 3, data key 4; Amazon S3 object; Amazon EBS volume; Amazon Redshift cluster; custom application)
  8. AWS Key Management Service reference architecture (diagram labels: application or AWS service; data key; encrypted data key; encrypted data; master key(s) in customer's account; AWS Key Management Service)
     1. The application or AWS service client requests an encryption key to use to encrypt data, and passes a reference to a master key under the account.
     2. The client request is authenticated based on whether the client has access to use the master key.
     3. A new data encryption key is created and a copy of it is encrypted under the master key.
     4. Both the data key and the encrypted data key are returned to the client. The data key is used to encrypt customer data and then deleted as soon as is practical.
     5. The encrypted data key is stored for later use and sent back to AWS KMS when the source data needs to be decrypted.
  9. AWS Key Management Service: providing security for your keys.
  10. Todd Cignetti, AWS Security
  11. HSM
  12. AWS CloudHSM: dedicated access
     • Only you have access to your keys and operations on the keys.
     (Diagram labels: AWS administrator manages the appliance; you control keys and crypto operations; Amazon Virtual Private Cloud)
  13. (Diagram labels) SafeNet ProtectV Manager and Virtual KeySecure in Amazon EC2; SafeNet ProtectV Client; AWS CloudHSM; your encrypted data in Amazon EBS; your applications in Amazon EC2.
     ProtectV Client:
     • Encrypts I/O from Amazon EC2 instances to Amazon EBS volumes
     • Includes pre-boot authentication
  14. (Diagram labels) Your applications in Amazon EC2; Amazon Redshift cluster; your encrypted data in Amazon Redshift; AWS CloudHSM.
  15. (Diagram labels) AWS CloudHSM; your database with TDE in Amazon EC2; the master key is created in the HSM and never leaves; your applications in Amazon EC2.
  16. | | DIY | AWS Marketplace partner solution | AWS CloudHSM | AWS Key Management Service |
      |---|---|---|---|---|
      | Where keys are generated and stored | Your network or in AWS | Your network or in AWS | In AWS, on an HSM that you control | AWS |
      | Where keys are used | Your network or your EC2 instance | Your network or your EC2 instance | AWS or your applications | AWS services or your applications |
      | How to control key use | Config files, vendor-specific management | Vendor-specific management | Customer code + SafeNet APIs | Policy you define; enforced in AWS |
      | Responsibility for performance/scale | You | You | You | AWS |
      | Integration with AWS services? | Limited | Limited | Limited | Yes |
      | Pricing model | Variable | Per hour/per year | Per hour | Per key/usage |
  17. https://aws.amazon.com/kms
      https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
      https://aws.amazon.com/cloudhsm/
      https://aws.amazon.com/whitepapers/
      http://aws.amazon.com/articles/2850096021478074
      http://www.aws-partner-directory.com/
      http://blogs.aws.amazon.com/security
  18. http://bit.ly/awsevals
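The envelope-encryption flow from slides 7 and 8, written out as an added example (not from the slides or from AWS): a stand-in `MockKMS` plays the service so it runs offline, and its allow-list of principals stands in for the key policy that the real service enforces at step 2. `MockKMS`, `seal`, `open_sealed`, `envelope_encrypt` and the sample record are assumptions; with the real service the same shape uses the KMS GenerateDataKey and Decrypt API calls.

```ruby
require 'openssl'
require 'securerandom'
# AES-256-GCM: seal prefixes a 12-byte nonce and appends the 16-byte tag; open_sealed
# verifies the tag, so tampering with a wrapped key or ciphertext raises CipherError.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ''
  nonce + c.update(plaintext) + c.final + c.auth_tag
end

def open_sealed(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[-16..]
  c.auth_data = ''
  c.update(blob[12...-16]) + c.final
end

# MockKMS (assumed, not the AWS SDK) stands in for AWS KMS: the master key never
# leaves it, and a key policy (allow-list of principals) gates every request (step 2).
class MockKMS
  def initialize(allowed_principals)
    @master = SecureRandom.random_bytes(32)
    @allowed = allowed_principals
  end
  # Steps 1-3: authorize, mint a fresh data key, return it with a copy wrapped under the master key.
  def generate_data_key(principal)
    raise "AccessDenied: #{principal} may not use this master key" unless @allowed.include?(principal)
    plain = SecureRandom.random_bytes(32)
    [plain, seal(@master, plain)]
  end
  # Step 5: the stored wrapped key comes back to KMS, which re-checks policy and unwraps it.
  def decrypt(principal, wrapped)
    raise "AccessDenied: #{principal} may not use this master key" unless @allowed.include?(principal)
    open_sealed(@master, wrapped)
  end
end
# Client side (step 4): encrypt with the data key and store only the wrapped copy
# beside the ciphertext; the plaintext data key is discarded with this frame.
def envelope_encrypt(kms, principal, data)
  data_key, wrapped = kms.generate_data_key(principal)
  { wrapped_key: wrapped, ciphertext: seal(data_key, data) }
end

def envelope_decrypt(kms, principal, env)
  open_sealed(kms.decrypt(principal, env[:wrapped_key]), env[:ciphertext])
end
```

Each object gets its own data key, so a leaked data key exposes one object, while the master key is only ever used inside the service to wrap and unwrap data keys.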