Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda • Block storage in AWS • Local Instance Storage • Elastic Block Store (EBS) • EBS Snapshots • Encryption • Local Instance Storage, EBS, Snapshots • Launching Encrypted Volumes from Unencrypted Snapshots / AMIs • Sharing Encrypted Snapshots / AMIs across Account • Account Level Encryption by Default

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Block Storage Offerings sc1st1 Amazon EBS HDD- backed volumes Amazon EBS Snapshots Amazon EC2 instance store HDDSSD Amazon EBS SSD- backed volumes io1gp2

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What is Amazon EC2 instance store? • Local to instance • Non-persistent data store • Data not replicated (by default) • No snapshot support • SSD or HDD Amazon EC2 instances Physical Host InstanceStore or

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What is Amazon EBS? • Block storage as a service • Create, attach volumes through an API • Service accessed over the network Amazon EC2 instance Amazon EBS volume

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What is Amazon EBS? • Block storage as a service • Create, attach volumes through an API • Service accessed over the network != Amazon EC2 instance Amazon EBS volume

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What is Amazon EBS? • Volumes persist independent of Amazon EC2 • Select storage and compute based on your workload • Detach and attach between instances within the same Availability Zone Amazon EC2 instance Availability Zone AWS Region Amazon EC2 instance Amazon EBS volume

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What is Amazon EBS? • Volumes attach to one instance • Many volumes can attach to an instance • Separate boot and data volumes Availability Zone AWS Region Amazon EC2 instance EBS volume EBS volume EBS volume

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS use cases HDDSSD Relational Databases MySQL, SQL Server, PostgreSQL, SAP, Oracle NoSQL Databases Cassandra, MongoDB, CouchDB Big Data , Analytics Kafka, Splunk, Hadoop, Data Warehousing File / Media CIFS/NFS, Transcoding, Encoding, Rendering

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS volume types: General Purpose SSD gp2 Throughput: Up to 250 MiB/s Latency: Single-digit ms Capacity: 1 GiB to 16 TiB Baseline: 100 to 16,000 IOPS; 3 IOPS per GiB Burst: 3,000 IOPS (for volumes up to 1,000 GiB) General Purpose SSD Great for boot volumes, low-latency applications, and bursty databases

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS volume types: Provisioned IOPS io1 Baseline: 100 – 64,000 IOPS Throughput: Up to 1,000 MiB/s Latency: Single-digit ms Capacity: 4 GiB to 16 TiB Ideal for critical applications and databases with sustained IOPS Provisioned IOPS

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS volume types: Throughput Optimized Baseline: 40 MiB/s per TiB up to 500 MiB/s Capacity: 500 GiB to 16 TiB Burst: 250 MiB/s per TiB up to 500 MiB/s Ideal for large-block, high-throughput sequential workloads st1 Throughput Optimized HDD

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS volume types: Cold HDD Baseline: 12 MiB/s per TB up to 192 MiB/s Capacity: 500 GiB to 16 TiB Burst: 80 MiB/s per TB up to 250 MiB/s Ideal for sequential throughput workloads, such as logging and backup sc1 Cold HDD

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS Snapshots • Copy of Amazon EBS volumes stored on Amazon S3 • Snapshots are Regional • First snapshot is a full copy • Subsequent snapshots are incremental • Snapshots can be shared / copied • Create volumes from Snapshots EC2 instance EBS volume Availability Zone Region

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Encryption – NVMe Local Instance Storage Instances: C5d, I3, I3en, F1, M5ad, P3dn.24xlarge, R5d, R5ad, Z1d • Drives are always encrypted – cannot be disabled • You cannot change encryption keys • Encryption uses XTS-AES-256 block cipher • Implemented on HW module on instance – keys unique to each NVMe instance storage device • Keys destroyed on instance stop/terminate Instance

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Encryption – Amazon EBS Integrates with Amazon Key Management Service (KMS) – AES-256 Encryption Uses Customer Master Keys (CMKs) Encrypted EBS volume implies the following are encrypted: • Data at rest inside the volume • Data moving between the volume and instance • Snapshots created from the volume • Volumes created from such snapshots Amazon EC2 instance Amazon EBS volume Availability Zone

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS Volume encryption Create a new AWS KMS master key for Amazon EBS • Define key rotation policy • Enable AWS CloudTrail auditing • Control who can use key • Control who can administer key

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS encryption: data volumes RunInstances with custom CMKs $> aws ec2 run-instances –image-id ami-b42209de –count 1 – instance-type m4.large –region us-east-1 –block-device- mappings file://mapping.json mapping.json { "DeviceName": "/dev/sda1", "Ebs": { "DeleteOnTermination": true, "VolumeSize": 100, "VolumeType": "gp2", "Encrypted": true, "kmsKeyID": "arn:aws:kms:us-east-1:012345678910:key/abcd1234- a123-456a-a12b-a123b4cd56ef" } }

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS volume 1AWS KMS Envelope encryption Amazon EBS encryption: How it works EBS master key Data key 1 Data key 2 Data key 3 Amazon EBS volume 2 Amazon EBS volume 3

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS KMS Envelope encryption Amazon EBS encryption: How it works EBS master key Amazon EBS volume 1 Amazon EBS volume 2 Amazon EBS volume 3

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS KMS Envelope encryption Amazon EBS encryption: How it works EBS master key • Limits exposure risk • Performance • Simplifies key management Amazon EBS volume 1 Amazon EBS volume 2 Amazon EBS volume 3

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS Optimized Performance and Encryption Does choosing encryption reduce Amazon EBS Optimized Performance? • Amazon EBS Optimized Performance is the same with and without encryption for the ‘4’ and ‘5’ family of instances • In other words, encryption does not reduce the rated performance of an instance in the ‘4’ or ‘5’ family EC2 instance EBS volume Availability Zone

32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon EBS snapshot encryption • Snapshots of encrypted volumes are automatically encrypted • Volumes created from encrypted snapshots are automatically encrypted • You can encrypt an unencrypted snapshot when you copy a snapshot • You can re-encrypt a snapshot you own with a different key when you copy a snapshot https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Snapshots different from volumes / instance storage Snapshots can be shared across accounts Snapshots can be copied across accounts Snapshots can be copied within accounts Snapshots can be copied across regions Snapshots are used to create AMIs EC2 instance EBS volume Availability Zone Region

34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Sharing Snapshots and AMIs aws ec2 describe-snapshot-attribute --snapshot-id snap-00d820abc6be8d639 --attribute createVolumePermission aws ec2 modify-snapshot-attribute --snapshot-id snap-00d820abc6be8d639 --attribute createVolumePermission { "SnapshotId": "snap-00d820abc6be8d639", "CreateVolumePermissions": [] }

36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Sharing Snapshots and AMIs Public sharing: Reasonable use case for AMIs – AWS Marketplace AMIs Share non-AMI snapshots with specific accounts To launch a volume from a snapshot, you need a copy of snapshot in-region

37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Copy Snapshots across regions AWS Region Amazon EBS snapshot Availability Zone Amazon EBS volume Amazon S3 AWS Region Amazon EBS snapshot Availability Zone Amazon EBS volume

38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Copy Snapshots Amazon S3 Encryption protects snapshots in-transit during the copy operation Unencrypted snapshots can be encrypted during copy Encrypted snapshots can be re-encrypted during copy First copy across regions is a full copy Snapshots are incremental after first copy - Same CMK needed on both ends to support incremental copies

39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Copy Snapshots: encrypt or re-encrypt aws ec2 copy-snapshot --source-snapshot-id snap-010bb9c48a9a4c237 --destination-region us-west-1 --encrypted --kms-key-id key/1234abcd-12ab-34cd-56ef-1234567890ab

40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Copy Snapshots across regions Copy Snapshots across accounts across regions Lock down resource level permissions on target snapshot copy Multi-region = Protection against regional events Permission lock down = malicious or unintentional deletes of data Availability Zone Region Region

41. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Three new features to make encryption easier • Launch encrypted volumes from unencrypted snapshots / AMIs • Launch volumes encrypted with different CMK from encrypted snapshots / AMIs • Share snapshots encrypted with custom CMKs across accounts • Encryption By Default for EBS for an account in a region with a single setting

43. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Previously ... Unencrypted Snapshot / AMI Encrypted Snapshot / AMI Encrypted Amazon EBS Volumes Copy and encrypt Create volume

46. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How to do this aws ec2 create-volume --snapshot- id snap-010bb9c48a9a4c237 -- availability-zone us-west-2a -- encrypted --volume-type gp2

47. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Benefits Simple: Single step to launch encrypted volumes Compatible: Enables introducing encryption even while using unencrypted AMIs Saves time Less cost – no need to create and save copies of snapshots for launch

49. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Previously ... Snapshot / AMI encrypted with custom CMK Copy snapshots across accounts Account 1 Account 2 Account 1 Account 2 Create Volumes Account 1 Account 2

51. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How to do this { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:ReEncrypt*", "kms:CreateGrant", "kms:Decrypt" ], "Resource": [ "arn:aws:kms:us-east- 1:<111111111111>:key/<key-id of cmkSource>" ] } ] }

52. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How to do this $> aws ec2 run-instances --image-id ami-XXXXX --count 1 --instance-type m4.large --region us-east-1 --subnet-id subnet-aec2fc86 --key-name 2016KeyPair --security-group-ids sg-f7dbc78e subnet-id subnet-aec2fc86 --block-device-mappings file://mapping.json [ { "DeviceName": "/dev/xvda", "Ebs": { "Encrypted": true, "KmsKeyId": "arn:aws:kms:us-east- 1:<999999999999>:key/<abcd1234-a123- 456a-a12b-a123b4cd56ef>" } } ]

53. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Benefits Simple: Single step to launch encrypted volumes from snapshots encrypted by custom CMK Saves time Less cost – no need to create and save copies of snapshots for launch

55. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Previously … Unencrypted Snapshot / AMI Copy snapshots across accounts Account 1 Account 2 Account 1 Account 2 Create Volumes Account 1 Account 2

61. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Benefits Simple: Easy to ensure compliance without change to workflows Compatible: Enables introducing encryption even while using unencrypted snapshots and AMIs