Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019

Want to simplify the process of meeting compliance goals in a world of increasing data regulation? AWS customers run mission-critical workloads—SQL and NoSQL databases, business applications, data analytics, log analysis—on Amazon EC2, backed by Amazon EBS and EC2 instance storage. Securing data content and storage access is critical to maintaining uptime and meeting compliance needs. In this session, we discuss data security and review the security capabilities of Amazon EBS and EC2 instance storage. Learn how you can benefit from new Amazon EBS features such as encryption by default, launch of encrypted instances from unencrypted AMIs, and simplified sharing of encrypted AMIs.

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing your block storage on AWS
Ashish Palekar
Director, Product Management
Elastic Block Store
@logicalblock
GRC207
Agenda
• Block storage in AWS
  • Local Instance Storage
  • Elastic Block Store (EBS)
  • EBS Snapshots
• Encryption
  • Local Instance Storage, EBS, Snapshots
  • Launching Encrypted Volumes from Unencrypted Snapshots / AMIs
  • Sharing Encrypted Snapshots / AMIs across Accounts
  • Account Level Encryption by Default
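The agenda's three encryption topics translate into a small set of checks a practitioner wants to run against an account: is encryption by default on in this region, is the default key a customer-managed key (snapshots and AMIs encrypted with the AWS-managed aws/ebs key cannot be shared with other accounts), which existing volumes are still unencrypted (turning on encryption by default does not encrypt volumes that already exist), and which snapshots are public or shared outside a trusted list. The following is an added example, not code from the session or from AWS: the input dictionaries are constructed here to match the response shapes of the EC2 API calls describe_volumes, describe_snapshots, describe_snapshot_attribute (createVolumePermission), get_ebs_encryption_by_default and get_ebs_default_kms_key_id, plus an assumed map from KMS key ARN to KeyMetadata.KeyManager, so the checks run offline; in a real audit you would fetch those responses with boto3 and pass them in unchanged.

```python
"""Offline audit of EBS encryption and snapshot-sharing posture (added example).

Input dicts are constructed to mirror EC2/KMS API response shapes; they are not
real account data. Severities and messages are this example's own conventions.
"""
from dataclasses import dataclass

AWS_MANAGED = "AWS"              # KMS KeyManager value for the AWS-managed aws/ebs key
AWS_EBS_ALIAS = "alias/aws/ebs"  # assumed: what get_ebs_default_kms_key_id reports with no CMK set


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str
    message: str


def audit_region_defaults(enc_by_default, default_key, key_managers):
    """Account-level settings; both are per region, so run this in every region you use."""
    findings = []
    if not enc_by_default.get("EbsEncryptionByDefault"):
        findings.append(Finding("region", "HIGH",
            "encryption by default is off: new volumes and snapshot copies stay "
            "unencrypted unless every caller opts in"))
    key_id = default_key.get("KmsKeyId", AWS_EBS_ALIAS)
    if key_id == AWS_EBS_ALIAS or key_managers.get(key_id) == AWS_MANAGED:
        findings.append(Finding("region", "MEDIUM",
            "default EBS key is the AWS-managed aws/ebs key: snapshots and AMIs "
            "encrypted with it cannot be shared with other accounts"))
    return findings


def audit_volumes(volumes, key_managers):
    """Flag unencrypted volumes; encryption by default never touches existing ones."""
    findings = []
    for v in volumes["Volumes"]:
        vid = v["VolumeId"]
        attached = ",".join(a["InstanceId"] for a in v.get("Attachments", []))
        where = f"attached to {attached}" if attached else "unattached"
        if not v.get("Encrypted"):
            findings.append(Finding(vid, "HIGH",
                f"unencrypted volume ({where}); remediate by snapshot -> encrypted "
                "copy -> new volume, then swap and delete the original"))
        elif key_managers.get(v.get("KmsKeyId")) == AWS_MANAGED:
            findings.append(Finding(vid, "LOW",
                f"encrypted with the AWS-managed key ({where}); its snapshots "
                "cannot be shared cross-account"))
    return findings


def audit_snapshots(snapshots, create_volume_permissions, trusted_accounts):
    """Flag public, over-shared and unencrypted snapshots."""
    findings = []
    trusted = set(trusted_accounts)
    for s in snapshots["Snapshots"]:
        sid = s["SnapshotId"]
        perms = create_volume_permissions.get(sid, [])
        if any(p.get("Group") == "all" for p in perms):
            findings.append(Finding(sid, "CRITICAL",
                "snapshot is public: any AWS account can create a volume from it"))
        shared_with = {p["UserId"] for p in perms if "UserId" in p}
        for acct in sorted(shared_with - trusted):
            findings.append(Finding(sid, "HIGH",
                f"snapshot shared with account {acct}, which is not in the trusted list"))
        if not s.get("Encrypted"):
            findings.append(Finding(sid, "HIGH",
                "unencrypted snapshot; copy it with Encrypted=True and a customer-managed "
                "key, then delete the original"))
    return findings


# ---- constructed sample input (hypothetical IDs, not real account data) ----
CMK = "arn:aws:kms:us-east-1:111111111111:key/cmk-for-ebs"
AWS_KEY = "arn:aws:kms:us-east-1:111111111111:key/aws-managed-ebs"
KEY_MANAGERS = {CMK: "CUSTOMER", AWS_KEY: AWS_MANAGED}
ENC_BY_DEFAULT = {"EbsEncryptionByDefault": False}
DEFAULT_KEY = {"KmsKeyId": AWS_EBS_ALIAS}
VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a", "Encrypted": False, "Attachments": [{"InstanceId": "i-db01"}]},
    {"VolumeId": "vol-0b", "Encrypted": True, "KmsKeyId": AWS_KEY, "Attachments": []},
    {"VolumeId": "vol-0c", "Encrypted": True, "KmsKeyId": CMK, "Attachments": [{"InstanceId": "i-db01"}]},
]}
SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-01", "Encrypted": False},            # public and unencrypted
    {"SnapshotId": "snap-02", "Encrypted": True, "KmsKeyId": CMK},
]}
CREATE_VOLUME_PERMISSIONS = {
    "snap-01": [{"Group": "all"}],
    "snap-02": [{"UserId": "222222222222"}, {"UserId": "333333333333"}],
}
TRUSTED_ACCOUNTS = ["222222222222"]


def run_audit():
    """Run every check over the sample data; returns findings in check order."""
    return (audit_region_defaults(ENC_BY_DEFAULT, DEFAULT_KEY, KEY_MANAGERS)
            + audit_volumes(VOLUMES, KEY_MANAGERS)
            + audit_snapshots(SNAPSHOTS, CREATE_VOLUME_PERMISSIONS, TRUSTED_ACCOUNTS))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.severity:8} {f.resource:8} {f.message}")
```

The volume check deliberately reports attachment so the owner of the instance can be found; the "LOW" finding on the AWS-managed key matters only if you intend to share snapshots or AMIs across accounts, which is the third agenda item and requires a customer-managed key.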
AWS Block Storage Offerings
• Amazon EBS SSD-backed volumes: gp2, io1
• Amazon EBS HDD-backed volumes: st1, sc1
• Amazon EBS Snapshots
• Amazon EC2 instance store: SSD or HDD
What is Amazon EC2 instance store?
• Local to instance: disks physically attached to the host the instance runs on
• Non-persistent data store: data is lost when the instance stops, hibernates or terminates, or when the underlying disk fails
• Data not replicated (by default)
• No snapshot support
• SSD or HDD
(Figure: Amazon EC2 instances on a physical host, with the instance store on that host's SSD or HDD)
What is Amazon EBS?
• Block storage as a service
• Create, attach volumes through an API
• Service accessed over the network
(Figure: an Amazon EC2 instance attached over the network to an Amazon EBS volume; the volume is a separate resource from the instance (instance != volume) and persists independently of it)

OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Securing your block storage on AWS. Ashish Palekar, Director, Product Management, Elastic Block Store (@logicalblock). GRC207
  • 2. Agenda
    • Block storage in AWS: local instance storage, Elastic Block Store (EBS), EBS snapshots
    • Encryption: local instance storage, EBS, snapshots
    • Launching encrypted volumes from unencrypted snapshots / AMIs
    • Sharing encrypted snapshots / AMIs across accounts
    • Account-level encryption by default
  • 3. AWS block storage offerings: Amazon EC2 instance store (SSD or HDD); Amazon EBS SSD-backed volumes (gp2, io1); Amazon EBS HDD-backed volumes (st1, sc1); Amazon EBS snapshots.
  • 4. What is Amazon EC2 instance store?
    • Local to the instance (SSD or HDD attached to the physical host)
    • Non-persistent data store
    • Data not replicated (by default)
    • No snapshot support
    (Diagram: EC2 instances on a physical host with local instance store.)
  • 5. What is Amazon EBS?
    • Block storage as a service
    • Create and attach volumes through an API
    • Service accessed over the network
    (Diagram: EC2 instance connected to an EBS volume.)
  • 6. What is Amazon EBS? Same points as slide 5; the diagram marks the EBS volume as != the instance: the volume is a separate, network-attached resource, not local storage.
  • 7. What is Amazon EBS? (Diagram only: EC2 instance and EBS volume.)
  • 8. What is Amazon EBS?
    • Volumes persist independently of Amazon EC2 instances
    • Select storage and compute separately, based on your workload
    • Detach and attach between instances within the same Availability Zone
    (Diagram: two EC2 instances in one Availability Zone of an AWS Region, with an EBS volume moved between them.)
  • 9. What is Amazon EBS?
    • A volume attaches to one instance
    • Many volumes can attach to an instance
    • Separate boot and data volumes
    (Diagram: one EC2 instance with three EBS volumes attached.)
  • 10. Amazon EBS volume types: solid-state drives (SSD) and hard disk drives (HDD).
  • 11. Amazon EBS volume types
    • SSD: Provisioned IOPS SSD (io1), General Purpose SSD (gp2)
    • HDD: Throughput Optimized HDD (st1), Cold HDD (sc1)
  • 12. Amazon EBS use cases (SSD and HDD): relational databases (MySQL, SQL Server, PostgreSQL, SAP, Oracle); NoSQL databases (Cassandra, MongoDB, CouchDB); big data and analytics (Kafka, Splunk, Hadoop, data warehousing); file / media (CIFS/NFS, transcoding, encoding, rendering).
  • 13. Amazon EBS volume types: General Purpose SSD (gp2)
    • Throughput: up to 250 MiB/s
    • Latency: single-digit ms
    • Capacity: 1 GiB to 16 TiB
    • Baseline: 100 to 16,000 IOPS; 3 IOPS per GiB
    • Burst: 3,000 IOPS (for volumes up to 1,000 GiB)
    Great for boot volumes, low-latency applications, and bursty databases.
  • 14. Amazon EBS volume types: Provisioned IOPS SSD (io1)
    • Baseline: 100 to 64,000 IOPS
    • Throughput: up to 1,000 MiB/s
    • Latency: single-digit ms
    • Capacity: 4 GiB to 16 TiB
    Ideal for critical applications and databases with sustained IOPS.
  • 15. Amazon EBS volume types: Throughput Optimized HDD (st1)
    • Baseline: 40 MiB/s per TiB, up to 500 MiB/s
    • Burst: 250 MiB/s per TiB, up to 500 MiB/s
    • Capacity: 500 GiB to 16 TiB
    Ideal for large-block, high-throughput sequential workloads.
  • 16. Amazon EBS volume types: Cold HDD (sc1)
    • Baseline: 12 MiB/s per TiB, up to 192 MiB/s
    • Burst: 80 MiB/s per TiB, up to 250 MiB/s
    • Capacity: 500 GiB to 16 TiB
    Ideal for sequential throughput workloads, such as logging and backup.
  • 17. Amazon EBS snapshots
    • Point-in-time copy of an EBS volume, stored in Amazon S3
    • Snapshots are Regional
    • The first snapshot is a full copy; subsequent snapshots are incremental
    • Snapshots can be shared and copied
    • Volumes can be created from snapshots
    (Diagram: EC2 instance and EBS volume in an Availability Zone; the snapshot lives at Region scope.)
  • 18. (No transcribed text: section divider.)
  • 19. Encryption: NVMe local instance storage
    Instances: C5d, I3, I3en, F1, M5ad, P3dn.24xlarge, R5d, R5ad, Z1d
    • Drives are always encrypted; encryption cannot be disabled
    • You cannot change the encryption keys
    • Encryption uses the XTS-AES-256 block cipher
    • Implemented in a hardware module on the host; keys are unique to each NVMe instance storage device
    • Keys are destroyed on instance stop or terminate
    This protects the data on the physical media (for example, a drive pulled from a host); it does not restrict software running on the instance, which sees the drive in the clear, and once the instance stops the data is unrecoverable.
  • 20. Encryption: Amazon EBS
    • Integrates with AWS Key Management Service (AWS KMS); AES-256 encryption
    • Uses customer master keys (CMKs)
    • An encrypted EBS volume implies the following are encrypted:
      • Data at rest inside the volume
      • Data moving between the volume and the instance
      • Snapshots created from the volume
      • Volumes created from such snapshots
    (Diagram: EC2 instance and EBS volume in an Availability Zone.)
  • 21. Amazon EBS volume encryption: data volumes (console screenshot)
  • 22. Amazon EBS volume encryption: data volumes (console screenshot)
  • 23. Amazon EBS volume encryption: create a new AWS KMS master key for Amazon EBS
    • Define the key rotation policy
    • Enable AWS CloudTrail auditing
    • Control who can use the key
    • Control who can administer the key
  • 24. Amazon EBS volume encryption: data volumes (console screenshot)
  • 25. Amazon EBS encryption, data volumes: RunInstances with custom CMKs (console screenshot)
  • 26. Amazon EBS encryption, data volumes: RunInstances with custom CMKs (console screenshot)
  • 27. Amazon EBS encryption, data volumes: RunInstances with custom CMKs
    $> aws ec2 run-instances --image-id ami-b42209de --count 1 --instance-type m4.large --region us-east-1 --block-device-mappings file://mapping.json
    mapping.json (the parameter takes a JSON list, and the key name is KmsKeyId):
    [
      {
        "DeviceName": "/dev/sda1",
        "Ebs": {
          "DeleteOnTermination": true,
          "VolumeSize": 100,
          "VolumeType": "gp2",
          "Encrypted": true,
          "KmsKeyId": "arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef"
        }
      }
    ]
  • 28. Amazon EBS encryption: how it works. Envelope encryption with AWS KMS: the EBS master key (the CMK, which never leaves KMS) wraps a separate data key for each volume (data key 1 for volume 1, data key 2 for volume 2, data key 3 for volume 3). The wrapped data key is stored with the volume; when the volume is attached, KMS unwraps it and the plaintext data key is used only on the host serving that instance.
  • 29. Amazon EBS encryption: how it works (diagram continued: EBS master key in AWS KMS, three volumes).
  • 30. Amazon EBS encryption: how it works. Why envelope encryption:
    • Limits exposure risk (compromise of one data key exposes one volume, not the CMK)
    • Performance (bulk data is encrypted locally with the data key, not by calls to KMS)
    • Simplifies key management
  • 31. Amazon EBS-optimized performance and encryption. Does choosing encryption reduce EBS-optimized performance?
    • EBS-optimized performance is the same with and without encryption for the '4' and '5' instance families
    • In other words, encryption does not reduce the rated performance of an instance in the '4' or '5' family
  • 32. Amazon EBS snapshot encryption
    • Snapshots of encrypted volumes are automatically encrypted
    • Volumes created from encrypted snapshots are automatically encrypted
    • You can encrypt an unencrypted snapshot when you copy it
    • You can re-encrypt a snapshot you own with a different key when you copy it
    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  • 33. Snapshots differ from volumes and instance storage
    • Snapshots can be shared across accounts
    • Snapshots can be copied across accounts
    • Snapshots can be copied within an account
    • Snapshots can be copied across Regions
    • Snapshots are used to create AMIs
  • 34. Sharing snapshots and AMIs
    Inspect who can create volumes from a snapshot:
    aws ec2 describe-snapshot-attribute --snapshot-id snap-00d820abc6be8d639 --attribute createVolumePermission
    {
      "SnapshotId": "snap-00d820abc6be8d639",
      "CreateVolumePermissions": []
    }
    An empty list means the snapshot is private. To grant one account permission (the account ID is a placeholder):
    aws ec2 modify-snapshot-attribute --snapshot-id snap-00d820abc6be8d639 --attribute createVolumePermission --operation-type add --user-ids <account-id>
  • 35. Sharing snapshots and AMIs (console screenshot)
  • 36. Sharing snapshots and AMIs
    • Public sharing: the reasonable use case is AMIs, for example AWS Marketplace AMIs
    • Share non-AMI snapshots only with specific accounts
    • To create a volume from a snapshot, you need a copy of the snapshot in that Region
  • 37. Copy snapshots across Regions (Diagram: an EBS volume and its snapshot, stored in Amazon S3, in one Region; the snapshot copied to a second Region and a volume created from it there.)
  • 38. Copy snapshots
    • Encryption protects snapshots in transit during the copy operation
    • Unencrypted snapshots can be encrypted during copy
    • Encrypted snapshots can be re-encrypted during copy
    • The first copy across Regions is a full copy
    • Snapshots are incremental after the first copy; the same CMK is needed on both ends to support incremental copies
  • 39. Copy snapshots: encrypt or re-encrypt
    aws ec2 copy-snapshot --region us-west-1 --source-region <source-region> --source-snapshot-id snap-010bb9c48a9a4c237 --encrypted --kms-key-id 1234abcd-12ab-34cd-56ef-1234567890ab
    The call is made against the destination Region (--region); --source-region is required (a placeholder here). --kms-key-id takes a key ID, key alias or key ARN, and the key must exist in the destination Region.
  • 40. Copy snapshots across Regions, and across accounts and Regions
    • Lock down resource-level permissions on the target snapshot copy
    • Multi-Region copies = protection against Regional events
    • Permission lock-down = protection against malicious or unintentional deletion of data
    (Diagram: Availability Zone in one Region; a second Region holding the copy.)
  • 41. Three new features to make encryption easier
    • Launch encrypted volumes from unencrypted snapshots / AMIs, and launch volumes encrypted with a different CMK from encrypted snapshots / AMIs
    • Share snapshots encrypted with custom CMKs across accounts
    • Encryption by default for EBS, for an account in a Region, with a single setting
  • 42. (No transcribed text: section divider.)
  • 43. Previously ... an unencrypted snapshot / AMI first had to be copied and encrypted into an encrypted snapshot / AMI; only then could encrypted Amazon EBS volumes be created from it.
  • 44. Now ... launch encrypted Amazon EBS volumes directly from an unencrypted snapshot / AMI.
  • 45. How to do this (console screenshot)
  • 46. How to do this
    aws ec2 create-volume --snapshot-id snap-010bb9c48a9a4c237 --availability-zone us-west-2a --encrypted --volume-type gp2
    Without --kms-key-id the volume is encrypted with the default KMS key for EBS in that Region (the AWS managed key aws/ebs, unless you have set a custom default).
  • 47. Benefits
    • Simple: a single step to launch encrypted volumes
    • Compatible: enables introducing encryption even while using unencrypted AMIs
    • Saves time
    • Less cost: no need to create and keep copies of snapshots for launch
  • 48. (No transcribed text: section divider.)
  • 49. Previously ... a snapshot / AMI encrypted with a custom CMK had to be copied from account 1 into account 2 before account 2 could create volumes from it.
  • 50. Now ... a snapshot / AMI encrypted with a custom CMK can be shared from account 1 with account 2 and used directly.
  • 51. How to do this. IAM policy for the launching principal in account 2, granting use of cmkSource (the key owned by account 1 that encrypts the shared snapshot):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:DescribeKey",
            "kms:ReEncrypt*",
            "kms:CreateGrant",
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws:kms:us-east-1:<111111111111>:key/<key-id of cmkSource>"
          ]
        }
      ]
    }
    This IAM policy alone is not enough: the key policy of cmkSource in account 1 must also allow account 2 (the same actions, with account 2 as the Principal), and the snapshot itself must be shared with account 2 through its createVolumePermission attribute.
  • 52. How to do this. Launch in account 2, re-encrypting the root volume under account 2's own CMK:
    $> aws ec2 run-instances --image-id ami-XXXXX --count 1 --instance-type m4.large --region us-east-1 --subnet-id subnet-aec2fc86 --key-name 2016KeyPair --security-group-ids sg-f7dbc78e --block-device-mappings file://mapping.json
    mapping.json:
    [
      {
        "DeviceName": "/dev/xvda",
        "Ebs": {
          "Encrypted": true,
          "KmsKeyId": "arn:aws:kms:us-east-1:<999999999999>:key/<abcd1234-a123-456a-a12b-a123b4cd56ef>"
        }
      }
    ]
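The cross-account launch on slides 49 to 52 only works when both sides line up: the key policy on cmkSource in account 1 must name account 2 as a Principal, and an IAM policy in account 2 must let its launching principal call the same KMS actions on that key. The following is an added example for this page, not code from the deck or from AWS: it evaluates two constructed policy documents against the actions EC2 needs and reports what is missing on each side. Account numbers, the key ID and the policy contents are placeholders; the evaluation ignores explicit Deny statements and Condition blocks, so it is a pre-flight check, not a substitute for IAM's own evaluation.

```python
"""Check both halves of a cross-account share of a snapshot encrypted with a
custom CMK: the key policy (account 1, owner of cmkSource) and the IAM policy
(account 2, launcher).  Example code added for this page; not AWS tooling."""
import fnmatch
import json

SOURCE_ACCOUNT = "111111111111"   # placeholder: owns the snapshot and cmkSource
TARGET_ACCOUNT = "999999999999"   # placeholder: account that launches the instance
CMK_SOURCE_ARN = ("arn:aws:kms:us-east-1:%s:key/1234abcd-12ab-34cd-56ef-1234567890ab"
                  % SOURCE_ACCOUNT)  # placeholder key ID

# Concrete actions EC2 needs on cmkSource to unwrap the shared snapshot's data
# key and re-wrap it under the launcher's CMK.  The policies grant them as
# DescribeKey, ReEncrypt*, CreateGrant, Decrypt, so the check expands the
# wildcard to the two ReEncrypt actions.
REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                    "kms:CreateGrant", "kms:Decrypt")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_covers(principal, account):
    """True if a key-policy Principal element reaches the given account."""
    if principal == "*":
        return True
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    for entry in entries:
        if entry in ("*", account, "arn:aws:iam::%s:root" % account):
            return True
        if entry.startswith("arn:aws:iam::%s:" % account):   # a user/role in it
            return True
    return False


def _matches(patterns, value):
    """IAM-style wildcard match: case-insensitive, '*' and '?' only."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def allowed_actions(policy, key_arn, account=None):
    """Return the subset of REQUIRED_ACTIONS that Allow statements grant on key_arn.

    account: for a key policy, only statements whose Principal covers that
    account count; pass None for an IAM identity policy (no Principal element).
    Explicit Deny statements and Condition blocks are not evaluated (simplification).
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if account is not None and not _principal_covers(stmt.get("Principal"), account):
            continue
        if not _matches(_as_list(stmt.get("Resource")), key_arn):
            continue
        patterns = _as_list(stmt.get("Action"))
        granted.update(a for a in REQUIRED_ACTIONS if _matches(patterns, a))
    return granted


def check_share(key_policy, iam_policy, key_arn=CMK_SOURCE_ARN,
                target_account=TARGET_ACCOUNT):
    """Required actions still missing on each side of the share (empty lists = OK)."""
    need = set(REQUIRED_ACTIONS)
    return {
        "key_policy_missing": sorted(need - allowed_actions(key_policy, key_arn, target_account)),
        "iam_policy_missing": sorted(need - allowed_actions(iam_policy, key_arn)),
    }


# Constructed key policy on cmkSource in account 1.  The first statement is the
# usual default that lets IAM policies in the owning account work; the second
# is the one the share needs.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM policies in the owning account",
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::%s:root" % SOURCE_ACCOUNT},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Let the target account use cmkSource for the shared snapshot",
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::%s:root" % TARGET_ACCOUNT},
         "Action": ["kms:DescribeKey", "kms:ReEncrypt*", "kms:CreateGrant", "kms:Decrypt"],
         "Resource": "*"},
    ],
}

# Constructed IAM policy attached to the launching principal in account 2.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:DescribeKey", "kms:ReEncrypt*", "kms:CreateGrant", "kms:Decrypt"],
        "Resource": [CMK_SOURCE_ARN],
    }],
}

if __name__ == "__main__":
    print(json.dumps(check_share(KEY_POLICY, IAM_POLICY), indent=2))
```

Run it against the real documents by loading the output of `aws kms get-key-policy --key-id <cmkSource> --policy-name default --output text` in account 1 and the relevant policy document from account 2; the two lists tell you which side to fix. Remember that even with both lists empty the launch still fails until the snapshot's createVolumePermission includes account 2.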
  • 53. Benefits
    • Simple: a single step to launch encrypted volumes from snapshots encrypted with a custom CMK
    • Saves time
    • Less cost: no need to create and keep copies of snapshots for launch
  • 54. (No transcribed text: section divider.)
  • 55. Previously … an unencrypted snapshot / AMI had to be copied from account 1 into account 2 before account 2 could create volumes from it.
  • 56. Now … an unencrypted snapshot / AMI shared from account 1 can be used directly by account 2; combined with launching encrypted volumes from unencrypted snapshots, no copy step is needed.
  • 57. (No transcribed text: section divider.)
  • 58. Previously … encryption was enforced per Region by setting IAM policies in the account. (Diagram: Account 1, Region, "Set IAM policies".)
  • 59. Now … a single account-level Regional setting turns on EBS encryption by default. The setting applies to volumes and snapshot copies created after it is enabled in that Region; existing unencrypted volumes and snapshots are not changed, so they still need to be found and re-created or copied with encryption.
  • 60. How to do this (console screenshot)
  • 61. Benefits
    • Simple: easy to ensure compliance without changing workflows
    • Compatible: enables introducing encryption even while using unencrypted snapshots and AMIs
  • 62. In closing … account-level encryption; monitor access.
  • 63. Thank you! Ashish Palekar, @logicalblock
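Turning on encryption by default (`aws ec2 enable-ebs-encryption-by-default`, confirmed with `aws ec2 get-ebs-encryption-by-default`, and optionally `aws ec2 modify-ebs-default-kms-key-id --kms-key-id <key>` to pick a custom CMK) covers new volumes only, and the sharing controls on slides 34 to 36 are per snapshot, so "monitor access" means periodically reading the state back and comparing it with policy. The following is an added example for this page, not code from the deck or from AWS: an offline audit over the JSON that `get-ebs-encryption-by-default`, `describe-volumes`, `describe-snapshots --owner-ids self` and `describe-snapshot-attribute --attribute createVolumePermission` print. The sample data is constructed inline; the approved-CMK list and trusted-account list are assumptions standing in for an organisation's own policy, and the resource IDs are placeholders.

```python
"""Offline audit of EBS encryption and snapshot-sharing posture for one Region.

Example added for this page; not AWS tooling.  Input is the JSON printed by:
  aws ec2 get-ebs-encryption-by-default
  aws ec2 describe-volumes
  aws ec2 describe-snapshots --owner-ids self
  aws ec2 describe-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission
captured here as constructed sample data.
"""
import json

# Assumed organisational policy: CMKs allowed for EBS in this Region, and
# accounts that snapshots may be shared with.
APPROVED_CMKS = {
    "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab",
}
TRUSTED_ACCOUNTS = {"999999999999"}

# Constructed sample CLI output (placeholder IDs in the real formats).
EBS_DEFAULT = json.loads('{"EbsEncryptionByDefault": false}')

VOLUMES = json.loads("""{"Volumes": [
  {"VolumeId": "vol-0a1b2c3d4e5f60001", "State": "in-use", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
  {"VolumeId": "vol-0a1b2c3d4e5f60002", "State": "in-use", "Encrypted": false},
  {"VolumeId": "vol-0a1b2c3d4e5f60003", "State": "available", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/9999ffff-0000-1111-2222-333344445555"}
]}""")

SNAPSHOTS = json.loads("""{"Snapshots": [
  {"SnapshotId": "snap-0a1b2c3d4e5f60001", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
  {"SnapshotId": "snap-0a1b2c3d4e5f60002", "Encrypted": false},
  {"SnapshotId": "snap-0a1b2c3d4e5f60003", "Encrypted": false}
]}""")

# One describe-snapshot-attribute result per snapshot, keyed by SnapshotId.
PERMISSIONS = {
    "snap-0a1b2c3d4e5f60001": {"CreateVolumePermissions": [{"UserId": "999999999999"}]},
    "snap-0a1b2c3d4e5f60002": {"CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0a1b2c3d4e5f60003": {"CreateVolumePermissions": [{"UserId": "123456789012"}]},
}


def audit(ebs_default, volumes, snapshots, permissions,
          approved_cmks=APPROVED_CMKS, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return findings as (severity, resource_id, message) tuples."""
    findings = []

    # The Regional default decides whether a volume created without an explicit
    # Encrypted flag ends up encrypted at all.
    if not ebs_default.get("EbsEncryptionByDefault", False):
        findings.append(("HIGH", "account", "EBS encryption by default is disabled in this Region"))

    # Existing volumes are not touched by the default, so each one is checked.
    for vol in volumes.get("Volumes", []):
        vid = vol["VolumeId"]
        if not vol.get("Encrypted"):
            findings.append(("HIGH", vid, "volume is not encrypted"))
        elif vol.get("KmsKeyId") not in approved_cmks:
            findings.append(("MEDIUM", vid,
                             "volume uses a CMK outside the approved set: %s" % vol.get("KmsKeyId")))

    # createVolumePermission is the sharing control: group=all is public,
    # UserId entries are specific accounts.
    for snap in snapshots.get("Snapshots", []):
        sid = snap["SnapshotId"]
        perms = permissions.get(sid, {}).get("CreateVolumePermissions", [])
        for perm in perms:
            if perm.get("Group") == "all":
                findings.append(("CRITICAL", sid, "snapshot is public (createVolumePermission group=all)"))
            elif perm.get("UserId") and perm["UserId"] not in trusted_accounts:
                findings.append(("HIGH", sid, "snapshot shared with untrusted account %s" % perm["UserId"]))
        # Whoever receives an unencrypted snapshot gets the data in the clear.
        if perms and not snap.get("Encrypted"):
            findings.append(("HIGH", sid, "unencrypted snapshot is shared outside the account"))
    return findings


def severity_counts(findings):
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def resources_flagged(findings):
    return sorted({resource for _, resource, _ in findings})


if __name__ == "__main__":
    for severity, resource, message in audit(EBS_DEFAULT, VOLUMES, SNAPSHOTS, PERMISSIONS):
        print("%-8s %-24s %s" % (severity, resource, message))
```

Against the sample data the run flags the disabled Regional default, one unencrypted volume, one volume on an unapproved CMK, one public unencrypted snapshot and one unencrypted snapshot shared with an account outside the trusted list; the compliant volume and the encrypted snapshot shared with the trusted account produce nothing. To use it on real output, replace the constructed constants with `json.load` of the CLI results and run it once per Region, since both the default setting and the resources are Regional.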