
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019


Want to simplify the process of meeting compliance goals in a world of increasing data regulation? AWS customers run mission-critical workloads—SQL and NoSQL databases, business applications, data analytics, log analysis—on Amazon EC2, backed by Amazon EBS and EC2 instance storage. Securing data content and storage access is critical to maintaining uptime and meeting compliance needs. In this session, we discuss data security and review the security capabilities of Amazon EBS and EC2 instance storage. Learn how you can benefit from new Amazon EBS features such as encryption by default, launch of encrypted instances from unencrypted AMIs, and simplified sharing of encrypted AMIs.


  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     Securing your block storage on AWS
     Ashish Palekar, Director, Product Management, Elastic Block Store (@logicalblock)
     GRC207
  2. Agenda
     • Block storage in AWS: local instance storage; Elastic Block Store (EBS); EBS snapshots
     • Encryption: local instance storage, EBS, snapshots
     • Launching encrypted volumes from unencrypted snapshots / AMIs
     • Sharing encrypted snapshots / AMIs across accounts
     • Account-level encryption by default
  3. AWS block storage offerings
     (diagram) Amazon EC2 instance store (SSD or HDD); Amazon EBS SSD-backed volumes (gp2, io1); Amazon EBS HDD-backed volumes (st1, sc1); Amazon EBS snapshots
  4. What is Amazon EC2 instance store?
     • Local to the instance
     • Non-persistent data store
     • Data not replicated (by default)
     • No snapshot support
     • SSD or HDD
     (diagram) Amazon EC2 instances on a physical host with local instance store
  5-7. What is Amazon EBS?
     • Block storage as a service
     • Create and attach volumes through an API
     • Service accessed over the network
     (diagram) Amazon EC2 instance != Amazon EBS volume: the volume does not live on the instance's host
  8. What is Amazon EBS?
     • Volumes persist independent of Amazon EC2
     • Select storage and compute based on your workload
     • Detach and attach between instances within the same Availability Zone
     (diagram) Two Amazon EC2 instances and an Amazon EBS volume in one Availability Zone of an AWS Region
  9. What is Amazon EBS?
     • A volume attaches to one instance
     • Many volumes can attach to one instance
     • Separate boot and data volumes
     (diagram) One Amazon EC2 instance with three EBS volumes attached
  10-11. Amazon EBS volume types
     • Solid-state drives (SSD): Provisioned IOPS SSD (io1), General Purpose SSD (gp2)
     • Hard disk drives (HDD): Throughput Optimized HDD (st1), Cold HDD (sc1)
  12. Amazon EBS use cases
     • Relational databases: MySQL, SQL Server, PostgreSQL, SAP, Oracle
     • NoSQL databases: Cassandra, MongoDB, CouchDB
     • Big data, analytics: Kafka, Splunk, Hadoop, data warehousing
     • File / media: CIFS/NFS, transcoding, encoding, rendering
  13. Amazon EBS volume types: General Purpose SSD (gp2)
     • Throughput: up to 250 MiB/s
     • Latency: single-digit ms
     • Capacity: 1 GiB to 16 TiB
     • Baseline: 100 to 16,000 IOPS; 3 IOPS per GiB
     • Burst: 3,000 IOPS (for volumes up to 1,000 GiB)
     Great for boot volumes, low-latency applications, and bursty databases
  14. Amazon EBS volume types: Provisioned IOPS SSD (io1)
     • Baseline: 100 to 64,000 IOPS
     • Throughput: up to 1,000 MiB/s
     • Latency: single-digit ms
     • Capacity: 4 GiB to 16 TiB
     Ideal for critical applications and databases with sustained IOPS
  15. Amazon EBS volume types: Throughput Optimized HDD (st1)
     • Baseline: 40 MiB/s per TiB, up to 500 MiB/s
     • Burst: 250 MiB/s per TiB, up to 500 MiB/s
     • Capacity: 500 GiB to 16 TiB
     Ideal for large-block, high-throughput sequential workloads
  16. Amazon EBS volume types: Cold HDD (sc1)
     • Baseline: 12 MiB/s per TB, up to 192 MiB/s
     • Burst: 80 MiB/s per TB, up to 250 MiB/s
     • Capacity: 500 GiB to 16 TiB
     Ideal for sequential throughput workloads, such as logging and backup
  17. Amazon EBS snapshots
     • Copy of Amazon EBS volumes stored on Amazon S3
     • Snapshots are Regional
     • First snapshot is a full copy
     • Subsequent snapshots are incremental
     • Snapshots can be shared / copied
     • Create volumes from snapshots
     (diagram) EC2 instance and EBS volume in an Availability Zone; the snapshot lives at Region scope
  19. Encryption: NVMe local instance storage
     Instances: C5d, I3, I3en, F1, M5ad, P3dn.24xlarge, R5d, R5ad, Z1d
     • Drives are always encrypted; encryption cannot be disabled
     • You cannot change the encryption keys
     • Encryption uses the XTS-AES-256 block cipher
     • Implemented in a hardware module on the instance; keys are unique to each NVMe instance storage device
     • Keys are destroyed on instance stop/terminate
  20. Encryption: Amazon EBS
     • Integrates with AWS Key Management Service (KMS): AES-256 encryption
     • Uses customer master keys (CMKs)
     An encrypted EBS volume implies the following are encrypted:
     • Data at rest inside the volume
     • Data moving between the volume and the instance
     • Snapshots created from the volume
     • Volumes created from such snapshots
  21-24. Amazon EBS volume encryption (console walkthrough: Amazon EBS encryption for data volumes)
     Create a new AWS KMS master key for Amazon EBS:
     • Define the key rotation policy
     • Enable AWS CloudTrail auditing
     • Control who can use the key
     • Control who can administer the key
  25-27. Amazon EBS encryption, data volumes: RunInstances with custom CMKs
     $> aws ec2 run-instances --image-id ami-b42209de --count 1 --instance-type m4.large --region us-east-1 --block-device-mappings file://mapping.json

     mapping.json (the slide prints a single object with the field spelled "kmsKeyID"; the CLI expects a JSON list, and the field is KmsKeyId, case-sensitive):
     [
       {
         "DeviceName": "/dev/sda1",
         "Ebs": {
           "DeleteOnTermination": true,
           "VolumeSize": 100,
           "VolumeType": "gp2",
           "Encrypted": true,
           "KmsKeyId": "arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef"
         }
       }
     ]
  28-30. Amazon EBS encryption: how it works (AWS KMS envelope encryption)
     (diagram) The EBS master key in AWS KMS wraps a separate data key for each volume: data key 1 for Amazon EBS volume 1, data key 2 for volume 2, data key 3 for volume 3
     • Limits exposure risk
     • Performance
     • Simplifies key management
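The "how it works" slides above show one KMS master key wrapping a separate data key per volume. What follows is an added example, not AWS code and not from the deck, that builds that structure with stdlib stand-ins for the ciphers (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag in place of the AES-256 that EBS and KMS use); the MasterKey class, the volume names and the key ids are constructed. It shows what each bullet on slide 30 means in practice: a leaked data key opens one volume only, a different CMK cannot unwrap anything, and the master key is called once per volume rather than once per block.

```python
"""Envelope encryption in miniature: one master key wraps a separate data key
per volume, and the master key never touches volume data.

Added example for this page, not AWS or EBS code. The primitives are stdlib
stand-ins for AES-256, so the structure is faithful while the ciphers are
toys; do not reuse them for real storage.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _subkeys(key: bytes):
    """Derive independent keystream and MAC keys from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: keystream block i = HMAC(enc_key, nonce || i), XORed into the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises on a wrong key or tampering."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(enc, nonce, ct)


class MasterKey:
    """Stand-in for a KMS CMK: it only wraps and unwraps data keys.

    Calls are counted so you can see that bulk data never goes through the
    master key (the "performance" bullet on the slide)."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self._secret = os.urandom(32)   # never leaves this object, as a CMK never leaves KMS
        self.kms_calls = 0

    def generate_data_key(self):
        """Like KMS GenerateDataKey: returns (plaintext data key, wrapped data key)."""
        self.kms_calls += 1
        data_key = os.urandom(32)
        return data_key, aead_encrypt(self._secret, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        """Like KMS Decrypt applied to a wrapped data key."""
        self.kms_calls += 1
        return aead_decrypt(self._secret, wrapped)


@dataclass
class EncryptedVolume:
    volume_id: str
    wrapped_data_key: bytes   # stored with the volume's metadata
    ciphertext: bytes         # the volume's blocks, encrypted under the data key only


def create_encrypted_volume(cmk: MasterKey, volume_id: str, data: bytes) -> EncryptedVolume:
    data_key, wrapped = cmk.generate_data_key()
    return EncryptedVolume(volume_id, wrapped, aead_encrypt(data_key, data))


def read_volume(cmk: MasterKey, vol: EncryptedVolume) -> bytes:
    """One KMS call to unwrap the data key; all block decryption is then local."""
    return aead_decrypt(cmk.unwrap(vol.wrapped_data_key), vol.ciphertext)


def demo() -> dict:
    """Three volumes under one CMK (constructed ids); shows key isolation between volumes."""
    cmk = MasterKey("cmk-example")
    vols = [create_encrypted_volume(cmk, f"vol-{i}", f"volume {i} blocks".encode()) for i in range(3)]
    recovered = [read_volume(cmk, v) for v in vols]
    # A leaked data key for volume 0 opens volume 0 only: the other volumes use
    # different data keys. This is the "limits exposure risk" bullet.
    leaked_key_0 = cmk.unwrap(vols[0].wrapped_data_key)
    opens_vol0 = aead_decrypt(leaked_key_0, vols[0].ciphertext) == b"volume 0 blocks"
    try:
        aead_decrypt(leaked_key_0, vols[1].ciphertext)
        opens_vol1 = True
    except ValueError:
        opens_vol1 = False
    # A different CMK cannot unwrap these data keys at all.
    try:
        read_volume(MasterKey("cmk-other"), vols[0])
        other_cmk_reads = True
    except ValueError:
        other_cmk_reads = False
    return {
        "recovered": recovered,
        "distinct_wrapped_keys": len({v.wrapped_data_key for v in vols}),
        "kms_calls": cmk.kms_calls,   # 3 GenerateDataKey + 3 Decrypt on read + 1 Decrypt for the leak test
        "leaked_key_opens_vol0": opens_vol0,
        "leaked_key_opens_vol1": opens_vol1,
        "other_cmk_reads": other_cmk_reads,
    }
```

The point to take from `kms_calls` is the design choice behind the performance bullet: the master key is involved once when a volume is attached (to unwrap its data key), and every read and write afterwards is done locally with the data key, which is also why a KMS outage or a disabled CMK affects new attachments rather than I/O on volumes already attached.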
  31. Amazon EBS-optimized performance and encryption
     Does choosing encryption reduce Amazon EBS-optimized performance?
     • Amazon EBS-optimized performance is the same with and without encryption for the "4" and "5" families of instances
     • In other words, encryption does not reduce the rated performance of an instance in the "4" or "5" family
  32. Amazon EBS snapshot encryption
     • Snapshots of encrypted volumes are automatically encrypted
     • Volumes created from encrypted snapshots are automatically encrypted
     • You can encrypt an unencrypted snapshot when you copy it
     • You can re-encrypt a snapshot you own with a different key when you copy it
     https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  33. Snapshots differ from volumes and instance storage
     • Snapshots can be shared across accounts
     • Snapshots can be copied across accounts
     • Snapshots can be copied within an account
     • Snapshots can be copied across Regions
     • Snapshots are used to create AMIs
  34-35. Sharing snapshots and AMIs
     aws ec2 describe-snapshot-attribute --snapshot-id snap-00d820abc6be8d639 --attribute createVolumePermission
     Output (an empty list means the snapshot is not shared with anyone):
     {
       "SnapshotId": "snap-00d820abc6be8d639",
       "CreateVolumePermissions": []
     }
     aws ec2 modify-snapshot-attribute --snapshot-id snap-00d820abc6be8d639 --attribute createVolumePermission
     (As printed on the slide the modify command is incomplete: it also needs --operation-type add or remove, and --user-ids or --group-names to name who gains or loses the permission.)
  36. Sharing snapshots and AMIs
     • Public sharing: the reasonable use case is AMIs on AWS Marketplace
     • Share non-AMI snapshots only with specific accounts
     • To launch a volume from a snapshot, you need a copy of the snapshot in-Region
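Slides 34 and 36 say to check createVolumePermission and to share non-AMI snapshots only with specific accounts. Here is an added example, not from the deck and not AWS code, that audits saved output of `describe-snapshot-attribute` and `describe-image-attribute` against an account allowlist and produces the remediation command for each finding. The sample documents are constructed to mimic that CLI output; every ID except snap-00d820abc6be8d639 from the slide is made up, and the allowlist and the "intentionally public AMI" set are the caller's assumptions.

```python
"""Audit who can use your snapshots and AMIs, from saved output of
`aws ec2 describe-snapshot-attribute --attribute createVolumePermission` and
`aws ec2 describe-image-attribute --attribute launchPermission`.

Added example for this page, not AWS code. The sample documents are
constructed; only snap-00d820abc6be8d639 comes from the slide.
"""
import json

# Constructed samples: the slide's snapshot (not shared), a snapshot shared
# with two accounts, a public snapshot, a public AMI, and a Marketplace-style
# AMI that is meant to be public.
SAMPLE_ATTRIBUTE_DOCS = [
    json.loads('{"SnapshotId": "snap-00d820abc6be8d639", "CreateVolumePermissions": []}'),
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1",
     "CreateVolumePermissions": [{"UserId": "222222222222"}, {"UserId": "333333333333"}]},
    {"SnapshotId": "snap-0bbbbbbbbbbbbbbb2",
     "CreateVolumePermissions": [{"Group": "all"}]},
    {"ImageId": "ami-0ccccccccccccccc3",
     "LaunchPermissions": [{"Group": "all"}]},
    {"ImageId": "ami-0ddddddddddddddd4",
     "LaunchPermissions": [{"Group": "all"}]},
]


def audit_sharing(docs, allowed_accounts, public_ok=frozenset()):
    """Return findings as (resource_id, severity, problem, remediation) tuples.

    allowed_accounts: account IDs that may receive shared snapshots / AMIs.
    public_ok: AMI IDs that are meant to be public (the Marketplace case on slide 36).
    """
    findings = []
    for doc in docs:
        if "SnapshotId" in doc:
            rid = doc["SnapshotId"]
            perms = doc.get("CreateVolumePermissions", [])
            base = (f"aws ec2 modify-snapshot-attribute --snapshot-id {rid} "
                    "--attribute createVolumePermission --operation-type remove")
            public_fix = base + " --group-names all"
            user_fix = base + " --user-ids ACCOUNT"
        else:
            rid = doc["ImageId"]
            perms = doc.get("LaunchPermissions", [])
            base = f"aws ec2 modify-image-attribute --image-id {rid} --launch-permission "
            public_fix = base + '"Remove=[{Group=all}]"'
            user_fix = base + '"Remove=[{UserId=ACCOUNT}]"'
        for perm in perms:
            if perm.get("Group") == "all":
                if rid in public_ok:
                    continue   # documented exception, e.g. a Marketplace AMI
                findings.append((rid, "HIGH", "public: any AWS account can use it", public_fix))
            elif "UserId" in perm and perm["UserId"] not in allowed_accounts:
                findings.append((rid, "MEDIUM",
                                 f"shared with account {perm['UserId']} outside the allowlist",
                                 user_fix.replace("ACCOUNT", perm["UserId"])))
    return findings


if __name__ == "__main__":
    for rid, sev, problem, fix in audit_sharing(
            SAMPLE_ATTRIBUTE_DOCS, {"222222222222"}, public_ok={"ami-0ddddddddddddddd4"}):
        print(f"{sev:6} {rid}: {problem}\n       fix: {fix}")
```

To run this against a real account, dump each snapshot's attribute document with the describe command from slide 34 and feed the list of parsed documents to `audit_sharing`; the output of `describe-snapshots --owner-ids self` gives you the snapshot IDs to iterate. Treat every HIGH finding on a non-AMI snapshot as a data exposure, since a public createVolumePermission lets any AWS account create a volume from it and read the contents.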
  37. Copy snapshots across Regions
     (diagram) An Amazon EBS snapshot in one AWS Region is copied, via Amazon S3, to a second Region, where volumes can be created from it
  38. Copy snapshots
     • Encryption protects snapshots in transit during the copy operation
     • Unencrypted snapshots can be encrypted during copy
     • Encrypted snapshots can be re-encrypted during copy
     • The first copy across Regions is a full copy
     • Snapshots are incremental after the first copy; the same CMK is needed on both ends to support incremental copies
  39. Copy snapshots: encrypt or re-encrypt
     aws ec2 copy-snapshot --source-snapshot-id snap-010bb9c48a9a4c237 --destination-region us-west-1 --encrypted --kms-key-id key/1234abcd-12ab-34cd-56ef-1234567890ab
     (The CLI also requires --source-region, the Region the source snapshot lives in; the slide omits it.)
  40. Copy snapshots across Regions, and across accounts and Regions
     • Lock down resource-level permissions on the target snapshot copy
     • Multi-Region = protection against regional events
     • Permission lockdown = protection against malicious or unintentional deletion of data
  41. Three new features to make encryption easier
     • Launch encrypted volumes from unencrypted snapshots / AMIs
     • Launch volumes encrypted with a different CMK from encrypted snapshots / AMIs
     • Share snapshots encrypted with custom CMKs across accounts
     • Encryption by default for EBS for an account in a Region, with a single setting
  43. Previously ...
     (diagram) Unencrypted snapshot / AMI -> copy and encrypt -> encrypted snapshot / AMI -> create volume -> encrypted Amazon EBS volumes
  44. Now ...
     (diagram) Unencrypted snapshot / AMI -> launch encrypted volume -> encrypted Amazon EBS volumes
  45-46. How to do this
     aws ec2 create-volume --snapshot-id snap-010bb9c48a9a4c237 --availability-zone us-west-2a --encrypted --volume-type gp2
  47. Benefits
     • Simple: a single step to launch encrypted volumes
     • Compatible: enables introducing encryption even while using unencrypted AMIs
     • Saves time
     • Less cost: no need to create and save copies of snapshots for launch
  49. Previously ...
     (diagram) Snapshot / AMI encrypted with a custom CMK: copy the snapshot from Account 1 to Account 2, then create volumes in Account 2
  50. Now ...
     (diagram) Snapshot / AMI encrypted with a custom CMK: share the snapshot from Account 1 to Account 2 directly
  51. How to do this
     IAM policy statement allowing use of the source CMK (the key in account 111111111111) for the launch:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "kms:DescribeKey",
             "kms:ReEncrypt*",
             "kms:CreateGrant",
             "kms:Decrypt"
           ],
           "Resource": [
             "arn:aws:kms:us-east-1:<111111111111>:key/<key-id of cmkSource>"
           ]
         }
       ]
     }
  52. How to do this
     $> aws ec2 run-instances --image-id ami-XXXXX --count 1 --instance-type m4.large --region us-east-1 --subnet-id subnet-aec2fc86 --key-name 2016KeyPair --security-group-ids sg-f7dbc78e --block-device-mappings file://mapping.json

     mapping.json
     [
       {
         "DeviceName": "/dev/xvda",
         "Ebs": {
           "Encrypted": true,
           "KmsKeyId": "arn:aws:kms:us-east-1:<999999999999>:key/<abcd1234-a123-456a-a12b-a123b4cd56ef>"
         }
       }
     ]
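Slides 27 and 52 both launch with a mapping.json that sets Encrypted and KmsKeyId per volume. The following added example, not from the deck and not AWS code, lints such a mapping before launch: it catches the two defects visible on slide 27 as printed (a bare object where the CLI wants a list, and the field spelled kmsKeyID) and requires a full key ARN in the expected Region from an allowed key-owner account. The list of known Ebs fields and the full-ARN requirement are this example's assumptions, a policy choice rather than an API rule.

```python
"""Pre-launch lint for RunInstances block-device mappings: every EBS volume
must be encrypted with a CMK from an expected account and Region, and field
names must be ones the API knows (they are case-sensitive).

Added example for this page, not AWS code. KNOWN_EBS_FIELDS is the set of
RunInstances Ebs fields assumed here; insisting on a full key ARN instead of
a bare key ID or alias is this check's policy, not an API requirement.
"""
import re

KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$"
)
KNOWN_EBS_FIELDS = {"DeleteOnTermination", "Encrypted", "Iops", "KmsKeyId",
                    "SnapshotId", "Throughput", "VolumeSize", "VolumeType"}

# As printed on slide 27 of the deck: a single object instead of a list, and
# "kmsKeyID" instead of "KmsKeyId".
SLIDE27_MAPPING_AS_SHOWN = {
    "DeviceName": "/dev/sda1",
    "Ebs": {"DeleteOnTermination": True, "VolumeSize": 100, "VolumeType": "gp2",
            "Encrypted": True,
            "kmsKeyID": "arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef"},
}
# The same mapping with both defects fixed.
CORRECTED_MAPPINGS = [{
    "DeviceName": "/dev/sda1",
    "Ebs": {"DeleteOnTermination": True, "VolumeSize": 100, "VolumeType": "gp2",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef"},
}]


def validate_block_device_mappings(mappings, expected_region, allowed_key_accounts):
    """Return a list of human-readable problems; an empty list means launch-ready."""
    issues = []
    if isinstance(mappings, dict):
        issues.append("block-device-mappings must be a JSON list, not a single object")
        mappings = [mappings]
    for i, mapping in enumerate(mappings):
        dev = mapping.get("DeviceName", f"mapping #{i}")
        ebs = mapping.get("Ebs")
        if ebs is None:
            continue   # instance-store mapping: NVMe instance store is always encrypted anyway
        for field in ebs:
            if field not in KNOWN_EBS_FIELDS:
                # Case-insensitive match gives the likely intended field name.
                hint = next((k for k in KNOWN_EBS_FIELDS if k.lower() == field.lower()), None)
                issues.append(f"{dev}: unknown Ebs field {field!r}"
                              + (f" (did you mean {hint!r}?)" if hint else ""))
        if ebs.get("Encrypted") is not True:
            issues.append(f"{dev}: Encrypted must be true")
        key = ebs.get("KmsKeyId")
        if key is None:
            issues.append(f"{dev}: no KmsKeyId, so the account's default EBS key would be used")
            continue
        m = KMS_KEY_ARN.match(key)
        if m is None:
            issues.append(f"{dev}: KmsKeyId is not a full KMS key ARN")
        elif m["region"] != expected_region:
            issues.append(f"{dev}: key is in {m['region']}, instance launches in {expected_region}")
        elif m["account"] not in allowed_key_accounts:
            issues.append(f"{dev}: key belongs to account {m['account']}, not an allowed key owner")
    return issues


if __name__ == "__main__":
    for label, mapping in (("slide 27 as shown", SLIDE27_MAPPING_AS_SHOWN),
                           ("corrected", CORRECTED_MAPPINGS)):
        problems = validate_block_device_mappings(mapping, "us-east-1", {"012345678910"})
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The key-owner check is what makes this useful for the cross-account case on slides 51 and 52: the set of allowed key accounts is where you record that volumes in this account may be encrypted with a CMK owned by another account, so a mapping that quietly points at an unexpected account's key is caught before the instance exists rather than discovered in CloudTrail afterwards.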
  53. Benefits
     • Simple: a single step to launch encrypted volumes from snapshots encrypted with a custom CMK
     • Saves time
     • Less cost: no need to create and save copies of snapshots for launch
  55. Previously ...
     (diagram) Unencrypted snapshot / AMI: copy the snapshot from Account 1 to Account 2, then create volumes in Account 2
  56. Now ...
     (diagram) Unencrypted snapshot / AMI: share the snapshot from Account 1 to Account 2 directly
  58. Previously ...
     (diagram) Encryption enforced per Region in Account 1 by setting IAM policies
  59. Now ...
     (diagram) Encryption enforced per Region in Account 1 by an account-level Regional setting
  60. How to do this
     (console screenshot; no text on the slide)
  61. Benefits
     • Simple: easy to ensure compliance without changes to workflows
     • Compatible: enables introducing encryption even while using unencrypted snapshots and AMIs
  62. In closing ...
     • Account-level encryption
     • Monitor access
  63. Thank you!
     Ashish Palekar, @logicalblock
