© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
re:Invent
A Deep Dive into AWS Encryption
Services
Ken Beer – GM, AWS Key Management Service
SID329
November 27, 2017
What to expect from this session
Learn how AWS thinks about encryption
Understand which AWS encryption and key management features are
available to protect customer data in transit and at rest
Learn how to trust AWS with your keys
Why encrypt in the cloud?
What everyone says:
• Compliance
• Best practice in security
• Protect myself from my cloud provider’s other customers
• Protect myself from my cloud provider
What everyone means:
• Minimizing unauthorized physical access to data
• Minimizing unauthorized logical access to data
• Confidentiality, Integrity, Availability
Minimizing unauthorized physical
access to data in the cloud
Data in transport
• On the wire – Datacenter physical security, TLS, IPsec, MACsec to
prevent sniffers
• On disk on a truck – Courier/device security (e.g., AWS
Snowball/Snowmobile)
Data at rest
• Datacenter physical security
• Encryption - Block, file, directory, file system, full disk
Data in use
• Datacenter physical security
Minimizing unauthorized logical
access to data in the cloud
Data in transport
• Networking access controls (Security Groups, VPC) you control
• Encryption on the wire – TLS, IPsec, MACsec with keys you control
Data at rest
• Access controls on data resource
• Encryption - Block, file, directory, file system, full disk with keys you
control
Data in use
• Access controls to prevent unauthorized memory reads/dumps
• Encrypt in memory?
Who cares most about controlling access?
IT Security: manages key access policies
Software Developer: uses keys to protect data
Compliance: verifies configuration and historical access
Control – What should it mean to you?
Data access control
• You own the physical security of your access credentials (password, MFA,
API signing keys)
• You alone can create/modify/delete resource permissions
Encryption keys under your control
• Physical keys are durable
• You trust your cloud provider to not lose them
• Or, you have a secured copy outside the cloud
• Keys are highly available
• Keys never leave your datacenter
• You alone can create/modify/delete permissions to use keys
• You have a record every time keys are used
AWS Data in Transport Security
Virtual Private Networking
AWS managed VPN
IPsec VPN connection between your VPC and your single remote network. A virtual
private gateway provides two VPN endpoints (tunnels) for automatic failover.
AWS VPN CloudHub
AWS managed VPN connections via your virtual private gateway to enable
communication between multiple remote networks.
Third party software VPN appliance
VPN connection to your remote network by using an Amazon EC2 instance in your
VPC that's running a third party software VPN appliance.
Using TLS for data confidentiality
and integrity
You can import your own certificates when using:
Your own applications running in Amazon EC2
Elastic Load Balancing (NLB/ALB)
Amazon CloudFront
Amazon API Gateway
AWS Certificate Manager (ACM)
Provision TLS certificates for use with external-facing AWS resources:
• Elastic Load Balancing (NLB/ALB)
• Amazon CloudFront
• Amazon API Gateway
AWS handles the painful parts of PKI
• Key pair and Certificate Signing Request generation
• Encryption and secure storage of private keys
• Managed renewal and deployment
Domain validation (DV) through DNS validation/email
Making TLS work better: s2n
• A TLS library designed by AWS to help your developers implement transport security with faster performance
• Avoids implementing rarely used TLS options and extensions; ~6,000 lines of code
• Used by many AWS services and available as open source
https://github.com/awslabs/s2n
AWS Data-at-Rest Security
Data at Rest Encryption primer
[Diagram: plaintext data is encrypted by hardware or software under a symmetric data key; the encrypted data goes to storage, and the data key itself is stored in encrypted form, encrypted under a master key. The two questions the diagram raises are the key hierarchy (what encrypts what) and key management (who holds and controls the master key).]
Options for data-at-rest encryption in AWS
Client-side encryption
• You encrypt your data before submitting to an AWS service
• You supply encryption keys OR use keys in AWS Key Management Service under
your control
• Tools: AWS Encryption SDK, S3 Encryption Client, EMRFS Client, DynamoDB
Encryption Client
Server-side encryption
• AWS encrypts data on your behalf after it is received by the service
• 43 services including Amazon S3, Amazon EBS, Amazon RDS, Amazon Redshift,
Amazon WorkSpaces, Amazon Kinesis Streams, AWS CloudTrail…
• Integrated with AWS Key Management Service so that you control the keys
Client-side encryption in AWS
AWS Encryption SDK, S3/EMRFS/DynamoDB clients, customer-supplied
[Diagram: an encryption client application, running either with your applications in your data center or with your application in EC2, writes your encrypted data to AWS services. Keys come from your key management infrastructure (in your data center or in EC2), from AWS KMS, or from AWS CloudHSM.]
AWS Encryption SDK
Making Client-Side Encryption Safer and Easier
In order to encrypt, developers have to keep track of only two things:
• The message/file/stream they want to encrypt
• An identifier that points to the source of their keys (i.e. key provider)
Advanced users can customize the SDK in multiple ways
• Encrypt under different keys in different regions
• Cache data keys for re-use to minimize call rate to KMS for better performance
Available in Java, Python, CLI
http://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html
Server-Side Encryption in AWS
Two-tiered key hierarchy using envelope encryption
• Unique data key encrypts customer data
• Customer Master Keys encrypt data keys
Benefits
• Limits risk of compromised data key
• Better performance for encrypting large data
• Easier to manage small number of master
keys than billions of data keys
• Centralized access and audit of key activity
[Diagram: KMS holds the customer master keys; each resource gets its own data key: data key 1 for an S3 object, data key 2 for an EBS volume, data key 3 for an Amazon Redshift cluster, data key 4 for a custom application.]
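The two-tier hierarchy from the data-at-rest primer and the server-side encryption slide above, worked through in Go as an added example (this is not AWS code and not the AWS Encryption SDK): a random master key stands in for the CMK, a fresh data key is generated per object, the bulk data is encrypted under the data key with AES-GCM, and only the wrapped data key is stored beside the ciphertext. The key identifier and an encryption-context string are bound into the wrap as additional authenticated data, which is what makes a decrypt with the wrong context fail before any bulk data is touched. The names Envelope, Encrypt, Decrypt and gcmSeal are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is stored next to the bulk ciphertext: the data key wrapped
// under the master key, plus the nonces used for each AES-GCM operation.
type Envelope struct {
	KeyID      string // identifier of the master key that wrapped the data key
	WrapNonce  []byte
	WrappedKey []byte // data key encrypted under the master key
	DataNonce  []byte
	Ciphertext []byte // bulk data encrypted under the plaintext data key
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key with a fresh random nonce. aad is
// authenticated but not encrypted; this is where an encryption context goes.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen is the inverse of gcmSeal; it fails if key, nonce, ciphertext or aad differ.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt implements the two-tier hierarchy: a fresh 256-bit data key encrypts
// the bulk data, then only that data key is wrapped under the master key.
// masterKey stands in for a CMK (which in KMS never leaves the HSA); keyID and
// context play the roles of KMS's KeyId and EncryptionContext.
func Encrypt(masterKey []byte, keyID, context string, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	dataNonce, ct, err := gcmSeal(dataKey, plaintext, []byte(context))
	if err != nil {
		return nil, err
	}
	// Binding keyID and context into the wrap's AAD means the data key can only
	// be unwrapped by a caller presenting the same context, as KMS enforces.
	wrapNonce, wrapped, err := gcmSeal(masterKey, dataKey, []byte(keyID+"|"+context))
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // the plaintext data key lives in memory only while needed
		dataKey[i] = 0
	}
	return &Envelope{KeyID: keyID, WrapNonce: wrapNonce, WrappedKey: wrapped,
		DataNonce: dataNonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key under the master key (the only step KMS would
// perform on the caller's behalf) and then decrypts the bulk data locally.
func Decrypt(masterKey []byte, context string, env *Envelope) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, env.WrapNonce, env.WrappedKey, []byte(env.KeyID+"|"+context))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong master key or encryption context")
	}
	defer func() {
		for i := range dataKey {
			dataKey[i] = 0
		}
	}()
	return gcmOpen(dataKey, env.DataNonce, env.Ciphertext, []byte(context))
}

func main() {
	master := make([]byte, 32) // constructed stand-in for CMK material
	rand.Read(master)
	env, _ := Encrypt(master, "alias/demo", "volumeid=vol-12345", []byte("secret payload"))
	pt, err := Decrypt(master, "volumeid=vol-12345", env)
	fmt.Printf("right context: %q err=%v\n", pt, err)
	_, err = Decrypt(master, "volumeid=vol-99999", env)
	fmt.Println("wrong context:", err)
}
```

In the real service the unwrap step is the Decrypt or GenerateDataKey call to KMS and the master key never leaves the HSA; here it is a local byte slice so the example runs offline. Zeroing the plaintext data key as soon as it has been used mirrors the deck's point that data keys exist only in volatile memory for as long as they are needed.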
How AWS Services Use Data Keys
The EC2/EBS model
• Unique data keys per resource from KMS are stored in hypervisor volatile memory for as
long as your resource is attached
• Permissions exist for AWS to re-provision data keys to volatile memory in cases of AWS-caused events
• Examples: EBS, RDS, Redshift, WorkSpaces, Amazon Lightsail
The S3 model
• Data keys from KMS are only used in volatile memory of service hosts for an API
transaction
• Permissions may exist to use keys in response to asynchronous events related to your data
in other services
• Examples: S3, EMR, CloudTrail, Amazon Athena, Amazon Kinesis, Amazon SQS,
Amazon CloudWatch
AWS KMS Key Hierarchy
Keys on HSAs in a Region (KMS-managed)
• All Hardened Security Appliances (HSAs) in a Region self-generate keys in memory when provisioned. Private keys never leave the HSA.
Customer Master Key (customer-managed), stored by KMS and encrypted by the keys on the HSAs
• 256-bit symmetric Customer Master Key generated in an HSA or imported by the customer.
• Stored in encrypted form in several locations by KMS. The plaintext version is used only in memory on HSAs, on demand.
Data Key (customer-managed or AWS service-managed), encrypted by the Customer Master Key
• 256-bit symmetric key returned to the client by KMS to use for encrypting bulk data.
Security controls enforced by KMS
When operational with keys provisioned:
• No AWS operator can access a host
• No software updates allowed
After reboot and in a non-operational state:
• No key material on host
• Software can only be updated:
• After multiple AWS employees have reviewed the code
• Under quorum of multiple KMS operators with valid credentials
3rd Party Evidence
• SOC 1 – Control 4.5: Customer master keys used for cryptographic operations in
KMS are logically secured so that no single AWS employee can gain access to the
key material.
Keys on HSAs in a Region
You control how your KMS keys are used
Each Customer Master Key has a resource policy which defines permissions for use
Sample permissions on a key:
• Can only be used for encryption and decryption by <these users and roles> in
<these accounts>
• Can be used by application A to encrypt data and only used by application B to
decrypt data
• Can be managed only by this set of administrator users or roles
• Can be used by <these external accounts>, but only for encryption/decryption,
not administrative tasks
Fully integrated with AWS Identity and Access Management
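The sample permissions above written out as a KMS key policy document and checked with a small evaluator, as an added example (the policy text and the evaluator are this example's own, not AWS code; the account IDs and role names are placeholders). The evaluator handles only Effect, Principal.AWS and Action with trailing wildcards; it ignores Conditions, grants and IAM policies, so it illustrates the intent of the policy rather than reproducing AWS's authorization logic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// The parts of a key policy this evaluator understands. Conditions are not modelled.
type Statement struct {
	Sid       string `json:"Sid"`
	Effect    string `json:"Effect"`
	Principal struct {
		AWS json.RawMessage `json:"AWS"` // a string or a list of strings
	} `json:"Principal"`
	Action json.RawMessage `json:"Action"` // a string or a list of strings
}

type KeyPolicy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Constructed sample key policy: app A may only encrypt, app B (and one external
// account) may only decrypt, and a separate admin role manages the key but cannot use it.
const SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "KeyAdmins", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmin"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]},
    {"Sid": "AppAEncryptOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppA"},
     "Action": ["kms:Encrypt", "kms:GenerateDataKey"]},
    {"Sid": "AppBDecryptOnly", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/AppB",
                           "arn:aws:iam::444455556666:role/PartnerReader"]},
     "Action": "kms:Decrypt"}
  ]
}`

// stringOrList decodes a JSON value that policies allow to be either form.
func stringOrList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

// matchAction supports the trailing-wildcard form used in key policies ("kms:Get*").
func matchAction(pattern, action string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(action, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == action
}

// Allowed answers "may principal call action on this key?" from the key policy
// alone: an explicit Deny wins, otherwise any matching Allow grants access.
func Allowed(policyJSON, principal, action string) (bool, error) {
	var p KeyPolicy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return false, err
	}
	allowed := false
	for _, s := range p.Statement {
		matched := false
		for _, pr := range stringOrList(s.Principal.AWS) {
			matched = matched || pr == principal
		}
		if !matched {
			continue
		}
		for _, a := range stringOrList(s.Action) {
			if matchAction(a, action) {
				if s.Effect == "Deny" {
					return false, nil
				}
				allowed = true
			}
		}
	}
	return allowed, nil
}

func main() {
	for _, q := range [][2]string{
		{"arn:aws:iam::111122223333:role/AppA", "kms:Encrypt"},
		{"arn:aws:iam::111122223333:role/AppA", "kms:Decrypt"},
		{"arn:aws:iam::111122223333:role/KeyAdmin", "kms:Decrypt"},
		{"arn:aws:iam::444455556666:role/PartnerReader", "kms:PutKeyPolicy"},
	} {
		ok, _ := Allowed(SamplePolicy, q[0], q[1])
		fmt.Printf("%-48s %-18s allowed=%v\n", q[0], q[1], ok)
	}
}
```

Two points worth checking in a real policy: the document above deliberately has no statement granting the account's root principal kms:*, so IAM policies inside the account cannot widen who may use the key; and a cross-account principal such as the partner role still needs an IAM policy in its own account that allows kms:Decrypt on this key's ARN before the key policy's Allow has any effect.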
Audit KMS usage with AWS CloudTrail
"eventName": "Decrypt",                                                   This KMS API action was called…
"eventTime": "2014-08-18T18:13:07Z",                                      …at this time
"requestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex"},   …in reference to this key
"encryptionContext": "volumeid-12345",                                    …to protect this AWS resource
"sourceIPAddress": "203.0.113.113",                                       …from this IP address
"userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"},        …by this AWS user in this account
Alternatives to KMS
Different controls over the security of your keys
AWS CloudHSM
AWS Partner solutions
Do it yourself
AWS CloudHSM
• Hardware/service APIs managed by AWS
• Automatic patching, backup, HA
• HSMs are inside your Amazon VPC—
isolated from the rest of the network
• Uses 3rd party hardware with FIPS 140-2
level 3 validation
• Billed by the hour
• Only you have access to your keys and
operations using the keys
• AuthN and AuthZ are specific to the HSM –
not integrated with AWS
[Diagram: CloudHSM inside your Amazon VPC. AWS administrator: manages the hardware/APIs. You: control keys and crypto operations.]
Comparison of key management options
Where master keys are generated and stored
  KMS: In AWS, or imported by you
  CloudHSM: In AWS, on a 3rd party HSM that you control
  AWS Marketplace partner solutions: Your network or an EC2 instance
  DIY: Your network or an EC2 instance
Where data keys are used
  KMS: AWS services or your applications
  CloudHSM: Your network or your EC2 instance
  AWS Marketplace partner solutions: Your network or your EC2 instance
  DIY: Your network or your EC2 instance
How to control key use
  KMS: AWS policies you define
  CloudHSM: HSM-specific access controls
  AWS Marketplace partner solutions: Vendor-specific access controls
  DIY: You implement access controls
Responsibility for performance/scale
  KMS: AWS
  CloudHSM: AWS/You
  AWS Marketplace partner solutions: Partner/You
  DIY: You
Integration with AWS services?
  KMS: Yes
  CloudHSM: Limited
  AWS Marketplace partner solutions: Limited
  DIY: Limited
Pricing model
  KMS: Per master key + usage
  CloudHSM: Per hour
  AWS Marketplace partner solutions: Variable
  DIY: Variable
Ubiquitous encryption
[Diagram: data sources (Amazon EBS, Amazon RDS, Amazon Redshift, Amazon S3, Amazon Glacier) and applications, encrypted in transit and at rest; keys are fully managed keys in AWS KMS, imported keys, or keys from your KMI; access is restricted through IAM and auditable through AWS CloudTrail.]
AWS KMS Cryptographic Details
https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
AWS KMS Best Practices Whitepaper
https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
AWS KMS Compliance Reports
https://aws.amazon.com/artifact/
Other re:Invent Sessions of Interest
SID330: Best Practices for Using AWS Key Management Services
SID339: Deep Dive on AWS CloudHSM
SID345: AWS Encryption SDK: The Busy Engineer’s Guide to Client-Side Encryption
PLEASE FILL OUT THE SURVEY!
THANK YOU!