Do you want to find out how to use encryption to secure your data on AWS? Download our presentation and learn important tips on how to protect your data in the cloud! You can also find online workshop on our YouTube channel: https://on.zenbit.tech/opixfl During this workshop, our knowledgeable CTO Liudmyla Dziubynska walks you through the process of putting encryption techniques in place to protect your sensitive data. You will learn about various encryption techniques, such as: — Client-side encryption; — Server-side encryption; — Encryption on flight (SSL). We also have a Software Development Blog: https://on.zenbit.tech/jful7v Take advantage of this chance to learn how to safeguard your data on Amazon.

1. Protect your
Data on AWS
using the
Encryption
method

2. About Speaker
Liudmyla Dziubynska
CTO at Zenbit Tech
Expert in full-stack development and AWS
Proficient in modern technologies including ReactJS, NodeJS, GraphQL,
TypeScript
In-depth knowledge of cloud cost optimization techniques and strategies
Proven experience in cloud migration and deployment
Skilled in cloud security and data management
Familiar with cloud monitoring and analytics tools, such as Amazon CloudWatch
Knowledge of cloud resource management tools, such as AWS Auto Scaling or
Kubernetes
Experienced with cloud-based storage solutions, such as Amazon S3 or Google
Cloud Storage

3. Encryption on flight protect
against MITM (man in the
middle atack)
Encryption types
Encryption on flight (ssl)
1.
Data encrypted before
sending to server and
decrypted on server side
Ssl certificates help with
encryptions

4. Encryption and decryption key
should be managed somewhere
It stored in encrypted format thanks
to the key
Decrypted before send back to client
Encryption types
2. Server-side encryption on rest
Data is encrypted by received by server

5. Could leverage Envelope
encryption
Encryption types
3. Client-side encryption
Decrypted on the client side,
never decrypted by server-side

6. AWS KMS
It fully integrated with IAM for authorisation
You can audit KMS API calls with Cloud Trail
KMS manage encryption key for us
01 Symetryc(AES-256)
02
Asymmetric(RSA&ECC
keypairs)
KMS key types:

7. AWS managed key (free to
use) - aws/serwise-name,
example aws/rds
Customer manage key
(CMK) - 1$/m
CMS imported(should be
256 symmetric key) - 1$/m
3 types of KMS keys:

8. Default - created if you dont provide custom
policy, default give access to everyone in your
account to access the key
KMS Policies
If you will not provide right policy KMS key will not be accesseble
Custom - define users, roles who can have
accessto key, define who can administer the
key

9. EBS
gp2/gp3 (SSD): General purpose SSD volume
that balances price and performance for a
widevarietyofworkloads
iol / io2 (SSD): Highest-performance SSD
volume for mission-critical low-latency or
high-throughputworkloads
stl (HDD): Low cost HDD volume designed for
frequently accessed, throughput-intensive
workloads
scl (HDD): Lowest cost HDD volume designed
forlessfrequentlyaccessedworkloads
EBS Volumes come in 6 types

10. Data at rest is encrypted inside the volume
All the data in flight moving between the
instance and the volume is encrypted
All snapshots are encrypted
All volumes created from the snapshot
Encryption and decryption are handled
transparently
WhenyoucreateanencryptedEBSvolume,you
getthefollowing:
Create an EBS snapshot of the volume
Encrypt the EBS snapshot ( using copy)
Create new ebs volume from the snapshot ( the
volume will also be encrypted)
Attach the encrypted volume to the original
instance
StepstoencryptanunencryptedEBSvolume:
EBS Encryption

11. 01
Server-Side Encryption with Amazon S3-Managed
Keys (SSE-S3) - Encrypts S3 objects using keys
handled,managed,andownedbyAWS
03
02
04
S3 encryption
Client-SideEncryption
Server-Side Encryption with KMS Keys stored in AWS
KMS (SSE-KMS) - Leverage AWS Key Management
Service(AWSKMS)tomanageencryptionkeys
Server-Side Encryption with Customer-Provided
Keys (SSE-C) - When you want to manage your
ownencryptionkeys

12. Amazon S3 Encryption — SSE-S3
User
HTTP(S) + Header
*Encryptionusingkeyshandled,managed,andownedbyAWS
*Objectisencryptedserver-sidebyAWS
*EncryptiontypeisAES-256
*Mustsetheader"x-amz-server-side-encryption":"AES256"
Object
S3 Owner Key
Encryption
S3 Bucket
Amazon S3

13. Amazon S3 Encryption — SSE-KMS
HTTP(S) + Header
User
*EncryptionusingkeyshandledandmanagedbyAWSKMS(KeyManagementService)
*KMSadvantages:usercontrol+auditkeyusageusingCloudTrail
*Objectisencryptedserverside
*Mustsetheader"x-amz-server-side-encryption":"aws:kms"
Object
KMS Key
Encryption
S3 Bucket
AWS KMS
Amazon S3

14. If you use SSE-KMS, you may be impacted by the
KMS limits
When you download, it calls the Decrypt KMS API
Count towards the KMS quota per second (5500,
10000, 30000 req/s based on region)
SSE-KMS Limitation
When you upload, it calls the GenerateDataKey
KMS API

15. Amazon S3 Encryption — SSE-C
User
HTTPSONLY
*Server-SideEncryptionusingkeysfullymanagedbythecustomeroutsideofAWS
*AmazonS3doesNOTstoretheencryptionkeyyouprovide
*HTTPSmustbeused
*EncryptionkeymustprovidedinHTTPheaders,foreveryHTTPrequestmade
Object
Client-Provided Key
Encryption
S3 Bucket
Amazon S3
upload
+ Key in Header

16. Amazon S3 Encryption — Client-Side Encryption
*UseclientlibrariessuchasAmazonS3Client-SideEncryptionLibrary
*ClientsmustencryptdatathemselvesbeforesendingtoAmazonS3
*ClientsmustdecryptdatathemselveswhenretrievingfromAmazonS3
*Customerfullymanagesthekeysandencryptioncycle
Encryption
File
S3 Bucket
Amazon S3
Client Key
HTTP(S)
File
(Encrypted)
upload

17. When it comes to encryption in AWS, compliance
is a critical consideration.
The GDPR does not specify a particular type of
encryption that organizations must use. Instead,
the GDPR requires that organizations implement
appropriate technical and organizational
measures to ensure a level of security
appropriate to the risks presented by the
processing of personal data.
AWS offers a range of compliance certifications,
including SOC 2, SOC 3, ISO 27001, PCI DSS, HIPAA,
and many others.
Compliance considerations

18. Join our Cloud Solutions Hub LinkedIn Group!
Contact us
We will be glad to answer on any questions!
Liudmyla Dziubynska
CTO at Zenbit Tech
Scan the QR-Code to get Lyudmila's
contacts and link to our Cloud
Solutions Hub LinkedIn Group!