AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and manage the encryption keys used to encrypt your data. In this session, we will dive deep into best practices learned by implementing AWS KMS at AWS’ largest enterprise clients. We will review the different capabilities described in the AWS Cloud Adoption Framework (CAF) Security Perspective and how to implement these recommendations using AWS KMS. In addition to sharing recommendations, we will also provide examples that will help you protect sensitive information on the AWS Cloud.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Best Practices for Implementing Your Encryption
Strategy Using AWS Key Management Service
Matt Bretan – Principal Security Consultant
S I D 3 3 0
AWS re:Invent
N o v e m b e r 2 9 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Cloud Adoption Framework
5 Core Security Capabilities
Infrastructure Security
Identity and Access Management
Detective Controls
Data Protection
Incident Response

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The AnyCompany

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AnyCompany Bank

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AnyCompany Stakeholders
Sally
Software
Developer
Paul
IT Security
Engineer
Vatsan
Compliance
Officer

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AnyCompany Bank App

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AnyCompany Current Requirements
Protect data at rest and in motion
Select a secure key management infrastructure
Ensure least privilege access to PII
Log all action to a central repository
Automate the identification and response to high risk events

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Infrastructure Controls

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS KMS Controls
•Sensitive cryptographic materials are only
stored in volatile memory
•TLS Perfect Forward Secrecy on all KMS APIs
•No tooling available to access a clear text copy
of a Customer Master Key (CMK)

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CMK Types
AWS-managed CMK Customer-managed CMK
Creation AWS generated on customer’s behalf Customer generated
Rotation Once every three years automatically
Once a year automatically through opt-in or
on-demand manually
Deletion Can’t be deleted Can be deleted
Scope of use Limited to a specific AWS service Controlled via KMS/IAM policy

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Account Strategy
Security Account
111111111111
Analytics Account
333333333333
Application Account
222222222222
Bank App CMK Analytics CMK

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Key Creation & Management
DO:
• Segment keys based upon business unit, data
classification, environment, etc.
• Create keys within the account where the data
exists if possible
• Rotate keys

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Identity and Access Management

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Key Policies
• IAM policies are NOT sufficient to allow access to a CMK
• Edit the default CMK policy to align with your
organization’s best practices for least privilege!

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CMK — Least Privilege
• Separate keys per business unit and data classification
• Separate CMK admins from users
• Limit KMS actions within IAM policies (No kms:*)
• Cross Account Delegation
• Account Root Principal  allows target account to
further delegate permissions
• Explicit management of principals within key policy

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CMK Policy
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222222222222:root”
},
"Action": "kms:*",
"Resource": "*"
}

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CMK Policy
{
"Sid": ”CMKAdmin Breakglass Role",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222222222222:role/CMKAdmin”
},
"Action": "kms:*",
"Resource": "*"
}

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CMK Policy
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222222222222:role/CMKAdmin-Bank-App"
},
"Action": [
"kms:Create*",
"kms:Describe*",
…
"kms:Enable*",
],
"Resource": "*"
},

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ViaService and Grants
• Grants:
• Delegate a subset of permissions to AWS services/other
principals so that they can use the CMK on the customer’s
behalf
• ViaService:
• Scope down API calls to a CMK based on the AWS Service
from which it is called

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{
"Sid": "Allow use of CMK via RDS",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222222222222:role/MortgageApp”,
},
"Action" : [ "kms:ListGrants", "kms:Decrypt", "kms:CreateGrant", "kms:GenerateDataKey*",
"kms:ReEncrypt*", "kms:DescribeKey", "kms:Encrypt" ],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"kms:CallerAccount" : ”222222222222",
"kms:ViaService" : "rds.us-west-1.amazonaws.com"
}
}
},

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Detective Controls

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail
Security Account
111111111111
Analytics Account
333333333333
Application Account
222222222222
AWS
CloudTrail
AWS
CloudTrail
AWS
CloudTrail

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon S3 Bucket Policy — Old Method
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Deny",
"Principal":"*",
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::YourBucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-server-side-encryption":"aws:kms”
}
}
} ]
}

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon S3 Bucket Policy — Improved Method

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Detailed Inventory Reporting

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Data Protection

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Application Design
Amazon
RDS

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Application Design
Amazon
RDS

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Application Design
Amazon
RDS
Amazon S3

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Application Design
Amazon
RDS
Encrypted
RDS
Snapshots
AWS
Encryption
SDK
Data Lake

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Encryption Context
Key-value pair of additional data that you want associated with
AWS KMS-protected information
• Enforce tighter controls for your encrypted resources
• Insight into the usage of your keys from an audit perspective
Encryption Context is logged in clear text within CloudTrail

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Application Design
Analytics Account
333333333333
Application Account
222222222222
Amazon S3
Amazon S3

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Incident Response

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon CloudWatch Rules

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon CloudWatch Rules

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AnyCompany Current Requirements
Protect data at rest and in motion
Select a hardened key management infrastructure
Ensure least privilege access to PII
Log all action to a central repository
Automate the identification and response to high risk events

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS KMS Cryptographic Details Whitepaper
https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS KMS Best Practices Whitepapers
https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf

41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS KMS Compliance Reports
https://aws.amazon.com/kms/details/#compliance

42. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Other re:Invent Sessions of Interest
SID329: A Deep Dive into AWS Encryption Services
SID339: Deep Dive on AWS CloudHSM
SID345: AWS Encryption SDK: The Busy Engineer’s Guide
to Client-Side Encryption

43. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
PLEASE FILL OUT THE SURVEY!

44. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!