SlideShare a Scribd company logo

Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019

Amazon Web Services
Amazon Web Services

In this hands-on workshop, we use the AWS Cloud9 IDE to learn about data encryption services, such as AWS Key Management Service (KMS) and AWS Certificate Manager (ACM). We also explore various aspects of AWS KMS and AWS ACM private certificate authority.

1 of 29
Download to read offline
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Data encryption and certificate management concepts in AWS Ram Ramani Solutions Architect, Security Specialist AWS F N D 3 0 2
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda AWS console access (requires hash code) Workshop environment setup Presentation on encryption Hands-on Workshop 1: Server-side encryption Presentation on certificate management Hands-on Workshop 2: Private certificate authority (CA) Q&A
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Workshops Key workshop tools • Python 2.7 • Python boto3 library Key AWS services • AWS Key Management Service (AWS KMS) • AWS Certificate Manager (ACM) • AWS Cloud9 IDE Region: us-east-2 (Ohio)
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Workshop GitHub page: https://bit.ly/2HunMm7 Console login: https://bit.ly/2W93MwS
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud encryption requirements Access control to keys Minimized key management burden Ensured security of keys Ensured durability of keys API-driven encryption for automation
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Envelope encryption Two-tiered key hierarchy using envelope encryption • Unique data key encrypts customer data • AWS KMS master keys encrypt data keys Benefits • Limited risk of compromised data key • Better performance for encrypting large data • Easier to manage (small number of master keys vs. billions of data keys) • Centralized access and audit of key activity Customer master keys (CMKs) Data Key 1 Amazon S3 object Amazon EBS volume Amazon Redshift cluster Data Key 2 Data Key 3 Data Key 4 Custom application AWS KMS
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Master key generation and storage options in AWS Your applications AWS services Authentication authorization logging Your on- premises HSM BYOK Imported to AWS KMS Native AWS KMS Shared HSM AWS KMS custom key store Your AWS CloudHSM cluster
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Plaintext data Server-side encryption in Amazon S3 Amazon S3 service Encrypt process 1 Decrypt process Encrypted data in storage Amazon S3 service 5 Encrypted data key 6 Plaintext data Decrypt 8 Data key 7 Encrypted data key Data key 3 CMK AWS KMS Generate data key request 2 Encrypted data in storage Encrypt 4
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Server-side encryption: Instruct the AWS service to encrypt data after you’ve uploaded it Your applications in your data center Your encrypted data in AWS servicesAWS SDK Your application in Amazon EC2 Your encrypted data in AWS services AWS KMS AWS Cloud Corporate data center Data Data
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Your encrypted data in AWS services Your applications in your data center Your key management infrastructure in Amazon EC2 AWS encryption SDK Your key management infrastructure Your application in Amazon EC2 Your encrypted data in AWS services AWS KMS AWS CloudHSM AWS Cloud Data Data Client-side encryption: Encrypt data before you give it to an AWS service Corporate data center
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Server-side encryption: https://bit.ly/2HLvYf8 20 minutes
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Workshop recap Step 1 Create key with policy Create alias Step 2 Create bucket Upload file and verify encryption Download file and verify decryption Step 3 Clean up: delete key and delete alias
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Server-side encryption: https://bit.ly/2HLvYf8 Workshop quiz • Where in the Amazon S3 console do you see the encrypted status? • Can you view the actual encrypted content of the file? • Can you view the actual key material of the CMK? • To give someone access to the encrypted file, what policies need to be adjusted? • Can you access the data key associated with the file?
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What is a CA? subject = { 'Country': 'US', 'Organization': 'My Org', 'OrganizationalUnit': 'My Dept', 'State': 'New York', 'CommonName': '*.myorg.biz', 'SerialNumber':'0DADDBAE7F', 'Locality': 'New York' } Certificate Private and public keys
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Why use SSL/TLS private certificates? • Verifies that the intranet site is valid • Enforces encryption in transit • Provides full control over certificate hierarchy • Controls validation period of certificates
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Accessing a private website in your intranet VPC VPC Corporate Data center Website Website VPN AWS Direct Connect Users
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. The old way: How to generate and manage private certificates • Purchase and manage HSM • Build and maintain private CA • Implement certificate monitoring mechanism • Manually create certificates and signing requests using OpenSSL commands • Retrieve certificates from the CA • Install certificates • Maintain certificate expiration schedule • Renew certificates before they expire
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. ACM Private CA (ACM PCA) Managed private CA service that helps you easily and securely manage the lifecycle of your private certificates
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What can ACM PCA do for you? • Create a private CA with a few clicks • Issue private certificates with a few clicks • Secure the certificate keys in a FIPS-validated HSM • Deploy the certificate (as easy as making a selection from a pull-down menu) • Automatically renew certificates • Provide a centralized dashboard for certificate monitoring • Provide integrated auditing with AWS CloudTrail • Provide access control with AWS Identity and Access Management (IAM)
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. CA hierarchy in organizations Root CA Intermediate CA Issuing CA Certificates
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Certificate hierarchy for this workshop: pathlen = 0 Root CA Subordinate CA Self-signed CA Subordinate ACM PCA Production Workshop In production, a root CA should be managed by a dedicated security team
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Route 53 Application Load Balancer AWS Lambda AWS Cloud9 ACM Private CA https://alb.workshop.com 192.168.0.70 Invoke <html>…</html> Certificate Workshop: Using private certificates with a load balancer
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. 25 minutes Creating private certificates using ACM PCA: https://bit.ly/2LZOmGQ
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Certificate management: https://bit.ly/2LZOmGQ Workshop quiz • What is the CA hierarchy used for? • Can you use an intermediate CA to sign the ACM PCA? • What is the advantage of using your organization’s root or intermediate certificate to sign the ACM PCA?
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Workshop recap • Step 1: Configure infrastructure (security group, AWS Lambda, AWS Cloud9, Amazon EC2 host) • Step 2: Create a subordinate PCA using ACM • Step 3: Create a root CA • Step 4: Sign subordinate PCA using the root CA • Step 5: Import CA-signed certificate and certificate chain into ACM • Step 6: Issue certificate for the alb.workshop.com private DNS domain, and add the certificate to the application load balancer • Steps 7 and 8: Validate the https requests, and ensure that the certificate validation is successful • Step 9: Clean up
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you! © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Ram Ramani ramanira@amazon.com

Recommended

An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...
Amazon Web Services
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Amazon Web Services
 
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Amazon Web Services
 
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Amazon Web Services
 
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
Amazon Web Services
 
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Amazon Web Services
 
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
Amazon Web Services
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...
Amazon Web Services
 

Recommended

An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...
Amazon Web Services
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Amazon Web Services
 
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Amazon Web Services
 
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Amazon Web Services
 
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
Amazon Web Services
 
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Amazon Web Services
 
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
Amazon Web Services
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...
Amazon Web Services
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Amazon Web Services
 
A security-first approach to delivering end-user computing services - FND327 ...
A security-first approach to delivering end-user computing services - FND327 ...A security-first approach to delivering end-user computing services - FND327 ...
A security-first approach to delivering end-user computing services - FND327 ...
Amazon Web Services
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Amazon Web Services
 
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Amazon Web Services
 
New ways to automate compliance verification on AWS using provable security -...
New ways to automate compliance verification on AWS using provable security -...New ways to automate compliance verification on AWS using provable security -...
New ways to automate compliance verification on AWS using provable security -...
Amazon Web Services
 
Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...
Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...
Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...
Amazon Web Services
 
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019 DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
Amazon Web Services
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Amazon Web Services
 
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Amazon Web Services
 
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
Amazon Web Services
 
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019 Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Amazon Web Services
 
Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...
Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...
Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...
Amazon Web Services
 
Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...
Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...
Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...
Amazon Web Services
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Amazon Web Services
 
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Amazon Web Services
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...
Amazon Web Services
 
Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...
Amazon Web Services
 
Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...
Amazon Web Services
 
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Amazon Web Services
 
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Amazon Web Services
 
SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CA
Amazon Web Services
 
AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...
AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...
AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...
Amazon Web Services
 

More Related Content

What's hot

Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Amazon Web Services
 
A security-first approach to delivering end-user computing services - FND327 ...
A security-first approach to delivering end-user computing services - FND327 ...A security-first approach to delivering end-user computing services - FND327 ...
A security-first approach to delivering end-user computing services - FND327 ...
Amazon Web Services
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Amazon Web Services
 
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Amazon Web Services
 
New ways to automate compliance verification on AWS using provable security -...
New ways to automate compliance verification on AWS using provable security -...New ways to automate compliance verification on AWS using provable security -...
New ways to automate compliance verification on AWS using provable security -...
Amazon Web Services
 
Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...
Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...
Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...
Amazon Web Services
 
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019 DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
Amazon Web Services
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Amazon Web Services
 
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Amazon Web Services
 
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
Amazon Web Services
 
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019 Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Amazon Web Services
 
Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...
Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...
Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...
Amazon Web Services
 
Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...
Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...
Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...
Amazon Web Services
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Amazon Web Services
 
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Amazon Web Services
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...
Amazon Web Services
 
Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...
Amazon Web Services
 
Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...
Amazon Web Services
 
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Amazon Web Services
 
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Amazon Web Services
 

What's hot (20)

Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...
 
A security-first approach to delivering end-user computing services - FND327 ...
A security-first approach to delivering end-user computing services - FND327 ...A security-first approach to delivering end-user computing services - FND327 ...
A security-first approach to delivering end-user computing services - FND327 ...
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
 
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
 
New ways to automate compliance verification on AWS using provable security -...
New ways to automate compliance verification on AWS using provable security -...New ways to automate compliance verification on AWS using provable security -...
New ways to automate compliance verification on AWS using provable security -...
 
Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...
Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...
Privacy, ethics, and engineering in emerging technology - SEP204 - AWS re:Inf...
 
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019 DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
 
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
 
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
 
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019 Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
 
Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...
Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...
Using AWS WAF to protect against bots and scrapers - SDD311 - AWS re:Inforce ...
 
Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...
Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...
Serverless remediation in Financial Services: A custom tool - SEP311 - AWS re...
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
 
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...
 
Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...
 
Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...
 
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
 
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
 

Similar to Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019

SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CA
Amazon Web Services
 
AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...
AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...
AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...
Amazon Web Services
 
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Amazon Web Services
 
Pitt Immersion Day Module 5 - security overview
Pitt Immersion Day Module 5 - security overviewPitt Immersion Day Module 5 - security overview
Pitt Immersion Day Module 5 - security overview
EagleDream Technologies
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
Amazon Web Services
 
Certificate management concepts in AWS - SEC205 - New York AWS Summit
Certificate management concepts in AWS - SEC205 - New York AWS SummitCertificate management concepts in AWS - SEC205 - New York AWS Summit
Certificate management concepts in AWS - SEC205 - New York AWS Summit
Amazon Web Services
 
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Amazon Web Services
 
AWS
AWSAWS
AWS
Rajendra Kundapur
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDay
Amazon Web Services
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
Amazon Web Services LATAM
 
How AI is disrupting the world
How AI is disrupting the world How AI is disrupting the world
How AI is disrupting the world
Amazon Web Services
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
Amazon Web Services
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Amazon Web Services
 
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
Amazon Web Services
 
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfSecuring Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfAmazon Web Services
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS Germany
 
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Amazon Web Services
 
AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...
Amazon Web Services
 
PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:...
PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:...PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:...
PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:...
Amazon Web Services
 
CI CD using AWS Developer Tools @ AWS Community Day Chennai 2019
CI CD using AWS Developer Tools @ AWS Community Day Chennai 2019CI CD using AWS Developer Tools @ AWS Community Day Chennai 2019
CI CD using AWS Developer Tools @ AWS Community Day Chennai 2019
Bhuvaneswari Subramani
 

Similar to Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019 (20)

SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CA
 
AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...
AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...
AWS Certificate Management and Private Certificate Authority Deep Dive (SEC41...
 
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
Introducing AWS Certificate Manager Private Certificate Authority (CA) - AWS ...
 
Pitt Immersion Day Module 5 - security overview
Pitt Immersion Day Module 5 - security overviewPitt Immersion Day Module 5 - security overview
Pitt Immersion Day Module 5 - security overview
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Certificate management concepts in AWS - SEC205 - New York AWS Summit
Certificate management concepts in AWS - SEC205 - New York AWS SummitCertificate management concepts in AWS - SEC205 - New York AWS Summit
Certificate management concepts in AWS - SEC205 - New York AWS Summit
 
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
 
AWS
AWSAWS
AWS
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDay
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
 
How AI is disrupting the world
How AI is disrupting the world How AI is disrupting the world
How AI is disrupting the world
 
Securing Your Customers Data From Day One
Securing Your Customers Data From Day OneSecuring Your Customers Data From Day One
Securing Your Customers Data From Day One
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
 
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOneAWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
AWS18_StartupDayToronto_SecuringYourCustomersDataFromDayOne
 
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdfSecuring Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
Securing Customer Data from Day 1 - AWS Startup Day Boston 2018.pdf
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day OneAWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
 
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
 
AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...
 
PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:...
PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:...PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:...
PrivateLink for Partners: Connectivity, Scale, Security (GPSTEC306) - AWS re:...
 
CI CD using AWS Developer Tools @ AWS Community Day Chennai 2019
CI CD using AWS Developer Tools @ AWS Community Day Chennai 2019CI CD using AWS Developer Tools @ AWS Community Day Chennai 2019
CI CD using AWS Developer Tools @ AWS Community Day Chennai 2019
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019

  • 1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Data encryption and certificate management concepts in AWS Ram Ramani Solutions Architect, Security Specialist AWS F N D 3 0 2
  • 2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda AWS console access (requires hash code) Workshop environment setup Presentation on encryption Hands-on Workshop 1: Server-side encryption Presentation on certificate management Hands-on Workshop 2: Private certificate authority (CA) Q&A
  • 3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Workshops Key workshop tools • Python 2.7 • Python boto3 library Key AWS services • AWS Key Management Service (AWS KMS) • AWS Certificate Manager (ACM) • AWS Cloud9 IDE Region: us-east-2 (Ohio)
  • 4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Workshop GitHub page: https://bit.ly/2HunMm7 Console login: https://bit.ly/2W93MwS
  • 5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud encryption requirements Access control to keys Minimized key management burden Ensured security of keys Ensured durability of keys API-driven encryption for automation
  • 7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Envelope encryption Two-tiered key hierarchy using envelope encryption • Unique data key encrypts customer data • AWS KMS master keys encrypt data keys Benefits • Limited risk of compromised data key • Better performance for encrypting large data • Easier to manage (small number of master keys vs. billions of data keys) • Centralized access and audit of key activity Customer master keys (CMKs) Data Key 1 Amazon S3 object Amazon EBS volume Amazon Redshift cluster Data Key 2 Data Key 3 Data Key 4 Custom application AWS KMS
  • 8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Master key generation and storage options in AWS Your applications AWS services Authentication authorization logging Your on- premises HSM BYOK Imported to AWS KMS Native AWS KMS Shared HSM AWS KMS custom key store Your AWS CloudHSM cluster
  • 9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Plaintext data Server-side encryption in Amazon S3 Amazon S3 service Encrypt process 1 Decrypt process Encrypted data in storage Amazon S3 service 5 Encrypted data key 6 Plaintext data Decrypt 8 Data key 7 Encrypted data key Data key 3 CMK AWS KMS Generate data key request 2 Encrypted data in storage Encrypt 4
  • 10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Server-side encryption: Instruct the AWS service to encrypt data after you’ve uploaded it Your applications in your data center Your encrypted data in AWS servicesAWS SDK Your application in Amazon EC2 Your encrypted data in AWS services AWS KMS AWS Cloud Corporate data center Data Data
  • 11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Your encrypted data in AWS services Your applications in your data center Your key management infrastructure in Amazon EC2 AWS encryption SDK Your key management infrastructure Your application in Amazon EC2 Your encrypted data in AWS services AWS KMS AWS CloudHSM AWS Cloud Data Data Client-side encryption: Encrypt data before you give it to an AWS service Corporate data center
  • 12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Server-side encryption: https://bit.ly/2HLvYf8 20 minutes
  • 13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Workshop recap Step 1 Create key with policy Create alias Step 2 Create bucket Upload file and verify encryption Download file and verify decryption Step 3 Clean up: delete key and delete alias
  • 14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Server-side encryption: https://bit.ly/2HLvYf8 Workshop quiz • Where in the Amazon S3 console do you see the encrypted status? • Can you view the actual encrypted content of the file? • Can you view the actual key material of the CMK? • To give someone access to the encrypted file, what policies need to be adjusted? • Can you access the data key associated with the file?
  • 15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What is a CA? subject = { 'Country': 'US', 'Organization': 'My Org', 'OrganizationalUnit': 'My Dept', 'State': 'New York', 'CommonName': '*.myorg.biz', 'SerialNumber':'0DADDBAE7F', 'Locality': 'New York' } Certificate Private and public keys
  • 17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Why use SSL/TLS private certificates? • Verifies that the intranet site is valid • Enforces encryption in transit • Provides full control over certificate hierarchy • Controls validation period of certificates
  • 18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Accessing a private website in your intranet VPC VPC Corporate Data center Website Website VPN AWS Direct Connect Users
  • 19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. The old way: How to generate and manage private certificates • Purchase and manage HSM • Build and maintain private CA • Implement certificate monitoring mechanism • Manually create certificates and signing requests using OpenSSL commands • Retrieve certificates from the CA • Install certificates • Maintain certificate expiration schedule • Renew certificates before they expire
  • 20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. ACM Private CA (ACM PCA) Managed private CA service that helps you easily and securely manage the lifecycle of your private certificates
  • 21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What can ACM PCA do for you? • Create a private CA with a few clicks • Issue private certificates with a few clicks • Secure the certificate keys in a FIPS-validated HSM • Deploy the certificate (as easy as making a selection from a pull-down menu) • Automatically renew certificates • Provide a centralized dashboard for certificate monitoring • Provide integrated auditing with AWS CloudTrail • Provide access control with AWS Identity and Access Management (IAM)
  • 22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. CA hierarchy in organizations Root CA Intermediate CA Issuing CA Certificates
  • 23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Certificate hierarchy for this workshop: pathlen = 0 Root CA Subordinate CA Self-signed CA Subordinate ACM PCA Production Workshop In production, a root CA should be managed by a dedicated security team
  • 24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Route 53 Application Load Balancer AWS Lambda AWS Cloud9 ACM Private CA https://alb.workshop.com 192.168.0.70 Invoke <html>…</html> Certificate Workshop: Using private certificates with a load balancer
  • 25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. 25 minutes Creating private certificates using ACM PCA: https://bit.ly/2LZOmGQ
  • 26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Certificate management: https://bit.ly/2LZOmGQ Workshop quiz • What is the CA hierarchy used for? • Can you use an intermediate CA to sign the ACM PCA? • What is the advantage of using your organization’s root or intermediate certificate to sign the ACM PCA?
  • 27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Workshop recap • Step 1: Configure infrastructure (security group, AWS Lambda, AWS Cloud9, Amazon EC2 host) • Step 2: Create a subordinate PCA using ACM • Step 3: Create a root CA • Step 4: Sign subordinate PCA using the root CA • Step 5: Import CA-signed certificate and certificate chain into ACM • Step 6: Issue certificate for the alb.workshop.com private DNS domain, and add the certificate to the application load balancer • Steps 7 and 8: Validate the https requests, and ensure that the certificate validation is successful • Step 9: Clean up
  • 28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 29. Thank you! © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Ram Ramani ramanira@amazon.com