Introduction of AWS KMS
•Download as PPTX, PDF•
1 like•1,921 views
This document discusses encryption options when using AWS, focusing on the AWS Key Management Service (KMS). KMS allows users to simplify the creation, control, rotation and use of encryption keys in AWS services like S3, EBS, RDS, Redshift and others. It addresses key storage, access and usage considerations. KMS uses symmetric AES-256 encryption for data keys and allows granular IAM control over who can create, enable/disable, use and audit keys. The presentation demonstrates how to create and use customer master keys in KMS and integrate encryption with S3 and EBS volumes.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (19)
Similar to Introduction of AWS KMS
Similar to Introduction of AWS KMS (20)
Recently uploaded
Recently uploaded (20)
Introduction of AWS KMS
- 1. ENCRYPTION WITH AWS KMS Key Management Service
- 2. # whoami DevOps Engineer | Brazilian Enjoys security and cloud automation 2015 was a big year au.linkedin.com/in/ricardoxmit
- 3. What to expect today? • Understand options for protecting your data • Understand how KMS works • Services that KMS is integrated with • S3 and KMS • EBS and KMS • Demo
- 4. What’s the main problem?
- 5. Options for encryption 1. Do it yourself 2. AWS Marketplace -> partner solutions 3. Use AWS KMS 4. HSM - Hardware Security Module
- 6. If you don't use a service to manage your keys… • Keys that live in config files are exposed - Application vulnerabilities, OS vulnerabilities, staff turnover • It’s hard to track how the keys are being used • Rotating keys can be painful
- 7. AWS Key Management Service (KMS) • Managed service that simplifies creation, control, rotation, and use of encryption keys in your applications • Integrated with AWS server-side encryption • S3, EBS, RDS, Amazon Aurora, Amazon Redshift, WorkMail, Amazon WorkSpaces, CloudTrail, and Amazon Elastic Transcoder
- 8. "Keys" considerations with any solution • Where are the keys stored? • Where are keys used? • Who has access to the keys? • How can you make sure keys are being used for the correct people/applications?
- 9. Type of keys • Symmetric key -> same key to encrypt and decrypt. • Asymmetric key -> public / private key concept. KMS uses Symmetric Encryption -> 256-bit AES for master key
- 10. Options to encrypt you data using KMS 1. Client-side encryption - you encrypt your data BEFORE data submitted to service. 2. Server-side encryption - AWS encrypts data on your behalf AFTER data is received by service.
- 11. AWS KMS gives you control You define who can: • create key • use a key • enable/disable keys • audit use of keys using cloudtrail
- 12. How do I use KMS? Create Keys in KMS • Give a name and description to the key • Choose the IAM users and roles that can administer this key • Choose the IAM users and roles that can use this key to encrypt and decrypt data • A new policy will be created
- 13. KMS with EBS
- 14. KMS with S3
- 15. Considerations about KMS • Keys are regionals. Re-encrypt your data with you move date between regions. • Direct encryption is limited to 4k of data to optimize latency. • Use envelope encryption with data keys for larger messages.
- 16. DEMO
Editor's Notes
- Introduction of KMS
- 15+ years working in IT. 2015 -> spend a month taking cyber security courses + took 2 aws exams
- This is a 20 minutes talk + demo. You will understand how the services works but you must read all the documentation.
- - I have data that I want to encrypt. - To do that, I generate a key. In this case, a Symmetric key and encrypt the data. You can store the encryption data anywhere as you can only decrypt it using the key. What we want to show is the key management is not that easy.
- I have seen people storing the keys in S3, GIT repositories. It is hard to protect it and keep track of what happened
- Hardware you own or hardware the cloud owns? client side or server side?
- Demo is about option 2 1. BEFORE: Encryption is implemented in your code and you can use your keys from your aws account. 2. AFTER: aws encrypts data on your behalf AFTER data is received by service. encryption is handled automatically.
- S3 will decrypt the object for anyone with permission to access this object. S3 will decrypt the object for anyone with permission to access this object and permission to use the master key. Amazon S3 requests a plaintext data key and a copy of the key encrypted by using the specified customer-managed master key or the AWS-managed master key. AWS KMS creates a data key, encrypts it by using the master key, and sends both the plaintext data key and the encrypted data key to Amazon S3. Amazon S3 encrypts the data using the data key and removes the plaintext key from memory as soon as possible after use. Amazon S3 stores the encrypted data key as metadata with the encrypted data.
- When you upload an object to a bucket you have 2 options: S3 will decrypt the object for anyone with permission to access this object. S3 will decrypt the object for anyone with permission to access this object and permission to use the master key.