Sensitive customer data needs to be protected throughout AWS. This session discusses the options available for encrypting data at rest in AWS. It focuses on several scenarios, including transparent AWS management of encryption keys on behalf of the customer to provide automated server-side encryption and customer key management using partner solutions or AWS CloudHSM. This session is helpful for anyone interested in protecting data stored in AWS.

1. November 12, 2014 Las Vegas, NV
Ken Beer, AWS Identity and Access Management
Todd Cignetti, AWS Security

4. Plaintext
Data
Hardware/
Software
Encrypted
Data
Encrypted
Data in Storage
Encrypted
Data Key
Symmetric
Data Key
Master KeySymmetric
Data Key
? Key Hierarchy
?

6. Your encryption
client application
Your key management
infrastructure
Your
applications
in your data
center
Your application in
Amazon EC2
Your key
management
infrastructure in EC2
Your Encrypted Data in AWS Services
…

7. Your key management
infrastructure
Your
applications
in your data
center
Your key
management
infrastructure in EC2
Your Encrypted Data in Amazon S3
Your application in
Amazon EC2
AWS SDK with
S3 Encryption Client

8. Plaintext
Data
Encrypted
Data
Customer
Provided KeyAmazon S3 Web
Server
HTTPS
Customer
Data
Amazon S3
Storage Fleet
• Key is used at Amazon S3 webserver, then deleted
• Customer must provide same key when downloading to
allow Amazon S3 to decrypt data
Customer
Provided Key

12. Your encryption
client application
Your
applications
in your data
center
Your application in
Amazon EC2
Your Encrypted Data in AWS Services
…
Partner KMI
Partner KMI

19. • Two-tiered key hierarchy using envelope
encryption
• Unique data key encrypt customer data
• AWS KMS master keys encrypt data keys
• Benefits of envelope encryption:
• Limits risk of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master
keys than millions of data keys
Customer Master
Key(s)
Data Key 1
Amazon
S3 Object
Amazon
EBS
Volume
Amazon
Redshift
Cluster
Data Key 2 Data Key 3 Data Key 4
Custom
Application
AWS KMS

20. AWS Key Management Service
ReferenceArchitecture
Application or
AWS Service
+
Data Key Encrypted Data Key
Encrypted
Data
Master Key(s) in
Customer’s Account
AWS
Key Management Service
1. Application or AWS service client requests an encryption key to use to encrypt data, and passes a
reference to a master key under the account.
2. Client request is authenticated based on whether they have access to use the master key.
3. A new data encryption key is created and a copy of it is encrypted under the master key.
4. Both data key and encrypted data key are returned to the client. Data key is used to encrypt
customer data and then deleted as soon as is practical.
5. Encrypted data key is stored for later use and sent back to AWS KMS when the source data
needs to be decrypted.

21. AWS Key Management Service
Providing security for your keys

22. Todd Cignetti, AWS Security

23. HSM

24. dedicated access
• Only you have access to your keys and
operations on the keys
AWS
CloudHSM
AWS Administrator –
manages the appliance
You – control keys and
crypto operations
Amazon Virtual Private Cloud

26. SafeNet ProtectV Manager
and Virtual KeySecure
in Amazon EC2
SafeNet
ProtectV
Client
AWS
CloudHSM
Your encrypted data
in Amazon EBS
Your applications
in Amazon EC2
ProtectV Client
• Encrypts I/O from
Amazon EC2
instances to Amazon
EBS volumes
• Includes pre-boot
authentication

27. Your
applications
in Amazon
EC2
Amazon Redshift
Cluster
Your encrypted data
in Amazon Redshift
AWS CloudHSM

28. AWS
CloudHSM
Your database
with TDE in
Amazon EC2
Master key is created in
the HSM and never
leaves
Your applications
in Amazon EC2

32. DIY
AWS Marketplace
Partner Solution
AWS CloudHSM
AWS Key
Management
Service
Where are keys
generated and
stored
Your network or in
AWS
Your network or in
AWS
In AWS, on an
HSM that you
control
AWS
Where keys are
used
Your network or
your EC2 instance
Your network or
your EC2 instance
AWS or your
applications
AWS services or
your applications
How to control key
use
Config files,
Vendor-specific
management
Vendor-specific
management
Customer code +
Safenet APIs
Policy you define;
enforced in AWS
Responsibility for
Performance/Scale
You You You AWS
Integration with
AWS services?
Limited Limited Limited Yes
Pricing model Variable Per hour/per year Per hour Per key/usage

33. https://aws.amazon.com/kms
– https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
https://aws.amazon.com/cloudhsm/
https://aws.amazon.com/whitepapers/
http://aws.amazon.com/articles/2850096021478074
http://www.aws-partner-directory.com/
http://blogs.aws.amazon.com/security

34. http://bit.ly/awsevals