(SEC301) Strategies for Protecting Data Using Encryption in AWS

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ken Beer
Principal Product Manager, AWS Cryptography Services
October 2015
SEC301
Strategies for Protecting Data
Using Encryption in AWS

What to expect from this session
• Understand your options for protecting your data with encryption
in AWS
• Understand how AWS Key Management Service (KMS) can
simplify encryption
• Understand alternatives such as AWS CloudHSM and partner
solutions
• Hear from Adobe Systems about their use of KMS

Plaintext
data
Hardware/
software
Encrypted
data
Encrypted
data in storage
Encrypted
data key
Symmetric
data key
Master keySymmetric
data key
? Key hierarchy
?
Encryption primer

Where are keys stored?
• Hardware you own?
• Hardware the cloud provider owns?
Where are keys used?
• Client software you control?
• Server software the cloud provider controls?
Who can use the keys?
• Users and applications that have permissions?
• Cloud provider applications you give permissions?
What assurances are there for proper security around keys?
“Key” questions to consider with any solution

Client-side encryption
• You encrypt your data before data submitted to service
• You supply encryption keys OR use keys in your AWS account
• Available clients:
• Amazon S3, Amazon EMR File System (EMRFS), Amazon DynamoDB
Server-side encryption
• AWS encrypts data on your behalf after data is received by service
• Integrated services:
• S3, Amazon EBS, Amazon RDS, Amazon Redshift, Amazon WorkMail/WorkSpaces, AWS
CloudTrail, Amazon Simple Email Service, Amazon Elastic Transcoder, AWS Import/Export
Snowball, Amazon Kinesis Firehose
Options for using encryption in AWS

Your
applications
in your data
center
Your key
management
infrastructure in EC2
Your encryption
client application
Your key management
infrastructure Your application
in EC2
Your encrypted data in select AWS services
Client-side encryption in AWS
S3/EMRFS and DynamoDB encryption clients in AWS SDKs

Amazon S3 Web
Server
HTTPS
Customer
Data
Amazon S3
Storage Fleet
Key is used at S3 web server, and then deleted.
Customer must provide same key when
downloading to allow S3 to decrypt data.
Customer-
provided key
Server-side encryption in AWS
S3 server-side encryption with customer-provided encryption keys (SSE-C)
Plaintext
Data
Encrypted
Data
Customer-
provided key

Server-side encryption in AWS
S3 (SSE-KMS)

AWS Key Management Service (KMS)
• Managed service that simplifies creation, control, rotation, and use
of encryption keys in your applications
• Integrated with AWS server-side encryption
• S3, EBS, RDS, Amazon Aurora, Amazon Redshift, WorkMail,
Amazon WorkSpaces, CloudTrail, and Amazon Elastic Transcoder
• Integrated with AWS client-side encryption
• AWS SDKs, S3 encryption client, EMRFS client, and DynamoDB
encryption client
• Integrated with CloudTrail to provide auditable logs of key usage for
regulatory and compliance activities
• Available in all commercial regions except China

AWS KMS
Integrated with AWS Identity and Access Management (IAM) console

How clients and AWS services typically integrate with KMS
Two-tiered key hierarchy using envelope
encryption
• Unique data key encrypts customer data
• KMS master keys encrypt data keys
Benefits
• Limits risk of compromised data key
• Better performance for encrypting large
data
• Easier to manage small number of
master keys than millions of data keys
• Centralized access and audit of key
activity
Customer master
keys
Data key 1
S3 object EBS
volume
Amazon
Redshift
cluster
Data key 2 Data key 3 Data key 4
Custom
application
KMS

Your application or
AWS service
+
Data key Encrypted data key
Encrypted
data
Master keys in
customer’s account
KMS
How AWS services use your KMS keys
1. Client calls kms:GenerateDataKey by passing the ID of the KMS master key in your
account.
2. Client request is authenticated based on permissions set on both the user and the key.
3. A unique data encryption key is created and encrypted under the KMS master key.
4. The plaintext and encrypted data key is returned to the client.
5. The plaintext data key is used to encrypt data and is then deleted when practical.
6. The encrypted data key is stored; it’s sent back to KMS when needed for data decryption.

create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id
<value>] --availability-zone <value> [--volume-type <value>] [--iops <value>]
[--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>]
[--generate-cli-skeleton]
Console
AWS CLI/SDK
Interfaces to select KMS keys in AWS services

You control how and when your KMS keys can
be used and by whom
Sample permissions on a key:
• Can only be used for encryption and decryption by <these users and
roles> in <this account>
• Can only be used by application A to encrypt data, but only used by
application B to decrypt data
• Can only be used to decrypt data if the service resource is active and
additional parameters about the resource are passed in the call
• Can be managed only by this set of administrator users or roles
Fully integrated with AWS Identity and Access Management

Rotating keys in KMS
What key rotation means:
• A new version of a master key is created, but mapped to the same
key ID or alias
• All new encryption requests use the new version
• All previous versions of keys are kept to perform decryption on
older ciphertexts
There is nothing users/applications need to do after a rotation –
the same keyID or alias just works
AWS CLI
enable-key-rotation --key-id <value>
Console (Key Summary Page)

Auditability of KMS key usage through
AWS CloudTrail
"EventName":"DecryptResult", This KMS API was called…
"EventTiime":"2014-08-18T18:13:07Z", ….at this time
"RequestParameters":
"{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex”}”, …in reference to this key
“EncryptionContext":"volumeid-12345", …to protect this AWS resource
"SourceIPAddress":"42.23.141.114 ", …from this IP address
"UserIdentity":
“{"arn":"arn:aws:iam::957737256530:user/User123“} …by this AWS user in this account

KMS APIs to build your own applications
Example management APIs
• CreateKey, CreateAlias
• DisableKey
• EnableKeyRotation
• PutKeyPolicy
• ListKeys, DescribeKey
Example data APIs
• Encrypt
• Decrypt
• ReEncrypt
• GenerateDataKey
26 APIs and growing
http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html

KMS assurances
Why should you trust AWS with your keys?
• There are no tools in place to access your physical key material.
• Your plaintext keys are never stored in nonvolatile memory.
• You control who has permissions to use your keys.
• Separation of duties between systems that use master keys and
ones that use data keys.
• Multiparty controls for all maintenance of KMS systems that use
your master keys.
• Third-party evidence of these controls:
• Service Organization Control (SOC 1)
• PCI-DSS
• See AWS Compliance packages for details

Pricing for KMS
$1/key version/month
$0.03 per 10,000 API requests
• 20,000 free requests per month

Alternatives to KMS
In order to have different controls over the security of your keys
1. AWS CloudHSM
2. AWS Partner Solutions
3. Do it yourself

AWS CloudHSM
• You receive dedicated access to HSM
appliances
• HSMs located in AWS data centers
• Managed and monitored by AWS
• Only you have access to your keys and
operations on the keys
• HSMs are inside your Amazon VPC –
isolated from the rest of the network
• Uses SafeNet Luna SA HSM appliances
CloudHSM
AWS administrator –
Manages the appliance
You – Control keys and
crypto operations
Amazon Virtual Private Cloud

AWS CloudHSM
Available in seven regions worldwide
• US East (N. Virginia), US West (Oregon), EU (Ireland), EU (Frankfurt)
and Asia Pacific (Sydney, Tokyo, Singapore)
Compliance
• Included in AWS PCI DSS and SOC-1 compliance packages
• FIPS 140-2 level 2 (maintained by Gemalto/SafeNet)
Typical use cases
• Use with Redshift, RDS for Oracle
• Integrate with third-party software (Oracle, SQL Server, Apache,
SafeNet)
• Build your own custom applications

SafeNet ProtectV manager
and Virtual KeySecure
in EC2
EBS volume encryption with CloudHSM and
SafeNet Software
SafeNet ProtectV with Virtual KeySecure
CloudHSM stores the master key
SafeNet
ProtectV
client
CloudHSM
Your encrypted data
in EBS
Your applications
in EC2
ProtectV client
• Encrypts I/O from
EC2 instances to EBS
volumes
• Includes preboot
authentication

Pricing for CloudHSM
HSM provisioned in any region has a $5,000 one-time charge
Starting at $1.88/hour metered charge after setup
• Hourly rate varies by region
As low as $21,500 in year one; $16,500 in subsequent years
Requests not billed; limited only by the device capacity
• Varies depending on algorithm and key size

Comparing CloudHSM with KMS
CloudHSM
• Dedicated access to one or more HSM
devices that complies with government
standards (e.g., FIPS 140-2, Common
Criteria)
• You control all access to your keys and
the application software that uses them
• Supported applications:
• Your custom software
• Third-party software
• AWS services: Redshift, RDS for Oracle
KMS
• Highly available and durable key storage,
management, and auditable service
• Easily encrypt your data across AWS
services and within your own applications
based on policies you define
• Supported applications:
• Your custom software built with AWS SDKs/CLI
• AWS services (S3, EBS, RDS, Aurora, Redshift,
WorkMail, WorkSpaces, CloudTrail, Elastic
Transcoder)

Partner solutions in AWS Marketplace
• Browse, test, and buy encryption and key management solutions
• Pay-by-the-hour, monthly, or annual
• Software fees added to AWS bill
• Bring Your Own License

Your encryption
client application
Your key management
infrastructure
Your
applications
in your data
center
Your application
in EC2
Your key
management
infrastructure in EC2
Your encrypted data in AWS services
…
DIY key management in AWS
Encrypt data client-side and send ciphertext to AWS storage services

KMS AWS CloudHSM
AWS Marketplace
Partner Solutions
DIY
Where keys are
generated and stored
AWS In AWS, on an HSM
that you control
Your network or in
AWS
Your network or in
AWS
Where keys are used AWS services or your
applications
AWS or your
applications
Your network or your
EC2 instance
EC2 instance
How to control key use Policy you define;
enforced by AWS
Customer code +
SafeNet APIs
Vendor-specific
management
Config files, vendor-
specific management
Responsibility for
performance/scale
AWS You You You
Integration with AWS
services?
Yes Limited Limited Limited
Pricing model Per key/usage Per hour Per hour/per year Variable
Comparison of key management options

KMS CloudHSM
AWS Marketplace
Partner Solutions
DIY
Where keys are
that you control
Your network or in
AWS
Your network or in
AWS
applications
AWS or your
applications
EC2 instance
EC2 instance
enforced by AWS
Customer code +
SafeNet APIs
Vendor-specific
management
specific management
Responsibility for
performance/scale
AWS You You You
services?

Customer success story
Frank Wiebe – Principal Scientist, Adobe Systems

Adobe use case
• Mobile app built using the CreativeSDK makes API
requests to purchase billable content
• Mobile application generates an HMAC signature
using a secret associated with app’s API key
• The HMAC signature is used to validate the
identity of the mobile app that will be connecting
• This approach is used to securely identify the
mobile app to avoid fraudulent charges against a
customer’s account
Adobe
KMS
AWS KMS

Adobe use case (cont’d)
• API Gateway needed the capability to retrieve and securely store the secret
associated with the API key in a cache.
• We wanted to minimize the time plaintext sensitive data remained in cache and
avoid storing the sensitive data on disk.
• Using the combination of AWS KMS and Amazon ElastiCache for Redis met
our requirements.
• This approach was used to securely store the API key’s secret used to
validate the digital signature of an API request processed by the adobe.io
API Gateway.

Adobe requirements
• Symmetric encryption
• We needed a secure method for sharing a secret that could be used by both the
mobile app and the API Gateway to validate an HMAC signature.
• High availability and durability with low management overhead and cost
• As a DevOps focused on API management, we did not have the time or the staff
to build and deploy our own key management solution that would meet with the
approval of Adobe Security.
• Audit trail of and strong controls to manage use of encryption keys
• We needed to control which EC2 instances could access keys.
• Log the storage and retrieval of keys.
• Fast deployment
• Following the acquisition of Aviary by Adobe, we had less than 2 months to
design, build, and deploy an approved solution to support the integration of the
Aviary APIs within the CreativeSDK.

How AWS KMS meets Adobe requirements
• Symmetric encryption
• 256-bit AES-GCM for KMS master key
• High availability and durability
• Consistent with our experience of AWS as a whole
• Audit trail of and strong controls to manage use of encryption keys
• Integration with IAM policies
• Ability to separate permission to encrypt from permission to decrypt using IAM roles for EC2
to acquire temporary security credentials to access KMS for 24 hours
• CloudTrail shows us all use of KMS master keys
• Fast deployment
• Solution was designed, built, tested, and approved by Adobe Security within 4 weeks

1. Client makes an API request to Adobe.io with API key and an
object signed using the API key secret (“digital signature”).
2. API Gateway validates digital signature. How this works:
• If the secret for validation is not in the NGINX shared cache, retrieve
the secret (in plaintext) from the Adobe key management API and
encrypt by sending to AWS KMS.
• API Gateway calls AWS KMS to generate a data encryption key (DEK)
for the secret using the GenerateDataKey API.
• Encrypt the secret with the DEK using an AES-256 CBC SHA512
algorithm, and store the ciphertext blob versions of the DEK and secret in
the shared cache with a TTL.
• If secret for validation is in the NGINX shared cache, API Gateway
makes a request to AWS KMS using the Decrypt API to retrieve the
DEK (in plaintext form), which is then used to decrypt the ciphertext
blob containing the secret.
Adobe
KMS
AWS KMS
API request flow

NGINX – AWS SDK – Setup
function _M:new(o)
local o = o or {}
setmetatable(o, self)
self.__index = self
if not o.___super then
printInitObject(o)
self:throwIfInitParamsInvalid(o)
self.kmsService = KmsService:new({
aws_region = o.aws_region,
aws_secret_key = o.aws_secret_key, – Optional. The code will automatically look for an IAM user.
aws_access_key = o.aws_access_key, – Optional. The code will automatically look for an IAM user.
aws_iam_user = o.aws_iam_user, – Optional. But it's more performant to provide it.
security_credentials_host = o.security_credentials_host,
security_credentials_port = o.security_credentials_port,
aws_debug = o.aws_debug, – Print warn level messages on the nginx logs.
aws_conn_keepalive = o.aws_conn_keepalive, – How long to keep the sockets used for AWS alive.
aws_conn_pool = o.aws_conn_pool, – The connection pool size for sockets used to connect to AWS.
shared_cache_dict = o.shared_cache_dict – Shared dict to keep IAM credentials cached for performance improvements.
})
end
return o
end
Adobe has implemented an AWS SDK for NGINX that has
been open sourced. This is the configuration of AWS KMS
within the SDK.
This SDK is available at https://github.com/adobe-
apiplatform/api-gateway-aws

NGINX – Secret Reader integrated with AWS KMS
-- Encrypts the plain_text returning a pair of ( cipher_text, seed_cipher ). Use this pair to call
the decrypt method.
-- @param plain_text The Text to encode
--
function _M:encrypt(plain_text)
local DEK_plain_text – the DEK plain text
local seed_cipher – in the DEK cipher text blob
local cipher, status, body = self.kmsService:generateDataKey(self.aws_key_id, "AES_256")
if (cipher == nil) then
ngx.log(ngx.WARN, "Could not GenerateDataKey. AWS Status:", tostring(status), ", Body:",
tostring(body))
return nil, nil
end
seed_cipher = cipher.CiphertextBlob
DEK_plain_text = cipher.Plaintext -- this is the plaintext of the DEK
local cipher_text = self:encryptText(plain_text, DEK_plain_text) -- encrypt API Key secret
return cipher_text, seed_cipher -- return the encrypt API Key secret & ciphertext blob
End
+
function _M:encryptText(plain_text, seed_text)
local aes_256_cbc_sha512x5 = aes:new(seed_text,
”—insert—your—salt—here--",
aes.cipher(256, "cbc"),
aes.hash.sha512, 5)
local encrypted =
aes_256_cbc_sha512x5:encrypt(plain_text)
return encrypted
end
The SDK generates a data encryption key
(DEK), and then uses the DEK to
encrypt/decrypt data locally using the
encryptText function (at right).

Operational experience post-deployment
• No operational or performance-related issues since it
was launched
• 100% availability over the past 10 months
• After initial design discussion with AWS Solutions
Architect and KMS Product Manager, we haven’t opened
an AWS Support case for this application

Wish list for KMS
Cross-region replication of encrypted AWS resources
• Can’t move KMS master keys between regions, but the process of
re-encrypting data between regions could be easier

Resources
KMS
• https://aws.amazon.com/kms
Whitepaper on KMS cryptographic details
• https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
CloudHSM
• https://aws.amazon.com/cloudhsm/
Whitepaper on data-at-rest encryption and key management in AWS
• https://aws.amazon.com/whitepapers/
S3 encryption client
• http://aws.amazon.com/articles/2850096021478074
AWS Partner Network
• http://www.aws-partner-directory.com/
AWS Security Blog
• http://blogs.aws.amazon.com/security

Related Sessions
• SEC401: Encryption Key Storage at Okta
• Pallazzo K at 4:15 P.M. today
• STG402: Amazon EBS Deep Dive
• BDT314: Running a Big Data and Analytics Application
on Amazon EMR and Amazon Redshift with a Focus on
Security

Remember to complete
your evaluations!

(SEC301) Strategies for Protecting Data Using Encryption in AWS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to (SEC301) Strategies for Protecting Data Using Encryption in AWS

Similar to (SEC301) Strategies for Protecting Data Using Encryption in AWS (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

(SEC301) Strategies for Protecting Data Using Encryption in AWS