06 Encryption and Data Protection

The document discusses encryption at rest and in transit in AWS. It provides an overview of how encryption works for different AWS services like S3, EBS, databases, and within the networking layer. It also covers key concepts around data protection responsibilities, ubiquitous encryption in AWS, and considerations for managing encryption keys.

Encryption & Data Protection

AWS Security Workshop

Amazon Confidential AWS Security Workshop v5.1
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Agenda

• Encryption at rest
• Encryption in transit
• Data protection considerations

Goals

• Understand customer responsibility for data in AWS
• Learn how encryption is done in AWS
• Consider your own encryption requirements

It is always YOUR data!

• Customers choose where to place their data
• AWS regions are geographically isolated by design
• Data is not replicated to other AWS regions and does not move unless the customer tells us to do so
• Customers always own their data and the ability to encrypt it, move it, and delete it

AWS Customer Agreement
https://aws.amazon.com/agreement/

Data Protection In-Transit and At-Rest

Encryption In-Transit
• SSL/TLS
• SSH
• VPN/IPSEC

Encryption At-Rest
• Object
• Database
• Filesystem
• Disk

Ubiquitous Encryption
Diagram summary:
• Encryption at rest: Glacier, EBS, S3, EMR, Redshift, RDS, DynamoDB
• Encryption in transit: ELB, EC2, Amazon Certificate Manager (ACM) for certificate management
• Encryption in process
• Encrypted secrets management: Secrets Manager
• Restrict access: AWS IAM
• Fully managed keys: KMS
• Full auditability: AWS CloudTrail

Encryption at Rest

Encryption at Rest – S3
Diagram (S3 reached from a VPC with two subnets in Availability Zone 1), showing three options:
• S3 Server Side Encryption (SSE-S3)
• S3 Server Side Encryption with KMS (SSE-KMS)
• Client Side Encryption

Encryption at Rest – EBS
Diagram (EC2 in a VPC with two subnets in Availability Zone 1), showing three options:
• EBS Encryption
• OS tools
• Marketplace solution

Encryption at Rest – Databases
Diagram (VPC with two subnets in Availability Zone 1), showing the options:
• Transparent Database Encryption (TDE)
• RDS EBS volume encryption
• Client side encryption
• DynamoDB encryption
• Redshift encryption

Encryption at Rest – Envelope Encryption Primer

Diagram: a hardware or software key source produces a symmetric data key; the data key encrypts the plaintext data, and the encrypted data goes to storage. A symmetric master key encrypts the data key, and the encrypted data key is stored with the encrypted data. The open question (marked "?") is where the master key itself lives:

Plain text keys need to exist somewhere

Encryption at Rest – Key Considerations

• Where are keys stored?
  • Hardware you own?
  • Hardware the cloud provider owns?
• Where are keys used?
  • Client software you control?
  • Server software the cloud provider controls?
• Who can use the keys?
  • Users and applications that have permissions?
  • Cloud provider applications you give permissions?
• What assurances are there for proper security around keys?

Encryption at Rest – Options in AWS

Client-side encryption
• You encrypt your data before it is submitted to the service
• You supply encryption keys OR use keys in your AWS account
• Available clients: S3, EMR File System (EMRFS), DynamoDB, AWS Encryption SDK

Server-side encryption
• AWS encrypts data on your behalf after the data is received by the service
• Services with integrated encryption include S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail, EMR, DynamoDB, CodePipeline, AWS Secrets Manager, AWS Backup

Encryption at Rest – AWS Key Management Service

• Managed service that simplifies creation, control, rotation, deletion, and use of encryption keys in your applications
• FIPS 140-2 validated hardware security modules (HSM) and support for FIPS 140-2 validated endpoints
• Integrated with over 50 AWS services for server-side encryption
• Integrated with AWS service clients/SDKs: S3, EMRFS, DynamoDB, AWS Encryption SDK
• Integrated with CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
• Available in all commercial regions except China

Encryption at Rest – AWS Key Management Service

AWS Key Management Service Hierarchy
• Two-tiered key hierarchy using envelope encryption
• Unique data key encrypts customer data
• KMS master keys encrypt data keys
• KMS master keys never leave the KMS HSM unencrypted

Benefits
• Limits risk of compromised data key
• Better performance for encrypting large data
• Easier to manage small number of master keys than millions of data keys
• Centralized access and audit of key activity

Diagram: inside AWS Key Management Service (KMS) sit several Customer Master Keys (CMKs); each CMK protects a data key, and each data key protects one resource such as an S3 object, an EBS volume, a Redshift cluster, or a custom application.

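Added example, not from the workshop deck and not how KMS is implemented: a stand-alone Python model of the two-tier hierarchy described on this slide and on the earlier Envelope Encryption Primer. A MasterKeyService class stands in for the KMS HSM (it wraps and unwraps data keys but never returns the master key), each object gets its own data key, and the encryption context is bound into both layers so a data key only unwraps under the context it was created with. The cipher is a stand-in built from HMAC-SHA256 so the script needs only the standard library; KMS-backed services use AES-256-GCM, which this does not replicate. All class and function names are the example's own.

```python
"""Envelope encryption model (added example, not from the workshop deck).

A MasterKeyService stands in for the KMS HSM: the master key is created
inside it and only ever used to wrap or unwrap data keys. Each object gets
its own data key, and the encryption context is bound into both layers.
The cipher is a stand-in (HMAC-SHA256 keystream plus an HMAC tag) so the
script runs on the standard library alone; KMS-backed services use
AES-256-GCM, which this does not replicate.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 digest size


def _keystream(key, nonce, length):
    """Expand key+nonce into `length` pseudorandom bytes (PRF in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _seal(key, plaintext, aad):
    """Encrypt-then-MAC; the tag also covers the nonce and the associated data."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext + aad, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key, blob, aad):
    """Verify the tag before touching the ciphertext; any mismatch is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, tampered blob, or wrong encryption context")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def _context_bytes(context):
    """Canonical encoding so encrypt and decrypt bind exactly the same context."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


class MasterKeyService:
    """Stand-in for the KMS HSM. The master key never leaves this object."""

    def __init__(self):
        self._master_key = secrets.token_bytes(32)

    def generate_data_key(self, context):
        """Return (plaintext data key, data key wrapped under the master key)."""
        data_key = secrets.token_bytes(32)
        return data_key, _seal(self._master_key, data_key, _context_bytes(context))

    def decrypt_data_key(self, wrapped, context):
        return _open(self._master_key, wrapped, _context_bytes(context))


def encrypt_object(kms, plaintext, context):
    """Client side: fresh data key per object; only the wrapped copy is stored."""
    data_key, wrapped = kms.generate_data_key(context)
    ciphertext = _seal(data_key, plaintext, _context_bytes(context))
    return {"wrapped_data_key": wrapped, "ciphertext": ciphertext, "context": dict(context)}


def decrypt_object(kms, record, context):
    """Unwrap the data key through the master key service, then decrypt locally."""
    data_key = kms.decrypt_data_key(record["wrapped_data_key"], context)
    return _open(data_key, record["ciphertext"], _context_bytes(context))


if __name__ == "__main__":
    service = MasterKeyService()
    ctx = {"volume-id": "vol-constructed-0001"}  # constructed encryption context
    rec = encrypt_object(service, b"customer record 42", ctx)
    print(decrypt_object(service, rec, ctx))
```

The stored record holds the wrapped data key next to the ciphertext, which is the "encrypted data key stored with the encrypted data" of the primer; the only long-lived secret is the master key inside the service, which is what makes "plain text keys need to exist somewhere" a question about one key rather than millions.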
Encryption at Rest – AWS Key Management Service
Auditing key usage with AWS CloudTrail

"EventName":"DecryptResult",                                              … This KMS API action was called
"EventTime":"2014-08-18T18:13:07Z",                                       … at this time
"RequestParameters":"{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex"}",  … in reference to this key
"EncryptionContext":"volumeid-12345",                                     … to protect this AWS resource
"SourceIPAddress":"203.0.113.113",                                        … from this IP address
"UserIdentity":"{"arn":"arn:aws:iam::111122223333:user/User123"}"         … by this AWS user in this account

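Added example, not from the deck: a Python pass over CloudTrail-style KMS events that turns the slide's annotations into checks. For one key it asks whether each Decrypt call came from an expected caller, from an expected network, and with an encryption context, and reports the deviations. The expectations, the events, the key id and the role ARN are constructed placeholders; the field names follow the CloudTrail record fields the slide highlights.

```python
"""Audit KMS key usage from CloudTrail records (added example, not from the deck).

For one key, compares each Decrypt event against what is expected for that
key (allowed callers, allowed source networks, encryption context present)
and reports deviations. The expectations and the events below are
constructed; the key id and ARNs are placeholders, and the field names
follow the ones the slide highlights (eventName, eventTime,
requestParameters.keyId, encryptionContext, sourceIPAddress,
userIdentity.arn).
"""
import ipaddress

EXPECTED = {  # constructed expectations for one key
    "key_id": "00000000-0000-0000-0000-000000000001",
    "allowed_principals": {"arn:aws:iam::111122223333:role/app-decrypt"},
    "allowed_networks": [ipaddress.ip_network("10.0.32.0/20")],
    "require_context": True,
}

SAMPLE_EVENTS = [  # constructed CloudTrail-style records
    {   # expected: the application role, from the private subnet, with context
        "eventName": "Decrypt",
        "eventTime": "2019-06-01T12:00:00Z",
        "requestParameters": {
            "keyId": "00000000-0000-0000-0000-000000000001",
            "encryptionContext": {"volume-id": "vol-constructed-0001"},
        },
        "sourceIPAddress": "10.0.33.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-decrypt"},
    },
    {   # unexpected: an IAM user, from outside the VPC, without context
        "eventName": "Decrypt",
        "eventTime": "2019-06-01T12:05:00Z",
        "requestParameters": {"keyId": "00000000-0000-0000-0000-000000000001"},
        "sourceIPAddress": "203.0.113.113",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"},
    },
    {   # out of scope for this check: a different API action
        "eventName": "GenerateDataKey",
        "eventTime": "2019-06-01T12:06:00Z",
        "requestParameters": {"keyId": "00000000-0000-0000-0000-000000000001"},
        "sourceIPAddress": "10.0.33.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-decrypt"},
    },
]


def audit_event(event, expected=EXPECTED):
    """Return the deviations for one event; an empty list means it matches expectations."""
    params = event.get("requestParameters") or {}
    if event.get("eventName") != "Decrypt" or params.get("keyId") != expected["key_id"]:
        return []
    findings = []
    caller = event.get("userIdentity", {}).get("arn", "<unknown>")
    if caller not in expected["allowed_principals"]:
        findings.append(f"unexpected caller {caller}")
    try:
        source = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        source = None  # AWS services calling on your behalf log a service name, not an address
    if source is not None and not any(source in net for net in expected["allowed_networks"]):
        findings.append(f"source {source} is outside the allowed networks")
    if expected["require_context"] and not params.get("encryptionContext"):
        findings.append("no encryption context supplied")
    return findings


def audit(events, expected=EXPECTED):
    """Map eventTime -> findings for every event with at least one deviation."""
    report = {}
    for event in events:
        findings = audit_event(event, expected)
        if findings:
            report[event["eventTime"]] = findings
    return report


if __name__ == "__main__":
    for when, findings in audit(SAMPLE_EVENTS).items():
        print(when, "; ".join(findings))
```

The encryption-context check is the one that most often pays off: a service that encrypts a volume always supplies the volume id as context, so a Decrypt on the same key with no context is a caller the key owner did not plan for.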
Encryption at Rest – AWS Key Management Service
Bring Your Own Key Material to KMS
• You control how master keys are generated
• You store the master copy of the keys
• You import the key into KMS as key material and set an optional expiration time in the future
• Generate CMKs based on the imported key material
• You can use imported key material with all KMS-integrated services
• You can delete and re-import the key material at any time to control when AWS can use it to encrypt/decrypt data on your behalf
• Works with standards-based key management infrastructure, such as Thales e-Security

Encryption at Rest – Bring Your Own Key Material
1. Create customer master key (CMK): AWS Key Management Service (KMS) creates an empty CMK container with a unique key ID.
2. Download a public wrapping key: KMS provides an RSA public key.
3. Export your key material encrypted under the public wrapping key: your key management infrastructure produces your 256-bit key material encrypted with the KMS public key.
4. Import the encrypted key material under the KMS CMK key ID and set an optional expiration period: your key material is now protected in AWS KMS.

Encryption at Rest – Ubiquitous Encryption
Diagram: the same Ubiquitous Encryption picture as before (encryption at rest: Glacier, EBS, S3, EMR, Redshift, RDS, DynamoDB; encryption in transit: ELB, EC2, Amazon Certificate Manager (ACM); encryption in process; encrypted secrets management: Secrets Manager; restrict access: AWS IAM; fully managed keys: KMS; full auditability: AWS CloudTrail), now adding "Your key management infrastructure" alongside KMS.

Encryption at Rest – KMS CMK Types
AWS Owned CMK
• Creation: AWS generated
• Rotation: Once every three years automatically
• Deletion: Can't be deleted
• Visible within your AWS account: No
• Scope of use: Not limited to your AWS account

AWS Managed CMK
• Creation: AWS generated on customer's behalf
• Rotation: Once every three years automatically
• Deletion: Can't be deleted
• Visible within your AWS account: Yes
• Scope of use: Limited to a specific AWS service within your AWS account

Customer Managed CMK
• Creation: Customer generated
• Rotation: Once a year automatically through opt-in, or manually on-demand
• Deletion: Can be deleted
• Visible within your AWS account: Yes
• Scope of use: Controlled via KMS/IAM policies

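Added example, not from the deck: a Python review of a KMS key policy, the mechanism the Customer Managed CMK column refers to with "Controlled via KMS/IAM policies" and the lever behind the earlier "Who can use the keys?" question. It flags Allow statements that grant key-use actions to a wildcard principal or to a principal in another account. The sample policy, its Sids and the account ids 111122223333 / 444455556666 are constructed for the example.

```python
"""Lint a KMS key policy for over-broad access (added example, not from the deck).

Reads a key policy document and reports Allow statements that let anyone,
or principals outside the key's own account, perform key-use actions
(Encrypt, Decrypt, GenerateDataKey*, ReEncrypt*, or kms:*). The sample
policy is constructed; 111122223333 and 444455556666 are placeholder
account ids.
"""
import json

KEY_USE_PREFIXES = ("kms:encrypt", "kms:decrypt", "kms:generatedatakey", "kms:reencrypt")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element to a list of strings ('*' stays '*')."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(_as_list(value))
        return flat
    return _as_list(principal)


def _grants_key_use(stmt):
    """True if the statement's actions include any key-use action or kms:*."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(a == "kms:*" or a.startswith(KEY_USE_PREFIXES) for a in actions)


def _account_of(arn):
    """Account id is the fifth colon-separated field of an ARN; None if not an ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 and parts[0] == "arn" else None


def review_key_policy(policy_json, key_account):
    """Return a list of (Sid, severity, message) for statements that need attention."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_key_use(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        has_condition = bool(stmt.get("Condition"))
        for who in _principals(stmt):
            if who == "*":
                if has_condition:
                    findings.append((sid, "review", "wildcard principal limited only by a Condition"))
                else:
                    findings.append((sid, "critical", "any AWS principal can use this key"))
            elif _account_of(who) not in (None, key_account):
                findings.append((sid, "review", f"cross-account key use granted to {who}"))
    return findings


SAMPLE_POLICY = json.dumps({  # constructed sample key policy
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AppDecrypt", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-decrypt"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "PartnerEncrypt", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:role/partner"},
         "Action": "kms:Encrypt", "Resource": "*"},
        {"Sid": "OpenDecrypt", "Effect": "Allow",
         "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"},
        {"Sid": "ViaS3Only", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
    ],
})

if __name__ == "__main__":
    for sid, severity, message in review_key_policy(SAMPLE_POLICY, "111122223333"):
        print(f"{severity:8} {sid}: {message}")
```

The account-root statement is left alone on purpose: it is how the account's IAM policies get a say over the key at all, and removing it is what locks an account out of its own CMK. The wildcard-with-Condition case is reported for review rather than as critical because a kms:ViaService condition does narrow it, but a reviewer still has to confirm the service and region are the intended ones.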
Encryption at Rest – CloudHSM

• Dedicated access to HSM appliances
• HSMs located in AWS data centers
• Managed and monitored by AWS
• Only you have access to your keys and operations on the keys
• HSMs are inside your Amazon VPC, isolated from the rest of the network
• FIPS 140-2 level 3 certified

Diagram: HSMs placed inside a VPC in the AWS Cloud.

Encryption at Rest – CloudHSM

• Setup from the AWS Management Console or CLI
• Load balanced & synchronized
• Clusters can scale to meet demand
• Industry standard APIs available for developers to get started
• MFA authentication available
• Capability of snapshotting CloudHSM clusters

Diagram: a CloudHSM cluster inside a VPC in the AWS Cloud.

Encryption at Rest – AWS KMS Custom Key Store

• Use CloudHSM as the key store for KMS
• Combining the key management capabilities of KMS with the key storage capabilities of CloudHSM
• Use the standard KMS APIs and native service integration offered by KMS

Diagram: clients and AWS services call AWS Key Management Service (KMS), which is backed by AWS CloudHSM.

Encryption at Rest – AWS KMS Custom Key Store
Diagram: in the AWS Cloud, 50+ AWS services and customers' custom applications (via AWS SDKs) call the KMS endpoint. Behind it, AWS KMS has two backing stores: the KMS standard key store on the KMS HSM fleet, and the custom key store, whose "connector" reaches a CloudHSM cluster in a VPC. Custom applications are also shown as CloudHSM clients using PKCS#11, JCE, or CNG.

Encryption at Rest – AWS KMS Custom Key Store

When to use AWS KMS Custom Key Store?

You have keys that are required to be:
• protected in a single-tenant HSM or in an HSM over which you have direct control
• stored in an HSM validated at FIPS 140-2 level 3 overall
• replicated across multiple AWS regions

Encryption at Rest – AWS KMS vs CloudHSM
AWS CloudHSM
• Dedicated access to HSM that complies with government standards (e.g. FIPS 140-2 Level 3, Common Criteria)
• High-performance in-VPC cryptographic acceleration
• You control your keys and the application software that uses them
• Supported applications:
  • Your custom software
  • Third party software
• Symmetric or asymmetric encryption

AWS Key Management Service
• Highly available and durable key storage, management, and auditable solution (FIPS 140-2 Level 2 HSMs and support for FIPS 140-2 Level 2 endpoints)
• Easily encrypt your data across AWS services and within your own applications based on policies you define
• Supported applications:
  • Your custom software (AWS SDK)
• Symmetric encryption
• Integrated with multiple AWS services

Resources - Whitepapers

AWS Key Management Service Cryptographic Details
https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

AWS Key Management Service Best Practices
https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf

Resources - Blogs

How to use KMS and IAM to enable independent security controls for encrypted data in S3
https://aws.amazon.com/blogs/security/how-to-use-kms-and-iam-to-enable-independent-security-controls-for-encrypted-data-in-s3/

Are KMS custom key stores right for you?
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/

Encryption at Rest – APN Partner Solutions

• You can browse, test, and buy encryption and key management solutions
via the AWS Marketplace
• Pricing models vary: pay-by-the-hour, monthly, or annual
• The software fees are simply added to your AWS bill
• Some solutions offer a bring-your-own-license option

Encryption at Rest – Solution Comparison
AWS KMS
• Where keys are generated and stored: AWS KMS FIPS 140-2 Level 2 HSMs (with Level 3 for several other categories)
• Where keys are used: AWS services or your applications using the AWS SDKs
• How to control key usage: Policies you define; enforced by AWS
• Responsibility for performance/scale: AWS
• Integration with AWS services: Yes

AWS KMS with Custom Key Store
• Where keys are generated and stored: AWS CloudHSM FIPS 140-2 Level 3 HSMs
• Where keys are used: AWS services or your applications using the AWS SDKs
• How to control key usage: Policies you define; enforced by AWS – only for keys made available through KMS
• Responsibility for performance/scale: AWS (APIs), Customer (Key Store)
• Integration with AWS services: Yes

AWS CloudHSM
• Where keys are generated and stored: AWS CloudHSM FIPS 140-2 Level 3 HSMs
• Where keys are used: AWS or your applications using the HSM-specific SDK
• How to control key usage: HSM-specific access controls
• Responsibility for performance/scale: Customer
• Integration with AWS services: Limited

AWS Marketplace Partner Solution
• Where keys are generated and stored: Your network or EC2 instance
• Where keys are used: Your network or EC2 instance
• How to control key usage: Vendor-specific access controls
• Responsibility for performance/scale: Customer
• Integration with AWS services: Limited

DIY
• Where keys are generated and stored: Your network or EC2 instance
• Where keys are used: Your network or EC2 instance
• How to control key usage: You implement access controls
• Responsibility for performance/scale: Customer
• Integration with AWS services: Limited

Encryption in Transit

Encryption in Transit – Inside the VPC

What is VPC (review)?

• Virtual Private Cloud
• Logically isolated portion of the AWS infrastructure
• Allows you to extend your existing data center network to the Cloud
• Can be considered a private network for PCI compliance
• Audited & certified on SOC1/2, ISO27001, FedRAMP, HIPAA BAA, PCI
• Protected against most L2/L3 attacks (multicast, IP/MAC/ARP spoofing, sniffing)

Encryption in Transit – Inside the VPC

Diagram: a VPC in the AWS Cloud with a private subnet (10.0.32.0/20, APP instances) and a public subnet (10.0.48.0/21, WEB instances), connected over VPN to the corporate data center. Question marks mark each hop (data center to WEB, WEB to APP) where encryption in transit still has to be decided.

Encryption in Transit – TLS with Amazon ELB

You can use the ELB for HTTPS termination with unencrypted communication to back-end instances on port 80.

Diagram: HTTPS (encrypted) into the Elastic Load Balancer; HTTP (unencrypted) from the load balancer to an EC2 instance with a security group.

Encryption in Transit – Inside the VPC

Diagram: the same VPC (private subnet 10.0.32.0/20 with APP, public subnet 10.0.48.0/21 with WEB, VPN to the corporate data center). The incoming TLS session is terminated at the load balancer.

Encryption in Transit – TLS with Amazon ELB

You can use the ELB for HTTPS termination with encrypted communication to back-end instances on port 443.

Diagram: HTTPS (encrypted) into the Elastic Load Balancer; HTTPS (encrypted) from the load balancer to an EC2 instance with a security group.

Encryption in Transit – Inside the VPC

Diagram: the same VPC (private subnet 10.0.32.0/20 with APP, public subnet 10.0.48.0/21 with WEB, VPN to the corporate data center). The incoming TLS session is terminated at the load balancer, and a new TLS session is established with the back end.

Encryption in Transit – TLS with Amazon ELB

Alternatively, you can use the Classic Load Balancer and Network Load Balancer in a TCP pass-through mode to terminate TLS connections on your EC2 instances.

Diagram: TCP pass-through; traffic is encrypted into the Elastic Load Balancer and stays encrypted through to the EC2 instance with a security group.

Encryption in Transit – Inside the VPC

Diagram: the same VPC (private subnet 10.0.32.0/20 with APP, public subnet 10.0.48.0/21 with WEB, VPN to the corporate data center). The CLB or NLB (Layer 4) hands off TCP downstream; the incoming TLS session terminates on the back end.

Encryption in Transit – ELB Options
Classic Load Balancer
• Protocols: TCP, SSL/TLS, HTTP, HTTPS
• Network layer: L4 – L7

Application Load Balancer
• Protocols: HTTP, HTTPS
• Network layer: L7

Network Load Balancer
• Protocols: TCP, TLS
• Network layer: L4

Further rows compared across the three balancers: integration with ACM; back-end TLS authentication based on public key; Server Name Indication (SNI); multiple security policies; custom security policy.

TLS Security Policies on Classic ELB

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html

TLS Security Policies on ALB & NLB

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies

Encryption in Transit

Amazon was able to provide same-day mitigation for:
• Heartbleed
• POODLE
• LogJam

https://aws.amazon.com/security/security-bulletins/

Encryption in Transit – TLS with Amazon ELB Recap

• HTTPS (encrypted) to the Elastic Load Balancer, HTTP (unencrypted) to the EC2 instance with security group
• HTTPS (encrypted) to the Elastic Load Balancer, HTTPS (encrypted) to the EC2 instance with security group
• TCP pass-through: encrypted into the Elastic Load Balancer and encrypted through to the EC2 instance with security group

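Added example, not from the deck: a Python classifier for the three load-balancer arrangements in this recap, run over constructed listener records. It labels each listener as HTTPS terminated with a plaintext back-end hop, HTTPS re-encrypted to the back end, or TCP pass-through, and lists what a reviewer should follow up (the unencrypted hop, a listener without TLS, a pass-through the balancer cannot police, or a security policy outside the approved set). The record shape, the listener names and the approved-policy set are assumptions made for the example, not the output of any AWS API.

```python
"""Classify TLS termination per load-balancer listener (added example, not from the deck).

The ELB slides show three arrangements: HTTPS terminated at the load
balancer with plain HTTP to the back end, HTTPS terminated at the load
balancer with a new TLS session to the back end, and TCP pass-through with
TLS terminating on the EC2 instance. Given simplified listener records,
this reports which arrangement each listener uses and what to follow up.
The records, field names and the approved-policy set are constructed for
this example; they are a simplified shape, not the output of an AWS API.
"""

# Assumption: the security policies the organisation has approved for TLS listeners.
APPROVED_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
}

TLS_PROTOCOLS = {"HTTPS", "TLS", "SSL"}

SAMPLE_LISTENERS = [  # constructed records
    {"name": "web-alb:443", "protocol": "HTTPS", "port": 443,
     "ssl_policy": "ELBSecurityPolicy-TLS-1-2-2017-01",
     "target_protocol": "HTTP", "target_port": 80},
    {"name": "api-alb:443", "protocol": "HTTPS", "port": 443,
     "ssl_policy": "ELBSecurityPolicy-2016-08",
     "target_protocol": "HTTPS", "target_port": 443},
    {"name": "mq-nlb:443", "protocol": "TCP", "port": 443,
     "ssl_policy": None, "target_protocol": "TCP", "target_port": 443},
    {"name": "legacy-clb:80", "protocol": "HTTP", "port": 80,
     "ssl_policy": None, "target_protocol": "HTTP", "target_port": 80},
]


def classify(listener):
    """Name the termination pattern for one listener."""
    front = listener["protocol"].upper()
    back = listener["target_protocol"].upper()
    if front in TLS_PROTOCOLS and back in TLS_PROTOCOLS:
        return "tls-at-lb-reencrypted"
    if front in TLS_PROTOCOLS:
        return "tls-at-lb-plaintext-backend"
    if front == "TCP":
        return "tcp-passthrough"  # the balancer forwards bytes; TLS, if any, ends on the instance
    return "no-tls-at-lb"


def review(listener, approved=APPROVED_SSL_POLICIES):
    """Return (pattern, follow-up items) for one listener."""
    pattern = classify(listener)
    notes = []
    if pattern == "tls-at-lb-plaintext-backend":
        notes.append(f"back-end hop to port {listener['target_port']} is unencrypted")
    if pattern == "no-tls-at-lb":
        notes.append(f"listener on port {listener['port']} accepts plaintext")
    if pattern == "tcp-passthrough":
        notes.append("balancer cannot enforce protocol versions or ciphers; "
                     "review the TLS configuration on the instances")
    if pattern.startswith("tls-at-lb") and listener["ssl_policy"] not in approved:
        notes.append(f"security policy {listener['ssl_policy']!r} is not on the approved list")
    return pattern, notes


def review_all(listeners, approved=APPROVED_SSL_POLICIES):
    """Map listener name -> (pattern, follow-up items)."""
    return {item["name"]: review(item, approved) for item in listeners}


if __name__ == "__main__":
    for name, (pattern, notes) in review_all(SAMPLE_LISTENERS).items():
        print(name, pattern)
        for note in notes:
            print("   -", note)
```

The security-policy check only applies where the balancer terminates TLS; in pass-through mode the policy is whatever the instances negotiate, which is why that pattern gets a follow-up note of its own rather than a policy comparison.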
Encryption in Transit – Inside the VPC

Diagram: the same VPC (private subnet 10.0.32.0/20 with APP, public subnet 10.0.48.0/21 with WEB, VPN to the corporate data center), now with an Internal ELB inside the VPC for the traffic between tiers.

Encryption in Transit – Inside the VPC

Diagram: the VPC gains a second private subnet (10.0.0.0/19) holding the DB tier next to the APP private subnet (10.0.32.0/20) and the WEB public subnet (10.0.48.0/21). Connections to the database tier use a public key per database engine.

Encryption in Transit – Inside the VPC

Diagram: the same three-subnet VPC (DB 10.0.0.0/19, APP 10.0.32.0/20, WEB 10.0.48.0/21) with Amazon CloudFront in front of the WEB tier; TLS terminates at the CloudFront edge.

Encryption in Transit – Amazon Certificate Manager

• Provision trusted SSL/TLS certificates from AWS for use with AWS resources:
  • Elastic Load Balancing
  • Amazon CloudFront distributions
• AWS handles the muck
  • Key pair and CSR generation
  • Managed renewal and deployment
• Domain validation (DV) through email or DNS (Route 53)
• Available through AWS Management Console, AWS Command Line Interface (AWS CLI), or API

Questions?
