Chapter 10

Data Protection at Rest and in Transit

This chapter covers the following official AWS Certified SysOps Administrator - Associate (SOA-C02) exam
domain:

Domain 4: Security and Compliance

(For more information on the official AWS Certified SysOps Administrator - Associate [SOA-C02] exam topics, see the
Introduction.)

In this chapter, you learn how to use AWS features to protect data at rest or in transit. You first learn about the different
encryption techniques and then learn how the AWS Key Management Service (KMS) can help you manage your
encryption keys.

Next, you learn about data classifications and the role of a certificate authority (CA). In that section, you learn how the AWS
Certificate Manager (ACM) can be used to manage your public and private certificates.

This chapter ends with a collection of important security tools: AWS Secrets Manager, Amazon GuardDog, Amazon
Inspector, and AWS Security Hub.

Protecting Data

This section covers the following official AWS Certified SysOps Administrator - Associate (SOA-C02) exam topic for
Domain 4: Security and Compliance:

4.2 Implement data and infrastructure protection strategies

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in
this section and then completing the Cram Quiz at the end of the section.

1. Besides data at rest and data in transit, what is another form of data that needs to be protected?

2. To determine that a web server is valid, a _____ from a CA can be used.

Answers

1. Answer: Data in use

2. Answer: Certificate

Encryption

Encryption is the process of transforming data from its original form to a form that, when viewed, does not reveal the
original data. There are three different forms of encryption:

Data at rest: Data is encrypted when it is stored. Either you can encrypt the data prior to uploading the data to
storage, or in some cases, a function that is provided by the cloud provider can perform this method. When you
perform the data encryption, it is your responsibility to decrypt the data when the original data is needed. When the
cloud provider encrypts the data, the decryption process must be performed by the cloud provider.

Data in transit: Data is encrypted before it is sent and decrypted when received. This form of encryption could
involve several different techniques, but in most cases for cloud computing environments, it means that the data is
encrypted by a network device that then sends the data across the network.

1/7
 Data in use: Data is encrypted when being actively used, which typically means while it is stored in random-access
memory (RAM). Because some exploits may make data in RAM vulnerable, this form of encryption may be very
important to ensuring data integrity.

Many different technologies can be used to encrypt data, and which technology you use will depend on several factors,
including which cloud provider you utilize. These technologies fall into one of two methods of encryption:

Symmetric encryption: With this method, you use the same key (a unique value of some sort) to both encrypt and
decrypt the data.

Asymmetric encryption: With this method, you use a different key to encrypt and decrypt the data. One key is
referred to as the public key, and the other is called the private key. An example of using this encryption method
would be if you wanted someone to send data to you across the network. You provide the public key to this person,
and this person then encrypts the data. The only way to decrypt the data is to use the private key, which you would
never share with anyone else.

AWS Key Management Service

The Key Management Service (KMS) allows you to create encryption keys and control their access. Both symmetric and
asymmetric keys can be created, as you can see in Figure 10.1.

FIGURE 10.1 KMS

Key features of AWS KMS include

The ability to create, view, and edit keys

Use policies to control access to keys

The ability to disable (and enable) keys

Automatic key rotation

Key use monitoring

Data Classification

Consider how you would treat data that contains credit card information compared to how you would treat data that
contains comments that have been made regarding your company website. The data that contains credit card information
is much more sensitive than the data that contains customer comments, so you would want to treat the data differently.

In this situation, data classification becomes important. With data classification, you place data into different categories
depending on how you want to treat the data. These categories can be based on rules related to how sensitive the data is,
who should be able to read the data, who should be able to modify the data, and how long the data should be available.

2/7
Unless you are storing data that is related to compliance regulations (like SOC 2, GDPR, PCI-DSS, or HIPAA), the data
classification criteria are up to you.

For example, you might consider classifying data based on who is permitted to access it. In this case, you might use the
following commonly used categories:

Public: This data is available to anyone, including those who are not a part of your organization. This typically
includes information found on your public website, announcements made on social media sites, and data found in
your company press releases.

Internal: This data should be available only to members of your organization. An example of this data would be
upcoming enhancements to a software product that your organization creates.

Confidential: This data should be available only to select individuals who have the need to access this information.
This could include personally identifiable information (PII), such as an employee Social Security number. Often the
rules for handling this data are also governed by compliance regulations.

Restricted: This data may seem similar to confidential data, but it is normally more related to proprietary
information, company secrets, and in some cases, data that is regarded by the government as secret.

In the cloud, there are different techniques to handle different types of data. These techniques could include placing
different types of data into different storage locations.

Certificate Management

Consider a situation in which you want to log in to your bank’s website and transfer some money. You open a web browser,
type in the URL of your bank (or use a browser bookmark), and then log in to the bank. But how do you know that it is
really your bank?

It is possible that your browser has been directed to a website that isn’t your bank. This redirection might have been done
by an individual or group that is trying to steal your login information to gain access to your bank account. You might even
have seen this attempt in action. Figure 10.2 shows a message that your web browser will display if it appears that the
server you are trying to connect to really isn’t the correct server.

FIGURE 10.2 Invalid certificate warning

This discussion brings up another question: how does your web browser know that you are potentially communicating with
a rogue server? The answer is by its certificate.

When you communicate using the HTTPS protocol (note that this does not apply to HTTP; the S must be in the URL), your
browser knows that it must verify the validity of the web server’s certificate. It does this by querying a certificate authority
(CA), which is a trusted third-party organization that can look at a web server’s certificate and verify that it is really the
correct web server. You can look at your browser’s settings and see a list of the CAs that your browser uses, as shown in
Figure 10.3.

3/7
 FIGURE 10.3 List of CAs on a Google Chrome Browser

Note that these certificates are also commonly called SSL/TLS certificates in context to HTTP services and functions, and
they are based on the public key infrastructure (PKI).

PKI is a standard that defines how digital certificates are created, revoked, managed, stored, used, and distributed. It
utilizes a pair of cryptographic keys (public and private), which not only allows the creation and verification of certificates
but also provides a way to encrypt the data that is transported between the client and the server.

For the certification exam, you don’t need to know all of the details of PKI, but you do need to know some key terms:

Digital certificate: A unique value that contains a collection of data that is used to identify an entity (that is, a server).
For example, think of certificates in your browser store.

CA: Certificate authority; an entity that validates, signs, and issues the digital certificates. For example, Verisign CA
and GeoTrust CA are public CAs. Note that AWS provides a tool called AWS Certificate Manager that can manage
both public and private certificates.

Public key: A unique cryptographic key that is publicly shared. Data encrypted by the public key can be decrypted
only by the corresponding private key.

Private key: A unique cryptographic key that is never shared. It is used to decrypt data that was encrypted by the
corresponding public key.

CRL: Certificate revocation list; a list that defines the certificates that the CA no longer considers valid. For
example, a certificate that was deemed to be no longer secure but is valid can be declared as void in the CRL.

CSR: Certificate signing request; a request to a CA to generate a digital certificate. The CSR must contain specific
information, including the public key for the organization, and must be “signed,” a process verifying that the
organization making the CSR possessed the private key.

AWS Certificate Manager

The AWS Certificate Manager (ACM) allows you to manage certificates. This service provided by AWS allows you to
perform the following primary tasks:

4/7
 Request a certificate: This option allows you to request a public certificate from Amazon. If you have configured
your AWS account with your organization’s CA, you can also request a private certificate from your CA.

Import a certificate: If you have a certificate that was created with a non-AWS CA, you can import that certificate
into AWS.

Create a private certificate: Private certificates are typically used to secure the AWS services and resources within
your AWS infrastructure. This feature allows you to create a private certificate.

ExamAlert

A key difference between a public certificate and a private certificate is that public certificates are normally trusted
automatically by applications because these applications also trust the public CA. Private certificates are not normally
automatically trusted, requiring manual configuration on the application side.

Several AWS services can make use of ACM certificates, including the following:

Elastic Load Balancing

Amazon CloudFront

Amazon API Gateway

AWS Elastic Beanstalk

AWS CloudFormation

AWS App Runner

AWS Nitro Enclaves

ACM certificates are also often used with applications, like web servers, that you deploy on EC2 instances and containers.

ExamAlert

ACM certificates are regional resources and must be imported into each region in which they are used.

AWS Secrets Manager

“Three may keep a secret, if two of them are dead.”

—Benjamin Franklin, Poor Richard’s Almanack

While a bit dramatic, this quote from hundreds of years ago illustrates that the importance of keeping a secret can’t be
overstated. The AWS Secrets Manager is designed to store and manage credential data. This includes several different
credential types, including the following AWS services:

AWS RDS databases

AWS DocumentDB databases

AWS Redshift clusters

The AWS Secrets Manager can also be used to manage other types of credentials that are not directly associated with
AWS. This includes the following:

Non-AWS databases, including MariaDB, MySQL, PostgreSQL, Oracle database, and Microsoft SQL Server

Application programming interface (API) keys

OAuth tokens

Secure Shell (SSH) keys

5/7
You can enable access to secrets by creating an IAM policy that permits an application or resource to access the secret.
The technique that is used to access the secret is via the Secrets Manager API.

The AWS Secrets Manager works with encryption keys provided by the AWS Key Management Service to ensure the
security of the secrets by encrypting them at rest. You can also configure the AWS Secrets Manager to rotate secrets to
provide better security.

By default, secrets are region-based resources. AWS provides a feature called multi-region secrets to allow you to replicate
secrets across multiple regions. This feature also allows you to manage these replicated secrets, including deleting
secretes in specific regions.

Amazon GuardDuty

Amazon GuardDuty is a tool that performs threat detection functions in your AWS infrastructure. This optional service is not
turned on in your AWS account by default.

When GuardDuty is enabled, it actively monitors the following:

AWS CloudTrail management events

AWS CloudTrail S3 data events

VPC flow logs

DNS logs

ExamAlert

A feature called GuardDuty for S3 also can be enabled for an additional cost. To enable this feature, you must also enable
the standard GuardDuty. However, because GuardDuty can access S3 logs that are stored in CloudTrail, this extra
protection may not be necessary.

Costs for GuardDuty are based on the number of events (per million) that are monitored. For logs, the cost is based on per
gigabyte per month.

There are several key features for Amazon GuardDuty, including the following:

Account-level threat detection to determine whether AWS accounts may have been compromised

The ability to create automated threat response actions

Monitoring of potential reconnaissance attempts

Monitoring of possible EC2 instance compromises

Monitoring of possible S3 bucket compromises

Amazon Inspector

Amazon Inspector is a tool that helps you determine security vulnerabilities on applications that you deploy on an EC2
instance within AWS. For example, you might deploy an application on an EC2 instance and want to know whether your
application has any potential security risks.

To use Amazon Inspector, you first install an agent on the EC2 instance. Two types of assessments can be configured:
network assessments and host assessments. Network assessments are used to determine which network ports of your
instance are available from outside of your VPC. Host assessments include the following:

Assessments based on Common Vulnerabilities and Exposures (CVEs)

Assessments based on host-hardening benchmarks from the Center for Internet Security (CIS)

Assessments based on security best practices, such as whether a root login via SSH is permitted or password
complexity rules are in place

6/7
ExamAlert

You do not need to install the Inspector Agent on the EC2 instance if you just want to perform network assessments.
However, if you do, the corresponding service that uses the port is reported.

The Amazon Inspector assessment checks report issues based on how severe they are. The following severity levels are
used:

High: An alert that indicates a problem that is very likely to result in a security vulnerability. An example would be
incorrect permissions on system directories.

Medium: An alert that is not critical but still urgent enough to warrant a review. An example would be not having
password complexity rules in place.

Low: An alert that is not as urgent but should be addressed soon. The recommended way of handling these alerts
is to address them the next time the service is updated.

Informational: Occasionally, Amazon Inspector provides an information alert. This doesn’t indicate a current issue
with the security of your system but might be something to consider when your security policy is reviewed.

AWS Security Hub

The AWS Security Hub allows you to execute security checks across your AWS environment automatically. It also allows
you to gather alerts from the following security policies into a central view:

Amazon GuardDuty

Amazon Inspector

IAM Access Analyzer

Amazon Macie

IAM Firewall Manager

Amazon System Manager

ExamAlert

In-depth knowledge of some of the services that the AWS Security Hub can gather alerts from, such as Amazon Macie, are
not specific exam requirements. However, you should be aware that the AWS Security Hub can gather alerts from these
services.

What Next?

If you want more practice on this chapter’s exam objectives before you move on, remember that you can access all of the
Cram Quiz questions on the Pearson Test Prep software online. You can also create a custom exam by objective with the
Online Practice Test. Note any objective you struggle with and go to that objective’s material in this chapter.

7/7