
Deep Dive: Data Protection

Agenda
• Encryption at rest
• Encryption in transit
• Data protection considerations

© 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon confidential.
It is always YOUR data!
• Customers choose where to place their data
• AWS regions are geographically isolated by design
• Data is not replicated to other AWS regions and does not move unless the customer tells us to do so
• Customers always own their data and retain the ability to encrypt it, move it, and delete it

AWS Customer Agreement


https://aws.amazon.com/agreement/

Data Protection In-Transit and At-Rest

Encryption In-Transit
• SSL/TLS
• VPN / IPsec
• SSH

Encryption At-Rest
• Object
• Database
• Filesystem
• Disk

Ubiquitous Encryption

[Diagram: Amazon S3, Amazon Glacier, Amazon EBS, Amazon Redshift, Amazon EMR, Amazon DynamoDB and Amazon RDS, with AWS IAM and AWS CloudTrail alongside, annotated as follows]
• Encrypted at rest
• Encrypted in transit
• Encrypted in process
• Restricted access
• Fully managed Amazon keys
• Fully auditable
Encryption at rest

Encryption Options – Amazon S3

• Server-side encryption (SSE)
• Client-side encryption
• Amazon S3 SSE with customer keys

[Diagram: Amazon S3 spanning Availability Zones A, B and C]
Encryption Options – EBS

• OS tools
• EBS encryption
• Marketplace solution

[Diagram: EBS volumes spanning Availability Zones A, B and C]
Encryption Options – Databases

• TDE (Oracle, MS SQL)
• Amazon RDS volume encryption
• Redshift encryption

[Diagram: database instances spanning Availability Zones A, B and C]
Envelope Encryption Primer

• A symmetric data key, generated in hardware or software, encrypts the plaintext data to produce the encrypted data.
• The data key is in turn encrypted under a symmetric master key, producing an encrypted data key.
• The encrypted data and the encrypted data key are what go into storage.
• Key hierarchy: one master key protects the data keys beneath it.
AWS KMS Key Hierarchy

Two-tiered key hierarchy using envelope encryption:
• Unique data key encrypts customer data
• AWS KMS master keys encrypt data keys

Benefits:
• Limits risk of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys than millions of data keys
• Centralized access and audit of key activity

[Diagram: AWS KMS customer master keys → Data key 1, Data key 2, Data key 3, Data key 4 → Amazon S3 object, Amazon EBS volume, Amazon Redshift cluster, custom application]
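The following Go program is an added example, not code from the deck or from AWS KMS. It implements the envelope-encryption primer and the two-tier hierarchy described above: a fresh 256-bit data key encrypts the data with AES-256-GCM, and the master key encrypts only that data key, so the master key never touches bulk data and the blob that needs the master key is always the same small size. The master key is a constructed in-memory value standing in for a KMS customer master key; in KMS terms the wrap step corresponds to GenerateDataKey returning both the plaintext and the encrypted data key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what goes to storage: the data ciphertext and the data key
// encrypted ("wrapped") under the master key. The plaintext data key is
// used once and never written anywhere.
type Envelope struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

// seal encrypts with AES-GCM under a 256-bit key and prepends the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open splits off the nonce and authenticates before decrypting; any
// tampering or a wrong key fails here.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EnvelopeEncrypt is the two-tier hierarchy: a unique data key encrypts
// the customer data, and the master key encrypts only the 32-byte data key.
func EnvelopeEncrypt(masterKey, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(masterKey, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt unwraps the data key with the master key (a 60-byte blob
// here: 12-byte nonce + 32-byte key + 16-byte tag, whatever the data size),
// then decrypts the data locally.
func EnvelopeDecrypt(masterKey []byte, env Envelope) ([]byte, error) {
	dataKey, err := open(masterKey, env.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext)
}

func main() {
	master := make([]byte, 32) // constructed; KMS holds the real master key
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	env, err := EnvelopeEncrypt(master, []byte("customer record"))
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(master, env)
	fmt.Printf("%d-byte wrapped key, recovered %q, err=%v\n", len(env.WrappedDataKey), pt, err)
}
```

Because the master key only ever sees 32-byte data keys, rotating or revoking it does not require re-encrypting the data itself, and a leaked data key exposes one object rather than the whole estate.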

AWS Key Management Service
• Managed service that simplifies creation, control, rotation, deletion, and use of encryption keys in your applications
• Integrated with many AWS services for server-side encryption
• Integrated with AWS service clients/SDKs
  • Amazon S3, Amazon EMRFS, Amazon DynamoDB, AWS Encryption SDK
• Integrated with AWS CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
• Available in all commercial regions except China

Auditing key usage with AWS CloudTrail

"EventName":"DecryptResult"                                                  This KMS API action was called...
"EventTime":"2014-08-18T18:13:07Z"                                           ...at this time
"RequestParameters":"{\"keyId\":\"2b42x363-1911-4e3a-8321-6b67329025ex\"}"   ...in reference to this key
"EncryptionContext":"volumeid-12345"                                         ...to protect this AWS resource
"SourceIPAddress":"203.0.113.113"                                            ...from this IP address
"UserIdentity":"{\"arn\":\"arn:aws:iam::111122223333:user/User123\"}"        ...by this AWS user in this account
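As an added illustration of what these fields make possible (this is not code from the deck or from AWS), the Go program below parses a constructed CloudTrail file and flags data-key operations that fall outside an expected baseline of principals and networks for each key. The records use the current lowercase CloudTrail field names (eventName, eventTime, sourceIPAddress, userIdentity.arn, requestParameters.keyId, requestParameters.encryptionContext). The account number, user name and IP address are the slide's own example values; the key ARNs, the role name and the 10.0.0.0/8 range are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Record carries the CloudTrail fields the slide annotates.
type Record struct {
	EventName       string `json:"eventName"`
	EventTime       string `json:"eventTime"`
	SourceIPAddress string `json:"sourceIPAddress"`
	UserIdentity    struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		KeyID             string            `json:"keyId"`
		EncryptionContext map[string]string `json:"encryptionContext"`
	} `json:"requestParameters"`
}

// KeyPolicy is the reviewer's expectation for one CMK: who may use it and
// from where. It is a detection baseline, not a KMS key policy document.
type KeyPolicy struct {
	Principals []string
	Networks   []*net.IPNet
}

// sampleTrail is a constructed CloudTrail file (placeholder key ARNs).
const sampleTrail = `{"Records":[
 {"eventName":"Decrypt","eventTime":"2018-05-01T10:00:00Z","sourceIPAddress":"10.0.1.25",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:role/app-role"},
  "requestParameters":{"keyId":"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
                       "encryptionContext":{"volumeid":"vol-12345"}}},
 {"eventName":"Decrypt","eventTime":"2014-08-18T18:13:07Z","sourceIPAddress":"203.0.113.113",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/User123"},
  "requestParameters":{"keyId":"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
                       "encryptionContext":{"volumeid":"vol-12345"}}},
 {"eventName":"GenerateDataKey","eventTime":"2018-05-01T10:07:00Z","sourceIPAddress":"10.0.1.25",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:role/app-role"},
  "requestParameters":{"keyId":"arn:aws:kms:us-east-1:111122223333:key/UNLISTED-KEY-ID"}},
 {"eventName":"DescribeKey","eventTime":"2018-05-01T10:08:00Z","sourceIPAddress":"kms.amazonaws.com",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:role/app-role"},
  "requestParameters":{"keyId":"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}
]}`

// Baseline is the constructed expectation: only app-role, from the VPC's
// 10.0.0.0/8 space, should be using EXAMPLE-KEY-ID.
func Baseline() map[string]KeyPolicy {
	_, vpc, _ := net.ParseCIDR("10.0.0.0/8")
	return map[string]KeyPolicy{
		"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID": {
			Principals: []string{"arn:aws:iam::111122223333:role/app-role"},
			Networks:   []*net.IPNet{vpc},
		},
	}
}

// Audit returns one finding per Decrypt/GenerateDataKey event that deviates
// from the baseline. Read-only calls such as DescribeKey are ignored, and a
// sourceIPAddress that is an AWS service name rather than an IP skips the
// network check.
func Audit(trailJSON []byte, baseline map[string]KeyPolicy) ([]string, error) {
	var trail struct {
		Records []Record `json:"Records"`
	}
	if err := json.Unmarshal(trailJSON, &trail); err != nil {
		return nil, err
	}
	var findings []string
	for _, r := range trail.Records {
		if r.EventName != "Decrypt" && r.EventName != "GenerateDataKey" {
			continue
		}
		pol, known := baseline[r.RequestParameters.KeyID]
		if !known {
			findings = append(findings, fmt.Sprintf("%s %s on unlisted key %s", r.EventTime, r.EventName, r.RequestParameters.KeyID))
			continue
		}
		if !contains(pol.Principals, r.UserIdentity.ARN) {
			findings = append(findings, fmt.Sprintf("%s %s by unexpected principal %s", r.EventTime, r.EventName, r.UserIdentity.ARN))
		}
		if ip := net.ParseIP(r.SourceIPAddress); ip != nil && !inNetworks(pol.Networks, ip) {
			findings = append(findings, fmt.Sprintf("%s %s from unexpected address %s", r.EventTime, r.EventName, ip))
		}
	}
	return findings, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func inNetworks(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	findings, err := Audit([]byte(sampleTrail), Baseline())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

On the sample file this produces three findings: the Decrypt by User123 from 203.0.113.113 is flagged twice (principal and address), and the GenerateDataKey against a key that has no baseline entry is flagged once. The encryptionContext is parsed so that a real baseline could also pin a key to the resource it is supposed to protect.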

Bring Your Own Key to AWS KMS

• You control how master keys are generated
• You store the master copy of the keys
• You import the key into AWS KMS and set an optional expiration time in the future
• You can use imported keys with all AWS KMS-integrated services
• You can delete and re-import the key at any time to control when AWS can use it to encrypt/decrypt data on your behalf
• Works with standards-based key management infrastructure, including SafeNet Gemalto and Thales e-Security
Bring Your Own Key

• Create: create a customer master key (CMK) container in AWS KMS. Result: an empty CMK container with a unique key ID.
• Download: download a public wrapping key from AWS KMS. Result: an RSA public key.
• Export: export your key material from your key management infrastructure, encrypted under the public wrapping key. Result: your 256-bit key material encrypted under the KMS public key.
• Import: import the encrypted key material under the KMS CMK key ID and set an optional expiration period. Result: your key material protected in KMS.
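The four steps above, written out in Go as an added example (not KMS code and not a SafeNet or Thales integration): a KeyStore type stands in for AWS KMS, owning the RSA wrapping key pair and the CMK containers, while WrapKeyMaterial is the step that runs inside the customer's own key management infrastructure. RSA-OAEP with SHA-256 is used for the wrap, the key ID and key material are constructed, and the expiration and delete/re-import behaviour from the previous slide are modelled so the effect on key usability can be checked.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// ImportedKey is the material held inside a CMK container, with the
// optional expiration (zero time means the material never expires).
type ImportedKey struct {
	Material []byte
	Expires  time.Time
}

// KeyStore stands in for AWS KMS in this illustration: it owns the RSA
// wrapping key pair and the CMK containers, keyed by key ID.
type KeyStore struct {
	wrapping *rsa.PrivateKey
	cmks     map[string]*ImportedKey
}

func NewKeyStore() (*KeyStore, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyStore{wrapping: priv, cmks: map[string]*ImportedKey{}}, nil
}

// CreateCMK is step 1: an empty container with a unique key ID.
func (k *KeyStore) CreateCMK(keyID string) { k.cmks[keyID] = nil }

// PublicWrappingKey is step 2: the DER-encoded RSA public key the customer
// downloads. The private half never leaves the store.
func (k *KeyStore) PublicWrappingKey() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&k.wrapping.PublicKey)
}

// WrapKeyMaterial is step 3 and runs in the customer's key management
// infrastructure: 256-bit key material encrypted with RSA-OAEP/SHA-256
// under the downloaded wrapping key.
func WrapKeyMaterial(pubDER, material []byte) ([]byte, error) {
	if len(material) != 32 {
		return nil, errors.New("key material must be exactly 256 bits")
	}
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("wrapping key is not RSA")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, material, nil)
}

// Import is step 4: the store unwraps the material with its private key and
// binds it to the CMK container, recording the optional expiration.
func (k *KeyStore) Import(keyID string, wrapped []byte, expires time.Time) error {
	if _, ok := k.cmks[keyID]; !ok {
		return errors.New("no CMK container with that key ID")
	}
	material, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.wrapping, wrapped, nil)
	if err != nil {
		return fmt.Errorf("unwrap failed: %w", err)
	}
	k.cmks[keyID] = &ImportedKey{Material: material, Expires: expires}
	return nil
}

// DeleteMaterial removes the material but keeps the container, so the same
// key can be re-imported later (the "delete and re-import" control).
func (k *KeyStore) DeleteMaterial(keyID string) { k.cmks[keyID] = nil }

// Usable reports whether the CMK can encrypt/decrypt right now: it needs
// material that is present and has not expired.
func (k *KeyStore) Usable(keyID string, now time.Time) bool {
	ik, ok := k.cmks[keyID]
	if !ok || ik == nil {
		return false
	}
	return ik.Expires.IsZero() || now.Before(ik.Expires)
}

func main() {
	ks, err := NewKeyStore()
	if err != nil {
		panic(err)
	}
	ks.CreateCMK("cmk-example") // constructed key ID
	pub, _ := ks.PublicWrappingKey()
	material := make([]byte, 32) // constructed; your KMI would generate this
	rand.Read(material)
	wrapped, _ := WrapKeyMaterial(pub, material)
	err = ks.Import("cmk-example", wrapped, time.Now().Add(24*time.Hour))
	fmt.Println("import:", err, "usable now:", ks.Usable("cmk-example", time.Now()))
}
```

The wrapped blob is only useful to the holder of the matching private key, so material wrapped for one KMS instance cannot be imported into another, and after DeleteMaterial or expiry the container exists but cannot serve requests until the customer re-imports.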
Ubiquitous Encryption

[Diagram: Amazon S3, Amazon Glacier, Amazon EBS, Amazon Redshift, Amazon EMR, Amazon DynamoDB and Amazon RDS, with AWS IAM, AWS CloudTrail and AWS KMS alongside; AWS KMS holds imported keys supplied from your KMI. Annotated as follows]
• Encrypted at rest
• Encrypted in transit
• Encrypted in process
• Restricted access
• Fully managed Amazon keys
• Imported keys
• Fully auditable
CMK Types

                 AWS-managed CMK                          Customer-managed CMK
Creation         AWS generated on customer's behalf       Customer generated
Rotation         Once every three years, automatically    Once a year automatically through opt-in, or on demand manually
Deletion         Can't be deleted                         Can be deleted
Scope of use     Limited to a specific AWS service        Controlled via AWS KMS/IAM policy
AWS CloudHSM
• Single-tenant access to tamper-resistant HSMs that comply with the U.S. Government's FIPS 140-2 Level 3 standard for cryptographic modules.
• Open standard offering interoperability with other commercial HSM solutions.
• Quorum authentication for critical administrative and key management functions.
• Clustered, managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.

AWS CloudHSM
• A: AWS manages the hardware security module (HSM) appliance, but does not have access to your keys
• B: You control and manage your own keys
• C: Application performance improves (due to close proximity with AWS workloads)
• D: Secure key storage in tamper-resistant hardware available in multiple Availability Zones (AZs)
• E: Your HSMs are in your Virtual Private Cloud (VPC) and isolated from other AWS networks

Comparing CloudHSM with AWS KMS

AWS CloudHSM
• Dedicated access to an HSM that complies with government standards (FIPS 140-2 Level 3)
• You control your keys and the application software that uses them
• Supported applications:
  • Your custom software
  • Third-party software
• Symmetric or asymmetric encryption
• Integrated with Amazon Redshift, Amazon RDS for Oracle

AWS Key Management Service
• Highly available and durable key storage, management, and auditable solution (FIPS 140-2 Level 2)
• Easily encrypt your data across AWS services and within your own applications based on policies you define
• Supported applications:
  • Your custom software (AWS SDK)
• Symmetric encryption
• Integrated with multiple AWS services

Comparison of key management options

Where keys are generated and stored
  KMS:                  AWS, or imported by you
  CloudHSM:             In AWS, on a FIPS-validated HSM that you control
  Marketplace partner:  Your network or in an Amazon EC2 instance
  DIY:                  Your network or in an Amazon EC2 instance

Where keys are used
  KMS:                  AWS services or your applications
  CloudHSM:             AWS or your applications
  Marketplace partner:  Your network or your Amazon EC2 instance
  DIY:                  Your network or your Amazon EC2 instance

How to control key use
  KMS:                  Policy you define; enforced by AWS
  CloudHSM:             HSM-specific access controls
  Marketplace partner:  Vendor-specific access controls
  DIY:                  You implement access controls

Responsibility for performance/scale
  KMS: AWS    CloudHSM: You    Marketplace partner: You    DIY: You

Integration with AWS services?
  KMS: Yes    CloudHSM: Limited    Marketplace partner: Limited    DIY: Limited
Encryption in Transit

Assumptions
These assumptions follow recommended best practices and are taken to hold within the customer environment.

Type         Scope                   Control
At rest      All                     Encrypted at rest
In transit   On-prem → Amazon VPC    Connection made through an IPsec VPN; encrypted in transit
In transit   AWS API endpoints       HTTPS enforced with IAM policies; encrypted in transit

What about within Amazon VPC?

Encryption in transit inside the Amazon VPC

[Diagram: corporate data center connected by a VPN to an Amazon VPC with public, private and sensitive subnets across Availability Zones A, B and C. The VPN hop is marked as encrypted; the hops between subnets inside the VPC are marked with question marks.]
What is Amazon VPC (review)?
• Amazon Virtual Private Cloud (Amazon VPC)
• Logically isolated portion of the AWS infrastructure
• Allows you to extend your existing data center network to the Cloud
• Can be considered a private network for PCI compliance purposes
• Audited & certified under SOC 1/2, ISO 27001, FedRAMP, HIPAA BAA, PCI
• Protected against most L2/L3 attacks (multicast, IP/MAC/ARP spoofing, sniffing)

TLS with Amazon Elastic Load Balancing (ELB)

• You can use the ELB for HTTPS termination with unencrypted communication to back-end instances on port 80.

[Diagram: HTTPS (encrypted) → Elastic Load Balancing (terminate TLS) → HTTP (unencrypted) → EC2 instance inside a security group]
Terminating TLS

TLS terminates at the load balancer.

[Diagram: incoming TLS session from the corporate data center over the VPN connection ends at the load balancer in the public subnet; private and sensitive subnets across Availability Zones A, B and C sit behind it.]
Transport Layer Security (TLS) with Amazon ELB

• You can use the ELB for HTTPS termination with encrypted communication to back-end instances on port 443.
• You can optionally enable authentication of the back-end instances by specifying a public key.

[Diagram: HTTPS (encrypted) → Elastic Load Balancing (terminate TLS & re-negotiate) → HTTPS (encrypted) → EC2 instance inside a security group]
Terminating TLS

TLS terminates at the load balancer; a new TLS session is established with the back end.

[Diagram: incoming TLS session from the corporate data center over the VPN connection ends at the load balancer in the public subnet; a second TLS session runs from the load balancer to the back end in the private/sensitive subnets across Availability Zones A, B and C.]
SSL/TLS Security Policies on Amazon ELB

• Amazon was able to provide:
  • Same-day mitigation for Heartbleed
  • Same-day mitigation for POODLE
  • Same-day mitigation for LogJam

https://aws.amazon.com/security/security-bulletins/
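The two controls from the preceding slides, re-encrypting to the back end and authenticating the back end by a registered public key, together with a minimum protocol version of the kind an ELB security policy enforces, are shown below in Go. This is an added example, not AWS's ELB implementation: the back-end certificate is self-signed in memory, the "load balancer" is a TLS client that pins the SHA-256 of the back end's SubjectPublicKeyInfo instead of validating a CA chain, and a loopback listener stands in for the EC2 instance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewBackendCert issues a self-signed certificate for a back-end instance
// (constructed for this example). It returns the TLS certificate and the
// SHA-256 of its SubjectPublicKeyInfo, the value an operator registers on
// the load balancer as the back end's public key.
func NewBackendCert() (tls.Certificate, [32]byte, error) {
	var pin [32]byte
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, pin, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "backend.internal"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, pin, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return tls.Certificate{}, pin, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, sha256.Sum256(spki), nil
}

// VerifyPin accepts the back end only when the leaf certificate's public
// key matches the registered pin; no CA chain is consulted.
func VerifyPin(rawCerts [][]byte, pin [32]byte) error {
	if len(rawCerts) == 0 {
		return errors.New("back end presented no certificate")
	}
	cert, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	spki, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
	if err != nil {
		return err
	}
	if sha256.Sum256(spki) != pin {
		return errors.New("back-end public key does not match the registered key")
	}
	return nil
}

// LoadBalancerConfig is the client-side policy for the re-encrypted hop:
// TLS 1.2 or newer, and back-end identity established by the pin rather
// than a CA chain (which is why InsecureSkipVerify is paired with a
// custom verifier instead of standing alone).
func LoadBalancerConfig(pin [32]byte) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return VerifyPin(rawCerts, pin)
		},
	}
}

// ConnectWithPin starts a TLS back end on loopback with backendCert and
// connects to it as the load balancer would. It returns nil only when the
// handshake completes and the pin matches.
func ConnectWithPin(backendCert tls.Certificate, pin [32]byte) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{backendCert},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // server side; any failure surfaces on the client
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), LoadBalancerConfig(pin))
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	cert, pin, err := NewBackendCert()
	if err != nil {
		panic(err)
	}
	_, otherPin, _ := NewBackendCert()
	fmt.Println("registered key:", ConnectWithPin(cert, pin))
	fmt.Println("different key: ", ConnectWithPin(cert, otherPin))
}
```

Pinning the public key means a back end presenting any other key, even one with a valid certificate from a trusted CA, is rejected before application data flows, which is what makes the second hop authenticated rather than merely encrypted.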

TLS with Amazon ELB
• Alternatively, you can use the ELB in a TCP pass-through mode to terminate TLS connections on your EC2 instances.

[Diagram: TCP pass-through: encrypted → Elastic Load Balancing (no termination) → encrypted → EC2 instance inside a security group]
Terminating TLS

NLB (layer 4) hands off TCP downstream; the TLS session terminates on the back end.

[Diagram: incoming TLS session from the corporate data center over the VPN connection passes through the load balancer in the public subnet and ends on the back end in the private/sensitive subnets across Availability Zones A, B and C.]
Recap: TLS options with Amazon ELB

• Terminate TLS at the load balancer: HTTPS (encrypted) → Elastic Load Balancing (terminate TLS) → HTTP (unencrypted) → EC2 instance inside a security group
• Terminate and re-negotiate: HTTPS (encrypted) → Elastic Load Balancing (terminate TLS & re-negotiate) → HTTPS (encrypted) → EC2 instance inside a security group
• TCP pass-through: encrypted → Elastic Load Balancing (no termination) → encrypted → EC2 instance inside a security group
Terminating TLS

[Diagram: the same VPC layout (VPN connection from the corporate data center; public, private and sensitive subnets across Availability Zones A, B and C) with an internal load balancer in front of the private subnet.]
Terminating TLS

Public key per database engine.

[Diagram: the same VPC layout (VPN connection from the corporate data center; public, private and sensitive subnets across Availability Zones A, B and C) with the database in the sensitive subnet.]
Terminating TLS

TLS terminates at the CloudFront edge.

[Diagram: CloudFront in front of the VPC's public, private and sensitive subnets across Availability Zones A, B and C.]
AWS Certificate Manager (ACM)
• Provision trusted SSL/TLS certificates from AWS for use with AWS resources:
  • Elastic Load Balancing
  • Amazon CloudFront distributions
• AWS handles the muck:
  • Key pair and CSR generation
  • Managed renewal and deployment
• Domain validation (DV) through email
• Available through AWS Management Console, AWS Command Line Interface (AWS CLI), or API
Data Protection

Amazon Macie
Data visibility: uses natural language processing (NLP) methods to understand data

Macie Content Classification
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and Cloud SaaS API keys

Macie Data Sources
• S3 objects
• S3 object-level API activity
• CloudTrail event logs

Currently supported in:
• US East (N. Virginia)
• US West (Oregon)
Amazon Macie

[Diagram: user behavior analytics and alert categories]
Amazon Macie – use cases

• PCI DSS 3.2 Compliance, Req. 3.1: "A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention."
• ISO 27017:2015, Req. 12.3.1: "retention periods for backup data."

How to build a reliable data validation program with Amazon Macie:
• Identify credit cards stored in plain text
• How long they have been stored in S3
• Set up alerts to notify or trigger actions
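The three steps of the validation program above (find card numbers stored in plain text, measure how long the objects have been in S3, raise a finding that alerting can act on) are shown below in Go as an added example. It is not Amazon Macie's classifier: a regular expression plus a Luhn check stands in for Macie's content classification, and the S3 objects, their timestamps, the card numbers (well-known test numbers) and the 90-day retention period are constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// S3Object is a constructed stand-in for an object to be classified: its
// key, when it was last written, and its plaintext body.
type S3Object struct {
	Key          string
	LastModified time.Time
	Body         string
}

// Finding reports an object holding card numbers, how long it has sat in
// the bucket, and whether that exceeds the defined retention.
type Finding struct {
	Key             string
	CardNumbers     int
	AgeDays         int
	RetentionBreach bool
}

// panPattern matches 13-19 digit runs, optionally grouped by spaces or dashes.
var panPattern = regexp.MustCompile(`[0-9](?:[ -]?[0-9]){12,18}`)

// luhnValid is the checksum that separates card numbers from other long
// digit strings such as order IDs.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// CountCardNumbers returns how many Luhn-valid candidate PANs the text holds.
func CountCardNumbers(text string) int {
	n := 0
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, m := range panPattern.FindAllString(text, -1) {
		if digits := strip.Replace(m); len(digits) >= 13 && len(digits) <= 19 && luhnValid(digits) {
			n++
		}
	}
	return n
}

// Classify walks the objects and returns a finding for each one containing
// card data, flagging those stored longer than the retention period.
func Classify(objs []S3Object, retention time.Duration, now time.Time) []Finding {
	var out []Finding
	for _, o := range objs {
		count := CountCardNumbers(o.Body)
		if count == 0 {
			continue
		}
		age := now.Sub(o.LastModified)
		out = append(out, Finding{
			Key:             o.Key,
			CardNumbers:     count,
			AgeDays:         int(age.Hours() / 24),
			RetentionBreach: age > retention,
		})
	}
	return out
}

// SampleObjects are constructed; the card numbers are published test
// numbers, and the order ID is a 16-digit run that fails the Luhn check.
func SampleObjects() []S3Object {
	return []S3Object{
		{Key: "exports/orders-2018-01.csv", LastModified: time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC),
			Body: "id,card\n1,4111 1111 1111 1111\n2,5500-0000-0000-0004\n"},
		{Key: "logs/app.log", LastModified: time.Date(2018, 5, 20, 0, 0, 0, 0, time.UTC),
			Body: "order 1234567890123456 shipped; callback 555-123-4567\n"},
		{Key: "tmp/export.txt", LastModified: time.Date(2018, 5, 15, 0, 0, 0, 0, time.UTC),
			Body: "pan=4111111111111111\n"},
	}
}

func main() {
	now := time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC)
	for _, f := range Classify(SampleObjects(), 90*24*time.Hour, now) {
		fmt.Printf("%-28s cards=%d age=%dd retention_breach=%v\n", f.Key, f.CardNumbers, f.AgeDays, f.RetentionBreach)
	}
}
```

On the sample data the January export is reported with two card numbers at 151 days, past the 90-day retention, the May export with one card number at 17 days, and the application log produces no finding because its 16-digit order ID fails the Luhn check. The Finding values are what an alert or an automated deletion step would consume.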
Amazon Macie
• Cost simulation:
  • S3 objects to be classified:
    • 15 Amazon S3 buckets with a total of 100 GB
    • 6 GB of new data every month
    • Total: 118 GB of classified data in 3 months
  • CloudTrail events per month:
    • 1M CloudTrail management events
    • 1.1M CloudTrail S3 object-level API events
  • Extended retention: 90 days

* The content classification engine processes up to the first 20 MB of an S3 object, and S3 objects less than 1 KB in size are charged as 1 KB.
* A charge of $0.05 per GB processed for each month beyond the initial 30 days.

https://aws.amazon.com/macie/pricing/
Thank You!

© 2018 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. For corrections or feedback on the course, please email us at: aws-course-feedback@amazon.com. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.
