Agenda
• Encryption at rest
• Encryption in transit
• Data protection considerations
© 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon confidential.
It is always YOUR data!
• Customers choose where to place their data
• AWS regions are geographically isolated by design
• Data is not replicated to other AWS regions and does not move unless the customer tells us to do so
• Customers always own their data, and the ability to encrypt it, move it, and delete it
Data Protection In-Transit and At-Rest
In transit: SSL/TLS, VPN / IPsec, SSH
At rest: object, database, filesystem, disk
Ubiquitous Encryption
[Diagram: Amazon S3, Amazon Glacier, Amazon Redshift, Amazon EMR, Amazon DynamoDB and Amazon RDS, with AWS CloudTrail recording key usage]
• Encrypted at rest
• Encrypted in transit
• Encrypted in process
• Restricted access
• Fully managed, Amazon keys
• Fully auditable (AWS CloudTrail)

Encryption at rest
Encryption Options – Amazon S3
• Server-side encryption (SSE)
• Amazon S3 SSE with customer keys
• Client-side encryption
[Diagram: Amazon S3 storing objects across Availability Zones A, B and C]

Encryption Options – EBS
• OS tools
• EBS encryption
• Marketplace solution
[Diagram: EBS volumes across Availability Zones A, B and C]

Encryption Options – Databases
• Amazon RDS volume encryption
• Redshift encryption
[Diagram: database instances across Availability Zones A, B and C]
Envelope Encryption Primer
[Diagram: a symmetric data key, generated in hardware or software, turns the plaintext data into encrypted data, and the encrypted data goes to storage; the slide leaves open ("?") how the data key itself is protected]

AWS KMS Key Hierarchy
Two-tiered key hierarchy using envelope encryption: AWS KMS customer master keys wrap the data keys, and the data keys encrypt your data
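The two slides above describe the mechanism in words. The Go program below is an added example, not code from the deck or from AWS, that carries envelope encryption through end to end: one data key is generated per object, the object is encrypted locally with AES-256-GCM, and the data key is wrapped under a master key with the encryption context bound as additional authenticated data, the way KMS binds its encryption context. The in-memory MasterKey standing in for a KMS CMK, the function names and the sample context strings are assumptions of the example; with real KMS the GenerateDataKey and Decrypt calls go to the service and the CMK bytes never leave it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is what goes to storage: ciphertext plus the wrapped data key.
type Envelope struct {
	WrappedDataKey []byte // nonce || AES-GCM(masterKey, dataKey, aad=context)
	Ciphertext     []byte // nonce || AES-GCM(dataKey, plaintext, aad=context)
}

// MasterKey stands in for a KMS CMK; holding its bytes in memory is an assumption of the example.
type MasterKey struct{ key []byte }

func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return &MasterKey{key: k}, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, binding aad, and returns nonce || ciphertext.
func seal(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext or aad is rejected.
func open(key, aad, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit data key in plaintext (use, then
// discard) plus the same key wrapped under the master key, with the encryption context bound as AAD.
func (m *MasterKey) GenerateDataKey(encCtx []byte) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, plain); err != nil {
		return nil, nil, err
	}
	if wrapped, err = seal(m.key, encCtx, plain); err != nil {
		return nil, nil, err
	}
	return plain, wrapped, nil
}

// Encrypt is the envelope: a data key per object, the object encrypted locally, the data key wrapped.
func Encrypt(m *MasterKey, encCtx, plaintext []byte) (*Envelope, error) {
	dataKey, wrapped, err := m.GenerateDataKey(encCtx)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, encCtx, plaintext)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt mirrors kms:Decrypt on the wrapped key, then opens the data locally.
func Decrypt(m *MasterKey, encCtx []byte, env *Envelope) ([]byte, error) {
	dataKey, err := open(m.key, encCtx, env.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, encCtx, env.Ciphertext)
}

func main() {
	cmk, _ := NewMasterKey()
	env, _ := Encrypt(cmk, []byte("bucket=payroll"), []byte("employee,salary\nalice,100000\n")) // constructed
	pt, err := Decrypt(cmk, []byte("bucket=payroll"), env)
	fmt.Printf("decrypted %q err=%v\n", pt, err)
}
```

Only the wrapped key and the ciphertext are ever stored. Decrypting under a different master key, a different encryption context, or after any change to the ciphertext fails authentication, which is the property that makes the KMS key policy and the CloudTrail record of each Decrypt call meaningful controls.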
AWS Key Management Service
• Managed service that simplifies creation, control, rotation, deletion, and
use of encryption keys in your applications
• Integrated with many AWS services for server-side encryption
• Integrated with AWS service clients/SDKs
• Amazon S3, Amazon EMRFS, Amazon DynamoDB, AWS Encryption SDK
• Integrated with AWS CloudTrail to provide auditable logs of key usage for
regulatory and compliance activities
• Available in all commercial regions except China
Auditing key usage with AWS CloudTrail
A CloudTrail record for a KMS call answers three questions:
  "eventName": "Decrypt"                                                     this KMS API action was called...
  "requestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex"}     ...in reference to this key...
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}          ...by this AWS user in this account
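As an added example (not from the deck), the Go program below reads a CloudTrail log file in its {"Records":[...]} form and turns the three fields highlighted above into detection logic: which KMS operation, on which key, by which principal, and whether KMS accepted the call. The log records and the per-key allow-list are constructed for the example; the key ID and account number are the placeholder values from the slide. The field names (eventSource, eventName, errorCode, userIdentity.arn, requestParameters.keyId, resources[].ARN) are the standard CloudTrail ones; the event categories, the allow-list logic and the function names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Record holds the CloudTrail fields the audit needs; other fields are ignored.
type Record struct {
	EventTime         string                                `json:"eventTime"`
	EventSource       string                                `json:"eventSource"`
	EventName         string                                `json:"eventName"`
	ErrorCode         string                                `json:"errorCode"`
	UserIdentity      struct{ ARN string `json:"arn"` }     `json:"userIdentity"`
	RequestParameters struct{ KeyID string `json:"keyId"` } `json:"requestParameters"`
	Resources         []struct{ ARN string `json:"ARN"` }   `json:"resources"`
}

type Finding struct{ Time, EventName, KeyID, Principal, Reason string }

// adminEvents change a key's lifecycle, material or policy; always reported.
var adminEvents = map[string]bool{
	"ScheduleKeyDeletion": true, "DisableKey": true, "PutKeyPolicy": true, "DeleteImportedKeyMaterial": true, "DisableKeyRotation": true,
}

// keyID returns the bare key ID: requestParameters.keyId if the caller passed one, else the key ARN under resources.
func keyID(r Record) string {
	id := r.RequestParameters.KeyID
	if id == "" && len(r.Resources) > 0 {
		id = r.Resources[0].ARN
	}
	if i := strings.Index(id, ":key/"); i >= 0 {
		id = id[i+len(":key/"):]
	}
	return id
}

// principalBase collapses ...:assumed-role/Role/session to the role, so one allow-list entry covers all sessions.
func principalBase(arn string) string {
	const marker = ":assumed-role/"
	if i := strings.Index(arn, marker); i >= 0 {
		if rest := arn[i+len(marker):]; strings.Contains(rest, "/") {
			return arn[:i+len(marker)] + rest[:strings.Index(rest, "/")]
		}
	}
	return arn
}

// AuditKMS parses a CloudTrail log file and reports KMS events needing review: use of a key by a
// principal not in allowed[keyID], any call KMS rejected (errorCode set), and any administrative operation.
func AuditKMS(logFile []byte, allowed map[string]map[string]bool) ([]Finding, error) {
	var file struct {
		Records []Record `json:"Records"`
	}
	if err := json.Unmarshal(logFile, &file); err != nil {
		return nil, fmt.Errorf("parse CloudTrail file: %w", err)
	}
	var findings []Finding
	for _, r := range file.Records {
		if r.EventSource != "kms.amazonaws.com" {
			continue
		}
		f := Finding{Time: r.EventTime, EventName: r.EventName, KeyID: keyID(r), Principal: principalBase(r.UserIdentity.ARN)}
		switch {
		case r.ErrorCode != "":
			f.Reason = "rejected by KMS: " + r.ErrorCode
		case adminEvents[r.EventName]:
			f.Reason = "administrative key operation"
		case f.KeyID != "" && !allowed[f.KeyID][f.Principal]:
			f.Reason = "principal not on the allow-list for this key"
		default:
			continue // expected operation by an expected principal
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// allowedByKey is who the key policy is supposed to let use each key (constructed for the example).
var allowedByKey = map[string]map[string]bool{
	"2b42x363-1911-4e3a-8321-6b67329025ex": {
		"arn:aws:iam::111122223333:user/User123":         true,
		"arn:aws:sts::111122223333:assumed-role/AppRole": true,
	},
}

// sampleTrail is a constructed CloudTrail file, not a real capture; IDs are the slide's placeholders.
const sampleTrail = `{"Records":[
{"eventTime":"2018-03-01T10:00:01Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/User123"},"requestParameters":{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex"}},
{"eventTime":"2018-03-01T10:00:05Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/AppRole/i-0123456789abcdef0"},"requestParameters":{"keySpec":"AES_256"},"resources":[{"type":"AWS::KMS::Key","ARN":"arn:aws:kms:us-east-1:111122223333:key/2b42x363-1911-4e3a-8321-6b67329025ex"}]},
{"eventTime":"2018-03-01T10:02:10Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor"},"requestParameters":{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex"}},
{"eventTime":"2018-03-01T10:02:11Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor"},"requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab"}},
{"eventTime":"2018-03-01T11:30:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/User123"},"requestParameters":{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex","pendingWindowInDays":7}},
{"eventTime":"2018-03-01T11:31:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/User123"},"requestParameters":{"bucketName":"payroll","key":"2018-q1.csv"}}
]}`

func main() {
	findings, _ := AuditKMS([]byte(sampleTrail), allowedByKey)
	fmt.Printf("%d findings: %+v\n", len(findings), findings)
}
```

On the constructed file this reports three records: the contractor's successful Decrypt (a principal the key policy should not have allowed), the contractor's AccessDenied attempt on a second key (probing), and User123's ScheduleKeyDeletion (an allowed principal, but a destructive operation). The two expected calls by User123 and the AppRole session, and the S3 event, are not reported.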
Bring Your Own Key to AWS KMS
Bring Your Own Key
1. Create: create a customer master key (CMK) container in AWS KMS; the result is an empty CMK container with a unique key ID.
2. Download: download a public wrapping key from AWS KMS (an RSA public key).
3. Export: export your key material from your own key management infrastructure (KMI), encrypted under the public wrapping key; the result is your 256-bit key material encrypted under the KMS public key.
[Diagram: the imported key in AWS KMS, sourced from your KMI, serving Amazon S3, Amazon Glacier, Amazon Redshift, Amazon EMR, Amazon DynamoDB and Amazon RDS, with AWS CloudTrail recording key usage: encrypted at rest, in transit and in process; restricted access; fully managed, imported keys; fully auditable]
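The export step above is the one that runs on your side, and it is where the key material is most exposed. The Go program below is an added example, not AWS code, of that step: key material is generated in your KMI, the DER-encoded RSA public wrapping key from KMS is parsed, and the material is encrypted with RSAES_OAEP_SHA_256 (one of the wrapping algorithms KMS accepts) before it leaves. Because this runs offline, NewWrappingKeyPair and unwrapAsKMS stand in for KMS generating the wrapping key pair and later importing the blob; in the real flow the private half stays inside KMS, the wrapped material is uploaded with ImportKeyMaterial together with the import token returned alongside the wrapping key, and that wrapping key and token expire after 24 hours. The function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

// GenerateKeyMaterial produces the 256-bit symmetric key material inside your
// own key management infrastructure. KMS only ever sees it wrapped.
func GenerateKeyMaterial() ([]byte, error) {
	km := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, km); err != nil {
		return nil, err
	}
	return km, nil
}

// WrapKeyMaterial is the customer-side export step: the key material is
// encrypted under the RSA public wrapping key downloaded from KMS (a
// DER-encoded SubjectPublicKeyInfo; base64-decode it first if it came from the
// CLI) using RSAES_OAEP_SHA_256. Only the wrapped blob leaves your KMI.
func WrapKeyMaterial(wrappingKeyDER, keyMaterial []byte) ([]byte, error) {
	if len(keyMaterial) != 32 {
		return nil, fmt.Errorf("key material must be 32 bytes, got %d", len(keyMaterial))
	}
	pub, err := x509.ParsePKIXPublicKey(wrappingKeyDER)
	if err != nil {
		return nil, fmt.Errorf("parse wrapping key: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("wrapping key is not an RSA public key")
	}
	if rsaPub.Size() < 256 {
		return nil, fmt.Errorf("wrapping key is %d bits; expected at least 2048", rsaPub.Size()*8)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, keyMaterial, nil)
}

// NewWrappingKeyPair stands in for KMS generating the wrapping key pair. Real
// KMS keeps the private half inside the service; returning it here is an
// assumption of the example so that unwrapAsKMS can check the result.
func NewWrappingKeyPair() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, der, nil
}

// unwrapAsKMS models what KMS does on import: recover the key material with
// the private wrapping key. Without that key the blob yields nothing.
func unwrapAsKMS(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func main() {
	kmsPriv, wrappingKeyDER, err := NewWrappingKeyPair() // step 2: the downloaded wrapping key
	if err != nil {
		panic(err)
	}
	km, _ := GenerateKeyMaterial()                      // your KMI's 256-bit key material
	wrapped, err := WrapKeyMaterial(wrappingKeyDER, km) // step 3: export, wrapped
	if err != nil {
		panic(err)
	}
	got, err := unwrapAsKMS(kmsPriv, wrapped)
	fmt.Printf("wrapped blob %d bytes; KMS recovers the material: %v (err=%v)\n", len(wrapped), bytes.Equal(got, km), err)
}
```

Two checks a practitioner wants are built in: material that is not exactly 256 bits is refused before anything is encrypted, and a blob wrapped for one KMS key container cannot be opened with any other private key, so a copy of the blob taken in transit or from a ticket attachment is useless on its own.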
CMK Types
• AWS managed CMK: scope of use limited to a specific AWS service
• Customer managed CMK: scope of use controlled via the AWS KMS key policy and IAM policy
AWS CloudHSM
• Single-tenant access to tamper-resistant
HSMs that comply with the U.S.
Government’s FIPS 140-2 Level 3
standard for cryptographic modules.
• Open Standard offering interoperability
with other commercial HSM solutions
• Quorum authentication for critical
administrative and key management
functions.
• Clustered, managed service that
automates time-consuming
administrative tasks, such as hardware
provisioning, software patching, high
availability, and backups.
AWS CloudHSM
• A: AWS manages the hardware
security module (HSM) appliance, but
does not have access to your keys
• B: You control and manage your own
keys
• C: Application performance improves
(due to close proximity with AWS
Workloads)
• D: Secure key storage in tamper-
resistant hardware available in
multiple Availability Zones (AZs)
• E: Your HSMs are in your Virtual
Private Cloud (VPC) and isolated from
other AWS networks.
Comparing CloudHSM with AWS KMS

Comparison of key management options
Where keys are generated and stored
  KMS: in AWS, or imported by you
  CloudHSM: in AWS, on a FIPS-validated HSM that you control
  AWS Marketplace partner solutions: your network or an Amazon EC2 instance
  DIY: your network or an Amazon EC2 instance
Where keys are used
  KMS: AWS services or your applications
  CloudHSM: AWS or your applications
  AWS Marketplace partner solutions: your network or your Amazon EC2 instance
  DIY: your network or your Amazon EC2 instance
How to control key use
  KMS: policy you define; enforced by AWS
  CloudHSM: HSM-specific access controls
  AWS Marketplace partner solutions: vendor-specific access controls
  DIY: you implement access controls
Encryption in Transit
Assumptions
The assumptions in this section are based on recommended best practices and are considered within the customer environment.
Encryption in transit inside the Amazon VPC
[Diagram: a VPC with a public subnet, a private subnet and a sensitive subnet across Availability Zones A, B and C, reached over a VPN connection; each hop between tiers is marked "?" to ask where traffic still needs to be encrypted]
What is Amazon VPC (review)?
• Amazon Virtual Private Cloud (Amazon VPC)
• Logically isolated portion of the AWS infrastructure
• Allows you to extend your existing data center network to the cloud
• Can be considered a private network for PCI compliance
• Audited & certified for SOC 1/2, ISO 27001, FedRAMP, HIPAA BAA, PCI
• Protected against most L2/L3 attacks (multicast, IP/MAC/ARP spoofing, sniffing)
TLS with Amazon Elastic Load Balancing (ELB)
• You can use the ELB for HTTPS termination with unencrypted communication to back-end instances on port 80.
[Diagram: client --HTTPS (encrypted)--> Elastic Load Balancing (terminates TLS) --HTTP (unencrypted)--> EC2 instance in a security group]
Terminating TLS
• You can use the ELB for HTTPS termination with encrypted communication to back-end instances on port 443.
• You can optionally enable authentication of the back-end instances by specifying a public key.
[Diagram: client --HTTPS (encrypted)--> Elastic Load Balancing (terminates TLS and opens a new TLS session) --HTTPS (encrypted)--> EC2 instance in a security group]

Terminating TLS
TLS terminates at the load balancer; a new TLS session is established with the back end.
[Diagram: incoming TLS session from the corporate data center over a VPN connection into the VPC (public, private and sensitive subnets across Availability Zones A, B and C); the incoming session ends at the load balancer and a second TLS session carries the traffic to the back end]
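The back-end authentication bullet above is easy to misread as ordinary certificate validation. It is not: the load balancer compares the back end's public key with one you configured and does not care who signed the certificate, which is what lets a self-signed certificate on each instance be safe. The Go program below is an added example, not AWS or ELB code, of the same check between a load-balancer side and a back end on a loopback port: the back end presents a self-signed certificate, both sides allow TLS 1.2 or newer (as a strict security policy would), and the client side accepts the new TLS session only if the hash of the presented SubjectPublicKeyInfo equals the pin. Certificate generation, the pin format (hex SHA-256 of the SPKI) and the function names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newBackendCert issues a self-signed ECDSA P-256 certificate for a back-end instance; no CA is involved.
func newBackendCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// spkiPin is hex(SHA-256(SubjectPublicKeyInfo)): the value recorded when enabling back-end authentication.
func spkiPin(der []byte) (string, error) {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

func PublicKeyPin(cert tls.Certificate) (string, error) { return spkiPin(cert.Certificate[0]) }

// lbClientConfig is the load balancer's view of the back end: TLS 1.2+, no CA trust, pinned public key.
func lbClientConfig(pin string) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true, // chain and hostname checks are replaced by the pin check below
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return fmt.Errorf("back end presented no certificate")
			}
			got, err := spkiPin(rawCerts[0])
			if err != nil {
				return err
			}
			if got != pin {
				return fmt.Errorf("back-end public key pin %s does not match configured %s", got, pin)
			}
			return nil
		},
	}
}

// Handshake serves backendCert on a loopback port (TLS 1.2+ only) and connects the load-balancer
// side with the pin. It returns nil only if the new TLS session to the back end was established.
func Handshake(backendCert tls.Certificate, pin string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		srv := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{backendCert}}
		_ = tls.Server(conn, srv).Handshake() // the back end's own result is not needed here
	}()
	d := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", ln.Addr().String(), lbClientConfig(pin))
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	cert, _ := newBackendCert("app.internal") // constructed back-end identity
	pin, _ := PublicKeyPin(cert)
	fmt.Println("pinned back end accepted:", Handshake(cert, pin) == nil)
}
```

The important failure mode is the impostor: a second instance with a different key and an otherwise identical self-signed certificate is refused, while without the pin check InsecureSkipVerify alone would accept it. Rotating a back-end key therefore means updating the pin on the load balancer first, or the re-encrypted hop breaks.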
SSL/TLS Security Policies on Amazon ELB
[Slide shows the predefined SSL/TLS security policies available on ELB; for protocol and cipher advisories see https://aws.amazon.com/security/security-bulletins/]
TLS with Amazon ELB
• Alternatively, you can use the ELB in TCP pass-through mode to terminate TLS connections on your EC2 instances.
[Diagram: client --encrypted--> Elastic Load Balancing (no termination) --encrypted--> EC2 instance in a security group]

Terminating TLS
NLB (layer 4) hands off TCP downstream; the TLS session terminates on the back end.
[Diagram: incoming TLS session over a VPN connection into the VPC (public, private and sensitive subnets across Availability Zones A, B and C); the load balancer does not terminate, and the TLS session ends on the back-end EC2 instance in its security group]
Terminating TLS
[Three diagrams, each a VPC with public, private and sensitive subnets across Availability Zones A, B and C reached over a VPN connection: (1) an internal load balancer in front of the private tier; (2) TLS to the database tier, with a public key per database engine; (3) CloudFront in front of the VPC]
AWS Certificate Manager (ACM)
• Provision trusted SSL/TLS certificates from AWS for use with AWS resources:
• Elastic Load Balancing
• Amazon CloudFront distributions
Amazon Macie
Data visibility: uses natural language processing (NLP) methods to understand data
Macie content classification:
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and cloud SaaS API keys
Amazon Macie – use cases
PCI DSS 3.2 compliance
• Req. 3.1: "A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention."
ISO 27017:2015
• Req. 12.3.1: "retention periods for backup data."
Sizing example
• S3 objects to be classified: 15 Amazon S3 buckets with a total of 100 GB.
• 6 GB of new data every month.
• Total: 118 GB of classified data in 3 months.
* The content classification engine processes up to the first 20 MB of an S3 object, and S3 objects less than 1 KB in size are charged as 1 KB.
* A charge of $0.05 per GB processed for each month beyond the initial 30 days.
https://aws.amazon.com/macie/pricing/
Thank You!
© 2018 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email us at: aws-course-feedback@amazon.com. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.