Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit

© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T
Data protection using encryption in AWS
Richard Moulds
Principal Product Manager
AWS Key Management Service
S E C 2 0 1
Richard Crowley
Principal Engineer
Slack

Encrypt, where?
Client InstancesHTTPS
Application code
Data in motion
Network encryption
Data at rest
Storage encryption
Data in use
Application level encryption
Client-side encryption = You encrypt
Server-side encryption = AWS encrypts
S3 bucket EBS volume

Defense in depth
KMS key
policy
KMS keyRole
IAM policy
S3 VPC endpoint
VPCe policy
S3 bucket
Bucket policy
Users Documents

Traditional reasons to not encrypt
Performance Complexity Availability
Latency overhead
Crypto acceleration
Fragmented systems
Inconsistent controls
Loss of keys
Key provisioning

Encryption in AWS
Audit
Access controls
Encrypting services
Secondary
storage
Client
Corporate data
center
AWS Cloud

AWS KMS integration
AWS offering
category
AWS services integrated with AWS KMS for customer owned keys
Compute Amazon EC2 - AWS Lambda - Amazon Lightsail*
Storage Amazon EBS - Amazon EFS - Amazon FSx for Windows File Server - Amazon S3 Glacier - Amazon S3 - AWS Storage Gateway
Databases Amazon Aurora - Amazon DynamoDB* - Amazon DynamoDB Accelerator (DAX)* - Amazon Neptune - Amazon Redshift - Amazon RDS
Analytics
Amazon Athena - Amazon Elasticsearch Service - Amazon EMR - AWS Glue - Amazon Kinesis Data Firehose - Amazon Kinesis Data
Streams - Amazon Managed Streaming for Kafka (Amazon MSK)
Machinelearning Amazon Comprehend* - Amazon Lex - Amazon SageMaker - Amazon Translate
Application services Amazon Elastic Transcoder - Amazon Simple Email Service (Amazon SES) - Amazon Simple Queue Service (Amazon SQS)
Migration& transfer AWS Snowball - AWS Snowball Edge - AWS Snowmobile - AWS Database Migration Service
Developer tools AWS Cloud9 - AWS CodeBuild - AWS CodeCommit* - AWS CodeDeploy - AWS CodePipeline - AWS X-Ray
Managementtools AWS CloudTrail - Amazon CloudWatch Logs - AWS Systems Manager
Media services Amazon Kinesis Video Streams
Security & identity AWS Certificate Manager* - AWS Secrets Manager
Enterprise applications Amazon WorkMail - Amazon WorkSpaces
Business productivity Alexa for Business*
Contact center Amazon Connect
*Supports only AWS managed KMS keys.

KMS key hierarchy
Two-tiered hierarchy for keys
• Data keys used to encrypt customer data
• Customer master keys (CMKs) protect data keys
• CMK policies control access to data
• All activity associated with CMKs is logged
Benefits
• Envelope encryption avoids managing data keys
• Encrypted data keys stored with encrypted objects
• Well suited to encrypting large data objects
• Enables local key caching for high I/O operations
Customer
master key
S3 bucket EBS volume RDS
instance
CMK
Data key Data key Data key
Key Management Service

Envelope encryption
Example: S3 server-side encryption
Plaintext
data
Encrypt process
Encrypted
data key
3
Data key
Data key
7
Data key
Encrypted
data key
6 Data key
Generate data key request
2
CMK
1
Amazon S3
Encrypt
Encrypted
data and
data key in
S3 bucket
4
Data key
Decrypt process
5
Encrypted
data and
data key in
S3 bucketData key
Decrypt
Amazon S3
Plaintext
data
8

Key management lifecycle
Define
Key
use
CreateDelete
Disable
Enable
Recover
Back up
Rotate

Two approaches for managing your keys
AWS managed master keys
• AWS services request AWS KMS to
automatically create master keys
• Keys are in your account but can only
be used by the AWS services that
created them
Customer managed master keys
• You create your master keys in
advance using AWS KMS
• You choose which keys to use when
setting up an AWS service to use
encryption
All operational aspects are the same:
security, latency, throughput, durability, availability, and auditability

Take control over your keys
• Control who can manage and use your keys
• Limit how your keys can be used (scope reduction)
• Define conditions of use (encryption context = specific data objects)
• Delegate permissions and share access across accounts
• Enable and disable keys instantly
• Control key deletion
• Control key rotation
• Organize your keys with aliases and tags
• Use keys outside AWS encrypting services
• Use AWS Encryption SDK or AWS KMS directly to encrypt data

Audit AWS KMS usage with AWS CloudTrail
"EventName":"DecryptResult", This KMS API action was called…
"EventTiime":"2014-08-18T18:13:07Z", …at this time
"RequestParameters":
{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex”}”, …in reference to this key
“EncryptionContext":"volumeid-12345", …to protect this AWS resource
"SourceIPAddress":" 203.0.113.113", …from this IP address
"UserIdentity":
{"arn":"arn:aws:iam:: 111122223333:user/User123“} …by this AWS user in this account

Bring your own key (BYOK)
Do you have any of these requirements?
Control how your key
was generated
(entropy sources)
Keep your own
backup copy of your
key material
Upload keys only
when you need them

AWS KMS custom key store
Enables you to use an AWS CloudHSM cluster, that you control, as your own
KMS key store. Your KMS keys are generated, stored, and used in devices that
are comparable to traditional on-premises HSMs.
AWS CloudHSM provides cloud-
based HSMs that are easy to scale
with automatic provisioning, high-
availability, and managed back-
ups.
Clients
AWS
services

Richard Crowley
Principal Engineer, Slack
March 27, 2019
Slack EKM

Slack EKM
● Integrates Slack with AWS KMS to give our most security-conscious
customers control over their encryption keys
● Helps customers manage the risk of relying on a vendor to protect
sensitive data and the risk of invisible disclosure

Slack EKM design objectives
● Slack must remain Slack, feature for feature
● EKM must inspire confidence and earn trust, not merely check a
box
● The application’s performance can’t become terrible
● Our engineers must remain productive

Slack EKM provides ...
Visibility into access to the keys that
can decrypt your messages and files
Control of key access by
organization, workspace, channel,
and time

High-level design
● Each time a message is sent or a file is uploaded, encrypt it and use
the customer’s master key to encrypt the data key
● Each time a message or file is read, use those same keys to decrypt it
● Use many data keys, each covering a small slice of messages or a
single file
● Give customers a log of all access to those data keys so they know
what’s being decrypted
● Give customers ownership of the master key
● Cache data keys in memory for five minutes to preserve performance

EncryptionContext scopes data keys to
data
A message is encrypted with an encryption key that’s scoped to:
● The organization that sent it
● The workspace in which the channel appears, if applicable
● The channel in which the message appears
● The hour in which the message was sent
A file is encrypted with an encryption key that’s scoped to:
● The organization that sent it
● The file itself

Example logs
CloudTrail
{
"eventName": "Decrypt",
"requestParameters": {
"encryptionContext":{
"C": "CD11VKXL3",
"T": "TD2FCEBLN",
"H": "2018-10-24T21",
"O": "ED14RK2GJ"
}
},
// ...
}
CloudWatch Logs
{
"Action": "Decrypt",
"KeyScope": {
"C": "CD11VKXL3",
"H": "2018-10-24T21",
"O": "ED14RK2GJ",
"T": "TD2FCEBLN"
},
"Reason": "history"
}

Example policies: Baseline
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::152659312504:root"},
"Action": ["kms:Decrypt", "kms:GenerateDataKey"],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:O": "ED14RK2GJ"
}
}
}

Example policies: Lockdown
{
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
}
}
}

Example policies: Lockdown for one
channel
{
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:C": "CD11VKXL3",
}
}
}

Example policies: Lockdown a single month
{
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
},
"StringLike": {
"kms:EncryptionContext:H": "2018-07-*"
}
}
}

Example policies: Combining channel and
time
{
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:C": "CD11VKXL3",
},
"StringLike": {
"kms:EncryptionContext:H": "2018-07-*"
}
}
}

Slack EKM
● Most importantly, when you’re enrolled in EKM,
Slack remains Slack
● You gain control of and visibility into how
your encryption keys are being used
● And AWS KMS makes it fast and highly available

Summary
• Encryption by default is a realistic goal
• Sound key management provides enhanced access controls
and visibility
• AWS KMS is durable, secure, and integrated with 50+ AWS
services
• You have choices about the controls you place over your keys
• AWS KMS can be used as an independent control point for your
own applications and AWS partner solutions

Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit

Ähnlich wie Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit