Encryption for Everyone - AWS Summit Sydney 2018
1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Aurelien Requiem
Solutions Architect, Amazon Web Services
Encryption For Everyone
2. Encryption Services
AWS Certificate Manager
(ACM)
AWS Key Management Service
(KMS)
3. AWS Key Management Service
(Diagram: business logic working on data/information; a data encryption key produces encrypted data plus an encrypted data key; AWS KMS)
4. AWS Certificate Manager
(Diagram: customers and employees reaching a customer environment on AWS through Amazon CloudFront, Elastic Load Balancing and API Gateway; AWS Certificate Manager and AWS KMS)
5. Your Workload On AWS
6. Multitier Workload on AWS
(Diagram: Visitors / Users, Amazon CloudFront, Elastic Load Balancing, EC2 instances, Amazon Relational Database Service (RDS), S3 Bucket, EBS snapshot)
Slides 6 to 8 highlight in turn the static content in Amazon S3, the customer content in Amazon EBS, and the network communication between the tiers; slides 9 and 10 repeat the diagram.
11. Protecting Your Static Content In Amazon S3
(Diagram: the multitier workload, repeated)
12. Protecting Your Static Content In Amazon S3
(Diagram: S3 Bucket and EC2 instances)
13. Protecting Your Static Content In Amazon S3
S3 Bucket properties (screenshot)
14. Protecting Your Static Content In Amazon S3
KMS Key permissions for the EC2 role (screenshot)
15. Protecting Your Static Content In Amazon S3
Command:
aws s3 cp /space/data/hr-confidential-report.pdf s3://sydsummit18/hr-confidential-report.pdf
Output:
upload: /space/data/hr-confidential-report.pdf to s3://sydsummit18/hr-confidential-report.pdf
16. Protecting Your Static Content In Amazon S3
Use KMS and you will never have a world readable object
17. Protecting Your Static Content In Amazon S3
(Diagram: S3 Bucket and EC2 instances)
18. Protecting Your Static Content In Amazon S3
What if… the S3 Bucket is made public through its bucket policy:
• Bucket public read
• Bucket public write
19–20. Protecting Your Static Content In Amazon S3
Results:
• Bucket public read: Denied
• Bucket public write: Denied
21. Protecting Your Static Content In Amazon S3
Reason:
• Require KMS Key permission
22. Protecting Your Static Content In Amazon S3
Use KMS and you will never have a world readable object
23. Protecting Your Content In Amazon EBS
(Diagram: the multitier workload, repeated)
24. Protecting Your Content In Amazon EBS
How EC2 and EBS work together
(Diagram: EC2 Instance as the compute layer, EBS Volume(s) as the storage layer)
25. Protecting Your Content In Amazon EBS
Full disk encryption, in the past:
• Have the data encryption key stored in plain text
• Manually enter the encryption key passphrase
26. Protecting Your Content In Amazon EBS
Creating an encrypted EBS volume (screenshot)
27. Protecting Your Content In Amazon EBS
Which data is encrypted?
• Data at rest in the EBS volume
• Data moving between EBS and EC2
• The underlying server performs the encryption/decryption
(Diagram: EC2 Instance (compute layer) and EBS Volume (storage layer))
28. Protecting Your Content In Amazon EBS
Which data is encrypted?
• All snapshots created from the EBS volume
• All EBS volumes created from those snapshots
(Diagram: EBS Volume, EBS Snapshot, EBS Volume)
29. Protecting Your Content In Amazon EBS
(Diagram: EBS Volume, EBS Snapshot, EBS Volume)
Use KMS and never risk exposing your backups to the world
30. Protecting Your Content In Amazon EBS
What if… the EBS Snapshot permissions are changed to:
• Snapshot public read
31. Protecting Your Content In Amazon EBS
Results:
• Copy snapshot: Denied
• Create volume: Denied
32. Protecting Your Content In Amazon EBS
Reason:
• Require KMS Key permissions
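The two "What if…" experiments above (the public S3 bucket on slides 18 to 21 and the public EBS snapshot on slides 30 to 32) share one rule: sharing the resource is not enough, the caller also needs permission on the KMS key. The following Python is an added example written for this page, not AWS code and not the real IAM engine; it is a deliberately simplified policy evaluator that keeps only that rule. The bucket name sydsummit18, the account id and the EC2WebAppRole name are taken from the deck, but both policies are constructed for the example, and conditions and resource ARNs are ignored.

```python
"""Why SSE-KMS objects and encrypted EBS snapshots stay private even when the
bucket or the snapshot itself is shared with the world.

Added example for this page: a simplified model, not AWS code, and not the full
IAM evaluation logic. It keeps only the rule the slides demonstrate: reading or
writing a KMS-encrypted object, or copying an encrypted snapshot, needs an
allow on the resource (S3 or EBS) AND an allow on the KMS key.
"""
from fnmatch import fnmatchcase

ANONYMOUS = "*"  # an unauthenticated caller, as "Principal": "*" grants


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principals(stmt):
    """Accept both the "*" shorthand and the {"AWS": ...} form used in real policies."""
    principal = stmt["Principal"]
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return _as_list(principal)


def statement_matches(stmt, principal, action):
    """True if one policy statement covers this principal and this action."""
    principals = _principals(stmt)
    principal_ok = "*" in principals or principal in principals
    action_ok = any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"]))
    return principal_ok and action_ok


def is_allowed(policy, principal, action):
    """Simplified IAM evaluation: an explicit Deny wins, then any Allow, else deny.
    Conditions and resource ARNs are ignored in this model."""
    matches = [s for s in policy["Statement"] if statement_matches(s, principal, action)]
    if any(s["Effect"] == "Deny" for s in matches):
        return False
    return any(s["Effect"] == "Allow" for s in matches)


def can_read_encrypted_object(bucket_policy, key_policy, principal):
    """GetObject on an SSE-KMS object: S3 must allow the read AND KMS must let
    the caller Decrypt the object's data key."""
    return (is_allowed(bucket_policy, principal, "s3:GetObject")
            and is_allowed(key_policy, principal, "kms:Decrypt"))


def can_write_encrypted_object(bucket_policy, key_policy, principal):
    """PutObject into a bucket that encrypts with KMS by default: S3 must allow
    the write AND KMS must let the caller generate a data key under the key."""
    return (is_allowed(bucket_policy, principal, "s3:PutObject")
            and is_allowed(key_policy, principal, "kms:GenerateDataKey"))


def can_copy_encrypted_snapshot(snapshot_is_public, key_policy, principal):
    """Copying an encrypted snapshot or creating a volume from it: the snapshot
    permission alone is not enough; the caller also needs to use the key."""
    return snapshot_is_public and is_allowed(key_policy, principal, "kms:Decrypt")


# Constructed: the bucket policy from the "What if…" slide, opening the bucket
# to public read and write.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::sydsummit18/*",
    }],
}

# Constructed: a KMS key policy that lets only the EC2 role use the key.
EC2_ROLE = "arn:aws:iam::123456789012:role/EC2WebAppRole"
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EC2_ROLE},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
        "Resource": "*",
    }],
}


def outcome():
    """The results table from the slides, computed from the two policies."""
    return {
        "public read": can_read_encrypted_object(PUBLIC_BUCKET_POLICY, KEY_POLICY, ANONYMOUS),
        "public write": can_write_encrypted_object(PUBLIC_BUCKET_POLICY, KEY_POLICY, ANONYMOUS),
        "ec2 role read": can_read_encrypted_object(PUBLIC_BUCKET_POLICY, KEY_POLICY, EC2_ROLE),
        "public snapshot copy": can_copy_encrypted_snapshot(True, KEY_POLICY, ANONYMOUS),
        "ec2 role snapshot copy": can_copy_encrypted_snapshot(True, KEY_POLICY, EC2_ROLE),
    }


if __name__ == "__main__":
    for check, allowed in outcome().items():
        print(f"{check:24s} {'allowed' if allowed else 'Denied'}")
```

Running it reproduces the two results slides: the anonymous reader and writer are denied although the bucket policy allows them, because the key policy does not, while the EC2 role passes both checks. The same holds for the public snapshot. The practical corollary for reviews is that a KMS key policy is itself an access-control boundary worth auditing, not just a convenience.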
33. Protecting Your Content In Amazon EBS
KMS, the service that keeps on giving…
(Diagram: an RDS Instance and an EC2 Instance, each backed by an EBS Volume)
Amazon RDS takes advantage of EBS volumes for its storage layer. This enables you to get the same security benefits when encrypting your data at rest using KMS.
34. Protecting Your Content In Amazon EBS
KMS, the service that keeps on giving…
(Diagram: an EBS Snapshot, AWS Regions, AWS Account)
When using KMS with integrated services, you enforce where data may be copied to and whom you share your data with.
35. Multitier Workload On AWS
(Diagram: the multitier workload, repeated)
36. Multitier Workload On AWS
(Diagram: the multitier workload, repeated)
• Login/Password
• Personal information
• Payment details
• Confidential data
• Company data
37. Protecting Your Data In Transit
(Diagram: the multitier workload, repeated)
38. Protecting Your Data In Transit
(Diagram: Visitors / Users, Elastic Load Balancing, Amazon CloudFront)
39. Protecting Your Data In Transit
Reasons:
• Assure data communication integrity
• Protect against eavesdropping
• Create trust online
“Dance like no one is watching, encrypt like everyone is.”
(Diagram: Visitors / Users, Elastic Load Balancing, Amazon CloudFront)
40. Protecting Your Data In Transit
Requesting a certificate (screenshot)
41. Protecting Your Data In Transit
Deploying a certificate in Amazon CloudFront (screenshot)
42. Protecting Your Data In Transit
What if…?
• You forget to renew the certificate?
(Diagram: Visitors / Users, Elastic Load Balancing, Amazon CloudFront)
43. Protecting Your Data In Transit
Features
• Automated certificate renewal
• Automated deployment
(Diagram: Visitors / Users, Elastic Load Balancing, Amazon CloudFront)
44. Protecting Your Data In Transit
ACM, the service that also keeps on giving
(Diagram: AWS Certificate Manager serving Amazon CloudFront, Elastic Load Balancing and API Gateway)
Other integrated services:
• AWS Elastic Beanstalk
• AWS CloudFormation
45. Protecting Your Data In Transit
Security is our top priority
(Diagram: AWS Certificate Manager and AWS Key Management Service (KMS))
Internal features
1. Certificate and private key encrypted with a data key
2. Data key encrypted with the KMS master key
46. Multitier Workload On AWS
(Diagram: the multitier workload, repeated)
47. Controls And Visibility
• How do you track actions performed on your data?
• How do you record actions that used your KMS keys?
• How do you prove it’s really working?
48–49. Controls And Visibility
CloudTrail provides:
• AWS API logs for your account, per region
• The ability to detect missing and altered logs
(Diagram: services and customer API requests, AWS CloudTrail, Amazon S3, AWS KMS)
50. Controls And Visibility
AWS CloudTrail:
• Records of all AWS API requests
• Supports filtering rules
• JSON format
• Integrated with Amazon Athena
• CloudTrail Processing Library for Java
Reading CloudTrail logs is as easy as the “rule of 6 Ws”:
• What happened?
• When did it happen?
• Which action and service?
• Where to?
• Who did it?
• Where from?
51–56. Controls And Visibility
{
  "awsRegion": "ap-southeast-2",
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:ap-southeast-2:123456789012:key/abcdef12-1234-5678-90ab-cdef01234567",
  "eventID": "aa2c4a1b-e413-4a5a-877b-666190ba4cb9",
  "eventName": "Decrypt",
  "eventSource": "kms.amazonaws.com",
  "eventTime": "2018-03-12T10:37:14Z",
  "eventType": "AwsApiCall",
  "eventVersion": "1.05",
  "recipientAccountId": "123456789012",
  "requestID": "5449c522-25e1-11e8-bb5a-01b7ca551a5f",
  "requestParameters": null,
  "responseElements": null,
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
(the record continues on the next slide)
Slides 52 to 56 step through this record, asking:
• What happened?
• When did it happen?
• Which action and service?
• Where to?
• Where from?
57–58. Controls And Visibility
  "userIdentity": {
    "accessKeyId": "ASIAXXXXXXXX",
    "accountId": "123456789012",
    "arn": "arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678",
    "invokedBy": "AWS Internal",
    "principalId": "AROAXXXXXXXX:i-12345678",
    "sessionContext": {
      "attributes": { … },
      "sessionIssuer": {
        "accountId": "123456789012",
        "arn": "arn:aws:iam::123456789012:role/EC2WebAppRole",
        "principalId": "AROAXXXXXXXX",
        "type": "Role",
        "userName": "EC2WebAppRole"
      }
    },
    "type": "AssumedRole"
  }
}
• Who did it?
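The "rule of 6 Ws" above is a reading discipline; it is also easy to turn into code that answers the six questions from a record and flags the one case this deck is about, a KMS call that was refused. The Python below is an added example for this page, not AWS code and not the CloudTrail Processing Library. SAMPLE_RECORD is the AccessDenied event from slides 51 to 58 reassembled into one JSON document (the elided "attributes" object is left out). Which field answers which W is this editor's reading of the record; the slides only list the questions.

```python
"""Pull the six Ws out of a CloudTrail record and flag KMS access denials.

Added example for this page, not AWS code. The sample record is the KMS
AccessDenied event shown on the slides, reassembled into one JSON document.
The field-to-question mapping in six_ws() is this editor's reading.
"""
import json
import re
from datetime import datetime, timezone

SAMPLE_RECORD = r'''{
  "userIdentity": {
    "accessKeyId": "ASIAXXXXXXXX",
    "accountId": "123456789012",
    "arn": "arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678",
    "invokedBy": "AWS Internal",
    "principalId": "AROAXXXXXXXX:i-12345678",
    "sessionContext": {
      "sessionIssuer": {
        "accountId": "123456789012",
        "arn": "arn:aws:iam::123456789012:role/EC2WebAppRole",
        "principalId": "AROAXXXXXXXX",
        "type": "Role",
        "userName": "EC2WebAppRole"
      }
    },
    "type": "AssumedRole"
  },
  "awsRegion": "ap-southeast-2",
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:ap-southeast-2:123456789012:key/abcdef12-1234-5678-90ab-cdef01234567",
  "eventID": "aa2c4a1b-e413-4a5a-877b-666190ba4cb9",
  "eventName": "Decrypt",
  "eventSource": "kms.amazonaws.com",
  "eventTime": "2018-03-12T10:37:14Z",
  "eventType": "AwsApiCall",
  "eventVersion": "1.05",
  "recipientAccountId": "123456789012",
  "requestID": "5449c522-25e1-11e8-bb5a-01b7ca551a5f",
  "requestParameters": null,
  "responseElements": null,
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal"
}'''

# The denied action and the resource ARN only appear inside errorMessage.
DENIAL = re.compile(r"perform: (?P<action>\S+) on resource: (?P<resource>arn:[^\s,]+)")


def six_ws(record):
    """Map one CloudTrail record to the six questions from the slides."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    denied = DENIAL.search(record.get("errorMessage", ""))
    return {
        "what": record.get("errorCode", "Success"),
        "when": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                        .replace(tzinfo=timezone.utc),
        "which": f'{record["eventSource"]} {record["eventName"]}',
        # On a denial the target resource is the most useful "where to";
        # otherwise fall back to the region the call was made against.
        "where_to": denied.group("resource") if denied else record["awsRegion"],
        "who": identity.get("arn", "unknown"),
        "who_role": issuer.get("arn"),  # the role behind an assumed-role session
        "where_from": f'{record["sourceIPAddress"]} ({record["userAgent"]})',
    }


def is_kms_access_denied(record):
    """Detection rule: a KMS call that was refused. On an encrypted workload this
    is the signal that a principal without key permission touched the data."""
    return (record.get("eventSource") == "kms.amazonaws.com"
            and record.get("errorCode") == "AccessDenied")


def scan(records):
    """Run the rule over an iterable of parsed records; one summary line per hit."""
    hits = []
    for record in records:
        if is_kms_access_denied(record):
            w = six_ws(record)
            hits.append(f'{w["when"].isoformat()} {w["who"]} denied {w["which"]} on {w["where_to"]}')
    return hits


def sample_records():
    """Constructed input: the slide's denied Decrypt plus a successful copy of it."""
    denied = json.loads(SAMPLE_RECORD)
    ok = dict(denied)
    del ok["errorCode"], ok["errorMessage"]
    return [denied, ok]


if __name__ == "__main__":
    for line in scan(sample_records()):
        print(line)
```

Feeding this the page's record yields a single hit naming the instance session, the role that issued it, the Decrypt call and the key ARN it was refused on; the successful copy is ignored. In a real pipeline the same `scan()` would run over the CloudTrail objects delivered to the S3 bucket from slide 61, and the key ARN in "where_to" is what you would join against your KMS key inventory to decide whether the denial was expected.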
59. What Did We Learn?
• Encryption for everyone
• Broad range of integrated services
• Strong controls and visibility of your data
60. How Much Does It Cost?
AWS Certificate Manager
• SSL/TLS certificates are free when provisioned through AWS Certificate Manager: $0.00
AWS Key Management Service
• 1 Customer Managed Key (CMK) when creating 250 EBS volumes per month: $1.00 (CMK)
• 3 API requests to create and provision a unique data key for each EBS volume: $0.00 (0 billable requests: 750 requests – 20000 free tier requests)
Total: AWS Certificate Manager $0.00, AWS Key Management Service $1.00
61. Where Should You Start?
• Configure CloudTrail to save CloudTrail logs in your S3 bucket (AWS CloudTrail, Amazon S3)
• Enable encryption at rest with KMS (Amazon S3, Amazon EBS, Amazon RDS)
62. 34 Services Integrated With KMS
(Grouped on the slide by category: Storage & Content Delivery, Databases, Developer tools, Compute, Analytics, Enterprise Applications, Application Services, Management tools, Security, Identity & Compliance, Machine learning, Business productivity, Contact Center, Media Services)
Amazon S3, Amazon EBS, Amazon RDS, Amazon Systems Manager, AWS Import/Export Snowball, AWS Storage Gateway, Amazon EFS, Amazon DynamoDB, AWS Database Migration Service, Amazon Lightsail, AWS Lambda, Amazon Redshift, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, AWS CodePipeline, AWS Cloud9, AWS CloudTrail, Amazon CloudWatch Logs, Amazon EMR, Amazon Kinesis Firehose, Amazon Kinesis Streams, Amazon Elasticsearch, Amazon Athena, Amazon Elastic Transcoder, Amazon SES, Amazon SQS, Amazon WorkSpaces, Amazon WorkMail, AWS Certificate Manager, Alexa for Business, Amazon SageMaker, Amazon Connect, Amazon Kinesis Video Streams
63. References
• https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
• https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
• https://aws.amazon.com/blogs/security/
64. Thank You