How encryption works in AWS: What assurances do you have that unauthorized users won’t access your data? - FND310-R - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How encryption works in AWS: What
assurances do you have that unauthorized
users won’t access your data?
Ken Beer
General Manager – AWS Key Management Service
AWS
F N D 3 1 0 - R

Why encrypt in the cloud?
What everyone says
• Compliance
• Best practice in security
• Protect myself from my cloud provider’s other customers
• Protect myself from my cloud provider
What everyone means
• Minimizing unauthorized physical access to data
• Minimizing unauthorized logical access to data
• Confidentiality, Integrity, Availability

Minimizing unauthorized physical
access to data in the cloud
Data in transport
• On the wire – data center physical security, TLS, IPsec, MACsec
to prevent network sniffers/MITM
• On disk on a truck – courier/device security (e.g., AWS Snowball/AWS Snowmobile)
Data at rest
• Data center physical security
• Encryption – block, file, directory, file system, full disk
Data in use
• Data center physical security to prevent hands-on access to memory

Minimizing unauthorized logical
access to data in the cloud
Data in transport
• Networking access controls (security groups, VPC) that you control
• Encryption on the wire – TLS, IPsec, MACsec with keys that you control
Data at rest
• Access controls on data resource
• Encryption – Block, file, directory, file system, full disk with keys you control
Data in use
• Prevent unauthorized remote memory reads from service-owned memory
• Remove remote access tooling from customer-owned memory

Who cares most about controlling access?
IT security
Manages
key access
policies
Software
developer
Compliance
Verifies configuration
and historical access
Uses keys to
protect data

Control – What should it mean to you?
Access keys under your control
• You own the physical security of your access credentials
(console password, MFA, API signing keys)
• You alone can create/modify/delete resource permissions
• You have access to an audit event for every use of a credential or change to its state
Encryption keys/certificates under your control
• Keys are durable
• You trust your cloud provider to not lose them
• Maybe you also have a secured copy of keys outside the cloud for DR
• Keys are highly available
• You alone can create/modify/delete permissions to use keys
• You have access to an audit event for every use of a key or change to its state

AWS cryptography stack

IPsec options across several connections
VPC encryption
Default encryption between newer instance types
AWS managed VPN
IPsec VPN connection between your VPC and your single remote network – a virtual private
gateway provides two VPN endpoints (tunnels) for automatic failover
AWS VPN CloudHub over AWS Direct Connect
AWS managed VPN connections via your virtual private gateway to enable communication
between multiple remote networks
Third-party software VPN appliance
VPN connection to your remote network by using an Amazon EC2 instance in your VPC that's
running a third-party software VPN appliance

TLS over HTTP – BYO digital certificates
You can import your own certificates when using:
Your own applications running in Amazon EC2
Elastic Load Balancing (NLB/ALB)
Amazon CloudFront
Amazon API Gateway

AWS Certificate Manager (ACM)
Public Certificates
Provision TLS certificates for use with external-facing AWS resources
Amazon CloudFront
Amazon API Gateway
AWS Elastic Beanstalk
AWS handles the painful parts of PKI
Key pair and certificate signing request generation
Encryption of private keys via AWS KMS
Managed renewal and deployment
Domain validation (DV) through DNS validation/email

AWS Certificate Manager (ACM)
PrivateCertificates
Provision TLS certificates for use with internal-facing AWS resources
Amazon API Gateway
Exportable certificates (new!) for use with Amazon EC2 instances,
containers, on-premises servers, and IoT devices
AWS handles the painful parts of PKI
Key pair and certificate signing request generation
Encryption and storage of private keys
Managed renewal and deployment
– Notification options for exportable certificates

How are certificateswith private keys secured?
Elastic Load
Balancer
Plaintext
certificate
AWS Certificate
Manager
Encrypted certificate
in storage
AWS KMS
Data key +
encrypted data
key
Encrypted certificate

How are certificatesand private keys secured?
Elastic Load
Balancer
AWS KMS
Encrypted data
key
Decrypted data
key
Encrypted CertificatePlaintext
certificate

Third-party evidence of security controls in ACM
EN 319 411-1

Making TLS work better – s2n
• A TLS library designed by AWS to help your developers implement transport security
with faster performance
• Eliminates rarely used TLS options and extensions from libssl
• Used by many AWS services (all of Amazon S3) and available as open source
• Automated formal verification proves that outputs of the cryptographic operations are
correct for all potential inputs
https://github.com/awslabs/s2n

Plaintext
data
Hardware/
software
Encrypted
data
Encrypted
data in storage
Encrypted data
key
Symmetric
data key
Master keySymmetric
data key
? Key hierarchy
Key management
?
Data-at-rest encryption primer

Options for data-at-rest encryption in AWS
Client-side encryption
• You encrypt your data before submitting it to an AWS service
• You supply encryption keys OR use keys in AWS KMS under your control
• Tools: AWS Encryption SDK, Amazon S3 Encryption Client, EMRFS Client, Amazon DynamoDB
Encryption Client
Server-side encryption
• AWS encrypts data on your behalf after it is received by the service
• 54 services including Amazon S3, Amazon EBS, Amazon RDS, Amazon Redshift, Amazon
WorkSpaces, Amazon Kinesis Data Streams, AWS CloudTrail…
• Integrated with AWS KMS so that you control key lifecycle and permissions

Your
applications
in your data
center
Your encrypted data in AWS services
Client-side encryption in AWS
EncryptionSDK,S3/EMRFS/DynamoDBclients,customer-supplied
AWS
Encryption SDK
Your key management
infrastructure
AWS
KMS
AWS
CloudHSM
Your key
management
infrastructure in EC2
Your application
in EC2

AWS Encryption SDK
Makingclient-sideencryptionsaferandeasier
In order to encrypt, developers have to keep track of only two things
• The message/file/stream they want to encrypt
• An identifier that points to the source of their keys (i.e., key provider)
Advanced users can customize the SDK in multiple ways
• Encrypt under different keys in different regions
• Cache data keys for re-use to minimize call rate to AWS KMS for better performance
Available in C, Java, Python, CLI
http://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html

Server-side encryption in AWS
Two-tiered key hierarchy using envelope encryption
• Unique data key encrypts customer data
• Customer master keys encrypt data keys
Benefits
• Limits risk of compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys than
billions of data keys
• Centralized access and audit of key activity
Customer master
keys
Data key 1
S3 object EBS volume Amazon Redshift
cluster
Data key 2 Data key 3 Data key 4
AWS Encryption
SDK
KMS

AWS KMS architecture
Your on-premises HSM
(BYOK)
Custom Key Store cluster
(AWS CloudHSM)
Native AWS KMS HSMs
• Data key generation
• Encryption
• Decryption
Your
data
Your client
(e.g., AWS Encryption SDK)
AWS
services
AWS KMS API
endpoint
• Authentication
• Authorization
• Logging

Stored by AWS KMS
AWS KMS key hierarchy
AWS KMS-managed
• All Hardened Security Modules (HSM) in a Region self-
generate keys in memory when provisioned; private keys
never leave the HSM
Encrypted by
Keys on HSMs in a Region
Customer-managed
• 256-bit symmetric customer master key generated in HSM or
imported by customer
• Stored in encrypted form in several locations by KMS; plaintext
version used only in memory on HSMs on demandEncrypted by
Customer master
key
Customer-managed or AWS service-managed
• 256-bit symmetric key returned to client by AWS
KMS to use for encrypting bulk data
Data Key

Security controls enforced by AWS KMS
When operational with keys provisioned
• No AWS operator can access a host
• No software updates allowed
After reboot and in a non-operational state
• No key material on host
• Software can only be updated
• After multiple AWS employees have reviewed the code
• It passes integration tests to ensure that no code was introduced that might leak
keys from memory
• Under quorum of multiple AWS KMS operators with valid credentials
Third-party evidence
• SOC 1 – Control 4.5: Customer master keys used for cryptographic operations in KMS are logically
secured so that no single AWS employee can gain access to the key material.
Keys on HSMs in a Region

You control how your AWS KMS keys are used
Each customer master key has a resource policy, which defines permissions for use
Sample permissions on a key
• Can only be used for encryption and decryption by <these users and roles> in
<these accounts>
• Can be used by application A to encrypt data and is only used by application B to
decrypt data
• Can be managed only by this set of administrator users or roles
• Can be used by <these external accounts>, but only for encryption/decryption, not administrative
tasks
Fully integrated with AWS Identity and Access Management

How AWS services use data keys
The EC2/EBS model
• Unique data keys per resource from AWS KMS are stored in hypervisor volatile memory for as long as
your resource is attached
• Permissions exist for AWS to re-provision data keys to volatile memory in cases of
AWS-caused events
• Examples: EBS, RDS, Amazon Redshift, Amazon WorkSpaces, Amazon Lightsail
The Amazon S3 model
• Data keys from AWS KMS are only used in volatile memory of service hosts for short periods
• Permissions may be created by you for a service to use keys in response to asynchronous events related
to your data in other services (e.g., writing CloudTrail events in S3)
• Examples: S3, Amazon EMR, CloudTrail, Amazon Athena, Amazon Kinesis, Amazon SQS, Amazon
CloudWatch

EBS encryption: Create volume
Data key
encrypted
under CMK
AWS KMS
kms.GenerateDataKey
WithoutPlaintext
IAM
AuthN/AuthZ
Does Alice have permission
to call
kms.GenerateDataKey
WithoutPlaintext?
EBS volume
Alice

EBS encryption: Attach volume
AWS KMS
Data key
encrypted
under CMK
IAM
AuthN/AuthZ
Does Alice have permission
to call kms.Decrypt?
EC2 instance
EBS volume
Alice
Data key
encrypted
under instance
public key

Nitro: Protecting the Amazon EBS encryption data key
Nitro cards Nitro security chip Nitro hypervisor
VPC networking
Amazon EBS
Instance storage
System controller
Integrated into motherboard
Protects hardware resources
Hardware root of trust
Lightweight hypervisor
Memory and CPU allocation
Bare Metal-like performance

Audit AWS KMS usage with AWS CloudTrail
"EventName":"DecryptResult", This AWS KMS API action was called…
"EventTiime":"2019-06-24T18:13:07Z", ….at this time
"RequestParameters":
"{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex”}”, …in reference to this CMK
“EncryptionContext":"vol-01b31f3f1d32b2f7f", …to protect this AWS resource
"SourceIPAddress":" 203.0.113.113", …from this IP address
"UserIdentity":
“{"arn":"arn:aws:iam:: 111122223333:user/User123“} …by this AWS user in this account

Third-party evidence of security controls in AWS KMS

AWS KMS cryptographic details
https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

AWS KMS best practices whitepaper
https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf

AWS KMS compliance reports
https://aws.amazon.com/artifact/

Crypto-related breakouts
FND302 – Data encryption concepts in AWS – using Cloud9 IDE
FND221 – Implement access control to data in AWS services using KMS
SDD353 – Cross-account encryption with AWS KMS and Slack Enterprise Key Management
SDD304 – Deep dive into AWS KMS
SDD402 – Using the AWS Encryption SDK for multiple master key encryption
SDD413 – How GoDaddy protects ecommerce and domains with AWS KMS and encryption
SDD333 – Achieving security goals with AWS CloudHSM
SEP304 – Cryptography in the next cycle

Thank you!
Ken Beer
kenbeer@amazon.com

How encryption works in AWS: What assurances do you have that unauthorized users won’t access your data? - FND310-R - AWS re:Inforce 2019

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie How encryption works in AWS: What assurances do you have that unauthorized users won’t access your data? - FND310-R - AWS re:Inforce 2019

Ähnlich wie How encryption works in AWS: What assurances do you have that unauthorized users won’t access your data? - FND310-R - AWS re:Inforce 2019 (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

How encryption works in AWS: What assurances do you have that unauthorized users won’t access your data? - FND310-R - AWS re:Inforce 2019