2. # whoami
DevOps Engineer | Brazilian
Enjoys security and cloud automation
2015 was a big year
au.linkedin.com/in/ricardoxmit
3. What to expect today?
• Understand options for protecting your data
• Understand how KMS works
• Services that KMS is integrated with
• S3 and KMS
• EBS and KMS
• Demo
5. Options for encryption
1. Do it yourself
2. AWS Marketplace -> partner solutions
3. Use AWS KMS
4. HSM - Hardware Security Module
6. If you don't use a service to manage your keys…
• Keys that live in config files are exposed
- Application vulnerabilities, OS vulnerabilities, staff turnover
• It’s hard to track how the keys are being used
• Rotating keys can be painful
7. AWS Key Management Service (KMS)
• Managed service that simplifies creation, control, rotation, and use of encryption keys in your applications
• Integrated with AWS server-side encryption
• S3, EBS, RDS, Amazon Aurora, Amazon Redshift, WorkMail, Amazon WorkSpaces, CloudTrail, and Amazon Elastic Transcoder
8. "Keys" considerations with any solution
• Where are the keys stored?
• Where are keys used?
• Who has access to the keys?
• How can you make sure keys are being used for the correct people/applications?
9. Type of keys
• Symmetric key -> same key to encrypt and decrypt.
• Asymmetric key -> public / private key concept.
KMS uses Symmetric Encryption -> 256-bit AES for master key
10. Options to encrypt your data using KMS
1. Client-side encryption - you encrypt your data BEFORE the data is submitted to the service.
2. Server-side encryption - AWS encrypts data on your behalf AFTER the data is received by the service.
11. AWS KMS gives you control
You define who can:
• create key
• use a key
• enable/disable keys
• audit use of keys using CloudTrail
12. How do I use KMS?
Create Keys in KMS
• Give a name and description to the key
• Choose the IAM users and roles that can administer this key
• Choose the IAM users and roles that can use this key to encrypt and decrypt data
• A new policy will be created
15. Considerations about KMS
• Keys are regional. Re-encrypt your data when you move data between regions.
• Direct encryption is limited to 4k of data to optimize latency.
• Use envelope encryption with data keys for larger messages.
15+ years working in IT.
2015 -> spent a month taking cyber security courses + took 2 AWS exams
This is a 20-minute talk + demo.
You will understand how the service works, but you must read all the documentation.
- I have data that I want to encrypt.
- To do that, I generate a key. In this case, a symmetric key, and encrypt the data.
You can store the encrypted data anywhere, as you can only decrypt it using the key.
What we want to show is that key management is not that easy.
I have seen people storing the keys in S3 and Git repositories.
It is hard to protect them and keep track of what happened.
Hardware you own or hardware the cloud owns?
Client side or server side?
The demo is about option 2.
1. BEFORE: Encryption is implemented in your code and you can use your keys from your AWS account.
2. AFTER: AWS encrypts data on your behalf AFTER the data is received by the service. Encryption is handled automatically.
When you upload an object to a bucket you have 2 options:
S3 will decrypt the object for anyone with permission to access this object.
S3 will decrypt the object for anyone with permission to access this object and permission to use the master key.
Amazon S3 requests a plaintext data key and a copy of the key encrypted by using the specified customer-managed master key or the AWS-managed master key.
AWS KMS creates a data key, encrypts it by using the master key, and sends both the plaintext data key and the encrypted data key to Amazon S3.
Amazon S3 encrypts the data using the data key and removes the plaintext key from memory as soon as possible after use.
Amazon S3 stores the encrypted data key as metadata with the encrypted data.