© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Encryption For Everyone
Aurelien Requiem
Solutions Architect, Amazon Web Services
Encryption Services
• AWS Certificate Manager (ACM)
• AWS Key Management Service (KMS)
AWS Key Management Service
[Diagram: the application's data, information and business logic are encrypted with a data encryption key; what gets stored is the encrypted data plus the encrypted data key, with AWS KMS holding the key that encrypts the data key]
AWS Certificate Manager
[Diagram: customers and employees reach the customer environment on AWS through Amazon CloudFront, Elastic Load Balancing and API Gateway, whose certificates are issued by AWS Certificate Manager, itself backed by AWS KMS]
Your Workload On AWS
Multitier Workload on AWS
[Diagram: Visitors / Users → Amazon CloudFront → Elastic Load Balancing → EC2 instances → Amazon Relational Database Service (RDS), plus an S3 Bucket and an EBS snapshot]
The same diagram is shown three more times, highlighting in turn:
• Static content in Amazon S3
• Customer content in Amazon EBS
• Network communication
Protecting Your Static Content In Amazon S3
[Diagram: EC2 instances writing to the S3 Bucket in the multitier workload]
• S3 Bucket properties (screenshot)
• KMS Key permissions for the EC2 role (screenshot)
Command (run from the EC2 instance):
aws s3 cp /space/data/hr-confidential-report.pdf s3://sydsummit18/hr-confidential-report.pdf
Output:
upload: /space/data/hr-confidential-report.pdf to s3://sydsummit18/hr-confidential-report.pdf
Use KMS and you will never have a world readable object
What if… the S3 Bucket Policy makes the bucket public?
• Bucket public read
• Bucket public write
Results:
• Bucket public read: Denied
• Bucket public write: Denied
Reason:
• Require KMS Key permission
Use KMS and you will never have a world readable object
Protecting Your Content In Amazon EBS
[Diagram: the multitier workload, with the EC2 instances and their EBS snapshot highlighted]
How EC2 and EBS work together
[Diagram: EC2 Instance (compute layer) attached to EBS Volume(s) (storage layer)]
Full disk encryption, in the past:
• Have the data encryption key stored in plain-text
• Manually enter the encryption key passphrase
Creating an encrypted EBS volume (screenshot)
Which data is encrypted?
• Data at rest in the EBS volume
• Data moving between EBS and EC2
• Underlying server performs encryption/decryption
[Diagram: EC2 Instance (compute layer) and EBS Volume (storage layer)]
• All snapshots created from the EBS volume
• All EBS volumes created from those snapshots
[Diagram: EBS Volume → EBS Snapshot → EBS Volume]
Use KMS and never risk exposing your backups to the world
What if… the EBS Snapshot permissions make the snapshot public?
• Snapshot public read
Results:
• Copy snapshot: Denied
• Create volume: Denied
Reason:
• Require KMS Key permissions
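Added example, not code from the slides or from AWS: the mechanism behind both "Require KMS Key permission" results, for the public S3 bucket and for the public EBS snapshot, is the envelope encryption sketched on the AWS Key Management Service slide at the start of the deck. This Go program reproduces it locally. The MasterKey type stands in for the KMS customer master key (an assumption of the example; real KMS keeps the key material and exposes only GenerateDataKey and Decrypt, both gated by IAM and the key policy), each object gets its own AES-256-GCM data key, and only the wrapped data key is stored next to the ciphertext. The key aliases and the sample object are constructed. Whoever obtains the stored bytes, public or not, cannot unwrap the data key without permission on the master key, which is what the Denied results show.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MasterKey is a local stand-in for a KMS customer master key (assumption: real
// KMS never releases the key material, only the GenerateDataKey/Decrypt calls).
type MasterKey struct {
	id  string
	key []byte // 32 bytes, AES-256
}

// Envelope is what S3 or EBS stores: ciphertext plus the wrapped data key.
type Envelope struct {
	EncryptedDataKey []byte // nonce || AES-GCM(masterKey, dataKey)
	Ciphertext       []byte // nonce || AES-GCM(dataKey, plaintext)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}
func NewMasterKey(id string) *MasterKey { return &MasterKey{id: id, key: randomBytes(32)} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key or any tampering fails authentication.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey mirrors the KMS call of that name: a fresh data key in the
// clear for immediate use, plus the same key wrapped under the master key.
func (m *MasterKey) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = seal(m.key, plain, []byte(m.id))
	return plain, wrapped, err
}

// Decrypt mirrors KMS Decrypt, the call that needs kms:Decrypt on the key.
func (m *MasterKey) Decrypt(wrapped []byte) ([]byte, error) {
	return unseal(m.key, wrapped, []byte(m.id))
}

// EncryptEnvelope protects one object under its own data key.
func EncryptEnvelope(m *MasterKey, plaintext []byte) (*Envelope, error) {
	dataKey, wrapped, err := m.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedDataKey: wrapped, Ciphertext: ct}, nil
}

// DecryptEnvelope unwraps the data key first, then the data; without the master
// key that wrapped it, the first step fails and the ciphertext stays opaque.
func DecryptEnvelope(m *MasterKey, env *Envelope) ([]byte, error) {
	dataKey, err := m.Decrypt(env.EncryptedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key with %s: %w", m.id, err)
	}
	return unseal(dataKey, env.Ciphertext, nil)
}

func main() {
	cmk := NewMasterKey("alias/sydsummit18") // constructed key alias
	env, _ := EncryptEnvelope(cmk, []byte("constructed sample object"))
	pt, _ := DecryptEnvelope(cmk, env)
	_, err := DecryptEnvelope(NewMasterKey("alias/other"), env) // no rights to cmk
	fmt.Printf("key owner reads %q; without the key: %v\n", pt, err)
}
```

The key id is bound into the wrap as GCM associated data, so a data key wrapped under one master key cannot even be presented to another; the only way in is the Decrypt call on the master key that produced it, which is exactly the call IAM denies to the public principal.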
KMS, the service that keeps on giving…
[Diagram: RDS Instance on an EBS Volume, EC2 Instance on an EBS Volume]
Amazon RDS takes advantage of EBS volumes for its storage layer. This gives you the same security benefits when encrypting your data at rest using KMS.
[Diagram: EBS Snapshot, AWS Regions, AWS Account]
When using KMS with integrated services, you control where your data may be copied to and whom you share your data with.
Multitier Workload On AWS
[Diagram: Visitors / Users → Amazon CloudFront → Elastic Load Balancing → EC2 instances → Amazon Relational Database Service (RDS), plus an S3 Bucket and an EBS snapshot]
Data moving through the workload:
• Login/Password
• Personal information
• Payment details
• Confidential data
• Company data
Protecting Your Data In Transit
[Diagram: Visitors / Users connecting to Amazon CloudFront and Elastic Load Balancing]
Reasons:
• Assure data communication integrity
• Protect against eavesdropping
• Create trust online
“Dance like no one is watching, encrypt like everyone is.”
Requesting a certificate (screenshot)
Deploying a certificate in Amazon CloudFront (screenshot)
What if…?
• You forget to renew the certificate?
Features
• Automated certificate renewal
• Automated deployment
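Added example, not part of the slides: a certificate-expiry check of the kind you still need for any TLS endpoint whose certificate ACM does not renew for you, which is the failure mode the "What if you forget to renew the certificate?" slide points at. It is this editor's Go code, not an AWS tool. The hostname www.example.com, the 30-day renewal threshold and the self-signed certificates it generates to exercise the check offline are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RenewalStatus classifies a certificate relative to a reference time.
type RenewalStatus string

const (
	StatusOK      RenewalStatus = "ok"
	StatusRenew   RenewalStatus = "renew-now"
	StatusExpired RenewalStatus = "expired"
)

// ParseCertPEM decodes the first CERTIFICATE block in pemBytes.
func ParseCertPEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// DaysUntilExpiry is the whole number of days from now until NotAfter
// (negative once the certificate has expired).
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// CheckRenewal applies the renewal threshold: expired, due for renewal, or ok.
func CheckRenewal(cert *x509.Certificate, now time.Time, thresholdDays int) RenewalStatus {
	switch d := DaysUntilExpiry(cert, now); {
	case now.After(cert.NotAfter):
		return StatusExpired
	case d < thresholdDays:
		return StatusRenew
	default:
		return StatusOK
	}
}

// NewSelfSignedPEM issues a throwaway self-signed certificate valid for validDays
// from notBefore, so the check can be exercised offline (constructed test
// material, not a real ACM certificate).
func NewSelfSignedPEM(host string, notBefore time.Time, validDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second) // x509 times carry second precision
	cases := []struct {
		name      string
		notBefore time.Time
		days      int
	}{{"fresh", now, 400}, {"nearly-expired", now, 12}, {"expired", now.AddDate(0, 0, -90), 30}}
	for _, c := range cases {
		pemBytes, err := NewSelfSignedPEM("www.example.com", c.notBefore, c.days)
		if err != nil {
			panic(err)
		}
		cert, err := ParseCertPEM(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-15s NotAfter=%s days-left=%4d status=%s\n", c.name,
			cert.NotAfter.Format("2006-01-02"), DaysUntilExpiry(cert, now), CheckRenewal(cert, now, 30))
	}
}
```

Run it from a cron job against the PEM you serve (or the leaf certificate from a TLS handshake) and alert on anything other than "ok"; ACM's automated renewal is what makes this job disappear for CloudFront, ELB and API Gateway.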
ACM, the service that also keeps on giving
[Diagram: AWS Certificate Manager issuing certificates to Amazon CloudFront, Elastic Load Balancing and API Gateway]
Other integrated services:
• AWS Elastic Beanstalk
• AWS CloudFormation
Security is our top priority
[Diagram: AWS Certificate Manager backed by AWS Key Management Service (KMS)]
Internal features
1. Certificate and private key encrypted with data key
2. Data key encrypted with KMS master key
Controls And Visibility
• How do you track actions performed on your data?
• How do you record actions that used your KMS keys?
• How do you prove it’s really working?
CloudTrail provides:
• AWS API logs for your account, per region
• The ability to detect missing and altered logs
[Diagram: services and customer API requests → AWS CloudTrail → Amazon S3, with AWS KMS]
AWS CloudTrail
• Records of all AWS API requests
• Supports filtering rules
• JSON format
• Integrated with Amazon Athena
• CloudTrail Processing Library for Java
Reading CloudTrail logs is as easy as “The rule of 6 W”:
• What happened?
• When did it happen?
• Which action and service?
• Where to?
• Who did it?
• Where from?
Sample CloudTrail record: a denied KMS Decrypt call by the web application's EC2 role, annotated with the 6 W
{
  "awsRegion": "ap-southeast-2",                      ← Where to?
  "errorCode": "AccessDenied",                        ← What happened?
  "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:ap-southeast-2:123456789012:key/abcdef12-1234-5678-90ab-cdef01234567",
  "eventID": "aa2c4a1b-e413-4a5a-877b-666190ba4cb9",
  "eventName": "Decrypt",                             ← Which action and service?
  "eventSource": "kms.amazonaws.com",
  "eventTime": "2018-03-12T10:37:14Z",                ← When did it happen?
  "eventType": "AwsApiCall",
  "eventVersion": "1.05",
  "recipientAccountId": "123456789012",
  "requestID": "5449c522-25e1-11e8-bb5a-01b7ca551a5f",
  "requestParameters": null,
  "responseElements": null,
  "sourceIPAddress": "AWS Internal",                  ← Where from?
  "userAgent": "AWS Internal",
  "userIdentity": {                                   ← Who did it?
    "accessKeyId": "ASIAXXXXXXXX",
    "accountId": "123456789012",
    "arn": "arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678",
    "invokedBy": "AWS Internal",
    "principalId": "AROAXXXXXXXX:i-12345678",
    "sessionContext": {
      "attributes": { … },
      "sessionIssuer": {
        "accountId": "123456789012",
        "arn": "arn:aws:iam::123456789012:role/EC2WebAppRole",
        "principalId": "AROAXXXXXXXX",
        "type": "Role",
        "userName": "EC2WebAppRole"
      }
    },
    "type": "AssumedRole"
  }
}
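Added example, not from the slides: the "rule of 6 W" applied programmatically to the record above, in Go. The sample event is the deck's own record, abridged to the fields the six questions need; the mapping of fields to questions and the IsDeniedKMSDecrypt detection rule are this example's own choices, not an AWS-defined scheme.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// SampleEvent is the record from the slides, abridged to the fields used here.
const SampleEvent = `{
  "awsRegion": "ap-southeast-2",
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:ap-southeast-2:123456789012:key/abcdef12-1234-5678-90ab-cdef01234567",
  "eventName": "Decrypt",
  "eventSource": "kms.amazonaws.com",
  "eventTime": "2018-03-12T10:37:14Z",
  "sourceIPAddress": "AWS Internal",
  "userIdentity": {
    "arn": "arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678",
    "sessionContext": {
      "sessionIssuer": {
        "arn": "arn:aws:iam::123456789012:role/EC2WebAppRole",
        "userName": "EC2WebAppRole"
      }
    },
    "type": "AssumedRole"
  }
}`

// CloudTrailEvent holds the fields of a record that the six questions need.
type CloudTrailEvent struct {
	AwsRegion       string `json:"awsRegion"`
	ErrorCode       string `json:"errorCode"`
	ErrorMessage    string `json:"errorMessage"`
	EventName       string `json:"eventName"`
	EventSource     string `json:"eventSource"`
	EventTime       string `json:"eventTime"`
	SourceIPAddress string `json:"sourceIPAddress"`
	UserIdentity    struct {
		Type           string `json:"type"`
		Arn            string `json:"arn"`
		SessionContext struct {
			SessionIssuer struct {
				Arn string `json:"arn"`
			} `json:"sessionIssuer"`
		} `json:"sessionContext"`
	} `json:"userIdentity"`
}

// SixW is the analyst's one-line-per-question summary of a record.
type SixW struct {
	What, When, Which, WhereTo, Who, WhereFrom string
}

// resourceARN pulls the target ARN out of an AccessDenied message.
var resourceARN = regexp.MustCompile(`resource: (arn:aws:[^\s"]+)`)

// Summarize answers the six questions from one raw CloudTrail JSON record.
func Summarize(raw []byte) (SixW, error) {
	var ev CloudTrailEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return SixW{}, err
	}
	s := SixW{
		What:      "success",
		When:      ev.EventTime,
		Which:     strings.TrimSuffix(ev.EventSource, ".amazonaws.com") + ":" + ev.EventName,
		WhereTo:   ev.AwsRegion,
		Who:       ev.UserIdentity.Arn,
		WhereFrom: ev.SourceIPAddress,
	}
	if ev.ErrorCode != "" {
		s.What = ev.ErrorCode
	}
	if m := resourceARN.FindStringSubmatch(ev.ErrorMessage); m != nil {
		s.WhereTo = m[1] // the exact resource beats the bare region
	}
	if issuer := ev.UserIdentity.SessionContext.SessionIssuer.Arn; issuer != "" {
		s.Who = issuer + " via session " + ev.UserIdentity.Arn // role, then the session that assumed it
	}
	return s, nil
}

// IsDeniedKMSDecrypt is a simple detection rule: a denied kms:Decrypt means a
// principal tried to read KMS-protected data it has no key permission for, whether
// a misconfigured role or someone probing a bucket or snapshot made public.
func IsDeniedKMSDecrypt(raw []byte) bool {
	var ev CloudTrailEvent
	if json.Unmarshal(raw, &ev) != nil {
		return false
	}
	return ev.EventSource == "kms.amazonaws.com" && ev.EventName == "Decrypt" && ev.ErrorCode == "AccessDenied"
}

func main() {
	s, err := Summarize([]byte(SampleEvent))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\nflag as denied KMS Decrypt: %v\n", s, IsDeniedKMSDecrypt([]byte(SampleEvent)))
}
```

The "Who" answer deliberately names the role from sessionIssuer before the session ARN: the session identifies the instance that made the call, but the role is what you fix when the call was unexpected.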
What Did We Learn?
• Encryption for everyone
• Broad range of integrated services
• Strong controls and visibility of your data
How Much Does It Cost?
AWS Certificate Manager:
• SSL/TLS certificates are free when provisioned through AWS Certificate Manager: $0.00
AWS Key Management Service (example: 250 EBS volumes created per month):
• 1 Customer Managed Key (CMK): $1.00
• 3 API requests to create and provision a unique data key for each EBS volume: 750 requests – 20,000 free-tier requests = 0 billable requests: $0.00
Total: ACM $0.00, KMS $1.00
Where Should You Start?
• Configure CloudTrail to save CloudTrail logs in your S3 bucket (AWS CloudTrail → Amazon S3)
• Enable encryption at rest with KMS (Amazon S3, Amazon EBS, Amazon RDS)
34 Services Integrated With KMS
• Amazon S3
• Amazon EBS
• Amazon RDS
• Amazon Systems Manager
• AWS Import/Export Snowball
• AWS Storage Gateway
• Amazon EFS
• Amazon DynamoDB
• AWS Database Migration Service
• Amazon Lightsail
• AWS Lambda
• Amazon Redshift
• AWS CodeCommit
• AWS CodeBuild
• AWS CodeDeploy
• AWS CodePipeline
• AWS Cloud9
• AWS CloudTrail
• Amazon CloudWatch Logs
• Amazon EMR
• Amazon Kinesis Firehose
• Amazon Kinesis Streams
• Amazon Elasticsearch
• Amazon Athena
• Amazon Elastic Transcoder
• Amazon SES
• Amazon SQS
• Amazon WorkSpaces
• Amazon WorkMail
• AWS Certificate Manager
• Alexa for Business
• Amazon SageMaker
• Amazon Connect
• Amazon Kinesis Video Streams
Service categories shown on the slide: Storage & Content Delivery; Databases; Developer tools; Compute; Analytics; Enterprise Applications; Application Services; Management tools; Security, Identity & Compliance; Machine learning; Business productivity; Contact Center; Media Services.
References
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
https://aws.amazon.com/blogs/security/
Thank You

 
Cloud Data Migration with Amazon EBS (CMP406-R2) - AWS re:Invent 2018
Cloud Data Migration with Amazon EBS (CMP406-R2) - AWS re:Invent 2018Cloud Data Migration with Amazon EBS (CMP406-R2) - AWS re:Invent 2018
Cloud Data Migration with Amazon EBS (CMP406-R2) - AWS re:Invent 2018Amazon Web Services
 
Using Search with a Database - Peter Dachnowicz
Using Search with a Database - Peter DachnowiczUsing Search with a Database - Peter Dachnowicz
Using Search with a Database - Peter DachnowiczAmazon Web Services
 
Migrating Large Scale Data Sets to the Cloud - STG204 - re:Invent 2017
Migrating Large Scale Data Sets to the Cloud - STG204 - re:Invent 2017Migrating Large Scale Data Sets to the Cloud - STG204 - re:Invent 2017
Migrating Large Scale Data Sets to the Cloud - STG204 - re:Invent 2017Amazon Web Services
 
Improving Backup & DR – AWS Storage Gateway - AWS Online Tech Talks
Improving Backup & DR – AWS Storage Gateway - AWS Online Tech TalksImproving Backup & DR – AWS Storage Gateway - AWS Online Tech Talks
Improving Backup & DR – AWS Storage Gateway - AWS Online Tech TalksAmazon Web Services
 
Securing Your Big Data Workload - AWS Summit Sydney 2018
Securing Your Big Data Workload - AWS Summit Sydney 2018Securing Your Big Data Workload - AWS Summit Sydney 2018
Securing Your Big Data Workload - AWS Summit Sydney 2018Amazon Web Services
 
AWS Portfolio: highlight delle categorie di prodotti AWS con esempi
AWS Portfolio: highlight delle categorie di prodotti AWS con esempiAWS Portfolio: highlight delle categorie di prodotti AWS con esempi
AWS Portfolio: highlight delle categorie di prodotti AWS con esempiAmazon Web Services
 
Adding Search to DynamoDB: Database Week San Francisco
Adding Search to DynamoDB: Database Week San FranciscoAdding Search to DynamoDB: Database Week San Francisco
Adding Search to DynamoDB: Database Week San FranciscoAmazon Web Services
 
Using Search with a Database: Database Week SF
Using Search with a Database: Database Week SFUsing Search with a Database: Database Week SF
Using Search with a Database: Database Week SFAmazon Web Services
 

Similar a Encryption for Everyone - AWS Summit Sydney 2018 (20)

Protecting Amazon EC2 Instances, Relational Databases, and NoSQL Workloads (S...
Protecting Amazon EC2 Instances, Relational Databases, and NoSQL Workloads (S...Protecting Amazon EC2 Instances, Relational Databases, and NoSQL Workloads (S...
Protecting Amazon EC2 Instances, Relational Databases, and NoSQL Workloads (S...
 
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
 
AWSomeday Brussels Technical Track
AWSomeday Brussels Technical TrackAWSomeday Brussels Technical Track
AWSomeday Brussels Technical Track
 
Deep Dive: Building Hybrid Cloud Storage Architectures with AWS Storage Gatew...
Deep Dive: Building Hybrid Cloud Storage Architectures with AWS Storage Gatew...Deep Dive: Building Hybrid Cloud Storage Architectures with AWS Storage Gatew...
Deep Dive: Building Hybrid Cloud Storage Architectures with AWS Storage Gatew...
 
Automating Backup and Archiving on AWS with Commvault (STG358) - AWS re:Inven...
Automating Backup and Archiving on AWS with Commvault (STG358) - AWS re:Inven...Automating Backup and Archiving on AWS with Commvault (STG358) - AWS re:Inven...
Automating Backup and Archiving on AWS with Commvault (STG358) - AWS re:Inven...
 
SRV302 Deep Dive: Hybrid Cloud Storage with AWS Storage Gateway
 SRV302 Deep Dive: Hybrid Cloud Storage with AWS Storage Gateway SRV302 Deep Dive: Hybrid Cloud Storage with AWS Storage Gateway
SRV302 Deep Dive: Hybrid Cloud Storage with AWS Storage Gateway
 
Deep Dive on New Features in Amazon S3 & Glacier - AWS Online Tech Talks
Deep Dive on New Features in Amazon S3 & Glacier - AWS Online Tech TalksDeep Dive on New Features in Amazon S3 & Glacier - AWS Online Tech Talks
Deep Dive on New Features in Amazon S3 & Glacier - AWS Online Tech Talks
 
Modern Applications Web Day | Container Workloads on AWS
Modern Applications Web Day | Container Workloads on AWSModern Applications Web Day | Container Workloads on AWS
Modern Applications Web Day | Container Workloads on AWS
 
Building Hybrid Cloud Storage Architectures with AWS
Building Hybrid Cloud Storage Architectures with AWSBuilding Hybrid Cloud Storage Architectures with AWS
Building Hybrid Cloud Storage Architectures with AWS
 
Query in Place with AWS (STG315-R1) - AWS re:Invent 2018
Query in Place with AWS (STG315-R1) - AWS re:Invent 2018Query in Place with AWS (STG315-R1) - AWS re:Invent 2018
Query in Place with AWS (STG315-R1) - AWS re:Invent 2018
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
 
Cloud Data Migration with Amazon EBS (CMP406-R2) - AWS re:Invent 2018
Cloud Data Migration with Amazon EBS (CMP406-R2) - AWS re:Invent 2018Cloud Data Migration with Amazon EBS (CMP406-R2) - AWS re:Invent 2018
Cloud Data Migration with Amazon EBS (CMP406-R2) - AWS re:Invent 2018
 
Using Search with a Database - Peter Dachnowicz
Using Search with a Database - Peter DachnowiczUsing Search with a Database - Peter Dachnowicz
Using Search with a Database - Peter Dachnowicz
 
Migrating Large Scale Data Sets to the Cloud - STG204 - re:Invent 2017
Migrating Large Scale Data Sets to the Cloud - STG204 - re:Invent 2017Migrating Large Scale Data Sets to the Cloud - STG204 - re:Invent 2017
Migrating Large Scale Data Sets to the Cloud - STG204 - re:Invent 2017
 
Improving Backup & DR – AWS Storage Gateway - AWS Online Tech Talks
Improving Backup & DR – AWS Storage Gateway - AWS Online Tech TalksImproving Backup & DR – AWS Storage Gateway - AWS Online Tech Talks
Improving Backup & DR – AWS Storage Gateway - AWS Online Tech Talks
 
Securing Your Big Data Workload - AWS Summit Sydney 2018
Securing Your Big Data Workload - AWS Summit Sydney 2018Securing Your Big Data Workload - AWS Summit Sydney 2018
Securing Your Big Data Workload - AWS Summit Sydney 2018
 
AWS Portfolio: highlight delle categorie di prodotti AWS con esempi
AWS Portfolio: highlight delle categorie di prodotti AWS con esempiAWS Portfolio: highlight delle categorie di prodotti AWS con esempi
AWS Portfolio: highlight delle categorie di prodotti AWS con esempi
 
APN Live-AWS Core Services
APN Live-AWS Core ServicesAPN Live-AWS Core Services
APN Live-AWS Core Services
 
Adding Search to DynamoDB: Database Week San Francisco
Adding Search to DynamoDB: Database Week San FranciscoAdding Search to DynamoDB: Database Week San Francisco
Adding Search to DynamoDB: Database Week San Francisco
 
Using Search with a Database: Database Week SF
Using Search with a Database: Database Week SFUsing Search with a Database: Database Week SF
Using Search with a Database: Database Week SF
 

Más de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Encryption for Everyone - AWS Summit Sydney 2018

  • 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Aurelien Requiem Solutions Architect, Amazon Web Services Encryption For Everyone
  • 2. Encryption Services: AWS Certificate Manager (ACM), AWS Key Management Service (KMS)
  • 3. AWS Key Management Service (diagram labels: Data, Information, Business Logic; Data Encryption Key; Encrypted data + Encrypted data key; AWS KMS)
  • 4. AWS Certificate Manager (diagram labels: Customers, Employees; Customer Environment on AWS: Amazon CloudFront, Elastic Load Balancing, API Gateway; AWS Certificate Manager, AWS KMS)
  • 5. Your Workload On AWS
  • 6. Multitier Workload on AWS: Static content in Amazon S3 (diagram labels: Visitors / Users, Amazon CloudFront, Elastic Load Balancing, EC2 instances, Amazon Relational Database Service (RDS), S3 Bucket, EBS snapshot)
  • 7. Multitier Workload on AWS: Customer content in Amazon EBS (same diagram)
  • 8. Multitier Workload on AWS: Network communication (same diagram)
  • 9. Multitier Workload on AWS (same diagram)
  • 10. Multitier Workload on AWS (same diagram)
  • 11. Protecting Your Static Content In Amazon S3 (diagram labels: Visitors / Users, Amazon CloudFront, Elastic Load Balancing, S3 Bucket, EBS snapshot, Amazon Relational Database Service (RDS), EC2 instances)
  • 12. Protecting Your Static Content In Amazon S3 (diagram labels: S3 Bucket, EC2 instances)
  • 13. Protecting Your Static Content In Amazon S3: S3 Bucket properties (diagram labels: S3 Bucket, EC2 instances)
  • 14. Protecting Your Static Content In Amazon S3: KMS Key permissions for the EC2 role (diagram labels: S3 Bucket, EC2 instances)
  • 15. Protecting Your Static Content In Amazon S3 (diagram labels: S3 Bucket, EC2 instances)
      Command: aws s3 cp /space/data/hr-confidential-report.pdf s3://sydsummit18/hr-confidential-report.pdf
      Output: upload: /space/data/hr-confidential-report.pdf to s3://sydsummit18/hr-confidential-report.pdf
  • 16. Protecting Your Static Content In Amazon S3: Use KMS and you will never have a world-readable object
  • 17. Protecting Your Static Content In Amazon S3 (diagram labels: S3 Bucket, EC2 instances)
  • 18. Protecting Your Static Content In Amazon S3: S3 Bucket Public. What if… the S3 Bucket Policy allows:
      • Bucket public read
      • Bucket public write
  • 19. Protecting Your Static Content In Amazon S3: S3 Bucket Public. Results:
      • Bucket public read
      • Bucket public write
  • 20. Protecting Your Static Content In Amazon S3: S3 Bucket Public. Results:
      • Bucket public read: Denied
      • Bucket public write: Denied
  • 21. Protecting Your Static Content In Amazon S3: S3 Bucket Public. Reason:
      • Require KMS Key permission
  • 22. Protecting Your Static Content In Amazon S3: Use KMS and you will never have a world-readable object
  • 23. Protecting Your Content In Amazon EBS (diagram labels: Visitors / Users, Amazon CloudFront, Elastic Load Balancing, S3 Bucket, EBS snapshot, Amazon Relational Database Service (RDS), EC2 instances)
  • 24. Protecting Your Content In Amazon EBS: How EC2 and EBS work together (diagram labels: EC2 Instance, compute layer; EBS Volume(s), storage layer)
  • 25. Protecting Your Content In Amazon EBS: Full disk encryption, in the past:
      • Have the data encryption key stored in plain text
      • Manually enter the encryption key passphrase
  • 26. Protecting Your Content In Amazon EBS: Creating an encrypted EBS volume
  • 27. Protecting Your Content In Amazon EBS: Which data is encrypted?
      • Data at rest in the EBS volume
      • Data moving between EBS and EC2
      • Underlying server performs encryption/decryption
      (diagram labels: EC2 Instance, compute layer; EBS Volume, storage layer)
  • 28. Protecting Your Content In Amazon EBS: Which data is encrypted?
      • All snapshots created from the EBS volume
      • All EBS volumes created from those snapshots
      (diagram labels: EBS Volume, EBS Snapshot, EBS Volume)
  • 29. Protecting Your Content In Amazon EBS: Use KMS and never risk exposing your backups to the world (diagram labels: EBS Volume, EBS Snapshot, EBS Volume)
  • 30. Protecting Your Content In Amazon EBS: EBS Snapshot Public. What if… the EBS Snapshot permissions allow:
      • Snapshot public read
  • 31. Protecting Your Content In Amazon EBS: EBS Snapshot Public. Results:
      • Copy snapshot: Denied
      • Create volume: Denied
  • 32. Protecting Your Content In Amazon EBS: EBS Snapshot Public. Reason:
      • Require KMS Key permissions
  • 33. Protecting Your Content In Amazon EBS: KMS, the service that keeps on giving… Amazon RDS takes advantage of EBS volumes for its storage layer. This enables you to get the same security benefits when encrypting your data at rest using KMS. (diagram labels: EC2 Instance, EBS Volume; RDS Instance, EBS Volume)
  • 34. Protecting Your Content In Amazon EBS: KMS, the service that keeps on giving… When using KMS with integrated services, you control where your data may be copied to and who you share your data with. (diagram labels: EBS Snapshot, AWS Regions, AWS Account)
  • 35. Multitier Workload On AWS (diagram labels: Visitors / Users, Amazon CloudFront, Elastic Load Balancing, EC2 instances, Amazon Relational Database Service (RDS), S3 Bucket, EBS snapshot)
  • 36. Multitier Workload On AWS (same diagram; additional labels: Login/Password, Personal information, Payment details, Confidential data, Company data)
  • 37. Protecting Your Data In Transit (same diagram as slide 35)
  • 38. Protecting Your Data In Transit (diagram labels: Visitors / Users, Elastic Load Balancing, Amazon CloudFront)
  • 39. Protecting Your Data In Transit. Reasons:
      • Assure data communication integrity
      • Protect against eavesdropping
      • Create trust online
      “Dance like no one is watching, encrypt like everyone is.”
  • 40. Protecting Your Data In Transit: Requesting a certificate
  • 41. Protecting Your Data In Transit: Deploying a certificate in Amazon CloudFront
  • 42. Protecting Your Data In Transit. What if…?
      • You forget to renew the certificate?
  • 43. Protecting Your Data In Transit. Features:
      • Automated certificate renewal
      • Automated deployment
  • 44. Protecting Your Data In Transit: ACM, the service that also keeps on giving (diagram labels: Amazon CloudFront, Elastic Load Balancing, API Gateway, AWS Certificate Manager). Other integrated services:
      • AWS Elastic Beanstalk
      • AWS CloudFormation
  • 45. Protecting Your Data In Transit: Security is our top priority (diagram labels: AWS Key Management Service (KMS), AWS Certificate Manager). Internal features:
      1. Certificate and private key encrypted with data key
      2. Data key encrypted with KMS master key
  • 46. Multitier Workload On AWS (same diagram as slide 35)
  • 47. Controls And Visibility
      • How do you track actions performed on your data?
      • How do you record actions that used your KMS keys?
      • How do you prove it’s really working?
  • 48. Controls And Visibility. CloudTrail provides:
      • AWS API logs for your account, per region
      • The ability to detect missing and altered logs
      (diagram labels: Services and customer API requests, AWS KMS, AWS CloudTrail, Amazon S3)
  • 50. Controls And Visibility (diagram label: AWS CloudTrail)
      • Records of all AWS API requests
      • Supports filtering rules
      • JSON format
      • Integrated with Amazon Athena
      • CloudTrail Processing Library for Java
      Reading CloudTrail logs is as easy as “The rule of 6 W”:
      • What happened?
      • When did it happen?
      • Which action and service?
      • Where to?
      • Who did it?
      • Where from?
  • 51. Controls And Visibility
      {
        "awsRegion": "ap-southeast-2",
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:ap-southeast-2:123456789012:key/abcdef12-1234-5678-90ab-cdef01234567",
        "eventID": "aa2c4a1b-e413-4a5a-877b-666190ba4cb9",
        "eventName": "Decrypt",
        "eventSource": "kms.amazonaws.com",
        "eventTime": "2018-03-12T10:37:14Z",
        "eventType": "AwsApiCall",
        "eventVersion": "1.05",
        "recipientAccountId": "123456789012",
        "requestID": "5449c522-25e1-11e8-bb5a-01b7ca551a5f",
        "requestParameters": null,
        "responseElements": null,
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
  • 52. Controls And Visibility (same event as slide 51), highlighting:
      • What happened?
  • 53. Controls And Visibility (same event as slide 51), highlighting:
      • What happened?
      • When did it happen?
  • 54. Controls And Visibility (same event as slide 51), highlighting:
      • What happened?
      • Which action and service?
      • When did it happen?
  • 55. Controls And Visibility (same event as slide 51), highlighting:
      • Where to?
      • What happened?
      • Which action and service?
      • When did it happen?
  • 56. Controls And Visibility (same event as slide 51), highlighting:
      • Where to?
      • What happened?
      • Which action and service?
      • When did it happen?
      • Where from?
  • 57–58. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Controls And Visibility
      "userIdentity": {
        "accessKeyId": "ASIAXXXXXXXX",
        "accountId": "123456789012",
        "arn": "arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678",
        "invokedBy": "AWS Internal",
        "principalId": "AROAXXXXXXXX:i-12345678",
        "sessionContext": {
          "attributes": { … },
          "sessionIssuer": {
            "accountId": "123456789012",
            "arn": "arn:aws:iam::123456789012:role/EC2WebAppRole",
            "principalId": "AROAXXXXXXXX",
            "type": "Role",
            "userName": "EC2WebAppRole"
          }
        },
        "type": "AssumedRole"
      }
    }
    • Who did it? (userIdentity: the assumed-role ARN, and sessionIssuer for the IAM role it came from)
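The two CloudTrail fragments above answer the slide's six questions only once someone pulls the right fields out; note that for a denied call requestParameters is null, so the target key ARN is only recoverable from errorMessage. The following triage helper is an added example, not code from the deck or from AWS; the record is constructed from the slide's placeholder values (account 123456789012, role EC2WebAppRole, the abcdef12… key id) and the function names are my own.

```python
import json
import re

# Constructed CloudTrail record assembled from the fields shown on the slides.
# The ids are the slide's placeholders, not real identifiers.
SAMPLE_DENIED = {
    "awsRegion": "ap-southeast-2",
    "errorCode": "AccessDenied",
    "errorMessage": ("User: arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678 "
                     "is not authorized to perform: kms:Decrypt on resource: "
                     "arn:aws:kms:ap-southeast-2:123456789012:key/"
                     "abcdef12-1234-5678-90ab-cdef01234567"),
    "eventName": "Decrypt", "eventSource": "kms.amazonaws.com",
    "eventTime": "2018-03-12T10:37:14Z", "requestParameters": None,
    "sourceIPAddress": "AWS Internal",
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::123456789012:assumed-role/EC2WebAppRole/i-12345678",
                     "sessionContext": {"sessionIssuer": {
                         "arn": "arn:aws:iam::123456789012:role/EC2WebAppRole"}}},
}
# A constructed successful call for contrast: no errorCode, key ARN in "resources".
SAMPLE_OK = {**SAMPLE_DENIED, "eventTime": "2018-03-12T10:40:00Z",
             "resources": [{"ARN": "arn:aws:kms:ap-southeast-2:123456789012:key/"
                                   "abcdef12-1234-5678-90ab-cdef01234567"}]}
SAMPLE_OK = {k: v for k, v in SAMPLE_OK.items() if k not in ("errorCode", "errorMessage")}

RESOURCE_RE = re.compile(r"on resource: (arn:aws:kms:\S+)")

def triage(record):
    """Answer the slide's questions (what/action/when/where to/where from/who) for one record."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    # Denied calls carry the key only inside errorMessage; successful ones list it in resources.
    m = RESOURCE_RE.search(record.get("errorMessage", ""))
    resources = record.get("resources") or []
    where_to = m.group(1) if m else (resources[0]["ARN"] if resources else None)
    return {
        "what": record.get("errorCode", "Success"),
        "action": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "when": record["eventTime"],
        "where_to": where_to,
        "where_from": record.get("sourceIPAddress"),
        "who": ident.get("arn"),
        "issuing_role": issuer.get("arn"),
    }

def denied_kms_decrypts(records):
    """Detection filter: KMS Decrypt calls that were refused, the event the slide shows."""
    return [r for r in records if r.get("eventSource") == "kms.amazonaws.com"
            and r.get("eventName") == "Decrypt" and r.get("errorCode") == "AccessDenied"]

if __name__ == "__main__":
    for rec in denied_kms_decrypts([SAMPLE_DENIED, SAMPLE_OK]):
        print(json.dumps(triage(rec), indent=2))
```

A spike of these events from one role is worth alerting on: it usually means either a key policy or IAM change broke the role, or a principal is probing keys it was never granted.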
  • 59. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What Did We Learn?
    • Encryption for everyone
    • Broad range of integrated services
    • Strong controls and visibility of your data
  • 60. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. How Much Does It Cost?
    AWS Certificate Manager: SSL/TLS certificates are free when provisioned through AWS Certificate Manager: $0.00
    AWS Key Management Service:
      1 Customer Managed Key (CMK) when creating 250 EBS volumes per month: 1 CMK, $1.00
      3 API requests to create and provision a unique data key for each EBS volume: 0 billable requests (750 requests – 20000 free tier requests), $0.00
    Total: $1.00
  • 61. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Where Should You Start?
    • Configure AWS CloudTrail to save CloudTrail logs in your Amazon S3 bucket
    • Enable encryption at rest with KMS: Amazon S3, Amazon EBS, Amazon RDS
  • 62. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. 34 Services Integrated With KMS
    Amazon S3, Amazon EBS, Amazon RDS, Amazon Systems Manager, AWS Import/Export Snowball, AWS Storage Gateway, Amazon EFS, Amazon DynamoDB, AWS Database Migration Service, Amazon Lightsail, AWS Lambda, Amazon Redshift, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, AWS CodePipeline, AWS Cloud9, AWS CloudTrail, Amazon CloudWatch Logs, Amazon EMR, Amazon Kinesis Firehose, Amazon Kinesis Streams, Amazon Elastic Search, Amazon Athena, Amazon Elastic Transcoder, Amazon SES, Amazon SQS, Amazon WorkSpaces, Amazon WorkMail, AWS Certificate Manager, Alexa for Business, Amazon SageMaker, Amazon Connect Contact Center, Amazon Kinesis Video Streams
    Service categories shown on the slide: Storage & Content Delivery, Databases, Developer tools, Compute, Analytics, Enterprise Applications, Application Services, Management tools, Security, Identity & Compliance, Machine learning, Business productivity, Media Services
  • 63. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. References
    https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
    https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html
    https://aws.amazon.com/blogs/security/
  • 64. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank You