SlideShare una empresa de Scribd logo

Using AWS Key Management Service for Secure Workloads

Amazon Web Services
Amazon Web Services

Powerful encryption capabilities are available in the core services of the AWS cloud. AWS continues to release enhancements to encryption-specific services and expand encryption capabilities in new services to make security easy for everyone. Learn how to take advantage of these services and features to protect and secure your data in the cloud. Speaker: Dr. John Hildebrandt - Principle Solutions Architect, AWS

1 de 24
Descargar para leer sin conexión
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. John Hildebrandt Solutions Architect, Amazon Web Services Using AWS Key Management Service for Secure Workloads
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Background – IRAP AWS Key Management Service (KMS) overview Step through a example application
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Background - IRAP process update AWS on ASD CCSL at Unclassified DLM. Released Information Security Registered Assessors Program (IRAP) PROTECTED documentation via AWS Artifact. • 46 services in scope. Recommends use of KMS encryption and key management. • Supports DTA secure cloud strategy allowing agency based assessments. Continue to work with the Australian Signals Directorate to include services at PROTECTED level on Certified Cloud Services List.
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IRAP scope Analytics Amazon Elastic MapReduce (Amazon EMR) Amazon Kinesis Data Streams Amazon Kinesis Data Firehose Desktop Amazon WorkSpaces Amazon WorkDocs Storage Amazon S3 Amazon S3 Transfer Acceleration Amazon EBS Amazon Glacier Database Amazon DynamoDB Amazon Redshift Amazon RDS Amazon ElastiCache Identity Amazon Identity and Access Management (IAM) AWS Directory Services Management Amazon CloudWatch Amazon CloudWatch Logs AWS CloudFormation AWS CloudTrail AWS Config App & Mobile Amazon API Gateway Amazon Simple Workflow Service Amazon Cognito AWS Step Functions Messaging Amazon Simple Notification Service Amazon Simple Queue Service Network Amazon Virtual Private Cloud (Amazon VPC) AWS Direct Connect Amazon CloudFront Amazon Route 53 Security Amazon Inspector AWS Key Management Service AWS CloudHSM Amazon EC2 Systems Manager AWS Web Application Firewall AWS Shield Compute Amazon EC2 Amazon Elastic Container Service (Amazon ECS) AWS Auto Scaling Amazon ELB AWS Lambda AWS Lambda@Edge Source: https://console.aws.amazon.com/artifact/home?region=ap-southeast-2#!/reports
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS Key Management Service One-click Encryption Centralized key management (create, delete, view, set policies) Enforced, automatic key rotation Visibility into any changes via CloudTrail AWS Config Rules validation Encryption key management and compliance Usage recommended in Protected IRAP stage 2 report
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IRAP scope – KMS integrations * Analytics Amazon Elastic MapReduce (Amazon EMR) * Amazon Kinesis Data Streams * Amazon Kinesis Data Firehose * Desktop Amazon WorkSpaces * Amazon WorkDocs Storage Amazon S3 * Amazon S3 Transfer Acceleration Amazon EBS * Amazon Glacier * (via S3 lifecycle) Database Amazon DynamoDB * Amazon Redshift * Amazon RDS * Amazon ElastiCache Identity Amazon Identity and Access Management (IAM) * AWS Directory Services Management Amazon CloudWatch * Amazon CloudWatch Logs * AWS CloudFormation * AWS CloudTrail * AWS Config * App & Mobile Amazon API Gateway Amazon Simple Workflow Service Amazon Cognito AWS Step Functions Messaging Amazon Simple Notification Service Amazon Simple Queue Service * Network Amazon VPC * (end point) AWS Direct Connect Amazon CloudFront Amazon Route 53 Security Amazon Inspector AWS Key Management Service * AWS CloudHSM Amazon EC2 Systems Manager * AWS Web Application Firewall * (logs) AWS Shield Compute Amazon EC2 * (via EBS) Amazon ECS * (via EBS) AWS Auto Scaling Amazon ELB AWS Lambda * (ENV var) AWS Lambda@Edge
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Plaintex t data Hardware/ software Encrypted data Encrypted data in storage Encrypted data key Symmetric data key Master keySymmetric data key ? Key hierarchy ? Encryption primer
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. “Key” questions to consider with any solution Where are keys stored? • Hardware you own? • Hardware the cloud provider owns? Where are keys used? • Client software you control? • Server software the cloud provider controls? Who can use the keys? • Users and applications that have permissions? • Cloud provider applications you give permissions? What assurances are there for proper security around keys?
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. How clients and AWS services typically integrate with KMS Two-tiered key hierarchy using envelope encryption • Unique data key encrypts customer data • KMS master keys encrypt data keys Benefits • Limits risk of compromised data key • Better performance for encrypting large data • Easier to manage small number of master keys than millions of data keys • Centralized access and audit of key activity Customer master keys Data key 1 S3 object EBS volume Amazon Redshift cluster Data key 2 Data key 3 Data key 4 Custom application KMS
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Your application or AWS service + Data key Encrypted data key Encrypted data Master keys in customer’s account KMS How AWS services use your KMS keys 1. Client calls kms:GenerateDataKey by passing the ID of the KMS master key in your account. 2. Client request is authenticated based on permissions set on both the user and the key. 3. A unique data encryption key is created and encrypted under the KMS master key. 4. The plaintext and encrypted data key is returned to the client. 5. The plaintext data key is used to encrypt data and is then deleted when practical. 6. The encrypted data key is stored; it’s sent back to KMS when needed for data decryption.
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. KMS assurances Why should you trust AWS with your keys? • There are no tools in place to access your physical key material. • Your plaintext keys are never stored in nonvolatile memory. • You control who has permissions to use your keys. • Separation of duties between systems that use master keys and ones that use data keys. • Multiparty controls for all maintenance of KMS systems that use your master keys.
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Third-party evidence of these controls • IRAP Protected report • FIPS 140-2 validated hardware security modules to protect the security of your keys • FedRAMP • HIPAA • ISO 27001, 27017, 27018, 9001 • Service Organization Control (SOC 1,2,3) • PCI-DSS • Germany C5 https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3009.pdf
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Example Application Typical web application stack. Let’s apply KMS across the stack. region Availability Zone Availability Zone virtual private cloud VPC subnet VPC subnet VPC subnet VPC subnet Auto Scaling group Web Tier Web Tier Application Load Balancer RDS Master instance RDS DB instance standby (multi-AZ) S3 Bucket Static content
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Web Tier • EC2 instances with EBS storage • EBS supports KMS encryption for data and boot volumes • EBS and KMS IAM based access control applies create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id <value>] --availability-zone <value> [--volume-type <value>] [--iops <value>] [--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>] [--generate-cli-skeleton] AWS CLI/SDK
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Database Tier • RDS instances with EBS storage • KMS check box • Logs and snapshots also encrypted
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. S3 – Static Content, logs, backups • Server side KMS managed keys supported • Bucket policy to require encryption
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Validate KMS in use – AWS Config • Leverage AWS Config Rules to validate continuous compliance AWS Config
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. You control how and when your KMS keys can be used and by whom Sample permissions on a key: • Can only be used for encryption and decryption by <these users and roles> in <this account> • Can only be used by application A to encrypt data, but only used by application B to decrypt data • Can only be used to decrypt data if the service resource is active and additional parameters about the resource are passed in the call • Can be managed only by this set of administrator users or roles Fully integrated with AWS Identity and Access Management
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Rotating keys in KMS What key rotation means: • A new version of a master key is created, but mapped to the same key ID or alias • All new encryption requests use the new version • All previous versions of keys are kept to perform decryption on older ciphertexts There is nothing users/applications need to do after a rotation – the same keyID or alias just works AWS CLI enable-key-rotation --key-id <value> Console (Key Summary Page)
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Auditability of KMS key usage through AWS CloudTrail "EventName":"DecryptResult", This KMS API was called… "EventTiime":"2014-08-18T18:13:07Z", ….at this time "RequestParameters": "{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex”}”, …in reference to this key “EncryptionContext":"volumeid-12345", …to protect this AWS resource "SourceIPAddress":"42.23.141.114 ", …from this IP address "UserIdentity": “{"arn":"arn:aws:iam::123456789012:user/User123“} …by this AWS user in this account
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Automation • AWS CloudFormation – scripted deployment • Service Catalog – standard service offerings • AWS Landing Zone – standard account set up
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Summary • AWS KMS called out in IRAP report for Protected workloads • AWS KMS subject of multiple 3rd party audits • Integrated across AWS for ease of use • Demonstrated application across common workload
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Resources KMS • https://aws.amazon.com/kms Whitepaper on KMS cryptographic details • https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf Whitepaper on KMS best practices • https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf AWS Encryption SDK • http://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html S3 encryption client • http://aws.amazon.com/articles/2850096021478074 AWS Security Blog • http://blogs.aws.amazon.com/security
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.

Recomendados

Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWSAmazon Web Services
 
Introduction of AWS KMS
Introduction of AWS KMSIntroduction of AWS KMS
Introduction of AWS KMSRicardo Schmidt
 
Encryption and Key Management in AWS
Encryption and Key Management in AWS Encryption and Key Management in AWS
Encryption and Key Management in AWS Amazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAmazon Web Services
 
Deep Dive: Hybrid Cloud Storage with AWS Storage Gateway - AWS Online Tech Talks
Deep Dive: Hybrid Cloud Storage with AWS Storage Gateway - AWS Online Tech TalksDeep Dive: Hybrid Cloud Storage with AWS Storage Gateway - AWS Online Tech Talks
Deep Dive: Hybrid Cloud Storage with AWS Storage Gateway - AWS Online Tech TalksAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsAmazon Web Services
 

Recomendados

Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWSAmazon Web Services
 
Introduction of AWS KMS
Introduction of AWS KMSIntroduction of AWS KMS
Introduction of AWS KMSRicardo Schmidt
 
Encryption and Key Management in AWS
Encryption and Key Management in AWS Encryption and Key Management in AWS
Encryption and Key Management in AWS Amazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAmazon Web Services
 
Deep Dive: Hybrid Cloud Storage with AWS Storage Gateway - AWS Online Tech Talks
Deep Dive: Hybrid Cloud Storage with AWS Storage Gateway - AWS Online Tech TalksDeep Dive: Hybrid Cloud Storage with AWS Storage Gateway - AWS Online Tech Talks
Deep Dive: Hybrid Cloud Storage with AWS Storage Gateway - AWS Online Tech TalksAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
AWS RDS
AWS RDSAWS RDS
AWS RDSMahesh Raj
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design Amazon Web Services
 
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksCloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksAmazon Web Services
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWSAmazon Web Services
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS SecurityAmazon Web Services
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud SecurityAWS Riyadh User Group
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerAmazon Web Services
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
AWS for Backup and Recovery
AWS for Backup and RecoveryAWS for Backup and Recovery
AWS for Backup and RecoveryAmazon Web Services
 
Introduction to AWS (Amazon Web Services)
Introduction to AWS (Amazon Web Services)Introduction to AWS (Amazon Web Services)
Introduction to AWS (Amazon Web Services)Albert Suwandhi
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS OrganizationsAmazon Web Services
 
ABCs of AWS: S3
ABCs of AWS: S3ABCs of AWS: S3
ABCs of AWS: S3Mark Cohen
 
Best Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSBest Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSAmazon Web Services
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 
AWS Security
AWS SecurityAWS Security
AWS SecurityAmazon Web Services
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security FundamentalsAmazon Web Services
 
AWS 101
AWS 101AWS 101
AWS 101Amazon Web Services
 
Cloudwatch: Monitoring your Services with Metrics and Alarms
Cloudwatch: Monitoring your Services with Metrics and AlarmsCloudwatch: Monitoring your Services with Metrics and Alarms
Cloudwatch: Monitoring your Services with Metrics and AlarmsFelipe
 
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018Amazon Web Services
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Amazon Web Services
 

Más contenido relacionado

La actualidad más candente

CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksCloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksAmazon Web Services
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerAmazon Web Services
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
Introduction to AWS (Amazon Web Services)
Introduction to AWS (Amazon Web Services)Introduction to AWS (Amazon Web Services)
Introduction to AWS (Amazon Web Services)Albert Suwandhi
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS OrganizationsAmazon Web Services
 
ABCs of AWS: S3
ABCs of AWS: S3ABCs of AWS: S3
ABCs of AWS: S3Mark Cohen
 
Best Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSBest Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSAmazon Web Services
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 
Cloudwatch: Monitoring your Services with Metrics and Alarms
Cloudwatch: Monitoring your Services with Metrics and AlarmsCloudwatch: Monitoring your Services with Metrics and Alarms
Cloudwatch: Monitoring your Services with Metrics and AlarmsFelipe
 

La actualidad más candente (20)

Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS RDS
AWS RDSAWS RDS
AWS RDS
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksCloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud Security
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control Tower
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
 
AWS for Backup and Recovery
AWS for Backup and RecoveryAWS for Backup and Recovery
AWS for Backup and Recovery
 
Introduction to AWS (Amazon Web Services)
Introduction to AWS (Amazon Web Services)Introduction to AWS (Amazon Web Services)
Introduction to AWS (Amazon Web Services)
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS Organizations
 
ABCs of AWS: S3
ABCs of AWS: S3ABCs of AWS: S3
ABCs of AWS: S3
 
Best Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWSBest Practices for Encrypting Data on AWS
Best Practices for Encrypting Data on AWS
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
 
AWS Security
AWS SecurityAWS Security
AWS Security
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
AWS 101
AWS 101AWS 101
AWS 101
 
Cloudwatch: Monitoring your Services with Metrics and Alarms
Cloudwatch: Monitoring your Services with Metrics and AlarmsCloudwatch: Monitoring your Services with Metrics and Alarms
Cloudwatch: Monitoring your Services with Metrics and Alarms
 

Similar a Using AWS Key Management Service for Secure Workloads

AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018Amazon Web Services
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Amazon Web Services
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018Amazon Web Services
 
Lock It Down: Configure End-to-End Security & Access Control on Amazon EMR (A...
Lock It Down: Configure End-to-End Security & Access Control on Amazon EMR (A...Lock It Down: Configure End-to-End Security & Access Control on Amazon EMR (A...
Lock It Down: Configure End-to-End Security & Access Control on Amazon EMR (A...Amazon Web Services
 
AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...Amazon Web Services
 
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Amazon Web Services
 
Accelerate Analytics at Scale with Amazon EMR - AWS Summit Sydney 2018
Accelerate Analytics at Scale with Amazon EMR - AWS Summit Sydney 2018Accelerate Analytics at Scale with Amazon EMR - AWS Summit Sydney 2018
Accelerate Analytics at Scale with Amazon EMR - AWS Summit Sydney 2018Amazon Web Services
 
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitData protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitAmazon Web Services
 
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...Amazon Web Services
 
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...Amazon Web Services
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Amazon Web Services
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDayAmazon Web Services
 

Similar a Using AWS Key Management Service for Secure Workloads (20)

AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
Data Security in the Cloud - Matt Taylor - AWS TechShift ANZ 2018
 
Lock It Down: Configure End-to-End Security & Access Control on Amazon EMR (A...
Lock It Down: Configure End-to-End Security & Access Control on Amazon EMR (A...Lock It Down: Configure End-to-End Security & Access Control on Amazon EMR (A...
Lock It Down: Configure End-to-End Security & Access Control on Amazon EMR (A...
 
Enterprise Security
Enterprise SecurityEnterprise Security
Enterprise Security
 
AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...AWS Cryptography Services – Addressing your data security and compliance need...
AWS Cryptography Services – Addressing your data security and compliance need...
 
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
Keeping Secrets: Securing Your Data with AWS Cryptography (SEC353-R1) - AWS r...
 
Accelerate Analytics at Scale with Amazon EMR - AWS Summit Sydney 2018
Accelerate Analytics at Scale with Amazon EMR - AWS Summit Sydney 2018Accelerate Analytics at Scale with Amazon EMR - AWS Summit Sydney 2018
Accelerate Analytics at Scale with Amazon EMR - AWS Summit Sydney 2018
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitData protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
 
Managed Relational Databases
Managed Relational DatabasesManaged Relational Databases
Managed Relational Databases
 
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
 
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
 
SecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDaySecuringYourCustomersDataFromDayOne_SFStartupDay
SecuringYourCustomersDataFromDayOne_SFStartupDay
 

Más de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Using AWS Key Management Service for Secure Workloads

  • 1. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. John Hildebrandt Solutions Architect, Amazon Web Services Using AWS Key Management Service for Secure Workloads
  • 2. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Background – IRAP AWS Key Management Service (KMS) overview Step through a example application
  • 3. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Background - IRAP process update AWS on ASD CCSL at Unclassified DLM. Released Information Security Registered Assessors Program (IRAP) PROTECTED documentation via AWS Artifact. • 46 services in scope. Recommends use of KMS encryption and key management. • Supports DTA secure cloud strategy allowing agency based assessments. Continue to work with the Australian Signals Directorate to include services at PROTECTED level on Certified Cloud Services List.
  • 4. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IRAP scope Analytics Amazon Elastic MapReduce (Amazon EMR) Amazon Kinesis Data Streams Amazon Kinesis Data Firehose Desktop Amazon WorkSpaces Amazon WorkDocs Storage Amazon S3 Amazon S3 Transfer Acceleration Amazon EBS Amazon Glacier Database Amazon DynamoDB Amazon Redshift Amazon RDS Amazon ElastiCache Identity Amazon Identity and Access Management (IAM) AWS Directory Services Management Amazon CloudWatch Amazon CloudWatch Logs AWS CloudFormation AWS CloudTrail AWS Config App & Mobile Amazon API Gateway Amazon Simple Workflow Service Amazon Cognito AWS Step Functions Messaging Amazon Simple Notification Service Amazon Simple Queue Service Network Amazon Virtual Private Cloud (Amazon VPC) AWS Direct Connect Amazon CloudFront Amazon Route 53 Security Amazon Inspector AWS Key Management Service AWS CloudHSM Amazon EC2 Systems Manager AWS Web Application Firewall AWS Shield Compute Amazon EC2 Amazon Elastic Container Service (Amazon ECS) AWS Auto Scaling Amazon ELB AWS Lambda AWS Lambda@Edge Source: https://console.aws.amazon.com/artifact/home?region=ap-southeast-2#!/reports
  • 5. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS Key Management Service One-click Encryption Centralized key management (create, delete, view, set policies) Enforced, automatic key rotation Visibility into any changes via CloudTrail AWS Config Rules validation Encryption key management and compliance Usage recommended in Protected IRAP stage 2 report
  • 6. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IRAP scope – KMS integrations * Analytics Amazon Elastic MapReduce (Amazon EMR) * Amazon Kinesis Data Streams * Amazon Kinesis Data Firehose * Desktop Amazon WorkSpaces * Amazon WorkDocs Storage Amazon S3 * Amazon S3 Transfer Acceleration Amazon EBS * Amazon Glacier * (via S3 lifecycle) Database Amazon DynamoDB * Amazon Redshift * Amazon RDS * Amazon ElastiCache Identity Amazon Identity and Access Management (IAM) * AWS Directory Services Management Amazon CloudWatch * Amazon CloudWatch Logs * AWS CloudFormation * AWS CloudTrail * AWS Config * App & Mobile Amazon API Gateway Amazon Simple Workflow Service Amazon Cognito AWS Step Functions Messaging Amazon Simple Notification Service Amazon Simple Queue Service * Network Amazon VPC * (end point) AWS Direct Connect Amazon CloudFront Amazon Route 53 Security Amazon Inspector AWS Key Management Service * AWS CloudHSM Amazon EC2 Systems Manager * AWS Web Application Firewall * (logs) AWS Shield Compute Amazon EC2 * (via EBS) Amazon ECS * (via EBS) AWS Auto Scaling Amazon ELB AWS Lambda * (ENV var) AWS Lambda@Edge
  • 7. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Plaintex t data Hardware/ software Encrypted data Encrypted data in storage Encrypted data key Symmetric data key Master keySymmetric data key ? Key hierarchy ? Encryption primer
  • 8. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. “Key” questions to consider with any solution Where are keys stored? • Hardware you own? • Hardware the cloud provider owns? Where are keys used? • Client software you control? • Server software the cloud provider controls? Who can use the keys? • Users and applications that have permissions? • Cloud provider applications you give permissions? What assurances are there for proper security around keys?
  • 9. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. How clients and AWS services typically integrate with KMS Two-tiered key hierarchy using envelope encryption • Unique data key encrypts customer data • KMS master keys encrypt data keys Benefits • Limits risk of compromised data key • Better performance for encrypting large data • Easier to manage small number of master keys than millions of data keys • Centralized access and audit of key activity Customer master keys Data key 1 S3 object EBS volume Amazon Redshift cluster Data key 2 Data key 3 Data key 4 Custom application KMS
  • 10. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Your application or AWS service + Data key Encrypted data key Encrypted data Master keys in customer’s account KMS How AWS services use your KMS keys 1. Client calls kms:GenerateDataKey by passing the ID of the KMS master key in your account. 2. Client request is authenticated based on permissions set on both the user and the key. 3. A unique data encryption key is created and encrypted under the KMS master key. 4. The plaintext and encrypted data key is returned to the client. 5. The plaintext data key is used to encrypt data and is then deleted when practical. 6. The encrypted data key is stored; it’s sent back to KMS when needed for data decryption.
  • 11. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. KMS assurances Why should you trust AWS with your keys? • There are no tools in place to access your physical key material. • Your plaintext keys are never stored in nonvolatile memory. • You control who has permissions to use your keys. • Separation of duties between systems that use master keys and ones that use data keys. • Multiparty controls for all maintenance of KMS systems that use your master keys.
  • 12. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Third-party evidence of these controls • IRAP Protected report • FIPS 140-2 validated hardware security modules to protect the security of your keys • FedRAMP • HIPAA • ISO 27001, 27017, 27018, 9001 • Service Organization Control (SOC 1,2,3) • PCI-DSS • Germany C5 https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3009.pdf
  • 13. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Example Application Typical web application stack. Let’s apply KMS across the stack. region Availability Zone Availability Zone virtual private cloud VPC subnet VPC subnet VPC subnet VPC subnet Auto Scaling group Web Tier Web Tier Application Load Balancer RDS Master instance RDS DB instance standby (multi-AZ) S3 Bucket Static content
  • 14. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Web Tier • EC2 instances with EBS storage • EBS supports KMS encryption for data and boot volumes • EBS and KMS IAM based access control applies create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id <value>] --availability-zone <value> [--volume-type <value>] [--iops <value>] [--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>] [--generate-cli-skeleton] AWS CLI/SDK
  • 15. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Database Tier • RDS instances with EBS storage • KMS check box • Logs and snapshots also encrypted
  • 16. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. S3 – Static Content, logs, backups • Server side KMS managed keys supported • Bucket policy to require encryption
  • 17. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Validate KMS in use – AWS Config • Leverage AWS Config Rules to validate continuous compliance AWS Config
  • 18. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. You control how and when your KMS keys can be used and by whom Sample permissions on a key: • Can only be used for encryption and decryption by <these users and roles> in <this account> • Can only be used by application A to encrypt data, but only used by application B to decrypt data • Can only be used to decrypt data if the service resource is active and additional parameters about the resource are passed in the call • Can be managed only by this set of administrator users or roles Fully integrated with AWS Identity and Access Management
  • 19. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Rotating keys in KMS What key rotation means: • A new version of a master key is created, but mapped to the same key ID or alias • All new encryption requests use the new version • All previous versions of keys are kept to perform decryption on older ciphertexts There is nothing users/applications need to do after a rotation – the same keyID or alias just works AWS CLI enable-key-rotation --key-id <value> Console (Key Summary Page)
  • 20. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Auditability of KMS key usage through AWS CloudTrail "EventName":"DecryptResult", This KMS API was called… "EventTiime":"2014-08-18T18:13:07Z", ….at this time "RequestParameters": "{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex”}”, …in reference to this key “EncryptionContext":"volumeid-12345", …to protect this AWS resource "SourceIPAddress":"42.23.141.114 ", …from this IP address "UserIdentity": “{"arn":"arn:aws:iam::123456789012:user/User123“} …by this AWS user in this account
  • 21. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Automation • AWS CloudFormation – scripted deployment • Service Catalog – standard service offerings • AWS Landing Zone – standard account set up
  • 22. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Summary • AWS KMS called out in IRAP report for Protected workloads • AWS KMS subject of multiple 3rd party audits • Integrated across AWS for ease of use • Demonstrated application across common workload
  • 23. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Resources KMS • https://aws.amazon.com/kms Whitepaper on KMS cryptographic details • https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf Whitepaper on KMS best practices • https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf AWS Encryption SDK • http://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html S3 encryption client • http://aws.amazon.com/articles/2850096021478074 AWS Security Blog • http://blogs.aws.amazon.com/security
  • 24. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.