crypto-options on aws bertram dorn – specialized solutions
TRANSCRIPT
![Page 1: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/1.jpg)
©Amazon.com, Inc. and its affiliates. All rights reserved.
Crypto-Options on AWS
Bertram Dorn – Specialized Solutions Architect
Security/Compliance
Network/Databases
Amazon Web Services Germany GmbH
![Page 2: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/2.jpg)
Agenda
• Theory
• Options
![Page 3: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/3.jpg)
The Cryptographic Trinity
Key
Algorithm
Data
If you don’t own all three parts of the solution (key, algorithm and data), your data is not considered to be “hard” encrypted…
![Page 4: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/4.jpg)
In Region I: (diagram: two AWS Availability Zones in one Region)
![Page 5: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/5.jpg)
In Region II: (diagram: four AWS data centres (DCs) in one Region)
![Page 6: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/6.jpg)
Between Regions: (diagram: two Regions with two Availability Zones each, connected over the public Internet and over the customer WAN via two Direct Connect (DX) sites)
![Page 7: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/7.jpg)
Summary
• Data in transit within an AZ might leave the building
• Data in transit between AZs will leave the building
• Data in transit between AWS Regions or between AWS and customer premises needs to be taken care of, too
• How about devices?
– Device decommissioning is a core task for AWS
– This is fully compliant and audited
– No device leaves our DCs in a functional state
– People leaving a DC need to pass a metal detector
Whatever you do: encrypt your data in flight.
Let’s discuss data at rest.
![Page 8: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/8.jpg)
Discussion Points
• Hard encryption might be excessive for some purposes
• Find out where you need which kind of encryption – map your view of risk and need
• Think about the lifetime of your data (example: the German expiry of the approved use of 3DES and the resulting requirement to re-encrypt bulk data with a stronger algorithm…)
• Sometimes encryption is only there for compliance reasons…
Work on your data classification. Find the balance between your obligation of executive care, cost and complexity.
![Page 9: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/9.jpg)
But:
Getting data at rest encrypted on AWS is so easy that you should consider a policy:
All data needs to be encrypted at rest!
![Page 10: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/10.jpg)
AWS services, and which of them we look at today:
• Ecosystem: Technology Partners, Consulting Partners, AWS Marketplace
• Containers & Deployment (PaaS): Elastic Beanstalk for Java, Node.js, Python, Ruby, PHP and .Net; OpsWorks; CloudFormation
• Management & Administration: IAM, CloudWatch, CloudTrail, APIs and SDKs, Management Console, CloudHSM, Command Line Interface
• Networking: Direct Connect, Route 53, VPC
• Analytics: Data Pipeline, Redshift, EMR, Kinesis
• Application Services: SWF, SNS, SQS, CloudSearch, SES, AppStream, CloudFront, WorkSpaces
• Storage: Storage Gateway, S3, EBS, Glacier, Import/Export
• Databases: DynamoDB, ElastiCache, RDS (MySQL, PostgreSQL, Oracle, SQL Server)
• Compute: EC2, Elastic Load Balancer, Auto Scaling
• Infrastructure: Regions, Availability Zones, Content Delivery POPs
![Page 11: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/11.jpg)
AWS Key Management Service I
• Designed for scalability and throughput
• Uses bespoke AWS hardware + software
• Is a multi-tenant service
• Performs AES256 operations
• API for crypto commands:
– Key management
– Encryption / decryption
• Customer selects the master key
• Data keys are transported via envelope encryption
(Diagram: customer master key(s) in AWS KMS, with data keys 1 to 4 wrapped under them for an Amazon S3 object, an Amazon EBS volume, an Amazon Redshift cluster and a custom application)
![Page 12: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/12.jpg)
AWS Key Management Service II – Reference Architecture
(Diagram: an application or AWS service holds the data key and the encrypted data key and produces the encrypted data; the master key(s) stay in the customer’s account inside AWS KMS)
1. The application or AWS service client requests an encryption key to use to encrypt data, and passes a reference to a master key under the account.
2. The client request is authenticated based on whether the caller has access to use the master key.
3. A new data encryption key is created and a copy of it is encrypted under the master key.
4. Both the data key and the encrypted data key are returned to the client. The data key is used to encrypt the customer data and then deleted as soon as is practical.
5. The encrypted data key is stored for later use and sent back to AWS KMS when the source data needs to be decrypted.
![Page 13: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/13.jpg)
S3 (normal mode)
(Diagram: three AWS AZs)
• Data is sent to S3 encrypted in transit (TLS), provided the client uses HTTPS
• S3 stores the data unencrypted
• Data travels unencrypted between AZs
• Enforce HTTPS with a bucket policy:
  {
    "Statement": [{
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }]
  }
  A bucket policy needs a Principal, and listing both the bucket ARN and bucket/* makes the Deny cover bucket-level calls such as ListBucket as well as object operations; with bucket/* alone, only object-level actions are refused over plain HTTP.
![Page 14: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/14.jpg)
S3 (server-side encryption)
(Diagram: three AWS AZs)
• Data is sent to S3 encrypted in transit (TLS)
• S3 encrypts the data with an AWS-owned key
• Data travels encrypted between AZs
• Data at rest is encrypted with the AWS-owned key
• Enforce at-rest encryption with a bucket policy:
  {
    "Statement": [{
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }]
  }
  This statement matches uploads that carry the x-amz-server-side-encryption header with a value other than AES256. The AWS reference policy for this purpose pairs it with a second Deny statement using the Null condition operator ("Null": { "s3:x-amz-server-side-encryption": "true" }) so that uploads which omit the header entirely are refused as well.
![Page 15: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/15.jpg)
S3 (server-side, user key)
(Diagram: three AWS AZs)
• Data is sent to S3 encrypted in transit (TLS)
• S3 encrypts the data with the customer key sent in the request
– The key is forgotten by AWS immediately after the request
• Data travels encrypted between AZs
• Data at rest is encrypted with the customer-owned key
• The customer needs to send the same key again in every GET request; if the key is lost, the object cannot be read back
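What “send the key in the request” looks like on the wire, as an added example that is not part of the slides or of any AWS SDK: the three request headers S3 expects for SSE-C (the header names are S3’s), the receiving side’s check that the key’s MD5 header matches the key, and a per-object key table on the client, which is the consequence of S3 keeping nothing. The KeyStore type, the object names and the in-memory map are assumptions for illustration; nothing here talks to AWS.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// The three request headers S3 expects for SSE-C (real header names).
const (
	hdrAlgorithm = "x-amz-server-side-encryption-customer-algorithm"
	hdrKey       = "x-amz-server-side-encryption-customer-key"
	hdrKeyMD5    = "x-amz-server-side-encryption-customer-key-MD5"
)

// SSECHeaders builds the headers a PUT or GET must carry: the 256-bit key,
// base64 encoded, and the base64 MD5 of the raw key, which lets S3 reject a
// key that was corrupted in transit before it is used for anything.
func SSECHeaders(key []byte) (map[string]string, error) {
	if len(key) != 32 {
		return nil, errors.New("SSE-C key must be exactly 32 bytes (AES-256)")
	}
	sum := md5.Sum(key)
	return map[string]string{
		hdrAlgorithm: "AES256",
		hdrKey:       base64.StdEncoding.EncodeToString(key),
		hdrKeyMD5:    base64.StdEncoding.EncodeToString(sum[:]),
	}, nil
}

// CheckSSECHeaders is the receiving side's validation: decode the key and
// confirm the MD5 header matches it. A valid request yields the raw key,
// which the service uses for this one request and then forgets.
func CheckSSECHeaders(h map[string]string) ([]byte, error) {
	if h[hdrAlgorithm] != "AES256" {
		return nil, errors.New("unsupported customer algorithm")
	}
	key, err := base64.StdEncoding.DecodeString(h[hdrKey])
	if err != nil || len(key) != 32 {
		return nil, errors.New("customer key is not a base64 256-bit key")
	}
	want, err := base64.StdEncoding.DecodeString(h[hdrKeyMD5])
	if err != nil {
		return nil, errors.New("customer key MD5 header is not base64")
	}
	sum := md5.Sum(key)
	if subtle.ConstantTimeCompare(sum[:], want) != 1 {
		return nil, errors.New("customer key MD5 does not match the key")
	}
	return key, nil
}

// KeyStore is the client's half of the bargain. Because S3 keeps nothing, the
// client must hold a key per object and resend it on every GET; losing the
// entry means losing the object. An in-memory map is an assumption standing
// in for whatever real key store a client would use.
type KeyStore map[string][]byte

func (ks KeyStore) NewObjectKey(objectKey string) ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks[objectKey] = k
	return k, nil
}

func (ks KeyStore) HeadersFor(objectKey string) (map[string]string, error) {
	k, ok := ks[objectKey]
	if !ok {
		return nil, fmt.Errorf("no SSE-C key held for %q: the object cannot be read back", objectKey)
	}
	return SSECHeaders(k)
}

func main() {
	store := KeyStore{}
	key, _ := store.NewObjectKey("reports/2015-q1.csv") // constructed object name
	put, _ := SSECHeaders(key)
	fmt.Println("PUT key MD5 header:", put[hdrKeyMD5])
	get, _ := store.HeadersFor("reports/2015-q1.csv")
	fmt.Println("GET resends the same key:", get[hdrKey] == put[hdrKey])
	_, err := store.HeadersFor("reports/2014-q4.csv")
	fmt.Println("lost key:", err)
}
```

The MD5 header is an integrity check on the key, not a secret; the key itself still only travels protected by TLS, which is why the HTTPS-only bucket policy from the S3 (normal mode) slide matters even more with SSE-C.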
![Page 16: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/16.jpg)
S3 (server-side, customer master key in KMS)
(Diagram: IAM, KMS and the S3 object across three AWS AZs)
• Data is sent to S3 encrypted in transit (TLS)
• S3 encrypts the data with a data key it obtains from KMS under the customer master key referenced in the request
• Data travels encrypted between AZs
• Data at rest is encrypted with a customer-owned key
• The master key remains in KMS; who may use it is governed by IAM and the key policy
![Page 17: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/17.jpg)
S3 (client-side encryption)
(Diagram: three AWS AZs)
• The client encrypts the data locally with a locally held key
• Data is sent to S3 already encrypted
• Data travels encrypted between AZs
• Data at rest is encrypted with the customer-owned key
• AWS never sees the key
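The five steps of the AWS Key Management Service II reference architecture above and the client-side encryption on this slide are the same envelope construction; the only difference is who holds the master key. The program below is an added example, not code from the slides, from AWS KMS or from the S3 encryption client: KeyHolder stands in for KMS (or for the client’s own key store), AES-256-GCM is assumed as the mode (the slides only say AES256), and the names (KeyHolder, EncryptedObject, seal, open), the master key and the sample record are made up. It runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyHolder stands in for whoever owns the master key: AWS KMS in the reference
// architecture, the client itself for client-side encryption. Only wrapped data
// keys ever leave it; the master key does not.
type KeyHolder struct{ master []byte }

func NewKeyHolder(master []byte) *KeyHolder { return &KeyHolder{master: master} }

// AES-256-GCM is an assumption; the slides only say AES256.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; any change to nonce, ciphertext or tag is rejected.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// GenerateDataKey is steps 2-4: a fresh data key is created, a copy of it is
// encrypted under the master key, and both forms go back to the caller.
func (h *KeyHolder) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	if wrapped, err = seal(h.master, plain); err != nil {
		return nil, nil, err
	}
	return plain, wrapped, nil
}

// Decrypt is step 5: the stored wrapped key comes back and is unwrapped.
func (h *KeyHolder) Decrypt(wrapped []byte) ([]byte, error) { return open(h.master, wrapped) }

// EncryptedObject is what gets stored: the ciphertext plus the wrapped data key
// (the S3 encryption client keeps the latter in the object's metadata).
type EncryptedObject struct{ Ciphertext, WrappedKey []byte }

func zero(b []byte) { for i := range b { b[i] = 0 } }

// EncryptObject is the client side of steps 1-4; the plaintext data key is
// wiped as soon as the data has been encrypted ("deleted as soon as practical").
func EncryptObject(h *KeyHolder, data []byte) (*EncryptedObject, error) {
	dk, wrapped, err := h.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	ct, err := seal(dk, data)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptObject is step 5 followed by the local decryption of the data.
func DecryptObject(h *KeyHolder, obj *EncryptedObject) ([]byte, error) {
	dk, err := h.Decrypt(obj.WrappedKey)
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return open(dk, obj.Ciphertext)
}

func main() {
	kms := NewKeyHolder([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte master key
	obj, _ := EncryptObject(kms, []byte("customer record 4711"))     // constructed sample data
	pt, err := DecryptObject(kms, obj)
	fmt.Printf("wrapped key: %d bytes, recovered: %q, err: %v\n", len(obj.WrappedKey), pt, err)
}
```

Every object gets its own data key, so a compromised object key exposes one object, and the master key is only ever used to wrap and unwrap 32-byte data keys, never bulk data. With KMS the KeyHolder methods are the GenerateDataKey and Decrypt API calls and the master key lives inside the service; with client-side encryption they run in the client and the master key is the “locally held key” of this slide.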
![Page 18: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/18.jpg)
EBS (normal mode)
(Diagram: two AWS AZs)
• The instance sends data to the volume via a hypervisor module
– The module can encrypt or not, depending on the customer’s choice
– Data travels to the disks and between data centres, potentially unencrypted
– Data lives unencrypted on disk
![Page 19: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/19.jpg)
EBS (server-side encryption)
(Diagram: IAM, KMS and the volume across two AWS AZs)
• The instance sends data over the hypervisor to the volume and the hypervisor module encrypts it
– Encryption happens on the EC2 host and is transparent to the instance OS; the instance type must support EBS encryption
– Data travels encrypted to the disks and between data centres
– Data lives encrypted on disk
– AWS holds key/algorithm/data (the key is managed through KMS)
– Included in the scope of the AWS SOC 1 report
![Page 20: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/20.jpg)
CloudHSM
• Tamper-resistant and tamper-evident
– Zeroizes its stored keys if under attack
• FIPS 140-2 Level 2 validated
• Its base position is to be a key store
• Can also be used to timestamp documents
• You can send data to it for encryption / decryption
– The key never leaves the HSM
– Can be used by several commercial software products
– Can be used via API access to the HSM
• Needs to be backed up (ideally to an HSM on customer premises)
• Can (and should) be combined in HA clusters
• Is NOT a key management system
– but can work with some third-party ones
• Communicates via:
– PKCS#11
– JCE
• Some applications need a “plugin”
![Page 21: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/21.jpg)
Redshift can use CloudHSM
• When using CloudHSM:
– Redshift gets the cluster key from the HSM
– Redshift generates a database key and encrypts it with the cluster key from the CloudHSM
– Redshift encrypts the data with the database key
– Redshift supports re-encryption
![Page 22: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/22.jpg)
RDS Crypto Support
• RDS / Oracle can use CloudHSM to store the keys for the Oracle Wallet
– So TDE can be HSM-backed
• RDS / MySQL and RDS / PostgreSQL can use KMS to manage the keys used to encrypt the underlying EBS volumes
– So all tables are encrypted at rest
• Note that in-memory database contents (once the database has been unlocked) are cleartext
– RAM encryption is not something AWS has today, but it has been done in other contexts
![Page 23: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/23.jpg)
VPC VGW
• Hardware IPsec termination points
• Data on the VPC side of the VGW is unprotected by the VGW (no re-encryption)
– If you need VPN termination with onward re-encryption, use EC2 instances with Openswan or Cisco CSR instead…
• Uses a pre-shared symmetric key
• The key is shared between AWS and the customer
(Diagram: customer site connected to two AWS AZs)
![Page 24: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/24.jpg)
Between Regions
(Diagram: two Regions with two Availability Zones each, the public Internet, the customer WAN with two Direct Connect (DX) sites, and the customer DC)
![Page 25: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/25.jpg)
Others
• Glacier
– Archives have always been encrypted – this is entirely transparent to the user
– Glacier keys are AES256
– AWS holds key/algorithm/data
• Route 53
– Supports signed zones
• ELB
– Supports SSL termination including onward re-encryption and customer choice of cipher suite (useful post-POODLE)
– AWS holds keys/algorithm/data
– Unidirectional trust only (no certificate-based authentication of the client to the server)
• Import/Export
– Currently relies on a TrueCrypt shared secret between customer and AWS for exporting data
– TrueCrypt has not been broken, but it is no longer maintained. Therefore Import/Export will choose another option
![Page 26: Crypto-Options on AWS Bertram Dorn – Specialized Solutions](https://reader036.vdocument.in/reader036/viewer/2022062504/586a31441a28ab917d8bf04c/html5/thumbnails/26.jpg)
Bertram Dorn, Amazon Web Services Germany, [email protected]
Additional Resources:
http://aws.amazon.com/documentation
http://aws.amazon.com/compliance
http://aws.amazon.com/security