© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Security Webinar: The Key to Effective Cloud Encryption
September 2019
© 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION.
Tim Rains, Regional Leader Security & Compliance Business Acceleration EMEA, WWPS
Dave Walker, Specialist Solutions Architect, Security and Compliance, EMEA
Agenda
Conversations with CISOs, CTOs, CIOs, DPOs, GCs
• Encryption & key management
• Government access to data
• Other compliance topics
• Data residency & data sovereignty
Encryption & Key Management
Typical reasons organizations protect data
• Compliance obligations
• Maintain confidentiality and integrity of data
• Mitigate risk of unauthorized access to data
• Physical
• Logical
Traditional Challenge: Operational Risks vs. Security Risks
Figure: operational risks weighed against security risks.
Ubiquitous Encryption
Figure: data sources (Amazon EBS, Amazon RDS, Amazon Redshift, Amazon S3, Amazon Glacier) and applications, with data encrypted in transit and at rest. Key options: fully managed keys in AWS KMS, imported keys, or your own KMI. Access is restricted through IAM and auditable through AWS CloudTrail.
Data at Rest
Symmetric Key Encryption
• Plaintext: information or data in an unencrypted, unprotected, or human-readable form
• Ciphertext: the encrypted data
• Protecting data keys: encrypting a data key under another key protects it, so the encrypted data key can be stored alongside the ciphertext it protects
• Encrypting the same data under multiple master/wrapping keys: instead of re-encrypting the data multiple times with different keys, re-encrypt only the data key that protects it
• Combining the strengths of multiple algorithms: encrypt the raw data with symmetric encryption, then encrypt the data key with public key encryption
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
Symmetric Algorithms
AWS cryptographic tools and services commonly support widely used symmetric algorithms
• Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys
• AES is often combined with Galois/Counter Mode (GCM), an authenticated mode that also detects tampering, and known as AES-GCM
• Triple DES (3DES) uses three 56-bit keys
• AES-256-XTS: AES in XTS mode (a mode, not a separate cipher), the construction used for block-storage encryption
https://docs.aws.amazon.com/crypto/latest/userguide/concepts-algorithms.html
Envelope Encryption
The practice of encrypting plaintext data with a data key, and then encrypting the data key
under another key.
Figure: hardware or software encrypts plaintext data with a symmetric data key, producing encrypted data that goes to storage; the symmetric data key is itself encrypted under a master key (wrapping key) and stored as an encrypted data key. Master key over data key over data is the key hierarchy.
• A master key is an encryption key that is used to encrypt other encryption keys, such as data keys and key encryption keys
• Unlike data keys and key encryption keys, master keys must be used in plaintext so they can decrypt the keys that they encrypted
• The term master key usually refers to how the key is used, not how it is constructed
• Some AWS services provide master keys:
  • The HSMs in an AWS CloudHSM cluster generate encryption keys that can be used as data keys, key encryption keys, or master keys
  • AWS Key Management Service (AWS KMS) generates and protects master keys. Its customer master keys (CMKs) are created, managed, used, and deleted entirely within AWS KMS
  • AWS KMS also lets you import your own key material into a CMK if you want to generate it independently or with a different key generation mechanism
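Envelope encryption as described above, including the "re-encrypt only the data key" property, as an added Go example; this is not code from the webinar or from any AWS SDK. It uses only the Go standard library: AES-256-GCM stands in for whatever wrapping algorithm a real KMI uses, the master keys are constructed in memory for the demo (in practice they would be KMS CMKs or HSM-resident keys that never leave the device), and the MasterKeyID field plays the role of the material description that tells the decryptor which master key to unwrap with.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what gets stored: the bulk ciphertext plus the data key that protects it,
// wrapped under a master key. The plaintext data key is never stored.
type Envelope struct {
	MasterKeyID    string // which master key wrapped the data key (cf. S3's material description)
	WrappedDataKey []byte // nonce || AES-256-GCM(masterKey, dataKey), AAD = MasterKeyID
	Ciphertext     []byte // nonce || AES-256-GCM(dataKey, plaintext)
}

// sealGCM: AES-GCM with a fresh random nonce; returns nonce || ciphertext. aad is authenticated only.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if the key or aad is wrong or the data was modified.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt: a fresh 256-bit data key per object, data under the data key, data key under the
// master key. MasterKeyID is bound as AAD so a wrapped key cannot be re-labelled to another master key.
func Encrypt(masterKeyID string, masterKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dataKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(masterKey, dataKey, []byte(masterKeyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{MasterKeyID: masterKeyID, WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the master key, then decrypts the data.
func Decrypt(masterKey []byte, env *Envelope) ([]byte, error) {
	dataKey, err := openGCM(masterKey, env.WrappedDataKey, []byte(env.MasterKeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, env.Ciphertext, nil)
}

// Rewrap moves an envelope to a new master key (key rotation) by re-encrypting only the
// data key; the bulk ciphertext is neither decrypted nor rewritten.
func Rewrap(oldMasterKey []byte, newID string, newMasterKey []byte, env *Envelope) (*Envelope, error) {
	dataKey, err := openGCM(oldMasterKey, env.WrappedDataKey, []byte(env.MasterKeyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(newMasterKey, dataKey, []byte(newID))
	if err != nil {
		return nil, err
	}
	return &Envelope{MasterKeyID: newID, WrappedDataKey: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	// Constructed sample keys; in practice the master key lives in KMS or an HSM.
	mk1, mk2 := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)
	env, _ := Encrypt("mk-2019", mk1, []byte("customer record"))
	env2, _ := Rewrap(mk1, "mk-2020", mk2, env)
	pt, err := Decrypt(mk2, env2)
	fmt.Printf("%s err=%v ciphertext-unchanged=%v\n", pt, err, bytes.Equal(env.Ciphertext, env2.Ciphertext))
}
```

Rewrap is the operation behind master key rotation: only the small wrapped data key is touched, which is why a few master keys can protect millions of objects cheaply. Binding MasterKeyID as associated data ties each wrapped data key to the master key it claims to be under, so the wrong master key fails authentication instead of yielding garbage.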
Options for Data at Rest Encryption in AWS
Client-side encryption
• You encrypt your data before it is submitted to the service
• You supply the encryption keys OR use keys in your AWS account
• Available encryption clients: S3, DynamoDB, Amazon Elastic MapReduce File System (EMRFS), AWS Encryption SDK
Server-side encryption
• AWS encrypts data on your behalf after it is received by the service
• Many integrated services, including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail, etc.
Data at Rest: Client-side Encryption
Client-side Encryption in AWS
You encrypt your data before it is submitted to the service
Figure: your applications, running in your data center or in EC2, use your encryption client application with keys from your own key management infrastructure (on premises or in EC2), AWS KMS, or AWS CloudHSM; the encrypted data is stored in select AWS services.
Client-side Encryption Example using a Client-Side Master Key
• Your client-side master keys and unencrypted data are never sent to AWS
• The Amazon S3 encryption client generates a one-time-use symmetric key (a data key) locally
• The data key is used to encrypt the data of a single Amazon S3 object; the client generates a separate data key for each object
• The client encrypts the data key using the master key that you provide
• The client-side master key can be a symmetric key or a public/private key pair
• The client uploads the encrypted data to Amazon S3 and saves the encrypted data key, together with its material description, as object metadata
• The material description is used to pick which client-side master key to use for decryption
Client-side Encryption Example using a Client-Side Master Key
• The client downloads the encrypted object from Amazon S3
• Using the material description from the object's metadata, the client determines which master key to use
• The client uses that master key to decrypt the data key and then uses the data key to decrypt the object
The following AWS SDKs support client-side encryption:
• AWS SDK for .NET
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for PHP
• AWS SDK for Ruby
• AWS SDK for C++
Client-side encryption and decryption in AWS using a Client-Side Master Key
// Consolidated from the three code slides. Note that symKey is the client-side MASTER key: the S3
// encryption client generates a fresh data key per object and wraps it with symKey (see the bullets above).
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3EncryptionClientBuilder;
import com.amazonaws.services.s3.model.*;

public class S3ClientSideMasterKeyExample {
    public static void main(String[] args) throws Exception {
        // Set up variables and the location of the master key.
        Regions clientRegion = Regions.DEFAULT_REGION;
        String bucketName = "*** Bucket name ***";
        String objectKeyName = "*** Object key name ***";
        String masterKeyDir = System.getProperty("java.io.tmpdir");
        String masterKeyName = "secret.key";

        // Generate a symmetric 256-bit AES master key.
        KeyGenerator symKeyGenerator = KeyGenerator.getInstance("AES");
        symKeyGenerator.init(256);
        SecretKey symKey = symKeyGenerator.generateKey();

        // To see how it works, save and load the master key to and from the file system.
        // A temp directory is acceptable for this demo only; a real master key belongs in your KMI or an HSM.
        saveSymmetricKey(masterKeyDir, masterKeyName, symKey);
        symKey = loadSymmetricAESKey(masterKeyDir, masterKeyName, "AES");

        // Create the Amazon S3 encryption client and tell it to use symKey as the master key.
        EncryptionMaterials encryptionMaterials = new EncryptionMaterials(symKey);
        AmazonS3 s3EncryptionClient = AmazonS3EncryptionClientBuilder.standard()
                .withCredentials(new ProfileCredentialsProvider())
                .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(encryptionMaterials))
                .withRegion(clientRegion)
                .build();

        // Upload a new object. The client encrypts it under a fresh data key and stores the
        // data key, wrapped with symKey, in the object metadata.
        byte[] plaintext = "S3 Object Encrypted Using Client-Side Symmetric Master Key.".getBytes();
        s3EncryptionClient.putObject(new PutObjectRequest(bucketName, objectKeyName,
                new ByteArrayInputStream(plaintext), new ObjectMetadata()));

        // Download and decrypt the object: the client unwraps the data key with symKey, then decrypts.
        S3Object downloadedObject = s3EncryptionClient.getObject(bucketName, objectKeyName);
        byte[] decrypted = com.amazonaws.util.IOUtils.toByteArray(downloadedObject.getObjectContent());
        System.out.println(new String(decrypted));
    }

    // Persist the raw AES key bytes (demo only).
    private static void saveSymmetricKey(String dir, String name, SecretKey key) throws IOException {
        Files.write(Paths.get(dir, name), key.getEncoded());
    }

    // Rebuild the AES key from the raw bytes on disk.
    private static SecretKey loadSymmetricAESKey(String dir, String name, String algorithm) throws IOException {
        return new SecretKeySpec(Files.readAllBytes(Paths.get(dir, name)), algorithm);
    }
}
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
Client-side encryption in AWS using a Client-Side Master Key
Figure: your applications in your data center run the Amazon S3 encryption client, which holds the master key; the encrypted data and the encrypted data key are sent to Amazon S3.
Client-side decryption in AWS using a Client-Side Master Key
Figure: the encrypted data and the encrypted data key come back from Amazon S3 to the encryption client, which selects the right master key from the material description, unwraps the data key and decrypts the data.
Client-side Encryption Example using DynamoDB Encryption Client
• DynamoDB Encryption Client processes one table item at a time
• First, it encrypts the values of attributes that you specify
• Then, it calculates a signature over the attributes that you specify, so you
can detect unauthorized changes to the item as a whole, including adding or
deleting attributes, or substituting one encrypted value for another
• Attribute names, and the names and values in the primary key (the partition
key and sort key) must remain in plaintext to make the item discoverable
• But they are included in the signature by default
• Do not put any sensitive data in the table name, attribute names, the names
and values of the primary key attributes, or any attribute values that you tell
the client not to encrypt
Client-side Encryption Example using DynamoDB Encryption Client
• Cryptographic materials providers (CMP)
• Wrapped Materials Provider (Wrapped CMP)
• Direct KMS Materials Provider
• Most Recent Provider
• Static Materials Provider
• The Wrapped CMP lets you use wrapping and signing keys from any source
with the DynamoDB Encryption Client
• Does not depend on any AWS service
• Generate and manage your wrapping and signing keys outside of the client
Client-side Encryption Example using DynamoDB Encryption Client
1. The Wrapped CMP generates a unique symmetric item encryption key for the table item
2. It uses the wrapping key that you specify to wrap the item encryption key, then removes it from memory as soon as possible
3. It returns the plaintext item encryption key, the signing key that you supplied, and an actual material description that includes the wrapped item encryption key and the encryption and wrapping algorithms
4. The item encryptor uses the plaintext key to encrypt the item, then:
  4.1. uses the signing key that you supplied to sign the item
  4.2. removes the plaintext keys from memory as soon as possible
  4.3. copies the fields in the actual material description, including the wrapped encryption key, to the material description attribute of the item
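The attribute-action and item-signature model of the DynamoDB Encryption Client described above (encrypt some attributes, leave the primary key in plaintext but sign it, leave "test" alone, reject any substitution), as an added Go example; this is not the client's own code or item format. Assumptions: the per-item encryption key is passed in directly instead of being generated and wrapped by a CMP (that wrapping is the envelope step of the Wrapped CMP procedure), AES-256-GCM with the attribute name as associated data plus HMAC-SHA256 stand in for the client's algorithm suite, and the signature attribute name __item_sig is invented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Action mirrors the client's attribute actions; the zero value is the safe default.
type Action int

const (
	EncryptAndSign Action = iota // default for every attribute not listed in the actions map
	SignOnly                     // partition/sort keys: plaintext, but covered by the signature
	DoNothing                    // the "test" attribute: neither encrypted nor signed
	sigAttr        = "__item_sig" // attribute holding the item signature (assumed name)
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signItem: HMAC-SHA256 over a canonical, length-prefixed encoding of every signed attribute
// (name, action, stored value) in sorted order, so adding, removing or swapping any of them changes the MAC.
func signItem(signingKey []byte, item map[string][]byte, actions map[string]Action) []byte {
	var names []string
	for n := range item {
		if n != sigAttr && actions[n] != DoNothing {
			names = append(names, n)
		}
	}
	sort.Strings(names)
	mac := hmac.New(sha256.New, signingKey)
	for _, n := range names {
		binary.Write(mac, binary.BigEndian, uint32(len(n)))
		mac.Write(append([]byte(n), byte(actions[n])))
		binary.Write(mac, binary.BigEndian, uint32(len(item[n])))
		mac.Write(item[n])
	}
	return mac.Sum(nil)
}

// EncryptItem encrypts EncryptAndSign attributes under itemKey (attribute name as AAD), then signs the item.
func EncryptItem(itemKey, signingKey []byte, item map[string][]byte, actions map[string]Action) (map[string][]byte, error) {
	aead, err := newGCM(itemKey)
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte, len(item)+1)
	for name, v := range item {
		if actions[name] == EncryptAndSign {
			nonce := make([]byte, aead.NonceSize())
			if _, err := rand.Read(nonce); err != nil {
				return nil, err
			}
			v = aead.Seal(nonce, nonce, v, []byte(name))
		}
		out[name] = v
	}
	out[sigAttr] = signItem(signingKey, out, actions)
	return out, nil
}

// DecryptItem verifies the signature before decrypting anything: an encrypted value copied in from
// another item decrypts fine under GCM alone (same key, same attribute name) but fails the item MAC.
func DecryptItem(itemKey, signingKey []byte, stored map[string][]byte, actions map[string]Action) (map[string][]byte, error) {
	if !hmac.Equal(stored[sigAttr], signItem(signingKey, stored, actions)) {
		return nil, fmt.Errorf("item signature mismatch")
	}
	aead, err := newGCM(itemKey)
	if err != nil {
		return nil, err
	}
	out, ns := make(map[string][]byte, len(stored)), aead.NonceSize()
	for name, v := range stored {
		switch {
		case name == sigAttr:
		case actions[name] != EncryptAndSign:
			out[name] = v
		case len(v) < ns:
			return nil, fmt.Errorf("ciphertext too short")
		default:
			if out[name], err = aead.Open(nil, v[:ns], v[ns:], []byte(name)); err != nil {
				return nil, err
			}
		}
	}
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key, used as item key and signing key
	acts := map[string]Action{"pk": SignOnly, "test": DoNothing}
	stored, _ := EncryptItem(key, key, map[string][]byte{"pk": []byte("acct-1"), "balance": []byte("100"), "test": []byte("x")}, acts)
	fmt.Printf("pk=%s balance=%x sig=%x\n", stored["pk"], stored["balance"], stored[sigAttr])
}
```

The reason the signature covers the stored (encrypted) values together with the plaintext key attributes is that GCM alone would happily decrypt a ciphertext copied from another item with the same attribute name; only the item-wide MAC ties each value to the item it belongs to. Unlisted attributes default to EncryptAndSign, so an attribute an attacker adds to a stored item is caught as well.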
Client-side Encryption Example using DynamoDB Encryption Client
// record, partitionKeyName, sortKeyName, encryptor and encryptionContext are set up earlier in the linked example;
// partitionKeyName and sortKeyName must be compile-time constants to be usable as case labels.
final EnumSet<EncryptionFlags> signOnly = EnumSet.of(EncryptionFlags.SIGN);
final EnumSet<EncryptionFlags> encryptAndSign = EnumSet.of(EncryptionFlags.ENCRYPT, EncryptionFlags.SIGN);
final Map<String, Set<EncryptionFlags>> actions = new HashMap<>();
for (final String attributeName : record.keySet()) {
    switch (attributeName) {
        case partitionKeyName: // fall through to the next case
        case sortKeyName:
            // Partition and sort keys must not be encrypted, but should be signed
            actions.put(attributeName, signOnly);
            break;
        case "test":
            // Neither encrypted nor signed
            break;
        default:
            // Encrypt and sign all other attributes
            actions.put(attributeName, encryptAndSign);
            break;
    }
}
https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/dynamodb-encryption-client.pdf
Client-side Encryption Example using DynamoDB Encryption Client
// Encrypt and sign the item according to the per-attribute actions
final Map<String, AttributeValue> encrypted_record = encryptor.encryptRecord(record, actions, encryptionContext);
// Put the encrypted and signed item in the DynamoDB table
final AmazonDynamoDB ddb = AmazonDynamoDBClientBuilder.defaultClient();
ddb.putItem(tableName, encrypted_record);
https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/dynamodb-encryption-client.pdf
Client-side Encryption Example using DynamoDB Encryption Client
Figure: part of an example encrypted and signed table item. All attribute names are in plaintext; the partition and sort key values are not encrypted; the value of the 'test' attribute is in plaintext; the values of all other attributes are encrypted.
Client-side Encryption using AWS Encryption SDK
• The AWS Encryption SDK is a client-side encryption library designed to
make it easy for everyone to encrypt and decrypt data using industry
standards and best practices
• Enables you to focus on the core functionality of your application, rather
than on how to best encrypt and decrypt your data
• Without the AWS Encryption SDK, you might spend more effort on building
an encryption solution than on the core functionality of your application
Client-side Encryption using AWS Encryption SDK
• The AWS Encryption SDK answers questions like:
• Which encryption algorithm should I use?
• How, or in which mode, should I use that algorithm?
• How do I generate the encryption key?
• How do I protect the encryption key, and where should I store it?
• How can I make my encrypted data portable?
• How do I ensure that the intended recipient can read my encrypted data?
• How can I ensure my encrypted data is not modified between the time it is written
and when it is read?
• A default implementation that adheres to cryptography best practices
• A framework for protecting data keys with master keys
• A formatted message that stores encrypted data keys with encrypted data
Client-side Encryption using AWS Encryption SDK
Supported algorithm suites in the AWS Encryption SDK: (table not reproduced; see the FAQ link below)
AWS Encryption SDK programming languages
• C
• Java
• JavaScript
• Python
• AWS Encryption CLI (built on the AWS Encryption SDK for Python, supported on Linux, macOS, and Windows)
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/faq.html
Client-side Encryption using AWS Encryption SDK
Key Management
• By default, the SDK gets encryption and decryption materials from the source you specify:
  • A master key provider when using Java or Python
  • A keyring when using C or JavaScript
  • A cryptographic service, such as AWS Key Management Service (AWS KMS)
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/faq.html
Encryption Key Management Options from AWS Partners
https://aws.amazon.com/marketplace
Data at Rest: Server-side Encryption
Server-side Encryption in Amazon S3
• Amazon S3 encrypts data at the object level as it writes it to disks and decrypts it when you access it
• Requires an authenticated request from a principal with access permissions; S3 performs the encryption and decryption
• 3 mutually exclusive options:
  • Server-Side Encryption with Customer-Provided Keys (SSE-C)
  • Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
  • Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
Server-side Encryption in Amazon S3 – SSE-C
• Server-side encryption with customer-provided keys (SSE-C)
• The customer manages the encryption keys
• Amazon S3 manages the encryption as it writes to disks and the decryption when you access your objects
• You don't need to maintain any code to encrypt/decrypt data
• When an object is uploaded, Amazon S3 uses the customer-provided encryption key to apply AES-256 encryption, then removes the encryption key from memory
Server-side Encryption in Amazon S3 – SSE-C
• S3 does not store the encryption key you provide
• It stores a randomly salted HMAC value of the key to validate future requests; this value cannot be used to derive the encryption key or to decrypt the data
• If you lose the encryption key, you lose the object
• When you retrieve an object, you must provide the same encryption key as part of your request; because the key travels with every request, S3 accepts SSE-C requests only over HTTPS
• S3 first verifies that the encryption key you provided matches, and then decrypts the object before returning the object data
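The key validation step described above, modelled as an added Go example; S3's actual implementation is not public and this is not it. The server keeps only a random salt and an HMAC-SHA256 of the customer key, recomputes it on each request and compares in constant time. The 256-bit length check mirrors the SSE-C requirement for AES-256 keys; keying the HMAC with the salt and using the key as the message is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyCheck is everything the server retains about a customer-provided key: a random salt
// and HMAC-SHA256 keyed by that salt over the key. Neither reveals the key, so the server
// cannot decrypt the object on its own and a leaked store does not leak customer keys.
type KeyCheck struct {
	Salt []byte
	MAC  []byte
}

// NewKeyCheck is called on upload, after the key has been used to encrypt the object and
// before the plaintext key is discarded.
func NewKeyCheck(customerKey []byte) (*KeyCheck, error) {
	if len(customerKey) != 32 {
		return nil, errors.New("SSE-C requires a 256-bit key")
	}
	salt := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &KeyCheck{Salt: salt, MAC: macOfKey(salt, customerKey)}, nil
}

// Verify runs on every later GET/HEAD: recompute the MAC with the stored salt and compare
// in constant time before the supplied key is used to decrypt anything.
func (kc *KeyCheck) Verify(customerKey []byte) bool {
	return len(customerKey) == 32 && hmac.Equal(kc.MAC, macOfKey(kc.Salt, customerKey))
}

func macOfKey(salt, key []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(key)
	return m.Sum(nil)
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed customer key
	kc, _ := NewKeyCheck(key)
	wrong := append([]byte{}, key...)
	wrong[0] ^= 1
	fmt.Println(kc.Verify(key), kc.Verify(wrong), len(kc.Salt), len(kc.MAC))
}
```

Because the customer key is 256 bits of randomness, salt plus MAC give an attacker nothing to brute-force; the salt's job is to make two stored checks of the same key (for different objects or uploads) differ, so the store does not reveal which objects share a key.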
Server-side encryption in AWS
S3 server-side encryption with customer-provided encryption keys (SSE-C)
Figure: the customer sends plaintext data and the customer-provided key over HTTPS to the Amazon S3 web server; the key is used at the web server to encrypt the data and is then deleted; the encrypted data is written to the Amazon S3 storage fleet. The customer must provide the same key when downloading to allow S3 to decrypt the data.
Server-side Encryption in Amazon S3 – SSE-C
// Consolidated from the three code slides, with the imports, catch blocks and helper the slides omitted.
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.KeyGenerator;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.*;

public class ServerSideEncryptionUsingClientSideEncryptionKey {
    private static SSECustomerKey SSE_KEY;
    private static AmazonS3 S3_CLIENT;
    private static KeyGenerator KEY_GENERATOR;

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        String clientRegion = "*** Client region ***";
        String bucketName = "*** Bucket name ***";
        String keyName = "*** Key name ***";
        String uploadFileName = "*** File path ***";

        // Generate a new AES-256 key, SSE_KEY. It is sent to S3 with each request, used at the
        // S3 web server and never stored by S3: lose it and the object is unrecoverable.
        KEY_GENERATOR = KeyGenerator.getInstance("AES");
        KEY_GENERATOR.init(256, new SecureRandom());
        SSE_KEY = new SSECustomerKey(KEY_GENERATOR.generateKey());

        try {
            S3_CLIENT = AmazonS3ClientBuilder.standard()
                    .withCredentials(new ProfileCredentialsProvider())
                    .withRegion(clientRegion)
                    .build();
            // Upload an object; S3 encrypts it with SSE_KEY.
            uploadObject(bucketName, keyName, new File(uploadFileName));
            // Download the object; S3 decrypts it with SSE_KEY.
            downloadObject(bucketName, keyName);
            // Verify that the object is protected with SSE-C: metadata is only returned when the key matches.
            retrieveObjectMetadata(bucketName, keyName);
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process it.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // Amazon S3 couldn't be contacted, or the client couldn't parse the response.
            e.printStackTrace();
        }
    }

    private static void uploadObject(String bucketName, String keyName, File file) {
        PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, file).withSSECustomerKey(SSE_KEY);
        S3_CLIENT.putObject(putRequest);
        System.out.println("Object uploaded");
    }

    private static void downloadObject(String bucketName, String keyName) throws IOException {
        GetObjectRequest getObjectRequest = new GetObjectRequest(bucketName, keyName).withSSECustomerKey(SSE_KEY);
        S3Object object = S3_CLIENT.getObject(getObjectRequest);
        System.out.println("Object content: ");
        displayTextInputStream(object.getObjectContent());
    }

    private static void retrieveObjectMetadata(String bucketName, String keyName) {
        GetObjectMetadataRequest getMetadataRequest = new GetObjectMetadataRequest(bucketName, keyName)
                .withSSECustomerKey(SSE_KEY);
        ObjectMetadata objectMetadata = S3_CLIENT.getObjectMetadata(getMetadataRequest);
        System.out.println("Metadata retrieved. Object size: " + objectMetadata.getContentLength());
    }

    private static void displayTextInputStream(InputStream input) throws IOException {
        BufferedReader reader = new BufferedReader(new InputStreamReader(input));
        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println("    " + line);
        }
        System.out.println();
    }
}
https://docs.aws.amazon.com/AmazonS3/latest/dev/sse-c-using-java-sdk.html
Server-Side Encryption in Amazon S3
S3-Managed Keys (SSE-S3)
Example bucket policy that rejects uploads unless they request SSE-S3 (header x-amz-server-side-encryption: AES256):
{
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YourBucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YourBucket/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
Two caveats: a Deny with "Principal": "*" applies to every caller, including principals in the bucket owner's own account; and because the first statement denies any header value other than AES256, it also rejects uploads that request SSE-KMS (header value aws:kms). If some uploaders use KMS keys, list both values, e.g. "StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}.
Server-side Encryption using AWS KMS
June 2019: 117 services integrated with KMS
AWS Key Management Service
AWS Key Management Service
• AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys
• You control access to your encrypted data by defining permissions to use keys, while AWS KMS enforces your permissions and handles the durability and physical security of your keys
• AWS KMS is integrated with AWS CloudTrail to record all API requests, including key management actions and usage of your keys
AWS Key Management Service
• Integrated with 117+ AWS services
• Supports AWS Encryption SDK and
other client-side encryption tools
• You can integrate it into your own
applications
• FIPS 140-2 validated: AWS KMS HSMs
were tested by an independent lab;
those results were further reviewed
by the Cryptographic Module
Validation Program run by NIST
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3139
Security Assurance
Security and quality controls in AWS KMS have been validated and certified by the following compliance schemes:
• FIPS 140-2
  • The AWS KMS cryptographic module running firmware version 1.4.4 is validated at FIPS 140-2 Level 2 overall, with Level 3 for several other categories, including physical security
• AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports
• PCI DSS Level 1
• ISO 27001
• ISO 27017
• ISO 27018
• ISO 9001
• FedRAMP
• HIPAA
https://aws.amazon.com/kms/features/#AWS_Service_Integration
How AWS Services Use Data Keys
The EC2/EBS model
• Unique data keys per resource from KMS are stored in hypervisor/Nitro volatile memory for as long as needed
• Permissions exist for AWS to re-provision data keys to volatile memory in cases of AWS-caused events
• Examples: EBS, RDS, Redshift, WorkSpaces, Amazon Lightsail
The S3 model
• Data keys from KMS are only used in the volatile memory of service hosts for the duration of an API transaction
• Permissions may exist to use keys in response to asynchronous events related to your data in other services
• Examples: S3, EMR, CloudTrail, Amazon Athena, Amazon Kinesis, Amazon SQS, Amazon CloudWatch
How Clients and AWS Services Typically Integrate with KMS
Two-tiered key hierarchy using envelope encryption
• A unique data key encrypts customer data
• KMS master keys encrypt the data keys
Benefits
• Limits the risk of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys than millions of data keys
• Centralized access control and audit of key activity
[Diagram: customer master keys in KMS wrap data keys 1 to 4, which in turn protect an S3 object, an EBS volume, an Amazon Redshift cluster and a custom application]
How AWS Services Use Data Keys
Keys on HSMs in a Region (stored by KMS, KMS-managed)
• All HSMs in a Region self-generate keys in memory when provisioned. These master keys never leave the HSM
• These keys encrypt the next tier:
Customer Master Key (customer-managed)
• 256-bit symmetric Customer Master Key, generated in an HSM or imported by the customer
• Stored in encrypted form in several locations by KMS. The plaintext version is used only in memory on HSMs, on demand
• The CMK encrypts the next tier:
Data Key (customer-managed or AWS service-managed)
• 256-bit symmetric key returned to the client by KMS to use for encrypting bulk data
Two Approaches for Managing Keys in Your Account
AWS Managed Master Keys
• Individual AWS services request KMS to create a master key for their exclusive use
• Each service defines a standard key policy
• You can’t edit the policy or delete the keys
Customer Managed Master Keys
• You control the key lifecycle
• You create keys in advance and delete them when you’re done
• You decide which services use which keys
• You define the key policy for each key
All operational aspects are the same: security, latency, throughput, durability, availability, auditability
How AWS services use your KMS keys
[Diagram: your application or AWS service holds the plaintext data key and the encrypted data key; the encrypted data is stored together with the encrypted data key; the master keys stay in KMS, in the customer’s account]
1. The client calls kms:GenerateDataKey, passing the ID of the KMS master key in your account
2. The client request is authenticated, and authorized based on the permissions set on both the user and the key
3. A unique data encryption key is created and encrypted under the KMS master key
4. The plaintext and the encrypted data key are both returned to the client
5. The plaintext data key is used to encrypt data and is then deleted when practical
6. The encrypted data key is stored; it is sent back to KMS when needed for data decryption
Bring Your Own Key
1. Create a customer master key (CMK) container: KMS creates an empty CMK container with a unique key ID
2. Download a public wrapping key: KMS returns an RSA public key (together with an import token that must accompany the wrapped material)
3. Export your key material from your own key management infrastructure, encrypted under the public wrapping key: your 256-bit key material leaves your infrastructure only encrypted under the KMS public key
4. Import the encrypted key material under the KMS CMK key ID, setting an optional expiration period; your key material is now protected in KMS
Why Bring Your Own Key?
• Control how the key is generated (randomness/entropy, etc.)
• Control key lifetime: delete your key material from KMS on demand
• You control the location and storage of your keys
• Keep your own backup copy of your key material
• Keep the key in the cloud only when you need it
AWS KMS FAQ
Q: How does AWS secure the master keys that I create inside AWS KMS?
• AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext master keys from the service
• The service uses FIPS 140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of your keys
• Your plaintext keys never leave the HSMs, are never written to disk and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation
• AWS KMS keys are never transmitted outside of the AWS Region in which they were created
• Updates to the software on the service hosts and to the AWS KMS HSM firmware are controlled by multi-party access control that is audited and reviewed by an independent group within Amazon as well as by a NIST-certified lab, in compliance with FIPS 140-2
https://aws.amazon.com/kms/faqs/
https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
Security controls enforced by KMS
When operational with keys provisioned:
• No AWS operator can access a host
• No software updates allowed
• Your plaintext keys are never stored in non-volatile memory
• There are no tools in place to access your physical key material
• You can find evidence of every KMS API call in CloudTrail
After reboot and in a non-operational state:
• No key material on the host
• Software can only be updated:
  • after multiple AWS employees have reviewed the code
  • under a quorum of multiple KMS operators with valid credentials
[Diagram: keys on HSMs in a Region]
Authenticated & Authorized Encryption
You can control access to your KMS CMKs in these ways:
1. Use the key policy – a key policy controls access to a CMK
  • Permissions: AWS KMS provides a set of API operations; to control access to these API operations, AWS KMS provides a set of actions that you can specify in a policy.
  • Conditions: use conditions in the policy to specify the circumstances in which a policy takes effect.
2. Use IAM policies in combination with the key policy – you can use IAM policies in combination with the key policy to control access to a CMK. Controlling access this way enables you to manage all of the permissions for your IAM identities in IAM.
3. Use grants in combination with the key policy – you can use grants in combination with the key policy to allow access to a CMK. Controlling access this way enables you to allow access to the CMK in the key policy, and to allow users to delegate their access to others.
  • KMS grants are policy objects designed to be programmatically created and revoked as resources are placed “in use” and “at rest”
https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html
Allow a User to Encrypt and Decrypt with Specific CMKs
[The policy document for this example was shown as an image in the original deck]
Multi-Factor Authentication Example
• To provide an additional layer of security over specific actions, you can require multi-factor authentication (MFA) on critical KMS API calls
• Example calls: PutKeyPolicy, ScheduleKeyDeletion, DeleteAlias, DeleteImportedKeyMaterial
• If someone attempts to perform a critical AWS KMS action, this CMK policy validates that their MFA was authenticated within the last 300 seconds (5 minutes) before allowing the action; in policy terms this is a Condition on the aws:MultiFactorAuthAge key attached to the statement that allows those actions
[The policy document for this example was shown as an image in the original deck]
Encryption Context Example
• To be sure of the integrity of data encrypted with the AWS KMS APIs, you can pass a set of name-value pairs as an Encryption Context during AWS KMS encryption, and again when the Decrypt or ReEncrypt APIs are called
• The context is bound to the ciphertext as additional authenticated data: it is not secret (it appears in plaintext in CloudTrail logs), but a Decrypt call that omits it or presents different pairs fails
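The envelope-encryption flow from the “How AWS services use your KMS keys” steps, combined with the encryption-context check described above, as an added example that is not part of the original deck. It is written in Go against the standard library only; toyKMS is an in-process stand-in for the KMS HSM fleet (an assumption made so the example runs offline; a real client would call GenerateDataKey and Decrypt on the AWS API), and the key ID alias/app-data and the volumeid context are made up. The context is bound as AES-GCM additional authenticated data, so the wrapped data key cannot be unwrapped without presenting the identical name-value pairs:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sort"
)

// toyKMS stands in for the KMS HSM fleet: it holds 256-bit customer master keys
// (CMKs) by ID and never hands one out. Assumed for this example; not an AWS client.
type toyKMS struct{ cmks map[string][]byte }
func newToyKMS() *toyKMS { return &toyKMS{cmks: map[string][]byte{}} }
// CreateKey generates a CMK inside the "HSM"; only its ID is ever exposed.
func (k *toyKMS) CreateKey(keyID string) error {
	cmk := make([]byte, 32)
	if _, err := rand.Read(cmk); err != nil { return err }
	k.cmks[keyID] = cmk
	return nil
}

// canonicalContext renders an encryption context as a stable byte string
// (sorted keys, NUL-separated) so it can be bound as GCM additional data.
func canonicalContext(ctx map[string]string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx { keys = append(keys, k) }
	sort.Strings(keys)
	var aad []byte
	for _, k := range keys { aad = append(aad, k+"\x00"+ctx[k]+"\x00"...) }
	return aad
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal encrypts with AES-256-GCM, binding aad, and returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
// unseal reverses seal; a wrong key, different aad or modified byte fails the tag check.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit data key is returned
// in plaintext and wrapped under the CMK, with the encryption context bound as AAD.
func (k *toyKMS) GenerateDataKey(keyID string, ctx map[string]string) (plain, wrapped []byte, err error) {
	cmk, ok := k.cmks[keyID]
	if !ok { return nil, nil, fmt.Errorf("key %q not found", keyID) }
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil { return nil, nil, err }
	wrapped, err = seal(cmk, plain, canonicalContext(ctx))
	return plain, wrapped, err
}
// Decrypt mirrors kms:Decrypt: the same context must be presented again or the tag check fails.
func (k *toyKMS) Decrypt(keyID string, wrapped []byte, ctx map[string]string) ([]byte, error) {
	cmk, ok := k.cmks[keyID]
	if !ok { return nil, fmt.Errorf("key %q not found", keyID) }
	return unseal(cmk, wrapped, canonicalContext(ctx))
}

// Envelope is what the client persists: the wrapped data key travels with the ciphertext.
type Envelope struct{ KeyID string; WrappedKey, Ciphertext []byte }
func zero(b []byte) { for i := range b { b[i] = 0 } }
// EncryptEnvelope is the client side of the six steps: request a data key,
// encrypt locally, zero the plaintext data key, keep only the wrapped copy.
func EncryptEnvelope(k *toyKMS, keyID string, ctx map[string]string, data []byte) (*Envelope, error) {
	plainDK, wrappedDK, err := k.GenerateDataKey(keyID, ctx)
	if err != nil { return nil, err }
	defer zero(plainDK)
	ct, err := seal(plainDK, data, nil)
	if err != nil { return nil, err }
	return &Envelope{KeyID: keyID, WrappedKey: wrappedDK, Ciphertext: ct}, nil
}
// DecryptEnvelope sends only the wrapped key to "KMS", then decrypts the bulk data locally.
func DecryptEnvelope(k *toyKMS, env *Envelope, ctx map[string]string) ([]byte, error) {
	plainDK, err := k.Decrypt(env.KeyID, env.WrappedKey, ctx)
	if err != nil { return nil, err }
	defer zero(plainDK)
	return unseal(plainDK, env.Ciphertext, nil)
}

func main() {
	kms := newToyKMS()
	if err := kms.CreateKey("alias/app-data"); err != nil { panic(err) }
	ctx := map[string]string{"volumeid": "vol-12345"}
	env, err := EncryptEnvelope(kms, "alias/app-data", ctx, []byte("customer record"))
	if err != nil { panic(err) }
	pt, err := DecryptEnvelope(kms, env, ctx)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	_, err = DecryptEnvelope(kms, env, map[string]string{"volumeid": "vol-99999"})
	fmt.Println("changed encryption context rejected:", err != nil)
}
```

Note what the client never sees: the CMK stays inside toyKMS, just as the master key stays inside the KMS HSMs, and the only thing persisted beside the ciphertext is the wrapped data key. Real KMS also requires the context to match exactly, but the NUL-separated byte encoding used here for the additional authenticated data is an assumption of the example, not the service’s encoding.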
Auditability of KMS key usage through AWS CloudTrail
An abbreviated, annotated CloudTrail record for a KMS call:
"EventName": "DecryptResult",                                         ... this KMS API action was called
"EventTime": "2014-08-18T18:13:07Z",                                  ... at this time
"RequestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex"},   ... in reference to this key
"EncryptionContext": "volumeid-12345",                                ... to protect this AWS resource
"SourceIPAddress": "203.0.113.113",                                   ... from this IP address
"UserIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}     ... by this AWS user in this account
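A triage pass over KMS events of the kind shown above, as an added example that is not part of the original deck (Go, standard library only). The six log lines in SampleTrail are constructed; the 111122223333 account, the key ID and the IP ranges are placeholders, and the one-record-per-line layout with keyId under requestParameters is an assumption for the sample, since real CloudTrail delivers a {"Records":[...]} document per log file. It flags the critical key-management calls the MFA slide lists, data-plane calls from outside an allow-listed range, and AccessDenied results:

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Record holds the subset of CloudTrail fields this triage reads. Field names follow
// the CloudTrail record format; carrying keyId under requestParameters is an assumption
// made for the constructed sample below (real events may put the key ARN under "resources").
type Record struct {
	EventName       string `json:"eventName"`
	EventTime       string `json:"eventTime"`
	EventSource     string `json:"eventSource"`
	SourceIPAddress string `json:"sourceIPAddress"`
	ErrorCode       string `json:"errorCode"`
	UserIdentity    struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		KeyID             string            `json:"keyId"`
		EncryptionContext map[string]string `json:"encryptionContext"`
	} `json:"requestParameters"`
}

type Finding struct{ Rule, EventName, Principal, Detail string }

// criticalActions are the key-management calls the deck suggests gating with MFA.
var criticalActions = map[string]bool{
	"PutKeyPolicy": true, "ScheduleKeyDeletion": true, "DeleteAlias": true, "DeleteImportedKeyMaterial": true,
}

// ParseRecords reads one JSON record per line (a constructed layout for this example;
// CloudTrail itself delivers a {"Records":[...]} document per log file).
func ParseRecords(lines string) ([]Record, error) {
	var out []Record
	for _, ln := range strings.Split(strings.TrimSpace(lines), "\n") {
		var r Record
		if err := json.Unmarshal([]byte(ln), &r); err != nil { return nil, err }
		out = append(out, r)
	}
	return out, nil
}

// Triage applies three checks to kms.amazonaws.com events: critical key-management
// actions are always reported; Decrypt/GenerateDataKey from an IP outside allowedCIDRs
// is reported (calls an AWS service makes on your behalf carry a service hostname, not
// an IP, and are left to the key policy); AccessDenied results are reported because
// repeated denials against a key usually mean a mis-scoped or compromised principal.
func Triage(records []Record, allowedCIDRs []string) ([]Finding, error) {
	var nets []*net.IPNet
	for _, c := range allowedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil { return nil, err }
		nets = append(nets, n)
	}
	var out []Finding
	for _, r := range records {
		if r.EventSource != "kms.amazonaws.com" { continue }
		p := r.UserIdentity.ARN
		if criticalActions[r.EventName] {
			out = append(out, Finding{"critical-action", r.EventName, p, "key " + r.RequestParameters.KeyID})
		}
		if r.ErrorCode == "AccessDenied" {
			out = append(out, Finding{"access-denied", r.EventName, p, "from " + r.SourceIPAddress})
		}
		if r.EventName == "Decrypt" || r.EventName == "GenerateDataKey" {
			if ip := net.ParseIP(r.SourceIPAddress); ip != nil && !inAny(ip, nets) {
				out = append(out, Finding{"unexpected-source", r.EventName, p,
					fmt.Sprintf("from %s ctx=%v", r.SourceIPAddress, r.RequestParameters.EncryptionContext)})
			}
		}
	}
	return out, nil
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets { if n.Contains(ip) { return true } }
	return false
}

// SampleTrail is constructed for this example; it is not real CloudTrail output.
const SampleTrail = `
{"eventName":"Decrypt","eventTime":"2019-09-18T10:00:01Z","eventSource":"kms.amazonaws.com","sourceIPAddress":"10.0.12.7","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},"requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab","encryptionContext":{"volumeid":"vol-12345"}}}
{"eventName":"Decrypt","eventTime":"2019-09-18T10:00:02Z","eventSource":"kms.amazonaws.com","sourceIPAddress":"ec2.amazonaws.com","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},"requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab","encryptionContext":{"aws:ebs:id":"vol-12345"}}}
{"eventName":"Decrypt","eventTime":"2019-09-18T10:05:00Z","eventSource":"kms.amazonaws.com","sourceIPAddress":"203.0.113.113","userIdentity":{"arn":"arn:aws:iam::111122223333:user/User123"},"requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab","encryptionContext":{"volumeid":"vol-12345"}}}
{"eventName":"ScheduleKeyDeletion","eventTime":"2019-09-18T10:06:00Z","eventSource":"kms.amazonaws.com","sourceIPAddress":"203.0.113.113","userIdentity":{"arn":"arn:aws:iam::111122223333:user/User123"},"requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab"}}
{"eventName":"Decrypt","eventTime":"2019-09-18T10:07:00Z","eventSource":"kms.amazonaws.com","sourceIPAddress":"198.51.100.9","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab"}}
{"eventName":"DescribeInstances","eventTime":"2019-09-18T10:08:00Z","eventSource":"ec2.amazonaws.com","sourceIPAddress":"10.0.12.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/User123"},"requestParameters":{}}
`

func main() {
	recs, err := ParseRecords(SampleTrail)
	if err != nil { panic(err) }
	findings, err := Triage(recs, []string{"10.0.0.0/8"})
	if err != nil { panic(err) }
	for _, f := range findings { fmt.Printf("%-17s %-20s %s %s\n", f.Rule, f.EventName, f.Principal, f.Detail) }
}
```

With the 10.0.0.0/8 allow list, main prints four findings for the sample: a Decrypt by User123 from 203.0.113.113, the ScheduleKeyDeletion by the same user, and two findings for the contractor’s denied Decrypt from 198.51.100.9. Service-originated calls (where sourceIPAddress is a hostname) are deliberately not IP-checked; for those the key policy, not the source address, is the control.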
AWS CloudHSM
Using Keys Securely in AWS
AWS Key Management Service
• Multi-tenant
• AWS-managed
• FIPS-validated HSMs
AWS CloudHSM
• Single-tenant
• Customer-controlled
• FIPS-validated HSMs
• Use directly or via AWS
KMS
What is AWS CloudHSM?
• A cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys in the AWS Cloud
• A fully managed service that automates time-consuming administrative tasks for you, such as
  • Hardware provisioning
  • Software patching
  • High availability
  • Backups
• Pay as you go with no upfront costs
• HSMs are part of a cluster
  • A group of equivalent HSMs, 0 - 32 HSMs per cluster
  • Each HSM instance appears as a network resource in your Amazon Virtual Private Cloud (VPC)
  • Users, policies and keys are identical across the cluster
  • Clients automatically load balance across the cluster
  • Customers can deploy across Availability Zones for high availability
• Allows you to copy backups of your CloudHSM cluster from one Region to another for disaster recovery purposes, and simplifies development of globally distributed or cross-Region redundant workloads
Customers use AWS CloudHSM to…
• Offload the TLS/SSL processing for web servers
• Protect private keys for your issuing certificate authority (CA)
• Enable Transparent Data Encryption (TDE) for Oracle
databases
• Document and code signing
• Digital Rights Management
Aspects of Control in CloudHSM
Control: application development; algorithms and key lengths; user management; specific compliance
Control Implies Responsibility
Control: application development; algorithms and key lengths; user management; specific compliance
Responsibility: application integration; HSM maintenance; backups; provisioning; high availability; user management; logging
CloudHSM Simplifies Management Tasks
Responsibility: application integration; HSM maintenance; backups; provisioning; high availability; user management; logging
Of these, the service takes on HSM maintenance, backups, provisioning and high availability (see “What is AWS CloudHSM?” above); application integration and user management remain with you
AWS CloudHSM
• Single-tenant access to high-performance FIPS 140-2 Level 3 validated hardware
• Hardware/service APIs managed by AWS
• Automatic patching, backup, HA
• HSMs are inside your Amazon VPC, isolated from the rest of the network
• Uses third-party hardware with FIPS 140-2 Level 3 validation
• Only you have access to your keys and to operations using the keys
• Your network traffic between CloudHSM and client applications is strongly encrypted and authenticated
[Diagram: the CloudHSM appliance sits in your Amazon VPC; the AWS administrator manages the appliance, while you control the keys and the cryptographic operations]
AWS CloudHSM Cluster Architecture
• You specify Amazon VPC in your AWS account and one
or more subnets in that VPC
• By putting HSMs in different Availability Zones, you
achieve redundancy and high availability in case
one Availability Zone is unavailable
• AWS CloudHSM puts an elastic network interface (ENI)
in specified subnet in your AWS account
• ENI is interface for interacting with the HSM
• The HSM resides in a separate VPC in an AWS
account that is owned by AWS CloudHSM
• The HSM and its corresponding network interface
are in the same Availability Zone
• You need AWS CloudHSM client software
• Install client on any compatible computer that can
connect to the HSM ENIs
• Typically you install client on Amazon EC2 instances
that reside in the same VPC as the HSM ENI
Total Control of Access Management
• AWS CloudHSM offers you secure HSM access to create
users and policies
• You can create granular access management policies for
up to 1,024 users on your HSMs
• Each user is in a private sandbox and can create keys
that are not visible to other users
• Keys can be shared with up to 8 other users who can
use (but not manage) that specific key
• AWS has no access to your encryption keys
AWS CloudHSM Separation of Duties
• Manufacturer
  • Produces, certifies and signs FIPS-validated firmware
• AWS
  • No access to crypto functions, and cannot observe client<->HSM communications
  • Initializes (and zeroizes) the adapter
  • Creates and destroys/zeroizes individual HSMs
  • Updates firmware (FIPS-validated only)
  • Backs up and restores HSMs (encrypted backups)
  • Manages clustering (add/remove nodes, sync)
• Customer
  • All key management and cryptographic functions
  • Administers authentication and access control to the HSM (users, privileges, policies)
  • Performs file-based backups
AWS CloudHSM Managed Backup
• AWS CloudHSM backs up encryption keys and the entire HSM configuration, including users and policies
• Your backups are encrypted under keys held by both the HSM manufacturer and AWS
• Backups can only be decrypted inside your HSM
• The manufacturer’s key backup key (MKBK) exists in the HSM hardware
• The AWS key backup key (AKBK) is securely installed by the CloudHSM service when the hardware is placed into operation
AWS CloudHSM Managed Backup
• Backup of the HSM is encrypted using a backup encryption key (BEK), an AES-
256 key that is generated within the HSM when a backup is requested
• BEK is wrapped with an AES 256-bit wrapping key derived from the MKBK and
AKBK via a key derivation function (KDF)
• Each backup stored on Amazon S3 for high durability with extra layer of
encryption with AWS Key Management Service (AWS KMS)
• You can clone your backups to create new clusters
AWS Key Management Service Custom Key Store
AWS KMS Custom Key Store
[Diagram: clients and AWS services reach the custom key store through AWS KMS]
• Combines AWS CloudHSM’s control with AWS KMS’s integrations
• Use CloudHSM-backed keys in most AWS services via AWS KMS
Why use AWS KMS Custom Key Store?
If your organization has requirements such as:
• You have keys that are required to be protected in a single-
tenant HSM or in an HSM over which you have direct control
• You have keys that are explicitly required to be stored in an
HSM validated at FIPS 140-2 level 3 overall
• The HSMs used in the default KMS key store are validated to level
2 overall, with level 3 in several categories, including physical
security
• You have keys that are required to be auditable
independently of KMS
[Diagram: customers’ applications call AWS KMS through the KMS endpoint, either via the AWS SDKs or through the 117+ integrated AWS services; KMS serves keys from its standard key store on the KMS HSM fleet or, through the Custom Key Store “connector”, from a CloudHSM cluster in your VPC, which custom clients can also use directly over PKCS#11, JCE or CNG]
More Control Means More Responsibility
You take responsibility for certain operational aspects that would otherwise be handled by KMS
• KMS stores imported keys only in volatile memory; you are responsible for backups
• You have control over keys, backups and:
  • Availability
  • Performance
  • Capacity
  • Security properties of the HSMs
• You determine resilience across AZs
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
Choosing Encryption Tools & Services
Optimization Journey: Security & Business Operations
[Diagram: a progression from client-side encryption using client-side master keys, through AWS CloudHSM, to AWS Key Management Service]
Key Management Considerations
Where are keys generated and stored?
• Hardware you own?
• Hardware the cloud provider owns?
Where are keys used?
• Client software you control?
• Server software the cloud provider controls?
Who can use the keys?
• Users and applications that have permissions?
• Cloud provider applications you give permissions to?
What assurances are there for proper security around keys?
When to Use AWS Key Management Service
Consider using AWS KMS when:
• You need to secure your encryption keys in a service backed by FIPS-validated HSMs, but you do not need to manage the HSMs yourself
• FIPS 140-2 Level 2 (overall) validated HSMs meet your requirements
• AES-256 symmetric encryption meets your requirements
https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-kms.html
When to Use AWS CloudHSM
Consider using AWS CloudHSM if you require:
• Keys stored in dedicated, third-party validated hardware
security modules under your exclusive control
• FIPS 140-2 Level 3 validated HSMs
• Asymmetric encryption
• Integration with applications using PKCS#11, Java JCE,
or Microsoft CNG interfaces
• High-performance in-VPC cryptographic acceleration
(bulk crypto)
https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-hsm.html
When to Use AWS KMS Custom Key Stores
Use AWS KMS Custom Key Stores when:
• You require keys to be protected in a single-tenant HSM, or in an HSM over which you have direct control
• You have an explicit requirement for HSMs validated at FIPS 140-2 Level 3 overall
• You have keys that are required to be auditable independently of KMS
• You are comfortable operating HSMs yourself
  • Using the custom key store feature, you will perform certain tasks that are normally handled by KMS
• You are comfortable with the increased cost and the potential impact on performance and availability
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
Resources
AWS re:Inforce 2019: Encrypting Everything with AWS
https://www.youtube.com/watch?v=oqHLLbOoxDg
AWS re:Inforce 2019: How Encryption Works in AWS
https://www.youtube.com/watch?v=plv7PQZICCM
AWS re:Invent 2017: A Deep Dive into AWS Encryption Services
https://www.youtube.com/watch?v=gTZgxsCTfbk
AWS Key Management Service Cryptographic Details
https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
AWS Key Management Service Best Practices
https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
AWS CloudHSM User Guide
https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html
AWS re:Inforce 2019: Achieving Security Goals with AWS CloudHSM
https://www.youtube.com/watch?v=_gezaWmwzYY
Security of AWS CloudHSM Backups
https://d1.awsstatic.com/whitepapers/Security/security-of-aws-cloudhsm-backups.pdf
Announcing KMS Custom Key Stores using CloudHSM
https://www.youtube.com/watch?v=AAitIKFeO6k
Introducing AWS Key Management Service Custom Key Store - AWS Online Tech Talks
https://www.youtube.com/watch?v=ksnHLFxgXcI
Are KMS custom key stores right for you?
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
How to Choose an Encryption Tool or Service
https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-toplevel.html
Encryption and KMS Workshop in AWS
https://github.com/aws-samples/aws-kms-workshop
Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security
 
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...Amazon Web Services
 
AWS Security and Encryption
AWS Security and EncryptionAWS Security and Encryption
AWS Security and EncryptionRichard Harvey
 
Security @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep DiveSecurity @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep DiveKristana Kane
 
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018Amazon Web Services
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWSAmazon Web Services
 
Intro To AWS for Mobile Developers: Collision 2018
Intro To AWS for Mobile Developers: Collision 2018Intro To AWS for Mobile Developers: Collision 2018
Intro To AWS for Mobile Developers: Collision 2018Amazon Web Services
 

Similar to AWS Security Webinar: The Key to Effective Cloud Encryption (20)

How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...
 
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...
 
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitData protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side EncryptionSID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
 
Cloud Adoption Framework: Security Perspective - CAF Data Protection in Trans...
Cloud Adoption Framework: Security Perspective - CAF Data Protection in Trans...Cloud Adoption Framework: Security Perspective - CAF Data Protection in Trans...
Cloud Adoption Framework: Security Perspective - CAF Data Protection in Trans...
 
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...
AWS Encryption SDK: The Busy Engineer's Guide to Client-Side Encryption (SEC3...
 
SEC301 Security @ (Cloud) Scale
SEC301 Security @ (Cloud) ScaleSEC301 Security @ (Cloud) Scale
SEC301 Security @ (Cloud) Scale
 
AWS Security and Encryption
AWS Security and EncryptionAWS Security and Encryption
AWS Security and Encryption
 
Security @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep DiveSecurity @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep Dive
 
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWS
 
Securing Your Big Data on AWS
Securing Your Big Data on AWSSecuring Your Big Data on AWS
Securing Your Big Data on AWS
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
 
Intro To AWS for Mobile Developers: Collision 2018
Intro To AWS for Mobile Developers: Collision 2018Intro To AWS for Mobile Developers: Collision 2018
Intro To AWS for Mobile Developers: Collision 2018
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS Security Webinar: The Key to Effective Cloud Encryption

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION.
    AWS Security Webinar: The Key to Effective Cloud Encryption, September 2019
    Tim Rains, Regional Leader Security & Compliance Business Acceleration EMEA, WWPS
    Dave Walker, Specialist Solutions Architect, Security and Compliance, EMEA
  • 2. Agenda
  • 3. Conversations with CISOs, CTOs, CIOs, DPOs, GCs
    • Encryption & Key Management
    • Government access to data
    • Other compliance topics
    • Data residency & data sovereignty
  • 4. Encryption & Key Management
    Typical reasons organizations protect data
    • Compliance obligations
    • Maintain confidentiality and integrity of data
    • Mitigate risk of unauthorized access to data
      • Physical
      • Logical
  • 5. Traditional Challenge: Operational Risks vs. Security Risks
    (Diagram: operational risks weighed against security risks)
  • 6. Ubiquitous Encryption
    (Diagram) Data sources: Amazon EBS, Amazon RDS, Amazon Redshift, Amazon S3, Amazon Glacier; Applications
    • Encrypted in transit and at rest
    • Key options: fully managed keys in AWS KMS, imported keys, your KMI
    • Auditable: AWS CloudTrail
    • Restricted access: IAM
  • 7. Data at Rest
  • 8. Symmetric Key Encryption
    • Plaintext: information or data in an unencrypted, unprotected, or human-readable form
    • Ciphertext: the encrypted data
    • Protecting data keys: encrypting a data key protects it, making storage easier
    • Encrypting the same data under multiple master/wrapping keys: instead of re-encrypting the data multiple times with different keys, re-encrypt only the data keys that protect the data
    • Combining the strengths of multiple algorithms: raw data can be encrypted with symmetric encryption and the data key then encrypted with public key encryption
    https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
  • 9. Symmetric Algorithms
    AWS cryptographic tools and services commonly support widely used symmetric algorithms
    • Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys
    • AES is often combined with Galois/Counter Mode (GCM) and known as AES-GCM
    • Triple DES (3DES) uses three 56-bit keys
    • AES-256-XTS block cipher
    https://docs.aws.amazon.com/crypto/latest/userguide/concepts-algorithms.html
  • 10. Envelope Encryption
    The practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
  • 11. Envelope Encryption (diagram slide; same definition as slide 10)
  • 12. Envelope Encryption (diagram)
    The practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
    Plaintext data → hardware/software encryption with a symmetric data key → encrypted data → encrypted data in storage
    Symmetric data key → encrypted under a master key (or wrapping key) → encrypted data key
    Questions posed on the slide: "Symmetric data key?" and "Key hierarchy?"
  • 13. Envelope Encryption
    The practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
    • A master key is an encryption key that is used to encrypt other encryption keys, such as data keys and key encryption keys
    • Unlike data keys and key encryption keys, master keys must be used in plaintext so they can decrypt the keys that they encrypted
    • The term master key usually refers to how the key is used, not how it is constructed
    • Some AWS services provide master keys:
      • The HSMs in an AWS CloudHSM cluster generate encryption keys that can be used as data keys, key encryption keys, or master keys
      • AWS Key Management Service (AWS KMS) generates and protects master keys. Its customer master keys (CMKs) are created, managed, used, and deleted entirely within AWS KMS
      • AWS KMS allows you to import your own CMKs, if you want to generate them independently or use a different key generation mechanism for them
  • 14. Options for Data at Rest Encryption in AWS
    Client-side encryption
    • You encrypt your data before it is submitted to the service
    • You supply the encryption keys OR use keys in your AWS account
    • Available encryption clients: S3, DynamoDB, Amazon Elastic MapReduce File System (EMRFS), AWS Encryption SDK
    Server-side encryption
    • AWS encrypts data on your behalf after it is received by the service
    • Many integrated services, including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail, etc.
  • 15. Data at Rest: Client-side Encryption
  • 16. Client-side Encryption in AWS
    You encrypt your data before it is submitted to the service
    (Diagram) Your applications in your data center with your key management infrastructure, or your application in EC2 with your key management infrastructure in EC2, AWS KMS or AWS CloudHSM; your encryption client application; your encrypted data in select AWS services
  • 17. Client-side Encryption Example using a Client-Side Master Key
    • Your client-side master keys and unencrypted data are never sent to AWS
    • The Amazon S3 encryption client generates a one-time-use symmetric key (a.k.a. a data key) locally
    • The data key is used to encrypt the data of a single Amazon S3 object
    • The client generates a separate data key for each object
    • The client encrypts the data key using the master key that you provide
    • The client-side master key you provide can be a symmetric key or a public/private key pair
    • The client uploads the encrypted data key and its material description as part of the object metadata
    • The material description is used to pick which client-side master key to use for decryption
    • The client uploads the encrypted data to Amazon S3 and saves the encrypted data key as object metadata in Amazon S3
  • 18. Client-side Encryption Example using a Client-Side Master Key
    • The client downloads the encrypted object from Amazon S3
    • Using the material description from the object's metadata, the client determines which master key to use
    • The client uses that master key to decrypt the data key and then uses the data key to decrypt the object
    The following AWS SDKs support client-side encryption:
    • AWS SDK for .NET
    • AWS SDK for Go
    • AWS SDK for Java
    • AWS SDK for PHP
    • AWS SDK for Ruby
    • AWS SDK for C++
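Envelope encryption as slides 8 to 13 describe it and as the S3 client flow on slides 17 and 18 applies it, written out as an added Go example that is not part of this deck and not AWS SDK code. A one-time data key encrypts the data with AES-256-GCM exactly once; the data key is wrapped under a master key; the master key id stored with each wrapped key plays the role of the material description, so the decrypting side can tell which master key to use; and a further master key can be added later by re-wrapping only the data key. Everything is Go standard library. The masterKeys map is a stand-in for keys that AWS KMS or CloudHSM would hold, and the ids and key bytes the caller supplies are constructed inputs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope holds data encrypted once under a data key, plus that data key wrapped
// under each master key allowed to decrypt it, keyed by master key id.
type Envelope struct {
	Ciphertext  []byte
	WrappedKeys map[string][]byte
}

// seal encrypts with AES-256-GCM under a fresh random nonce; returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or any modified byte fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt generates a one-time data key, encrypts plaintext under it exactly once and wraps
// the data key under the named master key. masterKeys stands in for AWS KMS or an HSM: in
// practice only the wrap and unwrap calls cross that boundary and the master key never leaves it.
func Encrypt(masterKeys map[string][]byte, masterKeyID string, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // AES-256 data key, used for this envelope only
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: ct, WrappedKeys: map[string][]byte{}}
	if err := env.AddMasterKey(masterKeys, masterKeyID, dataKey); err != nil {
		return nil, err
	}
	return env, nil
}

// AddMasterKey wraps the data key under one more master key without touching the ciphertext:
// the slide 8 point that changing or adding wrapping keys means re-encrypting only the data key.
func (e *Envelope) AddMasterKey(masterKeys map[string][]byte, id string, dataKey []byte) error {
	masterKey, ok := masterKeys[id]
	if !ok {
		return fmt.Errorf("unknown master key %q", id)
	}
	wrapped, err := seal(masterKey, dataKey, []byte(id)) // aad binds the wrapped key to its master key id
	if err != nil {
		return err
	}
	e.WrappedKeys[id] = wrapped
	return nil
}

// UnwrapDataKey recovers the data key with any master key held in both the keyring and the
// envelope; this is the only step that needs a master key in plaintext (slide 13).
func (e *Envelope) UnwrapDataKey(masterKeys map[string][]byte) ([]byte, error) {
	for id, wrapped := range e.WrappedKeys {
		if masterKey, ok := masterKeys[id]; ok {
			return open(masterKey, wrapped, []byte(id))
		}
	}
	return nil, errors.New("no usable master key for this envelope")
}

// Decrypt unwraps the data key and then decrypts the data.
func Decrypt(masterKeys map[string][]byte, e *Envelope) ([]byte, error) {
	dataKey, err := e.UnwrapDataKey(masterKeys)
	if err != nil {
		return nil, err
	}
	return open(dataKey, e.Ciphertext, nil)
}
```

Two design points worth noticing: the master key id goes into the GCM associated data of the wrapped key, so a wrapped key cannot be silently relabelled as belonging to a different master key, and a keyring that holds only a master key the envelope was never wrapped under gets a clean error rather than garbage. Adding a second master key leaves the ciphertext byte-for-byte unchanged, which is what makes key rotation on large objects cheap.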
  • 19. Client-side encryption in AWS using a Client-Side Master Key
  • 20. Client-side encryption in AWS using a Client-Side Master Key
  • 21. Client-side decryption in AWS using a Client-Side Master Key
    Slides 19 to 21 show one main() method from the AWS sample at https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html, reproduced here in one piece. The slides' callouts are kept as comments; the imports the slides omit are added; saveSymmetricKey and loadSymmetricAESKey are helper methods defined in that sample, and the catch block, which the slides cut, is reduced to a placeholder.

    ```java
    import java.io.ByteArrayInputStream;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;
    import com.amazonaws.auth.profile.ProfileCredentialsProvider;
    import com.amazonaws.regions.Regions;
    import com.amazonaws.services.s3.AmazonS3;
    import com.amazonaws.services.s3.AmazonS3EncryptionClientBuilder;
    import com.amazonaws.services.s3.model.EncryptionMaterials;
    import com.amazonaws.services.s3.model.ObjectMetadata;
    import com.amazonaws.services.s3.model.PutObjectRequest;
    import com.amazonaws.services.s3.model.S3Object;
    import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;

    public static void main(String[] args) throws Exception {
        // Slide callout: "Set up variables and a master key"
        Regions clientRegion = Regions.DEFAULT_REGION;
        String bucketName = "*** Bucket name ***";
        String objectKeyName = "*** Object key name ***";
        String masterKeyDir = System.getProperty("java.io.tmpdir");
        String masterKeyName = "secret.key";

        // Generate a symmetric 256-bit AES key.
        // Slide callout: "Generate new AES-256 data key called symKey"
        KeyGenerator symKeyGenerator = KeyGenerator.getInstance("AES");
        symKeyGenerator.init(256);
        SecretKey symKey = symKeyGenerator.generateKey();

        // To see how it works, save and load the key to and from the file system.
        // Slide callouts: "Save data key to file system, encrypt with master key";
        // "Load key into memory from file system"
        // (saveSymmetricKey and loadSymmetricAESKey are defined in the linked AWS sample.)
        saveSymmetricKey(masterKeyDir, masterKeyName, symKey);
        symKey = loadSymmetricAESKey(masterKeyDir, masterKeyName, "AES");

        try {
            // Create the Amazon S3 encryption client.
            // Slide callout: "Tell the S3 encryption client to use symKey"
            EncryptionMaterials encryptionMaterials = new EncryptionMaterials(symKey);
            AmazonS3 s3EncryptionClient = AmazonS3EncryptionClientBuilder.standard()
                    .withCredentials(new ProfileCredentialsProvider())
                    .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(encryptionMaterials))
                    .withRegion(clientRegion)
                    .build();

            // Upload a new object. The encryption client automatically encrypts it.
            // Slide callout: "Now S3 encryption client uses symKey to encrypt objects it puts into S3"
            byte[] plaintext = "S3 Object Encrypted Using Client-Side Symmetric Master Key.".getBytes();
            s3EncryptionClient.putObject(new PutObjectRequest(bucketName, objectKeyName,
                    new ByteArrayInputStream(plaintext), new ObjectMetadata()));

            // Download and decrypt the object.
            S3Object downloadedObject = s3EncryptionClient.getObject(bucketName, objectKeyName);
            byte[] decrypted = com.amazonaws.util.IOUtils.toByteArray(downloadedObject.getObjectContent());
        } catch (Exception e) {
            // The slides omit the catch blocks; the linked sample handles the SDK's exceptions here.
            throw e;
        } //end of try
    } //end of public static void main
    ```
  • 22. Client-side encryption in AWS Using a Client-Side Master Key
    (Diagram) Your applications in your data center: the Amazon S3 encryption client holds the master key and sends the encrypted data together with the encrypted data key to Amazon S3
  • 23. Client-side decryption in AWS Using a Client-Side Master Key
    (Diagram) Amazon S3 returns the encrypted data and the encrypted data key to the Amazon S3 encryption client in your data center, which uses the master keys to decrypt them
  • 24. Client-side Encryption Example using DynamoDB Encryption Client
    • The DynamoDB Encryption Client processes one table item at a time
    • First, it encrypts the values of the attributes that you specify
    • Then, it calculates a signature over the attributes that you specify, so you can detect unauthorized changes to the item as a whole, including adding or deleting attributes, or substituting one encrypted value for another
    • Attribute names, and the names and values in the primary key (the partition key and sort key), must remain in plaintext to make the item discoverable
      • But they are included in the signature by default
    • Do not put any sensitive data in the table name, attribute names, the names and values of the primary key attributes, or any attribute values that you tell the client not to encrypt
  • 25. Client-side Encryption Example using DynamoDB Encryption Client
    • Cryptographic materials providers (CMPs)
      • Wrapped Materials Provider (Wrapped CMP)
      • Direct KMS Materials Provider
      • Most Recent Provider
      • Static Materials Provider
    • The Wrapped CMP lets you use wrapping and signing keys from any source with the DynamoDB Encryption Client
      • Does not depend on any AWS service
      • Generate and manage your wrapping and signing keys outside of the client
  • 26. Client-side Encryption Example using DynamoDB Encryption Client (diagram slide)
  • 27. Client-side Encryption Example using DynamoDB Encryption Client
    1. The Wrapped CMP generates a unique symmetric item encryption key for the table item
    2. It uses the wrapping key that you specify to wrap the item encryption key, then removes it from memory as soon as possible
    3. It returns the plaintext item encryption key, the signing key that you supplied, and an actual material description that includes the wrapped item encryption key and the encryption and wrapping algorithms
    4. The item encryptor uses the plaintext key to encrypt the item
      1. It uses the signing key that you supplied to sign the item
      2. Then it removes the plaintext keys from memory as soon as possible
      3. It copies the fields in the actual material description, including the wrapped encryption key, to the material description attribute of the item
  • 28. Client-side Encryption Example using DynamoDB Encryption Client (diagram slide)
  • 29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. Client-side Encryption Example using DynamoDB Encryption Client final EnumSet<EncryptionFlags> signOnly = EnumSet.of(EncryptionFlags.SIGN); final EnumSet<EncryptionFlags> encryptAndSign = EnumSet.of(EncryptionFlags.ENCRYPT, EncryptionFlags.SIGN); final Map<String, Set<EncryptionFlags>> actions = new HashMap<>(); for (final String attributeName : record.keySet()) { switch (attributeName) { case partitionKeyName: // fall through to the next case case sortKeyName: // Partition and sort keys must not be encrypted, but should be signed actions.put(attributeName, signOnly); break; case "test": // Neither encrypted nor signed break; default: // Encrypt and sign all other attributes actions.put(attributeName, encryptAndSign); break; } } https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/dynamodb-encryption-client.pdf For partition and sort keys, sign only If the attribute is “test”, don’t sign or encrypt it; do nothing Encrypt and sign all other attributes Set up attribute actions
  • 30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. Client-side Encryption Example using DynamoDB Encryption Client //Encrypt and sign the item final Map encrypted_record = encryptor.encryptRecord(record, actions, encryptionContext); //Put the item in the DynamoDB table final AmazonDynamoDB ddb = AmazonDynamoDBClientBuilder.defaultClient(); ddb.putItem(tableName, encrypted_record); https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/dynamodb-encryption-client.pdf Encrypt, sign, or do both on record depending on attribute Write the record to the database
  • 31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. Client-side Encryption Example using DynamoDB Encryption Client The following figure shows a part of an example encrypted and signed table item Partition and sort keys not encryptedValue of the ‘test’ attribute is in plaintext Values of attributes are encrypted All attribute names are in plaintext
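The following Go program is an added example, not code from the deck or from the DynamoDB Encryption Client, that walks through the Wrapped CMP steps on slides 27 to 31 with stand-in primitives: a per-item key wrapped under a caller-supplied wrapping key, AES-CTR for the encrypted attribute values, and an HMAC-SHA256 item signature over the attribute names and stored values (including the plaintext partition and sort keys and the material description, excluding the "test" attribute). The algorithms, the 32-byte wrapping and signing keys, and the sample item are assumptions for the example; the two added attribute names follow the Java client's defaults. Its point is the one the slides make: without the signature, swapping two encrypted values, editing the plaintext sort key, or adding or deleting an attribute would go unnoticed, because CTR decrypts anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Action mirrors the client's EncryptionFlags; the zero value is the Java switch's default.
type Action int

const (
	EncryptAndSign Action = iota
	SignOnly  // plaintext, but covered by the signature (partition and sort keys)
	DoNothing // neither encrypted nor signed (the "test" attribute)
)

type Item map[string][]byte // one table item: attribute name -> value bytes

// Attributes the client adds to every item (the Java client's default names).
const descAttr, sigAttr = "*amzn-ddb-map-desc*", "*amzn-ddb-map-sig*"

// ctr runs AES-CTR; it gives no integrity on its own, the item signature supplies that.
func ctr(key, iv, in []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are 32 bytes throughout this example
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// encryptValue returns iv || AES-CTR(plaintext) under a fresh random IV.
func encryptValue(key, plaintext []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	return append(iv, ctr(key, iv, plaintext)...)
}

// sign is HMAC-SHA256 over every stored attribute whose action is not DoNothing, as sorted,
// length-prefixed (name, stored value) pairs: the plaintext primary key and the material
// description are covered, and adding, deleting, renaming or swapping attributes is detected.
func sign(stored Item, actions map[string]Action, signKey []byte) []byte {
	var names []string
	for n := range stored {
		if n != sigAttr && actions[n] != DoNothing {
			names = append(names, n)
		}
	}
	sort.Strings(names)
	mac := hmac.New(sha256.New, signKey)
	for _, n := range names {
		fmt.Fprintf(mac, "%d:%s%d:", len(n), n, len(stored[n]))
		mac.Write(stored[n])
	}
	return mac.Sum(nil)
}

// EncryptItem follows the slide: unique item key, wrap it, encrypt, sign, zero the plaintext key.
func EncryptItem(plain Item, actions map[string]Action, wrapKey, signKey []byte) Item {
	itemKey := make([]byte, 32)
	rand.Read(itemKey)
	defer copy(itemKey, make([]byte, 32))
	stored := Item{descAttr: encryptValue(wrapKey, itemKey)}
	for n, v := range plain {
		if actions[n] == EncryptAndSign {
			v = encryptValue(itemKey, v)
		}
		stored[n] = v
	}
	stored[sigAttr] = sign(stored, actions, signKey)
	return stored
}

// DecryptItem verifies the signature before any ciphertext is touched.
func DecryptItem(stored Item, actions map[string]Action, wrapKey, signKey []byte) (Item, error) {
	if !hmac.Equal(sign(stored, actions, signKey), stored[sigAttr]) {
		return nil, fmt.Errorf("signature mismatch: item was modified")
	}
	w := stored[descAttr]
	itemKey := ctr(wrapKey, w[:aes.BlockSize], w[aes.BlockSize:])
	plain := Item{}
	for n, v := range stored {
		if actions[n] == EncryptAndSign && n != sigAttr && n != descAttr {
			v = ctr(itemKey, v[:aes.BlockSize], v[aes.BlockSize:])
		}
		plain[n] = v
	}
	delete(plain, descAttr)
	delete(plain, sigAttr)
	return plain, nil
}

func main() {
	wrapKey, signKey := make([]byte, 32), make([]byte, 32) // demo keys; real ones come from your key store
	actions := map[string]Action{"customer_id": SignOnly, "order_ts": SignOnly, "test": DoNothing}
	stored := EncryptItem(Item{"customer_id": []byte("cust-0001"), "order_ts": []byte("2019-09-01"),
		"card": []byte("4111111111111111"), "addr": []byte("1 Example St"), "test": []byte("x")}, actions, wrapKey, signKey)
	stored["card"], stored["addr"] = stored["addr"], stored["card"] // substitute one ciphertext for another
	_, err := DecryptItem(stored, actions, wrapKey, signKey)
	fmt.Println("after the swap:", err)
}
```

Unlisted attributes fall to EncryptAndSign, as in the Java loop's default branch, which is what makes an added attribute detectable: it shows up in the signed name set at verification time but was not there when the item was signed.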
  • 32. Client-side Encryption using AWS Encryption SDK
    • The AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices
    • It lets you focus on the core functionality of your application rather than on how best to encrypt and decrypt your data
    • Without it, you might spend more effort on building an encryption solution than on the core functionality of your application
  • 33. Client-side Encryption using AWS Encryption SDK
    • The AWS Encryption SDK answers questions like:
      • Which encryption algorithm should I use?
      • How, or in which mode, should I use that algorithm?
      • How do I generate the encryption key?
      • How do I protect the encryption key, and where should I store it?
      • How can I make my encrypted data portable?
      • How do I ensure that the intended recipient can read my encrypted data?
      • How can I ensure my encrypted data is not modified between the time it is written and when it is read?
    • It provides a default implementation that adheres to cryptography best practices
    • A framework for protecting data keys with master keys
    • A formatted message that stores the encrypted data keys together with the encrypted data
  • 34. Client-side Encryption using AWS Encryption SDK: supported algorithm suites (table not reproduced) and programming languages
    • C
    • Java
    • JavaScript
    • Python
    • AWS Encryption CLI (built on the AWS Encryption SDK for Python; supported on Linux, macOS, and Windows)
    https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/faq.html
  • 35. Client-side Encryption using AWS Encryption SDK: key management
    • By default, the SDK gets its encryption and decryption materials from the source you specify:
      • A master key provider, when using Java or Python
      • A keyring, when using C or JavaScript
      • A cryptographic service, such as AWS Key Management Service (AWS KMS)
    https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/faq.html
  • 36. Client-side Encryption in AWS: encrypt your data before it is submitted to the service (diagram; components: your applications in your data center, your key management infrastructure on premises or in EC2, your encryption client application, your application in EC2, your encrypted data in select AWS services, AWS KMS, AWS CloudHSM)
  • 37. Encryption Key Management Options from AWS Partners: https://aws.amazon.com/marketplace
  • 38. Data at Rest: Server-side Encryption
  • 39. Options for Data at Rest Encryption in AWS
    Client-side encryption
    • You encrypt your data before it is submitted to the service
    • You supply the encryption keys OR use keys in your AWS account
    • Available encryption clients: S3, DynamoDB, Amazon Elastic MapReduce File System (EMRFS), AWS Encryption SDK
    Server-side encryption
    • AWS encrypts data on your behalf after it is received by the service
    • Many integrated services, including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail, etc.
  • 40. Server-side Encryption in Amazon S3
    • Amazon S3 encrypts data at the object level as it writes it to disks, and decrypts it when you access it with an authenticated request that has the required access permissions
    • Three mutually exclusive options:
      • Server-Side Encryption with Customer-Provided Keys (SSE-C)
      • Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
      • Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
  • 41. Server-side Encryption in Amazon S3 – SSE-C
    • Server-side encryption with customer-provided keys (SSE-C)
    • The customer manages the encryption keys
    • Amazon S3 manages the encryption as it writes to disks, and the decryption when you access your objects
    • You don't need to maintain any code to encrypt or decrypt data
    • When an object is uploaded, Amazon S3 uses the customer-provided encryption key to apply AES-256 encryption
    • Then it removes the encryption key from memory
  • 42. Server-side Encryption in Amazon S3 – SSE-C
    • S3 does not store the encryption key you provide
    • It stores a randomly salted HMAC value of the key to validate future requests; that value cannot be used to derive the encryption key or to decrypt the data
    • If you lose the encryption key, you lose the object
    • When you retrieve an object, you must provide the same encryption key as part of your request
    • S3 first verifies that the encryption key you provided matches, and only then decrypts the object before returning the object data
  • 43. Server-side encryption in Amazon S3 with customer-provided encryption keys (SSE-C), diagram: the customer sends plaintext data and the customer-provided key to the Amazon S3 web server over HTTPS; the key is used at the S3 web server and then deleted; encrypted data goes to the Amazon S3 storage fleet; the customer must provide the same key when downloading to allow S3 to decrypt the data
  • 44. Server-side Encryption in Amazon S3 – SSE-C (Java SDK example, part 1: imports, fields and parameters)
    import java.io.BufferedReader;
    import java.io.File;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import javax.crypto.KeyGenerator;
    import com.amazonaws.AmazonServiceException;
    import com.amazonaws.SdkClientException;
    import com.amazonaws.auth.profile.ProfileCredentialsProvider;
    import com.amazonaws.services.s3.AmazonS3;
    import com.amazonaws.services.s3.AmazonS3ClientBuilder;
    import com.amazonaws.services.s3.model.GetObjectMetadataRequest;
    import com.amazonaws.services.s3.model.GetObjectRequest;
    import com.amazonaws.services.s3.model.ObjectMetadata;
    import com.amazonaws.services.s3.model.PutObjectRequest;
    import com.amazonaws.services.s3.model.S3Object;
    import com.amazonaws.services.s3.model.SSECustomerKey;

    public class ServerSideEncryptionUsingClientSideEncryptionKey {
        private static SSECustomerKey SSE_KEY;
        private static AmazonS3 S3_CLIENT;
        private static KeyGenerator KEY_GENERATOR;

        public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
            String clientRegion = "*** Client region ***";
            String bucketName = "*** Bucket name ***";
            String keyName = "*** Key name ***";
            String uploadFileName = "*** File path ***";
            String targetKeyName = "*** Target key name ***"; // used by the copy step of the full AWS sample
    https://docs.aws.amazon.com/AmazonS3/latest/dev/sse-c-using-java-sdk.html
  • 45. Server-side Encryption in Amazon S3 – SSE-C (Java SDK example, part 2: generate the key and run the upload, download and metadata calls)
            // Create an encryption key: a fresh AES-256 key called SSE_KEY that only this client holds.
            // S3 never stores it, so losing it means losing the objects encrypted under it.
            KEY_GENERATOR = KeyGenerator.getInstance("AES");
            KEY_GENERATOR.init(256, new SecureRandom());
            SSE_KEY = new SSECustomerKey(KEY_GENERATOR.generateKey());

            try {
                S3_CLIENT = AmazonS3ClientBuilder.standard()
                        .withCredentials(new ProfileCredentialsProvider())
                        .withRegion(clientRegion)
                        .build();
                // Encryption and decryption happen server-side inside these three calls.
                // Upload an object.
                uploadObject(bucketName, keyName, new File(uploadFileName));
                // Download the object.
                downloadObject(bucketName, keyName);
                // Verify that the object is properly encrypted by retrieving its metadata
                // with the encryption key.
                retrieveObjectMetadata(bucketName, keyName);
            } catch (AmazonServiceException e) {
                // The call was transmitted successfully, but Amazon S3 couldn't process it
                e.printStackTrace();
            } catch (SdkClientException e) {
                // Amazon S3 couldn't be contacted, or the client couldn't parse the response
                e.printStackTrace();
            }
        }
    https://docs.aws.amazon.com/AmazonS3/latest/dev/sse-c-using-java-sdk.html
  • 46. Server-side Encryption in Amazon S3 – SSE-C (Java SDK example, part 3: the helper methods)
        // Put the object in S3; S3 encrypts it using SSE_KEY, then discards the key
        private static void uploadObject(String bucketName, String keyName, File file) {
            PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, file).withSSECustomerKey(SSE_KEY);
            S3_CLIENT.putObject(putRequest);
            System.out.println("Object uploaded");
        }

        // Download the object from S3; S3 decrypts it using SSE_KEY supplied with the request
        private static void downloadObject(String bucketName, String keyName) throws IOException {
            GetObjectRequest getObjectRequest = new GetObjectRequest(bucketName, keyName).withSSECustomerKey(SSE_KEY);
            S3Object object = S3_CLIENT.getObject(getObjectRequest);
            System.out.println("Object content: ");
            displayTextInputStream(object.getObjectContent());
        }

        // Retrieve the object metadata; the request must also carry SSE_KEY
        private static void retrieveObjectMetadata(String bucketName, String keyName) {
            GetObjectMetadataRequest getMetadataRequest = new GetObjectMetadataRequest(bucketName, keyName)
                    .withSSECustomerKey(SSE_KEY);
            ObjectMetadata objectMetadata = S3_CLIENT.getObjectMetadata(getMetadataRequest);
            System.out.println("Metadata retrieved. Object size: " + objectMetadata.getContentLength());
        }

        private static void displayTextInputStream(InputStream input) throws IOException {
            BufferedReader reader = new BufferedReader(new InputStreamReader(input));
            String line;
            while ((line = reader.readLine()) != null) {
                System.out.println("    " + line);
            }
        }
    }
    https://docs.aws.amazon.com/AmazonS3/latest/dev/sse-c-using-java-sdk.html
  • 47. Server-Side Encryption in Amazon S3: S3-Managed Keys (SSE-S3)
  • 48. Server-Side Encryption in Amazon S3: S3-Managed Keys (SSE-S3), bucket policy that denies uploads unless they request SSE-S3
    {
      "Version": "2012-10-17",
      "Id": "PutObjPolicy",
      "Statement": [
        {
          "Sid": "DenyIncorrectEncryptionHeader",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::YourBucket/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "AES256"
            }
          }
        },
        {
          "Sid": "DenyUnEncryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::YourBucket/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        }
      ]
    }
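To see what the slide 48 policy actually does to an upload, here is an added Go example (not from the deck or from AWS) that loads that policy verbatim and evaluates PutObject requests against its two Deny statements, implementing only the two condition operators the policy uses. The request context, the object key "report.csv" and the evaluator itself are assumptions for the example; a real evaluation also needs an Allow from somewhere, which this does not model. It surfaces the caveat a practitioner wants: a request with no header is stopped by the Null statement, a request with "AES256" passes both, and a request asking for SSE-KMS (header value "aws:kms") is denied by the StringNotEquals statement, so this policy as written forces SSE-S3 and rejects SSE-KMS.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// bucketPolicy is the policy from slide 48, verbatim.
const bucketPolicy = `{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}`

// Statement covers the subset of the policy grammar this policy uses
// (single-string Action and Resource; operator -> key -> single value conditions).
type Statement struct {
	Sid       string
	Effect    string
	Action    string
	Resource  string
	Condition map[string]map[string]string
}

type Policy struct{ Statement []Statement }

// Request is the request context the conditions inspect; a header that was not
// sent is simply absent from Context.
type Request struct {
	Action, Resource string
	Context          map[string]string
}

// conditionMatches implements the two operators the policy uses. A missing key is
// treated as not matching StringNotEquals here; the policy's own Null statement is
// what catches the missing-header case, so the verdict does not depend on that choice.
func conditionMatches(op, key, want string, ctx map[string]string) (bool, error) {
	got, present := ctx[key]
	switch op {
	case "StringNotEquals":
		return present && got != want, nil
	case "Null":
		return (want == "true") == !present, nil
	}
	return false, fmt.Errorf("unsupported condition operator %q", op)
}

func resourceMatches(pattern, arn string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(arn, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == arn
}

// Evaluate returns the Sid of the first Deny statement that applies to the request,
// or "" if none does (an explicit Allow is still needed for the upload to succeed).
func Evaluate(p Policy, r Request) (string, error) {
	for _, s := range p.Statement {
		if s.Effect != "Deny" || s.Action != r.Action || !resourceMatches(s.Resource, r.Resource) {
			continue
		}
		applies := true
		for op, kv := range s.Condition {
			for key, want := range kv {
				ok, err := conditionMatches(op, key, want, r.Context)
				if err != nil {
					return "", err
				}
				applies = applies && ok
			}
		}
		if applies {
			return s.Sid, nil
		}
	}
	return "", nil
}

// DenyReason evaluates a PutObject to YourBucket that carries the given
// x-amz-server-side-encryption header value ("" means the header was not sent).
func DenyReason(sseHeader string) (string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(bucketPolicy), &p); err != nil {
		return "", err
	}
	ctx := map[string]string{}
	if sseHeader != "" {
		ctx["s3:x-amz-server-side-encryption"] = sseHeader
	}
	return Evaluate(p, Request{"s3:PutObject", "arn:aws:s3:::YourBucket/report.csv", ctx})
}

func main() {
	for _, h := range []string{"", "AES256", "aws:kms"} {
		sid, err := DenyReason(h)
		fmt.Printf("header=%-9q denied_by=%q err=%v\n", h, sid, err)
	}
}
```

The evaluator refuses rather than ignores an operator it does not know, which is the safe failure mode for anything that gates access decisions.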
  • 49. Server-side Encryption using AWS KMS: as of June 2019, 117 services are integrated with KMS
  • 50. Survey Question
  • 51. AWS Key Management Service
  • 52. AWS Key Management Service
    • AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys
    • You control access to your encrypted data by defining permissions to use keys, while AWS KMS enforces your permissions and handles the durability and physical security of your keys
    • AWS KMS is integrated with AWS CloudTrail to record all API requests, including key management actions and usage of your keys
  • 53. AWS Key Management Service
    • Integrated with 117+ AWS services
    • Supports the AWS Encryption SDK and other client-side encryption tools
    • You can integrate it into your own applications
    • FIPS 140-2 validated: the AWS KMS HSMs were tested by an independent lab, and those results were further reviewed by the Cryptographic Module Validation Program run by NIST: https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3139
  • 54. Security Assurance: security and quality controls in AWS KMS have been validated and certified by the following compliance schemes
    • FIPS 140-2: the AWS KMS cryptographic module running firmware version 1.4.4 is validated at FIPS 140-2 Level 2 overall, with Level 3 in several other categories, including physical security
    • AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) reports
    • PCI DSS Level 1
    • ISO 27001
    • ISO 27017
    • ISO 27018
    • ISO 9001
    • FedRAMP
    • HIPAA
    https://aws.amazon.com/kms/features/#AWS_Service_Integration
  • 55. How AWS Services Use Data Keys
    The EC2/EBS model
    • Unique data keys per resource from KMS are stored in hypervisor/Nitro volatile memory for as long as needed
    • Permissions exist for AWS to re-provision data keys to volatile memory in cases of AWS-caused events
    • Examples: EBS, RDS, Redshift, WorkSpaces, Amazon Lightsail
    The S3 model
    • Data keys from KMS are only used in the volatile memory of service hosts for the duration of an API transaction
    • Permissions may exist to use keys in response to asynchronous events related to your data in other services
    • Examples: S3, EMR, CloudTrail, Amazon Athena, Amazon Kinesis, Amazon SQS, Amazon CloudWatch
  • 56. How Clients and AWS Services Typically Integrate with KMS
    Two-tiered key hierarchy using envelope encryption
    • A unique data key encrypts the customer data
    • KMS master keys encrypt the data keys
    Benefits
    • Limits the risk of a compromised data key
    • Better performance for encrypting large data
    • Easier to manage a small number of master keys than millions of data keys
    • Centralized access control and audit of key activity
    (Diagram: customer master keys in KMS encrypt data keys 1 to 4, which in turn encrypt an S3 object, an EBS volume, an Amazon Redshift cluster and a custom application's data.)
  • 57. How AWS Services Use Data Keys Stored by KMS: the key hierarchy
    • Keys on HSMs in a Region (KMS-managed): all HSMs in a Region self-generate keys in memory when provisioned; these master keys never leave the HSM
    • Customer Master Key (customer-managed), encrypted by the keys on the HSMs in the Region: a 256-bit symmetric key generated in the HSM or imported by the customer; stored in encrypted form in several locations by KMS; the plaintext version is used only in memory on the HSMs, on demand
    • Data Key (customer-managed or AWS service-managed), encrypted by the Customer Master Key: a 256-bit symmetric key returned to the client by KMS to use for encrypting bulk data
  • 58. Two Approaches for Managing Keys in Your Account
    AWS Managed Master Keys
    • Individual AWS services request KMS to create a master key for their exclusive use
    • Each service defines a standard key policy
    • You can't edit the policy or delete the keys
    Customer Managed Master Keys
    • You control the key lifecycle
    • You create keys in advance and delete them when you're done
    • You decide which services use which keys
    • You define the key policy for each key
    All operational aspects are the same: security, latency, throughput, durability, availability, auditability
  • 59. How AWS services use your KMS keys (your application or AWS service, data key, encrypted data key, encrypted data, master keys in the customer's account in KMS)
    1. The client calls kms:GenerateDataKey, passing the ID of the KMS master key in your account
    2. The client request is authenticated based on the permissions set on both the user and the key
    3. A unique data encryption key is created and encrypted under the KMS master key
    4. The plaintext and the encrypted data key are returned to the client
    5. The plaintext data key is used to encrypt data and is then deleted when practical
    6. The encrypted data key is stored; it is sent back to KMS when needed for data decryption
  • 60. Bring Your Own Key
    • KMS creates a customer master key (CMK) container: an empty CMK container with a unique key ID
    • Download a public wrapping key: an RSA public key from KMS
    • Export: your key management infrastructure exports your 256-bit key material encrypted under the public wrapping key
    • Import: the encrypted key material is imported under the KMS CMK key ID, with an optional expiration period; your key material is then protected in KMS
  • 61. Why Bring Your Own Key?
    • Control how the key is generated (randomness/entropy, etc.)
    • Control the key lifetime: delete your key material from KMS on demand
    • You control the location and storage of your keys
    • Keep your own backup copy of your key material
    • Keep the key in the cloud only when you need it
  • 62. AWS KMS FAQ
    Q: How does AWS secure the master keys that I create inside AWS KMS?
    • AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext master keys from the service
    • The service uses FIPS 140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of your keys
    • Your plaintext keys never leave the HSMs, are never written to disk, and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation
    • AWS KMS keys are never transmitted outside of the AWS Regions in which they were created
    • Updates to the software on the service hosts and to the AWS KMS HSM firmware are controlled by multi-party access control that is audited and reviewed by an independent group within Amazon as well as by a NIST-certified lab, in compliance with FIPS 140-2
    https://aws.amazon.com/kms/faqs/
    https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
  • 63. Security controls enforced by KMS (keys on HSMs in a Region)
    When operational, with keys provisioned:
    • No AWS operator can access a host
    • No software updates are allowed
    • Your plaintext keys are never stored in non-volatile memory
    • There are no tools in place to access your physical key material
    • You can find evidence of every KMS API call in CloudTrail
    After reboot and in a non-operational state:
    • No key material is on the host
    • Software can only be updated:
      • After multiple AWS employees have reviewed the code
      • Under a quorum of multiple KMS operators with valid credentials
  • 64. Authenticated & Authorized Encryption: you can control access to your KMS CMKs in these ways
    1. Use the key policy: a key policy controls access to a CMK
      • Permissions: AWS KMS provides a set of API operations; to control access to these API operations, AWS KMS provides a set of actions that you can specify in a policy
      • Conditions: use conditions in the policy to specify the circumstances in which a policy takes effect
    2. Use IAM policies in combination with the key policy: you can use IAM policies together with the key policy to control access to a CMK, which lets you manage all of the permissions for your IAM identities in IAM
    3. Use grants in combination with the key policy: you can use grants together with the key policy to allow access to a CMK, which lets you allow access to the CMK in the key policy and allow users to delegate their access to others
      • KMS grants are policy objects designed to be programmatically created and revoked as resources are placed "in use" and "at rest"
    https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html
  • 65. Allow a User to Encrypt and Decrypt with Specific CMKs
  • 66. Multi-Factor Authentication Example
    • To provide an additional layer of security over specific actions, you can require multi-factor authentication (MFA) on critical KMS API calls
    • Example calls: PutKeyPolicy, ScheduleKeyDeletion, DeleteAlias, DeleteImportedKeyMaterial
    • If someone attempts to perform a critical AWS KMS action, this CMK policy validates that their MFA was authenticated within the last 300 seconds (5 minutes) before allowing the action
  • 67. Encryption Context Example
    • To be sure of the integrity of data encrypted with the AWS KMS APIs, you can pass a set of name-value pairs as an Encryption Context during AWS KMS encryption, and again when the Decrypt or ReEncrypt APIs are called
  • 68. Auditability of KMS key usage through AWS CloudTrail
    "EventName": "DecryptResult", ... this KMS API action was called
    "EventTime": "2014-08-18T18:13:07Z", ... at this time
    "RequestParameters": "{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex"}", ... in reference to this key
    "EncryptionContext": "volumeid-12345", ... to protect this AWS resource
    "SourceIPAddress": "203.0.113.113", ... from this IP address
    "UserIdentity": "{"arn":"arn:aws:iam::111122223333:user/User123"}", ... by this AWS user in this account
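The six steps on slide 59, the encryption context on slide 67 and the CloudTrail record on slide 68 come together in the following Go program, an added example that is neither AWS code nor the deck's. A small in-process stand-in for KMS keeps its master keys private, hands out a data key in plaintext plus encrypted under the master key, binds the caller's encryption context to that ciphertext as AES-GCM additional authenticated data, and appends a trail line for each successful call; the client uses the data key once, zeroes it, and later sends the blob back with the same context. The key ID and user ARN are the anonymised values from slide 68, the "volumeid" context and the payload are constructed, and the GCM construction, the key-ID-prefixed blob format and the trail format are assumptions for the example, not the service's internals. The failing decryption shows what the encryption context buys you: the same blob under a different context is rejected exactly as a tampered blob would be.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// KMS stands in for the service: master keys live only inside it, callers get data keys
// and opaque ciphertext blobs back, and every successful call is recorded in Trail.
type KMS struct {
	masterKeys map[string][]byte
	Trail      []string
}

func NewKMS() *KMS { return &KMS{masterKeys: map[string][]byte{}} }

// CreateKey generates a 256-bit master key that never leaves the struct.
func (k *KMS) CreateKey(keyID string) { k.masterKeys[keyID] = randBytes(32) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// contextAAD turns the encryption context into GCM additional authenticated data;
// json.Marshal sorts map keys, so equal contexts always give equal AAD.
func contextAAD(ctx map[string]string) []byte {
	if ctx == nil {
		ctx = map[string]string{}
	}
	aad, _ := json.Marshal(ctx)
	return aad
}

func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are 32 bytes throughout this example
	g, _ := cipher.NewGCM(block)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad) // nonce || ciphertext || tag
}

func open(key, sealed, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// GenerateDataKey is steps 1-4 of the slide: a fresh data key is returned in plaintext and
// encrypted under the named master key, with the encryption context bound to the ciphertext.
// The blob carries the key ID, as a KMS ciphertext blob does, so Decrypt takes no key ID.
func (k *KMS) GenerateDataKey(caller, keyID string, ctx map[string]string) ([]byte, []byte, error) {
	cmk, ok := k.masterKeys[keyID]
	if !ok {
		return nil, nil, errors.New("NotFoundException: " + keyID)
	}
	plain := randBytes(32)
	blob := append([]byte(keyID+"\x00"), seal(cmk, plain, contextAAD(ctx))...)
	k.Trail = append(k.Trail, fmt.Sprintf("GenerateDataKey keyId=%s context=%v user=%s", keyID, ctx, caller))
	return plain, blob, nil
}

// Decrypt is step 6: a different context fails authentication exactly as a modified blob would.
func (k *KMS) Decrypt(caller string, blob []byte, ctx map[string]string) ([]byte, error) {
	parts := bytes.SplitN(blob, []byte{0}, 2)
	cmk, ok := k.masterKeys[string(parts[0])]
	if len(parts) != 2 || !ok {
		return nil, errors.New("InvalidCiphertextException")
	}
	plain, err := open(cmk, parts[1], contextAAD(ctx))
	if err != nil {
		return nil, errors.New("InvalidCiphertextException: wrong master key or encryption context")
	}
	k.Trail = append(k.Trail, fmt.Sprintf("Decrypt keyId=%s context=%v user=%s", parts[0], ctx, caller))
	return plain, nil
}

func main() {
	kms, keyID := NewKMS(), "2b42x363-1911-4e3a-8321-6b67329025ex" // the anonymised key ID from the CloudTrail slide
	user := "arn:aws:iam::111122223333:user/User123"
	kms.CreateKey(keyID)
	ctx := map[string]string{"volumeid": "vol-12345"} // constructed, after the slide's EncryptionContext
	plainKey, blob, _ := kms.GenerateDataKey(user, keyID, ctx) // steps 1-4
	data := seal(plainKey, []byte("volume block"), nil)        // step 5: use the data key, then forget it;
	copy(plainKey, make([]byte, 32))                           // only data and blob are kept
	_, err := kms.Decrypt(user, blob, map[string]string{"volumeid": "vol-99999"})
	fmt.Println("different context:", err)
	plainKey, _ = kms.Decrypt(user, blob, ctx) // step 6: same blob, same context
	pt, _ := open(plainKey, data, nil)
	fmt.Printf("%q\n%v\n", pt, kms.Trail)
}
```

Note that the trail never contains the data key or the data: what CloudTrail gives you is who used which master key, for which context, from where, which is why a non-secret but specific encryption context such as a volume or object identifier makes the audit record useful.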
  • 69. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS CloudHSM
  • 70. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. Using Keys Securely in AWS AWS Key Management Service • Multi-tenant • AWS-managed • FIPS-validated HSMs AWS CloudHSM • Single-tenant • Customer-controlled • FIPS-validated HSMs • Use directly or via AWS KMS
  • 71. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. • A cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys in the AWS Cloud • A fully-managed service that automates time-consuming administrative tasks for you, such as • Hardware provisioning • Software patching • High-availability • Backups • Pay as you go with no upfront costs • HSMs are part of a cluster • Group of equivalent HSMs, 0 - 32 HSMs per cluster • Each HSM instance appears as a network resource in your Amazon Virtual Private Cloud (VPC) • Users, policies and keys are identical • Clients automatically load balance across cluster • Customers can deploy cross-AZ for high availability • Allows you to copy backups of your CloudHSM Cluster from one region to another for disaster recovery purposes and simplifies development of globally distributed or cross-region redundant workloads What is AWS CloudHSM?
  • 72. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. Customers use AWS CloudHSM to… • Offload the TLS/SSL processing for web servers • Protect private keys for your issuing certificate authority (CA) • Enable Transparent Data Encryption (TDE) for Oracle databases • Document and code signing • Digital Rights Management
  • 73. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. Aspects of Control in CloudHSM Control Application Development Algorithms and Key Lengths User Management Specific Compliance
  • 74. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. Control Implies Responsibility Control Application Development Algorithms and Key Lengths User Management Specific Compliance Responsibility Application Integration HSM Maintenance Backups ProvisioningHigh- Availability User Management Logging
  • 75. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. CloudHSM Simplifies Management Tasks Responsibility Application Integration HSM Maintenance Backups Provisioning High- Availability User Management Logging
  • 76. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. AWS CloudHSM • Single tenant access to high performance FIPS 140-2 Level 3 validated hardware • Hardware/service APIs managed by AWS • Automatic patching, backup, HA • HSMs are inside your Amazon VPC—isolated from the rest of the network • Uses 3rd party hardware with FIPS 140-2 level 3 validation • Only you have access to your keys and operations using the keys • Your network traffic between CloudHSM and client applications is strongly encrypted and authenticated CloudHSM AWS administrator— Manages the appliance You—Control keys and crypto operations Amazon VPC
  • 77. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. AWS CloudHSM Cluster Architecture • You specify Amazon VPC in your AWS account and one or more subnets in that VPC • By putting HSMs in different Availability Zones, you achieve redundancy and high availability in case one Availability Zone is unavailable • AWS CloudHSM puts an elastic network interface (ENI) in specified subnet in your AWS account • ENI is interface for interacting with the HSM • The HSM resides in a separate VPC in an AWS account that is owned by AWS CloudHSM • The HSM and its corresponding network interface are in the same Availability Zone • You need AWS CloudHSM client software • Install client on any compatible computer that can connect to the HSM ENIs • Typically you install client on Amazon EC2 instances that reside in the same VPC as the HSM ENI
  • 78. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. Total Control of Access Management • AWS CloudHSM offers you secure HSM access to create users and policies • You can create granular access management policies for up to 1,024 users on your HSMs • Each user is in a private sandbox and can create keys that are not visible to other users • Keys can be shared with up to 8 other users who can use (but not manage) that specific key • AWS has no access to your encryption keys
79. AWS CloudHSM Separation of Duties
• Manufacturer
  • Produces, certifies and signs the FIPS-validated firmware
• AWS
  • No access to cryptographic functions; cannot observe client-to-HSM communications
  • Initializes (and zeroizes) the adapter
  • Creates and destroys/zeroizes individual HSMs
  • Updates firmware (FIPS-validated firmware only)
  • Backs up and restores HSMs (encrypted backups)
  • Manages clustering (add/remove nodes, sync)
• Customer
  • All key-management and cryptographic functions
  • Administers authentication and access control on the HSM (users, privileges, policies)
  • Performs file-based backup
80. AWS CloudHSM Managed Backup
• AWS CloudHSM backs up the encryption keys and the entire HSM configuration, including users and policies
• Backups are encrypted under keys held by the HSM manufacturer and by AWS, so a backup can only be decrypted inside an HSM
• The manufacturer's key backup key (MKBK) exists in the HSM hardware
• The AWS key backup key (AKBK) is securely installed by the CloudHSM service when the hardware is placed into operation
81. AWS CloudHSM Managed Backup
• Each backup is encrypted with a backup encryption key (BEK), an AES-256 key generated inside the HSM when the backup is requested
• The BEK is wrapped with an AES-256 wrapping key derived from the MKBK and the AKBK via a key derivation function (KDF); because the KDF takes both inputs, neither the manufacturer's key alone nor the AWS key alone can unwrap the BEK
• Each backup is stored in Amazon S3 for high durability, with an extra layer of encryption under AWS Key Management Service (AWS KMS)
• You can clone your backups to create new clusters
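How the layered backup protection on the two slides above fits together, as an added example in Go that is not code from the deck or from AWS. It models the BEK generated per backup, the wrapping key derived from MKBK and AKBK, and the restore path that needs both. HKDF-SHA256 as the KDF, AES-GCM as the wrap and encryption mode, the labels, and the constructed MKBK/AKBK values are assumptions of this example; the HSM's actual KDF and wrap modes, and the extra AWS KMS layer applied before the backup lands in Amazon S3, are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Backup is what leaves the HSM: the HSM state encrypted under the BEK, plus
// the BEK wrapped under a key that only MKBK and AKBK together can reproduce.
type Backup struct {
	WrappedBEK []byte
	Ciphertext []byte
}

// deriveWrappingKey turns the MKBK and AKBK into the AES-256 wrapping key.
// The deck only says "a KDF"; HKDF-SHA256 with fixed labels is an assumption.
func deriveWrappingKey(mkbk, akbk []byte) []byte {
	extract := hmac.New(sha256.New, []byte("cloudhsm-backup-wrap")) // assumed salt
	extract.Write(mkbk)
	extract.Write(akbk)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // HKDF-Expand, single block
	expand.Write([]byte("BEK wrapping key"))
	expand.Write([]byte{0x01})
	return expand.Sum(nil) // 32 bytes
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM with a random nonce prefixed; GCM stands in for the HSM's real wrap mode.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; a wrong key or a modified byte fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open sealed blob: bad key or truncated input")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// CreateBackup is the in-HSM step: a fresh AES-256 BEK encrypts the HSM state and is wrapped under KDF(MKBK, AKBK).
func CreateBackup(mkbk, akbk, hsmState []byte) (*Backup, error) {
	bek := make([]byte, 32)
	if _, err := rand.Read(bek); err != nil {
		return nil, err
	}
	ct, err := seal(bek, hsmState, []byte("hsm-state"))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(deriveWrappingKey(mkbk, akbk), bek, []byte("bek"))
	if err != nil {
		return nil, err
	}
	return &Backup{WrappedBEK: wrapped, Ciphertext: ct}, nil
}

// RestoreBackup runs inside the target HSM, which needs the same MKBK (same hardware) and the service-installed AKBK.
func RestoreBackup(mkbk, akbk []byte, b *Backup) ([]byte, error) {
	bek, err := open(deriveWrappingKey(mkbk, akbk), b.WrappedBEK, []byte("bek"))
	if err != nil {
		return nil, fmt.Errorf("unwrap BEK (needs both MKBK and AKBK): %w", err)
	}
	return open(bek, b.Ciphertext, []byte("hsm-state"))
}

func main() {
	mkbk := bytes.Repeat([]byte{0x11}, 32) // constructed stand-in for the manufacturer's key
	akbk := bytes.Repeat([]byte{0x22}, 32) // constructed stand-in for the AWS-installed key
	b, err := CreateBackup(mkbk, akbk, []byte("users, policies and keys"))
	if err != nil {
		panic(err)
	}
	state, err := RestoreBackup(mkbk, akbk, b)
	fmt.Printf("same MKBK+AKBK: %q (err=%v)\n", state, err)
	_, err = RestoreBackup(mkbk, bytes.Repeat([]byte{0x33}, 32), b) // right MKBK, wrong AKBK
	fmt.Println("different AKBK:", err)
}
```

The second restore fails at the BEK unwrap, before the backup ciphertext is ever touched: a party holding only one of the two backup keys, or an HSM of a different type with a different MKBK, gets no information about the backup contents. That is the property the deck relies on when it says backups can only be decrypted inside an HSM.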
82. AWS Key Management Service Custom Key Store
83. AWS KMS Custom Key Store
• Combines AWS CloudHSM's control with AWS KMS's service integrations
• Use CloudHSM-backed keys in most AWS services via AWS KMS
Diagram labels: Clients, AWS Services
84. Why use AWS KMS Custom Key Store?
Consider it if your organization has requirements such as:
• Keys that must be protected in a single-tenant HSM, or in an HSM over which you have direct control
• Keys that are explicitly required to be stored in an HSM validated at FIPS 140-2 Level 3 overall (the HSMs behind the default KMS key store are validated at Level 2 overall, with Level 3 in several categories, including physical security)
• Keys whose use must be auditable independently of KMS, from the HSM's own audit log rather than only from the CloudTrail record of KMS API calls
85. Diagram: KMS Custom Key Store architecture. Customers' applications (via the AWS SDKs) and 117+ AWS services call the KMS endpoint; AWS KMS serves requests either from the KMS standard key store (the KMS HSM fleet) or, through the custom key store "connector", from a CloudHSM cluster in your VPC. Custom clients using PKCS#11, JCE or CNG talk to the same cluster directly.
86. More Control Means More Responsibility
You take responsibility for certain operational aspects that would otherwise be handled by KMS:
• The key material for keys in a custom key store lives in your CloudHSM cluster and its backups, not durably in KMS; you are responsible for backups
• You control, and are accountable for, the keys, the backups, and the cluster's availability, performance and capacity, as well as the security properties of the HSMs
• You determine resilience across Availability Zones (KMS requires at least two active HSMs in different Availability Zones before it will create keys in the cluster)
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
88. Choosing Encryption Tools & Services
89. Optimization Journey: Security & Business Operations
Diagram listing the three options: client-side encryption using client-side master keys; AWS CloudHSM; AWS Key Management Service.
90. Key Management Considerations
• Where are keys generated and stored?
  • Hardware you own?
  • Hardware the cloud provider owns?
• Where are keys used?
  • Client software you control?
  • Server software the cloud provider controls?
• Who can use the keys?
  • Users and applications that have permissions?
  • Cloud provider applications you give permissions to?
• What assurances are there for proper security around keys?
91. When to Use AWS Key Management Service
Consider using AWS KMS when:
• You need to secure your encryption keys in a service backed by FIPS-validated HSMs, but you do not need to manage the HSMs yourself
• FIPS 140-2 Level 2 (overall) validated HSMs meet your requirements
• AES-256 symmetric encryption meets your requirements
https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-kms.html
92. When to Use AWS CloudHSM
Consider using AWS CloudHSM if you require:
• Keys stored in dedicated, third-party validated hardware security modules under your exclusive control
• FIPS 140-2 Level 3 validated HSMs
• Asymmetric encryption
• Integration with applications using the PKCS#11, Java JCE or Microsoft CNG interfaces
• High-performance in-VPC cryptographic acceleration (bulk crypto)
https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-hsm.html
93. When to Use AWS KMS Custom Key Stores
Use AWS KMS Custom Key Stores when:
• Keys must be protected in a single-tenant HSM, or in an HSM over which you have direct control
• There is an explicit requirement for HSMs validated at FIPS 140-2 Level 3 overall
• You have keys that must be auditable independently of KMS
• You are comfortable operating HSMs yourself; with the custom key store feature you perform certain tasks that are normally handled by KMS
• You are comfortable with the increased cost and the potential impact on performance and availability
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
94. Resources
• AWS re:Inforce 2019: Encrypting Everything with AWS: https://www.youtube.com/watch?v=oqHLLbOoxDg
• AWS re:Inforce 2019: How Encryption Works in AWS: https://www.youtube.com/watch?v=plv7PQZICCM
• AWS re:Invent 2017: A Deep Dive into AWS Encryption Services: https://www.youtube.com/watch?v=gTZgxsCTfbk
• AWS Key Management Service Cryptographic Details: https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
• AWS Key Management Service Best Practices: https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
• AWS CloudHSM User Guide: https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html
• AWS re:Inforce 2019: Achieving Security Goals with AWS CloudHSM: https://www.youtube.com/watch?v=_gezaWmwzYY
• Security of AWS CloudHSM Backups: https://d1.awsstatic.com/whitepapers/Security/security-of-aws-cloudhsm-backups.pdf
• Announcing KMS Custom Key Stores using CloudHSM: https://www.youtube.com/watch?v=AAitIKFeO6k
• Introducing AWS Key Management Service Custom Key Store (AWS Online Tech Talks): https://www.youtube.com/watch?v=ksnHLFxgXcI
• Are KMS custom key stores right for you?: https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
• How to Choose an Encryption Tool or Service: https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-toplevel.html
• Encryption and KMS Workshop in AWS: https://github.com/aws-samples/aws-kms-workshop
95. Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security