AWS Security Webinar: The Key to Effective Cloud Encryption

It’s essential to protect your private data at all times, especially when you don’t control all the hardware and software components with access to that information. Encryption is a powerful way for organisations to maintain an appropriate level of data confidentiality and integrity.

AWS offers many options for using encryption to protect your data in transit and at rest. A variety of features let you determine how much control you want over your encryption keys to achieve the right level of security. Join this two-hour deep dive webinar to learn which AWS encryption features are available, when to use them, and how to integrate them in your workloads.

  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. AWS Security Webinar: The Key to Effective Cloud Encryption, September 2019. Speakers: Tim Rains, Regional Leader Security & Compliance Business Acceleration EMEA, WWPS; Dave Walker, Specialist Solutions Architect, Security and Compliance, EMEA
  2. Agenda
  3. Conversations with CISOs, CTOs, CIOs, DPOs, GCs • Encryption & Key Management • Government access to data • Data residency & data sovereignty • Other compliance topics
  4. Encryption & Key Management: typical reasons organizations protect data • Compliance obligations • Maintain confidentiality and integrity of data • Mitigate the risk of unauthorized access to data, whether physical or logical
  5. Traditional Challenge: Operational Risks vs. Security Risks (diagram contrasting operational risks with security risks)
  6. Ubiquitous Encryption (diagram): data sources and applications feed Amazon EBS, Amazon RDS, Amazon Redshift, Amazon S3 and Amazon Glacier; data is encrypted in transit and at rest; access is restricted through IAM and auditable through AWS CloudTrail; keys are fully managed in AWS KMS, imported into KMS, or held in your own key management infrastructure (KMI)
  7. Data at Rest
  8. Symmetric Key Encryption • Plaintext: information or data in an unencrypted, unprotected, or human-readable form • Ciphertext: the encrypted data • Protecting data keys: encrypting (wrapping) a data key protects it, so the wrapped key can be stored next to the data it protects • Encrypting the same data under multiple master/wrapping keys: instead of re-encrypting the data once per key, re-encrypt only the data key that protects the data, once per master key • Combining the strengths of multiple algorithms: encrypt the raw data with a fast symmetric cipher and then encrypt the data key with public-key encryption https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
  9. Symmetric Algorithms: AWS cryptographic tools and services commonly support widely used symmetric algorithms • Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys • AES is often combined with Galois/Counter Mode (GCM), an authenticated mode that also detects modification of the ciphertext, and is then known as AES-GCM • Triple DES (3DES), which uses three 56-bit keys; it is a legacy algorithm (NIST has deprecated it and disallows it for encryption after 2023), so prefer AES for new work • AES-256-XTS, a mode of AES designed for encrypting block storage; unlike GCM, XTS does not authenticate the data https://docs.aws.amazon.com/crypto/latest/userguide/concepts-algorithms.html
  10. Envelope Encryption: the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
  11–12. Envelope Encryption (build slides repeating the definition; diagram): hardware or software encrypts the plaintext data under a symmetric data key; the encrypted data goes to storage together with the encrypted data key; the data key itself is encrypted under a master key (also called a wrapping key), which sits above it in the key hierarchy.
  13. Envelope Encryption: the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. • A master key is an encryption key that is used to encrypt other encryption keys, such as data keys and key encryption keys • Unlike data keys and key encryption keys, master keys must be used in plaintext so they can decrypt the keys that they encrypted, which is why they belong in an HSM or a key management service rather than beside the data • The term master key usually refers to how the key is used, not how it is constructed • Some AWS services provide master keys: • The HSMs in an AWS CloudHSM cluster generate encryption keys that can be used as data keys, key encryption keys, or master keys • AWS Key Management Service (AWS KMS) generates and protects master keys. Its customer master keys (CMKs, now called KMS keys) are created, managed, used, and deleted entirely within AWS KMS; the key material never leaves the service in plaintext • AWS KMS also lets you import your own key material into a CMK, if you want to generate it independently or with a different key generation mechanism
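The key hierarchy of slides 10 to 13, as an added example in Go. It is not code from the webinar or from any AWS SDK: a fresh data key is generated per payload, the payload is encrypted under it with AES-256-GCM, and the data key is wrapped under a master key whose ID stands in for the material description. The MasterKeys map is an assumption that plays the part of KMS or CloudHSM; the real services expose only wrap and unwrap operations and never release master key bytes. Rewrap shows the point from slide 8: moving data to another master key touches only the wrapped data key, never the payload. The names Envelope, MasterKeys, Encrypt, Decrypt and Rewrap are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what gets stored: the payload ciphertext plus the data key wrapped
// under a master key. MasterKeyID is the material description for decryption.
type Envelope struct {
	MasterKeyID    string
	WrappedDataKey []byte // AES-256-GCM(master key, data key), nonce prepended
	Ciphertext     []byte // AES-256-GCM(data key, payload), nonce prepended
}

// MasterKeys stands in for KMS or CloudHSM (an assumption for this example);
// the real services never hand out master key bytes, only wrap/unwrap calls.
type MasterKeys map[string][]byte

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // every key in this example is exactly 32 bytes
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts under a fresh 96-bit nonce and returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; the GCM tag rejects any change to nonce, ciphertext or AAD.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt: fresh data key per payload; payload sealed under it; data key sealed
// under the master key with the master key ID as AAD so it cannot be relabelled.
func Encrypt(mks MasterKeys, masterKeyID string, plaintext []byte) (*Envelope, error) {
	mk, ok := mks[masterKeyID]
	if !ok {
		return nil, fmt.Errorf("unknown master key %q", masterKeyID)
	}
	dataKey := randomBytes(32) // exists only for the duration of this call
	return &Envelope{masterKeyID, seal(mk, dataKey, []byte(masterKeyID)), seal(dataKey, plaintext, nil)}, nil
}

func unwrap(mks MasterKeys, env *Envelope) ([]byte, error) {
	mk, ok := mks[env.MasterKeyID]
	if !ok {
		return nil, fmt.Errorf("unknown master key %q", env.MasterKeyID)
	}
	return open(mk, env.WrappedDataKey, []byte(env.MasterKeyID))
}

// Decrypt unwraps the data key under the named master key, then opens the payload.
func Decrypt(mks MasterKeys, env *Envelope) ([]byte, error) {
	dataKey, err := unwrap(mks, env)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, nil)
}

// Rewrap moves an envelope to another master key (rotation, a second KMI) by
// re-wrapping only the 32-byte data key; the payload ciphertext is untouched.
func Rewrap(mks MasterKeys, env *Envelope, newID string) (*Envelope, error) {
	newMK, ok := mks[newID]
	if !ok {
		return nil, fmt.Errorf("unknown master key %q", newID)
	}
	dataKey, err := unwrap(mks, env)
	if err != nil {
		return nil, err
	}
	return &Envelope{newID, seal(newMK, dataKey, []byte(newID)), env.Ciphertext}, nil
}

func main() {
	mks := MasterKeys{"mk-2019": randomBytes(32), "mk-2020": randomBytes(32)}
	env, _ := Encrypt(mks, "mk-2019", []byte("customer record 42"))
	rotated, _ := Rewrap(mks, env, "mk-2020") // same Ciphertext, new WrappedDataKey
	fmt.Println(Decrypt(mks, rotated))
}
```

Binding the master key ID into the wrap as associated data is the detail worth copying: without it, an attacker who can edit stored metadata could point a wrapped key at a different master key and turn a key-rotation bug into a silent decryption failure or, with a weaker wrap, something worse.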
  14. Options for Data at Rest Encryption in AWS • Client-side encryption: you encrypt your data before it is submitted to the service; you supply the encryption keys or use keys in your AWS account; available encryption clients: S3, DynamoDB, Amazon Elastic MapReduce File System (EMRFS), AWS Encryption SDK • Server-side encryption: AWS encrypts data on your behalf after it is received by the service; many integrated services, including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail, etc.
  15. Data at Rest: Client-side Encryption
  16. Client-side Encryption in AWS (diagram): you encrypt your data before it is submitted to the service. Your encryption client application runs in your data center or in EC2; keys come from your own key management infrastructure (on premises or in EC2), from AWS KMS, or from AWS CloudHSM; the encrypted data lands in select AWS services.
  17. Client-side Encryption Example using a Client-Side Master Key • Your client-side master keys and unencrypted data are never sent to AWS • The Amazon S3 encryption client generates a one-time-use symmetric key (a data key) locally; a separate data key is generated for each object and used to encrypt the data of that single Amazon S3 object • The client encrypts the data key using the master key that you provide; the client-side master key can be a symmetric key or a public/private key pair • The client uploads the encrypted data to Amazon S3 and saves the encrypted data key, together with its material description, as object metadata • The material description is what the client later uses to pick which client-side master key to use for decryption
  18. Client-side Encryption Example using a Client-Side Master Key • The client downloads the encrypted object from Amazon S3 • Using the material description from the object's metadata, the client determines which master key to use • The client uses that master key to decrypt the data key and then uses the data key to decrypt the object. The following AWS SDKs support client-side encryption: • AWS SDK for .NET • AWS SDK for Go • AWS SDK for Java • AWS SDK for PHP • AWS SDK for Ruby • AWS SDK for C++
  19. Client-side encryption in AWS using a Client-Side Master Key (Java, AWS SDK for Java; excerpt from https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html)
      public static void main(String[] args) throws Exception {
          Regions clientRegion = Regions.DEFAULT_REGION;
          String bucketName = "*** Bucket name ***";
          String objectKeyName = "*** Object key name ***";
          String masterKeyDir = System.getProperty("java.io.tmpdir");
          String masterKeyName = "secret.key";

          // Generate a symmetric 256-bit AES key. This is the client-side master key: the encryption
          // client generates a separate data key for every object and wraps that data key under symKey.
          KeyGenerator symKeyGenerator = KeyGenerator.getInstance("AES");
          symKeyGenerator.init(256);
          SecretKey symKey = symKeyGenerator.generateKey();

          // To see how it works, save and load the key to and from the file system. The two helpers
          // are defined in the linked example; they write the raw key bytes to disk unencrypted.
          saveSymmetricKey(masterKeyDir, masterKeyName, symKey);
          symKey = loadSymmetricAESKey(masterKeyDir, masterKeyName, "AES");
      Notes: the variables and the master key symKey are set up here. Writing the master key in the clear to java.io.tmpdir is for demonstration only; in a deployment it belongs in AWS KMS, an HSM, or at minimum access-controlled storage, and if it is lost every object wrapped under it is unrecoverable.
  20. Client-side encryption in AWS using a Client-Side Master Key (continued)
          try {
              // Create the Amazon S3 encryption client and tell it to use symKey as the master key.
              EncryptionMaterials encryptionMaterials = new EncryptionMaterials(symKey);
              AmazonS3 s3EncryptionClient = AmazonS3EncryptionClientBuilder.standard()
                      .withCredentials(new ProfileCredentialsProvider())
                      .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(encryptionMaterials))
                      .withRegion(clientRegion)
                      .build();

              // Upload a new object. The encryption client generates a data key, encrypts the object with it,
              // wraps the data key under symKey and stores the wrapped key in the object metadata.
              byte[] plaintext = "S3 Object Encrypted Using Client-Side Symmetric Master Key.".getBytes();
              s3EncryptionClient.putObject(new PutObjectRequest(bucketName, objectKeyName,
                      new ByteArrayInputStream(plaintext), new ObjectMetadata()));
  21. Client-side decryption in AWS using a Client-Side Master Key
              // Download and decrypt the object: the client reads the wrapped data key from the metadata,
              // unwraps it with symKey and decrypts the content.
              S3Object downloadedObject = s3EncryptionClient.getObject(bucketName, objectKeyName);
              byte[] decrypted = com.amazonaws.util.IOUtils.toByteArray(downloadedObject.getObjectContent());
          } catch (AmazonServiceException e) {
              // The call was transmitted successfully, but Amazon S3 couldn't process it.
              e.printStackTrace();
          } catch (SdkClientException e) {
              // Amazon S3 couldn't be contacted, or the client couldn't parse the response.
              e.printStackTrace();
          } // end of try
      } // end of main
      https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
  22. Client-side encryption in AWS using a Client-Side Master Key (diagram): in your data center, the Amazon S3 encryption client encrypts the object under a data key, wraps the data key under the master key, and uploads the encrypted object together with the encrypted data key to Amazon S3.
  23. Client-side decryption in AWS using a Client-Side Master Key (diagram): the encrypted object and its encrypted data key come back from Amazon S3; the client selects the master key named by the material description, unwraps the data key, and decrypts the object.
  24. Client-side Encryption Example using DynamoDB Encryption Client • The DynamoDB Encryption Client processes one table item at a time • First, it encrypts the values of the attributes that you specify • Then it calculates a signature over the attributes that you specify, so you can detect unauthorized changes to the item as a whole, including adding or deleting attributes, or substituting one encrypted value for another • Attribute names, and the names and values in the primary key (the partition key and sort key), must remain in plaintext to keep the item discoverable • They are still included in the signature by default • Do not put any sensitive data in the table name, attribute names, the names and values of the primary key attributes, or any attribute values that you tell the client not to encrypt
  25. Client-side Encryption Example using DynamoDB Encryption Client • Cryptographic materials providers (CMPs): • Wrapped Materials Provider (Wrapped CMP) • Direct KMS Materials Provider • Most Recent Provider • Static Materials Provider • The Wrapped CMP lets you use wrapping and signing keys from any source with the DynamoDB Encryption Client • It does not depend on any AWS service • You generate and manage your wrapping and signing keys outside of the client
  26. Client-side Encryption Example using DynamoDB Encryption Client (diagram)
  27. Client-side Encryption Example using DynamoDB Encryption Client (Wrapped CMP flow) 1. The Wrapped CMP generates a unique symmetric item encryption key for the table item 2. It uses the wrapping key that you specify to wrap the item encryption key, then removes it from memory as soon as possible 3. It returns the plaintext item encryption key, the signing key that you supplied, and an actual material description that includes the wrapped item encryption key and the encryption and wrapping algorithms 4. The item encryptor uses the plaintext item key to encrypt the item • it uses the signing key that you supplied to sign the item • it then removes the plaintext keys from memory as soon as possible • it copies the fields of the actual material description, including the wrapped encryption key, to the material description attribute of the item
  28. Client-side Encryption Example using DynamoDB Encryption Client (diagram)
  29. Client-side Encryption Example using DynamoDB Encryption Client (Java; https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/dynamodb-encryption-client.pdf)
      // Set up attribute actions
      final EnumSet<EncryptionFlags> signOnly = EnumSet.of(EncryptionFlags.SIGN);
      final EnumSet<EncryptionFlags> encryptAndSign = EnumSet.of(EncryptionFlags.ENCRYPT, EncryptionFlags.SIGN);
      final Map<String, Set<EncryptionFlags>> actions = new HashMap<>();
      for (final String attributeName : record.keySet()) {
          switch (attributeName) {
              case partitionKeyName: // fall through to the next case
              case sortKeyName:
                  // Partition and sort keys must not be encrypted, but should be signed
                  actions.put(attributeName, signOnly);
                  break;
              case "test":
                  // Neither encrypted nor signed: "test" is left out of the actions map, so do nothing
                  break;
              default:
                  // Encrypt and sign all other attributes
                  actions.put(attributeName, encryptAndSign);
                  break;
          }
      }
  30. Client-side Encryption Example using DynamoDB Encryption Client (continued)
      // Encrypt and sign the item: each attribute is encrypted, signed, or both, according to its action
      final Map<String, AttributeValue> encrypted_record = encryptor.encryptRecord(record, actions, encryptionContext);
      // Write the encrypted record to the DynamoDB table
      final AmazonDynamoDB ddb = AmazonDynamoDBClientBuilder.defaultClient();
      ddb.putItem(tableName, encrypted_record);
      https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/dynamodb-encryption-client.pdf
  31. Client-side Encryption Example using DynamoDB Encryption Client: the figure shows part of an example encrypted and signed table item. The partition and sort key values are not encrypted; the value of the 'test' attribute is in plaintext; the values of all other attributes are encrypted; all attribute names are in plaintext.
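The encrypt-then-sign behaviour described on slides 24 to 31, as an added Go example that is neither the DynamoDB Encryption Client nor built on it: attribute actions follow the slide's switch statement (partition and sort keys sign-only, "test" untouched, everything else encrypt-and-sign), selected values are encrypted with AES-256-GCM using the attribute name as associated data, and an HMAC-SHA256 signature over the attribute names, actions and values is computed so that dropping, adding, editing or swapping signed attributes is detected. Simplifications, all assumptions made for the example: one table-level encryption key and signing key instead of a wrapped per-item key with a material description, plain byte-string attribute values, and the signature returned beside the item rather than stored in a reserved attribute. The block is written as a library; call it from a test or a short main.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Action mirrors the attribute actions in the slide's switch statement. The zero
// value is EncryptAndSign, so an attribute missing from the map gets the slide's default.
type Action byte

const (
	EncryptAndSign Action = iota // default: everything not listed
	SignOnly                     // partition/sort keys: plaintext, but covered by the signature
	DoNothing                    // neither encrypted nor signed (the "test" attribute)
)

type Item map[string][]byte // a simplified DynamoDB item: attribute name to value bytes

// canonical lists each signed attribute as length-prefixed name, action and (post-encryption)
// value in sorted order, so adding, dropping, renaming or swapping attributes changes the
// signed bytes. Attribute names are signed in plaintext, as on the slide.
func canonical(item Item, actions map[string]Action) []byte {
	var names []string
	for n := range item {
		if actions[n] != DoNothing {
			names = append(names, n)
		}
	}
	sort.Strings(names)
	var out []byte
	for _, n := range names {
		for _, f := range [][]byte{[]byte(n), {byte(actions[n])}, item[n]} {
			out = append(binary.BigEndian.AppendUint32(out, uint32(len(f))), f...)
		}
	}
	return out
}

func Sign(item Item, actions map[string]Action, sigKey []byte) []byte {
	mac := hmac.New(sha256.New, sigKey)
	mac.Write(canonical(item, actions))
	return mac.Sum(nil)
}

func gcmFor(key []byte) cipher.AEAD { // keys here are always 32 bytes (AES-256), so neither call fails
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// EncryptAndSignItem seals the selected values with AES-256-GCM (attribute name as AAD) and
// returns the stored item with its signature. One table-level key replaces the wrapped per-item key.
func EncryptAndSignItem(item Item, actions map[string]Action, encKey, sigKey []byte) (Item, []byte) {
	gcm, stored := gcmFor(encKey), Item{}
	for name, val := range item {
		stored[name] = val
		if actions[name] == EncryptAndSign {
			nonce := make([]byte, gcm.NonceSize())
			if _, err := rand.Read(nonce); err != nil {
				panic(err) // a failing CSPRNG is not something to continue past
			}
			stored[name] = gcm.Seal(nonce, nonce, val, []byte(name))
		}
	}
	return stored, Sign(stored, actions, sigKey)
}

// VerifyAndDecryptItem checks the signature first (constant time) and only then decrypts: a signed
// attribute that was altered, dropped, added or swapped fails here; a DoNothing attribute can change unnoticed.
func VerifyAndDecryptItem(stored Item, sig []byte, actions map[string]Action, encKey, sigKey []byte) (Item, error) {
	if !hmac.Equal(Sign(stored, actions, sigKey), sig) {
		return nil, fmt.Errorf("item signature mismatch")
	}
	gcm, out := gcmFor(encKey), Item{}
	for name, val := range stored {
		out[name] = val
		if actions[name] != EncryptAndSign {
			continue
		}
		if len(val) < gcm.NonceSize() {
			return nil, fmt.Errorf("attribute %q: ciphertext too short", name)
		}
		pt, err := gcm.Open(nil, val[:gcm.NonceSize()], val[gcm.NonceSize():], []byte(name))
		if err != nil {
			return nil, fmt.Errorf("attribute %q: %w", name, err)
		}
		out[name] = pt
	}
	return out, nil
}
```

The edge case slide 24 warns about is visible in VerifyAndDecryptItem: an attribute mapped to DoNothing is outside the signature, so it can be rewritten in the table without anything failing, which is exactly why nothing sensitive may live in such an attribute, in the primary key, or in attribute names.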
  32. Client-side Encryption using AWS Encryption SDK • The AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices • It lets you focus on the core functionality of your application rather than on how best to encrypt and decrypt your data • Without it, you might spend more effort on building an encryption solution than on the core functionality of your application
  33. Client-side Encryption using AWS Encryption SDK • The SDK answers questions like: • Which encryption algorithm should I use? • How, or in which mode, should I use that algorithm? • How do I generate the encryption key? • How do I protect the encryption key, and where should I store it? • How can I make my encrypted data portable? • How do I ensure that the intended recipient can read my encrypted data? • How can I ensure my encrypted data is not modified between the time it is written and when it is read? • It provides: • A default implementation that adheres to cryptography best practices • A framework for protecting data keys with master keys • A formatted message that stores the encrypted data keys together with the encrypted data
  34. Client-side Encryption using AWS Encryption SDK: programming languages • C • Java • JavaScript • Python • AWS Encryption CLI (built on the AWS Encryption SDK for Python; supported on Linux, macOS, and Windows). The slide also tabulates the supported algorithm suites (table not captured in this transcript). https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/faq.html
  35. Client-side Encryption using AWS Encryption SDK: Key Management • By default the SDK gets encryption/decryption materials from the source you specify: • a master key provider when using Java or Python • a keyring when using C or JavaScript • a cryptographic service such as AWS Key Management Service (AWS KMS) https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/faq.html
  36. Client-side Encryption in AWS (repeat of the slide 16 diagram): encrypt your data before it is submitted to the service, with keys from your own key management infrastructure, AWS KMS, or AWS CloudHSM
  37. Encryption Key Management Options from AWS Partners https://aws.amazon.com/marketplace
  38. Data at Rest: Server-side Encryption
  39. Options for Data at Rest Encryption in AWS (repeat of slide 14)
  40. Server-side Encryption in Amazon S3 • Amazon S3 encrypts data at the object level as it writes it to disks and decrypts it when you access it • Decryption is transparent: you receive plaintext as long as the request is authenticated and you have access permissions, so server-side encryption does not by itself restrict who can read the data; that remains the job of IAM, bucket policies and, for SSE-KMS, the key policy • 3 mutually exclusive options per object: • Server-Side Encryption with Customer-Provided Keys (SSE-C) • Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) • Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
  41. Server-side Encryption in Amazon S3 – SSE-C • Server-side encryption with customer-provided keys (SSE-C) • The customer manages the encryption keys • Amazon S3 manages the encryption as it writes to disks, and the decryption when you access your objects • You don't need to maintain any code to encrypt/decrypt data • When an object is uploaded, Amazon S3 uses the customer-provided encryption key to apply AES-256 encryption, then removes the encryption key from memory • The key travels in the request headers on every upload and download, so SSE-C requests must use HTTPS; Amazon S3 rejects SSE-C requests made over plain HTTP
  42. Server-side Encryption in Amazon S3 – SSE-C • S3 does not store the encryption key you provide • It stores a randomly salted HMAC value of the key to validate future requests; the HMAC cannot be used to derive the encryption key or to decrypt the data • If you lose the encryption key, you lose the object: AWS cannot recover it, so your own key store needs the same durability planning as the data • When you retrieve an object, you must provide the same encryption key as part of your request • S3 first verifies that the encryption key you provided matches, and then decrypts the object before returning the object data
  43. Server-side encryption in AWS S3 with customer-provided encryption keys (SSE-C) (diagram): the customer sends the plaintext data and the customer-provided key over HTTPS to the Amazon S3 web server; the key is used at the S3 web server to encrypt the data and is then deleted; the encrypted data is written to the Amazon S3 storage fleet. The customer must provide the same key when downloading to allow S3 to decrypt the data.
  44. Server-side Encryption in Amazon S3 – SSE-C (Java, AWS SDK for Java; excerpt from https://docs.aws.amazon.com/AmazonS3/latest/dev/sse-c-using-java-sdk.html)
      public class ServerSideEncryptionUsingClientSideEncryptionKey {
          private static SSECustomerKey SSE_KEY;
          private static AmazonS3 S3_CLIENT;
          private static KeyGenerator KEY_GENERATOR;

          public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
              String clientRegion = "*** Client region ***";
              String bucketName = "*** Bucket name ***";
              String keyName = "*** Key name ***";
              String uploadFileName = "*** File path ***";
              String targetKeyName = "*** Target key name ***";
  45. Server-side Encryption in Amazon S3 – SSE-C (continued)
              // Create the customer-provided key: a fresh AES-256 key, SSE_KEY, that exists only in this
              // process. Nothing here persists it; if the process forgets it, the uploaded object is lost.
              KEY_GENERATOR = KeyGenerator.getInstance("AES");
              KEY_GENERATOR.init(256, new SecureRandom());
              SSE_KEY = new SSECustomerKey(KEY_GENERATOR.generateKey());

              try {
                  S3_CLIENT = AmazonS3ClientBuilder.standard()
                          .withCredentials(new ProfileCredentialsProvider())
                          .withRegion(clientRegion)
                          .build();

                  // Upload an object: S3 encrypts it with SSE_KEY and then discards the key.
                  uploadObject(bucketName, keyName, new File(uploadFileName));
                  // Download the object: the same key must be presented so that S3 can decrypt it.
                  downloadObject(bucketName, keyName);
                  // Even reading the metadata of an SSE-C object requires the key.
                  retrieveObjectMetadata(bucketName, keyName);
              } catch (AmazonServiceException e) {
                  // The call was transmitted successfully, but Amazon S3 couldn't process it.
                  e.printStackTrace();
              } catch (SdkClientException e) {
                  // Amazon S3 couldn't be contacted, or the client couldn't parse the response.
                  e.printStackTrace();
              }
          }
  46. Server-side Encryption in Amazon S3 – SSE-C (continued)
          // Put the object in S3; withSSECustomerKey sends SSE_KEY in the request headers.
          private static void uploadObject(String bucketName, String keyName, File file) {
              PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, file).withSSECustomerKey(SSE_KEY);
              S3_CLIENT.putObject(putRequest);
              System.out.println("Object uploaded");
          }

          // Download the object; S3 decrypts it with SSE_KEY before returning it.
          private static void downloadObject(String bucketName, String keyName) throws IOException {
              GetObjectRequest getObjectRequest = new GetObjectRequest(bucketName, keyName).withSSECustomerKey(SSE_KEY);
              S3Object object = S3_CLIENT.getObject(getObjectRequest);
              System.out.println("Object content: ");
              displayTextInputStream(object.getObjectContent()); // helper defined in the linked example
          }

          // Retrieve the object metadata; this call also needs SSE_KEY.
          private static void retrieveObjectMetadata(String bucketName, String keyName) {
              GetObjectMetadataRequest getMetadataRequest = new GetObjectMetadataRequest(bucketName, keyName)
                      .withSSECustomerKey(SSE_KEY);
              ObjectMetadata objectMetadata = S3_CLIENT.getObjectMetadata(getMetadataRequest);
              System.out.println("Metadata retrieved. Object size: " + objectMetadata.getContentLength());
          }
      }
      https://docs.aws.amazon.com/AmazonS3/latest/dev/sse-c-using-java-sdk.html
  47. Server-Side Encryption in Amazon S3: S3-Managed Keys (SSE-S3)
  48. Server-Side Encryption in Amazon S3: S3-Managed Keys (SSE-S3). Bucket policy that refuses uploads which do not request SSE-S3:
      {
        "Version": "2012-10-17",
        "Id": "PutObjPolicy",
        "Statement": [
          {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YourBucket/*",
            "Condition": {
              "StringNotEquals": {
                "s3:x-amz-server-side-encryption": "AES256"
              }
            }
          },
          {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YourBucket/*",
            "Condition": {
              "Null": {
                "s3:x-amz-server-side-encryption": "true"
              }
            }
          }
        ]
      }
      The first statement denies a PutObject whose x-amz-server-side-encryption header carries anything other than AES256; the second denies a PutObject that has no such header at all. Two caveats: because the first statement matches any other value, the policy as written also rejects uploads that ask for SSE-KMS ("aws:kms"); if both are acceptable, list both values in the StringNotEquals condition. And the policy only governs what is requested at upload time: with S3 default bucket encryption (SSE-S3 for every new object since January 2023) an object would be encrypted anyway, but the Null statement still rejects a request that omits the header, so clients must send it explicitly; objects already in the bucket are not re-encrypted by a policy.
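To see what the bucket policy above actually refuses, here is an added Go evaluator; it is not AWS code and not a full IAM engine. It parses the policy from the slide and applies its two operators (StringNotEquals and Null) to sample PutObject requests. The Request type and the sample object ARN are assumptions. The evaluator treats a StringNotEquals on a key absent from the request as matching, which is IAM's behaviour for negated operators; the outcomes do not hinge on that, because the Null statement covers the missing header on its own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// BucketPolicy is the policy from the slide, with its statements on fewer lines.
const BucketPolicy = `{
  "Version": "2012-10-17", "Id": "PutObjPolicy",
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}`

type Statement struct {
	Sid       string
	Effect    string
	Principal json.RawMessage
	Action    string
	Resource  string
	Condition map[string]map[string]string
}

// Request is the slice of the request context this policy inspects (an assumption
// for the example). A header the client did not send is simply absent from Keys.
type Request struct {
	Action   string
	Resource string
	Keys     map[string]string
}

func globMatch(pattern, s string) bool { // enough for the trailing "*" used in the policy
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(s, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == s
}

// conditionMatches implements the operators the policy needs. The IAM rule that matters
// here: a negated operator (StringNotEquals) on a key absent from the request is true.
func conditionMatches(cond map[string]map[string]string, req Request) (bool, error) {
	for op, kv := range cond {
		for key, want := range kv {
			got, present := req.Keys[key]
			var ok bool
			switch op {
			case "StringEquals":
				ok = present && got == want
			case "StringNotEquals":
				ok = !present || got != want
			case "Null":
				ok = (want == "true") == !present
			default:
				return false, fmt.Errorf("operator %q not modelled", op)
			}
			if !ok {
				return false, nil // every condition in a statement must hold
			}
		}
	}
	return true, nil
}

// DeniedBy returns the Sid of the first Deny statement matching the request. The policy
// holds only Deny statements; the permission to upload at all must still come from an
// IAM policy, which is not modelled here.
func DeniedBy(policyJSON string, req Request) (string, bool, error) {
	var p struct{ Statement []Statement }
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return "", false, err
	}
	for _, st := range p.Statement {
		if st.Effect != "Deny" || !globMatch(st.Action, req.Action) || !globMatch(st.Resource, req.Resource) {
			continue
		}
		match, err := conditionMatches(st.Condition, req)
		if err != nil {
			return "", false, err
		}
		if match {
			return st.Sid, true, nil
		}
	}
	return "", false, nil
}

func main() {
	const obj, hdr = "arn:aws:s3:::YourBucket/reports/q3.csv", "s3:x-amz-server-side-encryption"
	for _, r := range []Request{
		{"s3:PutObject", obj, map[string]string{}},               // header missing
		{"s3:PutObject", obj, map[string]string{hdr: "AES256"}},  // SSE-S3 requested
		{"s3:PutObject", obj, map[string]string{hdr: "aws:kms"}}, // SSE-KMS requested
		{"s3:GetObject", obj, map[string]string{}},               // not a PutObject at all
	} {
		sid, denied, err := DeniedBy(BucketPolicy, r)
		fmt.Printf("%-12s %-9q denied=%-5v %s %v\n", r.Action, r.Keys[hdr], denied, sid, err)
	}
}
```

Running it shows the header-less upload and the "aws:kms" upload both denied, while the AES256 upload and the GetObject are not touched; the SSE-KMS case is the one that surprises teams who paste this policy and later move to KMS-managed keys.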
  49. 49. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. June 2019: 117 services integrated with KMS Server-side Encryption using AWS KMS
  50. 50. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019. Amazon Web Services, EMEA SARL or its Affiliates. ALL RIGHTS RESERVED. NOT FOR FURTHER DISTRIBUTION. Survey Question
51. AWS Key Management Service

52. AWS Key Management Service
• AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules (HSMs) to protect your keys
• You control access to your encrypted data by defining permissions to use keys; AWS KMS enforces those permissions and handles the durability and physical security of the keys
• AWS KMS is integrated with AWS CloudTrail, which records every API request, including key management actions and each use of your keys

53. AWS Key Management Service
• Integrated with 117+ AWS services
• Supports the AWS Encryption SDK and other client-side encryption tools
• You can integrate it into your own applications
• FIPS 140-2 validated: the AWS KMS HSMs were tested by an independent lab, and those results were further reviewed by the Cryptographic Module Validation Program run by NIST
  https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3139

54. Security and quality controls in AWS KMS have been validated and certified under the following compliance schemes:
• FIPS 140-2: the AWS KMS cryptographic module running firmware version 1.4.4 is validated at FIPS 140-2 Level 2 overall, with Level 3 in several categories, including physical security
• AWS Service Organization Controls (SOC 1, SOC 2 and SOC 3) reports
• PCI DSS Level 1
• ISO 27001
• ISO 27017
• ISO 27018
• ISO 9001
• FedRAMP
• HIPAA
https://aws.amazon.com/kms/features/#AWS_Service_Integration
55. How AWS Services Use Data Keys
The EC2/EBS model
• Unique data keys per resource, obtained from KMS, are held in hypervisor/Nitro volatile memory for as long as they are needed
• Permissions exist for AWS to re-provision data keys into volatile memory after AWS-caused events
• Examples: EBS, RDS, Redshift, WorkSpaces, Amazon Lightsail
The S3 model
• Data keys from KMS are used only in the volatile memory of service hosts, and only for the duration of one API transaction
• Permissions may exist to use keys in response to asynchronous events related to your data in other services
• Examples: S3, EMR, CloudTrail, Amazon Athena, Amazon Kinesis, Amazon SQS, Amazon CloudWatch

56. How Clients and AWS Services Typically Integrate with KMS
Two-tiered key hierarchy using envelope encryption
• A unique data key encrypts each item of customer data
• KMS master keys encrypt the data keys
Benefits
• Limits the impact of a compromised data key to the data it protected
• Better performance for encrypting large data: only the small data key goes to KMS; the bulk encryption happens locally
• Easier to manage a small number of master keys than millions of data keys
• Centralized access control and audit of key activity
(Diagram: customer master keys in KMS wrap data key 1 for an S3 object, data key 2 for an EBS volume, data key 3 for an Amazon Redshift cluster and data key 4 for a custom application.)

57. How AWS Services Use Data Keys Stored by KMS: the key hierarchy
HSM keys (KMS-managed)
• All HSMs in a Region self-generate keys in memory when provisioned; these keys never leave the HSM
Customer Master Key (customer-managed), encrypted by the HSM keys of the Region
• 256-bit symmetric key, generated in an HSM or imported by the customer
• Stored in encrypted form in several locations by KMS; the plaintext version is used only in HSM memory, on demand
Data key (customer-managed or AWS service-managed), encrypted by the Customer Master Key
• 256-bit symmetric key returned to the client by KMS for encrypting bulk data

58. Two Approaches for Managing Keys in Your Account
AWS managed master keys
• Individual AWS services request that KMS create a master key for their exclusive use
• Each service defines a standard key policy
• You can't edit the policy or delete the key
Customer managed master keys
• You control the key lifecycle: you create keys in advance and delete them when you're done
• You decide which services use which keys
• You define the key policy for each key
All operational aspects are the same: security, latency, throughput, durability, availability, auditability

59. How AWS Services Use Your KMS Keys
1. The client (your application or an AWS service) calls kms:GenerateDataKey, passing the ID of a KMS master key in your account
2. The request is authenticated and authorized against the permissions set on both the caller and the key
3. KMS creates a unique data encryption key and encrypts it under the master key
4. Both the plaintext data key and the encrypted data key are returned to the client
5. The plaintext data key is used to encrypt the data and is then discarded as soon as practical
6. The encrypted data key is stored alongside the encrypted data; it is sent back to KMS (kms:Decrypt) when the data needs to be decrypted
(Diagram: the master keys stay inside KMS in your account; your application or AWS service handles only the data key, the encrypted data key and the encrypted data.)
60. Bring Your Own Key
1. KMS creates a customer master key (CMK) container: an empty CMK with a unique key ID but no key material (origin EXTERNAL)
2. Download a public RSA wrapping key, together with an import token, from KMS (GetParametersForImport)
3. Export: in your own key management infrastructure, encrypt your 256-bit key material under the KMS public wrapping key
4. Import: send the encrypted key material to KMS under the CMK key ID (ImportKeyMaterial), with an optional expiration period; your key material is now protected in KMS

61. Why Bring Your Own Key?
• Control how the key is generated (source of randomness/entropy, etc.)
• Control key lifetime: delete your key material from KMS on demand
• You control the location and storage of your keys
• Keep your own backup copy of your key material: if the material is deleted from KMS or expires, only re-importing the same material makes ciphertext under that CMK decryptable again; KMS cannot regenerate it
• Keep the key in the cloud only when you need it
62. AWS KMS FAQ
Q: How does AWS secure the master keys that I create inside AWS KMS?
• AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext master keys from the service
• The service uses FIPS 140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of your keys
• Your plaintext keys never leave the HSMs, are never written to disk and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation
• AWS KMS keys are never transmitted outside the AWS Region in which they were created (multi-Region keys, introduced in 2021, are the deliberate exception: their key material is replicated to the Regions you choose)
• Updates to software on the service hosts and to the AWS KMS HSM firmware are controlled by multi-party access control that is audited and reviewed by an independent group within Amazon as well as by a NIST-certified lab, in compliance with FIPS 140-2
https://aws.amazon.com/kms/faqs/
https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

63. Security Controls Enforced by KMS
When operational with keys provisioned:
• No AWS operator can access a host
• No software updates are allowed
• Your plaintext keys are never stored in non-volatile memory
• There are no tools in place to access your physical key material
• Evidence of every KMS API call is available in CloudTrail
After reboot, in a non-operational state:
• No key material is on the host
• Software can only be updated after multiple AWS employees have reviewed the code, and under a quorum of multiple KMS operators with valid credentials
(Keys on HSMs in a Region)

64. Authenticated and Authorized Encryption
You can control access to your KMS CMKs in these ways:
1. Use the key policy. A key policy controls access to a single CMK.
  • Permissions: AWS KMS provides a set of API operations; to control access to them, AWS KMS provides a set of actions (kms:Encrypt, kms:Decrypt, kms:ScheduleKeyDeletion, ...) that you can specify in a policy.
  • Conditions: use conditions in the policy to specify the circumstances in which a statement takes effect.
2. Use IAM policies in combination with the key policy. IAM policies together with the key policy let you manage all of the permissions for your IAM identities in IAM. The key policy has to permit this: a key policy that does not delegate to IAM makes IAM policies for that key ineffective.
3. Use grants in combination with the key policy. Grants allow access to a CMK in addition to the key policy and let users delegate their access to others.
  • KMS grants are policy objects designed to be created and revoked programmatically as resources are placed "in use" and "at rest"
https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html
65. Allow a User to Encrypt and Decrypt with Specific CMKs

66. Multi-Factor Authentication Example
• To provide an additional layer of security over specific actions, you can require multi-factor authentication (MFA) on critical KMS API calls
• Example calls: PutKeyPolicy, ScheduleKeyDeletion, DeleteAlias, DeleteImportedKeyMaterial
• When someone attempts one of these critical AWS KMS actions, a CMK policy with the aws:MultiFactorAuthAge condition validates that their MFA was authenticated within the last 300 seconds (5 minutes) before allowing the action
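To see how the SSE-S3 bucket policy from slide 48 and an MFA-gated key policy of the kind this slide describes actually decide requests, here is an added example that is not part of the deck and not AWS code: a small evaluator for the IAM condition operators those policies use, run against constructed requests. KEY_POLICY follows the pattern in the KMS developer guide with the four actions listed above; APP_IAM_POLICY (the "specific CMKs" case of slide 65), UPLOADER_POLICY, the account ID and the key ARNs are invented placeholders. The evaluator ignores Principal, NotAction and policy variables, and treats a missing request key as non-matching for every operator except Null, which is a simplification of IAM's rules.

```python
"""Minimal IAM-style policy evaluator (illustration only): an explicit Deny wins,
otherwise any matching Allow grants, otherwise the request is implicitly denied.
Ignores Principal, NotAction and policy variables; supports only the operators
used by the policies in this deck plus StringEquals."""
import fnmatch

# Bucket policy from slide 48: two Denies and no Allow of its own.
S3_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

# Assumed identity policy of the uploading role (placeholder, not from the deck).
UPLOADER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*"}]}

# Placeholder key ARNs and account ID.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/0000dead-0000-4000-8000-000000000000"

# Key policy statement of the kind slide 66 describes: the four critical actions are
# allowed only when MFA was completed less than 300 seconds ago.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "MFARequiredForCriticalActions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/KeyAdmin"},
     "Action": ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion",
                "kms:DeleteAlias", "kms:DeleteImportedKeyMaterial"],
     "Resource": "*",
     "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "300"}}}]}

# IAM policy letting an application use one specific CMK (slide 65's case). In real
# KMS this only takes effect if the key policy also delegates to IAM.
APP_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": KEY_ARN}]}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, wanted, request):
    """One condition entry. A missing request key satisfies only Null
    (a simplification of IAM's missing-key rules)."""
    actual = request.get(key)
    wanted = [str(v) for v in _listify(wanted)]
    if operator == "Null":
        return (actual is None) == (wanted[0].lower() == "true")
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual in wanted
    if operator == "StringNotEquals":
        return actual not in wanted
    if operator == "NumericLessThan":
        return float(actual) < float(wanted[0])
    raise ValueError(f"operator not modelled: {operator}")


def _statement_matches(stmt, action, resource, request):
    if not any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt.get("Resource", "*"))):
        return False
    return all(_condition_holds(op, key, wanted, request)
               for op, entries in stmt.get("Condition", {}).items()
               for key, wanted in entries.items())


def evaluate(policies, action, resource, request):
    """Return 'Allow' or 'Deny'; 'request' holds the condition keys of the call."""
    decision = "Deny"  # implicit deny until some statement allows
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, request):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny always wins
                decision = "Allow"
    return decision


def demo():
    obj = "arn:aws:s3:::YourBucket/reports/q3.csv"
    s3, kms = [UPLOADER_POLICY, S3_BUCKET_POLICY], [KEY_POLICY, APP_IAM_POLICY]
    sse = "s3:x-amz-server-side-encryption"
    return {
        "sse_s3_upload": evaluate(s3, "s3:PutObject", obj, {sse: "AES256"}),
        "sse_kms_upload": evaluate(s3, "s3:PutObject", obj, {sse: "aws:kms"}),
        "plain_upload": evaluate(s3, "s3:PutObject", obj, {}),
        "delete_with_fresh_mfa": evaluate(kms, "kms:ScheduleKeyDeletion", KEY_ARN, {"aws:MultiFactorAuthAge": "120"}),
        "delete_with_stale_mfa": evaluate(kms, "kms:ScheduleKeyDeletion", KEY_ARN, {"aws:MultiFactorAuthAge": "900"}),
        "delete_without_mfa": evaluate(kms, "kms:ScheduleKeyDeletion", KEY_ARN, {}),
        "decrypt_approved_key": evaluate(kms, "kms:Decrypt", KEY_ARN, {}),
        "decrypt_other_key": evaluate(kms, "kms:Decrypt", OTHER_KEY_ARN, {}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The cases worth noting: an SSE-KMS upload is denied by the slide-48 policy even though it is encrypted, a key-deletion request with a 15-minute-old MFA is denied while a 2-minute-old one is allowed, and a session with no MFA at all never reaches the Allow because the NumericLessThan condition has no value to compare.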
67. Encryption Context Example
• To bind ciphertext to its intended use, you can pass a set of name/value pairs as an encryption context when you call the AWS KMS Encrypt or GenerateDataKey APIs; the same context must then be supplied when Decrypt or ReEncrypt is called, otherwise the operation fails
• The encryption context is additional authenticated data: it is integrity-protected but not encrypted, and it is written in plaintext to CloudTrail, so never put secrets in it
• Because it is part of the request, it can also be used in key policy conditions (kms:EncryptionContext:<key>) to restrict which contexts a caller may use
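The GenerateDataKey/Decrypt flow of slide 59, the two-tier hierarchy of slide 56 and the encryption-context binding of this slide, carried through as one added example that is not the deck's or AWS's code. FakeKms stands in for the KMS service (the master key never leaves it; callers only ever see data keys), and seal/open_ are a stand-in encrypt-then-MAC construction on the Python standard library (HMAC-SHA256 keystream plus HMAC tag) so that it runs offline; a real client would use AES-256-GCM. All names, the key ID format and the "aws:ebs:id" sample context are assumptions.

```python
"""Envelope encryption with an encryption context, modelled on the KMS
GenerateDataKey / Decrypt flow. Illustration only: FakeKms is not the KMS API and
seal/open_ are a stand-in AEAD, not AES-GCM."""
import hashlib
import hmac
import json
import secrets
import uuid


def _canonical(context):
    # KMS binds the context as sorted name/value pairs; an empty context is allowed.
    return json.dumps(context or {}, sort_keys=True, separators=(",", ":")).encode()


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out = bytearray()
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key, plaintext, aad):
    """Encrypt-then-MAC stand-in for AES-GCM; 'aad' is authenticated, not encrypted."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob, aad):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or encryption context altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class FakeKms:
    """Stand-in for the KMS API: master keys stay inside, only data keys go out."""

    def __init__(self):
        self._master_keys = {}

    def create_key(self):
        key_id = str(uuid.uuid4())
        self._master_keys[key_id] = secrets.token_bytes(32)  # 256-bit CMK, generated "in the HSM"
        return key_id

    def generate_data_key(self, key_id, encryption_context=None):
        """Return (plaintext data key, data key encrypted under the CMK with the context bound)."""
        data_key = secrets.token_bytes(32)
        wrapped = seal(self._master_keys[key_id], data_key, _canonical(encryption_context))
        return data_key, key_id.encode() + b":" + wrapped  # the blob records which CMK wrapped it

    def decrypt(self, encrypted_data_key, encryption_context=None):
        key_id, wrapped = encrypted_data_key.split(b":", 1)
        master = self._master_keys.get(key_id.decode())
        if master is None:
            raise KeyError("unknown or deleted master key")
        return open_(master, wrapped, _canonical(encryption_context))


def encrypt_record(kms, key_id, plaintext, encryption_context):
    """Client side: one data key per record; keep only the encrypted copy of it."""
    data_key, encrypted_data_key = kms.generate_data_key(key_id, encryption_context)
    ciphertext = seal(data_key, plaintext, b"")
    del data_key  # drop our reference to the plaintext data key as soon as it is used
    return {"encrypted_data_key": encrypted_data_key, "ciphertext": ciphertext,
            "encryption_context": encryption_context}


def decrypt_record(kms, record):
    data_key = kms.decrypt(record["encrypted_data_key"], record["encryption_context"])
    return open_(data_key, record["ciphertext"], b"")


def demo():
    kms = FakeKms()
    key_id = kms.create_key()
    record = encrypt_record(kms, key_id, b"customer data", {"aws:ebs:id": "vol-12345"})
    # Same ciphertext and wrapped key, but the context claims a different volume.
    tampered = dict(record, encryption_context={"aws:ebs:id": "vol-99999"})
    try:
        decrypt_record(kms, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return {"roundtrip": decrypt_record(kms, record), "wrong_context_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The record stores the encryption context in the clear next to the encrypted data key, exactly as the slide says: it is not a secret, it is the value that must be presented again at Decrypt time, and presenting a different one makes the unwrap of the data key fail before any customer data is touched.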
68. Auditability of KMS Key Usage Through AWS CloudTrail
Schematic CloudTrail record for a Decrypt call (illustrative values; CloudTrail writes the field names in camelCase and also lists the key under the resources section):

    "eventName": "Decrypt",                                             this KMS API action was called…
    "eventTime": "2014-08-18T18:13:07Z",                                …at this time
    "requestParameters": {
        "keyId": "2b42x363-1911-4e3a-8321-6b67329025ex",                …in reference to this key
        "encryptionContext": {"aws:ebs:id": "volumeid-12345"}           …to protect this AWS resource
    },
    "sourceIPAddress": "203.0.113.113",                                 …from this IP address
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}   …by this AWS user in this account
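Once every key use lands in CloudTrail, the practitioner's next question is what to alert on. The following is an added example, not part of the deck: a triage pass over constructed Decrypt and key-management events (the records use CloudTrail's field names but are made up for this example), flagging Decrypt calls from outside trusted networks, Decrypts without an encryption context, denied calls, use of keys outside an inventory, and critical key-management actions. The inventory, network allow-list, trusted service names and placeholder ARNs are assumptions.

```python
"""Triage of KMS CloudTrail events. The sample records are constructed, not real
log lines; the allow-lists below are placeholders for what a real deployment would
load from its key inventory and network documentation."""
import ipaddress

APPROVED_KEY = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
UNKNOWN_KEY = "arn:aws:kms:eu-west-1:111122223333:key/0000dead-0000-4000-8000-000000000000"
APPROVED_KEYS = {APPROVED_KEY}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Calls that AWS services make on your behalf show the service's DNS name, not an IP.
TRUSTED_SERVICES = {"ec2.amazonaws.com", "s3.amazonaws.com"}
DESTRUCTIVE = {"ScheduleKeyDeletion", "PutKeyPolicy", "DeleteAlias",
               "DeleteImportedKeyMaterial", "DisableKey"}


def _event(eid, name, source, key_arn, context=None, **extra):
    """Build a schematic CloudTrail record (constructed data, not a real log line)."""
    rec = {"eventID": eid, "eventName": name, "eventSource": "kms.amazonaws.com",
           "eventTime": "2019-09-18T18:13:07Z", "sourceIPAddress": source,
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"},
           "requestParameters": {"encryptionContext": context} if context else {},
           "resources": [{"ARN": key_arn}]}
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    _event("e1", "Decrypt", "ec2.amazonaws.com", APPROVED_KEY, {"aws:ebs:id": "vol-12345"}),
    _event("e2", "Decrypt", "203.0.113.113", APPROVED_KEY, {"aws:ebs:id": "vol-12345"}),
    _event("e3", "Decrypt", "10.1.2.3", APPROVED_KEY),
    _event("e4", "Decrypt", "10.1.2.3", APPROVED_KEY, {"aws:ebs:id": "vol-12345"},
           errorCode="AccessDeniedException"),
    _event("e5", "ScheduleKeyDeletion", "10.1.2.3", APPROVED_KEY),
    _event("e6", "GenerateDataKey", "10.1.2.3", UNKNOWN_KEY, {"app": "billing"}),
]


def _source_is_trusted(source):
    if source in TRUSTED_SERVICES:
        return True
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # an unexpected service name or garbage
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(events):
    """Return {eventID: [reasons]} for every event that deserves an analyst's attention."""
    findings = {}
    for ev in events:
        reasons = []
        name = ev["eventName"]
        key_arns = {r.get("ARN") for r in ev.get("resources", [])}
        if "errorCode" in ev:
            reasons.append(f"{name} denied ({ev['errorCode']}): possible probing")
        if key_arns - APPROVED_KEYS:
            reasons.append(f"{name} against a key not in inventory")
        if name == "Decrypt" and not _source_is_trusted(ev.get("sourceIPAddress", "")):
            reasons.append("Decrypt from a source outside the trusted networks")
        if name == "Decrypt" and not ev.get("requestParameters", {}).get("encryptionContext"):
            reasons.append("Decrypt with no encryption context")
        if name in DESTRUCTIVE:
            reasons.append(f"critical key-management action: {name}")
        if reasons:
            findings[ev["eventID"]] = reasons
    return findings


if __name__ == "__main__":
    for eid, reasons in triage(SAMPLE_EVENTS).items():
        print(eid, "->", "; ".join(reasons))
```

The first record, a Decrypt performed by EC2 on behalf of the user with the expected EBS context, is the normal case and produces nothing; everything else in the sample is the kind of record the deck's "who, when, which key, which resource, from where" annotation is meant to make answerable.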
69. AWS CloudHSM

70. Using Keys Securely in AWS
AWS Key Management Service
• Multi-tenant
• AWS-managed
• FIPS-validated HSMs
AWS CloudHSM
• Single-tenant
• Customer-controlled
• FIPS-validated HSMs
• Use directly, or via AWS KMS (custom key store)

71. What is AWS CloudHSM?
• A cloud-based hardware security module (HSM) that lets you generate and use your own encryption keys in the AWS Cloud
• A fully managed service that automates time-consuming administrative tasks for you: hardware provisioning, software patching, high availability and backups
• Pay as you go, with no upfront costs
• HSMs are part of a cluster: a group of equivalent HSMs, 0 to 32 HSMs per cluster
  • Each HSM instance appears as a network resource in your Amazon Virtual Private Cloud (VPC)
  • Users, policies and keys are identical across the cluster
  • Clients automatically load balance across the cluster
  • Customers can deploy across Availability Zones for high availability
• You can copy backups of your CloudHSM cluster from one Region to another for disaster recovery, which also simplifies building globally distributed or cross-Region redundant workloads

72. Customers use AWS CloudHSM to…
• Offload TLS/SSL processing for web servers
• Protect the private keys of an issuing certificate authority (CA)
• Enable Transparent Data Encryption (TDE) for Oracle databases
• Sign documents and code
• Implement Digital Rights Management
73. Aspects of Control in CloudHSM
Control over: application development, algorithms and key lengths, user management, specific compliance requirements

74. Control Implies Responsibility
The same control brings responsibility for: application integration, HSM maintenance, backups, provisioning, high availability, user management, logging

75. CloudHSM Simplifies Management Tasks
Of those responsibilities, the managed service takes on HSM maintenance, backups, provisioning and high availability (slide 71); application integration and user management remain yours (slide 79).
76. AWS CloudHSM
• Single-tenant access to high-performance FIPS 140-2 Level 3 validated hardware
• Hardware and service APIs managed by AWS
• Automatic patching, backup and high availability
• HSMs are inside your Amazon VPC, isolated from the rest of the network
• Uses third-party hardware with FIPS 140-2 Level 3 validation
• Only you have access to your keys and to operations using the keys
• Network traffic between CloudHSM and your client applications is strongly encrypted and authenticated
(Diagram: the AWS administrator manages the appliance; you control the keys and cryptographic operations; the HSM is reached from your Amazon VPC.)

77. AWS CloudHSM Cluster Architecture
• You specify an Amazon VPC in your AWS account and one or more subnets in that VPC
• Putting HSMs in different Availability Zones gives redundancy and high availability if one Availability Zone becomes unavailable
• AWS CloudHSM places an elastic network interface (ENI) in the specified subnet in your AWS account; the ENI is your interface for interacting with the HSM
• The HSM itself resides in a separate VPC in an AWS account owned by AWS CloudHSM; the HSM and its network interface are in the same Availability Zone
• You need the AWS CloudHSM client software, installed on any compatible computer that can reach the HSM ENIs; typically that is an Amazon EC2 instance in the same VPC as the HSM ENI

78. Total Control of Access Management
• AWS CloudHSM gives you secure HSM access to create users and policies
• You can create granular access management policies for up to 1,024 users on your HSMs
• Each user is in a private sandbox and can create keys that are not visible to other users
• Keys can be shared with up to 8 other users, who can use (but not manage) that specific key
• AWS has no access to your encryption keys

79. AWS CloudHSM Separation of Duties
Manufacturer
• Produces, certifies and signs the FIPS-validated firmware
AWS
• Has no access to cryptographic functions and cannot observe client-to-HSM communications
• Initializes (and zeroizes) the adapter
• Creates and destroys/zeroizes individual HSMs
• Updates firmware (FIPS-validated firmware only)
• Backs up and restores HSMs (encrypted backups)
• Manages clustering (adds/removes nodes, synchronization)
Customer
• All key management and cryptographic functions
• Administers authentication and access control to the HSM (users, privileges, policies)
• Performs file-based backups

80. AWS CloudHSM Managed Backup
• AWS CloudHSM backs up the encryption keys and the entire HSM configuration, including users and policies
• Backups are encrypted under keys contributed by both the HSM manufacturer and AWS, and can only be decrypted inside one of your HSMs
• The manufacturer's key backup key (MKBK) exists in the HSM hardware
• The AWS key backup key (AKBK) is securely installed by the CloudHSM service when the hardware is placed into operation

81. AWS CloudHSM Managed Backup (continued)
• A backup is encrypted using a backup encryption key (BEK), an AES-256 key generated within the HSM when the backup is requested
• The BEK is wrapped with a 256-bit AES wrapping key derived from the MKBK and the AKBK via a key derivation function (KDF), so neither party's key alone can unwrap it
• Each backup is stored in Amazon S3 for high durability, with an extra layer of encryption using AWS Key Management Service (AWS KMS)
• You can clone your backups to create new clusters
82. AWS Key Management Service Custom Key Store

83. AWS KMS Custom Key Store
• Combines AWS CloudHSM's control with AWS KMS's service integrations
• Use CloudHSM-backed keys in most AWS services via AWS KMS
(Diagram: clients and AWS services call KMS, which forwards cryptographic operations to your CloudHSM cluster.)

84. Why Use AWS KMS Custom Key Store?
Consider it if your organization has requirements such as:
• Keys that must be protected in a single-tenant HSM, or in an HSM over which you have direct control
• Keys that are explicitly required to be stored in an HSM validated at FIPS 140-2 Level 3 overall
  • The HSMs used in the default KMS key store are validated at Level 2 overall, with Level 3 in several categories, including physical security
• Keys that must be auditable independently of KMS

85. Custom Key Store Architecture
(Diagram: customers' applications call the KMS endpoint through the AWS SDKs, and 117+ AWS services call it on their behalf. Behind the endpoint, AWS KMS routes operations either to its standard key store, the KMS HSM fleet, or, for keys in a custom key store, through a connector to a CloudHSM cluster in your VPC. The same cluster can also be used directly by custom clients over PKCS#11, JCE or CNG.)

86. More Control Means More Responsibility
You take responsibility for operational aspects that would otherwise be handled by KMS:
• KMS does not keep key material for a custom key store; it exists only in your CloudHSM cluster, so you are responsible for backups
• You control the keys and the backups, and therefore also their availability, performance, capacity and the security properties of the HSMs
• You determine resilience across Availability Zones
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
88. Choosing Encryption Tools & Services

89. Optimization Journey: Security & Business Operations
The slide shows the progression: client-side encryption using client-side master keys, AWS CloudHSM, AWS Key Management Service

90. Key Management Considerations
Where are keys generated and stored?
• Hardware you own?
• Hardware the cloud provider owns?
Where are keys used?
• Client software you control?
• Server software the cloud provider controls?
Who can use the keys?
• Users and applications that have permissions?
• Cloud provider applications you give permissions to?
What assurances are there for proper security around keys?

91. When to Use AWS Key Management Service
Consider using AWS KMS when:
• You need to secure your encryption keys in a service backed by FIPS-validated HSMs, but you do not need to manage the HSMs yourself
• FIPS 140-2 Level 2 (overall) validated HSMs meet your requirements
• AES-256 symmetric encryption meets your requirements
https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-kms.html

92. When to Use AWS CloudHSM
Consider using AWS CloudHSM if you require:
• Keys stored in dedicated, third-party validated hardware security modules under your exclusive control
• FIPS 140-2 Level 3 validated HSMs
• Asymmetric encryption (a distinction that has since narrowed: AWS KMS added asymmetric keys in late 2019)
• Integration with applications using PKCS#11, Java JCE or Microsoft CNG interfaces
• High-performance in-VPC cryptographic acceleration (bulk crypto)
https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-hsm.html

93. When to Use AWS KMS Custom Key Stores
Use AWS KMS custom key stores when:
• Keys must be protected in a single-tenant HSM, or in an HSM over which you have direct control
• There is an explicit requirement for HSMs validated at FIPS 140-2 Level 3 overall
• Keys must be auditable independently of KMS
• You are comfortable operating HSMs yourself: with the custom key store feature you perform certain tasks that are normally handled by KMS
• You are comfortable with the increased cost and the potential impact on performance and availability
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/

94. Resources
• AWS re:Inforce 2019: Encrypting Everything with AWS
  https://www.youtube.com/watch?v=oqHLLbOoxDg
• AWS re:Inforce 2019: How Encryption Works in AWS
  https://www.youtube.com/watch?v=plv7PQZICCM
• AWS re:Invent 2017: A Deep Dive into AWS Encryption Services
  https://www.youtube.com/watch?v=gTZgxsCTfbk
• AWS Key Management Service Cryptographic Details
  https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
• AWS Key Management Service Best Practices
  https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
• AWS CloudHSM User Guide
  https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html
• AWS re:Inforce 2019: Achieving Security Goals with AWS CloudHSM
  https://www.youtube.com/watch?v=_gezaWmwzYY
• Security of AWS CloudHSM Backups
  https://d1.awsstatic.com/whitepapers/Security/security-of-aws-cloudhsm-backups.pdf
• Announcing KMS Custom Key Stores using CloudHSM
  https://www.youtube.com/watch?v=AAitIKFeO6k
• Introducing AWS Key Management Service Custom Key Store (AWS Online Tech Talks)
  https://www.youtube.com/watch?v=ksnHLFxgXcI
• Are KMS custom key stores right for you?
  https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
• How to Choose an Encryption Tool or Service
  https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-toplevel.html
• Encryption and KMS Workshop in AWS
  https://github.com/aws-samples/aws-kms-workshop
95. Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security