
Best Practices for Encrypting Data on AWS


This webinar will examine concepts for managing sensitive data in AWS. For example, using tools to encrypt client access with AWS Certificate Manager; secret management with AWS Systems Manager Parameter Store and its integration with deployment pipelines; and how to encrypt data at rest to ensure privacy.



  1. Best Practices for Encrypting Data on AWS: Encrypting data at rest and in transit
     Ric Harvey, Technical Developer Evangelist, @ric__harvey
     © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Data classification
  3. Data classification
     Start off by classifying data based on sensitivity:
       • Public data = unencrypted, non-sensitive, available to everyone
       • Critical data = encrypted, not directly accessible from the internet, requires authorization and authentication
     Use resource tags to help define the policy:
       • "DataClassification=CRITICAL"
       • Integrate access with IAM policies
     Amazon Macie:
       • Macie can automatically discover, classify and protect sensitive data through machine learning
  4. Encrypt your data
  5. Data in transit
  6. Data in transit
     AWS endpoints are HTTPS, but what can you do?
       • VPN connectivity to VPC
       • TLS application communication
       • ELB or CloudFront with ACM
  7. s2n
       • Open source SSL/TLS implementation
       • Small and auditable code base
       • Powering 100% of TLS traffic in S3
  8. AWS Certificate Manager
       • Protect and secure your website
       • Get certificates easily
       • Managed certificate renewal
       • Secure key management
       • Centrally manage certificates on the AWS Cloud
       • Integrated with other AWS Cloud services
       • Import third-party certificates
       • FREE!!!!
  9. Data at rest
  10. Why encrypt?
       • Organizational policies
       • Industry or government regulations
       • Protect the privacy of your customers
  11. Key management infrastructure (KMI)
      Diagram: Data + Encryption Algorithm + Encryption Keys, with the KMI managing the keys
  12. The key to encryption: Who controls the keys?
       • Model A: You control the encryption method and the KMI
       • Model B: You control the encryption algorithm and the key management but allow AWS to provide the key storage layer
       • Model C: AWS controls the encryption method and the entire KMI

      Who manages each component:

        Component              Model A            Model B            Model C
        Encryption method      Customer managed   Customer managed   AWS managed
        KMI: key storage       Customer managed   AWS managed        AWS managed
        KMI: key management    Customer managed   Customer managed   AWS managed
  13. Model A: You control the encryption method and the entire KMI
  14. Amazon S3
       • Encrypt data before you upload to S3
       • Decrypt data in your application as you download
       • Use open source or third-party tools
       • Amazon S3 Encryption Client
  15. Amazon S3
  16. Amazon Elastic Block Store (EBS)
       • Block-level storage, network attached to an instance
       • Leverage most standard block-level encryption tools:
         • Loop-AES, dm-crypt, etc.
       • Leverage system-level encryption tools:
         • eCryptfs, EncFS, etc.
       • Provide the key from your own KMS
       • Caveat: data volumes only
  17. Amazon RDS
       • RDS doesn't expose the disk, so transparent encryption methods don't apply
       • Selective encryption of data fields in your application
       • Encrypted data is decrypted in your application for presentation
       • Use standard libraries:
         • OpenSSL, Bouncy Castle, etc.
  18. Partners
  19. Other services
       • AWS Storage Gateway
       • Amazon EMR
  20. Model B: You control the encryption algorithm and the key management but allow AWS to provide the key storage layer
  21. Hardware security module (HSM)
  22. AWS CloudHSM
       • Fully managed service (provisioning, HA, patching and backups)
       • Manage your own keys (FIPS 140-2 Level 3)
       • Integrates with industry standards
       • Export keys
       • Bring your own KMI (key rotation, access control policy)
  23. AWS CloudHSM
      Diagram: CloudHSM appliance inside your Amazon Virtual Private Cloud; the AWS administrator manages the appliance, you control keys and crypto operations.
      Help meet compliance requirements for data security by using a dedicated Hardware Security Module appliance with AWS.
       • Dedicated, single-tenant hardware device
       • Can be deployed as HA and load balanced
       • Customer use cases:
         • Oracle TDE
         • MS SQL Server TDE
         • Set up SSL connections
         • Digital Rights Management (DRM)
         • Document signing
  24. Model C: AWS controls the encryption method and the entire KMI
  25. AWS Key Management Service (KMS)
       • Provision and use keys with AWS services
       • Send data to the service to encrypt and decrypt
       • Centralized access
       • Auditable
       • Integrates natively with other AWS services:
         • EBS, S3, Redshift
       • Low latency and high availability
  26. AWS Key Management Service (KMS)
      Diagram: Key generator → Data key
  27. AWS Key Management Service (KMS)
      Diagram: Plaintext data + Data key → Encrypted data
  28. AWS Key Management Service (KMS)
      Diagram: Existing key encryption key + Data key → Encrypted data key
  29. AWS Key Management Service (KMS)
      Diagram: Encrypted data key + Encrypted data → AWS storage services
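Slides 26 to 29 sketch KMS envelope encryption: a data key encrypts the data locally, the master key only ever encrypts the data key, and the wrapped data key is stored next to the ciphertext. The Go program below is an added example, not code from the slides or from any AWS SDK, that implements that flow end to end; the KeyService interface and the in-memory fakeKMS stand-in are assumptions that model the GenerateDataKey and Decrypt calls so the example runs offline, and with a real KMS client the wrapped key would be the blob the service returns.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")

// KeyService models the two KMS calls envelope encryption needs (hypothetical interface, not the AWS
// SDK): GenerateDataKey returns a data key in plaintext and wrapped under the master key; Decrypt unwraps one.
type KeyService interface {
	GenerateDataKey() (plain, wrapped []byte, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}
type Envelope struct{ WrappedKey, Ciphertext []byte } // what gets stored: ciphertext plus wrapped data key
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal returns nonce||ciphertext under AES-GCM with a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, nil), nil
}
func open(key, sealed []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	if len(sealed) < g.NonceSize() { return nil, errors.New("sealed blob too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
// Encrypt: fetch a data key, encrypt locally, zero the plaintext key, keep only the wrapped copy.
func Encrypt(ks KeyService, plaintext []byte) (Envelope, error) {
	plain, wrapped, err := ks.GenerateDataKey()
	if err != nil { return Envelope{}, err }
	ct, err := seal(plain, plaintext)
	for i := range plain { plain[i] = 0 }
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, err
}
// Decrypt: unwrap the data key through the key service, then decrypt locally.
func Decrypt(ks KeyService, e Envelope) ([]byte, error) {
	plain, err := ks.Decrypt(e.WrappedKey)
	if err != nil { return nil, err }
	return open(plain, e.Ciphertext)
}
// fakeKMS is a constructed in-memory stand-in for KMS; the master key never leaves it.
type fakeKMS struct{ master []byte }
func (f fakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	dk := make([]byte, 32) // AES-256 data key
	if _, err := rand.Read(dk); err != nil { return nil, nil, err }
	wrapped, err := seal(f.master, dk)
	return dk, wrapped, err
}
func (f fakeKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(f.master, wrapped) }
```

Because only the key service can unwrap the data key, the stored Envelope is useless to anyone who reads it from storage without Decrypt permission on the master key, and AES-GCM rejects any tampering with the ciphertext.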
  30. Amazon S3
       • Server-side encryption
       • Server-side encryption using customer-provided keys (SSE-C)
       • Server-side encryption using KMS
  31. Amazon Elastic Block Store (EBS)
       • Select a KMS key when creating the volume
       • Instance makes a call to KMS
       • KMS uses the master key to generate a volume key
       • Key is stored in memory to encrypt and decrypt data
       • Volumes and snapshots are encrypted
  32. Amazon RDS
       • RDS can create encrypted EBS volumes too!
       • Full disk encryption for database volumes
       • Data stored at rest on the volume, database snapshots, automated backups, and read replicas are all encrypted
  33. AWS Systems Manager Parameter Store
       • Manage and store application secrets to be consumed by your application
       • Integrates with KMS

      $ aws ssm put-parameter --name MyParameter --value "secret_value" --type SecureString

      $ aws ssm get-parameter --name MyParameter
      {
          "Parameter": {
              "Type": "SecureString",
              "Name": "MyParameter",
              "Value": "AQECAHgnOkMROh5LaLXkA4j0+…… "
          }
      }

      $ aws ssm get-parameter --name MyParameter --with-decryption
      {
          "Parameter": {
              "Type": "SecureString",
              "Name": "MyParameter",
              "Value": "secret_value"
          }
      }
  34. Amazon Redshift
       • Amazon Redshift uses a four-tier, key-based architecture for encryption. The architecture consists of data encryption keys, a database key, a cluster key, and a master key
       • Data encryption keys encrypt data blocks in the cluster. Each data block is assigned a randomly generated AES-256 key. These keys are encrypted by using the database key for the cluster
       • The cluster key encrypts the database key for the Amazon Redshift cluster
       • You can use AWS KMS, AWS CloudHSM, or an external hardware security module (HSM) to manage the cluster key
  35. Amazon EMR
       • S3DistCp moves large amounts of data from S3 into HDFS
       • Supports the ability to use SSE with S3
       • No additional cost
  36. Other services
       • AWS Storage Gateway
       • Amazon Glacier
  37. Resources
       • Amazon Macie: https://aws.amazon.com/macie/
       • AWS CloudHSM: https://aws.amazon.com/cloudhsm/
       • AWS KMS: https://aws.amazon.com/kms/
       • s2n: https://github.com/awslabs/s2n
       • AWS Certificate Manager: https://aws.amazon.com/certificate-manager/
  38. Thank you!
      Ric Harvey, Technical Developer Evangelist, @ric__harvey
