Cross-account encryption with AWS KMS and Slack Enterprise Key Management - SDD353 - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-account encryption with AWS
KMS and Slack Enterprise Key
Management
Joe Norman
Partner Solutions Architect
AWS
S D D 3 5 3
Audrei Drummond
Staff Backend Engineer
Slack

Defense in depth
KMS key
policy
KMS keyRole
IAM policy
Amazon S3
VPC endpoint
VPCe policy
Amazon S3 bucket
Bucket policy
Users Documents

Encryption in AWS
Audit
Access controls
Encrypting services
Secondary
storage
Client
Corporate data
center
AWS Cloud

AWS Key Management Service (AWS KMS) custom key
store
Clients
AWS
services

AWS KMS keyhierarchy
Two-tiered hierarchy for keys
• Data keys used to encrypt customer data
• Customer master keys (CMKs) protect data keys
• CMK policies control access to data
• All activity associated with CMKs is logged
Benefits
• Envelope encryption avoids managing data keys
• Encrypted data keys stored with encrypted objects
• Well suited to encrypting large data objects
• Enables local key caching for high I/O operations
Customer
master key
S3 bucket Amazon EBS
volume
Amazon
RDS
instance
CMK
Data key Data key Data key
AWS KMS

Envelope encryption
Example: S3 server-side encryption
Plaintext
data
Encrypt process
Encrypted
data key
3
Data key
Data key
7
Data key
Encrypted
data key
6 Data key
Generate data key request
2
CMK
1
Amazon S3
Encrypt
Encrypted
data and
data key in
S3 bucket
4
Data key
Decrypt process
5
Encrypted
data and
data key in
S3 bucketData key
Decrypt
Amazon S3
Plaintext
data
8

Key policies
Allow: Grants access
Deny: Revokes access
Which actors get this access
allowed or denied?
API actions allowed or denied
by the policy
Actions are taken against the
CMK this policy is attached to
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Grant admin access to CMK",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::[myAccount#]:role/KMSAdmin"
]
},
"Action": [
"kms:*",
]
"Resource": "*",
}]
}

Opening the floodgates
Client
Corporate data
center
AWS Cloud
VPC
Third-Party SaaS
Who controls the keys?
Customer
SaaS provider

Diving into the SaaS side
AWS Cloud
AWS KMSCustomer
SaaS provider AWS account

How can the customer keep more control?

Cross-account key policies
Allow: Grants access
Deny: Revokes access
All users in 3rd party AWS
account.
Make data keys to encrypt new
data and decrypt existing data
keys to decrypt previously
encrypted data.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Third-party access",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:root",
"arn:aws:iam::222222222222:root"
]
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
]
"Resource": "*",
}]
}

Key revocation
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Third-party access",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:root",
]
},
"Action": [
"kms:Decrypt",
]
"Resource": "*",
},
{
"Sid": "Revoke home folder access",
"Effect": "Deny",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:root",
]
},
"Action": [
"kms:Decrypt",
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:folder": "home"
}
}
}]}

Keep an eye on key usage with AWS CloudTrail
"EventName":"DecryptResult", This KMS API action was called…
"EventTime":"2014-08-18T18:13:07Z", …at this time
"RequestParameters":
{"keyId":"2b42x363-1911-4e3a-8321-6b67329024ex"}, …in reference to this key
"EncryptionContext":"volumeid-12345", …with this context
"SourceIPAddress":" 203.0.113.113", …from this IP address
"UserIdentity":
{"arn":"arn:aws:iam:: 111122223333:user/User123"} …by this AWS user in this account

Some challenges for consideration
• AWS KMS is a regional service
• Multiple regions = multiple CMKs
• Customer must trust that SaaS is deleting plaintext data keys
• Shared responsibility: Customer control over security increased
• Access control, key rotation, auditing

Slack is the collaboration hub that moves work forward

Slack Enterprise Grid

Slack EKM
Bring your own keys
Slack EKM integrates with AWS KMS to give our most
security-conscious customers control over their encryption
keys.
Granular key access control
Admins can revoke key access granularly, so teams
experience minimal disruption. Slack keeps working as
usual, and so do they.
Peace of mind for the security-conscious
Helps customers manage the risk of relying on a vendor to
protect sensitive data and the risk of invisible disclosure

Design objectives

Design objectives
Maintain all of Slack’s features in their full and unhindered form

Design objectives
Inspire a high level of customer trust by:
• Providing a detailed, un-tamperable audit log of key accesses
• Augmenting that with a log generated by Slack
• Restricting employee access to customers’ key material

Design objectives
Preserve Slack’s engineers’ ability to deliver features and fixes

Design objectives
Preserve Slack’s engineers’ ability to deliver features and fixes
Introduce minimal performance penalties

Slack EKM to end users

Slack EKM provides ...
Visibility into access to the keys that
can decrypt your messages and files
Control of key access by organization,
workspace, channel, and time

Slack EKM high-level design

• Encrypt every message or file using the customer’s encryption keys

• Decrypt every message or file using the same keys

• Use many keys, each covering a small slice of messages or a single file

• Give customers a log of all accesses to their keys

• Cache data keys for five minutes to preserve performance

• Cache data keys for five minutes to preserve performance
• Enable customers to control access to their keys via policies in AWS KMS

High-level design

Slack EKM
encryption
Log AWS KMS usage and
key scope

Slack EKM
encryption

Slack EKM
encryption
Your AWS Account
key scope

Slack EKM
encryption
Your AWS Account
Enforce Key
Policy
Log AWS KMS usage
and key scope

Slack EKM
decryption
Your AWS Account
parameters

Slack EKM
decryption
Your AWS Account
Enforce Key Policy
Log AWS KMS
usage and
parameters

Slack EKM
decryption
Your AWS Account
Send Logs
parameters

EncryptionContext scopes data keys to data
• A message is encrypted with an encryption key that’s scoped to:
• The organization
• The workspace
• The channel
• The hour
• A file is encrypted with an encryption key that’s scoped to:
• The organization
• The file

Granularly revoke key access

Example policies: Baseline
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::152659312504:root"},
"Action": ["kms:Decrypt", "kms:GenerateDataKey"],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:O": "ED14RK2GJ"
}
}
}

Example policies: Baseline lockdown
{
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
}
}
}

Example policies: Lockdown for a channel
{
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:C": "CD11VKXL3",
}
}
}

Example policies: Lockdown org for a single month
{
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
},
"StringLike": {
"kms:EncryptionContext:H": "2019-06-*"
}
}
}

Example policies: Combining channel and time
{
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:C": "CD11VKXL3",
},
"StringLike": {
"kms:EncryptionContext:H": "2019-06-25T06"
}
}
}

Slack EKM
Decryption
Your AWS Account
Send Logs

Example logs
{
"eventName": "Decrypt",
"requestParameters": {
"encryptionContext":{
"C": "CD11VKXL3",
"T": "TD2FCEBLN",
"H": "2018-10-24T21",
"O": "ED14RK2GJ"
}
},
// ...
}
{
"Action": "Decrypt",
"KeyScope": {
"C": "CD11VKXL3",
"H": "2018-10-24T21",
"O": "ED14RK2GJ",
"T": "TD2FCEBLN"
},
"Reason": "history"
}
AWS CloudTrail Amazon CloudWatch Logs

Slack EKM
Most importantly, when you’re enrolled in
EKM, Slack remains Slack
You gain control of and visibility into how your
encryption keys are being used
And AWS KMS makes it fast and highly
available

Thank you!
Joe Norman
Audrei Drummond

Cross-account encryption with AWS KMS and Slack Enterprise Key Management - SDD353 - AWS re:Inforce 2019

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Cross-account encryption with AWS KMS and Slack Enterprise Key Management - SDD353 - AWS re:Inforce 2019

Similaire à Cross-account encryption with AWS KMS and Slack Enterprise Key Management - SDD353 - AWS re:Inforce 2019 (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

Cross-account encryption with AWS KMS and Slack Enterprise Key Management - SDD353 - AWS re:Inforce 2019