(SEC301) Encryption and Key Management in AWS | AWS re:Invent 2014
DESCRIPTION
Sensitive customer data needs to be protected throughout AWS. This session discusses the options available for encrypting data at rest in AWS. It focuses on several scenarios, including transparent AWS management of encryption keys on behalf of the customer to provide automated server-side encryption, and customer key management using partner solutions or AWS CloudHSM. This session is helpful for anyone interested in protecting data stored in AWS.
TRANSCRIPT
November 12, 2014 Las Vegas, NV
Ken Beer, AWS Identity and Access Management
Todd Cignetti, AWS Security
[Slide: Key hierarchy. Hardware or software encrypts plaintext data with a symmetric data key; that symmetric data key is itself encrypted under a master key, so what ends up in storage is the encrypted data alongside the encrypted data key.]
[Slide: Your encryption client application and your key management infrastructure can each run in your data center or in Amazon EC2; together they protect your encrypted data in AWS services.]
[Slide: Your encrypted data in Amazon S3 with client-side encryption. Your application, in your data center or in Amazon EC2, uses the AWS SDK with the S3 Encryption Client, backed by your own key management infrastructure (in your data center or in EC2), so that only encrypted data reaches Amazon S3.]
[Slide: Server-side encryption with customer-provided keys. Your application sends the plaintext data together with the customer-provided key over HTTPS to the Amazon S3 web server, which encrypts the data before it is written to the Amazon S3 storage fleet.]
• Key is used at the Amazon S3 web server, then deleted
• Customer must provide the same key when downloading to allow Amazon S3 to decrypt the data
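The customer-provided-key flow above, as an added example that is not part of the deck and not AWS SDK code: the three request headers Amazon S3 uses for SSE-C, built on the client side, plus a hypothetical CheckSSECHeaders that re-creates the checks the S3 web server applies before it uses the key (the key must be 256-bit AES and the MD5 header must match it, so a key corrupted in transit is rejected rather than used to encrypt data nobody could decrypt). The demo key is generated on the spot for illustration; in practice it comes from your own key management infrastructure.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// SSE-C request headers as Amazon S3 defines them.
const (
	hdrAlgorithm = "x-amz-server-side-encryption-customer-algorithm"
	hdrKey       = "x-amz-server-side-encryption-customer-key"
	hdrKeyMD5    = "x-amz-server-side-encryption-customer-key-MD5"
)

// SSECHeaders builds the headers a client attaches to a PUT or GET with a
// customer-provided key. The key itself rides in the request, which is why
// S3 only accepts SSE-C over HTTPS and why the same key must be sent again
// on every download: the server uses it for the one request and discards it.
func SSECHeaders(key []byte) (map[string]string, error) {
	if len(key) != 32 {
		return nil, errors.New("SSE-C requires a 256-bit AES key")
	}
	sum := md5.Sum(key)
	return map[string]string{
		hdrAlgorithm: "AES256",
		hdrKey:       base64.StdEncoding.EncodeToString(key),
		hdrKeyMD5:    base64.StdEncoding.EncodeToString(sum[:]),
	}, nil
}

// CheckSSECHeaders is a hypothetical re-creation (not S3's code) of the
// validation the S3 web server performs before using the key: the algorithm
// must be AES256, the key must decode to 32 bytes, and the MD5 header must
// match the decoded key.
func CheckSSECHeaders(h map[string]string) ([]byte, error) {
	if h[hdrAlgorithm] != "AES256" {
		return nil, errors.New("unsupported customer algorithm")
	}
	key, err := base64.StdEncoding.DecodeString(h[hdrKey])
	if err != nil || len(key) != 32 {
		return nil, errors.New("customer key must be a base64-encoded 256-bit key")
	}
	want := md5.Sum(key)
	got, err := base64.StdEncoding.DecodeString(h[hdrKeyMD5])
	if err != nil || !bytes.Equal(want[:], got) {
		return nil, errors.New("customer key MD5 does not match the key")
	}
	return key, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; in practice it comes from your KMI
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	h, err := SSECHeaders(key)
	if err != nil {
		panic(err)
	}
	for _, name := range []string{hdrAlgorithm, hdrKey, hdrKeyMD5} {
		fmt.Printf("%s: %s\n", name, h[name])
	}
	if _, err := CheckSSECHeaders(h); err != nil {
		panic(err)
	}
	fmt.Println("server-side validation passed; key is used for this request, then discarded")
}
```

Because S3 keeps no copy of the key, losing it means losing the object: key custody and rotation stay entirely on the customer side with SSE-C, which is exactly the trade-off the comparison table later in the deck captures under "DIY".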
[Slide: Partner KMI. Your encryption client application, running in your data center or in Amazon EC2, uses a customer-provided key from a partner key management infrastructure (KMI) to protect your encrypted data in AWS services.]
• Two-tiered key hierarchy using envelope encryption
• Unique data keys encrypt customer data
• AWS KMS master keys encrypt the data keys
• Benefits of envelope encryption:
  • Limits the risk of a compromised data key
  • Better performance for encrypting large data
  • Easier to manage a small number of master keys than millions of data keys
[Slide: AWS KMS. Customer master key(s) held in AWS KMS protect separate data keys (Data Key 1 through Data Key 4) for an Amazon S3 object, an Amazon EBS volume, an Amazon Redshift cluster, and a custom application.]
AWS Key Management Service: Reference Architecture
[Diagram: an application or AWS service holds the data key, the encrypted data key and the encrypted data; the master key(s) stay in the customer's account inside AWS Key Management Service.]
1. The application or AWS service client requests an encryption key to use to encrypt data, and passes a reference to a master key under the account.
2. The client request is authenticated based on whether the caller has access to use the master key.
3. A new data encryption key is created and a copy of it is encrypted under the master key.
4. Both the data key and the encrypted data key are returned to the client. The data key is used to encrypt customer data and then deleted as soon as is practical.
5. The encrypted data key is stored for later use and sent back to AWS KMS when the source data needs to be decrypted.
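The envelope-encryption bullets and the five reference-architecture steps above, as one added example that is neither AWS code nor the real KMS API: a hypothetical in-process MockKMS stands in for AWS KMS, AES-256-GCM serves both as the master-key wrap and as the data cipher, and the key ID cmk-orders and the principals orders-service and reporting-job are constructed names. Nothing here talks to AWS; it shows what the service side must enforce (the key-policy check on every GenerateDataKey and Decrypt call, and a master key that is never returned) and what the client side must do (encrypt under the data key, wipe the plaintext key, and store only the wrapped key next to the ciphertext).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes draws n bytes from the OS CSPRNG; every key and nonce here comes from it.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal and open are AES-256-GCM with the random nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// MockKMS is a hypothetical in-process stand-in for AWS KMS: master keys never
// leave it, and each carries a policy naming the principals allowed to use it.
type masterKey struct {
	key     []byte
	allowed map[string]bool
}

type MockKMS struct{ keys map[string]masterKey }

// authorize is step 2: the caller must be permitted by the master key's policy.
func (k *MockKMS) authorize(keyID, principal string) ([]byte, error) {
	if mk, ok := k.keys[keyID]; ok && mk.allowed[principal] {
		return mk.key, nil
	}
	return nil, errors.New("access denied: " + principal + " may not use " + keyID)
}

// GenerateDataKey is steps 1-4: a fresh data key, returned both in plaintext
// and wrapped under the master key; the master key itself is never returned.
func (k *MockKMS) GenerateDataKey(keyID, principal string) (plain, wrapped []byte, err error) {
	mk, err := k.authorize(keyID, principal)
	if err != nil {
		return nil, nil, err
	}
	plain = randBytes(32)
	wrapped, err = seal(mk, plain)
	return plain, wrapped, err
}

// Decrypt is step 5: the stored wrapped data key is sent back to be unwrapped.
func (k *MockKMS) Decrypt(keyID, principal string, wrapped []byte) ([]byte, error) {
	mk, err := k.authorize(keyID, principal)
	if err != nil {
		return nil, err
	}
	return open(mk, wrapped)
}

// EnvelopeEncrypt is the client side of step 4: encrypt under the data key, then
// wipe the plaintext key; only the wrapped key is stored next to the ciphertext.
func EnvelopeEncrypt(kms *MockKMS, keyID, principal string, data []byte) (wrappedKey, ct []byte, err error) {
	plainKey, wrappedKey, err := kms.GenerateDataKey(keyID, principal)
	if err != nil {
		return nil, nil, err
	}
	defer copy(plainKey, make([]byte, len(plainKey))) // zero the plaintext data key
	ct, err = seal(plainKey, data)
	return wrappedKey, ct, err
}

func EnvelopeDecrypt(kms *MockKMS, keyID, principal string, wrappedKey, ct []byte) ([]byte, error) {
	plainKey, err := kms.Decrypt(keyID, principal, wrappedKey)
	if err != nil {
		return nil, err
	}
	defer copy(plainKey, make([]byte, len(plainKey)))
	return open(plainKey, ct)
}

func main() {
	kms := &MockKMS{keys: map[string]masterKey{ // constructed key ID and principal
		"cmk-orders": {key: randBytes(32), allowed: map[string]bool{"orders-service": true}},
	}}
	wk, ct, _ := EnvelopeEncrypt(kms, "cmk-orders", "orders-service", []byte("card on file"))
	pt, err := EnvelopeDecrypt(kms, "cmk-orders", "orders-service", wk, ct)
	_, denied := EnvelopeDecrypt(kms, "cmk-orders", "reporting-job", wk, ct)
	fmt.Printf("decrypted %q (err=%v); other principal: %v\n", pt, err, denied)
}
```

The wrapped data key stored beside the ciphertext is useless on its own: decrypting it requires a call that the service is willing to authorize, so removing a principal from the master key's policy is enough to stop later decryption without touching the stored data.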
AWS Key Management Service: Providing security for your keys
Todd Cignetti, AWS Security
AWS CloudHSM: dedicated HSM access
• Only you have access to your keys and operations on the keys
• AWS administrator manages the appliance
• You control keys and crypto operations
[Slide: SafeNet ProtectV in an Amazon Virtual Private Cloud. SafeNet ProtectV Manager and Virtual KeySecure run in Amazon EC2 together with AWS CloudHSM; the SafeNet ProtectV Client on your applications in Amazon EC2 protects your encrypted data in Amazon EBS.]
ProtectV Client
• Encrypts I/O from Amazon EC2 instances to Amazon EBS volumes
• Includes pre-boot authentication
[Slide: Amazon Redshift with AWS CloudHSM. Your applications in Amazon EC2 use an Amazon Redshift cluster; your encrypted data in Amazon Redshift is protected with AWS CloudHSM.]
[Slide: Transparent data encryption (TDE) with AWS CloudHSM. Your applications in Amazon EC2 use your database with TDE in Amazon EC2; the master key is created in the HSM and never leaves it.]
| | DIY | AWS Marketplace Partner Solution | AWS CloudHSM | AWS Key Management Service |
| --- | --- | --- | --- | --- |
| Where are keys generated and stored | Your network or in AWS | Your network or in AWS | In AWS, on an HSM that you control | AWS |
| Where keys are used | Your network or your EC2 instance | Your network or your EC2 instance | AWS or your applications | AWS services or your applications |
| How to control key use | Config files, vendor-specific management | Vendor-specific management | Customer code + SafeNet APIs | Policy you define; enforced in AWS |
| Responsibility for performance/scale | You | You | You | AWS |
| Integration with AWS services? | Limited | Limited | Limited | Yes |
| Pricing model | Variable | Per hour/per year | Per hour | Per key/usage |
https://aws.amazon.com/kms
– https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
https://aws.amazon.com/cloudhsm/
https://aws.amazon.com/whitepapers/
http://aws.amazon.com/articles/2850096021478074
http://www.aws-partner-directory.com/
http://blogs.aws.amazon.com/security
http://bit.ly/awsevals