In this session, we share best practices and easily-leveraged solutions for enacting autonomous systems in the face of subversion. From gag orders to warrantless searches and seizures, learn about specific tactics to protect and exercise data privacy, both for partners and customers.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ken Beer, General Manager, AWS Key Management Service
November 29, 2016
GPST303
AWS Partners and Data Privacy

2. Privacy Concerns for AWS Partners
Prevent unauthorized access to data owned…
- by the partner
- the partner’s customer
- the partner’s partners
Provide evidence of all access to data

3. Ensuring privacy using security controls
• Identity and Access Management
• Encryption at rest techniques you can apply
• Key management strategies
• Logging for audit and assurance

4. Client-side encryption at rest
• You encrypt your data before data submitted to service
• You supply encryption keys OR use keys in your AWS
account
• Requires more developer expertise
• Available AWS clients to help:
• Amazon S3, Amazon EMR File System (EMRFS), Amazon
DynamoDB, AWS Encryption SDK
• Using these clients does not give AWS employees
access to your keys or your data

5. Your
applications
in your data
center
Your key
management
infrastructure in EC2
Your encryption
client application
Your key management
infrastructure Your application
in Amazon EC2
Your encrypted data in select AWS services
Client-side encryption at rest

6. Server-side encryption at rest
• AWS encrypts data on your behalf after the data is
received by service
• Over 23 AWS services support encryption including
Amazon S3, Amazon EBS, Amazon RDS, and AWS
Lambda
• Requires less developer expertise than client-side
• Using server-side encryption does not give AWS
employees access to your keys or your data

7. create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id
<value>] --availability-zone <value> [--volume-type <value>] [--iops <value>]
[--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>]
[--generate-cli-skeleton]
Console
AWS CLI/SDK
Server-side encryption at rest in Amazon EBS

8. Plaintext
data
Hardware/
software
Encrypted
data
Encrypted
data in storage
Encrypted
data key
Symmetric
data key
Master keySymmetric
data key
? Key hierarchy
?
The key management challenge

9. Key Management Strategies
• Roll your own solution
• Store keys in a different own server/instance
• Use open source software with unique access controls
• Commercial vendors
• Dedicated appliance or virtual appliance to store keys
• AWS CloudHSM
• AWS Key Management Service

10. AWS CloudHSM
• You receive dedicated access to
HSM appliances
• HSMs located in AWS data centers
• Monitored by AWS for power and
network connectivity
• HSMs are inside your Amazon VPC
– isolated from the rest of the
network
• Uses Gemalto SafeNet Luna SA
HSM appliances
• Only you have access to your keys
and operations on the keys using
custom clients – no AWS APIs
CloudHSM
AWS administrator –
Provisions the appliance
You – Control keys and
client crypto operations
Amazon Virtual Private Cloud

11. AWS CloudHSM
Available in nine regions worldwide
• US East (N. Virginia, Ohio), US West (N. California, Oregon), EU
(Frankfurt, Ireland) and Asia Pacific (Sydney, Tokyo, Singapore)
Compliance
• Included in AWS PCI DSS and SOC-1 compliance packages
• FIPS 140-2 level 2 (maintained by Gemalto/SafeNet)
Typical use cases
• Use with Amazon RDS for Oracle TDE
• Partner ecosystem (Oracle, SQL Server, Apache, SafeNet)
• Custom applications using non-AWS SDKs

12. AWS Key Management Service (KMS)
• Managed service that simplifies creation, control,
rotation, and use of encryption keys in your applications
• Integrated with AWS server-side encryption
• Integrated with AWS client-side encryption via SDKs
• Integrated with AWS CloudTrail to provide auditable
logs of key usage for regulatory and compliance
activities
• Available in all commercial regions except China

13. Integration with AWS KMS
Two-tiered key hierarchy using
envelope encryption
• Unique data key encrypts
customer data
• AWS KMS customer
master keys (CMKs)
encrypt data keys
Customer master
keys
Data key 1
S3 object EBS volume Amazon
Redshift
cluster
Data key 2 Data key 3 Data key 4
Custom
application
AWS KMS

14. Integration with AWS KMS
Benefits
• Limits risk of compromised
data key
• Better performance for
encrypting large data
• Easier to manage small
number of CMKs than
millions of data keys
• Centralized access and
audit of key activity
Customer master
keys
Data key 1
S3 object EBS volume Amazon
Redshift
cluster
Data key 2 Data key 3 Data key 4
Custom
application
AWS KMS

15. Customer Master Keys (CMKs) in AWS KMS
Default CMKs
• Generated by AWS and unique to your account
• Usable only by users/roles in your account
• AWS manages key lifecycle, but can’t directly access key material
Custom CMKs
• Generated by AWS, but you manage lifecycle of the CMK
• You control how and when your CMKs can be used and by whom
by defining granular permissions on your keys using IAM and KMS
policies
• AWS can’t directly access key material

16. Import Key: Bring your own keys to AWS KMS
• You control how keys are generated
• You store the master copy of the key outside of AWS
• You can use imported keys with all KMS-integrated services
• You can define an optional expiration time
• You can delete and re-import the key at any time to control
when AWS can use it to encrypt/decrypt data on your behalf
• Works with standards-based key management infrastructure,
including SafeNet Gemalto and Thales e-Security

17. Import Key: Bring your own keys to AWS KMS
Import encrypted key material
under the KMS CMK key ID;
set optional expiration period
Import
Your key material
protected in KMS
Download a public
wrapping key
KMS
Download
RSA public key
Create customer master key
(CMK) container
Empty CMK container
with unique key ID
KMS
Creates
Export your key material
encrypted under the public
wrapping key Your key
management
infrastructure
Export
Your 256-bit key
material encrypted
under KMS public key

18. Workloads enabled by Import Key
• A bank customer can generate and store the master copy of their
key material in a FIPS 140-2 validated solution to satisfy their
InfoSec requirements
• A pharma customer could make keys available only during
processing of drug trial data in EMR/Amazon Redshift
• When processing is finished, expire/delete the keys so that data
stored at rest in AWS cannot be decrypted
• A government customer that needs access to data for many years
doesn’t have to trust AWS to never lose their keys

19. Audit key usage/data access with AWS CloudTrail
“eventName":“Decrypt", This KMS API was called…
“eventTime":"2016-08-18T18:13:07Z", ...at this time...
“requestParameters": {
“keyId”: “1234abcd-12ab-34cd-56ef-1234567890ab”, ...in reference to this key...
“encryptionContext":"volumeid-12345”} …to protect this resource...
“sourceIPAddress”:"42.23.141.114”, ...from this address...
“userIdentity": {
{"arn":"arn:aws:iam::111122223333:user/User123”} …by this AWS user in this
account.
• Automation: CloudWatch alarms or events on CloudTrail logs
• Reconciliation: find anomalous key usage by generating audit logs
in your application and comparing it to CloudTrail logs

20. AWS KMS assurances: Why trust AWS?
• There are no tools in place to access your physical key
material
• Your plaintext keys are never stored in nonvolatile
memory
• You control who has permissions to use your keys
• Separation of duties between systems that use master
keys and ones that use data keys
• Multiparty controls for all maintenance of KMS systems
that use your master keys

21. AWS KMS assurances: compliance
• AWS Service Organization Controls (SOC 1, SOC 2,
SOC 3)
• PCI-DSS Level 1
• ISO 27017, ISO 27018, ISO 9001
• In evaluation for FIPS 140-2 and FedRAMP

22. Comparison of key management options
KMS CloudHSM
AWS Marketplace
Partner Solutions
DIY
Where keys are
generated and stored
AWS, or Imported by
you
In AWS, on an HSM
that you control
Your network or in
EC2 instance
Your network or in
AWS
Where keys are used AWS services or your
applications
AWS or your
applications
Your network or your
EC2 instance
Your network or your
EC2 instance
How to control key use Policy you define;
enforced by AWS
Custom code +
SafeNet APIs
Vendor-specific
management
Config files, vendor-
specific management
Responsibility for
performance/scale
AWS You You You
Integration with AWS
services?
Yes Limited Limited Limited
Pricing model Per key/usage Per hour Per hour/per year Variable

23. Law enforcement requests for encrypted data
• We can’t predict what law enforcement will ask for
• We have no tools to decrypt your data or your keys
outside of the existing APIs you call that cause your data
to be decrypted
• We only consider responding to requests if the target is
our customer
• We tell law enforcement to talk to you if the target is your
customer, even if their data is hosted in our infrastructure

24. AWS do’s and don’ts you can count on
We Do…
• …challenge overly broad government subpoenas
• …advocate for modern privacy laws
• …oppose legislation that would weaken information security
• …notify customers before disclosing content information
• …offer strong encryption and key management options
• …recommend security best practices
We Do Not…
• …disclose customer information unless legally required
• …participate in government programs to capture customer data
https://aws.amazon.com/blogs/security/privacy-and-data-security/

25. Call to action
• Enable encryption at rest
• What is your key management strategy?
• Is KMS right for your customers?
• Is Import Key right for your customers?
• Does your customer need a dedicated HSM to store keys?
• Customers have customers, too (privacy preservation can be
recursive)

26. Thank you!

27. Remember to complete
your evaluations!