AWS Key Management Service provides an easy and cost-effective way to secure your data in AWS. In this session, you learn about leveraging the latest features of the service to minimize risk for your data. We also review the recently released Import Key feature that gives you more control over the encryption process by letting you bring your own keys to AWS.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ken Beer, General Manager, AWS Key Management Service
Cory Minkovich, Staff Software Engineer, Box Inc.
SEC303
Get the Most from AWS KMS
Architecting Applications for High Security
November 29, 2016

2. What to expect from this short talk
• How to approach secure application design
• Best practices for using AWS KMS
• New key management feature – Import Key
• A partner shares their experience using AWS KMS

3. Confidentiality – only authorized users can access data
Integrity – data can’t be changed without detection
Availability – data is accessible when needed
Goals for secure application design

4. • Access control on systems and/or data itself
• Principal, Action, Resource, Condition
• Encryption
• Renders data inaccessible without a key
• Authenticated encryption protects data from modification
• Easier to tightly control access to a key than the data
• Independent controls for keys and data
Confidentiality

5. • Physical integrity
• Replicate across independent systems
• Mitigates risk of data corruption or code errors
• Logical integrity
• Checksum
• Message authentication code (MAC)
• Digital signature
Integrity

6. • Ability to access ANY copy of the data
• How much time can your users live with zero access?
• Latency of access to primary copy of the data
• How much time can your users wait for normal access?
Availability

7. Sample application requirements
1. Retrieve multiple encrypted secrets and deploy to instance
(e.g. database passwords, credentials to a 3rd-party service)
2. Decrypt material and provision plaintext secrets on the instance
Implications for security…
• C – Don’t store plaintext secrets on disk
• C – Don’t decrypt secrets anywhere but the instance
• I – Keep ciphertext of secrets in multiple locations
• I – Ensure secrets haven’t changed since last used
• A – If instance can launch, secrets should be accessible
• A – Time to provision all secrets to instance < 1 minute

8. Mapping KMS features to requirements
“Don’t store plaintext secret on disk” and
“Don’t decrypt secret anywhere but the instance”
Implies…
• Encryption and decryption of secret should happen within your
application code running on your instance – no server-side encryption
• KMS-integrated client-side options:
• AWS Encryption SDK
• S3 Encryption Client
• DynamoDB Encryption Client

9. Client integration with KMS
Two-tiered key hierarchy using envelope encryption
• Unique data key encrypts customer data
• KMS master keys encrypt data keys
Benefits
• Limits risk of compromised data key
• Better performance for encrypting large data
• Easier to manage small number of master
keys than millions of data keys
• Centralized access and audit of key activity
Customer master
keys
Data key 1
S3 object EBS
volume
Amazon
Redshift
cluster
Data key 2 Data key 3 Data key 4
Custom
application
KMS

10. Mapping KMS features to requirements
“Keep ciphertext of secrets in multiple locations”
Implies…
Use a redundant storage architecture
- S3 is designed to provide 99.999999999% durability
- Backup copy in DynamoDB (or vice versa)

11. Mapping KMS features to requirements
“Ensure secrets haven’t changed since last used”
Implies…
• Use an authenticated encryption method (e.g. AES-GCM)
• Use KMS Encryption Context as input for signing ciphertext: a string-
string pair submitted with kms.Encrypt, kms.GenerateDataKey*
and kms.Decrypt calls
• KMS Encryption Context values can be enforced via policy and they
show up in AWS CloudTrail logs
“requestParameters": {“keyId”: “1234abcd-12ab-34cd-56ef-1234567890ab”,
“encryptionContext":"volumeid-123abcd4”}

12. Mapping KMS features to requirements
“If instance can launch, secrets should be accessible” and
“Time to provision plaintext secrets to instance < 1 minute”
Implies…
• Use KMS endpoints in the same region as EC2 instance
• Measure request latencies and decide whether to cache data keys
in memory for faster encrypt/decrypt times
• Note: Be very careful that you understand how/when keys are re-used

13. Best practices for client-side use of KMS
• Encoding
• If using AWS CLI – understand base64 behavior; AWS SDKs using
KMS APIs assume raw bytes
• Request rates
• KMS throttles at 100 rps per calling account for encrypt/decrypt
operations – we can make exceptions depending on your use case
• Use key aliases instead of 32-char keyId
• Enables you to re-use code in multiple regions, even with different
KMS master keyIds across regions
• Note: Aliases aren’t supported in KMS key or IAM policies

14. Authorization logic in KMS
• Key Policy is King!
• You can choose delegate to IAM policies
• KMS grants are policy objects designed to be
programmatically created and revoked as
resources are placed “in use” and “at rest”
• IAM policies must reference the KMS keyId
• Don’t expect to use aliases
• Avoid using Resource: “*” this gives
permission to use ALL keys in your account
1. KMS Key Policy
IAM Policy
referencing this
keyId?
2. KMS Grants
Is this user/group/role
allowed to perform this
action on this master key?

15. Key management options

16. Comparison of key management options
KMS CloudHSM
AWS Marketplace
Partner Solutions
DIY
Where keys are
generated and stored
AWS, or imported by
you
In AWS, on a 3rd party
HSM that you control
Your network or in
EC2 instance
Your network or in
EC2 instance
Where keys are used AWS services or your
applications
AWS or your
applications
Your network or your
EC2 instance
Your network or your
EC2 instance
How to control key use Policy you define;
enforced by AWS
SafeNet-specific
access controls
Vendor-specific
access controls
You implement
access controls
Responsibility for
performance/scale
AWS You You You
Integration with AWS
services?
Yes Limited Limited Limited
Pricing model Per master key +
usage
Up front + per hour Variable Variable

17. Comparison of key management options
KMS CloudHSM
AWS Marketplace
Partner Solutions
DIY
Where keys are
generated and stored
AWS, or imported by
you
In AWS, on a 3rd party
HSM that you control
Your network or in
EC2 instance
Your network or in
EC2 instance
Where keys are used AWS services or your
applications
AWS or your
applications
Your network or your
EC2 instance
Your network or your
EC2 instance
How to control key use Policy you define;
enforced by AWS
SafeNet-specific
access controls
Vendor-specific
access controls
You implement
access controls
Responsibility for
performance/scale
AWS You You You
Integration with AWS
services?
Yes Limited Limited Limited
Pricing model Per master key +
usage
Up front + per hour Variable Variable

18. Comparison of key management options
KMS CloudHSM
AWS Marketplace
Partner Solutions
DIY
Where keys are
generated and stored
AWS, or imported by
you
In AWS, on a 3rd party
HSM that you control
Your network or in
EC2 instance
Your network or in
EC2 instance
Where keys are used AWS services or your
applications
AWS or your
applications
Your network or your
EC2 instance
Your network or your
EC2 instance
How to control key use Policy you define;
enforced by AWS
SafeNet-specific
access controls
Vendor-specific
access controls
You implement
access controls
Responsibility for
performance/scale
AWS You You You
Integration with AWS
services?
Yes Limited Limited Limited
Pricing model Per master key +
usage
Up front + per hour Variable Variable

19. Comparison of key management options
KMS CloudHSM
AWS Marketplace
Partner Solutions
DIY
Where keys are
generated and stored
AWS, or imported by
you
In AWS, on a 3rd party
HSM that you control
Your network or in
EC2 instance
Your network or in
EC2 instance
Where keys are used AWS services or your
applications
AWS or your
applications
Your network or your
EC2 instance
Your network or your
EC2 instance
How to control key use Policy you define;
enforced by AWS
SafeNet-specific
access controls
Vendor-specific
access controls
You implement
access controls
Responsibility for
performance/scale
AWS You You You
Integration with AWS
services?
Yes Limited Limited Limited
Pricing model Per master key +
usage
Up front + per hour Variable Variable

20. Comparison of key management options
KMS CloudHSM
AWS Marketplace
Partner Solutions
DIY
Where keys are
generated and stored
AWS, or imported by
you
In AWS, on a 3rd party
HSM that you control
Your network or in
EC2 instance
Your network or in
EC2 instance
Where keys are used AWS services or your
applications
AWS or your
applications
Your network or your
EC2 instance
Your network or your
EC2 instance
How to control key use Policy you define;
enforced by AWS
SafeNet-specific
access controls
Vendor-specific
access controls
You implement
access controls
Responsibility for
performance/scale
AWS You You You
Integration with AWS
services?
Yes Limited Limited Limited
Pricing model Per master key +
usage
Up front + per hour Variable Variable

21. Comparison of key management options
KMS CloudHSM
AWS Marketplace
Partner Solutions
DIY
Where keys are
generated and stored
AWS, or imported by
you
In AWS, on a 3rd party
HSM that you control
Your network or in
EC2 instance
Your network or in
EC2 instance
Where keys are used AWS services or your
applications
AWS or your
applications
Your network or your
EC2 instance
Your network or your
EC2 instance
How to control key use Policy you define;
enforced by AWS
SafeNet-specific
access controls
Vendor-specific
access controls
You implement
access controls
Responsibility for
performance/scale
AWS You You You
Integration with AWS
services?
Yes Limited Limited Limited
Pricing model Per master key +
usage
Up front + per hour Variable Variable

22. KMS Import Key – giving you more control
• You control how master keys are generated
• You store the master copy of the keys
• You import the key into KMS and set an optional expiration time
• You use imported keys with all KMS-integrated services and SDKs
• You can delete and re-import the key at any time to control when
you or AWS can use it to encrypt/decrypt data on your behalf
• Works with standards-based key management infrastructure,
including SafeNet Gemalto and Thales e-Security

23. Import Key workflow
Import encrypted key material
under the KMS CMK keyId;
set optional expiration period
Import
Your key material
protected in KMS
Download a public
wrapping key
KMS
Download
RSA Public Key
Create customer master key
(CMK) container
Empty CMK container
with unique keyId
KMS
Creates
Export your key material
encrypted under the public
wrapping key Your key
management
infrastructure
Export
Your 256-bit key
material encrypted
under KMS public Key

24. Getting the most from KMS
• Identify your C-I-A requirements up front
• Use envelope encryption as a way to limit blast radius of
any single data key
• Think carefully about data key re-use when trying to
improve performance
• Use Encryption Context where practical
• Use Import Key for more control (if you have existing key
management infrastructure)
• Verify that AWS CloudTrail logs tell you what you need

25. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cory Minkovich
Staff Software Engineer, Box Inc.
November 29, 2016
Box KeySafe
How KMS saved us from managing HSMs

26. Box is a modern content management platform that transforms
how organizations work and collaborate to achieve results faster.

27. Box is a Content Platform
for the Modern Enterprise
• Built for cloud and mobile
• Connects to all your business apps
• Centralized security controls
• Comes with unlimited storage for
users

28. Powering digital transformation in every industry
Healthcare Provider
Content Management
Collaboration
Advanced Security
Custom Application Patients

29. Customer-managed encryption is hard
Historically the choice was between…
Client-side agent
Works well for basic
storage, but not
collaborative cloud services
or multiple devices
(ex: nCrypted Cloud,
Microsoft RMS)
Proxy-based
Works well for selective
encryption, but breaks
many cloud applications
(ex: most CASBs)
API – after upload
Also best suited for
selective encryption
and also breaks cloud
apps
(ex: most CASBs)

30. Drawbacks of historic solutions
Productivity & Ease of Use
Governance Controls
Incentive for Shadow IT
• Breaks file preview
• Breaks mobile access
• Breaks 3rd -party app
integrations
Overall Security
• Breaks antivirus
• Breaks DLP tools
• Blocks file preview as a security feature
• eDiscovery not possible/difficult
• Content workflow will be limited
• Complicates UX
• Encourages adoption of unsanctioned
tools

31. • Secure, reliable, on-demand
• Software-based approach
• Simple, configurable in 30
minutes
Introducing Box KeySafe
for customer-managed encryption

32. How Box Encryption works
A comparison of approaches

33. CUSTOMER
File
Uploaded
1
DEK
Unique
DEK
Generated
2
File
Encrypted
with DEK
3
DEK Encrypted
with Box KEK
5
DEK
Encrypted
DEK Stored
6
Encrypted
File Stored
4
NativeBoxEncryption

34. CUSTOMER
Backup HSM
Amazon Web Services
File Uploaded1
LOG
KeySafewith
AWSCloudHSM
Gemalto
Safenet HSM
File encrypted
with Box Key
2
Box Key encrypted
with Customer Key
(includes Audit Params)
3
Audit Logs
Updated
3

35. CUSTOMER
Backup HSM
Amazon Web Services
File Uploaded1
LOG
KeySafewithAWSKMS
File encrypted
with Box Key
2
Box Key encrypted
with Customer Key
(includes Audit Params)
3
Audit Logs
Updated
3
KMS

36. AWS CloudHSM vs. AWS KMS
CloudHSM KMS
Request Rate
(crypto + audit
logging)
Audit logging increases latency Default limit is 100 rps but can be increased
Audit Logging Separate requests (higher latency) Same request
Reliability Customer must manage patching and HA
Box must support every HSM version
No observed problems so far
Durability Back up HSM + possible multi-region
setup
Trust Amazon or import own key to KMS
Integration
Complexity
1k lines + SDK + multiple RPMs 200 lines + SDK

37. Code architecture

38. HSM 1KeySafeArchitecture
HSM 2
HSM 3
Customer1
HSM
Connector
Customer 1
HSM
Connector
Customer 2
HSM 1
HSM 2
HSM 3
Customer2
Key
Encryption
Decryption
Service
(KEDS)
AWS KMS

39. KMS code samples – health checking

40. KMS code samples – CloudTrail logging
annotation:
{
box-req:
"50F8B0EA6BF3F",
box-oid: "file_345678",
box-uid: "12345",
box-eid: "67890"
}
AWS CloudTrail Log

41. KMS challenges

42. Key rotation concerns
• Native key rotation is supported, but…
• Only yearly supported natively
• Some customers want quarterly rotation
• Changing the master key quarterly is really cumbersome
• Some compliance schemes require re-encrypt after rotation
• Bulk re-encrypt operations are problematic
• Only CloudTrail knows if key rotation happens
• No way to know if encrypted blob was created before or after key
rotation
• Only way to be safe is to re-encrypt all the data keys every year

43. Key availability concerns
• KMS keys are regionally isolated
• HA within region but no customer backup
• Some customers want more control
• Key import supports multi-region
• Same key material can be imported to multiple regions, but
each region’s key has unique keyId
• Lack of multiple imported key versions breaks simple key
rotation, and requires creation of multiple master keyIds
• Not easy to automate on customer side or Box side

44. KeySafe summary
• Integrating with AWS CloudHSM and KMS allows Box
• Guaranteed audit trail
• Ultimate access control delegated to customers
• Easy to incorporate into envelope encryption
• Tradeoffs
• Minor latency increase
• Availability surface area increase

45. Thank you!
Email me at
keds@box.com
with any questions!

46. Remember to complete
your evaluations!
Remember to complete
your evaluations!