
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit


Encryption is an essential tool for protecting data, and your key management practices provide the means to control access to sensitive and regulated information. In this session, we provide an overview of AWS Key Management Service (AWS KMS) and show you how it integrates with encryption capabilities across AWS. We describe how customers can use AWS KMS features to gain additional control over their keys and satisfy compliance requirements. Representatives from Slack join us to describe how the company used AWS KMS to give its customers increased control and visibility over the data that Slack protects on their behalf.


  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
     Data protection using encryption in AWS (SEC201)
     Richard Moulds, Principal Product Manager, AWS Key Management Service
     Richard Crowley, Principal Engineer, Slack
  2. Encrypt, where?
     • Data in motion: network encryption (HTTPS between the client and your instances)
     • Data at rest: storage encryption (S3 bucket, EBS volume)
     • Data in use: application-level encryption (in application code)
     Client-side encryption = you encrypt; server-side encryption = AWS encrypts.
  3. Defense in depth: layered controls between users and documents
     • IAM policy on the role
     • VPC endpoint policy on the S3 VPC endpoint
     • Bucket policy on the S3 bucket
     • KMS key policy on the KMS key
  4. Traditional reasons to not encrypt
     • Performance: latency overhead, crypto acceleration
     • Complexity: fragmented systems, inconsistent controls
     • Availability: loss of keys, key provisioning
  5. Encryption in AWS: audit, access controls, encrypting services, and secondary storage, spanning the client, the corporate data center, and the AWS Cloud
  6. AWS KMS integration: AWS services integrated with AWS KMS for customer owned keys, by AWS offering category
     • Compute: Amazon EC2, AWS Lambda, Amazon Lightsail*
     • Storage: Amazon EBS, Amazon EFS, Amazon FSx for Windows File Server, Amazon S3 Glacier, Amazon S3, AWS Storage Gateway
     • Databases: Amazon Aurora, Amazon DynamoDB*, Amazon DynamoDB Accelerator (DAX)*, Amazon Neptune, Amazon Redshift, Amazon RDS
     • Analytics: Amazon Athena, Amazon Elasticsearch Service, Amazon EMR, AWS Glue, Amazon Kinesis Data Firehose, Amazon Kinesis Data Streams, Amazon Managed Streaming for Kafka (Amazon MSK)
     • Machine learning: Amazon Comprehend*, Amazon Lex, Amazon SageMaker, Amazon Translate
     • Application services: Amazon Elastic Transcoder, Amazon Simple Email Service (Amazon SES), Amazon Simple Queue Service (Amazon SQS)
     • Migration & transfer: AWS Snowball, AWS Snowball Edge, AWS Snowmobile, AWS Database Migration Service
     • Developer tools: AWS Cloud9, AWS CodeBuild, AWS CodeCommit*, AWS CodeDeploy, AWS CodePipeline, AWS X-Ray
     • Management tools: AWS CloudTrail, Amazon CloudWatch Logs, AWS Systems Manager
     • Media services: Amazon Kinesis Video Streams
     • Security & identity: AWS Certificate Manager*, AWS Secrets Manager
     • Enterprise applications: Amazon WorkMail, Amazon WorkSpaces
     • Business productivity: Alexa for Business*
     • Contact center: Amazon Connect
     * Supports only AWS managed KMS keys.
  7. KMS key hierarchy
     Two-tiered hierarchy for keys
     • Data keys used to encrypt customer data
     • Customer master keys (CMKs) protect data keys
     • CMK policies control access to data
     • All activity associated with CMKs is logged
     Benefits
     • Envelope encryption avoids managing data keys
     • Encrypted data keys stored with encrypted objects
     • Well suited to encrypting large data objects
     • Enables local key caching for high I/O operations
     (Diagram: one customer master key in the Key Management Service protects a separate data key for an S3 bucket, an EBS volume, and an RDS instance.)
  8. Envelope encryption. Example: S3 server-side encryption
     Encrypt process: (1) the CMK is held in AWS KMS; (2) Amazon S3 sends a generate data key request; (3) KMS returns the data key together with a copy of it encrypted under the CMK; (4) S3 encrypts the plaintext data with the data key and stores the encrypted data and the encrypted data key in the S3 bucket.
     Decrypt process: (5) S3 reads the encrypted data and the encrypted data key from the bucket; (6) the encrypted data key is sent to KMS; (7) KMS decrypts it under the CMK and returns the data key; (8) S3 decrypts the data and returns the plaintext.
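The envelope flow of slides 7 and 8, as an added example that is not from the talk or from AWS: a mock KMS stands in for the service (a single CMK and AES-256-GCM as the wrapping algorithm are both assumptions), issues data keys bound to an encryption context, and the object is stored together with its wrapped data key, so reading it back has to go through KMS again.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "encoding/json"; "fmt")
// MockKMS stands in for AWS KMS: the CMK never leaves it and callers only ever
// receive data keys. Assumption: a single CMK and AES-256-GCM for all wrapping.
type MockKMS struct{ cmk []byte }
func NewMockKMS() *MockKMS { k := make([]byte, 32); rand.Read(k); return &MockKMS{k} }
// aad turns the encryption context into GCM associated data, so a wrapped key only
// opens when the same context is presented again (json.Marshal sorts map keys).
func aad(ctx map[string]string) []byte { b, _ := json.Marshal(ctx); return b }
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) } // every key here is 32 bytes, so this cannot happen
	g, _ := cipher.NewGCM(block)
	return g
}
func gcmSeal(key, pt, ad []byte) []byte { // fresh nonce, prepended to the ciphertext
	g := newGCM(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return append(nonce, g.Seal(nil, nonce, pt, ad)...)
}
func gcmOpen(key, ct, ad []byte) ([]byte, error) {
	g := newGCM(key)
	if len(ct) < g.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], ad)
}
// GenerateDataKey (slide steps 2-3): a fresh data key plus a copy wrapped under the CMK.
func (m *MockKMS) GenerateDataKey(ctx map[string]string) (plain, wrapped []byte) {
	plain = make([]byte, 32)
	rand.Read(plain)
	return plain, gcmSeal(m.cmk, plain, aad(ctx))
}
// Decrypt (steps 6-7): unwrap a data key; a different context fails authentication.
func (m *MockKMS) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	return gcmOpen(m.cmk, wrapped, aad(ctx))
}
// Envelope is what lands in the bucket (step 4): the ciphertext and its wrapped data key.
type Envelope struct{ WrappedKey, Ciphertext []byte; Context map[string]string }
// EncryptObject uses the plaintext data key once and drops it; only the wrapped copy persists.
func EncryptObject(k *MockKMS, pt []byte, ctx map[string]string) Envelope {
	dk, wrapped := k.GenerateDataKey(ctx)
	return Envelope{WrappedKey: wrapped, Ciphertext: gcmSeal(dk, pt, nil), Context: ctx}
}
// DecryptObject (steps 5-8): KMS unwraps the data key, then the object is decrypted locally.
func DecryptObject(k *MockKMS, e Envelope) ([]byte, error) {
	dk, err := k.Decrypt(e.WrappedKey, e.Context)
	if err != nil { return nil, err }
	return gcmOpen(dk, e.Ciphertext, nil)
}
```

Because the context is authenticated data on the wrapped key, a caller who presents a different context, or a different CMK, gets an authentication failure rather than a key.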
  9. Key management lifecycle: define key use, create, enable, rotate, back up, recover, disable, delete
  10. Two approaches for managing your keys
      AWS managed master keys
      • AWS services request AWS KMS to automatically create master keys
      • Keys are in your account but can only be used by the AWS services that created them
      Customer managed master keys
      • You create your master keys in advance using AWS KMS
      • You choose which keys to use when setting up an AWS service to use encryption
      All operational aspects are the same: security, latency, throughput, durability, availability, and auditability
  11. Take control over your keys
      • Control who can manage and use your keys
      • Limit how your keys can be used (scope reduction)
      • Define conditions of use (encryption context = specific data objects)
      • Delegate permissions and share access across accounts
      • Enable and disable keys instantly
      • Control key deletion
      • Control key rotation
      • Organize your keys with aliases and tags
      • Use keys outside AWS encrypting services
      • Use AWS Encryption SDK or AWS KMS directly to encrypt data
  12. Audit AWS KMS usage with AWS CloudTrail
      "EventName": "DecryptResult"                                          ... this KMS API action was called
      "EventTime": "2014-08-18T18:13:07Z"                                   ... at this time
      "RequestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex"} ... in reference to this key
      "EncryptionContext": "volumeid-12345"                                 ... to protect this AWS resource
      "SourceIPAddress": "203.0.113.113"                                    ... from this IP address
      "UserIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}     ... by this AWS user in this account
  13. Bring your own key (BYOK). Do you have any of these requirements?
      • Control how your key was generated (entropy sources)
      • Keep your own backup copy of your key material
      • Upload keys only when you need them
  14. AWS KMS custom key store
      Enables you to use an AWS CloudHSM cluster that you control as your own KMS key store. Your KMS keys are generated, stored, and used in devices that are comparable to traditional on-premises HSMs. AWS CloudHSM provides cloud-based HSMs that are easy to scale, with automatic provisioning, high availability, and managed backups. (Diagram: clients and AWS services on either side of the custom key store.)
  15. Richard Crowley, Principal Engineer, Slack. March 27, 2019. Slack EKM
  16. Slack EKM
      ● Integrates Slack with AWS KMS to give our most security-conscious customers control over their encryption keys
      ● Helps customers manage the risk of relying on a vendor to protect sensitive data and the risk of invisible disclosure
  17. Slack EKM design objectives
      ● Slack must remain Slack, feature for feature
      ● EKM must inspire confidence and earn trust, not merely check a box
      ● The application's performance can't become terrible
      ● Our engineers must remain productive
  18. Slack EKM to end users
  19. Slack EKM to end users
  20. Slack EKM provides...
      Visibility into access to the keys that can decrypt your messages and files
      Control of key access by organization, workspace, channel, and time
  21. High-level design
      ● Each time a message is sent or a file is uploaded, encrypt it and use the customer's master key to encrypt the data key
      ● Each time a message or file is read, use those same keys to decrypt it
      ● Use many data keys, each covering a small slice of messages or a single file
      ● Give customers a log of all access to those data keys so they know what's being decrypted
      ● Give customers ownership of the master key
      ● Cache data keys in memory for five minutes to preserve performance
  22. Your AWS account
  23. Your AWS account
  24. Encrypt
  25. Decrypt
  26. Enforce Key Policy
  27. Send Logs
  28. EncryptionContext scopes data keys to data
      A message is encrypted with an encryption key that's scoped to:
      ● The organization that sent it
      ● The workspace in which the channel appears, if applicable
      ● The channel in which the message appears
      ● The hour in which the message was sent
      A file is encrypted with an encryption key that's scoped to:
      ● The organization that sent it
      ● The file itself
  29. Example logs
      CloudTrail:
        {
          "eventName": "Decrypt",
          "requestParameters": {
            "encryptionContext": {
              "C": "CD11VKXL3",
              "T": "TD2FCEBLN",
              "H": "2018-10-24T21",
              "O": "ED14RK2GJ"
            }
          },
          // ...
        }
      CloudWatch Logs:
        {
          "Action": "Decrypt",
          "KeyScope": {
            "C": "CD11VKXL3",
            "H": "2018-10-24T21",
            "O": "ED14RK2GJ",
            "T": "TD2FCEBLN"
          },
          "Reason": "history"
        }
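As an added example (not code from the talk, Slack or AWS), a check that reconciles the two log streams of slide 29 and the CloudTrail fields annotated on slide 12: every KMS Decrypt that CloudTrail records against the customer's key should have a matching entry, with a reason, in the access log Slack sends to CloudWatch Logs, and a decrypt without one is the kind of invisible disclosure slide 16 refers to. The sample records, the IAM user name slack-ekm and the July-history decrypt are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample records in the shapes shown on slides 12 and 29; not real log
// data. The IAM user name slack-ekm and the second (July) decrypt are made up.
const cloudTrail = `[
{"eventName":"Decrypt","eventTime":"2018-10-24T21:07:11Z","sourceIPAddress":"203.0.113.113",
 "userIdentity":{"arn":"arn:aws:iam::111122223333:user/slack-ekm"},
 "requestParameters":{"encryptionContext":{"C":"CD11VKXL3","T":"TD2FCEBLN","H":"2018-10-24T21","O":"ED14RK2GJ"}}},
{"eventName":"Decrypt","eventTime":"2018-10-24T21:09:40Z","sourceIPAddress":"203.0.113.113",
 "userIdentity":{"arn":"arn:aws:iam::111122223333:user/slack-ekm"},
 "requestParameters":{"encryptionContext":{"C":"CD11VKXL3","T":"TD2FCEBLN","H":"2018-07-03T09","O":"ED14RK2GJ"}}}]`
const slackLog = `[{"Action":"Decrypt","KeyScope":{"C":"CD11VKXL3","H":"2018-10-24T21","O":"ED14RK2GJ","T":"TD2FCEBLN"},"Reason":"history"}]`

type trailEvent struct {
	EventName         string `json:"eventName"`
	EventTime         string `json:"eventTime"`
	SourceIP          string `json:"sourceIPAddress"`
	UserIdentity      struct{ ARN string `json:"arn"` } `json:"userIdentity"`
	RequestParameters struct{ EncryptionContext map[string]string `json:"encryptionContext"` } `json:"requestParameters"`
}
type slackEvent struct {
	Action   string            `json:"Action"`
	KeyScope map[string]string `json:"KeyScope"`
	Reason   string            `json:"Reason"`
}

// scopeKey canonicalises a context so the two logs join regardless of key order
// (fmt prints maps in sorted key order since Go 1.12).
func scopeKey(m map[string]string) string { return fmt.Sprint(m) }

// Unexplained lists KMS Decrypt calls on the customer's key for which Slack's own
// access log records no reason: the "invisible disclosure" EKM is meant to surface.
func Unexplained(cloudTrailJSON, slackJSON string) ([]string, error) {
	var trail []trailEvent
	var slack []slackEvent
	if err := json.Unmarshal([]byte(cloudTrailJSON), &trail); err != nil { return nil, err }
	if err := json.Unmarshal([]byte(slackJSON), &slack); err != nil { return nil, err }
	explained := map[string]bool{}
	for _, s := range slack { if s.Action == "Decrypt" { explained[scopeKey(s.KeyScope)] = true } }
	var out []string
	for _, e := range trail {
		if k := scopeKey(e.RequestParameters.EncryptionContext); e.EventName == "Decrypt" && !explained[k] {
			out = append(out, fmt.Sprintf("%s %s from %s by %s", e.EventTime, k, e.SourceIP, e.UserIdentity.ARN))
		}
	}
	return out, nil
}
```

With the constructed input, the October decrypt is explained by the "history" entry and only the July-scoped decrypt is reported, with the source IP and principal from CloudTrail attached for follow-up.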
  30. Example policies: Baseline
      {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::152659312504:root"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "kms:EncryptionContext:O": "ED14RK2GJ"
          }
        }
      }
  31. Example policies: Lockdown
      {
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::152659312504:root"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "kms:EncryptionContext:O": "ED14RK2GJ"
          }
        }
      }
  32. Example policies: Lockdown for one channel
      {
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::152659312504:root"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "kms:EncryptionContext:C": "CD11VKXL3",
            "kms:EncryptionContext:O": "ED14RK2GJ"
          }
        }
      }
  33. Example policies: Lockdown a single month
      {
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::152659312504:root"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "kms:EncryptionContext:O": "ED14RK2GJ"
          },
          "StringLike": {
            "kms:EncryptionContext:H": "2018-07-*"
          }
        }
      }
  34. Example policies: Combining channel and time
      {
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::152659312504:root"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "kms:EncryptionContext:C": "CD11VKXL3",
            "kms:EncryptionContext:O": "ED14RK2GJ"
          },
          "StringLike": {
            "kms:EncryptionContext:H": "2018-07-*"
          }
        }
      }
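The policies of slides 30 to 34 worked through as an added example (not Slack's or AWS's code): a small evaluator for Allow and Deny statements whose conditions test kms:EncryptionContext:* keys, plus a helper that builds the slide 28 context for a message. It assumes Principal and Resource have already matched (Slack's account, this CMK), so only the context conditions and the deny-overrides-allow rule are modelled.

```go
package main

import (
	"regexp"
	"strings"
	"time"
)
// Statement mirrors the policy fields the slides use: Effect, Action and a Condition
// map keyed by operator, then by "kms:EncryptionContext:<K>". Assumption: Principal
// and Resource have already matched (Slack's account, this CMK), so only the
// encryption-context conditions decide.
type Statement struct {
	Effect    string
	Actions   []string
	Condition map[string]map[string]string
}
// EKMContext builds the context a Slack message carries (slide 28): org, workspace,
// channel and the UTC hour it was sent, in the "2018-10-24T21" form the logs show.
func EKMContext(org, workspace, channel string, sent time.Time) map[string]string {
	return map[string]string{"O": org, "T": workspace, "C": channel, "H": sent.UTC().Format("2006-01-02T15")}
}
// like implements StringLike: * matches any run of characters, ? exactly one.
func like(pattern, value string) bool {
	re := strings.NewReplacer(`\*`, ".*", `\?`, ".").Replace(regexp.QuoteMeta(pattern))
	return regexp.MustCompile("^" + re + "$").MatchString(value)
}
func (s Statement) matches(action string, ctx map[string]string) bool {
	hit := false
	for _, a := range s.Actions { hit = hit || a == action }
	if !hit { return false }
	for op, keys := range s.Condition {
		for key, want := range keys {
			got, ok := ctx[strings.TrimPrefix(key, "kms:EncryptionContext:")]
			if !ok { return false } // key absent from the request: the condition is not met
			if (op == "StringEquals" && got != want) || (op == "StringLike" && !like(want, got)) { return false }
			if op != "StringEquals" && op != "StringLike" { return false } // operator not modelled
		}
	}
	return true
}
// Evaluate applies IAM logic: a matching explicit Deny always wins; otherwise some
// Allow must match. Slack's baseline Allow plus a lockdown Deny therefore blocks
// exactly the scope named in the Deny's conditions and nothing else.
func Evaluate(policy []Statement, action string, ctx map[string]string) bool {
	allowed := false
	for _, s := range policy {
		if !s.matches(action, ctx) { continue }
		if s.Effect == "Deny" { return false }
		allowed = true
	}
	return allowed
}
```

Run with the baseline Allow and the single-month Deny, an October message still decrypts while a July message is refused, and a message from another organization is refused because nothing allows it.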
  35. Slack EKM
      ● Most importantly, when you're enrolled in EKM, Slack remains Slack
      ● You gain control of and visibility into how your encryption keys are being used
      ● And AWS KMS makes it fast and highly available
  36. Summary
      • Encryption by default is a realistic goal
      • Sound key management provides enhanced access controls and visibility
      • AWS KMS is durable, secure, and integrated with 50+ AWS services
      • You have choices about the controls you place over your keys
      • AWS KMS can be used as an independent control point for your own applications and AWS partner solutions
  37. Thank you!
