Mais conteúdo relacionado Semelhante a Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019 (20) Mais de Amazon Web Services (20) Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019 1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing your block storage on AWS
Ashish Palekar
Director, Product Management
Elastic Block Store
@logicalblock
G R C 2 0 7
2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• Block storage in AWS
• Local Instance Storage
• Elastic Block Store (EBS)
• EBS Snapshots
• Encryption
• Local Instance Storage, EBS, Snapshots
• Launching Encrypted Volumes from Unencrypted Snapshots / AMIs
• Sharing Encrypted Snapshots / AMIs across Account
• Account Level Encryption by Default
3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Block Storage Offerings
sc1st1
Amazon EBS HDD-
backed volumes
Amazon EBS
Snapshots
Amazon EC2
instance store
HDDSSD
Amazon EBS SSD-
backed volumes
io1gp2
4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is Amazon EC2 instance store?
• Local to instance
• Non-persistent data store
• Data not replicated (by default)
• No snapshot support
• SSD or HDD
Amazon EC2 instances
Physical Host
InstanceStore
or
5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is Amazon EBS?
• Block storage as a service
• Create, attach volumes through an API
• Service accessed over the network
Amazon
EC2
instance
Amazon
EBS
volume
6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is Amazon EBS?
• Block storage as a service
• Create, attach volumes through an API
• Service accessed over the network
!=
Amazon
EC2
instance
Amazon
EBS
volume
7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is Amazon EBS?
Amazon
EC2
instance
Amazon
EBS
volume
8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is Amazon EBS?
• Volumes persist independent of Amazon EC2
• Select storage and compute based on your
workload
• Detach and attach between instances within
the same Availability Zone
Amazon EC2 instance
Availability Zone
AWS Region
Amazon EC2
instance
Amazon EBS volume
9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is Amazon EBS?
• Volumes attach to one instance
• Many volumes can attach to an instance
• Separate boot and data volumes
Availability Zone
AWS Region
Amazon EC2
instance
EBS volume EBS volume EBS volume
10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS volume types
Hard disk drives (HDD)Solid-state drives (SSD)
11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS volume types
HDDSSD
Provisioned
IOPS SSD
io1
General
Purpose SSD
gp2
Throughput
Optimized HDD
st1 sc1
Cold
HDD
12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS use cases
HDDSSD
Relational Databases
MySQL, SQL Server,
PostgreSQL, SAP,
Oracle
NoSQL Databases
Cassandra, MongoDB,
CouchDB
Big Data , Analytics
Kafka, Splunk, Hadoop,
Data Warehousing
File / Media
CIFS/NFS, Transcoding,
Encoding, Rendering
13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS volume types: General Purpose SSD
gp2
Throughput: Up to 250 MiB/s
Latency: Single-digit ms
Capacity: 1 GiB to 16 TiB
Baseline: 100 to 16,000 IOPS; 3 IOPS per GiB
Burst: 3,000 IOPS (for volumes up to 1,000 GiB)
General Purpose SSD
Great for boot volumes, low-latency applications, and bursty databases
14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS volume types: Provisioned IOPS
io1
Baseline: 100 – 64,000 IOPS
Throughput: Up to 1,000 MiB/s
Latency: Single-digit ms
Capacity: 4 GiB to 16 TiB
Ideal for critical applications and databases with sustained IOPS
Provisioned IOPS
15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS volume types: Throughput Optimized
Baseline: 40 MiB/s per TiB up to 500 MiB/s
Capacity: 500 GiB to 16 TiB
Burst: 250 MiB/s per TiB up to 500 MiB/s
Ideal for large-block, high-throughput sequential workloads
st1
Throughput Optimized HDD
16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS volume types: Cold HDD
Baseline: 12 MiB/s per TB up to 192 MiB/s
Capacity: 500 GiB to 16 TiB
Burst: 80 MiB/s per TB up to 250 MiB/s
Ideal for sequential throughput workloads, such as logging and backup
sc1
Cold HDD
17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS Snapshots
• Copy of Amazon EBS volumes stored on
Amazon S3
• Snapshots are Regional
• First snapshot is a full copy
• Subsequent snapshots are incremental
• Snapshots can be shared / copied
• Create volumes from Snapshots
EC2 instance
EBS volume
Availability Zone Region
19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Encryption – NVMe Local Instance Storage
Instances: C5d, I3, I3en, F1, M5ad, P3dn.24xlarge, R5d, R5ad,
Z1d
• Drives are always encrypted – cannot be disabled
• You cannot change encryption keys
• Encryption uses XTS-AES-256 block cipher
• Implemented on HW module on instance – keys unique to
each NVMe instance storage device
• Keys destroyed on instance stop/terminate
Instance
20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Encryption – Amazon EBS
Integrates with Amazon Key Management Service (KMS) –
AES-256 Encryption
Uses Customer Master Keys (CMKs)
Encrypted EBS volume implies the following are
encrypted:
• Data at rest inside the volume
• Data moving between the volume and instance
• Snapshots created from the volume
• Volumes created from such snapshots
Amazon EC2 instance
Amazon EBS volume
Availability Zone
21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS Volume encryption
Amazon EBS
encryption:
data volumes
22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS Volume encryption
Amazon EBS encryption:
data volumes
23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS Volume encryption
Create a new AWS KMS master key for Amazon EBS
• Define key rotation policy
• Enable AWS CloudTrail auditing
• Control who can use key
• Control who can administer key
24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS Volume encryption
Amazon EBS encryption:
data volumes
25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS encryption:
data volumes
RunInstances with custom CMKs
26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS encryption:
data volumes
RunInstances with custom CMKs
27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS encryption:
data volumes
RunInstances with custom CMKs
$> aws ec2 run-instances –image-id ami-b42209de –count 1 –
instance-type m4.large –region us-east-1 –block-device-
mappings file://mapping.json
mapping.json
{
"DeviceName": "/dev/sda1",
"Ebs": {
"DeleteOnTermination": true,
"VolumeSize": 100,
"VolumeType": "gp2",
"Encrypted": true,
"kmsKeyID": "arn:aws:kms:us-east-1:012345678910:key/abcd1234-
a123-456a-a12b-a123b4cd56ef"
}
}
28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS volume 1AWS KMS
Envelope
encryption
Amazon EBS encryption: How it works
EBS
master key
Data key 1
Data key 2
Data key 3
Amazon EBS volume 2
Amazon EBS volume 3
29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS KMS
Envelope
encryption
Amazon EBS encryption: How it works
EBS
master key
Amazon EBS volume 1
Amazon EBS volume 2
Amazon EBS volume 3
30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS KMS
Envelope
encryption
Amazon EBS encryption: How it works
EBS
master key
• Limits exposure risk
• Performance
• Simplifies key management
Amazon EBS volume 1
Amazon EBS volume 2
Amazon EBS volume 3
31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS Optimized Performance and Encryption
Does choosing encryption reduce Amazon EBS Optimized
Performance?
• Amazon EBS Optimized Performance is the same with and
without encryption for the ‘4’ and ‘5’ family of instances
• In other words, encryption does not reduce the rated
performance of an instance in the ‘4’ or ‘5’ family
EC2 instance
EBS volume
Availability Zone
32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS snapshot encryption
• Snapshots of encrypted volumes are
automatically encrypted
• Volumes created from encrypted snapshots are
automatically encrypted
• You can encrypt an unencrypted snapshot when you
copy a snapshot
• You can re-encrypt a snapshot you own with a different
key when you copy a snapshot
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Snapshots different from volumes / instance storage
Snapshots can be shared across accounts
Snapshots can be copied across accounts
Snapshots can be copied within accounts
Snapshots can be copied across regions
Snapshots are used to create AMIs
EC2 instance
EBS volume
Availability Zone
Region
34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sharing Snapshots and AMIs
aws ec2 describe-snapshot-attribute --snapshot-id snap-00d820abc6be8d639 --attribute
createVolumePermission
aws ec2 modify-snapshot-attribute --snapshot-id snap-00d820abc6be8d639 --attribute
createVolumePermission
{
"SnapshotId": "snap-00d820abc6be8d639",
"CreateVolumePermissions": []
}
35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sharing Snapshots and AMIs
36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sharing Snapshots and AMIs
Public sharing: Reasonable use case for AMIs – AWS Marketplace AMIs
Share non-AMI snapshots with specific accounts
To launch a volume from a snapshot, you need a copy of snapshot in-region
37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Copy Snapshots across regions
AWS Region
Amazon EBS
snapshot
Availability Zone
Amazon EBS
volume
Amazon
S3
AWS Region
Amazon EBS
snapshot
Availability Zone
Amazon EBS
volume
38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Copy Snapshots
Amazon S3 Encryption protects snapshots in-transit during
the copy operation
Unencrypted snapshots can be encrypted during copy
Encrypted snapshots can be re-encrypted during copy
First copy across regions is a full copy
Snapshots are incremental after first copy
- Same CMK needed on both ends to support incremental copies
39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Copy Snapshots: encrypt or re-encrypt
aws ec2 copy-snapshot --source-snapshot-id
snap-010bb9c48a9a4c237 --destination-region
us-west-1 --encrypted --kms-key-id
key/1234abcd-12ab-34cd-56ef-1234567890ab
40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Copy Snapshots across regions
Copy Snapshots across accounts across
regions
Lock down resource level permissions on
target snapshot copy
Multi-region = Protection against regional
events
Permission lock down = malicious or
unintentional deletes of data
Availability Zone
Region Region
41. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Three new features to make encryption easier
• Launch encrypted volumes from unencrypted snapshots / AMIs
• Launch volumes encrypted with different CMK from encrypted snapshots / AMIs
• Share snapshots encrypted with custom CMKs across accounts
• Encryption By Default for EBS for an account in a region with a single setting
43. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Previously ...
Unencrypted
Snapshot / AMI
Encrypted Snapshot
/ AMI
Encrypted Amazon
EBS Volumes
Copy and encrypt Create volume
44. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Now ...
Unencrypted
Snapshot / AMI
Encrypted Amazon
EBS Volumes
Launch encrypted volume
45. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to do this
46. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to do this
aws ec2 create-volume --snapshot-
id snap-010bb9c48a9a4c237 --
availability-zone us-west-2a --
encrypted --volume-type gp2
47. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits
Simple: Single step to launch encrypted volumes
Compatible: Enables introducing encryption even while using unencrypted AMIs
Saves time
Less cost – no need to create and save copies of snapshots for launch
49. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Previously ...
Snapshot / AMI
encrypted with
custom CMK
Copy snapshots
across accounts
Account 1 Account 2 Account 1 Account 2
Create
Volumes
Account 1 Account 2
50. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Now ...
Snapshot / AMI
encrypted with
custom CMK
Share snapshots across accounts
Account 1 Account 2 Account 1 Account 2
51. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to do this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:CreateGrant",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-east-
1:<111111111111>:key/<key-id of cmkSource>"
]
}
]
}
52. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to do this
$> aws ec2 run-instances
--image-id ami-XXXXX
--count 1
--instance-type m4.large
--region us-east-1
--subnet-id subnet-aec2fc86
--key-name 2016KeyPair
--security-group-ids sg-f7dbc78e
subnet-id subnet-aec2fc86
--block-device-mappings
file://mapping.json
[
{
"DeviceName": "/dev/xvda",
"Ebs": {
"Encrypted": true,
"KmsKeyId":
"arn:aws:kms:us-east-
1:<999999999999>:key/<abcd1234-a123-
456a-a12b-a123b4cd56ef>"
}
}
]
53. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits
Simple: Single step to launch encrypted volumes from snapshots encrypted by
custom CMK
Saves time
Less cost – no need to create and save copies of snapshots for launch
55. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Previously …
Unencrypted
Snapshot / AMI
Copy snapshots
across accounts
Account 1 Account 2 Account 1 Account 2
Create
Volumes
Account 1 Account 2
56. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Now ...
Unencrypted
Snapshot / AMI
Share snapshots across accounts
Account 1 Account 2 Account 1 Account 2
58. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Previously …
Region
Set IAM policies
Account 1
Region
Account 1
59. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Now …
Region
Account Level Regional Setting
Account 1
Region
Account 1
60. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to do this
61. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits
Simple: Easy to ensure compliance without change to workflows
Compatible: Enables introducing encryption even while using unencrypted
snapshots and AMIs
62. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Account Level EncryptionMonitor access
In Closing …