Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing your block storage on AWS
Ashish Palekar
Director, Product Management
Elastic Block Store
@logicalblock
G R C 2 0 7

Agenda
• Block storage in AWS
• Local Instance Storage
• Elastic Block Store (EBS)
• EBS Snapshots
• Encryption
• Local Instance Storage, EBS, Snapshots
• Launching Encrypted Volumes from Unencrypted Snapshots / AMIs
• Sharing Encrypted Snapshots / AMIs across Account
• Account Level Encryption by Default

AWS Block Storage Offerings
sc1st1
Amazon EBS HDD-
backed volumes
Amazon EBS
Snapshots
Amazon EC2
instance store
HDDSSD
Amazon EBS SSD-
backed volumes
io1gp2

What is Amazon EC2 instance store?
• Local to instance
• Non-persistent data store
• Data not replicated (by default)
• No snapshot support
• SSD or HDD
Amazon EC2 instances
Physical Host
InstanceStore
or

What is Amazon EBS?
• Block storage as a service
• Create, attach volumes through an API
• Service accessed over the network
Amazon
EC2
instance
Amazon
EBS
volume

What is Amazon EBS?
• Block storage as a service
• Create, attach volumes through an API
• Service accessed over the network
!=
Amazon
EC2
instance
Amazon
EBS
volume

What is Amazon EBS?
Amazon
EC2
instance
Amazon
EBS
volume

What is Amazon EBS?
• Volumes persist independent of Amazon EC2
• Select storage and compute based on your
workload
• Detach and attach between instances within
the same Availability Zone
Amazon EC2 instance
Availability Zone
AWS Region
Amazon EC2
instance
Amazon EBS volume

What is Amazon EBS?
• Volumes attach to one instance
• Many volumes can attach to an instance
• Separate boot and data volumes
Availability Zone
AWS Region
Amazon EC2
instance
EBS volume EBS volume EBS volume

Amazon EBS volume types
Hard disk drives (HDD)Solid-state drives (SSD)

Amazon EBS volume types
HDDSSD
Provisioned
IOPS SSD
io1
General
Purpose SSD
gp2
Throughput
Optimized HDD
st1 sc1
Cold
HDD

Amazon EBS use cases
HDDSSD
Relational Databases
MySQL, SQL Server,
PostgreSQL, SAP,
Oracle
NoSQL Databases
Cassandra, MongoDB,
CouchDB
Big Data , Analytics
Kafka, Splunk, Hadoop,
Data Warehousing
File / Media
CIFS/NFS, Transcoding,
Encoding, Rendering

Amazon EBS volume types: General Purpose SSD
gp2
Throughput: Up to 250 MiB/s
Latency: Single-digit ms
Capacity: 1 GiB to 16 TiB
Baseline: 100 to 16,000 IOPS; 3 IOPS per GiB
Burst: 3,000 IOPS (for volumes up to 1,000 GiB)
General Purpose SSD
Great for boot volumes, low-latency applications, and bursty databases

Amazon EBS volume types: Provisioned IOPS
io1
Baseline: 100 – 64,000 IOPS
Throughput: Up to 1,000 MiB/s
Latency: Single-digit ms
Ideal for critical applications and databases with sustained IOPS
Provisioned IOPS

Amazon EBS volume types: Throughput Optimized
Baseline: 40 MiB/s per TiB up to 500 MiB/s
Burst: 250 MiB/s per TiB up to 500 MiB/s
Ideal for large-block, high-throughput sequential workloads
st1
Throughput Optimized HDD

Amazon EBS volume types: Cold HDD
Baseline: 12 MiB/s per TB up to 192 MiB/s
Burst: 80 MiB/s per TB up to 250 MiB/s
Ideal for sequential throughput workloads, such as logging and backup
sc1
Cold HDD

Amazon EBS Snapshots
• Copy of Amazon EBS volumes stored on
Amazon S3
• Snapshots are Regional
• First snapshot is a full copy
• Subsequent snapshots are incremental
• Snapshots can be shared / copied
• Create volumes from Snapshots
EC2 instance
EBS volume
Availability Zone Region

Encryption – NVMe Local Instance Storage
Instances: C5d, I3, I3en, F1, M5ad, P3dn.24xlarge, R5d, R5ad,
Z1d
• Drives are always encrypted – cannot be disabled
• You cannot change encryption keys
• Encryption uses XTS-AES-256 block cipher
• Implemented on HW module on instance – keys unique to
each NVMe instance storage device
• Keys destroyed on instance stop/terminate
Instance

Encryption – Amazon EBS
Integrates with Amazon Key Management Service (KMS) –
AES-256 Encryption
Uses Customer Master Keys (CMKs)
Encrypted EBS volume implies the following are
encrypted:
• Data at rest inside the volume
• Data moving between the volume and instance
• Snapshots created from the volume
• Volumes created from such snapshots
Amazon EC2 instance
Amazon EBS volume
Availability Zone

Amazon EBS Volume encryption
Amazon EBS
encryption:
data volumes

Amazon EBS encryption:
data volumes

Create a new AWS KMS master key for Amazon EBS
• Define key rotation policy
• Enable AWS CloudTrail auditing
• Control who can use key
• Control who can administer key

data volumes
RunInstances with custom CMKs

data volumes
RunInstances with custom CMKs
$> aws ec2 run-instances –image-id ami-b42209de –count 1 –
instance-type m4.large –region us-east-1 –block-device-
mappings file://mapping.json
mapping.json
{
"DeviceName": "/dev/sda1",
"Ebs": {
"DeleteOnTermination": true,
"VolumeSize": 100,
"VolumeType": "gp2",
"Encrypted": true,
"kmsKeyID": "arn:aws:kms:us-east-1:012345678910:key/abcd1234-
a123-456a-a12b-a123b4cd56ef"
}
}

Amazon EBS volume 1AWS KMS
Envelope
encryption
Amazon EBS encryption: How it works
EBS
master key
Data key 1
Data key 2
Data key 3
Amazon EBS volume 2
Amazon EBS volume 3

AWS KMS
Envelope
encryption
EBS
master key
Amazon EBS volume 1
Amazon EBS volume 2
Amazon EBS volume 3

AWS KMS
Envelope
encryption
EBS
master key
• Limits exposure risk
• Performance
• Simplifies key management
Amazon EBS volume 1
Amazon EBS volume 2
Amazon EBS volume 3

Amazon EBS Optimized Performance and Encryption
Does choosing encryption reduce Amazon EBS Optimized
Performance?
• Amazon EBS Optimized Performance is the same with and
without encryption for the ‘4’ and ‘5’ family of instances
• In other words, encryption does not reduce the rated
performance of an instance in the ‘4’ or ‘5’ family
EC2 instance
EBS volume
Availability Zone

Amazon EBS snapshot encryption
• Snapshots of encrypted volumes are
automatically encrypted
• Volumes created from encrypted snapshots are
automatically encrypted
• You can encrypt an unencrypted snapshot when you
copy a snapshot
• You can re-encrypt a snapshot you own with a different
key when you copy a snapshot
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

Snapshots different from volumes / instance storage
Snapshots can be shared across accounts
Snapshots can be copied across accounts
Snapshots can be copied within accounts
Snapshots can be copied across regions
Snapshots are used to create AMIs
EC2 instance
EBS volume
Availability Zone
Region

Sharing Snapshots and AMIs
aws ec2 describe-snapshot-attribute --snapshot-id snap-00d820abc6be8d639 --attribute
createVolumePermission
aws ec2 modify-snapshot-attribute --snapshot-id snap-00d820abc6be8d639 --attribute
createVolumePermission
{
"SnapshotId": "snap-00d820abc6be8d639",
"CreateVolumePermissions": []
}

Public sharing: Reasonable use case for AMIs – AWS Marketplace AMIs
Share non-AMI snapshots with specific accounts
To launch a volume from a snapshot, you need a copy of snapshot in-region

Copy Snapshots across regions
AWS Region
Amazon EBS
snapshot
Availability Zone
Amazon EBS
volume
Amazon
S3
AWS Region
Amazon EBS
snapshot
Availability Zone
Amazon EBS
volume

Copy Snapshots
Amazon S3 Encryption protects snapshots in-transit during
the copy operation
Unencrypted snapshots can be encrypted during copy
Encrypted snapshots can be re-encrypted during copy
First copy across regions is a full copy
Snapshots are incremental after first copy
- Same CMK needed on both ends to support incremental copies

Copy Snapshots: encrypt or re-encrypt
aws ec2 copy-snapshot --source-snapshot-id
snap-010bb9c48a9a4c237 --destination-region
us-west-1 --encrypted --kms-key-id
key/1234abcd-12ab-34cd-56ef-1234567890ab

Copy Snapshots across regions
Copy Snapshots across accounts across
regions
Lock down resource level permissions on
target snapshot copy
Multi-region = Protection against regional
events
Permission lock down = malicious or
unintentional deletes of data
Availability Zone
Region Region

Three new features to make encryption easier
• Launch encrypted volumes from unencrypted snapshots / AMIs
• Launch volumes encrypted with different CMK from encrypted snapshots / AMIs
• Share snapshots encrypted with custom CMKs across accounts
• Encryption By Default for EBS for an account in a region with a single setting

Previously ...
Unencrypted
Snapshot / AMI
Encrypted Snapshot
/ AMI
Encrypted Amazon
EBS Volumes
Copy and encrypt Create volume

Now ...
Unencrypted
Snapshot / AMI
Encrypted Amazon
EBS Volumes
Launch encrypted volume

How to do this

How to do this
aws ec2 create-volume --snapshot-
id snap-010bb9c48a9a4c237 --
availability-zone us-west-2a --
encrypted --volume-type gp2

Benefits
Simple: Single step to launch encrypted volumes
Compatible: Enables introducing encryption even while using unencrypted AMIs
Saves time
Less cost – no need to create and save copies of snapshots for launch

Previously ...
Snapshot / AMI
encrypted with
custom CMK
Copy snapshots
across accounts
Account 1 Account 2 Account 1 Account 2
Create
Volumes
Account 1 Account 2

Now ...
Snapshot / AMI
encrypted with
custom CMK
Share snapshots across accounts

How to do this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:CreateGrant",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-east-
1:<111111111111>:key/<key-id of cmkSource>"
]
}
]
}

How to do this
$> aws ec2 run-instances
--image-id ami-XXXXX
--count 1
--instance-type m4.large
--region us-east-1
--subnet-id subnet-aec2fc86
--key-name 2016KeyPair
--security-group-ids sg-f7dbc78e
subnet-id subnet-aec2fc86
--block-device-mappings
file://mapping.json
[
{
"DeviceName": "/dev/xvda",
"Ebs": {
"Encrypted": true,
"KmsKeyId":
"arn:aws:kms:us-east-
1:<999999999999>:key/<abcd1234-a123-
456a-a12b-a123b4cd56ef>"
}
}
]

Benefits
Simple: Single step to launch encrypted volumes from snapshots encrypted by
custom CMK
Saves time
Less cost – no need to create and save copies of snapshots for launch

Previously …
Unencrypted
Snapshot / AMI
Copy snapshots
across accounts
Create
Volumes
Account 1 Account 2

Now ...
Unencrypted
Snapshot / AMI
Share snapshots across accounts

Previously …
Region
Set IAM policies
Account 1
Region
Account 1

Now …
Region
Account Level Regional Setting
Account 1
Region
Account 1

Benefits
Simple: Easy to ensure compliance without change to workflows
Compatible: Enables introducing encryption even while using unencrypted
snapshots and AMIs

Account Level EncryptionMonitor access
In Closing …

Thank you!
Ashish Palekar
@logicalblock

Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019

Semelhante a Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019 (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019