Crypto-Options on AWS. Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH

Size: px

Start display at page:

Download "Crypto-Options on AWS. Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH"

Sydney Gardner
5 years ago
Views:

2 Agenda Theory Options

3 The Cryptographic Trinity Key Data Algorithm If you don t own all three parts of the solution, your data is not considered to be hard encrypted

4 In Region I:

5 In Region II: AWS DC AWS DC AWS DC AWS DC

6 Between Regions: Availability Zone Availability Zone Public Availability Zone Availability Zone Region DX Site Customer WAN DX Site Region

7 Summary Data in transit within an AZ might leave the building Data in transit between AZs will leave the building Data in transit between AWS Regions or between AWS and customer premises needs to be taken care of, too Whatever you do: Encrypt Your Data in Flight What about devices? Device decommissioning is a primary task for AWS This is fully compliant and audited No device leaves our DCs in a functional state People leaving a DC need to pass through a metal detector Let s discuss data at rest

8 Discussion Points Hard encryption might be excessive, for some purposes Find out where you need which kind of encryption map your view of risk and need Think about the lifetime of your data (example: German expiry of use of 3DES and resulting requirement for bulk data re-encryption with stronger algorithm ) Sometimes encryption is only there for Compliance reasons Work on your data classification Find balance between your obligation for executive care, cost and complexity

9 But: Getting Data at rest encrypted on AWS is so easy that you should consider a policy: All data need to be encrypted at rest!

AWS services and where we look into today: + Technology Partners Consulting Partners Ecosystem AWS Marketplace Elastic Beanstalk for Java, Node.js, Python, Ruby, PHP and.

10 AWS services and where we look into today: + Technology Partners Consulting Partners Ecosystem AWS Marketplace Elastic Beanstalk for Java, Node.js, Python, Ruby, PHP and.net Containers & Deployment (PaaS) OpsWorks CloudFormation IAM CloudTrail Cloud HSM CloudWatch Management & Administration Management Console APIs and SDKs Command Line Interface Analytics Application Services EMR Redshift Kinesis Data Pipeline CloudFront SNS SQS SES SWF WorkSpaces AppStream CloudSearch Networking VPC Direct Connect Route 53 Compute Storage MySQL, PostgreSQL Databases Oracle, SQL Server EC2 Elastic Load Balancer Auto Scaling S3 EBS Glacier Storage Gateway Import/Export RDS DynamoDB ElastiCache Regions Availability Zones Content Delivery POPs

11 AWS Key Management Service I Designed for Scalability and Throughput Uses bespoke AWS hardware + software Is a multi-tenant service Performs AES256 operations API for crypto command: Key Management Encryption / Decryption Customer selects MasterKey Data Key is transported via envelope encryption Data Key 1 Amazon S3 Object Customer Master Key(s) Data Key 2 Data Key 3 Data Key 4 Amazon EBS Volume Amazon Redshift Cluster AWS KMS Custom Application

AWS Key Management Service II Reference Architecture Encrypted Data Application or AWS Service Data Key + Encrypted Data Key AWS Key Management Service Master Key(s) in Customer s Account 1.

12 AWS Key Management Service II Reference Architecture Encrypted Data Application or AWS Service Data Key + Encrypted Data Key AWS Key Management Service Master Key(s) in Customer s Account 1. Application or AWS service client requests an encryption key to use to encrypt data, and passes a reference to a master key under the account. 2. Client request is authenticated based on whether they have access to use the master key. 3. A new data encryption key is created and a copy of it is encrypted under the master key. 4. Both data key and encrypted data key are returned to the client. Data key is used to encrypt customer data and then deleted as soon as is practical. 5. Encrypted data key is stored for later use and sent back to AWS KMS when the source data needs to be decrypted.

"Statement": [{ "Effect": "Deny, "Action": "s3:*", "Condition": {

13 S3 (normal mode) Data is sent to S3 encrypted S3 stores the data unencrypted Data travels unencrypted between AZs Enforce https: { } "Statement": [{ "Effect": "Deny, "Action": "s3:*", "Condition": { "Bool": { "aws:securetransport": false } }, "Resource": "arn:aws:s3:::bucket/*" ]}

S3 (server-side encryption) Data is sent to S3 encrypted S3 encrypts data with AWS owned key Data travels encrypted between AZs Data at rest is encrypted with AWS-owned key Enforce at-rest

14 S3 (server-side encryption) Data is sent to S3 encrypted S3 encrypts data with AWS owned key Data travels encrypted between AZs Data at rest is encrypted with AWS-owned key Enforce at-rest encryption: { "Statement":[{ "Sid":"DenyUnEncryptedObjectUploads", "Effect":"Deny", "Principal":"*", "Action":"s3:PutObject", "Resource":"arn:aws:s3:::YourBucket/*", "Condition":{ "StringNotEquals":{ "s3:x-amz-server-side-encryption":"aes256" } } } ] }

15 S3 (server-side, user key) Data is sent to S3 encrypted S3 encrypts data with customer key sent in request The key will be forgotten by AWS immediately Data travels encrypted between AZs Data at rest is encrypted with customer-owned key Customer needs to send key in GET request

16 IAM S3 (server-side, user key + KMS) Data is sent to S3 encrypted S3 encrypts data with key sent in request Data travels encrypted between AZs Data at rest is encrypted with customer-owned key Key remains in KMS KMS Object

encrypted Data travels encrypted between AZs Data at

17 S3 (client-side encryption) Client encrypts the data locally with local held key Data is sent to S3 encrypted Data travels encrypted between AZs Data at rest is encrypted with customer-owned key AWS never sees the key

18 EBS (normal mode) Instance sends data to volume via hypervisor module Module can encrypt or not, depending on customer choice Data travels to the disks and between datacentres, potentially unencrypted Data lives unencrypted on Disk

IAM EBS (server-side encryption) Instance sends encrypted data over hypervisor to volume Instance OS needs to support encryption Data travels

19 IAM EBS (server-side encryption) Instance sends encrypted data over hypervisor to volume Instance OS needs to support encryption Data travels encrypted to the disks and between datacentres Data lives encrypted on Disk AWS owns key/algorithm/data Included in scope of AWS SOC1 report KMS Volume

CloudHSM Tamper-Proof and Tamper-Evident Destroys its stored keys if under attack FIPS 140-2 Level 2 certified Base position is to be a Keystore

commercial software products Can be used by API to access the HSM Needs to be backed-up (ideally to HSM on customer premises) Can (and should) be

20 CloudHSM Tamper-Proof and Tamper-Evident Destroys its stored keys if under attack FIPS Level 2 certified Base position is to be a Keystore Can also be used to timestamp documents You can send data for encrypt / decrypt Key never leaves the HSM as cleartext Can be used by several commercial software products Can be used by API to access the HSM Needs to be backed-up (ideally to HSM on customer premises) Can (and should) be combined in HA clusters Is NOT a key management system but can work with some third-party ones Communicates via: PKCS#11 JCE Some applications need a plugin

21 Redshift can use CloudHSM When using CloudHSM Redshift gets cluster key from HSM Redshift generates a database key and encrypts it with the cluster key from the CloudHSM Redshift encrypts data with the database key Redshift supports re-encryption

22 RDS Crypto Support RDS / Oracle can use CloudHSM to store keys for Oracle Wallet So TDE can be HSM-backed RDS / MySQL, RDS / Postgres can use KMS to manage keys used to encrypt underlying EBS volumes So all tables are encrypted at rest Note that in-memory database contents (once the database has been unlocked) are cleartext RAM encryption is not something AWS has today, but it has been done in other contexts

VPC VGW Hardware IPsec termination points Data on the VPC side of the VGW is unprotected by the VGW (no re-encryption) If you need VPN termination with onward

23 VPC VGW Hardware IPsec termination points Data on the VPC side of the VGW is unprotected by the VGW (no re-encryption) If you need VPN termination with onward re-encryption, use EC2 instances with OpenSWAN or Cisco CRSs instead Uses pre-shared symmetric key The Key is a shared one between AWS and the customer Customer

24 Between Regions Public Availability Zone Availability Zone Availability Zone Region Customer WAN Custome r DC Availability Zone Region DX Site DX Site

25 Others Glacier Archives have always been encrypted this is entirely transparent to the user Glacier keys are AES256 AWS holds key/algorithm/data Route53 Supports signed zones ELB Supports SSL termination including onward re-encryption and customer choice of cipher suite (useful post-poodle) AWS holds keys/algorithm/data Unidirectional trust only (no certificate-based authentication of client to server) Import/Export Currently relies on Truecrypt shared secret between customer and AWS for exporting data Truecrypt has not been broken, but it is not longer maintained. Therefore import/export will choose another option

26 Bertram Dorn Amazon Web Services Germany GmbH Additional Ressources:

Werden Sie ein Teil von Internet der Dinge auf AWS. AWS Enterprise Summit 2015 Dr. Markus Schmidberger -

Werden Sie ein Teil von Internet der Dinge auf AWS AWS Enterprise Summit 2015 Dr. Markus Schmidberger - schmidbe@amazon.de Internet of Things is the network of physical objects or "things" embedded with