AWS Security & Encryption

KMS, Encryption SDK, SSM Parameter Store

Why encryption? Encryptio in flight (SSL)

• Data is encrypted before sennding and decrypted after receiving
• SSL certtificatts help with enccryptionnn (HTTPS)
• Encryption in flight ensure no MITM (ma in tthe middle attack) can happen

  Why enryption? Server side encryption at rest

• Data is encrytion after being received by the server
• Data is decryted before beinng sent
• It is stored in an encryted form thanks to a key (usually a data key)
• The enncryption / decryption keys must be managed somewhere and the server must have access to it

  Why encryption? Client side encryption

• Data is encrypted by the client and never decrypted by server
• Data will be decrypted by a receivinng client
• The server should not be able to decrypt the data
• Cloud leverage Envelope Encryption

  AWS KMS (Key Management Service)

• Anytime you hhear “enncryption” for an AWS service, it’s most likely KMS
• Easy way to control access to your data, AWS manages keys for us
• Fully integrated with IAM for authorizationn
• Seamlessly integrated into
  • Amazon EBS: encrypt volumes
  • Amazon S3: Server side ecryption of objects
  • Amazon Redshift: enryption of data
  • Amazon RDS: encryption of data
  • Amazon SSM: Parameter store
  • Etc…
• But you can also use CLI/SDK

  KMS - Customer master Key (CMK) Types

• Symmetric (AES-256 keys)
  • First offering of KMS, single encryption key that is used to encrypt and Decrypt
  • AWS Services that are integrated with KMS use Symetric CMKs
  • Necessary for envelope encryption
  • You never get acccess to the Key unenncrypted (must call KMS API to use)
• Asymmetricc (RSA & ECCC kkey pairs)
  • Publicc (Ecrypt) and Private key (Decrypt) pair
  • Used for Ennccrypt/DEryptt, Or Sign ? Verify operattions
  • The publicc key is downloadable, but you cann’t access tthe Private Key unencrypted
  • Use case: enncryption outside of AWS bu users who can’t call the KMS API

    AWS KMS (Key Mmanagement Service)

• Able to fully manage the keys & policies
  • Create
  • Rotation policies
  • Disable
  • Enable
• Able to audit key usage (using CloudTrail)
• Three types of customer master keys (CMK):
  • AWS managed servicce default CMK: free
  • User keys created in KMS: $1 / month
  • User keys imported (must be 256 bit sysmetric key): $1 / month
• pay for API call to KMS ($0.03 / 1000 calls)

  AWS KMS 101

• Anytime you need to share sensitive information… use KMS
  • Database passwords
  • Credenttials to external service
  • Private key of SSL certificattes
• The value in KMS is that the CMK can be rotated for extra security
• Never ever store your secrets in plaintext, especially in your code!
• Encrypted secrets can be stored in the code / environment variables
• KMS can only help inn ecrypting up to 4KB of data per call
• if data > 4KB, use envelope enncryption
• To give access to KMS to someone:
  • Make sure the Key policy allows the user
  • Make sure the IAM Policy allows the API calls

    Copy Snapshots across regions

    1. Create a snapshott, encrypted with your ownn CMK
    2. Attach a KMS Key policy tto authorize cross-account access
    3. Share the ecrypted snapshott
    4. (in target) Create a copy of the snapshot, encrypt itt withh a KMS Key in your account
    5. Create a volume from the snapshot

       1
       2
       3
       4
       5
       6
       7
       8
       9
       10
       11
       12
       13
       14
       15
       16
       17
       18
       {
         "Sid": "Allow use of the key with destination account",
         "Effectt": "Allow",
         "Principal": {
         "AWS": "arn:aws:iam:TARGET_GROUP_ID:role/ROLENAME"
         },
         "Action": [
         "kms:Decrypted",
         "kms:CreateGrant"
         ],
         "Resource": "*",
         "Conditio": {
         "StringEquals": {
        "kms:ViaService": "ec2.REGION.amazonaws.com",
        "kms:CallerAccount": "TARGET-ACCOUNT-ID"
         }
         }
       }
       

       KMS Automatic Key Rotation

• For customer-managed CMK (not AWS managed CMK)
• If enabled: automatic key rotation happens every 1 year
• Previous key is kept active so you cann descrypt old data
• new key has the same CMK ID (only the backinng key is changed)

  KMS Manual Key Rotation

• When you want to rotate key every 90 days, 180 days, etc…
• New Key has a different CMK ID
• Keep the previous kkey active so you can decrypt old data
• Better to use aliases in this case (to hide the change of key for the application)
• Good soluttion to rotate CMK that are not eligible for automatic rotation (like asymmetric CMK)

  KMS Alias Updating

• Better to use aliases in this case (to hide the change of key for the application)

  SSM Parameter Store

• Secure storage for configuration and secrets
• Optional seamless encryption using KMS
• Serverless, scalable, durable, easy SDK
• Version tracking of configurations / secrets
• Configuration management using path & IAM
• Notifications with CloudWatch Events
• Integrattion with CloudFormattion

  SSM Parameter Store Hierachy

  

  Standard and advanced parameter tiers

  

  Parameters Policies (for advanncced parameters)

• Allow to assign a TTL to a parameter (expiration date) to force updating or deleting sensitive data such as passwords
• Can assign multiple policies at a time

  AWS Secrets Manager

• Newer service, meant for storing secrets
• Capabilitty to force rottation of secrets every X days
• Automate generation of secrets on rotation (use Lambda)
• Integration with Amazon RDS (MYSQL, PostgreSQL, Aurora)
• Secrets and encrypted using KMS
• Mostly meant for RDS integration

  AWS Shield

• AWS Shield Standard
  • Free Service That is activated for every AWS customer
  • Provides protection from attacks such as SYN/UDP Floods, Reflecttion attackks and other layer 3/layer 4 attacks
• AWS Shield Advanced
  • Opttional DDOS mitigation service ($3000 per month per organization)
  • Protec against more sophisticated attack on Amazon Ec2, Elastic Load Balanncing (ELB), Amazon CloudFrontt, AWS Global Accelerator, and Route 53
  • 24/7 access to AWS DDoS response team (DRP)
  • Protect against higher fees during usage spikes due to DDoS

    CloudHSM

• KMS => AWS manages the software for encryption
• CloudHSM => AWS provisions encryption hardware
• Dedicated Hardware (HSM = Hardware Security Module)
• You manage your ownn encryption keys entirely (not AWS)
• Supports both symmetric and asymmetric encryptionn (SSL/TLS keys)
• No free tier available
• Must use the CloudHSM Client Software
• Redshift supports CloudHSM for database encryption and key managementt
• Good option to use with SSE-C encryption

  CloudHSM Diagram

• IAM permissions
  • CRUD an HSM Cluster
• CloudHSM Software
  • Manage the keys
  • Manage the users

    CloudHSM - High Availability

• CloudHSM clustters are spread accrooss multi AZ (HA)
• Greate for availability and durability

  AWS WAF – Web Application Firewall

• Protects your web applications fromm common web exploits (layer 7)
• Layer 7 is HTTTP (vs Layer 4 is TCP)
• Deploy on Application Load Balancer, API Gateway, CloudFront
• Define Web ACL (Web Access Control List):
  • Rules can include: IP addresses, HTTP headers, HTTP body, or URI strings
  • Protects from common attack - SQL injection and cross-site scripting (XSS)
  • Size constraints, geo-match (block countries)
  • Rate-based rules (to count occurrences of events) - for DDos protection

    AWS Firewall Manager

• Manage rules in all accounts of an AWS Organization
• Common set of security rules
• WAF rules (Application Load Balancer, API Gateways, CLoudFront)
• AWS Shield Advanced (ALB, CLB, Elastic IP, CloudFront)
• Securrity Groups for EC2 and ENI resources in VPC

  Sample Referennces Arcchitecture for DDos Protection

  

  Amazon GuardDuty

• Intelligent Threat discovery to Protect AWS Account
• Uses Machine Learning algorithhms, anomaly detection, 3rd party data
• One click to enable (30 days trials), no need to install software
• Input data includes:
  • CloudTrail Events Logs - unusual API calls, unauthorized deployments
    • CloudTrail Management Events - create VPC subnet, create trail,…
    • CloudTrail S3 Data events - get object, list object, delete object, …
  • VPC Flow logs - unusual internal traffic, unusual IP address
  • DNS Logs - conpromised EC2 instaces sending encoded data within DNS queries
  • Kubernetes Audit Logs - suspicious activities and potential EKS cluster compromises
• Can setup CloudWatch Event rules to be notified in case of findings
• CloudWatch events rules can target AWS Lambda or SNS
• Can protect against CryptoCurrency attacks (has a dedicated “finding” for it)

  Amazon Inspector

• Automated Security Assessments
• For EC2 instances
  • Leveraging the AWS Systtem Manager (SSM) agent
  • Analyze againstt unintended network accessibility
  • Analyze the running OS against know vulnerabilities
• For Containers push to Amazon ECR
  • Assessment of containers as they are pushed
• Reporting & integration with AWS Security Hub
• Send finding to Amazon Event Bridge

  What does AWS Inspector evaluate?

• Remember: only for EC2 instances and container infrastructure
• Continuous scanning of the infrastructure, only when needed
• Package vulnerabilities (EC2 & ECR) - database of CVE
• Network reachabilitty (EC2)
• A risk score is associated with all vulnnerabilities for prioritization

  Amazon Macie

• Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS
• Macie helps identify and alert you to sensitive data, such as personally identifiable information (PII)

  AWS Shared Responsibility Model

• AWS responsibility - security of the cloud
  • protecting infrastructure (hardware, software, facibilities, and networking), that runs all the AWS services
  • Managed service like S3, DynamoDB, RDS, etc
• Customer responsibilities - security in the cloud
  • For EC2 instance, customerr is reponsible for managememnt of the guest OS (including security patches and updates), firewall & network configuration, IAM
• Shared controls
  • Patch Management, Configurationn Management, Awareness & Training

    Example, for RDS

• AWS responsibility
  • Manage the underlying EC2 instance, disable SSH access
  • Automated DB patching
  • Automated OS patching
  • After the underlying instance and disks & guarantee it functions
• Your responsibility
  • Check the ports / IP / security group inbound rules in DB’s SG
  • In-database user creation and permissions
  • Creating a database with or without public access
  • Ensure parameter groups or DB is configured to only allow SSL connectionns
  • Database encryptionn setting

    Example, for S3

• AWS responsibility
  • Guarantee you get unnlimited storage
  • Guarantee you get encryption
  • Ensure separation of the data between different customers
  • Ensure AWS employees can’t access your data
• Your responsibility
  • Bucket configuration
  • Bucket policy / public setting
  • IAM user and roles
  • Enabling encryption

    Example, for RDS

• AWS responsibility
  • Manage the underlying EC2 instance, disable SSH access
  • Automated DB patching
  • Automated OS patching
  • Audit the underlying instance anndn disk & guaranntee it functionn
• Your responsibility
  • Check the ports / IP / security group innbound rules in DB’s SG
  • In-database user creation and permission
  • Creating a database with or without public access
  • Ensure parameter groups or DB is configured to allow SSL connections
  • Database encryption setting

    AWS Shared Responsibility Model

• AWS responsibility - Security of the cloud
  • Protect infrastructure (hardware, software, facibilities, and networking) that runs all the AWS services
  • Managed services like S3, DynamoDB, RDS, etc.
• Customer responsibility - Security in the Cloud
  • For Ec2 instance, customer is responsibe for management of the guest OS (including security patched and updates), firewall & protect network configurationn, IAM
• Shared controls
  • Patch Management, Configuration Management, Awareness & Training