Introduction of AWS KMS


Transcript of Introduction of AWS KMS

Page 1: Introduction of AWS KMS

ENCRYPTION WITH AWS KMS

Key Management Service

Page 2: Introduction of AWS KMS

# whoami

DevOps Engineer | Brazilian
Enjoys security and cloud automation

2015 was a big year
au.linkedin.com/in/ricardoxmit

Page 3: Introduction of AWS KMS

What to expect today?

• Understand options for protecting your data
• Understand how KMS works
• Services that KMS is integrated with
• S3 and KMS
• EBS and KMS
• Demo

Page 4: Introduction of AWS KMS

What’s the main problem?

Page 5: Introduction of AWS KMS

Options for encryption

1. Do it yourself
2. AWS Marketplace -> partner solutions
3. Use AWS KMS
4. HSM - Hardware Security Module

Page 6: Introduction of AWS KMS

If you don't use a service to manage your keys…

• Keys that live in config files are exposed
  - Application vulnerabilities, OS vulnerabilities, staff turnover
• It’s hard to track how the keys are being used
• Rotating keys can be painful

Page 7: Introduction of AWS KMS

AWS Key Management Service (KMS)

• Managed service that simplifies creation, control, rotation, and use of encryption keys in your applications
• Integrated with AWS server-side encryption
  • S3, EBS, RDS, Amazon Aurora, Amazon Redshift, WorkMail, Amazon WorkSpaces, CloudTrail, and Amazon Elastic Transcoder

Page 8: Introduction of AWS KMS

"Keys" considerations with any solution

• Where are the keys stored?
• Where are keys used?
• Who has access to the keys?
• How can you make sure keys are being used only by the correct people/applications?

Page 9: Introduction of AWS KMS

Type of keys

• Symmetric key -> same key to encrypt and decrypt.

• Asymmetric key -> public / private key concept.

KMS uses symmetric encryption -> 256-bit AES for the master key

Page 10: Introduction of AWS KMS

Options to encrypt your data using KMS

1. Client-side encryption - you encrypt your data BEFORE it is submitted to the service.

2. Server-side encryption - AWS encrypts data on your behalf AFTER it is received by the service.

Page 11: Introduction of AWS KMS

AWS KMS gives you control

You define who can:
• create a key
• use a key
• enable/disable keys
• audit use of keys using CloudTrail

Page 12: Introduction of AWS KMS

How do I use KMS?

Create keys in KMS
• Give a name and description to the key
• Choose the IAM users and roles that can administer this key
• Choose the IAM users and roles that can use this key to encrypt and decrypt data
• A new policy will be created

Page 13: Introduction of AWS KMS

KMS with EBS

Page 14: Introduction of AWS KMS

KMS with S3

Page 15: Introduction of AWS KMS

Considerations about KMS

• Keys are regional. Re-encrypt your data when you move data between regions.

• Direct encryption is limited to 4 KB of data to optimize latency.

• Use envelope encryption with data keys for larger messages.

Page 16: Introduction of AWS KMS

DEMO