
Crypto Options in AWS


Page 1: Crypto Options in AWS

© Amazon.com, Inc. and its affiliates. All rights reserved.

Crypto-Options on AWS

Bertram Dorn – Specialized Solutions Architect, Security/Compliance, Network/Databases

Amazon Web Services EMEA

Page 2: Crypto Options in AWS

Agenda

• Theory
• Options

Page 3: Crypto Options in AWS

The Cryptographic Trinity

Key

Algorithm

Data

If you don’t own all three parts of the solution, your data is not considered to be “hard” encrypted…

Page 4: Crypto Options in AWS

Access to AWS

• Web Interface
• CLI
• SDK
• API

[Diagram: an Admin uses these interfaces, through AWS IAM, to instrument AWS]

All of the AWS APIs are available via SSL/TLS protected endpoints which provide server authentication. AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS, SimpleDB and EC2. IPSec tunnels to VPC are also encrypted. Amazon S3 also offers Server Side Encryption as an option for customers. Customers may also use third-party encryption technologies.

Page 5: Crypto Options in AWS

In Region I:

[Diagram: two AWS Availability Zones (AWS AZ) within one Region]

Page 6: Crypto Options in AWS

In Region II:

[Diagram: four AWS data centres (AWS DC) within one Region]

Page 7: Crypto Options in AWS

Between Regions:

[Diagram: two Regions, each with two Availability Zones, linked over a public network and over the customer WAN via DX (Direct Connect) sites]

Page 8: Crypto Options in AWS

Summary

• Data in transit within an AZ might leave the building
• Data in transit between AZs will leave the building
• Data in transit between AWS Regions or between AWS and customer premises needs to be taken care of, too
• What about devices?
  – Device decommissioning is a primary task for AWS
  – This is fully compliant and audited
  – No device leaves our DCs in a functional state
  – People leaving a DC need to pass through a metal detector

Whatever you do: Encrypt Your Data in Flight

Let’s discuss data at rest

Page 9: Crypto Options in AWS

Discussion Points

• Hard encryption might be excessive, for some purposes
• Find out where you need which kind of encryption – map your view of risk and need
• Think about the lifetime of your data (example: German expiry of use of 3DES and resulting requirement for bulk data re-encryption with stronger algorithm…)
• Sometimes encryption is only there for Compliance reasons…

Work on your data classification. Find balance between your obligation for executive care, cost and complexity.

Page 10: Crypto Options in AWS

But:

Getting data at rest encrypted on AWS is so easy that you should consider a policy:

All data needs to be encrypted at rest!

Page 11: Crypto Options in AWS

AWS services and where we look into today:

[Service map as drawn on the slide]
• Ecosystem: Technology Partners, Consulting Partners, AWS Marketplace
• Containers & Deployment (PaaS): Elastic Beanstalk for Java, Node.js, Python, Ruby, PHP and .Net; OpsWorks; CloudFormation
• Management & Administration: IAM, CloudWatch, CloudTrail, APIs and SDKs, Management Console, Cloud HSM, Command Line Interface
• Networking: Direct Connect, Route 53, VPC
• Analytics: Data Pipeline, Redshift, EMR, Kinesis
• Application Services: SWF, SNS, SQS, CloudSearch, SES, AppStream, CloudFront, WorkSpaces
• Storage: Storage Gateway, S3, EBS, Glacier, Import/Export
• Databases: DynamoDB, ElastiCache, RDS (MySQL, PostgreSQL, Oracle, SQL Server)
• Compute: Elastic Load Balancer, EC2, Auto Scaling
• Infrastructure: Regions, Availability Zones, Content Delivery POPs

Page 12: Crypto Options in AWS

AWS Key Management Service I

• Designed for Scalability and Throughput
• Uses bespoke AWS hardware + software
• Is a multi-tenant service
• Is a regionalized service
• Performs AES256 operations
• API for crypto commands:
  – Key Management
  – Encryption / Decryption
• Customer selects Master Key
• Data Key is transported via envelope encryption
• Services are responsible for the en/de/re-cryption action

[Diagram: Customer Master Key(s) in AWS KMS protect Data Key 1 to Data Key 4, which are used by an Amazon S3 Object, an Amazon EBS Volume, an Amazon Redshift Cluster and a Custom Application respectively]

Page 13: Crypto Options in AWS

AWS Key Management Service II: Reference Architecture

[Diagram: an Application or AWS Service holds a Data Key and an Encrypted Data Key and produces Encrypted Data; the Master Key(s) in the Customer’s Account stay inside the AWS Key Management Service]

1. Application or AWS service client requests an encryption key to use to encrypt data, and passes a reference to a master key under the account.
2. Client request is authenticated based on whether they have access to use the master key.
3. A new data encryption key is created and a copy of it is encrypted under the master key.
4. Both data key and encrypted data key are returned to the client. Data key is used to encrypt customer data and then deleted as soon as is practical.
5. Encrypted data key is stored for later use and sent back to AWS KMS when the source data needs to be decrypted.
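The five steps above as an added example (not AWS code and not from the slides): a toy KMS that keeps master keys to itself and hands out data keys, with an HMAC-based stream cipher standing in for the AES-256 that KMS and the services actually use. The key ids, principals and the `ToyKMS` API are constructed for the example.

```python
import hashlib, hmac, secrets

# Stand-in for the AES-256 that KMS and the services actually use: HMAC-SHA256
# keystream in counter mode plus an HMAC tag (encrypt-then-MAC), standard library only.
def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ToyKMS:
    """Master keys live only here; callers receive data keys, never a master key."""
    def __init__(self):
        self._masters, self._allowed = {}, {}
    def create_key(self, key_id, principals):   # key policy: who may use this master key
        self._masters[key_id] = secrets.token_bytes(32)
        self._allowed[key_id] = set(principals)
    def _authorize(self, principal, key_id):    # step 2
        if principal not in self._allowed.get(key_id, ()):
            raise PermissionError(f"{principal} may not use {key_id}")
    def generate_data_key(self, principal, key_id):   # steps 3 and 4
        self._authorize(principal, key_id)
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._masters[key_id], data_key)
    def decrypt(self, principal, key_id, encrypted_data_key):   # step 5
        self._authorize(principal, key_id)
        return unseal(self._masters[key_id], encrypted_data_key)

def encrypt_object(kms, principal, key_id, plaintext):   # step 1: pass a master key reference
    data_key, encrypted_data_key = kms.generate_data_key(principal, key_id)
    ciphertext = seal(data_key, plaintext)
    del data_key   # step 4: the plaintext data key is dropped as soon as practical
    return {"key_id": key_id, "edk": encrypted_data_key, "ciphertext": ciphertext}

def decrypt_object(kms, principal, obj):   # step 5: send the stored EDK back to KMS
    data_key = kms.decrypt(principal, obj["key_id"], obj["edk"])
    return unseal(data_key, obj["ciphertext"])
```

The stored object carries only the encrypted data key, so whoever holds the ciphertext still needs permission on the master key in KMS to read it.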

Page 14: Crypto Options in AWS

S3 (normal mode)

[Diagram: three AWS Availability Zones]

• Data is sent to S3 encrypted
• S3 stores the data unencrypted
• Data travels unencrypted between AZs
• Enforce https (bucket policy; the Principal element, which a bucket policy requires, was missing on the slide and is added here):

{
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}

Page 15: Crypto Options in AWS

S3 (server-side encryption)

[Diagram: three AWS Availability Zones]

• Data is sent to S3 encrypted
• S3 encrypts data with AWS owned key
• Data travels encrypted between AZs
• Data at rest is encrypted with AWS-owned key
• Enforce at-rest encryption:

{
  "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::YourBucket/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}
  }]
}
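An added example (not from the slides or from AWS) that evaluates the two Deny statements from this slide and the previous one the way S3 applies them to a request context. It implements only the Bool and StringNotEquals operators these policies use; the policy copies, context keys and `is_denied` helper are constructed for the example.

```python
import fnmatch

# The two bucket-policy statements from the slides (Principal added, as a
# bucket policy requires it). Constructed copies for this example.
HTTPS_ONLY = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

SSE_ONLY = {"Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}]}

def _condition_matches(condition, ctx):
    """ctx is the request context S3 evaluates (transport flag, request headers)."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if operator == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif operator == "StringNotEquals":
                # A negated operator is satisfied when the key is absent, which is
                # why the slide's policy also denies a PutObject with no SSE header.
                if have is not None and have == want:
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def is_denied(policy, action, resource, ctx):
    """True if any Deny statement matches the action, the resource and its condition."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, st["Resource"]):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            return True
    return False
```

Both statements name only object ARNs (`bucket/*`), so a bucket-level call such as a listing over plain HTTP is not caught by the first statement; adding the bucket ARN itself to Resource closes that gap.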

Page 16: Crypto Options in AWS

S3 (server-side, user key)

[Diagram: three AWS Availability Zones]

• Data is sent to S3 encrypted
• S3 encrypts data with customer key sent in request
  – The key will be forgotten by AWS immediately
• Data travels encrypted between AZs
• Data at rest is encrypted with customer-owned key
• Customer needs to send key in GET request
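An added example (not code from the slides or from AWS) of the key handling this slide describes: the three SSE-C request headers, the MD5 check S3 performs on arrival, and a constructed model of a service that keeps only a salted HMAC of the key, as the S3 documentation describes, so that the same key must be presented again on GET. The encryption step itself is left out and the body is stored as an opaque blob; `ForgetfulS3` and `key_from_headers` are names made up for the example.

```python
import base64, hashlib, hmac, secrets

def sse_c_headers(key):
    """The three headers every PUT and GET of an SSE-C object must carry."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit AES key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }

def key_from_headers(headers):
    """Server-side check on arrival: decode the key and refuse a corrupted one."""
    if headers.get("x-amz-server-side-encryption-customer-algorithm") != "AES256":
        raise ValueError("400: unsupported algorithm")
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    md5 = base64.b64encode(hashlib.md5(key).digest()).decode()
    if md5 != headers["x-amz-server-side-encryption-customer-key-MD5"] or len(key) != 32:
        raise ValueError("400: key MD5 mismatch or wrong key length")
    return key

class ForgetfulS3:
    """Constructed model of the slide's point: the key is used for one request and
    then forgotten. Per object only a salted HMAC of the key is kept, so a later
    GET can be checked against the key it presents (real S3 also encrypts the body)."""
    def __init__(self):
        self._objects = {}

    def put(self, name, body, headers):
        key = key_from_headers(headers)
        salt = secrets.token_bytes(16)
        self._objects[name] = (salt, hmac.new(salt, key, hashlib.sha256).digest(), body)
        del key  # nothing but the salted HMAC survives the request

    def get(self, name, headers):
        key = key_from_headers(headers)
        salt, tag, body = self._objects[name]
        if not hmac.compare_digest(hmac.new(salt, key, hashlib.sha256).digest(), tag):
            raise PermissionError("403: key differs from the one used at upload")
        return body
```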

Page 17: Crypto Options in AWS

S3 (server-side, user key + KMS)

[Diagram: three AWS Availability Zones; IAM, KMS and the stored Object]

• Data is sent to S3 encrypted
• S3 encrypts data with key sent in request
• Data travels encrypted between AZs
• Data at rest is encrypted with customer-owned key
• Key remains in KMS

Page 18: Crypto Options in AWS

Example

[Diagram: Instance A and Instance B on Amazon EC2 access a bucket object in Amazon S3 through an IAM role, with AWS IAM, AWS KMS and AWS CloudTrail involved]

Page 19: Crypto Options in AWS

S3 (client-side encryption)

[Diagram: three AWS Availability Zones]

• Client encrypts the data locally with a locally held key
• Data is sent to S3 encrypted
• Data travels encrypted between AZs
• Data at rest is encrypted with customer-owned key
• AWS never sees the key

Page 20: Crypto Options in AWS

EBS (normal mode)

[Diagram: two AWS Availability Zones]

• Instance sends data to volume via hypervisor module
  – Module can encrypt or not, depending on customer choice
  – Data travels to the disks and between datacentres, potentially unencrypted
  – Data lives unencrypted on Disk

Page 21: Crypto Options in AWS

EBS (server-side encryption)

[Diagram: two AWS Availability Zones; IAM, KMS and the Volume]

• Instance sends encrypted data over hypervisor to volume
  – Instance OS needs to support encryption
  – Data travels encrypted to the disks and between datacentres
  – Data lives encrypted on Disk
  – AWS owns key/algorithm/data
  – Included in scope of AWS SOC1 report

Page 22: Crypto Options in AWS

CloudHSM

• Tamper-Proof and Tamper-Evident
  – Destroys its stored keys if under attack
• FIPS 140-2 Level 2 certified
• Base position is to be a Keystore
• Can also be used to timestamp documents
• You can send data for encrypt / decrypt
  – Key never leaves the HSM as cleartext
  – Can be used by several commercial software products
  – Can be used by API to access the HSM
• Needs to be backed-up (ideally to HSM on customer premises)
• Can (and should) be combined in HA clusters
• Is NOT a key management system
  – but can work with some third-party ones
• Communicates via:
  – PKCS#11
  – JCE
• Some applications need a “plugin”

Page 23: Crypto Options in AWS

Redshift can use CloudHSM

• When using CloudHSM
  – Redshift gets cluster key from HSM
  – Redshift generates a database key and encrypts it with the cluster key from the CloudHSM
  – Redshift encrypts data with the database key
  – Redshift supports re-encryption

Page 24: Crypto Options in AWS

RDS Crypto Support

• RDS / Oracle can use CloudHSM to store keys for Oracle Wallet
  – So TDE can be HSM-backed
• RDS / MySQL, RDS / Postgres can use KMS to manage keys used to encrypt underlying EBS volumes
  – So all tables are encrypted at rest
• Note that in-memory database contents (once the database has been unlocked) are cleartext
  – RAM encryption is not something AWS has today, but it has been done in other contexts

Page 25: Crypto Options in AWS

VPC VGW

• Hardware IPsec termination points
• Data on the VPC side of the VGW is unprotected by the VGW (no re-encryption)
  – If you need VPN termination with onward re-encryption, use EC2 instances with OpenSWAN or Cisco CRSs instead…
• Uses pre-shared symmetric key
• The Key is a shared one between AWS and the customer

[Diagram: two AWS Availability Zones connected to the Customer]

Page 26: Crypto Options in AWS

Between Regions

[Diagram: two Regions, each with two Availability Zones, linked over a public network and over the customer WAN via DX sites to the Customer DC]

Page 27: Crypto Options in AWS

Others

• Glacier
  – Archives have always been encrypted – this is entirely transparent to the user
  – Glacier keys are AES256
  – AWS holds key/algorithm/data
• Route53
  – Supports signed zones
• ELB
  – Supports SSL termination including onward re-encryption and customer choice of cipher suite (useful post-POODLE)
  – AWS holds keys/algorithm/data
  – Unidirectional trust only (no certificate-based authentication of client to server)
• Import/Export Snowball
  – Uses AES256 inside the Snowball device
  – The Snowball device is equipped with a TPM to protect and authenticate crypto material

Page 28: Crypto Options in AWS

[email protected]

Additional Resources:

http://aws.amazon.com/documentation
http://aws.amazon.com/compliance
http://aws.amazon.com/security

Page 29: Crypto Options in AWS
Page 30: Crypto Options in AWS

HSM Integration for Customer-Only Key

[Sequence diagram with three participants: Web-Server, HSM and Storage. Steps as recovered from the slide:]

1. Client sends a request for secure data storage to the Web-Server
2. Web-Server opens a TLS connection to the HSM (no key held on the Web-Server) and extracts the policy
3. TLS connection to the client, with the TLS handshake offloaded to the HSM
4. HSM generates a temporary asymmetric key pair
5. Public key is sent to the client
6. Client encrypts the data with the public key
7. Encrypted data is sent to the Server
8. Encrypted data is sent to the HSM
9. HSM re-encrypts the data with the symmetric storage key (AES Storage Key)
10. Encrypted data is sent back to the Server
11. Data is stored (Storage)
12. Temporary data and keys are deleted