Encryption

Data at rest vs. Data in transit

• At rest: data stored or archived on a device

  • On a hard disk, on an RDS instance, in S3 Glacier Deep Archive, etc.

• In transit (in motion): data being moved from one location to another

  • Transfer from on-premises to AWS, EC2 to DynamoDB, etc.

  • In other words, data travelling over the network

• We want to encrypt data in both states to protect it!

• For this we leverage encryption keys

AWS KMS (Key Management Service)

• Anytime you hear “encryption” for an AWS service, it’s most likely KMS

• KMS = AWS manages the encryption keys for us

• Encryption opt-in (you must enable it yourself):

  • EBS volumes: encrypt volumes

  • S3 buckets: Server-side encryption of objects

  • Redshift database: encryption of data

  • RDS database: encryption of data

  • EFS drives: encryption of data

• Encryption automatically enabled:

  • CloudTrail Logs

  • S3 Glacier

  • Storage Gateway

CloudHSM

• KMS => AWS manages the software for encryption

• CloudHSM => AWS provisions encryption hardware

• Dedicated hardware (HSM = Hardware Security Module)

• You manage your own encryption keys entirely (not AWS)

• HSM device is tamper resistant, FIPS 140-2 Level 3 compliance

Types of KMS Keys

• Customer Managed Key:

  • Created, managed and used by the customer; can be enabled or disabled

  • Possibility of a rotation policy (new key material generated every year, old key material preserved so existing ciphertext still decrypts)

  • Possibility to bring your own key material

• AWS Managed Key:

  • Created, managed and used on the customer’s behalf by AWS

  • Used by AWS services (aws/s3, aws/ebs, aws/redshift)

• AWS Owned Key:

  • Collection of CMKs (customer master keys, the older name for KMS keys) that an AWS service owns and manages for use across multiple accounts

  • AWS can use those to protect resources in your account (but you can’t view the keys)

• CloudHSM Keys (custom keystore):

  • Keys generated from your own CloudHSM hardware device

  • Cryptographic operations are performed within the CloudHSM cluster
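The four key types above map onto two fields that the KMS DescribeKey API really returns, KeyManager and Origin, which is how a defender tells them apart when auditing an account. The following is an added example, not code from the page or from AWS; the API responses are constructed samples with made-up key IDs, shaped like the output of boto3's kms.describe_key() and kms.get_key_rotation_status().

```python
"""Classify KMS keys by the types described above and flag customer managed
keys whose yearly rotation is switched off.  Sample data is constructed."""


def classify_key(metadata: dict) -> str:
    """Map DescribeKey's KeyMetadata to a key type.
    AWS owned keys never show up here: they are not visible in your account."""
    manager = metadata.get("KeyManager")   # "AWS" or "CUSTOMER"
    origin = metadata.get("Origin")        # "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM", ...
    if manager == "AWS":
        return "AWS managed key"            # e.g. aws/s3, aws/ebs, aws/redshift
    if origin == "AWS_CLOUDHSM":
        return "CloudHSM key (custom key store)"
    if origin == "EXTERNAL":
        return "Customer managed key (bring-your-own-key material)"
    return "Customer managed key"


def audit_keys(describe_responses: list, rotation_responses: dict) -> dict:
    """Return {KeyId: (key type, rotation enabled)} for the given responses."""
    report = {}
    for resp in describe_responses:
        md = resp["KeyMetadata"]
        rotation = rotation_responses.get(md["KeyId"], {}).get("KeyRotationEnabled")
        report[md["KeyId"]] = (classify_key(md), rotation)
    return report


def keys_needing_rotation(report: dict) -> list:
    """Customer managed keys with KMS-generated material and rotation disabled.
    AWS managed keys are rotated by AWS, so they are not flagged."""
    return sorted(k for k, (kind, rot) in report.items()
                  if kind == "Customer managed key" and rot is False)


# Constructed sample responses (key IDs are placeholders, not real ARNs/IDs)
SAMPLE_DESCRIBE = [
    {"KeyMetadata": {"KeyId": "key-constructed-1", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS"}},
    {"KeyMetadata": {"KeyId": "key-constructed-2", "KeyManager": "AWS", "Origin": "AWS_KMS"}},
    {"KeyMetadata": {"KeyId": "key-constructed-3", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL"}},
    {"KeyMetadata": {"KeyId": "key-constructed-4", "KeyManager": "CUSTOMER", "Origin": "AWS_CLOUDHSM"}},
]
SAMPLE_ROTATION = {
    "key-constructed-1": {"KeyRotationEnabled": False},
    "key-constructed-2": {"KeyRotationEnabled": True},
    "key-constructed-3": {"KeyRotationEnabled": False},
    "key-constructed-4": {"KeyRotationEnabled": False},
}

if __name__ == "__main__":
    for key_id, (kind, rot) in audit_keys(SAMPLE_DESCRIBE, SAMPLE_ROTATION).items():
        print(f"{key_id}: {kind}, rotation={rot}")
    print("needs rotation:", keys_needing_rotation(audit_keys(SAMPLE_DESCRIBE, SAMPLE_ROTATION)))
```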
