KMS, Encryption SDK, SSM Parameter Store Flashcards
help with encryption (HTTPS)
SSL certificates
What does KMS stand for?
Key Management Service
- Anytime you hear “encryption” for an AWS service
- AWS manages encryption keys for us
- Fully integrated with IAM for authorization
- Easy way to control access to your data
KMS (Key Management Service)
Able to audit KMS Key usage using _________?
CloudTrail
KMS Key Encryption also available through ________?
API calls (SDK, CLI)
Encrypted secrets can be stored in the ________?
code / environment variables
KMS Key Types -
* Single encryption key that is used to Encrypt and Decrypt
* AWS services that are integrated with KMS use Symmetric CMKs
* You never get access to the KMS Key unencrypted (must call KMS API to use)
Symmetric (AES-256 keys)
KMS Key Types -
* Public (Encrypt) and Private Key (Decrypt) pair
* Used for Encrypt/Decrypt, or Sign/Verify operations
* The public key is downloadable, but you can’t access the Private Key unencrypted
* Use case: encryption outside of AWS by users who can’t call the KMS API
Asymmetric (RSA & ECC key pairs)
- AWS Owned Keys (free): SSE-S3, SSE-SQS, SSE-DDB (default key)
- AWS Managed Key: free (aws/service-name, example: aws/rds or aws/ebs)
- Customer managed keys created in KMS: $1 / month
- Customer managed keys imported (must be symmetric key): $1 / month
- pay for API call to KMS ($0.03 / 10000 calls)
Types of KMS Keys
- AWS-managed KMS Key: automatic every 1 year
- Customer-managed KMS Key: (must be enabled) automatic every 1 year
- Imported KMS Key: only manual rotation possible using alias
Automatic Key rotation
- Created if you don’t provide a specific KMS Key Policy
- Gives complete access to the key to the root user (= the entire AWS account)
Default KMS Key Policy
- Define users, roles that can access the KMS key
- Define who can administer the key
- Useful for cross-account access of your KMS key
Custom KMS Key Policy
5 Steps to Copying Snapshots across accounts
- Create a Snapshot, encrypted with your own KMS Key (Customer Managed Key)
- Attach a KMS Key Policy to authorize cross-account access
- Share the encrypted snapshot
- (in target) Create a copy of the Snapshot, encrypt it with a CMK in your account
- Create a volume from the snapshot
- Identical KMS keys in different AWS Regions that can be used interchangeably
- They have the same key ID, key material, automatic rotation…
KMS Multi-Region Keys
- Encrypt in one Region and decrypt in other Regions
- No need to re-encrypt or make cross-Region API calls
KMS Multi-Region Keys
- They are NOT global (Primary + Replicas)
- Each one is managed independently
KMS Multi-Region Keys
global client-side encryption, encryption on Global DynamoDB, Global Aurora
KMS Multi-Region Keys
We can encrypt specific attributes client-side in our DynamoDB table using the ___________?
Amazon DynamoDB Encryption Client
READ EVERYTHING
* Combined with Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the DynamoDB Global table, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee only decryption if the client has access to an API key
DynamoDB Global Tables and KMS Multi-Region Keys Client-Side encryption
READ EVERYTHING
* We can encrypt specific attributes client-side in our Aurora table using the AWS Encryption SDK
* Combined with Aurora Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the Global Aurora DB, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee decryption only if the client has access to an API key; this protects specific fields even from database admins
Global Aurora and KMS Multi-Region Keys Client-Side encryption
READ EVERYTHING
- Unencrypted objects and objects encrypted with SSE-S3 are replicated by default
- Objects encrypted with SSE-C (customer provided key) are never replicated
- For objects encrypted with SSE-KMS, you need to enable the option
- Specify which KMS Key to encrypt the objects within the target bucket
- Adapt the KMS Key Policy for the target key
- An IAM Role with kms:Decrypt for the source KMS Key and kms:Encrypt for the target KMS Key
- You might get KMS throttling errors, in which case you can ask for a Service Quotas increase
- You can use multi-region AWS KMS Keys, but they are currently treated as independent keys by Amazon S3 (the object will still be decrypted and then encrypted)
S3 Replication
Encryption Considerations
- AMI in Source Account is encrypted with KMS Key from Source Account
- Must modify the image attribute to add a Launch Permission which corresponds to the specified target AWS account
- Must share the KMS Keys used to encrypt the snapshot the AMI references with the target account / IAM Role
- The IAM Role/User in the target account must have the permissions to DescribeKey, ReEncrypt, CreateGrant, Decrypt
- When launching an EC2 instance from the AMI, optionally the target account can specify a new KMS key in its own account to re-encrypt the volumes
AMI Sharing Process Encrypted via KMS
- Secure storage for configuration and secrets
- Optional Seamless Encryption using KMS
- Serverless, scalable, durable, easy SDK
- Version tracking of configurations / secrets
- Security through IAM
- Notifications with Amazon EventBridge
- Integration with CloudFormation
SSM Parameter Store
What are the 2 types of parameter tiers?
Standard
Advanced
Total number of parameters allowed (per AWS account and Region)
Standard - 10,000
Advanced - 100,000
Maximum size of a parameter value
Standard - 4KB
Advanced - 8KB
Parameter policies available
Standard - No
Advanced - Yes
Cost
Standard - No additional charge
Advanced - Charges Apply
Storage Pricing
Standard - Free
Advanced - $0.05 per advanced parameter per month
- Allows assigning a TTL to a parameter (expiration date) to force updating or deleting sensitive data such as passwords
- Can assign multiple policies at a time
Parameters Policies (for advanced parameters)
- Newer service, meant for storing secrets
- Capability to force rotation of secrets every X days
- Automate generation of secrets on rotation (uses Lambda)
- Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
- Secrets are encrypted using KMS
- Mostly meant for RDS integration
AWS Secrets Manager
- Replicate Secrets across multiple AWS Regions
- Secrets Manager keeps read replicas in sync with the primary Secret
- Ability to promote a read replica Secret to a standalone Secret
AWS Secrets Manager – Multi-Region Secrets
multi-region apps, disaster recovery strategies, multi-region DB…
AWS Secrets Manager – Multi-Region Secrets
Easily provision, manage, and deploy TLS Certificates
AWS Certificate Manager (ACM)
Provide in-flight encryption for websites (HTTPS)
AWS Certificate Manager (ACM)