KMS, Encryption SDK, SSM Parameter Store Flashcards
help with encryption (HTTPS)
SSL certificates
What does KMS stand for?
Key Management Service
- Anytime you hear “encryption” for an AWS service
- AWS manages encryption keys for us
- Fully integrated with IAM for authorization
- Easy way to control access to your data
KMS (Key Management Service)
Able to audit KMS Key usage using _________?
CloudTrail
KMS Key Encryption also available through ________?
API calls (SDK, CLI)
Encrypted secrets can be stored in the ________?
code / environment variables
KMS Key Types -
* Single encryption key that is used to Encrypt and Decrypt
* AWS services that are integrated with KMS use Symmetric CMKs
* You never get access to the KMS Key unencrypted (must call KMS API to use)
Symmetric (AES-256 keys)
KMS Key Types -
* Public (Encrypt) and Private Key (Decrypt) pair
* Used for Encrypt/Decrypt, or Sign/Verify operations
* The public key is downloadable, but you can’t access the Private Key unencrypted
* Use case: encryption outside of AWS by users who can’t call the KMS API
Asymmetric (RSA & ECC key pairs)
- AWS Owned Keys (free): SSE-S3, SSE-SQS, SSE-DDB (default key)
- AWS Managed Key: free (aws/service-name, example: aws/rds or aws/ebs)
- Customer managed keys created in KMS: $1 / month
- Customer managed keys imported (must be symmetric key): $1 / month
- pay for API call to KMS ($0.03 / 10000 calls)
Types of KMS Keys
- AWS-managed KMS Key: automatic every 1 year
- Customer-managed KMS Key: (must be enabled) automatic every 1 year
- Imported KMS Key: only manual rotation possible using alias
Automatic Key rotation
- Created if you don’t provide a specific KMS Key Policy
- Gives the root user (i.e. the entire AWS account) complete access to the key
Default KMS Key Policy
- Define users, roles that can access the KMS key
- Define who can administer the key
- Useful for cross-account access of your KMS key
Custom KMS Key Policy
5 Steps to Copying Snapshots across accounts
- Create a Snapshot, encrypted with your own KMS Key (Customer Managed Key)
- Attach a KMS Key Policy to authorize cross-account access
- Share the encrypted snapshot
- (in target) Create a copy of the Snapshot, encrypt it with a CMK in your account
- Create a volume from the snapshot
- Identical KMS keys in different AWS Regions that can be used interchangeably
- They have the same key ID, key material, automatic rotation…
KMS Multi-Region Keys
- Encrypt in one Region and decrypt in other Regions
- No need to re-encrypt or make cross-Region API calls
KMS Multi-Region Keys
- They are NOT global (Primary + Replicas)
- Each one is managed independently
KMS Multi-Region Keys
global client-side encryption, encryption on Global DynamoDB, Global Aurora
KMS Multi-Region Keys
We can encrypt specific attributes client-side in our DynamoDB table using the ___________?
Amazon DynamoDB Encryption Client
READ EVERYTHING
* Combined with Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the DynamoDB Global table, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee decryption only if the client has access to an API key
DynamoDB Global Tables and KMS Multi-Region Keys Client-Side encryption
READ EVERYTHING
* We can encrypt specific attributes client-side in our Aurora table using the AWS Encryption SDK
* Combined with Aurora Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the Global Aurora DB, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee decryption only if the client has access to an API key; we can protect specific fields even from database admins
Global Aurora and KMS Multi-Region Keys Client-Side encryption
READ EVERYTHING
- Unencrypted objects and objects encrypted with SSE-S3 are replicated by default
- Objects encrypted with SSE-C (customer provided key) are never replicated
- For objects encrypted with SSE-KMS, you need to enable the option
- Specify which KMS Key to encrypt the objects within the target bucket
- Adapt the KMS Key Policy for the target key
- An IAM Role with kms:Decrypt for the source KMS Key and kms:Encrypt for the target KMS Key
- You might get KMS throttling errors, in which case you can ask for a Service Quotas increase
- You can use multi-region AWS KMS Keys, but they are currently treated as independent keys by Amazon S3 (the object will still be decrypted and then encrypted)
S3 Replication
Encryption Considerations
- AMI in Source Account is encrypted with KMS Key from Source Account
- Must modify the image attribute to add a Launch Permission which corresponds to the specified target AWS account
- Must share the KMS Keys used to encrypt the snapshot the AMI references with the target account / IAM Role
- The IAM Role/User in the target account must have the permissions to DescribeKey, ReEncrypt, CreateGrant, Decrypt
- When launching an EC2 instance from the AMI, optionally the target account can specify a new KMS key in its own account to re-encrypt the volumes
AMI Sharing Process Encrypted via KMS
- Secure storage for configuration and secrets
- Optional Seamless Encryption using KMS
- Serverless, scalable, durable, easy SDK
- Version tracking of configurations / secrets
- Security through IAM
- Notifications with Amazon EventBridge
- Integration with CloudFormation
SSM Parameter Store
What are the 2 types of parameter tiers?
Standard
Advanced
Total number of parameters allowed (per AWS account and Region)
Standard - 10,000
Advanced - 100,000
Maximum size of a parameter value
Standard - 4KB
Advanced - 8KB
Parameter policies available
Standard - No
Advanced - Yes
Cost
Standard - No additional charge
Advanced - Charges Apply
Storage Pricing
Standard - Free
Advanced - $0.05 per advanced parameter per month
- Allows assigning a TTL to a parameter (expiration date) to force updating or deleting sensitive data such as passwords
- Can assign multiple policies at a time
Parameters Policies (for advanced parameters)
- Newer service, meant for storing secrets
- Capability to force rotation of secrets every X days
- Automate generation of secrets on rotation (uses Lambda)
- Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
- Secrets are encrypted using KMS
- Mostly meant for RDS integration
AWS Secrets Manager
- Replicate Secrets across multiple AWS Regions
- Secrets Manager keeps read replicas in sync with the primary Secret
- Ability to promote a read replica Secret to a standalone Secret
AWS Secrets Manager – Multi-Region Secrets
multi-region apps, disaster recovery strategies, multi-region DB…
AWS Secrets Manager – Multi-Region Secrets
Easily provision, manage, and deploy TLS Certificates
AWS Certificate Manager (ACM)
Provide in-flight encryption for websites (HTTPS)
AWS Certificate Manager (ACM)
Supports both public and private TLS certificates
AWS Certificate Manager (ACM)
Free of charge for public TLS certificates
AWS Certificate Manager (ACM)
Automatic TLS certificate renewal
AWS Certificate Manager (ACM)
Integrations with (load TLS certificates on)
* Elastic Load Balancers (CLB, ALB, NLB)
* CloudFront Distributions
* APIs on API Gateway
AWS Certificate Manager (ACM)
Can you use ACM with EC2?
NO
What does ACM stand for?
AWS Certificate Manager
4 steps to ACM – Requesting Public Certificates?
- List domain names to be included in the certificate
* Fully Qualified Domain Name (FQDN): corp.example.com
* Wildcard Domain: *.example.com
- Select Validation Method: DNS Validation or Email validation
* DNS Validation is preferred for automation purposes
* Email validation will send emails to contact addresses in the WHOIS database
* DNS Validation will leverage a CNAME record to DNS config (ex: Route 53)
- It will take a few hours to get verified
- The Public Certificate will be enrolled for automatic renewal
* ACM automatically renews ACM-generated certificates 60 days before expiry
With ACM – Importing Public Certificates, what is the policy with renewals?
No automatic renewal, must import a new certificate before expiry
ACM sends daily expiration events starting _________ prior to expiration
45 days
With ACM sending out daily expiration events, can you configure the number of days?
YES
Where do the ACM daily expiration events appear?
EventBridge
___________ has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days)
AWS Config
- Protects your web applications from common web exploits (Layer 7)
- Layer 7 is HTTP (vs Layer 4 is TCP/UDP)
- Deploy on
- Application Load Balancer
- API Gateway
- CloudFront
- AppSync GraphQL API
- Cognito User Pool
AWS WAF – Web Application Firewall
- Define Web ACL (Web Access Control List) Rules:
- IP Set: up to 10,000 IP addresses – use multiple Rules for more IPs
- HTTP headers, HTTP body, or URI strings – protects from common attacks: SQL injection and Cross-Site Scripting (XSS)
- Size constraints, geo-match (block countries)
- Rate-based rules (to count occurrences of events) – for DDoS protection
- Web ACLs are Regional except for CloudFront
- A rule group is a reusable set of rules that you can add to a web ACL
AWS WAF – Web Application Firewall
WAF _________ support the Network Load Balancer (Layer 4)
does not
We can use _____________ for fixed IP and WAF on the ALB
Global Accelerator
Distributed Denial of Service – many requests at the same time
DDoS
- Free service that is activated for every AWS customer
- Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/layer 4 attacks
AWS Shield Standard
- Optional DDoS mitigation service ($3,000 per month per organization)
- Protect against more sophisticated attacks on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
- 24/7 access to the AWS DDoS Response Team (DRT)
- Protect against higher fees during usage spikes due to DDoS
- The automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks
AWS Shield Advanced:
- Manage rules in all accounts of an AWS Organization
- Security policy: common set of security rules
- WAF rules (Application Load Balancer, API Gateways, CloudFront)
- AWS Shield Advanced (ALB, CLB, NLB, Elastic IP, CloudFront)
- Security Groups for EC2, Application Load Balancer and ENI resources in VPC
- AWS Network Firewall (VPC Level)
- Amazon Route 53 Resolver DNS Firewall
- Policies are created at the region level
- Rules are applied to new resources as they are created (good for compliance) across all and future accounts in your Organization
AWS Firewall Manager
are used together for comprehensive protection
WAF
Shield
Firewall Manager
Define your _________ rules in WAF
Web ACL
For granular protection of your resources, ___________ alone is the correct choice
WAF
If you want to use AWS WAF across accounts, accelerate WAF configuration, automate the protection of new resources, use _______________
Firewall Manager with AWS WAF
adds additional features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting.
Shield Advanced
If you’re prone to frequent DDoS attacks, consider purchasing _________________
Shield Advanced
- Web Application delivery at the edge
- Protect from DDoS Common Attacks (SYN floods, UDP reflection…)
BP1 – CloudFront
- Access your application from the edge
- Integration with Shield for DDoS protection
- Helpful if your backend is not compatible with CloudFront
BP1 – Global Accelerator
- Domain Name Resolution at the edge
- DDoS Protection mechanism
BP3 – Route 53
- Protect Amazon EC2 against high traffic
- That includes using Global Accelerator, Route 53, CloudFront, Elastic Load Balancing
Infrastructure layer defense (BP1, BP3, BP6)
Helps scale in case of sudden traffic surges including a flash crowd or a DDoS attack
Amazon EC2 with Auto Scaling (BP7)
Elastic Load Balancing scales as traffic increases and will distribute the traffic to many EC2 instances
Elastic Load Balancing (BP6)
- CloudFront caches static content and serves it from edge locations, protecting your backend
- AWS WAF is used on top of CloudFront and Application Load Balancer to filter and block requests based on request signatures
- WAF rate-based rules can automatically block the IPs of bad actors
- Use managed rules on WAF to block attacks based on IP reputation, or block anonymous IPs
- CloudFront can block specific geographies
Detect and filter malicious web requests (BP1, BP2)
Shield Advanced automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks
Shield Advanced (BP1, BP2, BP6)
Using CloudFront, API Gateway, Elastic Load Balancing to hide your backend resources (Lambda functions, EC2 instances)
Obfuscating AWS resources (BP1, BP4, BP6)
- Use security groups and NACLs to filter traffic based on specific IP at the subnet or ENI-level
- Elastic IP are protected by AWS Shield Advanced
Security groups and Network ACLs (BP5)
- Hide EC2, Lambda, elsewhere
- Edge-optimized mode, or CloudFront + regional mode (more control for DDoS)
- WAF + API Gateway: burst limits, headers filtering, use API keys
Protecting API endpoints (BP4)
AWS Best Practices for DDoS Resiliency Edge Location Mitigation (BP1, BP3)
BP1 – CloudFront
BP1 – Global Accelerator
BP3 – Route 53
AWS Best Practices for DDoS Resiliency Best practices for DDoS mitigation
Infrastructure layer defense (BP1, BP3, BP6)
Amazon EC2 with Auto Scaling (BP7)
Elastic Load Balancing (BP6)
AWS Best Practices for DDoS Resiliency Application Layer Defense
Detect and filter malicious web requests (BP1, BP2)
Shield Advanced (BP1, BP2, BP6)
AWS Best Practices for DDoS Resiliency Attack surface reduction
Obfuscating AWS resources (BP1, BP4, BP6)
Intelligent Threat discovery to protect your AWS Account
Amazon GuardDuty
Uses Machine Learning algorithms, anomaly detection, 3rd party data
Amazon GuardDuty
One click to enable (30 days trial), no need to install software
Amazon GuardDuty
- Input data includes:
- CloudTrail Events Logs – unusual API calls, unauthorized deployments
* CloudTrail Management Events – create VPC subnet, create trail, …
* CloudTrail S3 Data Events – get object, list objects, delete object, …
- VPC Flow Logs – unusual internal traffic, unusual IP address
- DNS Logs – compromised EC2 instances sending encoded data within DNS queries
- Optional Features – EKS Audit Logs, RDS & Aurora, EBS, Lambda, S3 Data Events…
Amazon GuardDuty
Can setup EventBridge rules to be notified in case of findings
Amazon GuardDuty
EventBridge rules can target AWS Lambda or SNS
Amazon GuardDuty
Can protect against CryptoCurrency attacks (has a dedicated “finding” for it)
Amazon GuardDuty
- Automated Security Assessments
- For EC2 instances
* Leveraging the AWS Systems Manager (SSM) agent
* Analyze against unintended network accessibility
* Analyze the running OS against known vulnerabilities
- For Container Images pushed to Amazon ECR
* Assessment of Container Images as they are pushed
- For Lambda Functions
* Identifies software vulnerabilities in function code and package dependencies
* Assessment of functions as they are deployed
- Reporting & integration with AWS Security Hub
- Send findings to Amazon EventBridge
Amazon Inspector
Amazon Inspector evaluates only ………
EC2 instances
Container Images
Lambda functions
Amazon Inspector, continuous scanning of the infrastructure, only ___________
when needed
is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
AWS Macie
helps identify and alert you to sensitive data, such as personally identifiable information (PII)
AWS Macie