Security - Protecting data at rest and at transit Flashcards
1
Q
At rest - Considerations
A
- There are two ways to protect data at rest:
  - Access permissions such as bucket policies, user policies, or ACLs
  - Encryption: requires access to a key to encrypt and decrypt the data. If the key is lost, so is the data
- Key material is random secret data. It can be used to know how that material was generated
- Key administrators can manage the key but don’t have permissions to use it. However, they can grant themselves permission to use it
2
Q
At rest - S3 Encryption types
A
- Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
- Server-Side Encryption with KMS keys stored in AWS KMS (SSE-KMS)
- Server-Side Encryption with Customer-Provided Keys (SSE-C): you manage the keys and S3 manages the encryption process
- Client-side encryption: you manage the encryption process, keys, and related tools. Objects are encrypted before being uploaded to S3 and decrypted after being downloaded from S3
3
Q
At rest - S3 Access permissions: considerations
A
- Creating a folder or an object requires the same permissions
- A bucket policy is a resource policy
- An IAM user policy can overlap with a bucket policy and vice versa. It’s inline
4
Q
At rest - S3 Access permissions: ways to grant access
A
- By using an ACL. It’s legacy
- Origin access identity (OAI): makes objects accessible only through a CloudFront distribution, not directly
- Grant anonymous access to individual S3 objects, or read permissions to everyone, by using the object’s ACL
- Access is denied when an object’s URL is opened from a browser and there are no read permissions for the public
- On an authenticated request, when clicking the download button in the AWS console, a pre-signed URL is generated. The URL contains the principal’s credentials that allow downloading the object
5
Q
At rest - CloudHSM
A
- It’s a managed hardware device that runs in a VPC, so you can use your HSMs (Hardware Security Modules) to generate and use your own encryption keys
- It’s the only FIPS 140-2 Level 3 solution
- Can be used in scenarios such as:
  - Offloading SSL / TLS processing from web servers
  - Storing private keys and signing certificate requests so that you can act as an issuing CA
- Can back up its data to S3 buckets in the same region by generating a unique Ephemeral Backup Key (EBK) to encrypt the data, and a Persistent Backup Key (PBK) to encrypt that EBK
6
Q
At transit - Ways to encrypt using TLS
A
- Configure application to use TLS: application-dependent configuration. Independent of AWS
- Application load balancer:
  - Configure the AWS application load balancer to use TLS and force all clients to go through the load balancer
  - Needs at least two AZs
  - Choose carefully where to terminate the TLS connection: at the ALB or on the individual instances. If it terminates on the instances, installation and maintenance time increases