Security - Protecting data at rest and at transit Flashcards

1
Q

At rest - Considerations

A
  • There are two ways to protect data at rest:
    - Access permissions such as bucket policies, user policies, or ACLs
    - Encryption: requires access to a key to encrypt and decrypt data. If the key is lost, so is the data
  • Key material is a block of random secret data. It can be used to determine how that material was generated
  • Key administrators can manage the key but do not have permission to use it. However, they can grant themselves permission to use it
2
Q

At rest - S3 Encryption types

A
  • Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
  • Server-Side Encryption with KMS keys stored in AWS KMS (SSE-KMS)
  • Server-Side Encryption with Customer-Provided Keys (SSE-C): you manage the keys and S3 manages the encryption process
  • Client-side encryption: you manage the encryption process, keys, and related tools. Objects are encrypted before being uploaded to S3 and decrypted after being downloaded from S3
3
Q

At rest - S3 Access permissions: considerations

A
  • Creating a folder or an object requires the same permissions
  • A bucket policy is a resource policy
  • An IAM user policy can overlap a bucket policy and vice versa. It is inline
4
Q

At rest - S3 Access permissions: ways to grant access

A
  • By using an ACL. This is legacy
  • Origin access identity (OAI): makes objects accessible only through a CloudFront distribution, not directly
  • Grant anonymous access to individual S3 objects, or read permissions to everyone, by using the object’s ACL
  • Access is denied when an object’s URL is entered in a browser and the public has no read permissions
  • On an authenticated request, when clicking the download button in the AWS console, a pre-signed URL is generated. The URL contains the principal’s credentials that allow the object to be downloaded
5
Q

At rest - CloudHSM

A
  • It is a managed hardware device that runs in a VPC, so you can use your own HSMs (Hardware Security Modules) to generate and use your own encryption keys
  • It is the only FIPS 140-2 Level 3 solution
  • Can be used in scenarios such as:
    - Offloading SSL/TLS processing from web servers
    - Storing private keys and signing certificate requests so that you can act as an issuing CA
  • Can back up its data to S3 buckets in the same region by generating a unique Ephemeral Backup Key (EBK) to encrypt the data, and a Persistent Backup Key (PBK) to encrypt that EBK
6
Q

At transit - Ways to encrypt using TLS

A
  1. Configure the application to use TLS: application-dependent configuration, independent of AWS
  2. Application load balancer:
    - Configure the AWS application load balancer to use TLS. Force all clients to go through the load balancer
    - Needs at least two AZs
  • Choose carefully where to terminate the TLS connection: at the ALB or on the individual instances. If it terminates on the instances, installation and maintenance effort increases