AWS Key Management
1 like147 views
AWS Key Management Service (KMS) simplifies the creation and control of encryption keys for data encryption, utilizing FIPS 140-2 validated hardware security modules. The AWS Encryption SDK supports various AES encryption options and features data key caching to enhance efficiency in cryptographic operations. Different methods, including server-side and client-side encryption, are available for managing encryption in Amazon S3, allowing customers to select the key management approach that best suits their needs.
AWS Key Management
- 1. Amazon Web Service – Key Management
- 2. AWS Key Management AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses FIPS 140-2 validated hardware security modules to protect the security of your keys.
- 3. Algorithm Suites in the AWS Encryption SDK • The algorithms used in AWS Encryption SDK are the Advanced Encryption Standard (AES) algorithm in known as AES-GCM. • The SDK supports 256-bit, 192-bit, and 128-bit encryption keys. The length of the initialization vector (IV) is always 12 bytes; the length of the authentication tag is always 16 bytes.
- 4. Other supported algorithm suites • AES-GCM with Key Derivation Only The AES-GCM algorithm uses a key derivation function, but lacks the ECDSA signature that provides authenticity and nonrepudiation. • AES-GCM without Key Derivation or Signing The AES-GCM algorithm uses the data encryption key as the AES-GCM encryption key, instead of using a key derivation function to derive a unique key.
- 5. AWS Encryption SDK Programming Languages • Java • Python • Command Line interface
- 6. AWS - Data Key Caching Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one.
- 7. Benefits of Data Caching • It leads to reuse of the data key • It generates the numerous data keys • Your cryptographic operations are unacceptably slow, expensive, limited, or resource-intensive.
- 8. The AWS Encryption SDK helps you to create and manage your data key cache. It provides a Local Crypto Material Cache and a caching cryptographic materials manager that interacts with the cache and enforces security thresholds that you set
- 9. • Plaintext data key • Encrypted data keys (one or more) • Encryption context • Message signing key (if one is used) • Algorithm suite • Metadata, including usage counters for enforcing security thresholds Data key caching stores data keys and related cryptographic materials in a cache. Each entry includes the elements listed below
- 10. Cached Entries for Decryption Requests The entries that are added to a data key cache as a result of a decryption operation include the following elements: • Plaintext data key • Signature verification key (if one is used) • Metadata, including usage counters for enforcing security thresholds
- 11. Encrypt Data without Caching
- 12. Encrypt Data with Caching
- 13. Data Key Caching Example
- 14. Data Encryption in Amazon S3 Cloud storage services such as Amazon S3, the need for encryption is clear. Encrypting data-at-rest in almost any solution has long become best practice, and most IAAS providers offering storage will also offer encryption.
- 15. There are five ways to implement the data encryption in Amazon S3 • Server-Side Encryption with Amazon S3-Managed Keys • Server-Side Encryption with AWS KMS-Managed Keys • Server-Side Encryption with Customer-Provided Keys • Client-Side Encryption with an AWS KMS–Managed Customer Master Key • Client-Side Encryption with a Client-Side Master Key
- 16. Server-Side Encryption with Amazon S3-Managed Keys Server-side encryption with Amazon S3- managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
- 17. Server-Side Encryption with AWS KMS-Managed Keys AWS Key Management Service (AWS KMS) is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. You use AWS KMS via the Encryption Keys section in the IAM console or via AWS KMS APIs to centrally create encryption keys, define the policies that control how keys can be used, and audit key usage to prove they are being used correctly.
- 18. Highlights of SSE-KMS • You can choose to create and manage encryption keys yourself. • The data keys used to encrypt your data are also encrypted and stored alongside the data they protect. • Auditable master keys can be created, rotated, and disabled from the IAM console. • The security controls in AWS KMS can help you meet encryption- related compliance requirements.
- 19. Server-Side Encryption with Customer-Provided Keys Server-side encryption with customer- provided encryption keys (SSE-C) allows you to set your own encryption keys. With the encryption key you provide as part of your request, Amazon S3 manages both the encryption, as it writes to disks, and decryption, when you access your objects.
- 20. Highlights of SSE-C • You must use https protocol service only. • You manage a mapping of which encryption key was used to encrypt which object. Amazon S3 does not store encryption keys. You are responsible for tracking which encryption key you provided for which object.
- 21. Client-Side Encryption with an AWS KMS–Managed Customer Master Key Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, you have the following options: • Use an AWS KMS-managed customer master key • Use a client-side master key
- 22. Thank You……, Presented By; Nantha Kumar Rajasekaren,
- 23. To Follow Me ; Facebook; https://www.facebook.com/profile.php?id=100016683103655 Nantha Kumar Rajasekaren. Twitter ; https://twitter.com/NRajasekaren Nantha Kumar Rajasekaren. LinkedIn; https://www.linkedin.com/in/nantha-kumar-rajasekaren-502211148/ Nantha Kumar Rajasekaren.