Protect your Data on AWS using the Encryption method.pdf
0 likes34 views
The document discusses data protection on AWS through various encryption methods, emphasizing the importance of managing encryption keys and ensuring compliance with regulations like GDPR. It covers different encryption types, including server-side, client-side, and methods using AWS Key Management Service (KMS). Additionally, it highlights the importance of understanding IAM policies, the various types of EBS volumes, and AWS compliance certifications.
Protect your Data on AWS using the Encryption method.pdf
- 1. Protect your Data on AWS using the Encryption method
- 2. About Speaker Liudmyla Dziubynska CTO at Zenbit Tech Expert in full-stack development and AWS Proficient in modern technologies including ReactJS, NodeJS, GraphQL, TypeScript In-depth knowledge of cloud cost optimization techniques and strategies Proven experience in cloud migration and deployment Skilled in cloud security and data management Familiar with cloud monitoring and analytics tools, such as Amazon CloudWatch Knowledge of cloud resource management tools, such as AWS Auto Scaling or Kubernetes Experienced with cloud-based storage solutions, such as Amazon S3 or Google Cloud Storage
- 3. Encryption on flight protect against MITM (man in the middle atack) Encryption types Encryption on flight (ssl) 1. Data encrypted before sending to server and decrypted on server side Ssl certificates help with encryptions
- 4. Encryption and decryption key should be managed somewhere It stored in encrypted format thanks to the key Decrypted before send back to client Encryption types 2. Server-side encryption on rest Data is encrypted by received by server
- 5. Could leverage Envelope encryption Encryption types 3. Client-side encryption Decrypted on the client side, never decrypted by server-side
- 6. AWS KMS It fully integrated with IAM for authorisation You can audit KMS API calls with Cloud Trail KMS manage encryption key for us 01 Symetryc(AES-256) 02 Asymmetric(RSA&ECC keypairs) KMS key types:
- 7. AWS managed key (free to use) - aws/serwise-name, example aws/rds Customer manage key (CMK) - 1$/m CMS imported(should be 256 symmetric key) - 1$/m 3 types of KMS keys:
- 8. Default - created if you dont provide custom policy, default give access to everyone in your account to access the key KMS Policies If you will not provide right policy KMS key will not be accesseble Custom - define users, roles who can have accessto key, define who can administer the key
- 9. EBS gp2/gp3 (SSD): General purpose SSD volume that balances price and performance for a widevarietyofworkloads iol / io2 (SSD): Highest-performance SSD volume for mission-critical low-latency or high-throughputworkloads stl (HDD): Low cost HDD volume designed for frequently accessed, throughput-intensive workloads scl (HDD): Lowest cost HDD volume designed forlessfrequentlyaccessedworkloads EBS Volumes come in 6 types
- 10. Data at rest is encrypted inside the volume All the data in flight moving between the instance and the volume is encrypted All snapshots are encrypted All volumes created from the snapshot Encryption and decryption are handled transparently WhenyoucreateanencryptedEBSvolume,you getthefollowing: Create an EBS snapshot of the volume Encrypt the EBS snapshot ( using copy) Create new ebs volume from the snapshot ( the volume will also be encrypted) Attach the encrypted volume to the original instance StepstoencryptanunencryptedEBSvolume: EBS Encryption
- 11. 01 Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) - Encrypts S3 objects using keys handled,managed,andownedbyAWS 03 02 04 S3 encryption Client-SideEncryption Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS) - Leverage AWS Key Management Service(AWSKMS)tomanageencryptionkeys Server-Side Encryption with Customer-Provided Keys (SSE-C) - When you want to manage your ownencryptionkeys
- 12. Amazon S3 Encryption — SSE-S3 User HTTP(S) + Header *Encryptionusingkeyshandled,managed,andownedbyAWS *Objectisencryptedserver-sidebyAWS *EncryptiontypeisAES-256 *Mustsetheader"x-amz-server-side-encryption":"AES256" Object S3 Owner Key Encryption S3 Bucket Amazon S3
- 13. Amazon S3 Encryption — SSE-KMS HTTP(S) + Header User *EncryptionusingkeyshandledandmanagedbyAWSKMS(KeyManagementService) *KMSadvantages:usercontrol+auditkeyusageusingCloudTrail *Objectisencryptedserverside *Mustsetheader"x-amz-server-side-encryption":"aws:kms" Object KMS Key Encryption S3 Bucket AWS KMS Amazon S3
- 14. If you use SSE-KMS, you may be impacted by the KMS limits When you download, it calls the Decrypt KMS API Count towards the KMS quota per second (5500, 10000, 30000 req/s based on region) SSE-KMS Limitation When you upload, it calls the GenerateDataKey KMS API
- 15. Amazon S3 Encryption — SSE-C User HTTPSONLY *Server-SideEncryptionusingkeysfullymanagedbythecustomeroutsideofAWS *AmazonS3doesNOTstoretheencryptionkeyyouprovide *HTTPSmustbeused *EncryptionkeymustprovidedinHTTPheaders,foreveryHTTPrequestmade Object Client-Provided Key Encryption S3 Bucket Amazon S3 upload + Key in Header
- 16. Amazon S3 Encryption — Client-Side Encryption *UseclientlibrariessuchasAmazonS3Client-SideEncryptionLibrary *ClientsmustencryptdatathemselvesbeforesendingtoAmazonS3 *ClientsmustdecryptdatathemselveswhenretrievingfromAmazonS3 *Customerfullymanagesthekeysandencryptioncycle Encryption File S3 Bucket Amazon S3 Client Key HTTP(S) File (Encrypted) upload
- 17. When it comes to encryption in AWS, compliance is a critical consideration. The GDPR does not specify a particular type of encryption that organizations must use. Instead, the GDPR requires that organizations implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the processing of personal data. AWS offers a range of compliance certifications, including SOC 2, SOC 3, ISO 27001, PCI DSS, HIPAA, and many others. Compliance considerations
- 18. Join our Cloud Solutions Hub LinkedIn Group! Contact us We will be glad to answer on any questions! Liudmyla Dziubynska CTO at Zenbit Tech Scan the QR-Code to get Lyudmila's contacts and link to our Cloud Solutions Hub LinkedIn Group!