Amazon AWS SysOps – Security and Compliance for SysOps part 4

9. KMS Overview + Encryption in Place

Okay, so now let’s talk about Kms. And Kms is for key management service. So anytime you hear encryption in an AWS service, most likely this will involve Kms. And Kms is an easy way to control access to your data. And the data is going to be encrypted by keys and AWS, Kms will manage this key for us. So, Kms is a store, we have some control over it, but some things we cannot do with this store. And so that’s how the security comes from. So Kms is fully integrated with IAM for authorization. So basically we’re saying, okay, this application can access this key through IAM. And so if it can access this key, then it can encrypt or decrypt this data.

So Kms, we’ve seen it’s fully integrated with many AWS services, such as EBS to encrypt volumes S three to do service, side encryption of objects, redshift if you want to encrypt data RDS again to encrypt data SSM will see this in the future lecture for parameter store, et cetera, et cetera, et cetera. Pretty much every AWS service is integrated in some ways with Kms, but we can also use the Cln SDK to perform encryption on our side. And we’ll see this in the next lecture as we do a hands on So as a 101. Basically, when you think about something, you say, okay, I need to share sensitive information with someone. With an application, you need to use Kms.

That sensitive information may be database passwords, credentials to external service, a private key of an SSL certificate, basically anything that is sensitive. And so the value in Kms is that the customer master key Cmk that will be used to encrypt your data, you can never retrieve it, you can never see what it is. And the Cmk is managed by Kms, Kms on top of it. Kms can rotate your Cmk and make it change quite often. So the idea is that you are going to use Kms to encrypt and decrypt your data, and you never get to get to see the key itself. Now we’ll see in the diagram what that looks like to make it a bit simpler. But for now, you know this. You should not ever store your secrets in plain text, especially in your code.

So the idea is that you would send your secrets beforehand to Kms to encrypt them, and then your encrypted secrets could definitely be stored in your code or your environment variables. And then no one can decrypt these secrets unless they have access through IAM to decrypt it with Kms. And so Kms though, can only help in encrypting up to 4 data per call. And so this is super important to understand this. Kms can only encrypt up to four kilobyte of data, because the exam will ask you, hey, we want to encrypt 1 data, how do we do it? Well, the answer is if your data is greater than 4 KB, we can still use Kms, but we have to use a technique called envelope encryption.

Now, envelope encryption is something I will deal with in two lectures from now. So forget about it. Just know that Kms for now can help encrypting 4 data maximum. So a database, password, credentials, SSL certificates, all these things should be less than 4 data. So we can directly use Kms to encrypt and decrypt things. Now, if you want to give access to Kms to someone, you make sure that the key policy allows the user and the IAM policy allows the API call. So Kms, what does it give us? Really? It gives us the ability to manage the keys and the policies. We can create keys, we can rotate keys, we can disable keys and enable keys. So we get full ability to manage these keys, but we never ever see the keys themselves. Now we can audit the key usage using cloud trail. That’s very important.

And there’s three types of Cmk or Customer Master keys you can have in Kms. You can have the AWS managed service default Cmk and that is a free key. And basically, anytime you want to encrypt EBS. Using the default key, this would be using the AWS managed service default Cmk. We’ll see this in the next lecture, how they look like for the user key. If you want to create your own customer master key directly in Kms, you can do that, but it will cost you one dollars per month. And if you wanted to create the keys yourself, you didn’t trust Kms, but then you wanted to put them into Kms for storage. It would also cost you one dollars per month.

On top of it, every time you call Kms for doing an encryption or decryption or any API call, you will have to pay and the cost is 0. 3 for 10,000 calls. That doesn’t seem like much, but if you start encrypting millions of data objects and retrieve them very often, the cost can rise very, very quickly. So let’s be a bit more concrete. And how does Kms work? So Kms has a multitude of APIs and the first two APIs I want to introduce you to in this lecture and we’ll get to practice them in the next lecture is the encrypt and the decrypt API. So here is our client and the client is us. And we’re going to use a Cli or the SDK and we have a secret, for example, a password.

So the password is a small secret, it’s less than 4 KB. So we can use directly the encrypt and the decrypt API here is Kms. And so what we’re going to say is, this guy okay, we want to use the encrypt API. So we send the secret to Kms and we say, by the way, we want to use this Cmk. So this Cmk could be something, a CMK that you’ve imported or created striped within Kms. Kms is okay, I’d love to encrypt your secret. But first I need to check your Im permissions because it will make sure that the client has the permission to encrypt the data using the Cmk we’ve indicated. So it checks. The permission figures out, yes, we do have the right I am permissions.

So Kms within the service will perform the encryption and it will send back to us the encrypted secrets. So now we have the encrypted secret. And as you can see, we just sent something to Kms and it sent us back the encrypted secrets. The encryption itself happened on the Kms side. Now we want to decrypt our secrets. And so we’re the client and we say, hey, would like to decrypt the secret. Let’s use the decrypt API. And by the way, here is the Cmk that enabled the encryption in the first place. Kms says, okay, let’s just check your IAM permissions, making sure you do have access to this Cmk and make sure that you can perform the decrypt API. Yes, you can.

Okay, Kms will decrypt the secret for us and send us back the decrypted secrets. And so, as you can see here, all the encryption and the decryption happen Kms side, and it checks for the IAM permissions. Finally, when you do perform encryption using Kms, you have two ways of doing it. And some ways you have to do a migration. It can be done through a snapshot or a backup. So it includes EBS volumes. And we’ve seen this RDS database, we’ve seen this already. Elastic cage and efs network file system. So if you wanted to encrypt an unencrypted EBS volume or RDS or SDKS or Efs, you would have to do a snapshot first, then encrypt the snapshot and then finally restore as an encrypted volume.

So you need to know this. But one service allows for in place encryption, and that is S Three. That means that if you do turn on a file to be encrypted using Kms all of a sudden from unencrypted to encrypted, then it’s fine. You don’t need to back it up or anything like this. It will happen directly in place on the S Three side. So it’s good to know. It’s really, really good. Important. Because the exam will ask you a few questions around which services must be requiring a migration for encryption and which ones must not. And so, here is the list for migration EBS RDS, elastic Cache, Efs and for in place encryption, s Three. So, hope you enjoyed this lecture. I will see you in the next one. For cloud. Hsm.

10. CloudHSM Overview

So let’s talk about another way of performing encryption in the Cloud, and that is using cloud Hsm. So, Kms, if you use Kms, which is not cloud Hsm, that means that AWS will manage all the software for the encryption. AWS is responsible for performing the encryption, but with cloud Hsm, AWS will only provision the encryption hardware. This the hardware will be dedicated to you. Hsm means hardware security module. And what you have to do is that you manage your own encryption keys entirely, not AWS. So you have more control over your encryption keys in Kms, you don’t manage them in Cloud SM, you get to see them entirely. So why would you do this? Well, maybe you have other security requirements.

And so the cloud Hsm hardware is temporary resistance. That means that no one can touch it. On the AWS side, it’s a hardware, it’s just for you and it’s resistant. Now, if you need to talk compliance, it is this very long compliance called phipps 142, level three compliance. So if you see this in the exam, we need encryption with this kind of compliance level, then cloud SSM is the answer. Now, cloud Hsm cluster is spread across multiple AZ, which makes it highly available, and then it support both symmetric and asymmetric encryption. Asymmetric encryption is more when you have SSL or TLS keys, when you have Https. And so that is something that is not available on Kms. And Kms it’s only symmetric, not asymmetric.

And so that could be also exam question saying we’re looking for an encryption mechanism that is supporting asymmetric encryption. Which one should use Kms or cloud Hsm? The answer is Cloud Hsm. There is no free tier available. So if you start using it, then you have to pay and you must use the cloud Hsm client software. So there is no easy API call to do. So it’s something a little bit different than Kms for sure. Now for the diagram, if you need to remember something, basically your cloud SSM clients talks to cloud SSM service and there’s an encrypted connection between the two. And you manage all the keys in cloud Hsm, but AWS only manages the hardware, which is different than Kms, where AWS manages more.

So let’s do a quick analysis on cloud Hsm versus Kms to make it crystal clear. So the tenancy for Kms it’s multitenant key storage, whereas for cloud Hsm is dedicated to you. So it’s single tenant key storage. So it could be also one of the trick question you can have at the exam. For the keys. On Kms, it’s owned and managed by AWS, not by you, whereas on Hsm you are in full control of your keys. So it’s customer managed for the encryption. Very important, it’s only symmetric on Kms, whereas on cloud Hsm it is symmetric and asymmetric. Now, to be very, very detailed, is there cryptographic acceleration on Kms? No, but on Cloud Hsm yes. SSL TLS and Oracle Tde.

And then for key storage and management, kms can be accessible from multiple regions and it’s centralized management from IAM and its own console, actually, as we will see in next lecture. Whereas for Cloud Hsm it’s in your Vpc and then it can only be used on other Vpc using Vpc peering. So it’s more of an appliance, it’s more of a software. Now, is it available for the feature Kms? Yes. Cloud Hsm no. So I hope that makes sense. Basically, remember, the main difference is going to be around asymmetric encryption and this kind of tenancy, one customer only and also the requirements for compliance. This fips 142 level three. And that’s it. That’s all you need to remember. We’ll just get to see them very quickly in the next lecture at a high level. So see you in the next lecture.

11. KMS + CloudHSM Hands On

Okay, so for AWS, the first thing we have to do is look at the Kms console. And so it used to be through IAM you could manage Kms, but now there is a dedicated Kms console. So why don’t we have a look at it right away? This way we’ll know for sure. Ready for the future? And so when you get to Kms, you get AWS managed keys, which is basically the keys that are managed for each service. So s three RDS EBS etc. These are all keys that are managed by AWS and you don’t pay for those. And then you get customer managed keys, and the other one you create, and basically you will pay for those if you use them. So if you wanted to create a key, we click on Create a Key. You can use an alias and remember you’re going to pay for it.

So I’ll call it Demo and you can add a description. You could have some advanced options. So either we can have Kms generate the key for us, or we could specify an external location. So that means we have to basically import our own keys into Kms, or we can use a custom key store, Cloud Hsm, but we don’t have a Cloud Hsm yet, so we can’t have that. So the cool thing is that we could use Cloud Hsm to generate Kms keys, but for now we’ll just use Kms right away. Click on next. You could tag your key if you wanted to, and then you define Key Administrators if you wanted to. So I’ll just select Stefan as an account and then we allow Key Administrators to delete this key.

Next you could say who can use this key? So it’s like a key policy. So I’ll say okay, Stefan can also use this key as well, but you could also add other roles and other accounts. Click on Next and then this gives you basically a key policy which defines who is an administrator and who is going to be a user, which is super cool. Click on finish. And here we go. My demo key has been created. I can click on Demo and see that it is enabled. There is an alias, there’s also an ARN, and when it was created, we can look at the key policy to look at the policy view, or we can switch to the default view and get a nice table around who the Key Administrators are and the key users. And that’s good.

Tags if you wanted to edit your tags and key rotation is if you wanted to change the key every year through Cmk. So that means automatically the key will change to a new key every year. Maybe that will reinforce security for you. Okay, so right now I don’t necessarily need that key. So what you can do to disable it is you click on Key Action. The first thing you want to do is click on Schedule key deletion, then you can say between seven and 30 days to delete the key. So I’ll just say seven days and I confirm and I schedule deletion. And now my key is pending deletion, which will happen in seven days. You can also cancel that key deletion if you wanted to use that key instead.

Now, if we can have custom key stores and we talked about cloud Hsm, so right now there is no custom keystore in your account because we haven’t created a cloud Hsm cluster. So let’s have a look at cloud Hsm very quickly. Remember, there’s no free tier for cloud Hsm. So if you do do this, then you will have to pay. So we create a cluster, and to create a cluster, you need to define a VPC, and then you need to define AZ to make it highly available. So I’ll define three AZ and I can either create a new cluster or restore a cluster from a backup. I’ll just create a new cluster and that’s it. That’s all you need to do to create a cloud Hsm cluster.

Click on create cluster. And now the cluster will be provisioned. So it’s being created. And remember, you’re going to pay for it if you use it. And so within it, you get an idea of how many Hsm. So actual hardware are being used. And then you should use basically the cloud Hsm client to interact with it. I will not do this. It’s pretty advanced, I would say. But basically this is how you would go to create a new cluster and then move on with basically the creation of your keys if you wanted to. So remember, when you’re done, if you want to play with it, I encourage you to maybe play with it on your own time. But for the scope of the exam, you just need to know at a high level what cloud Hsm is.

And once this cluster is being created, then you could basically generate Kms keys directly in this custom key store. So you say now, okay, I don’t want Amazon to basically store my keys. I want my cloud Hsm cluster to store my keys. And that would be how you would do this integration. So I won’t wait, to be honest. There’s not much else to show you. So I’ll go ahead and delete this cluster. This way I don’t pay for it. And now the deletion is in progress and that’s just what this hands on, very high level, I know, but if you get to see how things work at a high level, which I like, and I will see you in the next lecture.