AWS ‐ Encryption & Security ‐ PKI Services | Key Management | Secrets Manager | Encryption SDK - FullstackCodingGuy/Developer-Fundamentals GitHub Wiki

Cryptography Services (Encrypting/Decrypting Data)

  • Confidentiality - encrypting data keeps it safe from prying eyes
  • Data Integrity - ensures data cannot be altered by unauthorized parties; encrypt the data before sending it to the other party so that tampering can be detected and integrity is preserved
  • Authentication
  • Non-Repudiation

Encryption Algorithm

  • Symmetric

    • Encryption and decryption use the same key
    • Less secure, because the same key has to be shared with the consuming party
  • Asymmetric

    • Encryption and decryption use a public/private key pair
      • Public key (less sensitive key) - used to encrypt data; it can be shared with any party that wants to encrypt data for you, and it cannot be used to decrypt
      • Private key (protected key) - used to decrypt data; it should never be shared, keep it with you to decrypt the data
    • More secure than symmetric

AWS Cryptography Services

AWS CloudHSM

  • It provides physical hardware for encryption and decryption: hardware security modules (HSMs) are physical devices that store secrets securely, better than software modules because they cannot be broken easily; they are not exposed to the internet unless there is a specific need, and are used where advanced security is required

AWS KMS (Key Management Service)

  • It is an encryption key management system
  • It allows you to manage the cryptographic keys in the cloud
  • It holds customer master keys (CMKs) - customer keys are stored encrypted; in order to use them, KMS provides an unencrypted key
  • It supports persistent encryption - data stays encrypted even when it is moved, copied or shared

AWS Encryption SDK

  • It is a client-side encryption library that lets you perform cryptography in your own apps; it ships as part of your code
  • It is an open source SDK
  • Supports all data types for encryption

Amazon DynamoDb Encryption Client

  • It is an encryption mechanism for the data stored in DynamoDB databases
  • It is open source

AWS Secrets Manager

  • Centralized secret repository that keeps secrets private and protected
  • Secrets can be used directly in the application, e.g. a connection string in config settings


AWS Public Key Infrastructure (PKI) Services

  • It is a managed, unified system for managing certificates
  • Supports certificate management tasks such as issuing, validating and revoking certificates

What is a certificate?

  • A certificate is an issued document that verifies or authenticates an identity
  • e.g. the authenticity of a website; it identifies who you are

PKI Tools

AWS Certificate Manager (ACM)

  • A service that manages the certificates you need to authenticate with AWS services
  • ACM supplies the Certificate Authority (CA), which is responsible for creating, managing and verifying certificates; it issues authorized certificates and uses public/private key pairs to bind the identity information
  • It is a world-wide (public) CA
  • Public certs have an expiry time

AWS Certificate Manager Private Certificate Authority (ACM PCA)

  • Stores private certs
  • It is not internet-wide; it is only used for internal purposes
  • It works tightly with ACM
  • It is not exposed world-wide; instead it is used within the organization (including on-premises) to validate authenticity when a service is accessed
  • No expiry limit for private certs


AWS internet-facing services use X.509 certs


Choosing a PKI Service

  • Choose ACM - to secure public-facing resources such as websites and public-facing load balancers
    • a public cert allows anyone on the internet to validate your authenticity
    • public certs have restrictions such as a definite expiry time
    • there are limitations on generating public certs, as it involves costs
  • Choose ACM PCA - to secure network traffic between services private to your organization
    • bulk cert generation
    • no expiry restriction
    • control over the encryption algorithm used and the details of the cert

How the SSL flow works on a website / How certificate validation works in the browser

  • Website launched -> the browser reads the public key from the certificate -> the browser sends the public key to the certificate authority to authenticate the identity presented in the certificate -> the CA holds the private key (which nobody else can access), which is used to authenticate the certificate
  • The Certificate Authority validates the cert and tells the browser whether the site is who it claims to be; if this validation fails, you get an insecure website error in your browser
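The browser-side check in the flow above, as an added Go example that is not from the wiki page: it builds a private root CA (the ACM PCA case), issues a server certificate from it, and then validates both that certificate and a self-signed impostor for the same host name against the local trust store. All names and validity periods are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a certificate for cn. With ca == nil it is self-signed: a private root CA (like
// an ACM PCA root) when isCA is true, or an impostor no trusted CA vouched for when it is false.
func issue(cn string, isCA bool, days int, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen from a CSPRNG does not fail in practice
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	parent, parentKey := ca, caKey // the signer: the CA's private key never leaves the CA
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by the library always parses
	return cert, key
}

// validate is the browser/TLS-client side: the signature on the certificate is checked with the
// CA public key held in the local trust store; the CA is not contacted and no private key is needed.
func validate(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenario: does a CA-issued cert validate, and does a self-signed impostor for the same host?
func Scenario() (issuedOK, rogueOK bool) {
	root, rootKey := issue("private-root-ca.example.test", true, 3650, nil, nil)
	server, _ := issue("internal.example.test", false, 90, root, rootKey)
	rogue, _ := issue("internal.example.test", false, 90, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return validate(server, roots, "internal.example.test") == nil, validate(rogue, roots, "internal.example.test") == nil
}
```

The impostor fails with "certificate signed by unknown authority", which is the condition behind the browser's insecure-website error.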

AWS Key Management Service (AWS KMS)

  • It stores customer master keys (CMKs)

  • The customer master key is the start of the key hierarchy, because it is used to encrypt and protect other encryption keys

  • AWS Managed Keys

  • Customer Master Keys


CMKs

Two types of cryptographic methods:

  • RSA CMKs
  • Elliptic Curve CMKs (ECC) - more secure

Choosing which type of key

Symmetric Key

  • When you only need encryption and decryption within the integrated AWS services, choose a symmetric key

Asymmetric Key

  • If you need encryption/decryption outside of AWS services, use an asymmetric key (public and private key); in this case the client encrypts data using the public key and the server decrypts (verifies) it using the private key
  • Asymmetric encryption is also called public key encryption
  • In addition to encryption/decryption, these keys can also be used for signing and verification


AWS Secrets Manager

  • A service for managing secrets in AWS


Features

  • Applications access Secrets Manager programmatically to acquire secret values via an API
  • Stores a wide variety of secrets; internally they are stored as bytes
  • Secrets are stored encrypted
  • Supports automatic secret rotation
  • Access to secrets is controlled via roles and policies


  • Identity-based policies grant access by identity

  • Attribute-based permission grants are the easy way to give permissions to identities, because assigning policies/roles to identities one at a time becomes a challenging task when done repeatedly

  • Resource-based policies - secrets are defined as resources; in this approach permissions can be defined for specific resources


AWS Security Token Service (AWS STS)

  • It provides temporary security credentials for trusted users

  • It allows users to access AWS services without having an AWS identity

  • It allows users to perform actions similar to long-term AWS credentials such as IAM users, but the credentials are short-lived, from minutes to hours

  • Once they expire, they cannot be used again; you need to request a new token

  • e.g. if you want a user to access an API for a short time without creating an IAM user for them, request a token from STS and allow the user to access the service

  • Temporary credentials can also be used for app-to-service interactions


Quiz

When creating a secret in AWS Secrets Manager, you choose “Other type of secret” as your secret type. What is the format of the secret data? ans: Key-value pairs

When creating a custom key store in AWS, what step is done from an EC2 instance? ans: (image)

Which characteristics correctly define AWS Secrets Manager? ans: (image)

Match the key types used in AWS KMS to their characteristics. ans: (image)

A banking organization wants to send documents to customers to be signed. They need to ensure the signatures they receive back are valid. What cryptography objective does the organization have? ans: (image)

Which characteristics correctly define a rotation function? ans: (image)

What are the requirements for rotating a user secret using a master secret in AWS Secrets Manager? ans: (image)

Which AWS service(s) use public key certificates? ans: (image)

What are the common uses of AWS STS temporary credentials?

When creating a customer managed key in the AWS Console, what section shows the access permissions details for a key in JSON format? ans: (image)

What are the features of keyrings used by the AWS Encryption SDK? ans: (image)

What AWS KMS access management strategy is useful for assigning temporary permissions to CMKs? ans: (image)