Headshots - PaulDuvall/aws-encryption-workshop GitHub Wiki
Hello, I am Paul Duvall and welcome to Continuous Encryption on AWS LiveLessons!
I am an award-winning CTO, entrepreneur, researcher, and author of multiple publications including Continuous Integration: Improving Software Quality and Reducing Risk - which was a 2008 Jolt Award Winner.
I have been an AWS Hero since 2016, which recognizes a very select group for their significant knowledge-sharing contributions to the AWS community.
I am also a founder of Stelligent and served as CTO for 12 years.
I currently serve as Chief AWS Evangelist at Mphasis and I have 6 AWS certifications including AWS Certified DevOps Engineer Professional and AWS Certified Security - Specialty. I have architected, implemented and managed software and systems solutions for over 20 years. I blog at mphasis.com and stelligent.com, and I host the DevOps on AWS Radio podcast.
Continuous Encryption on AWS LiveLessons is a course that is most useful if you are a security and compliance professional or a software engineer who wants to integrate encryption into every facet of the software development and delivery process. It assumes you have a working knowledge of AWS and a basic knowledge of programming, and that you want to make encryption ubiquitous across all your systems.
In this LiveLesson, you will learn how to automate encryption on AWS using AWS Developer Tools, Security, Identity & Compliance, and AWS Management & Governance services. The focus of the LiveLesson is on how to apply continuous delivery to encryption and not on software architectures.
This Continuous Encryption on AWS LiveLesson has a heavy focus on the use of the following AWS services:
- AWS Key Management Service - a fully-managed service for easily creating and controlling the keys used to encrypt your data.
- AWS CloudFormation - a tool you can use to create and manage resources with templates.
- AWS CodePipeline - a fully-managed service for releasing software using Continuous Delivery.
- AWS CodeCommit - a fully-managed service for storing code in private Git repositories.
- AWS CodeBuild - a fully-managed service for building and testing code.
- AWS Config and Config Rules - a fully-managed service for tracking resource inventory and changes. AWS Config Rules checks whether changes violate any of the conditions in your rules.
- Amazon CloudWatch Event Rules - a fully-managed service for detecting events and triggering targets that can remediate noncompliant resources.
You will also learn to automate these services:
- AWS Certificate Manager - a service that helps provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources.
- Amazon CloudFront - a service that provides a fast, highly secure and programmable content delivery network (CDN).
- AWS Secrets Manager - a service that allows you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle.
This Continuous Encryption on AWS LiveLesson is part of The DevSecOps on AWS Series with Pearson. The focus of the series is to help security and compliance professionals and software engineers define preventive, detective, and responsive controls as code that are part of software delivery workflows.
These automated controls help protect workloads, mitigate threats and vulnerabilities, provide visibility over the operation of your deployments, and drive remediation of potential deviations from your security baselines on AWS.
==========EXAMPLES==========
All of the examples in this course are automated via AWS CloudFormation. AWS CodePipeline is the service used for continuous delivery of encryption in this course. All of the examples are available from a GitHub repository that will be referenced throughout this course: https://github.com/PaulDuvall/aws-encryption-workshop/.
==========FEES==========
If you launch all of the sample solutions and then terminate the resources after one day, you will spend less than $15 on AWS fees for the use of the AWS services. While the course predominantly uses AWS tools, there will be some third-party integrations and open-source tools incorporated into the examples. You can fork the GitHub repository to make your own changes.
==========LESSONS==========
In Lesson 1, Automating AWS Resources, you will learn about automation and Continuous Delivery on AWS using CloudFormation and CodePipeline.
In Lesson 2, Key Management, you will learn how to create, disable, and delete 256-bit symmetric keys using the AWS Key Management Service and CloudFormation.
In Lesson 3, Developing with Encryption, you will learn how to perform client-side encryption and manage secret data when developing applications.
In Lesson 4, Encryption in Transit, you will learn how to encrypt data as it is sent over the wire between clients and servers using the AWS Console, CloudFormation, and CodePipeline.
In Lesson 5, Encryption at Rest, you will learn how to encrypt data at rest for specific AWS resources using the AWS Console and CloudFormation.
In Lesson 6, Detecting Encrypted Resources, you will learn how to run detective compliance checks with AWS Config Rules using the AWS Console and CloudFormation.
In Lesson 7, Logging Key Usage, you will learn how to create a CloudTrail log and determine whether a KMS key has recently been used.
In Lesson 8, Continuous Encryption, you will put together an end-to-end Continuous Encryption solution on AWS.
The best way to reach me is on Twitter at the handle @paulduvall.
Ok, let's get started with Continuous Encryption on AWS!
==========LESSON INTRODUCTIONS==========
Welcome to Lesson 1: Automating AWS Resources
In this lesson, you will learn the key components of AWS CloudFormation and AWS CodePipeline. You will learn how to use these tools to help automate the provisioning and the software delivery workflows including encryption as code.
By the end of this lesson, you will be able to do the following:
- Describe core AWS CloudFormation components
- Describe the benefits of CloudFormation
- Access the CloudFormation documentation
- Access the CloudFormation console
- Describe core AWS CodePipeline components
- Describe the benefits of CodePipeline
- Use the CodePipeline Console
- Launch a CloudFormation stack that deploys a simple deployment pipeline
Welcome to Lesson 2: Key Management
You can create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications using the AWS Key Management Service or KMS.
By the end of this lesson, you will be able to do the following:
- Create, disable, and delete a KMS key using the AWS Console.
- Automate the creation of a KMS key using AWS CloudFormation.
- Schedule the waiting period for KMS key deletion.
- Attach a KMS key to an AWS resource.
Welcome to Lesson 3: Developing with Encryption
You can enable client-side encryption on AWS using the Encryption SDK and manage secrets using the AWS Secrets Manager.
By the end of this lesson, you will be able to do the following:
- Perform client-side encryption using the AWS Encryption SDK.
- Automate the provisioning and automatic rotation of username and password secrets for Amazon RDS using the AWS Secrets Manager, AWS CloudFormation, and AWS Lambda.
Welcome to Lesson 4: Encryption in Transit
AWS Certificate Manager (ACM) handles the complexity of creating and managing public SSL/TLS certificates for your AWS-based websites and applications.
By the end of this lesson, you will be able to do the following:
- Create a TLS digital certificate using ACM in the AWS Console.
- Use the AWS Console to create an Amazon CloudFront distribution and attach the ACM certificate to the distribution and ensure that all traffic is encrypted in transit.
- Use AWS CloudFormation to automate the provisioning of a TLS digital certificate using the AWS Certificate Manager.
- Use AWS CloudFormation to create an Amazon CloudFront distribution and attach the ACM certificate to the distribution and ensure that all traffic is encrypted in transit.
- Use AWS CloudFormation to create a deployment pipeline in AWS CodePipeline capable of deploying the ACM certificate and CloudFront distribution to AWS.
Welcome to Lesson 5: Encryption at Rest
Data at rest refers to the inactive data as it is stored in its digital form - such as a database, block storage, object storage, and so on.
By the end of this lesson, you will be able to do the following:
- Enable encryption while creating EBS, DynamoDB, RDS, and S3 resources in the Console.
- Use AWS CloudFormation to automate the creation and encryption of EBS, DynamoDB, RDS, and S3 resources.
Welcome to Lesson 6: Detecting Encrypted Resources
You can establish detective controls that discover changes to your AWS infrastructure and apply rules that you define to determine if the resource is compliant or noncompliant.
By the end of this lesson, you will be able to do the following:
- Describe AWS Config and Config Rules
- Configure Managed Rules to run on your AWS account
- Run Managed Config Rules from the console to detect encryption for specific AWS resources
- Run Managed Config Rules using CloudFormation to detect encryption for specific AWS resources
Welcome to Lesson 7: Logging and Searching KMS Keys
By the end of this lesson, you will be able to do the following:
- Create an AWS CloudTrail log in Console.
- Automatically provision a CloudTrail log in CloudFormation and view the JSON payload.
- Search for uses of a KMS key within CloudTrail logs using Amazon Athena.
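As an added example that is not part of the course materials, the Python below shows what the CloudTrail search in this lesson is looking for: it scans CloudTrail records for the KMS operations that actually protect data, reports when a given key was last used and by whom, and answers the question you should settle before scheduling a key for deletion. The key ARN, account id, principals and records are constructed placeholders.

```python
"""Find recent uses of a KMS key in CloudTrail records (added example, not course code)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records; the key ARN, account id and principals are placeholders.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
APP_ROLE = "arn:aws:iam::111122223333:role/AppRole"
def _rec(time, source, name, who, arns):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": who}, "resources": [{"ARN": a, "type": "AWS::KMS::Key"} for a in arns]}
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2020-05-01T10:00:00Z", "kms.amazonaws.com", "GenerateDataKey", APP_ROLE, [KEY_ARN]),
    _rec("2020-05-03T12:30:00Z", "kms.amazonaws.com", "Decrypt", APP_ROLE, [KEY_ARN]),
    _rec("2020-05-03T13:00:00Z", "kms.amazonaws.com", "DescribeKey",
         "arn:aws:iam::111122223333:user/auditor", [KEY_ARN]),
    _rec("2020-05-04T08:00:00Z", "s3.amazonaws.com", "PutObject", APP_ROLE, []),
]})

# Calls that show the key is protecting data; read-only calls such as DescribeKey are not usage.
DATA_OPERATIONS = {"Encrypt", "Decrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}

def _parse(ts):
    """CloudTrail eventTime is UTC in the form 2020-05-03T12:30:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def key_usage(trail_json, key_arn, since_iso):
    """Summarise data operations on key_arn at or after since_iso: count, last use, calling principals."""
    since, count, last_used, callers = _parse(since_iso), 0, None, set()
    for record in json.loads(trail_json)["Records"]:
        if record.get("eventSource") != "kms.amazonaws.com" or record.get("eventName") not in DATA_OPERATIONS:
            continue
        if not any(r.get("ARN") == key_arn for r in record.get("resources", [])):
            continue
        when = _parse(record["eventTime"])
        if when < since:
            continue
        count += 1
        callers.add(record["userIdentity"]["arn"])
        if last_used is None or when > last_used:
            last_used = when
    return {"count": count, "last_used": last_used.isoformat() if last_used else None,
            "callers": sorted(callers)}

def safe_to_schedule_deletion(trail_json, key_arn, now_iso, lookback_days=90):
    """A key with no data operations in the lookback window is a candidate for scheduled deletion."""
    since = (_parse(now_iso) - timedelta(days=lookback_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return key_usage(trail_json, key_arn, since)["count"] == 0
```

The same filter (eventSource, eventName and the key ARN under resources) is what you express as a WHERE clause when running the search in Athena over the delivered CloudTrail logs.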
Welcome to Lesson 8: Continuous Encryption
In this lesson you will put together preventive, detective, and remediation controls into a complete Continuous Encryption solution.
By the end of this lesson, you will be able to do the following:
- Describe a workflow for prevention, detection, and remediation of unencrypted resources
- Manually provision an automatic remediation solution using Config Rules, CloudWatch Event Rules, and Lambda
- Create a continuous delivery solution for preventing, detecting, and remediating unencrypted resources using CloudFormation and CodePipeline
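To show the detection step that feeds this workflow (and the Config Rules checks of Lesson 6), here is an added example that is not the course's own code: a Python evaluator in the shape of a custom AWS Config rule that performs the same encryption checks as the managed rules for EBS, RDS, DynamoDB and S3, and lists the resources a remediation Lambda would act on. The configuration-item field names, the sample items and the resultToken are assumptions constructed for the example.

```python
"""Encryption compliance checks in the shape of a custom AWS Config rule (added example, not course code)."""
import json
# The checks mirror the managed rules the course runs: encrypted-volumes, rds-storage-encrypted,
# s3-bucket-server-side-encryption-enabled and dynamodb-table-encryption-enabled. Field names are
# assumed to follow the Config configuration item layout; verify them against items in your account.
def is_encrypted(item):
    """True/False for the four covered resource types, None for any other type."""
    rtype, cfg = item["resourceType"], item.get("configuration") or {}
    if rtype == "AWS::EC2::Volume":
        return bool(cfg.get("encrypted"))
    if rtype == "AWS::RDS::DBInstance":
        return bool(cfg.get("storageEncrypted"))
    if rtype == "AWS::DynamoDB::Table":
        return (cfg.get("sseDescription") or {}).get("status") == "ENABLED"
    if rtype == "AWS::S3::Bucket":
        sse = (item.get("supplementaryConfiguration") or {}).get("ServerSideEncryptionConfiguration")
        return bool(sse and sse.get("rules"))
    return None

def evaluate(item):
    """Map one configuration item to a Config compliance type."""
    encrypted = is_encrypted(item)
    if encrypted is None or item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    return "COMPLIANT" if encrypted else "NON_COMPLIANT"

def lambda_handler(event, context):
    """Custom rule entry point: invokingEvent is a JSON string carrying the configuration item.
    A deployed rule hands the returned evaluation to config.put_evaluations with event['resultToken']."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": evaluate(item), "OrderingTimestamp": item["configurationItemCaptureTime"]}

def remediation_candidates(items):
    """Resource ids that a CloudWatch Event rule plus remediation Lambda (Lesson 8) would act on."""
    return [i["resourceId"] for i in items if evaluate(i) == "NON_COMPLIANT"]

def _ci(rtype, rid, configuration, supplementary=None):
    """Build a constructed configuration item; ids and timestamps are placeholders."""
    return {"resourceType": rtype, "resourceId": rid, "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2020-05-01T10:00:00.000Z",
            "configuration": configuration, "supplementaryConfiguration": supplementary or {}}
SAMPLE_ITEMS = [
    _ci("AWS::EC2::Volume", "vol-0aaa", {"encrypted": False}),
    _ci("AWS::RDS::DBInstance", "db-1", {"storageEncrypted": True}),
    _ci("AWS::S3::Bucket", "example-bucket", {}, {"ServerSideEncryptionConfiguration":
        {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]}}),
    _ci("AWS::DynamoDB::Table", "orders", {"sseDescription": None}),
]
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEMS[0]}), "resultToken": "placeholder"}
```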
==========SUMMARY==========
In Continuous Encryption on AWS, you learned the following:
- Do not write crypto yourself: AWS provides AES 256-bit GCM encryption, so you do not need to write your own.
- Encryption can become part of the development-to-production lifecycle.
- Automate all the things, including encryption, as part of a deployment pipeline.
- Run preventive static analysis checks for encryption controls as part of Continuous Delivery.
- Use KMS to create and manage keys, rotate them, grant access to them, and schedule them for deletion.
- Use Secrets Manager to securely create, store, and rotate secrets.
- Encrypt data at rest using the built-in encryption attributes of AWS resources.
- Encrypt data in transit using AWS Certificate Manager.
- Run detective controls for run-time encryption checks using AWS Config Rules, Amazon CloudWatch Event Rules, and AWS Lambda.
- Use AWS CloudFormation to automate the creation of encrypted resources on AWS.
- Use AWS CodePipeline to automate the continuous delivery workflows for encryption on AWS.
- Use AWS CloudTrail to monitor KMS key usage.
- Simplify external and internal compliance audits.
If you need third-party attestations, such as SOC reports, FIPS 140-2 validation, or PCI compliance, you can use AWS Artifact to obtain them when your auditors require it. With Artifact, you have the assurance that an independent third party has examined how the service operates within the AWS data centers.
You also learned how encryption becomes part of the software development lifecycle using CloudFormation and CodePipeline (other tools can perform this automation as well). You can build in static analysis checks to ensure that encryption is configured before resources are launched as part of your software systems, and you can automate all of this as part of a deployment pipeline.
You can get encryption in transit through the use of CloudFront and AWS Certificate Manager. ACM performs certificate rotation as well.
KMS is the underpinning of all of this. KMS allows you to create and delete keys, grant access to them, and apply fine-grained permissions through key policies. You can rotate keys, and you are assured that the key material never leaves the hardware security modules in which it is used.
You can use Secrets Manager to store secrets such as usernames and passwords: values that must be persisted and kept encrypted. Secrets Manager performs the rotation for you and can generate random secret values.
You can run detective controls for runtime encryption checks using AWS Config Rules and CloudWatch Event Rules, so that once a resource is in use, whether in preproduction or production, you can ensure that it remains in compliance.
You can use CloudTrail and encrypt the CloudTrail logs themselves. You can also monitor key usage so that you know how keys are being used and what actions you may need to take before deleting a key.
Finally, when it comes to the internal or external audits you need to perform, building this automated encryption into your end-to-end software development lifecycle makes the whole process easier and keeps you continuously in compliance with the directives you have in place as part of your overall software development lifecycle.