AWS re:Invent 2016: AWS Partners and Data Privacy (GPST303)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ken Beer, General Manager, AWS Key Management Service

November 29, 2016

GPST303: AWS Partners and Data Privacy

Upload: amazon-web-services

Post on 16-Apr-2017


TRANSCRIPT


Privacy Concerns for AWS Partners

Prevent unauthorized access to data owned…

- by the partner

- by the partner’s customer

- by the partner’s partners

Provide evidence of all access to data

Ensuring privacy using security controls

• Identity and Access Management

• Encryption at rest techniques you can apply

• Key management strategies

• Logging for audit and assurance

Client-side encryption at rest

• You encrypt your data before it is submitted to the service

• You supply the encryption keys OR use keys held in your AWS account

• Requires more developer expertise

• Available AWS clients to help: Amazon S3, Amazon EMR File System (EMRFS), Amazon DynamoDB, AWS Encryption SDK

• Using these clients does not give AWS employees access to your keys or your data

[Diagram, "Client-side encryption at rest": your applications, running in your data center or in Amazon EC2, call your encryption client application; the client uses your key management infrastructure (on premises or in EC2), and only your encrypted data lands in select AWS services.]

Server-side encryption at rest

• AWS encrypts data on your behalf after the data is received by the service

• Over 23 AWS services support encryption, including Amazon S3, Amazon EBS, Amazon RDS, and AWS Lambda

• Requires less developer expertise than client-side

• Using server-side encryption does not give AWS employees access to your keys or your data

Server-side encryption at rest in Amazon EBS

Console, or AWS CLI/SDK (the create-volume synopsis, including the --encrypted and --kms-key-id options):

create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id <value>]
    --availability-zone <value> [--volume-type <value>] [--iops <value>]
    [--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>]
    [--generate-cli-skeleton]

[Diagram, "Server-side encryption at rest in Amazon EBS" key hierarchy: a master key encrypts a symmetric data key; the hardware/software layer uses the plaintext symmetric data key to turn plaintext data into encrypted data, which is stored in storage alongside the encrypted data key. The slide marks the master key and the key hierarchy with question marks, pointing to the next topic.]

The key management challenge

Key Management Strategies

• Roll your own solution

– Store keys on a separate server or instance that you own

– Use open source software with its own access controls

• Commercial vendors

– Dedicated appliance or virtual appliance to store keys

• AWS CloudHSM

• AWS Key Management Service

AWS CloudHSM

• You receive dedicated access to HSM appliances

• HSMs located in AWS data centers

• Monitored by AWS for power and network connectivity

• HSMs are inside your Amazon VPC – isolated from the rest of the network

• Uses Gemalto SafeNet Luna SA HSM appliances

• Only you have access to your keys and operations on the keys using custom clients – no AWS APIs

[Diagram: the CloudHSM appliance sits inside your Amazon Virtual Private Cloud. AWS administrator: provisions the appliance. You: control keys and client crypto operations.]

AWS CloudHSM

Available in nine regions worldwide

• US East (N. Virginia, Ohio), US West (N. California, Oregon), EU (Frankfurt, Ireland) and Asia Pacific (Sydney, Tokyo, Singapore)

Compliance

• Included in AWS PCI DSS and SOC-1 compliance packages

• FIPS 140-2 level 2 (maintained by Gemalto/SafeNet)

Typical use cases

• Use with Amazon RDS for Oracle TDE

• Partner ecosystem (Oracle, SQL Server, Apache, SafeNet)

• Custom applications using non-AWS SDKs

AWS Key Management Service (KMS)

• Managed service that simplifies creation, control, rotation, and use of encryption keys in your applications

• Integrated with AWS server-side encryption

• Integrated with AWS client-side encryption via SDKs

• Integrated with AWS CloudTrail to provide auditable logs of key usage for regulatory and compliance activities

• Available in all commercial regions except China

Integration with AWS KMS

Two-tiered key hierarchy using envelope encryption

• Unique data key encrypts customer data

• AWS KMS customer master keys (CMKs) encrypt data keys

[Diagram: customer master keys in AWS KMS encrypt data keys 1 through 4; each data key encrypts one resource: an S3 object, an EBS volume, an Amazon Redshift cluster, or a custom application's data.]

Integration with AWS KMS

Benefits

• Limits risk of a compromised data key

• Better performance for encrypting large data

• Easier to manage a small number of CMKs than millions of data keys

• Centralized access and audit of key activity

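The two-tier hierarchy and the benefits listed above, as an added Go example (not AWS code): a FakeKMS type stands in for the KMS GenerateDataKey and Decrypt calls and holds the CMK that never leaves it, while AES-256-GCM does the local work. FakeKMS, Encrypt and Decrypt are this example's own assumed names; the encryption context is bound to the wrapped data key the way KMS binds it, so unwrapping under the wrong context fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// FakeKMS stands in for AWS KMS (assumed, not the real service): it holds the CMK and never hands it out.
type FakeKMS struct{ CMK []byte }
func gcm(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a caller bug, not runtime input
	}
	g, _ := cipher.NewGCM(b) // cannot fail for an AES block cipher
	return g
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func seal(key, pt, aad []byte) []byte { // AES-256-GCM, 12-byte nonce prefixed
	g, nonce := gcm(key), randBytes(12)
	return g.Seal(nonce, nonce, pt, aad)
}
func open(key, ct, aad []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], aad)
}

// Encrypt models KMS GenerateDataKey plus local encryption: a fresh 256-bit data key encrypts the object; the CMK only wraps that key, bound to the context.
func Encrypt(k *FakeKMS, ctx string, data []byte) (wrappedKey, ciphertext []byte) {
	dk := randBytes(32)
	return seal(k.CMK, dk, []byte(ctx)), seal(dk, data, nil)
}
// Decrypt models KMS Decrypt (a wrong context fails to unwrap), then local decryption.
func Decrypt(k *FakeKMS, ctx string, wrappedKey, ciphertext []byte) ([]byte, error) {
	dk, err := open(k.CMK, wrappedKey, []byte(ctx))
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext, nil)
}
```

Store the wrapped key next to the ciphertext: a leaked data key exposes one object, and the CMK is touched once per object rather than once per byte.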

Customer Master Keys (CMKs) in AWS KMS

Default CMKs

• Generated by AWS and unique to your account

• Usable only by users/roles in your account

• AWS manages key lifecycle, but can’t directly access key material

Custom CMKs

• Generated by AWS, but you manage lifecycle of the CMK

• You control how and when your CMKs can be used and by whom, by defining granular permissions on your keys using IAM and KMS policies

• AWS can’t directly access key material

Import Key: Bring your own keys to AWS KMS

• You control how keys are generated

• You store the master copy of the key outside of AWS

• You can use imported keys with all KMS-integrated services

• You can define an optional expiration time

• You can delete and re-import the key at any time to control when AWS can use it to encrypt/decrypt data on your behalf

• Works with standards-based key management infrastructure, including SafeNet Gemalto and Thales e-Security

Import Key: Bring your own keys to AWS KMS

[Diagram of the import flow between your key management infrastructure and KMS]

• Create customer master key (CMK) container: KMS creates an empty CMK container with a unique key ID

• Download a public wrapping key: KMS provides an RSA public key for download

• Export your key material encrypted under the public wrapping key: your key management infrastructure exports your 256-bit key material encrypted under the KMS public key

• Import encrypted key material under the KMS CMK key ID; set optional expiration period: your key material is now protected in KMS

Workloads enabled by Import Key

• A bank customer can generate and store the master copy of their key material in a FIPS 140-2 validated solution to satisfy their InfoSec requirements

• A pharma customer could make keys available only during processing of drug trial data in EMR/Amazon Redshift

• When processing is finished, expire/delete the keys so that data stored at rest in AWS cannot be decrypted

• A government customer that needs access to data for many years doesn’t have to trust AWS to never lose their keys
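The import flow from the two Import Key slides and the expire/delete workload above, as an added Go example, not AWS code: NewWrappingKey plays the KMS side (an RSA-2048 pair whose public half is what you download), WrapForImport is your own key management infrastructure encrypting 256-bit material with RSA-OAEP over SHA-256, and ImportedCMK models the container with its optional expiration. All of those names are this example's assumptions; the real service's import parameters come from the AWS documentation, not from here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// ImportedCMK models a KMS customer master key container (an assumed stand-in, not the
// real service): material is nil before import and after delete; zero Expires means no expiration.
type ImportedCMK struct {
	KeyID    string
	Expires  time.Time
	material []byte
}
// NewWrappingKey is the KMS side of "download a public wrapping key": KMS keeps the
// private half and the customer receives only &priv.PublicKey.
func NewWrappingKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}
// WrapForImport runs in your own key management infrastructure: the 256-bit key material
// is RSA-OAEP (SHA-256) encrypted under the wrapping key, so the plaintext key never travels to AWS.
func WrapForImport(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	if len(material) != 32 {
		return nil, errors.New("key material must be 256 bits")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}
// ImportKeyMaterial is the KMS side of the import call: unwrap with the private
// wrapping key and bind the material to the container with its expiration.
func ImportKeyMaterial(priv *rsa.PrivateKey, keyID string, wrapped []byte, expires time.Time) (*ImportedCMK, error) {
	m, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return &ImportedCMK{KeyID: keyID, Expires: expires, material: m}, nil
}
// DeleteKeyMaterial empties the container; data under this CMK stays undecryptable until re-import.
func (c *ImportedCMK) DeleteKeyMaterial() { c.material = nil }

// Usable is the check KMS applies before any encrypt or decrypt under the CMK.
func (c *ImportedCMK) Usable(now time.Time) bool {
	return c.material != nil && (c.Expires.IsZero() || now.Before(c.Expires))
}
```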

Audit key usage/data access with AWS CloudTrail

"eventName": "Decrypt",   This KMS API was called…

"eventTime": "2016-08-18T18:13:07Z",   ...at this time...

"requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",   ...in reference to this key...

"encryptionContext": "volumeid-12345"}   …to protect this resource...

"sourceIPAddress": "42.23.141.114",   ...from this address...

"userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}   …by this AWS user in this account.

• Automation: CloudWatch alarms or events on CloudTrail logs

• Reconciliation: find anomalous key usage by generating audit logs in your application and comparing them to CloudTrail logs
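The reconciliation bullet above, as an added Go example, not AWS code: Anomalies parses a CloudTrail file, keeps the fields the slide walks through, and flags every KMS Decrypt that no record in your application's own audit log explains. The AppRecord format, the SampleTrail JSON (the slide's event plus a constructed second one from 203.0.113.9) and an encryptionContext written as a key/value object rather than the slide's shorthand string are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"maps" // Go 1.21+
	"time"
)

type Event struct {
	EventName         string    `json:"eventName"`
	EventTime         time.Time `json:"eventTime"`
	SourceIPAddress   string    `json:"sourceIPAddress"`
	UserIdentity      struct{ ARN string `json:"arn"` } `json:"userIdentity"`
	RequestParameters struct {
		KeyID             string            `json:"keyId"`
		EncryptionContext map[string]string `json:"encryptionContext"`
	} `json:"requestParameters"`
}
// AppRecord is one entry of the audit log your own application writes per intended decrypt (constructed format).
type AppRecord struct {
	At               time.Time
	KeyID, Principal string
	Context          map[string]string
}
// Constructed sample: the slide's Decrypt event, which the application logged two
// seconds earlier, plus a second Decrypt of the same volume that it never logged.
const SampleTrail = `{"Records":[
{"eventName":"Decrypt","eventTime":"2016-08-18T18:13:07Z","sourceIPAddress":"42.23.141.114","userIdentity":{"arn":"arn:aws:iam::111122223333:user/User123"},"requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab","encryptionContext":{"volumeid":"12345"}}},
{"eventName":"Decrypt","eventTime":"2016-08-18T22:41:00Z","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/Contractor"},"requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab","encryptionContext":{"volumeid":"12345"}}}]}`
var SampleApp = []AppRecord{{At: time.Date(2016, 8, 18, 18, 13, 5, 0, time.UTC), KeyID: "1234abcd-12ab-34cd-56ef-1234567890ab", Principal: "arn:aws:iam::111122223333:user/User123", Context: map[string]string{"volumeid": "12345"}}}

// Anomalies returns every KMS Decrypt in a CloudTrail file that no application record explains
// (same key, principal and context within window): a gap in your logging, or a decrypt you did not make.
func Anomalies(trail []byte, app []AppRecord, window time.Duration) ([]Event, error) {
	var file struct{ Records []Event }
	if err := json.Unmarshal(trail, &file); err != nil {
		return nil, err
	}
	var out []Event
	for _, e := range file.Records {
		explained := e.EventName != "Decrypt" // only decrypts are reconciled here
		for _, a := range app {
			if a.KeyID == e.RequestParameters.KeyID && a.Principal == e.UserIdentity.ARN &&
				maps.Equal(a.Context, e.RequestParameters.EncryptionContext) &&
				e.EventTime.Sub(a.At).Abs() <= window {
				explained = true
			}
		}
		if !explained {
			out = append(out, e)
		}
	}
	return out, nil
}
```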

AWS KMS assurances: Why trust AWS?

• There are no tools in place to access your physical key material

• Your plaintext keys are never stored in nonvolatile memory

• You control who has permissions to use your keys

• Separation of duties between systems that use master keys and ones that use data keys

• Multiparty controls for all maintenance of KMS systems that use your master keys

AWS KMS assurances: compliance

• AWS Service Organization Controls (SOC 1, SOC 2, SOC 3)

• PCI-DSS Level 1

• ISO 27017, ISO 27018, ISO 9001

• In evaluation for FIPS 140-2 and FedRAMP

Comparison of key management options

| | KMS | CloudHSM | AWS Marketplace Partner Solutions | DIY |
| --- | --- | --- | --- | --- |
| Where keys are generated and stored | AWS, or imported by you | In AWS, on an HSM that you control | Your network or in EC2 instance | Your network or in AWS |
| Where keys are used | AWS services or your applications | AWS or your applications | Your network or your EC2 instance | Your network or your EC2 instance |
| How to control key use | Policy you define; enforced by AWS | Custom code + SafeNet APIs | Vendor-specific management | Config files, vendor-specific management |
| Responsibility for performance/scale | AWS | You | You | You |
| Integration with AWS services? | Yes | Limited | Limited | Limited |
| Pricing model | Per key/usage | Per hour | Per hour/per year | Variable |

Law enforcement requests for encrypted data

• We can’t predict what law enforcement will ask for

• We have no tools to decrypt your data or your keys outside of the existing APIs you call that cause your data to be decrypted

• We only consider responding to requests if the target is our customer

• We tell law enforcement to talk to you if the target is your customer, even if their data is hosted in our infrastructure

AWS do’s and don’ts you can count on

We Do…

• …challenge overly broad government subpoenas

• …advocate for modern privacy laws

• …oppose legislation that would weaken information security

• …notify customers before disclosing content information

• …offer strong encryption and key management options

• …recommend security best practices

We Do Not…

• …disclose customer information unless legally required

• …participate in government programs to capture customer data

https://aws.amazon.com/blogs/security/privacy-and-data-security/

Call to action

• Enable encryption at rest

• What is your key management strategy?

• Is KMS right for your customers?

• Is Import Key right for your customers?

• Does your customer need a dedicated HSM to store keys?

• Customers have customers, too (privacy preservation can be recursive)

Thank you!

Remember to complete your evaluations!