-
Encryption in transit
-
Certificate considerations
- Many certificates vs few: what influences it?
- Least privilege and separation of duties
- Performance and Scale
- Cost Optimization
-
Regionality:
- Why would a customer import certificates?
- Issuing certificates vs exporting certificates: what is the difference?
-
Templates and cert customization:
- Using certificates with IoT?
- Using certificates with containers/kubernetes
-
AWS Certificate Manager (ACM) vs ACM Private Certificate Authority (CA)
-
ACM
- This service is for enterprise customers who need a secure web presence using TLS.
- AWS Certificate Manager (ACM)
- Setup
- Issuing and managing certificates
- Managed renewal
- Import certificates
- Export certificate
- Tagging ACM certificates
- Monitoring and logging
- Troubleshooting
-
ACM Private CA
- This service is for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud, intended for private use within an organization.
-
Security of the ACM PCA
- Certificate hierarchies and their relevance
- Certificate domain names and constraints around them
- Certificate inventory
- Certificate Expiry
- Deployment considerations
- Private CA administration
- Certificate administration
- Using an external CA
- Troubleshooting
- Services integrated with ACM
-
Encryption at rest
-
Client side vs server side encryption
-
Client side
- S3 encryption client
- multi-region keys
- dynamodb encryption client
- AWS Encryption SDK
-
Server side
- SSE-KMS (S3)
- AWS services use this to encrypt data (EBS, RDS, etc.)
-
AWS Key Management Service (KMS)
-
Features
- Centralized Key Management
- AWS Service Integration (over 100 services)
-
Audit Capabilities (CloudTrail)
- Users
- Time
- API action
- Key used (when relevant)
-
Scalability, Durability, and High Availability (11x 9's)
- Multi-region keys
- Secure (FIPS 140-2 validated)
- Custom Key Store (symmetric keys only)
- Support for Asymmetric Keys
-
Compliance
- SOC
- FIPS 140-2
- FedRAMP
- HIPAA
-
Concepts
-
AWS KMS Key
- Key material
- Used to encrypt data
- Used to decrypt data
- Key metadata
- Key ID
- Creation date
- Description
- Key State
-
Types of keys
- Symmetric (256-bit)
- Asymmetric
- Types
- RSA
- Elliptic curve (ECC)
- Uses
- Encryption & decryption
- Signing & verification
-
Key material source
- KMS-provided
- customer-imported
- AWS CloudHSM cluster
-
Key management
- AWS managed KMS keys
- read-only policies
- Customer managed KMS keys
- custom key policies
- custom IAM policies
- key grants
- enable/disable
- rotate cryptographic material
- add custom tags
- create custom key aliases
- schedule keys for deletion
-
Key rotation
- Customer managed keys
- Optional - yearly
- AWS managed keys
- Required - every 3 years
- AWS owned keys
- varies - AWS service-specific
-
AWS CloudHSM
-
Benefits
- Generate and use encryption keys on FIPS 140-2 level 3 validated HSMs
- Deploy secure, compliant workloads
- Use an open HSM built on industry standards
- Keep control of your encryption keys
- Easy to manage and scale
- Control AWS KMS keys
-
Use cases
- Offload the SSL/TLS processing for web servers
- Protect the private keys for an issuing certificate authority (CA)
- Enable transparent data encryption (TDE) for Oracle databases
-
Concepts
- CloudHSM Clusters
- Backups
- Client SDK
-
Users
- Managing users and keys
- Getting started
- Integrating 3rd party apps
- Monitoring
- Pricing
-
AWS Secrets Manager
-
Benefits
- Rotate secrets safely
- Manage access with fine-grained policies
- Secure and audit secrets centrally
- Pay as you go
- Easily replicate secrets to multiple regions
-
Features
- Programmatically retrieve encrypted secret values at runtime
-
Store different types of secrets
- Secret name and description
- Rotation or expiration settings
- ARN of the KMS key associated with the secret
- Any attached AWS tags
-
Automatically rotate your secrets
- Creates a new version of the secret.
- Stores the secret in Secrets Manager.
- Configures the protected service to use the new version.
- Verifies the new version.
- Marks the new version as production ready.
- DB and services supported
- Amazon Aurora on Amazon RDS
- MySQL on Amazon RDS
- PostgreSQL on Amazon RDS
- Oracle on Amazon RDS
- MariaDB on Amazon RDS
- Microsoft SQL Server on Amazon RDS
- Amazon DocumentDB
- Amazon Redshift
- Control access to secrets
-
Compliance support
- HIPAA
- PCI DSS
- ISO
- SOC
- FedRAMP
- DoD SRG
- IRAP
- OSPAR
- Supports VPC endpoints
- Supports integration with over 30 AWS services
-
Concepts
- Authentication and access control
- Creating and managing secrets
- Retrieving secrets
- Rotating secrets
- Monitoring secrets
- Tutorials
- AWS Systems Manager Parameter Store
-
Use cases and resources
-
Videos & demos
- ACM Private CA - Creating a New Private Certificate Authority
- ACM Private CA - CA Hierarchies: What are they and why are they important?
- ACM Private CA - Disaster Recovery Reference Architectures
- ACM Private CA - Reduce Costs by Sharing Private CAs Using AWS RAM
- ACM Private CA - Certificate Templates
- HMAC APIs (KMS)
- Macie + SecHub
- Macie Data Identifiers
- Multi Region Keys
- Multi-Region Secret Replication
- Secrets Manager Rotation Windows
-
Code Signing
- Code signing using AWS Certificate Manager Private CA and AWS Key Management Service asymmetric keys
- Best practices and advanced patterns for Lambda code signing
- How to verify AWS KMS signatures in decoupled architectures at scale
- Signing executables with HSM-backed certificates using multiple Windows instances
- Combining encryption and signing with AWS KMS asymmetric keys
- How to verify AWS KMS asymmetric key signatures locally with OpenSSL
- Digital signing with the new asymmetric keys feature of AWS KMS
- How to migrate a digital signing workload to AWS CloudHSM
- AWS CloudHSM Use Cases (Part One of the AWS CloudHSM Series)
- New – Code Signing, a Trust and Integrity Control for AWS Lambda
- How to protect HMACs inside AWS KMS
-
CloudHSM
- How to deploy CloudHSM to securely share your keys with your SaaS provider
- Migrate and secure your Windows PKI to AWS with AWS CloudHSM
- Integrate CloudHSM PKCS #11 Library 5.0 with serverless workloads
- How to lower costs by automatically deleting and recreating HSMs
-
KMS
- How to BYOK (bring your own key) to AWS KMS for less than $15.00 a year using AWS CloudHSM
- Demystifying KMS keys operations, bring your own key (BYOK), custom key store, and ciphertext portability
- Are KMS custom key stores right for you?
-
General Data Protection
- Best practices for securing sensitive data in AWS data stores
- Millennium Management: Secure machine learning using Amazon SageMaker
-
S3 Data Protection
- IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)
-
Encryption SDK
- How to decrypt ciphertexts in multiple regions with the AWS Encryption SDK in C
-
Amazon Macie
- Automate the archival and deletion of sensitive data using Amazon Macie
-
ACM / ACM Private CA
- How to use ACM Private CA for enabling mTLS in AWS App Mesh
- Securing Kubernetes applications with AWS App Mesh and cert-manager
- Maintaining Transport Layer Security all the way to your container: using the Application Load Balancer with Amazon ECS and Envoy
- Using ACM Private Certificate Authority in a multi-account environment by using IAM roles
- Setting up end-to-end TLS encryption on Amazon EKS with the new AWS Load Balancer Controller
- TLS-enabled Kubernetes clusters with ACM Private CA and Amazon EKS
-
Secrets Manager
- How to configure rotation windows for secrets stored in AWS Secrets Manager
-
Cryptography
- What is cryptographic computing? A conversation with two AWS experts
-
Data discovery and classification
-
Data classification
-
Basics
- Data is the product and currency of information systems
- Data has intrinsic value based on its use
- Data is one of the fundamental subjects of cybersecurity efforts
- Data must be classified and protected based on its impact
- Storage must support protections appropriate to the data classification
-
Data risks
- Legal – Civil or criminal liability
- Reputational – Tarnished perception to customers, partners, regulators, or the public
- Financial – Direct or indirect loss of money
- Operational – Impact to productivity or disruption of business practices
-
Sample classification levels
- Public
- Privileged
- Restricted
-
Data governance and oversight
- Storage – Data assets should have a designated place to live
- Attribution and Ownership – Every data asset must have an owner and a purpose
- Labeling – All data assets should be labeled
- Inventory – Location of data assets should be tracked
- Discovery – All data should be scanned to ensure the contents match what's expected
-
Methods of data discovery
- User-based – (Manual)
- Context-based – (Manual or Automated)
- Content-based – (Automated)
-
Data protection considerations
-
Access
- Entities – Authorized people or processes
- Methods – By what mechanisms
- Conditions – Under which conditions is access allowed
-
Encryption
- Strength per classification level
- Keys per purpose and/or attribution
-
Logging, Monitoring and Alerting
- Log all reads and writes
- Alert on unauthorized or unexpected operations
- Monitor configuration drift
-
Lifecycle
- Retention
- Backups
- Destruction standards
-
Amazon Macie
-
Monitoring and processing findings
-
EventBridge
- Report to Jira or Slack
- Tag buckets as "sensitive"
- Visualize findings with Amazon QuickSight
- Take action using AWS Step Functions
- etc.
- Security Hub
- Amazon Partner Network
-
Macie onboarding
- Enable Macie on all accounts
- Evaluate bucket security posture
- Run inspection jobs on data sets
-
Centrally manage multiple Macie accounts
- AWS Organizations
- Membership invitations
-
Additional considerations
- Allowing Macie to access buckets and objects
- Supported file and storage formats
- Encrypted objects
- Long term storage of results
- Forecasting and monitoring costs
-
Security in Amazon Macie
- Data protection
- Identity and access management
- Logging and monitoring
- Compliance validation
- Resilience
- Infrastructure security
- VPC endpoints (AWS PrivateLink)
-
Sensitive Data Discovery jobs
-
Automate the discovery of sensitive data
- Continuous
- On-demand
- Control breadth/depth/exclude
-
Discover a variety of sensitive data types
- Managed data identifiers
(credentials, financial, PHI, PII)
- Custom data identifiers
-
Scan Job configuration
- S3 bucket components
- Gathering metadata and calculating statistics
- General information about bucket (name, ARN, etc.)
- Account-level permissions settings that apply to the bucket
- Bucket-level permissions settings for the bucket
- Shared access and replication settings for the bucket
- Object counts and settings for objects in the bucket
- Monitoring bucket security and privacy
- Account-level events
- Bucket-level events
- Evaluating bucket security and access control
- Zelkova
- Scope for sensitive data discovery jobs
- S3 buckets
- Preview the criteria results
- Include existing S3 objects
- Sampling depth (% of objects)
- S3 object criteria (include/exclude)
- Last modified
- Prefix
- Storage size
- Tags
-
Data security configuration & policies checking
- Know if your buckets are encrypted
- Know if your buckets are open to the world (Public read and/or write)
- Know if your buckets are being shared outside your Org
-
Evaluate and monitor data for security and access control
- Dashboard
- Policy findings
- Sensitive data findings
- Statistics
- Suppressing findings
- S3 bucket inventory
-
Fundamentals
-
Data usage
- Data in motion
- Data at rest
- Data in use
-
People
- Data Owner
- Data Custodian
- Data Controller
- Data Processor
- Data Protection Officer
-
Process
- Create a Data Classification Policy
- Data Sovereignty
-
Identify location of your data
- How is my data stored?
-
Classify your data
- Tags
- Labels
- Metadata
-
Technology
- Encryption and Key Management
- Data Discovery and Classification
- Certificate Management
- Secrets Management
- Digital Rights Management
- Tokenization
- Data Loss Prevention
-
Certificates
- What are certificates?
- What's a certificate authority?
- Why is identity verification using certificates useful compared to username and password based mechanisms?
- What data is being protected?