1. Encryption in transit
    1. Certificate considerations
      1. Many certificates vs few: what influences it?
      2. Least privilege and separation of duties
      3. Performance and Scale
      4. Cost Optimization
      5. Regionality
        1. Why would a customer import certificates?
        2. Issuing certificates vs exporting certificates: the difference?
      6. Templates and cert customization
        1. Using certificates with IoT?
      7. Using certificates with containers/kubernetes
    2. AWS Certificate Manager (ACM) vs ACM Private Certificate Authority (CA)
      1. ACM
        1. This service is for enterprise customers who need a secure web presence using TLS.
        2. AWS Certificate Manager (ACM)
        3. Setup
        4. Issuing and managing certificates
        5. Managed renewal
        6. Import certificates
        7. Export certificate
        8. Tagging ACM certificates
        9. Monitoring and logging
        10. Troubleshooting
      2. ACM Private CA
        1. This service is for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud and intended for private use within an organization.
        2. Security of the ACM PCA
          1. Certificate hierarchies and their relevance
          2. Certificate domain names and constraints around them
          3. Certificate inventory
          4. Certificate Expiry
        3. Deployment considerations
        4. Private CA administration
        5. Certificate administration
        6. Using an external CA
        7. Troubleshooting
      3. Services integrated with ACM
  2. Encryption at rest
    1. Client side vs server side encryption
      1. Client side
        1. S3 Encryption Client
        2. Multi-region keys
        3. DynamoDB Encryption Client
        4. AWS Encryption SDK
      2. Server side
        1. SSE-KMS (S3)
        2. AWS services use this to encrypt data (EBS, RDS, etc.)
    2. AWS Key Management Service (KMS)
      1. Features
        1. Centralized Key Management
        2. AWS Service Integration (over 100 services)
        3. Audit Capabilities (CloudTrail)
          1. Users
          2. Time
          3. API action
          4. Key used (when relevant)
        4. Scalability, Durability, and High Availability (11x 9's)
          1. Multi-region keys
        5. Secure (FIPS 140-2 validated)
        6. Custom Key Store (symmetric keys only)
        7. Support for Asymmetric Keys
        8. Compliance
          1. SOC
          2. FIPS 140-2
          3. FedRAMP
          4. HIPAA
      2. Concepts
        1. AWS KMS Key
          1. Key material
          2. Used to encrypt data
          3. Used to decrypt data
          4. Key metadata
          5. Key ID
          6. Creation date
          7. Description
          8. Key State
        2. Types of keys
          1. Symmetric (256-bit)
          2. Asymmetric
            1. Types
              1. RSA
              2. Elliptic curve (ECC)
            2. Uses
              1. Encryption & decryption
              2. Signing & verification
        3. Key material source
          1. KMS-provided
          2. customer-imported
          3. AWS CloudHSM cluster
        4. Key management
          1. AWS managed KMS keys
            1. Read-only policies
          2. Customer managed KMS keys
            1. Custom key policies
            2. Custom IAM policies
            3. Key grants
            4. Enable/disable
            5. Rotate cryptographic material
            6. Add custom tags
            7. Create custom key aliases
            8. Schedule keys for deletion
        5. Key rotation
          1. Customer managed keys
            1. Optional - yearly
          2. AWS managed keys
            1. Required - every 3 years
          3. AWS owned keys
            1. Varies - AWS service-specific
    3. AWS CloudHSM
      1. Benefits
        1. Generate and use encryption keys on FIPS 140-2 level 3 validated HSMs
        2. Deploy secure, compliant workloads
        3. Use an open HSM built on industry standards
        4. Keep control of your encryption keys
        5. Easy to manage and scale
        6. Control AWS KMS keys
      2. Use cases
        1. Offload the SSL/TLS processing for web servers
        2. Protect the private keys for an issuing certificate authority (CA)
        3. Enable transparent data encryption (TDE) for Oracle databases
      3. Concepts
        1. CloudHSM Clusters
        2. Backups
        3. Client SDK
        4. Users
          1. Managing users and keys
      4. Getting started
      5. Integrating 3rd party apps
      6. Monitoring
      7. Pricing
    4. AWS Secrets Manager
      1. Benefits
        1. Rotate secrets safely
        2. Manage access with fine-grained policies
        3. Secure and audit secrets centrally
        4. Pay as you go
        5. Easily replicate secrets to multiple regions
      2. Features
        1. Programmatically retrieve encrypted secret values at runtime
        2. Store different types of secrets
          1. Secret name and description
          2. Rotation or expiration settings
          3. ARN of the KMS key associated with the secret
          4. Any attached AWS tags
        3. Automatically rotate your secrets
          1. Creates a new version of the secret.
          2. Stores the secret in Secrets Manager.
          3. Configures the protected service to use the new version.
          4. Verifies the new version.
          5. Marks the new version as production ready.
          6. Databases and services supported
            1. Amazon Aurora on Amazon RDS
            2. MySQL on Amazon RDS
            3. PostgreSQL on Amazon RDS
            4. Oracle on Amazon RDS
            5. MariaDB on Amazon RDS
            6. Microsoft SQL Server on Amazon RDS
            7. Amazon DocumentDB
            8. Amazon Redshift
        4. Control access to secrets
        5. Compliance support
          1. HIPAA
          2. PCI DSS
          3. ISO
          4. SOC
          5. FedRAMP
          6. DoD SRG
          7. IRAP
          8. OSPAR
        6. Supports VPC endpoints
        7. Integrates with over 30 AWS services
      3. Concepts
        1. Authentication and access control
        2. Creating and managing secrets
        3. Retrieving secrets
        4. Rotating secrets
        5. Monitoring secrets
        6. Tutorials
    5. AWS Systems Manager Parameter Store
  3. Use cases and resources
    1. Videos & demos
      1. ACM Private CA - Creating a New Private Certificate Authority
      2. ACM Private CA - CA Hierarchies: What are they and why are they important?
      3. ACM Private CA - Disaster Recovery Reference Architectures
      4. ACM Private CA - Reduce Costs by Sharing Private CAs Using AWS RAM
      5. ACM Private CA - Certificate Templates
      6. HMAC APIs (KMS)
      7. Macie + Security Hub
      8. Macie Data Identifiers
      9. Multi Region Keys
      10. Multi-Region Secret Replication
      11. Secrets Manager Rotation Windows
    2. Code Signing
      1. Code signing using AWS Certificate Manager Private CA and AWS Key Management Service asymmetric keys
      2. Best practices and advanced patterns for Lambda code signing
      3. How to verify AWS KMS signatures in decoupled architectures at scale
      4. Signing executables with HSM-backed certificates using multiple Windows instances
      5. Combining encryption and signing with AWS KMS asymmetric keys
      6. How to verify AWS KMS asymmetric key signatures locally with OpenSSL
      7. Digital signing with the new asymmetric keys feature of AWS KMS
      8. How to migrate a digital signing workload to AWS CloudHSM
      9. AWS CloudHSM Use Cases (Part One of the AWS CloudHSM Series)
      10. New – Code Signing, a Trust and Integrity Control for AWS Lambda
      11. How to protect HMACs inside AWS KMS
    3. CloudHSM
      1. How to deploy CloudHSM to securely share your keys with your SaaS provider
      2. Migrate and secure your Windows PKI to AWS with AWS CloudHSM
      3. Integrate CloudHSM PKCS #11 Library 5.0 with serverless workloads
      4. How to lower costs by automatically deleting and recreating HSMs
    4. KMS
      1. How to BYOK (bring your own key) to AWS KMS for less than $15.00 a year using AWS CloudHSM
      2. Demystifying KMS keys operations, bring your own key (BYOK), custom key store, and ciphertext portability
      3. Are KMS custom key stores right for you?
    5. General Data Protection
      1. Best practices for securing sensitive data in AWS data stores
      2. Millennium Management: Secure machine learning using Amazon SageMaker
    6. S3 Data Protection
      1. IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)
    7. Encryption SDK
      1. How to decrypt ciphertexts in multiple regions with the AWS Encryption SDK in C
    8. Amazon Macie
      1. Automate the archival and deletion of sensitive data using Amazon Macie
    9. ACM / ACM Private CA
      1. How to use ACM Private CA for enabling mTLS in AWS App Mesh
      2. Securing Kubernetes applications with AWS App Mesh and cert-manager
      3. Maintaining Transport Layer Security all the way to your container: using the Application Load Balancer with Amazon ECS and Envoy
      4. Using ACM Private Certificate Authority in a multi-account environment by using IAM roles
      5. Setting up end-to-end TLS encryption on Amazon EKS with the new AWS Load Balancer Controller
      6. TLS-enabled Kubernetes clusters with ACM Private CA and Amazon EKS
    10. Secrets Manager
      1. How to configure rotation windows for secrets stored in AWS Secrets Manager
    11. Cryptography
      1. What is cryptographic computing? A conversation with two AWS experts
  4. Data discovery and classification
    1. Data classification
      1. Basics
        1. Data is the product and currency of information systems
        2. Data has intrinsic value based on its use
        3. Data is one of the fundamental subjects of cybersecurity efforts
        4. Data must be classified and protected based on its impact
        5. Storage must support protections appropriate to the data classification
      2. Data risks
        1. Legal – Civil or criminal liability
        2. Reputational – Tarnished perception to customers, partners, regulators, or the public
        3. Financial – Direct or indirect loss of money
        4. Operational – Impact to productivity or disruption of business practices
      3. Sample classification levels
        1. Public
        2. Privileged
        3. Restricted
      4. Data governance and oversight
        1. Storage – Data assets should have a designated place to live.
        2. Attribution and Ownership – Every data asset must have an owner and a purpose
        3. Labeling – All data assets should be labeled
        4. Inventory – Location of data assets should be tracked
        5. Discovery – All data should be scanned to ensure the contents match what’s expected
      5. Methods of data discovery
        1. User-based – (Manual)
        2. Context-based – (Manual or Automated)
        3. Content-based – (Automated)
    2. Data protection considerations
      1. Access
        1. Entities – Authorized people or processes
        2. Methods – By what mechanisms
        3. Conditions – Under which conditions is access allowed
      2. Encryption
        1. Strength per classification level
        2. Keys per purpose and/or attribution
      3. Logging, Monitoring and Alerting
        1. Log all reads and writes
        2. Alert on unauthorized or unexpected operations
        3. Monitor configuration drift
      4. Lifecycle
        1. Retention
        2. Backups
        3. Destruction standards
    3. Amazon Macie
      1. Monitoring and processing findings
        1. EventBridge
          1. Report to Jira or Slack
          2. Tag buckets as "sensitive"
          3. Visualize findings with Amazon QuickSight
          4. Take action using AWS Step Functions
          5. etc.
        2. Security Hub
        3. Amazon Partner Network
      2. Macie onboarding
        1. Enable Macie on all accounts
        2. Evaluate bucket security posture
        3. Run inspection jobs on data sets
        4. Centrally manage multiple Macie accounts
          1. AWS Organizations
          2. Membership invitations
      3. Additional considerations
        1. Allowing Macie to access buckets and objects
        2. Supported file and storage formats
        3. Encrypted objects
        4. Long term storage of results
        5. Forecasting and monitoring costs
        6. Security in Amazon Macie
          1. Data protection
          2. Identity and access management
          3. Logging and monitoring
          4. Compliance validation
          5. Resilience
          6. Infrastructure security
          7. VPC endpoints (AWS PrivateLink)
      4. Sensitive Data Discovery jobs
        1. Automate the discovery of sensitive data
          1. Continuous
          2. On-demand
          3. Control breadth/depth/exclude
        2. Discover a variety of sensitive data types
          1. Managed data identifiers (credentials, financial, PHI, PII)
          2. Custom data identifiers
        3. Scan Job configuration
          1. S3 bucket components
            1. Gathering metadata and calculating statistics
              1. General information about the bucket (name, ARN, etc.)
              2. Account-level permissions settings that apply to the bucket
              3. Bucket-level permissions settings for the bucket
              4. Shared access and replication settings for the bucket
              5. Object counts and settings for objects in the bucket
            2. Monitoring bucket security and privacy
              1. Account-level events
              2. Bucket-level events
            3. Evaluating bucket security and access control
              1. Zelkova
          2. Scope for sensitive data discovery jobs
            1. S3 buckets
            2. Preview the criteria results
            3. Include existing S3 objects
            4. Sampling depth (% of objects)
            5. S3 object criteria (include/exclude)
              1. Last modified
              2. Prefix
              3. Storage size
              4. Tags
      5. Data security configuration & policies checking
        1. Know if your buckets are encrypted
        2. Know if your buckets are open to the world (Public read and/or write)
        3. Know if your buckets are being shared outside your Org
        4. Evaluate and monitor data for security and access control
          1. Dashboard
          2. Policy findings
          3. Sensitive data findings
          4. Statistics
          5. Suppressing findings
          6. S3 bucket inventory
  5. Fundamentals
    1. Data usage
      1. Data in motion
      2. Data at rest
      3. Data in use
    2. People
      1. Data Owner
      2. Data Custodian
      3. Data Controller
      4. Data Processor
      5. Data Protection Officer
    3. Process
      1. Create a Data Classification Policy
      2. Data Sovereignty
      3. Identify location of your data
        1. How is my data stored?
      4. Classify your data
        1. Tags
        2. Labels
        3. Metadata
    4. Technology
      1. Encryption and Key Management
      2. Data Discovery and Classification
      3. Certificate Management
      4. Secrets Management
      5. Digital Rights Management
      6. Tokenization
      7. Data Loss Prevention
    5. Certificates
      1. What are certificates?
      2. What is a certificate authority?
      3. Why is identity verification using certificates useful compared to username and password based mechanisms?
      4. What data is being protected?