AWS Cloud Developer Associate Certification

19. Security Services – KMS, Encryption SDK, SSM Parameter Store

Index

  1. AWS Security – Section Introduction
  2. Encryption 101
  3. KMS
    • KMS Overview
    • KMS Hands On w/ CLI
    • KMS Encryption Patterns and Envelope Encryption
    • Encryption SDK CLI Hands On
    • KMS Limits
    • KMS and AWS Lambda Practice
  4. S3
    1. S3 Security Advanced
    2. S3 Bucket Key
  5. SSM
    • SSM Parameter Store Overview
    • SSM Parameter Store Hands On (CLI)
    • SSM Parameter Store Hands On (AWS Lambda)
  6. Secrets Manager
    • Secrets Manager Overview
    • Secrets Manager – Hands On
  7. SSM Parameter Store vs Secrets Manager
  8. CloudWatch Logs Encryption
  9. CodeBuild Security

AWS Security – Section Introduction

Why encryption?

Encryption in flight (SSL)

  1. Data is encrypted before sending and decrypted after receiving
  2. SSL certificates help with encryption (HTTPS)
  3. Encryption in flight protects against MITM (man-in-the-middle) attacks

Server side encryption at rest

  1. Data is encrypted after being received by the server
  2. Data is decrypted before being sent
  3. It is stored in an encrypted form thanks to a key (usually a data key)
  4. The encryption / decryption keys must be managed somewhere, and the server must have access to them

Client side encryption

  1. Data is encrypted by the client and never decrypted by the server
  2. Data will be decrypted by a receiving client
  3. The server should not be able to decrypt the data
  4. Could leverage Envelope Encryption

KMS (Key Management Service)

KMS Overview

  1. Anytime you hear “encryption” for an AWS service, it’s most likely KMS
  2. Easy way to control access to your data, AWS manages keys for us
  3. Fully integrated with IAM for authorization
  4. Seamlessly integrated into:
    1. Amazon EBS: encrypt volumes
    2. Amazon S3: server-side encryption of objects
    3. Amazon Redshift: encryption of data
    4. Amazon RDS: encryption of data
    5. Amazon SSM: Parameter Store
    6. Etc…
  5. But you can also use the CLI / SDK
  6. Able to fully manage the keys & policies:
    1. Create
    2. Rotation policies
    3. Disable
    4. Enable
  7. Able to audit key usage (using CloudTrail)
  8. Three types of Customer Master Keys (CMK):
    1. AWS Managed Service Default CMK: free
    2. User Keys created in KMS: $1 / month
    3. User Keys imported (must be a 256-bit symmetric key): $1 / month
  9. Pay per API call to KMS ($0.03 / 10,000 calls)

AWS KMS 101

  1. Anytime you need to share sensitive information… use KMS
    1. Database passwords
    2. Credentials to external services
    3. Private key of SSL certificates
  2. The value in KMS is that the CMK used to encrypt data can never be retrieved by the user, and the CMK can be rotated for extra security
  3. Never ever store your secrets in plaintext, especially in your code!
  4. Encrypted secrets can be stored in the code / environment variables
  5. KMS can only help in encrypting up to 4 KB of data per call
  6. If data > 4 KB, use envelope encryption
  7. To give access to KMS to someone
    1. Make sure the Key Policy allows the user
    2. Make sure the IAM Policy allows the API calls

KMS Key Policies

  1. Control access to KMS keys, “similar” to S3 bucket policies
  2. Difference: you cannot control access without them
  3. Default KMS Key Policy:
    1. Created if you don’t provide a specific KMS Key Policy
    2. Gives the root user (i.e. the entire AWS account) complete access to the key
    3. Thereby allows IAM policies in the account to grant access to the KMS key
  4. Custom KMS Key Policy:
    1. Define users, roles that can access the KMS key
    2. Define who can administer the key
    3. Useful for cross-account access of your KMS key

Copying Snapshots across accounts

  1. Create a Snapshot, encrypted with your own CMK
  2. Attach a KMS Key Policy to authorize cross-account access
  3. Share the encrypted snapshot
  4. (In the target account) create a copy of the snapshot, encrypted with a KMS key in that account
  5. Create a volume from the snapshot

KMS – Customer Master Key (CMK) Types

  1. Symmetric (AES-256 keys)
    1. First offering of KMS, single encryption key that is used to Encrypt and Decrypt
    2. AWS services that are integrated with KMS use Symmetric CMKs
    3. Necessary for envelope encryption
    4. You never get access to the Key unencrypted (must call KMS API to use)
  2. Asymmetric (RSA & ECC key pairs)
    1. Public (Encrypt) and Private Key (Decrypt) pair
    2. Used for Encrypt/Decrypt, or Sign/Verify operations
    3. The public key is downloadable, but you can’t access the Private Key unencrypted
    4. Use case: encryption outside of AWS by users who can’t call the KMS API

Envelope Encryption

  1. KMS Encrypt API call has a limit of 4 KB
  2. If you want to encrypt more than 4 KB, you need to use Envelope Encryption
  3. The main API that will help us is the GenerateDataKey API
  4. For the exam: anything over 4 KB of data that needs to be encrypted must use the Envelope Encryption == GenerateDataKey API

Encryption SDK

  1. The AWS Encryption SDK implements Envelope Encryption for us
  2. The Encryption SDK also exists as a CLI tool we can install
  3. Implementations for Java, Python, C, JavaScript
  4. Feature – Data Key Caching:
    1. Re-use data keys instead of creating new ones for each encryption
    2. Helps with reducing the number of calls to KMS, with a security trade-off
    3. Use LocalCryptoMaterialsCache (max age, max bytes, max number of messages)

KMS Symmetric – API Summary

  1. Encrypt: encrypt up to 4 KB of data through KMS
  2. GenerateDataKey: generates a unique symmetric data key (DEK)
    1. Returns a plaintext copy of the data key
    2. AND a copy that is encrypted under the CMK that you specify
  3. GenerateDataKeyWithoutPlaintext:
    1. Generate a DEK to use at some point (not immediately)
    2. DEK that is encrypted under the CMK that you specify (must use Decrypt later)
  4. Decrypt: decrypt up to 4 KB of data (including Data Encryption Keys)
  5. GenerateRandom: returns a random byte string
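The envelope pattern from the Envelope Encryption section, expressed with the two API calls summarised above (GenerateDataKey on the way in, Decrypt of only the small wrapped key on the way out), as an added Go example that is not part of these notes. KeyService is an assumed interface that the AWS SDK kms client would satisfy in real code, and AES-256-GCM for the local step is this example's choice (the Encryption SDK makes its own).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// KeyService is the slice of KMS that envelope encryption needs; production code would satisfy
// it with the AWS SDK kms client (the GenerateDataKey and Decrypt API calls).
type KeyService interface {
	GenerateDataKey(keyID string) (plaintextDEK, encryptedDEK []byte, err error)
	Decrypt(encryptedDEK []byte) ([]byte, error)
}

// Envelope is what gets stored: the DEK encrypted under the CMK plus the ciphertext made locally.
type Envelope struct{ EncryptedDEK, Nonce, Ciphertext []byte }

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length, i.e. a caller bug
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// EnvelopeEncrypt makes one GenerateDataKey call however large the payload is; the payload is
// encrypted locally with AES-256-GCM, so the 4 KB limit of the Encrypt API never applies.
// The encrypted DEK doubles as AEAD associated data, binding the ciphertext to its own key.
func EnvelopeEncrypt(svc KeyService, keyID string, plaintext []byte) (*Envelope, error) {
	dek, encDEK, err := svc.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	defer func() { for i := range dek { dek[i] = 0 } }() // plaintext DEK lives only for this call
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand: never returns an error on supported platforms
	return &Envelope{encDEK, nonce, gcm(dek).Seal(nil, nonce, plaintext, encDEK)}, nil
}

// EnvelopeDecrypt sends only the small encrypted DEK to KMS Decrypt, then unwraps the data locally.
func EnvelopeDecrypt(svc KeyService, env *Envelope) ([]byte, error) {
	dek, err := svc.Decrypt(env.EncryptedDEK)
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, env.Nonce, env.Ciphertext, env.EncryptedDEK)
}
```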

KMS Request Quotas

  1. When you exceed a request quota, you get a ThrottlingException
  2. To respond, use exponential backoff (backoff and retry)
  3. For cryptographic operations, they share a quota
  4. This includes requests made by AWS on your behalf (ex: SSE-KMS)
  5. For GenerateDataKey, consider using DEK caching from the Encryption SDK
  6. You can request a quota increase through the API or AWS Support
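Backoff-and-retry for the ThrottlingException case above, as an added Go example that is not from these notes. The ErrThrottled sentinel, the flakyKMS stand-in and the injectable sleep function are the example's own assumptions; the AWS SDK surfaces the real exception as an error that you would map onto that check.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"time"
)

// ErrThrottled stands in for the ThrottlingException that KMS returns once a request quota is
// exceeded; mapping the SDK's error onto this sentinel is an assumption of the example.
var ErrThrottled = errors.New("ThrottlingException")

// RetryOnThrottle runs call with capped exponential backoff and full jitter, retrying only on
// throttling: an access-denied error points at a key policy or IAM policy problem that waiting
// cannot fix. It returns how many attempts were made, which is worth logging because the
// cryptographic operations on a key share one quota, including calls AWS makes for you (SSE-KMS).
func RetryOnThrottle(call func() error, maxAttempts int, base, maxDelay time.Duration, sleep func(time.Duration)) (int, error) {
	for attempt := 1; ; attempt++ {
		err := call()
		if !errors.Is(err, ErrThrottled) || attempt >= maxAttempts {
			return attempt, err // success, a non-retryable error, or the retry budget is spent
		}
		delay := base << uint(attempt-1)
		if delay > maxDelay || delay <= 0 { // <= 0 catches shift overflow
			delay = maxDelay
		}
		sleep(time.Duration(rand.Int63n(int64(delay) + 1))) // full jitter: uniform in [0, delay]
	}
}

// flakyKMS is a constructed stand-in for KMS: it throttles the first throttleFirst calls, then succeeds.
type flakyKMS struct{ throttleFirst, calls int }

func (k *flakyKMS) GenerateDataKey() error {
	k.calls++
	if k.calls <= k.throttleFirst {
		return ErrThrottled
	}
	return nil
}

func main() {
	kms := &flakyKMS{throttleFirst: 3}
	attempts, err := RetryOnThrottle(kms.GenerateDataKey, 6, 100*time.Millisecond, 5*time.Second, time.Sleep)
	fmt.Println(attempts, err) // 4 <nil>
}
```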

S3 Encryption for Objects

  1. There are 4 methods of encrypting objects in S3
    1. SSE-S3: encrypts S3 objects using keys handled & managed by AWS
    2. SSE-KMS: leverage AWS Key Management Service to manage encryption keys
    3. SSE-C: when you want to manage your own encryption keys
    4. Client Side Encryption
  2. It’s important to understand which ones are adapted to which situation for the exam

SSE-KMS

  1. SSE-KMS: encryption using keys handled & managed by KMS
  2. KMS Advantages: user control + audit trail
  3. Object is encrypted server side
  4. Must set the header x-amz-server-side-encryption: aws:kms
  5. SSE-KMS leverages the GenerateDataKey & Decrypt KMS API calls
  6. To perform SSE-KMS, you need:
    1. A KMS Key Policy that authorizes the user / role
    2. An IAM policy that authorizes access to KMS
    3. Otherwise you will get an access denied error
  7. S3 calls to KMS for SSE-KMS count against your KMS limits
    1. If throttling, try exponential backoff
    2. If throttling, you can request an increase in KMS limits
    3. The service throttling is KMS, not Amazon S3

S3 Bucket Policies – Force SSL

  1. To force SSL, create an S3 bucket policy with a DENY on the condition aws:SecureTransport = false
  2. Note: using an ALLOW on aws:SecureTransport = true would allow anonymous GetObject when using SSL

S3 Bucket Policy – Force Encryption of SSE-KMS

  1. Deny incorrect encryption header: make sure it includes aws:kms (== SSE-KMS)
  2. Deny no encryption header to ensure objects are not uploaded un-encrypted
  3. Note: could swap 2) for S3 default encryption of SSE-KMS
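A bucket policy that combines the SSL-only rule and the two SSE-KMS header rules above, as an added example that is not from these notes; EXAMPLE-BUCKET is a placeholder bucket name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET", "arn:aws:s3:::EXAMPLE-BUCKET/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}
    },
    {
      "Sid": "DenyMissingEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
    }
  ]
}
```

The third statement is the one that S3 default encryption set to SSE-KMS can replace, as the note above says; the first two stay.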

S3 Bucket Key for SSE-KMS encryption

  1. New setting to decrease…
    1. Number of API calls made to KMS from S3 by 99%
    2. Costs of overall KMS encryption with Amazon S3 by 99%
  2. This leverages data keys:
    1. An “S3 bucket key” is generated by KMS for the bucket
    2. That bucket key is then used by S3 to create the data keys for new objects, instead of calling KMS for each object
  3. You will see fewer KMS events in CloudTrail

SSM Parameter Store

  1. Secure storage for configuration and secrets
  2. Optional Seamless Encryption using KMS
  3. Serverless, scalable, durable, easy SDK
  4. Version tracking of configurations / secrets
  5. Configuration management using path & IAM
  6. Notifications with CloudWatch Events
  7. Integration with CloudFormation

SSM Parameter Store Hierarchy

  /my-department/
      my-app/
          dev/
              db-url
              db-password
          prod/
              db-url
              db-password
      other-app/
  /other-department/
  /aws/reference/secretsmanager/secret_ID_in_Secrets_Manager
  /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

Standard and advanced parameter tiers

                                                Standard                                 Advanced
Total number of parameters allowed              10,000                                   100,000
(per AWS account and Region)
Maximum size of a parameter value               4 KB                                     8 KB
Parameter policies available                    No                                       Yes
Cost                                            No additional charge                     Charges apply
Storage pricing                                 Free                                     $0.05 per advanced parameter per month
API interaction pricing                         Standard throughput: free                Standard throughput: $0.05 per 10,000 API interactions
(higher throughput = up to 1,000                Higher throughput: $0.05 per 10,000      Higher throughput: $0.05 per 10,000 API interactions
transactions per second)                        API interactions

Parameters Policies (for advanced parameters)

  1. Allows assigning a TTL (expiration date) to a parameter, to force updating or deleting sensitive data such as passwords
  2. Can assign multiple policies at a time

AWS Secrets Manager Overview

  1. Newer service, meant for storing secrets
  2. Capability to force rotation of secrets every X days
  3. Automate generation of secrets on rotation (uses Lambda)
  4. Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
  5. Secrets are encrypted using KMS
  6. Mostly meant for RDS integration

SSM Parameter Store vs Secrets Manager

  1. Secrets Manager ($$$):
    1. Automatic rotation of secrets with AWS Lambda
    2. Lambda function is provided for RDS, Redshift, DocumentDB
    3. KMS encryption is mandatory
    4. Can integrate with CloudFormation
  2. SSM Parameter Store ($):
    1. Simple API
    2. No secret rotation (can enable rotation using Lambda triggered by CloudWatch Events)
    3. KMS encryption is optional
    4. Can integrate with CloudFormation
    5. Can pull a Secrets Manager secret using the SSM Parameter Store API

CloudWatch Logs Encryption

  1. You can encrypt CloudWatch logs with KMS keys
  2. Encryption is enabled at the log group level, by associating a CMK with a log group, either when you create the log group or after it exists.
  3. You cannot associate a CMK with a log group using the CloudWatch console.
  4. You must use the CloudWatch Logs API:
    1. associate-kms-key: if the log group already exists
    2. create-log-group: if the log group doesn’t exist yet

CodeBuild Security

  1. To access resources in your VPC, make sure you specify a VPC configuration for your CodeBuild project
  2. Secrets in CodeBuild:
    1. Don’t store them as plaintext in environment variables
    2. Instead…
      1. Environment variables can reference Parameter Store parameters
      2. Environment variables can reference Secrets Manager secrets

Published by


sevanand yadav

Software engineer working as a web developer, specializing in Spring MVC with MySQL and Hibernate.
