-
Notifications
You must be signed in to change notification settings - Fork 61
/
AWS Notes 11 - Cryptography.txt
179 lines (150 loc) · 10.9 KB
/
AWS Notes 11 - Cryptography.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
===============================================
===============================================
=
= AWS
= Certified Solutions Architect - Professional
= SAP-C01 Exam Study Notes
=
= *** Note 11: Cryptography ***
=
= Created:
= By: Hicham El Alaoui
= Email: [email protected]
= Date: Mar-2021
=
= Source: https://github.com/helalaoui/AWS-Solutions-Architect-Certification
=
===============================================
===============================================
AWS Signature version 4:
- When you send HTTP requests to AWS services, you (or your client tool/SDK) sign the requests so that AWS can identify who sent them.
- You sign requests with your AWS access key, which consists of an access key ID and secret access key.
- Some requests do not need to be signed, such as anonymous requests to Amazon S3.
===========================
AWS CloudHSM:
- A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys.
- AWS CloudHSM provides single-tenant HSMs in the AWS Cloud.
- Use cases:
- Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs.
- Use symmetric and asymmetric algorithms to encrypt and decrypt data.
- Cryptographically sign data (including code signing) and verify signatures.
- Offload the SSL/TLS Processing for Web Servers.
- Protect the Private Keys for a certificate issuing Certificate Authority (CA).
- CloudHSM Client SDK includes software to integrate your applications with your CloudHSM cluster.
- You can create a cluster that has from 1 to 28 HSMs in different AZs in the same Region. The default limit is 6 HSMs per account per region.
- Backup:
- AWS CloudHSM makes periodic backups of the users, keys, and policies in the cluster.
- The HSM encrypts all of its data before sending it to a service-controlled S3 bucket.
- FIPS 140-2 Level 3 certified.
- Pricing: number of hours.
===========================
Envelope encryption:
- Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
- The latter key can also be encrypted under a third key, and so on.
- Eventually, one key must remain in plaintext so you can decrypt the keys and your data.
- This top-level plaintext encryption key is known as the master key.
AWS Key Management Service (KMS):
- A fully managed service to create and manage cryptographic keys.
- You can create symmetric or asymmetric keys.
- You can also import keys from your own key management infrastructure or use keys stored in your AWS CloudHSM cluster (custom key store). In both cases, only symmetric keys are supported.
- Enforces permissions to use keys using AWS IAM.
- KMS keys management is a multi-tenant infrastructure (FIPS level 2). If you require a dedicated infrastructure (FIPS Level 3), use a custom key store (backed with a CloudHSM cluster).
- In KMS, a master key is called Customer Master Key (CMK).
Customer Master Keys (CMKs):
- CMK is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state.
- You can use AWS KMS APIs directly to encrypt and decrypt data using your CMKs stored in the service (up to 4 KB of data per API call).
- Can be Symmetric or Asymmetric.
- Symmetric Keys cannot be exported.
- For Asymmetric keys, only the public key can be exported.
- Key identifiers (Key IDs) act as names for your CMKs.
Custom Key Store:
- KMS provides the option for you to create your own key store using HSMs that you own and manage (FIPS 140-2 Level 3 certified).
- Each custom key store is backed by an AWS CloudHSM cluster.
- When you create a CMK in a custom key store, the service generates and stores key material for the CMK in the associated CloudHSM cluster.
Asymmetric Keys:
- KMS provides you the capability to create and use asymmetric CMKs.
- You can designate a CMK for use as a signing key pair or an encryption key pair.
- Asymmetric cryptographic operations using these CMKs are performed inside HSMs. You can request the public portion of the asymmetric CMK for use in your local applications, while the private portion never leaves the service.
- You can also generate an asymmetric data key pair. This operation returns a plaintext copy of the public key and private key.
Symmetric vs Asymmetric:
- AWS KMS supports symmetric and asymmetric CMKs.
- A symmetric CMK represents a 256-bit key that is used for encryption and decryption.
- An asymmetric CMK represents either:
- an RSA key pair that is used for encryption and decryption or signing and verification (but not both),
- an Elliptic Curve (ECC) key pair that is used for signing and verification.
Customer managed CMKs:
- You have full control over the management of your keys, including the ability to share access to keys across accounts or services.
- You can assign policies to these CMKs.
- You can define an alias and description for the key.
- You can opt-in to have the key automatically rotated once per year (for symmetric keys only).
AWS managed CMKs:
- Applies to some AWS services only.
- For these AWS services, data is encrypted by default using keys that are stored in your AWS KMS and managed by the AWS service in question.
- Some services give you the choice of managing the keys yourself or allowing the service to manage the keys on your behalf.
- Automatic rotation required every 3 years (for symmetric keys only).
AWS owned CMKs:
- a collection of CMKs that an AWS service owns and manages for use in multiple AWS accounts.
- You cannot view or use them.
Key Material:
- Key Material: the 256-bit key that is included in a CMK and used to encrypt and decrypt data.
- By default, KMS generates the key material for the CMK you create.
- But you can create a CMK without key material and then import your own key material into that CMK, a feature often known as "bring your own key" (BYOK).
- Importing Key Material:
- Supported only for symmetric CMKs in AWS KMS key stores. It is not supported on asymmetric CMKs or CMKs in custom key stores.
- You cannot enable automatic key rotation for a CMK with imported key material. However, you can manually rotate a CMK with imported key material.
- Importing the same key material to two different CMKs does not make them identical CMKs.
Key Rotation:
- To create new cryptographic material for your CMK, you can do either manual or automatic rotation of the CMK.
- Automatic Rotation:
- Supported only on symmetric customer-managed CMKs.
- Rotation is done once per year without the need to re-encrypt previously encrypted data.
- The properties of the CMK, including its key ID, key ARN, region, policies, and permissions, do not change when the key is rotated.
- The service automatically keeps older versions of the master key available to decrypt previously encrypted data.
- Manual Rotation:
- You create a new CMK and then change your applications or aliases to use the new CMK.
- The new CMK has as a different key ID and ARN.
- You can use a KMS alias to refer to a CMK in your applications. You then need to only update the KMS alias when rotating the CMK.
- Use cases:
- Control the key rotation schedule
- Rotate CMKs that are not eligible for automatic key rotation: asymmetric CMKs, CMKs in custom key stores, and CMKs with imported key material.
- You should keep the original CMK enabled: when decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data.
Data keys:
- Used to encrypt data locally in the AWS service or in your application.
- Generated by KMS but must be used outside of KMS.
- Data keys are not retained or managed by AWS KMS.
- Can be exported in plain text or encrypted under a symmetric CMK you define.
- Can be symmetric (data key) or asymmetric (data key pair).
- Data keys used by AWS Services:
- Some AWS services (like S3) encrypt your data and store an encrypted copy of the data key along with the encrypted data.
- When the service needs to decrypt your data, it requests AWS KMS to decrypt the data key using your CMK.
- If the user requesting data from the AWS service is authorized to decrypt under your CMK, the AWS service will receive the decrypted data key from AWS KMS. The AWS service then decrypts your data and returns it in plaintext.
CMK Authorization:
- Key administrator: manages the key but cannot use it.
- Key User: can use the key.
KMS Service Access:
- Access to KMS uses a public endpoint (Internet).
- If you want avoid traversing Internet to communicate with KMS, use a VPC Endpoint and enable the Private DNS Name option.
=======================
AWS Certificate Manager (ACM):
- A service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources.
- ACM makes it easy to import SSL/TLS certificates issued by third-party CAs and deploy them with your ELBs, CloudFront and API Gateways.
- Certificates in ACM are regional resources. To use a certificate with ELB for the same FQDN in more than one AWS region, you must request or import a certificate for each region.
- To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region.
- Public and private certificates provisioned through AWS Certificate Manager for use with ACM-integrated services are free.
- ACM provides managed renewal for your Amazon-issued SSL/TLS certificates.
- ACM Private Certificate Authority (CA):
- A managed private CA service that helps you easily and securely manage the lifecycle of your private certificates.
- You pay monthly for the operation of the private CA and for the private certificates you issue.
ACM vs IAM certificate store:
- For certificates in a Region supported by ACM, we recommend that you use ACM to provision, manage, and deploy your server certificates.
- In unsupported Regions, you must use IAM as a certificate manager.
=======================
AWS Secrets Manager:
- Enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
- Provides this flexibility by storing the secret as key-value pairs of text strings.
- Supports versioning.
- Can automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
- Supports binary data in the secret.
- Access control enforced by AWS IAM: use identity-based or resource-based policies.
- Uses KMS Envelope Encryption: secrets can be encrypted by a data key generated by KMS. The encrypted data key is stored with the secret. Secret Manager uses KMS to decrypt the data key when needed.
- Sensitive data stored in AWS Secrets Manager secrets can be exposed to an ECS container or to an AWS Batch job as environment variables or as part of the log configuration.