In this post we will go through the most important points on security and data encryption.
Encryption:
- In flight (SSL/TLS): encrypted through SSL/TLS certificates and HTTPS, which protects against MITM.
- Server-side at rest: encrypted on the server before the data is persisted, for example with KMS keys.
- Client-side: encrypted by the client before sending to the server. Can leverage envelope encryption.
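The client-side envelope pattern mentioned above, as an added example written for these notes (not AWS or SDK code): a locally held master key stands in for the KMS key, Seal plays the role of kms:GenerateDataKey followed by local encryption, Open plays the role of kms:Decrypt on the wrapped data key, and the object name is bound in as AES-GCM associated data. Assumed here: the master key lives in the same process, whereas a real KMS key never leaves KMS.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Envelope is what the client stores next to the object: no plaintext key material.
type Envelope struct {
	WrappedKey []byte // nonce || AES-256-GCM(master key, data key)
	Ciphertext []byte // nonce || AES-256-GCM(data key, plaintext)
}
// aead builds AES-GCM for a key; a bad key size is a caller bug, hence the panic.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}
// seal prepends a fresh random nonce; crypto/rand.Read never errors since Go 1.24 (it crashes instead).
func seal(gcm cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; a wrong key, wrong AAD or tampered bytes fail the GCM tag check.
func open(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}
// Seal stands in for kms:GenerateDataKey plus local encryption: a fresh 256-bit data key encrypts the payload once, and only its wrapped copy is stored.
func Seal(masterKey, plaintext, aad []byte) Envelope {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	return Envelope{seal(aead(masterKey), dataKey, aad), seal(aead(dataKey), plaintext, aad)}
}
// Open stands in for kms:Decrypt of the wrapped key, followed by local decryption.
func Open(masterKey []byte, env Envelope, aad []byte) ([]byte, error) {
	dataKey, err := open(aead(masterKey), env.WrappedKey, aad)
	if err != nil {
		return nil, err
	}
	return open(aead(dataKey), env.Ciphertext, aad)
}
```

Because the data key is random per object, rotating or revoking the master key only requires re-wrapping the small WrappedKey field, never re-encrypting the payload itself.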
KMS: managed encryption keys in AWS.
- Key types:
  - KMS keys: formerly called KMS customer master keys (CMKs).
  - Symmetric (AES-256 keys): services that integrate with KMS use symmetric keys.
  - Asymmetric (RSA and ECC key pairs).
- KMS keys:
  - AWS owned keys (free): SSE-S3, SSE-SQS, SSE-DDB...
  - AWS managed keys (free): aws/ebs, aws/sqs...
  - Customer managed keys created in KMS ($1/month + API calls)
  - Customer managed imported keys ($1/month + API calls)
  - Plus pay per API call to KMS ($0.03 per 10,000 calls).
- Automatic key rotation: every year, except for imported keys, which must be rotated manually.
- KMS key policies: default (grants the account root user access) or custom (defines which users and roles can access the key). Useful for cross-account access to your keys.
- Snapshots across regions: keys are region specific, so two keys are needed. This also holds for multi-region keys, which work under a replication model (the primary key syncs its replicas). Used for transparent multi-region replication in Aurora or DynamoDB, for example.
- Snapshots across accounts: use the KMS key policy to authorize cross-account access.
S3 replication with encryption: unencrypted and SSE-S3 encrypted objects are replicated. SSE-C objects are never replicated. SSE-KMS objects can be replicated if enabled (use KMS key policies granting kms:Decrypt and kms:Encrypt; a quota increase may be needed if the API calls hit limits). With multi-region KMS keys the process is still the same (they are treated as different KMS keys by the replication process).
AMI sharing encrypted via KMS: set the image attribute launch permissions specifying the target AWS account, and share the KMS keys used to encrypt it. The target account can use a new KMS key it owns when launching, to re-encrypt the volumes.
Systems Manager Parameter Store: secure storage for configuration and secrets (optionally encrypted through KMS), with versioning, notifications and integration with CloudFormation. Two tiers; Advanced is pay per advanced parameter per month ($0.05). Advanced parameters can use parameter policies (e.g. a TTL expiration date) and the maximum parameter size is increased from 4 KB to 8 KB.
AWS Secrets Manager: newer service meant for storing secrets (always encrypted). Supports rotation, automating the generation of secrets on rotation, and integration with RDS. Multi-region secrets are available (via replicas).
AWS Certificate Manager (ACM): provides in-flight encryption for ELB, CloudFront and API Gateway (not for EC2 directly).
- Requesting public certificates: domains (FQDN or wildcards), validation method (DNS or email), automatic renewal (for public certificates, starting 60 days prior to expiration).
- Importing public certificates: loses automatic renewal, but daily expiration events will start 45 days (configurable) before expiration, notifying of the upcoming expiry.
- ACM integration with API Gateway:
  - Edge-optimized (default), for global clients: the TLS certificate must be in the same region as CloudFront.
  - Regional: the TLS certificate is imported into API Gateway in the same region as the API stage.
  - Set up a CNAME or A-Alias record for resolution in both cases.
Web Application Firewall (WAF): protects at layer 7: ALB, API Gateway, CloudFront, AppSync GraphQL API, Cognito user pool. Web ACLs are regional, except for CloudFront.
AWS Shield: protection against DDoS attacks. Standard is free (SYN/UDP floods, layer 3/4 attacks...). Shield Advanced ($3k/month) protects against more sophisticated attacks, includes the DDoS Response Team (DRT), protects from high fees during usage spikes, and automatically evaluates and deploys rules.
AWS Firewall Manager: manage rules across all accounts in an AWS Organization through security policies (WAF rules, AWS Shield Advanced, security groups, AWS Network Firewall (VPC), Route 53 Resolver DNS Firewall). Policies are defined at region level.
Amazon GuardDuty: intelligent (ML-based) threat discovery. Input data includes:
- CloudTrail event logs
- VPC Flow Logs
- DNS logs
- Optional features
- Can protect against cryptocurrency attacks
Amazon Inspector: automated security assessments of EC2 instances, container images (ECR) and Lambda functions.
Amazon Macie: detects PII in your buckets through ML and pattern matching.