Overview of Encryption Data with AWS

gkzz
6 min read · Apr 23, 2020


Hello, Medium.

How’s your AWS Certification Exam study going?

I’ll share with you what I’ve learned today.

Today’s topic is about encryption data with AWS.

Here we go!

1. What should you do first to protect your data?

AWS says the first step is data classification: deciding whether each piece of data is private/critical or not.

The features of private data:

# Encrypted
# Not directly accessible from the internet
# Requires authentication and authorization

sources: Best Practices for Encrypting Data on AWS

Anyway, I have got the following question.

Why isn’t everything encrypted?

I would be happy to reply, if you have any idea:)

The answer I googled and found is as follows:

The first answer that we will give is that having encryption on the web site slows it down. While it may not be important for you to visit your bank’s web site at the fastest internet speeds, there are certain web sites where speed really does matter. This is especially true if you are on a web site with a lot of content. So if the data on the web site is not vital and the amount of content is large then there really is no reason to add encryption. And that leads to my next point.

Not everything is important enough to have encryption on it. If you are on a web page with just a picture of cats being goofy then you do not need encryption. Different web sites have different security priorities.

sources: WHY ISN’T EVERYTHING ENCRYPTED ONLINE?

My point is to consider which data to encrypt and which not to.

Let me ask you a few simple questions.

Q. Is it important enough to be encrypted, even if that makes it slower to transfer?
Q. Should the general public not be able to receive it?

2. When should data be encrypted?

Sensitive data must be protected in the following two states:

# While being transported: in transit
# While being stored: at rest

FIGURE1: “When should data be encrypted”, created by myself

Let’s look at each state more concretely.

Use cases to transport data, in transit

# Implement secure key and certificate management
  - AWS Certificate Manager
# Enforce encryption in transit
  - Security groups that allow only the HTTPS protocol to an Application Load Balancer or EC2 instance
  - HTTPS with CloudFront
  - SSL/TLS with Amazon RDS, Amazon Redshift
  - IPsec VPN for securing point-to-point or network-to-network connections
  - s2n, a TLS library designed by AWS

sources: How do you protect your data in transit? — AWS Well-Architected Framework

Use cases to store data, at rest

The keys to encryption:

# Encryption method: where the data is encrypted
# Key Management Infrastructure (KMI)
  - the storage component of the KMI
  - the management layer of the KMI

sources: Best Practices for Encrypting Data on AWS

AWS provides three different models:

# Model A  - You control the encryption method and the entire KMI
# Model B - You control the encryption method, AWS provides the KMI storage component, and you provide the KMI management layer
# Model C - AWS controls the encryption method and the entire KMI

sources: Best Practices for Encrypting Data on AWS

FIGURE2: “Best Practices for Encrypting Data on AWS”

The difference between them is who manages each of the three elements: you or AWS.

Let’s check the models one by one.

Model A: You control the encryption method and the entire KMI

# Amazon S3
  - Client-side encryption with KMS managed keys (CSE-KMS)
  - Client-side encryption with customer-managed keys (CSE-C)
  -> Encrypt data before uploading it to S3 -> Decrypt data when downloading it
# Amazon EBS
  - capability to encrypt only data volumes, not Amazon EBS boot volumes
  - user-defined
# AWS Storage Gateway
# Amazon RDS

Model B: You control the encryption method, AWS provides the KMI storage component, and you provide the KMI management layer

# The difference between Model A and Model B is where the keys are stored
  - Model A: in your on-premises infrastructure
  - Model B: in AWS CloudHSM

Model C: AWS controls the encryption method and the entire KMI

# Amazon S3
  - SSE-S3 -> automatic encryption by S3
  - SSE-KMS -> AWS encrypts for you with keys in KMS
  - SSE-C -> client-side encryption
# Amazon EBS
# Amazon RDS
# AWS Systems Manager Parameter Store
# Amazon Redshift
# Amazon EMR
# Amazon Glacier
# AWS Storage Gateway
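The two "enforce" items above (encryption in transit, and the S3 server-side encryption family under Model C) are usually enforced with a bucket policy: one Deny on requests that do not use TLS, and one Deny on PutObject requests that carry no server-side-encryption header. The following is an added example, not code from the original post or from AWS. It builds the request headers a client sends for each S3 mode (the header names are the real ones; the bucket name, key ID and object key are placeholders) and runs a small evaluator for the two Deny statements, so you can see which uploads the policy would reject. Under SSE-C the client supplies the key in the request and S3 performs the encryption; under CSE-KMS and CSE-C the client encrypts before the upload and sends no SSE header at all.

```python
import base64
import hashlib
import os
from fnmatch import fnmatchcase

# Constructed bucket policy, added for illustration. The statement structure and
# the condition keys aws:SecureTransport and s3:x-amz-server-side-encryption are
# real IAM/S3 ones; the bucket name is a placeholder.
BUCKET = "arn:aws:s3:::example-bucket"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Enforce encryption in transit: deny any request not sent over TLS.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Enforce encryption at rest: deny PutObject without an SSE header.
            "Sid": "DenyUnencryptedPut",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET + "/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Headers a client adds to PUT Object for each S3 encryption mode.
    CSE-* modes send no SSE header: the bytes were encrypted before upload."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        # S3 encrypts server-side with a 256-bit key the client supplies per
        # request; the key travels base64-encoded with its MD5 as a checksum.
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit customer key")
        key_b64 = base64.b64encode(customer_key).decode()
        md5_b64 = base64.b64encode(hashlib.md5(customer_key).digest()).decode()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": key_b64,
            "x-amz-server-side-encryption-customer-key-MD5": md5_b64,
        }
    if mode in ("CSE-KMS", "CSE-C"):
        return {}
    raise ValueError("unknown mode " + mode)


def request_context(https, headers):
    """Condition-key context S3 would derive from one request (constructed)."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    if "x-amz-server-side-encryption" in headers:
        ctx["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    if "x-amz-server-side-encryption-customer-algorithm" in headers:
        ctx["s3:x-amz-server-side-encryption-customer-algorithm"] = "AES256"
    return ctx


def _condition_matches(condition, ctx):
    # Only the two operators the policy above uses: Bool and Null.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Bool":
                if ctx.get(key) != expected:
                    return False
            elif operator == "Null":
                if (key not in ctx) != (expected == "true"):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def denied_by(policy, action, resource, ctx):
    """Sid of the first Deny statement matching the request, or None.
    An explicit Deny always wins in IAM, so one match is enough to reject."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


def check_upload(mode, https=True, **kw):
    """Simulate PUT Object of a placeholder key; returns the denying Sid or None."""
    ctx = request_context(https, sse_headers(mode, **kw))
    return denied_by(BUCKET_POLICY, "s3:PutObject", BUCKET + "/reports/q1.csv", ctx)


if __name__ == "__main__":
    for mode in ("SSE-S3", "SSE-KMS", "SSE-C", "CSE-KMS"):
        kw = {"customer_key": os.urandom(32)} if mode == "SSE-C" else {}
        print(mode, "over TLS ->", check_upload(mode, **kw) or "not denied")
    print("SSE-S3 over plain HTTP ->", check_upload("SSE-S3", https=False))
```

Two caveats fall out of running it. The `Null` condition on `s3:x-amz-server-side-encryption` only sees SSE-S3 and SSE-KMS, so an SSE-C upload is denied by this policy even though S3 would encrypt it; if you rely on SSE-C, add a statement keyed on `s3:x-amz-server-side-encryption-customer-algorithm`. And a client-side encrypted (CSE-KMS or CSE-C) upload looks like plaintext to the policy, because S3 only ever receives opaque bytes; client-side encryption has to be enforced in the client, not in the bucket.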

Protecting Data Using Encryption

I’ll also give you the following figures, since I’m faced with questions about encryption in Amazon S3 so many times.

FIGURE3: “Protecting Data Using Encryption”, created by myself
FIGURE4: “Cheat Sheet of Data Encryption”, created by myself

The points:

# There are two types of keys
  - Customer Master Key (CMK)
  - Data Encryption Key (DEK)
# There are two locations where data can be encrypted with a CMK
  - Client-Side
  - Server-Side
# Where the DEK is managed reflects the difference in management level
  - C < KMS < Amazon S3
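The CMK/DEK split above is envelope encryption: a fresh DEK encrypts each object, and only the DEK is encrypted ("wrapped") under the CMK, which never leaves the key store. The following added example (my own illustration, not code from the original post or from AWS) walks through that flow on the client side, as a CSE-KMS client does: a stand-in `FakeKms` plays the KMS role, the wrapped DEK is carried alongside the ciphertext as metadata, and an encryption context is bound into the wrap so a DEK cannot be unwrapped for a different object. To run with only the Python standard library it uses an HMAC-SHA256 counter-mode keystream plus an HMAC tag in place of AES-GCM; the structure, not the cipher, is the point.

```python
import hashlib
import hmac
import os
import struct


def _keystream_xor(key, nonce, data):
    """Counter-mode XOR using HMAC-SHA256 as the block function.
    Stand-in for AES-CTR so the example needs no third-party library."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def _seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC: nonce || ciphertext || tag, with aad bound into the tag."""
    nonce = os.urandom(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting; reject on any mismatch."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(enc_key, nonce, ciphertext)


def _context_bytes(context):
    # Canonical serialisation of the encryption context (a dict of strings).
    return "&".join(f"{k}={v}" for k, v in sorted(context.items())).encode()


class FakeKms:
    """Stand-in for the KMS side (hypothetical). The CMK is generated inside and
    never returned; callers only get DEKs and wrapped DEKs, as with real KMS."""

    def __init__(self, key_id):
        self.key_id = key_id          # placeholder identifier, not a real key ARN
        self._cmk = os.urandom(32)

    def generate_data_key(self, context):
        dek = os.urandom(32)
        return dek, _seal(self._cmk, dek, aad=_context_bytes(context))

    def decrypt(self, wrapped_dek, context):
        return _open(self._cmk, wrapped_dek, aad=_context_bytes(context))


def encrypt_object(kms, plaintext, context):
    """Client-side envelope encryption of one object. The DEK is used once and
    discarded; only its wrapped form travels with the ciphertext as metadata."""
    dek, wrapped = kms.generate_data_key(context)
    return {"body": _seal(dek, plaintext), "wrapped_key": wrapped, "context": context}


def decrypt_object(kms, obj):
    dek = kms.decrypt(obj["wrapped_key"], obj["context"])
    return _open(dek, obj["body"])


def tamper_detected(kms, obj):
    """True if decrypting obj fails its integrity check."""
    try:
        decrypt_object(kms, obj)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    kms = FakeKms("placeholder-cmk-id")
    ctx = {"bucket": "example-bucket", "key": "reports/q1.csv"}   # constructed
    obj = encrypt_object(kms, b"constructed sensitive record", ctx)
    print("roundtrip ok:", decrypt_object(kms, obj) == b"constructed sensitive record")
    moved = dict(obj, context={"bucket": "example-bucket", "key": "other.csv"})
    print("unwrap under wrong context rejected:", tamper_detected(kms, moved))
```

Two properties worth noticing: the same plaintext encrypted twice yields different ciphertexts and different wrapped keys, so ciphertexts reveal nothing about one another; and because the encryption context is authenticated into the wrap, a wrapped DEK copied from one object's metadata onto another fails to unwrap, which is the behaviour real KMS encryption contexts give you.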

Deep dive into encryption

As I’ve studied encryption with AWS, I got the following questions.

# What is the difference between server-side and client-side encryption?
# Which services are encrypted by default?

What is the difference between server-side and client-side encryption?

The following material says:

The difference between server-side and client-side encryption is fairly simple. With server-side encryption, the encryption algorithm and process is run from the server-side — in this instance, within S3. Client-side encryption means that the encryption process is executed on the client first before the data is sent to S3 for storage.

source: AWS Certified Solutions Architect Official Study Guide

Which services are encrypted by default?

In transit:

# By default
  - Amazon Glacier (with SSL)
# User-defined
  - AWS Storage Gateway (with HTTPS)
  -> when data is transferred from on-premises to Amazon S3
  - Amazon RDS (with SSL)
  -> between RDS and other AWS services in the VPC
  - Amazon ElastiCache for Redis

source: AWS認定資格試験テキスト AWS認定 ソリューションアーキテクト-アソシエイト (AWS certification exam textbook: AWS Certified Solutions Architect – Associate)

At rest:

# By default
  - Amazon Glacier
# User-defined
  - Amazon EBS
  - Amazon S3
  - AWS Storage Gateway (with KMS)
  -> when data is stored in Amazon S3
  - Amazon RDS
  -> the storage where data is kept, including read replicas
  -> snapshots
  -> other data related to RDS, such as logs
  - Amazon ElastiCache for Redis
  -> data stored in ElastiCache is encrypted

source: AWS認定資格試験テキスト AWS認定 ソリューションアーキテクト-アソシエイト (AWS certification exam textbook: AWS Certified Solutions Architect – Associate)

Summary

Let’s go over what I’ve talked about so far.

# The first step to protect your data is data classification.
# Data should be encrypted in two states: in transit and at rest.
# Use cases to transport data, in transit
  - Implement secure key and certificate management
  - Enforce encryption in transit
# Use cases to store data, at rest
  - Encryption method: where the data is encrypted
  - Key Management Infrastructure (KMI)
# Amazon S3 encryption family: SSE-S3, SSE-KMS, SSE-C, CSE-KMS, CSE-C

Notes

The following article is so useful for me that I would like to share with you.

AWS Encrypting Data at Rest — Whitepaper — Certification

Please like this article and follow me:)
