{"id":2578,"date":"2019-03-08T19:57:20","date_gmt":"2019-03-08T18:57:20","guid":{"rendered":"http:\/\/miro.borodziuk.eu\/?p=2578"},"modified":"2019-09-03T21:32:36","modified_gmt":"2019-09-03T19:32:36","slug":"securing-aws-cloud-services","status":"publish","type":"post","link":"http:\/\/miro.borodziuk.eu\/index.php\/2019\/03\/08\/securing-aws-cloud-services\/","title":{"rendered":"Securing AWS Cloud Services"},"content":{"rendered":"<p><span style=\"color: #3366ff;\">Key Pairs<\/span><\/p>\n<p>Amazon EC2 instances created from a public AMI use a public\/private key pair instead of a password for signing in via SSH. The public key is embedded in your instance, and you use the private key to sign in securely without a password. After you create your own AMIs, you can choose other mechanisms to log in securely to your new instances.<\/p>\n<p><!--more--><\/p>\n<p>An Amazon CloudFront key pair can be created only by the root account and cannot be created by IAM users.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">X.509 Certificates<\/span><\/p>\n<p>X.509 certificates are used to sign SOAP-based requests. They contain a public key and additional metadata (for example an expiration date that AWS verifies when you upload the certificate) and are associated with a private key.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">KMS &#8211; Key Management Service<\/span><\/p>\n<p>AWS Key Management Service (KMS) provides regional, secure key management and encryption and decryption services. KMS is FIPS 140-2 Level 2 validated, and certain aspects support Level 3 (exam hint). Everything in KMS is regional. KMS can use CloudHSM via Custom Key Stores (FIPS 140-2 Level 3).<\/p>\n<p>KMS manages customer master keys (CMK), which are created in a region and never leave the region or KMS. They can encrypt or decrypt data up to 4 KB. 
CMKs have key policies and can be used to create other keys.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-3069 aligncenter\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/CMK.jpg\" alt=\"\" width=\"120\" height=\"106\" \/><\/p>\n<ul>\n<li>KMS can encrypt data up to 4 KB with a CMK \u2014 you supply the data and specify the key to use.<\/li>\n<li>It can decrypt data up to 4 KB \u2014 you provide the ciphertext, and it returns the plaintext.<\/li>\n<li>You can also re-encrypt up to 4 KB \u2014 you supply the ciphertext, the new key to use, and you are returned new ciphertext (at no point do you see the plaintext).<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>KMS can generate a data encryption key (DEK) using a CMK. You or a service can use a DEK to encrypt or decrypt data of any size. KMS supplies a plaintext version and an encrypted version.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-3070 aligncenter\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/CMK2.jpg\" alt=\"\" width=\"263\" height=\"162\" \/><br \/>\nThe encrypted DEK and encrypted data can be stored together. 
KMS is used to decrypt the DEK, which can then decrypt the data.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-3071 aligncenter\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/CMK3.jpg\" alt=\"\" width=\"252\" height=\"135\" \/><\/p>\n<ul>\n<li>Provides a simple interface used to generate and manage cryptographic keys<\/li>\n<li>Operates as a cryptographic service provider for protecting data<\/li>\n<li>Easy way to control access to your data using managed encryption<\/li>\n<li>Integrated with AWS services including EBS, S3, and Redshift to simplify encryption of your data<\/li>\n<li>Create, rotate, disable, enable, and define usage policies for master keys<\/li>\n<li>KMS keys are <strong>region-specific<\/strong><\/li>\n<li>Data encrypted under a key becomes irretrievable if the key is lost<\/li>\n<li>Key usage is recorded in CloudTrail logs for audit purposes<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">CloudHSM (Hardware Security Module)<\/span><\/p>\n<ul>\n<li>Dedicated hardware security modules under your exclusive control<\/li>\n<li>Designed to store and process cryptographic keys securely<\/li>\n<li>FIPS 140-2 Level 3 compliance<\/li>\n<li>Designed to integrate with VPC<\/li>\n<li>Integrates with PKCS#11, Java JCE, and Microsoft CNG<\/li>\n<li>Can connect to CloudHSM from your on-premises datacenter using VPN or AWS Direct Connect<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #3366ff;\">AWS Certificate Manager (ACM)<\/span><\/p>\n<ul>\n<li>Service that lets you provision, manage and deploy SSL\/TLS certificates for use with AWS cloud services.<\/li>\n<li>Native integration with ELB, CloudFront, Elastic Beanstalk, and API Gateway<\/li>\n<li>No cost associated with certificates \u2014 only the resources with which they are used<\/li>\n<li>Certificates automatically renew when actively used with supported services<\/li>\n<li>Integrates with Route 53 to perform DNS checks as part of the 
certificate-issuing process<\/li>\n<li>ACM is regional \u2014 certificates can be applied to services in that region only<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2588\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/CertyficateManager.jpg\" alt=\"\" width=\"614\" height=\"711\" srcset=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/CertyficateManager.jpg 614w, http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/CertyficateManager-259x300.jpg 259w\" sizes=\"(max-width: 614px) 100vw, 614px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key Pairs Amazon EC2 instances created from a public AMI use a public\/private key pair instead of a password for signing in via SSH. The public key is embedded in your instance, and you use the private key to sign in securely without a password. After you create your own AMIs, you can choose other &hellip; <\/p>\n<p class=\"link-more\"><a href=\"http:\/\/miro.borodziuk.eu\/index.php\/2019\/03\/08\/securing-aws-cloud-services\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Securing AWS Cloud 
Services&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":2580,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74],"tags":[],"_links":{"self":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2578"}],"collection":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/comments?post=2578"}],"version-history":[{"count":8,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2578\/revisions"}],"predecessor-version":[{"id":3073,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2578\/revisions\/3073"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media\/2580"}],"wp:attachment":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media?parent=2578"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/categories?post=2578"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/tags?post=2578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}