© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The Art of Mastering Data
Protection on AWS
Ahmed Gouda
Solutions Architect, AWS
gouda@amazon.com
/ahmedgouda
@AskGouda
Agenda
Amazon Simple Storage Service (Amazon S3) access control mechanisms
Amazon S3 Block Public Access
How Amazon S3 authorizes a request
Amazon S3 encryption
Monitoring security in Amazon S3
Data Protection on AWS rests on two pillars: Identity & Access Management and Encryption.
Defense in depth
A request from a user to a document in S3 passes through independent control points, each of which can deny it:
• IAM policy on the user or role
• S3 VPC endpoint policy (VPCe policy) on the path into S3
• Bucket policy on the S3 bucket
• KMS key policy on the key that protects the object
How can I help ensure the files in my Amazon S3
bucket are secure?
• Least privilege - Security best practice
• Start with a minimum set of permissions
• Grant additional permissions as necessary
• Defining the right set of permissions requires some research
• Which actions does the service support?
• Which of them does the specific task require?
• Which permissions are needed to perform those actions?
Amazon S3 access control mechanisms
• AWS Identity and Access Management (IAM) policies
• Amazon S3 bucket policy
• Amazon S3 access control lists (ACLs)
• Amazon S3 VPC endpoint (VPCE) policy
• Pre-signed URLs
Let’s start with IAM
1. Principal: the user or role making the request, through the AWS Management Console or the API / CLI
User policy vs. resource policies
IAM user policy
• “What can this user do in AWS?”
• You prefer to keep access control policies in the IAM environment
• Controls all AWS services
Amazon S3 bucket policy
• “Who can access this S3 resource?”
• You prefer to keep access control policies in the S3 environment
• Grants cross-account access to your S3 bucket without using IAM roles
IAM user policy: allows this particular user to PUT and GET objects in mybucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-write-and-read",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
Amazon S3 bucket policy: allows principals from AWS account 111111111111 to read objects from mybucket, but the condition limits it to objects that carry the tag Project=X
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "AllowingReadPermission",
      "Effect": "Allow",
      "Principal": {"AWS": "111111111111"},
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::mybucket/*"],
      "Condition": {"StringEquals": {"s3:ExistingObjectTag/Project": "X"}}
    }
  ]
}
Amazon S3 Access Control Lists (ACLs)
• ACLs only grant access (they cannot explicitly deny)
• Written in XML format
• Have predefined groups such as “All Users” and “Any Authenticated User”
• Tip: use caution with these groups; “Any Authenticated User” means any AWS account, not just yours
• Finite set of permissions compared to policies
• For example READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
• Prefer bucket policies over bucket ACLs
Amazon S3 Virtual Private Cloud Endpoint (VPCE)
Prior to Amazon S3 VPCE
• Public IP on Amazon Elastic Compute Cloud (Amazon EC2) instances and an Internet gateway
• Private IP on Amazon EC2 instances and a NAT gateway
Using Amazon S3 VPCE
• Access S3 through the private endpoint without NAT instances or gateways
• Restrict access to the S3 bucket from outside of the VPC
(Diagram: before, EC2 instances reach Amazon S3 over the Internet through an Internet gateway or a NAT gateway; after, they reach it through the VPC endpoint.)
Example: VPC endpoint policy restricting access to a specific bucket
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": {"AWS": "111111111111"},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"]
    }
  ]
}
Attached to the endpoint, this policy means traffic through the endpoint can reach my_secure_bucket and nothing else; it filters, it does not grant, so the caller’s IAM policy and the bucket policy must still allow the request.
Example: Restricting access to principals in your organization
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "Principals-only-from-my-Org",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ["o-xxxxxxxxxxx"]}}
  }
}
The wildcard principal is narrowed by the aws:PrincipalOrgID condition, so only principals from accounts in the organization match; S3 does not treat this as a public policy.
Example: Restricting access to a specific endpoint
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
Caution: this Deny applies to every principal, including the account’s administrators and the console, so any request that does not arrive through vpce-1a2b3c4d is refused. Test it from inside the VPC before applying it; if you do lock yourself out, the root user of the bucket owner’s account can still delete the bucket policy.
Pre-signed URLs
• Uses the permissions of the IAM user or role that creates the URL; if that identity cannot perform the operation, neither can the URL
• To generate a URL, provide your security credentials, a bucket name, an object key, the HTTP method (GET or PUT) and an expiration date and time
• Only valid until the expiration time; a URL signed with temporary (role) credentials also stops working when those credentials expire
• Caution: anyone with the URL can perform that action until it expires, so treat the URL itself as a secret
(Diagram: an EC2 instance in Availability Zone #1 generates the URL; a client requests access with it and performs the Get/Put of the object in S3.)
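How a pre-signed URL carries authority, shown in an added example that is not part of the original deck: it builds a SigV4 query-string URL for a GET with nothing but the Python standard library and checks its expiry the way S3 does, without contacting AWS. The bucket name, object key, region and signing time are constructed placeholders (the access key and secret are the well-known example values from AWS documentation, not real credentials); presign_get, is_expired and demo are names chosen here, not a library API.

```python
"""Added example: a SigV4 pre-signed GET URL built offline (no AWS calls).
Credentials, bucket, key, region and signing time are constructed placeholders."""
import datetime as dt
import hashlib
import hmac
import urllib.parse

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                          # AWS documentation example key
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"      # AWS documentation example secret


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, access_key, secret_key, region, expires_in, now):
    """Return a query-string pre-signed URL for GET s3://bucket/key.

    Nothing in the URL names permissions: S3 checks the IAM identity behind
    access_key at request time, so the URL can do exactly what that identity
    can do, and anyone holding it can do that until X-Amz-Date + X-Amz-Expires.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),      # lifetime in seconds (S3 caps it at seven days)
        "X-Amz-SignedHeaders": "host",
    }
    q = lambda s: urllib.parse.quote(s, safe="-_.~")
    canonical_qs = "&".join(f"{q(k)}={q(v)}" for k, v in sorted(params.items()))
    canonical_uri = "/" + urllib.parse.quote(key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_qs,
        f"host:{host}\n",       # canonical headers, each terminated by \n
        "host",                 # signed headers
        "UNSIGNED-PAYLOAD",     # query-string auth does not hash the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Signing-key derivation: the secret itself never appears in the URL.
    k_date = _hmac(("AWS4" + secret_key).encode(), datestamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, "s3")
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def is_expired(url, at):
    """The check S3 applies: the URL is valid only while at < X-Amz-Date + X-Amz-Expires."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    issued = dt.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    return at >= issued + dt.timedelta(seconds=int(qs["X-Amz-Expires"][0]))


def demo():
    """Sign one URL with a 15-minute lifetime and probe its properties."""
    t0 = dt.datetime(2019, 11, 1, 10, 0, 0)                # constructed signing time (UTC)
    args = ("mybucket", "reports/q3.pdf", ACCESS_KEY, SECRET_KEY, "me-south-1", 900, t0)
    url = presign_get(*args)
    other_secret = args[:3] + (SECRET_KEY + "x",) + args[4:]
    return {
        "url": url,
        "deterministic": url == presign_get(*args),         # same inputs, same signature
        "secret_bound": presign_get(*other_secret) != url,  # different secret, different URL
        "valid_at_14min": not is_expired(url, t0 + dt.timedelta(minutes=14)),
        "expired_at_15min": is_expired(url, t0 + dt.timedelta(minutes=15)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The URL contains the access key id, the scope, the issue time, the lifetime and a signature, but never the secret and never a statement of permissions; that is why handing the URL to someone is equivalent to lending them the signing identity's S3 rights for that one object until the expiry elapses.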
What is public access?
• Any anonymous or overly permissive access is considered public access
• Access control lists (ACLs) with grantees such as
• All Users – anyone on the Internet
• Any Authenticated User – anyone with an AWS account, not only accounts you know
• Bucket policies with overly permissive access, for example
• { "Principal": "*", "Resource": "*", "Action": "s3:PutObject", "Effect": "Allow" }
• { "Principal": "*", "Resource": "*", "Action": "s3:PutObject", "Effect": "Allow", "Condition": { "StringLike": { "aws:SourceVpc": "vpc-*" } } }
• The second policy is still public: a condition whose value is a wildcard does not narrow the wildcard principal, whereas a condition on a fixed value (a specific VPC, VPC endpoint, IP range or organization ID) does
• Any explicit cross-account access IS NOT considered public access
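The definition above, as an added classifier that is not part of the deck and is not the S3 service's own implementation: it flags Allow statements whose principal is a wildcard unless a condition pins the caller to a fixed, wildcard-free value, and it flags ACL grants to the two public groups. NARROWING_KEYS is an assumed subset of the condition keys S3 itself recognises; the policies and ACL it runs on are constructed from the slide's examples, and public_statements, public_acl_grants and demo are names chosen here.

```python
"""Added example: classify bucket policies and ACLs as public the way the
slide defines it. Heuristic re-implementation, not the S3 service's code.
NARROWING_KEYS is an assumed subset of the condition keys S3 recognises."""

PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the Internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # anyone with an AWS account
}
# A wildcard principal is not public when a condition pins the caller to a
# concrete identity or network. A wildcard value such as "vpc-*" pins nothing.
NARROWING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:principalorgid",
                  "aws:principalaccount", "aws:principalarn", "aws:sourcearn"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):                          # {"AWS": "*"} is also anonymous
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _narrowed(condition):
    """True if some condition limits the caller with a fixed, wildcard-free value."""
    for operator, pairs in (condition or {}).items():
        op = operator.lower()
        if op.startswith("stringnot") or op.startswith("not") or op.endswith("ifexists"):
            continue                                         # negated/soft operators exclude nobody in particular
        for key, values in pairs.items():
            if key.lower() in NARROWING_KEYS and all(
                    "*" not in str(v) and "?" not in str(v) for v in _as_list(values)):
                return True
    return False


def public_statements(policy):
    """Sids (or positions) of statements that grant public access."""
    found = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") == "Allow" and _wildcard_principal(st.get("Principal")) \
                and not _narrowed(st.get("Condition")):
            found.append(st.get("Sid", i))
    return found


def public_acl_grants(acl):
    """(grantee URI, permission) pairs handed to the All Users / Authenticated Users groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_ACL_GRANTEES]


def demo():
    """Run the slide's two example policies plus two non-public ones and a public ACL."""
    anyone_can_write = {"Statement": [{"Sid": "AnyoneWrite", "Principal": "*", "Resource": "*",
                                       "Action": "s3:PutObject", "Effect": "Allow"}]}
    wildcard_vpc = {"Statement": [{"Sid": "AnyVpc", "Principal": "*", "Resource": "*",
                                   "Action": "s3:PutObject", "Effect": "Allow",
                                   "Condition": {"StringLike": {"aws:SourceVpc": "vpc-*"}}}]}
    one_vpce = {"Statement": [{"Sid": "OneVpce", "Principal": "*", "Resource": "*",
                               "Action": "s3:GetObject", "Effect": "Allow",
                               "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}}]}
    cross_account = {"Statement": [{"Sid": "Partner", "Principal": {"AWS": "111111111111"},
                                    "Resource": "arn:aws:s3:::mybucket/*",
                                    "Action": "s3:GetObject", "Effect": "Allow"}]}
    acl = {"Grants": [  # constructed ACL: one public READ grant, one owner grant
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}
    return {
        "anyone_can_write": public_statements(anyone_can_write),   # ["AnyoneWrite"]
        "wildcard_vpc": public_statements(wildcard_vpc),           # ["AnyVpc"]: vpc-* pins nothing
        "one_vpce": public_statements(one_vpce),                   # []: a fixed endpoint
        "cross_account": public_statements(cross_account),         # []: a named account is not public
        "acl": public_acl_grants(acl),                             # [(AllUsers URI, "READ")]
    }
```

Running this over every bucket policy and ACL in an account (GET bucket policy and GET bucket ACL per bucket) gives the same kind of answer the GET BucketPolicyStatus call below returns, but it is the conservative local approximation: when in doubt about a condition key not in the list, treat the statement as public and let Block Public Access be the control that actually enforces it.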
Amazon S3 Block Public Access
Configured through the API, SDK, CLI and Console
Amazon S3 Block Public Access settings
1. Block new public ACLs and uploading public objects (BlockPublicAcls)
2. Remove public access granted through public ACLs (IgnorePublicAcls)
3. Block new public bucket policies (BlockPublicPolicy)
4. Block public and cross-account access to buckets that have public policies (RestrictPublicBuckets)
Amazon S3 Block Public Access APIs
• PUT PublicAccessBlock
• GET PublicAccessBlock
• DELETE PublicAccessBlock
• GET BucketPolicyStatus
• Returns whether the bucket policy is public
The same PublicAccessBlock settings can also be applied at the account level, where they cover every bucket in the account, including buckets created later.
How does Amazon S3 authorize a request?
• User check – does the requester’s parent account grant permission? (IAM policies)
• Bucket check – does the bucket owner grant permission? (bucket policy, bucket ACL)
• Object check – does the object owner grant permission? (object ACL; look for an explicit “allow”)
• Policy enforcement: everything starts at deny, and an explicit deny in any policy overrides any allows
Ex1: Bucket operation requested by the bucket owner
Requester: AWS account 1111-1111-1111, using root credentials
Bucket owner: 1111-1111-1111
Flow: request made with root credentials → bucket check (authority: account 1111-1111-1111) → authorized? Yes: access granted; No: access denied
Ex2: Bucket operation requested by an IAM user whose parent AWS account is also the bucket owner
Requester: PD (IAM user)
PD’s parent account: 1111-1111-1111
Bucket owner: 1111-1111-1111
Flow: PD’s request → user check (authority: account 1111-1111-1111) → bucket check (authority: the same account) → authorized? Yes: access granted; No: access denied
Ex3: Bucket operation requested by an IAM user whose parent AWS account is not the bucket owner
Requester: PD (IAM user)
PD’s parent account: 1111-1111-1111
Bucket owner: 2222-2222-2222
Flow: PD’s request → user check (authority: account 1111-1111-1111) → bucket check (authority: account 2222-2222-2222) → authorized? Yes: access granted; No: access denied
Both accounts must grant: the parent account through an IAM policy and the bucket owner through the bucket policy or ACL.
Ex4: Authorization request for an object operation
Requester: PD (IAM user)
PD’s parent account: 1111-1111-1111
Bucket owner: 2222-2222-2222
Object owner: 3333-3333-3333
Flow: PD’s request → user check (authority: 1111-1111-1111) → bucket check (authority: 2222-2222-2222) → object check (authority: 3333-3333-3333) → authorized? Yes: access granted; No: access denied
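The three checks and the policy examples earlier on this page (the user policy and bucket policy pair, the tag condition, the VPC endpoint Deny), replayed by an added evaluator that is not part of the deck and is not S3's own code. It applies the documented rules: an explicit deny anywhere is final, a same-account request is authorized by either the user policy or the bucket policy, a cross-account request needs both, and an object owned by a third account additionally needs that owner's ACL grant. Only the String* condition operators used on this page are supported; the account IDs, bucket, policies and request contexts are constructed, and authorize, evaluate and demo are names chosen here.

```python
"""Added example: the S3 authorization flow from the slides as code (documented
rules, not the service's implementation). Accounts, policies and requests are
constructed; condition keys in the request context are given in lower case."""
import fnmatch

def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])

def _principal_matches(principal, account):
    """Resource policies name principals; identity policies carry none."""
    if principal is None or principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" or v == account or v.startswith(f"arn:aws:iam::{account}:")
                   for v in _as_list(principal.get("AWS")))
    return False

def _condition_ok(condition, ctx):
    for op, pairs in (condition or {}).items():
        like, negated = "Like" in op, op.startswith("StringNot")
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:              # key absent from the request
                if negated:
                    continue                # StringNot* is satisfied by a missing key
                return False
            hit = any(fnmatch.fnmatchcase(actual, str(e)) if like else actual == str(e)
                      for e in _as_list(expected))
            if hit == negated:              # positive op needs a hit, negated op needs none
                return False
    return True

def evaluate(policy, req):
    """One policy document -> 'deny', 'allow' or None when nothing matches."""
    verdict = None
    for st in _as_list(policy.get("Statement")):
        if "Principal" in st and not _principal_matches(st["Principal"], req["account"]):
            continue
        if not any(fnmatch.fnmatchcase(req["action"].lower(), a.lower())
                   for a in _as_list(st.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(st.get("Resource"))):
            continue
        if not _condition_ok(st.get("Condition"), req.get("ctx", {})):
            continue
        if st["Effect"] == "Deny":
            return "deny"                   # an explicit deny ends the evaluation
        verdict = "allow"
    return verdict

ACL_PERMISSION = {"s3:getobject": "READ", "s3:getobjectacl": "READ_ACP", "s3:putobjectacl": "WRITE_ACP"}

def authorize(req, user_policy, bucket_owner, bucket_policy, object_acl=None):
    """User check, bucket check, object check; everything starts at deny.
    req: {"account", "root", "action", "resource", "ctx"}; object_acl: {"owner", "grants": {account: set}}"""
    user = "allow" if req.get("root") else evaluate(user_policy, req)   # user check
    bucket = evaluate(bucket_policy, req)                                 # bucket check
    if "deny" in (user, bucket):
        return False
    if req["account"] == bucket_owner:
        granted = "allow" in (user, bucket)                 # same account: either grant suffices
    else:
        granted = user == "allow" and bucket == "allow"     # cross-account: both must grant
    if not granted or object_acl is None or object_acl["owner"] in (req["account"], bucket_owner):
        return granted
    need = ACL_PERMISSION.get(req["action"].lower(), "FULL_CONTROL")   # object check
    have = object_acl["grants"].get(req["account"], set())
    return need in have or "FULL_CONTROL" in have

def demo():
    """Replay Ex1-Ex4 with the user policy, tag condition and VPC endpoint Deny from the deck."""
    obj = "arn:aws:s3:::mybucket/reports/q3.pdf"
    user_policy = {"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
                                  "Resource": "arn:aws:s3:::mybucket/*"}]}
    bucket_policy = {"Statement": [
        {"Sid": "ReadProjectX", "Effect": "Allow", "Principal": {"AWS": "111111111111"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*",
         "Condition": {"StringEquals": {"s3:ExistingObjectTag/Project": "X"}}},
        {"Sid": "VpceOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}}]}
    inside = {"aws:sourcevpce": "vpce-1a2b3c4d", "s3:existingobjecttag/project": "X"}
    req = lambda **kw: {"account": "111111111111", "action": "s3:GetObject", "resource": obj, **kw}
    third = lambda grants: {"owner": "333333333333", "grants": grants}
    return {
        "ex1_root": authorize(req(ctx=inside, root=True), {}, "111111111111", bucket_policy),
        "ex2_same_account": authorize(req(ctx=inside), user_policy, "111111111111", bucket_policy),
        "ex3_cross_account": authorize(req(ctx=inside), user_policy, "222222222222", bucket_policy),
        "ex3_wrong_tag": authorize(req(ctx={**inside, "s3:existingobjecttag/project": "Y"}),
                                   user_policy, "222222222222", bucket_policy),
        "outside_vpce": authorize(req(ctx={**inside, "aws:sourcevpce": "vpce-0000ffff"}),
                                  user_policy, "111111111111", bucket_policy),
        "ex4_no_acl": authorize(req(ctx=inside), user_policy, "222222222222", bucket_policy, third({})),
        "ex4_with_acl": authorize(req(ctx=inside), user_policy, "222222222222", bucket_policy,
                                  third({"111111111111": {"READ"}})),
    }
```

The outside_vpce case is the one worth remembering: the same principal, the same user policy and the same bucket-policy allow, yet one matching Deny statement settles the request before any allow is counted.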
Managing cross-account access in Amazon S3
Users in other accounts assume AccountARole, a role in Account A, and reach the Account-A bucket with the role’s permissions. The IAM policy attached to those users that lets them assume the role:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::AccountA:role/AccountARole"
  }
}
AccountARole’s trust policy must also name the other account as a trusted principal; both halves are required before the role can be assumed.
Cross-region replication – Ownership Override
For business continuity, you can use the Object Ownership Override to separate the access control of source objects and replicated objects, so the source object owners cannot read, update, or delete the replicated objects in the destination.
Source bucket owner owns the object; destination bucket owner owns the replica. Overriding access control this way maintains two different stacks of ownership.
Encrypt, where?
• Data in motion – network encryption: HTTPS between the client and the instances
• Data at rest – storage encryption: the S3 bucket, the EBS volume
• Data in use – application-level encryption, in the application code
Client-side encryption = you encrypt
Server-side encryption = AWS encrypts
Traditional reasons to not encrypt
• Performance: latency overhead, crypto acceleration
• Complexity: fragmented systems, inconsistent controls
• Availability: loss of keys, key provisioning
Encryption in AWS
(Diagram: a client in the corporate data center reaches encrypting services in the AWS Cloud, with access controls and audit around them and secondary storage behind them.)
AWS KMS integration
AWS services integrated with AWS KMS for customer owned keys, by AWS offering category:
Compute: Amazon EC2 - AWS Lambda - Amazon Lightsail*
Storage: Amazon EBS - Amazon EFS - Amazon FSx for Windows File Server - Amazon S3 Glacier - Amazon S3 - AWS Storage Gateway
Databases: Amazon Aurora - Amazon DynamoDB* - Amazon DynamoDB Accelerator (DAX)* - Amazon Neptune - Amazon Redshift - Amazon RDS
Analytics: Amazon Athena - Amazon Elasticsearch Service - Amazon EMR - AWS Glue - Amazon Kinesis Data Firehose - Amazon Kinesis Data Streams - Amazon Managed Streaming for Kafka (Amazon MSK)
Machine learning: Amazon Comprehend* - Amazon Lex - Amazon SageMaker - Amazon Translate
Application services: Amazon Elastic Transcoder - Amazon Simple Email Service (Amazon SES) - Amazon Simple Queue Service (Amaz SQS)
Migration & transfer: AWS Snowball - AWS Snowball Edge - AWS Snowmobile - AWS Database Migration Service
Developer tools: AWS Cloud9 - AWS CodeBuild - AWS CodeCommit* - AWS CodeDeploy - AWS CodePipeline - AWS X-Ray
Management tools: AWS CloudTrail - Amazon CloudWatch Logs - AWS Systems Manager
Media services: Amazon Kinesis Video Streams
Security & identity: AWS Certificate Manager* - AWS Secrets Manager
Enterprise applications: Amazon WorkMail - Amazon WorkSpaces
Business productivity: Alexa for Business*
Contact center: Amazon Connect
*Supports only AWS managed KMS keys.
KMS key hierarchy
Two-tiered hierarchy for keys
• Data keys encrypt customer data
• Customer master keys (CMKs) protect the data keys
• Key policies on the CMK control who can use it, and therefore who can get at the data
• All activity associated with CMKs is logged
Benefits
• Envelope encryption avoids managing data keys
• Encrypted data keys are stored with the encrypted objects
• Well suited to encrypting large data objects
• Enables local key caching for high I/O operations
(Diagram: one customer master key in the Key Management Service protects separate data keys for an S3 bucket, an EBS volume and an RDS instance.)
Envelope encryption
Example: S3 server-side encryption
Encrypt process
1. Amazon S3 sends a generate-data-key request to AWS KMS under the CMK
2. KMS returns a plaintext data key together with the same data key encrypted under the CMK
3. S3 encrypts the plaintext data with the data key
4. The encrypted data and the encrypted data key are stored together in the S3 bucket; the plaintext data key is discarded
Decrypt process
5. S3 reads the encrypted data and the encrypted data key from the bucket
6. S3 sends the encrypted data key to KMS for decryption under the CMK
7. KMS returns the plaintext data key
8. S3 decrypts the data and returns the plaintext
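The eight steps above, as an added example that is not from the deck or from AWS: a stand-in for KMS that keeps the CMK to itself and only ever hands out data keys, with the wrapped data key stored beside the ciphertext and the encryption context authenticated into the wrap (the later slide on taking control of your keys and the CloudTrail record both rely on that context). The cipher is an HMAC-SHA256 keystream plus an HMAC tag, a standard-library placeholder for the AES-GCM that S3 and KMS actually use; the key ids, bucket, object and data are constructed, and FakeKms, put_object, get_object, seal and open_ are names chosen here.

```python
"""Added example: envelope encryption with a stand-in for AWS KMS that never
leaves this process. The cipher is an HMAC-SHA256 keystream plus an HMAC tag,
a standard-library placeholder for AES-GCM; key ids and data are constructed."""
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key, nonce, data):
    """XOR data with HMAC(key, nonce || counter) blocks. Placeholder for AES-GCM."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


def seal(key, plaintext, aad=b""):
    """nonce || ciphertext || tag; the tag covers nonce, aad and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()


def open_(key, blob, aad=b""):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or wrong encryption context")
    return _keystream_xor(key, nonce, ct)


def _aad(key_id, context):
    """The encryption context is authenticated, not encrypted, and not secret."""
    return json.dumps({"kid": key_id, **context}, sort_keys=True).encode()


class FakeKms:
    """Holds CMKs and only ever returns data keys; a CMK never leaves the service."""
    def __init__(self):
        self._cmks = {}

    def create_key(self, key_id):
        self._cmks[key_id] = secrets.token_bytes(32)

    def generate_data_key(self, key_id, context):
        """Steps 1-2: a fresh data key, returned in plaintext and wrapped under the CMK."""
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._cmks[key_id], data_key, _aad(key_id, context))

    def decrypt(self, key_id, wrapped, context):
        """Steps 6-7: unwrap, but only if the context matches the one used to wrap."""
        return open_(self._cmks[key_id], wrapped, _aad(key_id, context))


def put_object(kms, key_id, bucket, key, body):
    """Steps 3-4 on the S3 side: encrypt with the data key, store the wrapped key beside it."""
    context = {"aws:s3:arn": f"arn:aws:s3:::{bucket}/{key}"}   # the context S3 uses for SSE-KMS
    data_key, wrapped = kms.generate_data_key(key_id, context)
    stored = {"ciphertext": seal(data_key, body), "wrapped_key": wrapped, "context": context}
    del data_key                      # the plaintext data key is not kept
    return stored


def get_object(kms, key_id, stored):
    """Steps 5-8: unwrap the data key through KMS, then decrypt the object locally."""
    data_key = kms.decrypt(key_id, stored["wrapped_key"], stored["context"])
    return open_(data_key, stored["ciphertext"])


def demo():
    kms = FakeKms()
    kms.create_key("cmk-1")
    kms.create_key("cmk-2")
    stored = put_object(kms, "cmk-1", "mybucket", "reports/q3.pdf", b"quarterly numbers")
    results = {"roundtrip": get_object(kms, "cmk-1", stored) == b"quarterly numbers",
               "ciphertext_hides_plaintext": b"quarterly" not in stored["ciphertext"]}
    try:   # the wrapped key copied under another object name: context mismatch, KMS refuses
        kms.decrypt("cmk-1", stored["wrapped_key"], {"aws:s3:arn": "arn:aws:s3:::other/x"})
        results["context_enforced"] = False
    except ValueError:
        results["context_enforced"] = True
    try:   # a different CMK cannot unwrap
        kms.decrypt("cmk-2", stored["wrapped_key"], stored["context"])
        results["cmk_bound"] = False
    except ValueError:
        results["cmk_bound"] = True
    return results
```

Two properties carry over to the real service: the only secret that has to be protected long term is the CMK, which the data path never sees, and a wrapped data key is useless outside the exact encryption context it was created with, which is what lets a key policy or a CloudTrail query reason about which object a Decrypt call was for.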
Key management lifecycle
Define key use → Create → Enable / Disable → Rotate → Back up → Recover → Delete
Two approaches for managing your keys
AWS managed master keys
• AWS services request AWS KMS to automatically create master keys
• Keys are in your account but can only be used by the AWS services that created them
Customer managed master keys
• You create your master keys in advance using AWS KMS
• You choose which keys to use when setting up an AWS service to use encryption
All operational aspects are the same: security, latency, throughput, durability, availability, and auditability
Take control over your keys
• Control who can manage and use your keys
• Limit how your keys can be used (scope reduction)
• Define conditions of use (an encryption context binds a key use to specific data objects)
• Delegate permissions and share access across accounts
• Enable and disable keys instantly
• Control key deletion
• Control key rotation
• Organize your keys with aliases and tags
• Use keys outside AWS encrypting services
• Use the AWS Encryption SDK or AWS KMS directly to encrypt data
Audit AWS KMS usage with AWS CloudTrail
"eventName": "Decrypt",                                             This KMS API action was called…
"eventTime": "2014-08-18T18:13:07Z",                                …at this time
"requestParameters": {
  "keyId": "2b42x363-1911-4e3a-8321-6b67329025ex",                 …in reference to this key
  "encryptionContext": "volumeid-12345"},                          …to protect this AWS resource
"sourceIPAddress": "203.0.113.113",                                 …from this IP address
"userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}   …by this AWS user in this account
Bring your own key (BYOK)
Do you have any of these requirements?
• Control how your key was generated (entropy sources)
• Keep your own backup copy of your key material
• Upload keys only when you need them
AWS KMS custom key store
Enables you to use an AWS CloudHSM cluster that you control as your own KMS key store. Your KMS keys are generated, stored, and used in devices that are comparable to traditional on-premises HSMs.
AWS CloudHSM provides cloud-based HSMs that are easy to scale with automatic provisioning, high availability, and managed backups.
(Diagram: clients and AWS services call KMS, which uses the CloudHSM cluster as its key store.)
Amazon S3 default encryption
Provides S3 encryption-at-rest support for applications that do not otherwise support encrypting data in Amazon S3
• One-time bucket-level setup
• Automatically encrypts all new objects (objects already in the bucket are not re-encrypted)
• Supports SSE-S3 and SSE-KMS
• Simplified compliance
Monitoring Amazon S3 security settings
• Bucket access control view in the S3 console
• Trusted Advisor
• Amazon Macie
• AWS Config rules: s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited
Monitoring Amazon S3 security settings...contd.
• AWS CloudTrail
• Amazon S3 Inventory (object encryption status)
• Amazon S3 Server Access Logs
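A detection pass over CloudTrail records, as an added example that is not part of the deck: it takes the KMS record shape from the audit slide and the S3 configuration changes the monitoring slides care about, and turns them into findings a security operations team could route. The records are constructed for this example (the field names eventSource, eventName, requestParameters, sourceIPAddress, userIdentity and errorCode are CloudTrail's; every value is invented), the trusted network and the watched event names are assumptions to tune per environment, and detect and demo are names chosen here.

```python
"""Added example: findings from CloudTrail records relevant to S3 and KMS.
Records are constructed; TRUSTED_NETWORKS and the watched event names are
assumptions a bucket owner would tune to their own environment."""
import ipaddress
import json
from collections import Counter

TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]       # assumption: the VPC CIDR
PUBLIC_GROUPS = ("global/AllUsers", "global/AuthenticatedUsers")
KEY_AVAILABILITY = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy"}
BUCKET_CONFIG = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketEncryption", "DeleteBucketEncryption"}


def _trusted_source(ip):
    if ip.endswith(".amazonaws.com"):       # an AWS service calling KMS on the account's behalf
        return True
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETWORKS)
    except ValueError:
        return False


def detect(events):
    """Return (severity, eventName, reason) for each record that warrants attention."""
    findings, denials = [], Counter()
    for ev in events:
        source, name = ev.get("eventSource"), ev.get("eventName")
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        params = json.dumps(ev.get("requestParameters") or {})   # flat text search, nesting-agnostic
        if source == "s3.amazonaws.com":
            if name == "DeletePublicAccessBlock":
                findings.append(("high", name, f"{who} removed Block Public Access"))
            elif name == "PutPublicAccessBlock" and "false" in params:
                findings.append(("high", name, f"{who} switched off a Block Public Access setting"))
            elif name in ("PutBucketAcl", "PutObjectAcl") and any(g in params for g in PUBLIC_GROUPS):
                findings.append(("high", name, f"{who} granted an ACL to a public group"))
            elif name in BUCKET_CONFIG:
                findings.append(("medium", name, f"{who} changed bucket policy or encryption"))
            if ev.get("errorCode") == "AccessDenied":
                denials[who] += 1
        elif source == "kms.amazonaws.com":
            if name in KEY_AVAILABILITY:
                findings.append(("high", name, f"{who} changed key availability or policy"))
            elif name in ("Decrypt", "GenerateDataKey") and not _trusted_source(ev.get("sourceIPAddress", "")):
                findings.append(("medium", name, f"{who} used a key from {ev.get('sourceIPAddress')}"))
    for who, n in denials.items():
        if n >= 3:                          # repeated denials from one identity: possible enumeration
            findings.append(("low", "AccessDenied", f"{who}: {n} denied S3 calls"))
    return findings


def _event(source, name, arn, ip, params=None, error=None):
    """Build a constructed record with the CloudTrail field names used above."""
    rec = {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": arn}, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [  # constructed, not captured
    _event("s3.amazonaws.com", "PutBucketAcl", "arn:aws:iam::111122223333:user/alice", "10.0.1.5",
           {"bucketName": "mybucket", "AccessControlPolicy": {"AccessControlList": {"Grant": [
               {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}}),
    _event("s3.amazonaws.com", "DeletePublicAccessBlock", "arn:aws:iam::111122223333:user/bob", "10.0.1.9",
           {"bucketName": "mybucket"}),
    _event("kms.amazonaws.com", "Decrypt", "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc", "10.0.2.7",
           {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::mybucket/reports/q3.pdf"}}),
    _event("kms.amazonaws.com", "Decrypt", "arn:aws:iam::111122223333:user/User123", "203.0.113.113",
           {"encryptionContext": {"aws:ebs:id": "vol-12345"}}),
    _event("kms.amazonaws.com", "GenerateDataKey", "arn:aws:iam::111122223333:user/alice", "s3.amazonaws.com",
           {"keySpec": "AES_256"}),
    _event("kms.amazonaws.com", "ScheduleKeyDeletion", "arn:aws:iam::111122223333:user/bob", "10.0.1.9",
           {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "pendingWindowInDays": 7}),
] + [_event("s3.amazonaws.com", "GetObject", "arn:aws:iam::111122223333:user/mallory", "198.51.100.20",
            {"bucketName": "mybucket", "key": f"secret-{i}"}, error="AccessDenied") for i in range(3)]


def demo():
    return detect(SAMPLE_EVENTS)
```

Run against a real trail the same function takes the Records array of each delivered log file; the two Decrypt records show why the source address and the encryption context on the audit slide matter: the call from inside the VPC for an S3 object is routine, the one from an Internet address for an EBS volume is the one to ask about.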
Let’s recap some of the best practices
• Always follow the principle of least privilege
• Most use cases don’t require public access – Recommend turning on
the Amazon S3 Block Public Access settings
• Authorization: All decisions start at Deny
• Authorization: An explicit Deny will override any allows
• Use default encryption to protect your data
• Monitor and audit your data with tools such as AWS Trusted Advisor,
AWS Config, AWS CloudTrail, and S3 Inventory
Let’s recap some of the best practices
• Encryption by default is a realistic goal
• Sound key management provides enhanced access controls and
visibility
• AWS KMS is durable, secure, and integrated with 50+ AWS
services
• You have choices about the controls you place over your keys
• AWS KMS can be used as an independent control point for your
own applications and AWS partner solutions
Thank you!
Ahmed Gouda
gouda@amazon.com
/ahmedgouda
@AskGouda

More Related Content

PDF
Cutting to the chase for Machine Learning Analytics Ecosystem & AWS Lake Form...
PDF
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
PPTX
Securing AWS environments by Ankit Giri
PPTX
Andrew May - Simple S3 Security
PDF
Diving into Common AWS Misconfigurations
PDF
Peter Sankauskas Access Denied: Understanding & Debugging AWS IAM
PDF
Deep dive into cloud security - Jaimin Gohel & Virendra Rathore
PPTX
Houston techfest spring 2018
Cutting to the chase for Machine Learning Analytics Ecosystem & AWS Lake Form...
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
Securing AWS environments by Ankit Giri
Andrew May - Simple S3 Security
Diving into Common AWS Misconfigurations
Peter Sankauskas Access Denied: Understanding & Debugging AWS IAM
Deep dive into cloud security - Jaimin Gohel & Virendra Rathore
Houston techfest spring 2018

Similar to AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws (20)

PPTX
AWS CLOUD COMPUTING COURSE WITH AWS ON CLOUD
PDF
ITB2019 Build Fine-Grained Control of Amazon Web Services in Your CFML App - ...
PPT
Amazon s3
PDF
Avoiding Friendly Fire in AWS
PPTX
Deep dive - AWS security by design
PPTX
Windsor AWS UG Deep dive IAM 2 - no json101
PPTX
The fundamentals of AWS Cloud Security 🛠⛅️🚀
PDF
Amazon Web Services Security
PDF
Multi account s3 presentation
PDF
AWS Multi-Account S3 Permission Complexity Discussion
PPTX
Introduction to Amazon S3
PPTX
Null Bangalore | Pentesters Approach to AWS IAM
PPTX
Owning aws infrastructure services
PDF
Introduction to Amazon Web Services
PPTX
best aws training in bangalore
PPTX
Pitt Immersion Day Module 5 - security overview
PPTX
Hack proof your aws cloud cloudcheckr_040416
PDF
Securing Your Customers Data From Day One
PDF
Saa c02 study notes 2022
PDF
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS CLOUD COMPUTING COURSE WITH AWS ON CLOUD
ITB2019 Build Fine-Grained Control of Amazon Web Services in Your CFML App - ...
Amazon s3
Avoiding Friendly Fire in AWS
Deep dive - AWS security by design
Windsor AWS UG Deep dive IAM 2 - no json101
The fundamentals of AWS Cloud Security 🛠⛅️🚀
Amazon Web Services Security
Multi account s3 presentation
AWS Multi-Account S3 Permission Complexity Discussion
Introduction to Amazon S3
Null Bangalore | Pentesters Approach to AWS IAM
Owning aws infrastructure services
Introduction to Amazon Web Services
best aws training in bangalore
Pitt Immersion Day Module 5 - security overview
Hack proof your aws cloud cloudcheckr_040416
Securing Your Customers Data From Day One
Saa c02 study notes 2022
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
Ad

More from AWS Riyadh User Group (19)

PDF
AWS reinvent 2019 recap - Riyadh - Containers and Serverless - Paul Maddox
PDF
AWS reinvent 2019 recap - Riyadh - Database and Analytics - Assif Abbasi
PDF
AWS reinvent 2019 recap - Riyadh - Network and Security - Anver Vanker
PDF
AWS reinvent 2019 recap - Riyadh - AI And ML - Ahmed Raafat
PPTX
Demistifying serverless on aws
PDF
Amazon SageMaker Build, Train and Deploy Your ML Models
PDF
AWS Technical Day Riyadh Nov 2019 [Migration]
PPTX
PPTX
EC2 and S3 Level 100
PPTX
Devops on AWS
PPTX
Blockchain on AWS
PPTX
AWS AI Services
PPTX
AWS Cloudformation Session 01
PPTX
AWS Cloud Security
PPTX
AWS Messaging
PPTX
Amazon Virtual Private Cloud - VPC 2
PPTX
Amazon Virtual Private Cloud - VPC 1
PPTX
Containers on AWS
PDF
Amazon relational database service (rds)
AWS reinvent 2019 recap - Riyadh - Containers and Serverless - Paul Maddox
AWS reinvent 2019 recap - Riyadh - Database and Analytics - Assif Abbasi
AWS reinvent 2019 recap - Riyadh - Network and Security - Anver Vanker
AWS reinvent 2019 recap - Riyadh - AI And ML - Ahmed Raafat
Demistifying serverless on aws
Amazon SageMaker Build, Train and Deploy Your ML Models
AWS Technical Day Riyadh Nov 2019 [Migration]
EC2 and S3 Level 100
Devops on AWS
Blockchain on AWS
AWS AI Services
AWS Cloudformation Session 01
AWS Cloud Security
AWS Messaging
Amazon Virtual Private Cloud - VPC 2
Amazon Virtual Private Cloud - VPC 1
Containers on AWS
Amazon relational database service (rds)
Ad

Recently uploaded (20)

PPT
What is a Computer? Input Devices /output devices
PPTX
The various Industrial Revolutions .pptx
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
PDF
STKI Israel Market Study 2025 version august
PDF
Architecture types and enterprise applications.pdf
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
PDF
CloudStack 4.21: First Look Webinar slides
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PDF
Developing a website for English-speaking practice to English as a foreign la...
PPTX
Chapter 5: Probability Theory and Statistics
PPTX
2018-HIPAA-Renewal-Training for executives
PDF
Zenith AI: Advanced Artificial Intelligence
PPTX
Custom Battery Pack Design Considerations for Performance and Safety
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PPT
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
PDF
OpenACC and Open Hackathons Monthly Highlights July 2025
PDF
The influence of sentiment analysis in enhancing early warning system model f...
PPT
Module 1.ppt Iot fundamentals and Architecture
PDF
Getting started with AI Agents and Multi-Agent Systems
What is a Computer? Input Devices /output devices
The various Industrial Revolutions .pptx
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
STKI Israel Market Study 2025 version august
Architecture types and enterprise applications.pdf
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
CloudStack 4.21: First Look Webinar slides
NewMind AI Weekly Chronicles – August ’25 Week III
Developing a website for English-speaking practice to English as a foreign la...
Chapter 5: Probability Theory and Statistics
2018-HIPAA-Renewal-Training for executives
Zenith AI: Advanced Artificial Intelligence
Custom Battery Pack Design Considerations for Performance and Safety
Final SEM Unit 1 for mit wpu at pune .pptx
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
OpenACC and Open Hackathons Monthly Highlights July 2025
The influence of sentiment analysis in enhancing early warning system model f...
Module 1.ppt Iot fundamentals and Architecture
Getting started with AI Agents and Multi-Agent Systems

AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. The Art of Mastering Data Protection on AWS Ahmed Gouda Solutions Architect, AWS [email protected] /ahmedgouda @AskGouda
  • 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda Amazon Simple Storage Service (Amazon S3) access control mechanisms Amazon S3 Block Public Access How Amazon S3 authorizes a request Amazon S3 encryption Monitoring security in Amazon S3
  • 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Data Protection on AWS Identity & Access Management Encryption
  • 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Defense in depth KMS key policy KMS keyRole IAM policy S3 VPC endpoint VPCe policy S3 bucket Bucket policy Users Documents
  • 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How can I help ensure the files in my Amazon S3 bucket are secure? • Least privilege - Security best practice • Start with a minimum set of permissions • Grant additional permissions as necessary • Defining the right set of permissions requires some research • What actions a particular service supports? • What is required for the specific task? • What permissions are required in order to perform those actions?
  • 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 access control mechanisms • AWS Identity and Access Management (IAM) policies • Amazon S3 bucket policy • Amazon S3 access control lists (ACLs) • Amazon S3 VPCE policy • Pre-Signed URLs
  • 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s start with IAM 1. Principal AWS Management Console API / CLI
  • 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • “What can this user do in AWS?” • You prefer to keep access control policies in IAM environment • Controls all AWS Services • “Who can access this S3 resource?” • You prefer to keep access control policies in S3 environment • Grant cross-account access to your S3 bucket without using IAM roles IAM user policy Amazon S3 Bucket policy User policy vs. resource policies
  • 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. { "Version":"2012-10-17", "Statement":[ { ”Sid":"Allow-write-and-read", "Effect": ”Allow", "Action":[ "s3:PutObject", "s3:GetObject", ], "Resource":"arn:aws:s3:::mybucket/*" } ] } { "Version": "2012-10-17", "Id": "123", "Statement": [ { "Sid": ”AllowingReadPermission", "Effect": "Allow", "Principal": {"AWS":"1111111111"}, "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3::: mybucket /*”], "Condition": {"StringEquals": {"s3:ExistingObjectTag/Project": "X"}} } ] } Bucket policy allows principal from AWS Account 1111111111 to read objects from mybucket, but condition limits it to objects that have a specific Tag value IAM user policy Amazon S3 Bucket policy User policy allows this particular user to PUT and GET objects into the mybucket
  • 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Access Control Lists (ACLs) • ACLs only grant access (cannot explicitly deny) • Written in XML format • Has predefined groups like “All Users”, ”Any Authenticated User” • Tip: Use caution when using these groups • Finite set of permissions compared to policies • For example, READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL • Preferably use bucket policies vs. bucket ACLs
  • 11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Virtual Private Cloud Endpoint (VPCE) Prior to Amazon S3 VPCE Using Amazon S3 VPCE • Public IP on Amazon Elastic Compute Cloud (Amazon EC2) Instances and Internet Gateway • Private IP on Amazon EC2 Instances and NAT • Access S3 using S3 Private Endpoint without using NAT instances or gateways • Restrict access to S3 bucket from outside of VPC Amazon S3 Amazon S3 VPC NAT gateway Amazon EC2 Amazon EC2 Amazon EC2 Internet Internet Internet gateway
  • 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Example: Restricting access to a specific bucket { "Version": "2012-10-17", "Id": "Policy1415115909152", "Statement": [ { "Sid": "Access-to-specific-bucket-only", "Principal": {"AWS":"1111111111"}, "Action": [ "s3:GetObject, s3:PutObject", "Effect": ”Allow", "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"], } ] }
  • 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Example: Restricting access to principals in your organization { "Version": "2012-10-17", "Statement": { "Sid": ”Principals-only-from-my-Org", "Effect": "Allow", "Principal": "*", "Action": "s3:putobject", "Resource":["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"], "Condition": {"StringEquals": {"aws:PrincipalOrgID":["o-xxxxxxxxxxx"]} } } }
  • 14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Example: Restricting access to a specific endpoint { "Version": "2012-10-17", "Id": "Policy1415115909152", "Statement": [ { "Sid": "Access-to-specific-VPCE-only", "Principal": "*", "Action": "s3:*", "Effect": "Deny", "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"], "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-1a2b3c4d" } } } ] }
  • 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Pre-signed URLs • Uses permissions of the IAM user/role who creates the URL • To generate URL, provide your security credentials, a bucket name, an object key, HTTP method (GET or PUT) and expiration date and time • Only valid until expiration time • Caution: Anyone with URL can perform those actions Availability Zone #1 EC2 instance Generates URL S3 Request Access Get/Put Object
  • 16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is public access? • Any anonymous or overly permissive access is considered public access • Access control lists (ACLs) with grantees such as • All Users – Anyone on the Internet • Any authenticated user – Anyone with an AWS account • Public bucket policy with overly permissive access, for example • { “Principal”: “*”, “Resource”: “*”, “Action”: “s3:PutObject”, “Effect”: “Allow” } • {“Principal”: “*”, “Resource”: “*”, “Action”: “s3:putobject”, “Effect”: “Allow”, “Condition”: { “StringLike”:{ “aws:sourcevpc”: “vpc-*”}}} • Any explicit cross-account access IS NOT considered public access
  • 18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Block Public Access API, SDK, CLI and Console
  • 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon S3 Block Public Access settings 1. Block new public ACLs and uploading public objects 2. Remove public access granted through public ACLs 3. Block new public bucket policies 4. Block public and cross-account access to buckets that have public policies
• 20. Amazon S3 Block Public Access APIs
  • PUT PublicAccessBlock
  • GET PublicAccessBlock
  • DELETE PublicAccessBlock
  • GET BucketPolicyStatus – returns whether the bucket policy is public or not
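A local version of the "is it public?" question that GetBucketPolicyStatus answers, as an added example (not code from the deck or from AWS): it applies the rules slide 17 states to policy and ACL documents parsed from JSON. A wildcard principal with Allow is public; a wildcard-valued condition such as "vpc-*" does not narrow it; Deny statements (like the endpoint policy on slide 14) and explicit cross-account principals are not public; ACL grants to the AllUsers or AuthenticatedUsers groups are public. The sample policies are constructed from the deck's examples; the narrowing-key list is my assumption about which condition keys scope a "*" principal to a known network or organization.

```python
"""Local check for "public" S3 access (added example, not AWS code).

Applies the deck's definition of public access to policy/ACL documents so a
policy file can be reviewed before deployment. GetBucketPolicyStatus and the
AWS Config rules named later in the deck are the authoritative checks.
"""
import json

# ACL grantee group URIs that the deck classifies as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the Internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # anyone with an AWS account
}

# Condition keys (lowercased; keys are case-insensitive) that scope a "*"
# principal to a known network or org when pinned to a concrete value. Assumed list.
NARROWING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:principalorgid"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "*" or {"AWS": "*"}; False for specific accounts, roles or services."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _condition_narrows(condition):
    """True if a positive (non-negated) condition pins a narrowing key to a value
    without wildcards. {"StringLike": {"aws:sourceVpc": "vpc-*"}} matches every
    VPC and narrows nothing, which is the trap in the deck's second example."""
    for operator, keys in (condition or {}).items():
        if "not" in operator.lower():
            continue
        for key, values in keys.items():
            if key.lower() in NARROWING_KEYS and all("*" not in str(v) for v in _as_list(values)):
                return True
    return False


def statement_is_public(statement):
    """Allow + wildcard principal + no narrowing condition == public.
    A Deny can only remove access, so it is never public."""
    if statement.get("Effect") != "Allow":
        return False
    if not _principal_is_wildcard(statement.get("Principal")):
        return False
    return not _condition_narrows(statement.get("Condition"))


def policy_is_public(policy_json):
    """Is any statement in the policy document public?"""
    statements = _as_list(json.loads(policy_json)["Statement"])
    return any(statement_is_public(s) for s in statements)


def acl_is_public(acl):
    """Public if any grant goes to the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
               for g in acl.get("Grants", []))


# --- constructed samples built from the deck's examples (not from a real account) ---
VPCE_DENY_POLICY = json.dumps({          # slide 14: Deny unless via one endpoint
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
                   "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}]})
PUBLIC_PUT_POLICY = json.dumps({         # slide 17, first example
    "Version": "2012-10-17",
    "Statement": [{"Principal": "*", "Resource": "*", "Action": "s3:PutObject", "Effect": "Allow"}]})
WILDCARD_VPC_POLICY = json.dumps({       # slide 17, second example: still public
    "Version": "2012-10-17",
    "Statement": [{"Principal": "*", "Resource": "*", "Action": "s3:putobject", "Effect": "Allow",
                   "Condition": {"StringLike": {"aws:sourcevpc": "vpc-*"}}}]})
CROSS_ACCOUNT_POLICY = json.dumps({      # explicit cross-account grant: not public
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_secure_bucket/*"}})
SPECIFIC_VPCE_ALLOW_POLICY = json.dumps({  # "*" narrowed to one endpoint: not public
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::my_secure_bucket/*",
                   "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}]})
PUBLIC_READ_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                               "Permission": "READ"}]}

if __name__ == "__main__":
    for name in ("VPCE_DENY_POLICY", "PUBLIC_PUT_POLICY", "WILDCARD_VPC_POLICY",
                 "CROSS_ACCOUNT_POLICY", "SPECIFIC_VPCE_ALLOW_POLICY"):
        print(f"{name:28s} public={policy_is_public(globals()[name])}")
    print(f"{'PUBLIC_READ_ACL':28s} public={acl_is_public(PUBLIC_READ_ACL)}")
```

Run it against policy files in a review pipeline to catch the slide-17 pattern before Block Public Access has to reject it at deploy time; the real API remains the source of truth for edge cases this approximation does not model.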
• 22. How Amazon S3 authorizes a request
  • User check – check whether the parent account granted permission
  • Bucket check – check whether the bucket owner granted permission
  • Object check – look for an explicit "allow"
  • Policy enforcement: an explicit deny in any policy overrides any allows
• 23. Ex1: Bucket operation requested by bucket owner
  Requester: PD, using the root credentials of AWS account 1111-1111-1111
  Bucket owner: 1111-1111-1111
  Flow: request made with root credentials → Bucket check → Authorized? Yes: Access Granted / No: Access Denied
• 24. Ex2: Bucket operation requested by an IAM user whose parent AWS account is also the bucket owner
  Requester: PD (IAM user); PD's parent account: 1111-1111-1111
  Bucket owner: 1111-1111-1111
  Flow: PD's request → User check (authority: AWS account 1111-1111-1111) → Bucket check (authority: AWS account 1111-1111-1111) → Authorized? Yes: Access Granted / No: Access Denied
• 25. Ex3: Bucket operation requested by an IAM user whose parent AWS account is not the bucket owner
  Requester: PD (IAM user); PD's parent account: 1111-1111-1111
  Bucket owner: 2222-2222-2222
  Flow: PD's request → User check (authority: account 1111-1111-1111) → Bucket check (authority: account 2222-2222-2222) → Authorized? Yes: Access Granted / No: Access Denied
• 26. Ex4: Authorization request for object operation
  Requester: PD (IAM user); PD's parent account: 1111-1111-1111
  Bucket owner: 2222-2222-2222
  Object owner: 3333-3333-3333
  Flow: PD's request → User check (authority: 1111-1111-1111) → Bucket check (authority: 2222-2222-2222) → Object check (authority: 3333-3333-3333) → Authorized? Yes: Access Granted / No: Access Denied
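A runnable model of the four flowcharts above, added as an example (not AWS's implementation): it encodes the rules of slide 22 (the decision starts at Deny; the requester's parent account, the bucket owner and, for object operations, the object owner are consulted in turn; an explicit Deny from any of them overrides every Allow) and replays Ex1 through Ex4 with constructed accounts and grants. Resource owners are modelled as implicitly holding permission on what they own, as the default ACL gives them, unless their own policy denies; that assumption and the simplified grant format are mine, and real S3 evaluation covers more cases (ACL grants, session policies, permission boundaries) than this.

```python
"""Model of the authorization steps on slides 22-26 (added example, not AWS code).

Rules encoded: decisions start at Deny; user check, bucket check and object
check are run by the parent account, bucket owner and object owner; an
explicit Deny anywhere overrides any Allow. Accounts and grants are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Statement:
    authority: str   # account whose IAM policy, bucket policy or object ACL this is
    principal: str   # "1111:PD" (IAM user), "1111" (whole account) or "*" (anyone)
    action: str      # e.g. "s3:ListBucket", "s3:GetObject", or "*"
    effect: str      # "Allow" or "Deny"


@dataclass(frozen=True)
class Request:
    account: str                        # requester's account (parent account of an IAM user)
    user: Optional[str]                 # IAM user name, or None for root credentials
    action: str
    bucket_owner: str
    object_owner: Optional[str] = None  # set only for object operations


def _check(statements, authority, principals, action):
    """One authority's verdict: 'Deny' on any explicit deny, 'Allow' on a
    matching allow, None when it says nothing about this request."""
    verdict = None
    for s in statements:
        if s.authority != authority or s.principal not in principals or s.action not in (action, "*"):
            continue
        if s.effect == "Deny":
            return "Deny"             # explicit deny overrides any allow
        verdict = "Allow"
    return verdict


def authorize(req, statements):
    """Return ('Access Granted' | 'Access Denied', trace of the checks run)."""
    principals = {req.account, "*"}
    if req.user is not None:
        principals.add(f"{req.account}:{req.user}")
    checks = []
    if req.user is not None:                      # root credentials skip the user check (Ex1)
        checks.append(("User check", req.account))
    checks.append(("Bucket check", req.bucket_owner))
    if req.object_owner is not None:
        checks.append(("Object check", req.object_owner))
    trace = []
    for name, authority in checks:
        verdict = _check(statements, authority, principals, req.action)
        if verdict is None and name != "User check" and authority == req.account:
            verdict = "Allow"                     # owner's default permission on its own resource
        trace.append(f"{name} by {authority}: {verdict or 'no grant'}")
        if verdict != "Allow":
            return "Access Denied", trace         # nothing granted, or explicitly denied
    return "Access Granted", trace


# --- constructed scenario: accounts 1111, 2222, 3333 and IAM user PD in 1111 ---
GRANTS = [
    Statement("1111", "1111:PD", "s3:ListBucket", "Allow"),   # PD's IAM policy (user check)
    Statement("1111", "1111:PD", "s3:GetObject", "Allow"),
    Statement("2222", "1111", "s3:ListBucket", "Allow"),      # 2222's bucket policy (bucket check)
    Statement("2222", "1111", "s3:GetObject", "Allow"),
    Statement("3333", "1111", "s3:GetObject", "Allow"),       # 3333's object ACL (object check)
]

EX1 = Request("1111", None, "s3:ListBucket", bucket_owner="1111")
EX2 = Request("1111", "PD", "s3:ListBucket", bucket_owner="1111")
EX3 = Request("1111", "PD", "s3:ListBucket", bucket_owner="2222")
EX4 = Request("1111", "PD", "s3:GetObject", bucket_owner="2222", object_owner="3333")

if __name__ == "__main__":
    for label, req in (("Ex1", EX1), ("Ex2", EX2), ("Ex3", EX3), ("Ex4", EX4)):
        result, trace = authorize(req, GRANTS)
        print(label, result, "|", "; ".join(trace))
    # An explicit Deny in the bucket policy beats PD's IAM Allow and the object ACL.
    denied = GRANTS + [Statement("2222", "*", "s3:GetObject", "Deny")]
    print("Ex4 with bucket-policy Deny:", authorize(EX4, denied)[0])
```

The trace shows which authority stopped a request, which is the question to answer first when debugging an AccessDenied: a missing grant from one of the three authorities looks the same to the caller as an explicit Deny from another.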
• 28. Managing cross-account access in Amazon S3
  Diagram: Account-A owns the bucket; users in other accounts assume AccountARole to reach it. Policy that lets a user assume the role:
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::AccountA:role/AccountARole"
    }
  }
• 29. Cross-region replication – ownership override
  For business continuity, you can use the object ownership override to separate the access control of source objects from that of replicated objects, so that the source object owners cannot read, update, or delete the replicated objects in the destination.
  Diagram: the source bucket owner owns the object; the destination bucket owner owns the replica; the override maintains two different stacks of ownership.
• 31. Encrypt, where?
  • Data in motion – network encryption (HTTPS between the client and your instances)
  • Data at rest – storage encryption (S3 bucket, EBS volume)
  • Data in use – application-level encryption (in application code)
  • Client-side encryption = you encrypt; server-side encryption = AWS encrypts
• 32. Defense in depth
  Diagram: Users → Role → IAM policy → S3 VPC endpoint (VPCe policy) → S3 bucket (bucket policy) → Documents; KMS key (KMS key policy)
• 33. Traditional reasons to not encrypt
  • Performance: latency overhead, crypto acceleration
  • Complexity: fragmented systems, inconsistent controls
  • Availability: loss of keys, key provisioning
• 34. Encryption in AWS
  Diagram: client, corporate data center and AWS Cloud, with audit, access controls, encrypting services, and secondary storage
• 35. AWS KMS integration: AWS services integrated with AWS KMS for customer-owned keys, by AWS offering category
  • Compute: Amazon EC2, AWS Lambda, Amazon Lightsail*
  • Storage: Amazon EBS, Amazon EFS, Amazon FSx for Windows File Server, Amazon S3 Glacier, Amazon S3, AWS Storage Gateway
  • Databases: Amazon Aurora, Amazon DynamoDB*, Amazon DynamoDB Accelerator (DAX)*, Amazon Neptune, Amazon Redshift, Amazon RDS
  • Analytics: Amazon Athena, Amazon Elasticsearch Service, Amazon EMR, AWS Glue, Amazon Kinesis Data Firehose, Amazon Kinesis Data Streams, Amazon Managed Streaming for Kafka (Amazon MSK)
  • Machine learning: Amazon Comprehend*, Amazon Lex, Amazon SageMaker, Amazon Translate
  • Application services: Amazon Elastic Transcoder, Amazon Simple Email Service (Amazon SES), Amazon Simple Queue Service (Amazon SQS)
  • Migration & transfer: AWS Snowball, AWS Snowball Edge, AWS Snowmobile, AWS Database Migration Service
  • Developer tools: AWS Cloud9, AWS CodeBuild, AWS CodeCommit*, AWS CodeDeploy, AWS CodePipeline, AWS X-Ray
  • Management tools: AWS CloudTrail, Amazon CloudWatch Logs, AWS Systems Manager
  • Media services: Amazon Kinesis Video Streams
  • Security & identity: AWS Certificate Manager*, AWS Secrets Manager
  • Enterprise applications: Amazon WorkMail, Amazon WorkSpaces
  • Business productivity: Alexa for Business*
  • Contact center: Amazon Connect
  * Supports only AWS managed KMS keys.
• 36. KMS key hierarchy
  Two-tiered hierarchy for keys
  • Data keys are used to encrypt customer data
  • Customer master keys (CMKs) protect data keys
  • CMK policies control access to data
  • All activity associated with CMKs is logged
  Benefits
  • Envelope encryption avoids managing data keys
  • Encrypted data keys are stored with encrypted objects
  • Well suited to encrypting large data objects
  • Enables local key caching for high-I/O operations
  Diagram: one CMK in the Key Management Service protects a separate data key for an S3 bucket, an EBS volume, and an RDS instance
• 37. Envelope encryption – example: S3 server-side encryption
  Diagram, encrypt path: 1. the CMK in AWS KMS; 2. Amazon S3 sends a generate-data-key request; 3. KMS returns the data key and the encrypted data key; 4. S3 encrypts the plaintext data with the data key and stores the encrypted data together with the encrypted data key in the S3 bucket.
  Diagram, decrypt path: 5. S3 reads the encrypted data and the encrypted data key from the bucket; 6. it sends the encrypted data key to KMS; 7. KMS returns the data key; 8. S3 decrypts the data and returns the plaintext.
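The eight steps of that diagram, run end to end as an added example (not code from the deck or from AWS). FakeKms stands in for AWS KMS: it holds the customer master key and answers GenerateDataKey and Decrypt, and the master key never leaves it. s3_put() encrypts the object with a fresh data key and stores only the encrypted data key beside the ciphertext; s3_get() sends that encrypted data key back to "KMS" to unwrap it and then decrypts locally. The encryption context is bound to the wrapped key as authenticated data, as KMS does. AES is not in the Python standard library, so the cipher below is a constructed stand-in (HMAC-SHA256 keystream plus HMAC tag, encrypt-then-MAC); read it as a placeholder for AES-GCM, not as a cipher to deploy. Key ids and the encryption context string are constructed.

```python
"""Envelope encryption as slides 36-37 describe it (added example, not AWS code).

FakeKms holds the master key and serves GenerateDataKey/Decrypt; the caller
encrypts with the data key and stores the wrapped data key with the object.
The symmetric cipher is a constructed stand-in for AES-GCM.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key, wrong context or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class FakeKms:
    """Stand-in for the two KMS calls the slide's diagram shows."""
    def __init__(self):
        self._cmks = {}      # key id -> master key bytes, never returned to callers
        self.audit = []      # (api, key id, encryption context): what CloudTrail would log

    def create_key(self) -> str:
        key_id = f"cmk-{len(self._cmks) + 1:04d}"     # constructed id, not a KMS ARN
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id: str, context: str):
        """Steps 2-3: return a plaintext data key and its CMK-wrapped copy."""
        self.audit.append(("GenerateDataKey", key_id, context))
        data_key = os.urandom(32)
        wrapped = key_id.encode() + b"|" + seal(self._cmks[key_id], data_key, context.encode())
        return data_key, wrapped

    def decrypt(self, wrapped: bytes, context: str) -> bytes:
        """Steps 6-7: unwrap a data key; the key id travels inside the blob."""
        key_id, blob = wrapped.split(b"|", 1)
        key_id = key_id.decode()
        self.audit.append(("Decrypt", key_id, context))
        return open_(self._cmks[key_id], blob, context.encode())


def s3_put(kms: FakeKms, key_id: str, plaintext: bytes, context: str) -> dict:
    data_key, wrapped = kms.generate_data_key(key_id, context)   # steps 1-3
    stored = {"ciphertext": seal(data_key, plaintext),           # step 4
              "wrapped_data_key": wrapped, "context": context}
    del data_key                                                 # plaintext data key is discarded
    return stored


def s3_get(kms: FakeKms, stored: dict, context=None):
    """Steps 5-8. Returns None when KMS refuses to unwrap or the object fails its tag."""
    try:
        data_key = kms.decrypt(stored["wrapped_data_key"], context or stored["context"])
        return open_(data_key, stored["ciphertext"])
    except ValueError:
        return None


if __name__ == "__main__":
    kms = FakeKms()
    cmk = kms.create_key()
    obj = s3_put(kms, cmk, b"quarterly numbers", "bucket=my-secure-bucket,key=q2.csv")
    print(s3_get(kms, obj))                                 # b'quarterly numbers'
    print(s3_get(kms, obj, context="bucket=other"))         # None: context mismatch
    print(kms.audit)
```

Two properties worth noticing: the stored object carries no usable key material without a KMS Decrypt call, so disabling or deleting the CMK makes every object under it unreadable, and every unwrap lands in the audit list with its encryption context, which is what the CloudTrail slide later relies on.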
• 38. Key management lifecycle: define key use, create, delete, disable, enable, recover, back up, rotate
• 39. Two approaches for managing your keys
  AWS managed master keys
  • AWS services request AWS KMS to automatically create master keys
  • Keys are in your account but can only be used by the AWS services that created them
  Customer managed master keys
  • You create your master keys in advance using AWS KMS
  • You choose which keys to use when setting up an AWS service to use encryption
  All operational aspects are the same: security, latency, throughput, durability, availability, and auditability
• 40. Take control over your keys
  • Control who can manage and use your keys
  • Limit how your keys can be used (scope reduction)
  • Define conditions of use (encryption context = specific data objects)
  • Delegate permissions and share access across accounts
  • Enable and disable keys instantly
  • Control key deletion
  • Control key rotation
  • Organize your keys with aliases and tags
  • Use keys outside AWS encrypting services
  • Use the AWS Encryption SDK or AWS KMS directly to encrypt data
• 41. Audit AWS KMS usage with AWS CloudTrail
  "EventName": "DecryptResult",                                               …this KMS API action was called…
  "EventTime": "2014-08-18T18:13:07Z",                                        …at this time
  "RequestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex"},      …in reference to this key
  "EncryptionContext": "volumeid-12345",                                      …to protect this AWS resource
  "SourceIPAddress": "203.0.113.113",                                         …from this IP address
  "UserIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}           …by this AWS user in this account
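Turning those annotations into a check, as an added example (not code from the deck or from AWS). The records below are constructed to the field layout CloudTrail uses (eventName, eventTime, requestParameters, sourceIPAddress, userIdentity.arn), with the slide's key id and account number reused as placeholders; the expected-use table, the second principal, the network range and the extra events are mine. explain() answers the slide's five questions for one record; audit() flags any use of a key by a principal, network or AWS service that the key's expected-use entry does not name, which is the step that turns the log into a detection.

```python
"""Reading the KMS audit trail the slide annotates (added example, not AWS code).

Records and expected-use table are constructed; field names follow CloudTrail.
"""
import ipaddress

# Expected usage per key (constructed): who may use it, and from where.
EXPECTED_USE = {
    "2b42x363-1911-4e3a-8321-6b67329025ex": {
        "principals": {"arn:aws:iam::111122223333:user/User123",
                       "arn:aws:iam::111122223333:role/backup-role"},
        "networks": [ipaddress.ip_network("203.0.113.0/24")],   # corporate egress range
        "services": {"ec2.amazonaws.com"},                      # EBS volume encryption on our behalf
    },
}

# Constructed CloudTrail-style records (not real log data).
EVENTS = [
    {"eventName": "Decrypt", "eventTime": "2014-08-18T18:13:07Z",
     "requestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex",
                           "encryptionContext": {"aws:ebs:id": "vol-12345"}},
     "sourceIPAddress": "203.0.113.113",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}},
    {"eventName": "Decrypt", "eventTime": "2014-08-18T18:14:02Z",
     "requestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex",
                           "encryptionContext": {"aws:ebs:id": "vol-12345"}},
     "sourceIPAddress": "ec2.amazonaws.com",              # call made by an AWS service
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/backup-role"}},
    {"eventName": "Decrypt", "eventTime": "2014-08-18T22:41:55Z",
     "requestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex",
                           "encryptionContext": {"aws:ebs:id": "vol-12345"}},
     "sourceIPAddress": "198.51.100.7",                   # outside the expected range
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}},
    {"eventName": "Decrypt", "eventTime": "2014-08-18T23:02:10Z",
     "requestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex",
                           "encryptionContext": {"aws:ebs:id": "vol-12345"}},
     "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}},  # unexpected principal
]


def explain(event: dict) -> str:
    """The slide's reading of one record: which API, when, which key, which
    resource (encryption context), from which address, by whom."""
    p = event["requestParameters"]
    ctx = ",".join(f"{k}={v}" for k, v in p.get("encryptionContext", {}).items()) or "-"
    return (f"{event['eventName']} at {event['eventTime']} on key {p['keyId']} "
            f"for {ctx} from {event['sourceIPAddress']} by {event['userIdentity']['arn']}")


def audit(events, expected=EXPECTED_USE):
    """Return (eventTime, keyId, reason) for every record outside expected use."""
    findings = []
    for e in events:
        key_id = e["requestParameters"].get("keyId")
        rule = expected.get(key_id)
        if rule is None:
            findings.append((e["eventTime"], key_id, "no expected-use entry for key"))
            continue
        arn = e["userIdentity"]["arn"]
        if arn not in rule["principals"]:
            findings.append((e["eventTime"], key_id, f"unexpected principal {arn}"))
        src = e["sourceIPAddress"]
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:                      # AWS services log a DNS name, not an IP
            if src not in rule["services"]:
                findings.append((e["eventTime"], key_id, f"unexpected service {src}"))
            continue
        if not any(ip in net for net in rule["networks"]):
            findings.append((e["eventTime"], key_id, f"unexpected source address {ip}"))
    return findings


if __name__ == "__main__":
    for e in EVENTS:
        print(explain(e))
    for f in audit(EVENTS):
        print("FINDING:", *f)
```

The service-name branch matters in practice: calls KMS makes on behalf of EBS, S3 or Lambda carry the service's DNS name in sourceIPAddress, and a rule that only understands IP ranges will either crash on them or, worse, never alert on a key being used by a service you did not expect.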
• 42. Bring your own key (BYOK)
  Do you have any of these requirements?
  • Control how your key was generated (entropy sources)
  • Keep your own backup copy of your key material
  • Upload keys only when you need them
• 43. AWS KMS custom key store
  Enables you to use an AWS CloudHSM cluster that you control as your own KMS key store. Your KMS keys are generated, stored, and used in devices that are comparable to traditional on-premises HSMs. AWS CloudHSM provides cloud-based HSMs that are easy to scale, with automatic provisioning, high availability, and managed backups.
  Diagram: clients and AWS services using keys in the custom key store
• 44. Amazon S3 default encryption
  Provides S3 encryption-at-rest support for applications that do not otherwise support encrypting data in Amazon S3
  • One-time bucket-level setup
  • Automatically encrypts all new objects
  • Supports SSE-S3 and SSE-KMS
  • Simplified compliance
• 46. Monitoring Amazon S3 security settings
  • Bucket access control view in the S3 console
  • Trusted Advisor
  • Amazon Macie
  • AWS Config rules: s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited
• 47. Monitoring Amazon S3 security settings (continued)
  • AWS CloudTrail
  • Object encryption status: Amazon S3 Inventory
  • Amazon S3 server access logs
• 49. Let's recap some of the best practices
  • Always follow the principle of least privilege
  • Most use cases don't require public access – turn on the Amazon S3 Block Public Access settings
  • Authorization: all decisions start at Deny
  • Authorization: an explicit Deny will override any allows
  • Use default encryption to protect your data
  • Monitor and audit your data with tools such as AWS Trusted Advisor, AWS Config, AWS CloudTrail, and S3 Inventory
• 50. Let's recap some of the best practices
  • Encryption by default is a realistic goal
  • Sound key management provides enhanced access controls and visibility
  • AWS KMS is durable, secure, and integrated with 50+ AWS services
  • You have choices about the controls you place over your keys
  • AWS KMS can be used as an independent control point for your own applications and AWS partner solutions
• 51. Thank you! Ahmed Gouda, /ahmedgouda, @AskGouda