Encryption

Cards (31)

  • Encryption in flight, also known as TLS or SSL, is a method where data is encrypted before sending and decrypted after receiving.
  • TLS certificates are used in encryption in flight to ensure the identity of the sender and receiver.
  • Encryption in flight (TLS / SSL): Encryption in flight ensures no MITM (man-in-the-middle) attack can happen
  • Server-side encryption at rest. The encryption / decryption keys must be managed somewhere, and the server must have access to them
  • Client-side encryption
    Data is encrypted & decrypted by the client and never decrypted by the server. It can leverage Envelope Encryption
  • CloudHSM
    • KMS => AWS manages the software for encryption. CloudHSM => AWS provisions encryption hardware
    • Dedicated Hardware (HSM = Hardware Security Module)
    • You manage your own encryption keys entirely (not AWS)
    • HSM device is tamper resistant
    • Supports both symmetric and asymmetric encryption (SSL/TLS keys)
    • No free tier available
    • Must use the CloudHSM Client Software
    • Redshift supports CloudHSM for database encryption and key management
    • Good option to use CloudHSM with SSE-C (Server Side Encryption - Custom) encryption
  • CloudHSM vs. KMS
  • CloudHSM – Integration with AWS and 3rd Party Services
    Integration with AWS Services:
    • Through integration with AWS KMS
    • Configure KMS Custom Key Store with CloudHSM
    • Example: EBS, S3, RDS, ...
    • Supports RDS Oracle TDE (through KMS)
  • CloudHSM – Integration with AWS and 3rd Party Services
    Integration with 3rd Party Services:
    • Allows creating and storing keys in CloudHSM
    • Use cases: SSL/TLS Offload, Windows Server Certificate Authority (CA), Oracle TDE, Microsoft SignTool, Java Keytool, ...
  • Use AWS Resource Access Manager (AWS RAM) to share resources you create in one AWS account with other accounts.
  • CloudHSM – Sharing Cluster Across Accounts
    • You can share the private subnets a CloudHSM cluster resides in using AWS RAM
    • You CANNOT share the CloudHSM cluster itself by using RAM; you share the underlying subnet itself.
    • Share VPC Subnets with entire Organization, specific OUs, or AWS accounts
    • Note: configure CloudHSM Security Group to allow traffic from clients
  • Asymmetric Encryption
    • Also known as public key cryptography.
    • Uses both a Public and Private key.
    • One always encrypts whilst the other decrypts
  • Symmetric Encryption
    The same key is used for both encryption and decryption
  • What's the difference between Asymmetric Encryption (AE) and Symmetric Encryption (SE)?
    SE uses the same key to both encrypt and decrypt data, while AE uses two different keys for the same purpose
  • Which is preferred for storing sensitive values at code runtime (Lambda or otherwise): Secrets Manager or environment variables?
    AWS recommends that you use Secrets Manager instead of environment variables whenever you can