
Page 1: AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for High Security (SEC303)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ken Beer, General Manager, AWS Key Management Service

Cory Minkovich, Staff Software Engineer, Box Inc.

SEC303

Get the Most from AWS KMS: Architecting Applications for High Security

November 29, 2016

Page 2

What to expect from this short talk

• How to approach secure application design

• Best practices for using AWS KMS

• New key management feature – Import Key

• A partner shares their experience using AWS KMS

Page 3

Goals for secure application design

Confidentiality – only authorized users can access data

Integrity – data can’t be changed without detection

Availability – data is accessible when needed

Page 4

Confidentiality

• Access control on systems and/or data itself

  • Principal, Action, Resource, Condition

• Encryption

  • Renders data inaccessible without a key

  • Authenticated encryption protects data from modification

  • Easier to tightly control access to a key than the data

  • Independent controls for keys and data

Page 5

Integrity

• Physical integrity

  • Replicate across independent systems

  • Mitigates risk of data corruption or code errors

• Logical integrity

  • Checksum

  • Message authentication code (MAC)

  • Digital signature

Page 6

Availability

• Ability to access ANY copy of the data

  • How much time can your users live with zero access?

• Latency of access to primary copy of the data

  • How much time can your users wait for normal access?

Page 7

Sample application requirements

1. Retrieve multiple encrypted secrets and deploy to instance (e.g. database passwords, credentials to a 3rd-party service)

2. Decrypt material and provision plaintext secrets on the instance

Implications for security…

• C – Don’t store plaintext secrets on disk

• C – Don’t decrypt secrets anywhere but the instance

• I – Keep ciphertext of secrets in multiple locations

• I – Ensure secrets haven’t changed since last used

• A – If instance can launch, secrets should be accessible

• A – Time to provision all secrets to instance < 1 minute

Page 8

Mapping KMS features to requirements

“Don’t store plaintext secret on disk” and

“Don’t decrypt secret anywhere but the instance”

Implies…

• Encryption and decryption of secret should happen within your application code running on your instance – no server-side encryption

• KMS-integrated client-side options:

• AWS Encryption SDK

• S3 Encryption Client

• DynamoDB Encryption Client

Page 9

Client integration with KMS

Two-tiered key hierarchy using envelope encryption

• Unique data key encrypts customer data

• KMS master keys encrypt data keys

Benefits

• Limits risk of compromised data key

• Better performance for encrypting large data

• Easier to manage small number of master keys than millions of data keys

• Centralized access and audit of key activity

[Diagram: customer master keys held in KMS encrypt Data key 1–4; the data keys in turn encrypt an S3 object, an EBS volume, an Amazon Redshift cluster and a custom application’s data]

Page 10

Mapping KMS features to requirements

“Keep ciphertext of secrets in multiple locations”

Implies…

Use a redundant storage architecture

- S3 is designed to provide 99.999999999% durability

- Backup copy in DynamoDB (or vice versa)

Page 11

Mapping KMS features to requirements

“Ensure secrets haven’t changed since last used”

Implies…

• Use an authenticated encryption method (e.g. AES-GCM)

• Use KMS Encryption Context as input for signing ciphertext: a string-string pair submitted with kms.Encrypt, kms.GenerateDataKey* and kms.Decrypt calls

• KMS Encryption Context values can be enforced via policy and they show up in AWS CloudTrail logs

"requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": "volumeid-123abcd4"}
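The envelope pattern from pages 9 to 11, with the encryption context bound as AES-GCM additional authenticated data, as an added Go example (not code from the talk). The local master key is a stand-in for the CMK held inside KMS; in production kms.GenerateDataKey and kms.Decrypt replace the two master-key operations and KMS binds the context the same way.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// canonicalContext: deterministic AAD bytes for a string-string context; json.Marshal sorts map keys.
func canonicalContext(ctx map[string]string) []byte {
	aad, _ := json.Marshal(ctx) // cannot fail for map[string]string
	return aad
}

// seal returns nonce || ciphertext || tag; aad is authenticated, so a different context at open time fails.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// EncryptSecret is the client-side envelope step: a fresh 256-bit data key encrypts the secret and
// is wrapped under master, a local stand-in for the CMK (kms.GenerateDataKey does this inside KMS).
func EncryptSecret(master, secret []byte, ctx map[string]string) (wrappedKey, ciphertext []byte, err error) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	aad := canonicalContext(ctx)
	if wrappedKey, err = seal(master, dataKey, aad); err != nil {
		return nil, nil, err
	}
	ciphertext, err = seal(dataKey, secret, aad)
	return wrappedKey, ciphertext, err
}

// DecryptSecret unwraps the data key (kms.Decrypt in production) and then the
// secret; both steps need the encryption context used at encryption time.
func DecryptSecret(master, wrappedKey, ciphertext []byte, ctx map[string]string) ([]byte, error) {
	aad := canonicalContext(ctx)
	dataKey, err := open(master, wrappedKey, aad)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ciphertext, aad)
}
```

Only the wrapped data key and the ciphertext need to be persisted; the plaintext data key and the decrypted secret exist solely in instance memory, which is what the "no plaintext on disk" requirement asks for.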

Page 12

Mapping KMS features to requirements

“If instance can launch, secrets should be accessible” and

“Time to provision plaintext secrets to instance < 1 minute”

Implies…

• Use KMS endpoints in the same region as EC2 instance

• Measure request latencies and decide whether to cache data keys in memory for faster encrypt/decrypt times

• Note: Be very careful that you understand how/when keys are re-used

Page 13

Best practices for client-side use of KMS

• Encoding

  • If using AWS CLI – understand base64 behavior; AWS SDKs using KMS APIs assume raw bytes

• Request rates

  • KMS throttles at 100 rps per calling account for encrypt/decrypt operations – we can make exceptions depending on your use case

• Use key aliases instead of 32-char keyId

  • Enables you to re-use code in multiple regions, even with different KMS master keyIds across regions

  • Note: Aliases aren’t supported in KMS key or IAM policies

Page 14

Authorization logic in KMS

• Key Policy is King!

  • You can choose to delegate to IAM policies

  • KMS grants are policy objects designed to be programmatically created and revoked as resources are placed “in use” and “at rest”

• IAM policies must reference the KMS keyId

  • Don’t expect to use aliases

  • Avoid using Resource: “*”; this gives permission to use ALL keys in your account

[Diagram: authorization flow answering “Is this user/group/role allowed to perform this action on this master key?” – 1. KMS Key Policy (does it delegate to an IAM Policy referencing this keyId?), 2. KMS Grants]
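An added example, not from the talk, that checks an IAM or key policy document for the two mistakes this slide warns about: key-scoped kms: actions granted on Resource "*" and resources given as alias ARNs. Which actions count as key-scoped and the ":alias/" test are my assumptions; Statement is assumed to be a JSON array.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement holds the policy fields this check reads; Action and Resource may be a string or an array.
type Statement struct {
	Effect   string
	Action   json.RawMessage
	Resource json.RawMessage
}

// asList normalises a JSON string-or-array field into a slice.
func asList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	json.Unmarshal(raw, &many)
	return many
}

// anyKeyScoped reports whether the actions include a data-plane call on a particular CMK (assumed
// list), so Resource should name that key. Account-level calls such as kms:CreateKey need "*".
func anyKeyScoped(actions []string) bool {
	for _, a := range actions {
		a = strings.ToLower(a)
		if a == "*" || a == "kms:*" {
			return true
		}
		for _, p := range []string{"kms:encrypt", "kms:decrypt", "kms:generatedatakey", "kms:reencrypt"} {
			if strings.HasPrefix(a, p) {
				return true
			}
		}
	}
	return false
}

// CheckKMSResources returns one finding per Allow statement that grants a key-scoped action
// against Resource "*" (every key in the account) or an alias ARN (not honoured in policies).
func CheckKMSResources(policyJSON []byte) ([]string, error) {
	var p struct{ Statement []Statement }
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" || !anyKeyScoped(asList(st.Action)) {
			continue
		}
		for _, r := range asList(st.Resource) {
			switch {
			case r == "*":
				findings = append(findings, fmt.Sprintf("statement[%d]: Resource \"*\" grants use of ALL keys in the account; name the key ARN", i))
			case strings.Contains(r, ":alias/"):
				findings = append(findings, fmt.Sprintf("statement[%d]: Resource %s is an alias; IAM and key policies must reference the key ARN or keyId", i, r))
			}
		}
	}
	return findings, nil
}
```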

Page 15

Key management options

Page 16

Comparison of key management options

Columns: KMS | CloudHSM | AWS Marketplace Partner Solutions | DIY

Where keys are generated and stored: KMS – AWS, or imported by you; CloudHSM – In AWS, on a 3rd party HSM that you control; Partner Solutions – Your network or in EC2 instance; DIY – Your network or in EC2 instance

Where keys are used: KMS – AWS services or your applications; CloudHSM – AWS or your applications; Partner Solutions – Your network or your EC2 instance; DIY – Your network or your EC2 instance

How to control key use: KMS – Policy you define; enforced by AWS; CloudHSM – SafeNet-specific access controls; Partner Solutions – Vendor-specific access controls; DIY – You implement access controls

Responsibility for performance/scale: KMS – AWS; CloudHSM – You; Partner Solutions – You; DIY – You

Integration with AWS services?: KMS – Yes; CloudHSM – Limited; Partner Solutions – Limited; DIY – Limited

Pricing model: KMS – Per master key + usage; CloudHSM – Up front + per hour; Partner Solutions – Variable; DIY – Variable


Page 22

KMS Import Key – giving you more control

• You control how master keys are generated

• You store the master copy of the keys

• You import the key into KMS and set an optional expiration time

• You use imported keys with all KMS-integrated services and SDKs

• You can delete and re-import the key at any time to control when you or AWS can use it to encrypt/decrypt data on your behalf

• Works with standards-based key management infrastructure, including SafeNet Gemalto and Thales e-Security

Page 23

Import Key workflow

1. Create customer master key (CMK) container – KMS creates an empty CMK container with a unique keyId

2. Download a public wrapping key – KMS returns an RSA public key

3. Export your key material from your key management infrastructure, encrypted under the public wrapping key – your 256-bit key material is now encrypted under the KMS public key

4. Import the encrypted key material under the KMS CMK keyId and set an optional expiration period – your key material is protected in KMS
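The four-step workflow above simulated end to end, as an added Go example (not the talk’s or AWS’s code): the Container type stands in for the KMS side, RSAES-OAEP with SHA-256 is assumed as the wrapping algorithm, and the current time is passed in explicitly so expiry can be exercised.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// Container stands in for KMS state: the empty CMK created for import, the RSA
// wrapping key pair KMS generates for it, and after import the key material.
type Container struct {
	KeyID    string
	wrapKey  *rsa.PrivateKey
	material []byte
	expires  time.Time // zero value means the material never expires
}

// CreateContainer is step 1: KMS creates the container and a wrapping key pair.
func CreateContainer(keyID string) (*Container, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Container{KeyID: keyID, wrapKey: priv}, nil
}

// WrappingKey is step 2: the public half is what the customer downloads.
func (c *Container) WrappingKey() *rsa.PublicKey { return &c.wrapKey.PublicKey }

// ExportWrapped is step 3, run inside the customer's key management
// infrastructure: the 256-bit key material is encrypted under the public
// wrapping key (RSAES-OAEP with SHA-256 assumed) so only KMS can unwrap it.
func ExportWrapped(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	if len(material) != 32 {
		return nil, errors.New("key material must be 256 bits")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

// Import is step 4: KMS unwraps with the private key that never left it and
// records the optional expiration; a zero time means no expiry.
func (c *Container) Import(wrapped []byte, expires time.Time) error {
	material, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.wrapKey, wrapped, nil)
	if err != nil {
		return err
	}
	if len(material) != 32 {
		return errors.New("unwrapped material is not 256 bits")
	}
	c.material, c.expires = material, expires
	return nil
}

// Usable reports whether the CMK can encrypt/decrypt at time now: material must be
// present and unexpired. Deleting it or letting it expire withdraws AWS's ability to use it.
func (c *Container) Usable(now time.Time) bool {
	return c.material != nil && (c.expires.IsZero() || now.Before(c.expires))
}

// DeleteMaterial removes the imported material; the container and keyId stay,
// so the same material can be re-imported later.
func (c *Container) DeleteMaterial() { c.material, c.expires = nil, time.Time{} }
```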

Page 24

Getting the most from KMS

• Identify your C-I-A requirements up front

• Use envelope encryption as a way to limit blast radius of any single data key

• Think carefully about data key re-use when trying to improve performance

• Use Encryption Context where practical

• Use Import Key for more control (if you have existing key management infrastructure)

• Verify that AWS CloudTrail logs tell you what you need

Page 25

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Cory Minkovich

Staff Software Engineer, Box Inc.

November 29, 2016

Box KeySafe: How KMS saved us from managing HSMs

Page 26

Box is a modern content management platform that transforms how organizations work and collaborate to achieve results faster.

Page 27

Box is a Content Platform for the Modern Enterprise

• Built for cloud and mobile

• Connects to all your business apps

• Centralized security controls

• Comes with unlimited storage for users

Page 28

Powering digital transformation in every industry

[Diagram: Healthcare Provider example – Content Management, Collaboration, Advanced Security and a Custom Application serving Patients]

Page 29

Customer-managed encryption is hard

Historically the choice was between…

Client-side agent: works well for basic storage, but not collaborative cloud services or multiple devices (ex: nCrypted Cloud, Microsoft RMS)

Proxy-based: works well for selective encryption, but breaks many cloud applications (ex: most CASBs)

API (after upload): also best suited for selective encryption and also breaks cloud apps (ex: most CASBs)

Page 30

Drawbacks of historic solutions

Productivity & Ease of Use

• Breaks file preview

• Breaks mobile access

• Breaks 3rd-party app integrations

Overall Security

• Breaks antivirus

• Breaks DLP tools

• Blocks file preview as a security feature

Governance Controls

• eDiscovery not possible/difficult

• Content workflow will be limited

Incentive for Shadow IT

• Complicates UX

• Encourages adoption of unsanctioned tools

Page 31

Introducing Box KeySafe for customer-managed encryption

• Secure, reliable, on-demand

• Software-based approach

• Simple, configurable in 30 minutes

Page 32

How Box Encryption works: a comparison of approaches

Page 33

Native Box Encryption

1. File uploaded (customer)

2. Unique DEK generated

3. File encrypted with DEK

4. Encrypted file stored

5. DEK encrypted with Box KEK

6. Encrypted DEK stored

Page 34

KeySafe with AWS CloudHSM

1. File uploaded (customer)

2. File encrypted with Box Key

3. Box Key encrypted with Customer Key (includes Audit Params)

3. Audit logs updated

[Diagram components: CUSTOMER with a Backup HSM; Amazon Web Services hosting the Gemalto SafeNet HSM; audit LOG]

Page 35

KeySafe with AWS KMS

1. File uploaded (customer)

2. File encrypted with Box Key

3. Box Key encrypted with Customer Key (includes Audit Params)

3. Audit logs updated

[Diagram components: CUSTOMER with a Backup HSM; Amazon Web Services hosting KMS; audit LOG]

Page 36

AWS CloudHSM vs. AWS KMS

Request rate (crypto + audit logging): CloudHSM – Audit logging increases latency; KMS – Default limit is 100 rps but can be increased

Audit logging: CloudHSM – Separate requests (higher latency); KMS – Same request

Reliability: CloudHSM – Customer must manage patching and HA; Box must support every HSM version; KMS – No observed problems so far

Durability: CloudHSM – Back up HSM + possible multi-region setup; KMS – Trust Amazon or import own key to KMS

Integration complexity: CloudHSM – 1k lines + SDK + multiple RPMs; KMS – 200 lines + SDK

Page 37

Code architecture

Page 38

KeySafe Architecture

[Diagram: the Key Encryption Decryption Service (KEDS) reaches each customer’s HSMs (HSM 1–3 for Customer 1 and for Customer 2) through an HSM Connector, and also talks to AWS KMS]

Page 39

KMS code samples – health checking

Page 40

KMS code samples – CloudTrail logging

annotation: {
  box-req: "50F8B0EA6BF3F", box-oid: "file_345678", box-uid: "12345", box-eid: "67890"
}

AWS CloudTrail Log

Page 41

KMS challenges

Page 42

Key rotation concerns

• Native key rotation is supported, but…

  • Only yearly supported natively

  • Some customers want quarterly rotation

  • Changing the master key quarterly is really cumbersome

• Some compliance schemes require re-encrypt after rotation

  • Bulk re-encrypt operations are problematic

• Only CloudTrail knows if key rotation happens

  • No way to know if encrypted blob was created before or after key rotation

  • Only way to be safe is to re-encrypt all the data keys every year

Page 43

Key availability concerns

• KMS keys are regionally isolated

  • HA within region but no customer backup

  • Some customers want more control

• Key import supports multi-region

  • Same key material can be imported to multiple regions, but each region’s key has unique keyId

  • Lack of multiple imported key versions breaks simple key rotation, and requires creation of multiple master keyIds

  • Not easy to automate on customer side or Box side

Page 44

KeySafe summary

• Integrating with AWS CloudHSM and KMS allows Box:

  • Guaranteed audit trail

  • Ultimate access control delegated to customers

  • Easy to incorporate into envelope encryption

• Tradeoffs

  • Minor latency increase

  • Availability surface area increase

Page 45

Thank you!

Email me at

[email protected]

with any questions!

Page 46

Remember to complete your evaluations!