aws re:invent 2016: get the most from aws kms: architecting applications for high security (sec303)
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ken Beer, General Manager, AWS Key Management Service
Cory Minkovich, Staff Software Engineer, Box Inc.
SEC303
Get the Most from AWS KMS: Architecting Applications for High Security
November 29, 2016
What to expect from this short talk
• How to approach secure application design
• Best practices for using AWS KMS
• New key management feature – Import Key
• A partner shares their experience using AWS KMS
Goals for secure application design
Confidentiality – only authorized users can access data
Integrity – data can’t be changed without detection
Availability – data is accessible when needed
Confidentiality
• Access control on systems and/or data itself
  • Principal, Action, Resource, Condition
• Encryption
  • Renders data inaccessible without a key
  • Authenticated encryption protects data from modification
  • Easier to tightly control access to a key than the data
  • Independent controls for keys and data
Integrity
• Physical integrity
  • Replicate across independent systems
  • Mitigates risk of data corruption or code errors
• Logical integrity
  • Checksum
  • Message authentication code (MAC)
  • Digital signature
Availability
• Ability to access ANY copy of the data
  • How much time can your users live with zero access?
• Latency of access to primary copy of the data
  • How much time can your users wait for normal access?
Sample application requirements
1. Retrieve multiple encrypted secrets and deploy to instance
(e.g. database passwords, credentials to a 3rd-party service)
2. Decrypt material and provision plaintext secrets on the instance
Implications for security…
• C – Don’t store plaintext secrets on disk
• C – Don’t decrypt secrets anywhere but the instance
• I – Keep ciphertext of secrets in multiple locations
• I – Ensure secrets haven’t changed since last used
• A – If instance can launch, secrets should be accessible
• A – Time to provision all secrets to instance < 1 minute
Mapping KMS features to requirements
“Don’t store plaintext secret on disk” and
“Don’t decrypt secret anywhere but the instance”
Implies…
• Encryption and decryption of secret should happen within your
application code running on your instance – no server-side encryption
• KMS-integrated client-side options:
• AWS Encryption SDK
• S3 Encryption Client
• DynamoDB Encryption Client
Client integration with KMS
Two-tiered key hierarchy using envelope encryption
• Unique data key encrypts customer data
• KMS master keys encrypt data keys
Benefits
• Limits risk of compromised data key
• Better performance for encrypting large data
• Easier to manage small number of master
keys than millions of data keys
• Centralized access and audit of key activity
[Diagram: KMS holds the customer master keys; data keys 1 to 4 are each encrypted by a master key and in turn encrypt an S3 object, an EBS volume, an Amazon Redshift cluster and a custom application’s data]
Mapping KMS features to requirements
“Keep ciphertext of secrets in multiple locations”
Implies…
Use a redundant storage architecture
- S3 is designed to provide 99.999999999% durability
- Backup copy in DynamoDB (or vice versa)
Mapping KMS features to requirements
“Ensure secrets haven’t changed since last used”
Implies…
• Use an authenticated encryption method (e.g. AES-GCM)
• Use KMS Encryption Context as input for signing ciphertext: a string-string pair submitted with kms.Encrypt, kms.GenerateDataKey* and kms.Decrypt calls
• KMS Encryption Context values can be enforced via policy and they show up in AWS CloudTrail logs
"requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": "volumeid-123abcd4"}
Mapping KMS features to requirements
“If instance can launch, secrets should be accessible” and
“Time to provision plaintext secrets to instance < 1 minute”
Implies…
• Use KMS endpoints in the same region as EC2 instance
• Measure request latencies and decide whether to cache data keys in memory for faster encrypt/decrypt times
• Note: Be very careful that you understand how/when keys are re-used
Best practices for client-side use of KMS
• Encoding
  • If using AWS CLI – understand base64 behavior; AWS SDKs using KMS APIs assume raw bytes
• Request rates
  • KMS throttles at 100 rps per calling account for encrypt/decrypt operations – we can make exceptions depending on your use case
• Use key aliases instead of 32-char keyId
  • Enables you to re-use code in multiple regions, even with different KMS master keyIds across regions
  • Note: Aliases aren’t supported in KMS key or IAM policies
Authorization logic in KMS
• Key Policy is King!
  • You can choose to delegate to IAM policies
• KMS grants are policy objects designed to be programmatically created and revoked as resources are placed “in use” and “at rest”
• IAM policies must reference the KMS keyId
  • Don’t expect to use aliases
  • Avoid using Resource: “*”; this gives permission to use ALL keys in your account
[Diagram: authorization decision: 1. the KMS key policy, asking “IAM policy referencing this keyId?”, then 2. KMS grants; together they answer “Is this user/group/role allowed to perform this action on this master key?”]
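An added check, not code from the talk: a small Node.js lint for the “IAM policies must reference the KMS keyId” and “avoid Resource: "*"” points above. It flags Allow statements that grant KMS actions on a wildcard resource and cryptographic operations on an alias ARN; the sample policies, the placeholder account id and the ARN patterns are constructed for this example.

```javascript
// asList normalises IAM policy fields that may be written as one string or an array.
function asList(v) { return v === undefined ? [] : Array.isArray(v) ? v : [v]; }

// Cryptographic operations act on a specific key, so a statement allowing them has to
// name key ARNs; an alias ARN as Resource does not match the key (slides: "IAM policies
// must reference the KMS keyId"). Alias-management actions legitimately use alias ARNs.
const CRYPTO_OP = /^kms:(\*|Encrypt|Decrypt|ReEncrypt\w*|GenerateDataKey\w*)$/i;
const ALIAS_ARN = /^arn:[^:]+:kms:[^:]*:[^:]*:alias\//;
const ALL_KEYS = /^arn:[^:]+:kms:[^:]*:[^:]*:key\/\*$/;

// lintKmsPolicy returns one finding per Allow statement that either grants KMS actions
// on a wildcard resource (reaching every key whose key policy delegates to IAM) or grants
// cryptographic operations on an alias ARN that will never match a key.
function lintKmsPolicy(policyJson) {
  const findings = [];
  asList(JSON.parse(policyJson).Statement).forEach((stmt, index) => {
    const actions = asList(stmt.Action);
    const touchesKms = actions.some(a => a === '*' || /^kms:/i.test(a));
    if (stmt.Effect !== 'Allow' || !touchesKms) return;
    const cryptoOp = actions.some(a => a === '*' || CRYPTO_OP.test(a));
    for (const resource of asList(stmt.Resource)) {
      if (resource === '*' || ALL_KEYS.test(resource)) {
        findings.push({ index, resource, issue: 'wildcard-resource' });
      } else if (cryptoOp && ALIAS_ARN.test(resource)) {
        findings.push({ index, resource, issue: 'alias-resource' });
      }
    }
  });
  return findings;
}

// Constructed samples: the weak statement beside the corrected one. The account id is a
// placeholder; the keyId is the one shown in the slides' CloudTrail sample.
const KEY_ARN = 'arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const WEAK_POLICY = JSON.stringify({
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['kms:Decrypt', 'kms:GenerateDataKey'], Resource: '*' }],
});
const FIXED_POLICY = JSON.stringify({
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['kms:Decrypt', 'kms:GenerateDataKey'], Resource: KEY_ARN }],
});
```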
Key management options
Comparison of key management options (KMS, CloudHSM, AWS Marketplace partner solutions, DIY)
• Where keys are generated and stored: KMS: AWS, or imported by you; CloudHSM: in AWS, on a 3rd-party HSM that you control; AWS Marketplace partner solutions: your network or in EC2 instance; DIY: your network or in EC2 instance
• Where keys are used: KMS: AWS services or your applications; CloudHSM: AWS or your applications; AWS Marketplace partner solutions: your network or your EC2 instance; DIY: your network or your EC2 instance
• How to control key use: KMS: policy you define, enforced by AWS; CloudHSM: SafeNet-specific access controls; AWS Marketplace partner solutions: vendor-specific access controls; DIY: you implement access controls
• Responsibility for performance/scale: KMS: AWS; CloudHSM: you; AWS Marketplace partner solutions: you; DIY: you
• Integration with AWS services? KMS: yes; CloudHSM: limited; AWS Marketplace partner solutions: limited; DIY: limited
• Pricing model: KMS: per master key + usage; CloudHSM: up front + per hour; AWS Marketplace partner solutions: variable; DIY: variable
KMS Import Key – giving you more control
• You control how master keys are generated
• You store the master copy of the keys
• You import the key into KMS and set an optional expiration time
• You use imported keys with all KMS-integrated services and SDKs
• You can delete and re-import the key at any time to control when
you or AWS can use it to encrypt/decrypt data on your behalf
• Works with standards-based key management infrastructure,
including SafeNet Gemalto and Thales e-Security
Import Key workflow
1. Create a customer master key (CMK) container: KMS creates an empty CMK container with a unique keyId.
2. Download a public wrapping key: KMS provides an RSA public key.
3. Export your key material from your key management infrastructure encrypted under the public wrapping key: your 256-bit key material, encrypted under the KMS public key.
4. Import the encrypted key material under the KMS CMK keyId and set an optional expiration period: your key material is now protected in KMS.
Getting the most from KMS
• Identify your C-I-A requirements up front
• Use envelope encryption as a way to limit blast radius of
any single data key
• Think carefully about data key re-use when trying to
improve performance
• Use Encryption Context where practical
• Use Import Key for more control (if you have existing key
management infrastructure)
• Verify that AWS CloudTrail logs tell you what you need
Cory Minkovich
Staff Software Engineer, Box Inc.
November 29, 2016
Box KeySafe: How KMS saved us from managing HSMs
Box is a modern content management platform that transforms
how organizations work and collaborate to achieve results faster.
Box is a Content Platform
for the Modern Enterprise
• Built for cloud and mobile
• Connects to all your business apps
• Centralized security controls
• Comes with unlimited storage for
users
Powering digital transformation in every industry
[Diagram: healthcare provider example linking content management, collaboration, advanced security and a custom application to patients]
Customer-managed encryption is hard
Historically the choice was between…
Client-side agent
Works well for basic storage, but not
collaborative cloud services or multiple devices
(ex: nCrypted Cloud, Microsoft RMS)
Proxy-based
Works well for selective encryption, but breaks
many cloud applications
(ex: most CASBs)
API – after upload
Also best suited for selective encryption
and also breaks cloud apps
(ex: most CASBs)
Drawbacks of historic solutions
• Productivity & Ease of Use
  • Breaks file preview
  • Breaks mobile access
  • Breaks 3rd-party app integrations
• Overall Security
  • Breaks antivirus
  • Breaks DLP tools
  • Blocks file preview as a security feature
• Governance Controls
  • eDiscovery not possible/difficult
  • Content workflow will be limited
• Incentive for Shadow IT
  • Complicates UX
  • Encourages adoption of unsanctioned tools
Introducing Box KeySafe for customer-managed encryption
• Secure, reliable, on-demand
• Software-based approach
• Simple, configurable in 30 minutes
How Box Encryption works: A comparison of approaches
Native Box Encryption (customer uploads to Box):
1. File uploaded
2. Unique DEK generated
3. File encrypted with DEK
4. Encrypted file stored
5. DEK encrypted with Box KEK
6. Encrypted DEK stored
KeySafe with AWS CloudHSM (customer keeps a backup HSM; a Gemalto SafeNet HSM runs in Amazon Web Services):
1. File uploaded
2. File encrypted with Box Key
3. Box Key encrypted with Customer Key (includes Audit Params)
3. Audit logs updated
KeySafe with AWS KMS (customer keeps a backup HSM; KMS runs in Amazon Web Services):
1. File uploaded
2. File encrypted with Box Key
3. Box Key encrypted with Customer Key (includes Audit Params)
3. Audit logs updated
AWS CloudHSM vs. AWS KMS
• Request rate (crypto + audit logging): CloudHSM: audit logging increases latency; KMS: default limit is 100 rps but can be increased
• Audit logging: CloudHSM: separate requests (higher latency); KMS: same request
• Reliability: CloudHSM: customer must manage patching and HA, and Box must support every HSM version; KMS: no observed problems so far
• Durability: CloudHSM: back up HSM + possible multi-region setup; KMS: trust Amazon or import own key to KMS
• Integration complexity: CloudHSM: 1k lines + SDK + multiple RPMs; KMS: 200 lines + SDK
Code architecture
[Diagram: KeySafe architecture: Box’s Key Encryption Decryption Service (KEDS) reaches each customer’s HSMs (HSM 1, HSM 2 and HSM 3 for Customer 1 and for Customer 2) through HSM Connectors, and reaches AWS KMS directly]
KMS code samples – health checking
KMS code samples – CloudTrail logging
annotation: {
  box-req: "50F8B0EA6BF3F", box-oid: "file_345678", box-uid: "12345", box-eid: "67890"
}
AWS CloudTrail Log
KMS challenges
Key rotation concerns
• Native key rotation is supported, but…
  • Only yearly supported natively
  • Some customers want quarterly rotation
  • Changing the master key quarterly is really cumbersome
• Some compliance schemes require re-encrypt after rotation
  • Bulk re-encrypt operations are problematic
• Only CloudTrail knows if key rotation happens
  • No way to know if encrypted blob was created before or after key rotation
  • Only way to be safe is to re-encrypt all the data keys every year
Key availability concerns
• KMS keys are regionally isolated
  • HA within region but no customer backup
  • Some customers want more control
• Key import supports multi-region
  • Same key material can be imported to multiple regions, but each region’s key has unique keyId
  • Lack of multiple imported key versions breaks simple key rotation, and requires creation of multiple master keyIds
  • Not easy to automate on customer side or Box side
KeySafe summary
• Integrating with AWS CloudHSM and KMS allows Box
  • Guaranteed audit trail
  • Ultimate access control delegated to customers
  • Easy to incorporate into envelope encryption
• Tradeoffs
  • Minor latency increase
  • Availability surface area increase
Remember to complete your evaluations!