Cloud Data Security-AWS
Cloud data security is the practice of protecting data in the cloud from unauthorised access and corruption using encryption, hashing, tokenisation and key management. Data is a valuable asset, and its protection is a shared responsibility of the cloud provider and the customer. AWS offers many data protection services and tools; under the shared responsibility model the customer is responsible for protecting data at rest (data stored on disk) and in transit (data travelling to and from AWS).
The purpose of this post is to explain the configuration steps and best practices that can be applied to AWS data protection services to protect data at rest and in transit.
What are the data protection services in AWS ?
AWS offers the following data protection services, each covered in its own section below: Amazon Macie, AWS Key Management Service (KMS), AWS CloudHSM, AWS Certificate Manager (ACM) and AWS Secrets Manager.
How to protect data using Amazon Macie?
Amazon Macie is a fully managed data security service that uses machine learning and pattern matching to discover sensitive data, such as personally identifiable information (PII), stored in Amazon S3 and to raise findings on it. It also provides a summary of publicly accessible, unencrypted and shared buckets.
The diagram below shows a recommended set-up that alerts the security administrator on a Macie finding and automatically cleans sensitive data out of the S3 buckets where it does not belong.
- Configure Amazon Macie to run classification jobs over the customer data buckets.
- Create an EventBridge rule that matches Macie sensitive-data findings and starts a Step Functions state machine.
- First Lambda function: post the finding to the Microsoft Teams channel dedicated to the security team (SecOps).
- Second Lambda function: copy the offending objects from the customer bucket to a quarantine bucket (access-restricted and encrypted).
- Third Lambda function: delete the offending objects from the customer bucket, only after the copy has been verified.
- Final Lambda function: send a remediation success or failure notification to the security team.
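The quarantine step (copy, verify, then delete) is the one that can destroy evidence if done in the wrong order, so here is a worked version of it. This is an added example, not code from the original post or from AWS; it assumes the event is a Macie finding as delivered through EventBridge (the `detail.type`, `detail.severity.description` and `detail.resourcesAffected.s3Bucket.name` / `s3Object.key` fields), that the quarantine bucket name arrives in a `QUARANTINE_BUCKET` environment variable, and it injects the S3 client so the handler can run offline against the small in-memory `FakeS3` stand-in. Bucket names and the sample finding are constructed.

```python
"""Quarantine Lambda for a Macie finding (added example, not the post's code).

Assumptions: Macie finding event shape via EventBridge; QUARANTINE_BUCKET
env var; S3 client injected so the handler runs against FakeS3 offline.
"""
import os

QUARANTINE_BUCKET = os.environ.get("QUARANTINE_BUCKET", "acme-quarantine")  # constructed default


class FakeS3:
    """In-memory stand-in for boto3's S3 client; same keyword arguments as
    head_object / copy_object / delete_object, enough for this handler."""

    def __init__(self, objects):
        self.objects = dict(objects)  # {(bucket, key): body}

    def head_object(self, Bucket, Key):
        return {"ContentLength": len(self.objects[(Bucket, Key)])}

    def copy_object(self, Bucket, Key, CopySource, **kwargs):
        self.objects[(Bucket, Key)] = self.objects[(CopySource["Bucket"], CopySource["Key"])]
        return {"CopyObjectResult": {"ETag": '"constructed"'}}

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key))
        return {}


def quarantine_object(s3, event):
    """Move the object named in a Macie finding to the quarantine bucket.

    Copy first, verify the copy, delete the original last: the object is
    evidence, and a delete before a verified copy would destroy it.
    Returns a small dict for the next state (the notification Lambda).
    """
    detail = event["detail"]
    if not detail.get("type", "").startswith("SensitiveData:"):
        return {"status": "skipped", "reason": "not a sensitive-data finding"}
    bucket = detail["resourcesAffected"]["s3Bucket"]["name"]
    key = detail["resourcesAffected"]["s3Object"]["key"]
    if bucket == QUARANTINE_BUCKET:
        return {"status": "skipped", "reason": "object is already in quarantine"}
    # Prefix with the source bucket so keys from different buckets cannot collide.
    qkey = f"{bucket}/{key}"
    size = s3.head_object(Bucket=bucket, Key=key)["ContentLength"]
    s3.copy_object(
        Bucket=QUARANTINE_BUCKET, Key=qkey,
        CopySource={"Bucket": bucket, "Key": key},
        ServerSideEncryption="aws:kms",  # quarantine copy is encrypted with KMS
    )
    if s3.head_object(Bucket=QUARANTINE_BUCKET, Key=qkey)["ContentLength"] != size:
        return {"status": "failed", "reason": "copy size mismatch; original left in place"}
    s3.delete_object(Bucket=bucket, Key=key)
    return {
        "status": "quarantined",
        "severity": detail["severity"]["description"],
        "source": f"s3://{bucket}/{key}",
        "quarantine": f"s3://{QUARANTINE_BUCKET}/{qkey}",
    }


def lambda_handler(event, context=None):
    import boto3  # imported here so the module runs offline without boto3
    return quarantine_object(boto3.client("s3"), event)


# Constructed sample finding, trimmed to the fields the handler reads.
SAMPLE_FINDING = {
    "detail-type": "Macie Finding",
    "detail": {
        "type": "SensitiveData:S3Object/Personal",
        "severity": {"score": 3, "description": "High"},
        "resourcesAffected": {
            "s3Bucket": {"name": "acme-customer-data"},
            "s3Object": {"key": "exports/customers-2021.csv"},
        },
    },
}

if __name__ == "__main__":
    s3 = FakeS3({("acme-customer-data", "exports/customers-2021.csv"): b"name,email\n"})
    print(quarantine_object(s3, SAMPLE_FINDING))
```

The handler deliberately ignores policy findings (for example a public-bucket finding) since those call for a bucket policy fix, not a move; it also refuses to act on objects already in the quarantine bucket, which otherwise becomes a loop once Macie scans that bucket too.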
How to protect data using AWS KMS?
AWS KMS is a managed regional service that creates, stores and controls cryptographic keys in hardware security modules (HSMs) validated under FIPS 140-2. It integrates with most AWS services and supplies the keys used to encrypt customer data at rest across those services.
KMS manages customer master keys (CMKs, now called KMS keys in the AWS documentation) and their key material. A CMK is a logical representation of a master key: by default its key material is generated by KMS, but a CMK can also be created without key material so that you can import your own (bring your own key). There are three types of CMKs: customer managed, AWS managed and AWS owned.
Customer managed CMKs: created, owned and managed by the customer, who controls the key policy, rotation and deletion.
AWS managed CMKs: created and managed by AWS on the customer's behalf for use by a specific service; visible in the account, but the key policy cannot be changed.
AWS owned CMKs: a collection of CMKs that AWS owns and manages in its own accounts and uses across many customer accounts; they are not visible in the customer's account.
A CMK can encrypt or decrypt at most 4 KB (4,096 bytes) per request, so it is not used to encrypt data directly. Instead KMS generates data keys: the data key encrypts the data and the CMK encrypts (wraps) the data key. This pattern is called envelope encryption.
The following diagram describes how data at rest is protected in AWS services using KMS (envelope encryption).
- AWS services integrate with KMS and let you choose the encryption key (CMK) when provisioning a resource. Customer applications connect to KMS through the AWS SDK.
- When data arrives, the service or application requests a data key from KMS (GenerateDataKey), naming the CMK.
- KMS generates a data key and returns it in two forms: the plaintext data key and the same key encrypted under the CMK.
- The service or application encrypts the customer data with the plaintext data key.
- It stores the encrypted data together with the encrypted data key.
- It then discards the plaintext data key from memory. To read the data back, the encrypted data key is sent to KMS (Decrypt), which returns the plaintext key; only principals permitted by the CMK's key policy can do this, so access to the data is governed by access to the key.
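The steps above, carried through end to end as an added example (not the post's code and not the AWS Encryption SDK). KMS is simulated by `SimulatedKms`, whose method names and response dicts mirror boto3's `generate_data_key` / `encrypt` / `decrypt`; its "CMK" is a random 32-byte secret held in-process rather than in an HSM, an assumption made so the flow runs offline. The symmetric cipher (`seal` / `unseal`) is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a stand-in for the AES-GCM a real SDK would use. The key alias, encryption context and payload are constructed.

```python
"""Envelope encryption in the KMS style (added example, not the post's code).

Assumptions: SimulatedKms replaces the KMS API; seal/unseal (HMAC-CTR +
HMAC tag) replace AES-GCM; key alias and payload are constructed.
"""
import hashlib
import hmac
import json
import os

KMS_MAX_PLAINTEXT = 4096  # KMS Encrypt/Decrypt take at most 4 KB per call


def _derive(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = -(-length // 32)  # ceil(length / 32)
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC with separate keys for the keystream and the tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob, aad=b""):
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + aad + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed (wrong key or context, or tampered data)")
    return bytes(c ^ s for c, s in zip(body, _keystream(enc_key, nonce, len(body))))


def _ctx(context):
    # Encryption context is authenticated, not secret: it binds a ciphertext
    # to the context it was created under, as KMS does.
    return json.dumps(context or {}, sort_keys=True).encode()


class SimulatedKms:
    def __init__(self, key_id):
        self.key_id = key_id
        self._cmk = os.urandom(32)  # stand-in for HSM-held key material that never leaves KMS

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        plaintext = os.urandom(32)
        return {"KeyId": KeyId, "Plaintext": plaintext,
                "CiphertextBlob": seal(self._cmk, plaintext, _ctx(EncryptionContext))}

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        if len(Plaintext) > KMS_MAX_PLAINTEXT:
            raise ValueError("plaintext exceeds 4096 bytes; use a data key instead")
        return {"KeyId": KeyId, "CiphertextBlob": seal(self._cmk, Plaintext, _ctx(EncryptionContext))}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        return {"KeyId": self.key_id,
                "Plaintext": unseal(self._cmk, CiphertextBlob, _ctx(EncryptionContext))}


def encrypt_record(kms, key_id, data, context):
    """Data key from KMS, encrypt locally, keep ciphertext + wrapped key, drop the plaintext key."""
    dk = kms.generate_data_key(KeyId=key_id, EncryptionContext=context)
    plaintext_key = dk.pop("Plaintext")
    ciphertext = seal(plaintext_key, data)
    del plaintext_key  # nothing references it now; Python cannot zeroize, a native SDK would
    return {"ciphertext": ciphertext, "encrypted_key": dk["CiphertextBlob"], "context": context}


def decrypt_record(kms, record):
    """Reverse path: KMS unwraps the data key (subject to the key policy), then decrypt locally."""
    key = kms.decrypt(CiphertextBlob=record["encrypted_key"],
                      EncryptionContext=record["context"])["Plaintext"]
    return unseal(key, record["ciphertext"])


def roundtrip_demo():
    kms = SimulatedKms("alias/customer-data")  # constructed alias
    data = os.urandom(100_000)  # 100 KB, far above what the CMK itself may encrypt
    record = encrypt_record(kms, "alias/customer-data", data, {"app": "orders", "env": "prod"})
    ok = decrypt_record(kms, record) == data
    try:  # a different encryption context must not unwrap the data key
        decrypt_record(kms, dict(record, context={"app": "orders", "env": "dev"}))
        ok = False
    except ValueError:
        pass
    try:  # the CMK itself refuses the payload
        kms.encrypt(KeyId="alias/customer-data", Plaintext=data)
        ok = False
    except ValueError:
        pass
    return ok
```

Two details worth keeping from this: the encrypted data key is stored next to the ciphertext, so losing the record's `encrypted_key` loses the data, and the encryption context is stored in the clear beside it, since it is authenticated rather than secret.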
How to protect data using AWS Cloud HSM?
AWS CloudHSM is a cloud-based hardware security module (HSM) service that lets you create and manage your own encryption keys on a cluster of FIPS 140-2 Level 3 validated HSMs running in your Amazon Virtual Private Cloud (VPC). Applications integrate with it through industry-standard APIs (PKCS#11, JCE and Microsoft CNG).
AWS KMS can be configured to use an AWS CloudHSM cluster as a custom key store instead of the default KMS key store. KMS, and the AWS services and applications that integrate with it, then encrypt data with CMKs whose key material lives in your CloudHSM cluster, with no change to the calling code.
With CloudHSM the key material is accessible only to you; AWS has no access to it. Data is protected with such keys as shown in the diagram below.
- A custom key store is created from an AWS CloudHSM cluster; the cluster needs at least two active HSMs in different Availability Zones before keys can be created in it.
- KMS CMKs are created in the custom key store; their key material is generated in, and never leaves, the CloudHSM cluster.
- KMS is configured to use the custom key store rather than the default key store for those CMKs.
- The encryption flow for services and applications is the same as described in the KMS section; the cryptographic operations with the CMK are performed inside the CloudHSM cluster.
How to protect data using AWS Certificate Manager?
AWS Certificate Manager (ACM) lets you provision, manage and deploy public and private Transport Layer Security (TLS) certificates for use with AWS services and internally connected resources. TLS certificates secure network communications and establish the identity of websites on the internet and of resources on private networks. ACM integrates with AWS resources such as Elastic Load Balancing, Amazon CloudFront and API Gateway and automates the encryption of data in transit.
The following diagram describes how ACM protects data as it moves to and from AWS (data in transit).
- TLS certificates are requested in ACM, which also renews them automatically (for public certificates the DNS or email validation must stay in place for renewal to succeed).
- Certificates are deployed from ACM to CloudFront, the load balancers and API Gateway; the private key is never exported to you.
- Users communicate with CloudFront over HTTPS; CloudFront terminates the TLS connection at the edge location.
- CloudFront can be configured to talk to the origin over HTTP or HTTPS. Use HTTPS only: with HTTP the hop from the edge to the origin travels in cleartext, and the ACM certificate at the edge does nothing for it.
- Client services communicate with API Gateway over HTTPS.
- Internal applications communicate with the load balancer over TLS (a listener configured with an ACM certificate).
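The two CloudFront legs above are separate settings, and a distribution with a valid ACM certificate can still serve plain HTTP to viewers and fetch from the origin in cleartext. The added example below (not from the original post) audits a distribution configuration for both and produces a corrected copy. It assumes the dict follows the `DistributionConfig` shape that boto3's `get_distribution_config` returns (`Origins.Items[].CustomOriginConfig.OriginProtocolPolicy`, `DefaultCacheBehavior` / `CacheBehaviors.Items[].ViewerProtocolPolicy`, `ViewerCertificate.MinimumProtocolVersion`); the sample distribution, its origin host and the certificate ARN are constructed.

```python
"""Audit and harden CloudFront transport settings (added example, not the post's code).

Assumptions: boto3 DistributionConfig dict shape; WEAK_CONFIG is constructed.
"""
import copy

WEAK_MIN_TLS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}
TARGET_MIN_TLS = "TLSv1.2_2021"


def _behaviours(config):
    yield "default", config["DefaultCacheBehavior"]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        yield b["PathPattern"], b


def audit_distribution(config):
    """Return a list of findings; an empty list means both legs are TLS-only."""
    findings = []
    # Viewer leg: the ACM certificate at the edge is wasted if plain HTTP is still served.
    for name, b in _behaviours(config):
        if b["ViewerProtocolPolicy"] == "allow-all":
            findings.append(f"behaviour {name}: ViewerProtocolPolicy allow-all; "
                            "use redirect-to-https or https-only")
    # Origin leg: the edge certificate says nothing about this hop.
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom and custom["OriginProtocolPolicy"] != "https-only":
            findings.append(f"origin {origin['Id']}: OriginProtocolPolicy "
                            f"{custom['OriginProtocolPolicy']}; edge-to-origin traffic may be cleartext")
    cert = config.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        findings.append("ViewerCertificate: default *.cloudfront.net certificate; "
                        "attach an ACM certificate for the domain")
    elif cert.get("MinimumProtocolVersion") in WEAK_MIN_TLS:
        findings.append(f"ViewerCertificate: MinimumProtocolVersion "
                        f"{cert['MinimumProtocolVersion']}; raise to {TARGET_MIN_TLS}")
    return findings


def harden_distribution(config):
    """Copy of config with the weak settings corrected. The default certificate
    cannot be fixed here: that needs an ACM certificate ARN for the domain."""
    fixed = copy.deepcopy(config)
    for _, b in _behaviours(fixed):
        if b["ViewerProtocolPolicy"] == "allow-all":
            b["ViewerProtocolPolicy"] = "redirect-to-https"
    for origin in fixed["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom:
            custom["OriginProtocolPolicy"] = "https-only"
            custom["OriginSslProtocols"] = {"Quantity": 1, "Items": ["TLSv1.2"]}
    cert = fixed.setdefault("ViewerCertificate", {})
    if not cert.get("CloudFrontDefaultCertificate"):
        cert["MinimumProtocolVersion"] = TARGET_MIN_TLS
    return fixed


# Constructed weak configuration: HTTP allowed at the edge, HTTP to the origin, TLS 1.0 floor.
WEAK_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "app-origin", "DomainName": "app.internal.example.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "app-origin", "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "app-origin", "ViewerProtocolPolicy": "https-only"}]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1",
    },
}

if __name__ == "__main__":
    for finding in audit_distribution(WEAK_CONFIG):
        print("WEAK:", finding)
    print("after hardening:", audit_distribution(harden_distribution(WEAK_CONFIG)))
```

Origins with an `S3OriginConfig` have no protocol setting and are skipped; `match-viewer` is flagged on purpose, because it lets a viewer's HTTP request become an HTTP request to the origin.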
How to protect data using AWS Secrets Manager?
AWS Secrets Manager encrypts, stores, rotates and retrieves credentials for databases and other services. Secrets are encrypted with a KMS key, and rotation is performed by a Lambda function on a schedule; built-in rotation is available for Amazon RDS, Amazon Redshift and Amazon DocumentDB credentials, so database passwords can be changed regularly without touching application code.
The diagram below shows how database credentials, and with them access to the data in the database, are protected.
- The administrator creates the database credentials on the database.
- The credentials are stored as a secret in AWS Secrets Manager.
- Secrets Manager encrypts the credentials with a KMS key and keeps them as protected secret text.
- Services that need the database request the secret from Secrets Manager (GetSecretValue); IAM policies on the secret control who may do this.
- Secrets Manager retrieves the protected secret text, decrypts it with KMS and returns the secret.
- The service uses the retrieved credentials to connect to the database.
- Secrets Manager rotates the credentials on schedule, resetting the password in the database and updating the secret; services must fetch the secret again (or refresh their cache) after a rotation rather than keep using the old password.
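The last step is where applications usually break: a service that fetched the secret once at start-up keeps a password the rotation has already invalidated. The added example below (not from the original post) shows the client side of the flow with a cache that refreshes once on an authentication failure. The Secrets Manager and database clients are injected: `FakeSecretsManager` mirrors boto3's `get_secret_value` response (`SecretString` holding the JSON document the RDS rotation function maintains: `username`, `password`, `engine`, `host`, `port`, `dbname`) and `FakeDatabase` stands in for the DB driver; `rotate` does in one call what the rotation Lambda and the database do. Secret name, host and passwords are constructed.

```python
"""Database access via Secrets Manager with a rotation-aware cache (added example, not the post's code).

Assumptions: FakeSecretsManager mirrors boto3 get_secret_value; FakeDatabase
replaces the DB driver; SECRET_DOC follows the RDS secret layout.
"""
import json
import time


class FakeSecretsManager:
    def __init__(self, secret_id, document):
        self.secret_id, self.document, self.calls = secret_id, dict(document), 0

    def get_secret_value(self, SecretId):
        if SecretId != self.secret_id:
            raise KeyError(SecretId)  # the real client raises ResourceNotFoundException
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(self.document),
                "VersionStages": ["AWSCURRENT"]}


class FakeDatabase:
    """Accepts a connection only with its current password."""

    def __init__(self, password):
        self.password = password

    def connect(self, username, password, host, port, dbname):
        if password != self.password:
            raise PermissionError(f"authentication failed for {username}")
        return f"{username}@{host}:{port}/{dbname}"


def rotate(secrets, db, new_password):
    """What the rotation Lambda does: reset the database password and update
    the secret. Any client still holding the old password now fails."""
    db.password = new_password
    secrets.document["password"] = new_password


class SecretCache:
    """Caches the parsed secret for `ttl` seconds; `clock` is injectable for tests."""

    def __init__(self, secrets, secret_id, ttl=300, clock=time.monotonic):
        self.secrets, self.secret_id, self.ttl, self.clock = secrets, secret_id, ttl, clock
        self._value, self._fetched = None, 0.0

    def get(self, refresh=False):
        if refresh or self._value is None or self.clock() - self._fetched > self.ttl:
            resp = self.secrets.get_secret_value(SecretId=self.secret_id)
            self._value = json.loads(resp["SecretString"])  # never log this
            self._fetched = self.clock()
        return self._value


def _connect(db, creds):
    return db.connect(creds["username"], creds["password"], creds["host"], creds["port"], creds["dbname"])


def connect_with_secret(db, cache):
    """Use cached credentials; on an auth failure refresh the secret once and
    retry, which covers a rotation since the last fetch. A second failure is
    a real error and propagates."""
    try:
        return _connect(db, cache.get())
    except PermissionError:
        return _connect(db, cache.get(refresh=True))


# Constructed secret document in the layout Secrets Manager uses for RDS credentials.
SECRET_DOC = {"username": "orders_app", "password": "initial-pw", "engine": "postgres",
              "host": "orders.cluster-abc.eu-west-1.rds.amazonaws.com", "port": 5432,
              "dbname": "orders"}

if __name__ == "__main__":
    sm = FakeSecretsManager("prod/orders/db", SECRET_DOC)
    db = FakeDatabase("initial-pw")
    cache = SecretCache(sm, "prod/orders/db")
    print(connect_with_secret(db, cache))
    rotate(sm, db, "rotated-pw")
    print(connect_with_secret(db, cache), "after", sm.calls, "Secrets Manager calls")
```

The single retry keeps Secrets Manager calls to one per rotation rather than one per connection, which matters both for cost and for the API rate limit; the TTL handles the other direction, picking up a rotation even when the old connection pool never fails.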