AWS Black Belt Online Seminar: AWS Key Management Service (AWS KMS)
2016.09.28
Slide 2: This deck describes AWS services and pricing as of 2016-09-28. Check the AWS website (http://aws.amazon.com) for the latest information; where the two differ, the website takes precedence.
AWS does not offer binding price quotes. AWS pricing is publicly available and is subject to change in accordance with the AWS Customer Agreement available at http://aws.amazon.com/agreement/. Any pricing information included in this document is provided only as an estimate of usage charges for AWS services based on certain information that you have provided. Monthly charges will be based on your actual use of AWS services, and may vary from the estimates provided.
Slide 3-4: Agenda
- What is KMS
- Key management in KMS
- Using KMS
- KMS TIPS (KMS with AWS services)
- Auditing, compliance and comparison with HSM (CloudHSM)
- Summary
Slide 5: Two kinds of data encryption
- Data encryption in transit: protecting data on the wire (SSL/TLS, IPsec VPN and similar).
- Data encryption at rest: protecting stored data. This is the problem KMS addresses.
Slide 6: The questions behind encryption at rest: who generates the keys, who stores them, who controls access to them, and is that party the customer, AWS, or both?
Slide 7: Key Management Infrastructure (KMI). A KMI has two parts: a storage layer that holds the keys (a hardware security module, HSM, when the bar is high) and a management layer that governs key generation, rotation, access control and audit.
Slide 8: Three ways to place the KMI on AWS (the models from the AWS whitepaper "Securing Data at Rest with Encryption")
- Model A: you control the encryption method and the entire KMI (storage and management).
- Model B: you control the encryption method and the management layer; AWS provides the storage component of the KMI.
- Model C: AWS controls the encryption method and the entire KMI.
Slide 9: AWS Key Management Service (AWS KMS) is a managed service for creating and controlling the keys used to encrypt your data. It is integrated with AWS services such as S3, EBS and Redshift, usable from your own applications through the AWS SDK, and every use of a key is recorded in AWS CloudTrail.
Slide 10: Two kinds of keys
- Customer Master Key (CMK): created in KMS and never leaves it in plaintext. A CMK can encrypt or decrypt up to 4 KB of data directly, and it is the key that protects data keys.
- Customer Data Key (CDK): generated by KMS on request and returned in two forms, plaintext (for encrypting locally) and encrypted under the CMK (for storing next to the data). Protecting data with a CDK that is itself protected by the CMK is envelope encryption.
Slide 11: Two-tier key hierarchy (figure: envelope encryption). One or more Customer Master Keys in AWS KMS protect many data keys: Data Key 1 encrypts an Amazon S3 object, Data Key 2 an Amazon EBS volume, Data Key 3 an Amazon Redshift cluster, Data Key 4 data in a custom application.
Slide 12: KMS architecture (figure). Client requests reach a fleet of KMS hosts (the KMS interface); the hosts forward every cryptographic operation to a domain of HSAs (Hardened Security Appliances), which is where the Customer Master Keys live.
Slide 13-14: Durable encrypted key store, and how a data key is issued
Key material is written to durable storage only in encrypted form (encrypted key store); the plaintext exists only inside an HSA. What a client stores is its data key in encrypted form, next to the encrypted data.
kms:GenerateDataKey, step by step:
1. The client calls kms:GenerateDataKey through the AWS API, naming the CMK by key ID.
2. The KMS host authenticates and authorizes the caller (client AuthN and AuthZ).
3. An HSA generates the data key and encrypts a copy of it under the CMK.
4. KMS returns both the plaintext data key and the encrypted data key.
5. The client encrypts its data locally with the plaintext data key, discards the plaintext key, and stores the encrypted data key together with the encrypted data.
Direct use of the CMK through the AWS API (kms:Encrypt / kms:Decrypt) is limited to 4 KB of data; anything larger goes through a data key as above.
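The flow above carried out end to end, as an added example in Go (not code from the deck or from AWS). It uses an in-process stand-in for KMS that holds a single 256-bit CMK so that it runs offline; `fakeKMS`, `EnvelopeEncrypt` and `EnvelopeDecrypt` are this example's own names, and the key ID `alias/demo` used by callers is a placeholder carried only to mirror the API shape. Binding the encryption context as AES-GCM additional authenticated data follows the KMS design described later in the deck.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"sort"
)

const maxDirectPlaintext = 4096 // kms:Encrypt / kms:Decrypt take at most 4 KB of data

// fakeKMS stands in for the KMS/HSA boundary (constructed for this example, not the AWS
// service). It holds one CMK; the 256-bit master key never leaves the struct.
type fakeKMS struct{ mk []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// canonicalContext serialises the encryption context deterministically for use as AES-GCM AAD.
func canonicalContext(ctx map[string]string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b bytes.Buffer
	for _, k := range keys {
		b.WriteString(k + "\x00" + ctx[k] + "\x00")
	}
	return b.Bytes()
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: every key in this example is 32 bytes
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce || AES-256-GCM(plaintext) with aad authenticated; open reverses it.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, ct, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}

// Encrypt mirrors kms:Encrypt: small plaintexts only, bound to the encryption context.
// keyID is carried only for API shape, since this stand-in holds a single CMK.
func (k *fakeKMS) Encrypt(keyID string, pt []byte, ctx map[string]string) ([]byte, error) {
	if len(pt) > maxDirectPlaintext {
		return nil, errors.New("plaintext over 4 KB: use GenerateDataKey and envelope encryption")
	}
	return seal(k.mk, pt, canonicalContext(ctx)), nil
}

// Decrypt mirrors kms:Decrypt: no key ID is passed (the real ciphertext header names the key),
// but the same encryption context must be presented or the AAD check fails.
func (k *fakeKMS) Decrypt(ct []byte, ctx map[string]string) ([]byte, error) {
	pt, err := open(k.mk, ct, canonicalContext(ctx))
	if err != nil {
		return nil, errors.New("InvalidCiphertextException")
	}
	return pt, nil
}

// GenerateDataKey mirrors kms:GenerateDataKey (KeySpec AES_256): a fresh data key, plaintext and wrapped.
func (k *fakeKMS) GenerateDataKey(keyID string, ctx map[string]string) (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = k.Encrypt(keyID, plain, ctx)
	return plain, wrapped, err
}

// EnvelopeEncrypt is the client side of the flow above: fetch a data key, encrypt locally,
// drop the plaintext key, and keep the wrapped key next to the ciphertext.
func EnvelopeEncrypt(k *fakeKMS, keyID string, data []byte, ctx map[string]string) (wrapped, ct []byte, err error) {
	plain, wrapped, err := k.GenerateDataKey(keyID, ctx)
	if err != nil {
		return nil, nil, err
	}
	return wrapped, seal(plain, data, canonicalContext(ctx)), nil
}

// EnvelopeDecrypt unwraps the data key through KMS, then decrypts locally.
func EnvelopeDecrypt(k *fakeKMS, wrapped, ct []byte, ctx map[string]string) ([]byte, error) {
	dk, err := k.Decrypt(wrapped, ctx)
	if err != nil {
		return nil, err
	}
	return open(dk, ct, canonicalContext(ctx))
}
```

Three behaviours are worth confirming against the real API: a 5 KB payload is refused by Encrypt but goes through GenerateDataKey without trouble, a round trip with the same context succeeds, and changing a single context value makes both the data-key unwrap and the local decrypt fail, because the context is authenticated, not encrypted.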
Slide 15: AWS services integrated with KMS (https://aws.amazon.com/jp/kms/details/)
- Amazon S3, Amazon EBS, AWS Import/Export Snowball
- Amazon RDS, Amazon Redshift, AWS Database Migration Service
- AWS CodeCommit
- Amazon EMR, Amazon Kinesis Firehose
- Amazon Elastic Transcoder, Amazon SES
- Amazon WorkSpaces, Amazon WorkMail
As of 2016/09, AWS CodeCommit is offered only in a subset of AWS regions.
Slide 16: KMS API
- Key management APIs: CreateKey, CreateAlias, DisableKey, EnableKeyRotation, PutKeyPolicy, ListKeys, DescribeKey
- Cryptographic APIs: Encrypt, Decrypt, ReEncrypt, GenerateDataKey
26 API actions and growing: http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html
Slide 17: Key management in KMS (section divider)
Slide 18: Creating a CMK. A CMK is created with an alias and a description, and its key policy names two groups of principals: key administrators (IAM users and roles that manage the key) and key users (IAM users and roles allowed to encrypt and decrypt with it). Each CMK has exactly one key policy, and the key is usable as soon as it is created.
Slide 19: Key hierarchy inside KMS (terms from the KMS Cryptographic Details whitepaper)
- Domain Key (DK): shared by the HSAs in a domain and used only inside them.
- HSA Backing Key (HBK): the actual key material behind a CMK, generated inside an HSA. A CMK has one or more HBKs (one more per rotation). An HBK is never exported in plaintext.
- Exported Key Token (EKT): an HBK encrypted under the Domain Key. This is the only form in which key material leaves the HSA, and it is what KMS writes to durable storage.
- CMK: the logical key you see (key ID, alias, policy); it maps to its HBKs through their EKTs.
- Customer Data Key (CDK): encrypted under an HBK, giving ciphertext CT.
Figure: CMK1 -> EKT1 in durable storage -> HBK1 inside the HSA, which wraps CDK1 into CT1; CMK2 -> EKT2 -> HBK2, which wraps CDK2 into CT2.
Slide 20: CMK lifecycle
- CreateKey (key generation): key material is generated and the CMK becomes Active.
- Rotation: new key material is generated and becomes the Active material for new encryptions; the previous material is kept (still usable for decryption), so a rotated CMK has several Active backing keys.
- DisableKey: the CMK is Deactivated; no cryptographic operation succeeds until it is enabled again.
- Schedule key for deletion: after the waiting period the CMK and all of its key material are Deleted. Every CDK wrapped under it, and therefore every piece of data encrypted with those CDKs, becomes unrecoverable.
Slide 21: Creating a CMK in the console: IAM -> Encryption Keys. Key administrators and key users are picked from the IAM users and IAM roles of the AWS account. Alias: 1-32 characters, and it must not begin with "aws/" (that prefix is reserved for AWS-managed keys). Description: up to 256 characters.
Slide 22: Enable / Disable. A disabled CMK rejects every cryptographic operation, as the AWS CLI shows:
$ aws kms generate-data-key --key-id cc00b8b3-f647-4090-99ab-0ab58XXXXXX --key-spec AES_256
A client error (DisabledException) occurred when calling the GenerateDataKey operation: arn:aws:kms:us-east-1:336580663XXX:key/cc00b8b3-f647-4090-99ab-0ab58eeXXXXX is disabled.
Disable is reversible: enabling the key again restores access to everything encrypted under it. Disabling, rather than deleting, is the safe first step when you believe a key is no longer used.
Slide 23: Deleting a CMK. Deletion is scheduled with a waiting period of 7 to 30 days (default 30) and can be cancelled at any point during that period. Once the key is deleted, everything encrypted under it is lost for good. Recommended procedure: Disable the key first, watch CloudTrail for failed attempts to use it, and schedule deletion only when nothing turns up.
Slide 24: Rotation. Automatic yearly rotation is enabled per CMK, from the Key Summary Page in the console or with the AWS CLI:
$ aws kms enable-key-rotation --key-id <key-id>
Rotation generates new backing key material; the Key ID and aliases stay the same, and the old material is retained so that existing ciphertext still decrypts. To move existing ciphertext onto the newest material, use the ReEncrypt API.
Slide 25: Rotation inside KMS (figure). One CMK points at a growing list of EKTs (EKT1, EKT2, ...) in durable storage, each unwrapped with the Domain Key into an HBK inside the HSA (HBK1, HBK2, ..., HBKn, HBKn+1). Every data key stays tied to the HBK that wrapped it (CDK1 -> CT1 under HBK1, CDK2 -> CT2 under HBK2, CDKn -> CTn under HBKn), which is why every HBK remains Active for decryption after rotation.
Slide 26: Bring Your Own Keys (BYOK, released 2016/8/11). You can create a CMK whose key material comes from your own KMI instead of being generated by KMS. The material must be a 256-bit symmetric key. To import it you encrypt it under an RSA public wrapping key issued by KMS, so the key is never exposed in transit; inside KMS it is then used exactly like generated material, while the original stays in your KMI under your control.
Slide 27: Importing key material (1/3). In the console, create a CMK with Advanced Options -> Key Material Origin = External. The key policy (key administrators and key users) is set as for any other CMK.
Slide 28: Importing key material (2/3). Download the wrapping key and the import token for the CMK. Wrapping algorithms offered: RSAES_OAEP_SHA_256 (recommended), RSAES_OAEP_SHA_1, RSAES_PKCS1_V1_5; choose the one your KMI can perform. The import token expires 24 hours after it is issued, after which a new wrapping key and token must be downloaded. The download is a zip containing three files: README__.txt, importToken__ and wrappingKey__ (names truncated here).
Slide 29: Importing key material (3/3). Wrap the key material with openssl (this example uses RSAES_OAEP_SHA_1; the wrapping key is DER-encoded):
$ openssl rsautl -encrypt -in plain_text_aes_key.bin -oaep \
    -inkey wrappingKey__ -pubin -keyform DER -out enc.aes.key
Upload the wrapped key together with the import token, optionally setting an expiration time for the material (UTC). The CMK moves from Pending Import to Enabled.
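What the openssl command does, as an added example in Go (not code from the deck or from AWS). `WrapKeyMaterial` is this example's own function: it parses the DER-encoded wrapping key, checks that the material is 256-bit, and applies RSA-OAEP with the hash that the chosen KMS WrappingAlgorithm name implies. `fakeWrappingKey` generates a throwaway RSA pair so that the result can be unwrapped and checked offline, something only KMS can do with the real wrapping key. The 24-hour token lifetime is the one stated on the slide above.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"hash"
	"time"
)

// wrappingAlgorithms maps the KMS WrappingAlgorithm names to the OAEP hash they use.
// KMS also offers RSAES_PKCS1_V1_5; it is left out here because PKCS#1 v1.5 padding is
// the weakest of the three and only worth choosing when the KMI cannot do OAEP.
var wrappingAlgorithms = map[string]func() hash.Hash{
	"RSAES_OAEP_SHA_1":   sha1.New,
	"RSAES_OAEP_SHA_256": sha256.New,
}

// importTokenLifetime: the import token expires 24 hours after it is downloaded.
const importTokenLifetime = 24 * time.Hour

// WrapKeyMaterial does what the openssl command above does: RSA-OAEP-encrypt the 256-bit
// AES key under the DER-encoded (SubjectPublicKeyInfo) public wrapping key from KMS.
func WrapKeyMaterial(wrappingKeyDER, keyMaterial []byte, algorithm string) ([]byte, error) {
	if len(keyMaterial) != 32 {
		return nil, errors.New("key material must be exactly 256 bits")
	}
	newHash, ok := wrappingAlgorithms[algorithm]
	if !ok {
		return nil, errors.New("unsupported wrapping algorithm: " + algorithm)
	}
	pub, err := x509.ParsePKIXPublicKey(wrappingKeyDER)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("wrapping key is not an RSA key")
	}
	return rsa.EncryptOAEP(newHash(), rand.Reader, rsaPub, keyMaterial, nil)
}

// ImportTokenUsable reports whether a token downloaded at `downloaded` is still valid at `now`.
func ImportTokenUsable(downloaded, now time.Time) bool {
	return !now.Before(downloaded) && now.Sub(downloaded) < importTokenLifetime
}

// fakeWrappingKey generates a stand-in for the KMS wrapping key pair (constructed for this
// example; with the real service only the public half ever leaves KMS) so that the wrap can
// be verified offline.
func fakeWrappingKey() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, der, err
}

// unwrapAsKMSWould plays the KMS side of the import, which needs the private half.
func unwrapAsKMSWould(priv *rsa.PrivateKey, wrapped []byte, algorithm string) ([]byte, error) {
	newHash, ok := wrappingAlgorithms[algorithm]
	if !ok {
		return nil, errors.New("unsupported wrapping algorithm: " + algorithm)
	}
	return rsa.DecryptOAEP(newHash(), rand.Reader, priv, wrapped, nil)
}

func main() {
	priv, der, err := fakeWrappingKey()
	if err != nil {
		panic(err)
	}
	material := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for your 256-bit AES key
	wrapped, err := WrapKeyMaterial(der, material, "RSAES_OAEP_SHA_1")
	if err != nil {
		panic(err)
	}
	back, err := unwrapAsKMSWould(priv, wrapped, "RSAES_OAEP_SHA_1")
	fmt.Println("wrapped bytes:", len(wrapped), "unwrap matches:", err == nil && bytes.Equal(back, material)) // 256 true
}
```

With a 2048-bit wrapping key the wrapped blob is always 256 bytes, which is a quick sanity check before uploading; a 16-byte (128-bit) key or a PEM file passed where DER is expected are the two mistakes the function refuses up front.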
Slide 30: Points to note with imported key material
- The material must be 256-bit, and you are responsible for keeping a copy safe in your KMI: KMS cannot regenerate it.
- The same material can be imported again into the same CMK (after it expired or was deleted), but it cannot be imported into a different CMK, and different material cannot be imported into this one.
- Deleting imported key material takes effect immediately, with no 7-30 day waiting period; the CMK becomes unusable until the material is imported again. Deleting the CMK itself still goes through the waiting period.
- Automatic rotation is not available for a CMK with imported material; rotate by creating a new CMK and re-encrypting.
Slide 31: Key Policy. Every CMK has one key policy, the resource-based policy that decides who may manage and who may use the key. It is edited in the console or with GetKeyPolicy / PutKeyPolicy from the CLI and SDK, and it names IAM users and IAM roles (or, through the account root principal, delegates to the account's IAM policies).
Slide 32-33: The default key policy created by the console
{
  "Id": "key-consolepolicy-2",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": [ "arn:aws:iam::336580663xxx:root" ] },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": { "AWS": [ "arn:aws:iam::336580663xxx:user/SuperUser" ] },
      "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*" ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": { "AWS": [ "arn:aws:iam::336580663xxx:user/Dev", "arn:aws:iam::336580663xxx:role/EC2_Admin", "arn:aws:iam::912412960xxx:root" ] },
      "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": { "AWS": [ "arn:aws:iam::336580663xxx:user/Dev", "arn:aws:iam::336580663xxx:role/EC2_Admin", "arn:aws:iam::912412960xxx:root" ] },
      "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
      "Resource": "*",
      "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } }
    }
  ]
}
Reading the default policy: the first statement gives the account root kms:* so that IAM policies in the account can grant KMS permissions (remove it and only the key policy itself can grant access); the second names the key administrators, who can manage the key but not use it; the third names the key users, here including the root of a second account to allow cross-account use; the fourth lets key users create grants, but only on behalf of AWS services (kms:GrantIsForAWSResource), not for arbitrary principals.
Slide 34: Evaluation. The key policy and the caller's IAM policies are evaluated together: an explicit Deny in either wins over any Allow, an Allow in at least one is required, and with neither the request is refused (implicit Deny < Allow < explicit Deny).
Slide 35: Grants. A grant is the second way, besides the key policy, to give a principal permission to use a CMK, and it is the mechanism AWS services use when they act on your behalf. A grant has five main fields: Key ID, GranteePrincipal (who receives the permission), Operations (the API actions allowed), Constraints (conditions on the encryption context), and RetiringPrincipal (who may retire the grant). Grants are created with CreateGrant and go away when they are retired or revoked.
Slide 36: Encryption Context. An optional set of key/value pairs passed to a KMS cryptographic operation. It is not secret, but it is bound to the ciphertext as Additional Authenticated Data (AAD), so decryption succeeds only when the same context is presented. The context shows up in CloudTrail records, and grant Constraints can test it: EncryptionContextSubset requires the request context to contain the listed pairs, EncryptionContextEquals requires it to match exactly. EBS, for example, creates grants constrained to the volume ID.
Slide 37: Constraint examples
EncryptionContextSubset {Department: Finance, classification: critical}
  {Department: Finance, classification: critical, customer: 12345} -> OK
  {Department: Finance} -> NG
EncryptionContextEquals {Department: Finance, classification: critical}
  {Department: Finance, classification: critical} -> OK
  {Department: Finance, classification: critical, customer: 12345} -> NG
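The two constraint rules as an added example in Go (not code from the deck or from AWS); `GrantConstraints.Allows` is this example's own function. It covers the four cases above and, beyond them, a value mismatch, the volume-ID constraint EBS uses (aws:ebs:id), and an unconstrained grant; treating a grant that sets both forms as requiring both is this example's assumption.

```go
package main

import "fmt"

// EncryptionContext is the key/value map attached to a KMS cryptographic operation.
type EncryptionContext map[string]string

// GrantConstraints mirrors the Constraints field of a KMS grant. A nil map means that form
// of constraint is absent; if both are present (an assumption here), both must hold.
type GrantConstraints struct {
	EncryptionContextSubset EncryptionContext
	EncryptionContextEquals EncryptionContext
}

// subsetSatisfied: every pair in the constraint must appear, with the same value, in the
// request context; the request may carry additional pairs.
func subsetSatisfied(constraint, request EncryptionContext) bool {
	for k, v := range constraint {
		if got, ok := request[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// equalsSatisfied: the request context must match the constraint exactly, no extra pairs.
func equalsSatisfied(constraint, request EncryptionContext) bool {
	return len(constraint) == len(request) && subsetSatisfied(constraint, request)
}

// Allows reports whether a request carrying this encryption context passes the constraints.
// Keys and values are compared case-sensitively, as KMS does.
func (c GrantConstraints) Allows(request EncryptionContext) bool {
	if c.EncryptionContextSubset != nil && !subsetSatisfied(c.EncryptionContextSubset, request) {
		return false
	}
	if c.EncryptionContextEquals != nil && !equalsSatisfied(c.EncryptionContextEquals, request) {
		return false
	}
	return true
}

func main() {
	subset := GrantConstraints{EncryptionContextSubset: EncryptionContext{"Department": "Finance", "classification": "critical"}}
	equals := GrantConstraints{EncryptionContextEquals: EncryptionContext{"Department": "Finance", "classification": "critical"}}
	exact := EncryptionContext{"Department": "Finance", "classification": "critical"}
	extra := EncryptionContext{"Department": "Finance", "classification": "critical", "customer": "12345"}
	short := EncryptionContext{"Department": "Finance"}
	fmt.Println("subset:", subset.Allows(extra), subset.Allows(short)) // true false
	fmt.Println("equals:", equals.Allows(exact), equals.Allows(extra)) // true false
}
```

One caveat from the KMS side: these constraints are only checked on operations that carry an encryption context (Encrypt, Decrypt, GenerateDataKey and so on), so a grant whose Operations include DescribeKey is not narrowed by them for that call.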
Slide 38: A grant as recorded by CloudTrail (excerpt of the record EBS produces when an encrypted volume is attached)
"eventName": "CreateGrant",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
  "retiringPrincipal": "137640147550",
  "constraints": { "encryptionContextSubset": { "aws:ebs:id": "vol-9a98axxx" } },
  "operations": [ "Decrypt" ],
  "granteePrincipal": "33658066xxxx:aws:ec2-infrastructure:i-5439cxxx",
  "keyId": "arn:aws:kms:us-east-1:33658066xxxx:key/6f712a31-88ba-4975-a4bf-0a87faxxxx"
},
EBS grants the EC2 infrastructure principal of that one instance the Decrypt operation only, constrained to that one volume ID; the call comes from "AWS Internal", which is how service-originated grants can be told apart from grants created by users.
Slide 39: AWS-managed CMKs. Each integrated service gets a default CMK in your account, aliased aws/<service> (for example aws/ebs), created automatically the first time the service needs it. It is used whenever you do not name a customer CMK; its key policy is managed by AWS, and it cannot be disabled, deleted or rotated on your schedule.
Slide 40: Using KMS (section divider)
Slide 41: How KMS performs cryptography. API calls land on the KMS hosts; every operation that touches key material is executed inside an HSA. The HSAs encrypt with AES-GCM using 256-bit keys, and key material exists outside an HSA only in encrypted form. (Figure: KMS hosts / KMS interface in front of the HSA fleet that holds the Customer Master Keys.)
Slide 42: KMS API behaviour
- Encrypt: takes up to 4 KB of plaintext and returns a ciphertext blob made of a header and the encrypted data. The header records which HBK was used, and the encryption context (EC) is bound to the ciphertext as AAD.
- Decrypt: takes the ciphertext blob and the encryption context; no CMK ID is needed because the header identifies the HBK, and through it the CMK and the AWS account.
- GenerateDataKey: creates a CDK and returns it in plaintext together with its encrypted form, which is exactly what Encrypt would produce for the CDK.
(Figure: plaintext + EC -> Encrypt -> ciphertext [header | encrypted data]; ciphertext + EC -> Decrypt -> plaintext, with the HBK ID in the header selecting the HBK.)
Slide 43: Using KMS directly (1/2). The application calls the KMS API itself: Encrypt/Decrypt for small secrets, GenerateDataKey plus local encryption for everything else.
Slide 44: Using KMS through AWS services (2/2). The application hands its data to an AWS service, and the service calls KMS on the application's behalf.
Slide 45: Client-side and server-side encryption with KMS
Client-side encryption: the application encrypts before data is sent to AWS, and the AWS SDK performs the envelope encryption against KMS. Libraries: AWS Encryption SDK; Amazon S3 Encryption Client (AWS SDK for Java, .NET, Ruby); Amazon EMR File System (EMRFS); Client-side Encryption for Amazon DynamoDB (https://github.com/awslabs/aws-dynamodb-encryption-java).
Server-side encryption: the AWS service encrypts data at rest with keys from KMS: Amazon S3, Amazon Elastic Block Store (Amazon EBS), Amazon RDS, Amazon Redshift, Amazon WorkMail, Amazon WorkSpaces, AWS CloudTrail, Amazon Simple Email Service (Amazon SES), Amazon Elastic Transcoder, AWS Import/Export Snowball, Amazon Kinesis Firehose, Amazon EMR.
Slide 46: Client-side encryption with the AWS SDK is envelope encryption: KMS issues the data key, the SDK encrypts locally, and the encrypted data key travels with the data.
Slide 47: AWS Encryption SDK. A client-side encryption library from AWS with a simple encrypt/decrypt API. For each message it obtains a data encryption key (DEK), encrypts the data, and stores the encrypted DEK in the message header, so the caller never implements envelope encryption by hand. Master keys can come from AWS KMS or from a provider of your own (for example one backed by CloudHSM). Java: https://github.com/awslabs/aws-encryption-sdk-java
Slide 48: AWS Encryption SDK internals (figure). AwsCrypto.encryptData() asks the MasterKeyProvider for a master key (MasterKeyProvider.getMasterKey()), calls MasterKey.generateDataKey() to obtain a plaintext data key and its encrypted form, encrypts the data locally, and emits a message holding the encrypted data key and the encrypted data. With KmsMasterKeyProvider the master key is a KMS CMK, so generateDataKey() is a kms:GenerateDataKey call.
Slide 49: Client-side encryption with the AWS Encryption SDK and KMS (Java; keyId is the CMK ARN, message the plaintext bytes):
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;

// Client-side encryption with the AWS Encryption SDK and a KMS master key provider.
final AwsCrypto crypto = new AwsCrypto();
final KmsMasterKeyProvider prov = new KmsMasterKeyProvider(keyId);

// Encrypt: the SDK calls kms:GenerateDataKey, encrypts locally, and returns a message
// whose header carries the encrypted data key.
final byte[] ciphertext = crypto.encryptData(prov, message).getResult();

// Decrypt: the SDK reads the encrypted data key from the header and calls kms:Decrypt.
final CryptoResult<byte[], KmsMasterKey> res = crypto.decryptData(prov, ciphertext);
// Refuse ciphertext that was not protected by the CMK we expect.
if (!res.getMasterKeyIds().get(0).equals(keyId)) {
    throw new IllegalStateException("Wrong key id!");
}
final byte[] plaintext = res.getResult();
Decryption does not need the key ID: the SDK finds the encrypted data key in the message header and asks KMS to unwrap it. The check on getMasterKeyIds() is what stops an attacker from substituting a message encrypted under a key they control, so keep it.
Slide 50: Server-side encryption with KMS on Amazon EBS. Encryption is chosen when the volume is created, in the console or with the AWS CLI/SDK:
create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id <value>] --availability-zone <value> [--volume-type <value>] [--iops <value>] [--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>] [--generate-cli-skeleton]
With --encrypted and --kms-key-id the volume's data key is wrapped under that CMK (envelope encryption); without --kms-key-id the account's aws/ebs key is used.
Slide 51: How EBS server-side encryption works
1. When an encrypted volume is created, EBS asks KMS over TLS for a data key encrypted under the CMK and stores it with the volume metadata; the CMK never leaves KMS.
2. When the volume is attached, EBS hands the encrypted data key to the EC2 host.
3. The EC2 host calls KMS to decrypt the data key (this is where the grant shown on slide 38 is used) and keeps the plaintext key only in host memory.
4. The host encrypts and decrypts all I/O between the instance and the volume, so data on the volume, in transit between host and EBS, and in snapshots is always encrypted.
Slide 52: KMS TIPS (section divider)
Slide 53: KMS limits (http://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/limits.html; request increases through the AWS Support Center)
- CMKs per region: 1000
- Aliases per region: 1100
- Grants per CMK: 2500
- Grants for a given principal per CMK: 30
- Request rate: 100 requests per second, shared across Encrypt, Decrypt, ReEncrypt, GenerateRandom, GenerateDataKey and GenerateDataKeyWithoutPlaintext
Slide 54: KMS TIPS (general)
- Encrypt/Decrypt handle at most 4 KB: use envelope encryption through the GenerateDataKey API for anything larger.
- The request-rate limit also counts calls made by AWS services on your behalf: EBS volume attachments and S3 SSE-KMS uploads and downloads each cost a KMS request. Size for it and handle throttling.
https://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/limits.html
Slide 55: KMS with Amazon EBS
- The CMK is chosen when the volume is created and cannot be changed on that volume afterwards; snapshots taken from the volume use the same CMK.
- Without a CMK of your own, the AWS-managed aws/ebs key is used.
- Each attachment of an encrypted volume creates a grant on its CMK for the instance, so when many volumes share one CMK keep the grant limits (2500 per CMK, 30 per principal) in mind.
http://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/EBSEncryption.html
Slide 56: KMS with Amazon RDS
- Encryption is chosen when the DB instance (or Aurora cluster) is created; an existing unencrypted instance cannot be encrypted in place.
- Aurora (MySQL-compatible) supports KMS encryption like the other engines.
- Sharing an encrypted snapshot with another account requires a customer-managed CMK: snapshots under the default aws/rds key cannot be shared. https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html
- If the CMK is disabled, RDS loses access to the data and the instance enters a terminal state; re-enable the key rather than deleting it.
http://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/Overview.Encryption.html
Slide 57: KMS with Amazon S3 and Amazon SES
- S3 SSE-KMS requires AWS Signature Version 4 on requests, and the ETag of an SSE-KMS object is not the MD5 of its content.
- To force SSE-KMS, add a bucket policy that denies s3:PutObject unless the request carries s3:x-amz-server-side-encryption: aws:kms.
- SES can encrypt received mail before storing it in S3: it fetches a data key from your CMK, encrypts the message, and stores the encrypted data key with the S3 object. Decryption is done client-side with the Amazon S3 Encryption Client: https://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/services-ses.html
Slide 58: Auditing, compliance and comparison with HSM (section divider)
Slide 59: Auditing KMS with AWS CloudTrail. CloudTrail records every KMS API call, whether it comes from the console, the SDK, the CLI, or an AWS service acting on your behalf: CreateAlias, CreateGrant, CreateKey, Decrypt, DeleteAlias, DescribeKey, DisableKey, EnableKey, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, GenerateRandom, GetKeyPolicy, ListAliases, ListGrants, ReEncrypt, and the rest. http://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/logging-using-cloudtrail.html
Each record tells you who called which API on which key, from where, and whether it succeeded, which is what both an audit and an incident investigation start from.
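Putting those records to use, as an added example in Go (not code from the deck or from AWS): a small triage over constructed CloudTrail records, with placeholder account, key and instance IDs. `Triage` is this example's own function. It tells the grant EBS creates itself (sourceIPAddress "AWS Internal", as in the record shown earlier) apart from a grant a user created by hand, flags the management calls that can destroy data or change control of a key, and surfaces failed calls such as DisabledException, which is the signal the disable-then-delete procedure described earlier relies on.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// record is the subset of a CloudTrail event that this triage needs.
type record struct {
	EventSource     string `json:"eventSource"`
	EventName       string `json:"eventName"`
	ErrorCode       string `json:"errorCode"`
	SourceIPAddress string `json:"sourceIPAddress"`
	UserIdentity    struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		KeyID            string `json:"keyId"`
		GranteePrincipal string `json:"granteePrincipal"`
	} `json:"requestParameters"`
}

// Finding is one line an analyst would look at.
type Finding struct {
	Severity, Reason, Actor, KeyID string
}

// highImpact lists the management calls that can make data unrecoverable or change who controls the key.
var highImpact = map[string]bool{
	"ScheduleKeyDeletion": true, "DisableKey": true, "PutKeyPolicy": true,
	"DeleteImportedKeyMaterial": true, "DisableKeyRotation": true,
}

// Triage scans KMS events and returns the ones worth a look, in log order.
func Triage(records []record) []Finding {
	var out []Finding
	for _, r := range records {
		if r.EventSource != "kms.amazonaws.com" {
			continue
		}
		switch {
		case highImpact[r.EventName]:
			out = append(out, Finding{"high", r.EventName, r.UserIdentity.ARN, r.RequestParameters.KeyID})
		case r.EventName == "CreateGrant" && r.SourceIPAddress != "AWS Internal":
			// Grants made by AWS services on your behalf arrive with sourceIPAddress "AWS Internal";
			// one created directly by a user or SDK is unusual and deserves review.
			out = append(out, Finding{"medium", "CreateGrant to " + r.RequestParameters.GranteePrincipal, r.UserIdentity.ARN, r.RequestParameters.KeyID})
		case r.ErrorCode != "":
			// A failed Decrypt/GenerateDataKey (AccessDenied, DisabledException, ...) shows that
			// something still depends on the key, or that someone is probing it.
			out = append(out, Finding{"low", r.EventName + " failed: " + r.ErrorCode, r.UserIdentity.ARN, r.RequestParameters.KeyID})
		}
	}
	return out
}

// TriageLog takes a CloudTrail log file ({"Records": [...]}) as delivered to S3.
func TriageLog(data []byte) ([]Finding, error) {
	var file struct{ Records []record }
	if err := json.Unmarshal(data, &file); err != nil {
		return nil, err
	}
	return Triage(file.Records), nil
}

// sampleLog is constructed for this example; account, key, instance and volume IDs are placeholders.
const sampleLog = `{"Records": [
 {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/Dev"},
  "requestParameters": {"encryptionContext": {"Department": "Finance"}}},
 {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/Dev", "invokedBy": "ec2.amazonaws.com"},
  "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
   "granteePrincipal": "111122223333:aws:ec2-infrastructure:i-0123456789abcdef0",
   "constraints": {"encryptionContextSubset": {"aws:ebs:id": "vol-0123456789abcdef0"}}, "operations": ["Decrypt"]}},
 {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/Dev"},
  "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
   "granteePrincipal": "arn:aws:iam::999988887777:root", "operations": ["Decrypt"]}},
 {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/SuperUser"},
  "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555", "pendingWindowInDays": 7}},
 {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey", "errorCode": "DisabledException", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/Dev"},
  "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555", "keySpec": "AES_256"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/Dev"}}
]}`

func main() {
	findings, err := TriageLog([]byte(sampleLog))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s by %s on %s\n", f.Severity, f.Reason, f.Actor, f.KeyID)
	}
}
```

Of the six constructed records, the routine Decrypt, the EBS-originated grant and the S3 event produce nothing; the hand-made grant to another account's root, the scheduled deletion, and the GenerateDataKey that failed with DisabledException are the three findings.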
Slide 60: Compliance, and KMS compared with CloudHSM. Amazon KMS, with AWS CloudTrail as its audit trail, is in scope for the AWS Service Organization Control (SOC 1) report and for PCI-DSS.

Comparison as presented in 2016/09:
Item | AWS CloudHSM | AWS KMS
Deployment | Dedicated SafeNet Luna SA 7000 HSM inside your VPC | Multi-tenant managed service
Root of trust | Held by the customer | Held by AWS
Validation | FIPS 140-2 Level 2, Common Criteria EAL4+ | Covered by the AWS compliance programs above
Audit | AWS CloudTrail for the CloudHSM API, plus the HSM's own logs | AWS CloudTrail
Interface | CloudHSM CLI tools and HSM client SDK | AWS SDK and AWS CLI
Integrations | EBS via SafeNet ProtectV, Apache, Microsoft SQL Server, Amazon Redshift, RDS (Oracle TDE) | S3, EBS, RDS, Redshift, Elastic Transcoder, WorkMail, EMRFS and the other services on slide 15
Slide 61-62: Choosing between CloudHSM and KMS. CloudHSM gives you a dedicated SafeNet HSM under your exclusive control, for requirements that demand a customer-held root of trust or a specific validated device. KMS gives you a managed, multi-tenant key service with built-in integration into AWS services and AWS CloudTrail auditing. They are complementary rather than mutually exclusive.
Slide 63: Pricing (http://aws.amazon.com/jp/kms/pricing/)
- $1 per key version per month for customer-managed CMKs: each rotation adds a version, and every version is billed. AWS-managed keys (aws/*) are free.
- API requests: $0.03 per 10,000 requests (GovCloud (US) pricing differs), with the first 20,000 requests per month free. GenerateDataKey and GenerateDataKeyWithoutPlaintext count as requests.
- As of 2016/09, requests that integrated services such as CloudTrail, S3 and SNS make to KMS on your behalf count toward the request charge like any other call.
Slide 64: Summary (section divider)
Slide 65: Summary: options for encryption at rest on AWS
1. Server-side encryption in AWS services such as S3 and EBS, with AWS-managed keys (SSE).
2. Client-side encryption by the user before data reaches AWS (for example S3 CSE).
3. AWS CloudHSM: dedicated hardware under customer control.
AWS Key Management Service sits across these: 1. AWS operates a secure KMI on the user's behalf; 2. the AWS SDK and third-party products use it for client-side encryption; 3. it can hold keys that originate in your own KMI (BYOK).
Slide 66: AWS Key Management Service in one sentence: a managed key service, integrated with AWS services and the AWS SDK, in which every use of a key is auditable through AWS CloudTrail.
67
AWS Key Management Service Developer Guidehttp://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/overview.html
AWS Key Management Service API Reference http://docs.aws.amazon.com/ja_jp/kms/latest/APIReference/Welcome.html
AWS Key Management Service FAQhttp://aws.amazon.com/jp/kms/faqs/
AWS Key Management Service Pricinghttp://aws.amazon.com/jp/kms/pricing/
AWS Key Management Service whitepaper https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
Slide 68: More from AWS Japan: http://aws.amazon.com/jp/aws-jp-introduction/ ; AWS Solutions Architect blog (Q&A): http://aws.typepad.com/sajp/
Slide 69: AWS Japan on Twitter/Facebook: @awscloud_jp, http://on.fb.me/1vR8yWm
Slide 70: Contact AWS sales: https://aws.amazon.com/jp/contact-us/aws-sales/