1 AWS Black Belt Online Seminar: AWS Key Management Service (AWS KMS). Amazon Web Services Japan K.K., Solutions Architect, 2016.09.28

【AWS Black Belt Online Seminar】 AWS Key Management Service


  • 1

    AWS Black Belt Online Seminar AWS Key Management Service

    (AWS KMS)

    2016.09.28

  • 2

    Based on the AWS service information published at http://aws.amazon.com as of 2016/9/28

    AWSAWS

    AWS does not offer binding price quotes. AWS pricing is publicly available and is subject to change in accordance with the AWS Customer Agreement available at http://aws.amazon.com/agreement/. Any pricing information included in this document is provided only as an estimate of usage charges for AWS services based on certain information that you have provided. Monthly charges will be based on your actual use of AWS services, and may vary from the estimates provided.

  • 3

    KMS KMS KMS KMSTIPS HSM

  • 4

    KMS KMS KMS KMSTIPS HSM

  • 5

    (Data encryption in transit)

    SSL/TLS IPSec LAN

    (Data Encryption at rest)

    in transit

    at rest

  • 6

    ? AWS

    AWS

    ? AWS

  • 7

    Key Management Infrastructure KMI(Key Management infrastructure)

    KMI

    (HSM)

  • 8

    AWSKMI

    KMI KMI KMI

    AWS

    A B C

  • 9

    AWS Key Management Service (AWS KMS)

    AWS

    S3, EBS, RedshiftAWS SDK AWS CloudTrail

  • 10

    KMS Customer Master KeyCMK

    KMS KMS/4KB

    Customer Data Key (CDK) CMK

    Envelope Encryption /

    CMK

    CMK

  • 11

    KMS

    2-Tier

    AWS KMS

    Envelope Encryption

    Envelope Encryption

    Customer Master Key(s)

    Data Key 1

    Amazon S3 Object

    Amazon EBS

    Volume

    Amazon Redshift Cluster

    Data Key 2 Data Key 3 Data Key 4

    Custom Application

    AWS KMS

  • 12

    KMS

    host

    host

    host

    HS

    HSAHSA

    (Hardened Security Appliance)

    Customer Master Keys

    KMS Interface

    Domain

  • 13

    Durable

    Encrypted Key Store

    + Data key Encrypted data key

    KMS

    1. AWSKMSIDkms:GenerateDataKey Call

    2. KMS3. HSA4. KMS

    5.

    KMS

    AWS

    Client AuthN and AuthZ

    2

    3

    4

    5 HSA

    KMS Interface KMS host

  • KMS/

    4KB AWS

    4KB

  • 15

    KMSAWS

    https://aws.amazon.com/jp/kms/details/

    Amazon S3, Amazon EBS, AWS Import/Export Snowball

    Amazon RDS, Amazon Redshift, AWS Database Migration Service

    AWS CodeCommit

    Amazon EMR, Amazon Kinesis Firehose

    Amazon Elastic Transcoder, Amazon SES

    Amazon WorkSpaces, Amazon WorkMail

    2016/09 CodeCommitAWS

    AWS

  • KMS API

    API CreateKey, CreateAlias DisableKey EnableKeyRotation PutKeyPolicy ListKeys, DescribeKey

    API Encrypt Decrypt ReEncrypt GenerateDataKey

    26 API actions and growing

    http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html

  • 17

    KMS KMS KMS KMSTIPS HSM

  • 18

    KMS

    DescriptionCMK

    IAM

    IAM

    CMK//

    1

    CMK

  • hosthosthost

    KMS KMS

    Domain Key(DK) HSA

    HSA Backing Key(HBK) CMK CMKHSA HSA Export

    Exported Key Token(EKT) DKHBK KMSDurable Storage HSA

    CMK() HBKEKT

    CMKCDK

    CMK1

    EKT1

    Durable storage

    Hardened Security Appliance (HSA)

    Customer Data KeyHBK

    Exported Key Token

    Domain Key

    HBK1 HBK2

    CDK2

    CT2

    CMK2

    EKT2

    HSA Backing Key()

  • 20

    CMK

    Create Key Key Generation

    Rotation

    Active

    ActiveActiveDeactivated

    CMK

    Schedule key for deletion

    Deleted

    CMK() CMKActive

    CDK

  • 21

    IAMEncryption Keys

    IAM User IAM Role AWS

    Key

    132 /

    aws

    Description 256

  • 22

    Enable/Disable

    $ aws kms generate-data-key --key-id cc00b8b3-f647-4090-99ab-0ab58XXXXXX --key-spec AES_256

    A client error (DisabledException) occurred when calling the GenerateDataKey operation: arn:aws:kms:us-east-1:336580663XXX:key/cc00b8b3-f647-4090-99ab-0ab58eeXXXXX is disabled.

    Enable/Disable

    Disable

    Disable

  • 23

    Disable

    7-30 30

    CloudTrail

  • 24

    CMK

    Key ID,Alias ReEncrypt API

    AWS CLI enable-key-rotation --key-id

    (Key Summary Page)

  • 25

    CMKEKT1EKT2.

    Durable storageDomain Key

    HBK1 HBK2 HBKn HBKn+1

    CDK1CT1

    CDK2CT2

    CDKnCTn

    Hardened Security Appliance (HSA)

    HBK

    HBK

    Active

  • 26

    Bring Your Own Keys(2016/8/11)

    CMK KMI

    KMSAWS

    256bit

    CMK

    Import

    KMSImport

    CMK

    RSA public key

    KMS

    KMS

    KMS 256bit

    KMI

  • 27

    CMK(1/3)

    CMK IAMImportCMK

    Advanced OptionsKey Material OriginExternal()

    CMKIAM

  • 28

    CMK(2/3) Wrapping keyImport token KMI

    Wrapping algorithms: RSAES_OAEP_SHA_256 (recommended), RSAES_OAEP_SHA_1, RSAES_PKCS1_V1_5

    wrapping keyimport token

    The import token expires 24 hours after it is issued. CMK

    3zip README__.txt importToken__ wrappingKey__

  • 29

    CMK(3/3)

    (Example) Wrapping the key material with openssl using RSAES_OAEP_SHA_1

    ImportToken

    UTC

    Pending ImportEnable

    $ openssl rsautl -encrypt -in plain_text_aes_key.bin -oaep \
        -inkey wrappingKey__ \
        -pubin -keyform DER -out enc.aes.key

  • 30

    CMK

    KMI

    256bit KMS

    CMKImport CMK

    (7-30)CMK Import

    KMS()KMS

    HBK ID

  • 31

    Key Policy CLI/SDK

    GetKeyPolicy PutKeyPolicy

    Key PolicyIAM UserIAM RolePolicy

  • 32

    Default key policy created by the console (continues across slides 32 and 33):

    {
      "Id": "key-consolepolicy-2",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::336580663xxx:root" ] },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": { "AWS": [ "arn:aws:iam::336580663xxx:user/SuperUser" ] },
          "Action": [
            "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
            "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": { "AWS": [
            "arn:aws:iam::336580663xxx:user/Dev",
            "arn:aws:iam::336580663xxx:role/EC2_Admin",
            "arn:aws:iam::912412960xxx:root"
          ] },
          "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
          "Resource": "*"
        },
        {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": { "AWS": [
            "arn:aws:iam::33658066XXXX:user/Dev",
            "arn:aws:iam::33658066XXXX:role/EC2_Admin",
            "arn:aws:iam::91241296XXXX:root"
          ] },
          "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
          "Resource": "*",
          "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } }
        }
      ]
    }

    The default policy grants the AWS account root principal full access (first statement); the remaining statements give administrators management rights, users cryptographic rights, and AWS resources the ability to create grants.

    KMS AWS

  • IAM User/Role

    Default Policy

    KMSIAMPolicy Allow Deny(Deny)

    Deny < Allow < Deny

    Policy
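The precedence stated above (an explicit Deny beats any Allow, and with neither the request is implicitly denied) is easy to get wrong when reading a key policy by eye. The following is an added example, not AWS code and not the real IAM evaluation engine: a deliberately small evaluator for a key policy on its own, modelled on the console default policy shown on slides 32-33 (masked account IDs as on the slides), with a constructed Deny statement appended to show the precedence. It does not model the IAM policies that the root statement delegates to, and it only understands the Bool condition operator.

```python
import fnmatch

# Constructed key policy modelled on the console default policy (slides 32-33).
# Account IDs are the masked placeholders from the slides; the final Deny statement
# is an addition for this example.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::336580663xxx:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::336580663xxx:user/SuperUser"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*"],
         "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::336580663xxx:user/Dev",
                               "arn:aws:iam::336580663xxx:role/EC2_Admin",
                               "arn:aws:iam::912412960xxx:root"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::336580663xxx:user/Dev",
                               "arn:aws:iam::336580663xxx:role/EC2_Admin"]},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        # Constructed for this example: nobody may schedule deletion through this key policy.
        {"Sid": "Deny scheduling of deletion", "Effect": "Deny",
         "Principal": "*", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn):
    # "*" means everyone; otherwise the caller's ARN must be listed under "AWS".
    if principal == "*":
        return True
    return arn in _as_list(principal.get("AWS", []))


def _action_matches(actions, action):
    # Action names are matched case-insensitively and "*" is a wildcard (kms:Create*, kms:*).
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(actions))


def _condition_matches(condition, context):
    # Only the Bool operator is modelled (enough for kms:GrantIsForAWSResource).
    for operator, clauses in condition.items():
        if operator != "Bool":
            raise NotImplementedError("condition operator not modelled: " + operator)
        for key, expected in clauses.items():
            if key not in context or str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, principal_arn, action, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request against
    one key policy: a matching Deny is final, a matching Allow wins over the
    implicit deny, and nothing matching means implicit deny."""
    context = context or {}
    outcome = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        outcome = "allow"
    return outcome


if __name__ == "__main__":
    root = "arn:aws:iam::336580663xxx:root"
    dev = "arn:aws:iam::336580663xxx:user/Dev"
    print(evaluate(SAMPLE_KEY_POLICY, root, "kms:Decrypt"))              # allow (kms:*)
    print(evaluate(SAMPLE_KEY_POLICY, root, "kms:ScheduleKeyDeletion"))  # explicit_deny
    print(evaluate(SAMPLE_KEY_POLICY, dev, "kms:CreateGrant",
                   {"kms:GrantIsForAWSResource": True}))                 # allow
    print(evaluate(SAMPLE_KEY_POLICY, dev, "kms:CreateGrant"))           # implicit_deny
```

Two things the run makes visible: the key administrator (SuperUser) cannot Decrypt with this default policy because administration and use are separate statements, and the constructed Deny stops even the root principal's kms:* from scheduling deletion, which is the "Deny < Allow < Deny" ordering from the slide.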

  • 35

    Grant Key Policy

    CMKPrincipal AWSKMS

    5 Key ID GranteePrincipal Operations Constraints GrantsCondition RetiringPrincipal rantsretire

    CreateGrant GrantGrant

  • 36

    Encryption Context KMSKey/Value

    Additional Authenticated Data(AAD)

    CloudTrailEncryption Context

    GrantsConstraints EncryptionContextSubsetEncryptionContext EncryptionContextEqualsEncryptionContext EBSvolume IDGrants

  • 37

    Constraint: EncryptionContextSubset {Department:Finance, classification:critical}

    {Department:Finance, classification:critical, customer:12345} -> OK
    {Department:Finance} -> NG

    Constraint: EncryptionContextEquals {Department:Finance, classification:critical}

    {Department:Finance, classification:critical} -> OK
    {Department:Finance, classification:critical, customer:12345} -> NG
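The two constraint types differ only in whether extra key/value pairs in the request are tolerated. The following is an added example, not AWS code: it evaluates both constraint types over the four cases on the slide and over an EBS-style grant with constructed values (operations limited to Decrypt, constraint on aws:ebs:id), using exact, case-sensitive string comparison as KMS does for an encryption context.

```python
# Added example (not AWS code): grant constraint evaluation on a KMS encryption context.
# Encryption context keys and values are strings and are compared exactly (case-sensitive).

# The constraints from the slide.
SUBSET_CONSTRAINT = {"Department": "Finance", "classification": "critical"}
EQUALS_CONSTRAINT = {"Department": "Finance", "classification": "critical"}

# A grant like the EBS one on the slide's CloudTrail record (constructed volume ID).
EBS_GRANT = {
    "operations": ["Decrypt"],
    "constraints": {"EncryptionContextSubset": {"aws:ebs:id": "vol-9a98axxx"}},
}


def encryption_context_subset_ok(constraint, request_context):
    """EncryptionContextSubset: every pair in the constraint must appear in the
    request's encryption context; the request may carry additional pairs."""
    return all(request_context.get(k) == v for k, v in constraint.items())


def encryption_context_equals_ok(constraint, request_context):
    """EncryptionContextEquals: the request's encryption context must be exactly
    the constraint, no more and no less."""
    return dict(constraint) == dict(request_context)


def grant_allows(grant, operation, request_context):
    """True if the grant permits `operation` for a request carrying `request_context`.
    Both constraint types may be present on a grant; each one present must hold."""
    if operation not in grant["operations"]:
        return False
    constraints = grant.get("constraints", {})
    subset = constraints.get("EncryptionContextSubset")
    if subset is not None and not encryption_context_subset_ok(subset, request_context):
        return False
    equals = constraints.get("EncryptionContextEquals")
    if equals is not None and not encryption_context_equals_ok(equals, request_context):
        return False
    return True


if __name__ == "__main__":
    # The four cases on the slide.
    print(encryption_context_subset_ok(SUBSET_CONSTRAINT,
          {"Department": "Finance", "classification": "critical", "customer": "12345"}))  # True (OK)
    print(encryption_context_subset_ok(SUBSET_CONSTRAINT, {"Department": "Finance"}))      # False (NG)
    print(encryption_context_equals_ok(EQUALS_CONSTRAINT,
          {"Department": "Finance", "classification": "critical"}))                       # True (OK)
    print(encryption_context_equals_ok(EQUALS_CONSTRAINT,
          {"Department": "Finance", "classification": "critical", "customer": "12345"}))  # False (NG)
    # The EBS grant only lets the grantee decrypt for its own volume.
    print(grant_allows(EBS_GRANT, "Decrypt", {"aws:ebs:id": "vol-9a98axxx"}))  # True
    print(grant_allows(EBS_GRANT, "Decrypt", {"aws:ebs:id": "vol-0000000"}))   # False
```

Note that these constraints only decide whether the grant applies; because the encryption context is also additional authenticated data (slide 36), a Decrypt whose context differs from the one used at Encrypt fails anyway, grant or no grant.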

  • 38

    Grants as recorded in CloudTrail (excerpt of a CreateGrant event):

    "eventName":"CreateGrant",
    "awsRegion":"us-east-1",
    "sourceIPAddress":"AWS Internal",
    "userAgent":"AWS Internal",
    "requestParameters":{
        "retiringPrincipal":"137640147550",
        "constraints":{"encryptionContextSubset":{"aws:ebs:id":"vol-9a98axxx"}},
        "operations":["Decrypt"],
        "granteePrincipal":"33658066xxxx:aws:ec2-infrastructure:i-5439cxxx",
        "keyId":"arn:aws:kms:us-east-1:33658066xxxx:key/6f712a31-88ba-4975-a4bf-0a87faxxxx"
    },

    EBSVolume

  • 39

    AWS

    aws/

    ex) EBS

    3

  • 40

    KMS KMS KMS KMSTIPS HSM

  • 41

    KMS

    KMS HSA

    HSA /

    AES-GCM 256bit

    KMS

    host

    host

    host

    HSHSA

    HSA(Hardened Security

    Appliance)

    Customer Master Keys

    KMS Interface

  • 42

    KMSAPI

    Encrypt API API

    KB

    HBKIDEncryption Context AWS

    Decrypt API API CMK

    CMK AWS

    GenerateDataKey CDK Encrytpt API

    Plaintext

    Ciphertext

    KMS

    Header Encrypted Data

    EC

    Encrypt

    Plaintext

    KMS Ciphertext

    Decrypt

    CMK ID,EC

    HBKIDHBK

  • 43

    KMS(1/2)

    KMS

    AppKMS

  • 44

    KMS(2/2)

    KMS KMS

    App

    KMS

  • 45

    Client-side encryption KMS

    AWS SDK SDKEnvelope Encryption

    AWS Encryption SDK Amazon S3 Client

    AWS SDK for Java, .NET, Ruby Amazon EMR File System (EMRFS) Client-side Encryption for Amazon DynamoDB

    https://github.com/awslabs/aws-dynamodb-encryption-java Server-side encryption

    AWSKMS :

    S3, Amazon Elastic Block Store (Amazon EBS), Amazon RDS, Amazon Redshift, Amazon WorkMail, Amazon WorkSpaces, AWS CloudTrail, Amazon Simple Email Service (Amazon SES), Amazon Elastic Transcoder, AWS Import/Export Snowball, Amazon Kinesis Firehose, Amazon EMR

    KMS

  • AWS SDKClient-side Encryption

    KMS

    Envelope Encryption

  • 47

    AWS Encryption SDK AWS

    API

    (DEK)

    SDK SDK

    (AWS KMSCloudHSM)

    Java https://github.com/awslabs/aws-encryption-sdk-java

  • 48

    AWS Encryption SDK

    encrypted data key

    AwsCrypto.encryptData()

    encrypted data

    MasterKeyProvider.getMasterKey()

    MasterKey.generateDataKey()

    plaintext data key

    AWS Encryption SDK

    SDK

    Envelope Encryption

  • AWS Encryption SDKKMSClient-side Encryption

    import com.amazonaws.encryptionsdk.AwsCrypto;
    import com.amazonaws.encryptionsdk.CryptoResult;
    import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
    import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;

    // Encrypt (keyId is the CMK ID or ARN, message the plaintext bytes)
    final AwsCrypto crypto = new AwsCrypto();
    // Master key provider backed by the KMS CMK (KmsMasterKeyProvider)
    final KmsMasterKeyProvider prov = new KmsMasterKeyProvider(keyId);
    // Envelope encryption: the data key comes from KMS and is stored, encrypted, inside the ciphertext
    final byte[] ciphertext = crypto.encryptData(prov, message);

    // Decrypt (the same AwsCrypto and KmsMasterKeyProvider objects are reused here)
    final CryptoResult<byte[], KmsMasterKey> res = crypto.decryptData(prov, ciphertext);
    // Verify that the ciphertext was protected by the expected CMK before trusting the result
    if (!res.getMasterKeyIds().get(0).equals(keyId)) {
        throw new IllegalStateException("Wrong key id!");
    }
    final byte[] plaintext = res.getResult();

    KMSKey ID

    SDK SDK

    KMSMasterKeyProvider

    ciphertext

  • 50

    create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id <value>] --availability-zone <value> [--volume-type <value>] [--iops <value>] [--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>] [--generate-cli-skeleton]

    Console

    AWS CLI/SDK

    AWSServer-side Encryption with KMSEBS

    CMK Envelope Encryption

  • 51

    AWSServer-Side Encryption with KMS

    EBS1. EBSTLS

    KMSKMSEBS(EBS)

    2. EBSEC2

    3. KMSEC2

    4. EBS/

  • 52

    KMS KMS KMS KMSTIPS HSM

  • 53

    KMS AWS AWS Support Center

    http://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/limits.html

    Customer master keys (CMKs): 1000 (per region)

    Aliases: 1100 (per region)

    Grants per CMK: 2500

    Grants for a given principal per CMK: 30

    Requests per second: 100 (shared by Encrypt, Decrypt, ReEncrypt, GenerateRandom, GenerateDataKey and GenerateDataKeyWithoutPlaintext)

  • 54

    KMS TIPS /4KB

    Envelope Encryption API

    EBSS3Upload/Download

    https://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/limits.html

  • 55

    KMS with AWS TIPS Amazon EBS

    CMK

    CMK

    AWS CMK

    KMSCMK 1CMK30

    http://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/EBSEncryption.html

  • 56

    KMS with AWS TIPS Amazon RDS

    (Aurora) /

    Aurora MySQLAurora KMS AWS

    CMK https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html

    Disable DisableTerminal

    http://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/Overview.Encryption.html

  • 57

    KMS with AWS TIPS Amazon S3

    KMSVersion4 ETagMD5 SSE-KMS

    s3:PutObjects3:x-amz-server-side-encryption:aws:kms

    Amazon SES KMS

    S3S3 Encryption ContextID

    SESCMK SESS

    S3 Clienthttps://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/services-ses.html

  • 58

    KMS KMS KMS KMSTIPS HSM

  • 59

    CloudTrailKMS CloudTrailKMSSDKAPI

    CreateAlias CreateGrant CreateKey Decrypt DeleteAlias DescribeKey DisableKey EnableKey Encrypt GenerateDataKey GenerateDataKeyWithoutPlaintext GenerateRandom GetKeyPolicy ListAliases ListGrants ReEncrypt

    http://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/logging-using-cloudtrail.html

    CloudTrail

    API AWS AWS
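Since every KMS API call lands in CloudTrail, the events listed above are what a defender reviews to find changes to a key's availability or policy. The following is an added example, not AWS code: it reads constructed CloudTrail records (newline-delimited JSON, reduced to the fields used here, with the masked account and key IDs from the slides and, for simplicity, keyId placed in requestParameters for every event) and flags DisableKey, ScheduleKeyDeletion, PutKeyPolicy and DeleteAlias, plus any CreateGrant whose grantee sits in a different account than the key.

```python
import json

# Constructed CloudTrail records (not real exports); the sourceIPAddress values are
# documentation ranges and the account/key IDs are the slides' masked placeholders.
SAMPLE_TRAIL = '''
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"arn":"arn:aws:iam::336580663xxx:role/EC2_Admin"},"sourceIPAddress":"10.0.1.20","requestParameters":{"keyId":"arn:aws:kms:us-east-1:336580663xxx:key/6f712a31-88ba-4975-a4bf-0a87faxxxx","encryptionContext":{"aws:ebs:id":"vol-9a98axxx"}}}
{"eventSource":"kms.amazonaws.com","eventName":"DisableKey","userIdentity":{"arn":"arn:aws:iam::336580663xxx:user/SuperUser"},"sourceIPAddress":"203.0.113.7","requestParameters":{"keyId":"arn:aws:kms:us-east-1:336580663xxx:key/6f712a31-88ba-4975-a4bf-0a87faxxxx"}}
{"eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","userIdentity":{"arn":"arn:aws:iam::336580663xxx:user/SuperUser"},"sourceIPAddress":"203.0.113.7","requestParameters":{"keyId":"arn:aws:kms:us-east-1:336580663xxx:key/6f712a31-88ba-4975-a4bf-0a87faxxxx","pendingWindowInDays":7}}
{"eventSource":"kms.amazonaws.com","eventName":"CreateGrant","userIdentity":{"arn":"arn:aws:iam::336580663xxx:role/EC2_Admin"},"sourceIPAddress":"AWS Internal","requestParameters":{"keyId":"arn:aws:kms:us-east-1:336580663xxx:key/6f712a31-88ba-4975-a4bf-0a87faxxxx","granteePrincipal":"336580663xxx:aws:ec2-infrastructure:i-5439cxxx","operations":["Decrypt"],"constraints":{"encryptionContextSubset":{"aws:ebs:id":"vol-9a98axxx"}}}}
{"eventSource":"kms.amazonaws.com","eventName":"CreateGrant","userIdentity":{"arn":"arn:aws:iam::336580663xxx:user/Dev"},"sourceIPAddress":"198.51.100.9","requestParameters":{"keyId":"arn:aws:kms:us-east-1:336580663xxx:key/6f712a31-88ba-4975-a4bf-0a87faxxxx","granteePrincipal":"arn:aws:iam::912412960xxx:user/Outsider","operations":["Decrypt","Encrypt"]}}
{"eventSource":"kms.amazonaws.com","eventName":"PutKeyPolicy","userIdentity":{"arn":"arn:aws:iam::336580663xxx:user/SuperUser"},"sourceIPAddress":"203.0.113.7","requestParameters":{"keyId":"arn:aws:kms:us-east-1:336580663xxx:key/6f712a31-88ba-4975-a4bf-0a87faxxxx","policyName":"default"}}
{"eventSource":"ec2.amazonaws.com","eventName":"CreateVolume","userIdentity":{"arn":"arn:aws:iam::336580663xxx:role/EC2_Admin"},"sourceIPAddress":"10.0.1.20","requestParameters":{"encrypted":true}}
'''

# Events that change a key's availability or its policy (slides 20, 22-23 and 31).
SENSITIVE_EVENTS = {
    "DisableKey": "key disabled: data under this CMK is unreadable until it is re-enabled",
    "ScheduleKeyDeletion": "key deletion scheduled (7-30 day pending window)",
    "PutKeyPolicy": "key policy replaced",
    "DeleteAlias": "alias removed",
}


def load_records(text):
    """Parse newline-delimited JSON into a list of CloudTrail records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def account_of(principal):
    """Account ID of an ARN ('arn:aws:iam::ACCT:...') or of the 'ACCT:aws:service:...'
    form that the slide's CreateGrant record shows for the EC2 infrastructure grantee."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") else parts[0]


def analyze(records):
    """Return one finding per KMS record that warrants review, in log order."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        key_id = params.get("keyId", "")
        actor = rec.get("userIdentity", {}).get("arn", "?")
        reason = SENSITIVE_EVENTS.get(name)
        if name == "CreateGrant":
            grantee = params.get("granteePrincipal", "")
            # A grant to a principal in another account widens who can use the key.
            if key_id.startswith("arn:") and grantee and account_of(grantee) != account_of(key_id):
                reason = "grant issued to a principal outside the key's account: " + grantee
        if reason:
            findings.append({"eventName": name, "keyId": key_id, "actor": actor,
                             "sourceIPAddress": rec.get("sourceIPAddress", "?"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze(load_records(SAMPLE_TRAIL)):
        print(f["eventName"], f["actor"], f["sourceIPAddress"], "->", f["reason"])
```

The EBS-infrastructure grant in the sample is not flagged because grantee and key share an account; the grant to the other account is, even though the key policy on slides 32-33 does list a second account as a user, because the point of the check is to put such grants in front of a reviewer.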

  • 60

    KMS

    Amazon AWS CloudTrail KMS:

    Service Organization Control (SOC 1) PCI-DSS AWS

  • AWS KMSCloud HSMAWS CloudHSM AWS Key Management Service

    VPC (SafeNet Luna SA 7000 HSM)

    Root of trust root of trust root of trustAWS

    FIPS 140-2 Level 2 / EAL4+; CloudTrail

    CloudTrail

    CloudHSM CLICLI

    SDKAWS CLI

    EBSSafeNet ProtectV ApacheMicrosoft SQL Server

    AWS SDK

    AWS Redshift, RDS(Oracle TDE) S3, EBS, RDS(,Redshift, Elastic Transcoder, WorkMail , EMRFS


  • 62

    CloudHSMKMS

    SafeNetHSM

    CloudHSM

    AWS CloudTrail

    KMS

  • 63

    KMS

    $1/key version/ KMS $1

    key AWS CMK

    GenerateDataKey/GenerateDataKeyWithoutPlaintextCDK

    $0.03 per 10,000 API requests (Gov Cloud); 20,000 requests/month free

    20169CloudTrailAPIS3,SNS

    http://aws.amazon.com/jp/kms/pricing/

  • 64

    KMS KMS KMS KMSTIPS HSM

  • 65

    1.S3EBSAWSSSE

    2.UserS3CSE

    3.Cloud HSM

    Hardware

    AWS Key Management Service1.AWSSecureUser2.SDK3rd Party3.KMI

    KMS

  • 66

    AWS Key Management Service

    AWS

    CloudTrail

  • 67

    AWS Key Management Service Developer Guidehttp://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/overview.html

    AWS Key Management Service API Reference http://docs.aws.amazon.com/ja_jp/kms/latest/APIReference/Welcome.html

    AWS Key Management Service FAQhttp://aws.amazon.com/jp/kms/faqs/

    AWS Key Management Service Pricinghttp://aws.amazon.com/jp/kms/pricing/

    AWS Key Management Service whitepaper https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

  • 68

    AWS

    http://aws.amazon.com/jp/aws-jp-introduction/

    AWS Solutions Architect Q&A http://aws.typepad.com/sajp/

  • 69

    Twitter/FacebookAWS

    @awscloud_jp

    http://on.fb.me/1vR8yWm

  • 70

    AWS AWShttps://aws.amazon.com/jp/contact-us/aws-sales/

    AWS