AWS Security Basics - AWS KMS, Client/Server Side Encryption, CMK, Data Key, Real World Use | Demo

Captions
Hi guys, Raj back with another video. I am an enterprise solutions architect working at AWS. Today I ask you guys one question: what differentiates a real enterprise architect from a pen-and-paper architect? The answer is knowledge of security. All enterprise solutions have to be secure. So one fine day you started studying security, and then you come across all these terms such as client-side encryption, server-side encryption, KMS, master key, data key, etc. Let's demystify all of those in this video.

Let's start from the beginning. So you have this super-sensitive file which has people's names and credit cards, and you want to store it in some AWS storage, for example S3. Let's look at the high-level flow of encryption. So you have this plaintext data and you have this key. Using this key you run some kind of encryption algorithm and you encrypt the data. Now the question is, who will do this? Very generally speaking, you can do this in two ways. A: client-side encryption, where the client, for example your application which is running in EC2, maintains the keys, encrypts the data and sends the encrypted file into AWS storage, and then it gets stored. Second option is server-side encryption: you send this plaintext data securely using HTTP to, say, AWS storage, and the data gets encrypted in the AWS storage. Note that there are two states of security: when data is in transit and when data is at rest. In this video we are going to talk about security at rest.

Remember the encryption key we used to encrypt the plaintext file into the cipher file. This key is really like a house key: if you lose the key you are in trouble. So in case you manage the key yourself, number one, the keys need to be rotated periodically, so even if the key gets compromised it reduces the duration and possibility of abuse. Number two, you have to make it harder for intruders to obtain the key. So let's dive deep on this point. So encrypt the key itself with another key, and if you want you can encrypt this key with another key, and that key with another key, you got the idea. This is also known as envelope encryption. But eventually one key must remain in plaintext so you can decrypt the keys and your data. This top-level plaintext key encryption key is known as the master key, and this master key has to be stored in a super secure place. So if we go back to managing the key ourselves, you also have to track and log your keys' usage so that you can detect anomalies. So you can see, when you manage your keys yourself it could be quite intense, and you probably want to focus on business logic and not managing your keys and rotating and all that stuff. So with a managed AWS service, AWS can do the heavy lifting. This managed AWS service is known as KMS, or Key Management System.

AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. The customer master keys that you create in AWS KMS are protected by hardware security modules, or HSMs. So what are some of the features of KMS? It is fully managed: you control access to your encrypted data by defining permissions to use keys, while AWS KMS enforces your permissions and handles the durability and physical security of your keys. It is centralized key management: AWS KMS presents a single control point to manage keys and define policies consistently across integrated AWS services and your own applications. You can easily create, import, rotate, delete and manage permissions on keys from the AWS Management Console or by using the AWS SDK or CLI. Integration with other AWS services: AWS KMS is integrated with AWS services to simplify using your keys to encrypt data across your AWS workloads. KMS logs all use of keys to AWS CloudTrail to give you an independent view of who accessed your encrypted data, including AWS services using them on your behalf. And it is secure and compliant: AWS KMS has been certified under multiple compliance schemes to simplify your own compliance obligations.

So let's get back to our super secret file. You encrypted the data with a key. This key is known as the data key, because, well, you encrypted some data with it. Then we used envelope encryption, where your plaintext data key is turned into an encrypted data key using a customer master key. AWS KMS helps you to protect your master keys by storing and managing them securely. Master keys stored in AWS KMS are known as customer master keys, or CMKs. They never leave the AWS KMS validated hardware security modules unencrypted. Do not get confused between customer master key and customer managed key. When we say CMK we always mean customer master key. This CMK, a customer master key, can be, wait for it, AWS managed or customer managed. You will hear this term customer managed CMK, which basically means customer managed customer master key.

So what are some differences between AWS managed CMK and customer managed CMK? AWS managed CMKs are identified by the name aws/ followed by the name of the service; customer managed CMKs can be given any name. AWS managed CMKs are AWS generated; customer managed ones are customer created. AWS managed CMKs cannot be deleted; customer managed CMKs can be deleted, enabled and disabled. AWS managed CMKs cannot be baked into custom roles; customer managed CMKs can be baked into custom roles. AWS managed CMKs are rotated once every three years automatically; customer managed CMKs are rotated once a year automatically or on demand manually. Don't worry, we are gonna see these points in action when we go to the demo.

OK, enough theory, let's jump into action. OK, we type in KMS to go into the KMS console. Here we go, Key Management Service. So on the left you can see AWS managed keys and customer managed keys. Remember, for AWS managed keys the name always starts with aws/ service name. So here you go, these are all the default keys, and see, there is no way for me to delete anything, right? So if I click it there are no options there. So let's go back to customer managed keys and then we click this Create key. OK, we can give any name, so we are gonna say KMS S3 demo key. OK, if we click Advanced options, the key material origin could be KMS, External or CloudHSM. So for this CloudHSM custom key store I need to generate a CloudHSM cluster. I'm just gonna keep it as KMS for this demo and click Next. OK, not giving any tags. So key admin: so define key administrative permissions, so basically who can administer this key through KMS APIs. So I'll give that access to maybe developer Tina, and then allow key administrators to delete this key. Click Next. Define key usage: so here it says select IAM users and roles that can use the CMK to encrypt and decrypt data with the AWS KMS API. See, this is where you can say which role and which IAM users can use this to encrypt and decrypt data. So let's say we're gonna give this access to developer Tina as well, and if we want we can give this to a role as well. So we click Next and it shows you the key policy. If I scroll down it says allow use of the key: allow basically this role and this developer Tina IAM user, and they could do encrypt, decrypt and some other operations. OK, let's click Finish.

So what I'm going to do is upload a file into an S3 bucket, both encrypted and unencrypted, and then I will try to access it from both developer Bob and developer Tina and see what happens. OK, so we have this S3 bucket, kms s3 demo. I am logged in as the root user and I'm gonna upload a file to this bucket. OK, I click Next, click Next, encryption: so for the first test I'm gonna click the encryption as None, click Next, click Upload. Now let me log in as developer Bob and see if he can access it. OK, we are logged in as developer Bob, who does not have access to the KMS key. Now going to the S3 bucket, remember this file is not encrypted by any KMS. So let's click this, let's click Open. OK, so we can read the file. Let's click Download, and the file is downloaded. OK, now let's encrypt this file with the KMS key. OK, we're back to the root account. Click this file, click Properties, click Encryption, click AWS-KMS, and we are gonna select the key KMS S3 demo key, click Save. Now I'm gonna go back to developer Bob and see if he still can access it. OK, we are back to developer Bob. This is the file. Now let's try to click Open. Nope, access denied. Let's see if we can download it. Access denied. Why? Because developer Bob does not have access to the KMS key that we created. Now let's log in as developer Tina, who we gave access to for the KMS key encrypt and decrypt, and see if she can access the file. OK, we are logged in as developer Tina, who has access to the KMS key. Let's click this, click Open. Here we go, she can open the file. Let me download, let's click Download. She can also download the file. OK guys, so you guys see how using a customer managed CMK you can give access to encrypt and decrypt to certain users and certain roles.

OK, now that the demo is done, let's delete our KMS key. Remember, for customer managed CMK we said you can delete it. So if I select this key, Actions, Schedule key deletion. So you have to wait seven days before you can delete the KMS key. Confirm, scheduled deletion.

Now that you have seen how a customer managed CMK can be baked into a role using an encrypt and decrypt policy, how do you use it in a real-life project? So let's say you have project team A and project team B. Project team A has a customer managed CMK with the name CMK-A and project team B has a customer managed CMK with the name CMK-B, and this CMK-A is baked into the EC2 role for project team A with the name role A. So basically this role A can encrypt and decrypt data using CMK-A, and that application is running in EC2 writing data to S3. So only the applications running with this role A can decrypt the data from S3, and similarly for project team B, only the role with CMK-B can decrypt data from S3. So that's how you keep these two projects separate even though they may be sharing the same AWS account.

All right guys, that is the video. If you liked this video please like the video and subscribe. More videos are coming soon. Hope this helps your AWS journey. Peace.
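The following is an added example, not code from the video or from AWS. It replays in one offline Python script the two ideas the captions describe: envelope encryption (a per-object data key is wrapped by a master key that never leaves the key service) and key-policy enforcement (developer Tina is in the key policy, developer Bob is not, so Bob's read of the SSE-KMS object fails with access denied). `SimulatedKMS`, the principal names, the `cmk-` key id format, the `wrapped_data_key` metadata name and the sample record are all constructed for this example; the cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, a stand-in for the AES-GCM that real KMS and S3 use, chosen only so the script needs nothing beyond the standard library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """The key policy does not grant the caller the requested KMS action."""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Toy stream cipher so the example runs offline with the standard library only.
    It stands in for AES-GCM, which is what KMS and S3 really use; not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a 32-byte key; returns nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or a tampered blob raises ValueError."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, nonce, ct)


@dataclass
class SimulatedKMS:
    """Hypothetical in-process stand-in for AWS KMS: master keys (CMKs) never leave it,
    a per-key policy maps principal -> allowed actions, and every call is logged the way
    CloudTrail records KMS usage."""
    _master_keys: dict = field(default_factory=dict)
    _policies: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def create_key(self, policy: dict) -> str:
        key_id = f"cmk-{secrets.token_hex(4)}"  # constructed id, not a real KMS key ARN
        self._master_keys[key_id] = secrets.token_bytes(32)
        self._policies[key_id] = {p: set(actions) for p, actions in policy.items()}
        return key_id

    def _authorize(self, key_id: str, principal: str, action: str) -> None:
        allowed = action in self._policies.get(key_id, {}).get(principal, set())
        self.audit_log.append((principal, action, key_id, "Allowed" if allowed else "Denied"))
        if not allowed:
            raise AccessDenied(f"{principal} is not allowed {action} on {key_id}")

    def generate_data_key(self, key_id: str, principal: str) -> tuple:
        """Envelope step 1: a fresh data key, returned in plaintext and wrapped by the CMK."""
        self._authorize(key_id, principal, "kms:GenerateDataKey")
        data_key = secrets.token_bytes(32)
        wrapped = key_id.encode() + b":" + seal(self._master_keys[key_id], data_key)
        return data_key, wrapped

    def decrypt(self, wrapped: bytes, principal: str) -> bytes:
        """Envelope step 3: unwrap a data key, if the policy lets this principal use the CMK."""
        key_id, _, blob = wrapped.partition(b":")
        self._authorize(key_id.decode(), principal, "kms:Decrypt")
        return unseal(self._master_keys[key_id.decode()], blob)


def put_object_sse_kms(kms: SimulatedKMS, key_id: str, principal: str, plaintext: bytes) -> dict:
    """Envelope step 2: the data key encrypts the object; only its wrapped copy is kept
    next to the ciphertext, so every read needs a kms:Decrypt call that the policy can refuse."""
    data_key, wrapped = kms.generate_data_key(key_id, principal)
    return {"body": seal(data_key, plaintext), "wrapped_data_key": wrapped}


def get_object_sse_kms(kms: SimulatedKMS, obj: dict, principal: str) -> bytes:
    data_key = kms.decrypt(obj["wrapped_data_key"], principal)
    return unseal(data_key, obj["body"])


def demo() -> dict:
    """Replays the video's test: Tina is in the key policy, Bob is not."""
    kms = SimulatedKMS()
    key_id = kms.create_key({"developer-tina": ["kms:GenerateDataKey", "kms:Decrypt"]})
    record = b"Alice Example,4111111111111111"  # constructed sample row, not real data
    obj = put_object_sse_kms(kms, key_id, "developer-tina", record)
    tina_reads = get_object_sse_kms(kms, obj, "developer-tina") == record
    try:
        get_object_sse_kms(kms, obj, "developer-bob")
        bob_denied = False
    except AccessDenied:
        bob_denied = True
    return {"tina_reads": tina_reads, "bob_denied": bob_denied,
            "record_not_in_ciphertext": record not in obj["body"],
            "audit_log": kms.audit_log}


if __name__ == "__main__":
    for entry in demo()["audit_log"]:
        print(*entry)
```

Running it prints three audit entries: Tina's GenerateDataKey and Decrypt are allowed, Bob's Decrypt is denied, and the stored object holds only ciphertext plus the wrapped data key. That last point is the practical lesson of the video's S3 demo: granting or revoking access to data at rest is a change to the key policy, not to the object, and the denial shows up in the key service's log rather than silently in the application.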
Info
Channel: Cloud With Raj
Views: 28,939
Keywords: AWS, KMS, encryption, Customer Master Key, Data Key, Envelope Encryption, Agent of Change, amazon web services, cloud computing, security, aws training, key management, aws basics, simplilearn, linux academy, aws tutorial for beginners, server side encryption, client side encryption, Edureka, Intellipath, Academind, aws edureka, aws kms how it works, k m s, aws kms encrypt decrypt example
Id: SOnJyqwGn1I
Length: 14min 2sec (842 seconds)
Published: Sun Jul 07 2019