AWS Security Services


1. Cognito

2. Secrets Manager

3. Directory Service

4. Amazon Macie

5. WAF & Shield

6. Detective

7. Inspector

8. AWS Single Sign-On

9. GuardDuty

10. Artifact

11. Resource Access Manager

12. Certificate Manager

12.1. A service that simplifies provisioning, managing, and deploying public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

13. CloudHSM

13.1. A fully managed HSM service that integrates with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extension (JCE), and Microsoft CryptoNG (CNG) libraries

14. Security Hub

15. Detective

16. IAM

17. Key Management Service

17.1. With the Master Key, you can generate Data Keys, which in turn are used for the encryption

17.2. Data Keys are used for encrypting data. A Data Key is in plain text, so it needs to be secured

17.3. Disable, delete and manage the lifecycle of the keys

17.4. Master Keys can encrypt max 4KB of data

17.5. Master Keys can also be used for encryption of data such as passwords

17.6. Types of Keys: keys created by AWS and keys created by the account owner.

17.6.1. Customer Master Keys (CMK)

17.6.1.1. CMK is a logical representation of a master key

17.6.1.2. Creation Steps

17.6.1.2.1. Create alias and description

17.6.1.2.2. Create a Tag

17.6.1.2.3. Define Key Administrative Permissions: Users who have Admin Privileges for the Key.

17.6.1.2.4. Define User Permissions

17.6.1.2.5. Preview Key Policy

17.6.1.3. Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys

17.6.1.4. Key Material is the underlying algorithm for encryption and decryption. You can create your own Key Material, import it, and use it for an AWS CMK

17.6.2. AWS Managed CMK

17.6.2.1. AWS managed CMKs are CMKs in your account that are created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS.

17.6.2.2. No actions can be performed on these keys; they are used internally by AWS Services.

17.6.3. AWS Owned CMK

17.6.3.1. AWS owned CMKs are not in your AWS account. They are part of a collection of CMKs that AWS owns and manages for use in multiple AWS accounts. AWS services can use AWS owned CMKs to protect your data.

17.7. Encrypting and Decrypting

17.7.1. AWS CLI (Command Line Interface) can be used

17.7.2. AWS Encryption SDK is a client-side encryption library that integrates with KMS to make it easier to implement encryption best practices in your applications

17.8. Key Policies

17.8.1. If a new feature is added to KMS, it is automatically added to the default Key Policy. For older keys this has to be done manually

17.8.2. Default policies are created, providing admin permissions to the root user

17.9. Audit and Logging

17.9.1. CloudTrail logs can be used to check the usage of the keys. This is not available in all regions.

17.10. KMS & S3 Buckets

17.10.1. S3 Encryption Process

17.10.1.1. S3 requests a plaintext and an encrypted Data Key from KMS

17.10.1.2. S3 encrypts the object with the plaintext Data Key and deletes the plaintext key

17.10.1.3. The encrypted Data Key is stored with the encrypted data

17.10.2. S3 Decryption Process

17.10.2.1. S3 sends encrypted Data Key to KMS

17.10.2.2. KMS sends the plaintext key to S3, based on the Customer Master Key

17.10.2.3. S3 decrypts the object with the plaintext Data Key, and deletes it asap

17.10.3. Encryption on bucket level does not encrypt the existing objects in that bucket
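
The S3 encryption and decryption steps above, as an added example that is not part of the original mind map: a local simulation of the Data Key flow using Node's built-in crypto module. `FakeKms`, `seal`, `open`, `putObject` and `getObject` are hypothetical names, and AES-256-GCM is an assumed cipher choice; nothing here calls AWS.

```javascript
// Added example: local simulation of the KMS Data Key (envelope) flow.
// FakeKms and its master key are constructed stand-ins, not the AWS SDK.
const crypto = require('node:crypto');

// AES-256-GCM helpers. Output layout: iv (12) | auth tag (16) | ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Stand-in for KMS: the master key never leaves this object.
class FakeKms {
  #masterKey = crypto.randomBytes(32);
  // Returns the Data Key in both forms: plaintext and encrypted under the master key.
  generateDataKey() {
    const plaintextKey = crypto.randomBytes(32);
    return { plaintextKey, encryptedKey: seal(this.#masterKey, plaintextKey) };
  }
  decrypt(encryptedKey) { return open(this.#masterKey, encryptedKey); }
}

// Encryption: request both key forms, encrypt the object, wipe the plaintext
// key, and store the encrypted Data Key next to the encrypted data.
function putObject(kms, data) {
  const { plaintextKey, encryptedKey } = kms.generateDataKey();
  const ciphertext = seal(plaintextKey, data);
  plaintextKey.fill(0);
  return { ciphertext, encryptedKey };
}

// Decryption: send the encrypted Data Key to KMS, decrypt the object with the
// returned plaintext key, then wipe that key.
function getObject(kms, stored) {
  const plaintextKey = kms.decrypt(stored.encryptedKey);
  try { return open(plaintextKey, stored.ciphertext); }
  finally { plaintextKey.fill(0); }
}

const kms = new FakeKms();
const stored = putObject(kms, Buffer.from('constructed sample object'));
console.log(getObject(kms, stored).toString());
```

The stored record holds only ciphertext and the encrypted Data Key, so reading the object back always requires a call to the key service that holds the master key.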

17.11. KMS & EBS

17.11.1. By default, AWS uses a CMK when encrypting EBS volumes. You can also choose the Key for the encryption

17.11.2. The encryption process uses the encrypted Data Key, generated under the chosen CMK and received from KMS, and attaches it as metadata to the EBS volume.

17.11.3. Decryption occurs when the EBS volume is attached to the EC2 instance. The encrypted Data Key is sent to KMS and a plaintext Data Key is received and stored in the hypervisor memory to encrypt disk I/O on the disk volume

17.11.4. When the Key is disabled, the current volume can still be decrypted by the EC2 instance. But if the volume is detached from the instance, the decryption will not work anymore

17.12. Key Rotation

17.12.1. AWS rotates the backend key and keeps the initial Key ID. Key ID is a pointer to the CMK

17.12.2. When a key is deleted, a schedule for the deletion is created. AWS will delete it between 7 and 30 days. Deletion is irreversible

17.12.3. Disable the Key instead of deleting. You can always re-enable a key

17.13. Key Caching

17.13.1. Key caching can be used within the SDK to reduce costs

17.13.2. By requesting multiple Data Keys, you achieve a higher Security Level

17.14. DynamoDB Encryption at rest

17.14.1. Encryption can only be done when the table is created.

17.14.2. Encryption is also done for the indexes

17.14.3. Metadata from S3 objects is not encrypted. A solution is to store it in a DynamoDB table and encrypt.

17.15. General Notes

17.15.1. KMS is a regional service. Keys defined in one region cannot be used in another region

17.15.2. KMS uses FIPS 140-2 validated hardware security modules to generate and store your keys

17.15.3. KMS is integrated with AWS CloudTrail to provide a consolidated record of all key management activities and any attempt to use your keys