Transcript

AWS re:Invent 2016: Advanced Techniques for Managing Sensitive Data in the Cloud (GPST403)

Patrick McDowell, AWS
Tim Sandage, AWS
Jacobi Carter, Okta

November 29, 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Build Your Own Self Defending Environment

• DevSecOps turns security and compliance into code
• Security now moves at the speed of Lambda – milliseconds!
• Serverless & AWS high level services (KMS, Lambda, CWE) do the heavy lifting
• Automation IS your 24/7 SOC!

How can you protect 1000s of customers’ data?

• KMS gives you advanced key management via an API
• Built for the enterprise, simple enough for everyone!
• HSA-backed service
• Integrates with EBS and S3 seamlessly
• You control the key lifecycle
• Auditable via AWS CloudTrail
• Import keys from on-premises

“Key” Strategies for Dealing with N Customers

• Use one key per customer
  • Gives customers the guarantee that nobody else shares their key
• Enable rotation on an annual basis

Mapping KMS Key Hierarchy to Okta Key Hierarchy

• Region master key
  • Unique per region
  • Encrypts tenant master key
• Tenant master key
  • Unique per tenant
  • Encrypts tenant data key
• Tenant data key
  • Encrypts data

Multiregion Encryption and Decryption

• Encrypt & store tenant key encrypted by each region key
• Decrypt talks to closest KMS region
• RSA public key used for encrypt only
• Private key provided to service only in event of KMS outage

[Diagram: Service; KMS East and KMS West, each with its region master key; tenant master key; RSA key (with its own region master key); DB]

Okta’s Multi-Region Key Strategy

[Chart: KMS requests by region; see https://trust.okta.com]

Separation of Duties for Cryptographic Keys

• Do not allow operators to manage key policies
  • This gives too much power to operators; their ability should only be ‘may use key X to perform Y function’
• Designate key custodians who only manage the lifecycle of keys
  • Custodians can never operationalize keys
• Use IAM roles to decrypt data via KMS key
  • Individuals should not have this power – leave it to your application!

Use KMS for Crypto in Your Own Code

• Client-side encryption is for YOUR engineering teams
  • They need to generate a key and encrypt data
  • Then protect that key after it was used
• Use the AWS Encryption SDK to make development of applications handling secure data easy
• Use these tools to encrypt data anywhere in any service
• KMS is a publicly available API

DevSecOps, KMS, and Incident Response

• Security is code. Response is automatic.
• Integrate KMS into your security and incident response procedures
• KMS protects data in ways that were never possible before
• Leverage CWE and Lambda to notify your security teams and react instantly to key misuse

The Triggers: CloudWatch Events & CloudTrail

• Amazon CloudWatch Events delivers a near real-time stream of system events
• AWS CloudTrail records AWS API calls
• Your threat model should include high-impact events from each source
• CWE adds velocity to your response

Critical KMS Events or Incidents to Automate

• Bulk decryption of data with a single key (e.g. entire transaction history of a customer)
• Decryption of data across sets of customers from many or all keys
• Key deletion
• Uncorrelated app & AWS logs

Security & Incident Response Scenario

• Privileged user or role with access to KMS keys
• Typically this principal would operate within the confines of a single key
• CWE starts notifying you of an unusual number of ‘Decrypt’ calls

Lambda, Serverless, and DevSecOps

• Parse CloudWatch Events through Lambda
• Lambda has the custom code to detect if bulk decryption of data is occurring
• Lambda could then:
  • Use SNS to fan out alerts to mail, SIEM tools, ticketing system, or APIs
  • Stop suspicious behavior immediately via IAM ‘AttachPolicy’
  • Correlate and enrich with CloudTrail

Attach a ‘Deny’ IAM Policy to Remediate
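The detect/respond logic sketched across the last three slides (bulk Decrypt on one key, Decrypt across many customers' keys, then a Deny policy), as an added example rather than the talk's demo code: the thresholds, the window, the ARNs and the CloudTrail-style events are constructed, and nothing here calls AWS.

```python
from collections import defaultdict
from datetime import datetime, timedelta
SINGLE_KEY_LIMIT = 50          # Decrypt calls on one key by one principal (assumed threshold)
MULTI_KEY_LIMIT = 10           # distinct keys one principal decrypted with (assumed threshold)
WINDOW = timedelta(minutes=5)  # look-back window applied to both counts

def detect_bulk_decrypt(events, now):
    """Scan CloudTrail records (the `detail` of an 'AWS API Call via CloudTrail'
    CloudWatch Event) and return {principal_arn: {"reasons": [...], "keys": set()}}."""
    per_key = defaultdict(int)            # (principal, key ARN) -> Decrypt count
    keys_seen = defaultdict(set)          # principal -> key ARNs touched
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("eventName") != "Decrypt":
            continue
        if now - datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ") > WINDOW:
            continue                      # older than the window: ignore
        principal = ev["userIdentity"]["arn"]
        for res in ev.get("resources", []):   # KMS records the key ARN here
            per_key[(principal, res["ARN"])] += 1
            keys_seen[principal].add(res["ARN"])
    findings = defaultdict(lambda: {"reasons": [], "keys": set()})
    for (principal, key), n in per_key.items():
        if n >= SINGLE_KEY_LIMIT:         # e.g. a whole customer's transaction history
            findings[principal]["reasons"].append(f"{n} Decrypt calls on {key}")
            findings[principal]["keys"].add(key)
    for principal, keys in keys_seen.items():
        if len(keys) >= MULTI_KEY_LIMIT:  # decrypting across many tenants' keys
            findings[principal]["reasons"].append(f"Decrypt across {len(keys)} keys")
            findings[principal]["keys"].update(keys)
    return dict(findings)

def deny_policy(key_arns):
    """Inline IAM policy denying further use of the keys; the respond Lambda would
    attach it to the principal (e.g. iam:PutRolePolicy), which is not done here."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Resource": sorted(key_arns),
            "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"]}]}

def _event(principal, key_id, minute):    # constructed CloudTrail-style record
    return {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
            "eventTime": f"2016-11-29T10:{minute:02d}:00Z", "userIdentity": {"arn": principal},
            "resources": [{"ARN": f"arn:aws:kms:us-east-1:111122223333:key/{key_id}"}]}

APP = "arn:aws:sts::111122223333:assumed-role/TenantAppRole/app"
OPS = "arn:aws:iam::111122223333:user/ops-admin"
SAMPLE_EVENTS = ([_event(APP, "tenant-0001", 3)] * 3                       # normal app traffic
                 + [_event(OPS, "tenant-0001", 4) for _ in range(60)]      # bulk on one key
                 + [_event(OPS, f"tenant-{i:04d}", 4) for i in range(12)]  # across tenants
                 + [_event(OPS, "tenant-9999", 0)])                        # stale: outside window
NOW = datetime(2016, 11, 29, 10, 6)                                        # the "current" time
```

Running `detect_bulk_decrypt(SAMPLE_EVENTS, NOW)` flags only `ops-admin` (61 calls on one key and 12 distinct keys in the window); the application role's three calls and the stale event produce nothing.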

Your new 24/7 SOC is “Serverless”!

[Architecture diagram: CloudTrail, KMS, CloudWatch Events, DynamoDB, Lambda (detect), Lambda (respond), SNS]

…and now a Demo

Advanced Use Cases for Your 24/7 SOC

Anomaly detection in CloudTrail events:
• Time of day
• Novel or new events
• IP geolocation

Think outside of KMS as well:
• Security groups
• Gateways
• IAM admins… and root account!

Automating Security Requirements

AWS has partnered with CIS Benchmarks to create a consensus-based technical security configuration guide which aligns to multiple security frameworks globally.

https://www.cisecurity.org/

The Benchmarks are: technical security control rules/values for hardening AWS services, auditing and remediating configurations.

Automating and Enforcing IAM Configurations

Example CIS check: the "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.

1.1 Avoid the use of the "root" account (Scored)
• CLI Audit command:

1.13 Ensure no root account access key exists (Scored)
• CLI Audit command:

Automated Security Operations

AWS Labs has created a GitHub repo: awslabs/aws-config-rules

• Current release for AWS Config Rules (http://amzn.to/2aFZZw2): periodic rules can now be triggered without the need for a configuration snapshot.

Example Config Rules check: https://github.com/awslabs/aws-config-rules

Automated Security Operations Cont…

2.1 Ensure CloudTrail is enabled in all regions (Scored)
2.2 Ensure CloudTrail log file validation is enabled (Scored)

• CLI Audit command:
  • Ensure IsMultiRegionTrail is set to true
  • Ensure LogFileValidationEnabled is set to true for each trail.

Example Config Rules check:
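An added evaluator for CIS checks 2.1 and 2.2 above and check 1.13 from the IAM slide, written in the shape a Config Rules Lambda hands to PutEvaluations; it is not code from awslabs/aws-config-rules. It takes the parsed `describe-trails` response and the decoded credential report CSV (both samples constructed here, the report trimmed to the columns used) rather than calling AWS.

```python
import csv
import io

def _evaluation(resource_type, resource_id, problems, ok_note):
    """One item in the list a Config rule passes to config:PutEvaluations."""
    return {"ComplianceResourceType": resource_type, "ComplianceResourceId": resource_id,
            "ComplianceType": "NON_COMPLIANT" if problems else "COMPLIANT",
            "Annotation": "; ".join(problems) or ok_note}

def evaluate_cloudtrail(describe_trails):
    """CIS 2.1 / 2.2: each trail must be multi-region and have log file validation.
    `describe_trails` is the parsed `aws cloudtrail describe-trails` response."""
    evaluations = []
    for t in describe_trails.get("trailList", []):
        problems = []
        if not t.get("IsMultiRegionTrail"):
            problems.append("2.1 IsMultiRegionTrail is false")
        if not t.get("LogFileValidationEnabled"):
            problems.append("2.2 LogFileValidationEnabled is false")
        evaluations.append(_evaluation("AWS::CloudTrail::Trail", t["TrailARN"], problems,
                                       "trail meets CIS 2.1 and 2.2"))
    if not evaluations:  # no trail at all means nothing is recorded: fail 2.1 for the account
        evaluations.append(_evaluation("AWS::::Account", "account", ["2.1 no CloudTrail trail exists"], ""))
    return evaluations

def evaluate_root_access_keys(credential_report_csv):
    """CIS 1.13: the root account must have no active access key.  Input is the decoded
    CSV body of `aws iam get-credential-report`; root's row has user '<root_account>'."""
    for row in csv.DictReader(io.StringIO(credential_report_csv)):
        if row["user"] == "<root_account>":
            active = [k for k in ("access_key_1_active", "access_key_2_active") if row[k] == "true"]
            return _evaluation("AWS::::Account", row["arn"],
                               [f"1.13 root {k} is true" for k in active], "root has no active access key")
    raise ValueError("credential report has no <root_account> row")

# Constructed sample inputs (the real credential report carries more columns than used here).
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    {"Name": "legacy", "TrailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/legacy",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}]}
SAMPLE_REPORT = ("user,arn,access_key_1_active,access_key_2_active\n"
                 "<root_account>,arn:aws:iam::111122223333:root,true,false\n"
                 "alice,arn:aws:iam::111122223333:user/alice,true,false\n")
```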

Config Rules DEMO

Thank you!

Remember to complete your evaluations!

