Amazon AWS Certified SysOps Administrator Associate – Security and Compliance for SysOps Part 6

  1. KMS For SysOps

So here are a few additional things you need to know about KMS for the SysOps exam. First of all, you cannot change the encryption key used by an EBS volume. If you wanted to do so, you would need to create an EBS snapshot, and then create a new EBS volume from it, specifying a new KMS key. So this is very similar to what we’ve seen.

We would create a snapshot from an already encrypted EBS volume, and that snapshot uses the same CMK. But then, when we create a new volume from it, we can decrypt and re-encrypt it with a new CMK. This is how we switch the KMS key from one volume to another. The second thing we’ve seen is around sharing KMS-encrypted snapshots across accounts.

To do so, we need to share the snapshot with the target accounts, but also create a key policy that allows the target accounts to use our CMK. So here is what’s happening: we create a key policy on our CMK that allows another account, specified in the policy, to perform the encrypt, decrypt and related operations. Therefore, when we share, for example, an encrypted RDS DB snapshot, the other account can access it because the CMK is accessible.
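As an added example (not part of the course), here are the key-policy statements that grant a target account use of the CMK for a shared encrypted snapshot, plus a check that a given policy actually covers every action the target account needs. The account IDs are constructed placeholders; the action list follows the AWS guidance for cross-account snapshot sharing.

```python
import fnmatch

# Actions the target account needs to copy or restore a snapshot encrypted
# under this CMK (per the AWS cross-account snapshot sharing guidance).
NEEDED = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
          "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
          "kms:DescribeKey", "kms:CreateGrant"]

def build_share_statements(target_account):
    """Key-policy statements granting target_account use of the CMK."""
    principal = {"AWS": f"arn:aws:iam::{target_account}:root"}
    return [
        {"Sid": "AllowUseOfTheKey", "Effect": "Allow", "Principal": principal,
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        # EBS/RDS create grants on the key when attaching volumes or instances.
        {"Sid": "AllowGrantsForAwsResources", "Effect": "Allow",
         "Principal": principal,
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, principal_names, action):
    """True if the statement names one of the principals and matches the action."""
    who = stmt.get("Principal", {})
    who = ["*"] if who == "*" else _as_list(who.get("AWS", []))
    if not set(who) & principal_names:
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action", [])))

def missing_actions(policy, target_account):
    """Needed actions the policy does not allow, or explicitly denies."""
    names = {"*", target_account, f"arn:aws:iam::{target_account}:root"}
    stmts = _as_list(policy.get("Statement", []))
    missing = []
    for action in NEEDED:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, names, action)
                      for s in stmts)
        denied = any(s.get("Effect") == "Deny" and _covers(s, names, action)
                     for s in stmts)
        if denied or not allowed:
            missing.append(action)
    return missing
```

An empty result from `missing_actions` means the target account can copy the shared snapshot and restore from it; a non-empty one lists exactly which KMS actions the key policy still has to grant.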

We can then create a DB instance from that encrypted snapshot in the other account. Something we haven’t seen yet is KMS key deletion. You can schedule a CMK for deletion, and then there is a waiting period of between 7 and 30 days. This is in case you want to cancel the deletion because you realize you still need the CMK. When you schedule a deletion, the key first enters the pending deletion state, and during that waiting period the CMK cannot be used for any cryptographic operation.

That means that if you have an object in Amazon S3 that is KMS-encrypted with that CMK, then accessing it is going to fail. This is something the exam will test you on. And if the key is scheduled for rotation, the rotation will not happen. Now, if you realize that you are indeed still using that CMK and want to keep using it, you can cancel the key deletion. This is why it’s always very important to disable your key first instead of deleting it if you’re not sure. And a nice automation you can build is to find out whether the key is still being used after it has been scheduled for deletion.

For this, when we delete a key and it goes into the pending deletion state, we set up CloudTrail on top of it. So if, for example, a user attempts a cryptographic operation with our key, such as a Decrypt or Encrypt call, the API call is going to be denied and logged into CloudTrail. CloudTrail then sends its logs into CloudWatch Logs, and we can set up a metric filter to look for the keywords indicating that the key is pending deletion. If this metric filter has any occurrences, we set up a CloudWatch alarm that triggers to, for example, send us an SMS alert or an email notification.

With this whole setup, every time you delete a CMK and implement the solution, if someone tries to use the CMK you will receive an alert, and then you can drill down to understand it.
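The alerting pipeline above applied to CloudTrail records, as an added example rather than code from the course: the metric filter pattern for the CloudWatch Logs group, and the same matching logic in Python run over a few constructed CloudTrail records so you can see which calls it would count. The key ARN, role ARN and records are constructed for this example.

```python
import re

# CloudWatch Logs metric filter for the CloudTrail log group (constructed for
# this example; the error wording mirrors what KMS returns for such a key).
METRIC_FILTER_PATTERN = ('{ ($.eventSource = "kms.amazonaws.com") && '
                         '($.errorMessage = "* is pending deletion.") }')

PENDING_RE = re.compile(r"(arn:aws:kms:\S+:key/\S+) is pending deletion\.")

def pending_deletion_hits(records):
    """One entry per KMS API call rejected because its CMK is pending deletion."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # same first clause as the metric filter
        match = PENDING_RE.search(rec.get("errorMessage", ""))
        if not match:
            continue  # successful calls and unrelated errors are ignored
        hits.append({"key": match.group(1), "eventName": rec.get("eventName"),
                     "caller": rec.get("userIdentity", {}).get("arn", "unknown"),
                     "time": rec.get("eventTime")})
    return hits

def keys_still_in_use(records):
    """Map each pending-deletion key ARN to its count of rejected calls."""
    counts = {}
    for hit in pending_deletion_hits(records):
        counts[hit["key"]] = counts.get(hit["key"], 0) + 1
    return counts

# Constructed CloudTrail records, trimmed to the fields the filter inspects.
KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0123456789abcdef0"
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-10T08:00:01Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": ROLE},
     "errorCode": "KMSInvalidStateException",
     "errorMessage": f"{KEY} is pending deletion."},
    {"eventTime": "2024-01-10T08:00:02Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": ROLE}},  # succeeded
    {"eventTime": "2024-01-10T08:00:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": ROLE},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2024-01-10T08:00:04Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "userIdentity": {"arn": ROLE},
     "errorCode": "KMSInvalidStateException",
     "errorMessage": f"{KEY} is pending deletion."},
]
```

The caller ARN in each hit is what you drill into after the alarm fires: it tells you which role or user still depends on the key before you decide whether to cancel the deletion.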

  1. [SAA] CloudHSM Overview

So we have seen KMS for encryption, but now let’s look at CloudHSM. With KMS, AWS manages the software for the encryption and has control over the encryption keys. But with CloudHSM, AWS provisions dedicated encryption hardware, called an HSM device (a hardware security module), and we manage our own encryption keys entirely, not AWS. So we have full control over the encryption keys. The HSM device is set up within the AWS cloud, but it is tamper resistant, with FIPS 140-2 Level 3 compliance, which means that if anyone tries to tamper with your HSM device, they’re going to be stopped and blocked. The CloudHSM device supports both symmetric and asymmetric encryption keys, so you can, for example, store SSL and TLS keys on it.

There is no free tier. To use the CloudHSM device, you need to use the CloudHSM client software, which is quite complicated and out of scope. Right now there is an integration between Redshift and CloudHSM, so if you wanted to leverage CloudHSM for your database encryption and key management, CloudHSM is a really good candidate. It is also a good candidate if you want to implement SSE-C encryption on S3, for example, because you are managing your own encryption keys and storing them in CloudHSM. So with CloudHSM, AWS manages the hardware, whereas the keys on it are managed by you.

The CloudHSM client is something you have to use to establish a connection into the CloudHSM service, and then you manage the keys through it. IAM permissions are used to create, read, update or delete an HSM cluster at a high level, but then you use the CloudHSM client software to manage the keys, the users and their permissions to access the keys. This is different from KMS, where everything is managed using IAM. Now, CloudHSM clusters can be highly available, spread across multiple AZs, and this is super important to understand. So you can have two AZs, one replicated from the other, and your HSM client can connect to either.

Okay, so if we compare CloudHSM and KMS: KMS is multi-tenant, whereas CloudHSM is single-tenant. They both have the same standard. The master keys are of three kinds on KMS: AWS owned, AWS managed and customer managed CMK, whereas for CloudHSM it’s only customer managed CMK, because AWS cannot access your HSM device. In terms of key type, it is very similar: symmetric, asymmetric and digital signing for KMS, and symmetric, asymmetric, digital signing and hashing for CloudHSM. The one thing you need to note is that right now, if you want to import an asymmetric key, you can only do it in CloudHSM.

So if you have an on-premises key management system that uses asymmetric keys and you wanted to import them into AWS, the only option would be AWS CloudHSM. In terms of key accessibility, KMS is accessible in multiple regions, whereas CloudHSM is deployed in a VPC; you can share it across VPCs using VPC peering, which means it can be made accessible across multiple regions. For cryptographic acceleration, there is none on KMS, but with CloudHSM you have SSL and TLS acceleration that you can use at your load balancer level, and Oracle TDE acceleration as well for your Oracle-based database.

For access and authentication, you have IAM for KMS, whereas CloudHSM has its own security mechanism to manage users, their permissions and their keys. Then, for high availability, KMS is a managed service that is always available, while CloudHSM uses multiple HSM devices over different Availability Zones. For audit capability, you have CloudTrail and CloudWatch for KMS, whereas CloudHSM has MFA support as well. Finally, KMS is part of the free tier in AWS, whereas CloudHSM is not. So that’s it for CloudHSM. I hope you liked it and I will see you in the next lecture.

  1. [CCP] AWS Artifact Overview

So now let’s talk about AWS Artifact, which is not really a service, but it is presented as one in the console. So what is it? It is a portal that gives you, the customer, on-demand access to AWS compliance reports and AWS agreements. These Artifact reports can be downloaded, and they are risk, security and compliance documents from third-party auditors, such as the AWS ISO certifications, the Payment Card Industry (PCI) reports and the SOC reports.

There are also Artifact agreements, which allow you to review, accept and track the status of AWS agreements, such as the BAA agreement for the Health Insurance Portability and Accountability Act (HIPAA), for an individual account or for your organization; you may see this in the exam. These reports can be used to support internal audit capabilities within your company, or compliance needs, to show that you are compliant by using the AWS cloud. So if you go into AWS Artifact, as we can see, this is a global service, and we can get started with Artifact.

We can view the reports or view the agreements. If I click on reports, I can see 61 reports right now that I can download. For example, I can say, oh, I really want to get this report right now, and download it: I accept the NDA, and then I download the report. And here I am, I have a report that I can use for compliance internally.

Or I can go into agreements and find different agreements, for example three account agreements, and we don’t have any organization agreements. So I can take one of these agreements, for example the BAA agreement, accept it and then download it: I scroll down, I accept it, and then I download it. So it’s very, very simple. It’s not really a service, it’s a way for you to download compliance documents. I just wanted to show you once, and then you have to remember it. And that will be it for this lecture. I will see you in the next lecture.
