SCS-C01 Amazon AWS Certified Security Specialty – Domain 5 – Data Protection part 3

  1. AWS Key Management Service – Part 03

Hey everyone and welcome back. In today’s video we will be discussing the KMS architecture, and we will also be discussing envelope encryption. The overall KMS architecture consists of three major components. The first is the KMS interface. The KMS interface is what we interact with, whether via the console, the CLI or the SDK; all of those calls terminate at the KMS interface. Now, the KMS interface is connected to the KMS host, and the KMS host in the back end is connected to the HSM. So even KMS, at the back end, uses HSMs very extensively. Now, what really happens is this: let’s say you have data to encrypt, say the string “This is Kplabs”. You want to encrypt that data, so you send it to the KMS interface.

Now, the KMS interface in the back end interacts with the KMS host. The Customer Master Key is associated with the KMS host and the HSM, and together these components form the KMS back end. From there you get the encrypted data. The encrypted data is base64 encoded and sent back to you. Now, this entire exchange of data over the network brings certain disadvantages, because you have the data and you are sending it over the network. Along with that, one important point to remember is that KMS only accepts TLS connections; you cannot have a plaintext connection to it. And since a network is involved, there are certain disadvantages.

One of them is definitely latency. Now let’s look at some of the caveats. The first is that we can encrypt a maximum of 4 KB of data directly with a CMK, so if you want to encrypt a large amount of data there is an alternate method. The second point is that since the data travels over the network, there will be latency involved. This is the reason AWS suggests using the CMK plus data key approach, the Customer Master Key together with data keys. Let’s look at how exactly this works. This is also referred to as envelope encryption. What happens here is that first we generate a Customer Master Key. Once our CMK is generated, we go ahead and generate data keys.

Now, when we send the request to generate a data key, AWS returns a plaintext and a ciphertext version of the data key. So you get two versions of the data key back: one is the plaintext and the second is the ciphertext. Let’s assume the green one is the plaintext and the gray one is the ciphertext. Now, we can use the plaintext data key to encrypt the files on the server. Do remember that both of these versions are directly associated with the CMK. So you take your plaintext data and encrypt it with the plaintext data key, and what you now have is ciphertext data. Then you can store the ciphertext data together with the ciphertext key.

So you store both of them together. Once you have stored both together, you can go ahead and delete the plaintext data and delete the plaintext key. That is the encryption part. After you have completed the encryption process, the output is the encrypted data and the encrypted key. At this point, even if your data is stolen by an attacker, all he has is encrypted data and an encrypted key, so he will not be able to do anything with it. Now let’s look at the decryption steps. In order to decrypt this data, you have to call the Decrypt interface, because the key is still encrypted and to decrypt the data you need the decrypted key. So you call the Decrypt interface and KMS sends you the plaintext key again.

You use the plaintext key to decrypt your data on your server or at the endpoint. So this is the high-level overview of how you can make use of envelope encryption, which is the Customer Master Key plus data key approach. Let me quickly show you how this looks. I’m on the KMS CLI page; let’s scroll down a bit. These are the available commands. We are most interested in generate-data-key, because this is what we have been discussing. Once we make the generate-data-key API call, it gives us the plaintext and ciphertext versions of the key. So let’s look at the synopsis of generate-data-key.

We have to specify the key ID, and along with that we also have to specify the key spec. So let’s do one thing: I’ll copy the key ID here and try it out. I’ll run aws kms generate-data-key, specify the key ID, and also specify the key spec, which is typically AES_256 or AES_128. So what has happened here is that it has returned the plaintext version and the ciphertext version of the key. Once you have both of them, you can go ahead and encrypt your data with the plaintext version of the key. Once your data is encrypted, you store the encrypted data and this encrypted key in your database or storage location, and that’s about it.

During decryption you call the Decrypt interface again and get back the plaintext key, with which you can decrypt the data. So this is the high-level overview of the KMS architecture as well as envelope encryption. Do remember that envelope encryption is an extremely important topic in KMS, and typically, if an organization uses KMS at larger scale, envelope encryption is something they will probably be using, because one of the advantages of using data keys is that the restriction on data size no longer applies. So this is the high-level overview. I hope this video has been informative for you and I look forward to seeing you in the next video.
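The envelope flow described above (GenerateDataKey, encrypt locally with the plaintext key, keep only the ciphertext and the wrapped key, Decrypt the wrapped key later), as an added example that is not part of the course. The KMS client is a constructed offline stand-in whose method names, keyword arguments and response keys mirror boto3’s `generate_data_key` and `decrypt`, so a real `boto3.client("kms")` can be passed in instead; the local cipher is an HMAC-based toy that stands in for AES-GCM and is not meant for production use.

```python
import hashlib
import hmac
import secrets

def keystream_xor(key, nonce, data):
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for AES-GCM; not for production)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC with a fresh nonce; returns nonce || body || tag."""
    nonce = secrets.token_bytes(12)
    body = keystream_xor(key, nonce, plaintext)
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or key was altered")
    return keystream_xor(key, nonce, body)

class FakeKms:
    """Constructed offline stand-in for boto3's kms client; same response keys.
    The CMK never leaves this object, just as the real key never leaves the KMS back end."""
    def __init__(self):
        self._cmks = {}
    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        cmk = self._cmks.setdefault(KeyId, secrets.token_bytes(32))
        plaintext = secrets.token_bytes(32 if KeySpec == "AES_256" else 16)
        return {"Plaintext": plaintext, "CiphertextBlob": seal(cmk, plaintext), "KeyId": KeyId}
    def decrypt(self, CiphertextBlob, KeyId):
        return {"Plaintext": unseal(self._cmks[KeyId], CiphertextBlob), "KeyId": KeyId}

def envelope_encrypt(kms, key_id, data):
    """GenerateDataKey once, encrypt data of any size locally, keep only ciphertext + wrapped key."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    record = {"encrypted_key": dk["CiphertextBlob"], "ciphertext": seal(dk["Plaintext"], data)}
    del dk  # the plaintext data key is discarded after use
    return record

def envelope_decrypt(kms, key_id, record):
    """One Decrypt call on the small wrapped key (well under the 4 KB limit), then a local unwrap."""
    plain_key = kms.decrypt(CiphertextBlob=record["encrypted_key"], KeyId=key_id)["Plaintext"]
    return unseal(plain_key, record["ciphertext"])
```

The stored record never contains the plaintext data key, so a copy of the database alone is useless without a Decrypt call that the CMK’s key policy and CloudTrail can control and record.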

  1. AWS Key Management Service – Data Key Caching

Hey everyone, and welcome back to the Knowledge Pool video series. In today’s lecture we will be looking at one very important aspect that will help you when you use KMS extensively, which is data key caching. This is quite an important topic as far as the exams are concerned. So let’s look at what exactly data key caching in AWS KMS is all about. There are a lot of organizations that use KMS very extensively, and I’ll give you an example from one of the organizations I have worked with. I used to work in a payments organization, which was basically a payment gateway, and typically in the architectures of payment gateways, or of organizations that store things like credit card information,

the way the encryption mechanism generally works is that they use envelope-based encryption, and there used to be a separate data key for encrypting each row in the database. So every row of data was encrypted with a separate data key: if there are ten rows in the database, ten data keys were used to encrypt those ten rows. However, when you talk about bigger organizations like payment gateways, they typically have thousands of rows at a minimum, so for thousands of rows they need thousands of data keys, each encrypting an individual row within the database. And generally after six to seven months, as the popularity of the website increased, we typically had millions of customers.

For millions of customers there were millions of rows, and for millions of rows there was a separate data key per row, so there were millions of data keys. This might sound feasible in theory, but in practice it leads to certain challenges. When we reached the higher threshold of data keys, a lot of latency and slowness was introduced into the encrypt and decrypt operations. KMS also has its limits: it’s not like you can send any number of requests together and get a response in a very short time. There is latency involved, and KMS has its own request thresholds. So if you cross the threshold, latency and slowness will be introduced.

Now, latency and slowness are generally not acceptable for bigger organizations like payments and finance. So what is the ideal approach to take when you are going beyond the threshold value? The answer is data key caching. AWS has introduced a feature called data key caching in its AWS Encryption SDK. Data key caching allows us to reuse the data key that protects our data instead of generating a new data key for each encrypt operation. Again, take the example of ten rows of data in the database. In the earlier use case, for ten rows we had a separate data key for each row, so ten separate data keys.

However, when you use data key caching, you specify a reuse value. Let’s assume you specify a reuse value of two. That means each data key can be used to encrypt two rows, so for ten rows, instead of ten data keys being used, only five data keys are needed. This is one of the recommended approaches if you have millions of rows and are crossing the threshold limits, and it works perfectly. However, it comes with a security trade-off, because encryption best practice discourages extensive reuse of a data key, and here we are reusing the same data key to encrypt multiple objects. Let’s look at how this works. In the AWS Encryption SDK, by default a new data key is generated for each encrypt operation.

This is very important: for every encrypt operation, a new data key is generated. That is the default, secure configuration of the Encryption SDK. However, as we have already discussed, it brings overhead in terms of latency and slowness when the amount of data and the number of encrypt operations are huge. So let’s look at two use cases. The first is where no data key caching is used, and the second is where data key caching is used. In the first use case, without caching, if you have 500 clients per region and generate an individual data key per client, then for 500 clients the total number of requests made per second would be 500.

In the second use case, we reuse the data keys. This is where data key caching comes into the picture: one data key is used for 100 users, so a single data key is used 100 times. If there are 500 clients, the total number of requests would be just five. In the first scenario you have 500 requests, and in the second, with data key caching, you have just five. The difference in the number of requests is huge, and it plays a major role in use cases where the number of clients is typically in the tens of millions; for such organizations, data key caching is a very important trade-off to make. Now, there are certain important pointers to remember as far as data key caching is concerned.

Data key caching saves the plaintext and ciphertext versions of the data key you use in a configurable cache. The plaintext and ciphertext data keys are stored in the cache on the EC2 instance itself, so no API call is made to KMS to generate a new data key. That is the first important point. Second, when you need a key to encrypt or decrypt data, you can reuse the data key from the cache instead of creating a new one: if you have already generated a data key, it is stored in the cache, and in the next encrypt operation you can use that cached data key to perform the new encrypt or decrypt operation. Third, and most important, data key caching is generally preferred when there is a high frequency of API calls that would reach the threshold limits or is causing slowness in your application.

So if a high request rate is needed, latency is involved, or master key operations are slow, in those cases you should use data key caching. Again, this is quite an important topic for the exam. You might get a use case where an organization is facing slowness in its application due to latency or slowness in the encrypt and decrypt calls it makes, and the question asks what the best trade-off is to make things faster. In such a use case, data key caching is the right approach to select. So that’s it for this lecture. I hope it has been informative for you and I look forward to seeing you in the next lecture.
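The 500-clients-versus-5-requests arithmetic above, worked through as an added example that is not part of the course or of the AWS Encryption SDK. `DataKeyCache` is a constructed simplification of the SDK’s caching behaviour with two of the limits the lecture implies (a message reuse limit and a maximum age) and `CountingKms` is a constructed stub that only counts GenerateDataKey requests.

```python
import time

class CountingKms:
    """Constructed stub that only counts GenerateDataKey requests (no real crypto)."""
    def __init__(self):
        self.calls = 0
    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        self.calls += 1
        return {"Plaintext": b"plain-%06d" % self.calls, "CiphertextBlob": b"wrapped-%06d" % self.calls}

class DataKeyCache:
    """Reuse one plaintext/ciphertext data key pair until it has protected
    max_messages messages or has sat in the cache longer than max_age_s seconds,
    then fetch a fresh one from KMS. The clock is injectable so tests can age entries."""
    def __init__(self, kms, key_id, max_messages, max_age_s, clock=time.monotonic):
        self.kms, self.key_id = kms, key_id
        self.max_messages, self.max_age_s, self.clock = max_messages, max_age_s, clock
        self._entry = None  # plaintext key, wrapped key, creation time, use count

    def get_data_key(self):
        now = self.clock()
        e = self._entry
        if e is None or e["uses"] >= self.max_messages or now - e["created"] > self.max_age_s:
            resp = self.kms.generate_data_key(KeyId=self.key_id, KeySpec="AES_256")
            e = self._entry = {"plain": resp["Plaintext"], "wrapped": resp["CiphertextBlob"],
                               "created": now, "uses": 0}
        e["uses"] += 1
        return e["plain"], e["wrapped"]

def kms_requests_for(clients, reuse_limit):
    """KMS requests caused by `clients` encrypt operations: (no caching, caching with reuse_limit)."""
    uncached = CountingKms()
    for _ in range(clients):
        uncached.generate_data_key(KeyId="alias/example")
    cached = CountingKms()
    cache = DataKeyCache(cached, "alias/example", max_messages=reuse_limit, max_age_s=300)
    for _ in range(clients):
        cache.get_data_key()
    return uncached.calls, cached.calls
```

The security trade-off the lecture mentions is visible in the limits: raising `max_messages` or `max_age_s` cuts KMS requests further but widens how much data a single compromised data key would expose.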

  1. AWS Key Management Service – Scheduled CMK Deletion

Hey everyone, and welcome to the Knowledgeable video series. Continuing our KMS journey, today we’ll look at one more important topic related to KMS, which is the deletion of the customer master key. Let’s look at the process involved. Deleting a CMK in AWS KMS deletes the key material and all the metadata associated with the CMK. This process is irreversible: once you delete the customer master key from KMS, there is no way to retrieve the key. So if you have important data that you have already encrypted and you delete the CMK, your encrypted data will remain encrypted forever.

This is why, after a CMK is deleted, we can no longer decrypt the data that was encrypted under it. The process is irreversible, and because of this AWS KMS enforces a mandatory waiting period before the CMK is actually deleted. The waiting period can be from a minimum of seven days up to a maximum of 30 days; by default it is 30 days. So if tomorrow a manager comes in and says, okay, delete the CMK right now, that is not possible. You cannot delete the CMK immediately; you have to go through the waiting period.

As we discussed, there is a minimum of seven days and a maximum of 30 days. Let’s look at how this looks. I am in my IAM console, and under Encryption keys I have one KMS CMK with the alias KP Labs. Let’s assume I want to delete this key. I’ll click on it, go to Key actions, and select Schedule key deletion. When you choose Schedule key deletion, the waiting period prompt appears: enter a waiting period between 7 and 30 days. This is quite important: if there is a use case where you want to delete the key right now, that is not possible; you have to go through the waiting period. However, one thing you can do is disable the key if it is no longer needed.

Disabling is the safer choice in case you suspect there is data encrypted with this CMK that you are not aware of. One more important point to remember is that during the waiting period the CMK cannot be used in any cryptographic operation. So once you have scheduled your CMK for deletion, during that waiting period it will not be able to encrypt or decrypt any data. These are some of the important pointers to remember as far as key deletion is concerned. A short lecture, but quite an important one for the exams. So that’s it for this lecture. I hope it has been informative for you and I look forward to seeing you in the next lecture.
