AWS Enterprise Account Purchase: Use AWS KMS (Key Management Service) to Encrypt S3 Buckets and EBS Volumes with One Click
In cloud computing and enterprise architecture, "data security" is a red line that can never be crossed. When teams first move their workloads to AWS, they usually focus on whether the network perimeter (security groups, network ACLs) is airtight, but neglect the last line of defense: encryption of data at rest.
Imagine: an attacker gets past the perimeter network, a former employee copies a snapshot of your EBS volume by some means, or a confidential contract leaks from your S3 bucket. If that data is stored in plaintext, the company faces a catastrophe.
In the AWS security ecosystem, the core component dedicated to managing all encryption keys and encrypting data as it lands on storage is AWS KMS (Key Management Service).
We will skip the obscure cryptographic formulas today and work hands-on: using AWS KMS to weld a "one-click encryption" line of defense around the two core storage assets of an enterprise, S3 buckets and EBS volumes.
Phase 1: Get to the bottom of KMS's "envelope encryption"
Before you configure anything, you need to understand how AWS handles keys under the hood; otherwise you will be guessing when it is time to choose a key. The KMS core is built on a mechanism called envelope encryption:
KMS key (customer master key, CMK): this is your "root key". It is generated and held by KMS inside dedicated hardware security modules (HSMs). Nobody, including you and AWS staff, can download the plaintext of this key.
Data key: when you encrypt a 10 GB file, the KMS key is not applied to the file directly. KMS uses the KMS key to generate a data key on demand.
Wrapping and sealing: the data key is what encrypts the file. Once encryption is done, the plaintext data key is discarded immediately; what remains is the ciphertext of the data key, encrypted under the KMS key, stored alongside the encrypted file.
Core security conclusion: it is like locking a precious necklace in a safe (data encryption), putting the safe key in a small envelope, and then sealing the envelope with a far stronger lock (the KMS key). Without authorization to use the KMS key, anyone who gets hold of the underlying disk or S3 object sees nothing but unreadable bytes.
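The three steps above, as an added illustration that is not AWS code: a SimulatedKms object stands in for KMS and never hands out its master key, and the rest of the code is the "envelope". AES-GCM, which KMS actually uses, is not in the Python standard library, so the toy cipher here is an HMAC-SHA256 keystream plus an HMAC tag (encrypt-then-MAC); it exists only to make the key-handling flow runnable offline and is not a production cipher.

```python
"""Envelope encryption modelled with standard-library primitives (added example)."""
import hashlib
import hmac
import secrets


def _subkeys(key):
    # Separate keys for the keystream and the tag, derived from one input key
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(enc_key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key, plaintext):
    """Toy stand-in for AES-GCM: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimulatedKms:
    """Holds the master key; callers only ever see wrapped data keys (like an HSM)."""

    def __init__(self):
        self._master_key = secrets.token_bytes(32)  # never exported, no getter

    def generate_data_key(self):
        """Like kms:GenerateDataKey: returns (plaintext data key, wrapped data key)."""
        data_key = secrets.token_bytes(32)
        return data_key, toy_encrypt(self._master_key, data_key)

    def decrypt_data_key(self, wrapped):
        """Like kms:Decrypt on the wrapped key: the only way back to the data."""
        return toy_decrypt(self._master_key, wrapped)


def envelope_encrypt(kms, plaintext):
    """Encrypt with a fresh data key, keep only the wrapped key next to the ciphertext."""
    data_key, wrapped = kms.generate_data_key()
    ciphertext = toy_encrypt(data_key, plaintext)
    del data_key  # plaintext data key is discarded right after use
    return {"wrapped_key": wrapped, "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope):
    """Unwrap the data key via KMS, then decrypt the payload with it."""
    data_key = kms.decrypt_data_key(envelope["wrapped_key"])
    return toy_decrypt(data_key, envelope["ciphertext"])


if __name__ == "__main__":
    kms = SimulatedKms()
    env = envelope_encrypt(kms, b"confidential contract")  # constructed sample payload
    print(envelope_decrypt(kms, env))
    try:
        envelope_decrypt(SimulatedKms(), env)  # a different "account" without the key
    except ValueError as exc:
        print("stolen copy is useless:", exc)
```

The point to notice is that the stored object (wrapped key plus ciphertext) is useless to anyone who holds a copy of the storage but not the authority to call decrypt on the KMS key: a second SimulatedKms with its own master key fails the integrity check instead of producing plaintext.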
Phase 2: Hands-on Exercise 1: Lock an S3 Bucket with One Click
S3 buckets are often used to store company images, sensitive user-uploaded IDs, or financial statements. In the past, encrypting S3 data meant writing complex encryption logic into application code; today AWS does it at the storage layer, with "one-click, transparent encryption".
1. Understand the difference between the two key types
When configuring S3 encryption, the console asks you to choose one of two:
AWS managed key (aws/s3): free, managed for you by AWS. The downside is that it cannot be used across accounts and you cannot control its rotation policy.
Customer managed key (SSE-KMS): the enterprise standard. You create it in KMS, and it supports fine-grained IAM permission control and full CloudTrail auditing of every use.
2. S3 at-rest encryption in three quick steps
Log in to the AWS console, open the KMS service, click "Create key", choose "Symmetric", name it Company-S3-Key, and click through to create it.
Switch to the S3 console and open the bucket that holds your core data.
Click the "Properties" tab, scroll down to "Default encryption", and click Edit:
Encryption type: choose "Server-side encryption with AWS Key Management Service keys (SSE-KMS)".
KMS key: choose from your existing KMS keys and select the Company-S3-Key you just created.
Bucket Key: choose Enable.
Cost-saving tip: if your bucket handles millions of reads and writes a day, calling KMS on every request produces a large KMS request bill. With S3 Bucket Key enabled, S3 caches a bucket-level key and cuts more than 90% of that KMS traffic.
Click Save. From now on, any object uploaded to this bucket through the console or the API is encrypted the moment it is written. When an authorized back-end application downloads an object, S3 calls KMS to decrypt it in the background: zero changes to application code, completely transparent.
Phase 3: Hands-on Exercise 2: Encrypting EBS Volumes and Snapshots
The EBS volumes attached to an EC2 instance (the equivalent of a server's C: and D: drives) hold your operating system, database files, and application logs.
1. Scenario A: one-click encryption when launching a new server
When configuring storage for a new EC2 instance, expand Advanced options:
Check "Encrypted".
For the KMS key, select your customer managed key. The instance's entire system volume is then encrypted from the day it is created.
2. Scenario B: how do you encrypt an existing plaintext volume?
AWS does not allow "in-place" encryption of an existing unencrypted EBS volume. So if you have a data volume that has been running in plaintext for six months, how do you encrypt it safely? Use the "snapshot springboard" method.
Standard operating procedure:
Take a snapshot: on the EC2 Volumes page, select the plaintext volume and click Actions -> "Create snapshot" (quiesce writes to the volume first so the snapshot is consistent).
Copy the snapshot with encryption: go to the Snapshots list, find the snapshot you just created, and click Actions -> "Copy snapshot". In the Copy dialog, check "Encrypt this snapshot" and select your KMS customer managed key. Click Copy. AWS copies the data at the storage layer while arming the new snapshot with your KMS key.
Restore a new volume from the encrypted snapshot: select the copied snapshot marked "Encrypted" and click Actions -> "Create volume from snapshot". Detach the old plaintext volume from the instance and attach the new, fully encrypted volume.
Done. The server has quietly gone from plaintext to ciphertext storage, with no data lost.
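The same four steps as an API call sequence, added here as an example and not AWS's own code. reencrypt_volume takes any object exposing the EC2 client methods it uses, so it works with a real boto3.client("ec2") as well as the in-memory FakeEc2 below, which exists only so the example runs offline. It adds one check the console walkthrough leaves implicit: the new volume is verified to report Encrypted before the old one is detached, so a mis-copied snapshot aborts the swap instead of leaving the instance without its disk. Volume, instance, region and key identifiers are placeholders.

```python
"""Snapshot-springboard re-encryption of an EBS volume (added example)."""


def reencrypt_volume(ec2, volume_id, instance_id, device, kms_key_id, region, az):
    """Snapshot -> encrypted copy -> new volume -> swap. Returns the ids created."""
    # 1. Snapshot the plaintext volume (quiesce writes or stop the instance first)
    snap = ec2.create_snapshot(VolumeId=volume_id, Description="pre-encryption copy")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    # 2. Copy the snapshot, encrypting it under the customer managed key
    enc_snap = ec2.copy_snapshot(SourceSnapshotId=snap, SourceRegion=region,
                                 Encrypted=True, KmsKeyId=kms_key_id)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])
    # 3. Build the replacement volume from the encrypted snapshot
    new_vol = ec2.create_volume(SnapshotId=enc_snap, AvailabilityZone=az)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])
    # Verify before touching the instance; EC2 reports the key as its ARN
    desc = ec2.describe_volumes(VolumeIds=[new_vol])["Volumes"][0]
    if not desc.get("Encrypted"):
        raise RuntimeError(f"{new_vol} is not encrypted; aborting before detaching {volume_id}")
    # 4. Swap: detach the plaintext volume, attach the encrypted one
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol, InstanceId=instance_id, Device=device)
    return {"old_snapshot": snap, "encrypted_snapshot": enc_snap,
            "new_volume": new_vol, "key_arn": desc.get("KmsKeyId")}


class FakeEc2:
    """Minimal stand-in for boto3's EC2 client, covering only the calls used above."""

    def __init__(self):
        self.counter = 0
        # Constructed starting state: one plaintext volume attached to one instance
        self.volumes = {"vol-0plain": {"Encrypted": False, "KmsKeyId": None, "Attached": "i-0app"}}
        self.snapshots = {}

    def _new_id(self, prefix):
        self.counter += 1
        return f"{prefix}-{self.counter:017x}"

    class _Waiter:
        def wait(self, **kwargs):
            pass  # in-memory resources are ready instantly

    def get_waiter(self, name):
        return self._Waiter()

    def create_snapshot(self, VolumeId, Description=""):
        sid = self._new_id("snap")
        src = self.volumes[VolumeId]
        self.snapshots[sid] = {"Encrypted": src["Encrypted"], "KmsKeyId": src["KmsKeyId"]}
        return {"SnapshotId": sid}

    def copy_snapshot(self, SourceSnapshotId, SourceRegion, Encrypted=False, KmsKeyId=None):
        sid = self._new_id("snap")
        self.snapshots[sid] = {"Encrypted": Encrypted, "KmsKeyId": KmsKeyId if Encrypted else None}
        return {"SnapshotId": sid}

    def create_volume(self, SnapshotId, AvailabilityZone):
        vid = self._new_id("vol")
        src = self.snapshots[SnapshotId]
        self.volumes[vid] = {"Encrypted": src["Encrypted"], "KmsKeyId": src["KmsKeyId"], "Attached": None}
        return {"VolumeId": vid}

    def describe_volumes(self, VolumeIds):
        return {"Volumes": [dict(self.volumes[v], VolumeId=v) for v in VolumeIds]}

    def detach_volume(self, VolumeId):
        self.volumes[VolumeId]["Attached"] = None
        return {}

    def attach_volume(self, VolumeId, InstanceId, Device):
        self.volumes[VolumeId]["Attached"] = InstanceId
        return {}


KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"  # placeholder

if __name__ == "__main__":
    fake = FakeEc2()
    print(reencrypt_volume(fake, "vol-0plain", "i-0app", "/dev/sdf", KEY_ARN, "us-east-1", "us-east-1a"))
```

To run it for real, pass boto3.client("ec2", region_name=...) instead of FakeEc2(); the method names and keyword arguments are the ones the EC2 API exposes. Detaching a root volume requires the instance to be stopped first, and the unencrypted source snapshot should be deleted once the swap is verified, since it still holds a plaintext copy of the data.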
Phase 4: Enterprise-level play: turn on the account-level "mandatory encryption" rule
As chief architect, what you fear most is this: "I set the security standard, but a new developer forgot to tick the encryption box when building a server or a bucket, and now data is sitting unencrypted and exposed."
AWS provides account-wide guardrails that eliminate this risk at the source:
1. Turn on EBS encryption by default
In the EC2 console, in the Account attributes panel on the right, click "Settings" -> "EBS encryption" -> "Encrypt by default".
Check Enable and specify your default KMS key. Once this switch is on, every newly created EBS volume in this Region is encrypted at the storage layer, even if someone forgets to select encryption; an unencrypted volume can no longer be created.
2. Write an S3 bucket policy as a hard backstop
In the bucket's Permissions tab, paste the following policy. Its logic: any upload request that does not carry the KMS encryption header (i.e. an attempt to store a plaintext object) is unconditionally denied (Deny):
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
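A dry run of that Deny statement against a few constructed PutObject requests, added here as an example and not an AWS tool. It models only what this policy needs (Deny, action and resource wildcards, StringNotEquals, StringEquals and Null), following IAM's documented behaviour that a negated operator such as StringNotEquals matches when the condition key is absent from the request. Real decisions are made by AWS; use this to reason about which header clients must send. The bucket name is a placeholder.

```python
"""Dry-run evaluator for the DenyUnencryptedObjectUploads bucket policy (added example)."""
import re

# Copy of the page's policy; "YOUR-BUCKET-NAME" is a placeholder.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """True when every operator/key pair in the Condition block matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(e) for e in _as_list(expected)]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: matches when the key is absent OR the value differs
                if actual is not None and actual in expected:
                    return False
            elif operator == "Null":
                if (actual is None) != (expected[0].lower() == "true"):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
    return True


def denying_statement(policy, action, resource, context):
    """Return the Sid of the first Deny statement matching the request, else None.

    None means only that this policy does not deny the request; an Allow from
    IAM or the bucket policy is still required for it to succeed.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return stmt.get("Sid", "<no Sid>")
    return None


# Constructed sample requests: (description, action, resource ARN, request context)
OBJ = "arn:aws:s3:::YOUR-BUCKET-NAME/contracts/2024-q1.pdf"
SAMPLE_REQUESTS = [
    ("PutObject with SSE-KMS header", "s3:PutObject", OBJ, {"s3:x-amz-server-side-encryption": "aws:kms"}),
    ("PutObject with SSE-S3 header (AES256)", "s3:PutObject", OBJ, {"s3:x-amz-server-side-encryption": "AES256"}),
    ("PutObject with no encryption header", "s3:PutObject", OBJ, {}),
    ("GetObject (policy does not cover reads)", "s3:GetObject", OBJ, {}),
]


def dry_run(policy=BUCKET_POLICY, requests=SAMPLE_REQUESTS):
    """Map each request description to the Sid that denies it (None = not denied by this policy)."""
    return {desc: denying_statement(policy, action, res, ctx) for desc, action, res, ctx in requests}


if __name__ == "__main__":
    for desc, sid in dry_run().items():
        print(f"{('DENY ' + sid) if sid else 'not denied':38} {desc}")
```

Two things the dry run makes visible: every client writing to the bucket must send the x-amz-server-side-encryption: aws:kms header (for example aws s3 cp --sse aws:kms), and an upload that asks for SSE-S3 (AES256) is denied as well, which is exactly the page's intent but worth knowing before rolling the policy out to existing applications.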
Phase 5: Hard-won lessons: pitfalls in daily operations and maintenance
Do not delete a key by mistake; it is suicide: to protect a KMS customer managed key from accidental deletion, the system never erases it the moment you click delete; it enters a mandatory "pending deletion" waiting period of 7 to 30 days. Warning written in blood and tears: if nobody cancels the deletion during that period, once the key is destroyed nobody in the world can recover the S3 objects and EBS volumes encrypted with it, not even the top security experts at AWS headquarters. Therefore, production KMS keys must be protected by IAM permissions that explicitly deny kms:ScheduleKeyDeletion.
Automatic KMS key rotation: to satisfy compliance audits (such as PCI DSS certification in finance), remember to check "Automatically rotate this key" when creating the key. AWS then generates a new version of the key material every year in the background; new data is encrypted with the new version while old versions remain available to decrypt old data. The whole process is fully automatic and affects no workloads.
Summary
The biggest charm of using AWS KMS for encryption at rest is that "the bottom layer is extremely hardcore, and the surface is one click". With KMS's very low key management fee and the S3 Bucket Key cost-saving technique, you can put a bulletproof vest on every disk and bucket in the company in one afternoon. Security does not have to be a big production: keep control of the keys in your own hands, make sure data is encrypted the moment it hits the disk, and from then on, whatever compliance check comes your way, you will be as steady as Mount Tai.