In the first two blogs in this series, we discussed properly setting up IAM and avoiding direct internet access to AWS resources. In this blog, we’ll tackle encrypting AWS in transit and at rest.
Sometimes, despite all efforts to the contrary, data can be compromised. This can occur due to data leakage through faulty apps or systems, by laptops or portable storage devices being lost, by malicious actors breaking through security defenses, by social engineering attacks, or by data being intercepted in man-in-the-middle attacks. Fortunately, with adequate encryption measures in place, data exposures such as these can be nullified. Simply put, when data is properly encrypted with industry approved algorithms, it can’t be deciphered. The only way to make sense of encrypted data is by decrypting it with an encryption key that only trusted parties possess. Let’s discuss how AWS makes it easy to encrypt data wherever it may be.
Encrypting data in transit
When you visit a website and see the small lock icon in the browser toolbar, it means that data being sent between your computer and the website host is secure. If your data was intercepted by a malicious actor, they would not be able to decipher it since it is encrypted.
Through an encryption process that is beyond the scope of this blog series, computers and website hosts negotiate the encryption algorithm and keys that are used during sessions. Thus, since only the communicating computers and website hosts know the encryption keys in use, data is protected from prying eyes. (Note: an exception to this statement is if the generation of encryption keys occurs over a publicly available Internet connection (e.g., coffee shop WiFi). Cybercriminals could intercept this exchange of information and eavesdrop on your communication. That is why it is recommended to initiate a virtual private network (VPN) connection to a trusted provider before visiting websites when using a public Internet connection).
AWS provides a convenient service to encrypt data in transit called Amazon Certificate Manager (ACM). Per AWS, ACM “handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.” What Is AWS Certificate Manager? - AWS Certificate Manager (amazon.com). These X.509 certificates can be used with AWS ELBs, CloudFront, and Amazon API Gateway. Consequently, all Internet bound traffic to and from these resources will be secure.
Furthermore, AWS can encrypt data in transit using X.509 certificates to AWS managed resources like S3 buckets. However, to enable this feature policies may need to be updated to restrict HTTP and only permit HTTPS connectivity. To see an example of how AWS S3 can enforce HTTPS connections, click here: Enforce TLS 1.2 or higher for Amazon S3 buckets.
Now that we know how to encrypt data in transit, let’s move on to our final topic of discussion – encrypting data at rest.
Encrypting data at rest
One of the easiest and most impactful security measures AWS has to offer is encrypting data at rest. Literally, with a few clicks of the mouse, every major AWS service that stores data can be encrypted with default encryption keys that are owned and maintained by AWS. The service used to perform these actions is called AWS Key Management Service (AWS KMS).
Thus, if for some reason your data was exposed to the world, it would be illegible without the encryption key that only AWS can access on your behalf. A quick Google search on the Internet will reveal that the amount of time used to crack a common AES-256 encryption key would take modern computers trillions of years – even with the world’s fastest supercomputers.
If laws, regulations, or corporate policy require you to manage your own encryption keys, AWS has other options. Through KMS, AWS customers can import their own key material for AWS to use for encryption on their behalf. If customers do not want AWS to have any access to their encryption keys, AWS also offers hardware security modules (HSMs). These can be provisioned and used like a utility with an hourly cost.
AWS HSMs are certified as FIPS 140-2 compliant. For those unfamiliar with this designation, it refers to rigorous testing to meet government approved security standards. To learn more about AWS KMS click here: Key Usage — AWS Key Management Service — Amazon Web Services. To learn more about AWS HSM, click here: Security HSM | AWS CloudHSM | Amazon Web Services.
As such, considering the multitude of options and ease of use to encrypt data at rest, there simply is not an excuse to not encrypt data wherever it is stored.
Tying everything together
In this article, we have discussed three easy steps every business or governmental entity can pursue to dramatically improve their AWS security posture. As a recap, these steps are to 1) set up and use IAM properly, 2) avoid direct Internet access to vulnerable AWS resources, and 3) encrypt data in transit or at rest. It goes without saying that these steps are not exhaustive. They are merely the steps that this author believes to be the most impactful.
Many other security mechanisms exist that AWS customers can pursue. For more advanced AWS security help, you are encouraged to engage AT&T’s cybersecurity consulting division for support. We are ready, willing, and able to help you with your AWS cybersecurity needs. To get more information about AT&T cybersecurity consulting, please click here: Cybersecurity Consulting Services | AT&T Business (att.com).
Thank you for taking the time to read this blog series. I sincerely hope you found it informative and useful.
AWS – https://aws.amazon.com
A Cloud Guru – https://acloudguru.com
Article Link: Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest | AT&T Cybersecurity