Please enable JavaScript.

Coggle requires JavaScript to display documents.

AWS Storage Security data-protection (Securing Data at Rest (Data stored…

- - - - AWS KMS provides a central location for key management
      - KMS uses Customer Master Keys (CMKs) to encrypt and decrypt S3 objects
      - It integrates with Amazon S3 and IAM in order to provide complete control over how keys are used
      - It also provides key usage auditing, rotation, and the ability to disable keys
      - NOTE!
        
        Encryption keys can be created and managed by the customer, or default service keys can be used instead
        
        Data keys used to encrypt S3 data is also encrypted and stored with the data itself
      - API
        
        Encrypting objects with AWS KMS requires the use of this header: x-amz-server-side-encryption with value aws:kms
        
        x-amz-server-side-encryption-aws-kms-key-id : This header gives ability to specify the ID of of the AWS KMS master encryption key to be used for an object (otherwise the default key is used)
    - - Amazon S3 still manages the encryption and decryption process but customers provide the keys
      - S3 does not store the encryption key provided
        
        This allows S3 validate requests
        
        If the customer loses the key, they lose the object
        
        Instead it stores a randomly salted HMAC value of the encryption key
      - This method gives customers complete control over their encryption keys
      - Retrieving Objects
        
        This method requires HTTPS requests to encrypt the key in-transit
        
        The customer is responsible for tracking which key is used to encrypt which object because S3 does not
        
        Decrypting objects requires the same encryption key to be provided with the request
        
        The Amazon Console cannot be used to upload or modify objects with this method. The API or SDKs must be used.
      - Encryption key information must be provided with these headers
        
        x-amz-server-side-encryption-customer-key
        
        x-amz-server-side-encryption-customer-key-MD5
        
        x-amz-server-side-encryption-customer-algorithm
    - - Those unique keys are themselves encrypted with a master key
      - The master key is regularly rotated
      - Each object is encrypted with a unique key
      - Amazon S3 uses the 256-bit Advanced Encryption Standard (AES-256)
      - Encrypting data with this method via the REST API requires this header: x-amz-server-side-encryption
  - - - Client gets a unique encryption key for each object
      - On Download
        
        Client downloads the encrypted object from S3 with the cipher blob stored in metadata
        
        The client then sends that cipher blob to AWS KMS to get the plain text
        
        Plain text is used to decrypt the object
      - On Upload
        
        Client sends a request to AWS KMS for a key
        
        AWS KMS returns an encryption key (plain text used to encrypt object data, and a cipher blob to upload to S3 as object metadata)
    - - On Upload
        
        S3 client generates a random data key and encrypts it with the master key
        
        S3 client encrypts the data using the data key, and uploads a material description as part of the object metadata
        
        Client provides a master key to the Amazon S3 encryption client
      - On Download
        
        That metadata tells the client which master key to use to decrypt
        
        Using that master key, the client decrypts the data key
        
        Client downloads encrypted object along with its metadata
        
        The data key is used to decrypt the object
      - Master keys and unencrypted data are never sent to AWS
- - - - Resources - which resource(s) the policy applies to
      - Effect - to allow or deny; allows user to perform the PutObject on a user_financial bucket
      - Actions - which actions to allow or deny; each AWS service has actions