AWS Storage Security 
Securing Data at Rest
Data stored in persistent storage is considered "at rest"
Amazon S3 and Glacier can use encryption to protect data at rest
Server-side encryption and access control
AWS IAM (Identity and Access Management) can be used to control access to resources
Securing Data in-transit
Data in-transit is data flowing through networks
Data needs to be protected while it is being transferred
Amazon S3 Server-Side Encryption
Amazon S3 encrypts at the object level as it writes data to disk in its data centers
S3 decrypts the data on retrieval as long as a user or service has permissions to retrieve it
There are three options for dealing with encryption keys
AWS KMS-Managed (SSE-KMS)
Customer-Provided Keys (SSE-C)
Amazon S3-Managed Keys (SSE-S3)
Those unique keys are themselves encrypted with a master key
The master key is regularly rotated
Each object is encrypted with a unique key
Amazon S3 uses the 256-bit Advanced Encryption Standard (AES-256)
Encrypting data with this method via the REST API requires this header: x-amz-server-side-encryption
AWS KMS provides a central location for key management
KMS uses Customer Master Keys (CMKs) to encrypt and decrypt S3 objects
It integrates with Amazon S3 and IAM in order to provide complete control over how keys are used
It also provides key usage auditing, rotation, and the ability to disable keys
NOTE!
Encryption keys can be created and managed by the customer, or default service keys can be used instead
Data keys used to encrypt S3 data is also encrypted and stored with the data itself
API
Encrypting objects with AWS KMS requires the use of this header: x-amz-server-side-encryption with value aws:kms
x-amz-server-side-encryption-aws-kms-key-id : This header gives ability to specify the ID of of the AWS KMS master encryption key to be used for an object (otherwise the default key is used)
Amazon S3 still manages the encryption and decryption process but customers provide the keys
S3 does not store the encryption key provided
This method gives customers complete control over their encryption keys
This allows S3 validate requests
If the customer loses the key, they lose the object
Instead it stores a randomly salted HMAC value of the encryption key
Retrieving Objects
This method requires HTTPS requests to encrypt the key in-transit
The customer is responsible for tracking which key is used to encrypt which object because S3 does not
Decrypting objects requires the same encryption key to be provided with the request
The Amazon Console cannot be used to upload or modify objects with this method. The API or SDKs must be used.
Encryption key information must be provided with these headers
x-amz-server-side-encryption-customer-key
x-amz-server-side-encryption-customer-key-MD5
x-amz-server-side-encryption-customer-algorithm
Amazon Glacier Encryption
Encryption uses AES-256
Customers wanting to manage their own keys can encrypt data before uploading it, and decrypt data upon retrieval
All data stored in Glacier is encrypted and key management is managed for the customer
IAM can be used to protect data inside Glacier
Protecting Data in-Transit with Amazon S3
Use an AWS KMS-Managed CMK
Use a client-side master key
Client gets a unique encryption key for each object
On Download
On Upload
Client sends a request to AWS KMS for a key
AWS KMS returns an encryption key (plain text used to encrypt object data, and a cipher blob to upload to S3 as object metadata)
Client downloads the encrypted object from S3 with the cipher blob stored in metadata
The client then sends that cipher blob to AWS KMS to get the plain text
Plain text is used to decrypt the object
On Upload
On Download
Master keys and unencrypted data are never sent to AWS
S3 client generates a random data key and encrypts it with the master key
S3 client encrypts the data using the data key, and uploads a material description as part of the object metadata
Client provides a master key to the Amazon S3 encryption client
That metadata tells the client which master key to use to decrypt
Using that master key, the client decrypts the data key
Client downloads encrypted object along with its metadata
The data key is used to decrypt the object
SSL/TLS Encryption
HTTPS is HTTP within SSL/TLS
SSL/TLS establishes an encrypted link between a client and a server
If we communicate via HTTPS, we are communicating via a secured tunnel
Sensitive information can be sent via HTTPS in order to encrypt it
Amazon Glacier also supports SSL transmissions
IAM
IAM Users
Users can be used by a person or a service in order to interact with AWS
Users can have credentials and permissions
There can be multiple users per AWS account
A user can only be associated with one AWS account
If a user needs access to another AWS account, they can be granted cross-account access or a separate user can be created in that other AWS account
Users do not have separate billing from the main account
IAM Roles
A role is meant to be assumable by anyone or anything which needs it instead of being uniquely tied to one person
Multiple resources can assume the same role
Delegation : when user from first AWS account can access the second AWS account's resources
Federation : can be used with 3rd party sign ins (i.e. Facebook, Google, etc.). Our user can access AWS account with one of the these services assuming/using authentication from them.
IAM Policies
Policies are JSON documents we can apply to roles, users, groups, and resources in order to specify permissions
Policies let you specify
Resources - which resource(s) the policy applies to
Effect - to allow or deny; allows user to perform the PutObject on a user_financial bucket
Actions - which actions to allow or deny; each AWS service has actions
The principal specifies who the effect and actions apply to - which is only necessary when applied to a resource