Saturday, March 13, 2021

AWS - KMS - Key Management Service

 AWS - KMS 3-13-2021
class notes


KMS
- SEC

key - cryptography

csa

google - aws security certification


KMS - Key Management Service
Encryption
- EBS
- EFS
- LB
- RDS
- ELB
 
Go to aws console and search for KMS

What is cryptography?
- one of the fields in the security world
- whatever data you have, other folks can't read it easily.
(from Greek: crypto = hidden/secret, graphy = writing)
crypto - secure
- We keep our money and jewellery in a secure box, and lock the box or store it in the bank.

Box -> keep object (file/directory) -> Lock -> key -> unique key -> locker (vault)

- only unique key helps you to open the box
- You only have this key

we have our file
- text / plain text / data

to secure it
- we lock it; locking is encryption in the computer world.
- When you encrypt, other people can still read the data, but in a different form, possibly binary.

when it is encrypted, this is called cipher text
- you need to use the key to convert it back into plain text

plain text ----> algorithm ------------> cipher text (CT)

- data - lock -> key
if the key is stolen or other people know it, they can decrypt (unlock) and read the content of the file.


We use the same key to encrypt and decrypt, the same key to lock and unlock; this is called a symmetric key

Some algorithms
- DES - faster but may be broken
- AES (banks and others use it, more secure)


google - symmetric key algorithm

symmetric keys are very dangerous too.
- we store data
- we encrypt (lock) this file.
- and we store it on the hard disk
- we store the cipher text on the hard disk.
- say the hard disk is stolen, and someone tries to see the file
- they can't read the content, but they can remove it.

the only way to get the data back is to get the exact same key (symmetric key)
so, you have one key to lock and unlock

Asymmetric algorithm
- We will have two keys to encrypt and decrypt

Keys
- symmetric Key
- Asymmetric Key
   - Private Key
   - Public Key

here, the focus is the key. in either case, you need the key to lock and unlock the data.
- keys are so sensitive
- if someone found, other people can read.
- personal data may not be that critical but bank customer info is very critical.
- security of the key is very important.
- where should you keep these keys.

Keeping keys
- There are companies that create physical hardware
- Hardware (appliance)
Thales - a company that creates such appliances
google for hsm appliance

hardware security module
- Keeps the key secure
- Buy 2 modules
- Cluster them
- These are costly devices

- say data in MySQL -> database -> stored on storage -> use key to decrypt
so a company employee can access the appliance, go to the database and decrypt the data


rather than buying hardware, lease it -> pay-as-you-go plan
managed services
- Pay-as-you-go model (rent)

HSM in the cloud
- service from aws
- managed hardware security module (HSM) in the cloud

google for cloudHSM pricing
cloudHSM
-> create
service setting
total no. of HSMs - 2

create - specify the VPC
-> specify AZ
select at least two AZs.

cluster - create new cluster

click on your HSM
- initialize
- select the AZ where you want to keep the key

now, you cannot change the VPC or subnet.
- you can use this device to keep keys.
- your cluster is not active until you keep the keys
- this is billed per hour (about $2/hr)

how to keep the keys? There are two ways
1. You manage the key
- Keep it on your own HSM
- Keep it on cloudHSM

2. Give your key to the cloud provider (service provider)
- you rely on the cloud provider
- You also create keys use case by use case
- Store, manage and secure the key

AWS provides this kind of service, called KMS
- They say: we create and manage the key
- Store these keys in a secure box.
- We can create symmetric or asymmetric keys

google for "dedicated tenancy"
- no sharing with other organizations
- They give you dedicated hardware for your organization in this case

so you either buy the hardware or rent the hardware
- the main purpose is to keep and secure the key

go to aws management console
- search for kms
- create a key

or
- click on (there is a facility called) customer managed keys on the left side of KMS

if you want to lock some of your data, you can lock your data

Free tools
openssl
certutil

symmetric - aes

kms console
- aws managed keys
- customer managed keys
- custom key stores
  - You can integrate with CloudHSM


Go to customer managed keys
- Encrypt
- plain --- encrypt -> cipher

Customer managed keys provide
the key
- who creates it
- keeps it secure
- who provides it when needed

click on customer managed keys
- create key
- Select symmetric key
- click on advanced options

key material origin (who will create the key)
if you select custom key store (CloudHSM)
in this option you have to set up a custom key store

we will not go with this option. there is almost a $2 per hour charge

you select external
- you create the key
- you can upload your key here..

but the key might be on your laptop or on a server, and may be stolen..
if you are migrating your application and keys to the cloud, this option is good

now there is another option, KMS (AWS generates the key material)
select KMS
- next
key name
alias: mykey1
- next
key administrator
- we have lots of users - IAM users
who is going to admin/manage the key?
 - add/remove/manage key

- specify the user
either use an existing user or create a new one

in IAM - a user is also a principal

 review the JSON file content (the key policy)

now, the key is secured by aws
as a user, you decide what data to lock (encrypt)
you use the key to encrypt the data and convert that data to cipher text.

let's go ahead and see how to encrypt

let's go to the aws cli
> aws configure

configure your account
> aws kms help

read through and look at the examples
> mkdir mysecuredir; cd mysecuredir

> notepad myfile.txt
credit card
citi bank:
username
pw:

US bank:
username
pw:

BOA bank:
username
pw:

> aws kms help
google aws kms cli
look for encrypting

let's look at the symmetric CMK (default)
look for synopsis
plaintext option, specify text or file

for text
> aws kms encrypt --plaintext "Hello"

for file
> aws kms encrypt --plaintext fileb://myfile.txt

it failed
it asks you to provide a variable too
you also have to specify the key
- every key comes with a unique ID and you have to supply it.
> aws kms encrypt --plaintext fileb://myfile.txt --key-id <Key-ID>

now, the file is encrypted.

they returned the CiphertextBlob

let's query
> aws kms encrypt --plaintext fileb://myfile.txt --key-id <Key-ID> --query CiphertextBlob

> aws kms encrypt --plaintext fileb://myfile.txt --key-id <Key-ID> --query CiphertextBlob --output table


> aws kms encrypt --plaintext fileb://myfile.txt --key-id <Key-ID> --query CiphertextBlob --output text

save the cipher data to a file
> aws kms encrypt --plaintext fileb://myfile.txt --key-id <Key-ID> --query CiphertextBlob --output text > secure.txt

now, this is the cipher text.

you can view the data but it's in a different format.

you can use this file by decrypting it
you can remove the original file

let's go ahead and find how to decrypt

> aws kms decrypt --ciphertext-blob fileb://secure.txt

it fails because you need a key

> aws kms decrypt --ciphertext-blob fileb://secure.txt --key-id <the_key-id>
get the key-id from the aws key

we got an error

see, we have sensitive data, say our password
when you have critical data, do not show the data directly.
convert this data into another form.
encode it

there is a form called base64

you can decode it.

encrypt/decrypt and encode/decode are different terms

if someone quickly prints the output, someone may see it and remember it
but if we print the encoded value and convert it to the real data only when needed, this is a more secure way to deal with data.

input in encoded (base64) format for extra security
rather than really showing the real password.

google "base64 encode"
base64encode.org

type 'hello' in the box

at the end of base64 data you will see an = sign (padding).

google for decode and decode the data

base64decode.org

so, now let's go back

decode our data to the cipher data and decrypt
using base64 decode

you can use openssl, base64 or another tool to decode

In windows there is a tool, certutil, to decode

> certutil -h
> certutil -decode secure.txt secure_d.txt

now, open this file
> notepad secure_d.txt
this is actually binary data

the actual encryption

our cipher text is in secure_d.txt


> aws kms decrypt --ciphertext-blob fileb://secure_d.txt

we see the text but it's hard to know the meaning of this output
now, just take this plaintext data and go to base64 decode and convert it; you will see the actual data.
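The same encrypt / base64 / decrypt round trip as a script, added here as an example (not code from the notes). It assumes boto3 is installed and `aws configure` has been run; the KMS client is passed in as a parameter so the logic can be exercised with a stand-in client, and `KEY_ID` is a placeholder alias, not a real key. It also enforces the 4 KB limit on a direct Encrypt call that the notes mention at the end.

```python
import base64
from pathlib import Path

KEY_ID = "alias/mykey1"  # alias from the notes; placeholder, not a real key
MAX_DIRECT = 4096  # direct KMS Encrypt is capped at 4 KB of plaintext


def encrypt_bytes(kms, key_id: str, data: bytes) -> str:
    """Encrypt data and return the CiphertextBlob as base64 text, which is
    what `aws kms encrypt ... --query CiphertextBlob --output text` prints."""
    if len(data) > MAX_DIRECT:
        raise ValueError("over 4 KB: use a data key (envelope encryption)")
    resp = kms.encrypt(KeyId=key_id, Plaintext=data)
    # The API returns raw bytes; the CLI base64-encodes them for display.
    return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")


def encrypt_file(kms, key_id: str, path: str) -> str:
    return encrypt_bytes(kms, key_id, Path(path).read_bytes())


def decrypt_text_blob(kms, b64_blob: str) -> bytes:
    """Decrypt the base64 text saved in secure.txt.

    Passing secure.txt straight to decrypt fails because it holds base64
    *text*, not the raw blob (hence certutil -decode in the notes). No KeyId
    is needed for a symmetric key: the blob carries the key metadata."""
    raw = base64.b64decode(b64_blob.strip(), validate=True)
    resp = kms.decrypt(CiphertextBlob=raw)
    # resp["Plaintext"] is raw bytes here; the CLI prints it base64-encoded,
    # which is why the notes decode once more to read the file.
    return resp["Plaintext"]


def main():
    import boto3  # assumption: boto3 installed and `aws configure` done
    kms = boto3.client("kms")
    Path("secure.txt").write_text(encrypt_file(kms, KEY_ID, "myfile.txt"))
    secret = decrypt_text_blob(kms, Path("secure.txt").read_text())
    print(secret.decode("utf-8"))


if __name__ == "__main__":
    main()
```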


let's say we have data in lambda and want to encrypt it

go to Lambda -> create a function
function: mysecure

Runtime: python 3.8

create a code

function code

def lambda_handler(event, context):
    x = "hello"
    return x

run and test

there is no error
response: hello


let's modify x to a different value
import json

def lambda_handler(event, context):
    db = "redhat"    # keep your pw here and no one should be able to see/read it.

    return db

we can convert this data into cipher text

amazon has an option
lock/unlock environment variables

on windows, you can go to environment variables and add the value there.
but we don't have the capability to go to the lambda os. but there is a capability to add env variables

edit env variable
key: value
MYNAME Jay



in python there is a module os

import json
import os

def lambda_handler(event, context):
  y = os.environ["MYNAME"]
  return y

run your code again and you retrieve the output


encryption at rest

you have data on the hard disk


you can edit the env variable and
enable helpers for encryption

encryption in transit is enabled

aws kms key to encrypt at rest
- default aws/lambda is selected
- use a customer master key
- specify the master key


import json
import os

def lambda_handler(event, context):
  y = os.environ["MYNAME"]
  return y

you cannot use it this way any more (the value is now cipher text)

go to encrypt, and get the code to decrypt the data

and include it before these values in the code



when you run it, it fails.
because the lambda function fails if it runs more than 3 sec
because encryption takes time
go to the function and change the timeout to about 10 sec

run it again, it should succeed
this time it failed too. let's review the log
it shows access denied

now we have to give extra power to lambda

go to lambda -> permissions
- click on the role
permissions
- add inline policy

create policy
add kms
select decrypt

resources:
- specific
- all resources

get the ARN and copy it

review and create

this role is attached to lambda

now, go back to lambda
go to permissions, you now have two roles

go to the role and execute the code
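A handler that puts the decrypt step in the right place, added as an example (it is not the notes' code nor the snippet the Lambda console generates). It assumes the variable DB_PASSWORD was encrypted with the console's encryption helper, which stores the CiphertextBlob base64-encoded and binds it to the function name through an encryption context; the variable name and the key ARN are placeholders.

```python
import base64
import json
import os


def decrypt_env_var(kms, name: str, function_name: str) -> str:
    """base64-decode the variable, then ask KMS to decrypt it. The
    encryption context must match what was used at encrypt time (the
    console helper binds it to the function name) or Decrypt is denied."""
    blob = base64.b64decode(os.environ[name])
    resp = kms.decrypt(
        CiphertextBlob=blob,
        EncryptionContext={"LambdaFunctionName": function_name},
    )
    return resp["Plaintext"].decode("utf-8")


def decrypt_policy(key_arn: str) -> dict:
    """Inline policy for the Lambda role, as in the notes, but scoped to
    the one key ARN rather than 'all resources'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "kms:Decrypt",
                       "Resource": key_arn}],
    }


# Module scope runs once per cold start, so the KMS call (the part that
# pushed the notes past the default 3 s timeout) is not repeated on every
# invocation. AWS_LAMBDA_FUNCTION_NAME is set by the Lambda runtime; the
# block is skipped when the module is imported outside Lambda.
_DB_PASSWORD = None
if "DB_PASSWORD" in os.environ and "AWS_LAMBDA_FUNCTION_NAME" in os.environ:
    import boto3  # available in the Lambda Python runtime
    _DB_PASSWORD = decrypt_env_var(boto3.client("kms"), "DB_PASSWORD",
                                   os.environ["AWS_LAMBDA_FUNCTION_NAME"])


def lambda_handler(event, context):
    # Use the secret (e.g. to open a DB connection); never return or log it.
    return {"statusCode": 200,
            "body": json.dumps({"secret_loaded": _DB_PASSWORD is not None})}
```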

..........................

Note: key is per region

create snapshot ->


asymmetric Key
-----------

go to kms and select asymmetric key
-------------------------------------------

Max data size to encrypt with a symmetric key is 4KB

if you try to encrypt a file larger than 4KB it will give you an error.

there is a way to increase the size using envelope encryption


