Paul Duvall edited this page Jan 13, 2020 · 25 revisions

The Current State of Encryption

Encryption is about protecting your data from unauthorized access. In this lesson, you will learn how to apply encryption in a practical way through automation.

Before I dive into this lesson, I want to share a common perspective about security and compliance – in general – at most enterprises.

Downstream Process

In many enterprises, security is the responsibility of a separate team, or of multiple teams, further downstream in the software development life cycle.

For example, they might have a development team writing code, writing tests, and maybe they are performing continuous integration. They might be doing this over a period of a few weeks or so and then they are ready to release. It goes to QA, then it might go to a change advisory board, internal audit, and in some cases, it might go to a separate security team that gets involved.

The problem with all of this is that there is often a significant amount of time between when a developer commits the code and when any comprehensive security and compliance checks are applied. Even if there are some security control directives that are well documented, it does not mean that they are always run for every release, nor run the exact same way every single time. It might also be weeks before the developer who made that change learns about the security issue. Software engineers will likely lack context if the security or other team brings it up. There is often pressure to release the software to users along with other constraints.

The reason this occurs in many organizations is the cost of processes that might require human intervention, even if it is just one thing that a person has to do. As a result, these compliance checks often get batched and scheduled across all the different application service teams, and the central security, operations, and audit teams have to support these changes. Another reason is that there might simply be a lack of knowledge that you can perform this automation. This is not limited to old-style data center, non-cloud companies: even companies that are using AWS might not know that they can just check a box or automate this through the SDK or through CloudFormation.

Encrypt Everything

As Werner Vogels, CTO of Amazon.com, describes, security is everyone's job, and the beauty of this now is that AWS gives you the tools to bake security and compliance into every step of the software development process. From the standpoint of encryption, you can automate all the encryption as a part of your software development process. You can also automate things like static analysis and runtime checks against your software in order to ensure that you are always in compliance with your encryption directives. As Werner also says, you can "dance like no one's watching, but we encrypt like everyone is".

As of 2019, over 117 AWS services now integrate with the AWS Key Management Service (KMS). As of now, there are over 200 total services on the AWS platform, and well over half of these services provide this integration with KMS. These might be storage services like S3 and EBS, and database services like RDS and DynamoDB. The plan is to eventually have all the services have this capability.

Lessons

In terms of what you will be learning, I will describe how to automate all encryption as part of a software delivery life cycle. For example, how do you use tools like AWS CloudFormation? How do you use the SDK, or how do you access the AWS API, in order to make this a part of that software development process? How do developers apply things like client-side encryption or manage secrets? We will go over client-side encryption a little bit. Once you need to send data over the wire and you need to encrypt in transit, we will be talking about things like AWS Certificate Manager and CloudFront. Next, how do you encrypt that data at rest, through services like RDS, DynamoDB, EBS, S3, etc.?

The underlying service that allows you to encrypt all these resources is KMS, so you will learn the basics of KMS and also how to give fine-grained permission to keys and fine-grained permission to the service itself. Then, when it gets into production and you want to detect whether encryption is enabled across all your AWS accounts, we will cover AWS Config Rules and CloudWatch Event Rules to detect encrypted resources. Finally, we will talk about logging. You can log all of your API calls, but from an encryption standpoint, how do you know when those keys are used, and what mitigations might you have to go through as a result of that monitoring and logging?

Pipeline

There is a heuristic that we use when we look at anything that we are building, deploying, testing, and releasing into production. There are three steps to this heuristic.

  1. The first is to codify: you codify all the things. Whether it is an AWS service, application code, configuration, infrastructure, or the data, we can codify all of that. We can use things like AWS CloudFormation to automate the provisioning and configuration of these services, whether it is database or storage, or the pipeline itself, containers and things like that. How do we codify all of that?
  2. Second, how do you create a pipeline out of this? Not just how do you code it and version it, but how do you put it through a series of stages and actions in which you are building, testing, deploying, and getting it out to end users? The users might not just be end users of the services and applications that your customers consume; they might also be internal, within AWS, and some of the security services or even AWS accounts. You might put these services through a deployment pipeline as well.
  3. Third, how do you secure it? How do you ensure that security is run as a part of your pipelines? How do you ensure that you have security of the pipeline through hardened-build images and that you are ensuring that everything goes through the proper checks? How do you ensure that you give fine-grained permission to all the resources in your AWS accounts? These are the three steps that we consider, and, from an encryption standpoint, we are going to look at how to codify that encryption. How do you put the encryption through a pipeline and then how do you secure that?
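As an added illustration of the three steps together (this is not code from the original page or the LiveLesson), the following Python check could run as a pipeline stage that statically inspects a codified CloudFormation template and fails the build when a storage or database resource does not declare encryption. The sample template, the function names, and the fail-closed policy for values that cannot be resolved statically are assumptions made for this example.

```python
import json
import sys

# Constructed sample template for this example (not from the original page).
TEMPLATE = json.loads("""
{"Resources": {
  "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
  "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
      {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
  "AppVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 100, "Encrypted": false}},
  "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"StorageEncrypted": "true"}},
  "Sessions": {"Type": "AWS::DynamoDB::Table", "Properties": {}}
}}
""")

def is_true(value):
    # Templates may carry booleans as true or "true". Anything else, including
    # an intrinsic function such as {"Ref": ...}, cannot be resolved statically
    # and is treated as a failure (assumed policy: fail closed).
    return value is True or (isinstance(value, str) and value.lower() == "true")

def s3_encrypted(props):
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    return any(r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules)

# Resource type -> predicate over its Properties (hypothetical rule set).
CHECKS = {
    "AWS::S3::Bucket": s3_encrypted,
    "AWS::EC2::Volume": lambda p: is_true(p.get("Encrypted")),
    "AWS::RDS::DBInstance": lambda p: is_true(p.get("StorageEncrypted")),
    "AWS::DynamoDB::Table": lambda p: is_true(p.get("SSESpecification", {}).get("SSEEnabled")),
}

def unencrypted_resources(template):
    """Return sorted (logical_id, type) pairs that do not declare encryption."""
    findings = []
    for name, res in sorted(template.get("Resources", {}).items()):
        check = CHECKS.get(res.get("Type"))
        if check and not check(res.get("Properties") or {}):
            findings.append((name, res["Type"]))
    return findings

if __name__ == "__main__":
    findings = unencrypted_resources(TEMPLATE)
    for name, rtype in findings:
        print(f"FAIL {name} ({rtype}): encryption not declared in template")
    sys.exit(1 if findings else 0)  # non-zero exit fails the pipeline stage
```

The check only verifies what the template declares; detecting drift in deployed resources is the job of the runtime detection covered later in the lesson.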

You will see all of these aspects in this LiveLesson.
