Paul Duvall edited this page Jan 6, 2020 · 25 revisions

The Current State of Encryption

Encryption is about protecting your data from unauthorized access. In this course, you will learn how to apply encryption in a practical way through automation.

Before we get into this, I want to share a perspective on what we often see when it comes to security and compliance in general at most enterprises.

Downstream Process

In the enterprises we first come across, security is the responsibility of a separate team, or of multiple teams, that sit further downstream in the software development life cycle.

For example, they might have a development team writing code, writing tests, and maybe performing continuous integration. They might be doing this over a period of a few weeks or so, and then they are ready to release. Let's just say it goes to QA, then it might go to a change advisory board and internal audit, and in some cases a separate security team gets involved.

The problem with all of this is that there is often a significant amount of time between when a developer commits the code and when any comprehensive security and compliance checks are applied. Even if some security control directives are well documented, that does not mean they are run for every release, or run the exact same way every single time. It might also be weeks before the developer who made the change learns about the security issue, and they will likely lack context when the security or another team brings it up. There is often pressure to release the software to users, along with other constraints.

This occurs in many organizations because of the cost of processes that require human intervention, even if it is just one thing that a person has to do. As a result, these compliance checks often get batched and scheduled across all the different application service teams, and the central security, operations, and audit teams have to support these changes. Another reason is that there might simply be a lack of knowledge that you can perform this automation. It is not just the old-style data center, non-cloud types of companies: even companies that are using AWS might not know that they can just check a box or automate this through the SDK or through CloudFormation.

Encrypt Everything

As Werner Vogels talks about, the bottom line of all this is that security is everyone's job, and the beauty of this now is that AWS gives you the tools to bake security and compliance into every step of the software development process. From the standpoint of encryption, you can automate all of the encryption as a part of your software development process. You can also automate things like static analysis and runtime checks against your software to ensure that you are always in compliance with your encryption directives. As Werner also says, you can "dance like no one's watching, but we encrypt like everyone is".

As of 2019, over 117 AWS services integrate with the AWS Key Management Service (KMS). As of now, there are close to 200 total services on the AWS platform, so much more than half of them provide this integration with KMS. These might be storage services like S3 and EBS, or database services like RDS and DynamoDB. The plan is to eventually have all the services have this capability.

Lessons

In terms of what I will be covering, I will be talking about how you automate all of this: how you incorporate it into the software development lifecycle, how you use things like AWS CloudFormation, and how you use the SDK or access AWS' API to make this a part of that software development process. We will go over a little of how developers apply things like client-side encryption or manage secrets. Once you need to send data over the wire, you need to encrypt it in transit, so we will be talking about things like AWS Certificate Manager and CloudFront. Then we will cover how you encrypt that data at rest through database and storage services like RDS, DynamoDB, EBS, S3 and so forth.

The underlying service that allows you to encrypt all these resources is KMS. We will go over KMS and also how to give fine-grained permissions to keys and to the service itself. Then, when it gets into production and you want to detect whether encryption is enabled across all your AWS accounts, we will cover AWS Config Rules and CloudWatch Event Rules to detect encrypted resources. Finally, we will talk about logging. You can log all of your API calls, but from an encryption standpoint, how do you know when those keys are used, and what mitigations might you have to go through as a result of that monitoring and logging?

Pipeline

There is a heuristic that we use when we look at really anything that we are building, deploying, testing, and releasing into production. There are three steps to this heuristic.

The first is to codify: you codify all the things. Whether it is an AWS service, application code, configuration, infrastructure, or the data, we can codify all of it. We can use things like AWS CloudFormation to automate the provisioning and configuration of these services, whether it is a database, storage, the pipeline itself, containers, and things like that. How do we codify all of that?

The next thing we consider as a part of this heuristic is how you create a pipeline out of this. It is not just how you code it and version it, but how you put it through a series of stages and actions in which you are building, testing, deploying, and getting it out to end users. The users might not just be end users of the services and applications that your customers consume; they might also be internal, within AWS and some of the security services or even AWS accounts. You might put these services through a deployment pipeline as well.

The last part of this is how you secure it. How do you ensure that security is run as a part of your pipelines? How do you ensure the security of the pipeline itself through hardened build images, ensure that everything goes through the proper checks, and give fine-grained permissions to all the resources in your AWS accounts? So these are the three steps that we consider and, from an encryption standpoint, we are going to look at how you codify that encryption, how you put the encryption through a pipeline, and then how you secure that.

You will see all of these aspects in this course.
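
As an added illustration of running security checks inside the pipeline (not code from this course): a static check that a build stage could run against a codified CloudFormation template, failing the stage when a storage resource does not declare encryption at rest. The property names are CloudFormation's own; the sample template and its logical IDs are constructed, and only S3 buckets, EBS volumes, and RDS instances and clusters are covered.

```python
# Added example: static encryption gate for a CloudFormation template (sample data is constructed).

# Resource type -> boolean property that must be true for encryption at rest.
BOOLEAN_CHECKS = {
    "AWS::EC2::Volume": "Encrypted",
    "AWS::RDS::DBInstance": "StorageEncrypted",
    "AWS::RDS::DBCluster": "StorageEncrypted",
}

def check_resource(rtype, props):
    """Return None if the resource is compliant, else a short reason string."""
    if rtype == "AWS::S3::Bucket":
        enc = props.get("BucketEncryption", {})
        return None if enc.get("ServerSideEncryptionConfiguration") else "no BucketEncryption declared"
    prop = BOOLEAN_CHECKS.get(rtype)
    if prop is None:
        return None  # resource type not covered by this check
    if rtype == "AWS::RDS::DBInstance" and "DBClusterIdentifier" in props:
        return None  # cluster members inherit the cluster's setting
    value = props.get(prop, False)
    if isinstance(value, dict):
        # Intrinsic function (Ref, Fn::If, ...): cannot be decided statically.
        return f"{prop} is set by an intrinsic function; review manually"
    if str(value).lower() != "true":
        return f"{prop} is not true"
    return None

def scan_template(template):
    """Map logical resource id -> reason for every non-compliant resource."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        reason = check_resource(res.get("Type"), res.get("Properties", {}))
        if reason:
            findings[logical_id] = reason
    return findings

SAMPLE_TEMPLATE = {"Resources": {  # constructed sample, parsed-template form
    "GoodBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "BadBucket": {"Type": "AWS::S3::Bucket"},
    "BadVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 10, "Encrypted": False}},
    "ParamDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"StorageEncrypted": {"Ref": "EncryptDb"}}},
    "GoodDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"StorageEncrypted": "true"}},
}}

if __name__ == "__main__":
    findings = scan_template(SAMPLE_TEMPLATE)
    print("\n".join(f"FAIL {k}: {v}" for k, v in sorted(findings.items())))
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the pipeline stage
```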
