This section of the AWS Certified Solutions Architect - Professional learning path introduces the key identity management, security, and encryption services within AWS relevant to the AWS Certified Solutions Architect - Professional exam. Core to security is AWS Identity & Access Management commonly referred to as IAM. This service manages identities and their permissions that can access your AWS resources, so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. IAM is an important service in ensuring your resources are secure.
Learning Objectives
- Learn about identity and access management on AWS, including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
- Learn the fundamentals of AWS Web Application Firewall (WAF), including what it is, when to use it, how it works, and why use it
- Understand how to configure and monitor AWS WAF
- Learn about AWS Firewall Manager and its components
- Learn how to configure AWS Shield
- Learn the fundamentals of AWS Cognito
Before we dive into the AWS Key Management Service itself and how it can be used to encrypt your data in AWS, I feel it would be beneficial to those who are new to encryption to understand the basics of encryption methods used by KMS.
Unencrypted data is data that can be read by anyone who has access to it, whether the data is at rest or in transit between two or more locations. Such data is commonly known as ‘plain text’ or ‘clear text’ data, because it is plain to see and can be read by any recipient. There is nothing wrong with leaving data unencrypted as long as it contains no sensitive or confidential information that needs to be restricted. If, on the other hand, the data does contain sensitive information, such as customer data or financial records, then you need to ensure that the contents of that file are viewable only by those who are authorized. To enhance the security of that object, you should add a layer of encryption to the data.
Data encryption is the mechanism by which information is altered, rendering the plain text data unreadable through the use of mathematical algorithms and encryption keys. Once encrypted, the original plain text is known as cipher text, which is unreadable. To decrypt the data, the encryption key is required to revert the cipher text back into readable plain text.
An encryption key is simply a string of characters used in conjunction with an encryption algorithm, and, for a given algorithm, the longer the key, the more robust the encryption. Encryption methods involving keys can be categorized as either symmetric cryptography or asymmetric cryptography, and, interestingly, AWS KMS uses both of these methods.
Let's take a look at each of these to see how they differ.
With symmetric encryption, a single key is used to both encrypt and decrypt the data. For example, if someone were using a symmetric encryption method, they would encrypt the data with a key, and then, when they needed to access that data again, they would decrypt it with the same key they used to encrypt it. This means that if the encrypted data was to be read by a different recipient, that recipient would need to be issued with the same key. Remember, decrypting the data requires the same key that was used to encrypt it. As a result, this key must be sent securely between recipients, and this exposes a potential weakness in the method: if the key is transmitted without in-transit encryption and is intercepted by a third party, that third party could easily decrypt any data encrypted with that key. AWS KMS helps to resolve this issue by acting as a central repository that governs and stores the keys required, issuing them only to those who have sufficient permissions to use them.
Some common symmetric cryptography algorithms are AES (Advanced Encryption Standard), DES (Data Encryption Standard), Triple DES, and Blowfish.
Now let's compare this to asymmetric encryption, which involves two separate keys: one key is used to encrypt the data and a separate key is used to decrypt it. These keys are created at the same time and are linked through a mathematical relationship. One key is the private key, which should be kept by a single party and never shared with anyone else. The other is the public key, which can be given to and shared with anyone; it’s public for a reason.
Unlike with symmetric encryption, the public key does not have to be sent over a secure channel. It doesn't matter who has access to the public key, because without the private key, data encrypted with the public key cannot be decrypted. So how does it work?
If another party wanted to send you an encrypted message or data, they would encrypt the message using your public key, which is made freely available to them. The message is then sent to you, and you use your own private key, which has the mathematical relationship with your public key, to decrypt the data. This allows you to receive encrypted data without ever transmitting a secret key or exposing your private key, resolving the issue highlighted with symmetric encryption.
The advantage that symmetric encryption has over asymmetric encryption is speed: symmetric encryption and decryption are a lot faster from a performance perspective. However, symmetric encryption carries the additional key-distribution risk highlighted above. Some common examples of asymmetric cryptography algorithms are RSA, Diffie-Hellman, and the Digital Signature Algorithm (DSA).
Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.