In this section of the AWS Certified: SAP on AWS Specialty learning path, we introduce you to the various Security services currently available in AWS that are relevant to the PAS-C01 exam.
Learning Objectives
- Understand the purpose of AWS user and identity management
- Identify resources and capabilities for AWS network security
- Understand how to evaluate the security of an AWS environment
- Describe AWS services used to create a comprehensive security solution for SAP deployments
Prerequisites
The AWS Certified: SAP on AWS Specialty certification has been designed for anyone who has experience managing and operating SAP workloads. Ideally you’ll also have some exposure to the design and implementation of SAP workloads on AWS, including migrating these workloads from on-premises environments. Many exam questions require a solutions-architect level of knowledge across a wide range of AWS services, including the AWS Security services. All of the AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
Before we dive into the AWS Key Management Service itself and how it can be used to encrypt your data in AWS, I feel it would be beneficial to those who are new to encryption to understand the basics of encryption methods used by KMS.
Unencrypted data is data that can be read and seen by anyone who has access to it, whether the data is at rest or in transit between two or more locations. This unencrypted data is commonly known as ‘plain text’ or ‘clear text’ data, as the data is plain to see and can be read by any recipient. There is no problem with data being unencrypted as long as it does not contain sensitive or confidential information that needs to be restricted. If, on the other hand, your data does contain sensitive information, such as customer data or financial records, then you need to ensure that the contents of that file are only viewable by those who are authorized. To enhance the security of that object, you should add a layer of encryption to the data.
Data encryption is the mechanism by which information is altered, rendering the plain text data unreadable through the use of mathematical algorithms and encryption keys. Once encrypted, the original plain text is known as cipher text, which is unreadable. To decrypt the data, an encryption key is required to revert the cipher text back into readable plain text.
An encryption key is simply a string of characters used in conjunction with an encryption algorithm, and the longer the key, the more robust the encryption. Encryption methods involving keys can be categorized as either symmetric cryptography or asymmetric cryptography, and interestingly AWS KMS uses both of these methods.
Let's take a look at each of these to see how they differ.
With symmetric encryption, a single key is used to both encrypt and decrypt the data. So, for example, if someone was using a symmetric encryption method, they would encrypt the data with a key, and when that person later needed to access that data, they would use the same key they used to encrypt it to decrypt it. This means that if the encrypted data was being read by a different recipient, that recipient would need to be issued with the same key. Remember, the key needed to decrypt the data is the same one that was used to encrypt it. As a result, this key must be sent securely between recipients, and this exposes a potential weakness in the method: if the key is sent without in-transit encryption and is intercepted by anyone during transmission, that third party could easily decrypt any data associated with that key. AWS KMS helps to resolve this issue by acting as a central repository, governing and storing the keys required and only issuing the decryption keys to those who have sufficient permissions to use them.
Some common symmetric cryptography algorithms are AES (Advanced Encryption Standard), DES (Data Encryption Standard), Triple DES and Blowfish.
Now let's compare this to asymmetric encryption, which involves two separate keys: one is used to encrypt the data and a separate key is used to decrypt it. These keys are created at the same time and are linked through a mathematical algorithm. One key is considered the private key; it should be kept by a single party and never shared with anyone else. The other key is considered the public key, and this key can be given and shared with anyone. It’s public for a reason.
Unlike with symmetric encryption, this public key does not have to be sent over a secure channel. It doesn't matter who has access to the public key, because without the private key, any data encrypted with it cannot be accessed. So how does it work?
If another party wanted to send you an encrypted message or data, they would encrypt the message using your public key, which is made freely available to them. The message is then sent to you, and you use your own private key, which has the mathematical relationship with your public key, to decrypt the data. This allows you to receive encrypted data without the risk of exposing your private key, resolving the issue highlighted with symmetric encryption.
The advantage that symmetric encryption has over asymmetric encryption is the speed of encryption and decryption: symmetric is a lot faster from a performance perspective. However, it does carry the additional key-distribution risk highlighted above. Some common examples of asymmetric cryptography algorithms are RSA, Diffie-Hellman, and the Digital Signature Algorithm (DSA).
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.