{"id":3223,"date":"2019-09-02T11:14:52","date_gmt":"2019-09-02T11:14:52","guid":{"rendered":"https:\/\/www.testpreptraining.com\/tutorial\/?page_id=3223"},"modified":"2020-05-02T05:21:16","modified_gmt":"2020-05-02T05:21:16","slug":"network-and-data-security-in-aws","status":"publish","type":"page","link":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-solutions-architect-professional-sap-c01\/network-and-data-security-in-aws\/","title":{"rendered":"Network and Data Security in AWS"},"content":{"rendered":"\n<p>AWS provides several security capabilities and services to increase privacy and control network access. Network firewalls built into Amazon VPC, and web application firewall capabilities in AWS WAF let you create private networks, and control access to instances and applications.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"177\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-58.png\" alt=\"\" class=\"wp-image-3425\"\/><\/figure>\n\n\n\n<p><strong>Benefits of AWS Security<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Keep Data Safe &#8211; The AWS infrastructure puts strong safeguards in place to help protect customer privacy. <\/li><li>AWS Compliance &#8211; AWS manages dozens of compliance programs in its infrastructure. 
<\/li><li>Cost Savings &#8211; Maintain the highest standard of security without having to manage your own facility.<\/li><li>Quick Scaling &#8211; Security scales with AWS cloud usage.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"578\" height=\"400\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-59-578x400.png\" alt=\"\" class=\"wp-image-3426\" srcset=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-59-578x400.png 578w, https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-59.png 624w\" sizes=\"auto, (max-width: 578px) 100vw, 578px\" \/><\/figure><\/div>\n\n\n\n<p><strong>Server-side encryption at rest<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Data is encrypted after being received by the server<\/li><li>Data is decrypted before being sent<\/li><li>It is stored in an encrypted form thanks to a key (usually a data key)<\/li><li>The encryption\/decryption keys must be managed somewhere and the server must have access to them<\/li><\/ul>\n\n\n\n<p><strong>Client-side encryption<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Data is encrypted by the client and never decrypted by the server<\/li><li>Data will be decrypted by a receiving client<\/li><li>The server should not be able to decrypt the data<\/li><li>Could leverage Envelope Encryption<\/li><li>Client library such as the Amazon S3 Encryption Client<\/li><li>Clients must encrypt data themselves before sending to S3<\/li><li>Clients must decrypt data themselves when retrieving from S3<\/li><li>Customer fully manages the keys and encryption cycle<\/li><\/ul>\n\n\n\n<p><strong>S3 object encryption methods<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SSE-S3: encrypts S3 objects using keys handled &amp; managed by AWS<\/li><li>SSE-KMS: leverage AWS Key Management Service to manage encryption keys<\/li><li>SSE-C: when you want to manage your own
encryption keys<\/li><li>Client-side encryption<\/li><\/ul>\n\n\n\n<p><strong>SSE-S3<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SSE-S3: encryption using keys handled &amp; managed by AWS S3<\/li><li>Object is encrypted server-side<\/li><li>AES-256 encryption type<\/li><li>Must set header: &#8220;x-amz-server-side-encryption&#8221;: &#8220;AES256&#8221;<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"449\" height=\"353\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-60.png\" alt=\"\" class=\"wp-image-3427\"\/><\/figure><\/div>\n\n\n\n<p><strong>SSE-KMS<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SSE-KMS: encryption using keys handled &amp; managed by KMS<\/li><li>KMS advantages: user control + audit trail<\/li><li>Object is encrypted server-side<\/li><li>Must set header: &#8220;x-amz-server-side-encryption&#8221;: &#8220;aws:kms&#8221;<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"312\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-61.png\" alt=\"\" class=\"wp-image-3428\"\/><\/figure><\/div>\n\n\n\n<p><strong>SSE-C<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SSE-C: server-side encryption using data keys fully managed by the customer outside of AWS<\/li><li>Amazon S3 does not store the encryption key you provide<\/li><li>HTTPS must be used<\/li><li>The encryption key must be provided in HTTP headers with every HTTP request made<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"449\" height=\"353\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-62.png\" alt=\"\"
class=\"wp-image-3429\"\/><\/figure><\/div>\n\n\n\n<p><strong>Encryption in transit (SSL)<\/strong><\/p>\n\n\n\n<p>AWS S3 exposes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>HTTP endpoint: non encrypted<\/li><li>HTTPS endpoint: encryption in flight<\/li><\/ul>\n\n\n\n<p>AWS KMS (Key Management Service)<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Anytime you hear \u201cencryption\u201d for an AWS service, it\u2019s most likely KMS<\/li><li>Easy way to control access to data, AWS manages keys for us<\/li><li>Fully integrated with IAM for authorization<\/li><li>Seamlessly integrated into:<\/li><li>Amazon EBS: encrypt volumes<\/li><li>Amazon S3: Server side encryption of objects<\/li><li>Amazon Redshift: encryption of data<\/li><li>Amazon RDS: encryption of data<\/li><li>Amazon SSM: Parameter store<\/li><li>You can also use the CLI \/ SDK<\/li><li>KMS can be used to decrypt\/encrypt up to 4KB of data. <\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"366\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-63.png\" alt=\"\" class=\"wp-image-3430\"\/><\/figure><\/div>\n\n\n\n<p><strong>Steps to\nimplement Envelope Encryption <\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Create\na new CMK, or re-use an existing CMK. This can be done the AWS Console, or with\nCLI using create-key.<\/li><li>Use\ngenerate-data-key to get a data key.<\/li><li>This\nreturns the plain text data key, and also an encrypted (with the specified CMK)\nversion of the data key. The encrypted version is referred to as a\nCipherTextBlob. Store the returned CipherTextBlob (we will need it later). 
The CipherTextBlob has metadata which tells KMS which CMK was used to generate it.<\/li><li>Use the plain-text data key to encrypt any amount of data.<\/li><li>Throw away the plain-text data key, but be sure to store the CipherTextBlob alongside the encrypted data.<\/li><li>To decrypt, use the Decrypt API, sending it the CipherTextBlob from step (3).<\/li><li>The above step will return the plain-text data key (the same one we threw away). Use this key to decrypt the data.<\/li><li>Throw away the plain-text data key.<\/li><li>To encrypt more data, repeat steps 6, 7, 8 except use the plain-text key to encrypt instead of decrypt.<\/li><\/ol>\n\n\n\n<p><strong>When to Use KMS<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Use AWS KMS to create and manage master keys (CMKs). You can establish policies that determine who can use CMKs and how they can use them. You can track their use in transaction and audit logs, such as AWS CloudTrail.<\/li><li>You can use CMKs to encrypt small amounts of data (up to 4096 bytes). However, CMKs are typically used to generate, encrypt, and decrypt the data keys that encrypt data. Unlike CMKs, data keys can encrypt data of any size and format, including streamed data.<\/li><\/ul>\n\n\n\n<p><strong>When not to use KMS<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AWS KMS does not store or manage data keys, and you cannot use KMS to encrypt or decrypt with data keys. To use data keys to encrypt and decrypt, use the AWS Encryption SDK.<\/li><li>AWS KMS CMKs are backed by FIPS-validated hardware security modules (HSMs) that KMS manages. To manage your own HSMs, use AWS CloudHSM.<\/li><li>AWS KMS only supports symmetric encryption. If you want to use asymmetric encryption, use AWS CloudHSM.<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>AWS provides several security capabilities and services to increase privacy and control network access.
Network firewalls built into Amazon VPC, and web application firewall capabilities in AWS WAF let you create private networks, and control access to instances and applications. Benefits of AWS Security Keep Data Safe &#8211; The AWS infrastructure puts strong safeguards in&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":2471,"menu_order":37,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"categories":[2],"tags":[7,558],"class_list":["post-3223","page","type-page","status-publish","hentry","category-amazon-aws","tag-aws","tag-data-security-in-aws"],"acf":[]}