AWS DevOps — Part 4 KMS, Encryption, Security

The final subject is DevOps Security (OpsSec), an important component of maintaining the integrity of an AWS system. AWS’s Key Management Service (KMS) provides encryption services. Encryption is a key component of cyber security.
Encryption
Encryption ensures that data cannot be read without the corresponding encryption key. Encryption and decryption can be applied at different points along the path the data travels.
In Flight (SSL) — data is encrypted before being sent and decrypted by the receiver. SSL certificates help prevent man-in-the-middle attacks.
Server Side Encryption — data is encrypted by the server after it is received and decrypted before it is sent back.
Client Side Encryption — data is encrypted by the client before it is sent and decrypted by the receiver.
Encryption Keys
Encryption keys encrypt and decrypt data sent between network endpoints (for instance, a client service requesting information from a database). Data passed between these endpoints is not readable until it is decrypted using the encryption key.
KMS
Key Management Service (KMS) is a fully managed key management service. KMS creates, rotates, enables, and disables keys. CloudTrail can be integrated with KMS to audit key usage, and CloudWatch can notify IT of events such as increased key usage. KMS secrets can be stored as environment variables so they are not exposed in the code. By default only 4 KB of data can be encrypted per call, but envelope encryption can protect more by calling the GenerateDataKey API: the payload is encrypted locally under a data key, and only that data key is encrypted by KMS.
There are three types of Customer Master Keys (CMKs). API calls cost $0.03 per 10,000 calls.
- AWS managed keys used through the SDK — free
- User-created keys in KMS — $1/month
- Imported 256-bit symmetric keys — $1/month
User-created or imported keys may be used to add an additional layer of security or compatibility with non-AWS services. KMS works in conjunction with IAM to ensure a client has permission to access the secrets protected by KMS.
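The envelope encryption pattern described above, as an added example that is not code from the original post: the KeyService interface and FakeKMS are assumptions that stand in for the AWS SDK's GenerateDataKey and Decrypt calls so the block runs offline, the payload is encrypted locally with AES-GCM under the data key, and only the wrapped data key ever goes to KMS.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// KeyService models the two KMS calls envelope encryption needs; in production it would wrap the AWS SDK's GenerateDataKey and Decrypt (interface shape assumed).
type KeyService interface {
	GenerateDataKey() (plaintextKey, wrappedKey []byte)
	Decrypt(wrappedKey []byte) ([]byte, error)
}
// Envelope is the stored form: ciphertext plus the KMS-wrapped data key; the plaintext data key is never persisted.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only a programming error (wrong key length) can reach here
	}
	return v
}
func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func random(n int) []byte         { b := make([]byte, n); must(rand.Read(b)); return b }
// Seal encrypts a payload of any size locally under a fresh 256-bit data key (only the 32-byte key, never the payload, meets KMS's 4 KB per-call limit) and binds the wrapped key as associated data, so a swapped key fails authentication.
func Seal(kms KeyService, plaintext []byte) *Envelope {
	key, wrapped := kms.GenerateDataKey()
	gcm := newGCM(key)
	nonce := random(gcm.NonceSize())
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, wrapped)}
}
// Open asks KMS to unwrap the data key (the IAM-authorised, CloudTrail-logged step) and decrypts locally; tampering with the envelope yields an error, never garbage.
func Open(kms KeyService, env *Envelope) ([]byte, error) {
	key, err := kms.Decrypt(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return newGCM(key).Open(nil, env.Nonce, env.Ciphertext, env.WrappedKey)
}
// FakeKMS is a constructed in-memory stand-in so the example runs offline: it wraps data keys under a master key that never leaves it, as a CMK never leaves KMS.
type FakeKMS struct{ master cipher.AEAD }
func NewFakeKMS() *FakeKMS { return &FakeKMS{master: newGCM(random(32))} }
func (f *FakeKMS) GenerateDataKey() ([]byte, []byte) {
	key, nonce := random(32), random(f.master.NonceSize())
	return key, append(nonce, f.master.Seal(nil, nonce, key, nil)...)
}
func (f *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if n := f.master.NonceSize(); len(wrapped) >= n {
		return f.master.Open(nil, wrapped[:n], wrapped[n:], nil)
	}
	return nil, errors.New("malformed wrapped key")
}
```

Because the data key is only ever decrypted by a KMS Decrypt call, every read of the stored envelope is an IAM decision and a CloudTrail event, which is what makes the key-usage auditing mentioned above possible.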
KMS & DevOps
KMS, in conjunction with IAM policies, protects data by providing the encryption keys that protect it while it is passed between network endpoints. KMS is pivotal for maintaining the security of data such as passwords or financial information: it ensures data is read only by those with permission to read it, validating credentials with an encryption key. Encryption keys can be implemented in a number of ways, but all serve the same encrypt/decrypt principles.
KMS is a crucial component of the DevOps model, as it ensures proprietary information is protected in a development environment as well as customer secrets in a production environment. KMS can be used by many services, including Lambda and DynamoDB, and works in conjunction with IAM as well as other services such as CloudTrail.
DevOps in AWS
AWS facilitates the modern software development practice of DevOps, a model of continuous integration and continuous deployment, by offering several key services managed by AWS. The Code-series tools (CodeBuild, CodeDeploy, etc.) facilitate pipelines that mature code and deploy it to a system. Monitoring and messaging services such as X-Ray or Kinesis control the flow of data within or between applications. The container service ECS creates a standalone environment in which the application can run on a variety of hosts. KMS provides encryption key management, ensuring data in transit is protected.
