# Cloud Computing

---

# PPT STRUCTURE

`Any question we add must be an open-ended question.`

### slide 0

* How do we keep data secure inside an application?

### Protect data at rest

`* Describe how to protect data at rest and in transit.`

* How do we protect confidential data?
* Developers use **digital signatures or encryption** --> **ensure data integrity**
* **Principle of least privilege** --> prevent files from being deleted **accidentally or maliciously**.
* **External factors** that damage the system, hardware and software --> make sure data can be **restored from replicas**.

Protecting data is therefore essential, so that important information is not compromised by attackers.

### GRANTING PERMISSIONS

* For the security of the system, developers need to **control permissions**, so Amazon S3 provides **access control mechanisms**.
* Control is **identity-based** & **resource-based**.

### amazon s3 block public access

`* Identify Amazon Simple Storage Service (Amazon S3) protection features.`

* Helps users **configure the permissions granted when objects are accessed**.
* 4 settings --> different choices depending on the user's needs

### Protection through encryption

`* Encrypt data in Amazon S3.`

* When it comes to protecting data, the most common method is encryption.
* Encryption (symmetric & asymmetric)
* The encryption flow on AWS
    * 1: the file is stored to S3 (go to the next page) -->
        * client-side encryption
    * 2: the request asks for encryption; KMS, the key management service
        * KMS: a service that manages and protects keys
    * 3: generate a key
    * 4: KMS sends two copies to S3
    * 5: keep the copy encrypted under the key (ciphertext) and delete the plaintext copy.
* Amazon offers 3 types of server-side encryption.
    * SSE-C: encrypt with a customer-provided key, **the customer keeps the key themselves**
    * SSE-S3: **every object** uploaded is encrypted
    * SSE-KMS: similar to SSE-S3, but it **manages keys for you and checks for anomalies**.
* Explain how decryption works
    * 1: request to open the object
    * 2: S3 finds that the requested object is encrypted.
    * 3: send this copy to KMS
    * 4: decrypt in KMS
    * 5: the key is returned to S3
    * 6: S3 decrypts

### lab: aws kms

* Introduce the four parts of the lab and the workflow.
    * amazon s3
    * aws kms: create mykmskey
    * amazon EBS: how copies are made during the encryption and decryption process.
    * CloudTrail: the log files recorded during the operations.
* task1: create an AWS KMS key.
    * pic1: mykmskey is the key newly created by the user.
    * pic2: our settings for this key (including permissions, etc.)
* task2: store the encrypted object in S3
    * pic1/2: the object created by the user has been encrypted by AWS KMS.
    * S3 sets this file to "block all public access" **by default**, so accessing this URL from outside is now blocked.
    * Invalid Argument error, because the object is encrypted and the data cannot be read without the key.
* task4: decrypt
    * After the user is authenticated, the object is decrypted.
    * The URL in red is the successfully decrypted plaintext.
* task5: use CloudTrail to monitor AWS KMS activity
    * Analyze the event record for encrypting the object
    * Analyze the event record for decrypting the object

### question

* After explaining the importance of data and the concepts.
* Have you ever been hacked or had data stolen? (e.g., an account being stolen)
    * MapleStory: the item "輪迴" was stolen, and 40,000 dollars were gone.
* If not, is there a security-incident news story that left the deepest impression on you that you could share with everyone?

---

### slide 1: title slide

* Title: Security in AWS Cloud
* group/Name/date
* abstract: Focus on AWS Academy Implementations

### slide 2: Introduction

* What is Cloud Computing?
* Introduction to Security on AWS
* Importance of security in the cloud
* Security Pillar of AWS Well-Architected Framework
* Shared Responsibility Model
* AWS Managed Service Provider (MSP) Program

### slide 3: Securing Access to Cloud Resources

* AWS Identity and Access Management (IAM)
* Security Best Practices in IAM
* Policies and Permissions in IAM
* Identity Federation in AWS

### slide 4: Securing Your Infrastructure

* Amazon Virtual Private Cloud (VPC)
* Network Security: Security Groups, NAT, Internet Gateways
* Elastic Load Balancing and Amazon Inspector
* Experiment ?

### slide 5: Protecting Data in Your Application

* Data Protection in Amazon S3
* Encryption using AWS Key Management Service (KMS)
* AWS Secrets Manager for Secure Credential Management
* Experiment ?

### slide 6: Logging and Monitoring

* AWS CloudTrail for Audit Trails
* VPC Flow Logs and Application Load Balancer Access Logs
* Amazon CloudWatch and AWS Security Hub for Monitoring

### slide 7: Responding to and Managing an Incident

* AWS Trusted Advisor and Amazon GuardDuty
* AWS Shield for DDoS Protection
* AWS Systems Manager and AWS CloudFormation for Incident Response

### slide 8: conclusion

* Recap of key security concepts in AWS
* Importance of staying up-to-date with AWS security features

### q&a

* Integrated into the slides

### references

- [ ] Work allocation?
- [ ] Q & A ?

---

# module 5 protecting data in your application

### content:

* Describe how to protect data at rest and in transit.
* Identify Amazon Simple Storage Service (Amazon S3) protection features.
* Encrypt data in Amazon S3.
* Differentiate between client-side encryption (CSE) and server-side encryption (SSE).
* Identify Amazon Web Services (AWS) services that help protect your data.
### sections

* Protect data at rest
* Amazon S3 protection features
* Protection through encryption
* Protect data in transit
* Best practices to protect data in Amazon S3
* Additional data protection services

### bank business scenario

* Let’s discuss how the concepts in this module are applicable to the bank business scenario.
* John was receptive to María’s presentation and appears supportive of her plan to secure the bank’s assets from outside attacks. However, María noticed that John still seemed unsure of the security capabilities inherent to AWS.
* John explained that, at his previous employer, a disgruntled employee had inappropriately accessed some inadequately secured user data. This wasn’t discovered until after the employee had left the company. This breach cost the company a large amount of money in fines and settlements.
* For John to be comfortable with migrating to the cloud, he needs to understand how user data would be protected in the AWS Cloud. For their next meeting, María wants to explain how they can secure user data that’s stored in the cloud.
* ![Screenshot 2024-03-15 8.46.56 PM](https://hackmd.io/_uploads/SkPLQT-A6.png)
* For accessibility: Shared responsibility model listing customer and AWS responsibilities. Customer is responsible for security in the cloud. This includes customer data. Platform, applications, identity and access management. Operating system, network, and firewall configuration. Client-side data encryption and data integrity, authentication. Server-side encryption of file system and data. Networking traffic protection, to include encryption, integrity, and identity. AWS is responsible for security of the cloud. This includes the AWS foundation services for compute, storage, databases, and networking. And the AWS Global Infrastructure, to include Regions, Availability Zones, and Edge Locations.
End of accessibility description. This module covers two portions of the shared responsibility model: client-side encryption and data integrity, including authentication, and server-side encryption (file system and data). The customer is responsible for securing these portions.

---

# protect data at rest

It's important to encrypt data at rest. This ensures the security of the data even if an unauthorized party gains access to it. Encrypting data at rest makes it much more difficult for attackers to compromise data, even if they can compromise an endpoint. Also, you might need to protect your data at rest due to business or compliance requirements.

The following list identifies the most common issues that make it necessary to protect your data at rest. The list also describes how to protect against each issue:

* Information disclosure: Limit the number of users who can access data, and use policies to manage access to resources. Use encryption to protect confidential data.
* Data integrity compromise: Use resource permissions to limit the scope of users who can modify data. Implement digital signatures and encryption. Restore data from backup, or, in the case of Amazon S3, from a previous object version.
* Accidental or malicious deletion: Use the correct permissions and the principle of least privilege. Restore data from backup, or, in the case of Amazon S3, from a previous object version.
* System, hardware, and software availability: In the case of a system failure or natural disaster, restore your data from replicas.

### Data at rest in Amazon S3

* By default, all Amazon S3 resources—buckets, objects, and related subresources (for example, lifecycle configuration and website configuration)—are private. Only the resource owner, the AWS account that created it, can access the resource. The resource owner can grant access permissions to others by writing an access policy.
* You can modify bucket policies to allow additional access, and AWS provides a number of tools to configure buckets for a wide variety of workloads. For example, the S3 Block Public Access feature acts as an additional layer of protection to prevent accidental exposure of data.
* In addition, consider encrypting data at rest in Amazon S3.

### Granting permission

### key points

Key takeaways from this section of the module include the following:

* Encrypting data at rest makes it more difficult for attackers to compromise data.
* Data stored in Amazon S3 is private by default and requires AWS credentials for access.
* Amazon S3 supports two types of access control mechanisms:
    * Identity based (or user based)
    * Resource based

---

# Amazon S3 protection features

### Amazon S3 Block Public Access

* Helps you manage public access to S3 resources
* 4 settings
    * BlockPublicAcls: Prevent any new operations from making buckets or objects public through bucket or object ACLs. Existing policies and ACLs for buckets and objects are not modified.
    * IgnorePublicAcls: Ignore all public ACLs on a bucket and any objects that it contains.
    * BlockPublicPolicy: Reject calls to PUT a bucket policy if the specified bucket policy allows public access. (Enabling this setting doesn't affect existing bucket policies.)
    * RestrictPublicBuckets: Restrict access to a bucket with a public policy to only AWS services and authorized users within the bucket owner's account.
* https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

### Amazon S3 Versioning

* https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html

### Amazon S3 Object Lock

* https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html#object-lock-overview

### key points

* Block Public Access ensures that objects never have public access, now and in the future.
* Versioning preserves, retrieves, and restores every version of every object stored in an S3 bucket.
* Object Lock prevents an object version from being deleted or overwritten for a fixed amount of time or indefinitely.

---

# protection through encryption

### encryption: what, how, and why

* Encryption works by using an algorithm with a key to convert plaintext data into unreadable data (ciphertext) that can only become readable again with the right key. For example, a simple phrase such as “Hello World!” might look like “1c28df2b595b4e30b7b07500963dc7c” when encrypted.
* Several different encryption algorithms exist, all using different types of keys. A strong encryption algorithm relies on mathematical properties to produce ciphertext that can’t be decrypted by using any practically available amount of computing power without also having the necessary key. Therefore, protecting and managing the keys becomes a critical part of any encryption solution.

### comparing client-side and server-side encryption

* client-side encryption (CSE)
* server-side encryption (SSE)

### types of Amazon S3 server-side encryption

* SSE with customer-provided keys (SSE-C)
* SSE with Amazon S3 managed keys (SSE-S3)
* SSE with AWS KMS keys (SSE-KMS)
* https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html

### encryption overview

### decryption overview

### AWS Key Management Service

### AWS KMS example - Amazon EBS

### Key points

* AWS supports both client-side and server-side encryption.
    * CSE: You encrypt your data before sending it to AWS.
    * SSE: AWS encrypts data on your behalf after receiving it.
* AWS provides three types of SSE:
    * SSE with customer-provided keys (SSE-C)
    * SSE with Amazon S3 managed keys (SSE-S3)
    * SSE with AWS KMS keys (SSE-KMS)
* AWS KMS can create and control the keys used to encrypt your data.
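The four Block Public Access settings in the "Amazon S3 protection features" section above are easy to confuse (two act on new PUT calls, two neutralise grants that already exist). The following is an added example, not part of the original notes or AWS's own code: a small offline model of those four flags, with a deliberately simplified notion of "public" (an ACL grant to the AllUsers/AuthenticatedUsers groups, or an Allow statement with Principal `*` and no Condition; real S3 evaluates more cases). The sample ACL, policy and owner ID are constructed for the example.

```python
"""Offline model of the four Amazon S3 Block Public Access settings (added example)."""
from dataclasses import dataclass

# Real S3 predefined-group URIs; a grant to either of them makes an ACL "public".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


@dataclass(frozen=True)
class PublicAccessBlock:
    """Mirrors the PublicAccessBlockConfiguration fields; all True = 'Block all public access'."""
    block_public_acls: bool = True
    ignore_public_acls: bool = True
    block_public_policy: bool = True
    restrict_public_buckets: bool = True


def acl_is_public(acl: dict) -> bool:
    """An ACL is public if any grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS for g in acl.get("Grants", []))


def policy_is_public(policy: dict) -> bool:
    """Simplified (assumption): an Allow statement with Principal '*' and no Condition is public."""
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            return True
    return False


def put_acl_allowed(pab: PublicAccessBlock, acl: dict) -> bool:
    """BlockPublicAcls rejects a *new* public ACL; ACLs that already exist are not modified."""
    return not (pab.block_public_acls and acl_is_public(acl))


def put_policy_allowed(pab: PublicAccessBlock, policy: dict) -> bool:
    """BlockPublicPolicy rejects a PUT of a bucket policy that grants public access."""
    return not (pab.block_public_policy and policy_is_public(policy))


def anonymous_read_allowed(pab: PublicAccessBlock, acl: dict, policy: dict) -> bool:
    """Would an unauthenticated GET succeed under the *existing* ACL and policy?

    IgnorePublicAcls neutralises public ACL grants that are already in place;
    RestrictPublicBuckets limits a public policy to AWS services and the owner's
    account, so an anonymous caller gets nothing from it.
    """
    via_acl = acl_is_public(acl) and not pab.ignore_public_acls
    via_policy = policy_is_public(policy) and not pab.restrict_public_buckets
    return via_acl or via_policy


# Constructed sample inputs (not data from a real bucket).
PUBLIC_READ_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

if __name__ == "__main__":
    block_all = PublicAccessBlock()
    nothing_blocked = PublicAccessBlock(False, False, False, False)
    print("PUT public ACL, block all:", put_acl_allowed(block_all, PUBLIC_READ_ACL))
    print("anon read of pre-existing public ACL, block all:",
          anonymous_read_allowed(block_all, PUBLIC_READ_ACL, EMPTY_POLICY))
    print("anon read of pre-existing public ACL, nothing blocked:",
          anonymous_read_allowed(nothing_blocked, PUBLIC_READ_ACL, EMPTY_POLICY))
```

The case worth noticing is `PublicAccessBlock(True, False, False, False)`: with only BlockPublicAcls on, a public ACL that was attached before the setting was enabled still grants anonymous reads, which is why the account-level "Block all" combination is the usual recommendation.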
---

# Lab: Encrypting Data at Rest by Using AWS KMS

### Lab: Tasks

In this lab, you will complete the following tasks:

1. Creating an AWS KMS key
2. Storing an encrypted object in an S3 bucket
3. Attempting public access to the encrypted object
4. Attempting signed access to the encrypted object
5. Monitoring AWS KMS activity by using CloudTrail
6. Encrypting the root volume of an existing EC2 instance
7. Disabling the encryption key and observing the effects

---

# Protect data in transit

### why protect data in transit

* Your communications might go through the public internet.
* The risks:
    * Accidental information disclosures
    * Data integrity compromises
    * Identity compromises
    * Man-in-the-middle (MITM) attacks
    * Identity spoofing

### protecting data in transit

* Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) endpoints (HTTPS).
* Use encryption.
* Use Amazon Virtual Private Cloud (Amazon VPC) endpoints to limit access to your bucket.

### protecting remote connections to servers

* Remote Desktop Protocol (RDP) is typically used for Windows servers.
* Secure Shell (SSH) is typically used for Linux servers.

### AWS Certificate Manager (ACM)

* Provides a single interface for you to manage both public and private certificates
* Makes it easy to deploy certificates
* Protects and stores private certificates
* Minimizes downtime and outages with automatic renewals

### AWS Certificate Manager Private Certificate Authority

![Screenshot 2024-03-15 9.56.27 PM](https://hackmd.io/_uploads/SJucQAWAp.png)

### ACM Private CA considerations

![Screenshot 2024-03-15 9.57.59 PM](https://hackmd.io/_uploads/S1Qx4CZ0a.png)

### key points

* Protect data in transit by using SSL or client-side encryption when you run applications in the cloud.
* Use VPC endpoints to limit access to S3 buckets.
* The ACM service handles the complexity of creating and managing public SSL/TLS certificates for your AWS-based websites and applications.
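The SSE-KMS encryption and decryption steps in the "protection through encryption" section (generate a data key, store the wrapped copy with the object, discard the plaintext copy, ask KMS to unwrap it on read) and lab task 7 (disabling the key) can be walked through offline. The following is an added example, not code from the notes or from AWS: `FakeKms` and `FakeS3` are stand-ins whose only job is to show which party holds which key and what is written to the log, with `log` standing in for the CloudTrail record of KMS API calls. Assumption: real KMS and S3 use AES-256-GCM; because the Python standard library has no AES, the example substitutes an encrypt-then-MAC construction built from HMAC-SHA256 (keystream in counter mode plus a tag) so that it runs with no third-party packages.

```python
"""Envelope encryption as used by SSE-KMS, simulated offline (added example, not AWS code)."""
import hashlib
import hmac
import os


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR/GCM; assumption noted above).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += _prf(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; separate subkeys for encryption and MAC."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")  # tampered ciphertext is rejected, never decrypted
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyDisabledError(Exception):
    pass


class FakeKms:
    """Stand-in for AWS KMS: the master key is private to this object and never returned."""

    def __init__(self):
        self._master = os.urandom(32)
        self.enabled = True
        self.log = []  # stand-in for the CloudTrail record of KMS API calls

    def generate_data_key(self):
        """Step 3-4: one data key, returned as a plaintext copy and a copy wrapped under the master key."""
        self._check()
        self.log.append("GenerateDataKey")
        plaintext_key = os.urandom(32)
        return plaintext_key, aead_encrypt(self._master, plaintext_key)

    def decrypt(self, wrapped_key: bytes) -> bytes:
        """Decryption steps 3-5: unwrap the stored data key and hand it back to S3."""
        self._check()
        self.log.append("Decrypt")
        return aead_decrypt(self._master, wrapped_key)

    def disable(self):  # lab task 7
        self.enabled = False
        self.log.append("DisableKey")

    def _check(self):
        if not self.enabled:
            raise KeyDisabledError("KMS key is disabled")


class FakeS3:
    """Stores (ciphertext, wrapped data key) per object; the plaintext data key is never kept."""

    def __init__(self, kms: FakeKms):
        self.kms, self.objects = kms, {}

    def put_object(self, key: str, body: bytes):
        plaintext_key, wrapped_key = self.kms.generate_data_key()
        self.objects[key] = (aead_encrypt(plaintext_key, body), wrapped_key)
        del plaintext_key  # step 5: discard the plaintext copy, keep only the wrapped copy

    def get_object(self, key: str) -> bytes:
        ciphertext, wrapped_key = self.objects[key]
        return aead_decrypt(self.kms.decrypt(wrapped_key), ciphertext)  # step 6: S3 decrypts

    def stored_bytes(self, key: str) -> bytes:
        return self.objects[key][0]


def detects_tampering() -> bool:
    """Flip one ciphertext bit on disk and confirm the read is refused rather than returning garbage."""
    s3 = FakeS3(FakeKms())
    s3.put_object("doc", b"x" * 40)
    ct, wrapped = s3.objects["doc"]
    s3.objects["doc"] = (ct[:20] + bytes([ct[20] ^ 1]) + ct[21:], wrapped)
    try:
        s3.get_object("doc")
        return False
    except ValueError:
        return True


def demo():
    """Returns (first read, whether the read after DisableKey failed, the KMS call log)."""
    kms = FakeKms()
    s3 = FakeS3(kms)
    s3.put_object("secret.txt", b"Hello World!")
    first = s3.get_object("secret.txt")
    kms.disable()
    try:
        s3.get_object("secret.txt")
        failed = False
    except KeyDisabledError:
        failed = True
    return first, failed, kms.log
```

Two things to take from running `demo()`: the object bytes at rest contain neither the plaintext nor a usable key, and every read is visible as a `Decrypt` call in the KMS log, which is what lab task 5 inspects in CloudTrail. Disabling the key does not touch the stored bytes, yet reads fail immediately, which is the effect task 7 asks you to observe.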
* ACM Private CA can manage the lifecycle of your private certificates centrally and in a highly available way.

---

# Module Summary

In this module, you learned how to do the following:

* Describe how to protect data at rest and in transit.
* Identify Amazon S3 protection features.
* Encrypt data in Amazon S3.
* Differentiate between CSE and SSE.
* Identify AWS services that help protect your data.

# suggestion

### slide 0 Introduction

* Briefly introduce the importance of data protection.
* Protecting Data at Rest: mention the data protection mechanisms offered by AWS.

### slide 1 Protecting Data at Rest

* Explain the importance of data encryption: it keeps data safe even if an unauthorized party gains access to it
* Emphasize the need to meet business or compliance requirements

Key points:

* Information disclosure: limit the number of users who can access the data
* Data integrity compromise: use resource permissions to limit the scope of users who can modify data

### slide 2 Amazon S3 Protection Features

* By default, all S3 resources (buckets, objects, etc.) are private
* Grant others access through access policies
* Mention features such as S3 Block Public Access as an additional layer of protection against accidental data exposure

### slide 3 Protection Through Encryption

* Describe what encryption does: it uses a key to turn plaintext data into unreadable ciphertext
* Distinguish client-side encryption (CSE) from server-side encryption (SSE)
* Introduce the three SSE types AWS offers: SSE-C, SSE-S3, SSE-KMS

### slide 4 Protecting Data in Transit

* Explain the importance of protecting data when communicating over the public internet
* Introduce SSL/TLS (HTTPS) and encryption for protecting data in transit
* Mention using Amazon Virtual Private Cloud (VPC) endpoints to restrict access to S3 buckets

### slide 5 lab experiment

* Introduce creating an AWS KMS key, storing an encrypted object in an S3 bucket, and so on

### slide 6 conclusion

* Summarize how to protect data at rest and in transit on AWS
* Emphasize the data protection services and features AWS offers
* Present best practices for protecting data in Amazon S3
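The "Protect data in transit" section (and slide 4 of the suggestions) lists MITM and identity spoofing as the risks and SSL/TLS (HTTPS) as the control. What actually defeats those two risks on the client side is certificate verification plus hostname checking, and a client that turns them off still "uses HTTPS" while being fully exposed. The following is an added example, not from the notes or AWS, using only Python's standard `ssl` module: the weak configuration beside the hardened one, and a small audit function that reports which protections are missing. No network connection is made; the example only inspects context settings.

```python
"""Weak vs hardened TLS client configuration for data in transit (added example)."""
import ssl


def weak_context() -> ssl.SSLContext:
    """Accepts any certificate: a party on the path can impersonate the endpoint (MITM/spoofing)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # name on the certificate is never compared to the host
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is never validated against a CA store
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verified chain, hostname check, and a TLS 1.2 floor; this is what an S3 HTTPS client needs."""
    ctx = ssl.create_default_context()  # loads the system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return the list of in-transit protections the context lacks (empty list = acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (MITM possible)")
    if not ctx.check_hostname:
        findings.append("hostname not checked (identity spoofing possible)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("weak:", audit(weak_context()))
    print("hardened:", audit(hardened_context()))
```

The same three properties are what an SDK such as boto3 enforces by default when it talks to an S3 endpoint; the audit function is the kind of check to run over any code path that builds its own TLS context, since `verify=False` style shortcuts are the usual way HTTPS ends up providing no protection at all.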