SEC 9: How do you protect your data at rest?
Protect your data at rest by defining your requirements and implementing controls, including encryption, to reduce the risk of unauthorized access or loss.
Define data management and protection at rest requirements: Define data management and protection at rest requirements, such as encryption and data retention, to meet your organizational, legal, and compliance requirements.
Implement secure key management: Encryption keys must be stored securely, and rotated with strict access control; for example, by using a key management service such as AWS Key Management Service. Consider using different keys for segregation of different data classification levels and retention requirements.
Enforce encryption at rest: Enforce your defined encryption requirements based on the latest standards and best practices to help protect your data at rest.
Enforce access control: Enforce access control with least privileges and mechanisms, including backups, isolation, and versioning, to help protect your data at rest. Consider what data you have that is publicly accessible.
Provide mechanisms to keep people away from data: Keep all users away from directly accessing sensitive data. For example, provide a dashboard instead of direct access to a data store, and provide tools to indirectly manage the data.
Define data at rest protection requirements
Define requirements that will help you protect your data in transit.
- Identify compliance requirements: Discover the organizational, legal, and compliance requirements your workload needs to comply with.
- Identify AWS compliance resources: Identify resources that AWS has available to assist.
AWS cloud compliance
- Define encryption standards: Define your encryption standard based on the latest available and supported encryption ciphers and protocols.
- Define key management solution: Define a key management solution; for example for workloads using Amazon S3, consider using AWS Key Management Service (AWS KMS) for encryption at rest.
AWS Key Management Service
- Define data protection controls: Protect data according to its classification level; for example, secure publicly accessible data by using best practices while protecting sensitive data with additional controls.
- Define data retention requirements: Define your data retention requirements. These include the length of time you need to keep different types of data, and the number of previous versions and copies. For example, log files containing transactional information may only need a single copy to be stored for many years.
- Identify data management tools: Identify tools that will help you manage your data at rest.
- Define mechanisms to keep people away from data: Keep all users away from directly accessing sensitive data. For example, provide a dashboard instead of direct access to a data store, and provide tools to indirectly manage the data.
Implement data at rest protection
Implement controls to help protect your data at rest.
- Enforce encryption at rest: Enforce your defined encryption requirements based on the latest standards and best practices. For example, implement an S3 bucket policy that only allows objects encrypted by
AWS KMS to be stored.
Protecting data using server-side encryption with AWS KMS-managed keys (SSE-KMS)
- Enforce access control: Enforce access control with least privileges, including access to encryption keys.
Introduction to Managing Access Permissions to Your Amazon S3 Resources
- Use AWS Secrets Manager: AWS Secrets Manager is an AWS service that makes it easier for you to manage secrets.
Secrets can be database credentials, passwords, third-party API keys, and even arbitrary
AWS Secrets Manager
- Separate data based on different classification levels: Use different AWS accounts for data classification levels.
AWS Multiple Account Security Strategy
- Implement mechanisms to keep people away from data: Mechanisms include using dashboards such as Amazon QuickSight to display data to end users, and automated configuration for administrators such
as AWS CloudFormation.
- Review AWS KMS policies: Review the level of access granted in AWS KMS policies.
Overview of managing access to your AWS KMS resources
- Configure encryption in Amazon S3: For Amazon S3 you can encrypt objects using client-side or server-side techniques
S3 object encryption
- Review S3 bucket and object permissions: Regularly review the level of access granted in Amazon S3 bucket policies. Best practice is to not have publicly readable or writeable buckets. Consider using AWS Config to detect buckets that are open, and Amazon CloudFront to serve content from S3
AWS Config Rules
Amazon S3 + Amazon CloudFront: A Match Made in the Cloud
- Enable Amazon S3 versioning
- Configure encrypted Amazon Machine Images (AMIs): Copying an existing AMI with encryption enabled will automatically encrypt root volumes
AMIs with encrypted Snapshots
- Review Amazon EBS and AMI sharing permissions: Sharing permissions can allow images and volumes to be shared to AWS accounts external
to your workload.
Sharing an Amazon EBS Snapshot
- Configure Amazon RDS encryption: Configure encryption for your Amazon RDS DB clusters and snapshots at rest by enabling the encryption option.
Encrypting Amazon RDS resources
- Configure Amazon DynamoDB encryption: DynamoDB encryption at rest encrypts data at rest using an AWS KMS managed encryption key.
Amazon DynamoDB encryption at rest
- Consider AWS Encryption SDK: Use the AWS Encryption SDK with AWS KMS integration when your application needs to encrypt data client-side.
AWS Encryption SDK