One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8302490
Publication date 2023-01-19 11:00:00 (viewed: 2023-01-19 11:07:26)
Title Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest
Text In the first two blogs in this series, we discussed properly setting up IAM and avoiding direct internet access to AWS resources. In this blog, we'll tackle encrypting AWS data in transit and at rest.

Sometimes, despite all efforts to the contrary, data can be compromised. This can occur through data leakage from faulty apps or systems, through lost laptops or portable storage devices, through malicious actors breaking through security defenses, through social engineering attacks, or through data being intercepted in man-in-the-middle attacks. Fortunately, with adequate encryption measures in place, data exposures such as these can be nullified. Simply put, when data is properly encrypted with industry-approved algorithms, it can't be deciphered. The only way to make sense of encrypted data is to decrypt it with an encryption key that only trusted parties possess. Let's discuss how AWS makes it easy to encrypt data wherever it may be.

Encrypting data in transit

When you visit a website and see the small lock icon in the browser toolbar, it means that data being sent between your computer and the website host is secure. If your data were intercepted by a malicious actor, they would not be able to decipher it, since it is encrypted. Through an encryption process that is beyond the scope of this blog series, computers and website hosts negotiate the encryption algorithm and keys that are used during sessions. Thus, since only the communicating computers and website hosts know the encryption keys in use, data is protected from prying eyes. (Note: an exception to this statement is if the generation of encryption keys occurs over a publicly available Internet connection, e.g., coffee shop WiFi. Cybercriminals could intercept this exchange of information and eavesdrop on your communication. That is why it is recommended to initiate a virtual private network (VPN) connection to a trusted provider before visiting websites when using a public Internet connection.)

AWS provides a convenient service to encrypt data in transit called Amazon Certificate Manager (ACM). Per AWS, ACM "handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications." (What Is AWS Certificate Manager? - AWS Certificate Manager, amazon.com). These X.509 certificates can be used with AWS ELBs, CloudFront, and Amazon API Gateway. Consequently, all Internet-bound traffic to and from these resources will be secure. Furthermore, AWS can encrypt data in transit using X.509 certificates to AWS-managed resources like S3 buckets. However, to enable this, policies may need to be updated to restrict HTTP and permit only HTTPS connectivity. To see an example of how AWS S3 can enforce HTTPS connections, click here: Enforce TLS 1.2 or higher for Amazon S3 buckets. Now that we know how to encrypt data in transit, let's move on to our final topic of discussion: encrypting data at rest.

Encrypting data at rest

One of the easiest and most impactful security measures AWS has to offer is encrypting data at rest. Literally, with a few clicks of the mouse, every major AWS service that stores data can be encrypted with default encryption keys that are owned and maintained by AWS. The se
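As an added example (not code from the AlienVault post or from AWS), here is the shape of the S3 bucket policy that the linked "Enforce TLS 1.2 or higher" guidance describes: one Deny for requests not sent over TLS at all, one Deny for TLS sessions below the minimum version, built in Python together with a minimal evaluator for those two conditions. The bucket name is a constructed placeholder, and the evaluator covers only the Bool and NumericLessThan operators used here, not full IAM evaluation.

```python
import json

BUCKET = "example-bucket"  # constructed placeholder, not a real bucket


def tls_enforcing_policy(bucket, min_tls=1.2):
    """Build a bucket policy that denies plain HTTP and old TLS versions."""
    arn = f"arn:aws:s3:::{bucket}"
    resources = [arn, f"{arn}/*"]  # bucket itself and every object in it
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Request did not arrive over TLS (aws:SecureTransport is false)
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Request used TLS, but a version older than min_tls
                "Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": resources,
                "Condition": {"NumericLessThan": {"s3:TlsVersion": min_tls}},
            },
        ],
    }


POLICY = tls_enforcing_policy(BUCKET)


def _condition_matches(op, key, want, ctx):
    have = ctx.get(key)
    if have is None:           # missing context key: condition does not match
        return False
    if op == "Bool":
        return str(have).lower() == str(want).lower()
    if op == "NumericLessThan":
        return float(have) < float(want)
    raise ValueError(f"unsupported operator in this toy evaluator: {op}")


def request_denied(policy, secure_transport, tls_version=None):
    """True if any Deny statement's conditions all match the request context."""
    ctx = {"aws:SecureTransport": "true" if secure_transport else "false"}
    if tls_version is not None:   # plain HTTP requests carry no s3:TlsVersion
        ctx["s3:TlsVersion"] = tls_version
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and all(
            _condition_matches(op, k, v, ctx)
            for op, pairs in stmt["Condition"].items() for k, v in pairs.items()
        ):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # save as policy.json for put-bucket-policy
```

The printed JSON can be applied with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`; note that a Deny on `s3:*` also blocks your own non-TLS administrative calls.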
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.