Data Security
This area provides a range of data security capabilities, including encryption of data and secure access control. The AWS security services that fall into this area include the following.
AWS KMS (Key Management Service)
Provides the ability to create and manage the keys used to encrypt data. Useful references for working with AWS KMS are listed below.
Bookmark
- Security in AWS Key Management Service
- Introduction to AWS KMS cryptographic details
- NIST FIPS 140-2 AWS KMS Validation Certificate - FIPS 140-2 overall Level 2 certificate
- FIPS 140-2 Non-Proprietary Security Policy - AWS KMS HSM - document describing the FIPS certification details of KMS
- Video [AWS Summit Seoul 2018] - Strategies for building a secure AWS environment using AWS KMS
- GIT - DIY code signing using AWS KMS and ACM Private CA
- GIT - aws-kms-pkcs11
- Guide - Monitor and remediate scheduled deletion of AWS KMS CMKs
- Blog - Are KMS custom key stores right for you? - explains KMS Custom Key Store, which combines CloudHSM with KMS
- Blog - How to Use the New AWS Encryption SDK to Simplify Data Encryption and Improve Application Availability
- Blog - Encrypting messages published to Amazon SNS with AWS KMS
- Blog - Control Access to Your Data with Slack Enterprise Key Management and AWS KMS - describes integrating a Slack Enterprise Key Management environment with AWS KMS
- Blog - How to Connect Directly to AWS Key Management Service from Amazon VPC by Using an AWS PrivateLink Endpoint
- Blog - Post-quantum TLS now supported in AWS KMS - announces that the post-quantum hybrid key exchange implemented in s2n has been applied to the KMS public endpoint
- Blog - Digital signing with the new asymmetric keys feature of AWS KMS
- Blog - Code signing using AWS Certificate Manager Private CA and AWS Key Management Service asymmetric keys
- Blog - Combining encryption and signing with AWS KMS asymmetric keys
- Blog - Round 2 post-quantum TLS is now supported in AWS KMS
- Blog - Demystifying KMS keys operations, bring your own key (BYOK), custom key store, and ciphertext portability
- Blog - How to verify AWS KMS asymmetric key signatures locally with OpenSSL
- Blog - Encrypt global data client-side with AWS KMS multi-Region keys
- Blog - Managing permissions with grants in AWS Key Management Service
- Blog - How to sign Ethereum EIP-1559 transactions using AWS KMS
- Blog - How to protect HMACs inside AWS KMS
AWS CloudHSM
Provides customer-dedicated HSMs (Hardware Security Modules) on AWS as a managed service. Useful references for working with AWS CloudHSM are listed below.
Bookmark
- Security in AWS CloudHSM
- What Is AWS CloudHSM Classic?
- Support - Sharing a CloudHSM cluster with another AWS account
- Whitepaper - Security of AWS CloudHSM Backups
- Whitepaper - Migrating to AWS CloudHSM
- GIT - aws-cloudhsm-jce-examples
- GIT - aws-cloudhsm-pkcs11-examples
- GIT - SSL Offloading to CloudHSM - Step by Step Guide
- Blog - How to migrate a digital signing workload to AWS CloudHSM
- Blog - How to migrate your EC2 Oracle Transparent Data Encryption (TDE) database encryption wallet to CloudHSM
- Blog - How to run AWS CloudHSM workloads on Docker containers
- Blog - Security of CloudHSM Backups
- Blog - How to Update AWS CloudHSM Devices and Client Instances to the Software and Firmware Versions Supported by AWS
- Blog - Understanding AWS CloudHSM Cluster Synchronization
- Blog - Using AWS CloudHSM-backed certificates with Microsoft Internet Information Server - how to keep the certificate's private key in CloudHSM when configuring SSL on MS IIS
- Blog - How to clone an AWS CloudHSM cluster across regions - providing availability by cloning an HSM cluster across multiple regions
- Blog - How to run AWS CloudHSM workloads on AWS Lambda
- Blog - How to lower costs by automatically deleting and recreating HSMs
- Blog - How to deploy CloudHSM to securely share your keys with your SaaS provider
- Blog - How to migrate symmetric exportable keys from AWS CloudHSM Classic to AWS CloudHSM
- Blog - Signing executables with HSM-backed certificates using multiple Windows instances
- Blog - Integrate CloudHSM PKCS #11 Library 5.0 with serverless workloads
- Blog - CloudHSM best practices to maximize performance and avoid common configuration pitfalls
- Blog - Migrate and secure your Windows PKI to AWS with AWS CloudHSM
- Blog - Signing Data Using Keys Stored in AWS CloudHSM with Python
Amazon Macie
A service that discovers and classifies sensitive, critical data using machine learning and prevents its unauthorized exfiltration. Useful references for working with Amazon Macie are listed below.
Bookmark
- Security in Amazon Macie
- What Is Amazon Macie Classic?
- GIT - Amazon Macie Activity Generator - generates events such as time-series activities, noise addition, and anomaly injection for Amazon Macie demos
- Blog - Classify sensitive data in your environment using Amazon Macie - introduces how to build sample data sets for custom-training Amazon Macie (teaching Macie internal policies or personal/confidential data patterns)
- Blog - Discover sensitive data by using custom data identifiers with Amazon Macie
- Blog - BBVA: Architecture for Large-Scale Macie Implementation
- Blog - Use Macie to discover sensitive data as part of automated data pipelines
- Blog - Detecting sensitive data in DynamoDB with Macie
- Blog - Deploy an automated ChatOps solution for remediating Amazon Macie findings
- Blog - Creating a notification workflow from sensitive data discovery with Amazon Macie, Amazon EventBridge, AWS Lambda, and Slack
- Blog - Automate the archival and deletion of sensitive data using Amazon Macie
- Blog - Enabling data classification for Amazon RDS database with Macie
AWS Secrets Manager
Provides the ability to securely store, rotate, and retrieve credentials such as database passwords and API keys. Credentials for on-premises or third-party products can also be managed. Useful references for working with AWS Secrets Manager are listed below.
Bookmark
- Security in AWS Secrets Manager
- GIT - AWS Secrets Manager Rotation Lambda Function Samples
- GIT - AWS Secrets Manager Java caching client
- GIT - AWS Secrets Manager JDBC Library
- GIT - AWS Secrets Manager Python caching client
- GIT - AWS Secrets Manager Caching Client for .NET
- GIT - AWS Secrets Manager Go Caching Client
- GIT - secret-sidecar - sample for securely storing and managing ECS secrets in Secrets Manager
- GIT - secret-sidecar - Secrets Manager integration with EKS
- GIT - AWS EKS Secrets injector - Secrets Manager integration with EKS
- GIT - Native Secrets - Secrets Manager integration with EKS
- Support - Sharing Secrets Manager secrets across accounts
- Guide - Manage credentials using AWS Secrets Manager
- Blog - Rotate Amazon RDS database credentials automatically with AWS Secrets Manager
- Blog - How to rotate Amazon DocumentDB and Amazon Redshift credentials in AWS Secrets Manager
- Blog - Enable password authentication for AWS Transfer for SFTP using AWS Secrets Manager
- Blog - Improve availability and latency of applications by using AWS Secret Manager’s Python client-side caching library
- Blog - How to automate replication of secrets in AWS Secrets Manager across AWS Regions
- Blog - How to rotate a WordPress MySQL database secret using AWS Secrets Manager in Amazon EKS
- Blog - How to use AWS Secrets Manager to securely store and rotate SSH key pairs
- Blog - GoDaddy - Kubernetes External Secrets - GoDaddy blog on how to store and manage EKS secrets in Secrets Manager
- Blog - How to use resource-based policies in the AWS Secrets Manager console to securely access secrets across AWS accounts
- Blog - Identify, arrange, and manage secrets easily using enhanced search in AWS Secrets Manager
- Blog - Use AWS Secrets Manager to simplify the management of private certificates
- Blog - How to replicate secrets in AWS Secrets Manager to multiple Regions
- Blog - Design patterns to access cross-account secrets stored in AWS Secrets Manager
- Blog - Manage your AWS DMS endpoint credentials with AWS Secrets Manager
- Blog - How to configure rotation windows for secrets stored in AWS Secrets Manager
- Blog - Securely retrieving secrets with AWS Lambda
AWS Certificate Manager
Provides free issuance and management of SSL/TLS certificates for AWS services. Useful references for working with AWS Certificate Manager are listed below.
Bookmark
- Security in AWS Certificate Manager
- AWS::CertificateManager::Certificate
- Amazon Trust Services - site providing information about the Amazon Root CAs
- GIT - s2n
- Blog - Certificate Transparency support for ACM certificates
- Blog - How to use AWS Certificate Manager with AWS CloudFormation
- Blog - How to deploy public ACM certificates across multiple AWS accounts and Regions using AWS CloudFormation StackSets
- Blog - How to monitor expirations of imported certificates in AWS Certificate Manager (ACM)
- Blog - How to tune TLS for hybrid post-quantum cryptography with Kyber
AWS Certificate Manager Private Certificate Authority
A sub-service of ACM that provides a managed private CA environment. Useful references for working with AWS Certificate Manager Private Certificate Authority are listed below.
Bookmark
- Security in AWS Certificate Manager Private Certificate Authority
- GIT - DIY code signing using AWS KMS and ACM Private CA
- Blog - Enabling SSL encrypted connections to Microsoft SQL Server using AWS Certificate Manager Private Certificate Authority
- Blog - How to host and manage an entire private certificate infrastructure in AWS
- Blog - Maintaining Transport Layer Security all the way to your container part 2: Using AWS Certificate Manager Private Certificate Authority
- Blog - Code signing using AWS Certificate Manager Private CA and AWS Key Management Service asymmetric keys
- Blog - Monitoring AWS Certificate Manager Private CA with AWS Security Hub
- Blog - Using ACM Private Certificate Authority in a multi-account environment by using IAM roles
- Blog - How to use AWS RAM to share your ACM Private CA cross-account
- AWS Certificate Manager Private Certificate Authority now supports more flexibility for CAs shared across accounts
- Blog - How to Prepare for AWS’s Move to Its Own Certificate Authority
- Blog - Create a portable root CA using AWS CloudHSM and ACM Private CA
- Blog - How to securely create and store your CRL for ACM Private CA
- Blog - How to create certificates with custom extensions using AWS Certificate Manager Private CA
- Blog - How to secure an enterprise scale ACM Private CA hierarchy for automotive and manufacturing
- Blog - How to incorporate ACM PCA into your existing Windows Active Directory Certificate Services
AWS Site-to-Site VPN
By default, instances launched into an Amazon VPC cannot communicate with your own (remote) network. You can enable access from the VPC to your remote network by attaching a virtual private gateway to the VPC, creating a custom route table, updating your security group rules, and creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection. Useful references for working with Site-to-Site VPN are listed below.
- Security in AWS Site-to-Site VPN
- Customer gateway devices
- Support - Troubleshooting BGP over VPN
- Blog - Scaling VPN throughput using AWS Transit Gateway
- Blog - Improve VPN Network Performance of AWS Hybrid Cloud with Global Accelerator
- Blog - How do I troubleshoot VPN tunnel inactivity or instability on my customer gateway device?
- Blog - Simulating Site-to-Site VPN Customer Gateways Using strongSwan
- Blog - Simulating Site-to-Site VPN customer gateways using strongSwan part 2: Certificate-based authentication
- Blog - Introducing AWS Site-to-Site VPN Private IP VPNs
AWS Client VPN
AWS Client VPN is a managed, client-based VPN service that enables secure access to AWS resources and on-premises network resources. Useful references for working with AWS Client VPN are listed below.
- Security in AWS Client VPN
- Blog - Authenticate AWS Client VPN users with SAML
- Blog - How to Integrate AWS Client VPN with Azure Active Directory
- Blog - Using Microsoft Active Directory MFA with AWS Client VPN
- Blog - Accessing an Amazon RDS instance remotely using AWS Client VPN
- Blog - How to restrict IAM roles to access AWS resources from specific geolocations using AWS Client VPN
- Blog - Enforcing VPN access policies with AWS Client VPN connection handler
- Blog - Building an AWS architecture for a highly secure remote-work environment
- Blog - Building Multi-Region AWS Client VPN with Microsoft Active Directory and Amazon Route 53
- Blog - Securely Connect your Mobile Device to your AWS environment with AWS Client VPN
Server-Side Encryption
An optional capability that encrypts data using keys managed by the AWS service, keys managed by AWS KMS, or customer-managed keys. Useful references for working with AWS server-side encryption are listed below.
Bookmark
- Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3)
- Amazon S3 Inventory - shows the encryption status per bucket or prefix
- Amazon DynamoDB Encryption at Rest - server-side encryption of data stored in DynamoDB
- SQS server-side encryption
- Amazon EBS Encryption
- Encrypting Amazon RDS resources
- RDS Oracle TDE
- RDS MS-SQL TDE
- Uploading encrypted data to Redshift
- Configuring Athena encryption options
- Redshift - Changing Cluster Encryption - how to apply KMS-based encryption to an unencrypted Redshift cluster, addressing GDPR issues
Encryption SDK
The AWS Encryption SDK is a cryptographic library that follows industry standards and best practices so that anyone can easily implement client-side encryption. Useful references on the AWS Encryption SDK are listed below.
Bookmark
- What is the AWS Encryption SDK?
- AWS Encryption SDK for C
- AWS Encryption SDK for Java
- AWS Encryption SDK for JavaScript
- AWS Encryption SDK for Python
- AWS Encryption SDK Command Line Interface
- AWS Encryption SDK CLI Syntax and Parameter Reference
- Encryption SDK Data Key Caching - how to cache data keys as an alternative when hitting KMS encrypt/decrypt request limits
- Data Key Caching Example
- How is the AWS Encryption SDK different from the AWS SDKs?
- How is the AWS Encryption SDK different from the Amazon S3 encryption client?
- How much overhead does the AWS Encryption SDK message format add to my encrypted data?
- AWS Encryption SDK Algorithms Reference
- Blog - How to decrypt ciphertexts in multiple regions with the AWS Encryption SDK in C
- Blog - AWS Encryption SDK: How to Decide if Data Key Caching Is Right for Your Application - guidance on the cases in which the Encryption SDK should be used with restrictions
- Blog - How to Encrypt and Decrypt Your Data with the AWS Encryption CLI - applying encryption and decryption from the CLI
- Blog - How to Use the New AWS Encryption SDK to Simplify Data Encryption and Improve Application Availability
- Blog - Improved client-side encryption: Explicit KeyIds and key commitment
- GIT - AWS Encryption SDK for Java
- GIT - aws-encryption-sdk-cli
- GIT - aws-encryption-sdk-python
DynamoDB Encryption Client
Bookmark
AWS Signer
Bookmark
- Security in AWS Signer
- Blog - Code Signing, a Trust and Integrity Control for AWS Lambda
- Blog - Best practices and advanced patterns for Lambda code signing
Other useful links related to data security
- What is Cryptography?
- Cryptography Concepts
- Cryptographic Algorithms
- AWS Cryptographic Services and Tools
- DynamoDB Encryption Client
- Other AWS Services that use Cryptography
- How to Choose an Encryption Tool or Service
- AWS PKI Services
- What is Public Key Infrastructure?
- PKI Concepts
- AWS Public Key Infrastructure (PKI) Services and Tools
- Other AWS Services that use X.509 Public Key Certificates
- How to Choose a PKI Service
- GIT - Post-quantum cryptography for s2n - link to the s2n GitHub repository containing the code for the post-quantum hybrid key exchange
- GIT - encryption-workshop
- Guide - Scan Git repositories for sensitive information and security issues by using git-secrets
- Ext. Blog - S3 Ransomware Part 1: Attack Vector
- Blog - Architecting for database encryption on AWS
- Blog - TLS 1.2 will be required for all AWS FIPS endpoints beginning March 31, 2021
- Blog - Ransomware mitigation: Top 5 protections and recovery preparation actions
- Blog - Assess your security posture to identify and remediate security gaps susceptible to ransomware
- Blog - The Five Ws episode 2: Data Classification whitepaper
- Blog - Introducing s2n-quic, a new open-source QUIC protocol implementation in Rust
- Blog - TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints
- Blog - Preparing today for a post-quantum cryptographic future
Remarks
- All content on this site is subject to change or revision.
- For official, detailed information, refer to http://aws.amazon.com.
- If you disagree with any of the content or find a broken link, please email the administrator (gisunlim@amazon.com); it would be greatly appreciated.
Privacy Policy | Site Terms | © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.