Dear IT Auditors, Database Audit and Encryption Review

Data is only as safe as the encryption that protects it. When encryption controls fail or are poorly implemented, even strong firewalls and access controls cannot stop data exposure. That’s why auditing database encryption processes is a key part of every IT and cybersecurity audit.

📌 Start with the Encryption Policy
Begin by reviewing the organization’s data encryption policy. It should define which data must be encrypted, the standards to follow, and the roles responsible for managing encryption keys. Policies that lack detail often lead to inconsistent implementation.

📌 Encryption at Rest
Verify that sensitive data stored in databases is encrypted at rest. Review configurations in tools such as Transparent Data Encryption (TDE) for SQL, Oracle, or cloud-managed databases. Ensure encryption algorithms like AES-256 are used rather than weaker ones.

📌 Encryption in Transit
Data moving between applications and databases should be encrypted using secure protocols such as TLS 1.2 or higher. Auditors should test whether unencrypted connections (HTTP, FTP, or old JDBC strings) are still in use. Any plaintext transmission is a data leak waiting to happen.

📌 Key Management Controls
Strong encryption is meaningless if the keys are weak or mishandled. Review how encryption keys are generated, stored, rotated, and retired. Confirm that keys are held in a secure vault or Hardware Security Module (HSM). Keys should never be hard-coded into scripts or shared via email.

📌 Access to Keys and Certificates
Only a limited number of trusted individuals should access encryption keys. Review access lists for key vaults and certificate repositories. Each access should be logged and periodically reviewed.

📌 Backup Encryption
Backups often contain full copies of production data. Verify that backup files and storage devices are also encrypted. If backups are sent to third parties or cloud storage, ensure that the same encryption controls are applied.

📌 Decryption and Recovery Testing
Encryption isn’t complete without successful decryption. Review whether periodic recovery tests are performed to confirm that encrypted backups and databases can be restored correctly. Unrecoverable encryption is as dangerous as no encryption.

📌 Audit Evidence
Key evidence includes encryption configuration files, key management procedures, access control lists for key stores, and decryption test reports. These show that encryption controls are both effective and maintained.

Effective database encryption builds resilience. It ensures that even if an attacker gains access, the data remains unreadable and useless. Strong encryption is both a commitment to trust and a technical safeguard.

#DatabaseSecurity #Encryption #CyberSecurityAudit #ITAudit #CyberVerge #CyberYard #DataProtection #RiskManagement #KeyManagement #DataGovernance #GRC #InformationSecurity
Encryption in Cloud Computing Environments
Summary
Encryption in cloud computing environments means protecting data by converting it into ciphertext that cannot be read without the corresponding key, both while it is stored in cloud systems and while it moves between them, so that only authorized users can recover the original information. Done properly, it safeguards privacy, supports regulatory compliance, and limits what an attacker who reaches the storage or the network can actually learn.
- Audit encryption controls: Regularly review encryption policies, key management procedures, and system configurations to confirm that sensitive data in the cloud remains protected and properly managed.
- Automate key rotation: Implement automated tools for rotating cryptographic keys to reduce risks from outdated keys and maintain strong security without manual effort.
- Adopt granular key management: Use approaches like “key per value” encryption to gain precise tracking of data access and strengthen data governance across cloud environments.
🎉 Very proud to publish my first article on the official Microsoft Security Community Blog! 🛡️ It’s been an incredible journey exploring the evolution of HSM and cloud cryptography in Azure, and I’m thrilled to share this deep dive with you!

📢 Azure Integrated HSM marks a major shift in how cryptographic keys are handled, moving from centralized clusters to local, tamper-resistant modules embedded directly in virtual machines. 🗝️

✨ This new model brings cryptographic assurance closer to the workload, reducing latency, increasing throughput, and redefining what’s possible for secure applications in the cloud. ⚡🔐

🧭 But this isn’t just a new feature: it’s the latest chapter in a decade-long evolution. 🚀

🕰️ From the launch of Azure Key Vault Premium in 2015 backed by nCipher HSMs (Thales → Entrust), through the Dedicated HSM appliance model powered by SafeNet Luna HSMs (#Gemalto → Thales), to the rise of AKV Managed HSM and Cloud HSM built on Marvell Technology LiquidSecurity… Microsoft has quietly built one of the most complete HSM portfolios in the cloud. 💨

🔒 Now with Azure Integrated HSM, Microsoft shifts cryptographic assurance from external clusters to embedded silicon, integrating custom HSM chips directly into AMDv7 virtual machines. ⚡

🧾 Validated to FIPS 140-3 Level 3, these chips bring cryptographic operations inside the VM boundary, unlocking ultra-low latency, high throughput, and a new level of isolation. 🔥

💡 My article is also a deep dive into the evolution of HSM architecture. 🔛

📌 If you work in cloud security, infrastructure, compliance, cryptography services, or are simply curious about how Microsoft is reshaping HSM architecture… I hope this is one you’ll want to bookmark!

🙏🧷 ⬇️ Read my full article here ⬇️ 🔐 Azure Integrated HSM: A New Chapter & Shift from Centralized HSM Clusters to Embedded Silicon-to-Cloud Trust: https://aka.ms/AzHSMs

Microsoft Security #Cybersecurity #CloudSecurity #KeyManagement #Cryptography #HSM #CEK #BYOK #Compliance #FIPS140 | Mark Russinovich, Omar Khan, Bryan Kelly (NCSA), Simran Parkhe, Karen Chen, Keith Prunella, Osama Shaikh, Vasu Jakkal, Charlie Bell, Scott Guthrie, Sarah Bird, Shawn Bice, David Weston, Bharat Shah
-
🔐 Unlocking Cloud Security: Introducing Automated AWS Key Rotation in CipherTrust Cloud Key Management (CCKM)
from Darshana Manikkuwadura (Dash)

I provide an in-depth exploration of how the latest Amazon Web Services (AWS) Key Rotation capability in Thales CipherTrust Cloud Key Management (CCKM) is transforming cloud-native security for modern enterprises. As organizations face increasingly sophisticated cyber threats and rising regulatory demands, the need for automated, scalable, and auditable key management has never been more urgent.

The article explains why cryptographic key rotation is a foundational security practice, reducing exposure windows, strengthening compliance alignment, and ensuring long-term data protection across distributed cloud environments. It highlights how the new Amazon Web Services (AWS) Key Rotation feature in CCKM automates the entire lifecycle of Amazon Web Services (AWS) KMS keys, allowing security teams to define rotation schedules, manage keys across accounts and regions, and generate audit-ready logs with minimal operational overhead. The article also delves into the powerful AWS Key Discovery Tool, which helps organizations uncover key sprawl, identify dormant or orphaned keys, and centralize governance for thousands of cryptographic assets.

Through detailed insights, practical examples, and a cloud security expert’s perspective, the article demonstrates how Thales and Amazon Web Services (AWS) together enable stronger data sovereignty, operational efficiency, and zero-trust alignment. It is an essential read for CISOs, cloud architects, security engineers, and compliance leaders shaping their cloud security strategy for the future.
#CloudSecurity #DataSecurity #CyberSecurity #Encryption #KeyManagement #AWS #AWSCloud #AWSKMS #Thales #ThalesCipherTrust #CCKM #CloudCompliance #DataSovereignty #ZeroTrust #InfoSec #CyberResilience #SecurityAutomation #MultiCloud #HybridCloud #CloudGovernance #DigitalTrust #SecurityArchitecture #CloudStrategy #EnterpriseSecurity #RiskManagement #CISO #CloudInnovation #SecurityEngineers #CloudTransformation #CyberDefense #darshanamanikkuwadura Darshana Manikkuwadura (Dash)
-
3 years ago we realized that the best way to protect data was to encrypt every single sensitive value with a different key. That means if you use CipherStash every email address, dob, medicare number or SSN stored in your database is encrypted using a different key. 1000 email addresses = 1000 keys. Nuts, right!? We thought so too at first but it turns out this approach has some powerful advantages. And because CipherStash is so fast, it's very practical as well.

In traditional systems, a single key will be used to encrypt thousands or even millions of values. This is the only practical solution for current cloud-based tools because they lack the performance for anything more granular. The problem is that for security teams, knowing if a key was used doesn't provide any information about what data was decrypted. Audit logs are therefore broad-brushed: they can only record if one of perhaps 1000s of unique values or customer records were accessed.

🔑 Key per value encryption solves that! Because every key can uniquely identify what data was accessed, audit logs become powerfully precise. Now it's possible to identify exactly how data is being accessed without knowing anything about the data itself! For many of our customers having this visibility has revealed some surprising results in how their data is being accessed. Plus, because everything remains encrypted they get none of the risks of traditional access logging tools.

It turns out having a bold idea can pay off if you stick at it :)
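The key-per-value scheme this post describes, and the KEK rotation the CipherTrust post above is about, fit in one small program. The Go code below is an added example, not CipherStash's or Thales's code: every stored value gets its own fresh AES-256-GCM data key (DEK), that DEK is wrapped under a versioned key-encryption key (KEK) held in a constructed in-memory KeyStore standing in for KMS or an HSM, the record id is bound as associated data on both layers, every unwrap is logged by record rather than by key, and old KEK versions stay usable for decryption after Rotate until Retire drops them. KeyStore, Record, the audit line format and the record-id convention are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a KMS or HSM: it holds versioned key-encryption keys
// (KEKs) and logs every per-value unwrap. Constructed for this example; a real
// KEK never leaves the HSM boundary.
type KeyStore struct {
	keks    map[int][]byte // KEK version -> 32-byte AES-256 key
	current int
	Audit   []string // one entry per value a principal actually decrypted
}

// Rotate creates a new KEK version for future encryptions. Older versions stay
// usable for decryption, as KMS-style rotation does, until Retire drops them.
func (ks *KeyStore) Rotate() int {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	if ks.keks == nil {
		ks.keks = map[int][]byte{}
	}
	ks.current++
	ks.keks[ks.current] = k
	return ks.current
}

// Retire destroys a KEK version; anything still wrapped under it is lost.
func (ks *KeyStore) Retire(version int) { delete(ks.keks, version) }

// Record is what the database column stores for one encrypted value.
type Record struct {
	KEKVersion int
	WrappedDEK []byte // this value's own data key, sealed under the KEK
	Ciphertext []byte // the value, sealed under its DEK
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM(plaintext), with aad authenticated.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt draws a fresh DEK for this single value and wraps it under the
// current KEK. recordID is bound as AAD on both layers, so a ciphertext copied
// into another row or column fails to decrypt instead of silently succeeding.
func (ks *KeyStore) Encrypt(recordID string, value []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, value, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(ks.keks[ks.current], dek, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	return Record{KEKVersion: ks.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK under the KEK version stored with the record. Because
// that DEK covers exactly one value, the audit line can name the record
// without recording anything about the value itself.
func (ks *KeyStore) Decrypt(principal, recordID string, r Record) ([]byte, error) {
	kek, ok := ks.keks[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is retired", r.KEKVersion)
	}
	dek, err := open(kek, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, err
	}
	ks.Audit = append(ks.Audit, fmt.Sprintf("%s decrypted %s (KEK v%d)", principal, recordID, r.KEKVersion))
	return open(dek, r.Ciphertext, []byte(recordID))
}
```

Rotate follows the KMS model: new key material for new ciphertexts, older versions kept so existing rows still decrypt, and re-wrapping existing rows under the newest version left as a separate step. The Retire path is what the recovery testing in the IT-auditor post at the top of this page is for: a version dropped while rows still depend on it turns those rows into exactly the unrecoverable encryption that post warns about, and the audit log shows which principal touched which record, not merely that "the key was used".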
-
I'm delighted to share this update on the SEQUESTERED ENCRYPTION (SE) project. SE is a full-spectrum data privacy technology that supports, in one programmer-friendly package, encrypted computation (like FHE), verified computation (like ZKP), and safe disclosures. I am attaching a presentation I gave this week in the privacy-enhanced technology (PETs) class I am teaching this semester. The SE project is a collaboration between UM, Agita Labs, AAiT, Princeton, NYU, and Intel Labs. The SE data privacy technology centers on the SE Enclave, a 190k-gate software-free enclave that extends a CPU to support cryptographically secure *encrypted computation* that programmers and IT staff cannot see. SE computation is PROOF-CARRYING VERIFIED COMPUTATION, such that any value computed attests to how it was computed, allowing data owners to verify that shared data is only used as they allow. In addition, data owners can supply the SE enclave that allows pre-approved computation results to be SAFELY DISCLOSED if those results can be proven to be computed as agreed. The security profile of the SE enclave is exceptional. SE computation is cryptographically secure against software and hardware hacking. SE is not vulnerable to any known form of software hacking (since software can only see ciphertext), and any data or dataflow manipulation will be immediately detected by the verified computation. Data disclosures are only permitted once the computation result is cryptographically proven to be from a pre-approved computation. The SE enclave has been red-teamed in collaboration with DARPA and In-Q-Tel for three months with zero vulnerabilities detected. Additionally, a complete end-to-end formal security verification of the design was published with Princeton in an award-winning research paper. Sequestered encryption has been commercially deployed by Agita Labs in the Amazon AWS and Microsoft Azure clouds. 
A reduced-capability software-only version of sequestered encryption is available in the KEVLAR library (https://lnkd.in/dFHGkMMB). And an ongoing project with @nyu and @intel is working toward an integration of SE and FHE technologies that will provide consumer-grade and military-grade secure computation in a single enclave. Here are the presentation slides. To learn more about SE, there is a full bibliography at the end of the presentation: https://lnkd.in/dZN8uwuD To learn more about the commercial version of SE, please visit Agita Labs (http://agitalabs.com), or reach out to me. #privacy #cryptography #fhe #security #computerarchitecture #hardwaresecurity
-
🔐 Data in Use: Protection Strategies

⚠️ The Challenge
When data is being processed in memory (RAM/CPU), it’s usually decrypted, which makes it vulnerable to:
💥 Insider threats
💥 Malware/memory scraping
💥 Cloud provider access

✅ Solutions for Data in Use

1. Homomorphic Encryption (HE)
Data stays encrypted even during computation. Supports analytics, AI/ML, and calculations without exposing raw values.
💥 Use case: A hospital can run statistics on encrypted patient data without seeing individual records.
Downside: Very slow for large-scale real-time workloads (still improving).

2. Secure Enclaves / Trusted Execution Environments (TEEs)
Hardware-based isolation → a secure “enclave” inside the CPU where data is decrypted and processed. Even the system admin or cloud provider cannot see inside.
✨ Examples:
💥 Intel SGX
💥 AMD SEV
💥 AWS Nitro Enclaves → lets you isolate EC2 instances for secure key management, medical data processing, payment transactions, etc.
💥 Use case: A bank can run fraud detection models on sensitive financial data in the cloud without exposing it to AWS staff.

3. Confidential Computing
Broader concept: combines TEEs, encrypted memory, and sometimes HE. Ensures that data remains protected throughout its lifecycle (rest, transit, use).
✨ Cloud examples:
💥 AWS Nitro Enclaves
💥 Azure Confidential Computing
💥 Google Confidential VMs

4. Secure Multi-Party Computation (MPC)
Multiple parties compute a function jointly without revealing their private inputs. Often used in cryptocurrency custody, federated learning, and zero-knowledge proofs.
💥 Example: Banks collaboratively detect fraud patterns without sharing customer records.

#learnwithswetha #encryption #datainuse #learning #dataprotection #privacy
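Of the four techniques in the post above, MPC is the one that can be shown end to end without special hardware or an FHE library. The Go program below is an added example, not from the post: three constructed parties (the "banks") each hold a private count, split it into additive shares over a prime field, exchange one share with every party, and publish only the sum of the shares they received; adding those published partials gives the joint total while no message ever carries an individual input. Party, Share, SecureSum and the choice of modulus are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"math/big"
)

// P is the field modulus. Every share is a uniform element of Z_P, so the
// inputs must sum to less than P for the result to read back as an integer.
var P, _ = new(big.Int).SetString("2305843009213693951", 10) // 2^61 - 1, prime

// Share splits secret into n additive shares: n-1 uniformly random field
// elements and one chosen so that all n sum to secret mod P. Any n-1 of them
// are independent of the secret.
func Share(secret *big.Int, n int) []*big.Int {
	shares := make([]*big.Int, n)
	sum := new(big.Int)
	for i := 0; i < n-1; i++ {
		r, err := rand.Int(rand.Reader, P)
		if err != nil {
			panic(err)
		}
		shares[i] = r
		sum.Add(sum, r)
	}
	last := new(big.Int).Sub(secret, sum)
	shares[n-1] = last.Mod(last, P) // Mod is Euclidean, so the result is in [0, P)
	return shares
}

// Reconstruct adds shares mod P. It is also what each party does to the
// shares it received in order to form the partial sum it publishes.
func Reconstruct(shares []*big.Int) *big.Int {
	total := new(big.Int)
	for _, s := range shares {
		total.Add(total, s)
	}
	return total.Mod(total, P)
}

// Party is one bank. Its input never leaves the struct; the only value it
// publishes is the sum of the shares it received.
type Party struct {
	Name     string
	input    *big.Int
	received []*big.Int
}

func NewParty(name string, input int64) *Party {
	return &Party{Name: name, input: big.NewInt(input)}
}

// SecureSum runs the semi-honest protocol: each party shares its input with
// every party (share j goes to party j over a private channel), each party
// adds up what it received, and the published partials are summed. No message
// ever carries a party's input in the clear.
func SecureSum(parties []*Party) *big.Int {
	n := len(parties)
	for _, p := range parties {
		p.received = nil
	}
	for _, p := range parties {
		for j, sh := range Share(p.input, n) {
			parties[j].received = append(parties[j].received, sh)
		}
	}
	partials := make([]*big.Int, n)
	for j, p := range parties {
		partials[j] = Reconstruct(p.received)
	}
	return Reconstruct(partials)
}
```

Additive sharing is n-of-n: as long as one party keeps its own shares private, the others learn nothing about any individual input beyond what the published total itself implies, and that last clause is the part MPC does not solve for you (a total over two banks reveals each one's count to the other). Production deployments add authenticated channels and checks against parties who deviate from the protocol; this block shows only the honest-but-curious case.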
-
Part 1: Data Encryption in AWS: Your Blueprint to Securing Cloud Assets

Data is the crown jewel of the cloud 🌟 and encryption is your fortress. Whether safeguarding customer data or meeting strict compliance mandates, AWS equips you with tools to lock down your workloads. Let's break down core strategies:

1️⃣ Encryption at Rest: Lock Down Stored Data
Ensure data is encrypted by default across AWS services:
• Amazon S3: Enable server-side encryption (SSE) using AWS-managed keys (SSE-S3) or customer-managed keys (SSE-KMS) for granular control.
• Amazon RDS: Activate encryption during database creation via AWS KMS; no retroactive option!
• Amazon EBS: Encrypt volumes at creation (it's seamless!) to protect storage-layer data.
🔑 Pro Tip: Use IAM policies to enforce encryption and prevent accidental exposure of unencrypted resources.

2️⃣ Encryption in Transit: Guard Data on the Move
Secure data as it travels between services or to users:
• TLS Only: Mandate TLS for API calls, database connections, and inter-service communication.
• CloudFront & S3: Enforce HTTPS for content delivery via CloudFront and use S3 bucket policies to block non-HTTPS requests.
• Database Security: Enable SSL/TLS for RDS, Redshift, and DynamoDB connections.
⚠️ Did You Know? S3 encrypts data in transit by default via HTTPS, but double-check bucket policies!

3️⃣ Master Key Management with AWS KMS
Centralize control without sacrificing flexibility:
• Customer-Managed Keys (CMKs): Define policies, track usage, and rotate keys manually or enable annual auto-rotation for symmetric keys (AWS auto-rotates its own keys).
• Least Privilege: Restrict key access via IAM policies and audit usage with CloudTrail.
• Cross-Account Access: Share keys securely across accounts for hybrid workflows.
🔍 Pro Tip: Use KMS key aliases to simplify key updates without changing code.

In Part 2, we'll explore how to manage sensitive information, automate compliance checks, and summarize some key points to remember.
👀 #AWS #awscommunity #CloudSecurity #Encryption #DataProtection #TechTips
-
🚨 CISA & NSA release Crucial Guide on Network Segmentation and Encryption in Cloud Environments 🚨

In response to the evolving requirements of cloud security, the Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a comprehensive Cybersecurity Information Sheet (CSI): "Implement Network Segmentation and Encryption in Cloud Environments." This document provides detailed recommendations to enhance the security posture of organizations operating within cloud infrastructures (that probably means you).

Key Takeaways Include:
🔐 Network Encryption: The document underscores the importance of encrypting data in transit as a defense mechanism against unauthorized data access.
🌐 Secure Client Connections: Establishing secure connections to cloud services is fundamental.
🔎 Caution on Traffic Mirroring: While recognizing the benefits of traffic mirroring for network analysis and threat detection, the guidance cautions against potential misuse that could lead to data exfiltration and advises careful monitoring of this feature.
🛡️ Network Segmentation: Stressed as a foundational security principle, network segmentation is recommended to isolate and contain malicious activities, thereby reducing the impact of any breach.

This collaboration between NSA and CISA provides actionable recommendations for organizations to strengthen their cloud security practices. The emphasis is on strategically implementing network segmentation and end-to-end encryption to secure cloud environments effectively. Information security leaders are encouraged to review this guidance to understand better the measures necessary to protect cloud-based assets. Implementing these recommendations will contribute to a more secure, resilient, and compliant cloud infrastructure. Access the complete guidance provided by the NSA and CISA to fully understand these recommendations and their application to your organization’s cloud security strategy.
📚 Read CISA & NSA's complete guidance here: https://lnkd.in/eeVXqMSv #cloudcomputing #technology #informationsecurity #innovation #cybersecurity
-
Encrypting Data with AWS KMS: Hands-on Cloud Security Project

Today I worked on a project focused on one of the most critical aspects of cloud computing: data security and encryption. In this hands-on exercise, I explored how AWS Key Management Service (KMS) works alongside Amazon DynamoDB and AWS IAM to protect sensitive data stored in the cloud. The goal was to understand not only how encryption works, but also how access control and encryption policies interact to secure data properly.

💡 What I implemented and learned:
• Created and configured a Customer Managed KMS Key
• Integrated the key with Amazon DynamoDB encryption at rest
• Explored the differences between AWS owned, AWS managed, and customer managed keys
• Observed how transparent encryption allows authorized users to read data while it remains encrypted at rest
• Configured IAM permissions and KMS key policies to control access to encrypted data
• Tested security by creating a restricted IAM user and validating that access fails without proper KMS permissions
• Granted controlled permissions to allow the user to successfully decrypt the data

One of the most interesting parts of this project was seeing how encryption and access control work together. Even when a user had full DynamoDB permissions, they still couldn't access the data without the correct KMS key permissions. It was a great demonstration of how layered security protects cloud resources.

🛠 Technologies used: AWS KMS | Amazon DynamoDB | AWS IAM | Encryption | Key Policies | Access Control

This project reinforced how essential encryption, key management, and identity permissions are when designing secure cloud systems. Excited to keep building and strengthening my cloud security and AWS architecture skills.

#AWS #CloudSecurity #AWSKMS #DynamoDB #IAM #CloudComputing #CyberSecurity #Encryption #AWSProjects #LearningInPublic
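Two of the checks an auditor would run over the policies this post and the "Data Encryption in AWS" post above talk about, and that the IT-auditor post at the top of the page asks for under "Encryption in Transit" and "Access to Keys": does an S3 bucket policy actually deny requests that arrive without TLS, and does a KMS key policy hand any action to every principal with no condition attached? The Go program below is an added example, not AWS code and not the author's lab: it parses the string-or-array shapes that IAM-style policy JSON uses and runs both checks over constructed sample policies (the 111122223333 account id and the bucket name are placeholders). EnforcesTLS and PublicGrants are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// StrOrList accepts the string-or-array form that Action and Principal.AWS
// take in AWS policy documents.
type StrOrList []string

func (s *StrOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = StrOrList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

// Statement keeps only the fields the checks need; encoding/json ignores the rest.
type Statement struct {
	Sid       string
	Effect    string
	Principal json.RawMessage
	Action    StrOrList
	Condition map[string]map[string]json.RawMessage
}

type Policy struct{ Statement []Statement }

// anyone reports whether a Principal element matches every caller: "*" or {"AWS": "*"}.
func anyone(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "*"
	}
	var m map[string]StrOrList
	if json.Unmarshal(raw, &m) != nil {
		return false
	}
	for _, v := range m["AWS"] {
		if v == "*" {
			return true
		}
	}
	return false
}

func hasAction(actions StrOrList, want string) bool {
	for _, a := range actions {
		if a == "*" || a == want {
			return true
		}
	}
	return false
}

// EnforcesTLS looks for the canonical bucket-policy statement that denies
// every S3 action to every principal when aws:SecureTransport is false.
func EnforcesTLS(bucketPolicy string) (bool, error) {
	var p Policy
	if err := json.Unmarshal([]byte(bucketPolicy), &p); err != nil {
		return false, err
	}
	for _, st := range p.Statement {
		if st.Effect != "Deny" || !anyone(st.Principal) || !hasAction(st.Action, "s3:*") {
			continue
		}
		raw, ok := st.Condition["Bool"]["aws:SecureTransport"]
		var v interface{} // IAM accepts the string "false" and the bare literal false
		if ok && json.Unmarshal(raw, &v) == nil && fmt.Sprint(v) == "false" {
			return true, nil
		}
	}
	return false, nil
}

// PublicGrants returns the Sids of Allow statements in a key policy that reach
// every caller with no Condition at all, i.e. the key is usable from any AWS
// account that can name it.
func PublicGrants(keyPolicy string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(keyPolicy), &p); err != nil {
		return nil, err
	}
	var sids []string
	for _, st := range p.Statement {
		if st.Effect == "Allow" && anyone(st.Principal) && len(st.Condition) == 0 {
			sids = append(sids, st.Sid)
		}
	}
	return sids, nil
}

// Constructed sample policies (placeholder account id and bucket name). The weak
// bucket policy only grants reads; the fixed one adds the TLS-only deny; the
// key policy leaks kms:Decrypt to everyone.
const bucketPolicyWeak = `{"Version":"2012-10-17","Statement":[
 {"Sid":"AppRead","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:role/app"},
  "Action":["s3:GetObject"],"Resource":"arn:aws:s3:::example-bucket/*"}]}`

const bucketPolicyFixed = `{"Version":"2012-10-17","Statement":[
 {"Sid":"AppRead","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:role/app"},
  "Action":["s3:GetObject"],"Resource":"arn:aws:s3:::example-bucket/*"},
 {"Sid":"DenyInsecureTransport","Effect":"Deny","Principal":"*","Action":"s3:*",
  "Resource":["arn:aws:s3:::example-bucket","arn:aws:s3:::example-bucket/*"],
  "Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}`

const keyPolicyLeaky = `{"Version":"2012-10-17","Statement":[
 {"Sid":"EnableRoot","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},
  "Action":"kms:*","Resource":"*"},
 {"Sid":"LegacyDecrypt","Effect":"Allow","Principal":"*","Action":"kms:Decrypt","Resource":"*"}]}`
```

Both checks are deliberately narrow. EnforcesTLS only recognises the canonical Deny / Principal "*" / s3:* / aws:SecureTransport=false statement, so a policy that tries to get the same effect through scattered Allow conditions is reported as not enforcing, which is the safer default for an audit script. PublicGrants does not report an Allow to "*" that carries a Condition (for example kms:ViaService or kms:CallerAccount); those still deserve a manual read, but they are a different finding from a key anyone can use. The DynamoDB experiment in the post above is the same mechanism seen from the other side: a principal with full table permissions but no kms:Decrypt grant in the key policy is exactly what the key policy, not the IAM policy, decides.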