Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Categories
Blogs

AWS Key Management Service (KMS) Part Two

Unlocking the Power of AWS Key Management Service (KMS) Part Two

In today’s digital landscape, robust security solutions are essential as organizations migrate to the cloud. Encryption is crucial for protecting sensitive data in transit and at rest. Amazon Web Services (AWS) provides a comprehensive encryption solution with its Key Management Service (KMS). This article explores what AWS KMS is and how it can enhance your security posture. Additionally, we will demonstrate how to create KMS customer-managed keys and encrypt simple plain text data stay tuned.

What is KMS

AWS Key Management Service (KMS) is a managed service that makes it easy to create, manage, and control cryptographic keys used to encrypt your data. It provides centralized control over the encryption keys used to protect your data across a wide range of AWS services and in your applications. AWS KMS is designed to simplify key management and maintain a high level of security and compliance.

Key features of AWS KMS include:

Centralized Key Management: Manage encryption keys centrally, controlling their lifecycle from creation to deletion.

Integration with AWS Services: Seamlessly integrate with various AWS services like Amazon S3, Amazon EBS, and Amazon RDS to facilitate encryption.

Scalability: Handle a vast number of keys efficiently, scaling with your needs.

Access Control and Policies: Utilize AWS Identity and Access Management (IAM) policies and KMS-specific key policies for fine-grained access control.

Audit and Compliance: Leverage AWS CloudTrail to log all key usage and management activities, aiding in compliance and visibility.

Encryption Using the CMK

Create CMK on AWS. This will be the key that will be used to encrypt your data.

Encode your message with Base64. This common step in most encryption procedures ensures that binary data can be transported over channels without modification.

Encrypt your message using the CMK by calling the AWS KMS encrypt command.

let’s proceed as follows.

Log in to the management console and in the search box, type KMS then select key management service under services.

In the KMS dashboard on the left side of the navigation pane, click customer managed keys. 

Then in the customer-managed keys dashboard, click Create key.

We will create a symmetric key and key usage will be encrypt and decrypt. Make sure these options are selected then click the advanced options dropdown button.

in the advanced option, we have an option of selecting single region and multi-region keys. For this demo, we will move with the single region keys. But in case you want to use your key for multi-region, you can select that option and then click next.

An alias is a friendly name you can give your key, so under an alias, I will call my key demokms-alias. We will use this alias in the API call for encrypting and decrypting our data. Click next.

Next, we will define a key administrator, I will select one of the I AM users and make him admin for this KMS key we are creating. Make sure the box on allow key administrators to delete this key is checked.

Next, we will define key usage permission so here we select I AM users and AWS services we want to use this KMS key. You do this by just ticking the boxes and then click next.

Review your key creation.

In the review section, we can see a key policy was generated for us depending on the boxes we ticked.
Click Finish to finish creating your key.

Congratulations, we have successfully created our KMS key.

We will now use this created KMS key to encrypt plain text data.
We will leverage cloud shell to achieve this, so open cloud shell environment. When your cloud shell is ready, then you can echo some text documents as shown.

When we list the contents of our terminal we can see the text file.

Then to encrypt our data we will run the below command.

Listing contents of our we can see our rdspaswwad.txt. encrypted.

When we cat the contents of the encrypted file, we can now not see the plain text.

Run this command to decrypt your encrypted file.

Listing contents a gain we can see our decrypted data.

When we cat the contents of our encrypted file, we can now again read our plain text since it has been decrypted.

Thats it. To now delete our KMS key, remember you cannot immediately delete a KMS key but only schedule the key deletion period.
This is to avoid accidentally deleting keys that are in use.
So, select your kms key click the key action drop-down button then select schedule key deletion.

For the key deletion period, select 7 days then check the confirmation box that you want to schedule key deletion. Then select schedule key deletion.

And that’s it we have successfully scheduled our key for deletion.

Conclusion

AWS KMS provides a secure manageable solution for handling cryptographic keys in the cloud. It simplifies encryption, enhances data protection, and ensures efficient key management aiding in security and compliance.
This brings us to the end of this blog, thanks for reading, and stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at [email protected].

Thank you!

Categories
Blogs

Cisco Umbrella

Cisco Umbrella

Cisco Umbrella

In today’s fast-paced digital world, the need for robust security measures is more critical than ever. Cisco Umbrella, a cloud-delivered security service, is one of the leading solutions in providing secure internet access and controlling cloud app usage from your network, branch offices, and roaming users. This article delves into the configuration of Cisco Umbrella, ensuring your organization remains protected against cyber threats.

Understanding Cisco Umbrella

Cisco Umbrella offers a range of security functionalities, including secure web gateways, DNS-layer security, firewall, and cloud access security broker (CASB) capabilities. It blocks malware, phishing, and command-and-control callbacks over any port or protocol, preventing potential attacks before they even occur.

Components of Cisco Umbrella

Before diving into policy configuration, it’s crucial to understand the key components of Cisco Umbrella:

  1. DNS Security: Umbrella uses the Domain Name System (DNS) to block malicious domains before a connection is ever established.
  2. Secure Web Gateway (SWG): Provides deeper inspection of web traffic to prevent malware from being downloaded or data from being exfiltrated.
  3. Cloud-Delivered Firewall: Manages and enforces application, URL, and IP-based policies to restrict inappropriate access.
  4. Cloud Access Security Broker (CASB): Offers visibility and control over the use of sanctioned and unsanctioned cloud services.
  5. API Integrations: Integrates with other security solutions to provide comprehensive protection.

Configuring Cisco Umbrella Policies

Configuring policies in Cisco Umbrella involves setting rules that dictate how traffic is handled. These policies help in controlling access to malicious sites, enforcing acceptable use policies, and securing sensitive data. Here’s a step-by-step guide to configuring these policies:

  1. Accessing the Umbrella Dashboard:
    • Log in to your Cisco Umbrella account.
    • Navigate to the Dashboard, where you can manage and configure your policies.
  2. Creating Policy Sets:
    • Go to the Policies section and select Policy Components.
    • Click on Create New Policy Set. Name your policy set to reflect its purpose, such as “Corporate Office” or “Remote Workers.”
  3. Defining Policy Rules:
    • Within the policy set, you can define specific rules based on your organization’s needs.
    • Security Settings: Enable DNS-layer security to block malicious domains and prevent malware, phishing, and command-and-control callbacks.
    • Content Filtering: Use content categories to block access to inappropriate or non-work-related websites. For example, you can restrict access to social media, gambling, or adult content.
    • Application Settings: Control access to cloud applications using the CASB feature. You can define which applications are allowed, monitored, or blocked.
  4. Setting Up SafeSearch and YouTube Restrictions:
    • Under the Content Filtering section, enable SafeSearch to ensure inappropriate content is filtered out from search engine results.
    • Enable YouTube Restricted Mode to prevent users from viewing adult or inappropriate content on YouTube.
  5. Configuring Firewall Policies:
    • Navigate to the Firewall section.
    • Create rules to control traffic based on IP addresses, ports, and protocols. This helps in blocking unwanted or potentially harmful traffic.
  6. Applying the Policy:
    • Once the policy set is configured, apply it to specific networks, user groups, or devices.
    • Use the Identity Management section to assign policies to different user identities, such as Active Directory users, network devices, or roaming clients.
  7. Monitoring and Reporting:
    • Cisco Umbrella provides comprehensive reporting tools. Regularly monitor these reports to understand the effectiveness of your policies and to make necessary adjustments.
    • Use the Reports section to view details on blocked requests, security threats, and overall internet activity within your organization.
    • Monitoring can also be found right at the main Dashboard screen, see below for an example:security-category-graph

Best Practices for Policy Configuration

  • Regularly Update Policies: Cyber threats evolve, and so should your policies. Regularly review and update your policies to address new risks and vulnerabilities.
  • User Education: Educate users about the importance of these policies and the role they play in maintaining organizational security.
  • Leverage Integrations: Integrate Cisco Umbrella with other security tools for a more comprehensive defense strategy.
  • Test Policies: Before applying new policies organization-wide, test them in a controlled environment to ensure they don’t disrupt business operations.

Conclusion

Configuring Cisco Umbrella is essential for maintaining a secure and resilient IT environment. By understanding the various components and carefully setting up policies, organizations can effectively protect against a wide range of cyber threats. Regular monitoring and updates ensure that these protections remain robust in the face of evolving challenges, providing peace of mind and a secure digital experience for all users.

If you have any questions concerning this article or would like for us to assist you with your Cisco Umbrella installation and configuration, please reach out to us by emailing us at [email protected] or call us at 415-408-6111 and we can have an initial discovery call to discuss your requirements.