With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by using HTTPS. Field-level encryption adds an additional layer of security that lets you protect specific data throughout system processing so that only certain applications can see it.
Field-level encryption lets your users securely upload sensitive information to your web servers. The sensitive information they provide is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack, so only the applications that need the data, and that hold the credentials to decrypt it, can read it.

To use field-level encryption, when you configure your CloudFront distribution, specify the set of fields in POST requests that you want to be encrypted and the public key to use to encrypt them. You can encrypt up to 10 data fields in a request. (You can't encrypt all of the data in a request with field-level encryption; you must specify individual fields to encrypt.)

When the HTTPS request with field-level encryption is forwarded to the origin, and the request is routed through your origin application or subsystems, the sensitive data is still encrypted, reducing the risk of a data breach or accidental loss of that data. Components that need the sensitive data for business reasons, such as a payment processing system that needs the credit card number, use the corresponding private key to decrypt and access it; every other component in the path sees only ciphertext.

To use field-level encryption, your origin must support chunked encoding.

CloudFront field-level encryption uses asymmetric encryption, also known as public key encryption. You provide a public key to CloudFront, and all sensitive data that you specify is encrypted automatically. The key you provide to CloudFront cannot be used to decrypt the encrypted values; only your private key can do that.
Overview of field-level encryption

The following steps provide an overview of setting up field-level encryption. For specific steps, see Setting up field-level encryption.

Setting up field-level encryption

Follow these steps to get started using field-level encryption. To learn about quotas (formerly known as limits) on field-level encryption, see Quotas.
Step 1: Create an RSA key pair

To get started, you must create an RSA key pair that includes a public key and a private key. The public key enables CloudFront to encrypt data, and the private key enables components at your origin to decrypt the fields that have been encrypted. Only the public key is ever given to CloudFront; the private key stays with the origin components that decrypt, and must be protected accordingly. You can use OpenSSL or another tool to create a key pair. The key size must be 2048 bits. For example, if you're using OpenSSL, you can use the following command to generate a key pair with a length of 2048 bits and save it in the file

The resulting file contains both the public and the private key. To extract the public key from that file, run the following command:
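The whole of Step 1 as one script, added here as an illustration; it is not taken from the CloudFront documentation. It assumes OpenSSL is on the PATH and uses the file names private_key.pem, public_key.pem and private_key.pkcs8.pem in a scratch directory; those names are choices, not anything the page prescribes. Beyond what the step describes, it also verifies the 2048-bit size, verifies that the public half really belongs to the private half, keeps the private key owner-readable only, and writes a PKCS#8 copy of the private key, because OpenSSL 1.x writes PKCS#1 by default while most origin-side key loaders expect PKCS#8.

```shell
#!/bin/sh
# Added example, not from the CloudFront docs. Generates the RSA-2048 pair that
# field-level encryption requires and checks it before the public half is uploaded.
# Assumptions: OpenSSL is on PATH; the file names and scratch directory are arbitrary.
umask 077                                   # the private key is the decryption key: owner-only
WORK=${FLE_WORKDIR:-$(mktemp -d)}           # scratch directory (assumed) so nothing is clobbered
PRIV="$WORK/private_key.pem"                # stays at the origin, never goes to CloudFront
PUB="$WORK/public_key.pem"                  # this is what you add in the CloudFront console
PKCS8="$WORK/private_key.pkcs8.pem"         # PKCS#8 copy for SDK key loaders

# Size in bits of the RSA public key in a PEM file, taken from openssl's text dump.
fle_key_bits() {
  openssl rsa -pubin -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# True when the public key in $2 is the public half of the private key in $1.
# A mismatch here means the origin could never decrypt what CloudFront sends.
fle_keys_match() {
  [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
    "$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Label of the first PEM block in a file: PUBLIC KEY, RSA PRIVATE KEY or PRIVATE KEY.
fle_pem_label() {
  sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Step 1 as the docs describe it: generate the pair, then extract the public key.
openssl genrsa -out "$PRIV" 2048 2>/dev/null
openssl rsa -in "$PRIV" -pubout -out "$PUB" 2>/dev/null

# Checks that CloudFront does not perform for you.
[ "$(fle_key_bits "$PUB")" = "2048" ] || { echo "key is not 2048 bits" >&2; exit 1; }
fle_keys_match "$PRIV" "$PUB" || { echo "public key does not match private key" >&2; exit 1; }

# Caveat: genrsa on OpenSSL 1.x writes PKCS#1 ("BEGIN RSA PRIVATE KEY"); OpenSSL 3 writes
# PKCS#8 ("BEGIN PRIVATE KEY"). Most AWS Encryption SDK key loaders want PKCS#8, so keep a
# converted copy regardless of which OpenSSL produced the original.
openssl pkcs8 -topk8 -nocrypt -in "$PRIV" -out "$PKCS8"

echo "upload to CloudFront: $PUB ($(fle_pem_label "$PUB"), $(fle_key_bits "$PUB") bits)"
echo "keep at the origin:   $PKCS8 ($(fle_pem_label "$PKCS8"))"
```

The modulus comparison is the check worth keeping in any provisioning pipeline: CloudFront accepts any well-formed 2048-bit RSA public key, so uploading the wrong file fails only later, when the origin cannot decrypt a single request.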
The public key file (

Step 2: Add your public key to CloudFront

After you get your RSA key pair, add your public key to CloudFront.

To add your public key to CloudFront (console)
You can add more keys to use with CloudFront by repeating the steps in the procedure.

Step 3: Create a profile for field-level encryption

After you add at least one public key to CloudFront, create a profile that tells CloudFront which fields to encrypt.

To create a profile for field-level encryption (console)
Step 4: Create a configuration

After you create one or more field-level encryption profiles, create a configuration that specifies the content type of the request that includes the data to be encrypted, the profile to use for encryption, and other options that specify how you want CloudFront to handle encryption. For example, when CloudFront can't encrypt the data, you can specify whether CloudFront should block or forward a request to your origin in the following scenarios:
In a configuration, you can also specify whether providing a profile as a query argument in a URL overrides a profile that you've mapped to the content type for that query. By default, CloudFront uses the profile that you've mapped to a content type, if you specify one. This lets you have a profile that's used by default but decide for certain requests that you want to enforce a different profile. So, for example, you might specify (in your configuration)

You can create up to 10 configurations for a single account, and then associate one of the configurations to the cache behavior of any distribution for the account.

To create a configuration for field-level encryption (console)
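Steps 3 and 4 above are console procedures; the same profile and configuration can be created with the AWS CLI, which makes the block-or-forward choice explicit. The script below is an added illustration and is not taken from the CloudFront documentation. It assumes the JSON layout of the CloudFront API's FieldLevelEncryptionProfileConfig and FieldLevelEncryptionConfig types; the public key ID, profile ID, provider ID, field names, caller references and query argument name in it are placeholders. The two Forward... flags are the security-relevant setting: true forwards a request that CloudFront could not encrypt to the origin with the sensitive fields in the clear, false blocks it at the edge.

```shell
#!/bin/sh
# Added example, not from the CloudFront docs. Emits the JSON for a field-level
# encryption profile (Step 3) and configuration (Step 4) in the layout the CloudFront
# API uses, and reports which way the configuration fails. IDs and names are placeholders.

# Profile: which fields to encrypt, with which CloudFront public key, and the provider ID
# that the origin's master key provider must be configured with to decrypt.
fle_profile_json() {       # $1 = CloudFront public key ID, $2 = provider ID
  cat <<EOF
{
  "Name": "payments-profile",
  "CallerReference": "payments-profile-$(date +%s)",
  "Comment": "encrypt card data at the edge",
  "EncryptionEntities": {
    "Quantity": 1,
    "Items": [
      {
        "PublicKeyId": "$1",
        "ProviderId": "$2",
        "FieldPatterns": { "Quantity": 2, "Items": ["card_number", "card_cvv"] }
      }
    ]
  }
}
EOF
}

# Configuration: map the form content type to the profile. The two Forward* flags decide
# what happens when CloudFront cannot apply a profile:
#   false -> the request is blocked (fail closed)
#   true  -> the request reaches the origin with the fields unencrypted
fle_config_json() {        # $1 = profile ID, $2 = "true" or "false" for both Forward* flags
  cat <<EOF
{
  "CallerReference": "payments-config-$(date +%s)",
  "Comment": "field-level encryption for the checkout form",
  "ContentTypeProfileConfig": {
    "ForwardWhenContentTypeIsUnknown": $2,
    "ContentTypeProfiles": {
      "Quantity": 1,
      "Items": [
        { "Format": "URLEncoded", "ProfileId": "$1", "ContentType": "application/x-www-form-urlencoded" }
      ]
    }
  },
  "QueryArgProfileConfig": {
    "ForwardWhenQueryArgProfileIsUnknown": $2,
    "QueryArgProfiles": {
      "Quantity": 1,
      "Items": [ { "QueryArg": "fle-profile", "ProfileId": "$1" } ]
    }
  }
}
EOF
}

# Succeeds when the configuration on stdin can ever forward unencrypted fields to the origin.
fle_config_forwards_plaintext() {
  grep -Eq '"ForwardWhen(ContentType|QueryArgProfile)IsUnknown": *true'
}

# Usage with real IDs and credentials (placeholders shown):
#   fle_profile_json EXAMPLE_PUBLIC_KEY_ID payments-origin > profile.json
#   aws cloudfront create-field-level-encryption-profile \
#       --field-level-encryption-profile-config file://profile.json
#   fle_config_json EXAMPLE_PROFILE_ID false > config.json
#   aws cloudfront create-field-level-encryption-config \
#       --field-level-encryption-config file://config.json
if fle_config_json EXAMPLE_PROFILE_ID true | fle_config_forwards_plaintext; then
  echo "permissive: requests CloudFront cannot encrypt reach the origin in the clear"
fi
if ! fle_config_json EXAMPLE_PROFILE_ID false | fle_config_forwards_plaintext; then
  echo "hardened: requests CloudFront cannot encrypt are blocked at the edge"
fi
```

Keep both flags false unless the origin is prepared to treat an unencrypted field as a hard error; with either flag true, a client that sends an unexpected content type or an unknown profile name in the query string gets its data past the edge unencrypted.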
Step 5: Add a configuration to a cache behavior

To use field-level encryption, link a configuration to a cache behavior for a distribution by adding the configuration ID as a value for your distribution. To link a field-level encryption configuration to a cache behavior, the distribution must be configured to always use HTTPS, and to accept HTTP
For more information, see Values that you specify when you create or update a distribution.

Decrypting data fields at your origin

CloudFront encrypts data fields by using the AWS Encryption SDK. The data remains encrypted throughout your application stack and can be accessed only by applications that have the credentials to decrypt it. After encryption, the ciphertext is base64 encoded. When your applications decrypt the text at the origin, they must first decode the ciphertext, and then use the AWS Encryption SDK to decrypt the data. Decrypt as late as possible, in the component that needs the plaintext, rather than at an ingress proxy; every hop after decryption sees the data in the clear. The following code example illustrates how applications can decrypt data at your origin. Note the following:
Sample code
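Because the page's sample is not reproduced above, the following added script (not the documentation's own sample) shows the first thing an origin does with a field value: base64-decode it and read the AWS Encryption SDK message header, which names the key provider ID and key ID that each encrypted data key was wrapped for. With up to ten public keys registered in CloudFront, that is how the origin selects the matching private key before handing the bytes to the SDK, and how it rejects values that are not SDK messages at all. The header layout used here (version 1: version byte, type byte, algorithm ID, 16-byte message ID, length-prefixed encryption context, then length-prefixed encrypted data keys) is the Encryption SDK's published message format, not something this page states. The sample message is constructed by hand: the provider ID "payments-origin", the key ID "fle-key-1" and the three-byte stand-in for the wrapped data key are made up, and no decryptable body follows the header.

```shell
#!/bin/sh
# Added example, not from the CloudFront docs. Inspects a base64 field-level encryption
# value at the origin: checks that it is an AWS Encryption SDK message (version 1 header)
# and lists the key provider ID / key ID of each encrypted data key, so the matching
# private key can be chosen before decrypting. The message format is the Encryption SDK's
# published one; the sample message below is constructed, not CloudFront output.

# base64 text -> one line of lowercase hex
fle_to_hex() { printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n'; }

# hex -> raw bytes on stdout (plain text when captured with $(...))
fle_hex_to_bytes() {
  h=$1
  while [ -n "$h" ]; do
    pair=$(printf '%s' "$h" | cut -c1-2); h=$(printf '%s' "$h" | cut -c3-)
    printf "\\$(printf '%03o' "$((0x$pair))")"
  done
}

# fle_slice HEX OFFSET COUNT -> the COUNT bytes at byte OFFSET, as hex
fle_slice() {
  if [ "$3" -eq 0 ]; then return 0; fi
  printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( ($2 + $3) * 2 ))"
}

# Prints "providerId<TAB>keyId<TAB>wrappedKeyLength" for each encrypted data key, or fails.
fle_edk_info() {
  hex=$(fle_to_hex "$1")
  if [ "$(fle_slice "$hex" 0 2)" != "0180" ]; then
    echo "not a version-1 AWS Encryption SDK message" >&2; return 1
  fi
  aad_len=$(( 0x$(fle_slice "$hex" 20 2) ))        # encryption context length; skipped here
  off=$(( 22 + aad_len ))
  edk_count=$(( 0x$(fle_slice "$hex" "$off" 2) )); off=$(( off + 2 ))
  i=0
  while [ "$i" -lt "$edk_count" ]; do
    pid_len=$(( 0x$(fle_slice "$hex" "$off" 2) )); off=$(( off + 2 ))
    pid=$(fle_hex_to_bytes "$(fle_slice "$hex" "$off" "$pid_len")"); off=$(( off + pid_len ))
    kid_len=$(( 0x$(fle_slice "$hex" "$off" 2) )); off=$(( off + 2 ))
    kid=$(fle_hex_to_bytes "$(fle_slice "$hex" "$off" "$kid_len")"); off=$(( off + kid_len ))
    edk_len=$(( 0x$(fle_slice "$hex" "$off" 2) )); off=$(( off + 2 + edk_len ))
    printf '%s\t%s\t%s\n' "$pid" "$kid" "$edk_len"
    i=$(( i + 1 ))
  done
}

# Constructed sample: v1 header, algorithm 0x0078, message ID 00..0f, a one-pair encryption
# context, one encrypted data key for provider "payments-origin" / key ID "fle-key-1" with a
# 3-byte stand-in wrapped key (a real RSA-2048 wrapped key is 256 bytes), then the content
# type, reserved bytes, IV length, frame length and an all-zero header auth block. No body.
SAMPLE_HEX=$(printf '%s' \
  '01' '80' '0078' '000102030405060708090a0b0c0d0e0f' \
  '0008' '0001' '0001' '6b' '0001' '76' \
  '0001' \
  '000f' '7061796d656e74732d6f726967696e' \
  '0009' '666c652d6b65792d31' \
  '0003' 'aabbcc' \
  '02' '00000000' '0c' '00001000' \
  '000000000000000000000000' '00000000000000000000000000000000')
SAMPLE_B64=$(fle_hex_to_bytes "$SAMPLE_HEX" | base64 | tr -d '\n')

fle_edk_info "$SAMPLE_B64"      # payments-origin<TAB>fle-key-1<TAB>3
```

Whatever decrypts must be given a master key provider whose provider ID and key ID match the values found here, or the SDK reports that it cannot find a matching key; the provider ID is the one set on the profile's encryption entity, and the key ID should be checked against the ID CloudFront assigned to your public key. A value whose first two bytes are not a recognised header should be rejected before any private key is loaded.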
What type of encryption is used by mobile applications to encrypt data in transit?
Mobile applications normally rely on Transport Layer Security (TLS) to encrypt data in transit; HTTPS is TLS applied to HTTP. Secure/Multipurpose Internet Mail Extensions (S/MIME) is often used for email message encryption, which protects the message itself rather than the connection it travels over.
What type of threat does disk-level encryption protect against?
Disk encryption protects information stored on a drive, such as an external hard drive, a laptop's internal drive, or enterprise storage, against anyone who obtains the drive or device while it is powered off or locked: without the password or other unlocking credential, the contents are unreadable. It does not protect data once the volume is unlocked and the system is running, so a compromised operating system or application still reads that data in the clear.
How do I encrypt app data?
On an Android device, select Settings > Security > Encrypt Device. On some phones the option is under Storage > Storage encryption or Lock screen and security > Other security settings. Follow the on-screen directions to finish; the exact path varies by manufacturer and Android version.
What type of network uses tunneling to encrypt data to protect communications between two endpoints that are sent through a public network?
A VPN uses tunneling protocols to encrypt data at the sending endpoint and decrypt it at the receiving endpoint. The addresses of the tunneled (inner) packets are encrypted along with their payload, which hides the originating and receiving hosts from observers on the public network; the addresses of the two tunnel endpoints themselves remain visible, because the public network has to route the encapsulated packets. VPN apps are often used to protect data transmissions on mobile devices.