AWS Crypto Training

Day 1

Module 01

• Introduction to Cryptography
• Symmetric Encryption and Asymmetric Encryption
• Hash Functions and Digital Signatures
• Security design principles and Shared responsibility model in AWS
• DevOps integration of Terraform with AWS
• Introduction to PKI environment – On-Premises, Cloud, and Hybrid
• Introduction to AWS Crypto Services and tools (KMS, CloudHSM, and ACM Private CA)

Module 02: Deep dive into AWS KMS

• Pre-requisites and Custom-built application integration
• Data Protection and Industry compliance (FIPS, SOC, PCI, HIPPA etc.) standard
• Functionality, Architecture and Design Considerations for Key Management as-a-service in AWS
• Understanding the Client-side and Server-side encryption techniques
• Understanding Customer Managed Keys, AWS Managed Keys, and Key Rotation Policies
  • Lab 01: Creation of AWS Managed CMKs and Customer Managed CMKs in AWS environment
• Understanding Symmetric and Asymmetric keys
  • Lab 02: Creation of Symmetric and Asymmetric Customer Managed Key (CMK)
• Understanding the concept of BYOK (Bring Your Own Key), and integration of KMS with HSM
• Management of Keys (AWS Managed CMKs and Customer Managed CMKs) as per FIPS 140-2 L2/L3 compliances
  • Lab 03: Integration of Customer Managed Key with FIPS 140-2 Level3 compliant HSM
• Integration of authentication and access control policy with various policies (Key, IAM, and grants)

AWS KMS use cases

• Lab 04: Encryption of S3 buckets using CMK
• Lab 05: Integration of AWS S3 bucket encryption with CMK using CloudHSM as a key storage
• Lab 06: Integration of Amazon EBS (Elastic Block Store) with CMK
• Lab 07: Digital Signing and verification of contents using CMK-Asymmetric feature
• Troubleshooting for CloudTrail logs, S3 permissions and HSM audit logs

Day 2

Module 03: Deep dive into AWS CloudHSM

AWS CloudHSM

• Pre-requisites and Multi-Service Integration
• Data Protection, FIPS, and PCI-DSS Compliance
• Software Vs Hardware based HSMs
• Various CloudHSM Models
• Functionality, Architecture and Design Considerations for HSM as-a-service in AWS
• Application integration using Software Libraries to HSM
• CloudHSM prerequisite environment
  • Lab 01: Setting up a prerequisite for CloudHSM environment
• CloudHSM Cluster provisioning and management
  • Lab 02: Deploying CloudHSM cluster in Multi-AZ environment
• Install CloudHSM client Software
  • Lab 03: Installing CloudHSM client Software on Windows and Linux
• Provisioning HSMs (Hardware Security Modules) in the Cluster
  • Lab 04: Deploying HSMs in the CloudHSM cluster
• Learn with hands-on exercise on CloudHSM management and Key management command line tools
  • Lab 05: Activate the CloudHSM cluster using CloudHSM management CLI tool and crypto key operations using Key management CLI tool

CloudHSM use cases

• Lab 06: To provide private key protection of a Windows CA server with AWS CloudHSM service
• Lab 07: Bring your own key (BYOK) use case with CloudHSM
• Troubleshooting for CloudHSM client logs, CloudTrail logs and HSM audit logs

Day 3

Module 04: Deep dive into AWS PKI Service (ACM Private CA)

AWS ACM Private CA

• Pre-requisites and Multi-Service Integration
• Cloud Security and Data protection
• Certificate Verification and Certificate Chaining
• Simple Storage Service (S3) as-a-CRL-Service Provider
• Various Cloud PKI Models in AWS
• Key factors in development of CP/CPS document to architect the PKI infra including Certificates and their attributes
• Key considerations to outline the Key ceremony document for Root CA
• Functionality, Architecture and Design Considerations for PKI as-a-service

ACM-PCA use case:

• Lab 01: Deploying 2 tier PKI architecture hands-on lab in AWS environment
• Troubleshooting of CloudTrail logs, Windows CA Server logs, S3 permissions