Implement Encryption By Using AWS Services | 🗝️ Create A KMS Customer Managed Key
Dev.to
Security

Securing large-volume data with KMS-based envelope encryption


Ntombizakhona Mabaso · June 3, 2026 · 9 min · intermediate

Context

The need to implement encryption at rest and in transit to protect data across AWS services keeps growing. In particular, there is an architectural limit when handling large data that exceeds 4 KB, the ceiling for direct encryption with KMS.

Technical Solution

  • Adopt an envelope encryption structure for data larger than 4 KB: generate a data key, encrypt the data with it, and then encrypt the data key itself
  • Strategically separate the S3 server-side encryption options: SSE-S3 for ease of management, SSE-KMS for an audit trail and control, and SSE-C for customer-managed keys
  • Apply automatic key rotation, which replaces only the key material while the key ID stays the same, to preserve data integrity and availability
  • Design automatic renewal and deployment of public SSL/TLS certificates through ACM to strengthen authentication between infrastructure components
  • Introduce client-side encryption so that data is encrypted before transmission in environments where the storage layer is not fully trusted

1. When encrypting data of 4 KB or more, consider applying envelope encryption through the AWS Encryption SDK

2. For sensitive data that requires an audit trail, configure SSE-KMS integrated with CloudTrail instead of SSE-S3

3. Operate an abstraction layer based on KMS aliases so that key rotation does not require application code changes

4. For public-facing services, rely on ACM's automatic renewal for certificate management to remove the operational burden
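As an added illustration of the envelope structure described in the Technical Solution bullets and in recommendation 1 (example code written for this summary, not code from the original article or from AWS), the following Go program generates a per-object data key, encrypts the payload with it, and wraps only that 32-byte key under a master key. The master key, the `alias/...` KeyID and the payload are constructed stand-ins, and the local `seal`/`open` of the data key stands in for the KMS GenerateDataKey and Decrypt calls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Envelope struct { // what gets stored with the data; the master key never does
	KeyID      string // alias or ID of the wrapping (master) key, e.g. alias/app-data
	WrappedKey []byte // 32-byte data key encrypted under the master key
	Ciphertext []byte // payload encrypted under the plaintext data key
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length fails here, and that is a caller bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// seal encrypts with a fresh nonce prepended; open reverses it and rejects any tampering.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob shorter than a nonce")
}
// Encrypt is the envelope step: a fresh data key encrypts a payload of any size,
// and only that 32-byte key goes to the master key (KMS GenerateDataKey's job).
func Encrypt(keyID string, masterKey, plaintext []byte) *Envelope {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	return &Envelope{keyID, seal(masterKey, dataKey), seal(dataKey, plaintext)}
}
func Decrypt(masterKey []byte, env *Envelope) ([]byte, error) {
	dataKey, err := open(masterKey, env.WrappedKey) // KMS Decrypt's job
	if err != nil {
		return nil, err
	}
	return open(dataKey, env.Ciphertext) // payload is decrypted locally
}
```

The wrapped blob is 60 bytes (12-byte nonce, 32-byte key, 16-byte tag) whatever the payload size, which is the point: only that blob ever goes to the key service, so the 4 KB limit never touches the data.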
