creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-26 11:44:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
768ca51c8d331ab0bdcea8ffb31c9b99bb2c1839
Anthropic-Cybersecurity-Skills/skills/implementing-envelope-encryption-with-aws-kms/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1 
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

3.6 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_csf mitre_attack
implementing-envelope-encryption-with-aws-kms Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting cybersecurity cryptography
cryptography
encryption
aws
kms
envelope-encryption
key-management
1.0 mahipal Apache-2.0
PR.DS-01
PR.DS-02
PR.DS-10
T1600
T1573
T1553
T1078.004
T1530

Implementing Envelope Encryption with AWS KMS

Overview

Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting large volumes of data locally while keeping the master key secure in a hardware security module (HSM) managed by AWS. This skill covers implementing envelope encryption using AWS KMS GenerateDataKey API.

When to Use

  • When deploying or configuring implementing envelope encryption with aws kms capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with cryptography concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Understand the envelope encryption pattern and its advantages
  • Generate data encryption keys using AWS KMS GenerateDataKey
  • Encrypt/decrypt data locally using DEKs
  • Store encrypted DEK alongside ciphertext
  • Implement key caching to reduce KMS API calls
  • Handle key rotation with automatic re-encryption
  • Implement multi-region encryption for disaster recovery

Key Concepts

Envelope Encryption Flow

  1. Call kms:GenerateDataKey to get plaintext DEK + encrypted DEK
  2. Use plaintext DEK to encrypt data locally (AES-256-GCM)
  3. Store encrypted DEK alongside ciphertext
  4. Discard plaintext DEK from memory
  5. For decryption: call kms:Decrypt on encrypted DEK, then decrypt data

Advantages Over Direct KMS Encryption

Aspect Direct KMS Envelope Encryption
Max data size 4 KB Unlimited
Latency Network round-trip per operation Local encryption
Cost $0.03/10,000 requests Fewer KMS requests
Offline Not possible Yes (with cached DEKs)

KMS Key Types

  • AWS Managed: AWS creates and manages (aws/s3, aws/ebs)
  • Customer Managed: You create and manage policies
  • Custom Key Store: Backed by CloudHSM cluster

Security Considerations

  • Never store plaintext DEK; only keep encrypted DEK
  • Use key policies to restrict who can call GenerateDataKey and Decrypt
  • Enable AWS CloudTrail logging for all KMS API calls
  • Implement key rotation (automatic annual rotation for CMKs)
  • Use encryption context for authenticated encryption metadata
  • Handle KMS throttling with exponential backoff

Validation Criteria

  • GenerateDataKey returns plaintext and encrypted DEK
  • Data encrypts correctly with plaintext DEK using AES-256-GCM
  • Encrypted DEK can be decrypted via KMS Decrypt API
  • Decrypted DEK recovers the original data
  • Plaintext DEK is wiped from memory after use
  • Encryption context is validated during decryption
  • Key rotation re-encrypts DEKs with new master key
Reference in New Issue View Git Blame Copy Permalink