mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 14:14:56 +03:00

Files

T

mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills

Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)

2026-04-06 11:17:40 +02:00

3.5 KiB

Raw Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf

name

description

domain

subdomain

Implementing Envelope Encryption with AWS KMS

Overview

Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting large volumes of data locally while keeping the master key secure in a hardware security module (HSM) managed by AWS. This skill covers implementing envelope encryption using AWS KMS GenerateDataKey API.

When to Use

When deploying or configuring implementing envelope encryption with aws kms capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

Prerequisites

Familiarity with cryptography concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Objectives

Understand the envelope encryption pattern and its advantages
Generate data encryption keys using AWS KMS GenerateDataKey
Encrypt/decrypt data locally using DEKs
Store encrypted DEK alongside ciphertext
Implement key caching to reduce KMS API calls
Handle key rotation with automatic re-encryption
Implement multi-region encryption for disaster recovery

Key Concepts

Envelope Encryption Flow

Call kms:GenerateDataKey to get plaintext DEK + encrypted DEK
Use plaintext DEK to encrypt data locally (AES-256-GCM)
Store encrypted DEK alongside ciphertext
Discard plaintext DEK from memory
For decryption: call kms:Decrypt on encrypted DEK, then decrypt data

Advantages Over Direct KMS Encryption

Aspect	Direct KMS	Envelope Encryption
Max data size	4 KB	Unlimited
Latency	Network round-trip per operation	Local encryption
Cost	$0.03/10,000 requests	Fewer KMS requests
Offline	Not possible	Yes (with cached DEKs)

KMS Key Types

AWS Managed: AWS creates and manages (aws/s3, aws/ebs)
Customer Managed: You create and manage policies
Custom Key Store: Backed by CloudHSM cluster

Security Considerations

Never store plaintext DEK; only keep encrypted DEK
Use key policies to restrict who can call GenerateDataKey and Decrypt
Enable AWS CloudTrail logging for all KMS API calls
Implement key rotation (automatic annual rotation for CMKs)
Use encryption context for authenticated encryption metadata
Handle KMS throttling with exponential backoff

Validation Criteria

GenerateDataKey returns plaintext and encrypted DEK
Data encrypts correctly with plaintext DEK using AES-256-GCM
Encrypted DEK can be decrypted via KMS Decrypt API
Decrypted DEK recovers the original data
Plaintext DEK is wiped from memory after use
Encryption context is validated during decryption
Key rotation re-encrypts DEKs with new master key

3.5 KiB Raw Blame History