VPC Encryption complements VPC Inter-Region Peering, which we've been similarly encrypting (with similar key derivation) from the day it launched. Underneath, and in addition to, all of this is the Lever Link Encryption Project.
The Lever Link Encryption Project has been a truly massive endeavor to strongly encrypt, for now and all time, every network link that is in any way out of AWS physical control.
Physical control means inside a facility we own and operate; and sometimes it means secure ducting over short distances with cool lasers that can detect any interference.
If a link is outside our premises, or crossing an ocean, we encrypt it. For encryption, we use AES-256 again, with MACsec or Optical Layer encryption, with some more clever key agreement schemes that we had to invent! But don't worry, they are reassuringly boring.
Incidentally "Lever" is named for https://en.wikipedia.org/wiki/Mavis_Batey
Lever encryption and VPC Encryption or Inter-Region Peering often happen at the same time, e.g. packets crossing between AZs or regions. That's two layers of no-configuration required pervasive cryptography.
h/t to my colleague and Lever lead David Sinn for all that info!
Now, none of this means that you should not use TLS or other encryption protocols in your own applications. Network Encryption is awesome, but does not provide anti-replay, or application-to-application authentication. These new protocols are designed to fill gaps.
Of course it's great too to have a built-in mechanism to protect legacy traffic that is not encrypted at all.
These are the first features I've ever worked on where there is no API, nothing for you to do. This is all under the hood. There is no change to your experience running on AWS. Customers never see the encrypted traffic, we do the encryption and decryption for you.
All of the encryption and decryption happens in hardware; and for VPC Encryption, it's custom silicon designed and built by Annapurna Labs as part of our Nitro security system. That means we can do all of this with no impact on performance. We've been in production for months!
O.k. there you have it. VPC Encryption, Lever Link Encryption, Multi-Party key distribution, AES-256, no API or settings, just "on". AMA.
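The gap the thread names (link encryption gives you confidentiality on the wire, but not anti-replay or application-to-application authentication) is one an application protocol has to close for itself. As an added illustration, not code from the thread or from AWS, here is a minimal receiver that authenticates its peer with an HMAC over a shared key and drops replayed records with a sliding sequence-number window of the kind IPsec and DTLS use; the record format, the `seal` helper and the 64-bit window size are assumptions made for this demo.

```python
import hashlib
import hmac
import struct

WINDOW_BITS = 64             # assumed sliding anti-replay window, IPsec-style
HDR = struct.Struct(">8sQ")  # assumed header: 8-byte sender id, 64-bit sequence number
TAG_LEN = 32                 # HMAC-SHA256 tag length


def seal(key: bytes, sender: bytes, seq: int, payload: bytes) -> bytes:
    """Build an application-layer record: sender || seq || payload || HMAC-SHA256 tag."""
    body = HDR.pack(sender, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Checks who sent a record and whether it is fresh, regardless of wire encryption."""

    def __init__(self, key: bytes, peer: bytes):
        self.key = key
        self.peer = peer.ljust(HDR.size - 8, b"\0")  # pad to the 8-byte id the header carries
        self.highest = 0  # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0   # bit i set => sequence number (highest - i) already accepted

    def accept(self, record: bytes) -> bool:
        if len(record) < HDR.size + TAG_LEN:
            return False
        body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return False  # not produced with the shared key: fails app-to-app authentication
        sender, seq = HDR.unpack_from(body)
        if sender != self.peer or seq == 0:
            return False  # authenticated, but not the peer we expect (or an invalid sequence)
        return self._fresh(seq)

    def _fresh(self, seq: int) -> bool:
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= WINDOW_BITS:
                self.bitmap = 1  # window moved entirely past everything seen so far
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_BITS) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW_BITS or self.bitmap & (1 << diff):
            return False  # too old to track, or a replay of a record already accepted
        self.bitmap |= 1 << diff  # late but genuinely new: accept and remember it
        return True
```

Out-of-order delivery within the window is accepted once; the same bytes delivered a second time are not, which is exactly what a link-layer cipher alone cannot decide.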
Replying to @colmmacc
Didn't the Annapurna labs team build the graviton chip for the newer ARM instances in EC2? If so, AWS got an amazing return on acqui-hiring them however many years ago. That's amazing.