Blog | G5 Cyber Security

Secure AES Keys for Multi-Tenant Web APIs

G5 Cyber Security

TL;DR

Store AES keys per tenant in a secure key management system (KMS) like AWS KMS, Azure Key Vault, or HashiCorp Vault. Access keys using the tenant ID to ensure isolation and control. Avoid storing keys directly in your application code or database.

Solution Guide: Secure AES Keys for Multi-Tenant Web APIs

  1. Understand the Risk
    • Storing AES keys insecurely is a major security vulnerability. If compromised, all tenant data encrypted with that key is at risk.
    • Multi-tenancy adds complexity because you need to isolate keys so one tenant’s compromise doesn’t affect others.
  2. Choose a Key Management System (KMS)
    • AWS KMS: Good if you are already on AWS. Offers strong security and integration with other AWS services.
    • Azure Key Vault: Similar to AWS KMS, but for Azure environments.
    • HashiCorp Vault: A more general-purpose secret management tool that can be used across different cloud providers or on-premises.
  3. Key Generation and Storage
    1. For each new tenant, generate a unique AES key within your chosen KMS. Do not use the same key for multiple tenants.
    2. The KMS handles the secure storage of the keys. You will interact with it through its API, not directly with the keys themselves.
  4. Key Access Control
    1. Configure access policies in your KMS to restrict key usage based on tenant ID.
    2. Your application should authenticate itself to the KMS (e.g., using IAM roles in AWS, Managed Identities in Azure).
    3. The application then requests decryption/encryption operations for a specific tenant’s key, identified by its Tenant ID.
  5. Implementation Steps (Example with AWS KMS)
    1. Create an IAM Role: Create an IAM role that your web API can assume to access KMS. This role should have permissions limited to decrypting and encrypting keys for specific tenants.
    2. Generate Keys per Tenant: When a new tenant signs up, use the AWS KMS API to generate a unique key. 
      aws kms create-key --description "AES Key for Tenant X"
    3. Store Tenant ID Mapping: Store a mapping between the Tenant ID and the corresponding KMS Key ID in your database. Do not store the actual key itself!
    4. Encryption/Decryption Logic: In your web API, when encrypting or decrypting data for a tenant:
      1. Retrieve the KMS Key ID from your database using the Tenant ID.
      2. Use the AWS KMS API to perform the encryption or decryption operation. 
        aws kms encrypt --key-id  --plaintext "Your data here"
        aws kms decrypt --key-id  --ciphertext
  6. Rotation of Keys
    • Regularly rotate your AES keys (e.g., every 90 days) to limit the impact of a potential compromise. KMS systems often provide automated key rotation features.
  7. Auditing and Monitoring
    • Enable auditing in your KMS to track all key access events. Monitor these logs for suspicious activity.
Exit mobile version