AWS KMS is a managed encryption service that lets you create and control encryption keys, making it easy to encrypt data.
KMS uses shared hardware tenancy: your keys live in their own partition of an encryption module that is shared with other AWS customers, each of whom has their own isolated partition.
KMS provides a highly available key storage, management, and auditing solution for encrypting data across AWS services and within applications.
Customer master keys (CMKs) are protected by hardware security modules (HSMs) validated under the FIPS 140-2 Cryptographic Module Validation Program.
KMS is also integrated with AWS CloudTrail to provide encryption key usage logs to help meet auditing, regulatory and compliance needs.
KMS Keys are only stored and used in the region in which they are created. They cannot be transferred to another region.
KMS enforces usage and management policies that control which IAM users and roles, from the same account or from other accounts, can manage and use keys.
AWS cloud services integrated with AWS KMS use a method called envelope encryption to protect data. Envelope encryption is an optimized method for encrypting data that uses two different keys (a master key and a data key). A in AWS KMS.
While KMS can directly encrypt data of less than 4 KB, envelope encryption can offer significant performance benefits.
Keys can be generated in KMS or imported from your own key management infrastructure.
Command to create a key: aws kms create-key
Command to create an alias: aws kms create-alias --alias-name alias/example-alias --target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab
Command to encrypt: aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://ExamplePlaintextFile --output text --query CiphertextBlob | base64 --decode > ExampleEncryptedFile
Command to decrypt (this one uses the AWS Encryption CLI rather than aws kms decrypt): aws-encryption-cli --decrypt --input secret.txt.encrypted --encryption-context purpose=test --metadata-output ~/metadata --output .
Command to disable the key: aws kms disable-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
Customer Master Keys (CMKs): AWS KMS customer master keys (CMKs) are 256-bit Advanced Encryption Standard (AES) symmetric keys that are not exportable.
A CMK is a logical representation of a master key in AWS KMS.
CMKs are created in AWS KMS and never leave AWS KMS unencrypted.
A CMK can directly encrypt and decrypt up to 4 KB (4096 bytes) of data.
CMKs generate, encrypt, and decrypt the data keys that are used outside of AWS KMS to encrypt data [Envelope Encryption].
A CMK contains the key material used to encrypt and decrypt data, plus the master key's identifiers and other metadata, including its creation date, description, and key state.
A CMK can be created without key material.
Each key costs 1 dollar per month.
Disabled keys are not billed.
Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.
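Envelope encryption as described in these notes (the master key/data key split, the 4 KB limit on direct encryption, and data keys that protect data outside KMS), as an added Go example that is not part of the original notes. FakeKMS is a constructed in-memory stand-in for the service side so the example runs offline; against real AWS KMS the three calls correspond to kms:GenerateDataKey, kms:Encrypt and kms:Decrypt, and the CMK would never be visible to the application.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")
type Envelope struct{ WrappedKey, Ciphertext []byte } // stored by the application: the wrapped data key travels with the ciphertext
type FakeKMS struct{ cmk []byte }                    // constructed stand-in for AWS KMS (not an AWS API); the CMK never leaves it
// NewFakeKMS creates a 256-bit CMK. crypto/rand.Read is guaranteed not to fail from Go 1.24 on, so its error is not checked here.
func NewFakeKMS() *FakeKMS { k := make([]byte, 32); rand.Read(k); return &FakeKMS{cmk: k} }
// gcm/seal/open implement AES-256-GCM with a random 12-byte nonce prepended to the ciphertext.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize()); rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}
func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	if len(sealed) < aead.NonceSize() { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}
// Encrypt mirrors kms:Encrypt: direct encryption under the CMK, limited to 4 KB (4096 bytes) of plaintext.
func (k *FakeKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > 4096 { return nil, errors.New("plaintext exceeds 4096 bytes; use envelope encryption") }
	return seal(k.cmk, plaintext)
}
// Decrypt mirrors kms:Decrypt; GenerateDataKey mirrors kms:GenerateDataKey (plaintext key plus a copy wrapped under the CMK).
func (k *FakeKMS) Decrypt(blob []byte) ([]byte, error) { return open(k.cmk, blob) }
func (k *FakeKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32); rand.Read(plain)
	wrapped, err = k.Encrypt(plain)
	return plain, wrapped, err
}
// EnvelopeEncrypt protects data of any size: one KMS call for a data key, then local AES-GCM for the bulk data.
func EnvelopeEncrypt(k *FakeKMS, data []byte) (Envelope, error) {
	plain, wrapped, err := k.GenerateDataKey()
	if err != nil { return Envelope{}, err }
	ct, err := seal(plain, data) // the plaintext data key is dropped after this; only the wrapped copy is stored
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, err
}
// EnvelopeDecrypt unwraps the data key through KMS (a request well under 4 KB) and decrypts the bulk data locally.
func EnvelopeDecrypt(k *FakeKMS, e Envelope) ([]byte, error) {
	plain, err := k.Decrypt(e.WrappedKey)
	if err != nil { return nil, err }
	return open(plain, e.Ciphertext)
}
```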
Key policies determine who can use and manage a CMK. For a customer managed CMK you can add, remove, or change permissions at any time; you cannot edit the key policy of an AWS managed CMK.
Grants: provide permissions as an alternative to the key policy, giving long-term access that allows AWS principals to use customer managed CMKs.
Grant tokens: help mitigate the potential delay before a grant takes effect. Use the grant token returned in the response to the CreateGrant API request to make the grant's permissions effective immediately.
AWS managed CMKs are rotated automatically every 3 years and cannot be deleted. They are used by some AWS services. User access is controlled with IAM.
CMKs with generated key material are rotated every year and can be deleted. They are controlled using KMS key policies and IAM policies. User access is controlled with IAM.
CMKs with imported key material, or keys generated in a CloudHSM cluster using the KMS custom key store feature, do not support automatic key rotation. For manually rotated keys, data has to be re-encrypted depending on the application's configuration.
The primary way to manage access to AWS KMS CMKs is with policies.
AWS KMS requires you to attach resource-based policies, called key policies, to customer master keys (CMKs).
Access to KMS CMKs can be controlled by: using the key policy alone, using IAM policies together with the key policy, or using grants in combination with the key policy (which lets users delegate their access to others).
To allow access to a KMS CMK, a key policy MUST be used, either alone or in combination with IAM policies or grants.
Create keys with a unique alias and description
Import your own keys
Control which IAM users and roles can manage keys
Control which IAM users and roles can use keys to encrypt & decrypt data
Choose to have AWS KMS automatically rotate keys on an annual basis
Temporarily disable keys so they cannot be used by anyone
Re-enable disabled keys
Delete keys that you no longer use
Audit use of keys by inspecting logs in AWS CloudTrail
To make AWS KMS responsive and performant for all users, AWS KMS applies two types of quotas, resource quotas and request quotas.
Resource Quotas:
AWS KMS keys: 10,000
Aliases per KMS key: 50
Grants per KMS key: 50,000
Key policy document size: 32 KB (32,768 bytes)
Request Quotas:
Cryptographic operations (symmetric) request rate: 5,500 or 10,000 requests per second, depending on the region; the quota is shared across all symmetric cryptographic operations.