KMS
encryption and key management service
Last updated
encryption and key management service
Last updated
KMS uses Hardware Security Modules (HSM) to protect and validate your AWS KMS keys.
Need to set IAM Policy & Key Policy to allow a user or role to access a KMS key (encrypt or decrypt data using the key)
Does not support versioning of keys (cannot get back the old key).
AWS-owned
Symmetric: a 256-bit key that is used for encryption and decryption.
AWS managed key. These keys have alias start with aws/***
. e.g: aws/ebs
Customer managed key
Asymmetric:
Public (Encrypt) and Private Key (Decrypt) pair. an RSA key pair that is used for encryption and decryption or signing and verification (but not both), or an elliptic curve (ECC) key pair that is used for signing and verification.
manual rotation.
Encrypt and decrypt
Generate and verify MAC
Copies of the same KMS key in different AWS Regions.
You need to create the alias of the key in the region you want to use key. The alias can be different with the primary key.
Allow which users, services can use the keys.
Specify which services can decrypt key data. Remember to add kms decrypt policy to the key itselft.
Enable to rotate the key every year.
Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in a CloudHSM cluster using the AWS KMS custom key store feature.
If you choose to import keys to AWS KMS or asymmetric keys or use a custom key store, you can manually rotate them by creating a new KMS key and mapping an existing key alias from the old KMS key to the new KMS key.
Encrypt
: can only encrypt data under 4 KB
Decrypt
: can only be used on data that have been encrypted with a KMS key.
GenerateDataKey
: creates data key using a KMS key and returns two versions of it: a plaintext and a ciphertext data key.
GenerateDataKeyWithoutPlaintext
: creates data key using a KMS key and returns only the encrypted version of it.
Pay for the number of API calls made to KMS. Charge per / 10000 requests.
if you want a more secure solution than KMS key, use CloudHSM key.
KMS and CloudHSM are both FIPS compliant.
KMS is level 2, CloudHSM is level 3.
You CANNOT immediately delete a KMS key. You need to schedule a range from 7 ~ 30 days to delete it.
If you update a key's policy, remember to re-create resources that use that key. If not, the resource is still using the key with old policy.
You CANNOT rotate AWS Managed key, but CAN rotate Customer managed key.
Encrypt up to 4KB of data per API call (if data > 4 KB, use envelope encryption)
Envelope encryption: is the practice of encrypting plaintext data with a data key and then encrypting the data key under another key. You must store the encrypted form of the data key so that you can use the data key to decrypt the encrypted data in the database.