KMS

Encryption and key management service.


Overview

  • KMS uses Hardware Security Modules (HSM) to protect and validate your AWS KMS keys.

  • You need to set both an IAM policy and a key policy to allow a user or role to use a KMS key (encrypt or decrypt data with it).

  • Does not support versioning of keys (you cannot get an old key back).

Types of key

  • AWS-owned

  • Symmetric: a 256-bit key that is used for both encryption and decryption.

    • AWS managed key. These keys have aliases that start with aws/, e.g. aws/ebs.

    • Customer managed key

  • Asymmetric:

    • A public key (encrypt) and private key (decrypt) pair: an RSA key pair used either for encryption and decryption or for signing and verification (not both), or an elliptic curve (ECC) key pair used for signing and verification.

    • Manual rotation only.

Key usage

  • Encrypt and decrypt

  • Generate and verify MAC

Features

Multi-region keys

  • Copies of the same KMS key in different AWS Regions.

  • You need to create an alias for the key in each Region where you want to use it. The alias can differ from the primary key's alias.

KMS Policy

  • Controls which users and services can use the key.

  • Specifies which services can decrypt data with the key. Remember to add the kms:Decrypt permission to the key policy itself.

Key rotation

Can be enabled to rotate the key automatically every year.

Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in a CloudHSM cluster using the AWS KMS custom key store feature.

If you import keys into AWS KMS, use asymmetric keys, or use a custom key store, you can rotate them manually by creating a new KMS key and pointing the existing alias from the old KMS key to the new one.

KMS API

  • Encrypt: can only encrypt data up to 4 KB.

  • Decrypt: can only be used on data that has been encrypted with a KMS key.

  • GenerateDataKey: creates a data key using a KMS key and returns two versions of it: a plaintext data key and an encrypted (ciphertext) data key.

        aws kms generate-data-key --key-id alias/MyKeyAlias --key-spec AES_256

  • GenerateDataKeyWithoutPlaintext: creates a data key using a KMS key and returns only the encrypted version of it.

Pricing

You pay for the number of API calls made to KMS, charged per 10,000 requests.

Trivia

  • If you want a more secure solution than a KMS key, use a CloudHSM key.

    • KMS and CloudHSM are both FIPS compliant.

    • KMS is Level 2, CloudHSM is Level 3.

  • You CANNOT delete a KMS key immediately. You must schedule the deletion with a waiting period of 7 to 30 days.

  • If you update a key's policy, remember to re-create the resources that use that key; otherwise those resources keep using the key under the old policy.

  • You CANNOT rotate an AWS managed key, but you CAN rotate a customer managed key.

  • Encrypt handles up to 4 KB of data per API call (for data larger than 4 KB, use envelope encryption).

Concepts

  • Envelope encryption is the practice of encrypting plaintext data with a data key and then encrypting that data key under another key. You must store the encrypted form of the data key alongside the data so that you can later unwrap it and use it to decrypt the encrypted data in the database.
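The envelope pattern above as working Go code: GenerateDataKey supplies the data key, the bulk data is encrypted locally with AES-256-GCM (so the 4 KB Encrypt limit does not apply), only the encrypted data key is stored, and Decrypt unwraps it later. This is an added example, not from the original notes; the KMS interface, Envelope type and function names are mine, and fakeKMS is an assumed offline stand-in for the real AWS KMS client.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// KMS is the subset of the service API envelope encryption needs; the real client drops in here.
type KMS interface {
	GenerateDataKey() (plaintextKey, encryptedKey []byte, err error)
	Decrypt(encryptedKey []byte) ([]byte, error)
}
// Envelope is what gets stored with the data: the encrypted data key plus local nonce||ciphertext.
type Envelope struct{ EncryptedKey, Ciphertext []byte }
func aead(key []byte) cipher.AEAD { // AES-256-GCM; a wrong key length is a bug here, so panic
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, plaintext []byte) []byte { // nonce||ciphertext under a fresh random 96-bit nonce
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}
func unseal(key, blob []byte) ([]byte, error) { // GCM's tag check rejects any tampered byte
	if len(blob) < 12 { return nil, errors.New("ciphertext too short") }
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}
// EnvelopeEncrypt: KMS data key, bulk data encrypted locally (no 4 KB limit), plaintext key discarded.
func EnvelopeEncrypt(k KMS, plaintext []byte) (*Envelope, error) {
	dk, edk, err := k.GenerateDataKey()
	if err != nil { return nil, err }
	return &Envelope{EncryptedKey: edk, Ciphertext: seal(dk, plaintext)}, nil
}
// EnvelopeDecrypt: KMS Decrypt unwraps the data key (needs kms:Decrypt on the key), then local decrypt.
func EnvelopeDecrypt(k KMS, e *Envelope) ([]byte, error) {
	dk, err := k.Decrypt(e.EncryptedKey)
	if err != nil { return nil, err }
	return unseal(dk, e.Ciphertext)
}
// fakeKMS stands in for AWS KMS so this runs offline (assumption); its master key never leaves it, like an HSM.
type fakeKMS struct{ master []byte }
func (f *fakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	dk := make([]byte, 32) // AES_256 key spec, as in the CLI command above
	if _, err := rand.Read(dk); err != nil { return nil, nil, err }
	return dk, seal(f.master, dk), nil // plaintext key + CiphertextBlob
}
func (f *fakeKMS) Decrypt(blob []byte) ([]byte, error) { return unseal(f.master, blob) }
```

Swapping fakeKMS for the real client changes nothing in EnvelopeEncrypt/EnvelopeDecrypt, which is the point: the master key is only ever used inside KMS.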
