AWS Key Management Service (KMS) is a managed service that enables you to create and control cryptographic keys used to encrypt your data across AWS services and applications.
**Key Concepts:**
1. **Customer Master Keys (CMKs)**: These are the primary resources in KMS. They can be AWS managed, cu…AWS Key Management Service (KMS) is a managed service that enables you to create and control cryptographic keys used to encrypt your data across AWS services and applications.
**Key Concepts:**
1. **Customer Master Keys (CMKs)**: These are the primary resources in KMS. They can be AWS managed, customer managed, or AWS owned. Customer managed keys provide more control over rotation, policies, and auditing.
2. **Data Keys**: KMS generates data keys that you use to encrypt large amounts of data. KMS uses envelope encryption where a data key encrypts your data, and the CMK encrypts the data key.
3. **Key Policies**: JSON-based policies that define who can use and manage keys. Every CMK must have a key policy.
4. **Grants**: Temporary permissions that allow AWS principals to use CMKs under specific conditions.
**Key Features:**
- **Integration**: KMS integrates with services like S3, EBS, RDS, Lambda, and CloudTrail for seamless encryption.
- **Automatic Key Rotation**: Customer managed keys can be rotated annually. AWS managed keys rotate every three years.
- **Audit Capabilities**: All API calls to KMS are logged in CloudTrail, providing complete audit trails.
- **Regional Service**: Keys are stored and used within specific AWS regions, though multi-region keys are available.
**Exam-Relevant Points:**
- Understand the difference between symmetric (AES-256) and asymmetric keys
- Know envelope encryption patterns
- Recognize when to use KMS versus CloudHSM (KMS for most use cases, CloudHSM for dedicated hardware requirements)
- API calls like Encrypt, Decrypt, GenerateDataKey are essential
- Be aware of KMS request quotas and throttling
**Security Best Practices:**
- Apply least privilege to key policies
- Enable key rotation
- Use separate keys for different applications
- Monitor key usage through CloudTrail
AWS KMS (Key Management Service) - Complete Guide
Why AWS KMS is Important
AWS Key Management Service (KMS) is a critical component of AWS security infrastructure. It enables you to create, manage, and control cryptographic keys used to protect your data across AWS services and applications. Understanding KMS is essential because:
• Data Protection: KMS provides centralized control over encryption keys, ensuring sensitive data remains secure at rest and in transit • Compliance: Many regulatory frameworks (HIPAA, PCI-DSS, SOC) require proper key management practices • Integration: KMS integrates seamlessly with most AWS services, making encryption implementation straightforward • Audit Capability: Every use of a KMS key is logged in AWS CloudTrail, providing a complete audit trail
What is AWS KMS?
AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data. Key features include:
• KMS Keys (formerly CMKs): The primary resource in KMS, representing a logical key that can be used for cryptographic operations • AWS Managed Keys: Created, managed, and used on your behalf by AWS services (prefixed with aws/) • Customer Managed Keys: Keys you create, own, and manage with full control over policies • Data Keys: Encryption keys used to encrypt large amounts of data outside KMS • Key Policies: Resource-based policies that control access to KMS keys • Grants: Temporary permissions to use KMS keys
How AWS KMS Works
Envelope Encryption: KMS uses envelope encryption, where data is encrypted with a data key, and that data key is encrypted with a KMS key. This approach allows encrypting large data sets efficiently.
The process works as follows: 1. You request a data key from KMS using GenerateDataKey API 2. KMS returns a plaintext data key AND an encrypted copy of that key 3. You use the plaintext key to encrypt your data 4. You store the encrypted data key alongside your encrypted data 5. You discard the plaintext data key from memory 6. For decryption, you send the encrypted data key to KMS to get the plaintext key back
Key Types: • Symmetric Keys (AES-256): Single key for encryption and decryption, never leaves KMS unencrypted • Asymmetric Keys (RSA, ECC): Public/private key pairs for encryption or signing operations
Key Rotation: • AWS managed keys rotate automatically every year • Customer managed keys can have automatic rotation enabled (rotates every year) • Manual rotation is possible by creating new keys and updating aliases
Multi-Region Keys: • Replicate keys across multiple AWS regions • Same key material in different regions • Useful for disaster recovery and global applications
Key Policies and Access Control
Access to KMS keys is controlled through: • Key Policies: Required for every KMS key, defines who can administer and use the key • IAM Policies: Work in conjunction with key policies to grant access • Grants: Programmatic delegation of key access, often used by AWS services
Important API Calls: • Encrypt: Encrypts data up to 4KB • Decrypt: Decrypts ciphertext • GenerateDataKey: Returns plaintext and encrypted data key • GenerateDataKeyWithoutPlaintext: Returns only encrypted data key • ReEncrypt: Decrypts and re-encrypts under a different key
Exam Tips: Answering Questions on AWS KMS
Key Concepts to Remember:
1. 4KB Limit: KMS can only encrypt data up to 4KB. For larger data, use envelope encryption with data keys
2. Regional Service: KMS keys are region-specific unless you use multi-region keys. Cross-region encryption requires key replication or multi-region keys
3. Key Policy Requirement: Every KMS key must have a key policy. The default policy gives the AWS account root user full access
4. Automatic Rotation: Only available for symmetric customer managed keys. Asymmetric keys and imported key material do not support automatic rotation
5. Imported Key Material: You can import your own key material but lose automatic rotation capability and must manage expiration
6. Deletion: KMS keys have a mandatory waiting period (7-30 days) before deletion. During this time, the key is disabled but can be recovered
7. CloudTrail Integration: All KMS API calls are logged, providing audit trails for compliance
Common Exam Scenarios:
• S3 Encryption: Questions about SSE-KMS use customer managed or AWS managed KMS keys • Cross-Account Access: Requires both key policy permissions AND IAM permissions in the accessing account • EBS Encryption: Encrypted volumes use KMS keys; snapshots inherit encryption • RDS Encryption: Must be enabled at creation time; uses KMS for key management
Remember: KMS is about managing encryption keys, not encrypting data itself. The actual encryption happens in AWS services or your applications using the keys that KMS manages and protects.