Customer Managed Keys (CMKs) in AWS Key Management Service (KMS) are encryption keys that you create, own, and manage within your AWS account. These keys provide granular control over data encryption across various AWS services and applications.
As a SysOps Administrator, understanding CMKs is essential for implementing robust security and compliance strategies. Unlike AWS managed keys, customer managed keys offer complete control over the key lifecycle, including creation, rotation, deletion, and access policies.
Key features of Customer Managed Keys include:
**Key Policies and IAM Integration**: You can define detailed key policies that specify which principals can use or manage the key. These policies work alongside IAM policies to provide fine-grained access control.
**Automatic Key Rotation**: CMKs support automatic annual rotation, where AWS generates new cryptographic material while retaining old material for decryption of previously encrypted data. This enhances security posture while maintaining backward compatibility.
**Auditing and Compliance**: All CMK usage is logged in AWS CloudTrail, providing a complete audit trail of who accessed which key and when. This is crucial for meeting compliance requirements like HIPAA, PCI-DSS, and SOC standards.
**Cross-Account Access**: CMKs can be shared across AWS accounts through key policies, enabling secure data sharing between different organizational units or partner accounts.
**Key States and Deletion**: CMKs can be enabled, disabled, or scheduled for deletion. The deletion process includes a mandatory waiting period (7-30 days), providing a safety net against accidental key loss.
**Cost Considerations**: Customer managed keys incur monthly charges plus per-request fees for cryptographic operations, unlike AWS managed keys which have no monthly fee.
For SysOps Administrators, properly configuring CMKs ensures data-at-rest encryption meets organizational security requirements while maintaining operational efficiency through automation and centralized key management.
Customer Managed Keys (CMKs) are encryption keys stored in AWS Key Management Service (KMS) that you create, own, and manage. Unlike AWS managed keys or AWS owned keys, CMKs give you full control over the key lifecycle, including creation, rotation, deletion, and access policies.
Why are Customer Managed Keys Important?
CMKs are critical for several reasons:
- Compliance Requirements: Many regulatory frameworks (HIPAA, PCI-DSS, SOC) require organizations to maintain control over their encryption keys
- Granular Access Control: You can define precisely who can use, manage, and administer each key through key policies and IAM policies
- Audit Capabilities: All key usage is logged in AWS CloudTrail, providing a complete audit trail
- Cross-Account Access: CMKs can be shared across AWS accounts for centralized key management
- Custom Key Rotation: You control when and how keys are rotated
How Customer Managed Keys Work
Key Creation: CMKs can be created in two ways:
- KMS-generated key material: AWS generates and manages the underlying cryptographic material
- Imported key material: You generate keys externally and import them into KMS

Key Components:
- Key ID: Unique identifier for the key
- Key ARN: Amazon Resource Name used for cross-account access
- Key Policy: Resource-based policy defining permissions
- Key Material: The actual cryptographic data used for encryption

Encryption Process:
1. Application sends data to AWS service with CMK reference
2. AWS service calls KMS to generate a data encryption key (DEK)
3. KMS returns plaintext DEK and encrypted DEK (wrapped by CMK)
4. Service encrypts data with plaintext DEK
5. Service stores encrypted data with encrypted DEK
6. Plaintext DEK is discarded from memory

Decryption Process:
1. Service retrieves encrypted data and encrypted DEK
2. Service sends encrypted DEK to KMS
3. KMS decrypts DEK using CMK
4. KMS returns plaintext DEK
5. Service decrypts data using plaintext DEK
Key Features of CMKs
- Automatic Key Rotation: Can be enabled for annual rotation (365 days); only works with KMS-generated key material
- Manual Key Rotation: Create a new CMK and update aliases for more frequent rotation
- Key Aliases: Friendly names that point to CMKs, making key rotation transparent to applications
- Key States: Enabled, Disabled, Pending Deletion, Pending Import
- Deletion Scheduling: 7-30 day waiting period before permanent deletion
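The encryption and decryption steps above, together with the rotation and key-state behaviour just listed, as an added example that is not part of the original page and not AWS code: ToyKMS is an assumed stand-in for the service, and an unauthenticated HMAC-SHA256 keystream stands in for AES-GCM so the code runs offline.

```python
"""Toy model of KMS envelope encryption, key rotation and key states. Added example:
ToyKMS stands in for the service; an HMAC-SHA256 keystream stands in for AES-GCM."""
import hashlib, hmac, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR data with an HMAC-derived keystream. Never use in production."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class ToyKMS:  # holds the CMK backing material, which never leaves this object
    def __init__(self):
        self.material = [os.urandom(32)]  # backing-key versions, newest last
        self.state = "Enabled"            # Enabled / Disabled / PendingDeletion

    def rotate(self):  # automatic rotation adds new material but keeps every old version
        self.material.append(os.urandom(32))

    def _require_enabled(self):
        if self.state != "Enabled":
            raise PermissionError(f"CMK is {self.state}; cryptographic operations refused")

    def generate_data_key(self):
        """Return (plaintext DEK, DEK wrapped under the current CMK material version)."""
        self._require_enabled()
        dek, version, nonce = os.urandom(32), len(self.material) - 1, os.urandom(12)
        wrapped = bytes([version]) + nonce + _xor_stream(self.material[version], nonce, dek)
        return dek, wrapped  # the version byte tells KMS which material to unwrap with

    def decrypt(self, wrapped: bytes) -> bytes:
        """Unwrap a DEK; old versions are kept, so data written before rotation still opens."""
        self._require_enabled()
        version, nonce, body = wrapped[0], wrapped[1:13], wrapped[13:]
        return _xor_stream(self.material[version], nonce, body)

def encrypt_object(kms: ToyKMS, plaintext: bytes) -> dict:
    """Service side: obtain a DEK, encrypt locally, store only the wrapped DEK."""
    dek, wrapped = kms.generate_data_key()
    nonce = os.urandom(12)
    ciphertext = _xor_stream(dek, nonce, plaintext)
    del dek  # plaintext DEK is discarded; only KMS can recover it from `wrapped`
    return {"wrapped_dek": wrapped, "nonce": nonce, "ciphertext": ciphertext}

def decrypt_object(kms: ToyKMS, blob: dict) -> bytes:
    """Service side: ask KMS to unwrap the DEK, then decrypt the data locally."""
    dek = kms.decrypt(blob["wrapped_dek"])
    return _xor_stream(dek, blob["nonce"], blob["ciphertext"])
```

Rotating the key changes which material wraps new DEKs, while older blobs still open; setting the state to anything but Enabled makes every operation fail, which is the behaviour a disabled or pending-deletion CMK shows.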
Key Policies vs IAM Policies
Key Policies: Resource-based policies attached to CMKs; every CMK must have one.
IAM Policies: Identity-based policies that can grant KMS permissions only if the key policy allows it (typically by naming the account root as a principal, which delegates to IAM).
Unless the key policy grants a principal access directly, both the key policy and an IAM policy must allow the access before the principal can use the CMK.
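One way to see how the two policy layers combine, including the cross-account case, as an added example that is not AWS's real policy evaluator: evaluate(), _covers(), the account IDs, the key ARN and the policies are constructed for illustration, and conditions, grants and SCPs are deliberately ignored.

```python
"""Simplified model of how a KMS key policy and an IAM policy combine for one request.
Added example, not AWS's evaluator: conditions, grants and SCPs are left out."""
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def _covers(stmt, action, resource, principal=None):  # statement matches this request?
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    return principal is None or any(p in ("*", principal) for p in _principals(stmt))

def evaluate(key_policy, iam_policy, principal, action, key_arn):
    """Return (allowed, reason) for `principal` calling `action` on the CMK `key_arn`."""
    kp, ip = key_policy["Statement"], iam_policy["Statement"]
    # Naming an account root in the key policy delegates to that account's IAM policies,
    # which is also how cross-account access is granted.
    principal_root = "arn:aws:iam::" + principal.split(":")[4] + ":root"
    if any(s["Effect"] == "Deny" and _covers(s, action, key_arn, principal) for s in kp):
        return False, "explicit Deny in key policy"          # 1. explicit Deny always wins
    if any(s["Effect"] == "Deny" and _covers(s, action, key_arn) for s in ip):
        return False, "explicit Deny in IAM policy"
    if any(s["Effect"] == "Allow" and _covers(s, action, key_arn, principal) for s in kp):
        return True, "key policy allows the principal directly"  # 2. no IAM policy needed
    if not any(s["Effect"] == "Allow" and _covers(s, action, key_arn, principal_root) for s in kp):
        return False, "key policy neither names the principal nor its account root"
    if any(s["Effect"] == "Allow" and _covers(s, action, key_arn) for s in ip):
        return True, "key policy delegates to IAM and the IAM policy allows"  # 3. both allow
    return False, "key policy delegates to IAM but the IAM policy does not allow"

# Constructed sample data (not real accounts or keys).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},  # the default "Enable IAM User Permissions" statement
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
]}
IAM_DECRYPT_ONLY = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}
IAM_EMPTY = {"Statement": []}
```

With these inputs, app-role can decrypt with no IAM policy at all, a user in the same account needs the IAM policy too, and a principal from another account is refused until the key policy names that account's root.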
Exam Tips: Answering Questions on Customer Managed Keys
1. Know the Key Types: Understand the difference between AWS owned keys, AWS managed keys, and customer managed keys. CMKs offer the most control and flexibility.
2. Key Rotation Questions: Remember automatic rotation is annual (365 days) and only works with symmetric CMKs with KMS-generated material. Imported key material requires manual rotation.
3. Cross-Account Scenarios: When questions mention sharing encrypted resources across accounts, CMKs require both key policy AND IAM policy permissions in the target account.
4. Deletion Questions: CMKs have a mandatory waiting period (7-30 days, default 30). During pending deletion, the key cannot be used. This is a recovery mechanism.
5. Cost Awareness: CMKs cost $1/month per key. AWS managed keys are free. Questions about cost optimization might suggest using AWS managed keys when custom control is not required.
6. CloudTrail Integration: All CMK API calls are logged. If a question asks about auditing encryption key usage, CloudTrail is the answer.
7. Regional Scope: CMKs are regional resources. Multi-region keys exist but are separate CMKs. For cross-region scenarios, consider multi-region keys or re-encryption.
8. Envelope Encryption: KMS uses envelope encryption - understand that the CMK encrypts data keys, not the data itself (for large data).
9. Grant vs Policy: Grants provide temporary, programmatic access to CMKs. Key policies and IAM policies provide persistent access.
10. Disabled vs Deleted: A disabled key can be re-enabled. A deleted key is permanently gone after the waiting period. For temporary access removal, disable the key.