AWS KMS Flashcards
KMS arch
Part of the AWS public zone; exists as a separate service in each region
KMS is used
To create, store and manage cryptographic keys.
Cryptographic Operations
Can handle Symmetric and Asymmetric Keys
Cryptographic operations for encrypting, decrypting, and others.
Where do the keys in KMS stay?
Keys never leave the KMS service.
KMS Security Level compliance standard
Security standards compliance: FIPS 140-2 (Level 2)
KMS mainly manages
CMK (Customer Master Key)
KMS contains
Physical master keys
Two types of CMK
AWS-Managed
Created automatically when you enable server-side encryption of a resource
Customer-Managed.
Created by you when necessary.
CMKs Rotation
CMKs support rotation
Process in which the physical key material is changed.
For an AWS-managed CMK the rotation happens once every 3 years.
For a customer-managed CMK rotation is optional, but once enabled it is an annual change.
CMKs are made of
ID
Date
Policy
Description
State (active or not).
Aliases
Allow creating an alias in the region that points to a CMK; your application can use that alias instead of the direct CMK name.
This allows you to change the CMK without changing the application.
Key Policies
Resource policy for keys; every CMK has its own key policy.
IAM users and KMS
User needs: Key Policy + IAM Policy
Data Encryption Key (DEK)
Type of key that KMS generates using a CMK
The GenerateDataKey operation generates data keys (DEKs) that can be used to encrypt data larger than 4 KB.
KMS never stores the DEK: it provides the key to you and discards it, because KMS itself does not use it; you are responsible for using the DEK to encrypt and decrypt data.
Encrypt/Decrypt
To encrypt data outside of KMS: generate the plaintext data key and its ciphertext version using the GenerateDataKey operation, use the plaintext key to encrypt the data and then discard it, and store the encrypted key with the data.
To decrypt data outside of KMS: take the encrypted key and use the KMS Decrypt operation to receive the plaintext key, use the plaintext data key to decrypt the data, and then discard it.