AWS KMS Flashcards
(34 cards)
AWS Key Management Store (KMS) is a
AWS Key Management Store (KMS) is a managed service that enables you to easily encrypt your data.
AWS KMS provides a highly available
AWS KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.
customer master keys (CMKs)
AWS KMS allows you to centrally manage and securely store your keys. These are known as AWS KMS keys (formerly known as customer master keys (CMKs).
A KMS key consists of:
- Alias.
- Creation date.
- Description.
- Key state.
- Key material (either customer provided or AWS provided).
KMS keys are the primary resources in AWS KMS.
The KMS key includes metadata, such as the key ID, creation date, description, and key state.
KMS key Size
A KMS key can encrypt data up to 4KB in size.
Data Encryption Keys
A KMS key can generate, encrypt, and decrypt Data Encryption Keys (DEKs).
AWS Managed KMS keys:
Customer managed KMS keys:
- These provide the ability to implement greater flexibility.
- You can perform rotation, governing access, and key policy configuration.
- You are able to enable and disable the key when it is no longer required.
Customer Managed KMS keys Principles
Customer managed KMS keys are KMS keys in your AWS account that you create, own, and manage.
You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS key, and scheduling the KMS keys for deletion.
Customer managed KMS keys incur a monthly fee and a fee for use in excess of the free tier.
AWS Managed KMS keys
AWS managed KMS keys are KMS keys in your account that are created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS.
You cannot manage these KMS keys, rotate them, or change their key policies.
You also cannot use AWS managed KMS keys in cryptographic operations directly; the service that creates them uses them on your behalf.
You do not pay a monthly fee for AWS managed KMS keys. They can be subject to fees for use in excess of the free tier, but some AWS services cover these costs for you.
AWS Owned KMS Keys
AWS owned KMS keys are a collection of KMS keys that an AWS service owns and manages for use in multiple AWS accounts.
Although AWS owned KMS keys are not in your AWS account, an AWS service can use its AWS owned KMS keys to protect the resources in your account.
You do not need to create or manage the AWS owned KMS keys.
However, you cannot view, use, track, or audit them.
You are not charged a monthly fee or usage fee for AWS owned KMS keys and they do not count against the AWS KMS quotas for your account.
Data Encryption Keys
Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.
You can use AWS KMS keys to generate, encrypt, and decrypt data keys.
AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys.
You must use and manage data keys outside of AWS KMS.
The GenerateDataKey API can be used to create a data encryption key using a KMS key
KMS Details
You set usage policies on the keys that determine which users can use them to encrypt and decrypt data and under which conditions.
Key material options:
- KMS generated.
- Import your own.
KMS Generation
You can generate KMS keys in KMS, in an AWS CloudHSM cluster, or import them from your own key management infrastructure.
KMS Encrypt Data
You can submit data directly to KMS to be encrypted or decrypted using these master keys.
symmetric VS asymmetric
KMS now has the option for symmetric and asymmetric keys.
KMS Rest Principle
KMS is for encryption at rest only (not in transit, use SSL).
KMS is tightly integrated into
KMS is tightly integrated into many AWS services like Lambda, S3, EBS, EFS, DynamoDB, SQS etc.
KMS Data Key Principles
Data keys are not retained or managed by KMS.
AWS services encrypt your data and store an encrypted copy of the data key along with the data it protects.
When a service needs to decrypt your data they request KMS to decrypt the data key using your master key.
If the user requesting data from the AWS service is authorized to decrypt under your master key policy, the service will receive the decrypted data key from KMS with which it can decrypt your data and return it in plaintext.
KMS Logging
All requests to use your master keys are logged in AWS CloudTrail so you can understand who used which key under which context and when they used it.
You can control who manages and accesses keys via IAM users and roles.
You can audit the use of keys via CloudTrail.
Encryption Regional.
Encryption keys are regional.
Key Management with KMS
Data Encryption Scenarios
Typically, data is encrypted in one of the following three scenarios:
- You can use KMS APIs directly to encrypt and decrypt data using your master keys stored in KMS.
- You can choose to have AWS services encrypt your data using your master keys stored in KMS. In this case data is encrypted using data keys that are protected by your master keys in KMS.
- You can use the AWS Encryption SDK that is integrated with AWS KMS to perform encryption within your own applications, whether they operate in AWS or not.
Custom Key Store
he AWS KMS custom key store feature combines the controls provided by AWS CloudHSM with the integration and ease of use of AWS KMS.
You can configure your own CloudHSM cluster and authorize KMS to use it as a dedicated key store for your keys rather than the default KMS key store.
When you create keys in KMS you can chose to generate the key material in your CloudHSM cluster. Master keys that are generated in your custom key store never leave the HSMs in the CloudHSM cluster in plaintext and all KMS operations that use those keys are only performed in your HSMs.
In all other respects master keys stored in your custom key store are consistent with other KMS keys.
