KMS Flashcards
Resilience of KMS
Regionally resilient public service (lives in the AWS public zone, but still requires permissions to access the service)
Main role of KMS
Create, Store and Manage Keys.
KMS is used for
Encryption and decryption (plain text to cipher text and vice versa)
Features of KMS
Supports both symmetric and asymmetric keys
Performs cryptographic operations (encryption and decryption)
Security of KMS
Keys never leave KMS
Compliant with the FIPS 140-2 (Level 2) US security standard.
Uses of CMK
KMS uses CMKs for cryptographic operations; they are also used by users, applications and AWS services.
CMK is
A logical object: a container that holds the physical backing key.
CMK contains
Key policy, key ID, key creation date, description, state (active or inactive), and the physical backing key
Features of CMK
A CMK contains a physical backing key that is managed by KMS and used for cryptographic operations.
The physical key can be imported or generated by KMS.
Can be used to perform cryptographic operations directly on data up to 4KB in size.
Security of CMK
A CMK is restricted to KMS (in the region where it was created) and cannot be extracted from KMS.
Types of CMK and key rotation
AWS Managed CMK (completely managed by AWS)
Key rotation - once every 3 years (enabled by default)
Customer Managed CMK (the key policy can be edited to allow other AWS accounts to access our key)
Key rotation - once a year (optional; can be enabled or disabled)
What is key rotation?
The process of changing the physical backing key.
The CMK retains all previous backing keys as well as the current one.
Alias
An alias can be created for a CMK (regionally resilient)
Working of CMK and KMS
Choose a region and create a new key; this creates a CMK via the createKey operation (a container holding a physical backing key).
This is what KMS creates, stores and manages.
CMKs are never persisted to disk unencrypted.
Encryption using CMK
The user requests an Encrypt operation by providing the data and specifying the CMK; KMS accepts the data assuming the user has permission to perform the encrypt operation.
KMS then decrypts the backing key and uses it with the data to generate cipher text.
Decryption using CMK
The user requests a Decrypt operation by providing only the encrypted data (the CMK identifier is encoded within the cipher text); KMS decrypts the corresponding CMK, decrypts the encrypted data and returns plain text,
assuming the user has permission to perform the decrypt operation.
Security of CMK and KMS
CMKs never leave KMS, and every operation requires permissions.
Role separation
User 1 -> only creates and manages keys.
User 2 -> only performs cryptographic operations.
DEKs
KMS generates a CMK -> the CMK generates a DEK using the generateDataKey operation.
All three are linked, so KMS knows which DEK belongs to which CMK.
But KMS does not store or manage DEKs (it only generates them); we, or the AWS service, must handle the cryptographic operations on our data.
Condition for DEK
Used to perform cryptographic operations on data larger than 4KB.
Versions of DEKs
Plain text key and encrypted key
Working of DEKs
The DEK is encrypted by the CMK when it is generated, and the plain text DEK can be recovered by decrypting it with the CMK, assuming we have permissions.
Encryption using DEK
Encrypt the plain text data with the plain text version of the DEK to get the cipher text, then discard the plain text DEK.
So we are left with the encrypted DEK and the cipher text.
This process is not handled by KMS; we or the service must handle it.
The same DEK can be used for millions of files.
Decryption using DEK
Pass the encrypted DEK to KMS and call the Decrypt operation with the corresponding CMK to get the plain text DEK; decrypt the data with it and then discard the plain text DEK.