
AWS Key Management Services (KMS)


Last updated 7 months ago

When data is moved into the cloud, it should be secured at both stages: while in transit and while at rest. One of the AWS services that is foundational for dealing with encryption keys is KMS (Key Management Service), which is mainly used to provide, store and manage encryption keys for data at rest.

Note that KMS also allows auditing of who used the KMS keys with the help of CloudTrail. It is also possible to exercise access control over KMS keys by creating key usage policies.

KMS provides centralized key management that is compatible with a variety of other AWS services.

AWS KMS supports the creation of both symmetric keys and asymmetric keys (like the key pairs used for EC2 access over SSH).

KMS keys can be of two types:

  • Customer Master Keys (CMKs) - A CMK can be customer managed (uploaded by the customer or generated by KMS for the customer) or AWS managed (generated in KMS by AWS whenever required). It acts as one of the inputs in generating unique data keys and is also used to encrypt and decrypt the generated data keys, i.e. CMKs act as key encryption keys; this process is known as Envelope Encryption.

  • Data Encryption Keys - Also known as data keys (DEKs), these are used to encrypt and decrypt the data itself. Note that the master key never leaves KMS and that each DEK generated is unique, for better security.

Using the keys in KMS, AWS encrypts and decrypts data in S3, S3 Glacier, EBS, EFS, FSx, RedShift, RDS, Amazon EMR and even CloudTrail. This process is called Server-Side Encryption (SSE). The different flavours of SSE are as follows:

  • Server-Side Encryption using AWS Managed Keys (SSE-KMS) - A Data Encryption Key (DEK) is used to encrypt the data, and the DEK itself is encrypted using the Customer Master Key.

  • Server-Side Encryption using a Customer Provided Encryption Key (SSE-C) - The customer-generated key is uploaded into KMS and used to encrypt the data directly, unlike the previous case, where a DEK (data encryption key) is generated using the Customer Master Key.

Note that in most data-at-rest cases, taking S3 as the example, when data is uploaded into S3 the DEK (in its encrypted form) is stored as part of the metadata of the encrypted S3 object in the bucket, so that when access to the encrypted object is requested, S3 can retrieve the key quickly.
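The envelope encryption flow described above (a unique DEK per object, the DEK wrapped by the master key, the wrapped DEK stored next to the ciphertext as metadata, and the master key never leaving KMS) is shown below as an added, self-contained example. It is not code from the original page and does not call the real AWS SDK: `simKMS` is an assumed local stand-in for the KMS service, and `GenerateDataKey`/`Decrypt` only mirror the shape of the KMS operations of the same name. The encryption context string is also an assumption modelled on the KMS feature of binding additional authenticated data to a wrapped key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// simKMS is a local stand-in for AWS KMS used only in this example (assumption).
// It holds the master key (CMK, acting as key-encryption key) and only ever
// hands out data keys; the master key itself never leaves this struct.
type simKMS struct {
	masterKey []byte // 256-bit key-encryption key
}

func newSimKMS() (*simKMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &simKMS{masterKey: k}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-256-GCM and prepends the random nonce to the output.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; tampering or a wrong AAD is an authentication error.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey returns a fresh 256-bit DEK both in plaintext and wrapped
// under the master key; the encryption context is bound to the wrap as AAD.
func (k *simKMS) GenerateDataKey(encContext string) (plainDEK, wrappedDEK []byte, err error) {
	plainDEK = make([]byte, 32)
	if _, err = rand.Read(plainDEK); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = aeadSeal(k.masterKey, plainDEK, []byte(encContext)); err != nil {
		return nil, nil, err
	}
	return plainDEK, wrappedDEK, nil
}

// Decrypt unwraps a DEK; it only succeeds with the context used at generation.
func (k *simKMS) Decrypt(wrappedDEK []byte, encContext string) ([]byte, error) {
	return aeadOpen(k.masterKey, wrappedDEK, []byte(encContext))
}

// EnvelopeObject is what a service such as S3 would store: the ciphertext
// plus the wrapped DEK kept alongside it as metadata.
type EnvelopeObject struct {
	Ciphertext []byte
	WrappedDEK []byte
	Context    string
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EncryptObject: obtain a unique DEK, encrypt locally with it, keep only the
// wrapped DEK, and wipe the plaintext DEK from memory afterwards.
func EncryptObject(kms *simKMS, plaintext []byte, encContext string) (EnvelopeObject, error) {
	plainDEK, wrappedDEK, err := kms.GenerateDataKey(encContext)
	if err != nil {
		return EnvelopeObject{}, err
	}
	defer zero(plainDEK)
	ct, err := aeadSeal(plainDEK, plaintext, nil)
	if err != nil {
		return EnvelopeObject{}, err
	}
	return EnvelopeObject{Ciphertext: ct, WrappedDEK: wrappedDEK, Context: encContext}, nil
}

// DecryptObject: unwrap the stored DEK via "KMS", then decrypt the data locally.
func DecryptObject(kms *simKMS, obj EnvelopeObject) ([]byte, error) {
	plainDEK, err := kms.Decrypt(obj.WrappedDEK, obj.Context)
	if err != nil {
		return nil, err
	}
	defer zero(plainDEK)
	return aeadOpen(plainDEK, obj.Ciphertext, nil)
}

func main() {
	kms, err := newSimKMS()
	if err != nil {
		panic(err)
	}
	// Constructed sample object and context; not real data.
	obj, err := EncryptObject(kms, []byte("constructed sample record"), "bucket=example-bucket")
	if err != nil {
		panic(err)
	}
	pt, err := DecryptObject(kms, obj)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped DEK is %d bytes, recovered: %q\n", len(obj.WrappedDEK), pt)
}
```

Two properties worth noticing when running it: encrypting the same plaintext twice yields two different wrapped DEKs (one key per object, as the page states), and a modified ciphertext or a mismatched encryption context fails authentication instead of silently returning garbage. A compromise of stored objects therefore still requires access to the master key holder to recover anything.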

There is also Client-Side Encryption, where the client supplies its own 256-bit key and key-encrypting key, encrypts the data itself, and uploads the encrypted blob to S3 as is (already encrypted).

Note that the following KMS administrative tasks are essential:

  • Control which IAM users and roles can administer the key, and which can (or cannot) use it

  • Rotate the keys

  • Disable keys and re-enable them when required

  • Audit the usage of keys
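The first task above, separating who administers a key from who uses it, is expressed in the key's usage policy. The key policy below is an added example, not taken from the page or from AWS documentation verbatim; the account ID `111122223333` and the role names `KmsAdminRole` and `AppRole` are placeholders. The admin role gets lifecycle actions (create, enable/disable, rotation settings, deletion scheduling) but no `kms:Encrypt`/`kms:Decrypt`, while the application role gets only the data-path actions needed for envelope encryption.

```json
{
  "Version": "2012-10-17",
  "Id": "example-separation-of-duties",
  "Statement": [
    {
      "Sid": "EnableRootAccountPermissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowKeyAdministrationWithoutUse",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KmsAdminRole" },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUseOfKeyForEnvelopeEncryptionOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

The root-account statement is the one AWS adds by default; without it (or an equivalent admin principal) a key can become unmanageable if the admin role is later deleted. Every call made under either role is recorded by CloudTrail, which is what the "audit the usage of keys" task relies on.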

AWS Console for KMS keys shows the following options:

Steps for triggering creation of AWS managed (KMS key/Customer Master key):

Steps for creating KMS generated Customer managed (KMS key/Customer Master key):

Steps for importing customer uploaded Customer managed (KMS key/Customer Master key):

<-will be added later->

Steps for using customer provided data encryption key:

<-will be added later->
