Amazon KMS

From Cramsession
Jump to navigationJump to search
✍️ Verified Author: MflavellClick to view professional profile & credentials

Study Guides > AWS Cybersecurity Notes > Amazon KMS

Overview

  • Data encryption is the most critical aspect.
  • Must know KMS and the API calls used in the service


Customer Master Keys

  • Contain key material for encryption and decryption.
  • CMKs are managed in KMS
  • KMS provides a way to store and manage keys.


  • They are used to manage encryption keys for data.
  • KMS protects the CMKs
  • CMKs integrate with AWS services.
  • They can also be used outside of AWS.


  • Two different types of CMK exist:
  • Customer managed.
  • AWS managed.



  • CMKs support envelope encryption.
  • A data key is generated for the data.
  • The data key is encrypted with the CMK.


  • Key usage is logged in CloudTrail and CloudWatch


AWS Managed CMKs

  • Owned and used by AWS services
  • Independent from the customer account.
  • Can be used by services inside an account.


  • They are rotated at least once per year.
  • No control over when these keys roll.
  • These keys are region specific.


Examples of AWS Managed CMKs

  • AWS managed CMK for S3 - Used in data buckets.
  • AWS KMS Default CMK - used for default encryption in EBS, RDS and Redshift.


Customer Managed Keys

  • Provides the customer total control over the key.


The key Policy can be defined:

  • Rotation schedules.
  • Permissions.


  • These keys are not tied to any feature or service.


  • It is the customer responsibility to protect customer managed keys.


Selecting a key type

  • Policy will dictate the key type.


  • AWS managed keys may be ok if complete control is not needed.
  • AWS managed keys have no charge.


  • If policy states keys must be rotated on demand (after an incident) customer managed is best.


Data Encryption Keys

  • These are generated by KMS for encrypting data.
  • The are used in conjunction with customer-managed keys.
  • A DEK is short-lived and used for a specific operation.
  • Provides an extra layer of security.
DEK encrypts data
CMK encrypts the DEK


DEK facts

  • A DEK is generated by KMS.
  • A DEK is random.
  • Envelope encryption.
  • Data encrypted with DEK / DEK encrypted with CMK
  • A DEK is fast and efficient.
  • Can be used with various AWS services.
  • KMS manages the DEK lifecycle
  • DEK's are symmetric keys (they they are fast)

Key Material

AWS creates the material for the KMS key. [1]

  • The customer can delete the key but not the key material.
  • Key material cannot be exported, viewed or managed - it is secret!


KMS automatically creates the key material.

When you create your own CMK you can import your own key material.

  • This key material must be encrypted with a symmetric encryption key.


Key Policies

These contol access to the KMS keys.

  • Each KMS key is associated with a policy.
  • Policy defines who can access they key.
  • Policy helps enforce secure access to keys.
  • Defines what users, roles and accounts can access a key.
  • Also defines who can encrypt, decrypt and rotate.


  • Each key can only have a single key policy associated with it.
  • The primary function of a key policy is control of who can perform operations with the key.
  • Without a key policy their is no control over the CMKs

Grants

  • These define who can perform functions.
  • Provide fine grained controls.
  • Evelope encryption is used. Data is encrypted with a key, the key is encrypted with another key.

Envelope encrpytion in KMS

  • The master key - Customer Master Key protects the data.
  • A DEK is generated - the DEK is random.
  • The DEK encrypts the data.
  • The DEK is encrypted with the master key (CMK).


  • The DEK is read when the data needs to be decrypted.
  • The DEK is stored seperate from the data.


KMS Roles

Key Administrators.

  • Complete control over their keys.
  • Can define policies
  • Configure key rotation schedules.


Key Managers

  • Can create and manage CMKs
  • Can define polices and rotation schedules.
  • Role is combined admin / user.


IAM Users and Roles

  • Assigned permissions to keys.
  • Granular access is provided.
  • Its important to implement separation of duties here.


Cross Region Key Management

  • Cross region replication must be enabled.
  • Select a primary region.
  • Use a consistent key policy.
  • Data transfer and latency will be factors.
  • Understand compliance and data residency laws.
Retrieved from "https://cramsession.net/index.php?title=Amazon_KMS&oldid=1119"