Amazon KMS: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
No edit summary |
No edit summary |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 160: | Line 160: | ||
:* Also defines who can encrypt, decrypt and rotate. | :* Also defines who can encrypt, decrypt and rotate. | ||
* Each key can only have a single key policy associated with it. | |||
* The primary function of a key policy is control of who can perform operations with the key. | |||
* Without a key policy their is no control over the CMKs | |||
== Grants == | == Grants == | ||
| Line 168: | Line 174: | ||
* Evelope encryption is used. Data is encrypted with a key, the key is encrypted with another key. | * Evelope encryption is used. Data is encrypted with a key, the key is encrypted with another key. | ||
= Envelope encrpytion in KMS = | = Envelope encrpytion in KMS = | ||
| Line 197: | Line 202: | ||
Key Managers | Key Managers | ||
* Can create and | * Can create and manage CMKs | ||
* Can define polices and | * Can define polices and rotation schedules. | ||
* Role is combined admin / user. | * Role is combined admin / user. | ||
| Line 206: | Line 211: | ||
* Assigned permissions to keys. | * Assigned permissions to keys. | ||
* Granular access is provided. | * Granular access is provided. | ||
:* Its important to implement | :* Its important to implement separation of duties here. | ||
= Cross Region Key Management = | |||
* Cross region replication must be enabled. | |||
* Select a primary region. | |||
* Use a consistent key policy. | |||
* Data transfer and latency will be factors. | |||
* Understand compliance and data residency laws. | |||
Latest revision as of 22:53, 2 June 2025
Study Guides > AWS Cybersecurity Notes > Amazon KMS
Overview
- Data encryption is the most critical aspect.
- Must know KMS and the API calls used in the service
Customer Master Keys
- Contain key material for encryption and decryption.
- CMKs are managed in KMS
- KMS provides a way to store and manage keys.
- They are used to manage encryption keys for data.
- KMS protects the CMKs
- CMKs integrate with AWS services.
- They can also be used outside of AWS.
- Two different types of CMK exist:
- Customer managed.
- AWS managed.
- CMKs support envelope encryption.
- A data key is generated for the data.
- The data key is encrypted with the CMK.
- Key usage is logged in CloudTrail and CloudWatch
AWS Managed CMKs
- Owned and used by AWS services
- Independent from the customer account.
- Can be used by services inside an account.
- They are rotated at least once per year.
- No control over when these keys roll.
- These keys are region specific.
Examples of AWS Managed CMKs
- AWS managed CMK for S3 - Used in data buckets.
- AWS KMS Default CMK - used for default encryption in EBS, RDS and Redshift.
Customer Managed Keys
- Provides the customer total control over the key.
The key Policy can be defined:
- Rotation schedules.
- Permissions.
- These keys are not tied to any feature or service.
- It is the customer responsibility to protect customer managed keys.
Selecting a key type
- Policy will dictate the key type.
- AWS managed keys may be ok if complete control is not needed.
- AWS managed keys have no charge.
- If policy states keys must be rotated on demand (after an incident) customer managed is best.
Data Encryption Keys
- These are generated by KMS for encrypting data.
- The are used in conjunction with customer-managed keys.
- A DEK is short-lived and used for a specific operation.
- Provides an extra layer of security.
- DEK encrypts data
- CMK encrypts the DEK
DEK facts
- A DEK is generated by KMS.
- A DEK is random.
- Envelope encryption.
- Data encrypted with DEK / DEK encrypted with CMK
- A DEK is fast and efficient.
- Can be used with various AWS services.
- KMS manages the DEK lifecycle
- DEK's are symmetric keys (they they are fast)
Key Material
AWS creates the material for the KMS key. [1]
- The customer can delete the key but not the key material.
- Key material cannot be exported, viewed or managed - it is secret!
KMS automatically creates the key material.
When you create your own CMK you can import your own key material.
- This key material must be encrypted with a symmetric encryption key.
Key Policies
These contol access to the KMS keys.
- Each KMS key is associated with a policy.
- Policy defines who can access they key.
- Policy helps enforce secure access to keys.
- Defines what users, roles and accounts can access a key.
- Also defines who can encrypt, decrypt and rotate.
- Each key can only have a single key policy associated with it.
- The primary function of a key policy is control of who can perform operations with the key.
- Without a key policy their is no control over the CMKs
Grants
- These define who can perform functions.
- Provide fine grained controls.
- Evelope encryption is used. Data is encrypted with a key, the key is encrypted with another key.
Envelope encrpytion in KMS
- The master key - Customer Master Key protects the data.
- A DEK is generated - the DEK is random.
- The DEK encrypts the data.
- The DEK is encrypted with the master key (CMK).
- The DEK is read when the data needs to be decrypted.
- The DEK is stored seperate from the data.
KMS Roles
Key Administrators.
- Complete control over their keys.
- Can define policies
- Configure key rotation schedules.
Key Managers
- Can create and manage CMKs
- Can define polices and rotation schedules.
- Role is combined admin / user.
IAM Users and Roles
- Assigned permissions to keys.
- Granular access is provided.
- Its important to implement separation of duties here.
Cross Region Key Management
- Cross region replication must be enabled.
- Select a primary region.
- Use a consistent key policy.
- Data transfer and latency will be factors.
- Understand compliance and data residency laws.
