Amazon KMS: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
No edit summary |
|||
| (7 intermediate revisions by the same user not shown) | |||
| Line 113: | Line 113: | ||
* A DEK is short-lived and used for a specific operation. | * A DEK is short-lived and used for a specific operation. | ||
* Provides an extra layer of security. | |||
: DEK encrypts data | |||
: CMK encrypts the DEK | |||
== DEK facts == | |||
* A DEK is generated by KMS. | * A DEK is generated by KMS. | ||
| Line 128: | Line 129: | ||
* KMS manages the DEK lifecycle | * KMS manages the DEK lifecycle | ||
* DEK's are symmetric keys (they they are fast) | * DEK's are symmetric keys (they they are fast) | ||
= Key Material = | |||
AWS creates the material for the KMS key. [https://repost.aws/questions/QUONBkdQZ5RCapsT9p2K0x7w/what-is-kms-key-material] | |||
* The customer can delete the key but not the key material. | |||
* Key material cannot be exported, viewed or managed - it is secret! | |||
KMS automatically creates the key material. | |||
When you create your own CMK you can import your own key material. | |||
* This key material must be encrypted with a symmetric encryption key. | |||
= Key Policies = | |||
These contol access to the KMS keys. | |||
* Each KMS key is associated with a policy. | |||
:* Policy defines who can access they key. | |||
:* Policy helps enforce secure access to keys. | |||
:* Defines what users, roles and accounts can access a key. | |||
:* Also defines who can encrypt, decrypt and rotate. | |||
* Each key can only have a single key policy associated with it. | |||
* The primary function of a key policy is control of who can perform operations with the key. | |||
* Without a key policy their is no control over the CMKs | |||
== Grants == | |||
* These define who can perform functions. | |||
* Provide fine grained controls. | |||
* Evelope encryption is used. Data is encrypted with a key, the key is encrypted with another key. | |||
= Envelope encrpytion in KMS = | |||
* The master key - Customer Master Key protects the data. | |||
* A DEK is generated - the DEK is random. | |||
* The DEK encrypts the data. | |||
:* The DEK is encrypted with the master key (CMK). | |||
* The DEK is read when the data needs to be decrypted. | |||
*: The DEK is stored seperate from the data. | |||
= KMS Roles = | |||
Key Administrators. | |||
* Complete control over their keys. | |||
* Can define policies | |||
* Configure key rotation schedules. | |||
Key Managers | |||
* Can create and manage CMKs | |||
* Can define polices and rotation schedules. | |||
* Role is combined admin / user. | |||
IAM Users and Roles | |||
* Assigned permissions to keys. | |||
* Granular access is provided. | |||
:* Its important to implement separation of duties here. | |||
= Cross Region Key Management = | |||
* Cross region replication must be enabled. | |||
* Select a primary region. | |||
* Use a consistent key policy. | |||
* Data transfer and latency will be factors. | |||
* Understand compliance and data residency laws. | |||
Latest revision as of 22:53, 2 June 2025
Study Guides > AWS Cybersecurity Notes > Amazon KMS
Overview
- Data encryption is the most critical aspect.
- Must know KMS and the API calls used in the service
Customer Master Keys
- Contain key material for encryption and decryption.
- CMKs are managed in KMS
- KMS provides a way to store and manage keys.
- They are used to manage encryption keys for data.
- KMS protects the CMKs
- CMKs integrate with AWS services.
- They can also be used outside of AWS.
- Two different types of CMK exist:
- Customer managed.
- AWS managed.
- CMKs support envelope encryption.
- A data key is generated for the data.
- The data key is encrypted with the CMK.
- Key usage is logged in CloudTrail and CloudWatch
AWS Managed CMKs
- Owned and used by AWS services
- Independent from the customer account.
- Can be used by services inside an account.
- They are rotated at least once per year.
- No control over when these keys roll.
- These keys are region specific.
Examples of AWS Managed CMKs
- AWS managed CMK for S3 - Used in data buckets.
- AWS KMS Default CMK - used for default encryption in EBS, RDS and Redshift.
Customer Managed Keys
- Provides the customer total control over the key.
The key Policy can be defined:
- Rotation schedules.
- Permissions.
- These keys are not tied to any feature or service.
- It is the customer responsibility to protect customer managed keys.
Selecting a key type
- Policy will dictate the key type.
- AWS managed keys may be ok if complete control is not needed.
- AWS managed keys have no charge.
- If policy states keys must be rotated on demand (after an incident) customer managed is best.
Data Encryption Keys
- These are generated by KMS for encrypting data.
- The are used in conjunction with customer-managed keys.
- A DEK is short-lived and used for a specific operation.
- Provides an extra layer of security.
- DEK encrypts data
- CMK encrypts the DEK
DEK facts
- A DEK is generated by KMS.
- A DEK is random.
- Envelope encryption.
- Data encrypted with DEK / DEK encrypted with CMK
- A DEK is fast and efficient.
- Can be used with various AWS services.
- KMS manages the DEK lifecycle
- DEK's are symmetric keys (they they are fast)
Key Material
AWS creates the material for the KMS key. [1]
- The customer can delete the key but not the key material.
- Key material cannot be exported, viewed or managed - it is secret!
KMS automatically creates the key material.
When you create your own CMK you can import your own key material.
- This key material must be encrypted with a symmetric encryption key.
Key Policies
These contol access to the KMS keys.
- Each KMS key is associated with a policy.
- Policy defines who can access they key.
- Policy helps enforce secure access to keys.
- Defines what users, roles and accounts can access a key.
- Also defines who can encrypt, decrypt and rotate.
- Each key can only have a single key policy associated with it.
- The primary function of a key policy is control of who can perform operations with the key.
- Without a key policy their is no control over the CMKs
Grants
- These define who can perform functions.
- Provide fine grained controls.
- Evelope encryption is used. Data is encrypted with a key, the key is encrypted with another key.
Envelope encrpytion in KMS
- The master key - Customer Master Key protects the data.
- A DEK is generated - the DEK is random.
- The DEK encrypts the data.
- The DEK is encrypted with the master key (CMK).
- The DEK is read when the data needs to be decrypted.
- The DEK is stored seperate from the data.
KMS Roles
Key Administrators.
- Complete control over their keys.
- Can define policies
- Configure key rotation schedules.
Key Managers
- Can create and manage CMKs
- Can define polices and rotation schedules.
- Role is combined admin / user.
IAM Users and Roles
- Assigned permissions to keys.
- Granular access is provided.
- Its important to implement separation of duties here.
Cross Region Key Management
- Cross region replication must be enabled.
- Select a primary region.
- Use a consistent key policy.
- Data transfer and latency will be factors.
- Understand compliance and data residency laws.
