Amazon KMS: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
No edit summary |
|||
| Line 129: | Line 129: | ||
* KMS manages the DEK lifecycle | * KMS manages the DEK lifecycle | ||
* DEK's are symmetric keys (they they are fast) | * DEK's are symmetric keys (they they are fast) | ||
= Key Material = | |||
AWS creates the material for the KMS key. [https://repost.aws/questions/QUONBkdQZ5RCapsT9p2K0x7w/what-is-kms-key-material] | |||
* The customer can delete the key but not the key material. | |||
* Key material cannot be exported, viewed or managed - it is secret! | |||
KMS automatically creates the key material. | |||
When you create your own CMK you can import your own key material. | |||
* This key material must be encrypted with a symmetric encryption key. | |||
Revision as of 23:08, 30 May 2025
Study Guides > AWS Cybersecurity Notes > Amazon KMS
Overview
- Data encryption is the most critical aspect.
- Must know KMS and the API calls used in the service
Customer Master Keys
- Contain key material for encryption and decryption.
- CMKs are managed in KMS
- KMS provides a way to store and manage keys.
- They are used to manage encryption keys for data.
- KMS protects the CMKs
- CMKs integrate with AWS services.
- They can also be used outside of AWS.
- Two different types of CMK exist:
- Customer managed.
- AWS managed.
- CMKs support envelope encryption.
- A data key is generated for the data.
- The data key is encrypted with the CMK.
- Key usage is logged in CloudTrail and CloudWatch
AWS Managed CMKs
- Owned and used by AWS services
- Independent from the customer account.
- Can be used by services inside an account.
- They are rotated at least once per year.
- No control over when these keys roll.
- These keys are region specific.
Examples of AWS Managed CMKs
- AWS managed CMK for S3 - Used in data buckets.
- AWS KMS Default CMK - used for default encryption in EBS, RDS and Redshift.
Customer Managed Keys
- Provides the customer total control over the key.
The key Policy can be defined:
- Rotation schedules.
- Permissions.
- These keys are not tied to any feature or service.
- It is the customer responsibility to protect customer managed keys.
Selecting a key type
- Policy will dictate the key type.
- AWS managed keys may be ok if complete control is not needed.
- AWS managed keys have no charge.
- If policy states keys must be rotated on demand (after an incident) customer managed is best.
Data Encryption Keys
- These are generated by KMS for encrypting data.
- The are used in conjunction with customer-managed keys.
- A DEK is short-lived and used for a specific operation.
- Provides an extra layer of security.
- DEK encrypts data
- CMK encrypts the DEK
DEK facts
- A DEK is generated by KMS.
- A DEK is random.
- Envelope encryption.
- Data encrypted with DEK / DEK encrypted with CMK
- A DEK is fast and efficient.
- Can be used with various AWS services.
- KMS manages the DEK lifecycle
- DEK's are symmetric keys (they they are fast)
Key Material
AWS creates the material for the KMS key. [1]
- The customer can delete the key but not the key material.
- Key material cannot be exported, viewed or managed - it is secret!
KMS automatically creates the key material.
When you create your own CMK you can import your own key material.
- This key material must be encrypted with a symmetric encryption key.
