Study Guides > AWS Cybersecurity Notes > Amazon KMS

Overview

• Data encryption is the most critical aspect.

• Must know KMS and the API calls used in the service

Customer Master Keys

• Contain key material for encryption and decryption.

• CMKs are managed in KMS

• KMS provides a way to store and manage keys.

• They are used to manage encryption keys for data.

• KMS protects the CMKs

• CMKs integrate with AWS services.

• They can also be used outside of AWS.

• Two different types of CMK exist:

• Customer managed.

• AWS managed.

• CMKs support envelope encryption.

• A data key is generated for the data.

• The data key is encrypted with the CMK.

• Key usage is logged in CloudTrail and CloudWatch

AWS Managed CMKs

• Owned and used by AWS services

• Independent from the customer account.

• Can be used by services inside an account.

• They are rotated at least once per year.

• No control over when these keys roll.

• These keys are region specific.

Examples of AWS Managed CMKs

• AWS managed CMK for S3 - Used in data buckets.

• AWS KMS Default CMK - used for default encryption in EBS, RDS and Redshift.

Customer Managed Keys

• Provides the customer total control over the key.

The key Policy can be defined:

• Rotation schedules.

• Permissions.

• These keys are not tied to any feature or service.