Amazon KMS: Difference between revisions

From Cramsession
✍️ Verified Author: Mflavell
No edit summary
Line 108: Line 108:


* These are generated by KMS for encrypting data.
* These are generated by KMS for encrypting data.
* The are used in conjunction with customer-managed keys.
* A DEK is short-lived and used for a specific operation.
:* Proved an extra layer of security.
:: DEK encrypts data
:: CMK encrypts the DEK
* A DEK is generated by KMS.
* A DEK is random.
* Envelope encryption.
:* Data encrypted with DEK / DEK encrypted with CMK
* A DEK is fast and efficient.
* Can be used with various AWS services.
* KMS manages the DEK lifecycle
* DEK's are symmetric keys (they they are fast)
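Review bot: the added bullets carry wording errors that the rendered revision inherits: "The are used in conjunction with customer-managed keys" should read "They are used in conjunction with customer-managed keys", "Proved an extra layer of security" should read "Provides an extra layer of security", and "DEK's are symmetric keys (they they are fast)" should read "DEKs are symmetric keys (so they are fast)". The first bullet, "These are generated by KMS for encrypting data.", appears twice at the top of the hunk; if that is not just the unchanged context line shown on both sides of the diff, one copy should be dropped.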

Revision as of 22:50, 30 May 2025


Overview

  • Data encryption is the most critical aspect.
  • Must know KMS and the API calls used in the service


Customer Master Keys

  • Contain key material for encryption and decryption.
  • CMKs are managed in KMS
  • KMS provides a way to store and manage keys.


  • They are used to manage encryption keys for data.
  • KMS protects the CMKs
  • CMKs integrate with AWS services.
  • They can also be used outside of AWS.


  • Two different types of CMK exist:
  • Customer managed.
  • AWS managed.



  • CMKs support envelope encryption.
  • A data key is generated for the data.
  • The data key is encrypted with the CMK.


  • Key usage is logged in CloudTrail and CloudWatch


AWS Managed CMKs

  • Owned and used by AWS services
  • Independent from the customer account.
  • Can be used by services inside an account.


  • They are rotated at least once per year.
  • No control over when these keys roll.
  • These keys are region specific.


Examples of AWS Managed CMKs

  • AWS managed CMK for S3 - Used in data buckets.
  • AWS KMS Default CMK - used for default encryption in EBS, RDS and Redshift.


Customer Managed Keys

  • Provides the customer total control over the key.


The customer defines the key policy and configuration, including:

  • Rotation schedules.
  • Permissions.


  • These keys are not tied to any feature or service.


  • It is the customer's responsibility to protect customer managed keys.


Selecting a key type

  • Policy will dictate the key type.


  • AWS managed keys may be ok if complete control is not needed.
  • AWS managed keys have no charge.


  • If policy states keys must be rotated on demand (for example, after an incident), customer managed is best.


Data Encryption Keys

  • These are generated by KMS for encrypting data.
  • They are used in conjunction with customer-managed keys.
  • A DEK is short-lived and used for a specific operation.


  • Provides an extra layer of security:
      DEK encrypts the data.
      CMK encrypts the DEK.


  • A DEK is generated by KMS.
  • A DEK is random.
  • Envelope encryption.
  • Data encrypted with DEK / DEK encrypted with CMK
  • A DEK is fast and efficient.
  • Can be used with various AWS services.
  • KMS manages the DEK lifecycle
  • DEKs are symmetric keys (so they are fast).
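Envelope encryption as the sections above describe it, as an added example that is not from this study guide: the Go code below uses AES-256-GCM locally and stands in for the two KMS calls involved (GenerateDataKey, which returns a plaintext DEK together with that DEK encrypted under the CMK, and Decrypt, which unwraps it). The `cmk` byte slice held by the caller is an assumption made only so the flow runs offline; real CMK material never leaves KMS, and the function names and 32-byte key sizes are likewise assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds AES-256-GCM; key sizes are fixed in this example, so a bad key is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // NewGCM cannot fail for AES's 16-byte block
	return g
}

// seal encrypts under key with a fresh 96-bit nonce; output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // OS CSPRNG; guaranteed not to return an error since Go 1.24
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or any tampering fails the GCM tag check.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// EnvelopeEncrypt: the DEK encrypts the data and the CMK encrypts the DEK (the pair KMS
// GenerateDataKey returns). Only the two ciphertexts are kept; the plaintext DEK is never stored.
func EnvelopeEncrypt(cmk, data []byte) (ciphertext, wrappedDEK []byte) {
	dek := make([]byte, 32) // random, short-lived, used for this one operation
	rand.Read(dek)
	return seal(dek, data), seal(cmk, dek)
}

// EnvelopeDecrypt: unwrap the DEK with the CMK (the KMS Decrypt call), then decrypt locally.
func EnvelopeDecrypt(cmk, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(cmk, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

Because the CMK only ever encrypts the 32-byte DEK, bulk data never crosses the KMS API, which is why the page describes DEKs as fast and efficient.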