Study Guides > AWS Cybersecurity Notes > Amazon KMS

Overview

• Data encryption is the most critical aspect.

• Must know KMS and the API calls used in the service

Customer Master Keys

• Contain key material for encryption and decryption.

• CMKs are managed in KMS

• KMS provides a way to store and manage keys.

• They are used to manage encryption keys for data.

• KMS protects the CMKs

• CMKs integrate with AWS services.

• They can also be used outside of AWS.

• Two different types of CMK exist:

• Customer managed.

• AWS managed.

• CMKs support envelope encryption.

• A data key is generated for the data.

• The data key is encrypted with the CMK.

• Key usage is logged in CloudTrail and CloudWatch

AWS Managed CMKs

• Owned and used by AWS services

• Independent from the customer account.

• Can be used by services inside an account.

• They are rotated at least once per year.

• No control over when these keys roll.

• These keys are region specific.

Examples of AWS Managed CMKs

• AWS managed CMK for S3 - Used in data buckets.

• AWS KMS Default CMK - used for default encryption in EBS, RDS and Redshift.

Customer Managed Keys

• Provides the customer total control over the key.

The key Policy can be defined:

• Rotation schedules.

• Permissions.

• These keys are not tied to any feature or service.

• It is the customer responsibility to protect customer managed keys.

Selecting a key type

• Policy will dictate the key type.

• AWS managed keys may be ok if complete control is not needed.

• AWS managed keys have no charge.

• If policy states keys must be rotated on demand (after an incident) customer managed is best.

Data Encryption Keys

• These are generated by KMS for encrypting data.

• The are used in conjunction with customer-managed keys.

• A DEK is short-lived and used for a specific operation.

• Provides an extra layer of security.

DEK encrypts data

CMK encrypts the DEK

DEK facts

• A DEK is generated by KMS.
• A DEK is random.
• Envelope encryption.

• Data encrypted with DEK / DEK encrypted with CMK

• A DEK is fast and efficient.
• Can be used with various AWS services.
• KMS manages the DEK lifecycle
• DEK's are symmetric keys (they they are fast)

Key Material

AWS creates the material for the KMS key. [1]

• The customer can delete the key but not the key material.

• Key material cannot be exported, viewed or managed - it is secret!

KMS automatically creates the key material.

When you create your own CMK you can import your own key material.

• This key material must be encrypted with a symmetric encryption key.

Key Policies

These contol access to the KMS keys