Key Management Service

  • Regional and Public Service (AWS public zone)
  • create, store and manage keys
  • symmetric and asymmetric keys
  • cryptographic operations (encrypt, decrypt, ...)
  • keys never leave KMS
  • complies with FIPS 140-2 L2

Customer Master Key : CMK
  • isolated to a region
  • AWS Managed CMK
    • created automatically by AWS when a service that uses encryption is used
    • rotates every 3 years
  • Customer Managed CMK
    • created explicitly by the customer
    • configurable through key policies
    • rotation is optional, 1 year cycles
  • alias : shortcut to a particular CMK, scoped per region
  • used by users and applications in encryption operations
  • container for the actual physical master keys
    • logical : ID, date, policy, desc & state
    • backed by physical key material, generated or imported
  • used to encrypt up to 4KB of data

Key Policies
  • KMS has to be explicitly told that keys trust the AWS account they are in
  • the key trusts the account, which then allows the account to manage it by applying IAM permission policies to IAM users in the account
  • can grant one group the ability to create keys, and others to use them, at different granularities for role separation

Data Encryption Keys : DEKs
  • generated by KMS using a CMK
  • used to encrypt data larger than 4KB
  • steps
    • KMS creates two versions of the DEK : a plaintext and a ciphertext version
    • the ciphertext version is encrypted by a CMK that can later decrypt it
    • the plaintext version is used to encrypt the data and is immediately discarded
    • the encrypted data and the encrypted key are then stored side-by-side
    • to decrypt, send the encrypted key to KMS, which decrypts it with the same CMK that created it
    • then use the newly decrypted key to decrypt the data
    • discard the decrypted data encryption key
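The DEK steps above, as an added worked example (not code from the original notes or from AWS). It assumes a LocalKMS type that stands in for the KMS service so the program runs offline: it holds one 256-bit "CMK" in memory, never hands it out, and exposes GenerateDataKey and Decrypt with the same shape as the KMS calls. AES-256-GCM is used for both the key wrap and the data; the wrapped DEK is stored beside the ciphertext, and the plaintext DEK is zeroed as soon as it has been used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// LocalKMS is an assumed stand-in for the KMS service, used only so this
// example runs offline. Like KMS, it never returns the CMK to callers.
type LocalKMS struct {
	cmk []byte
}

// NewLocalKMS generates the in-memory CMK.
func NewLocalKMS() (*LocalKMS, error) {
	cmk := make([]byte, 32)
	if _, err := rand.Read(cmk); err != nil {
		return nil, err
	}
	return &LocalKMS{cmk: cmk}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key, returning nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the blob was tampered with.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// GenerateDataKey mirrors the KMS call: a fresh plaintext DEK plus the same DEK
// encrypted under the CMK (step 1 of the notes).
func (k *LocalKMS) GenerateDataKey() (plaintext, encrypted []byte, err error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, nil, err
	}
	wrapped, err := seal(k.cmk, dek)
	if err != nil {
		return nil, nil, err
	}
	return dek, wrapped, nil
}

// Decrypt mirrors the KMS Decrypt call: unwrap a DEK with the CMK that wrapped it.
func (k *LocalKMS) Decrypt(encryptedKey []byte) ([]byte, error) {
	return open(k.cmk, encryptedKey)
}

// Envelope is what gets stored: ciphertext and its encrypted DEK side by side.
type Envelope struct {
	EncryptedKey []byte
	Ciphertext   []byte
}

// zero overwrites plaintext key material once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Encrypt is the client-side half: the plaintext DEK encrypts the data and is discarded.
func Encrypt(kms *LocalKMS, data []byte) (*Envelope, error) {
	dek, encDEK, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	ct, err := seal(dek, data)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedKey: encDEK, Ciphertext: ct}, nil
}

// Decrypt asks KMS to unwrap the DEK, uses it once, and discards it again.
func Decrypt(kms *LocalKMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.EncryptedKey)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return open(dek, env.Ciphertext)
}

func main() {
	kms, _ := NewLocalKMS()
	data := bytes.Repeat([]byte("record "), 2000) // constructed 14KB payload, well over the 4KB CMK limit
	env, _ := Encrypt(kms, data)
	pt, err := Decrypt(kms, env)
	fmt.Println(len(env.EncryptedKey), bytes.Equal(data, pt), err)
}
```

The point worth noticing is that KMS only ever sees the 32-byte DEK, never the 14KB payload, which is why the 4KB limit on direct CMK operations does not matter; a CMK that cannot unwrap the stored key (a different key, or a tampered blob) makes the whole envelope unreadable.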

Encryption Approaches

Encryption at Rest - protect data while it is being stored

Encryption in Transit
  • protect data while it is being transferred
  • sender encrypts data before sending, receiver decrypts when it receives

  • Plaintext : unencrypted data
  • Algorithm : code that takes plaintext and an encryption key to generate encrypted data
  • Key : the secret input to the algorithm, analogous to a password
  • Ciphertext : encrypted data that is created by an algorithm taking a key and plaintext

Symmetric Encryption - same key is used to encrypt and decrypt data

Asymmetric Encryption
  • public and private key
  • public key encrypts but cannot decrypt, private key decrypts
  • more computationally expensive than symmetric
  • sometimes used to initially agree on a symmetric key, and then the symmetric key is used

Signing
  • used to prove identity
  • sender signs the message with their private key
  • receiver can use the sender's public key to verify that the private key was used to sign the message

Steganography
  • used to hide the fact that encryption was used
  • ciphertext is embedded in other plaintext data that serves as the medium of transportation