AWS Key Management Service (AWS KMS)
Learn how to create and control cryptographic keys using AWS Key Management Service.
We'll cover the following
AWS Key Management Service (KMS) is a fully managed encryption service offered by Amazon Web Services (AWS) that enables users to easily create and control cryptographic keys to encrypt data.
KMS offers a scalable and highly available key management solution that integrates seamlessly with other AWS services, such as Amazon S3, Amazon EBS, Amazon RDS, and Amazon Redshift, allowing users to encrypt their data at rest and in transit. It provides strong security controls and compliance capabilities, including integration with AWS Identity and Access Management (IAM), key usage audits, and integration with AWS CloudTrail for logging and monitoring.
KMS key
A KMS key is a root key used to perform all KMS-related operations within AWS. We need a KMS key to encrypt data within AWS and to create other keys that can be used to encrypt data outside of AWS.
There are two types of KMS keys, which are as follows:
AWS-managed keys: These are created and managed by AWS automatically. Users have limited control over the configuration of these keys.
Customer-managed keys: These are created and managed by AWS users, and they have complete control over the configuration of these keys. These keys can either be
symmetric A single shared key used for both encryption and decryption. asymmetric A pair of keys (public and private) used for encryption and decryption.
Even though a KMS key can be used to encrypt data, it can encrypt only up to 4 KB of data and cannot be exported or used outside of AWS. This is because the basic operation of KMS keys is not to encrypt data but to encrypt passwords and other encryption keys. To encrypt data, we have data keys. These keys are generated using KMS keys and can be exported from AWS for external use.
In a typical workflow, a plaintext key is used for encryption, and once the data is encrypted, the plaintext key is securely deleted, while the encrypted data key is retained for decryption purposes.
How does KMS encryption work?
Let’s look at the data encryption process in detail:
-
For data at rest: This refers to encrypting the data that’s to be stored. For this type of encryption, we delete the plaintext data key after encrypting our data so that in case our system gets compromised, the attacker only gets the encrypted data and encrypted key. Because the attacker won’t have access to our customer managed key, there’s no way for them to get their hands on the plaintext key that was used for encryption. So even though they got their hands on the encrypted data, it’s useless to them.
In case we want to decrypt the encrypted data, we’ll first decrypt the key to get a plaintext key and then use that key to decrypt our data.
-
For data to be transmitted: This refers to encrypting the data that’s to be transmitted. For this type of encryption, we send the encrypted data and encrypted data key to the receiver. Now, even if our message gets intercepted by an attacker, they’ll only have access to the encrypted data and encrypted data key. Therefore, just like in the previous case, they won’t be able to decrypt the key and our encrypted data will remain in encrypted form.
If the receiver receives the message and wants to decrypt it, they’ll use our customer managed key to decrypt the key and then use the resultant plaintext key to decrypt the message.
Note: The KMS key has a key policy that specifies the users allowed to use it and also the operations those users are allowed to perform using that key. Only the administrator of the key can change that policy, which makes use of a KMS key by multiple AWS users secure.
This integration expands our data security practices, ensuring that our data remains protected at all levels within the AWS ecosystem.
Best practices
Here are some best practices to be followed while using KMS:
Key rotation: Regularly rotate the encryption keys to mitigate the risk of long-term exposure. AWS KMS provides automated key rotation for many key types.
Least privilege: Follow the principle of least privilege when granting permissions to access keys. Assign only the necessary permissions to users and roles to reduce the risk of unauthorized access.
Key usage auditing: Enable AWS CloudTrail to monitor and audit key usage. This helps track who is accessing keys and for what purposes, aiding in compliance and security investigations.
Enable key policies: Utilize key policies to define fine-grained access controls on individual keys. This allows you to specify which AWS principals (such as IAM users or roles) can use the key and what actions they can perform.
Protect key material: Safeguard the key material and never expose it to unauthorized users. Utilize AWS CloudHSM for hardware-based key storage and protect key material in transit and at rest using industry-standard cryptographic protocols.
Get hands-on with 1300+ tech skills courses.