[AWS Architect] (27) Key Management Service (KMS)

Key Management Service (KMS) is a regional, secure key management service (FIPS 140-2 Level 2 validated) that provides encryption and decryption. KMS is integrated with most other AWS services.

  • KMS is a regional service, not a global one.
  • KMS is NOT an ideal place to store database passwords and API keys; those are stored in Systems Manager Parameter Store.
  • You are charged per API call.
  • KMS key usage can be audited through CloudTrail, which logs each use of an encryption key and saves the logs in S3.

CloudHSM

KMS can use CloudHSM (Cloud Hardware Security Module) via custom key stores.

  • CloudHSM is a single-tenant, dedicated hardware security module in a multi-AZ cluster for high availability.
  • It conforms to FIPS 140-2 Level 3.
  • Customers manage the keys themselves, and lost keys are irretrievable.
  • It is accessed through industry-standard APIs, not AWS APIs.

CMK and DEK

  • KMS manages Customer Master Keys (CMK).
    • A CMK is created and managed within a region.
    • A CMK can directly encrypt/decrypt data up to 4 KB.
  • KMS can generate a Data Encryption Key (DEK) using a CMK.
    • A DEK encrypts/decrypts data of any size.
    • The encrypted DEK can be stored alongside the encrypted data (Base64-encoded). To read the data back, KMS decrypts the DEK, and the plaintext DEK then decrypts the data.
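The CMK/DEK flow above, written out as an added example that is not from the original post or from AWS. `simKMS` is an assumed stand-in for the KMS API (GenerateDataKey and Decrypt under a CMK that never leaves the service); the bulk data is encrypted locally with AES-256-GCM under the DEK, and only the wrapped DEK is kept beside the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// simKMS stands in for AWS KMS: the CMK never leaves it, so callers only ever
// hold a DEK wrapped under it. Real code would call the KMS API instead.
type simKMS struct{ cmk []byte }
// must turns programmer errors (bad key size, dead CSPRNG) into panics.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func randomBytes(n int) []byte   { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func zero(b []byte)              { for i := range b { b[i] = 0 } }
// seal prefixes a fresh random nonce to the AES-256-GCM output; open reverses it.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// GenerateDataKey mirrors kms:GenerateDataKey (plaintext DEK plus the same DEK wrapped
// under the CMK); Decrypt mirrors kms:Decrypt, which only sees the small wrapped DEK.
func (k *simKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = randomBytes(32)
	return plain, seal(k.cmk, plain)
}
func (k *simKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.cmk, wrapped) }
// EnvelopeEncrypt encrypts data of any size locally under the DEK and returns the
// wrapped DEK to store beside the ciphertext; the plaintext DEK is zeroed at once.
func EnvelopeEncrypt(k *simKMS, data []byte) (wrappedDEK, ciphertext []byte) {
	dek, wrapped := k.GenerateDataKey()
	defer zero(dek)
	return wrapped, seal(dek, data)
}
// EnvelopeDecrypt: one small KMS call unwraps the DEK, then the caller decrypts
// the bulk data itself; a tampered ciphertext or wrapped DEK fails authentication.
func EnvelopeDecrypt(k *simKMS, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := k.Decrypt(wrappedDEK)
	if err != nil { return nil, err }
	defer zero(dek)
	return open(dek, ciphertext)
}
```

Note that KMS is only ever asked to wrap and unwrap the 32-byte DEK, which is why the 4 KB limit on direct CMK operations never gets in the way of encrypting a large object.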

Types of Customer Master Keys

  • Customer Managed CMK
    • A customer manages the key.
    • It supports granular management, such as key rotation and key policies.
  • AWS Managed CMK
    • It is free and used by default.
    • Only the linked AWS service can use the keys directly.
    • Format: aws/service-name (e.g. aws/rds, aws/ebs, aws/lambda …)
  • AWS Owned CMK
    • Keys are used by AWS on a shared basis across many accounts.
