Key Management Service (KMS) is a secure key management service (FIPS 140-2 Level 2 validated). It helps you create and control the encryption keys used to encrypt and decrypt your data. KMS also uses an HSM (Hardware Security Module) to protect your keys.
KMS is integrated with most other AWS services.
Features
KMS provides centralized control over the lifecycle and permissions of the encryption keys used to encrypt your data (EBS, S3, RDS, and so on).
- KMS is NOT the place to store database passwords or API keys.
  - Use Secrets Manager or Systems Manager Parameter Store instead.
- You are charged per API call.
- KMS provides audit capability through CloudTrail, which records encryption key usage logs and saves them in S3.
CMK and DEK
A Customer Master Key (CMK) is a logical representation of a master key.
Typically, you use CMKs to generate, encrypt, and decrypt the data keys that you use to encrypt your data. This strategy is known as envelope encryption.
- A CMK contains the key material used to encrypt and decrypt a data key.
- A CMK also has metadata:
  - the key ID (alias), creation date, description, and key state (enabled, disabled, pending deletion)
- A CMK can directly encrypt/decrypt data of up to 4 KB.
- Key types
  - Symmetric: a single key is used for both encryption and decryption
  - Asymmetric: a public and private key pair
- Key material origin
  - KMS
  - External
    - Download a public key (wrapping key) and an import token
    - Encrypt the key material with the wrapping key
    - Import the encrypted key material into the CMK
  - Custom key store (CloudHSM)
KMS can generate a Data Encryption Key (DEK) using a CMK.
- A DEK is used to encrypt/decrypt data of any size.
- The encrypted DEK and the encrypted data (Base64) can be stored together.
- To read the data back, KMS decrypts the encrypted DEK, and the plaintext DEK decrypts the data.
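The envelope encryption flow above, as an added example that is not part of the original notes: a constructed MockKMS stands in for the KMS service (the CMK is kept inside it and never returned), GenerateDataKey and the Decrypt call on the wrapped DEK are the only operations that touch it, and AES-256-GCM is used locally for data of any size. The names MockKMS, seal, open, EnvelopeEncrypt and EnvelopeDecrypt are this example's own, not an AWS SDK API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds AES-256-GCM; every key in this file is 32 bytes, so setup cannot fail.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce||ciphertext||tag; open reverses it and verifies the tag.
func seal(key, pt []byte) []byte {
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand: fails only without an OS entropy source
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcmFor(key)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil) // returns an error on a modified tag
	}
	return nil, errors.New("truncated ciphertext")
}

// MockKMS stands in for AWS KMS (constructed for this example): the CMK never
// leaves it, and only the 32-byte DEK passes through it, never the bulk data.
type MockKMS struct{ cmk []byte }

// GenerateDataKey returns a fresh DEK both in plaintext and wrapped under the CMK.
func (k *MockKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = make([]byte, 32)
	rand.Read(plain)
	return plain, seal(k.cmk, plain)
}

// EnvelopeEncrypt encrypts data of any size locally; store wrappedDEK beside ct.
func EnvelopeEncrypt(k *MockKMS, data []byte) (wrappedDEK, ct []byte) {
	dek, wrappedDEK := k.GenerateDataKey()
	return wrappedDEK, seal(dek, data)
}

// EnvelopeDecrypt: KMS Decrypt unwraps the DEK, then the DEK decrypts the data.
func EnvelopeDecrypt(k *MockKMS, wrappedDEK, ct []byte) ([]byte, error) {
	dek, err := open(k.cmk, wrappedDEK) // the KMS Decrypt call
	if err != nil {
		return nil, err
	}
	return open(dek, ct)
}
```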
Types of Customer Master Keys
- Customer Managed CMK
  - The customer manages the key.
  - It supports granular management, such as key rotation and key policies.
  - The value of the KeyManager field in the DescribeKey API response is "CUSTOMER".
- AWS Managed CMK
  - It is free and used by default.
  - You can view the managed keys, but you cannot modify them.
  - Automatic rotation (every year) is enabled, and you cannot change the setting.
  - The value of the KeyManager field in the DescribeKey API response is "AWS".
  - Format
    - aws/service-name (e.g. aws/rds, aws/ebs, aws/lambda, ...)
- AWS Owned CMK
  - Keys are used by AWS on a shared basis across many accounts.
HSM
An HSM is a physical device that contains one or more secure cryptoprocessor chips.
- It manages keys and performs encryption and decryption.
CloudHSM
KMS can use CloudHSM (Cloud Hardware Security Module) via custom key stores.
- CloudHSM is a single-tenant, dedicated hardware security module in a multi-AZ cluster for high availability.
- It conforms to FIPS 140-2 Level 3.
- You generate and manage your own encryption keys.
- Customers manage the keys, and the keys are irretrievable if lost.
- AWS does not have access to your keys.
- It is accessed through industry-standard APIs, not AWS APIs.
- It is used to meet compliance requirements for data security that call for dedicated hardware.
| KMS | CloudHSM |
|---|---|
| KMS uses shared tenancy of the underlying hardware. | You get a dedicated HSM and have full control of the underlying hardware. |
| KMS supports automatic key rotation. | No automatic key rotation. |
Generate a CMK
You control the lifecycle of a CMK and its permissions – who can use it and who can manage it.
There are three ways to generate a CMK (its key material):
- AWS creates the CMK; AWS uses an HSM to generate the key material.
- You import key material from your own infrastructure and associate it with a CMK.
- A CMK is created in an AWS CloudHSM cluster using the AWS KMS custom key store feature.
Key Rotation
If the key material was generated by AWS KMS, AWS KMS can rotate the CMK automatically every year.
- Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster.
Use Key Policies
- All KMS CMKs have a key policy, which is a resource-based policy. It determines:
  - who can administer the key
  - who can use the key
- (Example) Working with encrypted files on EC2 instances
  - The key policy must allow the instance role to use the CMK.
  - The EC2 instance must have an instance role with permission to run the Decrypt operation.
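A key policy for the EC2 example above, added here and not from the original notes. The account ID 111122223333 and the role names KeyAdmins and MyInstanceRole are placeholders; in a key policy, "Resource": "*" refers to the key the policy is attached to, and the administrators keep kms:PutKeyPolicy so the key cannot become unmanageable.

```json
{
  "Version": "2012-10-17",
  "Id": "key-policy-ec2-example",
  "Statement": [
    {
      "Sid": "Allow the KeyAdmins role to administer the key",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmins"},
      "Action": [
        "kms:DescribeKey",
        "kms:EnableKeyRotation",
        "kms:GetKeyRotationStatus",
        "kms:PutKeyPolicy",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the EC2 instance role to use the key for envelope encryption",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/MyInstanceRole"},
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*"
    }
  ]
}
```

The instance role gets only the two operations the envelope flow needs: GenerateDataKey to obtain a wrapped DEK and Decrypt to unwrap it; it cannot administer or delete the key.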
KMS API
```shell
# Encrypts plaintext of up to 4,096 bytes using a KMS key
aws kms encrypt --key-id {YOURKEYID} ...
# Decrypts ciphertext that was encrypted by a KMS key
aws kms decrypt ...
# Enables automatic rotation of the key material
aws kms enable-key-rotation --key-id {YOURKEYID}
# Checks whether automatic rotation is enabled for the key
aws kms get-key-rotation-status --key-id {YOURKEYID}
# Returns a unique symmetric data key for use outside of KMS
aws kms generate-data-key --key-id {YOURKEYID} --key-spec AES_256
```
Multi-Region Replica Keys
A KMS key is regional, but you can replicate keys into other regions.
- You can replicate a key (the primary key) so that the replicas share the same key ID and key material.
  - No need to re-encrypt data in cross-region scenarios
  - You can encrypt in one region and decrypt in another region.
- This is NOT a global key.
  - There is only one primary key.
  - The other keys are replicas, used independently in each region.
- Use cases
  - Disaster recovery
  - Global data management, such as DynamoDB Global Tables
