Key Management Service (KMS) is a regional secure key management service (FIPS 140-2 level 2 validated) that provides encryption and decryption. KMS is integrated with most of other AWS services.
KMS provides centralized control over the lifecycle and permission of the encryption keys to encrypt your data (EBS, S3, and RDS).
- KMS is a regional service, not a global one.
- KMS is NOT an ideal place to save database passwords and API keys. They are stored in Systems Manager Parameter Store.
- You are charged per API call.
- KMS has the audit capability using CloudTrail to provide encryption key usage logs, which are saved in S3.
CMK and DEK
Customer Master Keys (CMK) is a logical representation of a master key.
- CMK contains the key material used to encrypt and decrypt data.
- CMK also has metadata. the key ID, creation date, description, and key state.
KMS manages CMK.
- CMK is created and managed in a region.
- CMK can encrypt/decrypt data up to 4KB.
KMS can generate a Data Encryption Key (DEK) using a CMK.
- DEK is used to encrypt/decrypt data of any size.
- The encrypted DEK and encrypted data (Base64) can be stored together. KMS decrypts the DEK, which decrypts data.
Types of Customer Master Keys
- Customer Managed CMK
- A customer manages the key.
- It supports granular management, such as key rotation and key policies.
- AWS Managed CMK
- It is free and used by default.
- Only the linked AWS service can use the keys directly.
- Format: aws/service-name (ex. aws/rds, aws/ebs, aws/lambda …)
- AWS Owned CMK
- Keys are used by AWS on a shared basis across many accounts.
HSM is a physical device that has one or more secure cryptoprocessor chips.
- It manages keys and performs encryption and decryption.
KMS can use CloudHSM (Cloud Hardware Security Module) via custom key stores.
- CloudHSM is a single-tenant, dedicated hardware security module in a multi-AZ cluster for high availability.
- It conforms FIPS 140-2 level 3.
- Generate and manage your own encryption keys
- Customers manage the keys, and the keys are irretrievable if lost.
- AWS does not have access to your keys.
- It uses industry-standard APIs to access (no AWS APIs).
- It is used to meet compliance requirements for data security by using dedicated hardware.
|KMS uses a shared tenancy of underlying hardware.||You will get a dedicated HSM. You have full control of underlying hardware.|
|KMS supports automatic key rotation.||No automatic key rotation.|
Generate a CMK
You can control the lifecycle of the CMK and the permission – who can use and who can manage – of it.
There are three ways to generate a CMK.
- AWS creates the CMK. AWS uses the HSM to generate the key material.
- You can import key material from your infrastructure and associate it with a CMK.
- A CMK can be created in the AWS CloudHSM cluster using the AWS KMS custom key store feature.
If the CMK key is generated with AWS KMS HSM, you can use to rotate the CMK every year automatically by AWS KMS.
- Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster.
Use Key Policies
- All KMS CMKs have a key policy – Who can access the key -.
- In AWS KMS, resource-based policies must be attached to CMKs.