Key Management Service (KMS)

Overall

  • Regional & public service (every region is isolated)
  • create, store and manage cryptographic keys (both symmetric & asymmetric)
  • cryptographic operations on keys (encrypt, decrypt…)
  • KMS ensures KMS keys never leave KMS in their region, for security
    • provides a FIPS 140-2 Level 2 compliant service; FIPS 140-2 is a U.S. government computer security standard used to approve cryptographic modules
  • an alias can be created to refer to a key; aliases are also regionally unique
  • rotation is optional for customer-managed keys but on by default for AWS-managed keys
  • every KMS key has a resource policy (key policy) used to explicitly trust a specific account
  • Unlike SSE-S3 keys, SSE-KMS keys can be used with IAM policies to restrict which specific users may use them.

KMS keys

  • logical keys contain an ID, creation date, policy, description & state
  • backed by physical key material (the data held by KMS that is used to encrypt and decrypt)
  • generated by KMS or imported by you
  • can directly encrypt up to 4 KB of data (small; typically used to generate other keys)

Symmetry

  • Symmetric key (AES-256 keys)
    • single key is used to encrypt and decrypt
    • AWS services that are integrated with KMS use this
    • you never get access to the KMS key unencrypted
  • Asymmetric (RSA & ECC key pairs)
    • public (encrypt) and private key (decrypt) pair
    • the public key is downloadable, but the private key cannot be accessed unencrypted
    • used when encryption happens outside of AWS, by users who can't call the KMS API

Types of keys

  • AWS Owned key
  • AWS managed key
  • Customer managed keys created in KMS
  • Customer managed keys imported to KMS

Data Encryption Keys (DEKs)

  • linked to KMS keys that created them
  • two versions
    • Plaintext version: used to encrypt the data, then discarded
    • Ciphertext/encrypted version: given back to KMS for decryption

Cross-regions snapshot encryption

  • as keys are region-specific, each region has a unique key
  • so the snapshot has to be re-encrypted when moved to a new region
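Added example (not part of the original notes) modelling the DEK flow and the cross-region re-encryption above: a toy `RegionalKMS` whose key material never leaves the object, a `GenerateDataKey`-style plaintext/ciphertext DEK pair, and a snapshot copy that re-wraps under the destination region's key. The cipher is an HMAC-SHA256 counter-mode stand-in for the AES-256-GCM that real KMS uses, and every class, function name and sample value is constructed for this illustration.

```python
import hashlib
import hmac
import secrets

def _derive(key, label):  # sub-keys so the cipher and its MAC never share key material
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(enc_key, nonce, data):  # HMAC-SHA256 counter mode, stand-in for AES-GCM
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def _seal(key, plaintext):
    nonce = secrets.token_bytes(12)
    ct = _xor_stream(_derive(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key (e.g. wrong region)")
    return _xor_stream(_derive(key, b"enc"), nonce, ct)

class RegionalKMS:
    def __init__(self, region):
        self.region = region
        self._kms_key = secrets.token_bytes(32)  # key material never leaves this object
    def generate_data_key(self):
        # Two versions of the DEK: plaintext (use, then discard) and KMS-encrypted
        dek = secrets.token_bytes(32)
        return dek, _seal(self._kms_key, dek)
    def decrypt(self, encrypted_dek):
        return _open(self._kms_key, encrypted_dek)

def encrypt_snapshot(kms, data):
    dek, encrypted_dek = kms.generate_data_key()
    body = _seal(dek, data)
    del dek  # plaintext DEK discarded; only the encrypted DEK is stored with the data
    return {"region": kms.region, "encrypted_dek": encrypted_dek, "body": body}

def decrypt_snapshot(kms, record):
    dek = kms.decrypt(record["encrypted_dek"])  # only the creating region's KMS can unwrap
    return _open(dek, record["body"])

def copy_snapshot(src_kms, dst_kms, record):  # decrypt under source key, re-encrypt under destination
    return encrypt_snapshot(dst_kms, decrypt_snapshot(src_kms, record))
```

Handing a record to a `RegionalKMS` other than the one that wrapped its DEK raises `ValueError`, which is the behaviour that forces the re-encryption step on a cross-region copy.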