AWS KMS: Amazon Web Services Key Management Service
Posted By Aftab Alam | 23-Jun-2019
KMS (Key Management Service) is an AWS (Amazon Web Services) cloud service that allows us to create, enable and disable keys. AWS KMS is a secure service that uses FIPS (Federal Information Processing Standard) 140-2 validated hardware security modules to protect the underlying keys. These keys can be used to encrypt and decrypt data both within AWS services and outside them. AWS KMS is integrated with AWS CloudTrail to provide logs of key usage across AWS services.
The intention of AWS KMS is to secure other AWS services. The keys created and managed by AWS KMS can be used for encryption and decryption in AWS and in other services.
The scope of this documentation is to explore the use of AWS KMS with AWS and other services.
4. Key Features
AWS KMS offers the following key features.
4.1. Secure
AWS KMS is a highly secure service because it uses FIPS (Federal Information Processing Standard) 140-2 validated hardware security modules to protect the underlying keys.
4.2. Centralised Key Management
AWS KMS provides a single point of key management, together with policies that govern how keys are managed and used.
4.3. Built-in Auditing
AWS KMS is integrated with AWS CloudTrail to record all API requests, including key management actions and usage of your keys.
4.4. Fully Managed
You control access to your encrypted data by defining permissions to use keys while AWS KMS enforces your permissions and handles the durability and physical security of your keys.
4.5. Manage Encryption For AWS Service(s)
AWS KMS is integrated with AWS services to simplify using your keys to encrypt data across your AWS workloads. You choose the level of access control that you need, including the ability to share encrypted resources between accounts and services. KMS logs all use of keys to AWS CloudTrail to give you an independent view of who accessed your encrypted data, including AWS services using them on your behalf.
4.6. Encrypt Data in Your Application
AWS KMS is integrated with the AWS Encryption SDK to enable you to use KMS-protected data encryption keys to encrypt data locally within your applications. Using simple APIs you can also build encryption and key management into your own applications wherever they run.
4.7. Compliance
The security and quality controls in AWS KMS have been certified under multiple compliance schemes to simplify your own compliance obligations. AWS KMS also provides the option to store your keys in single-tenant HSMs in AWS CloudHSM instances that you control.
4.8. Low Cost
There is no commitment and no upfront charge to use AWS KMS. You pay only USD $1/month to store each key that you create. AWS managed keys that are created on your behalf by AWS services are free to store. You are charged per request when you use or manage your keys beyond the free tier.
5. AWS KMS Keys
AWS KMS keys fall into two categories.
5.1. Customer Master Key
The Customer Master Key is the primary resource in AWS KMS and never leaves the AWS KMS service. It can be used to encrypt/decrypt data up to 4 KB, but it is generally used to encrypt/decrypt data keys. It has itself been divided into four categories.
5.1.1. AWS Owned Customer Master Key
An AWS Owned Customer Master Key is not in the user's AWS account. It is part of a collection of Customer Master Keys that AWS owns and manages for use across multiple AWS accounts. AWS services can use it to protect their data.
5.1.2. AWS Managed Customer Master Key
An AWS Managed Customer Master Key is a Customer Master Key that is created, managed and used on your behalf by an AWS service that is integrated with AWS KMS. It can be identified by an alias such as AWS/cryptDBMasterKey.
5.1.3. Customer Managed Customer Master Key
A Customer Managed Customer Master Key is a Customer Master Key in the user's own AWS account. The user has full control over it: it is created, owned and managed by the user.
5.2. Data Key
A Data Key is an encryption key used to encrypt/decrypt data. It can encrypt/decrypt a large amount of data, and it can also serve as the encryption key for other data keys.
A Customer Master Key is used to create, encrypt and decrypt data keys. AWS KMS does not store, manage or keep track of data keys, and it does not perform any cryptographic operation with a data key.
The user must use and manage data keys outside the AWS KMS service.
6. Use Case
Not all services on the market, and not even all AWS services, support AWS KMS integration. Where a service supports AWS KMS integration, an AWS managed or customer managed Customer Master Key can be used directly; where a service does not support it, a data key generated from an AWS managed or customer managed Customer Master Key can be used instead.
For example, AWS RDS supports AWS KMS integration for encryption at the database level, so an AWS managed or customer managed Customer Master Key can be used with AWS RDS. When a service does not support KMS integration, encryption can instead be implemented at the application level using a data key.
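The application-level pattern from sections 5.2 and 6, as an added example that is not part of the original post: the CMK (via KMS) only ever wraps and unwraps a data key, while the payload of any size is encrypted locally. `FakeKMS` is a constructed offline stand-in that mimics the `generate_data_key`/`decrypt` calls and response keys of boto3's KMS client; with a real client the `kms` argument would be `boto3.client("kms")` and `key_id` a real CMK alias.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class FakeKMS:
    """Constructed offline stand-in for boto3's KMS client: same method names and
    response keys as generate_data_key / decrypt. The master key stays inside this
    object, just as a Customer Master Key never leaves AWS KMS."""

    def __init__(self):
        self._master = AESGCM(AESGCM.generate_key(bit_length=256))

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        plain = AESGCM.generate_key(bit_length=256)  # fresh 32-byte data key
        nonce = os.urandom(12)
        wrapped = nonce + self._master.encrypt(nonce, plain, None)
        return {"Plaintext": plain, "CiphertextBlob": wrapped, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob):
        # A blob wrapped under a different master key, or modified in storage,
        # fails the GCM tag check and raises cryptography.exceptions.InvalidTag.
        plain = self._master.decrypt(CiphertextBlob[:12], CiphertextBlob[12:], None)
        return {"Plaintext": plain}


def envelope_encrypt(kms, key_id: str, data: bytes) -> bytes:
    """One KMS call for a fresh data key, then local AES-GCM over data of any size.
    Layout: 2-byte wrapped-key length | wrapped key | 12-byte nonce | ciphertext+tag."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    wrapped = dk["CiphertextBlob"]
    nonce = os.urandom(12)
    # The wrapped key is GCM associated data, so a body cannot be paired with another key.
    body = AESGCM(dk["Plaintext"]).encrypt(nonce, data, wrapped)
    del dk  # only the wrapped copy of the data key is ever stored
    return len(wrapped).to_bytes(2, "big") + wrapped + nonce + body


def envelope_decrypt(kms, envelope: bytes) -> bytes:
    """Only the wrapped data key goes back to KMS; the payload is decrypted locally."""
    n = int.from_bytes(envelope[:2], "big")
    wrapped, nonce, body = envelope[2:2 + n], envelope[2 + n:14 + n], envelope[14 + n:]
    if len(wrapped) != n or len(nonce) != 12:
        raise ValueError("truncated envelope")
    plain_key = kms.decrypt(CiphertextBlob=wrapped)["Plaintext"]
    return AESGCM(plain_key).decrypt(nonce, body, wrapped)
```

Every `envelope_decrypt` call is a KMS `Decrypt` API request, which is what CloudTrail records and what per-request billing counts; the bulk data itself never reaches KMS.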