AWS Key Management Service – KMS
AWS Key Management Service – KMS
AWS Key Management Service (KMS) is a managed encryption service that allows you to create and control encryption keys to enable data encryption.
KMS is a highly-available key storage, management and auditing solution that encrypts data across AWS services and within applications.
KMS uses hardware security module (HSMs), to protect and validate KMS keys using the FIPS 140-2 Cryptographic Modul Validation Program.
KMS seamlessly integrates to many AWS services, making it easy to encrypt data in those services.
KMS can also be integrated with AWS CloudTrail in order to provide encryption key usage logs that can be used to meet auditing, regulatory, and compliance requirements.
KMS Keys can only be stored and used within the region where they were created. They cannot be transferred to other regions.
KMS enforces usage policies and management policies to control who can use IAM, what role they have, and which accounts can manage and use keys.
KMS allows you to create and manage AWS KMS keys.
Key policies, IAM policies and grants can be used to control access to the KMS keys. AWS KMS supports attribute-based control (ABAC). Condition keys can be used to refine policies.
You can create, delete, list, or update aliases for KMS keys.
For cost tracking, identification, and automation, tag the KMS keys
KMS keys can be enabled and disabled.
You can enable or disable automatic rotation of cryptographic material using KMS keys.
To complete the key lifecycle, delete KMS keys
KMS supports the following cryptographic operations: Encrypt, decrypt, re-encrypt data using symmetric or unsymmetric KMS keys
Sign and verify messages using asymmetric KMS keys.
Generate exportable symmetric and asymmetric key pairs.
Verify and generate HMAC codes
Generator random numbers suitable to cryptographic applicationsEnvelope encryption
AWS cloud services that are integrated with AWS KMS use an envelope encryption method to protect data.
Envelope encryption, which uses two keys (Master key or Data key), is an efficient method to encrypt data.
Envelop encryptionA data key is generated by AWS and used by it to encrypt every piece of data or resource.
Data key is encrypted using a master key that is defined in AWS KMS.
The AWS service then stores encrypted data keys.
AWS KMS receives the encrypted key and decrypts it under the master key. This allows data to be decrypted by the service.
KMS supports sending data less than 4KB encrypted. Envelope encryption can offer significant performance advantages
Data encrypted directly with KMS must be transmitted over the network.
Envelope encryption reduces network load for the application, or AWS cloud service. Only the request and fulfillment of the data key via KMS must be over the networkKMS Service Concepts
KMS Keys OR Customer Masters Keys (CMKs). The AWS KMS key is a logical representation for a cryptographic key.
KMS Keys are used to create and use symmetric and asymmetric KMS keys, for encryption or signing, or HMAC KMS keys that generate and verify HMAC tags.
AWS KMS is protected against unauthorized access by both the private keys of asymmetric KMS keys and symmetric KMS keys.
KMS keys contain metadata such as key ID, key spec and key usage, description, key state, and a reference the key material that is used for cryptographic operations.
Symmetric KMS keys, 256-bit AES keys, are not exportable.
KMS keys to encrypt/decrypt up to 4KB (4096 bytes).
KMS keys can be used for generating, encrypting, and decrypting data keys. They can also be used outside of AWS KMS [Envelope encryption]
Customer Keys and AWS KeysAWS Keys managed keysKMS keys AWS services create in AWS accounts
Keys are automatically rotated once every 3 years (365 days).
It is impossible to manage thes