In this post, I make available my notes about Key Management Service (KMS) made from Adrian Cantrill’s course AWS Certified Solutions Architect – Associate (SAA-C02). The Q&A session below can be used to validate your knowledge or create Flashcards for study. Since this is a piece of knowledge in construction there may be mistakes, drop a comment for any suggestions.
- KMS is part of the AWS public zone and exists as a separate service in each region
- KMS allows you to create, store and manage cryptography keys.
- It can handle Symmetric and Asymmetric Keys and has cryptographic operations for encrypting, decrypting, and others.
- It is important to know that keys never leave the KMS Service.
- The KMS provides the security standard FIPS 140-2 (L2) compliance service.
- The main thing KMS manages is the CMK (Customer Master Key)
- KMS is a container for physical master keys
- There are two types of CMK, AWS-managed and customer-managed.
- AWS-managed CMK is created automatically when you enable server-side encryption of a resource, customer-managed CMK is created by you when necessary.
- Key material is like a code used to encrypt and decrypt data.
- CMKs support rotation: Process when the physical material is changed. For AWS-managed CMK the rotation happens once every 3 years, with Customer-managed CMK rotation is optional but once enable it happens once a year
- CMKS logical is made of: ID, date, policy, description, state (active or not).
- Aliases: Allow creation alias at the region that points to a CMK and your application can use that alias instead of the direct CMK name. This allows you to change the CMK without changing the application.
- Key Policies is like a resource policy for keys and revert CMK has its Key Policy.
- For IAM users to use KMS he needs: Key Policy + IAM Policy
- The Data Encryption Key (DEK) is a type of key that KMS can generate using a CMK
- The GenerateDateKey operation generate keys (DEK) that work for bigger than 4KB
- KMS never stores the DEK, it provides to you and discards it because it does not use it, you are responsible to use DEK to encrypt and decrypt data
- To encrypt data outside of KMS: Generate the plain data key and ciphertext version of the keys using the GenerateDataKey Operation, use the plain key to encrypt the data and discard it, and store the encrypted key with the data.
- To decrypt data outside KMS: Get the encrypted key and use the decrypt operation of KMS to receive the plaintext of the key, use the plaintext data key to decrypt the data and discard it.
On what AWS Network Zone KMS is part of?
AWS Public Zone
How KMS is available in each region?
It is available as a separate service in each region.
What is the purpose of KMS?
Create, store and manage cryptography keys.
What type of keys KMS can handle?
Symetric and Asymetric keys.
What type of cryptographic operation does KMS have?
Operations for encrypting, decrypting, and others.
Can you take off the keys from KMS?
No, keys are isolated to a region and never leave the KMS Service.
What security standard KMS is compliance?
Security standard FIPS 140-2 (L2)
What is the main thing KMS manages?
CMK Customer Master Keys.
What is KMS?
Service that manages and stores physical master keys.
What are the types of CMK?
AWS-managed and customer-managed CMKs.
When AWS-managed CMK is created?
when you enable server-side encryption of a resource.
When customer-managed CMK is created?
It is created by you when necessary.
What is key material?
It is like a code used to encrypt and decrypt data.
What is CMK rotation?
The process where the physical material is changed.
When does the material rotation happen for AWS-managed CMK?
Automatically once every three years.
When does the material rotation happen for Customer-managed CMK?
Rotation is optional, it happens once a year when enabled.
What logical CMK is made of?
ID, date, policy, description, state
What is CMK alias?
It is the creation of an alias at the region that points to a CMK.
What is the benefit of creating a CMK alias?
Points the alias to other CMK without changing your application that points to the alias name.
What is a Key Policy?
It is like a resource policy for keys.
What is necessary for an IAM user to use KMS?
Key Policy and IAM Policy.
What is Data Encryption Key (DEK)?
A type of keys that KMS can generate using a CMK.
What GenerateDateKey operation of KMS?
Generate keys (DEK) to encrypt data bigger than 4KB.
Where KMS store the Data Encryption Key (DEK)?
KMS never stores the DEK, it provides to you and discards.
How to encrypt data outside KMS?
[a] Generate the plaintext and ciphertext data key using the GenerateDataKey operation
[b] Use the plaintext data key to encrypt the data and discard it
[c] Store the encrypted key with the data.
How decrypt data outside KMS?
[a] Get the encrypted key stored with the data and use the decrypt operation to receive the plaintext of the key.
[b] Use the plaintext data key to decrypt the data and discard it.