Getting Started with AWS Key Management Service (KMS)

Introduction

AWS AWS KMS is a managed service designed to create and manage encryption keys. So what is Encryption, and what are these encryption keys? In this blog post, we will first discuss encryption and then the important concepts of the AWS KMS service. Consider this blog post as a starting point for your AWS KMS learning journey, and read all linked blog points in the See more section. Se let us get started with AWS KMS.

What is Encryption?

Encryption is a process that transforms readable data, typically referred to as plaintext, into a coded form, known as ciphertext, by using a set of characters called an encryption key. Decryption is the reverse process, where ciphertext is converted back to plaintext using a key, allowing authorized users to access the original information. This transformation ensures that sensitive information remains confidential and secure, as only individuals with the correct key can decrypt the data back into its original, readable form. We can read more about Encryption at secdops.com/blog/getting-started-with-encryption. 

Types of KMS Keys (Based on ownership)

Based on ownership, we can categorize the KMS keys into three types:

• Customer Managed Keys are keys created and managed by us, the customer. We have full control, including key creation and management, and incur monthly and per-use fees. We are also responsible for rotating the keys. Rotating keys involves regularly replacing current encryption keys with new ones to minimize the window of vulnerability and strengthen our data protection measures.
• AWS Managed Keys (e.g., aliases starting with aws/rds, aws/ebs) are created and managed by AWS in our account with automatic yearly rotation and have no monthly fee; per-use fees may apply. We can view these keys and their usage in CloudTrail.
• AWS-owned keys are owned and managed by AWS outside our account and will be used across AWS accounts for specific services, such as Amazon S3, for the default encryption. We cannot see these keys in our KMS dashboard, and we cannot see their usage in CloudTrail logs. 

Within the AWS KMS Dashboard, we can select AWS-managed keys or Customer-managed keys. With AWS-managed, we can only see the keys. With customer-managed, we can create keys specifying the Key type - symmetric or asymmetric. 

Read more about AWS-managed and customer-managed keys at cloudericks.com/blog/understanding-aws-kms-keys-customer-keys-and-aws-keys. 

Encryption Key Types

AWS KMS Keys can differ based on the encryption and encryption keys used. 

Symmetric vs. Asymmetric Encryption

• The key used for decryption could be the same as the encryption key, which is called symmetric encryption.
• The key used for decryption could be one mathematically related to the encryption key, which is called asymmetric encryption. 
• While creating a customer-managed key in KMS, we can select from a symmetric or asymmetric key.
• Read more:
  • Asymmetric encryption at cloudericks.com/blog/understanding-asymmetric-keys-in-aws-kms.
  • Symmetric encryption at cloudericks.com/blog/understanding-symmetric-encryption-in-aws-kms. 

HMAC KMS keys

• HMAC keys are symmetric keys used to generate and verify Hash-Based Message Authentication Codes (HMACs). 
• HMAC KMS keys are utilized to verify the integrity and authenticity of data within AWS KMS. 
• While creating a customer-managed key in KMS, after we select Symmetric encryption, we can select the Key Usage as either Encrypt and decrypt or Generate and verify MAC.
• Read more at cloudericks.com/blog/understanding-hmac-keys-in-aws-kms.

Data Keys

•  Data keys are symmetric keys used for encrypting data, including large data volumes and other encryption keys.
• Unlike symmetric KMS keys, data keys can be used outside AWS KMS. When AWS KMS generates a data key, it provides a plaintext version for immediate use (optional) and an encrypted copy that can be safely stored alongside the data.
• Read more at cloudericks.com/blog/understanding-data-keys-in-aws-kms.

Data Key Pairs

• Data key pairs are asymmetric keys, consisting of related public and private keys, designed for client-side encryption and decryption or signing and verification outside of AWS KMS. 
• Unlike data key pairs generated by tools like OpenSSL, AWS KMS protects the private key of each data key pair under a symmetric encryption KMS key that you specify.
• Read more at cloudericks.com/blog/understanding-data-key-pairs-in-aws-kms. 

 AWS KMS User Personas and Roles

The following are two of the most important roles to get started with AWS KMS:

1. Key Creators are people with permission to create a key. These users are available before creating a key and key policy. While creating the key, they can specify key administrators and key users, which will then be added to the key policy.
2. Key Administrators manage KMS keys but do not use them in cryptographic operations. They handle tasks such as key configuration and enabling or disabling keys.
3. Key Users can use the key for cryptographic operations, such as encrypting or decrypting data.

For more information on AWS KMS user persona and roles with role descriptions and use cases, refer to cloudericks.com/blog/understanding-aws-kms-roles-creators-administrators-and-users.

Why Use AWS KMS?

1. Security: KMS leverages hardware security modules (HSMs) for robust key security, adhering to the FIPS 140-2 Cryptographic Module Validation Program standards. These are trusted by government and financial institutions, ensuring the highest level of security for your cryptographic keys. In the China (Beijing) and China (Ningxia) Regions, where FIPS 140-2 is not supported, AWS KMS uses OSCCA certified HSMs.
2. Management: It simplifies the creation, management, and rotation of encryption keys.
3. Key policies: Key access is regulated by a key policy, providing precise control over data access, including stipulations on when, how, and by whom the data can be accessed.
4. Integration: AWS KMS seamlessly integrates with over a hundred AWS services, including major databases, analytics, and storage services. This ensures comprehensive data protection across your entire AWS environment.
5. Monitoring: Its integration with AWS CloudTrail means all key management actions, lifecycle events, and usage are recorded, helping you manage risks and meet compliance requirements.

Use Cases

1. Protect Data at Rest: Activate server-side encryption using KMS keys, giving us control and management of our data's security in AWS services.

2. Encrypt and Decrypt Data: Implement the AWS Encryption SDK for secure cryptographic operations in our applications, enhancing data protection.

3. Sign and Verify Digital Signatures: Safeguard signing operations with asymmetric KMS keys, ensuring the authenticity and integrity of digital communications.

4. Build Secure Multi-Tenant Databases: Utilize the AWS Database Encryption SDK to encrypt and securely search sensitive records, providing an added layer of security for database environments.

Best Practices

1. Key rotation is an essential security practice:
   • AWS KMS can automatically rotate keys every year.
   • You can also manually rotate keys if needed.
2. Regularly audit your KMS usage with CloudTrail:
   • CloudTrail logs all KMS actions, providing a record of who did what and when.
   • Regularly review these logs for security management.
3. Regularly review and update key policies.
4. Use separate keys for different applications or environments.

Getting Started with KMS

1. Access the AWS KMS service by going to the key management service.
2. Create a Key - (symmetric is more common)
3. Configure Key Policies and Permissions to define who can use and manage the key. AWS will create a default policy for Key Administrators and Key users we specify during key creation, and we can customize it as needed later.
4. Use Our Key to encrypt and decrypt data via the AWS Management Console or programmatically using AWS SDKs. We can also configure other AWS services to use this key for data encryption.

Conclusion

Starting with AWS KMS is a significant step towards securing your cloud data. Remember, the key (pun intended!) is to understand your security needs and configure KMS accordingly. 

See also

• Read more about KMS features at cloudericks.com/blog/aws-kms-feature-summary.
• Read about key material at cloudericks.com/blog/understanding-aws-kms-keys-key-material-and-origins.
• Read about custom key stores at cloudericks.com/blog/understanding-custom-key-stores-in-aws-kms.
• Read about Key Source External and how it is different from custom key store (external) at cloudericks.com/blog/aws-kms-key-source-external-the-byok-solution.
• Read about AWS KMS condition keys at cloudericks.com/blog/understanding-aws-kms-condition-keys.
• Read more about aliases for KMS keys at cloudericks.com/blog/understanding-aliases-for-aws-kms-keys.
• Read about Multi-Region Keys at cloudericks.com/blog/understanding-multi-region-keys-in-aws-kms.
• Read about key rotation for customer-managed keys at cloudericks.com/blog/understanding-aws-kms-key-rotation.
• Read more about key deletion at cloudericks.com/blog/understanding-key-deletion-in-aws-kms.
• Read about envelope encryption with KMS at cloudericks.com/blog/getting-started-with-envelope-encryption-in-aws-kms.
• Read more about key policies at cloudericks.com/blog/understanding-key-policies-in-aws-kms.
• Read about grants at cloudericks.com/blog/understanding-grants-in-aws-kms.
• Read about key policies and grants at cloudericks.com/blog/understanding-aws-kms-key-policies-vs-grants.
• Read about Key Policy evaluation logic at cloudericks.com/blog/understanding-key-policy-evaluation-process.
• Read about FIPS 140-2 at secdops.com/blog/understanding-fips-140-2-and-fips-140-3.
• Read about Cloud HSM at cloudericks.com/blog/getting-started-with-cloud-hsm.

Special note on KEWA study group

AWS KMS is a very important service. Please ask our study group if you have any doubts, and the group will try to clear the doubts over a Zoom meeting. If you have purchased any of Heartin's published books, you may ask for a free entry to our study group using this website's contact form. Otherwise, you can share knowledge once a month to get free entry. Read more about KEWA study group at Cloudericks.com/wa.