Home Membership Courses Blog
About Contact

Understanding Asymmetric Keys in AWS KMS

all aws aws kms aws security Jan 25, 2024

Introduction

In this blog post, we're diving into asymmetric keys in AWS KMS, breaking it down into simple terms. Whether preparing for an exam or just curious about cloud security, this guide will walk you through the basics of asymmetric keys in AWS KMS.

What are Asymmetric KMS Keys?

AWS KMS supports asymmetric keys, which are pairs of mathematically related public and private keys. These key pairs can be of three types:

  1. RSA Keys: Used for either encryption/decryption or signing/verification. AWS KMS offers various key lengths for different security needs.
  2. Elliptic Curve (ECC) Keys: Primarily used for signing and verification.
  3. SM2 Keys: Available only in China Regions, used similarly to RSA keys.

These keys are generated within AWS KMS's highly secure hardware security modules (HSMs), which are certified under the FIPS 140-2 Cryptographic Module Validation Program (with the exception of China's Beijing and Ningxia Regions).

Private and Public Keys

  • Private Key: It's generated in AWS KMS and is always encrypted within AWS KMS. We cannot extract it unencrypted.
  • Public Key: We can share it with anyone, even those we don't trust. It's used alongside the private key but can be distributed and used outside of AWS KMS.

Use Cases and Considerations

1. Digital Signatures

Asymmetric keys are pivotal for creating digital signatures. This is a crucial aspect of verifying the authenticity and integrity of digital documents or software. Here's how it works:

  • Signing: You use your private key to sign a document or software.
  • Verification: Others use your public key to verify the signature, ensuring it's genuinely from you and hasn't been tampered with.

2. Encryption Outside AWS

If we need to encrypt data outside AWS where users can't access AWS KMS, asymmetric KMS keys are ideal. This is especially useful for:

  • Securing Emails: Encrypting email content before sending it over the internet.
  • Protecting Files: Encrypting files that are stored or shared outside the AWS environment.

Special Note

If we're encrypting data within an AWS service, use symmetric encryption KMS keys, as AWS services integrated with AWS KMS don't support asymmetric keys.

Managing Asymmetric KMS Keys

In AWS KMS, we can create and manage these keys, set their policies, enable or disable them, and even audit their usage through AWS CloudTrail logs. We completely control these keys, ensuring they align with our security and access requirements.

Asymmetric Data Key Pairs

AWS KMS also offers asymmetric data key pairs for client-side cryptography outside of AWS KMS. The private key in this pair is protected by a symmetric encryption KMS key within AWS KMS.

Important Points to Remember for Exams

  1. Key Types: Understand the differences between RSA, ECC, and SM2 keys.
  2. Key Generation Location: Remember that keys are generated within AWS KMS HSMs, certified under FIPS 140-2.
  3. Private Key Security: The private key never leaves AWS KMS unencrypted.
  4. Public Key Distribution: Public keys can be downloaded and used outside AWS KMS.
  5. Use Cases: Know when to use asymmetric vs. symmetric KMS keys.
  6. AWS Services Compatibility: AWS services that integrate with AWS KMS do not support asymmetric encryption keys.
  7. Region Availability: Asymmetric KMS keys are available in all AWS Regions that support AWS KMS, with SM2 keys exclusive to China Regions.
  8. Management and Auditing: You can manage key policies, access, and track usage via AWS CloudTrail.

Conclusion

Understanding these key points will not only help you in exams but also give you a foundational understanding of how asymmetric keys function in AWS KMS, enhancing your knowledge of cloud security.

See also

Read about Digital Signing with Asymmetric Keys at secdops.com/blog/understanding-digital-signing-with-asymmetric-keys.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.

Recent Posts

Understanding TLS Termination with Load Balancers in AWS
all aws aws networking aws security
Apr 19, 2024
Understanding Load Balancing in AWS
all aws aws networking
Apr 18, 2024
A Beginner's Roadmap to Mastering AWS Networking
all aws aws networking roadmaps
Apr 08, 2024

Categories

All Categories all aws all azure amazon ec2 amazon s3 announcements aws aws architecture aws automation aws cloudhsm aws comparison 101 aws compute aws containers aws cost management aws developer tools aws devops aws feature 101 aws governance aws iam aws kms aws management tools aws messaging aws networking aws optimizations aws policies aws principles 101 aws recipes aws security aws serverless aws service 101 aws ssm aws storage aws tools 101 aws vpc azure networking azure security cloud computing ec2 security getting started multi-cloud roadmaps s3 security security updated
Lead Author @ Cloudericks Blogs

Heartin Kanikathottu

Principal Cloud Architect & Author

The Cloudericks blog posts are created and maintained by Heartin Kanikathottu and his team at Cloudericks with a bit of AI help. Heartin is an accomplished Cloud Architect and a prolific international author recognized globally, with one of his books being named all-time 8th best in cloud computing. Read more at heartin.github.io.

Want to askĀ doubts directly to Heartin and team?

Please become a Cloudericks member to join the KEWA group andĀ ask any questions directly to Heartin and the Cloudericks team! You can alsoĀ get access to our courses, cookbooks, quizzes, and the KEWA group!

Special Note: If you purchase any of Heartin's books related to cloud,Ā ask for a complimentary membership to KEWA group.Ā 

Explore Membership