Home Membership Courses Blog
About Contact

Understanding AWS KMS Keys - Customer Keys and AWS Keys

all aws aws cost management aws kms aws security Jan 25, 2024

Introduction

AWS KMS is an essential component for managing encryption keys in the AWS ecosystem. Understanding the different types of keys - Customer Managed Keys, AWS Managed Keys, and AWS Owned Keys - and their use cases is crucial for both practical implementation and for those preparing for AWS exams. This blog post aims to demystify these concepts.

Customer Managed Keys

Customer Managed Keys are the keys that we, as an AWS customer, create, own, and manage within our AWS account.

Characteristics and Use Cases

  • Full Control: We have complete authority over these keys. This includes setting up key policies, IAM policies, and grants.
  • Flexibility: We can enable or disable these keys, rotate their cryptographic material, add tags, create aliases, and schedule them for deletion.
  • Visibility and Audit: These keys can be used in cryptographic operations, and their usage can be audited via AWS CloudTrail logs.
  • Pricing: Customer-managed keys incur a monthly fee and a per-use fee, which is counted against AWS KMS quotas for our account.
  • Logging: Every request made to these keys is recorded as events in CloudTrail.

When to Use

Use Customer Managed Keys when we need full control over the encryption keys, such as for compliance requirements or specific organizational policies.

AWS Managed Keys

AWS Managed Keys (e.g., aliases starting with aws/rds, aws/ebs) are created and managed by AWS in our account with automatic yearly rotation and have no monthly fee; per-use fees may apply. We can view these keys and their usage in CloudTrail.

Characteristics and Use Cases

  • Ease of Use: These keys do not require any management effort on our part. AWS handles the creation, maintenance, and policy management.
  • Automatic Rotation: They are rotated automatically every year (365 days) without any intervention needed from our side.
  • Cost-Effective: There is no monthly fee for AWS Managed Keys, though per-use fees might apply (covered by some AWS services).
  • Logging: Every request made to these keys is recorded as events in CloudTrail.

When to Use

AWS Managed Keys are suitable when we do not require specific control over our encryption keys but still need to view the key policies and audit the key usage using CloudTrail logs.

AWS Owned Keys

AWS-owned keys are owned and managed by AWS outside our account and will be used across AWS accounts for specific services, such as Amazon S3, for the default encryption. We cannot see these keys in our KMS dashboard, and we cannot see their usage in CloudTrail logs. 

Characteristics and Use Cases

  • Zero Cost: These keys are free of charge with no monthly or usage fees.
  • Simplicity: No need to create or maintain these keys.
  • Rotation Policy: Varies across different AWS services.

When to Use

AWS-owned keys are ideal for scenarios where we require a simple and cost-effective solution and do not need to audit or control the encryption keys.

Important Points to Remember for Exams

  • Customer Managed Keys: Full control, includes key creation and management, incurs monthly and per-use fees.
  • AWS Managed Keys: Managed by AWS, no monthly fee, automatic yearly rotation, per-use fees may apply.
  • AWS Owned Keys: Owned by AWS for multiple accounts, no cost, rotation policy varies, no need for creation or management.
  • Rotation Policy: AWS Managed Keys are rotated every year; the policy for AWS Owned Keys varies per service.
  • Billing: Only Customer Managed Keys incur a monthly fee; AWS Managed Keys and AWS Owned Keys do not.
  • Access and Visibility: We have access to the metadata of Customer Managed and AWS Managed Keys, but not for AWS Owned Keys.
  • Use in Cryptographic Operations: Customer Managed Keys can be directly used, while AWS Managed and Owned Keys are used by AWS services.

Conclusion

Understanding these key types and their use cases is vital for effective cloud security management and for excelling in AWS-related exams. Remember, the choice of key type should align with your organizational requirements, whether it be control, ease of use, or cost-effectiveness.

See also

Read about key rotation for customer managed keys at cloudericks.com/blog/understanding-key-rotation-for-customer-managed-keys-with-aws-kms.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.

Recent Posts

Understanding TLS Termination with Load Balancers in AWS
all aws aws networking aws security
Apr 19, 2024
Understanding Load Balancing in AWS
all aws aws networking
Apr 18, 2024
A Beginner's Roadmap to Mastering AWS Networking
all aws aws networking roadmaps
Apr 08, 2024

Categories

All Categories all aws all azure amazon ec2 amazon s3 announcements aws aws architecture aws automation aws cloudhsm aws comparison 101 aws compute aws containers aws cost management aws developer tools aws devops aws feature 101 aws governance aws iam aws kms aws management tools aws messaging aws networking aws optimizations aws policies aws principles 101 aws recipes aws security aws serverless aws service 101 aws ssm aws storage aws tools 101 aws vpc azure networking azure security cloud computing ec2 security getting started multi-cloud roadmaps s3 security security updated
Lead Author @ Cloudericks Blogs

Heartin Kanikathottu

Principal Cloud Architect & Author

The Cloudericks blog posts are created and maintained by Heartin Kanikathottu and his team at Cloudericks with a bit of AI help. Heartin is an accomplished Cloud Architect and a prolific international author recognized globally, with one of his books being named all-time 8th best in cloud computing. Read more at heartin.github.io.

Want to askĀ doubts directly to Heartin and team?

Please become a Cloudericks member to join the KEWA group andĀ ask any questions directly to Heartin and the Cloudericks team! You can alsoĀ get access to our courses, cookbooks, quizzes, and the KEWA group!

Special Note: If you purchase any of Heartin's books related to cloud,Ā ask for a complimentary membership to KEWA group.Ā 

Explore Membership