Components Of AWS Key Management Service (KMS):
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In this blog post, we will discuss what AWS Key Management Service (KMS) is and the components of AWS Key Management Service (KMS).
What Is AWS Key Management Service (KMS):
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
Components Of AWS Key Management Service (KMS):
- Customer master keys (CMKs): Customer master keys are the primary resources in AWS KMS. A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data. AWS KMS supports symmetric and asymmetric CMKs. AWS KMS supports three types of CMKs: customer managed CMKs, AWS managed CMKs, and AWS owned CMKs.
- Customer managed CMKs: Customer managed CMKs are CMKs in your AWS account that you create, own, and manage. You have full control over these CMKs and usage is charged.
- AWS managed CMKs: AWS managed CMKs are CMKs in your account that are created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS. Some AWS services support only an AWS managed CMK. Others use an AWS owned CMK or offer you a choice of CMKs. You have no control over these CMKs and usage is free.
- AWS owned CMKs: AWS owned CMKs are a collection of CMKs that an AWS service owns and manages for use in multiple AWS accounts. Although AWS owned CMKs are not in your AWS account, an AWS service can use its AWS owned CMKs to protect the resources in your account. You have no control over these CMKs and usage is free.
- Data keys: Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys. You can use AWS KMS customer master keys (CMKs) to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys. You must use and manage data keys outside of AWS KMS.
- Data key pairs: Data key pairs are asymmetric data keys that consist of a mathematically-related public key and private key. They are designed to be used for client-side encryption and decryption or signing and verification outside of AWS KMS. Unlike the data key pairs that tools like OpenSSL generate, AWS KMS protects the private key in each data key pair under a symmetric CMK in AWS KMS that you specify. However, AWS KMS does not store, manage, or track your data key pairs, or perform cryptographic operations with data key pairs. You must use and manage data key pairs outside of AWS KMS.
- Aliases: An alias is a friendly name for a CMK. For example, you can refer to a CMK as my_key instead of 1234abcd-12ab-34cd-56ef-1234567890ab. Aliases make it easier to identify a CMK in the AWS Management Console. You can also use an alias to identify a CMK in some AWS KMS operations, including cryptographic operations. In AWS KMS, aliases are independent resources, not properties of a CMK. As such, you can add, change, and delete an alias without affecting the associated CMK.
- Key policies: When you create a CMK, you determine who can use and manage that CMK. These permissions are contained in a document called the key policy. You can use the key policy to add, remove, or change permissions at any time for a customer managed CMK. But you cannot edit the key policy for an AWS managed CMK.
- Grants: A grant is another mechanism for providing permissions. It’s an alternative to key policies. Because grants can be very specific, and are easy to create and revoke, they are often used to provide temporary permissions or more granular permissions.
- Grant tokens: When you create a grant, the permissions specified in the grant might not take effect immediately due to eventual consistency. If you need to mitigate the potential delay, use the grant token that you receive in the response to your CreateGrant request. You can pass the grant token with some AWS KMS API requests to make the permissions in the grant take effect immediately.
- CMK Audit: You can use AWS CloudTrail to audit key usage. CloudTrail creates log files that contain a history of AWS API calls and related events for your account. These log files include all AWS KMS API requests made with the AWS Management Console, AWS SDKs, and command line tools. The log files also include requests to AWS KMS that AWS services make on your behalf. You can use these log files to find important information, including when the CMK was used, the operation that was requested, the identity of the requester, and the source IP address.
- Encryption context: All AWS KMS cryptographic operations with symmetric CMKs accept an encryption context, an optional set of key–value pairs that can contain additional contextual information about the data. AWS KMS uses the encryption context as additional authenticated data (AAD) to support authenticated encryption.
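The data key and encryption context items above together describe envelope encryption: KMS hands out a data key wrapped under a CMK, the data is encrypted locally, and the same context must be presented again to unwrap the key. The Go program below is an added example, not code from the original post or from AWS; it assumes a minimal KMS interface (GenerateDataKey and Decrypt, method shapes assumed, which a real program would satisfy with an AWS SDK client) and uses AES-256-GCM for the local step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// KMS is the subset of the AWS KMS API needed here; an AWS SDK client would satisfy it (shapes assumed).
type KMS interface {
	GenerateDataKey(keyID string, ctx map[string]string) (plainKey, wrappedKey []byte, err error)
	Decrypt(wrappedKey []byte, ctx map[string]string) (plainKey []byte, err error)
}
// Envelope is what gets stored: the data key wrapped under the CMK, plus nonce and ciphertext.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
// gcmFor builds AES-256-GCM from a KMS data key and wipes the raw key; err is the KMS call's error, passed through.
func gcmFor(plainKey []byte, err error) (cipher.AEAD, error) {
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(plainKey)
	for i := range plainKey { // only the expanded cipher state is needed from here on
		plainKey[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Encrypt: fresh data key bound to ctx, local AES-GCM, keep only the wrapped key; the plaintext key stays in-process.
func Encrypt(kms KMS, keyID string, plaintext []byte, ctx map[string]string) (*Envelope, error) {
	plainKey, wrapped, err := kms.GenerateDataKey(keyID, ctx)
	gcm, err := gcmFor(plainKey, err)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}
// Decrypt: KMS unwraps the key only if ctx matches what was used at encryption, then GCM authenticates the payload.
func Decrypt(kms KMS, env *Envelope, ctx map[string]string) ([]byte, error) {
	gcm, err := gcmFor(kms.Decrypt(env.WrappedKey, ctx))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

The decrypting side supplies the context it expects (for example, derived from the record it is reading) rather than trusting one stored next to the ciphertext, so a ciphertext moved to another tenant's record cannot be unwrapped.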
Symmetric vs. Asymmetric KMS Keys:
- Symmetric customer master keys: Symmetric keys are used in symmetric encryption, where the same key is used for encryption and decryption. When you create a customer master key (CMK) in KMS, by default, you get a symmetric CMK. In AWS KMS, a symmetric CMK represents a 256-bit encryption key that never leaves AWS KMS unencrypted.
- Asymmetric customer master keys: An asymmetric CMK represents a mathematically related public key and private key pair. You can give the public key to anyone, even if they’re not trusted, but the private key must be kept secret. In an asymmetric CMK, the private key is created in AWS KMS and never leaves AWS KMS unencrypted. To use the private key, you must call AWS KMS. You can use the public key within AWS KMS by calling the AWS KMS API operations. Or, you can download the public key and use it outside of AWS KMS.
To get more details on AWS KMS, please refer to the AWS documentation below:
https://docs.aws.amazon.com/kms/index.html