DVA-C01 studying - KMS

KMS - Key Management Service

What it is

• https://aws.amazon.com/kms/

• managed service for creating and controlling the encryption keys used to encrypt your data

  • encryption keys are Single-Region by default

• can be multi-tenant

• seamless integration with a plethora of AWS services (usually a checkbox in the console when configuring services)

• makes it simple to encrypt your data with encryption keys you manage

• when to use:

  • anytime you are storing secret/sensitive data e.g. passwords, credentials, secrets, financial data, customer data

• cannot use AWS managed keys in cryptographic operations directly

• list of CLI commands https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/index.html

  • aws kms encrypt command to encrypt files into ciphertext using a customer master key
  • aws kms decrypt command to decrypt ciphertext encrypted with a KMS CMK
  • aws kms rencrypt command to encrypt files using a customer master key
  • aws kms enable-key-rotation command to enable automatic key rotation every 365 days
  • aws kms re-encrypt  encrypts data on the server side with a new CMK without exposing the plaintext of the data on the client side

CMK - Customer Master Key

• encrypt/decrypt up to 4kb of data

• used to generate/encrypt/decrypt the Data Key

• Data Key - key used to encrypt/decrypt your data

  • CMK encrypts the Data Key (under 4kb), the Data Key encrypts your data (likely over 4kb) - envelope encryption

• properties

  • can be aliased - alias can be referenced in applications
  • tracks the date/time it was created
  • can have a user added description
  • tracks it's state - enabled, disabled, pending deletion, or unavailable
  • key material can either be user generated externally or generated via AWS
  • cannot be exported outside of KMS

• example setup process

  1. create an alias
  2. add a description
  3. chose a Key Material
  4. set Key Administrative Permssions - IAM users and roles that can administer (not use) the key through the KMS API
  5. set Key Usage Permission - IAM users and roles that can use the key to encrypt/decrypt data

Envelope Encryption

• process for encrypting data

  • encrypts plaintext data with a data key, and then encrypting the data key with another key

• typically used for files greater than 4KB in size

• encryption process

  1. CMK exists in KMS
  2. aws kms generate-data-keyor** GenerateDataKey used to create Data Key**
  3. CMK encrypts the Data Key
  4. Data Key encrypts your data
  5. encrypted Data Key is stored locally with the data (not in KMS) - used later for decryption purposes

• decryption process

  1. encrypted data exists with encrypted Data Key
  2. CMK uses KMS API to run a decrypt operation on the Data Key - decrypted Data Key returns in plaintext
  3. decrypted Data Key used to decrypt the data
  4. decrypted Data Key is deleted from memory

• why use?

  • network performance - encrypting data directly with KMS requires it must be transfered over the network
  • envelop encryption ensures that only the key, not the data, is sent over the network - avoids need to transfer large amounts of data to KMS (over the network)
  • protects encryption key