DVA-C01 studying - KMS
KMS - Key Management Service
What it is
- managed service for creating and controlling the encryption keys used to encrypt your data
- encryption keys are Single-Region by default
- can be multi-tenant
- seamless integration with a plethora of AWS services (usually a checkbox in the console when configuring services)
- makes it simple to encrypt your data with encryption keys you manage
- when to use:
  - anytime you are storing secret/sensitive data e.g. passwords, credentials, secrets, financial data, customer data
- cannot use AWS managed keys in cryptographic operations directly
- list of CLI commands: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/index.html
  - aws kms encrypt - encrypts a file into ciphertext using a customer master key
  - aws kms decrypt - decrypts ciphertext that was encrypted with a KMS CMK
  - aws kms enable-key-rotation - enables automatic key rotation every 365 days
  - aws kms re-encrypt - re-encrypts ciphertext on the server side under a new CMK, without exposing the plaintext of the data on the client side
CMK - Customer Master Key
- encrypt/decrypt up to 4 KB of data
- used to generate/encrypt/decrypt the Data Key
- Data Key - key used to encrypt/decrypt your data
  - CMK encrypts the Data Key (under 4 KB), the Data Key encrypts your data (likely over 4 KB) - envelope encryption
- properties
  - can be aliased - the alias can be referenced in applications
  - tracks the date/time it was created
  - can have a user-added description
  - tracks its state - enabled, disabled, pending deletion, or unavailable
  - key material can either be user generated externally or generated via AWS
  - cannot be exported outside of KMS
- example setup process
  - create an alias
  - add a description
  - choose the Key Material
  - set Key Administrative Permissions - IAM users and roles that can administer (not use) the key through the KMS API
  - set Key Usage Permissions - IAM users and roles that can use the key to encrypt/decrypt data
Envelope Encryption
- process for encrypting data
  - encrypts plaintext data with a data key, then encrypts the data key with another key
- typically used for files greater than 4 KB in size
- encryption process
  - CMK exists in KMS
  - aws kms generate-data-key (or the GenerateDataKey API) is used to create the Data Key
  - CMK encrypts the Data Key
  - Data Key encrypts your data
  - encrypted Data Key is stored locally with the data (not in KMS) - used later for decryption purposes
- decryption process
  - encrypted data exists with the encrypted Data Key
  - the KMS Decrypt API is called with the encrypted Data Key; the CMK decrypts it and the Data Key is returned in plaintext
  - decrypted Data Key is used to decrypt the data
  - decrypted Data Key is deleted from memory
- why use?
  - network performance - encrypting data directly with KMS requires that the data be transferred over the network
  - envelope encryption ensures that only the key, not the data, is sent over the network - avoids the need to transfer large amounts of data to KMS
  - protects the encryption key
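Worked example for the CMK / Data Key relationship and the envelope encryption and decryption steps above. This is an added example written for these notes, not code from AWS or the KMS CLI: a `CMK` type stands in for the service side of KMS (its key material never leaves the struct), `Encrypt`/`Decrypt`/`GenerateDataKey` model `aws kms encrypt`, `aws kms decrypt` and `GenerateDataKey`, and `MaxDirectPlaintext` enforces the 4 KB limit. AES-256-GCM is used as a stand-in for whatever KMS does internally; `Envelope`, `EnvelopeEncrypt`, `EnvelopeDecrypt` and all helper names are assumptions made for this example. It runs offline on a constructed payload and shows why a large file must go through a Data Key: the CMK refuses it directly, while only the small encrypted Data Key ever travels to "KMS", and the plaintext Data Key is wiped from memory after use (the `clear` builtin needs Go 1.21+).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MaxDirectPlaintext is the 4 KB limit on what a CMK encrypts or decrypts directly.
const MaxDirectPlaintext = 4096

// CMK is a constructed stand-in for a KMS customer master key (not the AWS API); its material never leaves it.
type CMK struct{ material []byte }

func NewCMK() *CMK { return &CMK{material: randomBytes(32)} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith/openWith: AES-256-GCM with the random nonce prefixed to the ciphertext.
func sealWith(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func openWith(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil) // GCM tag check rejects tampering
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt models `aws kms encrypt`: the CMK only accepts small payloads such as a data key.
func (c *CMK) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > MaxDirectPlaintext {
		return nil, fmt.Errorf("kms: %d bytes exceeds the %d byte limit", len(plaintext), MaxDirectPlaintext)
	}
	return sealWith(c.material, plaintext)
}

// Decrypt models `aws kms decrypt`.
func (c *CMK) Decrypt(ciphertext []byte) ([]byte, error) { return openWith(c.material, ciphertext) }

// GenerateDataKey models the GenerateDataKey API: a fresh data key in plaintext plus the same key encrypted under the CMK.
func (c *CMK) GenerateDataKey() (plain, encrypted []byte, err error) {
	plain = randomBytes(32)
	encrypted, err = c.Encrypt(plain)
	return plain, encrypted, err
}

// Envelope is what the client keeps: the encrypted data key is stored with the data, not in KMS.
type Envelope struct {
	EncryptedDataKey []byte
	Ciphertext       []byte
}

// EnvelopeEncrypt: get a data key, seal the (large) data locally, keep only the encrypted data key.
func EnvelopeEncrypt(c *CMK, data []byte) (Envelope, error) {
	plainDK, encDK, err := c.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	defer clear(plainDK) // plaintext data key is wiped once the data is sealed (clear builtin, Go 1.21+)
	ct, err := sealWith(plainDK, data)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{EncryptedDataKey: encDK, Ciphertext: ct}, nil
}

// EnvelopeDecrypt: only the small encrypted data key goes to the CMK; the data is decrypted locally.
func EnvelopeDecrypt(c *CMK, env Envelope) ([]byte, error) {
	plainDK, err := c.Decrypt(env.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	defer clear(plainDK) // decrypted data key is deleted from memory after use
	return openWith(plainDK, env.Ciphertext)
}
```

Usage: `env, _ := EnvelopeEncrypt(cmk, bigFile)` stores `env.EncryptedDataKey` next to `env.Ciphertext`; `EnvelopeDecrypt(cmk, env)` sends only the 60-byte encrypted Data Key to the CMK and decrypts the file locally. A different CMK cannot unwrap the Data Key, and a flipped byte in the stored ciphertext fails the GCM tag check rather than yielding garbage.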