Encryption

  • In general, there are 3 types of encryption

    • Encryption in flight

      • This type of encryption is typically achieved using TLS/SSL certificates in HTTPS secured websites.

      • Data is encrypted before being sent to the server and decrypted after being received from the server.

      • This protects against MITM (man-in-the-middle) attacks.

    • Server Side encryption

      • Typically used to encrypt data at rest.

      • Data is encrypted with a key after it is received on the server side and decrypted before being sent back to the requester.

    • Client Side encryption

      • Encrypt and decrypt data at client side itself.

      • Used in Envelope encryption.

AWS Key Management Service (KMS)


About

  • It's a key management service offered by AWS.

  • It manages encryption keys for us.

  • It's fully integrated with IAM for authorization.

  • CloudTrail provides audit trails of KMS key usage.

  • Seamlessly integrated into most AWS services like RDS, ECS, S3 ...

  • Never store your credentials in plain text, especially in your code; instead encrypt them with a KMS key and refer to the encrypted secrets.

  • KMS key encryption is also available through API calls (SDK and CLI).

KMS Keys

  • They are scoped per region.

  • Can be single-region or multi-region (replicated) keys.

  • To copy an EBS volume encrypted with a KMS key from region A to region B, the steps are as follows:

    • Take a snapshot of the encrypted EBS volume in region A.

    • Note that the same KMS key cannot be kept in two different regions.

    • Re-encrypt the snapshot with a different KMS key in region A.

    • Restore the snapshot in region B.

KMS Key Types

  • KMS key is the new name for KMS Customer Master Key (CMK).

  • There are two types of them, based on the encryption mechanism.

  • Pricing: access to the KMS API costs around $0.03 per 10,000 calls.

Based on encryption mechanism

Symmetric KMS Key (AES-256)

  • A single encryption key is used both to encrypt and to decrypt.

  • AWS services that are integrated with KMS use symmetric CMKs.

  • You never get access to the unencrypted KMS key; to use it, you make KMS API calls.

Asymmetric KMS Key (RSA and ECC)

  • Two keys, i.e. a key pair, are generated: a public key to encrypt data and a private key to decrypt data.

  • Used for encrypt/decrypt or sign/verify operations.

  • The public key is downloadable, but you can't access the private key unencrypted.

  • Typically used when encryption needs to be done outside of AWS by users who can't access KMS API.

Based on Key Management

AWS Owned Keys

  • These are free keys; they are not KMS keys you manage but a type of encryption key used within AWS.

  • Examples: SSE-S3, SSE-SQS, SSE-DDB.

AWS Managed Key

  • These are free keys.

  • Typically of the form aws/<service-name>, e.g. aws/rds.

  • Can only be used from within the service it is assigned to.

Customer managed keys

  • Costs $1/month.

  • Keys can also be generated by you and imported; the pricing remains the same, i.e. $1/month.

Key Rotation

  • KMS also provides automatic key rotation.

  • For AWS managed KMS keys, automatic rotation happens once per year.

  • For customer managed KMS keys, you can enable automatic rotation or rotate on demand.

  • For imported KMS keys, only manual rotation is possible, using an alias.

  • Key rotation history is also available for on-demand key rotation.

KMS Key Policies

  • Similar to S3 bucket policies, with the one difference that access to a key cannot be controlled without them.

  • If there is no KMS key policy, then no one can access the key.

Default KMS Key Policy

  • A default KMS key policy is created if no specific KMS key policy is provided.

  • It gives the account root user complete access to the key.

  • This default policy allows all users/roles (not services) in the account to access the key if they have the proper IAM permissions.

Custom KMS Key Policy

  • A custom key policy allows you to control access to the key:

    • which users and roles can use the KMS key;

    • who can administer the key.

  • Useful for cross-account access to the KMS key.

  • An example is copying a volume's snapshots across accounts, which involves the following steps:

    1. Create a snapshot, encrypted with your Customer managed KMS Key.

    2. Attach a KMS key policy to authorize a cross-account access.

    3. Share the encrypted snapshot.

    4. Create a copy of the snapshot, encrypting it with a different CMK in the target account.

    5. Create a volume from snapshot.

KMS Quota

  • When the quota limit is exceeded, you get a ThrottlingException.

  • To resolve this, use exponential backoff and retry.

  • Each quota is calculated separately, depending on the AWS region and the type of CMK used in the request.

  • Cryptographic operations share a quota per account per region.

  • AWS Support can increase the request quota if a ticket is opened.