# Encryption

* In general, there are 3 types of encryption:
  * `Encryption in flight`
    * Typically achieved using TLS/SSL certificates, as on HTTPS-secured websites.
    * Data is encrypted before being sent to the server and decrypted after being received from the server.
    * This prevents MITM *(man-in-the-middle)* attacks.
  * `Server Side encryption`
    * Typically used to encrypt data at rest.
    * Data is encrypted with a key after it is received on the server side and decrypted before being sent back to the requester.
  * `Client Side encryption`
    * Data is encrypted and decrypted on the client side itself.
    * Used in envelope encryption.

## AWS Key Management Service *(KMS)*

### Icon

![AWS KMS Icon](https://icon.icepanel.io/AWS/svg/Security-Identity-Compliance/Key-Management-Service.svg)

### About

* It's a key management service offered by AWS.
* It manages encryption keys for us.
* It's fully integrated with IAM for authorization.
* `CloudTrail` provides audit trails of KMS key usage.
* Seamlessly integrated into most AWS services like RDS, ECS, S3 ...
* Never store your credentials in plain text, especially in your code; rather encrypt them using a KMS key and refer to the encrypted secrets.
* KMS key encryption is also available through API calls *(SDK and CLI)*.
* API calls to KMS are not free.

### KMS Keys

* They are scoped per region.
* Can be single-region or multi-region *(replicated)* keys.
* To copy an EBS volume encrypted with a KMS key from region A to region B, the steps are as follows:
  * Take a snapshot of the encrypted EBS volume in region A.
  * Note that the same KMS key cannot be kept in two different regions.
  * **Re-encrypt** the snapshot with a different KMS key in region A.
  * Restore the snapshot into region B.

### KMS Key Types

* KMS Key is the new name for the KMS Customer Master Key *(CMK)*.
* There are two types of them based on the encryption mechanism.
* Pricing to access the KMS API is around `$0.03` per 10,000 calls.

#### Based on encryption mechanism

**Symmetric KMS Key** *(AES-256)*

* A single key is used both to encrypt and to decrypt.
* AWS services that are integrated with KMS use symmetric CMKs.
* You never get access to the unencrypted key material; to use the key, make KMS API calls.

**Asymmetric KMS Key** *(RSA and ECC)*

* Two keys, i.e. a pair, are generated: a public key to encrypt data and a private key to decrypt data.
* Used for encrypt/decrypt or sign/verify operations.
* The public key is downloadable, but you can't access the private key unencrypted.
* Typically used when encryption needs to be done outside of AWS by users who can't access the KMS API.

#### Based on Key Management

**AWS Owned Keys**

* These are free keys; they are not KMS keys you can see or manage, but encryption keys that AWS owns and uses within its services.
* Examples: `SSE-S3`, `SSE-SQS`, `SSE-DDB`.

**AWS Managed Key**

* These are free keys.
* Typically of the form `aws/<service-name>`, e.g. `aws/rds`.
* Can only be used from within the service it is assigned to.

**Customer managed keys**

* Cost `$1`/month.
* Keys can also be generated by you and imported; pricing remains the same, i.e. `$1`/month.

### Key Rotation

* KMS also provides automatic key rotation.
* For AWS managed KMS keys, automatic rotation happens once per year.
* For customer managed KMS keys, you can enable automatic rotation or perform on-demand rotation.
* For imported KMS keys, only manual rotation is possible, **using an alias**.
* Key rotation history is also available for on-demand key rotation.
* The key rotation period for a customer managed key can be between 90 and 2560 days.

## KMS Key Policies

* Similar to S3 bucket policies, the only difference being that you cannot control access to a KMS key without one.
* If there is no KMS key policy, then no one can access the key.

### Default KMS Key Policy

* A default KMS key policy is created if no specific key policy is provided.
* It gives complete access to the key to the account root user.
* This default policy allows **all users/roles** *(not services)* in the account to access the key if they have the proper IAM permissions.

### Custom KMS Key Policy

* A custom key policy allows you to control access to the key:
  * Which users and roles can access the KMS key.
  * Who can administer the key.
* Useful for cross-account access to the KMS key.
* An example is copying a volume's snapshot across accounts, which includes the following steps:
  1. Create a snapshot, encrypted with your customer managed KMS key.
  2. Attach a KMS key policy to authorize cross-account access.
  3. Share the encrypted snapshot.
  4. Create a copy of the snapshot, encrypting it with a different CMK in the target account.
  5. Create a volume from the snapshot.
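As an added example (not from the original notes), the key policy attached in step 2 above could be built like this in Python; the account IDs and role name are placeholders, and the principal in the target account still needs matching IAM permissions in its own account.

```python
def cross_account_key_policy(owner_account, target_account, admin_role):
    """Key policy for the cross-account snapshot copy above. The owning account
    keeps control, one role administers the key, and the target account may
    use it. Account IDs and the role name are placeholders supplied by the caller."""
    owner_root = f"arn:aws:iam::{owner_account}:root"
    target_root = f"arn:aws:iam::{target_account}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Keep the owner root: without it IAM policies cannot grant key
                # access and the key can become unmanageable.
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": owner_root},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Administration only (no Encrypt/Decrypt): who manages the key.
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:role/{admin_role}"},
                "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Put*",
                           "kms:Update*", "kms:Get*", "kms:List*", "kms:TagResource",
                           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {   # Cross-account use: the target account can decrypt the shared
                # snapshot's data key and re-encrypt the copy under its own CMK.
                "Sid": "AllowCrossAccountUse",
                "Effect": "Allow",
                "Principal": {"AWS": target_root},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {   # EBS creates grants on the target account's behalf; the condition
                # limits grant creation to AWS services acting for that account.
                "Sid": "AllowGrantsForAWSResources",
                "Effect": "Allow",
                "Principal": {"AWS": target_root},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }
```

Serialise the returned dict with `json.dumps` and pass it as the policy document when creating the key or calling `put-key-policy`.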

## KMS Quota

* When the quota limit is exceeded, you get a `ThrottlingException`.
* To resolve this, use exponential backoff and retry.
* Each quota is calculated separately depending on the AWS region and the type of CMK used in the request.
* Cryptographic operations share a quota across the account per region.
* AWS Support can increase the request quota if a ticket is opened.
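An added example, not part of the original notes: a retry wrapper implementing the exponential-backoff advice for `ThrottlingException`, exercised against a constructed stand-in for a throttled KMS call (no real AWS client or botocore import is used, but the error-code check matches botocore's `ClientError` shape).

```python
import random
import time


class ThrottlingError(Exception):
    """Constructed stand-in for botocore's ClientError: it exposes the same
    response["Error"]["Code"] shape, so the retry logic below works on either."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


def aws_error_code(exc):
    """Pull the AWS error code out of a botocore-style exception, or None."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def call_with_backoff(op, max_attempts=5, base=0.1, cap=2.0,
                      sleep=time.sleep, rng=random.random):
    """Call op() and retry only on ThrottlingException, using capped
    exponential backoff with full jitter: delay = rng() * min(cap, base * 2**n).
    Any other error, or exhausting max_attempts, re-raises immediately."""
    for attempt in range(1, max_attempts + 1):
        try:
            return op()
        except Exception as exc:
            if aws_error_code(exc) != "ThrottlingException" or attempt == max_attempts:
                raise
            sleep(rng() * min(cap, base * 2 ** (attempt - 1)))


def make_throttled_op(failures, result):
    """Constructed fake for a KMS call such as kms.encrypt(...): raises
    ThrottlingException `failures` times, then returns `result`."""
    state = {"calls": 0}

    def op():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ThrottlingError("ThrottlingException")
        return result

    return op, state


if __name__ == "__main__":
    op, state = make_throttled_op(2, {"CiphertextBlob": b"constructed-ciphertext"})
    print(call_with_backoff(op), "after", state["calls"], "calls")
```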

![KMS Quotas](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-ae1d5d1066ee6774e13cdbd1cdebce34d65259c5%2FKMSQuotas.png?alt=media)
