Encryption
Last updated
In general, there are three types of encryption:
Encryption in flight
This type of encryption is typically achieved with TLS (SSL is its deprecated predecessor) on HTTPS-secured websites.
Data is encrypted before it is sent to the server and decrypted after it is received from the server, so it is protected while it crosses the network.
This prevents MITM (man-in-the-middle) attacks, provided the client validates the server's certificate.
Server Side encryption
Typically used to encrypt data at rest.
Data is encrypted by the server after it is received and decrypted by the server before it is returned to the requester, using a key that the server holds or has access to.
Client Side encryption
Data is encrypted and decrypted on the client side itself; the server only ever stores ciphertext and never sees the key.
Envelope encryption (encrypt the data with a data key, then encrypt the data key with a KMS key) is the usual way to do this with KMS.
KMS (Key Management Service)
It is a key management service offered by AWS.
It manages encryption keys for us.
It is fully integrated with IAM for authorization.
CloudTrail provides audit trails of KMS key usage.
Seamlessly integrated into most AWS services like RDS, ECS, S3 ...
Never store credentials in plain text, especially in your code; instead encrypt them with a KMS key, reference the encrypted value, and decrypt it only at runtime.
KMS key encryption is also available through API calls (SDK and CLI).
KMS keys are scoped per region.
A key can be single-region, or multi-region (replicated to other regions with the same key ID and key material).
To copy an EBS volume encrypted with a single-region KMS key from region A to region B, the steps are as follows:
Take a snapshot of the encrypted EBS volume in region A.
Note that a single-region KMS key cannot be used in two different regions, so the data has to be re-encrypted with a key that lives in region B.
Copy the snapshot to region B, specifying a KMS key in region B; the copy is re-encrypted with that key during the copy.
Restore the copied snapshot into a volume in region B.
KMS key is the new name of KMS Customer Master Key (CMK); older docs and API names still say CMK.
There are two types of KMS key, based on the type of encryption mechanism.
Pricing: KMS API requests cost around $0.03 per 10,000 calls.
Symmetric KMS Key (AES-256)
A single key that is used to both encrypt and decrypt data.
AWS services that are integrated with KMS use symmetric KMS keys.
You never get access to the unencrypted key material; to use the key, you call the KMS API (Encrypt, Decrypt, GenerateDataKey, ...).
Asymmetric KMS Key (RSA and ECC)
A key pair is generated: a public key to encrypt data (or verify signatures) and a private key to decrypt data (or sign).
Used for encrypt/decrypt or sign/verify operations.
The public key is downloadable, but you can't access the private key unencrypted.
Typically used when encryption (or signature verification) needs to be done outside of AWS by users who can't call the KMS API.
AWS Owned Keys
These are free keys that AWS owns and manages on your behalf; they are not visible or manageable in your account and you do not see them in KMS, but they are a type of encryption key used within AWS.
The default service-side encryption options use them, for example SSE-S3, SSE-SQS and SSE-DDB.
AWS Managed Key
These are free keys.
Typically of the form aws/<service-name>, for example aws/rds.
They can only be used from within the service they are assigned to.
Customer managed keys
Cost $1/month each.
Keys can be generated by KMS, or generated by you and imported; the pricing remains the same, $1/month.
KMS also provides automatic key rotation.
For AWS managed KMS keys, automatic rotation happens once per year.
For customer managed KMS keys, you can enable automatic rotation (yearly by default) or trigger on-demand rotation.
For imported KMS keys, only manual rotation is possible: create a new key with new key material and repoint the alias to it.
Key rotation history is also available, including on-demand rotations.
KMS Key Policies
Similar to S3 bucket policies, with one difference: you cannot control access to a KMS key without a key policy; IAM policies alone are not enough.
If there is no KMS key policy, then no one can access the key.
By default, a KMS key policy is created when you do not specify one.
The default policy gives the account's root user complete access to the key.
Because it grants the root user, this default policy lets IAM policies in the account grant access: any IAM user or role in the account can use the key if it has the proper IAM permissions.
A custom key policy lets you control access to the key:
which users and roles can use the KMS key,
who can administer the key,
and it is the mechanism for cross-account access to the KMS key.
An example is copying a volume's snapshot across accounts, which involves the following steps:
Create a snapshot, encrypted with your customer managed KMS key.
Attach a KMS key policy that authorizes the target account (cross-account access).
Share the encrypted snapshot with the target account.
In the target account, create a copy of the snapshot, encrypting it with a different KMS key owned by that account.
Create a volume from the copied snapshot.
KMS request quotas
When the quota limit is exceeded, you get a ThrottlingException.
To resolve this, use exponential backoff and retry.
Each quota is calculated separately depending on the AWS region and the type of KMS key used in the request.
Cryptographic operations (Encrypt, Decrypt, GenerateDataKey, ...) share one quota per account per region.
AWS Support can increase the request quota if a ticket is opened.
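The backoff-and-retry advice above, as an added Python example (not code from the original page). It assumes nothing from AWS: the ThrottlingException class and the FakeKmsClient are constructed stand-ins for what boto3 raises (a botocore ClientError whose Error Code is "ThrottlingException") and for a real KMS client, so the logic runs offline. The retry uses full-jitter exponential backoff, re-raises once the attempt budget is exhausted instead of swallowing the failure, and accepts sleep/random hooks so the schedule can be checked deterministically:

```python
import random
import time


class ThrottlingException(Exception):
    """Constructed stand-in for the KMS ThrottlingException.

    With boto3 you would catch botocore.exceptions.ClientError and check
    e.response["Error"]["Code"] == "ThrottlingException" instead.
    """


def call_with_backoff(op, *, max_attempts=6, base_delay=0.05, max_delay=2.0,
                      sleep=time.sleep, rand=random.random):
    """Call op() and retry on ThrottlingException with full-jitter backoff.

    Returns (result, attempts_used). The last ThrottlingException is re-raised
    once max_attempts is exhausted so a throttled KMS request is never lost
    silently. `sleep` and `rand` are injectable for testing.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            return op(), attempt
        except ThrottlingException:
            if attempt == max_attempts:
                raise
            # Full jitter: wait uniformly in [0, min(max_delay, base * 2**(attempt-1))]
            # so many throttled callers do not all retry at the same instant.
            cap = min(max_delay, base_delay * (2 ** (attempt - 1)))
            sleep(rand() * cap)


class FakeKmsClient:
    """Constructed stand-in for boto3's KMS client: throttles the first N calls."""

    def __init__(self, throttle_n):
        self.throttle_n = throttle_n
        self.calls = 0

    def encrypt(self, KeyId, Plaintext):
        self.calls += 1
        if self.calls <= self.throttle_n:
            raise ThrottlingException("Rate exceeded")
        # A real client returns the ciphertext blob produced under KeyId.
        return {"KeyId": KeyId, "CiphertextBlob": b"<ciphertext of %d bytes>" % len(Plaintext)}


def encrypt_with_retry(client, key_id, plaintext, **backoff_kwargs):
    """Encrypt `plaintext` under `key_id`, retrying through KMS throttling."""
    return call_with_backoff(
        lambda: client.encrypt(KeyId=key_id, Plaintext=plaintext),
        **backoff_kwargs,
    )


if __name__ == "__main__":
    client = FakeKmsClient(throttle_n=3)  # first three calls are throttled
    response, attempts = encrypt_with_retry(
        client, "alias/example-key", b"secret", sleep=lambda s: None)
    print(attempts, response["KeyId"])
```

boto3 can do much of this for you: constructing the client with botocore.config.Config(retries={"mode": "adaptive"}) enables client-side rate limiting plus retries on throttling errors. Explicit backoff like the above is still useful for batch jobs that call KMS in a loop, where you also want to measure how often throttling happens and open the support ticket mentioned above before the job fails.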