Encryption

Previous29_KMS NextKMS API

Last updated 4 months ago

Encryption

In general, there are 3 types of encryption
- Encryption in flight
  - This type of encryption is typically achieved using TLS/SSL certificates in HTTPS secured websites.
  - Encrypt before sending the data to server and decrypted after receving from the server.
  - This avoids MITM (Man in the middle) attacks.
- Server Side encryption
  - Typically used to encrypt data in rest.
  - Data is encrypted after receiving at the server side and decrypted before sending to the requester using a key.
- Client Side encryption
  - Encrypt and decrypt data at client side itself.
  - Used in Envelope encryption.

AWS Key Management Service (KMS)

Icon

About

Its a key management service offered by AWS.
It manages encryption keys for us.
Its fully integrated with IAM for authorization
CloudTrail provides audit trails of KMS key usage.
Seamlessly integrated into most AWS services like RDS, ECS, S3 ...
Never store your credentials in plain text, especially in your code, rather encrypt using KMS key and refer to encrypted secrets.
KMS key encryption is also available through API calls (SDK and CLI).

KMS Keys

They are scoped per region.
Can single region or multi-region (replicated) keys.
To copy an EBS volume encrypted with a KMS Key in region A to region B. The steps will be as follows,
- Take a snapshot of encrypted EBS volume at region A.
- Note same KMS Key cannot be kept in two different region.
- Reencrypt the snapshot with a different KMS key at region A.
- Restore the snapshot into region B.

KMS Key Types

KMS Keys is the new name of KMS Customer Master Key.
There are two types of them based on type of encryption mechanism.
Pricing to access KMS API costs around $0.03 cents per 10000 calls.

Based on ecryption mechanism

Symmetric KMS Key (AES-256)

Single encryption keys that is used to encrypt and decrypt keys.
AWS Service that are integrated with KMS use Symmetric CMKs.
You never get access to the KMS unencrypted, to use them use KMS API calls.

Asymmetric KMS Key (RSA and ECC)

Two keys i.e a pair are generated namely, public key to encrypt data and private key to decrypt data.
Used to Encrypt/Decrypt or sign/verify operations.
The public key is downloadable, but you cant access the private Key unencrypted.
Typically used when encryption needs to be done outside of AWS by users who can't access KMS API.

Based on Key Management

AWS Owned Keys

These are free keys not KMS but is a type of encryption keys used within AWS.
SSE-S3, SSE-SQS, SSE-DDB

AWS Managed Key

These are free keys.
Typically of the form aws/<service-name>. Example -> aws/rds.
Can only be used from within the service that is assigned to.

Customer managed keys

Costs $1/month.
Keys can generated by you and imported as well, pricing remains same i.e $1/month.

Key Rotation

Also provides automatic key rotations.
For AWS managed KMS keys, automatic rotation per year.
For Customer managed KMS keys, can enable automatic rotation or on demand rotation.
For imported KMS Keys, only manual rotation is possible using alias.
Key rotation history is also available for on-demand key rotation.

KMS Key Policies

Similar to S3 Bucket policies, but only difference being cannot control access without them.
If there is no KMS Key policy, then no one can access them.

Default KMS Key Policy

By default there is a KMS Key policy and is created if there is no specific KMS Key Policy.
Complete access to the key to the root user.
This default policy allows all users/roles (not service) in the account to access the keys if they have proper IAM permissions.

Custom KMS Key Policy

Custom Key Policy allows to control access to the key
- Like users, roles that can access the KMS Key.
- Define who can administer the key.
Useful for cross-account access to the KMS Key.
Example include, copying a volume's snapshots across account, which includes following steps.
1. Create a snapshot, encrypted with your Customer managed KMS Key.
2. Attach a KMS key policy to authorize a cross-account access.
3. Share the encrypted snapshot.
4. Create a copy of the snapshot, encrypt it with a different CMK in target account.
5. Create a volume from snapshot.

KMS Quota

When the quota limit is exceeded, you get a ThrottlingException.
To resolve this issue, use exponential-backoff and retry.
Depending on the AWS region and type of CMK used in the request, each quota is calculated separately.
For cryptographic operations, they share a quota across account per region.
AWS support can increase the request quota if a ticket is opened.

Previous29_KMS NextKMS API

Last updated 4 months ago

In general, there are 3 types of encryption
- Encryption in flight
  - This type of encryption is typically achieved using TLS/SSL certificates in HTTPS secured websites.
  - Encrypt before sending the data to server and decrypted after receving from the server.
  - This avoids MITM (Man in the middle) attacks.
- Server Side encryption
  - Typically used to encrypt data in rest.
  - Data is encrypted after receiving at the server side and decrypted before sending to the requester using a key.
- Client Side encryption
  - Encrypt and decrypt data at client side itself.
  - Used in Envelope encryption.

AWS Key Management Service (KMS)

Icon

About

Its a key management service offered by AWS.
It manages encryption keys for us.
Its fully integrated with IAM for authorization
CloudTrail provides audit trails of KMS key usage.
Seamlessly integrated into most AWS services like RDS, ECS, S3 ...
Never store your credentials in plain text, especially in your code, rather encrypt using KMS key and refer to encrypted secrets.
KMS key encryption is also available through API calls (SDK and CLI).

KMS Keys

They are scoped per region.
Can single region or multi-region (replicated) keys.
To copy an EBS volume encrypted with a KMS Key in region A to region B. The steps will be as follows,
- Take a snapshot of encrypted EBS volume at region A.
- Note same KMS Key cannot be kept in two different region.
- Reencrypt the snapshot with a different KMS key at region A.
- Restore the snapshot into region B.

KMS Key Types

KMS Keys is the new name of KMS Customer Master Key.
There are two types of them based on type of encryption mechanism.
Pricing to access KMS API costs around $0.03 cents per 10000 calls.

Based on ecryption mechanism

Symmetric KMS Key (AES-256)

Single encryption keys that is used to encrypt and decrypt keys.
AWS Service that are integrated with KMS use Symmetric CMKs.
You never get access to the KMS unencrypted, to use them use KMS API calls.

Asymmetric KMS Key (RSA and ECC)

Two keys i.e a pair are generated namely, public key to encrypt data and private key to decrypt data.
Used to Encrypt/Decrypt or sign/verify operations.
The public key is downloadable, but you cant access the private Key unencrypted.
Typically used when encryption needs to be done outside of AWS by users who can't access KMS API.

Based on Key Management

AWS Owned Keys

These are free keys not KMS but is a type of encryption keys used within AWS.
SSE-S3, SSE-SQS, SSE-DDB

AWS Managed Key

These are free keys.
Typically of the form aws/<service-name>. Example -> aws/rds.
Can only be used from within the service that is assigned to.

Customer managed keys

Costs $1/month.
Keys can generated by you and imported as well, pricing remains same i.e $1/month.

Key Rotation

Also provides automatic key rotations.
For AWS managed KMS keys, automatic rotation per year.
For Customer managed KMS keys, can enable automatic rotation or on demand rotation.
For imported KMS Keys, only manual rotation is possible using alias.
Key rotation history is also available for on-demand key rotation.

KMS Key Policies

Similar to S3 Bucket policies, but only difference being cannot control access without them.
If there is no KMS Key policy, then no one can access them.

Default KMS Key Policy

By default there is a KMS Key policy and is created if there is no specific KMS Key Policy.
Complete access to the key to the root user.
This default policy allows all users/roles (not service) in the account to access the keys if they have proper IAM permissions.

Custom KMS Key Policy

Custom Key Policy allows to control access to the key
- Like users, roles that can access the KMS Key.
- Define who can administer the key.
Useful for cross-account access to the KMS Key.
Example include, copying a volume's snapshots across account, which includes following steps.
1. Create a snapshot, encrypted with your Customer managed KMS Key.
2. Attach a KMS key policy to authorize a cross-account access.
3. Share the encrypted snapshot.
4. Create a copy of the snapshot, encrypt it with a different CMK in target account.
5. Create a volume from snapshot.

KMS Quota

When the quota limit is exceeded, you get a ThrottlingException.
To resolve this issue, use exponential-backoff and retry.
Depending on the AWS region and type of CMK used in the request, each quota is calculated separately.
For cryptographic operations, they share a quota across account per region.
AWS support can increase the request quota if a ticket is opened.