
Encryption

Key Management Service (KMS)

  • Regional & public service (regions are isolated)
  • Allows you to create, store & manage symmetric/asymmetric keys
  • Can perform cryptographic operations (encrypt/decrypt)
  • Cryptographic keys never leave KMS (isolated to a region & cannot be extracted)
  • KMS provides FIPS 140-2 (Level 2) compliance
  • KMS keys are logical objects containing ID, date, policy, description & state
  • Backed by physical key material that can be generated by KMS or imported into it
  • KMS keys can be used to directly encrypt/decrypt up to 4 KB of data
  • KMS provides role separation for key generation, encryption & decryption

Decrypt

KMS does not need to be told which key to use for a Decrypt call: that information is already encoded in the ciphertext of the data.

Data Encryption Keys (DEKs)

  • Type of key generated by KMS from a KMS key using the GenerateDataKey operation. Used for data > 4 KB
  • These keys are linked to the KMS key that created them
  • KMS does not store the DEK: it provides it to the user/service & then discards it
  • When a DEK is generated, KMS provides a plaintext version of the key & a ciphertext (encrypted) version of that key

Key Policy & Security

  • Every KMS key has a key policy (a type of resource policy, e.g. like a bucket policy)
  • KMS keys have to explicitly trust the AWS account they are contained in (the key policy is created when creating the key)
  • To use KMS there must be key policies that trust the AWS account & IAM policies that allow users to perform operations on KMS
  • Key rotation for KMS managed keys is 1 year by default (off for customer managed keys)