Key Management Service (KMS)
- Regional & public service (regions are isolated from each other)
- Allows you to create, store & manage symmetric/asymmetric keys
- Can perform cryptographic operations (encrypt/decrypt) on your behalf
- Cryptographic key material never leaves KMS (it is isolated to a region & cannot be extracted)
- KMS provides FIPS 140-2 (Level 2) compliance
- KMS keys are logical objects containing an ID, creation date, key policy, description & state
- Backed by physical key material that can be generated by KMS or imported into KMS
- KMS keys can directly encrypt/decrypt up to 4 KB of data per operation
- KMS provides role separation for key generation, encryption & decryption
KMS does not need to be told which key to use for a decrypt operation. This information is already encoded in the ciphertext it produced.
Data Encryption Keys (DEKs)
- Type of key generated by KMS from a KMS key using the GenerateDataKey operation. DEKs are used to encrypt data larger than 4 KB (envelope encryption)
- These keys are linked to the KMS key that created them
- KMS does not store the DEK. It provides the DEK to the user/service & then discards it
- When a DEK is generated, KMS returns a plaintext version of the key & a ciphertext (encrypted) version of that key. You encrypt data with the plaintext DEK, discard it, and store the encrypted DEK alongside the data; to decrypt later you pass the encrypted DEK back to KMS Decrypt
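The DEK workflow above, and the point that Decrypt needs no key ID, as an added example (not from the notes or from AWS). The KMS service is a local stand-in class, not boto3, and the cipher is an HMAC-SHA256 keystream standing in for a real AEAD such as AES-GCM; the key id `demo-key` and all data are constructed.

```python
import os, hmac, hashlib, json

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-GCM: XOR data with an HMAC-SHA256 counter-mode keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class FakeKMS:
    """Local stand-in for the KMS API surface the notes describe (not boto3)."""
    MAX_DIRECT = 4096  # Encrypt/Decrypt accept at most 4 KB of plaintext

    def __init__(self):
        self._keys = {}  # key material stays inside this object, never returned

    def create_key(self, key_id: str) -> None:
        self._keys[key_id] = os.urandom(32)

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        if len(plaintext) > self.MAX_DIRECT:
            raise ValueError("KMS Encrypt is limited to 4 KB; use a data key")
        nonce = os.urandom(12)
        body = keystream_xor(self._keys[key_id], nonce, plaintext)
        # The key id is embedded in the ciphertext, so Decrypt needs no key id
        return json.dumps({"k": key_id, "n": nonce.hex(), "c": body.hex()}).encode()

    def decrypt(self, blob: bytes) -> bytes:
        env = json.loads(blob)
        return keystream_xor(self._keys[env["k"]], bytes.fromhex(env["n"]),
                             bytes.fromhex(env["c"]))

    def generate_data_key(self, key_id: str):
        dek = os.urandom(32)
        # Plaintext DEK plus the DEK encrypted under the KMS key; KMS keeps neither
        return dek, self.encrypt(key_id, dek)

def envelope_encrypt(kms: FakeKMS, key_id: str, data: bytes) -> dict:
    dek_plain, dek_cipher = kms.generate_data_key(key_id)
    nonce = os.urandom(12)
    body = keystream_xor(dek_plain, nonce, data)   # data may far exceed 4 KB
    del dek_plain  # discard the plaintext DEK as soon as the data is encrypted
    return {"dek": dek_cipher, "nonce": nonce, "body": body}

def envelope_decrypt(kms: FakeKMS, envelope: dict) -> bytes:
    dek_plain = kms.decrypt(envelope["dek"])  # only the encrypted DEK was stored
    return keystream_xor(dek_plain, envelope["nonce"], envelope["body"])
```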
Key Policy & Security
- Every KMS key has a key policy (a type of resource policy, like an S3 bucket policy)
- KMS keys have to explicitly trust the AWS account they are contained in (the key policy is created when the key is created)
- To use KMS there must be a key policy that trusts the AWS account & IAM policies that allow users to perform operations on KMS
- Key rotation for KMS managed keys is once per year by default (off by default for customer managed keys)