#316 AWS KMS

About the AWS Key Management Service (KMS).

Notes

The AWS Key Management Service (KMS) is used to create and control keys used to encrypt or digitally sign data.

  • Fully integrated with IAM for authorization
  • AWS manages the encryption keys
  • CloudTrail can be used to audit KMS Key usage
  • Integrated with most AWS services (EBS, S3, etc)

Types of KMS Keys

  • AWS Owned Keys (free): used by SSE-S3, SSE-SQS, SSE-DDB
  • AWS Managed Keys (free): named aws/service-name, for example aws/rds or aws/ebs
  • Customer Managed Keys created in or imported into KMS: not free
  • Customer Managed Keys imported: $1 / month

Note: API calls to KMS are not free

Supported Key Types

  • Symmetric (AES-256 keys)
    • Single encryption key used to Encrypt and Decrypt
    • Integrated AWS services use Symmetric CMKs
    • You never get access to the unencrypted key material; the key is only used through the KMS API
  • Asymmetric (RSA & ECC key pairs)
    • Public (Encrypt) and Private Key (Decrypt) pair
    • For Encrypt/Decrypt and Sign/Verify operations
    • The public key is downloadable, but the unencrypted private key is never accessible
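
The pattern behind "used via KMS API" is envelope encryption: the application asks KMS for a data key, encrypts locally with the plaintext copy, stores only the wrapped copy, and later asks KMS to unwrap it. The block below is an added example, not code from these notes or from AWS. It swaps in a FakeKms stand-in for the boto3 KMS client (same generate_data_key/decrypt call shapes, KeyId "alias/app" is a constructed placeholder) and a keyed BLAKE2 keystream as a toy stand-in for AES-GCM, so it runs offline; the point it shows is that the KMS key never leaves the service while the application handles only data keys.

```python
"""Envelope encryption against a symmetric KMS key (added example, not from
the notes). FakeKms stands in for boto3's KMS client and a BLAKE2 keystream
stands in for AES-GCM; only the call shapes mirror the real API."""
import hashlib
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a keyed BLAKE2b keystream.
    Stand-in for AES-GCM only; it provides no integrity protection."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hashlib.blake2b(nonce + counter.to_bytes(8, "big"),
                                key=key, digest_size=64).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class FakeKms:
    """Holds the KMS key material internally and exposes only KMS-style
    operations, the way the real service does."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self._master = secrets.token_bytes(32)  # never returned to callers

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        # Returns a fresh data key both in plaintext and wrapped under the KMS key.
        assert KeyId == self.key_id and KeySpec == "AES_256"
        plaintext = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        blob = nonce + _keystream_xor(self._master, nonce, plaintext)
        return {"KeyId": KeyId, "Plaintext": plaintext, "CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        # Unwraps a data key; the KMS key itself is never exposed.
        nonce, wrapped = CiphertextBlob[:16], CiphertextBlob[16:]
        return {"KeyId": self.key_id,
                "Plaintext": _keystream_xor(self._master, nonce, wrapped)}


def encrypt_record(kms, key_id: str, plaintext: bytes) -> dict:
    """Encrypt locally with a data key; persist only the wrapped key."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(dk["Plaintext"], nonce, plaintext)
    # dk["Plaintext"] is dropped here; only the wrapped copy is stored.
    return {"wrapped_key": dk["CiphertextBlob"], "nonce": nonce,
            "ciphertext": ciphertext}


def decrypt_record(kms, record: dict) -> bytes:
    """Ask KMS to unwrap the data key, then decrypt locally."""
    data_key = kms.decrypt(CiphertextBlob=record["wrapped_key"])["Plaintext"]
    return _keystream_xor(data_key, record["nonce"], record["ciphertext"])


if __name__ == "__main__":
    kms = FakeKms("alias/app")  # constructed placeholder key id
    rec = encrypt_record(kms, "alias/app", b"order 1234: 2 x widget")
    print(decrypt_record(kms, rec))
```

With the real client the same two calls are `boto3.client("kms").generate_data_key(KeyId=..., KeySpec="AES_256")` and `.decrypt(CiphertextBlob=...)`, and the local cipher should be AES-GCM. Both calls are logged by CloudTrail, which is what makes per-record key use auditable.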

Automatic Key rotation

  • AWS-managed KMS Key: automatic every 1 year
  • Customer-managed KMS Key: automatic (must be enabled) and on-demand
  • Imported KMS Key: manual rotation only, by pointing the alias at a new key

KMS Key Policies

  • Default KMS Key Policy:
    • Created if you don’t provide a specific KMS Key Policy
    • Grants the account root user complete access to the key, which in effect means the entire AWS account
  • Custom KMS Key Policy:
    • Define users, roles that can access the KMS key
    • Define who can administer the key
    • Useful for cross-account access of your KMS key
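
To make the default versus custom policy distinction concrete, the block below is an added example (not from these notes or from AWS) that builds both policy documents with the standard library and runs a small review over them: it flags wildcard principals, administrative rights held outside the owning account, and principals that hold both administrative and usage rights. The account ids and role names are constructed placeholders, and the action lists are the ones commonly used to separate key administrators from key users.

```python
"""KMS key policies: default (root gets kms:*) versus a custom policy that
separates administration, use, and cross-account use. Added example with
constructed placeholder accounts and roles."""
import json

KEY_ACCOUNT = "111111111111"      # constructed: account that owns the key
PARTNER_ACCOUNT = "222222222222"  # constructed: account given cross-account use
ADMIN_ROLE = f"arn:aws:iam::{KEY_ACCOUNT}:role/KmsAdmin"
APP_ROLE = f"arn:aws:iam::{KEY_ACCOUNT}:role/OrderService"
PARTNER_ROLE = f"arn:aws:iam::{PARTNER_ACCOUNT}:role/PartnerReader"

# What a key *user* needs (encrypt/decrypt and data-key generation).
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
# What a key *administrator* needs; deliberately excludes Encrypt/Decrypt.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource",
                 "kms:UntagResource", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]


def default_key_policy(account_id: str) -> dict:
    """Policy KMS attaches when none is given: root gets kms:*, which hands
    all access control to IAM policies in that account."""
    return {"Version": "2012-10-17", "Id": "key-default-1", "Statement": [{
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "kms:*", "Resource": "*"}]}


def custom_key_policy(admin_arn, user_arns, external_user_arns=()) -> dict:
    """Name administrators, users and cross-account users explicitly.
    Cross-account principals also need an IAM policy in their own account
    allowing these actions on this key's ARN."""
    statements = [
        {"Sid": "AllowKeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": admin_arn}, "Action": ADMIN_ACTIONS, "Resource": "*"},
        {"Sid": "AllowKeyUse", "Effect": "Allow",
         "Principal": {"AWS": list(user_arns)}, "Action": USE_ACTIONS, "Resource": "*"},
    ]
    if external_user_arns:
        statements.append(
            {"Sid": "AllowCrossAccountUse", "Effect": "Allow",
             "Principal": {"AWS": list(external_user_arns)},
             "Action": USE_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Id": "key-custom-1", "Statement": statements}


def _principals(stmt) -> list:
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def _actions(stmt) -> list:
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def review_key_policy(policy: dict, key_account: str) -> list:
    """Return reviewer findings; an empty list means nothing flagged."""
    findings, admins, users = [], set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals, actions = _principals(stmt), _actions(stmt)
        if "*" in principals:
            findings.append(f"{stmt.get('Sid')}: wildcard principal")
        is_admin = any(a == "kms:*" or a in ADMIN_ACTIONS for a in actions)
        is_user = any(a == "kms:*" or a in USE_ACTIONS for a in actions)
        for p in principals:
            if p == "*":
                continue
            account = p.split(":")[4] if p.count(":") >= 5 else ""
            if is_admin and account != key_account:
                findings.append(f"{stmt.get('Sid')}: admin rights outside owning account ({p})")
            if is_admin:
                admins.add(p)
            if is_user:
                users.add(p)
    for p in sorted(admins & users):
        findings.append(f"{p} has both admin and use rights")
    return findings


if __name__ == "__main__":
    policy = custom_key_policy(ADMIN_ROLE, [APP_ROLE], [PARTNER_ROLE])
    print(json.dumps(policy, indent=2))
    print(review_key_policy(policy, KEY_ACCOUNT))
    print(review_key_policy(default_key_policy(KEY_ACCOUNT), KEY_ACCOUNT))
```

Run against the default policy, the review reports that the root principal holds both administrative and usage rights, which is exactly the "entire AWS account" behaviour the notes describe; the custom policy passes clean. A policy that makes a role in another account the administrator is reported as admin rights outside the owning account.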

Credits and References

About LCK#316 securityKMS

This page is a web-friendly rendering of my project notes shared in the LittleCodingKata GitHub repository.

About LittleCodingKata

LittleCodingKata is my collection of programming exercises, research and code toys broadly spanning things that relate to programming and software development (languages, frameworks and tools).

These range from the trivial to the complex and serious. Many are inspired by existing work and I'll note credits and references where applicable. The focus is quite scattered, as I variously work on things new and important in the moment, or go back to revisit things from the past.

This is primarily a personal collection for my own edification and learning, but anyone who stumbles by is welcome to borrow, steal or reference the work here. And if you spot errors or issues I'd really appreciate some feedback - create an issue, send me an email or even send a pull-request.
