AWS KMS: Key Concepts & Benefits

Let's begin with a few questions to which you already know the answers:

  • Your IT Security department has mandated that all data on EBS volumes created for underlying EC2 Instances needs to be encrypted. Which of the following can help achieve this?
  • An organization's security policy requires an application to encrypt data before writing it to the disk. Which solution should the organization use to meet this requirement?
  • A company is using a Redshift cluster to store its data warehouse. There is a requirement from the Internal IT Security team to encrypt data for the Redshift database. How can this be achieved?
  • A customer wants to create a set of EBS volumes in AWS. The data on the volumes is required to be encrypted at rest. How can this be achieved?

The answer to all the questions given above is AWS KMS.

What is AWS Key Management Service?

  • AWS KMS is a service that helps you create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.
  • AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.
  • AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

Key Concepts

AWS KMS key

  • A logical key that represents the top of your key hierarchy.
  • A KMS key is given an Amazon Resource Name (ARN) that includes a unique key identifier, or key ID.

AWS KMS keys have three types:

  • Customer-managed keys – Customers create and control the lifecycle and key policies of customer-managed keys.
  • AWS managed keys – AWS creates and controls the lifecycle and key policies of AWS managed keys, which are resources in a customer's AWS account. Customers can view access policies and CloudTrail events for AWS managed keys, but cannot manage any aspect of these keys.
  • AWS owned keys – These keys are created and exclusively used by AWS for internal encryption operations across different AWS services. Customers do not have visibility into key policies or AWS owned key usage in CloudTrail.

Alias

  • A user-friendly name that is associated with a KMS key.
  • Alias names start with alias/ (for example alias/payments-db) and can be used in place of the key ID or key ARN in many of the AWS KMS API operations.

Permissions

  • Every KMS key has a key policy, a resource policy that is the primary way to control access to that key; no principal, not even the account's root user, has any access to the key unless the key policy (directly or indirectly) grants it.
  • The default key policy grants the account's root user full access (kms:*), which is what allows IAM policies in that account to grant principals access to the key. If that statement is removed without another administrator being named, IAM policies can no longer grant access and you can lock yourself out of the key.

Grants

  • A grant is a delegated permission to use a KMS key, for cases where the intended IAM principals or the duration of use are not known when the key policy or IAM policy is written and therefore cannot be added to it.
  • One use of grants is to define scoped-down permissions for how an AWS service can use a KMS key: a grant names the operations it allows and can carry constraints, for example that a particular encryption context must be present.
  • The service may need to use your key to do asynchronous work on your behalf on encrypted data, in the absence of a directly signed API call from you.

Data keys

  • Cryptographic keys are generated on HSMs, protected by a KMS key.
  • AWS KMS allows authorized entities to obtain data keys protected by a KMS key.
  • They can be returned both as plaintext (unencrypted) data keys and as encrypted data keys: GenerateDataKey returns both copies, while GenerateDataKeyWithoutPlaintext returns only the encrypted copy, for a component that writes data but should never hold a usable key.
  • Data keys can be symmetric or asymmetric (with both the public and private portions returned).

Ciphertexts

  • The encrypted output of AWS KMS is sometimes referred to as customer ciphertext to eliminate confusion.
  • Ciphertext contains encrypted data with additional information that identifies the KMS key to use in the decryption process.
  • Encrypted data keys are one common example of ciphertext produced when using a KMS key, but any data up to 4 KB (4,096 bytes) in size can be encrypted directly under a symmetric KMS key with the Encrypt operation; anything larger is encrypted locally under a data key (envelope encryption).

Encryption context

  • AWS KMS uses authenticated encryption (AES-256-GCM for symmetric KMS keys) to protect data keys and other ciphertexts.
  • The encryption context is a set of non-secret key-value pairs that is incorporated into the additional authenticated data (AAD) of that authenticated encryption.
  • Supplying a context is optional, and it is not embedded in the ciphertext that KMS returns, so the caller has to store or reconstruct it. If a context was used to encrypt, exactly the same key-value pairs must be supplied to decrypt; otherwise KMS rejects the request with InvalidCiphertextException.
  • The intended use of the encryption context is to provide additional authenticated information that binds a ciphertext to its purpose.
  • The context is not secret: it is written in plaintext to AWS CloudTrail and can be referenced in key policy and IAM policy conditions (kms:EncryptionContext:<key>) and in grant constraints, so never put sensitive values in it.
  • For example, you could use a key-value pair of {"key name":"satellite uplink key"} to name the data key.
  • Subsequent use of the key creates an AWS CloudTrail entry that includes "key name": "satellite uplink key". This additional information helps you understand why a given KMS key was used.
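The following is an added example, not code from the article, that puts the data key and encryption context concepts above together as envelope encryption. The two client calls have the shape of the real boto3 API (kms.generate_data_key(KeyId=..., KeySpec="AES_256", EncryptionContext={...}) and kms.decrypt(CiphertextBlob=..., EncryptionContext={...}), with a context mismatch raising kms.exceptions.InvalidCiphertextException), so a real boto3.client("kms") can be passed as kms. LocalKms is an offline stand-in so the example runs without AWS, and its _seal/_open pair is a toy AEAD (HMAC-SHA256 keystream, encrypt-then-MAC) standing in for AES-256-GCM; it is for illustration only, and production code should use AES-GCM (for example from the cryptography package) or the AWS Encryption SDK for the body.

```python
"""Envelope encryption with an encryption context, in the shape of the boto3 KMS API.

Added example, not code from the article. `LocalKms` stands in for boto3.client("kms")
so it runs offline; `_seal`/`_open` is a toy AEAD (HMAC-SHA256 keystream, encrypt-
then-MAC) standing in for AES-256-GCM and is for illustration only.
"""
import hashlib, hmac, json, secrets, struct, uuid


def canonical_aad(context):
    """Serialise the encryption context deterministically so pair order is irrelevant."""
    return json.dumps(context or {}, sort_keys=True, separators=(",", ":")).encode()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key, plaintext, aad):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # the tag binds the AAD (length-prefixed), the nonce and the ciphertext together
    tag = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob, aad):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key, wrong encryption context or tampering")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class LocalKms:
    """Offline stand-in for the boto3 KMS client; key material never leaves this object."""

    class exceptions:  # mirrors kms.exceptions on a real boto3 client
        class InvalidCiphertextException(Exception):
            pass

    def __init__(self):
        self._keys = {}  # key id -> 256-bit KMS key material (in real KMS: inside the HSM)

    def create_key(self):
        key_id = str(uuid.uuid4())
        self._keys[key_id] = secrets.token_bytes(32)
        return {"KeyMetadata": {"KeyId": key_id}}

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        data_key = secrets.token_bytes(32 if KeySpec == "AES_256" else 16)
        wrapped = _seal(self._keys[KeyId], data_key, canonical_aad(EncryptionContext))
        # the blob names the key it was wrapped under; that is why KeyId is optional in Decrypt
        return {"Plaintext": data_key, "CiphertextBlob": KeyId.encode() + b"|" + wrapped, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        key_id, wrapped = CiphertextBlob.split(b"|", 1)
        key_id = key_id.decode()
        try:
            plaintext = _open(self._keys[key_id], wrapped, canonical_aad(EncryptionContext))
        except ValueError as err:
            raise self.exceptions.InvalidCiphertextException(str(err)) from None
        return {"Plaintext": plaintext, "KeyId": key_id}


def envelope_encrypt(kms, key_id, plaintext, context):
    """One data key per object; only the wrapped copy is stored beside the ciphertext."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=context)
    body = _seal(resp.pop("Plaintext"), plaintext, canonical_aad(context))  # plaintext key used once
    return {"edk": resp["CiphertextBlob"], "body": body}


def envelope_decrypt(kms, envelope, context):
    """The caller supplies the context it expects; it is deliberately not read from the envelope."""
    data_key = kms.decrypt(CiphertextBlob=envelope["edk"], EncryptionContext=context)["Plaintext"]
    return _open(data_key, envelope["body"], canonical_aad(context))


def try_decrypt(kms, envelope, context):
    """Plaintext, or None when KMS rejects the data key for this context or the body fails to verify."""
    try:
        return envelope_decrypt(kms, envelope, context)
    except (ValueError, kms.exceptions.InvalidCiphertextException):
        return None


if __name__ == "__main__":
    kms = LocalKms()
    key_id = kms.create_key()["KeyMetadata"]["KeyId"]
    env = envelope_encrypt(kms, key_id, b"telemetry frame 42", {"key name": "satellite uplink key"})
    print(try_decrypt(kms, env, {"key name": "satellite uplink key"}), try_decrypt(kms, env, {"key name": "x"}))
```

Two design points carry over to real deployments: the plaintext data key is dropped the moment the body is encrypted, so only the wrapped copy (the edk) is ever persisted, and the decrypting side computes the context it expects from what it already knows about the record (tenant, object name) rather than trusting a copy stored next to the ciphertext, which is what makes the context a policy control rather than a label.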

Public key

  • When using asymmetric ciphers (RSA or elliptic curve), the public key is the “public component” of a public-private key pair.
  • The public key can be shared and distributed to entities that need to encrypt data for the owner of the public-private key pair.
  • For digital signature operations, the public key is used to verify the signature.

Private key

  • When using asymmetric ciphers (RSA or elliptic curve), the private key is the “private component” of a public-private key pair.
  • The private key is used to decrypt data or create digital signatures.
  • Similar to symmetric KMS keys, private keys are encrypted in HSMs. They are decrypted only into the short-term memory of the HSM and only for the time needed to process your cryptographic request.

Benefits

Centralized Key Management

  • Centralized control over the lifecycle and permissions of your keys
  • Create new keys and control who can manage keys separately from who can use them.
  • You can import keys from your own key management infrastructure, or use keys stored in your AWS CloudHSM cluster
  • You can enable automatic rotation of the key material of KMS keys generated in AWS KMS (once per year by default) without the need to re-encrypt previously encrypted data.
  • The service keeps every older version of the key material available under the same key ID, so ciphertexts produced before a rotation continue to decrypt.
  • Manage and audit KMS keys using the AWS Management Console, the AWS SDKs, or the AWS Command Line Interface (CLI).

AWS Service Integration

  • To protect data at rest, integrated AWS services use envelope encryption, where a data key is used to encrypt data and is itself encrypted under a KMS key stored in AWS KMS.
  • For signing and verification, integrated AWS services use a key pair from an asymmetric KMS key in AWS KMS.
  • There are two types of KMS key resources that can be created in your AWS account:
  • (i) An AWS managed KMS key can be created automatically when needed. You can list or inventory AWS managed KMS keys and receive a record of their use in AWS CloudTrail, but permissions for the resource are managed by the AWS service it was created to be used with.
  • (ii) A customer-managed KMS key gives you the highest degree of control over the permissions and lifecycle of the key.

Scalability, Durability, and High Availability

  • It defines default quotas for the number of keys and for request rates, but you can request increased quotas if necessary.
  • The KMS keys you create or ones that are created on your behalf by other AWS services cannot be exported from the service. Therefore AWS KMS takes responsibility for their durability.
  • To help ensure that your keys and your data are highly available, it stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.
  • If you import your own key material, AWS KMS does not keep a recoverable copy of it: you must maintain a secure copy yourself so that you can re-import it if it expires or is otherwise unavailable when you need to use it.
  • If you use the custom key store feature to create your KMS keys in an AWS CloudHSM cluster, encrypted copies of your keys are automatically backed up and you have full control over the recovery process.
  • For encrypted data or digital signature workflows that move across Regions (disaster recovery, multi-region high availability architectures, DynamoDB Global Tables, and globally distributed consistent digital signatures), you can create KMS multi-Region keys, a set of interoperable keys with the same key material and key IDs that can be replicated into multiple Regions.
  • AWS KMS is designed to be a highly available service with a regional API endpoint.
  • As most AWS services rely on it for encryption and decryption, it is architected to provide a level of availability that supports the rest of AWS and is backed by the?AWS KMS Service Level Agreement.

Secured

  • The service uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to protect the confidentiality and integrity of your keys.
  • Plaintext keys are never written to disk and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation.
  • Key material for keys created in AWS KMS never leaves the AWS Region in which it was created, and a single-Region key can only be used in that Region. The exception is multi-Region keys, whose key material is deliberately replicated to the Regions you choose.

Custom Key Store

  • AWS KMS provides the option for you to create your own key store using HSMs that you control. Each custom key store is backed by an AWS CloudHSM cluster.
  • When you use a KMS key in a custom key store, the cryptographic operations under that key are performed in your AWS CloudHSM cluster.

Asymmetric Keys

  • You can designate a KMS key for use as a signing key pair or an encryption key pair.
  • Key pair generation and asymmetric cryptographic operations using these KMS keys are performed inside HSMs.
  • You can request the public portion of the asymmetric KMS key for use in your local applications, while the private portion never leaves the service.
  • You can also request the service to generate an asymmetric data key pair.
  • This operation returns a plaintext copy of the public key and private key as well as a copy of the private key encrypted under a symmetric KMS key that you specify.
  • You can use the plaintext public or private key in your local application and store the encrypted copy of the private key for future use.

HMAC

  • You can generate and verify Hash-Based Message Authentication Codes (HMACs) inside KMS's FIPS 140-2 validated hardware security modules (HSMs), so the HMAC key material is never handed to your application.
  • HMACs are a cryptographic building block that incorporates secret key material within a hash function to create a unique keyed message authentication code.
  • HMAC KMS keys provide an advantage over HMACs from application software because the key material is generated and used entirely within AWS KMS, and they are subject to the access controls that you set on the key.
  • The HMAC KMS keys and the HMAC algorithms that AWS KMS uses conform to industry standards defined in RFC 2104.
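As an added example (not code from the article), here is a small session-token scheme that issues and checks tokens through the KMS HMAC API, so the application never holds the HMAC key. The calls have the shape of the real boto3 API (kms.generate_mac(KeyId=..., Message=..., MacAlgorithm="HMAC_SHA_256") and kms.verify_mac(KeyId=..., Message=..., Mac=..., MacAlgorithm=...), the latter raising kms.exceptions.KMSInvalidMacException on a mismatch), so a real boto3.client("kms") can be passed as kms. LocalHmacKms is an offline stand-in and the alias alias/session-tokens is hypothetical.

```python
"""Session tokens authenticated through the KMS HMAC API (shape of the boto3 calls).

Added example, not code from the article. `LocalHmacKms` is an offline stand-in for
boto3.client("kms") that keeps the key inside itself, as KMS keeps it inside the HSM.
"""
import base64, hashlib, hmac, json, secrets, time

KEY_ID = "alias/session-tokens"  # hypothetical alias of an HMAC KMS key


class LocalHmacKms:
    class exceptions:  # mirrors kms.exceptions on a real boto3 client
        class KMSInvalidMacException(Exception):
            pass

    def __init__(self):
        self._keys = {KEY_ID: secrets.token_bytes(32)}  # never returned to callers

    def generate_mac(self, KeyId, Message, MacAlgorithm="HMAC_SHA_256"):
        if len(Message) > 4096:  # KMS accepts at most 4096 bytes of Message
            raise ValueError("Message exceeds 4096 bytes")
        mac = hmac.new(self._keys[KeyId], Message, hashlib.sha256).digest()
        return {"Mac": mac, "MacAlgorithm": MacAlgorithm, "KeyId": KeyId}

    def verify_mac(self, KeyId, Message, Mac, MacAlgorithm="HMAC_SHA_256"):
        expected = self.generate_mac(KeyId, Message, MacAlgorithm)["Mac"]
        if not hmac.compare_digest(expected, Mac):  # constant-time comparison
            raise self.exceptions.KMSInvalidMacException("MAC does not match")
        return {"MacValid": True, "MacAlgorithm": MacAlgorithm, "KeyId": KeyId}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_token(kms, subject, ttl_seconds, now=None):
    """Token = base64(claims) '.' base64(mac); the application never sees the HMAC key."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"sub": subject, "exp": now + ttl_seconds}, sort_keys=True).encode()
    mac = kms.generate_mac(KeyId=KEY_ID, Message=claims, MacAlgorithm="HMAC_SHA_256")["Mac"]
    return _b64(claims) + "." + _b64(mac)


def check_token(kms, token, now=None):
    """Return the subject if the MAC verifies and the token is unexpired, else None.
    Nothing in the claims is trusted until VerifyMac has accepted the exact bytes."""
    now = int(time.time()) if now is None else now
    try:
        claims_b64, mac_b64 = token.split(".", 1)
        claims = base64.urlsafe_b64decode(claims_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
        kms.verify_mac(KeyId=KEY_ID, Message=claims, Mac=mac, MacAlgorithm="HMAC_SHA_256")
        parsed = json.loads(claims)
    except (ValueError, kms.exceptions.KMSInvalidMacException):
        return None
    if parsed.get("exp", 0) <= now:
        return None
    return parsed.get("sub")


def forge_subject(token, subject):
    """What an attacker without the key can do: rewrite the claims and keep the old MAC."""
    claims_b64, mac_b64 = token.split(".", 1)
    parsed = json.loads(base64.urlsafe_b64decode(claims_b64))
    parsed["sub"] = subject
    return _b64(json.dumps(parsed, sort_keys=True).encode()) + "." + mac_b64


if __name__ == "__main__":
    kms = LocalHmacKms()
    token = issue_token(kms, "alice", 300)
    print(check_token(kms, token), check_token(kms, forge_subject(token, "admin")))
```

Because verification happens inside KMS, the usual failure modes of application-side HMAC (a key leaked from a config file, a non-constant-time comparison) are removed from the application, and every GenerateMac and VerifyMac call appears in CloudTrail under the key policy's access controls.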
