AWS Security - KMS
Sanket Terdal
Innovative Problem Solver | Agile Methodologies & Cross-Functional Leadership | Architect | Problem Solver | Blogger & Hands on Developer
Introduction
AWS provides services that help you protect your data, accounts, and workloads from unauthorized access. AWS data protection services provide encryption and key management and threat detection that continuously monitors and protects your accounts and workloads. Below are some of security tools and services under various categories like IAM, Detection. Network and application protection, Date protection and compliance. In this article, we are going to explore AWS Key management service (KMS)
AWS Key Management Service
Let's say we are using some of AWS services. There are couple of scenarios:
Scenario 1: Consider a scenario where?we have files up to 4 KB each in size, that needs to be encrypted at the client-side?
Scenario 2:We have an application hosted on EC2 instance and interacting with a DynamoDB table. There is a security requirement to ensure that all data on the DynamoDB table is encrypted at rest.
Let's see for above scenarios where we want to encrypt data at rest, how can we use AWS KMS ( Key Management Services)
AWS KMS (Key Management Service) is the service that manages encryption keys on AWS.?These encryption keys are called “Customer Master Keys” or CMKs. KMS uses Hardware Security Modules (HSM) to store CMKs. AWS KMS is integrated with many AWS services.
Customer Master Key(CMK): A key created by AWS KMS that can only be used within the AWS KMS Service. CMK is only used to encrypt a small amount of data less than 4KBs. AWS does not encrypt the gigabytes of data using CMK. If you have large data to encrypt, then use Data Keys.
Data Key: A symmetric key generated by AWS KMS for service. The data key is used to encrypt or decrypt data inside of service or custom application(s).It can be metadata associated with the encrypted data. AWS does NOT store or manage Data Keys. Instead, you have to manage them.
One can use one Customer Master Key (CMK) to generate thousands of unique data keys. We can generate data keys from a CMK using two methods.
Encryption Process
As in image below, service can send request GenerateDataKey to KMS to get data key(Plaintext and Encrypted) one. Once you get the that data key from KMS, use the Plaintext data key to encrypt your data. After encryption, never keep the Plaintext data key together with encrypted data(Ciphertext) since anyone can decrypt the Ciphertext using the Plaintext key. So remove the Plaintext data key from the memory as soon as possible. Just keep the Encrypted data key with the Ciphertext. When you want to decrypt it, call the KMS API with the encrypted data key and KMS will send you the Plaintext key if you are authorized to receive it. Afterward, you can decrypt the Ciphertext using the Plaintext key.
领英推荐
Decryption Process
To decrypt your data, pass the encrypted data key to the Decrypt operation. AWS KMS uses your CMK key to decrypt the data key and then returns the plaintext data key. Use the plaintext data key to decrypt your data and then remove the plaintext data key from memory as soon as possible. The following diagram shows how to use the Decrypt operation to decrypt an encrypted data key.
In AWS KMS, Customer Master Key(CMK) is used to encrypt the Data key that is again used to encrypt the actual data. This CMK is stored inside Hardware Security Module (HSM) with a greater level of protection.
Use Case : KMS with EBS
Amazon EBS offers volume encryption capability. Each volume is encrypted using AES-256-XTS. This requires two 256-bit volume keys, which you can think of as one 512-bit volume key. The volume key is encrypted under a KMS key in your account. For Amazon EBS to encrypt a volume for you, it must have access to generate a volume key (VK) under a KMS key in the account. You do this by providing a grant for Amazon EBS to the KMS key to create data keys and to encrypt and decrypt these volume keys. Now Amazon EBS uses AWS KMS with a KMS key to generate AWS KMS encrypted volume keys.(Source: AWS). Refer diagram below for below steps:
Scenarios
Let's revisit scenario we discussed at the start of this article
Scenario 1: Consider some of the scenarios where?we have files up to 4 KB each in size, that needs to be encrypted at the client-side.
Approach: AWS provides an Amazon encryption client which is embedded into the AWS SDK and CLI. With client-side encryption using AWS KMS, the customer creates a CMK in KMS associated with Key ID. File and CMK Key ID is passed to the AWS encryption client using SDK or CLI. The encryption client requests a data key from KMS using a specified CMK key ID.KMS uses CMK Key ID to generate a unique data encryption key, which the client uses to encrypt the object data.
Scenario 2:We have an application hosted on EC2 instance and interacting with a DynamoDB table. There is a security requirement to ensure that all data on the DynamoDB table is encrypted at rest.
Approach: DynamoDB encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS).
Conclusion
We have to encrypt data in transit as well as when data is at rest. For a website(HTTPS) to encrypt data in transit, communication between the browser and the server is encrypted by associating an SSL certification with the domain. Once the data gets to the point where the SSL termination happens on the server side the encrypted data is decrypted. This data is data at rest. This is where AWS KMS come into picture as seen above. Amazon Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. Master keys are created as resources in your own account and are used to control access to data encryption keys that encrypt and decrypt your data. You can create new master keys, and easily control who can use or manage them. Amazon KMS is integrated with other Amazon Web Services services making it easy to encrypt data you store in those services and control access to the keys that can decrypt it.
References: https://aws.amazon.com/kms/