KMS Flashcards
AWS regional services operate in isolation from every other region and require explicit configuration to access, or be accessed from, other regions
True
KMS is a regional service
True
AWS KMS is a public service: its endpoints live in the AWS public zone and are reachable from the internet (or privately via interface VPC endpoints)
True
KMS Features
- Regional and public service (keys can be made Multi-Region)
- Create, store and manage keys
- Symmetric and asymmetric keys
- Cryptographic operations (encrypt, decrypt & …)
- Key material never leaves KMS in plaintext
- Backed by FIPS 140-2 validated HSMs (originally Level 2 overall; AWS recertified them at Level 3 in 2023)
KMS Keys Components
A KMS key is a logical container for the actual key material (the backing key). Its attributes are:
- key ID
- creation date
- key policy
- description
- key state
KMS key max size
4 KB: Encrypt and Decrypt using a KMS key directly accept at most 4096 bytes of plaintext. Anything larger is handled with a data encryption key (envelope encryption)
KMS Role separation
Creating/administering keys, encrypting and decrypting are separate IAM actions (for example kms:CreateKey, kms:Encrypt, kms:Decrypt), so each can be granted to a different role. A key administrator does not need permission to use the key, and a key user does not need permission to manage it
KMS Data Encryption Key
A DEK is used to encrypt data larger than 4 KB (envelope encryption).
Unlike a KMS key, a DEK is not stored inside KMS: KMS generates it and wraps it, nothing more.
GenerateDataKey returns the DEK twice, in plaintext and encrypted under the chosen KMS key. You encrypt your data locally with the plaintext DEK, discard the plaintext, and store the encrypted DEK alongside the ciphertext. To decrypt, send the encrypted DEK back to KMS (Decrypt), get the plaintext DEK back and decrypt the data yourself. The same DEK can encrypt any number of files, though a fresh DEK per object limits the damage if one plaintext DEK leaks
KMS Keys vs DEK
KMS key: KMS performs the encryption; you send the data (at most 4 KB) and receive ciphertext, and the key never leaves KMS.
DEK: KMS hands you the key (a plaintext copy plus a copy encrypted under the KMS key) and you perform the encryption yourself; KMS is only involved again to decrypt the encrypted DEK, never to touch the data
KMS Decryption
Ciphertext can only be decrypted in the region that holds the key which encrypted it: KMS keys cannot leave the region where they were created and key material cannot be exported from KMS. Multi-Region keys are the exception; they replicate the same key material to other regions so the ciphertext can be decrypted there
Customer Managed Keys
Customer managed keys are highly customizable. Unlike AWS managed keys, their key policy can be edited, so they can be configured for cross-account use, made Multi-Region, given custom rotation settings, etc
KMS Key Rotation
AWS managed keys are rotated automatically once a year (fixed; you cannot change it).
Customer managed keys: automatic rotation is optional (yearly by default, with a configurable period of 90 to 2560 days), and on-demand rotation can be triggered at any time
Aliases
An alias (for example alias/my-app-key) is a friendly, per-region name that points at exactly one KMS key; applications reference the alias so the underlying key can change without code changes.
Automatic rotation changes neither the key ID nor its alias, and the previous backing keys are retained, so data encrypted before the rotation can still be decrypted. Manual rotation means creating a new key and repointing the alias to it.
Aliases exist only for KMS keys; a DEK is not a KMS resource and has no alias
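The DEK card, the 4 KB limit card and the rotation/alias card above describe one workflow: envelope encryption, and the fact that old backing keys survive rotation. The following is an added example, not code from the original deck or from AWS. It runs offline against FakeKMS, a constructed in-memory stand-in whose methods copy the boto3 call shapes (encrypt, decrypt, generate_data_key, rotate_key_on_demand returning dicts with KeyId / Plaintext / CiphertextBlob), so encrypt_object and decrypt_object could be pointed at a real boto3 KMS client. The stdlib has no AES, so the local data cipher (seal/unseal) is an HMAC-SHA256 encrypt-then-MAC stream stand-in; in production use AES-GCM from the cryptography package.

```python
"""Envelope encryption against an in-memory KMS stand-in (added example, not AWS code).

FakeKMS keeps key material inside the object and enforces the 4096-byte limit on
direct Encrypt; rotation appends a new backing key and keeps the old ones, so
ciphertext written before a rotation still decrypts. seal/unseal are a stdlib
stand-in for AES-GCM (HMAC-SHA256 keystream, encrypt-then-MAC), not for production.
"""
import hashlib
import hmac
import os
import struct

KMS_DIRECT_LIMIT = 4096  # bytes of plaintext that Encrypt/Decrypt accept directly


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return out[:length]


def _subkeys(key):
    # Derive separate encryption and MAC keys from the 32-byte DEK / backing key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKMS:
    """Constructed stand-in: key material never leaves this object; callers only see blobs."""

    def __init__(self):
        self._backing = {}  # key_id -> list of backing keys; rotation appends, never drops

    def create_key(self):
        key_id = os.urandom(8).hex()  # 16 hex chars, used as the blob header below
        self._backing[key_id] = [os.urandom(32)]
        return {"KeyMetadata": {"KeyId": key_id}}

    def rotate_key_on_demand(self, KeyId):
        self._backing[KeyId].append(os.urandom(32))  # new material; old versions retained
        return {"KeyId": KeyId}

    def encrypt(self, KeyId, Plaintext):
        if len(Plaintext) > KMS_DIRECT_LIMIT:
            raise ValueError("ValidationException: Plaintext must be at most 4096 bytes")
        version = len(self._backing[KeyId]) - 1  # always encrypt under the current backing key
        header = KeyId.encode() + struct.pack(">I", version)  # records which backing key was used
        return {"KeyId": KeyId, "CiphertextBlob": header + seal(self._backing[KeyId][version], Plaintext)}

    def decrypt(self, CiphertextBlob):
        key_id = CiphertextBlob[:16].decode()
        version = struct.unpack(">I", CiphertextBlob[16:20])[0]  # old versions still decrypt
        return {"KeyId": key_id, "Plaintext": unseal(self._backing[key_id][version], CiphertextBlob[20:])}

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        dek = os.urandom(32)  # returned in plaintext and wrapped under the KMS key
        return {"KeyId": KeyId, "Plaintext": dek,
                "CiphertextBlob": self.encrypt(KeyId=KeyId, Plaintext=dek)["CiphertextBlob"]}


def encrypt_object(kms, key_id, data):
    """Envelope encryption: data is encrypted locally; only the wrapped DEK is persisted."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    body = seal(dk["Plaintext"], data)
    del dk["Plaintext"]  # discard the plaintext DEK as soon as the data is encrypted
    return {"wrapped_dek": dk["CiphertextBlob"], "body": body}


def decrypt_object(kms, obj):
    # KMS only unwraps the 32-byte DEK; the data itself never goes to KMS.
    dek = kms.decrypt(CiphertextBlob=obj["wrapped_dek"])["Plaintext"]
    return unseal(dek, obj["body"])


def demo():
    kms = FakeKMS()
    key_id = kms.create_key()["KeyMetadata"]["KeyId"]
    big = b"A" * 10_000  # constructed 10 KB object, over the direct Encrypt limit
    try:
        kms.encrypt(KeyId=key_id, Plaintext=big)
        direct_ok = True
    except ValueError:
        direct_ok = False
    obj = encrypt_object(kms, key_id, big)
    kms.rotate_key_on_demand(KeyId=key_id)  # rotate after the object was written
    return {"direct_encrypt_ok": direct_ok,
            "roundtrip_after_rotation": decrypt_object(kms, obj) == big,
            "backing_key_versions": len(kms._backing[key_id])}
```

Calling demo() shows the three facts from the cards together: the 10 KB direct Encrypt is rejected, the envelope round trip succeeds, and it still succeeds after a rotation because the blob header names the backing key version that encrypted it. Replace FakeKMS() with boto3.client("kms") and create_key/rotate_key_on_demand with the real key ID to run the same encrypt_object/decrypt_object against AWS.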
KMS Key Policy
Like an S3 bucket (resource) policy, but trust is not automatic: the key's own account is not implicitly trusted, so the trusted identity/resource must be explicitly specified in the key policy; if not…
An IAM policy can grant kms:CreateKey, kms:Encrypt, kms:Decrypt and so on, but it only takes effect if the key policy trusts the caller's account, conventionally through a statement that allows the account root principal (arn:aws:iam::<account-id>:root). Without that statement, IAM policies alone grant nothing on the key
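The two-gate check just described (key policy first, then IAM only if the key policy trusts the account root), together with the role-separation card, as an added example that is not part of the original deck and not AWS code. The account id, role names and the three policies are constructed for the example; explicit Deny, conditions, grants and cross-account access are deliberately left out of the model.

```python
"""Simplified model of KMS authorization (added example, not AWS code).

KMS evaluates the key policy first. A caller in the key's own account can be
allowed by an IAM identity policy only when the key policy delegates to the
account, conventionally via a statement allowing the account root principal.
Explicit Deny, conditions, grants and cross-account access are omitted.
"""
import fnmatch

ACCOUNT = "111122223333"  # constructed account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"    # constructed role
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AppServer"    # constructed role

# Default-style key policy: trusts the account root, so IAM policies decide.
DEFAULT_KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}

# Locked-down key policy: names specific roles and has no root statement,
# so IAM policies in the account are ignored. Admin and usage are split.
LOCKED_KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": KEY_ADMIN},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Put*",
                "kms:Update*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
     "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]}

# IAM identity policy attached to the AppServer role.
APP_IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _action_allowed(statement, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(statement.get("Action")))


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    return _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)


def key_policy_allows(key_policy, principal, action):
    """True if an Allow statement in the key policy names this principal and action."""
    return any(stmt.get("Effect") == "Allow"
               and principal in _aws_principals(stmt)
               and _action_allowed(stmt, action)
               for stmt in key_policy.get("Statement", []))


def iam_policy_allows(iam_policy, action):
    return any(stmt.get("Effect") == "Allow" and _action_allowed(stmt, action)
               for stmt in iam_policy.get("Statement", []))


def kms_authorizes(key_policy, iam_policy, principal, action):
    """Two ways in: the key policy names the caller, or it trusts the account root
    for that action and the caller's IAM policy allows it. IAM alone is never enough."""
    if key_policy_allows(key_policy, principal, action):
        return True
    return key_policy_allows(key_policy, ROOT, action) and iam_policy_allows(iam_policy, action)
```

With the default-style key policy, AppServer's IAM policy is what grants kms:Decrypt; with the locked-down policy the same IAM policy grants nothing to a role the key policy does not name, while KeyAdmin can schedule deletion but cannot decrypt, which is the role separation the earlier card describes.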
Deleting a KMS Key
Deletion is not instantaneous: you schedule it with a waiting period of 7 to 30 days (default 30). During the waiting period the key cannot be used but the deletion can be cancelled; once it completes, everything encrypted under that key is unrecoverable