KMS Flashcards
What is Encryption in flight?
Data is encrypted before sending and decrypted after receiving
• SSL certificates help with encryption (HTTPS)
• Encryption in flight ensures no MITM (man in the middle attack) can happen
What is server side encryption at rest?
• Data is encrypted after being received by the server
• Data is decrypted before being sent
• It is stored in an encrypted form thanks to a key (usually a data key)
• The encryption / decryption keys must be managed somewhere and the server must have access to them
What is client side encryption?
- Data is encrypted by the client and never decrypted by the server
- Data will be decrypted by a receiving client
- The server should not be able to decrypt the data
- Could leverage Envelope Encryption
Anytime you hear “encryption” for an AWS service what is it?
KMS
What is KMS?
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data
What are the CMK types?
Symmetric (AES-256 keys)
Asymmetric (RSA and ECC key pairs)
What type of CMK do AWS services that are integrated with KMS use?
Symmetric
What is Symmetric CMK?
A single encryption key that is used to both encrypt and decrypt
What is Asymmetric CMK?
A public key (encrypt) and private key (decrypt) pair (the same model used by SSH)
What is an Asymmetric CMK used for?
For encryption outside of AWS by users who can't call the KMS API
What are the 3 types of CMK that you can create in KMS?
- AWS Managed Service Default CMK: free
- User Keys created in KMS: $1 / month
- User Keys imported (must be 256-bit symmetric key): $1 / month
What are you able to do with your KMS keys and policies?
- Able to fully manage the keys & policies:
- Create
- Rotation policies
- Disable
- Enable
How can you retrieve the key used to encrypt data by KMS?
You can never retrieve it
What is the max data allowed by KMS per call?
4 KB, otherwise use envelope encryption
Are KMS keys multi-region?
No. When you copy something encrypted across regions, KMS re-encrypts it with a new key for the other region
What are KMS Key Policies?
Control access to KMS keys, “similar” to S3 bucket policies, but you cannot access KMS without them and there is a default one
What must you do to give someone access to KMS?
o Make sure the Key Policy allows the user
o Make sure the IAM Policy allows the API calls
How should you copy EBS snapshots across regions?
1- Encrypt the volume using a KMS Key A
2- Create a snapshot
3- KMS Re-Encrypt the snapshot using a KMS Key B from Region B
4- Create volume from snapshot
What does the default KMS Key Policy look like?
o Created if you don’t provide a specific KMS Key Policy
o Complete access to the key to the root user = entire AWS account
o Gives access to the IAM policies to the KMS key
What does a custom KMS Key Policy look like?
o Define users, roles that can access the KMS key
o Define who can administer the key
o Useful for cross-account access of your KMS key
How can you copy snapshots across accounts?
- Create a Snapshot, encrypted with your own CMK
- Attach a KMS Key Policy to authorize cross-account access
- Share the encrypted snapshot
- (in target) Create a copy of the Snapshot, encrypt it with a KMS Key in your account
- Create a volume from the snapshot
What will help us encrypt more than 4 KB by using Envelope Encryption?
The main API that will help us is the GenerateDataKey API
What is the Encryption SDK?
The AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices. It also exists as a CLI tool we can install
What useful feature is provided by the Encryption SDK?
Data Key Caching:
o re-use data keys instead of creating new ones for each encryption
o Helps with reducing the number of calls to KMS with a security trade-off
What does the Encryption SDK use for data key caching?
Use LocalCryptoMaterialsCache (configured with max age, max bytes, max number of messages)
What are the main APIs in KMS?
- Encrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
- Decrypt
- GenerateRandom
What is Encrypt API in KMS?
Encrypts up to 4 KB of data through KMS
What is GenerateDataKey API in KMS?
Generates a unique symmetric data key (DEK)
o returns a plaintext copy of the data key
o AND a copy that is encrypted under the CMK that you specify
What is GenerateDataKeyWithoutPlaintext API in KMS?
o Generates a DEK to use at some point later (not immediately)
o Returns only the DEK encrypted under the CMK that you specify (you must call Decrypt later to use it)
What is Decrypt API in KMS?
Decrypts up to 4 KB of data (including Data Encryption Keys)
What is GenerateRandom API in KMS?
Returns a random byte string
What happens when you exceed a request quota in KMS?
When you exceed a request quota, you get a ThrottlingException
• All cryptographic operations share one quota
• This includes requests made by AWS on your behalf (ex: SSE-KMS)
How can you respond to KMS Throttling exceptions?
- Use exponential backoff (backoff and retry)
- For GenerateDataKey, consider using key caching from the Encryption SDK
- You can request a Request Quotas increase through API or AWS support
What API calls will leverage SSE-KMS?
- SSE-KMS leverages the GenerateDataKey & Decrypt KMS API calls
- These KMS API calls will show up in CloudTrail, helpful for logging
What do you need to perform SSE-KMS encryption?
To perform SSE-KMS, you need:
o A KMS Key Policy that authorizes the user / role
o An IAM policy that authorizes access to KMS
o Otherwise you will get an access denied error
How can you force SSL to be used in your bucket?
To force SSL, create an S3 bucket policy with a DENY on the condition aws:SecureTransport = false
What would happen if you allow on aws:SecureTransport = true in your bucket policy?
Using an allow on aws:SecureTransport = true would allow anonymous GetObject if using SSL
How could you force SSE-KMS encryption in your bucket policy?
- Deny incorrect encryption header: make sure it includes aws:kms (== SSE-KMS)
- Deny no encryption header to ensure objects are not uploaded un-encrypted
• Note: the second rule could be swapped for S3 default encryption set to SSE-KMS
How can you encrypt CloudWatch logs with KMS keys?
Encryption is enabled at the log group level, by associating a CMK with a log group, either when you create the log group or after it exists.
How can you associate a CMK with a log group using the CloudWatch console?
You cannot associate a CMK with a log group using the CloudWatch console. You must use the CloudWatch Logs API
How can you associate a CMK with a log group using the CloudWatch Logs API?
associate-kms-key API call if the log group already exists
create-log-group API call if the log group doesn't exist yet
What do you need to do in KMS to integrate it with CloudWatch Logs?
You need to edit the KMS Key Policy