KMS Flashcards
KMS is fully integrated with IAM for authorization, so the management of access rules is simple and centralized.
You can use it from the AWS CLI and the AWS SDKs.
KMS is integrated into
- EBS: encrypt volumes
- S3: server side encryption of objects
- Redshift: encryption of data
- RDS: encryption of data
- SSM: Parameter Store (SecureString parameters)
KMS key types
two types of keys (exam):
- AES-256 symmetric keys: a single key is used for both encryption and decryption. This is the type used for envelope encryption, and the one the exam focuses on.
- RSA and ECC asymmetric key pairs: RSA pairs can be used for encryption/decryption or for sign/verify; ECC pairs are for sign/verify.
For an asymmetric pair, the public key can be downloaded, but the private key never leaves KMS.
The same holds for an AES-256 symmetric Customer Master Key (CMK): you never get the key in unencrypted form. You must call the KMS API to use it, and you never see the key material itself.
asymmetric CMK scenarios (exam)
- cryptographically verify a digital signature client-side, with the downloaded public key, without needing a network connection to KMS.
- securely manage decryption of data that was encrypted by a partner's system which does not integrate with AWS APIs or have access to AWS account credentials: the partner encrypts with the downloaded public key, and only KMS (holding the private key) can decrypt.
Key Management Service: what features are offered
- manage keys and policies (create, rotate, enable, disable, set key policies)
- audit key usage (CloudTrail)
KMS pricing
three types of CMK:
- AWS managed CMK (the default service keys such as aws/ebs): free. When you encrypt an EBS volume with the aws/ebs key, the key itself costs nothing.
- customer managed CMK that you create in KMS: $1 per month per key, and there is no free tier for the key itself.
- customer managed CMK with imported key material (generated outside KMS and imported): also $1 per month per key.
On top of the key cost, every API call to KMS is billed (beyond the monthly request free tier), at about $0.03 per 10,000 calls.
So when would you use KMS?
Whenever you need to share or store sensitive information, for example:
- database passwords
- credentials for an external service
- the private key of an SSL/TLS certificate
or anything else that must be encrypted because it is secret.
The real value of KMS is that
- we never see the keys used to encrypt or decrypt the data; the key material stays inside KMS, and we only send data to KMS to encrypt and decrypt.
- on top of that, KMS can rotate these keys automatically for extra security.
KMS has a limit: the Encrypt and Decrypt APIs accept at most 4 KB of data per call. To encrypt more data than that, you use envelope encryption, which is covered in detail for the Certified Developer exam.
So, to give someone access to a KMS key, make sure that
- the key policy allows the user to access the key (or allows the account, delegating the decision to IAM)
- and the IAM policy attached to the user allows the KMS API call
Only when both allow it does the user get access to the KMS key.
KMS and regions
KMS keys are bound to a specific region: a KMS key created in region A cannot be transferred to region B. (Multi-Region keys, a later feature, are the exception; a regular key's material never leaves its region.)
So say we have an EBS volume encrypted with a KMS key in eu-west-2 and we want to copy that volume to another region, for example ap-southeast-2. Because KMS keys are linked to a region, you need a specific sequence of operations:
- create a snapshot of the volume; any snapshot of an encrypted volume is itself encrypted with KMS, with the same key.
- copy the snapshot to the new region, specifying a new KMS key from that region to re-encrypt the data with; you now have a snapshot in the other region, encrypted with KMS but with the new key.
- create a volume from that snapshot; the volume is encrypted with the new KMS key.
key policies
Key policies control access to KMS keys; they are the primary way to do so, and an IAM policy on its own is not enough unless the key policy delegates to IAM.
Every key has a key policy, and a key policy that grants access to no one leaves the key unusable.
When you create a CMK programmatically, that is, with the AWS KMS API (including through the AWS SDKs and command line tools), you have the option of providing the key policy for the new CMK. If you don't provide one, AWS KMS creates one for you.
This default key policy has one policy statement that gives the AWS account (root user) that owns the CMK full access to the CMK and enables IAM policies in the account to allow access to the CMK.
When you create a CMK with the AWS Management Console, you can choose the IAM users, IAM roles, and AWS accounts that are given access to the CMK. The users, roles, and accounts that you choose are added to a default key policy that the console creates for you.
The default key policy created by the console has three kinds of statements:
- allows access to the AWS account (root) and enables IAM policies in the account
- allows the chosen key administrators to administer the CMK (but not to use it for cryptographic operations)
- allows the chosen key users to use the CMK (encrypt, decrypt, re-encrypt, generate data keys, describe the key) and to create grants for AWS resources
So to give users access to a KMS key that has this default key policy, you just create the correct IAM policy and attach it to the user or role.
If you define a custom KMS key policy, you explicitly list the users and roles that can use this specific KMS key, and who can administer it.
This is useful for cross-account access to your KMS key.
For example, when you create a snapshot encrypted with your own CMK, you attach a key policy that authorizes the target account to use that key. With such a key policy in place (one that allows the target account to use our KMS key), the procedure is:
- share the encrypted snapshot with the target account
- in the target account, copy the snapshot; this works because the target account has access to the KMS key in our original account (its own IAM principals still need an IAM policy allowing the KMS calls, and the copy is usually re-encrypted with a CMK the target account owns, so it no longer depends on our key)
- finally, create a volume from that copied snapshot
This is how you copy an encrypted snapshot across accounts.
If you want to encrypt more than 4 KB (exam), you need to use envelope encryption.
The main API for it is GenerateDataKey.
APIs for encryption (exam)
- to encrypt up to 4 KB, use the Encrypt API
- for more than 4 KB, use GenerateDataKey: it returns a data encryption key (DEK) in plaintext plus the same DEK encrypted under the CMK you specify
- GenerateDataKeyWithoutPlaintext: also generates a DEK encrypted under the CMK you specify, but returns only the encrypted copy. It is for a DEK you will use at some point in the future, not right now; before you can use it you must call Decrypt on it, which is one extra step.
So if the exam asks you to perform envelope encryption right now, the answer is the GenerateDataKey API, not GenerateDataKeyWithoutPlaintext.
APIs for decryption (exam)
- to decrypt up to 4 KB (including an encrypted DEK), use the Decrypt API; for a symmetric CMK you don't need to name the key, because the ciphertext blob records which key encrypted it
Envelope encryption: how it works
- using the SDK, we call the GenerateDataKey API and specify a CMK
- KMS checks the key policy and IAM permissions to make sure we may generate a data key with that CMK
- if we may, KMS generates the data key and sends back a plaintext version of it (the DEK) together with an encrypted version of the DEK
- now, client side, we encrypt the big file with the plaintext DEK using our own CPU, and discard the plaintext DEK once we are done
- then we build an envelope around it, which is the final file: inside we put the encrypted version of the DEK and the encrypted file
How to decrypt the envelope
- the Decrypt API only accepts up to 4 KB of data, so we send it only the encrypted DEK taken from the envelope, never the file itself
- KMS checks the key policy and IAM permissions, and if everything is in order it decrypts the DEK and returns the plaintext DEK
- with the plaintext DEK we decrypt the encrypted file client side
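An added example, not from these notes or the AWS SDK, showing the envelope encryption and decryption flow above end to end in Go, including the GenerateDataKeyWithoutPlaintext extra step and the 4 KB Encrypt limit from the API section. Because it has to run offline, KMS is replaced by an in-process simulatedKMS type that holds the CMK and exposes Encrypt, Decrypt, GenerateDataKey and GenerateDataKeyWithoutPlaintext with the same semantics (the CMK never leaves it, Encrypt refuses more than 4 KB). Everything else is this example's own choice rather than AWS's: AES-256-GCM is used both for wrapping the DEK and for the file, and the envelope layout (4-byte length, encrypted DEK, ciphertext) is not the AWS Encryption SDK message format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

const kmsMaxPayload = 4096 // Encrypt and Decrypt accept at most 4 KB per call

// aeadSeal / aeadOpen: AES-256-GCM with a random nonce prefixed to the ciphertext.
// The simulated KMS uses them under the CMK; the client uses them under the DEK.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func aeadSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func aeadOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// simulatedKMS stands in for AWS KMS so the example runs offline. The CMK lives
// only inside it; callers get data keys and ciphertext blobs back, never the CMK.
type simulatedKMS struct{ cmk []byte }

func newSimulatedKMS() *simulatedKMS {
	cmk := make([]byte, 32) // AES-256 master key, never returned to callers
	if _, err := rand.Read(cmk); err != nil { panic(err) }
	return &simulatedKMS{cmk: cmk}
}

// Encrypt mirrors the KMS Encrypt API, including its 4 KB limit.
func (k *simulatedKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > kmsMaxPayload {
		return nil, errors.New("Encrypt: plaintext exceeds the 4 KB limit, use envelope encryption")
	}
	return aeadSeal(k.cmk, plaintext)
}

// Decrypt mirrors the KMS Decrypt API; an encrypted DEK is well under 4 KB.
func (k *simulatedKMS) Decrypt(blob []byte) ([]byte, error) { return aeadOpen(k.cmk, blob) }

// GenerateDataKey returns a fresh 256-bit DEK in plaintext plus the same DEK
// encrypted under the CMK (the CiphertextBlob of the real API).
func (k *simulatedKMS) GenerateDataKey() (plaintextDEK, encryptedDEK []byte, err error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, nil, err }
	blob, err := k.Encrypt(dek)
	return dek, blob, err
}

// GenerateDataKeyWithoutPlaintext returns only the encrypted DEK; the caller
// must Decrypt it before use, which is the extra step the notes mention.
func (k *simulatedKMS) GenerateDataKeyWithoutPlaintext() ([]byte, error) {
	_, blob, err := k.GenerateDataKey()
	return blob, err
}

// envelopeEncrypt builds [4-byte length][encrypted DEK][AES-GCM(file under DEK)].
func envelopeEncrypt(kms *simulatedKMS, plaintext []byte) ([]byte, error) {
	dek, encDEK, err := kms.GenerateDataKey()
	if err != nil { return nil, err }
	body, err := aeadSeal(dek, plaintext) // client side, with our own CPU; dek is dropped after this
	if err != nil { return nil, err }
	env := make([]byte, 4, 4+len(encDEK)+len(body))
	binary.BigEndian.PutUint32(env, uint32(len(encDEK)))
	return append(append(env, encDEK...), body...), nil
}

// envelopeDecrypt sends only the encrypted DEK to KMS, never the file.
func envelopeDecrypt(kms *simulatedKMS, envelope []byte) ([]byte, error) {
	if len(envelope) < 4 { return nil, errors.New("envelope too short") }
	n := int(binary.BigEndian.Uint32(envelope[:4]))
	if len(envelope) < 4+n { return nil, errors.New("envelope truncated") }
	dek, err := kms.Decrypt(envelope[4 : 4+n]) // the only call that goes to KMS
	if err != nil { return nil, err }
	return aeadOpen(dek, envelope[4+n:])
}
```

Two properties are worth checking when you run it: an envelope produced under one simulatedKMS cannot be opened by another (a different CMK cannot unwrap the DEK), and flipping a byte of the file ciphertext makes aeadOpen fail because GCM authenticates the data; a DEK obtained via GenerateDataKeyWithoutPlaintext is usable only after a Decrypt call.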
AWS Encryption SDK
Envelope encryption is implemented for you in the AWS Encryption SDK; there is a CLI tool and implementations in Java, Python and other languages.
The Encryption SDK has a feature called data key caching.
Instead of generating a new data key every time we want to encrypt an object, we can reuse data keys, so there are fewer calls to KMS and it is less expensive.
But there is a security trade-off, because now the same data encryption key is used for many different files.
To bound that, you define the max age of a cached key, the max number of bytes it may encrypt, and the max number of messages it may encrypt before moving on to the next DEK.
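An added example (not Encryption SDK code) of the data key caching policy just described, in Go: a cache that hands out the same DEK until the max age, max bytes or max messages limit is hit, then requests a new one, while counting how many GenerateDataKey calls were actually made. The KMS call is simulated locally with random bytes, the clock is injectable so the age limit can be exercised, and the type, field and limit names are this example's own rather than the SDK's.

```go
package main

import (
	"crypto/rand"
	"time"
)

// cachedDataKey is one plaintext DEK plus the counters the caching policy checks.
// (The real SDK cache also stores the encrypted DEK for the envelope; omitted here.)
type cachedDataKey struct {
	dek      []byte
	created  time.Time
	bytes    int // bytes encrypted under this DEK so far
	messages int // messages encrypted under this DEK so far
}

// DataKeyCache reuses a DEK until one of three limits is hit, then asks "KMS"
// for a new one. The limits mirror the Encryption SDK's max age, max bytes and
// max messages settings; KMSCalls shows how many GenerateDataKey calls remain.
type DataKeyCache struct {
	MaxAge      time.Duration
	MaxBytes    int
	MaxMessages int
	Now         func() time.Time // injectable clock so the age limit can be tested
	entry       *cachedDataKey
	KMSCalls    int
}

// generateDataKey stands in for the KMS GenerateDataKey call.
func (c *DataKeyCache) generateDataKey() *cachedDataKey {
	c.KMSCalls++
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return &cachedDataKey{dek: dek, created: c.Now()}
}

// exhausted reports whether the cached DEK may not be used for one more
// message of messageLen bytes. A message larger than MaxBytes on its own
// therefore always gets a fresh, single-use DEK.
func (c *DataKeyCache) exhausted(e *cachedDataKey, messageLen int) bool {
	return e == nil ||
		c.Now().Sub(e.created) >= c.MaxAge ||
		e.bytes+messageLen > c.MaxBytes ||
		e.messages >= c.MaxMessages
}

// DataKeyFor returns the DEK to encrypt the next message with and records the usage.
func (c *DataKeyCache) DataKeyFor(messageLen int) []byte {
	if c.exhausted(c.entry, messageLen) {
		c.entry = c.generateDataKey()
	}
	c.entry.bytes += messageLen
	c.entry.messages++
	return c.entry.dek
}
```

With MaxMessages set to 3, seven messages cost three KMS calls instead of seven; with MaxBytes set to 250, the third 100-byte message forces a new key; and once the clock passes MaxAge the next message forces one as well. The trade-off is visible in the same numbers: every message served from the cache shares its DEK with the others in that window.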
If you want KMS to generate random data, use the GenerateRandom API, which returns a cryptographically secure random byte string (up to 1024 bytes per call).