KMS ENCRYPTION Flashcards
CMK Type: Symmetric
AES-256: a single key to encrypt and decrypt (symmetric). AWS services integrated with KMS use this type. You never get access to the key in plaintext. Necessary for envelope encryption.
CMK Type: Asymmetric
RSA and ECC: two keys (asymmetric). Public key (encrypt), private key (decrypt). Used for encrypt/decrypt or sign/verify. The public key is downloadable.
USED FOR ENCRYPTION OUTSIDE OF AWS
KMS overview
Fully manage keys and policies:
Create
Rotate
Disable/Enable
Audit key usage via CloudTrail
Three types of CMK (Customer Master Key):
AWS managed: free, service default
User keys created in KMS: $1 monthly
User keys imported (256-bit symmetric only): $1 monthly
API call fee: $0.03 per 10,000 calls
KMS overview: 101 practices
Never store secrets in plaintext
Encrypted secrets can be stored in CODE or ENVIRONMENT VARIABLES!
KMS Encrypt can only handle 4 KB MAX!
Beyond 4 KB needs envelope encryption
ACCESS:
Key policy allows the user
IAM policy allows the API calls
KMS REGIONS
KMS keys cannot be shared between regions. Encrypted snapshots copied to another region must undergo:
KMS ReEncrypt with an alternative KMS key native to the new region!
KMS Key Policies
Control access to a key, much like an S3 bucket policy
IAM policy vs. key policy
Key policy: a key policy must be specified to allow access to the key.
Default:
- Created if you don’t provide a policy
- Complete access to the root user, i.e. the entire AWS account.
- Allows IAM policies in the account to grant access to the KMS key
Custom:
- Define which users/roles can access the key
- Define who can administer the key
- Needed for cross-account access.
KMS Key Cross Account Access
- Create Encrypted Snapshot
- Attach a KMS key policy to allow cross-account access
  - Principal: has the target account ID
  - Actions needed to use the key (DECRYPT / CREATE GRANT)
  - Conditions: the KMS caller account must match the target account ID
- Share the encrypted snapshot
- In the target account, create a copy of the snapshot and encrypt it with that account's own KMS KEY!
- Create a volume from the snapshot
THIS ALLOWS ANOTHER ACCOUNT TO RE-ENCRYPT THE DATA.
ENCRYPT AND DECRYPT
UNDER 4 KB
ENCRYPT:
1. Unencrypted secret (<4 KB)
2. Encrypt API call to KMS, specifying the CMK to use
- KMS checks IAM permissions
- If successful, KMS sends back the encrypted secret
DECRYPT:
1. Encrypted data
2. Decrypt API call
- KMS automatically knows which CMK was used
- KMS checks IAM for permissions
- The decrypted data is sent back if KMS has approval from IAM
Envelope Encryption:
ENCRYPTION:
GenerateDataKey API: anything over 4 KB of data needs to use this command
- A big file needs to be encrypted: the SDK is used
- GenerateDataKey API is called on KMS. KMS checks whether the IAM policy allows this.
- KMS sends a plaintext data key (DEK) back to the client.
- KMS also sends an encrypted version of the DEK.
- The client receives the plaintext and ciphertext DEK, uses the plaintext DEK to encrypt the file and creates the envelope.
- Inside the envelope, the ciphertext DEK is placed alongside the encrypted file.
FILE HAS A WRAPPER WITH THE ENCRYPTED DEK
DECRYPT:
- Encrypted DEK and file: use the Decrypt API
- The DEK ciphertext is passed to KMS, IAM checks occur and the decrypted DEK is sent back to the client.
- This plaintext DEK is used to decrypt the file locally.
KMS SYMMETRIC API
Encrypt: encrypt up to 4 KB of data
GenerateDataKey: generate a unique symmetric data key (DEK)
- Returns a plaintext copy of the key
- Also returns a ciphertext DEK encrypted under the specified CMK
GenerateDataKeyWithoutPlaintext:
- Generate a DEK to be used later
- DEK encrypted under the chosen CMK
Decrypt: decrypt up to 4 KB of data; an encrypted DEK can also be decrypted this way
GenerateRandom: returns a cryptographically secure random byte string
KMS limits: Request Quota
ThrottlingException:
Raised when you exceed the request quota for KMS
Resolution: exponential backoff. For GenerateDataKey (DEK), use data key caching from the Encryption SDK.
The cryptographic operations shared quota includes SSE-KMS.
The quota can be increased; it is a soft limit.
KMS limits: Request Quota operations
API operations:
- Decrypt
- Encrypt
- GenerateDataKey (DEK, symmetric)
- GenerateDataKeyWithoutPlaintext (symmetric)
- GenerateRandom
- ReEncrypt
- Sign (asymmetric)
- Verify (asymmetric)
KMS limits: Request Quota amounts
Shared quotas vary with the region and the type of CMK
Symmetric: varies by region
Asymmetric: shared per type of CMK
Symmetric:
- 5,500 shared
- 10,000 shared in certain regions
- 30,000 shared in US East 1, West 2, West 1
Asymmetric:
- 500 shared for RSA CMKs
- 300 shared for ECC CMKs
SSE KMS: overview and how it encrypts items
Handled and managed by AWS
User control plus audit trail
Object encrypted server side
Must have header:
x-amz-server-side-encryption: aws:kms
METHOD
- Object: sent via HTTPS with the header (aws:kms)
- Inside S3: the object arrives at S3, the referenced CMK is used to encrypt it, and the encrypted object is stored in the bucket.
SSE KMS Deep Dive
Operations
CloudTrail tracking
Requirements for SSE-KMS authorization
KMS limits: which service causes issues and what the solutions are
SSE-KMS Operations: KMS API calls
GenerateDataKey
Decrypt
** These show up in CloudTrail for logging
Requirements for SSE-KMS (both needed):
1. KMS key policy authorizing the user/role
2. IAM policy authorizing access to KMS
** Otherwise access denied.
S3 calls to KMS for SSE-KMS count against KMS LIMITS!!
Resolution: exponential backoff; request a KMS limit increase.
The service throttle is a KMS issue, not an S3 issue!