KMS ENCRYPTION Flashcards
CMK Type: Symmetric
AES-256, single key to encrypt and decrypt: symmetric
Services that use KMS use this type
You never get access to the key in plaintext
Necessary for envelope encryption
CMK Type: Asymmetric
RSA and ECC: two keys, asymmetric
Public key (encrypt), private key (decrypt)
Used for encrypt/decrypt and sign/verify
Public key is downloadable
USED FOR ENCRYPTION OUTSIDE OF AWS
KMS overview
Fully manage the key and its key policy:
Create
Rotate
Disable/Enable
Audit key usage via CloudTrail
Three types of CMK (Customer Master Key):
AWS managed: free, the service default
User keys made in KMS: $1 monthly
User keys imported (256-bit symmetric only): $1 monthly
API call fee: $0.03 per 10,000 calls
KMS overview 101 practices
Never store secrets plaintext
Encrypted secrets can be stored in CODE or ENVIRONMENT VARIABLES!
KMS can only encrypt 4 KB MAX!!!!
Beyond 4 KB needs envelope encryption
ACCESS (both are needed):
Key policy allows the user
IAM policy allows the API calls
KMS REGIONS
KMS keys cannot be shared between regions; encrypted snapshots that are copied to another region need to undergo:
KMS ReEncrypt with an alternative KMS key native to the new region!
KMS Key Policies
Controls access to the key, much like an S3 bucket policy
IAM policy vs Key policy
Key policy: you need to specify a key policy to allow access to the key.
Default:
- Created if you don’t provide a policy
- Gives complete access to the root user, which encompasses the entire AWS account.
- Lets IAM policies in the account grant access to the KMS key
Custom:
- Can define user/role access to the key
- Defines who can administer access to the key
- Needed for cross-account access.
KMS Key Cross Account Access
- Create an encrypted snapshot
- Attach a KMS key policy to allow cross-account access:
Principal: the target account ID
Actions: those needed to use the key (Decrypt / CreateGrant)
Condition: the KMS caller account (kms:CallerAccount) must equal the target account ID
- Share the encrypted snapshot
- In the target account, create a copy of the snapshot and encrypt it with the target account’s own KMS KEY!
- Create a volume from the snapshot
THIS ALLOWS ANOTHER ACCOUNT TO RE-ENCRYPT THE DATA.
ENCRYPT AND DECRYPT
UNDER 4 KB
ENCRYPT:
1. Secret is unencrypted (<4 KB)
2. Encrypt API call to KMS, specifying the CMK to use
- KMS checks IAM permissions
- If successful, KMS sends back the encrypted secret
DECRYPT:
1. Encrypted data
2. Decrypt API call
- KMS automatically knows which CMK was used
- It checks with IAM for permissions
- The decrypted information is sent back if KMS has approval from IAM
Envelope Encryption:
ENCRYPTION:
GenerateDataKey API: anything over 4 KB of data needs to use this command
- A big file needs to be encrypted: the SDK is used
- The GenerateDataKey API is called on KMS. KMS checks whether the IAM policy allows this.
- KMS sends a plaintext data key (DEK) back to the client.
- KMS also sends an encrypted version of the DEK.
- The client receives the plaintext and ciphertext DEK, uses the plaintext DEK to encrypt the file, and creates the envelope.
- Inside the envelope, the ciphertext DEK is placed next to the encrypted file.
THE FILE HAS A WRAPPER WITH THE ENCRYPTED DEK
DECRYPT:
- Encrypted DEK and file: use the Decrypt API
- The DEK ciphertext is passed to KMS; IAM checks occur and the decrypted DEK is sent back to the client.
- This plaintext DEK is used to decrypt the file locally.
KMS SYMMETRIC API
Encrypt: encrypt up to 4 KB of data
GenerateDataKey: generates a unique symmetric data key (DEK)
- Returns a plaintext copy of the key
- Also returns the DEK as ciphertext, encrypted under the specified CMK
GenerateDataKeyWithoutPlaintext:
- Generates a DEK to be used later
- DEK is encrypted under the chosen CMK; no plaintext copy is returned
Decrypt: decrypts up to 4 KB of data; can also be used to decrypt a DEK
GenerateRandom: returns a random byte string that is cryptographically secure.
KMS limits: Request Quota
ThrottlingException:
Raised when you exceed the request quota for KMS
Resolution: exponential backoff. For GenerateDataKey (DEK), use data key caching from the Encryption SDK.
The cryptographic operations shared quota includes SSE-KMS.
Can be increased; this is a soft limit.
KMS limits: Request Quota operations
API operations sharing the quota:
Decrypt
Encrypt
GenerateDataKey (DEK, symmetric)
GenerateDataKeyWithoutPlaintext (symmetric)
GenerateRandom
ReEncrypt
Sign (asymmetric)
Verify (asymmetric)
KMS limits: Request Quota amounts
Shared; vary with the region and the type of CMK
Symmetric: varies by region
Asymmetric: shared per type of CMK
Symmetric
5,500 shared
10,000 shared in certain regions
30,000 shared in US East 1, West 2 and West 1
Asymmetric
500 shared per RSA CMK type
300 shared per ECC CMK type
SSE KMS: overview and how it encrypts items
Handled and managed by AWS
User control + audit trail
Object is encrypted server side
Must have the header:
x-amz-server-side-encryption: aws:kms
METHOD
Object: sent via HTTPS with the header (aws:kms)
Inside S3: the object arrives at S3, the CMK is referenced and used to encrypt the object, and the object is placed in the bucket.
SSE KMS Deep Dive
Operations
CloudTrail tracking
Requirements for SSE-KMS authorization
KMS limits: which service causes issues and what the solutions are.
SSE-KMS Operations: KMS API calls
GenerateDataKey
Decrypt
** These show up in CloudTrail for logging
Requirements for SSE-KMS (both needed):
1. KMS key policy authorizing the user/role
2. IAM policy authorizing access to KMS
** Otherwise access denied.
S3 calls to KMS for SSE-KMS count against the KMS LIMITS!!
Resolution: exponential backoff; request a KMS limit increase.
The service throttle is a KMS issue, not an S3 issue!
SSE KMS S3 Bucket Protect
FORCE SSL
AWS Secure Transport
Force SSL
Create a bucket policy that denies if the below is matched:
aws:SecureTransport: false
Allowing on aws:SecureTransport: true is bad practice; it would allow anonymous GetObject over SSL
SSE KMS S3 Bucket Protect
Force Encryption of SSE KMS
- Deny incorrect encryption header: makes sure the only header value used is aws:kms (StringNotEquals aws:kms is denied)
- Deny missing encryption header: ensures unencrypted objects are not uploaded to this bucket
* Or set default encryption of all objects to SSE-KMS
Parameter store Hierarchy
Parameter Store holds values to be used in CloudFormation. These items can be stored in a hierarchy.
* Parameter Store support for hierarchies lets you organize parameters based on your deployment. *
Can have different parameters for DEV/PROD and separate them by hierarchy.
GetParameters API
GetParametersByPath API
Parameter Store STANDARD VS ADVANCED
- Total number: 10,000 vs 100,000
- Max size of value: 4 KB vs 8 KB
- Parameter policy: No vs Yes
- Cost: Free vs Charges
- Storage price: Free vs $0.05 per advanced parameter
Parameter Policy
For advanced parameters only.
** Allows a TTL to be assigned to a parameter for expiration, forced update, or deletion of sensitive information
Can assign multiple policies at once
Policy types
Expiration: delete the parameter at the given time
ExpirationNotification: send a notification through CloudWatch Events X time before expiry
NoChangeNotification: if nothing changed in X time, send a CloudWatch event.
Secrets Manager
Stores secrets
Forces rotation of secrets
AUTOMATIC GENERATION OF SECRETS FOR ROTATION, DONE BY LAMBDA
Integrates with RDS; synchronizes secrets between the DB and Secrets Manager
Encrypts with KMS
MEANT FOR RDS INTEGRATION**
Parameter Store vs Secrets Manager
Secrets Manager (DB):
- Costs more
- Automatic rotation of secrets by Lambda
- Integration with RDS/Redshift/DocumentDB
- KMS encryption needed***
- Can integrate with CloudFormation
SSM Parameter Store (CLOUDFORMATION):
- Costs less
- No rotation
- KMS encryption optional***
- Integration with CloudFormation
- Can pull a Secrets Manager secret using the SSM Parameter Store API
Codebuild secrets
AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. With CodeBuild, you don’t need to provision, manage, and scale your own build servers.
FOR PARAMETERS AND SECRETS:
DON’T STORE THEM AS PLAINTEXT IN ENVIRONMENT VARIABLES!
Environment variables can reference either:
Parameter Store parameters
Secrets Manager secrets