Security, Identity & Compliance | AWS Key Management Service Flashcards
What is AWS Key Management Service (KMS)?
General
AWS Key Management Service | Security, Identity & Compliance
AWS KMS is a managed encryption service that enables you to easily encrypt your data. AWS KMS provides a highly available key storage, management, and auditing solution for you to encrypt your data across AWS services and within your own applications.
Why should I use AWS KMS?
General
AWS Key Management Service | Security, Identity & Compliance
If you are a developer who needs to encrypt data in your applications, you should use the AWS SDKs with AWS KMS support to easily use and protect encryption keys. If you’re an IT administrator looking for a scalable key management infrastructure to support your developers and their growing number of applications, you should use AWS KMS to reduce your licensing costs and operational burden. If you’re responsible for proving data security for regulatory or compliance purposes, you should use AWS KMS to verify that data is encrypted consistently across the applications where it is used and stored.
How do I get started with AWS KMS?
General
AWS Key Management Service | Security, Identity & Compliance
The easiest way is to get started using AWS KMS is to check the box to encrypt your data within supported AWS services and use the default keys that are created in your account for each service. If you want further controls over the management of these keys, you can create keys in AWS KMS and assign them to be used in the supported AWS services when creating encrypted resources as well as use them directly within your own applications. AWS KMS can be accessed from the “Encryption Keys” section of the AWS Identity and Access Management (IAM) console for web-based access, and the AWS KMS Command Line Interface or AWS Software Development Kit for programmatic access. Visit the Getting Started page to learn more.
In what Regions is KMS available?
General
AWS Key Management Service | Security, Identity & Compliance
Availability is listed on our global Products and Services by Region page.
What key management features are available in AWS KMS?
General
AWS Key Management Service | Security, Identity & Compliance
You can perform the following key management functions in AWS KMS:
Create keys with a unique alias and description
Import your own keys
Define which IAM users and roles can manage keys
Define which IAM users and roles can use keys to encrypt and decrypt data
Choose to have AWS KMS automatically rotate your keys on an annual basis
Temporarily disable keys so they cannot be used by anyone
Re-enable disabled keys
Delete keys that you no longer use
Audit use of keys by inspecting logs in AWS CloudTrail
How does AWS KMS work?
General
AWS Key Management Service | Security, Identity & Compliance
AWS KMS allows you to centrally manage and securely store your keys. You can generate keys in KMS or import them from your key management infrastructure. These keys can be used from within your applications and supported AWS services to protect your data, but the key never leaves KMS AWS. You submit data to AWS KMS to be encrypted, or decrypted, under keys that you control. You set usage policies on these keys that determine which users can use them to encrypt and decrypt data. All requests to use these keys are logged in AWS CloudTrail so you can understand who used which key when.
Where is my data encrypted if I use AWS KMS?
General
AWS Key Management Service | Security, Identity & Compliance
You can use AWS KMS to help encrypt data locally in your own applications or have it encrypted within a supported AWS service. You can use an AWS SDK with AWS KMS support to do the encryption wherever your applications run. You can also request a supported AWS service to encrypt your data as it is being stored. AWS CloudTrail provides access logs to allow you to audit how your keys were used in either situation.
Which AWS cloud services are integrated with AWS KMS?
General
AWS Key Management Service | Security, Identity & Compliance
AWS Key Management Service is seamlessly integrated with several other AWS services to make encrypting data in those services as easy as checking a box and selecting the master key you want to use. See the Product Details page for the list of AWS services currently integrated with KMS. All use of your keys within integrated services appears in AWS CloudTrail logs. See the AWS KMS Developer’s Guide for more information on how integrated services use AWS KMS.
How do AWS cloud services use my keys to encrypt data?
General
AWS Key Management Service | Security, Identity & Compliance
AWS cloud services integrated with AWS KMS use a method called envelope encryption to protect your data. Envelope encryption is an optimized method for encrypting data that uses two different keys. A data key is generated and used by the AWS service to encrypt each piece of data or resource. The data key is encrypted under a master key that you define in AWS KMS. The encrypted data key is then stored by the AWS service. When you need your data decrypted by the AWS service, the encrypted data key is passed to AWS KMS and decrypted under the master key that was originally encrypted under so the service can then decrypt your data.
Why use envelope encryption? Why not just send data to AWS KMS to encrypt directly?
General
AWS Key Management Service | Security, Identity & Compliance
While AWS KMS does support sending data less than 4 KB to be encrypted, envelope encryption can offer significant performance benefits. When you encrypt data directly with KMS it must be transferred over the network. Envelope encryption reduces the network load for your application or AWS cloud service. Only the request and fulfillment of the data key through KMS must go over the network. Since the data key is always stored in encrypted form, it is easy and safe to distribute that key where you need it to go without worrying about it being exposed. Encrypted data keys are sent to AWS KMS and decrypted under master keys to ultimately allow you to decrypt your data. The data key is available directly in your application without having to send the entire block of data to AWS KMS and suffer network latency.
What’s the difference between a key I create vs. default master keys created for me for use within AWS cloud services?
General
AWS Key Management Service | Security, Identity & Compliance
You have the option of selecting a specific master key to use when you want an AWS service to encrypt data on your behalf. A default master key specific to each service is created in your account as a convenience the first time you try to create an encrypted resource. This key is managed by AWS KMS but you can always audit its use in AWS CloudTrail. You can alternately create a customer master key in AWS KMS that you can then use in your own applications or from within a supported AWS service. AWS will update the policies on default master keys as needed to enable new features in supported services automatically. AWS does not modify policies on keys you create.
Why should I create a customer master key?
General
AWS Key Management Service | Security, Identity & Compliance
Creating a key in AWS KMS gives you more control than you have with default service master keys. When you create a customer master key, you can choose to use key material generated by KMS on your behalf or import your own key material, define an alias, a description, and opt-in to have the key automatically rotated once per year if it backed by key material generated by KMS. You also can define permissions on the key to control who can use and manage the key. Management and usage activity related to the key is available for audit in AWS CloudTrail.
Can I import keys into KMS?
General
AWS Key Management Service | Security, Identity & Compliance
Yes. You can import a copy of your key from your own key management infrastructure to KMS and use it with any integrated AWS service or from within your own applications.
When would I use an imported key?
General
AWS Key Management Service | Security, Identity & Compliance
You can use an imported key to get greater control over the creation, lifecycle management, and durability of your key in KMS. Imported keys are designed to help you meet your compliance requirements which may include the ability to generate or maintain a secure copy of the key in your infrastructure, and the ability to delete the imported copy of the key on demand from AWS infrastructure once you no longer need the key.
What type of keys can I import?
General
AWS Key Management Service | Security, Identity & Compliance
You can import 256-bit symmetric keys.