- Anytime you hear “encryption” for an AWS service, it’s most likely KMS
- Easy way to control access to data, AWS manages keys for us
- Fully integrated with IAM for authorization
- Seamlessly integrated into:
  - Amazon EBS: encrypt volumes
  - Amazon S3: server-side encryption of objects
  - Amazon Redshift: encryption of data
  - Amazon RDS: encryption of data
  - Amazon SSM: Parameter Store
- You can also use the CLI / SDK
- KMS can be used to encrypt/decrypt up to 4 KB of data directly.
Steps to implement Envelope Encryption
1. Create a new CMK, or re-use an existing CMK. This can be done in the AWS Console, or with the CLI using create-key.
2. Use generate-data-key to get a data key.
3. This returns the plain-text data key and also a version of the data key encrypted with the specified CMK. The encrypted version is referred to as a CiphertextBlob; it carries metadata that tells KMS which CMK was used to generate it. Store this CiphertextBlob (we will need it later).
4. Use the plain-text data key to encrypt any amount of data.
5. Throw away the plain-text data key, but be sure to store the CiphertextBlob alongside the encrypted data.
6. To decrypt, use the Decrypt API, sending it the CiphertextBlob from step 3.
7. The above step returns the plain-text data key (the same one we threw away). Use this key to decrypt the data.
8. Throw away the plain-text data key.
9. To encrypt more data, repeat steps 6, 7 and 8, except use the plain-text key to encrypt instead of decrypt.
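The procedure above as an added, runnable example (not AWS code and not from these notes): a local stand-in class plays the three KMS calls the steps use (create-key, generate-data-key, Decrypt) so the flow runs offline, and an HMAC-SHA256 counter-mode encrypt-then-MAC construction stands in for AES because the standard library has none; the class, the key-id format and the cipher are all assumptions for illustration. The envelope functions are the part that would stay the same against the real service, with the stand-in replaced by a KMS client.

```python
import hashlib, hmac, json, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stream cipher (stand-in for AES; stdlib has none)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC under derived sub-keys; output is nonce || ciphertext || tag."""
    ek, mk = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(ek, nonce, len(data))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a wrong key or a modified blob raises ValueError."""
    ek, mk = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

class StandInKms:
    """Hypothetical local stand-in for the KMS calls the steps use; CMK bytes never leave this class."""
    def __init__(self):
        self._cmks = {}
    def create_key(self) -> str:                        # step 1: create-key
        key_id = "cmk-" + secrets.token_hex(4)          # constructed key-id format, not AWS's
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str):           # step 2: generate-data-key
        plaintext_key = secrets.token_bytes(32)
        # CiphertextBlob = metadata naming the CMK + the data key wrapped under that CMK
        blob = json.dumps({"KeyId": key_id, "Wrapped": seal(self._cmks[key_id], plaintext_key).hex()}).encode()
        return plaintext_key, blob

    def decrypt(self, blob: bytes) -> bytes:            # step 6: Decrypt, no KeyId argument needed
        meta = json.loads(blob)                         # the blob itself says which CMK to use
        return unseal(self._cmks[meta["KeyId"]], bytes.fromhex(meta["Wrapped"]))

def envelope_encrypt(kms: StandInKms, key_id: str, data: bytes) -> dict:
    plaintext_key, blob = kms.generate_data_key(key_id)   # steps 2-3
    ciphertext = seal(plaintext_key, data)                # step 4: any amount of data, encrypted locally
    del plaintext_key                                     # step 5: discard the plain-text key ...
    return {"CiphertextBlob": blob, "Ciphertext": ciphertext}  # ... but store the blob with the data

def envelope_decrypt(kms: StandInKms, record: dict) -> bytes:
    plaintext_key = kms.decrypt(record["CiphertextBlob"])  # steps 6-7: KMS unwraps the data key
    return unseal(plaintext_key, record["Ciphertext"])     # step 8: key goes out of scope here
```

Note that only the short data key ever crosses the KMS boundary; the bulk data is encrypted locally, which is why the 4 KB limit on direct KMS encryption does not apply.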
When to Use KMS
- Use AWS KMS to create and manage customer master keys (CMKs). You can establish policies that determine who can use CMKs and how they can use them. You can track their use in transaction and audit logs, such as AWS CloudTrail.
- You can use CMKs to encrypt small amounts of data (up to 4096 bytes). However, CMKs are typically used to generate, encrypt, and decrypt the data keys that encrypt data. Unlike CMKs, data keys can encrypt data of any size and format, including streamed data.
When not to use KMS
- AWS KMS does not store or manage data keys, and you cannot use KMS to encrypt or decrypt with data keys. To use data keys to encrypt and decrypt, use the AWS Encryption SDK.
- AWS KMS CMKs are backed by FIPS-validated hardware security modules (HSMs) that KMS manages. To manage your own HSMs, use AWS CloudHSM.
- AWS KMS only supports symmetric encryption. If you want to use asymmetric encryption, use AWS CloudHSM.