AWS Solution Architect Associate (SAA-C02) Review Material – Key Management Service (KMS)

KMS

  • Create and manage Customer Master Keys (CMKs), logical keys whose cryptographic material never leaves KMS, and control their use across a wide range of AWS services and in your own applications.
  • Keys can be rotated, disabled, enabled and scheduled for deletion.
  • The HSMs backing KMS are validated to FIPS 140-2 Level 2.
  • Supports 2 types of keys:
    1. Symmetric Key (AES-256)
      • Callers never see the key material; keys are referred to by key ID, ARN or alias and every operation happens inside KMS.
      • The Encrypt API accepts at most 4 KB (4096 bytes) of plaintext per call. This is an API limit, not a performance one: the call is meant for small secrets such as data keys, not bulk data.
      • Anything larger is encrypted with envelope encryption (see below).
    2. Asymmetric Key (RSA or ECC key pair)
      • For encryption: the public key encrypts, the private key decrypts (RSA key pairs only).
      • For signing: the private key signs a message digest and the public key verifies the signature (RSA and ECC key pairs). A plain hash such as MD5 is not a signature; anyone can recompute it, so it gives no authenticity.
      • Users can download the public key (GetPublicKey) and use it outside KMS.
      • The private key never leaves KMS.
  • 3 Types of CMK:
    • AWS Managed (e.g. aws/s3, aws/ebs)
      • No monthly key charge (API requests are still billed)
      • Created and rotated automatically by AWS on behalf of a service. The user can view the key and its policy and see its use in CloudTrail, but cannot change the policy, rotate or delete the key.
    • Customer Managed
      • KMS generates the key material, but the user owns the key's lifecycle: enable, disable, rotate, schedule deletion (7 to 30 day waiting period).
      • Automatic Rotation
        • optional; for symmetric keys only.
        • defaults to once per year.
        • The key ID, ARN and aliases do not change; the old backing key material is retained so that ciphertext produced under it can still be decrypted.
      • Manual Rotation: create a new CMK (new key ID and ARN) and repoint the alias to it. Keep the old CMK until everything encrypted under it has been re-encrypted.
      • Users define the key policy, i.e. who can administer the key (kms:Create*, kms:Enable*, kms:Put*, kms:ScheduleKeyDeletion, ...) and who can use it (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, ...). The key policy is the primary access control for a CMK; IAM policies only take effect when the key policy allows them to.
    • Imported Keys (origin EXTERNAL)
      • Customer managed CMKs whose key material is generated outside of KMS and imported by the user.
      • Automatic rotation is not supported. The user can set an expiry time on the imported material and delete it, which makes the key unusable until material is re-imported.

Envelope Encryption

  • Used to encrypt data over 4 KB locally with a symmetric data key; the CMK only ever wraps that small per-object data key.
  • Encryption Process:
    • The client calls GenerateDataKey. KMS returns a fresh data key twice: in plaintext and encrypted under the CMK.
    • KMS does not store the data key.
    • The plaintext data key is used locally to encrypt the data, then erased from memory.
    • The encrypted data key is stored alongside the ciphertext (together called the envelope).
  • Decryption Process:
    • The client extracts the encrypted data key from the envelope and sends only that to the KMS Decrypt API. KMS can find the right CMK because the ciphertext blob it produced carries metadata identifying the CMK (the key ID, not an alias). Passing KeyId explicitly is still recommended, so that a blob encrypted under an unexpected key is rejected.
    • The returned plaintext data key is used locally to decrypt the data, then erased from memory.
  • To encrypt data outside of AWS KMS:
    1. Use the GenerateDataKey operation to get a data key.
    2. Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory.
    3. Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data.
  • To decrypt data outside of AWS KMS:
    1. Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key.
    2. Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext data key from memory.
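The two procedures above, carried through end to end as an added example that is not part of these notes and not AWS code. It is written in Go with only the standard library so that it runs offline: FakeKMS is a constructed, in-memory stand-in for the KMS endpoint whose GenerateDataKey and Decrypt methods have the same shape as the real API calls (in production they would be the AWS SDK calls against a real CMK, and the AWS Encryption SDK already implements this pattern for you). The CMK ID "cmk-example" and the envelope byte layout are assumptions made for the example. It shows the points the notes make: only the small wrapped data key is ever sent to KMS, the plaintext data key is erased as soon as it has been used, Decrypt finds the CMK from metadata in the wrapped key rather than being told, and any change to either the wrapped key or the data is caught by the AES-GCM tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// FakeKMS is a constructed, in-process stand-in for the KMS endpoint so the flow runs offline.
// Real KMS never exposes CMK material; this toy holds a 32-byte AES key per CMK ID to wrap with.
type FakeKMS struct{ cmks map[string][]byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 32 bytes here, so failure is a bug
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal returns nonce||ciphertext||tag under AES-256-GCM; open reverses it and rejects any modified byte.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit data key comes back in plaintext (use
// locally, then erase) and wrapped under the CMK (store with the data). The wrapped blob is prefixed
// with the CMK ID, which is how Decrypt later locates the right CMK without being told.
func (k *FakeKMS) GenerateDataKey(keyID string) (plaintext, blob []byte, err error) {
	cmk, ok := k.cmks[keyID]
	if !ok {
		return nil, nil, fmt.Errorf("no such CMK: %s", keyID)
	}
	plaintext = randomBytes(32)
	blob = append([]byte{byte(len(keyID))}, keyID...)
	return plaintext, append(blob, seal(cmk, plaintext, []byte(keyID))...), nil
}

// Decrypt mirrors kms:Decrypt on an encrypted data key; the caller passes no KeyId.
func (k *FakeKMS) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 1 || len(blob) < 1+int(blob[0]) {
		return nil, errors.New("malformed ciphertext blob")
	}
	keyID := string(blob[1 : 1+int(blob[0])])
	cmk, ok := k.cmks[keyID]
	if !ok {
		return nil, fmt.Errorf("no such CMK: %s", keyID)
	}
	return open(cmk, blob[1+len(keyID):], []byte(keyID)) // CMK ID is bound as AAD
}

// EnvelopeEncrypt builds the envelope: uint16 length || encrypted data key || sealed data.
func EnvelopeEncrypt(kms *FakeKMS, keyID string, data []byte) ([]byte, error) {
	dk, edk, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	sealed := seal(dk, data, nil) // any size, encrypted locally; the data itself never goes to KMS
	for i := range dk {
		dk[i] = 0 // erase the plaintext data key as soon as it has been used
	}
	return append(append([]byte{byte(len(edk) >> 8), byte(len(edk))}, edk...), sealed...), nil
}

func EnvelopeDecrypt(kms *FakeKMS, env []byte) ([]byte, error) {
	if len(env) < 2 || len(env) < 2+(int(env[0])<<8|int(env[1])) {
		return nil, errors.New("envelope too short or truncated")
	}
	n := 2 + (int(env[0])<<8 | int(env[1]))
	dk, err := kms.Decrypt(env[2:n]) // only the small wrapped key is sent to KMS
	if err != nil {
		return nil, err
	}
	data, err := open(dk, env[n:], nil)
	for i := range dk {
		dk[i] = 0 // erase the plaintext data key again
	}
	return data, err
}
```

The file deliberately has no main: drive it from a small main or a test by building a FakeKMS with one CMK, calling EnvelopeEncrypt with a payload larger than 4 KB, and then EnvelopeDecrypt on the result; flipping any byte of the envelope, in the wrapped key or in the data, makes the decrypt return an error instead of plaintext.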

CloudHSM

  • Single tenant, dedicated hardware (vs KMS, which is multi-tenant)
  • Validated to FIPS 140-2 Level 3
  • Can back KMS as a custom key store; only customer managed CMKs can be created in it
  • Deployed as a cluster in a VPC. For HA, run at least 2 HSMs in 2 different AZs.
  • Supports cryptographic acceleration/offload (e.g. SSL/TLS offload for web servers, Oracle TDE)
