<p><strong>AWS Solution Architect Associate (SAA-C02) Review Material &#8211; Key Management System (KMS)</strong><br>
Published 2022-02-02, last modified 2024-12-20. Source: https://mylinuxsite.com/wordpress/?p=240</p>

<h4 class="wp-block-heading">KMS</h4>

<ul class="wp-block-list">
<li>Create and manage <strong>Customer Master Keys (CMK)</strong>, the cryptographic keys that AWS documentation now calls <strong>KMS keys</strong>, and control their use across AWS services and in your own applications.</li>
<li>Keys can be enabled, disabled, rotated and scheduled for deletion (deletion has a mandatory waiting period of 7 to 30 days; ciphertext under a deleted key is unrecoverable).</li>
<li>The KMS HSMs were FIPS 140-2 Level 2 validated at the time of this exam version (AWS has since obtained Level 3 validation for them).</li>
<li>Supports 2 types of keys:<ol>
<li>Symmetric key (AES-256)<ul>
<li>Users never see the key material; keys are referenced by alias, key ID or ARN, and every cryptographic operation happens inside KMS.</li>
<li>The <code>Encrypt</code> API accepts at most 4 KB (4096 bytes) of plaintext. This is an API limit, not a performance issue: the call is meant for small secrets and for data keys.</li>
<li>To encrypt more than 4 KB, use <strong>envelope encryption</strong> (see below).</li>
</ul></li>
<li>Asymmetric key (RSA or elliptic-curve key pair)<ul>
<li>Encrypt/decrypt: the <strong>public key</strong> encrypts, the <strong>private key</strong> decrypts.</li>
<li>Sign/verify: the private key signs, the public key verifies (digital signatures such as RSA or ECDSA; a hash such as MD5 on its own is not a signature).</li>
<li>Users can download the public key.</li>
<li>The private key never leaves KMS.</li>
</ul></li>
</ol></li>
<li>3 types of CMK:<ul>
<li>AWS managed<ul>
<li>Created and used by an AWS service on your behalf (aliases look like <code>aws/s3</code>). No monthly key charge, only API-call charges.</li>
<li>Users cannot change the key policy, the rotation schedule or the key lifecycle.</li>
</ul></li>
<li>Customer managed<ul>
<li>KMS generates the key material, but the user controls the key: enable, disable, rotate, schedule deletion, and define the key policy (who can administer and who can use the key).</li>
<li>Every KMS key has a key policy; IAM identity policies only grant KMS permissions if the key policy allows the account to delegate them.</li>
<li>Billed per key per month (USD 1 at the time of writing).</li>
<li><strong>Automatic rotation</strong> (optional)<ul>
<li>Symmetric keys only.</li>
<li>Generates new key material every year by default (the period is now configurable).</li>
<li>The key ID, ARN, alias and key policy do not change. Old key material is retained so ciphertext produced under it can still be decrypted; KMS selects the right material automatically.</li>
</ul></li>
<li><strong>Manual rotation</strong>: create a new key, which has a <span class="has-inline-color has-vivid-cyan-blue-color">new key ID and ARN</span>, and re-point the alias to it. Data encrypted under the old key still needs the old key, so do not delete it until that data is re-encrypted.</li>
</ul></li>
<li>Imported key material<ul>
<li>A customer managed key whose key material is generated outside KMS and uploaded.</li>
<li>Automatic rotation is not supported; rotate manually with a new key. You can set an expiry on the imported material, and you must keep your own copy because KMS cannot regenerate it.</li>
</ul></li>
</ul></li>
</ul>

<h4 class="wp-block-heading">Envelope Encryption</h4>

<ul class="wp-block-list">
<li>Used to encrypt data larger than 4 KB with a symmetric KMS key, and the standard way to encrypt anything of real size, since KMS then never handles the bulk data.</li>
<li>Encryption process:<ul>
<li>KMS generates a <strong>data key</strong> and returns it twice: in plaintext and <strong>encrypted under the CMK</strong>.</li>
<li>KMS does not store the data key.</li>
<li>The plaintext data key encrypts the data locally.</li>
<li>The encrypted data key is stored alongside the ciphertext (together called the envelope).</li>
</ul></li>
<li>Decryption process:<ul>
<li>The application extracts the encrypted data key from the envelope and sends it to the KMS <code>Decrypt</code> API. KMS decrypts it with the CMK; no key ID is needed for a symmetric key because the ciphertext blob carries metadata identifying the key that encrypted it.</li>
<li>The plaintext <strong>data key</strong> then decrypts the data locally.</li>
</ul></li>
<li>To encrypt data outside of AWS KMS:<ol>
<li>Call the <code>GenerateDataKey</code> operation to get a data key.</li>
<li>Use the plaintext data key (the <code>Plaintext</code> field of the response) to encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory.</li>
<li>Store the encrypted data key (the <code>CiphertextBlob</code> field of the response) with the encrypted data.</li>
</ol></li>
<li>To decrypt data outside of AWS KMS:<ol>
<li>Call the <a href="https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html">Decrypt</a> operation on the encrypted data key. It returns a plaintext copy of the data key.</li>
<li>Use the plaintext data key to decrypt the data outside of AWS KMS, then erase the plaintext data key from memory.</li>
</ol></li>
<li>Caveats: use an authenticated mode (AES-GCM) for the local encryption, never reuse a nonce with the same data key, and prefer one data key per object. <code>GenerateDataKeyWithoutPlaintext</code> exists for the case where the component that creates the envelope should never hold the plaintext key.</li>
</ul>

<h4 class="wp-block-heading">CloudHSM</h4>

<ul class="wp-block-list">
<li>Single-tenant hardware (KMS is multi-tenant).</li>
<li>FIPS 140-2 Level 3 validated.</li>
<li>Keys are entirely customer managed: you generate, manage and back up the keys yourself, and AWS has no access to them. CloudHSM can back a KMS <strong>custom key store</strong> if KMS-integrated services should use keys that live in your own HSM cluster.</li>
<li>Deployed in a VPC. For HA, deploy HSMs in at least 2 different AZs.</li>
<li>Supports cryptographic acceleration through standard interfaces (PKCS#11, JCE, KSP/CNG) for use cases such as SSL/TLS offload and Oracle TDE.</li>
</ul>
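<p>The envelope-encryption procedure described above, as an added example that is not part of the original post and not AWS code. Go is used because AES-GCM is in its standard library, so the example runs offline. <code>FakeKMS</code>, its blob layout, the alias <code>alias/app-key</code> and the sample data are all constructed for the example; in a real deployment the <code>GenerateDataKey</code> and <code>Decrypt</code> calls go to the KMS API (boto3, the AWS SDKs or the CLI) and the key ID lookup inside the blob is done by KMS. The stand-in models the points the notes make: <code>Encrypt</code> refuses more than 4096 bytes, the ciphertext blob identifies the key so <code>Decrypt</code> needs no key ID, rotation adds new material under the same key ID while old envelopes still decrypt, and the plaintext data key is erased after use.</p>

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// FakeKMS is a constructed in-memory stand-in for KMS (example only). Key material never leaves
// it; each key ID holds a list of material versions so rotation (new material, same ID) is modelled.
type FakeKMS struct{ keys map[string][][]byte }
const encryptLimit = 4096 // plaintext bytes the real KMS Encrypt API accepts
var errBadBlob = errors.New("InvalidCiphertextException")

func NewFakeKMS() *FakeKMS { return &FakeKMS{keys: map[string][][]byte{}} }
// CreateKey makes a symmetric AES-256 key; Rotate adds new material and keeps the old versions.
func (k *FakeKMS) CreateKey(id string) { k.keys[id] = [][]byte{randBytes(32)} }
func (k *FakeKMS) Rotate(id string)    { k.keys[id] = append(k.keys[id], randBytes(32)) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) } // unreachable: every key here is 32 bytes
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Encrypt models KMS Encrypt (4 KB limit, newest material). Constructed blob layout:
// len(id)|id|version|nonce|ciphertext; the header is bound as AAD, so Decrypt finds the key itself.
func (k *FakeKMS) Encrypt(id string, plaintext []byte) ([]byte, error) {
	if len(plaintext) > encryptLimit { return nil, errors.New("plaintext over 4096 bytes: use envelope encryption") }
	versions := k.keys[id]
	if len(versions) == 0 || len(id) > 255 { return nil, errors.New("NotFoundException: " + id) }
	ver := len(versions) - 1
	aead := gcm(versions[ver])
	header := append(append([]byte{byte(len(id))}, id...), byte(ver))
	nonce := randBytes(aead.NonceSize())
	ct := aead.Seal(nil, nonce, plaintext, header)
	return append(append(header, nonce...), ct...), nil
}

// Decrypt models KMS Decrypt for a symmetric key: key ID and version come from the blob itself.
func (k *FakeKMS) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(blob[0]) { return nil, errBadBlob }
	hdr := 2 + int(blob[0]) // length byte, id, version byte
	versions, ver := k.keys[string(blob[1:hdr-1])], int(blob[hdr-1])
	if ver >= len(versions) { return nil, errBadBlob } // unknown key or version
	aead := gcm(versions[ver])
	ns := aead.NonceSize()
	if len(blob) < hdr+ns { return nil, errBadBlob }
	pt, err := aead.Open(nil, blob[hdr:hdr+ns], blob[hdr+ns:], blob[:hdr])
	if err != nil { return nil, errBadBlob } // wrong key, wrong version or tampering
	return pt, nil
}

// GenerateDataKey models KMS GenerateDataKey: a fresh data key in plaintext plus its wrapped form.
func (k *FakeKMS) GenerateDataKey(id string) (plaintext, ciphertextBlob []byte, err error) {
	plaintext = randBytes(32)
	if ciphertextBlob, err = k.Encrypt(id, plaintext); err != nil { return nil, nil, err }
	return plaintext, ciphertextBlob, nil // KMS keeps no copy of the data key
}

type Envelope struct{ EncryptedDataKey, Nonce, Ciphertext []byte } // wrapped data key stored beside the data
func zero(b []byte) { for i := range b { b[i] = 0 } }

// EnvelopeEncrypt is the post's three encrypt steps: get a data key, encrypt locally, erase the key.
func EnvelopeEncrypt(k *FakeKMS, id string, data []byte) (Envelope, error) {
	dk, blob, err := k.GenerateDataKey(id)
	if err != nil { return Envelope{}, err }
	defer zero(dk) // the plaintext data key must not outlive this call
	aead := gcm(dk)
	nonce := randBytes(aead.NonceSize()) // one data key and one nonce per object; never reuse
	return Envelope{blob, nonce, aead.Seal(nil, nonce, data, nil)}, nil
}

// EnvelopeDecrypt is the two decrypt steps: unwrap via KMS Decrypt, decrypt locally, erase the key.
func EnvelopeDecrypt(k *FakeKMS, env Envelope) ([]byte, error) {
	dk, err := k.Decrypt(env.EncryptedDataKey)
	if err != nil { return nil, err }
	defer zero(dk)
	return gcm(dk).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	kms := NewFakeKMS()
	kms.CreateKey("alias/app-key")                        // constructed alias
	data := bytes.Repeat([]byte("secret record\n"), 1000) // ~14 KB, over the Encrypt limit
	if _, err := kms.Encrypt("alias/app-key", data); err != nil { fmt.Println("direct Encrypt:", err) }
	env, _ := EnvelopeEncrypt(kms, "alias/app-key", data)
	kms.Rotate("alias/app-key") // new material, same key ID
	out, err := EnvelopeDecrypt(kms, env)
	fmt.Println("old envelope still decrypts after rotation:", err == nil && bytes.Equal(out, data))
}
```

<p>Two design points carry over to real KMS use. The header of the wrapped key is authenticated as AAD, which is why a blob from one key cannot simply be re-labelled for another; the real service gives the same guarantee with its own metadata, and it is why <code>Decrypt</code> on a symmetric key takes no key ID. Zeroing the data key with <code>defer</code> is best effort only (the runtime may hold copies), which is the practical meaning of the "erase from memory" step in the notes.</p>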