DEV Community

Zahraa Jawad

ENCRYPTION BY AWS KMS SERVICE

Outline

  • What is AWS KMS?
  • Comparison of AWS KMS with Other Encryption Services
  • Comparing Encryption Methods in AWS KMS
  • Best Practices for Securing Encrypted Data in AWS KMS
  • Advanced Encryption Techniques
  • How to generate AWS KMS encryption keys

What is AWS KMS?

AWS Key Management Service (KMS) is a service provided by Amazon Web Services (AWS) that allows the generation and management of keys used to encrypt data in an AWS environment.
AWS KMS provides an API that can be used to create, import, and manage keys, as well as encrypt and decrypt data with those keys.
AWS KMS uses trusted encryption methods such as AES-256 to secure keys and data. This service allows the protection of sensitive data from unauthorized access and ensures compliance with security standards and applicable legislation.
With AWS KMS, keys can be generated and stored inside the service, and data is encrypted with these keys. KMS can also be used to control access to keys, manage key lifecycles, delegate access to keys, and monitor key-related activities.

In short, AWS KMS provides the ability to create and manage your own keys and encrypt data with those keys in a secure and trusted way in an AWS environment.


Comparison of AWS KMS with Other Encryption Services

AWS KMS
AWS Key Management Service (KMS) is a fully managed service that makes it easy to create and control the encryption keys used to encrypt your data. It integrates with other AWS services to provide seamless encryption for your data, and allows you to manage your encryption keys through the AWS Management Console, AWS CLI, or AWS SDKs.

Other Encryption Services
Other encryption services in the market include Microsoft Azure Key Vault, Google Cloud KMS, and HashiCorp Vault. These services offer similar functionality to AWS KMS, but may differ in terms of pricing, ease of use, and integration with other services.

Comparing Encryption Methods in AWS KMS


Best Practices for Securing Encrypted Data in AWS KMS

Use Strong Access Controls

  • Ensure that only authorized users and services can access your encryption keys.
  • Use AWS Identity and Access Management (IAM) policies to restrict access to the KMS API and specific KMS keys.
  • Use AWS CloudTrail to audit key usage and changes.

Encrypt Your Data Before Storing It

  • Encrypt data with AWS KMS keys before storing it. This ensures that the data is protected even if the underlying storage is compromised.
  • Use client-side encryption libraries to encrypt data before sending it to AWS KMS.

Key Management

  • Follow the principle of least privilege when granting access to KMS keys.
  • Use AWS CloudTrail to monitor and log all key usage.
  • Rotate keys regularly to minimize the impact of a compromised key.

Encryption

  • Use envelope encryption to encrypt large amounts of data.
  • Encrypt data at rest using KMS-managed keys.
  • Use AWS KMS to encrypt data in transit.

AWS KMS: Advanced Encryption Techniques

Custom Key Management

A custom key store is a logical key store within AWS KMS that is backed by a key manager outside of AWS KMS that you own and manage. Custom key stores combine the convenient and comprehensive key management interface of AWS KMS with the ability to own and control the key material and cryptographic operations. AWS KMS allows for custom key management, giving users greater control over their encryption keys. Users can create and manage their own keys, or use AWS-managed keys for added convenience.

Envelope Encryption

AWS KMS supports envelope encryption, which adds an extra layer of security to encryption keys.
With envelope encryption, data is encrypted with a data key, which is then encrypted with a master key.
This provides an additional layer of protection, as the master key itself is never exposed alongside the data being encrypted.
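The data-key / master-key split described above, as an added example that is not part of the original post. It drives envelope encryption through the two boto3 KMS calls the pattern needs (`generate_data_key` and `decrypt`, which return `Plaintext` and `CiphertextBlob`), and substitutes an in-memory stand-in for the KMS client so it runs offline; the `InMemoryKms` class, the `alias/key1` id and the HMAC-based stand-in for AES-256-GCM are assumptions of this example, not AWS code.

```python
import hashlib, hmac, os

# Stdlib-only authenticated stream cipher (HMAC-SHA256 keystream in counter mode
# plus an HMAC tag). A stand-in for the AES-256-GCM that AWS uses; the envelope
# logic below does not depend on the cipher.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def aead_encrypt(key, plaintext):
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if len(blob) < 44 or not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class InMemoryKms:
    """Offline stand-in (constructed for this example) for boto3's KMS client:
    same call and response names for the two calls envelope encryption needs.
    The master key never leaves this object, as a KMS key never leaves AWS KMS."""
    def __init__(self, key_id="alias/key1"):
        self.key_id, self._master = key_id, os.urandom(32)

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        data_key = os.urandom(32)
        return {"KeyId": KeyId, "Plaintext": data_key,
                "CiphertextBlob": aead_encrypt(self._master, data_key)}

    def decrypt(self, CiphertextBlob, KeyId=None):
        return {"KeyId": self.key_id,
                "Plaintext": aead_decrypt(self._master, CiphertextBlob)}

def envelope_encrypt(kms, key_id, plaintext):
    """Returns (encrypted data key, ciphertext): store both together.
    The plaintext data key is used once here and then dropped."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    return dk["CiphertextBlob"], aead_encrypt(dk["Plaintext"], plaintext)

def envelope_decrypt(kms, encrypted_data_key, ciphertext):
    """Asks KMS to unwrap the data key, then decrypts the data locally."""
    data_key = kms.decrypt(CiphertextBlob=encrypted_data_key)["Plaintext"]
    return aead_decrypt(data_key, ciphertext)
```

Against a real account, `kms = boto3.client("kms")` and a key id or alias from your console take the place of `InMemoryKms()`; every decryption still has to go through KMS, which is what makes key policies and CloudTrail logging effective.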

How to generate AWS KMS encryption keys

  • Log in to the AWS Management Console.
  • From Services or the search box, choose Key Management Service.


From the AWS KMS dashboard, choose Customer managed keys.


  • The previously created keys (here, key1) are listed.
  • To create a new encryption key, select Create key.

Note: the previously created key is still listed because its deletion is still in progress. An encryption key cannot be deleted immediately; the deletion process takes at least seven days to complete.

Key type:

  • Choose the type of encryption key, Symmetric or Asymmetric (here we choose a symmetric encryption key).

Key usage:

  • Use the key only to encrypt and decrypt data.
  • Use the key only to generate and verify hash-based message authentication codes (HMAC).

Advanced options:

Key material origin - where the key material used by AWS KMS comes from:

  • KMS: the key material is generated inside AWS KMS.
  • External: you bring your own key material; if you already have a symmetric 256-bit key management system, you can import its key material into your KMS key.
  • AWS CloudHSM key: the key is backed by a custom key store in AWS CloudHSM.


Choose the key generation Region:

  • Create a KMS key in a single AWS Region (the default).
  • Or create a KMS key that you can replicate to multiple AWS Regions.
  • Then click on Next.

Add labels:

  1. Provide a name for the key.
  2. Provide a description for the key (optional).


Tags (optional):

  • You can use tags (Add Tag) to categorize and identify your KMS keys and to help you track your AWS costs. When you add tags to AWS resources, AWS generates a cost allocation report for each tag.
  • Then click on Next.


Define key administrative permissions:

  • We choose the IAM users and roles that can manage this key through the KMS API. You may need to add additional permissions for users or roles to manage this key from this console.


Key deletion:

  • To allow key administrators to delete this key, select the check box.

Define key usage permissions:

  • We define which IAM users and roles can use the KMS key for encryption operations.


  • Additional AWS accounts can be added that can use this key. (Administrators of the accounts you specify are responsible for managing the permissions that allow IAM users and their roles to use this key).
  • Then click on Next.
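The key administrator and key user steps above, and the least-privilege and IAM-policy advice under Best Practices, are both expressed in the KMS key policy the wizard writes for you. As an added example (not code from the original post or from AWS), the block below builds the equivalent policy, adds the deletion actions only when the Key deletion box is checked, and audits a policy for three least-privilege problems; the account id, role ARNs and statement Sids are constructed placeholders.

```python
import json

# Constructed placeholders, not real account ids or principals.
ACCOUNT = "111122223333"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource"]
DELETE_ACTIONS = ["kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def build_key_policy(admin_arns, user_arns, allow_admin_delete=False):
    """Statements equivalent to the wizard's administrator and key-user steps;
    the deletion actions appear only when the 'Key deletion' box is checked."""
    admin = ADMIN_ACTIONS + (DELETE_ACTIONS if allow_admin_delete else [])
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": admin_arns}, "Action": admin, "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": user_arns}, "Action": USE_ACTIONS, "Resource": "*"}]}

def audit_key_policy(policy):
    """Least-privilege review of a key policy; returns findings (empty = clean)."""
    findings = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        principal = st["Principal"]
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        actions = _as_list(st["Action"])
        sid = st.get("Sid", "<no Sid>")
        if "*" in arns:                       # any AWS principal (or anonymous) can use the key
            findings.append(f"{sid}: grants access to any principal")
        if "kms:*" in actions and any(a != ROOT for a in arns):
            findings.append(f"{sid}: kms:* granted to a non-root principal")
        uses = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"} & set(actions)
        admins = {"kms:ScheduleKeyDeletion", "kms:Put*", "kms:*"} & set(actions)
        if uses and admins:                   # no separation between key admins and key users
            findings.append(f"{sid}: mixes key-use and key-administration actions")
    return findings

if __name__ == "__main__":
    admins = [f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"]
    print(json.dumps(build_key_policy(admins, [f"arn:aws:iam::{ACCOUNT}:role/AppRole"]), indent=2))
```

The root statement is how KMS delegates to IAM policies, so `kms:*` there is expected; the audit flags it only when it reaches any other principal.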

Review:

  • Reviewing all created encryption key configurations.

  • The AWS KMS encryption key has been generated successfully.


  • Some actions can be taken on the key, such as enabling it for use in encryption, disabling it, or deleting it. To do this, select the key's checkbox and choose the action from the Key actions menu.

Encrypt Data with the CMK

After generating an AWS KMS encryption key, it can be used to encrypt sensitive application data stored in EC2 volume storage, in databases, or in object stores such as S3.

For example, in the EC2 service, when an instance is created, the volume storage can be encrypted by selecting encryption in the encryption box.

Also, data can be encrypted when creating new volume storage:

  • Select the Encrypt this volume checkbox.
  • Then choose the encryption key.


Sensitive application data stored in object stores such as S3 can be encrypted with AWS KMS.
When creating the bucket:

  1. Choose to encrypt objects with AWS KMS.
  2. Choose the key generated by AWS KMS.
  3. Then choose the encryption key that was generated.


Deletion of the Encryption key AWS KMS

You should delete a KMS key only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the KMS key instead of deleting it. You can re-enable a disabled KMS key and cancel the scheduled deletion of a KMS key, but you cannot recover a deleted KMS key. You can only schedule the deletion of a customer managed key. You cannot delete AWS managed keys or AWS owned keys.

However, you might choose to delete a KMS key for one or more of the following reasons:

  • To complete the key lifecycle for KMS keys that you no longer need.
  • To avoid the management overhead and costs associated with maintaining unused KMS keys.
  • To reduce the number of KMS keys that count against your KMS key resource quota.

To delete the encryption key:

  • Select the key to be deleted using its checkbox.
  • From Key actions, choose Schedule key deletion.

From Schedule key deletion:

  1. Enter a waiting period between 7 and 30 days (Since deleting a KMS key is disruptive and potentially dangerous, AWS KMS requires you to set a waiting period of 7 to 30 days. The default waiting period is 30 days).
  2. Then select the checkbox to confirm the scheduled key deletion.
  3. Then click on Schedule deletion.


  • The key deletion has been scheduled successfully, which you can see from the key's status (Pending deletion).
