Introduction to AWS Key Management Service (KMS)
Amazon Web Services Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services, including:
- Amazon S3
- Amazon EBS
- Amazon WorkMail
- Amazon Redshift
- Amazon Elastic Transcoder, and others.
These integrations make it simple to encrypt the data held in those services with keys that you manage.
Benefits of Key Management Services
The various benefits of AWS Key Management Services include:
Centralized Key Management Service
AWS KMS gives you centralized control of your encryption keys. You can create, import and rotate keys, define key policies that govern their use, and audit that use, from the AWS Management Console or with the AWS CLI or SDKs.
Master keys in KMS (AWS now calls them KMS keys, and earlier called them customer master keys), whether imported by you or created on your behalf by KMS, are stored in highly durable storage in encrypted form so that they can be retrieved when needed.
You can have KMS automatically rotate a master key once per year without re-encrypting data already encrypted under it. Automatic rotation applies only to keys whose key material KMS generated; a key with imported key material has to be rotated manually, by creating a new key, importing new material into it, and pointing your alias at the new key.
You do not need to track older versions of a master key: KMS keeps every version of the key material and uses the right one to decrypt data that was encrypted before a rotation.
You can create new master keys whenever you want, and control who can use each key and from which AWS services it may be used. You can also import key material from your own key-management infrastructure and use it in KMS.
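The "who can use the key, and from which service" control described above is expressed in the key's policy. The following is an added example of such a key policy, not a policy from the original page or from AWS documentation; the account ID 111122223333, the role name app-role and the Region are placeholders. The second statement lets the application role use the key only when the request arrives through Amazon S3 in us-east-1 (the kms:ViaService condition key), so a credential stolen from that role cannot call kms:Decrypt directly.

```json
{
  "Version": "2012-10-17",
  "Id": "example-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM policies and key administration from the account",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow app-role to use the key only through S3 in us-east-1",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}
      }
    }
  ]
}
```

Two points a reviewer would check: the first statement is the default that delegates key access to IAM policies in the account, so any IAM principal with kms:* in an identity policy can still use the key; narrow it to named administrators if the key protects something sensitive. And a key policy with no statement granting the account access can lock everyone out of the key, so always keep at least one administrator path.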
AWS Service Integration
AWS KMS is integrated with most other AWS services, so you can use KMS master keys to encrypt the data you store in those services.
You can use the default AWS managed key that KMS creates for you automatically and that can be used only from within the integrated service, or you can select a customer managed key that you created in KMS or imported from your own key-management infrastructure and that you have permission to use.
Audit Capabilities
If AWS CloudTrail is enabled for your account, every use of a key stored in KMS is recorded as an API event in a log file delivered to the Amazon S3 bucket you specified when you enabled CloudTrail. Each record includes the identity of the caller, the date and time, the API action (for example Decrypt or GenerateDataKey), and the key used. Because the only way to use a KMS key is to call the KMS API, this trail is a complete record of key use and the natural input for detecting misuse.
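As an added example of what a security team does with that trail (not code from the original page or from AWS), the Go program below reads CloudTrail records, one JSON object per line as a SIEM would flatten the Records array, keeps only KMS events, and raises a finding for three things: a KMS call that was denied, a key-administration action such as ScheduleKeyDeletion, and a key-use call from a principal outside an assumed per-key allow list. The records, account ID, key IDs and baseline are all constructed for illustration; only the field names match the real CloudTrail schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// CloudTrailEvent is the subset of CloudTrail record fields this audit reads.
type CloudTrailEvent struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	SourceIP     string `json:"sourceIPAddress"`
	ErrorCode    string `json:"errorCode"`
	UserIdentity struct {
		Type string `json:"type"`
		ARN  string `json:"arn"`
	} `json:"userIdentity"`
	Resources []struct {
		ARN  string `json:"ARN"`
		Type string `json:"type"`
	} `json:"resources"`
}

// Finding is one event worth a human's attention, and why.
type Finding struct {
	Reason string
	Event  CloudTrailEvent
}

// Baseline maps a key ARN to the principal ARN prefixes expected to use it
// (an assumed allow list; in practice derived from the key policy and history).
type Baseline map[string][]string

// Key-use operations that should come only from expected principals, and
// administrative operations that are always worth a finding.
var useOps = map[string]bool{"Encrypt": true, "Decrypt": true, "GenerateDataKey": true,
	"GenerateDataKeyWithoutPlaintext": true, "ReEncrypt": true}
var adminOps = map[string]bool{"ScheduleKeyDeletion": true, "DisableKey": true,
	"PutKeyPolicy": true, "DeleteImportedKeyMaterial": true}

func keyARN(e CloudTrailEvent) string {
	for _, r := range e.Resources {
		if r.Type == "AWS::KMS::Key" {
			return r.ARN
		}
	}
	return ""
}

func expected(base Baseline, key, principal string) bool {
	for _, p := range base[key] {
		if strings.HasPrefix(principal, p) {
			return true
		}
	}
	return false
}

// AuditKMSEvents scans newline-delimited CloudTrail records and returns findings in log order.
func AuditKMSEvents(ndjson string, base Baseline) []Finding {
	var out []Finding
	for _, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e CloudTrailEvent
		if json.Unmarshal([]byte(line), &e) != nil || e.EventSource != "kms.amazonaws.com" {
			continue // not a KMS event, or malformed; production code would count parse failures
		}
		switch {
		case e.ErrorCode != "":
			out = append(out, Finding{Reason: "denied KMS call", Event: e})
		case adminOps[e.EventName]:
			out = append(out, Finding{Reason: "sensitive key administration", Event: e})
		case useOps[e.EventName] && !expected(base, keyARN(e), e.UserIdentity.ARN):
			out = append(out, Finding{Reason: "key use by principal outside baseline", Event: e})
		}
	}
	return out
}

// Constructed sample records (not real CloudTrail output); the account and key IDs are fake.
const sampleEvents = `
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"10.0.1.5","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab","type":"AWS::KMS::Key"}]}
{"eventTime":"2024-05-01T10:00:05Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab","type":"AWS::KMS::Key"}]}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"203.0.113.7","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/9876fedc-98fe-76dc-54ba-0987654321fe","type":"AWS::KMS::Key"}]}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/admin"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab","type":"AWS::KMS::Key"}]}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"10.0.1.5","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},"resources":[]}
`

// exampleBaseline: only the application role is expected to use the first key.
var exampleBaseline = Baseline{
	"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab": {
		"arn:aws:sts::111122223333:assumed-role/app-role/"},
}

func main() {
	for _, f := range AuditKMSEvents(sampleEvents, exampleBaseline) {
		fmt.Printf("%s  %-38s %-20s %s\n", f.Event.EventTime, f.Reason, f.Event.EventName, f.Event.UserIdentity.ARN)
	}
}
```

On the sample input this reports three findings: the contractor's successful Decrypt on the application key, the contractor's AccessDenied on a second key (worth correlating with the first, since a denied call next to a successful one often means someone is exploring what their credentials can reach), and the admin scheduling the key for deletion. The app role's own Decrypt and the non-KMS S3 event produce nothing. Prefix matching on the assumed-role ARN is what lets the session name suffix vary without expanding the allow list.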
Scalability, Durability, and High Availability
AWS KMS is a managed service. As your use of KMS encryption keys grows, you do not have to buy additional key management infrastructure; KMS scales automatically to meet your needs.
Master keys created on your behalf by KMS, or imported by you, cannot be exported from the service. KMS stores multiple copies of encrypted versions of your keys in systems designed for 99.999999999% durability to help ensure that your keys are available when you need them.
If you import key material into KMS, you must securely keep a copy of it yourself, so that you can re-import it at any time (for example after it expires or is deleted). KMS is deployed in multiple Availability Zones within an AWS Region to provide high availability for your encryption keys.
Secure
AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext keys from the service.
The service uses FIPS 140-2 validated hardware security modules to protect the confidentiality and integrity of your keys, whether you ask KMS to generate keys on your behalf or import them into the service.
Your plaintext keys are never written to disk; they are used only in the volatile memory of the HSMs, for the time required to perform the cryptographic operation you requested. KMS keys are never transmitted outside the AWS Region in which they were created.
Updates to the KMS HSM firmware are controlled by multi-party access control that is reviewed and audited by an independent group within Amazon.
KMS Envelope Encryption
When you encrypt your data, the data is protected, but now you have to protect the encryption key. One strategy is to encrypt it too. Envelope encryption is the practice of encrypting plaintext data with a data key and then encrypting that data key under another key. You can encrypt the key-encryption key under yet another key, and so on.
Eventually, however, one key must remain in plaintext so that you can decrypt the chain of keys and then your data. This top-level plaintext key-encryption key is called the master key.
AWS KMS protects your master keys by storing and managing them for you. A master key stored in KMS (a customer master key, or CMK, now called a KMS key) never leaves the KMS FIPS-validated hardware security modules unencrypted. To use a KMS master key you must call the KMS API. For envelope encryption the usual call is GenerateDataKey, which returns a fresh data key both in plaintext and encrypted under the master key: you encrypt your data locally with the plaintext data key, discard it, and store the encrypted data key beside the ciphertext. To read the data back, you pass the encrypted data key to KMS Decrypt, receive the plaintext data key, and decrypt locally.
KMS Envelope Encryption Benefits
KMS envelope encryption gives several benefits, including:
- Protecting data keys
- Encrypting the same data or information under multiple master keys
- Combining the strengths of multiple algorithms
Protecting data keys
When you encrypt a data key, you do not have to worry about where to store the encrypted data key, because it is protected by the encryption itself. You can safely store the encrypted data key alongside the encrypted data.
Encrypting the same data under multiple master keys
Encrypting raw data repeatedly under different master keys is time-consuming, particularly when the objects are large. Instead of re-encrypting the raw data with each key, you re-encrypt only the small data keys that protect the raw data.
Combining the strengths of multiple algorithms
In general, symmetric-key algorithms are faster and produce smaller ciphertexts than public-key algorithms, but public-key algorithms offer an inherent separation of roles and easier key management. Envelope encryption lets you combine the strengths of each.
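The envelope encryption flow described under KMS Envelope Encryption, and the "re-encrypt only the data key" benefit from the section on encrypting the same data under multiple master keys, as an added example in Go. This is not code from the original page or from AWS: the KMS service is replaced by an in-process MockKMS that exposes the same three operations a client would call (GenerateDataKey, Decrypt and ReEncrypt) and never hands out a master key, and AES-256-GCM from the Go standard library plays the role of both the master-key wrap and the data encryption. The key IDs key-a and key-b and the sample record are made up for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// MockKMS stands in for AWS KMS: master keys never leave it, and callers see only
// GenerateDataKey, Decrypt and ReEncrypt, the surface the real service exposes.
// Keys live in process memory here, not in HSMs.
type MockKMS struct{ masters map[string][]byte }

// NewMockKMS creates one random 256-bit master key per caller-chosen ID
// (hypothetical IDs; the real service assigns key IDs itself).
func NewMockKMS(ids ...string) *MockKMS {
	k := &MockKMS{masters: map[string][]byte{}}
	for _, id := range ids {
		k.masters[id] = make([]byte, 32)
		if _, err := rand.Read(k.masters[id]); err != nil { panic(err) }
	}
	return k
}

// AES-256-GCM helpers; a fresh random 12-byte nonce is prepended to each ciphertext.
// An unknown key ID yields a nil key, which aes.NewCipher rejects, so lookups need no extra check.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func seal(key, pt, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return append(nonce, gcm.Seal(nil, nonce, pt, aad)...), nil
}
func unseal(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(data) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh data key comes back in plaintext
// and wrapped under the master key. The key ID is bound as associated data, so a
// wrapped data key cannot be opened under a different master key.
func (k *MockKMS) GenerateDataKey(keyID string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil { return nil, nil, err }
	wrapped, err = seal(k.masters[keyID], plain, []byte(keyID))
	return plain, wrapped, err
}

// Decrypt mirrors kms:Decrypt for a wrapped data key.
func (k *MockKMS) Decrypt(keyID string, wrapped []byte) ([]byte, error) {
	return unseal(k.masters[keyID], wrapped, []byte(keyID))
}

// ReEncrypt mirrors kms:ReEncrypt: the data key moves between master keys inside the
// service; its plaintext is never returned to the caller.
func (k *MockKMS) ReEncrypt(fromID string, wrapped []byte, toID string) ([]byte, error) {
	plain, err := k.Decrypt(fromID, wrapped)
	if err != nil { return nil, err }
	defer zero(plain)
	return seal(k.masters[toID], plain, []byte(toID))
}

// Envelope is what gets stored: ciphertext, the wrapped data key, and which master
// key wrapped it. No plaintext key is kept anywhere.
type Envelope struct {
	MasterKeyID                string
	WrappedDataKey, Ciphertext []byte
}

func EnvelopeEncrypt(kms *MockKMS, keyID string, plaintext []byte) (*Envelope, error) {
	dataKey, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil { return nil, err }
	defer zero(dataKey) // the plaintext data key lives only for this call
	ct, err := seal(dataKey, plaintext, nil)
	if err != nil { return nil, err }
	return &Envelope{MasterKeyID: keyID, WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

func EnvelopeDecrypt(kms *MockKMS, env *Envelope) ([]byte, error) {
	dataKey, err := kms.Decrypt(env.MasterKeyID, env.WrappedDataKey)
	if err != nil { return nil, err }
	defer zero(dataKey)
	return unseal(dataKey, env.Ciphertext, nil)
}

// Rewrap moves an envelope to another master key with one small KMS call; the
// (possibly huge) ciphertext is untouched.
func Rewrap(kms *MockKMS, env *Envelope, newKeyID string) (*Envelope, error) {
	w, err := kms.ReEncrypt(env.MasterKeyID, env.WrappedDataKey, newKeyID)
	if err != nil { return nil, err }
	return &Envelope{MasterKeyID: newKeyID, WrappedDataKey: w, Ciphertext: env.Ciphertext}, nil
}

func zero(b []byte) { for i := range b { b[i] = 0 } }

func main() {
	kms := NewMockKMS("key-a", "key-b")
	env, _ := EnvelopeEncrypt(kms, "key-a", []byte("constructed sample record"))
	moved, _ := Rewrap(kms, env, "key-b")
	pt, err := EnvelopeDecrypt(kms, moved)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Three details carry over to the real service. Binding the master key ID as associated data is the analogue of the encryption context you should pass to GenerateDataKey and Decrypt, which stops a wrapped key being replayed in a different context. The plaintext data key exists only inside EnvelopeEncrypt and EnvelopeDecrypt and is zeroed on exit; with real KMS it additionally never needs to be logged or persisted. And Rewrap shows why moving a large object to a new master key (or a new key after rotation) costs one small API call rather than a re-encryption of the object.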
Conclusion
AWS KMS provides you with centralized control over the encryption keys used to protect your information.
You can import, create, rotate, delete, disable, define usage policies for, and audit the use of encryption keys used to encrypt your information.