KMS - seanremenyi/Notes_aws_developer GitHub Wiki
## AWS Key Management Service (KMS)

- **Managed**: A managed service that makes it easy to create and control the encryption keys used to encrypt your data.
- **Integrated**: Seamlessly integrated with many AWS services, so encrypting data in those services is as easy as checking a box.
- **Simple**: With KMS it is simple to encrypt your data with encryption keys that you manage.
- KMS is multi-tenant, whereas CloudHSM gives you dedicated hardware.
- S3 encryption and client-side encryption are not key management solutions; they are ways of using keys, not ways of managing them.
## When to use KMS?

- Whenever you are dealing with sensitive information you want to keep secret: customer data, financial data, credentials, passwords, secrets, etc.

## What is a CMK?

- **Customer Master Key** (now called a "KMS key" in the AWS documentation).
- Can encrypt/decrypt data directly, but only up to 4 KB of plaintext per call.
- What is it used for? Generating, encrypting and decrypting the **data key**.
- **Data key**: Used to encrypt/decrypt your actual data. Encrypting data with a data key and the data key with the CMK is known as **envelope encryption**.
## Summary: CMK properties

- **Alias**: Your application can refer to the alias instead of the key ID when using the CMK.
- **CreationDate**: The date and time when the CMK was created.
- **Description**: You can add your own description of the CMK.
- **Key state**: Enabled, Disabled, Pending deletion, Unavailable.
- **Key material**: Customer-provided or AWS-provided. It stays inside KMS and can never be exported from KMS.
## Setting up a CMK

1. Create an alias and description.
2. Choose the key material option: generated by KMS, your own imported material, or a CloudHSM-backed custom key store.
3. **Key administrative permissions**: IAM users and roles that can administer the key (create aliases, rotate, schedule deletion, change the key policy) through the KMS API, but not use it to encrypt or decrypt.
4. **Key usage permissions**: IAM users and roles that can use the key to encrypt and decrypt data.

Keeping the administrator and user sets separate is the point: an administrator can manage the key without being able to read data under it, and a user can encrypt/decrypt without being able to delete or reconfigure the key.
## Key types

- **AWS-managed CMK**: Provided and managed by AWS. Used on your behalf by the AWS services integrated with KMS (for example the `aws/s3` key).
- **Customer-managed CMK**: You create, own and manage it yourself, including its key policy and rotation.
- **Data key**: An encryption key you use to encrypt data, including large amounts of data, outside KMS. You use a CMK to generate, encrypt and decrypt data keys.
## Understanding KMS API calls

- `aws kms encrypt`: Encrypts plaintext (up to 4 KB) into ciphertext using a customer master key.
- `aws kms decrypt`: Decrypts ciphertext that was encrypted by a KMS customer master key (CMK). The CMK to use is recorded in the ciphertext blob.
- `aws kms re-encrypt`: Decrypts ciphertext and then re-encrypts it entirely within KMS, so the plaintext never leaves the service (e.g. when you change the CMK or manually rotate it).
- `aws kms enable-key-rotation`: Enables automatic key rotation (every 365 days by default) for a customer-managed CMK with KMS-generated key material; old key material is kept so existing ciphertext still decrypts.
- `aws kms generate-data-key`: Uses a CMK to generate a data key for encrypting data larger than 4 KB. It returns both the plaintext data key and a copy of it encrypted under the CMK.
## Envelope encryption

A process for encrypting your data that applies to anything larger than 4 KB.

- **Why use it? Network performance.** When you encrypt data directly with KMS, the data itself must be transferred over the network to KMS. With envelope encryption only the data key goes over the network, not your data.
- **Benefit.** The data key is used locally in your application or AWS service, avoiding the need to transfer large amounts of data to KMS.
- **Encrypting the key that encrypts our data.** The CMK is used to encrypt the data key (also called the envelope key); the data key encrypts our data. You store the encrypted data key alongside the ciphertext and ask KMS to decrypt only that key when you need the data back.
- Remember the `GenerateDataKey` API call.
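Putting the API calls and the envelope pattern above together, here is an added example (not code from this wiki or from AWS). `FakeKms` is a constructed in-memory stand-in that exposes the boto3 method names used in the notes (`encrypt`, `decrypt`, `generate_data_key`) and enforces the real 4 KB `Encrypt` limit, so the code runs offline; pass `boto3.client("kms")` and a real key ARN to `envelope_encrypt`/`envelope_decrypt` to run it for real. The local bulk cipher (`_seal`/`_open`) is an HMAC-SHA256 counter-mode keystream plus an HMAC tag, used only because the Python standard library has no AES; in production encrypt the data under the data key with AES-GCM (for example from the `cryptography` package).

```python
"""Envelope encryption against a KMS-style client (added example, not from the wiki)."""
import hashlib
import hmac
import os
import struct

KMS_PLAINTEXT_LIMIT = 4096  # KMS Encrypt accepts at most 4 KB of plaintext per call


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode: keystream blocks are HMAC(key, nonce || counter), XORed onto data.
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
                  for i in range(blocks))[:len(data)]
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(data), "big")


def _seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    # Encrypt-then-MAC. Output: nonce || ciphertext || tag; the tag also covers aad.
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct + aad, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct + aad, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or wrapped key was tampered with")
    return _xor_keystream(enc_key, nonce, ct)


class FakeKms:
    """Constructed stand-in for boto3's KMS client; CMK material never leaves this object."""

    def __init__(self):
        self._cmks = {}  # KeyId -> 256-bit CMK material (hypothetical key store)

    def create_key(self):
        key_id = "fake-cmk-" + os.urandom(4).hex()
        self._cmks[key_id] = os.urandom(32)
        return {"KeyMetadata": {"KeyId": key_id}}

    def encrypt(self, KeyId, Plaintext):
        if len(Plaintext) > KMS_PLAINTEXT_LIMIT:  # same limit the real API enforces
            raise ValueError("ValidationException: plaintext exceeds 4096 bytes")
        # The key id is embedded in the blob, so Decrypt needs no KeyId argument (as in real KMS).
        return {"CiphertextBlob": KeyId.encode() + b"|" + _seal(self._cmks[KeyId], Plaintext), "KeyId": KeyId}

    def decrypt(self, CiphertextBlob):
        key_id, sealed = CiphertextBlob.split(b"|", 1)
        return {"Plaintext": _open(self._cmks[key_id.decode()], sealed), "KeyId": key_id.decode()}

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        data_key = os.urandom(32 if KeySpec == "AES_256" else 16)
        return {"Plaintext": data_key, "KeyId": KeyId,
                "CiphertextBlob": self.encrypt(KeyId=KeyId, Plaintext=data_key)["CiphertextBlob"]}


def envelope_encrypt(kms, key_id: str, data: bytes) -> dict:
    """One GenerateDataKey call, then encrypt locally; only the wrapped key is stored."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    # Binding the wrapped key as AAD stops a ciphertext being paired with a different key blob.
    ciphertext = _seal(resp["Plaintext"], data, aad=resp["CiphertextBlob"])
    # resp["Plaintext"] is used once here and never persisted alongside the ciphertext.
    return {"encrypted_data_key": resp["CiphertextBlob"], "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope: dict) -> bytes:
    """Only the small wrapped key goes to KMS Decrypt; the bulk data never leaves the host."""
    resp = kms.decrypt(CiphertextBlob=envelope["encrypted_data_key"])
    return _open(resp["Plaintext"], envelope["ciphertext"], aad=envelope["encrypted_data_key"])


def demo(size: int = 200_000) -> dict:
    """Show why envelope encryption exists: direct Encrypt fails above 4 KB, the envelope does not."""
    kms = FakeKms()
    key_id = kms.create_key()["KeyMetadata"]["KeyId"]
    data = os.urandom(size)  # constructed sample payload, far larger than 4 KB
    try:
        kms.encrypt(KeyId=key_id, Plaintext=data)
        direct_ok = True
    except ValueError:
        direct_ok = False
    env = envelope_encrypt(kms, key_id, data)
    return {"direct_encrypt_accepted": direct_ok,
            "wrapped_key_bytes": len(env["encrypted_data_key"]),
            "roundtrip_ok": envelope_decrypt(kms, env) == data}


if __name__ == "__main__":
    print(demo())
```

The shape of the envelope is the part to carry over to real code: store `CiphertextBlob` from `GenerateDataKey` next to the ciphertext, never the plaintext data key, and call `Decrypt` on that blob only when you need to read the data. The key ID is embedded in the blob by KMS, which is why `Decrypt` takes no `KeyId`.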