KMS, CMKs, user, Data > 4KB - Coggle Diagram
KMS
    CMK
        backed by physical key material
        created or imported
        logical: ID, creation date, key policy, description and state of the key
        can be used to directly encrypt/decrypt data of up to 4 KB
    Regional and public service
    Create/Store/Manage keys
    Symmetric/Asymmetric keys
    Cryptographic operations
    FIPS 140-2

CMKs
    AWS Managed
        AWS managed CMKs are created automatically when a service such as S3 uses KMS
    Customer Managed
        Customer managed CMKs are created by the customer
    Keys never leave the region
    Supports key rotation
    Alias per region (apps can use aliases instead of key IDs)
    Key Policy
    IAM Policy

user
    create key
        CMK
            KMS encrypts the CMK
    plain text
        makes encrypt call specifying the key
            KMS verifies whether the user has permission
            KMS decrypts the CMK
            encrypts the data
                cipher text
    Decrypt call
        KMS
            does the user have permission to decrypt?
                Yes
                    KMS decrypts the CMK
                    decrypts the cipher text

Data > 4KB
    KMS generates a DEK using the CMK
    2 versions of the DEK: a plaintext version and an encrypted version
    KMS then discards the plaintext DEK. KMS doesn't encrypt/decrypt data using the DEK; the service or you have to use the DEK for that.
    1 DEK can be used to encrypt 1 file or a million files