26.294: Key Management Service - Coggle Diagram
KMS
"encryption" in AWS = KMS
AWS manages encryption keys for us
Fully integrated with IAM for authorization
Control access to your data
Audit KMS Key usage using CloudTrail
Seamlessly integrated into most AWS services (EBS, S3, RDS, SSM..)
Never ever store your secrets in plaintext, especially in your code!
KMS Key Encryption also available through API calls (SDK, CLI)
Encrypted secrets can be stored in the code/env variables
Key Types
KMS Keys is the new name for KMS Customer Master Keys (CMK)
Symmetric (AES-256 Keys)
Single encryption key that is used to Encrypt and Decrypt
AWS services that are integrated with KMS use Symmetric CMKs
You never get access to the KMS key unencrypted (must call KMS API to use)
Asymmetric (RSA & ECC key pairs)
Public (Encrypt) and Private Key (Decrypt) pair
Used for Encrypt/Decrypt or Sign/Verify operations
The public key is downloadable, but you can't access the private key unencrypted
Use case: encryption outside of AWS by users who can't call the KMS API
Types of KMS Keys
AWS Owned key (SSE-S3, SSE-SQS, SSE-DDB)
AWS Managed key: free (aws/service-name, ex: aws/rds or aws/ebs)
Customer managed keys created in KMS: $1/month
Customer managed keys imported: $1/month
Plus pay for API calls to KMS ($0.03 / 10,000 calls)
Auto Key rotation
AWS managed key: Auto every 1 year
Customer managed KMS key: auto every 1 year
Imported KMS key: only manual rotation possible using alias
KMS Key Policies
Control access to KMS keys, "similar" to S3 bucket policies
Difference: you cannot control access to a KMS key without a key policy
Default KMS Key Policy
Created if you don't provide a specific KMS Key Policy
Gives complete access to the key to the root user = the entire AWS account
Custom KMS Key Policy
Define users, roles that can access the KMS key
Define who can administer the key
Useful for cross-account access to your KMS key
Copy snapshots across accounts
Create a snapshot, encrypted with your own KMS key
Attach a KMS Key Policy to authorize cross-account access
Share the encrypted snapshot with the target account
In the target account, create a copy of the snapshot and encrypt it with a KMS key owned by that account
Create a volume from the copied snapshot
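A custom KMS Key Policy that implements the cross-account sharing step of the snapshot procedure above (and the "who can use vs. who can administer" distinction of the Custom KMS Key Policy node). This is an added example, not part of the original diagram; the account IDs 111122223333 (key owner) and 444455556666 (target account) are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key by the target account",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:root" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:root" },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "kms:GrantIsForAWSResource": "true" }
      }
    }
  ]
}
```

The first statement is the default policy (root = the whole owning account, delegated through IAM), the second lets the target account decrypt the shared snapshot, and the third lets EBS create the grant it needs when a volume is built from it; the target account's copy is then re-encrypted with a key that account owns, so this policy only has to cover the copy step.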