Treat all your information in the cloud as if someone is trying to steal it. Encrypt data at all times, both in transit and at rest (storage). Encryption of data at rest is done using encryption keys and algorithms.

AWS KMS (Key Management Service) is an excellent managed service that does the heavy lifting of managing the lifecycle of keys (aka Key Management Infrastructure). These keys are used to encrypt and protect data within our custom applications and within AWS managed services such as S3 and EBS.

Types of Keys

KMS Customer Master Key (KMS CMK)

Customer Master Key is the main resource that is created and managed in KMS. CMKs are symmetric keys that are used to generate, encrypt and decrypt data keys. CMKs are never exported outside of AWS and are primarily addressed via Key Alias or Key ID. CMKs are not directly used for encrypting the data but are used to generate a data key that in turn is used for encrypting the data.

Customer managed CMK (this name feels like going in circles)

This key is created and managed by the AWS customer for their custom applications, or for AWS managed services, to encrypt and decrypt data. These keys can be disabled and enabled by customers.

AWS managed CMK

This key is created and managed by AWS itself for AWS managed services to encrypt and decrypt data. These are default keys created for services such as S3, EBS etc. and can be used in the absence of customer managed CMKs. They cannot be disabled or enabled by customers.

Data Key

The Data Key is an encryption key that is generated using a CMK. Custom applications or AWS services use data keys to encrypt and decrypt data. Data keys can be exported as plain text or encrypted by the CMK. KMS does not manage the lifecycle of data keys and does not store them; storing and tracking data keys is the responsibility of the applications or AWS services that use them.

The Process of Data Encryption

Using a Customer Master Key, a Data Key is generated. This Data key will be created in both the plain text format (plain data key) and encrypted format (encrypted data key) by the Customer Master Key. KMS uses the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys for encryption.

Applications or AWS services use the plain data key in memory to encrypt the data, then store the encrypted data along with the encrypted data key. KMS does not store data keys in any form; it is the responsibility of the application or AWS service to store the encrypted data key along with the encrypted data.

When it is time to decrypt the data, the application or AWS service retrieves the encrypted data key associated with the encrypted data, sends it to KMS to be decrypted into its plain text form (the plain data key), and uses that key to decrypt the encrypted application data.

The practice of using a master key to encrypt data keys used by applications/aws services is known as envelope encryption.

Encryption Context

AWS Encryption SDK libraries make the encryption and decryption of data easier within the custom applications. These operations accept an optional set of key–value pairs that can contain additional contextual information about the data. This set of key–value pairs is called encryption context. When encryption context is used with an encryption operation, the encryption context for the corresponding decryption operation must match for the decryption to succeed.
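The envelope encryption flow of the previous section and the encryption context check, as an added example (not code from this post and not AWS's own KMS implementation). A 32-byte slice stands in for the CMK material that real KMS keeps inside the service, the KMS API calls (GenerateDataKey, Decrypt) are replaced by local AES-256-GCM operations, and the encryption context is bound to the wrapped data key as GCM additional authenticated data, so a decrypt with a different context fails as the section describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)
// aead returns AES-256-GCM, the mode and key size KMS uses; every key built here is 32 bytes.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}
// seal prefixes a random nonce to the ciphertext; aad is authenticated but not encrypted.
func seal(key, pt, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, aad)
}
func open(key, ct, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}
// EnvelopeEncrypt plays GenerateDataKey plus the local encrypt step: cmk stands in for master key
// material that never leaves real KMS. The plain data key is used in memory only and returned
// wrapped, with the encryption context bound as AAD (json.Marshal sorts map keys, so it is canonical).
func EnvelopeEncrypt(cmk, data []byte, ctx map[string]string) (ciphertext, wrappedKey []byte) {
	plainKey := make([]byte, 32)
	rand.Read(plainKey)
	aad, _ := json.Marshal(ctx)
	return seal(plainKey, data, nil), seal(cmk, plainKey, aad)
}
// EnvelopeDecrypt unwraps the data key (the KMS Decrypt call), which fails when the context differs.
func EnvelopeDecrypt(cmk, ciphertext, wrappedKey []byte, ctx map[string]string) ([]byte, error) {
	aad, _ := json.Marshal(ctx)
	plainKey, err := open(cmk, wrappedKey, aad)
	if err != nil {
		return nil, err
	}
	return open(plainKey, ciphertext, nil)
}
```

Only the ciphertext and the wrapped key are returned to the caller for storage; the plain data key never leaves the function, which is the property envelope encryption is meant to give you.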

Access to Keys

Key Policies are the primary way to control access to customer master keys. A key policy is a JSON document that specifies permissions. Key policies can be used to manage access to customer managed CMKs, but not to AWS managed CMKs.

Grants are another mechanism for providing permissions, an alternative to the key policy. Grants can be used to give long-term access that allows AWS principals to use customer managed CMKs.

IAM policies (identity-based policies) and Key Policies (resource-based policies) are used in combination to control access to CMKs. IAM policies by themselves are not sufficient to allow access to a KMS CMK. The CMK’s key policy must also allow access.

Rotating Customer Master Keys

Rotating CMKs periodically is a security best practice. There are two options for rotating CMKs. Manually create a new CMK and update the key alias to point at the new Key ID, so that applications start using the new CMK. Alternatively, enable Automatic Key Rotation, in which case AWS rotates the key every year. Automatic rotation is available only for customer managed CMKs with KMS-generated key material, not for CMKs with imported key material.

AWS KMS saves the CMK’s older cryptographic material so it can be used to decrypt data that was encrypted with it.

AWS KMS automatically rotates AWS managed CMKs every three years and this can’t be managed by customers.

When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data.

Deleting Customer Master Keys

CMKs can be deleted, but once a CMK is deleted, data encrypted under data keys that were encrypted by that CMK can no longer be decrypted. It is a best practice to disable the key and monitor for any usage of the CMK before permanently deleting it.

Monitor Keys Usage Metrics

It is a best practice to monitor key usage metrics for both control plane and data plane operations. Control plane operations include enabling, disabling and deleting keys; data plane operations include generating data keys, encrypting and decrypting.
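The control-plane versus data-plane split applied to KMS events in a CloudTrail log file, which is where KMS API calls are recorded, as an added example that is not from this post. The log excerpt is constructed, the key id is a placeholder, and the list of alert-worthy API names is my choice rather than an AWS-defined set.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Record holds the CloudTrail fields this check needs; everything else is ignored.
type Record struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	UserIdentity struct {
		Arn string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		KeyID string `json:"keyId"`
	} `json:"requestParameters"`
}
// controlPlane lists KMS API names that change a key's state or who may use it;
// each occurrence is worth an alert because they are rare in normal operation.
var controlPlane = map[string]bool{
	"DisableKey": true, "EnableKey": true, "ScheduleKeyDeletion": true, "CancelKeyDeletion": true,
	"PutKeyPolicy": true, "CreateGrant": true, "DisableKeyRotation": true, "DeleteImportedKeyMaterial": true,
}
// Classify returns one alert line per control-plane event and a per-API count of data-plane calls.
func Classify(logFile []byte) (alerts []string, dataPlane map[string]int, err error) {
	var f struct{ Records []Record }
	if err := json.Unmarshal(logFile, &f); err != nil {
		return nil, nil, err
	}
	dataPlane = map[string]int{}
	for _, r := range f.Records {
		if r.EventSource != "kms.amazonaws.com" {
			continue
		}
		if controlPlane[r.EventName] {
			alerts = append(alerts, fmt.Sprintf("%s %s on %s by %s", r.EventTime, r.EventName, r.RequestParameters.KeyID, r.UserIdentity.Arn))
		} else {
			dataPlane[r.EventName]++
		}
	}
	return alerts, dataPlane, nil
}
// sample is a constructed CloudTrail excerpt (not real log data); the key id is a placeholder.
const sample = `{"Records":[
{"eventTime":"2020-01-01T10:00:00Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/InvoiceServiceRole/i-0abc"},"requestParameters":{"keyId":"alias/invoices"}},
{"eventTime":"2020-01-01T10:00:01Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/InvoiceServiceRole/i-0abc"},"requestParameters":{"keyId":"alias/invoices"}},
{"eventTime":"2020-01-01T11:30:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"keyId":"KEY-ID-PLACEHOLDER","pendingWindowInDays":7}},
{"eventTime":"2020-01-01T11:31:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
]}`
```

Run against the sample, the two data-plane calls are counted per API and the single ScheduleKeyDeletion surfaces as an alert naming the key and the IAM user, which is the signal to act on during the disable-and-monitor window before a deletion.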

What KMS is not

KMS does not support asymmetric keys or asymmetric encryption and decryption.

KMS is not a dedicated, single-tenant solution like CloudHSM for managing a PKI that supports both asymmetric and symmetric key use cases.

It is imperative that customers using the AWS Cloud take advantage of KMS to secure data at rest, for both custom applications and managed services, and for that purpose KMS is a fine service.