I've been doing a lot of security-related work recently, so here's a summary of KMS keys and the different types.
Types of encryption:
Symmetric Encryption - Uses the same key for both encryption and decryption, commonly used for encrypting large amounts of data.
Asymmetric Encryption - Uses a public key to encrypt and a private key to decrypt, useful for secure key exchange and digital signatures.
Envelope Encryption - Encrypts data with a data key (symmetric) and then encrypts that data key with a master key (asymmetric). The top-level key itself must remain unencrypted, since it is the root of the chain.
What is a KMS key?
A KMS key is a logical representation of a cryptographic key in AWS Key Management Service. It is used to encrypt and decrypt data across AWS services and applications, and it contains key material, metadata, and policies that control access. The key material can be generated by AWS or imported by the customer. KMS keys can be symmetric or asymmetric, and their use is logged through CloudTrail for auditing, compliance, and security.
Key types:
1. AWS Managed Keys
Encryption keys created, owned, and managed by AWS for use in AWS services. Customers can't manage their properties directly.
When you use an AWS Managed Key, it is theoretically possible for AWS to decrypt your data without your being aware of it. AWS is, however, contractually forbidden from using any AWS KMS key (including AWS Managed Keys) to access or decrypt your data except as required to operate the service or to comply with the law.
2. Customer Managed Keys (CMK)
Customer-created keys in KMS over which the customer has full control of permissions, rotation, and lifecycle. The customer is responsible for creating, updating, revoking, and deleting a CMK. Using a CMK may be required for regulatory or compliance reasons for workloads that handle sensitive data such as healthcare data.
Key Rotation
AWS Managed Keys - These keys are automatically rotated every year.
CMK - Automatic key rotation can be enabled for symmetric CMKs that don't have imported key material.
Asymmetric CMKs - Must be rotated manually by creating a new key and updating aliases to point at it.
CMKs with Imported Key Material - Must be rotated manually by re-importing key material or creating a new key.