Ref: https://learn.cantrill.io/courses/1820301/lectures/41301479
DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301480
AWS KMS - Overview
- 🔧 Creates and manages cryptographic keys
- Support for both symmetric (basic functionality) & asymmetric (advanced) keys
- Can perform crypto ops (cryptographic operations) like encrypt/decrypt with keys
- ‼️ Keys NEVER leave KMS!! → the key material of a KMS key never leaves the HSMs unencrypted; you can only USE it through API calls (the only keys handed back to you are data keys from GenerateDataKey, see below)
- Key material generated and used inside Hardware Security Modules (HSMs) (FIPS 140-2 validated)
- ❗ Do NOT confuse AWS KMS with AWS CloudHSM! KMS is a shared, AWS-managed service; CloudHSM gives you a dedicated single-tenant HSM cluster that AWS provisions but has NO ACCESS whatsoever to your crypto keys!
- 💡 FIPS level as taught in the course: KMS has some FIPS 140-2 (L3) features, but overall it's FIPS 140-2 (L2) compliant, whereas CloudHSM is L3. Caveat: since May 2023 AWS KMS HSMs are FIPS 140-2 (L3) validated too, so the L2/L3 split is no longer the differentiator; the "AWS has no access" point is
- Keys isolated to a region, never leave that region → Regional service
- 💡 Multi-region keys exist, but they are out of the scope of SAA-C03 exam
- Public service with public endpoints (reachable from the internet and from VPCs; VPC interface endpoints can keep the traffic on the AWS network)
KMS - Cryptographic Operations
Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0700-SIMPLE_STORAGE_SERVICE(S3)/00_LEARNINGAIDS/KMS-1.png
- ❗ KMS is very granular with permissions! → ROLE SEPARATION
- Different users may have different permissions and be allowed to perform different ops (e.g. key administrators who can manage a key but NOT encrypt/decrypt with it, and key users who can encrypt/decrypt but NOT change the key policy)
- Permissions are set in the key policy (a resource policy on the key); IAM policies only work if the key policy lets them
CreateKey
→ creates a KMS key; the backing key material is generated inside the HSMs and stored on disk
- ❗ Key material is always stored in ciphertext (encrypted) on disk and only ever decrypted inside the HSMs
Encrypt
→ caller names a KMS key and provides plaintext (max 4 KB); KMS returns ciphertext encrypted under that key
Decrypt
→ decrypts provided ciphertext, returns plaintext
- ‼️ No need to specify which KMS key to use for symmetric keys (the key ID is encoded in the ciphertext blob KMS produced)!! Caveat: for asymmetric keys you MUST pass the key ID and algorithm
GenerateDataKey
→ creates a Data Encryption Key (DEK) and returns it TWICE: a plaintext copy and a copy encrypted under the named KMS key
- DEK used in envelope encryption for bulk crypto ops with data > 4 KB: encrypt the data locally with the plaintext DEK, discard the plaintext DEK, store the encrypted DEK next to the data
- To read the data back, call Decrypt on the encrypted DEK (KMS knows which key to use), then decrypt the data locally with the returned plaintext DEK
- ❗ The bulk data itself never goes to KMS; only the (small) DEK does
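The four operations above and the envelope-encryption flow, as an added, self-contained model (not AWS code and not the course's demo). Against real AWS you would call boto3's kms.create_key, encrypt, decrypt and generate_data_key; here a MockKMS class stands in for the HSM boundary so the flow runs offline. Assumptions: the local cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag (a stand-in for the AES-256-GCM real KMS uses, chosen only because it needs no third-party library), key IDs are random hex instead of UUIDs, and the account ID in the ARN is made up.

```python
import hashlib
import hmac
import json
import os
import struct

KMS_PLAINTEXT_LIMIT = 4096  # Encrypt/Decrypt take at most 4 KB of plaintext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (stand-in for AES-CTR)."""
    out = bytearray()
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the same 256-bit secret
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with aad bound into the tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


class MockKMS:
    """Models one region's KMS: key material lives only inside this object."""

    def __init__(self, region: str = "us-east-1"):
        self.region = region
        self._material = {}  # key_id -> 256-bit material, never returned to callers
        self.metadata = {}   # key_id -> what DescribeKey would show

    def create_key(self, description: str = "") -> dict:
        key_id = os.urandom(16).hex()          # assumption: hex instead of a UUID
        self._material[key_id] = os.urandom(32)  # generated "inside the HSM"
        self.metadata[key_id] = {
            "KeyId": key_id,
            "Arn": f"arn:aws:kms:{self.region}:111122223333:key/{key_id}",
            "Description": description,
            "KeySpec": "SYMMETRIC_DEFAULT",
        }
        return self.metadata[key_id]

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        if len(plaintext) > KMS_PLAINTEXT_LIMIT:
            raise ValueError("plaintext over 4096 bytes: use GenerateDataKey + envelope encryption")
        # The blob carries the key id, which is why Decrypt needs no KeyId parameter
        header = json.dumps({"KeyId": key_id}).encode()
        return struct.pack(">H", len(header)) + header + _seal(self._material[key_id], plaintext, header)

    def decrypt(self, blob: bytes) -> dict:
        hlen = struct.unpack(">H", blob[:2])[0]
        header = blob[2:2 + hlen]
        key_id = json.loads(header)["KeyId"]
        if key_id not in self._material:
            # Regional isolation: a blob from another region/account is unusable here
            raise KeyError(f"key {key_id} does not exist in {self.region}")
        return {"KeyId": key_id, "Plaintext": _open(self._material[key_id], blob[2 + hlen:], header)}

    def generate_data_key(self, key_id: str) -> dict:
        dek = os.urandom(32)
        return {"KeyId": key_id, "Plaintext": dek, "CiphertextBlob": self.encrypt(key_id, dek)}


def envelope_encrypt(kms: MockKMS, key_id: str, data: bytes) -> dict:
    """Bulk data never reaches KMS; only the DEK is wrapped by the KMS key."""
    dk = kms.generate_data_key(key_id)
    ciphertext = _seal(dk["Plaintext"], data, b"")
    # The plaintext DEK is dropped here; only the wrapped copy is stored with the data
    return {"EncryptedDataKey": dk["CiphertextBlob"], "Ciphertext": ciphertext}


def envelope_decrypt(kms: MockKMS, envelope: dict) -> bytes:
    dek = kms.decrypt(envelope["EncryptedDataKey"])["Plaintext"]  # no KeyId needed
    return _open(dek, envelope["Ciphertext"], b"")


if __name__ == "__main__":
    kms = MockKMS()
    key_id = kms.create_key("demo key")["KeyId"]
    big = os.urandom(100_000)  # constructed sample payload, well over 4 KB
    env = envelope_encrypt(kms, key_id, big)
    print(envelope_decrypt(kms, env) == big, len(env["EncryptedDataKey"]))
```

Two things to notice when running it: Encrypt refuses the 100 KB payload, so the large-data path has to go through GenerateDataKey, and a blob handed to a MockKMS for a different region fails with KeyError, which is the regional-isolation point from the overview.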
KMS Keys
- 🔧 KMS key = logical container with key metadata (key ID, ARN, creation date, description, key state, key policy), backed by key material (the actual bits the HSMs use)
- 💡 KMS key = CMK (Customer Master Key, the old naming still seen in older docs, API names and exam questions)