Thursday, July 9, 2020

KMS - Key Management Service

Encryption
Main concepts:
-         Data
-         Method
-         Keys
Keys:
-         Symmetric (aka private/secret key)
          §   One key for both encryption and decryption
          §   Used by AWS
-         Asymmetric (aka public key)
          §   One key for encryption, the other for decryption

KMS – AWS KMI
-         AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data. AWS KMS CMKs are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program except in the China (Beijing) and China (Ningxia) Regions.
-         Key management infrastructure: storage layer that protects the plaintext keys
-         Management layer that authorizes key usage
-         HSM – Hardware Security Module, KMS stores keys in AWS CloudHSM.
          §   Protects keys from unauthorized use
          §   Software layer controls who can administer keys
-         FIPS (Federal Information Processing Standards) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.
-         AWS KMS – managed service, integrated with CloudTrail
-         KMS is a global service, but keys are regional - never transmitted outside of the region they were created in
-         KMS stores multiple copies of keys for 99.999999999% (11 9’s) availability
-         Can import customer keys

Customer Master Key
-         Customer master keys are the primary resources in AWS KMS
-         A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data.
-         A symmetric CMK, or the private portion of an asymmetric CMK, cannot be exported in plaintext from the HSMs. The public portion of an asymmetric CMK can be exported from the console or by calling the “GetPublicKey” API.
-         CMKs don’t leave AWS unencrypted
-         CMKs are used to encrypt/decrypt up to 4 KB of data. This is used mostly to encrypt data keys, which in turn encrypt data locally in the AWS service or in your application (envelope encryption). The data key is used locally in your application or in the encrypting AWS service, avoiding the need to send the entire unencrypted block of data to AWS KMS and suffer network latency.
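To make the envelope flow concrete, here is an added example in Go (not from this post and not AWS code): a local in-memory master key stands in for the HSM-backed CMK, GenerateDataKey and Decrypt are the real KMS operation names being modelled, and the AES-256-GCM choice, the mock and the sample data are assumptions.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")

// mockKMS stands in for the HSM-backed CMK so this runs offline; real KMS never exposes the master key (assumption: AES-256-GCM).
type mockKMS struct{ master []byte }
const maxKMSPayload = 4096 // the 4 KB ceiling on what a CMK encrypts or decrypts directly
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal returns nonce || ciphertext || tag; open reverses it and fails on any tampering.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() { return nil, errors.New("bad key or ciphertext") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// GenerateDataKey models KMS GenerateDataKey: a fresh data key, in plaintext (use, then discard) and wrapped under the CMK.
func (k mockKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil { return nil, nil, err }
	wrapped, err = seal(k.master, plain)
	return plain, wrapped, err
}
// Decrypt models KMS Decrypt: only the small wrapped key goes to KMS; over 4 KB is refused.
func (k mockKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) > maxKMSPayload { return nil, errors.New("payload exceeds 4 KB CMK limit") }
	return open(k.master, wrapped)
}
// Envelope encryption: the bulk data is sealed locally with the data key; only the wrapped
// key is stored with the ciphertext, and only it crosses the network to KMS on decrypt.
func EnvelopeEncrypt(kms mockKMS, data []byte) (wrappedKey, ciphertext []byte, err error) {
	plainKey, wrappedKey, err := kms.GenerateDataKey()
	if err != nil { return nil, nil, err }
	ciphertext, err = seal(plainKey, data)
	return wrappedKey, ciphertext, err
}
func EnvelopeDecrypt(kms mockKMS, wrappedKey, ciphertext []byte) ([]byte, error) {
	plainKey, err := kms.Decrypt(wrappedKey)
	if err != nil { return nil, err }
	return open(plainKey, ciphertext)
}
```

The wrapped data key is 60 bytes (12-byte nonce, 32-byte key, 16-byte tag), so it is the only thing that needs to cross the 4 KB CMK limit, however large the record it protects.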

Customer Managed CMKs
-         You create, import and manage
AWS managed CMKs
-         Unique to account and region
-         Only service that created CMK can use it
-         Named aws/<service>, e.g. aws/redshift
-         AWS manages creation of the key
-         Some services require using AWS CMK, some offer a choice of using your own
-         Default Master Key specific to each service is created in your account the first time you use encryption on a service
-         Can create a custom master key in AWS KMS and use it in your app or from a supported AWS service
